1. Knowledge Inference for Optimizing Secure Multi-party Computation
Aseem Rastogi
Piotr (Peter) Mardziel Michael Hicks Matthew Hammer

2. Secure Computation A B Without revealing A to Bob and B to Alice
Compute f(A, B)
Without revealing A to Bob and B to Alice
12/4/2018

3. Using a Trusted Third PartyB
f(A, B)
f(A, B) A B
Compute f(A, B)
Without revealing A to Bob and B to Alice
12/4/2018

4. Secure Computation ProtocolsB
f(A, B)
Cryptographic Protocol A B
Compute f(A, B)
Without revealing A to Bob and B to Alice
12/4/2018

5. Example – Joint Median Computation
{ A1, A2 }, { B1, B2 } Assume: A1 < A2 and B1 < B2 and Distinct(A1, A2, B1, B2) a = A1 ≤ B1; b = a ? A2 : A1; c = a ? B1 : B2; d = b ≤ c; output = d ? b : c;
12/4/2018

6. Example – Joint Median Computation
a = A1 ≤ B1;
b = a ? A2 : A1;
c = a ? B1 : B2;
d = b ≤ c;
output = d ? b : c;
Secure Computation
12/4/2018

7. Performance Optimization
Cryptographic protocols prohibitively expensive
Performance Optimization [F. Kerschbaum, CCS’11]
Parties can infer some intermediate values eventually
Once they know the output
Revealing these early does not compromise security*
Offload computation over known data to local hosts
* In a semi-honest (honest-but-curious) threat model
12/4/2018

8. Questions For a Secure Multi-party Computation (SMC) program:
Can we infer which variables are known to a party ?
Can we infer an evidence for a party’s knowledge of a variable
12/4/2018

9. Contributions Formalization of knowledge Knowledge inference algorithm
Formalize what it means for a party p to know a variable x
Knowledge inference algorithm
Algorithm to infer if p knows x
Proof of soundness and completeness
Constructive knowledge inference algorithm
Algorithm to construct an evidence of p’s knowledge of x
Proof of soundness and completeness
12/4/2018

10. Median Example – Analysis
a = A1 ≤ B1;
Alice and bob know a and d
b = a ? A2 : A1;
c = a ? B1 : B2;
d = b ≤ c;
output = d ? b : c;
12/4/2018

11. Median Example – Analysis from Bob’s Perspective
a = A1 ≤ B1;
d = (output ≠ B1 Ʌ output ≠ B2) Recall: Distinct(A1, A2, B1, B2)
b = a ? A2 : A1;
a = true
b = A2
c = B1
d = true
output = A2
d = false
output = B1
a = false
b = A1
c = B2
output = A1
output = B2
A1 ≤ B1 ∧ A2 ≤ B1
A1 ≤ B1 ∧ A2 > B1
A1 > B1 ∧ A2 ≤ B1
A1 > B1 ∧ A2 > B1
a = (output ≤ B1) Recall: B1 < B2
c = a ? B1 : B2;
d = b ≤ c;
output = d ? b : c;
12/4/2018

12. Optimized Joint Median Computation
a = A1 ≤ B1;
b = a ? A2 : A1;
c = a ? B1: B2;
d = b ≤ c;
output = d ? b : c; d d
Secure Computation
12/4/2018

13. Formalization of Knowledge
Party p knows x if:
x can be uniquely determined by p’s inputs I and outputs O
Two program executions that agree on I and O, also agree on x
12/4/2018

14. Knowledge in Median Example
Let states σ map program variables to values
a = A1 ≤ B1;
b = a ? A2 : A1;
c = a ? B1 : B2;
d = b ≤ c;
output = d ? b : c;
Bob knows a, if for all final states σ1 and σ2 s.t.
σ1[B1] = σ2[B1],
σ1[B2] = σ2[B2], and
σ1[output] = σ2[output],
we have,
σ1[a] = σ2[a]
12/4/2018

15. Knowledge Inference Algorithm
Compute postcondition of the program
Sound approximation of final program states
12/4/2018

16. Example Postcondition for Median
a = A1 ≤ B1;
b = a ? A2 : A1;
c = a ? B1 : B2;
d = b ≤ c;
output = d ? b : c;
ϕ1 = (A1 ≤ B1) ∧(a = true) ∧(b = A2)∧(c = B1)∧(b ≤ c)∧(d = true)∧(output = b)
ϕ2 = (A1 ≤ B1) ∧(a = true) ∧(b = A2)∧(c = B1)∧(b > c)∧(d = false)∧(output = c)
ϕ3 = …, ϕ4 = …
φmedian = ϕ1 V ϕ2 V ϕ3 V ϕ4
12/4/2018

17. Knowledge Inference Algorithm
Recall: we need to prove a property of any two program runs
Compute postcondition of the program
Use self-composition to simulate two program runs
12/4/2018

