Secure Computation » David Evans

Secure Computation in the MIPS Machine

David Evans — Wed, 06 Jul 2016 14:57:27 +0000

Existing systems for secure computation require programmers to express the program to be securely computed as a circuit, or in some domain-specific language that can be compiled to a form suitable for applying known protocols. We propose a new system that can securely execute native MIPS code with no special annotations. Our system has the advantage of allowing programmers to use a language of their choice to express their programs, together with any off-the-shelf compiler to MIPS; it can be used for secure computation of existing “legacy” MIPS code as well. Our system uses oblivious RAM for fetching instructions and performing load/store operations in memory, and garbled universal circuits for the execution of a MIPS ALU in each instruction step. We also explore various optimizations based on an offline analysis of the MIPS code to be executed, in order to minimize the overhead of executing each instruction while still maintaining security.

Paper: Xiao Shaun Wang and S. Dov Gordon and Allen McIntosh and Jonathan Katz, Secure Computation of MIPS Machine Code. In 21st European Symposium on Research in Computer Security (ESORICS), 2016.

The Cut-and-Choose Game and its Application to Cryptographic Protocols

David Evans — Wed, 06 Jul 2016 14:50:53 +0000

The cut-and-choose technique plays a fundamental role in cryptographic-protocol design, especially for secure
two-party computation in the malicious model. The basic idea is that one party constructs n versions of a message
in a protocol (e.g., garbled circuits); the other party randomly checks some of them and uses the rest of them in
the protocol. Most existing uses of cut-and-choose fix in advance the number of objects to be checked and in optimizing
this parameter they fail to recognize the fact that checking and evaluating may have dramatically different costs.

In a paper to be presented at USENIX Security 2016, we consider a refined cost model and formalize the cut-and-choose parameter selection problem as a constrained optimization problem. We analyze “cut-and-choose games” and show equilibrium strategies
for the parties in these games. We then show how our methodology can be applied to improve the efficiency of three representative categories of secure-computation protocols based on cut-and-choose. We show improvements of up to an-order-of-magnitude in terms of bandwidth, and 12–106% in terms of total time.

Paper: Ruiyu Zhu, Yan Huang, Jonathan Katz, and abhi shelat. The Cut-and-Choose Game and its Application to Cryptographic Protocols. USENIX Security Symposium, 2016.

Source code of our game solvers: https://github.com/cut-n-choose

Square-Root ORAM

David Evans — Fri, 03 Jun 2016 18:23:16 +0000

Hiding memory access patterns is required for secure computation, but remains prohibitively expensive for many interesting applications. Prior work has either developed custom algorithms that minimize the need for data-dependant memory access, or proposed the use of Oblivious RAM (ORAM) to provide a general-purpose solution. However, most ORAMs are designed for client-server scenarios, and provide only asymptotic benefits in secure computation. We developed a new version of the classical square-root ORAM of Goldreich and Ostrovsky suited for use in secure computation. It has over 100x lower initialization cost than the best previous schemes, and provides benefits over linear scan for just 8 blocks of data. Our scheme outperforms alternate approaches across a wide range of parameters, often by several orders of magnitude.

Samee Zahur presented the results at IEEE Symposium on Security and Privacy (“Oakland”) 2016. The full paper is:

Samee Zahur, Xiao Wang, Mariana Raykova, Adrià Gascón, Jack Doerner, David Evans, Jonathan Katz. Revisiting Square-Root ORAM Efficient Random Access in Multi-Party Computation. In 37th IEEE Symposium on Security and Privacy (“Oakland”). San Jose, CA. 23-25 May 2016.

For more (including source code and benchmarks), see https://oblivc.org/sqoram/.

Two Halves Make a Whole

David Evans — Sat, 28 Mar 2015 17:55:09 +0000

Surprisingly, it is possible to reduce the data needed for a garbled gate to only two ciphertexts per gate, while preserving free xors. The scheme for doing that is described in our paper, Two Halves Make a Whole: Reducing Data Transfer in Garbled Circuits using Half Gates by Samee Zahur and Mike Rosulek and David Evans (now available on eprint). Samee Zahur will present the work at Eurocrypt 2015 in Sofia, Bulgaria, 26-30 April.

Abstract. The well-known classical constructions of garbled circuits use four ciphertexts per gate, although various methods have been proposed to reduce this cost. The best previously known methods for optimizing AND gates (two ciphertexts; Pinkas et al., ASIACRYPT 2009) and XOR gates (zero ciphertexts; Kolesnikov & Schneider, ICALP 2008) were incompatible, so most implementations used the best known method compatible with free-XOR gates (three ciphertexts; Kolesnikov & Schneider, ICALP 2008). In this work we show how to simultaneously garble AND gates using two ciphertexts and XOR gates using zero ciphertexts, resulting in smaller garbled circuits than any prior scheme. The main idea behind our construction is to break an AND gate into two half-gates — AND gates for which one party knows one input. Each half-gate can be garbled with a single ciphertext, so our construction uses two ciphertexts for each AND gate while being compatible with free-XOR gates. The price for the reduction in size is that the evaluator must perform two cryptographic operations per AND gate, rather than one as in previous schemes. We experimentally demonstrate that our garbling scheme leads to an overall decrease in time (up to 25%), bandwidth (up to 33%), and energy use (up to 20%) over several benchmark applications. We also initiate a study of lower bounds for garbled gate size, and show that our construction is optimal for a large class of garbling schemes encompassing all known practical garbling techniques.

iDash Competition Winner

David Evans — Tue, 17 Mar 2015 17:51:02 +0000

Congratulations to Samee Zahur for winning the iDash Secure Genomics competition (Hamming Distance challenge task), sponsored by Human Longevity, Inc. A video of the event is available at http://www.humangenomeprivacy.org/.

