Better Concrete Security for Half-Gates Garbling (in the Multi-Instance Setting): PowerPoint PPT Presentation


  1. Better Concrete Security for Half-Gates Garbling (in the Multi-Instance Setting). Chun Guo, Jonathan Katz, Xiao Wang, Chenkai Weng, Yu Yu

  2. Yao's garbled circuits
  • Two-party computation (2PC)
  • Multiple optimizations
    • Point-and-permute
    • Free-XOR
    • Garbled-row-reduction
    • Half-gates (state-of-the-art) [1]
    • Fixed-key AES based garbling [2]
  [1] S. Zahur, M. Rosulek, and D. Evans. Two halves make a whole—reducing data transfer in garbled circuits using half gates. In Advances in Cryptology—Eurocrypt 2015, Part II, volume 9057 of LNCS, pages 220–250. Springer, 2015.
  [2] M. Bellare, V. T. Hoang, S. Keelveedhi, and P. Rogaway. Efficient garbling from a fixed-key blockcipher. In IEEE Symposium on Security and Privacy (S&P) 2013, pages 478–492, 2013.

  3. Concrete security for Half-Gates (Outline)
  • An attack on the current Half-Gates implementation
  • Deficiencies of the current implementation
    • Inappropriate instantiation of the hash function
    • A lack of concrete security
  • A new abstraction of the hash function
    • miTCCR hash
    • Better concrete security
  • Optimization/performance

  4. Attack overview
  • Exploits the weakness when $H$ is instantiated with fixed-key AES
  • The attacker succeeds in running time $O(2^{k}/C)$
    • $k$: bit length of the labels; $C$: number of AND gates
  • A circuit with $k = 80$ and $C = 2^{!"}$ would be completely broken
  • A circuit with $k = 128$ and $C = 2^{!"}$ has only ~80-bit security
  • The implementation of the attack is consistent with the analysis
  • Can be extended to the multi-instance case

  5. Half-gate protocol
  • Wire labels: wire $a$ has $(W_a^0,\ W_a^0 \oplus R)$, wire $b$ has $(W_b^0,\ W_b^0 \oplus R)$, output wire $c$ has $(W_c^0,\ W_c^0 \oplus R)$
  • The Generator sends $T_G, T_E$ to the Evaluator
  • AND gate garbling: $T_G = H(W_a^0, j) \oplus H(W_a^1, j) \oplus p_b R$ and $T_E = H(W_b^0, j') \oplus H(W_b^1, j') \oplus W_a^0$
  • AND gate evaluation (on the Evaluator side, from $T_G, T_E$)


  7. Details of the attack
  • The evaluator holds labels $W_a, W_b, W_c$ and receives $T_G = H(W_a^0, j) \oplus H(W_a^1, j) \oplus p_b R$
  • It computes $H_a := T_G \oplus H(W_a, j) = H(W_a \oplus R, j) \oplus p_b R$
  • With probability $1/2$, $H_a = H(W_a \oplus R, j)$
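The garbling equations of slide 5 and the evaluator's computation on slide 7, worked through in code. This is an added example written for this page, not code from the authors or from EMP-toolkit. It assumes 128-bit labels with the point-and-permute colour bit in the least significant bit (so lsb(R) = 1), uses a SHA-256-based stand-in for the hash H(x, j) (neither the fixed-key AES nor the MMO^σ instantiation from the slides), and the names GarbleAND, EvalAND, EvaluatorView and Demo are its own. Besides checking that the gate evaluates correctly on all four inputs, EvaluatorView computes H_a = T_G ⊕ H(W_a, j): the evaluator obtains it from what it receives, and the identity H_a = H(W_a ⊕ R, j) ⊕ p_b R holds for any H, so it is the choice of H that decides whether this hash of the unseen label is exploitable.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Label is a 128-bit wire label; its least significant bit is the point-and-permute colour bit.
type Label [16]byte

func xor(a, b Label) Label {
	for i := range a {
		a[i] ^= b[i]
	}
	return a
}

func lsb(x Label) bool { return x[15]&1 == 1 }

// mul returns r when bit is set and the all-zero label otherwise (the "p_b R" style terms on the slide).
func mul(bit bool, r Label) Label {
	if bit {
		return r
	}
	return Label{}
}

// H is the tweakable hash H(x, j). This SHA-256 stand-in is an assumption of the example;
// the slides discuss fixed-key AES (broken) and MMO^sigma (recommended) instantiations instead.
func H(x Label, tweak uint64) Label {
	var t [8]byte
	binary.BigEndian.PutUint64(t[:], tweak)
	sum := sha256.Sum256(append(x[:], t[:]...))
	var out Label
	copy(out[:], sum[:16])
	return out
}

// GarbledAND is what the generator sends for one AND gate: the two rows T_G and T_E.
type GarbledAND struct{ TG, TE Label }

// GarbleAND is the generator side of slide 5. Inputs are the zero-labels W_a^0, W_b^0
// (the one-labels are W^0 xor R) and the tweaks j, j'. It returns the rows and W_c^0.
func GarbleAND(wa0, wb0, R Label, j, jp uint64) (GarbledAND, Label) {
	wa1, wb1 := xor(wa0, R), xor(wb0, R)
	pa, pb := lsb(wa0), lsb(wb0)
	// generator half: T_G = H(W_a^0, j) xor H(W_a^1, j) xor p_b R
	tg := xor(xor(H(wa0, j), H(wa1, j)), mul(pb, R))
	wg0 := xor(H(wa0, j), mul(pa, tg))
	// evaluator half: T_E = H(W_b^0, j') xor H(W_b^1, j') xor W_a^0
	te := xor(xor(H(wb0, jp), H(wb1, jp)), wa0)
	we0 := xor(H(wb0, jp), mul(pb, xor(te, wa0)))
	return GarbledAND{tg, te}, xor(wg0, we0)
}

// EvalAND is the evaluator side: from one label per input wire and the two rows it recovers W_c.
func EvalAND(g GarbledAND, wa, wb Label, j, jp uint64) Label {
	sa, sb := lsb(wa), lsb(wb)
	wg := xor(H(wa, j), mul(sa, g.TG))
	we := xor(H(wb, jp), mul(sb, xor(g.TE, wa)))
	return xor(wg, we)
}

// EvaluatorView is H_a from slide 7: T_G xor H(W_a, j), which the evaluator can compute and
// which equals H(W_a xor R, j) xor p_b R, i.e. a hash of the label it does not hold.
func EvaluatorView(g GarbledAND, wa Label, j uint64) Label { return xor(g.TG, H(wa, j)) }

func randomLabel() Label {
	var l Label
	if _, err := rand.Read(l[:]); err != nil {
		panic(err)
	}
	return l
}

// Demo garbles one AND gate with fresh labels and checks all four input combinations.
func Demo() bool {
	R := randomLabel()
	R[15] |= 1 // Free-XOR offset has lsb 1, so W^0 and W^1 carry different colour bits
	wa0, wb0 := randomLabel(), randomLabel()
	g, wc0 := GarbleAND(wa0, wb0, R, 1, 2)
	ok := true
	for a := 0; a < 2; a++ {
		for b := 0; b < 2; b++ {
			wa, wb := xor(wa0, mul(a == 1, R)), xor(wb0, mul(b == 1, R))
			want := xor(wc0, mul(a == 1 && b == 1, R)) // W_c^{a AND b}
			ok = ok && EvalAND(g, wa, wb, 1, 2) == want
		}
	}
	return ok
}

func main() { fmt.Println("half-gate AND evaluates correctly:", Demo()) }
```

Run it with `go run`. The tweaks j = 1 and j' = 2 are fixed for the single gate; in a circuit each gate gets its own pair, which is what the later slides' per-tweak query bound μ is about.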

  8. Details of the attack
  • Implementation of $H$: $H(x, j) = \pi(K) \oplus K$, where $K = 2x \oplus j$
  • With probability $1/2$: $H_a = H(W_a \oplus R, j) = \pi\big(2(W_a \oplus R) \oplus j\big) \oplus 2(W_a \oplus R) \oplus j$
  • If one finds $W^*$ such that $H_a = \pi(W^*) \oplus W^*$, then one knows $R$.
  • The evaluator collects all the $(j, W_a, H_a)$ pairs.

  9. Details of the attack
  • Implementation of $H$: $H(x, j) = \pi(K) \oplus K$, where $K = 2x \oplus j$
  • [Diagram] The Evaluator collects the I/O pairs $(j, W_a, H_a)$; the attacker randomly generates $W^*$, queries the oracle for $H^* = \pi(W^*) \oplus W^*$, and runs an existence check of $H^*$ against the collected pairs

  10. Implementation of the attack
  • Result of interpolation: breaking the circuit when $k = 80$ takes 267 machine-months and 3500 USD.

  11. Better concrete security
  • [Diagram] Abstraction: $\mathcal{O}^{\mathrm{miTCCR}}_{R}$

  12. Better concrete security
  • [Diagram] Hash function $\mathrm{MMO}^{\sigma}$ → Abstraction $\mathcal{O}^{\mathrm{miTCCR}}_{R}$ → Protocol Half-Gate

  13. Abstraction of the hash function
  • $\mathcal{O}^{\mathrm{miTCCR}}_{R}(w, i, b) := H(w \oplus R, i) \oplus b \cdot R$
  • The adversary is given $u$ instances
  • Queries of the form $(\star, i, \star)$ number at most $\mu$

  14. The hash function
  • Hash function (from an ideal cipher): $\mathrm{MMO}^{\sigma}(x, i) := E(i, \sigma(x)) \oplus \sigma(x)$
  • $\sigma(x)$ is a linear orthomorphism
    • Linear if $\sigma(x \oplus y) = \sigma(x) \oplus \sigma(y)$
    • Orthomorphism if it is a permutation, and $\sigma'(x) := \sigma(x) \oplus x$ is also a permutation
  • $\sigma(x_L \,\|\, x_R) = (x_R \oplus x_L) \,\|\, x_L$
  • $E$ is modeled as an ideal cipher

  15. Concrete security bound
  • Multi-instance tweakable circular correlation robustness (miTCCR): $\mathcal{O}^{\mathrm{miTCCR}}_{R}(w, i, b) := H(w \oplus R, i) \oplus b \cdot R$
  • The adversary is given $u$ instances.
  • Queries of the form $(\star, i, \star)$ number at most $\mu$.
  • Attacker advantage $\varepsilon = \dfrac{2\mu p}{2^{'}} + \dfrac{(\mu - 1)\, q}{2^{'}}$

  16. Better concrete security for multi-instance
  • Multi-instance tweakable circular correlation robustness (miTCCR): $\mathcal{O}^{\mathrm{miTCCR}}_{R}(w, i, b) := H(w \oplus R, i) \oplus b \cdot R$
  • Bound the queries of the form $(\star, i, \star)$.
    • Before: $i$ starts from 1.
    • Now: $i$ starts from a random point.
  • Proof using "balls-and-bins"

  17. Better concrete security for multi-instance
  • Multi-instance tweakable circular correlation robustness (miTCCR): $\mathcal{O}^{\mathrm{miTCCR}}_{R}(w, i, b) := H(w \oplus R, i) \oplus b \cdot R$
  • Concrete security: 2𝐷 *+, 𝜁 = 𝜈𝑞 + 𝜈 − 1 𝐷 + 2 !() 𝜈 + 1 !×2 *-

  18. Better concrete security for multi-instance
  • Multi-instance tweakable circular correlation robustness (miTCCR): $\mathcal{O}^{\mathrm{miTCCR}}_{R}(w, i, b) := H(w \oplus R, i) \oplus b \cdot R$
  • Concrete security:
      $k$ (bit)   Comp. sec. (bit)   Sta. sec. (bit)   $C$
      80          78                 40                ≤ 2 *+.-
      128         125                64                ≤ 2 .'

  19. Implementation & optimization
  • $\mathrm{MMO}^{\sigma}(x, i) := E(i, \sigma(x)) \oplus \sigma(x)$
  • Linear orthomorphism
    • mask = _mm_set_epi64x($1^{64}$, $0^{64}$)
    • $\sigma(x)$ = _mm_shuffle_epi32(a, 78) $\oplus$ _mm_and_si128(a, mask)
  • Batch key scheduling [GLNP15]
    • Batch 8 key expansion (we have optimized it to 20 since then)

  20. Implementation & optimization
  • $\mathrm{MMO}^{\sigma}(x, i) := E(i, \sigma(x)) \oplus \sigma(x)$
  • Linear orthomorphism
  • Batch key scheduling [GLNP15]
  • Implementation in EMP-toolkit: https://github.com/emp-toolkit/emp-tool/blob/release-2/emp-tool/utils/mitccrh.h
  • Full version of the paper: https://eprint.iacr.org/2019/1168.pdf
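The MMO^σ hash of slide 14 and the shuffle-and-mask form of σ from slide 19, as an added example; it is not the authors' code and not the EMP-toolkit mitccrh.h implementation. It assumes a 128-bit block whose high 64 bits are x_L and low 64 bits are x_R, uses AES-128 keyed by the tweak i in the role of the ideal cipher E, and the names Block, Sigma, SigmaSSE, SigmaInv, SigmaPrime, MMOSigma and GateTweak are its own. SigmaSSE reproduces the effect of the intrinsics (swap the 64-bit lanes, XOR in the high lane kept by the 1^64 || 0^64 mask) without SIMD, and the explicit inverses make the permutation and orthomorphism properties checkable rather than asserted; GateTweak follows slide 16 in deriving per-gate tweaks from a random starting point.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// Block is a 128-bit value split into a high half L and a low half R (layout assumed for this example).
type Block struct{ L, R uint64 }

func (a Block) Xor(b Block) Block { return Block{a.L ^ b.L, a.R ^ b.R} }

// Bytes serialises the block big-endian, high half first, for use as an AES key or plaintext.
func (a Block) Bytes() []byte {
	out := make([]byte, 16)
	binary.BigEndian.PutUint64(out[:8], a.L)
	binary.BigEndian.PutUint64(out[8:], a.R)
	return out
}

func FromBytes(p []byte) Block {
	return Block{binary.BigEndian.Uint64(p[:8]), binary.BigEndian.Uint64(p[8:])}
}

// Sigma is the linear orthomorphism from slide 14: sigma(xL || xR) = (xR xor xL) || xL.
func Sigma(x Block) Block { return Block{x.R ^ x.L, x.L} }

// SigmaSSE computes the same map the way slide 19's intrinsics do: swap the two 64-bit
// lanes (_mm_shuffle_epi32(a, 78)) and XOR in the high lane kept by mask = 1^64 || 0^64.
func SigmaSSE(x Block) Block {
	swapped := Block{x.R, x.L}
	masked := Block{x.L, 0}
	return swapped.Xor(masked)
}

// SigmaInv inverts Sigma, so Sigma is a permutation.
func SigmaInv(y Block) Block { return Block{y.R, y.L ^ y.R} }

// SigmaPrime(x) = sigma(x) xor x = xR || (xL xor xR); SigmaPrimeInv inverts it, so sigma'
// is also a permutation. Together with linearity that is the orthomorphism property.
func SigmaPrime(x Block) Block    { return Sigma(x).Xor(x) }
func SigmaPrimeInv(y Block) Block { return Block{y.L ^ y.R, y.L} }

// IsLinear checks sigma(x xor y) == sigma(x) xor sigma(y) for one pair of inputs.
func IsLinear(x, y Block) bool { return Sigma(x.Xor(y)) == Sigma(x).Xor(Sigma(y)) }

// MMOSigma computes MMO^sigma(x, i) = E(i, sigma(x)) xor sigma(x). AES-128 keyed by the
// tweak i stands in for the ideal cipher E (an assumption of this example): every tweak
// is a different key, unlike the fixed-key construction attacked on slides 7 to 10.
func MMOSigma(x, tweak Block) Block {
	c, err := aes.NewCipher(tweak.Bytes())
	if err != nil {
		panic(err)
	}
	s := Sigma(x)
	out := make([]byte, 16)
	c.Encrypt(out, s.Bytes())
	return FromBytes(out).Xor(s)
}

// GateTweak derives the tweak for gate number idx from a per-instance random start,
// as on slide 16 (tweaks start from a random point rather than from 1).
func GateTweak(start Block, idx uint64) Block { return Block{start.L, start.R + idx} }

func main() {
	x := Block{0x0123456789abcdef, 0xfedcba9876543210} // constructed sample inputs
	y := Block{0x00ff00ff00ff00ff, 0x1111222233334444}
	fmt.Printf("sigma(x) = %016x%016x, SSE form agrees: %v\n", Sigma(x).L, Sigma(x).R, Sigma(x) == SigmaSSE(x))
	fmt.Println("linear:", IsLinear(x, y), "sigma invertible:", SigmaInv(Sigma(x)) == x,
		"sigma' invertible:", SigmaPrimeInv(SigmaPrime(x)) == x)
	start := Block{0xdeadbeef, 0x100} // constructed stand-in for the random starting tweak
	h0, h1 := MMOSigma(x, GateTweak(start, 0)), MMOSigma(x, GateTweak(start, 1))
	fmt.Println("different tweaks give different hashes:", h0 != h1)
}
```

Because the tweak is the AES key, MMOSigma performs one key expansion per gate; the batch key scheduling on slide 19 is exactly the cost this design moves into the implementation, which is why the EMP-toolkit code expands several keys at once.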
