(Ever More) Efficient Protocols for Secure Jonathan Katz Associate Professor Dept. of Computer Science

Transcription

1 (Ever More) Efficient Protocols for Secure Jonathan Katz Associate Professor Dept. of Computer Science

2 x 7 x 6 x 1 (y 1,y 2,,y n ) = f(x 1,x 2,,x n ) x 5 x 2 x 4 x 3

3 x 7 xy 7 x 6 x 1 xy 1 xy 6 xy 5 x 2 xy 2 xy 3 xy 4 (y 1,y 2,,y n ) = f(x 1,x 2,,x n ) x 5 x 4 x 3

4 Drawbacks? May not be a single party trusted by everyone Trusted party learns all inputs + outputs May be problemaac for legal/policy reasons Trusted party may later be compromised Trusted party becomes a high- value target If compromised, all security lost

5

6 A protocol is secure (within some specified threat model) if it emulates the use of a trusted party In paracular: The computed results are correct ParAes inputs remain private (except for what is implied by the outputs) ParAes inputs are chosen independently

7 Threat models Assumed bound on the number of corrupted (and colluding) paraes Types of misbehavior: Semi- honest Malicious

8 Distributed Used to compute the market- clearing price for sugar beets in Denmark (2008) Financial Compute HHIs for int l insatuaons to look for unsafe levels of exposure Privacy- preserving malware analysis

9 PrevenAng satellite collisions Sharemind (cf. youtube) Searching on encrypted data (Without fully homomorphic encrypaon ) Funded projects by DARPA, IARPA, ERC,

10 Is secure possible? Protocols for secure computaaon of any funcaon, with security against malicious behavior of any number of paraes, have been known since the 80s These protocols are generic, and work for any funcaon represented as a boolean circuit

11 Is secure Hopelessly inefficient Fairplay (two paraes, semi- honest) mula- party; malicious smartphone app improvements, tailored protocols, (faster computers)

12 Progress (2- party, semi- honest) x non- free gates/s gates/ Billions max gates Fairplay [PSSW09] TASTY Here 0 Fairplay [PSSW09] TASTY Here Performance Scalability 1 billion gates at 10 µs/gate

13 Generic vs. tailored protocols? (E.g., PSI) security level

14 Other Problem Best Previous Result Our Result Speedup Hamming Distance (face 213s 0.051s 4000x recogniaon) 900- bit vectors [SCiFI, 2010] An alternaave approach would have been to apply [a] generic secure two- party protocol. This would have required expressing Edit Distance (genome, the text algorithm as a circuit 534s and then sending 18.4s and compuang 30x that comparison) 200- character circuit. [We] believe [Jha+, that 2008] the performance of our protocols is strings, 8- bit alphabet significantly be`er than that of applying generic protocols. Smith- Waterman (genome [Not Osadchy Implementable] et al., IEEE Security & 447s Privacy (Oakland), alignment) 60- nucleoade sequences Oblivious AES Evalua@on 3.3s [H + 10] 0.2s 16x

15 Recent work Secure computaaon with sublinear work More efficient protocols with security against malicious behavior Relaxed security guarantees ( one- bit leakage ) Full malicious security

16 Secure 2PC over large data? Consider lookup in a (sorted) database Person 1 Person 2 Person n Is passenger X on the no-fly list? The circuit for this funcaon has size Ω(n) The circuit for any (non- trivial) funcaon has size Ω(n) Could have computed it (insecurely) in O(log n) Ame

17 Secure 2PC over large data? (At least) linear complexity is inherent for secure computaaon of any non- trivial f If the server never touches the ith record, then it learns that the ith record was irrelevant

18 Secure 2PC over large data Ideas: 1. Instead of secure 2PC based on circuits, explore secure 2PC based on RAMs 2. Consider secure 2PC in a senng where f is evaluated mul-ple Ames, and we aim for good amor-zed complexity

19 Experimental results 1600 (512- bit entries) Our Protocol Basic Yao Time (s) Log 2 (# entries)

20 Malicious adversaries? In principle, a malicious adversary aoacking a semi- honest protocol can completely violate privacy/correctness Can we guarantee any protecaon? Best known malicious protocols roughly 200x slower than semi- honest protocols * ( * In recent work we improve this by a factor of 3)

21 Malicious adversaries? What if we relax the security requirements? Here: 1- bit leakage The best a malicious adversary can do is learn is one bit of disallowed informaaon Cannot affect correctness

22 Performance Time (seconds) Semi- honest DualEx (dual- core) DualEx (single- core) Malicious [Kreuter et al., USENIX Security 2012] 0 PSI (4096) ED (200x200) AES (100) AES (1) 22

23 Current work Bridging PL and cryptography Beoer compilers for secure computaaon Beoer understanding of what is leaked by (even ideally) secure computaaon computaaon Bridging game theory and cryptography

24 Conclusions Secure computaaon is already (for moderate- sized circuits, and semi- honest security) Privacy- preserving applicaaons can run orders of magnitude faster than previously thought Secure computaaon will be deployed in <10 years

25 Acknowledgments Collaborators Yan Huang, Dave Evans, Lior Malka Dov Gordon, Vlad Kolesnikov, Fernando Krell, Tal Malkin, Mariana Raykova, Yevgeniy Vahlis Mike Hicks, Elaine Shi Research supported by NSF ( TC: Large: CollaboraAve Research: PracAcal Secure ComputaAon: Techniques, Tools, and ApplicaAons ) DARPA ( Toward PracAcal Cryptographic Protocols for Secure InformaAon Sharing ) ARL- ITA ( Secure InformaAon Flow in Hybrid CoaliAon Networks )

26 Selected Y. Huang et al., Faster Secure Two- Party ComputaGon Using Garbled Circuits, USENIX Security Symposium 2011 Y. Huang et al., Private Set IntersecGon: Are Garbled Circuits BeOer than Custom Protocols? NDSS 2012 D. Gordon et al., Secure Two- Party ComputaGon in Sublinear (AmorGzed) Time, ACM CCCS 2012 Y. Huang et al., Quid Pro Quo- tocols: Strengthening Semi- Honest Protocols with Dual ExecuGon, IEEE Security & Privacy (Oakland) 2012 Papers and code linked from h`p://