320 likes | 498 Vues
Fairplay – A Secure Two-Party Computation System Yaron Sella Hebrew University of Jerusalem. Joint work with Dahlia Malkhi, Noam Nisan, and Benny Pinkas Project team: Ziv Balshai, Amir Levy, Dudi Einey, O ri Peleg. Outline. SFE – Secure Function Evaluation Goals Fairplay
E N D
Fairplay – A Secure Two-Party Computation System Yaron SellaHebrew University of Jerusalem Joint work with Dahlia Malkhi, Noam Nisan, and Benny PinkasProject team: Ziv Balshai, Amir Levy, Dudi Einey, Ori Peleg
Outline • SFE – Secure Function Evaluation • Goals • Fairplay • Fairplay computation overview • Demo (SFDL & SHDL examples) • Bob/Alice two party SFE • Experiments
SFE - Secure Function Evaluation • Started with Yao’s seminal paper (1986 - almost 20 years ago!) • Allows several parties to perform a joint computation, that in real life requires a trusted party, using cryptographic tools only (i.e., the trusted party is not needed!) • Theoretical significance only? • We focus on 2-party SFE
SFE Example - Millionaires’ Problem ? < = > $ X Secure FunctionEvaluationProtocol $ Y
General Structure of Yao’s Protocol • Represent f(x,y) as a Boolean circuit • Bob “garbles” the circuit: • wire, assigns random values instead of 0/1 • gate, constructs a “secure” truth table • Bob sends to Alice the tables and garbled versions of his input • Alice uses oblivious transfer to obtain garbled versions of her input and uses them to compute the output of the circuit
Goals • Answer some basic questions on SFE: • Is two-party SFE practical? • Obtain actual measurements of overall computation: How much time is needed to solve the Millionaires’ problem? The Billionaires’ problem? • Better understanding of SFE computation: • Where are the bottlenecks? • Computation versus communication • Test-bed for various optimizations
Fairplay Computation Overview (1) Bob Alice GUI SFDL program (a file) SFDL Compiler + Circuit optimizer SFDL Compiler + Circuit optimizer Off-line SHDL circuit SHDL circuit (a file) (a file) SHDL Parser On-line SFE SHDL Parser Circuit (Java obj.) Circuit (Java obj.)
Fairplay Computation Overview (2) Bob Alice Circuit (Java obj.) Circuit (Java obj.) m x Circuit garbler Garbled circuits (Java obj.) Circuits send Circuits receive Read Integer Circuit choose Reveal secrets Circuits verify
Fairplay Computation Overview (3) Bob Alice Input + input send Input receive Input OT sender OT chooser Output Circuit evaluator Output
Outline • SFE – Secure Function Evaluation • Goals • Fairplay • Fairplay computation overview • Demo (SFDL & SHDL examples) • Bob/Alice two party SFE • Experiments
The Compilation Paradigm • SFDL (Secure Function Definition Language) - High-level programming language for the func. to be evaluated in the trusted party model • Allows clear, formal, easily understandable definition and requirements by humans • SHDL (Secure Hardware Definition Language) - Low-level language describing Boolean circuits • “Obliviousness-aware” SFDL SHDL compiler • The compiler also produces an I/O format file
SFDL Example program Millionaires { type int = Int<4>; // 4-bit integer type AliceInput = int; type BobInput = int; type AliceOutput = Boolean; type BobOutput = Boolean; type Output = struct {AliceOutput alice, BobOutput bob}; type Input = struct {AliceInput alice, BobInput bob}; function Output output(Input input) { output.alice = input.alice > input.bob; output.bob = input.bob > input.alice; } }
SFDL Properties • Conventional syntax (C/Pascal-like) • Type system – Boolean, integer, enumerated • Program structure • Declarations: global constants, types • Sequence of functions (no nesting [C], no recursion) • Function name is its return value [Pascal] • Conditional execution and loops • if-then, if-then-else statements, For-loop • Assignments and expressions • constants, variables, array entries, structure items, function calls, operators (+, -, logical, comparison), parenthesis
SHDL Example (1) 0 input //output$input.bob$0 1 input //output$input.bob$1 2 input //output$input.bob$2 3 input //output$input.bob$3 4 input //output$input.alice$0 5 input //output$input.alice$1 6 input //output$input.alice$2 7 input //output$input.alice$3 8 gate arity 2 table [ 1 0 0 0 ] inputs [ 4 5 ] 9 gate arity 2 table [ 0 1 1 0 ] inputs [ 4 5 ]
SHDL Example (2) 10 gate arity 2 table [ 0 1 0 0 ] inputs [ 8 6 ] 11 gate arity 2 table [ 1 0 0 1 ] inputs [ 8 6 ] 12 gate arity 2 table [ 1 0 0 1 ] inputs [ 10 7 ] 13 gate arity 2 table [ 0 0 0 1 ] inputs [ 4 0 ] 14 gate arity 3 table [ 0 0 0 1 0 1 1 1 ] inputs [ 13 9 1 ] 15 gate arity 3 table [ 0 0 0 1 0 1 1 1 ] inputs [ 14 11 2 ] 16 gate arity 2 table [ 0 1 1 0 ] inputs [ 12 3 ] 17 gate arity 2 table [ 0 1 1 0 ] inputs [ 15 16 ] 18 output gate arity 1 table [ 0 1 ] inputs [ 17 ] …
