Scaling Secure Two-Party Computation
Anupam Datta Fall 2015
Based on work and slides from Yan Huang, David Evans, Jonathan Katz, Lior Malka
18734: Foundations of Privacy
Overview
• Describe a system for secure 2-party computation using garbled circuits that is much more scalable and significantly faster than best prior work
• Applications:
  – Face recognition: Hamming distance
  – Genomics: Edit distance, Smith-Waterman
  – Private encryption: Oblivious AES evaluation
Fairplay
Dahlia Malkhi, Noam Nisan, Benny Pinkas and Yaron Sella [USENIX Security 2004]
[Diagram: SFDL Program, SFDL Compiler, Circuit (SHDL); Alice: Garbled Tables Generator; Bob: Garbled Tables Evaluator; Garbled Tables]
Problems?
An alternative approach … would have been to apply Yao’s generic secure two-party protocol…. This would have required expressing the algorithm as a circuit … and then sending and computing that circuit. … [We] believe that the performance of our protocols is significantly better than that of applying generic protocols.
Margarita Osadchy, Benny Pinkas, Ayman Jarrous, Boaz Moskovich. SCiFI – A System for Secure Face Identification. Oakland 2010.
[Generic SFE] is very fast … but the circuit size is extremely large…. Our prototype circuit compiler can compile circuits for problems of size (200, 200) but uses almost 2 GB of memory to do so…. larger circuits would be constrained by available memory for constructing their garbled versions.
Somesh Jha, Louis Kruger, Vitaly Shmatikov. Towards Practical Privacy for Genomic Computation. Oakland 2008.
The Fallacy
The entire circuit is prepared and stored on both sides
[Diagram: the Fairplay pipeline again (SFDL Program, SFDL Compiler, Circuit (SHDL)), with the complete set of garbled tables, entries of the form $\mathrm{Enc}_{x_i, x_j}(x_k)$, held by both Alice's Garbled Tables Generator and Bob's Garbled Tables Evaluator]
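Faster Garbled Circuits
[Diagram: a Circuit-Level Application on top of the GC Framework (Generator) and the GC Framework (Evaluator); each side holds the Circuit Structure, and wire labels ($x_2^1$, $x_3^1$, $x_4^1$, $x_5^1$, $x_6^0$, $x_7^1$) appear between them]
Gates can be evaluated as they are generated: pipelining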
Benefits of Pipelining
• Allows GC to scale to circuits of arbitrary size
• Improves the time efficiency
We ran circuits with over a billion gates, at a rate of roughly 10 μs per gate.
Problems in Existing (SFDL) Compilers
Resource-demanding SFDL compilation
Many optimization opportunities are missed
It takes hours on a 40 GB memory server to compile a SFDL program that implements AES.
Circuit level: Minimize bit width; Reduce the number of non-free gates
Program level: Treat public and secret values differently
Some Results
Problem | Best Previous Result | Our Result | Speedup
Hamming Distance (Face Recognition, Genetic Dating) – two 900-bit vectors | 213 s [SCiFI, 2010] | 0.051 s | 4176x
Levenshtein Distance (genome, text comparison) – two 200-character inputs | 534 s [Jha+, 2008] | 18.4 s | 29x
Smith-Waterman (genome alignment) – two 60-nucleotide sequences | [Not Implementable] | 447 s | -
AES Encryption | 3.3 s [Henecka, 2010] | 0.2 s | 16.5x
Scalable: 1 billion gates evaluated at ≈100,000 gates/second on regular PCs
Comparisons are aligned to the same security level in the semi-honest model.
Our Results
[Figure: two bar charts comparing Fairplay, [PSSW09], TASTY and Here. Scalability: max gates (billions). Performance: non-free gates/s (x10000).]
Timing Results
[Figure: bar chart of time in seconds, best previous vs. here. Hamming distance (900 bits): 4176x faster than [SCiFI, 2010]. Edit distance (200 256-bit chars): 29x faster than [Jha+, 2008].]
Time Savings: AES
[Figure: bar chart of time in seconds for [PSSW09], TASTY and Here; 16.5x faster than [Henecka, et al. CCS 2010].]
Conclusion
• Pipelining enables garbled-circuit technique to scale to large problem sizes
• Circuit-level optimizations can dramatically reduce performance overhead
Privacy-preserving applications can run orders of magnitude faster than previously thought.
Questions?
Thanks!
Download framework and Android demo application from MightBeEvil.com
Secure Two-Party Computation
Alice | Bob
Bob’s Genome: ACTG… Markers (~1000): [0,1,…,0]
Alice’s Genome: ACTG… Markers (~1000): [0,0,…,1]
Can Alice and Bob compute a function of their private data, without exposing anything about their data besides the result?
Secure Function Evaluation
Alice (circuit generator) | Bob (circuit evaluator)
Garbled Circuit Protocol
Andrew Yao, 1986
Holds $a \in \{0,1\}^s$ | Holds $b \in \{0,1\}^t$
Yao’s Garbled Circuits
AND gate with inputs a, b and output x:
Inputs | Output
a b | x
0 0 | 0
0 1 | 0
1 0 | 0
1 1 | 1
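Computing with Meaningless Values?
AND gate with inputs ($a_0$ or $a_1$), ($b_0$ or $b_1$) and output ($x_0$ or $x_1$):
Inputs | Output
a b | x
$a_0$ $b_0$ | $x_0$
$a_0$ $b_1$ | $x_0$
$a_1$ $b_0$ | $x_0$
$a_1$ $b_1$ | $x_1$
$a_i$, $b_i$, $x_i$ are random values, chosen by the circuit generator but meaningless to the circuit evaluator.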
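Computing with Garbled Tables
AND gate with inputs ($a_0$ or $a_1$), ($b_0$ or $b_1$) and output ($x_0$ or $x_1$):
Inputs | Output
a b | x
$a_0$ $b_0$ | $\mathrm{Enc}_{a_0,b_0}(x_0)$
$a_0$ $b_1$ | $\mathrm{Enc}_{a_0,b_1}(x_0)$
$a_1$ $b_0$ | $\mathrm{Enc}_{a_1,b_0}(x_0)$
$a_1$ $b_1$ | $\mathrm{Enc}_{a_1,b_1}(x_1)$
$a_i$, $b_i$, $x_i$ are random values, chosen by the circuit generator but meaningless to the circuit evaluator.
Bob can only decrypt one of these!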
Garbled And Gate
$\mathrm{Enc}_{a_0,b_1}(x_0)$
$\mathrm{Enc}_{a_1,b_1}(x_1)$
$\mathrm{Enc}_{a_1,b_0}(x_0)$
$\mathrm{Enc}_{a_0,b_0}(x_0)$
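Chaining Garbled Circuits
Can do any computation privately this way!
[Diagram: AND($a_0$, $b_0$) outputs $x_0$; AND($a_1$, $b_1$) outputs $x_1$; OR($x_0$, $x_1$) outputs $x_2$]
And Gate 1
$\mathrm{Enc}_{a_1^0,b_1^1}(x_1^0)$
$\mathrm{Enc}_{a_1^1,b_1^1}(x_1^1)$
$\mathrm{Enc}_{a_1^1,b_1^0}(x_1^0)$
$\mathrm{Enc}_{a_1^0,b_1^0}(x_1^0)$
Or Gate 2
$\mathrm{Enc}_{x_0^0,x_1^1}(x_2^1)$
$\mathrm{Enc}_{x_0^1,x_1^1}(x_2^1)$
$\mathrm{Enc}_{x_0^1,x_1^0}(x_2^1)$
$\mathrm{Enc}_{x_0^0,x_1^0}(x_2^0)$
…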
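An added sketch (not code from the Java framework described in these slides) of the garbled-table and chaining slides above combined with the pipelining idea from "Faster Garbled Circuits": the generator yields one shuffled table per gate and the evaluator consumes it immediately. The names `enc`, `garble`, `evaluate` and `run`, the SHA-256 pad and the zero-byte tag are assumptions of this sketch; the oblivious transfer of the evaluator's input labels is omitted.

```python
import hashlib, os, random

K = 16            # wire-label length in bytes
TAG = bytes(8)    # zero padding that marks the one row the evaluator can open
OPS = {"AND": lambda a, b: a & b, "OR": lambda a, b: a | b}

def enc(ka, kb, gate, msg):
    # Enc_{ka,kb}(msg) as an XOR with a hash-derived pad (this sketch's choice);
    # because it is an XOR, the same call also decrypts.
    pad = hashlib.sha256(ka + kb + bytes([gate])).digest()[:len(msg)]
    return bytes(m ^ p for m, p in zip(msg, pad))

def new_wire():
    return (os.urandom(K), os.urandom(K))   # random labels for value 0 and value 1

def garble(circuit, labels):
    """Generator side: lazily yield one shuffled garbled table per gate."""
    for gate, (op, a, b, out) in enumerate(circuit):
        labels[out] = new_wire()
        rows = [enc(labels[a][i], labels[b][j], gate, labels[out][OPS[op](i, j)] + TAG)
                for i in (0, 1) for j in (0, 1)]
        random.shuffle(rows)                # hide which row belongs to which inputs
        yield rows

def evaluate(circuit, tables, active):
    """Evaluator side: holds one label per wire, uses each table as it arrives."""
    for gate, ((_, a, b, out), rows) in enumerate(zip(circuit, tables)):
        for row in rows:
            plain = enc(active[a], active[b], gate, row)
            if plain.endswith(TAG):         # only the matching row decrypts cleanly
                active[out] = plain[:K]
                break
    return active

# Circuit from the chaining slide: x2 = (a0 AND b0) OR (a1 AND b1)
CIRCUIT = [("AND", "a0", "b0", "x0"), ("AND", "a1", "b1", "x1"),
           ("OR", "x0", "x1", "x2")]

def run(bits):
    labels = {w: new_wire() for w in bits}  # generator's secret label pairs
    # The real protocol delivers the evaluator's own input labels by oblivious
    # transfer; this sketch hands them over directly.
    active = {w: labels[w][v] for w, v in bits.items()}
    active = evaluate(CIRCUIT, garble(CIRCUIT, labels), active)
    return labels["x2"].index(active["x2"])  # generator decodes the output label
```

Because `garble` is a Python generator, no table exists before the evaluator asks for it, so neither side ever stores the whole garbled circuit.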
Threat Model
Semi-Honest (Honest-but-Curious) Adversary
Adversary follows the protocol as specified (!), but tries to learn more from the protocol execution transcript
May be good enough for some scenarios
We are working on efficient solutions for malicious adversaries
Circuit Optimization – Edit Distance
for (int i = 1; i < a.length; ++i)
    for (int j = 1; j < b.length; ++j) {
        T = (a[i] == b[j]) ? 0 : 1;
        D[i][j] = min(D[i-1][j]+1, D[i][j-1]+1, D[i-1][j-1] + T);
    }
[Circuit diagram 1: inputs D[i-1][j], D[i][j-1], D[i-1][j-1], T and the constant 1 (twice); components AddOneBit (x3), 2-Min (x2); output D[i][j]]
[Circuit diagram 2: inputs D[i-1][j], D[i][j-1], D[i-1][j-1], T and the constant 1; components AddOneBit (x2), 2-Min (x2); output D[i][j]]
[Circuit diagram 3: inputs D[i-1][j], D[i][j-1], D[i-1][j-1], T and the constant 1; components AddOneBit, Mux, 2-Min (x2); output D[i][j]]
Saves about 28% of gates
Circuit Library
Through custom circuit design and the use of optimal circuit components, we strive to minimize the number of non-free gates
V. Kolesnikov and T. Schneider. Improved Garbled Circuit: Free XOR Gates and Applications. (ICALP), 2008.
[Circuit diagram: AddOneBit, 2-Min, Mux, T, 2-Min, constant 1]
Ease of Use
• Our framework assumes no expert knowledge of cryptography
• Need basic ideas of Boolean circuits
• Circuit designs converted directly to Java programs
[Diagram: a Traditional Java Application with three Critical Components, mapped to a Library Circuit, a Custom Circuit and a Library Circuit, plus the Rest of the Java Program; Java code is compiled with javac into a Circuit Generator and a Circuit Evaluator; Use the Framework]
Example: AES SBox
Leveraging an existing ASIC design for AES allows us to reduce the state-of-the-art AES circuit by 30% of non-free gates, compared to [PSSW09] and [HKSSW10]
Wolkerstorfer, et al. An ASIC Implementation of the AES S-boxes. RSA-CT 2002.