Jonathan Katz - PowerPoint Presentation

Uploaded on 2016-10-19 by karlyn-bohler

Presentation Transcript

Slide 1

Jonathan Katz
Professor, Computer Science, UMD
Director, Maryland Cybersecurity Center

Secure Computation

Slide 2

(Diagram: Mathematics, Complexity theory, Cryptography, Cybersecurity)

Slide 3

(Diagram: Science of Cybersecurity, Cryptography)

Slide 4

Importance of cryptography

- Cryptography is a key component in many (all?) security solutions
- The cryptographic approach provides a way to move beyond the “design-break-patch” cycle:
  - Define (even informally) what you want to achieve
  - State your assumptions explicitly
  - Prove that your construction achieves your goal
- Cryptography is a nucleus for cybersecurity research
- Foundations for a “secure networked world” … with end-to-end formal guarantees

Slide 5

Scope of modern cryptography

- “Foundations”: number theory, block ciphers, hardware, …
- “Primitives”: encryption/signature schemes, …
- “Protocols”: key exchange, secure distributed computing, …
- “Systems”: DB privacy, voting, bitcoin, trust/reputation, …

Slide 6

Secure computation

Slide 7

A dilemma

Can Alice and Bob determine their shared interests, without revealing any interests they don’t have in common?

(Cartoon: Alice: “Hi… What are your hobbies?” Bob: “…, bird watching, …” Alice: “bird watching?!”)

Slide 8

Secure two-party computation

Alice’s input: hobby 1, hobby 2, …, hobby n
Bob’s input: hobby 1, hobby 2, …, hobby n

(Cartoon: “Hi… What are your hobbies?” “Let’s run a protocol!” Both parties learn only the intersection {…, bird watching, …}. “bird watching!!”)

Slide 9

Secure two-party computation

Are any passengers on the no-fly list?

Input 1 (the list): Person 1, Person 2, …, Person n
Input 2 (the manifest): Passenger 1, Passenger 2, …, Passenger n

Slide 10

Natural question I

How can these parties (who don’t trust each other) “securely” perform the computation?
- While preserving secrecy of their inputs (to the extent possible)
- While ensuring correctness of outputs

Techniques/ideas from crypto, programming languages, distributed computing

Slide 11

Natural question II

Why are these questions important?

Candidate application domains:
- [DoD/IC] Secure search, cloud storage
- [OFR, Treasury] More transparency, better regulation
- Industry interest

Slide 12

How can parties securely compute f?

Slide 13

A protocol is secure if it emulates the use of a trusted party

In particular, this implies:
- The computed results are correct
- Parties’ inputs remain private (except for what is implied by the outputs)
- Parties’ inputs are chosen independently
- And more…

Slide 14

Threat models

- Semi-honest (honest-but-curious) adversaries
  - Adversary follows the protocol faithfully, but tries to learn information from the protocol execution
  - A reasonable threat model in some settings: trusted parties under legal/policy constraints; software attestation, auditing, etc.
- Malicious adversaries
  - May behave arbitrarily; still cannot violate security guarantees

Slide 15

Is secure computation possible?

- Protocols for secure computation of any function, with security against malicious behavior of any number of parties, have been known since the ’80s
- These protocols are generic, and work for any function represented as a boolean circuit

Slide 16

Using generic secure 2PC

(Pipeline: Express f in high-level language [Fairplay (2004), TASTY (2010)] → Express f in suitable representation → Protocol computing f [PSSW (2009)])

Slide 17

Is secure computation practical?

- The general perception in the ’80s/’90s was that garbled circuits were hopelessly inefficient
- Need to express f as a boolean circuit
  - Circuits get big quickly! (> 2^30 gates)
- Symmetric-key operations linear in the circuit size
- Public-key operations linear in the input length
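Why the symmetric-key work is linear in the circuit size is easiest to see on a single garbled gate. The following is an added example, not code from the slides or from any of the systems cited on this page: it garbles an AND gate and an XOR gate in the classic point-and-permute style (four hash evaluations per gate, no free-XOR), wires the AND output into the XOR, and lets an evaluator who holds one label per input wire recover exactly one output label. The 128-bit label length, the use of SHA-256 as the keyed hash (modelled as a random oracle) and all function names are assumptions made for this example.

```python
"""Garbling one gate, point-and-permute style, with a second gate wired to its output."""
import hashlib
import secrets

LABEL_LEN = 16  # bytes per wire label; 128-bit labels are an assumption, not from the slides


def fresh_wire():
    """Two random labels for a wire, one per plaintext bit. The low bit of each label is
    its 'select' bit: select = perm XOR bit for a secret per-wire perm, so the two labels
    differ in that bit while the bit alone reveals nothing about the plaintext value."""
    perm = secrets.randbits(1)
    labels = []
    for bit in (0, 1):
        lab = bytearray(secrets.token_bytes(LABEL_LEN))
        lab[-1] = (lab[-1] & 0xFE) | (perm ^ bit)
        labels.append(bytes(lab))
    return tuple(labels)  # (label meaning 0, label meaning 1)


def select_bit(label):
    return label[-1] & 1


def row_mask(label_a, label_b, gate_id):
    """Keyed hash of the two input labels: the one-time pad for a single table row.
    Treating SHA-256 as a random oracle is the usual assumption for this construction."""
    h = hashlib.sha256(b"gate" + gate_id.to_bytes(4, "big") + label_a + label_b).digest()
    return h[:LABEL_LEN]


def xor_bytes(x, y):
    return bytes(a ^ b for a, b in zip(x, y))


def garble_gate(gate_fn, wire_a, wire_b, wire_out, gate_id):
    """Garbler side. Four hash evaluations per gate: this is the 'symmetric-key work linear
    in the circuit size' from the slide. Row index = (select(A), select(B)), so the order
    of the table leaks nothing about which row encodes which plaintext pair."""
    table = [None] * 4
    for a in (0, 1):
        for b in (0, 1):
            la, lb = wire_a[a], wire_b[b]
            row = 2 * select_bit(la) + select_bit(lb)
            table[row] = xor_bytes(row_mask(la, lb, gate_id), wire_out[gate_fn(a, b)])
    return table


def eval_gate(table, la, lb, gate_id):
    """Evaluator side. Holds exactly one label per input wire and so can unmask exactly
    one row; the other three rows stay opaque because their pads need labels it never saw."""
    row = 2 * select_bit(la) + select_bit(lb)
    return xor_bytes(row_mask(la, lb, gate_id), table[row])


def evaluate_and_xor(a, b, c):
    """Garble and evaluate the two-gate circuit (a AND b) XOR c end to end.
    Returns the plaintext output bit, decoded with the garbler's output map."""
    wa, wb, wc, wt, wo = (fresh_wire() for _ in range(5))
    # Garbler builds both tables. Free-XOR [KS08] would make the XOR gate costless;
    # here it is garbled like any other gate to keep the example uniform.
    t_and = garble_gate(lambda x, y: x & y, wa, wb, wt, gate_id=1)
    t_xor = garble_gate(lambda x, y: x ^ y, wt, wc, wo, gate_id=2)
    # Evaluator receives one label per input wire (its own via oblivious transfer in a
    # real protocol) plus the tables, and never sees the other label of any wire.
    lt = eval_gate(t_and, wa[a], wb[b], gate_id=1)
    lo = eval_gate(t_xor, lt, wc[c], gate_id=2)
    # Output decoding: the garbler publishes which output-wire label means 0 and which 1.
    return {wo[0]: 0, wo[1]: 1}[lo]
```

Every gate costs the garbler four hash calls and the evaluator one, independent of the inputs; a 2^30-gate circuit therefore means 2^32 garbler hash evaluations before any optimisation, which is the cost the later slides attack with free-XOR, row reduction and half gates.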

Slide 18

Performance (-2010)

(Chart; values not recoverable from the transcript)

Slide 19

Using generic secure 2PC

(Pipeline: Express f in high-level language → Express f in suitable representation → Protocol computing f; annotated with: Efficient implementation, Protocol optimizations, Better crypto primitives)

Slide 20

Notable improvements

- Protocol level
  - OT extension [IKNP03]
  - Better garbling (free-XOR [KS08], row reduction [PSSW09], half gates [ZRE15])
  - Cut-and-choose [LP07, LP11, HKE14, L14, …], new models [MF06, HKE12], amortization [LR14, H+14]
- Implementation level [HEKM11]
  - “Pipelining”
  - Reducing number of wires/gates
  - Optimized circuit libraries

Slide 21

Huge impact

(Charts: Performance and Scalability, from [HEKM11])

Secure computation is efficient (for moderately-sized circuits, and semi-honest security)

Huang et al., “Faster Secure Two-Party Computation Using Garbled Circuits,” USENIX Security 2011

Slide 22

Using generic secure 2PC

(Pipeline: Express f in high-level language → Express f in suitable representation → Protocol computing f)

Open questions along the pipeline:
- Compile-time optimizations? Expressiveness? Support for low-level optimizations? Type checking?
- Choice of representation: which representation? which protocol?
- Efficient implementation, protocol optimizations, better crypto primitives

Slide 23

Recent results

- Secure 2PC in the RAM model*
  - Represent f as a RAM program rather than as a boolean circuit
- Better compilers/programming languages for secure 2PC (in the RAM model)**
  - Allow programmers to code as usual
- Secure 2PC of native MIPS code***
  - Language-agnostic

* Gordon et al., ACM CCS 2012
** Liu et al., IEEE S&P 2014
*** Gordon et al., in submission

Slide 24

Why the RAM model?

- Efficiency
  - Running time for a RAM program can be much better than the circuit size (e.g., binary search)
- Sublinear-time computation for “big data”?
  - The circuit for any non-trivial function must have size at least linear in the input length
  - In fact, linear complexity is inherent for secure computation of any non-trivial function
  - This is not true for amortized complexity!

Slide 25

Why the RAM model?

- Better alignment with how programmers think about algorithms and write their code
  - What is the complexity of sorting?
  - Dynamic memory accesses (e.g., count[a[i]]++;)
  - General-purpose computation on a von Neumann architecture
  - Input-dependent running time

Slide 26

Key tool: ORAM

Allows oblivious access to stored data, with polylog overhead [GO96, …, S+11, S+13, …]

(Diagram: Client, holding the ORAM state; Server, holding the ORAM-encoded memory D)

Slide 27

Key tool: ORAM

(Diagram: Client issues “read, i1” and receives D[i1], then “read, i2” and receives D[i2]; writes also supported)

Security: accessed positions are independent of i1, i2, …

Slide 28

Secure 2PC of RAM programs?

Client (x), Server (D); the client holds the ORAM state, the server holds the ORAM-encoded D

  st = x
  d =
  while (1) {
    (inst, st) = Π(st, d)
    if inst == done, return d
    if inst == (read, i): d = D[i]
    if inst == (write, i): D[i] = d
  }

Slide 29

Problems?

- If the server initializes the ORAM itself, access patterns are no longer oblivious to the server!
- No security against the client!
  - Client learns st
  - Client learns the ORAM state
  - Client learns intermediate results of the ORAM computation

Slide 30

Conceptually…

Client (x) and Server (D) each hold a share of the ORAM state, [ORAM state], and a share of the program state, [st]; the loop is run by a “trusted 3rd party”

Slide 31

Conceptually…

Client (x) and Server (D), each holding [ORAM state] and [st], run the loop from slide 28 on shared values: [st] and [d] go into each step, [st] and [d’] come out, and the ORAM access is itself computed on shares. Repeat until inst = done, then reconstruct the final output.

Slide 32

A secure protocol!

Same picture as slide 31: Client (x) and Server (D) hold [ORAM state] and [st], run each step of the loop as a secure computation, and perform the ORAM access on [d’].

Slide 33

Have we gained anything?

- After the initialization, all circuits computed have small size, independent of |D|
- Amortized complexity:
  - Say the original computation requires T steps for memory of size S
  - The ORAM protocol needs O(T polylog S) lookups
  - O(T polylog S) secure-computation sub-protocols on small circuits of size polylog S
  - If T is sublinear, sublinear complexity overall!
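The loop on slide 28 and the sublinearity argument on slides 24 and 33 are concrete enough to run. The following is an added example, not code from the slides or from the Gordon et al. / Liu et al. papers: it implements the slide-28 loop with binary search as the step function Π, and drives it against a linear-scan stand-in for an ORAM that records the positions the server would see. Both parties run in one process (no secret sharing, no garbling), so the control flow is visible; TrivialORAM, run_ram_program, binary_search_step and contains are all names chosen for this example, and the sample memory in the usage is constructed.

```python
"""RAM-model secure 2PC, simulated locally: the slide-28 loop driving an oblivious memory."""


class TrivialORAM:
    """Stand-in for an ORAM. Every logical access touches every slot of D in a fixed order,
    so the physical positions the server observes are independent of the requested index i.
    Real ORAMs [GO96, S+11, S+13] give the same guarantee with polylog(|D|) overhead;
    this one costs |D| per access and exists only to make the access pattern visible."""

    def __init__(self, data):
        self.D = list(data)
        self.observed = []  # the server's view: physical slots touched, in order

    def access(self, op, i, value=None):
        result = None
        for pos in range(len(self.D)):  # full scan regardless of i
            self.observed.append(pos)
            cur = self.D[pos]
            if pos == i:
                result = cur
                if op == "write":
                    cur = value
            self.D[pos] = cur  # write back every slot: a dummy write for pos != i
        return result


def run_ram_program(step, x, oram):
    """The loop from slide 28. In the real protocol st, d and the ORAM state are secret-shared
    between client and server and each call to step is itself a small secure computation;
    here both roles run in one process so the control flow can be read directly."""
    st, d, steps = x, None, 0
    while True:
        inst, st = step(st, d)
        steps += 1
        if inst[0] == "done":
            return d, steps  # as on the slide, the output is d, the last value loaded
        if inst[0] == "read":
            d = oram.access("read", inst[1])
        elif inst[0] == "write":
            oram.access("write", inst[1], d)
        else:
            raise ValueError(f"unknown instruction {inst!r}")


def binary_search_step(st, d):
    """Pi for binary search over a sorted D. st = (lo, hi, target, mid), where mid is the
    index of the value just read, or None before the first read. Each call emits at most
    one memory instruction, so the circuit for one step is independent of |D|."""
    lo, hi, target, mid = st
    if mid is not None:  # consume d = D[mid] from the previous iteration
        if d == target:
            return ("done",), st
        if d < target:
            lo = mid + 1
        else:
            hi = mid - 1
    if lo > hi:
        return ("done",), (lo, hi, target, None)
    mid = (lo + hi) // 2
    return ("read", mid), (lo, hi, target, mid)


def contains(D, x):
    """Membership test in the RAM model. Returns (found, number of Pi steps, server's view).
    The step count is O(log |D|) whereas a circuit for the same function is at least linear
    in |D|; the server's view reveals only how many accesses were made, never which index."""
    oram = TrivialORAM(D)
    d, steps = run_ram_program(binary_search_step, (0, len(D) - 1, x, None), oram)
    return d == x, steps, oram.observed


if __name__ == "__main__":
    memory = list(range(0, 2048, 2))  # constructed sample memory: 1024 sorted even numbers
    found, steps, view = contains(memory, 10)
    print(found, steps, len(view))  # True, about log2(1024) + 1 steps, 1024 slots per step
```

What the simulation shows is the shape of the protocol, not its cost: with a real ORAM each access would touch polylog(|D|) slots instead of all of them, and T steps of the program would cost O(T polylog |D|) small secure computations. Two things are deliberately left as they are on the slides: the server still learns the number of iterations (input-dependent running time, which the later slide on instruction-oblivious programs addresses by padding), and the MIPS variant on slide 38 replaces the program-specific Π with a fixed CPU step that fetches its next instruction from the same ORAM.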

Slide 34

Performance results (512-bit entries)

(Chart; values not recoverable from the transcript)

Slide 35

Limitations

- Programmers still limited to using a fixed (toy?) language to express their programs
  - No support for legacy code
- Although programs can be made instruction oblivious, doing so increases the number of instructions executed
- Existing compilers for secure computation are not as good as gcc…

Slide 36

Secure 2PC of MIPS machine code

- Programmers can write code in a language of their choice (so long as it compiles to MIPS)
- Existing MIPS code supported “for free”
- Number of instructions securely executed is exactly* the number of instructions executed in the insecure version
- Can leverage optimizations already present in existing compilers

Slide 37

MIPS execution (high level)

(Diagram: a MIPS CPU with registers and a PC, alongside RAM holding the program and data)

Each cycle:
- Fetch next instruction
- Execute instruction
- Read or write to memory

Slide 38

Conceptually…

(Diagram: P1 with input x and P2 with input y each hold shares [regs] and [PC]; the MIPS CPU step is computed securely and outputs [regs’]; program and data memory are accessed through the ORAM)

Slide 39

Why are these questions important?

Slide 40

DoD

- IARPA: secure database search
  - Now being piloted by NCTC
- DARPA: fully homomorphic encryption (PROCEED); private search (BRANDEIS)
- Air Force: detecting potential satellite collisions

Slide 41

OFR (US Dept. of the Treasury)

- Looking at using secure computation and differential privacy for facilitating data sharing
  - Among regulators
  - Between firms
  - With researchers and the public
- Obtain the benefits of transparency, while complying with policy regulations and reducing concerns about confidentiality

Flood et al., “Cryptography and the Economics of Supervisory Information: Balancing Transparency and Confidentiality,” Financial Stability Conference 2013

Slide 42

Industry

- Partisia: Danish sugar-beet auction (2008-present); wireless-spectrum auctions
- Sharemind: statistical analysis of financial data
- Sepior, Dyadic: threshold AES decryption

Slide 43

Conclusions

- Tremendous advances in theory and practice of secure 2PC in past few years
- Real-world deployment is already here!
- Will continue to grow in importance and impact

Slide 44

Acknowledgments

Research supported by:
- NSF (“TC: Large: Collaborative Research: Practical Secure Computation: Techniques, Tools, and Applications”)
- DARPA (“Toward Practical Cryptographic Protocols for Secure Information Sharing”)
- ARL-ITA (“Secure Information Flow in Hybrid Coalition Networks”)

Papers and code available at http://www.cs.umd.edu/~jkatz/papers.html

Slide 45

Questions?