
Implement miTCCR #7

Open
sinui0 opened this issue Dec 12, 2022 · 7 comments
Labels
enhancement New feature or request

Comments

@sinui0
Collaborator

sinui0 commented Dec 12, 2022

Rereading https://eprint.iacr.org/2019/1168.pdf it occurs to me that we never implemented the recommendation to randomly sample the initial gate id while garbling a circuit. We should do this to achieve multi-instance TCCR.

@sinui0 sinui0 added enhancement New feature or request good first issue Good for newcomers labels Dec 12, 2022
@themighty1
Collaborator

themighty1 commented Dec 13, 2022

My understanding is that we don't need to worry about miTCCR, here's why:
Edit: wrong understanding, see newer comment below

GKWY19 (https://eprint.iacr.org/2019/ analyzes half-gates's notion "circular correlation robustness for naturally derived keys” in Section 5 and says that this notion "can be viewed as a form of tweakable circular correlation robustness (tccr)".
Then it says that tccr for half-gates "is overkill, and we show now that a family of hash functions satisfying the notion can be constructed from any H that is ccr".
Thus, we don't need tweakable ccr but just ccr. Since it is the re-use of a tweak that is the premise of the miTCCR paper, using ccr instead of tccr means the attack from the paper does not apply aymore.

I will double check about this line of reasoning with the emp-tool authors.

@themighty1
Collaborator

themighty1 commented Apr 6, 2023

I realized that the emp-tool author hasn't responded to my q about this matter: emp-toolkit/emp-tool#179
EDIT: he did respond

I think we should play it safe and implement the random sampling

@heeckhau heeckhau transferred this issue from tlsnotary/tlsn Jun 8, 2023
@themighty1
Collaborator

There are 3 things I learned from the "multi-instance (MI)" paper (https://eprint.iacr.org/2019/1168)

  1. There is an attack on GKWY19's TCCR hash where security degrades with the amount of AND gates garbled (even across multiple independently garbled circuits), quoting

They [GKWY19] did not focus on obtaining better concrete security, and indeed, in Appendix C we show that using their hash function [TCCR] in the half-gates scheme would admit an attack similar to the one described above.

  2. Then the paper shows a more secure miTCCR hash.

  3. Then they show that miTCCR hash's security is tight only when 1 circuit is garbled. When multiple circuits are garbled, they suggest the tweak to randomize gate ids.

In light of this, we should both:

  • replace TCCR with miTCCR
  • add gate id randomization
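The two action items above (swap the GKWY19 TCCR hash for the miTCCR hash, and start gate ids at a random point per circuit) as an added, stand-alone example. This is not code from this issue or from the tlsnotary repositories. It writes the miTCCR hash as defined in ePrint 2019/1168, H(x, i) = π(σ(x) ⊕ i) ⊕ σ(x) with the linear orthomorphism σ(x_L || x_R) = (x_L ⊕ x_R) || x_L, next to the GKWY19 TCCR hash (TMMO) H(x, i) = π(π(x) ⊕ i) ⊕ π(x) that the thread proposes to replace. Assumptions that are mine, not the papers' or the project's: π is AES-128 under a public all-zero key, tweaks are handed out as start + j over 128-bit integers with start drawn from crypto/rand once per garbled circuit, and all names (Hasher, TweakCounter, sigma, MiTCCR, TMMO) are illustrative.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Block is a 128-bit wire label or tweak, stored big-endian.
type Block [16]byte

func xor(a, b Block) Block {
	var c Block
	for k := range c {
		c[k] = a[k] ^ b[k]
	}
	return c
}

// sigma is the linear orthomorphism of ePrint 2019/1168:
// sigma(xL || xR) = (xL ^ xR) || xL. "Orthomorphism" means both sigma and
// sigma ^ identity are permutations; the two inverse functions below witness that.
func sigma(x Block) Block {
	var y Block
	for k := 0; k < 8; k++ {
		y[k] = x[k] ^ x[k+8]
		y[k+8] = x[k]
	}
	return y
}

// sigmaInv undoes sigma: xL = yR, xR = yL ^ yR.
func sigmaInv(y Block) Block {
	var x Block
	for k := 0; k < 8; k++ {
		x[k] = y[k+8]
		x[k+8] = y[k] ^ y[k+8]
	}
	return x
}

// sigmaPlusIdInv undoes z = sigma(x) ^ x = xR || (xL ^ xR): xL = zL ^ zR, xR = zL.
func sigmaPlusIdInv(z Block) Block {
	var x Block
	for k := 0; k < 8; k++ {
		x[k] = z[k] ^ z[k+8]
		x[k+8] = z[k]
	}
	return x
}

// Hasher wraps the fixed-key permutation pi (assumption: AES-128 under a public constant key).
type Hasher struct{ pi cipher.Block }

func NewHasher(key [16]byte) (*Hasher, error) {
	pi, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return &Hasher{pi: pi}, nil
}

func (h *Hasher) perm(in Block) Block {
	var out Block
	h.pi.Encrypt(out[:], in[:])
	return out
}

// MiTCCR is H(x, i) = pi(sigma(x) ^ i) ^ sigma(x): one pi call per hash.
func (h *Hasher) MiTCCR(x, tweak Block) Block {
	s := sigma(x)
	return xor(h.perm(xor(s, tweak)), s)
}

// TMMO is the GKWY19 TCCR hash H(x, i) = pi(pi(x) ^ i) ^ pi(x), kept here only
// for comparison; the thread's conclusion is to stop using it.
func (h *Hasher) TMMO(x, tweak Block) Block {
	p := h.perm(x)
	return xor(h.perm(xor(p, tweak)), p)
}

// TweakCounter yields gate tweaks start, start+1, ... as 128-bit integers. The
// garbler samples start uniformly per circuit, so two independently garbled
// circuits reuse a tweak only with negligible probability (gate id randomization).
type TweakCounter struct{ next Block }

func NewTweakCounter() (*TweakCounter, error) {
	var start Block
	if _, err := rand.Read(start[:]); err != nil {
		return nil, err
	}
	return &TweakCounter{next: start}, nil
}

// NewTweakCounterFrom fixes the start; for tests only, a real garbler must randomize it.
func NewTweakCounterFrom(start Block) *TweakCounter { return &TweakCounter{next: start} }

// Next returns the current tweak and increments the 128-bit counter with carry.
func (t *TweakCounter) Next() Block {
	cur := t.next
	for k := 15; k >= 0; k-- {
		t.next[k]++
		if t.next[k] != 0 {
			break
		}
	}
	return cur
}

func main() {
	h, err := NewHasher([16]byte{})
	if err != nil {
		panic(err)
	}
	tw, err := NewTweakCounter()
	if err != nil {
		panic(err)
	}
	label := Block{0x01} // constructed sample wire label
	// Half-gates hashes twice per AND gate, so a garbler would call Next() twice per gate.
	fmt.Printf("H(x, i0) = %x\n", h.MiTCCR(label, tw.Next()))
	fmt.Printf("H(x, i1) = %x\n", h.MiTCCR(label, tw.Next()))
}
```

The two inverse functions are the practitioner's check that sigma really is an orthomorphism (a wrong linear map here silently voids the miTCCR proof), and the carry loop in Next matters because a random start can sit anywhere in the 128-bit range.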

@themighty1
Collaborator

miTCCR explained by one of the authors: https://www.youtube.com/watch?v=MKGqA0K9d8M

@themighty1
Collaborator

We need to examine how findings of this paper https://eprint.iacr.org/2024/163 apply to us.

@themighty1 themighty1 removed the good first issue Good for newcomers label Feb 12, 2024
@themighty1
Collaborator

The latest paper 2024/163 proves some security bounds when using miTCCR hash with a leaky delta (like the delta in KOS).
In the leaky-delta setting miTCCR security is worse than in the original miTCCR paper 2019/1168, but I couldn't exactly figure out how much worse it is.

Regardless of the 2024/163 findings, we still need to

  • replace TCCR with miTCCR
  • add gate id randomization

@themighty1
Collaborator

The attack on the TCCR hash shown in the miTCCR paper also applies to multiple circuits with different deltas. To quote:
the "shift R" is the delta.
