On the Security of the “Free-XOR”
Technique
Ranjit Kumaresan
Joint work with Seung Geol Choi, Jonathan Katz, and
Hong-Sheng Zhou
(UMD)
Research in Secure Two-party
Computation (2PC)
• Generic protocols [Yao86, GMW87]
• “Tailored” protocols for specific applications
[FNP04,HL08,KO97,…]
• Fairplay [MNPS04]: Implemented generic protocols
– Hope for practicality
Research in Secure Two-party
Computation (2PC)
• Active research improving concrete efficiency of generic
protocols
– Garbled circuit approach
[PSSW09,HEKM11,KM11,LP07,LP11,…]
– GMW approach [NNOB11, CHKMR12,...]
• Moving secure computation from theory to practice
Talk Outline
• Background on Yao GC & the Free-XOR technique [KS08]
– Description in the random oracle (RO) model
– Replacing RO with correlation robust hash functions?
• Sufficient assumptions on the hash function
– Why correlation robust hash functions are not enough
– New notion: Circular correlation robust hash functions
– Security of the Free-XOR technique
• Conclusions
Yao Garbled Circuit (GC) [Yao86]
•
•
•
•
Generic secure computation protocol
Constant round solution
Mostly symmetric-key operations
Popular choice for efficient 2PC
Yao Garbled Circuit
u
v
XOR
u
v
w
u
v
AND
u
v
v
u
Credit: V. Kolesnikov
u
v
Yao Garbled Circuit
y0
H(w0,x0,g’) ⊕ y0
H(w0,x1,g’) ⊕ y1
H(w1,x0,g’) ⊕ y1
g,g’: gate indices
H: hash function
y1
XOR
H(w1,x1,g’) ⊕ y0
w0
x0
w1
x1
H(u0,v0,g) ⊕ w0
H(u0,v1,g) ⊕ w0
AND
H(u1,v0,g) ⊕ w0
H(u1,v1,g) ⊕ w1
u0
v0
u1
v1
GC Based Semi-Honest 2PC [Yao86]
GC
….
Alice input keys
Bob keys
input bits
OT
Bob input keys
Evaluate GC using
received input keys
GC
….
Efficiency Improvements to Yao GC
• Garbled row reduction [NPS99,PSSW09]
– Just 3 entries per garbled table
• Point-and-permute [MNPS04]
– Decrypt only one entry
• Free-XOR technique [KS08]
– No garbled table for XOR gates
Free-XOR Technique [KS08]
• Idea: XOR gates evaluated for “free”
– No cryptographic operations or communication (like [Kol05,GMW87])
– GC based 2PC in the semi-honest setting
• Gains in practice?
– 40% improvement for “typical” circuits
– 300% improvement for universal circuits
• Impact
– All recent implementations use Free-XOR technique [PSSW09,
SS11,…]
– Efforts to minimize #non-XOR gates in circuit [KS08, KSS09,
PSSW09]
Free-XOR Technique [KS08]
H(w0,x0,g’) ⊕ y0
y0
H(w0,x1,g’) ⊕ y1
y1
H(w1,x0,g’) ⊕ y1
XOR
H(w1,x1,g’) ⊕ y0
w0
x0
w1
x1
H(u0,v0,g) ⊕ w0
H(u0,v1,g) ⊕ w0
AND
H(u1,v0,g) ⊕ w0
H(u1,v1,g) ⊕ w1
u0
v0
u1
v1
Free-XOR Technique [KS08]
H(w0,x0,g’)
⊕
y 0 = w0 ⊕ x 0
y0
H(w0,x1,g’) ⊕ y1
: hidden
global parameter
H(w1,x0,g’)R⊕
y1
y1 = y0 ⊕
R
XOR
H(w1,x1,g’) ⊕ y0
x0
w0
w1 = w0 ⊕ R
x1 = x0 ⊕ R
H(u0,v0,g) ⊕ w0
H(u0,v1,g) ⊕ w0
AND
H(u1,v0,g) ⊕ w0
H(u1,v1,g) ⊕ w1
u0
