SLIDE 1
An Introduction to Practical Multiparty Computation
Jack Doerner [Northeastern U]
An Introduction to Practical Multiparty Computation This Talk MPC - - PowerPoint PPT Presentation
An Introduction to Practical Multiparty Computation This Talk MPC - - PowerPoint PPT Presentation
Jack Doerner [Northeastern U] An Introduction to Practical Multiparty Computation This Talk MPC Frameworks - General Computation Circuit Structures - Solving Specific Problems The Memory Problem - A Perpetual Bugbear Custom Protocols
SLIDE 2
SLIDE 3
This Talk
MPC Frameworks Circuit Structures The Memory Problem Custom Protocols
- General Computation
- Solving Specific Problems
- A Perpetual Bugbear
- Beyond Circuits
But not: Theory, Protocols, Security Models
SLIDE 4
MPC History
1982 2004 2016 Yao’s Garbled Circuits Fairplay FairplayMP, Obliv-C, ObliVM, FastGC, TASTY, SPDZ, EMP, TinyOT, ShareMind, PCF, Sharemonad, TinyOT, Fresco, Wysteria, … Plus, many schemes that have never been implemented!
SLIDE 5
MPC Frameworks
Obliv-C ObliVM SPDZ Sharemind
SLIDE 6
The n Millionaires Problem
SLIDE 7
The n Millionaires Problem
- 1. Millionaires
additively share their inputs
- 2. Computation
authorities engage in MPC
- 3. Result is revealed
SLIDE 8
MPC Frameworks
Obliv-C ObliVM SPDZ Sharemind
SLIDE 9
- Protocol: Yao’s Garbled Circuits (others possible)
- Language type: C-compatible DSL
- Philosophy: Minimalism and expressiveness
Only one additional keyword over C
- Raw speed: 3M+ AND gates per second reported
- Unique feature: Compiled; C-compatible
[ZE15]
SLIDE 10
SLIDE 11
Language features not seen
- obliv functions
- ~obliv
- intelligent typecasting
SLIDE 12
Scalability Example: Secure Stable Matching
[DEs16]
SLIDE 13
Scalability Example: Linear System Solving
[GSBRDZE16]
SLIDE 14
MPC Frameworks
Obliv-C ObliVM SPDZ Sharemind
SLIDE 15
ObliVM
- Protocol: Yao’s Garbled Circuits
- Language type: Java/C++ style DSL
- Philosophy: Common operations are first-class
language constructs. Includes everything and the kitchen sink.
- Raw speed: 700K AND gates per second reported
- r 1.8M with preprocessing
[LWNHS15]
SLIDE 16
ObliVM
SLIDE 17
ObliVM
Language features not seen
- phantom functions
- shared random types
- bounded loops
- hinted loop-coalescing
- automatic ORAM
- built-in map + reduce
- C-style structs
SLIDE 18
MPC Frameworks
Obliv-C ObliVM SPDZ Sharemind
SLIDE 19
SPDZ
- Protocol: n-party Linear Secret Sharing + SHE
- No Language: programmed via python library calls
- Raw Speed (2PC Online): 358K multiplications/second
(2PC Offline): 4800 multiplications/second
- Unique feature: Covert or Malicious security against
dishonest majority [DPSZ11] [DKLPSS12] [KOS16]
SLIDE 20
SPDZ
SLIDE 21
SPDZ
SLIDE 22
SPDZ
Language features not seen
- Native GF(2n) types
- Many bits of syntax
SLIDE 23
MPC Frameworks
Obliv-C ObliVM SPDZ Sharemind
SLIDE 24
- A Commercial “Application Server Platform” (free for
researchers). Similar to Java or .NET
- Originally used a 3-party semi-honest protocol; now
includes SPDZ, YGC, three-party malicious
- Programming environments:
- C/C++ library calls
- SecreC, a C-like DSL
- Rmind, an R-inspired statistical analysis language
- Unique feature: vector optimized
[sharemind.cyber.ee] [BLW08] [J10] [BKLS14]
SLIDE 25
SLIDE 26
[BJSV15]
Scalability Example: Tax Fraud Detection
SLIDE 27
[sharemind.cyber.ee] [BKKRST16]
Scalability Example: Population-scale Statistical Studies
SLIDE 28
MPC Frameworks
Obliv-C ObliVM SPDZ Sharemind Protocol Yao’s GC (others possible) Yao’s GC n-party LSS + SHE Multiple Programming Paradigm C-compatible DSL Java-like DSL Python Library “Application Server Platform” Philosophy Minimalism, Be like C Do the sensible thing No front-end Language Commercial, Ever-growing Advantages Is like C, Compiled, fast Many language features Malicious or Covert Security Diverse Toolset, Vector-optimized Disadvantages Is like C, No Floating Point Complicated Syntax Precomputation, Leaky Abstraction Commercial
SLIDE 29
Circuit Structures
SLIDE 30
Circuit Structures
Seems simple enough, right? But how do we sort?
SLIDE 31
“Standard” Sorts
O(logn) O(n) Heapsort’s data-dependent branches make it inefficient Quicksort is totally unsuitable
SLIDE 32
Batcher’s Mergesort
SLIDE 33
Batcher’s Mergesort
A sorting algorithm with no data-dependent branches
SLIDE 34
SLIDE 35
Recursively Sort Lower Half Recursively Sort Upper Half Merge Even Rows Merge Odd Rows Compare Neighbor Elements
SLIDE 36
SLIDE 37
Circuit Structures
Batcher Merge Batcher Odd-Even Mergesort AKS Sorting Network Waksman Permutation Network O(nlogn) O(nlog2n) O(nlogn) O(nlogn) [B68] [B68] [AKS83] [W68]
SLIDE 38
Circuit Structures
Batcher Merge Batcher Odd-Even Mergesort AKS Sorting Network Waksman Permutation Network O(nlogn) O(nlog2n) O(nlogn) O(nlogn) [B68] [B68] [AKS83] [W68]
SLIDE 39
SLIDE 40
The Memory Problem
SLIDE 41
Oblivious Stack
SLIDE 42
Oblivious Stack
SLIDE 43
Oblivious Stack
SLIDE 44
1 2
Oblivious Stack
SLIDE 45
1 2
Oblivious Stack
SLIDE 46
Oblivious Stack
SLIDE 47
Oblivious Stack
SLIDE 48
5 blocks every access 10 blocks every 2nd access 20 blocks every 4th access 40 blocks every 8th access
Amortized cost: Layers: 5 blocks per layer per access O(logn)
Oblivious Stack
SLIDE 49
Sublinear-time Memories
Stack, Queue Square-root ORAM Tree ORAM (Circuit, Path) Algorithm-Specific O(logn) O(sqrt(nlog3n)) O(log3n) O(?) [ZE13] [ZWRGDEK15] [SDSFRYD13] [WCS15] [BSA13] [DEs16]
SLIDE 50
Sublinear-time Memories
Stack, Queue Square-root ORAM Tree ORAM (Circuit, Path) Algorithm-Specific O(logn) O(sqrt(nlog3n)) O(log3n) O(?) [ZE13] [ZWRGDEK15] [SDSFRYD13] [WCS15] [BSA13] [DEs16]
SLIDE 51
Custom Protocols
SLIDE 52
- blivc.org
- blivm.com
www.cs.bris.ac.uk/Research/ CryptographySecurity/SPDZ
sharemind.cyber.ee
MPC Frameworks
Obliv-C ObliVM SPDZ Sharemind
SLIDE 53
An Introduction to Practical Multiparty Computation
Jack Doerner [Northeastern U]