TY - GEN
T1 - Better concrete security for half-gates garbling (in the multi-instance setting)
AU - Guo, Chun
AU - Katz, Jonathan
AU - Wang, Xiao
AU - Weng, Chenkai
AU - Yu, Yu
N1 - Publisher Copyright:
© International Association for Cryptologic Research 2020.
PY - 2020
Y1 - 2020
N2 - We study the concrete security of high-performance implementations of half-gates garbling, which all rely on (hardware-accelerated) AES. We find that current instantiations using k-bit wire labels can be completely broken—in the sense that the circuit evaluator learns all the inputs of the circuit garbler—in time O(2k/C), where C is the total number of (non-free) gates that are garbled, possibly across multiple independent executions. The attack can be applied to existing circuit-garbling libraries using k=80 when C ≈ 109, and would require 267 machine-months and cost about $3500 to implement on the Google Cloud Platform. Since the attack can be fully parallelized, it could be carried out in about a month using ≈250 machines. With this as our motivation, we seek a way to instantiate the hash function in the half-gates scheme so as to achieve better concrete security. We present a construction based on AES that achieves optimal security in the single-instance setting (when only a single circuit is garbled). We also show how to modify the half-gates scheme so that its concrete security does not degrade in the multi-instance setting. Our modified scheme is as efficient as prior work in networks with up to 2 Gbps bandwidth.
AB - We study the concrete security of high-performance implementations of half-gates garbling, which all rely on (hardware-accelerated) AES. We find that current instantiations using k-bit wire labels can be completely broken—in the sense that the circuit evaluator learns all the inputs of the circuit garbler—in time O(2k/C), where C is the total number of (non-free) gates that are garbled, possibly across multiple independent executions. The attack can be applied to existing circuit-garbling libraries using k=80 when C ≈ 109, and would require 267 machine-months and cost about $3500 to implement on the Google Cloud Platform. Since the attack can be fully parallelized, it could be carried out in about a month using ≈250 machines. With this as our motivation, we seek a way to instantiate the hash function in the half-gates scheme so as to achieve better concrete security. We present a construction based on AES that achieves optimal security in the single-instance setting (when only a single circuit is garbled). We also show how to modify the half-gates scheme so that its concrete security does not degrade in the multi-instance setting. Our modified scheme is as efficient as prior work in networks with up to 2 Gbps bandwidth.
UR - https://www.scopus.com/pages/publications/85089717063
U2 - 10.1007/978-3-030-56880-1_28
DO - 10.1007/978-3-030-56880-1_28
M3 - 会议稿件
AN - SCOPUS:85089717063
SN - 9783030568795
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 793
EP - 822
BT - Advances in Cryptology - CRYPTO 2020 - 40th Annual International Cryptology Conference, CRYPTO 2020, Proceedings
A2 - Micciancio, Daniele
A2 - Ristenpart, Thomas
PB - Springer
T2 - 40th Annual International Cryptology Conference, CRYPTO 2020
Y2 - 17 August 2020 through 21 August 2020
ER -