Post on 24-Feb-2016
description
GPU and CPU Parallelization of Honest-but-Curious Secure
Two-Party ComputationNathaniel Husted, Steve Myers, abhi shelat, Paul Grubbs
Alice and Bob want to compute a public function of their private inputs.
Secure Two-party Computation
Disease Database
Alice Bob
Secure Two-party Computation
F(X,Y)
Alice Bob
=> Alice & Bob
X Y
Alice provides X. Bob provides Y. F(X,Y) is correctly calculated without Bob learning X and Alice learning Y.
Yao’s Garbled Circuits [Yao1986]
XOR 1
AND 2
AND 3
OR 4
XOR 0X
OUTPUTS
Y
0
F(X,Y)
I’m going to discuss the current fastest solution for processing Yao’s Garbled Circuits.
Yao’s Garbled Circuits [Yao1986]
XOR 1
AND 2
AND 3
OR 4
XOR 0X
OUTPUTS
Y
0
F(X,Y) = X + Y
Wires in Yao’s Garbled Circuits [Yao1986]• Alice must use random labels () for wire values instead of 0’s and 1’s.
Label 0 () Wire 0 ()Label 1 ()
Yao’s Garbled Circuits [Yao1986]
XOR 1
AND 2
AND 3
OR 4
XOR 0
OUTPUTS
Label 0 = 0xF1F1 Label 1 = 0xABAB
0x43210x9932
0x67530x9B3F
0x12120x1234
0x93FA0x8843
0xFFCC0x1203
0xCC1C0x1112
X
Y
0
0x1103
0xBA81
F(X,Y) = X + Y
Encrypting Gates in Yao’s Garbled Circuits [Yao1986]
Gate 2 ()AND𝑊 0
𝑊 1
𝑊 2
AND GATE
Output
Encrypting Gates in Yao’s Garbled Circuits [Yao1986]• Notation shortcut: =
Gate 2 ()AND𝑊 0
𝑊 1
𝑊 2
AND GATE
Output
Garbling Gates in Yao’s Garbled Circuits [Yao1986]
Gate 2 ()AND𝑊 0
𝑊 1
𝑊 2
AND GATEEncrypted Entry
0,0
0,1
1,0
1,1
Garbling Gates in Yao’s Garbled Circuits [Yao1986]
Gate 2 ()AND𝑊 0
𝑊 1
𝑊 2
AND GATEEncrypted Entry
0,0
0,1
1,0
1,1
Garbling Gates in Yao’s Garbled Circuits [Yao1986]
Gate 2 ()AND𝑊 0
𝑊 1
𝑊 2
AND GATEEncrypted Entry
0,0
0,1
1,0
1,1
Yao’s Garbled Circuits [Yao1986]
XOR 1
AND 2
AND 3
OR 4
XOR 0
OUTPUTS
Label 0 = 0xF1F1 Label 1 = 0xABAB
0x43210x9932
0x67530x9B3F
0x12120x1234
0x93FA0x8843
0xFFCC0x1203
0xCC1C0x1112
X
Y
0
0x1103
0xBA81
F(X,Y) = X + Y
OR GATE
Output
Alice sends the generated circuit to Bob.• Alice sends ALL garbled truth tables to Bob.
XOR GATEEncrypted Entry
0,0
0,1
1,0
1,1
XOR GATEEncrypted Entry
0,0
0,1
1,0
1,1
AND GATEEncrypted Entry
0,0
0,1
1,0
1,1
OR GATEEncrypted Entry
0,0
0,1
1,0
1,1
Sent over the network…BOB
ALICE
AND GATE
Encrypted Entry
0,0
0,1
1,0
1,1
Bob evaluates the circuit.• Evaluation is the reverse of generation.
Gate 3 ()AND𝑊 0
𝑊 1
𝑊 2
𝜆2❑=? ?= ??
= 0xCC1C
= 0x1234 = 0x0
= 0x1
AND GATEEncrypted Entry
0,0
0,1
1,0
1,1
Bob evaluates the circuit.• Evaluation is the reverse of generation.
