Slide 1
Slide 1 text
Introduction Secure Scala Evaluation Conclusion
SecureScala: Scala Embedding of Secure
Computations
Markus Hauck 1 Savvas Savvides 2 Patrick Eugster 2
Mira Mezini 3 Guido Salvaneschi3
1codecentric AG
2Purdue University
3TU Darmstadt
October 30, 2016
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 1
Slide 2
Slide 2 text
Introduction Secure Scala Evaluation Conclusion
The Current Situation
cloud computing offers cheap processing power
we have more data available than ever
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 2
Slide 3
Slide 3 text
Introduction Secure Scala Evaluation Conclusion
The Current Situation
cloud computing offers cheap processing power
we have more data available than ever
but what about sensitive data?
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 2
Slide 4
Slide 4 text
Introduction Secure Scala Evaluation Conclusion
A Possible Solution
use encryption?
decrypt for computation = danger of leak
need to compute over encrypted data:
secure function evaluation using garbled circuits
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 3
Slide 5
Slide 5 text
Introduction Secure Scala Evaluation Conclusion
A Possible Solution
use encryption?
decrypt for computation = danger of leak
need to compute over encrypted data:
secure function evaluation using garbled circuits
Homomorphic Encryption Schemes
fully homomorphic (FHE)
partial homomorphic (PHE)
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 3
Slide 6
Slide 6 text
Introduction Secure Scala Evaluation Conclusion
Homomorphic Encryption Schemes
perform operation on cipher text without decryption
fully homomorphic encryption schemes
support at least multiplication and addition
far too expensive for practical use
partial homomorphic encryption schemes
in most cases support only one operation
collection of schemes for multiple operations
significant overhead but usable in practice
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 4
Slide 7
Slide 7 text
Introduction Secure Scala Evaluation Conclusion
Contribution
What
currently: special purpose / external DSL
goal: use general purpose language
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 5
Slide 8
Slide 8 text
Introduction Secure Scala Evaluation Conclusion
Contribution
What
currently: special purpose / external DSL
goal: use general purpose language
How
implement embedded DSL in Scala
user: no cryptographic knowledge
external libraries!
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 5
Slide 9
Slide 9 text
Introduction Secure Scala Evaluation Conclusion
A First Approach
use an ADT to encode encrypted integers
sealed trait EncInt
case class PaillierEnc(...) extends EncInt // addition
case class ElGamalEnc(...) extends EncInt // multiplication
case class AesEnc(...) extends EncInt // equality
case class OpeEnc(...) extends EncInt // ordering
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 6
Slide 10
Slide 10 text
Introduction Secure Scala Evaluation Conclusion
Defining Addition Naively
def add(lhs: EncInt, rhs: EncInt): EncInt =
(lhs,rhs) match {
case (x@PaillierEnc(...),y@PaillierEnc(...)) => x + y
case (_,_) => convert(lhs) + convert(rhs)
}
both operands encrypted under same scheme = easy
just use homomorphic property of Paillier
different schemes? We need to convert
conversion = decryption + encryption
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 7
Slide 11
Slide 11 text
Introduction Secure Scala Evaluation Conclusion
Defining Addition Naively
def add(lhs: EncInt, rhs: EncInt): EncInt =
(lhs,rhs) match {
case (x@PaillierEnc(...),y@PaillierEnc(...)) => x + y
case (_,_) => convert(lhs) + convert(rhs)
}
both operands encrypted under same scheme = easy
just use homomorphic property of Paillier
different schemes? We need to convert
conversion = decryption + encryption
decryption in the cloud?
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 7
Slide 12
Slide 12 text
Introduction Secure Scala Evaluation Conclusion
Defining Addition Naively
def add(lhs: EncInt, rhs: EncInt): EncInt =
(lhs,rhs) match {
case (x@PaillierEnc(...),y@PaillierEnc(...)) => x + y
case (_,_) => convert(lhs) + convert(rhs)
}
both operands encrypted under same scheme = easy
just use homomorphic property of Paillier
different schemes? We need to convert
conversion = decryption + encryption
decryption in the cloud? bad!
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 7
Slide 13
Slide 13 text
Introduction Secure Scala Evaluation Conclusion
Roadmap
Idea: write an embedded DSL
Free Monad
Free Applicative
Both
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 8
Slide 14
Slide 14 text
Introduction Secure Scala Evaluation Conclusion
Free Monads
popular technique in Haskell for DSLs
define base functor for operations
get a monad for free to sequence them
programs are first class, write interpreter
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 9
Slide 15
Slide 15 text
Introduction Secure Scala Evaluation Conclusion
Define Base Functor for Operations
sealed trait CryptoF[+K]
case class Plus[K](
lhs: EncInt,
rhs: EncInt,
k: PaillierEnc => K
) extends CryptoF[K]
def plus(lhs: EncInt, rhs: EncInt) =
Free.lift(Plus(lhs,rhs,identity))
type Crypto[A] = Free[CryptoF,A]
define infix operators: +,*,. . .
