secure computation in the real( ish ) world
DESCRIPTION
Secure Computation in the Real( ish ) World. David Evans University of Virginia http://www.cs.virginia.edu/evans http://www.MightBeEvil.com. Carnegie Mellon 20 April 2011. “Genetic Dating”. Alice. Bob. Genome Compatibility Protocol. Your offspring will have good immune systems!. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/1.jpg)
1
Secure Computation in the
Real(ish) World
David EvansUniversity of Virginiahttp://www.cs.virginia.edu/evanshttp://www.MightBeEvil.com
Carnegie Mellon20 April 2011
![Page 2: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/2.jpg)
2
“Genetic Dating”
AliceBob
Genome Compatibility Protocol
Your offspring will have good immune systems!
Your offspring will have good immune systems!
WARNING! Don’t Reproduce
WARNING!Don’t Reproduce
![Page 3: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/3.jpg)
3
![Page 4: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/4.jpg)
4
Genome Sequencing1990: Human Genome Project starts, estimate $3B to sequence one genome ($0.50/base)
2000: Human Genome Project declared complete, cost ~$300M
Whitehead Institute, MIT
![Page 5: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/5.jpg)
5
Sep 2001
Feb 2002
Jul 2002
Dec 2002
May 2003
Oct 2003
Mar 2004
Aug 2004
Jan 2005
Jun 2005
Nov 2005
Apr 2006
Sep 2006
Feb 2007
Jul 2007
Dec 2007
May 2008
Oct 2008
Mar 2009
Aug 2009
Jan 2010
Jun 2010 $10,000
$100,000
$1,000,000
$10,000,000
$100,000,000 Cost to sequence human genome
Moore’s Law prediction(halve every 18 months)
Data from National Human Genome Research Institute: http://www.genome.gov/sequencingcosts
![Page 6: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/6.jpg)
6
Sep 2001
Feb 2002
Jul 2002
Dec 2002
May 2003
Oct 2003
Mar 2004
Aug 2004
Jan 2005
Jun 2005
Nov 2005
Apr 2006
Sep 2006
Feb 2007
Jul 2007
Dec 2007
May 2008
Oct 2008
Mar 2009
Aug 2009
Jan 2010
Jun 2010 $10,000
$100,000
$1,000,000
$10,000,000
$100,000,000 Cost to sequence human genome
Moore’s Law prediction(halve every 18 months)
Data from National Human Genome Research Institute: http://www.genome.gov/sequencingcosts
Ion torrent Personal Genome Machine
![Page 7: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/7.jpg)
Human Genome Sequencing Using Unchained Base Reads on Self-Assembling DNA Nanoarrays. Radoje Drmanac, Andrew B. Sparks, Matthew J. Callow, Aaron L. Halpern, Norman L. Burns, Bahram G. Kermani, Paolo Carnevali, Igor Nazarenko, Geoffrey B. Nilsen, George Yeung, Fredrik Dahl, Andres Fernandez, Bryan Staker, Krishna P. Pant, Jonathan Baccash, Adam P. Borcherding, Anushka Brownley, Ryan Cedeno, Linsu Chen, Dan Chernikoff, Alex Cheung, Razvan Chirita, Benjamin Curson, Jessica C. Ebert, Coleen R. Hacker, Robert Hartlage, Brian Hauser, Steve Huang, Yuan Jiang, Vitali Karpinchyk, Mark Koenig, Calvin Kong, Tom Landers, Catherine Le, Jia Liu, Celeste E. McBride, Matt Morenzoni, Robert E. Morey, Karl Mutch, Helena Perazich, Kimberly Perry, Brock A. Peters, Joe Peterson, Charit L. Pethiyagoda, Kaliprasad Pothuraju, Claudia Richter, Abraham M. Rosenbaum, Shaunak Roy, Jay Shafto, Uladzislau Sharanhovich, Karen W. Shannon, Conrad G. Sheppy, Michel Sun, Joseph V. Thakuria, Anne Tran, Dylan Vu, Alexander Wait Zaranek, Xiaodi Wu, Snezana Drmanac, Arnold R. Oliphant, William C. Banyai, Bruce Martin, Dennis G. Ballinger, George M. Church, Clifford A. Reid. Science, January 2010.
