Garbled Circuits Checking Garbled Circuits: More Efficient and Secure Two-Party Computation

Applying cut-and-choose techniques to Yao’s garbled circuit protocol has been a promising approach for designing efficient Two-Party Computation (2PC) with malicious and covert security, as is evident from various optimizations and software implementations in the recent years. We revisit the security and efficiency properties of this popular approach and propose alternative constructions and a new definition that are more suitable for use in practice. We design an efficient fully-secure 2PC protocol for two-output functions that only requires O(t|C|) symmetric-key operations (with small constant factors, and ignoring factors that are independent of the circuit in use) in the Random Oracle Model, where |C| is the circuit size and t is a statistical security parameter. This is essentially the optimal complexity for protocols based on cut-and-choose, resolving a main question left open by the previous work on the subject. Our protocol utilizes novel techniques for enforcing garbler’s input consistency and handling two-output functions that are more efficient than all prior solutions. Motivated by the goal of eliminating the all-or-nothing nature of 2PC with covert security (that privacy and correctness are fully compromised if the adversary is not caught in the challenge phase), we propose a new security definition for 2PC that strengthens the guarantees provided by the standard covert model, and offers a smoother security vs. efficiency tradeoff to protocol designers in choosing the right deterrence factor. In our new notion, correctness is always guaranteed, privacy is fully guaranteed with probability (1 − e), and with probability e (i.e. the event of undetected cheating), privacy is only “partially compromised” with at most a single bit of information leaked, in case of an abort. We present two efficient 2PC constructions achieving our new notion. Both protocols are competitive with the previous covert 2PC protocols based on cut-and-choose.

[1]  Vladimir Kolesnikov,et al.  Improved Garbled Circuit: Free XOR Gates and Applications , 2008, ICALP.

[2]  Claudio Orlandi,et al.  LEGO for Two-Party Secure Computation , 2009, TCC.

[3]  Ran Canetti,et al.  Universally composable security: a new paradigm for cryptographic protocols , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[4]  Oded Goldreich,et al.  The Foundations of Cryptography - Volume 2: Basic Applications , 2001 .

[5]  Yehuda Lindell,et al.  A Proof of Security of Yao’s Protocol for Two-Party Computation , 2009, Journal of Cryptology.

[6]  David P. Woodruff Revisiting the Efficiency of Malicious Two-Party Computation , 2007, EUROCRYPT.

[7]  Berry Schoenmakers,et al.  A protocol issue for the malicious case of Yao's garbled circuit construction , 2006 .

[8]  Jonathan Katz,et al.  On the Security of the Free-XOR Technique , 2012, IACR Cryptol. ePrint Arch..

[9]  Torben P. Pedersen Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing , 1991, CRYPTO.

[10]  Jonathan Katz,et al.  Quid-Pro-Quo-tocols: Strengthening Semi-honest Protocols with Dual Execution , 2012, 2012 IEEE Symposium on Security and Privacy.

[11]  Yuval Ishai,et al.  Extending Oblivious Transfers Efficiently , 2003, CRYPTO.

[12]  Benny Pinkas,et al.  Efficient Private Matching and Set Intersection , 2004, EUROCRYPT.

[13]  Jonathan Katz,et al.  Faster Secure Two-Party Computation Using Garbled Circuits , 2011, USENIX Security Symposium.

[14]  Yuval Ishai,et al.  Founding Cryptography on Oblivious Transfer - Efficiently , 2008, CRYPTO.

[15]  Yehuda Lindell,et al.  An Efficient Protocol for Secure Two-Party Computation in the Presence of Malicious Adversaries , 2007, Journal of Cryptology.

[16]  Yehuda Lindell,et al.  Highly-Efficient Universally-Composable Commitments based on the DDH Assumption , 2011, IACR Cryptol. ePrint Arch..

[17]  Claudio Orlandi,et al.  A New Approach to Practical Active-Secure Two-Party Computation , 2012, IACR Cryptol. ePrint Arch..

[18]  Matthew K. Franklin,et al.  Efficiency Tradeoffs for Malicious Two-Party Computation , 2006, Public Key Cryptography.

[19]  Marc Fischlin,et al.  Trapdoor commitment schemes and their applications , 2001 .

[20]  Abhi Shelat,et al.  Billion-Gate Secure Computation with Malicious Adversaries , 2012, USENIX Security Symposium.

[21]  Yehuda Lindell,et al.  The IPS Compiler: Optimizations, Variants and Concrete Efficiency , 2011, CRYPTO.

[22]  Silvio Micali,et al.  How to play ANY mental game , 1987, STOC.

[23]  Brent Waters,et al.  A Framework for Efficient and Composable Oblivious Transfer , 2008, CRYPTO.

[24]  Mihir Bellare,et al.  Foundations of garbled circuits , 2012, CCS.

[25]  A. Yao,et al.  Fair exchange with a semi-trusted third party (extended abstract) , 1997, CCS '97.

[26]  Yehuda Lindell,et al.  Secure Two-Party Computation via Cut-and-Choose Oblivious Transfer , 2010, IACR Cryptol. ePrint Arch..

[27]  Florian Kerschbaum,et al.  Zero-knowledge using garbled circuits: how to prove non-algebraic statements efficiently , 2013, IACR Cryptol. ePrint Arch..

[28]  Abhi Shelat,et al.  Two-Output Secure Computation with Malicious Adversaries , 2011, EUROCRYPT.

[29]  Adam D. Smith,et al.  Efficient Two Party and Multi Party Computation Against Covert Adversaries , 2008, EUROCRYPT.

[30]  Benny Pinkas,et al.  Secure Two-Party Computation is Practical , 2009, IACR Cryptol. ePrint Arch..

[31]  Rafail Ostrovsky,et al.  Efficient Non-interactive Secure Computation , 2011, EUROCRYPT.

[32]  Vitaly Shmatikov,et al.  Efficient Two-Party Secure Computation on Committed Inputs , 2007, EUROCRYPT.

[33]  Yehuda Lindell,et al.  Security Against Covert Adversaries: Efficient Protocols for Realistic Adversaries , 2007, Journal of Cryptology.