Slide1
Dual Execution Protocols
(for when semi-honest is only semi-good-enough)
David Evans
University of Virginia
http://www.cs.virginia.edu/evans
http://www.MightBeEvil.com
DHOSA MURI Review
UVa Falls Church
8 December 2011
Slide2
[Diagram labels: transformation; hardware; system architectures; SVA; binary translation and emulation; formal methods; hardware support for isolation; dealing with malicious hardware; cryptographic secure computation; data-centric security; secure browser appliance; secure servers; web-based architectures]
e.g., Enforce properties on a malicious OS
e.g., Prevent data exfiltration
e.g., Enable complex distributed systems, with resilience to hostile OS’s
Slide3
[Diagram repeated from Slide2, with a name added:]
Tianhao Tong
Slide4
[Diagram repeated from Slide2, with names added:]
Yikan Chen
Peter Chapman
CRA Outstanding Undergraduate Researcher Award 2012 Runner-Up
Yan Huang
Jiamin Chen
CRA Outstanding Undergraduate Researcher 2012 Honorable Mention
Slide5
Secure Two-Party Computation
Alice
Alice’s Genome: ACTG…
Markers (~1000): [0, 0, …, 1]
Bob
Bob’s Genome: ACTG…
Markers (~1000): [0,1, …, 0]
Can Alice and Bob compute a function of their private data, without exposing anything about their data besides the result?
Slide6
Secure Function Evaluation
Alice (circuit generator)
Bob (circuit evaluator)
Garbled Circuit Protocol
Andrew Yao, 1982/1986
Slide7
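Our Approach: Faster Garbled Circuits
[Diagram labels: Circuit-Level Application; GC Framework (Generator); GC Framework (Evaluator); Circuit Structure (on each side). Garbled table entries shown, in groups of three:]
$\mathrm{Enc}_{x_0^0,\,x_1^1}(x_2^1)$, $\mathrm{Enc}_{x_0^1,\,x_1^1}(x_2^1)$, $\mathrm{Enc}_{x_0^1,\,x_1^0}(x_2^1)$
$\mathrm{Enc}_{x_2^0,\,x_2^1}(x_3^0)$, $\mathrm{Enc}_{x_2^1,\,x_2^1}(x_3^0)$, $\mathrm{Enc}_{x_2^1,\,x_2^0}(x_3^1)$
$\mathrm{Enc}_{x_2^0,\,x_3^1}(x_4^1)$, $\mathrm{Enc}_{x_2^1,\,x_3^1}(x_4^1)$, $\mathrm{Enc}_{x_2^1,\,x_3^0}(x_4^0)$
$\mathrm{Enc}_{x_4^0,\,x_3^1}(x_5^1)$, $\mathrm{Enc}_{x_4^1,\,x_3^1}(x_5^0)$, $\mathrm{Enc}_{x_4^1,\,x_3^0}(x_5^0)$
$\mathrm{Enc}_{x_4^0,\,x_5^1}(x_6^1)$, $\mathrm{Enc}_{x_4^1,\,x_5^1}(x_6^0)$, $\mathrm{Enc}_{x_4^1,\,x_5^0}(x_6^0)$
$\mathrm{Enc}_{x_3^0,\,x_6^1}(x_7^1)$, $\mathrm{Enc}_{x_3^1,\,x_6^1}(x_7^0)$, $\mathrm{Enc}_{x_3^1,\,x_6^0}(x_7^1)$
Pipelining: gates evaluated as they are generated
Garbled evaluation can be combined with normal execution
Circuit-level optimizations
Slide8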
Results for Semi-honest Protocols
Performance (chart: non-free gates per millisecond)
Scalability (chart: largest circuit executed, non-free gates)
Applications
biometric identification (5x speedup) [NDSS 2011]
Hamming distance (4000x), Edit distance (30x), Smith-Waterman, AES Encryption (16x) [USENIX Sec 2011]
private set intersection (faster than best custom protocols) [NDSS 2012]
Slide9
Standard Threat Models
Semi-Honest: Adversary follows the protocol as specified, but tries to learn more from the protocol execution transcript
Reasonable performance, unreasonable assumptions
Malicious: Adversary can do anything; protocol guarantees correctness and privacy
Reasonable assumptions, unreasonable performance
Slide10
Security Properties
Privacy: Nothing is revealed other than the output
Correctness: The output of the protocol is indeed f(x,y)
[Diagram labels: Generator; Evaluator; Malicious-resistant OT; Semi-Honest GC]
As long as evaluator doesn’t send result back, and a malicious-resistant OT is used, privacy for evaluator is guaranteed.
How can we get both correctness, and maintain privacy while giving both parties result?
Slide11
Dual Execution Protocol [Mohassel and Franklin, PKC’06]
[Diagram: Alice and Bob, each labelled generator in one execution and evaluator in the other]
first round execution (semi-honest): z = f(x, y)
second round execution (semi-honest): z' = f(x, y)
fully-secure, authenticated equality test, taking "z, learned output wire labels" from one side and "z’, learned output wire labels" from the other
Pass if z = z’ and correct wire labels
Slide12
Dual Execution Protocol
[Diagram: Alice and Bob, generator and evaluator roles]
first round execution (semi-honest): z = f(x, y)
second round execution (semi-honest): z' = f(x, y)
fully-secure, authenticated equality test, taking "z, learned output wire labels" from one side and "z’, learned output wire labels" from the other
Pass if z = z’ and correct wire labels
Recall: work to generate is 3x work to evaluate!
Slide13
Best reported malicious protocol [PSSW09]
Slide14
Scalability
Slide15
Security Properties
Correctness: guaranteed by authenticated, secure equality test
Privacy: Leaks one (extra) bit on average
adversarial circuit generator provides a circuit that fails on ½ of inputs
Malicious generator can decrease likelihood of being caught, and increase information leaked when caught (but decreases average information leaked): at extreme, circuit fails on just one input
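The leakage figures on this slide can be checked with a small model. This is an added example, not code from the original slides: garbling and oblivious transfer are abstracted away (each circuit is modelled as the function it computes), and `f` as Hamming distance, the 4-bit input size, the uniform prior on Bob's input, Alice generating in round 1, and all function names are assumptions made for illustration.

```python
import math

N_BITS = 4                       # constructed toy size: inputs are 4-bit marker vectors
INPUTS = range(2 ** N_BITS)

def f(x, y):
    """The agreed function: Hamming distance between the two inputs."""
    return bin(x ^ y).count("1")

def rigged(fail_set):
    """A generator's circuit that is wrong exactly when evaluator input y is in fail_set."""
    return lambda x, y: f(x, y) + 1 if y in fail_set else f(x, y)

def dual_execution(x, y, alice_circuit=f, bob_circuit=f):
    """Run both semi-honest rounds, then the equality test.

    Returns (output, passed); output is None when the test fails.
    """
    z_bob = alice_circuit(x, y)      # round 1 (assumed): Alice generates, Bob evaluates
    z_alice = bob_circuit(x, y)      # round 2 (assumed): Bob generates, Alice evaluates
    passed = z_bob == z_alice        # equality test reveals only pass/fail
    return (z_alice if passed else None), passed

def leakage(fail_set, x=0b1010):
    """Measure what the pass/fail bit tells a cheating Alice about Bob's y."""
    fails = sum(not dual_execution(x, y, alice_circuit=rigged(fail_set))[1]
                for y in INPUTS)
    p = fails / len(INPUTS)                        # chance the cheat is detected
    avg_bits = -sum(q * math.log2(q) for q in (p, 1 - p) if q > 0)
    bits_when_caught = math.log2(len(INPUTS) / fails) if fails else 0.0
    return p, avg_bits, bits_when_caught

half = leakage({y for y in INPUTS if y & 1})       # circuit fails on 1/2 of inputs
one = leakage({0b0110})                            # circuit fails on a single input

if __name__ == "__main__":
    for name, (p, avg, caught) in (("half", half), ("single", one)):
        print(f"{name}: P[caught]={p:.4f}, avg leak={avg:.3f} bits, "
              f"{caught:.1f} bits when caught")
```

In this model the half-failing circuit leaks exactly 1 bit on average, while the single-input circuit is caught only 1 time in 16 and leaks about 0.34 bits on average but 4 bits when caught.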
Slide16
Enhancements
Delayed Revelation
Don’t reveal semantic value of output until after equality test passes
“Fair” Revelation
Each party learns one (matching) bit of output at a time.
Slide17
Biggest Open Question
Circuit structure can be checked by evaluator (including free XORs)
Design circuit to limit malicious generator’s ability to partition input space.
Challenge: can lie about inputs also
Can we leak less than one bit on average?
Slide18
Summary
first round execution (semi-honest): z = f(x, y)
second round execution (semi-honest): z' = f(x, y)
fully-secure, authenticated equality test
Provides full correctness and maximum one-bit average leakage against fully malicious adversaries (formal proof using ideal/real world model)
With pipelining framework, almost free with dual-core, 40-50% over semi-honest protocol with one core.
www.MightBeEvil.org
evans@cs.virginia.edu