Scaling Secure Computation Using the Cloud

1 Scaling Secure Computation Using the Cloud
Payman Mohassel, Yahoo Labs

2 Do We Have the Same Person in Mind?
Alice and Bob each have a person in mind (e.g. Jack or Joe). They want to find out whether it is the same person and reveal only Yes/No.

3 Solutions?
- You have access to a trusted computer
- You can use an airline reservation service
- You can use a password login page

4 Who is Richer? (Millionaires' Problem)
Inputs X and Y; learn only whether X > Y.

5 Solutions?
- Trusted party
- Trusted program
- Check different digits?
- Ask comparison questions

6 Secure Multiparty Computation (MPC)
Parties P1, …, P5 hold inputs x1, …, x5 and learn only f(x1,…,xn).
- Correctness: honest parties learn the correct output
- Privacy: nothing but the final output is leaked

7 Location-Based Services
- Serving information/services: stores, restaurants, ATMs, … tourist guides, ads, …
- Location-based access control
- Privacy-Preserving Proximity Testing: Alice and Bob learn whether they are close to each other but nothing else [NTLH 11, KMRS13]

8 Remote Diagnosis
- Programs/patterns: error reporting systems, medical diagnosis program, IDS/IPS rule sets, DNA patterns
- Data: log files, list of symptoms, packets, DNA database
Privacy-Preserving Intrusion Detection: IDS rule set → DFA → oblivious DFA evaluation. Implemented and tested on Snort [MNS13].

9 More Applications
- Data mining
- Electronic voting
- Auctions
- Exchanges/financial analysis
- Location privacy
- Genomic computation
- Electronic commerce
- Healthcare
Relevant when there is IP, an NDA, or user consent involved, and when you need to distribute trust.

10 A Heuristic Approach to Security [Lindell]
1. Build a protocol
2. Try to break the protocol
3. Fix the break
4. Return to (2)

11 The Challenge Is [Lindell]
- You can never be really sure that the protocol is secure
- Compare to algorithms: inputs are not adversarial
- Hackers will do anything to exploit a weakness; if one exists, it may well be found
- Security cannot be checked empirically

12 A Rigorous Approach [Lindell]
- Provide an exact problem definition: adversarial power, network model, meaning of security
- Prove that the protocol is secure, often by reduction to an assumed hard problem, like the discrete-log problem

13 Our Adversary
- Adversary is an algorithm
- Adversary runs in polynomial time
- Adversary corrupts one of the two parties; we do not know which one
- How does the corrupted party behave? Follows the protocol (semi-honest) or behaves arbitrarily (malicious)

14 What Does Security Mean?
- Correctness: an honest party learns the correct output
- Privacy: nothing but the final output is leaked
- Fairness: either both parties learn the output or neither

15 Is It Achievable?
Feasible for any polynomial-time function:
- Boolean circuits [Yao82, GMW87, BMR90, …]
- Arithmetic circuits [BGW88, CCD88, …]

16 Implementations
- Fairplay, FairplayMP: implementations of 2PC & MPC
- VIFF and SEPIA: sharing-based MPC, real-life usage
- Sharemind: 3-party MPC, financial data analysis
- TASTY: mixed MPC framework (HE + garbled circuits)
- Fast Garbled Circuits: highly-optimized garbled circuit framework
- FRESCO: a reusable set of libraries for implementing MPC
- SCAPI: a set of Java-based libraries for MPC
- SPDZ: MPC implementation with fast online phase
- Dyadic Security

17 1-out-of-2 Oblivious Transfer [Rabin, 1981]
Two parties, Alice and Bob. The Sender holds Y0, Y1; the Chooser holds a bit j. The Chooser learns Yj and nothing else; the Sender learns nothing.

18 Yao's Garbled Circuits
- First secure computation protocol
- One of the most efficient
- Implementations: Fairplay (2004), TASTY (2010), FastGarble (2011), SCAPI (2013), JustGarble (2013)
- Circuits with millions of gates in less than a second

19 A Garbling Scheme
For a circuit $C$ with $C(x,y) = f(x,y)$:
- $\mathrm{Garble}(C, seed) \rightarrow (GC, E, D)$: the garbled circuit $GC$, input encoding information $E$, output decoding information $D$
- $\mathrm{Encode}(x, E) \rightarrow GI_x$ and $\mathrm{Encode}(y, E) \rightarrow GI_y$: the garbled inputs
- $\mathrm{Eval}(GC, GI_x, GI_y) \rightarrow GO$: the garbled output, which $D$ decodes to $f(x,y)$

20 Some Basic Properties
- Privacy: knowing $GI_x$, $GI_y$ and $GC$ does not leak any info
- Output authenticity: given $GI_x$, $GI_y$ and $GC$, one cannot compute another valid output $GO' \neq GO$

21 Garble/Evaluate
Garble an AND gate: input wires 1 and 2 carry keys $(k^1_0, k^1_1)$ and $(k^2_0, k^2_1)$, the output wire 3 carries $(k^3_0, k^3_1)$. The garbled gate is the table
$c_{0,0} = E_{k^1_0, k^2_0}(k^3_0)$, $c_{0,1} = E_{k^1_0, k^2_1}(k^3_0)$, $c_{1,0} = E_{k^1_1, k^2_0}(k^3_0)$, $c_{1,1} = E_{k^1_1, k^2_1}(k^3_1)$.
Evaluate: $\mathrm{Dec}_{k^1_a, k^2_b}(c_{a,b}) = k^3_{a \wedge b}$.

22 Semi-honest 2PC
Garbler holds $x$, Evaluator holds $y$, circuit $C(x,y) = f(x,y)$:
1. Garbler: $(GC, E, D) \leftarrow \mathrm{Garble}(C, sd)$ and $GI_x \leftarrow \mathrm{Encode}(x, E)$; sends $GC$, $GI_x$ and $D$ to the Evaluator.
2. Evaluator obtains its garbled input $GI_y$ from the Garbler via Oblivious Transfer.
3. Evaluator evaluates $GC$ on $GI_x$, $GI_y$ and decodes with $D$ to obtain $f(x,y)$.
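The Garble/Encode/Eval/Decode interface of slides 19 to 22, worked through for a single AND gate, as an added example that is not part of the presentation. The seed-derived wire keys, the hash-based pad standing in for $E_{k^1_a,k^2_b}$, the zero tag that marks the one decryptable row, and the `decode` helper are choices made here; the oblivious transfer is modelled as an ideal lookup.

```python
import hashlib
import random
# One AND gate, C(x, y) = x AND y, garbled with the Garble/Encode/Eval/Decode interface on the slides.
# Wire 1 carries x, wire 2 carries y, wire 3 the output. Constructed illustration, not the speaker's
# code: the key derivation, zero tag and hash-based pad are choices made for this example.
KEYLEN = 16
TAG = b"\x00" * 8   # lets the evaluator recognise the single row its two keys open

def H(k1, k2):
    """Pad derived from two input-wire keys; stands in for the double encryption E_{k1,k2}."""
    return hashlib.sha256(k1 + k2).digest()[:KEYLEN + len(TAG)]

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def garble(seed):
    """Garble(C, seed) -> (GC, E, D). Wire keys k^w_b are derived from the garbler's secret seed."""
    k = {(w, b): hashlib.sha256(seed + bytes([w, b])).digest()[:KEYLEN]
         for w in (1, 2, 3) for b in (0, 1)}
    # c_{a,b} = E_{k^1_a, k^2_b}(k^3_{a AND b}): the output key (plus tag) padded with H(k^1_a, k^2_b)
    GC = [xor(H(k[1, a], k[2, b]), k[3, a & b] + TAG) for a in (0, 1) for b in (0, 1)]
    random.Random(seed).shuffle(GC)              # row order must not reveal (a, b)
    E = {(w, b): k[w, b] for w in (1, 2) for b in (0, 1)}   # input encoding information
    D = {k[3, 0]: 0, k[3, 1]: 1}                            # output decoding information
    return GC, E, D

def encode(bit, wire, E):
    """Encode(x, E): the garbled input on a wire is the key belonging to the actual bit."""
    return E[wire, bit]

def evaluate(GC, gi_x, gi_y):
    """Eval(GC, GI_x, GI_y) -> GO: exactly one of the four rows opens with a valid tag."""
    pad = H(gi_x, gi_y)
    for c in GC:
        pt = xor(pad, c)
        if pt[KEYLEN:] == TAG:
            return pt[:KEYLEN]
    raise ValueError("no row opened: garbled inputs do not belong to this table")

def decode(D, go):
    """Decode(D, GO) -> f(x, y); a label not in D is rejected (output authenticity)."""
    if go not in D:
        raise ValueError("invalid output label")
    return D[go]

def semi_honest_2pc(x, y, seed=b"constructed-seed"):
    GC, E, D = garble(seed)
    gi_x = encode(x, 1, E)   # garbler encodes its own input and sends GC, GI_x, D
    gi_y = encode(y, 2, E)   # reaches the evaluator by 1-out-of-2 OT in the protocol (ideal lookup here)
    return decode(D, evaluate(GC, gi_x, gi_y))
```

The evaluator sees four pseudorandom rows and two keys, so it learns which row opens but not which bits the keys stand for; only $D$ turns the output key into a bit.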

23 Efficiency Metrics
- Computation: cheap operations (SHA, AES, …) versus expensive ones (exponentiations, …)
- Communication: a major challenge, especially for small devices
- Interaction: minimize coordination
- Memory usage

24 Limits of Standard MPC
- MPC is symmetric: all parties' work/bandwidth is similar
- MPC does not always scale: cost is proportional to circuit size, and circuits can have billions of gates
- Unavoidable overhead: crypto is expensive, e.g. public-key crypto is required

25 Server-Aided Model
Introduce a server with no input or output but considerable resources; motivated by cloud services.
- Assumptions: honest, semi-honest, malicious? Collude or not collude?
- Server involvement: is it always online? Knows the function, parties, …?
Outsourcing secure multiparty computation, eprint, 2011
Salus: a system for server-aided secure computation, ACM CCS, 2012

26 Honest Cloud
Cloud is trusted with privacy of inputs/outputs and correctness of its computation.
Easy case: each party sends his inputs to the cloud and the cloud does all the computation. This is the status quo.

27 Dishonest Cloud
- Semi-honest: trusted with correct computation, not trusted with privacy of inputs/outputs
- Malicious: not trusted with anything

28 1) Service Providers
Setting: a service provider (SP) with input y and a cloud, both with resources; weak clients with inputs x1, x2, x3 and limited resources.
Goal: weak clients need little work/bandwidth.
Salus [KMR 2012]: general-purpose; clients do very small work.

29 2) Collaborative Computing
Setting: parties with inputs x1, x2, x3 who don't trust each other, and a cloud we don't necessarily trust but that can help.
Goal: minimize average computation of all players.
SA-PSI [KMRS 2013]: server-aided private set intersection; scales to billion-element sets over the internet (using MS Azure); 5 orders of magnitude improvement!

30 3) Privacy as a Service
Offline: each party obtains a "privacy commodity" (cd1, cd2, cd3) from the cloud, independent of function/inputs/parties.
Online: the parties compute on (cd1, x1), (cd2, x2), (cd3, x3) with minor cloud involvement; the function is secret to the cloud.
Goal: minimize online computation/bandwidth and minimize online cloud interaction.
CB-2PC for Smartphone [MOR 2013]: implemented as an Android app; privacy commodities = app updates.

31 Questions?

32 References
[AL07] Aumann and Lindell. Security against covert adversaries: Efficient protocols for realistic adversaries. TCC
[CLS09] Chow et al. Privacy-Preserving Queries over Distributed Databases. NDSS
[DCCR12] Dong et al. Fair Private Set Intersection with a Semi-trusted Arbiter. Eprint
[FR97] Franklin and Reiter. Fair exchange with a semi-trusted third party. ACM CCS 1997
[GHS10] Gennaro et al. Automata evaluation and text search protocols with simulation based security. PKC
[GMS08] Goyal et al. Secure Two-party and Multi-party Computation against Covert Adversaries. EUROCRYPT
[HEK12] Huang et al. Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? NDSS
[HEKM11] Huang et al. Faster Secure Two-Party Computation Using Garbled Circuits. Usenix Security
[HKE12] Huang et al. Quid Pro Quo-tocols: Strengthening Semi-Honest Protocols with Dual Execution. IEEE S&P
[IP07] Ishai and Paskin. Evaluating branching programs on encrypted data. TCC
[JKSS10] Jarvinen et al. Garbled Circuits for Leakage-Resilience: Hardware Implementation and Evaluation of One-Time Programs. CHES
[KMR11] Kamara et al. Outsourcing Multiparty Computation. Eprint
[KMR12] Kamara et al. Salus: A System for Server-Aided Secure Function Evaluation. ACM CCS 2012

33 References
[KS08] Kolesnikov and Schneider. Improved Garbled Circuit: Free XOR Gates and Applications. ICALP
[KSS12] Kreuter et al. Towards Billion-Gate Secure Computation with Malicious Adversaries. Usenix Security
[LP07] Lindell and Pinkas. An efficient protocol for secure two-party computation in the presence of malicious adversaries. Eurocrypt
[LP11] Lindell and Pinkas. Secure two-party computation via cut-and-choose oblivious transfer. TCC
[LTV12] Lopez-Alt et al. On-the-Fly Multiparty Computation on the Cloud via Multikey Fully Homomorphic Encryption. STOC 2012
[MF06] Mohassel and Franklin. Efficiency Tradeoffs for Malicious Two-Party Computation. PKC
[MN12] Mohassel and Niksefat. Oblivious Decision Programs from Oblivious Transfer: Efficient Reductions. FC
[MNSS13] Mohassel et al. ZIDS - A Privacy-Preserving Intrusion Detection System using Secure Two-Party Computation Protocols. To appear in the Computer Journal
[MNSS12] Mohassel et al. An Efficient Protocol for Oblivious DFA Evaluation and Applications. CT-RSA
[MR13] Mohassel and Riva. More Efficient Secure Two-Party Computation Protocols Based on Cut-and-Choose. CRYPTO
[NPS99] Naor et al. Privacy Preserving Auctions and Mechanisms. EC
[NTLHB11] Narayanan et al. Location privacy via private proximity testing. NDSS
[PSSW09] Pinkas et al. Secure two-party computation is practical. Asiacrypt
[SS11] Shelat and Shen. Two-output secure computation with malicious adversaries. Eurocrypt 2011
