Top

Journal of Cryptology

Published in:

01-04-2015

An Efficient Protocol for Secure Two-Party Computation in the Presence of Malicious Adversaries

Authors: Yehuda Lindell, Benny Pinkas

Published in: Journal of Cryptology | Issue 2/2015

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

We show an efficient secure two-party protocol, based on Yao’s construction, which provides security against malicious adversaries. Yao’s original protocol is only secure in the presence of semi-honest adversaries, and can be transformed into a protocol that achieves security against malicious adversaries by applying the compiler of Goldreich, Micali, and Wigderson (the “GMW compiler”). However, this approach does not seem to be very practical as it requires using generic zero-knowledge proofs. Our construction is based on applying cut-and-choose techniques to the original circuit and inputs. Security is proved according to the ideal/real simulation paradigm, and the proof is in the standard model (with no random oracle model or common reference string assumptions). The resulting protocol is computationally efficient: the only usage of asymmetric cryptography is for running \(O(1)\) oblivious transfers for each input bit (or for each bit of a statistical security parameter, whichever is larger). Our protocol combines techniques from folklore (like cut-and-choose) along with new techniques for efficiently proving consistency of inputs. We remark that a naive implementation of the cut-and-choose technique with Yao’s protocol does not yield a secure protocol. This is the first paper to show how to properly implement these techniques, and to provide a full proof of security. Our protocol can also be interpreted as a constant-round black-box reduction of secure two-party computation to oblivious transfer and perfectly hiding commitments, or a black-box reduction of secure two-party computation to oblivious transfer alone, with a number of rounds which is linear in a statistical security parameter. These two reductions are comparable to Kilian’s (20th STOC, 1988) reduction, which uses OT alone but incurs a number of rounds which is linear in the depth of the circuit.

previous article From Non-adaptive to Adaptive Pseudorandom Functions

next article Computing on Authenticated Data

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Available only for authorised users

Another way of defining \(f\) is as a deterministic function \(f:\{0,1\}^*\times \{0,1\}^*\times \{0,1\}^*\rightarrow \{0,1\}^*\times \{0,1\}^*\), where the third input is uniformly chosen. That is, first a uniformly distributed string \(r\) is chosen, and then the first and second parties receive \(f_1(x,y,r)\) and \(f_2(x,y,r)\), respectively.

Note that in order to meet Definition 1, one must actually switch the roles of \(P_1\) and \(P_2\) above. This is due to the fact that by our definition of the ideal model, a corrupted \(P_1\) is given the capability to cause \(P_2\) to abort, even after \(P_1\) has received its own output. In contrast, a corrupted \(P_2\) is not given this capability. In the protocol described, \(P_2\) receives output first and can cause \(P_1\) to abort, rather than the reverse. This is “fixed” by just switching the roles.

The reason for taking the majority value as the output is that the aforementioned test only reveals a single incorrectly constructed circuit with probability \(1/2\). Therefore, if \(P_{1} \,\) generates a single or constant number of “bad” circuits, there is a reasonable chance that it will not be caught. In contrast, there is only an exponentially small probability that the test reveals no corrupt circuit and at the same time a majority of the circuits that are not checked are incorrect. Consequently, with overwhelming probability it holds that if the test succeeds and \(P_{2} \,\) takes the majority result of the remaining circuits, then the result is correct. We remark that the alternative of aborting in case not all the outputs are the same (namely, where cheating is detected) is not secure and actually yields a concrete attack. The attack works as follows. Assume that \(P_1\) is corrupted and that it constructs all of the circuits correctly except for one. The “incorrect circuit” is constructed so that it computes the exclusive-or of the desired function \(f\) with the first bit of \(P_2\)’s input. Now, if \(P_2\) policy is to abort as soon as two outputs are not the same then \(P_1\) knows that \(P_2\) aborts if, and only if, the first bit of its input is 1.

Recall that \(\rho \) and \(\rho '\) are used to ensure that \(P_1\) constructs the circuits correctly and uses consistent input in each circuit. Thus, it may seem strange that they are generated via a coin-tossing protocol, and not just chosen singlehandedly by \(P_2\). Indeed, in order to prove the security of the protocol when \(P_1\) is corrupted, there is no need for a coin-tossing protocol here. However, having \(P_2\) choose \(\rho \) and \(\rho '\) singlehandedly creates a problem for the simulation in the case that \(P_2\) is corrupted. We therefore use a coin-tossing protocol instead.

This check is crucial and thus the order of first running the oblivious transfer and then sending the circuits and commitments is not at all arbitrary.

Notice that there is one oblivious transfer for each input bit. Furthermore, the input of \(A_1\) into these executions is a pair of vectors of \(s\) garbled values so that in the \(i\)th execution, the first vector contains all of the decommitments for garbled values that correspond to 0 for the \(i\)th input wire of \(P_2\), and the second vector contains all of the decommitments for garbled values that correspond to 1 for the \(i\)th input wire of \(P_2\). This means that in every circuit, \(A_2\) receives garbled values that correspond to the same input \(y\).

This requirement is due to our labelling of gates described below, that does not provide a unique label to each wire (see [22] for more discussion). We note that this assumption on \(C\) increases the number of gates by at most \(n\).

G. Aggarwal, N. Mishra, B. Pinkas, Secure computation of the k-th ranked element, in EUROCRYPT 2004. LNCS, vol. 3027 (Springer-Verlag, Berlin, 2004), pp. 40–55

B. Aiello, Y. Ishai, O. Reingold, Priced oblivious transfer: how to sell digital goods, in EUROCRYPT 2001. LNCS, vol. 2045 (Springer-Verlag, Berlin, 2001), pp. 119–135

B. Barak, Y. Lindell, Strict polynomial-time in simulation and extraction. SIAM J. Comput. 33(4), 783–818 (2004)

D. Beaver, Foundations of secure interactive computing. in CRYPTO’91. LNCS, vol. 576 (Springer-Verlag, Berlin, 1991), pp. 377–391

R. Canetti, Security and composition of multiparty cryptographic protocols. J. Cryptol. 13(1), 143–202 (2000)

R. Cramer, I. Damgård, B. Schoenmakers, Proofs of partial knowledge and simplified design of witness hiding protocols, in CRYPTO’94. LNCS, vol. 839 (Springer-Verlag, Berlin, 1994), pp. 174–187

I. Damgård, T.P. Pedersen, B. Pfitzmann, On the existence of statistically hiding bit commitment schemes and fail-stop signatures, in CRYPTO’93. LNCS, vol. 773 (Springer-Verlag, Berlin, 1994), pp. 250–265

S. Even, O. Goldreich, A. Lempel, A randomized protocol for signing contracts. Commun. ACM 28(6), 637–647 (1985)

O. Goldreich, Foundations of Cryptography: vol. 1—Basic Tools. Cambridge University Press, Cambridge (2001)

10.

O. Goldreich, Foundations of Cryptography: vol. 2—Basic Applications. Cambridge University Press, Cambridge (2004)

11.

O. Goldreich, A. Kahan, How to construct constant-round zero-knowledge proof systems for NP. J. Cryptol. 9(3), 167–190 (1996)

12.

O. Goldreich, S. Micali, A. Wigderson, How to play any mental game—a completeness theorem for protocols with honest majority, in 19th STOC, pp. 218–229 (1987) (For details see [10])

13.

S. Goldwasser, L. Levin, Fair computation of general functions in presence of immoral majority, in CRYPTO’90. LNCS, vol. 537 (Springer-Verlag, Berlin, 1990), pp. 77–93

14.

S. Goldwasser, S. Micali, R.L. Rivest, A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988)

15.

