Presentation is loading. Please wait.

Presentation is loading. Please wait.

A System for Secure Multi-Party Computation

Published byClaud Eaton Modified over 6 years ago

Similar presentations

Presentation on theme: "A System for Secure Multi-Party Computation"— Presentation transcript:

1 A System for Secure Multi-Party Computation
FairplayMP A System for Secure Multi-Party Computation Assaf Ben-David, Hebrew University Noam Nisan, Google and Hebrew University Benny Pinkas, University of Haifa Hi, my name is Assaf Ben-David and I’m a PhD student in the Hebrew University. I’ll present the FairplayMP project which is a system for secure multi-party computation. This is a joint work with Noam Nisan and Benny Pinkas. September 22, 2018 FairplayMP

2 Secure Multi-Party Computation Why do we need it?
The Emperor wants to sell a brand new death star. The potential buyers: Desired properties: All learn who won. Only winner and seller learn how much was paid. No other information is leaked – not even the seller knows the bids! What is secure computation and why do we need it? ****************************************** Lets think of an auction, we have the seller in this example the emperor, who finally completed his brand new death star and wants to sell it. We have the potential buyers, in this example villains including a former employee. Obviously there is no trust among them at all. The desired properties of this auction are that: All learn who won but only the winner and seller learn how much was paid. No other information is leaked - not even the seller or the auctioneer should know the given bids. Note that traditional envelope style auction, does not satisfy these requirements since the seller learns all the bids. September 22, 2018 FairplayMP

3 Secure Multi-Party Computation Ideal scenario - trusted third party
Secretly pass their input Secure computation Secretly pass the output How can we carry out such an auction? In an ideal world we would have someone like Yoda, a third party that everyone trusts. ****************************************** The buyers would then tell him their bids and he would have tell them who won and also tell the winning price to the winner and seller. However, in most cases it is impossible or very expensive to have such a trusted party. The solution could be using secure computation to replace the trusted third party. September 22, 2018 FairplayMP 3 3

4 Secure Computation (aka Secure Function Evaluation – SFE)
How can we replace the third trusted party? The parties themselves must perform a joint computation, that in real life requires a trusted party. This is done using cryptographic tools Is called “secure computation” Applicable for uses like Voting, Auctions (pricing), B2B data sharing (salaries, business processes), etc. Secure computation is done by the parties themselves performing a joint computation using cryptographic tools. ****************************************** Such computation is applicable for many uses such as voting, auctions B2B data sharing etc. September 22, 2018 FairplayMP

5 Feasibility results in secure computation
Started with Yao’s seminal paper on secure two-party computation. Any function can be computed securely [Yao82,GMW87] The basic technique: Any function can be represented as a Boolean circuit or an algebraic circuit Show how each gate can be securely evaluated, and from that the entire function can be computed. Adversary models: semi-honest, malicious. Secure computation started with a seminal (SEMAINAL) paper by Yao in 1982. He defined the problem and gave a solution for two-party computation. ****************************************** The basic technique for performing secure computation is the following: any function can be represented as a Boolean circuit or an algebraic circuit. Then each gate in the circuit can be securely evaluated. Our work is about multi-party computation which is secure against semi-honest adversaries. This is a common model which assumes that the parties follow all the steps of the protocol but might try to learn as much as they can from the computation process. This model is relevant for most computation where the risk of being tagged as cheater is high. A stronger model, which we don’t discuss, is that of malicious adversaries which can behave arbitrarily. September 22, 2018 FairplayMP

