Introduction to Secure Multi-Party Computation in Practice

Slide 1

Slide 1 text

Tutorial: Introduction to Secure Multi-Party Computation in Practice David Evans University of Virginia www.JeffersonsWheel.org

Slide 2

Slide 2 text

Secure Multiparty Computation Since 1980s… Theory Cryptography Systems

Slide 3

Slide 3 text

(De)Motivating Application Alice Bob

Slide 4

Slide 4 text

Alice Bob Genome Compatibility Protocol “Genetic Dating” Genetic Matchr WARNING! Reproduction not recommended Your offspring would have good immune systems! processing… Start [Don’t sue us.] Genetic Matchr WARNING! Reproduction not recommended Your offspring would have good immune systems! processing… Start [Don’t sue us.] (De)Motivating Application

Slide 5

Slide 5 text

$1,000 $10,000 $100,000 $1,000,000 $10,000,000 $100,000,000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014

Slide 6

Slide 6 text

$1,000 $10,000 $100,000 $1,000,000 $10,000,000 $100,000,000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014

Slide 7

Slide 7 text

Secure Two-Party Computation Alice Bob Bob’s Genome Alice’s Genome Can Alice and Bob compute a function on private data, without exposing anything about their data besides the result? r = f(a, b)

Slide 8

Slide 8 text

Bob’s Genome Secure Two-Party Computation Alice Bob r = f(a, b) Alice’s Genome Can Alice and Bob compute a function on private data, without exposing anything about their data besides the result?

Slide 9

Slide 9 text

FOCS 1982 FOCS 1986 Note: neither paper actually describes Yao’s protocol. Andrew Yao Keynote talk Saturday: Interdisciplinarity: A View from Theory of Computation

Slide 10

Slide 10 text

Encode Decode f garbled circuit F e X Y z d x As formalized by: Original function decoding info a b Garble Evaluate

Slide 11

Slide 11 text

Garble Encode Evaluate Decode f garbled circuit F e X Y z d x Standard Instantiation Original function decoding info a b Generator (Alice) Evaluator (Bob) Oblivious Transfer Protocol

Slide 12

Slide 12 text

Encode Decode f garbled circuit F e X Y d x Security Properties Obliviousness: F, X reveal nothing (new) Privacy: F, X, and d don’t leak more than f(x) Authenticity: can’t fake Y Garble Evaluate Correctness z = f(x) z

Slide 13

Slide 13 text

Threat Model “Honest-but-Curious” (also called “Semi-Honest”) Security and correctness only guaranteed if participants follow protocol. Later: hardening techniques can strengthen to active adversaries.

Slide 14

Slide 14 text

Garble Encode Evaluate Decode f garbled circuit F e X Y z d x How can Alice garble a circuit so Bob can evaluate it but learn nothing (he doesn’t already know) when he does? Original function decoding info a b Generator (Alice) Evaluator (Bob) Oblivious Transfer Protocol

Slide 15

Slide 15 text

Garbling Techniques

Slide 16

Slide 16 text

Regular Logic Inputs Output x a b 0 0 0 0 1 0 1 0 0 1 1 1 a b x AND

Slide 17

Slide 17 text

“Obfuscated” Logic Inputs Output x a b a1 b0 x0 a0 b1 x0 a1 b1 x1 a1 b0 x0 a0 or a1 x AND b0 or b1 ai , bi , xi are random values, chosen by generator but meaningless to evaluator.

Slide 18

Slide 18 text

Inputs Output x a b a1 b0 x0 a0 b1 x0 a1 b1 x1 a1 b0 x0 a0 or a1 x AND b0 or b1 Leaks information! “Obfuscated” Logic ai , bi , xi are random values, chosen by generator but meaningless to evaluator.

