Michael Zohner (TU Darmstadt)

Transcription

1 ABY - A Framework for Efficient Mixed-Protocol Secure Two-Party Computation Michael Zohner (TU Darmstadt) Joint work with Daniel Demmler and Thomas Schneider ABY: Mixed-Protocol Secure Two-Party Computation Michael Zohner Slide 1

2 Secure Two-Party Computation x y f f(x,y) This work: semi-honest (passive) adversaries ABY: Mixed-Protocol Secure Two-Party Computation Michael Zohner Slide 2

3 Applications Auctions [NPS99],... Private Set Intersection [PSZ14],... Machine Learning [BPTG15],... Biometric Identification [EFGKLT09],... - several cool applications from different fields ABY: Mixed-Protocol Secure Two-Party Computation Michael Zohner Slide 3

4 Protocol Development Function Idea Optimizations Boolean Circuits Arithmetic Circuits Representation Protocol Abstract Languages DGK? Paillier Point-andpermute... Yao Fixed-Key Garbling? Free-XOR GMW Existing Frameworks Half-Gates Secure computation is a vast area and protocol development is a tedious task ABY: Mixed-Protocol Secure Two-Party Computation Michael Zohner Slide 4

5 Example: Minimum Euclidean Distance Minimum Euclidean Distance: min( di=1(si,1 Ci)2,, di=1 (Si,n Ci)2) Server holds database S, client holds query C Used in biometric matching (face-recognition, fingerprint, ) Function Boolean Circuits Arithmetic Circuits DGK Paillier... Yao ABY: Mixed-Protocol Secure Two-Party Computation Michael Zohner Slide 5 GMW

6 Example: Minimum Euclidean Distance Minimum Euclidean Distance: min( di=1(si,1 Ci)2,, di=1 (Si,n Ci)2) Server holds database S, client holds query C Used in biometric matching (face-recognition, fingerprint, ) Function Boolean Circuits Arithmetic Circuits DGK Paillier... Yao ABY: Mixed-Protocol Secure Two-Party Computation Michael Zohner Slide 6 GMW

7 Example: Minimum Euclidean Distance Minimum Euclidean Distance: min( di=1(si,1 Ci)2,, di=1 (Si,n Ci)2) Server holds database S, client holds query C Used in biometric matching (face-recognition, fingerprint, ) Function Boolean Circuits Arithmetic Circuits DGK Paillier... Yao ABY: Mixed-Protocol Secure Two-Party Computation Michael Zohner Slide 7 GMW

8 Our Contributions 1) More efficient multiplication using symmetric crypto Function 3.ABY 1.OT-ext. Arithmetic 2.Conversion Circuits DGK Paillier... 2) More efficient conversion Boolean Circuits Yao ABY: Mixed-Protocol Secure Two-Party Computation Michael Zohner Slide 8 GMW 3) Mixed-protocol framework called ABY

9 Multiplication using OT Extension Use a multiplication protocol that is based on OT extension Requires symmetric-key cryptography only Communication 3000 Run-Time Paillier (WAN) DGK (WAN) Paillier (LAN) DGK (LAN) OT-Ext (WAN) OT-Ext (LAN) Run-time (μs) Communication (Bytes) Compare one multiplication using Paillier, DGK, and OT extension Bit-Length of Values Bit-Length of Values Communication and run-time for 1 multiplication in LAN and WAN for long-term security ABY: Mixed-Protocol Secure Two-Party Computation Michael Zohner Slide 9

10 The ABY framework Combine: Arithmetic sharing Boolean sharing (GMW) Yao's garbled circuits A Efficient conversions between schemes B Use best practices in secure computation: batch pre-compute crypto use symmetric crypto where possible use sub-protocols with recent optimizations ABY: Mixed-Protocol Secure Two-Party Computation Michael Zohner Slide 10 Y

11 ABY Secure Computation Schemes A rithmetic sharing: Free XOR / one interaction per AND Good for multiplexing Y ao's garbled circuits: Free XOR / no interaction per AND Good for comparison ABY: Mixed-Protocol Secure Two-Party Computation Michael Zohner Slide 11 B c Free addition / cheap multiplication Good for multiplication B oolean sharing: A a,b c=a*b Y c=a*b Multiplication Protocol Yao Mixed LAN [μs] Comm. [KB] 100 5