18. Self Composed Median Example
a = A1 ≤ B1;
b = a ? A2 : A1;
c = a ? B1 : B2;
d = b ≤ c;
output = d ? b : c;
φself-composed = φmedian ∧ φ’median
a’ = A’1 ≤ B’1;
b’ = a’ ? A’2 : A’1;
c’ = a’ ? B’1 : B’2;
d’ = b’ ≤ c’;
output’ = d’ ? b’ : c’;
12/4/2018

19. Knowledge Inference Algorithm
Compute postcondition of the program
Use self-composition to simulate two program runs
Derive knowledge formula and solve using SMT solver
12/4/2018

20. Deriving Knowledge Formula
a = A1 ≤ B1;
b = a ? A2 : A1;
c = a ? B1 : B2;
d = b ≤ c;
output = d ? b : c;
Does Bob know a ?
φmedian ∧ φ’median
a’ = A’1 ≤ B’1;
b’ = a’ ? A’2 : A’1;
c’ = a’ ? B’1 : B’2;
d’ = b’ ≤ c’;
output’ = d’ ? b’ : c’;
∧ B1 = B’1 ∧ B2 = B’2
∧ output = output’
⇒ a = a’
12/4/2018

21. Solving Using SMT Solver
φmedian ∧ φ’median∧ A1 = A’1 ∧ A2 = A’2∧ output = output’ ⇒ a = a’
Valid ?
Depending on completeness of postconditions
SMT Solver
Yes No
Bob knows a
Bob may / does not know a
12/4/2018

22. Properties of Knowledge Inference
Soundness
If algorithm returns p knows x, then p and x satisfy the formal definition of knowledge
Completeness
If p and x satisfy the formal definition of knowledge, then algorithm returns p knows x
Loop-free language (SMCs do not admit loops)
12/4/2018

23. Constructive Knowledge Inference
Infer an evidence for p’s knowledge of x
Evidence is a formula for x in terms of p’s input and output variables
12/4/2018

24. Constructive Knowledge Inference Algorithm
Formulate knowledge as an invariant of the program
Use template based verification to infer the invariant (Srivastava et. al., PLDI’09)
12/4/2018

25. Setting up Constructive Knowledge Inference
Does Bob know a ?
(A1 < A2 ∧ B1 < B2 ∧ Distinct(A1, A2, B1, B2))
a = A1 ≤ B1;
b = a ? A2 : A1;
c = a ? B1 : B2;
d = b ≤ c;
Variables in τ ϵ { B1, B2, output }
output = d ? b : c;
assert(a = τ)
12/4/2018

26. Setting up Constructive Knowledge Inference
Does Bob know a ?
(A1 < A2 ∧ B1 < B2 ∧ Distinct(A1, A2, B1, B2))
a = A1 ≤ B1;
Candidate predicates for τ:
b = a ? A2 : A1;
c = a ? B1 : B2;
d = b ≤ c;
{ v1 op v2 | v1, v2 ϵ { B1, B2, output }, op ϵ { <, ≤, >, ≥, =, ≠ } }
output = d ? b : c;
assert(a = τ)
12/4/2018

27. Constructive Knowledge Inference Algorithm
Derived from template-based verification
Given (m, n), searches solutions in DNF(m, n)
Efficient search: O(|Q|m + |Q|n) queries to SMT solver
As opposed to naïve O(|Q|mn)
12/4/2018

28. Constructive Knowledge Inference for Median
a = A1 ≤ B1;
b = a ? A2 : A1;
c = a ? B1 : B2;
d = b ≤ c;
output = d ? b : c;
φpre = A1 < A2 ∧ B1 < B2 ∧ Distinct(A1, A2, B1, B2)
a = output ≥ A1 (for Alice)
a = output ≤ B1 (for Bob)
d = output = A1 V output = A2 (for Alice)
d = output ≠ B1 Ʌ output ≠ B2 (for Bob)
12/4/2018

29. Properties of Constructive Knowledge Inference
Soundness
If algorithm infers a formula τ for party p and variable x, then x = τ at the end of the program
Moreover, p can compute τ from its inputs and outputs
Completeness
Similar to the completeness of verification techniques
If a solution τ exists in the template structure, our algorithm finds it
12/4/2018

30. Connection to Information Flow Declassification Policies
Knowledge Inference similar to deciding delimited release [Sabelfeld et. al., ISSS’04]
Constructive knowledge inference similar to deciding required release [S. Chong, CSF‘10]
See our paper for more details !
12/4/2018

31. Contributions Formalization of knowledge Knowledge inference algorithm
Formalize what it means for a party p to know a variable x
Knowledge inference algorithm
Algorithm to infer if p knows x
Proof of soundness and completeness
Constructive knowledge inference algorithm
Algorithm to construct an evidence of p’s knowledge of x
Proof of soundness and completeness
12/4/2018

32. Ongoing Work Core calculus for writing M3PC program
Formal type-directed translation to target protocol
Translation exists for all well-typed programs
Source and target semantics preserve knowledge
Next step: Given inferred knowledge facts, automatically generate optimal M3PC programs
12/4/2018