Usenix Security 2004 Slide 1 Fairplay – A Secure Two- Party Computation System Yaron Sella Hebrew...
-
date post
21-Dec-2015 -
Category
Documents
-
view
217 -
download
1
Transcript of Usenix Security 2004 Slide 1 Fairplay – A Secure Two- Party Computation System Yaron Sella Hebrew...
Usenix Security 2004 Slide 1
Fairplay – A Secure Two-Fairplay – A Secure Two-Party Computation System Party Computation System
Yaron SellaYaron SellaHebrew University of JerusalemHebrew University of Jerusalem
Joint work with Dahlia Malkhi, Joint work with Dahlia Malkhi, Noam Nisan, and Benny PinkasNoam Nisan, and Benny Pinkas
Project team: Ziv Balshai, Amir Levy, Project team: Ziv Balshai, Amir Levy, Dudi Einey, ODudi Einey, Ori Pelegri Peleg
Slide 2Usenix Security 2004
Outline
• SFE – Secure Function Evaluation
• Goals
• Fairplay– Fairplay computation overview
– Demo (SFDL & SHDL examples)
– Bob/Alice two party SFE
– Experiments
Slide 3Usenix Security 2004
SFE - Secure Function Evaluation
• Started with Yao’s seminal paper (1986 - almost 20 years ago!)
• Allows several parties to perform a joint computation, that in real life requires a trusted party, using cryptographic tools only (i.e., the trusted party is not needed!)
• Theoretical significance only?
• We focus on 2-party SFE
Slide 4Usenix Security 2004
SFE Example - Millionaires’ Problem
$ X $ Y
?
<
=
>
Secure Function
EvaluationProtocol
Slide 5Usenix Security 2004
General Structure of Yao’s Protocol
• Represent f(x,y) as a Boolean circuit• Bob “garbles” the circuit:
wire, assigns random values instead of 0/1 gate, constructs a “secure” truth table
• Bob sends to Alice the tables and garbled versions of his input
• Alice uses oblivious transfer to obtain garbled versions of her input and uses them to compute the output of the circuit
Slide 6Usenix Security 2004
Goals
• Answer some basic questions on SFE:– Is two-party SFE practical?
– Obtain actual measurements of overall computation: How much time is needed to solve the Millionaires’ problem? The Billionaires’ problem?
• Better understanding of SFE computation:– Where are the bottlenecks?
– Computation versus communication
• Test-bed for various optimizations
Slide 7Usenix Security 2004
Fairplay Computation Overview (1)
Bob AliceGUI
SFDL program (a file)
SFDL Compiler + Circuit optimizer
SFDL Compiler + Circuit optimizer
SHDL circuit
SHDL circuit
(a file) (a file)
Off-line
SHDL Parser SHDL Parser
Circuit Circuit(Java obj.) (Java obj.)
On-line SFE
Slide 8Usenix Security 2004
Fairplay Computation Overview (2)
Bob Alice
m x Circuit garbler
Circuits send Circuits receive
Circuit Circuit(Java obj.) (Java obj.)
Garbled circuits (Java obj.)
Circuit chooseRead Integer
Reveal secrets Circuits verify
Slide 9Usenix Security 2004
Fairplay Computation Overview (3)
Bob Alice
Input + input send Input receive
Input
OT chooserOT sender
Circuit evaluatorOutput
Output
Slide 10Usenix Security 2004
Outline
SFE – Secure Function EvaluationGoalsFairplay
Fairplay computation overview
– Demo (SFDL & SHDL examples)
– Bob/Alice two party SFE
– Experiments
Slide 11Usenix Security 2004
The Compilation Paradigm
• SFDL (Secure Function Definition Language) - High-level programming language for the func. to be evaluated in the trusted party model– Allows clear, formal, easily understandable
definition and requirements by humans
• SHDL (Secure Hardware Definition Language) - Low-level language describing Boolean circuits
• “Obliviousness-aware” SFDL SHDL compiler
• The compiler also produces an I/O format file
Slide 12Usenix Security 2004
SFDL Exampleprogram Millionaires {
type int = Int<4>; // 4-bit integer
type AliceInput = int;
type BobInput = int;
type AliceOutput = Boolean;
type BobOutput = Boolean;
type Output = struct {AliceOutput alice, BobOutput bob};
type Input = struct {AliceInput alice, BobInput bob};
function Output output(Input input) {
output.alice = input.alice > input.bob;
output.bob = input.bob > input.alice;
}
}
