for Two-party Computation. Based on work with . Matthew Franklin. , . Vladimir . Kolesnikov. , Ben Riva, Mike . Rosulek. . Payman Mohassel. . Yahoo Labs. Secure Multiparty Computation. Parties learn only . ID: 742219
DownloadNote - The PPT/PDF document "Security/Efficiency Tradeoffs" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Presentations text content in Security/Efficiency Tradeoffs
Slide1
Security/Efficiency Tradeoffs for Two-party Computation
Based on work with Matthew Franklin, Vladimir Kolesnikov, Ben Riva, Mike Rosulek
Risk-aware cheatersEconomic/legal incentive to not get caughtCovert adversariesMPC with small leakageFull correctness, but one bit of leakageAs cheap as semi-honest security!
Revisit standard architectures
Server-Aided MPC, commodity-based MPC
Slide8
Leaky MPC (Outline)
2PC based on Garbled CircuitsLeaky 2PC via Dual-ExecutionReducing Leakage ProbabilityRestricting Leakage FunctionsSummary/Future Work
Slide9
Yao’s Garbled Circuits
First secure computation protocolUses fast symmetric-key primitivesImplementationsFairplay, 2004
TASTY, 2010
FastGarble
, 2011
SCAPI, 2013JustGarble, 2013
…Circuits with millions of gates in less than a second
Slide10
A Garbling Scheme
,
)
,
Eval
(
)
Garble(
Encode(
)
Slide11
Some Basic Properties
Privacy: Knowing
,
, and
does no leak any info
Output Authenticity
: Cannot compute another valid output
Slide12
Garble/Evaluate
AND
Garble
Evaluate
AND
Slide13
Semi-honest 2PC
Garbler
Evaluator
Oblivious Transfer
Slide14
Malicious 2PC
Cut-and-Choose
Open
Evaluate
Majority
Ensure all inputs are same
Slide15
Malicious 2PC
[
Lindell
2013]
Open
Evaluate
Cheating recovery
2PC
o
utput
if
circuits for
security
circuits for cheating recovery
But computation is smaller
p
roof of cheating
Slide16
Security Definition for 2PC
TTP
Real world
Ideal world
Slide17
Dual-Ex 2PC
[MF06, HKE12]
Yes/no
Yes/no
Leakage
prob. = 1
Bad circuit
Different inputs
Equality
Check
2PC
Slide18
1-leaked Model
TTP
Real world
1-leaked world
Slide19
Reducing Probability of Leakage
Slide20
-CovIDA Model [MR13]
cheat
TTP
With probability
(detected)
cheat,
TTP
With probability
(undetected)
Slide21
-CovIDA 2PC
Yes/no
Yes/no
Leakage
prob. = 1
Bad circuit
Different inputs
Equality
Check
2PC
Slide22
-CovIDA 2PC
[MR13]
Leakage prob.
Bad circuit
Different inputs
Slide23
-
CovIDA
2PC
(
existing solutions)
[MR13]
circuits in each direction + equality-check (Pre Lindell’13)
Same cut-and-choose for both parties (cannot use different values)Best alternative
Two malicious 2PCs with circuits (one in each direction)
Equality-check to compare the outputsTwo full cheating recovery 2PCs
circuits each + associated input-consistency checks
Noticeable for small/medium circuits
Slide24
-
CovIDA
2PC
(input-consistency via [SS’13])
All should be same
Slide25
-
CovIDA
2PC
(Cheating Recovery via PSI)
All the same for honest party
At least one correct output
with prob.
}
}
Malicious 2PC for
Private Set intersection
Slide26
-
CovIDA
2PC
(details)
Size of each set
Padded with dummy elements when needed
Size of intersection is
at most 1
Two-Stage PSI(1) parties commit to input sets(2) parties learn the set intersection
Slide27
-
CovIDA
2PC
(efficiency)
exponentiations for PSI
Constant are small for best malicious PSI
F
or AES circuit
35% reduction in bandwidth compared to alternative
Best latency for standard 2PC too!
Slide28
Restricting the Leakage Function
Slide29
Dual-Ex 2PC
Yes/no
Yes/no
Equality
Check
Slide30
What is the leakage function?
But to what extent is
adversary’s choice?
