Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computing Cooperatively with People You Don't Trust David Evans University of Virginia University.

Published byNoel Clarke Modified over 8 years ago

Similar presentations

Presentation on theme: "Computing Cooperatively with People You Don't Trust David Evans University of Virginia University."— Presentation transcript:

1 Computing Cooperatively with People You Don't Trust David Evans University of Virginia http://www.cs.virginia.edu/evans http://MightBeEvil.com University of Richmond 30 January 2012

2 “Genetic Dating” 2 Alice Bob Genome Compatibility Protocol Your offspring will have good immune systems! WARNING! Don’t Reproduce WARNING! Don’t Reproduce

3 3

4 Genome Sequencing 4 1990: Human Genome Project starts, estimate $3B to sequence one genome ($0.50/base) 2000: Human Genome Project declared complete, cost ~$300M Whitehead Institute, MIT

5 5 Cost to sequence human genome Moore’s Law prediction (halve every 18 months) Data from National Human Genome Research Institute: http://www.genome.gov/sequencingcosts

6 6 Cost to sequence human genome Moore’s Law prediction (halve every 18 months) Data from National Human Genome Research Institute: http://www.genome.gov/sequencingcosts Ion torrent Personal Genome Machine

7 Human Genome Sequencing Using Unchained Base Reads on Self-Assembling DNA NanoarraysHuman Genome Sequencing Using Unchained Base Reads on Self-Assembling DNA Nanoarrays. Radoje Drmanac, Andrew B. Sparks, Matthew J. Callow, Aaron L. Halpern, Norman L. Burns, Bahram G. Kermani, Paolo Carnevali, Igor Nazarenko, Geoffrey B. Nilsen, George Yeung, Fredrik Dahl, Andres Fernandez, Bryan Staker, Krishna P. Pant, Jonathan Baccash, Adam P. Borcherding, Anushka Brownley, Ryan Cedeno, Linsu Chen, Dan Chernikoff, Alex Cheung, Razvan Chirita, Benjamin Curson, Jessica C. Ebert, Coleen R. Hacker, Robert Hartlage, Brian Hauser, Steve Huang, Yuan Jiang, Vitali Karpinchyk, Mark Koenig, Calvin Kong, Tom Landers, Catherine Le, Jia Liu, Celeste E. McBride, Matt Morenzoni, Robert E. Morey, Karl Mutch, Helena Perazich, Kimberly Perry, Brock A. Peters, Joe Peterson, Charit L. Pethiyagoda, Kaliprasad Pothuraju, Claudia Richter, Abraham M. Rosenbaum, Shaunak Roy, Jay Shafto, Uladzislau Sharanhovich, Karen W. Shannon, Conrad G. Sheppy, Michel Sun, Joseph V. Thakuria, Anne Tran, Dylan Vu, Alexander Wait Zaranek, Xiaodi Wu, Snezana Drmanac, Arnold R. Oliphant, William C. Banyai, Bruce Martin, Dennis G. Ballinger, George M. Church, Clifford A. Reid. Science, January 2010. Human Genome Sequencing Using Unchained Base Reads on Self-Assembling DNA NanoarraysHuman Genome Sequencing Using Unchained Base Reads on Self-Assembling DNA Nanoarrays. Radoje Drmanac, Andrew B. Sparks, Matthew J. Callow, Aaron L. Halpern, Norman L. Burns, Bahram G. Kermani, Paolo Carnevali, Igor Nazarenko, Geoffrey B. Nilsen, George Yeung, Fredrik Dahl, Andres Fernandez, Bryan Staker, Krishna P. Pant, Jonathan Baccash, Adam P. Borcherding, Anushka Brownley, Ryan Cedeno, Linsu Chen, Dan Chernikoff, Alex Cheung, Razvan Chirita, Benjamin Curson, Jessica C. Ebert, Coleen R. Hacker, Robert Hartlage, Brian Hauser, Steve Huang, Yuan Jiang, Vitali Karpinchyk, Mark Koenig, Calvin Kong, Tom Landers, Catherine Le, Jia Liu, Celeste E. McBride, Matt Morenzoni, Robert E. Morey, Karl Mutch, Helena Perazich, Kimberly Perry, Brock A. Peters, Joe Peterson, Charit L. Pethiyagoda, Kaliprasad Pothuraju, Claudia Richter, Abraham M. Rosenbaum, Shaunak Roy, Jay Shafto, Uladzislau Sharanhovich, Karen W. Shannon, Conrad G. Sheppy, Michel Sun, Joseph V. Thakuria, Anne Tran, Dylan Vu, Alexander Wait Zaranek, Xiaodi Wu, Snezana Drmanac, Arnold R. Oliphant, William C. Banyai, Bruce Martin, Dennis G. Ballinger, George M. Church, Clifford A. Reid. Science, January 2010.

8 8 Dystopia Personalized Medicine

9 Secure Two-Party Computation 9 Alice Bob Bob’s Genome: ACTG… Markers (~1000): [0,1, …, 0] Alice’s Genome: ACTG… Markers (~1000): [0, 0, …, 1] Can Alice and Bob compute a function of their private data, without exposing anything about their data besides the result?

