1 / 45

GPU and CPU Parallelization of Honest-but-Curious Secure Two-Party Computation

GPU and CPU Parallelization of Honest-but-Curious Secure Two-Party Computation. Nathaniel Husted, Steve Myers, abhi shelat , Paul Grubbs. Alice and Bob want to compute a public function of their private inputs. Secure Two-party Computation. Disease Database. Alice. Bob.

deiondre
Télécharger la présentation

GPU and CPU Parallelization of Honest-but-Curious Secure Two-Party Computation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. GPU and CPU Parallelization of Honest-but-Curious Secure Two-Party Computation Nathaniel Husted, Steve Myers, abhishelat, Paul Grubbs

  2. Alice and Bob want to compute a public function of their private inputs. Secure Two-party Computation Disease Database Alice Bob

  3. Secure Two-party Computation Alice Bob Y X => Alice & Bob F(X,Y) Alice provides X. Bob provides Y. F(X,Y) is correctly calculated without Bob learning X and Alice learning Y.

  4. Yao’s Garbled Circuits [Yao1986] X XOR 0 OUTPUTS Y XOR 1 0 F(X,Y) AND 2 OR 4 AND 3

  5. I’m going to discuss the current fastest solution for processing Yao’s Garbled Circuits.

  6. Yao’s Garbled Circuits [Yao1986] X XOR 0 OUTPUTS Y XOR 1 0 F(X,Y) = X + Y AND 2 OR 4 AND 3

  7. Wires in Yao’s Garbled Circuits [Yao1986] • Alice must use randomlabels () for wire values instead of 0’s and 1’s. Label 0 () Wire 0 () Label 1 ()

  8. Yao’s Garbled Circuits [Yao1986] F(X,Y) = X + Y X XOR 0 OUTPUTS 0xCC1C Y XOR 1 Label 0 = 0xF1F1 0x1112 0x1212 Label 1 = 0xABAB 0 0x1234 AND 2 0xFFCC OR 4 0x1203 0x93FA 0x8843 0x1103 0x4321 0xBA81 AND 3 0x9932 0x6753 0x9B3F

  9. Encrypting Gates in Yao’s Garbled Circuits [Yao1986] Gate 2 () AND

  10. Encrypting Gates in Yao’s Garbled Circuits [Yao1986] • Notation shortcut: = Gate 2 () AND

  11. Garbling Gates in Yao’s Garbled Circuits [Yao1986] Gate 2 () AND

  12. Garbling Gates in Yao’s Garbled Circuits [Yao1986] Gate 2 () AND

  13. Garbling Gates in Yao’s Garbled Circuits [Yao1986] Gate 2 () AND

  14. Yao’s Garbled Circuits [Yao1986] F(X,Y) = X + Y X XOR 0 OUTPUTS 0xCC1C Y XOR 1 Label 0 = 0xF1F1 0x1112 0x1212 Label 1 = 0xABAB 0 0x1234 AND 2 0xFFCC OR 4 0x1203 0x93FA 0x8843 0x1103 0x4321 0xBA81 AND 3 0x9932 0x6753 0x9B3F

  15. Alice sends the generated circuit to Bob. • Alice sends ALL garbled truth tables to Bob. • BOB Sent over the network… • ALICE

  16. Bob evaluates the circuit. • Evaluation is the reverse of generation. Gate 3 () AND = 0xCC1C = 0x1 = ?? = 0x1234 = 0x0

  17. Bob evaluates the circuit. • Evaluation is the reverse of generation. Gate 3 () AND = 0xCC1C = 0x1 ENTRY TO DECODE = ?? = 0x1234 = 0x0

  18. Bob evaluates the circuit. • Evaluation is the reverse of generation. Gate 3 () AND = 0xCC1C = 0x1 ENTRY TO DECODE = ?? = 0x1234 = 0x0

  19. Other security models for Yao’s Garbled Circuits • Malicious-Leaks-A-Bit [Huang2013] • Benefits: • Attacker can analyze results and lie in the protocol. • Only requires one extra Generation and Evaluation. • Drawbacks: • Leaks 1-bit of output. • Fully Malicious [Lindell2013] • Benefits: • Leaks no information to the attacker. • Drawbacks • Requires Alice generate between 60 – 130 circuits. Bob must evaluate ~1/2 and verify the rest. • NOTE: Our methods can work with either of these models!

  20. Brief survey of garbled circuit systems

  21. Contributions to Garbled Circuit Optimization • A method for accurately comparing garbled circuit systems with very different circuit formats. • A method for generating all gates in a circuit at once. • A method for reducing the number of calculations for each gate garbling. • A scalable generation method that can be combined with other best-in-class implementations.