Slide 13Usenix Security 2004
SFDL Properties
• Conventional syntax (C/Pascal-like)
• Type system – Boolean, integer, enumerated
• Program structure– Declarations: global constants, types
– Sequence of functions (no nesting [C], no recursion)
– Function name is its return value [Pascal]
• Conditional execution and loops– if-then, if-then-else statements, For-loop
• Assignments and expressions– constants, variables, array entries, structure items, function
calls, operators (+, -, logical, comparison), parenthesis
Slide 14Usenix Security 2004
SHDL Example (1)
0 input //output$input.bob$0
1 input //output$input.bob$1
2 input //output$input.bob$2
3 input //output$input.bob$3
4 input //output$input.alice$0
5 input //output$input.alice$1
6 input //output$input.alice$2
7 input //output$input.alice$3
8 gate arity 2 table [ 1 0 0 0 ] inputs [ 4 5 ]
9 gate arity 2 table [ 0 1 1 0 ] inputs [ 4 5 ]
Slide 15Usenix Security 2004
SHDL Example (2)
10 gate arity 2 table [ 0 1 0 0 ] inputs [ 8 6 ]
11 gate arity 2 table [ 1 0 0 1 ] inputs [ 8 6 ]
12 gate arity 2 table [ 1 0 0 1 ] inputs [ 10 7 ]
13 gate arity 2 table [ 0 0 0 1 ] inputs [ 4 0 ]
14 gate arity 3 table [ 0 0 0 1 0 1 1 1 ] inputs [ 13 9 1 ]
15 gate arity 3 table [ 0 0 0 1 0 1 1 1 ] inputs [ 14 11 2 ]
16 gate arity 2 table [ 0 1 1 0 ] inputs [ 12 3 ]
17 gate arity 2 table [ 0 1 1 0 ] inputs [ 15 16 ]
18 output gate arity 1 table [ 0 1 ] inputs [ 17 ]
…
Slide 16Usenix Security 2004
SHDL Properties
• Each line is a circuit component, i.e: – An input bit, or
– A Boolean gate with a given truth-table and input wires
• Circuit wiring is based on line numbers
• The compiler produces gates of arity 1,2,3
// Comments are ignored (even though the compiler generated them)
Slide 17Usenix Security 2004
The Format File
• Enables the input bits to be specified and the output bits to be presented in a user-friendly format
• Format file example:Bob input integer "input.bob" [0 1 2 3]
Alice input integer "input.alice" [4 5 6 7]
Alice output integer "output.alice" [18]
Bob output integer "output.bob" [29]
• Bob’s input bits should be read from the user as an integer
Slide 18Usenix Security 2004
The SFDL SHDL Compiler
Compiler’s sequence of steps:
• Parsing
• Function inlining and loop unfolding (obliviousness!)
• Transformation into single bit operations
• Array access handling (cost = O(n) gates)
• Single variable assignment
• Optimizations: local code optimization, duplicate code removal, dead code elimination
Slide 19Usenix Security 2004
Bob-Alice 2-Party SFE – Overview (1)
• Input: C = circuit in SHDL
• Cut-and-Choose:– Bob parses C into m garbled circuits, and sends them to
Alice. Alice also parses C.– Alice chooses one circuit for evaluation - GC– Bob exposes secrets of all garbled circuits except GC– Alice verifies all exposed garbled circuits– Catches cheating with probability 1-1/m
• Bob sends his inputs for GC (Alice can’t interpret them because they are garbled)
Slide 20Usenix Security 2004
Bob-Alice 2-Party SFE – Overview (2)
• Oblivious Transfer: Alice obtains her inputs for GC from Bob using a single OT per each Alice input bit (Alice = chooser, Bob = sender)
• Alice evaluates GC
• Alice interprets her outputs (she can’t interpret Bob’s outputs, because they are garbled)
• Alice sends to Bob his outputs
• Bob interprets his outputs
Slide 21Usenix Security 2004
Garbled Circuit Preparation (by Bob)
x | y | out0 | 0 | b00 | 1 | b11 | 0 | b21 | 1 | b3
Wi Wj
Wk
vk0
vk1
x | y | out0 | 0 | vk
b0 0 | 1 | vk
b1 1 | 0 | vk
b2 1 | 1 | vk
b3
GTT
x | y | output0 | 0 | E(vk
b0) 0 | 1 | E(vk
b1) 1 | 0 | E(vk
b2) 1 | 1 | E(vk
b3)
EGTT
E(vkb0): SHA-1(vi
0, vj0 , k) vk
b0
E(vkb1): SHA-1(vi
0, vj1 , k) vk
b1
E(vkb2): SHA-1(vi
1, vj0 , k) vk
b2
E(vkb3): SHA-1(vi
1, vj1 , k) vk
b3
vi0, vi
1 vj0, vj
1 PEGTT
Permute rows
Slide 22Usenix Security 2004
Garbled Circuit Evaluation (by Alice)
vi vj
outputvk
’ vk
’’ vk
’’’ vk
’’’’
PEGTT
vk
2. D (vk’ ): SHA-1 (vi , vj
, k) vk’ ( = vk)