George Church (Personal Genome Project)
![Page 8: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/8.jpg)
8
Steven Pinker (PGP-10)
![Page 9: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/9.jpg)
9
Dystopia
Personalized Medicine
![Page 10: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/10.jpg)
10
Secure Two-Party Computation
AliceBob
Bob’s Genome: ACTG…Markers (~1000): [0,1, …, 0]
Alice’s Genome: ACTG…Markers (~1000): [0, 0, …, 1]
Can Alice and Bob compute a function of their private data, without exposing anything about their data besides the result?
![Page 11: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/11.jpg)
Secure Function EvaluationAlice (circuit generator) Bob (circuit evaluator)
Garbled Circuit Protocol
Andrew Yao, 1982/1986
![Page 12: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/12.jpg)
Yao’s Garbled CircuitsInputs Output
a b x0 0 00 1 01 0 01 1 1
AND
a b
x
![Page 13: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/13.jpg)
Computing with Meaningless Values?Inputs Output
a b xa0 b0 x0
a0 b1 x0
a1 b0 x0
a1 b1 x1
AND
a0 or a1 b0 or b1
x0 or x1
ai, bi, xi are random values, chosen by the circuit generator but meaningless to the circuit evaluator.
![Page 14: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/14.jpg)
Computing with Garbled TablesInputs Output
a b xa0 b0 Enca0,b0(x0)a0 b1 Enca0,b1(x0)a1 b0 Enca1,b0(x0)a1 b1 Enca1,b1(x1)
AND
a0 or a1 b0 or b1
x0 or x1
ai, bi, xi are random values, chosen by the circuit generator but meaningless to the circuit evaluator.
Bob can only decrypt one of these!
Garbled And Gate
Enca0, b1(x0)Enca1,b1(x1)Enca1,b0(x0)Enca0,b0(x0)
![Page 15: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/15.jpg)
And Gate
Enca0, b1(x0)Enca1,b1(x1)Enca1,b0(x0)Enca0,b0(x0)
Garbled Circuit ProtocolAlice (circuit generator)
Sends ai to Bob based on her input value
Bob (circuit evaluator)
How does the Bob learn his own input wires?
![Page 16: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/16.jpg)
Primitive: Oblivious TransferAlice Bob
Oblivious Transfer Protocol
Oblivious: Alice doesn’t learn which secret Bob obtainsTransfer: Bob learns one of Alice’s secrets
Rabin, 1981; Even, Goldreich, and Lempel, 1985; many subsequent papers
![Page 17: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/17.jpg)
17
Chaining Garbled Circuits
AND
a0 b0
x0
AND
a1 b1
x1
ORx2
And Gate 1
Enca10, b11(x10)Enca11,b11(x11)Enca11,b10(x10)Enca10,b10(x10)
Or Gate 2
Encx00, x11(x21)Encx01,x11(x21)Encx01,x10(x21)Encx00,x10(x20) …
We can do any computation privately this way!
![Page 18: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/18.jpg)
18
Threat Model
Semi-Honest (Honest But Curious) AdversaryAdversary follows the protocol as specified (!)Curious adversary tries to learn more from protocol execution transcript
Garbled Circuits security proofs depend on this very weak model
General techniques for converting protocols secure in semi-honest model to resist malicious adversary.
Possibility to use software attestation to validate executing code?
Amount of information that could leak is probably small
![Page 19: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/19.jpg)
19
Building Computing SystemsEncx00, x11(x21)Encx01,x11(x21)Encx01,x10(x21)Encx00,x10(x20)
Digital Electronic Circuits Garbled Circuits
Operate on known data Operate on encrypted wire labels
One-bit logical operation requires moving a few electrons a few nanometers (hundreds of Billions per second)
One-bit logical operation requires performing (up to) 4 encryption operations(~100,000 gates per second)
Reuse is great! Reuse is not allowed!
All basic operations have similar cost Some logical operations “free” (XOR, NOT)
![Page 20: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/20.jpg)
20
Fairplay
Dahlia Malkhi, Noam Nisan, Benny Pinkas and Yaron Sella [USENIX Sec 2004]
SFDL Program
SFDL Compiler
Circuit (SHDL)
Alice Bob
Garbled Tables Generator
Garbled Tables Evaluator
SFDL Compiler
![Page 21: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/21.jpg)
21
(Un)Fairplay?An alternative approach to our protocols would have been to apply Yao’s generic secure two-party protocol to the recognition algorithm. This would have required expressing the algorithm as a circuit which computes and compares many Hamming distances, and then sending and computing that circuit. … We therefore believe that the performance of our protocols is significantly better than that of applying generic protocols.Margarita Osadchy, Benny Pinkas, Ayman Jarrous, Boaz Moskovich.
