# from circuits to RAM programs in malicious-2PC Abstract: Secure 2-party computation (2PC) is becoming practical in some domains. However, most approaches are limited by the fact that the desired functionality must be represented as a boolean circuit. In response, the random-access machine (RAM) model has recently been investigated as a promising alternative to circuits. In this talk, I will discuss some pitfalls of basing malicious-secure 2PC on the RAM model rather than circuits. I will then describe two new protocols for malicious-secure 2PC of RAM programs, whose performance relative to the semi-honest model matches the state of the art for circuit-based 2PC techniques. For malicious security with statistical security parameter $2^{-5}$ , our protocol without preprocessing has overhead s compared to the semi-honest model; our protocol with preprocessing has overhead $\sim 2s/\log T$ , where T is the running time of the RAM program. ➢ Arash Afshar @ CALGARY ➢ Zhangxiang Hu @ Oregon State SUP CALGARY ➢ Payman Mohassel @ CALGARY Mike Rosulek @ Oregon State SUP CALGARY AES √ AES S-box (need 208 of these) AES √ stable marriage 🗡 AES S-box (need 208 of these) AES √ stable marriage X binary search X size of circuit = $\Omega$ ( size of inputs ) AES S-box (need 208 of these) Garbled circuit technique [Yao86,BellareHoangRogaway12] Garbled circuit technique [Yao86,BellareHoangRogaway12] pick two random labels for each wire Garbled circuit technique [Yao86,BellareHoangRogaway12] randomly associate labels with true/false Garbled circuit technique [Yao86,BellareHoangRogaway12] give "encrypted truth table" for each gate Garbled circuit technique [Yao86,BellareHoangRogaway12] give "encrypted truth table" for each gate Garbled circuit technique [Yao86,BellareHoangRogaway12] give "encrypted truth table" for each gate Garbled circuit technique [Yao86,BellareHoangRogaway12] #### Informal security proof: - Wire label leaks no information about logical value - Receiver only learns one label for each wire (induction) cpu small internal state Oblivious RAM (ORAM) = memory access pattern leaks nothing about inputs/outputs/state [GoldreichOstrosvky96] - Can make any RAM program oblivious, polylog overhead in runtime & memory [ShiChanStefanovLi11, .....] - Must still "touch" all of memory, in initialization phase - Our results only need "metadata-obliviousness" (R vs W, address) initialize memory; secret share initial CPU state secure 2pc of augmented CPU circuit $\mathsf{ORAM} \Rightarrow \mathsf{safe}$ to let Bob handle all memory access Alice Bob example: CPU wants to read example: CPU wants to read Alice Bob example: CPU wants to write Alice Bob example: CPU wants to write example: CPU wants to write Integrity of state Integrity of state and memory! use a MAC? #### use a MAC? #### use a MAC? ### use a MAC? This will work, but ... - Crypto circuitry inside garbled circuit - Many inputs (MAC tags & keys) to garbled circuit State & memory information should be: - Kept private - 2. Protected from tampering #### State & memory information should be: - 1. Kept private - 2. Protected from tampering State & memory information should be: - Kept private √ - 2. Protected from tampering √ State & memory information should be: - Kept private √ - 2. Protected from tampering √ #### Key Idea Directly reuse garbled values for state & memory! #### Goals: - malicious security - no extra overhead inside garbled circuits - efficiency matching state-of-the-art for circuit-based 2PC #### Goals: - malicious security - no extra overhead inside garbled circuits - efficiency matching state-of-the-art for circuit-based 2PC #### Results: | style | cost | technique | |----------------|------------------------------------------|-------------------------| | streaming | s imes semi-honest | blind cut-and-choose, | | | | forge-and-lose | | online/offline | $\sim 2$ s $/$ log T $ imes$ semi-honest | batched cut-and-choose, | | | | LEGO | for security $2^{-s}$ T = ORAM running time #### Goals: - malicious security - no extra overhead inside garbled circuits - efficiency matching state-of-the-art for circuit-based 