u1 = u0 ⊕ R
v0
v 1 = v0 ⊕ R
Free-XOR Technique [KS08]
y
H(w0,x0,g’) ⊕ y0
Set y = w⊕x
H(w0,x1,g’) ⊕ y1
: hidden
global parameter
H(w1,x0,g’)R⊕
y1
XOR
H(w1,x1,g’) ⊕ y0
x
w
H(u0,v0,g) ⊕ w0
Use H(u,v,g) to recover w
H(u0,v1,g) ⊕ w0
AND
H(u1,v0,g) ⊕ w0
H(u1,v1,g) ⊕ w1
u
v
Proof in the RO Model [KS08]
• Corrupt Alice: Trivial
• Corrupt Bob:
– Sim creates a fake garbled circuit whose output is always correct
– Intuitively, security reduces to proving R is completely hidden
– Indistinguishability proved by induction on topological ordering of gates
Real table
H(u,v,g) ⊕ w
Simulated table
H(u,v,g) ⊕ w
H(u,v⊕R,g) ⊕ w
random1
H(u⊕R,v,g) ⊕ w
random2
H(u⊕R,v⊕R,g) ⊕ (w⊕R)
random3
 By induction, known input keys: u, v
 Only w is recovered
 Except with negl. prob., all other
values are hidden
Proof in the Standard Model?
• RO is not programmed
• Can RO be replaced by a suitable hash function?
– [KS08]: a variant of correlation robust hash functions (CorRHF) works
– Repeated wherever Free-XOR is used [PSSW09,SS11,AHI11,NO09,…]
• Our contributions
“Natural” variant of CorRHF is NOT sufficient
Specify variant of CorRHF that is sufficient
Proof in the Standard Model?
“Natural” variant of CorRHF is NOT sufficient
• Main issue is circularity
[BK03,BRS03, HK07, …]
– H(u⊕R,v⊕R,g) ⊕(w⊕R)
– CorRHF does not capture
circularity
H(u,v,g) ⊕w
H(u,v⊕R,g) ⊕w
H(u⊕R,v,g) ⊕w
H(u⊕R,v⊕R,g) ⊕
(w⊕R)
Specify variant of CorRHF that is sufficient
• Circular Correlation Robust Hash Functions
– Captures circularity
– Security proof for the Free-XOR technique
Why is this important?
• Implementors happy with RO…
• In theory, RO methodology is inherently flawed [CGH04]
– Want precise formulation of concrete properties required by RO
• “Natural” variant of CorRHF used in other contexts [AHI11,NO09]
• “CorRHF is sufficient for Free-XOR technique” claimed in several
works [PSSW09,SS11, AHI11,…]
• Assumptions required for Free-XOR tech. in Yao GC?
– Free-XOR in [GMW87, Kol05] with no other assumptions
Correlation Robust Hash Functions
[IKNP03]
• Proposed by [IKNP03] for removing RO in OT extension
• Definition: (CorRHF) H is CorRHF if for randomly chosen u1,…,
up, the following two distributions are comp. indistinguishable
– (u1,…, up, H(u1⊕R), …, H(up⊕R)) where R is chosen uniformly
– (u1,…, up, w1,…, wp) where each wi is chosen uniformly
• (Arithmetic variant) realized under PDH assumption [AHI11]
• [KS08]: Variant can replace RO in Free-XOR
– Use of hidden off-set in both [KS08] and [IKNP03]
“Natural” Variant of CorRHF
• Definition: (weak 2-CorRHF) H is weakly 2-CorRHF if for given
u1,…, up, v1,…, vp, the following two distributions are comp.
indistinguishable
– . H(u1⊕R,v1,1), H(u1,v1⊕R,1), H(u1⊕R,v1⊕R,1)
– `
.
.
.
