Fast and Secure Three-Party Computation: the Garbled Circuit Approach

Payman Mohassel (Yahoo Labs, Sunnyvale, California; pmohassel@yahoo-inc.com)
Mike Rosulek (Oregon State University, Corvallis, Oregon; rosulekm@eecs.oregonstate.edu)
Ye Zhang† (Google, Mountain View, CA; [email protected])

∗ Supported by NSF award CCF-1149647.
† Most of the work done while an Intern at Yahoo Labs! and a PhD student at Penn State.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
CCS'15, October 12-16, 2015, Denver, CO, USA.
Copyright is held by the owner/author(s). Publication rights licensed to ACM.
ACM 978-1-4503-3832-5/15/10/$15.00
DOI: http://dx.doi.org/10.1145/2810103.2813705

ABSTRACT

Many deployments of secure multi-party computation (MPC) in practice have used information-theoretic three-party protocols that tolerate a single, semi-honest corrupt party, since these protocols enjoy very high efficiency.

We propose a new approach for secure three-party computation (3PC) that improves security while maintaining practical efficiency that is competitive with traditional information-theoretic protocols. Our protocol is based on garbled circuits and provides security against a single, malicious corrupt party. Unlike information-theoretic 3PC protocols, ours uses a constant number of rounds. Our protocol only uses inexpensive symmetric-key cryptography: hash functions, block ciphers, pseudorandom generators (in particular, no oblivious transfers) and has performance that is comparable to that of Yao's (semi-honest) 2PC protocol.

We demonstrate the practicality of our protocol with an implementation based on the JustGarble framework of Bellare et al. (S&P 2013). The implementation incorporates various optimizations including the most recent techniques for efficient circuit garbling. We perform experiments on several benchmarking circuits, in different setups. Our experiments confirm that, despite providing a more demanding security guarantee, our protocol has performance comparable to existing information-theoretic 3PC.

1. INTRODUCTION

Secure multi-party computation (MPC) allows a set of parties to compute a function of their joint inputs without revealing any information beyond the output of the function they compute. MPC has found numerous applications, not only enabling various privacy-preserving tasks on sensitive data, but also removing a single point of attack by allowing for distribution of secrets and trust while maintaining the original functionality. Since the seminal work of [Yao86, GMW87] showing its feasibility in the two-party and multi-party settings, MPC has been the subject of extensive research, focusing on bettering security and efficiency.

The case of three-party computation (3PC) where the adversary corrupts at most one party (honest majority) is an important special case that has received particular attention. It has been the subject of active research, implementation and optimization in frameworks such as VIFF [Gei07], Sharemind [BLW08], ShareMonad [LDDAM12, LADM14] and MEVAL [CMF+14]. These protocols have been used in a wide range of applications such as statistical data analysis [BTW12] and email filtering [LADM14]. They have also been deployed in practice for online beet auctions [BCD+09] and for financial data analysis [BTW12]. A main reason for the popularity of 3PC with one corruption is the simplicity and efficiency of the resulting protocols. In particular, protocols designed in this setting can be significantly more efficient than their two-party counterparts (or dishonest-majority protocols in general) since they are commonly based on secret-sharing schemes and hence only require arithmetic operations, which are considered faster than cryptographic ones.

However, the secret-sharing-based solutions have several drawbacks. In particular, the round complexity of these protocols is proportional to the circuit depth of the computation being performed, which can be high in practice. Also, to the best of our knowledge, with the exception of [IKHC14], existing implementations are only secure against semi-honest adversaries. Traditionally, one may be willing to settle for semi-honest security given that security against active cheating (malicious adversaries) has a reputation of requiring significant overhead. Our work shows that this impression need not be true, and that malicious security can in fact be obtained with little to no overhead over semi-honest security in the 3-party setting.

1.1 Our Contributions

We design a new protocol for 3PC with one corruption based on Garbled Circuits (GC) [Yao82, LP09, BHR12b]. Our protocol is constant-round and secure against a malicious adversary that corrupts one party. Unlike the standard approach of applying cut-and-choose techniques for compiling GC-based protocols into malicious 2PC, we show that in the setting of 3PC with one corruption one can avoid the cut-and-choose paradigm and achieve malicious security at a cost similar to semi-honest two-party constructions. We also avoid the use of public-key operations such as Oblivious Transfer.

