Security/Efficiency Tradeoffs for Two-party Computation
Based on work with Matthew Franklin, Vladimir Kolesnikov, Ben Riva, Mike Rosulek
Payman Mohassel
Yahoo Labs
Slide 2: Secure Multiparty Computation
Parties learn only f(x1,…,xn)
[Diagram: parties P1, P2, P3, P4, P5 holding inputs x1, x2, x3, x4, x5]
Correctness: honest parties learn the correct output
Privacy: nothing but the final output is leaked
Fairness, Output Delivery, …
Slide 3: Location-Based Services
Serving information/services
stores, restaurants, ATMs, …
tourist guides, Ads, …
Location-based access control
Privacy-Preserving Proximity Testing
Slide 4: Remote Diagnosis
Error reporting systems
Medical
Diagnosis program
IDS/IPS rule sets
DNA patterns (G T A T ...)
Log files
List of symptoms
Packets
DNA database
Slide 5: More Applications
Data mining
Electronic Voting
Auctions
Exchanges/financial analysis
Location privacy
Genomic computation
Electronic commerce
Healthcare
When there is IP, NDA, user consent involved
When you need to distribute trust
Dyadic Security
Slide 6: Towards MPC in Practice
Optimizing/enhancing constructions
Design and implementation
Garbling, OT extension, parallelization, pipelining, hardware, batch execution, offline/online, RAM programs, …
Custom protocols
Customize for important functions
Set operations, pattern matching, genomic computation, linear algebra, …
Relaxing models and security guarantees
Commodity-based, covert, server-aided, leaky MPC, …
Slide 7: Security/Model Relaxations
Risk-aware cheaters
Economic/legal incentive to not get caught
Covert adversaries
MPC with small leakage
Full correctness, but one bit of leakage
As cheap as semi-honest security!
Revisit standard architectures
Server-Aided MPC, commodity-based MPC
Slide 8: Leaky MPC (Outline)
2PC based on Garbled Circuits
Leaky 2PC via Dual-Execution
Reducing Leakage Probability
Restricting Leakage Functions
Summary/Future Work
Slide 9: Yao’s Garbled Circuits
First secure computation protocol
Uses fast symmetric-key primitives
Implementations
Fairplay, 2004
TASTY, 2010
FastGarble, 2011
SCAPI, 2013
JustGarble, 2013
…
Circuits with millions of gates in less than a second
Slide 10: A Garbling Scheme
[Diagram: the Garble, Encode and Eval algorithms of a garbling scheme]
Slide 11: Some Basic Properties
Privacy: Knowing , , and does not leak any info
Output Authenticity: Cannot compute another valid output
Slide 12: Garble/Evaluate
[Diagram: garbling and evaluating an AND gate]
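The Garble / Encode / Eval interface from the slides above, applied to a single AND gate, as an added example that is not from the original slides. The SHA-256 pad, the zero-byte tag and the names `garble_and`, `encode`, `evaluate`, `decode` and `run_gate` are assumptions chosen for illustration, not a vetted garbling scheme.

```python
import hashlib
import secrets

LABEL = 16                 # wire-label length in bytes
TAG = bytes(LABEL)         # zero padding that marks a correct row decryption

def _pad(ka: bytes, kb: bytes) -> bytes:
    """Derive a 32-byte one-time pad from two input labels (toy KDF)."""
    return hashlib.sha256(ka + kb).digest()

def _xor(x: bytes, y: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(x, y))

def garble_and():
    """Garble one AND gate. Returns (table, encoding info, decoding info)."""
    # Two random labels (for bit 0 and bit 1) on each of the three wires.
    wa, wb, wc = ([secrets.token_bytes(LABEL) for _ in range(2)]
                  for _ in range(3))
    # Each row encrypts the output label for a AND b under the input labels.
    table = [_xor(_pad(wa[a], wb[b]), wc[a & b] + TAG)
             for a in (0, 1) for b in (0, 1)]
    secrets.SystemRandom().shuffle(table)   # hide which row is which
    return table, (wa, wb), {wc[0]: 0, wc[1]: 1}

def encode(enc, a: int, b: int):
    """Map plaintext bits to the two labels the evaluator receives."""
    return enc[0][a], enc[1][b]

def evaluate(table, labels) -> bytes:
    """Evaluator: only the row matching the held labels yields label || TAG."""
    pad = _pad(*labels)
    for row in table:
        plain = _xor(pad, row)
        if plain[LABEL:] == TAG:
            return plain[:LABEL]
    raise ValueError("no row decrypted: wrong labels or malformed table")

def decode(dec, out_label: bytes):
    """Return the output bit, or None if the label was never issued
    (output authenticity: a forged label is rejected)."""
    return dec.get(out_label)

def run_gate(a: int, b: int) -> int:
    """Garble, encode, evaluate and decode one AND gate end to end."""
    table, enc, dec = garble_and()
    return decode(dec, evaluate(table, encode(enc, a, b)))
```

The evaluator sees the same output label for inputs (0,1) and (1,0), so the label alone does not reveal which inputs produced it.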
Slide 13: Semi-honest 2PC
[Diagram: Garbler, Evaluator, Oblivious Transfer]
Slide 14: Malicious 2PC
Cut-and-Choose
Open
Evaluate
Majority
Ensure all inputs are same
Slide 15: Malicious 2PC [Lindell 2013]
Open
Evaluate
Cheating recovery 2PC
output if
circuits for security
circuits for cheating recovery
But computation is smaller
proof of cheating
Slide 16: Security Definition for 2PC
TTP
Real world
Ideal world
Slide 17: DualEx 2PC [MF06, HKE12]
[Diagram: 2PC and Equality Check, with Yes/no shown on both sides]
Leakage prob. = 1
Bad circuit
Different inputs
Slide 18: 1-leaked Model
TTP
Real world
1-leaked world
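A functionality-level model of the dual execution on Slide 17 and the 1-leaked world above, as an added example that is not from the original slides: whatever circuit or second input a cheating garbler uses, her view is the output plus one yes/no bit, and the honest party never accepts a wrong output. The comparison function `f`, the constructed `bad_circuit` and all names are assumptions; garbling and oblivious transfer are abstracted away.

```python
from typing import Callable, Optional, Tuple

Circuit = Callable[[int, int], int]

def f(x: int, y: int) -> int:
    """Agreed function (assumed for this example): 1 if x > y else 0."""
    return int(x > y)

def dual_ex(circuit_a: Circuit, x_garble: int, x_eval: int,
            y: int) -> Tuple[int, bool, Optional[int]]:
    """One dual execution against an honest Bob holding y.

    circuit_a: the circuit Alice garbles (f if she is honest)
    x_garble:  Alice's input to her own garbled circuit
    x_eval:    Alice's input when she evaluates Bob's circuit
    Returns (Alice's evaluation result, equality bit, Bob's output or None).
    """
    bob_result = circuit_a(x_garble, y)   # Bob evaluates Alice's circuit
    alice_result = f(x_eval, y)           # Alice evaluates Bob's honest circuit
    equal = bob_result == alice_result    # equality check reveals only yes/no
    # Bob accepts his result only if the check passes, otherwise he aborts.
    return alice_result, equal, (bob_result if equal else None)

def one_leaked_world(x: int, y: int, leak: Callable[[int, int], int]):
    """1-leaked world: the TTP returns f(x, y) and one adversary-chosen bit."""
    return f(x, y), bool(leak(x, y))

def bad_circuit(x: int, y: int) -> int:
    """Constructed 'bad circuit': flips the output whenever y is odd."""
    return f(x, y) ^ (y & 1)

def alice_view(circuit_a: Circuit, x_garble: int, x_eval: int, y: int):
    """What a cheating Alice learns from one run: output and equality bit."""
    return dual_ex(circuit_a, x_garble, x_eval, y)[:2]
```

With `bad_circuit` the equality bit equals the parity of Bob's input, which is exactly a `leak` predicate handed to `one_leaked_world`; with two different inputs the bit is whether `f` agrees on both.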
Slide 19: Reducing Probability of Leakage
Slide 20: CovIDA Model [MR13]
cheat
TTP
With probability
(detected)
cheat,
TTP
With probability
(undetected)
Slide 21: CovIDA 2PC
[Diagram: 2PC and Equality Check, with Yes/no shown on both sides]
Leakage prob. = 1
Bad circuit
Different inputs
Slide 22: CovIDA 2PC [MR13]
Leakage prob.
Bad circuit
Different inputs
Slide 23: CovIDA 2PC (existing solutions) [MR13]
circuits in each direction + equality-check (Pre Lindell’13)
Same cut-and-choose for both parties (cannot use different values)
Best alternative
Two malicious 2PCs with circuits (one in each direction)
Equality-check to compare the outputs
Two full cheating recovery 2PCs
circuits each + associated input-consistency checks
Noticeable for small/medium circuits
Slide 24: CovIDA 2PC (input-consistency via [SS’13])
All should be same
Slide 25: CovIDA 2PC (Cheating Recovery via PSI)
All the same for honest party
At least one correct output with prob.
Malicious 2PC for Private Set intersection
Slide 26: CovIDA 2PC (details)
Size of each set
Padded with dummy elements when needed
Size of intersection is at most 1
Two-Stage PSI
(1) parties commit to input sets
(2) parties learn the set intersection
Slide 27: CovIDA 2PC (efficiency)
exponentiations for PSI
Constants are small for best malicious PSI
For AES circuit
35% reduction in bandwidth compared to alternative
Best latency for standard 2PC too!
Slide 28: Restricting the Leakage Function
Slide 29: DualEx 2PC
[Diagram: Equality Check, with Yes/no shown on both sides]
Slide 30: What is the leakage function?
But to what extent is adversary’s choice?
[HKE, S&P 2012]
“It may be possible to take advantage of constraints in the circuit design to limit the possible partitioning functions …. although we have not yet found a principled way to provide meaningful constraints on the possible partitioning functions.”
Slide 31: Property-Enforcing Garbling Schemes (PEGS)
What properties of can we enforce given ?
: topology, depth, input size, output size, …?
It may seem that an honest evaluator enforces topology through his evaluation
Slide 32: PEGS
[Diagram: Garble, Encode, Eval, Extract]
Slide 33: PEGS
[Diagram: Extract, Eval]
Slide 34: Enforcing Topology
Standard Garbling does NOT enforce topology
But is not far off!
Just need to control information bandwidth
Honest Garbler
Malicious Garbler
Slide 35: Computation Only Leaks
is a function of intermediate wires of
respects locality of inputs and intermediate wires
E.g. if two inputs never touch in the circuit, they cannot both be inputs to
PEGS (topology) + gate-level DualEx Computation Only Leakage
Conjunction of gate-local leakage functions
Slide 36: Summary
Leaking one bit via dual-execution
Reducing probability of leakage via cut-and-choose & PSI
Restricting leakage function via PEGS
The techniques are composable
Slide 37: Future Work
PEGS
Design PEGS for different properties
Applications go beyond leaky MPC
Leaky MPC
CovIDA 2PC with less than circuits
Rule out certain leakage functions
Limit leakage to certain complexity classes
Low-depth circuits, etc.
Slide 38: Questions?