1 / 26

Introduction to Secure Computation

Introduction to Secure Computation. Benny Pinkas HP Labs, Princeton. Roadmap. Secure Function Evaluation Motivation and definitions Scenarios Constructions. SFE Example – M illionaires Problem. ? < = >. Secure Function EvaluationProtocol. X $. Y $. Secure Function Evaluation.

cblaze
Télécharger la présentation

Introduction to Secure Computation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Introduction to Secure Computation Benny Pinkas HP Labs, Princeton

  2. Roadmap • Secure Function Evaluation • Motivation and definitions • Scenarios • Constructions

  3. SFE Example – Millionaires Problem ? < = > Secure FunctionEvaluationProtocol X $ Y $

  4. Secure Function Evaluation • A set of (two or more) parties with private inputs wish to compute some joint function of their inputs. • Parties wish to preserve some security properties. E.g., privacy and correctness. • Example: Computing the maximum • Security must be preserved in the face of adversarial behavior by some of the participants.

  5. …Secure Function Evaluation • Cryptography aims for the following (regarding privacy): • A secure protocol must reveal no more information than the output of the function itself • That is, the process of protocol computation reveals nothing.

  6. For every real adversary A there exists an adversary S Protocol interaction Trusted party The Security Definition  REAL IDEAL

  7. Does the trusted party scenario make sense? y x F(x,y) F(x,y) • We cannot hope for more privacy • Does the trusted party scenario make sense? • Are the parties motivated to submit their true inputs? • Can they tolerate the disclosure of F(x,y)? • If so, we can implement the scenario without a trusted party.

  8. Roadmap • Secure Function Evaluation • Motivation and definitions • Scenarios • Constructions

  9. Modeling the Adversary • Semi-honest: follows the protocol but tries to learn more • Malicious: can do anything • E.g., • Protocol: “Flip a random coin and send the result” • Malicious party might… • Easier to provide security against semi-honest adversaries

  10. Modeling the Adversary • Do semi-honest adversaries make sense? • Semi-trusted parties? • Secure hardware/software? • It’s easier for the adversary to eavesdrop than to change the program. • Is there a reasonable model between semi-honest and malicious?

  11. Participating Parties • Two parties. • Multi-party: N parties with private inputs x1,..,xN, wish to compute F(x1,..,xN). • There are generic secure constructions for both scenarios • The constructions for the two-party scenario are usually more efficient

  12. Multi-Party Protocols • The main issues are often the communication pattern and the number of rounds

  13. Computation Server 1 Computation Server 2 Computation Server m Perform computation Provide inputs (and that’s it) A different setting for multi-party protocols? [NPS] Pn P1 P2

  14. dangerous collusion benign collusion benign collusion Trust Computation Server 1 Computation Server 2 Computation Server m Pn P1 P2 This is not weaker security if we have some trust that computation servers do not collude

  15. Advantages • Separation between input providers and computation. • Input providers • submit their inputs independently of each other. • Do not have to coordinate their operation. • Once all inputs are submitted, the computation is performed by the computation servers.

  16. Roadmap • Secure Function Evaluation • Motivation and definitions • Scenarios • Constructions

  17. Secure two-party computation of general functions [Yao, early 80s] • First, represent the function F as a Boolean circuit C • It’s always possible • Sometimes it’s easy (additions, comparisons) • Sometimes the result is inefficient (e.g. for indirect addressing, a[i])

  18. wk0,wk1 G wi0,wi1 wJ0,wJ1 Garbling the circuit • Bob constructs the circuit, and then garbles it. Wk0 = 0 on wire k Wk1 = 1 on wire k |Wk0| = |Wk1| > 80 (Alice will learn one string per wire, but not the bit to which it corresponds.)

  19. wk0,wk1 G wi0,wi1 wJ0,wJ1 Gate tables • For, e.g., an AND gate, Bob constructs a table that enables to compute: • wk0 given wi0,wJ0 • wk0 given wi0,wJ1 • wk0given wi1,wJ0 • wk1 given wi1,wJ1 • I.e., given wix,wJy, can compute wkG(x,y)

  20. wk0,wk1 G wi0,wi1 wJ0,wJ1 Secure computation • Bob sends the tables of the gates to Alice • Given, e.g., wi0,wJ1, she computes wk0, but doesn’t know the actual values of the wires. • If Alice gets garbled values (w’s) of her input values, she can compute the output of the circuit, and nothing else.

  21. Secure computation – the big picture • Represent the function as a circuit C • Bob sends to Alice |C| tables (e.g. 40|C| Bytes). • Alice performs an oblivious transfer for every input bit. (Can do, e.g. 100 OTs per sec.) • ~One round of communication. • Efficient for medium size circuits! • Good for one invocation only! 

  22. FairPlay [Nisan,Malkhi,Pinkas,Sella] • Yao’s construction is about 20 years old. There are no known implementations (?). • FairPlay - a full fledged secure two-party computation system, implementing Yao’s “garbled circuit” protocol. • Goals: • Investigate whether two-party SFE is practical • Actual measurements of overall computation • Breakdown of computation into parts • Test-bed for various optimizations

  23. …FairPlay • The Compilation paradigm • Programs written in a high-level programming language • SHDL: Low-level language describing Boolean circuits • First stage: compile to SHDL and optimize • Second stage: Given an SHDL circuit, generate programs implementing Yao’s protocol

  24. Specific Constructions of SFE • Mean • Max, Min • Set intersection • Median and quintiles

  25. Discussion Points • Candidate applications? • Where will SFE be most beneficial? • How to model the adversary?

  26. Issues • Suppose you cannot access the data • Data cleaning? • What functions do you need to compute?

More Related