Multi-Party Computation for the Masses

Talk at CROSSING 2015
https://www.crossing.tu-darmstadt.de/en/crossing/events/crossing-workshop-2015/agenda/

  1. Multi-Party Computation for the Masses. David Evans, www.cs.virginia.edu/evans. CROSSING – Where Quantum Physics, Cryptography, System Security and Software Engineering meet. Darmstadt, 1 June 2015.
  2. (De)Motivating Application: Alice and Bob.
  3. (De)Motivating Application: Genome Compatibility Protocol (“Genetic Dating”) between Alice and Bob. Genetic Matchr app screens: “Start”, “processing…”, “WARNING! Reproduction not recommended”, “Your offspring would have good immune systems!” [Don’t sue us.]
  4-5. [Chart: dollar cost on a log scale from $1,000 to $100,000,000, by year, 2001 to 2014.] Tomorrow: Jean-Pierre Hubaux, “Whole Genome Sequencing: Revolutionary Medicine or Privacy Nightmare?”
  6-7. Secure Two-Party Computation. Alice has Alice’s Genome; Bob has Bob’s Genome. Can Alice and Bob compute a function on private data, without exposing anything about their data besides the result? r = f(a, b)
  8. Yao’s Garbled Circuit Protocol (Andrew Yao, 1980s). Alice (circuit generator) has secret input a; Bob (circuit evaluator) has secret input b. They agree on function f and run the Garbled Circuit Protocol. Both obtain r = f(a, b). Alice learns nothing else about b; Bob learns nothing else about a.
  9. Regular Logic. AND gate with inputs a, b and output x. Truth table (a b → x): 0 0 → 0; 0 1 → 0; 1 0 → 0; 1 1 → 1.
  10-11. “Obfuscated” Logic. AND gate with input wires carrying a0 or a1 and b0 or b1, and output x. Table (a b → x): a1 b0 → x0; a0 b1 → x0; a1 b1 → x1; a1 b0 → x0. ai, bi, xi are random values, chosen by generator but meaningless to evaluator. Leaks information!
  12-13. Garbled Logic. AND gate with input wires carrying a0 or a1 and b0 or b1, and output x. Garbled Table G (a b → x): a1 b0 → E_{a1 || b0}(x0); a0 b1 → E_{a0 || b1}(x0); a1 b1 → E_{a1 || b1}(x1); a0 b0 → E_{a0 || b0}(x0).
  14-15. Garbled Circuit Protocol. Alice (generator): picks random values for a{0, 1}, b{0, 1}, x{0, 1}; garbled table E_{a1||b0}(x0), E_{a0||b1}(x0), E_{a1||b1}(x1), E_{a0||b0}(x0); sends ai, based on her input. Bob (evaluator): evaluates circuit, decrypting one row of each garbled gate. Messages: xr; sends hashes to decode outputs; r. How does Bob learn his own input values?
  16. Primitive: Oblivious Transfer. Alice (generator) supplies b0, b1; Bob (evaluator) supplies selector i and receives bi. Alice learns nothing else about i; Bob learns nothing about the other value. Rabin, 1981; Even, Goldreich, and Lempel, 1985; …
  17. Chain gates to securely compute any discrete function! Gates G0, G1, …, G2. Wire labels: a0,0 or a0,1; b0,0 or b1,0; a1,0 or a1,1; b1,0 or b1,1; x0 or x1; x1,0 or x1,1; x2,0 or x2,1. Garbled tables as shown: E_{a0,1||b0,0}(x0,0), E_{a0,0||b0,1}(x0,0), E_{a0,1||b0,1}(x0,1), E_{a0,0||b0,1}(x0,0); E_{a1,1||b1,1}(x1,1), E_{a1,0||b1,1}(x1,0), E_{a1,1||b1,0}(x1,0), E_{a1,0||b1,0}(x1,0); E_{x0,0||x1,0}(x2,0), E_{x0,1||x1,1}(x2,1), E_{x0,1||x1,0}(x2,0), E_{x0,0||x1,0}(x2,0).
  18. Building Computing Systems. Digital Electronic Circuits vs. Garbled Circuits. Operate on known data vs. operate on encrypted wire labels. One-bit logical operation requires moving some electrons a few nanometers vs. one-bit logical operation requires performing four encryption operations. Reuse is great! vs. reuse is not allowed! (E_{a1||b0}(x0), E_{a0||b1}(x0), E_{a1||b1}(x1))
  19. [Chart: dollar cost on a log scale from $1,000 to $100,000,000, by year, 2001 to 2014.] [Fairplay, USENIX Sec 2004]: >$1M. Estimated cost of 10k x 10k Smith-Waterman, 4T gates.
  20-21. Scaling MPC. Gate Execution Protocols: E_{a0,1||b0,0}(x0,0), E_{a0,0||b0,1}(x0,0), E_{a0,1||b0,1}(x0,1), E_{a0,0||b0,1}(x0,0). Circuit Construction: Obliv-C. Applications: Private Biometrics [NDSS 2011]; Machine Learning [S&P 2013]; Personalized Medicine, Medical Research [USENIX Sec 2011]; Private Set Intersection [NDSS 2012]. Obliv-C code excerpt shown on the slide:
        for (i = 1; i <= n1; ++i) {
          for(j = 1; j <= n2; ++j) {
            Accum temp = acMin (dp[i][j-1], dp[i-1][j]);
            obliv bool d = true;
            obliv if (acLessEq(dp[i-1][j-1], temp)) {
              acCopy(&temp, &dp[i-1][j-1]);
              d = (s1[i-1] != s2[j-1]);
            }
            // … (the slide excerpt ends here)
  22. Talk Outline. Gate Execution Protocols: Enc_{a0,1,b0,0}(x0,0), Enc_{a0,0,b0,1}(x0,0), Enc_{a0,1,b0,1}(x0,1), Enc_{a0,0,b0,1}(x0,0). Circuit Construction. This Afternoon: Farinaz Koushanfar, “TinyGarble: Synthesis of Highly Compact Circuits for Secure Computation”; Stefan Katzenbeisser, “Towards Practical Two-Party Computations”.
  23. Two Halves Make a Whole: Reducing Data Transfer in Garbled Circuits using Half Gates. Samee Zahur, Mike Rosulek, and David Evans. In EuroCrypt 2015. Samee Zahur (UVa PhD Student).
  24. Background: Point-and-Permute. Encoding garble table entries: Enc_{a0,,b0,}(c0), Enc_{a0,,b1}(c0), Enc_{a0,,b0}(c0), Enc_{a1,b1}(c1). Input wire labels (with selection bits); output wire label. Beaver, Micali and Rogaway [STOC 1990].
  25-27. Background: Garbled Row Reduction. Naor, Pinkas and Sumner [1999].
  28-30. Background: Free-XOR. Kolesnikov and Schneider [2008]. Global generator secret. XORs are free! No ciphertexts or encryption needed.
  31-33. Half Gates. Yan Huang, David Evans, and Jonathan Katz. Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? [NDSS 2012]. Journal of the ACM, January 1968. Swap gates, configured (by generator) to do random permutation.
  34-35. Generator Half Gate. Known to generator (but secret to evaluator).
  36. Swapper: “Generator Half Gate”. Known to generator (but secret to evaluator). With Garbled Row Reduction:
  37-38. Evaluator Half-Gate. Known to evaluator (but secret to generator). But, we need a gate where both inputs are secret…
  39-42. Half + Half = Full Secret Gate. Random bit selected by generator. Labels on the terms: “leaked”, unknown, known, unknown. Generator half gate; evaluator half gate.
  43-44. Standard Gates vs. Half Gates. Generator Encryptions (H): 4 vs. 4. Evaluator Encryptions (H): 1 vs. 2. Ciphertexts Transmitted: 3 vs. 2. XORs Free: ✓ vs. ✓. Bandwidth: 33%. Execution Time (edit distance): 25%. Energy: 21%.
  45-46. Is one ciphertext enough? No, two is the minimum, at least assuming garbling schemes use only random oracle and linear operations.
  47. Scaling MPC (same slide content and Obliv-C code excerpt as slides 20-21): Gate Execution Protocols; Circuit Construction; Private Biometrics [NDSS 2011]; Machine Learning [S&P 2013]; Personalized Medicine, Medical Research [USENIX Sec 2011]; Private Set Intersection [NDSS 2012]; obliv-C.
  48. Fairplay. Malkhi, Nisan, Pinkas and Sella [USENIX Sec 2004]. SFDL Program → SFDL Compiler → Circuit (SHDL). Alice: Garbled Tables Generator. Bob: Garbled Tables Evaluator.
  49. Pipelined Execution. Circuit-Level Application; GC Framework (Evaluator); GC Framework (Generator); Circuit Structure on each side. Wires x1, x2, y1, y2, z1, z2. Yan Huang (UVa PhD, U Indiana). Yan Huang, David Evans, Jonathan Katz, and Lior Malka. Faster Secure Two-Party Computation Using Garbled Circuits. USENIX Security 2011.
  50. [Chart: dollar cost on a log scale from $100 to $100,000,000, by year, 2001 to 2014. Estimates for 2PC, 4T gates.] Annotations: Free-XOR; Pipelining, + HalfGates; 100s gates/second; 100k gates/second; ~5M gates/second.
  51. Semi-Honest (“Honest but Curious”). Alice (generator) and Bob: generated circuits; oblivious transfer; Bob evaluates; output decoding/sharing; both obtain r = f(a, b). Only provides privacy and correctness guarantees if circuit is generated honestly!
  52. Standard Fix: “Cut-and-Choose”. Generator (Alice), Evaluator (Bob). (1) N instances of generated circuit. (2) Challenge: choose a random subset. (3) Keys for selected circuits. (4) Checks all revealed circuits. (5) If okay, evaluate rest and select majority output. Provides security against active attacker, but for reasonable security N > 300.
  53. [Chart: dollar cost on a log scale from $100 to $100,000,000, by year, 2001 to 2014.] Series: Semi-Honest; Active Security. Symmetric Cut-and-Choose [HKE 2013].
  54. Semi-Honest is Half-Way There. Privacy: nothing is revealed other than the output. (Not) Correctness: the output of the protocol is f(a, b). Generator, Evaluator. As long as evaluator doesn’t send result (or complaint) back, privacy for evaluator is guaranteed.
  55. Dual Execution Protocols. Yan Huang, Jonathan Katz, David Evans. [IEEE S&P (Oakland) 2012]. Mohassel and Franklin. [PKC 2006].
  56. Dual Execution Protocol. Alice and Bob. First round execution (semi-honest), generator and evaluator: z = f(x, y); z, learned output wire labels. Second round execution (semi-honest), generator and evaluator: z' = f(x, y); z’, learned output wire labels. Fully-secure, authenticated equality test: pass if z = z’ and correct wire labels.
  57. Security Properties. Correctness: guaranteed by authenticated, secure equality test. Privacy: leaks one (extra) bit on average; adversarial circuit fails on ½ of inputs. Malicious generator can decrease likelihood of being caught, and increase information leaked when caught (but decreases average information leaked): at extreme, circuit fails on just one input.
  58. Proving Security: Malicious. Ideal World: A and B, with inputs x and y, use a Trusted Party in Ideal World; adversary receives: f(x, y). Real World: A and B, with inputs x and y, run the Secure Computation Protocol; corrupted party behaves arbitrarily. Show equivalence. Standard Malicious Model: can’t prove this for Dual Execution.
  59. Proof of Security: One-Bit Leakage. Ideal World: A and B, with inputs x and y, use a Trusted Party in Ideal World. Controlled by malicious A: g  R  {0, 1}; g is an arbitrary Boolean function selected by adversary. Adversary receives: f(x, y) and g(x, y). Can prove equivalence to this for Dual Execution protocols.
  60. Intuition: 1-bit Leak. Victim’s Possible Inputs; Inputs where f(?, y) = r; Broken Circuit for these Inputs; Cheating detected.
  61. Implementation. Alice and Bob. First round execution (semi-honest), generator and evaluator: z = f(x, y); z, learned output wire labels. Second round execution (semi-honest), generator and evaluator: z' = f(x, y); z’, learned output wire labels. Recall: work to generate is 2x work to evaluate! Fully-secure, authenticated equality test: pass if z = z’ and correct wire labels.
  62. [Chart: dollar cost on a log scale from $100 to $100,000,000, by year, 2001 to 2014.] Series: Active Security; Dual Execution.
  63. Secure Computation for the Masses? Remarkable progress in past 10 years. Costs reduced by 10^12. Beginning to see commercial deployments. Scaling number of parties still very hard. Challenge of End-to-End Trust: Trusting Software; Understanding leaks from output; User-understandable information release policies.
  64. David Evans, evans@virginia.edu, www.cs.virginia.edu/evans, oblivc.org, mightBeEvil.org. Collaborators (this work): Yan Huang, Jonathan Katz, Mike Rosulek, Samee Zahur. Funding: NSF, AFOSR, Google.
  65. Not Used
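
The garbled AND gate of slides 12-15, as an added example that is not code from the talk: the generator builds the four-row table E_{a||b}(x) and the evaluator decrypts exactly one row. Assumptions made here: SHA-256 as the pad for E, a zero tag to recognise the valid row, hashes of the output labels as the decoding table, and Bob's label handed over directly where the protocol would use oblivious transfer (slide 16).

```python
import hashlib
import secrets

K = 16  # wire-label length in bytes (assumption; the slides do not fix a size)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def E(ka, kb, x):
    """E_{a||b}(x): pad derived from both input labels; K zero bytes tag a valid row."""
    pad = hashlib.sha256(ka + kb).digest()  # 32 bytes = label + tag
    return xor(pad, x + bytes(K))


def D(ka, kb, row):
    """Return the output label if (ka, kb) is the right key pair for this row, else None."""
    pt = xor(hashlib.sha256(ka + kb).digest(), row)
    return pt[:K] if pt[K:] == bytes(K) else None


def garble_and():
    """Generator (Alice): pick random labels a{0,1}, b{0,1}, x{0,1} and build table G."""
    a, b, x = ([secrets.token_bytes(K) for _ in range(2)] for _ in range(3))
    table = [E(a[i], b[j], x[i & j]) for i in (0, 1) for j in (0, 1)]
    # Row order must not reveal which (i, j) a row encodes.
    secrets.SystemRandom().shuffle(table)
    # Hashes of the output labels let the result be decoded without revealing
    # the label for the other output value.
    decode = {hashlib.sha256(x[v]).digest(): v for v in (0, 1)}
    return a, b, table, decode


def evaluate(label_a, label_b, table):
    """Evaluator (Bob): holds one label per input wire; exactly one row decrypts."""
    hits = [x for row in table if (x := D(label_a, label_b, row)) is not None]
    if len(hits) != 1:
        raise ValueError("garbled table did not decrypt to exactly one label")
    return hits[0]


def run(bit_a, bit_b):
    """One gate end to end; returns the decoded output bit r."""
    a, b, table, decode = garble_and()
    # Alice sends a[bit_a] for her own input. Bob's label b[bit_b] would arrive
    # by oblivious transfer; it is passed directly here (assumption).
    out_label = evaluate(a[bit_a], b[bit_b], table)
    return decode[hashlib.sha256(out_label).digest()]


if __name__ == "__main__":
    for i in (0, 1):
        for j in (0, 1):
            print(i, j, "->", run(i, j))
```

The evaluator sees only random-looking labels and one decryptable row per gate, which is why the repeated x0 entries of the “obfuscated” table on slides 10-11 no longer leak.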
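
The half-gates AND gate of slides 34-44, as an added example that is not code from the talk: it combines a generator half gate and an evaluator half gate over Free-XOR labels and counts hash calls so the figures on slides 43-44 (4 generator encryptions, 2 evaluator encryptions, 2 ciphertexts) can be checked. The formulas follow the cited Zahur, Rosulek and Evans EuroCrypt 2015 construction rather than the slide text; SHA-256 as H, 16-byte labels and all function names are assumptions.

```python
import hashlib
import secrets

K = 16             # wire-label length in bytes (assumption)
calls = {"H": 0}   # hash-call counter, to compare with the table on slides 43-44


def H(label, index):
    """Random-oracle stand-in (assumption: SHA-256 truncated to K bytes)."""
    calls["H"] += 1
    return hashlib.sha256(label + index.to_bytes(8, "big")).digest()[:K]


def xor(*parts):
    out = bytes(K)
    for p in parts:
        out = bytes(x ^ y for x, y in zip(out, p))
    return out


def lsb(label):
    return label[-1] & 1  # point-and-permute selection bit (slide 24)


def new_delta():
    """Free-XOR global generator secret R; lsb forced to 1 so W0 and W1 = W0 xor R differ in lsb."""
    d = bytearray(secrets.token_bytes(K))
    d[-1] |= 1
    return bytes(d)


def garble_and(A0, B0, R, j):
    """Generator: returns (C0, TG, TE), the false output label and the two ciphertexts."""
    pa, pb = lsb(A0), lsb(B0)
    hA0, hA1 = H(A0, j), H(xor(A0, R), j)
    hB0, hB1 = H(B0, j + 1), H(xor(B0, R), j + 1)
    # Generator half gate: a AND pb, where pb is a random bit the generator knows.
    TG = xor(hA0, hA1, R if pb else bytes(K))
    WG0 = xor(hA0, TG if pa else bytes(K))
    # Evaluator half gate: a AND (b XOR pb); b XOR pb is the bit "leaked" to the evaluator.
    TE = xor(hB0, hB1, A0)
    WE0 = xor(hB0, xor(TE, A0) if pb else bytes(K))
    # a AND b = (a AND pb) XOR (a AND (b XOR pb)); the final XOR is free.
    return xor(WG0, WE0), TG, TE


def eval_and(A, B, TG, TE, j):
    """Evaluator: holds one label per wire and never learns a or b."""
    sa, sb = lsb(A), lsb(B)
    WG = xor(H(A, j), TG if sa else bytes(K))
    WE = xor(H(B, j + 1), xor(TE, A) if sb else bytes(K))
    return xor(WG, WE)


def demo():
    """Garble one AND gate, evaluate all four inputs; returns (results, gen_H, eval_H)."""
    R = new_delta()
    A0, B0 = secrets.token_bytes(K), secrets.token_bytes(K)
    calls["H"] = 0
    C0, TG, TE = garble_and(A0, B0, R, j=0)
    gen_h = calls["H"]
    results = {}
    for a in (0, 1):
        for b in (0, 1):
            A = xor(A0, R) if a else A0
            B = xor(B0, R) if b else B0
            calls["H"] = 0
            C = eval_and(A, B, TG, TE, j=0)
            results[(a, b)] = 0 if C == C0 else 1 if C == xor(C0, R) else None
    return results, gen_h, calls["H"]
```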
