Security/Efficiency Tradeoffs PowerPoint Presentation, PPT - DocSlides

Security/Efficiency Tradeoffs for Two-party Computation

Based on work with Matthew Franklin, Vladimir Kolesnikov, Ben Riva, Mike Rosulek

Payman Mohassel

Yahoo Labs

Secure Multiparty Computation

Parties learn only f(x1,…,xn

)

P

1

, x

1

P

2

, x

2

P

5

, x

5

P

4

, x

4

P3, x3

Correctness:

honest parties learns

the correct output

Privacy:

Nothing but the

final output is leaked

Fairness, Output Delivery, …

Location-Based Services

Serving information/servicesstores, restaurants, ATMs, … tourist guides, Ads, …Location-based access

control

Privacy-Preserving Proximity Testing

3

Remote Diagnosis

Error reporting systems

Medical

Diagnosis program

IDS/IPS rule sets

DNA patterns

G

T

A

T

.

.

.

Log files

List of symptoms

Packets

DNA database

More Applications

Data miningElectronic VotingAuctionsExchanges/financial analysisLocation privacyGenomic computationElectronic commerceHealthcare

When there is

IP

,

NDA, user consent involved

When you need to distribute trust

Dyadic Security

Towards MPC in Practice

Optimizing/enhancing constructionsDesign and implementationGarbling, OT extension, parallelization, pipelining, hardware, batch execution, offline/online, RAM programs, …

Custom protocols

Customize for important functions

Set operations, pattern matching, genomic computation, linear algebra, …

Relaxing models and security guarantees

Commodity-based, covert, server-aided, leaky MPC, …

Security/Model Relaxations

Risk-aware cheatersEconomic/legal incentive to not get caughtCovert adversariesMPC with small leakageFull correctness, but one bit of leakageAs cheap as semi-honest security!

Revisit standard architectures

Server-Aided MPC, commodity-based MPC

Leaky MPC (Outline)

2PC based on Garbled CircuitsLeaky 2PC via Dual-ExecutionReducing Leakage ProbabilityRestricting Leakage FunctionsSummary/Future Work

Yao’s Garbled Circuits

First secure computation protocolUses fast symmetric-key primitivesImplementationsFairplay, 2004

TASTY, 2010

FastGarble

, 2011

SCAPI, 2013JustGarble, 2013

…Circuits with millions of gates in less than a second

A Garbling Scheme

,

)

,

Eval

(

)

Garble(

Encode(

)

Some Basic Properties

Privacy: Knowing

,

, and

does no leak any info

Output Authenticity

: Cannot compute another valid output

Garble/Evaluate

AND

Garble

Evaluate

AND

Semi-honest 2PC

Garbler

Evaluator

Oblivious Transfer

Malicious 2PC

Cut-and-Choose

Open

Evaluate

Majority

Ensure all inputs are same

Malicious 2PC

[

Lindell

2013]

Open

Evaluate

Cheating recovery

2PC

o

utput

if

circuits for

security

circuits for cheating recovery

But computation is smaller

p

roof of cheating

Security Definition for 2PC

TTP

Real world

Ideal world

Dual-Ex 2PC

[MF06, HKE12]

Yes/no

Yes/no

Leakage

prob. = 1

Bad circuit

Different inputs

Equality

Check

2PC

1-leaked Model

TTP

Real world

1-leaked world

Reducing Probability of Leakage

-CovIDA Model [MR13]

cheat

TTP

With probability

(detected)

cheat,

TTP

With probability

(undetected)

-CovIDA 2PC

Yes/no

Yes/no

Leakage

prob. = 1

Bad circuit

Different inputs

Equality

Check

2PC

-CovIDA 2PC

[MR13]

Leakage prob.

Bad circuit

Different inputs

-

CovIDA

2PC

(

existing solutions)

[MR13]

circuits in each direction + equality-check (Pre Lindell’13)

Same cut-and-choose for both parties (cannot use different values)Best alternative

Two malicious 2PCs with circuits (one in each direction)

Equality-check to compare the outputsTwo full cheating recovery 2PCs

circuits each + associated input-consistency checks

Noticeable for small/medium circuits

-

CovIDA

2PC

(input-consistency via [SS’13])

All should be same

-

CovIDA

2PC

(Cheating Recovery via PSI)

All the same for honest party

At least one correct output

with prob.

}

}

Malicious 2PC for

Private Set intersection

-

CovIDA

2PC

(details)

Size of each set

Padded with dummy elements when needed

Size of intersection is

at most 1

Two-Stage PSI(1) parties commit to input sets(2) parties learn the set intersection

-

CovIDA

2PC

(efficiency)

exponentiations for PSI

Constant are small for best malicious PSI

F

or AES circuit

35% reduction in bandwidth compared to alternative

Best latency for standard 2PC too!

Restricting the Leakage Function

Dual-Ex 2PC

Yes/no

Yes/no

Equality

Check

What is the leakage function?

But to what extent is

adversary’s choice?

[HKE, S&P 2012]

“It

may be possible to

take advantage of

constraints in

the circuit design

to limit the possible partitioning

functions ….

although

we have

no yet found a principled way to provide

meaningful constraints

on the possible partitioning functions.”

Property-Enforcing Garbling Schemes (PEGS)

What properties of can we enforce given

?

: topology, depth, input size, output size, …?

It may seem that an honest evaluator enforces topology through his evaluation

,

)

,

Eval

(

)

Garble(

Encode(

)

Extract(

)

PEGS

Extract(

)

Eval

(

)

PEGS

Standard Garbling does NOT enforce topology

But is not far off!

Just need to control information bandwidth

Honest Garbler

Malicious

G

arbler

Enforcing Topology

Computation Only Leaks

is a function of intermediate wires of

respects locality of inputs and intermediate wires

E.g.

i

f two inputs never touch in the circuit, they cannot both be inputs to

PEGS (topology) + gate-level Dual-Ex  Computation Only Leakage

Conjunction of gate-local leakage functions

SummaryLeaking one bit via dual-execution

Reducing probability of leakage via cut-and-choose & PSIRestricting leakage function via PEGsThe techniques are composable

Future Work

PEGSDesign PEGS for different propertiesApplications go beyond leaky MPCLeaky MPC

-

CovIDA

2PC with less than

circuits

Rule out certain leakage functions

Limit leakage to certain complexity classesLow-depth circuits, etc.

Questions?