Outsourcing Multi-Party Computation
Seny Kamara - Microsoft Research
Payman Mohassel - U. of Calgary
Mariana Raykova - Columbia
Distrustful Cooperation
[Figure: three parties, Alice, Eve and Bob, hold private inputs x, y, z and want to jointly compute f(x,y,z)]
Dagstuhl 12/06/11
Distrustful Cooperation • Examples
o Data mining
o Negotiations
o Electronic Voting
o Auctions
o Exchanges
o Distributed constraint satisfaction & optimization
o ...
Distrustful Cooperation • Q: how do we achieve distrustful cooperation?
[Figure: the parties hand x, y, z to a Trusted Party, under NDAs]
Multi-Party Computation
[Figure: an MPC protocol run among the parties holding x, y, z ≈ the ideal world in which a trusted party computes f(x,y,z) for them]
Outline • Motivation
• Overview of MPC
• Server-aided MPC
• Defining security o Standard definition
o Security w/ non-colluding adversaries
• Protocols o vs. non-colluding & semi-honest parties
o vs. non-colluding & 1 malicious party
o from secure delegation to server-aided 2PC
o private set intersection
Theory of MPC • [Yao82]
o secure 2PC (vs. semi-honest adversary)
• [Goldreich-Micali-Wigderson87] o secure MPC (vs. malicious adversary)
• [BenOr-Goldwasser-W88, Chaum-Crepeau-Damgard88]
o perfectly secure MPC vs. semi-honest (t < n/2) & malicious (t < n/3)
• [...]:
o [Y82] has ≈ 1500 citations
o stronger definitions; stronger adversaries; more adversaries; fewer rounds
Towards Efficient MPC • [Malkhi-Nisan-Pinkas-Sella04, BenDavid-Nisan-Pinkas08]
o Fairplay & FairplayMP systems for 2PC & MPC
o Protocol optimizations
o vs. malicious adversary based on efficient cut-&-choose mechanism
• [Mohassel-Franklin06, Lindell-Pinkas07, Woodruff07] o improved cut-&-choose mechanisms
• [Kolesnikov-Schneider08a, KS08b]
o Circuit optimizations techniques (e.g., Free XOR)
MPC Systems • Fairplay
o Implementations of 2PC & MPC
• FairplayPF [KS08]
o Implementation of private function evaluation using UCs
• VIFF [BCD++09]
o Sharing-based MPC
o Real-life use-case
• Sharemind [Bogdanov-Laur-Willemson08]
o Sharing-based MPC for data analytics
• TASTY [Henecka-Kogl-Sadeghi-Schneider-Wehrenberg]
o Mixed MPC framework (sharing + garbled circuits)
• Fast Garbled Circuits [Huang-Evans-Katz-Malka11]
o Highly-optimized garbled circuit framework
o 900 bit hamming distance in 51ms
o 200 (8bit) character edit distance in 18.4s
Yao’s Garbled Circuits • Five PPT algorithms
o GarbCircuit(C; r) ⇒ G(C)
o GarbIn(x; r) ⇒ G(x)
o Eval(G(C), G(x), G(y)) ⇒ G(o)
o GarbOut(r) ⇒ T
o Translate(G(o), T) ⇒ o
[Figure: an AND gate with input wires a, b and output wire c. Each wire carries a pair of labels K0, K1 (written K^a_0, K^a_1 for wire a, and so on). The garbled table is the truth table with each row encrypted under the two input labels of that row, in a random row order:]

  a b | c     garbled row
  0 0 | 0     Enc_{K^a_0}(Enc_{K^b_0}(K^c_0))
  0 1 | 0     Enc_{K^a_0}(Enc_{K^b_1}(K^c_0))
  1 0 | 0     Enc_{K^a_1}(Enc_{K^b_0}(K^c_0))
  1 1 | 1     Enc_{K^a_1}(Enc_{K^b_1}(K^c_1))
Yao’s Garbled Circuits
[Figure: a three-gate circuit: an output AND gate fed by an OR gate and an AND gate, i.e. AND(OR(w0,w1), AND(w2,w3)). Each gate has its own garbled table (shown for AND, OR, AND). On inputs 0 1 1 1 the evaluator holds the labels K0 K1 K1 K1, decrypts exactly one row per gate, and ends with the output label K1, which translates to the output 1.]

  OR gate garbled table:          AND gate garbled table:
  Enc_{K0}(Enc_{K0}(K0))          Enc_{K0}(Enc_{K0}(K0))
  Enc_{K0}(Enc_{K1}(K1))          Enc_{K0}(Enc_{K1}(K0))
  Enc_{K1}(Enc_{K0}(K1))          Enc_{K1}(Enc_{K0}(K0))
  Enc_{K1}(Enc_{K1}(K1))          Enc_{K1}(Enc_{K1}(K1))
Yao’s 2PC Protocol
Garbler (holds x)                                   Evaluator (holds y)
1. GarbCircuit(C_f) ⇒ G(C_f)
2. GarbIn(x) ⇒ G(x)
3. GarbOut(r) ⇒ T
4. ∀i: GarbIn(i, y_i) ⇒ G(y_i)
   --- G(C_f), G(x), T ---------------------------->
   <--- OT: for each bit y_i the evaluator obtains G(y_i) and nothing else --->
                                                    1. Eval(G(C_f), G(x), G(y)) ⇒ G(o)
                                                    2. Translate(G(o), T) ⇒ o
   <--- G(o) ---------------------------------------
5. Translate(G(o), T) ⇒ o
Secure vs. semi-honest adversaries
Implicit in MPC • Many works in MPC assume a homogeneous environment
o Parties have similar amounts of resources
o Parties play similar roles
o Parties may collude with each other
o Exceptions: [Feige-Killian-Naor94, Naor-Pinkas-Sumner99, Damgard-Ishai05, Halevi-Lindell-Pinkas11]
• Real life is heterogeneous
o Parties have different amounts of resources (e.g., servers, clusters, phones)
o Parties don't necessarily want to collude
Homogeneous vs. Heterogeneous
[Figure: the homogeneous setting (similar parties jointly computing f(x,y,z)) ≠ the heterogeneous setting (parties with very different resources, e.g. a server and phones)]
But What If…
Parties Outsource Work:
• use cloud computing to scale MPC
• we can't trust the cloud
Parties Do Not Collude:
• more efficient protocols
• weaker adversarial model
Server-Aided MPC
[Figure: server-aided MPC, where the parties run the protocol with the help of an untrusted server, ≠ standard MPC among the parties alone]
Server-Aided MPC
Q1: is server-aided MPC possible?
Q2: is it possible “efficiently” in theory?
Q3: is it possible efficiently in practice?
Related Work • [Feige-Killian-Naor94]
o Different motivation
o Server learns output, non-interactive
• [Naor-Pinkas-Sumner99] o Different motivation
o Server learns output
• [Damgard-Ishai05, BGD++09] o Multiple servers -- at least one of which is honest
• [Beaver98, Catrina-Kerschbaum08] o Extra parties to assist in computation
• Fully-homomorphic encryption [Gentry09,...]
o Not useful “out-of-the-box” – likely need FHE + PKE + VC or TFHE
Standard Adversarial Model
• Traditional adversarial model in MPC o Cheaters modeled as a single “monolithic” A
o A corrupts the dishonest parties
o sees their state and possibly controls them
o the monolithic adversary captures collusion
Standard Security Definition
[Figure: real execution of the protocol with the monolithic adversary A ≈ ideal execution in which the parties hand x, y, z to a trusted party and the simulator S interacts with it]
{OUT(P1),...,OUT(Pn),VIEW(A)} ≈ {OUT(P1),...,OUT(Pn),VIEW(S)}
Non-Colluding Advs.
• New adversarial model in MPC o Cheaters modeled as independent adversaries A1, …, An
o Ai corrupts a single dishonest party
o Ai sees only that party's state and possibly controls it
o Independent adversaries capture non-collusion
Security vs. Non-Colluding Advs.
[Figure: real execution with independent adversaries A1, ..., An ≈ ideal execution with independent simulators S1, ..., Sn]
Security vs. Non-Colluding Advs. • Capturing non-collusion in MPC
o Independent adversaries
o Independent simulators
o Abort with partial fairness [Goldwasser-Lindell05]
o Partial emulation
• For all Ai
o joint distribution of honest parties' outputs and Ai's view
o joint distribution of honest parties' outputs and Si's view
o are "indistinguishable"
Collusion-free MPC [Lepinski-Micali-shelat05, Alwen-shelat-Visconti08, Alwen-Katz-Lindell-Persiano-shelat-Visconti09]
∀i: {OUT(P1),...,OUT(Pn),VIEW(Ai)} ≈ {OUT(P1),...,OUT(Pn),Si}
Security vs. Non-Colluding Advs.
• Protocol is secure only if adversaries do not share views
• Definition only meaningful in the semi-honest model
∀ Ai: {OUT(P1),...,OUT(Pn),VIEW(Ai)} ≈ {OUT(P1),...,OUT(Pn),Si}
Security vs. Non-Colluding Advs. • Model captures Ai's that do not collude
o before the protocol
o out-of-band during the protocol
o after the protocol
• What if Ai's collude in-band during the protocol? o If Ai's are semi-honest then it's OK
o If Ai's are malicious then problem!
Security vs. Non-Colluding Advs. • Characterizing Ai's that deviate w/o colluding
• Non-cooperative o Ai is non-coop. wrt Aj if ∃ a simulator Vi s.t. VIEW(Ai,Aj) ≈ Vj
o where Ai is semi-honest...
• Isolated o Aj is isolated if all Ai's are non-coop. wrt Aj
Yao’s Garbled Circuits • Five PPT algorithms
o GarbCircuit(C; r) ⇒ G(C)
o GarbIn(i, x; r) ⇒ G(x)
o Eval( G(C), G(x), G(y) ) ⇒ G(o)
o GarbOut(r) ⇒ T
o Translate(G(o), T) ⇒ o
[Figure: the AND-gate example again: wires a, b, c each carry labels K0, K1; the garbled table is the four rows Enc_{K0}(Enc_{K0}(K0)), Enc_{K0}(Enc_{K1}(K0)), Enc_{K1}(Enc_{K0}(K0)), Enc_{K1}(Enc_{K1}(K1))]
The FKN Protocol [Feige-Killian-Naor94]
P1 (input x) and P2 (input y) share randomness r from a Coin Toss; the cloud never sees r.
P1 → cloud: G(C), G(x)   (GarbCircuit(C; r), GarbIn(x; r))
P2 → cloud: G(y)         (GarbIn(y; r), no OT needed)
Cloud: Eval(G(C), G(x), G(y)) ⇒ G(o); sends G(o) to P1 and to P2
P1: GarbOut(r) ⇒ T; Translate(G(o), T) ⇒ o
P2: GarbOut(r) ⇒ T; Translate(G(o), T) ⇒ o
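The five garbling algorithms from the two Yao slides (GarbCircuit, GarbIn, Eval, GarbOut, Translate), the three-gate circuit AND(OR(w0,w1), AND(w2,w3)) and the FKN message flow above, as one added worked example in Python. This is illustration code written for this page, not the authors' implementation: the HMAC-SHA256 one-time-pad encryption of table rows, the 16-byte labels, the zero tail used to recognise the decryptable row and the derivation of every label from the shared coins r are this example's own assumptions (no free-XOR, no point-and-permute, and no OT, since in FKN P2 garbles its own input from r). It also exercises the verifiability property the slides rely on: a cloud that returns a label other than one of the two valid output labels is caught in Translate.

```python
import hashlib
import hmac
import random
import secrets

KLEN = 16  # wire-label length in bytes (toy parameter assumed for this example)
TRUTH = {"AND": lambda a, b: a & b, "OR": lambda a, b: a | b}

# Circuit from the slides: output = AND(OR(w0, w1), AND(w2, w3)).
# Wires 0,1 carry P1's input x, wires 2,3 carry P2's input y; a gate is (op, in_a, in_b, out).
CIRCUIT = [("OR", 0, 1, 4), ("AND", 2, 3, 5), ("AND", 4, 5, 6)]
OUT_WIRES = [6]


def prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def label(r, wire, bit):
    # Every label is derived from the coins r, so whoever holds r can garble an input
    # wire on its own (GarbIn(i, y_i; r) in the slides); the cloud never gets r.
    return prf(r, b"label|%d|%d" % (wire, bit))[:KLEN]


def garb_circuit(circuit, r):
    """GarbCircuit(C; r) -> G(C): one permuted 4-row table per gate."""
    garbled = []
    for gid, (op, a, b, out) in enumerate(circuit):
        rows = []
        for x in (0, 1):
            for y in (0, 1):
                z = TRUTH[op](x, y)
                # Enc_{K_a^x}(Enc_{K_b^y}(K_out^z)), realised as a pad keyed by both input labels.
                pad = prf(label(r, a, x) + label(r, b, y), b"gate|%d" % gid)
                plain = label(r, out, z) + bytes(KLEN)  # label || 0^KLEN marks the right row
                rows.append(bytes(p ^ q for p, q in zip(pad, plain)))
        rng = random.Random(int.from_bytes(prf(r, b"perm|%d" % gid), "big"))
        rng.shuffle(rows)  # hide which row is which; the permutation is fixed by r
        garbled.append((gid, a, b, out, rows))
    return garbled


def garb_in(wire, bit, r):
    """GarbIn(i, x_i; r) -> G(x_i)."""
    return label(r, wire, bit)


def eval_circuit(garbled, input_labels):
    """Eval(G(C), G(x), G(y)) -> all wire labels; needs labels only, never r."""
    wires = dict(input_labels)
    for gid, a, b, out, rows in garbled:
        pad = prf(wires[a] + wires[b], b"gate|%d" % gid)
        for row in rows:
            plain = bytes(p ^ q for p, q in zip(pad, row))
            if plain[KLEN:] == bytes(KLEN):  # a wrong row passes this with probability 2^-128
                wires[out] = plain[:KLEN]
                break
        else:
            raise ValueError("gate %d: no row decrypts (bad labels or corrupted table)" % gid)
    return wires


def garb_out(out_wires, r):
    """GarbOut(r) -> T: maps each output wire's two labels to their bits."""
    return {w: {label(r, w, 0): 0, label(r, w, 1): 1} for w in out_wires}


def translate(out_labels, T):
    """Translate(G(o), T) -> o; anything but one of the two valid labels is rejected."""
    bits = {}
    for w, table in T.items():
        if out_labels[w] not in table:
            raise ValueError("wire %d: output label is not valid, the cloud misbehaved" % w)
        bits[w] = table[out_labels[w]]
    return bits


def fkn_protocol(x, y, r=None, cloud_cheats=False):
    """FKN server-aided 2PC: P1 garbles C and x, P2 garbles y with the same coins,
    the untrusted cloud evaluates, and both parties translate G(o) locally."""
    r = r or secrets.token_bytes(32)  # coin toss between P1 and P2
    gc = garb_circuit(CIRCUIT, r)  # P1
    gx = {i: garb_in(i, bit, r) for i, bit in enumerate(x)}  # P1
    gy = {2 + i: garb_in(2 + i, bit, r) for i, bit in enumerate(y)}  # P2, no OT needed
    wires = eval_circuit(gc, {**gx, **gy})  # cloud: sees tables and labels only
    g_o = {w: wires[w] for w in OUT_WIRES}
    if cloud_cheats:  # a malicious cloud tries to make the parties accept a forged output
        g_o = {w: secrets.token_bytes(KLEN) for w in OUT_WIRES}
    T = garb_out(OUT_WIRES, r)  # recomputed by each party from r
    return translate(g_o, T)[OUT_WIRES[0]]


def forged_output_rejected():
    """True if Translate refuses the cheating cloud's label (verifiability of Yao)."""
    try:
        fkn_protocol([1, 1], [1, 1], cloud_cheats=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for n in range(16):
        x, y = [(n >> 3) & 1, (n >> 2) & 1], [(n >> 1) & 1, n & 1]
        assert fkn_protocol(x, y) == (x[0] | x[1]) & (y[0] & y[1])
    print("all 16 inputs correct; forged output rejected:", forged_output_rejected())
```

Over all 16 input pairs fkn_protocol returns AND(OR(x0,x1), AND(y0,y1)); with cloud_cheats=True the forged G(o) fails Translate. The two deviations by P1 listed on the next slides (handing r to the cloud, or garbling a wrong circuit) are not detected by this scheme, which is exactly what the cut-and-choose section addresses.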
The FKN Protocol
[Figure: same message flow (P1 → cloud: G(C), G(x); P2 → cloud: G(y); cloud → P1, P2: G(o); Coin Toss between P1 and P2); security argument:]
Cloud: sees only garbled material and never r, so privacy + verifiability of Yao's garbling hold against it
P1, P2: each party's view consists only of its own input, the shared coins and G(o)
The FKN Protocol
[Figure: same message flow, now with a deviating P1]
Cloud: privacy + verifiability of Yao
P1 can deviate in two ways: 1. send the coins r to the cloud 2. garble an incorrect circuit
So far… • We have
o a simple 2-party server-aided protocol (FKN)
o secure vs. malicious server, semi-honest & non-cooperative parties
o no public-key operations
o P1's work is O(|C|) & P2's work is O(|y|)
o Can be extended to multi-party setting
• Next o We make FKN robust against a non-cooperative garbler
o Secure vs. isolated & semi-honest server, non-cooperative P1, semi-honest P2
o still no public-key operations
o P1's work is O(|C|) & P2's work is O(|y|)
o Can be extended to multi-party setting
Handling Deviating Garblers • Problem
o How do we know P1 garbled the circuit and input correctly?
• Solution o [GMW87]: Zero-knowledge proofs (inefficient)
o [MNPS04,MF06,LP07,W07]: cut and choose (efficient)
[Figure: cut-and-choose message flow]
P1 → P2: (G(C), G(x)) × λ, EQ(x)
P2 → P1: T ⊂ [1,...,λ] s.t. |T| = λ/2
P1 → P2: { r_i }_{i∈T}
P2: 1. open GCs in T 2. verify they are correct 3. verify input equality 4. evaluate remaining GCs 5. take majority output
Cut & Choose in Server-Aided Model
• Who verifies cut & choose? o If P2, then its work goes from O(|y|) to O(|y| + λ∙|C|)
o Can we outsource cut & choose verification to the cloud?
[Figure: P1 → cloud: {G(C), G(x)}λ, EQ(x); P2 → cloud: G(y); Coin Toss between P1 and P2; cloud → P1, P2: G(o). Verifier steps: 1. open GCs in T 2. verify they are correct 3. verify input equality 4. evaluate remaining GCs 5. take majority output]
Cut & Choose in Server-Aided Model
[Figure: P1 → cloud: {G(C), G(x)}λ, EQ(x), MAJ(C); cloud → P1: T ⊂ [1,...,λ] s.t. |T| = λ/2; P1 → cloud: { r_i }_{i∈T}; cloud: 1. open GCs 2. verify they are correct 3. evaluate remaining GCs 4. take majority output]
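The cut-and-choose check of the three slides above (λ garbled circuits, open half, verify, evaluate the rest, take the majority), as an added Python example that is not part of the talk. Garbling itself is abstracted away: stand_in_gc is a seed-determined hash standing in for GarbCircuit(C; r_i), which is all the verifier needs to re-derive an opened circuit and compare it with what P1 sent; the EQ(x) input-consistency check and the MAJ(C) variant are left out. The names (garbler_send, cut_and_choose, cheat_success_probability, security_bits), λ = 40, and the worst-case assumption that all corrupt circuits agree on one wrong output are this example's own. cheat_success_probability gives the number that matters when sizing λ: the probability that a garbler who corrupts n_bad circuits both escapes the opened set T and outvotes the honest circuits in the majority.

```python
import hashlib
import math
import secrets
from fractions import Fraction

LAMBDA = 40                             # λ garbled circuits sent by P1 (assumed; even)
CIRCUIT = b"AND(OR(w0,w1),AND(w2,w3))"  # agreed description of C
CORRECT_OUTPUT = 1                      # what an honest garbling evaluates to (constructed)
_rand = secrets.SystemRandom()


def stand_in_gc(seed, circuit=CIRCUIT):
    """Stands in for GarbCircuit(C; r_i): deterministic in r_i, so once r_i is opened
    the verifier can recompute G(C_i) and compare it with what P1 sent."""
    return hashlib.sha256(b"GC|" + seed + b"|" + circuit).digest()


def garbler_send(n_bad):
    """P1's first message: λ garblings (EQ(x) omitted). A non-cooperative garbler
    corrupts n_bad of them at random positions, hoping none of them gets opened."""
    seeds = [secrets.token_bytes(16) for _ in range(LAMBDA)]
    bad = set(_rand.sample(range(LAMBDA), n_bad))
    gcs = [stand_in_gc(s, b"WRONG" if i in bad else CIRCUIT) for i, s in enumerate(seeds)]
    return seeds, gcs, bad


def cut_and_choose(n_bad=0):
    """Verifier side (P2 or the cloud): pick T with |T| = λ/2, receive r_i for i in T,
    re-derive and compare, evaluate the unopened circuits, take the majority.
    Returns 'abort' (cheating caught), 'correct', or 'wrong' (cheating succeeded)."""
    seeds, gcs, bad = garbler_send(n_bad)
    T = set(_rand.sample(range(LAMBDA), LAMBDA // 2))    # 1. challenge
    opened = {i: seeds[i] for i in T}                      # P1 opens {r_i}_{i in T}
    if any(stand_in_gc(opened[i]) != gcs[i] for i in T):   # 2. verify the opened circuits
        return "abort"
    # 4-5. evaluate the rest; a corrupt circuit yields the wrong output (worst case: all agree)
    outputs = [CORRECT_OUTPUT if i not in bad else 1 - CORRECT_OUTPUT
               for i in range(LAMBDA) if i not in T]
    votes = sum(o == CORRECT_OUTPUT for o in outputs)
    return "correct" if 2 * votes > len(outputs) else "wrong"


def cheat_success_probability(lam, n_bad):
    """Exact Pr[cheating succeeds]: Pr[no corrupt circuit lands in T] when the n_bad
    corrupt circuits can outvote the honest unopened ones, and 0 otherwise (a tie loses)."""
    evaluated = lam - lam // 2
    if 2 * n_bad <= evaluated:
        return Fraction(0)
    # all n_bad corrupt circuits must fall among the λ - |T| unopened positions
    return Fraction(math.comb(lam - n_bad, lam // 2), math.comb(lam, lam // 2))


def security_bits(lam):
    """-log2 of the best cheating strategy: the statistical security λ circuits buy."""
    best = max(cheat_success_probability(lam, b) for b in range(lam + 1))
    return -math.log2(best)


if __name__ == "__main__":
    print(cut_and_choose(0), cut_and_choose(1), cut_and_choose(LAMBDA))
    print("λ = %d gives about %.1f bits" % (LAMBDA, security_bits(LAMBDA)))
```

With λ = 40 the garbler's best move is to corrupt 11 circuits (one more than half of the 20 that get evaluated), which passes the check with probability C(29,20)/C(40,20), roughly 2^-13.7. That is why the λ·|C| verification cost the slide worries about is not a small constant: λ has to grow with the desired statistical security.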
Oblivious Cut & Choose
• Oblivious cut-and-choose 1. Sample random polys p0 and p1 such that p0(0) = γ0 and p1(1) = γ1
2. Eval polys. on labels: (..., p1(K1), p1(K1), ...) and (..., p0(K0), p0(K0), ...)
3. Encrypt 0 string under γ0 and γ1
4. Note: p0 and p1 must be permutation polynomials (e.g., Dickson) and thus must satisfy various (simple) algebraic properties
[Figure: the AND gates of the λ garbled circuits, each with wire labels K0 & K1; the polynomials are evaluated on the corresponding labels across circuits]
Server-aided 2PC from Delegation
Secure Delegation
[Figure: client/server delegation scheme]
Client: (pk,sk) ← Gen(1^k); (st, e(x)) ← Encode(x)
Client → Server: (f, e(x), pk)
Server → Client: e(f(x))
Client: Vrfy(sk, st, e(f(x)))
Server-aided 2PC from Delegation
[Figure: P1 (input x) and P2 (input y) run a 2PC between themselves and delegate f'(x|y) = f(x,y) to the server]
1. Use 2PC to generate (pk,sk) 2. Use 2PC to encode x 3. Receive shares of st and sk 4. Use 2PC to decode & verify
Future/Open Problems • Definitions
o better/cleaner definitions of non-collusion
o stronger security guarantee (i.e., w/o partial emulation)
• Constructions o Composition of server-aided protocols
o More special-purpose protocols (e.g., data mining, pattern matching,...)
Questions?