Secure&Computation: Why,%How%and%When Mariana Raykova Yale - PowerPoint PPT Presentation

Secure&Computation: Why,%How%and%When Mariana Raykova Yale University 12/12/16 1 PMPML

Predictive&Model Patient Blood+Count Heart Conditions Digestive+Track Medicine … Effectiveness Arrhyt Inflamm Dyspha … … … RBC WBC Murmur hmia ation gia A 3.9 10.0 0 0 0 1 1 B 5.0 4.5 1 0 1 2 1.5 C 2.5 11 0 1 1 0 2 D 4.3 5.3 2 1 0 1 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Given samples ( x 1 , y 1 ), ( x 2 , y 2 ), …, ( x n , y n ) • o x i �� d , y i �� Learn a function f such that f( x i ) = y i • 12/12/16 2 PMPML

Linear&Regression Patient Blood+Count Heart Conditions Digestive+Track Medicine … Effectiveness Arrhyt Inflamm Dyspha … … … RBC WBC Murmur hmia ation gia A 3.9 10.0 0 0 0 1 1 B 5.0 4.5 1 0 1 2 1.5 C 2.5 11 0 1 1 0 2 D 4.3 5.3 2 1 0 1 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Given samples ( x 1 , y 1 ), ( x 2 , y 2 ), …, ( x n , y n ) • f is well approximated o x i �� d , y i �� by a linear map Learn a function f such that f( x i ) = y i • y i ≈ ! T x i 12/12/16 3 PMPML

Distributed&Data Patient Blood+Count Heart Conditions Digestive+Track Medicine … Effectiveness Arrhyt Inflamm Dyspha … … … RBC WBC Murmur hmia ation gia A 3.9 10.0 0 0 0 1 1 B 5.0 4.5 1 0 1 2 1.5 C 2.5 11 0 1 1 0 2 D 4.3 5.3 2 1 0 1 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Shared database - (x 1 , y 1 ), (x 2 , y 2 ), …, (x n , y n ) do not • belong to the same party 12/12/16 4 PMPML

Horizontally&Partitioned& Database Patient Blood+Count Heart Conditions Digestive+Track Medicine … Effectiveness Arrhyt Inflamm Dyspha … … … RBC WBC Murmur hmia ation gia A 3.9 10.0 0 0 0 1 1 B 5.0 4.5 1 0 1 2 1.5 C 2.5 11 0 1 1 0 2 D 4.3 5.3 2 1 0 1 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Different rows belong to different parties • o E.g., each patient has their own information 12/12/16 5 PMPML

Vertically&Partitioned& Database Patient Blood+Count Heart Conditions Digestive+Track Medicine … Effectiveness Arrhyt Inflamm Dyspha … … … RBC WBC Murmur hmia ation gia A 3.9 10.0 0 0 0 1 1 B 5.0 4.5 1 0 1 2 1.5 C 2.5 11 0 1 1 0 2 D 4.3 5.3 2 1 0 1 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Different columns belong to different parties • o E.g., different specialized hospitals have different parts of the information for all patients 12/12/16 6 PMPML

Can&the&parties&holding&the&distributed&data&construct& the&predictive&model&on&the&whole&database& while+ protecting+the+privacy+of+their+inputs? Without+sending+their+own+ data+to+other+parties Without+revealing+more+about+ their+own+inputs+ 12/12/16 7 PMPML

Secure&Computation Alice&and&Bob&want&to&compute&F(X,Y)& without+revealing+their+inputs X Y 12/12/16 8 PMPML

Secure&Computation Secure&computation protocol Y X m 1 m 2 F(X,Y) F(X,Y) Security: the+parties+cannot+learn+ more+than+what+is+revealed+by+the+result 12/12/16 9 PMPML

Secure&Multiparty& Computation&(MPC) f (& .& , .& , .& , .& , . ) C B A f (A,+B,+C,+D,+E) D E Security: the+parties+cannot+learn+ more+than+what+is+revealed+by+the+result 12/12/16 10 PMPML

Applications • Auctions: inputs: bids; output: winner, price to pay o o Sugar beet auction in Denmark, 2008 o Energy trade auctions 12/12/16 11 PMPML

What&Does&and&Does&Not& MPC&Guarantee? Guarantee:+The+computation+does+not+ reveal+more+than+what+the+output+reveals. No+Guarantee: How+much+does+the+output+reveal. Differential+ Privacy 12/12/16 12 PMPML

