
Publication


Featured research published by Michael Zohner.


computer and communications security | 2013

More efficient oblivious transfer and extensions for faster secure computation

Gilad Asharov; Yehuda Lindell; Thomas Schneider; Michael Zohner

Protocols for secure computation enable parties to compute a joint function on their private inputs without revealing anything but the result. A foundation for secure computation is oblivious transfer (OT), which traditionally requires expensive public key cryptography. A more efficient way to perform many OTs is to extend a small number of base OTs using OT extensions based on symmetric cryptography. In this work we present optimizations and efficient implementations of OT and OT extensions in the semi-honest model. We propose a novel OT protocol with security in the standard model and improve OT extensions with respect to communication complexity, computation complexity, and scalability. We also provide specific optimizations of OT extensions that are tailored to the secure computation protocols of Yao and Goldreich-Micali-Wigderson and reduce the communication complexity even further. We experimentally verify the efficiency gains of our protocols and optimizations. By applying our implementation to current secure computation frameworks, we can securely compute a Levenshtein distance circuit with 1.29 billion AND gates at a rate of 1.2 million AND gates per second. Moreover, we demonstrate the importance of correctly implementing OT within secure computation protocols by presenting an attack on the FastGC framework.


theory and application of cryptographic techniques | 2015

Ciphers for MPC and FHE

Martin R. Albrecht; Christian Rechberger; Thomas Schneider; Tyge Tiessen; Michael Zohner

Designing an efficient cipher was always a delicate balance between linear and non-linear operations. This goes back to the design of DES, and in fact all the way back to the seminal work of Shannon.


financial cryptography | 2013

GMW vs. Yao? Efficient Secure Two-Party Computation with Low Depth Circuits

Thomas Schneider; Michael Zohner

Secure two-party computation is a rapidly emerging field of research and enables a large variety of privacy-preserving applications such as mobile social networks or biometric identification. In the late eighties, two different approaches were proposed: Yao’s garbled circuits and the protocol of Goldreich-Micali-Wigderson (GMW). Since then, research has mostly focused on Yao’s garbled circuits as they were believed to yield better efficiency due to their constant round complexity.


theory and application of cryptographic techniques | 2015

More Efficient Oblivious Transfer Extensions with Security for Malicious Adversaries

Gilad Asharov; Yehuda Lindell; Thomas Schneider; Michael Zohner

Oblivious transfer (OT) is one of the most fundamental primitives in cryptography and is widely used in protocols for secure two-party and multi-party computation. As secure computation becomes more practical, the need for practical large scale oblivious transfer protocols is becoming more evident. Oblivious transfer extensions are protocols that enable a relatively small number of “base-OTs” to be utilized to compute a very large number of OTs at low cost. In the semi-honest setting, Ishai et al. (CRYPTO 2003) presented an OT extension protocol for which the cost of each OT (beyond the base-OTs) is just a few hash function operations. In the malicious setting, Nielsen et al. (CRYPTO 2012) presented an efficient OT extension protocol for the setting of active adversaries, that is secure in the random oracle model.


international workshop constructive side-channel analysis and secure design | 2012

Intelligent machine homicide

Annelie Heuser; Michael Zohner

In this contribution we propose the so-called SVM attack, a profiling based side channel attack, which uses the machine learning algorithm support vector machines (SVM) in order to recover a cryptographic secret. We compare the SVM attack to the template attack by evaluating the number of required traces in the attack phase to achieve a fixed guessing entropy. In order to highlight the benefits of the SVM attack, we perform the comparison for power traces with a varying noise level and vary the size of the profiling base. Our experiments indicate that due to the generalization of SVM the SVM attack is able to recover the key using a smaller profiling base than the template attack. Thus, the SVM attack counters the main drawback of the template attack, i.e. a huge profiling base.


Journal of Cryptographic Engineering | 2013

Improved algebraic side-channel attack on AES

Mohamed Saied Emam Mohamed; Stanislav Bulygin; Michael Zohner; Annelie Heuser; Michael Walter; Johannes A. Buchmann

In this paper, we present improvements of the algebraic side-channel analysis of the Advanced Encryption Standard (AES) proposed in the works of M. Renauld and F.-X. Standaert. In particular, we optimize the algebraic representation of both the AES block cipher and obtained side-channel information, in the form of Hamming weights of intermediate states, in order to speed up the attack and increase its success rate. We study the performance of our improved attack in both known and unknown plaintext/ciphertext attack scenarios. Our experiments indicate that in both cases the amount of required side-channel information is less than the one required in the attacks introduced earlier. Furthermore, we introduce a method for handling erroneous side-channel information, which allows our improved algebraic side-channel attack (IASCA) to partially escape the assumption of an error-free environment and thus become applicable in practice. We demonstrate the practical use of our IASCA by inserting predictions from a single-trace template attack.


