Secure Computation David Evans University of Virginia httpwwwcsvirginiaeduevans httpwwwMightBeEvilcom DHOSA MURI PIs Meeting Berkeley CA 28 April 2011 transformation HARDWARE ID: 708921
Download Presentation The PPT/PDF document "1 Practical Cryptographic" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
1
Practical
CryptographicSecure Computation
David EvansUniversity of Virginiahttp://www.cs.virginia.edu/evanshttp://www.MightBeEvil.com
DHOSA MURI
PIs Meeting
Berkeley, CA
28 April 2011Slide2
transformation
HARDWARE
SYstem
architectures
SVA
Binary translation and
emulation
Formal methods
Hardware support for isolation
Dealing with malicious hardware
Cryptographic secure computation
Data-centric security
Secure browser appliance
Secure servers
web-based architectures
e.g., Enforce properties
on a malicious OS
e.g., Prevent
data
exfiltration
e.g., Enable complex distributed systems, with resilience to hostile OS’sSlide3
Secure Two-Party Computation
3
Alice
Bob
Bob’s Genome: ACTG…
Markers (~1000): [0,1, …, 0]
Alice’s Genome: ACTG…
Markers (~1000): [0, 0, …, 1]
Can Alice and Bob compute a function of their private data, without exposing anything about their data besides the result?Slide4
Secure Function Evaluation
Alice (circuit generator)
Bob (circuit evaluator)
Garbled Circuit Protocol
Andrew Yao, 1982/1986Slide5
Yao’s Garbled Circuits
Inputs
Output
a
b
x
0
0
0
0
1
0
1
0
0
1
1
1
AND
a
b
xSlide6
Computing with Meaningless Values?
Inputs
Output
a
b
x
a
0
b
0
x
0
a
0
b
1
x
0
a
1
b
0
x0
a
1
b
1
x
1
AND
a
0
or
a
1
b
0
or
b
1
x
0
or
x
1
a
i
,
b
i
,
x
i
are
random
values, chosen by the
circuit generator
but
meaningless
to the
circuit evaluator
.Slide7
Computing with Garbled Tables
Inputs
Output
a
b
x
a
0
b
0
Enc
a
0
,b
0
(
x
0)
a0
b1
Enca
0,b1(
x0)
a
1
b0
Enc
a1,b
0
(
x
0
)
a
1
b
1
Enc
a
1
,b
1
(
x
1
)
AND
a
0
or
a
1
b
0
or
b
1
x
0
or
x
1
a
i
,
b
i
,
x
i are random values, chosen by the circuit generator but meaningless to the circuit evaluator.
Bob can only decrypt one of these!
Garbled And Gate
Enca0, b1(x0)Enca1,b1(x1)Enca1,b0(x0)Enca0,b0(x0)Slide8
Chaining Garbled Circuits
8
AND
a
0
b
0
x
0
AND
a1
b
1
x
1
OR
x
2
And Gate 1
Enc
a
1
0
,
b
11
(x10
)
Enc
a
1
1
,
b
1
1
(
x
1
1
)
Enc
a
1
1
,
b
1
0
(
x
1
0
)
Enc
a
1
0
,
b
1
0
(
x
1
0
)
Or Gate 2
Enc
x
0
0
,
x
1
1(x21)Enc
x01,x
11(x2
1)Encx01,x10(x21)Encx00,x10(x20)…We can do any computation privately this way!Slide9
Fairplay
9
Dahlia
Malkhi, Noam Nisan, Benny Pinkas and Yaron Sella [USENIX Sec 2004]
SFDL Program
SFDL Compiler
Circuit
(SHDL)
Alice
Bob
Garbled Tables Generator
Garbled Tables Evaluator
SFDL CompilerSlide10
Enc
x
00,
x11(x
2
1
)
Enc
x
0
1
,
x11
(x21)
Enc
x0
1,x10(
x21)
Enc
x
20
, x21
(x30
)
Enc
x2
1,x21
(x30)
Enc
x
2
1
,
x
2
0
(
x3
1
)
Enc
x2
0
,
x3
1
(
x
4
1
)
Enc
x
2
1
,
x
3
1
(
x
4
1
)
Enc
x
2
1
,
x
3
0
(
x
4
0
)Encx40,
x31(
x51)
Encx41,x31(x50)Encx41,x30(x50)Encx40, x51(x61)Encx41,
x
5
1
(
x
6
0
)
Enc
x
4
1
,
x
5
0
(
x
6
0
)
Enc
x
3
0
,
x
6
1
(
x
7
1
)
Enc
x
3
1
,
x
6
1
(
x
7
0)Encx31,x60(x71)
Our Approach: Faster Garbled Circuits
10
Circuit-Level Application
GC Framework(Evaluator)
GC Framework (Generator)
Circuit Structure
Circuit Structure
x
4
1
x21
x31
x60
x51
x71
Gates can be evaluated as they are generated:
pipelining
Gates can be evaluated in any topological sort order:
parallelizing
Garbled evaluation can be
combined with normal executionSlide11
Applications
11
Privacy-Preserving Biometric Matching
Private Personal Genomics
Private Set Intersection
Private AES EncryptionSlide12
Private Set Intersection
Do Alice and Bob have any contacts in common?Two countries want to compare their miscreant lists
Identify common medical records across hospitalsTwo companies want to do joint marketing to common customers12Slide13
Sort-Compare-Shuffle
13
Sort:
Take advantage of total order of elements
Compare
adjacent elements
Shuffle
to hide positionsSlide14
14
Private Set Intersection Protocol
Free
Gates to generate and evaluate
Bitonic
Sorting Circuit
Waksman Permutation NetworkSlide15
Private Set Intersection Results
15
Seconds
Set Size (each set)32-bit valuesSlide16
Some Other Results
Problem
Best Previous ResultOur ResultSpeedup
Hamming Distance (Face Recognition) – 900-bit vectors213s [SCiFI, 2010]
0.051s
4176
Levenshtein
Distance
(genome, text comparison) – two 200-character inputs
534s
[
Jha
+, 2008]18.4s29
Smith-Waterman (genome alignment) – two 60-nucleotide sequences[Not Implementable]
447s-AES Encryption
3.3s [Henecka
, 2010]0.2s16.5Fingerprint Matching (1024-entry database, 640x8bit vectors)
~83s [Barni, 2010]18s
4.616
Scalable: 1 Billion gates evaluated at ~100,000 gates/second on laptop
NDSS 2011
USENIX Security 2011Slide17
David Evansevans@cs.virginia.edu
http://www.cs.virginia.edu/evans
17CollaboratorsYan Huang
(UVa PhD Student), Yikan Chen (UVa PhD Student),Samee Zahur (
UVa
MS Student),
Peter Chapman (
UVa
BACS Student)
Jonathan Katz (University of Maryland)Aaron Mackey (UVa Public Health Genomics)