2PC #### Results: | style | cost | technique | |----------------|-------------------------------------------|-------------------------| | streaming | s imes semi-honest | blind cut-and-choose, | | | | forge-and-lose | | online/offline | $\sim 2$ s $/$ log $ au imes$ semi-honest | batched cut-and-choose, | | | | LEGO | for security $2^{-s}$ T = ORAM running time #### Theme: Re-use wire labels between evaluations of garbled CPU circuit **Quiz:** isn't this the same as making a monolothic garbled circuit for unrolled RAM computation? **Quiz:** isn't this the same as making a monolothic garbled circuit for unrolled RAM computation? - connections between "data in/out" determined at runtime! - later inputs can depend on prior outputs **Quiz:** isn't this the same as making a monolothic garbled circuit for unrolled RAM computation? - connections between "data in/out" determined at runtime! - later inputs can depend on prior outputs **Note:** CPU need not encrypt data! generate many garbled circuits open & check some fraction of them; abort if any are bad evaluate remaining circuits; take majority output #### what about in the RAM setting? t t GC GC GC GC GC GC GC GC #### check circuit cannot share wire labels! (secrets revealed) #### eval circuit must share wire labels! can't predict check/eval when generating garbled circuits! t ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? Blind cut-and-choose [KamaraMohasselRiva12,KreuterShelatShen12,Mood+14] establish many threads of computation Blind cut-and-choose [KamaraMohasselRiva12,KreuterShelatShen12,Mood+14] receiver secretly sets each thread to "check" or "eval" Blind cut-and-choose [KamaraMohasselRiva12,KreuterShelatShen12,Mood+14] sender generates garbled circuits, reusing wire labels within each thread Blind cut-and-choose [KamaraMohasselRiva12,KreuterShelatShen12,Mood+14] sender generates garbled circuits, reusing wire labels within each thread Blind cut-and-choose [KamaraMohasselRiva12,KreuterShelatShen12,Mood+14] sender generates garbled circuits, reusing wire labels within each thread Blind cut-and-choose [KamaraMohasselRiva12,KreuterShelatShen12,Mood+14] check-threads: receiver gets only enough to check Blind cut-and-choose [KamaraMohasselRiva12,KreuterShelatShen12,Mood+14] eval-threads: receiver gets only enough to eval on sender's input ## overview of protocol #1 Cost of protocol = (# of threads) $\times$ (cost of semi-honest) - lacktriangle with traditional cut-and-choose: $\sim 3s$ threads for security $2^{-s}$ - with [Lindell13] cheating-recovery trick: only s threads - we show how to perform [Lindell13] trick only once at the end; communication independent of RAM running time! ## overview of protocol #1 #### Cost of protocol = (# of threads) $\times$ (cost of semi-honest) - lacktriangle with traditional cut-and-choose: $\sim 3s$ threads for security $2^{-s}$ - ▶ with [Lindell13] cheating-recovery trick: only s threads - we show how to perform [Lindell13] trick only once at the end; communication independent of RAM running time! #### Preprocessing, streaming? - need to remember wire labels of previous circuits! - can't pre-process garbled circuits (wire labels have runtime dependence) ## preprocessing: batched cut-and-choose Want to do 2PC of same circuit N times? [Huang Katz Kolesnikov Kumaresan Malozemoff 14, Lindell Riva 14] Want to do 2PC of same circuit N times? [Huang Katz Kolesnikov Kumaresan Malozemoff 14, Lindell Riva 14] generate a lot of garbled circuits Want to do 2PC of same circuit N times? [Huang Katz Kolesnikov Kumaresan Malozemoff 14, Lindell Riva 14] open and check some fraction of them Want to do 2PC of same circuit N times? [Huang Katz Kolesnikov Kumaresan Malozemoff 14, Lindell Riva 14] Want to do 2PC of same circuit N times? [Huang Katz Kolesnikov Kumaresan Malozemoff 14, Lindell Riva 14] Want to do 2PC of same circuit N times? [Huang Katz Kolesnikov Kumaresan Malozemoff 14, Lindell Riva 14] Want to do 2PC of same circuit N times? [Huang Katz Kolesnikov Kumaresan Malozemoff 14, Lindell Riva 14] Want to do 2PC of same circuit N times? [Huang Katz Kolesnikov Kumaresan