Scaling Secure Computation

1,124 views

Published on

Oregon Security Day, 5 April 2013

Two-party secure computation offers the potential for two participants to securely compute a function that depends on both of their inputs, without revealing those inputs to the other party or needing to trust any third party. For example, it could enable two people who meet at a conference to learn what contacts they have in common without revealing any of their other contacts or allow a pharmaceutical company to determine if a patient's genome shares common markers with successful participants in a study group, without revealing the genomes of the patient or study members. A general solution to this problem have been known since Andrew Yao's pioneering work on garbled circuits in the 1980s, but only recently has it become conceivable to use this approach in real systems. Our group has developed a framework for building efficient and scalable secure computations that achieves orders of magnitude performance improvements over the best previous systems. In this talk, I'll describe the techniques we use to design scalable and efficient secure computation protocols and share some recent results on improving the security and performance of secure computing applications.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,124
On SlideShare
0
From Embeds
0
Number of Embeds
53
Actions
Shares
0
Downloads
10
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Circuit structure is small and can be reused;Each GT can be used only once.Significance: 1) allow GC to easily scale to arbitrary problem size; 2) indirectly improves time efficiency;
  • People have done this before. What’s new here is achieving performance & scalability needed for realistic problems.
  • Scaling Secure Computation

    1. 1. David EvansUniversity of Virginiahttp://www.cs.virginia.edu/evanshttp://MightBeEvil.comOregon Security Day5 April 2013
    2. 2. (De)Motivating Application:“Genetic Dating”2AliceBobGenome CompatibilityProtocolYour offspring will havegood immune systems!Your offspring will havegood immune systems!WARNING!Don’t ReproduceWARNING!Don’t Reproduce
    3. 3. 3Cost to sequence human genomeMoore’s Law prediction(halve every 18 months)$1,000$10,000$100,000$1,000,000$10,000,000$100,000,000Aug2001Feb2002Aug2002Feb2003Aug2003Feb2004Aug2004Feb2005Aug2005Feb2006Aug2006Feb2007Aug2007Feb2008Aug2008Feb2009Aug2009Feb2010Aug2010Feb2011Aug2011Feb2012Aug2012Feb2013
    4. 4. $1,000$10,000$100,000$1,000,000$10,000,000$100,000,000Aug2001Feb2002Aug2002Feb2003Aug2003Feb2004Aug2004Feb2005Aug2005Feb2006Aug2006Feb2007Aug2007Feb2008Aug2008Feb2009Aug2009Feb2010Aug2010Feb2011Aug2011Feb2012Aug2012Feb20134Cost to sequence human genomeMoore’s Law prediction(halve every 18 months)Ion torrent Personal Genome Machine
    5. 5. Human Genome Sequencing Using Unchained Base Reads on Self-Assembling DNA Nanoarrays. RadojeDrmanac, Andrew B. Sparks, Matthew J. Callow, Aaron L. Halpern, Norman L. Burns, Bahram G. Kermani, PaoloCarnevali, Igor Nazarenko, Geoffrey B. Nilsen, George Yeung, Fredrik Dahl, Andres Fernandez, Bryan Staker,Krishna P. Pant, Jonathan Baccash, Adam P. Borcherding, Anushka Brownley, Ryan Cedeno, Linsu Chen, DanChernikoff, Alex Cheung, Razvan Chirita, Benjamin Curson, Jessica C. Ebert, Coleen R. Hacker, Robert Hartlage,Brian Hauser, Steve Huang, Yuan Jiang, Vitali Karpinchyk, Mark Koenig, Calvin Kong, Tom Landers, Catherine Le,Jia Liu, Celeste E. McBride, Matt Morenzoni, Robert E. Morey, Karl Mutch, Helena Perazich, Kimberly Perry, BrockA. Peters, Joe Peterson, Charit L. Pethiyagoda, Kaliprasad Pothuraju, Claudia Richter, Abraham M. Rosenbaum,Shaunak Roy, Jay Shafto, Uladzislau Sharanhovich, Karen W. Shannon, Conrad G. Sheppy, Michel Sun, Joseph V.Thakuria, Anne Tran, Dylan Vu, Alexander Wait Zaranek, Xiaodi Wu, Snezana Drmanac, Arnold R. Oliphant,William C. Banyai, Bruce Martin, Dennis G. Ballinger, George M. Church, Clifford A. Reid. Science, January 2010.