SCiFI – A System for Secure Face Identification. Oakland 2010.
Protocol 1 (generic SMC) is very fast. Protocol 1 is ideal for small strings because the entire computation is performed in one round, but the circuit size is extremely large for longer strings. Our prototype circuit compiler can compile circuits for problems of size (200, 200) but uses almost 2 GB of memory to do so. Significantly larger circuits would be constrained by available memory for constructing their garbled versions.
Somesh Jha, Louis Kruger, Vitaly Shmatikov. Towards Practical Privacy for Genomic Computation. Oakland 2008.
![Page 22: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/22.jpg)
22
Encx00,
x11(x21)Encx01,x11(x2
1)Encx01,x10(x2
1)
Encx20,
x21(x30)Encx21,x21(x3
0)Encx21,x20(x3
1)
Encx20,
x31(x41)Encx21,x31(x4
1)Encx21,x30(x4
0)
Encx40,
x31(x51)Encx41,x31(x5
0)Encx41,x30(x5
0)
Encx40,
x51(x61)Encx41,x51(x6
0)Encx41,x50(x6
0)
Encx30,
x61(x71)Encx31,x61(x7
0)Encx31,x60(x7
1)
Faster Garbled CircuitsCircuit-Level Application
GC Framework(Evaluator)
GC Framework (Generator)
Circuit StructureCircuit Structure
x41
x21x31
x60
x51
x71
Gates can be evaluated as they are generated: pipeliningGates can be evaluated in any topological sort order: parallelizing
Garbled evaluation can be combined with normal execution
![Page 23: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/23.jpg)
23
ApplicationsPrivacy-Preserving
Biometric Matching
Private Personal
Genomics
Private Set Intersection
Private AES Encryption
![Page 24: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/24.jpg)
24
Heterozygous Recessive Risk
A aA AA Aaa aA aa
AliceBo
b
cystic fibrosis
carrier
Goal: find the intersection of A and B
Alice’s Heterozygous Recessive genes: { 5283423, 1425236, 839523, … } Bob’s Heterozygous Recessive genes: { 5823527, 839523, 169325, … }
![Page 25: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/25.jpg)
25
Bit Vector IntersectionAlice’s Recessive genes:
{ 5283423, 1425236, 839523, … } Bob’s Recessive genes:
{ 5823527, 839523, 169325, … }
[ 0, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0] [ 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0]
[ PAH, PKU, CF, … ]
ANDANDAND . . . Bitwise AND
. . .
![Page 26: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/26.jpg)
26
Scaling
What if there are millions of possible diseases?Length of bit vector:
number of possible values (2L where L is number of bits for each value)
Other private set intersection problems: Do Alice and Bob have any friends in common? Data mining problems: combine medical records across hospitals Two companies want to do joint marketing to common customers
![Page 27: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/27.jpg)
27
Pairwise Comparisonrandomly permute Arandomly permute Bfor i in range(0, n-1): for j in range(0, n-1): if A[i] = B[j] output A[i]
A[0] A[1] A[2] A[3]
B[0] B[1] B[2] B[3]
n2 comparisons
data-oblivious algorithm
![Page 28: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/28.jpg)
28
Short-Circuit Pairwise Comparison
for i in range(0, n-1): mask[i] = falsefor i in range(0, n-1): for j in range(0, n-1): if not mask[i] and A[i] = B[j]: reveal A[i] to both mask[i] = true break
![Page 29: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/29.jpg)
29
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 10
1000
2000
3000
4000
5000
6000
7000
8000
9000
10000
Short-Circuit AnalysisN
umbe
r of G
arbl
ed E
qual
Circ
uits
(n
= 1
00)
Fraction of Input Set in Intersection
½ of elements joint: save 43% of effort
![Page 30: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/30.jpg)
30
ScalingOther private set intersection problems: Do Alice and Bob have any friends in common? Data mining problems: combine medical records across hospitals Two companies want to do joint marketing to common customers
![Page 31: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/31.jpg)
31
Sort-Compare-Shuffl
e
Sort: Take advantage of total order of elements
Compare adjacent elements
Shuffle to hide positions
![Page 32: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/32.jpg)
32
Sort-Compare-Shuffl
e
Sort: Take advantage of total order of elements
Compare adjacent elements
Shuffle to hide positions
![Page 33: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/33.jpg)
33
Bito
nic
Sorti
ng1
4
9
7
5
4
3
2
1
5
4
4
3
9
2
7
1
3
2
4
5
9
4
7
1
2
3
4
4
5
7
9
1
2
3
4
4
5
7
9
![Page 34: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/34.jpg)
CMPFilter
CMPFilter
CMPFilter …
![Page 35: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/35.jpg)
CMP3Filter
CMP3Filter
CMP3Filter
![Page 36: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/36.jpg)
36
Can’t reveal results yet! Position leaks information.
