Two Halves Make a Whole

EUROCRYPT 2015, pp. 220–250.

Keywords: select bit, wire label, truth table, XOR gate, party computation

Abstract:

The well-known classical constructions of garbled circuits use four ciphertexts per gate, although various methods have been proposed to reduce this cost. The best previously known methods for optimizing AND gates (two ciphertexts; Pinkas et al., ASIACRYPT 2009) and XOR gates (zero ciphertexts; Kolesnikov and Schneider, ICALP 2008) were i...

Introduction
  • Yao’s garbled circuit technique remains one of the most promising and actively studied methods for secure multi-party computation.
  • While the result is still four ciphertexts per gate, the ciphertexts no longer need to be from a CPA-secure encryption scheme.
  • Rather, they can be of the form H(A‖B) ⊕ C, where A, B,
  • Table 1 column headings (residue of the layout): technique; size per gate; calls to H per gate (generator, evaluator)
Highlights
  • Yao’s garbled circuit technique remains one of the most promising and actively studied methods for secure multi-party computation
  • Each half-gate can be garbled with a single ciphertext, so our construction uses two ciphertexts for each AND gate while being compatible with free-XOR gates
  • In the point-and-permute optimization, introduced by Beaver, Micali and Rogaway [3], a select bit is appended to each wire label, so that the two labels on each wire have opposite select bits
  • Circuits, our work gives a 33% reduction in garbled circuit size. This leads to reductions in overall latency, as well as energy since the extra computation required to compute the hash function twice is more than offset by the energy savings of reduced bandwidth
  • The association between select bits and logical truth values is random and secret, but the garbled truth table can be arranged by these public select bits
Methods
  • There are many techniques that fall under the category of garbling schemes.
  • The authors wish to focus on techniques based on symmetric-key primitives only.
  • The authors model parties as computationally unbounded entities that can make polynomially many queries to a random oracle.
  • This is the standard setting for proving lower bounds about Minicrypt.
  • The authors say that a garbling scheme has ideal security if no adversary of the above form has advantage better than poly(k)/2^k in the
Results
  • The authors experimentally demonstrate that the garbling scheme leads to an overall decrease in time, bandwidth, and energy use over several benchmark applications.
  • Circuits, the work gives a 33% reduction in garbled circuit size.
  • This leads to reductions in overall latency, as well as energy since the extra computation required to compute the hash function twice is more than offset by the energy savings of reduced bandwidth
Conclusion
  • Let us define the parity of a binary boolean gate as the number of 1s in its truth table.
  • XOR, for instance, has even parity, while AND has odd parity.
  • The proof of Theorem 3 applies to any odd-parity gate.
  • The authors are currently unable to prove a lower bound for completely arbitrary garbling schemes.
  • The authors cannot rule out the possibility of garbling an AND gate with only k bits.
  • The authors' lower bound shows that if such a method exists, it must use public-key primitives or be significantly non-linear
Tables
  • Table1: Optimizations of garbled circuits. Size is number of “ciphertexts” (multiples of k bits)
  • Table2: Optimizations of privacy-free garbled circuits. Size is number of ciphertexts (multiples of k bits). The three prior schemes are from Frederiksen, Nielsen, and Orlandi [8]
  • Table3: Comparison of garbled circuit size, for selected circuits of interest. Size measured in average number of ciphertexts per gate
  • Table4: Resource usage for three common programs. Edit distance refers to the Levenshtein distance between two 200-byte strings. AES refers to 1 block of encryption and key expansion, iterated 10 times. Set intersection is performed on sets of 1024 32-bit integers, iterated 10 times. Each of these 3 jobs was in turn executed 5 times and measured separately, and the numbers are averages over these 5 runs. Whole denotes an experimental setup using free-XOR with GRR2, while Half denotes a setup using our half-gates construction
  • Table5: Comparison of privacy-free garbled circuit size, for selected circuits of interest. Previous constructions and their statistics are from Frederiksen, Nielsen, and Orlandi [8]. Size measured in average number of ciphertexts per gate
Funding
  • Mike Rosulek was supported by NSF Award 1149647
  • David Evans and Samee Zahur were supported by NSF Award
References
  • [1] Applebaum, B.: Garbling XOR gates “For Free” in the standard model. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 162–181. Springer, Heidelberg (2013)
  • [2] Applebaum, B., Ishai, Y., Kushilevitz, E.: How to garble arithmetic circuits. In: 52nd Symposium on Foundations of Computer Science (2011)
  • [3] Beaver, D., Micali, S., Rogaway, P.: The round complexity of secure protocols. In: 22nd Symposium on Theory of Computing (1990)
  • [4] Bellare, M., Hoang, V.T., Keelveedhi, S., Rogaway, P.: Efficient garbling from a fixed-key blockcipher. In: 34th IEEE Symposium on Security and Privacy (2013)
  • [5] Bellare, M., Hoang, V.T., Rogaway, P.: Foundations of garbled circuits. In: 19th ACM Conference on Computer and Communications Security (2012)
  • [6] Brandão, L.T.A.N.: Secure two-party computation with reusable bit-commitments, via a cut-and-choose with forge-and-lose technique. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 441–463. Springer, Heidelberg (2013)
  • [7] Choi, S.G., Katz, J., Kumaresan, R., Zhou, H.-S.: On the security of the “FreeXOR” technique. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 39–53. Springer, Heidelberg (2012)
  • [8] Frederiksen, T.K., Nielsen, J.B., Orlandi, C.: Privacy-free garbled circuits with applications to efficient zero-knowledge. In: EUROCRYPT (2014)
  • [9] Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: Reusable garbled circuits and succinct functional encryption. In: 45th ACM STOC (2013)
  • [10] Henecka, W., Kögl, S., Sadeghi, A.R., Schneider, T., Wehrenberg, I.: TASTY: tool for automating secure two-party computations. In: 17th ACM Conference on Computer and Communications Security (2010)
  • [11] Henecka, W., Schneider, T.: Memory efficient secure function evaluation. https://code.google.com/p/me-sfe/
  • [12] Holzer, A., Franz, M., Katzenbeisser, S., Veith, H.: Secure two-party computations in ANSI C. In: 19th ACM Conference on Computer and Communications Security (2012)
  • [13] Huang, Y., Evans, D., Katz, J.: Private set intersection: are garbled circuits better than custom protocols? In: 19th Network and Distributed System Security Symposium (2012)
  • [14] Huang, Y., Evans, D., Katz, J., Malka, L.: Faster secure two-party computation using garbled circuits. In: 20th USENIX Security Symposium (2011)
  • [15] Huang, Y., Katz, J., Evans, D.: Efficient secure two-party computation using symmetric cut-and-choose. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 18–35. Springer, Heidelberg (2013)
  • [16] Impagliazzo, R.: A personal view of average-case complexity. In: 10th Structure in Complexity Theory Conference (1995)
  • [17] Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 8–26. Springer, Heidelberg (1990)
  • [18] Jawurek, M., Kerschbaum, F., Orlandi, C.: Zero-knowledge using garbled circuits: how to prove non-algebraic statements efficiently. In: ACM CCS 13 (2013)
  • [19] Kolesnikov, V., Mohassel, P., Rosulek, M.: FleXOR: flexible garbling for XOR gates that beats free-XOR. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 440–457. Springer, Heidelberg (2014)
  • [20] Kolesnikov, V., Schneider, T.: Improved garbled circuit: free XOR gates and applications. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 486–498. Springer, Heidelberg (2008)
  • [21] Kreuter, B., Shelat, A., Shen, C.: Billion-gate secure computation with malicious adversaries. In: 21st USENIX Security Symposium (2012)
  • [22] Lindell, Y.: Fast cut-and-choose based protocols for malicious and covert adversaries. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 1–17. Springer, Heidelberg (2013)
  • [23] Lindell, Y., Pinkas, B.: A proof of security of Yao’s protocol for two-party computation. Journal of Cryptology 22(2) (2009)
  • [24] Lindell, Y., Pinkas, B.: Secure two-party computation via cut-and-choose oblivious transfer. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 329–346. Springer, Heidelberg (2011)
  • [25] Lindell, Y., Pinkas, B., Smart, N.P.: Implementing two-party computation efficiently with security against malicious adversaries. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds.) SCN 2008. LNCS, vol. 5229, pp. 2–20.
  • [26] Malkhi, D., Nisan, N., Pinkas, B., Sella, Y.: Fairplay - secure two-party computation system. In: 13th USENIX Security Symposium (2004)
  • [27] Naor, M., Pinkas, B., Sumner, R.: Privacy preserving auctions and mechanism design. In: 1st ACM Conference on Electronic Commerce (1999)
  • [28] Pinkas, B., Schneider, T., Smart, N.P., Williams, S.C.: Secure two-party computation is practical. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 250–267. Springer, Heidelberg (2009)
  • [29] Shelat, A., Shen, C.: Two-output secure computation with malicious adversaries. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 386–405. Springer, Heidelberg (2011)
  • [30] Tillich, S., Smart, N.: Circuits of basic functions suitable for MPC and FHE. http://www.cs.bris.ac.uk/Research/CryptographySecurity/MPC/
  • [31] Yao, A.C.C.: How to generate and exchange secrets. In: 27th FOCS (1986)
  • [32] Zahur, S.: Obliv-C: A lightweight compiler for data-oblivious computation (2014). https://github.com/samee/obliv-c
  • Classical garbling: In a “classical” garbled circuit with the point-and-permute optimization, the four ciphertexts comprising a garbled gate have the form H(A‖B) ⊕ C, where the choice of C0 or C1 depends on the association between select bits and truth values. The accompanying figure shows the linear operations of the scheme; highlighted entries are the positions that vary based on a, b in Gb, or α, β in Ev.
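As an added worked example of the classical point-and-permute garbling described above (example code written for this page, not code from the paper or from Obliv-C): each wire gets two random k-bit labels whose public select bits differ, the garbler Gb stores the four ciphertexts H(A‖B) ⊕ C at the row indexed by the select bits of A and B, and the evaluator Ev decrypts exactly one row without learning the truth values a, b. It assumes a constructed convention of carrying the select bit in the low bit of the label's last byte, and uses SHA-256 truncated to k = 128 bits as a stand-in for the random oracle H.

```python
import hashlib
import os

K = 16  # label length in bytes (k = 128 bits); constructed parameter for this example


def H(a, b):
    """Stand-in for the random oracle H(A||B): SHA-256 truncated to k bits."""
    return hashlib.sha256(a + b).digest()[:K]


def xor(x, y):
    return bytes(p ^ q for p, q in zip(x, y))


def select_bit(label):
    """Point-and-permute: the public select bit lives in the low bit of the last byte."""
    return label[-1] & 1


def new_wire():
    """Two random labels (logical 0, logical 1) with opposite select bits.
    Which select bit stands for which truth value is random and stays secret."""
    l0 = bytearray(os.urandom(K))
    l1 = bytearray(os.urandom(K))
    l1[-1] = (l1[-1] & 0xFE) | ((l0[-1] & 1) ^ 1)  # force sel(l1) = 1 - sel(l0)
    return bytes(l0), bytes(l1)


def garble_gate(wa, wb, wc, gate):
    """Gb: four ciphertexts H(A||B) ^ C. The row position depends only on the
    public select bits of A and B, never on the hidden truth values a, b."""
    table = [None] * 4
    for a in (0, 1):
        for b in (0, 1):
            A, B = wa[a], wb[b]
            C = wc[gate(a, b)]  # output label that encodes gate(a, b)
            table[2 * select_bit(A) + select_bit(B)] = xor(H(A, B), C)
    return table


def eval_gate(table, A, B):
    """Ev: the select bits point at exactly one row; decrypting it yields the
    output label without revealing which truth values A and B carry."""
    return xor(H(A, B), table[2 * select_bit(A) + select_bit(B)])


def check_gate(gate):
    """Garble one gate and confirm evaluation agrees with the plaintext truth table."""
    wa, wb, wc = new_wire(), new_wire(), new_wire()
    table = garble_gate(wa, wb, wc, gate)
    return all(eval_gate(table, wa[a], wb[b]) == wc[gate(a, b)]
               for a in (0, 1) for b in (0, 1))
```

The same table layout works for any two-input gate, which is why the half-gate and GRR optimizations in the paper are measured against this four-ciphertext baseline.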