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 10
Slide 16
Slide 16 text
Introduction Secure Scala Evaluation Conclusion
Writing Programs
can use monadic combinators (for free)
1 // 20 * 2 + 2
2 val program: Crypto[EncInt] = for {
3 x1 <- EncInt(20) * EncInt(2) // or mult(20,2)
4 x2 <- x1 + EncInt(2) // or plus(x1,2)
5 } yield x2
6
7 // monadic left fold from Scalaz
8 def sumList(z: EncInt)(xs: List[EncInt]) =
9 xs.foldLeftM(z)(_+_)
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 11
Slide 17
Slide 17 text
Introduction Secure Scala Evaluation Conclusion
Interpreting Programs — Plus
def interpret[A](key: KeyRing)(p: Crypto[A]): A =
p.resume match {
// ...
case -\/(Plus(l,r,k)) => (l,r) match {
case (lhs@PaillierEnc(_),rhs@PaillierEnc(_)) =>
interpret(key)(k(lhs + rhs))
case _ =>
val lhs = convertToPaillier(key)(l)
val rhs = convertToPaillier(key)(r)
interpret(key)(k(lhs + rhs))
}
// ...
}
def convertToPaillier: KeyRing => EncInt => PaillerEnc
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 12
Slide 18
Slide 18 text
Introduction Secure Scala Evaluation Conclusion
Interpreting Programs
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 13
Slide 19
Slide 19 text
Introduction Secure Scala Evaluation Conclusion
Free Monads — Review
write programs without caring about encryption schemes
programs are first class, interpreter used to execute them
swap interpreters adds flexibility
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 14
Slide 20
Slide 20 text
Introduction Secure Scala Evaluation Conclusion
Free Monads — Review
write programs without caring about encryption schemes
programs are first class, interpreter used to execute them
swap interpreters adds flexibility
free monads have drawbacks
no static analysis
forced sequential execution
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 14
Slide 21
Slide 21 text
Introduction Secure Scala Evaluation Conclusion
Forced Sequential Execution
7 + 7 + 7 + 7 + 7 + 7
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 15
Slide 22
Slide 22 text
Introduction Secure Scala Evaluation Conclusion
Forced Sequential Execution
7 + 7 + 7 + 7 + 7 + 7
convert operands
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 15
Slide 23
Slide 23 text
Introduction Secure Scala Evaluation Conclusion
Forced Sequential Execution
7 + 7 + 7 + 7 + 7 + 7
homomorphic property
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 15
Slide 24
Slide 24 text
Introduction Secure Scala Evaluation Conclusion
Forced Sequential Execution
7 + 7 + 7 + 7 + 7 + 7
no conversion needed, homomorphic property
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 15
Slide 25
Slide 25 text
Introduction Secure Scala Evaluation Conclusion
Forced Sequential Execution
7 + 7 + 7 + 7 + 7 + 7
convert operand, exploit homomorphic property, and so on . . .
Problem
we cannot look ahead, the continuation needs an argument
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 15
Slide 26
Slide 26 text
Introduction Secure Scala Evaluation Conclusion
Free Applicative Functors
free applicative functor are less expressive than free monads
applicative functors: “lifting” of pure functions over effectful
arguments
can not depend on effectful results (this is the essence of
(>>=)/flatMap)
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 16
Slide 27
Slide 27 text
Introduction Secure Scala Evaluation Conclusion
Free Applicative Functors
free applicative functor are less expressive than free monads
applicative functors: “lifting” of pure functions over effectful
arguments
can not depend on effectful results (this is the essence of
(>>=)/flatMap)
Why switch?