12 Example: Minimum Euclidean Distance Minimum Euclidean Distance: min( di=1(si,1 Ci)2,, di=1 (Si,n Ci)2) dist min LAN [s] WAN [s] Comm [MB] #Msg Y Y B B A Y A B Euclidean distance for n = 512 values of 32-bit length and d = ABY: Mixed-Protocol Secure Two-Party Computation Michael Zohner Slide 12

13 Take Away Message A Developed a mixed-protocol secure computation framework B Abstract from underlying secure computation protocol Use only fast symmetric key crypto Code is available at GitHub: ABY: Mixed-Protocol Secure Two-Party Computation Michael Zohner Slide 13 Y

14 ABY - A Framework for Efficient Mixed-Protocol Secure Two-Party Computation Questions? Contact: Code: ABY: Mixed-Protocol Secure Two-Party Computation Michael Zohner Slide 14

15 ABY Development ABY Representation Extensibility Function Idea Circuit Boolean Arithmetic Special purpose circuits Schemes B Optimizations Optimize existing / implement new schemes A Protocol OT-Ext. Y Efficient Conversion Efficient Garbling ABY: Mixed-Protocol Secure Two-Party Computation Michael Zohner Slide 15 Implement further optimizations

16 Future Work - Implement new special purpose operations - Automatically assign operations to protocols [KSS14] - Add support for malicious adversaries TinyOT (Boolean circuits) SPDZ (Arithmetic circuits) ABY: Mixed-Protocol Secure Two-Party Computation Michael Zohner Slide 16

17 Mixed-Protocols - Some functionalities have a more efficient circuit representation Multiplication in Boolean circuits: O(n2) Comparison in Arithmetic circuits: O(n) multiplications of q-bit values - TASTY [HKSSW10] combines Paillier (Arithmetic) and Yao (Boolean) Paillier Yao - Multiplication and conversion requires public-key operation For long-term security, Yao-only is often most efficient [KSS14] ABY: Mixed-Protocol Secure Two-Party Computation Michael Zohner Slide 17

18 OT Extension Input: Alice holds two strings (x0, x1), Bob holds a choice bit r Output: Alice learns nothing, Bob only learns xr Traditionally, OT requires public-key crypto OT extension allows extending few real OTs to arbitrary many OTs using symmetric key cryptography only ABY: Mixed-Protocol Secure Two-Party Computation Michael Zohner Slide 18

19 References [NPS99]: Moni Naor, Benny Pinkas, Reuban Sumner: Privacy preserving auctions and mechanism design. EC 1999: [BPTG15] Raphael Bost, Raluca Ada Popa, Stephen Tu, Shafi Goldwasser: Machine Learning Classification over Encrypted Data. NDSS [EFGKLT09]: Zekeriya Erkin, Martin Franz, Jorge Guajardo, Stefan Katzenbeisser, Inald Lagendijk, Tomas Toft: Privacy-Preserving Face Recognition. Privacy Enhancing Technologies 2009: [KSS14]: Florian Kerschbaum, Thomas Schneider, Axel Schröpfer: Automatic Protocol Selection in Secure Two-Party Computations. ACNS 2014: DGK: Ivan Damgård, Martin Geisler, Mikkel Krøigaard: A correction to 'efficient and secure comparison for on-line auctions'. IJACT 1(4): (2009). Paillier: Pascal Paillier: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes. EUROCRYPT 1999: , GMW: Oded Goldreich, Silvio Micali, Avi Wigderson: How to Play any Mental Game or A Completeness Theorem for Protocols with Honest Majority. STOC 1987: Yao: Andrew Chi-Chih Yao: Protocols for Secure Computations (Extended Abstract). FOCS 1982: ABY: Mixed-Protocol Secure Two-Party Computation Michael Zohner Slide 19

20 References [BG11]: Marina Blanton, Paolo Gasti: Secure and Efficient Protocols for Iris and Fingerprint Identification. ESORICS 2011: [HKSSW10]: Wilko Henecka, Stefan Kögl, Ahmad-Reza Sadeghi, Thomas Schneider, Immo Wehrenberg: TASTY: tool for automating secure two-party computations. ACM Conference on Computer and Communications Security 2010: ABY: Mixed-Protocol Secure Two-Party Computation Michael Zohner Slide 20

21 Protocol Overview Special Purpose Protocols Generic Protocols Arithmetic Circuit Boolean Circuit Yao Homomorphic Encryption GMW OT Public Key Crypto >> Symmetric Crypto ABY: Mixed-Protocol Secure Two-Party Computation Michael Zohner Slide 21 >> One-Time Pad