Presentation is loading. Please wait.

Presentation is loading. Please wait.

Making Secure Computation Practical IBM: Craig Gentry, Shai Halevi, Charanjit Jutla, Hugo Krawczyk, Tal Rabin, NYU: Victor Shoup SRI: Mariana Raykova Stanford:

Published byHerbert Hopkins Modified over 9 years ago

Similar presentations

Presentation on theme: "Making Secure Computation Practical IBM: Craig Gentry, Shai Halevi, Charanjit Jutla, Hugo Krawczyk, Tal Rabin, NYU: Victor Shoup SRI: Mariana Raykova Stanford:"— Presentation transcript:

1 Making Secure Computation Practical IBM: Craig Gentry, Shai Halevi, Charanjit Jutla, Hugo Krawczyk, Tal Rabin, NYU: Victor Shoup SRI: Mariana Raykova Stanford: Dan Boneh UC Irvine: Stanislaw Jarecki

2 Time for Secure Computation The time has come for secure-MPC to enter computing mainstream ▫Like public-key cryptography in the 1990’s The problems are here So are the solutions ▫At least in principle, need to push it to practice SPAR-MPC should be about technical tools to help make it happen

3 This Presentation Useful directions ▫Protocols for huge crowds ▫Semantic leakage ▫Computation with RAM complexity ▫SWHE-based protocols ▫Comparing MPC technologies Musings about automation ▫Computer-aided design/implementation/proofs

4 Protocols for Huge Crowds Need for private computing with a huge number of (loosely-connected?) parties ▫Cars on highway collect road-hazard info, smart phones report nearby friends, etc. Most secure-MPC protocols are not designed for these settings ▫Assume full connectivity, require broadcast, … Some existing work in these directions, but much work remains

5 Semantic Leakage Crypto modeling captures formal leakage ▫Whatever we need to leak to the simulator so that it can simulate But not “semantic” leakage ▫What is actually given away by this leakage This is inherent to some extent ▫Semantic leakage depends on application ▫Same leakage can be harmless in one application, devastating in another

6 Semantic Leakage Identify useful patterns What: access-pattern, access-frequency, timing, … How much: Signal-to-noise ratio, … ▫Identify cases where certain what/how-much combinations are acceptable and useful Composition? Connections to differential privacy?

7 Secure MPC with RAM Complexity When are ORAM-based protocols useful? ▫Asymptotically faster than circuit-based ones ▫But in practice, often much slower ▫Combinations that perform well in practice ORAM for multiple clients Reduce interaction ▫Faster Garbled RAM? ▫Practical RAM-based MPC with little interaction?

8 SWHE-Based MPC Protocols FHE/SWHE perceived as slow ▫Save on interaction, pay with more processing But low-degree SWHE is a handy tool for designing secure-computation protocols Contemporary SWHE provides: ▫A few multiplications ▫Ciphertext packing ▫Variable plaintext space ▫Parallelism Potential for practical efficiency ▫Very little work so far exploiting it

9 Comparing MPC Technologies Several low-level technologies ▫Binary (Yao, GMW) ▫Algebraic black-box (using additive HE) ▫SWHE-based protocols and ways of combining them ▫MPC-in-the-head ▫SPDZ ▫MPC-over-ORAM, Garbled-ORAM How to decide what to use where?

10 Comparing MPC Technologies Develop a comparative corpus of data points Start from a few useful low-level tasks ▫Comparison, Sorting, Regular expressions, … ▫Parameterized by: number of parties, input size, security parameter, adversary model, … Organize a shoot-out, compare different implementations ▫Time, bandwidth, rounds, trust model, …

11 Automation Automation, tool-support, is crucial for practical MPC protocols But our expectations should be modest ▫In general, we cannot expect non-experts to design their own crypto protocols ▫Even without crypto, work-flows design is typically left for domain experts ▫Progress on tool-support for crypto proofs has been slow

12 Automation Tool support for implementation promises better bang-for-buck than for design ▫Implementing secure-MPC is laborious ▫APIs, development environments, languages, would help Example: integrating libraries is hard ▫E.g., using HElib as a primitive inside SCAPI ▫Without losing the low-level optimizations that HElib supports

