1 / 57

Scaling Secure Computation

Scaling Secure Computation. David Evans University of Virginia http://www.cs.virginia.edu/evans http://MightBeEvil.com. Oregon Security Day 5 April 2013. (De)Motivating Application: “Genetic Dating”. Alice. Bob. Genome Compatibility Protocol.

dominique-rivers
Download Presentation

Scaling Secure Computation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Scaling Secure Computation David Evans University of Virginia http://www.cs.virginia.edu/evans http://MightBeEvil.com Oregon Security Day 5 April 2013

  2. (De)Motivating Application:“Genetic Dating” Alice Bob Genome Compatibility Protocol Your offspring will have good immune systems! WARNING! Don’t Reproduce Your offspring will have good immune systems! WARNING! Don’t Reproduce

  3. Cost to sequence human genome Moore’s Law prediction (halve every 18 months)

  4. Cost to sequence human genome Moore’s Law prediction (halve every 18 months) Ion torrent Personal Genome Machine

  5. Human Genome Sequencing Using Unchained Base Reads on Self-Assembling DNA Nanoarrays. RadojeDrmanac, Andrew B. Sparks, Matthew J. Callow, Aaron L. Halpern, Norman L. Burns, Bahram G. Kermani, Paolo Carnevali, Igor Nazarenko, Geoffrey B. Nilsen, George Yeung, Fredrik Dahl, Andres Fernandez, Bryan Staker, Krishna P. Pant, Jonathan Baccash, Adam P. Borcherding, AnushkaBrownley, Ryan Cedeno, Linsu Chen, Dan Chernikoff, Alex Cheung, RazvanChirita, Benjamin Curson, Jessica C. Ebert, Coleen R. Hacker, Robert Hartlage, Brian Hauser, Steve Huang, Yuan Jiang, VitaliKarpinchyk, Mark Koenig, Calvin Kong, Tom Landers, Catherine Le, Jia Liu, Celeste E. McBride, Matt Morenzoni, Robert E. Morey, Karl Mutch, Helena Perazich, Kimberly Perry, Brock A. Peters, Joe Peterson, Charit L. Pethiyagoda, KaliprasadPothuraju, Claudia Richter, Abraham M. Rosenbaum, Shaunak Roy, Jay Shafto, UladzislauSharanhovich, Karen W. Shannon, Conrad G. Sheppy, Michel Sun, Joseph V. Thakuria, Anne Tran, Dylan Vu, Alexander Wait Zaranek, Xiaodi Wu, SnezanaDrmanac, Arnold R. Oliphant, William C. Banyai, Bruce Martin, Dennis G. Ballinger, George M. Church, Clifford A. Reid.Science, January 2010.

  6. Dystopia Personalized Medicine

  7. Secure Two-Party Computation Bob’s Genome: ACTG… Markers (~1000): [0,1, …, 0] Alice’s Genome: ACTG… Markers (~1000): [0, 0, …, 1] Alice Bob Can Alice and Bob compute a function of their private data, without exposing anything about their data besides the result?

  8. Secure Function Evaluation Alice (circuit generator) Bob (circuit evaluator) Garbled Circuit Protocol Andrew Yao, 1982/1986

  9. Regular Logic a b AND x

  10. Computing with Meaningless Values? a0ora1 b0orb1 ai,bi,xi are random values, chosen by the circuit generator but meaningless to the circuit evaluator. AND x0orx1

  11. Computing with Garbled Tables Bob can only decrypt one of these! a0ora1 b0orb1 Random Permutation AND x0orx1

  12. Garbled Circuit Protocol Alice (circuit generator) Bob (circuit evaluator) Sends ai to Bob based on her input value How does the Bob learn his own input wires?

  13. Primitive: Oblivious Transfer Alice Bob Oblivious Transfer Protocol Oblivious: Alice doesn’t learn which secret Bob obtains Transfer: Bob learns one of Alice’s secrets Rabin, 1981; Even, Goldreich, and Lempel, 1985; many subsequent papers

  14. Chaining Garbled Circuits a1 a0 b1 b0 We can do any computation privately this way! AND AND x1 x0 OR x2 …

  15. Building Computing Systems

  16. Fairplay Bob Alice SFDL Compiler SFDL Compiler Circuit (SHDL) SFDL Program Garbled Tables Generator Dahlia Malkhi, Noam Nisan, Benny Pinkas and Yaron Sella [USENIX Sec 2004] Garbled Tables Evaluator

  17. Faster Circuit Execution Pipelined Execution Optimized Circuit Library Partial Evaluation Yan Huang (UVa PhD Student) Graduate Yan Huang, David Evans, Jonathan Katz, and LiorMalka. Faster Secure Two-Party Computation Using Garbled Circuits. USENIX Security 2011.

