SMCL A Domain-Specific Programming Language for Secure Multiparty - PowerPoint PPT Presentation

SMCL A Domain-Specific Programming Language for Secure Multiparty Computation Janus Dam Nielsen and Michael I. Schwartzbach June 14, 2007 Janus Dam Nielsen - PLAS 2007 1/27

Overview • Secure Multiparty Computation • SMCL Concepts • An example • Security - what, why • Efficiency • Future Work • Conclusion June 14, 2007 Janus Dam Nielsen - PLAS 2007 2/27

Secure Multiparty Computation • n parties P1,...,Pn wish to jointly compute the computable function: f(x1,...,xn) • Party Pi only knows the input value xi which must be kept secret from the other parties. • Even if some adversary has power to corrupt some subset of the parties June 14, 2007 Janus Dam Nielsen - PLAS 2007 3/27

The Millionaire’s Example Alice Bob SMC Trent June 14, 2007 Janus Dam Nielsen - PLAS 2007 4/27

SMC Solves Problems • Auctions • Distributed Voting • Matchmaking • Benchmarking June 14, 2007 Janus Dam Nielsen - PLAS 2007 5/27

Conceptual Model Server Clients June 14, 2007 Janus Dam Nielsen - PLAS 2007 7/27

Values Clients: Server: Private values Public & Secret values Booleans Booleans Integers Secret booleans Records Integers Secret integers Records Client identity Secret client identity June 14, 2007 Janus Dam Nielsen - PLAS 2007 8/27

Communication Clients: Server: Tunnels: Tunnels: Accessed via client Asynchronous identity put and get functions put and get functions Primitive types only Data encrypted Secret data - shared and encrypted Functions: Synchronous Primitive types only Invoked by server June 14, 2007 Janus Dam Nielsen - PLAS 2007 9/27

Client Identity Clients: Server: Groups of clients: A set of clients All of the same kind Iterated using a for loop Uniform treatment of clients Secrecy of client identity Specified externally June 14, 2007 Janus Dam Nielsen - PLAS 2007 10/27

SMCL The Millionaire’s Example declare client Millionaires: declare server Max: tunnel of sint netWorth; group of Millionaires mills; function void main(int[] args) { function void main(int[] args) { sint max = 0; ask(); sclient rich; } foreach (client c in mills) { function void ask() { netWorth.put(readInt()); sint netWorth = c.netWorth.take(); } if (netWorth >= max) { max = netWorth; function void tell(bool b) { rich = c; if (b) { } display("You are the richest!"); } } else { foreach (client c in mills) { display("Make more money!"); c.tell(open(c==rich|rich)); } } } } June 14, 2007 Janus Dam Nielsen - PLAS 2007 11/27

Security • Identity property • Commutative property Server Clients • Adversary may: • Observe physical state of the server • Not observe private and secret values June 14, 2007 Janus Dam Nielsen - PLAS 2007 14/27

Adversary Traces • A sequence of states P P’ of an entire computation S S’ T • Secret values are masked out P P • Private state of P clients not available S 1 1 S S 2 2 • No declassification June 14, 2007 Janus Dam Nielsen - PLAS 2007 15/27

Adversary Traces (cont’) June 14, 2007 Janus Dam Nielsen - PLAS 2007 16/27

Identity Property • p’ = p’’ - Low equiv. • Traces must be P P’ identical S 1 S’ • Prevents attacks T 1 1 which are a function of the trace (e.g. timing) P’’ P • Requires basic operations S’ S 2 T 2 2 independent of arguments June 14, 2007 Janus Dam Nielsen - PLAS 2007 17/27

Commutative Property P P’ S’ S 1 T 1 1 • Soundness of secret representation P P’ P P’ 1 1 T 2 June 14, 2007 Janus Dam Nielsen - PLAS 2007 18/27

Ensuring Security • Carefully crafted semantics • Static analysis of well-typed SMCL programs June 14, 2007 Janus Dam Nielsen - PLAS 2007 19/27

Semantics • Conditionals are a if (b) { source of differences x = y; in trace } • Execute both else { branches x = z; } • Termination x = b*y + (1-b)*z • Public side-effects? June 14, 2007 Janus Dam Nielsen - PLAS 2007 20/27

Hoistability • Branches must agree on public side-effects • Assignment to public variables • Communication • Function calls • While loops and recursion with secret condition - not allowed June 14, 2007 Janus Dam Nielsen - PLAS 2007 21/27

Semantic Security • Ideal computations are Ideal computation inefficient • Prove that a pragmatic P version reveals same S S’ information as the S’’ ideal version • Assist the open(e|x,y,z) programmer June 14, 2007 Janus Dam Nielsen - PLAS 2007 22/27

Ideal Efficiency sint x = 17; sint a = 42; sint b = -5; sint c = 87; sint p = a*(x*x) + b*x +c sint sign = 0; int output; if (p<0) sign = -1; (parties, ideal pragmatic public if (p>0) sign = 1; threshold) output = open (sign|p); (3,1) 12 sec 30 ms < 1 ms Pragmatic int x = 17; sint a = 42; (5,2) 17 sec 65 ms < 1 ms sint b = -5; sint c = 87; sint p = open (a*(x*x) + b*x +c|a,b,c) (7,3) 30 sec 132 ms < 1 ms sint sign = 0; int output; if (p<0) sign = -1; if (p>0) sign = 1; output = sign; June 14, 2007 Janus Dam Nielsen - PLAS 2007 24/27

Future Work • Formalize Adversary traces • Dynamic groups • Secret compound datatypes • More elaborate examples June 14, 2007 Janus Dam Nielsen - PLAS 2007 25/27

Conclusion • A DSL for SMC • High-level abstractions • Strong security guaranties • Useful in practice June 14, 2007 Janus Dam Nielsen - PLAS 2007 26/27

Questions? June 14, 2007 Janus Dam Nielsen - PLAS 2007 27/27

SMCL A Domain-Specific Programming Language for Secure Multiparty - PowerPoint PPT Presentation

SMCL A Domain-Specific Programming Language for Secure Multiparty Computation Janus Dam Nielsen and Michael I. Schwartzbach June 14, 2007 Janus Dam Nielsen - PLAS 2007 1/27 Overview Secure Multiparty Computation SMCL Concepts An