Batched Non-interactive 2PC Payman Mohassel Mike Rosulek Visa - PowerPoint PPT Presentation

Batched Non-interactive 2PC Payman Mohassel Mike Rosulek Visa Research OSU

Secure Two-Party Computation 𝒛 𝒚 𝑄 2 𝑄 1 𝑔(𝑦, 𝑧)

Secure Two-Party Computation 𝒛 𝒚 𝑄 2 𝑄 1 𝑔(𝑦, 𝑧)

Non-Interactive Secure Computation (NISC) 𝑁 1 𝒛 𝒚 𝑄 𝑁 2 𝑄 2 1

Non-Interactive Secure Computation (NISC) 𝑁 1 • Over the internet 𝒛 𝒚 𝑄 𝑁 2 𝑄 2 • Without coordination 1 • Email • Bulletin boards

Non-Interactive Secure Computation (NISC) 𝑁 1 • Over the internet 𝒛 𝒚 𝑄 𝑁 2 𝑄 2 • Without coordination 1 • Email • Bulletin boards Comparable to best 2PC [AMPR14]

Batched 2PC 𝒚 𝟐 𝒛 𝟐 𝑄 2 𝑄 1 𝒚 𝟑 𝒛 𝟑 ⋮ 𝒚 𝑶 𝒛 𝑶

Batched 2PC • Better amortized efficiency 𝒚 𝟐 𝒛 𝟐 • 𝑚𝑝𝑕𝑂 improvement 𝑄 2 𝑄 1 • [NO09,FJNNO13, LR14,HKKKM14, … ] 𝒚 𝟑 𝒛 𝟑 ⋮ 𝒚 𝑶 𝒛 𝑶

Batched 2PC • Better amortized efficiency 𝒚 𝟐 𝒛 𝟐 • 𝑚𝑝𝑕𝑂 improvement 𝑄 2 𝑄 1 • [NO09,FJNNO13, LR14,HKKKM14, … ] 𝒚 𝟑 𝒛 𝟑 ⋮ 4 rounds 𝒚 𝑶 𝒛 𝑶

Best of Both Worlds 𝑵 𝟐 𝑦 1 𝑧 1 • 𝑈𝑥𝑝 𝑠𝑝𝑣𝑜𝑒𝑡 ⋮ ⋮ 𝑦 𝑂 𝑧 𝑂 𝑄 𝑵 𝟑 • 𝑚𝑝𝑕𝑂 𝑗𝑛𝑞𝑠𝑝𝑤𝑓𝑛𝑓𝑜𝑢 1 𝑄 2

Yao’s Garbled Circuits 𝐷 𝑦, 𝑧 = 𝑔(𝑦, 𝑧) 1 , 𝑙 1 1 𝑙 0 𝐻𝐷 ← 𝐻𝑏𝑠𝑐(𝐷, 𝑡𝑒) 3 , 𝑙 1 3 𝑙 0 2 , 𝑙 1 2 𝑙 0 AND 𝐻𝐽 𝑦 𝐻𝐽 𝑦 ← 𝐻𝐽𝑜(𝑦, 𝑡𝑒) 𝒛 𝒚 𝐻𝐷 Evaluator Garbler 3 ) 𝑑 0,0 = 𝐹 𝑙 0 2 (𝑙 0 1 ,𝑙 0 3 ) 𝑑 0,1 = 𝐹 𝑙 0 2 (𝑙 0 1 ,𝑙 1 Oblivious Transfer 𝐻𝐽 𝑧 𝒈(𝒚, 𝒛) 3 ) 𝑑 1,0 = 𝐹 𝑙 1 2 (𝑙 0 1 ,𝑙 0 3 ) 𝑑 1,1 = 𝐹 𝑙 1 2 (𝑙 1 1 ,𝑙 1