S. Halevi, S. Micali, Practical and provably-secure commitment schemes from collision-free hashing. CRYPTO 1996. LNCS, vol. 1109 (Springer-Verlag, Berlin, 1996), pp. 201–215

16.

S. Jarecki, V. Shmatikov, Efficient two-party secure computation on committed inputs, in Eurocrypt ’07. LNCS, vol. 4515 (Springer-Verlag, Berlin, 2007), pp. 97–114

17.

Y.T. Kalai, Smooth projective hashing and two-message oblivious transfer, in EUROCRYPT 2005. LNCS, vol. 3494 (Springer-Verlag, Berlin, 2005), pp. 78–95

18.

J. Katz, Y. Lindell, Handling expected polynomial-time strategies in simulation-based security proofs, in The 2nd Theory of Cryptography Conference (TCC). LNCS, vol. 3378 (Springer-Verlag, Berlin, 2005), pp. 128–149

19.

J. Kilian, Founding cryptography on oblivious transfer, in 20th STOC, pp. 20–31 (1988)

20.

M. Kiraz, B. Schoenmakers. A protocol issue for the malicious case of Yao’s garbled circuit construction, in Proceedings of 27th Symposium on Information Theory in the Benelux, pp. 283–290 (2006)

21.

Y. Lindell, Efficient fully-simulatable oblivious transfer. Manuscript (2007)

22.

Y. Lindell, B. Pinkas, A proof of Yao’s protocol for secure two-party computation. J. Cryptol. (to appear). Also appeared as Cryptology ePrint Archive, Report 2004/175, 2004.

23.

D. Malkhi, N. Nisan, B. Pinkas, Y. Sella, Fairplay—a secure two-party computation system, in The 13th USENIX Security Symposium, pp. 287–302 (2004)

24.

S. Micali, P. Rogaway, Secure computation. Unpublished manuscript, 1992. Preliminary version in CRYPTO’91. LNCS, vol. 576 (Springer-Verlag, Berlin, 1991), pp. 392–404

25.

P. Mohassel, M.K. Franklin, Efficiency tradeoffs for Malicious two-party computation, in The 9th PKC Conference. LNCS, vol. 3958 (Springer-Verlag, Berlin, 2006), pp. 458–473

26.

M. Naor, Bit commitment using pseudorandomness. J. Cryptol. 4(2), 151–158 (1991)

27.

M. Naor, B. Pinkas, Efficient oblivious transfer protocols, in The 12th SODA, pp. 448–457 (2001)

28.

T.P. Pedersen, Non-interactive and information-theoretic secure verifiable secret sharing, in CRYPTO’91. LNCS, vol. 576 (Springer-Verlag, Berlin, 1992), pp. 129–140

29.

M. Rabin, How to exchange secrets by oblivious transfer. Tech. Memo TR-81, Aiken Computation Laboratory, Harvard University (1981)

30.

D. Woodruff, Revisiting the efficiency of Malicious two-party computation, in Eurocrypt ’07. LNCS, vol. 4515 (Springer-Verlag, Berlin, 2007), pp. 79–96

31.

A. Yao, How to generate and exchange secrets, in 27th FOCS, pp. 162–167 (1986)

Title: An Efficient Protocol for Secure Two-Party Computation in the Presence of Malicious Adversaries
Authors: Yehuda Lindell
Benny Pinkas
Publication date: 01-04-2015
Publisher: Springer US
Published in: Journal of Cryptology / Issue 2/2015
Print ISSN: 0933-2790
Electronic ISSN: 1432-1378
DOI: https://doi.org/10.1007/s00145-014-9177-x

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Other articles of this Issue 2/2015

Efficient Recursive Diffusion Layers for Block Ciphers and Hash Functions

Computing on Authenticated Data

The Rebound Attack and Subspace Distinguishers: Application to Whirlpool

From Non-adaptive to Adaptive Pseudorandom Functions

New Attacks on IDEA with at Least 6 Rounds

Premium Partner