Slide 19

Slide 19 text

Garbled Logic Inputs Output x a b a1 b0 Ea1 ,b0 (x0 ) a0 b1 Ea0 ,b1 (x0 ) a1 b1 Ea1 ,b1 (x1 ) a0 b0 Ea0 ,b0 (x0 ) a0 or a1 x AND b0 or b1

Slide 20

Slide 20 text

Garbled Logic Inputs Output x a b a1 b0 Ea1 ,b0 (x0 ) a0 b1 Ea0 ,b1 (x0 ) a1 b1 Ea1 ,b1 (x1 ) a0 b0 Ea0 ,b0 (x0 ) a0 or a1 x AND b0 or b1 G Garbled Table

Slide 21

Slide 21 text

a0,0 or a0,1 G0 b0,0 or b1,0 G1 … x0 or x1 G2 x1,0 or x1,1 a1,0 or a1,1 b1,0 or b1,1 Ea0,1 ,b0,0 (x0,0 ) Ea0,0 ,b0,1 (x0,0 ) Ea0,1 ,b0,1 (x0,1 ) Ea0,0 ,b0,1 (x0,0 ) Ea1,1 ,b1,1 (x1,1 ) Ea1,0 ,b1,1 (x1,0 ) Ea1,1 ,b1,0 (x1,0 ) Ea1,0 ,b1,0 (x1,0 ) x2,0 or x2,1 Chain gates to securely compute any discrete function! Ex0,0 ,x1,0 (x2,0 ) Ex0,1 ,x1,1 (x2,1 ) Ex0,1 ,x1,0 (x2,0 ) Ex0,0 ,x1,0 (x2,0 )

Slide 22

Slide 22 text

From Theory to Practice

Slide 23

Slide 23 text

Building Computing Systems 23 Digital Electronic Circuits Garbled Circuits Operate on known data Operate on encrypted wire labels One-bit logical operation requires moving some electrons a few nanometers One-bit logical operation requires performing four encryption operations Reuse is great! Reuse is not allowed! Ea1 ||b0 (x0 ) Ea0 ||b1 (x0 ) Ea1 ||b1 (x1 )

Slide 24

Slide 24 text

Fairplay 24 Malkhi, Nisan, Pinkas and Sella [USENIX Sec 2004] SFDL Program SFDL Compiler Circuit Garbled Tables Generator Garbled Tables Evaluator SFDL Compiler

Slide 25

Slide 25 text

[Fairplay, USENIX Sec 2004] ∼$1M Estimated cost of 10k x 10k Smith-Waterman, 4T gates $1,000 $10,000 $100,000 $1,000,000 $10,000,000 $100,000,000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016

Slide 26

Slide 26 text

Fairplay 26 Malkhi, Nisan, Pinkas and Sella [USENIX Sec 2004] SFDL Program SFDL Compiler Circuit (SHDL) Alice Bob Garbled Tables Generator Garbled Tables Evaluator SFDL Compiler 4T gates ～ 1.2 PB of storage

Slide 27

Slide 27 text

Pipelined Execution Circuit-Level Application GC Framework (Evaluator) GC Framework (Generator) Circuit Structure Circuit Structure Yan Huang (UVa PhD, U Indiana) Yan Huang, David Evans, Jonathan Katz, and Lior Malka. Faster Secure Two-Party Computation Using Garbled Circuits. USENIX Security 2011. x1 x2 y1 y2 z1 z2

Slide 28

Slide 28 text

$100 $1,000 $10,000 $100,000 $1,000,000 $10,000,000 $100,000,000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 Pipelining, + (Estimates for 2PC, 4T gates)

Slide 29

Slide 29 text

Ea1 ,b0 (x0 ) Ea0 ,b1 (x0 ) Ea1 ,b1 (x1 ) Ea0 ,b0 (x0 ) Simple Garbling Try all four, can tell valid encryption output

Slide 30

Slide 30 text

Ea1 ,b0 (x0 ) Ea0 ,b1 (x0 ) Ea1 ,b1 (x1 ) Ea0 ,b0 (x0 ) Single Hash Garbling

Slide 31

Slide 31 text

Ea1 ,b0 (x0 ) Ea0 ,b1 (x0 ) Ea1 ,b1 (x1 ) Ea0 ,b0 (x0 ) Single Hash Garbling How can the evaluator know which row to decrypt?

