scaling secure two party computaonece734/fall2015/... · • describe a system for secure 2-party...
TRANSCRIPT
![Page 1: Scaling Secure Two Party Computaonece734/fall2015/... · • Describe a system for secure 2-party computaon using garbled circuits that is much more scalable and significantly faster](https://reader033.vdocuments.site/reader033/viewer/2022053002/5f063c1b7e708231d416f89e/html5/thumbnails/1.jpg)
ScalingSecureTwoPartyComputa5on
Anupam Datta Fall 2015
Based on work and slides from Yan Huang, David Evans, Jonathan Katz, Lior Malka
18734: Foundations of Privacy
![Page 2: Scaling Secure Two Party Computaonece734/fall2015/... · • Describe a system for secure 2-party computaon using garbled circuits that is much more scalable and significantly faster](https://reader033.vdocuments.site/reader033/viewer/2022053002/5f063c1b7e708231d416f89e/html5/thumbnails/2.jpg)
Overview
• Describeasystemforsecure2-partycomputa5onusinggarbledcircuitsthatismuchmorescalableandsignificantlyfasterthanbestpriorwork
• Applica5ons:– Facerecogni.on:Hammingdistance– Genomics:Editdistance,Smith-Waterman– Privateencryp.on:ObliviousAESevalua5on
2
![Page 3: Scaling Secure Two Party Computaonece734/fall2015/... · • Describe a system for secure 2-party computaon using garbled circuits that is much more scalable and significantly faster](https://reader033.vdocuments.site/reader033/viewer/2022053002/5f063c1b7e708231d416f89e/html5/thumbnails/3.jpg)
Fairplay
3
DahliaMalkhi,NoamNisan,BennyPinkasandYaronSella[USENIXSecurity2004]
SFDLProgram
SFDLCompiler
Circuit(SHDL)Alice Bob
GarbledTablesGenerator
GarbledTablesEvaluator
GarbledTables
![Page 4: Scaling Secure Two Party Computaonece734/fall2015/... · • Describe a system for secure 2-party computaon using garbled circuits that is much more scalable and significantly faster](https://reader033.vdocuments.site/reader033/viewer/2022053002/5f063c1b7e708231d416f89e/html5/thumbnails/4.jpg)
Problems?
4
Analterna5veapproach…wouldhavebeentoapplyYao’sgenericsecuretwo-partyprotocol….Thiswouldhaverequiredexpressingthealgorithmasacircuit…andthensendingandcompu5ngthatcircuit.…[We]believethattheperformanceofourprotocolsissignificantlybeIerthanthatofapplyinggenericprotocols.MargaritaOsadchy,BennyPinkas,AymanJarrous,BoazMoskovich.
SCiFI–ASystemforSecureFaceIden6fica6on.Oakland2010.
[GenericSFE]isveryfast…butthecircuitsizeisextremelylarge….Ourprototypecircuitcompilercancompilecircuitsforproblemsofsize(200,200)butusesalmost2GBofmemorytodoso….largercircuitswouldbeconstrainedbyavailablememoryforconstruc.ngtheirgarbledversions.
SomeshJha,LouisKruger,VitalyShma5kov.TowardsPrac6calPrivacyforGenomicComputa6on.Oakland2008.
![Page 5: Scaling Secure Two Party Computaonece734/fall2015/... · • Describe a system for secure 2-party computaon using garbled circuits that is much more scalable and significantly faster](https://reader033.vdocuments.site/reader033/viewer/2022053002/5f063c1b7e708231d416f89e/html5/thumbnails/5.jpg)
TheFallacy
5
Theen+recircuitispreparedandstoredonbothsides
SFDLProgram
SFDLCompiler
Circuit(SHDL)Alice Bob
GarbledTablesGenerator
GarbledTablesEvaluator
GarbledTablesGarbledTables
![Page 6: Scaling Secure Two Party Computaonece734/fall2015/... · • Describe a system for secure 2-party computaon using garbled circuits that is much more scalable and significantly faster](https://reader033.vdocuments.site/reader033/viewer/2022053002/5f063c1b7e708231d416f89e/html5/thumbnails/6.jpg)
Encx00, x11(x21)
Encx01,x11(x21)
Encx01,x10(x21)
Encx20, x21(x30)
Encx21,x21(x30)
Encx21,x20(x31)
Encx20, x31(x41)
Encx21,x31(x41)
Encx21,x30(x40)
Encx40, x31(x51)
Encx41,x31(x50)
Encx41,x30(x50)
Encx40, x51(x61)
Encx41,x51(x60)
Encx41,x50(x60)
Encx30, x61(x71)
Encx31,x61(x70)
Encx31,x60(x71)
FasterGarbledCircuits
6
Circuit-LevelApplica5on
GCFramework(Evaluator)
GCFramework(Generator)
CircuitStructureCircuitStructure
x41
x21x31
x60x51
x71
Gatescanbeevaluatedastheyaregenerated:pipelining
![Page 7: Scaling Secure Two Party Computaonece734/fall2015/... · • Describe a system for secure 2-party computaon using garbled circuits that is much more scalable and significantly faster](https://reader033.vdocuments.site/reader033/viewer/2022053002/5f063c1b7e708231d416f89e/html5/thumbnails/7.jpg)
BenefitsofPipelining
• AllowsGCtoscaletocircuitsofarbitrarysize
• Improvesthe5meefficiency
Werancircuitswithoverabilliongates,atarateofroughly10μspergate.