6 Feasibility results in secure computation
Generic protocols for multi-party comp. GMW, BMR, CCD, BGW and more. BMR Works on a Boolean circuit. Works in a constant number of communication rounds regardless of the depth or size of the circuit, by working on all gate simultaneously. BGW Works on arithmetic circuit. Handles + operation very well, * cost one communication round. There are many protocols that describe how to carry out secure multi-party computation. I’ll focus on two protocols that were been used in our project. ****************************************** The first is the Beaver-Micali-Rogaway protocol, the BMR protocol, which works on functions represented as a Boolean circuit and runs in a constant number of communication rounds regardless of the depth or size of the circuit. The second is the Ben-Or-Goldwasser-Wigderson protocol, the BGW protocol, which works on function represented as an arithmetic circuit, where the gates implement addition and multiplication in a finite (FAINIGHT) field. In this protocol only computing multiplication gates require a communication round. I’ll expend more on these protocols later. September 22, 2018 FairplayMP

7 Implementations of secure computation
In order to use secure computation one had to read the relevant papers and implement them from scratch  Alternatively, can use current generic implementations: Fairplay [MNPS 2004]: a system for generic secure two-party computation. [LPS 2008]: A system for two-party computation secure against malicious adversaries. SIMAP [2007]: focused on auctions. Today, if one wants to implement a secure computation he or she needs to read all the relevant papers and implement the protocol from scratch. This is not easy. ****************************************** Alternatively, one can use current generic implementations of secure computation, which include: The first Fairplay project which was done by Malchi-Nisan-Pinkas-Sella and is a system for generic secure TWO-party computation. The second is a recent work by Lindell-Pinkas-Smart which is a system for two-party computation secure against malicious adversaries. The third is the SIMAP project which was done by a group led by Damgard in Orhus university and focuses specifically on auctions. Our project provides a missing piece - generic MULTI-party computation. September 22, 2018 FairplayMP

8 FairplayMP I’ll now talk on our project FairplayMP.
As you might understood already, the MP stands for Multi-Party. September 22, 2018 FairplayMP

9 Goals of FairplayMP Build a full fledged system for secure multi-party computation Can be used by everyone Check the efficiency of MPC How long does it take to run an auction? Measure the overhead of each component of the computation Check different improvements Compare different protocols We had the following goals in doing this project: ****************************************** The first and main one was to build a full fledged system for secure multi-party computation that can be used by everyone (not only cryptography experts or programmers). We also wanted to check the efficiency of multi-party computation, to see how long it takes to run an action, to know where is the computation bottlenecks and to compare between different protocols with different computation properties. …………………. September 22, 2018 FairplayMP

10 Design goals of FairplayMP
We suspected that the number of communication rounds is a major bottleneck. Prefer constant number of communication round. We wanted to use a protocol where the run time does not depend on the circuit depth. We wanted to use a Boolean circuit representation of the function. The BMR (Beaver-Micali-Rogaway) protocol satisfies all of these requirements. Here are the design goal we took when we started building FairplayMP. ****************************************** We suspected that the number of communication rounds is a major bottleneck, so we wanted a system that will minimize this number. We preferred that the system will have a constant number of communication rounds. We wanted to use a protocol where the run time does not depend on the circuit depth, but rather on the size of the circuit. We wanted to use a Boolean circuit representation of the function. We wanted that for two reasons: First, we already had a compiler and the relevant knowledge from the first Fairplay project. In addition, Boolean circuit can compute comparisons very efficiently (unlike arithmetic circuits). The BMR protocol satisfies all of these requirements. …………………………….. September 22, 2018 FairplayMP

11 FairplayMP Example The compilation paradigm
The cryptographic protocol (modified BMR) The implementation details. Experiments results I’ll now go over the FairplayMP project. I’ll start with an Example and then I’ll go over different aspects of the project. ****************************************** Here is the example: September 22, 2018 FairplayMP

12 The setting Theoretical papers assume n symmetric players
We separate players into three types Input players (IP) Computation players (CP): Emulate the trusted party Protocol is secure if less than half of CPs are corrupt. Result players (RP): learn the output A participant can have several of these roles. First, I will describe the settings in such computation. All theoretical papers assume n symmetric players. Each of them participating in all aspects of the secure computation. We decided to separate players into three types depending on the role they are taking in the computation. The first type is of Input players (IPs) which provide input to the computation. The second type is of Computation players (CPs) which perform the actual computation and emulate the trusted third party. The protocol is secured against any minority of these players. The third type is of Result players (RPs) which learn an output from the computation. A participant can have several of these roles. If all participant take all three rolls we get the original setting of n symmetric players. September 22, 2018 FairplayMP

