Systems Novelties Seminar (2/24/10)

Transcription

1 Get rid of E-bay and do you own auction with FairPlayMP Systems Novelties Seminar (2/24/10) Sen-ching Samson Cheung University of Kentucky 1

2 Auction Courtesy of Luis von Ahn 2

3 Ebay s Second Price Auction Courtesy of Luis von Ahn 3

4 Ebay s Second Price Auction Your bid does not affect how much you pay; it only affects whether you get the object or not Consequences (without proof) Bidders have no incentive to overbid or underbid they bid on the truth worth of the object to them Seller revenue is the same as compared with the first-price auction 4

5 Assumption of Ebay s Auction Bidders do not know the actual bids of others Need a trusted party (like Ebay) to act as an auctioneer! End Result: Monopoly, Single-point of failure Desirable: No trusted party. All protocols are executed in a peer-to-peer fashion with privacy of inputs protected. Implications on other types of distributed computing 5

6 Secure multi-party computation N parties: P 1, P 2,., P N Goal: Compute function [y 1,, y N ] = f(x 1,,x N ) Procedure: each party P i executes code f i () & receive data d ji from party P j for j i s.t. At the end of fi, P i knows y i Pi knows nothing about x j beyond what can be inferred from f(), f i (), x i, y i and d ji for j i. Assumption: each party P i follows the procedure faithfully but will try to deduce x j for j i by colluding with each other (semi-honest) 6

7 Existing approaches Two cases: Case 1: # semi-honest parties are strict minority and the rest are TRUSTED Can be done (efficiently too!) Case 2: # semi-honest parties are majority Can t be done unless we have a one-way trapdoor function We can assume computationally-limited adversaries and use any public-key cipher for that. 7

8 Approach: Garbled Circuit A 2-party scenario of a binary function f: Keys F- Evaluation S 0,K 0 f(0,x 2 ) S 1,K 1 f(1,x 2 ) Cipher Text E[f(0,X 2 ); D(M;S 0 )] K 0, K 1 M=E(K A ; K X1 ) X 1 =1 S A,K A E[f(1,X 2 ); D(M;S 1 )] D[E[f(1,X 2 ); D(M;S 1 )];S A ] Extension to N-party evaluation of a binary function is not TOO difficult! = D[E[f(1,X 2 );K A )];S A ] = f(1,x 2 ) 8

9 Fairplay Originally developed in 2004 by Malkhi, Nisan, Pinkas and Shella for general 2-party SMC Refined in 2008 by Ben-David, Nisan and Pinkas for n-party SMC High-level Program in Secure Function Definition Language (SFDL) Low-level Circuit Description in Secure Hardware Definition Language (SHDL) Object code in java Config. File in XML SSL 9

10 Example of SFDL program SecondPriceAuction { const nbidders = 4; type Bid = Int<8>; // enough bits for a bid type WinningBidder = Int<3>; // enough bits to represent a winner type SellerOutput = struct { WinningBidder winner, Bid winningprice}; type Seller = struct {SellerOutput output}; // Seller has no input Input and output type BidderOutput = struct { members are Boolean win, Bid winningprice}; handled differently as they need to be type Bidder = struct { encrypted before Bid input, BidderOutput output}; sharing among players 10

11 function void main(seller seller, Bidder [nbidders] bidder) { var Bid high ; var Bid second ; var WinningBidder winner ; winner=0; high=bidder[0].input; second=0; for (i=1 to nbidders-1) { if (bidder[i].input > high ) { winner=i; second=high; high=bidder[i].input ; } else if (bidder[i].input>second) second = bidder[i].input; } seller.output.winner = winner ; seller.output.winningprice = second ; for (i=0 to nbidders-1) { bidder[i].output.win = (winner==i); bidder[i].output.winningprice = second ; }} 11

12 Output Circuit 2 input //bidder[0].input.$0(0), high.$0(0), second.$0(1), bidder[0].input.$0(1) [71, 63, 47] 3 input //bidder[0].input.$1(0), high.$1(0), second.$1(1), bidder[0].input.$1(1) [48, 64, 72] 4 input //bidder[0].input.$2(0), high.$2(0), second.$2(1), bidder[0].input.$2(1) [49, 65, 73] 5 input //bidder[0].input.$3(0), high.$3(0), second.$3(1), bidder[0].input.$3(1) [50, 66, 74] 6 input //bidder[0].input.$4(0), high.$4(0), second.$4(1), bidder[0].input.$4(1) [51, 67, 75] gate arity 2 table [ ] inputs [ ] // [48] 35 gate arity 2 table [ ] inputs [ ] // [36, 37] 36 gate arity 2 table [ ] inputs [ ] // [49] 37 gate arity 2 table [ ] inputs [ ] // [38, 39] 38 gate arity 2 table [ ] inputs [ ] // [50]... Total about 400 gates 12

13 Configuration File <Fairplay2> <Circuit>SecondPriceAuction.sfdl</Circuit> <Participates> <Players> <Player NameInFunction="bidder[0]"> </Player> <Player NameInFunction="bidder[1]"> </Player> <Player NameInFunction="bidder[2]"> </Player> <Player NameInFunction="bidder[3]"> </Player> <Player NameInFunction="seller"> </Player> </Players> <ComputationPlayers> , , , , </ComputationPlayers> </Participates> <Security> <Port> </Port> 13

14 Configuration File <Modulo> </Modulo> <PRGProtocol> SHA1PRNG </PRGProtocol> <Certificate> <KeyStore> certificate/ks </KeyStore> <KeyStorePassword> </KeyStorePassword> <TrustStore> certificate/ts </TrustStore> <TrustStorePassword> </TrustStorePassword> </Certificate> </Security> </Fairplay2> 14

15 To Probe Further von Ahn, Luis ( ). "Auctions" (PDF) : Science of the Web Course Notes. Carnegie Mellon University Primer on Auction A. Ben-David, N. Nisan, B. Pinkas, FairplayMP A System for Secure Multi-Pary Computation, CCS 08 Main paper that describe the software FairplayMP system - Actual system software SFDL 2.0 Specification Description of the language S.-C. Cheung and T. Nguyen, Secure Signal Processing between Distrusted Network Terminals, EURASIP Journal on Information Security. Volume 2007 (2007), Article ID My humble Tutorial article S. Yee, Y. Lou, J. Zhao and S.-C. Cheung, Anonymous Biometric Access Control, EURASIP Journal on Information Security. Volume 2009 (2009), Article ID Use Homomorphic Encryption to implement 2-party Secure Iris Matching 15