Computing Cooperatively with People You Don't Trust

11,135 views

Published on

David Evans, UVA Department of Computer Science

Talk at University of Richmond, 30 January 2012

Two-party secure computation allows two parties to compute a function that depends on inputs from both parties, but reveals nothing except the output of the function. A general solution to this problem have been known since Andrew Yao's pioneering work on garbled circuits in the 1980s, but only recently has it become conceivable to use this approach in real systems. This talk will provide an introduction to secure computation, and describe the work we are doing at UVa to make secure computation efficient and scalable enough to build real applications. The talk assumes no prior background in cryptography, and should be understandable all computing students.

Published in: Education, Technology, Spiritual
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
11,135
On SlideShare
0
From Embeds
0
Number of Embeds
9,539
Actions
Shares
0
Downloads
15
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide
  • .
  • Computing Cooperatively with People You Don't Trust

    1. 1. ComputingCooperativelywith PeopleYou Dont TrustUniversity of Richmond30 January 2012 David Evans University of Virginia http://www.cs.virginia.edu/evans http://MightBeEvil.com
    2. 2. “Genetic Dating” Bob Alice Genome Compatibility ProtocolYour offspring will have WARNING! Your offspring will have WARNING!good immune systems! Don’t Reproduce good immune systems! Don’t Reproduce 2
    3. 3. 3
    4. 4. Genome Sequencing1990: Human Genome Project starts, estimate$3B to sequence one genome ($0.50/base)2000: HumanGenome Projectdeclaredcomplete, cost~$300M Whitehead Institute, MIT 4
    5. 5. $100,000,000 Cost to sequence human genome Moore’s Law prediction (halve every 18 months) $10,000,000 $1,000,000 $100,000 $10,000 Jun 2010 Jun 2005 Sep 2001 Feb 2002 Sep 2006 Feb 2007 May 2003 Aug 2004 Apr 2006 May 2008 Aug 2009 Mar 2004 Jan 2005 Nov 2005 Mar 2009 Jan 2010 Dec 2002 Dec 2007 Jul 2002 Oct 2003 Jul 2007 Oct 2008 Data from National Human Genome Research Institute: http://www.genome.gov/sequencingcosts5
    6. 6. $100,000,000 Cost to sequence human genome Moore’s Law prediction (halve every 18 months) $10,000,000 $1,000,000 $100,000 $10,000 Ion torrent Personal Genome Machine Sep 2001 Feb 2002 Sep 2006 Feb 2007 May 2003 Aug 2004 Nov 2005 Apr 2006 May 2008 Aug 2009 Mar 2004 Jan 2005 Dec 2002 Jun 2005 Mar 2009 Jan 2010 Dec 2007 Jun 2010 Jul 2002 Oct 2003 Jul 2007 Oct 2008 Data from National Human Genome Research Institute: http://www.genome.gov/sequencingcosts6
    7. 7. Human Genome Sequencing Using Unchained Base Reads on Self-Assembling DNA Nanoarrays. RadojeDrmanac, Andrew B. Sparks, Matthew J. Callow, Aaron L. Halpern, Norman L. Burns, Bahram G. Kermani, PaoloCarnevali, Igor Nazarenko, Geoffrey B. Nilsen, George Yeung, Fredrik Dahl, Andres Fernandez, Bryan Staker,Krishna P. Pant, Jonathan Baccash, Adam P. Borcherding, Anushka Brownley, Ryan Cedeno, Linsu Chen, DanChernikoff, Alex Cheung, Razvan Chirita, Benjamin