Fairplay%20

1
Fairplay A Secure Two-Party Computation System
Yaron SellaHebrew University of Jerusalem

• Joint work with Dahlia Malkhi, Noam Nisan, and
  Benny PinkasProject team Ziv Balshai, Amir
  Levy, Dudi Einey, Ori Peleg

2
Outline

• SFE Secure Function Evaluation
• Goals
• Fairplay
• Fairplay computation overview
• Demo (SFDL SHDL examples)
• Bob/Alice two party SFE
• Experiments

3
SFE - Secure Function Evaluation

• Started with Yaos seminal paper (1986 - almost
  20 years ago!)
• Allows several parties to perform a joint
  computation, that in real life requires a trusted
  party, using cryptographic tools only (i.e., the
  trusted party is not needed!)
• Theoretical significance only?
• We focus on 2-party SFE

4
SFE Example - Millionaires Problem
? lt gt
X
Y
Secure FunctionEvaluationProtocol
5
General Structure of Yaos Protocol

• Represent f(x,y) as a Boolean circuit
• Bob garbles the circuit
• ? wire, assigns random values instead of 0/1
• ? gate, constructs a secure truth table
• Bob sends to Alice the tables and garbled
  versions of his input
• Alice uses oblivious transfer to obtain garbled
  versions of her input and uses them to compute
  the output of the circuit

6
Goals

• Answer some basic questions on SFE
• Is two-party SFE practical?
• Obtain actual measurements of overall
  computation How much time is needed to solve the
  Millionaires problem? The Billionaires problem?
• Better understanding of SFE computation
• Where are the bottlenecks?
• Computation versus communication
• Test-bed for various optimizations

7
Fairplay Computation Overview (1)
Bob
Alice
GUI
SFDL program
(a file)
SFDL Compiler Circuit optimizer
SFDL Compiler Circuit optimizer
Off-line
SHDL circuit
SHDL circuit
(a file)
(a file)
SHDL Parser
SHDL Parser
On-line SFE
Circuit
Circuit
(Java obj.)
(Java obj.)
8
Fairplay Computation Overview (2)
Bob
Alice
Circuit
(Java obj.)
Circuit
(Java obj.)
m x Circuit garbler
Garbled circuits
(Java obj.)
Circuits send
Circuits receive
Circuit choose
Read Integer
Reveal secrets
Circuits verify
9
Fairplay Computation Overview (3)
Bob
Alice
Input input send
Input receive
Input
OT chooser
OT sender
Circuit evaluator
Output
Output
10
Outline

• SFE Secure Function Evaluation
• Goals
• Fairplay
• Fairplay computation overview
• Demo (SFDL SHDL examples)
• Bob/Alice two party SFE
• Experiments

11
The Compilation Paradigm

• SFDL (Secure Function Definition Language) -
  High-level programming language for the func. to
  be evaluated in the trusted party model
• Allows clear, formal, easily understandable
  definition and requirements by humans
• SHDL (Secure Hardware Definition Language) -
  Low-level language describing Boolean circuits
• Obliviousness-aware SFDL ? SHDL compiler
• The compiler also produces an I/O format file

12
SFDL Example

• program Millionaires
• type int Intlt4gt // 4-bit integer
• type AliceInput int
• type BobInput int
• type AliceOutput Boolean
• type BobOutput Boolean
• type Output struct AliceOutput alice,
  BobOutput bob
• type Input struct AliceInput alice,
  BobInput bob
• function Output output(Input input)
• output.alice input.alice gt input.bob
• output.bob input.bob gt input.alice

13
SFDL Properties

• Conventional syntax (C/Pascal-like)
• Type system Boolean, integer, enumerated
• Program structure
• Declarations global constants, types
• Sequence of functions (no nesting C, no
  recursion)
• Function name is its return value Pascal
• Conditional execution and loops
• if-then, if-then-else statements, For-loop
• Assignments and expressions
• constants, variables, array entries, structure
  items, function calls, operators (, -, logical,
  comparison), parenthesis

14
SHDL Example (1)

• 0 input //outputinput.bob0
• 1 input //outputinput.bob1
• 2 input //outputinput.bob2
• 3 input //outputinput.bob3
• 4 input //outputinput.alice0
• 5 input //outputinput.alice1
• 6 input //outputinput.alice2
• 7 input //outputinput.alice3
• 8 gate arity 2 table 1 0 0 0 inputs 4 5
• 9 gate arity 2 table 0 1 1 0 inputs 4 5

15
SHDL Example (2)

• 10 gate arity 2 table 0 1 0 0 inputs 8 6
• 11 gate arity 2 table 1 0 0 1 inputs 8 6
• 12 gate arity 2 table 1 0 0 1 inputs 10 7
• 13 gate arity 2 table 0 0 0 1 inputs 4 0
• 14 gate arity 3 table 0 0 0 1 0 1 1 1 inputs
  13 9 1
• 15 gate arity 3 table 0 0 0 1 0 1 1 1 inputs
  14 11 2
• 16 gate arity 2 table 0 1 1 0 inputs 12 3
• 17 gate arity 2 table 0 1 1 0 inputs 15 16
  
• 18 output gate arity 1 table 0 1 inputs 17
  

16
SHDL Properties

• Each line is a circuit component, i.e
• An input bit, or
• A Boolean gate with a given truth-table and
  input wires
• Circuit wiring is based on line numbers
• The compiler produces gates of arity 1,2,3
• // Comments are ignored (even though the compiler
  generated them)

17
The Format File

• Enables the input bits to be specified and the
  output bits to be presented in a user-friendly
  format
• Format file example
• Bob input integer "input.bob" 0 1 2 3
• Alice input integer "input.alice" 4 5 6 7
• Alice output integer "output.alice" 18
• Bob output integer "output.bob" 29
• Bobs input bits should be read from the user as
  an integer

