Hashing Garbled Circuits for Free Xiong Fan, Chaya Ganesh and - PowerPoint PPT Presentation

GC hash definition Take advantage of the input to hash being a Garbled Circuit GC hash definition weaker than standard collision resistance Given a correctly generated garbled circuit and hash ( GC , h ) If A finds � GC such that H ( � GC ) = H ( GC ) Then, w.h.p, the garbled circuit property of � GC is broken

GC hash definition Take advantage of the input to hash being a Garbled Circuit GC hash definition weaker than standard collision resistance Given a correctly generated garbled circuit and hash ( GC , h ) If A finds � GC such that H ( � GC ) = H ( GC ) Then, w.h.p, the garbled circuit property of � GC is broken � GC will fail to evaluate

GC, GC , e, e , d, h C

GC, GC , e, e , d, h C H(GC) = H( GC ) = h

GC, GC , e, e , d, h C H(GC) = H( GC ) = h Ve(C, GC, d, e ) = accept

GC, GC , e, e , d, h GC, GC , e, e , d, h C H(GC) = H( GC ) = h Ve(C, GC, d, e ) = accept De( Eval( GC , En( e , x), d) ) = 丄 for all x , w.h.p

GC, GC , e, e , d, h C H(GC) = H( GC ) = h Ve(C, GC, d, e ) = accept De( Eval( GC , En( e , x), d) ) = 丄 for all x , w.h.p

GC, GC , e, e , d, h C H(GC) = H( GC ) = h Same decoding information d Ve(C, GC, d, e ) = accept De( Eval( GC , En( e , x), d) ) = 丄 for all x , w.h.p

Overview Definition of GC hash security Hashed garbling constructions – standard garbling and half-gates [ZRE’15] Implementation and evaluation Impact – Applications of free hash

GC hash construction Intertwine hash generation and verification with GC generation and evaluation

GC hash construction Intertwine hash generation and verification with GC generation and evaluation Attempt 1: H ( GC ) = ⊕ i GR i

a c e b d

A 0 , A 1 C 0 , C 1 E 0 , E 1 B 0 , B 1 D 0 , D 1

A 0 , A 1 C 0 , C 1 E 0 , E 1 B 0 , B 1 D 0 , D 1 GT1 E A0, B0 ( C 0 ) E A0, B1 ( C 0 ) E A1, B0 ( C 0 ) E A1, B1 ( C 1 )

A 0 , A 1 C 0 , C 1 E 0 , E 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( C 0 ) E C0, D0 ( E 0 ) E A0, B1 ( C 0 ) E C0, D1 ( E 1 ) E A1, B0 ( C 0 ) E C1, D0 ( E 1 ) E A1, B1 ( C 1 ) E C1, D1 ( E 1 )

A 0 , A 1 C 0 , C 1 E 0 , E 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( C 0 ) E C0, D0 ( E 0 ) GC = (GT1, GT2) E A0, B1 ( C 0 ) E C0, D1 ( E 1 ) E A1, B0 ( C 0 ) E C1, D0 ( E 1 ) E A1, B1 ( C 1 ) E C1, D1 ( E 1 )

A 0 , A 1 C 0 , C 1 E 0 , E 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( C 0 ) E C0, D0 ( E 0 ) GC = (GT1, GT2) E A0, B1 ( C 0 ) E C0, D1 ( E 1 ) ⊕ h = E A1, B0 ( C 0 ) E C1, D0 ( E 1 ) E A1, B1 ( C 1 ) E C1, D1 ( E 1 )

A 0 , A 1 C 0 , C 1 E 0 , E 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( C 0 ) E C0, D0 ( E 0 ) GC = (GT1, GT2) E A0, B1 ( C 0 ) E C0, D1 ( E 1 ) ⊕ h = H(GC) = h E A1, B0 ( C 0 ) E C1, D0 ( E 1 ) E A1, B1 ( C 1 ) E C1, D1 ( E 1 )

A 0 , A 1 C 0 , C 1 E 0 , E 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( C 0 ) E C0, D0 ( E 0 ) GC = (GT1, GT2) E A0, B1 ( C 0 ) E C0, D1 ( E 1 ) ⊕ h = H(GC) = h E A1, B0 ( C 0 ) E C1, D0 ( E 1 ) E A1, B1 ( C 0 ) E C1, D1 ( E 1 )