  22. Fast Garbled Circuit Processing With GPUs • GPUs are highly parallel Single Instruction Multiple Data (SIMD) processors. • We can use every “core” on the GPU to process a gate. • But the SIMD parallelism requires protocol modifications.

  23. Generating all gates at once allows high through-put but requires protocol modification. • The Free XOR Technique [Kolesnikov2008] Gate 0 () XOR Label 0 () Label 1 () = Gate 2 () AND = : Randomly Generated Constant

  24. Generating all gates at once allows high through-put but requires protocol modification. • Our modified Free XOR technique Gate 0 () XOR Label 0 () Label 1 () = Gate 2 () AND = : Randomly Generated Constant

  25. Benefits of increased Throughput

  26. Garbling Truth Tables in practice Gate 2 () AND

  27. Reducing calculations required per-gate provided benefits over other GPU systems. • But recall there are three wires for every gate in the circuit…

  28. Inputs and Outputs of SHA1 Buckets holding inputs: 4 … 16 1 2 3 15 Buckets holding algorithm state: E D B A C

  29. Pre-computing SHA1 intermediate values Inputs for random wire values: Seed … 0x0 … Wire ID Seed Seed Seed Wire ID

  30. Pre-computing SHA1 intermediate values Buckets holding inputs: Seed … 0x0 … Wire ID Seed Seed Seed Wire ID Only buckets used during the first 14 rounds. = Common for all Wires

  31. Benefits of SHA1 pre-computation

  32. Current and On-Going Work • Now implement the PCF2 circuit format developed by Kreuter et al. • Working on additional circuit optimizations on top of those provided by the PCF2 compiler. • Provide a full scale solution from honest-but-curious to fully malicious processing. • Multiple GPUs • Super computers • Experiments and source code are available upon request.

  33. Questions?

  34. Extra Slide Matter

  35. Using GPUs we show the fastest single machine garbled circuit generator • XOR Gates: ~ 60.2 Million Gates Per Second • TT Gates: ~34.1 Million Gates Per Second

  36. 1. Alice will generate the Yao’s circuit. • Alice must construct the circuit using a series of Boolean gates with two input wires and one output wire. • Each gate has a serial number and garbled truth table. Gate 0 () AND

  37. Wires in Yao’s Garbled Circuits [Yao1986] • Alice must use randomlabels () for wire values instead of 0’s and 1’s. • Alice must use permutation bits (p-bits; ) to signify the label choice. P-bit 0 () = 0x1 Label 0 () = 0xA1B2 Wire 0 () Label 1 () = 0x192F P-bit 1 () = 0x0

  38. Encrypting Gates in Yao’s Garbled Circuits [Yao1986] • How Alice creates garbled truth tables in two steps • Step 1: Create Encrypted Truth Table Gate 2 () AND = 0xA1B2 = 0x0 = 0x192F = 0x1

  39. Encrypting Gates in Yao’s Garbled Circuits [Yao1986] • How Alice creates garbled truth tables in two steps • Step 1: Create Encrypted Truth Table Gate 2 () AND = 0xA1B2 = 0x0 STEP 1 OUTPUT = 0x192F = 0x1

  40. Encrypting Gates in Yao’s Garbled Circuits [Yao1986] • How Alice creates garbled truth tables in two steps • Step 1: Create Encrypted Truth Table Gate 1 () XOR

  41. Encrypting Gates in Yao’s Garbled Circuits [Yao1986] • How Alice creates garbled truth tables in two steps • Step 1: Create Encrypted Truth Table Gate 4 () OR

  42. A basic overview of the Yao’s protocol • Assumptions: • Security Model: Honest but Curious • Process: • Alice will generate the Yao’s circuit. • Alice sends the generated circuit to Bob. • Bob will use Oblivious Transfer to learn Alice’s inputs. • Bob will evaluate the circuit. • Bob sends the output to Alice

  43. Yao’s Garbled Circuits under an Honest-but-Curious Security Model • Alice generates wire labels and garbled truth tables for all wires and gates in a circuit. • Alice sends the garbled truth tables to Bob. • Bob obtains Alice’s input using Oblivious Transfer. • Bob evaluates the circuit. • Bob sends output to Alice. Both party can analyze data t all steps of this protocol but must perform all steps.

  44. Bob performs Oblivious Transfer to obtain Alice’s Inputs Oblivious Transfer Bob Alice

  45. So how fast can we process garbled circuits? • XOR Gates: ~ 60.2 Million Gates Per Second • TT Gates: ~34.1 Million Gates Per Second

More Related