Presentation is loading. Please wait.

Presentation is loading. Please wait.

Usenix Security 2004 Slide 1 Fairplay – A Secure Two- Party Computation System Yaron Sella Hebrew University of Jerusalem Joint work with Dahlia Malkhi,

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Usenix Security 2004 Slide 1 Fairplay – A Secure Two- Party Computation System Yaron Sella Hebrew University of Jerusalem Joint work with Dahlia Malkhi,"— Presentation transcript:

1 Usenix Security 2004 Slide 1 Fairplay – A Secure Two- Party Computation System Yaron Sella Hebrew University of Jerusalem Joint work with Dahlia Malkhi, Noam Nisan, and Benny Pinkas Project team: Ziv Balshai, Amir Levy, Dudi Einey, Ori Peleg

2 Slide 2 Usenix Security 2004 Outline SFE – Secure Function Evaluation Goals Fairplay –Fairplay computation overview –Demo (SFDL & SHDL examples) –Bob/Alice two party SFE –Experiments

3 Slide 3 Usenix Security 2004 SFE - Secure Function Evaluation Started with Yao’s seminal paper (1986 - almost 20 years ago!) Allows several parties to perform a joint computation, that in real life requires a trusted party, using cryptographic tools only (i.e., the trusted party is not needed!) Theoretical significance only? We focus on 2-party SFE

4 Slide 4 Usenix Security 2004 SFE Example - Millionaires’ Problem $ X$ Y ?<=>?<=> Secure Function Evaluation Protocol

5 Slide 5 Usenix Security 2004 General Structure of Yao’s Protocol Represent f(x,y) as a Boolean circuit Bob “garbles” the circuit: –  wire, assigns random values instead of 0/1 –  gate, constructs a “secure” truth table Bob sends to Alice the tables and garbled versions of his input Alice uses oblivious transfer to obtain garbled versions of her input and uses them to compute the output of the circuit

6 Slide 6 Usenix Security 2004 Goals Answer some basic questions on SFE: –Is two-party SFE practical? –Obtain actual measurements of overall computation: How much time is needed to solve the Millionaires’ problem? The Billionaires’ problem? Better understanding of SFE computation: –Where are the bottlenecks? –Computation versus communication Test-bed for various optimizations

7 Slide 7 Usenix Security 2004 Fairplay Computation Overview (1) BobAlice GUI SFDL program (a file) SFDL Compiler + Circuit optimizer SHDL circuit (a file) Off-line SHDL Parser Circuit (Java obj.) On-line SFE

8 Slide 8 Usenix Security 2004 Fairplay Computation Overview (2) BobAlice m x Circuit garbler Circuits sendCircuits receive Circuit (Java obj.) Garbled circuits (Java obj.) Circuit chooseRead Integer Reveal secretsCircuits verify

9 Slide 9 Usenix Security 2004 Fairplay Computation Overview (3) BobAlice Input + input sendInput receive Input OT chooserOT sender Circuit evaluatorOutput

10 Slide 10 Usenix Security 2004 Outline SFE – Secure Function Evaluation Goals Fairplay Fairplay computation overview –Demo (SFDL & SHDL examples) –Bob/Alice two party SFE –Experiments

11 Slide 11 Usenix Security 2004 The Compilation Paradigm SFDL (Secure Function Definition Language) - High-level programming language for the func. to be evaluated in the trusted party model –Allows clear, formal, easily understandable definition and requirements by humans SHDL (Secure Hardware Definition Language) - Low-level language describing Boolean circuits “Obliviousness-aware” SFDL  SHDL compiler The compiler also produces an I/O format file

12 Slide 12 Usenix Security 2004 SFDL Example program Millionaires { type int = Int ; // 4-bit integer type AliceInput = int; type BobInput = int; type AliceOutput = Boolean; type BobOutput = Boolean; type Output = struct {AliceOutput alice, BobOutput bob}; type Input = struct {AliceInput alice, BobInput bob}; function Output output(Input input) { output.alice = input.alice > input.bob; output.bob = input.bob > input.alice; }

13 Slide 13 Usenix Security 2004 SFDL Properties Conventional syntax (C/Pascal-like) Type system – Boolean, integer, enumerated Program structure –Declarations: global constants, types –Sequence of functions (no nesting [C], no recursion) –Function name is its return value [Pascal] Conditional execution and loops –if-then, if-then-else statements, For-loop Assignments and expressions –constants, variables, array entries, structure items, function calls, operators (+, -, logical, comparison), parenthesis

14 Slide 14 Usenix Security 2004 SHDL Example (1) 0 input//output$input.bob$0 1 input//output$input.bob$1 2 input//output$input.bob$2 3 input//output$input.bob$3 4 input//output$input.alice$0 5 input//output$input.alice$1 6 input//output$input.alice$2 7 input//output$input.alice$3 8 gate arity 2 table [ 1 0 0 0 ] inputs [ 4 5 ] 9 gate arity 2 table [ 0 1 1 0 ] inputs [ 4 5 ]

