Scaling Secure Computation Using the Cloud
Payman Mohassel, Yahoo Labs
Do We Have the Same Person in Mind?
- Alice and Bob each have a person in mind (Jack? Joe?)
- They want to learn only whether it is the same person: reveal Yes/No and nothing else
Solutions?
- You have access to a trusted computer
- You can use an airline reservation service
- You can use a password login page
Who is Richer? (Millionaires' Problem)
- Two parties hold $X$ and $Y$ respectively
- They want to learn only whether $X > Y$, without revealing $X$ or $Y$
Solutions?
- Trusted party
- Trusted program
- Check different digits?
- Ask comparison questions
Secure Multiparty Computation (MPC)
- Parties $P_1, \ldots, P_n$ hold private inputs $x_1, \ldots, x_n$ (five parties in the figure)
- Parties learn only $f(x_1, \ldots, x_n)$
- Correctness: honest parties learn the correct output
- Privacy: nothing but the final output is leaked
Location-Based Services
- Serving information/services: stores, restaurants, ATMs, …; tourist guides, ads, …
- Location-based access control
- Privacy-Preserving Proximity Testing: Alice and Bob learn if they are close to each other, but nothing else [NTLHB11, KMRS13]
Remote Diagnosis
- One party holds a program, the other holds the data it is applied to:
  - Error reporting systems / log files
  - Medical diagnosis program / list of symptoms
  - IDS/IPS rule sets / packets
  - DNA patterns / DNA database
- Privacy-Preserving Intrusion Detection: the IDS rule set is compiled into a DFA, which is then evaluated obliviously; implemented and tested on Snort [MNSS13]
More Applications
- Data mining
- Electronic voting
- Auctions
- Exchanges/financial analysis
- Location privacy
- Genomic computation
- Electronic commerce
- Healthcare
- When there is IP, an NDA, or user consent involved
- When you need to distribute trust
A Heuristic Approach to Security [Lindell]
1. Build a protocol
2. Try to break the protocol
3. Fix the break
4. Return to (2)
The Challenge Is [Lindell]
- You can never be really sure that the protocol is secure
- Compare to algorithms: their inputs are not adversarial
- Hackers will do anything to exploit a weakness; if one exists, it may well be found
- Security cannot be checked empirically
A Rigorous Approach [Lindell]
- Provide an exact problem definition:
  - Adversarial power
  - Network model
  - Meaning of security
- Prove that the protocol is secure, often by reduction to an assumed hard problem, like the discrete-log problem
Our Adversary
- The adversary is an algorithm
- The adversary runs in polynomial time
- The adversary corrupts one of the two parties; we do not know which one
- How does the corrupted party behave?
  - Follows the protocol (semi-honest)
  - Behaves arbitrarily (malicious)
What Does Security Mean?
- Correctness: an honest party learns the correct output
- Privacy: nothing but the final output is leaked
- Fairness: either both parties learn the output or neither does
Is It Achievable?
- Feasible for any polynomial-time function
  - Boolean circuits [Yao82, GMW87, BMR90, …]
  - Arithmetic circuits [BGW88, CCD88, …]
Implementations
- Fairplay, FairplayMP: implementations of 2PC & MPC
- VIFF and SEPIA: sharing-based MPC
- Sharemind: 3-party MPC; financial data analysis
- TASTY: mixed MPC framework (HE + garbled circuits)
- Fast Garbled Circuits: highly-optimized garbled circuit framework
- FRESCO: a reusable set of libraries for implementing MPC
- SCAPI: a set of Java-based libraries for MPC
- SPDZ: MPC implementation with fast online phase
- Dyadic Security: real-life usage
1-out-of-2 Oblivious Transfer [Rabin, 1981]
- Sender holds two strings $Y_0, Y_1$; Chooser holds a choice bit $j$ (Alice and Bob in the figure)
- Chooser learns $Y_j$ and nothing else
- Sender learns nothing
Yao's Garbled Circuits
- First secure computation protocol
- One of the most efficient
- Implementations: Fairplay (2004), TASTY (2010), FastGarble (2011), SCAPI (2013), JustGarble (2013), …
- Circuits with millions of gates in less than a second
A Garbling Scheme
- Circuit: $C(x, y) = f(x, y)$
- $(GC, E, D) \leftarrow \mathrm{Garble}(C, seed)$: garbled circuit $GC$, encoding information $E$, decoding information $D$
- $GI_x \leftarrow \mathrm{Encode}(x, E)$ and $GI_y \leftarrow \mathrm{Encode}(y, E)$: garbled inputs
- $GO \leftarrow \mathrm{Eval}(GC, GI_x, GI_y)$: garbled output
- $f(x, y)$ is recovered from $GO$ using $D$
Some Basic Properties
- Privacy: knowing $GI_x$, $GI_y$ and $GC$ does not leak any information beyond the output $f(x, y)$ obtained with $D$
- Output Authenticity: from $GI_x$, $GI_y$ and $GC$ one cannot compute another valid garbled output $GO'$ (one that decodes under $D$ to something other than $f(x, y)$)
Garble/Evaluate (one AND gate with input wires 1, 2 and output wire 3)
- Garble: choose a pair of keys per wire: $(k^1_0, k^1_1)$, $(k^2_0, k^2_1)$, $(k^3_0, k^3_1)$
- Garbled table, one ciphertext per input combination:
  $c_{0,0} = E_{k^1_0, k^2_0}(k^3_0)$
  $c_{0,1} = E_{k^1_0, k^2_1}(k^3_0)$
  $c_{1,0} = E_{k^1_1, k^2_0}(k^3_0)$
  $c_{1,1} = E_{k^1_1, k^2_1}(k^3_1)$
- Evaluate: holding $k^1_a$ and $k^2_b$, compute $\mathrm{Dec}_{k^1_a, k^2_b}(c_{a,b}) = k^3_{a \& b}$
Semi-honest 2PC
- Garbler holds $x$, Evaluator holds $y$; both know the circuit $C(x, y) = f(x, y)$
- Garbler: $(GC, E, D) \leftarrow \mathrm{Garble}(C, sd)$ and $GI_x \leftarrow \mathrm{Encode}(x, E)$; sends $GI_x$, $GC$ and $D$ to the Evaluator
- Evaluator obtains $GI_y$ via Oblivious Transfer
- Evaluator evaluates $GC$ on $GI_x$, $GI_y$ and decodes with $D$ to obtain $f(x, y)$
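The garbled-gate construction and the semi-honest protocol above, worked through in code for the two-bit millionaires' problem from the earlier slide; this is an added example, not the speaker's code or that of any framework cited in the deck. It assumes $E_{k_1,k_2}$ is realised as an HMAC-SHA256 one-time pad keyed by both wire keys, that a zero tag lets the evaluator recognise the single row that decrypts (a simplification in place of the row-selection tricks real frameworks use), and that $GI_y$ is handed to the evaluator directly where the protocol would run oblivious transfer.

```python
import hashlib, hmac, os, random

KEY_LEN, TAG = 16, b"\x00" * 8  # constructed: a zero tag marks the one row that decrypts correctly

# Binary gate truth tables indexed [a][b]; any 2-input gate is garbled the same way as the AND gate
AND, XNOR, OR, A_NOT_B = [[0, 0], [0, 1]], [[1, 0], [0, 1]], [[0, 1], [1, 1]], [[0, 0], [1, 0]]
# Constructed 2-bit millionaires' circuit: wires 0,1 = x (LSB first), wires 2,3 = y, wire 8 = [x > y]
COMPARE = [(1, 3, 4, A_NOT_B), (1, 3, 5, XNOR), (0, 2, 6, A_NOT_B), (5, 6, 7, AND), (4, 7, 8, OR)]
N_WIRES, OUT = 9, 8

def pad(k1, k2, gate_id):
    """E_{k1,k2}: a one-time pad derived from both input-wire keys and the gate index."""
    return hmac.new(k1 + k2, gate_id.to_bytes(4, "big"), hashlib.sha256).digest()

def garble(circuit):
    """Garble(C): keys k_w^0, k_w^1 per wire; four shuffled ciphertexts c_{a,b} per gate."""
    keys = [(os.urandom(KEY_LEN), os.urandom(KEY_LEN)) for _ in range(N_WIRES)]
    gc = []
    for g, (a, b, out, table) in enumerate(circuit):
        rows = [bytes(p ^ m for p, m in zip(pad(keys[a][ia], keys[b][ib], g),
                                            keys[out][table[ia][ib]] + TAG))
                for ia in (0, 1) for ib in (0, 1)]
        random.shuffle(rows)  # hide which row belongs to which input pair (a, b)
        gc.append((a, b, out, rows))
    decode = {keys[OUT][0]: 0, keys[OUT][1]: 1}  # D: maps the two output-wire keys to bits
    return gc, keys, decode

def encode(bits, keys, wires):
    """Encode(x, E): the key k_w^{x_w} for each input wire; the key itself reveals nothing about x_w."""
    return {w: keys[w][bit] for w, bit in zip(wires, bits)}

def evaluate(gc, labels):
    """Eval(GC, GI_x, GI_y): exactly one row per gate decrypts; wire bits are never learned."""
    labels = dict(labels)
    for g, (a, b, out, rows) in enumerate(gc):
        mask = pad(labels[a], labels[b], g)
        plain = [bytes(p ^ c for p, c in zip(mask, r)) for r in rows]
        labels[out] = next(m[:KEY_LEN] for m in plain if m.endswith(TAG))
    return labels

def millionaires_2pc(x, y):
    """Semi-honest 2PC for [x > y], x and y in 0..3: garbler holds x, evaluator holds y."""
    gc, E, D = garble(COMPARE)
    gi_x = encode([x & 1, x >> 1], E, [0, 1])  # garbler encodes its own input and sends GI_x, GC, D
    gi_y = encode([y & 1, y >> 1], E, [2, 3])  # stands in for the OT through which the evaluator gets GI_y
    return D[evaluate(gc, {**gi_x, **gi_y})[OUT]]
```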
Efficiency Metrics
- Computation: cheap operations (SHA, AES, …) vs. expensive ones (exponentiations, …)
- Communication: a major challenge, especially for small devices
- Interaction: minimize coordination
- Memory usage
Limits of Standard MPC
- MPC is symmetric: all parties' work/bandwidth is similar
- MPC does not always scale: cost is proportional to circuit size, and circuits can have billions of gates
- Unavoidable overhead: crypto is expensive, e.g., public-key crypto is required
Server-Aided Model
- Introduce a server: no input or output; considerable resources; motivated by cloud services
- Assumptions: honest, semi-honest, malicious? Colludes or does not collude?
- Server involvement: is it always online? Does it know the function, the parties, …?
- Outsourcing secure multiparty computation, eprint, 2011
- Salus: a system for server-aided secure computation, ACM CCS, 2012
Honest Cloud
- Cloud is trusted with privacy of inputs/outputs and correctness of its computation
- Easy case! Each party sends his inputs to the cloud; the cloud does all the computation
- Status quo
Dishonest Cloud
- Semi-honest: trusted with correct computation, not trusted with privacy of inputs/outputs
- Malicious: not trusted with anything
1) Service Providers
- Salus [KMR12], general-purpose
- Service provider (SP) holds $y$; clients hold $x_1, x_2, x_3$
- SP and cloud have resources; clients are weak, with limited resources
- Clients do very small work
- Goal: weak clients need little work/bandwidth
2) Collaborative Computing
- Parties holding $x_1, x_2, x_3$ don't trust each other
- There is a cloud we don't necessarily trust, but it can help
- Goal: minimize the average computation of all players
- SA-PSI [KMRS13]: server-aided private set intersection
  - Scales to billion-element sets
  - Over the internet (using MS Azure)
  - 5 orders of magnitude improvement!
3) Privacy as a Service
- Offline: each party obtains a "privacy commodity" ($cd_1, cd_2, cd_3$) from the cloud
  - Independent of function/inputs/parties
  - Minor cloud involvement; the function is secret to the cloud
- Online: the parties run the computation using $(cd_i, x_i)$
- Goal: minimize online computation/bandwidth; minimize online cloud interaction
- CB-2PC for smartphones [MOR13]: implemented as an Android app; privacy commodities = app updates
Questions?
References
[AL07] Aumann and Lindell. Security against covert adversaries: Efficient protocols for realistic adversaries. TCC 2007.
[CLS09] Chow et al. Privacy-Preserving Queries over Distributed Databases. NDSS 2009.
[DCCR12] Dong et al. Fair Private Set Intersection with a Semi-trusted Arbiter. Eprint 2012.
[FR97] Franklin and Reiter. Fair exchange with a semi-trusted third party. ACM CCS 1997.
[GHS10] Gennaro et al. Automata evaluation and text search protocols with simulation based security. PKC 2010.
[GMS08] Goyal et al. Secure Two-party and Multi-party Computation against Covert Adversaries. EUROCRYPT 2010.
[HEK12] Huang et al. Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? NDSS 2012.
[HEKM11] Huang et al. Faster Secure Two-Party Computation Using Garbled Circuits. Usenix Security 2011.
[HKE12] Huang et al. Quid Pro Quo-tocols: Strengthening Semi-Honest Protocols with Dual Execution. IEEE S&P 2012.
[IP07] Ishai and Paskin. Evaluating branching programs on encrypted data. TCC 2007.
[JKSS10] Jarvinen et al. Garbled Circuits for Leakage-Resilience: Hardware Implementation and Evaluation of One-Time Programs. CHES 2010.
[KMR11] Kamara et al. Outsourcing Multiparty Computation. Eprint 2011.
[KMR12] Kamara et al. Salus: A System for Server-Aided Secure Function Evaluation. ACM CCS 2012.
[KS08] Kolesnikov and Schneider. Improved Garbled Circuit: Free XOR Gates and Applications. ICALP 2008.
[KSS12] Kreuter et al. Towards Billion-Gate Secure Computation with Malicious Adversaries. Usenix Security 2012.
[LP07] Lindell and Pinkas. An efficient protocol for secure two-party computation in the presence of malicious adversaries. Eurocrypt 2007.
[LP11] Lindell and Pinkas. Secure two-party computation via cut-and-choose oblivious transfer. TCC 2011.
[LTV12] Lopez-Alt et al. On-the-Fly Multiparty Computation on the Cloud via Multikey Fully Homomorphic Encryption. STOC 2012.
[MF06] Mohassel and Franklin. Efficiency Tradeoffs for Malicious Two-Party Computation. PKC 2006.
[MN12] Mohassel and Niksefat. Oblivious Decision Programs from Oblivious Transfer: Efficient Reductions. FC 2012.
[MNSS13] Mohassel et al. ZIDS: A Privacy-Preserving Intrusion Detection System using Secure Two-Party Computation Protocols. To appear in the Computer Journal 2013.
[MNSS12] Mohassel et al. An Efficient Protocol for Oblivious DFA Evaluation and Applications. CT-RSA 2012.
[MR13] Mohassel and Riva. More Efficient Secure Two-Party Computation Protocols Based on Cut-and-Choose. CRYPTO 2013.
[NPS99] Naor et al. Privacy Preserving Auctions and Mechanisms. EC 1999.
[NTLHB11] Narayanan et al. Location privacy via private proximity testing. NDSS 2011.
[PSSW09] Pinkas et al. Secure two-party computation is practical. Asiacrypt 2009.
[SS11] Shelat and Shen. Two-output secure computation with malicious adversaries. Eurocrypt 2011.