Scaling Secure Computation
Click here to load reader
-
Upload
david-evans -
Category
Technology
-
view
1.109 -
download
0
Transcript of Scaling Secure Computation
![Page 1: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/1.jpg)
David EvansUniversity of Virginia
http://www.cs.virginia.edu/evanshttp://MightBeEvil.com
Oregon Security Day5 April 2013
![Page 2: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/2.jpg)
2
(De)Motivating Application:“Genetic Dating”
AliceBob
Genome Compatibility Protocol
Your offspring will have good immune systems!
Your offspring will have good immune systems!
WARNING! Don’t Reproduce
WARNING!Don’t Reproduce
![Page 3: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/3.jpg)
3
Cost to sequence human genome
Moore’s Law prediction(halve every 18 months)
Aug 2001
Feb 2002
Aug 2002
Feb 2003
Aug 2003
Feb 2004
Aug 2004
Feb 2005
Aug 2005
Feb 2006
Aug 2006
Feb 2007
Aug 2007
Feb 2008
Aug 2008
Feb 2009
Aug 2009
Feb 2010
Aug 2010
Feb 2011
Aug 2011
Feb 2012
Aug 2012
Feb 2013
$1,000
$10,000
$100,000
$1,000,000
$10,000,000
$100,000,000
![Page 4: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/4.jpg)
4
Aug 2001
Feb 2002
Aug 2002
Feb 2003
Aug 2003
Feb 2004
Aug 2004
Feb 2005
Aug 2005
Feb 2006
Aug 2006
Feb 2007
Aug 2007
Feb 2008
Aug 2008
Feb 2009
Aug 2009
Feb 2010
Aug 2010
Feb 2011
Aug 2011
Feb 2012
Aug 2012
Feb 2013
$1,000
$10,000
$100,000
$1,000,000
$10,000,000
$100,000,000
Cost to sequence human genome
Moore’s Law prediction(halve every 18 months)
Ion torrent Personal Genome Machine
![Page 5: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/5.jpg)
Human Genome Sequencing Using Unchained Base Reads on Self-Assembling DNA Nanoarrays. Radoje Drmanac, Andrew B. Sparks, Matthew J. Callow, Aaron L. Halpern, Norman L. Burns, Bahram G. Kermani, Paolo Carnevali, Igor Nazarenko, Geoffrey B. Nilsen, George Yeung, Fredrik Dahl, Andres Fernandez, Bryan Staker, Krishna P. Pant, Jonathan Baccash, Adam P. Borcherding, Anushka Brownley, Ryan Cedeno, Linsu Chen, Dan Chernikoff, Alex Cheung, Razvan Chirita, Benjamin Curson, Jessica C. Ebert, Coleen R. Hacker, Robert Hartlage, Brian Hauser, Steve Huang, Yuan Jiang, Vitali Karpinchyk, Mark Koenig, Calvin Kong, Tom Landers, Catherine Le, Jia Liu, Celeste E. McBride, Matt Morenzoni, Robert E. Morey, Karl Mutch, Helena Perazich, Kimberly Perry, Brock A. Peters, Joe Peterson, Charit L. Pethiyagoda, Kaliprasad Pothuraju, Claudia Richter, Abraham M. Rosenbaum, Shaunak Roy, Jay Shafto, Uladzislau Sharanhovich, Karen W. Shannon, Conrad G. Sheppy, Michel Sun, Joseph V. Thakuria, Anne Tran, Dylan Vu, Alexander Wait Zaranek, Xiaodi Wu, Snezana Drmanac, Arnold R. Oliphant, William C. Banyai, Bruce Martin, Dennis G. Ballinger, George M. Church, Clifford A. Reid. Science, January 2010.
![Page 6: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/6.jpg)
6
Dystopia
Personalized Medicine
![Page 7: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/7.jpg)
7
Secure Two-Party Computation
AliceBob
Bob’s Genome: ACTG…Markers (~1000): [0,1, …, 0]
Alice’s Genome: ACTG…Markers (~1000): [0, 0, …, 1]
Can Alice and Bob compute a function of their private data, without exposing anything about their data besides the result?