13 Automation A good development environment can be “scaled up” to support design, proofs ▫Without limiting the developer Example: Use interface/implementation paradigm to specify security guarantees ▫Put hooks for proofs ▫Add tool support for proof-checking if/when it becomes available ▫Use UC-security, relaxation thereof  But allow opt-out of UC as needed

14 Summary Goal: bring secure-MPC to practice Useful directions ▫Protocols for huge crowds ▫Semantic leakage ▫Computation with RAM complexity ▫SWHE-based protocols ▫Comparing MPC technologies Automation ▫Start small, make extensible

Download ppt "Making Secure Computation Practical IBM: Craig Gentry, Shai Halevi, Charanjit Jutla, Hugo Krawczyk, Tal Rabin, NYU: Victor Shoup SRI: Mariana Raykova Stanford:"

Similar presentations

Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz.

Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz.
2009 – E. Félix Security DSL Toward model-based security engineering: developing a security analysis DSML Véronique Normand, Edith Félix, Thales Research.

2009 – E. Félix Security DSL Toward model-based security engineering: developing a security analysis DSML Véronique Normand, Edith Félix, Thales Research.
Wysteria: A Programming Language for Generic, Mixed-Mode Multiparty Computations Aseem Rastogi Matthew Hammer, Michael Hicks (University of Maryland, College.

Wysteria: A Programming Language for Generic, Mixed-Mode Multiparty Computations Aseem Rastogi Matthew Hammer, Michael Hicks (University of Maryland, College.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Evis Trandafili Polytechnic University of Tirana Albania Functional Programming Languages 1.

Evis Trandafili Polytechnic University of Tirana Albania Functional Programming Languages 1.
Optimistic Concurrent Zero-Knowledge Alon Rosen IDC Herzliya abhi shelat University of Virginia.

Optimistic Concurrent Zero-Knowledge Alon Rosen IDC Herzliya abhi shelat University of Virginia.
Garbled RAM, Revisited Daniel Wichs (Northeastern University) Joint work with: Craig Gentry, Shai Halevi, Seteve Lu, Rafail Ostrovsky, Mariana Raykova.

Garbled RAM, Revisited Daniel Wichs (Northeastern University) Joint work with: Craig Gentry, Shai Halevi, Seteve Lu, Rafail Ostrovsky, Mariana Raykova.
ORAM – Used for Secure Computation by Venkatasatheesh Piduri 1.

ORAM – Used for Secure Computation by Venkatasatheesh Piduri 1.
GARBLED CIRCUITS & SECURE TWO-PARTY COMPUTATION

GARBLED CIRCUITS & SECURE TWO-PARTY COMPUTATION
Outsourcing Private RAM Computation Daniel Wichs Northeastern University with: Craig Gentry, Shai Halevi, Mariana Raykova.

Outsourcing Private RAM Computation Daniel Wichs Northeastern University with: Craig Gentry, Shai Halevi, Mariana Raykova.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
Impossibility Results for Concurrent Two-Party Computation Yehuda Lindell IBM T.J.Watson.

Impossibility Results for Concurrent Two-Party Computation Yehuda Lindell IBM T.J.Watson.
CMPT 354, Simon Fraser University, Fall 2008, Martin Ester 52 Database Systems I Relational Algebra.

CMPT 354, Simon Fraser University, Fall 2008, Martin Ester 52 Database Systems I Relational Algebra.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 2 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 2 Jonathan Katz.
Jointly Restraining Big Brother: Using cryptography to reconcile privacy with data aggregation Ran Canetti IBM Research.

Jointly Restraining Big Brother: Using cryptography to reconcile privacy with data aggregation Ran Canetti IBM Research.
1 © IBM, 2003-2004 A Reactively Secure Dolev-Yao-style Cryptographic Library DIMACS, June 2004 Michael Backes, Birgit Pfitzmann, Michael Waidner IBM Research,

1 © IBM, A Reactively Secure Dolev-Yao-style Cryptographic Library DIMACS, June 2004 Michael Backes, Birgit Pfitzmann, Michael Waidner IBM Research,

Similar presentations

Ads by Google