Presentation is loading. Please wait.

Presentation is loading. Please wait.

Wysteria: A Programming Language for Generic, Mixed-Mode Multiparty Computations Aseem Rastogi Matthew Hammer, Michael Hicks (University of Maryland, College.

Published byMaximo Savell Modified over 9 years ago

Similar presentations

Presentation on theme: "Wysteria: A Programming Language for Generic, Mixed-Mode Multiparty Computations Aseem Rastogi Matthew Hammer, Michael Hicks (University of Maryland, College."— Presentation transcript:

1 Wysteria: A Programming Language for Generic, Mixed-Mode Multiparty Computations Aseem Rastogi Matthew Hammer, Michael Hicks (University of Maryland, College Park)

2 What is Secure Multiparty Computation (SMC) A B Compute f(A, B) Without revealing A to Bob and B to Alice

3 Using a Trusted Third Party A B A B f(A, B) Compute f(A, B) Without revealing A to Bob and B to Alice

4 SMC Eliminates Trusted Third Party A B Compute f(A, B) Without revealing A to Bob and B to Alice Cryptographic Protocol

5 SMC Examples Private Data Nearest neighborLocations AuctionBids Private set intersectionSets Statistical computationNumbers

6 Beyond Toy SMC Examples Online card games SMC to deal cards Dice-based games SMC to roll dice

7 Monolithic Secure Multiparty Computation f(A, B) A B Not Enough !

8 Mixed-Mode Secure Multiparty Computation f(A, B) A B g(A 1, B 1 ) A 1 B 1 g(A 1, B 1 ) … … h(A 2, B 2 ) A 2 B 2 h(A 2, B 2 ) … Local … Secure State

9 State Of The Art: Existing SMC Languages Fairplay, FairplayMP, CBMC-GC – Only “circuit compilers” – No mixed-mode – No secure state L1 – Only 2-party, low level – No formal guarantees FastGC – Circuit library, only 2-party None supports generic programs (parametric in number of parties) None supports generic programs (parametric in number of parties)

10 Our Goal Push SMC beyond toy applications

11 Design an SMC Language Local and secure computations High-level support for secure state Mixed-Mode Code parametric in number of parties Generic Single specification Runtime compilation to circuits High-level Statically typed, sound Compositional Guarantees

12 A High-level Functional Language to write Mixed-Mode Generic SMCs Implementation and examples available at: http://ter.ps/wysteria Developing Online Poker using Wysteria (almost there …) Goes Without Saying, Wysteria Has It All ! Demo (coming up) Demo (coming up)

13 Wysteria by Examples: Two-party Millionaire’s * let a = read() in let b = read() in let o = a > b in o par(A) par(B) sec(A,B) *The example in this form does not type check in Wysteria. Single specification A and B run the same program Compute who is richer among A and B

14 Wysteria by Examples: Two-party Millionaire’s let a = read() in let b = read() in let o = a > b in o par(A) par(B) sec(A,B) A’s Local Computation (Skipped by B) Computation modes

15 Wysteria by Examples: Two-party Millionaire’s let a = read() in let b = read() in let o = a > b in o par(A) par(B) sec(A,B) A’s Local Computation B’s Local Computation (Skipped by A)

16 Wysteria by Examples: Two-party Millionaire’s let a = read() in let b = read() in let o = a > b in o par(A) par(B) sec(A,B) A’s Local Computation B’s Local Computation Secure Computation by (A,B)

17 let a = read() in let b = read() in let o = a > b in o par(A) par(B) sec(A,B) A’s Local Computation B’s Local Computation Secure Computation by (A,B) Runtime compiles it to boolean circuit, and evaluates using secure computation No communication primitives ! Wysteria by Examples: Two-party Millionaire’s

18 Key Ideas Mixed-Mode Computations via Mode Annotations

19 Wysteria by Examples: Asymmetric Output let a = read() in let b = read() in let o = a > b in o par(A) par(B) sec(A,B) What if only A is allowed to know the output ?