Security Real World Ideal World F(X 1 ,& … ,&X 5 ) F(X 1 ,& … ,&X 5 ) ≈ Simulator 12/12/16 13 PMPML

Adversarial&Models Adversary&behavior: SemiMhonest – corrupt&parties& • follow&the&MPC&protocol Malicious – corrupt&parties& • deviate&arbitrarily&from&the& MPC&protocol Party&corruption: Static – corrupted&parties&are& • chosen&before&the&start&of&the& MPC&protocol&execution Adaptive – parties&can&be& • corrupted&during&the&execution 12/12/16 14 PMPML

What&Can&We&Compute& Securely? • We can compute securely any function! [ Yao82, GMW87, CDv88, BG89, BG90, Cha90, Bea92,CvT95, CFGN96, Gol97, HM97, CDM97, FHM98, o BW98,KOR98, GRR98, FvHM99, CDD+99, HMP00, CDM00, SR00,CDD00, HM00, Kil00, FGMO01, HM01, CDN01, Lin01,FGMv02, Mau02, GIKR02, PSR02, NNP03, FHHW03, KOS03,CFIK03, Lin03c, DN03, MOR03, CKL03, Pin03, PR03, NMQO+03,Lin03b, Lin03a, Lin03d, FWW04, FHW04, Pas04, IK04,HT04, ST04, KO04, MP04, ZLX05, CDG+05, HNP05, FGMO05, GL05, HN05, DI05, JL05, Kol05, WW05, vAHL05, LT06,CC06, DFK+06, BTH06, HN06, IKLP06, DI06, FFP+06,ADGH06, Dam06, MF06, CKL06, DPSW07, Kat07b, CGOS07,HIK07, DN07, Pen07, NO07, Kat07a, IKOS07, BMQU07,HK07, LP07, Woo07, BDNP08, QT08, PR08, HNP08, GK08,GMS08, SYT08, DIK+08, PCR08, KS08, Lin08, LPS08,GHKL08, CEMY09, GP09, GK09, MPR09, ZHM09, AKL+09,Tof09, BCD+09, DGKN09, DNW09, Lin09b, PSSW09, Lin09a,CLS09, LP09, Unr10, DO10, IKP10, DIK10,GK10,…….. ] 12/12/16 15 PMPML

Computation&Over&Circuits Boolean Circuits Arithmetic Circuits • Yao Gabled Circuits • BGW Construction o Ben-Or, Goldwasser, Widgerson + × × + + 12/12/16 16 PMPML

Yao&Garbled&Circuits Two Party Computation 12/12/16 17 PMPML

Circuit&Evaluation AND AND OR OR F OR AND AND 12/12/16 18 PMPML

Circuit&Evaluation 1 0 0 0 0 1 1 1 AND AND OR OR 1 0 0 1 F OR AND 1 0 AND 0 12/12/16 19 PMPML

Evaluation 0 1 AND In1 In2 Out 0 0 0 0 1 0 1 0 0 1 1 1 0 12/12/16 20 PMPML

Yao&Garbled&Evaluation k11 k00 k01 k10 0/1 0/1 AND ENC k00 ENC k10 (k20) In1 In2 Out ENC k00 ENC k11 (k20) 0 0 0 0 1 0 1 0 0 ENC k01 ENC k10 (k20) 1 1 1 ENC k01 ENC k11 (k21) 0/1 ENC k (m)&=&m& ⨁ k k21 k20 12/12/16 21 PMPML

Garbled&Evaluation 0 1 K00 K11 AND DEC k00 DEC k10 (k20) �� ct 1 In1 In2 Out K20 ← DEC k00 DEC k11 (k20) K2 0 0 0 ct 2 0 1 0 1 0 0 �� DEC k01 DEC k10 (k20) 1 1 1 ct 3 ENC k01 ENC k11 (k21) �� ct 4 0 K2 K20 12/12/16 22 PMPML

Secure&Computation F+ (X alice ,Y bob ) Evaluator Garbler 0 1 12/12/16 23 PMPML

Oblivious&Transfer&(OT) Receiver Sender Inputs:&b Inputs:&m 0 ,&m 1 Output:& � Output:&m b For&each&inputs&wire&corresponding&to& evaluator’s&input&execute&OT b m 0 m 1 Output:&m b 12/12/16 24 PMPML

