This is my talk on security function evaluation. It has been presented for the Cryptographic Protocol Course at University of Salerno. It mainly focuses on practical aspects on secure computation with particular attention to Fairplay two party computation system.
Feedbacks are welcome! If you get inspired by this presentation, please let me know and add credits to your work ;)
1. Secure Function
Evaluation In Practice
Fairplay – A Two-Party Computation System
Malkhi - Nisan – Pinkas - Sella
Giuliana Carullo
Crypographic Protocol Course
Universityof Salerno
2012/2013
11. Back to 1980s construct the
garbled circuit
encode own
input in the
circuit
send circuit to
P2
participatein
the OT
receive results
receive circuit
learn input keys
from P1 via OT
evaluate circuit
send results to
P1
12. Back to 2004
A full-fledged
system that
implements
generic secure
function
evaluation (SFE)
Fairplay
15. Yao and Malicious Malicious
Parties refusing to participate
Parties substituting their local inputs
Parties aborting the protocol
prematurely
WHAT CAN GO WRONG?
16. Yao and Malicious Malicious
incorrect circuit
Misbehaving Bob may construct an incorrect circuit,
thus harming correctness, privacy and
independence ofinputs.
WHAT CAN GO WRONG?
17. Yao and Malicious Malicious
incorrect circuit
Misbehaving Bob may construct an incorrect circuit,
thus harming correctness, privacy and
independence ofinputs.
Bob may present a correct key for 1 and incorrect key
for 0.
WHAT CAN GO WRONG?
selective input
attack
18. Yao and Malicious Malicious
incorrect circuit
Misbehaving Bob may construct an incorrect circuit,
thus harming correctness, privacy and
independence ofinputs.
Bob may present a correct key for 1 and incorrect key
for 0.
If Alice obtains a valid output then, Bob knows that
she has 1 as input.
WHAT CAN GO WRONG?
selective input
attack
19. Yao and Malicious Malicious
incorrect circuit
Misbehaving Bob may construct an incorrect circuit,
thus harming correctness, privacy and
independence ofinputs.
Bob may present a correct key for 1 and incorrect key
for 0.
If Alice obtains a valid output then, Bob knows that
she has 1 as input.
Bob is also able to let Alice‟s computation aborts
(with a certain probabilityp) also in the ideal model
(sending garbage). However in this case, the abort
depends on Alice’s inputs.
WHAT CAN GO WRONG?
selective input
attack
42. program And {
const N=8;
type Byte = Int<N>;
type AliceInput = Byte;
type BobInput = Byte;
type AliceOutput = Byte;
type BobOutput = Byte;
type Input = struct {AliceInput alice, BobInput bob};
type Output = struct {AliceOutput alice, BobOutput bob};
function Output output(Input input) {
output.alice = (input.bob & input.alice);
output.bob = (input.bob & input.alice);
}
}
SFDL’s syntax borrows
heavily from C and Pascal.
43. program And {
const N=8;
type Byte = Int<N>;
type AliceInput = Byte;
type BobInput = Byte;
type AliceOutput = Byte;
type BobOutput = Byte;
type Input = struct {AliceInput alice, BobInput bob};
type Output = struct {AliceOutput alice, BobOutput bob};
function Output output(Input input) {
output.alice = (input.bob & input.alice);
output.bob = (input.bob & input.alice);
}
}
44. program And {
const N=8;
type Byte = Int<N>;
type AliceInput = Byte;
type BobInput = Byte;
type AliceOutput = Byte;
type BobOutput = Byte;
type Input = struct {AliceInput alice, BobInput bob};
type Output = struct {AliceOutput alice, BobOutput bob};
function Output output(Input input) {
output.alice = (input.bob & input.alice);
output.bob = (input.bob & input.alice);
}
}
45. program And {
const N=8;
type Byte = Int<N>;
type AliceInput = Byte;
type BobInput = Byte;
type AliceOutput = Byte;
type BobOutput = Byte;
type Input = struct {AliceInput alice, BobInput bob};
type Output = struct {AliceOutput alice, BobOutput bob};
function Output output(Input input) {
output.alice = (input.bob & input.alice);
output.bob = (input.bob & input.alice);
}
}
Special types, that
must be defined in
every program
53. Security Guarantees Malicious
misbehaving
Alice
Guaranteed by Yao‟s protocol and by
the usage of both OT and SHA-1
Semi
Honest
OT
misbehaving
Bob
Guaranteed by Cut and Choose, with
a probabilityp = 1 – 1/m
Simplified OT.
