Slide 1

Slide 1 text

Introduction Secure Scala Evaluation Conclusion SecureScala: Scala Embedding of Secure Computations Markus Hauck 1 Savvas Savvides 2 Patrick Eugster 2 Mira Mezini 3 Guido Salvaneschi3 1codecentric AG 2Purdue University 3TU Darmstadt October 30, 2016 Markus Hauck - SecureScala: Scala Embedding of Secure Computations 1

Slide 2

Slide 2 text

Introduction Secure Scala Evaluation Conclusion The Current Situation cloud computing offers cheap processing power we have more data available than ever Markus Hauck - SecureScala: Scala Embedding of Secure Computations 2

Slide 3

Slide 3 text

Introduction Secure Scala Evaluation Conclusion The Current Situation cloud computing offers cheap processing power we have more data available than ever but what about sensitive data? Markus Hauck - SecureScala: Scala Embedding of Secure Computations 2

Slide 4

Slide 4 text

Introduction Secure Scala Evaluation Conclusion A Possible Solution use encryption? decrypt for computation = danger of leak need to compute over encrypted data: secure function evaluation using garbled circuits Markus Hauck - SecureScala: Scala Embedding of Secure Computations 3

Slide 5

Slide 5 text

Introduction Secure Scala Evaluation Conclusion A Possible Solution use encryption? decrypt for computation = danger of leak need to compute over encrypted data: secure function evaluation using garbled circuits Homomorphic Encryption Schemes fully homomorphic (FHE) partial homomorphic (PHE) Markus Hauck - SecureScala: Scala Embedding of Secure Computations 3

Slide 6

Slide 6 text

Introduction Secure Scala Evaluation Conclusion Homomorphic Encryption Schemes perform operation on cipher text without decryption fully homomorphic encryption schemes support at least multiplication and addition far too expensive for practical use partial homomorphic encryption schemes in most cases support only one operation collection of schemes for multiple operations significant overhead but usable in practice Markus Hauck - SecureScala: Scala Embedding of Secure Computations 4

Slide 7

Slide 7 text

Introduction Secure Scala Evaluation Conclusion Contribution What currently: special purpose / external DSL goal: use general purpose language Markus Hauck - SecureScala: Scala Embedding of Secure Computations 5

Slide 8

Slide 8 text

Introduction Secure Scala Evaluation Conclusion Contribution What currently: special purpose / external DSL goal: use general purpose language How implement embedded DSL in Scala user: no cryptographic knowledge external libraries! Markus Hauck - SecureScala: Scala Embedding of Secure Computations 5

Slide 9

Slide 9 text

Introduction Secure Scala Evaluation Conclusion A First Approach use an ADT to encode encrypted integers sealed trait EncInt case class PaillierEnc(...) extends EncInt // addition case class ElGamalEnc(...) extends EncInt // multiplication case class AesEnc(...) extends EncInt // equality case class OpeEnc(...) extends EncInt // ordering Markus Hauck - SecureScala: Scala Embedding of Secure Computations 6

Slide 10

Slide 10 text

Introduction Secure Scala Evaluation Conclusion Defining Addition Naively def add(lhs: EncInt, rhs: EncInt): EncInt = (lhs,rhs) match { case (x@PaillierEnc(...),y@PaillierEnc(...)) => x + y case (_,_) => convert(lhs) + convert(rhs) } both operands encrypted under same scheme = easy just use homomorphic property of Paillier different schemes? We need to convert conversion = decryption + encryption Markus Hauck - SecureScala: Scala Embedding of Secure Computations 7

Slide 11

Slide 11 text

Introduction Secure Scala Evaluation Conclusion Defining Addition Naively def add(lhs: EncInt, rhs: EncInt): EncInt = (lhs,rhs) match { case (x@PaillierEnc(...),y@PaillierEnc(...)) => x + y case (_,_) => convert(lhs) + convert(rhs) } both operands encrypted under same scheme = easy just use homomorphic property of Paillier different schemes? We need to convert conversion = decryption + encryption decryption in the cloud? Markus Hauck - SecureScala: Scala Embedding of Secure Computations 7

Slide 12

Slide 12 text

Introduction Secure Scala Evaluation Conclusion Defining Addition Naively def add(lhs: EncInt, rhs: EncInt): EncInt = (lhs,rhs) match { case (x@PaillierEnc(...),y@PaillierEnc(...)) => x + y case (_,_) => convert(lhs) + convert(rhs) } both operands encrypted under same scheme = easy just use homomorphic property of Paillier different schemes? We need to convert conversion = decryption + encryption decryption in the cloud? bad! Markus Hauck - SecureScala: Scala Embedding of Secure Computations 7

