Fairplay – A Secure Two-Party Computation System (Usenix Security 2004)


Slide 1: Fairplay – A Secure Two-Party Computation System
Usenix Security 2004
Yaron Sella, Hebrew University of Jerusalem
Joint work with Dahlia Malkhi, Noam Nisan, and Benny Pinkas
Project team: Ziv Balshai, Amir Levy, Dudi Einey, Ori Peleg

Slide 2: Outline
SFE – Secure Function Evaluation
Goals
Fairplay
  – Fairplay computation overview
  – Demo (SFDL & SHDL examples)
  – Bob/Alice two party SFE
  – Experiments

Slide 3: SFE - Secure Function Evaluation
Started with Yao’s seminal paper (almost 20 years ago!)
Allows several parties to perform a joint computation, that in real life requires a trusted party, using cryptographic tools only (i.e., the trusted party is not needed!)
Theoretical significance only?
We focus on 2-party SFE

Slide 4: SFE Example - Millionaires’ Problem
[Figure: two parties holding $X and $Y compare their values (<, =, >) through a Secure Function Evaluation Protocol]

Slide 5: General Structure of Yao’s Protocol
Represent f(x,y) as a Boolean circuit
Bob “garbles” the circuit:
  – ∀ wire, assigns random values instead of 0/1
  – ∀ gate, constructs a “secure” truth table
Bob sends to Alice the tables and garbled versions of his input
Alice uses oblivious transfer to obtain garbled versions of her input and uses them to compute the output of the circuit

Slide 6: Goals
Answer some basic questions on SFE:
  – Is two-party SFE practical?
  – Obtain actual measurements of overall computation: How much time is needed to solve the Millionaires’ problem? The Billionaires’ problem?
Better understanding of SFE computation:
  – Where are the bottlenecks?
  – Computation versus communication
Test-bed for various optimizations

Slide 7: Fairplay Computation Overview (1)
[Diagram, Bob and Alice: GUI; SFDL program (a file); SFDL Compiler + Circuit optimizer; SHDL circuit (a file); SHDL Parser; Circuit (Java obj.); SFE. Stages labelled Off-line and On-line.]

Slide 8: Fairplay Computation Overview (2)
[Diagram, Bob and Alice: Circuit (Java obj.); m × Circuit garbler; Garbled circuits (Java obj.); Circuits send; Circuits receive; Circuit choose; Read Integer; Reveal secrets; Circuits verify]

Slide 9: Fairplay Computation Overview (3)
[Diagram, Bob and Alice: Input + input send; Input receive; Input; OT chooser; OT sender; Circuit evaluator; Output]

Slide 10: Outline
SFE – Secure Function Evaluation
Goals
Fairplay
  – Fairplay computation overview
  – Demo (SFDL & SHDL examples)
  – Bob/Alice two party SFE
  – Experiments

Slide 11: The Compilation Paradigm
SFDL (Secure Function Definition Language) - High-level programming language for the function to be evaluated in the trusted party model
  – Allows clear, formal, easily understandable definition and requirements by humans
SHDL (Secure Hardware Definition Language) - Low-level language describing Boolean circuits
“Obliviousness-aware” SFDL → SHDL compiler
The compiler also produces an I/O format file

Slide 12: SFDL Example
program Millionaires {
  type int = Int<4>; // 4-bit integer
  type AliceInput = int;
  type BobInput = int;
  type AliceOutput = Boolean;
  type BobOutput = Boolean;
  type Output = struct {AliceOutput alice, BobOutput bob};
  type Input = struct {AliceInput alice, BobInput bob};
  function Output output(Input input) {
    output.alice = input.alice > input.bob;
    output.bob = input.bob > input.alice;
  }
}

Slide 13: SFDL Properties
Conventional syntax (C/Pascal-like)
Type system – Boolean, integer, enumerated
Program structure
  – Declarations: global constants, types
  – Sequence of functions (no nesting [C], no recursion)
  – Function name is its return value [Pascal]
Conditional execution and loops
  – if-then, if-then-else statements, for-loop
Assignments and expressions
  – constants, variables, array entries, structure items, function calls, operators (+, -, logical, comparison), parentheses

Slide 14: SHDL Example (1)
0 input//output$input.bob$0
1 input//output$input.bob$1
2 input//output$input.bob$2
3 input//output$input.bob$3
4 input//output$input.alice$0
5 input//output$input.alice$1
6 input//output$input.alice$2
7 input//output$input.alice$3
8 gate arity 2 table [ ] inputs [ 4 5 ]
9 gate arity 2 table [ ] inputs [ 4 5 ]

Slide 15: SHDL Example (2)
10 gate arity 2 table [ ] inputs [ 8 6 ]
11 gate arity 2 table [ ] inputs [ 8 6 ]
12 gate arity 2 table [ ] inputs [ 10 7 ]
13 gate arity 2 table [ ] inputs [ 4 0 ]
14 gate arity 3 table [ ] inputs [ ]
15 gate arity 3 table [ ] inputs [ ]
16 gate arity 2 table [ ] inputs [ 12 3 ]
17 gate arity 2 table [ ] inputs [ ]
18 output gate arity 1 table [ 0 1 ] inputs [ 17 ]
…

Slide 16: SHDL Properties
Each line is a circuit component, i.e.:
  – An input bit, or
  – A Boolean gate with a given truth-table and input wires
Circuit wiring is based on line numbers
The compiler produces gates of arity 1, 2, 3
// Comments are ignored (even though the compiler generated them)

Slide 17: The Format File
Enables the input bits to be specified and the output bits to be presented in a user-friendly format
Format file example:
  Bob input integer "input.bob" [ ]
  Alice input integer "input.alice" [ ]
  Alice output integer "output.alice" [18]
  Bob output integer "output.bob" [29]
Bob’s input bits should be read from the user as an integer

Slide 18: The SFDL → SHDL Compiler
Compiler’s sequence of steps:
  – Parsing
  – Function inlining and loop unfolding (obliviousness!)
  – Transformation into single bit operations
  – Array access handling (cost = O(n) gates)
  – Single variable assignment
  – Optimizations: local code optimization, duplicate code removal, dead code elimination

Slide 19: Bob-Alice 2-Party SFE – Overview (1)
Input: C = circuit in SHDL
Cut-and-Choose:
  – Bob parses C into m garbled circuits, and sends them to Alice. Alice also parses C.
  – Alice chooses one circuit for evaluation - GC
  – Bob exposes secrets of all garbled circuits except GC
  – Alice verifies all exposed garbled circuits
  – Catches cheating with probability 1-1/m
Bob sends his inputs for GC (Alice can’t interpret them because they are garbled)

Slide 20: Bob-Alice 2-Party SFE – Overview (2)
Oblivious Transfer: Alice obtains her inputs for GC from Bob using a single OT per Alice input bit (Alice = chooser, Bob = sender)
Alice evaluates GC
Alice interprets her outputs (she can’t interpret Bob’s outputs, because they are garbled)
Alice sends to Bob his outputs
Bob interprets his outputs

Slide 21: Garbled Circuit Preparation (by Bob)
Wires $W_i$, $W_j$, $W_k$ with garbled values $v_i^0, v_i^1$; $v_j^0, v_j^1$; $v_k^0, v_k^1$.
Truth table:
x | y | out
0 | 0 | b0
0 | 1 | b1
1 | 0 | b2
1 | 1 | b3
GTT:
x | y | out
0 | 0 | $v_k^{b0}$
0 | 1 | $v_k^{b1}$
1 | 0 | $v_k^{b2}$
1 | 1 | $v_k^{b3}$
EGTT:
x | y | output
0 | 0 | $E(v_k^{b0})$
0 | 1 | $E(v_k^{b1})$
1 | 0 | $E(v_k^{b2})$
1 | 1 | $E(v_k^{b3})$
where
$E(v_k^{b0}) = \text{SHA-1}(v_i^0, v_j^0, k) \oplus v_k^{b0}$
$E(v_k^{b1}) = \text{SHA-1}(v_i^0, v_j^1, k) \oplus v_k^{b1}$
$E(v_k^{b2}) = \text{SHA-1}(v_i^1, v_j^0, k) \oplus v_k^{b2}$
$E(v_k^{b3}) = \text{SHA-1}(v_i^1, v_j^1, k) \oplus v_k^{b3}$
PEGTT: permute rows

Slide 22: Garbled Circuit Evaluation (by Alice)
Alice holds $v_i$, $v_j$; the PEGTT entries are $v_k'$, $v_k''$, $v_k'''$, $v_k''''$; the output is $v_k$.
1. Try decrypting each entry
2. $D(v_k') = \text{SHA-1}(v_i, v_j, k) \oplus v_k'$ $(= v_k)$
Note that
1. Alice doesn’t learn any other table entry.
2. Alice doesn’t learn if entry and wire values correspond to 0 or 1.
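The gate construction of slides 21 and 22 can be run end to end; the following is an added example, not Fairplay's Java code. It assumes 10-byte wire values and 10 bytes of zero padding so that Alice can recognize the one row that decrypts correctly (the slides do not say how the correct row is recognized); the function names are hypothetical.

```python
import hashlib, secrets

LABEL = 10        # bytes per garbled wire value (assumption)
PAD = bytes(10)   # zero padding that marks a correct decryption (assumption)

def mask(vi, vj, k):
    """SHA-1(v_i, v_j, k): the 20-byte pad for one truth-table row of gate k."""
    return hashlib.sha1(vi + vj + k.to_bytes(4, "big")).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def garble_gate(k, table, wi, wj, wk):
    """Bob: build the PEGTT. table[(x, y)] is the plain output bit;
    wi, wj, wk are (v^0, v^1) pairs of random wire values."""
    rows = [xor(mask(wi[x], wj[y], k), wk[table[(x, y)]] + PAD)
            for x in (0, 1) for y in (0, 1)]          # EGTT
    secrets.SystemRandom().shuffle(rows)               # permute rows -> PEGTT
    return rows

def eval_gate(k, pegtt, vi, vj):
    """Alice: try decrypting each entry; only the matching row shows the padding."""
    m = mask(vi, vj, k)
    plain = [xor(m, row) for row in pegtt]
    hits = [p[:LABEL] for p in plain if p[LABEL:] == PAD]
    if len(hits) != 1:
        raise ValueError("no unique valid row: wrong wire values or tampered table")
    return hits[0]

def new_wire():
    return (secrets.token_bytes(LABEL), secrets.token_bytes(LABEL))

def demo_and_gate():
    """Garble one AND gate and evaluate it on all four garbled input pairs."""
    wi, wj, wk = new_wire(), new_wire(), new_wire()
    and_tt = {(x, y): x & y for x in (0, 1) for y in (0, 1)}
    pegtt = garble_gate(7, and_tt, wi, wj, wk)   # 7 is a constructed gate index
    # Only Bob, who knows wk, can map the garbled output back to a bit.
    return {(x, y): wk.index(eval_gate(7, pegtt, wi[x], wj[y]))
            for x in (0, 1) for y in (0, 1)}
```

Alice only ever sees one value per wire, so the three rows she cannot decrypt stay indistinguishable from random bytes to her.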

Slide 23: EGL 1-out-of-2 Oblivious Transfer ($OT^2_1$)
Sender (Bob) holds $M_0$, $M_1$; Chooser (Alice) holds bit $b$.
1. Chooser → Sender: $PK_0$, $PK_1$ (s.t. only one of $PK_0$, $PK_1$ can be a “real” PK)
2. Sender encrypts $M_0$ with $PK_0$ (= $E_0$) and $M_1$ with $PK_1$ (= $E_1$); Sender → Chooser: $E_0$, $E_1$
3. Chooser decrypts $E_0$ or $E_1$

Slide 24: $OT^2_1$ (EGL Paradigm with El-Gamal)
Input: chooser - a bit $\sigma$; sender - two strings $M_0$, $M_1$
Output: chooser - $M_\sigma$
Preliminaries: $Z_q$ is a sub-group of order $q$ of $Z_p^*$, $p, q$ are primes, and $q \mid (p-1)$. Let $g$ be a generator of $Z_q$. $H$ is a random oracle.
Initialization: the sender publishes $C$, a random element in $Z_q$ (whose discrete log to the base $g$ is unknown by the chooser).

Slide 25: $OT^2_1$ Interactive Protocol
Public: $p, q, g, H, C$. Sender (Bob) holds $M_0$, $M_1$; Chooser (Alice) holds $\sigma$.
1. Chooser picks random $k$ in $[1,q]$, and sets public keys: $PK_\sigma = g^k$, $PK_{1-\sigma} = C / PK_\sigma$. Chooser → Sender: $PK_0$
2. Sender computes $PK_1 = C / PK_0$, chooses random $r_0, r_1$ in $Z_q$, El-Gamal encrypts: $E_0 = \{g^{r_0}, H(PK_0^{r_0}) \oplus M_0\}$, $E_1 = \{g^{r_1}, H(PK_1^{r_1}) \oplus M_1\}$. Sender → Chooser: $E_0$, $E_1$
3. Chooser computes $H((g^{r_\sigma})^k) = H(PK_\sigma^{r_\sigma})$ and uses it to decrypt $M_\sigma$
Note: NP01 variant (in RO model)
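The three steps of slides 24 and 25, written out as an added example (not Fairplay's implementation). The group p = 2039, q = 1019, g = 4 is a constructed toy group, far too small for real use (slide 26 gives |p|=1024, |q|=160); SHA-1 stands in for the random oracle H as on slide 26, and all function names are hypothetical.

```python
import hashlib, secrets

# Constructed toy parameters: q | p-1 and g generates the order-q subgroup.
P, Q, G = 2039, 1019, 4

def H(x, n):
    """Random-oracle stand-in: SHA-1 of a group element, cut to n <= 20 bytes."""
    return hashlib.sha1(str(x).encode()).digest()[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def sender_setup():
    """Initialization: sender publishes C; the chooser must not know log_g(C)."""
    return pow(G, secrets.randbelow(Q - 1) + 1, P)

def chooser_keys(sigma, C):
    """Step 1: PK_sigma = g^k, PK_{1-sigma} = C / PK_sigma; only PK_0 is sent."""
    k = secrets.randbelow(Q - 1) + 1
    pk_sigma = pow(G, k, P)
    pk_other = C * pow(pk_sigma, -1, P) % P
    return k, (pk_sigma if sigma == 0 else pk_other)

def sender_encrypt(pk0, C, m0, m1):
    """Step 2: the sender derives PK_1 = C / PK_0 itself, so the chooser can
    know the secret key of at most one of the two; then El-Gamal encrypts."""
    pk1 = C * pow(pk0, -1, P) % P
    cts = []
    for pk, m in ((pk0, m0), (pk1, m1)):
        r = secrets.randbelow(Q - 1) + 1
        cts.append((pow(G, r, P), xor(H(pow(pk, r, P), len(m)), m)))
    return cts                                   # [E_0, E_1]

def chooser_decrypt(sigma, k, cts):
    """Step 3: H((g^r_sigma)^k) = H(PK_sigma^r_sigma) unmasks M_sigma."""
    g_r, c = cts[sigma]
    return xor(H(pow(g_r, k, P), len(c)), c)

def run_ot(sigma, m0, m1):
    """One full transfer; returns what the chooser learns."""
    C = sender_setup()
    k, pk0 = chooser_keys(sigma, C)
    return chooser_decrypt(sigma, k, sender_encrypt(pk0, C, m0, m1))
```

In Fairplay's setting M_0 and M_1 would be the two garbled values of one of Alice's input wires, one OT per input bit as slide 20 states.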

Slide 26: Experiments: Implementation & Setup
Code written in Java
Communication: TCP/IP (Java sockets)
Crypto: Java BigInteger libraries, SHA1 as RO
Two communication scenarios
  – LAN – MBPS, latency 0.4 ms
  – WAN (USA, Israel) – 1.06 MBPS, latency ms
Two PCs – 2.4 GHz
Parameters: |p|=1024, |q|=160, m=2
Results: 100 repetitions (compilation excluded)

Slide 27: Experiments – The Four Functions
Function | Circuit gates: Total | Circuit gates: Inputs | Alice Inputs
AND | 32 | 16 | 8
Billionaires | | |
Keyed DB search | | |
Median | | |
AND - a very simple circuit
Keyed DB - small number of inputs for Alice
Median – biggest circuit

Slide 28: Experiments – Results Highlights
Billionaires’ problem:
  – LAN: 1.25 seconds, WAN: 4.01 seconds
Communication versus computation:
  – Percentage of delay due to communication: LAN: up to 42%, WAN: up to 77%
Optimizations speed up factor:
  – WAN communication batching: up to 8.8!
  – Same $g^r \bmod p$ OT variant [NP01]: 1.3
LAN → WAN slowdown: up to 6.9

Slide 29: Experiments – WAN Detailed Results
IP – Initializations and Parsing
CC – Circuits communication
OTs – Oblivious Transfers
EV – Evaluation of circuit
EET – Elapsed Execution Time
WAN Communication:
Function | IP (%) | CC (%) | OTs (%) | EV (%) | EET (sec)
AND | | | | |
Billionaires | | | | |
Keyed DB | | | | |
Median | | | | |

Slide 30: Experiments – LAN Detailed Results
IP – Initializations and Parsing
CC – Circuits communication
OTs – Oblivious Transfers
EV – Evaluation of circuit
EET – Elapsed Execution Time
LAN Communication:
Function | IP (%) | CC (%) | OTs (%) | EV (%) | EET (sec)
AND | | | | |
Billionaires | | | | |
Keyed DB | | | | |
Median | | | | |

Slide 31: Future directions
Better understanding of experiments’ results
Improving the compiler (C ?)
New features
  – fair termination
Optimizations
  – Batch inversion (BS02)
  – Extending OTs (IKNP03)
Real applications & products (