Richer Efficiency/Security Trade-offs in 2PC [chapter]

Vladimir Kolesnikov, Payman Mohassel, Ben Riva, Mike Rosulek
2015 Lecture Notes in Computer Science  
The dual-execution protocol of Mohassel & Franklin (PKC 2006) is a highly efficient (each party garbling only one circuit) 2PC protocol that achieves malicious security apart from leaking an arbitrary, adversarially-chosen predicate about the honest party's input. We present two practical and orthogonal approaches to improve the security of the dual-execution technique. First, we show how to greatly restrict the predicate that an adversary can learn in the protocol, to a natural notion of "only
more » ... computation leaks"-style leakage. Along the way, we identify a natural security property of garbled circuits called property-enforcing that may be of independent interest. Second, we address a complementary direction of reducing the probability that the leakage occurs. We propose a new dual-execution protocol -with a very light cheating-detection phase and each party garbling s + 1 circuits -in which a cheating party learns a bit with probability only 2 −s . Our concrete measurements show approximately 35% reduction in communication for the AES circuit, compared to the best combination of state of the art techniques for achieving the same security notion. Combining the two results, we achieve a rich continuum of practical trade-offs between efficiency & security, connecting the covert, dual-execution and full-malicious guarantees. * Bell Labs, kolesnikov@research.bell-labs.com. The protocol is not secure against malicious adversaries. An honest party executes an adversarially crafted garbled circuit and then uses the garbled output in the equality-test sub-protocol. However, since the equality test has only one bit of output, it can be shown that the dual-execution protocol leaks at most one (adversarially chosen) bit about the honest party's input. Our Results In this section we summarize our results. In Section 2, we present at the high level the main motivation, intuition and insights of our constructions, as well as put all the pieces in the unifying perspective. In the subsequent corresponding sections, we present formalizations, complete constructions, proofs and performance analysis of each individual contribution. Our theme is to explore and reduce the leakage allowed by the dual-execution protocol. We develop new techniques for restricting the kinds of predicates that the adversary can learn, as well as for reducing the probability that the adversary succeeds in his attack. Combining the two approaches results in a more efficient continuum of cost-security trade-offs, connecting the covert, dual-execution and full-malicious guarantees. Limiting Leakage Functions in Dual-Execution. The original security notion introduced in the dualexecution paper [MF06] , and the follow-up [HKE12] allows the adversary to learn an arbitrary predicate of the player's input. We show how to significanly limit this leakage to a conjunction of what we call "gatelocal" queries, i.e., boolean queries that only operate on the input wires to a single gate of the original circuit. In our formalization, we follow the framework of [BHR12] and introduce the notion of Property-Enforcing Garbling Schemes (PEGS), which may be of independent interest. Reducing Leakage Probability in Dual-Execution. In a complementary research direction, using the -CovIDA security notion of [MR13], we develop new techniques for reducing the probability of leakage in the Dual-Execution framework. We improve on their construction by achieving 2 −s security with only s circuits for each party, similar to state-of-the-art results of Lindell [Lin13] and Huang, Katz and Evans [HKE13] from the malicious setting. However, we replace the "cheating-recovery" computation of [Lin13] and repeated dualexecution mechanism of [HKE13] with a much more lightweight procedure based on Private Set Intersection (PSI) that provides significant gains in computation and bandwidth. We note that the protocol of [HKE13] has a similar high-level idea to ours: each party sends (approximately) s circuits, then the parties run a fully-secure processing phase. However, their protocol does not achieve -CovIDA security. In particular, their protocol performs separate equality checks of wire labels for each output bit of the circuit. Hence, in the event that an adversary successfully passes the circuit-check phase (with probability 2 −s ), she can learn more than one bit. 1 Our concrete measurements (see Figure 7) show that our techniques yield 35% reduction in overall communication for the AES circuit (compared to protocol of [MR13] augmented with Lindell's circuit reduction techniques). Putting it Together: A Richer and Cheaper Security/Efficiency Trade-offs. Restricting the leakage functions a successful adversary may evaluate, and further limiting the probability of his success, allows for a fine-grained practical trade-offs between security guarantees and efficiency of 2PC. This work can be viewed as interpolating between the guarantees of covert, dual execution (i.e. the k-leaked model [MF06]) and fully-malicious models. Indeed, setting s = 2, our protocols correspond to an improved hybrid of covert and k-leaked models and protocols. We guarantee probability of 1/2 of catching the cheating adversary, and at the same time limit the leakage to an "only computation leaks" one-bit functions. On the opposite end of the spectrum, setting s = 40 gives fully-secure 2PC, which, while having better latency (since parties can work in parallel and due to a cheaper cheating recovery) than [Lin13], should be seen as less efficient than [Lin13] as it sends 2s total circuits. However, in the extremely important (in practice) set of security parameters/associated costs of s ∈ {1, . . . , 20}, our protocols provide the best "value". Indeed, the guarantee of covert 2PC can be unacceptable in such scenarios as a successful adversary may learn the entire input 1 Concretely, suppose Alice passes the circuit-check phase with malicious circuits that compute an arbitrary (multi-bit) function g(x, y). Then Alice will learn the length of the longest common prefix of g(x, y) and the correct output f (x, y).
doi:10.1007/978-3-662-46494-6_11 fatcat:f5bgnkma25fcthpxhwkm24oisa