Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Scaling Secure Computation

1,355 views

Published on

Oregon Security Day, 5 April 2013

Two-party secure computation offers the potential for two participants to securely compute a function that depends on both of their inputs, without revealing those inputs to the other party or needing to trust any third party. For example, it could enable two people who meet at a conference to learn what contacts they have in common without revealing any of their other contacts or allow a pharmaceutical company to determine if a patient's genome shares common markers with successful participants in a study group, without revealing the genomes of the patient or study members. A general solution to this problem have been known since Andrew Yao's pioneering work on garbled circuits in the 1980s, but only recently has it become conceivable to use this approach in real systems. Our group has developed a framework for building efficient and scalable secure computations that achieves orders of magnitude performance improvements over the best previous systems. In this talk, I'll describe the techniques we use to design scalable and efficient secure computation protocols and share some recent results on improving the security and performance of secure computing applications.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Scaling Secure Computation

  1. 1. David EvansUniversity of Virginiahttp://www.cs.virginia.edu/evanshttp://MightBeEvil.comOregon Security Day5 April 2013
  2. 2. (De)Motivating Application:“Genetic Dating”2AliceBobGenome CompatibilityProtocolYour offspring will havegood immune systems!Your offspring will havegood immune systems!WARNING!Don’t ReproduceWARNING!Don’t Reproduce
  3. 3. 3Cost to sequence human genomeMoore’s Law prediction(halve every 18 months)$1,000$10,000$100,000$1,000,000$10,000,000$100,000,000Aug2001Feb2002Aug2002Feb2003Aug2003Feb2004Aug2004Feb2005Aug2005Feb2006Aug2006Feb2007Aug2007Feb2008Aug2008Feb2009Aug2009Feb2010Aug2010Feb2011Aug2011Feb2012Aug2012Feb2013
  4. 4. $1,000$10,000$100,000$1,000,000$10,000,000$100,000,000Aug2001Feb2002Aug2002Feb2003Aug2003Feb2004Aug2004Feb2005Aug2005Feb2006Aug2006Feb2007Aug2007Feb2008Aug2008Feb2009Aug2009Feb2010Aug2010Feb2011Aug2011Feb2012Aug2012Feb20134Cost to sequence human genomeMoore’s Law prediction(halve every 18 months)Ion torrent Personal Genome Machine
  5. 5. Human Genome Sequencing Using Unchained Base Reads on Self-Assembling DNA Nanoarrays. RadojeDrmanac, Andrew B. Sparks, Matthew J. Callow, Aaron L. Halpern, Norman L. Burns, Bahram G. Kermani, PaoloCarnevali, Igor Nazarenko, Geoffrey B. Nilsen, George Yeung, Fredrik Dahl, Andres Fernandez, Bryan Staker,Krishna P. Pant, Jonathan Baccash, Adam P. Borcherding, Anushka Brownley, Ryan Cedeno, Linsu Chen, DanChernikoff, Alex Cheung, Razvan Chirita, Benjamin Curson, Jessica C. Ebert, Coleen R. Hacker, Robert Hartlage,Brian Hauser, Steve Huang, Yuan Jiang, Vitali Karpinchyk, Mark Koenig, Calvin Kong, Tom Landers, Catherine Le,Jia Liu, Celeste E. McBride, Matt Morenzoni, Robert E. Morey, Karl Mutch, Helena Perazich, Kimberly Perry, BrockA. Peters, Joe Peterson, Charit L. Pethiyagoda, Kaliprasad Pothuraju, Claudia Richter, Abraham M. Rosenbaum,Shaunak Roy, Jay Shafto, Uladzislau Sharanhovich, Karen W. Shannon, Conrad G. Sheppy, Michel Sun, Joseph V.Thakuria, Anne Tran, Dylan Vu, Alexander Wait Zaranek, Xiaodi Wu, Snezana Drmanac, Arnold R. Oliphant,William C. Banyai, Bruce Martin, Dennis G. Ballinger, George M. Church, Clifford A. Reid. Science, January 2010.