18
The SFDL ? SHDL Compiler

• Compilers sequence of steps
• Parsing
• Function inlining and loop unfolding
  (obliviousness!)
• Transformation into single bit operations
• Array access handling (cost O(n) gates)
• Single variable assignment
• Optimizations local code optimization, duplicate
  code removal, dead code elimination

19
Bob-Alice 2-Party SFE Overview (1)

• Input C circuit in SHDL
• Cut-and-Choose
• Bob parses C into m garbled circuits, and sends
  them to Alice. Alice also parses C.
• Alice chooses one circuit for evaluation - GC
• Bob exposes secrets of all garbled circuits
  except GC
• Alice verifies all exposed garbled circuits
• Catches cheating with probability 1-1/m
• Bob sends his inputs for GC (Alice cant
  interpret them because they are garbled)

20
Bob-Alice 2-Party SFE Overview (2)

• Oblivious Transfer Alice obtains her inputs for
  GC from Bob using a single OT per each Alice
  input bit (Alice chooser, Bob sender)
• Alice evaluates GC
• Alice interprets her outputs (she cant interpret
  Bobs outputs, because they are garbled)
• Alice sends to Bob his outputs
• Bob interprets his outputs

21
Garbled Circuit Preparation (by Bob)
vi0, vi1
vj0, vj1
22
Garbled Circuit Evaluation (by Alice)
vi
vj
Note that 1. Alice doesnt learn any other table
entry. 2. Alice doesnt learn if entry and wire
values correspond to 0 or 1.
outputvk vk vk vk
PEGTT
vk
1. Try decrypting each entry
2. D (vk ) SHA-1 (vi , vj , k) ? vk (
vk)
23
EGL 1-out-of-2 Oblivious Transfer (OT12)
Sender (Bob)
Chooser (Alice)
M0, M1
Bit b
1. PK0, PK1
(s.t. only one of PK0, PK1 can be a real PK)
Encrypt M0 with PK0 ( E0) M1 with
PK1 ( E1)
2. E0, E1
3. Decrypt E0 or E1
24
OT12 (EGL Paradigm with El-Gamal)

• Input chooser - a bit s sender - two strings
  M0, M1
• Output chooser - Ms
• Preliminaries Zq is a sub-group of order q of
  Zp, p,q are primes, and q (p-1). Let g be a
  generator of Zq . H is a random oracle.
• Initialization the sender publishes C, a random
  element in Zq (whose discrete log to the base g
  is unknown by the chooser).

25
OT12 Interactive Protocol
Sender (Bob)
Chooser (Alice)
p, q, g, H, C
M0, M1
s
1. Picks random k in 1,q, and sets public
keys PKs gk, PK1-s C / PKs
2. Computes PK1 C / PK0, chooses random
r0,r1 in Zq, El-Gamal encrypts E0 gr0
, H(PK0r0) M0, E1 gr1 , H(PK1r1) M1
3. Computes H((grs)k) H(PKsrs) and uses it
to decrypt Ms
Note NP01 variant (in RO model)
26
Experiments Implementation Setup

• Code written in Java
• Communication TCP/IP (Java sockets)
• Crypto Java BigInteger libraries, SHA1 as RO
• Two communication scenarios
• LAN 617.8 MBPS, latency 0.4 ms
• WAN (USA, Israel) 1.06 MBPS, latency 237.0 ms
• Two PCs 2.4 GHz
• Parameters p1024, q160, m2
• Results 100 repetitions (compilation excluded)

27
Experiments The Four Functions
Function Number of circuit gates Number of circuit gates Number of circuit gates
Function Total Inputs Alice Inputs
AND 32 16 8
Billionaires 254 64 32
Keyed DB search 1229 486 6
Median 4383 320 160
AND - a very simple circuitKeyed DB - small
number of inputs for AliceMedian biggest
circuit
28
Experiments Results Highlights

• Billionaires problem
• LAN 1.25 seconds, WAN 4.01 seconds
• Communication versus computation
• Percentage of delay due to communicationLAN up
  to 42, WAN up to 77
• Optimizations speed up factor
• WAN communication batching up to 8.8!
• Same gr mod p OT variant NP01 1.3
• LAN ?WAN slowdown up to 6.9

29
Experiments WAN Detailed Results
Function WAN Communication WAN Communication WAN Communication WAN Communication WAN Communication
Function IP () CC () OTs () EV () EET(sec)
AND 0.2 58.4 41.4 0.0 2.57
Billionaires 0.8 45.2 53.9 0.1 4.01
Keyed DB 5.9 64.3 29.4 0.4 3.38
Median 4.7 45.8 49.2 0.3 16.63
IP Initializations and ParsingCC Circuits
communicationOTs Oblivious TransfersEV
Evaluation of circuitEET Elapsed Execution Time
30
Experiments LAN Detailed Results
Function LAN Communication LAN Communication LAN Communication LAN Communication LAN Communication
Function IP () CC () OTs () EV () EET(sec)
AND 1.5 18.8 79.5 0.2 0.41
Billionaires 3.2 5.4 91.1 0.3 1.25
Keyed DB 40.4 2.8 54.1 2.7 0.49
Median 13.2 7.2 78.7 0.9 7.09
IP Initializations and ParsingCC Circuits
communicationOTs Oblivious TransfersEV
Evaluation of circuitEET Elapsed Execution Time
31
Future directions

• Better understanding of experiments results
• Improving the compiler (C ?)
• New features
• fair termination
• Optimizations
• Batch inversion (BS02)
• Extending OTs (IKNP03)
• Real applications products
• (www.cs.huji.ac.il/labs/danss/Fairplay)