TLSNotary uses the
DEAP protocol described below to ensure malicious security of the overall protocol.
When using DEAP in TLSNotary, the
User plays the role of Alice and has full privacy and the
Notary plays the role of Bob and reveals all of his private inputs after the TLS session with the server is over. The Notary's private input is his TLS session key share.
The parties run the
Execution steps of
DEAP but they defer the
Since during the
Equality Check all of the
Notary's secrets are revealed to User, it must be deferred until after the TLS session with the server is over, otherwise the User would learn the full TLS session keys and be able to forge the TLS transcript.
Malicious secure 2-party computation with garbled circuits typically comes at the expense of dramatically lower efficiency compared to execution in the semi-honest model. One technique, called Dual Execution [MF06] [HKE12], achieves malicious security with a minimal 2x overhead. However, it comes with the concession that a malicious adversary may learn bits of the other's input with probability .
We present a variant of Dual Execution which provides different trade-offs. Our variant ensures complete privacy for one party, by sacrificing privacy entirely for the other. Hence the name, Dual Execution with Asymmetric Privacy (DEAP). During the execution phase of the protocol both parties have private inputs. The party with complete privacy learns the authentic output prior to the final stage of the protocol. In the final stage, prior to the equality check, one party reveals their private input. This allows a series of consistency checks to be performed which guarantees that the equality check can not cause leakage.
Similarly to standard DualEx, our variant ensures output correctness and detects leakage (of the revealing parties input) with probability where is the number of bits leaked.
The protocol takes place between Alice and Bob who want to compute where and are Alice and Bob's inputs respectively. The privacy of Alice's input is ensured, while Bob's input will be revealed in the final steps of the protocol.
Firstly, our protocol assumes a small amount of premature leakage of Bob's input is tolerable. By premature, we mean prior to the phase where Bob is expected to reveal his input.
If Alice is malicious, she has the opportunity to prematurely leak bits of Bob's input with probability of it going undetected.
We assume that it is acceptable for either party to cause the protocol to abort at any time, with the condition that no information of Alice's inputs are leaked from doing so.
In the last phase of our protocol Bob must open all oblivious transfers he sent to Alice. To achieve this, we require a very relaxed flavor of committed oblivious transfer. For more detail on these relaxations see section 2 of Zero-Knowledge Using Garbled Circuits [JKO13].
- and are Alice and Bob's inputs, respectively.
- denotes an encoding of chosen by Alice.
- and are Alice and Bob's encoded active inputs, respectively, ie .
- denotes a binding commitment to
- denotes a garbled circuit for computing , where:
- denotes output decoding information where
- denotes the global offset of a garbled circuit where
- denotes a secure pseudo-random generator
- denotes a secure hash function
The protocol can be thought of as three distinct phases: The setup phase, execution, and equality-check.
- Alice creates a garbled circuit with corresponding input labels , and output label commitment .
- Bob creates a garbled circuit with corresponding input labels .
- For committed OT, Bob picks a seed and uses it to generate all random-tape for his OTs with . Bob sends to Alice.
- Alice retrieves her active input labels from Bob using OT.
- Bob retrieves his active input labels from Alice using OT.
- Alice sends , , and to Bob.
- Bob sends , , and to Alice.
Both Alice and Bob can execute this phase of the protocol in parallel as described below:
- Evaluates using and to acquire .
- Decodes to using which she received earlier. She computes which we will call .
- Computes a commitment where is a key only known to Alice. She sends this commitment to Bob.
- Waits to receive from Bob1.
- Checks that is authentic, aborting if not, then decodes to using .
At this stage, if Bob is malicious, Alice could detect that . However, Alice must not react in this case. She proceeds with the protocol regardless, having the authentic output .
- Evaluates using and to acquire . He checks against the commitment which Alice sent earlier, aborting if it is invalid.
- Decodes to using which he received earlier. He computes which we'll call , and stores it for the equality check later.
- Sends to Alice1.
- Receives from Alice and stores it for the equality check later.
Bob, even if malicious, has learned nothing except the purported output and is not convinced it is correct. In the next phase Alice will attempt to convince Bob that it is.
Alice, if honest, has learned the correct output thanks to the authenticity property of garbled circuits. Alice, if malicious, has potentially learned Bob's entire input .
This is a significant deviation from standard DualEx protocols such as [HKE12]. Typically the output labels are not returned to the Generator, instead, output authenticity is established during a secure equality check at the end. See the section below for more detail.
- Bob opens his garbled circuit and OT by sending , and to Alice.
- Alice, can now derive the purported input labels to Bob's garbled circuit .
- Alice uses to open all of Bob's OTs for and verifies that they were performed honestly. Otherwise she aborts.
- Alice verifies that was garbled honestly by checking . Otherwise she aborts.
- Alice now opens by sending and to Bob.
- Bob verifies then asserts , aborting otherwise.
Bob is now convinced that is correct, ie . Bob is also assured that Alice only learned up to k bits of his input prior to revealing, with a probability of of it being undetected.
On the Leakage of Corrupted Garbled Circuits [DPB18] is recommended reading on this topic.
During the first execution, Alice has some degrees of freedom in how she garbles . According to [DPB18], when using a modern garbling scheme such as [ZRE15], these corruptions can be analyzed as two distinct classes: detectable and undetectable.
Recall that our scheme assumes Bob's input is an ephemeral secret which can be revealed at the end. For this reason, we are entirely unconcerned about the detectable variety. Simply providing Bob with the output labels commitment is sufficient to detect these types of corruptions. In this context, our primary concern is regarding the correctness of the output of .
[DPB18] shows that any undetectable corruption made to is constrained to the arbitrary insertion or removal of NOT gates in the circuit, such that computes instead of . Note that any corruption of has an equivalent effect. [DPB18] also shows that Alice's ability to exploit this is constrained by the topology of the circuit.
Recall that in the final stage of our protocol Bob checks that the output of matches the output of , or more specifically:
For the moment we'll assume Bob garbles honestly and provides the same inputs for both evaluations.
In the scenario where Bob reveals the output of prior to Alice committing to there is a trivial adaptive attack available to Alice. As an extreme example, assume Alice could choose such that . For most practical functions this is not possible to garble without detection, but for the sake of illustration we humor the possibility. In this case she could simply compute where in order to pass the equality check.
To address this, Alice is forced to choose , and prior to Bob revealing the output. In this case it is obvious that any valid combination of must satisfy all constraints on . Thus, for any non-trivial , choosing a valid combination would be equivalent to guessing correctly. In which case, any attack would be detected by the equality check with probability where k is the number of guessed bits of . This result is acceptable within our model as explained earlier.
Zero-Knowledge Using Garbled Circuits [JKO13] is recommended reading on this topic.
The last stage of our variant is functionally equivalent to the protocol described in [JKO13]. After Alice evaluates and commits to , Bob opens his garbled circuit and all OTs entirely. Following this, Alice performs a series of consistency checks to detect any malicious behavior. These consistency checks do not depend on any of Alice's inputs, so any attempted selective failure attack by Bob would be futile.
Bob's only options are to behave honestly, or cause Alice to abort without leaking any information.
They deserve whatever they get.