Transcript Wysteria for Generic, Mixed-Mode Multiparty Computations Aseem Rastogi

Wysteria: A Programming Language
for Generic, Mixed-Mode Multiparty
Computations
Aseem Rastogi
Matthew Hammer, Michael Hicks
(University of Maryland, College Park)
What is Secure Multiparty Computation
(SMC)
A
B
Compute f(A, B)
Without revealing A to Bob and B to Alice
Using a Trusted Third Party
A
B
f(A, B)
f(A, B)
A
B
Compute f(A, B)
Without revealing A to Bob and B to Alice
SMC Eliminates Trusted Third Party
Cryptographic Protocol
A
B
Compute f(A, B)
Without revealing A to Bob and B to Alice
SMC Examples
Private Data
Nearest neighbor
Locations
Auction
Bids
Private set intersection
Sets
Statistical computation
Numbers
Beyond Toy SMC Examples
• Online card games
• SMC to deal cards
• Dice-based games
• SMC to roll dice
Monolithic Secure Multiparty Computation
A
B
f(A, B)
f(A, B)
Not Enough !
B
f(A, B)
f(A, B)
Secure State
Local
…
Secure State
A1
B1
g(A1, B1)
g(A1, B1)
A2
B2
h(A2, B2)
h(A2, B2)
Local
…
…
Local
A
…
Local
Mixed-Mode Secure Multiparty Computation
State Of The Art: Existing SMC Languages
• Fairplay, FairplayMP, CBMC-GC
– Only “circuit compilers”
– No mixed-mode
– No secure state None supports generic programs
(parametric in number of parties)
• L1
– Only 2-party, low level
– No formal guarantees
• FastGC
– Circuit library, only 2-party
Our Goal
Push SMC beyond toy applications
Design an SMC Language
Mixed-Mode
Generic
High-level
Guarantees
• Local and secure computations
• High-level support for secure state
• Code parametric in number of parties
• Single specification
• Runtime compilation to circuits
• Statically typed, sound
• Compositional
Goes Without Saying, Wysteria Has It All !
A High-level Functional Language to write
Mixed-Mode Generic SMCs
Implementation and examples available at:
http://ter.ps/wysteria
Demo
(coming up)
Developing Online Poker using Wysteria (almost there …)
Wysteria by Examples: Two-party Millionaire’s*
Compute who is richer among A and B
par(A)
let a = read() in
par(B)
let b = read() in
sec(A,B)
let o = a > b in
o
*The example in this form does not type check in Wysteria.
Single specification
A and B run the same program
Wysteria by Examples: Two-party Millionaire’s
Computation modes
par(A)
let a = read() in
par(B)
let b = read() in
sec(A,B)
let o = a > b in
o
A’s Local Computation
(Skipped by B)
Wysteria by Examples: Two-party Millionaire’s
A’s Local Computation
par(A)
let a = read() in
B’s Local Computation
par(B)
let b = read() in
sec(A,B)
let o = a > b in
o
(Skipped by A)
Wysteria by Examples: Two-party Millionaire’s
A’s Local Computation
par(A)
let a = read() in
B’s Local Computation
par(B)
let b = read() in
sec(A,B)
let o = a > b in
o
Secure Computation by
(A,B)
Wysteria by Examples: Two-party Millionaire’s
A’s Local Computation
par(A)
let a = read() in
B’s Local Computation
par(B)
let b = read() in
sec(A,B)
Secure Computation by
(A,B)
let o = a > b in
o
Runtime compiles it to boolean circuit,
and evaluates using secure computation
No communication primitives !
Key Ideas
Mixed-Mode Computations via Mode Annotations
Wysteria by Examples: Asymmetric Output
What if only A is allowed to know the output ?
par(A)
let a = read() in
par(B)
let b = read() in
sec(A,B)
let o = a > b in
o
Wysteria by Examples: Asymmetric Output
What if only A is allowed to know the output ?
par(A)
let a = read() in
par(B)
let b = read() in
sec(A,B)
let o = wire A:(a > b) in
o
Wire Bundle
Wire Bundles in Wysteria
• Maps from parties to values
• Each party sees only its own component in the bundle
– Or nothing if it’s not in the domain
• Wire bundles are dependently typed
• Create wire A:0 : W {A} nat
• Concat (wire A:0)++(wire B:1) : W {A U B} nat
• Project (wire A:0)[A] : nat
Wysteria by Examples: Inputs Via Wire Bundles
par(A)
let a = read() in
par(B)
let b = read() in
let w1 = wire A:a in
let w2 = wire B:b in
let w3 = w1 ++ w2 in
sec(A,B)
let o = wire A:(w3[A] > w3[B]) in
o
Wysteria by Examples: Wire Bundle Views
par(A)
A’s View
B’s View
sec(A,B)’s View
w1
{A:a}
{}
{A:a}
w2
{}
{B:b}
{B:b}
w3
{A:a}
{B:b}
{A:a,B:b}
let a = read() in
par(B)
let b = read() in
let w1 = wire A:a in
let w2 = wire B:b in
let w3 = w1 ++ w2 in
sec(A,B)
let o = wire A:(w3[A] > w3[B]) in
o
Key Ideas
Wire Bundle Abstraction for Private Inputs/Outputs
Mixed-Mode Computations via Place Annotations
Wysteria by Examples: Functions
let mill = λx:W {A U B} nat .
sec(A,B)
let o = x[A] > x[B] in
o
in
par(A)
let a = read () in
par(B)
let b = read () in
mill (wire A:a ++ wire B:b)
So Far We Have Seen …
• Mixed-Mode support via mode annotations
• Wire Bundles abstraction for private data
• Now: Writing Generic Code in Wysteria
Parties As First Class Values
• Parties are values of type ps φ
• Refinement types for more precise invariants
• {A} : ps {ν = A}
• {A} : ps {ν
A U B}
Wysteria by Examples: Generic Millionaire’s
let comb = λx:ps . λy:W x nat.