Slide 32

Slide 32 text

Point-and-Permute Enca0, ,b0, (c0 ) Enca0, ,b1 (c0 ) Enca0, ,b0 (c0 ) Enca1 ,b1 (c1 ) Beaver, Micali and Rogaway [STOC 1990] Select random bit for each wire: rw Set last bit of w0 to rw , w1 to ¬ra ra = 0, rb = 0

Slide 33

Slide 33 text

Point-and-Permute Enca1, ,b1, (c1 ) Enca1, ,b0 (c0 ) Enca0, ,b1 (c0 ) Enca0 ,b0 (c0 ) Select random bit for each wire: rw Set last bit of w0 to rw , w1 to ¬ra Order table canonically: 00/01/10/11 ra = 1, rb = 1 Beaver, Micali and Rogaway [STOC 1990]

Slide 34

Slide 34 text

Point-and-Permute Encoding garble table entries: Input wire labels (with selection bits) Output wire label Enca1, ,b1, (c1 ) Enca1, ,b0 (c0 ) Enca0, ,b1 (c0 ) Enca0 ,b0 (c0 ) ra = 1, rb = 1

Slide 35

Slide 35 text

Bandwidth: 4 ciphertexts per gate Compute: 4 hashes per gate Compute: 1 hash per gate Garble Encode Evaluate Decode f garbled circuit F e X Y z d x Original function Generator Evaluator

Slide 36

Slide 36 text

Cost of Garbling Garbling Function AES(kconst , K ) ⊕ K ⊕ C where K =2A⊕ 4B ⊕ gateID SHA-256(A || B || gateID) ⊕ C ∼2000/1000 ns Bellare, Hoang, Keelveedhi, Rogaway 2013 “Fixed-key AES” using AES-NI ~ 15/7 ns Time per gate (garble/evaluate) Time to transmit 80-bits at 1Gbps: 80ns 4 ciphertexts: 320ns (45x compute time)

Slide 37

Slide 37 text

Garbled Row Reduction Naor, Pinkas and Sumner [1999]

Slide 38

Slide 38 text

Garbled Row Reduction Naor, Pinkas and Sumner [1999]

Slide 39

Slide 39 text

Garbled Row Reduction Naor, Pinkas and Sumner [1999]

Slide 40

Slide 40 text

Free-XOR Kolesnikovand Schneider [ICALP 2008] Global generator secret

Slide 41

Slide 41 text

Free-XOR Global generator secret Kolesnikovand Schneider [ICALP 2008]

Slide 42

Slide 42 text

Free-XOR Global generator secret

Slide 43

Slide 43 text

Free-XOR Global generator secret XOR are free! No ciphertexts or encryption needed.

Slide 44

Slide 44 text

Bandwidth: 3 ciphertexts per AND gate, 0 for XOR Compute: 4 hashes per AND gate Compute: 1 hash per AND gate Garble Encode Evaluate Decode f garbled circuit F e X Y z d x Original function Generator Evaluator

Slide 45

Slide 45 text

Half Gates Samee Zahur, Mike Rosulek, and David Evans. Two Halves Make a Whole: Reducing Data Transfer in Garbled Circuits using Half Gates. [EuroCrypt 2015] Samee Zahur (UVA) Mike Rosulek (Oregon State)

Slide 46

Slide 46 text

Yan Huang, David Evans, and Jonathan Katz. Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? [NDSS 2012]

Slide 47

Slide 47 text

Journal of the ACM, January 1968 swap gates, configured (by generator) to do random permutation Yan Huang, David Evans, and Jonathan Katz. Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? [NDSS 2012]

Slide 48

Slide 48 text

Generator Half Gate Known to generator (but secret to evaluator)

Slide 49

Slide 49 text

Generator Half Gate Known to generator (but secret to evaluator)

Slide 50

Slide 50 text

Generator Half Gate Known to generator (but secret to evaluator)

Slide 51

Slide 51 text

Swapper: “Generator Half Gate” Known to generator (but secret to evaluator) With Garbled Row Reduction: Only need to send one ciphertext!

Slide 52

Slide 52 text

Evaluator Half-Gate Known (semantic value) to evaluator (but secret to generator)

Slide 53

Slide 53 text

Evaluator Half-Gate Known (semantic value) to evaluator (but secret to generator)

Slide 54

Slide 54 text

Generator Half-Gates Generator knows a Evaluator Half-Gates Evaluator knows b Implementing But, we need a gate where both inputs are secret…

Slide 55

Slide 55 text

Half + Half = Full Secret Gate random bit selected by generator “leaked” unknown known unknown

Slide 56

Slide 56 text

Half + Half = Full Secret Gate random bit selected by generator “leaked” unknown known unknown

Slide 57

Slide 57 text

Half + Half = Full Secret Gate random bit selected by generator “leaked” unknown known unknown

Slide 58

Slide 58 text

Half + Half = Full Secret Gate random bit selected by generator generator half gate evaluator half gate “leaked” unknown known unknown 2 ciphertexts total!

