Embed Size (px)
Citation preview
The Fusion of Secure Function Evaluationand Logic Synthesis
Siam U. Hussain, M. Sadegh Riazi, and Farinaz Koushanfar University of California, San Diego
Secure Function Evaluation (SFE) requires the underlying function to be compiled to a Boolean logic circuit.Designing custom SFE compilers has been an active research area. However, intelligent adaptation of the IntegratedCircuits (IC) synthesis tools outperforms these compilers. It is time for the custom compilers to embrace this trend.
IN the era of big data, ensur-ing privacy of sensitive content is
a standing challenge. While severalheuristic methodologies for privacy-preserving computing have been sug-gested, due to the large space of pos-sible breaches, it is hard to assuretheir resilience. Solutions based onprovably secure cryptographic prim-itives hold a promise to provide pri-vacy guarantees within the standardsecurity model.
Netlist
F (. , .)
Output Output
Data DataGC/ GMW
Fig. 1: Outline of the GC Protocol.
In 1986, the seminal work [1]by Yao introduced the Secure Func-tion Evaluation (SFE) protocol namedGarbled Circuit (GC) that allows anypolynomial time two-party functionto be computed efficiently withoutrevealing the private inputs. The fol-lowing year, a different approach toSFE was proposed in the Goldreich-Micali-Wigderson (GMW) [2] proto-col. Over the years many subsequentenhancements made Yao‘s protocoltruly practical, while the GMW pro-tocol has also been shown to be ef-fective in some scenarios. A common
property of both these protocols isthat the underlying function is rep-resented as a Boolean circuit, calleda netlist. The secure computation isperformed in a way such that theBoolean value associated with eachwire in the netlist is shared amongthe two parties. Only for the outputwires, the parties reveal their respec-tive shares to learn the values associ-ated with them. The key elements ofthese protocols are outlined in Fig 1.
One of the most crucial parts ofexecuting a function through eitherGC or GMW is converting the behav-ioral description of the function to thenetlist. On the one hand, several cus-tom compilers supporting (or design-ing) various programming languageshave emerged for addressing this is-sue. However, such custom compilershave been shown to have reliabilityissues and limitations in global op-timization. On the other hand, tech-niques for interpreting a behavioraldescription in a Boolean format arewidely researched for designing dig-ital integrated circuits (IC). Designautomation for the purpose of ICdesign is a true engineering successstory; the tools have enabled us toscale our chips to billions of gates tosupport complicated tasks. There isa wide gap between the capabilitiesof conventional IC design automationtools to compile sophisticated func-tions and what could be achieved bythe custom SFE compilers.
Our work in this area, called Tiny-Garble [3] bridges this gap by for-mulating GC netlist generation as anatypical circuit synthesis task whichcan be addressed and scaled withstandard IC logic synthesis tools.Following the path of TinyGarble,Demmler et. al. showed that a similarapproach also greatly enhances theperformance of circuit generation forthe GMW protocol [4]. In this paper,we summarize the recent advancesfollowing the paradigm shift intro-duced by TinyGarble and severalnovel applications that are enabledby connecting these two seeminglyseparate but synergistic technical ar-eas. We start with a brief overviewof the GC and GMW protocols, be-fore delving into the details of circuitconstruction and synthesis by designautomation tools along with excitingnew results. We also provide a shorthistory of the development of customSFE compilers.
