Presentation is loading. Please wait.

Presentation is loading. Please wait.

Insert presenter logo here on slide master. See hidden slide 4 for directions  Session ID: Session Classification: SEUNG GEOL CHOI UNIVERSITY OF MARYLAND.

Published bySylvia Carroll Modified over 9 years ago

Similar presentations

Presentation on theme: "Insert presenter logo here on slide master. See hidden slide 4 for directions  Session ID: Session Classification: SEUNG GEOL CHOI UNIVERSITY OF MARYLAND."— Presentation transcript:

1 Insert presenter logo here on slide master. See hidden slide 4 for directions  Session ID: Session Classification: SEUNG GEOL CHOI UNIVERSITY OF MARYLAND Secure Multi-Party Computation of Boolean Circuits with Applications to Privacy in On-Line Marketplaces CRYP-403 Advanced Joint work with Jonathan Katz (University of Maryland) Kyung-Wook Hwang, Tal Malkin, Dan Rubenstein (Columbia University)

2 Insert presenter logo here on slide master. See hidden slide 4 for directions  Motivation: Online Marketplace 1 car 2 cars 1 car $8,000$8,100$9,100 $8,500 Wants with minimal price Find best match 2

3 Insert presenter logo here on slide master. See hidden slide 4 for directions  Online Marketplace  Participants  Providers: have resources and associated metric  Customer: has preference  Desired result  For each resource r, compute its score according to the input of the customer and the providers  Output the resource with best score 3

4 Insert presenter logo here on slide master. See hidden slide 4 for directions  Example: P2P Content Distribution  Resources = Peers  Providers: ISPs  Know bandwidth info of peers  Customer  Knows which peer has the desired file  Wants to find a suitable peer with highest bandwidth  Result  Score for a peer: if the peer has the file, output its bandwidth; otherwise, output 0  Output: the peer with the highest score 4

5 Insert presenter logo here on slide master. See hidden slide 4 for directions  Other Examples  Cloud computing  Find the best-quality cloud service within price limit  Find the cheapest cloud service of desired quality  Mobile social network  Find the closet user within enough matching interests  Find the user with most matching interests within a certain distance. 5

6 Insert presenter logo here on slide master. See hidden slide 4 for directions  Privacy in Online Marketplaces  Privacy  The providers and the customer should learn nothing about anyone’s inputs (beyond the output)  Semi-honest security: corrupted parties follow the protocol honestly, but try to infer secret information from the protocol transcript.  Protocol?  One could attempt to construct a specific protocol…  How well would a generic secure multi-party computation (MPC) protocol work? 6

7 Insert presenter logo here on slide master. See hidden slide 4 for directions  Secure Multi-Party Computation 7 Compute f(x 1, x 2, x 3, x 4 ) x1x1 x2x2 x3x3 x4x4 E.g., f = x 1 x 2 + x 3 + x 4 =2 = 7 = 1 = 5 = 20

8 Insert presenter logo here on slide master. See hidden slide 4 for directions  Generic Solutions?  “Generic” = a protocol for any function, specified as a boolean/arithmetic circuit  Good news: generic solutions exist  Bad news: relatively inefficient (?) 8

9 Insert presenter logo here on slide master. See hidden slide 4 for directions  However, in the Past Few Years  Growing interest in research community  Optimizing efficiency of protocols  Increased capability of modern computers Several generic solutions have been implemented 9

10 Insert presenter logo here on slide master. See hidden slide 4 for directions  Two Types of Generic MPC Solutions  Boolean circuits  A circuit with boolean gates e.g., XOR and AND.  Input of each party: represented as bits  Arithmetic circuits  A circuit with addition/multiplication gates in some field, e.g., GF(p) or GF(2 n )  Input of each party: an element in the given field 10

11 Insert presenter logo here on slide master. See hidden slide 4 for directions  Boolean or Arithmetic? FunctionBoolean (Bit)Arithmetic (Field) Statistics (e.g., average) Large circuitSmall circuit Comparison (e.g., less than) Small circuitLarge circuit 11 Boolean circuits better suited for addressing the private marketplaces problem

12 Insert presenter logo here on slide master. See hidden slide 4 for directions  Previous Work on MPC Solutions 12 OursBooleanC++Yes< n CircuitLanguageCircuit Scalability # Corrupted parties FairplayMP [BNP08] BooleanJavaNo (~4000 gates) < n/2 VIFF [DGKN09] ArithmeticPythonYes< n/2 SEPIA [BSMD10] ArithmeticJavaYes< n/2 Not satisfactory for our purpose

