Secure Function Evaluation

Transcription

1 Secure Function Evaluation 1) Use cryptography to securely compute a function/program. 2) Secure means a) Participant s inputs stay secret even though they are used in the computation. b) No participant can undetectably cause the program to output the wrong result. Why do we use cryptography to secure a program? It gives software independence because private inputs remains private and independent of what software does. If the software messes up then it s gonna break security property. There are two security models namely, a) Honest but curious: It considers Participant s inputs stay secret even though they are used in the computation. b) Malicious model: It includes both, 1. Participant s inputs stay secret even though they are used in the computation. 2. No participant can undetectably cause the program to output the wrong result. It s slow and it works only for basic function like voting system etc. Software should avoid attacks like buffer overflow, return oriented programming and code injection. Honest but curious can be converted into fully malicious generally by throwing lot of crypto at it. Garbled circuits: 1) Idea shows how to compute(security) a logic gate such as NAND. 2) Because NAND is an universal gate, build any circuit out of secure executions of NAND s. 3) Compute any program for e.g y=nand(a,b); where a is Alice s input and b is Bob s input. In order to implement this protocol we use encryption function(same key for both encryption and decryption), shuffled function and oblivious transfer to compute the program. 4) It s honest but curious model and there are ways to make it fully malicious In the NAND gate, Y=NAND(a,b); Alice knows bit a and Bob knows bit b. At the end of the computation, neither of them will know each others bit. We can t guarantee that after seeing y we can guess the inputs. If the output of the function doesn t reveals what your input is, then security is good else something need to be done.

2 Oblivious transfer(sketch): - Say there are two messages m 0 and m 1 (Bob knows these messages but Alice doesn t). - Alice can choose which one she wants(first or second) and Bob will not be able to learn what Alice chooses. Eg. Alice is willing to buy a song track either song 1 or song 2 for 99 cents, Bob has no problem if she picks any one of these song for 99 cents and he doesn t need to know what she picks but it bothers Bob if Alice gets both the songs for 99cents. - Bob can be ensured, Alice learns only one and nothing about the other. Nand Gate Logic: A B Y Steps: 1. Bob generates a key for every input to F. Here we use same key for encryption and decryption. Let [m] k be encryption of m under key k. Input Key a=0 K a0 a=1 K a1 b=0 K b0 b=1 K b1 Key: For an encryption scheme(eg. AES) 2. Bob encrypts the outputs with the appropriate key Output(Y) Cipher text 1 [[1] Ka0 ] Kb0 1 [[1] Ka0 ] Kb1 1 [[1] Ka1 ] Kb0 0 [[0] Ka1 ] Kb1

3 3. Bob shuffles the list and send this to Alice. Output(Y) Cipher text After Shuffle 1 [[1] Ka0 ] Kb0 [[1] Ka1 ] Kb0 1 [[1] Ka0 ] Kb1 [[0] Ka1 ] Kb1 1 [[1] Ka1 ] Kb0 [[1] Ka0 ] Kb1 0 [[0] Ka1 ] Kb1 [[1] Ka0 ] Kb0 4. Assume Alice has a=1, Bob has b=0; Now Bob sends K b0 to Alice(Knowing key doesn t leak any input of Bob). When Alice decrypts it, Output(Y) Cipher text After Shuffle Decrypt 1 [[1] Ka0 ] Kb0 [[1] Ka1 ] Kb0 [1] Ka1 1 [[1] Ka0 ] Kb1 [[0] Ka1 ] Kb1-1 [[1] Ka1 ] Kb0 [[1] Ka0 ] Kb1-0 [[0] Ka1 ] Kb1 [[1] Ka0 ] Kb0 [1] Ka0 Assumption: If we decrypt with wrong key, It gives an error. At this point Alice doesn t know if Bob picked 0 or 1. Here permutation matters and Alice getting key from Bob is important. 5. Using oblivious transfer Alice gets K a1 from Bob w/o Bob learning which value. Output(Y) Cipher text After Shuffle Decrypt 2 nd Decryption 1 [[1] Ka0 ] Kb0 [[1] Ka1 ] Kb0 [1] Ka1 1 1 [[1] Ka0 ] Kb1 [[0] Ka1 ] Kb [[1] Ka1 ] Kb0 [[1] Ka0 ] Kb [[0] Ka1 ] Kb1 [[1] Ka0 ] Kb0 [1] Ka0 - Why is this Honest but curious model? If Alice/Bob tries to cheat then they get wrong output. We can make Bob do encryption 100 times. If it s consistent Alice can believe Bob encrypted correctly. Using NAND gates: let Bob generate key for c as follows:

4 C Key 0 K c0 1 K c1 Cipher text After Shuffle Decrypt 2 nd Decryption [[K c1 ] Ka0 ] Kb0 [[K c1 ] Ka1 ] Kb0 [K c1 ] Ka1 K c1 [[K c1 ] Ka0 ] Kb1 [[K c0 ] Ka1 ] Kb1 - - [[K c1 ] Ka1 ] Kb0 [[K c1 ] Ka0 ] Kb1 - - [[K c0 ] Ka1 ] Kb1 [[K c1 ] Ka0 ] Kb0 [K c1 ] Ka0 - Fully Homomorphic Encryption: We are trying to compute a function with a bunch of private inputs y=f(a,b,c,d). In fully malicious model, all the participants will upload encryption of their data and cloud will compute function f on encrypted inputs. Result will also be encryption of output. There is no secret involved as all the inputs involved are cipher texts implies all the inputs are encrypted. It s also called as computing on encrypted data.

5 There is a special encryption scheme. Encryption scheme supports two functions: 3. [m 1 ] * [m 2 ] = [m 1 +m 2 mod 2] 4. [m 1 ] * [m 2 ] = [m 1.m 2 mod 2] Note: * can be any operation. If we have these two computations we can compute NAND gate It s Public key encryption scheme. All the participants can encrypt on same key but only one person can decrypt. So who gets to decrypt? Use threshold decryption where each share a part of decryption key. Symmetric key encryption is faster where as public key encryption is slower. Properties of encryption scheme: Scheme invented recently by gentry doesn t support unlimited multiplications. Unlimited multiplication means a. Multi add noise b. Somewhat called homomorphic Boot Strapping It works when decryption function itself has less than the max number of multiplications. We can t run c through as it creates further noise so we wrap it into another layer of encryption and decrypt. We repeat the process.

6 Squashing: Problem decryption didn t fit under the max number of multiplication Dec(C, K) = M [1] Defined Dec2(C, K, AUX)=M [2] Where AUX is secret. Equations [1], [2] are identical but the second equation has an auxiliary input.