Secure Multi-Party Computation: Promises, Protocols, and Practicalities. David Evans, University of Virginia (visiting Inria Paris). École Normale Supérieure, Paris, 27 June 2017. ECRYPT NET Workshop on Crypto for the Cloud & Implementation.
Secure Two-Party Computation. Can Alice and Bob compute a function on private data, without exposing anything about their data besides the result? = (, ) Alice’s Secret Input: Bob’s Secret Input: [figure: Alice’s Cert Cafe, Bob’s Trust Emporium]
Yao’s Garbled Circuit Protocol. Alice (circuit generator) and Bob (circuit evaluator) each hold a secret input and agree on a function = (, ). Running the garbled circuit protocol, Alice learns nothing else about b and Bob learns nothing else about a.
Yao’s GC Protocol.
Alice (generator): picks random labels $a_0, a_1$, $b_0, b_1$, $c_0, c_1$ for the wires; generates the garbled tables, e.g. for an AND gate: $\mathrm{Enc}_{a_0,b_0}(c_0)$, $\mathrm{Enc}_{a_0,b_1}(c_0)$, $\mathrm{Enc}_{a_1,b_0}(c_0)$, $\mathrm{Enc}_{a_1,b_1}(c_1)$; sends the tables and her own input labels to Bob.
Bob (evaluator): evaluates the circuit, decrypting one row of each garbled gate; decodes the output.
How does Bob learn his own input wire labels?
Chain gates (G0, G1, …, G2) to securely compute any discrete function! [figure: garbled tables for the chained gates G0, G1 and G2; not recoverable from the extracted text]
Building Computing Systems.
Digital electronic circuits: operate on known data; a 32-bit logical operation requires moving some electrons a few nm; reuse is great!
Garbled circuits: operate on encrypted wire labels; a one-bit AND requires four encryptions; reuse is not allowed!
Background: Point-and-Permute (Beaver, Micali and Rogaway [STOC 1990]). Input wire labels carry selection bits; the output wire label is encrypted under the pair of input labels: $\mathrm{Enc}_{a_0,b_0}(c_0)$, $\mathrm{Enc}_{a_0,b_1}(c_0)$, $\mathrm{Enc}_{a_1,b_0}(c_0)$, $\mathrm{Enc}_{a_1,b_1}(c_1)$. Select a random bit for each wire: set the last bit of label 0 to that bit and the last bit of label 1 to its negation. Order the table canonically: 00/01/10/11, so the evaluator decrypts exactly the row selected by the two visible bits.
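As an added example (not code from the slides), the following Python garbles single gates with point-and-permute labels and chains two of them into (a AND b) OR c, so that the evaluator decrypts one row per gate without trial decryption. Using a SHA-256 hash of the two input labels as the row's encryption pad, and the gate names g0/g1, are assumptions of this illustration, not part of the talk.

```python
import os
import hashlib

LBL = 16  # 128-bit wire labels

def xor(x, y):
    return bytes(p ^ q for p, q in zip(x, y))

def new_wire():
    """Generator picks two random labels; the last bit of label 0 is a random
    permutation bit p and the last bit of label 1 is not-p (point-and-permute)."""
    p = os.urandom(1)[0] & 1
    l0 = bytearray(os.urandom(LBL)); l0[-1] = (l0[-1] & 0xFE) | p
    l1 = bytearray(os.urandom(LBL)); l1[-1] = (l1[-1] & 0xFE) | (p ^ 1)
    return bytes(l0), bytes(l1)

def sel(label):
    """Selection bit visible to the evaluator (last bit of the label)."""
    return label[-1] & 1

def pad(la, lb, gate_id):
    # Assumed key derivation: a hash of both input labels acts as the row's pad.
    return hashlib.sha256(la + lb + gate_id).digest()[:LBL]

def garble_gate(gate_id, a, b, c, func):
    """Generator side: four encryptions of the output label, stored in canonical
    00/01/10/11 order of the two selection bits, so the row order reveals nothing."""
    table = [None] * 4
    for va in (0, 1):
        for vb in (0, 1):
            la, lb = a[va], b[vb]
            table[(sel(la) << 1) | sel(lb)] = xor(pad(la, lb, gate_id), c[func(va, vb)])
    return table

def eval_gate(gate_id, table, la, lb):
    """Evaluator side: decrypt only the row indexed by the two selection bits."""
    return xor(pad(la, lb, gate_id), table[(sel(la) << 1) | sel(lb)])

def run_circuit(inputs):
    """Garble and evaluate (a AND b) OR c for plaintext bits (a, b, c).
    The evaluator only ever handles labels; the generator releases the output
    decoding (which label of wire d means 0 or 1) at the end."""
    va, vb, vc = inputs
    a, b, c, t, d = (new_wire() for _ in range(5))
    g0 = garble_gate(b"g0", a, b, t, lambda x, y: x & y)
    g1 = garble_gate(b"g1", t, c, d, lambda x, y: x | y)
    # In the real protocol Bob obtains his own input labels via oblivious transfer.
    lt = eval_gate(b"g0", g0, a[va], b[vb])
    ld = eval_gate(b"g1", g1, lt, c[vc])
    return {d[0]: 0, d[1]: 1}[ld]
```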
Yan Huang, David Evans, and Jonathan Katz. Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? [NDSS 2012]. Yan Huang (UVa PhD 2012 → Indiana), Jonathan Katz (Maryland).
Swap gates (configured by the generator) to perform a random permutation. [figure: permutation network, Journal of the ACM, January 1968]
Two Halves Make a Whole: Reducing Data Transfer in Garbled Circuits using Half Gates. Samee Zahur, Mike Rosulek, and David Evans. In EuroCrypt 2015. Samee Zahur (UVa PhD 2016 → Google), Mike Rosulek (Oregon State).
Standard Fix: “Cut-and-Choose”. Generator (Alice) and Evaluator (Bob):
(1) Alice sends instances of the generated circuit.
(2) Bob challenges: chooses a random subset.
(3) Alice sends the keys for the selected circuits.
(4) Bob checks all revealed circuits.
(5) If okay, Bob evaluates the rest and selects the majority output.
Provides security against an active attacker, but for reasonable security > 100 circuits are needed.
Semi-Honest is Half-Way There. Privacy: nothing is revealed other than the output. (Not) Correctness: the output of the protocol is (, ). Generator / Evaluator: as long as the evaluator doesn’t send the result (or a complaint) back, privacy for the evaluator is guaranteed.
Security Properties. Correctness: guaranteed by an authenticated, secure equality test. Privacy: leaks one (extra) bit on average, since an adversarial circuit fails on ½ of the inputs. A malicious generator can decrease the likelihood of being caught and increase the information leaked when caught (but this decreases the average information leaked): at the extreme, the circuit fails on just one input.
Proof of Security: One-Bit Leakage. Ideal world with parties A and B and a trusted party; A is controlled by the malicious adversary. An arbitrary Boolean function → {0, 1} is selected by the adversary. The adversary receives: (, ) and (, ).
Real Costs are People.
Problem | Size | Time | People Cost
Secure Stable Matching [Doerner, Evans, shelat. ACM CCS 2016] | National Residency Match | 17 hours (∼$15) | ∼$1M
Secure Linear Regression [Gascon+, PETS 2017] | 1M elements, 200 features, 2 parties (vertically-partitioned) | 40 minutes (∼$0.50) | ∼$2M
Not our real costs, assuming market wages!
Tools for Building Secure Computations.
Library-based frameworks (circuit-level programs): full control, low-level programming, little type safety.
High-level languages: little control, high-level programming, strong type safety.
Obliv-C (oblivc.org): high-level programming, low-level customizability, helpful, escapable type checking.
Circuit for Array Update. Linear scan: need to touch every array element to hide which one is real. [figure: for each index k, a multiplexer selects x if i == k, else a[k], producing a'[k]; shown for a[0] … a[3], …]
Traditional ORAM [Goldreich 1987]: a client with sublinear client-side state, and an untrusted server holding linear server-side encrypted state; the client issues Initialize and Access operations. Security property: all initialization and access sequences of the same length are indistinguishable to the server.
RAM-SC [Gordon, Katz, Kolesnikov, Krell, Malkin, Raykova, Vahlis 2012]: Alice and Bob run an MPC protocol over public ORAM state held by each party, with an oblivious ORAM state inside the protocol; Initialize and Access operations return encrypted results.