Wysteria: A Programming Language for Generic, Mixed-Mode Multiparty Computations
Aseem Rastogi, Matthew Hammer, Michael Hicks
(University of Maryland, College Park)

What is Secure Multiparty Computation (SMC)?
[Figure: Alice holds input A, Bob holds input B]
Compute f(A, B)
Without revealing A to Bob and B to Alice

Using a Trusted Third Party
[Figure: Alice and Bob hand A and B to a trusted third party, which returns f(A, B) to each of them]
Compute f(A, B)
Without revealing A to Bob and B to Alice

SMC Eliminates Trusted Third Party
[Figure: Alice (A) and Bob (B) connected directly by a cryptographic protocol]
Compute f(A, B)
Without revealing A to Bob and B to Alice

SMC Examples

| Example | Private Data |
|---|---|
| Nearest neighbor | Locations |
| Auction | Bids |
| Private set intersection | Sets |
| Statistical computation | Numbers |

Beyond Toy SMC Examples
• Online card games
  – SMC to deal cards
• Dice-based games
  – SMC to roll dice

Monolithic Secure Multiparty Computation
[Figure: inputs A and B enter a single secure computation f(A, B), which produces f(A, B)]
Not Enough!

Mixed-Mode Secure Multiparty Computation
[Figure: a sequence of secure computations f(A, B), g(A1, B1), h(A2, B2), … with steps labelled "Local" and "Secure State" between them]

State Of The Art: Existing SMC Languages
• Fairplay, FairplayMP, CBMC-GC
  – Only “circuit compilers”
  – No mixed-mode
  – No secure state
• L1
  – Only 2-party, low level
  – No formal guarantees
• FastGC
  – Circuit library, only 2-party
None supports generic programs (parametric in number of parties)

Our Goal
Push SMC beyond toy applications
Design an SMC Language
Mixed-Mode
• Local and secure computations
• High-level support for secure state
Generic
• Code parametric in number of parties
High-level
• Single specification
• Runtime compilation to circuits
Guarantees
• Statically typed, sound
• Compositional

A High-level Functional Language to write Mixed-Mode Generic SMCs
Implementation and examples available at: http://ter.ps/wysteria
Developing Online Poker using Wysteria (almost there …)
Goes Without Saying, Wysteria Has It All!
Demo (coming up)

Wysteria by Examples: Two-party Millionaire’s*
Compute who is richer among A and B

```
let a = read() in      par(A)
let b = read() in      par(B)
let o = a > b in       sec(A,B)
o
```

Single specification
A and B run the same program
*The example in this form does not type check in Wysteria.

Wysteria by Examples: Two-party Millionaire’s
Computation modes

```
let a = read() in      par(A)      A’s Local Computation (Skipped by B)
let b = read() in      par(B)      B’s Local Computation (Skipped by A)
let o = a > b in       sec(A,B)    Secure Computation by (A,B)
o
```

Runtime compiles it to a boolean circuit, and evaluates it using secure computation
No communication primitives!

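The slides state that the runtime compiles the sec(A,B) block to a boolean circuit and evaluates it with secure computation. The Python below is an added example, not Wysteria's code or the authors': it evaluates the comparator circuit for a > b gate by gate on XOR secret shares in the GMW style. All function names are assumptions, both parties are simulated in one process, and a simulated dealer supplies the AND-gate triples where a real GMW run would use oblivious transfer.

```python
import secrets

# Added illustration: both parties are simulated in one process.
# A share pair is (A's share, B's share); the secret bit is their XOR.

def share(bit):
    """Split a bit into two XOR shares; each share alone is a uniform random bit."""
    r = secrets.randbits(1)
    return (r, bit ^ r)

def reveal(s):
    """Open a shared bit by combining both shares."""
    return s[0] ^ s[1]

def xor_gate(x, y):
    """XOR needs no communication: each party XORs the shares it holds."""
    return (x[0] ^ y[0], x[1] ^ y[1])

def not_gate(x):
    """NOT: one designated party (A) flips its share."""
    return (x[0] ^ 1, x[1])

def and_gate(x, y):
    """AND via a one-time triple (a, b, c = a & b) from a simulated dealer.
    Assumption: real GMW builds this gate from oblivious transfer instead."""
    a, b = secrets.randbits(1), secrets.randbits(1)
    sa, sb, sc = share(a), share(b), share(a & b)
    # The parties open d = x ^ a and e = y ^ b. a and b are uniform one-time
    # masks, so the opened values reveal nothing about x and y.
    d = reveal(xor_gate(x, sa))
    e = reveal(xor_gate(y, sb))
    # x & y = c ^ (d & b) ^ (e & a) ^ (d & e), computed share-wise;
    # the public term d & e is added by party A only.
    z_a = sc[0] ^ (d & sb[0]) ^ (e & sa[0]) ^ (d & e)
    z_b = sc[1] ^ (d & sb[1]) ^ (e & sa[1])
    return (z_a, z_b)

def secure_gt(a, b, nbits=8):
    """Evaluate the comparator circuit for a > b on shared bits, LSB first."""
    gt = (0, 0)                      # shares of the constant 0
    for i in range(nbits):
        ai = share((a >> i) & 1)     # A secret-shares bit i of its input
        bi = share((b >> i) & 1)     # B secret-shares bit i of its input
        wins = and_gate(ai, not_gate(bi))       # a_i = 1 and b_i = 0
        same = not_gate(xor_gate(ai, bi))       # a_i == b_i
        # wins and (same & gt) are mutually exclusive, so XOR acts as OR.
        gt = xor_gate(wins, and_gate(same, gt))
    return gt                        # still shared: neither party knows it yet

def millionaires(a, b, nbits=8):
    """Model of `let o = a > b in o` under sec(A,B): only the output is opened."""
    return bool(reveal(secure_gt(a, b, nbits)))
```

Sending only B's output share to A, instead of opening the result to both, corresponds to the asymmetric-output variant `wire A:(a > b)`.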
Key Ideas
Mixed-Mode Computations via Mode Annotations
Wysteria by Examples: Asymmetric Output
What if only A is allowed to know the output?

```
let a = read() in               par(A)
let b = read() in               par(B)
let o = wire A:(a > b) in       sec(A,B)
o
```

Wire Bundle: wire A:(a > b)

Wire Bundles in Wysteria
• Maps from parties to values
• Each party sees only its own component in the bundle
  – Or nothing if it’s not in the domain
• Wire bundles are dependently typed
• Create: wire A:0 : W {A} nat
• Concat: (wire A:0)++(wire B:1) : W {A U B} nat
• Project: (wire A:0)[A] : nat

Wysteria by Examples: Inputs Via Wire Bundles

```
let a = read() in
let b = read() in
let w1 = wire A:a in
let w2 = wire B:b in
let w3 = w1 ++ w2 in
let o = wire A:(w3[A] > w3[B]) in
o
```

Mode annotations shown on the slide: par(A), par(B), sec(A,B)

Wysteria by Examples: Wire Bundle Views

| | A’s View | B’s View | sec(A,B)’s View |
|---|---|---|---|
| w1 | {A:a} | {} | {A:a} |
| w2 | {} | {B:b} | {B:b} |
| w3 | {A:a} | {B:b} | {A:a,B:b} |

Key Ideas
Wire Bundle Abstraction for Private Inputs/Outputs
Mixed-Mode Computations via Place Annotations

Wysteria by Examples: Functions

```
let mill = λx:W {A U B} nat .
  let o = x[A] > x[B] in          sec(A,B)
  o
in
let a = read () in                par(A)
let b = read () in                par(B)
mill (wire A:a ++ wire B:b)
```

So Far We Have Seen …
• Mixed-Mode support via mode annotations
• Wire Bundles abstraction for private data
• Now: Writing Generic Code in Wysteria
Parties As First Class Values
• Parties are values of type ps φ
• Refinement types for more precise invariants
• {A} : ps {ν = A}
• {A} : ps {ν A U B}

Wysteria by Examples: Generic Millionaire’s

```
let comb = λx:ps . λy:W x nat . λa:ps option . λp:ps . λn:nat .
  match a with
  | None => Some(p)
  | Some(q) => if y[q] > n then a else Some(p)
in
let mill = λx:ps . λy:W x nat .
  let o = wfold(y, None, comb x y) in
  o
in …
```

Mode annotations shown on the slide: sec(x), sec(x)

With refinement types on the party arguments of comb:

```
let comb = λx:ps . λy:W x nat . λa:ps{ν x} option . λp:ps{ν x} . λn:nat .
  match a with
  | None => Some(p)
  | Some(q) => if y[q] > n then a else Some(p)
in
let mill = λx:ps . λy:W x nat .
  let o = wfold(y, None, comb x y) in
  o
in …
```

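The wire-bundle operations, the w1/w2/w3 views table, and the generic millionaire's fold from the slides can be modelled together. This Python is an added example, not Wysteria's runtime or the authors' code: the `Wire` class, `view`, `views_table` and the sorted fold order are assumptions, and the domain checks that Wysteria's dependent types enforce statically are raised here as runtime errors.

```python
class Wire:
    """Wire bundle: a map from parties to values (added model, not Wysteria's runtime)."""

    def __init__(self, mapping):
        self.m = dict(mapping)

    def dom(self):
        return frozenset(self.m)

    def __add__(self, other):
        """Concat (++): domains must be disjoint; the result covers their union."""
        if self.dom() & other.dom():
            raise ValueError("wire bundle domains overlap")
        return Wire({**self.m, **other.m})

    def __getitem__(self, party):
        """Project w[p]; Wysteria rejects p outside the domain at type-check time."""
        if party not in self.m:
            raise KeyError(f"{party} is not in the bundle's domain")
        return self.m[party]

    def view(self, parties):
        """What a computation run by `parties` sees: only their own components."""
        return {p: v for p, v in self.m.items() if p in parties}

def wfold(w, init, f):
    """Fold f(acc, party, value) over the bundle (assumed order: sorted names)."""
    acc = init
    for p in sorted(w.dom()):
        acc = f(acc, p, w[p])
    return acc

def mill(x, y):
    """Generic millionaire's: the richest party in x, for any number of parties."""
    def comb(a, p, n):
        if a is None:                     # None => Some(p)
            return p
        return a if y[a] > n else p       # Some(q) => if y[q] > n then a else Some(p)
    return wfold(Wire(y.view(x)), None, comb)

def views_table(a, b):
    """Rebuild the w1/w2/w3 views table for constructed inputs a and b."""
    w1, w2 = Wire({"A": a}), Wire({"B": b})
    w3 = w1 + w2
    cols = [{"A"}, {"B"}, {"A", "B"}]     # A's view, B's view, sec(A,B)'s view
    return {name: [w.view(c) for c in cols]
            for name, w in (("w1", w1), ("w2", w2), ("w3", w3))}
```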
Key Ideas
Generic Code:
1. Parties as First Class Values
2. Wire Bundle Combinators (e.g. wfold)
Wire Bundle Abstraction for Private Inputs/Outputs
Mixed-Mode Computations via Place Annotations

Wysteria Metatheory
• Formalized using λ-calculus with extensions
• Dependent type system
• Two operational semantics:
  – Single-threaded (SIMD style specification)
  – Multi-threaded (actual protocol runs)
  – Slicing judgment from single- to multi-threaded

Wysteria Theorems*
• Type soundness (progress and preservation) in single-threaded semantics
• Sound simulation:
[Figure: simulation diagram relating single-threaded configurations C1, C2 to multi-threaded configurations π1, π2 (reached via "… *" steps) through the slice operation]
*Proofs in Technical Report

Wysteria Implementation
We use the GMW implementation from Choi et al.

Wysteria Evaluation

| Application | n-Party? | Mixed-Mode? | Secure state? |
|---|---|---|---|
| Millionaire’s | Yes | No | No |
| 2nd Price auction | Yes | No | No |
| PSI | 2-party | Yes | No |
| Nearest neighbor | Yes | No | No |
| Median | 2-party | Yes | No |
| PSI count | 2-party | Yes | Yes |
| 2-round bidding | Yes | Yes | Yes |
| Online poker | Yes | Yes | Yes |

Wysteria Code for Card Dealing
Slide legend: Secure computation, Local computation, Secret shares

```
let rand = \(myunit:unit). sysop rand 52 in
let mkdeal = \(x:ps{true}).
  let zerosh @ par(x) =
    let zerosh1 @ sec(x) = makesh 0 in
    zerosh1
  in
  let dealt @ par(x) = array [ 52 ] of zerosh in
  let ndealt @ par(x) = array [ 1 ] of 0 in
  let deal = \(tgt:ps{singl and subeq x}).
    let w @ par(x) =
      let check = \(rs:W x nat).
        let nd = select ndealt[0] in
        let sum @ sec(x) =
          let s = wfold x [rs; 0; \(n1:nat).\(p:ps{true}).\(n2:nat). n1 + n2 ] in
          let s1 = wfold x [wire x:(); s; \(n1:nat).\(p:ps{true}).\(n2:unit). if n1 > 51 then n1 - 51 else n1 ] in
          makesh s1
        in
        let checkloop = fix checkloop:(i:nat) -> {#sum:Sh x nat, #success: bool}. (i:nat).
          if i = nd then {#sum:sum, #success:true}
          else
            let sd = select dealt[i] in
            let cmp @ sec(x) =
              let t1 = combsh sd in
              let t2 = combsh sum in
              t1 = t2
            in
            if cmp then {#sum:sum, #success:false}
            else checkloop (i + 1)
        in
        checkloop 0
      in
      let retryloop = fix retryloop: (tmp5:unit) -> W tgt nat. (tmp5:unit).
        let myrand = \(z:unit).rand () in
        let rs = wapp x [wire x:(); wire x:myrand] in
        let res = check rs in
        if res.#success then
          let nd = select ndealt[0] in
          let _ = update dealt [nd] <- res.#sum in
          let _ = update ndealt [0] <- nd + 1 in
          let card @ sec(x) =
            let s = combsh (res.#sum) in
            wire tgt:s
          in
          card
        else retryloop ()
      in
      retryloop ()
    in
    wcopy as x from w
  in
  { #deal : deal }
in
```

Demo
• (Card dealing using Wysteria)
• Future Work: Integrate with bitcoin for betting (c.f. Secure Multiparty Computation on BitCoin, Andrychowicz et al.)

Also In The Paper …
• Support for secure state
• More language features
  – Mutable state (interesting interaction with mixed-mode)
  – Additional wire bundle combinators
• Performance evaluation
• Complete proofs in TR

Wysteria Summary
A High-level Functional Language to write Mixed-Mode Generic SMCs
Implementation and examples available at: http://ter.ps/wysteria