What is Garbled Circuit?Formally, Yao’s GC allows two par-ties Alice and Bob to jointly computea function z = F(xa, xb) on theirprivate inputs xa from Alice and xb
from Bob. The netlist of the functionF consists of 2-input 1-output logicgates. Alice, assigns each wire in thenetlist with two k-bit random keyscorresponding to the values 1 and 0.For each gate, a garbled truth tableis constructed by encrypting the keys
1986 2010 2011 2012 2013 20152009 2014 20162004
Yao GC Protocol[Yao, FOCS]
Billion gates SFE[KSS, USENIX]
SFE in ANSI C[HFAK, CCS]
FastGC[HEKM, USENIX]
VMCrypt [Malka, CCS]
TASTY [HKSSW, CCS]
GC for One-Time Prog.[JKS, CHES]
FairPlay[MNPS, USENIX]
2-Party SFE is practical[PSNW, AISACCS]
PCF[KSMB, USENIX]
SFE on GPU[HMSG, ACSAC]
Fixed Key Cipher[BHKR, USENIX]
SFE on GPU [PL, ePrint]
SFE on GPU[FN, ACNS]
Circuit Structures[ZE, S&P]
RAM-Model[LHSHK, S&P]
Mobile phone HW tokens[DSZ, USENIX]
CBMC-GC[FHKSV, CC]
GarbledCPU[SDZSSK, DAC]
Frigate [MGCBT, Euro S&P]
Crypto Primitives
LibraryHardwareCompiler
Logic Synthesis
Legends
1999
Row Reduction[NPS, EC]
2008
Free XOR[VT, ICALP]
TinyGarble[SHSSK, S&P]
Obliv-C [ZE, ePrint]
ObliVM [LWNHS, S&P]
Logic Synthesis for GMW [DDKSS, CCS]
Half Gate[ZRE, TACT]
Fig. 2: Most impactful works on Yao’s garbled circuit (GC) over the years.
for the output with the correspond-ing input keys. Next, she sends thegarbled tables along with the keys forher input values to Bob. Bob obtainsthe keys corresponding to his inputvalues through Oblivious Transfers(OTs) that allows him to retrieve thekeys without revealing the values ofhis inputs. He then uses these inputkeys to evaluate the encrypted tablesgate by gate and decrypt the keys as-sociated with the value of each wire.However, the mapping of these keysto the actual values is known onlyto Alice. Thus together they sharethe secret value of each wire. At thefinal step, they reveal their respectiveshares for only the output wires tolearn the output z.
The original work by Yao and amajority of the subsequent enhance-ments adopt a honest-but-curious secu-rity model. In this model, both Aliceand Bob follow the agreed upon pro-tocol but may want to deduce morefrom the information at hand. Re-cent works have shown how to makeYao’s protocol secure in the malicioussecurity model where the parties maydeviate from the correct protocol.
A number of optimizations to the
GC protocol have been proposed,e.g., free-XOR [5], row reduction [6],half-gate [7], and fixed-key block ci-pher [8]. Among these, the mostimportant one is free-XOR as it al-lows the evaluation of XOR, XNORand NOT gates without costly cryp-tographic encryption and communi-cation. Therefore, the primary opti-mization goal while generating thenetlist for F is to minimize thenumber of non-XOR gates (AND, OR,NAND, etc.). Row-reduction and half-gate optimizations reduce the size ofthe garbled tables for non-XOR gatesby 25% each.
GMW and BMR ProtocolsIn the GMW protocol, the value of
each wire is split into two shares suchthat the actual value is XOR of thesetwo. Each of Alice and Bob receivesone share for each wire. Since theXOR operation is associative, they canlocally XOR their respective sharesof the input wires to compute theshares of the output wire of the XORgates. Thus this protocol naturallysupports free-XOR. For the non-XORgates, however, Alice computes theoutput of each gate for all four pos-
sible combinations of the shares ofthe input wires held by Bob, andBob receives one of them throughOT. To minimize the number of com-munication rounds, all non-XOR gatesat the same level of the netlist areevaluated in parallel. Thus, the roundcomplexity of the GMW protocol de-pends on the circuit depth, as op-posed to being constant like in theYao‘s protocol. However, in settingswith low network latency, this pro-tocol has been shown to have supe-rior performance in some cases. Moreimportantly, it scales better to prob-lems involving more than two par-ties. Even though GC was designedfor two-party computations, subse-quent enhancement has extended thisto multiparty settings, one of themost notable one being the Beaver-Micali-Rogaway (BMR) [9] protocol.