Slide 13

Slide 13 text

Introduction Secure Scala Evaluation Conclusion Roadmap Idea: write an embedded DSL Free Monad Free Applicative Both Markus Hauck - SecureScala: Scala Embedding of Secure Computations 8

Slide 14

Slide 14 text

Introduction Secure Scala Evaluation Conclusion Free Monads popular technique in Haskell for DSLs define base functor for operations get a monad for free to sequence them programs are first class, write interpreter Markus Hauck - SecureScala: Scala Embedding of Secure Computations 9

Slide 15

Slide 15 text

Introduction Secure Scala Evaluation Conclusion Define Base Functor for Operations sealed trait CryptoF[+K] case class Plus[K]( lhs: EncInt, rhs: EncInt, k: PaillierEnc => K ) extends CryptoF[K] def plus(lhs: EncInt, rhs: EncInt) = Free.lift(Plus(lhs,rhs,identity)) type Crypto[A] = Free[CryptoF,A] define infix operators: +,*,. . . Markus Hauck - SecureScala: Scala Embedding of Secure Computations 10

Slide 16

Slide 16 text

Introduction Secure Scala Evaluation Conclusion Writing Programs can use monadic combinators (for free) 1 // 20 * 2 + 2 2 val program: Crypto[EncInt] = for { 3 x1 <- EncInt(20) * EncInt(2) // or mult(20,2) 4 x2 <- x1 + EncInt(2) // or plus(x1,2) 5 } yield x2 6 7 // monadic left fold from Scalaz 8 def sumList(z: EncInt)(xs: List[EncInt]) = 9 xs.foldLeftM(z)(_+_) Markus Hauck - SecureScala: Scala Embedding of Secure Computations 11

Slide 17

Slide 17 text

Introduction Secure Scala Evaluation Conclusion Interpreting Programs — Plus def interpret[A](key: KeyRing)(p: Crypto[A]): A = p.resume match { // ... case -\/(Plus(l,r,k)) => (l,r) match { case (lhs@PaillierEnc(_),rhs@PaillierEnc(_)) => interpret(key)(k(lhs + rhs)) case _ => val lhs = convertToPaillier(key)(l) val rhs = convertToPaillier(key)(r) interpret(key)(k(lhs + rhs)) } // ... } def convertToPaillier: KeyRing => EncInt => PaillerEnc Markus Hauck - SecureScala: Scala Embedding of Secure Computations 12

Slide 18

Slide 18 text

Introduction Secure Scala Evaluation Conclusion Interpreting Programs Markus Hauck - SecureScala: Scala Embedding of Secure Computations 13

Slide 19

Slide 19 text

Introduction Secure Scala Evaluation Conclusion Free Monads — Review write programs without caring about encryption schemes programs are first class, interpreter used to execute them swap interpreters adds flexibility Markus Hauck - SecureScala: Scala Embedding of Secure Computations 14

Slide 20

Slide 20 text

Introduction Secure Scala Evaluation Conclusion Free Monads — Review write programs without caring about encryption schemes programs are first class, interpreter used to execute them swap interpreters adds flexibility free monads have drawbacks no static analysis forced sequential execution Markus Hauck - SecureScala: Scala Embedding of Secure Computations 14

Slide 21

Slide 21 text

Introduction Secure Scala Evaluation Conclusion Forced Sequential Execution 7 + 7 + 7 + 7 + 7 + 7 Markus Hauck - SecureScala: Scala Embedding of Secure Computations 15

Slide 22

Slide 22 text

Introduction Secure Scala Evaluation Conclusion Forced Sequential Execution 7 + 7 + 7 + 7 + 7 + 7 convert operands Markus Hauck - SecureScala: Scala Embedding of Secure Computations 15

Slide 23

Slide 23 text

Introduction Secure Scala Evaluation Conclusion Forced Sequential Execution 7 + 7 + 7 + 7 + 7 + 7 homomorphic property Markus Hauck - SecureScala: Scala Embedding of Secure Computations 15

Slide 24

Slide 24 text

Introduction Secure Scala Evaluation Conclusion Forced Sequential Execution 7 + 7 + 7 + 7 + 7 + 7 no conversion needed, homomorphic property Markus Hauck - SecureScala: Scala Embedding of Secure Computations 15