[HKE, S&P 2012]
“It
may be possible to
take advantage of
constraints in
the circuit design
to limit the possible partitioning
functions ….
although
we have
no yet found a principled way to provide
meaningful constraints
on the possible partitioning functions.”
Slide31
Property-Enforcing Garbling Schemes (PEGS)
What properties of can we enforce given
?
: topology, depth, input size, output size, …?
It may seem that an honest evaluator enforces topology through his evaluation
Slide32
,
)
,
Eval
(
)
Garble(
Encode(
)
Extract(
)
PEGS
Slide33
Extract(
)
Eval
(
)
PEGS
Slide34
Standard Garbling does NOT enforce topology
But is not far off!
Just need to control information bandwidth
Honest Garbler
Malicious
G
arbler
Enforcing Topology
Slide35
Computation Only Leaks
is a function of intermediate wires of
respects locality of inputs and intermediate wires
E.g.
i
f two inputs never touch in the circuit, they cannot both be inputs to
PEGS (topology) + gate-level Dual-Ex Computation Only Leakage
Conjunction of gate-local leakage functions
Slide36
SummaryLeaking one bit via dual-execution
Reducing probability of leakage via cut-and-choose & PSIRestricting leakage function via PEGsThe techniques are composable
Slide37
Future Work
PEGSDesign PEGS for different propertiesApplications go beyond leaky MPCLeaky MPC
-
CovIDA
2PC with less than
circuits
Rule out certain leakage functions
Limit leakage to certain complexity classesLow-depth circuits, etc.
Download this presentation
DownloadNote - The PPT/PDF document "Security/Efficiency Tradeoffs" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Presentations text content in Security/Efficiency Tradeoffs
Security/Efficiency Tradeoffs for Two-party Computation
Based on work with Matthew Franklin, Vladimir Kolesnikov, Ben Riva, Mike Rosulek
Payman Mohassel
Yahoo Labs
Slide2Secure Multiparty Computation
Parties learn only f(x1,…,xn
)
P
1
, x
1
P
2
, x
2
P
5
, x
5
P
4
, x
4
P3, x3
Correctness:
honest parties learns
the correct output
Privacy:
Nothing but the
final output is leaked
Fairness, Output Delivery, …
Slide3Location-Based Services
Serving information/servicesstores, restaurants, ATMs, … tourist guides, Ads, …Location-based access
control
Privacy-Preserving Proximity Testing
3
Slide4Remote Diagnosis
Error reporting systems
Medical
Diagnosis program
IDS/IPS rule sets
DNA patterns
G
T
A
T
.
.
.
Log files
List of symptoms
Packets
DNA database
Slide5More Applications
Data miningElectronic VotingAuctionsExchanges/financial analysisLocation privacyGenomic computationElectronic commerceHealthcare
When there is
IP
,
NDA, user consent involved
When you need to distribute trust
Dyadic Security
Slide6Towards MPC in Practice
Optimizing/enhancing constructionsDesign and implementationGarbling, OT extension, parallelization, pipelining, hardware, batch execution, offline/online, RAM programs, …
Custom protocols
Customize for important functions
Set operations, pattern matching, genomic computation, linear algebra, …
Relaxing models and security guarantees
Commodity-based, covert, server-aided, leaky MPC, …
Slide7Security/Model Relaxations
Risk-aware cheatersEconomic/legal incentive to not get caughtCovert adversariesMPC with small leakageFull correctness, but one bit of leakageAs cheap as semi-honest security!
