Secure Computation with Garbled Circuits

Secure Computation Basics
Yan Huang
Indiana University
May 9, 2016
Dating: Genetically
Good match?
Problem Abstraction
Alice holds x ∈ {0,1}^s. Bob holds y ∈ {0,1}^t. f is a public function.
z = f(x, y)
Security requirement: reveal z but nothing more!
Ideally, with a Trusted Party
Alice sends x and Bob sends y to the trusted party; it computes z = f(x, y) and returns z to each of them.
In the Real World
Secure computation enables this!
Alice, holding x, learns z = f(x, y) but nothing more!
Bob, holding y, learns z = f(x, y) but nothing more!
Secure Computation
Same setting as above: Alice holds x ∈ {0,1}^s, Bob holds y ∈ {0,1}^t, f is public, z = f(x, y).
Security requirement: reveal z but nothing more!
What’s Out of the Scope
• Leaking through the final results
• Bad implementation of the protocol
Timeline, 1980s – 2012
1980s: Secure Computation [Yao, FOCS’82]; Yao’s Circuits [Yao, FOCS’86]
2004: Fairplay [MNPS, USENIX’04]
  Millionaire (x > y): 1 sec
  Median of 20 numbers (16-bit): 7 sec
2008: Edit Distance of 100-char strings: 1.5 m [JKS, S&P’08]
2011: FastGC [HEKM, USENIX’11]
  Millionaire (x > y): 320 μs
  Median of 20 numbers (16-bit): 0.8 ms
  Edit Distance of 100-char strings (Secure Genomics): 4 s
2011 – today: secure gaming, secure biometrics, private navigation, ridge regression, set intersection, time series analysis, binary search, secure auction and voting, zero-knowledge proof, neighborhood watch, whole genome comparison.
This Talk
• Garbled Circuits
• Oblivious Transfer and its Extension
• Formal Definition of Security
• Deal with Active Adversaries
A Binary Gate [Yao, FOCS’86]
Alice holds x = 0 and Bob (Evaluator) holds y = 0. They want to compute 0 NAND 0 on a NAND gate with input wires A, B and output wire Z.
A Binary Gate [Yao, FOCS’86]
Alice (Generator) assigns wire A two labels a0, a1, one per possible wire value; a0, a1 are random bit strings. Bob is the Evaluator.
A Binary Gate [Yao, FOCS’86]
Alice (Generator) assigns a0, a1 to wire A, b0, b1 to wire B and z0, z1 to the output wire Z of the NAND gate; a0, a1, b0, b1, z0, z1 are independent random bit strings.
A Binary Gate [Yao, FOCS’86]
The wire labels are used as keys and the output labels as messages. Alice (Generator) builds the garbled NAND table:
  Enc_{a0,b0}(z1)
  Enc_{a0,b1}(z1)
  Enc_{a1,b0}(z1)
  Enc_{a1,b1}(z0)
A Binary Gate [Yao, FOCS’86]
Alice (Generator) keeps a0, a1, b0, b1 and the output labels z0, z1. Bob (Evaluator) receives the garbled NAND table:
  Enc_{a0,b0}(z1)
  Enc_{a0,b1}(z1)
  Enc_{a1,b0}(z1)
  Enc_{a1,b1}(z0)
A Binary Gate [Yao, FOCS’86]
Alice (Generator) has x = 0, Bob (Evaluator) has y = 0. Holding a0 and b0, Bob tries every row; exactly one decrypts:
  ✔ Enc_{a0,b0}(z1)
  ✗ Enc_{a0,b1}(z1)
  ✗ Enc_{a1,b0}(z1)
  ✗ Enc_{a1,b1}(z0)
Bob obtains z1, i.e. z = 0 NAND 0 = 1.
A Leak [Yao, FOCS’86]
With the rows in their natural order, Bob (Evaluator), holding a0 and b0 for 0 NAND 0, sees which row decrypts:
  ✔ Enc_{a0,b0}(z1)
  ✗ Enc_{a0,b1}(z1)
  ✗ Enc_{a1,b0}(z1)
  ✗ Enc_{a1,b1}(z0)
Alice’s input must be 0 since it’s the first row that can be decrypted.
Prevent the Leak [Yao, FOCS’86]
Alice (Generator) randomly permutes the rows of the garbled table:
  Enc_{a0,b0}(z1), Enc_{a0,b1}(z1), Enc_{a1,b0}(z1), Enc_{a1,b1}(z0)
Prevent the Leak [Yao, FOCS’86]
Bob (Evaluator), holding a0 and b0, receives the permuted table and tries every row; the position of the row that decrypts no longer says anything about Alice’s input:
  ✗ Enc_{a1,b1}(z0)
  ✗ Enc_{a1,b0}(z1)
  ✗ Enc_{a0,b1}(z1)
  ✔ Enc_{a0,b0}(z1)
Transferring b0 obliviously
Alice (Generator) holds b0, b1; Bob (Evaluator) holds y = 0. Bob obtains b0 through Oblivious Transfer.
Transferring b0 obliviously [Naor-Pinkas, SODA’00]
Alice (Generator) inputs (b0, b1) and Bob (Evaluator) inputs y to an Oblivious Transfer; Bob’s output is b_y.
Security of NPOT
• Receiver’s Privacy
  – h is uniformly random, independent of y
• Sender’s Privacy
  – Receiver cannot learn b_{1−y} as it doesn’t know log_g C
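The transfer of b_y sketched on the last three slides, as an added example (this is not code from the talk). It follows the Naor-Pinkas structure: the receiver publishes a key pair (PK_0, PK_1) with PK_0·PK_1 = C for a public C whose discrete log it does not know, so it can hold the secret exponent of at most one key. The group (the 768-bit MODP prime of RFC 2409 with generator 2), SHA-256 as the hash H used to derive the pads, 16-byte wire labels as the messages and the function names are all assumptions of this example.

```python
"""Naor-Pinkas style 1-out-of-2 OT for transferring b_y (added example, not the
talk's code). Assumed instantiation: the 768-bit MODP group of RFC 2409 with
generator 2, SHA-256 as H, and fixed-length byte-string messages (wire labels)."""
import hashlib
import secrets

P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2        # order of the subgroup generated by G
G = 2
NBYTES = (P.bit_length() + 7) // 8


def rand_exp() -> int:
    return secrets.randbelow(Q - 1) + 1


def kdf(elem: int, n: int) -> bytes:
    """H(group element), truncated to n bytes and used as a one-time pad."""
    return hashlib.sha256(elem.to_bytes(NBYTES, "big")).digest()[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


def setup() -> int:
    """C: a random group element; the receiver must not know log_g C."""
    return pow(G, rand_exp(), P)


def receiver_keys(C: int, y: int):
    """Receiver picks k and sets PK_y = g^k, PK_{1-y} = C / PK_y. Both keys are
    uniformly distributed, so h = (PK_0, PK_1) is independent of y."""
    k = rand_exp()
    pk_y = pow(G, k, P)
    pk_other = (C * pow(pk_y, -1, P)) % P
    h = (pk_y, pk_other) if y == 0 else (pk_other, pk_y)
    return k, h


def sender_encrypt(C: int, h, b0: bytes, b1: bytes):
    """Sender checks PK_0 * PK_1 = C (so the receiver knows at most one discrete
    log), then pads b_i with H(PK_i^r) and sends g^r together with c0, c1."""
    if (h[0] * h[1]) % P != C:
        raise ValueError("receiver's keys do not multiply to C")
    r = rand_exp()
    gr = pow(G, r, P)
    c0 = xor(b0, kdf(pow(h[0], r, P), len(b0)))
    c1 = xor(b1, kdf(pow(h[1], r, P), len(b1)))
    return gr, c0, c1


def receiver_decrypt(k: int, y: int, gr: int, c0: bytes, c1: bytes) -> bytes:
    """(g^r)^k = PK_y^r opens c_y. Opening c_{1-y} would need PK_{1-y}^r =
    C^r / PK_y^r, i.e. log_g C or the sender's r, which the receiver lacks."""
    pad = kdf(pow(gr, k, P), len(c0))
    return xor(c0 if y == 0 else c1, pad)


def run_ot(b0: bytes, b1: bytes, y: int) -> bytes:
    """Whole exchange; returns what the receiver learns."""
    C = setup()
    k, h = receiver_keys(C, y)
    gr, c0, c1 = sender_encrypt(C, h, b0, b1)
    return receiver_decrypt(k, y, gr, c0, c1)


if __name__ == "__main__":
    b0, b1 = secrets.token_bytes(16), secrets.token_bytes(16)  # constructed wire labels
    print(run_ot(b0, b1, 0) == b0, run_ot(b0, b1, 1) == b1)
```

The sender-side check that PK_0·PK_1 = C is the step that enforces sender’s privacy: a receiver who skips the relation C = PK_0·PK_1 could choose both keys with known exponents and open both ciphertexts, so a sender that omits the check gives away b_{1−y}.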
Computing a Binary Gate [Yao, FOCS’86]
Alice (Generator) has x = 0 and the labels a0, a1, b0, b1; Bob (Evaluator) has y = 0. Alice sends a0 directly, and Bob obtains b0 by Oblivious Transfer. Bob then tries every row of the garbled NAND table:
  ✗ Enc_{a1,b1}(z0)
  ✗ Enc_{a1,b0}(z1)
  ✗ Enc_{a0,b1}(z1)
  ✔ Enc_{a0,b0}(z1)
The row that opens yields z1, so z = 0 NAND 0 = 1.
Computing a Binary Gate [Yao, FOCS’86]
The same construction works for any gate. For an OR gate with input wires A (labels a0, a1) and B (labels b0, b1) and output wire Z (labels z0, z1), Alice (Generator) sends Bob (Evaluator) the garbled table:
  Enc_{a1,b1}(z1)
  Enc_{a1,b0}(z1)
  Enc_{a0,b1}(z1)
  Enc_{a0,b0}(z0)
Generic Secure Computation [Yao, FOCS’86]
A circuit of AND and OR gates over wires a, b, c, d, e, f, g. Gate 1 (AND) takes input wires c, d and outputs f; Gate 2 (OR) takes input wires e, f and outputs g. Every gate gets its own garbled table:
Gate 1 (AND):
  Enc_{c0,d1}(f0)
  Enc_{c1,d1}(f1)
  Enc_{c1,d0}(f0)
  Enc_{c0,d0}(f0)
Gate 2 (OR):
  Enc_{e0,f1}(g1)
  Enc_{e1,f1}(g1)
  Enc_{e1,f0}(g1)
  Enc_{e0,f0}(g0)
…
The output label of Gate 1 (f0 or f1) is one of the keys for Gate 2, so the evaluator proceeds gate by gate; the cost is O(n) in the number of gates.
We can do any computation privately this way!
Important Optimizations
• XOR can be free
• OT can be extended
• Two rows per gate is enough
– Using Half-Gates garbling (next lecture by Dave)
XOR can be (almost) Free
Pick a global offset R ← {0,1}^n. For every wire, the 1-label is the 0-label XOR R:
  a1 = a0 ⊕ R,  b1 = b0 ⊕ R
AND gate (inputs a, b; output c): c0 random, c1 = c0 ⊕ R.
XOR gate (inputs a, b; output c): c0 = a0 ⊕ b0, c1 = c0 ⊕ R = a0 ⊕ b0 ⊕ R. The evaluator simply XORs the two input labels it holds.
Inexpensive local computation only; no encryption, no communication overhead.
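The garbling of binary gates from the earlier slides (random labels, the table of Enc_{a,b}(z) entries, the leak through row order and its fix by random permutation) together with the free-XOR offset R from this slide, worked through in one added example. This is not code from the talk: the encryption Enc_{a,b}(z), built from a SHA-256-derived pad plus a check tag so that trial decryption can tell which row opens, the two-gate circuit z = (x0 AND y0) XOR (x1 NAND y1), and all wire and function names are assumptions of the example. Bob’s labels for y are handed to him directly here; in the protocol they come through oblivious transfer.

```python
"""Garbling a two-gate circuit: permuted garbled tables for AND/NAND, free XOR.
Added example, not code from the talk; Enc_{a,b}(z) is an assumed construction."""
import hashlib
import secrets

LABEL_BYTES = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


def enc(key_a: bytes, key_b: bytes, gate_id: int, z: bytes) -> bytes:
    """Enc_{a,b}(z): pad z with a key derived from both wire labels and append a
    tag derived the same way; a wrong key pair fails the tag check."""
    d = hashlib.sha256(key_a + key_b + gate_id.to_bytes(4, "big")).digest()
    return xor(z, d[:LABEL_BYTES]) + d[LABEL_BYTES:]


def dec(key_a: bytes, key_b: bytes, gate_id: int, ct: bytes):
    d = hashlib.sha256(key_a + key_b + gate_id.to_bytes(4, "big")).digest()
    if ct[LABEL_BYTES:] != d[LABEL_BYTES:]:
        return None                      # this row was not encrypted under our keys
    return xor(ct[:LABEL_BYTES], d[:LABEL_BYTES])


def AND(p, q):
    return p & q


def NAND(p, q):
    return 1 - (p & q)


class Generator:
    def __init__(self):
        self.R = secrets.token_bytes(LABEL_BYTES)   # global offset for free XOR
        self.labels = {}                             # wire -> (label for 0, label for 1)
        self.gates = []

    def input_wire(self, w):
        l0 = secrets.token_bytes(LABEL_BYTES)
        self.labels[w] = (l0, xor(l0, self.R))       # a1 = a0 XOR R

    def xor_gate(self, a, b, c):
        c0 = xor(self.labels[a][0], self.labels[b][0])   # c0 = a0 XOR b0
        self.labels[c] = (c0, xor(c0, self.R))           # c1 = c0 XOR R
        self.gates.append(("XOR", a, b, c, None))        # no table at all

    def table_gate(self, func, a, b, c, permute=True):
        self.input_wire(c)
        gate_id = len(self.gates)
        rows = []
        for va in (0, 1):
            for vb in (0, 1):            # natural row order 2*va+vb, as on the slides
                z = self.labels[c][func(va, vb)]
                rows.append(enc(self.labels[a][va], self.labels[b][vb], gate_id, z))
        if permute:
            secrets.SystemRandom().shuffle(rows)   # random permutation removes the leak
        self.gates.append(("TABLE", a, b, c, rows))


def evaluate(gates, held):
    """Evaluator: try every row of each table; exactly one decrypts."""
    for gate_id, (kind, a, b, c, rows) in enumerate(gates):
        la, lb = held[a], held[b]
        if kind == "XOR":
            held[c] = xor(la, lb)        # free: local XOR of the two held labels
        else:
            opened = [z for z in (dec(la, lb, gate_id, r) for r in rows) if z is not None]
            assert len(opened) == 1
            held[c] = opened[0]
    return held


def decrypting_row(gates, gate_id, la, lb):
    """Index of the row that opens. For an unpermuted table it is 2*va+vb, so the
    position alone reveals both input bits (the leak shown on the slides)."""
    rows = gates[gate_id][4]
    return next(i for i, r in enumerate(rows) if dec(la, lb, gate_id, r) is not None)


def leak_demo(va, vb):
    g = Generator()
    g.input_wire("a")
    g.input_wire("b")
    g.table_gate(AND, "a", "b", "c", permute=False)
    return decrypting_row(g.gates, 0, g.labels["a"][va], g.labels["b"][vb])


def run(x, y, permute=True):
    """z = (x0 AND y0) XOR (x1 NAND y1); x = (x0, x1) is Alice's, y = (y0, y1) Bob's."""
    g = Generator()
    for w in ("x0", "x1", "y0", "y1"):
        g.input_wire(w)
    g.table_gate(AND, "x0", "y0", "c", permute)
    g.table_gate(NAND, "x1", "y1", "d", permute)
    g.xor_gate("c", "d", "z")
    held = {"x0": g.labels["x0"][x[0]], "x1": g.labels["x1"][x[1]],
            "y0": g.labels["y0"][y[0]], "y1": g.labels["y1"][y[1]]}
    out = evaluate(g.gates, held)["z"]
    return g.labels["z"].index(out)      # generator's decoding of the output label
```

`leak_demo(1, 0)` returns 2 and `leak_demo(0, 1)` returns 1: with the natural row order the evaluator reads both input bits off the row index, which is exactly what the permutation in `table_gate` hides. The XOR gate never appears as a table; its output label is the XOR of the two labels the evaluator already holds, and with the offset R the result is z_{vc⊕vd} for every choice of input bits.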
OT can be Extended
Similar Goal, Different Efforts
Symmetric encryption (PRG, hash): very cheap in practice (easy to implement heuristically).
Oblivious Transfer: asymmetric encryption; orders of magnitude more expensive (hard to implement heuristically).
Can OT be extended the way symmetric primitives extend public-key encryption?
Extending Expensive Primitives
Encryption: encrypting many messages m1, m2, …, mn ⇐ a black-box (symmetric) extension + a single expensive encryption.
Oblivious Transfer: many OTs ⇐ a black-box extension + a few expensive OTs.
High-Level Idea
The sender holds n message pairs, the receiver n choice bits s1, …, sn, arranged as an n-row, k-column matrix. Running only k Oblivious Transfers on the columns yields n row OTs with outputs (m1, s1), (m2, s2), …, (mn, sn).
Receiver: choice bits s = s0, …, s(n−1); T ← {0,1}^{n×k}, with T^i the ith column and T_i the ith row.
Sender: message pairs (m_{i,0}, m_{i,1}) for 0 ≤ i < n; r ← {0,1}^k.
Base OTs on the columns: for each column j (0 ≤ j < k) the receiver offers the pair (T^j, T^j ⊕ s) and the sender, choosing with r_j, obtains T^j if r_j = 0 and T^j ⊕ s if r_j = 1.
Matrix Q, Q_i: ith row. Row-wise this gives
  Q_i = T_i        if s_i = 0
  Q_i = T_i ⊕ r    if s_i = 1
Sender sends: (y0, y1) = (m_{i,0} ⊕ H(i, Q_i), m_{i,1} ⊕ H(i, Q_i ⊕ r)) for 0 ≤ i < n.
Receiver outputs: y0 ⊕ H(i, T_i) if s_i = 0; y1 ⊕ H(i, T_i) if s_i = 1.
m_{i,1−s_i} remains hidden because the receiver never knows T_i ⊕ r.
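The column-to-row extension of the last two slides in the slides’ own notation, as an added example (not code from the talk). The k base OTs are modelled by an ideal functionality `base_ot` that simply hands the sender the column it chose with r_j; in a real deployment these are k actual OTs such as the Naor-Pinkas protocol above. SHA-256 as H, bit lists for the matrix, the message length limit of 32 bytes and the function names are assumptions of the example.

```python
"""OT extension in the slide's notation (added example, not the talk's code).
Base OTs are an ideal functionality here; H is SHA-256 (assumed)."""
import hashlib
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


def xor_bits(a, b):
    return [u ^ v for u, v in zip(a, b)]


def H(i: int, row) -> bytes:
    """H(i, row): hash of the row index and the k-bit row (assumed instantiation)."""
    return hashlib.sha256(i.to_bytes(4, "big") + bytes(row)).digest()


def random_bits(n: int):
    return [secrets.randbelow(2) for _ in range(n)]


def base_ot(pairs, choice_bits):
    """Ideal 1-out-of-2 OT standing in for k real OTs. Roles are reversed: the
    extension receiver acts as base-OT sender with the column pairs, and the
    extension sender acts as base-OT receiver with choice bits r."""
    return [pairs[j][choice_bits[j]] for j in range(len(pairs))]


def extend_ot(messages, s, k=128):
    """messages: n pairs (m_{i,0}, m_{i,1}) of equal length <= 32 bytes;
    s: the receiver's n choice bits. Returns the receiver's outputs m_{i,s_i}."""
    n = len(messages)
    # Receiver: T <- {0,1}^{n x k}; offers the column pairs (T^j, T^j xor s)
    T = [random_bits(k) for _ in range(n)]
    columns = [[T[i][j] for i in range(n)] for j in range(k)]
    pairs = [(col, xor_bits(col, s)) for col in columns]
    # Sender: r <- {0,1}^k; learns Q^j = T^j xor (r_j * s) through the base OTs
    r = random_bits(k)
    q_cols = base_ot(pairs, r)
    Q = [[q_cols[j][i] for j in range(k)] for i in range(n)]   # Q_i = T_i xor (s_i * r)
    # Sender: (y0, y1) = (m_{i,0} xor H(i, Q_i), m_{i,1} xor H(i, Q_i xor r))
    ys = []
    for i, (m0, m1) in enumerate(messages):
        y0 = xor_bytes(m0, H(i, Q[i])[:len(m0)])
        y1 = xor_bytes(m1, H(i, xor_bits(Q[i], r))[:len(m1)])
        ys.append((y0, y1))
    # Receiver: y_{s_i} xor H(i, T_i); the other pad needs T_i xor r, which it lacks
    return [xor_bytes(ys[i][s[i]], H(i, T[i])[:len(ys[i][s[i]])]) for i in range(n)]


if __name__ == "__main__":
    # constructed sample: 8 pairs of 16-byte labels, 8 choice bits
    msgs = [(bytes([i]) * 16, bytes([255 - i]) * 16) for i in range(8)]
    s = [0, 1, 1, 0, 1, 0, 0, 1]
    print(extend_ot(msgs, s, k=16) == [msgs[i][s[i]] for i in range(8)])
```

The cost structure is the point: the only public-key work is inside `base_ot` and its size is k, independent of n; everything per message is a hash and an XOR. As written this is the semi-honest variant: it relies on the receiver using the same s in every column pair, and a receiver who deviates there can be handled only by the consistency checks that actively secure extensions add.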
Do we really need a secure encryption scheme?
  Enc_{a0,b0}(z1), Enc_{a0,b1}(z1), Enc_{a1,b0}(z1), Enc_{a1,b1}(z0)
No, secure garbling schemes suffice. More on this in Dave’s lecture later.
System Level Optimizations
• Design efficient circuits
• Use the right crypto protocols
• Frugal Budgets
– use SC only when absolutely necessary
– Don’t waste any single bit at any time
• Pipelined execution
What if the parties do not follow the protocol?
  – Formalize the notion of security?
  – Dealing with Active Adversaries?
Saved for tomorrow:
  – Efficiently develop your favorite applications?
  – RAM model computation?
Modeling Adversaries
Honest-but-curious: always follows the protocol but tries to learn extra from the execution transcripts.
Malicious/Active: absolutely no restriction on polynomial-time adversaries.
How to Define Security?
• First attempt: breaking security into
  – Correctness
    • P1 learns f1(x,y)
    • P2 learns f2(x,y)
  – Privacy
    • no leak of P1’s x
    • no leak of P2’s y
Counterexample. Coin tossing: f(⋅,⋅) { return rand(); }. P: a one-way permutation.
Alice: s ← {0,1}^k, r ← P(s), sends r, outputs r. Bob: outputs r.
It satisfies the definition but is undesirable since Alice knows a hard-to-compute preimage of r.
Oblivious Transfer [Naor-Pinkas, SODA’00]: Alice (Sender) inputs (b0, b1), Bob (Receiver) inputs y and outputs b_y.
Sender’s Privacy: Receiver cannot learn b_{1−y} as it doesn’t know log_g C.
Yao’s Protocol (Semi-Honest)
Inputs: x and y. One party sends the other a garbled (encrypted) circuit; they compute f(x,y) and learn nothing else.
Example Active Attacks
Garbled AND gate: the evaluator holds a0 or a1 on one input wire and b0 or b1 on the other, and the output label is x0 or x1. The table:
  Enc_{a0,b1}(x0)
  Enc_{a1,b1}(x1)
  Enc_{a1,b0}(x0)
  Enc_{a0,b0}(x0)
Active adversaries can attack a protocol in unexpected ways. How do we define security so that it anticipates future and unknown avenues of attack?
Ideal/Real Paradigm
Ideal world: the parties hand x and y to a trusted party, which returns f1(x,y) to P1 and f2(x,y) to P2 as their outputs.
Real world: the parties run the protocol on x and y and produce outputs f1(x,y) and f2(x,y) themselves.
A protocol is secure if for every (efficient) real-world adversary, there is an ideal-world adversary having an ‘equivalent’ effect.
What are effects?
Everything the Environment/observer sees: the inputs x, y it hands to the parties and the outputs f1(x,y), f2(x,y) it gets back, in the ideal world and in the real world. The two views must be indistinguishable to the environment.
Coin tossing: f(⋅,⋅) { return rand(); }. P: a one-way permutation. Alice: s ← {0,1}^k, r ← P(s), sends r; both output r.
In the Ideal/Real paradigm, we can actually prove the aforementioned coin-tossing protocol cannot be secure: in the real world Alice ends up with both r and its preimage s, whereas in the ideal world the trusted party hands out r = f1(x,y) = f2(x,y) and no ideal-world adversary can produce a preimage s of it.
Achieve Active Security
• Solution: cut-and-choose
The Cut-and-choose Paradigm
The generator produces many garbled circuits. The evaluator opens and checks a random subset of them and evaluates the rest; the final output is the majority of the evaluated circuits’ outputs.
Bound the Failures
n --- total number of circuits
e --- number of error circuits
k --- number of circuits to check
Traditional cut-and-choose: the generator gets away with cheating only if none of the e bad circuits is among the k checked ones, so we require
  C(n−e, k) / C(n, k) < 2^{−80}
[Shen and Shelat, Eurocrypt 2011] ⇒ n ≥ 244 (when e = (n−k)/2 + 1, k ≈ 2n/5)
Roughly 3s circuits needed to achieve s-bit security.
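The bound on this slide computed exactly, as an added example (not code from the talk). `cheat_probability` is the slide’s C(n−e, k)/C(n, k), `majority_bad` is the smallest e that makes the bad circuits a majority of the n−k evaluated ones, and `min_circuits` searches for the smallest n at which that probability drops below 2^{−s}. The search over check fractions and the particular values tried (for instance 146 checked out of 244) are the example’s own choices.

```python
"""Cut-and-choose failure bound C(n-e, k)/C(n, k), computed exactly
(added example, not code from the talk)."""
from fractions import Fraction
from math import comb, log2


def cheat_probability(n: int, e: int, k: int) -> Fraction:
    """Probability that none of the e bad circuits lands among the k checked
    ones when the checked subset is chosen uniformly at random."""
    return Fraction(comb(n - e, k), comb(n, k))    # comb(n-e, k) is 0 once e > n-k


def majority_bad(n: int, k: int) -> int:
    """Smallest e that makes the bad circuits a majority of the n-k evaluated ones;
    fewer bad circuits cannot flip the majority output."""
    return (n - k) // 2 + 1


def security_bits(n: int, k: int) -> float:
    """-log2 of the adversary's best success probability for n circuits, k checked."""
    p = cheat_probability(n, majority_bad(n, k), k)
    return float("inf") if p == 0 else -log2(p)


def min_circuits(check_fraction: float, sec_bits: int = 80, n_max: int = 2000) -> int:
    """Smallest n such that checking round(check_fraction * n) circuits and taking
    the majority of the rest gives the adversary success probability < 2^-sec_bits."""
    for n in range(2, n_max + 1):
        k = round(check_fraction * n)
        if k < 1 or k >= n:
            continue
        if cheat_probability(n, majority_bad(n, k), k) < Fraction(1, 2 ** sec_bits):
            return n
    raise ValueError("bound not reached within n_max")


def circuits_per_bit(check_fraction: float, sec_bits: int = 80) -> float:
    return min_circuits(check_fraction, sec_bits) / sec_bits


if __name__ == "__main__":
    for f in (0.4, 0.5, 0.6, 0.7):
        n = min_circuits(f)
        print(f"check {f:.0%} of circuits: n = {n} ({n / 80:.2f} circuits per security bit)")
```

With 146 of 244 circuits checked and e = 50 the probability is just below 2^{−80}, while 243 circuits are not enough, which reproduces the slide’s n ≥ 244 and its ‘roughly 3s circuits’ for s-bit security; the loop in the usage block shows how the required n moves with the fraction of circuits that is checked.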
Additional Issues
(1) Input consistency among all evaluation circuits: the same x, y must be used in every circuit.
(2) Input consistency between the OT and circuit generation: the labels w_{y_i}, w_{1−y_i} offered in the OT must be the ones used in the garbled circuits.
Recent Advances
Suffices to ensure there is at least one good evaluation circuit generated by the adversary. s circuits can offer s-bit statistical security.
[Lindell, Crypto’13]
[AMPR, EUROCRYPT’14]
Cut-and-choose (Recent Advances)
Check the opened circuits, evaluate the rest. Consistent outcome?
  Yes: output f(x,y).
  No: recover x, then output f(x,y).
Goal
A garbled gate (AND) with input wires A and B and output wire Z, whose two labels are w0 and w1; x is the generator’s input.
If the evaluator learns both w0, w1, it learns x.
The evaluator learning any one of w0, w1 doesn’t learn x.
Whatever binding mechanism is used, ensure no leakage through protocol deviation.
Public inputs: g, h
Generator commits to x as (g^r, g^x h^r), knowing r and s = log_g h.
Generator publishes (h0, h1) such that h0 + h1 = g^{s0} + g^{s1} = g^s = h, together with (h0 g^{w0}, h1 g^{w1}), where w0, w1 are the labels of output wire Z.
Learning s reveals x.
Check: Evaluator verifies h0 + h1 = h and that (w0, w1) matches (h0 g^{w0}, h1 g^{w1}).
Evaluate: Generator sends s0 + w0 and s1 + w1.
Recent Advances (2)
Even more efficient if done collectively, e.g., <7 duplicates for 40-bit security.
[Lindell-Riva, Crypto’14]
[HKKKM, Crypto’14]
[FJNNO, EUROCRYPT’13]
Ongoing work: any duplication factor strictly larger than 2 is achievable if the circuit is sufficiently large; but 2 is impossible to achieve.
Q&A