15 Slide 15 Usenix Security 2004 SHDL Example (2) 10 gate arity 2 table [ 0 1 0 0 ] inputs [ 8 6 ] 11 gate arity 2 table [ 1 0 0 1 ] inputs [ 8 6 ] 12 gate arity 2 table [ 1 0 0 1 ] inputs [ 10 7 ] 13 gate arity 2 table [ 0 0 0 1 ] inputs [ 4 0 ] 14 gate arity 3 table [ 0 0 0 1 0 1 1 1 ] inputs [ 13 9 1 ] 15 gate arity 3 table [ 0 0 0 1 0 1 1 1 ] inputs [ 14 11 2 ] 16 gate arity 2 table [ 0 1 1 0 ] inputs [ 12 3 ] 17 gate arity 2 table [ 0 1 1 0 ] inputs [ 15 16 ] 18 output gate arity 1 table [ 0 1 ] inputs [ 17 ] …

16 Slide 16 Usenix Security 2004 SHDL Properties Each line is a circuit component, i.e: –An input bit, or –A Boolean gate with a given truth-table and input wires Circuit wiring is based on line numbers The compiler produces gates of arity 1,2,3 // Comments are ignored (even though the compiler generated them)

17 Slide 17 Usenix Security 2004 The Format File Enables the input bits to be specified and the output bits to be presented in a user-friendly format Format file example: Bob input integer "input.bob" [0 1 2 3] Alice input integer "input.alice" [4 5 6 7] Alice output integer "output.alice" [18] Bob output integer "output.bob" [29] Bob’s input bits should be read from the user as an integer

18 Slide 18 Usenix Security 2004 The SFDL  SHDL Compiler Compiler’s sequence of steps: Parsing Function inlining and loop unfolding (obliviousness!) Transformation into single bit operations Array access handling (cost = O(n) gates) Single variable assignment Optimizations: local code optimization, duplicate code removal, dead code elimination

19 Slide 19 Usenix Security 2004 Bob-Alice 2-Party SFE – Overview (1) Input: C = circuit in SHDL Cut-and-Choose: –Bob parses C into m garbled circuits, and sends them to Alice. Alice also parses C. –Alice chooses one circuit for evaluation - GC –Bob exposes secrets of all garbled circuits except GC –Alice verifies all exposed garbled circuits –Catches cheating with probability 1-1/m Bob sends his inputs for GC (Alice can’t interpret them because they are garbled)

20 Slide 20 Usenix Security 2004 Bob-Alice 2-Party SFE – Overview (2) Oblivious Transfer: Alice obtains her inputs for GC from Bob using a single OT per each Alice input bit (Alice = chooser, Bob = sender) Alice evaluates GC Alice interprets her outputs (she can’t interpret Bob’s outputs, because they are garbled) Alice sends to Bob his outputs Bob interprets his outputs

21 Slide 21 Usenix Security 2004 Garbled Circuit Preparation (by Bob) x | y | out 0 | 0 | b0 0 | 1 | b1 1 | 0 | b2 1 | 1 | b3 WiWi WjWj WkWk vk0vk0 vk1vk1 x | y | out 0 | 0 | v k b0 0 | 1 | v k b1 1 | 0 | v k b2 1 | 1 | v k b3 GTT x | y | output 0 | 0 | E(v k b0 ) 0 | 1 | E(v k b1 ) 1 | 0 | E(v k b2 ) 1 | 1 | E(v k b3 ) EGTT E(v k b0 ): SHA-1(v i 0, v j 0, k)  v k b0 E(v k b1 ): SHA-1(v i 0, v j 1, k)  v k b1 E(v k b2 ): SHA-1(v i 1, v j 0, k)  v k b2 E(v k b3 ): SHA-1(v i 1, v j 1, k)  v k b3 v i 0, v i 1 v j 0, v j 1 PEGTT Permute rows

22 Slide 22 Usenix Security 2004 Garbled Circuit Evaluation (by Alice) vivi vjvj output v k ’ v k ’’ v k ’’’ v k ’’’’ PEGTT vkvk 2. D (v k ’ ): SHA-1 (v i, v j, k)  v k ’ ( = v k ) 1. Try decrypting each entry Note that 1. Alice doesn’t learn any other table entry. 2. Alice doesn’t learn if entry and wire values correspond to 0 or 1.

23 Slide 23 Usenix Security 2004 EGL 1-out-of-2 Oblivious Transfer (OT 1 2 ) Sender (Bob)Chooser (Alice) 1. PK 0, PK 1 Encrypt: M 0 with PK 0 (= E 0 ) M 1 with PK 1 (= E 1 ) 2. E 0, E 1 M 0, M 1 Bit b 3. Decrypt E 0 or E 1 (s.t. only one of PK 0, PK 1 can be a “real” PK)

24 Slide 24 Usenix Security 2004 OT 1 2 (EGL Paradigm with El-Gamal) Input: chooser - a bit σ sender - two strings M 0, M 1 Output: chooser - M σ Preliminaries: Z q is a sub-group of order q of Z p *, p,q are primes, and q | (p-1). Let g be a generator of Z q. H is a random oracle. Initialization: the sender publishes C, a random element in Z q (whose discrete log to the base g is unknown by the chooser).

