Practical Secure Two-Party Computation and Applications Thomas Schneider Estonian Winter School in Computer Science 2016
Overview Lecture 1: Introduction to Secure Two-Party Computation Lecture 2: Private Set Intersection Lecture 3: Tools and Applications Lecture 4: Hardware-assisted Cryptographic Protocols 2
The Engineering Cryptographic Protocols Group (ENCRYPTO): Thomas Schneider, Daniel Demmler, Ágnes Kiss, Michael Zohner. Info: http://encrypto.de 3
Interested in Practical Secure Computation? We have an open, fully funded position as Ph.D. Student / Research Assistant in Engineering Scalable Secure Computation. Darmstadt: 30km south of FRA; 150,000 inhabitants (5.8 Mio in Frankfurt/Rhine-Main Metro Area); 40,000 students. TU Darmstadt: ranked #1 for IT security research in Germany (#5 in Europe); among the top 5 universities for computer science in Germany. http://encrypto.de/jobs 4
Practical Secure Two-Party Computation and Applications Lecture 1: Introduction Estonian Winter School in Computer Science 2016
The Web of Services Our life moves into the web... ... and so does our data. 6
How were web services used yesterday? Query “heart disease” sent over http://www.google.de: an attacker can eavesdrop on the query (“heart disease”) or modify the communication. 7
How should web services be used today? Query “heart disease” sent over https://www.google.de: a secure channel protects the communication against external attackers. HTTPS per default since 01/2010, 02/2011, 11/2012 (for the services shown on the slide). 8
Data breaches happen every day... from outsiders: June 2, 2011: Google attacked from China. Computer hackers in China broke into the Gmail accounts of several hundred people, including senior US government officials, military personnel and political activists. ... or insiders: November 29, 2010: New WikiLeaks Publication. WikiLeaks releases US State Department communiqués that offer an extraordinary look at the inner workings, and sharp elbows of diplomacy. ... or malware: October 16, 2012: Espionage Malware MiniFlame. Kaspersky Labs discover that MiniFlame is most likely a targeted cyberweapon to conduct in-depth surveillance and cyber-espionage. 9
How could web services be used tomorrow? “http p ://www.google.de”: the client sends an encrypted query (“heart disease”), the service processes it under encryption, and the sensitive data in the encrypted response remains encrypted. ➪ Privacy-Preserving Web Services 10
Vision: Privacy-Preserving Web Services process sensitive data without any data leakage, e.g., Privacy-Preserving Medical Diagnostics Services give health recommendations without direct access to patient’s data. Privacy-Preserving Face Recognition Services detect criminals without allowing to trace honest citizens. Privacy-Preserving Cloud Computing Services allow to store and process data at untrusted service providers. 11
Is this possible at all? Andrew Chi-Chih Yao 1986: Any efficiently computable function can be evaluated securely. ➪ Secure Computation 12
Secure Two-Party Computation: one party holds x, the other holds y, and both jointly compute f(x,y). All Lectures: Semi-Honest (Passive) Adversaries 13
Secure Two-Party Computation (S2PC): Client C with private data x and Server S with private data y compute a public function f(·,·) on their private data, without a trusted third party, revealing nothing but the result z = f(x,y). S2PC can compute arbitrary functions f. Example: Yao’s Millionaires’ Problem: “Is C richer?”, i.e., f(x,y) = (x > y); with x = $2 Mio and y = $1 Mio the result is z = true. 14
Secure Two-Party Computation Auctions [NaorPS99], ... Remote Diagnostics [BrickellPSW07], ... DNA Searching [Troncoso-PastorizaKC07], ... Biometric Identification [ErkinFGKLT09], ... Medical Diagnostics [BarniFKLSS09], ... 15
Oblivious Transfer (OT): the sender inputs two messages (x_0, x_1), the receiver inputs a choice bit r and obtains x_r; the sender learns nothing about r and the receiver learns nothing about x_{1-r}. 1-out-of-2 OT is an essential building block for secure computation. 16
How to Measure Efficiency of a Protocol?
✓ Runtime (depends on implementation & scenario)
✓ Communication: # bits sent (important for networks with low bandwidth); # rounds (important for networks with high latency)
? Computation: usually count # crypto operations, e.g. (listed from slower to faster): # modular exponentiations, # point multiplications, # hash function evaluations (SHA), # block cipher evaluations (AES), # One-Time Pad evaluations. But also non-cryptographic operations do matter! 17
Overview of this lecture. Part 1: Yao vs. GMW. Special Purpose Protocols vs. Generic Protocols; generic protocols work on Arithmetic Circuits (Homomorphic Encryption) or Boolean Circuits (Yao, GMW), both built on OT. Cost of the underlying primitives: Public Key Crypto >> Symmetric Crypto >> One-Time Pad. Part 2: Efficient OT Extensions 18
Part 1: Yao vs. GMW and Efficient Circuits T. Schneider, M. Zohner: GMW vs. Yao? Efficient secure two-party computation with low depth circuits. In FC’13. 19
Yao’s Garbled Circuits Protocol [Yao86]. Client C holds private data x = x_1, .., x_n, Server S holds private data y = y_1, .., y_n; f(·,·) is e.g. x < y, given as a Boolean circuit with gates c_1, c_2, ... and output z. Setup phase: the circuit is garbled, i.e., every wire w gets two random keys e_w^0, e_w^1 (its garbled values) and every gate g with input wires x, y and output wire c gets a garbled table with the four rows E(e_x^i, e_y^j; e_c^{g(i,j)}) for (i,j) ∈ {0,1}^2, encrypting the output key under the two input keys. Online phase: C obtains the keys for its own inputs via OT, (e_x; ⊥) ← OT(x; (e_x^0, e_x^1)) (see Part 2: Efficient OT), receives the garbled values e_y for S’s inputs, and evaluates the garbled circuit to obtain f(x,y) = C̃(e_x, e_y). 20
Garbled Circuits [Yao86]: conventional circuit vs. garbled circuit. In the garbled circuit the keys on the wires look random; given the input keys, one can compute the output key only. (Slide from Viet-Tung Hoang) 21
Garbled Gate [Yao86]: a gate with input wires X, Y and output wire Z has four table entries A, B, C, D; given two input keys (e.g., X_0 and Y_1), one can compute only the corresponding output key. (Slide from Viet-Tung Hoang) 22
Overview of Efficient Garbled Circuit Constructions:
1990 Point-and-Permute [BeaverMicaliRogaway]
1999 3-row reduction [NaorPinkasSumner]
2008 Free-XOR [KolesnikovSchneider]
2009 2-row reduction [PinkasSchneiderSmartWilliams]
2012 Garbling via AES [KreuterShelatShen]
2013 Fixed-key AES [BellareHoangKeelveedhiRogaway]
2014 FleXor [KolesnikovMohasselRosulek]
2015 HalfGates [ZahurRosulekEvans]
(Slide from Payman Mohassel) 23
Summary of Garbled Circuit Constructions (t: symmetric security parameter, e.g., t=128; a single value per column group means XOR and AND gates cost the same):

Construction   size (×t)     garble cost (AES)   eval cost (AES)
               XOR   AND     XOR   AND           XOR   AND
Classical      large         8                   5
P&P            4             4                   1
GRR3           3             4                   1
Free XOR       0     3       0     4             0     1
HalfGates      0     2       0     4             0     2

(Slide from Mike Rosulek) 24
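To make the garbled gate of slides 20-22 concrete, here is an added example (not code from the lecture or the ENCRYPTO group) of garbling and evaluating a single AND gate with the point-and-permute construction listed above; the row encryption E is a constructed choice (HMAC-SHA256 keyed by both input keys, used as a one-time pad), since the slides do not fix it.

```python
import hashlib, hmac, secrets

T = 16  # key length in bytes, i.e. t = 128 bits

def row_pad(kx, ky, gate_id, row):
    # Double-keyed PRF used as a one-time pad for one table row (constructed choice;
    # the slides only write E(e_x, e_y; e_c) without fixing the scheme).
    msg = gate_id.to_bytes(4, "big") + bytes([row])
    return hmac.new(kx + ky, msg, hashlib.sha256).digest()[:T + 1]

def garble_and_gate(gate_id):
    """Garbler: two random keys per wire, each tagged with a permute bit, and the
    4-row garbled table ordered by the permute bits (point-and-permute)."""
    wires = {}
    for w in ("x", "y", "z"):
        p = secrets.randbits(1)  # the 0-key carries bit p, the 1-key carries 1-p
        wires[w] = ((secrets.token_bytes(T), p), (secrets.token_bytes(T), p ^ 1))
    table = [None] * 4
    for vx in (0, 1):
        for vy in (0, 1):
            kx, px = wires["x"][vx]
            ky, py = wires["y"][vy]
            kz, pz = wires["z"][vx & vy]      # AND gate: output value is vx & vy
            row = 2 * px + py                 # position leaks only the permute bits
            plain = kz + bytes([pz])
            table[row] = bytes(a ^ b for a, b in zip(plain, row_pad(kx, ky, gate_id, row)))
    return wires, table

def eval_and_gate(gate_id, table, x_key, y_key):
    """Evaluator: with one key per input wire, decrypt exactly one row and learn
    only the output key and its permute bit, never the plaintext wire values."""
    (kx, px), (ky, py) = x_key, y_key
    row = 2 * px + py
    plain = bytes(a ^ b for a, b in zip(table[row], row_pad(kx, ky, gate_id, row)))
    return plain[:T], plain[T]

def check_gate(gate_id=7):
    """Every input combination must yield the output key for vx & vy."""
    wires, table = garble_and_gate(gate_id)
    return all(eval_and_gate(gate_id, table, wires["x"][vx], wires["y"][vy]) == wires["z"][vx & vy]
               for vx in (0, 1) for vy in (0, 1))
```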
Summary: Yao - the Apple. How to eat an apple? Bite-by-bite. + Yao has constant #rounds. - Evaluating a garbled gate requires symmetric crypto in the online phase. 25
The GMW Protocol [GMW87]. Secret share inputs: a = a_1 ⊕ a_2, b = b_1 ⊕ b_2. Non-interactive XOR gates (c = a ⊕ b): c_1 = a_1 ⊕ b_1; c_2 = a_2 ⊕ b_2. Interactive AND gates (d = c ∧ b): P_1 inputs (c_1, b_1) and P_2 inputs (c_2, b_2) into an AND sub-protocol that outputs shares d_1, d_2. Recombine outputs: d = d_1 ⊕ d_2. 26
Evaluating ANDs via Multiplication Triples [Beaver91] (see Part 2: Efficient OTs).
Setup phase: generate a multiplication triple (a_1 ⊕ a_2)(b_1 ⊕ b_2) = c_1 ⊕ c_2 for each AND via 2 OTs:
1) P_1: m_0, m_1 ∈_R {0,1}; P_2: a_2 ∈_R {0,1}
2) P_1 and P_2 run OT, where P_1 inputs (m_0, m_1), P_2 inputs a_2 and gets u_2 = m_{a_2}
3) P_1 sets b_1 = m_0 ⊕ m_1; v_1 = m_0
4) P_1 and P_2 repeat steps 1-3 with reversed roles to obtain (a_1, u_1); (b_2, v_2)
5) P_i sets c_i = (a_i b_i) ⊕ u_i ⊕ v_i
Online phase (P_1 holds x_1, y_1; P_2 holds x_2, y_2; compute shares z_1, z_2 of x ∧ y):
P_1 → P_2: d_1 = x_1 ⊕ a_1; e_1 = y_1 ⊕ b_1
P_1 ← P_2: d_2 = x_2 ⊕ a_2; e_2 = y_2 ⊕ b_2
P_1, P_2: d = d_1 ⊕ d_2; e = e_1 ⊕ e_2
P_1: z_1 = d b_1 ⊕ e a_1 ⊕ c_1 ⊕ d e
P_2: z_2 = d b_2 ⊕ e a_2 ⊕ c_2 27
Summary: GMW - the Orange. How to eat an orange? 1) Peel (almost all the effort) = setup phase: - precompute multiplication triples for each AND gate using 2 R-OTs and constant #rounds; + no need to know the function, only the max. #ANDs. 2) Eat (easy) = online phase: + evaluating the circuit needs OTP operations only; - 2x2 bit communication per layer of AND gates. 28
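The two phases of slides 27 and 28, as an added example that is not code from the lecture or from the ENCRYPTO group: the triple generation follows the five steps with an idealised 1-out-of-2 OT functionality standing in for a real OT protocol (a constructed stand-in, no cryptography is implemented), and the online phase exchanges the two 2-bit messages; the check functions confirm the triple relation and that the recombined shares equal x ∧ y for all inputs.

```python
import secrets

def ot_1of2(m0, m1, r):
    # Idealised 1-out-of-2 OT (constructed stand-in): receiver learns only m_r.
    return m1 if r else m0

def generate_triple():
    """Setup phase: shares (a_i, b_i, c_i) with (a1 ^ a2) & (b1 ^ b2) == c1 ^ c2,
    produced from two OTs as on slide 27."""
    # 1) P1 samples m0, m1; P2 samples its share a2.
    m0, m1, a2 = secrets.randbits(1), secrets.randbits(1), secrets.randbits(1)
    # 2) OT: P2 inputs a2 and receives u2 = m_{a2}.
    u2 = ot_1of2(m0, m1, a2)
    # 3) P1 sets b1 = m0 ^ m1 and v1 = m0, so that u2 ^ v1 == a2 & b1.
    b1, v1 = m0 ^ m1, m0
    # 4) Same steps with reversed roles give (a1, u1) for P1 and (b2, v2) for P2.
    n0, n1, a1 = secrets.randbits(1), secrets.randbits(1), secrets.randbits(1)
    u1 = ot_1of2(n0, n1, a1)
    b2, v2 = n0 ^ n1, n0
    # 5) Each party combines its local product with its two OT values.
    c1 = (a1 & b1) ^ u1 ^ v1
    c2 = (a2 & b2) ^ u2 ^ v2
    return (a1, b1, c1), (a2, b2, c2)

def and_online(x1, y1, x2, y2, t1, t2):
    """Online phase: one AND on shares, one round of two 2-bit messages, OTP ops only."""
    a1, b1, c1 = t1
    a2, b2, c2 = t2
    d1, e1 = x1 ^ a1, y1 ^ b1          # P1 -> P2
    d2, e2 = x2 ^ a2, y2 ^ b2          # P2 -> P1
    d, e = d1 ^ d2, e1 ^ e2            # opened values are x, y masked by fresh a, b
    z1 = (d & b1) ^ (e & a1) ^ c1 ^ (d & e)
    z2 = (d & b2) ^ (e & a2) ^ c2
    return z1, z2

def share(bit):
    r = secrets.randbits(1)
    return r, bit ^ r

def secure_and(x, y):
    x1, x2 = share(x)
    y1, y2 = share(y)
    t1, t2 = generate_triple()
    z1, z2 = and_online(x1, y1, x2, y2, t1, t2)
    return z1 ^ z2                     # recombine output shares

def check_all(trials=64):
    return all(secure_and(x, y) == (x & y) for x in (0, 1) for y in (0, 1) for _ in range(trials))
```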
Benchmarks of an optimized GMW implementation [SZ13] Runtime in seconds for 512-bit multiplication circuit (800k AND gates, depth 38) over Gigabit LAN. 29
Interactive AND gates via Beaver’s multiplication triples [D. Beaver. Efficient multiparty protocols using circuit randomization. CRYPTO’91.]: setup phase: 1-out-of-4 OT; online phase: 2 independent 2-bit messages (sent in parallel) => 1x network latency per layer of AND gates. 30
Use AES-based PRF for OT extensions (instead of SHA-1). 31
Load Balancing: run half of the precomputed OTs in each direction (in parallel); run base OTs twice (in parallel) => each party has exactly the same workload. 32