![Page 37: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/37.jpg)
37
Oblivious Shuffling
Homomorphic Encryption Shuffling ProtocolAdd random mask, permute, exchange and reveal
ExpensiveSort
Simple…but expensiveRandom Permutation
![Page 38: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/38.jpg)
38
Journal of the ACM, January 1968
![Page 39: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/39.jpg)
39
I do not imagine that many of the Turing lecturers who will follow me will be people who were acquainted with Alan Turing. … Although a mathematician, Turing took quite an interest in the engineering side of computer design… Turing’s contribution to this discussion was to advocate the use of gin, which he said contained alcohol and water in just the right proportions …Sir Maurice Wilkes (1913-29 Nov 2010),
Computers Then and Now (1967 Turing Award Lecture)
flickr: rolandeva
![Page 40: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/40.jpg)
40
Waksman Network
Same circuit can generate any permutation: select a random permutation, and pick swaps
![Page 41: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/41.jpg)
41
Private Set Intersection Protocol
FreeGates to generate and evaluate
![Page 42: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/42.jpg)
42
Private Set Intersection Results
128 256 512 1024 2048 4096 81920
20
40
60
80
100
120
140
Seco
nds
Set Size (each set)
32-bit values
![Page 43: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/43.jpg)
43
Some Other ResultsProblem Best Previous Result Our Result Speedup
Hamming Distance (Face Recognition, Genetic Dating) – two 900-bit vectors
213s [SCiFI, 2010]
0.051s 4176
Levenshtein Distance (genome, text comparison) – two 200-character inputs
534s [Jha+, 2008]
18.4s 29
Smith-Waterman (genome alignment) – two 60-nucleotide sequences
[Not Implementable] 447s -
AES Encryption 3.3s [Henecka, 2010]
0.2s 16.5
Fingerprint Matching (1024-entry database, 640x8bit vectors)
~83s [Barni, 2010]
18s 4.6
Scalable: 1 Billion gates evaluated at ~100,000 gates/second on laptop
NDS
S 20
11U
SEN
IX S
ecur
ity 2
011
![Page 44: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/44.jpg)
44
Demo!
Private Set Intersection
on Android Devices
http://MightBeEvil.com/mobile/Peter Chapman and Yan Huang
![Page 45: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/45.jpg)
45
Yan Huang(UVa Computer Science PhD Student)
Jonathan Katz(University of Maryland)
Aaron Mackey(UVa Public Health Genomics)
Funding: NSF, MURI (AFOSR) Android toys: Google
Peter Chapman(UVa BACS 2012)
Lior Makla(UMd / Intel)
![Page 46: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/46.jpg)
46
David [email protected]://www.cs.virginia.edu/evans
Much of the early engineering development of digital computers was done in universities. A few years ago, the view was commonly expressed that universities had played their part in computer design, and that the matter could now safely be left to industry. I do not think that it is necessary that work on computer design should go on in all universities, but I am glad that some have remained active in the field. Apart from the obvious functions of universities in spreading knowledge, and keeping in the public domain material that might otherwise be hidden, universities can make a special contribution by reason of their freedom from commercial considerations, including freedom from the need to follow the fashion.
Sir Maurice Wilkes (June 1913-Nov 2010), 1967 Turing Award Lecture
![Page 47: Secure Computation in the Real( ish ) World](https://reader034.vdocument.in/reader034/viewer/2022051423/5681694c550346895de0e7f3/html5/thumbnails/47.jpg)
47
Shameless Plug
www.computingbook.org