Computation Using Garbled Circuits Yan Huang David Evans Jonathan - PowerPoint PPT Presentation

Faster Secure Two-Party Computation Using Garbled Circuits Yan Huang David Evans Jonathan Katz Lior Malka www.MightBeEvil.com

Secure Two-Party Computation Bob’s Genome: ACTG… Alice’s Genome: ACTG… Markers (~1000): *0,1, …, 0+ Markers (~1000): *0, 0, …, 1+ Alice Bob Can Alice and Bob compute a function of their private data, without exposing anything about their data besides the result? 2

Overview • Describe a system for secure 2-party computation using garbled circuits that is much more scalable and significantly faster than best prior work • Applications: – Face recognition: Hamming distance – Genomics: Edit distance, Smith-Waterman – Private encryption: Oblivious AES evaluation 3

Our Results 1.2 Billions x 10000 10 1 max gates non-free gates/s 8 0.8 6 0.6 4 0.4 2 0.2 0 0 Fairplay [PSSW09] TASTY Here Fairplay [PSSW09] TASTY Here Performance Scalability

Secure Function Evaluation Alice (circuit generator) Bob (circuit evaluator)   s t a { 0 , 1 } b { 0 , 1 } Holds Holds Garbled Circuit Protocol Andrew Yao, 1986

Yao’s Garbled Circuits Inputs Output a b x 0 0 0 0 1 0 1 0 0 1 1 1 a b AND x

Computing with Meaningless Values? Inputs Output a b x a 0 b 0 x 0 a 0 b 1 x 0 a 1 b 0 x 0 a 1 b 1 x 1 a 0 or a 1 b 0 or b 1 a i , b i , x i are random values, chosen by the circuit generator but AND meaningless to the circuit evaluator . x 0 or x 1

Computing with Garbled Tables Inputs Output a b x Bob can only decrypt a 0 b 0 Enc a 0 ,b 0 ( x 0 ) one of these! a 0 b 1 Enc a 0 ,b 1 ( x 0 ) a 1 b 0 Enc a 1 ,b 0 ( x 0 ) a 1 b 1 Enc a 1 ,b 1 ( x 1 ) a 0 or a 1 b 0 or b 1 Garbled And Gate a i , b i , x i are random Enc a 0 , b 1 ( x 0 ) values, chosen by the circuit generator but AND Enc a 1 , b 1 ( x 1 ) meaningless to the circuit evaluator . Enc a 1 , b 0 ( x 0 ) Enc a 0 , b 0 ( x 0 ) x 0 or x 1

Chaining Garbled Circuits And Gate 1 a1 a 0 b 1 b 0 Enc a 1 0 , b 11 ( x 1 0 ) Enc a 1 1 , b 1 1 ( x 1 1 ) AND AND Enc a 1 1 , b 1 0 ( x 1 0 ) Enc a 1 0 , b 1 0 ( x 1 0 ) x 1 x 0 Or Gate 2 Enc x 0 0 , x 11 ( x 2 1 ) OR Enc x 0 1 , x 1 1 ( x 2 1 ) Enc x 0 1 , x 1 0 ( x 2 1 ) x 2 Enc x 0 0 , x 1 0 ( x 2 0 ) … Can do any computation privately this way! 9

Threat Model Semi-Honest ( Honest-but-Curious ) Adversary Adversary follows the protocol as specified ( ! ), but tries to learn more from the protocol execution transcript May be good enough for some scenarios We are working on efficient solutions for malicious adversaries 10

Fairplay SFDL Compiler SFDL Program Circuit (SHDL) Bob Alice Garbled Tables Generator Garbled Tables Dahlia Malkhi, Noam Nisan, Evaluator Benny Pinkas and Yaron Sella [USENIX Security 2004] 11

Problems? An alternative approach … would have been to apply Yao’s generic secure two- party protocol…. This would have required expressing the algorithm as a circuit … and then sending and computing that circuit.… [We] believe that the performance of our protocols is significantly better than that of applying generic protocols. Margarita Osadchy, Benny Pinkas, Ayman Jarrous, Boaz Moskovich. SCiFI – A System for Secure Face Identification . Oakland 2010. *Generic SFE+ is very fast … but the circuit size is extremely large…. Our prototype circuit compiler can compile circuits for problems of size (200, 200) but uses almost 2 GB of memory to do so…. larger circuits would be constrained by available memory for constructing their garbled versions. Somesh Jha, Louis Kruger, Vitaly Shmatikov. Towards Practical Privacy for Genomic Computation . Oakland 2008. 12

The Fallacy SFDL Compiler SFDL Program Circuit (SHDL) Bob Alice Garbled Tables Generator The entire circuit is Garbled Tables Evaluator prepared and stored on both sides 13

