Scaling Secure Computation Using the Cloud
Payman Mohassel, Yahoo Labs
TRANSCRIPT
Solutions?
• You have access to a trusted computer
• You can use an airline reservation service
• You can use a password login page
Secure Multiparty Computation (MPC)
Parties learn only f(x1, …, xn)
[Figure: five parties P1, …, P5 holding inputs x1, …, x5 jointly compute f]
Correctness: honest parties learn the correct output
Privacy: nothing but the final output is leaked
Location-Based Services
• Serving information/services
– stores, restaurants, ATMs, …
– tourist guides, ads, …
• Location-based access control
Privacy-Preserving Proximity Testing: Alice and Bob learn if they are close to each other but nothing else [NTLH11, KMRS13]
Remote Diagnosis
• Programs: error reporting systems, medical diagnosis program, IDS/IPS rule sets, DNA patterns
• Inputs: log files, list of symptoms, packets, DNA database
Privacy-Preserving Intrusion Detection: the IDS rule set is compiled to a DFA and evaluated with oblivious DFA evaluation; implemented and tested on Snort [MNS13]
More Applications
• Data mining
• Electronic voting
• Auctions
• Exchanges/financial analysis
• Location privacy
• Genomic computation
• Electronic commerce
• Healthcare
• When there is IP, an NDA, or user consent involved
• When you need to distribute trust
A Heuristic Approach to Security
1. Build a protocol
2. Try to break the protocol
3. Fix the break
4. Return to (2)
[Lindell]
The Challenge Is
• You can never be really sure that the protocol is secure
• Compare to algorithms:
– Inputs are not adversarial
– Hackers will do anything to exploit a weakness; if one exists, it may well be found
– Security cannot be checked empirically
[Lindell]
A Rigorous Approach
• Provide an exact problem definition
– Adversarial power
– Network model
– Meaning of security
• Prove that the protocol is secure
– Often by reduction to an assumed hard problem, like the discrete-log problem
[Lindell]
Our Adversary
• Adversary is an algorithm
• Adversary runs in polynomial time
• Adversary corrupts one of the two parties
– We do not know which one
• How does the corrupted party behave?
– Follows the protocol (semi-honest)
– Behaves arbitrarily (malicious)
What Does Security Mean?
• Correctness
– An honest party learns the correct output
• Privacy
– Nothing but the final output is leaked
• Fairness
– Either both parties learn the output or neither
Is It Achievable?
• Feasible for any polynomial-time function
• Boolean circuits
– [Yao82, GMW87, BMR90, …]
• Arithmetic circuits
– [BGW88, CCD88, …]
Implementations
• Fairplay, FairplayMP
– Implementations of 2PC & MPC
• VIFF and SEPIA
– Sharing-based MPC
– Real-life usage
• Sharemind
– 3-party MPC
– Financial data analysis
• TASTY
– Mixed MPC framework (HE + garbled circuits)
• Fast Garbled Circuits
– Highly-optimized garbled circuit framework
• FRESCO
– A reusable set of libraries for implementing MPC
• SCAPI
– A set of Java-based libraries for MPC
• SPDZ
– MPC implementation with fast online phase
Dyadic Security
Yao’s Garbled Circuits
• First secure computation protocol
• One of the most efficient
• Implementations
– Fairplay, 2004
– TASTY, 2010
– FastGarble, 2011
– SCAPI, 2013
– JustGarble, 2013
– …
• Circuits with millions of gates in less than a second
A Garbling Scheme
[Figure: the garbling scheme interface for a circuit $C$ with $C(x, y) = f(x, y)$]
$\mathrm{Garble}(C) \rightarrow (GC, E, D)$: garbled circuit, encoding information, decoding information
$\mathrm{Encode}(x, E) \rightarrow GI_x$, $\mathrm{Encode}(y, E) \rightarrow GI_y$: garbled inputs
$\mathrm{Eval}(GC, GI_x, GI_y) \rightarrow GO$: garbled output
Decoding $GO$ with $D$ yields $f(x, y)$
Some Basic Properties
• Privacy: knowing $GC$, $GI_x$, and $GI_y$ does not leak any info
• Output Authenticity: cannot compute another valid output $GO'$
[Figure: the evaluator's view $(GC, GI_x, GI_y)$, the decoding information $D$, and the output $f(x, y)$]
Garble/Evaluate
An AND gate with input wires 1 and 2 and output wire 3; each wire $i$ carries two keys $k_i^0, k_i^1$.
Garble: one ciphertext per input pair, each encrypting the output key for that pair
$$c_{0,0} = E_{\{k_1^0, k_2^0\}}(k_3^0), \quad c_{0,1} = E_{\{k_1^0, k_2^1\}}(k_3^0), \quad c_{1,0} = E_{\{k_1^1, k_2^0\}}(k_3^0), \quad c_{1,1} = E_{\{k_1^1, k_2^1\}}(k_3^1)$$
Evaluate: holding $k_1^a$ and $k_2^b$, the evaluator recovers only the output key for $a \wedge b$
$$\mathrm{Dec}_{\{k_1^a, k_2^b\}}(c_{a,b}) = k_3^{a \wedge b}$$
The decoding information $D$ is then applied to the output key.
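The AND-gate garbling and evaluation above, as an added worked example in Python (not code from the slides): wire labels are random 16-byte keys, $E_{\{k_1,k_2\}}$ is an assumed hash-based one-time-pad construction chosen so the example runs with the standard library only (deployed garblers use AES-based encryption), the four rows are shuffled, and the evaluator recognises the single row its two labels open by a padding check. $D$ is the map from output labels to bits.

```python
import hashlib
import os
import secrets
from typing import Dict, List, Optional, Tuple

KEY_LEN = 16              # bytes per wire label k_i^b
PAD = b"\x00" * KEY_LEN   # padding lets the evaluator recognise the row its labels open

def _enc(k1: bytes, k2: bytes, gate_id: bytes, m: bytes) -> bytes:
    # E_{k1,k2}(m): XOR (m || PAD) with H(k1 || k2 || gate_id); assumed toy construction
    mask = hashlib.sha256(k1 + k2 + gate_id).digest()          # 32 bytes
    return bytes(a ^ b for a, b in zip(m + PAD, mask))

def _dec(k1: bytes, k2: bytes, gate_id: bytes, c: bytes) -> Optional[bytes]:
    # Dec_{k1,k2}(c): returns the label only if the padding checks out
    mask = hashlib.sha256(k1 + k2 + gate_id).digest()
    pt = bytes(a ^ b for a, b in zip(c, mask))
    return pt[:KEY_LEN] if pt[KEY_LEN:] == PAD else None

def garble_and(gate_id: bytes = b"gate-0"):
    """Garble one AND gate: fresh labels for wires 1, 2, 3 and four shuffled ciphertexts."""
    k: Dict[int, Tuple[bytes, bytes]] = {
        w: (os.urandom(KEY_LEN), os.urandom(KEY_LEN)) for w in (1, 2, 3)}
    # c_{a,b} = E_{k_1^a, k_2^b}(k_3^{a AND b})
    gc: List[bytes] = [_enc(k[1][a], k[2][b], gate_id, k[3][a & b])
                       for a in (0, 1) for b in (0, 1)]
    secrets.SystemRandom().shuffle(gc)   # hide which row belongs to which input pair
    e = {1: k[1], 2: k[2]}               # encoding info E: input-wire labels
    d = {k[3][0]: 0, k[3][1]: 1}         # decoding info D: output label -> bit
    return gc, e, d

def encode(e: Dict[int, Tuple[bytes, bytes]], wire: int, bit: int) -> bytes:
    return e[wire][bit]                  # garbled input for one wire

def evaluate(gc: List[bytes], gi_x: bytes, gi_y: bytes, gate_id: bytes = b"gate-0") -> bytes:
    """Evaluator holds one label per input wire and can open exactly one row."""
    hits = [m for c in gc if (m := _dec(gi_x, gi_y, gate_id, c)) is not None]
    if len(hits) != 1:
        raise ValueError("expected exactly one decryptable row, got %d" % len(hits))
    return hits[0]                       # GO: the label k_3^{a AND b}

def decode(d: Dict[bytes, int], go: bytes) -> int:
    return d[go]

def and_via_garbling(a: int, b: int) -> int:
    """End-to-end for one gate: garble, encode both inputs, evaluate, decode."""
    gc, e, d = garble_and()
    return decode(d, evaluate(gc, encode(e, 1, a), encode(e, 2, b)))
```

For a full circuit the output labels of one gate serve as the input labels of the next, and the $D$ lookup is applied only on the circuit's final output wires.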
Semi-honest 2PC
Garbler holds $x$, Evaluator holds $y$, with $C(x, y) = f(x, y)$.
Garbler: $(GC, E, D) \leftarrow \mathrm{Garble}(C, sd)$ and $GI_x \leftarrow \mathrm{Encode}(x, E)$
Garbler sends $GC$ and $GI_x$ to the Evaluator; the Evaluator obtains $GI_y$ through Oblivious Transfer
Evaluator evaluates and obtains $f(x, y)$
Efficiency Metrics
• Computation
– Cheap: SHA, AES, …
– Expensive: exponentiations, …
• Communication
– A major challenge, especially for small devices
• Interaction
– Minimize coordination
• Memory usage
Limits of Standard MPC
• MPC is symmetric
– All parties' work/bandwidth is similar
• MPC does not always scale
– Cost proportional to circuit size
– Circuits with billions of gates
• Unavoidable overhead
– Crypto is expensive
– E.g., public-key crypto is required
Server-Aided Model
• Introduce a server
– No input or output
– Considerable resources
– Motivated by cloud services
• Assumptions
– Honest, semi-honest, malicious?
– Collude or not collude?
• Server involvement
– Is it always online?
– Knows the function, parties, …?
• Outsourcing secure multiparty computation, ePrint, 2011
• Salus: a system for server-aided secure computation, ACM CCS, 2012
Honest Cloud
• Cloud is trusted with
– Privacy of inputs/outputs
– Correctness of its computation
• Easy case!
– Each party sends its inputs to the cloud
– Cloud does all the computation
– Status quo
Dishonest Cloud
• Semi-honest
– Trusted with correct computation
– Not trusted with privacy of inputs/outputs
• Malicious
– Is not trusted with anything
1) Service Providers
• SP and cloud have resources
• Clients have limited resources
[Figure: weak clients with inputs x1, x2, x3, a service provider (SP), and the cloud; output y]
Goal: weak clients need little work/bandwidth
• Salus [KMR 2012]
• General-purpose
• Clients do very small work
2) Collaborative Computing
[Figure: parties holding x1, x2, x3 and a cloud]
Goal: minimize average computation of all players
We don’t trust each other
There is a cloud we don’t necessarily trust, but it can help
• SA-PSI [KMRS 2013]
• Server-aided private set intersection
• Scales to billion-element sets
• Over the internet (using MS Azure)
• 5 orders of magnitude improvement!
3) Privacy as a Service
[Figure: offline phase, each party obtains a privacy commodity cd1, cd2, cd3 from the cloud; online phase, the parties compute on (cd1, x1), (cd2, x2), (cd3, x3)]
Goal: minimize online computation/bandwidth; minimize online cloud interaction
Obtain a “privacy commodity” from the cloud
• CB-2PC for smartphones [MOR 2013]
• Implemented as an Android app
• Privacy commodities = app updates
• Independent of function/inputs/parties
• Minor cloud involvement
• Function is secret to the cloud
References
[AL07] Aumann and Lindell. Security against covert adversaries: Efficient protocols for realistic adversaries. TCC 2007.
[CLS09] Chow et al. Privacy-Preserving Queries over Distributed Databases. NDSS 2009.
[DCCR12] Dong et al. Fair Private Set Intersection with a Semi-trusted Arbiter. ePrint 2012.
[FR97] Franklin and Reiter. Fair exchange with a semi-trusted third party. ACM CCS 1997.
[GHS10] Gennaro et al. Automata evaluation and text search protocols with simulation based security. PKC 2010.
[GMS08] Goyal et al. Secure Two-party and Multi-party Computation against Covert Adversaries. EUROCRYPT 2010.
[HEK12] Huang et al. Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? NDSS 2012.
[HEKM11] Huang et al. Faster Secure Two-Party Computation Using Garbled Circuits. USENIX Security 2011.
[HKE12] Huang et al. Quid Pro Quo-tocols: Strengthening Semi-Honest Protocols with Dual Execution. IEEE S&P 2012.
[IP07] Ishai and Paskin. Evaluating branching programs on encrypted data. TCC 2007.
[JKSS10] Jarvinen et al. Garbled Circuits for Leakage-Resilience: Hardware Implementation and Evaluation of One-Time Programs. CHES 2010.
[KMR11] Kamara et al. Outsourcing Multiparty Computation. ePrint 2011.
[KMR12] Kamara et al. Salus: A System for Server-Aided Secure Function Evaluation. ACM CCS 2012.
[KS08] Kolesnikov and Schneider. Improved Garbled Circuit: Free XOR Gates and Applications. ICALP 2008.
[KSS12] Kreuter et al. Towards Billion-Gate Secure Computation with Malicious Adversaries. USENIX Security 2012.
[LP07] Lindell and Pinkas. An efficient protocol for secure two-party computation in the presence of malicious adversaries. EUROCRYPT 2007.
[LP11] Lindell and Pinkas. Secure two-party computation via cut-and-choose oblivious transfer. TCC 2011.
[LTV12] Lopez-Alt et al. On-the-Fly Multiparty Computation on the Cloud via Multikey Fully Homomorphic Encryption. STOC 2012.
[MF06] Mohassel and Franklin. Efficiency Tradeoffs for Malicious Two-Party Computation. PKC 2006.
[MN12] Mohassel and Niksefat. Oblivious Decision Programs from Oblivious Transfer: Efficient Reductions. FC 2012.
[MNSS13] Mohassel et al. ZIDS: A Privacy-Preserving Intrusion Detection System using Secure Two-Party Computation Protocols. To appear in the Computer Journal 2013.
[MNSS12] Mohassel et al. An Efficient Protocol for Oblivious DFA Evaluation and Applications. CT-RSA 2012.
[MR13] Mohassel and Riva. More Efficient Secure Two-Party Computation Protocols Based on Cut-and-Choose. CRYPTO 2013.
[NPS99] Naor et al. Privacy Preserving Auctions and Mechanisms. EC 1999.
[NTLHB11] Narayanan et al. Location privacy via private proximity testing. NDSS 2011.
[PSSW09] Pinkas et al. Secure two-party computation is practical. ASIACRYPT 2009.
[SS11] Shelat and Shen. Two-output secure computation with malicious adversaries. EUROCRYPT 2011.