- Number of slides: 31
Fairplay – A Secure Two-Party Computation System
Yaron Sella, Hebrew University of Jerusalem
Joint work with Dahlia Malkhi, Noam Nisan, and Benny Pinkas
Project team: Ziv Balshai, Amir Levy, Dudi Einey, Ori Peleg
Usenix Security 2004

Outline
• SFE – Secure Function Evaluation
• Goals
• Fairplay
  – Fairplay computation overview
  – Demo (SFDL & SHDL examples)
  – Bob/Alice two party SFE
  – Experiments

SFE - Secure Function Evaluation
• Started with Yao’s seminal paper (1986 - almost 20 years ago!)
• Allows several parties to perform a joint computation that in real life requires a trusted party, using cryptographic tools only (i.e., the trusted party is not needed!)
• Theoretical significance only?
• We focus on 2-party SFE

SFE Example - Millionaires’ Problem
[Diagram: two parties holding $X and $Y run a Secure Function Evaluation Protocol to learn whether $X is <, = or > $Y]

General Structure of Yao’s Protocol
• Represent f(x, y) as a Boolean circuit
• Bob “garbles” the circuit:
  – For each wire, assigns random values instead of 0/1
  – For each gate, constructs a “secure” truth table
• Bob sends to Alice the tables and garbled versions of his input
• Alice uses oblivious transfer to obtain garbled versions of her input and uses them to compute the output of the circuit

Goals
• Answer some basic questions on SFE:
  – Is two-party SFE practical?
  – Obtain actual measurements of overall computation: How much time is needed to solve the Millionaires’ problem? The Billionaires’ problem?
• Better understanding of SFE computation:
  – Where are the bottlenecks?
  – Computation versus communication
• Test-bed for various optimizations

Fairplay Computation Overview (1)
[Diagram: Bob and Alice each run the same pipeline. Off-line: GUI, SFDL program, SFDL Compiler + Circuit optimizer, SHDL circuit (a file). On-line SFE: SHDL circuit (a file), SHDL Parser, Circuit (Java obj.).]

Fairplay Computation Overview (2)
[Diagram. Bob: Circuit (Java obj.), m x Circuit garbler, Garbled circuits (Java obj.), Circuits send, Reveal secrets. Alice: Circuit (Java obj.), Circuits receive, Circuit choose, Circuits verify. Other label: Read Integer.]

Fairplay Computation Overview (3)
[Diagram. Bob: Input, Input send, OT sender, Output. Alice: Input, Input receive, OT chooser, Circuit evaluator, Output.]

Outline
✓ SFE – Secure Function Evaluation
✓ Goals
✓ Fairplay computation overview
– Demo (SFDL & SHDL examples)
– Bob/Alice two party SFE
– Experiments

The Compilation Paradigm
• SFDL (Secure Function Definition Language): high-level programming language for the function to be evaluated in the trusted party model
  – Allows clear, formal, easily understandable definition and requirements by humans
• SHDL (Secure Hardware Definition Language): low-level language describing Boolean circuits
• “Obliviousness-aware” SFDL → SHDL compiler
• The compiler also produces an I/O format file

SFDL Example

    program Millionaires {
      type int = Int<4>; // 4-bit integer
      type AliceInput = int;
      type BobInput = int;
      type AliceOutput = Boolean;
      type BobOutput = Boolean;
      type Output = struct {AliceOutput alice, BobOutput bob};
      type Input = struct {AliceInput alice, BobInput bob};
      function Output output(Input input) {
        output.alice = input.alice > input.bob;
        output.bob = input.bob > input.alice;
      }
    }

SFDL Properties
• Conventional syntax (C/Pascal-like)
• Type system
  – Boolean, integer, enumerated
• Program structure
  – Declarations: global constants, types
  – Sequence of functions (no nesting [C], no recursion)
  – Function name is its return value [Pascal]
• Conditional execution and loops
  – if-then, if-then-else statements, for-loop
• Assignments and expressions
  – constants, variables, array entries, structure items, function calls, operators (+, -, logical, comparison), parentheses

SHDL Example (1)

    0 input //output$input.bob$0
    1 input //output$input.bob$1
    2 input //output$input.bob$2
    3 input //output$input.bob$3
    4 input //output$input.alice$0
    5 input //output$input.alice$1
    6 input //output$input.alice$2
    7 input //output$input.alice$3
    8 gate arity 2 table [ 1 0 0 0 ] inputs [ 4 5 ]
    9 gate arity 2 table [ 0 1 1 0 ] inputs [ 4 5 ]

SHDL Example (2)

    10 gate arity 2 table [ 0 1 0 0 ] inputs [ 8 6 ]
    11 gate arity 2 table [ 1 0 0 1 ] inputs [ 8 6 ]
    12 gate arity 2 table [ 1 0 0 1 ] inputs [ 10 7 ]
    13 gate arity 2 table [ 0 0 0 1 ] inputs [ 4 0 ]
    14 gate arity 3 table [ 0 0 0 1 1 1 ] inputs [ 13 9 1 ]
    15 gate arity 3 table [ 0 0 0 1 1 1 ] inputs [ 14 11 2 ]
    16 gate arity 2 table [ 0 1 1 0 ] inputs [ 12 3 ]
    17 gate arity 2 table [ 0 1 1 0 ] inputs [ 15 16 ]
    18 output gate arity 1 table [ 0 1 ] inputs [ 17 ]
    …

SHDL Properties
• Each line is a circuit component, i.e.:
  – An input bit, or
  – A Boolean gate with a given truth-table and input wires
• Circuit wiring is based on line numbers
• The compiler produces gates of arity 1, 2, 3
// Comments are ignored (even though the compiler generated them)
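
The SHDL line format described above can be parsed and evaluated in the clear with a few lines of code. This is an added example, not Fairplay's own parser; the sample circuit is constructed, and the table indexing order (first listed input is the high-order bit) is an assumption.

```python
import re

# One SHDL line: "<n> input" or "<n> [output] gate arity <a> table [ ... ] inputs [ ... ]"
LINE = re.compile(r"^(\d+)\s+(output\s+)?(?:(input)|gate\s+arity\s+(\d+)\s+"
                  r"table\s+\[([01\s]+)\]\s+inputs\s+\[([\d\s]+)\])$")

# Constructed sample (not from the slides): 1-bit Millionaires, Bob = wire 0, Alice = wire 1
SAMPLE = """\
0 input //bob
1 input //alice
2 gate arity 2 table [ 0 0 1 0 ] inputs [ 1 0 ]
3 gate arity 2 table [ 0 1 0 0 ] inputs [ 1 0 ]
4 output gate arity 1 table [ 0 1 ] inputs [ 2 ]
5 output gate arity 1 table [ 0 1 ] inputs [ 3 ]
"""

def parse_shdl(text):
    """Map wire number -> None for an input bit, or (table, inputs, is_output) for a gate."""
    circuit = {}
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()            # comments are ignored
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"bad SHDL line: {raw!r}")
        wire = int(m.group(1))
        if m.group(3):
            circuit[wire] = None
            continue
        arity = int(m.group(4))
        table = [int(b) for b in m.group(5).split()]
        inputs = [int(w) for w in m.group(6).split()]
        if len(table) != 2 ** arity or len(inputs) != arity:
            raise ValueError(f"wire {wire}: table or inputs do not match arity {arity}")
        if any(w not in circuit for w in inputs):       # wiring is by line number
            raise ValueError(f"wire {wire}: input wire not defined earlier")
        circuit[wire] = (table, inputs, bool(m.group(2)))
    return circuit

def evaluate(circuit, input_bits):
    values = dict(input_bits)
    for wire, gate in circuit.items():
        if gate is not None:
            table, inputs, _ = gate
            # assumption: the first listed input is the high-order bit of the table index
            index = int("".join(str(values[w]) for w in inputs), 2)
            values[wire] = table[index]
    return {w: values[w] for w, g in circuit.items() if g and g[2]}
```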

The Format File
• Enables the input bits to be specified and the output bits to be presented in a user-friendly format
• Format file example:

    Bob input integer "input.bob" [0 1 2 3]
    Alice input integer "input.alice" [4 5 6 7]
    Alice output integer "output.alice" [18]
    Bob output integer "output.bob" [29]

• Bob’s input bits should be read from the user as an integer

The SFDL → SHDL Compiler’s sequence of steps:
• Parsing
• Function inlining and loop unfolding (obliviousness!)
• Transformation into single bit operations
• Array access handling (cost = O(n) gates)
• Single variable assignment
• Optimizations: local code optimization, duplicate code removal, dead code elimination

Bob-Alice 2-Party SFE – Overview (1)
• Input: C = circuit in SHDL
• Cut-and-Choose:
  – Bob parses C into m garbled circuits, and sends them to Alice. Alice also parses C.
  – Alice chooses one circuit for evaluation - GC
  – Bob exposes secrets of all garbled circuits except GC
  – Alice verifies all exposed garbled circuits
  – Catches cheating with probability 1 - 1/m
• Bob sends his inputs for GC (Alice can’t interpret them because they are garbled)

Bob-Alice 2-Party SFE – Overview (2)
• Oblivious Transfer: Alice obtains her inputs for GC from Bob using a single OT for each Alice input bit (Alice = chooser, Bob = sender)
• Alice evaluates GC
• Alice interprets her outputs (she can’t interpret Bob’s outputs, because they are garbled)
• Alice sends to Bob his outputs
• Bob interprets his outputs
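
Garbled Circuit Preparation (by Bob)
• Wires and their values: $W_i$: $v_i^0, v_i^1$; $W_j$: $v_j^0, v_j^1$; $W_k$: $v_k^0, v_k^1$
• Truth table, garbled truth table (GTT) and encrypted garbled truth table (EGTT):

x | y | out | GTT out | EGTT output
0 | 0 | $b_0$ | $v_k^{b_0}$ | $E(v_k^{b_0})$
0 | 1 | $b_1$ | $v_k^{b_1}$ | $E(v_k^{b_1})$
1 | 0 | $b_2$ | $v_k^{b_2}$ | $E(v_k^{b_2})$
1 | 1 | $b_3$ | $v_k^{b_3}$ | $E(v_k^{b_3})$

• PEGTT: permute rows
• Encryption of the entries:
  – $E(v_k^{b_0})$: $\text{SHA-1}(v_i^0, v_j^0, k) \oplus v_k^{b_0}$
  – $E(v_k^{b_1})$: $\text{SHA-1}(v_i^0, v_j^1, k) \oplus v_k^{b_1}$
  – $E(v_k^{b_2})$: $\text{SHA-1}(v_i^1, v_j^0, k) \oplus v_k^{b_2}$
  – $E(v_k^{b_3})$: $\text{SHA-1}(v_i^1, v_j^1, k) \oplus v_k^{b_3}$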

Garbled Circuit Evaluation (by Alice)
[Diagram: Alice holds $v_i$, $v_j$ and the PEGTT; the output is $v_k$]
• Try decrypting each entry
• $D(v_k')$: $\text{SHA-1}(v_i, v_j, k) \oplus v_k'$ ($= v_k$)
• Note that
  1. Alice doesn’t learn any other table entry.
  2. Alice doesn’t learn if entry and wire values correspond to 0 or 1.
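
The two slides above (Bob's preparation of the PEGTT and Alice's evaluation of it) can be exercised on a single gate. This is an added example, not Fairplay's code; the 10-byte wire values and the all-zero tag that lets Alice recognise the one row she can decrypt are assumptions that the slides do not specify.

```python
import hashlib
import secrets

LABEL = 10          # bytes per wire value (assumption)
TAG = bytes(10)     # zero padding marking a correct decryption (assumption)

def pad(v_i, v_j, k):
    # SHA-1(v_i, v_j, k): the 20-byte pad for one row of gate k
    return hashlib.sha1(v_i + v_j + k.to_bytes(4, "big")).digest()

def xor(a, b):
    return bytes(s ^ t for s, t in zip(a, b))

def new_wire():
    # two random values per wire, standing in for 0 and 1
    return (secrets.token_bytes(LABEL), secrets.token_bytes(LABEL))

def garble_gate(k, table, w_i, w_j, w_k):
    """Bob: table = [b0, b1, b2, b3] for (x, y) = 00, 01, 10, 11. Returns the PEGTT."""
    rows = []
    for x in (0, 1):
        for y in (0, 1):
            out_value = w_k[table[2 * x + y]]                 # GTT entry
            rows.append(xor(pad(w_i[x], w_j[y], k), out_value + TAG))  # EGTT entry
    secrets.SystemRandom().shuffle(rows)                      # permute rows
    return rows

def eval_gate(k, pegtt, v_i, v_j):
    """Alice: try decrypting each entry with the single value she holds per input wire."""
    p = pad(v_i, v_j, k)
    plain = [xor(p, row) for row in pegtt]
    hits = [m[:LABEL] for m in plain if m[LABEL:] == TAG]
    if len(hits) != 1:
        raise ValueError("expected exactly one decryptable row")
    return hits[0]

def garbled_truth_table(table, k=8):
    """Garble one gate, evaluate it on all inputs, and map results back (Bob's view)."""
    w_i, w_j, w_k = new_wire(), new_wire(), new_wire()
    pegtt = garble_gate(k, table, w_i, w_j, w_k)
    return {(x, y): w_k.index(eval_gate(k, pegtt, w_i[x], w_j[y]))
            for x in (0, 1) for y in (0, 1)}
```

Only Bob, who knows both values of the output wire, can perform the final `w_k.index(...)` mapping; Alice sees a random-looking 10-byte value.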

EGL 1-out-of-2 Oblivious Transfer ($OT_1^2$)
• Sender (Bob): $M_0, M_1$; Chooser (Alice): bit b
1. Chooser → Sender: $PK_0, PK_1$ (s.t. only one of $PK_0, PK_1$ can be a “real” PK)
   Sender encrypts: $M_0$ with $PK_0$ (= $E_0$), $M_1$ with $PK_1$ (= $E_1$)
2. Sender → Chooser: $E_0, E_1$
3. Chooser: decrypt $E_0$ or $E_1$

$OT_1^2$ (EGL Paradigm with El-Gamal)
• Input:
  – chooser - a bit $\sigma$
  – sender - two strings $M_0, M_1$
• Output: chooser - $M_\sigma$
• Preliminaries: $Z_q$ is a sub-group of order q of $Z_p^*$; p, q are primes, and q | (p-1). Let g be a generator of $Z_q$. H is a random oracle.
• Initialization: the sender publishes C, a random element in $Z_q$ (whose discrete log to the base g is unknown by the chooser).

$OT_1^2$ Interactive Protocol
• Sender (Bob): $M_0, M_1$; Chooser (Alice): $\sigma$; common: p, q, g, H, C
1. Chooser picks random k in [1, q], and sets public keys: $PK_\sigma = g^k$, $PK_{1-\sigma} = C / PK_\sigma$
   Chooser → Sender: $PK_0$
2. Sender computes $PK_1 = C / PK_0$, chooses random $r_0, r_1$ in $Z_q$, El-Gamal encrypts: $E_0 = \{g^{r_0}, H(PK_0^{r_0}) \oplus M_0\}$, $E_1 = \{g^{r_1}, H(PK_1^{r_1}) \oplus M_1\}$
   Sender → Chooser: $E_0, E_1$
3. Chooser computes $H((g^{r_\sigma})^k) = H(PK_\sigma^{r_\sigma})$ and uses it to decrypt $M_\sigma$
Note: NP01 variant (in RO model)
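
The three protocol steps above, run end to end. This is an added example, not Fairplay's implementation; the group (p = 2039, q = 1019, g = 4) is a toy assumption chosen for readability, whereas the experiments on the next slide use |p| = 1024 and |q| = 160, and exponents are drawn from [1, q-1].

```python
import hashlib
import secrets

# Toy parameters (assumption, far too small for real use): q | p-1, g has order q in Z_p^*
P, Q, G = 2039, 1019, 4

def H(x, n):
    # SHA-1 standing in for the random oracle, truncated to n <= 20 bytes
    return hashlib.sha1(x.to_bytes(2, "big")).digest()[:n]

def xor(a, b):
    return bytes(s ^ t for s, t in zip(a, b))

def sender_init():
    # C: random subgroup element; the chooser must not know its discrete log
    return pow(G, secrets.randbelow(Q - 1) + 1, P)

def chooser_step1(sigma, C):
    k = secrets.randbelow(Q - 1) + 1
    pk_sigma = pow(G, k, P)                      # the one "real" public key
    pk_other = C * pow(pk_sigma, -1, P) % P      # C / PK_sigma, secret key unknown
    return k, (pk_sigma if sigma == 0 else pk_other)   # only PK_0 is sent

def sender_step2(pk0, C, m0, m1):
    pk1 = C * pow(pk0, -1, P) % P                # forces PK_0 * PK_1 = C
    out = []
    for pk, m in ((pk0, m0), (pk1, m1)):
        r = secrets.randbelow(Q - 1) + 1
        out.append((pow(G, r, P), xor(H(pow(pk, r, P), len(m)), m)))
    return out                                   # [E_0, E_1]

def chooser_step3(sigma, k, e):
    g_r, c = e[sigma]
    return xor(H(pow(g_r, k, P), len(c)), c)     # H((g^r)^k) = H(PK_sigma^r)

def run_ot(sigma, m0, m1):
    C = sender_init()
    k, pk0 = chooser_step1(sigma, C)
    e = sender_step2(pk0, C, m0, m1)
    return chooser_step3(sigma, k, e)
```

In the Fairplay setting, m0 and m1 would be the two garbled values of one of Alice's input wires, and sigma her input bit.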

Experiments: Implementation & Setup
• Code written in Java
• Communication: TCP/IP (Java sockets)
• Crypto: Java BigInteger libraries, SHA1 as RO
• Two communication scenarios
  – LAN – 617.8 MBPS, latency 0.4 ms
  – WAN (USA, Israel) – 1.06 MBPS, latency 237.0 ms
• Two PCs – 2.4 GHz
• Parameters: |p|=1024, |q|=160, m=2
• Results: 100 repetitions (compilation excluded)

Experiments – The Four Functions

Function | Number of circuit gates | Total Inputs | Alice Inputs
AND | 32 | 16 | 8
Billionaires | 254 | 64 | 32
Keyed DB search | 1229 | 486 | 6
Median | 4383 | 320 | 160

• AND - a very simple circuit
• Keyed DB - small number of inputs for Alice
• Median – biggest circuit

Experiments – Results Highlights
• Billionaires’ problem:
  – LAN: 1.25 seconds, WAN: 4.01 seconds
• Communication versus computation:
  – Percentage of delay due to communication: LAN: up to 42%, WAN: up to 77%
• Optimizations speed up factor:
  – WAN communication batching: up to 8.8!
  – Same g^r mod p OT variant [NP01]: 1.3
• LAN → WAN slowdown: up to 6.9

Experiments – WAN Detailed Results

WAN Communication
Function | IP (%) | CC (%) | OTs (%) | EV (%) | EET (sec)
AND | 0.2 | 58.4 | 41.4 | 0.0 | 2.57
Billionaires | 0.8 | 45.2 | 53.9 | 0.1 | 4.01
Keyed DB | 5.9 | 64.3 | 29.4 | 0.4 | 3.38
Median | 4.7 | 45.8 | 49.2 | 0.3 | 16.63

IP – Initializations and Parsing
CC – Circuits communication
OTs – Oblivious Transfers
EV – Evaluation of circuit
EET – Elapsed Execution Time

Experiments – LAN Detailed Results

LAN Communication
Function | IP (%) | CC (%) | OTs (%) | EV (%) | EET (sec)
AND | 1.5 | 18.8 | 79.5 | 0.2 | 0.41
Billionaires | 3.2 | 5.4 | 91.1 | 0.3 | 1.25
Keyed DB | 40.4 | 2.8 | 54.1 | 2.7 | 0.49
Median | 13.2 | | 78.7 | 0.9 | 7.09

IP – Initializations and Parsing
CC – Circuits communication
OTs – Oblivious Transfers
EV – Evaluation of circuit
EET – Elapsed Execution Time

Future directions
• Better understanding of experiments’ results
• Improving the compiler (C?)
• New features
  – fair termination
• Optimizations
  – Batch inversion (BS02)
  – Extending OTs (IKNP03)
• Real applications & products
(www.cs.huji.ac.il/labs/danss/Fairplay)