Malozemoff 14, Lindell Riva 14] buckets of size $O(s/\log N)$ give security $2^{-s}$ ### preprocessing for RAM-2PC? #### Pros: - RAM CPU circuit evaluated over and over! - Batched cut-and-choose would reduce number of garbled circuits needed (in online phase) - Pre-processing already inherent for ORAM ### preprocessing for RAM-2PC? #### Pros: - RAM CPU circuit evaluated over and over! - Batched cut-and-choose would reduce number of garbled circuits needed (in online phase) - Pre-processing already inherent for ORAM #### Cons: - Wire-label dependence determined at runtime! - Cannot re-use wire labels if all circuits garbled beforehand ### preprocessing for RAM-2PC? #### Pros: - RAM CPU circuit evaluated over and over! - Batched cut-and-choose would reduce number of garbled circuits needed (in online phase) - Pre-processing already inherent for ORAM #### Cons: - Wire-label dependence determined at runtime! - Cannot re-use wire labels if all circuits garbled beforehand If only we had a way to "connect wires on the fly" in existing garbled circuits! ### the LEGO approach! ### Garble individual gates and connect them later [NielsenOrlandi09,FrederiksenJakobsenNielsenNordholdOrlandi13] - We extend the technique to circuits - Some careful modifications are necessary # our "LEGO RAM" approach LEGO set 6062 "Battering Ram" ### garbled circuit, wire labels Each wire has a secret "parity bit" ## garbled circuit, wire labels Each wire has a secret "parity bit" generate lots of garbled CPU circuits + homomorphic commitments open and check some fraction of them each timestep, select random "bucket" of circuits to evaluate solder input/output wires together by opening commitments (evaluate by taking majority wire labels of each computation path) solder input wires from previous garbled circuits ### overview of protocol #2 ### Two phase protocol: - offline phase = circuit generation & batch cut-and-choose - online phase = soldering & evaluation ### overview of protocol #2 ### Two phase protocol: - offline phase = circuit generation & batch cut-and-choose - online phase = soldering & evaluation Online cost of protocol = (bucket size) $\times$ (cost of semi-honest) - ▶ bucket size = $O(s/\log T)$ where T = RAM running time - ightharpoonup concretely, for s=40: - $T = 5,000 \Rightarrow \text{bucket size} = 7$ - $T = 500,000 \Rightarrow \text{bucket size} = 5$ ### overview of protocol #2 ### Two phase protocol: - offline phase = circuit generation & batch cut-and-choose - online phase = soldering & evaluation ### Online cost of protocol = (bucket size) $\times$ (cost of semi-honest) - ▶ bucket size = $O(s/\log T)$ where T = RAM running time - ightharpoonup concretely, for s=40: - $T = 5,000 \Rightarrow \text{bucket size} = 7$ - $T = 500,000 \Rightarrow \text{bucket size} = 5$ ### Other cool features: - oblivious RAM = (original RAM) + (ORAM construction steps) - pre-process different circuits separately: smaller bucket size for (common) ORAM steps ### lies and omissions ### Lots of other standard tools from circuit-2PC: - Input consistency checks - Output authenticity checks - Preventing selective aborts - Cheating recovery techniques #### RAM stuff I didn't mention: - Elephant in the room: ORAM initialization! - Getting inputs into the RAM - ORAM needs randomness - Safe to run many RAM invocations with same memory ### summary ### Goals: - malicious security - no extra overhead inside garbled circuits - efficiency matching state-of-the-art for circuit-based 2PC #### Results: | style | cost | technique | |----------------|------------------------------------------|-------------------------| | streaming | s imes semi-honest | blind cut-and-choose, | | | | forge-and-lose | | online/offline | $\sim 2$ s $/$ log T $ imes$ semi-honest | batched cut-and-choose, | | | | LEGO | for security $2^{-s}$ T = ORAM running time ### Theme: Leverage existing security properties of wire labels in garbled circuits! ### the end! Mike Rosulek: rosulekm@eecs.oregonstate.edu From Circuits to RAM Programs in Malicious-2PC Arash Afshar, Zhangxiang Hu, Payman Mohassel, Mike Rosulek appearing on eprint soon