    6. 6. 6DystopiaPersonalized Medicine
    7. 7. Secure Two-Party Computation7AliceBobBob’s Genome: ACTG…Markers (~1000): *0,1, …, 0+Alice’s Genome: ACTG…Markers (~1000): [0, 0, …, 1]Can Alice and Bob compute a function of their privatedata, without exposing anything about their data besides theresult?
    8. 8. Secure Function EvaluationAlice (circuit generator) Bob (circuit evaluator)Garbled Circuit ProtocolAndrew Yao, 1982/1986
    9. 9. Regular LogicInputs Outputa b x0 0 00 1 01 0 01 1 1ANDa bx
    10. 10. Computing with Meaningless Values?Inputs Outputa b xa0 b0 x0a0 b1 x0a1 b0 x0a1 b1 x1ANDa0 or a1 b0 or b1x0 or x1ai, bi, xi are randomvalues, chosen by thecircuit generator butmeaningless to thecircuit evaluator.
    11. 11. Computing with Garbled TablesInputs Outputa b xa0 b0 Enca0,b0(x0)a0 b1 Enca0,b1(x0)a1 b0 Enca1,b0(x0)a1 b1 Enca1,b1(x1)ANDa0 or a1 b0 or b1x0 or x1Bobcanonlydecryptoneofthese!Garbled And GateEnca0, b1(x0)Enca1,b1(x1)Enca1,b0(x0)Enca0,b0(x0)RandomPermutation
    12. 12. Garbled GateEnca0, b1(x0)Enca1,b1(x1)Enca1,b0(x0)Enca0,b0(x0)Garbled Circuit ProtocolAlice (circuit generator)Sends ai to Bobbased on her inputvalueBob (circuit evaluator)How does the Bob learn his own input wires?
    13. 13. Primitive: Oblivious TransferAlice BobOblivious TransferProtocolOblivious: Alice doesn’t learn which secret Bob obtainsTransfer: Bob learns one of Alice’s secretsRabin, 1981; Even, Goldreich, and Lempel, 1985; many subsequent papers
    14. 14. Chaining Garbled Circuits14ANDa0 b0x0ANDa1 b1x1ORx2And Gate 1Enca10, b11(x10)Enca11,b11(x11)Enca11,b10(x10)Enca10,b10(x10)Or Gate 2Encx00, x11(x21)Encx01,x11(x21)Encx01,x10(x21)Encx00,x10(x20)…We can do any computation privately this way!
    15. 15. Building Computing Systems15Encx00, x11(x21)Encx01,x11(x21)Encx01,x10(x21)Encx00,x10(x20)Digital Electronic Circuits Garbled CircuitsOperate on known data Operate on encrypted wire labelsOne-bit logical operation requiresmoving a few electrons a fewnanometers(hundreds of Billions per second)One-bit logical operation requiresperforming (up to) 4 encryptionoperations: very slow executionReuse is great! Reuse is not allowed for privacy:huge circuits needed
    16. 16. Fairplay16Dahlia Malkhi, Noam Nisan,Benny Pinkas and Yaron Sella[USENIX Sec 2004]SFDL ProgramSFDLCompilerCircuit(SHDL)Alice BobGarbled TablesGeneratorGarbled TablesEvaluatorSFDLCompiler
    17. 17. Faster Circuit Execution17Yan Huang(UVa PhD Student)GraduateYan Huang, David Evans, Jonathan Katz, and Lior Malka. Faster SecureTwo-Party Computation Using Garbled Circuits. USENIX Security 2011.Pipelined ExecutionOptimized Circuit LibraryPartial Evaluation
    18. 18. Encx00, x11(x21)Encx01,x11(x21)Encx01,x10(x21)Encx20, x21(x30)Encx21,x21(x30)Encx21,x20(x31)Encx20, x31(x41)Encx21,x31(x41)Encx21,x30(x40)Encx40, x31(x51)Encx41,x31(x50)Encx41,x30(x50)Encx40, x51(x61)Encx41,x51(x60)Encx41,x50(x60)Encx30, x61(x71)Encx31,x61(x70)Encx31,x60(x71)Pipelined Execution18Circuit-LevelApplicationGC Framework(Evaluator)GC Framework(Generator)Circuit StructureCircuit Structurex41x21x31x60x51x71Saves memory: never need to keep whole circuit in memory