Curson, Jessica C. Ebert, Coleen R. Hacker, Robert Hartlage,Brian Hauser, Steve Huang, Yuan Jiang, Vitali Karpinchyk, Mark Koenig, Calvin Kong, Tom Landers, Catherine Le,Jia Liu, Celeste E. McBride, Matt Morenzoni, Robert E. Morey, Karl Mutch, Helena Perazich, Kimberly Perry, BrockA. Peters, Joe Peterson, Charit L. Pethiyagoda, Kaliprasad Pothuraju, Claudia Richter, Abraham M. Rosenbaum,Shaunak Roy, Jay Shafto, Uladzislau Sharanhovich, Karen W. Shannon, Conrad G. Sheppy, Michel Sun, Joseph V.Thakuria, Anne Tran, Dylan Vu, Alexander Wait Zaranek, Xiaodi Wu, Snezana Drmanac, Arnold R. Oliphant,William C. Banyai, Bruce Martin, Dennis G. Ballinger, George M. Church, Clifford A. Reid. Science, January 2010.
    8. 8. Dystopia Personalized Medicine 8
    9. 9. Secure Two-Party ComputationBob’s Genome: ACTG… Alice’s Genome: ACTG…Markers (~1000): *0,1, …, 0+ Markers (~1000): *0, 0, …, 1+ Bob Alice Can Alice and Bob compute a function of their private data, without exposing anything about their data besides the result? 9
    10. 10. Secure Function EvaluationAlice (circuit generator) Bob (circuit evaluator) Garbled Circuit Protocol Andrew Yao, 1982/1986
    11. 11. Regular Logic Inputs Output a b x 0 0 0 0 1 0 1 0 0 1 1 1a b AND x
    12. 12. Computing with Meaningless Values? Inputs Output a b x a0 b0 x0 a0 b1 x0 a1 b0 x0 a1 b1 x1 a0 or a1 b0 or b1ai, bi, xi are randomvalues, chosen by thecircuit generator butmeaningless to the ANDcircuit evaluator. x0 or x1
    13. 13. Encryption Encrypt 13
    14. 14. Logic with Privacy Inputs Outputa b xa0 b0a0 b1a1 b0a1 b1
    15. 15. Computing with Garbled Tables Inputs Output a b x Bob can only decrypt a0 b0 Enca0,b0(x0) one of these! a0 b1 Enca0,b1(x0) a1 b0 Enca1,b0(x0) a1 b1 Enca1,b1(x1)a0 or a1 b0 or b1 Garbled And Gate Random Enca0, b1(x0) Permutation AND Enca1,b1(x1) Enca1,b0(x0) x0 or x1 Enca0,b0(x0)
    16. 16. Garbled Circuit Protocol Alice (circuit generator) Bob (circuit evaluator) Garbled Gate Enca0, b1(x0) Enca1,b1(x1) Enca1,b0(x0) Enca0,b0(x0)Sends ai to Bobbased on her inputvalue How does the Bob learn his own input wires?
    17. 17. Primitive: Oblivious Transfer Alice Bob Oblivious Transfer ProtocolOblivious: Alice doesn’t learn which secret Bob obtainsTransfer: Bob learns one of Alice’s secrets Rabin, 1981; Even, Goldreich, and Lempel, 1985; many subsequent papers
    18. 18. Chaining Garbled Circuits And Gate 1 a0 b0 a1 b1 Enca10, b11(x10) Enca11,b11(x11) AND AND Enca11,b10(x10) x1 Enca10,b10(x10) x0 Or Gate 2Encx00, x11(x21)Encx01,x11(x21) OREncx01,x10(x21) x2Encx00,x10(x20) …We can do any computation privately this way! 18
    19. 19. Building Computing Systems Encx00, x11(x21) Encx01,x11(x21) Encx01,x10(x21) Encx00,x10(x20) Digital Electronic Circuits Garbled Circuits Operate on known data Operate on encrypted wire labelsOne-bit logical operation requires One-bit logical operation requiresmoving a few electrons a few performing (up to) 4 encryptionnanometers operations: very slow execution(hundreds of Billions per second)Reuse is great! Reuse is not allowed for privacy: huge circuits needed 19
