Introduction to Secure Computation. Benny Pinkas, HP Labs, Princeton.

Date posted: 21-Dec-2015

1

Introduction to Secure Computation

Benny Pinkas, HP Labs, Princeton

2

Roadmap

• Secure Function Evaluation
  – Motivation and definitions
  – Scenarios
  – Constructions

3

SFE Example – Millionaires Problem

[Figure: two parties, holding X $ and Y $, interact through a Secure Function Evaluation Protocol to learn whether X <, = or > Y.]

4

Secure Function Evaluation

• A set of (two or more) parties with private inputs wish to compute some joint function of their inputs.

• Parties wish to preserve some security properties. E.g., privacy and correctness.
  – Example: Computing the maximum

• Security must be preserved in the face of adversarial behavior by some of the participants.

5

…Secure Function Evaluation

• Cryptography aims for the following (regarding privacy):
  – A secure protocol must reveal no more information than the output of the function itself
  – That is, the process of protocol computation reveals nothing.

6

The Security Definition

[Figure: REAL (protocol interaction) side by side with IDEAL (trusted party).]

For every real adversary A there exists an adversary S

7

Does the trusted party scenario make sense?

[Figure: the parties submit x and y and each receives F(x,y).]

• We cannot hope for more privacy
• Does the trusted party scenario make sense?
• Are the parties motivated to submit their true inputs?
• Can they tolerate the disclosure of F(x,y)?
• If so, we can implement the scenario without a trusted party.

8

Roadmap

• Secure Function Evaluation
  – Motivation and definitions
  – Scenarios
  – Constructions

9

Modeling the Adversary

• Semi-honest: follows the protocol but tries to learn more
• Malicious: can do anything
  – E.g.,
    • Protocol: “Flip a random coin and send the result”
    • Malicious party might…
• Easier to provide security against semi-honest adversaries

10

Modeling the Adversary

• Do semi-honest adversaries make sense?
  – Semi-trusted parties?
  – Secure hardware/software?
  – It’s easier for the adversary to eavesdrop than to change the program.
• Is there a reasonable model between semi-honest and malicious?

11

Participating Parties

• Two parties.
• Multi-party: N parties with private inputs x1,..,xN, wish to compute F(x1,..,xN).
• There are generic secure constructions for both scenarios
• The constructions for the two-party scenario are usually more efficient

12

Multi-Party Protocols

• The main issues are often the communication pattern and the number of rounds

13

A different setting for multi-party protocols? [NPS]

[Figure: input providers P1, P2, …, Pn provide inputs (and that’s it); Computation Servers 1, 2, …, m perform the computation.]

14

Trust

[Figure: P1, P2, …, Pn and Computation Servers 1, 2, …, m, with collusions labeled “benign collusion” (twice) and “dangerous collusion”.]

This is not weaker security if we have some trust that computation servers do not collude

15

Advantages

• Separation between input providers and computation.
• Input providers
  – submit their inputs independently of each other.
  – Do not have to coordinate their operation.
• Once all inputs are submitted, the computation is performed by the computation servers.

16

Roadmap

• Secure Function Evaluation
  – Motivation and definitions
  – Scenarios
  – Constructions

17

Secure two-party computation of general functions [Yao, early 80s]

• First, represent the function F as a Boolean circuit C
• It’s always possible
• Sometimes it’s easy (additions, comparisons)
• Sometimes the result is inefficient (e.g. for indirect addressing, a[i])

18

Garbling the circuit

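• Bob constructs the circuit, and then garbles it.

[Figure: gate G with input wires i and J carrying $w_i^0, w_i^1$ and $w_J^0, w_J^1$, and output wire k carrying $w_k^0, w_k^1$.]

$W_k^0$ = 0 on wire k
$W_k^1$ = 1 on wire k
$|W_k^0| = |W_k^1| > 80$

(Alice will learn one string per wire, but not the bit to which it corresponds.)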

19

Gate tables

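• For, e.g., an AND gate, Bob constructs a table that makes it possible to compute:
  – $w_k^0$ given $w_i^0, w_J^0$
  – $w_k^0$ given $w_i^0, w_J^1$
  – $w_k^0$ given $w_i^1, w_J^0$
  – $w_k^1$ given $w_i^1, w_J^1$
• I.e., given $w_i^x, w_J^y$, can compute $w_k^{G(x,y)}$

[Figure: gate G with input wires carrying $w_i^0, w_i^1$ and $w_J^0, w_J^1$, and output wire carrying $w_k^0, w_k^1$.]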

20

Secure computation

• Bob sends the tables of the gates to Alice
• Given, e.g., $w_i^0, w_J^1$, she computes $w_k^0$, but doesn’t know the actual values of the wires.
• If Alice gets garbled values (w’s) of her input values, she can compute the output of the circuit, and nothing else.

[Figure: gate G with input wires carrying $w_i^0, w_i^1$ and $w_J^0, w_J^1$, and output wire carrying $w_k^0, w_k^1$.]
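The garbling, gate-table and evaluation steps of the last three slides, as an added sketch that is not code from the slides or from FairPlay: Bob garbles the two-gate circuit (a AND b) OR c and Alice evaluates it holding only one string per wire. Assumptions of this sketch: SHA-256 as the pad for each table row, a 16-byte zero tag to recognise the one decryptable row, all function names, and input strings handed over directly in place of the oblivious transfer.

```python
import hashlib, random, secrets

LABEL_LEN = 16        # 128-bit wire strings (the slides require more than 80)
TAG = b"\x00" * 16    # assumed redundancy: marks the row that decrypted correctly

def new_wire():
    """Return (w^0, w^1): two random strings standing for bits 0 and 1 on a wire."""
    return (secrets.token_bytes(LABEL_LEN), secrets.token_bytes(LABEL_LEN))

def _pad(wa, wb, gate_id):
    # SHA-256 as a key-derivation function (an assumption of this sketch)
    return hashlib.sha256(wa + wb + gate_id).digest()   # 32 bytes = label + tag

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def garble_gate(G, wi, wj, wk, gate_id):
    """Bob: one ciphertext per (x, y), hiding w_k^{G(x,y)} under w_i^x and w_j^y."""
    rows = [_xor(_pad(wi[x], wj[y], gate_id), wk[G(x, y)] + TAG)
            for x in (0, 1) for y in (0, 1)]
    random.SystemRandom().shuffle(rows)   # row position must not reveal (x, y)
    return rows

def eval_gate(rows, a, b, gate_id):
    """Alice: with one string per input wire, recover the single output string."""
    pad = _pad(a, b, gate_id)
    plains = [_xor(pad, r) for r in rows]
    hits = [p[:LABEL_LEN] for p in plains if p[LABEL_LEN:] == TAG]
    if len(hits) != 1:
        raise ValueError("expected exactly one decryptable row")
    return hits[0]

def run_circuit(a, b, c):
    """Garble (a AND b) OR c, evaluate it on wire strings, decode the output bit."""
    wa, wb, wc, wm, wout = (new_wire() for _ in range(5))
    t1 = garble_gate(lambda x, y: x & y, wa, wb, wm, b"g1")
    t2 = garble_gate(lambda x, y: x | y, wm, wc, wout, b"g2")
    mid = eval_gate(t1, wa[a], wb[b], b"g1")   # to Alice this is a string, not a bit
    out = eval_gate(t2, mid, wc[c], b"g2")
    return wout.index(out)   # decoding needs the output wire's (w^0, w^1) pair

if __name__ == "__main__":
    for bits in [(0, 0, 0), (1, 1, 0), (0, 1, 1)]:
        print(bits, "->", run_circuit(*bits))
```

Evaluating a gate with a string that is not one of the wire's two values makes `eval_gate` raise, because no row then decrypts to a plaintext ending in the tag.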

21

Secure computation – the big picture

• Represent the function as a circuit C
• Bob sends to Alice |C| tables (e.g. 40|C| Bytes).
• Alice performs an oblivious transfer for every input bit. (Can do, e.g. 100 OTs per sec.)
• ~One round of communication.
• Efficient for medium size circuits!
• Good for one invocation only!

22

FairPlay [Nisan,Malkhi,Pinkas,Sella]

• Yao’s construction is about 20 years old. There are no known implementations (?).

• FairPlay - a full fledged secure two-party computation system, implementing Yao’s “garbled circuit” protocol.

• Goals:
  – Investigate whether two-party SFE is practical
  – Actual measurements of overall computation
  – Breakdown of computation into parts
  – Test-bed for various optimizations

23

…FairPlay

• The Compilation paradigm
  – Programs written in a high-level programming language
  – SHDL: Low-level language describing Boolean circuits
  – First stage: compile to SHDL and optimize
  – Second stage: Given an SHDL circuit, generate programs implementing Yao’s protocol

24

Specific Constructions of SFE

• Mean
• Max, Min
• Set intersection
• Median and quintiles

25

Discussion Points

• Candidate applications?
• Where will SFE be most beneficial?

• How to model the adversary?

26

Issues

• Suppose you cannot access the data
  – Data cleaning?
  – What functions do you need to compute?