Date post: | 21-Dec-2015 |
Introduction to Secure Computation
Benny Pinkas, HP Labs, Princeton

Secure Function Evaluation
• A set of (two or more) parties with private inputs wish to compute some joint function of their inputs.
• Parties wish to preserve some security properties. E.g., privacy and correctness.
  – Example: Computing the maximum
• Security must be preserved in the face of adversarial behavior by some of the participants.

…Secure Function Evaluation
• Cryptography aims for the following (regarding privacy):
  – A secure protocol must reveal no more information than the output of the function itself
  – That is, the process of protocol computation reveals nothing.

The Security Definition
[Figure: IDEAL (trusted party) vs. REAL (protocol interaction)]
For every real adversary A there exists an adversary S

Does the trusted party scenario make sense?
[Figure: trusted party; inputs x, y; outputs F(x,y), F(x,y)]
• We cannot hope for more privacy
• Does the trusted party scenario make sense?
• Are the parties motivated to submit their true inputs?
• Can they tolerate the disclosure of F(x,y)?
• If so, we can implement the scenario without a trusted party.

Modeling the Adversary
• Semi-honest: follows the protocol but tries to learn more
• Malicious: can do anything
  – E.g.,
    • Protocol: “Flip a random coin and send the result”
    • Malicious party might…
• Easier to provide security against semi-honest adversaries

Modeling the Adversary
• Do semi-honest adversaries make sense?
  – Semi-trusted parties?
  – Secure hardware/software?
  – It’s easier for the adversary to eavesdrop than to change the program.
• Is there a reasonable model between semi-honest and malicious?

Participating Parties
• Two parties.
• Multi-party: N parties with private inputs x1,..,xN, wish to compute F(x1,..,xN).
• There are generic secure constructions for both scenarios
• The constructions for the two-party scenario are usually more efficient

Multi-Party Protocols
• The main issues are often the communication pattern and the number of rounds

A different setting for multi-party protocols? [NPS]
[Figure: parties P1, P2, Pn provide inputs (and that’s it); Computation Server 1, Computation Server 2, Computation Server m perform computation]

Trust
[Figure: parties P1, P2, Pn and Computation Server 1, Computation Server 2, Computation Server m; labels: benign collusion, benign collusion, dangerous collusion]
This is not weaker security if we have some trust that computation servers do not collude

Advantages
• Separation between input providers and computation.
• Input providers
  – submit their inputs independently of each other.
  – Do not have to coordinate their operation.
• Once all inputs are submitted, the computation is performed by the computation servers.

Secure two-party computation of general functions [Yao, early 80s]
• First, represent the function F as a Boolean circuit C
• It’s always possible
• Sometimes it’s easy (additions, comparisons)
• Sometimes the result is inefficient (e.g. for indirect addressing, a[i])

Garbling the circuit
• Bob constructs the circuit, and then garbles it.
[Figure: gate G with input wires carrying ($w_i^0, w_i^1$) and ($w_J^0, w_J^1$), and output wire carrying ($w_k^0, w_k^1$)]
$w_k^0$ = 0 on wire k
$w_k^1$ = 1 on wire k
$|w_k^0| = |w_k^1| > 80$
(Alice will learn one string per wire, but not the bit to which it corresponds.)
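
Gate tables
• For, e.g., an AND gate, Bob constructs a table that enables computing:
  – $w_k^0$ given $w_i^0, w_J^0$
  – $w_k^0$ given $w_i^0, w_J^1$
  – $w_k^0$ given $w_i^1, w_J^0$
  – $w_k^1$ given $w_i^1, w_J^1$
• I.e., given $w_i^x, w_J^y$, can compute $w_k^{G(x,y)}$
[Figure: gate G with input wires carrying ($w_i^0, w_i^1$) and ($w_J^0, w_J^1$), and output wire carrying ($w_k^0, w_k^1$)]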

Secure computation
• Bob sends the tables of the gates to Alice
• Given, e.g., $w_i^0, w_J^1$, she computes $w_k^0$, but doesn’t know the actual values of the wires.
• If Alice gets garbled values (w’s) of her input values, she can compute the output of the circuit, and nothing else.
[Figure: gate G with input wires carrying ($w_i^0, w_i^1$) and ($w_J^0, w_J^1$), and output wire carrying ($w_k^0, w_k^1$)]
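
Added example (not from the original slides): one garbled AND gate as described on the "Gate tables" and "Secure computation" slides, with Bob building the table and Alice evaluating it. The row encryption (a SHA-256 pad plus an all-zero tag), the 128-bit label length and all function names are assumptions of this example; the slides do not specify them, and the oblivious transfer of Alice's input labels is not shown.

```python
import hashlib
import random
import secrets

LABEL = 16       # bytes per wire label (128 bits; the slides only require > 80)
TAG = bytes(16)  # all-zero padding that marks a correctly decrypted row

def H(a: bytes, b: bytes, gate_id: int) -> bytes:
    """Derive a 32-byte one-time pad from the two input labels (assumed KDF)."""
    return hashlib.sha256(a + b + gate_id.to_bytes(4, "big")).digest()

def xor(x: bytes, y: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(x, y))

def new_wire():
    """Two random labels: index 0 stands for bit 0, index 1 for bit 1."""
    return (secrets.token_bytes(LABEL), secrets.token_bytes(LABEL))

def garble_gate(G, wi, wj, wk, gate_id=0):
    """Bob: one row per (x, y), encrypting wk[G(x, y)] under wi[x] and wj[y]."""
    rows = [xor(H(wi[x], wj[y], gate_id), wk[G(x, y)] + TAG)
            for x in (0, 1) for y in (0, 1)]
    random.SystemRandom().shuffle(rows)  # row position must not reveal (x, y)
    return rows

def eval_gate(rows, label_i, label_j, gate_id=0):
    """Alice: holds one label per input wire and recovers one output label."""
    pad = H(label_i, label_j, gate_id)
    hits = [p[:LABEL] for p in (xor(pad, r) for r in rows) if p[LABEL:] == TAG]
    if len(hits) != 1:
        raise ValueError("no unique row decrypts under these labels")
    return hits[0]

def demo() -> bool:
    """Check that every input label pair yields the label of x AND y."""
    AND = lambda x, y: x & y
    wi, wj, wk = new_wire(), new_wire(), new_wire()
    table = garble_gate(AND, wi, wj, wk)
    return all(eval_gate(table, wi[x], wj[y]) == wk[x & y]
               for x in (0, 1) for y in (0, 1))

if __name__ == "__main__":
    print("AND gate evaluates correctly on all inputs:", demo())
```

Alice sees only random-looking labels: three of the four input pairs give her the same output label, and nothing in it tells her that it stands for 0.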

Secure computation – the big picture
• Represent the function as a circuit C
• Bob sends to Alice |C| tables (e.g. 40|C| bytes).
• Alice performs an oblivious transfer for every input bit. (Can do, e.g. 100 OTs per sec.)
• ~One round of communication.
• Efficient for medium size circuits!
• Good for one invocation only!

FairPlay [Nisan, Malkhi, Pinkas, Sella]
• Yao’s construction is about 20 years old. There are no known implementations (?).
• FairPlay - a full fledged secure two-party computation system, implementing Yao’s “garbled circuit” protocol.
• Goals:
  – Investigate whether two-party SFE is practical
  – Actual measurements of overall computation
  – Breakdown of computation into parts
  – Test-bed for various optimizations

…FairPlay
• The Compilation paradigm
  – Programs written in a high-level programming language
  – SHDL: Low-level language describing Boolean circuits
  – First stage: compile to SHDL and optimize
  – Second stage: Given an SHDL circuit, generate programs implementing Yao’s protocol

Discussion Points
• Candidate applications?
• Where will SFE be most beneficial?
• How to model the adversary?