Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Secure In The Malicious Setting #103

Open
greenfrogs opened this issue Aug 23, 2021 · 5 comments
Open

Secure In The Malicious Setting #103

greenfrogs opened this issue Aug 23, 2021 · 5 comments

Comments

@greenfrogs
Copy link

I was wondering if OblivC is secure for computing the malicious setting. SoK mentions that this is not supported and yet Obliv-C includes execDualexProtocol(). For this to be secure the following needs to be true and I was wondering if you could provide some help in saying if they are met:

  1. During the normal execution of the two threads, the two threads can be in the semi-honest setting but the oblivious transfer needs to be malicious (this is all before the equality check)
  2. For the equality check the implementation needs to be in the malicious setting along with the oblivious transfer

Thank you for any help with answering these questions. This is also discussed in more detail in this paper and implemented by emp-toolkit.
@weikengchen
Copy link
Contributor

It looks like OblivC has some implementations on the dual-execution protocol: https://github.com/samee/obliv-c/blob/obliv-c/src/ext/oblivc/dualex.c#L133

But I haven't used it, and right now, there is a limitation:

fprintf(stderr,"Right now, Dualex protocol requires all "
      "outputs to be revealed to both parties\n"); 
    exit(1);

If you have a program that is not reactive, then you should be able to write it in emp-agmpc.

@greenfrogs
Copy link
Author

Hi @weikengchen, thank you very much for your quick response. Aside from that limitation, it would be great to know if the check at the very end of the execDualexProtocol (found here) is in the malicious setting (i.e. using agmpc and not sh2pc). It is not clear from the code.

If the dualExEqualityCheck is running in the same sh2pc mode that the earlier execution (both parallel threads) are using, then this is not secure.

@weikengchen
Copy link
Contributor

I think your question is about whether the oblivious transfer is done maliciously secure, in order to enable dual execution to be secure.

I would leave this question to @samee.

Note that as academic research is gradually moving to malicious security, and the language base of Obliv-C, the CIL, has not been maintained for a long while since George Necula has moved to Google, and that Samee is also at Google now, you would expect Obliv-C to be not very frequently updated. This also happens to many other MPC platforms.

@samee
Copy link
Owner

samee commented Aug 25, 2021

That dual execution protocol is pretty much a direct implementation of this paper: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.677.1248&rep=rep1&type=pdf. As far as I remember, yes the OT and equality checks are secure against malicious adversaries. However, the caveat of dual-execution protocols is that there is no easy way to bound whether the result of that equality check is revealing something sensitive by itself. If you look at the paper, it says that it can leak any arbitrary one-bit function of the input—at least that's what we could prove. I don't know if that's acceptable for the application you have in mind. I hope it is!

I had no idea George Necula is now in Google. I'll have to reach out to him :)

@weikengchen
Copy link
Contributor

While, not in the Bay Area Google, but Google Switzerland.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@samee @greenfrogs @weikengchen