
1 Jonathan Katz Professor, Computer Science, UMD Director, Maryland Cybersecurity Center Secure Computation

2 Mathematics Complexity theory Cryptography Cybersecurity

3 Science of Cybersecurity Cryptography

4 Importance of cryptography. Cryptography is a key component in many (all?) security solutions. The cryptographic approach provides a way to move beyond the “design-break-patch” cycle: define (even informally) what you want to achieve; state your assumptions explicitly; prove that your construction achieves your goal. Cryptography is a nucleus for cybersecurity research – foundations for a “secure networked world” … with end-to-end formal guarantees.

5 Scope of modern cryptography “Foundations”: Number theory, block ciphers, hardware, … “Primitives”: encryption/signature schemes, … “Protocols”: key exchange, secure distributed computing, … “Systems”: DB privacy, voting, bitcoin, trust/reputation, …

6 Secure computation

7 A dilemma. Can Alice and Bob determine their shared interests, without revealing any interests they don’t have in common? (Figure: a conversation between Alice and Bob: “Hi… What are your hobbies?” / “…, bird watching, …” / “bird watching?!” Answering directly reveals every hobby, not just the shared ones.)

8 Secure two-party computation. (Figure: Alice and Bob each hold a private list hobby 1, hobby 2, …, hobby n. Instead of answering “Hi… What are your hobbies?” in the clear: “Let’s run a protocol!” The protocol outputs only the intersection {…, bird watching, …}: “bird watching!!”)

9 Secure two-party computation. Are any passengers on the no-fly list? (Figure: one party holds the list Person 1, Person 2, …, Person n; the other holds the manifest Passenger 1, Passenger 2, …, Passenger n.)

10 Natural question I How can these parties (who don’t trust each other) “securely” perform the computation? – While preserving secrecy of their inputs (to the extent possible) – While ensuring correctness of outputs Techniques/ideas from crypto, programming languages, distributed computing

11 Natural question II Why are these questions important? Candidate application domains – [DoD/IC] Secure search, cloud storage – [OFR, Treasury] More transparency, better regulation – Industry interest

12 How can parties securely compute f ?

13 A protocol is secure if it emulates the use of a trusted party. In particular, this implies: the computed results are correct; parties’ inputs remain private (except for what is implied by the outputs); parties’ inputs are chosen independently; and more…

14 Threat models. Semi-honest (honest-but-curious) adversaries – the adversary follows the protocol faithfully, but tries to learn information from the protocol execution. A reasonable threat model in some settings: trusted parties under legal/policy constraints; software attestation, auditing, etc. Malicious adversaries – may behave arbitrarily; still cannot violate the security guarantees.

15 Is secure computation possible? Protocols for secure computation of any function, with security against malicious behavior of any number of parties, have been known since the ’80s. These protocols are generic, and work for any function represented as a boolean circuit.

16 Using generic secure 2PC. (Figure: pipeline – express f in a high-level language → express f in a suitable representation → protocol computing f. Example systems: Fairplay (2004), PSSW (2009), TASTY (2010).)

17 Is secure computation practical? The general perception in the ’80s/’90s was that garbled circuits were hopelessly inefficient – need to express f as a boolean circuit – circuits get big quickly! (> 2^30 gates) – symmetric-key operations linear in the circuit size – public-key operations linear in the input length.

18 Performance (to 2010). (Chart; the data is not recoverable from the transcript.)

19 Using generic secure 2PC. (Figure: the same pipeline – express f in a high-level language → express f in a suitable representation → protocol computing f – annotated with where the gains come from: an efficient implementation, protocol optimizations, and better crypto primitives.)

20 Notable improvements. Protocol level – OT extension [IKNP03] – better garbling (free-XOR [KS08], row reduction [PSSW09], half gates [ZRE15]) – cut-and-choose [LP07, LP11, HKE14, L14, …], new models [MF06, HKE12], amortization [LR14, H+14]. Implementation level [HEKM11] – “pipelining” – reducing the number of wires/gates – optimized circuit libraries.
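As an added worked example (my code, not code from the talk or from any of the systems cited above), here is a complete garble-and-evaluate round in Python for the hobby-intersection function of slide 8. It uses free-XOR [KS08] from the list above, so XOR gates produce no garbled table, together with the standard point-and-permute trick: the low bit of each wire label selects which of the four table rows the evaluator decrypts, so the evaluator does one hash per AND gate instead of trying all rows. Assumed for the demo: HMAC-SHA256 stands in for the garbling PRF, Bob's input labels are handed over directly where a real protocol would use 1-out-of-2 oblivious transfer, and all function and variable names are mine.

```python
# Added example (not code from the talk): Yao garbled circuits with
# point-and-permute and free-XOR for the hobby-intersection function of
# slide 8.  Alice garbles, Bob evaluates.  Assumptions: HMAC-SHA256 stands
# in for the garbling PRF, and 1-out-of-2 OT for Bob's input labels is
# simulated by handing him the right label directly.
import hashlib
import hmac
import os

KAPPA = 16  # label length in bytes (128-bit labels)

def xor(x, y):
    return bytes(p ^ q for p, q in zip(x, y))

def lsb(label):
    return label[-1] & 1  # point-and-permute bit: selects the table row

def H(a, b, gid):
    # Garbling PRF; the gate id keeps rows of different gates distinct.
    msg = a + b + gid.to_bytes(4, "big")
    return hmac.new(b"garble-demo", msg, hashlib.sha256).digest()[:KAPPA]

class Circuit:
    """Boolean circuit over AND/XOR gates; NOT x is XOR with a constant-1 wire."""
    def __init__(self):
        self.gates = []  # (op, in_a, in_b, out), in topological order
        self.n_wires = 0
    def wire(self):
        self.n_wires += 1
        return self.n_wires - 1
    def gate(self, op, a, b):
        out = self.wire()
        self.gates.append((op, a, b, out))
        return out

def hobby_circuit(n):
    """Each party holds n hobby indicator bits.  Outputs: the n bits of the
    intersection, plus one bit saying whether any hobby is shared."""
    c = Circuit()
    one = c.wire()  # constant-1 wire; the garbler supplies its 1-label
    alice = [c.wire() for _ in range(n)]
    bob = [c.wire() for _ in range(n)]
    common = [c.gate("AND", a, b) for a, b in zip(alice, bob)]
    any_common = common[0]
    for w in common[1:]:  # OR(x, y) = NOT(AND(NOT x, NOT y))
        nx = c.gate("XOR", any_common, one)
        ny = c.gate("XOR", w, one)
        any_common = c.gate("XOR", c.gate("AND", nx, ny), one)
    return c, [one] + alice + bob, common + [any_common]

def garble(c, input_wires):
    """Garbler.  Label for bit 0 is zero[w]; for bit 1 it is zero[w] ^ R.
    XOR gates cost nothing (free-XOR); each AND gate gets a 4-row table."""
    R = bytearray(os.urandom(KAPPA))
    R[-1] |= 1  # lsb(R) = 1: the two labels of a wire get different point bits
    R = bytes(R)
    zero = {w: os.urandom(KAPPA) for w in input_wires}
    tables = {}
    for gid, (op, a, b, out) in enumerate(c.gates):
        if op == "XOR":
            zero[out] = xor(zero[a], zero[b])
            continue
        zero[out] = os.urandom(KAPPA)
        table = [None] * 4
        for i in (0, 1):
            for j in (0, 1):
                A = zero[a] if i == 0 else xor(zero[a], R)
                B = zero[b] if j == 0 else xor(zero[b], R)
                C = zero[out] if (i & j) == 0 else xor(zero[out], R)
                table[2 * lsb(A) + lsb(B)] = xor(H(A, B, gid), C)
        tables[gid] = table
    return zero, R, tables

def evaluate(c, tables, labels, outputs):
    """Evaluator: holds exactly one label per wire and never learns R."""
    lab = dict(labels)
    for gid, (op, a, b, out) in enumerate(c.gates):
        A, B = lab[a], lab[b]
        if op == "XOR":
            lab[out] = xor(A, B)
        else:
            lab[out] = xor(H(A, B, gid), tables[gid][2 * lsb(A) + lsb(B)])
    return [lab[w] for w in outputs]

def run_2pc(alice_bits, bob_bits):
    """Returns (intersection bits, any-shared bit, number of garbled tables)."""
    n = len(alice_bits)
    c, inputs, outputs = hobby_circuit(n)
    zero, R, tables = garble(c, inputs)  # Alice
    enc = lambda w, bit: zero[w] if bit == 0 else xor(zero[w], R)
    one, alice_w, bob_w = inputs[0], inputs[1:n + 1], inputs[n + 1:]
    labels = {one: enc(one, 1)}
    labels.update({w: enc(w, bit) for w, bit in zip(alice_w, alice_bits)})
    labels.update({w: enc(w, bit) for w, bit in zip(bob_w, bob_bits)})  # via OT
    out_labels = evaluate(c, tables, labels, outputs)  # Bob
    decode = [lsb(zero[w]) for w in outputs]  # Alice sends the decoding bits
    bits = [lsb(l) ^ d for l, d in zip(out_labels, decode)]
    return bits[:n], bits[n], len(tables)
```

Calling run_2pc([1, 0, 1, 1], [0, 0, 1, 0]) returns the intersection [0, 0, 1, 0], the any-shared bit 1, and 7 garbled tables: one per AND gate and none for the nine XOR gates, which is the saving free-XOR buys. Bob only ever sees one label per wire plus the tables, which is why the output decoding bits have to come from Alice rather than being derivable by Bob.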

21 Huge impact. (Figure: performance and scalability results from [HEKM11].) Secure computation is efficient (for moderately-sized circuits, and semi-honest security). Huang et al., “Faster Secure Two-Party Computation Using Garbled Circuits,” USENIX Security 2011.

22 Using generic secure 2PC. (Figure: the pipeline again – express f in a high-level language → express f in a suitable representation → protocol computing f – now annotated with the open questions at each stage: compile-time optimizations? choice of representation – which representation? which protocol? efficient implementation, protocol optimizations, better crypto primitives; expressiveness? support for low-level optimizations? type checking?)

23 Recent results. Secure 2PC in the RAM model [*] – represent f as a RAM program rather than as a boolean circuit. Better compilers/programming languages for secure 2PC (in the RAM model) [**] – allow programmers to code as usual. Secure 2PC of native MIPS code [***] – language-agnostic. [*] Gordon et al., ACM CCS 2012. [**] Liu et al., IEEE S&P 2014. [***] Gordon et al., in submission.

24 Why the RAM model? Efficiency – the running time of a RAM program can be much smaller than the circuit size (e.g., binary search). Sublinear-time computation for “big data”? – The circuit for any non-trivial function must have size at least linear in the input length. – In fact, linear complexity is inherent for secure computation of any non-trivial function. This is not true for amortized complexity: once the data has been preprocessed, later computations on it can run in sublinear time.

25 Why the RAM model? Better alignment with how programmers think about algorithms and write their code – What is the complexity of sorting? – Dynamic memory accesses (e.g., count[a[i]]++;) – General-purpose computation on a von Neumann architecture Input-dependent running time

26 Key tool: ORAM. Allows oblivious access to stored data, with polylog overhead [GO96, …, S+11, S+13, …]. (Figure: a client holding the ORAM state, and a server holding the data D.)

27 Key tool: ORAM. (Figure: the client issues “read, i_1” to the server through the ORAM and obtains D[i_1], then “read, i_2” and obtains D[i_2], and so on; writes are also supported.) Security: the positions the server sees being accessed are independent of i_1, i_2, …

28 Secure 2PC of RAM programs? (Figure: the client, holding the input x and the ORAM state, runs the program below; the server holds the memory D, reached only through the ORAM.)
    st = x
    d = ⊥
    while (1) {
      (inst, st) = Π(st, d)
      if inst == done, return d
      if inst == (read, i): d = D[i]
      if inst == (write, i): D[i] = d
    }

29 Problems? If server initializes the ORAM itself, access patterns are no longer oblivious to the server! No security against the client! – Client learns st – Client learns ORAM state – Client learns intermediate results of the ORAM computation

30 Conceptually… (Figure: the client (x) and the server (D) hand their state to a “trusted 3rd party”, which holds [ORAM state] and [st]; [·] denotes a value held only by the emulated trusted party, not by either of the two parties.)

31 Conceptually… (Figure: the trusted party holds [ORAM state], [st] and [d] on behalf of the client (x) and the server (D), and runs the loop
    st = x
    d = ⊥
    while (1) {
      (inst, st) = Π(st, d)
      if inst == done, return d
      if inst == (read, i): d = D[i]
      if inst == (write, i): D[i] = d
    }
with each memory access going through the ORAM and yielding the next [d’].) Repeat until inst = done, then reconstruct the final output.

32 A secure protocol! (Figure: the trusted party is replaced by a secure computation of each loop iteration: the client (x) and the server (D) jointly hold [ORAM state] and [st], each step of
    st = x
    d = ⊥
    while (1) {
      (inst, st) = Π(st, d)
      if inst == done, return d
      if inst == (read, i): d = D[i]
      if inst == (write, i): D[i] = d
    }
is computed as a small secure sub-protocol, memory accesses go through the ORAM, and the result [d’] stays inside the secure computation.)

33 Have we gained anything? After the initialization, all circuits computed have small size, independent of |D|. Amortized complexity: say the original computation requires T steps for memory of size S ⇒ the ORAM protocol needs O(T polylog S) lookups ⇒ O(T polylog S) secure-computation sub-protocols on small circuits of size polylog S ⇒ if T is sublinear, sublinear complexity overall!
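To make slides 26 through 33 concrete, the following Python is an added example (mine, not the talk's or the cited papers' code) that runs the loop of slide 28 on top of a small tree-based ORAM in the style of Path ORAM: a binary tree of buckets on the server, a client-side position map and stash, and a fresh random leaf assigned to a block on every access, so that the path the server sees is independent of which index the program asked for. The server-observable quantity is the sequence of root-to-leaf paths read, recorded in accessed_leaves. Assumptions: bucket contents are left unencrypted because encryption is orthogonal to the access-pattern point; in the 2PC setting of slide 32 the position map, stash and program state would be held inside the secure computation rather than by one party; the program is binary search written as the next-instruction function Π(st, d) of slide 28, except that the result is returned alongside done rather than in d; all names are mine.

```python
# Added example (not code from the talk): a Path ORAM-style tree ORAM plus
# the RAM-program loop of slide 28, with binary search as the program.
# Assumptions: buckets are unencrypted (orthogonal to the access-pattern
# argument); position map and stash are client state, which in 2PC would
# live inside the secure computation.
import math
import random

class PathORAM:
    def __init__(self, n_blocks, bucket_size=4, rng=None):
        self.rng = rng or random.Random()
        self.L = max(1, math.ceil(math.log2(n_blocks)))   # tree height
        self.leaves = 2 ** self.L
        self.tree = [[] for _ in range(2 * self.leaves - 1)]  # one bucket per node
        self.Z = bucket_size
        # Client state: position map (block -> random leaf) and stash.
        self.pos = {b: self.rng.randrange(self.leaves) for b in range(n_blocks)}
        self.stash = {}
        self.accessed_leaves = []   # what the server observes, in order

    def _path(self, leaf):
        """Node ids from the given leaf up to the root (root is node 0)."""
        node = leaf + self.leaves - 1
        path = [node]
        while node:
            node = (node - 1) // 2
            path.append(node)
        return path

    def access(self, op, block, data=None):
        """Invariant: a block is in the stash or somewhere on path(pos[block])."""
        leaf = self.pos[block]
        self.pos[block] = self.rng.randrange(self.leaves)  # remap on every access
        self.accessed_leaves.append(leaf)
        path = self._path(leaf)
        for node in path:                      # read the whole path into the stash
            for b, d in self.tree[node]:
                self.stash[b] = d
            self.tree[node] = []
        result = self.stash.get(block)
        if op == "write":
            self.stash[block] = data
        for node in path:                      # evict leaf-to-root, Z blocks per bucket
            fits = [b for b in self.stash if node in self._path(self.pos[b])]
            for b in fits[: self.Z]:
                self.tree[node].append((b, self.stash.pop(b)))
        return result

def run_ram_program(step, state, oram):
    """Slide 28's loop.  step(st, d) -> (inst, st) with inst one of
    ("read", i), ("write", i, v) or ("done", result).  Memory is reached
    only through the ORAM; the step function itself never sees D."""
    d = None
    n_steps = 0
    while True:
        inst, state = step(state, d)
        n_steps += 1
        if inst[0] == "done":
            return inst[1], n_steps
        if inst[0] == "read":
            d = oram.access("read", inst[1])
        elif inst[0] == "write":
            oram.access("write", inst[1], inst[2])
            d = None

def binary_search_program(target, n):
    """Binary search over a sorted n-entry array held in the ORAM.
    State = (lo, hi, pending): pending is the index whose value arrives in d."""
    def step(st, d):
        lo, hi, pending = st
        if pending is not None:
            if d == target:
                return ("done", pending), (lo, hi, None)
            if d < target:
                lo = pending + 1
            else:
                hi = pending - 1
        if lo > hi:
            return ("done", -1), (lo, hi, None)
        mid = (lo + hi) // 2
        return ("read", mid), (lo, hi, mid)
    return step, (0, n - 1, None)

def demo(n=64, target=46, seed=1):
    """Returns (index found or -1, ORAM reads used by the search, loop steps)."""
    oram = PathORAM(n, rng=random.Random(seed))
    for i in range(n):                    # constructed data: D[i] = 2*i
        oram.access("write", i, 2 * i)
    before = len(oram.accessed_leaves)
    step, st0 = binary_search_program(target, n)
    result, n_steps = run_ram_program(step, st0, oram)
    return result, len(oram.accessed_leaves) - before, n_steps
```

demo() loads a 64-entry sorted array with 64 writes and then finds the target 46 at index 23 with 3 ORAM reads, each touching one path of log2(64) + 1 buckets; demo(target=45) reports -1 after 6 reads. The per-step work depends on log |D|, not |D|, which is the small-circuit-per-step cost that slide 33 amortizes; the leaf sequence the server sees is fresh randomness every time, so it says nothing about which indices binary search actually visited.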

34 Performance results (512-bit entries). (Chart; the data is not recoverable from the transcript.)

35 Limitations Programmers still limited to using a fixed (toy?) language to express their programs No support for legacy code Although programs can be made instruction oblivious, doing so increases the number of instructions executed – Existing compilers for secure computation are not as good as gcc…

36 Secure 2PC of MIPS machine code Programmers can write code in a language of their choice (so long as it compiles to MIPS) Existing MIPS code supported “for free” Number of instructions securely executed is exactly * the number of instructions executed in the insecure version Can leverage optimizations already present in existing compilers

37 MIPS execution (high level). (Figure: a MIPS CPU with registers and a program counter (PC) sits beside RAM holding the program and data; each cycle it fetches the next instruction, executes it, and reads or writes memory.)

38 Conceptually… (Figure: P1 holds x and P2 holds y; the secure computation holds the register file [regs] and the program counter [PC], the program and memory live in an ORAM, and each step of the emulated MIPS CPU produces the updated [regs’].)

39 Why are these questions important?

40 DoD IARPA: secure database search – Now being piloted by NCTC DARPA: fully homomorphic encryption (PROCEED); private search (BRANDEIS) Air Force: detecting potential satellite collisions

41 OFR (US Dept. of the Treasury) Looking at using secure computation and differential privacy for facilitating data sharing – Among regulators – Between firms – With researchers and the public Obtain the benefits of transparency, while complying with policy regulations and reducing concerns about confidentiality Flood et al., “Cryptography and the Economics of Supervisory Information: Balancing Transparency and Confidentiality,” Financial Stability Conference 2013

42 Industry Partisia – Danish sugar-beet auction (2008-present) – Wireless-spectrum auctions Sharemind – Statistical analysis of financial data Sepior, Dyadic – Threshold AES decryption

43 Conclusions Tremendous advances in theory and practice of secure 2PC in past few years Real-world deployment is already here! – Will continue to grow in importance and impact

44 Acknowledgments Research supported by – NSF (“TC: Large: Collaborative Research: Practical Secure Computation: Techniques, Tools, and Applications”) – DARPA (“Toward Practical Cryptographic Protocols for Secure Information Sharing”) – ARL-ITA (“Secure Information Flow in Hybrid Coalition Networks”) Papers and code available at http://www.cs.umd.edu/~jkatz/papers.html

45 Questions?

