Fairplay - A Secure Two-Party Computation System
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Fairplay — A Secure Two-Party Computation System
Dahlia Malkhi1 , Noam Nisan1 , Benny Pinkas2 , and Yaron Sella1
1
The School of Computer Science and Engineering
The Hebrew University of Jerusalem
E-mail: {noam,dalia,ysella}@cs.huji.ac.il
2
HP Labs
E-mail: benny.pinkas@hp.com
Abstract ticipants to implement a joint computation that, in
Advances in modern cryptography coupled with rapid real life, may be implemented using a trusted party,
growth in processing and communication speeds make but does this digitally without any trusted party. A
secure two-party computation a realistic paradigm. classic simple example of such a computation is the
Yet, thus far, interest in this paradigm has remained Millionaires’ problem [39]: Two millionaires want to
mostly theoretical. know who is richer, without any of them revealing to
This paper introduces Fairplay [28], a full-fledged the other his net worth. More generally, informally,
system that implements generic secure function eval- the two-party SFE problem is the following. Alice
uation (SFE). Fairplay comprises a high level proce- has an input ~x = x1 , . . . , xs and Bob has an input
dural definition language called SFDL tailored to the ~y = y1 , . . . , yr . They both wish to learn f (~x, ~y ) for
SFE paradigm; a compiler of SFDL into a one-pass some publicly known function f , without revealing any
Boolean circuit presented in a language called SHDL; information on their inputs that cannot be inferred
and Bob/Alice programs that evaluate the SHDL cir- from f (~x, ~y ). (We refer the reader to, e.g. [20], for a
cuit in the manner suggested by Yao in [39]. formal introduction to SFE.) SFE is a universal build-
This system enables us to present the first evaluation ing block, and many interesting cryptographic proto-
of an overall SFE in real settings, as well as examining cols can be formulated as instances thereof, e.g., zero
its components and identifying potential bottlenecks. knowledge proofs, private database mining, electronic
It provides a test-bed of ideas and enhancements con- auction and negotiation, and voting protocols.
cerning SFE, whether by replacing parts of it, or by Thus far, SFE techniques are rarely applied in prac-
integrating with it. We exemplify its utility by exam- tice, and are typically considered to have mostly the-
ining several alternative implementations of oblivious oretic significance. In this paper, we suggest that it
transfer within the system, and reporting on their ef- is prime time to start translating these theoretical re-
fect on overall performance. sults into practical applications. We see three main
forces converging to make this transition possible:
1 Introduction 1. New applications: new applications are driven
by advances in the communication infrastructure (such
Motivation. Modern cryptography is usually con- as the ubiquity of the Internet or the emergence of web
sidered to have its beginning in the landmark papers services), coupled with increased demand for informa-
of Diffie and Hellman [16], who introduced the concept tion based relationships (e.g. for business or homeland
of public key encryption, and of Rivest, Shamir and security purposes). These applications often involve
Adelman [35] who suggested a concrete public key sys- sensitive information related to issues such as pricing,
tem. The fundamental theoretical studies along these business processes, or personal information, and their
lines originate in the late 1970’s, and the results - the security often relies on trusting a designated trusted
well-known cryptographic primitives of public key en- party (such as eBay in the case of auctions). Not all
cryption, authentication and digital signature - have users feel completely confident giving this trust, es-
been widely applied in practice during the 1990’s. pecially when high stakes are involved. SFE offers a
However, theoretical cryptography provided addi- solution for unmediated e-commerce applications such
tional, powerful (and perhaps less intuitive) tools. One as auctions and web services [32, 17].
of the most attractive paradigms in this category is a
secure function evaluation (SFE). It allows two par- 2. New cryptographic techniques: we have latelyseen a growing theoretical effort to overcome the main oblivious to the actual protocol that implements it.
efficiency bottlenecks of previous theoretical solutions. This is the common definition of secure computation
Such efforts include more efficient cryptographic so- used in cryptography1 (we refer the reader to cryp-
lutions for specific tasks such as auctions and certain tographic literature, e.g. to [10, 12, 20], for an exact
database access tasks (e.g. [31, 13]), as well as gen- definition). Specifically, a definition of a task using a
eral theoretical results improving on various efficiency trusted party involves the following elements:
parameters (e.g. [29, 30, 24]).
