Fairplay – A Secure Two-Party Computation System Yaron Sella Hebrew University of Jerusalem

Usenix Security 2004 Slide 1

Fairplay – A Secure Two-Fairplay – A Secure Two-Party Computation System Party Computation System

Yaron SellaYaron SellaHebrew University of JerusalemHebrew University of Jerusalem

Joint work with Dahlia Malkhi, Joint work with Dahlia Malkhi, Noam Nisan, and Benny PinkasNoam Nisan, and Benny Pinkas

Project team: Ziv Balshai, Amir Levy, Project team: Ziv Balshai, Amir Levy, Dudi Einey, ODudi Einey, Ori Pelegri Peleg

Slide 2Usenix Security 2004

Outline

• SFE – Secure Function Evaluation• Goals• Fairplay

– Fairplay computation overview– Demo (SFDL & SHDL examples) – Bob/Alice two party SFE– Experiments


SFE - Secure Function Evaluation

• Started with Yao’s seminal paper (1986 - almost 20 years ago!)

• Allows several parties to perform a joint computation, that in real life requires a trusted party, using cryptographic tools only (i.e., the trusted party is not needed!)

• Theoretical significance only?• We focus on 2-party SFE


SFE Example - Millionaires’ Problem

$ X $ Y

?

<

=

>

Secure Function

EvaluationProtocol


General Structure of Yao’s Protocol

• Represent f(x,y) as a Boolean circuit• Bob “garbles” the circuit:

wire, assigns random values instead of 0/1 gate, constructs a “secure” truth table

• Bob sends to Alice the tables and garbled versions of his input

• Alice uses oblivious transfer to obtain garbled versions of her input and uses them to compute the output of the circuit


Goals

• Answer some basic questions on SFE:– Is two-party SFE practical?– Obtain actual measurements of overall computation:

How much time is needed to solve the Millionaires’ problem? The Billionaires’ problem?

• Better understanding of SFE computation:– Where are the bottlenecks?– Computation versus communication

• Test-bed for various optimizations


Fairplay Computation Overview (1)

Bob AliceGUI

SFDL program (a file)

SFDL Compiler + Circuit optimizer

SFDL Compiler + Circuit optimizer

SHDL circuit

SHDL circuit

(a file) (a file)

Off-line

SHDL Parser SHDL Parser

Circuit Circuit(Java obj.) (Java obj.)

On-line SFE



Bob Alice

m x Circuit garbler

Circuits send Circuits receive

Circuit Circuit(Java obj.) (Java obj.)

Garbled circuits (Java obj.)

Circuit chooseRead Integer

Reveal secrets Circuits verify



Bob Alice

Input + input send Input receive

Input

OT chooserOT sender

Circuit evaluatorOutput

Output


Outline

SFE – Secure Function EvaluationGoalsFairplay

Fairplay computation overview– Demo (SFDL & SHDL examples) – Bob/Alice two party SFE– Experiments


The Compilation Paradigm

• SFDL (Secure Function Definition Language) - High-level programming language for the func. to be evaluated in the trusted party model– Allows clear, formal, easily understandable

definition and requirements by humans • SHDL (Secure Hardware Definition Language) -

Low-level language describing Boolean circuits• “Obliviousness-aware” SFDL SHDL compiler• The compiler also produces an I/O format file


SFDL Exampleprogram Millionaires { type int = Int<4>; // 4-bit integer type AliceInput = int; type BobInput = int; type AliceOutput = Boolean; type BobOutput = Boolean; type Output = struct {AliceOutput alice, BobOutput bob}; type Input = struct {AliceInput alice, BobInput bob};

function Output output(Input input) { output.alice = input.alice > input.bob; output.bob = input.bob > input.alice; }}


SFDL Properties

• Conventional syntax (C/Pascal-like)• Type system – Boolean, integer, enumerated• Program structure

– Declarations: global constants, types– Sequence of functions (no nesting [C], no recursion)– Function name is its return value [Pascal]

• Conditional execution and loops– if-then, if-then-else statements, For-loop

• Assignments and expressions– constants, variables, array entries, structure items, function

calls, operators (+, -, logical, comparison), parenthesis


SHDL Example (1)