13 Example Input players (IP): Result players (RP):
So, back to our example. We have the buyers as input players. The buyers and the auctioneer are the result players since they all learn something from the computation. And we can have any setting we want for the Computation players. ****************************************** For example the computation players can be all the buyers, or two buyers and the auctioneer. Or any other group we define. We will continue with this setting. Computation players (CP): September 22, 2018 FairplayMP 13 13

14 FairplayMP – system overview Step 1: The settings
One writes the function to evaluate (using high level language) and a config.xml file with the basic computation settings. The first step is the settings, in which one writes the function that needs to be evaluated, in our case this is a second price action. One also writes a config.xml file with the basic computation settings such as the IP addresses of the participants. All participants should have these files and since these are only text files it’s easy to ensure that everything there is as it should be. ****************************************** All the participates then compile the program using our FairplayMP compiler to obtain a low level representation of a Boolean circuit. Compile the program using the FairplayMP compiler to receive a low level representation of a Boolean circuit. September 22, 2018 FairplayMP

15 FairplayMP – system overview Step 2a: Creating the circuit
IPs share the input using the BGW protocol CPs create a garbled circuit from the circuit according to the BMR protocol Now in the first part of the computation step the input players share their input using the BGW protocol. ****************************************** The computation players then use that input with the description of the Boolean circuit to create a garbled circuit according to the BMR protocol. September 22, 2018 FairplayMP

16 FairplayMP – system overview Step 2b: Evaluating the circuit
CPs send the garbled circuit to the RPs Finally, the computation players send the garbled circuit to the result players ****************************************** The result players then h evaluate it to receive their output. The system supports providing a different output for different players. The garbled circuit is evaluated by the RPs. (The system can provide different players with different outputs). September 22, 2018 FairplayMP

17 FairplayMP Example The compilation paradigm
The cryptographic protocol (modified BMR) The implementation details. Experiments results The compilation paradigm September 22, 2018 FairplayMP

18 The compilation paradigm
As in Fairplay Programs are written in SFDL 2.0 A high-level Secure Function Definition Language. Describing the function that would have been evaluated by a trusted party. Inputs and outputs from/to multiple parties. SFDL programs are translated to SHDL Secure Hardware Definition Language describing Boolean circuits. Our compilation paradigm is the same as in the first Fairplay project. ****************************************** The functions are written in a high level language called SFDL 2.0, which is an extended version of the first SFDL language used in Fairplay, and supports multi-party computation. When one writes the function he or she should only write what the trusted third party must evaluate, without worrying about implementation details. The SFDL program is then translated to an SHDL file which is a representation of a Boolean circuit. September 22, 2018 FairplayMP

19 SFDL example Part 1: Type definition.
/** * Performs a 2nd price auction between 5 bidders. * At the end only the winning bidder and the seller * know the identity of the winner * Everyone knows the 2nd highest price, * Nothing else is known to anyone. **/ program SecondPriceAuction { const nBidders = 5; type Bid = Int<4>; // enough bits for a small bid. type WinningBidder = Int<4>; // enough bits to represent a winner type SellerOutput = struct{WinningBidder winner, Bid winningPrice}; type Seller = struct{SellerOutput output}; // Seller has no input type BidderOutput = struct{Boolean win, Bid winningPrice}; type Bidder = struct{Bid input, BidderOutput output}; For example, we have here an SFDL program describing a second price auction between 5 bidders. An SFDL program contains two parts. The header declarations and the function definitions. I’ll start with the header declarations. ****************************************** you can define consts, in this case the number of bidders. Types of simple primitive and structs of previously defined types. The input and result players must be define as a struct with the key words input or output (or both) describing their inputs or outputs. September 22, 2018 FairplayMP