A Brief History of GC CompilersYao’s protocol drew the interest ofresearchers around the world uponits appearance in 1986. However, itwas primarily considered a theoret-ical concept until the emergence ofFairplay [10], the first realization ofGC, in 2004. Fairplay introduced the
2
Current Garbled Circuit Compilers
PAL, 2012 [1]: The primary goal of PALis to generate the netlist at runtime onmobile platform. This framework takesthe input function an SFDL program,and produces a netlist in SHDL. SFDLand SHDL were developed by the firstGC framework Fairplay [2] which isemployed by PAL to execute the SHDLnetlist. This framework does not con-sider the free-XOR optimization whilegenerating the netlist.KSS, 2012 [3] This framework pro-vides inherent security against mali-cious adversary. The input function isrepresented using a custom untypedlanguage and the output is a netlistin binary format which is executed inparallel with generation.PCF, 2013 [4]: The PCF compiler takesLCC bytecode as input (generated byLCC compiler from a C program) andgenerates the netlist in a condensedASCII format. The netlist is executedthrough the GC back-end which sup-ports run-time unrolling of the loopsinside the program.CBMC-GC, 2014 [5]: This compilersupports a general purpose language,a subset of ANSI-C. It employs abit-precise model checker, CBMC, totranslate C programs into equivalentBoolean netlist in ASCII format. This
framework provides only the compilerto generate the netlist, and not a GCback-end for execution.
Wysteria, 2014 [6]: Wysteria is a high-level programming language and com-piler that enables users to write mixed-mode programs. Such programs in-clude a mixture of local and securecomputations.
Obliv-C, 2015 [7]: The Obliv-C lan-guage is an extension of C designedto write privacy-preserving functionsfor GC. The compilation and executiontask are combined in this framework.The output is a compiled binary thatexecutes the function securely.
ObliVM, 2015 [8]: Similar to Obliv-C, this framework also combines thecompilation and execution tasks. Theinput function is written in Java andthe output is a Java class file. Thisframework supports oblivious access toarrays when the index depends on theprivate data.
Frigate, 2016 [9]: The goal of this frame-work is to generate the netlist reliablyand fast. The input function is writtenin a custom language that resembles C.The function is compiled to a netlistin a custom format which is executedthrough its own GC back-end.
REFERENCES
[1] B. Mood, L. Letaw, and K. Butler,“Memory-efficient garbled circuit genera-tion for mobile devices,” Financial Cryptog-raphy and Data Security, pp. 254–268, 2012.
[2] D. Malkhi, N. Nisan, B. Pinkas, andY. Sella, “Fairplay-secure two-party com-putation system.” in USENIX Security.USENIX, 2004, pp. 287–302.
[3] B. Kreuter, A. Shelat, and C.-H. Shen,“Billion-gate secure computation with ma-licious adversaries.” in USENIX Security.USENIX, 2012, pp. 285–300.
[4] B. Kreuter, A. Shelat, B. Mood, and K. R.Butler, “PCF: A portable circuit format forscalable two-party secure computation.” inUSENIX Security. USENIX, 2013, pp. 321–336.
[5] M. Franz, A. Holzer, S. Katzenbeisser,C. Schallhart, and H. Veith, “CBMC-GC:An ANSI C Compiler for Secure Two-PartyComputations,” in Compiler Construction.Springer, 2014, pp. 244–249.
[6] A. Rastogi, M. A. Hammer, and M. Hicks,“Wysteria: A programming language forgeneric, mixed-mode multiparty computa-tions,” in S&P. IEEE, 2014, pp. 655–670.
[7] S. Zahur and D. Evans, “Obliv-C: A lan-guage for extensible data-oblivious com-putation.” IACR Cryptology ePrint Archive,vol. 2015, p. 1153, 2015.
[8] C. Liu, X. S. Wang, K. Nayak, Y. Huang,and E. Shi, “ObliVM: A programmingframework for secure computation,” inS&P. IEEE, 2015, pp. 359–376.
[9] B. Mood, D. Gupta, H. Carter, K. Butler,and P. Traynor, “Frigate: A validated, ex-tensible, and efficient compiler and inter-preter for secure computation,” in Securityand Privacy (EuroS&P), 2016 IEEE EuropeanSymposium on. IEEE, 2016, pp. 112–127.
