Toward Quantitative Metrics in the MPC - Performance Continuum

Dave Archer (Galois, Inc.), Kevin Butler (University of Oregon), Jose Nazario (Invincea, Inc.), Mike Rosulek (Oregon State University), Patrick Traynor (Georgia Tech)

Source file: IARPA Tunable MPC Solutions.key (35 pages); posted Dec 31, 2016

Transcript

Page 1: title slide, with the word "Security"

Page 2: title slide, with the word "Influence"

Pages 3-9: Is MPC Performance Practical? (slide 2)

© Galois, Inc. 2014

Page 4, figure labels: VoIP coordinator (modified uMurmur); MPC proxy servers; three links labelled "Encrypted"; Encrypted 16 kHz audio: 1440 compressed 8-bit samples every 90 ms; Amazon ECS.

Pages 5-6, figure labels: Encrypted mail server; a link labelled "Encrypted"; Secure regular expression matching.

Pages 7-9: no extracted text apart from the label "2P MPC" on page 9.

Page 10: Re-usable Optimizations (slide 3)

Figure labels: uLAW2PCM, Add and clip, PCM2uLAW; Local / Global; 1440 samples per packet; 4 virtual voice processors; 12 seconds (!) vs. 90 ms goal; PCM2uLAW is "similar, but inverse".

Branch-free uLAW2PCM as shown on the slide. Declarations and the standard G.711 exp_lut bias table have been added so that it compiles, and comments explain the oblivious sign handling; every operation is data-independent, so the same circuit is evaluated for every input byte:

    /* mu-law byte -> 16-bit linear PCM without a data-dependent branch. */
    static const short exp_lut[8] = { 0, 132, 396, 924, 1980, 4092, 8316, 16764 }; /* G.711 segment bias */

    short ulaw2pcm(unsigned char ulawbyte)
    {
        short sign, mantissa, exponent, sample;

        ulawbyte = ~ulawbyte;
        sign = (ulawbyte & 0x80);
        short tempsign = sign | sign >> 1;      /* smear the sign bit rightwards... */
        tempsign |= tempsign >> 2;
        tempsign |= tempsign >> 4;
        tempsign = tempsign | tempsign << 8;    /* ...into an all-ones (0xFFFF) or all-zeros mask */
        short adder = tempsign & 0x0001;       /* 1 for a negative sample, else 0 */
        mantissa = ulawbyte & 0x0F;
        exponent = ulawbyte & 0x70;
        exponent = exponent >> 4;
        short expPlus3 = exponent + 3;
        short tempMantissa = mantissa << expPlus3;
        sample = exp_lut[exponent]; // oblivious table lookup
        sample = sample + tempMantissa;
        sample = sample ^ tempsign;             /* conditional two's-complement negation: */
        sample = sample + adder;                /* (~x) + 1 == -x when the mask is all ones */
        return sample;
    }

Page 11: Re-usable Optimizations (slide 3), oblivious lookup in a public table

Figure labels: Public Table, Contents (64k x 8); two 8b index inputs; Demultiplex to a 64k x 1 selector; stages "Index Construction" and "Data Access".

Approach: Public table shared by all proxies. Each lookup must access the entire table.

Page 12: Re-usable Optimizations (slide 3), demultiplexed lookup

Figure labels: two 1 x 8 indices, each passed through a Demux into a 256 x 1 selector; the table is organized as 256 x 256 x W.
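The two lookup structures on pages 11 and 12, as an added example in C (not from the slides or from the Galois code): a flat 64k x 1 selector versus two 256 x 1 demultiplexed selectors over a 256 x 256 table. The table contents, the function names and the equality-mask helper are all constructed for this example; both variants touch every table entry, so only the cost of building the selector differs.

```c
#include <stdint.h>

/* Added example, not from the slides: data-oblivious lookup of a secret 16-bit
 * index (hi, lo) in a public 64k x 8 table. Both variants touch every table
 * entry, so the access pattern is independent of the index; they differ only
 * in how the one-hot selector ("Index Construction") is built. Table contents
 * and all function names are constructed for this example. */
#define TABLE_SIZE 65536u
static uint8_t g_table[TABLE_SIZE];

void build_table(void)                          /* constructed contents: (31k + 7) mod 256 */
{
    for (unsigned k = 0; k < TABLE_SIZE; k++)
        g_table[k] = (uint8_t)(k * 31u + 7u);
}

/* Branch-free equality for a, b < 65536: 0xFF when equal, else 0x00. */
static uint8_t eq_mask(unsigned a, unsigned b)
{
    unsigned d = a ^ b;                         /* zero iff a == b */
    unsigned eq = ((d - 1u) >> 16) & 1u;        /* bit 16 is set only by the wrap when d == 0 */
    return (uint8_t)(0u - eq);                  /* 0 -> 0x00, 1 -> 0xFF */
}

/* Page 11 style: one 64k x 1 selector, i.e. 65,536 16-bit compares per lookup. */
uint8_t lookup_flat(uint8_t hi, uint8_t lo)
{
    unsigned idx = ((unsigned)hi << 8) | lo;
    uint8_t acc = 0;
    for (unsigned k = 0; k < TABLE_SIZE; k++)
        acc ^= g_table[k] & eq_mask(k, idx);    /* exactly one term is non-zero */
    return acc;
}

/* Page 12 style: demux each 8-bit half into a 256 x 1 selector (2 x 256 8-bit
 * compares), then AND the row and column selectors across the 256 x 256 table. */
uint8_t lookup_demux(uint8_t hi, uint8_t lo)
{
    uint8_t rowsel[256], colsel[256], acc = 0;
    for (unsigned j = 0; j < 256; j++) {
        rowsel[j] = eq_mask(j, hi);
        colsel[j] = eq_mask(j, lo);
    }
    for (unsigned r = 0; r < 256; r++)
        for (unsigned c = 0; c < 256; c++)
            acc ^= g_table[(r << 8) | c] & rowsel[r] & colsel[c];
    return acc;
}
```

Call build_table() once, then both lookups return the same byte for the same (hi, lo); in a circuit setting the second form replaces 64k wide compares with 512 narrow ones while the data-access stage stays the same size.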

Pages 13-14: Re-usable Optimizations (slide 3), regular-expression state machine

Page 13, figure labels: transitions c1 and c2 between state 0, state 1 and state 2.

Page 14, figure labels: c1 at state 0, c2 at state 2 (marked with a check mark); optimization steps Simplify, Compose, Schedule, Pack.

Page 15: Re-usable Optimizations (slide 3), results

    input | unoptimized: ands  xors  state  comms | optimized: ands  xors  state  comms
        1 |               203     0    358     10 |            149    15    119      4
        2 |               388     0    358     12 |            277    27    117      5
        4 |               756     0    358     14 |            493    53    117      6
        8 |              1492     0    358     19 |            949   104    117      9
       16 |              2964     0    358     33 |          1,950   212    117     17

Regular expressions evaluated:

    .*(((TOP|)SECRET)|TS|S)--(ROCKYBEACH|STINGRAY).*
    .*(((TOP|)SECRET)|TS|S)--SI--NO(CON|CONTRACTOR|FOREIGN).*
    .*(((TOP|)SECRET)|TS|S|R|RESTRICTED)--(AO|DO|MO|SO|TO)--LIMDIS.*
    .*ac*cb.*

Diminishing Returns

Pages 16-22: What's the Problem Anyway? (slide 4)

Pages 16-19 carry no extracted text. Pages 20-22 build up the following lines:

MPC-ATV (Multi-Party Computation, Automatically Tuned and Verified)
(By non-cryptographers)
(Maybe in a hurry)

Page 23: Why is this Hard? (slide 5)

■ No system for understanding value to adversary
  ■ Have: concurrent, imperfect information game (actual moves)
  ■ Need: complete information game (possible moves and pay-offs)
■ No useful language for constraining adversary influence
  ■ and then what about maintainability?
■ Not clear what constraints can be used as knobs to implement
  ■ Much less how to quantify their effects!
■ No mechanism for conveying trust in resulting system
  ■ If trust is warranted… e.g., the composable security problem

Page 24: New Idea: Understandable Metrics for Influence (slide 6)

■ Privacy
  ■ From: "no participant learns anything about others' inputs"
  ■ To: "which participants … what proportion of which inputs, and what might a bad player do?"
■ Correctness
  ■ From: "no corrupt participant can keep any uncorrupted participant from learning the full correct result of the computation"
  ■ To: "which participants may prevent which others from learning how correct a result is, and what would the adversary gain by prevention?"
■ Fairness
  ■ From: "all parties learn the result or no-one does"
  ■ To: "how relatively important is it that each player learns the result?"
■ …robustness, anonymity, audit-ability

Page 25: Privacy Knobs and Foundations (slide 7)

■ Attack-tree based analysis of allowable leakage [S14]
  ■ Automatically characterize influence and recommend constraints to block it
■ User-understandable choices
  ■ By recommending characterized, proven libraries of alternatives
■ Expert-developed libraries based on foundations we know:
  ■ Explicit choice of what to make public (LADM14, RHH14, BLR13), extended to "proportionally public"
    ■ with automated analysis of what (KER11, RMHH13, WBK10)
    ■ with automated analysis of when (SM04)
  ■ Expose bits to gain speed (dual execution: MF06, HKE12, HMSG13)
  ■ Choose leaky or approximate operators to reduce communication (e.g., leaky divide, inexact multiply)
  ■ Concepts of additive and multiplicative g-leakage, min-entropy leakage (ACM14, S09, ACPS12)
  ■ Trade-offs between outsourced computation and privacy

Pages 26-33: A Platform Concept for MPC-ATV (slide 8)

The block diagram is built up over pages 26-33 under the legend "Exists / Some work to do / Core challenges" (the colour coding that assigns components to these categories is not recoverable from the transcript). Components in order of appearance:

■ MPC-ATV (page 26)
■ Sharemonad MPC eDSL, Haskell, Interpreter, 3-party LSS, MPC Compiler (page 27)
■ Attack tree risk analysis, 2-party LSS, FHE?, ORAM (page 28)
■ "Metric Knob" Security Type System and Libraries (page 29)
■ Type Constraint Solver / Optimizer (page 30)
■ Compliance Prover (page 31)
■ Recommender, Future-proofing (page 32)
■ "Personal Shopper" (page 33)

Page 34: Impact if we Succeed: Choose 1 (slide 9)

■ MPC moves from Procrustean bed to Sleep Number™
■ We have a way to guide users in reasoning about adversary value chain and mitigating responses
■ We show personalizable security along one dimension at least for some real-world problems, with an "expert shopper" approach

Page 35: Reading Material (slide 10)

■ [ACM14] M. Alvim, K. Chatzikokolakis, A. McIver, "Additive and multiplicative notions of leakage, and their capacities," Computer Security Foundations (CSF 2014), to appear.
■ [ACPS12] M. S. Alvim, K. Chatzikokolakis, C. Palamidessi, G. Smith, "Measuring information leakage using generalized gain functions," Proc. 25th IEEE Computer Security Foundations Symposium (CSF 2012).
■ [BLR13] D. Bogdanov, P. Laud, J. Randmets, "Domain-polymorphic language for privacy-preserving applications," Proc. First ACM Workshop on Language Support for Privacy-Enhancing Technologies (PETShop '13), ACM, New York, 2013.
■ [CLT14] H. Carter, C. Lever, P. Traynor, "Whitewash: Outsourcing Garbled Circuit Generation for Mobile Devices," College of Computing, Georgia Institute of Technology, Atlanta, GA, USA, Tech. Rep. GT-CS-14-02, 2014.
■ [CMTB13] H. Carter, B. Mood, P. Traynor, K. Butler, "Secure Outsourced Garbled Circuit Evaluation for Mobile Devices," Proc. 22nd USENIX Security Symposium, Washington DC, USA, 2013.
■ [GKP+13] S. Goldwasser, Y. Kalai, R. A. Popa, V. Vaikuntanathan, N. Zeldovich, "Reusable garbled circuits and succinct functional encryption," Proc. 45th Annual ACM Symposium on Theory of Computing (STOC '13), 2013.
■ [HKE12] Y. Huang, J. Katz, D. Evans, "Quid-Pro-Quo-tocols: Strengthening Semi-honest Protocols with Dual Execution," IEEE Symposium on Security and Privacy, 2012.
■ [HMSG13] N. Husted, S. Myers, A. Shelat, P. Grubbs, "GPU and CPU Parallelization of Honest-but-Curious Secure Two-Party Computation," ACSAC '13.
■ [KER11] F. Kerschbaum, "Automatically optimizing secure computation," Proc. 18th ACM Conference on Computer and Communications Security (CCS '11), ACM, New York, 2011.
■ [LADM14] J. Launchbury, D. Archer, T. DuBuisson, E. Mertens, "Application-Scale Secure Multiparty Computation," Programming Languages and Systems, Lecture Notes in Computer Science, S. Zhong, ed., Springer Berlin Heidelberg, 2014.
■ [MF06] P. Mohassel, M. Franklin, "Efficiency Tradeoffs for Malicious Two-Party Computation," Public Key Cryptography 2006.
■ [MGFB14] B. Mood, D. Gupta, J. Feigenbaum, K. Butler, "Reuse It Or Lose It: More Efficient Secure Computation Through Reuse of Encrypted Values," Department of Computer and Information Science, University of Oregon, Eugene, OR, USA, Tech. Rep. TR-201403-01, 2014.
■ [RHH14] A. Rastogi, M. Hammer, M. Hicks, "Wysteria: A Programming Language for Generic, Mixed-mode Multiparty Computation," Proc. 35th IEEE Symposium on Security and Privacy, Oakland, CA, 2014.
■ [RMHH13] A. Rastogi, P. Mardziel, M. Hicks, M. Hammer, "Knowledge inference for optimizing secure multi-party computation," Proc. Eighth ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS '13), ACM, New York, 2013.
■ [S09] G. Smith, "On the foundations of quantitative information flow," Proc. 12th International Conference on Foundations of Software Science and Computational Structures (FoSSaCS '09).
■ [S14] S. Paul, "Towards Automating the Construction and Maintenance of Attack Trees," GraMSec '14.
■ [SM04] A. Sabelfeld, A. Myers, "A Model for Delimited Information Release," Software Security - Theories and Systems, Lecture Notes in Computer Science, Futatsugi et al., eds., Springer Berlin Heidelberg, 2004.
■ [WS12] P. Williams, R. Sion, "Single Round Access Privacy on Outsourced Storage," Proc. 19th ACM Conference on Computer and Communications Security (CCS '12), 2012.
■ [WBK10] M. Wibmer, D. Biswas, F. Kerschbaum, "Leakage Quantification of Cryptographic Operations," On the Move to Meaningful Internet Systems: OTM 2010, Lecture Notes in Computer Science, Meersman et al., eds., Springer Berlin Heidelberg, 2010.