![Page 8: Scaling Secure Two Party Computaonece734/fall2015/... · • Describe a system for secure 2-party computaon using garbled circuits that is much more scalable and significantly faster](https://reader033.vdocuments.site/reader033/viewer/2022053002/5f063c1b7e708231d416f89e/html5/thumbnails/8.jpg)
ProblemsinExis.ng(SFDL)Compilers
Resource-demandingSFDLcompila5on
Manyop5miza5onopportuni5esaremissed
Ittakeshoursona40GBmemoryservertocompileaSFDLprogramthatimplementsAES.
CircuitlevelMinimizebitwidthReducethenumberofnon-freegates
ProgramlevelTreatpublicandsecretvaluesdifferently
![Page 9: Scaling Secure Two Party Computaonece734/fall2015/... · • Describe a system for secure 2-party computaon using garbled circuits that is much more scalable and significantly faster](https://reader033.vdocuments.site/reader033/viewer/2022053002/5f063c1b7e708231d416f89e/html5/thumbnails/9.jpg)
SomeResultsProblem BestPreviousResult OurResult Speedup
HammingDistance(FaceRecogni5on,Gene5cDa5ng)–two900-bitvectors
213s[SCiFI,2010]
0.051s 4176x
LevenshteinDistance(genome,textcomparison)–two200-characterinputs
534s[Jha+,2008]
18.4s 29x
Smith-Waterman(genomealignment)–two60-nucleo5desequences
[NotImplementable] 447s -
AESEncryp.on 3.3s[Henecka,2010]
0.2s 16.5x
9
Scalable:1billiongatesevaluatedat≈100,000gates/secondonregularPCs
Comparisonsarealignedtothesamesecuritylevelinthesemi-honestmodel.
![Page 10: Scaling Secure Two Party Computaonece734/fall2015/... · • Describe a system for secure 2-party computaon using garbled circuits that is much more scalable and significantly faster](https://reader033.vdocuments.site/reader033/viewer/2022053002/5f063c1b7e708231d416f89e/html5/thumbnails/10.jpg)
0
0.2
0.4
0.6
0.8
1
1.2
Fairplay[PSSW09] TASTY Here
Billion
s
maxgates
OurResults
0
2
4
6
8
10
Fairplay [PSSW09] TASTY Here
x10000
non-freegates/s
PerformanceScalability
![Page 11: Scaling Secure Two Party Computaonece734/fall2015/... · • Describe a system for secure 2-party computaon using garbled circuits that is much more scalable and significantly faster](https://reader033.vdocuments.site/reader033/viewer/2022053002/5f063c1b7e708231d416f89e/html5/thumbnails/11.jpg)
TimingResults
0
100
200
300
400
500
600
Hammingdistance(900bits)
editdistance(200256-bitchars)
Second
s
BestpreviousHere
4176xfaster
29xfaster
[SCiFI,2010]
[Jha+,2008]
![Page 12: Scaling Secure Two Party Computaonece734/fall2015/... · • Describe a system for secure 2-party computaon using garbled circuits that is much more scalable and significantly faster](https://reader033.vdocuments.site/reader033/viewer/2022053002/5f063c1b7e708231d416f89e/html5/thumbnails/12.jpg)
TimeSavings:AES
0
1
2
3
4
5
6
7
[PSSW09] TASTY Here
Second
s
16.5xfaster
[Henecka,etal.CCS2010]
![Page 13: Scaling Secure Two Party Computaonece734/fall2015/... · • Describe a system for secure 2-party computaon using garbled circuits that is much more scalable and significantly faster](https://reader033.vdocuments.site/reader033/viewer/2022053002/5f063c1b7e708231d416f89e/html5/thumbnails/13.jpg)
Conclusion
• Pipeliningenablesgarbled-circuittechniquetoscaletolargeproblemsizes
• Circuit-levelop.miza.onscandrama5callyreduceperformanceoverhead
Privacy-preservingapplica5onscanrunordersofmagnitudefasterthanpreviouslythought.