design, automation, and test in europe | 2012

Side channel analysis of the SHA-3 finalists

Michael Zohner; Michael Kasper; Marc Stöttinger; Sorin A. Huss

At the cutting edge of today's security research and development, the SHA-3 competition evaluates a new secure hashing standard in succession to SHA-2. The five remaining candidates of the SHA-3 competition are BLAKE, Grøstl, JH, Keccak, and Skein. While the main focus was on the algorithmic security of the candidates, a side channel analysis has only been performed for BLAKE and Grøstl [1]. In order to equally evaluate all candidates, we identify side channel attacks on JH-MAC, Keccak-MAC, and Skein-MAC and demonstrate the applicability of the attacks by attacking their respective reference implementation. Additionally, we revisit the side channel analysis of Grøstl and introduce a profiling based side channel attack, which emphasizes the importance of side channel resistant hash functions by recovering the input to the hash function using only the measured power consumption.


ACM Transactions on Privacy and Security (TOPS) archive | 2018

Scalable Private Set Intersection Based on OT Extension

Benny Pinkas; Thomas Schneider; Michael Zohner

Private set intersection (PSI) allows two parties to compute the intersection of their sets without revealing any information about items that are not in the intersection. It is one of the best studied applications of secure computation and many PSI protocols have been proposed. However, the variety of existing PSI protocols makes it difficult to identify the solution that performs best in a respective scenario, especially since they were not compared in the same setting. In addition, existing PSI protocols are several orders of magnitude slower than an insecure naïve hashing solution, which is used in practice. In this article, we review the progress made on PSI protocols and give an overview of existing protocols in various security models. We then focus on PSI protocols that are secure against semi-honest adversaries and take advantage of the most recent efficiency improvements in Oblivious Transfer (OT) extension, propose significant optimizations to previous PSI protocols, and suggest a new PSI protocol whose runtime is superior to that of existing protocols. We compare the performance of the protocols, both theoretically and experimentally, by implementing all protocols on the same platform, give recommendations on which protocol to use in a particular setting, and evaluate the progress on PSI protocols by comparing them to the currently employed insecure naïve hashing protocol. We demonstrate the feasibility of our new PSI protocol by processing two sets with a billion elements each.


privacy enhancing technologies | 2017

Privacy-Preserving Interdomain Routing at Internet Scale

Gilad Asharov; Daniel Demmler; Michael Schapira; Thomas Schneider; Gil Segev; Scott Shenker; Michael Zohner

The Border Gateway Protocol (BGP) computes routes between the organizational networks that make up today’s Internet. Unfortunately, BGP suffers from deficiencies, including slow convergence, security problems, a lack of innovation, and the leakage of sensitive information about domains’ routing preferences. To overcome some of these problems, we revisit the idea of centralizing and using secure multi-party computation (MPC) for interdomain routing which was proposed by Gupta et al. (ACM HotNets’12). We implement two algorithms for interdomain routing with state-of-the-art MPC protocols. On an empirically derived dataset that approximates the topology of today’s Internet (55 809 nodes), our protocols take as little as 6 s of topology-independent precomputation and only 3 s of online time. We show, moreover, that when our MPC approach is applied at country/region-level scale, runtimes can be as low as 0.17 s online time and 0.20 s pre-computation time. Our results motivate the MPC approach for interdomain routing and furthermore demonstrate that current MPC techniques are capable of efficiently tackling real-world problems at a large scale.


international workshop constructive side-channel analysis and secure design | 2012

Butterfly-Attack on skein's modular addition

Michael Zohner; Michael Kasper; Marc Stöttinger

At the cutting edge of today's security research and development, the SHA-3 contest evaluates a new successor of SHA-2 for secure hashing operations. One of the finalists is the SHA-3 candidate Skein. Like many other cryptographic primitives Skein utilizes arithmetic operations, for instance modular addition. In this paper we introduce a new method of performing a DPA on modular addition of arbitrary length. We will give an overview over side channel analysis of modular addition, followed by problems occurring when dealing with large operand sizes of 32 bits and more. To overcome these problems, we suggest a new method, called the Butterfly-Attack, to exploit the leakage of modular additions. Real world application is shown by applying our new approach to Skein-MAC, enabling us to forge legitimate MACs using Skein.

Collaboration

Top co-authors of Michael Zohner and their affiliations:

Thomas Schneider, Technische Universität Darmstadt
Daniel Demmler, Technische Universität Darmstadt
Marc Stöttinger, Nanyang Technological University
Sorin A. Huss, Technische Universität Darmstadt
Gil Segev, Hebrew University of Jerusalem
Annelie Heuser, Centre national de la recherche scientifique
Ahmad-Reza Sadeghi, Technische Universität Darmstadt