Samee’s solution was built using Obliv-C, a language for data-oblivious computation.

Congratulations Professor Huang!

David Evans — Sat, 28 Feb 2015 18:55:31 +0000

Yan Huang, who completed his PhD in 2012 and was the original lead PhD student for this project, and then was a post-doc at the University of Maryland, is now an Assistant Professor at Indiana University. See his IU faculty page and personal blog. IU is the also the home of Steven Myers, one of the PIs of our NSF funded secure computation project.

Symmetric Cut-and-Choose

David Evans — Fri, 14 Jun 2013 15:05:39 +0000

Our paper on symmetric cut-and-choose is now available. The paper will be presented at CRYPTO 2013 in August.

Abstract. Beginning with the work of Lindell and Pinkas, researchers have proposed several protocols for secure two-party computation based on the cut-and-choose paradigm. In existing instantiations of this paradigm, one party generates k garbled circuits; some fraction of those are “checked” by the other party, and the remaining fraction are evaluated. We introduce here the idea of symmetric cut-and-choose protocols, in which both parties generate k circuits to be checked by the other party. The main advantage of our technique is that k can be reduced by a factor of 3 while attaining the same statistical security level as in prior work. Since the number of garbled circuits dominates the costs of the protocol, especially as larger circuits are evaluated, our protocol is expected to run up to 3 times faster than existing schemes. Preliminary experiments validate this claim.

Full paper (16 pages): [PDF]

Circuit Structures

David Evans — Tue, 05 Mar 2013 01:32:47 +0000

Samee Zahur and I have written a paper on Circuit Structures for Improving Efficiency of Security and Privacy Tools. The paper explores ways to design static circuits (as used in garbled circuit protocols and symbolic execution, among other things) to provide reasonable efficiency for algorithms that use common data structures like arrays. By taking advantage of somewhat predictable access patterns, as well as batching, our circuit structures are able to provide operations with amortized cost that is polylogarithmic in the size of the data structure (in contrast to naive approaches that would require effectively copying the entire data structure for each operation). Samee will present the paper at the IEEE Symposium on Security and Privacy (“Oakland”) in San Francisco in May.

Full paper (15 pages): [PDF]

Project: MightBeEvil.com/netlist

Code: http://github.com/samee/netlist

Quid Pro Quo-tocols

David Evans — Thu, 08 Mar 2012 02:53:50 +0000

Our paper on strengthening secure computation protocols to resist stronger adversaries is now available:

Yan Huang, Jonathan Katz, and David Evans. Quid Pro Quo-tocols: Strengthening Semi-Honest Protocols with Dual Execution. In 33rd IEEE Symposium on Security and Privacy (“Oakland” 2012), San Francisco, CA. 20-23 May 2012. [PDF, 13 pages]

Yan Huang will present the paper at the Oakland conference (which will be held in San Francisco for the first time, after being in Berkeley/Oakland for the first 32 years!) in May.

Abstract: Known protocols for secure two-party computation that are designed to provide full security against malicious behavior are significantly less efficient than protocols intended only to thwart semi-honest adversaries. We present a concrete design and implementation of protocols achieving security guarantees that are much stronger than are possible with semi-honest protocols, at minimal extra cost. Specifically, we consider protocols in which a malicious adversary may learn a single (arbitrary) bit of additional information about the honest party’s input. Correctness of the honest party’s output is still guaranteed. Adapting prior work of Mohassel and Franklin, the basic idea in our protocols is to conduct two separate runs of a (specific) semi-honest, garbled-circuit protocol, with the parties swapping roles, followed by an inexpensive secure equality test. We provide a rigorous definition and prove that this protocol leaks no more than one additional bit against a malicious adversary. In addition, we propose some enhancements to reduce the overall information a cheating adversary learns. Our experiments show that protocols meeting this security level can be implemented at cost very close to that of protocols that only achieve semi-honest security. Our results indicate that this model enables the large-scale, practical applications possible within the semi-honest security model, while providing dramatically stronger security guarantees.

Full paper (13 pages): [PDF]

Project site: MightBeEvil.com

Private Set Intersection

David Evans — Tue, 29 Nov 2011 13:27:28 +0000

Our paper on using generic garbled circuits to perform private set intersection is now available:

Yan Huang, David Evans, and Jonathan Katz. Private Set Intersection: Are Garbled Circuits Better than Custom Protocols?. In
19^th Network and Distributed Security Symposium (NDSS 2012), San Diego, CA. 5-8 February 2012. [PDF, 15 pages]

The paper develops three circuit designs for securely computing the intersection of two sets, where each set is the private input from one protocol participant. We show that for many scenarios, protocols built using only generic garbled circuit secure computation techniques can be competitive with the best custom-designed protocols for private set intersection.

Yan Huang will present the paper at NDSS in San Diego, in February 2012.