Jonathan Katz Professor, Computer Science, UMD Director, Maryland Cybersecurity Center Secure Computation


Page 1

Jonathan Katz
Professor, Computer Science, UMD
Director, Maryland Cybersecurity Center

Secure Computation

Page 2

Mathematics
Complexity theory
Cryptography
Cybersecurity

Page 3

Science of Cybersecurity

Cryptography

Page 4

Importance of cryptography

• Cryptography is a key component in many (all?) security solutions

• The cryptographic approach provides a way to move beyond the “design-break-patch” cycle
  – Define (even informally) what you want to achieve
  – State your assumptions explicitly
  – Prove that your construction achieves your goal

• Cryptography is a nucleus for cybersecurity research
  – Foundations for a “secure networked world” … with end-to-end formal guarantees

Page 5

Scope of modern cryptography

“Foundations”: number theory, block ciphers, hardware, …

“Primitives”: encryption/signature schemes, …

“Protocols”: key exchange, secure distributed computing, …

“Systems”: DB privacy, voting, bitcoin, trust/reputation, …

Page 6

Secure computation

Page 7

A dilemma

Can Alice and Bob determine their shared interests, without revealing any interests they don’t have in common?

[Cartoon of Bob and Alice: “Hi…” / “What are your hobbies?” / “…, bird watching, …” / “bird watching?!”]

Page 8

Secure two-party computation

[Figure: Bob and Alice each hold a private list (hobby 1, hobby 2, …, hobby n). Instead of “Hi… What are your hobbies?”, they say “Let’s run a protocol!”, and each learns only the intersection {…, bird watching, …}: “bird watching!!”]

Page 9

Secure two-party computation

Are any passengers on the no-fly list?

[Figure: one party holds the list Person 1, Person 2, …, Person n; the other holds Passenger 1, Passenger 2, …, Passenger n]

Page 10

Natural question I

• How can these parties (who don’t trust each other) “securely” perform the computation?
  – While preserving secrecy of their inputs (to the extent possible)
  – While ensuring correctness of outputs

• Techniques/ideas from crypto, programming languages, distributed computing

Page 11

Natural question II

• Why are these questions important?

• Candidate application domains
  – [DoD/IC] Secure search, cloud storage
  – [OFR, Treasury] More transparency, better regulation
  – Industry interest

Page 12

How can parties securely compute f?

Page 13

A protocol is secure if it emulates the use of a trusted party

In particular, this implies:
• The computed results are correct
• Parties’ inputs remain private (except for what is implied by the outputs)
• Parties’ inputs are chosen independently
• And more…

Page 14

Threat models

• Semi-honest (honest-but-curious) adversaries
  – Adversary follows the protocol faithfully, but tries to learn information from the protocol execution
  – A reasonable threat model in some settings
    • Trusted parties under legal/policy constraints
    • Software attestation, auditing, etc.

• Malicious adversaries
  – May behave arbitrarily; still cannot violate security guarantees

Page 15

Is secure computation possible?

Protocols for secure computation of any function, with security against malicious behavior of any number of parties, have been known since the ’80s

These protocols are generic, and work for any function represented as a boolean circuit

Page 16

Using generic secure 2PC

[Pipeline diagram: Express f in high-level language (Fairplay 2004, TASTY 2010) → Express f in suitable representation → Protocol computing f (PSSW 2009)]

Page 17

Is secure computation practical?

• The general perception in the ’80s/’90s was that garbled circuits were hopelessly inefficient
  – Need to express f as a boolean circuit
  – Circuits get big quickly! (> 2^30 gates)
  – Symmetric-key operations linear in the circuit size
  – Public-key operations linear in the input length
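As an added illustration of two points from these slides (a function expressed as a boolean circuit, and a cost in symmetric-key operations that is linear in the number of gates), here is a toy Yao garbled-circuit scheme. It is example code written for this transcript, not code from the talk or from any of the systems it cites; the names (garble, evaluate, decode, secure_equality, STATS, EQ2_CIRCUIT) are mine, SHA-256 stands in for the symmetric cipher, and the oblivious transfer by which the evaluator would obtain the labels for its own input bits is simulated by direct lookup. The circuit is a three-gate equality test on two 2-bit inputs, garbled with point-and-permute.

```python
import hashlib
import os
import secrets

LABEL_LEN = 16            # wire labels are 128-bit random strings
STATS = {"hash_ops": 0}   # counts symmetric-key (hash) operations: linear in the circuit size

# Supported gate types, as truth functions on two bits.
GATES = {
    "AND": lambda a, b: a & b,
    "OR": lambda a, b: a | b,
    "XOR": lambda a, b: a ^ b,
    "NOR": lambda a, b: 1 - (a | b),
}

def new_wire():
    """Two random labels for a wire. With point-and-permute the low bit of the label for
    value v is p ^ v for a random per-wire bit p, so the visible bit reveals nothing about v."""
    p = secrets.randbits(1)
    labels = {}
    for v in (0, 1):
        raw = bytearray(os.urandom(LABEL_LEN))
        raw[-1] = (raw[-1] & 0xFE) | (p ^ v)
        labels[v] = bytes(raw)
    return labels

def select_bit(label):
    return label[-1] & 1

def H(ka, kb, gate_id):
    """Symmetric 'encryption' pad derived from the two input labels and the gate index."""
    STATS["hash_ops"] += 1
    return hashlib.sha256(ka + kb + gate_id.to_bytes(4, "big")).digest()[:LABEL_LEN]

def xor_bytes(x, y):
    return bytes(a ^ b for a, b in zip(x, y))

def garble(circuit, n_inputs):
    """circuit: list of (gate_type, wire_a, wire_b). Input wires are 0..n_inputs-1 and gate k
    drives wire n_inputs+k. Returns all wire labels (the garbler's secret) and the garbled tables."""
    wires = [new_wire() for _ in range(n_inputs)]
    tables = []
    for gid, (g, a, b) in enumerate(circuit):
        out = new_wire()
        wires.append(out)
        table = [None] * 4
        for va in (0, 1):
            for vb in (0, 1):
                ka, kb = wires[a][va], wires[b][vb]
                row = select_bit(ka) * 2 + select_bit(kb)   # row position fixed by the select bits
                table[row] = xor_bytes(H(ka, kb, gid), out[GATES[g](va, vb)])
        tables.append(table)
    return wires, tables

def evaluate(circuit, input_labels, tables):
    """Evaluator: holds one label per input wire, decrypts exactly one row per gate,
    and never learns which bit any label encodes."""
    labels = list(input_labels)
    for gid, (_, a, b) in enumerate(circuit):
        ka, kb = labels[a], labels[b]
        row = select_bit(ka) * 2 + select_bit(kb)
        labels.append(xor_bytes(H(ka, kb, gid), tables[gid][row]))
    return labels[-1]

def decode(wires, out_label):
    """Garbler maps the output-wire label back to a bit (in practice via a published decoding table)."""
    for v in (0, 1):
        if wires[-1][v] == out_label:
            return v
    raise ValueError("output label matches neither label of the output wire")

# Equality of two 2-bit values: eq = NOR(a0 XOR b0, a1 XOR b1). Wires 0,1 = Alice's bits; 2,3 = Bob's.
EQ2_CIRCUIT = [("XOR", 0, 2), ("XOR", 1, 3), ("NOR", 4, 5)]

def bits(x, n):
    return [(x >> i) & 1 for i in range(n)]

def secure_equality(a, b):
    """Alice (garbler) holds a, Bob (evaluator) holds b; returns 1 iff a == b."""
    wires, tables = garble(EQ2_CIRCUIT, 4)
    alice_labels = [wires[i][v] for i, v in enumerate(bits(a, 2))]
    # In a real protocol Bob obtains the labels for his bits via oblivious transfer, so Alice
    # does not learn b and Bob receives only one label per wire. The transfer is simulated here.
    bob_labels = [wires[2 + i][v] for i, v in enumerate(bits(b, 2))]
    out_label = evaluate(EQ2_CIRCUIT, alice_labels + bob_labels, tables)
    return decode(wires, out_label)

if __name__ == "__main__":
    for a in range(4):
        for b in range(4):
            assert secure_equality(a, b) == int(a == b)
    print("equality circuit garbled and evaluated correctly; hash ops so far:", STATS["hash_ops"])
```

Garbling costs four hash evaluations per gate and evaluation one more, so one run of secure_equality performs 15 for the three-gate circuit; the same accounting holds for any circuit, which is why cost grows with the gate count the bullets mention.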

Page 18

Performance (-2010)

[Figure: two bar charts for Fairplay (2004), [PSSW09] and TASTY. Left: throughput in gates/sec, y-axis up to 4500. Right: max gates (log scale), y-axis 5 to 25.]

Page 19

Using generic secure 2PC

[Pipeline diagram: Express f in high-level language → Express f in suitable representation → Protocol computing f. Annotations on the protocol stage: Efficient implementation, Protocol optimizations, Better crypto primitives]

Page 20

Notable improvements

• Protocol level
  – OT extension [IKNP03]
  – Better garbling (free-XOR [KS08], row reduction [PSSW09], half gates [ZRE15])
  – Cut-and-choose [LP07, LP11, HKE14, L14, …], new models [MF06, HKE12], amortization [LR14, H+14]

• Implementation level [HEKM11]
  – “Pipelining”
  – Reducing number of wires/gates
  – Optimized circuit libraries

Page 21

Huge impact

[Figure: two bar charts for Fairplay, [PSSW09], TASTY and “Here” [HEKM11]. Scalability: max gates, y-axis up to 1,200,000,000. Performance: non-free gates/s, y-axis up to 100,000.]

Secure computation is efficient (for moderately-sized circuits, and semi-honest security)

Huang et al., “Faster Secure Two-Party Computation Using Garbled Circuits,” USENIX Security 2011

Page 22

Using generic secure 2PC

[Pipeline diagram: Express f in high-level language → Express f in suitable representation → Protocol computing f, annotated with open questions at each stage]

• Protocol computing f: Which protocol? Efficient implementation; Protocol optimizations; Better crypto primitives
• Express f in suitable representation: Which representation? Choice of representation; Compile-time optimizations?
• Express f in high-level language: Expressiveness? Support for low-level optimizations? Type checking?

Page 23

Recent results

• Secure 2PC in the RAM model*
  – Represent f as a RAM program rather than as a boolean circuit

• Better compilers/programming languages for secure 2PC (in the RAM model)**
  – Allow programmers to code as usual

• Secure 2PC of native MIPS code***
  – Language-agnostic

* Gordon et al., ACM CCS 2012
** Liu et al., IEEE S&P 2014
*** Gordon et al., in submission

Page 24

Why the RAM model?

• Efficiency
  – Running time for a RAM program can be much better than the circuit size (e.g., binary search)

• Sublinear-time computation for “big data”?
  – The circuit for any non-trivial function must have size at least linear in the input length
  – In fact, linear complexity is inherent for secure computation of any non-trivial function
    • This is not true for amortized complexity!

Page 25

Why the RAM model?

• Better alignment with how programmers think about algorithms and write their code
  – What is the complexity of sorting?
  – Dynamic memory accesses (e.g., count[a[i]]++;)
  – General-purpose computation on a von Neumann architecture

• Input-dependent running time

Page 26

Key tool: ORAM

• Allows oblivious access to stored data, with polylog overhead [GO96, …, S+11, S+13, …]

[Figure: Client holds the ORAM state; Server holds the data array D]

Page 27

Key tool: ORAM

[Figure: Client (holding the ORAM state) issues (read, i1) through the ORAM and receives D[i1], then (read, i2) and receives D[i2]; writes also supported]

Security: accessed positions are independent of i1, i2, …

Page 28

Secure 2PC of RAM programs?

[Figure: Client (x) holds st and the ORAM state; Server holds D; each memory access goes through the ORAM and returns D[i]]

Client’s program:
  st = x
  d =
  while (1) {
    (inst, st) = Π(st, d)
    if inst == done, return d
    if inst == (read, i): d = D[i]
    if inst == (write, i): D[i] = d
  }

Page 29

Problems?

• If server initializes the ORAM itself, access patterns are no longer oblivious to the server!

• No security against the client!
  – Client learns st
  – Client learns ORAM state
  – Client learns intermediate results of the ORAM computation

Page 30

Conceptually…

[Figure: Client (x) and Server (D) each hold a share of the ORAM state, [ORAM state], and a share of the program state, [st]; a “trusted 3rd party” runs the program on st]

Page 31

Conceptually…

[Figure: Client (x) and Server (D) hold shares [ORAM state], [st] and [d]; the trusted party runs one step of the program below, the ORAM access is carried out on the shares, and the parties receive shares [d’] of the result]

  st = x
  d =
  while (1) {
    (inst, st) = Π(st, d)
    if inst == done, return d
    if inst == (read, i): d = D[i]
    if inst == (write, i): D[i] = d
  }

Repeat until inst = done, then reconstruct final output

Page 32

A secure protocol!

[Figure: as on the previous slide, but the trusted party is replaced by a secure computation of one step of the program; Client (x) and Server (D) hold [ORAM state] and [st], and obtain [d’] from the ORAM access]

  st = x
  d =
  while (1) {
    (inst, st) = Π(st, d)
    if inst == done, return d
    if inst == (read, i): d = D[i]
    if inst == (write, i): D[i] = d
  }

Page 33

Have we gained anything?

• After the initialization, all circuits computed have small size, independent of |D|

• Amortized complexity:
  – Say original computation requires T steps for memory of size S
  ⇒ ORAM protocol needs O(T polylog S) lookups
  ⇒ O(T polylog S) secure-computation sub-protocols on small circuits of size polylog S
  ⇒ If T is sublinear, sublinear complexity overall!
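An added example, written for this transcript and not taken from the talk or from the cited papers, that ties the ORAM slides (26 and 27) to the RAM-program loop (slide 28) and the amortized-cost argument on this slide. It is a toy Path ORAM in the style of [S+13] with a binary search run against it as a RAM program with transition function Π. The names PathORAM, binary_search_step, run_ram_program and oblivious_binary_search are mine; block encryption, the secret sharing of st and the ORAM state between client and server, and the secure computation of each Π step are all omitted. What it does show is the server's view (one random leaf per access, independent of the requested index), the constant number of bucket slots each access touches, and the number of ORAM lookups a T-step program makes.

```python
import secrets

class PathORAM:
    """Toy Path ORAM: the server stores a binary tree of buckets (Z blocks each); the client keeps
    a position map and a stash. Every access reads and rewrites one root-to-leaf path, chosen by a
    leaf that was assigned uniformly at random at the previous access to that block."""

    def __init__(self, n_blocks, bucket_size=4):
        self.L = max(1, (n_blocks - 1).bit_length())     # tree height: 2**L leaves >= n_blocks
        self.Z = bucket_size
        self.tree = {(lvl, i): [] for lvl in range(self.L + 1) for i in range(2 ** lvl)}
        self.position = {a: secrets.randbelow(2 ** self.L) for a in range(n_blocks)}  # client side
        self.stash = {}             # client side: block id -> value
        self.server_view = []       # what the server observes: the leaf (path) touched per access
        self.slots_touched = 0      # bucket slots read so far, for the overhead check

    def _path(self, leaf):
        return [(lvl, leaf >> (self.L - lvl)) for lvl in range(self.L + 1)]

    def access(self, op, a, new_value=None):
        leaf = self.position[a]
        self.position[a] = secrets.randbelow(2 ** self.L)   # remap before anything is revealed
        self.server_view.append(leaf)
        for node in self._path(leaf):                        # read the whole path into the stash
            for bid, val in self.tree[node]:
                self.stash[bid] = val
            self.tree[node] = []
            self.slots_touched += self.Z
        value = self.stash.get(a)
        if op == "write":
            self.stash[a] = new_value
        for node in reversed(self._path(leaf)):              # evict, leaf to root
            lvl = node[0]
            fits = [bid for bid in self.stash if (lvl, self.position[bid] >> (self.L - lvl)) == node]
            self.tree[node] = [(bid, self.stash.pop(bid)) for bid in fits[: self.Z]]
        return value

def binary_search_step(st, d):
    """Transition function Π(st, d) for binary search over a sorted array held in the ORAM.
    st = (lo, hi, target, idx): idx is the index whose value d was just read (None at the start)."""
    lo, hi, target, idx = st
    if idx is not None:
        if d == target:
            return ("done", idx), st
        if d < target:
            lo = idx + 1
        else:
            hi = idx - 1
    if lo > hi:
        return ("done", -1), st
    mid = (lo + hi) // 2
    return ("read", mid), (lo, hi, target, mid)

def run_ram_program(step, st, oram):
    """The client loop from the slides: call Π, then serve read/write instructions through the ORAM.
    The result travels inside the 'done' instruction here. Returns (result, number of Π steps)."""
    d, steps = None, 0
    while True:
        inst, st = step(st, d)
        steps += 1
        if inst[0] == "done":
            return inst[1], steps
        if inst[0] == "read":
            d = oram.access("read", inst[1])
        elif inst[0] == "write":
            oram.access("write", inst[1], d)

def oblivious_binary_search(values, target, bucket_size=4):
    """Load a sorted list into the ORAM, then run binary search as a RAM program.
    Returns (index or -1, Π steps, ORAM accesses made after initialization)."""
    oram = PathORAM(len(values), bucket_size)
    for i, v in enumerate(values):
        oram.access("write", i, v)
    n_init = len(oram.server_view)
    result, steps = run_ram_program(binary_search_step, (0, len(values) - 1, target, None), oram)
    return result, steps, len(oram.server_view) - n_init

if __name__ == "__main__":
    data = list(range(0, 2000, 2))     # constructed sample: 1000 sorted entries
    print(oblivious_binary_search(data, 1234))
```

With 1000 entries the tree has 11 levels, so every access touches 44 bucket slots whatever index was requested, and the search issues at most 10 reads: T steps cost T lookups of polylog size, not a circuit over all of D.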

Page 34

Performance results

(512-bit entries)

Page 35

Limitations

• Programmers still limited to using a fixed (toy?) language to express their programs

• No support for legacy code

• Although programs can be made instruction oblivious, doing so increases the number of instructions executed
  – Existing compilers for secure computation are not as good as gcc…

Page 36

Secure 2PC of MIPS machine code

• Programmers can write code in a language of their choice (so long as it compiles to MIPS)

• Existing MIPS code supported “for free”

• Number of instructions securely executed is exactly* the number of instructions executed in the insecure version

• Can leverage optimizations already present in existing compilers

Page 37

MIPS execution (high level)

[Figure: MIPS CPU with program, registers and PC, connected to RAM. Cycle: fetch next instruction → execute instruction → read or write to memory]

Page 38

Conceptually…

[Figure: P1 (x) and P2 (y) hold shares [PC] and [regs]; a secure computation of one MIPS CPU step, with memory held in ORAM, produces new shares [regs’] and [PC]]

Page 39

Why are these questions important?

Page 40

DoD

• IARPA: secure database search
  – Now being piloted by NCTC

• DARPA: fully homomorphic encryption (PROCEED); private search (BRANDEIS)

• Air Force: detecting potential satellite collisions

Page 41

OFR (US Dept. of the Treasury)

• Looking at using secure computation and differential privacy for facilitating data sharing
  – Among regulators
  – Between firms
  – With researchers and the public

• Obtain the benefits of transparency, while complying with policy regulations and reducing concerns about confidentiality

Flood et al., “Cryptography and the Economics of Supervisory Information: Balancing Transparency and Confidentiality,” Financial Stability Conference 2013

Page 42

Industry

• Partisia
  – Danish sugar-beet auction (2008-present)
  – Wireless-spectrum auctions

• Sharemind
  – Statistical analysis of financial data

• Sepior, Dyadic
  – Threshold AES decryption

Page 43

Conclusions

• Tremendous advances in theory and practice of secure 2PC in past few years

• Real-world deployment is already here!
  – Will continue to grow in importance and impact

Page 44

Acknowledgments

• Research supported by
  – NSF (“TC: Large: Collaborative Research: Practical Secure Computation: Techniques, Tools, and Applications”)
  – DARPA (“Toward Practical Cryptographic Protocols for Secure Information Sharing”)
  – ARL-ITA (“Secure Information Flow in Hybrid Coalition Networks”)

Papers and code available at http://www.cs.umd.edu/~jkatz/papers.html

Page 45

Questions?