PartialGC: A server-aided
system for saving GC state
Benjamin Mood, Debayan Gupta , Kevin Butler, and
Joan Feigenbaum
February 21, 2014
Computer and Information Science
Data Analysis
Privacy Preserving Data Analysis
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
2
Data Analysis
Privacy Preserving Data Analysis
Data
Initialization
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
2
Data Analysis
Privacy Preserving Data Analysis
Data
Receive
Initialization Report
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
2
Data Analysis
Privacy Preserving Data Analysis
Data
Receive
Update
Initialization Report Information
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
2
Data Analysis
Privacy Preserving Data Analysis
Data
Receive
Update Receive
Initialization Report Information Report
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
2
Data Analysis
Privacy Preserving Data Analysis
Data
Receive
Update Receive
Remove Data
Initialization Report Information Report
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
2
Data Analysis
Privacy Preserving Data Analysis
Data
Receive
Update Receive
Modify
Remove Data
Initialization Report Information Report
Data
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
2
Data Analysis
Privacy Preserving Data Analysis
Data
Receive
Update Receive
Modify
Remove Data
Initialization Report Information Report
Data
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
Receive
Report
2
Overall Idea:
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
3
Overall Idea:
Garbled Circuit 1
AND
XOR
Saved Values
OR
NOT
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
3
Overall Idea:
Transformation
Protocol
Garbled Circuit 1
AND
XOR
Saved Values
OR
NOT
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
3
Overall Idea:
Transformation
Protocol
Garbled Circuit 1
AND
Garbled Circuit 2
AND
XOR
XOR
Saved Values
OR
NOT
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
OR
NOT
3
Outline
• Transformation
• Checking Transformation
• Server Aided Protocol
• Results
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
4
Transforming Wires
• Generator creates garbled gates that transform the
wires that work in one garbled circuit to wires that
work in another garbled circuit.
Transformation
Protocol
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
5
Transformation Details
AND
AND
OR
* = once per circuit
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
6
Transformation Details
Encrypted Output Wires
Encrypted Input Wires
AND
AND
OR
* = once per circuit
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
6
Transformation Details
AND
AND
OR
* = once per circuit
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
6
Transformation Details
Generator
AND
AND
OR
* = once per circuit
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
6
Transformation Details
Generator
AND
AND
OR
* = once per circuit
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
6
Transformation Details
Generator
Output-0
AND
Output-1
AND
OR
* = once per circuit
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
6
Transformation Details
Generator
Output-0
Random-0
Output-1
Random-1
AND
AND
OR
* = once per circuit
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
6
Transformation Details
Generator
Output-0
Random-0
Output-1
Random-1
AND
AND
OR
nonce = PRNG.rand() *
Transform-0 = hash(Output-0 ⨁ nonce) ⨁ Random-0
Transform-1 = hash(Output-1 ⨁ nonce) ⨁ Random-1
* = once per circuit
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
6
Transformation Details
Generator
Output-0
Random-0
Output-1
Random-1
AND
AND
Send To Evaluator
Transform-0
Transform-1
OR
nonce *
nonce = PRNG.rand() *
Transform-0 = hash(Output-0 ⨁ nonce) ⨁ Random-0
Transform-1 = hash(Output-1 ⨁ nonce) ⨁ Random-1
* = once per circuit
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
6
Transformation Details
AND
AND
OR
* = once per circuit
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
6
Transformation Details
Evaluator
AND
AND
OR
* = once per circuit
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
6
Transformation Details
Evaluator
AND
Output-0
AND
OR
* = once per circuit
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
6
Transformation Details
Evaluator
AND
AND
Output-0
nonce *
Transform-0
Transform-1
OR
* = once per circuit
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
6
Transformation Details
Evaluator
AND
AND
Output-0
nonce *
Transform-0
Transform-1
OR
Random-0 = hash(Output-0 ⨁ nonce) ⨁ Transform-0
* = once per circuit
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
6
Transformation Details
Evaluator
AND
AND
Output-0
Random-0
nonce *
Transform-0
Transform-1
OR
Random-0 = hash(Output-0 ⨁ nonce) ⨁ Transform-0
* = once per circuit
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
6
How to check?
• Evaluator can save the possible out values for a check
circuit and upon receiving the next iteration of that
check circuit can verify the transformation is correct.
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
7
How to check? cont.
• Problem:
In our base protocol both parties know the check and
evaluation split allowing the generator to only disrupt
evaluation gates unless we commit.
• If we commit ahead of time we introduce other
problems of longevity of the values.
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
8
Insight
• If the generator does not know the evaluation circuits
from the check circuits, then he has to send correct
transformation gates for all circuits.
• This also means the generator, for the entirety of the
computation, can never learn the split.
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
9
Multiple Cut and Choose
Garbled Circuit 1
AND
Garbled Circuit 2
AND
XOR
OR
NOT
XOR
OR
NOT
Check Circuit
Evaluation Circuit
Evaluation Circuit
Check Circuit
Check Circuit
Check Circuit
Evaluation Circuit
Check Circuit
Check Circuit
Evaluation Circuit
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
10
Multiple Cut and Choose
Garbled Circuit 1
AND
Garbled Circuit 2
AND
XOR
OR
NOT
XOR
OR
NOT
Check Circuit
Evaluation Circuit
Evaluation Circuit
Check Circuit
Check Circuit
Check Circuit
Evaluation Circuit
Check Circuit
Check Circuit
Evaluation Circuit
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
11
Single Cut and Choose
Garbled Circuit 1
AND
Garbled Circuit 2
AND
XOR
OR
NOT
XOR
OR
NOT
Check Circuit
Check Circuit
Evaluation Circuit
Evaluation Circuit
Check Circuit
Check Circuit
Evaluation Circuit
Evaluation Circuit
Check Circuit
Check Circuit
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
12
Details
• For the cut and choose, we use OT to select
encryption keys as implemented in [SS13].