H(up⊕R,vp,p), H(up,vp⊕R,p), H(up⊕R,vp⊕R,p)
where R is chosen uniformly
– (w1,…, w3p) where each wi is chosen uniformly
Our Working Definition of 2-CorRHF
• Oracle based
– CorR(u,v,g): output H(u,v⊕R,g), H(u⊕R,v,g), H(u⊕R,v⊕R,g)
– Rand(u,v,g): if input was queried before then output answer given
previously, else output a uniformly chosen string
• Definition: (2-CorRHF) H is 2-CorRHF if every non-uniform PPT
adversary A with oracle access to O (either CorR or Rand)
cannot tell whether O is CorR or Rand except with negligible
advantage
• Stronger than previous definition
– Oracle queries can be adaptive
2-CorRHF and Free-XOR technique
Real table
H(u,v,g) ⊕ w
Simulated table
H(u,v,g) ⊕ w
H(u,v⊕R,g) ⊕ w
random1
H(u⊕R,v,g) ⊕ w
random2
H(u⊕R,v⊕R,g) ⊕
(w⊕R)
random3
Reduction Table
H(u,v,g) ⊕ w
h1 ⊕ w
h2 ⊕ w
?
 Reduction adversary B for 2-CorRHF
 Given O (either CorR or Rand)
 How to create garbled table?
 Choose random u,v,w
 Query O(u,v,g) to get h1, h2, h3
 First 3 entries can be set
 How to obtain fourth entry using h3?
 Unclear how to complete reduction
Counterexample
• Rule out fully black-box reduction using two oracles H and Break
• H is 2-CorRHF even if A has oracle access to H and Break
• Free-XOR technique is insecure when A has access to H and
Break
H(u,v,g)
 Random function
Break(u,v,g,z1,z2,z3)
 Output r when
 z1 = H(u,v⊕r,g)
 z2 = H(u⊕r,v,g)
 z3 = H(u⊕r,v⊕r,g)⊕r
 Else output nothing
H is 2-CorRHF against
H,
Break
A
• O = Rand: uniform, independent of A’s view
• O = CorR: uniform, independent of A’s view unless A queries
O(u,v,g) &
– O(u’,v’,g) with u’⊕u = R or v’⊕v = R, or
– H(u’,v’,g) with u’⊕u = R or v’⊕v = R, or
– Break(u,v,g,z1,z2,z3) with z3⊕H(u⊕R,v⊕R,g) = R
H(u,v,g)
 Random function
Break(u,v,g,z1,z2,z3)
Happens with
negligible prob.
 Output r when
 z1 = H(u,v⊕r,g)
 z2 = H(u⊕r,v,g)
 z3 = H(u⊕r,v⊕r,g)⊕r
 Else output nothing
Insecurity of Free-XOR Tech.:
AND gate g
H(u,v,g) ⊕w
c1
H(u,v⊕R,g) ⊕w
c2
c3
H(u⊕R,v,g) ⊕w
H(u⊕R,v⊕R,g)
⊕(w⊕R)
H(u,v,g)
 Random function
H,
Break
A
Attack: A acting as Bob recovers R
• Recover w from gate g using H(u,v,g)
– z1 = c1 ⊕ w
– z2 = c2 ⊕ w
– z3 = c3 ⊕ w
• Query Break(u,v,g,z1,z2,z3) to get R
Break(u,v,g,z1,z2,z3)
 Output r when
 z1 = H(u,v⊕r,g)
 z2 = H(u⊕r,v,g)
 z3 = H(u⊕r,v⊕r,g)⊕r
 Else output nothing
Capturing Circularity: Circular 2-CorRHF
• Recall indistinguishable oracles in 2-CorRHF
– CorR(u,v,g): output H(u,v⊕R,g), H(u⊕R,v,g), H(u⊕R,v⊕R,g)
– Rand(u,v,g): if input was queried before then output answer given
previously, else output uniformly chosen
• Oracles for Circular 2-CorRHF
bR = 0 when b=0
bR = R when b=1
– CircR(u,v,g,b1,b2,b3): output H(u⊕b1R, v⊕b2R, g) ⊕ b3R