Cut-and-Choose 2PC (majority) 𝑦 𝐻𝐷 1 𝐻𝐷 1 𝑦 𝑨 2 𝐻𝐷 2 𝐻𝐷 2 𝒚 𝐻𝐷 3 𝐻𝐷 3 ⋮ 𝑄 1 𝑨 4 𝑨 = 𝑔(𝑦, 𝑧) 𝐻𝐷 4 𝐻𝐷 4 𝐻𝐷 5 𝐻𝐷 5 𝑨 6 𝑦 𝐻𝐷 6 𝐻𝐷 6

Cut-and-Choose 2PC (Forge and Lose) 𝑦 𝐻𝐷 1 𝐻𝐷 1 𝑦 𝑨 2 𝐻𝐷 2 𝐻𝐷 2 𝑨 𝒚 𝐻𝐷 3 𝐻𝐷 3 𝑨′ ⋮ Cheating 𝑄 1 Recovery 𝑨 4 𝐻𝐷 4 𝐻𝐷 4 𝑦 2PC 𝐻𝐷 5 𝐻𝐷 5 𝑨 6 𝑦 𝐻𝐷 6 𝐻𝐷 6 𝑦

Homomorphic Commitments • Hiding and Binding • 𝐼𝐷𝑃𝑁 𝑏, 𝑒 𝑏 , 𝐼𝐷𝑃𝑁 𝑐, 𝑒 𝑐 • Open to 𝑏 ⊕ 𝑐 , using opening 𝑒 𝑏 ⊕ 𝑒 𝑐 • Pedersen commitments • OT-based Commitments [LR15] • Non-interactive, rate 1/𝜇 • (OT+ code)-based commitments [FJNT16] • Constant rate, interactive setup • Fiat-Shamir

Single NISC 𝐻𝐷 𝑗 ← 𝐻𝑏𝑠𝑐(𝐷, 𝑡𝑒 𝑗 ) 𝐻𝐽 𝑦 𝐻𝐷 𝑗 𝐿 𝑗

Single NISC 𝐻𝐷 𝑗 ← 𝐻𝑏𝑠𝑐(𝐷, 𝑡𝑒 𝑗 ) 𝐻𝐽 𝑦 𝐻𝐷 𝑗 𝐿 𝑗 𝑗 𝑗𝑜 0 Evaluator input 0/1 Probe-resistant encoding Input OT 𝑗 𝑗𝑜 1

Single NISC 𝐻𝐷 𝑗 ← 𝐻𝑏𝑠𝑐(𝐷, 𝑡𝑒 𝑗 ) 𝐻𝐽 𝑦 𝐻𝐷 𝑗 𝐿 𝑗 𝑗 𝑗𝑜 0 Evaluator input 0/1 Probe-resistant encoding Input OT 𝑗 𝑗𝑜 1 𝑡𝑒 𝑗 Open/evaluate Circuit OT Cut and choose 𝐿 𝑗

Single NISC 𝐻𝐷 𝑗 ← 𝐻𝑏𝑠𝑐(𝐷, 𝑡𝑒 𝑗 ) 𝐻𝐽 𝑦 𝐻𝐷 𝑗 𝐿 𝑗 𝑗 𝑗𝑜 0 Evaluator input 0/1 Probe-resistant encoding Input OT 𝑗 𝑗𝑜 1 𝑡𝑒 𝑗 Open/evaluate Circuit OT Cut and choose 𝐿 𝑗 permutation bit 𝐼𝐷𝑃𝑁 𝑡 𝑗 , 𝑗 𝑗 𝐷𝑃𝑁 𝑗𝑜 0⊕𝑡 𝑗 , 𝐷𝑃𝑁(𝑗𝑜 1⊕𝑡 𝑗 ) Garbler input 𝐼𝐷𝑃𝑁 𝑦