13 Insert presenter logo here on slide master. See hidden slide 4 for directions  Our Contributions  We provide the first scalable implementation of multi-party computation for boolean circuits, with optimal resilience  We apply our implementation to the problem of online marketplaces  Performance better than what is obtained using previous solutions (VIFF, SEPIA)  Another indication that generic secure MPC can be useful in solving practical problems 13

14 Insert presenter logo here on slide master. See hidden slide 4 for directions  Our Generic MPC Solution 14

15 Insert presenter logo here on slide master. See hidden slide 4 for directions  Overview of the Protocol  We implement the [GMW87] protocol  The function is given as a boolean circuit  With XOR and AND gates  Evaluate the circuit in a gate-by-gate manner  Invariant: the actual value of each wire is secret- shared. 15

16 Insert presenter logo here on slide master. See hidden slide 4 for directions  Overview of the GMW Protocol 16 XOR AND y x 10 0 1 Evaluate the circuit gate-by-gate. The value of each wire is secret-shared. 1011 11 1 0

17 Insert presenter logo here on slide master. See hidden slide 4 for directions  sender receiver 1-out-of-4 Oblivious Transfer (OT) 17 σ?σ?Other x i s? OT input σ input ( x 0, x 1, x 2, x 3 )output x σ

18 Insert presenter logo here on slide master. See hidden slide 4 for directions  GMW – Evaluating AND gates AND ab c a 1, b 1 a 2, b 2 c 1 = r c 2 = x σ Run oblivious transfer OT x 0 = (a 1 +0)(b 1 +0)+ r x 1 = (a 1 +0)(b 1 +1)+ r x 2 = (a 1 +1)(b 1 +0)+ r x 3 = (a 1 +1)(b 1 +1)+ r σ = 2a 2 + b 2 xσxσ 18

19 Insert presenter logo here on slide master. See hidden slide 4 for directions  GMW Protocol: Multi-Party Setting  Input wires: XOR of all shares are the actual value.  XOR gate: same as before (i.e., c i = a i + b i )  AND gate: use OT between all pairs of parties  Details omitted 19

20 Insert presenter logo here on slide master. See hidden slide 4 for directions  Implementation of the GMW Protocol  Critically depends on efficiency of OT protocol  Basic OT [NP01]  Multi-threading: two-threads for each pair-wise OT  Number-theory package: NTL http://shoup.net (modified for MT)http://shoup.net  OT extension [IKNP03]  Several (e.g., 80) basic OTs with long inputs  many bit OTs  Small overhead: four hash functions per OT  Use SHA-1 implementation from PolarSSL  OT preprocessing [Bea95]  Preprocess OTs on random input  Use them for OTs on actual input: tiny overhead (a few bits) 20

21 Insert presenter logo here on slide master. See hidden slide 4 for directions  Application to Online Marketplaces 21

22 Insert presenter logo here on slide master. See hidden slide 4 for directions  Circuit: P2P Content Distribution 22

23 Insert presenter logo here on slide master. See hidden slide 4 for directions  Experiments in LAN: P2P Content Distribution 23 # nodes  Running time linear in # nodes and (almost) in # resources  Marginal time per AND gate:  50  s (3 nodes)  340  s (13 nodes) OS: Linux CPU: Intel Xeon 2.80 GHz (dual-core) RAM: 4GB OS: Linux CPU: Intel Xeon 2.80 GHz (dual-core) RAM: 4GB seconds Running Time 4681012 10 30 50 70

24 Insert presenter logo here on slide master. See hidden slide 4 for directions  Running-Time Ratio: VIFF/Ours 24 Our implementation is 10-30x faster # nodes 357 9 running-time ratio 5 15 25 35

25 Insert presenter logo here on slide master. See hidden slide 4 for directions  Running-Time Ratio: SEPIA/ours 25 Our implementation is ~10x faster # nodes 357 9 running-time ratio 9 10 11

26 Insert presenter logo here on slide master. See hidden slide 4 for directions  Experiments in PlanetLab  Similar results  With somewhat bigger deviation  Details are in the paper 26

27 Insert presenter logo here on slide master. See hidden slide 4 for directions  Summary  Generic MPC implementation  Boolean circuit representation, optimal corruption thereshold  Source code: http://www.ee.columbia.edu/~kwhwang/projects/gmw.html  Application to privacy in online marketplaces  Generic MPC can be practical  Explore generic solutions before designing new protocols 27

