Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Verified DSL for MPC in

Published bySylvaine Audy Modified over 6 years ago

Similar presentations

Presentation on theme: "A Verified DSL for MPC in"— Presentation transcript:

1 A Verified DSL for MPC in
Aseem Rastogi Microsoft Research India (Computer Aided Security Proofs, Aarhus, Denmark)

2 Secure Multi-party Computation (MPC)
General n-party cryptographic protocols Compute f(x1, x2, x3) Without revealing inputs Input: x2 Encrypted msgs Input: x1 Input: x3 Circuit representation of f

3 Secure Multi-party Computation (MPC)
General n-party cryptographic protocols Compute f(x1, x2, x3) Without revealing inputs Input: x2 f(x1, x2, x3) Input: x1 Input: x3 Circuit representation of f

4 Wide ranging applications of MPC
Auctions Online ads Statistical computations over joint data Location privacy, and many more

5 How should we program MPC
What programming interface (API) to use Requirements: Should be high-level Should simplify reasoning about the programs *We consider only honest-but-curious threat model

6 MPC frameworks Circuit libraries Circuit compilers Too low-level
let g1 = Gate (AND, w1, w2) in let g2 = Gate (XOR, w2, w3) in Too low-level let r = x + y + z in Only monolithic circuit code What about normal computations around it ?

7 Unoptimized vs optimized median
Joint median computation (x1, x2) (y1, y2) Assume: x1 < x2 y1 < y2 Distinct (x1, x2, y1, y2) let b = compare x1 y1 in let x3 = b ? x2 : x1 in let y3 = b ? y1 : y2 in smaller x3 y3 Instead of median, do PSI ? Do median, then say ad placement is PSI, and this is how PSI looks like. Non trivial about Poker. let b = do_sec (compare, x1) in let x3 = b ? x2 : x in do_sec (smaller, x3) let b = do_sec (compare, y1) in let y3 = b ? y1 : y in do_sec (smaller, y3)

8 Writing one program for each party
Joint median computation (x1, x2) (y1, y2) Assume: x1 < x2 y1 < y2 Distinct (x1, x2, y1, y2) let b = do_sec (compare, x1) in let x3 = b ? x2 : x in do_sec (smaller, x3) let b = do_sec (compare, y1) in let y3 = b ? y1 : y in do_sec (smaller, y3) Not scalable Chances of errors, no tool support to catch them Reasoning about some program property as a whole is hard

9 Key Idea MPC Specific computation pattern
Parties compute their programs, and Synchronize at secure computations We use this insight to design a better MPC language

10 Wysteria: DSL for Programming MPC
A new high-level MPC language Supports n-party generic applications Wysteria programs are: written like regular single-threaded programs, and executed in a distributed, multi-party setting SIMD analogy, mention it … Third bullet -> implemented as a DSL embedded in F* > Mechanically verified toolchain, and enables formal verification of MPC programs

11 Key Idea of Wysteria We could write it in a single program
let b = do_sec (compare, x1) in let x3 = a ? x2 : x1 in do_sec (smaller, x3) let b = as_sec {A, B} (compare x1 y1) in let x3 = as_par {A} (b ? x2 : x1) in let y3 = as_par {B} (b ? y1 : y2) in as_sec {A, B} (smaller x3 y3) let b = do_sec (compare, y1) in let y3 = a ? y1 : y2 in do_sec (smaller, y3) as_par and as_sec are two of the API functions exported by Wysteria {A}, {B}, {A, B} are party sets

12 Wysteria computational model
let b = as_sec {A, B} (compare x1 y1) in let x3 = as_par {A} (b ? x2 : x1) in let y3 = as_par {B} (b ? y1 : y2) in as_sec {A, B} (smaller x3 y3) let b = as_sec {A, B} (compare x1 y1) in let x3 = as_par {A} (b ? x2 : x1) in let y3 = as_par {B} (b ? y1 : y2) in as_sec {A, B} (smaller x3 y3) let b = as_sec {A, B} (compare x1 y1) in let x3 = as_par {A} (b ? x2 : x1) in let y3 = as_par {B} (b ? y1 : y2) in as_sec {A, B} (smaller x3 y3) let b = as_sec {A, B} (compare x1 y1) in let x3 = as_par {A} (b ? x2 : x1) in let y3 = as_par {B} (b ? y1 : y2) in as_sec {A, B} (smaller x3 y3) Every party runs the same program as_par ps e – parties in ps perform e “locally, in-parallel” as_sec ps e – parties in ps perform e “jointly, using MPC”