![Page 8: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/8.jpg)
Secure Function EvaluationAlice (circuit generator) Bob (circuit evaluator)
Garbled Circuit Protocol
Andrew Yao, 1982/1986
![Page 9: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/9.jpg)
Regular LogicInputs Output
a b x0 0 00 1 01 0 01 1 1
AND
a b
x
![Page 10: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/10.jpg)
Computing with Meaningless Values?Inputs Output
a b xa0 b0 x0
a0 b1 x0
a1 b0 x0
a1 b1 x1
AND
a0 or a1 b0 or b1
x0 or x1
ai, bi, xi are random values, chosen by the circuit generator but meaningless to the circuit evaluator.
![Page 11: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/11.jpg)
Computing with Garbled TablesInputs Output
a b xa0 b0 Enca0,b0(x0)a0 b1 Enca0,b1(x0)a1 b0 Enca1,b0(x0)a1 b1 Enca1,b1(x1)
AND
a0 or a1 b0 or b1
x0 or x1
Bob can only decrypt one of these!
Garbled And Gate
Enca0, b1(x0)Enca1,b1(x1)Enca1,b0(x0)Enca0,b0(x0)
Random Permutation
![Page 12: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/12.jpg)
Garbled Gate
Enca0, b1(x0)Enca1,b1(x1)Enca1,b0(x0)Enca0,b0(x0)
Garbled Circuit ProtocolAlice (circuit generator)
Sends ai to Bob based on her input value
Bob (circuit evaluator)
How does the Bob learn his own input wires?
![Page 13: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/13.jpg)
Primitive: Oblivious TransferAlice Bob
Oblivious Transfer Protocol
Oblivious: Alice doesn’t learn which secret Bob obtainsTransfer: Bob learns one of Alice’s secrets
Rabin, 1981; Even, Goldreich, and Lempel, 1985; many subsequent papers
![Page 14: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/14.jpg)
14
Chaining Garbled Circuits
AND
a0 b0
x0
AND
a1 b1
x1
ORx2
And Gate 1
Enca10, b11(x10)Enca11,b11(x11)Enca11,b10(x10)Enca10,b10(x10)
Or Gate 2
Encx00, x11(x21)Encx01,x11(x21)Encx01,x10(x21)Encx00,x10(x20) …
We can do any computation privately this way!
![Page 15: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/15.jpg)
15
Building Computing SystemsEncx00, x11(x21)Encx01,x11(x21)Encx01,x10(x21)Encx00,x10(x20)
Digital Electronic Circuits Garbled Circuits
Operate on known data Operate on encrypted wire labels
One-bit logical operation requires moving a few electrons a few nanometers (hundreds of Billions per second)
One-bit logical operation requires performing (up to) 4 encryption operations: very slow execution
Reuse is great! Reuse is not allowed for privacy: huge circuits needed
![Page 16: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/16.jpg)
16
Fairplay
Dahlia Malkhi, Noam Nisan, Benny Pinkas and Yaron Sella [USENIX Sec 2004]
SFDL Program
SFDL Compiler
Circuit (SHDL)
Alice Bob
Garbled Tables Generator
Garbled Tables Evaluator
SFDL Compiler
![Page 17: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/17.jpg)
17
Faster Circuit Execution
Yan Huang(UVa PhD Student)
GraduateYan Huang, David Evans, Jonathan Katz, and Lior Malka. Faster Secure Two-Party Computation Using Garbled Circuits. USENIX Security 2011.
