
Post on 13-Jun-2020


Scaling Secure Two Party Computation

Anupam Datta Fall 2015

Based on work and slides from Yan Huang, David Evans, Jonathan Katz, Lior Malka

18734: Foundations of Privacy

Overview

•  Describe a system for secure 2-party computation using garbled circuits that is much more scalable and significantly faster than best prior work

•  Applications:
   – Face recognition: Hamming distance
   – Genomics: Edit distance, Smith-Waterman
   – Private encryption: Oblivious AES evaluation

Fairplay

Dahlia Malkhi, Noam Nisan, Benny Pinkas and Yaron Sella [USENIX Security 2004]

[Diagram labels: SFDL Program; SFDL Compiler; Circuit (SHDL); Alice; Bob; Garbled Tables Generator; Garbled Tables Evaluator; Garbled Tables]

Problems?

An alternative approach … would have been to apply Yao's generic secure two-party protocol…. This would have required expressing the algorithm as a circuit … and then sending and computing that circuit. … [We] believe that the performance of our protocols is significantly better than that of applying generic protocols.

Margarita Osadchy, Benny Pinkas, Ayman Jarrous, Boaz Moskovich. SCiFI – A System for Secure Face Identification. Oakland 2010.

[Generic SFE] is very fast … but the circuit size is extremely large…. Our prototype circuit compiler can compile circuits for problems of size (200, 200) but uses almost 2 GB of memory to do so…. larger circuits would be constrained by available memory for constructing their garbled versions.

Somesh Jha, Louis Kruger, Vitaly Shmatikov. Towards Practical Privacy for Genomic Computation. Oakland 2008.

The Fallacy

The entire circuit is prepared and stored on both sides

[Diagram labels: SFDL Program; SFDL Compiler; Circuit (SHDL); Alice; Bob; Garbled Tables Generator; Garbled Tables Evaluator; Garbled Tables (on both sides)]

Enc_{x0_0, x1_1}(x2_1)   Enc_{x0_1, x1_1}(x2_1)   Enc_{x0_1, x1_0}(x2_1)

Enc_{x2_0, x2_1}(x3_0)   Enc_{x2_1, x2_1}(x3_0)   Enc_{x2_1, x2_0}(x3_1)

Enc_{x2_0, x3_1}(x4_1)   Enc_{x2_1, x3_1}(x4_1)   Enc_{x2_1, x3_0}(x4_0)

Enc_{x4_0, x3_1}(x5_1)   Enc_{x4_1, x3_1}(x5_0)   Enc_{x4_1, x3_0}(x5_0)

Enc_{x4_0, x5_1}(x6_1)   Enc_{x4_1, x5_1}(x6_0)   Enc_{x4_1, x5_0}(x6_0)

Enc_{x3_0, x6_1}(x7_1)   Enc_{x3_1, x6_1}(x7_0)   Enc_{x3_1, x6_0}(x7_1)

Faster Garbled Circuits

[Diagram labels: Circuit-Level Application; GC Framework (Evaluator); GC Framework (Generator); Circuit Structure (on both sides); wire labels shown: x4_1, x2_1, x3_1, x6_0, x5_1, x7_1]

Gates can be evaluated as they are generated: pipelining

Benefits of Pipelining

•  Allows GC to scale to circuits of arbitrary size

•  Improves the time efficiency

We ran circuits with over a billion gates, at a rate of roughly 10 μs per gate.

Problems in Existing (SFDL) Compilers

Resource-demanding SFDL compilation

Many optimization opportunities are missed

It takes hours on a 40 GB memory server to compile a SFDL program that implements AES.

Circuit level: Minimize bitwidth; Reduce the number of non-free gates

Program level: Treat public and secret values differently

Some Results

| Problem | Best Previous Result | Our Result | Speedup |
|---|---|---|---|
| Hamming Distance (Face Recognition, Genetic Dating) – two 900-bit vectors | 213 s [SCiFI, 2010] | 0.051 s | 4176x |
| Levenshtein Distance (genome, text comparison) – two 200-character inputs | 534 s [Jha+, 2008] | 18.4 s | 29x |
| Smith-Waterman (genome alignment) – two 60-nucleotide sequences | [Not Implementable] | 447 s | - |
| AES Encryption | 3.3 s [Henecka, 2010] | 0.2 s | 16.5x |

Scalable: 1 billion gates evaluated at ≈100,000 gates/second on regular PCs

Comparisons are aligned to the same security level in the semi-honest model.

Our Results

[Figure: two bar charts comparing Fairplay, [PSSW09], TASTY and "Here". Scalability: max gates (billions). Performance: non-free gates/s (×10000).]

Timing Results

[Figure: bar chart of running time in seconds, "Best previous" vs. "Here". Hamming distance (900 bits): 4176x faster than [SCiFI, 2010]. Edit distance (200 256-bit chars): 29x faster than [Jha+, 2008].]

Time Savings: AES

[Figure: bar chart of running time in seconds for [PSSW09], TASTY and "Here". 16.5x faster than [Henecka, et al. CCS 2010].]

Conclusion

•  Pipelining enables garbled-circuit technique to scale to large problem sizes

•  Circuit-level optimizations can dramatically reduce performance overhead

Privacy-preserving applications can run orders of magnitude faster than previously thought.

Questions?

Thanks!

Download framework and Android demo application from MightBeEvil.com

Secure Two-Party Computation

Alice   Bob

Bob's Genome: ACTG… Markers (~1000): [0, 1, …, 0]

Alice's Genome: ACTG… Markers (~1000): [0, 0, …, 1]

Can Alice and Bob compute a function of their private data, without exposing anything about their data besides the result?

Secure Function Evaluation

Alice (circuit generator): holds a ∈ {0,1}^s

Bob (circuit evaluator): holds b ∈ {0,1}^t

Garbled Circuit Protocol

Andrew Yao, 1986

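Yao's Garbled Circuits

| Input a | Input b | Output x |
|---|---|---|
| 0 | 0 | 0 |
| 0 | 1 | 0 |
| 1 | 0 | 0 |
| 1 | 1 | 1 |

[Figure: AND gate with inputs a, b and output x]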

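Computing with Meaningless Values?

| Input a | Input b | Output x |
|---|---|---|
| a_0 | b_0 | x_0 |
| a_0 | b_1 | x_0 |
| a_1 | b_0 | x_0 |
| a_1 | b_1 | x_1 |

[Figure: AND gate with inputs "a_0 or a_1" and "b_0 or b_1" and output "x_0 or x_1"]

a_i, b_i, x_i are random values, chosen by the circuit generator but meaningless to the circuit evaluator.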

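Computing with Garbled Tables

| Input a | Input b | Output x |
|---|---|---|
| a_0 | b_0 | Enc_{a_0, b_0}(x_0) |
| a_0 | b_1 | Enc_{a_0, b_1}(x_0) |
| a_1 | b_0 | Enc_{a_1, b_0}(x_0) |
| a_1 | b_1 | Enc_{a_1, b_1}(x_1) |

[Figure: AND gate with inputs "a_0 or a_1" and "b_0 or b_1" and output "x_0 or x_1"]

a_i, b_i, x_i are random values, chosen by the circuit generator but meaningless to the circuit evaluator.

Bob can only decrypt one of these!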

Garbled And Gate

Enc_{a_0, b_1}(x_0)

Enc_{a_1, b_1}(x_1)

Enc_{a_1, b_0}(x_0)

Enc_{a_0, b_0}(x_0)

Chaining Garbled Circuits

Can do any computation privately this way!

[Circuit: x0 = AND(a0, b0); x1 = AND(a1, b1); x2 = OR(x0, x1)]

And Gate 1

Enc_{a1_0, b1_1}(x1_0)

Enc_{a1_1, b1_1}(x1_1)

Enc_{a1_1, b1_0}(x1_0)

Enc_{a1_0, b1_0}(x1_0)

Or Gate 2

Enc_{x0_0, x1_1}(x2_1)

Enc_{x0_1, x1_1}(x2_1)

Enc_{x0_1, x1_0}(x2_1)

Enc_{x0_0, x1_0}(x2_0)

…
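
The garbled tables and gate chaining above, combined with the pipelining idea from the Faster Garbled Circuits slide, as an added Python example (not code from the slides or from the authors' framework). It assumes a SHA-256 pad with an all-zero tag as Enc, and hands the evaluator its input labels directly where a real protocol would use oblivious transfer; all function names are illustrative.

```python
import hashlib
import secrets

K = 16          # wire-label length in bytes
TAG = bytes(K)  # all-zero tag: lets the evaluator recognise the one row it can open

def enc(ka, kb, gid, msg):
    # Pad derived from both input labels and the gate id; XOR makes enc its own inverse.
    pad = hashlib.sha256(ka + kb + gid.to_bytes(4, "big")).digest()
    return bytes(p ^ m for p, m in zip(pad, msg))

# Circuit from the chaining slide: (output wire, gate, input wire, input wire)
CIRCUIT = [("x0", "AND", "a0", "b0"), ("x1", "AND", "a1", "b1"), ("x2", "OR", "x0", "x1")]
OPS = {"AND": lambda p, q: p & q, "OR": lambda p, q: p | q}

def new_wire(labels, name):
    # Two random labels per wire: index 0 stands for bit 0, index 1 for bit 1.
    labels[name] = (secrets.token_bytes(K), secrets.token_bytes(K))

def generate(labels):
    """Generator side: garble and emit one table at a time (pipelining)."""
    for gid, (out, op, i1, i2) in enumerate(CIRCUIT):
        new_wire(labels, out)
        rows = [enc(labels[i1][p], labels[i2][q], gid, labels[out][OPS[op](p, q)] + TAG)
                for p in (0, 1) for q in (0, 1)]
        secrets.SystemRandom().shuffle(rows)  # hide which row belongs to which inputs
        yield rows

def evaluate(stream, held):
    """Evaluator side: consume each table as it arrives, keep only wire labels."""
    for gid, ((out, _, i1, i2), rows) in enumerate(zip(CIRCUIT, stream)):
        opened = [enc(held[i1], held[i2], gid, row) for row in rows]
        (label,) = [m[:K] for m in opened if m[K:] == TAG]  # exactly one row opens
        held[out] = label
    return held[out]

def run(inputs):
    """inputs maps a0, b0, a1, b1 to bits; returns the decoded output bit of x2."""
    labels = {}
    for wire in inputs:
        new_wire(labels, wire)
    # Simplification: input labels are handed over directly instead of via OT.
    held = {wire: labels[wire][bit] for wire, bit in inputs.items()}
    out_label = evaluate(generate(labels), held)
    return labels["x2"].index(out_label)  # generator decodes the output label
```

Because `generate` is a Python generator, each table is garbled only when the evaluator asks for it, so neither side ever stores the whole garbled circuit.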

Threat Model

Semi-Honest (Honest-but-Curious) Adversary

Adversary follows the protocol as specified (!), but tries to learn more from the protocol execution transcript

May be good enough for some scenarios

We are working on efficient solutions for malicious adversaries

Circuit Optimization – Edit Distance

    for (int i = 1; i < a.length; ++i)
        for (int j = 1; j < b.length; ++j) {
            // Substitution cost: 0 when the characters match, 1 otherwise
            T = (a[i] == b[j]) ? 0 : 1;
            D[i][j] = min(D[i-1][j] + 1, D[i][j-1] + 1, D[i-1][j-1] + T);
        }

Circuit Optimization – Edit Distance

[Circuit diagram: inputs D[i-1][j], D[i][j-1], D[i-1][j-1], T and constants 1, 1; components AddOneBit (×3), 2-Min (×2); output D[i][j]]

Circuit Optimization – Edit Distance

[Circuit diagram: inputs D[i-1][j], D[i][j-1], D[i-1][j-1], T and constant 1; components 2-Min (×2), AddOneBit (×2); output D[i][j]]

Circuit Optimization – Edit Distance

[Circuit diagram: inputs D[i-1][j], D[i][j-1], D[i-1][j-1], T and constant 1; components 2-Min (×2), Mux, AddOneBit; output D[i][j]]

Saves about 28% of gates
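
Why the rewritten cells in the three circuit diagrams still compute the same D[i][j], as an added Python example (not from the slides). The Mux wiring in `cell_mux` is an assumption consistent with the component labels in the last diagram, and all function names are illustrative.

```python
from itertools import product

def cell_naive(up, left, diag, t):
    # First diagram: three AddOneBit blocks feeding two 2-Min blocks.
    return min(up + 1, left + 1, diag + t)

def cell_shared_add(up, left, diag, t):
    # Second diagram: take the minimum first, so one "+1" serves both neighbours.
    return min(min(up, left) + 1, diag + t)

def cell_mux(up, left, diag, t):
    # Third diagram (assumed wiring): the second 2-Min picks the base value,
    # a Mux picks the single bit to add (1 or T), one AddOneBit finishes the cell.
    m = min(up, left)
    take_neighbour = m < diag
    base = m if take_neighbour else diag
    bit = 1 if take_neighbour else t
    return base + bit

def equivalent(limit=8):
    """Exhaustively compare the three cell formulas on small inputs."""
    return all(
        cell_naive(u, l, d, t) == cell_shared_add(u, l, d, t) == cell_mux(u, l, d, t)
        for u, l, d, t in product(range(limit), range(limit), range(limit), (0, 1))
    )

def edit_distance(a, b, cell):
    """Standard edit-distance table, with the per-cell update passed in."""
    D = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        D[i][0] = i
    for j in range(len(b) + 1):
        D[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            t = 0 if a[i - 1] == b[j - 1] else 1
            D[i][j] = cell(D[i - 1][j], D[i][j - 1], D[i - 1][j - 1], t)
    return D[len(a)][len(b)]
```

The Mux form is valid because T is a single bit: when min(D[i-1][j], D[i][j-1]) is not smaller than D[i-1][j-1], adding T to the diagonal can never exceed the neighbour plus one.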

Circuit Library

Through custom circuit design and the use of optimal circuit components, we strive to minimize the number of non-free gates

V. Kolesnikov and T. Schneider. Improved Garbled Circuit: Free XOR Gates and Applications. (ICALP), 2008.

[Circuit diagram components: AddOneBit, 2-Min (×2), Mux; inputs T and constant 1]

Ease of Use

•  Our framework assumes no expert knowledge of cryptography

•  Need basic ideas of Boolean circuits

•  Circuit designs converted directly to Java programs

[Diagram labels: Traditional Java Application; Critical Component (×3); Library Circuit; Custom Circuit; Library Circuit; Rest of the Java Program; Java code; javac; Circuit Generator; Circuit Evaluator; Use the Framework]

Example: AES SBox

Leveraging an existing ASIC design for AES allows us to reduce the state-of-the-art AES circuit by 30% of non-free gates, compared to [PSSW09] and [HKSSW10]

Wolkerstorfer, et al. An ASIC Implementation of the AES S-boxes. RSA-CT 2002.