  6. 6. 6DystopiaPersonalized Medicine
  7. 7. Secure Two-Party Computation7AliceBobBob’s Genome: ACTG…Markers (~1000): *0,1, …, 0+Alice’s Genome: ACTG…Markers (~1000): [0, 0, …, 1]Can Alice and Bob compute a function of their privatedata, without exposing anything about their data besides theresult?
  8. 8. Secure Function EvaluationAlice (circuit generator) Bob (circuit evaluator)Garbled Circuit ProtocolAndrew Yao, 1982/1986
  9. 9. Regular LogicInputs Outputa b x0 0 00 1 01 0 01 1 1ANDa bx
  10. 10. Computing with Meaningless Values?Inputs Outputa b xa0 b0 x0a0 b1 x0a1 b0 x0a1 b1 x1ANDa0 or a1 b0 or b1x0 or x1ai, bi, xi are randomvalues, chosen by thecircuit generator butmeaningless to thecircuit evaluator.
  11. 11. Computing with Garbled TablesInputs Outputa b xa0 b0 Enca0,b0(x0)a0 b1 Enca0,b1(x0)a1 b0 Enca1,b0(x0)a1 b1 Enca1,b1(x1)ANDa0 or a1 b0 or b1x0 or x1Bobcanonlydecryptoneofthese!Garbled And GateEnca0, b1(x0)Enca1,b1(x1)Enca1,b0(x0)Enca0,b0(x0)RandomPermutation
  12. 12. Garbled GateEnca0, b1(x0)Enca1,b1(x1)Enca1,b0(x0)Enca0,b0(x0)Garbled Circuit ProtocolAlice (circuit generator)Sends ai to Bobbased on her inputvalueBob (circuit evaluator)How does the Bob learn his own input wires?
  13. 13. Primitive: Oblivious TransferAlice BobOblivious TransferProtocolOblivious: Alice doesn’t learn which secret Bob obtainsTransfer: Bob learns one of Alice’s secretsRabin, 1981; Even, Goldreich, and Lempel, 1985; many subsequent papers
  14. 14. Chaining Garbled Circuits14ANDa0 b0x0ANDa1 b1x1ORx2And Gate 1Enca10, b11(x10)Enca11,b11(x11)Enca11,b10(x10)Enca10,b10(x10)Or Gate 2Encx00, x11(x21)Encx01,x11(x21)Encx01,x10(x21)Encx00,x10(x20)…We can do any computation privately this way!
  15. 15. Building Computing Systems15Encx00, x11(x21)Encx01,x11(x21)Encx01,x10(x21)Encx00,x10(x20)Digital Electronic Circuits Garbled CircuitsOperate on known data Operate on encrypted wire labelsOne-bit logical operation requiresmoving a few electrons a fewnanometers(hundreds of Billions per second)One-bit logical operation requiresperforming (up to) 4 encryptionoperations: very slow executionReuse is great! Reuse is not allowed for privacy:huge circuits needed
  16. 16. Fairplay16Dahlia Malkhi, Noam Nisan,Benny Pinkas and Yaron Sella[USENIX Sec 2004]SFDL ProgramSFDLCompilerCircuit(SHDL)Alice BobGarbled TablesGeneratorGarbled TablesEvaluatorSFDLCompiler
  17. 17. Faster Circuit Execution17Yan Huang(UVa PhD Student)GraduateYan Huang, David Evans, Jonathan Katz, and Lior Malka. Faster SecureTwo-Party Computation Using Garbled Circuits. USENIX Security 2011.Pipelined ExecutionOptimized Circuit LibraryPartial Evaluation
  18. 18. Encx00, x11(x21)Encx01,x11(x21)Encx01,x10(x21)Encx20, x21(x30)Encx21,x21(x30)Encx21,x20(x31)Encx20, x31(x41)Encx21,x31(x41)Encx21,x30(x40)Encx40, x31(x51)Encx41,x31(x50)Encx41,x30(x50)Encx40, x51(x61)Encx41,x51(x60)Encx41,x50(x60)Encx30, x61(x71)Encx31,x61(x70)Encx31,x60(x71)Pipelined Execution18Circuit-LevelApplicationGC Framework(Evaluator)GC Framework(Generator)Circuit StructureCircuit Structurex41x21x31x60x51x71Saves memory: never need to keep whole circuit in memory