1. Exact specification of the interaction of the
3. Improved CPU and communication speeds: trusted party with the participants. This in-
while sending megabytes of communication, or spend- cludes specification of what the participants tell
ing GigaFlops of processing power would have seemed and what they learn from the trusted party.
unreasonably expensive only a few years ago, such ef-
fort is certainly acceptable now. It is not unreasonable 2. Exact specification of the internal computations
to spend such an effort even for tasks whose monetary of the trusted party.
value is a few dollars. Even Gigabytes of communica-
tion, and TeraFlops of processing power are reasonable In support of the user’s high level view of the com-
for important tasks. putation, we provide our own high-level definition
language called Secure Function Definition Language
The goal of this work is to provide the first full (SFDL). SFDL is a procedural language that resembles
fledged secure two-party computation tool that is read- a subset of Pascal or C, and is tailored to our purpose.
ily deployed by the community. Fairplay provides the For convenience, a syntax-driven GUI is provided that
first solid answers to questions regarding the efficiency guides the program developer.
of the overall computation, and its breakdown into Once such a specification is given, a compiler gen-
parts. Thus, using this tool, we are able to tell for erates an intermediate level specification of the com-
the first time the overall price of solving a problem putation in the form of a one-pass Boolean circuit.
like the above mentioned Millionaires’ problem in real Whereas classical theory on SFE was satisfied with the
network settings (the answer is ≈ 4 seconds over a fact that it is provably possible to reduce any function
wide area network, see Section 6). We further discern to a canonical Boolean representation, we tackle for
the cost of different components of the SFE, and assess the first time actually automating the transformation,
their relative effect on overall elapsed time. Thus, for while keeping efficiency in mind.
example, in Section 6 we analyze the relative contribu- The language used for describing the Boolean cir-
tion of the public key operations performed as part of cuit is named Secure Hardware Definition Language
the SFE protocol, and conclude that while 27%-77% (SHDL). Developing an SFDL-to-SHDL compiler is a
of the time is due to public key operations over a fast novel endeavor in itself, because unlike common hard-
LAN, only 9%-42% is accountable to public key oper- ware compilers, our compiler may use no registers, no
ations over a wide area link. loops or goto’s, and moreover, may use every gate only
Fairplay also serves as a test-bed of new ideas and once. Its complete obliviousness makes compiling even
algorithmic variations. For demonstration, we already the most primitive operations like array indexing (e.g.,
considered several flavors of oblivious transfer (OT) al- “a[i]”) a daunting task: it must create essentially a
gorithms within our tool. Specifically, we have imple- multiplexer, such that all possible values of “i” are
mented the original scheme by Bellare and Micali from hardwired into it. Thus, the SFDL-to-SHDL compiler
[6, 7], the enhancements suggested by Naor and Pinkas includes many novel tricks for reducing the number
in [30], and straight-forward communication batching. of resulting gates in the circuit, and for optimizing
Our experiments show a remarkable matching of the the use of wires. The final component of Fairplay
predicted 30% speedup of the enhancement in [30] over is a Bob/Alice pair of programs, whose input is an
[6]. The effect of communication batching is observed SHDL circuit, which together carry a secure compu-
to be up to nearly nine-fold speedup (see Section 6). tation protocol of the circuit in the manner suggested
Thus, our platform provides valuable guidance in trad- by Yao. The entire computation structure of Fairplay
ing different parameters. is depicted in Figure 1.
Technical approach. The first issue we tackle is the Security. The main security property guaranteed by
compilation paradigm. The correct paradigm for ad- the system is the equivalence to the specified trusted
dressing the computation is to adopt the trusted party party. I.e., each user is guaranteed that whatever the
model for the definition of tasks, and to compile these other participant does, including using completely dif-
definitions into protocols that do not use any trusted ferent software for communicating with him, his se-
party. In this way, the user specification is completely curity is assured to the same level that the trustedparty would have assured it. In particular, the func- programming language, which allows humans to spec-
tion is correctly computed on the reported values and ify the function-to-be-evaluated in the form of a com-
no information about the input of one party is leaked puter program. Another language that the system uses
to the other (beyond what is implied by the specified is the Secure Hardware Definition Language (SHDL).
output). Note, however, that, in principle, there is no The SHDL is a low-level language designed for speci-
way to “force” any party what to tell the trusted party fying Boolean circuits. The SFE computation is done
(e.g. force it to report its “true” input), and that in in several stages as shown in Figure 1.
two-party secure computation it is also impossible to
prevent one party from terminating the protocol pre- • An SFDL program file is written by the users us-
maturely, before the other party learns its output – ing an SFDL editor.
this is detected, but cannot be recovered from.