10 Secure Function Evaluation Alice (circuit generator) Bob (circuit evaluator) Garbled Circuit Protocol Andrew Yao, 1982/1986

11 Regular Logic InputsOutput abx 000 010 100 111 AND a b x

12 Computing with Meaningless Values? InputsOutput abx a0a0 b0b0 x0x0 a0a0 b1b1 x0x0 a1a1 b0b0 x0x0 a1a1 b1b1 x1x1 AND a 0 or a 1 b 0 or b 1 x 0 or x 1 a i, b i, x i are random values, chosen by the circuit generator but meaningless to the circuit evaluator.

13 Encryption 13 Encrypt

14 Logic with Privacy InputsOutput abx a0a0 b0b0 a0a0 b1b1 a1a1 b0b0 a1a1 b1b1

15 Computing with Garbled Tables InputsOutput abx a0a0 b0b0 Enc a 0,b 0 (x 0 ) a0a0 b1b1 Enc a 0,b 1 (x 0 ) a1a1 b0b0 Enc a 1,b 0 (x 0 ) a1a1 b1b1 Enc a 1,b 1 (x 1 ) AND a 0 or a 1 b 0 or b 1 x 0 or x 1 Bob can only decrypt one of these! Garbled And Gate Enc a 0, b 1 (x 0 ) Enc a 1,b 1 (x 1 ) Enc a 1,b 0 (x 0 ) Enc a 0,b 0 (x 0 ) Random Permutation

16 Garbled Gate Enc a 0, b 1 (x 0 ) Enc a 1,b 1 (x 1 ) Enc a 1,b 0 (x 0 ) Enc a 0,b 0 (x 0 ) Garbled Circuit Protocol Alice (circuit generator) Sends a i to Bob based on her input value Bob (circuit evaluator) How does the Bob learn his own input wires?

17 Primitive: Oblivious Transfer Alice Bob Oblivious Transfer Protocol Oblivious: Alice doesn’t learn which secret Bob obtains Transfer: Bob learns one of Alice’s secrets Oblivious: Alice doesn’t learn which secret Bob obtains Transfer: Bob learns one of Alice’s secrets Rabin, 1981; Even, Goldreich, and Lempel, 1985; many subsequent papers

18 Chaining Garbled Circuits 18 AND a0a0 b0b0 x0x0 a1 b1b1 x1x1 OR x2x2 And Gate 1 Enc a1 0, b 1 1 (x1 0 ) Enc a1 1,b1 1 (x1 1 ) Enc a1 1,b1 0 (x1 0 ) Enc a1 0,b1 0 (x1 0 ) Or Gate 2 Enc x0 0, x 1 1 (x2 1 ) Enc x0 1,x1 1 (x2 1 ) Enc x0 1,x1 0 (x2 1 ) Enc x0 0,x1 0 (x2 0 ) … We can do any computation privately this way!

19 Building Computing Systems 19 Enc x0 0, x 1 1 (x2 1 ) Enc x0 1,x1 1 (x2 1 ) Enc x0 1,x1 0 (x2 1 ) Enc x0 0,x1 0 (x2 0 ) Digital Electronic CircuitsGarbled Circuits Operate on known dataOperate on encrypted wire labels One-bit logical operation requires moving a few electrons a few nanometers (hundreds of Billions per second) One-bit logical operation requires performing (up to) 4 encryption operations: very slow execution Reuse is great!Reuse is not allowed for privacy: huge circuits needed

20 Fairplay 20 Dahlia Malkhi, Noam Nisan, Benny Pinkas and Yaron Sella [USENIX Sec 2004] SFDL Program SFDL Compiler Circuit (SHDL) Alice Bob Garbled Tables Generator Garbled Tables Evaluator SFDL Compiler

21 Enc x0 0, x 1 1 (x2 1 ) Enc x0 1,x1 1 (x2 1 ) Enc x0 1,x1 0 (x2 1 ) Enc x2 0, x2 1 (x3 0 ) Enc x2 1,x2 1 (x3 0 ) Enc x2 1,x2 0 (x3 1 ) Enc x2 0, x3 1 (x4 1 ) Enc x2 1,x3 1 (x4 1 ) Enc x2 1,x3 0 (x4 0 ) Enc x4 0, x 3 1 (x5 1 ) Enc x4 1,x3 1 (x5 0 ) Enc x4 1,x3 0 (x5 0 ) Enc x4 0, x5 1 (x6 1 ) Enc x4 1,x5 1 (x6 0 ) Enc x4 1,x5 0 (x6 0 ) Enc x3 0, x 6 1 (x7 1 ) Enc x3 1,x6 1 (x7 0 ) Enc x3 1,x6 0 (x7 1 ) Faster Garbled Circuits 21 Circuit-Level Application GC Framework (Evaluator) GC Framework (Evaluator) GC Framework (Generator) Circuit Structure x41x41 x21x21 x3 1 x60x60 x51x51 x71x71 Gates can be evaluated as they are generated: pipelining Gates can be evaluated in any topological sort order: parallelizing Garbled evaluation can be combined with normal execution

