Computing Cooperatively with People You Don't Trust David Evans University of Virginia University.

Slides:



Advertisements
Similar presentations
Polylogarithmic Private Approximations and Efficient Matching
Advertisements

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.
Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.
Practical Cryptographic Secure Computation DHOSA MURI PIs Meeting
Controlled Functional Encryption Muhammad Naveed, Shashank Agrawal, Manoj Prabhakaran, Xiaofeng Wang, Erman Ayday, Jean-Pierre Hubaux, Carl A. Gunter.
Faster Secure Two-Party Computation Using Garbled Circuits
Yan Huang, David Evans, Jonathan Katz
Addressing the Trust Asymmetry Problem In Grid Computing with Encrypted Computation Peter A. Dinda Prescience Lab Department of Computer Science Northwestern.
Oblivious Branching Program Evaluation
Modern Symmetric-Key Ciphers
ITIS 6200/ Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Oblivious Transfer (OT) Alice (sender) has n secrets Alice wants to give k secrets to Bob Bob wants the secrets but does not want Alice to know which secrets.
Secure Computation on Mobile Devices Peter Chapman CS 1120 December 2, 2011.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
ORAM – Used for Secure Computation by Venkatasatheesh Piduri 1.
Automating Efficient RAM- Model Secure Computation Chang Liu, Yan Huang, Elaine Shi, Jonathan Katz, Michael Hicks University of Maryland, College Park.
What Crypto Can Do for You: Solutions in Search of Problems Anna Lysyanskaya Brown University.
This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 11: Birthday Paradoxes.
Network Security – Part 2 Public Key Cryptography Spring 2007 V.T. Raja, Ph.D., Oregon State University.
Oblivious Transfer based on the McEliece Assumptions
1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.
Secure Authentication Using Biometric Data Andrew Ackerman Professor Ostrovsky.
Cs3102: Theory of Computation Class 26: NP-Complete Entrées (DNA with a side of Gödel) Spring 2010 University of Virginia David Evans.
1 Secure Computation in the Real(ish) World David Evans University of Virginia Carnegie Mellon.
Usenix Security 2004 Slide 1 Fairplay – A Secure Two- Party Computation System Yaron Sella Hebrew University of Jerusalem Joint work with Dahlia Malkhi,
Blind Vision Shai Avidan, Moshe Butman Yuval Schwartz.
Slide 1 Vitaly Shmatikov CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties.
Computer Science Public Key Management Lecture 5.
Cystic Fibrosis Casey Kriak Joe Scalora Seyi Akinsola January 27, 2010 Period 9-10.
Pretty Good Privacy by Philip Zimmerman presented by: Chris Ward.
Privacy-Preserving Data Quality Assessment for High-Fidelity Data Sharing Julien Freudiger, Shantanu Rane, Alex Brito, and Ersin Uzun PARC.
ObliVM: A Programming Framework for Secure Computation
Cryptography: RSA & DES Marcia Noel Ken Roe Jaime Buccheri.
Insert presenter logo here on slide master. See hidden slide 4 for directions  Session ID: Session Classification: SEUNG GEOL CHOI UNIVERSITY OF MARYLAND.
On the Practical Feasibility of Secure Distributed Computing A Case Study Gregory Neven, Frank Piessens, Bart De Decker Dept. of Computer Science, K.U.Leuven.
1 Information Security – Theory vs. Reality , Winter Lecture 10: Garbled circuits (cont.), fully homomorphic encryption Eran Tromer.
Slide 1 Vitaly Shmatikov CS 380S Yao’s Protocol. slide Yao’s Protocol uCompute any function securely … in the semi-honest model uFirst, convert.
Secure two-party computation: a visual way by Paolo D’Arco and Roberto De Prisco.
Slide 1 Yao’s Protocol. slide Yao’s Protocol uCompute any function securely … in the semi-honest model uFirst, convert the function into a boolean.
Privacy-Preserving Trust Negotiations* Mikhail Atallah CERIAS and Department of Computer Sciences Purdue University * Joint work with Keith Frikken and.
14-3 Human Molecular Genetics. Testing for Alleles Genetic tests are now available for hundreds of disorders o Tay-Sachs o Cystic Fibrosis o Sickle Cell.
1 Computing Without Exposing Data David Evans University of Virginia Radford University CSAT.
Privacy Preserving Data Mining Yehuda Lindell Benny Pinkas Presenter: Justin Brickell.
Privacy-Preserving Credit Checking Keith Frikken, Mikhail Atallah, and Chen Zhang Purdue University June 7, 2005.
1 Normal executable Infected executable Sequence of program instructions Entry Original program Entry Jump Replication and payload Viruses.
Non-Interactive Verifiable Computing August 5, 2009 Bryan Parno Carnegie Mellon University Rosario Gennaro, Craig Gentry IBM Research.
Secure Computation Lecture Arpita Patra. Recap >> Improving the complexity of GMW > Step I: Offline: O(n 2 c AND ) OTs; Online: i.t., no crypto.
Page 1March 1, th Estonian Winter School in Computer Science Privacy Preserving Data Mining Lecture 2 Cryptographic Solutions Benny Pinkas HP Labs,
Hidden Access Control Policies with Hidden Credentials Keith Frikken, Mikhail Atallah, Jiangtao Li CERIAS and Department of Computer Sciences Purdue University.
Efficient Oblivious Transfer with Stateless Secure Tokens Alcatel-Lucent Bell Labs Vlad Kolesnikov.
Lecture 5 Page 1 CS 236 Online More on Cryptography CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Privacy-Preserving Data Aggregation without Secure Channel: Multivariate Polynomial Evaluation Taeho Jung 1, XuFei Mao 2, Xiang-Yang Li 1, Shao-Jie Tang.
David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 15: From Here to Oblivion.
Cryptographic methods. Outline  Preliminary Assumptions Public-key encryption  Oblivious Transfer (OT)  Random share based methods  Homomorphic Encryption.
Secure Computation Basics Yan Huang Indiana University May 9, 2016.
Multi-Party Computation r n parties: P 1,…,P n  P i has input s i  Parties want to compute f(s 1,…,s n ) together  P i doesn’t want any information.
Garbling Techniques David Evans
(More) Efficient Secure Computation from Garbled Circuits
The first Few Slides stolen from Boaz Barak
Course Business I am traveling April 25-May 3rd
Cryptography CS 555 Lecture 22
Maliciously Secure Two-Party Computation
Privacy Preserving analytics Private Set Intersection(PSI)
Presentation transcript:

