Oblivious Transfer (OT)

Practical Secure Two-Party Computation and Applications
Thomas Schneider, Estonian Winter School in Computer Science 2016

Overview
• Lecture 1: Introduction to Secure Two-Party Computation
• Lecture 2: Private Set Intersection
• Lecture 3: Tools and Applications
• Lecture 4: Hardware-assisted Cryptographic Protocols

The Engineering Cryptographic Protocols Group (ENCRYPTO)
Thomas Schneider, Daniel Demmler, Ágnes Kiss, Michael Zohner. Info: http://encrypto.de

Interested in Practical Secure Computation?
We have an open, fully funded position as Ph.D. Student / Research Assistant in Engineering Scalable Secure Computation.
Darmstadt: 30 km south of FRA, 150,000 inhabitants (5.8 million in the Frankfurt/Rhine-Main metro area), 40,000 students.
TU Darmstadt: ranked #1 for IT security research in Germany (#5 in Europe); among the top 5 universities for computer science in Germany.
http://encrypto.de/jobs

Lecture 1: Introduction

The Web of Services
Our life moves into the web... and so does our data.

How were web services used yesterday?
http://www.google.de, query "heart disease": an attacker can eavesdrop on or modify the communication.

How should web services be used today?
https://www.google.de, query "heart disease": a secure channel protects the communication against external attackers. HTTPS per default since 01/2010, 02/2011, 11/2012 (one date per service logo on the slide).

Data breaches happen every day...
• ... from outsiders. June 2, 2011: Google attacked from China. Computer hackers in China broke into the Gmail accounts of several hundred people, including senior US government officials, military personnel and political activists.
• ... or insiders. November 29, 2010: New WikiLeaks publication. WikiLeaks releases US State Department communiqués that offer an extraordinary look at the inner workings, and sharp elbows, of diplomacy.
• ... or malware. October 16, 2012: Espionage malware MiniFlame. Kaspersky Labs discover that MiniFlame is most likely a targeted cyberweapon to conduct in-depth surveillance and cyber-espionage.

How could web services be used tomorrow?
httpp://www.google.de (as written on the slide): the query is sent encrypted, processed under encryption, and the response is returned encrypted; the sensitive data ("heart disease") remains encrypted ➪ Privacy-Preserving Web Services

Vision: Privacy-Preserving Web Services
Process sensitive data without any data leakage, e.g.,
• Privacy-Preserving Medical Diagnostics Services: give health recommendations without direct access to the patient's data.
• Privacy-Preserving Face Recognition Services: detect criminals without allowing to trace honest citizens.
• Privacy-Preserving Cloud Computing Services: allow to store and process data at untrusted service providers.

Is this possible at all?
Andrew Chi-Chih Yao, 1986: Any efficiently computable function can be evaluated securely. ➪ Secure Computation

Secure Two-Party Computation
Two parties with private inputs x and y jointly compute f(x,y). All lectures: semi-honest (passive) adversaries.

Secure Two-Party Computation (S2PC)
• compute an arbitrary public function f(·,·)
• on private data x (Client C) and y (Server S)
• without a trusted third party
• reveal nothing but the result z = f(x,y)
Example: Yao's Millionaires' Problem. "Is C richer?", i.e., f(x,y) = [x > y]; x = $2 Mio, y = $1 Mio; z = f(x,y) = true.

Applications of Secure Two-Party Computation
Auctions [NaorPS99], Remote Diagnostics [BrickellPSW07], DNA Searching [Troncoso-PastorizaKC07], Biometric Identification [ErkinFGKLT09], Medical Diagnostics [BarniFKLSS09], ...

Oblivious Transfer (OT)
The sender inputs two messages (x0, x1), the receiver inputs a choice bit r and obtains xr. The sender learns nothing about r, and the receiver learns nothing about x(1-r). 1-out-of-2 OT is an essential building block for secure computation.

How to Measure the Efficiency of a Protocol?
✓ Runtime (depends on implementation & scenario)
✓ Communication
  • # bits sent (important for networks with low bandwidth)
  • # rounds (important for networks with high latency)
? Computation
  • Usually: count # crypto operations, from slowest to fastest: # modular exponentiations, # point multiplications, # hash function evaluations (SHA), # block cipher evaluations (AES), # One-Time Pad evaluations
  • But non-cryptographic operations matter as well!

Overview of this lecture
Part 1: Yao vs. GMW
  Special purpose protocols vs. generic protocols. Generic protocols for arithmetic circuits build on homomorphic encryption; generic protocols for Boolean circuits are Yao and GMW, both built on OT.
  Cost ordering: Public Key Crypto >> Symmetric Crypto >> One-Time Pad
Part 2: Efficient OT Extensions

Part 1: Yao vs. GMW and Efficient Circuits
T. Schneider, M. Zohner: GMW vs. Yao? Efficient secure two-party computation with low depth circuits. In FC'13.

Yao's Garbled Circuits Protocol [Yao86]
Public function f(·,·), e.g., x < y. Client C has private data x = x1, .., xn; Server S has private data y = y1, .., yn.
• Circuit: f is given as a Boolean circuit C (for x < y, a chain of comparator cells with intermediate wires c1, c2, ... and output z).
• Garbled circuit (setup phase, done by S): every wire value is replaced by a random key (x̃0, x̃1 for wire x, and so on) and every gate g by a garbled table whose four entries E(x̃0, ỹ0; c̃g(0,0)), E(x̃0, ỹ1; c̃g(0,1)), E(x̃1, ỹ0; c̃g(1,0)), E(x̃1, ỹ1; c̃g(1,1)) encrypt the output key under the two input keys.
• Online phase: S sends the garbled circuit and the keys ỹ for its own inputs; C obtains the keys x̃ for its inputs via OT(x; (x̃0, x̃1)) (see Part 2: Efficient OT); C evaluates the garbled circuit gate by gate and learns f(x,y) = C(x,y).

Garbled Circuits [Yao86]
Conventional circuit vs. garbled circuit: the wire values 0 and 1 are replaced by keys that look random; given the input keys, one can compute the output key only. (Slide from Viet-Tung Hoang)

Garbled Gate [Yao86]
Given two input keys, one can compute only the corresponding output key. (Slide from Viet-Tung Hoang)

Overview of Efficient Garbled Circuit Constructions
• 1990 Point-and-Permute [BeaverMicaliRogaway]
• 1999 3-row reduction [NaorPinkasSumner]
• 2008 Free-XOR [KolesnikovSchneider]
• 2009 2-row reduction [PinkasSchneiderSmartWilliams]
• 2012 Garbling via AES [KreuterShelatShen]
• 2013 Fixed-key AES [BellareHoangKeelveedhiRogaway]
• 2014 FleXor [KolesnikovMohasselRosulek]
• 2015 HalfGates [ZahurRosulekEvans]
(Slide from Payman Mohassel)

Summary of Garbled Circuit Constructions
(t: symmetric security parameter, e.g., t = 128; costs are per gate, XOR and AND separately)

                    size (×t)      garble cost (AES)   eval cost (AES)
                    XOR    AND     XOR    AND          XOR    AND
Classical           large  large   8      8            5      5
Point-and-Permute   4      4       4      4            1      1
GRR3                3      3       4      4            1      1
Free XOR            0      3       0      4            0      1
HalfGates           0      2       0      4            0      2
(Slide from Mike Rosulek)

Summary: Yao - the Apple
How to eat an apple?
Bite-by-bite.
+ Yao has a constant number of rounds.
- Evaluating a garbled gate requires symmetric crypto in the online phase.

The GMW Protocol [GMW87]
• Secret-share the inputs: a = a1 ⊕ a2, b = b1 ⊕ b2 (party Pi holds ai and bi).
• XOR gates are non-interactive: c1 = a1 ⊕ b1; c2 = a2 ⊕ b2.
• AND gates are interactive: d = a ∧ b is obtained as shares d1, d2 (via the multiplication triples below).
• Recombine the outputs: d = d1 ⊕ d2.

Evaluating ANDs via Multiplication Triples [Beaver91] (see Part 2: Efficient OTs)
Setup phase: generate a multiplication triple (a1 ⊕ a2)(b1 ⊕ b2) = c1 ⊕ c2 for each AND gate via 2 OTs:
1) P1: m0, m1 ∈R {0,1}; P2: a2 ∈R {0,1}
2) P1 and P2 run OT, where P1 inputs (m0, m1), P2 inputs a2 and gets u2 = m(a2)
3) P1 sets b1 = m0 ⊕ m1; v1 = m0
4) P1 and P2 repeat steps 1-3 with reversed roles to obtain (a1, u1); (b2, v2)
5) Pi sets ci = (ai ∧ bi) ⊕ ui ⊕ vi
(Correctness: u2 ⊕ v1 = m(a2) ⊕ m0 = a2 ∧ b1 and, symmetrically, u1 ⊕ v2 = a1 ∧ b2, so c1 ⊕ c2 = (a1 ⊕ a2)(b1 ⊕ b2).)
Online phase, for an AND gate with shared inputs x = x1 ⊕ x2 and y = y1 ⊕ y2:
  P1 → P2: d1 = x1 ⊕ a1; e1 = y1 ⊕ b1
  P1 ← P2: d2 = x2 ⊕ a2; e2 = y2 ⊕ b2
  P1, P2: d = d1 ⊕ d2; e = e1 ⊕ e2
  P1: z1 = d·b1 ⊕ e·a1 ⊕ c1 ⊕ d·e
  P2: z2 = d·b2 ⊕ e·a2 ⊕ c2
(Then z1 ⊕ z2 = d·b ⊕ e·a ⊕ a·b ⊕ d·e = (d ⊕ a)(e ⊕ b) = x·y.)

Summary: GMW - the Orange
How to eat an orange?
1) Peel (almost all the effort) = setup phase:
  - precompute multiplication triples for each AND gate using 2 R-OTs and a constant number of rounds
  + no need to know the function, only the max. number of ANDs
2) Eat (easy) = online phase:
  + evaluating the circuit needs one-time-pad operations only
  - 2×2 bit communication per layer of AND gates

Benchmarks of an optimized GMW implementation [SZ13]
Runtime in seconds for a 512-bit multiplication circuit (800k AND gates, depth 38) over Gigabit LAN. The following slides add one optimization at a time (the bar chart itself is not reproduced here):
• Interactive AND gates via Beaver's multiplication triples [D. Beaver. Efficient multiparty protocols using circuit randomization. CRYPTO'91.]
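As an added worked example (this is not code from the lecture, from [SZ13] or from ENCRYPTO), the following Python runs both parties of the multiplication-triple setup (steps 1-5 above) and of the online AND gate, and checks that the recombined output is x ∧ y. The 1-out-of-2 OT underneath is a Diffie-Hellman construction in the style of the "simplest OT" of Chou and Orlandi, which is sufficient for the semi-honest setting of these lectures but not against malicious parties; hashing the shared group element into a one-time pad is the symmetric part. Two assumptions of the demo: the group is a safe prime generated at start-up by Miller-Rabin (a deployment would use a standardized group of at least 2048 bits), and SHA-256 stands in for the key derivation.

```python
"""Semi-honest GMW AND gate: Beaver multiplication triples generated with a
DH-based 1-out-of-2 OT (Chou-Orlandi style), then the XOR-only online phase.
Added example, not code from the lecture or from ENCRYPTO."""
import hashlib
import secrets

# Demo assumption: a freshly generated safe prime; use a standardized group in practice.
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)

def is_probable_prime(n, rounds=16):
    """Trial division followed by Miller-Rabin with `rounds` random bases."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits=256):
    """Safe prime p = 2q + 1 and g = 4, which generates the order-q subgroup."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4

def _kdf(p, *elems):
    """Hash the transcript (A, B) and the shared element into a 32-byte pad."""
    nbytes = (p.bit_length() + 7) // 8
    return hashlib.sha256(b"".join(e.to_bytes(nbytes, "big") for e in elems)).digest()

def _xor(m, key):
    return bytes(a ^ b for a, b in zip(m, key))

def ot(grp, m0, m1, r):
    """1-out-of-2 OT: sender holds (m0, m1), receiver holds choice bit r.
    Both sides run locally; the return value is what the receiver learns (m_r).
    Messages are byte strings of at most 32 bytes."""
    p, q, g = grp
    a = secrets.randbelow(q - 1) + 1                       # sender
    A = pow(g, a, p)                                       # sender -> receiver
    b = secrets.randbelow(q - 1) + 1                       # receiver
    B = pow(g, b, p) if r == 0 else A * pow(g, b, p) % p   # receiver -> sender
    k0 = _kdf(p, A, B, pow(B, a, p))                       # sender: H(B^a)
    k1 = _kdf(p, A, B, pow(B * pow(A, p - 2, p) % p, a, p))  # sender: H((B/A)^a)
    e0, e1 = _xor(m0, k0), _xor(m1, k1)                    # sender -> receiver
    kr = _kdf(p, A, B, pow(A, b, p))                       # receiver: H(A^b) == k_r
    return _xor((e0, e1)[r], kr)

def gen_triple(grp):
    """Setup phase, steps 1-5 of the slide: returns P1's share (a1, b1, c1) and
    P2's share (a2, b2, c2) with (a1 ^ a2) & (b1 ^ b2) == c1 ^ c2."""
    def one_direction():
        m0, m1 = secrets.randbits(1), secrets.randbits(1)  # step 1, sender
        a = secrets.randbits(1)                            # step 1, receiver
        u = ot(grp, bytes([m0]), bytes([m1]), a)[0]        # step 2: u = m_a
        return (m0 ^ m1, m0), (a, u)                       # step 3: b = m0^m1, v = m0
    (b1, v1), (a2, u2) = one_direction()   # steps 1-3: P1 sends, P2 receives
    (b2, v2), (a1, u1) = one_direction()   # step 4: roles reversed
    c1 = (a1 & b1) ^ u1 ^ v1               # step 5
    c2 = (a2 & b2) ^ u2 ^ v2
    return (a1, b1, c1), (a2, b2, c2)

def and_online(x1, y1, x2, y2, t1, t2):
    """Online phase: one round, 2 bits per direction, XOR/AND on bits only."""
    a1, b1, c1 = t1
    a2, b2, c2 = t2
    d1, e1 = x1 ^ a1, y1 ^ b1              # P1 -> P2
    d2, e2 = x2 ^ a2, y2 ^ b2              # P2 -> P1
    d, e = d1 ^ d2, e1 ^ e2                # both reconstruct the masked inputs
    z1 = (d & b1) ^ (e & a1) ^ c1 ^ (d & e)
    z2 = (d & b2) ^ (e & a2) ^ c2
    return z1, z2

def gmw_and(grp, x, y):
    """Shares x and y, runs setup and online phase, recombines z = x AND y."""
    x1, y1 = secrets.randbits(1), secrets.randbits(1)
    x2, y2 = x ^ x1, y ^ y1
    t1, t2 = gen_triple(grp)
    z1, z2 = and_online(x1, y1, x2, y2, t1, t2)
    return z1 ^ z2
```

Calling `gmw_and(make_group(), x, y)` for all four input pairs returns x ∧ y. All public-key work (two OTs per AND gate, a handful of exponentiations each) sits in `gen_triple`, and the triples do not depend on x or y, which is exactly why the "peel" can be precomputed knowing only the number of AND gates; `and_online` is the "eat" part and touches nothing but bits.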
  In [SZ13] the triple generation uses a 1-out-of-4 OT in the setup phase; in the online phase the two independent 2-bit messages are sent in parallel, so each layer of AND gates costs 1× network latency.
• Use an AES-based PRF for the OT extension (instead of SHA-1).
• Load balancing: run half of the precomputed OTs in each direction (in parallel) and run the base OTs twice (in parallel), so that each party has exactly the same workload.
• Use GMP instead of NTL for the base OTs.
• Process data in chunks of bytes (instead of bits).
• Use the assembly implementation of SHA-1 from OpenSSL (instead of the C implementation of PolarSSL).
• Single Instruction Multiple Data: evaluate multiple circuits in parallel (here 32), inspired by Sharemind.

Remaining Bottlenecks in the LAN Setting
[Chart: share of the total runtime per component after the optimizations. The values next to the label "Base OTs" are 1% and 0.1%; the remaining percentages of the chart (0.8% to 98%) cannot be assigned to components from the extracted text.]

Yao vs. GMW
(t: symmetric security parameter)

                              Yao (Free XOR)         GMW
symmetric crypto per AND      S: 4, R: 2 (online)    setup: S: 6, R: 6
communication [bit] per AND   S→R: 2t                setup: S→R: t || R→S: t; online: S→R: 2 || R→S: 2
rounds                        O(1)                   setup: O(1); online: O(ANDdepth(f))
memory per wire [bit]         t                      1

Efficient Circuit Constructions for Secure Computation
Classical circuit design:
- few gates (⇒ small chip area)
- low depth (⇒ high clock frequency)
Circuits for secure computation:
- low ANDsize (# non-XOR gates ⇒ communication and symmetric crypto)
- low ANDdepth (# rounds in GMW's online phase)
Automatically generate optimized circuits from high-level descriptions: E.
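To make the Yao column of the comparison concrete, here is an added example (not from the lecture or from any of the cited implementations) that garbles and evaluates a single AND gate with the Point-and-Permute technique [BeaverMicaliRogaway], the first entry of the construction overview. Each wire gets two random keys whose last bits differ; those bits select the table row, so the evaluator decrypts exactly one row instead of trying all four. The demo uses SHA-256 over both input keys and a gate identifier as the PRF (an assumption; the cost table counts AES calls), and `check_all_inputs` is a test harness that lets the garbler map the recovered key back to a plaintext bit, something the evaluator cannot do.

```python
"""One garbled AND gate in the style of Yao86 with point-and-permute.
Added example; not code from the lecture or from the cited papers."""
import hashlib
import secrets

T = 16  # symmetric security parameter in bytes (t = 128 bits on the slides)

def gen_wire():
    """Two random keys for a wire. The last bit of a key is its permute bit;
    the two keys of a wire carry opposite permute bits, chosen at random."""
    k0 = bytearray(secrets.token_bytes(T))
    k1 = bytearray(secrets.token_bytes(T))
    k1[-1] = (k1[-1] & 0xFE) | ((k0[-1] & 1) ^ 1)
    return bytes(k0), bytes(k1)

def pbit(key):
    return key[-1] & 1

def prf(ka, kb, gate_id):
    """Double encryption key: H(ka || kb || gate_id), truncated to T bytes.
    (SHA-256 stands in for the AES-based PRF counted on the slides.)"""
    return hashlib.sha256(ka + kb + gate_id.to_bytes(4, "big")).digest()[:T]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def garble_and(gate_id, wa, wb):
    """Garbler: returns the output wire keys and a 4-row table. Row position is
    fixed by the permute bits of the input keys, not by the plaintext values,
    so the table order leaks nothing about the truth table layout."""
    wc = gen_wire()
    table = [None] * 4
    for va in (0, 1):
        for vb in (0, 1):
            ka, kb = wa[va], wb[vb]
            row = 2 * pbit(ka) + pbit(kb)
            table[row] = xor(prf(ka, kb, gate_id), wc[va & vb])
    return wc, table

def eval_and(gate_id, ka, kb, table):
    """Evaluator: holds exactly one key per input wire; one PRF call recovers
    the output key for the (unknown) input values and nothing else."""
    row = 2 * pbit(ka) + pbit(kb)
    return xor(prf(ka, kb, gate_id), table[row])

def check_all_inputs(gate_id=7):
    """Test harness: garble once, evaluate on all four input combinations and
    let the garbler decode the returned key to a bit. Returns {(va, vb): va AND vb}."""
    wa, wb = gen_wire(), gen_wire()
    wc, table = garble_and(gate_id, wa, wb)
    results = {}
    for va in (0, 1):
        for vb in (0, 1):
            kc = eval_and(gate_id, wa[va], wb[vb], table)
            results[(va, vb)] = wc.index(kc)   # decoding needs wc, which only the garbler has
    return results
```

The numbers line up with the P&P row of the summary table: the table has 4 rows of t bits, garbling costs 4 PRF calls and evaluation 1. Free XOR and the row reductions of the later constructions change the table and the key generation but keep this row-selection mechanism.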

Source file: PDF, 67 pages, English.
