260 likes | 271 Views
Learn about Secure Function Evaluation, the concepts, motivations, and scenarios involved. Explore constructions and examples like the Millionaires Problem. Discover the modeling of adversaries, participating parties, and protocols for secure multi-party computations. Understand the advantages and techniques in Secure Two-Party Computation, including garbling circuits and gate tables. Delve into the concept of secure computation and the practicality of implementing protocols like FairPlay.
E N D
Introduction to Secure Computation Benny Pinkas HP Labs, Princeton
Roadmap • Secure Function Evaluation • Motivation and definitions • Scenarios • Constructions
SFE Example – Millionaires Problem ? < = > Secure FunctionEvaluationProtocol X $ Y $
Secure Function Evaluation • A set of (two or more) parties with private inputs wish to compute some joint function of their inputs. • Parties wish to preserve some security properties. E.g., privacy and correctness. • Example: Computing the maximum • Security must be preserved in the face of adversarial behavior by some of the participants.
…Secure Function Evaluation • Cryptography aims for the following (regarding privacy): • A secure protocol must reveal no more information than the output of the function itself • That is, the process of protocol computation reveals nothing.
For every real adversary A there exists an adversary S Protocol interaction Trusted party The Security Definition REAL IDEAL
Does the trusted party scenario make sense? y x F(x,y) F(x,y) • We cannot hope for more privacy • Does the trusted party scenario make sense? • Are the parties motivated to submit their true inputs? • Can they tolerate the disclosure of F(x,y)? • If so, we can implement the scenario without a trusted party.
Roadmap • Secure Function Evaluation • Motivation and definitions • Scenarios • Constructions
Modeling the Adversary • Semi-honest: follows the protocol but tries to learn more • Malicious: can do anything • E.g., • Protocol: “Flip a random coin and send the result” • Malicious party might… • Easier to provide security against semi-honest adversaries
Modeling the Adversary • Do semi-honest adversaries make sense? • Semi-trusted parties? • Secure hardware/software? • It’s easier for the adversary to eavesdrop than to change the program. • Is there a reasonable model between semi-honest and malicious?
Participating Parties • Two parties. • Multi-party: N parties with private inputs x1,..,xN, wish to compute F(x1,..,xN). • There are generic secure constructions for both scenarios • The constructions for the two-party scenario are usually more efficient
Multi-Party Protocols • The main issues are often the communication pattern and the number of rounds
Computation Server 1 Computation Server 2 Computation Server m Perform computation Provide inputs (and that’s it) A different setting for multi-party protocols? [NPS] Pn P1 P2
dangerous collusion benign collusion benign collusion Trust Computation Server 1 Computation Server 2 Computation Server m Pn P1 P2 This is not weaker security if we have some trust that computation servers do not collude
Advantages • Separation between input providers and computation. • Input providers • submit their inputs independently of each other. • Do not have to coordinate their operation. • Once all inputs are submitted, the computation is performed by the computation servers.
Roadmap • Secure Function Evaluation • Motivation and definitions • Scenarios • Constructions
Secure two-party computation of general functions [Yao, early 80s] • First, represent the function F as a Boolean circuit C • It’s always possible • Sometimes it’s easy (additions, comparisons) • Sometimes the result is inefficient (e.g. for indirect addressing, a[i])
wk0,wk1 G wi0,wi1 wJ0,wJ1 Garbling the circuit • Bob constructs the circuit, and then garbles it. Wk0 = 0 on wire k Wk1 = 1 on wire k |Wk0| = |Wk1| > 80 (Alice will learn one string per wire, but not the bit to which it corresponds.)
wk0,wk1 G wi0,wi1 wJ0,wJ1 Gate tables • For, e.g., an AND gate, Bob constructs a table that enables to compute: • wk0 given wi0,wJ0 • wk0 given wi0,wJ1 • wk0given wi1,wJ0 • wk1 given wi1,wJ1 • I.e., given wix,wJy, can compute wkG(x,y)
wk0,wk1 G wi0,wi1 wJ0,wJ1 Secure computation • Bob sends the tables of the gates to Alice • Given, e.g., wi0,wJ1, she computes wk0, but doesn’t know the actual values of the wires. • If Alice gets garbled values (w’s) of her input values, she can compute the output of the circuit, and nothing else.
Secure computation – the big picture • Represent the function as a circuit C • Bob sends to Alice |C| tables (e.g. 40|C| Bytes). • Alice performs an oblivious transfer for every input bit. (Can do, e.g. 100 OTs per sec.) • ~One round of communication. • Efficient for medium size circuits! • Good for one invocation only!
FairPlay [Nisan,Malkhi,Pinkas,Sella] • Yao’s construction is about 20 years old. There are no known implementations (?). • FairPlay - a full fledged secure two-party computation system, implementing Yao’s “garbled circuit” protocol. • Goals: • Investigate whether two-party SFE is practical • Actual measurements of overall computation • Breakdown of computation into parts • Test-bed for various optimizations
…FairPlay • The Compilation paradigm • Programs written in a high-level programming language • SHDL: Low-level language describing Boolean circuits • First stage: compile to SHDL and optimize • Second stage: Given an SHDL circuit, generate programs implementing Yao’s protocol
Specific Constructions of SFE • Mean • Max, Min • Set intersection • Median and quintiles
Discussion Points • Candidate applications? • Where will SFE be most beneficial? • How to model the adversary?
Issues • Suppose you cannot access the data • Data cleaning? • What functions do you need to compute?