Yan Huang, Jonathan Katz, David EvansUniversity of Maryland, University of Virginia

Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose

Yehuda LindellBar-Ilan University

Fast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries

Secure Two-Party Computation

• Two parties with private inputs x and y• Compute a joint function of their inputs while

preserving– Privacy– Correctness– Independence of inputs

2

Adversaries and Security

• Semi-honest: follow protocol description but attempt to learn more than allowed– Highly efficient, but weak guarantee

• Malicious: run any arbitrary attack strategy– Much more expensive

• Covert: behave maliciously and may succeed, but will be caught with a guaranteed probability

3

Yao’s Protocol (Semi-Honest)Alice Bob

Compute f(x,y)(learn nothing else)

Garbled (encrypted)

circuit

Security for Malicious

• Alice may not construct the circuit correctly• Solution – cut-and-choose

5

The Cut-and-choose Paradigm

6

The Cut-and-choose Paradigm

7

The Cut-and-choose Paradigm

8

Majority

Final output

The Cost

• How many circuits are needed to make sure that the majority are correct?– With s circuits, probability of cheating is 2-0.311s

[LP11] or 2-0.32s [sS11]– For error 2-40, need approximately 125 circuits– For error 2-80, need approximately 250 circuits

• This is a very heavy price!

9

These Two Works

• Aim: reduce the number of garbled circuits needed1. Lindell: s circuits + some small additional

overhead for 2-s error2. Huang-Katz-Evans: s circuits per party in parallel

for 2-s error

• Cut-and-choose opens up many other problems (input consistency etc.); we focus on the main issue of number of circuits

10

Lindell’s Solution – The Main Idea

• Why majority?– A malicious Alice can make most circuits correct

and a few not– The incorrect circuits can compute the function if

Bob’s input meets some condition; otherwise compute garbage

– Bob aborts if it gets different outputs:• If Bob aborts, Alice knows that Bob’s input does not

meet the condition• If Bob does not abort, Alice knows that Bob’s input

meets the condition11

Lindell’s Solution – The Main Idea

• Make cheating possible only if all checked circuits are correct and all evaluated circuits are incorrect– This yields error 2-s for s circuits

• How?– Alice and Bob run a small secure computation in

addition– If Bob received two different outputs in two different

circuits, it learns Alice’s input– In this case, Bob computes f(x,y) itself– Alice doesn’t know which case happened

12

Lindell’s Solution – The Main Idea

• The secure computation– Yao’s circuit for malicious (e.g., LP11)– Number of non-XOR gates is only the number of

bits in Alice’s input (very small circuit)• Input consistency and other issues are dealt

with as in other works– These other parameters are not optimized in the

paper– This will be discusses in the next talk; their

solutions can be applied here13

Lindell’s Solution – More Details

• The garbled values on the output wires are secret (this has been used for secure delegation)

• If Bob learns two garbled values on a single output wire (in different circuits), then Alice must have been cheating– This is a proof that Alice cheated

• The secure computation checks if Bob has two such values and outputs Alice’s input x to Bob if yes

• This circuit can be made very small, and Alice can be forced to use the same input

14

Huang-Katz-Evans Solution

• Observation– One of the two parties is honest, all circuits

generated by him is correct

• Approach– Let each party generate half of the circuits– Suffices to ensure at least one good evaluation

circuit is generated by the adversary

15

16

17

A party uses consistent inputs in both roles

Securely combine both parties’ results to obtain the final output

Input Consistency – The Goal

18

Evaluator / OT Receiver

Generator

The discrete log of C is unknown.

[Naor and Pinkas, SODA2001]

Input Consistency – The Idea

19

Evaluator / OT Receiver

Generator

Final output

Goal: Derive the final output from both parties’ circuit evaluation results

20

Output Revelation Verifiable Secret Sharing

21

Generator picks a pair of secrets (s0, s1)randomly

with threshold:

Output Revelationcircuit check

22

sharing threshold:

Output Revelationcircuit evaluation

23

sharing threshold:

Output Revelationsecure equality test

24

(s0,s1)

One and only one of the 2 tests can succeed.

(s’0,s’1)

(s0, s’0)Output 0

(s0, s’0)

(s1, s’1)Output 1

(s1, s’1)

Conclusions

Actively secure two party computation can be done with reduced number of circuits via either punishing the cheater or symmetric cut-and-choose.