  19. 19. PipeliningCircuit GenerationCircuitTransmissionCircuitEvaluationCircuit GenerationCircuit TransmissiontimeCircuit EvaluationWaiting I d l i n g19WaitingSaves time: reduceslatency and improvesthroughput
  20. 20. 00.20.40.60.811.2Fairplay [PSSW09] TASTY HereBillionsResults0246810Fairplay [PSSW09] TASTY Herex10000Performance(10,000x non-free gates per second)Scalability(billions of gates)[HEKM11][HEKM11]20100000gates/second
  21. 21. Semi-Honest is Half-Way TherePrivacyNothing is revealedother than the outputCorrectnessThe output of theprotocol is indeed f(x,y)Generator EvaluatorAs long as evaluator doesn’t sendresult back, and a malicious-resistant OT is used, privacy forevaluator is guaranteed.How can we get both correctness, and maintainprivacy while giving both parties result?21
  22. 22. Dual Execution ProtocolsYan Huang, Jonathan Katz, and David Evans. Quid-Pro-Quo-tocols: Strengthening Semi-Honest Protocols with Dual Execution. IEEE Security and Privacy (Oakland) 2012.
  23. 23. Dual Execution Protocol[Mohassel and Franklin, PKC’06+Alice Bobfirst round execution (semi-honest)generator evaluatorgeneratorevaluatorz=f(x, y)Pass if z = z’ and correct wire labelsz’, learnedoutputwire labelssecond round execution (semi-honest)z=f(x, y)z, learnedoutputwire labelsfully-secure, authenticated equality test
  24. 24. Security PropertiesCorrectness: guaranteed by authenticated,secure equality testPrivacy: Leaks one (extra) bit on averageadversarial circuit generator provides acircuit that fails on ½ of inputsMalicious generator can decrease likelihood of being caught, andincrease information leaked when caught (but decreases averageinformation leaked): at extreme, circuit fails on just one input24
  25. 25. 1-bit Leak25Cheating detected
  26. 26. Proving Security: Malicious26A BIdeal Worldy xAdversaryreceives:f (x‘, y‘)TrustedPartyinIdealWorldStandard Malicious Model: can’t prove this for Dual ExecutionReal WorldA By xShow equivalenceCorruptedparty behavesarbitrarilySecure Computation Protocol
  27. 27. Proof of Security: One-Bit Leakage27A BIdeal Worldy xControlled bymalicious Ag R {0, 1}g is an arbitraryBoolean functionselected byadversaryAdversary receives:f (x‘, y) and g(x‘, y‘)TrustedPartyinIdealWorldCan prove equivalence to this for Dual Execution protocols
  28. 28. ImplementationAlice Bobfirst round execution (semi-honest)generator evaluatorz=f(x, y)Pass if z = z’ and correct wire labelsz’, learnedoutputwire labelsgeneratorevaluator second round execution (semi-honest)z=f(x, y)z, learnedoutputwire labelsRecall: work to generate is 3x work to evaluate!28fully-secure, authenticated equality test
