Towards Practical Secure Computation


Transcript: Towards Practical Secure Computation

Scaling Secure Computation Using the Cloud
Payman Mohassel, Yahoo Labs
Do We Have the Same Person in Mind?
Alice and Bob each have a person in mind (the figure shows Joe and Jack). They want to reveal only Yes/No: is it the same person?
Solutions?
• You have access to a trusted computer
• You can use an airline reservation service
• You can use a password login page
Who is Richer? (Millionaires’ Problem)
Two parties hold X and Y respectively; the question to answer is: X > Y ?!!
Solutions?
• Trusted Party
• Trusted Program
• Check different digits?
• Ask comparison questions
Secure Multiparty Computation (MPC)
Parties P1, …, P5 hold private inputs x1, …, x5 (figure).
Correctness: honest parties learn the correct output.
Privacy: nothing but the final output is leaked.
Parties learn only f(x1, …, xn).
Location-Based Services
• Serving information/services
– stores, restaurants, ATMs, …
– tourist guides, Ads, …
• Location-based access control
Privacy-Preserving Proximity Testing
Alice and Bob learn if they are close to each other but nothing else: [NTLH 11, KMRS13]
Remote Diagnosis
• Error reporting systems – Log files
• Medical Diagnosis program – List of symptoms
• IDS/IPS rule sets – Packets
• DNA patterns – DNA database
Privacy-Preserving Intrusion Detection
IDS rule set → DFA → Oblivious DFA evaluation
Implemented and tested on snort: [MNS13]
More Applications
• Data mining
• Electronic Voting
• Auctions
• Exchanges/financial analysis
• Location privacy
• Genomic computation
• Electronic commerce
• Healthcare
• When there is IP, NDA, user consent involved
• When you need to distribute trust
A Heuristic Approach to Security [Lindell]
1. Build a protocol
2. Try to break the protocol
3. Fix the break
4. Return to (2)
The Challenge Is [Lindell]
• You can never be really sure that the protocol is secure
• Compare to algorithms:
– Inputs are not adversarial
– Hackers will do anything to exploit a weakness – if one exists, it may well be found
– Security cannot be checked empirically
A Rigorous Approach [Lindell]
• Provide an exact problem definition
– Adversarial power
– Network model
– Meaning of security
• Prove that the protocol is secure
– Often by reduction to an assumed hard problem, like the discrete-log problem
Our Adversary
• Adversary is an algorithm
• Adversary runs in polynomial time
• Adversary corrupts one of the two parties
– We do not know which one
• How does the corrupted party behave?
– Follows the protocol (semi-honest)
– Behaves arbitrarily (malicious)
What Does Security Mean?
• Correctness
– An honest party learns the correct output
• Privacy
– Nothing but the final output is leaked
• Fairness
– Either both parties learn the output or neither
Is It Achievable?
• Feasible for any polynomial-time function
• Boolean circuits
– [Yao82, GMW87, BMR90, …]
• Arithmetic circuits
– [BGW88, CCD88, …]
Implementations
• Fairplay, FairplayMP
– Implementations of 2PC & MPC
• VIFF and SEPIA
– Sharing-based MPC
• Sharemind
– Real-life usage
– 3-party MPC
• Dyadic Security
– Financial data analysis
• TASTY
– Mixed MPC framework (HE + garbled circuits)
• Fast Garbled Circuits
– Highly-optimized garbled circuit framework
• FRESCO
– A reusable set of libraries for implementing MPC
• SCAPI
– A set of Java-based libraries for MPC
• SPDZ
– MPC implementation with fast online phase
1-out-of-2 Oblivious Transfer [Rabin, 1981]
Two parties, Alice and Bob, act as Sender and Chooser. The Sender holds $Y_0, Y_1$; the Chooser holds a bit $j$. The Chooser learns $Y_j$; the Sender learns nothing.
Yao’s Garbled Circuits
• First secure computation protocol
• One of the most efficient
• Implementations
– Fairplay, 2004
– TASTY, 2010
– FastGarble, 2011
– SCAPI, 2013
– JustGarble, 2013
– …
• Circuits with millions of gates in less than a second
A Garbling Scheme
Circuit $C(x, y) = f(x, y)$
$\mathrm{Garble}(C, \mathit{seed}) \to (GC, E, D)$
$\mathrm{Encode}(x, y, E) \to (GI_x, GI_y)$
$\mathrm{Eval}(GC, GI_x, GI_y) \to GO$
$\mathrm{Decode}(GO, D) \to f(x, y)$
Some Basic Properties
• Privacy: knowing $GI_x$, $GI_y$, and $GC$ (and decoding with $D$) does not leak any information beyond $f(x, y)$
• Output Authenticity: given $GI_x$, $GI_y$, and $GC$, one cannot compute another valid output $GO'$
Garble/Evaluate
Garble an AND gate with input wires 1, 2 and output wire 3, where wire $i$ carries the keys $k^i_0, k^i_1$:
$c_{0,0} = E_{k^1_0, k^2_0}(k^3_0)$
$c_{0,1} = E_{k^1_0, k^2_1}(k^3_0)$
$c_{1,0} = E_{k^1_1, k^2_0}(k^3_0)$
$c_{1,1} = E_{k^1_1, k^2_1}(k^3_1)$
Evaluate: $\mathrm{Dec}_{k^1_a, k^2_b}(c_{a,b}) = k^3_{a \& b}$
Semi-honest 2PC
Circuit $C(x, y) = f(x, y)$
Garbler (input $x$):
$(GC, E, D) \leftarrow \mathrm{Garble}(C, sd)$
$GI_x \leftarrow \mathrm{Encode}(x, E)$
Garbler sends $GC$, $GI_x$ and $D$ to the Evaluator.
Evaluator (input $y$): obtains $GI_y$ via Oblivious Transfer, evaluates $GC$ on $GI_x, GI_y$, and decodes with $D$ to get $f(x, y)$.
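The garbled AND gate from the previous slide, carried through the semi-honest 2PC flow above, as an added example that is not code from the talk or any of the libraries it lists. The double-key encryption (a SHA-256 pad with a zero-padding check so the evaluator recognises the one row that opens), the key length, and the `semi_honest_and_2pc` driver are all assumptions of this example; the oblivious transfer step is simulated, not implemented.

```python
import os
import hashlib
import secrets

KEYLEN = 16  # wire-key length in bytes (assumed toy size; real schemes use 128-bit keys)

def new_wire():
    """Fresh (k_0, k_1) pair: k_b is the label standing for plaintext bit b."""
    return (os.urandom(KEYLEN), os.urandom(KEYLEN))

def enc(ka, kb, msg):
    """Double-key encryption E_{ka,kb}(msg): one-time pad derived from H(ka||kb)."""
    pad = hashlib.sha256(ka + kb).digest()
    # KEYLEN zero bytes are appended so a correct decryption is recognisable
    return bytes(m ^ p for m, p in zip(msg + b"\x00" * KEYLEN, pad))

def dec(ka, kb, ct):
    """Returns the wire key if (ka, kb) open ct, else None (zero-padding check)."""
    pad = hashlib.sha256(ka + kb).digest()
    pt = bytes(c ^ p for c, p in zip(ct, pad))
    return pt[:KEYLEN] if pt[KEYLEN:] == b"\x00" * KEYLEN else None

def garble_and(w1, w2, w3):
    """Garbled AND gate: c_{a,b} = E_{k^1_a, k^2_b}(k^3_{a&b}); rows shuffled so
    the row index reveals nothing about (a, b)."""
    table = [enc(w1[a], w2[b], w3[a & b]) for a in (0, 1) for b in (0, 1)]
    secrets.SystemRandom().shuffle(table)
    return table

def eval_and(table, ka, kb):
    """Evaluator holds exactly one key per input wire; exactly one row decrypts."""
    hits = [k for ct in table if (k := dec(ka, kb, ct)) is not None]
    assert len(hits) == 1, "garbled table malformed"
    return hits[0]

def semi_honest_and_2pc(x, y):
    """Simulated run: garbler bit x, evaluator bit y -> both learn x AND y."""
    w1, w2, w3 = new_wire(), new_wire(), new_wire()
    gc = garble_and(w1, w2, w3)      # Garble(C, seed) -> GC
    gi_x = w1[x]                     # Encode(x, E): garbler's own input label
    D = {w3[0]: 0, w3[1]: 1}         # decoding information D
    # Oblivious transfer is SIMULATED here: the evaluator receives only w2[y]
    # and the garbler never sees y. A real OT protocol would replace this line.
    gi_y = w2[y]
    go = eval_and(gc, gi_x, gi_y)    # Eval(GC, GI_x, GI_y) -> GO
    return D[go]                     # Decode(GO, D) = f(x, y)
```

The evaluator only ever sees one key per wire, so the three other rows stay opaque and nothing about the garbler's bit x is learned beyond the decoded output.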
Efficiency Metrics
• Computation
– Cheap: SHA, AES, …
– Expensive: exponentiations, …
• Communication
– A major challenge
– Especially for small devices
• Interaction
– Minimize coordination
• Memory usage
Limits of Standard MPC
• MPC is symmetric
– All parties’ work/bandwidth is similar
• MPC does not always scale
– Cost proportional to circuit size
– Circuits with billions of gates
• Unavoidable overhead
– Crypto is expensive
– E.g. public-key crypto is required
Server-Aided Model
• Introduce a server
– No input or output
– Considerable resources
– Motivated by cloud services
• Assumptions
– Honest, semi-honest, malicious?
– Collude or not collude?
• Server involvement
– Is it always online?
– Knows the function, parties, …?
• Outsourcing secure multiparty computation, eprint, 2011
• Salus: a system for server-aided secure computation, ACM CCS, 2012
Honest Cloud
• Cloud is trusted with
– Privacy of inputs/outputs
– Correctness of its computation
• Easy case!
– Each party sends his inputs to the cloud
– Cloud does all the computation
– Status quo
Dishonest Cloud
• Semi-honest
– Trusted with correct computation
– Not trusted with privacy of inputs/outputs
• Malicious
– Is not trusted with anything
1) Service Providers
• SP and cloud
– have resources
• Clients
– Limited resources (weak clients with inputs x1, x2, x3; the service provider (SP) holds y)
• Salus [KMR 2012]
– General-purpose
– Clients do very small work
Goal: weak clients need little work/bandwidth
2) Collaborative Computing
We don’t trust each other (parties with inputs x1, x2, x3), but there is a cloud we don’t necessarily trust that can help.
• SA-PSI [KMRS 2013]
– Server-aided private set intersection
– Scales to billion-element sets
– Over the internet (using MS Azure)
– 5 orders of magnitude improvement!
Goal: minimize average computation of all players
3) Privacy as a Service
• Minor cloud involvement
• Function is secret to cloud
• CB-2PC for Smartphone [MOR 2013]
– Implemented as Android App
– Privacy commodities = cd
– Independent of function/inputs/parties
Offline: each party obtains a “privacy commodity” (cd1, cd2, cd3) from the cloud.
Online: the app updates using its commodity and input (cd1, x1), (cd2, x2), (cd3, x3).
Goal: minimize online computation/bandwidth; minimize online cloud interaction
Questions?
References
[AL07] Aumann and Lindell. Security against covert adversaries: Efficient protocols for realistic adversaries. TCC 2007.
[CLS09] Chow et al. Privacy-Preserving Queries over Distributed Databases. NDSS 2009.
[DCCR12] Dong et al. Fair Private Set Intersection with a Semi-trusted Arbiter. Eprint 2012.
[FR97] Franklin and Reiter. Fair exchange with a semi-trusted third party. ACM CCS 1997.
[GHS10] Gennaro et al. Automata evaluation and text search protocols with simulation based security. PKC 2010.
[GMS08] Goyal et al. Secure Two-party and Multi-party Computation against Covert Adversaries. EUROCRYPT 2010.
[HEK12] Huang et al. Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? NDSS 2012.
[HEKM11] Huang et al. Faster Secure Two-Party Computation Using Garbled Circuits. Usenix Security 2011.
[HKE12] Huang et al. Quid Pro Quo-tocols: Strengthening Semi-Honest Protocols with Dual Execution. IEEE S&P 2012.
[IP07] Ishai and Paskin. Evaluating branching programs on encrypted data. TCC 2007.
[JKSS10] Jarvinen et al. Garbled Circuits for Leakage-Resilience: Hardware Implementation and Evaluation of One-Time Programs. CHES 2010.
[KMR11] Kamara et al. Outsourcing Multiparty Computation. Eprint 2011.
[KMR12] Kamara et al. Salus: A System for Server-Aided Secure Function Evaluation. ACM CCS 2012.
[KS08] Kolesnikov and Schneider. Improved Garbled Circuit: Free XOR Gates and Applications. ICALP 2008.
[KSS12] Kreuter et al. Towards Billion-Gate Secure Computation with Malicious Adversaries. Usenix Security 2012.
[LP07] Lindell and Pinkas. An efficient protocol for secure two-party computation in the presence of malicious adversaries. Eurocrypt 2007.
[LP11] Lindell and Pinkas. Secure two-party computation via cut-and-choose oblivious transfer. TCC 2011.
[LTV12] Lopez-Alt et al. On-the-Fly Multiparty Computation on the Cloud via Multikey Fully Homomorphic Encryption. STOC 2012.
[MF06] Mohassel and Franklin. Efficiency Tradeoffs for Malicious Two-Party Computation. PKC 2006.
[MN12] Mohassel and Niksefat. Oblivious Decision Programs from Oblivious Transfer: Efficient Reductions. FC 2012.
[MNSS13] Mohassel et al. ZIDS - A Privacy-Preserving Intrusion Detection System using Secure Two-Party Computation Protocols. To appear in the Computer Journal 2013.
[MNSS12] Mohassel et al. An Efficient Protocol for Oblivious DFA Evaluation and Applications. CT-RSA 2012.
[MR13] Mohassel and Riva. More Efficient Secure Two-Party Computation Protocols Based on Cut-and-Choose. CRYPTO 2013.
[NPS99] Naor et al. Privacy Preserving Auctions and Mechanisms. EC 1999.
[NTLHB11] Narayanan et al. Location privacy via private proximity testing. NDSS 2011.
[PSSW09] Pinkas et al. Secure two-party computation is practical. Asiacrypt 2009.
[SS11] Shelat and Shen. Two-output secure computation with malicious adversaries. Eurocrypt 2011.