Applying cut-and-choose techniques to Yao's garbled circuit protocol has been a promising approach for designing efficient Two-Party Computation (2PC) with malicious and covert security, as is evident from various optimizations and software implementations in the recent years. We revisit the security and efficiency properties of this popular approach and propose alternative constructions and a new definition that are more suitable for use in practice. 1. We design an efficient fully-secure 2PC protocol for two-output functions that only requires O(t|C|) symmetric-key operations (with small constant factors, and ignoring factors that are independent of the circuit in use) in the Random Oracle Model, where |C| is the circuit size and t is a statistical security parameter. This is essentially the optimal complexity for protocols based on cut-and-choose, resolving a main question left open by the previous work on the subject. Our protocol utilizes novel techniques for enforcing garbler's input consistency and handling two-output functions that are more efficient than all prior solutions. 2. Motivated by the goal of eliminating the all-or-nothing nature of 2PC with covert security (that privacy and correctness are fully compromised if the adversary is not caught in the challenge phase), we propose a new security definition for 2PC that strengthens the guarantees provided by the standard covert model, and offers a smoother security vs. efficiency tradeoff to protocol designers in choosing the right deterrence factor. In our new notion, correctness is always guaranteed, privacy is fully guaranteed with probability (1 - e), and with probability e (i.e. the event of undetected cheating), privacy is only "partially compromised" with at most a single bit of information leaked, in case of an abort. We present two efficient 2PC constructions achieving our new notion. Both protocols are competitive with the previous covert 2PC protocols based on cut-and-choose. A distinct feature of the techniques we use in all our constructions is to check consistency of inputs and outputs using new gadgets that are themselves garbled circuits, and to verify validity of these gadgets using multi-stage cut-and-choose openings.
展开▼
机译:近年来,从各种优化和软件实现中可以明显看出,在姚明的乱码电路协议中采用直接选择技术一直是设计具有恶意和隐蔽安全性的高效两方计算(2PC)的有前途的方法。我们将重新研究这种流行方法的安全性和效率属性,并提出更适合在实践中使用的替代结构和新定义。 1.我们为两个输出功能设计了一种高效的全安全2PC协议,该协议仅需O(t | C |)对称键操作(常数因子较小,而忽略与所使用电路无关的因子)。随机Oracle模型,其中| C |是电路尺寸,t是统计安全性参数。对于基于剪切和选择的协议来说,这本质上是最佳的复杂性,它解决了先前有关该主题的工作遗留下来的一个主要问题。我们的协议利用新颖的技术来增强垃圾程序的输入一致性,并处理两个输出功能,这些功能比所有现有解决方案都更有效。 2.我们的目标是通过隐蔽的安全性消除2PC的全部或全部性质(如果对手没有陷入挑战阶段,则隐私和正确性会受到损害),我们提出了2PC的新安全性定义,该定义应加强标准隐秘模型提供的保证,并为协议设计者选择正确的威慑因素提供了更平稳的安全性与效率的权衡。在我们的新概念中,始终保证正确性,并以概率(1- e)完全保证隐私,而以概率e(即,未检测到作弊事件),仅通过一点点信息就“部分损害了”隐私权。泄漏,以防中止。我们提出了两种有效的2PC结构,以实现我们的新概念。两种协议都与基于隐式选择的隐秘2PC协议相比具有竞争优势。我们在所有构造中使用的技术的一个显着特征是,使用本身是乱码电路的新小工具来检查输入和输出的一致性,并使用多阶段剪切和选择开口来验证这些小工具的有效性。
展开▼
