Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation
Practical Cryptographic Secure Computation
description
Transcript of Practical Cryptographic Secure Computation
![Page 1: Practical Cryptographic Secure Computation](https://reader035.fdocuments.in/reader035/viewer/2022062501/568160c3550346895dcfed73/html5/thumbnails/1.jpg)
1
PracticalCryptographic
Secure Computation
David EvansUniversity of Virginiahttp://www.cs.virginia.edu/evanshttp://www.MightBeEvil.com
DHOSA MURI PIs MeetingBerkeley, CA28 April 2011
![Page 2: Practical Cryptographic Secure Computation](https://reader035.fdocuments.in/reader035/viewer/2022062501/568160c3550346895dcfed73/html5/thumbnails/2.jpg)
TRANSFORMATION
HARDWARE SYSTEM ARCHITECTURES
SVA
Binary translation and
emulation
Formal methods
Hardware support for isolation
Dealing with malicious hardware
Cryptographic secure
computation
Data-centric security
Secure browser appliance
Secure servers
WEB-BASED ARCHITECTURES
e.g., Enforce properties on a malicious OS
e.g., Prevent dataexfiltration
e.g., Enable complex distributed systems, with resilience to hostile OS’s
![Page 3: Practical Cryptographic Secure Computation](https://reader035.fdocuments.in/reader035/viewer/2022062501/568160c3550346895dcfed73/html5/thumbnails/3.jpg)
3
Secure Two-Party Computation
AliceBob
Bob’s Genome: ACTG…Markers (~1000): [0,1, …, 0]
Alice’s Genome: ACTG…Markers (~1000): [0, 0, …, 1]
Can Alice and Bob compute a function of their private data, without exposing anything about their data besides the result?
![Page 4: Practical Cryptographic Secure Computation](https://reader035.fdocuments.in/reader035/viewer/2022062501/568160c3550346895dcfed73/html5/thumbnails/4.jpg)
Secure Function EvaluationAlice (circuit generator) Bob (circuit evaluator)
Garbled Circuit Protocol
Andrew Yao, 1982/1986
![Page 5: Practical Cryptographic Secure Computation](https://reader035.fdocuments.in/reader035/viewer/2022062501/568160c3550346895dcfed73/html5/thumbnails/5.jpg)
Yao’s Garbled CircuitsInputs Output
a b x0 0 00 1 01 0 01 1 1
AND
a b
x
![Page 6: Practical Cryptographic Secure Computation](https://reader035.fdocuments.in/reader035/viewer/2022062501/568160c3550346895dcfed73/html5/thumbnails/6.jpg)
Computing with Meaningless Values?Inputs Output
a b xa0 b0 x0
a0 b1 x0
a1 b0 x0
a1 b1 x1
AND
a0 or a1 b0 or b1
x0 or x1
ai, bi, xi are random values, chosen by the circuit generator but meaningless to the circuit evaluator.
![Page 7: Practical Cryptographic Secure Computation](https://reader035.fdocuments.in/reader035/viewer/2022062501/568160c3550346895dcfed73/html5/thumbnails/7.jpg)
Computing with Garbled TablesInputs Output
a b xa0 b0 Enca0,b0(x0)a0 b1 Enca0,b1(x0)a1 b0 Enca1,b0(x0)a1 b1 Enca1,b1(x1)
AND
a0 or a1 b0 or b1
x0 or x1
ai, bi, xi are random values, chosen by the circuit generator but meaningless to the circuit evaluator.
Bob can only decrypt one of these!
Garbled And Gate
Enca0, b1(x0)Enca1,b1(x1)Enca1,b0(x0)Enca0,b0(x0)
![Page 8: Practical Cryptographic Secure Computation](https://reader035.fdocuments.in/reader035/viewer/2022062501/568160c3550346895dcfed73/html5/thumbnails/8.jpg)
8
Chaining Garbled Circuits
AND
a0 b0
x0
AND
a1 b1
x1
ORx2
And Gate 1
Enca10, b11(x10)Enca11,b11(x11)Enca11,b10(x10)Enca10,b10(x10)
Or Gate 2
Encx00, x11(x21)Encx01,x11(x21)Encx01,x10(x21)Encx00,x10(x20) …
We can do any computation privately this way!