λa:ps option . λp:ps . λn:nat
match a with
| None => Some(p)
| Some(q) => if y[q] > n then a else
Some(p)
in
let mill = λx:ps .
λy:W x nat .
sec(x)
let o sec(x)
= wfold(y, None, comb x y) in
o
in …
Wysteria by Examples: Generic Millionaire’s
let comb = λx:ps . λy:W x nat.
λa:ps option . λp:ps . λn:nat
match a with
| None => Some(p)
| Some(q) => if y[q] > n then a else
Some(p)
in
let mill = λx:ps .
λy:W x nat .
sec(x)
let o sec(x)
= wfold(y, None, comb x y) in
o
in …
Wysteria by Examples: Generic Millionaire’s
let comb = λx:ps . λy:W x nat.
λa:ps{ν x} option.λp:ps{ν x}.λn:nat
match a with
| None => Some(p)
| Some(q) => if y[q] > n then a else
Some(p)
in
let mill = λx:ps .
λy:W x nat .
sec(x)
let o sec(x)
= wfold(y, None, comb x y) in
o
in …
Key Ideas
Generic Code:
1. Parties as First Class Values
2. Wire Bundle Combinators (e.g. wfold)
Wire Bundle Abstraction for Private Inputs/Outputs
Mixed-Mode Computations via Place Annotations
Wysteria Metatheory
• Formalized using λ-calculus with extensions
• Dependent type system
• Two operational semantics:
– Single-threaded (SIMD style specification)
– Multi-threaded (actual protocol runs)
– Slicing judgment from single- to multi-threaded
Wysteria Theorems*
• Type soundness (progress and preservation) in
single-threaded semantics
• Sound simulation:
Single-threaded
C1
Multi-threaded
π1
slice operation
C2
…
*
π2
*Proofs in Technical Report
Wysteria Implementation
We use GMW Implementation from Choi et. al.
Wysteria Evaluation
Application
n-Party ?
Mixed-Mode ?
Secure state ?
Millionaire’s
2nd Price auction
Yes
Yes
No
No
No
No
PSI
Nearest neighbor
2-party
Yes
Yes
No
No
No
Median
PSI count
2-party
2-party
Yes
Yes
No
Yes
2-round bidding
Yes
Yes
Yes
Online poker
Yes
Yes
Yes
Wysteria Code for Card Dealing
let rand = \(myunit:unit). sysop rand 52 in
let retryloop =
let mkdeal = \(x:ps{true}).
fix retryloop: (tmp5:unit) -> W tgt nat. (tmp5:unit).
let zerosh @ par(x) =
let myrand = \(z:unit).rand () in
let zerosh1 @ sec(x) = makesh 0 in
let rs = wapp x [wire x:(); wire x:myrand] in
zerosh1
let res = check rs in
in
if res.#success then
let dealt @ par(x) = array [ 52 ] of zerosh in
let nd = select ndealt[0] in
let ndealt @ par(x) = array [ 1 ] of 0 in
let _ = update dealt [nd] <- res.#sum in
let deal = \(tgt:ps{singl and subeq x}).
let _ = update ndealt [0] <- nd + 1 in
let w @ par(x) =
let card @ sec(x) =
let check = \(rs:W x nat).
let s = combsh (res.#sum) in
let nd = select ndealt[0] in
wire tgt:s
let sum @ sec(x) =
in
let s = wfold x [rs; 0; \(n1:nat).\(p:ps{true}).\(n2:nat). n1 + n2 ] in
card
let s1 = wfold x [wire x:(); s; \(n1:nat).\(p:ps{true}).\(n2:unit).
else
if n1 > 51 then n1 - 51 else n1
retryloop ()
] in
in
makesh s1
retryloop ()
in
in
let checkloop =
wcopy as x from w
fix checkloop:(i:nat) -> {#sum:Sh x nat, #success: bool}. (i:nat).
in
if i = nd then
{ #deal : deal }
{#sum:sum, #success:true}
in
else
l2et sd = select dealt[i] in
let cmp @ sec(x) =
let t1 = combsh sd in
let t2 = combsh sum in
t1 = t2
in
if cmp then
{#sum:sum, #success:false}
else
checkloop (i + 1)
n
checkloop 0
in
Secure computation
Local computation
Secret shares
Demo
• (Card dealing using Wysteria)
• Future Work: Integrate with bitcoin for betting
(c.f. Secure Multiparty Computation on BitCoin, Andrychowicz et. al.)
Also In The Paper …
• Support for secure state
• More language features
– Mutable state (interesting interaction with mixedmode)
– Additional wire bundle combinators
• Performance evaluation
• Complete proofs in TR
Wysteria Summary
A High-level Functional Language to write
Mixed-Mode Generic SMCs
Implementation and examples available at:
http://ter.ps/wysteria