Gate 3 ()AND𝑊 0
𝑊 1
𝑊 2
𝜆2❑=? ?= ??
= 0xCC1C
= 0x1234 = 0x0
= 0x1
AND GATEEncrypted Entry
0,0
0,1
1,0
1,1ENTRY TO DECODE
Bob evaluates the circuit.• Evaluation is the reverse of generation.
Gate 3 ()AND𝑊 0
𝑊 1
𝑊 2
𝜆2❑=? ?= ??
= 0xCC1C
= 0x1234 = 0x0
= 0x1
AND GATEEncrypted Entry
0,0
0,1
1,0
1,1
ENTRY TO DECODE
Other security models for Yao’s Garbled Circuits• Malicious-Leaks-A-Bit [Huang2013]
• Benefits:• Attacker can analyze results and lie in the protocol.• Only requires one extra Generation and Evaluation.
• Drawbacks:• Leaks 1-bit of output.
• Fully Malicious [Lindell2013]• Benefits:
• Leaks no information to the attacker.• Drawbacks
• Requires Alice generate between 60 – 130 circuits. Bob must evaluate ~1/2 and verify the rest.
• NOTE: Our methods can work with either of these models!
Brief survey of garbled circuit systems
CPU Based?
GPUBased?
OT Extension?
Parallel? Bottleneck Security Model
Our Work Yes* Yes Yes* Yes Communication Honest-but-curious,malicious leaks a bit,(Fully Malicious)
Huang et al. Yes No Yes No Processing Honest-but-curious, malicious leaks a bit
Kreuter et al.[Kreuter2013]
Yes No Yes Super computers Communication Fully Malicious
Frederiksen et al. [Frederiksen201]
No Yes Yes* Single GPUs Communication Fully Malicious
Contributions to Garbled Circuit Optimization1. A method for accurately comparing garbled circuit systems with
very different circuit formats.2. A method for generating all gates in a circuit at once.3. A method for reducing the number of calculations for each gate
garbling.4. A scalable generation method that can be combined with other
best-in-class implementations.
Fast Garbled Circuit Processing With GPUs• GPUs are highly parallel Single Instruction Multiple Data (SIMD)
processors.• We can use every “core” on the GPU to process a gate. • But the SIMD parallelism requires protocol modifications.
• The Free XOR Technique [Kolesnikov2008]
Label 0 ()
Generating all gates at once allows high through-put but requires protocol modification.
Gate 0 ()XOR
Label 1 () =
=
𝜆20=𝜆00⨁ 𝜆10
𝜆21=𝜆00⨁ 𝜆10⨁𝑅
: Randomly Generated Constant
Gate 2 ()AND
• Our modified Free XOR technique
Label 0 ()
Generating all gates at once allows high through-put but requires protocol modification.
Gate 0 ()XOR
Label 1 () =
=
𝜆20
𝜆21=𝜆20⨁𝑅
: Randomly Generated Constant
XOR Offset Gate 2 ()AND
Benefits of increased Throughput
Benchmarking Machines
Name CPU GPU
Tie (DARPA) Tesla K200.71 Ghz
EC2 (Amazon) Tesla S20501.15 Ghz
Kreuter et al. Xenon E55062.13 Ghz
Garbling Truth Tables in practice
Gate 2 ()AND𝑊 0
𝑊 1
𝑊 2
AND GATE GARBLED TRUTH TABLEEncrypted Entry
0,0 SHA1
0,1 SHA1
1,0
1,1 SHA1
Reducing calculations required per-gate provided benefits over other GPU systems.
• But recall there are three wires for every gate in the circuit…
SHA1 CountsRandom Wire Label (per wire) 1 SHA1
Garbled Truth Table 4 SHA1
XOR Offset 0 SHA1
Inputs and Outputs of SHA1
1 2 3 … 15 16
A B C D E
Buckets holding inputs:
Buckets holding algorithm state:
4
Pre-computing SHA1 intermediate values
Seed Seed Seed … 0x0 … Wire ID Wire ID
Inputs for random wire values:Seed
Pre-computing SHA1 intermediate values
Seed Seed Seed … 0x0 … Wire ID Wire ID
Buckets holding inputs:Seed
Only buckets used during the first 14 rounds.