A 0 , A 1 C 0 , C 1 E 0 , E 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( C 0 ) E C0, D0 ( E 0 ) GC = (GT1, GT2) E A0, B1 ( C 0 ) E C0, D1 ( E 1 ) ⊕ h = H(GC) = h E A1, B0 ( C 0 ) E C1, D0 ( E 1 ) ĜC = (ĜT1, GT2) E A1, B1 ( C 0 ) E C1, D1 ( E 1 )

A 0 , A 1 C 0 , C 1 E 0 , E 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( C 0 ) E C0, D0 ( E 0 ) GC = (GT1, GT2) E A0, B1 ( C 0 ) E C0, D1 ( E 1 ) ⊕ h = H(GC) = h E A1, B0 ( C 0 ) E C1, D0 ( E 1 ) ĜC = (ĜT1, GT2) E A1, B1 ( C 0 ) E C1, D1 ( E 1 ) H(ĜC) = h ⊕ Δ

A 0 , A 1 C 0 , C 1 Inactive row E 0 , E 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( C 0 ) E C0, D0 ( E 0 ) GC = (GT1, GT2) E A0, B1 ( C 0 ) E C0, D1 ( E 1 ) ⊕ h = H(GC) = h E A1, B0 ( C 0 ) E C1, D0 ( E 1 ) ĜC = (ĜT1, GT2) E A1, B1 ( C 0 ) E C1, D1 ( E 1 ) H(ĜC) = h ⊕ Δ

A 0 , A 1 C 0 , C 1 E 0 , E 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E C0, D0 ( E 0 ) ⊕ Δ E A0, B0 ( C 0 ) GC = (GT1, GT2) E A0, B1 ( C 0 ) E C0, D1 ( E 1 ) ⊕ h = H(GC) = h E A1, B0 ( C 0 ) E C1, D0 ( E 1 ) ĜC = (ĜT1, GT2) E A1, B1 ( C 0 ) E C1, D1 ( E 1 ) H(ĜC) = h ⊕ Δ

A 0 , A 1 C 0 , C 1 E 0 , E 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( C 0 ) E C0, D0 ( E 0 ) ⊕ Δ GC = (GT1, GT2) E A0, B1 ( C 0 ) E C0, D1 ( E 1 ) ⊕ h = H(GC) = h E A1, B0 ( C 0 ) E C1, D0 ( E 1 ) ĜC = (ĜT1, GT2) E A1, B1 ( C 0 ) E C1, D1 ( E 1 ) H(ĜC) = h ⊕ Δ ⊕ Δ

A 0 , A 1 C 0 , C 1 E 0 , E 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( C 0 ) E C0, D0 ( E 0 ) ⊕ Δ GC = (GT1, GT2) E A0, B1 ( C 0 ) E C0, D1 ( E 1 ) ⊕ h = H(GC) = h E A1, B0 ( C 0 ) E C1, D0 ( E 1 ) ĜC = (ĜT1, GT2) E A1, B1 ( C 0 ) E C1, D1 ( E 1 ) H(ĜC) = h ✔

GC hash construction Make each gate’s output wire label depend on all entries of GT

GC hash construction Make each gate’s output wire label depend on all entries of GT XOR hash correction involves modifying an active GT entry

GC hash construction Make each gate’s output wire label depend on all entries of GT XOR hash correction involves modifying an active GT entry This affects the computed output wire label of the gate

GC hash construction Make each gate’s output wire label depend on all entries of GT XOR hash correction involves modifying an active GT entry This affects the computed output wire label of the gate Does this suffice?

A 0 , A 1 C 0 , C 1 E 0 , E 1 B 0 , B 1 D 0 , D 1

C 0 , C 1 E 0 , E 1 A 0 , A 1 tC 0 , tC 1 tE 0 , tE 1 B 0 , B 1 D 0 , D 1

Temporary wire labels C 0 , C 1 E 0 , E 1 A 0 , A 1 tC 0 , tC 1 tE 0 , tE 1 B 0 , B 1 D 0 , D 1

C 0 , C 1 E 0 , E 1 A 0 , A 1 tC 0 , tC 1 tE 0 , tE 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( tC 0 ) E C0, D0 ( t E 0 ) E A0, B1 ( tC 0 ) E C0, D1 ( t E 1 ) E A1, B0 ( tC 0 ) E C1, D0 ( t E 1 ) E A1, B1 ( tC 1 ) E C1, D1 ( t E 1 )

C b = tC b ⊕ GT1 C 0 , C 1 E 0 , E 1 E b = tE b ⊕ GT2 A 0 , A 1 tC 0 , tC 1 tE 0 , tE 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( tC 0 ) E C0, D0 ( t E 0 ) E A0, B1 ( tC 0 ) E C0, D1 ( t E 1 ) E A1, B0 ( tC 0 ) E C1, D0 ( t E 1 ) E A1, B1 ( tC 1 ) E C1, D1 ( t E 1 )