    19. 19. PipeliningCircuit GenerationCircuitTransmissionCircuitEvaluationCircuit GenerationCircuit TransmissiontimeCircuit EvaluationWaiting I d l i n g19WaitingSaves time: reduceslatency and improvesthroughput
    20. 20. 00.20.40.60.811.2Fairplay [PSSW09] TASTY HereBillionsResults0246810Fairplay [PSSW09] TASTY Herex10000Performance(10,000x non-free gates per second)Scalability(billions of gates)[HEKM11][HEKM11]20100000gates/second
    21. 21. Semi-Honest is Half-Way TherePrivacyNothing is revealedother than the outputCorrectnessThe output of theprotocol is indeed f(x,y)Generator EvaluatorAs long as evaluator doesn’t sendresult back, and a malicious-resistant OT is used, privacy forevaluator is guaranteed.How can we get both correctness, and maintainprivacy while giving both parties result?21
    22. 22. Dual Execution ProtocolsYan Huang, Jonathan Katz, and David Evans. Quid-Pro-Quo-tocols: Strengthening Semi-Honest Protocols with Dual Execution. IEEE Security and Privacy (Oakland) 2012.
    23. 23. Dual Execution Protocol[Mohassel and Franklin, PKC’06+Alice Bobfirst round execution (semi-honest)generator evaluatorgeneratorevaluatorz=f(x, y)Pass if z = z’ and correct wire labelsz’, learnedoutputwire labelssecond round execution (semi-honest)z=f(x, y)z, learnedoutputwire labelsfully-secure, authenticated equality test
    24. 24. Security PropertiesCorrectness: guaranteed by authenticated,secure equality testPrivacy: Leaks one (extra) bit on averageadversarial circuit generator provides acircuit that fails on ½ of inputsMalicious generator can decrease likelihood of being caught, andincrease information leaked when caught (but decreases averageinformation leaked): at extreme, circuit fails on just one input24
    25. 25. 1-bit Leak25Cheating detected
    26. 26. Proving Security: Malicious26A BIdeal Worldy xAdversaryreceives:f (x‘, y‘)TrustedPartyinIdealWorldStandard Malicious Model: can’t prove this for Dual ExecutionReal WorldA By xShow equivalenceCorruptedparty behavesarbitrarilySecure Computation Protocol
    27. 27. Proof of Security: One-Bit Leakage27A BIdeal Worldy xControlled bymalicious Ag R {0, 1}g is an arbitraryBoolean functionselected byadversaryAdversary receives:f (x‘, y) and g(x‘, y‘)TrustedPartyinIdealWorldCan prove equivalence to this for Dual Execution protocols
    28. 28. ImplementationAlice Bobfirst round execution (semi-honest)generator evaluatorz=f(x, y)Pass if z = z’ and correct wire labelsz’, learnedoutputwire labelsgeneratorevaluator second round execution (semi-honest)z=f(x, y)z, learnedoutputwire labelsRecall: work to generate is 3x work to evaluate!28fully-secure, authenticated equality test
