An Introduction to Practical Multiparty Computation
Jack Doerner [Northeastern U]
This Talk
• MPC Frameworks - General Computation
• Circuit Structures - Solving Specific Problems
• The Memory Problem - A Perpetual Bugbear
• Custom Protocols - Beyond Circuits
But not: Theory, Protocols, Security Models
MPC History
• 1982: Yao’s Garbled Circuits
• 2004: Fairplay
• 2016: FairplayMP, Obliv-C, ObliVM, FastGC, TASTY, SPDZ, EMP, TinyOT, ShareMind, PCF, Sharemonad, TinyOT, Fresco, Wysteria, …
Plus, many schemes that have never been implemented!
MPC Frameworks
Obliv-C ObliVM
SPDZ Sharemind
The n Millionaires Problem
1. Millionaires additively share their inputs
2. Computation authorities engage in MPC
3. Result is revealed
Obliv-C
• Protocol: Yao’s Garbled Circuits (others possible)
• Language type: C-compatible DSL
• Philosophy: Minimalism and expressiveness. Only one additional keyword over C.
• Raw speed: 3M+ AND gates per second reported
• Unique feature: Compiled; C-compatible
[ZE15]
Language features not seen
• obliv functions
• ~obliv
• intelligent typecasting
Scalability Example: Secure Stable Matching
[DEs16]
Scalability Example: Linear System Solving
[GSBRDZE16]
ObliVM
• Protocol: Yao’s Garbled Circuits
• Language type: Java/C++ style DSL
• Philosophy: Common operations are first-class language constructs. Includes everything and the kitchen sink.
• Raw speed: 700K AND gates per second reported or 1.8M with preprocessing
[LWNHS15]
Language features not seen
• phantom functions
• shared random types
• bounded loops
• hinted loop-coalescing
• automatic ORAM
• built-in map + reduce
• C-style structs
SPDZ
• Protocol: n-party Linear Secret Sharing + SHE
• No Language: programmed via Python library calls
• Raw Speed (2PC Online): 358K multiplications/second; (2PC Offline): 4800 multiplications/second
• Unique feature: Covert or Malicious security against dishonest majority
[DPSZ11] [DKLPSS12] [KOS16]
Language features not seen
• Native GF(2^n) types
• Many bits of syntax
Sharemind
• A commercial “Application Server Platform” (free for researchers). Similar to Java or .NET
• Originally used a 3-party semi-honest protocol; now includes SPDZ, YGC, three-party malicious
• Programming environments:
  • C/C++ library calls
  • SecreC, a C-like DSL
  • Rmind, an R-inspired statistical analysis language
• Unique feature: vector optimized
[sharemind.cyber.ee] [BLW08] [J10] [BKLS14]
Scalability Example: Tax Fraud Detection
[BJSV15]
Scalability Example: Population-scale Statistical Studies
[sharemind.cyber.ee] [BKKRST16]
MPC Frameworks

| | Obliv-C | ObliVM | SPDZ | Sharemind |
|---|---|---|---|---|
| Protocol | Yao’s GC (others possible) | Yao’s GC | n-party LSS + SHE | Multiple |
| Programming Paradigm | C-compatible DSL | Java-like DSL | Python Library | “Application Server Platform” |
| Philosophy | Minimalism, Be like C | Do the sensible thing | No front-end Language | Commercial, Ever-growing |
| Advantages | Is like C, Compiled, fast | Many language features | Malicious or Covert Security | Diverse Toolset, Vector-optimized |
| Disadvantages | Is like C, No Floating Point | Complicated Syntax | Precomputation, Leaky Abstraction | Commercial |
Circuit Structures
Seems simple enough, right? But how do we sort?
“Standard” Sorts
O(log n) O(n)
Heapsort’s data-dependent branches make it inefficient.
Quicksort is totally unsuitable.
Batcher’s Mergesort
A sorting algorithm with no data-dependent branches
Recursively Sort Lower Half
Recursively Sort Upper Half
Merge Even Rows
Merge Odd Rows
Compare Neighbor Elements
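The five steps above, as an added C example (not code from the talk or from any framework it covers): Batcher's odd-even mergesort on plaintext integers, with a masked compare-exchange standing in for the oblivious swap. It assumes the input length is a power of two; all function names are illustrative.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fingerprint of the comparator schedule: which index pairs are touched,
 * in which order. It depends only on n, never on the values sorted. */
static uint64_t schedule_fp;
static unsigned comparators;

/* Compare-exchange with no data-dependent branch: afterwards v[i] <= v[j].
 * Illustrative plaintext stand-in for a comparison gate plus masked swap. */
static void cmp_swap(uint32_t *v, size_t i, size_t j) {
    uint32_t x = v[i], y = v[j];
    uint32_t mask = (uint32_t)0 - (uint32_t)(x > y); /* all ones iff x > y */
    uint32_t t = (x ^ y) & mask;
    v[i] = x ^ t;
    v[j] = y ^ t;
    schedule_fp = schedule_fp * 1099511628211ULL + (uint64_t)(i * 65536u + j);
    comparators++;
}

/* Merge the two sorted halves of v[lo..hi] (inclusive), stride r. */
static void oe_merge(uint32_t *v, size_t lo, size_t hi, size_t r) {
    size_t step = 2 * r;
    if (step < hi - lo) {
        oe_merge(v, lo, hi, step);          /* merge even rows */
        oe_merge(v, lo + r, hi, step);      /* merge odd rows */
        for (size_t i = lo + r; i + r < hi; i += step)
            cmp_swap(v, i, i + r);          /* compare neighbor elements */
    } else {
        cmp_swap(v, lo, lo + r);
    }
}

static void oe_sort_range(uint32_t *v, size_t lo, size_t hi) {
    if (hi > lo) {
        size_t mid = lo + (hi - lo) / 2;
        oe_sort_range(v, lo, mid);          /* recursively sort lower half */
        oe_sort_range(v, mid + 1, hi);      /* recursively sort upper half */
        oe_merge(v, lo, hi, 1);
    }
}

/* Sort n values in place (n must be a power of two). Returns the number of
 * comparators used; *fp_out receives the schedule fingerprint if non-NULL. */
unsigned batcher_sort(uint32_t *v, size_t n, uint64_t *fp_out) {
    schedule_fp = 0;
    comparators = 0;
    if (n > 1) oe_sort_range(v, 0, n - 1);
    if (fp_out) *fp_out = schedule_fp;
    return comparators;
}

int main(void) {
    uint32_t a[8] = {7, 3, 9, 1, 8, 2, 6, 4};   /* constructed sample input */
    uint64_t fp;
    unsigned c = batcher_sort(a, 8, &fp);
    for (int i = 0; i < 8; i++) printf("%u ", a[i]);
    printf("\n%u comparators, schedule fingerprint %llu\n",
           c, (unsigned long long)fp);
    return 0;
}
```

Two different inputs of the same length yield the same comparator count and the same schedule fingerprint, which is the property that lets the sort be laid out as a fixed circuit.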
Circuit Structures
• Batcher Merge: O(n log n) [B68]
• Batcher Odd-Even Mergesort: O(n log^2 n) [B68]
• AKS Sorting Network: O(n log n) [AKS83]
• Waksman Permutation Network: O(n log n) [W68]
The Memory Problem
Oblivious Stack
5 blocks every access
10 blocks every 2nd access
20 blocks every 4th access
40 blocks every 8th access
Amortized cost: 5 blocks per layer per access
Layers: O(log n)
Sublinear-time Memories
• Stack, Queue: O(log n) [ZE13]
• Square-root ORAM: O(sqrt(n log^3 n)) [ZWRGDEK15]
• Tree ORAM (Circuit, Path): O(log^3 n) [SDSFRYD13] [WCS15]
• Algorithm-Specific: O(?) [BSA13] [DEs16]
Custom Protocols
MPC Frameworks
• Obliv-C: oblivc.org
• ObliVM: oblivm.com
• SPDZ: www.cs.bris.ac.uk/Research/CryptographySecurity/SPDZ
• Sharemind: sharemind.cyber.ee
An Introduction to Practical Multiparty Computation
Jack Doerner [Northeastern U]
jackdoerner.net