Secure Function Definition Language(SFDL) to write the functions. Thecompiler converted the functions toa netlist in Secure Hardware Defini-tion Language (SHDL) which is laterexecuted through the Yao’s protocol.Since then, there has been a surge inthe research on GC. A selected set ofthe most impactful works are shownon the timeline presented in Fig 2. Inthis section, we focus on the differ-ent compilers developed to performSFE through the GC protocol. A briefdescription of the frameworks is pro-vided in the inset.
Realization of a function through
GC entails two major tasks: (i) thebehavioral description of the under-lying function is compiled to a netlistof Boolean logic and (ii) the netlistis executed via a garbling back-end.In the frameworks, PCF, KSS, CBMC-GC, TinyGarble and Frigate the twotasks are independent of each other.These frameworks provide more flex-ibility to the user as the netlist com-piled by one framework can be exe-cuted by another one. Thus, the usercan choose the best framework foreach task. For example, the JustGar-ble framework [8] provided around20× speed-up to the execution task
by employing a fixed-key block ci-pher to garble the gates. This frame-work does not include the compiler.However, a netlist compiled by anyof the above mentioned frameworkscan be executed by JustGarble to ben-efit from its speed-up. In contrast tothis, in Obliv-C and ObliVM, the twotasks are unified. The outputs of theseframeworks are compiled binary ofthe function to be executed securely.For these frameworks to benefit fromthe optimization of JustGarble, thesource codes of the frameworks needto be modified.
The ABY framework [11] provides
3
a mixed-protocol that efficiently com-bines secure computation based onGC, GMW and Beavers multiplica-tion triples based on arithmetic shar-ing. Similar to Obliv-C and ObliVM,this framework treats netlist genera-tion and execution as a unified task.However, recently by Demmler et.al.have extended [4] the framework toaccept externally generated netlists.
Custom-designed compilers en-able users to write the programin a high-level language and pro-vide a more user-friendly interface.However, such customized compil-ers for secure computation intro-duce their own Domain Specific Lan-guages (DSLs) which usually haveunfamiliar syntax, thus, diminishingtheir original goal. One of the mostrecent frameworks, Frigate [12] per-formed extensive research on the reli-ability of the current frameworks andfound out that most of them sufferfrom reliability issues. For example,they reported that PAL, KSS, CMBC,Obliv-C, ObliVM, and PCF crashedon programs that should have beencompiled correctly. Moreover, KSS,ObliVM, and PCF generated incorrectnetlists. While many of these issueswere later taken care of by the respec-tive developers, this research exposeda serious reliability issue regardingthe usage of these compilers.
Fusion of SFE and Logic SynthesisConventional IC logic synthesistransforms the behavioral descriptionof a function to a netlist of Booleangates. This concept can be tracedback to as early as 1979 whenIBM first started developing theLogic Synthesis System (LSS) [13].Since then IC design automationand synthesis rose to become oneof the most successful engineeringventures, as it has uniquely enabledthe modern computing era. The logicsynthesis and other automated IC
design tools have raised designers’productivity by several orders ofmagnitude. Indeed, while the com-puting and information revolutionis mostly credited to Moore’s lawscaling, the complexity hurdle hasbeen addressed by the automateddesign tools. Contemporary tools andmethodologies enable automationof IC design, verification and testof chips across various levels ofabstraction and sophistication.
TABLE 1: Comparison of the No. ofnon-XORs of TinyGarble with Frigate
Function Frigate TG Improv.