Slide 25

Slide 25 text

Introduction Secure Scala Evaluation Conclusion Forced Sequential Execution 7 + 7 + 7 + 7 + 7 + 7 convert operand, exploit homomorphic property, and so on . . . Problem we cannot look ahead, the continuation needs an argument Markus Hauck - SecureScala: Scala Embedding of Secure Computations 15

Slide 26

Slide 26 text

Introduction Secure Scala Evaluation Conclusion Free Applicative Functors free applicative functor are less expressive than free monads applicative functors: “lifting” of pure functions over effectful arguments can not depend on effectful results (this is the essence of (>>=)/flatMap) Markus Hauck - SecureScala: Scala Embedding of Secure Computations 16

Slide 27

Slide 27 text

Introduction Secure Scala Evaluation Conclusion Free Applicative Functors free applicative functor are less expressive than free monads applicative functors: “lifting” of pure functions over effectful arguments can not depend on effectful results (this is the essence of (>>=)/flatMap) Why switch? implicit parallel execution static analysis Markus Hauck - SecureScala: Scala Embedding of Secure Computations 16

Slide 28

Slide 28 text

Introduction Secure Scala Evaluation Conclusion Implicit Parallel Execution 7 + 7 + 7 + 7 + 7 + 7 convert operands in parallel Markus Hauck - SecureScala: Scala Embedding of Secure Computations 17

Slide 29

Slide 29 text

Introduction Secure Scala Evaluation Conclusion Implicit Parallel Execution 7 + 7 + 7 + 7 + 7 + 7 homomorphic property Markus Hauck - SecureScala: Scala Embedding of Secure Computations 17

Slide 30

Slide 30 text

Introduction Secure Scala Evaluation Conclusion Implicit Parallel Execution 7 + 7 + 7 + 7 + 7 + 7 done Markus Hauck - SecureScala: Scala Embedding of Secure Computations 17

Slide 31

Slide 31 text

Introduction Secure Scala Evaluation Conclusion Implicit Parallel Execution 7 + 7 + 7 + 7 + 7 + 7 done different to monadic version: parallel conversion structure of the computation is known = static analysis Markus Hauck - SecureScala: Scala Embedding of Secure Computations 17

Slide 32

Slide 32 text

Introduction Secure Scala Evaluation Conclusion Static Analysis and Program Transformation free applicative functors, inspect and transform programs count number of different schemes count number of conversions needed perform conversion (might involve network) in a separate phase batch conversion requests for huge number of requests Markus Hauck - SecureScala: Scala Embedding of Secure Computations 18

Slide 33

Slide 33 text

Introduction Secure Scala Evaluation Conclusion Combining Both Approaches free monads: depend on previous effects free applicative functors: implicit parallelism + static analysis solution: use monads on the outside, applicative where possible Markus Hauck - SecureScala: Scala Embedding of Secure Computations 19

Slide 34

Slide 34 text

Introduction Secure Scala Evaluation Conclusion Combining Both Approaches free monads: depend on previous effects free applicative functors: implicit parallelism + static analysis solution: use monads on the outside, applicative where possible different types for programs: type Crypto[A] = FreeAp[CryptoF, A] type CryptoM[A] = Free[Coproduct[CryptoF,Embed,?], A] Markus Hauck - SecureScala: Scala Embedding of Secure Computations 19

Slide 35

Slide 35 text

Introduction Secure Scala Evaluation Conclusion Interpreter interpreters provide two methods for the two program types by default applicative programs can be executed like monadic programs we can specialize applicative interpretation trait CryptoInterpreter[F[_]] { def interpret[A](p: CryptoM[A]): F[A] def interpretA[A](p: Crypto[A]): F[A] = interpret(embed(p)) } Markus Hauck - SecureScala: Scala Embedding of Secure Computations 20

Slide 36

Slide 36 text

Introduction Secure Scala Evaluation Conclusion Putting It Together Markus Hauck - SecureScala: Scala Embedding of Secure Computations 21

Slide 37

Slide 37 text

Introduction Secure Scala Evaluation Conclusion Putting It Together Markus Hauck - SecureScala: Scala Embedding of Secure Computations 21

Slide 38

Slide 38 text

Introduction Secure Scala Evaluation Conclusion Putting It Together Markus Hauck - SecureScala: Scala Embedding of Secure Computations 21

Slide 39

Slide 39 text

Introduction Secure Scala Evaluation Conclusion Putting It Together Markus Hauck - SecureScala: Scala Embedding of Secure Computations 21