Pipelined Execution
Optimized Circuit Library
Partial Evaluation
![Page 18: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/18.jpg)
Encx00,
x11(x21)Encx01,x11(x2
1)Encx01,x10(x2
1)
Encx20,
x21(x30)Encx21,x21(x3
0)Encx21,x20(x3
1)
Encx20,
x31(x41)Encx21,x31(x4
1)Encx21,x30(x4
0)
Encx40,
x31(x51)Encx41,x31(x5
0)Encx41,x30(x5
0)
Encx40,
x51(x61)Encx41,x51(x6
0)Encx41,x50(x6
0)
Encx30,
x61(x71)Encx31,x61(x7
0)Encx31,x60(x7
1)
Pipelined Execution
18
Circuit-Level Application
GC Framework(Evaluator)
GC Framework (Generator)
Circuit StructureCircuit Structure
x41
x21x31
x60
x51
x71
Saves memory: never need to keep whole circuit in memory
![Page 19: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/19.jpg)
PipeliningCircuit Generation
Circuit Transmission
Circuit Evaluation
Circuit Generation
Circuit Transmission
timeCircuit Evaluation
Waiting I d l i n g
19
Waiting
Saves time: reduces latency and improves
throughput
![Page 20: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/20.jpg)
Fairplay [PSSW09] TASTY Here0
200000000
400000000
600000000
800000000
1000000000
1200000000
Results
Fairplay [PSSW09] TASTY Here0
20000
40000
60000
80000
100000
Performance(10,000x non-free gates per second)
Scalability(billions of gates)
[HEKM11] [HEKM11]
20
100
000
gate
s/se
cond
![Page 21: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/21.jpg)
Semi-Honest is Half-Way There
PrivacyNothing is revealed
other than the output
CorrectnessThe output of the protocol is indeed
f(x,y)Generator Evaluator
Malicious-resistant OT
Semi-Honest GC
As long as evaluator doesn’t send result back, and a malicious-resistant OT is used, privacy for evaluator is guaranteed.
How can we get both correctness, and maintain privacy while giving both parties result?
21
![Page 22: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/22.jpg)
Dual Execution Protocols
Yan Huang, Jonathan Katz, and David Evans. Quid-Pro-Quo-tocols: Strengthening Semi-Honest Protocols with Dual Execution. IEEE Security and Privacy (Oakland) 2012.
![Page 23: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/23.jpg)
Dual Execution Protocol
[Mohassel and Franklin, PKC’06]
Alice Bob
first round execution (semi-honest)generator evaluator
generatorevaluator
z=f(x, y)
Pass if z = z’ and correct wire labelsz’, learned outputwire labels
second round execution (semi-honest)
z'=f(x, y)
z, learned outputwire labels
fully-secure, authenticated equality test
![Page 24: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/24.jpg)
Security Properties
Correctness: guaranteed by authenticated, secure equality testPrivacy: Leaks one (extra) bit on average
adversarial circuit generator provides a circuit that fails on ½ of inputs
Malicious generator can decrease likelihood of being caught, and increase information leaked when caught (but decreases average information leaked): at extreme, circuit fails on just one input
24
![Page 25: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/25.jpg)
1-bit Leak
25
Victim’s input space 𝒈𝒇
Cheating detected
![Page 26: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/26.jpg)
26
Proving Security: Malicious
A B
Ideal World
y 'x'
Adversary receives:f (x‘, y‘)
Trusted Party in Ideal World
Standard Malicious Model: can’t prove this for Dual Execution
Real World
A B
y 'x'
Show equivalence
Corrupted party behaves
arbitrarily
Secure Computation Protocol
![Page 27: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/27.jpg)
27
Proof of Security: One-Bit Leakage
A B
Ideal World
y 'x'
Controlled bymalicious A
g R {0, 1}g is an arbitrary Boolean function selected by adversary
Adversary receives:f (x‘, y') and g(x‘, y‘)
Trusted Party in Ideal World
Can prove equivalence to this for Dual Execution protocols
![Page 28: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/28.jpg)
ImplementationAlice Bob
first round execution (semi-honest)generator evaluator
z=f(x, y)
Pass if z = z’ and correct wire labelsz’, learned outputwire labels
generatorevaluator second round execution (semi-honest)
z'=f(x, y)
z, learned outputwire labels
Recall: work to generate is 3x work to evaluate!