Sum 1024 1,025 1,023 0.20%Compare 16,384 16,386 16,384 0.01%Hamming 160 719 159 77.89%Mult 32 995 993 0.20%MatrixMult5x5 32
128,252 127,225 0.80%
AES 128 10,383 6,400 38.36%
The task of generating efficientBoolean circuit (netlist) for GC issubstantially similar to logic synthe-sis. For nearly three decades thesetwo fields did not cross paths un-til the introduction of TinyGarble [3]in 2015. TinyGarble creates a set oflibraries and optimization strategiesfor industrial logic synthesis toolssuch that they can efficiently beemployed to generate an optimizednetlist for GC. At the time of its publi-cation, TinyGarble demonstrated su-periority over the existing custom GCcompilers. Recently, the Frigate [12]framework has shown to outperformall other previous compilers, exceptTinyGarble. In Table 1, the numberof non-XOR gates in selected bench-mark functions generated by thesetwo frameworks are compared. Es-sentially, the key to TinyGarble’s ef-ficiency is standing on the shouldersof a giant: IC logic synthesis. Thesynthesis tools that make TinyGarblea possibility are the same ones thatenabled the design of contemporary
ICs with billions of gates.As mentioned in the previous
section, the netlist generation andexecution of GC can be run indepen-dently in the TinyGarble framework.The GC execution of TinyGarblesupports secure two-party com-putation in the honest-but-curiousmodel. However, the capabilityof its netlist generation tool-chaingoes well beyond that. Currently,it supports netlist generation forthe realization of the BMR proto-col (github.com/cryptobiu/Semi-Honest-BMR) that supports securecomputation involving more thantwo parties, and the realizationof two-party GC in the malicioussetting provided in the EMP-Toolkit(github.com/emp-toolkit). Themethodology can easily be extendedto other GC based protocols giventhey also support disintegration ofnetlist generation and GC execution.
Inspired by TinyGarble, Demmleret. al. employed logic synthesis toolsto generate netlists for the GMW pro-tocol. Since the round complexity ofthe GMW protocol depends on thedepth of the netlist, they developed atool-chain to optimize the netlist notonly for size but also for depth. Theirwork showed a reduction of depthby up to 14% even over manuallyoptimized netlists.
Both GC and GMW involve logicgates whose functionalities are fixed(e.g., AND, OR). Therefore, bothTinyGarble and [4] employ ASIC syn-thesis tools. Dessouky et. al. [14] in-troduce protocols involving lookuptables (LUTs) which can be pro-grammed to realize arbitrary func-tions. To generate the Boolean cir-cuits, this work employs multi-inputLUT-based synthesis tools whichform the core of synthesis for FPGAs.
Note that while the logic synthe-sis tools have been shown to out-perform custom compilers in terms
4
of efficiency, development of prac-tical privacy-preserving systems re-quires consideration of several otherfactors, e.g., language expressibility,richer programming paradigms, andaccessibility to developers (please re-fer to [15] for a comprehensive studyon these factors). Perhaps the holygrail of GC compilers would be onethat combines the efficiency of logicsynthesis tools with the versatility ofprogramming languages.
Another significant contributionof [3] is introducing and leveragingthe concept of the sequential circuit toGC. We elaborate this concept next.
0.1
1
10
100
1000
10000
0
2
4
6
8
10
12
14
1 4
16
64
25
6
10
24
40
96
16
38
4
CP
U c
ycle
×1
0E6
Sequential Cycle (c)
32,768-bit Sum
Garbling TimeMemory Footprint
Fig. 3: The effect of the sequentialrepresentation of the circuit on thegarbling time and memory footprint.
Sequential Garbled CircuitTinyGarble‘s unique ability to garblesequential circuits enables scaling ofthe designs by leveraging the conceptof a memory. As opposed to the com-binational circuit, a sequential circuithas internal states stored in registers(flip-flops). At each clock cycle, thestate of the circuit depends on the in-puts at that cycle and the current stateof the circuit. Consider a 32-bit addercircuit for example. The circuit canbe represented as (i) a combinationalcircuit that takes two 32-bit numbersand outputs the 32-bit sum or, (ii) asequential circuit, 1-bit full-adder thatcomputes 1-bit of the sum at eachclock cycle. This circuit is executed
for 32 clock cycles to produce a 32-bitoutput. The state of the circuit is thecarry of the previous clock cycle. Ina general case, an n-bit adder can berealized using a l-bit adder module,executed for dnl e clock cycles.
