Advances in Cryptology – CRYPTO 2013

In the setting of secure two-party computation, two parties wish to securely compute a joint function of their private inputs, while revealing only the output. One of the primary techniques for achieving efficient secure two-party computation is that of Yao’s garbled circuits (FOCS 1986). In the semi-honest model, where just one garbled circuit is constructed and evaluated, Yao’s protocol has proven itself to be very efficient. However, a malicious adversary who constructs the garbled circuit may construct a garbling of a different circuit computing a different function, and this cannot be detected (due to the garbling). In order to solve this problem, many circuits are sent and some of them are opened to check that they are correct while the others are evaluated. This methodology, called cut-and-choose, introduces significant overhead, both in computation and in communication, and is mainly due to the number of circuits that must be used in order to prevent cheating. In this paper, we present a cut-and-choose protocol for secure computation based on garbled circuits, with security in the presence of malicious adversaries, that vastly improves on all previous protocols of this type. Concretely, for a cheating probability of at most 2^(-40), the best previous works send between 125 and 128 circuits. In contrast, in our protocol 40 circuits alone suffice (with some additional overhead). Asymptotically, we achieve a cheating probability of 2^(-s) where s is the number of garbled circuits, in contrast to the previous best of 2^(-0.32s). We achieve this by introducing a new cut-and-choose methodology with the property that in order to cheat, all of the evaluated circuits must be incorrect, and not just the majority as in previous works.
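The following worked example, added here and not taken from the paper, makes the two cheating probabilities in the abstract concrete by computing the adversary's best success probability under each check rule. It assumes a simplified model: under the classic "majority" rule the receiver opens exactly half of the s circuits chosen uniformly at random, and under the "all evaluated circuits must be bad" rule each circuit is opened independently with probability 1/2 (the paper's actual protocol and the earlier ones it compares against use other parameters, and the paper's count of 40 includes extra overhead that is not modelled here). All function names are ours.

```python
from fractions import Fraction
from math import comb, log2


def majority_rule_cheat_prob(s, opened=None):
    """Cheating probability under the classic cut-and-choose check.

    The receiver opens `opened` of the s circuits (default: half), chosen
    uniformly at random, and takes the majority output of the rest.  The
    adversary fixes the set of bad circuits before the opening set is drawn
    and wins only if no opened circuit is bad AND the bad circuits form a
    strict majority of the evaluated ones.  Opening exactly half is an
    assumption that simplifies the parameters of earlier protocols.
    """
    if opened is None:
        opened = s // 2
    evaluated = s - opened
    total = comb(s, opened)
    best = Fraction(0)
    # b = number of bad circuits.  The adversary needs b > evaluated/2; we scan
    # every admissible b and keep the best (fewer bad circuits hide better).
    for b in range(evaluated // 2 + 1, evaluated + 1):
        # the opened set must be drawn entirely from the s - b good circuits
        best = max(best, Fraction(comb(s - b, opened), total))
    return best


def all_evaluated_rule_cheat_prob(s):
    """Cheating probability under the rule described in the abstract.

    Cheating succeeds only if every evaluated circuit is bad and no opened
    circuit is bad.  Assumption: each circuit is opened independently with
    probability 1/2.  The bad set must then coincide exactly with the
    evaluated set, which happens with probability 2^-s for any nonempty bad set.
    """
    return Fraction(1, 2 ** s)


def all_evaluated_rule_bruteforce(s):
    """Exhaustively confirm the 2^-s claim for small s.

    Enumerate every nonempty bad set B and every opened set C as bitmasks,
    count the openings that let B cheat, and return the best probability.
    """
    mask = (1 << s) - 1
    best = Fraction(0)
    for bad in range(1, mask + 1):
        wins = 0
        for opened in range(mask + 1):
            evaluated = mask ^ opened
            no_bad_opened = (opened & bad) == 0
            all_evaluated_bad = (evaluated & ~bad) == 0
            if no_bad_opened and all_evaluated_bad:
                wins += 1
        best = max(best, Fraction(wins, 1 << s))
    return best


def min_circuits(rule, security_bits, limit=256):
    """Smallest s for which rule(s) is at most 2^-security_bits."""
    target = Fraction(1, 2 ** security_bits)
    for s in range(1, limit + 1):
        if rule(s) <= target:
            return s
    raise ValueError(f"no s <= {limit} reaches 2^-{security_bits}")


if __name__ == "__main__":
    for s in (40, 128):
        maj = majority_rule_cheat_prob(s)
        new = all_evaluated_rule_cheat_prob(s)
        print(f"s={s:3d}: majority rule ~ 2^{log2(float(maj)):.1f}, "
              f"all-evaluated rule = 2^{log2(float(new)):.0f}")
    print("brute force, s=5:", all_evaluated_rule_bruteforce(5))
    print("circuits for 2^-40 (majority):",
          min_circuits(majority_rule_cheat_prob, 40))
    print("circuits for 2^-40 (all evaluated):",
          min_circuits(all_evaluated_rule_cheat_prob, 40))
```

Under these simplifications the majority rule needs on the order of 125 circuits for 2^(-40) (at s = 40 it still leaves the adversary roughly a 2^(-14) chance), whereas the all-evaluated rule reaches 2^(-40) at exactly s = 40, which is the gap the abstract describes.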
