Secure Computation Basics Yan Huang Indiana University May 9, 2016.

Dating: genetically a good match?

Problem Abstraction. Alice holds x, Bob holds y, and f is a public function. They want z = f(x, y). Security requirement: reveal z but nothing more!

Ideally, with a trusted party: both parties hand their inputs to the trusted party, which returns z.

In the real world there is no trusted party. Secure computation enables the same thing: z is revealed, but nothing more!

Secure Computation. Alice holds x, Bob holds y, f is a public function, z = f(x, y). Security requirement: reveal z but nothing more!

What's Out of Scope: leakage through the final results themselves, and bad implementations of the protocol.

A short history. 1980s: Secure Computation [Yao, FOCS'82] and Yao's Circuits [Yao, FOCS'86]. Fairplay [MNPS, USENIX'04]: Millionaire (x > y) in 1 sec; median of 20 numbers (16-bit) in 7 sec. Secure Genomics [JKS, S&P'08]: edit distance of 100-char strings in m. FastGC [HEKM, USENIX'11], by 2012: the same three problems in 320 μs, 0.8 ms and 4 s.

Secure computation today: secure auction and voting, secure biometrics, ridge regression, neighborhood watch, binary search, time series analysis, set intersection, zero-knowledge proofs, private navigation, secure gaming, whole genome comparison.

This Talk: garbled circuits; oblivious transfer and its extension; formal definition of security; dealing with active adversaries.

A Binary Gate [Yao, FOCS'86]. Take a NAND gate with input wires A and B and output wire Z. Alice holds x = 0 on wire A; Bob, the evaluator, holds y = 0 on wire B. Alice, acting as generator, picks for wire A two random bit strings a_0 and a_1 (standing for the bit values 0 and 1), and likewise b_0, b_1 for wire B and z_0, z_1 for wire Z; a_0, a_1, b_0, b_1, z_0, z_1 are independent random bit strings. The input labels serve as keys and the output labels as messages: each of the four rows of the truth table is encrypted under the two input labels of that row, so that the pair a_i, b_j opens exactly the ciphertext of z_{NAND(i,j)}. The same construction works for an AND gate or any other binary gate; only which output label is placed in which row changes.

Evaluating the gate [Yao, FOCS'86]. With x = 0 Alice hands Bob a_0, and Bob holds b_0 for y = 0. Bob tries all four rows: exactly one decrypts (✔) and the other three fail (✗). The row that opens yields z_1, i.e. z = 0 NAND 0 = 1.

A leak: the row that decrypts is the first one, so Bob learns that Alice's input must be 0.

Prevent the Leak [Yao, FOCS'86]. Alice, the generator, randomly permutes the four rows before sending the table. Bob, holding a_0 and b_0, still finds exactly one row that decrypts, but its position no longer reveals which inputs were used.

Oblivious Transfer: transferring b_0 obliviously. Alice (generator) holds the pair (b_0, b_1); Bob (evaluator) holds y = 0 and needs b_0, without Alice learning y. In general Bob holds a choice bit y and outputs b_y [Naor-Pinkas, SODA'00].

Security of NPOT. Receiver's privacy: the value h that the receiver sends is uniformly random and independent of y. Sender's privacy: the receiver cannot learn the other message b_{1-y}, since it does not know log_g C.
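The two-round exchange behind these two security properties, as an added example that is not part of the talk: a toy implementation of the 1-out-of-2 OT cited on the slide [Naor-Pinkas, SODA'00]. The class and variable names are mine; the group is the order-q subgroup of Z_p^* for a safe prime p = 2q + 1, with deliberately tiny toy parameters, and the messages are fixed-length byte strings such as wire labels.

```python
"""Toy Naor-Pinkas 1-out-of-2 oblivious transfer (added example, not the talk's code).

Protocol as in [Naor-Pinkas, SODA'00]; names below are mine. Group: the order-q
subgroup of Z_p^* for the safe prime p = 2q + 1 with generator g. The parameters
are tiny and for illustration only.
"""
import hashlib
import secrets

P, Q, G = 1019, 509, 4      # toy safe-prime group: 1019 = 2*509 + 1; 4 = 2^2 generates the order-509 subgroup


def rand_exp() -> int:
    return secrets.randbelow(Q - 1) + 1           # uniform exponent in [1, q-1]


def inv(x: int) -> int:
    return pow(x, P - 2, P)


def xor(u: bytes, v: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(u, v))


def H(i: int, elem: int, n: int) -> bytes:
    """Hash a group element to an n-byte pad, domain-separated by the message index i."""
    return hashlib.sha256(bytes([i]) + elem.to_bytes(2, "big")).digest()[:n]


class Sender:
    def __init__(self, b0: bytes, b1: bytes):
        assert len(b0) == len(b1) <= 32
        self.b = (b0, b1)
        self.c = rand_exp()                       # log_g C: the receiver never learns this
        self.C = pow(G, self.c, P)

    def round1(self) -> int:
        return self.C                             # announce C

    def round2(self, h: int):
        # the receiver fixed pk0 = h and thereby pk1 = C / h; it can know
        # the discrete log of at most one of the two without knowing log_g C
        pk = (h, self.C * inv(h) % P)
        r = rand_exp()
        g_r = pow(G, r, P)
        cts = tuple(xor(self.b[i], H(i, pow(pk[i], r, P), len(self.b[i]))) for i in (0, 1))
        return g_r, cts


class Receiver:
    def __init__(self, y: int):
        self.y = y
        self.k = rand_exp()

    def round1(self, C: int) -> int:
        pk_y = pow(G, self.k, P)                  # the key whose discrete log we know
        # h (sent as pk0) is uniform in the subgroup whether y is 0 or 1: receiver's privacy
        return pk_y if self.y == 0 else C * inv(pk_y) % P

    def round2(self, g_r: int, cts) -> bytes:
        # only pk_y^r = (g^r)^k is computable; the pad for b_{1-y} would need log_g C
        return xor(cts[self.y], H(self.y, pow(g_r, self.k, P), len(cts[self.y])))


def run_ot(b0: bytes, b1: bytes, y: int) -> bytes:
    """Full exchange; returns what the receiver outputs (should be b_y)."""
    sender, receiver = Sender(b0, b1), Receiver(y)
    C = sender.round1()
    h = receiver.round1(C)
    g_r, cts = sender.round2(h)
    return receiver.round2(g_r, cts)


if __name__ == "__main__":
    b0, b1 = bytes(16), bytes(range(16))          # constructed sample wire labels
    assert run_ot(b0, b1, 0) == b0 and run_ot(b0, b1, 1) == b1
    print("receiver obtained b_y for both choice bits")
```

With 16-byte messages the two ciphertexts carry exactly the pair (b_0, b_1) of a garbled-circuit input wire, which is how the gate example above obtains the evaluator's label.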

Computing a Binary Gate [Yao, FOCS'86]. Putting it together for the NAND gate: Alice (generator) with x = 0 sends a_0 directly; Bob (evaluator) with y = 0 obtains b_0 through oblivious transfer. Bob tries the four permuted rows, exactly one decrypts, and he obtains z_1, i.e. z = 0 NAND 0 = 1. An OR gate, or any other binary gate, is computed in exactly the same way.

Generic Secure Computation [Yao, FOCS'86]: we can do any computation privately this way! A circuit is garbled gate by gate. Gate 1 (AND, inputs c, d, output f): Enc_{c_0,d_1}(f_0), Enc_{c_1,d_1}(f_1), Enc_{c_1,d_0}(f_0), Enc_{c_0,d_0}(f_0). Gate 2 (OR, inputs e, f, output g): Enc_{e_0,f_1}(g_1), Enc_{e_1,f_1}(g_1), Enc_{e_1,f_0}(g_1), Enc_{e_0,f_0}(g_0). And so on for the remaining gates (wires a, b, ...). Cost: O(n) for generation and O(n) for evaluation, in the number of gates n.

Important Optimizations: XOR can be free; OT can be extended; two rows per gate is enough, using half-gates garbling (next lecture by Dave).

XOR can be (almost) Free. Choose a global offset R ← {0,1}^n and make every wire's two labels differ by R: a_1 = a_0 ⊕ R, b_1 = b_0 ⊕ R. For an XOR gate the output labels are c_0 = a_0 ⊕ b_0 and c_1 = a_0 ⊕ b_0 ⊕ R = c_0 ⊕ R, so the evaluator simply XORs the two input labels it holds: inexpensive local computation only, no encryption, no communication overhead. For an AND gate, c_0 is chosen at random and c_1 = c_0 ⊕ R, and the gate is garbled as before.
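The garbled-gate construction, the row permutation that fixes the leak, and the free-XOR offset from the slides above, as an added example (not the talk's or any project's code) of a complete toy garbler and evaluator. It assumes 16-byte labels, SHA-256 as a stand-in for the correlation-robust hash that free XOR requires, and an all-zero tag for recognising the one row that opens; the sample circuit is constructed for the example.

```python
"""Toy garbled circuit with row permutation and the free-XOR trick (added example, not the talk's code).

Wire labels are 16-byte strings. Each non-XOR gate row is a one-time pad of
(output label || 16 zero bytes) under SHA-256(key_a || key_b || gate id); the zero
tag is how the evaluator recognises the single row it can open. Teaching toy:
no point-and-permute bits, and SHA-256 stands in for a correlation-robust hash.
"""
import hashlib
import os
import secrets

LABEL_LEN = 16
TAG = bytes(LABEL_LEN)                    # all-zero tag appended to every plaintext

GATE_FN = {
    "AND": lambda a, b: a & b,
    "OR": lambda a, b: a | b,
    "NAND": lambda a, b: 1 - (a & b),
    "XOR": lambda a, b: a ^ b,            # garbled for free: never gets a table
}


def xor(u: bytes, v: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(u, v))


def pad(ka: bytes, kb: bytes, gate_id: int) -> bytes:
    return hashlib.sha256(ka + kb + gate_id.to_bytes(4, "big")).digest()


def enc(ka, kb, gate_id, label):
    return xor(pad(ka, kb, gate_id), label + TAG)


def dec(ka, kb, gate_id, row):
    pt = xor(pad(ka, kb, gate_id), row)
    return pt[:LABEL_LEN] if pt[LABEL_LEN:] == TAG else None


def garble(circuit, n_inputs, permute=True):
    """circuit: list of (gate type, input wire a, input wire b, output wire).
    Returns (labels, tables): labels[w] = (label for bit 0, label for bit 1),
    tables[gate_id] = the four ciphertext rows of that gate."""
    R = os.urandom(LABEL_LEN)             # global free-XOR offset: label_1 = label_0 xor R
    labels, tables = {}, {}
    for w in range(n_inputs):
        l0 = os.urandom(LABEL_LEN)
        labels[w] = (l0, xor(l0, R))
    for gid, (typ, a, b, out) in enumerate(circuit):
        if typ == "XOR":                  # c0 = a0 xor b0, c1 = c0 xor R: no ciphertexts at all
            c0 = xor(labels[a][0], labels[b][0])
            labels[out] = (c0, xor(c0, R))
            continue
        c0 = os.urandom(LABEL_LEN)
        labels[out] = (c0, xor(c0, R))
        # rows in truth-table order: index 2*i + j holds the row for inputs (i, j)
        rows = [enc(labels[a][i], labels[b][j], gid, labels[out][GATE_FN[typ](i, j)])
                for i in (0, 1) for j in (0, 1)]
        if permute:                       # the leak fix: hide which row belongs to which inputs
            secrets.SystemRandom().shuffle(rows)
        tables[gid] = rows
    return labels, tables


def evaluate(circuit, tables, input_labels):
    """The evaluator holds exactly one label per input wire. Returns the label on
    every wire and, per garbled gate, the index of the row that opened."""
    wire, opened = dict(input_labels), {}
    for gid, (typ, a, b, out) in enumerate(circuit):
        if typ == "XOR":
            wire[out] = xor(wire[a], wire[b])
            continue
        for idx, row in enumerate(tables[gid]):
            lab = dec(wire[a], wire[b], gid, row)
            if lab is not None:
                wire[out], opened[gid] = lab, idx
                break
        else:
            raise ValueError(f"gate {gid}: no row decrypted")
    return wire, opened


def run(circuit, n_inputs, outputs, bits, permute=True):
    """Garble, evaluate on the given input bits and decode the output wires.
    (Here the generator hands over all input labels; in the protocol the
    evaluator's own labels arrive through oblivious transfer.)"""
    labels, tables = garble(circuit, n_inputs, permute)
    inputs = {w: labels[w][bits[w]] for w in range(n_inputs)}
    wire, opened = evaluate(circuit, tables, inputs)
    return [labels[w].index(wire[w]) for w in outputs], opened


def plain(circuit, outputs, bits):
    """Clear-text evaluation, used to check the garbled result."""
    v = dict(enumerate(bits))
    for typ, a, b, out in circuit:
        v[out] = GATE_FN[typ](v[a], v[b])
    return [v[w] for w in outputs]


# constructed sample circuit: Alice's bits on wires 0 and 1, Bob's on wires 2 and 3
CIRCUIT = [("AND", 0, 2, 4), ("XOR", 1, 3, 5), ("OR", 4, 5, 6), ("NAND", 0, 3, 7)]
OUTPUTS = [6, 7]

if __name__ == "__main__":
    for n in range(16):
        bits = [(n >> i) & 1 for i in range(4)]
        assert run(CIRCUIT, 4, OUTPUTS, bits)[0] == plain(CIRCUIT, OUTPUTS, bits)
    print("garbled evaluation agrees with clear-text evaluation on all 16 inputs")
```

Running a single NAND gate with `permute=False` reproduces the leak from the slides: the index of the row that opens is always 2x + y, so it spells out both inputs; with the permutation on, the index carries no information.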

OT can be Extended

Oblivious Transfer: similar goal, different efforts. Symmetric encryption (PRG, hash): very cheap in practice (easy to implement heuristically). Asymmetric encryption: orders of magnitude more expensive (hard to implement heuristically). Where does OT sit?

Extending Expensive Primitives: the expensive primitive is used as a black box a fixed number of times, and the messages m_1, m_2, ..., m_n are then handled with cheap symmetric encryption.

High-Level Idea: oblivious transfer between a sender and a receiver for n message pairs; the receiver, with choice bits s_1, ..., s_n, should obtain m_{1,s_1}, m_{2,s_2}, ..., m_{n,s_n}. The construction works on a random bit matrix with n rows and k columns.

Sender: message pairs (m_{i,0}, m_{i,1}), 0 ≤ i < n. Receiver: choice bits s = s_0, ..., s_{n-1} and a random matrix T ← {0,1}^{n×k}; T^i denotes the i-th column and T_i the i-th row. The sender picks r ← {0,1}^k. The parties run k base OTs with the roles swapped: in the i-th one the receiver offers the pair (T^i, T^i ⊕ s) and the sender, choosing with r_i, obtains Q^i = T^i if r_i = 0 and Q^i = T^i ⊕ s if r_i = 1. Arranging the Q^i as columns gives a matrix Q whose i-th row satisfies Q_i = T_i if s_i = 0 and Q_i = T_i ⊕ r if s_i = 1. The sender sends, for 0 ≤ i < n: (y_0, y_1) = (m_{i,0} ⊕ H(i, Q_i), m_{i,1} ⊕ H(i, Q_i ⊕ r)). The receiver outputs y_0 ⊕ H(i, T_i) if s_i = 0, and y_1 ⊕ H(i, T_i) if s_i = 1. m_{i,1-s_i} remains hidden because the receiver never knows T_i ⊕ r.
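The matrix construction just described, as an added example that is not part of the talk. The k base OTs are modelled by an ideal functionality `base_ot` (a stand-in for k runs of a real protocol such as the Naor-Pinkas OT), the hash H and the 16-byte sample messages are my choices, and the notation (T, Q, r, s, y_0, y_1) follows the slide.

```python
"""OT extension as sketched on the slide (added example, not the talk's code).

The k base OTs are modelled by an ideal functionality `base_ot` that simply hands
over the chosen message, so the block runs offline. Notation follows the slide:
n message pairs (m_{i,0}, m_{i,1}), receiver choice bits s, random matrix T with
n rows and k columns, sender vector r in {0,1}^k. Bits are kept one per byte
(0 or 1) so that byte-wise XOR is bit-wise XOR.
"""
import hashlib
import secrets

CALLS = {"base_ot": 0}                 # counts how many expensive base OTs were needed


def xor(u: bytes, v: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(u, v))


def H(i: int, row: bytes, n: int) -> bytes:
    return hashlib.sha256(i.to_bytes(4, "big") + row).digest()[:n]


def base_ot(pair, choice: int) -> bytes:
    """Ideal 1-out-of-2 OT: the chooser gets pair[choice], the offerer learns nothing."""
    CALLS["base_ot"] += 1
    return pair[choice]


def rand_bits(n: int) -> bytes:
    return bytes(secrets.randbits(1) for _ in range(n))


def ot_extension(messages, s, k=128):
    """messages: list of n pairs (m_{i,0}, m_{i,1}) of equal-length bytes;
    s: list of n receiver choice bits. Returns the receiver's n outputs m_{i,s_i}."""
    n, L = len(messages), len(messages[0][0])
    s_bytes = bytes(s)
    # receiver: T <- {0,1}^{n x k}, held column by column (T^i is the i-th column)
    T_cols = [rand_bits(n) for _ in range(k)]
    # sender: r <- {0,1}^k. k base OTs with the roles swapped: the receiver offers
    # (T^i, T^i xor s) and the sender, choosing with r_i, obtains Q^i
    r = [secrets.randbits(1) for _ in range(k)]
    Q_cols = [base_ot((T_cols[i], xor(T_cols[i], s_bytes)), r[i]) for i in range(k)]
    # sender re-reads Q row by row: Q_i = T_i if s_i = 0, and Q_i = T_i xor r if s_i = 1
    r_bytes = bytes(r)
    Q_rows = [bytes(Q_cols[j][i] for j in range(k)) for i in range(n)]
    ys = [(xor(m0, H(i, Q_rows[i], L)), xor(m1, H(i, xor(Q_rows[i], r_bytes), L)))
          for i, (m0, m1) in enumerate(messages)]
    # receiver: row T_i opens y_{s_i}; T_i xor r, needed for the other one, is never known
    T_rows = [bytes(T_cols[j][i] for j in range(k)) for i in range(n)]
    return [xor(ys[i][s[i]], H(i, T_rows[i], L)) for i in range(n)]


if __name__ == "__main__":
    n = 1000
    msgs = [(secrets.token_bytes(16), secrets.token_bytes(16)) for _ in range(n)]   # constructed
    s = [secrets.randbits(1) for _ in range(n)]
    assert ot_extension(msgs, s) == [msgs[i][s[i]] for i in range(n)]
    print(f"{n} transfers from {CALLS['base_ot']} base OTs")
```

The point to observe is the call counter: the number of base OTs is k regardless of n, so a thousand (or a million) transfers cost k public-key operations plus hashing and XOR.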

Do we really need a secure encryption scheme? No: secure garbling schemes suffice. More on this in Dave's lecture later.

System Level Optimizations: design efficient circuits; use the right crypto protocols; frugal budgets (use SC only when absolutely necessary, and don't waste a single bit at any time); pipelined execution.

What if the parties do not follow the protocol? How to formalize the notion of security? How to deal with active adversaries? How to efficiently develop your favorite applications? RAM-model computation? (Saved for tomorrow.)

Modeling Adversaries. Honest-but-curious: always follows the protocol but tries to learn extra information from the execution transcripts. Malicious/active: absolutely no restriction on polynomial-time adversaries.

How to Define Security? First attempt: break security into correctness (P_1 learns f_1(x,y), P_2 learns f_2(x,y)) and privacy (no leak of P_1's x, no leak of P_2's y). Counterexample, coin tossing: f(·,·) { return rand(); }. Protocol: Alice picks s ← {0,1}^k, computes r ← P(s) for a one-way permutation P, sends r, and both parties output r. It satisfies the definition but is undesirable, since Alice knows a hard-to-compute preimage of r.

Naor-Pinkas OT revisited [Naor-Pinkas, SODA'00]: Alice (sender) holds (b_0, b_1), Bob (receiver) holds y and outputs b_y. Sender's privacy: the receiver cannot learn the other message b_{1-y}, since it does not know log_g C.

Yao's Protocol (Semi-Honest): Alice sends Bob a garbled (encrypted) circuit; Bob computes f(x,y) and learns nothing else.

Example Active Attacks. A garbled AND gate with input labels a_0 or a_1 and b_0 or b_1 and output labels x_0 or x_1: Enc_{a_0,b_1}(x_0), Enc_{a_1,b_1}(x_1), Enc_{a_1,b_0}(x_0), Enc_{a_0,b_0}(x_0). The evaluator sees only ciphertexts, so it cannot tell whether the table really garbles AND.

Active adversaries can attack a protocol in any unexpected way. How do we define security so as to anticipate future, unknown avenues of attack?

Ideal/Real Paradigm. Ideal world: the parties hand x and y to a trusted party, which returns f_1(x,y) to the first party and f_2(x,y) to the second. Real world: the parties run the protocol on x and y and produce their outputs themselves. A protocol is secure if for every (efficient) real-world adversary there is an ideal-world adversary having an 'equivalent' effect.

What are effects? An environment (observer) sees the parties' inputs x, y and their outputs, f_1(x,y) and f_2(x,y); the adversary's effect is whatever this observer can distinguish between the ideal world and the real world.

Coin tossing again: f(·,·) { return rand(); }; Alice picks s ← {0,1}^k, sends r ← P(s) for a one-way permutation P, and both output r. In the ideal/real paradigm we can actually prove that this coin-tossing protocol cannot be secure: the ideal-world adversary receives r from the trusted party and would have to produce s, a preimage of r, to match the real-world effect.

Achieve Active Security. Solution: cut-and-choose.

The Cut-and-choose Paradigm: the generator produces many garbled circuits; the evaluator picks some of them to check (they are opened and verified) and evaluates the remaining ones; the majority of the evaluation outputs is taken as the final output.

Bound the Failures. n: total number of circuits; e: number of error circuits; k: number of circuits to check. Traditional cut-and-choose: roughly 3s circuits are needed to achieve s-bit security [Shen and Shelat, Eurocrypt 2011].

Additional Issues: (1) input consistency among all evaluation circuits (the generator's x must be the same in every evaluated circuit); (2) input consistency between OT and circuit generation (the labels w_{y_i}, w_{1-y_i} offered in the OT must be the ones used in the garbled circuits).

Recent Advances [Lindell, Crypto'13] [AMPR, EUROCRYPT'14]: it suffices to ensure that there is at least one good evaluation circuit among those generated by the adversary; s circuits can then offer s-bit statistical security.
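The two bounds from the last two slides worked out numerically, as an added example that is not from the talk: the majority-based failure probability in terms of the slide's n, e and k (an adversary wins when none of its e bad circuits is checked and they form a majority of the evaluated ones), and the single-good-circuit variant, which I model with each circuit checked independently with probability 1/2; the function and variable names are mine.

```python
"""Cut-and-choose failure bounds (added example, not the talk's code).

Traditional majority cut-and-choose: of n circuits the evaluator checks k and
evaluates the rest, taking the majority output. An adversary that made e circuits
bad wins if none of them is checked and they are a majority of the evaluated ones.
Single-good-circuit variant (the [Lindell, Crypto'13] idea): each circuit is
checked independently with probability 1/2 (my modelling assumption) and the
adversary wins only if every evaluated circuit is bad.
"""
from math import comb, log2


def traditional_failure(n: int, k: int) -> float:
    """Best success probability of the adversary for n circuits with k checked."""
    evaluated = n - k
    best = 0.0
    # bad circuits must be a strict majority of the evaluated ones
    for e in range(evaluated // 2 + 1, n + 1):
        # all k checked circuits are drawn from the n - e good ones (0 if n - e < k)
        undetected = comb(n - e, k) / comb(n, k)
        best = max(best, undetected)
    return best


def traditional_bits(n: int):
    """Best number of checked circuits and the statistical security (bits) it gives."""
    best_k, best_p = None, 1.0
    for k in range(1, n):
        p = traditional_failure(n, k)
        if p < best_p:
            best_k, best_p = k, p
    return best_k, -log2(best_p)


def circuits_needed_traditional(s: int) -> int:
    """Smallest n reaching s-bit security with the majority approach."""
    n = 1
    while traditional_bits(n)[1] < s:
        n += 1
    return n


def single_good_failure(n: int, e: int) -> float:
    """With e bad circuits the adversary wins only if all e are evaluated and all
    n - e good ones are checked: (1/2)^e * (1/2)^(n-e) = 2^-n whatever e is."""
    return 0.5 ** e * 0.5 ** (n - e)


def single_good_bits(n: int) -> float:
    return -log2(max(single_good_failure(n, e) for e in range(1, n + 1)))


if __name__ == "__main__":
    for s in (20, 40):
        n = circuits_needed_traditional(s)
        k, bits = traditional_bits(n)
        print(f"s = {s}: majority cut-and-choose needs n = {n} circuits "
              f"(about {n / s:.2f} s, checking {k}), the single-good-circuit "
              f"approach needs {s} for {single_good_bits(s):.0f} bits")
```

For s = 40 the search lands in the range the slide calls "roughly 3s" with about 60% of the circuits checked, while the single-good-circuit bound gives exactly n bits for n circuits.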

Cut-and-choose (Recent Advances): after evaluating the unchecked circuits, is the outcome consistent across them? Yes: output f(x,y). No: recover x, then output f(x,y).

Goal. For the generator's input wire x of an AND gate (inputs A, B, output Z) with labels w_0, w_1: if the evaluator learns both w_0 and w_1, it learns x; learning any one of w_0, w_1 does not reveal x. Whatever binding mechanism is used, ensure there is no leakage through protocol deviation.

Binding mechanism (sketch). Generator's secrets: r and s = log_g h; public inputs: g, h. The generator commits to its input x as (g^r, g^x h^r) and publishes (h_0, h_1) such that h_0 · h_1 = g^{s_0} · g^{s_1} = g^s = h, together with (h_0 g^{w_0}, h_1 g^{w_1}). Check (for opened circuits): the evaluator verifies h_0 · h_1 = h and that (w_0, w_1) matches (h_0 g^{w_0}, h_1 g^{w_1}). Evaluate: the generator sends s_0 + w_0 and s_1 + w_1. Learning both w_0 and w_1 yields s_0 and s_1, hence s, and learning s reveals x.

Recent Advances (2) [Lindell-Riva, Crypto'14] [HKKKM, Crypto'14] [FJNNO, EUROCRYPT'13]: even more efficient if done collectively (amortized over many executions), e.g. fewer than 7 duplicates for 40-bit security. Ongoing work: any duplication factor strictly larger than 2 is achievable if the circuit is sufficiently large, but 2 is impossible to achieve.

Q & A