22 Results: Performance 22 Binary gates per millisecond 100,000 gates per second

23 Results: Scalability 23 Largest circuit executed (non-free gates)

24 Applications 24 Privacy-Preserving Biometric Matching Private Personal Genomics Private Set Intersection Private AES Encryption

25 Heterozygous Recessive Risk 25 Aa AAAAa aaAaa Alice Bob cystic fibrosis carrier Goal: find the intersection of A and B Alice’s Heterozygous Recessive genes: { 5283423, 1425236, 839523, … } Bob’s Heterozygous Recessive genes: { 5823527, 839523, 169325, … }

26 Bit Vector Intersection 26 Alice’s Recessive genes: { 5283423, 1425236, 839523, … } Bob’s Recessive genes: { 5823527, 839523, 169325, … } [ 0, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0] [ 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0] [ PAH, PKU, CF, … ] AND... Bitwise AND...

27 Common Contacts

28 Sort-Compare-Shuffle 28 Sort: Take advantage of total order of elements Compare adjacent elements Shuffle to hide positions

29 SCS-WN Protocol Results 32-bit values

30 30

31 Problem Best Previous ResultOur ResultSpeedup Private Set Intersection (contact matching, common disease carrier) Competitive with best custom protocols, scales to millions of 32-bit elements Hamming Distance (Face Recognition) 213s [SCiFI, 2010] 0.051s4176 Levenshtein Distance (genome, text comparison) – two 200- character inputs 534s [Jha+, 2008] 18.4s29 Smith-Waterman (genome alignment) – two 60-nucleotide sequences [Not Implementable] 447s- AES Encryption3.3s [Henecka, 2010] 0.2s16.5 Fingerprint Matching (1024-entry database, 640x8bit vectors) ~83s [Barni, 2010] 18s4.6 31 NDSS 2011 USENIX Security 2011 NDSS 2012

32 Research Group and Alumni 32

33 33 Jonathan Katz (University of Maryland) Yan Huang (UVa Computer Science PhD Student) Peter Chapman (UVa BACS 2012) Funding: NSF, MURI (AFOSR), Google Funding: NSF, MURI (AFOSR), Google

34 34 MightBeEvil.com

Download ppt "Computing Cooperatively with People You Don't Trust David Evans University of Virginia University."

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Polylogarithmic Private Approximations and Efficient Matching
Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.
Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.

Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.
Practical Cryptographic Secure Computation DHOSA MURI PIs Meeting

Practical Cryptographic Secure Computation DHOSA MURI PIs Meeting
Controlled Functional Encryption Muhammad Naveed, Shashank Agrawal, Manoj Prabhakaran, Xiaofeng Wang, Erman Ayday, Jean-Pierre Hubaux, Carl A. Gunter.

Controlled Functional Encryption Muhammad Naveed, Shashank Agrawal, Manoj Prabhakaran, Xiaofeng Wang, Erman Ayday, Jean-Pierre Hubaux, Carl A. Gunter.
Faster Secure Two-Party Computation Using Garbled Circuits

Faster Secure Two-Party Computation Using Garbled Circuits
Yan Huang, David Evans, Jonathan Katz

Yan Huang, David Evans, Jonathan Katz
Addressing the Trust Asymmetry Problem In Grid Computing with Encrypted Computation Peter A. Dinda Prescience Lab Department of Computer Science Northwestern.

Addressing the Trust Asymmetry Problem In Grid Computing with Encrypted Computation Peter A. Dinda Prescience Lab Department of Computer Science Northwestern.
Oblivious Branching Program Evaluation

Oblivious Branching Program Evaluation
Modern Symmetric-Key Ciphers

Modern Symmetric-Key Ciphers
ITIS 6200/8200. 2 Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.

ITIS 6200/ Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Oblivious Transfer (OT) Alice (sender) has n secrets Alice wants to give k secrets to Bob Bob wants the secrets but does not want Alice to know which secrets.

Oblivious Transfer (OT) Alice (sender) has n secrets Alice wants to give k secrets to Bob Bob wants the secrets but does not want Alice to know which secrets.
Secure Computation on Mobile Devices Peter Chapman CS 1120 December 2, 2011.

Secure Computation on Mobile Devices Peter Chapman CS 1120 December 2, 2011.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
ORAM – Used for Secure Computation by Venkatasatheesh Piduri 1.

ORAM – Used for Secure Computation by Venkatasatheesh Piduri 1.
Automating Efficient RAM- Model Secure Computation Chang Liu, Yan Huang, Elaine Shi, Jonathan Katz, Michael Hicks University of Maryland, College Park.

Automating Efficient RAM- Model Secure Computation Chang Liu, Yan Huang, Elaine Shi, Jonathan Katz, Michael Hicks University of Maryland, College Park.

Similar presentations

Ads by Google