20 Wysteria by Examples: Asymmetric Output let a = read() in let b = read() in let o = wire A:(a > b) in o par(A) par(B) sec(A,B) What if only A is allowed to know the output ? Wire Bundle

21 Wire Bundles in Wysteria Maps from parties to values Each party sees only its own component in the bundle – Or nothing if it’s not in the domain Wire bundles are dependently typed Create wire A:0 : W {A} nat Concat (wire A:0)++(wire B:1) : W {A U B} nat Project (wire A:0)[A] : nat

22 Wysteria by Examples: Inputs Via Wire Bundles let a = read() in let b = read() in let w1 = wire A:a in let w2 = wire B:b in let w3 = w1 ++ w2 in let o = wire A:(w3[A] > w3[B]) in o par(A) par(B) sec(A,B)

23 let a = read() in let b = read() in let w1 = wire A:a in let w2 = wire B:b in let w3 = w1 ++ w2 in let o = wire A:(w3[A] > w3[B]) in o Wysteria by Examples: Wire Bundle Views A’s ViewB’s Viewsec(A,B)’s View w1{A:a}{}{A:a} w2{}{B:b} w3{A:a}{B:b}{A:a,B:b} par(A) par(B) sec(A,B)

24 Key Ideas Wire Bundle Abstraction for Private Inputs/Outputs Mixed-Mode Computations via Place Annotations

25 let mill = λx:W {A U B} nat. let o = x[A] > x[B] in o in let a = read () in let b = read () in mill (wire A:a ++ wire B:b) sec(A,B) Wysteria by Examples: Functions par(A) par(B)

26 So Far We Have Seen … Mixed-Mode support via mode annotations Wire Bundles abstraction for private data Now: Writing Generic Code in Wysteria

27 Parties As First Class Values Parties are values of type ps φ Refinement types for more precise invariants {A} : ps {ν = A} {A} : ps {ν A U B}

28 Wysteria by Examples: Generic Millionaire’s sec(x) let comb = λx:ps. λy:W x nat. λa:ps option. λp:ps. λn:nat match a with | None => Some(p) | Some(q) => if y[q] > n then a else Some(p) in let mill = λx:ps. λy:W x nat. let o = wfold(y, None, comb x y) in o in … sec(x)

29 Wysteria by Examples: Generic Millionaire’s sec(x) let comb = λx:ps. λy:W x nat. λa:ps option. λp:ps. λn:nat match a with | None => Some(p) | Some(q) => if y[q] > n then a else Some(p) in let mill = λx:ps. λy:W x nat. let o = wfold(y, None, comb x y) in o in … sec(x)

30 Wysteria by Examples: Generic Millionaire’s sec(x) let comb = λx:ps. λy:W x nat. λa:ps{ν x} option.λp:ps{ν x}.λn:nat match a with | None => Some(p) | Some(q) => if y[q] > n then a else Some(p) in let mill = λx:ps. λy:W x nat. let o = wfold(y, None, comb x y) in o in … sec(x)

31 Key Ideas Generic Code: 1. Parties as First Class Values 2. Wire Bundle Combinators (e.g. wfold ) Wire Bundle Abstraction for Private Inputs/Outputs Mixed-Mode Computations via Place Annotations

32 Wysteria Metatheory Formalized using λ -calculus with extensions Dependent type system Two operational semantics: – Single-threaded (SIMD style specification) – Multi-threaded (actual protocol runs) – Slicing judgment from single- to multi-threaded

33 Wysteria Theorems* Type soundness (progress and preservation) in single-threaded semantics Sound simulation: C1C1 C2 π1π1 π2π2 … * Single-threaded Multi-threaded slice operation *Proofs in Technical Report

34 Wysteria Implementation We use GMW Implementation from Choi et. al.

35 Wysteria Evaluation Applicationn-Party ?Mixed-Mode ?Secure state ? Millionaire’sYesNo 2 nd Price auctionYesNo PSI2-partyYesNo Nearest neighborYesNo Median2-partyYesNo PSI count2-partyYes 2-round biddingYes Online pokerYes