• In the first computation perform the cut and choose.
• In any subsequent computation use the encryption
keys to generate new encryption keys.
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
13
3 Circuit Example
Circuit Key
Circuit Key
Circuit Key
Gen Input
Gen Input
Gen Input
Cut and Choose via OT
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
14
3 Circuit Example
Circuit Key
Circuit Key
Circuit Key
Gen Input
Gen Input
Gen Input
Cut and Choose via OT
Circuit Key
Circuit Key
Circuit Key
Gen Input
Gen Input
Gen Input
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
14
Checking Transformations
• Generator never learns the check/evaluation circuits
• Evaluator can check how the generator transforms
values from one garbled circuit computation to
another garbled circuit computation.
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
15
Implementation
• Server-aided setting
• [CMTB13] system: Outsources the evaluation of a
garbled circuit from a mobile device to a high
performance server (cloud) with security guarantees.
• Based on [KSS12]
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
16
CMTB
Generator
Cloud
Evaluator
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
17
CMTB
Generator
Cloud
Evaluator
Circuit Commit
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
17
CMTB
Generator
Cloud
Evaluator
Cut and Choose
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
18
CMTB
Generator
Cloud
OOT
Evaluator
Outsourced Oblivious transfer
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
19
CMTB
Generator
Cloud
Generator’s Input
Consistency Check
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
Evaluator
20
CMTB
Generator
Cloud
Evaluator
Circuit Evaluation
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
21
CMTB
Generator
Cloud
Evaluator
Circuit Commitment Check
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
22
CMTB
Generator
Cloud
Evaluator
Output and Output check
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
23
Outsourced PartialGC
Saved Values
Generator
Computation
Generator
Phone
Computation
Phone
Saved Values
Cloud
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
Cloud
24
Protocol
Generator
Cloud
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
Phone
Protocol
Generator
Cloud
Cut and Choose
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
Phone
Protocol
Generator
Cloud
Cut and Choose
OOT
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
Phone
Protocol
Generator
Cloud
Cut and Choose
OOT
Generator's input Consistency Check
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
Phone
Protocol
Generator
Cloud
Cut and Choose
OOT
Generator's input Consistency Check
Partial Generator
Partial Evaluation
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
Phone
Protocol
Generator
Cloud
Cut and Choose
OOT
Generator's input Consistency Check
Partial Generator
Partial Evaluation
Generation / Evaluation
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
Phone
Protocol
Generator
Cloud
Cut and Choose
OOT
Generator's input Consistency Check
Partial Generator
Partial Evaluation
Generation / Evaluation
Output
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
Phone
Protocol
Generator
Cloud
Cut and Choose
OOT
Generator's input Consistency Check
Partial Generator
Partial Evaluation
Generation / Evaluation
Output
Output Check
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
Phone
Output Check
• Output ( x || MAC(x) )
• Slower for circuit evaluation. Proof of concept
implementation has ~14,000 non-XOR gates per 128
bits.
• Extremely fast for our outsourcing party
[ bits/128 MAC operations instead of the output proof
with homomorphic XOR commitments].
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
26
Wrong Saved Values
• Generator gets caught through circuit check
• Cloud gets caught, assuming he continues in the
computation, when the output check fails
Garbled Circuit 1
AND
Garbled Circuit 2
AND
XOR
XOR
Saved Values
OR
NOT
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
OR
NOT
27
Incorrect Check Circuits
• Aborting on incorrect check circuits gives away
information about what circuits are check or
evaluation.
• If check is found to be incorrect, then the remaining
computation and any saved values must be abandoned.
• Cloud informs the Generator and Phone of the
incorrect circuit and what it should have been.
Check Circuit
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
28
Preliminary Test Results
KeyedDB 64
KeyedDB 128
KeyedDB 256
64 Circuits
CMTB
Partial
72 ± 2% 8.3 ± 5%
140 ± 2% 9.5 ± 4%
270 ± 1% 12 ± 6%
8.7x
15x
23x
256
CMTB
290 ± 2%
580 ± 2%
1200 ± 3%
Circuits
Partial
26 ± 2%
31 ± 3%
38 ± 5%
11x
19x
32x
* both evaluated on same hardware,
security parameters, and setup
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
29
Work in progress
Largest Substring 128
Largest Substring 256
Largest Substring 512
64 Circuits
CMTB
Partial
190 ± 4% 20 ± 9%
370 ± 4% 40 ± 10%
730 ± 4% 70 ± 10%
9.5x
9.3x
10x
256 Circuits
CMTB
Partial
800 ± 7%
84 ± 9%
1700 ± 8% 130 ± 7%
200 ± 10%
9.5x
13x
-
• For comparison
-- In [CMTB] output and input values under a 1-time
pad with MACs.
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
30
Conclusion
• Saving wire labels
• Transform and check values
• Discussed our protocol and preliminary results
• Work in progess ...
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
31
Questions?
Benjamin Mood, [email protected]
http://osiris.cs.uoregon.edu/
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
32
Questions?
Benjamin Mood, [email protected]
http://osiris.cs.uoregon.edu/
Oregon Systems Infrastructure Research and Information Security (OSIRIS) Lab
33