Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton."— Presentation transcript:

1 1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton

2 2 Roadmap Secure Function Evaluation –Motivation and definitions –Scenarios –Constructions

3 3 SFE Example – M illionaires Problem X$X$ Y$Y$ ?<=>?<=> Secure Function Evaluation Protocol

4 4 Secure Function Evaluation A set of (two or more) parties with private inputs wish to compute some joint function of their inputs. Parties wish to preserve some security properties. E.g., privacy and correctness. –Example: Computing the maximum Security must be preserved in the face of adversarial behavior by some of the participants.

5 5 …Secure Function Evaluation Cryptography aims for the following (regarding privacy): –A secure protocol must reveal no more information than the output of the function itself –That is, the process of protocol computation reveals nothing.

6 6 The Security Definition IDEALREAL Trusted party Protocol interaction For every real adversary A there exists an adversary S 

7 7 Does the trusted party scenario make sense? x y F(x,y) We cannot hope for more privacy Does the trusted party scenario make sense? Are the parties motivated to submit their true inputs? Can they tolerate the disclosure of F(x,y)? If so, we can implement the scenario without a trusted party.

8 8 Roadmap Secure Function Evaluation –Motivation and definitions –Scenarios –Constructions

9 9 Modeling the Adversary Semi-honest: follows the protocol but tries to learn more Malicious: can do anything –E.g., Protocol: “Flip a random coin and send the result” Malicious party might… Easier to provide security against semi- honest adversaries

10 10 Modeling the Adversary Do semi-honest adversaries make sense? –Semi-trusted parties? –Secure hardware/software? –It’s easier for the adversary to eavesdrop than to change the program. Is there a reasonable model between semi-honest and malicious?

11 11 Participating Parties Two parties. Multi-party: N parties with private inputs x 1,..,x N, wish to compute F(x 1,..,x N ). There are generic secure constructions for both scenarios The constructions for the two-party scenario are usually more efficient

12 12 Multi-Party Protocols The main issues are often the communication pattern and the number of rounds

13 13 A different setting for multi- party protocols? [NPS] P1P1 P2P2 PnPn Computation Server 1 Computation Server 2 Computation Server m Provide inputs (and that’s it) Perform computation

14 14 Trust P1P1 P2P2 PnPn benign collusion dangerous collusion This is not weaker security if we have some trust that computation servers do not collude Computation Server 1 Computation Server 2 Computation Server m

15 15 Advantages Separation between input providers and computation. Input providers –submit their inputs independently of each other. –Do not have to coordinate their operation. Once all inputs are submitted, the computation is performed by the computation servers.

16 16 Roadmap Secure Function Evaluation –Motivation and definitions –Scenarios –Constructions

17 17 Secure two-party computation of general functions [ Yao, early 80s ] First, represent the function F as a Boolean circuit C It’s always possible Sometimes it’s easy (additions, comparisons) Sometimes the result is inefficient (e.g. for indirect addressing, a[i])

18 18 Garbling the circuit Bob constructs the circuit, and then garbles it. G w i 0,w i 1 w J 0,w J 1 w k 0,w k 1 W k 0 = 0 on wire k W k 1 = 1 on wire k |W k 0 | = |W k 1 | > 80 (Alice will learn one string per wire, but not the bit to which it corresponds.)

19 19 Gate tables For, e.g., an AND gate, Bob constructs a table that enables to compute: –w k 0 given w i 0,w J 0 –w k 0 given w i 0,w J 1 –w k 0 given w i 1,w J 0 –w k 1 given w i 1,w J 1 I.e., given w i x,w J y, can compute w k G(x,y) G w i 0,w i 1 w J 0,w J 1 w k 0,w k 1

20 20 Secure computation Bob sends the tables of the gates to Alice Given, e.g., w i 0,w J 1, she computes w k 0, but doesn’t know the actual values of the wires. If Alice gets garbled values (w’s) of her input values, she can compute the output of the circuit, and nothing else. G w i 0,w i 1 wJ0,wJ1wJ0,wJ1 w k 0,w k 1

21 21 Secure computation – the big picture Represent the function as a circuit C Bob sends to Alice |C| tables (e.g. 40|C| Bytes). Alice performs an oblivious transfer for every input bit. (Can do, e.g. 100 OTs per sec.) ~One round of communication. Efficient for medium size circuits! Good for one invocation only! 

22 22 FairPlay [Nisan,Malkhi,Pinkas,Sella] Yao’s construction is about 20 years old. There are no known implementations (?). FairPlay - a full fledged secure two-party computation system, implementing Yao’s “garbled circuit” protocol. Goals: –Investigate whether two-party SFE is practical –Actual measurements of overall computation –Breakdown of computation into parts –Test-bed for various optimizations

23 23 …FairPlay The Compilation paradigm –Programs written in a high-level programming language –SHDL: Low-level language describing Boolean circuits –First stage: compile to SHDL and optimize –Second stage: Given an SHDL circuit, generate programs implementing Yao’s protocol

24 24 Specific Constructions of SFE Mean Max, Min Set intersection Median and quintiles

25 25 Discussion Points Candidate applications? Where will SFE be most beneficial? How to model the adversary?

26 26 Issues Suppose you cannot access the data –Data cleaning? –What functions do you need to compute?

Download ppt "1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton."

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Polylogarithmic Private Approximations and Efficient Matching
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.

Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.
Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto

Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Oblivious Branching Program Evaluation

Oblivious Branching Program Evaluation
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Oblivious Transfer (OT) Alice (sender) has n secrets Alice wants to give k secrets to Bob Bob wants the secrets but does not want Alice to know which secrets.

Oblivious Transfer (OT) Alice (sender) has n secrets Alice wants to give k secrets to Bob Bob wants the secrets but does not want Alice to know which secrets.
Privacy Preserving Auctions and Mechanism Design Moni Naor Benny Pinkas Reuben Sumner Presented by: Raffi Margaliot.

Privacy Preserving Auctions and Mechanism Design Moni Naor Benny Pinkas Reuben Sumner Presented by: Raffi Margaliot.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
GARBLED CIRCUITS & SECURE TWO-PARTY COMPUTATION

GARBLED CIRCUITS & SECURE TWO-PARTY COMPUTATION
What Crypto Can Do for You: Solutions in Search of Problems Anna Lysyanskaya Brown University.

What Crypto Can Do for You: Solutions in Search of Problems Anna Lysyanskaya Brown University.
General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.

General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Similar presentations

Ads by Google