Slide 59

Slide 59 text

How to leak r ⊕ b? random bit selected by generator generator half gate evaluator half gate “leaked” unknown known unknown 2 ciphertexts total! Use r as point-and-permute bit for B (false) Evaluator has r ⊕ b on obtained wire!

Slide 60

Slide 60 text

Free-XOR+GRR+PnP Half Gates Generator Encryptions (H) 4 4 Evaluator Encryptions (H) 1 2 Ciphertexts Transmitted 3 2 XORs Free ✓ ✓ Bandwidth ê33% Execution Time (edit distance) ê25% Energy ê21%

Slide 61

Slide 61 text

No content

Slide 62

Slide 62 text

Semi-Honest (“Honest but Curious”) Alice Bob generated circuits generator oblivious transfer Evaluates r r output decoding/sharing r = f(a, b) Only provides privacy and correctness guarantees if circuit is generated honestly!

Slide 63

Slide 63 text

Standard Fix: “Cut-and-Choose” Generator (Alice) Evaluator (Bob) (1) N instances of generated circuit (5) If okay, evaluate rest and select majority output (4) checks all revealed circuits (2) Challenge: choose a random subset (3) Keys for selected circuits Provides security against active attacker, but for reasonable security N > 100

Slide 64

Slide 64 text

Semi-Honest is Half-Way There Privacy Nothing is revealed other than the output (Not) Correctness The output of the protocol is f(a, b) Generator Evaluator As long as evaluator doesn’t send result (or complaint) back, privacy for evaluator is guaranteed.

Slide 65

Slide 65 text

Dual Execution Protocols Mohassel & Franklin [PKC 2006] Huang, Katz, Evans. [IEEE S&P 2012]

Slide 66

Slide 66 text

Dual Execution Protocol Alice Bob first round execution (semi-honest) generator evaluator generator evaluator z=f(x, y) Pass if z = z’ and correct wire labels z’, learned output wire labels second round execution (semi-honest) z'=f(x, y) z, learned output wire labels fully-secure, authenticated equality test

Slide 67

Slide 67 text

Proving Security: Malicious A B Ideal World y x Adversary receives: f (x, y) Trusted Party in Ideal World Standard Malicious Model: can’t prove this for Dual Execution Real World A B y x Show equivalence Corrupted party behaves arbitrarily Secure Computation Protocol

Slide 68

Slide 68 text

Proof of Security: One-Bit Leakage A B Ideal World y x Controlled by malicious A g Î R ® {0, 1} g is an arbitrary Boolean function selected by adversary Adversary receives: f (x, y) and g(x, y) Trusted Party in Ideal World Can prove equivalence to this for Dual Execution protocols

Slide 69

Slide 69 text

Intuition: 1-bit Leak Cheating detected Victim’s Possible Inputs Inputs where f (?, y) = r

Slide 70

Slide 70 text

Implementation Alice Bob first round execution (semi-honest) generator evaluator z=f(x, y) Pass if z = z’ and correct wire labels z’, learned output wire labels generator evaluator second round execution (semi-honest) z'=f(x, y) z, learned output wire labels Recall: work to generate is ~2x work to evaluate! fully-secure, authenticated equality test

Slide 71

Slide 71 text

$100 $1,000 $10,000 $100,000 $1,000,000 $10,000,000 $100,000,000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 Active Security Dual Execution

Slide 72

Slide 72 text

Secure Computation for the Masses? Remarkable progress in past 10 years Costs reduced by 1012 Still millions of times more than standard computation Scaling number of parties still very hard Challenge of End-to-End Trust Trusting Software Understanding leaks from output User-understandable information release policies

Slide 73

Slide 73 text

Tomorrow’s Talk Turning Complex Algorithms into MPCs Providing Random Access Memory