
Secure Computation Basics. Yan Huang, Indiana University. May 9, 2016.


Slide 1 (title): Secure Computation Basics. Yan Huang, Indiana University, May 9, 2016.

Slide 2: Dating, Genetically. Good match?

Slide 3: Problem Abstraction. Alice and Bob each hold a private input (x and y) to a public function f, and want z = f(x, y). Security requirement: reveal z but nothing more!

Slide 4: Ideally, with a Trusted Party.

Slide 5: In the Real World ... Secure computation enables this: the parties learn the result, but nothing more!

Slide 6: Secure Computation. Same setting as slide 3: Alice and Bob hold x and y, f is a public function, z = f(x, y). Security requirement: reveal z but nothing more!

Slide 7: What's Out of Scope. Leaking through the final results; bad implementation of the protocol.

Slide 8: Timeline, 1980s to 2012. Secure Computation [Yao, FOCS'82]; Yao's Circuits [Yao, FOCS'86]; Fairplay [MNPS, USENIX'04]: Millionaire (x > y) in 1 sec, median of 20 numbers (16-bit) in 7 sec.

Slide 9: Timeline continued, adding Secure Genomics [JKS, S&P'08] and FastGC [HEKM, USENIX'11]. Fairplay [MNPS'04]: Millionaire (x > y) 1 sec; median of 20 numbers (16-bit) 7 sec. Secure Genomics [JKS'08]: edit distance of 100-char strings 1.5 min. FastGC [HEKM'11]: Millionaire 320 μs; median of 20 numbers 0.8 ms; edit distance of 100-char strings 4 s.

Slide 10: 2011 to today, applications of secure computation: secure auction and voting, secure biometrics, ridge regression, neighborhood watch, binary search, time series analysis, set intersection, zero-knowledge proof, private navigation, secure gaming, whole genome comparison.

Slide 11: This Talk. Garbled Circuits; Oblivious Transfer and its Extension; Formal Definition of Security; Dealing with Active Adversaries.

Slide 12: A Binary Gate [Yao, FOCS'86]. A NAND gate with input wires A, B and output wire Z. Alice holds x = 0, Bob (the Evaluator) holds y = 0; the goal is to compute 0 NAND 0.

Slide 13: Alice (the Generator) picks a_0, a_1, two random bit strings, as the labels for wire A.

Slide 14: Likewise for the other wires: a_0, a_1, b_0, b_1, z_0, z_1 are independent random bit strings.

Slide 15: The input labels act as keys and the output labels as messages: each row of the NAND truth table becomes an encryption of the matching output label under the pair of input labels.

Slide 16: The same construction for an AND gate, with the output labels assigned according to the AND truth table.

Slide 17: Alice (Generator) sends the garbled NAND table to Bob (Evaluator).

Slide 18: With x = 0 Alice gives Bob a_0, and for y = 0 Bob holds b_0. Bob tries all four rows: exactly one decrypts (✔), the other three fail (✗), and he obtains z_1, i.e. z = 0 NAND 0 = 1.

Slide 19: A Leak. Alice's input must be 0, since it is the first row that can be decrypted.

Slide 20: Prevent the Leak. Alice (Generator) randomly permutes the rows of the table [Yao, FOCS'86].

Slide 21: Prevent the Leak, continued. Bob (Evaluator) holding a_0, b_0 still decrypts exactly one row (✔) of the permuted table and fails on the other three (✗), but the position of that row no longer reveals anything.

Slide 22: Oblivious Transfer. Transferring b_0 obliviously: Alice (Generator) holds b_0, b_1; Bob (Evaluator) has y = 0 and must obtain b_0.

Slide 23: Oblivious Transfer, in general: Alice (Generator) holds b_0, b_1; Bob (Evaluator) holds a choice bit y and outputs b_y [Naor-Pinkas, SODA'00].

Slide 24: Security of NPOT. Receiver's privacy: h is uniformly random, independent of y. Sender's privacy: the receiver cannot learn the other message b_{1-y}, as it does not know log_g C.

Slide 25: Computing a Binary Gate (NAND) [Yao, FOCS'86]. Alice (Generator) holds x = 0 and sends a_0; Bob (Evaluator) holds y = 0 and obtains b_0 by Oblivious Transfer. Bob decrypts exactly one row (✔), fails on three (✗), and learns the label for z = 0 NAND 0 = 1.

Slide 26: Computing a Binary Gate (OR) [Yao, FOCS'86]: the same procedure with an OR truth table, labels a_0, a_1, b_0, b_1, z_0, z_1.

Slide 27: Computing a Binary Gate (OR), continued: Alice (Generator) and Bob (Evaluator) run the same steps.

Slide 28: Generic Secure Computation [Yao, FOCS'86]. We can do any computation privately this way! Example circuit: AND gate 1 with inputs c, d and output f; another AND with inputs a, b and output e; OR gate 2 with inputs e, f and output g.
AND Gate 1: Enc_{c_0,d_1}(f_0), Enc_{c_1,d_1}(f_1), Enc_{c_1,d_0}(f_0), Enc_{c_0,d_0}(f_0).
OR Gate 2: Enc_{e_0,f_1}(g_1), Enc_{e_1,f_1}(g_1), Enc_{e_1,f_0}(g_1), Enc_{e_0,f_0}(g_0).
... and so on for every gate. Generator and evaluator each do O(n) work for a circuit of n gates.

Slide 29: Important Optimizations. XOR can be free; OT can be extended; two rows per gate is enough, using Half-Gates garbling (next lecture by Dave).

Slide 30: XOR can be (almost) Free. Pick a global offset R ← {0,1}^n and give every wire labels that differ by R: a_1 = a_0 ⊕ R, b_1 = b_0 ⊕ R. For an XOR gate the output labels are c_0 = a_0 ⊕ b_0 and c_1 = a_0 ⊕ b_0 ⊕ R, so the evaluator simply XORs the two labels it holds: inexpensive local computation only, no encryption, no communication overhead. For an AND gate the output labels are c_0 (random) and c_1 = c_0 ⊕ R, so the offset is preserved on the output wire.
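Added example code (not from the slides) putting slides 12-21 and slide 30 together: a garbled NAND gate with randomly permuted rows that the evaluator decrypts by trial, followed by a free-XOR gate that costs no table at all. Assumptions: row encryption is modelled as SHA-256 over the two input labels XORed with (output label || 16 zero bytes), the zero tail being how Bob recognises the one row that decrypts; the 16-byte label length is a demo parameter.

```python
import hashlib
import os
import random

K = 16  # label length in bytes (demo parameter, not from the slides)

def xor(x, y):
    return bytes(p ^ q for p, q in zip(x, y))

def new_wire(R):
    """Free-XOR wire: the 1-label is the 0-label XOR the global offset R."""
    l0 = os.urandom(K)
    return {0: l0, 1: xor(l0, R)}

def row_key(a, b):
    # 32 bytes derived from both input labels: 16 bytes of pad + 16 bytes of check
    return hashlib.sha256(a + b).digest()

def garble_gate(fn, a, b, z):
    """Encrypt z[fn(x,y)] under (a[x], b[y]) for all four rows, then permute them."""
    rows = []
    for x in (0, 1):
        for y in (0, 1):
            pt = z[fn(x, y)] + bytes(K)   # zero tail lets the evaluator spot its row
            rows.append(xor(row_key(a[x], b[y]), pt))
    random.shuffle(rows)                  # Alice's "randomly permute" step (slide 20)
    return rows

def eval_gate(rows, la, lb):
    """Bob holds one label per input wire; exactly one row decrypts to a zero tail."""
    pad = row_key(la, lb)
    for ct in rows:
        pt = xor(pad, ct)
        if pt[K:] == bytes(K):
            return pt[:K]
    raise ValueError("no row decrypted: malformed table")

def eval_xor(la, lb):
    """Free XOR: no table, no hash; la XOR lb is already the right output label."""
    return xor(la, lb)

def run_circuit(x, y):
    """Garble and evaluate w = NAND(x, y) XOR y; return Bob's decoded output bit."""
    R = os.urandom(K)
    a, b, z = new_wire(R), new_wire(R), new_wire(R)
    w0 = xor(z[0], b[0])                  # XOR output wire needs no fresh randomness
    decode = {w0: 0, xor(w0, R): 1}       # Alice's output decoding table
    table = garble_gate(lambda p, q: 1 - (p & q), a, b, z)
    lz = eval_gate(table, a[x], b[y])     # Bob only ever sees a[x] and b[y]
    return decode[eval_xor(lz, b[y])]
```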

Slide 31: OT can be Extended.

Slide 32: Oblivious Transfer: Similar Goal, Different Efforts. Symmetric encryption (PRG, hash): very cheap in practice, easy to implement heuristically. Asymmetric encryption: orders of magnitude more expensive, hard to implement heuristically. Where does OT fall?

Slide 33: Extending Expensive Primitives. As with encryption, a small number of expensive black-box operations is combined with cheap symmetric operations to handle many messages m_1, m_2, ..., m_n.

Slide 34: High-Level Idea. Sender and Receiver run Oblivious Transfer on a matrix with n rows and k columns, to deliver (m_1, s_1), (m_2, s_2), ..., (m_n, s_n).

Slide 35: OT extension, in detail.
Sender holds pairs (m_{i,0}, m_{i,1}) for 0 ≤ i < n; Receiver holds choice bits s = s_0, ..., s_{n-1}.
Receiver picks T ← {0,1}^{n×k}; T^j denotes the j-th column and T_i the i-th row.
Sender picks r ← {0,1}^k. Using k base OTs (with the roles swapped), for each column j the Sender receives T^j if r_j = 0 and T^j ⊕ s if r_j = 1. The Sender thereby holds an n×k matrix Q whose i-th row is Q_i = T_i if s_i = 0 and Q_i = T_i ⊕ r if s_i = 1.
Sender sends (y_0, y_1) = (m_{i,0} ⊕ H(i, Q_i), m_{i,1} ⊕ H(i, Q_i ⊕ r)) for 0 ≤ i < n.
Receiver outputs y_0 ⊕ H(i, T_i) if s_i = 0, and y_1 ⊕ H(i, T_i) if s_i = 1.
m_{i,1-s_i} remains hidden because the Receiver never knows T_i ⊕ r.
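The matrix construction on slide 35, worked through as added example code (not the speaker's). Assumptions: the k base OTs are simulated by handing the sender its chosen columns directly, the hash H(i, ·) is modelled with SHA-256 over the row index and row value, and rows and columns are stored as Python ints.

```python
import hashlib
import secrets

def H(i, q):
    """H(i, q) modelled with SHA-256 over the row index i and the row value q."""
    return int.from_bytes(hashlib.sha256(f"{i}:{q}".encode()).digest(), "big")

def column(rows, j):
    """Column j of a bit matrix stored as row-ints: bit i of the result is bit j of row i."""
    return sum(((row >> j) & 1) << i for i, row in enumerate(rows))

def rows_from_columns(cols, n):
    """Inverse of column(): rebuild n row-ints from the list of column-ints."""
    return [sum(((c >> i) & 1) << j for j, c in enumerate(cols)) for i in range(n)]

def receiver_setup(s_bits, k):
    """Receiver: a random n x k matrix T, one k-bit int per row, n = len(s_bits)."""
    return [secrets.randbits(k) for _ in s_bits]

def base_ots(T, s_bits, r, k):
    """The k base OTs with roles swapped (simulated by direct delivery): for column j
    the sender, choosing r_j, receives T^j if r_j = 0 and T^j XOR s if r_j = 1."""
    s = sum(b << i for i, b in enumerate(s_bits))
    return [column(T, j) ^ (s if (r >> j) & 1 else 0) for j in range(k)]

def sender_mask(msgs, Q, r):
    """Sender: y_0 = m_{i,0} XOR H(i, Q_i), y_1 = m_{i,1} XOR H(i, Q_i XOR r)."""
    return [(m0 ^ H(i, Q[i]), m1 ^ H(i, Q[i] ^ r)) for i, (m0, m1) in enumerate(msgs)]

def receiver_unmask(pairs, T, s_bits):
    """Receiver: Q_i = T_i XOR s_i*r, so y_{s_i} XOR H(i, T_i) = m_{i,s_i}; the other
    message would need H(i, T_i XOR r), and T_i XOR r is never known to the receiver."""
    return [pairs[i][b] ^ H(i, T[i]) for i, b in enumerate(s_bits)]

def ot_extension(msgs, s_bits, k=128):
    """Run n = len(msgs) OTs using only k base OTs plus hashing; return receiver's outputs."""
    T = receiver_setup(s_bits, k)
    r = secrets.randbits(k)                       # sender's base-OT choice string
    Q = rows_from_columns(base_ots(T, s_bits, r, k), len(msgs))
    return receiver_unmask(sender_mask(msgs, Q, r), T, s_bits)
```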

Slide 36: Do we really need a secure encryption scheme? No, secure garbling schemes suffice. More on this in Dave's lecture later.

Slide 37: System Level Optimizations. Design efficient circuits; use the right crypto protocols; frugal budgets (use secure computation only when absolutely necessary, and do not waste a single bit at any time); pipelined execution.

Slide 38: What if the parties do not follow the protocol? How to formalize the notion of security? How to deal with active adversaries? Efficiently develop your favorite applications? RAM model computation? Saved for tomorrow.

Slide 39: Modeling Adversaries. Honest-but-curious: always follows the protocol but tries to learn extra from the execution transcripts. Malicious/Active: absolutely no restriction on polynomial-time adversaries.

Slide 40: How to Define Security? First attempt: break security into Correctness (P_1 learns f_1(x,y), P_2 learns f_2(x,y)) and Privacy (no leak of P_1's x, no leak of P_2's y). Counterexample, coin tossing: f(·,·) { return rand(); }. Protocol: Alice samples s ← {0,1}^k, computes r ← P(s) for a one-way permutation P, and sends r; both parties output r. It satisfies the definition but is undesirable, since Alice knows a hard-to-compute pre-image of r.

Slide 41: Naor-Pinkas OT [SODA'00], Sender's privacy. Alice (Sender) holds b_0, b_1; Bob (Receiver) holds y and outputs b_y; the receiver cannot learn the other message b_{1-y}, as it does not know log_g C.

Slide 42: Yao's Protocol (Semi-Honest). Alice sends Bob the garbled (encrypted) circuit; Bob computes f(x,y) and learns nothing else.

Slides 43-44: Example Active Attacks. Garbled AND gate with input labels a_0 or a_1, b_0 or b_1 and output label x_0 or x_1: Enc_{a_0,b_1}(x_0), Enc_{a_1,b_1}(x_1), Enc_{a_1,b_0}(x_0), Enc_{a_0,b_0}(x_0). A malicious generator is not bound to garble this table honestly.

Slide 45: Active adversaries can attack a protocol in any unexpected way. How to define security so as to anticipate future or unknown avenues of attack?

Slide 46: Ideal/Real Paradigm. Real world: the parties, holding x and y, run the protocol and output f_1(x,y) and f_2(x,y). Ideal world: they hand x and y to a trusted party, which returns f_1(x,y) and f_2(x,y). A protocol is secure if for every (efficient) real-world adversary there is an ideal-world adversary having an 'equivalent' effect.

Slide 47: What are effects? An environment/observer that sees the inputs x, y and the outputs f_1(x,y), f_2(x,y) in either world.

Slide 48: Coin tossing revisited: f(·,·) { return rand(); }, with the protocol s ← {0,1}^k, r ← P(s), output r, where P is a one-way permutation. In the Ideal/Real paradigm we can actually prove that this coin-tossing protocol cannot be secure.

Slide 49: Achieve Active Security. Solution: cut-and-choose.

Slides 50-52: The Cut-and-choose Paradigm. The generator produces many copies of the garbled circuit; the evaluator opens and checks some of them, evaluates the rest, and takes the majority of the evaluation results as the final output.

Slide 53: Bound the Failures. n: total number of circuits; e: number of error circuits; k: number of circuits to check. Traditional cut-and-choose: roughly 3s circuits are needed to achieve s-bit security [Shen and Shelat, Eurocrypt 2011].

Slide 54: Additional Issues. (1) Input consistency among all evaluation circuits; (2) input consistency between the OT and the circuit generation (the labels w_{y_i}, w_{1-y_i} delivered by OT must be the ones used in the circuits for inputs x, y).

Slide 55: Recent Advances. It suffices to ensure there is at least one good evaluation circuit generated by the adversary; then s circuits can offer s-bit statistical security [Lindell, Crypto'13] [AMPR, EUROCRYPT'14].
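Added example (not from the slides) computing the cheating probabilities behind the two bounds quoted on slides 53 and 55: the majority-output analysis, where the checker opens k of n circuits and the cheater needs a majority of bad evaluation circuits to survive unopened, and the "one good evaluation circuit suffices" analysis. The second uses the assumption that each circuit is opened independently with probability 1/2.

```python
from math import comb

def majority_cheat_prob(n, k):
    """Traditional cut-and-choose: n circuits, k opened and checked, the n-k remaining
    are evaluated and the majority output is taken. The cheater's best move is the
    smallest e that still gives a majority of bad evaluated circuits, and it wins
    only if none of the k opened circuits is bad."""
    evaluated = n - k
    e = evaluated // 2 + 1                   # bad circuits needed for a strict majority
    return comb(n - e, k) / comb(n, k)       # all k opened circuits happen to be good

def best_majority_cheat_prob(n):
    """Checker picks the number k of opened circuits that minimises the cheater's odds."""
    return min(majority_cheat_prob(n, k) for k in range(1, n))

def min_circuits_majority(s):
    """Smallest n whose best checking strategy drives cheating below 2^-s
    (this reproduces the 'roughly 3s circuits' figure of slide 53)."""
    n = 2
    while best_majority_cheat_prob(n) > 2.0 ** -s:
        n += 1
    return n

def one_good_cheat_prob(n, e):
    """Slide 55 setting: each of the n circuits is independently opened with probability
    1/2 (assumption) and a single good evaluation circuit suffices. The cheater, having
    made e >= 1 bad circuits, wins only if every bad circuit lands in the evaluation set
    and every good one is opened: (1/2)^e * (1/2)^(n-e) = 2^-n, whatever e is."""
    if e == 0:
        return 0.0
    return (0.5 ** e) * (0.5 ** (n - e))
```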

Slides 56-58: Cut-and-choose (Recent Advances). The evaluator evaluates the unopened circuits and asks: consistent outcome? Yes: output f(x,y). No: recover the generator's input x, then output f(x,y).

Slide 59: Goal. For an AND gate with input wires A, B and output Z, let w_0, w_1 be the two labels of a wire tied to the generator's input x. If the evaluator learns both w_0 and w_1, it learns x; learning any one of w_0, w_1 does not reveal x. Whatever binding mechanism is used, it must ensure no leakage through protocol deviation.

Slide 60: A binding mechanism. Public inputs: g, h, with s = log_g h known to the generator, which also picks r and publishes (g^r, g^x h^r) as a commitment to its input x. It splits s = s_0 + s_1 and publishes (h_0, h_1) with h_0 = g^{s_0}, h_1 = g^{s_1}, so that h_0 · h_1 = g^{s_0} · g^{s_1} = g^s = h, together with (h_0 g^{w_0}, h_1 g^{w_1}) for the labels w_0, w_1. Check (opened circuit): the evaluator verifies h_0 · h_1 = h and that (w_0, w_1) matches (h_0 g^{w_0}, h_1 g^{w_1}). Evaluate: the generator sends s_0 + w_0 and s_1 + w_1, so an evaluator who learns both w_0 and w_1 recovers s_0 and s_1, hence s, and learning s reveals x.

Slide 61: Recent Advances (2). Even more efficient if done collectively, e.g. fewer than 7 duplicates for 40-bit security. Ongoing work: any duplication factor strictly larger than 2 is achievable if the circuit is sufficiently large, but 2 is impossible to achieve. [Lindell-Riva, Crypto'14] [HKKKM, Crypto'14] [FJNNO, EUROCRYPT'13]

Slide 62: Q & A