  29. 29. 050100150200250PSI (4096) ED (200x200) AES (100) AES (1)Time(seconds)Semi-honestDualEx (dual-core)DualEx (single-core)MaliciousPerformance29Circuits of arbitrary size can be done this way[Kreuter et al., USENIX Security 2012]Less than 1 second
  30. 30. Applications30Privacy-PreservingBiometric MatchingPrivatePersonalGenomicsPrivate Set IntersectionPrivate AESEncryption
  31. 31. ProblemBest PreviousResult Our Result SpeedupPrivate Set Intersection (contactmatching, common disease carrier)Competitive with best custom protocols,scales to millions of 32-bit elementsHamming Distance (FaceRecognition)213s[SCiFI, 2010]0.051s 4176Levenshtein Distance (genome,text comparison) – two 200-character inputs534s[Jha+, 2008]18.4s 29Smith-Waterman (genomealignment) – two 60-nucleotidesequences[NotImplementable]447s -AES Encryption 3.3s[Henecka, 2010]0.2s 16.5Fingerprint Matching (1024-entrydatabase, 640x8bit vectors)~83s[Barni, 2010]18s 4.631NDSS2011USENIXSecurity2011NDSS2012
  32. 32. Crazy Things in Typical Code32a[i] = x
  33. 33. Circuit for Array Update33i == 0a[0] xa[0]a[i] = xi == 1a[1] xa’[1]i == 2a[2] xa’[2]…
  34. 34. Easy (and Common) Case34for (i = 0; i < n; i++)a[i] += 1a[0] a[1] a[2] a[n-1]…+1 +1 +1 +1
  35. 35. Design circuits to support typicaldata structures efficientlyNon-trivial access patterns, butpatterns nonethelessMain opportunities:Locality and Batching35Samee Zahur and David Evans. Circuit Structuresfor Improving Efficiency of Security & Privacy Tools.IEEE Security and Privacy (Oakland) 2013.Samee Zahur(UVa PhD Student)
  36. 36. Locality: Stacks and Queues36if (x != 0)a[i] += 1if (a[i] > 10)i += 1a[i] = 5t := a.top() + 1a.cond_update(x != 0, t)a.cond_push(x != 0 && t > 10, *)a.cond_update(x != 0, 5)Data-oblivious codeNo branching allowed
  37. 37. Naïve Conditional Push37…px a[0] a[1] a[2] …a’[0] a’[1] a’[2] …
  38. 38. Naïve Conditional Push38…True7 2 9 3 …7 2 9 …
  39. 39. More Efficient Stack39Level 0: 2 9 3t = 3Level 1: 4 7t = 25 4Level 2: 8 8 2 3 8…Block size = 2levelEach level has 5 blocks, at least 2 full and 2 emptyt = 3
  40. 40. 402 9 3t = 34 7t = 25 4Level 0t = 3Level 1 Level2Conditional push (True, 7)7 2 9 3t = 44 7t = 25 4t = 3Conditional push (True, 8)8 7 2 9 3t = 54 7t = 25 4t = 38 2 7t = 34 7t = 35 49 3t = 3Shift
  41. 41. 412 9 3t = 34 7t = 25 4Level 0t = 3Level 1 Level7 2 9 3t = 44 7t = 25 4t = 3Conditional push (True, 8)8 7 2 9 3t = 54 7t = 25 4t = 38 2 7t = 34 7t = 35 49 3t = 3AmortizedΘ(log n) gatesper operation
  42. 42. 0 2 7 9AUMRDYKCArbitrary Array Accesses(Associative Maps)42m[0] = Am[2] = Um[9] = Mm[7] = Rm[0] = Dm[9] = Ym[9] = Km[7] = CExecution trace: indexes andvalues are private values
  43. 43. 43m[0] = Am[2] = Um[9] = Mm[7] = Rm[0] = Dm[9] = Ym[9] = Km[7] = CSort by Keym[0] = Am[0] = Dm[2] = Um[7] = Rm[7] = Cm[9] = Mm[9] = Ym[9] = Kstable sort!Batching Updates
