Private Matching

1
Introduction to Secure Computation
Benny Pinkas HP Labs, Princeton
2
Roadmap

• Secure Function Evaluation
• Motivation and definitions
• Scenarios
• Constructions

3
SFE Example Millionaires Problem
? lt gt
Secure FunctionEvaluationProtocol
X
Y
4
Secure Function Evaluation

• A set of (two or more) parties with private
  inputs wish to compute some joint function of
  their inputs.
• Parties wish to preserve some security
  properties. E.g., privacy and correctness.
• Example Computing the maximum
• Security must be preserved in the face of
  adversarial behavior by some of the participants.

5
Secure Function Evaluation

• Cryptography aims for the following (regarding
  privacy)
• A secure protocol must reveal no more information
  than the output of the function itself
• That is, the process of protocol computation
  reveals nothing.

6
The Security Definition
?
IDEAL
REAL
7
Does the trusted party scenario make sense?
y
x
F(x,y)
F(x,y)

• We cannot hope for more privacy
• Does the trusted party scenario make sense?
• Are the parties motivated to submit their true
  inputs?
• Can they tolerate the disclosure of F(x,y)?
• If so, we can implement the scenario without a
  trusted party.

8
Roadmap

• Secure Function Evaluation
• Motivation and definitions
• Scenarios
• Constructions

9
Modeling the Adversary

• Semi-honest follows the protocol but tries to
  learn more
• Malicious can do anything
• E.g.,
• Protocol Flip a random coin and send the
  result
• Malicious party might
• Easier to provide security against semi-honest
  adversaries

10
Modeling the Adversary

• Do semi-honest adversaries make sense?
• Semi-trusted parties?
• Secure hardware/software?
• Its easier for the adversary to eavesdrop than
  to change the program.
• Is there a reasonable model between semi-honest
  and malicious?

11
Participating Parties

• Two parties.
• Multi-party N parties with private inputs
  x1,..,xN, wish to compute F(x1,..,xN).
• There are generic secure constructions for both
  scenarios
• The constructions for the two-party scenario are
  usually more efficient

12
Multi-Party Protocols

• The main issues are often the communication
  pattern and the number of rounds

13
A different setting for multi-party protocols?
NPS
Pn
P1
P2
14
Trust
Computation Server 1
Computation Server 2
Computation Server m
Pn
P1
P2
This is not weaker security if we have some trust
that computation servers do not collude
15
Advantages

• Separation between input providers and
  computation.
• Input providers
• submit their inputs independently of each other.
• Do not have to coordinate their operation.
• Once all inputs are submitted, the computation is
  performed by the computation servers.

16
Roadmap

• Secure Function Evaluation
• Motivation and definitions
• Scenarios
• Constructions

17
Secure two-party computation of general functions
Yao, early 80s

• First, represent the function F as a Boolean
  circuit C
• Its always possible
• Sometimes its easy (additions, comparisons)
• Sometimes the result is inefficient (e.g. for
  indirect addressing, ai)

18
Garbling the circuit

• Bob constructs the circuit, and then garbles it.

Wk0 0 on wire k Wk1 1 on wire k Wk0 Wk1
gt 80 (Alice will learn one string per wire,
but not the bit to which it corresponds.)
19
Gate tables

• For, e.g., an AND gate, Bob constructs a table
  that enables to compute
• wk0 given wi0,wJ0
• wk0 given wi0,wJ1
• wk0 given wi1,wJ0
• wk1 given wi1,wJ1
• I.e., given wix,wJy, can compute wkG(x,y)

20
Secure computation

• Bob sends the tables of the gates to Alice
• Given, e.g., wi0,wJ1, she computes wk0, but
  doesnt know the actual values of the wires.
• If Alice gets garbled values (ws)
• of her input values, she can
• compute the output of the
• circuit, and nothing else.

21
Secure computation the big picture

• Represent the function as a circuit C
• Bob sends to Alice C tables (e.g. 40C Bytes).
• Alice performs an oblivious transfer for every
  input bit. (Can do, e.g. 100 OTs per sec.)
• One round of communication.
• Efficient for medium size circuits!
• Good for one invocation only! ?

22
FairPlay Nisan,Malkhi,Pinkas,Sella

• Yaos construction is about 20 years old. There
  are no known implementations (?).
• FairPlay - a full fledged secure two-party
  computation system, implementing Yaos garbled
  circuit protocol.
• Goals
• Investigate whether two-party SFE is practical
• Actual measurements of overall computation
• Breakdown of computation into parts
• Test-bed for various optimizations

23
FairPlay

• The Compilation paradigm
• Programs written in a high-level programming
  language
• SHDL Low-level language describing Boolean
  circuits
• First stage compile to SHDL and optimize
• Second stage Given an SHDL circuit, generate
  programs implementing Yaos protocol

24
Specific Constructions of SFE

• Mean
• Max, Min
• Set intersection
• Median and quintiles

25
Discussion Points

• Candidate applications?
• Where will SFE be most beneficial?
• How to model the adversary?

26
Issues

• Suppose you cannot access the data
• Data cleaning?
• What functions do you need to compute?