Faster Garbled Circuits Circuit-Level Application Circuit Structure Circuit Structure GC Framework GC Framework (Generator) (Evaluator) Enc x 0 0 , x 11 ( x 2 1 ) Enc x 2 0 , x2 1 ( x 3 0 ) x 2 1 Enc x2 0 , x3 1 ( x 4 1 ) Enc x 0 1 , x 1 1 ( x 2 1 ) x3 1 Enc x 4 0 , x 31 ( x 5 1 ) Enc x2 1 , x2 1 ( x3 0 ) Enc x 4 0 , x 5 1 ( x 6 1 ) x 4 1 Enc x 2 1 , x 3 1 ( x 4 1 ) Enc x 3 0 , x 61 ( x 7 1 ) Enc x 0 1 , x 1 0 ( x 2 1 ) Enc x 4 1 , x 3 1 ( x 5 0 ) x 5 1 Enc x 2 1 , x 2 0 ( x3 1 ) Enc x 4 1 , x 5 1 ( x 6 0 ) Enc x 2 1 , x 3 0 ( x 4 0 ) Enc x 3 1 , x 6 1 ( x 7 0 ) x 6 0 Enc x 4 1 , x 3 0 ( x 5 0 ) Enc x 4 1 , x 5 0 ( x 6 0 ) x 7 1 Enc x 3 1 , x 6 0 ( x 7 1 ) Gates can be evaluated as they are generated: pipelining 14

Benefits of Pipelining • Allows GC to scale to circuits of arbitrary size We ran circuits with over a billion gates, at a rate of roughly 10 μ s per gate. • Improves the time efficiency

Problems in Existing (SFDL) Compilers Resource-demanding SFDL compilation It takes hours on a 40GB memory server to compile a SFDL program that implements AES. Many optimization opportunities are missed Circuit level Program level Minimize bitwidth Treat public and secret Reduce the number of values differently non-free gates

Example: Secure Counter class Counter { int c = 0; void increment(bool b) { if (b) c++; } • SFDL requires pre-setting c to a fixed bit width • For best performance, its bit width should be adjusted dynamically • Saves n non-free gates (out of original n log n )

Circuit Optimization – Edit Distance for (int i = 1; i < a.length; ++i) for (int j = 1; j < b.length; ++j) { T = (a[i] == b[j]) ? 0 : 1; D[i][j] = min (D[i-1][j]+1, D[i][j-1]+1, D[i-1][j-1] + T); }

Circuit Optimization – Edit Distance D[i-1][j] D[i][j-1] D[i-1][j-1] 1 1 AddOneBit AddOneBit T AddOneBit 2-Min 2-Min D[i][j]

Circuit Optimization – Edit Distance D[i-1][j] D[i][j-1] D[i-1][j-1] 2-Min T 1 AddOneBit AddOneBit 2-Min D[i][j]

Circuit Optimization – Edit Distance D[i-1][j] D[i][j-1] D[i-1][j-1] 2-Min T 1 2-Min Mux AddOneBit Saves about D[i][j] 28% of gates

Circuit Library 1 Through custom circuit 2-Min T design and the use of optimal circuit components, 2-Min Mux we strive to minimize the number of non-free gates AddOneBit V. Kolesnikov and T. Schneider. Improved Garbled Circuit: Free XOR Gates and Applications . (ICALP), 2008.

Some Results Problem Best Previous Result Our Result Speedup Hamming Distance (Face 213s 0.051s 4176x Recognition, Genetic Dating) [SCiFI, 2010] – two 900-bit vectors Levenshtein Distance 534s 18.4s 29x (genome, text comparison) – [Jha+, 2008] two 200-character inputs Smith-Waterman (genome [Not Implementable] 447s - alignment) – two 60- nucleotide sequences AES Encryption 3.3s 0.2s 16.5x [Henecka, 2010] Scalable: 1 billion gates evaluated at ≈100,000 gates/second on regular PCs Comparisons are aligned to the same security level in the semi-honest model. 23

Timing Results 600 [Jha+, 2008] Best previous 500 Here 400 Seconds 300 [SCiFI, 2010] 200 29x 100 4176x faster faster 0 Hamming distance edit distance (200 Hamming Distance Edit Distance (900 bits) 256-bit chars) (900 bits) (200 chars, 8-bits each)

Ease of Use • Our framework assumes no expert knowledge of cryptography • Need basic ideas of Boolean circuits • Circuit designs converted directly to Java programs

Use the Framework Traditional Rest of the Circuit Java Java Program Generator Application javac Library Critical Circuit Component Circuit Critical Java Evaluator Custom Component Circuit code Critical Library Component Circuit

Example: AES SBox Leveraging an existing ASIC design for AES allows us to reduce the state-of- the-art AES circuit by 30% of non-free gates, compared to [PSSW09] and [HKSSW10] Wolkerstorfer, et al. An ASIC Implementation of the AES S-boxes . RSA-CT 2002.

Time Savings: AES 7 6 5 Seconds 4 3 2 16.5 x faster 1 0 [PSSW09] TASTY Here [Henecka, et al. CCS 2010]

Conclusion • Pipelining enables garbled-circuit technique to scale to large problem sizes • Circuit-level optimizations can dramatically reduce performance overhead Privacy-preserving applications can run orders of magnitude faster than previously thought.

Thanks! Questions? Download framework and Android demo application from MightBeEvil.com