wysteria: a programming language for generic, mixed-mode multiparty computations aseem rastogi...
TRANSCRIPT
Wysteria: A Programming Language for Generic, Mixed-Mode Multiparty
Computations
Aseem RastogiMatthew Hammer, Michael Hicks
(University of Maryland, College Park)
What is Secure Multiparty Computation(SMC)
A B
Compute f(A, B)
Without revealing A to Bob and B to Alice
Using a Trusted Third Party
A B
A B
f(A, B) f(A, B)
Compute f(A, B)
Without revealing A to Bob and B to Alice
SMC Eliminates Trusted Third Party
A B
Compute f(A, B)
Without revealing A to Bob and B to Alice
Cryptographic Protocol
SMC Examples
Private Data
Nearest neighbor Locations
Auction Bids
Private set intersection Sets
Statistical computation Numbers
Beyond Toy SMC Examples
• Online card games• SMC to deal cards
• Dice-based games• SMC to roll dice
Monolithic Secure Multiparty Computation
f(A, B)
A B f(A, B)
Not Enough !
Mixed-Mode Secure Multiparty Computation
f(A, B)
A B f(A, B)
g(A1, B1)
A1 B1 g(A1, B1)… …
h(A2, B2)
A2 B2 h(A2, B2)
… LocalLocal
…
Loca
lLo
cal
Secure State Secure State
State Of The Art: Existing SMC Languages
• Fairplay, FairplayMP, CBMC-GC– Only “circuit compilers”– No mixed-mode– No secure state
• L1– Only 2-party, low level– No formal guarantees
• FastGC– Circuit library, only 2-party
None supports generic programs(parametric in number of parties)
Our Goal
Push SMC beyond toy applications
Design an SMC Language
• Local and secure computations• High-level support for secure stateMixed-Mode
• Code parametric in number of partiesGeneric
• Single specification• Runtime compilation to circuitsHigh-level
• Statically typed, sound• CompositionalGuarantees
A High-level Functional Language to writeMixed-Mode Generic SMCs
Implementation and examples available at:
http://ter.ps/wysteria
Developing Online Poker using Wysteria (almost there …)
Goes Without Saying, Wysteria Has It All !
Demo(coming
up)
Wysteria by Examples: Two-party Millionaire’s*
let a = read() in
let b = read() in
let o = a > b in
o
par(A)
par(B)
sec(A,B)
*The example in this form does not type check in Wysteria.
Single specification
A and B run the same program
Compute who is richer among A and B
Wysteria by Examples: Two-party Millionaire’s
let a = read() in
let b = read() in
let o = a > b in
o
par(A)
par(B)
sec(A,B)
A’s Local Computation
(Skipped by B)
Computation modes
Wysteria by Examples: Two-party Millionaire’s
let a = read() in
let b = read() in
let o = a > b in
o
par(A)
par(B)
sec(A,B)
A’s Local Computation
B’s Local Computation
(Skipped by A)
Wysteria by Examples: Two-party Millionaire’s
let a = read() in
let b = read() in
let o = a > b in
o
par(A)
par(B)
sec(A,B)
A’s Local Computation
B’s Local Computation
Secure Computation by (A,B)
let a = read() in
let b = read() in
let o = a > b in
o
par(A)
par(B)
sec(A,B)
A’s Local Computation
B’s Local Computation
Secure Computation by (A,B)
Runtime compiles it to boolean circuit, and evaluates using secure computation
No communication primitives !
Wysteria by Examples: Two-party Millionaire’s
Key Ideas
Mixed-Mode Computations via Mode Annotations
Wysteria by Examples: Asymmetric Output
let a = read() in
let b = read() in
let o = a > b in
o
par(A)
par(B)
sec(A,B)
What if only A is allowed to know the output ?
Wysteria by Examples: Asymmetric Output
let a = read() in
let b = read() in
let o = wire A:(a > b) in
o
par(A)
par(B)
sec(A,B)
What if only A is allowed to know the output ?
Wire Bundle
Wire Bundles in Wysteria
• Maps from parties to values• Each party sees only its own component in the bundle– Or nothing if it’s not in the domain
• Wire bundles are dependently typed
• Create wire A:0 : W {A} nat• Concat (wire A:0)++(wire B:1) : W {A U B} nat• Project (wire A:0)[A] : nat
Wysteria by Examples: Inputs Via Wire Bundles
let a = read() in
let b = read() in
let w1 = wire A:a inlet w2 = wire B:b inlet w3 = w1 ++ w2 in
let o = wire A:(w3[A] > w3[B]) in
o
par(A)
par(B)
sec(A,B)
let a = read() in
let b = read() in
let w1 = wire A:a inlet w2 = wire B:b inlet w3 = w1 ++ w2 in
let o = wire A:(w3[A] > w3[B]) in
o
Wysteria by Examples: Wire Bundle Views
A’s View B’s View sec(A,B)’s View
w1 {A:a} {} {A:a}
w2 {} {B:b} {B:b}
w3 {A:a} {B:b} {A:a,B:b}
par(A)
par(B)
sec(A,B)
Key Ideas
Wire Bundle Abstraction for Private Inputs/Outputs Mixed-Mode Computations via Place Annotations
let mill = λx:W {A U B} nat . let o = x[A] > x[B] in
oinlet a = read () in
let b = read () in
mill (wire A:a ++ wire B:b)
sec(A,B)
Wysteria by Examples: Functions
par(A)
par(B)
So Far We Have Seen …
• Mixed-Mode support via mode annotations
• Wire Bundles abstraction for private data
• Now: Writing Generic Code in Wysteria
Parties As First Class Values
• Parties are values of type ps φ• Refinement types for more precise invariants
• {A} : ps {ν = A}• {A} : ps {ν A U B}
Wysteria by Examples: Generic Millionaire’s
sec(x)
let comb = λx:ps . λy:W x nat. λa:ps option . λp:ps .