Computing Cooperatively with People You Don't Trust David Evans University of Virginia University of Richmond 30 January 2012

“Genetic Dating” 2 Alice Bob Genome Compatibility Protocol Your offspring will have good immune systems! WARNING! Don’t Reproduce WARNING! Don’t Reproduce

3

Genome Sequencing : Human Genome Project starts, estimate $3B to sequence one genome ($0.50/base) 2000: Human Genome Project declared complete, cost ~$300M Whitehead Institute, MIT

5 Cost to sequence human genome Moore’s Law prediction (halve every 18 months) Data from National Human Genome Research Institute:

6 Cost to sequence human genome Moore’s Law prediction (halve every 18 months) Data from National Human Genome Research Institute: Ion torrent Personal Genome Machine

Human Genome Sequencing Using Unchained Base Reads on Self-Assembling DNA NanoarraysHuman Genome Sequencing Using Unchained Base Reads on Self-Assembling DNA Nanoarrays. Radoje Drmanac, Andrew B. Sparks, Matthew J. Callow, Aaron L. Halpern, Norman L. Burns, Bahram G. Kermani, Paolo Carnevali, Igor Nazarenko, Geoffrey B. Nilsen, George Yeung, Fredrik Dahl, Andres Fernandez, Bryan Staker, Krishna P. Pant, Jonathan Baccash, Adam P. Borcherding, Anushka Brownley, Ryan Cedeno, Linsu Chen, Dan Chernikoff, Alex Cheung, Razvan Chirita, Benjamin Curson, Jessica C. Ebert, Coleen R. Hacker, Robert Hartlage, Brian Hauser, Steve Huang, Yuan Jiang, Vitali Karpinchyk, Mark Koenig, Calvin Kong, Tom Landers, Catherine Le, Jia Liu, Celeste E. McBride, Matt Morenzoni, Robert E. Morey, Karl Mutch, Helena Perazich, Kimberly Perry, Brock A. Peters, Joe Peterson, Charit L. Pethiyagoda, Kaliprasad Pothuraju, Claudia Richter, Abraham M. Rosenbaum, Shaunak Roy, Jay Shafto, Uladzislau Sharanhovich, Karen W. Shannon, Conrad G. Sheppy, Michel Sun, Joseph V. Thakuria, Anne Tran, Dylan Vu, Alexander Wait Zaranek, Xiaodi Wu, Snezana Drmanac, Arnold R. Oliphant, William C. Banyai, Bruce Martin, Dennis G. Ballinger, George M. Church, Clifford A. Reid. Science, January Human Genome Sequencing Using Unchained Base Reads on Self-Assembling DNA NanoarraysHuman Genome Sequencing Using Unchained Base Reads on Self-Assembling DNA Nanoarrays. Radoje Drmanac, Andrew B. Sparks, Matthew J. Callow, Aaron L. Halpern, Norman L. Burns, Bahram G. Kermani, Paolo Carnevali, Igor Nazarenko, Geoffrey B. Nilsen, George Yeung, Fredrik Dahl, Andres Fernandez, Bryan Staker, Krishna P. Pant, Jonathan Baccash, Adam P. Borcherding, Anushka Brownley, Ryan Cedeno, Linsu Chen, Dan Chernikoff, Alex Cheung, Razvan Chirita, Benjamin Curson, Jessica C. Ebert, Coleen R. Hacker, Robert Hartlage, Brian Hauser, Steve Huang, Yuan Jiang, Vitali Karpinchyk, Mark Koenig, Calvin Kong, Tom Landers, Catherine Le, Jia Liu, Celeste E. McBride, Matt Morenzoni, Robert E. Morey, Karl Mutch, Helena Perazich, Kimberly Perry, Brock A. Peters, Joe Peterson, Charit L. Pethiyagoda, Kaliprasad Pothuraju, Claudia Richter, Abraham M. Rosenbaum, Shaunak Roy, Jay Shafto, Uladzislau Sharanhovich, Karen W. Shannon, Conrad G. Sheppy, Michel Sun, Joseph V. Thakuria, Anne Tran, Dylan Vu, Alexander Wait Zaranek, Xiaodi Wu, Snezana Drmanac, Arnold R. Oliphant, William C. Banyai, Bruce Martin, Dennis G. Ballinger, George M. Church, Clifford A. Reid. Science, January 2010.

