A Fast and Verified Software Stack for Secure Function Evaluation
Total Page:16
File Type:pdf, Size:1020Kb
A Fast and Verified Software Stack for Secure Function Evaluation José Almeida, Manuel Barbosa, Gilles Barthe, Francois Dupressoir, Benjamin Grégoire, Vincent Laporte, Vitor Pereira To cite this version: José Almeida, Manuel Barbosa, Gilles Barthe, Francois Dupressoir, Benjamin Grégoire, et al.. A Fast and Verified Software Stack for Secure Function Evaluation. CCS 2017 - ACM SIGSAC Conference on Computer and Communications Security, Oct 2017, Dallas, United States. pp.1-18. hal-01649104 HAL Id: hal-01649104 https://hal.archives-ouvertes.fr/hal-01649104 Submitted on 27 Nov 2017 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. A Fast and Verified Software Stack for Secure Function Evaluation José Bacelar Almeida Manuel Barbosa Gilles Barthe INESC TEC and INESC TEC and FCUP IMDEA Software Institute, Spain Universidade do Minho, Portugal Universidade do Porto, Portugal François Dupressoir Benjamin Grégoire Vincent Laporte University of Surrey, UK Inria Sophia-Antipolis, France IMDEA Software Institute, Spain Vitor Pereira INESC TEC and FCUP Universidade do Porto, Portugal over encrypted data stands out as one of the technologies with the highest potential to change the landscape of secure ITC, namely ABSTRACT by improving cloud reliability and thus opening the way for new We present a high-assurance software stack for secure function secure cloud-based applications. Projects that aim to bring secure 4 evaluation (SFE). Our stack consists of three components: i. a veri- computation over encrypted data to practice include FRESCO [27], fied compiler (CircGen) that translates C programs into Boolean TASTY [38] and Sharemind [21]. circuits; ii. a verified implementation of Yao’s SFE protocol based on In contrast to other areas of software engineering for critical garbled circuits and oblivious transfer; and iii. transparent applica- systems, the benefits of formal verification for cryptographic en- tion integration and communications via FRESCO, an open-source gineering have been very limited, with some recent and notable framework for secure multiparty computation (MPC). CircGen is a exceptions [2, 3, 8, 18, 22, 33]. The reasons for this are well known: general purpose tool that builds on CompCert, a verified optimizing cryptographic software is a challenge for high-assurance software compiler for C. It can be used in arbitrary Boolean circuit-based development due to the tension that arises between complex speci- cryptography deployments. The security of our SFE protocol im- fications and the need for very high efficiency—security is supposed plementation is formally verified using EasyCrypt, a tool-assisted to be invisible, and current verification technology comes with a framework for building high-confidence cryptographic proofs, and performance penalty. The exceptions mentioned above mark the it leverages a new formalization of garbled circuits based on the emergence of a new area of research: high-assurance cryptogra- framework of Bellare, Hoang, and Rogaway (CCS 2012). We conduct phy. This aims to apply formal verification to both cryptographic a practical evaluation of our approach, and conclude that it is com- security proofs and the functional correctness and security of cryp- petitive with state-of-the-art (unverified) approaches. Our work tographic implementations. provides concrete evidence of the feasibility of building efficient, In this paper we demonstrate that a tight integration of high- verified, implementations of higher-level cryptographic systems. assurance cryptography and cryptographic engineering can deliver All our development is publicly available. the combined benefits of provable security and best cryptographic engineering practices at a scale that significantly exceeds previous KEYWORDS experiments (typically carried out on core cryptographic primi- Secure Function Evaluation, Verified Implementation, Certified tives). We deliver a fast and verified software stack for secure com- Compilation putation over encrypted data. This choice is motivated by several factors. First, as mentioned above, this technology is among the foremost practical applications of cryptography and is a fundamen- 1 INTRODUCTION tal building block for making cloud computing secure. Second, it is Cryptographic engineering is the domain-specific area of software a tremendous challenge for high-assurance cryptography, as its se- engineering that brings cryptography to practice. It encompasses curity proofs are markedly distinct from prior work in formalizing projects that maintain widely used cryptographic libraries such reductionist arguments. as OpenSSL,1 s2n2 and Bouncy Castle,3 as well as prototyping frameworks such as CHARM [1] and SCAPI [31]. More recently, a Contributions. We present a high-assurance and high-speed soft- series of groundbreaking cryptographic engineering projects have ware stack for secure multi-party computation. Figure 1 presents emerged, that aim to bring a new generation of cryptographic proto- the overall architecture of the stack. The lowest-level component cols to real-world applications. In this new generation of protocols, is FRESCO [27]; an existing, practical, open-source, framework for which has matured in the last two decades, secure computation secure multi-party computation, which we use for communications and input/output. The correctness of this framework (but not its A version of this report appears in the proceedings of CCS 2017. security) is part of our trusted computing base, as verifying the 1http://openssl.org 2http://https://github.com/awslabs/s2n 3https://www.bouncycastle.org/ 4https://github.com/aicis/fresco C program The higher-level component of our stack is a verified optimizing compiler from C programs to Boolean circuits that we call CircGen. Optimized CircGen CircGen Our compiler is mechanically verified using the Coq proof assistant, Boolean circuit and builds on top of CompCert [43], a verified optimizing compiler for C programs. It reuses the front- and middle-end of CompCert Inputs (introducing an extra loop-unrolling optimization) and it provides Circuit reader a new verified back-end producing Boolean circuits. The back-end includes correctness proofs for several program transformations Circuit description that have not previously been formally verified, including the trans- lation of RTL programs into guarded form and a memory-agnostic FRESCO application static single assignment (SSA) form. Our proof of semantic preser- vation is conditioned on the existence of an external oracle that provides functionally correct Boolean circuits for basic operations Verified Yao Protocol Suite in the C language, such as 32-bit addition and multiplication. The Outputs low-level circuits used in our current implementation for these Verified Yao Evaluator operations have not been formally verified and are hence part of our trusted computing base. Verifying Boolean circuits for native Communications C operations can be done either in Coq or using other verification FRESCO techniques and it is orthogonal to the reported verification effort. The Boolean circuits generated by CircGen compare well with alternative unverified solutions, namely CBMC-GC6 [34], although Figure 1: Verified cryptographic software stack. Blue rect- they are slightly less efficient (as would be expected). To widen the angles identify the verified components of the stack, while applicability of CircGen to scenarios where speed is more important black rectangles represent part of our trusting computing than assurance, we also implement some (yet unverified) global base. Dashed blue rectangles are partially verified elements post-processing optimizations that make CircGen a good alternative and in dashed black rectangles one can find intermediate in- to CBMC-GC for high-speed applications. put/output items. Our work delivers several generic building blocks (the Boolean circuit compiler, a verified implementation of oblivious transfer, ...) that can be reused by many other verified cryptographic systems. correctness of a Java-based communications infrastructure is out However, the main strength of our results resides in the fact that, of the scope of high-assurance cryptography. for the first time, we are able to produce a joining of high-assurance The intermediate component of our stack is a verified implemen- cryptography and cryptography engineering that covers all the tation of Yao’s secure function evaluation (SFE) protocol [57] based layers in a (passively) secure multiparty computation software on garbled circuits and oblivious transfer. This protocol allows framework. two parties P1 and P2, holding private inputs x1 and x2, to jointly evaluate any function f ¹x1; x2º and learn its result, whilst being Challenges. The development of the software stack raised several assured that no additional information about their respective inputs challenges, which we now highlight. is revealed. Two-party SFE provides a general distributed solution Machine-checked proofs of computational security. EasyCrypt [7, to the problem of computing