Cut and
Choose
Avoid to use it.
55. Performance analysis (AND) number of
gates
Total
LAN
of the total delay is given by
public key operations
32 16 8
Input Alice Input
27%-77%
56. Performance analysis (AND) number of
gates
Total
LAN
of the total delay is given by
public key operations
32 16 8
Input Alice Input
27%-77%
WAN
9%-42%
of the total delay is given by
public key operations
62. Summary
Efficient secure computation is a reality:
there is interest and we have fast protocols.
Even if Yao‟s garbled circuits can yield very
fast protocols, there is still more effort to
put in this field
Many other approaches are available in the
literature
63. References
1) Malkhi D., Nisan N.; Pinkas B. ; Sella Y., Fairplay – A Two-Party
Computation System, USENIX Security 2004
2) Orlandi C., Is multiparty computation any good in practice?,
Acoustics, Speech and Signal Processing (ICASSP), 2011 IEEE
International Conference on , vol., no., pp.5848,5851, 22-27
May 2011
3) Bogdanov D., Sharemind: programmable secure
computations with practical applications, PhD thesis,
University of Tartu, 2013.
4) Lindell Y., Techniques for Efficient Secure Computation Based
on Yao's Protocol. in Proc. Public Key Cryptography, 2013,
pp.253-253.
5) Kilian J., Secure Computation
64. Credits
Pictures
1) Bob And Alice (personally modified)
http://www.hep.yorku.ca/menary/courses/phys2040/images/alice_b
ob_quantum_joke.gif
2) Old vs Young
http://www.kellyrennie.com/lifes-journey/the-secrets-on-how-to-
grow-young/
3) World
http://blaberize.com/2009/10/15-really-cool-world-map-
wallpapers/
4) Baby chef
http://www.wallpaperhi.com/Technology/Apple/baby_milk_food_br
ead_cooking_chief_apples_cooks_children_2560x1600_wallpaper_10
0797
Others
Thanks to Jon Froehlich for getting inspired by his presentations
66. Circuit Generation notation
pi
circuit
definition
vi
0 vi
1
Let C be a circuit. Wk denotes the set of all wires in C
s. t. k ∈ {0, … , l-1}. g ∈ C denotes a gate.
Random t-bits strings which represents bit 0 and 1
respectively. (t is a security parameter).
Random binary permutation (i.e. a bit).
67. Circuit Generation notation
pi
circuit
definition
vi
0 vi
1
Let C be a circuit. Wk denotes the set of all wires in C
s. t. k ∈ {0, … , l-1}. g ∈ C denotes a gate.
Random t-bits strings which represents bit 0 and 1
respectively. (t is a security parameter).
Random binary permutation (i.e. a bit).
assumptions
focus
gates
input
All gates in SHDL have a single Boolean output.
The number of inputs into a gate can be 1, 2 and 3.
gates
output
Only binary gates.
68. Circuit Generation notation
pi
circuit
definition
vi
0 vi
1
Let C be a circuit. Wk denotes the set of all wires in C
s. t. k ∈ {0, … , l-1}. g ∈ C denotes a gate.
Random t-bits strings which represents bit 0 and 1
respectively. (t is a security parameter).
Random binary permutation (i.e. a bit).
STEP 1: Parameter generation
69. Circuit Generation notation
pi
circuit
definition
vi
0 vi
1
Let C be a circuit. Wk denotes the set of all wires in C
s. t. k ∈ {0, … , l-1}. g ∈ C denotes a gate.
Random t-bits strings which represents bit 0 and 1
respectively. (t is a security parameter).
Random binary permutation (i.e. a bit).
For each wire wi ∈ Wk Bob assigns vi
0 vi
1 and the
permutation pi .