28
fully-secure, authenticated equality test
![Page 29: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/29.jpg)
PSI (4096) ED (200x200) AES (100) AES (1)0
50
100
150
200
250 Semi-honestDualEx (dual-core)DualEx (single-core)Malicious
Tim
e (s
econ
ds)
Performance
29Circuits of arbitrary size can be done this way
[Kreuter et al., USENIX Security 2012]
Less than 1 second
![Page 30: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/30.jpg)
30
ApplicationsPrivacy-Preserving
Biometric Matching
Private Personal
Genomics
Private Set Intersection
Private AES Encryption
![Page 31: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/31.jpg)
31
ProblemBest Previous
Result Our Result SpeedupPrivate Set Intersection (contact matching, common disease carrier)
Competitive with best custom protocols, scales to millions of 32-bit elements
Hamming Distance (Face Recognition)
213s [SCiFI, 2010]
0.051s 4176
Levenshtein Distance (genome, text comparison) – two 200-character inputs
534s [Jha+, 2008]
18.4s 29
Smith-Waterman (genome alignment) – two 60-nucleotide sequences
[Not Implementable]
447s -
AES Encryption 3.3s [Henecka, 2010]
0.2s 16.5
Fingerprint Matching (1024-entry database, 640x8bit vectors)
~83s [Barni, 2010]
18s 4.6NDSS 2011
USE
NIX
Sec
urity
201
1
NDSS 2012
![Page 32: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/32.jpg)
32
Crazy Things in Typical Code
a[i] = x
![Page 33: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/33.jpg)
33
Circuit for Array Update
i == 0
a[0] x
a'[0]
a[i] = x
i == 1
a[1] x
a’[1]
i == 2a[2] x
a’[2]
…
![Page 34: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/34.jpg)
34
Easy (and Common) Case
for (i = 0; i < n; i++) a[i] += 1
a[0] a[1] a[2] a[n-1]…+1 +1 +1 +1
![Page 35: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/35.jpg)
35
Circuit Structures
Design circuits to support typical data structures efficientlyNon-trivial access patterns, but patterns nonethelessMain opportunities:
Locality and Batching
Samee Zahur and David Evans. Circuit Structures for Improving Efficiency of Security & Privacy Tools. IEEE Security and Privacy (Oakland) 2013.
Samee Zahur(UVa PhD Student)
![Page 36: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/36.jpg)
36
Locality: Stacks and Queuesif (x != 0) a[i] += 1 if (a[i] > 10) i += 1 a[i] = 5
t := a.top() + 1a.cond_update(x != 0, t)a.cond_push(x != 0 && t > 10, *)a.cond_update(x != 0, 5)
Data-oblivious codeNo branching allowed
![Page 37: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/37.jpg)
37
Naïve Conditional Push
…p
x a[0] a[1] a[2] …
a’[0] a’[1] a’[2] …
![Page 38: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/38.jpg)
38
Naïve Conditional Push
…True
7 2 9 3 …
7 2 9 …
![Page 39: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/39.jpg)
39
More Efficient Stack
Level 0: 2 9 3t = 3
Level 1: 4 7t = 2
5 4
Level 2: 8 8 2 3 8 6
…
Block size = 2levelEach level has 5 blocks, at least 2 full and 2 empty
t = 3
![Page 40: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/40.jpg)
40
2 9 3t = 3
4 7t = 2
5 4
Level 0
t = 3
Level 1 Level 2
Conditional push (True, 7)
7 2 9 3t = 4
4 7t = 2
5 4t = 3
Conditional push (True, 8)
8 7 2 9 3t = 5
4 7t = 2
5 4t = 3
8 2 7t = 3
4 7t = 3
5 49 3t = 3
Shift
![Page 41: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/41.jpg)
41
2 9 3t = 3
4 7t = 2
5 4
Level 0
t = 3
Level 1 Level 2
7 2 9 3t = 4
4 7t = 2
5 4t = 3
Conditional push (True, 8)
8 7 2 9 3t = 5
4 7t = 2
5 4t = 3
8 2 7t = 3
4 7t = 3
5 49 3t = 3
Amortized Θ(log n) gates per operation
![Page 42: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/42.jpg)
42
0 2 7 9'A'
'U''M'
'R''D'
'Y''K'
'C'
Arbitrary Array Accesses(Associative Maps)
m[0] = 'A'm[2] = 'U'm[9] = 'M'm[7] = 'R'm[0] = 'D'm[9] = 'Y'm[9] = 'K'm[7] = 'C'
Execution trace: indexes and values are private values
![Page 43: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/43.jpg)
43
m[0] = 'A'm[2] = 'U'm[9] = 'M'm[7] = 'R'm[0] = 'D'm[9] = 'Y'm[9] = 'K'm[7] = 'C'
Sort by Key
m[0] = 'A'm[0] = 'D'm[2] = 'U'm[7] = 'R'm[7] = 'C'm[9] = 'M'm[9] = 'Y'm[9] = 'K'
stable sort!
