Secure Computation » Software

The Cut-and-Choose Game and its Application to Cryptographic Protocols

David Evans — Wed, 06 Jul 2016 14:50:53 +0000

The cut-and-choose technique plays a fundamental role in cryptographic-protocol design, especially for secure
two-party computation in the malicious model. The basic idea is that one party constructs n versions of a message
in a protocol (e.g., garbled circuits); the other party randomly checks some of them and uses the rest of them in
the protocol. Most existing uses of cut-and-choose fix in advance the number of objects to be checked and in optimizing
this parameter they fail to recognize the fact that checking and evaluating may have dramatically different costs.

In a paper to be presented at USENIX Security 2016, we consider a refined cost model and formalize the cut-and-choose parameter selection problem as a constrained optimization problem. We analyze “cut-and-choose games” and show equilibrium strategies
for the parties in these games. We then show how our methodology can be applied to improve the efficiency of three representative categories of secure-computation protocols based on cut-and-choose. We show improvements of up to an-order-of-magnitude in terms of bandwidth, and 12–106% in terms of total time.

Paper: Ruiyu Zhu, Yan Huang, Jonathan Katz, and abhi shelat. The Cut-and-Choose Game and its Application to Cryptographic Protocols. USENIX Security Symposium, 2016.

Source code of our game solvers: https://github.com/cut-n-choose

Square-Root ORAM

David Evans — Fri, 03 Jun 2016 18:23:16 +0000

Hiding memory access patterns is required for secure computation, but remains prohibitively expensive for many interesting applications. Prior work has either developed custom algorithms that minimize the need for data-dependant memory access, or proposed the use of Oblivious RAM (ORAM) to provide a general-purpose solution. However, most ORAMs are designed for client-server scenarios, and provide only asymptotic benefits in secure computation. We developed a new version of the classical square-root ORAM of Goldreich and Ostrovsky suited for use in secure computation. It has over 100x lower initialization cost than the best previous schemes, and provides benefits over linear scan for just 8 blocks of data. Our scheme outperforms alternate approaches across a wide range of parameters, often by several orders of magnitude.

Samee Zahur presented the results at IEEE Symposium on Security and Privacy (“Oakland”) 2016. The full paper is:

Samee Zahur, Xiao Wang, Mariana Raykova, Adrià Gascón, Jack Doerner, David Evans, Jonathan Katz. Revisiting Square-Root ORAM Efficient Random Access in Multi-Party Computation. In 37th IEEE Symposium on Security and Privacy (“Oakland”). San Jose, CA. 23-25 May 2016.

For more (including source code and benchmarks), see https://oblivc.org/sqoram/.

Two Halves Make a Whole

David Evans — Sat, 28 Mar 2015 17:55:09 +0000

Surprisingly, it is possible to reduce the data needed for a garbled gate to only two ciphertexts per gate, while preserving free xors. The scheme for doing that is described in our paper, Two Halves Make a Whole: Reducing Data Transfer in Garbled Circuits using Half Gates by Samee Zahur and Mike Rosulek and David Evans (now available on eprint). Samee Zahur will present the work at Eurocrypt 2015 in Sofia, Bulgaria, 26-30 April.

Abstract. The well-known classical constructions of garbled circuits use four ciphertexts per gate, although various methods have been proposed to reduce this cost. The best previously known methods for optimizing AND gates (two ciphertexts; Pinkas et al., ASIACRYPT 2009) and XOR gates (zero ciphertexts; Kolesnikov & Schneider, ICALP 2008) were incompatible, so most implementations used the best known method compatible with free-XOR gates (three ciphertexts; Kolesnikov & Schneider, ICALP 2008). In this work we show how to simultaneously garble AND gates using two ciphertexts and XOR gates using zero ciphertexts, resulting in smaller garbled circuits than any prior scheme. The main idea behind our construction is to break an AND gate into two half-gates — AND gates for which one party knows one input. Each half-gate can be garbled with a single ciphertext, so our construction uses two ciphertexts for each AND gate while being compatible with free-XOR gates. The price for the reduction in size is that the evaluator must perform two cryptographic operations per AND gate, rather than one as in previous schemes. We experimentally demonstrate that our garbling scheme leads to an overall decrease in time (up to 25%), bandwidth (up to 33%), and energy use (up to 20%) over several benchmark applications. We also initiate a study of lower bounds for garbled gate size, and show that our construction is optimal for a large class of garbling schemes encompassing all known practical garbling techniques.

iDash Competition Winner

David Evans — Tue, 17 Mar 2015 17:51:02 +0000

Congratulations to Samee Zahur for winning the iDash Secure Genomics competition (Hamming Distance challenge task), sponsored by Human Longevity, Inc. A video of the event is available at http://www.humangenomeprivacy.org/.

Samee’s solution was built using Obliv-C, a language for data-oblivious computation.

Circuit Structures

David Evans — Tue, 05 Mar 2013 01:32:47 +0000

Samee Zahur and I have written a paper on Circuit Structures for Improving Efficiency of Security and Privacy Tools. The paper explores ways to design static circuits (as used in garbled circuit protocols and symbolic execution, among other things) to provide reasonable efficiency for algorithms that use common data structures like arrays. By taking advantage of somewhat predictable access patterns, as well as batching, our circuit structures are able to provide operations with amortized cost that is polylogarithmic in the size of the data structure (in contrast to naive approaches that would require effectively copying the entire data structure for each operation). Samee will present the paper at the IEEE Symposium on Security and Privacy (“Oakland”) in San Francisco in May.

Full paper (15 pages): [PDF]

Project: MightBeEvil.com/netlist

Code: http://github.com/samee/netlist

GC Framework Released

David Evans — Thu, 25 Aug 2011 12:09:40 +0000

Version 0.0.1 of our Java-based framework and library enable programmers to build efficient and scalable privacy-preserving applications using Yao’s garbled circuit techniques. The framework is now available for download and released under the MIT open source license.