8 Dystopia Personalized Medicine

Secure Two-Party Computation 9 Alice Bob Bob’s Genome: ACTG… Markers (~1000): [0,1, …, 0] Alice’s Genome: ACTG… Markers (~1000): [0, 0, …, 1] Can Alice and Bob compute a function of their private data, without exposing anything about their data besides the result?

Secure Function Evaluation Alice (circuit generator) Bob (circuit evaluator) Garbled Circuit Protocol Andrew Yao, 1982/1986

Regular Logic InputsOutput abx AND a b x

Computing with Meaningless Values? InputsOutput abx a0a0 b0b0 x0x0 a0a0 b1b1 x0x0 a1a1 b0b0 x0x0 a1a1 b1b1 x1x1 AND a 0 or a 1 b 0 or b 1 x 0 or x 1 a i, b i, x i are random values, chosen by the circuit generator but meaningless to the circuit evaluator.

Encryption 13 Encrypt

Logic with Privacy InputsOutput abx a0a0 b0b0 a0a0 b1b1 a1a1 b0b0 a1a1 b1b1

Computing with Garbled Tables InputsOutput abx a0a0 b0b0 Enc a 0,b 0 (x 0 ) a0a0 b1b1 Enc a 0,b 1 (x 0 ) a1a1 b0b0 Enc a 1,b 0 (x 0 ) a1a1 b1b1 Enc a 1,b 1 (x 1 ) AND a 0 or a 1 b 0 or b 1 x 0 or x 1 Bob can only decrypt one of these! Garbled And Gate Enc a 0, b 1 (x 0 ) Enc a 1,b 1 (x 1 ) Enc a 1,b 0 (x 0 ) Enc a 0,b 0 (x 0 ) Random Permutation

Garbled Gate Enc a 0, b 1 (x 0 ) Enc a 1,b 1 (x 1 ) Enc a 1,b 0 (x 0 ) Enc a 0,b 0 (x 0 ) Garbled Circuit Protocol Alice (circuit generator) Sends a i to Bob based on her input value Bob (circuit evaluator) How does the Bob learn his own input wires?

Primitive: Oblivious Transfer Alice Bob Oblivious Transfer Protocol Oblivious: Alice doesn’t learn which secret Bob obtains Transfer: Bob learns one of Alice’s secrets Oblivious: Alice doesn’t learn which secret Bob obtains Transfer: Bob learns one of Alice’s secrets Rabin, 1981; Even, Goldreich, and Lempel, 1985; many subsequent papers

Chaining Garbled Circuits 18 AND a0a0 b0b0 x0x0 a1 b1b1 x1x1 OR x2x2 And Gate 1 Enc a1 0, b 1 1 (x1 0 ) Enc a1 1,b1 1 (x1 1 ) Enc a1 1,b1 0 (x1 0 ) Enc a1 0,b1 0 (x1 0 ) Or Gate 2 Enc x0 0, x 1 1 (x2 1 ) Enc x0 1,x1 1 (x2 1 ) Enc x0 1,x1 0 (x2 1 ) Enc x0 0,x1 0 (x2 0 ) … We can do any computation privately this way!