Batching Updates
![Page 44: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/44.jpg)
44
m[0] = 'A'm[2] = 'U'm[9] = 'M'm[7] = 'R'm[0] = 'D'm[9] = 'Y'm[9] = 'K'm[7] = 'C'
Sort by Key
m[0] = 'A'm[0] = 'D'm[2] = 'U'm[7] = 'R'm[7] = 'C'm[9] = 'M'm[9] = 'Y'm[9] = 'K'
stable sort!
Batching Updates
![Page 45: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/45.jpg)
45
m[0] = 'A'm[2] = 'U'm[9] = 'M'm[7] = 'R'm[0] = 'D'm[9] = 'Y'm[9] = 'K'm[7] = 'C'
Sort by Key
m[0] = 'A'm[0] = 'D'm[2] = 'U'm[7] = 'R'm[7] = 'C'm[9] = 'M'm[9] = 'Y'm[9] = 'K'
stable sort!
Compare Adjacent
m[0] = 'A'm[0] = 'D'm[2] = 'U'm[7] = 'R'm[7] = 'C'm[9] = 'M'm[9] = 'Y'm[9] = 'K'
Batching Updates
![Page 46: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/46.jpg)
46
m[0] = 'A'm[2] = 'U'm[9] = 'M'm[7] = 'R'm[0] = 'D'm[9] = 'Y'm[9] = 'K'm[7] = 'C'
Sort by Key
m[0] = 'A'm[0] = 'D'm[2] = 'U'm[7] = 'R'm[7] = 'C'm[9] = 'M'm[9] = 'Y'm[9] = 'K'
stable sort!
Compare Adjacent
m[0] = 'A'm[0] = 'D'm[2] = 'U'm[7] = 'R'm[7] = 'C'm[9] = 'M'm[9] = 'Y'm[9] = 'K'
Batching Updates
![Page 47: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/47.jpg)
47
Batching Updates
m[0] = 'A'm[2] = 'U'm[9] = 'M'm[7] = 'R'm[0] = 'D'm[9] = 'Y'm[9] = 'K'm[7] = 'C'
Sort by Key
m[0] = 'A'm[0] = 'D'm[2] = 'U'm[7] = 'R'm[7] = 'C'm[9] = 'M'm[9] = 'Y'm[9] = 'K'
stable sort!
Compare Adjacent
m[0] = 'A'm[0] = 'D'm[2] = 'U'm[7] = 'R'm[7] = 'C'm[9] = 'M'm[9] = 'Y'm[9] = 'K'
![Page 48: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/48.jpg)
48
Sort by Key
m[0] = 'A'm[0] = 'D'm[2] = 'U'm[7] = 'R'm[7] = 'C'm[9] = 'M'm[9] = 'Y'm[9] = 'K'
stable sort!