Single NISC 𝐻𝐷 𝑗 ← 𝐻𝑏𝑠𝑐(𝐷, 𝑡𝑒 𝑗 ) 𝐻𝐽 𝑦 𝐻𝐷 𝑗 𝐿 𝑗 𝑗 𝑗𝑜 0 Evaluator input 0/1 Probe-resistant encoding Input OT 𝑗 𝑗𝑜 1 𝒕 𝒋 𝑡𝑒 𝑗 Open/evaluate Circuit OT Cut and choose 𝒚 ⊕ 𝒕 𝒋 𝐿 𝑗 permutation bit 𝐼𝐷𝑃𝑁 𝑡 𝑗 , 𝑗 𝑗 𝐷𝑃𝑁 𝑗𝑜 0⊕𝑡 𝑗 , 𝐷𝑃𝑁(𝑗𝑜 1⊕𝑡 𝑗 ) Garbler input 𝐼𝐷𝑃𝑁 𝑦

Single NISC 𝐻𝐷 𝑗 ← 𝐻𝑏𝑠𝑐(𝐷, 𝑡𝑒 𝑗 ) 𝐻𝐽 𝑦 𝐻𝐷 𝑗 𝐿 𝑗 𝑗 𝑗𝑜 0 Evaluator input 0/1 Probe-resistant encoding Input OT 𝑗 𝑗𝑜 1 𝒕 𝒋 𝑡𝑒 𝑗 Open/evaluate Circuit OT Cut and choose 𝒚 ⊕ 𝒕 𝒋 𝐿 𝑗 permutation bit 𝐼𝐷𝑃𝑁 𝑡 𝑗 , 𝑗 𝑗 𝐷𝑃𝑁 𝑗𝑜 0⊕𝑡 𝑗 , 𝐷𝑃𝑁(𝑗𝑜 1⊕𝑡 𝑗 ) Garbler input 𝐼𝐷𝑃𝑁 𝑦 𝑗 𝑗 𝐼𝐷𝑃𝑁 𝑥 0 𝐼𝐷𝑃𝑁 𝑝𝑣𝑢 0 Cheating recovery 𝑗 ⊕ 𝑥 1 𝑗 = 𝑦 𝑗 𝑗 𝑥 0 𝐼𝐷𝑃𝑁 𝑝𝑣𝑢 1 𝐼𝐷𝑃𝑁 𝑥 1

Single NISC 𝐻𝐷 𝑗 ← 𝐻𝑏𝑠𝑐(𝐷, 𝑡𝑒 𝑗 ) 𝐻𝐽 𝑦 𝐻𝐷 𝑗 𝐿 𝑗 𝑗 𝑗𝑜 0 Evaluator input 0/1 Probe-resistant encoding Input OT 𝑗 𝑗𝑜 1 𝒕 𝒋 𝑡𝑒 𝑗 Open/evaluate Circuit OT Cut and choose 𝒚 ⊕ 𝒕 𝒋 𝐿 𝑗 permutation bit 𝐼𝐷𝑃𝑁 𝑡 𝑗 𝑗 𝑗 𝐷𝑃𝑁 𝑗𝑜 0⊕𝑡 𝑗 , 𝐷𝑃𝑁(𝑗𝑜 1⊕𝑡 𝑗 ) Garbler input 𝐼𝐷𝑃𝑁 𝑦 , open to zero 𝑗 𝑗 𝐼𝐷𝑃𝑁 𝑥 0 𝐼𝐷𝑃𝑁 𝑝𝑣𝑢 0 Cheating recovery 𝑗 ⊕ 𝑥 1 𝑗 = 𝑦 𝑗 𝑗 𝑥 0 𝐼𝐷𝑃𝑁 𝑝𝑣𝑢 1 𝐼𝐷𝑃𝑁 𝑥 1