20 SFDL example Part 2: The main function.
function void main(Seller seller, Bidder[nBidders] bidder) { var Bid high = bidder[0].input, Bid second = 0; var WinningBidder winner = 0; // Making the auction. for(i=1 to nBidders-1) { if(bidder[i].input > high) { winner = i; second = high; high = bidder[i].input; } else if(bidder[i].input > second) second = bidder[i].input; } // Setting the result. seller.output.winner = winner; seller.output.winningPrice = second; for(i=0 to nBidders-1) { bidder[i].output.win = (winner == i); bidder[i].output.winningPrice = second; }}} This is the function definitions part. ****************************************** The main function is the first to be evaluated. It receives the input players and result players as arguments. Here we have one seller and nBidders bidders. To design this auction for more then 5 bidders one can just change the const nBidders and recompile the program to receive the new Boolean circuit representation. There are regular variables definition of previously defined types. Here you can see how the input property of Bidder 0 is used to initialize a variable. There are the regular “for”, and “if” commands. Eventually the output should be assigned, in this example we assign the identity of the winner and the price to the output of the seller. As you can see the language is very simple. It is easy to write an auction or any other program in this language, defiantly easier than writing a Boolean circuit with AND and OR gates. September 22, 2018 FairplayMP

21 SHDL properties Each line is a circuit component, i.e.:
Input and output definition. A Boolean gate (of arity 2) with a given truth-table, input wires number and output wire number. FMT - Input: bidder[0],input,0,1,2,3,4,5,6,7 bidder[1],input,8,9,10,11,12,13,14,15 Gates: 40, ,9,8 41, ,9,8 FMT - Output: seller,output.winner,595,596,510 seller,output.winningPrice,573,576 This program is then compiled into a low level Boolean circuit representation. Each line is input or output definition or a gate with arity 2. ****************************************** For example the input of Bidder 0 consists of wires 0-7 an AND gate with input wires 9 and 8 and the output wire 40 And the output.winner field of the player seller is the wires 595,596,510 September 22, 2018 FairplayMP

22 FairplayMP Example The compilation paradigm The cryptographic protocol
The implementation details Experiments results The cryptographic protocol. September 22, 2018 FairplayMP

23 Properties of the BMR protocol
Implements secure multiparty computation over a Boolean circuit. Works on all the gates simultaneously. Works in a constant number of communication rounds, regardless of the size or depth of the Boolean circuit. First I’ll talk a bit about the BMR protocol which is the basis for our implementation. It implements a secure multiparty computation over a Boolean circuit, it does that by working on all the gates simultaneously and it works in a constant number of communication rounds regardless of the size or depth of the Boolean circuit. September 22, 2018 FairplayMP

24 The BMR protocol Two random seeds (garbled values) are set for every wire of the Boolean circuit: Each seed is a concatenation of seeds generated by each of the players and secretly shared among them. The true value of each wire is concealed using XOR with a secret shared random bit. Therefore it is unknown which seed corresponds to a 0 or 1 value. The BMR protocol assigns two random seeds for every wire. One for the value 0 and the other for the value 1. Those seeds are secretly shared among the players. ****************************************** Also, for each wire a random bit is assigned to conceal the true value of the wire. Therefore the zero seed of a wire doesn’t necessarily represent the value 0. September 22, 2018 FairplayMP

25 The BMR protocol The parties securely compute together a 4x1 table for every gate: Given 0/1 seeds of the input wires, the table reveals the seed of the resulting value of the output wire. Given the tables, and seeds of the input values, it is easy to compute the circuit output. This is done gate by gate, until the final output is recovered. The parties then build a 4 on 1 table for each gate. The table hides the output seed of the gate using the input seed of the gate. For example, for an AND gate the output seed 0 will be concealed 3 times, using the input values 00,01,10. The output seed 1 will be concealed only once using the input values 11. ****************************************** Given the table and the seed of the input wires it is easy to reveal the desired output seed and only it! There are more technical details for this construction, they can be read in both the BMR paper and ours. September 22, 2018 FairplayMP