implicit parallel execution
static analysis
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 16
Slide 28
Slide 28 text
Introduction Secure Scala Evaluation Conclusion
Implicit Parallel Execution
7 + 7 + 7 + 7 + 7 + 7
convert operands in parallel
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 17
Slide 29
Slide 29 text
Introduction Secure Scala Evaluation Conclusion
Implicit Parallel Execution
7 + 7 + 7 + 7 + 7 + 7
homomorphic property
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 17
Slide 30
Slide 30 text
Introduction Secure Scala Evaluation Conclusion
Implicit Parallel Execution
7 + 7 + 7 + 7 + 7 + 7
done
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 17
Slide 31
Slide 31 text
Introduction Secure Scala Evaluation Conclusion
Implicit Parallel Execution
7 + 7 + 7 + 7 + 7 + 7
done
different to monadic version:
parallel conversion
structure of the computation is known = static analysis
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 17
Slide 32
Slide 32 text
Introduction Secure Scala Evaluation Conclusion
Static Analysis and Program Transformation
free applicative functors, inspect and transform programs
count number of different schemes
count number of conversions needed
perform conversion (might involve network) in a separate
phase
batch conversion requests for huge number of requests
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 18
Slide 33
Slide 33 text
Introduction Secure Scala Evaluation Conclusion
Combining Both Approaches
free monads: depend on previous effects
free applicative functors: implicit parallelism + static analysis
solution: use monads on the outside, applicative where
possible
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 19
Slide 34
Slide 34 text
Introduction Secure Scala Evaluation Conclusion
Combining Both Approaches
free monads: depend on previous effects
free applicative functors: implicit parallelism + static analysis
solution: use monads on the outside, applicative where
possible
different types for programs:
type Crypto[A] = FreeAp[CryptoF, A]
type CryptoM[A] = Free[Coproduct[CryptoF,Embed,?], A]
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 19
Slide 35
Slide 35 text
Introduction Secure Scala Evaluation Conclusion
Interpreter
interpreters provide two methods for the two program types
by default applicative programs can be executed like monadic
programs
we can specialize applicative interpretation
trait CryptoInterpreter[F[_]] {
def interpret[A](p: CryptoM[A]): F[A]
def interpretA[A](p: Crypto[A]): F[A] =
interpret(embed(p))
}
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 20
Slide 36
Slide 36 text
Introduction Secure Scala Evaluation Conclusion
Putting It Together
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 21
Slide 37
Slide 37 text
Introduction Secure Scala Evaluation Conclusion
Putting It Together
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 21
Slide 38
Slide 38 text
Introduction Secure Scala Evaluation Conclusion
Putting It Together
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 21
Slide 39
Slide 39 text
Introduction Secure Scala Evaluation Conclusion
Putting It Together
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 21
Slide 40
Slide 40 text
Introduction Secure Scala Evaluation Conclusion
Evaluation
Recall the goals
embedded DSL for non-domain experts
usable with libraries
practical performance
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 22
Slide 41
Slide 41 text
Introduction Secure Scala Evaluation Conclusion
Writing Programs
applicative and monad provide a lot of functionality for free
effectful mapping (traverse)
monadic folding (foldLeftM,foldRightM)
lifting functions (Applicative)
and many more (Scalaz, Cats)
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 23
Slide 42
Slide 42 text
Introduction Secure Scala Evaluation Conclusion
Embedded DSL
1 def wordCountText(input: EncString):
2 CryptoM[List[(OpeString,Int)]] =
3 input.split("""\s+""") >>= wordCount
4
5 def wordCount(input: IList[EncString]):
6 Crypto[List[(OpeString,Int)]] =
7 input.traverse(toOpeStr).
8 map(_.groupBy(identity).map(_.length).toList)
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 24
Slide 43
Slide 43 text
Introduction Secure Scala Evaluation Conclusion
CEP — License Plates
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 25
Slide 44
Slide 44 text
Introduction Secure Scala Evaluation Conclusion
CEP — License Plates
sealed trait LicensePlateEvent {
def car: EncString
def speed: EncInt
def time: Long
}
case class CarStart(...) extends LicensePlateEvent
case class CheckPoint(...) extends LicensePlateEvent
case class CarGoal(...) extends LicensePlateEvent
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 26
Slide 45
Slide 45 text
Introduction Secure Scala Evaluation Conclusion
CEP — License Plates
SELECT car AS license, number, speed
FROM CheckPoint
WHERE Interp.isTooFast(speed)
object Interp {
val keyRing: KeyRing = KeyRing.create
val interpret = LocalInterpreter(keyRing)
val speedLimit: EncInt = encrypt(keyRing)(130)
def isTooFast(s: EncInt): Boolean =
interpret(s > speedLimit)
}
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 27
Slide 46
Slide 46 text
Introduction Secure Scala Evaluation Conclusion
CEP — License Plates
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 28
Slide 47
Slide 47 text
Introduction Secure Scala Evaluation Conclusion
More Evaluation in the Paper
Microbenchmark of different interpreters
WordCount
RxScala GUI
CEP with Esper
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 29
Slide 48
Slide 48 text
Introduction Secure Scala Evaluation Conclusion
Conclusion
SecureScala: embedded DSL in Scala
write programs working over encrypted data
significant overhead, but still usable
can be used in combination with libraries
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 30
Slide 49
Slide 49 text
Introduction Secure Scala Evaluation Conclusion
Conclusion
SecureScala: embedded DSL in Scala
write programs working over encrypted data
significant overhead, but still usable
can be used in combination with libraries
Thank you for your attention
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 30
Slide 50
Slide 50 text
Introduction Secure Scala Evaluation Conclusion
Secure Scala: Scala Embedding of Secure Computations
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 31
Slide 51
Slide 51 text
Appendix
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 32
Slide 52
Slide 52 text
Interpreting Programs
def interpret[A](key: KeyRing)(p: Crypto[A]): A =
p.resume match {
case \/-(x) => x
// handle cases of base functor
}
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 33
Slide 53
Slide 53 text
Reactive Programming — RxBank
RxScala — Reactive Extensions for Scala
scenario: collection of bank accounts
events: transfer random amount of money between random
accounts
colorize in GUI based on balance
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 34
Slide 54
Slide 54 text
Reactive Programming — RxBank
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 35
Slide 55
Slide 55 text
Reactive Programming — RxBank
2.7 ts/s ≈ 6 redraws per second
Markus Hauck - SecureScala: Scala Embedding of Secure Computations 36