Single NISC 𝐻𝐷 𝑗 ← 𝐻𝑏𝑠𝑐(𝐷, 𝑡𝑒 𝑗 ) 𝐻𝐽 𝑦 𝐻𝐷 𝑗 𝐿 𝑗 𝑗 𝑗𝑜 0 Evaluator input 0/1 Probe-resistant encoding Input OT 𝑗 𝑗𝑜 1 𝒋 , 𝒑𝒗𝒖 𝟐 𝒋 𝒑𝒗𝒖 𝟏 𝒕 𝒋 𝑡𝑒 𝑗 Open/evaluate 𝒋 ⊕ 𝒙 𝟏 𝒋 Circuit OT 𝒑𝒗𝒖 𝟏 Cut and choose 𝒚 ⊕ 𝒕 𝒋 𝐿 𝑗 𝒋 ⊕ 𝒙 𝟐 𝒋 𝒑𝒗𝒖 𝟐 permutation bit 𝐼𝐷𝑃𝑁 𝑡 𝑗 𝑗 𝑗 𝐷𝑃𝑁 𝑗𝑜 0⊕𝑡 𝑗 , 𝐷𝑃𝑁(𝑗𝑜 1⊕𝑡 𝑗 ) Garbler input 𝐼𝐷𝑃𝑁 𝑦 , open to zero 𝑗 𝑗 𝐼𝐷𝑃𝑁 𝑥 0 𝐼𝐷𝑃𝑁 𝑝𝑣𝑢 0 Cheating recovery 𝑗 ⊕ 𝑥 1 𝑗 = 𝑦 𝑗 𝑗 𝑥 0 𝐼𝐷𝑃𝑁 𝑝𝑣𝑢 1 𝐼𝐷𝑃𝑁 𝑥 1

Batch 2PC

Batch 2PC 𝐻𝐷 1 𝐻𝐷 2 𝐻𝐷 3 𝐻𝐷 4 𝐻𝐷 5 𝐻𝐷 6 𝐻𝐷 7

Batch 2PC 𝐻𝐷 1 𝐻𝐷 2 𝐻𝐷 3 𝐻𝐷 4 𝐻𝐷 5 𝐻𝐷 6 𝐻𝐷 7 𝒚 𝟒 , 𝒛 𝟒 𝒚 𝟐 , 𝒛 𝟐 𝒚 𝟑 , 𝒛 𝟑 𝑂 𝐶 𝐶 𝐶

Batch 2PC 𝐻𝐷 1 𝐻𝐷 2 𝐻𝐷 3 𝐻𝐷 4 𝐻𝐷 5 𝐻𝐷 6 𝐻𝐷 7 𝒚 𝟒 , 𝒛 𝟒 𝒚 𝟐 , 𝒛 𝟐 𝒚 𝟑 , 𝒛 𝟑 𝑂 𝐻𝐷 4 𝐻𝐷 1 𝐻𝐷 5 𝐻𝐷 7 𝐻𝐷 6 𝐻𝐷 2 𝐻𝐷 3 𝐶 𝐶 𝐶

Batch 2PC = 𝑂𝜇 𝐻𝐷 1 𝐻𝐷 2 𝐻𝐷 3 𝐻𝐷 4 𝐻𝐷 5 𝐻𝐷 6 𝐻𝐷 7 𝑂 𝑚𝑝𝑕𝑂 𝒚 𝟒 , 𝒛 𝟒 𝒚 𝟐 , 𝒛 𝟐 𝒚 𝟑 , 𝒛 𝟑 𝑂 𝐻𝐷 4 𝐻𝐷 1 𝐻𝐷 5 𝐻𝐷 7 𝐻𝐷 6 𝐻𝐷 2 𝐻𝐷 3 − 𝑂𝐶 𝐶 𝐶 𝐶 𝑂

Batch 2PC = 𝑂𝜇 𝐻𝐷 1 𝐻𝐷 2 𝐻𝐷 3 𝐻𝐷 4 𝐻𝐷 5 𝐻𝐷 6 𝐻𝐷 7 𝑂 𝑚𝑝𝑕𝑂 𝒚 𝟒 , 𝒛 𝟒 𝒚 𝟐 , 𝒛 𝟐 𝒚 𝟑 , 𝒛 𝟑 𝑂 𝐻𝐷 4 𝐻𝐷 1 𝐻𝐷 5 𝐻𝐷 7 𝐻𝐷 6 𝐻𝐷 2 𝐻𝐷 3 − 𝑂𝐶 𝐶 𝐶 𝐶 𝑂 1. Obliviously assign circuits to open/evaluate buckets