Revisit standard architectures
Server-Aided MPC, commodity-based MPC
Slide8Leaky MPC (Outline)
2PC based on Garbled CircuitsLeaky 2PC via Dual-ExecutionReducing Leakage ProbabilityRestricting Leakage FunctionsSummary/Future Work
Slide9Yao’s Garbled Circuits
First secure computation protocolUses fast symmetric-key primitivesImplementationsFairplay, 2004
TASTY, 2010
FastGarble
, 2011
SCAPI, 2013JustGarble, 2013
…Circuits with millions of gates in less than a second
Slide10A Garbling Scheme
,
)
,
Eval
(
)
Garble(
Encode(
)
Slide11Some Basic Properties
Privacy: Knowing
,
, and
does no leak any info
Output Authenticity
: Cannot compute another valid output
Slide12Garble/Evaluate
AND
Garble
Evaluate
AND
Slide13Semi-honest 2PC
Garbler
Evaluator
Oblivious Transfer
Slide14Malicious 2PC
Cut-and-Choose
Open
Evaluate
Majority
Ensure all inputs are same
Slide15Malicious 2PC
[
Lindell
2013]
Open
Evaluate
Cheating recovery
2PC
o
utput
if
circuits for
security
circuits for cheating recovery
But computation is smaller
p
roof of cheating
Slide16Security Definition for 2PC
TTP
Real world
Ideal world
Slide17Dual-Ex 2PC
[MF06, HKE12]
Yes/no
Yes/no
Leakage
prob. = 1
Bad circuit
Different inputs
Equality
Check
2PC
Slide181-leaked Model
TTP
Real world
1-leaked world
Slide19Reducing Probability of Leakage
Slide20-CovIDA Model [MR13]
cheat
TTP
With probability
(detected)
cheat,
TTP
With probability
(undetected)
Slide21-CovIDA 2PC
Yes/no
Yes/no
Leakage
prob. = 1
Bad circuit
Different inputs
Equality
Check
2PC
Slide22-CovIDA 2PC
[MR13]
Leakage prob.
Bad circuit
Different inputs
Slide23-
CovIDA
2PC
(
existing solutions)
[MR13]
circuits in each direction + equality-check (Pre Lindell’13)
Same cut-and-choose for both parties (cannot use different values)Best alternative
Two malicious 2PCs with circuits (one in each direction)
Equality-check to compare the outputsTwo full cheating recovery 2PCs
circuits each + associated input-consistency checks
Noticeable for small/medium circuits
Slide24-
CovIDA
2PC
(input-consistency via [SS’13])
All should be same
Slide25-
CovIDA
2PC
(Cheating Recovery via PSI)
All the same for honest party
At least one correct output
with prob.
}
}
Malicious 2PC for
Private Set intersection
Slide26-
CovIDA
2PC
(details)
Size of each set
Padded with dummy elements when needed
Size of intersection is
at most 1
Two-Stage PSI(1) parties commit to input sets(2) parties learn the set intersection
Slide27-
CovIDA
2PC
(efficiency)
exponentiations for PSI
Constant are small for best malicious PSI
F
or AES circuit
35% reduction in bandwidth compared to alternative
Best latency for standard 2PC too!
Slide28Restricting the Leakage Function
Slide29Dual-Ex 2PC
Yes/no
Yes/no
Equality
Check
Slide30What is the leakage function?
But to what extent is
adversary’s choice?
[HKE, S&P 2012]
“It
may be possible to
take advantage of
constraints in
the circuit design
to limit the possible partitioning
functions ….
although
we have
no yet found a principled way to provide
meaningful constraints
on the possible partitioning functions.”
Slide31Property-Enforcing Garbling Schemes (PEGS)
What properties of can we enforce given
?
: topology, depth, input size, output size, …?
It may seem that an honest evaluator enforces topology through his evaluation
Slide32,
)
,
Eval
(
)
Garble(
Encode(
)
Extract(
)
PEGS
Slide33Extract(
)
Eval
(
)
PEGS
Slide34Standard Garbling does NOT enforce topology
But is not far off!
Just need to control information bandwidth
Honest Garbler
Malicious
G
arbler
Enforcing Topology
Slide35Computation Only Leaks
is a function of intermediate wires of
respects locality of inputs and intermediate wires
E.g.
i
f two inputs never touch in the circuit, they cannot both be inputs to
PEGS (topology) + gate-level Dual-Ex Computation Only Leakage
Conjunction of gate-local leakage functions
Slide36SummaryLeaking one bit via dual-execution
Reducing probability of leakage via cut-and-choose & PSIRestricting leakage function via PEGsThe techniques are composable
Slide37Future Work
PEGSDesign PEGS for different propertiesApplications go beyond leaky MPCLeaky MPC
-
CovIDA
2PC with less than
circuits
Rule out certain leakage functions
Limit leakage to certain complexity classesLow-depth circuits, etc.
Slide38Questions?