We prove our protocol secure in the Universal Composability (UC) model, but avoid the use of expensive UC-secure primitives due to the honest-majority setting. The only cryptographic tools we require are a secure garbling scheme and a non-interactive (standalone-secure) commitment scheme, both of which can be instantiated using symmetric-key primitives.

Our protocol does not achieve fairness, and we leave it open to design a protocol with a similar level of efficiency that also achieves fairness (a feasible goal in the honest-majority setting).

We implement our protocol by enhancing the implementation of JustGarble [BHKR13] in various ways and incorporating the state-of-the-art "half-gates" garbling scheme of [ZRE15]. We further reduce communication (which our experiments show to be the bottleneck) by a factor of two using a hashing technique described in Section 3.4. We run experiments evaluating benchmarking circuits such as AES/MD5/SHA1/SHA256, and with different communication techniques turned on/off. Our experimental results confirm that our construction is competitive with prior work in the same setting while achieving the stronger malicious security. They also confirm that communication remains the major bottleneck in GC-based constructions even in the three-party setting. We also explore a motivating application we call distributed credential encryption service, that naturally lends itself to an offline pre-processing stage. Our experiments show that the online phase can be very fast.

1.2 Related Work

The most relevant line of work to ours is MPC constructions with an honest majority. Starting with the seminal work of [BOGW88, CCD88], a large body of work has studied the round and communication complexity of such protocols. A main building block for achieving security against a malicious adversary in these constructions is verifiable secret sharing (VSS) [BOGW88, RBO89]. While these constructions are quite efficient and avoid cryptographic operations, their practical efficiency and the constant factors are not fully examined. The one implementation of 3PC with malicious security we know of is [IKHC14]. Their work proposes an approach for compiling a semi-honest 3PC into a malicious one with a small overhead (we discuss the overhead in more detail in the experiment section). The other existing implementations we know of are based on customized

recent optimizations to standard garbled circuits can be similarly applied to these protocols, and to compare the practical efficiency of malicious-secure variants.

In concurrent and independent work, Ishai et al. [IKKPC15] describe efficient, constant-round secure computation protocols for 3 and 4 parties, tolerating 1 malicious corruption. Both their protocol and ours use as a starting point the protocol of Feige et al. [FKN94] in the private simultaneous messages (PSM) setting, which is in turn based on Yao's garbled circuit construction. The two protocols ([IKKPC15] and ours) use incomparable techniques to strengthen the PSM protocol against one malicious participant, and achieve a different mix of properties. In the 3-party setting, [IKKPC15] achieve a 2-round protocol whose cost is essentially that of 3 garbled circuits, whereas our protocol requires 3 rounds (in its random oracle instantiation) and has the cost of 1 garbled circuit. In the 4-party setting, [IKKPC15] achieve guaranteed output delivery as well.

Fast implementations of malicious 2PC and MPC in the dishonest-majority setting include cut-and-choose solutions based on garbled circuits [LPS08, KS12, FN13, AMPR14], OT-based solutions [NNOB12, LOS14], and implementations in the pre-processing model [DKL+12, DKL+13]. These protocols resist a larger fraction of corrupted parties than ours, but are significantly less efficient.

1.3 Organization

The building blocks used in our protocols, such as a garbling scheme, commitment schemes and coin-tossing, are all defined and described in Section 2. Our main construction and its security proof are described in Section 3. Our implementation, experimental results, and comparison with other implementations can be found in Section 4. We discuss the distributed encryption service application in Section 5.

2. PRELIMINARIES

2.1 Secure MPC: UC Framework

We define security of multi-party computation using the framework of Universal Composition (UC) [Can01]. We give a very brief overview here, and refer the reader to [Can01] for all of the details.

An execution in the UC framework involves a collection of (non-uniform) interactive Turing machines. In this work we consider an adversary that can statically (i.e., at the beginning of the interaction) corrupt at most one party.