    20. 20. Fairplay Alice Bob SFDL SFDL Compiler Compiler Circuit (SHDL) SFDL Program Garbled Tables GeneratorDahlia Malkhi, Noam Nisan,Benny Pinkas and Yaron Sella Garbled Tables[USENIX Sec 2004] Evaluator 20
    21. 21. Faster Garbled Circuits Circuit-Level Application Circuit Structure Circuit StructureGC Framework GC Framework (Generator) (Evaluator) Encx00, x11(x21) Encx20, x21(x30) x21 Encx20,(x2(x41) Encx01,x1x4x3x3 )(x51) x31 Enc 1 0,(x3 1 Encx21,x2x4 ,1x5 )(x61) Enc 1 0 1 01 Encx21(x2(x46 )(x71) x41 Enc Encx01,x1x4 ,x310) x 11 0) Enc0 ,x31 ) Encx21,x2x4x31,(x5 0) Enc0(x311(x6 1 x51 Encx21,x3x3 ,x60) 0) Enc0(x4 1 ) 1,x5 Encx41,x30(x5(x7 1 0 x60 Encx41,x50(x60) x71 Encx31,x60(x71) Gates can be evaluated as they are generated: pipelining Gates can be evaluated in any topological sort order: parallelizing Garbled evaluation can be combined with normal execution 21
    22. 22. Results: Performance Fairplay Binary gates per [PSSW09] millisecond TASTYOur Results 100,000 gates per second 0 10 20 30 40 50 60 70 80 90 100 22
    23. 23. Results: Scalability Fairplay Largest circuit executed [PSSW09] (non-free gates) TASTYOur Results 0 1,000,000,000 23
    24. 24. Private Personal Genomics ApplicationsPrivacy-PreservingBiometric Matching Private AES Encryption Private Set Intersection 24
    25. 25. Heterozygous Recessive Risk Alice A a carrier A AA Aa Bob a aA aa cystic fibrosisAlice’s Heterozygous Recessive genes: , 5283423, 1425236, 839523, … -Bob’s Heterozygous Recessive genes: , 5823527, 839523, 169325, … - Goal: find the intersection of A and B 25
    26. 26. Bit Vector Intersection Alice’s Recessive genes: Bob’s Recessive genes:, 5283423, 1425236, 839523, … - , 5823527, 839523, 169325, … - [ PAH, PKU, CF, … + [ 0, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0] [ 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0] ... AND AND AND ... Bitwise AND 26
    27. 27. Common Contacts
    28. 28. Sort-Compare-Shuffle Sort: Take advantage of total order of elements Compare adjacent elements Shuffle to hide positions 28
    29. 29. SCS-WN Protocol Results 1000 Theoretical Projection Experimental ObservationSeconds 100 10 1 128 256 512 1024 2048 4096 8192 Set Size (each set) 32-bit values
    30. 30. 30
    31. 31. Best Previous Problem Result Our Result SpeedupNDSS Private Set Intersection (contact Competitive with best custom2012 matching, common disease carrier) protocols, scales to millions of 32-bit elements Hamming Distance (Face 213s 0.051s 4176 Recognition) [SCiFI, 2010] USENIX Security 2011 Levenshtein Distance 534s 18.4s 29 (genome, text comparison) – two [Jha+, 2008] 200-character inputs Smith-Waterman (genome [Not 447s - alignment) – two 60-nucleotide Implementable] sequences AES Encryption 3.3s 0.2s 16.5 [Henecka, 2010]NDSS Fingerprint Matching (1024-entry ~83s 18s 4.62011 database, 640x8bit vectors) [Barni, 2010] 31
    32. 32. Research Group and Alumni 32
    33. 33. Peter Chapman Yan Huang (UVa BACS 2012) (UVa Computer Science PhD Student) Funding: Jonathan Katz NSF, MURI (AFOSR), Google (University of Maryland) 33
    34. 34. MightBeEvil.com 34

    ×