Practical Secure Two-Party Computation and Applications Lecture 3: Tools and Applications Estonian Winter School in Computer Science 2016

Overview of this lecture
[Diagram labels: Generic Protocols; Special Purpose Protocols; Part 1: TASTY; Part 2: ABY; Part 3: GSHADE; Arithmetic Circuit; Boolean Circuit; Homomorphic Encryption; Yao; GMW; OT]
Public Key Crypto >> Symmetric Crypto >> One-Time Pad

Part 1: TASTY
W. Henecka, S. Kögl, A.-R. Sadeghi, T. Schneider, I. Wehrenberg: TASTY - Tool for Automating Secure Two-partY computations. In ACM CCS’10.
Code: http://encrypto.de/code/TASTY

How to use SFE for your specific task?
[Diagram labels: Task / Problem; Algorithm; SFE Protocol; Homomorphic Encryption (HE); Garbled Circuits (GC); Implementation; Measure Performance]
Goal: Automate with Tools

SFE Compilers and Libraries
[Table columns: Abstraction Level; Primitives; tools for GC and HE]
• Function Description (What?): I/O, computation. Tools: Fairplay(MP), (Py)SMCL
• Protocol Description (How?): I/O, enc/dec, compute under encryption. Tools: VIFF, SMC, Sharemind. Here: TASTY
• Protocol Implementation (How Exactly?): I/O, protocols, messages, crypto primitives. Tools: Qilin, L1
Previous SFE compilers were restricted to either GC or HE.
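
SFE with Homomorphic Encryption (HE)
Property: $\forall x, y \in P : \llbracket x \circ y \rrbracket = \llbracket x \rrbracket \odot \llbracket y \rrbracket$, where $\llbracket x \rrbracket := \mathrm{Enc}_{pk}(x)$
HE Schemes:
• +: [Paillier99], [DamgårdJ01], [DamgårdGK07], ...
• +, 1*: [BonehGN05], [GentryHV10], ...
• +, *: [Gentry09], [SmartV10], [vanDijkGHV10], ...
Application: SFE by Computing on Encrypted Data (restricted to specific homomorphic operation(s))
[Diagram labels: Client; Server; private data x; private data y; messages $pk, \llbracket x \rrbracket$ and $\llbracket z \rrbracket$; computation $\llbracket z \rrbracket = f(\llbracket x \rrbracket, \llbracket y \rrbracket)$; output $z$]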

Examples for Homomorphic Encryption Schemes
Multiplicatively homomorphic encryption:
• $E_{pk}(x) \, E_{pk}(y) = E_{pk}(xy)$
• RSA: $c_1 = x_1^e \bmod n$, $c_2 = x_2^e \bmod n$; $c_1 c_2 = (x_1^e)(x_2^e) \bmod n = (x_1 x_2)^e \bmod n$
• ElGamal: $c_1 = (g^{r_1}; x_1 h^{r_1})$, $c_2 = (g^{r_2}; x_2 h^{r_2})$; $c_1 c_2 = (g^{r_1+r_2}; x_1 x_2 h^{r_1+r_2})$
Additively homomorphic encryption:
• $E_{pk}(x) \, E_{pk}(y) = E_{pk}(x+y)$
• $E_{pk}(x)^a = E_{pk}(ax)$
• Paillier: $c_1 = g^{x_1} r_1^n \bmod n^2$, $c_2 = g^{x_2} r_2^n \bmod n^2$; $c_1 c_2 = g^{x_1+x_2} (r_1 r_2)^n \bmod n^2$
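
Performance of Homomorphic Encryption
• Fully HE: minimal interaction but not practical yet
  – [SmartV10]: 3.5s to encrypt 1 bit (up to 2*)
  – [HaleviGentry EC’10 Rump]: Re-Crypt 30min (deg=15, dim=$2^{15}$)
• Additively Homomorphic Encryption is practical but needs interaction for multiplication:
  Given $\llbracket x \rrbracket, \llbracket y \rrbracket$, choose random $r_x, r_y$
  $\llbracket \bar{x} \rrbracket = \llbracket x \rrbracket \boxplus \llbracket r_x \rrbracket$
  $\llbracket \bar{y} \rrbracket = \llbracket y \rrbracket \boxplus \llbracket r_y \rrbracket$
  Send $\llbracket \bar{x} \rrbracket, \llbracket \bar{y} \rrbracket$
  $\bar{z} = \bar{x} * \bar{y}$
  Return $\llbracket \bar{z} \rrbracket$
  $\llbracket x * y \rrbracket = \llbracket \bar{z} \rrbracket - r_y \llbracket \bar{x} \rrbracket - r_x \llbracket \bar{y} \rrbracket - \llbracket r_x * r_y \rrbracket$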
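
The interactive multiplication above, as an added example that is not from the slides or the TASTY code base: a toy Paillier instance in which the party without the private key masks its operands, gets the product back from the key owner, and removes the mask terms homomorphically. The key (two small Mersenne primes), the sample plaintexts and all function names are constructed for illustration, and the unmasking step works on the evaluator's own unmasked ciphertexts of x and y.

```python
import math
import secrets

# Constructed toy key: two Mersenne primes, far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, N2 = P * Q, (P * Q) ** 2
LAM = math.lcm(P - 1, Q - 1)   # private key
MU = pow(LAM, -1, N)           # valid because the generator is g = N + 1

def enc(m):
    """Paillier encryption c = g^m * r^N mod N^2, using g^m = 1 + m*N."""
    r = secrets.randbelow(N - 1) + 1
    while math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 1) + 1
    return (1 + (m % N) * N) * pow(r, N, N2) % N2

def dec(c):
    """Decryption with the private key (LAM, MU)."""
    return (pow(c, LAM, N2) - 1) // N * MU % N

def add(c1, c2):
    """E(x) * E(y) = E(x + y)."""
    return c1 * c2 % N2

def scale(c, a):
    """E(x)^a = E(a * x); a negative a is reduced mod N first."""
    return pow(c, a % N, N2)

def key_owner_multiply(cx_bar, cy_bar):
    """Key owner: decrypt the masked operands, multiply, re-encrypt."""
    return enc(dec(cx_bar) * dec(cy_bar))

def evaluator_multiply(cx, cy):
    """Evaluator: holds ciphertexts of x and y but no private key."""
    rx, ry = secrets.randbelow(N), secrets.randbelow(N)
    cx_bar = add(cx, enc(rx))                      # E(x + rx)
    cy_bar = add(cy, enc(ry))                      # E(y + ry)
    cz_bar = key_owner_multiply(cx_bar, cy_bar)    # the one round of interaction
    # z_bar = x*y + ry*x + rx*y + rx*ry: remove the three extra terms with
    # the evaluator's unmasked ciphertexts cx, cy and its own masks.
    cz = add(cz_bar, scale(cx, -ry))
    cz = add(cz, scale(cy, -rx))
    return add(cz, enc(-rx * ry))

def demo():
    x, y = 1234, 5678  # constructed sample plaintexts
    return dec(evaluator_multiply(enc(x), enc(y)))
```

The key owner only ever decrypts x + r_x and y + r_y, which are uniformly distributed modulo N, so it learns nothing about x or y.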

Combine Advantages of HE and GC
• HE good for linear operations (+,*)
• GC good for + and non-linear operations (<, min, ...)
• Convert HE ⇔ GC [BrickellPSW07], [BarniFKLSS09], [KolesnikovSS13], ...
  1. A: add random mask under encryption
  2. B: decrypt + encrypt with new scheme
  3. A: take off random mask under encryption

Theoretical Framework: SFE using GC + HE
SFE = convert + compute on encrypted data [KolesnikovSS13]
  1. encrypt inputs
  2. compute under encryption
  3. decrypt outputs
[Diagram: Client C and Server S]
• Inputs/Outputs: Plain Value $x$
• Encrypted Values: Homomorphic Value $\llbracket x \rrbracket$, Garbled Value $\tilde{x}$
• SFE of Boolean Circuits using Garbled Circuits
• SFE of Arithmetic Circuits using Homomorphic Encryption

Contributions of the TASTY Framework
TASTY: SFE tool to arbitrarily combine GC+HE
• TASTYL: Intuitive Protocol Description Language
• For many privacy-preserving applications
• Primitives: shift complexity into setup phase
• Performance:
  – Faster GC implementation (10x faster online phase)
  – Fast Multiplication Circuits
  – Multiplication GC vs. HE

TASTY: Tool for Automating Secure Two-partY computations
Design Goals:
• program SFE protocols as sequence of operations on encrypted data
• minimize latency of online phase by pre-computing in setup phase
• test, benchmark + compare performance of SFE protocols
[Diagram labels: Protocol Description in TASTYL; Client C; Server S; Runtime Environment; Analyzation Phase; Setup Phase; Online Phase; Input; Output; Costs]

TASTYL: Types and Operators
[Diagram labels, types: Value (bitlength); Plain Value (Unsigned, Signed, Modular); Garbled Value; Homomorphic Value; Vector (N); Plain Vector (Unsigned Vector, Signed Vector, Modular Vector); Garbled Vector; Homomorphic Vector]
[Diagram labels, operators: mux, <, =, ...; +, -, *; /, <, =, ...; rand, input, output; /, =, ...; +, -, *, dot; min, max, ...]

TASTYL: Example
Inputs: C has vector v and S has vector w (N=4 unsigned L=32-bit values each)
Output: C obtains $\min_{i=1,..,N} (v_i \cdot w_i)$

    def protocol(client, server):
        N = 4
        L = 32

        # input of client
        client.v = UnsignedVec(bitlen=L, dim=N)
        client.v.input(desc="enter values for v")

        # input of server
        server.w = UnsignedVec(bitlen=L, dim=N)
        server.w.input(desc="enter values for w")

        # convert unsigned to homomorphic vector
        client.hv = HomomorphicVec(val=client.v)
        server.hv <<= client.hv

        # multiply vectors (component-wise)
        server.hx = server.hv * server.w

        # convert homomorphic to garbled vector
        client.gx <<= GarbledVec(val=server.hx)

        # compute minimum value
        client.gmin = client.gx.min_value()

        # convert garbled to unsigned value and output
        client.min = Unsigned(val=client.gmin)
        client.min.output(desc="minimum value")

Privacy-Preserving Applications in TASTYL
• Private Set Intersection [FreedmanNP04]: HE
• Face-Recognition [SSW09]: HE+GC
  – based on Eigenface algorithm [TurkP91]
  – better online communication than [ErkinFGKLT09]: HE
  – less efficient than hand-optimized code [SSW09]
  – SCiFI [OsadchyPJM10] is more accurate/efficient: co-designed recognition algorithm and protocol
• Medical Diagnostics (ECG) [BFKLSS09]: HE+GC
• ...

Multiplication Circuits for ℓ-bit values
• Textbook multiplication: $2\ell^2 - \ell$ non-XORs [KSS09]
• Fast multiplication [KaratsubaO62]: $\approx 9\ell^{1.6} - 13\ell - 34$ non-XORs

Algorithm 1 Karatsuba multiplication
    function KARATSUBA(x, y)              ▷ x, y are ℓ
        if ℓ ≤ 19 then
            return TEXTBOOK(x, y)
        end if
        x_h ∥ x_l ← x                     ▷ x = x
        y_h ∥ y_l ← y                     ▷ y =
        P_h ← KARATSUBA(x_h, y_h)
        P_l ← KARATSUBA(x_l, y_l)
        x_s ← x_h + x_l
        y_s ← y_h + y_l
        P_s ← KARATSUBA(x_s, y_s)
        P_d ← P_s − P_h − P_l
        return (P_h · 2^(2⌈ℓ/2⌉)) + P_d · 2^(⌈ℓ/2⌉) + P_l
    end function

Number of non-XOR gates:
    Bitlength ℓ     19       20       32       64       128
    Textbook        703      780      2,016    8,128    32,640
    Karatsuba       703      721      1,729    5,683    17,973
    Improvement     0.0 %    7.6 %    14.2 %   30.1 %   44.9 %

Multiplication using GC vs. HE
• Multiplication = fundamental basic operation
• Compare efficiency with TASTY (80 bit security level)
[Diagram: Client C and Server S compute z = x · y; input settings labelled GC2, HE2: x y; GC1: x, y; HE1: x, y]

Multiplication GC vs. HE: Communication
[Plot: Data in Bytes (log scale) vs. Bitlength (1 to 128); series: HE1: Online, HE2: Online, GC1: Setup, GC1: Online, GC2: Setup, GC2: Online]
• HE: better setup costs
• GC: less online costs for small operands

Multiplication GC vs. HE: Setup Time
[Plot: Setup Time in ms (log scale) vs. Bitlength (1 to 128); series: HE1: C, HE1: S, HE2: C, HE2: S, GC1: C, GC2: C]
• HE: less setup time

Multiplication GC vs. HE: Online Time
[Plot: Online Time in ms (log scale) vs. Bitlength (1 to 128); series: HE1: C, HE1: S, HE2: C, HE2: S, GC1: C, GC1: S, GC2: C, GC2: S]
• GC: better for small operands
• GC: negligible online work for S

Part 2: ABY
D. Demmler, T. Schneider, M. Zohner: ABY - a framework for efficient mixed-protocol secure two-party computation. In NDSS’15.
Code: http://encrypto.de/code/ABY

Protocol Development
[Diagram labels: Idea; Function; Languages; Abstract Representation: Boolean Circuits, Arithmetic Circuits; ? ?; Protocol: Yao, GMW, DGK, Paillier, ...; Existing Frameworks; Optimizations: Point-and-permute, Fixed-Key Garbling, Free-XOR, Half-Gates]

Mixed Protocols
- Some functionalities have a more efficient circuit representation
  ● Multiplication in Boolean circuits: $O(n^2)$
  ● Comparison in Arithmetic circuits: $O(n)$ multiplications of $q$-bit values
- TASTY [HKSSW10] combines Paillier (Arithmetic) and Yao (Boolean)
- Multiplication and conversion requires public-key operation
  ● For long-term security, Yao-only is often most efficient [KSS14]

Example: Minimum Euclidean Distance
Minimum Euclidean Distance: $\min\left( \sum_{i=1}^{d} (S_{i,1} - C_i)^2, \ldots, \sum_{i=1}^{d} (S_{i,n} - C_i)^2 \right)$
● Server holds database S, client holds query C
● Used in biometric matching (face-recognition, fingerprint, …)
[Diagram labels: Function; Boolean Circuits; Arithmetic Circuits; Yao; GMW; DGK; Paillier; ...]

Outline
1) More efficient multiplication using OT extension
2) More efficient conversion
3) Mixed-protocol framework called ABY
[Diagram labels: Function; Boolean Circuits; Arithmetic Circuits; 1. OT-ext.; 2. Conversion; 3. ABY; DGK; Paillier; ...; Yao; GMW]