The&Evolution&Of&Garbled& Circuits Size+(x+sec.param) Garble+cost Eval cost Assumption AND+++++++++++++XOR AND+++++++++++++XOR AND+++++++++++++XOR Classical&[Yao86] large 8 5 PKE P&P&[BMR90] 4&&&&&&&&&&&&&&&4 4/8&&&&&&&&&&&&4/8 1/2&&&&&&&&&&&&1/2 hash/PRF GRR3&[NPS99] 3&&&&&&&&&&&&&&&3 4/8&&&&&&&&&&&&4/8 1/2&&&&&&&&&&&&1/2 PRF/hash Free&XOR&[KS08] 3&&&&&&&&&&&&&&&0 4&&&&&&&&&&&&&&&0 1&&&&&&&&&&&&&&&0 circ.&hash GRR2&[PSSW09] 2&&&&&&&&&&&&&&&2 4/8&&&&&&&&&&&&4/8 1/2&&&&&&&&&&&&1/2 PRF/hash FlexOR [KMR14] 2& {0,1,2} 4& {0,1,2} 1& {0,1,2} circ.&symm HalfGates [ZRE15] 2&&&&&&&&&&&&&&&0 4&&&&&&&&&&&&&&&0 2&&&&&&&&&&&&&&&0 circ.&hash Threshold&gates,&garbling&arithmetic&operations&[BMR16] Asymptotic&and&concrete&improvements • 12/12/16 25 PMPML *&Comparison&table,&thanks&Mike&Rosulek

BGW&Protocol Multi Party Computation for Arithmetic Circuits 12/12/16 26 PMPML

Shamir’s&Secret&Sharing tMoutMofMn sharing: secret:&f(0)& random&degree&t& polynomial share:&f(5)& t shares+reveal+ nothing+about+the+ secret share:&f(10)& t+1+shares+ interpolate+the+ secret share:&f(10)& 12/12/16 27 PMPML

Secure&Computation: Why,%How%and%When Mariana Raykova Yale - PowerPoint PPT Presentation

Secure&Computation: Why,%How%and%When Mariana Raykova Yale University 12/12/16 1 PMPML Predictive&Model Patient Blood+Count Heart Conditions Digestive+Track Medicine Effectiveness Arrhyt Inflamm Dyspha

Secure computation With material from Matthew Green, Elaine Shi, CS Unplugged, others Secure

Secure Outsourcing of Computation Ron Rothblum MIT Outsourcing Computation Motivation: allow a

Round-Optimal Secure Multiparty Computation with Honest Majority Prabhanjan Ananth Arka Rai

Secure Computation ORAM The Case of 3-Party Computation Stanislaw Jarecki, UC Irvine

Secure Multi-Party Computation Gunnar Kreitz KTH Royal Institute of Technology

Secure Computation with Low Communication from Cross-checking Dov Gordon (George Mason U.)

Communication Locality in C i i L li i Secure Multi Party Secure Multi-Party Computation

The Exact Round Complexity of Secure Computation Antigoni Polychroniadou (Aarhus University)

Non-Interactive Secure Computation from One-Way Functions Saikrishna Badrinarayanan Abhishek

Fair Secure Computation (or how can I gain strategic advantage by breaking fairness) Alptekin

Adaptively Secure Multi-Party Computation with Dishonest Majority Sanjam Garg Amit

Introduction to Secure Multi-Party Computation Many thanks to Vitaly Shmatikov of the

Secure 2-Party Computation Lecture 14 Yao s Garbled Circuit RECALL SIM-Secure MPC F F

Secure 2-Party Computation Lecture 14 Yao s Garbled Circuit RECALL SIM-Secure MPC F F

Advanced Tools from Modern Cryptography Lecture 7 Secure 2-Party Computation: Yao s

2-party secure computation Problem: Two parties, Alice and Bob, with private inputs, a and b ,

Techniques for Efficient Secure Computation Based on Yaos Protocol Yehuda Lindell Bar-Ilan

SoK: General Purpose Frameworks for Secure Multi-party Computation Marcella Brett Daniel Steve

Practical Secure Two-Party Computation and Applications Thomas Schneider Estonian Winter School

General Purpose Frameworks for Secure Multi-party Computation Marcella Brett Daniel Steve

Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric

Hiding the Input Size in Secure Two-Party Computation Yehuda Lindell , Kobbi Nissim, Claudio

Constant-Overhead Secure Computation using Preprocessing Ivan Damgrd, Sarah Zakarias Aarhus

CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions