Presentation is loading. Please wait.

Presentation is loading. Please wait.

Practical and Deployable Secure Multi-Party Computation Debayan Gupta Yale University May 11, 2016 Jai Dadabhai.

Published byPatrick Williamson Modified over 7 years ago

Similar presentations

Presentation on theme: "Practical and Deployable Secure Multi-Party Computation Debayan Gupta Yale University May 11, 2016 Jai Dadabhai."— Presentation transcript:

1 Practical and Deployable Secure Multi-Party Computation Debayan Gupta Yale University May 11, 2016 Jai Dadabhai

2 The Apparent Paradox of Modern Cryptography Intuitive ideas of secrecy -Encrypted data are safe; but they appear to be unusable If people have secrets, and want to do a joint computation -They can use a trusted third party Modern cryptography -You may not have to decrypt -There may not need to be a trusted third party 2

3 Secure Multi-Party Computation (SMPC) Have your cake and eat it too Secret inputs; joint computation of desired output (Yao82) SMPC or Secure Function Evaluation (SFE) State of the art -2P-SFE: Currently fast enough for many applications -SMPC: Fast enough in some cases -Fully Homomorphic Encryption: Slow, but improving 3

4 Talk Outline Example: Privacy-preserving Proximity PartialGC (ACM CCS'14*) -With Benjamin Mood, Kevin Butler, and Joan Feigenbaum Other work on practical, secure computation -SMPC: Overview and challenges -Frigate, SGX, Systematization Deploying SMPC Ongoing and future work 4 *Expanded version: http://arxiv.org/abs/1506.02954http://arxiv.org/abs/1506.02954

5 Talk Outline →Example: Privacy-preserving Proximity PartialGC (ACM CCS'14*) -With Benjamin Mood, Kevin Butler, and Joan Feigenbaum Other work on practical, secure computation -SMPC: Overview and challenges -Frigate, SGX, Systematization Deploying SMPC Ongoing and future work 5 *Expanded version: http://arxiv.org/abs/1506.02954http://arxiv.org/abs/1506.02954

6 Privacy-Preserving Proximity 2 parties -They want to know whether they are within 1 mile of each other -Locations are private Classic 2P-SFE problem (garbled circuits, Yao82) -Every pair needs to start from scratch -Basic GC is still not efficient enough for mobile devices Could use a trusted cloud server -Location is kept private from other party but is known to server 6 SFE Are the locations within 1 mile of one another? AliceBob 2. Location-21. Location-1 3. Result 4. Result Cloud Server

7 Proximity using PartialGC We want the advantages of a cloud server -But the privacy guarantees of SFE -Location data remain private from each other and cloud PartialGC is a garbled-circuit based, general method for fully privacy-preserving server-aided computation 7 Alice Cloud Server SFE Bob SFE

8 Overview of PartialGC Garbled circuits Cut-and-choose for GCs secure against malicious adversaries Partial garbled circuits -Break a large garbled circuit into smaller sub-circuits -Encrypted outputs of one GC become inputs to the next -No intermediate decryption To achieve this, we need novel circuit-generation and cut-and-choose techniques 8

9 Garbled Circuits 2 parties Private inputs; outputs may be private or public Public function represented as a Boolean circuit The generator creates and encrypts (or “garbles”) the circuit The evaluator evaluates the garbled circuit -Gate by gate -Online: Evaluation involves interaction with the generator 9

10 Generating a Garbled Circuit 10 AND OR AND ABC 00c0c0 01c1c1 10c2c2 11c3c3 Generator creates 4 keys, one each for A=0, A=1, B=0, and B=1 ABC 00E(A0.B0, c 0 ) 01E(A0.B1, c 1 ) 10E(A1.B0, c 2 ) 11E(A1.B1, c 3 ) Permute E(A1.B1, c 3 ) E(A1.B0, c 2 ) E(A0.B0, c 0 ) E(A0.B1, c 1 ) This is sent to the evaluator

11 Evaluating a Garbled Circuit 11 Received E(A#.B#, c # ) Generator sends A0 if its input is 0 or A1, if its input is 1 Gen-input E(A0.B#, c # ) B0 Evaluator’s input B1 This should be B0 if the evaluator’s input was 0, and B1 if it was 1 Plug in B0 (e.g.) Eval-input E(A0.B0, c # ) Eval-input E(A0.B0, c # ) Value of C for one row of the table How do we do this? Oblivious Transfer

12 Cut-and-Choose How can we defend against malicious adversaries? -Many copies of the circuit -Check some circuits, evaluate the rest normally -Final result is majority output Malicious evaluator: sign output within the circuit -Does not guarantee fair release 12 Generator creates Boolean circuit from program Generator builds many different garbled versions of this circuit All circuits are sent to the evaluator Evaluator randomly selects some circuits as “check” Generator sends all keys (A0,A1,B0,B1) for that circuit to the evaluator

13 Talk Outline Example: Privacy-preserving Proximity →PartialGC (ACM CCS'14*) -With Benjamin Mood, Kevin Butler, and Joan Feigenbaum Other work on practical, secure computation -SMPC: Overview and challenges -Frigate, SGX, Systematization Deploying SMPC Ongoing and future work 13 *Expanded version: http://arxiv.org/abs/1506.02954http://arxiv.org/abs/1506.02954

14 Partial Garbled Circuits We need to take encrypted output from one GC -And feed it as input into another GC -Different evaluator Trivial if we have a trusted third party -Take the encrypted output from GC 1, decrypt -Re-encrypt with new keys, and send as input to GC 2 But we have a way to jointly compute a function without requiring a trusted third party – garbled circuits! 14 GC 1 GC 2 Transform Trusted Third Party

15 Transformation Augment circuits with an extra layer of input gates These are 1-input gates, attached to each input bit Output from this gate is a valid input for the new circuit -Same idea as normal garbled circuits -One nonce per sub-circuit copy -More variants available in thesis 15 GATE Output-0 Output-1 nonce = random(), group_enc(info) Transform-0 = hash( Output-0. nonce ) XOR Input-0 Transform-1 = hash( Output-1. nonce ) XOR Input-1 GATE Input-0 Input-1 Send to Evaluator Gets Output-X from info Input-X = hash( Output-X. nonce ) XOR Transform-X hash(…) XOR Input-X XOR hash(...) = Input-X

16 Cut-and-Choose Complications Standard cut-and-choose -Each circuit has multiple copies* -Generator knows which circuits are being checked after the first round (first evaluator) -We cannot have a different set of check circuits (this leaks information) The generator must not learn which circuits are being checked -Use oblivious transfer! 16 GC 1 Check Evaluate Check Evaluate GC 2 Check Evaluate Check Evaluate

17 PartialGC Cut-and-Choose Generator offers check and evaluation keys for each sub-circuit copy -Evaluator selects one key for each via OT -Generator never learns whether a sub- circuit was checked or evaluated Use OT cut-and-choose for first round Subsequent rounds -No need to select a new set of check and evaluation circuits -Use saved (encrypted) data to pass on this information 17 GC 1 CheckOT EvaluateOT CheckOT Check-key Evaluate-key Check-key Evaluate-key Check-key Evaluate-key 1 copy of sub-circuit

18 Performance 18 Time taken to save and load a bit in PartialGC (using 256 copies in the cut-and-choose) We compare PartialGC to CMTB, which is based on the PCF (Kreuter-Shelat-Shen) system.

19 Cloud Solving Privacy-Preserving Proximity Question: Are we within 1 mile of each other? -Users communicate with the server in rounds -During each round, the user provides its current location, which is checked against the last reported location of the other user N users -One party’s leaving does not stop the protocol 19 Alice Server PGC Bob Server PGC Alice Server PGC Bob Server PGC Alice Server PGC Bob Server PGC Saved (encrypted) data Charlie Alice

20 Implementation 20

21 PartialGC is a fully general, server-aided, secure, multiparty computation mechanism We implemented privacy-preserving proximity -First SFE app fast and light enough to run on a standard phone Entry system that counts the number of people in a building -Disallows entry if there are too many people Saving credit card details across multiple purchases -One person could also pay for a group of purchases by different people Secure auctions -Only the highest/lowest values are saved per round Any iterative computation 21

22 Talk Outline Example: Privacy-preserving Proximity PartialGC (ACM CCS'14*) -With Benjamin Mood, Kevin Butler, and Joan Feigenbaum → Other work on practical, secure computation -SMPC: Overview and challenges -Frigate, SGX, Systematization Deploying SMPC Ongoing and future work *Expanded version: http://arxiv.org/abs/1506.02954 http://arxiv.org/abs/1506.02954

23 23 Secure, Multiparty Computation (SMPC)... x1x1 x2x2 x 3x 3 x n-1 x nx n y = F (x 1, …, x n ) Each i learns y No i can learn anything about x j (except what he can infer from x i and y ) Very general positive results (e.g., GMW87, BGW88) Not very widely used in practice … YET!

24 Last 10 or 15 Years: Substantial Progress on Making SMPC Practical and Usable Better conceptual frameworks Development environments and tools (languages, compilers, intermediate circuit formats, run-time systems) Realistic use cases Realistic execution environments, e.g., handheld devices and cloud servers Theoretical advances and new techniques Experiments and performance analysis 24

25 Communication Pattern: Trusted-Party Computations 25

26 Communication Pattern: General SMPC Protocols 26

27 Communication Pattern: K-for-N “Secure Outsourcing” 27

28 Frigate Compiler Many existing development tools for secure protocols are unstable, buggy, and hard to use Frigate is a validated, extensible, and efficient compiler for SMPC -Dramatically more efficient than others (experimental comparisons with KSS, PCF, and CMBC) -Carefully tested and validated to ensure correctness -Easy to install and use; C-like language Compiles C-like programs into a Boolean-circuit representation that can be executed in a variety of SMPC run-time systems 28 "Frigate: A Validated, Extensible, and Efficient Compiler and Interpreter for Secure Computation” In Proceedings of the 2016 IEEE European Symposium on Security and Privacy (EuroS&P) 2016 (with Benjamin Mood, Henry Carter, Kevin Butler, Patrick Traynor)

29 Frigate Compile-time Speedup 29

30 Frigate Execution-time Speedup 30

31 Using Intel Software Guard Extensions for Efficient Two-Party Secure Function Evaluation We analyze the difficulties of using SGX for 2P-SFE and why naïve protocols do not work We show how to augment an SGX system to provide stronger guarantees, and we provide a protocol that enables two SGX systems to perform 2P-SFE efficiently Outsourcing and hybrid protocols Augment honest-but-curious to malicious 31 "Using Intel Software Guard Extensions for Efficient Two-Party Secure Function Evaluation” In Proceedings of the Workshop on Encrypted Computing and Applied Homomorphic Cryptography (WAHC), 2016 (with Benjamin Mood, Joan Feigenbaum, Kevin Butler, Patrick Traynor)

32 Systematization of Secure Computation We classify approximately 180 secure-computation protocols along major axes (security, efficiency, adversarial model, execution environment, etc.) By-product: annotated bibliography We develop a graphical tool (“ SysSC-UI ”) for exploring the secure- protocol space, comparing protocols, discovering dependencies and trade-offs among properties, etc. So far, the classification and SysSC-UI have helped newcomers get “up to speed” on the state of the art in secure-computation research 32 "Systematizing Secure Computation for Research and Decision Support” In Proceedings of the 9th Conference on Security and Cryptography for Networks (SCN’14), pp. 380-397, Springer, 2014 (with Jason Perry, Joan Feigenbaum, and Rebecca Wright)

33 SMPC PartialGCFrigateSGXSystematization 33

34 Ongoing ✓ and Future Work Practical reusable garbled circuits, using novel symbolic encryption, gate representation, and mini-circuits (w/ Mood, Hopkins, Carter, Feigenbaum, Butler) Improved SMPC for stable matching (w/ Terner, shelat, Feigenbaum) Implementations of Intel SGX-enabled 2P-SFE protocols (w/ Mood, Butler, Feigenbaum) Economic, legal, and social barriers to adoption -Idiosyncratic SMPC trust model (Libicki et al., 2014) -Need to comply with laws and organizational policies -Hard to displace an existing TTP

35 The End

Download ppt "Practical and Deployable Secure Multi-Party Computation Debayan Gupta Yale University May 11, 2016 Jai Dadabhai."

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Polylogarithmic Private Approximations and Efficient Matching
Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.

Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.
Secure Computation of Linear Algebraic Functions

Secure Computation of Linear Algebraic Functions
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Oblivious Branching Program Evaluation

Oblivious Branching Program Evaluation
Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,

Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Secure Computation on Mobile Devices Peter Chapman CS 1120 December 2, 2011.

Secure Computation on Mobile Devices Peter Chapman CS 1120 December 2, 2011.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5 Group Key Management.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5 Group Key Management.
How to Delegate Computations: The Power of No-Signaling Proofs Ron Rothblum Weizmann Institute Joint work with Yael Kalai and Ran Raz.

How to Delegate Computations: The Power of No-Signaling Proofs Ron Rothblum Weizmann Institute Joint work with Yael Kalai and Ran Raz.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
GARBLED CIRCUITS & SECURE TWO-PARTY COMPUTATION

GARBLED CIRCUITS & SECURE TWO-PARTY COMPUTATION

Similar presentations

Ads by Google