![Page 14: Scaling Secure Two Party Computaonece734/fall2015/... · • Describe a system for secure 2-party computaon using garbled circuits that is much more scalable and significantly faster](https://reader033.vdocuments.site/reader033/viewer/2022053002/5f063c1b7e708231d416f89e/html5/thumbnails/14.jpg)
Ques5ons?
Thanks!
DownloadframeworkandAndroiddemoapplica5onfromMightBeEvil.com
![Page 15: Scaling Secure Two Party Computaonece734/fall2015/... · • Describe a system for secure 2-party computaon using garbled circuits that is much more scalable and significantly faster](https://reader033.vdocuments.site/reader033/viewer/2022053002/5f063c1b7e708231d416f89e/html5/thumbnails/15.jpg)
SecureTwo-PartyComputa.on
15
AliceBob
Bob’sGenome:ACTG…Markers(~1000):[0,1,…,0]
Alice’sGenome:ACTG…Markers(~1000):[0,0,…,1]
CanAliceandBobcomputeafunc5onoftheirprivatedata,withoutexposinganythingabouttheirdatabesidestheresult?
![Page 16: Scaling Secure Two Party Computaonece734/fall2015/... · • Describe a system for secure 2-party computaon using garbled circuits that is much more scalable and significantly faster](https://reader033.vdocuments.site/reader033/viewer/2022053002/5f063c1b7e708231d416f89e/html5/thumbnails/16.jpg)
SecureFunc.onEvalua.onAlice(circuitgenerator) Bob(circuitevaluator)
GarbledCircuitProtocol
AndrewYao,1986
sa }1,0{∈Holds tb }1,0{∈Holds
![Page 17: Scaling Secure Two Party Computaonece734/fall2015/... · • Describe a system for secure 2-party computaon using garbled circuits that is much more scalable and significantly faster](https://reader033.vdocuments.site/reader033/viewer/2022053002/5f063c1b7e708231d416f89e/html5/thumbnails/17.jpg)
Yao’sGarbledCircuitsInputs Output
a b x0 0 00 1 01 0 01 1 1
AND
a b
x
![Page 18: Scaling Secure Two Party Computaonece734/fall2015/... · • Describe a system for secure 2-party computaon using garbled circuits that is much more scalable and significantly faster](https://reader033.vdocuments.site/reader033/viewer/2022053002/5f063c1b7e708231d416f89e/html5/thumbnails/18.jpg)
Compu.ngwithMeaninglessValues?Inputs Output
a b xa0 b0 x0
a0 b1 x0
a1 b0 x0
a1 b1 x1
AND
a0 or a1 b0 or b1
x0 or x1
ai, bi, xi arerandomvalues,chosenbythecircuitgeneratorbutmeaninglesstothecircuitevaluator.
![Page 19: Scaling Secure Two Party Computaonece734/fall2015/... · • Describe a system for secure 2-party computaon using garbled circuits that is much more scalable and significantly faster](https://reader033.vdocuments.site/reader033/viewer/2022053002/5f063c1b7e708231d416f89e/html5/thumbnails/19.jpg)
Compu.ngwithGarbledTablesInputs Output
a b xa0 b0 Enca0,b0(x0)
a0 b1 Enca0,b1(x0)
a1 b0 Enca1,b0(x0)
a1 b1 Enca1,b1(x1)
AND
a0 or a1 b0 or b1
x0 or x1
ai, bi, xi arerandomvalues,chosenbythecircuitgeneratorbutmeaninglesstothecircuitevaluator.
Bobcanonlydecryptoneofthese!