• The SFDL program is translated by an SFDL
The Fairplay system provides the guarantee above
compiler to an SHDL circuit file. The circuit is
based on common and widely accepted cryptographic
optimized before it is passed on to the next stage.
assumptions. We describe the security properties of
Fairplay in more detail in Section 5. The level of se- • The SHDL circuit is parsed. The resulting circuit
curity provided is asymmetric: Alice can only cheat is in the form of a Java object.
with negligible probability, but Bob can potentially
cheat with probability 1/m, where m is a parameter • Bob constructs m garbled/encrypted circuits and
that can be chosen at will and there is an overhead sends them to Alice. Alice randomly chooses one
that is proportional to m.2 of the circuits that will be evaluated.
• Bob exposes the secrets of the other m − 1 gar-
Summary of Contributions. We contribute a bled/encrypted circuits, and Alice verifies them
generic two-party computation engine that we make against her reference circuit.
available for use by the security community. The tool
is available at Fairplay’s web-site [28]. It includes • Bob specifies his inputs, and sends them to Alice
a specially tailored high level description language in garbled form. Alice inserts Bob’s inputs in the
(SFDL) that describes a secure computation in the garbled/encrypted circuit that she chose to eval-
trusted third-party model. It tackles the challenge of uate.
efficient compilation of SFDL into a one-pass Boolean
circuit. And it provides a Bob/Alice implementation • Alice specifies her inputs, and then Bob and Al-
that securely evaluates the circuit. ice engage in Oblivious Transfers (OTs) in order
Fairplay enables experimenting with mechanisms re- for Alice to receive her inputs (in garbled form)
lated to secure function evaluation, whether by replac- from Bob, while Bob learns nothing about Alice’s
ing a component of it, building on top of it, or interact- inputs.
ing with it. Our preliminary investigation introduces
• Alice evaluates the chosen circuit, finds the gar-
results concerning the overall cost of the SFE paradigm
bled outputs of both her and Bob, and sends the
in today’s Internet settings; it presents a breakdown
relevant garbled outputs to Bob.
of costs into components and bottlenecks; and it ex-
amines various enhancements that were introduced in • Each party interprets his/her garbled outputs and
the literature. prints the results.
2 System Overview 3 The SFDL, SHDL and their Com-
piler
We start by a general overview of the computation
being performed, which also allows us to present the
3.1 Motivation
main entities and components of our system. Fair-
play comprises two applications that are activated by The secure function evaluation protocol requires that
the two players, who want to engage in two-party se- the function to be evaluated be given as a Boolean cir-
cure function evaluation (SFE). By convention we call cuit. Designers, however, will desire the function to
these players/applications Bob and Alice. Prior to ex- be given in a more convenient high-level form. In the
ecuting the SFE protocol, the two players must define context of secure protocols, this is even more impor-
and coordinate the function-to-be-evaluated. In order tant than the strong usual reasons for writing in high-
to do that, they use the Secure Function Definition level programming languages. The starting point of
Language (SFDL), a language which was designed es- any attempt of security is a clear, formal, and easily-
pecially for this purpose. The SFDL is a high-level understandable definition of the requirements. SuchBob Alice
GUI
SFDL
program (a file)
? ?
SFDL compiler+ SFDL compiler+
Circuit optimizer Off-line Circuit optimizer
SHDL (a file) SHDL (a file)
circuit circuit
? ?
SHDL parser on-line SFE SHDL parser
circuit (a Java obj.) circuit (a Java obj.)
?
m×Circuit garbler
Garbled (Java obj.)
circuits
? ?
Circuits send - Circuits receive
? ?
Read Int ¾ Circuit choose
? ?
Reveal secrets - Circuits verify
? ?
Input+input send - Input receive
?
Input
? ?
OT sender ¾ - OT chooser
Output ¾ Circuit evaluator
Output
Figure 1: Computation overview
clarity of definition is almost impossible, for humans, this is one of the key reasons why it is humanly diffi-
using low-level formalisms such as Boolean circuits. cult to design efficient Boolean circuits. On the other
Clear high-level languages are needed. hand, the key reason why Boolean circuits were used
The compiler will thus accept a function written in a as the computation model for secure function evalua-
high-level programming language and compile it into tion protocols (rather than, e.g., a Turing machine)
a Boolean circuit that evaluates the same function. is their obliviousness. Non-oblivious computations
In our case the compiler compiles an SFDL program would seem to leak information from the very identity
into an SHDL circuit. In addition to bridging the se- of the operation being simulated (existing solutions
mantic gap between high and low level languages, as for running RAM based computations obliviously are
done by every compiler, a compiler into hardware has quite complex [22]).
to bridge another semantic gap: that of obliviousness. There do exist “hardware compilers” that compile
Boolean circuits are oblivious – they perform the same a high-level language into low level Boolean circuits.
