Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Predicate attack against current DEAP impl #3

Closed
sinui0 opened this issue May 2, 2023 · 4 comments
Closed

Predicate attack against current DEAP impl #3

sinui0 opened this issue May 2, 2023 · 4 comments

Comments

@sinui0
Copy link
Collaborator

sinui0 commented May 2, 2023

I just realized there is an predicate attack against our current DEAP impl we overlooked which doesn't require malicious garbling or OT to perform.

The Follower simply has to choose different inputs for each execution. This depends on the function in question but generally the follower can select different inputs such that:

$$f(x_0, y) \neq f(x_1, y) \longleftrightarrow g(y) = true$$

where $x$ and $y$ are the Follower and Leader inputs respectively. This leaks an arbitrary predicate of $y$ which satisfies this.

This attack is also present in standard Dual-ex, but we overlooked mitigating it. Fortunately the mitigation is relatively simple (but will require some work).

We need to implement the CommittedReceiver counter-part to our CommittedSender impl. Then during DEAP finalization, we can check that the Follower provided the same inputs to both executions by validating their OT choices.

It's still not clear whether this is something we need to mitigate for our application, the Followers only input is the PMS share to the PRF and it seems that it would be infeasible to select a predicate that affects the AES-CTR circuit.
@themighty1
Copy link
Collaborator

I agree that a fix is needed. Will make the protocol easier to reason about if both inputs are checked to be equal.

@heeckhau heeckhau transferred this issue from tlsnotary/tlsn Jun 8, 2023
@themighty1
Copy link
Collaborator

the Followers only input is the PMS share to the PRF

right. And with this attack the Follower could learn 1-bit info about the Leader's PMS share which is acceptable for us.

and it seems that it would be infeasible to select a predicate that affects the AES-CTR circuit

it should be impossible to attack encryption/decryption circuits because the Follower is "locked" into only using the labels corresponding to his key share (these are the labels which were derived during TLS handshake key derivation).

Apparently this attack does not apply to the way we impl tlsn.

Do you agree with the above @sinui0 ?

@sinui0
Copy link
Collaborator Author

sinui0 commented Aug 13, 2023

it should be impossible to attack encryption/decryption circuits because the Follower is "locked" into only using the labels corresponding to his key share (these are the labels which were derived during TLS handshake key derivation).

Apparently this attack does not apply to the way we impl tlsn.

Do you agree with the above @sinui0 ?

I do agree, I don't think this is a practical attack against TLSN

@sinui0
Copy link
Collaborator Author

sinui0 commented Nov 3, 2024

This (and DEAP) will be moved to TLSNotary project. The solution is simple, the follower proves their input by simply sending their input MACs to the leader. Afterwards the leader uses it as a public input to the ZK phase.

@sinui0 sinui0 closed this as completed Nov 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@themighty1 @sinui0