26 The BGW protocol Implements a secure multi-party computation over an arithmetic circuit, based on Shamir’s secret sharing. Additions (+) come for “free”. Number of communication rounds depends on the depth of multiplications (*) in the circuit. Now a bit about the BGW protocol. This protocol uses the Shamir’s secret sharing scheme to implement secure multiparty computation over an arithmetic circuit. In this protocol additions cost nothing and multiplications cost one communication rounds. This means that the number of communication rounds needed in this protocol depends on the depth of the circuit, excluding the addition gates (only the multiplication gates count in that aspect). September 22, 2018 FairplayMP

27 The protocol used by FairplayMP
Simplified version of the BMR protocol joined with the BGW protocol. Handles only semi-honest adversaries. Improvements over the BMR protocol: Only computation players (CPs) generate the tables. IPs provide seeds corresponding to inputs. RPs alone evaluate the circuit and learn output. The protocol we implemented in FairplayMP is a modified version of the BMR protocol using the BGW protocol. ****************************************** We separated the players according to their type, to deal only with their part of the computation. September 22, 2018 FairplayMP

28 Improvements to the BMR construction
The BMR protocol can use any secure MPC protocol for constructing gate tables This step is the major performance bottleneck! We mask gate entries using addition in a large finite field instead of exclusive-or. Can therefore compute tables using the BGW protocol rather than a protocol based on bit operations. The BMR protocol require a secure and secret collective coin flipping We use a recent efficient protocol [DFKNT 05], which is also based on the BGW protocol. Our main improvement to the BMR protocol is to change the computation to work over a finite (FAINIGHT) field. BMR used exclusive-or to mask the table entries. We replace it with addition in a finite filed. This allows us to use the BGW protocol for constructing the table and also use an efficient protocol for collective coin flipping by . These steps in the original BMR protocol were a major performance bottleneck! Before we thought of this improvement we didn’t believe that an implementation of BMR would run in a reasonable time. Our protocol is unique in combining both arithmetic and Boolean circuit representations, and using each one where it is most efficient. September 22, 2018 FairplayMP

29 FairplayMP Example The compilation paradigm
The cryptographic protocol (modified BMR) The implementation details Experiments results The implementation details September 22, 2018 FairplayMP

30 The implemented protocol
FairplayMP is implemented in Java for readability and easy cross-platform usage. Five packages (~2000 code lines): circuit – An interface that allows to use different representation of circuits. communication - Basic Client/Server, msg. config – Allows simple configuration via code along with configuration via config.xml file. players – Implementation of the protocol steps for each of the players (IP, CP, RP). utils – Implementation of BGW and PRG. FairplayMP is implemented in Java for two main reasons: The first reason is make it easy to read especially for academic people. Second it is a cross-platform language. ****************************************** The implementation has 5 modular packages with around 2000 lines of code. The circuit package contains the circuit interface. This means that it is easy to use other representations of Boolean circuits with the FairplayMP computation paradigm. The communication package contains simple client/server implementation and the definition of msg, again if one has a better msg representation (for example the Google protocol-buffer) it’s easy to use it instead of ours. The config package – allows simple configuration of the project. The players package – contains implementation of the three types of players according to our protocol, all implements a player interface and run in there own thread to insure no bottlenecks. The utils package – has the implementation of the BGW protocol and PRG. September 22, 2018 FairplayMP

31 FairplayMP Example The compilation paradigm
The cryptography protocol (BMR) The implementation details Experiments results The experiments results September 22, 2018 FairplayMP

32 Experiments The results are in milliseconds.
The results are the average computation run time between all computation players over 3 different runs. The tests were run over a full binary tree like circuit: All the results are in milliseconds and are the average of the computation run time between all computation players over 3 different runs. The tests were run over a full binary tree like circuit as you can see in the picture. September 22, 2018 FairplayMP