    29. 29. 050100150200250PSI (4096) ED (200x200) AES (100) AES (1)Time(seconds)Semi-honestDualEx (dual-core)DualEx (single-core)MaliciousPerformance29Circuits of arbitrary size can be done this way[Kreuter et al., USENIX Security 2012]Less than 1 second
    30. 30. Applications30Privacy-PreservingBiometric MatchingPrivatePersonalGenomicsPrivate Set IntersectionPrivate AESEncryption
    31. 31. ProblemBest PreviousResult Our Result SpeedupPrivate Set Intersection (contactmatching, common disease carrier)Competitive with best custom protocols,scales to millions of 32-bit elementsHamming Distance (FaceRecognition)213s[SCiFI, 2010]0.051s 4176Levenshtein Distance (genome,text comparison) – two 200-character inputs534s[Jha+, 2008]18.4s 29Smith-Waterman (genomealignment) – two 60-nucleotidesequences[NotImplementable]447s -AES Encryption 3.3s[Henecka, 2010]0.2s 16.5Fingerprint Matching (1024-entrydatabase, 640x8bit vectors)~83s[Barni, 2010]18s 4.631NDSS2011USENIXSecurity2011NDSS2012
    32. 32. Crazy Things in Typical Code32a[i] = x
    33. 33. Circuit for Array Update33i == 0a[0] xa[0]a[i] = xi == 1a[1] xa’[1]i == 2a[2] xa’[2]…
    34. 34. Easy (and Common) Case34for (i = 0; i < n; i++)a[i] += 1a[0] a[1] a[2] a[n-1]…+1 +1 +1 +1
    35. 35. Design circuits to support typicaldata structures efficientlyNon-trivial access patterns, butpatterns nonethelessMain opportunities:Locality and Batching35Samee Zahur and David Evans. Circuit Structuresfor Improving Efficiency of Security & Privacy Tools.IEEE Security and Privacy (Oakland) 2013.Samee Zahur(UVa PhD Student)
    36. 36. Locality: Stacks and Queues36if (x != 0)a[i] += 1if (a[i] > 10)i += 1a[i] = 5t := a.top() + 1a.cond_update(x != 0, t)a.cond_push(x != 0 && t > 10, *)a.cond_update(x != 0, 5)Data-oblivious codeNo branching allowed
    37. 37. Naïve Conditional Push37…px a[0] a[1] a[2] …a’[0] a’[1] a’[2] …
    38. 38. Naïve Conditional Push38…True7 2 9 3 …7 2 9 …
    39. 39. More Efficient Stack39Level 0: 2 9 3t = 3Level 1: 4 7t = 25 4Level 2: 8 8 2 3 8…Block size = 2levelEach level has 5 blocks, at least 2 full and 2 emptyt = 3
    40. 40. 402 9 3t = 34 7t = 25 4Level 0t = 3Level 1 Level2Conditional push (True, 7)7 2 9 3t = 44 7t = 25 4t = 3Conditional push (True, 8)8 7 2 9 3t = 54 7t = 25 4t = 38 2 7t = 34 7t = 35 49 3t = 3Shift
    41. 41. 412 9 3t = 34 7t = 25 4Level 0t = 3Level 1 Level7 2 9 3t = 44 7t = 25 4t = 3Conditional push (True, 8)8 7 2 9 3t = 54 7t = 25 4t = 38 2 7t = 34 7t = 35 49 3t = 3AmortizedΘ(log n) gatesper operation
    42. 42. 0 2 7 9AUMRDYKCArbitrary Array Accesses(Associative Maps)42m[0] = Am[2] = Um[9] = Mm[7] = Rm[0] = Dm[9] = Ym[9] = Km[7] = CExecution trace: indexes andvalues are private values
    43. 43. 43m[0] = Am[2] = Um[9] = Mm[7] = Rm[0] = Dm[9] = Ym[9] = Km[7] = CSort by Keym[0] = Am[0] = Dm[2] = Um[7] = Rm[7] = Cm[9] = Mm[9] = Ym[9] = Kstable sort!Batching Updates
