Security/Efficiency Tradeoffs PowerPoint Presentation, PPT - DocSlides

Security/Efficiency Tradeoffs PowerPoint Presentation, PPT - DocSlides

2018-12-16 5K 5 0 0

Description

for Two-party Computation. Based on work with . Matthew Franklin. , . Vladimir . Kolesnikov. , Ben Riva, Mike . Rosulek. . Payman Mohassel. . Yahoo Labs. Secure Multiparty Computation. Parties learn only . ID: 742219

Embed code:

Download this presentation



DownloadNote - The PPT/PDF document "Security/Efficiency Tradeoffs" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.

Presentations text content in Security/Efficiency Tradeoffs

Slide1

Security/Efficiency Tradeoffs for Two-party Computation

Based on work with Matthew Franklin, Vladimir Kolesnikov, Ben Riva, Mike Rosulek

Payman Mohassel

Yahoo Labs

Slide2

Secure Multiparty Computation

Parties learn only f(x1,…,xn

)

P

1

, x

1

P

2

, x

2

P

5

, x

5

P

4

, x

4

P3, x3

Correctness:

honest parties learns

the correct output

Privacy:

Nothing but the

final output is leaked

Fairness, Output Delivery, …

Slide3

Location-Based Services

Serving information/servicesstores, restaurants, ATMs, … tourist guides, Ads, …Location-based access

control

Privacy-Preserving Proximity Testing

3

Slide4

Remote Diagnosis

Error reporting systems

Medical

Diagnosis program

IDS/IPS rule sets

DNA patterns

G

T

A

T

.

.

.

Log files

List of symptoms

Packets

DNA database

Slide5

More Applications

Data miningElectronic VotingAuctionsExchanges/financial analysisLocation privacyGenomic computationElectronic commerceHealthcare

When there is

IP

,

NDA, user consent involved

When you need to distribute trust

Dyadic Security

Slide6

Towards MPC in Practice

Optimizing/enhancing constructionsDesign and implementationGarbling, OT extension, parallelization, pipelining, hardware, batch execution, offline/online, RAM programs, …

Custom protocols

Customize for important functions

Set operations, pattern matching, genomic computation, linear algebra, …

Relaxing models and security guarantees

Commodity-based, covert, server-aided, leaky MPC, …

Slide7

Security/Model Relaxations

Risk-aware cheatersEconomic/legal incentive to not get caughtCovert adversariesMPC with small leakageFull correctness, but one bit of leakageAs cheap as semi-honest security!

Revisit standard architectures

Server-Aided MPC, commodity-based MPC

Slide8

Leaky MPC (Outline)

2PC based on Garbled CircuitsLeaky 2PC via Dual-ExecutionReducing Leakage ProbabilityRestricting Leakage FunctionsSummary/Future Work

Slide9

Yao’s Garbled Circuits

First secure computation protocolUses fast symmetric-key primitivesImplementationsFairplay, 2004

TASTY, 2010

FastGarble

, 2011

SCAPI, 2013JustGarble, 2013

…Circuits with millions of gates in less than a second

Slide10

A Garbling Scheme

 

,

)

 

,

 

 

 

 

Eval

(

)

 

 

 

 

 

Garble(

 

 

 

 

Encode(

)

Slide11

Some Basic Properties

Privacy: Knowing

,

, and

does no leak any info

Output Authenticity

: Cannot compute another valid output

 

 

 

 

 

 

 

 

 

 

 

 

 

Slide12

Garble/Evaluate

AND

 

 

 

 

 

 

 

Garble

Evaluate

 

AND

 

 

 

Slide13

 

Semi-honest 2PC

Garbler

 

Evaluator

 

 

 

 

Oblivious Transfer

 

 

 

 

Slide14

 

Malicious 2PC

Cut-and-Choose

 

 

 

 

 

Open

Evaluate

 

 

 

 

 

 

 

 

 

Majority

 

 

 

 

 

 

Ensure all inputs are same

 

 

Slide15

 

Malicious 2PC

[

Lindell

2013]

 

 

 

 

 

Open

Evaluate

 

 

 

 

 

 

 

 

Cheating recovery

 

 

 

 

 

 

2PC

 

 

 

 

o

utput

if

 

circuits for

security

circuits for cheating recovery

But computation is smaller

 

p

roof of cheating

Slide16

Security Definition for 2PC

 

 

 

 

 

 

 

TTP

 

 

 

Real world

Ideal world

Slide17

 

Dual-Ex 2PC

[MF06, HKE12]