0 input //output$input.bob$01 input //output$input.bob$12 input //output$input.bob$23 input //output$input.bob$34 input //output$input.alice$05 input //output$input.alice$16 input //output$input.alice$27 input //output$input.alice$38 gate arity 2 table [ 1 0 0 0 ] inputs [ 4 5 ]9 gate arity 2 table [ 0 1 1 0 ] inputs [ 4 5 ]


SHDL Example (2)

10 gate arity 2 table [ 0 1 0 0 ] inputs [ 8 6 ]11 gate arity 2 table [ 1 0 0 1 ] inputs [ 8 6 ]12 gate arity 2 table [ 1 0 0 1 ] inputs [ 10 7 ]13 gate arity 2 table [ 0 0 0 1 ] inputs [ 4 0 ]14 gate arity 3 table [ 0 0 0 1 0 1 1 1 ] inputs [ 13 9 1 ]15 gate arity 3 table [ 0 0 0 1 0 1 1 1 ] inputs [ 14 11 2 ]16 gate arity 2 table [ 0 1 1 0 ] inputs [ 12 3 ]17 gate arity 2 table [ 0 1 1 0 ] inputs [ 15 16 ]18 output gate arity 1 table [ 0 1 ] inputs [ 17 ]…


SHDL Properties

• Each line is a circuit component, i.e: – An input bit, or– A Boolean gate with a given truth-table

and input wires• Circuit wiring is based on line numbers • The compiler produces gates of arity 1,2,3// Comments are ignored (even though the

compiler generated them)


The Format File

• Enables the input bits to be specified and the output bits to be presented in a user-friendly format

• Format file example:Bob input integer "input.bob" [0 1 2 3]Alice input integer "input.alice" [4 5 6 7]Alice output integer "output.alice" [18]Bob output integer "output.bob" [29]

• Bob’s input bits should be read from the user as an integer


The SFDL SHDL Compiler

Compiler’s sequence of steps:• Parsing• Function inlining and loop unfolding

(obliviousness!)• Transformation into single bit operations• Array access handling (cost = O(n) gates)• Single variable assignment• Optimizations: local code optimization, duplicate

code removal, dead code elimination


Bob-Alice 2-Party SFE – Overview (1)

• Input: C = circuit in SHDL• Cut-and-Choose:

– Bob parses C into m garbled circuits, and sends them to Alice. Alice also parses C.

– Alice chooses one circuit for evaluation - GC– Bob exposes secrets of all garbled circuits except GC– Alice verifies all exposed garbled circuits– Catches cheating with probability 1-1/m

• Bob sends his inputs for GC (Alice can’t interpret them because they are garbled)


Bob-Alice 2-Party SFE – Overview (2)

• Oblivious Transfer: Alice obtains her inputs for GC from Bob using a single OT per each Alice input bit (Alice = chooser, Bob = sender)

• Alice evaluates GC• Alice interprets her outputs (she can’t interpret

Bob’s outputs, because they are garbled)• Alice sends to Bob his outputs• Bob interprets his outputs


Garbled Circuit Preparation (by Bob)

x | y | out0 | 0 | b00 | 1 | b11 | 0 | b21 | 1 | b3

Wi Wj

Wk

vk0

vk1

x | y | out0 | 0 | vk

b0 0 | 1 | vk

b1 1 | 0 | vk

b2 1 | 1 | vk

b3

GTT

x | y | output0 | 0 | E(vk

b0) 0 | 1 | E(vk

b1) 1 | 0 | E(vk

b2) 1 | 1 | E(vk

b3)

EGTT

E(vkb0): SHA-1(vi

0, vj0 , k) vk

b0

E(vkb1): SHA-1(vi

0, vj1 , k) vk

b1

E(vkb2): SHA-1(vi

1, vj0 , k) vk

b2

E(vkb3): SHA-1(vi

1, vj1 , k) vk

b3

vi0, vi

1 vj0, vj

1 PEGTT

Permute rows


Garbled Circuit Evaluation (by Alice)vi vj

outputvk

’ vk

’’ vk

’’’ vk

’’’’

PEGTT

vk

2. D (vk’ ): SHA-1 (vi , vj

, k) vk’ ( = vk)

