Practical and Deployable Secure Multi-Party Computation Debayan Gupta Yale University May 11, 2016 Jai Dadabhai.

The Apparent Paradox of Modern Cryptography
Intuitive ideas of secrecy
-Encrypted data are safe; but they appear to be unusable
If people have secrets, and want to do a joint computation
-They can use a trusted third party
Modern cryptography
-You may not have to decrypt
-There may not need to be a trusted third party

Secure Multi-Party Computation (SMPC)
Have your cake and eat it too
Secret inputs; joint computation of desired output (Yao82)
SMPC or Secure Function Evaluation (SFE)
State of the art
-2P-SFE: Currently fast enough for many applications
-SMPC: Fast enough in some cases
-Fully Homomorphic Encryption: Slow, but improving

Talk Outline
Example: Privacy-preserving Proximity
PartialGC (ACM CCS'14*)
-With Benjamin Mood, Kevin Butler, and Joan Feigenbaum
Other work on practical, secure computation
-SMPC: Overview and challenges
-Frigate, SGX, Systematization
Deploying SMPC
Ongoing and future work
*Expanded version:

Talk Outline
→ Example: Privacy-preserving Proximity
PartialGC (ACM CCS'14*)
-With Benjamin Mood, Kevin Butler, and Joan Feigenbaum
Other work on practical, secure computation
-SMPC: Overview and challenges
-Frigate, SGX, Systematization
Deploying SMPC
Ongoing and future work
*Expanded version:

Privacy-Preserving Proximity
2 parties
-They want to know whether they are within 1 mile of each other
-Locations are private
Classic 2P-SFE problem (garbled circuits, Yao82)
-Every pair needs to start from scratch
-Basic GC is still not efficient enough for mobile devices
Could use a trusted cloud server
-Location is kept private from other party but is known to server
[Figure: Alice and Bob each send their location to a Cloud Server running SFE (1. Location-1, 2. Location-2); the server answers "Are the locations within 1 mile of one another?" and returns the result to each of them (3. Result, 4. Result)]

Proximity using PartialGC
We want the advantages of a cloud server
-But the privacy guarantees of SFE
-Location data remain private from each other and cloud
PartialGC is a garbled-circuit based, general method for fully privacy-preserving server-aided computation
[Figure: Alice and Bob each run SFE with the Cloud Server]

Overview of PartialGC
Garbled circuits
Cut-and-choose for GCs secure against malicious adversaries
Partial garbled circuits
-Break a large garbled circuit into smaller sub-circuits
-Encrypted outputs of one GC become inputs to the next
-No intermediate decryption
To achieve this, we need novel circuit-generation and cut-and-choose techniques

Garbled Circuits
2 parties
Private inputs; outputs may be private or public
Public function represented as a Boolean circuit
The generator creates and encrypts (or "garbles") the circuit
The evaluator evaluates the garbled circuit
-Gate by gate
-Online: Evaluation involves interaction with the generator

Generating a Garbled Circuit
[Figure: a small Boolean circuit of AND, OR and AND gates; one gate is garbled below]
Truth table for one gate (inputs A, B; output C):
A B C
0 0 c0
0 1 c1
1 0 c2
1 1 c3
Generator creates 4 keys, one each for A=0, A=1, B=0, and B=1
Encrypted table:
A B C
0 0 E(A0.B0, c0)
0 1 E(A0.B1, c1)
1 0 E(A1.B0, c2)
1 1 E(A1.B1, c3)
Permute:
E(A1.B1, c3)
E(A1.B0, c2)
E(A0.B0, c0)
E(A0.B1, c1)
This is sent to the evaluator

Evaluating a Garbled Circuit
Received: the permuted table of rows E(A#.B#, c#)
Generator sends A0 if its input is 0, or A1 if its input is 1
Gen-input: the evaluator can now target rows E(A0.B#, c#)
Evaluator's input: B0 or B1
-This should be B0 if the evaluator's input was 0, and B1 if it was 1
Plug in B0 (e.g.)
Eval-input: E(A0.B0, c#) decrypts to the value of C for one row of the table
How does the evaluator obtain B0 or B1 without revealing its input bit to the generator? Oblivious Transfer

Cut-and-Choose
How can we defend against malicious adversaries?
-Many copies of the circuit
-Check some circuits, evaluate the rest normally
-Final result is majority output
Malicious evaluator: sign output within the circuit
-Does not guarantee fair release
Protocol:
Generator creates Boolean circuit from program
Generator builds many different garbled versions of this circuit
All circuits are sent to the evaluator
Evaluator randomly selects some circuits as "check"
Generator sends all keys (A0, A1, B0, B1) for that circuit to the evaluator
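The garbling, evaluation and cut-and-choose steps of the last three slides, as an added example that is not code from the talk or from PartialGC. It garbles a single AND gate the way the slides describe (four wire keys, one encrypted row per truth-table entry, rows permuted), lets the evaluator decrypt exactly one row, and then runs the check/evaluate/majority protocol over several copies. SHA-256 is used as the row encryption E(·) and a trailing zero block marks the row that decrypted correctly; the oblivious-transfer step is abstracted away (the evaluator is simply handed the key for its input bit).

```python
import hashlib, random, secrets

KEYLEN = 16                     # wire-key length in bytes
TAG = bytes(KEYLEN)             # zero block appended to each row so the evaluator recognises the right one
AND = lambda a, b: a & b        # the agreed public function
OR = lambda a, b: a | b         # used only to model a cheating generator

def xor(x: bytes, y: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(x, y))

def pad(key_a: bytes, key_b: bytes) -> bytes:
    # Hash-based one-time pad standing in for the slide's E(Aa.Bb, .): 32 bytes = key + tag
    return hashlib.sha256(key_a + key_b + b"gate").digest()

def garble_gate(func=AND):
    """Generator: one key per wire value for A, B, C; encrypt each truth-table row; permute."""
    keys = {w: (secrets.token_bytes(KEYLEN), secrets.token_bytes(KEYLEN)) for w in "ABC"}
    rows = [xor(pad(keys["A"][a], keys["B"][b]), keys["C"][func(a, b)] + TAG)
            for a in (0, 1) for b in (0, 1)]
    random.SystemRandom().shuffle(rows)   # the evaluator must not learn the row order
    return keys, rows

def evaluate_gate(table, key_a: bytes, key_b: bytes) -> bytes:
    """Evaluator: with exactly one key per input wire, exactly one row decrypts to a clean tag."""
    p = pad(key_a, key_b)
    for row in table:
        plain = xor(p, row)
        if plain[KEYLEN:] == TAG:
            return plain[:KEYLEN]
    raise ValueError("no row decrypted: malformed garbled table")

def check_gate(table, keys) -> bool:
    """Check circuit: with all four input keys opened, every row must encode the agreed AND."""
    return all(evaluate_gate(table, keys["A"][a], keys["B"][b]) == keys["C"][a & b]
               for a in (0, 1) for b in (0, 1))

def cut_and_choose(a_in, b_in, copies=8, n_check=4, cheat_copies=0):
    """Run the slide's cut-and-choose over `copies` garbled AND gates.
    Returns ("caught", None) if a check circuit is bad, else ("ok", majority output bit).
    OT is abstracted away: the evaluator is simply handed the key for its own input bit."""
    circuits = [garble_gate(OR if i < cheat_copies else AND) for i in range(copies)]
    order = list(range(copies))
    random.SystemRandom().shuffle(order)             # evaluator picks check circuits at random
    check, evaluate = order[:n_check], order[n_check:]
    for i in check:                                  # generator opens all keys of a check circuit
        keys, table = circuits[i]
        if not check_gate(table, keys):
            return "caught", None
    votes = []
    for i in evaluate:
        keys, table = circuits[i]
        out = evaluate_gate(table, keys["A"][a_in], keys["B"][b_in])
        votes.append(keys["C"].index(out))           # public output: decode against the two C keys
    return "ok", max(set(votes), key=votes.count)     # majority output
```

A generator that garbles a copy as OR instead of AND is either caught when that copy is opened as a check circuit or outvoted by the honest evaluated copies.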

Talk Outline
Example: Privacy-preserving Proximity
→ PartialGC (ACM CCS'14*)
-With Benjamin Mood, Kevin Butler, and Joan Feigenbaum
Other work on practical, secure computation
-SMPC: Overview and challenges
-Frigate, SGX, Systematization
Deploying SMPC
Ongoing and future work
*Expanded version:

Partial Garbled Circuits
We need to take encrypted output from one GC
-And feed it as input into another GC
-Different evaluator
Trivial if we have a trusted third party
-Take the encrypted output from GC 1, decrypt
-Re-encrypt with new keys, and send as input to GC 2
But we have a way to jointly compute a function without requiring a trusted third party – garbled circuits!
[Figure: GC 1 → Transform → GC 2, shown next to the trusted-third-party alternative]

Transformation
Augment circuits with an extra layer of input gates
These are 1-input gates, attached to each input bit
Output from this gate is a valid input for the new circuit
-Same idea as normal garbled circuits
-One nonce per sub-circuit copy
-More variants available in thesis
Generator side (GATE with output keys Output-0, Output-1):
nonce = random(), group_enc(info)
Transform-0 = hash(Output-0 . nonce) XOR Input-0
Transform-1 = hash(Output-1 . nonce) XOR Input-1
Send to Evaluator
Evaluator side (GATE with input keys Input-0, Input-1):
Gets Output-X from info
Input-X = hash(Output-X . nonce) XOR Transform-X
= hash(Output-X . nonce) XOR Input-X XOR hash(Output-X . nonce) = Input-X
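The transformation layer above, as an added example that is not code from the talk or from PartialGC: the generator draws one nonce per sub-circuit copy and publishes Transform-v = hash(Output-v . nonce) XOR Input-v for every wire; the evaluator, holding one Output-X key per wire, recovers exactly the matching Input-X for the next circuit. SHA-256 stands in for hash(·), and the selector X (the slide's "info", recovered from saved encrypted data in PartialGC) is assumed to be handed to the evaluator directly.

```python
import hashlib, secrets

KEYLEN = 16

def xor(x: bytes, y: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(x, y))

def fresh_wire_keys():
    """One key per wire value (the slide's Output-0/Output-1 or Input-0/Input-1)."""
    return (secrets.token_bytes(KEYLEN), secrets.token_bytes(KEYLEN))

def h(output_key: bytes, nonce: bytes) -> bytes:
    # hash(Output-X . nonce), truncated to the wire-key length
    return hashlib.sha256(output_key + nonce).digest()[:KEYLEN]

def make_transform_layer(out_wires, in_wires):
    """Generator side for one sub-circuit copy: a single nonce, then for every wire
    Transform-v = hash(Output-v . nonce) XOR Input-v, binding GC1's outputs to GC2's inputs.
    Returns the nonce and the list of (Transform-0, Transform-1) pairs sent to the evaluator."""
    nonce = secrets.token_bytes(KEYLEN)
    layer = [tuple(xor(h(o[v], nonce), i[v]) for v in (0, 1)) for o, i in zip(out_wires, in_wires)]
    return nonce, layer

def apply_transform(output_key: bytes, which: int, nonce: bytes, transform) -> bytes:
    """Evaluator side for one wire: holding Output-X and the selector X (the slide's "info"),
    recover Input-X = hash(Output-X . nonce) XOR Transform-X. The other Input key stays hidden."""
    return xor(h(output_key, nonce), transform[which])

def demo():
    """Carry a 3-wire output of GC1 (constructed values 1, 0, 1) into GC2.
    Returns (every wire mapped to the right Input key, evaluator could derive the other key)."""
    out_wires = [fresh_wire_keys() for _ in range(3)]
    in_wires = [fresh_wire_keys() for _ in range(3)]
    values = [1, 0, 1]                      # constructed sample: what GC1 evaluated to on each wire
    nonce, layer = make_transform_layer(out_wires, in_wires)
    held = [out_wires[w][values[w]] for w in range(3)]       # evaluator holds one key per wire
    mapped = [apply_transform(held[w], values[w], nonce, layer[w]) == in_wires[w][values[w]]
              for w in range(3)]
    # Using the held key with the other transform value yields garbage, not Input-(1-X)
    forged = [apply_transform(held[w], 1 - values[w], nonce, layer[w]) == in_wires[w][1 - values[w]]
              for w in range(3)]
    return all(mapped), any(forged)
```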

Cut-and-Choose Complications
Standard cut-and-choose
-Each circuit has multiple copies*
-Generator knows which circuits are being checked after the first round (first evaluator)
-We cannot have a different set of check circuits (this leaks information)
The generator must not learn which circuits are being checked
-Use oblivious transfer!
[Figure: GC 1 and GC 2, each with copies marked Check / Evaluate]

PartialGC Cut-and-Choose
Generator offers check and evaluation keys for each sub-circuit copy
-Evaluator selects one key for each via OT
-Generator never learns whether a sub-circuit was checked or evaluated
Use OT cut-and-choose for first round
Subsequent rounds
-No need to select a new set of check and evaluation circuits
-Use saved (encrypted) data to pass on this information
[Figure: for each copy of a sub-circuit in GC 1, the generator offers a Check-key and an Evaluate-key; the evaluator obtains one of them via OT (Check OT / Evaluate OT)]

Performance
[Figure: Time taken to save and load a bit in PartialGC (using 256 copies in the cut-and-choose)]
We compare PartialGC to CMTB, which is based on the PCF (Kreuter-Shelat-Shen) system.

Cloud Solving Privacy-Preserving Proximity
Question: Are we within 1 mile of each other?
-Users communicate with the server in rounds
-During each round, the user provides its current location, which is checked against the last reported location of the other user
N users
-One party's leaving does not stop the protocol
[Figure: in each round Alice and Bob each run PGC with the Server; saved (encrypted) data is carried from one round to the next; a third user, Charlie, appears in a later round]

Implementation
[Figure]

PartialGC is a fully general, server-aided, secure, multiparty computation mechanism
We implemented privacy-preserving proximity
-First SFE app fast and light enough to run on a standard phone
Entry system that counts the number of people in a building
-Disallows entry if there are too many people
Saving credit card details across multiple purchases
-One person could also pay for a group of purchases by different people
Secure auctions
-Only the highest/lowest values are saved per round
Any iterative computation

Talk Outline
Example: Privacy-preserving Proximity
PartialGC (ACM CCS'14*)
-With Benjamin Mood, Kevin Butler, and Joan Feigenbaum
→ Other work on practical, secure computation
-SMPC: Overview and challenges
-Frigate, SGX, Systematization
Deploying SMPC
Ongoing and future work
*Expanded version:

Secure, Multiparty Computation (SMPC)
[Figure: n parties with private inputs x1, x2, x3, …, x(n-1), xn jointly compute y = F(x1, …, xn)]
Each i learns y
No i can learn anything about xj (except what he can infer from xi and y)
Very general positive results (e.g., GMW87, BGW88)
Not very widely used in practice … YET!

Last 10 or 15 Years: Substantial Progress on Making SMPC Practical and Usable
Better conceptual frameworks
Development environments and tools (languages, compilers, intermediate circuit formats, run-time systems)
Realistic use cases
Realistic execution environments, e.g., handheld devices and cloud servers
Theoretical advances and new techniques
Experiments and performance analysis

Communication Pattern: Trusted-Party Computations
[Figure]

Communication Pattern: General SMPC Protocols
[Figure]

Communication Pattern: K-for-N "Secure Outsourcing"
[Figure]

Frigate Compiler
Many existing development tools for secure protocols are unstable, buggy, and hard to use
Frigate is a validated, extensible, and efficient compiler for SMPC
-Dramatically more efficient than others (experimental comparisons with KSS, PCF, and CMBC)
-Carefully tested and validated to ensure correctness
-Easy to install and use; C-like language
Compiles C-like programs into a Boolean-circuit representation that can be executed in a variety of SMPC run-time systems
"Frigate: A Validated, Extensible, and Efficient Compiler and Interpreter for Secure Computation." In Proceedings of the 2016 IEEE European Symposium on Security and Privacy (EuroS&P), 2016 (with Benjamin Mood, Henry Carter, Kevin Butler, Patrick Traynor)

Frigate Compile-time Speedup
[Figure]

Frigate Execution-time Speedup
[Figure]

Using Intel Software Guard Extensions for Efficient Two-Party Secure Function Evaluation
We analyze the difficulties of using SGX for 2P-SFE and why naïve protocols do not work
We show how to augment an SGX system to provide stronger guarantees, and we provide a protocol that enables two SGX systems to perform 2P-SFE efficiently
Outsourcing and hybrid protocols
Augment honest-but-curious to malicious
"Using Intel Software Guard Extensions for Efficient Two-Party Secure Function Evaluation." In Proceedings of the Workshop on Encrypted Computing and Applied Homomorphic Cryptography (WAHC), 2016 (with Benjamin Mood, Joan Feigenbaum, Kevin Butler, Patrick Traynor)

Systematization of Secure Computation
We classify approximately 180 secure-computation protocols along major axes (security, efficiency, adversarial model, execution environment, etc.)
By-product: annotated bibliography
We develop a graphical tool ("SysSC-UI") for exploring the secure-protocol space, comparing protocols, discovering dependencies and trade-offs among properties, etc.
So far, the classification and SysSC-UI have helped newcomers get "up to speed" on the state of the art in secure-computation research
"Systematizing Secure Computation for Research and Decision Support." In Proceedings of the 9th Conference on Security and Cryptography for Networks (SCN'14), pp , Springer, 2014 (with Jason Perry, Joan Feigenbaum, and Rebecca Wright)

[Figure: SMPC, with the four contributions PartialGC, Frigate, SGX and Systematization]

Ongoing ✓ and Future Work
Practical reusable garbled circuits, using novel symbolic encryption, gate representation, and mini-circuits (w/ Mood, Hopkins, Carter, Feigenbaum, Butler)
Improved SMPC for stable matching (w/ Terner, shelat, Feigenbaum)
Implementations of Intel SGX-enabled 2P-SFE protocols (w/ Mood, Butler, Feigenbaum)
Economic, legal, and social barriers to adoption
-Idiosyncratic SMPC trust model (Libicki et al., 2014)
-Need to comply with laws and organizational policies
-Hard to displace an existing TTP

The End