Encrypt your channels!
On the (in)security of GMW with authenticated communication
Peter Scholl
TPMPC 2019 Rump Session, Bar-Ilan University
MPC 101: the GMW protocol
• [Goldreich-Micali-Wigderson 87]
  - Additively secret share inputs
  - XOR gates: local
  - AND gates: OT
  - Outputs: reconstruct shares
• Question: what kind of communication channels are necessary?
Encrypted vs. unencrypted (but authenticated)
Let’s ask the experts
[GMW 87]
What the *#!? is this GMW protocol, anyway?
Let’s try again
Foundations of Cryptography [Gol 04]
Universally Composable Two-Party and Multi-Party Secure Computation [CLOS ’02]
Securely computing 𝑧 = 𝑎 + 𝑏 + 𝑐
[Diagram, built up over several slides: three parties with inputs 𝑎, 𝑏, 𝑐, each split into three shares (𝑎1, 𝑎2, 𝑎3; 𝑏1, 𝑏2, 𝑏3; 𝑐1, 𝑐2, 𝑐3). The shares 𝑎2, 𝑎3, 𝑏1, 𝑏3, 𝑐1, 𝑐2 are sent over the channels, the parties sum their shares into 𝑧1, 𝑧2, 𝑧3, and 𝑧1, 𝑏1, 𝑐1 are combined to obtain 𝑎.]
Leaks all inputs
Conclusion: use secure and authenticated channels in GMW
• In practice:
  - Hopefully real-world implementations do this already…
• In theory: [GMW 87], [CLOS 02] can still work with unencrypted channels
  - Secure for circuits where every output wire passes through an AND gate
  - Generic fix: AND every output wire with itself [Gol 17]
• A theoretical question:
  - For what functionalities does security with 𝑡 = 𝑛 − 1 ⇒ security with 𝑡 < 𝑛?
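The leak from the 𝑧 = 𝑎 + 𝑏 + 𝑐 slides and the generic fix from the conclusion, as an added Python example that is not part of the talk. It assumes a passive observer who reads every message on the authenticated but unencrypted channels and corrupts no party, models the OTs inside the AND gate as ideal, and treats each 64-bit value as 64 parallel one-bit wires; all function names are hypothetical.

```python
import secrets
from functools import reduce
from operator import xor

BITS = 64  # assumption: each value stands for 64 parallel one-bit GMW wires

def xor_all(vals):
    return reduce(xor, vals, 0)

def share(x, n):
    """Additive (XOR) sharing of x among n parties."""
    parts = [secrets.randbits(BITS) for _ in range(n - 1)]
    return parts + [x ^ xor_all(parts)]

def and_shares(x, y):
    """GMW AND gate on shared x and y. The pairwise OTs are modelled as ideal
    (assumption): nothing readable reaches the wire, and parties i and j end
    up with fresh XOR shares of x[i] & y[j]."""
    n, out = len(x), [xi & yi for xi, yi in zip(x, y)]
    for i in range(n):
        for j in range(n):
            if i != j:
                r = secrets.randbits(BITS)   # sender i's random OT mask
                out[i] ^= r
                out[j] ^= r ^ (x[i] & y[j])  # receiver j's OT output
    return out

def run(inputs, and_outputs=False):
    """Compute z = XOR of all inputs; return (z, wire), where wire holds every
    message an observer of unencrypted channels can read."""
    n = len(inputs)
    sh = [share(x, n) for x in inputs]       # sh[owner][holder]
    wire = {("share", o, h): sh[o][h]
            for o in range(n) for h in range(n) if o != h}
    z = [xor_all(sh[o][h] for o in range(n)) for h in range(n)]  # local XOR
    if and_outputs:                          # generic fix: AND z with itself
        z = and_shares(z, z)
    wire.update({("out", h): z[h] for h in range(n)})  # output reconstruction
    return xor_all(z), wire

def eavesdrop(wire, n):
    """Passive observer: try to rebuild every input from the wire alone."""
    guess = []
    for o in range(n):
        others = [p for p in range(n) if p != o]
        kept = wire[("out", o)] ^ xor_all(wire[("share", p, o)] for p in others)
        guess.append(kept ^ xor_all(wire[("share", o, p)] for p in others))
    return guess
```

On the plain run the observer's guess equals the inputs; with `and_outputs=True` the broadcast output shares are re-randomised by the OT masks, so the same computation on the wire yields values unrelated to the inputs while 𝑧 still reconstructs correctly.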
Thank you!
Acknowledgements:
- Thanks to Oded Goldreich, Yehuda Lindell and Claudio Orlandi for valuable discussions.
References:
[GMW 87] Goldreich, Micali, Wigderson. How to Play Any Mental Game
http://www.wisdom.weizmann.ac.il/~oded/X/gmw2a.pdf
[CLOS 02] Canetti, Lindell, Ostrovsky, Sahai. Universally Composable Two-Party and Multi-Party Secure Computation
https://eprint.iacr.org/2002/140.pdf
[Gol 04] Goldreich. Foundations of Cryptography - Volume 2: Basic Applications
[Gol 17] Goldreich. List of Corrections for Foundations of Cryptography - Volume 2
http://www.wisdom.weizmann.ac.il/~oded/foc-vol2.html