Efficient and Precise Secure Generalized Edit Distance and Beyond

Ruiyu Zhu; Yan Huang

doi:10.1109/tdsc.2020.2984219

Author manuscript; available in PMC: 2023 Apr 4.

Published in final edited form as: IEEE Trans Dependable Secure Comput. 2020 Apr 2;19(1):579–590. doi: 10.1109/tdsc.2020.2984219

PMCID: PMC10072857 NIHMSID: NIHMS1772631 PMID: 37020740

Abstract

Secure string comparison under non-linear metrics such as edit distance and its variations is an important building block of many applications, including patient genome matching and text-based intrusion detection. Despite the significance of these string metrics, computing them in a provably secure manner is very expensive. In this paper, we improve the performance of secure computation of these string metrics without sacrificing security, generality, composability, or accuracy. We explore a new design methodology that allows us to reduce the asymptotic cost by a factor of O(log n) (where n denotes the input string length). In our experiments, we observe up to an order-of-magnitude savings in time and bandwidth compared to the best prior results. We also extend our semi-honest protocols to the malicious model, yielding what are by far the most efficient actively-secure protocols for computing these string metrics.

1. Introduction

String comparison is a useful primitive that finds applications in many real-world scenarios. Among the metrics for comparing strings, non-linear metrics such as edit distance are the most interesting thanks to the versatility with which their cost models can be adapted to field applications. For example, when genomes are denoted by strings, it is customary to use non-linear metrics such as weighted edit distance and Needleman-Wunsch distance [1] to help diagnose genetic diseases [2], [3], [4]. In many other scenarios where the strings may represent file segments, sequences of system calls, or snippets of network traffic, these non-linear metrics are important enabling techniques of computer immunology [5] and intrusion detection [6], [7].

Often, the input strings in these applications carry highly sensitive information, thus are intended to stay encrypted throughout the computation. However, securely computing these non-linear metrics is a highly challenging research task. Researchers have studied intensively secure protocols to match strings based on edit distance, an epitome metric of its kind. When designing these protocols, several properties are vitally important.

First, one would prefer the protocols to be generic. This implies a number of desirable features: 1) The resulting protocol is ready to be used as a subroutine in another secure protocol using standard composition methods; 2) It is easy to modify the protocol to also work with other variants of string-metrics; 3) The security guarantees can be upgraded, e.g., from semi-honest to covert or malicious threat models, using well-known cryptographic techniques.

Second, it is desirable for the protocols to produce accurate results. Imprecise results can cause false decisions that will undermine the value of some security-critical systems. Secure protocols that can always provide accurate results irrespective of the secret input data can be used in many very different scenarios.

Third, the protocols are expected to be rigorously proven secure and free of leakage, which is necessary for safe use of such protocols in real-world applications.

Finally, we surely wish to have protocols as efficient as possible, such that they can be adopted in more performance-critical settings.

Unfortunately, existing protocols cannot yet provide a satisfactory solution that meets all the design expectations above. The heuristics-based protocols [8], [9] are efficient, but miss the first three design requirements entirely. On the other hand, while protocols using state-of-the-art generic garbled circuits [10] or ABY [11] are generic, accurate, and proven-secure, they are very expensive.

1.1. Methodology and Threat Model

Motivated by the limitation of existing protocols, we ask:

Can we design secure string comparison protocols that are as secure, accurate and generic as required by the standard definition of secure computation, while being significantly more efficient than the best existing generic solutions?

In this work, we answer this question with a new methodology. We adapt the garbling scheme itself to the public properties of target computations. In the context of computing string-comparison metrics, for example, we made two key observations and exploited them in our protocol design: (a) There are useful public patterns in such computations that correlate the secret values on intermediate wires. E.g., in edit distance, the two input numbers to the min circuit will differ by at most 1. (b) Many parts of string-comparison computations can be realized more efficiently using arithmetic (instead of binary) circuits. By exploiting these insights, we are able to securely compute a number of representative string-metrics significantly more efficiently than the best previous secure protocols.

Threat Models.

In this work, we consider both semi-honest and malicious adversaries. We will discuss the semi-honest protocols first and then show how to upgrade them to thwart full-malicious attacks in Section 5.

1.2. Contributions

We propose a new design methodology for building efficient privacy-preserving computations. We customize the garbling to exploit public properties of the target computations. We apply this methodology in developing secure protocols for several representative string-comparison metrics. Like the protocols of [10], [14], [15], our protocols work in the Random Oracle Model. Unlike prior works, our approach leverages low-cost bounded-input comparison, minimum, and table-lookup, while keeping arithmetic addition free. The overall complexity of our secure string-comparison protocols is O(n²) (with n being the length of each input string), in contrast to O(n² log n) of prior protocols using best previous garbling schemes [10], [14]. We formally proved the security of our scheme (Section 3.2) and presented ways to extend our garbling schemes to handle arbitrary functions through tethering it to binary garbled circuits (Section 4).

We have strengthened the semi-honest protocols into efficient actively-secure string-metrics computation protocols (Section 5), which are by far the best of their kind. They are equipped with state-of-the-art cut-and-choose strategies and, for improved performance, their cut-and-choose parameters can be selected based on the actual cost ratio between checking and evaluating a GC. Security of our protocols is guaranteed as long as one correct GC is evaluated.

We have experimentally evaluated our approach on a range of string-comparison metrics including edit distance, weighted edit distance, Needleman-Wunsch distance, LCS, and HCS. In the semi-honest model, our protocols run up to 16 times faster and use significantly less bandwidth than the best existing GC-based protocols (see Table 1). In the malicious model, our protocols achieve 2⁻⁴⁰ statistical and 2⁻¹²⁷ computational security with only about 20x (or 10x) the time and about 15x (or 8.5x) the bandwidth of their semi-honest versions in the LAN (or WAN) setting (see Table 2). Unlike the heuristics-based protocols [8], [9], our approach is generic, accurate, and proven-secure, and does not use any public reference. As a first step in this direction of research, our findings may shed some light on designing other application-specific MPC protocols in the future.

TABLE 1: Performance Highlights (semi-honest model)

	Edit Distance			Weighted ED			Needleman-Wunsch			LCS		
	LAN time (s)	WAN time (s)	B/W (GB)	LAN time (s)	WAN time (s)	B/W (GB)	LAN time (s)	WAN time (s)	B/W (GB)	LAN time (s)	WAN time (s)	B/W (GB)
Best Prior	286	1776	39.4	360	2257	50.1	1030	6747	155	202	1224	27.1
This Work	23.7	178	4.09	83.3	625	14.3	142	1073	25.6	18.9	135	3.07


Tested with 127-bit computational security. Times are in seconds and B/W in GB. Computation inputs are two 4000-nucleotide genomes. The weight tables used in Weighted ED and Needleman-Wunsch are given in Figure 1. “Best Prior” results are measured on efficient implementations based on the ideas of Huang et al. [12] and emp-toolkit [13], an updated framework integrating Free-XOR, AESNI, and Half-Gates. Detailed experiment setup is given in Section 6.

TABLE 2: Performance of Actively-Secure Protocols

Setting	Quantity	Edit Dist.	Wgtd. ED	N. Wunsch	LCS
LAN	$\frac{c_{eval}}{c_{chk}}$	3.31	4.82	3.25	2.98
	n	45	49	45	45
	$E (k)$	15.00	13.47	15.01	14.99
	Time	9.41	25.14	57.23	7.71
	B/W	61.5	193.2	369.0	46.1
WAN	$\frac{c_{eval}}{c_{chk}}$	23.97	39.06	23.57	20.70
	n	93	123	93	93
	$E (k)$	8.91	7.93	8.91	8.91
	Time	35.38	106.62	213.52	27.92
	B/W	36.6	113.8	219.1	27.5


$\frac{c_{eval}}{c_{chk}}$ denotes the observed cost ratio between Evaluate (Step 5) and Check (Step 4), which can vary with the application and with hardware/network conditions. n and k are cut-and-choose parameters picked based on the cost ratio. As k is chosen probabilistically, $E(k)$ denotes the expected value of k. Times are in minutes and B/W in GB.

1.3. Related Work

1.3.1. Heuristics-based private string matching

Researchers have proposed some interesting heuristics to approximate best matches of low-entropy strings by their edit-distances. Two seminal works of this kind are by Wang et al. [9] and Asharov et al. [8]. Wang et al. estimated edit-distance of human genomes through solving set-difference-size problems that were efficiently sketched using a public reference genome. Asharov et al. divided genome strings into short segments then approximated edit-distance-based match.¹ Although these protocols offered high efficiency, they also suffered from leakage, accuracy, and generality issues: (a) They assume a weaker threat model that leaks more than what is allowed by the standard definition of secure computation, and it is hard to argue that the leaked information is not what an attacker wants. (b) They produce input-data-specific errors in their results, making them inapplicable in scenarios where errors are less tolerable. (c) It is hard to use these protocols as generic building blocks in other secure protocols or on inputs other than low-entropy genomes. Nor is it clear how to modify them to compute other variant string-metrics such as Needleman-Wunsch or LCS, or to work against stronger adversaries. Moreover, both protocols rely on a “good” public reference string, which may not be available in many use cases. We note that the quality of the reference string can severely affect the accuracy and cost of these protocols (see experiments in Section 6.1), while methods of picking “good” references are yet to be studied.

1.3.2. Garbled-circuit-based approach

Generic protocols using optimized garbled circuits (GC) were also used to compute edit-distance [12], [16]. Protocols of this type always produce accurate results, offer strong security guarantees satisfying the standard definition of security for MPC, and are generally applicable to other string-comparison metrics. In addition, these GC-based protocols can be used as black-box components in larger secure computations. There are standard practical transformations to upgrade these protocols to work in the presence of active adversaries.

On the flip side, the costs of such protocols are prohibitive, partly because of the large constant-factor blowup from translating the computation into binary circuits. We have implemented GC-based protocols to securely compute edit distance, weighted edit distance, Needleman-Wunsch, LCS, and HCS. In the baseline implementation, we used all applicable state-of-the-art optimizations including fixed-key hardware AES [17], [18], Half-Gate garbling [10], and the free-XOR technique [19]. The performance of these protocols is reported in the “Best Prior” row of Table 1 and in the performance charts of Figures 3 and 4 in Section 6.1. These baseline performance numbers are already significantly better than those of any generic protocols found in the literature, since we used all applicable state-of-the-art optimizations. Still, their performance would not be satisfactory in many practical settings.

Fig. 3: Edit Distance, Weighted Edit Distance, and Needleman-Wunsch (κ = 127).

1.3.3. Comparison with Ball-Malkin-Rosulek [14]

Ball, Malkin and Rosulek proposed a garbling scheme where plaintext signals are encoded in their CRT-representations (Chinese Remainder Theorem). The CRT-representation encodes a plaintext value as elements in field GF(p₁ × ··· × p_n) where p₁, ... , p_n are a number of distinct small primes. Their scheme can be considered as an extension of Half-Gate’s wire-label encoding, which is over the field GF(2^κ), with general projection gates. They show by calculation that this garbling scheme can be of theoretical interest in saving bandwidth for certain computations that consist of many high fan-in threshold and modular addition gates. However, they did not consider practical end-to-end secure computation protocols or practical time efficiency. In contrast, we focus on a class of important string-comparison metric computations, discover some key properties of these computations, and advocate customizing the protocol to leverage these public properties for efficiency improvements. Our work considers both semi-honest and malicious adversaries. We show with experiments that our protocols are up to an order-of-magnitude better in both time and bandwidth than the best existing generic protocols.

In fact, an important technical distinction between the two works is that their garbling schemes rely on the point-and-permute technique to evaluate the garbled gates, while we use zero-tags to allow the evaluator to identify failed trial-decryptions. The point-and-permute technique is not compatible with the bounded-value projection technique which has significantly boosted the performance of our protocols. This is because if any garbled rows skip the transmission, the point-and-permute mechanism allows the evaluator to learn something about the secret permutation from observing how the (publicly-known) omitted entries are moved before and after the permutation.

1.3.4. Comparison with ABY [11] and ABY3 [20]

The ABY framework enables generic secure computations using one or a mixture of GMW-based Arithmetic/Binary circuits and Yao’s binary GC. However, it won’t outperform our protocols since it does not support bounded-value projection. Nor does it offer convenient upgrade to malicious model security as our protocols do. In fact, ABY cannot even outperform our GC-based baseline (see Section 6.3).

In comparison to ABY’s secret-share conversion techniques, we stress that our GC-based arithmetic encoding is very different from ABY’s GMW-based arithmetic encoding. Hence, the conversion methods we present in Section 4.1 differ from those of ABY in essential ways.

Mohassel and Rindal extended ABY to ABY3 for machine learning computations. However, ABY3 only works for a completely different threat model (3PC with honest majority) which is out of the scope of this paper.

1.3.5. Comparison with DKS+ [21]

The work by Dessouky et al. suggests that some custom-built circuits could benefit from efficient OT extension specific for short messages by a constant (and application-dependent) factor (2–4x for AES and PSI) of savings. However, they didn’t consider the string metrics that we study here and their idea doesn’t support bounded-value projection.

2. Background

Notations.

We let κ be the computational security parameter; let $a := b$ denote assigning the value of b to a; and let $x \leftarrow S$ denote assigning to x a uniformly sampled element of the set $S$.

2.1. Secure Garbling

First proposed by Yao [22], garbled circuits were later formalized by Bellare et al. [18] as a cryptographic primitive of independent interest. Following the notations of Bellare et al., a garbling scheme $G$ is a 5-tuple (Gb, En, Ev, De, f) of algorithms, where Gb is an efficient randomized garbler that, on input (1^k, f), outputs (F, e, d); En is an encoder that, on input (e, x), outputs X; Ev is an evaluator that, on input (F, X), outputs Y; De is a decoder that, on input (d, Y), outputs y. The correctness of $G$ requires that for every $(F, e, d) \leftarrow Gb (1^{k}, f)$ and every x,

De (d, Ev (F, En (e, x))) = f (x) .

Bellare et al. have proposed three security notions for garbling: privacy, obliviousness, and authenticity, which we summarize as below.

Privacy: There exists an efficient simulator $S_{prv}$ such that for all x,

$$\left\{ (F, X, d) : \begin{array}{l} (F, e, d) \leftarrow Gb(1^{k}, f), \\ X \leftarrow En(e, x) \end{array} \right\} \approx \left\{ S_{prv}(1^{k}, f, f(x)) \right\},$$

where “≈” symbolizes computational indistinguishability.

Obliviousness: There exists an efficient simulator $S_{oblvs}$ such that for all x,

$$\left\{ (F, X) : \begin{array}{l} (F, e, d) \leftarrow Gb(1^{k}, f), \\ X \leftarrow En(e, x) \end{array} \right\} \approx \left\{ S_{oblvs}(1^{k}, f) \right\}.$$

$ϵ$-Authenticity: For all efficient $A = (A_{1}, A_{2})$,

$$\Pr\left[ \begin{array}{l} Y \neq Ev(F, X) \text{ and} \\ De(d, Y) \neq ⊥ \end{array} : \begin{array}{l} (f, x) \leftarrow A_{1}(1^{k}), \\ (F, e, d) \leftarrow Gb(1^{k}, f), \\ X \leftarrow En(e, x), \\ Y \leftarrow A_{2}(1^{k}, F, X) \end{array} \right] \leq ϵ.$$

Optimizations have been proposed that improve garbling in many aspects, such as bandwidth [10], [14], [23], evaluator’s computation [23], memory consumption [12], and the use of dedicated hardware [10], [17], [24]. State-of-the-art implementations of garbling schemes using AESNI can typically produce one row of a garbled truth table roughly every 25 ns [13], [17], [24].

2.2. Edit Distance and Other Metric Variants

The edit distance (also known as Levenshtein distance) between any two strings s and t is the minimum number of edits needed to transform s into t, where an edit is typically one of three basic operations: insert, delete, and substitute. Algorithm 1 is a standard dynamic programming approach to compute the edit distance between two strings. The invariant is that $D_{i,j}$ always represents the edit distance between s[1..i] and t[1..j]. Lines 1–2 initialize the first column of the matrix D (the entries $D_{i,0}$) while lines 3–4 initialize the first row (the entries $D_{0,j}$). Within the main nested loops (lines 5–7), $D_{i,j}$ is set at line 7 to the smallest of $D_{i-1,j} + c_{ins}$, $D_{i,j-1} + c_{del}$, and $D_{i-1,j-1} + c_{sub}$, where $c_{ins}$, $c_{del}$, and $c_{sub}$ are the costs of inserting, deleting, and substituting a single character (at any position). For basic edit distance, $c_{ins} := 1$, $c_{del} := 1$, and $c_{sub} := (s[i] = t[j])\ ?\ 0 : 1$, i.e., each single-character insert, delete, and substitute incurs one unit of cost while matching characters cost zero. Once the minimal edit distance is computed, it is easy to backtrack (from $D_{i,j}$) a sequence of edits that transforms s[1..i] into t[1..j], e.g., for the purpose of deriving an optimal alignment.

Algorithm 1. EditDistance(s, t)

1:	for i := 0 to length(s) do
2:		$D_{i, 0} := i \cdot c_{ins}$;
3:	for j := 0 to length(t) do
4:		$D_{0, j} := j \cdot c_{del}$;
5:	for i := 1 to length(s) do
6:		for j := 1 to length(t) do
7:			$D_{i, j} := \min(D_{i-1, j} + c_{ins},\ D_{i, j-1} + c_{del},\ D_{i-1, j-1} + c_{sub})$;

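Algorithm 1 translates almost line for line into code. The following Python sketch is one possible plaintext rendering, not the implementation evaluated in this paper: the function name `edit_distance` and its keyword parameters are illustrative choices, the indel costs are assumed to be constants as in Algorithm 1, and nothing here is secure or oblivious.

```python
from typing import Callable, Optional


def edit_distance(
    s: str,
    t: str,
    c_ins: int = 1,
    c_del: int = 1,
    c_sub: Optional[Callable[[str, str], int]] = None,
) -> int:
    """Plaintext dynamic program following Algorithm 1 (illustrative only)."""
    if c_sub is None:
        # Basic edit distance: matching characters cost 0, mismatches cost 1.
        c_sub = lambda a, b: 0 if a == b else 1

    n, m = len(s), len(t)
    D = [[0] * (m + 1) for _ in range(n + 1)]

    # Lines 1-4 of Algorithm 1: initialize the entries D[i][0] and D[0][j].
    for i in range(n + 1):
        D[i][0] = i * c_ins
    for j in range(m + 1):
        D[0][j] = j * c_del

    # Lines 5-7: fill the table. Python strings are 0-indexed, so the
    # paper's s[i] and t[j] correspond to s[i - 1] and t[j - 1] here.
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            D[i][j] = min(
                D[i - 1][j] + c_ins,
                D[i][j - 1] + c_del,
                D[i - 1][j - 1] + c_sub(s[i - 1], t[j - 1]),
            )
    return D[n][m]
```

For instance, `edit_distance("kitten", "sitting")` evaluates to 3 under the basic unit costs.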

Weighted Edit Distance.

More generally, the c_ins, c_del, and c_sub above can be adjusted to fit the goals of specific applications. For example, in diagnosing certain genetic diseases [2], [4], it is customary to set c_ins and c_del to integers between 5 and 10 while setting the substitution cost to 1. The rationale behind the cost gap is that insertions and deletions (called indels) occur much more rarely than substitutions in some application domains, so one adjusts the costs so that the changes are better captured by the editing model. For example, during DNA replication, indels are much rarer than substitutions, so we would expect a good alignment to contain proportionally fewer indels to reflect the natural cloning of DNA.

Needleman-Wunsch.

As the statistical models of various operations were refined with respect to the symbols involved in the mutations, researchers [25], [26], [27], [28] have found many good reasons to also adjust the costs c_ins, c_del, c_sub according to the specific characters to be inserted, deleted, or substituted. In this case, c_ins, c_del and c_sub can be viewed as functions over the alphabet of all possible characters. For example, for genomes, they can be encoded as one- and two-dimensional tables (Fig. 1). Note that although the weight tables are publicly known, lookups over the arrays have to be obliviously computed because the indices used to lookup are secret.

Fig. 1: Example weight tables of genomic Needleman-Wunsch.

Longest Common Subsequence (LCS).

Unlike edit distance, the length of the longest common subsequence measures the similarity of two strings. Given strings s and t, the length of the longest common subsequence between them can be computed using dynamic programming similar to that for edit distance (Algorithm 2). Compared to Algorithm 1, the only two changes are the initialization values in lines 2 and 4, and the logic to derive $D_{i,j}$ (line 7). The invariant now is that $D_{i,j}$ always represents the length of $LCS(s[1..i], t[1..j])$.

Algorithm 2. LongestCommonSubsequence(s, t)

1:	for i := 0 to length(s) do
2:		$D_{i, 0} := 0$;
3:	for j := 0 to length(t) do
4:		$D_{0, j} := 0$;
5:	for i := 1 to length(s) do
6:		for j := 1 to length(t) do
7:			$D_{i, j} := \max(D_{i-1, j},\ D_{i, j-1},\ D_{i-1, j-1} + w_{i, j})$;


With basic LCS, the matching reward $w_{i,j}$ is set to

$$w_{i,j} = \begin{cases} 1, & \text{if } s[i] = t[j], \\ 0, & \text{otherwise.} \end{cases}$$

Heaviest Common Subsequence (HCS).

As a generalization of LCS, researchers [29] have introduced the concept of heaviest common subsequence, just as Needleman-Wunsch generalizes edit distance. The idea is to let different characters reward differently when they match. Therefore, w_i,j can be viewed as a matrix (to be indexed by s[i] and t[j]) where only the diagonal entries are positive while the rest of the matrix is filled with 0s.
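Algorithm 2 and its HCS generalization differ only in the reward function, which a short plaintext sketch makes concrete. The Python below is illustrative and not taken from the paper's implementation: the name `common_subsequence_weight` and the example weights are hypothetical, and the computation is done in the clear.

```python
from typing import Callable, Optional


def common_subsequence_weight(
    s: str,
    t: str,
    w: Optional[Callable[[str, str], int]] = None,
) -> int:
    """Plaintext dynamic program following Algorithm 2 (illustrative only).

    With the default reward this is the LCS length; passing a
    character-dependent reward gives the heaviest common subsequence.
    """
    if w is None:
        # Basic LCS reward: 1 on a match, 0 otherwise.
        w = lambda a, b: 1 if a == b else 0

    n, m = len(s), len(t)
    # Lines 1-4 of Algorithm 2: D[i][0] and D[0][j] all start at 0.
    D = [[0] * (m + 1) for _ in range(n + 1)]

    # Lines 5-7: take the maximum instead of the minimum.
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            D[i][j] = max(
                D[i - 1][j],
                D[i][j - 1],
                D[i - 1][j - 1] + w(s[i - 1], t[j - 1]),
            )
    return D[n][m]


# Hypothetical HCS weights: only matching characters are rewarded,
# i.e. only the diagonal of the weight matrix is positive.
EXAMPLE_WEIGHTS = {"a": 2, "b": 3}


def example_hcs_reward(a: str, b: str) -> int:
    return EXAMPLE_WEIGHTS[a] if a == b else 0
```

With these hypothetical weights, `common_subsequence_weight("ab", "ba", example_hcs_reward)` prefers matching the heavier character `b` over `a`.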

3. The Semi-Honest Model

Next, we give our semi-honest string-comparison protocols.

3.1. Insights and Intuitions

First, we illustrate two important observations behind the design of our new garbling scheme.

Dominant Costs.

A dominant cost of solving the general edit distance problem lies in the oblivious computation of addition, equality (or table-lookup in general), and minimum. This is evident from the dynamic programming Algorithm 1. Therefore, it should be our foremost priority to make these oblivious computations efficient in our new garbling scheme.

Bounded Difference Values.

The edit distance computation makes a number of calls to the three-minimum function, which can be instantiated as two nested calls to the two-minimum function, i.e., $\min(a, b, c) = \min(\min(a, b), c)$. A key observation is that edit distances can be calculated such that all two-minimum gates are computed on inputs (a, b) for which a − b is bounded by constants independent of the absolute values of a and b. This observation opens up an opportunity to speed up private edit distance computation. We exploit this opportunity by designing special two-minimum gadgets that only need to work for inputs of bounded difference, but run significantly more efficiently than generic minimum gates (which need to process all possible inputs).

Take basic edit distance as an example. We can show that every call to min(a, b) can be arranged so that $a - b \in \{-1, 0, 1, 2\}$. We can prove this fact as follows. First, because

$$\min(D_{i-1,j} + 1,\ D_{i,j-1} + 1,\ D_{i-1,j-1} + c_{sub}) = \min(\min(D_{i-1,j} + 1,\ D_{i-1,j-1} + c_{sub}),\ D_{i,j-1} + 1),$$

let $m_{i,j} = \min(D_{i-1,j} + 1,\ D_{i-1,j-1} + c_{sub})$; our goal is then to show

$$\begin{array}{r} (D_{i-1,j} + 1) - (D_{i-1,j-1} + c_{sub}) \in \{-1, 0, 1, 2\}, \\ (D_{i,j-1} + 1) - m_{i,j} \in \{-1, 0, 1, 2\}. \end{array}$$

Since all the quantities involved are integers, it suffices to show

$$-1 \leq (D_{i-1,j} + 1) - (D_{i-1,j-1} + c_{sub}) \leq 2, \text{ and} \tag{1}$$

$$-1 \leq (D_{i,j-1} + 1) - m_{i,j} \leq 2. \tag{2}$$

The triangle inequality of basic edit distance ensures

$$|D_{i-1,j} - D_{i-1,j-1}| \leq 1, \tag{3}$$

$$|D_{i,j-1} - D_{i-1,j-1}| \leq 1. \tag{4}$$

Thus,

$$\begin{aligned} |D_{i-1,j} - D_{i,j-1}| &= |D_{i-1,j} - D_{i-1,j-1} - (D_{i,j-1} - D_{i-1,j-1})| \\ &\leq |D_{i-1,j} - D_{i-1,j-1}| + |D_{i,j-1} - D_{i-1,j-1}| \leq 2. \end{aligned}$$

Also, because of (3), (4), and $0 \leq c_{sub} \leq 1$, we know

$$-1 \leq (D_{i-1,j} + 1) - (D_{i-1,j-1} + c_{sub}) \leq 2, \text{ and}$$

$$-1 \leq (D_{i,j-1} + 1) - (D_{i-1,j-1} + c_{sub}) \leq 2.$$

Since

$$(D_{i,j-1} + 1) - (D_{i-1,j} + 1) \leq |D_{i,j-1} - D_{i-1,j}| \leq 2,$$

$$(D_{i,j-1} + 1) - (D_{i-1,j-1} + c_{sub}) \leq 2,$$

it follows that

$$(D_{i,j-1} + 1) - m_{i,j} = (D_{i,j-1} + 1) - \min(D_{i-1,j} + 1,\ D_{i-1,j-1} + c_{sub}) \leq 2.$$

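Finally, because $m_{i,j} \leq D_{i-1,j-1} + c_{sub}$, we have

$$\begin{aligned} (D_{i,j-1} + 1) - m_{i,j} &= (D_{i,j-1} + 1) - \min(D_{i-1,j} + 1,\ D_{i-1,j-1} + c_{sub}) \\ &\geq (D_{i,j-1} + 1) - (D_{i-1,j-1} + c_{sub}) \geq -1, \end{aligned}$$

where the last step follows from (4) and $c_{sub} \leq 1$.

Therefore, both constraints (1) and (2) must hold.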
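The bound can also be checked empirically. The sketch below is a plaintext sanity check written for this exposition, not part of the paper's artifact: it records the difference a − b seen by each of the two nested two-minimum calls while running basic edit distance on random strings. The helper names, the alphabet, and the trial parameters are all illustrative assumptions.

```python
import random


def min_input_differences(s: str, t: str) -> set:
    """Return every difference a - b fed to a two-minimum call while
    computing basic edit distance with the nesting used in the proof."""
    n, m = len(s), len(t)
    D = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        D[i][0] = i
    for j in range(m + 1):
        D[0][j] = j

    diffs = set()
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            c_sub = 0 if s[i - 1] == t[j - 1] else 1
            # Inner call: min(D[i-1][j] + 1, D[i-1][j-1] + c_sub).
            a1, b1 = D[i - 1][j] + 1, D[i - 1][j - 1] + c_sub
            diffs.add(a1 - b1)
            m_ij = min(a1, b1)
            # Outer call: min(D[i][j-1] + 1, m_ij).
            a2 = D[i][j - 1] + 1
            diffs.add(a2 - m_ij)
            D[i][j] = min(a2, m_ij)
    return diffs


def observed_differences(trials: int = 200, max_len: int = 30, seed: int = 0) -> set:
    """Collect the differences over random strings on a 4-letter alphabet."""
    rng = random.Random(seed)
    seen = set()
    for _ in range(trials):
        s = "".join(rng.choice("ACGT") for _ in range(rng.randint(0, max_len)))
        t = "".join(rng.choice("ACGT") for _ in range(rng.randint(0, max_len)))
        seen |= min_input_differences(s, t)
    return seen
```

Every value returned by `observed_differences()` should lie in {−1, 0, 1, 2}, in line with constraints (1) and (2).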

Generally, observations like the one above can also be shown for many other string-comparison metrics. Next, we state our general proposition of this insight which is formally proven in Appendix B. We note that, unlike the example above, our proof for the general case does not rely on the triangle inequality property of the metrics.

Proposition 1.

Let s, t, $D_{i,j}$, $c_{ins}$, $c_{del}$, $c_{sub}$ be defined as in Section 2.2, where $c_{ins}$ and $c_{del}$ are generalized to one-dimensional tables and $c_{sub}$ is generalized to a two-dimensional table. Let

$$\begin{aligned} m_{i,j} &= \min(D_{i,j-1} + c_{del}[t[j]],\ D_{i-1,j-1} + c_{sub}[s[i], t[j]]), \\ u_{i,j} &= (D_{i,j-1} + c_{del}[t[j]]) - (D_{i-1,j-1} + c_{sub}[s[i], t[j]]), \\ v_{i,j} &= (D_{i-1,j} + c_{ins}[s[i]]) - m_{i,j}. \end{aligned}$$

Then, there exist public constants C₁, C₂, C₃, C₄, which are independent of $D_{i,j}$, such that for all valid indices i, j,

$$C_{1} \leq u_{i,j} \leq C_{2}, \quad C_{3} \leq v_{i,j} \leq C_{4}.$$

3.2. The Garbling Scheme

Basic Idea.

Since these computations only deal with integers, we generalize the idea of garbling binary signals to work directly on arithmetic signals. Recall that when garbling binary circuits, the garbler picks, for every wire in the circuit, a secret string $w_{0} \leftarrow \{0, 1\}^{128}$ to encode 0 and sets $w_{1} := w_{0} \oplus Δ$ to encode 1 (where Δ is a circuit-global secret uniformly sampled from $\{0, 1\}^{127}$). To generalize this idea, we replace “⊕”, the adder on the binary field, with “+_p”, the adder on the prime field $ℤ_{p}$ (where p is public and sufficiently large, e.g., p > 2⁸⁷). In our scheme, the garbler first picks a uniform global secret Δ from $ℤ_{p}$. Then, for every wire in the arithmetic circuit, the garbler picks a uniform $k_{0}$ (called the wire-key) from $ℤ_{p}$ to denote 0, and encodes every integer $a \in ℤ_{p}$ as $k_{a} = k_{0} +_{p} a \times_{p} Δ$, where “+_p” and “×_p” denote mod-p addition and multiplication, respectively.

To garble a gate, the garbler uses the encoding of each possible input signal of the gate as a key to encrypt the encoding of the corresponding output signal; to evaluate the gate, the evaluator tries to decrypt every garbled row of the gate. To allow the evaluator to tell which row decrypts successfully, we add a constant tag of sufficient length (the zero-tag) to every wire-key $k_{a}$ to form a wire-label. Thus, it is the output wire-labels (rather than wire-keys) that are actually encrypted.

If the zero-tags are short (e.g., 40-bits), one might worry that a wire-label could happen to successfully decrypt more than one garbled row in the same gate due to collision, which violates the correctness property of garbling. However, to semi-honest attackers, who cannot leverage side-computation to affect protocol execution, the length of the zero-tags is actually a statistical security parameter. To malicious attackers, the issue can be addressed, either by increasing the length of zero-tags (Section 4.2), or by fixing the random-tape of the Gb function to a collaboratively coin-tossed bit-string (so the garbler cannot precompute and cherry-pick a particular random-tape to produce a problematic garbled gate).

Notation for Wire-labels.

In the rest of the paper, we always use upper-case letters (e.g., A) to name wires. If $w_{a}^{A}$ denotes a wire-label, the superscript (A) indicates the id of the wire with which this wire-label is associated and the subscript (a) indicates the plaintext signal that the wire-label encodes. When the wire name is irrelevant to a discussion, the superscript can be omitted. In our terminology, generating (or sampling) a fresh wire-label, say $w_{a}^{A}$, for a plaintext value a means first picking $k_{0}^{A} \leftarrow ℤ_{p}$ (unless $k_{0}^{A}$ is already known), then setting $k_{a}^{A} := k_{0}^{A} +_{p} a \times_{p} Δ$ and $w_{a}^{A} := 0^{40} ∥ k_{a}^{A}$. We require $w_{a}^{A} \in \{0, 1\}^{128}$, so when the binary representation of $k_{a}^{A}$ is short, leading zeros are padded in front to ensure $w_{a}^{A}$ has exactly 128 bits.
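The encoding just described can be sketched in a few lines of Python. This is a toy illustration under stated assumptions, not the paper's implementation: the modulus `P = 2**61 - 1` is a small Mersenne prime chosen only so the example is self-contained (the text asks for p > 2⁸⁷), and the helper names `wire_key` and `wire_label` are hypothetical.

```python
import secrets

# Toy modulus (assumption): a Mersenne prime far smaller than the
# p > 2^87 suggested in the text, used here only for illustration.
P = 2**61 - 1
TAG_BITS = 40                      # length of the zero-tag
LABEL_BITS = 128                   # total wire-label length
KEY_BITS = LABEL_BITS - TAG_BITS   # room left for the wire-key


def wire_key(k0: int, a: int, delta: int) -> int:
    """k_a = k_0 +_p a x_p delta; negative a is reduced mod P."""
    return (k0 + a * delta) % P


def wire_label(key: int) -> str:
    """0^40 || key as a 128-character bit string, key zero-padded on the left."""
    assert 0 <= key < 2**KEY_BITS
    return format(key, f"0{LABEL_BITS}b")


def has_zero_tag(label: str) -> bool:
    """True when the first 40 bits of the label are all zero."""
    return len(label) == LABEL_BITS and label[:TAG_BITS] == "0" * TAG_BITS


if __name__ == "__main__":
    delta = secrets.randbelow(P)   # circuit-global secret
    k0 = secrets.randbelow(P)      # fresh zero-key for one wire
    label = wire_label(wire_key(k0, 7, delta))
    print(len(label), has_zero_tag(label))
```

Consecutive plaintext values on the same wire always have keys that differ by exactly Δ (mod p), which is what makes the free arithmetic described next possible.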

Next, we show how every gadget needed in the private edit distance computation can be efficiently instantiated.

Addition.

To securely add two plaintext signals $a, b \in ℤ_{p}$ on two wires A and B, which are represented by wire-labels

$$w_{a}^{A} = 0^{40} ∥ (k_{0}^{A} +_{p} a \times_{p} Δ) \quad \text{and} \quad w_{b}^{B} = 0^{40} ∥ (k_{0}^{B} +_{p} b \times_{p} Δ),$$

respectively, it suffices for the garbler to set

$$w_{0}^{C} = w_{0}^{A} +_{p} w_{0}^{B}$$

while the evaluator locally computes

$$w_{c}^{C} := w_{a}^{A} +_{p} w_{b}^{B}.$$

Assuming there is no overflow², it is easy to verify that $w_{c}^{C} = (w_{0}^{C} +_{p} (a +_{p} b) \times_{p} Δ)$ , which is indeed the expected encoding of $a +_{p} b$ on wire C. Moreover, recall that if $a + b < p$ , then $a + b = a +_{p} b$ . Therefore, this essentially realizes addition over $ℤ$ when $a + b < p$ .

As a natural extension of secure addition, multiplying a secret value a on a wire A, encoded by the wire-label

$$w_{a}^{A} = 0^{40} ∥ (k_{0}^{A} +_{p} a \times_{p} Δ),$$

by a public constant c can simply be realized as follows:

the garbler sets $w_{0}^{Z} = c \times_{p} w_{0}^{A}$ for the output wire Z; and
the evaluator locally derives the wire-label $w_{z}^{Z} = c \times_{p} w_{a}^{A}$, which encodes $z = c \times_{p} a$.

Again, note that if $c \times a < p$ then $c \times a = c \times_{p} a$. Hence, this realizes constant multiplication over $ℤ$ if $c \times a < p$.

Addition (or public-constant multiplication) is therefore free: no expensive cryptographic computation or network traffic is needed, only a mod-p addition (or mod-p multiplication, respectively) on each side of the protocol.
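To see why both operations are free, it helps to run the garbler's and the evaluator's local steps side by side on wire-keys. The Python below is a minimal sketch under assumptions: it works on the wire-keys only (the zero-tag is left out), uses a toy prime `P` rather than a p > 2⁸⁷, and all function names are illustrative.

```python
# Toy modulus (assumption): a Mersenne prime used only for illustration.
P = 2**61 - 1


def encode(k0: int, a: int, delta: int) -> int:
    """Wire-key for plaintext a on a wire whose zero-key is k0."""
    return (k0 + a * delta) % P


# Garbler side: derive the zero-key of the output wire from the
# zero-keys of the input wires. No ciphertext is produced or sent.
def garbler_add(k0_a: int, k0_b: int) -> int:
    return (k0_a + k0_b) % P


def garbler_scale(c: int, k0_a: int) -> int:
    return (c * k0_a) % P


# Evaluator side: combine the keys it currently holds in the same way.
def evaluator_add(k_a: int, k_b: int) -> int:
    return (k_a + k_b) % P


def evaluator_scale(c: int, k_a: int) -> int:
    return (c * k_a) % P
```

The evaluator's result is the valid encoding of a + b (or c × a) under the garbler's output zero-key, because (k₀ᴬ + aΔ) + (k₀ᴮ + bΔ) = (k₀ᴬ + k₀ᴮ) + (a + b)Δ and c(k₀ᴬ + aΔ) = c·k₀ᴬ + (c·a)Δ modulo p.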

Equality.

When computing $c_{sub}$, an equality test is needed to decide whether two input characters are identical. Let $a, b \in \{0, 1, \dots, ζ\}$ be two integers, and let $w_{a}$, $w_{b}$ be the wire-labels corresponding to a and b, respectively. To securely compute whether a equals b, first $d = a - b$ is securely computed, so the garbler knows $k_{0}^{D}$ and Δ while the evaluator knows $w_{d}^{D} = 0^{40} ∥ (k_{0}^{D} +_{p} d \times_{p} Δ)$. Then, since $d \in \{-ζ, \dots, ζ\}$,

the garbler samples a fresh pair of wire-labels $w_{0}^{Z}$ and $w_{1}^{Z}$ to encode signals 0 and 1 on the output-wire Z, and sends the following $2ζ + 1$ garbled rows

$$Enc_{w_{0}^{D}}(w_{1}^{Z}, id); \text{ and}$$

$$Enc_{w_{i}^{D}}(w_{0}^{Z}, id), \quad \forall i \neq 0,\ i \in \{-ζ, \dots, ζ\}$$

in a randomly permuted order, where id is the identifier of this projection gate;
the evaluator tries to decrypt the above $2ζ + 1$ ciphertexts using $w_{d}^{D}$ as the key. Only the ciphertext encrypted with key $w_{d}^{D}$ will be successfully decrypted, revealing the valid wire-label $w_{z}^{Z}$ encoding $(a = b)\ ?\ 1 : 0$.

Namely, the evaluator will learn $w_{1}^{Z}$ if and only if a = b; and otherwise, will learn $w_{0}^{Z}$ .
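The equality gadget can be sketched as a small projection gate. This is a toy sketch under stated assumptions: `pad` uses truncated SHA-256 as a stand-in for the paper's fixed-key AES construction, `P` is a toy prime, and all function names are hypothetical.

```python
import hashlib
import secrets

P = 2**61 - 1      # toy prime (assumption); labels then fit in 88 bits
LABEL_BITS = 88    # a 128-bit label is 0^40 || (88-bit value)

def pad(key, gate_id):
    """128-bit pad from SHA-256; a stand-in for fixed-key AES."""
    data = key.to_bytes(16, "big") + gate_id.to_bytes(16, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

def enc(key, out_label, gate_id):
    return pad(key, gate_id) ^ out_label

def dec(key, ciphertext, gate_id):
    m = pad(key, gate_id) ^ ciphertext
    return m if m >> LABEL_BITS == 0 else None  # accept only a valid zero-tag

def garble_equality(k0_d, delta, zeta, gate_id):
    """Return 2*zeta+1 shuffled rows and the fresh output labels (w0_Z, w1_Z)."""
    w_z = (secrets.randbelow(P), secrets.randbelow(P))
    rows = []
    for i in range(-zeta, zeta + 1):
        key = (k0_d + i * delta) % P  # label encoding the difference d = i
        rows.append(enc(key, w_z[1] if i == 0 else w_z[0], gate_id))
    secrets.SystemRandom().shuffle(rows)
    return rows, w_z

def evaluate(rows, w_d, gate_id):
    """Trial-decrypt every row; return the first plaintext with a valid tag."""
    for row in rows:
        m = dec(w_d, row, gate_id)
        if m is not None:
            return m
    raise ValueError("no row decrypted to a valid label")

delta = secrets.randbelow(P - 1) + 1
k0_d = secrets.randbelow(P)
rows, w_z = garble_equality(k0_d, delta, zeta=3, gate_id=1)
w_d = (k0_d + 0 * delta) % P            # evaluator's label when a == b
print(evaluate(rows, w_d, 1) == w_z[1])
```

A row encrypted under a different key passes the zero-tag check only with probability about 2⁻⁴⁰, so the sketch simply returns the first valid decryption.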

The cost of the secure equality is linear in the range of (a − b). Recall that the cost of traditional binary garbled circuit based integer comparison is linear in the number of bits to represent the input numbers. Therefore, when a − b can be bounded by a constant (for application-specific reasons), our approach can reduce the cost by a factor of min(log a, log b).

Minimum.

First, we observe that given two integers a, b, $\min (a, b) = a - 〈 a - b 〉$ , where “ $〈 \cdot 〉$ ” is a function defined as follows,

〈 x 〉 = \begin{cases} x, & \text{if } x \geq 0; \\ 0, & \text{otherwise}. \end{cases}

In essence, “ $〈 \cdot 〉$ ” is a generalized comparison, which can be realized using the same idea of secure projection like in the equality gadget above. Let X, Z be the input and output wires, respectively, and assume $x \in {- ζ, \dots, ζ}$ , the garbler simply sends the following $2 ζ + 1$ ciphertexts in a randomly permuted order:

{Enc}_{w_{i}^{X}} (w_{0}^{Z}, id), \forall i \in {- ζ, \dots, - 1}; and

{Enc}_{w_{i}^{X}} (w_{i}^{Z}, id), \forall i \in {0, \dots, ζ}

where for $0 \leq i \leq ζ$ , $w_{i}^{Z}$ is the wire-label representing plaintext value i on the wire Z. When a, b are large but $| a - b |$ is bounded by some constant (which is indeed the case for the string metrics considered in this paper), we can save a factor of min(log a, log b) compared with traditional garbling.
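The identity behind the minimum gadget can be checked in the clear. The sketch below works on plaintext values only; the function names are hypothetical, and `ramp_projection_table` just lists the public input-to-output map that the 2ζ + 1 garbled rows would realize.

```python
def ramp(x):
    """The function <x>: x if x >= 0, else 0."""
    return x if x >= 0 else 0

def min_via_ramp(a, b):
    """min(a, b) = a - <a - b>."""
    return a - ramp(a - b)

def ramp_projection_table(zeta):
    """Public map i -> <i> for i in {-zeta, ..., zeta}."""
    return {i: ramp(i) for i in range(-zeta, zeta + 1)}

print(min_via_ramp(7, 4), min_via_ramp(4, 7))
print(ramp_projection_table(2))
```

Only the difference a − b enters the projection, which is why the gate size depends on the bound ζ rather than on the magnitudes of a and b.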

Table-lookup.

A one-dimensional table of n entries can be viewed as an association-list

{(0, v_{0}), (1, v_{1}), \dots, (n - 1, v_{n - 1})},

where the $v_{i}$ are bounded integer values. A table-lookup gadget can be treated as a unary gate with input-wire I and output-wire V. Given a wire-label $w_{i}^{I}$ that encodes plaintext index i, a secure table look-up will output a wire-label $w_{v_{i}}^{V}$ that encodes $v_{i}$ . In our scheme, this can be straightforwardly realized as follows:

The garbler generates fresh wire-labels $w_{v_{0}}^{V}, \dots, w_{v_{n - 1}}^{V}$ to encode $v_{0}, \dots, v_{n - 1}$ on the output-wire V; and sends the following n ciphertexts in a randomly permuted order:
${Enc}_{w_{i}^{I}} (w_{v_{i}}^{V}, id), \forall i \in {0, \dots, n - 1}$
where $w_{i}^{I}$ encodes i on the input index wire I.
The evaluator uses $w_{i}^{I}$ as key to decrypt the above n ciphertexts. Due to the way the ciphertexts are constructed, precisely one of them will be successfully decrypted, revealing the wire-label $w_{v_{i}}^{V}$ that encodes $v_{i}$ .

Moreover, looking up a multi-dimensional table with our scheme is readily reducible to a one-dimensional table lookup problem. Take the two-dimensional m-by-n table lookup as an example. A two-dimensional table can always be mapped to a one-dimensional table by concatenating the rows, i.e., an index (i, j) (where $0 \leq i < m$ , $0 \leq j < n$ ) over the 2D-table can be translated into an index k = i ∗ n + j over a 1D-table of size mn. Since n is public, the affine mapping of wire-labels $w_{i}^{I}$ and $w_{j}^{J}$ (that encode the row and column indices) to the wire-label $w_{k}^{K}$ (that encodes the translated index) is almost free with our scheme. Once the translation is done, the secure 2D-table lookup reduces to sending and trial-decrypting mn ciphertexts, the same as the treatment to securely look up a 1D-table of mn entries.
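A small sketch of the index translation, assuming the standard row-major convention k = i · n + j for a table with n columns. The toy modulus `P`, the sample table, and the helper names are illustrative assumptions; `flatten_label` applies the same affine map to the arithmetic part of the labels.

```python
P = 2**61 - 1  # toy prime modulus (assumption)

def flatten_index(i, j, n_cols):
    """Row-major index of entry (i, j) in a table with n_cols columns."""
    return i * n_cols + j

def flatten_label(w_i, w_j, n_cols):
    """Affine map on labels: w_k = n_cols * w_i + w_j (mod P), done locally."""
    return (n_cols * w_i + w_j) % P

table = [[10, 11, 12], [20, 21, 22]]      # m = 2 rows, n = 3 columns
flat = [v for row in table for v in row]  # rows concatenated

# Hypothetical garbler secrets for the row wire I and the column wire J.
k0_I, k0_J, delta = 5, 9, 1234567
i, j = 1, 2
w_i, w_j = (k0_I + i * delta) % P, (k0_J + j * delta) % P
w_k = flatten_label(w_i, w_j, 3)
k0_K = flatten_label(k0_I, k0_J, 3)       # garbler's zero-label on wire K

print(flat[flatten_index(i, j, 3)] == table[i][j])
print(w_k == (k0_K + flatten_index(i, j, 3) * delta) % P)
```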

Recall that with traditional binary circuit garbling schemes, a generic multiplexer-based secure table lookup is significantly more expensive because: 1) each index and each content integer in the table need to be encoded by multiple wire-labels; 2) n multiplexers would be needed to scan the table while the cost of each multiplexer depends on the bit length of the table content values as well as the length of the index. Alternatively, if the table is small, a secure table lookup can be realized as a giant garbled truth table like Huang et al. suggested [12]. However, it is unclear how this can be efficiently realized with AESNI support because log n keys (one key per bit of the index) are involved in producing every garbled row. A more straightforward solution would use SHA hashing, which, however, is orders-of-magnitude slower than AESNI instructions. In contrast, secure table lookup with our garbling scheme is significantly cheaper.

Handle Initial Inputs.

We assume the initial circuit inputs to our (arithmetic) circuit are in bits and the processing of these binary input values resembles that in binary garbled circuit protocols, i.e., the circuit generator’s private input bits are encoded by wire-labels that are directly sent to the evaluator while the circuit evaluator’s private input bits are translated to their corresponding wire-labels through oblivious transfer. We stress, though, that the format of the wire-labels that encode the initial input bits conforms to the mod-p field notion of wire-labels required by our garbling scheme. Therefore, a set of addition and public-constant multiplication gadgets will be used to translate the bit representation of input values into their arithmetic representations.

Implementation.

Today’s high-performance garbling schemes rely heavily on ideal block ciphers instantiated with fixed-key AES. Our scheme can also leverage fast fixed-key AES garbling accelerated by AESNI. For all the building blocks, our garbling scheme requires only one cryptographic primitive, ${Enc}_{w_{in}} (i, w_{out})$ , where w_in and w_out are 128-bit wire-labels with valid zero-tags and i < 2¹²⁸ is an integer identifier serving as a gadget counter. Similar to Half-Gates [10], we implement ${Enc}_{w_{in}} (i, w_{out})$ as

{Enc}_{w_{in}} (i, w_{out}) = π (K) \oplus K \oplus w_{out}

where $K = 2 w_{i n} \oplus i$ (note that 2w_in refers to doubling w_in in GF(2¹²⁸)) and π is a random permutation realized using fixed-key AES. We can implement ${Dec}_{w_{i n}} (i, c)$ as

{Dec}_{w_{in}} (i, c) = \begin{cases} m, & \text{if } m := π (K) \oplus K \oplus c \text{ has the zero-tag}; \\ ⊥, & \text{otherwise}. \end{cases}

where K is as defined before.
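The Enc and Dec definitions above can be sketched as follows. Two points are assumptions rather than details from the text: `pi` is truncated SHA-256 standing in for fixed-key AES (so it is not a true permutation), and `gf_double` reduces by the common polynomial x¹²⁸ + x⁷ + x² + x + 1, which the text does not specify.

```python
import hashlib

MASK128 = (1 << 128) - 1
LABEL_BITS = 88  # a valid label has its top 40 bits equal to zero

def gf_double(x):
    """Multiply by 2 in GF(2^128); reduction polynomial is an assumption."""
    x <<= 1
    if x >> 128:
        x = (x & MASK128) ^ 0x87
    return x

def pi(block):
    """Stand-in for fixed-key AES: truncated SHA-256 of a 16-byte block."""
    digest = hashlib.sha256(block.to_bytes(16, "big")).digest()
    return int.from_bytes(digest[:16], "big")

def enc(w_in, i, w_out):
    k = gf_double(w_in) ^ i
    return pi(k) ^ k ^ w_out

def dec(w_in, i, c):
    k = gf_double(w_in) ^ i
    m = pi(k) ^ k ^ c
    return m if m >> LABEL_BITS == 0 else None  # None plays the role of ⊥

w_in, w_out, gate = 0x1234567890ABCDEF, 987654321, 7  # hypothetical toy labels
c = enc(w_in, gate, w_out)
print(dec(w_in, gate, c) == w_out)
```

Decrypting with a wrong key yields an essentially random 128-bit string, which carries a valid zero-tag only with probability about 2⁻⁴⁰.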

3.3. Formal Analysis

Complexity.

With our approach, the dominating cost can be attributed to the projection gates (used in computing the minimum and equality). For edit-distance, to compute each entry of the n²-entry dynamic programming matrix, only two projection gates are needed: one 8-row projection for equality and another 8-row projection for minimum. So overall, the cost is 16n² garbled rows. In comparison, using Half-Gate’s [10] garbling to compute edit-distance, computing each entry of the n² DP matrix requires a fixed-width equality gate (2 garbled rows), two variable-width minimum gates (2 log n × 2 rows), and one variable-width addition gate (2 log n rows), totaling $(6 \log n + 2) n^{2}$ garbled rows. With Ball-Malkin-Rosulek, even if additions are ignored, the cost per matrix entry will still be c₁ log n rows for equality plus c₂ log n rows for minimum (where c₁, c₂ are fairly large constants depending on the choice of the CRT-representation), totaling $(c_{1} + c_{2}) n^{2} \log n$ rows. Therefore, our approach brings a log n-factor saving over the best existing generic garbling schemes.
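To give a feel for the two row counts, the sketch below evaluates 16n² and (6 log n + 2)n² for a concrete n. Taking log n as ⌈log₂ n⌉ is an assumption made here for illustration, and the function names are hypothetical.

```python
import math

def rows_projection(n):
    """Garbled rows with two 8-row projection gates per DP entry."""
    return 16 * n * n

def rows_half_gates(n):
    """Garbled rows with the (6 log n + 2) per-entry Half-Gates count."""
    width = math.ceil(math.log2(n))  # assumed bit-width of a DP entry
    return (6 * width + 2) * n * n

n = 4000
print(rows_projection(n), rows_half_gates(n))
print(rows_half_gates(n) / rows_projection(n))
```

Under these assumptions the row-count ratio at n = 4000 is (6 · 12 + 2) / 16; measured savings also depend on factors outside this count.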

Correctness.

We formalize our garbling scheme in Figure 2. It is easy to verify that correctness of this garbling scheme fails only if more than one row in the same gate decrypts to valid (but different) wire-labels. Against semi-honest attackers, the length of the zero-tags provides statistical security. Thus correctness fails only when multiple honestly-garbled rows in the same gate happen to decrypt to different wire-labels each with a valid zero tag (such that an evaluator would be confused), which is bounded by 2⁻⁴⁰ in each gate. One might also worry that large circuits may be more likely to fail since a circuit with |C| non-free gates might fail with probability $\sum_{i = 1}^{| C |} 2^{- 40} \cdot n_{i}$ (this is actually a loose upper-bound) where n_i is the number of rows in the i^th gate. However, this is not the case because for every internal gate, the evaluator can always try all seemingly-valid wire-labels in a subsequent gate to eliminate such spurious wire-labels. So a spurious wire-label can only propagate with probability at most $2^{- 40} n_{1} \cdot 2^{- 40} n_{2}$ , where n₁, n₂ are the numbers of garbled rows in the two connected gates, respectively. Since the number of rows in every garbled gate is bounded by a small constant in practice, we have $2^{- 40} n_{1} \cdot 2^{- 40} n_{2} ≪ 2^{- 40}$ . Therefore, the overall failure probability only depends on the final layer of gates, that is, at most $\sum_{i = 1}^{| C_{out} |} 2^{- 40} \cdot n_{i}$ where $| C_{out} |$ is the number of non-free gates in the final layer and n_i is the number of rows in the i^th final-layer gate. Since $| C_{out} |$ is typically a small constant in MPC applications (e.g., $4 \leq | C_{out} | \leq 20$ to denote the output distance/score in private string-comparison applications), our garbling schemes are correct except for a negligible probability (in a concrete sense).
In Section 4.2, we give a technique to increase both the computational and statistical security to 127-bit, which will address the concern even in the presence of malicious attackers.
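
As a rough illustration of the final-layer bound, assume (hypothetically) $| C_{out} | = 20$ final-layer gates with $n_{i} = 8$ garbled rows each, the row count quoted for the projection gates in the complexity analysis. Then

\sum_{i = 1}^{20} 2^{- 40} \cdot 8 = 160 \cdot 2^{- 40} < 2^{8} \cdot 2^{- 40} = 2^{- 32} .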

Security.

Note that equality, minimum and table-lookup gadgets are all essentially realized by a primitive operation called projection. Secure projection obliviously maps an input signal a_i to a predefined output signal b_i based on a public table ${(a_{1}, b_{1}), \dots, (a_{n}, b_{n})}$ . Thus, to prove the garbling scheme to be secure, it suffices to just consider addition and projection.

Theorem 1.

If π is an ideal block cipher that is used to realize Enc and Dec as described above, the scheme in Figure 2 satisfies the privacy and obliviousness definitions given in Section 2.1, and an application-dependent notion of authenticity.

Proof of Theorem 1 is given in Section A.

4. Extensions

In this section, we discuss three extensions of our approach: one for garbling arbitrary computations, the second for increasing the security parameters, and the third for achieving application-independent authenticity.

4.1. Garbling Arbitrary Computations

Our garbling scheme as is described so far can’t handle generic computations because we haven’t discussed how to multiply two secret values efficiently. To efficiently handle arbitrary computations, our basic idea is to tether the above scheme with a traditional binary circuit garbling such as Half-Gate.

Arithmetic Wire-labels to Binary Wire-labels.

Suppose the circuit garbler knows $w_{0} = 0^{40} ∥ k_{0}$ and Δ, whereas the evaluator knows $w_{a} = 0^{40} ∥ (k_{0} +_{p} a \times_{p} Δ)$ . Let the binary form of the integer a be $a_{1} a_{2} \dots a_{n}$ . After conversion, we hope the garbler learns wire-labels $w_{1, 0}, \dots, w_{n, 0}$ and Δ while the evaluator learns $w_{1, a_{1}}, \dots, w_{n, a_{n}}$ such that $w_{i, a_{i}} = w_{i, 0} \oplus a_{i} Δ$ . We describe two methods to accomplish this goal that exhibit complementary tradeoffs between performance and generality.

4.1.0.1 Via secret shares: Suppose the range of a is publicly known to be restricted to ${0, \dots, ζ}$ . The basic idea is to let the garbler send a random permutation of

{Enc}_{w_{i}} (i \oplus m), \forall i \in {0, \dots, ζ}

where m is a $⌈ \log ζ ⌉$ -bit secret mask picked by P₁. Thus, the evaluator who has w_a is able to recover $a \oplus m$ . Then, the two parties can use traditional garbled circuit protocols [10] to run any followup computation over a by starting from their respective shares m and $a \oplus m$ .

To convert an arithmetic wire, it costs $ζ + 1$ encryptions to send the encrypted masked-shares, 176 encryptions to translate the garbler’s input bits and 88 oblivious transfers (for the evaluator’s 88-bit input) in the second stage of the secure computation. This approach would be preferred when $ζ$ is known to be relatively small. As $ζ$ grows too big, it becomes infeasible to transmit $O (ζ)$ encryptions, in which case we can opt for an alternative conversion method suitable for large ζ.

4.1.0.2 Via generic secure modular-arithmetic: The basic idea is to construct a binary garbled circuit to securely compute $(k_{a} - k_{0}) / Δ$ where “−” and “/” are mod-p subtraction and division, respectively. By requiring the garbler to locally compute ( $Δ^{- 1}$ mod p), we can reduce the above computation into a secure mod-p subtraction followed by a secure mod-p multiplication, both realized by a traditional binary circuit garbling scheme.

Because $k_{0}, k_{a}, p \in \{0, 1\}^{88}$ , the cost of this approach is that of a traditional garbled circuit secure computation protocol with 88 × 3 input bits (88 × 2 bits from the garbler and 88 bits from the evaluator), an 88-bit mod-p secure subtraction, and an 88-bit mod-p secure multiplication. Since it only depends on the computational security parameter rather than the range of the plaintext values, it fits better when the range of a can be very big (e.g., more than 2¹⁷).
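The function that the binary garbled circuit would compute in this second method can be sketched in the clear. This only illustrates the mod-p arithmetic, not the secure protocol; the toy prime `P`, the sample secrets, and the function name are assumptions, and `pow(delta, -1, P)` requires Python 3.8 or later.

```python
P = 2**61 - 1  # toy prime modulus (assumption); the paper's p has 88 bits

def recover_plaintext(k_a, k_0, delta):
    """Compute (k_a - k_0) / delta over Z_P using a modular inverse."""
    delta_inv = pow(delta, -1, P)  # the garbler can precompute this locally
    return ((k_a - k_0) * delta_inv) % P

k_0, delta = 123456789, 987654321  # hypothetical garbler secrets
a = 2**17 + 5                      # a value too large for a projection gate
k_a = (k_0 + a * delta) % P        # arithmetic part of the evaluator's label
print(recover_plaintext(k_a, k_0, delta) == a)
```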

With either approach, we stress that the authenticity of the final output-wire labels holds if $a ≪ p$ , because without knowing w₀ and Δ, for any $a, b \in ℤ_{p}$ ,

(w_{0} +_{p} a \times_{p} Δ, w_{0} +_{p} b \times_{p} Δ) \approx (X, Y)

where X, Y are uniform random samples from $0^{40} ∥ ℤ_{p}$ . So for example, when it is known that a ≤ 2³² from the application context, our approach can offer at least 87 − 32 = 55 bits authenticity.

Binary Circuit Wire-labels to Arithmetic Wire-labels.

Converting wire-labels from traditional binary circuit garbling to arithmetic wire-labels used in ours is more straightforward: the garbler only needs to send a randomly permuted pair of ciphertexts

[{Enc}_{w_{0}^{'}} (w_{0}), {Enc}_{w_{1}^{'}} (w_{1})]

per wire in the binary circuit, where $w_{0}^{'}, w_{1}^{'}$ are wire-labels conforming to the format required by the traditional garbling (e.g., $\forall b \in \{0, 1\}, w_{b}^{'} = w_{0}^{'} \oplus b Δ, Δ \in \{0, 1\}^{128}$ ), and w₀, w₁ are freshly sampled labels based on our garbling scheme (e.g., $\forall b \in \{0, 1\}, w_{b} = 0^{40} ∥ k_{b}, k_{b} = k_{0} +_{p} b \times_{p} Δ, Δ \in ℤ_{p}$ ). So the evaluator can decrypt the ciphertext corresponding to the binary circuit wire-labels it learns from the evaluation.

To derive an arithmetic wire-label w_a that encodes

a = a_{0} + a_{1} \times 2 + \dots + a_{n} \times 2^{n}, a_{i} \in {0, 1}

from binary wire-labels $w_{a_{0}}^{'}, \dots, w_{a_{n}}^{'}$ , it suffices to first convert binary encodings $w_{a_{0}}^{'}, \dots, w_{a_{n}}^{'}$ to arithmetic encodings $w_{a_{0}}, \dots, w_{a_{n}}$ , then w_a can be derived from $w_{a_{0}}, \dots, w_{a_{n}}$ through local constant multiplication and local addition.
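
The final composition step can be sketched as follows, assuming each bit has already been converted to an arithmetic label under a shared Δ. The toy modulus `P`, the helper `compose`, and the sample bits are hypothetical.

```python
import secrets

P = 2**61 - 1  # toy prime modulus (assumption)

def compose(labels):
    """Combine per-bit labels (least-significant first) as sum 2^i * label_i."""
    return sum(pow(2, i, P) * w for i, w in enumerate(labels)) % P

delta = secrets.randbelow(P - 1) + 1
bits = [1, 0, 1, 1]                                    # a = 1 + 4 + 8 = 13
k0s = [secrets.randbelow(P) for _ in bits]             # garbler's zero-labels
active = [(k0 + b * delta) % P for k0, b in zip(k0s, bits)]

k0_a = compose(k0s)    # garbler: zero-label of the composed wire
w_a = compose(active)  # evaluator: active label of the composed wire
a = sum(b << i for i, b in enumerate(bits))
print(w_a == (k0_a + a * delta) % P)
```

Both parties apply the same public weights 2^i, so no communication is needed beyond the per-bit conversion.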

4.2. Increase Security Parameters

The scheme as we described thus far only guarantees 87 bits computational and 40 bits statistical security for semi-honest adversaries. Next, we show how to modify our scheme to provide 127 bits computational and 128 bits statistical security for semi-honest adversaries (or 128 bit computational security for malicious adversaries).

The key idea is to set p to be a 128-bit prime (in doing so, we abandon the idea of using 40-bit all-zero tags to identify successful decryptions) and add to each garbled row ${Enc}_{w_{i n}} (i, w_{o u t})$ a 128-bit tag. That is,

{Enc}_{w_{i n}} (i, w_{o u t}) = (C_{1}, C_{2})

where

C_{1} = π (K) \oplus K \oplus w_{out}

C_{2} = π (K \oplus 1) \oplus K \oplus w_{out}

K = 2 w_{i n} \oplus i

where 2w_in refers to doubling w_in in GF(2¹²⁸) and π is an ideal block cipher realized by fixed-key AES.

Symmetrically, we can define

{Dec}_{w_{in}} (i, (C_{1}, C_{2})) = \begin{cases} m_{1}, & \text{if } m_{1} = m_{2}; \\ ⊥, & \text{otherwise} \end{cases}

where

m_{1} = π (K) \oplus K \oplus C_{1}

m_{2} = π (K \oplus 1) \oplus K \oplus C_{2},

and K is as was defined above. Thus, the evaluator, who obtains $w_{o u t}^{'}$ by trial decrypting garbled rows in the i-th gate with wire-label $w_{i n}^{'}$ , can verify whether

π (2 w_{i n}^{'} \oplus i \oplus 1) \oplus 2 w_{i n}^{'} \oplus i \oplus w_{o u t}^{'} = C_{2}

to tell if the decryption was successful. The intuitive reason behind this is that if $w_{in}^{'}$ is not equal to w_in (the key used to generate (C₁, C₂)), then $w_{out}^{'} \neq w_{out}$ and

π (2 w_{in}^{'} \oplus i \oplus 1) \oplus 2 w_{in}^{'} \oplus i \oplus w_{out}^{'} \neq π (2 w_{in} \oplus i \oplus 1) \oplus 2 w_{in} \oplus i \oplus w_{out},

for all but a negligible probability.
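
The two-ciphertext variant can be sketched in the same style. As assumptions for illustration only, `pi` is truncated SHA-256 standing in for fixed-key AES, `gf_double` uses the reduction polynomial x¹²⁸ + x⁷ + x² + x + 1, and the sample labels are arbitrary 128-bit integers.

```python
import hashlib

MASK128 = (1 << 128) - 1

def gf_double(x):
    """Multiply by 2 in GF(2^128); reduction polynomial is an assumption."""
    x <<= 1
    if x >> 128:
        x = (x & MASK128) ^ 0x87
    return x

def pi(block):
    """Stand-in for fixed-key AES: truncated SHA-256 of a 16-byte block."""
    digest = hashlib.sha256(block.to_bytes(16, "big")).digest()
    return int.from_bytes(digest[:16], "big")

def enc2(w_in, i, w_out):
    k = gf_double(w_in) ^ i
    return (pi(k) ^ k ^ w_out, pi(k ^ 1) ^ k ^ w_out)  # (C1, C2)

def dec2(w_in, i, ciphertext):
    c1, c2 = ciphertext
    k = gf_double(w_in) ^ i
    m1 = pi(k) ^ k ^ c1
    m2 = pi(k ^ 1) ^ k ^ c2
    return m1 if m1 == m2 else None  # None plays the role of ⊥

w_in, w_out, gate = 2**127 + 12345, 2**100 + 77, 3  # hypothetical labels
row = enc2(w_in, gate, w_out)
print(dec2(w_in, gate, row) == w_out)
```

Here the second ciphertext replaces the zero-tag as the validity check, so the full 128 bits of the label remain available for the plaintext encoding.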

4.3. Application-Independent Authenticity

The authenticity of the garbling scheme described before (as well as the CRT-based garbling scheme of Ball-Malkin-Rosulek) is application-dependent since its authenticity-error n/p can grow with n (see proof of Theorem 1), the size of the application-dependent plaintext-domain. To provide the standard, application-independent notion of authenticity, we can modify our garbling scheme so that every wire’s plaintext value a is encoded as a pair $(k_{0} +_{p} a \times_{p} Δ, {\hat{k}}_{0} +_{p} a \times_{p} \hat{Δ})$ where Δ, $\hat{Δ}$ are the garbler’s two independently-sampled, circuit-global secrets and $k_{0}$ , ${\hat{k}}_{0}$ are the garbler’s two independently-sampled wire-specific secrets. In more detail,

Encode. To encode a plaintext value $a \in ℤ_{p}$ , the garbler picks uniform $k_{0}, {\hat{k}}_{0}, Δ, \hat{Δ} \in ℤ_{p}$ and computes
$L_{a} : = (k_{0} +_{p} a \times_{p} Δ, {\hat{k}}_{0} +_{p} a \times_{p} \hat{Δ})$
as the encoding (i.e., wire-label) of a.

Decode. If the garbler (who knows $k_{0}, {\hat{k}}_{0}, Δ, \hat{Δ}$ ) receives an encoding $\mathbf{L} = (L, \hat{L})$ , to check the validity of the encoding, he/she will verify
$(L - k_{0}) \times_{p} Δ^{- 1} = (\hat{L} - {\hat{k}}_{0}) \times_{p} {\hat{Δ}}^{- 1}$
and decode $\mathbf{L}$ to $(L - k_{0}) \times_{p} Δ^{- 1}$ only if the above equality holds.
Addition. Since the encoding is additively homomorphic, given two encodings L_a and L_b, the encoding of their sum can be locally computed as $L_{a + b} : = L_{a} +_{p} L_{b}$ .
Projection. To garble a projection $(v_{1} \mapsto u_{1}, \dots, v_{t} \mapsto u_{t})$ , a t-row garbled gate is computed as follows:
${Enc}_{L_{v_{1}}} (L_{u_{1}}), {Enc}_{L_{v_{2}}} (L_{u_{2}}), \dots, {Enc}_{L_{v_{t}}} (L_{u_{t}}) .$
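
The paired encoding, its validity check, and the local addition can be sketched as follows. The toy prime `P`, the fixed sample secrets, and the function names are assumptions made for illustration; projection gates are omitted.

```python
P = 2**61 - 1  # toy prime modulus (assumption)

def encode(a, k0, k0_hat, delta, delta_hat):
    """Pair (k0 + a*delta, k0_hat + a*delta_hat), both mod P."""
    return ((k0 + a * delta) % P, (k0_hat + a * delta_hat) % P)

def decode(label, k0, k0_hat, delta, delta_hat):
    """Return the plaintext only if both halves agree; otherwise None."""
    x = (label[0] - k0) * pow(delta, -1, P) % P
    y = (label[1] - k0_hat) * pow(delta_hat, -1, P) % P
    return x if x == y else None

def add(label_a, label_b):
    """Component-wise addition mod P (the encoding is additively homomorphic)."""
    return ((label_a[0] + label_b[0]) % P, (label_a[1] + label_b[1]) % P)

delta, delta_hat = 1111111, 2222223      # hypothetical circuit-global secrets
kA, kA_hat, kB, kB_hat = 31, 41, 59, 26  # hypothetical wire-specific secrets
L_a = encode(7, kA, kA_hat, delta, delta_hat)
L_b = encode(5, kB, kB_hat, delta, delta_hat)
L_sum = add(L_a, L_b)

# The zero-labels of the sum wire are the sums of the input zero-labels.
print(decode(L_sum, kA + kB, kA_hat + kB_hat, delta, delta_hat))
forged = ((L_a[0] + 1) % P, L_a[1])      # tamper with one half only
print(decode(forged, kA, kA_hat, delta, delta_hat))
```

Changing one half of a label without the matching change in the other half makes the two decoded values disagree, so the check rejects it.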

Theorem 2.

The improved garbling scheme of Section 4.3 satisfies the privacy, obliviousness, and authenticity properties outlined in Section 2.1.

Proof of Theorem 2 can be found in Section C.2.

5. The Malicious Model

In this section, we give a general approach to compile our semi-honest protocols into ones secure against malicious adversaries. We consider the standard definition of active-security of secure two-party computation with respect to the standard ideal model execution: the trusted party, upon receiving input strings x and y from parties P₁ and P₂, respectively, computes the agreed string metric between x and y and sends the result to P₂.

Protocol Design Intuition.

We use the cut-and-choose technique, where the circuit generator sends n garbled circuits to the evaluator, k of which will be checked and the rest will be evaluated to derive the final outcome. For improved performance, we used the probabilistic cut-and-choose strategy of [30] to fix n but pick k from a public distribution, based on the observed cost ratio between checking and evaluation per GC. Also, the garbler sends only hashes of GCs in the “garble” step to save bandwidth, but re-generates the evaluation GCs in the “evaluate” step. Our protocol succeeds as long as at least one of the evaluation circuits is correctly generated. Due to the page limit, we describe our malicious-model protocols in Section C.1 and formally prove their security in Section C.3, but state Theorem 3 below for completeness.

Theorem 3.

The protocol of Section C.1 securely computes f in the presence of malicious adversaries.

6. Evaluation

In this section, we evaluate a set of secure string comparing protocols which motivated our work.

Experiment Setup.

We used two n1-standard-1 instances (1vCPU, 3.75GB memory, priced at 3 cents/hour) on Google Cloud Platform. The LAN setting has 2Gbps with 1ms latency. The WAN has 200Mbps with 40ms latency. The computational security parameter κ is 127 and the statistical security parameter s = 40. Unless specified otherwise, the performance numbers are averaged over 10 runs.

We implemented our scheme in C/C++, using Intel AESNI intrinsic instructions to realize the fixed block cipher π. We use emp-tool [13]’s implementation of Half-Gate [10] garbling and efficient OT extension [31], [32] to construct the baseline protocols to compare with. For fair comparison, all baseline protocols use their best possible custom circuits.

6.1. Application Performance

We applied the proposed garbling scheme to implementing five string metrics: edit distance, weighted edit distance, Needleman-Wunsch, longest common subsequence (LCS), and heaviest common subsequence.

6.1.1. Semi-honest Model Performance

Table 1 highlights the performance improvements of our protocols in comparison with the best previous results. Generally, the gains of our approach are slightly bigger on Edit Distance and LCS, since the choices of weights can affect the sizes of the projection gates (as indicated by Proposition 1). We observe that running times on LAN and WAN all conform very well with the linear cost model: ${Time}_{overall} = {Time}_{computation} + {Size}_{traffic} / {Speed}_{network}$ . Thus, in the scalability experiments below we will focus on the LAN setting.
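
The linear cost model is simple enough to evaluate directly. In the sketch below, the function name and the sample figures (10 s of computation, 8 × 10⁹ bits of traffic) are hypothetical; only the two link speeds come from the experiment setup.

```python
def overall_time(computation_s, traffic_bits, network_bps):
    """Time_overall = Time_computation + Size_traffic / Speed_network."""
    return computation_s + traffic_bits / network_bps

# Hypothetical workload evaluated on the two link speeds from the setup.
print(overall_time(10.0, 8e9, 2e9))    # LAN at 2 Gbps
print(overall_time(10.0, 8e9, 200e6))  # WAN at 200 Mbps
```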

Figure 3 and Figure 4 delineate the time and bandwidth costs of these end-to-end applications over input strings of lengths 800–4000 characters. The curves all show a quadratic shape, which is consistent with the asymptotic complexity of the underlying dynamic programming algorithms. We set c_ins and c_del to 5 and c_sub to 1 for Weighted-ED. Our Needleman-Wunsch used the weight tables of Figure 1.

6.1.2. Malicious Model Performance

Table 2 shows the performance of our actively-secure protocols in the malicious threat model. Input strings in these experiments each have 4000 nucleotides (or 8000 bits). We exploited the game-theoretic cut-and-choose strategy for single-cut protocols proposed by Zhu et al. [30] to pick n and k based on the actual cost ratio $C_{eval} / C_{chk}$ which can vary with network settings and applications. In our experiments, the cost ratio is affected most by the network performance due to the large bandwidth savings by the hashes of check-GCs. As a result, this optimization saved more than 1/2 (or 1/4) of bandwidth in the WAN (or LAN) setting. Compared to their semi-honest versions (see Table 1), the overall slowdown factor is about 10 (or 20) in the WAN (or LAN) environment. This is by far the best performance for securely computing these string-metrics in the malicious model.

6.2. Comparison with [9] and [8]

These heuristics-based protocols are still more efficient than our protocols. However, those protocols are only able to approximate certain computation over very restricted sets of low-entropy strings and are not provably secure with respect to the standard definition of security for MPC protocols. It is also crucial to select a “good” reference string since the accuracy of these heuristic protocols can be very sensitive to the choice of the reference strings. However, no secure methods to choose “good” reference strings were known.

The quality of an approximation method can be measured by Root-Mean-Square Relative-Error $\sqrt{(\sum_{i = 1}^{n} {[(v_{i} - u) / u]}^{2}) / n}$ where ${v_{1}, \dots, v_{n}}$ are n approximations of a ground-truth value u using the method. Typically, approximation methods with RMSRE ≥ 50% are not usable in most real-world string-comparison applications. We ran an experiment over the same dataset used by [8], [9], where we picked uniformly 2000 pairs of 3500-nucleotide genome strings and computed the edit distances between them using the protocols of [8], [9] with a randomly generated reference string. We observed a root-mean-square relative-error (RMSRE) of 75% and 59% using [9]’s and [8]’s approach, respectively. Both numbers clearly indicate serious accuracy issues of applying their methods in practice.
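
The RMSRE formula translates directly into code. The function name and the sample numbers below are hypothetical and are not taken from the experiment.

```python
import math

def rmsre(approximations, truth):
    """Root-mean-square relative error of approximations of one true value."""
    squared = [((v - truth) / truth) ** 2 for v in approximations]
    return math.sqrt(sum(squared) / len(squared))

# Two estimates that are each off by 50% of the true value 100.
print(rmsre([150, 50], 100))
```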

In contrast, our approach doesn’t require any public reference string to work, can always produce accurate results, and can work for many variant string metrics over arbitrary strings. However, without knowing how to pick good reference strings, it is not possible to draw meaningful performance comparisons, even merely for the standard edit-distance case.

6.3. Comparison with protocols using ABY

We also find our GC-based baseline better than ABY-based protocols. Analytically speaking, this is because, for the string metrics considered in this paper,

a pure Y approach is essentially the same as our baseline;
a pure B approach (i.e., GMW on binary circuits) is no cheaper than Y, but only allows moving the expensive cryptography into an input-independent offline phase (at the cost of linear online rounds). Thus, for overall efficiency, it does not make sense to combine B and Y either;
even if A allows free addition, it can’t do secure comparison efficiently (other than by first translating arithmetic encodings into binary encodings, then comparing using either B or Y). In the best known circuits for computing these string metrics, every addition gate is immediately followed by a comparison gate. Because secure wire-label conversion is not cheaper than secure addition using Y or B, using A alone or mixing it with B or Y won’t produce better protocols than our baseline.

Micro-benchmarks.

We also measured the costs of addition, projection, and wire-label conversion. Due to page limit, we report our micro-benchmark experiments in Section D.

7. Conclusion

Customizing garbling schemes to specific computations can bring dramatic efficiency benefits. We have taken a first step to explore this methodology in constructing secure protocols for several representative string-comparison metrics. Our protocols are up to an order-of-magnitude more efficient than the best existing results, but also generic, accurate, and provably secure under the standard, preferred definition of security. The resulting actively-secure versions of these protocols are also the best of their kind. Our findings would shed some light on designing other application-specific MPC protocols in the future.

Appendix A. Proof of Theorem 1

Theorem 1.

Proof. Privacy:

Figure 5 describes a simulator Sim_prv that can be used to show our garbling scheme is private. The construction of Sim_prv is similar to Gb except for three changes that we highlighted in red: (1) Sim_prv has a third input f(x); (2) it uses f(x)_i to replace t when producing the decoding information $d^{O_{i}}$ ; and (3) it calls En with an arbitrary legitimate input x₀ to produce X in the end.

Fig. 5: — The Simulator for Proving Privacy

For any x, consider (F, X, d) generated by

(F, e, d) \leftarrow Gb (1^{k}, f)

X : = En (e, x)

and the tuple $(F^{'}, X^{'}, d^{'})$ produced by ${Sim}_{prv}^{x_{0}} (1^{k}, f, f (x))$ . Should ${Sim}_{prv}^{x_{0}}$ know x, then it would not replace t with $f {(x)}_{i}$ in producing $d_{t}^{O_{i}}$ but simply call $En (\hat{e}, x)$ in the end to generate X^′. Note that ${Sim}_{prv}^{x}$ outputs exactly the distribution $(F^{″}, X^{″}, d^{″})$ . It is easy to see that (F, X, d) and $(F^{″}, X^{″}, d^{″})$ are identically distributed. Now, to see $(F^{″}, X^{″}, d^{″}) \approx (F^{'}, X^{'}, d^{'})$ , we note that

the distinguisher cannot tell the two distributions apart by examining any garbled gates because $\hat{e}$ is a tuple of uniform strings and ${Sim}_{prv}^{x}$ and ${Sim}_{prv}^{x_{0}}$ used exactly the same procedure to produce all garbled gates.
For every output-wire O_i, for every $w_{t}^{O_{i}}$ the distinguisher does not learn, $d_{t}^{O_{i}}$ is no different from a random string (because π is an ideal cipher); from the $w_{t}^{O_{i}}$ learned by the distinguisher, the distinguisher can only get $f {(x)}_{i}$ from decrypting $d_{t}^{O_{i}}$ , which is no different from what it would learn from examining (F, X, d).

Obliviousness:

We simply observe that in Sim_prv, f(x) is used only to compute d, which is dropped in the security definition of obliviousness. Thus, the simulator Sim_obl can be derived from ${Sim}_{prv}^{x}$ simply by dropping the input f(x) and the third component d in the output. The proof of privacy can be carried over to prove obliviousness.

Application-dependent Authenticity:

We note that due to the construction of Enc, if the adversary $A$ can provide any $Y^{'}$ such that $Y^{'} \neq Ev (F, X)$ and $De (d, Y^{'}) = k \neq ⊥$ (where $(F, e, d) \leftarrow Gb (1^{k}, f), X : = En (e, x)$ ), then $A$ must know $w_{k} = w_{0} +_{p} k \times_{p} Δ$ , which is the output wire-label corresponding to k. However, without knowing w₀ and Δ, for any particular k, $A$ can only guess $w_{k} = w_{0} +_{p} k \times_{p} Δ$ correctly with probability at most 1/p. Hence, if n is the size of the domain of the plaintext k, then the adversary can only succeed in guessing a valid output wire-label with probability at most n/p. Thus, our scheme guarantees n/p-authenticity. Since n can vary with application, we call this notion of authenticity application-dependent.

Remark.

In many practical applications such as string-comparison, it is easy to bound the value of n to small (application-specific) constants (e.g., < 300 in all applications considered in this paper) so that n/p is negligible.
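
To make the remark concrete, take n < 300 as stated and assume $p > 2^{87}$ (an assumption made here, in line with the 87 bits of computational security quoted in Section 4.2). Then

n / p < 300 / 2^{87} < 2^{9} / 2^{87} = 2^{- 78} .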

Appendix B. Proof of Proposition 1

Proposition 1.

m_{i, j} = \min (D_{i, j - 1} + c_{d e l} [t [j]], D_{i - 1, j - 1} + c_{s u b} [s [i], t [j]])

u_{i, j} = (D_{i, j - 1} + c_{d e l} [t [j]]) - (D_{i - 1, j - 1} + c_{s u b} [s [i], t [j]])

v_{i, j} = (D_{i - 1, j} + c_{i n s} [s [i]]) - m_{i, j}

Then, there exist public constants C₁, C₂, C₃, C₄, which are independent of $D_{i, j}$ , such that for all valid indices i, j,

C_{1} \leq u_{i, j} \leq C_{2}, C_{3} \leq v_{i, j} \leq C_{4} .

Proof. Because $| D_{i, j - 1} - D_{i - 1, j - 1} | \leq c_{ins} [s [i]]$ , we have

D_{i - 1, j - 1} - c_{i n s} [s [i]] \leq D_{i, j - 1} \leq D_{i - 1, j - 1} + c_{i n s} [s [i]]

so,

D_{i, j - 1} + c_{d e l} [t [j]] \geq D_{i - 1, j - 1} - c_{i n s} [s [i]] + c_{d e l} [t [j]]

D_{i, j - 1} + c_{del} [t [j]] \leq D_{i - 1, j - 1} + c_{ins} [s [i]] + c_{del} [t [j]]

hence,

u_{i, j} = D_{i, j - 1} + c_{d e l} [t [j]] - (D_{i - 1, j - 1} + c_{s u b} [s [i], t [j]]) \geq c_{d e l} [t [j]] - c_{i n s} [s [i]] - c_{s u b} [s [i], t [j]]

(5)

u_{i, j} = D_{i, j - 1} + c_{d e l} [t [j]] - (D_{i - 1, j - 1} + c_{s u b} [s [i], t [j]]) \leq c_{i n s} [s [i]] + c_{d e l} [t [j]] - c_{s u b} [s [i], t [j]]

(6)

So we can set

C_{1} : = \min_{i, j} (c_{d e l} [t [j]] - c_{i n s} [s [i]] - c_{s u b} [s [i], t [j]]),

C_{2} : = \max_{i, j} (c_{i n s} [s [i]] + c_{d e l} [t [j]] - c_{s u b} [s [i], t [j]]),

and we have $C_{1} \leq u_{i, j} \leq C_{2}$ .

Symmetrically, we can derive that

(D_{i - 1, j} + c_{i n s} [s [i]]) - (D_{i - 1, j - 1} + c_{s u b} [s [i], t [j]]) \geq c_{i n s} [s [i]] - c_{s u b} [s [i], t [j]] - c_{d e l} [t [j]]

(7)

(D_{i - 1, j} + c_{i n s} [s [i]]) - (D_{i - 1, j - 1} + c_{s u b} [s [i], t [j]]) \leq c_{i n s} [s [i]] + c_{d e l} [t [j]] - c_{s u b} [s [i], t [j]]

(8)

(7) – (6) yields

(D_{i - 1, j} + c_{i n s} [s [i]]) - (D_{i, j - 1} + c_{d e l} [t [j]]) \geq - 2 c_{d e l} [t [j]]

(9)

(8) – (5) yields

(D_{i - 1, j} + c_{i n s} [s [i]]) - (D_{i, j - 1} + c_{d e l} [t [j]]) \leq 2 c_{i n s} [s [i]]

(10)

Thus, we know from (7) and (9) that

v_{i, j} \geq \max (c_{i n s} [s [i]] - c_{s u b} [s [i], t [j]] - c_{d e l} [t [j]], - 2 c_{d e l} [t [j]])

and from (8) and (10) that

v_{i, j} \leq \max (c_{i n s} [s [i]] + c_{d e l} [t [j]] - c_{s u b} [s [i], t [j]], 2 c_{i n s} [s [i]])

Finally, by defining

C_{3} : = \min_{i, j} (\max (c_{i n s} [s [i]] - c_{s u b} [s [i], t [j]] - c_{d e l} [t [j]], - 2 c_{d e l} [t [j]]))

C_{4} : = \max_{i, j} (\max (c_{i n s} [s [i]] + c_{d e l} [t [j]] - c_{s u b} [s [i], t [j]], 2 c_{i n s} [s [i]]))

we have proved $C_{3} \leq v_{i, j} \leq C_{4}$. □
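As a numerical sanity check of Proposition 1, the following Python sketch fills the dynamic-programming table D, evaluates C₁ through C₄ from the cost tables, and confirms that every u_{i,j} and v_{i,j} stays within the bounds. The recurrence (inferred from the three terms appearing in the proposition), the boundary conditions, the function names, and the unit-cost tables over the alphabet ACGT are assumptions made for illustration; they are not taken from the paper's implementation.

```python
def edit_table(s, t, c_ins, c_del, c_sub):
    """Fill the DP table D for a generalized edit distance between s and t."""
    n, m = len(s), len(t)
    D = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):          # assumed boundary: only insertions
        D[i][0] = D[i - 1][0] + c_ins[s[i - 1]]
    for j in range(1, m + 1):          # assumed boundary: only deletions
        D[0][j] = D[0][j - 1] + c_del[t[j - 1]]
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            a, b = s[i - 1], t[j - 1]
            D[i][j] = min(D[i - 1][j] + c_ins[a],
                          D[i][j - 1] + c_del[b],
                          D[i - 1][j - 1] + c_sub[a, b])
    return D


def bounds(s, t, c_ins, c_del, c_sub):
    """Public constants C1..C4 as defined at the end of the proof."""
    pairs = [(a, b) for a in s for b in t]
    c1 = min(c_del[b] - c_ins[a] - c_sub[a, b] for a, b in pairs)
    c2 = max(c_ins[a] + c_del[b] - c_sub[a, b] for a, b in pairs)
    c3 = min(max(c_ins[a] - c_sub[a, b] - c_del[b], -2 * c_del[b]) for a, b in pairs)
    c4 = max(max(c_ins[a] + c_del[b] - c_sub[a, b], 2 * c_ins[a]) for a, b in pairs)
    return c1, c2, c3, c4


def within_bounds(s, t, c_ins, c_del, c_sub):
    """Return True if every u_{i,j} and v_{i,j} lies inside [C1, C2] and [C3, C4]."""
    D = edit_table(s, t, c_ins, c_del, c_sub)
    c1, c2, c3, c4 = bounds(s, t, c_ins, c_del, c_sub)
    for i in range(1, len(s) + 1):
        for j in range(1, len(t) + 1):
            a, b = s[i - 1], t[j - 1]
            left = D[i][j - 1] + c_del[b]
            diag = D[i - 1][j - 1] + c_sub[a, b]
            up = D[i - 1][j] + c_ins[a]
            u = left - diag
            v = up - min(left, diag)
            if not (c1 <= u <= c2 and c3 <= v <= c4):
                return False
    return True


# Hypothetical unit-cost tables (plain Levenshtein distance) over ACGT.
ALPHABET = "ACGT"
UNIT_INS = {a: 1 for a in ALPHABET}
UNIT_DEL = {a: 1 for a in ALPHABET}
UNIT_SUB = {(a, b): int(a != b) for a in ALPHABET for b in ALPHABET}
```

With these unit costs, `bounds("GATTACA", "GCATGCT", UNIT_INS, UNIT_DEL, UNIT_SUB)` evaluates to `(-1, 2, -1, 2)`, so u and v each range over at most four values no matter how long the strings are.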

Appendix C. Actively-Secure Protocols

We use three ideal functionalities, $F_{IHash}$ (interactive hash), $F_{COT}$ (correlated OT), and $F_{coin-toss}$ (coin tossing), defined in Section C.4. First, the garbler is required to use coin-tossed randomness to run Gb. This prevents an adversarial garbler from compromising the correctness of any garbled table by selecting problematic randomness. To ensure that P₁’s input wire-labels to the evaluation circuits denote the same plaintext value, we use $F_{IHash}$, an XOR-homomorphic interactive hash implementation that was also used by JIMU [33] for similar purposes. Each initial input and final output wire in f’s circuit is associated with a random permutation bit λ^I, and the evaluator knows $〈 λ^{I} 〉$ (the i-hash of bit λ^I) and $〈 m_{λ^{I}}^{I} 〉$ (the i-hash of the wire-label denoting bit λ^I). Thanks to the XOR-homomorphism of $F_{IHash}$, it is easy for the evaluator to securely translate a wire-label $m_{b}^{I}$ (a label on the master circuit denoting b) into $m_{b}^{I, i}$ (a label on the i-th GC denoting b) for any $b \in \{0, 1\}$, given their i-hashes and their XOR-differences (see Step 5).

We assume y has more than 40 bits. To ensure that the evaluator uses a consistent y in all evaluation GCs, the parties run the correlated OT functionality $F_{COT}$ once for the evaluator to learn the wire-labels $\{m_{y^{I}}^{I}\}_{I \in Inp (P_{2})}$, which represent y on the master circuit. For evaluation, these master wire-labels are translated to wire-labels on each evaluation GC using XOR-differences whose validity is guaranteed by $F_{IHash}$.

Finally, $F_{IHash}$ also allows the evaluator to determine which output wire-labels are valid and to identify inconsistent but valid output wire-labels. Note that inconsistent valid wire-labels reveal δ of the master circuit, and further reveal the garbler’s input x when the garbler cheats (see Step 6).

C.1. Full Protocol Description

Let s be the statistical security parameter. Assume P₁ (the circuit generator holding input string x) and P₂ (the circuit evaluator holding input string y that has more than s bits) want to compute a string-comparison metric f between x and y.

1. Setup.

On cut-and-choose parameter n and computational security parameter κ, P₁ and P₂ call $F_{coin-toss}$ for P₁ to learn $\{{seed}_{i} \in \{0, 1\}^{κ}\}_{i \in [n]}$. For $i \in [n]$, P₁ sets

(δ_{i}, Δ_{i}) : = (PRG ({seed}_{i}, “delta”), PRG ({seed}_{i}, “Delta”))

and sends $\{δ_{i}\}_{i \in [n]}$ to P₂ through $F_{IHash}$.
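The seed expansion above can be sketched as follows. This is a minimal illustration only: the paper does not specify how PRG is instantiated, so SHAKE-256 is used here as a stand-in, κ = 128 bits is assumed, and the names `prg` and `derive_offsets` are hypothetical. Mapping Δ_i into ℤ_p is omitted.

```python
import hashlib

KAPPA_BYTES = 16  # assumption: kappa = 128 bits


def prg(seed: bytes, label: str, nbytes: int = KAPPA_BYTES) -> bytes:
    """Stand-in PRG: expand (seed, label) into nbytes pseudorandom bytes.

    The seed is length-prefixed so distinct (seed, label) pairs never
    produce the same hash input.
    """
    h = hashlib.shake_256()
    h.update(len(seed).to_bytes(4, "big") + seed + label.encode("utf-8"))
    return h.digest(nbytes)


def derive_offsets(seed_i: bytes):
    """Return (delta_i, Delta_i), both derived deterministically from seed_i."""
    return prg(seed_i, "delta"), prg(seed_i, "Delta")
```

Because both offsets are deterministic functions of seed_i, revealing seed_i for a check circuit lets P₂ recompute everything P₁ derived from it.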

The master circuit.

P₁ samples $δ \in \{0, 1\}^{κ}$. For every input-wire I of P₁’s input to f, P₁ samples a uniform random bit $λ^{I} : = PRG (δ, I ∥ “lambda”)$; for every input-wire I of P₂’s input to f and every output-wire I of f, P₁ sets λ^I := 0. For every input-wire or output-wire I of f, P₁ samples $m_{0}^{I} \in \{0, 1\}^{κ}$, sets $m_{1}^{I} : = m_{0}^{I} \oplus δ$, and sends $〈 λ^{I} 〉, 〈 m_{λ^{I}}^{I} 〉, 〈 δ 〉$ to P₂ through $F_{IHash}$.

OT of seeds.

P₁ picks a uniform $Δ \in \{0, 1\}^{κ}$. P₁ and P₂ call $F_{coin-toss}$ for P₂ to learn an n-bit string $J$ sampled from a certain public distribution (see [30] for the details on how this public distribution of $J$ is calculated). Then P₁ with input $(Δ, \{{seed}_{i}\}_{i \in [n]})$ and P₂ with input $J$ call $F_{COT}$ for P₂ to learn $\{{seed}_{i} ∣ J_{i} = 1\}$ and $\{{seed}_{i} \oplus Δ ∣ J_{i} = 0\}$.
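The input/output behaviour of this correlated OT call can be modelled in a few lines. The sketch below captures only what the ideal functionality hands to P₂, not a secure protocol realizing it; the function names are hypothetical.

```python
def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def ideal_cot(Delta: bytes, seeds: list, J: list) -> list:
    """Model of the OT-of-seeds call: P2 learns seed_i if J_i = 1 (check
    circuit) and seed_i xor Delta if J_i = 0 (evaluation circuit)."""
    if len(seeds) != len(J):
        raise ValueError("one choice bit per seed is required")
    return [s if bit == 1 else xor_bytes(s, Delta) for s, bit in zip(seeds, J)]
```

Since P₂ never sees Δ, the value seed_i ⊕ Δ reveals nothing about seed_i, yet P₂ can later send it back to P₁ to show that circuit i was selected for evaluation.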

2. Inputs.

For every input-wire I in the i-th GC, P₁ sets

m_{0}^{I, i} : = PRG (δ_{i}, (I, i) ∥ “label”),

m_{1}^{I, i} : = m_{0}^{I, i} \oplus δ_{i} .

Then,

P₁’s Input. For every input-wire I of P₁’s input in the i-th garbled circuit, P₁ sets
$λ^{I, i} : = PRG (δ_{i}, (I, i) ∥ “lambda”) .$
P₂’s Input. For every input-wire I of P₂’s input in the i-th garbled circuit, P₁ sets
$λ^{I, i} : = 0.$
(C-OT) P₁ with $(δ, \{m_{0}^{I}\}_{I \in Inp (P_{2})})$ and P₂ with $\{y^{I}\}_{I \in Inp (P_{2})}$ invoke $F_{COT}$ so that P₂ learns $\{m_{y^{I}}^{I}\}_{I \in Inp (P_{2})}$. P₂ verifies that $m_{y^{I}}^{I}$ matches $〈 m_{0}^{I} 〉 \oplus y^{I} 〈 δ 〉$ for all I, and aborts otherwise.

Now, for every input-wire I in the i-th GC, P₁ sends $〈 λ^{I, i} 〉, 〈 m_{λ^{I, i}}^{I, i} 〉$ to P₂ through $F_{IHash}$.

3. Garble.

P₁ generates n garbled circuits $\{GC_{i}\}_{i \in [n]}$ for f as follows:

For every input-wire I of the i-th garbled circuit, P₁ generates arithmetic wire-labels
$w_{0}^{I, i} : = PRG (δ_{i}, I, i)$

$w_{1}^{I, i} : = w_{0}^{I, i} +_{p} Δ_{i},$
then sends an ordered pair
$[{Enc}_{m_{λ^{I, i}}^{I, i}} (w_{λ^{I, i}}^{I, i}), {Enc}_{m_{1 \oplus λ^{I, i}}^{I, i}} (w_{1 \oplus λ^{I, i}}^{I, i})],$
which allows securely translating binary-field encodings into their $ℤ_{p}$ encodings.
For addition, subtraction, constant multiplication and bounded-value projection gates, P₁ runs the Gb algorithm of the garbling scheme of Figure 2.
For every output-wire I of the i-th garbled circuit, P₁ sends a secure projection table that allows translating the arithmetic encoding $w_{v}^{I, i}$ (v takes a bounded number of values) into its binary encodings $m_{b_{0}}^{I, i, 0}, \dots, m_{b_{k}}^{I, i, k}$, where $v = b_{0} b_{1} \dots b_{k}$ and $m_{0}^{I, i, j} : = PRG (δ_{i}, I, i, j)$, $m_{1}^{I, i, j} : = m_{0}^{I, i, j} \oplus δ_{i}$ for all $j \in [k]$. P₁ sends $\{〈 m_{0}^{I, i, j} 〉\}_{I \in Output (f), i \in [n], j \in [k]}$ via $F_{IHash}$.

P₁ sends H(GC_i) to P₂ (H is a collision-resistant hash).

4. Check.

For each check-circuit GC_i, namely those with $i \in [n], J_{i} = 1$, P₂ uses seed_i to verify that P₁ has played honestly in all previous steps, and aborts otherwise. In particular, P₂ checks the following constraints:

GC_i generated from seed_i matches its hash H(GC_i).
δ_i generated from seed_i matches $〈 δ_{i} 〉$ via $F_{IHash}$ .
$m_{0}^{I, i}$ generated from δ_i matches $〈 m_{0}^{I, i} 〉$ via $F_{IHash}$ .
λ^{I, i} generated from δ_i matches $〈 λ^{I, i} 〉$ via $F_{IHash}$ .
For all $I \in Output (f), j \in [k]$, wire-label $m_{0}^{I, i, j}$ of GC_i matches $〈 m_{0}^{I, i, j} 〉$ via $F_{IHash}$.
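The first of these checks (regenerate the circuit from its seed and compare against the hash received in Step 3) can be sketched as below. The function `toy_garble` is a hypothetical stand-in for Gb: it is not the paper's garbling algorithm, only some deterministic function of the seed, which is the one property the check relies on. SHA-256 as H and SHAKE-256 as PRG are likewise assumptions.

```python
import hashlib


def prg(seed: bytes, label: str, nbytes: int = 16) -> bytes:
    """Stand-in PRG (SHAKE-256); the paper does not fix an instantiation."""
    h = hashlib.shake_256()
    h.update(len(seed).to_bytes(4, "big") + seed + label.encode("utf-8"))
    return h.digest(nbytes)


def toy_garble(seed_i: bytes) -> bytes:
    """Hypothetical placeholder for Gb: all randomness comes from seed_i."""
    delta_i = prg(seed_i, "delta")
    return prg(delta_i, "garbled-tables", 64)


def circuit_hash(gc: bytes) -> bytes:
    """H(GC_i), here SHA-256 as an assumed collision-resistant hash."""
    return hashlib.sha256(gc).digest()


def check_circuit(seed_i: bytes, received_hash: bytes) -> bool:
    """P2's check: the circuit regenerated from seed_i must match H(GC_i)."""
    return circuit_hash(toy_garble(seed_i)) == received_hash
```

A garbler who sent the hash of a circuit not derived from seed_i fails this comparison whenever that circuit is opened for checking.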

5. Evaluate.

For each evaluation-circuit GC_i, namely those $i \in [n], J_{i} = 0$ , P₂ sends ${seed}_{i} \oplus Δ$ to P₁ who verifies the consistency of the value. Then, P₁ and P₂ collaborate to evaluate these circuits. For every evaluation-circuit GC_i, P₁ sends $δ \oplus δ_{i}$ to P₂, who verifies it with $〈 δ 〉 \oplus 〈 δ_{i} 〉$ .

P₁’s Input. For every input-wire I of P₁’s input x^I, P₁ sends $m_{x^{I}}^{I}$, $λ^{I} \oplus λ^{I, i}$, and $m_{λ^{I}}^{I} \oplus m_{λ^{I, i}}^{I, i} \oplus (λ^{I} \oplus λ^{I, i}) δ_{i}$ to P₂, who verifies their validity against their i-hashes through $F_{IHash}$. P₂ computes $m_{x^{I}}^{I, i} : = m_{x^{I}}^{I} \oplus (m_{λ^{I}}^{I} \oplus m_{λ^{I, i}}^{I, i} \oplus (λ^{I} \oplus λ^{I, i}) δ_{i}) \oplus (λ^{I} \oplus x^{I}) (δ \oplus δ_{i})$.
P₂’s Input. For every input-wire I of P₂’s input y^I, P₁ sends $m_{0}^{I} \oplus m_{0}^{I, i}$ to P₂, who verifies its validity against the i-hashes through $F_{IHash}$. P₂ computes $m_{y^{I}}^{I, i} : = m_{y^{I}}^{I} \oplus (m_{0}^{I} \oplus m_{0}^{I, i}) \oplus y^{I} (δ \oplus δ_{i})$.
Eval. With the wire-labels obtained above, P₂ evaluates the garbled circuit according to the garbling scheme’s Ev method.
Check. P₂ verifies that all $GC_{i} (i \in [n])$ received match their hashes received in Step 3.
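The two translation formulas in this step are pure XOR algebra, which the following sketch checks over all bit combinations. Labels are modelled as Python integers of an assumed length κ = 128 bits; the function and variable names are hypothetical, and the i-hash verification of the received differences is not modelled.

```python
import secrets

KAPPA = 128  # assumed label length in bits


def translate_p2(m_y_master: int, diff_m0: int, diff_delta: int, y: int) -> int:
    """m_y^{I,i} = m_y^I xor (m_0^I xor m_0^{I,i}) xor y * (delta xor delta_i)."""
    return m_y_master ^ diff_m0 ^ (diff_delta if y else 0)


def translate_p1(m_x_master: int, diff_perm: int, masked_bit: int, diff_delta: int) -> int:
    """Translation for P1's wires.

    diff_perm  = m_lam^I xor m_lam_i^{I,i} xor (lam xor lam_i) * delta_i
    masked_bit = lam xor x
    """
    return m_x_master ^ diff_perm ^ (diff_delta if masked_bit else 0)


def demo() -> bool:
    """Check both formulas against the expected label m_0^{I,i} xor bit * delta_i."""
    delta, delta_i, m0, m0_i = (secrets.randbits(KAPPA) for _ in range(4))
    ok = True
    for bit in (0, 1):
        master = m0 ^ (delta if bit else 0)        # label on the master circuit
        target = m0_i ^ (delta_i if bit else 0)    # label on the i-th GC
        ok &= translate_p2(master, m0 ^ m0_i, delta ^ delta_i, bit) == target
        for lam in (0, 1):
            for lam_i in (0, 1):
                m_lam = m0 ^ (delta if lam else 0)
                m_lam_i = m0_i ^ (delta_i if lam_i else 0)
                diff_perm = m_lam ^ m_lam_i ^ (delta_i if lam ^ lam_i else 0)
                ok &= translate_p1(master, diff_perm, lam ^ bit, delta ^ delta_i) == target
    return ok
```

In both cases the δ terms cancel and exactly one copy of bit · δ_i survives, so the translated value is the i-th circuit's label for the same plaintext bit.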

6. Output.

For every output-wire I in the i-th evaluation circuit, P₁ sends $m_{0}^{I} \oplus m_{0}^{I, i}$ to P₂, who verifies its validity through $F_{IHash}$ . P₂ validates every output wire-label obtained from circuit evaluation against their i-hashes, then translates them to plaintext values.

If all valid wire-labels that P₂ obtains from evaluating the n − k circuits refer to the same plaintext value, then P₂ outputs this value and halts.
If P₂ obtains two valid output wire-labels on the same output wire I which decode to different plaintext values, then P₂ can obtain valid $m_{0}^{I}$ and $m_{1}^{I}$ simultaneously by:
$m_{0}^{I} : = m_{0}^{I, i_{1}} \oplus (m_{0}^{I} \oplus m_{0}^{I, i_{1}})$

$m_{1}^{I} : = m_{1}^{I, i_{2}} \oplus (m_{0}^{I} \oplus m_{0}^{I, i_{2}}) \oplus (δ \oplus δ_{i_{2}})$
for some i₁, i₂. Then P₂ can learn $δ : = m_{0}^{I} \oplus m_{1}^{I}$, whose value can be validated through $F_{IHash}$. With δ, P₂ can learn $\{λ^{I}\}_{I \in Inp (P_{1})}$, and further recover P₁’s input x from $\{λ^{I}\}_{I \in Inp (P_{1})}$, $\{m_{λ^{I}}^{I}\}_{I \in Inp (P_{1})}$ and those $\{m_{x^{I}}^{I}\}_{I \in Inp (P_{1})}$ it received in Step 5. P₂ locally computes $f (x, y)$ and outputs it.
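The cheating-recovery path can be illustrated with the same XOR algebra. The sketch below assumes labels are integers and that all XOR-differences have already been validated through $F_{IHash}$; the helper names are hypothetical.

```python
def recover_delta(out0_i1: int, diff_m0_i1: int,
                  out1_i2: int, diff_m0_i2: int, diff_delta_i2: int) -> int:
    """Recover the master offset delta from two inconsistent valid outputs.

    out0_i1       : label for 0 on output wire I of circuit i1
    diff_m0_i1    : m_0^I xor m_0^{I,i1}
    out1_i2       : label for 1 on output wire I of circuit i2
    diff_m0_i2    : m_0^I xor m_0^{I,i2}
    diff_delta_i2 : delta xor delta_{i2}
    """
    m0_master = out0_i1 ^ diff_m0_i1
    m1_master = out1_i2 ^ diff_m0_i2 ^ diff_delta_i2
    return m0_master ^ m1_master


def recover_input_bit(lam: int, m_x: int, m_lam: int, delta: int) -> int:
    """Decode one bit of P1's input from its master label once delta is known."""
    diff = m_x ^ m_lam
    if diff == 0:
        return lam
    if diff == delta:
        return lam ^ 1
    raise ValueError("label is not a valid encoding under delta")
```

Once δ is known, each of P₁'s master input labels differs from the label of λ^I either by 0 or by δ, which pins down x^I bit by bit.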

C.2. Proof of Theorem 2

Theorem 2.

The improved garbling scheme of Section 4.3 satisfies the privacy, obliviousness, and authenticity properties outlined in Section 2.1.

Proof. Note that the garbling mechanism for addition and projection is the same as that of our basic garbling scheme described in Section 3. The proofs of the privacy and obliviousness properties are essentially the same as those of the main theorem (Theorem 1). Thus, below we focus on the proof of authenticity. Assume for the purpose of contradiction that the adversary $A$ can provide some Y^′ such that $Y^{'} \neq Ev (F, X)$ but $De (d, Y^{'}) = k \neq ⊥$ (where $(F, e, d) \leftarrow Gb (1^{k}, f), X : = En (e, x)$). Then $A$ must know $L_{a} = (k_{0} +_{p} a \times_{p} Δ, {\hat{k}}_{0} +_{p} a \times_{p} \hat{Δ})$ for some a. However, without knowing any of $k_{0}, {\hat{k}}_{0}, Δ, \hat{Δ}$, for any particular a, the probability that $A$ succeeds in guessing an $L_{a} = (L, \hat{L})$ such that

(L - k_{0}) \times_{p} Δ^{- 1} = (\hat{L} - {\hat{k}}_{0}) \times_{p} {\hat{Δ}}^{- 1}

is at most 1/p (because both sides of the equation above are uniformly distributed over $ℤ_{p}$). Therefore, with, e.g., p > 2⁸⁷, the authenticity error will be less than 2⁻⁸⁷. □
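The consistency equation used in this argument can be made concrete with a small sketch. It encodes a value a as the pair (k₀ + aΔ, k̂₀ + aΔ̂) over ℤ_p and accepts a pair only if both halves decode to the same value. The prime 2⁸⁹ − 1 (a Mersenne prime) is an assumed stand-in, not the prime used in the paper, and the function names are hypothetical. The modular inverse via `pow(x, -1, P)` needs Python 3.8 or later.

```python
P = 2**89 - 1  # assumption: stand-in prime larger than 2^87


def dual_label(k0: int, k0_hat: int, Delta: int, Delta_hat: int, a: int):
    """Encode a as L_a = (k0 + a*Delta, k0_hat + a*Delta_hat) over Z_p."""
    return ((k0 + a * Delta) % P, (k0_hat + a * Delta_hat) % P)


def decode(label, k0: int, k0_hat: int, Delta: int, Delta_hat: int):
    """Return a if both halves are consistent, otherwise None (reject)."""
    L, L_hat = label
    a = (L - k0) * pow(Delta, -1, P) % P
    a_hat = (L_hat - k0_hat) * pow(Delta_hat, -1, P) % P
    return a if a == a_hat else None
```

Shifting only one half of a valid pair breaks the equality and is rejected, whereas shifting both halves consistently requires knowing Δ and Δ̂, which the adversary does not.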

C.3. Proof of Theorem 3

Theorem 3.

The protocol of Section C.1 securely computes f in the presence of malicious adversaries.

Proof. We prove the security in a hybrid-model where the parties have access to ideal functionalities for $F_{IHash}$ , $F_{COT}$ , and $F_{coin-toss}$ . The standard composition theorem [34] implies security when the sub-routines are instantiated with secure implementations of these functionalities.

If P₁ is corrupted. We construct an efficient simulator $S$ interacting with the ideal string-metrics functionality as P₁. $S$ runs the corrupted real-model P₁ as a subroutine, interacting with it like real-model P₂ with input y = 0 using the protocol of Section C.1, except for the following changes:

1) In Step 1., through the simulated $F_{IHash}$, $S$ learns $\{λ^{I}\}_{I \in Input (P_{1})}$.
2) In Step 5.a, $S$ learns $\{m_{x^{I}}^{I}\}_{I \in Input (P_{1})}$. For all I ∈ Input(P₁), if $m_{x^{I}}^{I}$ matches $〈 m_{λ^{I}}^{I} 〉$, then $S$ sets $x^{I} : = λ^{I}$; if $m_{x^{I}}^{I}$ matches $〈 m_{λ^{I}}^{I} 〉 \oplus 〈 δ 〉$, then $S$ sets $x^{I} : = \bar{λ^{I}}$.
3) In Step 6., $S$ submits x to the trusted functionality and outputs whatever P₁ outputs.

To show that the joint output distribution in this ideal-model involving $S$ is indistinguishable from that of the real-model involving the corrupted P₁, we consider a series of experiments each with a slightly modified simulator.

Hybrid₁ The simulator $S_{1}$ interacts with the corrupted P₁ running the real-model protocol, where $S_{1}$ uses P₂’s actual input y as its input. Their interaction is identical to the real-model execution.
Hybrid₂ Simulator $S_{2}$ acts the same way as $S_{1}$ in Hybrid₁, except:
1. In Step 1., through the simulated $F_{IHash}$, $S_{2}$ learns $\{λ^{I}\}_{I \in Input (P_{1})}$.
2. In Step 5.a, $S_{2}$ learns $\{m_{x^{I}}^{I}\}_{I \in Input (P_{1})}$. For all I ∈ Input(P₁), if $m_{x^{I}}^{I}$ matches $〈 m_{λ^{I}}^{I} 〉$, then $S_{2}$ sets $x^{I} : = λ^{I}$; if $m_{x^{I}}^{I}$ matches $〈 m_{λ^{I}}^{I} 〉 \oplus 〈 δ 〉$, then $S_{2}$ sets $x^{I} : = \bar{λ^{I}}$.
3. In Step 6., $S_{2}$ outputs f(x, y).
We claim Hybrid₂ ≈ Hybrid₁ because
- To the corrupted P₁, the only messages it gets from the simulators are $\{{seed}_{i} \oplus Δ ∣ i \in [n], J_{i} = 0\}$ in Step 5. However, these messages in Hybrid₁ and Hybrid₂ are identically distributed, a fact guaranteed by $F_{COT}$.
- In both experiments, the simulators correctly output f(x, y) if at least one correct GC is evaluated.
Hybrid₃ Simulator $S_{3}$ acts the same way as $S_{2}$ in Hybrid₂, except:
1. $S_{3}$ runs the corrupted P₁ as a sub-routine and takes an ideal P₁’s role to interact with the ideal string-metrics functionality.
2. In Step 6., $S_{3}$ submits x to the ideal string-metrics functionality and outputs whatever the corrupted P₁ outputs.
We claim Hybrid₃ ≈ Hybrid₂ because
- $S_{3}$ ’s output is the same as the corrupted P₁’s in Hybrid₂.
- The ideal P₂ in Hybrid₃ and $S_{2}$ in Hybrid₂ both output f(x, y).
Hybrid₄ Simulator $S_{4}$ acts the same way as $S_{3}$, except that $S_{4}$ uses y = 0 instead of P₂’s actual input as its input when interacting with the corrupted P₁. $S_{4}$ is identical to $S$. This is the ideal-model execution.

We claim Hybrid₄ ≈ Hybrid₃ because the real-model P₂’s outgoing-message distributions (including whether and when P₂ aborts) do not depend on the value of its input y.

If P₂ is corrupted. We construct an efficient simulator $S$ interacting with the ideal string-metrics functionality as an ideal-model P₂. $S$ will run the corrupted P₂ as a sub-routine, interacting with it as real-model P₁ with input x = 0 using the protocol of Section C.1, except for the following changes:

In Step 1., $S$ learns $J$ through the simulated $F_{COT}$ .
In Step 2., $S$ learns y through the simulated $F_{COT}$ . $S$ sends y to the ideal functionality and gets back $z = f (x, y)$ .
In Step 3., for all $i \in [n]$ , $J_{i} = 1$ , $S$ generates GC_i honestly. For all $i \in [n]$ , $J_{i} = 0$ , $S$ runs the simulator $S_{prv} (f, z)$ to produce GC_i (see the privacy definition of garbling for $S_{prv}$ ).
In Step 6., $S$ outputs whatever the malicious P₂ outputs.

To show that the joint output distribution in this ideal-model involving $S$ is indistinguishable from that of the real-model involving the corrupted P₂, we consider a series of experiments each with a slightly modified simulator.

Hybrid₁ The simulator $S_{1}$ interacts with the corrupted P₂ using the real-model protocol with P₁’s actual input x. This is the real-model execution.
Hybrid₂ The simulator $S_{2}$ is the same as $S_{1}$ in Hybrid₁, except:
1. In Step 1., $S_{2}$ learns $J$ through the simulated $F_{COT}$.
2. In Step 2., $S_{2}$ learns y through the simulated $F_{COT}$.
3. In Step 3., for all $i \in [n]$ with $J_{i} = 1$, $S_{2}$ generates GC_i honestly. For all $i \in [n]$ with $J_{i} = 0$, $S_{2}$ runs the simulator $S_{prv} (f, z)$ to produce GC_i (see the privacy definition of garbling for $S_{prv}$).
We claim Hybrid₂ ≈ Hybrid₁ because our garbling scheme is proven to be private, hence the corrupted P₂ cannot tell if a GC is honestly garbled or simulated with a chosen output z.
Hybrid₃ Simulator $S_{3}$ is the same as $S_{2}$ in Hybrid₂, except:
1. $S_{3}$ runs the corrupted P₂ as a subroutine and interacts with the ideal string-metrics functionality as an ideal-model P₂.
2. In Step 3., instead of computing f(x, y), $S_{3}$ submits y to the ideal functionality and receives f(x, y).
3. In Step 6., $S_{3}$ outputs whatever the corrupted P₂ outputs.
We claim Hybrid₃ ≈ Hybrid₂ because
- $S_{3}$ ’s output is the same as the corrupted P₂’s in Hybrid₂.
- The ideal-model P₁ in Hybrid₃ and $S_{2}$ in Hybrid₂ both have no output.
Hybrid₄ The simulator $S_{4}$ is the same as $S_{3}$ in Hybrid₃, except that it uses x = 0 as its input to interact with the corrupted P₂. $S_{4}$ is identical to $S$ and this is the ideal-model execution.

We claim Hybrid₄ ≈ Hybrid₃ because the real-model P₁’s outgoing-message distributions (including whether and when P₁ aborts) do not depend on the value of x. □

C.4. Definition of $F_{IHash}$ , $F_{COT}$ , and $F_{coin-toss}$

The $F_{IHash}$ Functionality.

We adopt the definition of $F_{IHash}$ from that of JIMU [33]. Note that $F_{IHash}$ allows verifying the validity of the XOR-difference among several previously hashed messages. $F_{IHash}$ also enables the receiver to verify any single message by calling Verify on a single message (i.e., t = 1).

Fig. 6: — The ideal functionality $F_{IHash}$ .

The $F_{COT}$ Functionality.

$F_{COT}$ is the correlated OT functionality as defined in Figure 7. It can be efficiently realized with a small modification to the actively-secure OT-extension protocol of Keller et al. [35]. The idea of $F_{COT}$ was also used in authenticated garbling [15], [36] to construct authenticated multiplicative triples.

The $F_{coin-toss}$ Functionality.

On receiving “init” from both parties, $F_{coin-toss}$ samples a uniform bit-string s and sends it to the designated party (while allowing premature aborts).

Appendix D. Micro-benchmark Experiments

We measured the performance of several basic operations under our garbling scheme. All experiments in this subsection are conducted with respect to 87-bit computational security.

Secure Addition.

Table 3 shows the performance of secure addition in our approach. Recall that addition is (almost) free: our scheme is able to perform one addition every 2.8 nanoseconds, regardless of the bit-length of the numbers to add. This result is in line with the cost of computing a mod-p addition on this hardware. In contrast, the costs of binary-circuit-based addition (powered by Half-Gates) increase roughly linearly with the width of the adder. Ours is 500–40,000 times faster and consumes no bandwidth.
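The reason addition costs only one mod-p operation can be seen from the label structure w_v = k₀ + v·Δ (mod p): adding two labels yields a valid label for the sum under the summed base key, with no garbled rows exchanged. The sketch below illustrates this; the prime 2⁸⁹ − 1 is an assumed stand-in for the paper's prime, and the function names are hypothetical.

```python
P = 2**89 - 1  # assumption: stand-in prime, not the one used in the paper


def encode(k0: int, Delta: int, v: int) -> int:
    """Arithmetic wire-label for value v: k0 + v * Delta (mod p)."""
    return (k0 + v * Delta) % P


def add_labels(w_a: int, w_b: int) -> int:
    """Evaluator-side addition gate: a single mod-p addition."""
    return (w_a + w_b) % P


def decode(w: int, k0: int, Delta: int) -> int:
    """Garbler-side decoding, given the base key and the offset Delta."""
    return (w - k0) * pow(Delta, -1, P) % P
```

The garbler tracks the output base key as k₀ᵃ + k₀ᵇ (mod p), so the output wire carries a well-formed label for a + b as long as the sum does not wrap around p.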

Fig. 7: — The Correlated OT functionality $F_{COT}$ .

Fig. 8: — Costs of secure table-lookup. (Timings are measured by averaging over 10⁶ runs.)

Secure Table-Lookup.

This is also the essential enabling primitive for secure comparison and bounded range minimum computations. Figure 8 shows the efficiency of secure table-lookup with our scheme and compares it to the best existing garbled-circuit-based implementation. Two relevant parameters are used to describe the table: the table size (i.e., the number of entries in the table) and the bit-length of each entry. With our scheme, the cost of secure table-lookup grows linearly with the number of entries in the table, but not the bit-length of the entries.

In contrast, a garbled-circuit-based table-lookup costs more when the values in the table grow bigger, because the secure multiplexers have to take wider inputs. In our experiments, we assumed the table contains either 4-, 8-, or 12-bit values, representing the value range of constant tables used in many practical applications. On these table parameters, our approach is 3.6–20 times faster and 6–23 times more bandwidth-efficient.

Wire-label Conversions.

Converting Boolean wire-labels from the binary circuit garbling scheme into arithmetic wire-labels in our scheme is highly efficient, at about 420ns (and ∼32 bytes bandwidth) per bit of Boolean wire-label, since it involves only two garbled rows per Boolean wire (Table 4).

Converting arithmetic wire-labels into the Boolean ones used in Half-Gates is comparatively more expensive. The generic method needs 9.6 milliseconds and 2MB per arithmetic wire-label, mostly spent on oblivious mod-p multiplication under the Half-Gates garbling scheme. However, if the arithmetic wire-label is known to denote values of a smaller range (usually < 2²⁰ possibilities), the faster secret-sharing-based label conversion method turns out to be very efficient. For example, if the range of the arithmetic signal is up to 2⁸, the conversion of an arithmetic wire-label takes less than 11 μs and 4.2KB of bandwidth (Table 4). We empirically find that the secret-sharing-based conversion can outperform the generic method when the plaintext value is within 2¹⁶.

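TABLE 3: Costs of secure additions

Scheme	Time (ns), 8-bit	Time (ns), 16-bit	Time (ns), 32-bit	Time (ns), 64-bit	Bandwidth (bytes), 8-bit	Bandwidth (bytes), 16-bit	Bandwidth (bytes), 32-bit	Bandwidth (bytes), 64-bit
Half-Gates [10]	1420	2770	5520	11100	154	330	682	1386
This Work	2.8	2.8	2.8	2.8	0	0	0	0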


We note the timings coincide well with the cost of AESNI-based garbling (~ 45 ns/row) and that of modulo arithmetic with respect to an 88-bit prime (~2.8 ns/+_p). Timings are averaged over 10⁶ runs for Half-Gates and 10⁹ runs for ours.

TABLE 4: Costs of label conversions

Conversion	Time (μs), 8-bit	Time (μs), 16-bit	Time (μs), 32-bit	Time (μs), 64-bit	Bandwidth (KB), 8-bit	Bandwidth (KB), 16-bit	Bandwidth (KB), 32-bit	Bandwidth (KB), 64-bit
Boolean to Arithmetic	3.34	6.69	13.31	26.75	0.26	0.51	1.02	2.05
Arithmetic to Boolean (via secret-shares)	10.89	743.2	n/a	n/a	4.22	1048.83	n/a	n/a
Arithmetic to Boolean (via generic secure modulo-arithmetic)	9628	9628	9628	9628	2004.96	2004.96	2004.96	2004.96


Timings in the first two rows are averaged over 10⁶ runs while those in the third row are over 10³ runs.
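The per-bit figures quoted in the text (about 420 ns and roughly 32 bytes per bit of Boolean wire-label) follow directly from the first row of Table 4, as the short calculation below shows. It assumes 1 KB = 1000 bytes; the variable names are only for illustration.

```python
# Boolean-to-Arithmetic row of Table 4, keyed by bit-width.
TIME_US = {8: 3.34, 16: 6.69, 32: 13.31, 64: 26.75}
BANDWIDTH_KB = {8: 0.26, 16: 0.51, 32: 1.02, 64: 2.05}

# Convert to per-bit costs: microseconds -> nanoseconds, KB -> bytes.
per_bit_ns = {w: 1000 * t / w for w, t in TIME_US.items()}
per_bit_bytes = {w: 1000 * b / w for w, b in BANDWIDTH_KB.items()}

for width in sorted(TIME_US):
    print(f"{width:2d}-bit: {per_bit_ns[width]:.1f} ns/bit, "
          f"{per_bit_bytes[width]:.1f} bytes/bit")
```

The per-bit cost is essentially constant across widths, consistent with the conversion using a fixed number of garbled rows per Boolean wire.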

Footnotes

^1.

The protocol of [8] can’t really calculate edit-distance, but aimed at computing the closest matches under the edit-distance metric (a task that doesn’t necessarily require computing edit-distances).

^2.

For every specific computation, this assumption can be guaranteed to hold by setting p to be a sufficiently large prime so that no intermediate values in the computation could overflow. For example, fixing p to the largest 88-bit prime suffices for edit-distance-based human genome comparisons. We also note that, without incurring significant overhead, it is possible to use a 128-bit prime p with the extension technique discussed in Section 4.

Contributor Information

Ruiyu Zhu, IU Bloomington, with main research focus in applied cryptography, Indiana University, Bloomington.

Yan Huang, Computer Science at Indiana University Bloomington.

References

[1].Needleman S. and Wunsch C, “A general method applicable to the search for similarities in the amino acid sequence of two proteins,” Journal of molecular biology, vol. 48, no. 3, 1970.
[2].Cancer Genome Atlas Network, “Comprehensive molecular portraits of human breast tumours,” Nature, vol. 490, no. 7418, 2012.
[3].Waddell N, Pajic M, Patch A-M, Chang DK, Kassahn KS, Bailey P, Johns AL, Miller D, Nones K, Quek K. et al., “Whole genomes redefine the mutational landscape of pancreatic cancer,” Nature, vol. 518, no. 7540, 2015.
[4].Evans WE and Relling MV, “Moving towards individualized medicine with pharmacogenomics,” Nature, vol. 429, 2004.
[5].Forrest S, Hofmeyr SA, and Somayaji A, “Computer immunology,” Communications of the ACM, vol. 40, no. 10, pp. 88–96, 1997.
[6].Warrender C, Forrest S, and Pearlmutter B, “Detecting intrusions using system calls: Alternative data models,” in IEEE S&P, 1999.
[7].Gao D, Reiter MK, and Song D, “Behavioral distance for intrusion detection,” in Workshop on Recent Advances in Intrusion Detection, 2006.
[8].Asharov G, Halevi S, Lindell Y, Rabin T, “Privacy-preserving search of similar patients in genomic data.” in PETS, 2018.
[9].Wang X, Huang Y, Zhao Y, Tang H, Wang X, and Bu D, “Efficient genome-wide, privacy-preserving similar patient query based on private edit distance,” in ACM CCS, 2015.
[10].Zahur S, Rosulek M, and Evans D, “Two halves make a whole: reducing data transfer in garbled circuits using half gates,” in EUROCRYPT, 2015.
[11].Demmler D, Schneider T, Zohner M, “ABY: A framework for efficient mixed-protocol two-party computation,” in NDSS, 2015.
[12].Huang Y, Evans D, Katz J, and Malka L, “Faster secure two-party computation using garbled circuits,” in USENIX Security, 2011.
[13].Malozemoff A. and Wang X, “EMP-Toolkit,” https://github.com/emp-toolkit, 2016.
[14].Ball M, Malkin T, and Rosulek M, “Garbling gadgets for boolean and arithmetic circuits,” in ACM CCS, 2016.
[15].Wang X, Ranellucci S, and Katz J, “Global-scale secure multiparty computation,” in ACM CCS, 2017.
[16].Jha S, Kruger L, and Shmatikov V, “Towards practical privacy for genomic computation,” in IEEE S&P, 2008.
[17].Bellare M, Hoang VT, Keelveedhi S, and Rogaway P, “Efficient garbling from a fixed-key blockcipher,” in IEEE S&P, 2013.
[18].Bellare M, Hoang VT, and Rogaway P, “Foundations of garbled circuits,” in ACM CCS, 2012.
[19].Kolesnikov V. and Schneider T, “Improved garbled circuit: Free XOR gates and applications,” in ICALP, 2008.
[20].Mohassel P. and Rindal P, “ABY3: a mixed protocol framework for machine learning,” in ACM CCS. 2018, pp. 35–52.
[21].Dessouky G, Koushanfar F, Sadeghi A-R, Schneider T, Zeitouni S, and Zohner M, “Pushing the communication barrier in secure computation using lookup tables.” in NDSS, 2017.
[22].Yao AC-C, “How to generate and exchange secrets (extended abstract),” in FOCS, 1986.
[23].Pinkas B, Schneider T, Smart NP, and Williams SC, “Secure two-party computation is practical,” in ASIACRYPT, 2009.
[24].Gueron S, Lindell Y, Nof A, and Pinkas B, “Fast garbling of circuits under standard assumptions,” in ACM CCS, 2015.
[25].Tamura K, Peterson D, Peterson N, Stecher G, Nei M, and Kumar S, “Mega5: molecular evolutionary genetics analysis using maximum likelihood, evolutionary distance, and maximum parsimony methods,” Molecular biology and evolution, vol. 28, 2011.
[26].Kumar S, Tamura K, and Nei M, “Mega: molecular evolutionary genetics analysis software for microcomputers,” Computer applications in the biosciences: CABIOS, vol. 10, no. 2, pp. 189–191, 1994.
[27].Kimura M, “A simple method for estimating evolutionary rates of base substitutions through comparative studies of nucleotide sequences,” Journal of molecular evolution, vol. 16, no. 2, 1980.
[28].Tajima F. and Nei M, “Estimation of evolutionary distance between nucleotide sequences,” Molecular biology and evolution, 1984.
[29].Amir A, Gotthilf Z, and Shalom BR, “Weighted LCS,” Journal of Discrete Algorithms, vol. 8, no. 3, 2010.
[30].Zhu R, Huang Y, Katz J, and Shelat A, “The cut-and-choose game and its application to cryptographic protocols,” in USENIX Security, 2016.
[31].Kolesnikov V. and Kumaresan R, “Improved OT extension for transferring short secrets,” in CRYPTO, 2013.
[32].Ishai Y, Kilian J, Nissim K, and Petrank E, “Extending oblivious transfers efficiently,” in CRYPTO, 2003.
[33].Zhu R. and Huang Y, “Jimu: Faster lego-based secure computation using additive homomorphic hashes,” in ASIACRYPT, 2017.
[34].Canetti R, “Security and composition of multiparty cryptographic protocols,” Journal of Cryptology, vol. 13, no. 1, pp. 143–202, 2000.
[35].Keller M, Orsini E, and Scholl P, “Actively secure OT extension with optimal overhead,” in CRYPTO, 2015.
[36].Wang X, Ranellucci S, and Katz J, “Authenticated garbling and efficient maliciously secure two-party computation,” in CCS, 2017.

[R1] [1].Needleman S. and Wunsch C, “A general method applicable to the search for similarities in the amino acid sequence of two proteins,” Journal of molecular biology, vol. 48, no. 3, 1970. [DOI] [PubMed] [Google Scholar]

[R2] [2].Cancer Genome Atlas Network, “Comprehensive molecular portraits of human breast tumours,” Nature, vol. 490, no. 7418, 2012. [DOI] [PMC free article] [PubMed] [Google Scholar]

[R3] [3].Waddell N, Pajic M, Patch A-M, Chang DK, Kassahn KS, Bailey P, Johns AL, Miller D, Nones K, Quek K. et al. , “Whole genomes redefine the mutational landscape of pancreatic cancer,” Nature, vol. 518, no. 7540, 2015. [DOI] [PMC free article] [PubMed] [Google Scholar]

[R4] [4].Evans WE and Relling MV, “Moving towards individualized medicine with pharmacogenomics,” Nature, vol. 429, 2004. [DOI] [PubMed] [Google Scholar]

[R5] [5].Forrest S, Hofmeyr SA, and Somayaji A, “Computer immunology,” Communications of the ACM, vol. 40, no. 10, pp. 88–96, 1997. [Google Scholar]

[R6] [6].Warrender C, Forrest S, and Pearlmutter B, “Detecting intrusions using system calls: Alternative data models,” in IEEE S&P, 1999.

[R7] [7].Gao D, Reiter MK, and Song D, “Behavioral distance for intrusion detection,” in Workshop on Recent Advances in Intrusion Detection, 2006.

[R8] [8].Asharov G, Halevi S, Lindell Y, Rabin T, “Privacy-preserving search of similar patients in genomic data.” in PETS, 2018.

[R9] [9].Wang X, Huang Y, Zhao Y, Tang H, Wang X, and Bu D, “Efficient genome-wide, privacy-preserving similar patient query based on private edit distance,” in ACM CCS, 2015.

[R10] [10].Zahur S, Rosulek M, and Evans D, “Two halves make a whole: reducing data transfer in garbled circuits using half gates,” in EUROCRYPT, 2015.

[R11] [11].Demmler D, Schneider T, Zohner M, “ABY: A framework for efficient mixed-protocol two-party computation,” in NDSS, 2015.

[R12] [12].Huang Y, Evans D, Katz J, and Malka L, “Faster secure two-party computation using garbled circuits,” in USENIX Security, 2011.

[R13] [13].Malozemoff A. and Wang X, “EMP-Toolkit,” https://github.com/emp-toolkit, 2016.

[R14] [14].Ball M, Malkin T, and Rosulek M, “Garbling gadgets for boolean and arithmetic circuits,” in ACM CCS, 2016.

[R15] [15].Wang X, Ranellucci S, and Katz J, “Global-scale secure multiparty computation,” in ACM CCS, 2017.

[R16] [16].Jha S, Kruger L, and Shmatikov V, “Towards practical privacy for genomic computation,” in IEEE S&P, 2008.

[R17] [17].Bellare M, Hoang VT, Keelveedhi S, and Rogaway P, “Efficient garbling from a fixed-key blockcipher,” in IEEE S&P, 2013.

[R18] [18].Bellare M, Hoang VT, and Rogaway P, “Foundations of garbled circuits,” in ACM CCS, 2012.

[R19] [19].Kolesnikov V. and Schneider T, “Improved garbled circuit: Free XOR gates and applications,” in ICALP, 2008.

[R20] [20].Mohassel P. and Rindal P, “ABY3: a mixed protocol framework for machine learning,” in ACM CCS. 2018, pp. 35–52.

[R21] [21].Dessouky G, Koushanfar F, Sadeghi A-R, Schneider T, Zeitouni S, and Zohner M, “Pushing the communication barrier in secure computation using lookup tables.” in NDSS, 2017.

[R22] [22].Yao AC-C, “How to generate and exchange secrets (extended abstract),” in FOCS, 1986.

[R23] [23].Pinkas B, Schneider T, Smart NP, and Williams SC, “Secure two-party computation is practical,” in ASIACRYPT, 2009.

[R24] [24].Gueron S, Lindell Y, Nof A, and Pinkas B, “Fast garbling of circuits under standard assumptions,” in ACM CCS, 2015.

[R25] [25].Tamura K, Peterson D, Peterson N, Stecher G, Nei M, and Kumar S, “Mega5: molecular evolutionary genetics analysis using maximum likelihood, evolutionary distance, and maximum parsimony methods,” Molecular biology and evolution, vol. 28, 2011. [DOI] [PMC free article] [PubMed] [Google Scholar]

[R26] [26].Kumar S, Tamura K, and Nei M, “Mega: molecular evolutionary genetics analysis software for microcomputers,” Computer applications in the biosciences: CABIOS, vol. 10, no. 2, pp. 189–191, 1994. [DOI] [PubMed] [Google Scholar]

[R27] [27].Kimura M, “A simple method for estimating evolutionary rates of base substitutions through comparative studies of nucleotide sequences,” Journal of molecular evolution, vol. 16, no. 2, 1980. [DOI] [PubMed] [Google Scholar]

[R28] [28].Tajima F. and Nei M, “Estimation of evolutionary distance between nucleotide sequences.” Molecular biology and evolution, 1984. [DOI] [PubMed]

[R29] [29].Amir A, Gotthilf Z, and Shalom BR, “Weighted LCS,” Journal of Discrete Algorithms, vol. 8, no. 3, 2010. [Google Scholar]

[30] Zhu R, Huang Y, Katz J, and Shelat A, “The cut-and-choose game and its application to cryptographic protocols,” in USENIX Security, 2016.

[31] Kolesnikov V and Kumaresan R, “Improved OT extension for transferring short secrets,” in CRYPTO, 2013.

[32] Ishai Y, Kilian J, Nissim K, and Petrank E, “Extending oblivious transfers efficiently,” in CRYPTO, 2003.

[33] Zhu R and Huang Y, “Jimu: Faster lego-based secure computation using additive homomorphic hashes,” in ASIACRYPT, 2017.

[34] Canetti R, “Security and composition of multiparty cryptographic protocols,” Journal of Cryptology, vol. 13, no. 1, pp. 143–202, 2000.

[35] Keller M, Orsini E, and Scholl P, “Actively secure OT extension with optimal overhead,” in CRYPTO, 2015.

[36] Wang X, Ranellucci S, and Katz J, “Authenticated garbling and efficient maliciously secure two-party computation,” in ACM CCS, 2017.