  44. 44. 44m[0] = Am[2] = Um[9] = Mm[7] = Rm[0] = Dm[9] = Ym[9] = Km[7] = CSort by Keym[0] = Am[0] = Dm[2] = Um[7] = Rm[7] = Cm[9] = Mm[9] = Ym[9] = Kstable sort!Batching Updates
  45. 45. 45AUMRDYKCSort by Keym[0] = Am[0] = Dm[2] = Um[7] = Rm[7] = Cm[9] = Mm[9] = Ym[9] = Kstable sort!CompareAdjacentm[0] = Am[0] = Dm[2] = Um[7] = Rm[7] = Cm[9] = Mm[9] = Ym[9] = KBatching Updates
  46. 46. 46AUMRDYKCSort by Keym[0] = Am[0] = Dm[2] = Um[7] = Rm[7] = Cm[9] = Mm[9] = Ym[9] = Kstable sort!CompareAdjacentm[0] = Am[0] = Dm[2] = Um[7] = Rm[7] = Cm[9] = Mm[9] = Ym[9] = KBatching Updates
  47. 47. 47Batching UpdatesAUMRDYKCSort by Keym[0] = Am[0] = Dm[2] = Um[7] = Rm[7] = Cm[9] = Mm[9] = Ym[9] = Kstable sort!CompareAdjacentm[0] = Am[0] = Dm[2] = Um[7] = Rm[7] = Cm[9] = Mm[9] = Ym[9] = K
  48. 48. 48Sort by Keym[0] = Am[0] = Dm[2] = Um[7] = Rm[7] = Cm[9] = Mm[9] = Ym[9] = Kstable sort!CompareAdjacentm[0] = Am[0] = Dm[2] = Um[7] = Rm[7] = Cm[9] = Mm[9] = Ym[9] = Km[0] = Dm[2] = Um[7] = Cm[9] = Km[0] = Am[7] = Rm[9] = Mm[9] = YSortbyLivenessoutputwiresDiscarded
  49. 49. Associative Map Cost49Oblivious Stable SortComparisons and LivenessMarkingOblivious SortLiveness/KeyCircuit Size:Θ(n log n) ⨯comparisoncostΘ(n log2 n)
  50. 50. Example Application: DBScan50Density-based clustering:depth-first search to find dense clustersMartin Ester, Hans-Peter Kriegel, JörgSander, Xiaowei Xu. KDD 1996Alice’s Data Bob’s Data Joint Clusters
  51. 51. 51Private Input: P – array of points (combinesprivate points from both parties)Public inputs: minpts, radiusOutput: cluster number for each pointConditional Push!Array update!
  52. 52. 52050001000015000200002500030000350004000060 120 240 480ExecutionTime(seconds)Data SizeOptimized StructuresNormal Data Structures9.7 hours55 minutes
  53. 53. 53$1,000$10,000$100,000$1,000,000$10,000,000$100,000,000Aug2001Mar2002Oct2002May2003Dec2003Jul2004Feb2005Sep2005Apr2006Nov2006Jun2007Jan2008Aug2008Mar2009Oct2009May2010Dec2010Jul2011Feb2012Sep2012Apr2013Cost to sequence human genomeMoore’s Law prediction(halve every 18 months)
  54. 54. 54$1,000$10,000$100,000$1,000,000$10,000,000$100,000,000Aug2001Mar2002Oct2002May2003Dec2003Jul2004Feb2005Sep2005Apr2006Nov2006Jun2007Jan2008Aug2008Mar2009Oct2009May2010Dec2010Jul2011Feb2012Sep2012Apr2013FairPlay (2004) [10k*10k alignment]Free XORHEKMSchneider & Zhoner 2013
  55. 55. 55$1,000$10,000$100,000$1,000,000$10,000,000$100,000,000$1,000,000,000$10,000,000,000$100,000,000,000Aug2001Mar2002Oct2002May2003Dec2003Jul2004Feb2005Sep2005Apr2006Nov2006Jun2007Jan2008Aug2008Mar2009Oct2009May2010Dec2010Jul2011Feb2012Sep2012Apr2013Semi-Honest
  56. 56. 56$1,000$10,000$100,000$1,000,000$10,000,000$100,000,000$1,000,000,000$10,000,000,000$100,000,000,000Aug2001Mar2002Oct2002May2003Dec2003Jul2004Feb2005Sep2005Apr2006Nov2006Jun2007Jan2008Aug2008Mar2009Oct2009May2010Dec2010Jul2011Feb2012Sep2012Apr2013Active SecuritySemi-HonestKSS 2011HKE 20131-bit leak
  57. 57. 57mightbeevil.comQuestions?

×