λn:nat match a with
| None => Some(p) | Some(q) => if y[q] > n then a else Some(p)inlet mill = λx:ps . λy:W x nat . let o = wfold(y, None, comb x y) in oin …
sec(x)
Wysteria by Examples: Generic Millionaire’s
sec(x)
let comb = λx:ps . λy:W x nat. λa:ps option . λp:ps .
λn:nat match a with
| None => Some(p) | Some(q) => if y[q] > n then a else Some(p)inlet mill = λx:ps . λy:W x nat . let o = wfold(y, None, comb x y) in oin …
sec(x)
Wysteria by Examples: Generic Millionaire’s
sec(x)
let comb = λx:ps . λy:W x nat. λa:ps{ν x} option.λp:ps{ν
x}.λn:nat match a with
| None => Some(p) | Some(q) => if y[q] > n then a else Some(p)inlet mill = λx:ps . λy:W x nat . let o = wfold(y, None, comb x y) in oin …
sec(x)
Key Ideas
Generic Code:1. Parties as First Class Values2. Wire Bundle Combinators (e.g. wfold)
Wire Bundle Abstraction for Private Inputs/Outputs Mixed-Mode Computations via Place Annotations
Wysteria Metatheory
• Formalized using λ-calculus with extensions
• Dependent type system
• Two operational semantics:– Single-threaded (SIMD style specification)– Multi-threaded (actual protocol runs)– Slicing judgment from single- to multi-threaded
Wysteria Theorems*
• Type soundness (progress and preservation) in single-threaded semantics
• Sound simulation:
C1 C2
π1
π2
… *
Single-threaded
Multi-threaded
slice operation *Proofs in Technical Report
Wysteria Implementation
We use GMW Implementation from Choi et. al.
Wysteria EvaluationApplication n-Party ? Mixed-Mode ? Secure state ?
Millionaire’s Yes No No2nd Price auction Yes No No
PSI 2-party Yes NoNearest neighbor Yes No No
Median 2-party Yes NoPSI count 2-party Yes Yes
2-round bidding Yes Yes Yes
Online poker Yes Yes Yes
Wysteria Code for Card Dealing let retryloop = fix retryloop: (tmp5:unit) -> W tgt nat. (tmp5:unit). let myrand = \(z:unit).rand () in let rs = wapp x [wire x:(); wire x:myrand] in let res = check rs in if res.#success then let nd = select ndealt[0] in let _ = update dealt [nd] <- res.#sum in let _ = update ndealt [0] <- nd + 1 in let card @ sec(x) = let s = combsh (res.#sum) in wire tgt:s in card else retryloop () in retryloop () in wcopy as x from w in { #deal : deal }in
Secure computation
Local computation
Secret shares
let rand = \(myunit:unit). sysop rand 52 inlet mkdeal = \(x:ps{true}). let zerosh @ par(x) = let zerosh1 @ sec(x) = makesh 0 in zerosh1 in let dealt @ par(x) = array [ 52 ] of zerosh in let ndealt @ par(x) = array [ 1 ] of 0 in let deal = \(tgt:ps{singl and subeq x}). let w @ par(x) = let check = \(rs:W x nat). let nd = select ndealt[0] in let sum @ sec(x) = let s = wfold x [rs; 0; \(n1:nat).\(p:ps{true}).\(n2:nat). n1 + n2 ] in let s1 = wfold x [wire x:(); s; \(n1:nat).\(p:ps{true}).\(n2:unit). if n1 > 51 then n1 - 51 else n1 ] in makesh s1 in let checkloop = fix checkloop:(i:nat) -> {#sum:Sh x nat, #success: bool}. (i:nat). if i = nd then {#sum:sum, #success:true} else l2et sd = select dealt[i] in let cmp @ sec(x) =
let t1 = combsh sd inlet t2 = combsh sum int1 = t2
in if cmp then
{#sum:sum, #success:false} else
checkloop (i + 1) n
checkloop 0 in
Demo
• (Card dealing using Wysteria)
• Future Work: Integrate with bitcoin for betting
(c.f. Secure Multiparty Computation on BitCoin, Andrychowicz et. al.)
Also In The Paper …
• Support for secure state• More language features – Mutable state (interesting interaction with mixed-
mode)– Additional wire bundle combinators
• Performance evaluation• Complete proofs in TR
Wysteria Summary
http://ter.ps/wysteria
Implementation and examples available at:
A High-level Functional Language to writeMixed-Mode Generic SMCs