Computer Science Colloquia
Monday, July 30, 2012
Advisor: Dave Evans
Attending Faculty: Jonathan Katz, Wesley Weimer, Chair; abhi shelat, Gabriel Robins, Aaron Mackey (minor representative
9:30 AM, Rice Hall, Rm. 242
Ph.D. Dissertation presentation
Practical Secure Two-Party Computation
Secure two-party computation allows two parties to cooperatively evaluate a function that takes both parties' private data as input without revealing any private information other than the outcome. Although secure computation has many important applications in various fields and a general theoretical solution has been known for decades, practical systems are rare due to the prohibitive performance overhead and the tremendous effort required to build such systems.
The garbled circuit (i.e., Yao's circuit) technique enables secure computing of Turing-complete functions but has previously been thought to be too expensive for practical applications. We improved the efficiency of garbled circuits focusing on both execution and design aspects. Our implementation uses pipelining aggressively so the circuit execution runs with a nearly constant amount of memory and can scale to arbitrarily large circuits. To aid the efficient construction of circuits, we developed a library of component circuits that enables programmers to quickly create new ones by modular composition of existing ones. We integrated these ideas into a new framework that enables programmers to develop secure computation protocols from an existing insecure implementation while providing enough control over the circuit design to enable efficient implementation. To evaluate the effectiveness our new tools, we build several privacy-preserving applications which are secure against passive adversaries, including secure biometric identification, secure edit distance and Smith-Waterman, private encryption, and private set intersection.
The secure guarantees of passively-secure protocols do not hold if an attacker goes ``active'' --- by deviating from the protocol specification. To thwart active adversaries, we present a concrete design and implementation of protocols achieving security guarantees that are much stronger than are possible with passively-secure protocols, at minimal extra cost. We consider protocols in which a malicious adversary may learn a single (arbitrary) bit of additional information about the honest party's input. Correctness of the honest party's output is still guaranteed. Adapting prior work of Mohassel and Franklin, the basic idea in our protocols is to conduct two separate runs of a (specific) semi-honest, garbled-circuit protocol, with the parties swapping roles, followed by an inexpensive secure equality test. We provide a rigorous definition and prove that this protocol leaks no more than one additional bit against a malicious adversary. In addition, we propose some heuristic enhancements to reduce the overall information a cheating adversary learns. Our experiments show that protocols meeting this security level can be implemented at a cost very close to protocols that only achieve semi-honest security. Our results indicate that this model enables the large-scale, practical applications possible within the semi-honest security model, while providing stronger security guarantees.
We also explore the commodity-based paradigm for generic secure two-party computation. By trusting a third-party, not with private inputs, but only to provide correlated random numbers we can achieve a very low computation and communication overhead in both semi-honest and malicious threat models. The efficiency gains require a series of optimization techniques including layered circuit execution, round packing, traffic packing, and specialized circuit optimization for minimizing the cost of network latencies. Our experiments show that commodity-based protocols can be an order of magnitude more efficient (in both time and bandwidth) than the best known garbled circuit based ones assuming semi-honest adversaries. In presence of malicious adversaries, our approach offers even larger performance gains(more than 600x faster and 2500x more bandwidth-efficient compared to the state-of-art maliciously secure protocol).
Our results demonstrate that secure computation can be much more efficient than previously thought, and can scale to support large and interesting applications.