36 Wysteria Code for Card Dealing let retryloop = fix retryloop: (tmp5:unit) -> W tgt nat. (tmp5:unit). let myrand = \(z:unit).rand () in let rs = wapp x [wire x:(); wire x:myrand] in let res = check rs in if res.#success then let nd = select ndealt[0] in let _ = update dealt [nd] <- res.#sum in let _ = update ndealt [0] <- nd + 1 in let card @ sec(x) = let s = combsh (res.#sum) in wire tgt:s in card else retryloop () in retryloop () in wcopy as x from w in { #deal : deal } in Secure computation Local computation Secret shares let rand = \(myunit:unit). sysop rand 52 in let mkdeal = \(x:ps{true}). let zerosh @ par(x) = let zerosh1 @ sec(x) = makesh 0 in zerosh1 in let dealt @ par(x) = array [ 52 ] of zerosh in let ndealt @ par(x) = array [ 1 ] of 0 in let deal = \(tgt:ps{singl and subeq x}). let w @ par(x) = let check = \(rs:W x nat). let nd = select ndealt[0] in let sum @ sec(x) = let s = wfold x [rs; 0; \(n1:nat).\(p:ps{true}).\(n2:nat). n1 + n2 ] in let s1 = wfold x [wire x:(); s; \(n1:nat).\(p:ps{true}).\(n2:unit). if n1 > 51 then n1 - 51 else n1 ] in makesh s1 in let checkloop = fix checkloop:(i:nat) -> {#sum:Sh x nat, #success: bool}. (i:nat). if i = nd then {#sum:sum, #success:true} else l2et sd = select dealt[i] in let cmp @ sec(x) = let t1 = combsh sd in let t2 = combsh sum in t1 = t2 in if cmp then {#sum:sum, #success:false} else checkloop (i + 1) n checkloop 0 in

37 Demo (Card dealing using Wysteria) Future Work: Integrate with bitcoin for betting (c.f. Secure Multiparty Computation on BitCoin, Andrychowicz et. al.)

38 Also In The Paper … Support for secure state More language features – Mutable state (interesting interaction with mixed- mode) – Additional wire bundle combinators Performance evaluation Complete proofs in TR

39 Wysteria Summary http://ter.ps/wysteria Implementation and examples available at: A High-level Functional Language to write Mixed-Mode Generic SMCs

Download ppt "Wysteria: A Programming Language for Generic, Mixed-Mode Multiparty Computations Aseem Rastogi Matthew Hammer, Michael Hicks (University of Maryland, College."

Similar presentations

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.
Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.

Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.
Reliable Scripting Using Push Logic Push Logic David Greaves, Daniel Gordon University of Cambridge Computer Laboratory Reliable Scripting.

Reliable Scripting Using Push Logic Push Logic David Greaves, Daniel Gordon University of Cambridge Computer Laboratory Reliable Scripting.
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
Static and User-Extensible Proof Checking Antonis StampoulisZhong Shao Yale University POPL 2012.

Static and User-Extensible Proof Checking Antonis StampoulisZhong Shao Yale University POPL 2012.
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
- Vasvi Kakkad.  Formal -  Tool for mathematical analysis of language  Method for precisely designing language  Well formed model for describing and.

- Vasvi Kakkad.  Formal -  Tool for mathematical analysis of language  Method for precisely designing language  Well formed model for describing and.
Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.

Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.
Current Techniques in Language-based Security David Walker COS 597B With slides stolen from: Steve Zdancewic University of Pennsylvania.

Current Techniques in Language-based Security David Walker COS 597B With slides stolen from: Steve Zdancewic University of Pennsylvania.
A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology.

A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology.
1 How to transform an analyzer into a verifier. 2 OUTLINE OF THE LECTURE a verification technique which combines abstract interpretation and Park’s fixpoint.

1 How to transform an analyzer into a verifier. 2 OUTLINE OF THE LECTURE a verification technique which combines abstract interpretation and Park’s fixpoint.
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu

Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu
Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.

Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.
VeriML: Revisiting the Foundations of Proof Assistants Zhong Shao Yale University MacQueen Fest May 13, 2012 (Joint work with Antonis Stampoulis)

VeriML: Revisiting the Foundations of Proof Assistants Zhong Shao Yale University MacQueen Fest May 13, 2012 (Joint work with Antonis Stampoulis)
Automating Efficient RAM- Model Secure Computation Chang Liu, Yan Huang, Elaine Shi, Jonathan Katz, Michael Hicks University of Maryland, College Park.

Automating Efficient RAM- Model Secure Computation Chang Liu, Yan Huang, Elaine Shi, Jonathan Katz, Michael Hicks University of Maryland, College Park.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
An Associative Broadcast Based Coordination Model for Distributed Processes James C. Browne Kevin Kane Hongxia Tian Department of Computer Sciences The.

An Associative Broadcast Based Coordination Model for Distributed Processes James C. Browne Kevin Kane Hongxia Tian Department of Computer Sciences The.

Similar presentations

Ads by Google