C b = tC b ⊕ GT1 C 0 , C 1 E 0 , E 1 E b = tE b ⊕ GT2 A 0 , A 1 tC 0 , tC 1 tE 0 , tE 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( tC 0 ) E C0, D0 ( t E 0 ) GC = (GT1, GT2) E A0, B1 ( tC 0 ) E C0, D1 ( t E 1 ) ⊕ h = H(GC) = h E A1, B0 ( tC 0 ) E C1, D0 ( t E 1 ) E A1, B1 ( tC 1 ) E C1, D1 ( t E 1 )

C b = tC b ⊕ GT1 C 0 , C 1 E 0 , E 1 E b = tE b ⊕ GT2 A 0 , A 1 tC 0 , tC 1 tE 0 , tE 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( tC 0 ) E C0, D0 ( t E 0 ) GC = (GT1, GT2) E A0, B1 ( tC 0 ) E C0, D1 ( t E 1 ) ⊕ h = H(GC) = h E A1, B0 ( tC 0 ) E C1, D0 ( t E 1 ) ĜC = (ĜT1, GT2) E A1, B1 ( tC 0 ) E C1, D1 ( t E 1 ) H(ĜC) = h ⊕ Δ

C b = tC b ⊕ GT1 C 0 , C 1 E 0 , E 1 E b = tE b ⊕ GT2 A 0 , A 1 tC 0 , tC 1 tE 0 , tE 1 B 0 , B 1 D 0 , D 1 Fixes Δ for h But tC 0 ⊕ GT1 = C b ? GT1 GT2 E A0, B0 ( tC 0 ) E C0, D0 ( t E 0 ) GC = (GT1, GT2) E A0, B1 ( tC 0 ) E C0, D1 ( t E 1 ) ⊕ h = H(GC) = h E A1, B0 ( tC 0 ) E C1, D0 ( t E 1 ) ĜC = (ĜT1, GT2) E A1, B1 ( tC 0 ) E C1, D1 ( t E 1 ) H(ĜC) = h ⊕ Δ

C b = tC b ⊕ GT1 C 0 , C 1 E 0 , E 1 E b = tE b ⊕ GT2 A 0 , A 1 tC 0 , tC 1 tE 0 , tE 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( tC 0 ) E C0, D0 ( t E 0 ) GC = (GT1, GT2) E A0, B1 ( tC 0 ) E C0, D1 ( t E 1 ) ⊕ h = H(GC) = h E A1, B0 ( tC 0 ) E C1, D0 ( t E 1 ) ĜC = (ĜT1, GT2) E A1, B1 ( tC 0 ) E C1, D1 ( t E 1 ) H(ĜC) = h ⊕ Δ

C b = tC b ⊕ GT1 C 0 , C 1 E 0 , E 1 E b = tE b ⊕ GT2 A 0 , A 1 tC 0 , tC 1 tE 0 , tE 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( tC 0 ) ⊕ Δ E C0, D0 ( t E 0 ) GC = (GT1, GT2) E A0, B1 ( tC 0 ) E C0, D1 ( t E 1 ) ⊕ h = H(GC) = h E A1, B0 ( tC 0 ) E C1, D0 ( t E 1 ) ĜC = (ĜT1, GT2) E A1, B1 ( tC 0 ) E C1, D1 ( t E 1 ) H(ĜC) = h ⊕ Δ

C b = tC b ⊕ GT1 C 0 , C 1 E 0 , E 1 E b = tE b ⊕ GT2 A 0 , A 1 tC 0 , tC 1 tE 0 , tE 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( tC 0 ) ⊕ Δ E C0, D0 ( t E 0 ) GC = (GT1, GT2) E A0, B1 ( tC 0 ) E C0, D1 ( t E 1 ) ⊕ h = H(GC) = h E A1, B0 ( tC 0 ) E C1, D0 ( t E 1 ) ĜC = (ĜT1, GT2) E A1, B1 ( tC 0 ) E C1, D1 ( t E 1 ) H(ĜC) = h ⊕ Δ ⊕ Δ