= Common for all Wires
Benefits of SHA1 pre-computation
Benchmarking MachinesName GPU GPU Cores
Tie (DARPA) Tesla K200.71 Ghz
2496
EC2 (Amazon) Tesla S20501.15 Ghz
448
Current and On-Going Work• Now implement the PCF2 circuit format developed by Kreuter et al.• Working on additional circuit optimizations on top of those provided
by the PCF2 compiler.• Provide a full scale solution from honest-but-curious to fully malicious
processing.• Multiple GPUs• Super computers
• Experiments and source code are available upon request.
Questions?
Extra Slide Matter
Using GPUs we show the fastest single machine garbled circuit generator• XOR Gates: ~ 60.2 Million Gates Per Second• TT Gates: ~34.1 Million Gates Per Second
1. Alice will generate the Yao’s circuit.• Alice must construct the circuit using a series of Boolean gates with
two input wires and one output wire.• Each gate has a serial number and garbled truth table.
Gate 0 ()
AND
𝑊 0
𝑊 1
𝑊 2
Wires in Yao’s Garbled Circuits [Yao1986]• Alice must use random labels () for wire values instead of 0’s and 1’s.• Alice must use permutation bits (p-bits; ) to signify the label choice.
Label 0 () = 0xA1B2
P-bit 0 () = 0x1
Wire 0 ()Label 1 () = 0x192F
P-bit 1 () = 0x0
Encrypting Gates in Yao’s Garbled Circuits [Yao1986]• How Alice creates garbled truth tables in two steps• Step 1: Create Encrypted Truth Table
Gate 2 ()AND𝑊 0
𝑊 1
𝑊 2
AND GATE
Serial #: 2= 0xA1B2 = 0x1
= 0x192F = 0x0
= 0x428F = 0x0
= 0xADC1 = 0x1
= 0xA1B2
= 0x192F= 0x0
= 0x1
Encrypting Gates in Yao’s Garbled Circuits [Yao1986]• How Alice creates garbled truth tables in two steps• Step 1: Create Encrypted Truth Table
Gate 2 ()AND𝑊 0
𝑊 1
𝑊 2
AND GATE
Serial #: 2= 0xA1B2 = 0x1
= 0x192F = 0x0
= 0x428F = 0x0
= 0xADC1 = 0x1
= 0xA1B2
= 0x192F= 0x0
= 0x1
STEP 1 OUTPUT
Encrypting Gates in Yao’s Garbled Circuits [Yao1986]• How Alice creates garbled truth tables in two steps• Step 1: Create Encrypted Truth Table
Gate 1 ()XOR𝑊 0
𝑊 1
𝑊 2
XOR GATE
Output
Encrypting Gates in Yao’s Garbled Circuits [Yao1986]• How Alice creates garbled truth tables in two steps• Step 1: Create Encrypted Truth Table
Gate 4 ()OR𝑊 0
𝑊 1
𝑊 2
OR GATE
Output
A basic overview of the Yao’s protocol• Assumptions:• Security Model: Honest but Curious
• Process:1. Alice will generate the Yao’s circuit.2. Alice sends the generated circuit to Bob.3. Bob will use Oblivious Transfer to learn Alice’s inputs.4. Bob will evaluate the circuit.5. Bob sends the output to Alice
Yao’s Garbled Circuits under an Honest-but-Curious Security Model1. Alice generates wire labels and garbled truth tables for all wires and
gates in a circuit.2. Alice sends the garbled truth tables to Bob.3. Bob obtains Alice’s input using Oblivious Transfer.4. Bob evaluates the circuit.5. Bob sends output to Alice.
Both party can analyze data t all steps of this protocol but must perform all steps.
Bob performs Oblivious Transfer to obtain Alice’s Inputs
Oblivious TransferAlice Bob
𝑆0
𝑆1
𝑆𝑎
So how fast can we process garbled circuits?• XOR Gates: ~ 60.2 Million Gates Per Second• TT Gates: ~34.1 Million Gates Per Second