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Yes/no

Yes/no

Leakage

prob. = 1

Bad circuit

Different inputs

 

Equality

Check

2PC

Slide18

1-leaked Model

 

 

 

 

 

 

 

TTP

 

 

 

Real world

1-leaked world

 

 

 

 

Slide19

Reducing Probability of Leakage

Slide20

-CovIDA Model [MR13]

 

 

 

 

cheat

 

 

 

TTP

With probability

(detected)

 

 

 

 

 

cheat,

 

 

TTP

With probability

(undetected)

 

 

 

 

Slide21

-CovIDA 2PC

 

 

 

 

 

 

 

 

 

Yes/no

Yes/no

Leakage

prob. = 1

Bad circuit

Different inputs

Equality

Check

2PC

Slide22

-CovIDA 2PC

[MR13]

 

 

 

 

 

 

 

 

 

Leakage prob.

Bad circuit

Different inputs

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Slide23

-

CovIDA

2PC

(

existing solutions)

 

[MR13]

circuits in each direction + equality-check (Pre Lindell’13)

Same cut-and-choose for both parties (cannot use different values)Best alternative

Two malicious 2PCs with circuits (one in each direction)

Equality-check to compare the outputsTwo full cheating recovery 2PCs

circuits each + associated input-consistency checks

Noticeable for small/medium circuits

 

Slide24

-

CovIDA

2PC

(input-consistency via [SS’13])

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

All should be same

Slide25

-

CovIDA

2PC

(Cheating Recovery via PSI)

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

All the same for honest party

At least one correct output

with prob.

 

}

 

}

 

Malicious 2PC for

Private Set intersection

Slide26

-

CovIDA

2PC

(details)

 

Size of each set

Padded with dummy elements when needed

Size of intersection is

at most 1

Two-Stage PSI(1) parties commit to input sets(2) parties learn the set intersection

 

Slide27

-

CovIDA

2PC

(efficiency)

 

exponentiations for PSI

Constant are small for best malicious PSI

F

or AES circuit

35% reduction in bandwidth compared to alternative

Best latency for standard 2PC too!

 

Slide28

Restricting the Leakage Function

Slide29

 

Dual-Ex 2PC

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Yes/no

Yes/no

 

Equality

Check

Slide30

What is the leakage function?

But to what extent is

adversary’s choice?

[HKE, S&P 2012]

“It

may be possible to

take advantage of

constraints in

the circuit design

to limit the possible partitioning

functions ….

although

we have

no yet found a principled way to provide

meaningful constraints

on the possible partitioning functions.”

 

Slide31

Property-Enforcing Garbling Schemes (PEGS)

What properties of can we enforce given

?

: topology, depth, input size, output size, …?

It may seem that an honest evaluator enforces topology through his evaluation

 

Slide32

 

,

)

 

,

 

 

 

 

Eval

(

)

 

 

 

 

 

Garble(

 

 

 

 

Encode(

)

Extract(

 

 

)

 

 

PEGS

 

Slide33

 

Extract(

 

 

)

 

 

 

 

 

Eval

(

)

 

 

 

 

 

PEGS

Slide34

Standard Garbling does NOT enforce topology

But is not far off!

Just need to control information bandwidth

 

 

 

 

Honest Garbler

 

 

 

 

Malicious

G

arbler

Enforcing Topology

 

 

Slide35

Computation Only Leaks

is a function of intermediate wires of

respects locality of inputs and intermediate wires

E.g.

i

f two inputs never touch in the circuit, they cannot both be inputs to

PEGS (topology) + gate-level Dual-Ex  Computation Only Leakage

Conjunction of gate-local leakage functions

 

Slide36

SummaryLeaking one bit via dual-execution

Reducing probability of leakage via cut-and-choose & PSIRestricting leakage function via PEGsThe techniques are composable

Slide37

Future Work

PEGSDesign PEGS for different propertiesApplications go beyond leaky MPCLeaky MPC

-

CovIDA

2PC with less than

circuits

Rule out certain leakage functions

Limit leakage to certain complexity classesLow-depth circuits, etc.

 

Slide38

Questions?


About DocSlides
DocSlides allows users to easily upload and share presentations, PDF documents, and images.Share your documents with the world , watch,share and upload any time you want. How can you benefit from using DocSlides? DocSlides consists documents from individuals and organizations on topics ranging from technology and business to travel, health, and education. Find and search for what interests you, and learn from people and more. You can also download DocSlides to read or reference later.