wysteria: a programming language for generic, mixed-mode multiparty computations aseem rastogi...

Post on 14-Jan-2016


Wysteria: A Programming Language for Generic, Mixed-Mode Multiparty Computations

Aseem Rastogi, Matthew Hammer, Michael Hicks

(University of Maryland, College Park)

What is Secure Multiparty Computation (SMC)?

Alice holds A, Bob holds B. Compute f(A, B) without revealing A to Bob or B to Alice.

Using a Trusted Third Party

(diagram: A and B are each sent to a trusted third party, which returns f(A, B) to both)

Compute f(A, B) without revealing A to Bob or B to Alice.

SMC Eliminates the Trusted Third Party

(diagram: A and B run a cryptographic protocol between themselves and both obtain f(A, B))

Compute f(A, B) without revealing A to Bob or B to Alice, using a cryptographic protocol instead of a third party.

SMC Examples

    Application                 Private data
    Nearest neighbor            Locations
    Auction                     Bids
    Private set intersection    Sets
    Statistical computation     Numbers

Beyond Toy SMC Examples

• Online card games: SMC to deal cards

• Dice-based games: SMC to roll dice

Monolithic Secure Multiparty Computation

(diagram: A and B feed a single secure computation f(A, B), and both receive f(A, B))

Not Enough!

Mixed-Mode Secure Multiparty Computation

(diagram: a sequence of secure computations f(A, B), g(A1, B1), h(A2, B2), … interleaved with each party's local computation, with secure state carried from one secure computation to the next)

State Of The Art: Existing SMC Languages

• Fairplay, FairplayMP, CBMC-GC: only "circuit compilers"; no mixed-mode; no secure state

• L1: only 2-party, low level; no formal guarantees

• FastGC: circuit library, only 2-party

None supports generic programs (parametric in number of parties).

Our Goal

Push SMC beyond toy applications

Design an SMC Language

• Mixed-Mode: local and secure computations; high-level support for secure state

• Generic: code parametric in number of parties

• High-level: single specification; runtime compilation to circuits

• Guarantees: statically typed, sound; compositional

A High-level Functional Language to write Mixed-Mode Generic SMCs

Implementation and examples available at:

http://ter.ps/wysteria

Developing Online Poker using Wysteria (almost there …)

Goes Without Saying, Wysteria Has It All!

Demo (coming up)

Wysteria by Examples: Two-party Millionaire's*

    let a = read() in        par(A)
    let b = read() in        par(B)
    let o = a > b in         sec(A,B)
    o

*The example in this form does not type check in Wysteria.

Single specification: A and B run the same program.

Compute who is richer among A and B.

Wysteria by Examples: Two-party Millionaire's

    let a = read() in        par(A)      A's local computation (skipped by B)
    let b = read() in        par(B)      B's local computation (skipped by A)
    let o = a > b in         sec(A,B)    Secure computation by (A,B)
    o

Computation modes: par(A), par(B), sec(A,B).

The runtime compiles the sec(A,B) block to a boolean circuit and evaluates it using secure computation.

No communication primitives!

Key Ideas

Mixed-Mode Computations via Mode Annotations

Wysteria by Examples: Asymmetric Output

    let a = read() in        par(A)
    let b = read() in        par(B)
    let o = a > b in         sec(A,B)
    o

What if only A is allowed to know the output?

    let a = read() in                 par(A)
    let b = read() in                 par(B)
    let o = wire A:(a > b) in         sec(A,B)
    o

The value wire A:(a > b) is a wire bundle.

Wire Bundles in Wysteria

• Maps from parties to values

• Each party sees only its own component in the bundle, or nothing if it's not in the domain

• Wire bundles are dependently typed

• Create: wire A:0 : W {A} nat

• Concat: (wire A:0)++(wire B:1) : W {A U B} nat

• Project: (wire A:0)[A] : nat

Wysteria by Examples: Inputs Via Wire Bundles

    let a = read() in                        par(A)
    let b = read() in                        par(B)
    let w1 = wire A:a in
    let w2 = wire B:b in
    let w3 = w1 ++ w2 in
    let o = wire A:(w3[A] > w3[B]) in        sec(A,B)
    o

Wysteria by Examples: Wire Bundle Views

          A's View    B's View    sec(A,B)'s View
    w1    {A:a}       {}          {A:a}
    w2    {}          {B:b}       {B:b}
    w3    {A:a}       {B:b}       {A:a,B:b}

Modes: par(A), par(B), sec(A,B).

Key Ideas

Wire Bundle Abstraction for Private Inputs/Outputs

Mixed-Mode Computations via Place Annotations

Wysteria by Examples: Functions

    let mill = λx:W {A U B} nat . let o = x[A] > x[B] in o in
    let a = read () in                     par(A)
    let b = read () in                     par(B)
    mill (wire A:a ++ wire B:b)            sec(A,B)

So Far We Have Seen …

• Mixed-Mode support via mode annotations

• Wire Bundles abstraction for private data

• Now: Writing Generic Code in Wysteria

Parties As First Class Values

• Parties are values of type ps φ

• Refinement types for more precise invariants

• {A} : ps {ν = A}

• {A} : ps {ν ⊆ A U B}

Wysteria by Examples: Generic Millionaire's

    let comb = λx:ps . λy:W x nat . λa:ps option . λp:ps . λn:nat .
      match a with
      | None => Some(p)
      | Some(q) => if y[q] > n then a else Some(p)
    in
    let mill = λx:ps . λy:W x nat . let o = wfold(y, None, comb x y) in o      sec(x)
    in …

With refinement types, the accumulator and the party argument are typed ps{ν ⊆ x} option and ps{ν ⊆ x}, recording that every party q they hold lies in the domain x of the bundle y:

    let comb = λx:ps . λy:W x nat . λa:ps{ν ⊆ x} option . λp:ps{ν ⊆ x} . λn:nat .
      match a with
      | None => Some(p)
      | Some(q) => if y[q] > n then a else Some(p)
    in
    let mill = λx:ps . λy:W x nat . let o = wfold(y, None, comb x y) in o      sec(x)
    in …

Key Ideas

Generic Code:
1. Parties as First Class Values
2. Wire Bundle Combinators (e.g. wfold)

Wire Bundle Abstraction for Private Inputs/Outputs

Mixed-Mode Computations via Place Annotations
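To make the wire-bundle rules and the generic millionaire's fold concrete, here is an added Python model (not code from the Wysteria paper or its implementation): it covers create, concat, project, the per-party views from the table above, and the wfold-based mill for any number of parties. The names WireBundle, view, wire, wfold, comb and mill, and the sorted fold order, are assumptions of this model.

```python
from typing import Callable, Dict, Iterable, Optional

class WireBundle:
    """Map from parties to values; W {A U B} nat is WireBundle({"A": a, "B": b})."""
    def __init__(self, comps: Dict[str, int]):
        self.comps = dict(comps)

    def concat(self, other: "WireBundle") -> "WireBundle":
        # (wire A:0) ++ (wire B:1) : W {A U B} nat; the two domains must be disjoint
        if self.comps.keys() & other.comps.keys():
            raise ValueError("wire bundle domains overlap")
        return WireBundle({**self.comps, **other.comps})

    def project(self, party: str) -> int:
        # w[p] is only defined for p in the bundle's domain (KeyError otherwise)
        return self.comps[party]

    def view(self, mode: Iterable[str]) -> Dict[str, int]:
        # par(p) sees only p's own component; sec(ps) sees every component of ps
        mode = set(mode)
        return {p: v for p, v in self.comps.items() if p in mode}

def wire(party: str, value: int) -> WireBundle:
    """wire A:v : W {A} nat"""
    return WireBundle({party: value})

def wfold(w: WireBundle, init, comb: Callable):
    """Fold comb over the components, like wfold(y, None, comb x y).
    Assumption: components are visited in sorted party order (the slides leave it open)."""
    acc = init
    for p in sorted(w.comps):
        acc = comb(acc, p, w.comps[p])
    return acc

def comb(y: WireBundle) -> Callable:
    """The slide's comb x y: None => Some(p); Some(q) => keep q if y[q] > n, else p."""
    def step(a: Optional[str], p: str, n: int) -> Optional[str]:
        if a is None:
            return p
        return a if y.project(a) > n else p
    return step

def mill(y: WireBundle) -> Optional[str]:
    """Generic millionaire's over any number of parties: the richest party's name."""
    return wfold(y, None, comb(y))
```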

Wysteria Metatheory

• Formalized using λ-calculus with extensions

• Dependent type system

• Two operational semantics:
  – Single-threaded (SIMD style specification)
  – Multi-threaded (actual protocol runs)
  – Slicing judgment from single- to multi-threaded

Wysteria Theorems*

• Type soundness (progress and preservation) in single-threaded semantics

• Sound simulation: (diagram: a single-threaded run C1 → C2 → … is related, via the slice operation, to the multi-threaded runs π1, π2, … of the individual parties)

*Proofs in Technical Report

Wysteria Implementation

We use the GMW implementation from Choi et al.

Wysteria Evaluation

    Application          n-Party?   Mixed-Mode?   Secure state?
    Millionaire's        Yes        No            No
    2nd price auction    Yes        No            No
    PSI                  2-party    Yes           No
    Nearest neighbor     Yes        No            No
    Median               2-party    Yes           No
    PSI count            2-party    Yes           Yes
    2-round bidding      Yes        Yes           Yes
    Online poker         Yes        Yes           Yes

Wysteria Code for Card Dealing

(Colour coding on the slide: secure computation, local computation, secret shares.)

    let rand = \(myunit:unit). sysop rand 52 in
    let mkdeal = \(x:ps{true}).
      let zerosh @ par(x) = let zerosh1 @ sec(x) = makesh 0 in zerosh1 in
      let dealt @ par(x) = array [ 52 ] of zerosh in
      let ndealt @ par(x) = array [ 1 ] of 0 in
      let deal = \(tgt:ps{singl and subeq x}).
        let w @ par(x) =
          let check = \(rs:W x nat).
            let nd = select ndealt[0] in
            let sum @ sec(x) =
              let s = wfold x [rs; 0; \(n1:nat).\(p:ps{true}).\(n2:nat). n1 + n2 ] in
              let s1 = wfold x [wire x:(); s;
                                \(n1:nat).\(p:ps{true}).\(n2:unit). if n1 > 51 then n1 - 51 else n1 ] in
              makesh s1
            in
            let checkloop = fix checkloop:(i:nat) -> {#sum:Sh x nat, #success: bool}. (i:nat).
              if i = nd then {#sum:sum, #success:true}
              else
                let sd = select dealt[i] in
                let cmp @ sec(x) =
                  let t1 = combsh sd in
                  let t2 = combsh sum in
                  t1 = t2
                in
                if cmp then {#sum:sum, #success:false}
                else checkloop (i + 1)
            in
            checkloop 0
          in
          let retryloop = fix retryloop: (tmp5:unit) -> W tgt nat. (tmp5:unit).
            let myrand = \(z:unit).rand () in
            let rs = wapp x [wire x:(); wire x:myrand] in
            let res = check rs in
            if res.#success then
              let nd = select ndealt[0] in
              let _ = update dealt [nd] <- res.#sum in
              let _ = update ndealt [0] <- nd + 1 in
              let card @ sec(x) = let s = combsh (res.#sum) in wire tgt:s in
              card
            else retryloop ()
          in
          retryloop ()
        in
        wcopy as x from w
      in
      { #deal : deal }
    in
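The dealing loop above, as an added Python model that is not the paper's or the implementation's code: every party contributes a random in 0..51, the sec(x) step combines them with the slide's two folds and keeps the result only as additive secret shares (makesh/combsh), the checkloop rejects a card that is already in dealt, and retryloop draws again. The class Dealer, the function slide_sum and the single PRNG standing in for all parties are assumptions of this model.

```python
import random
from typing import Dict, List

CARDS = 52

def makesh(value: int, parties: List[str], rng: random.Random) -> Dict[str, int]:
    """Split value into additive shares mod 52, one per party (models makesh)."""
    shares = {p: rng.randrange(CARDS) for p in parties[:-1]}
    shares[parties[-1]] = (value - sum(shares.values())) % CARDS
    return shares

def combsh(shares: Dict[str, int]) -> int:
    """Recombine the shares (models combsh; in Wysteria only allowed inside sec(x))."""
    return sum(shares.values()) % CARDS

def slide_sum(contribs: Dict[str, int]) -> int:
    """The slide's two wfolds: add every party's random, then one 'subtract 51 if
    above 51' step per party. Kept as on the slide; note it is not a uniform mod-52
    reduction (for two parties the sums 51 and 102 both yield 51)."""
    s = sum(contribs.values())
    for _ in contribs:
        s = s - 51 if s > 51 else s
    return s

class Dealer:
    """Models mkdeal's par(x) state: shares of every dealt card plus their count."""
    def __init__(self, parties: List[str], seed: int = 0):
        self.parties = parties
        self.rng = random.Random(seed)          # constructed: one PRNG stands in for all parties
        self.dealt: List[Dict[str, int]] = []   # the dealt[] array of secret shares

    def check(self, contribs: Dict[str, int]) -> Dict[str, object]:
        """The slide's check: sum in sec(x), keep it shared, compare with dealt cards."""
        sum_sh = makesh(slide_sum(contribs), self.parties, self.rng)
        for sd in self.dealt:                    # checkloop over the ndealt entries
            if combsh(sd) == combsh(sum_sh):     # cmp @ sec(x): values opened only inside sec
                return {"sum": sum_sh, "success": False}
        return {"sum": sum_sh, "success": True}

    def deal(self, tgt: str) -> int:
        """retryloop: draw fresh randoms until an undealt card is found; the card
        is returned as wire tgt:s, i.e. only tgt's view carries the value."""
        if len(self.dealt) == CARDS:
            raise RuntimeError("deck exhausted; the slide's retryloop would never return")
        while True:
            contribs = {p: self.rng.randrange(CARDS) for p in self.parties}  # each party's rand ()
            res = self.check(contribs)
            if res["success"]:
                self.dealt.append(res["sum"])    # update dealt[nd] <- res.#sum; ndealt[0] <- nd + 1
                return combsh(res["sum"])
```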

Demo

• Card dealing using Wysteria

• Future Work: Integrate with Bitcoin for betting

(c.f. Secure Multiparty Computation on BitCoin, Andrychowicz et al.)

Also In The Paper …

• Support for secure state

• More language features:
  – Mutable state (interesting interaction with mixed-mode)
  – Additional wire bundle combinators

• Performance evaluation

• Complete proofs in TR

Wysteria Summary

A High-level Functional Language to write Mixed-Mode Generic SMCs

Implementation and examples available at:

http://ter.ps/wysteria
