1 / 19

Dual Execution Protocols (for when semi-honest is only semi-good-enough)

Dual Execution Protocols (for when semi-honest is only semi-good-enough). DHOSA MURI Review UVa Falls Church 8 December 2011. David Evans University of Virginia http://www.cs.virginia.edu/evans http://www.MightBeEvil.com. SVA. Cryptographic secure computation.

suzy
Download Presentation

Dual Execution Protocols (for when semi-honest is only semi-good-enough)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Dual Execution Protocols (for when semi-honest is only semi-good-enough) DHOSA MURI Review UVa Falls Church 8 December 2011 David Evans University of Virginia http://www.cs.virginia.edu/evans http://www.MightBeEvil.com

  2. SVA Cryptographic secure computation e.g., Enforce properties on a malicious OS Binary translation andemulation Data-centric security e.g., Enable complex distributed systems, with resilience to hostile OS’s Formal methods Secure browser appliance transformation Hardware support for isolation Secure servers e.g., Prevent dataexfiltration Dealing with malicious hardware web-based architectures HARDWARE SYstem architectures

  3. SVA Cryptographic secure computation e.g., Enforce properties on a malicious OS Binary translation andemulation Data-centric security e.g., Enable complex distributed systems, with resilience to hostile OS’s Formal methods Secure browser appliance transformation Tianhao Tong Hardware support for isolation Secure servers e.g., Prevent dataexfiltration Dealing with malicious hardware web-based architectures HARDWARE SYstem architectures

  4. SVA Cryptographic secure computation e.g., Enforce properties on a malicious OS Binary translation andemulation Data-centric security e.g., Enable complex distributed systems, with resilience to hostile OS’s Formal methods Secure browser appliance Hardware support for isolation Secure servers Jiamin Chen CRA Oustanding Undergraduate Researcher 2012 Honorable Mention e.g., Prevent dataexfiltration Dealing with malicious hardware Peter Chapman CRA Outstanding Undergraduate Researcher Award 2012 Runner-Up web-based architectures Yikan Chen Yan Huang HARDWARE SYstem architectures

  5. Secure Two-Party Computation Bob’s Genome: ACTG… Markers (~1000): [0,1, …, 0] Alice’s Genome: ACTG… Markers (~1000): [0, 0, …, 1] Alice Bob Can Alice and Bob compute a function of their private data, without exposing anything about their data besides the result?

  6. Secure Function Evaluation Alice (circuit generator) Bob (circuit evaluator) Garbled Circuit Protocol Andrew Yao, 1982/1986

  7. Our Approach: Faster Garbled Circuits Circuit-Level Application Circuit Structure Circuit Structure GC Framework (Generator) GC Framework (Evaluator) Pipelining: gates evaluated as they are generated Garbled evaluation can be combined with normal execution Circuit-level optimizations

  8. Results for Semi-honest Protocols Performance Scalability Non-free gates per millisecond Largest circuit executed (non-free gates) Applications biometric identification (5x speedup) [NDSS 2011] Hamming distance (4000x), Edit distance (30x), Smith-Waterman, AES Encryption (16x) [USENIX Sec 2011] private set intersection (faster than best custom protocols) [NDSS 2012]

  9. Standard Threat Models Semi-Honest: Adversary follows the protocol as specified, but tries to learn more from the protocol execution transcript Malicious: Adversary can do anything, guarantees correctness and privacy Reasonable performance, unreasonable assumptions Reasonable assumptions, unreasonable performance

  10. Security Properties Privacy Nothing is revealed other than the output Correctness The output of the protocol is indeed f(x,y) Generator Evaluator Malicious-resistant OT As long as evaluator doesn’t send result back, and a malicious-resistant OT is used, privacy for evaluator is guaranteed. Semi-Honest GC How can we get both correctness, and maintain privacy while giving both parties result?

  11. Dual Execution Protocol Alice Bob first round execution (semi-honest) generator evaluator z=f(x, y) second round execution (semi-honest) evaluator generator z'=f(x, y) z, learned output wire labels fully-secure, authenticated equality test z’,learned output wire labels Pass ifz = z’ and correct wire labels [Mohassel and Franklin, PKC’06]

  12. Dual Execution Protocol Alice Bob first round execution (semi-honest) generator evaluator z=f(x, y) Recall: work to generate is 3x work to evaluate! second round execution (semi-honest) evaluator generator z'=f(x, y) z, learned output wire labels fully-secure, authenticated equality test z’,learned output wire labels Pass ifz = z’ and correct wire labels

  13. Best reported malicious protocol [PSSW09]

  14. Scalability

  15. Security Properties Correctness: guaranteed by authenticated, secure equality test Privacy: Leaks one (extra) bit on average adversarial circuit generator provides a circuit that fails on ½ of inputs Malicious generator can decrease likelihood of being caught, and increase information leaked when caught (but decreases average information leaked): at extreme, circuit fails on just one input

  16. Enhancements Delayed Revelation “Fair” Revelation Each party learns one (matching) bit of output at a time. Don’t reveal semantic value of output until after equality test passes

  17. Biggest Open Question Circuit structure can be checked by evaluator (including free XORs) Design circuit to limit malicious generator’s ability to partition input space. Challenge: can lie about inputs also Can we leak less than one bit on average?

  18. www.MightBeEvil.org evans@cs.virginia.edu Summary first round execution (semi-honest) z=f(x, y) second round execution (semi-honest) z'=f(x, y) fully-secure, authenticated equality test Provides full correctness and maximum one-bit average leakage against fully malicious adversaries (formal proof using ideal/real world model) With pipelining framework, almost free with dual-core, 40-50% over semi-honest protocol with one core.

More Related