Building Computing Systems 19 Enc x0 0, x 1 1 (x2 1 ) Enc x0 1,x1 1 (x2 1 ) Enc x0 1,x1 0 (x2 1 ) Enc x0 0,x1 0 (x2 0 ) Digital Electronic CircuitsGarbled Circuits Operate on known dataOperate on encrypted wire labels One-bit logical operation requires moving a few electrons a few nanometers (hundreds of Billions per second) One-bit logical operation requires performing (up to) 4 encryption operations: very slow execution Reuse is great!Reuse is not allowed for privacy: huge circuits needed

Fairplay 20 Dahlia Malkhi, Noam Nisan, Benny Pinkas and Yaron Sella [USENIX Sec 2004] SFDL Program SFDL Compiler Circuit (SHDL) Alice Bob Garbled Tables Generator Garbled Tables Evaluator SFDL Compiler

Enc x0 0, x 1 1 (x2 1 ) Enc x0 1,x1 1 (x2 1 ) Enc x0 1,x1 0 (x2 1 ) Enc x2 0, x2 1 (x3 0 ) Enc x2 1,x2 1 (x3 0 ) Enc x2 1,x2 0 (x3 1 ) Enc x2 0, x3 1 (x4 1 ) Enc x2 1,x3 1 (x4 1 ) Enc x2 1,x3 0 (x4 0 ) Enc x4 0, x 3 1 (x5 1 ) Enc x4 1,x3 1 (x5 0 ) Enc x4 1,x3 0 (x5 0 ) Enc x4 0, x5 1 (x6 1 ) Enc x4 1,x5 1 (x6 0 ) Enc x4 1,x5 0 (x6 0 ) Enc x3 0, x 6 1 (x7 1 ) Enc x3 1,x6 1 (x7 0 ) Enc x3 1,x6 0 (x7 1 ) Faster Garbled Circuits 21 Circuit-Level Application GC Framework (Evaluator) GC Framework (Evaluator) GC Framework (Generator) Circuit Structure x41x41 x21x21 x3 1 x60x60 x51x51 x71x71 Gates can be evaluated as they are generated: pipelining Gates can be evaluated in any topological sort order: parallelizing Garbled evaluation can be combined with normal execution

Results: Performance 22 Binary gates per millisecond 100,000 gates per second

Results: Scalability 23 Largest circuit executed (non-free gates)

Applications 24 Privacy-Preserving Biometric Matching Private Personal Genomics Private Set Intersection Private AES Encryption

Heterozygous Recessive Risk 25 Aa AAAAa aaAaa Alice Bob cystic fibrosis carrier Goal: find the intersection of A and B Alice’s Heterozygous Recessive genes: { , , , … } Bob’s Heterozygous Recessive genes: { , , , … }

Bit Vector Intersection 26 Alice’s Recessive genes: { , , , … } Bob’s Recessive genes: { , , , … } [ 0, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0] [ 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0] [ PAH, PKU, CF, … ] AND... Bitwise AND...

Common Contacts

Sort-Compare-Shuffle 28 Sort: Take advantage of total order of elements Compare adjacent elements Shuffle to hide positions

SCS-WN Protocol Results 32-bit values

30

Problem Best Previous ResultOur ResultSpeedup Private Set Intersection (contact matching, common disease carrier) Competitive with best custom protocols, scales to millions of 32-bit elements Hamming Distance (Face Recognition) 213s [SCiFI, 2010] 0.051s4176 Levenshtein Distance (genome, text comparison) – two 200- character inputs 534s [Jha+, 2008] 18.4s29 Smith-Waterman (genome alignment) – two 60-nucleotide sequences [Not Implementable] 447s- AES Encryption3.3s [Henecka, 2010] 0.2s16.5 Fingerprint Matching (1024-entry database, 640x8bit vectors) ~83s [Barni, 2010] 18s NDSS 2011 USENIX Security 2011 NDSS 2012

Research Group and Alumni 32

33 Jonathan Katz (University of Maryland) Yan Huang (UVa Computer Science PhD Student) Peter Chapman (UVa BACS 2012) Funding: NSF, MURI (AFOSR), Google Funding: NSF, MURI (AFOSR), Google

34 MightBeEvil.com

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.