13 Wysteria computational model
let b = as_sec {A, B} (compare x1 y1) in let x3 = as_par {A} (b ? x2 : x1) in let y3 = as_par {B} (b ? y1 : y2) in as_sec {A, B} (smaller x3 y3) let b = as_sec {A, B} (compare x1 y1) in let x3 = as_par {A} (b ? x2 : x1) in let y3 = as_par {B} (b ? y1 : y2) in as_sec {A, B} (smaller x3 y3) Every party runs the same program as_par ps e – parties in ps perform e “locally, in-parallel” as_sec ps e – parties in ps perform e “jointly, using MPC”

14 Wysteria computational model
let b = as_sec {A, B} (compare x1 y1) in let x3 = as_par {A} (b ? x2 : x1) in let y3 = as_par {B} (b ? y1 : y2) in as_sec {A, B} (smaller x3 y3) let b = as_sec {A, B} (compare x1 y1) in let x3 = as_par {A} (b ? x2 : x1) in let y3 = as_par {B} (b ? y1 : y2) in as_sec {A, B} (smaller x3 y3) Every party runs the same program as_par ps e – parties in ps perform e “locally, in-parallel” as_sec ps e – parties in ps perform e “jointly, using MPC”

15 Wysteria computational model
let b = as_sec {A, B} (compare x1 y1) in let x3 = as_par {A} (b ? x2 : x1) in let y3 = as_par {B} (b ? y1 : y2) in as_sec {A, B} (smaller x3 y3) let b = as_sec {A, B} (compare x1 y1) in let x3 = as_par {A} (b ? x2 : x1) in let y3 = as_par {B} (b ? y1 : y2) in as_sec {A, B} (smaller x3 y3) Every party runs the same program as_par ps e – parties in ps perform e “locally, in-parallel” as_sec ps e – parties in ps perform e “jointly, using MPC”

16 Wysteria computational model
let b = as_sec {A, B} (compare x1 y1) in let x3 = as_par {A} (b ? x2 : x1) in let y3 = as_par {B} (b ? y1 : y2) in as_sec {A, B} (smaller x3 y3) let b = as_sec {A, B} (compare x1 y1) in let x3 = as_par {A} (b ? x2 : x1) in let y3 = as_par {B} (b ? y1 : y2) in as_sec {A, B} (smaller x3 y3) Every party runs the same program as_par ps e – parties in ps perform e “locally, in-parallel” as_sec ps e – parties in ps perform e “jointly, using MPC”

17 Wysteria advantages over previous work
let b = as_sec {A, B} (compare x1 y1) in let x3 = as_par {A} (b ? x2 : x1) in let y3 = as_par {B} (b ? y1 : y2) in as_sec {A, B} (smaller x3 y3) One, single-threaded program, scalable Design precludes a whole class of errors Do examples here. PSI. Poker. It’s written in F*, and it’s all verified. With each example, say what you proved about it. Higher assurance (Formal verification?)

18 Unoptimized vs optimized median
as_sec {A, B} let b = compare x1 y1 in let x3 = b ? x2 : x1 in let y3 = b ? y1 : y2 in smaller x3 y3 Unoptimized median let b = as_sec {A, B} (compare x1 y1) in let x3 = as_par {A} (b ? x2 : x1) in let y3 = as_par {B} (b ? y1 : y2) in as_sec {A, B} (smaller x3 y3) Optimized median (runs faster) Instead of median, do PSI ? Do median, then say ad placement is PSI, and this is how PSI looks like. Non trivial about Poker. Optimized version reveals more, by design Is it secure ? Does it leak more than the unoptimized one ?

19 Formal verification of Wysteria programs
Wysteria is implemented as a DSL in F* Wysteria programs are simply F* programs Programmers can use F* facilities to verify MPC programs

20 Sample Code for Median (In emacs)

21 Formally verifying the median properties
as_sec {A, B} let b = compare x1 y1 in let x3 = b ? x2 : x1 in let y3 = b ? y1 : y2 in smaller x3 y3 Unoptimized median let b = as_sec {A, B} (compare x1 y1) in let x3 = as_par {A} (b ? x2 : x1) in let y3 = as_par {B} (b ? y1 : y2) in as_sec {A, B} (smaller x3 y3) Optimized median (runs faster) Instead of median, do PSI ? Do median, then say ad placement is PSI, and this is how PSI looks like. Non trivial about Poker. Both versions compute the correct median Optimized one does not leak more than the unoptimized one (Security verified in the idealized crypto model)

22 Wysteria metatheory Formalize two semantics C C’ π π’
Single-threaded semantics (Wysteria semantics in F*) Distributed semantics (for running the programs) Define a slice relation that relates a single-threaded configuration to its multi-party protocol Soundness theorem single-threaded termination * C C’ slices to * π π’ protocol termination

23 Wysteria metatheory Formalize two semantics
Single-threaded semantics (Wysteria semantics in F*) Distributed semantics (for running the programs) Define a slice relation that relates a single-threaded configuration to its multi-party protocol Soundness theorem Properties verified in the source carry over when the programs are run in the distributed semantics Theorem mechanically verified in F*

24 Sample Code for Metatheory
(In emacs)

25 Wysteria toolchain GMW is an MPC crypto protocol We use GMW implementation from Choi et. al. Interpreter converts as_sec code to boolean circuits dynamically

Download ppt "A Verified DSL for MPC in"

Similar presentations

Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.

Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.
Individual Position Slides: Jonathan Katz (University of Maryland) (Apologies I can’t be here in person)

Individual Position Slides: Jonathan Katz (University of Maryland) (Apologies I can’t be here in person)
Henry C. H. Chen and Patrick P. C. Lee

Henry C. H. Chen and Patrick P. C. Lee
Simplified Gated Assignment Surinder Jain Supervisor : Bernhard Scholz Assignment 3 – INFO5993.

Simplified Gated Assignment Surinder Jain Supervisor : Bernhard Scholz Assignment 3 – INFO5993.
Wysteria: A Programming Language for Generic, Mixed-Mode Multiparty Computations Aseem Rastogi Matthew Hammer, Michael Hicks (University of Maryland, College.

Wysteria: A Programming Language for Generic, Mixed-Mode Multiparty Computations Aseem Rastogi Matthew Hammer, Michael Hicks (University of Maryland, College.
1 Dependent Types for Termination Verification Hongwei Xi University of Cincinnati.

1 Dependent Types for Termination Verification Hongwei Xi University of Cincinnati.
A Dynamic World, what can Grids do for Multi-Core computing? Daniel Goodman, Anne Trefethen and Douglas Creager

A Dynamic World, what can Grids do for Multi-Core computing? Daniel Goodman, Anne Trefethen and Douglas Creager
Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu

Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu
The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI 297 5.31.2005.

The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI
CLF: A Concurrent Logical Framework David Walker Princeton (with I. Cervesato, F. Pfenning, K. Watkins)

CLF: A Concurrent Logical Framework David Walker Princeton (with I. Cervesato, F. Pfenning, K. Watkins)
On the Correctness of Model Transformations Gabor Karsai ISIS/Vanderbilt University.

On the Correctness of Model Transformations Gabor Karsai ISIS/Vanderbilt University.
Automatic Implementation of provable cryptography for confidentiality and integrity Presented by Tamara Rezk – INDES project - INRIA Joint work with: Cédric.

Automatic Implementation of provable cryptography for confidentiality and integrity Presented by Tamara Rezk – INDES project - INRIA Joint work with: Cédric.
1 CHAPTER 4 LANGUAGE/SOFTWARE. 2 3-1 Hardware Hardware is the machine itself and its various individual equipment. It includes all mechanical, electronic.

1 CHAPTER 4 LANGUAGE/SOFTWARE Hardware Hardware is the machine itself and its various individual equipment. It includes all mechanical, electronic.
Information-Theoretic Security and Security under Composition Eyal Kushilevitz (Technion) Yehuda Lindell (Bar-Ilan University) Tal Rabin (IBM T.J. Watson)

Information-Theoretic Security and Security under Composition Eyal Kushilevitz (Technion) Yehuda Lindell (Bar-Ilan University) Tal Rabin (IBM T.J. Watson)
CS527: (Advanced) Topics in Software Engineering Overview of Software Quality Assurance Tao Xie ©D. Marinov, T. Xie.

CS527: (Advanced) Topics in Software Engineering Overview of Software Quality Assurance Tao Xie ©D. Marinov, T. Xie.
How to play ANY mental game

How to play ANY mental game
SPAR-MPC Day 1 Breakout Sessions Emily Shen 29 May 2014.

SPAR-MPC Day 1 Breakout Sessions Emily Shen 29 May 2014.
1. 2 Preface In the time since the 1986 edition of this book, the world of compiler design has changed significantly 3.

1. 2 Preface In the time since the 1986 edition of this book, the world of compiler design has changed significantly 3.
Semantics In Text: Chapter 3.

Semantics In Text: Chapter 3.
Lecture 5 1 CSP tools for verification of Sec Prot Overview of the lecture The Casper interface Refinement checking and FDR Model checking Theorem proving.

Lecture 5 1 CSP tools for verification of Sec Prot Overview of the lecture The Casper interface Refinement checking and FDR Model checking Theorem proving.

Similar presentations

Ads by Google