– Rand(u,v,g,b1,b2,b3): same as before
Capturing Circularity: Circular 2-CorRHF
• Recall indistinguishable oracles in 2-CorRHF
– CorR(u,v,g): output H(u,v⊕R,g), H(u⊕R,v,g), H(u⊕R,v⊕R,g)
– Rand(u,v,g): if input was queried before then output answer given
previously, else output uniformly chosen
• Oracles for Circular 2-CorRHF
Allowing b3 = 1 captures circularity
– CircR(u,v,g,b1,b2,b3): output H(u⊕b1R, v⊕b2R, g) ⊕ b3R
– Rand(u,v,g,b1,b2,b3): same as before
Circular 2-CorRHF
• Oracles for Circular 2-CorRHF
– CircR(u,v,g,b1,b2,b3): output H(u⊕b1R, v⊕b2R, g) ⊕ b3R
– Rand(u,v,g,b1,b2,b3): same as before
• Indistinguishability conditioned on restricted queries to CircR
– No queries of the form (u,v,g,0,0,b3)
– No queries on both (u,v,g,b1,b2,0) and (u,v,g,b1,b2,1)
• Definition: (Circular 2-CorRHF) H is circular 2-CorRHF if every
non-uniform PPT adversary A making legal queries to oracle O
cannot tell whether O is CircR or Rand except with negligible
advantage
Proof of Security for the Free-XOR Tech.
• Corrupt Alice: Trivial
• Corrupt Bob: Sim creates a fake garbled circuit
y = w⊕x
.
.
.
XOR
w
x
Simulated table
H(u,v,g) ⊕ w
random1
AND
u
random2
v
random3
 Choose random key for all wires
except output wires of XOR gates
 XOR chosen keys for input wires to
get key for output wire of XOR gate
 Populate unknown values in nonXOR gate table with random values
 Set output garbled table to give
correct output z
Reduction to Circular 2-CorRHF
• Reduction adversary B for Circular 2-CorRHF
• B given access to O (either CircR or Rand) & real inputs for
both parties
y = w⊕x
.
.
.
XOR
w
x
Reduction Table
H(u,v,g) ⊕ w
O(u,v,g,0,1,0) ⊕ w
AND
u
O(u,v,g,1,0,0) ⊕ w
v
O(u,v,g,1,1,1) ⊕ w
 Choose random key for all wires
except output wires of XOR gates
 XOR chosen keys for input wires to
get key for output wire of XOR gate
 Populate unknown values in nonXOR gate table using O
 Set output garbled table to give
correct output z
Circular 2-CorRHF & Free-XOR technique
Real table
H(u,v,g) ⊕ w
Simulated table
H(u,v,g) ⊕ w
H(u,v⊕R,g) ⊕ w
random1
H(u⊕R,v,g) ⊕ w
random2
H(u⊕R,v⊕R,g) ⊕
(w⊕R)
random3
O = CircR
Reduction Table
H(u,v,g) ⊕ w
O(u,v,g,0,1,0) ⊕ w
O(u,v,g,1,0,0) ⊕
w
O(u,v,g,1,1,1) ⊕
w
O = Rand
Recall CircR(u,v,g,b1,b2,b3):
 output H(u⊕b1R, v⊕b2R, g) ⊕
b3R
Conclusions & Open Questions
• Free-XOR technique extremely influential
– Used in all Yao GC implementations
• Secure in the random oracle model
• “Natural” variant of 2-CorRHF is not sufficient
– Circularity
• Stronger notion of 2-CorRHF: Circular 2-CorRHF
– Security proof for the Free-XOR technique
• “Free” gate evaluation under OWF?
• Realize Circular 2-CorRHF from standard crypto assumptions?
Thank You!