Batch 2PC = 𝑂𝜇 𝐻𝐷 1 𝐻𝐷 2 𝐻𝐷 3 𝐻𝐷 4 𝐻𝐷 5 𝐻𝐷 6 𝐻𝐷 7 𝑂 𝑚𝑝𝑕𝑂 𝒚 𝟒 , 𝒛 𝟒 𝒚 𝟐 , 𝒛 𝟐 𝒚 𝟑 , 𝒛 𝟑 𝑂 𝐻𝐷 4 𝐻𝐷 1 𝐻𝐷 5 𝐻𝐷 7 𝐻𝐷 6 𝐻𝐷 2 𝐻𝐷 3 − 𝑂𝐶 𝐶 𝐶 𝐶 𝑂 1. Obliviously assign circuits to open/evaluate buckets 2. Garble inputs before knowing assignment

Batch 2PC = 𝑂𝜇 𝐻𝐷 1 𝐻𝐷 2 𝐻𝐷 3 𝐻𝐷 4 𝐻𝐷 5 𝐻𝐷 6 𝐻𝐷 7 𝑂 𝑚𝑝𝑕𝑂 𝒚 𝟒 , 𝒛 𝟒 𝒚 𝟐 , 𝒛 𝟐 𝒚 𝟑 , 𝒛 𝟑 𝑂 𝐻𝐷 4 𝐻𝐷 1 𝐻𝐷 5 𝐻𝐷 7 𝐻𝐷 6 𝐻𝐷 2 𝐻𝐷 3 − 𝑂𝐶 𝐶 𝐶 𝐶 𝑂 1. Obliviously assign circuits to open/evaluate buckets 2. Garble inputs before knowing assignment 3. Input consistency before knowing assignment

Batch 2PC = 𝑂𝜇 𝐻𝐷 1 𝐻𝐷 2 𝐻𝐷 3 𝐻𝐷 4 𝐻𝐷 5 𝐻𝐷 6 𝐻𝐷 7 𝑂 𝑚𝑝𝑕𝑂 𝒚 𝟒 , 𝒛 𝟒 𝒚 𝟐 , 𝒛 𝟐 𝒚 𝟑 , 𝒛 𝟑 𝑂 𝐻𝐷 4 𝐻𝐷 1 𝐻𝐷 5 𝐻𝐷 7 𝐻𝐷 6 𝐻𝐷 2 𝐻𝐷 3 − 𝑂𝐶 𝐶 𝐶 𝐶 𝑂 1. Obliviously assign circuits to open/evaluate buckets 2. Garble inputs before knowing assignment 3. Input consistency before knowing assignment 4. Output recovery before knowing assignment

Batch 2PC = 𝑂𝜇 𝐻𝐷 1 𝐻𝐷 2 𝐻𝐷 3 𝐻𝐷 4 𝐻𝐷 5 𝐻𝐷 6 𝐻𝐷 7 𝑂 𝑚𝑝𝑕𝑂 𝒚 𝟒 , 𝒛 𝟒 𝒚 𝟐 , 𝒛 𝟐 𝒚 𝟑 , 𝒛 𝟑 𝑂 𝐻𝐷 4 𝐻𝐷 1 𝐻𝐷 5 𝐻𝐷 7 𝐻𝐷 6 𝐻𝐷 2 𝐻𝐷 3 − 𝑂𝐶 𝐶 𝐶 𝐶 𝑂 1. Obliviously assign circuits to open/evaluate buckets Naive Solution: Prepare garbled inputs and gadgets for all N possibilities 2. Garble inputs before knowing assignment Perform 1-out-of-N OT for each circuit 3. Input consistency before knowing assignment 4. Output recovery before knowing assignment