C b = tC b ⊕ GT1 C 0 , C 1 E 0 , E 1 E b = tE b ⊕ GT2 A 0 , A 1 tC 0 , tC 1 tE 0 , tE 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( tC 0 ) ⊕ Δ E C0, D0 ( t E 0 ) GC = (GT1, GT2) E A0, B1 ( tC 0 ) E C0, D1 ( t E 1 ) ⊕ h = H(GC) = h E A1, B0 ( tC 0 ) E C1, D0 ( t E 1 ) ĜC = (ĜT1, GT2) E A1, B1 ( tC 0 ) E C1, D1 ( t E 1 ) H(ĜC) = h ✔

C b = tC b ⊕ GT1 C 0 , C 1 E 0 , E 1 E b = tE b ⊕ GT2 A 0 , A 1 tC 0 , tC 1 tE 0 , tE 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( tC 0 ) ⊕ Δ E C0, D0 ( t E 0 ) GC = (GT1, GT2) E A0, B1 ( tC 0 ) E C0, D1 ( t E 1 ) ⊕ h = H(GC) = h E A1, B0 ( tC 0 ) E C1, D0 ( t E 1 ) ĜC = (ĜT1, GT2) E A1, B1 ( tC 0 ) E C1, D1 ( t E 1 ) H(ĜC) = h ✔ tC 0 ⊕ GT1 = C 0

C b = tC b ⊕ GT1 C 0 , C 1 E 0 , E 1 E b = tE b ⊕ GT2 A 0 , A 1 tC 0 , tC 1 tE 0 , tE 1 B 0 , B 1 D 0 , D 1 GT1 GT2 E A0, B0 ( tC 0 ) ⊕ Δ E C0, D0 ( t E 0 ) GC = (GT1, GT2) E A0, B1 ( tC 0 ) E C0, D1 ( t E 1 ) ⊕ h = H(GC) = h E A1, B0 ( tC 0 ) E C1, D0 ( t E 1 ) ĜC = (ĜT1, GT2) E A1, B1 ( tC 0 ) E C1, D1 ( t E 1 ) H(ĜC) = h ✔ tC 0 ⊕ GT1 = C 0 ✔

Hashing Garbled Circuits for Free Xiong Fan, Chaya Ganesh and - PowerPoint PPT Presentation

Hashing Garbled Circuits for Free Xiong Fan, Chaya Ganesh and Vladimir Kolesnikov Motivation Garbled circuits (GC) main technique for secure computation Motivation Garbled circuits (GC) main technique for secure computation Primitive in

Today. Cuckoo hashing. Today. Cuckoo hashing. Johnson-Lindenstrass. Cuckoo hashing. Hashing

14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple

Overview Intro to Hashing Intro to Hashing Hashing with Chaining Whats hashing?

14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple

Adaptive Garbled RAM from Adaptive Garbled RAM from Laconic Oblivious Transfer Sanjam Garg

Stronger Security for Reusable Garbled Circuits, General Definitions and Attacks Shweta Agrawal

Practical Garbled Circuit Optimizations Mike Rosulek Collaborators: David Evans / Vlad Kolesnikov

Hashing (Application of Probability) Ashwinee Panda Final CS 70 Lecture! 9 Aug 2018 Overview

Hashing Connections 2-Universal Hash Function Perfect Hashing Anil Maheshwari Proofs

Union-Find [10] In the last class Hashing Collision Handling for Hashing Closed

Hashing Chapter 5 1 Objectives Understand the idea of hashing Compare hashing to sorting

Database Systems Index: Hashing Based on slides by Feifei Li, University of Utah Hashing n

Stevenage Circuits Group Incorporating: Stevenage Circuits Tru-Lon Printed Circuits March 2011

Lecture 14: Boolean Circuits I Arijit Bishnu 17.04.2010 Introduction Boolean Circuits and P

Hashing Hashing What is it? A form of narcotic intake? A side order for your eggs? A

Lecture 8: Hashing I Lecture Overview Dictionaries and Python Motivation Prehashing

Security Crisis Management Emmanuel FUCHS Slides available soon at www.Elfuchs.Fr Crisis

ISOLATION DEFENSES GRAD SEC OCT 03 2017 ISOLATION Running untrusted code in a trusted

Modelling childrens experiences of online skills, opportunities and risks: a European

Unit: Multicriteria decision analysis Learning goals I. General classification of strategies in

strtrs r sst

Proofs of Replicated Storage Without Timing Assumptions Ivan Damgrd, Chaya Ganesh, Claudio

The PARSEME Shared Task on Automatic Identification of Verbal Multiword Expressions (1.1) C.

Challenges in Applying Machine Learning Methods: Studying Political Interactions on Social

Explore More Topics

Sambuz

Useful Links

Newsletter

Mail Us