Compare Adjacent
m[0] = 'A'm[0] = 'D'm[2] = 'U'm[7] = 'R'm[7] = 'C'm[9] = 'M'm[9] = 'Y'm[9] = 'K'
m[0] = 'D'm[2] = 'U'm[7] = 'C'm[9] = 'K'm[0] = 'A'm[7] = 'R'm[9] = 'M'm[9] = 'Y'
Sort
by
Live
nessoutput
wires
Disc
arde
d
![Page 49: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/49.jpg)
49
Associative Map Cost
Oblivious Stable Sort
Comparisons and Liveness Marking
Oblivious Sort Liveness/Key
Circuit Size:(n log n) Θ ⨯ comparison
cost(n logΘ 2 n)
![Page 50: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/50.jpg)
50
Example Application: DBScan
Density-based clustering: depth-first search to find dense clusters
Martin Ester, Hans-Peter Kriegel, Jörg Sander, Xiaowei Xu. KDD 1996
Alice’s Data Bob’s Data Joint Clusters
![Page 51: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/51.jpg)
51
Private Input: P – array of points (combines private points from both parties)Public inputs: minpts, radiusOutput: cluster number for each point
Conditional Push!
Array update!
![Page 52: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/52.jpg)
52
60 120 240 4800
5000
10000
15000
20000
25000
30000
35000
40000
Data Size
Exec
ution
Tim
e (s
econ
ds)
Optimized Structures
Normal Data Structures
9.7 hours
55 minutes
![Page 53: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/53.jpg)
53
Aug 2001
Feb 2002
Aug 2002
Feb 2003
Aug 2003
Feb 2004
Aug 2004
Feb 2005
Aug 2005
Feb 2006
Aug 2006
Feb 2007
Aug 2007
Feb 2008
Aug 2008
Feb 2009
Aug 2009
Feb 2010
Aug 2010
Feb 2011
Aug 2011
Feb 2012
Aug 2012
Feb 2013
$1,000
$10,000
$100,000
$1,000,000
$10,000,000
$100,000,000
Cost to sequence human genome
Moore’s Law prediction(halve every 18 months)
![Page 54: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/54.jpg)
54
Aug 2001
Feb 2002
Aug 2002
Feb 2003
Aug 2003
Feb 2004
Aug 2004
Feb 2005
Aug 2005
Feb 2006
Aug 2006
Feb 2007
Aug 2007
Feb 2008
Aug 2008
Feb 2009
Aug 2009
Feb 2010
Aug 2010
Feb 2011
Aug 2011
Feb 2012
Aug 2012
Feb 2013
$1,000
$10,000
$100,000
$1,000,000
$10,000,000
$100,000,000 FairPlay (2004) [10k*10k alignment]
Free XOR
HEKM
Schneider & Zhoner 2013
![Page 55: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/55.jpg)
55
Aug 2001
Mar 2002
Oct 2002
May 2003
Dec 2003
Jul 2004
Feb 2005
Sep 2005
Apr 2006
Nov 2006
Jun 2007
Jan 2008
Aug 2008
Mar 2009
Oct 2009
May 2010
Dec 2010
Jul 2011
Feb 2012
Sep 2012
Apr 2013
$1,000
$10,000
$100,000
$1,000,000
$10,000,000
$100,000,000
$1,000,000,000
$10,000,000,000
$100,000,000,000
Semi-Honest
![Page 56: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/56.jpg)
56
Aug 2001
Mar 2002
Oct 2002
May 2003
Dec 2003
Jul 2004
Feb 2005
Sep 2005
Apr 2006
Nov 2006
Jun 2007
Jan 2008
Aug 2008
Mar 2009
Oct 2009
May 2010
Dec 2010
Jul 2011
Feb 2012
Sep 2012
Apr 2013
$1,000
$10,000
$100,000
$1,000,000
$10,000,000
$100,000,000
$1,000,000,000
$10,000,000,000
$100,000,000,000 Active Security
Semi-Honest
KSS 2011
HKE 2013
1-bit leak
![Page 57: Scaling Secure Computation](https://reader037.fdocuments.us/reader037/viewer/2022102323/5483bcc3b4af9f80568b46a3/html5/thumbnails/57.jpg)
57
mightbeevil.com
Questions?