    44. 44. 44m[0] = Am[2] = Um[9] = Mm[7] = Rm[0] = Dm[9] = Ym[9] = Km[7] = CSort by Keym[0] = Am[0] = Dm[2] = Um[7] = Rm[7] = Cm[9] = Mm[9] = Ym[9] = Kstable sort!Batching Updates
    45. 45. 45AUMRDYKCSort by Keym[0] = Am[0] = Dm[2] = Um[7] = Rm[7] = Cm[9] = Mm[9] = Ym[9] = Kstable sort!CompareAdjacentm[0] = Am[0] = Dm[2] = Um[7] = Rm[7] = Cm[9] = Mm[9] = Ym[9] = KBatching Updates
    46. 46. 46AUMRDYKCSort by Keym[0] = Am[0] = Dm[2] = Um[7] = Rm[7] = Cm[9] = Mm[9] = Ym[9] = Kstable sort!CompareAdjacentm[0] = Am[0] = Dm[2] = Um[7] = Rm[7] = Cm[9] = Mm[9] = Ym[9] = KBatching Updates
    47. 47. 47Batching UpdatesAUMRDYKCSort by Keym[0] = Am[0] = Dm[2] = Um[7] = Rm[7] = Cm[9] = Mm[9] = Ym[9] = Kstable sort!CompareAdjacentm[0] = Am[0] = Dm[2] = Um[7] = Rm[7] = Cm[9] = Mm[9] = Ym[9] = K
    48. 48. 48Sort by Keym[0] = Am[0] = Dm[2] = Um[7] = Rm[7] = Cm[9] = Mm[9] = Ym[9] = Kstable sort!CompareAdjacentm[0] = Am[0] = Dm[2] = Um[7] = Rm[7] = Cm[9] = Mm[9] = Ym[9] = Km[0] = Dm[2] = Um[7] = Cm[9] = Km[0] = Am[7] = Rm[9] = Mm[9] = YSortbyLivenessoutputwiresDiscarded
    49. 49. Associative Map Cost49Oblivious Stable SortComparisons and LivenessMarkingOblivious SortLiveness/KeyCircuit Size:Θ(n log n) ⨯comparisoncostΘ(n log2 n)
    50. 50. Example Application: DBScan50Density-based clustering:depth-first search to find dense clustersMartin Ester, Hans-Peter Kriegel, JörgSander, Xiaowei Xu. KDD 1996Alice’s Data Bob’s Data Joint Clusters
    51. 51. 51Private Input: P – array of points (combinesprivate points from both parties)Public inputs: minpts, radiusOutput: cluster number for each pointConditional Push!Array update!
    52. 52. 52050001000015000200002500030000350004000060 120 240 480ExecutionTime(seconds)Data SizeOptimized StructuresNormal Data Structures9.7 hours55 minutes
    53. 53. 53$1,000$10,000$100,000$1,000,000$10,000,000$100,000,000Aug2001Mar2002Oct2002May2003Dec2003Jul2004Feb2005Sep2005Apr2006Nov2006Jun2007Jan2008Aug2008Mar2009Oct2009May2010Dec2010Jul2011Feb2012Sep2012Apr2013Cost to sequence human genomeMoore’s Law prediction(halve every 18 months)
    54. 54. 54$1,000$10,000$100,000$1,000,000$10,000,000$100,000,000Aug2001Mar2002Oct2002May2003Dec2003Jul2004Feb2005Sep2005Apr2006Nov2006Jun2007Jan2008Aug2008Mar2009Oct2009May2010Dec2010Jul2011Feb2012Sep2012Apr2013FairPlay (2004) [10k*10k alignment]Free XORHEKMSchneider & Zhoner 2013
    55. 55. 55$1,000$10,000$100,000$1,000,000$10,000,000$100,000,000$1,000,000,000$10,000,000,000$100,000,000,000Aug2001Mar2002Oct2002May2003Dec2003Jul2004Feb2005Sep2005Apr2006Nov2006Jun2007Jan2008Aug2008Mar2009Oct2009May2010Dec2010Jul2011Feb2012Sep2012Apr2013Semi-Honest
    56. 56. 56$1,000$10,000$100,000$1,000,000$10,000,000$100,000,000$1,000,000,000$10,000,000,000$100,000,000,000Aug2001Mar2002Oct2002May2003Dec2003Jul2004Feb2005Sep2005Apr2006Nov2006Jun2007Jan2008Aug2008Mar2009Oct2009May2010Dec2010Jul2011Feb2012Sep2012Apr2013Active SecuritySemi-HonestKSS 2011HKE 20131-bit leak
    57. 57. 57mightbeevil.comQuestions?

    ×