He computes wi
0 wi
1 such that:
STEP 1: Parameter generation
wi
0 = vi
0 || (0 ⊕ pi) wi
1 = vi
1 || (1 ⊕ pi)
70. Circuit Generation notation
pi
circuit
definition
vi
0 vi
1
Let C be a circuit. Wk denotes the set of all wires in C
s. t. k ∈ {0, … , l-1}. g ∈ C denotes a gate.
Random t-bits strings which represents bit 0 and 1
respectively. (t is a security parameter).
Random binary permutation (i.e. a bit).
STEP 2 : Garbled-Truth-Table
71. Circuit Generation notation
pi
circuit
definition
vi
0 vi
1
Let C be a circuit. Wk denotes the set of all wires in C
s. t. k ∈ {0, … , l-1}. g ∈ C denotes a gate.
Random t-bits strings which represents bit 0 and 1
respectively. (t is a security parameter).
Random binary permutation (i.e. a bit).
For each gate g ∈ C Bob constructs the Garbled-
Truth-Table (GTT) by replacing every 0 and 1 with wi
0
and wi
1 respectively.
STEP 2 : Garbled-Truth-Table
72. Circuit Generation notation
pi
circuit
definition
vi
0 vi
1
Let C be a circuit. Wk denotes the set of all wires in C
s. t. k ∈ {0, … , l-1}. g ∈ C denotes a gate.
Random t-bits strings which represents bit 0 and 1
respectively. (t is a security parameter).
Random binary permutation (i.e. a bit).
STEP 3: Encrypted-Garbled-Truth-Table
73. Circuit Generation notation
pi
circuit
definition
vi
0 vi
1
Let C be a circuit. Wk denotes the set of all wires in C
s. t. k ∈ {0, … , l-1}. g ∈ C denotes a gate.
Random t-bits strings which represents bit 0 and 1
respectively. (t is a security parameter).
Random binary permutation (i.e. a bit).
For each gate g ∈ C Bob constructs the Encrypted-
Garbled-Truth-Table (EGTT).
For entry (x, y) computes x„= x ⊕ pi and y„= y ⊕ pi.
Performs Encrypt vi
0 vi
1k, x„, y„ (GTT(x, y))
STEP 3: Encrypted-Garbled-Truth-Table
74. Circuit Generation notation
pi
circuit
definition
vi
0 vi
1
Let C be a circuit. Wk denotes the set of all wires in C
s. t. k ∈ {0, … , l-1}. g ∈ C denotes a gate.
Random t-bits strings which represents bit 0 and 1
respectively. (t is a security parameter).
Random binary permutation (i.e. a bit).
STEP 4 : Permuted-Encrypted-Garbled-Truth-Table
75. Circuit Generation notation
pi
circuit
definition
vi
0 vi
1
Let C be a circuit. Wk denotes the set of all wires in C
s. t. k ∈ {0, … , l-1}. g ∈ C denotes a gate.
Random t-bits strings which represents bit 0 and 1
respectively. (t is a security parameter).
Random binary permutation (i.e. a bit).
For each gate g ∈ C Bob constructs the Permuted-
Encrypted-Garbled-Truth-Table (PEGTT) by simply
swapping entries in EGTT.
STEP 4 : Permuted-Encrypted-Garbled-Truth-Table
76. Circuit Generation notation
pi
circuit
definition
vi
0 vi
1
Let C be a circuit. Wk denotes the set of all wires in C
s. t. k ∈ {0, … , l-1}. g ∈ C denotes a gate.
Random t-bits strings which represents bit 0 and 1
respectively. (t is a security parameter).
Random binary permutation (i.e. a bit).
STEP 5 : Translation-Table
77. Circuit Generation notation
pi
circuit
definition
vi
0 vi
1
Let C be a circuit. Wk denotes the set of all wires in C
s. t. k ∈ {0, … , l-1}. g ∈ C denotes a gate.
Random t-bits strings which represents bit 0 and 1
respectively. (t is a security parameter).
Random binary permutation (i.e. a bit).
For each wire which carries a bit of Alice„s output,
Bob send a translation table that allows Alice to
interpret the outputs. This is performed sending the
hash value of wi
0 wi
1 .
STEP 5 : Translation-Table