Knowledge Inference for Optimizing Secure Multi-party Computation

Knowledge Inference for Optimizing Secure Multi-party Computation
Aseem Rastogi, Piotr (Peter) Mardziel, Michael Hicks, Matthew Hammer

Secure Computation
Alice holds input A and Bob holds input B.
Goal: compute f(A, B) without revealing A to Bob or B to Alice.
12/4/2018

Using a Trusted Third Party
Alice sends A and Bob sends B to a trusted third party, which computes f(A, B) and returns it to both.
Same goal: compute f(A, B) without revealing A to Bob or B to Alice.

Secure Computation Protocols
The trusted third party is replaced by a cryptographic protocol run between Alice and Bob; each party learns f(A, B).
Goal unchanged: compute f(A, B) without revealing A to Bob or B to Alice.

Example – Joint Median Computation
Alice holds { A1, A2 }, Bob holds { B1, B2 }.
Assume: A1 < A2 and B1 < B2 and Distinct(A1, A2, B1, B2).

  a = A1 ≤ B1;
  b = a ? A2 : A1;
  c = a ? B1 : B2;
  d = b ≤ c;
  output = d ? b : c;

Example – Joint Median Computation
The whole program runs inside the secure computation:

  a = A1 ≤ B1;
  b = a ? A2 : A1;
  c = a ? B1 : B2;
  d = b ≤ c;
  output = d ? b : c;

Performance Optimization
- Cryptographic protocols are prohibitively expensive.
- Performance optimization [F. Kerschbaum, CCS'11]:
  - Parties can eventually infer some intermediate values, once they know the output.
  - Revealing these values early does not compromise security*.
  - Computation over known data can be offloaded to the local hosts.
* In a semi-honest (honest-but-curious) threat model.

Questions
For a Secure Multi-party Computation (SMC) program:
- Can we infer which variables are known to a party?
- Can we infer evidence for a party's knowledge of a variable?

Contributions
- Formalization of knowledge: formalize what it means for a party p to know a variable x.
- Knowledge inference algorithm: an algorithm to infer whether p knows x, with a proof of soundness and completeness.
- Constructive knowledge inference algorithm: an algorithm to construct evidence of p's knowledge of x, with a proof of soundness and completeness.

Median Example – Analysis
  a = A1 ≤ B1;
  b = a ? A2 : A1;
  c = a ? B1 : B2;
  d = b ≤ c;
  output = d ? b : c;

Alice and Bob both know a and d.

Median Example – Analysis from Bob's Perspective
  a = A1 ≤ B1;
  b = a ? A2 : A1;
  c = a ? B1 : B2;
  d = b ≤ c;
  output = d ? b : c;

Case analysis of the final states:
- a = true (A1 ≤ B1), so b = A2 and c = B1:
  - d = true,  output = A2   (A1 ≤ B1 ∧ A2 ≤ B1)
  - d = false, output = B1   (A1 ≤ B1 ∧ A2 > B1)
- a = false (A1 > B1), so b = A1 and c = B2:
  - d = true,  output = A1   (A1 > B1 ∧ A1 ≤ B2)
  - d = false, output = B2   (A1 > B1 ∧ A1 > B2)

Hence, from Bob's inputs and the output:
  d = (output ≠ B1 ∧ output ≠ B2)   Recall: Distinct(A1, A2, B1, B2)
  a = (output ≤ B1)                  Recall: B1 < B2

Optimized Joint Median Computation
Both parties know a and d, so only the two comparisons need to run inside the secure computation; the selections that depend on a and d are computed locally from the revealed comparison results:
  a = A1 ≤ B1;          (secure computation)
  b = a ? A2 : A1;      (local)
  c = a ? B1 : B2;      (local)
  d = b ≤ c;            (secure computation)
  output = d ? b : c;   (local)

Formalization of Knowledge
Party p knows x if:
- x can be uniquely determined from p's inputs I and outputs O; equivalently,
- any two program executions that agree on I and O also agree on x.

Knowledge in Median Example
Let states σ map program variables to values.
  a = A1 ≤ B1;
  b = a ? A2 : A1;
  c = a ? B1 : B2;
  d = b ≤ c;
  output = d ? b : c;

Bob knows a if, for all final states σ1 and σ2 such that
  σ1[B1] = σ2[B1], σ1[B2] = σ2[B2], and σ1[output] = σ2[output],
we have σ1[a] = σ2[a].

Knowledge Inference Algorithm
1. Compute the postcondition of the program: a sound approximation of the final program states.

Example Postcondition for Median
  a = A1 ≤ B1;
  b = a ? A2 : A1;
  c = a ? B1 : B2;
  d = b ≤ c;
  output = d ? b : c;

  ϕ1 = (A1 ≤ B1) ∧ (a = true) ∧ (b = A2) ∧ (c = B1) ∧ (b ≤ c) ∧ (d = true) ∧ (output = b)
  ϕ2 = (A1 ≤ B1) ∧ (a = true) ∧ (b = A2) ∧ (c = B1) ∧ (b > c) ∧ (d = false) ∧ (output = c)
  ϕ3 = …, ϕ4 = …
  φmedian = ϕ1 ∨ ϕ2 ∨ ϕ3 ∨ ϕ4

Knowledge Inference Algorithm
Recall: we need to prove a property of any two program runs.
1. Compute the postcondition of the program.
2. Use self-composition to simulate two program runs.

Self-Composed Median Example
  a = A1 ≤ B1;                 a' = A'1 ≤ B'1;
  b = a ? A2 : A1;             b' = a' ? A'2 : A'1;
  c = a ? B1 : B2;             c' = a' ? B'1 : B'2;
  d = b ≤ c;                   d' = b' ≤ c';
  output = d ? b : c;          output' = d' ? b' : c';

  φself-composed = φmedian ∧ φ'median

Knowledge Inference Algorithm
1. Compute the postcondition of the program.
2. Use self-composition to simulate two program runs.
3. Derive the knowledge formula and solve it using an SMT solver.

Deriving Knowledge Formula
Does Bob know a?
  a = A1 ≤ B1;                 a' = A'1 ≤ B'1;
  b = a ? A2 : A1;             b' = a' ? A'2 : A'1;
  c = a ? B1 : B2;             c' = a' ? B'1 : B'2;
  d = b ≤ c;                   d' = b' ≤ c';
  output = d ? b : c;          output' = d' ? b' : c';

  φmedian ∧ φ'median ∧ B1 = B'1 ∧ B2 = B'2 ∧ output = output' ⇒ a = a'

Solving Using an SMT Solver
Ask the SMT solver whether the knowledge formula is valid:
  φmedian ∧ φ'median ∧ B1 = B'1 ∧ B2 = B'2 ∧ output = output' ⇒ a = a'
- Yes: Bob knows a.
- No: Bob may not or does not know a, depending on the completeness of the postcondition.

Properties of Knowledge Inference
- Soundness: if the algorithm returns "p knows x", then p and x satisfy the formal definition of knowledge.
- Completeness: if p and x satisfy the formal definition of knowledge, then the algorithm returns "p knows x".
- Loop-free language (SMCs do not admit loops).

Constructive Knowledge Inference
- Infer evidence for p's knowledge of x.
- The evidence is a formula for x in terms of p's input and output variables.

Constructive Knowledge Inference Algorithm
- Formulate knowledge as an invariant of the program.
- Use template-based verification to infer the invariant (Srivastava et al., PLDI'09).

Setting up Constructive Knowledge Inference
Does Bob know a?
  (A1 < A2 ∧ B1 < B2 ∧ Distinct(A1, A2, B1, B2))
  a = A1 ≤ B1;
  b = a ? A2 : A1;
  c = a ? B1 : B2;
  d = b ≤ c;
  output = d ? b : c;
  assert(a = τ)

Variables in τ ϵ { B1, B2, output }

Setting up Constructive Knowledge Inference
Does Bob know a?
  (A1 < A2 ∧ B1 < B2 ∧ Distinct(A1, A2, B1, B2))
  a = A1 ≤ B1;
  b = a ? A2 : A1;
  c = a ? B1 : B2;
  d = b ≤ c;
  output = d ? b : c;
  assert(a = τ)

Candidate predicates for τ:
  { v1 op v2 | v1, v2 ϵ { B1, B2, output }, op ϵ { <, ≤, >, ≥, =, ≠ } }

Constructive Knowledge Inference Algorithm
- Derived from template-based verification.
- Given (m, n), searches for solutions in DNF(m, n).
- Efficient search: O(|Q|m + |Q|n) queries to the SMT solver, as opposed to the naïve O(|Q|mn).

Constructive Knowledge Inference for Median
  a = A1 ≤ B1;
  b = a ? A2 : A1;
  c = a ? B1 : B2;
  d = b ≤ c;
  output = d ? b : c;

  φpre = A1 < A2 ∧ B1 < B2 ∧ Distinct(A1, A2, B1, B2)

Inferred evidence:
  a = output ≥ A1                      (for Alice)
  a = output ≤ B1                      (for Bob)
  d = output = A1 ∨ output = A2        (for Alice)
  d = output ≠ B1 ∧ output ≠ B2        (for Bob)
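As an added illustration (not code from the slides or from the authors' tool), the following Python brute-forces the definition of knowledge and the evidence formulas for the median example over a small constructed domain: it enumerates every final state σ that satisfies φpre, checks the two-run definition of knowledge for Alice and Bob, validates inferred evidence by checking x = τ in every final state, and searches the single-predicate template for Bob's evidence for a. Exhaustive enumeration stands in for the SMT queries on the slides; the party views and the ALICE, BOB and OPS names are assumptions.

```python
import operator
from itertools import permutations
# Party views (assumed naming): own inputs plus the shared output; template ops.
ALICE = ("A1", "A2", "output")
BOB = ("B1", "B2", "output")
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "=": operator.eq, "!=": operator.ne}

def median_program(A1, A2, B1, B2):
    """The joint median program from the slides, evaluated in the clear."""
    a = A1 <= B1
    b = A2 if a else A1
    c = B1 if a else B2
    d = b <= c
    output = b if d else c
    return {"a": a, "b": b, "c": c, "d": d, "output": output}

def all_runs(domain=range(1, 7)):
    """Final states over a constructed domain meeting A1<A2, B1<B2, Distinct."""
    runs = []
    for A1, A2, B1, B2 in permutations(domain, 4):  # permutations => distinct
        if A1 < A2 and B1 < B2:
            sigma = {"A1": A1, "A2": A2, "B1": B1, "B2": B2}
            sigma.update(median_program(A1, A2, B1, B2))
            runs.append(sigma)
    return runs

def knows(party_vars, x, runs):
    """Knowledge definition: runs agreeing on p's inputs/outputs agree on x."""
    seen = {}
    for s in runs:
        key = tuple(s[v] for v in party_vars)
        if key in seen and seen[key] != s[x]:
            return False  # two runs agree on I and O but differ on x
        seen[key] = s[x]
    return True

def evidence_holds(x, formula, runs):
    """Soundness check for inferred evidence tau: x = tau in every final state."""
    return all(s[x] == formula(s) for s in runs)

def find_evidence(x, party_vars, runs):
    """Brute-force stand-in for the template search: one predicate v1 op v2."""
    for v1 in party_vars:
        for v2 in party_vars:
            for name, op in OPS.items():
                if v1 != v2 and all(s[x] == op(s[v1], s[v2]) for s in runs):
                    return (v1, name, v2)
    return None
```

Running knows(BOB, "b", all_runs()) returns False, since two runs with a = true and d = false can share Bob's view while b = A2 differs; the search for Bob's evidence for a returns B1 ≥ output, the same predicate as the slide's output ≤ B1.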

Properties of Constructive Knowledge Inference
- Soundness: if the algorithm infers a formula τ for party p and variable x, then x = τ at the end of the program; moreover, p can compute τ from its inputs and outputs.
- Completeness: similar to the completeness of verification techniques; if a solution τ exists in the template structure, our algorithm finds it.

Connection to Information Flow Declassification Policies
- Knowledge inference is similar to deciding delimited release [Sabelfeld et al., ISSS'04].
- Constructive knowledge inference is similar to deciding required release [S. Chong, CSF'10].
See our paper for more details!

Contributions
- Formalization of knowledge: formalize what it means for a party p to know a variable x.
- Knowledge inference algorithm: an algorithm to infer whether p knows x, with a proof of soundness and completeness.
- Constructive knowledge inference algorithm: an algorithm to construct evidence of p's knowledge of x, with a proof of soundness and completeness.

Ongoing Work
- Core calculus for writing M3PC programs.
- Formal type-directed translation to the target protocol:
  - A translation exists for all well-typed programs.
  - Source and target semantics preserve knowledge.
- Next step: given inferred knowledge facts, automatically generate optimal M3PC programs.