SHDL Properties • Each line is a circuit component, i.e: • An input bit, or • A Boolean gate with a given truth-table and input wires • Circuit wiring is based on line numbers • The compiler produces gates of arity 1,2,3 // Comments are ignored (even though the compiler generated them)
The Format File • Enables the input bits to be specified and the output bits to be presented in a user-friendly format • Format file example: Bob input integer "input.bob" [0 1 2 3] Alice input integer "input.alice" [4 5 6 7] Alice output integer "output.alice" [18] Bob output integer "output.bob" [29] • Bob’s input bits should be read from the user as an integer
The SFDL SHDL Compiler Compiler’s sequence of steps: • Parsing • Function inlining and loop unfolding (obliviousness!) • Transformation into single bit operations • Array access handling (cost = O(n) gates) • Single variable assignment • Optimizations: local code optimization, duplicate code removal, dead code elimination
Bob-Alice 2-Party SFE – Overview (1) • Input: C = circuit in SHDL • Cut-and-Choose: • Bob parses C into m garbled circuits, and sends them to Alice. Alice also parses C. • Alice chooses one circuit for evaluation - GC • Bob exposes secrets of all garbled circuits except GC • Alice verifies all exposed garbled circuits • Catches cheating with probability 1-1/m • Bob sends his inputs for GC (Alice can’t interpret them because they are garbled)
Bob-Alice 2-Party SFE – Overview (2) • Oblivious Transfer: Alice obtains her inputs for GC from Bob using a single OT per each Alice input bit (Alice = chooser, Bob = sender) • Alice evaluates GC • Alice interprets her outputs (she can’t interpret Bob’s outputs, because they are garbled) • Alice sends to Bob his outputs • Bob interprets his outputs
Wi Wj GTT EGTT PEGTT x | y | out0 | 0 | b00 | 1 | b11 | 0 | b21 | 1 | b3 x | y | out0 | 0 | vkb00 | 1 | vkb11 | 0 | vkb21 | 1 | vkb3 x | y | output0 | 0 | E(vkb0) 0 | 1 | E(vkb1) 1 | 0 | E(vkb2) 1 | 1 | E(vkb3) Permute rows vk0 E(vkb0): SHA-1(vi0, vj0 , k) vkb0 Wk vk1 E(vkb1): SHA-1(vi0, vj1 , k) vkb1 E(vkb2): SHA-1(vi1, vj0 , k) vkb2 E(vkb3): SHA-1(vi1, vj1 , k) vkb3 Garbled Circuit Preparation (by Bob) vi0, vi1 vj0, vj1
Garbled Circuit Evaluation (by Alice) vi vj Note that 1. Alice doesn’t learn any other table entry. 2. Alice doesn’t learn if entry and wire values correspond to 0 or 1. outputvk’ vk’’ vk’’’ vk’’’’ PEGTT vk 1. Try decrypting each entry 2. D (vk’): SHA-1 (vi , vj, k) vk’( = vk)
EGL 1-out-of-2 Oblivious Transfer (OT12) Sender (Bob) Chooser (Alice) M0, M1 Bit b 1. PK0, PK1 (s.t. only one of PK0, PK1 can be a “real” PK) Encrypt: M0 with PK0 (= E0) M1 with PK1 (= E1) 2. E0, E1 3. Decrypt E0 or E1
OT12 (EGL Paradigm with El-Gamal) • Input: chooser - a bit σ sender - two strings M0, M1 • Output: chooser - Mσ • Preliminaries: Zq is a sub-group of order q of Zp*, p,q are primes, and q | (p-1). Let g be a generator of Zq . H is a random oracle. • Initialization: the sender publishes C, a random element in Zq (whose discrete log to the base g is unknown by the chooser).
PK0 E0, E1 OT12 Interactive Protocol Sender (Bob) p, q, g, H, C Chooser (Alice) M0, M1 σ 1. Picks random k in [1,q], and sets public keys: PKσ = gk, PK1-σ = C / PKσ 2. Computes PK1 = C / PK0, chooses random r0,r1 in Zq, El-Gamal encrypts: E0 = {gr0 , H(PK0r0) ^ M0}, E1 = {gr1 , H(PK1r1) ^ M1} 3. Computes H((grσ)k) =H(PKσrσ) and uses it to decrypt Mσ Note: NP01 variant (in RO model)
Experiments: Implementation & Setup • Code written in Java • Communication: TCP/IP (Java sockets) • Crypto: Java BigInteger libraries, SHA1 as RO • Two communication scenarios LAN – 617.8 MBPS, latency 0.4 ms WAN (USA, Israel) – 1.06 MBPS, latency 237.0 ms • Two PCs – 2.4 GHz • Parameters: |p|=1024, |q|=160, m=2 • Results: 100 repetitions (compilation excluded)
Experiments – The Four Functions AND - a very simple circuitKeyed DB - small number of inputs for AliceMedian – biggest circuit
Experiments – Results Highlights • Billionaires’ problem: • LAN: 1.25 seconds, WAN: 4.01 seconds • Communication versus computation: • Percentage of delay due to communicationLAN: up to 42%, WAN: up to 77% • Optimizations speed up factor: • WAN communication batching: up to 8.8! • Same gr mod p OT variant [NP01]: 1.3 • LAN WAN slowdown: up to 6.9
Experiments – WAN Detailed Results IP – Initializations and ParsingCC – Circuits communicationOTs – Oblivious TransfersEV – Evaluation of circuitEET –Elapsed Execution Time
Experiments – LAN Detailed Results IP – Initializations and ParsingCC – Circuits communicationOTs – Oblivious TransfersEV – Evaluation of circuitEET –Elapsed Execution Time
Future directions • Better understanding of experiments’ results • Improving the compiler (C ?) • New features • fair termination • Optimizations • Batch inversion (BS02) • Extending OTs (IKNP03) • Real applications & products (www.cs.huji.ac.il/labs/danss/Fairplay)