Toward Quantitative Metrics in the MPC - Performance Continuum
Dave Archer, Kevin Butler, Jose Nazario, Mike Rosulek, Patrick Traynor
Galois, Inc.; University of Oregon; Invincea, Inc.; Oregon State University; Georgia Tech
[Title diagram: a continuum with Security at one end and Influence at the other]
© Galois, Inc. 2014
Is MPC Performance Practical?
[Diagram: VoIP coordinator (modified uMurmur) exchanging encrypted traffic with MPC proxy servers hosted on Amazon ECS; encrypted 16 kHz audio: 1440 compressed 8-bit samples every 90 ms]
[Diagram: encrypted mail server performing secure regular expression matching over encrypted messages]
Re-usable Optimizations
Pipeline stages per packet: uLAW2PCM, add and clip, PCM2uLAW (similar to uLAW2PCM, but inverse)
Local vs. global: 1440 samples per packet, 4 virtual voice processors
Initial result: 12 seconds (!) vs. the 90 ms goal
/* uLAW2PCM written branch-free, so that it maps onto an oblivious circuit */
short ulaw2pcm(unsigned char ulawbyte) {
    /* standard G.711 mu-law segment bias table (assumed; the slide only names exp_lut) */
    static const short exp_lut[8] = {0, 132, 396, 924, 1980, 4092, 8316, 16764};
    short sign, mantissa, exponent, sample;
    ulawbyte = ~ulawbyte;
    sign = (ulawbyte & 0x80);
    short tempsign = sign | sign >> 1;    // smear the sign bit across the low byte...
    tempsign |= tempsign >> 2;
    tempsign |= tempsign >> 4;
    tempsign = tempsign | tempsign << 8;  // ...and the high byte: 0x0000 or 0xFFFF
    short adder = tempsign & 0x0001;      // 1 iff the sample is negative
    mantissa = ulawbyte & 0x0F;
    exponent = ulawbyte & 0x70;
    exponent = exponent >> 4;
    short expPlus3 = exponent + 3;
    short tempMantissa = mantissa << expPlus3;
    sample = exp_lut[exponent]; // oblivious table lookup
    sample = sample + tempMantissa;
    sample = sample ^ tempsign; // two's-complement negate without a branch:
    sample = sample + adder;    // (~x + 1) when negative, x unchanged otherwise
    return sample;
}
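As an added example (not from the slides), a data-oblivious version of the exp_lut lookup that touches every table entry, as the slides require, beside a conventional branching decoder, with an exhaustive check over all 256 mu-law bytes that the two agree. It assumes the standard G.711 mu-law segment table for exp_lut, which the slides reference but do not list.

```c
#include <stdint.h>
#include <stdio.h>

/* Standard G.711 mu-law segment bias table (assumed; the slides only name exp_lut). */
static const int EXP_LUT[8] = {0, 132, 396, 924, 1980, 4092, 8316, 16764};

/* Branch-free table read: every entry is touched and masked, so neither the
 * access pattern nor the control flow depends on the secret index. */
static int oblivious_lookup(const int *table, int n, int idx) {
    int result = 0;
    for (int i = 0; i < n; i++) {
        uint32_t d = (uint32_t)(i ^ idx);
        int eq = 1 - (int)((d | (0u - d)) >> 31);   /* 1 iff i == idx, no compare */
        result |= table[i] & -eq;                     /* -eq is 0x0 or 0xFFFFFFFF */
    }
    return result;
}

/* Conventional decoder: data-dependent indexing and a branch on the sign bit. */
short ulaw2pcm_reference(unsigned char u) {
    u = (unsigned char)~u;
    int sign = u & 0x80;
    int exponent = (u >> 4) & 0x07;
    int mantissa = u & 0x0F;
    int sample = EXP_LUT[exponent] + (mantissa << (exponent + 3));
    return (short)(sign ? -sample : sample);
}

/* Oblivious decoder: same arithmetic, but the table read scans all entries and
 * the sign is applied with a mask instead of a branch. */
short ulaw2pcm_oblivious(unsigned char u) {
    u = (unsigned char)~u;
    int signmask = -(int)((u & 0x80) >> 7);        /* 0 when positive, -1 when negative */
    int exponent = (u >> 4) & 0x07;
    int mantissa = u & 0x0F;
    int sample = oblivious_lookup(EXP_LUT, 8, exponent) + (mantissa << (exponent + 3));
    return (short)((sample ^ signmask) - signmask); /* (x ^ -1) - (-1) == -x */
}

/* Returns 1 iff both decoders agree on every possible input byte. */
int all_bytes_agree(void) {
    for (int b = 0; b < 256; b++)
        if (ulaw2pcm_reference((unsigned char)b) != ulaw2pcm_oblivious((unsigned char)b))
            return 0;
    return 1;
}

int main(void) {
    printf("decoders agree on all 256 bytes: %s\n", all_bytes_agree() ? "yes" : "no");
    printf("0x80 -> %d, 0x00 -> %d\n", ulaw2pcm_oblivious(0x80), ulaw2pcm_oblivious(0x00));
    return 0;
}
```

The scan over all eight entries is exactly the cost the next slides talk about: an oblivious lookup pays for the whole table on every access.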
[Diagram: public table contents, 64k x 8-bit; index construction from two 8-bit halves; demultiplexer producing 64k x 1 select lines; data access]
Approach: public table shared by all proxies
Each lookup must access the entire table
[Diagram: two-level demux: two 1 x 8 index halves, each demultiplexed to 256 x 1, selecting from a 256 x 256 x W table]
[Diagram: regex automaton fragments (c1: state 0, c2: state 2) passed through the Simplify, Compose, Schedule, Pack stages]
Circuit statistics, unoptimized vs. optimized, by input size:

input | unoptimized: ands  xors  state  comms | optimized: ands  xors  state  comms
    1 |               203     0    358     10 |            149    15    119      4
    2 |               388     0    358     12 |            277    27    117      5
    4 |               756     0    358     14 |            493    53    117      6
    8 |              1492     0    358     19 |            949   104    117      9
   16 |              2964     0    358     33 |           1950   212    117     17

.*(((TOP|)SECRET)|TS|S)--(ROCKYBEACH|STINGRAY).*
.*(((TOP|)SECRET)|TS|S)--SI--NO(CON|CONTRACTOR|FOREIGN).*
.*(((TOP|)SECRET)|TS|S|R|RESTRICTED)--(AO|DO|MO|SO|TO)--LIMDIS.*
.*ac*cb.*
Diminishing Returns
What’s the Problem Anyway?
MPC-ATV (Multi-Party Computation, Automatically Tuned and Verified)
(By non-cryptographers)
(Maybe in a hurry)
Why is this Hard?
■ No system for understanding value to adversary
  ■ Have: concurrent, imperfect information game (actual moves)
  ■ Need: complete information game (possible moves and pay-offs)
■ No useful language for constraining adversary influence
  ■ And then what about maintainability?
■ Not clear what constraints can be used as knobs to implement
  ■ Much less how to quantify their effects!
■ No mechanism for conveying trust in resulting system
  ■ If trust is warranted… e.g., the composable security problem
New Idea: Understandable Metrics for Influence
■ Privacy
  ■ From: “no participant learns anything about others’ inputs”
  ■ To: “which participants … what proportion of which inputs, and what might a bad player do?”
■ Correctness
  ■ From: “no corrupt participant can keep any uncorrupted participant from learning the full correct result of the computation”
  ■ To: “which participants may prevent which others from learning how correct a result is, and what would the adversary gain by prevention?”
■ Fairness
  ■ From: “all parties learn the result or no-one does”
  ■ To: “how relatively important is it that each player learns the result?”
■ …robustness, anonymity, audit-ability
Privacy Knobs and Foundations
■ Attack-tree based analysis of allowable leakage [S14]
  ■ Automatically characterize influence and recommend constraints to block it
■ User-understandable choices
  ■ By recommending characterized, proven libraries of alternatives
■ Expert-developed libraries based on foundations we know:
  ■ Explicit choice of what to make public (LADM14, WHH14, BLR13), extended to “proportionally public”
    ■ with automated analysis of what (KER11, RMHH13, WBK10)
    ■ with automated analysis of when (SM04)
  ■ Expose bits to gain speed (dual-execution MF06, HKE12, HMSG13)
  ■ Choose leaky or approximate operators to reduce communication (e.g., leaky divide, inexact multiply)
  ■ Concepts of additive and multiplicative g-leakage, min-entropy leakage (ACM14, S09, ACPS12)
  ■ Trade-offs between outsourced computation and privacy
A Platform Concept for MPC-ATV
[Diagram: layered platform, with each component marked as Exists, Some work to do, or Core challenges]
■ Attack tree risk analysis
■ “Metric Knob” Security Type System and Libraries
■ Type Constraint Solver / Optimizer
■ Sharemonad MPC eDSL (Haskell)
■ Interpreter, 3-party LSS
■ MPC Compiler
■ Compliance Prover
■ Recommender, Future-proofing
■ 2-party LSS
■ FHE? ORAM
MPC-ATV
“Personal Shopper”
Impact if we Succeed: Choose 1
■ MPC moves from Procrustean bed to Sleep Number(TM)
■ We have a way to guide users in reasoning about adversary value chain and mitigating responses
■ We show personalizable security along one dimension at least for some real-world problems, with an “expert shopper” approach
Reading Material
■ [ACI14] M. Alvim, K. Chatzikokolakis, A. McIver, “Additive and multiplicative notions of leakage, and their capacities,” Computer Security Foundations (2014), to appear.
■ [ACPS12] M. S. Alvim, K. Chatzikokolakis, C. Palamidessi, G. Smith, “Measuring information leakage using generalized gain functions,” Proc. 25th IEEE Computer Security Foundations Symposium (CSF 2012).
■ [BLR13] D. Bogdanov, P. Laud, J. Randmets, “Domain-polymorphic language for privacy-preserving applications,” Proc. First ACM Workshop on Language Support for Privacy-Enhancing Technologies (PETShop ’13), ACM, New York, 2013.
■ [CLT14] H. Carter, C. Lever, P. Traynor, “Whitewash: Outsourcing Garbled Circuit Generation for Mobile Devices,” College of Computing, Georgia Institute of Technology, Atlanta, GA, USA, GT-CS-14-02, 2014.
■ [CMTB13] H. Carter, B. Mood, P. Traynor, K. Butler, “Secure Outsourced Garbled Circuit Evaluation for Mobile Devices,” Proc. 22nd USENIX Security Symposium, Washington DC, USA, 2013.
■ [GKP+13] S. Goldwasser, Y. Kalai, R. A. Popa, V. Vaikuntanathan, N. Zeldovich, “Reusable garbled circuits and succinct functional encryption,” STOC ’13: Proc. 45th Annual ACM Symposium on Theory of Computing, 2013.
■ [HKE12] Y. Huang, J. Katz, D. Evans, “Quid-Pro-Quo-tocols: Strengthening Semi-honest Protocols with Dual Execution,” IEEE Symposium on Security and Privacy, 2012.
■ [HMSG13] N. Husted, S. Myers, A. Shelat, P. Grubbs, “GPU and CPU Parallelization of Honest-but-Curious Secure Two-Party Computation,” ACSAC ’13.
■ [KER11] F. Kerschbaum, “Automatically optimizing secure computation,” Proc. 18th ACM Conference on Computer and Communications Security (CCS ’11), ACM, New York, 2011.
■ [LADM14] J. Launchbury, D. Archer, T. DuBuisson, E. Mertens, “Application-Scale Secure Multiparty Computation,” Programming Languages and Systems, Lecture Notes in Computer Science, S. Zhong, ed., Springer Berlin Heidelberg, 2014.
■ [MF06] P. Mohassel, M. Franklin, “Efficiency Tradeoffs for Malicious Two-Party Computation,” Public Key Cryptography 2006.
■ [MGFB14] B. Mood, D. Gupta, J. Feigenbaum, K. Butler, “Reuse It Or Lose It: More Efficient Secure Computation Through Reuse of Encrypted Values,” Department of Computer and Information Science, University of Oregon, Eugene, OR, USA, TR-201403-01, 2014.
■ [RHH14] A. Rastogi, M. Hammer, M. Hicks, “Wysteria: A Programming Language for Generic, Mixed-mode Multiparty Computation,” Proc. 35th IEEE Symposium on Security and Privacy, Oakland, CA, 2014.
■ [RMHH13] A. Rastogi, P. Mardziel, M. Hicks, M. Hammer, “Knowledge inference for optimizing secure multi-party computation,” Proc. Eighth ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS ’13), ACM, New York, 2013.
■ [S09] G. Smith, “On the foundations of quantitative information flow,” Proc. 12th International Conference on Foundations of Software Science and Computational Structures (FoSSaCS ’09).
■ [S14] S. Paul, “Towards Automating the Construction and Maintenance of Attack Trees,” GraMSec ’14.
■ [SM04] A. Sabelfeld, A. Myers, “A Model for Delimited Information Release,” Software Security - Theories and Systems, Lecture Notes in Computer Science, Futatsugi et al., eds., Springer Berlin Heidelberg, 2004.
■ [WS12] P. Williams, R. Sion, “Single Round Access Privacy on Outsourced Storage,” CCS ’12: Proc. 19th ACM Conference on Computer and Communications Security, 2012.
■ [WBK10] M. Wibmer, D. Biswas, F. Kerschbaum, “Leakage Quantification of Cryptographic Operations,” On the Move to Meaningful Internet Systems: OTM 2010, Lecture Notes in Computer Science, Meersman et al., eds., Springer Berlin Heidelberg, 2010.