Secure In The Malicious Setting

[greenfrogs]

I was wondering if OblivC is secure for computing the malicious setting. SoK mentions that this is not supported and yet Obliv-C includes execDualexProtocol(). For this to be secure the following needs to be true and I was wondering if you could provide some help in saying if they are met:

1. During the normal execution of the two threads, the two threads can be in the semi-honest setting but the oblivious transfer needs to be malicious (this is all before the equality check)
2. For the equality check the implementation needs to be in the malicious setting along with the oblivious transfer

Thank you for any help with answering these questions. This is also discussed in more detail in this paper and implemented by emp-toolkit.

[weikengchen]

It looks like OblivC has some implementations on the dual-execution protocol: https://github.com/samee/obliv-c/blob/obliv-c/src/ext/oblivc/dualex.c#L133

But I haven't used it, and right now, there is a limitation:

fprintf(stderr,"Right now, Dualex protocol requires all "
      "outputs to be revealed to both parties\n"); 
    exit(1);

If you have a program that is not reactive, then you should be able to write it in emp-agmpc.

[greenfrogs]

Hi @weikengchen, thank you very much for your quick response. Aside from that limitation, it would be great to know if the check at the very end of the execDualexProtocol (found here) is in the malicious setting (i.e. using agmpc and not sh2pc). It is not clear from the code.

If the dualExEqualityCheck is running in the same sh2pc mode that the earlier execution (both parallel threads) are using, then this is not secure.

[weikengchen]

I think your question is about whether the oblivious transfer is done maliciously secure, in order to enable dual execution to be secure.

I would leave this question to @samee.

---

Note that as academic research is gradually moving to malicious security, and the language base of Obliv-C, the CIL, has not been maintained for a long while since George Necula has moved to Google, and that Samee is also at Google now, you would expect Obliv-C to be not very frequently updated. This also happens to many other MPC platforms.

[samee]

That dual execution protocol is pretty much a direct implementation of this paper: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.677.1248&rep=rep1&type=pdf. As far as I remember, yes the OT and equality checks are secure against malicious adversaries. However, the caveat of dual-execution protocols is that there is no easy way to bound whether the result of that equality check is revealing something sensitive by itself. If you look at the paper, it says that it can leak any arbitrary one-bit function of the input—at least that's what we could prove. I don't know if that's acceptable for the application you have in mind. I hope it is!

I had no idea George Necula is now in Google. I'll have to reach out to him :)

[weikengchen]

While, not in the Bay Area Google, but Google Switzerland.