  18. Pipelined Execution Circuit-Level Application Circuit Structure Circuit Structure GC Framework (Generator) GC Framework (Evaluator) x21 x31 x41 x51 x60 x71 Saves memory: never need to keep whole circuit in memory

  19. Pipelining Circuit Generation Circuit Transmission Waiting Circuit Evaluation Circuit Generation Saves time: reduces latency and improves throughput Circuit Transmission Waiting I d l i n g time Circuit Evaluation

  20. Results 100 000 gates/second [HEKM11] [HEKM11] Scalability (billions of gates) Performance (10,000x non-free gates per second)

  21. Semi-Honest is Half-Way There Privacy Nothing is revealed other than the output Correctness The output of the protocol is indeed f(x,y) Generator Evaluator Malicious-resistant OT As long as evaluator doesn’t send result back, and a malicious-resistant OT is used, privacy for evaluator is guaranteed. Semi-Honest GC How can we get both correctness, and maintain privacy while giving both parties result?

  22. Dual Execution Protocols Yan Huang, Jonathan Katz, and David Evans. Quid-Pro-Quo-tocols: Strengthening Semi-Honest Protocols with Dual Execution. IEEE Security and Privacy (Oakland) 2012.

  23. Dual Execution Protocol Alice Bob first round execution (semi-honest) generator evaluator z=f(x, y) second round execution (semi-honest) evaluator generator z'=f(x, y) z, learned output wire labels fully-secure, authenticated equality test z’,learned output wire labels Pass ifz = z’ and correct wire labels [Mohassel and Franklin, PKC’06]

  24. Security Properties Correctness: guaranteed by authenticated, secure equality test Privacy: Leaks one (extra) bit on average adversarial circuit generator provides a circuit that fails on ½ of inputs Malicious generator can decrease likelihood of being caught, and increase information leaked when caught (but decreases average information leaked): at extreme, circuit fails on just one input

  25. 1-bit Leak Victim’s input space Cheating detected

  26. Proving Security: Malicious Show equivalence Ideal World Real World A B A B y ' x' Trusted Party in Ideal World y ' x' Secure Computation Protocol Corrupted party behaves arbitrarily Adversary receives: f (x‘, y‘) Standard Malicious Model: can’t prove this for Dual Execution

  27. Proof of Security: One-Bit Leakage Ideal World Controlled by malicious A B A y ' x' Trusted Party in Ideal World g R  {0, 1} gis an arbitrary Boolean function selected by adversary Adversary receives: f (x‘, y') and g(x‘, y‘) Can prove equivalence to this for Dual Execution protocols

  28. Implementation Alice Bob first round execution (semi-honest) generator evaluator z=f(x, y) Recall: work to generate is 3x work to evaluate! second round execution (semi-honest) evaluator generator z'=f(x, y) z, learned output wire labels fully-secure, authenticated equality test z’,learned output wire labels Pass ifz = z’ and correct wire labels

  29. Performance [Kreuter et al., USENIX Security 2012] Less than 1 second Circuits of arbitrary size can be done this way

  30. Applications Private Personal Genomics Privacy-Preserving Biometric Matching Private AES Encryption Private Set Intersection

  31. NDSS 2012 USENIX Security 2011 NDSS 2011

  32. Crazy Things in Typical Code a[i] = x

  33. Circuit for Array Update a[0] x a[1] a[2] x x i == 0 i == 2 i == 1 … a'[0] a’[1] a’[2] a[i] = x

  34. Easy (and Common) Case for (i = 0; i < n; i++) a[i] += 1 … a[0] a[1] a[2] a[n-1] +1 +1 +1 +1

  35. Circuit Structures Design circuits to support typical data structures efficiently Non-trivial access patterns, but patterns nonetheless Main opportunities: Locality and Batching SameeZahur and David Evans. Circuit Structures for Improving Efficiency of Security & Privacy Tools. IEEE Security and Privacy (Oakland) 2013. SameeZahur (UVa PhD Student)

  36. Locality: Stacks and Queues if (x != 0) a[i] += 1 if (a[i] > 10) i += 1 a[i] = 5 Data-oblivious code No branching allowed t := a.top() + 1 a.cond_update(x != 0, t) a.cond_push(x != 0 && t > 10, *) a.cond_update(x != 0, 5)

  37. Naïve Conditional Push x a[0] a[1] a[2] … … p a’[0] a’[1] a’[2] …

  38. Naïve Conditional Push 7 2 9 3 … … True 7 2 9 …

  39. More Efficient Stack Level 0: 2 9 3 t = 3 Level 1: 5 4 4 7 t = 2 Level 2: 2 3 2 3 8 8 8 6 t = 3 … Block size = 2level Each level has 5 blocks, at least 2 full and 2 empty

  40. Level 0 Level 1 Level 2 2 9 3 5 4 4 7 t = 3 t = 2 t = 3 Conditional push (True, 7) 7 2 9 3 5 4 4 7 t = 4 t = 2 t = 3 Conditional push (True, 8) 8 7 2 9 3 5 4 4 7 t = 5 t = 2 t = 3 Shift 8 2 7 9 3 5 4 4 7 t = 3 t = 3 t = 3