Slide 40

Slide 40 text

Introduction Secure Scala Evaluation Conclusion Evaluation Recall the goals embedded DSL for non-domain experts usable with libraries practical performance Markus Hauck - SecureScala: Scala Embedding of Secure Computations 22

Slide 41

Slide 41 text

Introduction Secure Scala Evaluation Conclusion Writing Programs applicative and monad provide a lot of functionality for free effectful mapping (traverse) monadic folding (foldLeftM,foldRightM) lifting functions (Applicative) and many more (Scalaz, Cats) Markus Hauck - SecureScala: Scala Embedding of Secure Computations 23

Slide 42

Slide 42 text

Introduction Secure Scala Evaluation Conclusion Embedded DSL 1 def wordCountText(input: EncString): 2 CryptoM[List[(OpeString,Int)]] = 3 input.split("""\s+""") >>= wordCount 4 5 def wordCount(input: IList[EncString]): 6 Crypto[List[(OpeString,Int)]] = 7 input.traverse(toOpeStr). 8 map(_.groupBy(identity).map(_.length).toList) Markus Hauck - SecureScala: Scala Embedding of Secure Computations 24

Slide 43

Slide 43 text

Introduction Secure Scala Evaluation Conclusion CEP — License Plates Markus Hauck - SecureScala: Scala Embedding of Secure Computations 25

Slide 44

Slide 44 text

Introduction Secure Scala Evaluation Conclusion CEP — License Plates sealed trait LicensePlateEvent { def car: EncString def speed: EncInt def time: Long } case class CarStart(...) extends LicensePlateEvent case class CheckPoint(...) extends LicensePlateEvent case class CarGoal(...) extends LicensePlateEvent Markus Hauck - SecureScala: Scala Embedding of Secure Computations 26

Slide 45

Slide 45 text

Introduction Secure Scala Evaluation Conclusion CEP — License Plates SELECT car AS license, number, speed FROM CheckPoint WHERE Interp.isTooFast(speed) object Interp { val keyRing: KeyRing = KeyRing.create val interpret = LocalInterpreter(keyRing) val speedLimit: EncInt = encrypt(keyRing)(130) def isTooFast(s: EncInt): Boolean = interpret(s > speedLimit) } Markus Hauck - SecureScala: Scala Embedding of Secure Computations 27

Slide 46

Slide 46 text

Introduction Secure Scala Evaluation Conclusion CEP — License Plates Markus Hauck - SecureScala: Scala Embedding of Secure Computations 28

Slide 47

Slide 47 text

Introduction Secure Scala Evaluation Conclusion More Evaluation in the Paper Microbenchmark of different interpreters WordCount RxScala GUI CEP with Esper Markus Hauck - SecureScala: Scala Embedding of Secure Computations 29

Slide 48

Slide 48 text

Introduction Secure Scala Evaluation Conclusion Conclusion SecureScala: embedded DSL in Scala write programs working over encrypted data significant overhead, but still usable can be used in combination with libraries Markus Hauck - SecureScala: Scala Embedding of Secure Computations 30

Slide 49

Slide 49 text

Introduction Secure Scala Evaluation Conclusion Conclusion SecureScala: embedded DSL in Scala write programs working over encrypted data significant overhead, but still usable can be used in combination with libraries Thank you for your attention Markus Hauck - SecureScala: Scala Embedding of Secure Computations 30

Slide 50

Slide 50 text

Introduction Secure Scala Evaluation Conclusion Secure Scala: Scala Embedding of Secure Computations Markus Hauck - SecureScala: Scala Embedding of Secure Computations 31

Slide 51

Slide 51 text

Appendix Markus Hauck - SecureScala: Scala Embedding of Secure Computations 32

Slide 52

Slide 52 text

Interpreting Programs def interpret[A](key: KeyRing)(p: Crypto[A]): A = p.resume match { case \/-(x) => x // handle cases of base functor } Markus Hauck - SecureScala: Scala Embedding of Secure Computations 33

Slide 53

Slide 53 text

Reactive Programming — RxBank RxScala — Reactive Extensions for Scala scenario: collection of bank accounts events: transfer random amount of money between random accounts colorize in GUI based on balance Markus Hauck - SecureScala: Scala Embedding of Secure Computations 34

Slide 54

Slide 54 text

Reactive Programming — RxBank Markus Hauck - SecureScala: Scala Embedding of Secure Computations 35

Slide 55

Slide 55 text

Reactive Programming — RxBank 2.7 ts/s ≈ 6 redraws per second Markus Hauck - SecureScala: Scala Embedding of Secure Computations 36