25 Slide 25 Usenix Security 2004 OT 1 2 Interactive Protocol Sender (Bob)Chooser (Alice) 1. Picks random k in [1,q], and sets public keys: PK σ = g k, PK 1-σ = C / PK σ PK 0 2. Computes PK 1 = C / PK 0, chooses random r0,r1 in Z q, El-Gamal encrypts: E 0 = {g r0, H(PK 0 r0 ) ^ M 0 }, E 1 = {g r1, H(PK 1 r1 ) ^ M 1 } E 0, E 1 M 0, M 1 σ p, q, g, H, C 3. Computes H((g rσ ) k ) = H(PK σ rσ ) and uses it to decrypt M σ Note: NP01 variant (in RO model)

26 Slide 26 Usenix Security 2004 Experiments: Implementation & Setup Code written in Java Communication: TCP/IP (Java sockets) Crypto: Java BigInteger libraries, SHA1 as RO Two communication scenarios LAN – 617.8 MBPS, latency 0.4 ms WAN (USA, Israel) – 1.06 MBPS, latency 237.0 ms Two PCs – 2.4 GHz Parameters: |p|=1024, |q|=160, m=2 Results: 100 repetitions (compilation excluded)

27 Slide 27 Usenix Security 2004 Experiments – The Four Functions FunctionNumber of circuit gates TotalInputsAlice Inputs AND32168 Billionaires2546432 Keyed DB search12294866 Median4383320160 AND - a very simple circuit Keyed DB - small number of inputs for Alice Median – biggest circuit

28 Slide 28 Usenix Security 2004 Experiments – Results Highlights Billionaires’ problem: –LAN: 1.25 seconds, WAN: 4.01 seconds Communication versus computation: –Percentage of delay due to communication LAN: up to 42%, WAN: up to 77% Optimizations speed up factor: –WAN communication batching: up to 8.8! –Same g r mod p OT variant [NP01]: 1.3 LAN  WAN slowdown: up to 6.9

29 Slide 29 Usenix Security 2004 Experiments – WAN Detailed Results IP – Initializations and Parsing CC – Circuits communication OTs – Oblivious Transfers EV – Evaluation of circuit EET –Elapsed Execution Time FunctionWAN Communication IP (%)CC (%)OTs (%)EV (%)EET(sec) AND0.258.441.40.02.57 Billionaires0.845.253.90.14.01 Keyed DB5.964.329.40.43.38 Median4.745.849.20.316.63

30 Slide 30 Usenix Security 2004 Experiments – LAN Detailed Results IP – Initializations and Parsing CC – Circuits communication OTs – Oblivious Transfers EV – Evaluation of circuit EET –Elapsed Execution Time FunctionLAN Communication IP (%)CC (%)OTs (%)EV (%)EET(sec) AND1.518.879.50.20.41 Billionaires3.25.491.10.31.25 Keyed DB40.42.854.12.70.49 Median13.27.278.70.97.09

31 Slide 31 Usenix Security 2004 Future directions Better understanding of experiments’ results Improving the compiler (C ?) New features –fair termination Optimizations –Batch inversion (BS02) –Extending OTs (IKNP03) Real applications & products (www.cs.huji.ac.il/labs/danss/Fairplay)

Download ppt "Usenix Security 2004 Slide 1 Fairplay – A Secure Two- Party Computation System Yaron Sella Hebrew University of Jerusalem Joint work with Dahlia Malkhi,"

Similar presentations

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Secure Computation of Linear Algebraic Functions

Secure Computation of Linear Algebraic Functions
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Chapter 8 High-Level Programming Languages. 8-2 Chapter Goals Describe the translation process and distinguish between assembly, compilation, interpretation,

Chapter 8 High-Level Programming Languages. 8-2 Chapter Goals Describe the translation process and distinguish between assembly, compilation, interpretation,
ITIS 6200/8200. 2 Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.

ITIS 6200/ Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Oblivious Transfer (OT) Alice (sender) has n secrets Alice wants to give k secrets to Bob Bob wants the secrets but does not want Alice to know which secrets.

Oblivious Transfer (OT) Alice (sender) has n secrets Alice wants to give k secrets to Bob Bob wants the secrets but does not want Alice to know which secrets.
Privacy Preserving Auctions and Mechanism Design Moni Naor Benny Pinkas Reuben Sumner Presented by: Raffi Margaliot.

Privacy Preserving Auctions and Mechanism Design Moni Naor Benny Pinkas Reuben Sumner Presented by: Raffi Margaliot.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
20-751 ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.

ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.
Oblivious Transfer based on the McEliece Assumptions

Oblivious Transfer based on the McEliece Assumptions
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.

1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.
Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification.

Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification.
Chapter 8 Arrays and Strings

Chapter 8 Arrays and Strings

Similar presentations

Ads by Google