GarbledAndGate
Enca0, b1(x0)
Enca1,b1(x1)
Enca1,b0(x0)
Enca0,b0(x0)
![Page 20: Scaling Secure Two Party Computaonece734/fall2015/... · • Describe a system for secure 2-party computaon using garbled circuits that is much more scalable and significantly faster](https://reader033.vdocuments.site/reader033/viewer/2022053002/5f063c1b7e708231d416f89e/html5/thumbnails/20.jpg)
ChainingGarbledCircuits
Candoanycomputa5onprivatelythisway!20
AND
a0 b0
x0
AND
a1 b1
x1
OR
x2
AndGate1
Enca10, b11(x10)
Enca11,b11(x11)
Enca11,b10(x10)
Enca10,b10(x10)OrGate2
Encx00, x11(x21)
Encx01,x11(x21)
Encx01,x10(x21)
Encx00,x10(x20) …
![Page 21: Scaling Secure Two Party Computaonece734/fall2015/... · • Describe a system for secure 2-party computaon using garbled circuits that is much more scalable and significantly faster](https://reader033.vdocuments.site/reader033/viewer/2022053002/5f063c1b7e708231d416f89e/html5/thumbnails/21.jpg)
ThreatModelSemi-Honest(Honest-but-Curious)AdversaryAdversaryfollowstheprotocolasspecified(!),buttriestolearnmorefromtheprotocolexecu5ontranscriptMaybegoodenoughforsomescenarios
21
Weareworkingonefficientsolu5onsformaliciousadversaries
![Page 22: Scaling Secure Two Party Computaonece734/fall2015/... · • Describe a system for secure 2-party computaon using garbled circuits that is much more scalable and significantly faster](https://reader033.vdocuments.site/reader033/viewer/2022053002/5f063c1b7e708231d416f89e/html5/thumbnails/22.jpg)
CircuitOp.miza.on–EditDistance
for (int i = 1; i < a.length; ++i) for (int j = 1; j < b.length; ++j) { T = (a[i] == b[j]) ? 0 : 1; D[i][j] = min(D[i-1][j]+1, D[i][j-1]+1, D[i-1][j-1] + T); }
![Page 23: Scaling Secure Two Party Computaonece734/fall2015/... · • Describe a system for secure 2-party computaon using garbled circuits that is much more scalable and significantly faster](https://reader033.vdocuments.site/reader033/viewer/2022053002/5f063c1b7e708231d416f89e/html5/thumbnails/23.jpg)
CircuitOp.miza.on–EditDistance
D[i-1][j]
AddOneBit AddOneBit
2-Min AddOneBit
T
2-Min
1 1
D[i][j-1] D[i-1][j-1]
D[i][j]
![Page 24: Scaling Secure Two Party Computaonece734/fall2015/... · • Describe a system for secure 2-party computaon using garbled circuits that is much more scalable and significantly faster](https://reader033.vdocuments.site/reader033/viewer/2022053002/5f063c1b7e708231d416f89e/html5/thumbnails/24.jpg)
CircuitOp.miza.on–EditDistance
AddOneBit
2-Min
AddOneBit
T
2-Min
1
D[i-1][j] D[i][j-1] D[i-1][j-1]
D[i][j]
![Page 25: Scaling Secure Two Party Computaonece734/fall2015/... · • Describe a system for secure 2-party computaon using garbled circuits that is much more scalable and significantly faster](https://reader033.vdocuments.site/reader033/viewer/2022053002/5f063c1b7e708231d416f89e/html5/thumbnails/25.jpg)
CircuitOp.miza.on–EditDistance
AddOneBit
2-Min
Mux
T
2-Min
1
Savesabout28%ofgates
D[i-1][j] D[i][j-1] D[i-1][j-1]
D[i][j]
![Page 26: Scaling Secure Two Party Computaonece734/fall2015/... · • Describe a system for secure 2-party computaon using garbled circuits that is much more scalable and significantly faster](https://reader033.vdocuments.site/reader033/viewer/2022053002/5f063c1b7e708231d416f89e/html5/thumbnails/26.jpg)
CircuitLibrary
Throughcustomcircuitdesignandtheuseofop5malcircuitcomponents,westrivetominimizethenumberofnon-freegates
V.KolesnikovandT.Schneider.ImprovedGarbledCircuit:FreeXORGatesandApplica6ons.(ICALP),2008.
AddOneBit
2-Min
Mux
T
2-Min
1
![Page 27: Scaling Secure Two Party Computaonece734/fall2015/... · • Describe a system for secure 2-party computaon using garbled circuits that is much more scalable and significantly faster](https://reader033.vdocuments.site/reader033/viewer/2022053002/5f063c1b7e708231d416f89e/html5/thumbnails/27.jpg)
EaseofUse
• Ourframeworkassumesnoexpertknowledgeofcryptography
• NeedbasicideasofBooleancircuits
• CircuitdesignsconverteddirectlytoJavaprograms
![Page 28: Scaling Secure Two Party Computaonece734/fall2015/... · • Describe a system for secure 2-party computaon using garbled circuits that is much more scalable and significantly faster](https://reader033.vdocuments.site/reader033/viewer/2022053002/5f063c1b7e708231d416f89e/html5/thumbnails/28.jpg)
Tradi5onalJava
Applica5on
Cri5calComponent
Cri5calComponent
Cri5calComponent
LibraryCircuit
CustomCircuit
LibraryCircuit
RestoftheJavaProgram
Javacode
javac
CircuitGenerator
CircuitEvaluator
UsetheFramework
![Page 29: Scaling Secure Two Party Computaonece734/fall2015/... · • Describe a system for secure 2-party computaon using garbled circuits that is much more scalable and significantly faster](https://reader033.vdocuments.site/reader033/viewer/2022053002/5f063c1b7e708231d416f89e/html5/thumbnails/29.jpg)
Example:AESSBox
Leveraginganexis5ngASICdesignforAESallowsustoreducethestate-of-the-artAEScircuitby
30%ofnon-freegates,comparedto[PSSW09]and[HKSSW10]
Wolkerstorfer,etal.AnASICImplementa6onoftheAESS-boxes.RSA-CT2002.