28 Insert presenter logo here on slide master. See hidden slide 4 for directions  Thank you 28

29 Insert presenter logo here on slide master. See hidden slide 4 for directions  OT Extension [IKNP03,LXX05]  Several long string OTs  many bit OTs …. Very efficient: four additional hashes per OT 29

30 Insert presenter logo here on slide master. See hidden slide 4 for directions  OT Preprocessing [Bea95]  bit OTs on random input  bit OTs on actual input OT 2 2 ( r 0, r 1, r 2, r 3 ) r2r2 r2r2 input 1 input ( x 0, x 1, x 2, x 3 ) 3 3 ( r 3 +x 0, r 2 +x 1, r 1 +x 2, r 0 +x 3 ) 30

31 Insert presenter logo here on slide master. See hidden slide 4 for directions  Two-Party Computation? (Not in This Talk)  Initial work  Fairplay [MNPS04]  Rather slow and not scalable  Subsequent work  Improves performance and scalability  [LPS08,PSSW09,HEKM11, M11]  With semi-honest security  Corrupted parties follow the protocol honestly, but try to infer secret information from the protocol transcript. 31

32 Insert presenter logo here on slide master. See hidden slide 4 for directions  GMW – Evaluating AND gates OT x 0 = (a 1 +0)(b 1 +0)+ r x 1 = (a 1 +0)(b 1 +1)+ r x 2 = (a 1 +1)(b 1 +0)+ r x 3 = (a 1 +1)(b 1 +1)+ r σ = 2a 2 + b 2 xσxσ a 2 = 0, b 2 = 0: σ = 0, x 0 = (a 1 +a 2 )(b 1 +b 2 ) + r a 2 = 0, b 2 = 1: σ = 1, x 1 = (a 1 +a 2 )(b 1 +b 2 ) + r a 2 = 1, b 2 = 0: σ = 2, x 2 = (a 1 +a 2 )(b 1 +b 2 ) + r a 2 = 1, b 2 = 1: σ = 3, x 3 = (a 1 +a 2 )(b 1 +b 2 ) + r Check x σ = (a 1 +a 2 )(b 1 +b 2 ) + r c 1 + c 2 = r + x σ = (a 1 +a 2 )(b 1 +b 2 ) = ab = c 32

Download ppt "Insert presenter logo here on slide master. See hidden slide 4 for directions  Session ID: Session Classification: SEUNG GEOL CHOI UNIVERSITY OF MARYLAND."

Similar presentations

Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.

Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
Improved Efficiency for Private Stable Matching Matthew Franklin, Mark Gondree, and Payman Mohassel University of California, Davis 02/07/07 - Session.

Improved Efficiency for Private Stable Matching Matthew Franklin, Mark Gondree, and Payman Mohassel University of California, Davis 02/07/07 - Session.
Distributed Approximate Spectral Clustering for Large- Scale Datasets FEI GAO, WAEL ABD-ALMAGEED, MOHAMED HEFEEDA PRESENTED BY : BITA KAZEMI ZAHRANI 1.

Distributed Approximate Spectral Clustering for Large- Scale Datasets FEI GAO, WAEL ABD-ALMAGEED, MOHAMED HEFEEDA PRESENTED BY : BITA KAZEMI ZAHRANI 1.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),

Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
On the Security of the “Free-XOR” Technique Ranjit Kumaresan Joint work with Seung Geol Choi, Jonathan Katz, and Hong-Sheng Zhou (UMD)

On the Security of the “Free-XOR” Technique Ranjit Kumaresan Joint work with Seung Geol Choi, Jonathan Katz, and Hong-Sheng Zhou (UMD)
GARBLED CIRCUITS & SECURE TWO-PARTY COMPUTATION

GARBLED CIRCUITS & SECURE TWO-PARTY COMPUTATION
General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.

General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
Secure Computation of Constant-Depth Circuits with Applications to Database Search Problems Omer Barkol Yuval Ishai Technion.

Secure Computation of Constant-Depth Circuits with Applications to Database Search Problems Omer Barkol Yuval Ishai Technion.
Secure Efficient Multiparty Computing of Multivariate Polynomials and Applications Dana Dachman-Soled, Tal Malkin, Mariana Raykova, Moti Yung.

Secure Efficient Multiparty Computing of Multivariate Polynomials and Applications Dana Dachman-Soled, Tal Malkin, Mariana Raykova, Moti Yung.
1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.

1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.
Privacy Preserving Data Mining Yehuda Lindell & Benny Pinkas.

Privacy Preserving Data Mining Yehuda Lindell & Benny Pinkas.

Similar presentations

Ads by Google