![Page 9: Practical Cryptographic Secure Computation](https://reader035.fdocuments.in/reader035/viewer/2022062501/568160c3550346895dcfed73/html5/thumbnails/9.jpg)
9
Fairplay
Dahlia Malkhi, Noam Nisan, Benny Pinkas and Yaron Sella [USENIX Sec 2004]
SFDL Program
SFDL Compiler
Circuit (SHDL)
Alice Bob
Garbled Tables Generator
Garbled Tables Evaluator
SFDL Compiler
![Page 10: Practical Cryptographic Secure Computation](https://reader035.fdocuments.in/reader035/viewer/2022062501/568160c3550346895dcfed73/html5/thumbnails/10.jpg)
10
Encx00,
x11(x21)Encx01,x11(x2
1)Encx01,x10(x2
1)
Encx20,
x21(x30)Encx21,x21(x3
0)Encx21,x20(x3
1)
Encx20,
x31(x41)Encx21,x31(x4
1)Encx21,x30(x4
0)
Encx40,
x31(x51)Encx41,x31(x5
0)Encx41,x30(x5
0)
Encx40,
x51(x61)Encx41,x51(x6
0)Encx41,x50(x6
0)
Encx30,
x61(x71)Encx31,x61(x7
0)Encx31,x60(x7
1)
Our Approach: Faster Garbled CircuitsCircuit-Level Application
GC Framework(Evaluator)
GC Framework (Generator)
Circuit StructureCircuit Structure
x41
x21x31
x60
x51
x71
Gates can be evaluated as they are generated: pipeliningGates can be evaluated in any topological sort order: parallelizing
Garbled evaluation can be combined with normal execution
![Page 11: Practical Cryptographic Secure Computation](https://reader035.fdocuments.in/reader035/viewer/2022062501/568160c3550346895dcfed73/html5/thumbnails/11.jpg)
11
ApplicationsPrivacy-Preserving
Biometric Matching
Private Personal
Genomics
Private Set Intersection
Private AES Encryption
![Page 12: Practical Cryptographic Secure Computation](https://reader035.fdocuments.in/reader035/viewer/2022062501/568160c3550346895dcfed73/html5/thumbnails/12.jpg)
12
Private Set Intersection
• Do Alice and Bob have any contacts in common?
• Two countries want to compare their miscreant lists
• Identify common medical records across hospitals
• Two companies want to do joint marketing to common customers
![Page 13: Practical Cryptographic Secure Computation](https://reader035.fdocuments.in/reader035/viewer/2022062501/568160c3550346895dcfed73/html5/thumbnails/13.jpg)
13
Sort-Compare-Shuffl
e
Sort: Take advantage of total order of elements
Compare adjacent elements
Shuffle to hide positions
![Page 14: Practical Cryptographic Secure Computation](https://reader035.fdocuments.in/reader035/viewer/2022062501/568160c3550346895dcfed73/html5/thumbnails/14.jpg)
14
Private Set Intersection Protocol
FreeGates to generate and evaluate
Bitonic Sorting Circuit
Waksman Permutation Network
![Page 15: Practical Cryptographic Secure Computation](https://reader035.fdocuments.in/reader035/viewer/2022062501/568160c3550346895dcfed73/html5/thumbnails/15.jpg)
15
Private Set Intersection Results
128 256 512 1024 2048 4096 81920
20
40
60
80
100
120
140
Seco
nds
Set Size (each set)
32-bit values
![Page 16: Practical Cryptographic Secure Computation](https://reader035.fdocuments.in/reader035/viewer/2022062501/568160c3550346895dcfed73/html5/thumbnails/16.jpg)
16
Some Other ResultsProblem Best Previous Result Our Result Speedup
Hamming Distance (Face Recognition) – 900-bit vectors
213s [SCiFI, 2010]
0.051s 4176
Levenshtein Distance (genome, text comparison) – two 200-character inputs
534s [Jha+, 2008]
18.4s 29
Smith-Waterman (genome alignment) – two 60-nucleotide sequences
[Not Implementable] 447s -
AES Encryption 3.3s [Henecka, 2010]
0.2s 16.5
Fingerprint Matching (1024-entry database, 640x8bit vectors)
~83s [Barni, 2010]
18s 4.6
Scalable: 1 Billion gates evaluated at ~100,000 gates/second on laptop
NDS
S 20
11U
SEN
IX S
ecur
ity 2
011
![Page 17: Practical Cryptographic Secure Computation](https://reader035.fdocuments.in/reader035/viewer/2022062501/568160c3550346895dcfed73/html5/thumbnails/17.jpg)
17
David [email protected]://www.cs.virginia.edu/evans
CollaboratorsYan Huang (UVa PhD Student), Yikan Chen (UVa PhD Student),Samee Zahur (UVa MS Student),Peter Chapman (UVa BACS Student)Jonathan Katz (University of Maryland)Aaron Mackey (UVa Public Health Genomics)