Describing a function as a sequen-tial circuit provides a compact rep-resentation that can scale for largeinput sizes. For example, Fig 3 showsthe memory footprint and garblingtimes for different values of l forrealizing a 215-bit adder. As can beseen, the amount of memory requiredfor garbling of the sequential circuitdecreases linearly with l. A majorbenefit of reducing the memory foot-print is that for several benchmarkfunctions, TinyGarble can synthesizethem to compact sizes that can fitwithin the cache. This compaction re-sults in fewer cache misses and there-fore a reduction in the garbling timewhich is evident in Fig 3. Note thatfor a certain value of l, the drop inthe execution time reaches a satura-tion point. At this point the netlistcompletely fits into the cache, and thenumber of cache misses is reducedto its minimum. Further reduction ofthe netlist size does not further im-prove the time. This saturation pointusually occurs at a higher value ofl for more complicated tasks withlarger netlists.
The PCF framework also took asimilar approach where it rolls a for-loop and repeatedly garble it, in-stead of unrolling it in a large cir-cuit. However, sequential circuit de-scription is a well-known and estab-lished approach that allows us to useindustrial IC compilers to generatemore optimized circuits, and at thesame time, keep the garbling foot-print small. The comparison in [3]shows that TinyGarble outperformsPCF by up to 85% in terms of thenumber of non-XOR gates for allthe benchmarks. Moreover, sequen-
tial description enables several (pre-viously unreported) functions to beefficiently garbled. For example, TheTinyGarble framework has been em-ployed to devise a scalable privacy-preserving solution for stable match-ing in [16], sub-string search [17], anddeep learning [18]. Even more inter-estingly, the sequential format allowsgarbling a general purpose processor(CPU). This was not possible by theprior custom compilers, as no sizableCPU can be built as a non-sequentialcircuit (a circuit without states, a.k.a.combinational circuit). For the sake ofbrevity, we elaborate one application–stable matching in this section. Inthe next section we provide a briefoverview of the garbled processor.
In stable matching, there aretwo groups of people where ev-ery member has a preference listto be matched to a person in theother group. The stability conditionrequires that there should be notwo persons such that they prefereach other more than their alreadyassigned partners. In secure stablematching, the goal is to ensure theprivacy of the preference lists of themembers. This has been seen as oneof the most complicated tasks inprivacy-preserving computation. Thememory footprint of secure stablematching with combinational circuitscannot scale for real-world groupsizes. The work in [16] presents ascalable solution to this problem byemploying the sequential garbling in-troduced by TinyGarble. The circuitblock diagrams of the combinationaland sequential circuits are depictedin Fig 4. The combinational circuit re-quires O
(n2
)sub-modules each com-
prising O(n2 log n
)number of non-
XOR gates where n is the numberof people in each group. Since thecombinational circuit has O
(n4 log n
)gates, it quickly reaches the limit ofcircuit synthesis tools. In contrast,
5
n2 log(n) n2 log(n)
1 2 n2
n2 log(n)
Combinational Circuit Sequential Circuit
n2 log(n)R
egister
Fig. 4: Combinational and sequential circuits for stable matching. n is the number of people in each group.
the sequential circuit only requiresO(n2 log n
)non-XOR gates. There-
fore, it provides scalability to themuch higher set sizes. Moreover, gar-bling the sequential circuit requiressignificantly less memory.
Garbling A ProcessorCustom-designed compilers usuallyrequire the user to write the pro-gram in an unfamiliar syntax. More-over, they suffer from correctness andreliability issues as studied in [12].An elegant solution to these prob-lems is to have off-the-shelf (unmod-ified) standard compilers and com-pile user’s program to the binarycode. This approach has the advan-tage that legacy-codes can be usedwith minimal modification and nospecial syntax is used. In order tosecurely evaluate the compiled bi-nary code on user’s private data, onehas to garble a general-purpose pro-cessor. In other words, the Booleancircuit garbled in the GC protocolis a general-purpose processor thatincludes instruction-memory, data-memory, and stack along with othercomponents. The compiled binary it-self is considered as an input to theprocessor by being loaded into theinstruction memory. User’s privatedata is also loaded into the data mem-ory. Therefore, by garbling the pro-cessor, the program is securely eval-uated on users’ private input.