1. Try decrypting each entry
Note that
1. Alice doesn’t learnany other table entry.
2. Alice doesn’t learn ifentry and wire valuescorrespond to 0 or 1.
Slide 23Usenix Security 2004
EGL 1-out-of-2 Oblivious Transfer (OT12)
Sender (Bob) Chooser (Alice)
1. PK0, PK1
Encrypt: M0 with PK0 (= E0) M1 with PK1 (= E1)
2. E0, E1
M0, M1 Bit b
3. Decrypt E0 or E1
(s.t. only one of PK0, PK1 can be a “real” PK)
Slide 24Usenix Security 2004
OT12 (EGL Paradigm with El-Gamal)
• Input: chooser - a bit σsender - two strings M0, M1
• Output: chooser - Mσ
• Preliminaries: Zq is a sub-group of order q of Zp*,
p,q are primes, and q | (p-1). Let g be a generator of Zq . H is a random oracle.
• Initialization: the sender publishes C, a random element in Zq (whose discrete log to the base g is unknown by the chooser).
Slide 25Usenix Security 2004
OT12 Interactive Protocol
Sender (Bob) Chooser (Alice)
1. Picks random k in [1,q], and sets public keys: PKσ = gk, PK1-σ = C / PKσPK0
2. Computes PK1 = C / PK0, chooses random r0,r1 in Zq, El-Gamal encrypts: E0 = {gr0 , H(PK0
r0) ^ M0}, E1 = {gr1 , H(PK1
r1) ^ M1} E0, E1
M0, M1 σp, q, g, H, C
3. Computes H((grσ)k) = H(PKσrσ)
and uses it to decrypt Mσ
Note: NP01 variant (in RO model)
Slide 26Usenix Security 2004
Experiments: Implementation & Setup
• Code written in Java
• Communication: TCP/IP (Java sockets)
• Crypto: Java BigInteger libraries, SHA1 as RO
• Two communication scenariosLAN – 617.8 MBPS, latency 0.4 ms
WAN (USA, Israel) – 1.06 MBPS, latency 237.0 ms
• Two PCs – 2.4 GHz
• Parameters: |p|=1024, |q|=160, m=2
• Results: 100 repetitions (compilation excluded)
Slide 27Usenix Security 2004
Experiments – The Four Functions
Function Number of circuit gates
Total Inputs Alice Inputs
AND 32 16 8
Billionaires 254 64 32
Keyed DB search 1229 486 6
Median 4383 320 160
AND - a very simple circuitKeyed DB - small number of inputs for AliceMedian – biggest circuit
Slide 28Usenix Security 2004
Experiments – Results Highlights
• Billionaires’ problem:– LAN: 1.25 seconds, WAN: 4.01 seconds
• Communication versus computation:– Percentage of delay due to communication
LAN: up to 42%, WAN: up to 77%
• Optimizations speed up factor:– WAN communication batching: up to 8.8!
– Same gr mod p OT variant [NP01]: 1.3
• LAN WAN slowdown: up to 6.9
Slide 29Usenix Security 2004
Experiments – WAN Detailed Results
IP – Initializations and ParsingCC – Circuits communicationOTs – Oblivious TransfersEV – Evaluation of circuitEET –Elapsed Execution Time
Function WAN CommunicationIP (%) CC (%) OTs (%) EV (%) EET(sec)
AND 0.2 58.4 41.4 0.0 2.57Billionaires 0.8 45.2 53.9 0.1 4.01Keyed DB 5.9 64.3 29.4 0.4 3.38
Median 4.7 45.8 49.2 0.3 16.63
Slide 30Usenix Security 2004
Experiments – LAN Detailed Results
IP – Initializations and ParsingCC – Circuits communicationOTs – Oblivious TransfersEV – Evaluation of circuitEET –Elapsed Execution Time
Function LAN CommunicationIP (%) CC (%) OTs (%) EV (%) EET(sec)
AND 1.5 18.8 79.5 0.2 0.41Billionaires 3.2 5.4 91.1 0.3 1.25Keyed DB 40.4 2.8 54.1 2.7 0.49
Median 13.2 7.2 78.7 0.9 7.09
Slide 31Usenix Security 2004
Future directions
• Better understanding of experiments’ results
• Improving the compiler (C ?)
• New features– fair termination
• Optimizations– Batch inversion (BS02)
– Extending OTs (IKNP03)
• Real applications & products
(www.cs.huji.ac.il/labs/danss/Fairplay)