  41. Level 0 Level 1 Level 2 2 9 3 5 4 4 7 t = 3 t = 2 t = 3 Amortized Θ(log n) gates per operation 7 2 9 3 5 4 4 7 t = 4 t = 2 t = 3 Conditional push (True, 8) 8 7 2 9 3 5 4 4 7 t = 5 t = 2 t = 3 8 2 7 9 3 5 4 4 7 t = 3 t = 3 t = 3

  42. Arbitrary Array Accesses(Associative Maps) m[0] = 'A' m[2] = 'U' m[9] = 'M' m[7] = 'R' m[0] = 'D' m[9] = 'Y' m[9] = 'K' m[7] = 'C' Execution trace: indexes and values are private values

  43. Batching Updates m[0] = 'A' m[2] = 'U' m[9] = 'M' m[7] = 'R' m[0] = 'D' m[9] = 'Y' m[9] = 'K' m[7] = 'C' m[0] = 'A' m[0] = 'D' m[2] = 'U' m[7] = 'R' m[7] = 'C' m[9] = 'M' m[9] = 'Y' m[9] = 'K' Sort by Key stable sort!

  44. Batching Updates m[0] = 'A' m[2] = 'U' m[9] = 'M' m[7] = 'R' m[0] = 'D' m[9] = 'Y' m[9] = 'K' m[7] = 'C' m[0] = 'A' m[0] = 'D' m[2] = 'U' m[7] = 'R' m[7] = 'C' m[9] = 'M' m[9] = 'Y' m[9] = 'K' Sort by Key stable sort!

  45. Batching Updates m[0] = 'A' m[2] = 'U' m[9] = 'M' m[7] = 'R' m[0] = 'D' m[9] = 'Y' m[9] = 'K' m[7] = 'C' m[0] = 'A' m[0] = 'D' m[2] = 'U' m[7] = 'R' m[7] = 'C' m[9] = 'M' m[9] = 'Y' m[9] = 'K' m[0] = 'A' m[0] = 'D' m[2] = 'U' m[7] = 'R' m[7] = 'C' m[9] = 'M' m[9] = 'Y' m[9] = 'K' Sort by Key Compare Adjacent stable sort!

  46. Batching Updates m[0] = 'A' m[2] = 'U' m[9] = 'M' m[7] = 'R' m[0] = 'D' m[9] = 'Y' m[9] = 'K' m[7] = 'C' m[0] = 'A' m[0] = 'D' m[2] = 'U' m[7] = 'R' m[7] = 'C' m[9] = 'M' m[9] = 'Y' m[9] = 'K' m[0] = 'A' m[0] = 'D' m[2] = 'U' m[7] = 'R' m[7] = 'C' m[9] = 'M' m[9] = 'Y' m[9] = 'K' Sort by Key Compare Adjacent stable sort!

  47. Batching Updates m[0] = 'A' m[2] = 'U' m[9] = 'M' m[7] = 'R' m[0] = 'D' m[9] = 'Y' m[9] = 'K' m[7] = 'C' m[0] = 'A' m[0] = 'D' m[2] = 'U' m[7] = 'R' m[7] = 'C' m[9] = 'M' m[9] = 'Y' m[9] = 'K' m[0] = 'A' m[0] = 'D' m[2] = 'U' m[7] = 'R' m[7] = 'C' m[9] = 'M' m[9] = 'Y' m[9] = 'K' Sort by Key Compare Adjacent stable sort!

  48. m[0] = 'A' m[2] = 'U' m[9] = 'M' m[7] = 'R' m[0] = 'D' m[9] = 'Y' m[9] = 'K' m[7] = 'C' m[0] = 'A' m[0] = 'D' m[2] = 'U' m[7] = 'R' m[7] = 'C' m[9] = 'M' m[9] = 'Y' m[9] = 'K' m[0] = 'A' m[0] = 'D' m[2] = 'U' m[7] = 'R' m[7] = 'C' m[9] = 'M' m[9] = 'Y' m[9] = 'K' Sort by Key Compare Adjacent output wires m[0] = 'D' m[2] = 'U' m[7] = 'C' m[9] = 'K' m[0] = 'A' m[7] = 'R' m[9] = 'M' m[9] = 'Y' Sort by Liveness stable sort! Discarded

  49. Associative Map Cost Oblivious Stable Sort Circuit Size: Θ(n log n) ⨯ comparison cost Θ(n log2 n) Comparisons and Liveness Marking Oblivious Sort Liveness/Key

  50. Example Application: DBScan Martin Ester, Hans-Peter Kriegel, Jörg Sander, XiaoweiXu. KDD 1996 Density-based clustering: depth-first search to find dense clusters Alice’s Data Bob’s Data Joint Clusters

More Related