Naive adaptation of garbled pro-cessor for SFE, however, incurs alarge overhead. The reason is that
for each instruction the entire proces-sor circuit including instruction-fetch,instruction-decoding, control paths,etc. have to be garbled. Two solutionshave been proposed to reduce thisoverhead: (i) static reduction [19] and(ii) dynamic reduction [20].
In [19], authors propose to cre-ate custom ALUs for different in-structions and evaluate the corre-sponding ALU for each cycle. How-ever, such coarse-grain optimization(instruction-level as opposed to gate-level) still incurs a significant over-head. To overcome these limitations,a gate-level reduction approach isproposed in ARM2GC that dynami-cally identifies gates that can be pro-cessed using public data, i.e., thecompiled binary. In other words,ARM2GC determines which parts ofthe processor can be evaluated inplaintext and which parts need to begarbled. The decision is based on theinstruction at each clock cycle and thepublic/private state of the processor.The latter depends on the previousinstructions and how they have af-fected the public and private statusof different parts of the processor.
It has been shown that ARM2GCrequires 8.4E + 3 and 49E + 3 timesless garbled non-XOR gates comparedto [19] for computing Hamming dis-tances with 32 and 512-bit inputs,respectively. In fact, the number ofgates garbled in ARM2GC for dif-ferent benchmarks is comparable orsignificantly lower compared to thehigh-level GC compilers like CBMC-
GC or Frigate. In the ARM2GCframework [20], users can write theprogram in a standard language andcompile using verified ARM compil-ers. The compiled program acts aspublic input to the ARM processorcircuit. In contrast to custom com-pilers, ARM2GC relies on standardcompilers that are rigorously testedand as a result is more reliable.
ADAPTATION of standard logicsynthesis techniques to generate
the netlist for Yao’s GC protocol alongwith the introduction of sequentialGC provide a paradigm shift in thefield of privacy-preserving computa-tion. The results of four decades of re-search in the field of electronic designautomation are made available to thesecurity community. Leveraging thepowerful IC synthesis tools for garblecircuit compilation uniquely allowsefficient and scalable realization ofa number of exciting new privacy-preserving applications. In particular,it enables the execution of a gen-eral purpose processor through theGC protocol. Recent advances in gar-bling a processor allow the users towrite a function in any programminglanguage and compute it efficientlythrough the GC protocol. The usageof standard and verified compilersfor garbling eliminates the unrelia-bility of custom compilers; openingthe possibility of privacy-preservingimplementation of services that entailextensive computation and massivedata sets, e.g., secure search, neuralnetwork, navigation, and a lot more.
6
*References
[1] A. C.-C. Yao, “How to generate andexchange secrets,” in FOCS. IEEE,1986, pp. 162–167.
[2] M.-S. Goldreich, O. and A. Wigder-son, “How to play ANY mental game,”in Symposium on Theory of Computing.ACM, 1987.
[3] E. M. Songhori, S. U. Hussain, A.-R.Sadeghi, T. Schneider, and F. Koushan-far, “TinyGarble: Highly compressedand scalable sequential garbled cir-cuits,” in S&P. IEEE, 2015, pp. 411–428.
[4] D. Demmler, G. Dessouky, F. Koushan-far, A.-R. Sadeghi, T. Schneider, andS. Zeitouni, “Automated synthesis ofoptimized circuits for secure computa-tion,” in CCS. ACM, 2015.
[5] V. Kolesnikov and T. Schneider, “Im-proved garbled circuit: Free XOR gatesand applications,” in ICALP. Springer,2008, pp. 486–498.
[6] M. Naor, B. Pinkas, and R. Sum-ner, “Privacy preserving auctions andmechanism design,” in EC. ACM,1999, pp. 129–139.