1. Try decrypting each entry

Note that

1. Alice doesn’t learnany other table entry.

2. Alice doesn’t learn ifentry and wire valuescorrespond to 0 or 1.


EGL 1-out-of-2 Oblivious Transfer (OT12)

Sender (Bob) Chooser (Alice)

1. PK0, PK1

Encrypt: M0 with PK0 (= E0) M1 with PK1 (= E1)

2. E0, E1

M0, M1 Bit b

3. Decrypt E0 or E1

(s.t. only one of PK0, PK1 can be a “real” PK)


OT12 (EGL Paradigm with El-Gamal)

• Input: chooser - a bit σsender - two strings M0, M1

• Output: chooser - Mσ

• Preliminaries: Zq is a sub-group of order q of Zp*,

p,q are primes, and q | (p-1). Let g be a generator of Zq . H is a random oracle.

• Initialization: the sender publishes C, a random element in Zq (whose discrete log to the base g is unknown by the chooser).


OT12 Interactive Protocol

Sender (Bob) Chooser (Alice)

1. Picks random k in [1,q], and sets public keys: PKσ = gk, PK1-σ = C / PKσPK0

2. Computes PK1 = C / PK0, chooses random r0,r1 in Zq, El-Gamal encrypts: E0 = {gr0 , H(PK0

r0) ^ M0}, E1 = {gr1 , H(PK1

r1) ^ M1} E0, E1

M0, M1 σp, q, g, H, C

3. Computes H((grσ)k) = H(PKσrσ)

and uses it to decrypt Mσ

Note: NP01 variant (in RO model)


Experiments: Implementation & Setup

• Code written in Java• Communication: TCP/IP (Java sockets)• Crypto: Java BigInteger libraries, SHA1 as RO• Two communication scenarios

LAN – 617.8 MBPS, latency 0.4 msWAN (USA, Israel) – 1.06 MBPS, latency 237.0 ms

• Two PCs – 2.4 GHz• Parameters: |p|=1024, |q|=160, m=2• Results: 100 repetitions (compilation excluded)


Experiments – The Four FunctionsFunction Number of circuit gates

Total Inputs Alice Inputs

AND 32 16 8Billionaires 254 64 32

Keyed DB search 1229 486 6Median 4383 320 160

AND - a very simple circuitKeyed DB - small number of inputs for AliceMedian – biggest circuit


Experiments – Results Highlights

• Billionaires’ problem:– LAN: 1.25 seconds, WAN: 4.01 seconds

• Communication versus computation:– Percentage of delay due to communication

LAN: up to 42%, WAN: up to 77%• Optimizations speed up factor:

– WAN communication batching: up to 8.8!– Same gr mod p OT variant [NP01]: 1.3

• LAN WAN slowdown: up to 6.9


Experiments – WAN Detailed Results

IP – Initializations and ParsingCC – Circuits communicationOTs – Oblivious TransfersEV – Evaluation of circuitEET –Elapsed Execution Time

Function WAN CommunicationIP (%) CC (%) OTs (%) EV (%) EET(sec)

AND 0.2 58.4 41.4 0.0 2.57Billionaires 0.8 45.2 53.9 0.1 4.01Keyed DB 5.9 64.3 29.4 0.4 3.38

Median 4.7 45.8 49.2 0.3 16.63


Experiments – LAN Detailed Results

IP – Initializations and ParsingCC – Circuits communicationOTs – Oblivious TransfersEV – Evaluation of circuitEET –Elapsed Execution Time

Function LAN CommunicationIP (%) CC (%) OTs (%) EV (%) EET(sec)

AND 1.5 18.8 79.5 0.2 0.41Billionaires 3.2 5.4 91.1 0.3 1.25Keyed DB 40.4 2.8 54.1 2.7 0.49

Median 13.2 7.2 78.7 0.9 7.09


Future directions

• Better understanding of experiments’ results• Improving the compiler (C ?)• New features

– fair termination• Optimizations

– Batch inversion (BS02)– Extending OTs (IKNP03)

• Real applications & products(www.cs.huji.ac.il/labs/danss/Fairplay)

Documents

Fairplay – A Secure Two-Party Computation System Yaron Sella Hebrew University of Jerusalem