Slide 1
Secure Computation
Jonathan Katz
Professor, Computer Science, UMD
Director, Maryland Cybersecurity Center

Slide 2
Mathematics
Complexity theory
Cryptography
Cybersecurity

Slide 3
Science of Cybersecurity
Cryptography

Slide 4: Importance of cryptography
- Cryptography is a key component in many (all?) security solutions
- The cryptographic approach provides a way to move beyond the “design-break-patch” cycle
  - Define (even informally) what you want to achieve
  - State your assumptions explicitly
  - Prove that your construction achieves your goal
- Cryptography is a nucleus for cybersecurity research
- Foundations for a “secure networked world” … with end-to-end formal guarantees

Slide 5: Scope of modern cryptography
- “Foundations”: number theory, block ciphers, hardware, …
- “Primitives”: encryption/signature schemes, …
- “Protocols”: key exchange, secure distributed computing, …
- “Systems”: DB privacy, voting, bitcoin, trust/reputation, …

Slide 6: Secure computation

Slide 7: A dilemma
- Can Alice and Bob determine their shared interests, without revealing any interests they don’t have in common?
- (Cartoon, Alice and Bob) “Hi… What are your hobbies?” “…, bird watching, …” “bird watching?!”

Slide 8: Secure two-party computation
- (Cartoon, Alice and Bob) “Hi… What are your hobbies?” “Let’s run a protocol!”
- Alice’s input: hobby 1, hobby 2, …, hobby n; Bob’s input: hobby 1, hobby 2, …, hobby n
- Each party learns {…, bird watching, …}: “bird watching!!”

Slide 9: Secure two-party computation
- Are any passengers on the no-fly list?
- Inputs: Person 1, Person 2, …, Person n (the list) and Passenger 1, Passenger 2, …, Passenger n

Slide 10: Natural question I
- How can these parties (who don’t trust each other) “securely” perform the computation?
  - While preserving secrecy of their inputs (to the extent possible)
  - While ensuring correctness of outputs
- Techniques/ideas from crypto, programming languages, distributed computing

Slide 11: Natural question II
- Why are these questions important?
- Candidate application domains
  - [DoD/IC] Secure search, cloud storage
  - [OFR, Treasury] More transparency, better regulation
  - Industry interest

Slide 12: How can parties securely compute f?

Slide 13: A protocol is secure if it emulates the use of a trusted party
- In particular, this implies:
  - The computed results are correct
  - Parties’ inputs remain private (except for what is implied by the outputs)
  - Parties’ inputs are chosen independently
  - And more…

Slide 14: Threat models
- Semi-honest (honest-but-curious) adversaries
  - Adversary follows the protocol faithfully, but tries to learn information from the protocol execution
  - A reasonable threat model in some settings
    - Trusted parties under legal/policy constraints
    - Software attestation, auditing, etc.
- Malicious adversaries
  - May behave arbitrarily; still cannot violate security guarantees

Slide 15: Is secure computation possible?
- Protocols for secure computation of any function, with security against malicious behavior of any number of parties, have been known since the ’80s
- These protocols are generic, and work for any function represented as a boolean circuit

Slide 16: Using generic secure 2PC
- Express f in high-level language [Fairplay (2004), TASTY (2010)]
- Express f in suitable representation
- Protocol computing f [PSSW (2009)]

Slide 17: Is secure computation practical?
- The general perception in the ’80s/’90s was that garbled circuits were hopelessly inefficient
  - Need to express f as a boolean circuit
  - Circuits get big quickly! (> 2^30 gates)
  - Symmetric-key operations linear in the circuit size
  - Public-key operations linear in the input length
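A toy instance of the generic approach on Slides 15 to 17, added here as an example and not taken from the talk or from any of the tools it names: a garbled-circuit evaluation of the shared-hobbies function from Slide 8, expressed as one AND gate per hobby in a public list. The garbler picks two random labels per wire and encrypts one 4-row table per gate (SHA-256 of the two input labels as a one-time pad, with point-and-permute select bits so the evaluator knows which row to open); the evaluator decrypts exactly one row per gate and never sees a second label on any wire. The oblivious-transfer step that would deliver the evaluator's input labels is simulated by handing them over directly, which is the assumption that makes the block run stand-alone. Note that the work (one table per gate, four hashes each) is linear in the circuit size, which is the cost Slide 17 refers to.

```python
import hashlib
import secrets
from typing import Dict, List, Tuple

LABEL_LEN = 16                    # bytes per wire label; the last byte is the select bit
Gate = Tuple[str, int, int, int]  # (op, input wire a, input wire b, output wire c)

GATES = {
    "AND": lambda i, j: i & j,
    "OR": lambda i, j: i | j,
    "XOR": lambda i, j: i ^ j,
}


def _select(label: bytes) -> int:
    """Point-and-permute bit: tells the evaluator which table row to decrypt."""
    return label[-1]


def _pad(la: bytes, lb: bytes, gate_id: int) -> bytes:
    """Row key derived from both input labels and the gate id (hash used as a one-time pad)."""
    return hashlib.sha256(la + lb + gate_id.to_bytes(4, "big")).digest()[:LABEL_LEN]


def _xor(x: bytes, y: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(x, y))


def garble(circuit: List[Gate], n_inputs: int):
    """Garbler (Alice): two random labels per wire, one 4-row table per gate."""
    labels: Dict[int, Tuple[bytes, bytes]] = {}

    def fresh(w: int) -> None:
        p = secrets.randbits(1)
        labels[w] = (secrets.token_bytes(LABEL_LEN - 1) + bytes([p]),      # label for bit 0
                     secrets.token_bytes(LABEL_LEN - 1) + bytes([1 - p]))  # label for bit 1

    for w in range(n_inputs):
        fresh(w)
    tables: List[List[bytes]] = []
    for gid, (op, a, b, c) in enumerate(circuit):
        fresh(c)
        rows = [b""] * 4
        for i in (0, 1):
            for j in (0, 1):
                la, lb = labels[a][i], labels[b][j]
                out = labels[c][GATES[op](i, j)]
                rows[2 * _select(la) + _select(lb)] = _xor(_pad(la, lb, gid), out)
        tables.append(rows)
    return labels, tables


def evaluate(circuit: List[Gate], tables: List[List[bytes]], active: Dict[int, bytes]) -> Dict[int, bytes]:
    """Evaluator (Bob): knows one label per input wire, opens exactly one row per gate."""
    active = dict(active)
    for gid, (op, a, b, c) in enumerate(circuit):   # op is never needed here: the table hides it
        la, lb = active[a], active[b]
        active[c] = _xor(_pad(la, lb, gid), tables[gid][2 * _select(la) + _select(lb)])
    return active


def garbled_eval(circuit: List[Gate], n_inputs: int, outputs: List[int], bits: List[int]) -> List[int]:
    """Run the whole (simulated) protocol on input bits and return the output bits."""
    labels, tables = garble(circuit, n_inputs)
    # Assumption: the evaluator's labels arrive via OT in a real protocol; here they are handed over.
    active = {w: labels[w][bits[w]] for w in range(n_inputs)}
    final = evaluate(circuit, tables, active)
    # Decoding information: the select bit of each output wire's 0-label.
    return [0 if _select(final[w]) == _select(labels[w][0]) else 1 for w in outputs]


def private_intersection(alice: set, bob: set, universe: List[str]) -> set:
    """Shared hobbies (Slide 8) as a circuit with one AND gate per hobby in a public universe."""
    n = len(universe)
    bits = [int(h in alice) for h in universe] + [int(h in bob) for h in universe]
    circuit = [("AND", k, n + k, 2 * n + k) for k in range(n)]
    outputs = [2 * n + k for k in range(n)]
    result = garbled_eval(circuit, 2 * n, outputs, bits)
    return {h for h, bit in zip(universe, result) if bit}


if __name__ == "__main__":
    hobbies = ["bird watching", "chess", "hiking", "sailing"]   # constructed sample universe
    print(private_intersection({"bird watching", "chess"}, {"bird watching", "hiking"}, hobbies))
```

The only thing either party learns beyond the output is the circuit itself (which is public), because each table row decrypts to a label that is uniform to anyone who does not hold the other three labels.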
Slide 18: Performance (-2010)
[Chart; no data in the extracted text]

Slide 19: Using generic secure 2PC
- Express f in high-level language
- Express f in suitable representation
- Protocol computing f
  - Efficient implementation
  - Protocol optimizations
  - Better crypto primitives

Slide 20: Notable improvements
- Protocol level
  - OT extension [IKNP03]
  - Better garbling (free-XOR [KS08], row reduction [PSSW09], half gates [ZRE15])
  - Cut-and-choose [LP07, LP11, HKE14, L14, …], new models [MF06, HKE12], amortization [LR14, H+14]
- Implementation level [HEKM11]
  - “Pipelining”
  - Reducing number of wires/gates
  - Optimized circuit libraries

Slide 21: Huge impact
- Performance [HEKM11]
- Scalability [HEKM11]
- Secure computation is efficient (for moderately-sized circuits, and semi-honest security)
- Huang et al., “Faster Secure Two-Party Computation Using Garbled Circuits,” USENIX Security 2011

Slide 22: Using generic secure 2PC
- Express f in high-level language
  - Expressiveness? Support for low-level optimizations? Type checking?
- Express f in suitable representation
  - Compile-time optimizations? Choice of representation: which representation? Which protocol?
- Protocol computing f
  - Efficient implementation, protocol optimizations, better crypto primitives

Slide 23: Recent results
- Secure 2PC in the RAM model*
  - Represent f as a RAM program rather than as a boolean circuit
- Better compilers/programming languages for secure 2PC (in the RAM model)**
  - Allow programmers to code as usual
- Secure 2PC of native MIPS code***
  - Language-agnostic
- * Gordon et al., ACM CCS 2012; ** Liu et al., IEEE S&P 2014; *** Gordon et al., in submission

Slide 24: Why the RAM model?
- Efficiency
  - Running time for a RAM program can be much better than the circuit size (e.g., binary search)
  - Sublinear-time computation for “big data”?
    - The circuit for any non-trivial function must have size at least linear in the input length
    - In fact, linear complexity is inherent for secure computation of any non-trivial function
    - This is not true for amortized complexity!

Slide 25: Why the RAM model?
- Better alignment with how programmers think about algorithms and write their code
  - What is the complexity of sorting?
  - Dynamic memory accesses (e.g., count[a[i]]++;)
  - General-purpose computation on a von Neumann architecture
  - Input-dependent running time

Slide 26: Key tool: ORAM
- Allows oblivious access to stored data, with polylog overhead [GO96, …, S+11, S+13, …]
- (Diagram) Client holds the ORAM state; Server holds D

Slide 27: Key tool: ORAM
- (Diagram) Client, holding the ORAM state, sends “read, i1” and gets back D[i1], then “read, i2” and gets back D[i2] (writes also supported)
- Security: accessed positions are independent of i1, i2, …

Slide 28: Secure 2PC of RAM programs?
- (Diagram) Client (x) holds st and the ORAM state; Server (D) answers each ORAM access with D[i]
- Client runs:
    st = x
    d =
    while (1) {
      (inst, st) = Π(st, d)
      if inst == done, return d
      if inst == (read, i): d = D[i]
      if inst == (write, i): D[i] = d
    }

Slide 29: Problems?
- If server initializes the ORAM itself, access patterns are no longer oblivious to the server!
- No security against the client!
  - Client learns st
  - Client learns ORAM state
  - Client learns intermediate results of the ORAM computation

Slide 30: Conceptually…
- (Diagram) Client (x) and Server (D) each hold [ORAM state] and [st]; a “Trusted 3rd party” does the computation on them

Slide 31: Conceptually…
- (Diagram) Client (x) and Server (D) each hold [ORAM state], [st], and [d]
- The trusted party runs the loop from Slide 28 on these values; the ORAM access returns [d’] to each party
- Repeat until inst = done, then reconstruct final output

Slide 32: A secure protocol!
- (Diagram) Client (x) and Server (D) each hold [ORAM state] and [st]; the loop from Slide 28 is computed on the shared values, and the ORAM access returns [d’]

Slide 33: Have we gained anything?
- After the initialization, all circuits computed have small size, independent of |D|
- Amortized complexity:
  - Say original computation requires T steps for memory of size S
  - ORAM protocol needs O(T polylog S) lookups
  - O(T polylog S) secure-computation sub-protocols on small circuits of size polylog S
  - If T is sublinear, sublinear complexity overall!
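The RAM-program loop of Slides 28 and 31 to 33, as an added simulation that is not the talk's code: Π is the next-instruction function for a lower-bound binary search (the example Slide 24 gives), D is the server's sorted array, and the loop counts memory lookups. The ORAM layer and the secret sharing are deliberately not modelled (a plain list stands in for D, and st, d, i are ordinary values), so the block shows only the control flow and the cost: the lookup count stays at about log2(S) + 1 for an array of S entries, while any circuit for the same function has size at least S. The instruction encoding and the initial value of d (None; the slide leaves it blank) are assumptions.

```python
from typing import Callable, List, Tuple

# Assumed instruction encoding for Π's output: ("read", i), ("write", i) or ("done",).
State = Tuple[int, int, int, object, bool]


def run_ram_program(step: Callable, x, D: List[int]):
    """The loop from Slide 28 with a lookup counter. Returns (output, number of lookups).

    D is a plain list here; in the protocol D lives in ORAM and st, d and i are shared,
    and each call of `step` is a small secure-computation sub-protocol.
    """
    st, d, lookups = x, None, 0        # initial d is an assumption (blank on the slide)
    while True:
        inst, st = step(st, d)
        if inst[0] == "done":
            return d, lookups
        if inst[0] == "read":
            d = D[inst[1]]
        elif inst[0] == "write":
            D[inst[1]] = d
        lookups += 1


def lower_bound_step(st: State, d) -> Tuple[tuple, State]:
    """Π for lower-bound binary search: st = (target, lo, hi, pending probe index, final flag)."""
    target, lo, hi, pending, final = st
    if final:                            # d now holds D[lo]; hand it back as the output
        return ("done",), st
    if pending is not None:              # consume D[pending] returned by the previous read
        if d < target:
            lo = pending + 1
        else:
            hi = pending
    if lo < hi:
        mid = (lo + hi) // 2
        return ("read", mid), (target, lo, hi, mid, False)
    return ("read", lo), (target, lo, hi, None, True)   # last read, then done


def initial_state(target: int, size: int) -> State:
    return (target, 0, size - 1, None, False)


def search(D: List[int], target: int) -> Tuple[int, int]:
    """Returns (first element >= target, or the last element if there is none; lookups used)."""
    return run_ram_program(lower_bound_step, initial_state(target, len(D)), D)


def search_cost(size: int) -> int:
    """Lookups for one search over a sorted array of `size` entries: at most ceil(log2 size) + 1,
    versus a circuit of size at least `size` for the same function."""
    D = list(range(size))                # constructed sorted input
    return search(D, size // 2)[1]


if __name__ == "__main__":
    sample = list(range(0, 200, 2))      # constructed: 0, 2, 4, ..., 198
    print(search(sample, 51))            # (52, 8): eight lookups into 100 entries
    print(search_cost(1 << 20))          # 21 lookups into a million entries
```

Every step of Π touches only st and d, both of size independent of |D|, which is why Slide 33 can charge O(polylog S) per step once the ORAM is in place.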
Slide 34: Performance results (512-bit entries)
[Chart; no data in the extracted text]

Slide 35: Limitations
- Programmers still limited to using a fixed (toy?) language to express their programs
- No support for legacy code
- Although programs can be made instruction oblivious, doing so increases the number of instructions executed
- Existing compilers for secure computation are not as good as gcc…

Slide 36: Secure 2PC of MIPS machine code
- Programmers can write code in a language of their choice (so long as it compiles to MIPS)
- Existing MIPS code supported “for free”
- Number of instructions securely executed is exactly* the number of instructions executed in the insecure version
- Can leverage optimizations already present in existing compilers

Slide 37: MIPS execution (high level)
- (Diagram) MIPS CPU holding Program, Registers, PC; RAM
- Fetch next instruction; execute instruction; read or write to memory

Slide 38: Conceptually…
- (Diagram) P1 (x) and P2 (y) each hold [regs] and [PC]; a MIPS CPU step is computed on these values and yields [regs’]; memory is held in ORAM
Slide 39: Why are these questions important?

Slide 40: DoD
- IARPA: secure database search; now being piloted by NCTC
- DARPA: fully homomorphic encryption (PROCEED); private search (BRANDEIS)
- Air Force: detecting potential satellite collisions

Slide 41: OFR (US Dept. of the Treasury)
- Looking at using secure computation and differential privacy for facilitating data sharing
  - Among regulators
  - Between firms
  - With researchers and the public
- Obtain the benefits of transparency, while complying with policy regulations and reducing concerns about confidentiality
- Flood et al., “Cryptography and the Economics of Supervisory Information: Balancing Transparency and Confidentiality,” Financial Stability Conference 2013

Slide 42: Industry
- Partisia: Danish sugar-beet auction (2008-present); wireless-spectrum auctions
- Sharemind: statistical analysis of financial data
- Sepior, Dyadic: threshold AES decryption

Slide 43: Conclusions
- Tremendous advances in theory and practice of secure 2PC in past few years
- Real-world deployment is already here!
- Will continue to grow in importance and impact

Slide 44: Acknowledgments
- Research supported by NSF (“TC: Large: Collaborative Research: Practical Secure Computation: Techniques, Tools, and Applications”), DARPA (“Toward Practical Cryptographic Protocols for Secure Information Sharing”), ARL-ITA (“Secure Information Flow in Hybrid Coalition Networks”)
- Papers and code available at http://www.cs.umd.edu/~jkatz/papers.html

Slide 45: Questions?