[7] S. Zahur, M. Rosulek, and D. Evans,“Two halves make a whole: Reducingdata transfer in garbled circuits usinghalf gates.” pp. 220–250, 2015.
[8] M. Bellare, V. T. Hoang, S. Keelveedhi,and P. Rogaway, “Efficient garblingfrom a fixed-key blockcipher,” in S&P.IEEE, 2013, pp. 478–492.
[9] D. Beaver, S. Micali, and P. Rogaway,“The round complexity of secure proto-cols,” in Proceedings of the twenty-secondannual ACM symposium on Theory ofcomputing. ACM, 1990, pp. 503–513.
[10] D. Malkhi, N. Nisan, B. Pinkas, andY. Sella, “Fairplay-secure two-partycomputation system.” in USENIX Secu-rity. USENIX, 2004, pp. 287–302.
[11] D. Demmler, T. Schneider, andM. Zohner, “ABY-a framework forefficient mixed-protocol secure two-party computation.” in NDSS, 2015.
[12] B. Mood, D. Gupta, H. Carter, K. Butler,and P. Traynor, “Frigate: A validated,extensible, and efficient compiler andinterpreter for secure computation,” in(EuroS&P). IEEE, 2016, pp. 112–127.
[13] J. A. Darringer, D. Brand, J. V. Gerbi,W. H. Joyner, and L. Trevillyan, “LSS: Asystem for production logic synthesis,”IBM Journal of research and Development,vol. 28, no. 5, pp. 537–545, 1984.
[14] G. Dessouky, F. Koushanfar, A.-R.Sadeghi, T. Schneider, S. Zeitouni, andM. Zohner, “Pushing the communica-tion barrier in secure computation us-ing lookup tables,” in NDSS, 2017.
[15] M. Hastings, B. Hemenway, D. Noble,and S. Zdancewic, “Sok: General pur-pose compilers for secure multi-partycomputation,” in IEEE Symposium onSecurity & Privacy. IEEE, 2019.
[16] M. S. Riazi, E. M. Songhori, A.-R.Sadeghi, T. Schneider, and F. Koushan-far, “Toward practical secure stablematching,” Proceedings on Privacy En-hancing Technologies, vol. 2017, no. 1, pp.62–78, 2017.
[17] M. S. Riazi, E. M. Songhori, andF. Koushanfar, “PriSearch: EfficientSearch on Private Data,” in Proceedingsof the 54th Annual Design AutomationConference 2017. ACM, 2017, p. 14.
[18] B. D. Rouhani, M. S. Riazi, andF. Koushanfar, “DeepSecure: Scalableprovably-secure deep learning,” arXivpreprint arXiv:1705.08963, 2017.
[19] X. Wang, S. D. Gordon, A. McIntosh,and J. Katz, “Secure computation ofmips machine code,” in European Sym-posium on Research in Computer Security.Springer, 2016, pp. 99–117.
[20] E. M. Songhori, M. S. Riazi, S. U. Hus-sain, A.-R. Sadeghi, and F. Koushanfar,“ARM2GC: Simple and efficient gar-bled circuit framework by skipping,”Cryptology ePrint Archive 2017/1157,2017.
Siam U. Hussain is currentlya doctoral student at the De-partment of Electrical and Com-puter Engineering at Universityof California, San Diego. His re-search interests include privacypreserving computing and hard-ware security.
M. Sadegh Riazi is currentlya doctoral student at the De-partment of Electrical and Com-puter Engineering at Universityof California, San Diego. His re-search interests include privacypreserving computing and ma-chine learning.
Farinaz Koushanfar is the Pro-fessor and Henry Booker Fac-ulty Scholar at the Departmentof Electrical and Computer Engi-neering at University of Califor-nia, San Diego, She is the Direc-tor of Adaptive Computing andEmbedded Systems (ACES) Laband Co-Founder/Co-Director ofCenter for Machine IntegratedComputing and Security (MICS).Her research focuses on massivedata analytics in constrained set-tings and security and privacyfor data-intensive computing.
7