33 Experiments The effect of the size
CP’s: This is the basic run time of a full binary tree circuit with different size and different number of computation players. As you can see the run time is linear in the circuit size. September 22, 2018 FairplayMP

34 Experiments The effect of the size
CP’s: In this experiment, we took the auction example you saw before, compiled it to get a circuit with 400 gates and run it using 5 computation players. The run time falls exactly on the graph, it is almost identical to that of a full binary tree with the same number of gates. It shows that the run time only depends on the setting and the circuit size and not on the actual computed function. September 22, 2018 FairplayMP

35 Experiments The effect of the depth
In this experiment we actually have two lines, the first is the runtime for a full binary tree from the first slide and the second is a run time of a circuit constructed as a line, whose depth is equal to the number of gates (you can see it in the picture). As you can see the runtime of the two circuits is practically identical which proves that it is not affected by the depth of the circuit. This property is unique to the BMR protocol. Any other multi-party protocol would have perform worse for the line type circuit. September 22, 2018 FairplayMP

36 Experiments The effect of a weak machine
In the last experiment we took the run time from the first slide and replaced one of the computation machines with a very weak machine. The runtime of all the machines was slowed down since for each communication round they all had to wait for the slow computer to finish. This experiment supports our assumption that the number of communication round is a major bottleneck. September 22, 2018 FairplayMP

37 FairplayMP – Summary. FairplayMP is a full system for generic secure multi-party computation with constant number of communication rounds. Functions are written in an easy to use high level language. The system can be download from the project web site: For conclusion. We presented FairplayMP project which is an easy to use full fledge system for generic multi-party computation that works in constant number of communication rounds. The system can be downloaded from the project web site. September 22, 2018 FairplayMP

38 Thank you Questions? Thank you. Questions? September 22, 2018
FairplayMP

Download ppt "A System for Secure Multi-Party Computation"

Similar presentations

Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Agenda Definitions Evolution of Programming Languages and Personal Computers The C Language.

Agenda Definitions Evolution of Programming Languages and Personal Computers The C Language.
Joe Kilian NEC Laboratories, America Aladdin Workshop on Privacy in DATA March 27, 2003.

Joe Kilian NEC Laboratories, America Aladdin Workshop on Privacy in DATA March 27, 2003.
Secure Computation Slides stolen from Joe Kilian & Vitali Shmatikov Boaz Barak.

Secure Computation Slides stolen from Joe Kilian & Vitali Shmatikov Boaz Barak.
Secure Computation of Linear Algebraic Functions

Secure Computation of Linear Algebraic Functions
Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.

Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.
Nash’s Theorem Theorem (Nash, 1951): Every finite game (finite number of players, finite number of pure strategies) has at least one mixed-strategy Nash.

Nash’s Theorem Theorem (Nash, 1951): Every finite game (finite number of players, finite number of pure strategies) has at least one mixed-strategy Nash.
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
The Assembly Language Level

The Assembly Language Level
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Oblivious Transfer (OT) Alice (sender) has n secrets Alice wants to give k secrets to Bob Bob wants the secrets but does not want Alice to know which secrets.

Oblivious Transfer (OT) Alice (sender) has n secrets Alice wants to give k secrets to Bob Bob wants the secrets but does not want Alice to know which secrets.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.

Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
Oblivious Transfer based on the McEliece Assumptions

Oblivious Transfer based on the McEliece Assumptions
1 Analysis of the Linux Random Number Generator Zvi Gutterman, Benny Pinkas, and Tzachy Reinman.

1 Analysis of the Linux Random Number Generator Zvi Gutterman, Benny Pinkas, and Tzachy Reinman.
Chapter 10-Arithmetic-logic units

Chapter 10-Arithmetic-logic units
1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.

1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.

Similar presentations

Ads by Google