sequence of operations independently of the input (i.e. These hardware compilers are used for actual hard-
compute the values of the gates one after the other). ware construction, and serve to ease the development
Normal high-level languages change their flow of con- effort. Most commonly used are the high level hard-
trol according to the input: they execute statements ware description languages VHDL [14] and Verilog [37]
conditionally, loop for a variable number of steps, etc. that do not “look” like “normal” programming lan-
This semantic gap is not a technicality, but rather guages. There are also many compilers that do aim
the central issue in hardware compilers. On one hand to use languages that “look” like usual programminglanguages, e.g. the C programming language (see e.g. Type system. The SFDL supports a full type sys-
[9, 18, 33, 38, 19]). There are some similarities and tem. The primitive types are Boolean, integer, and
some differences between the goals of such languages enumerated. For maximum efficiency and since there
and our goals. The similarities are concerned with is- is no pre-wired hardware word size, integers may be
sues like making conditional execution oblivious and declared to be of any bit-length and are always signed
the “single assignment” issue – each hardware bit can 2’s-complement. Similarly, enumerated types are al-
only be assigned a value once, but software allows re- located the minimal number of required bits. Struc-
assigning values, e.g. in statement like x=x+1. tures and arrays create more complex types from sim-
The main difference comes from the required out- pler ones. Structure entries are accessed using dot-
put. In our case the output should be a “theoreti- notation, s.f, and array entries using the standard ar-
cian’s Boolean circuit”: purely combinatorial, with no ray notation a[i]. Access to arrays has a potential for
sequential logic. Compilers into real hardware are ac- non-obliviousness if the index is not a constant expres-
tually mostly concerned with the use (and re-use) of sion. This is handled by the compiler, but users should
registers. Thus, for example, consider a command like be aware of the high price of such access. Pointers do
for i = 1 to 16 do sum = sum + a[i]. Our com- not exist – this is in order to maintain obliviousness.
piler should produce a circuit that has 16 copies of the Beyond their usual role as defining variable types, the
addition circuit. Real hardware compilers would pro- type system is used to formalize the input and out-
duce a circuit with a single register (sum) and a single put of the function to be evaluated. The special types
addition circuit, where in each of the 16 clock cycles, AliceInput, AliceOutput, BobInput, BobOutput, must
one value a[i] is added to the register’s contents. Ad- be defined in every program, specifying the respective
ditionally, our optimization metric is very simple: the input and output types of the two players. The types
number of gates (weighed by the the gate size). We Input and Output are always defined to be structures
are not bound at all by technological restrictions such encapsulating the inputs (resp. outputs) of both play-
as FPGA structure, delay considerations, or wiring is- ers.
sues.
Program Structure and Functions. An SFDL
program consists of a sequence of functions (as in C, no
3.2 The Secure Function Definition nesting is allowed) preceded by declarations of global
Language (SFDL) constants and types. Functions receive parameters
and return values using the Pascal-like syntax of as-
Let us begin with the simple example of the Million- signment to a variable whose name is identical to the
aires’ problem: function name. As in Pascal, a function must precede
any function that calls it. Unlike Pascal, no “forward”
program Millionaires { clause exists, and no recursion is allowed. The lack
type int = Int; // 4-bit integer of recursion is critical in order to maintain oblivious-
type AliceInput = int; ness. Functions may define and use local variables; in
type BobInput = int; the current implementation we forbid global variables.
type AliceOutput = Boolean; The last function in the program is the one computing
type BobOutput = Boolean; the desired output from the inputs. By convention it
type Output = struct { is named output. It accepts a single parameter of type
AliceOutput alice, BobOutput bob}; Input and produces the result of type Output.
type Input = struct {
Assignments and expressions. Expressions use
AliceInput alice, BobInput bob};
the standard notations: they combine constants, vari-
ables (including, recursively, array entries and struc-
function Output out(Input inp) {
ture items), and function calls using operators and,
out.alice = inp.alice > inp.bob;
optionally, parenthesis. The allowed operators include
out.bob = inp.bob > inp.alice;
arithmetic addition and subtraction, Boolean logical
}
operators (bitwise, for integers), and the standard
}
comparison operators. Due to their cost, multiplica-
tion and division are not provided as primitive opera-
First, note that the syntax is quite conventional, tors, but rather should be implemented as functions.
borrowing heavily from the C and Pascal program- Data types of different widths may be combined, and
ming languages. Now, let us look at some of the main sign-extension is used.
ingredients of this program as well as the language in
general. A full description of the language may be Loops and Conditional Execution. The SFDL
found in Appendix A. has the standard if-then and if-then-else statements.It should be noted that conditional execution is not Additionally, the compiler outputs another file that
oblivious, and thus the compiler generates hardware gives formatting instructions enabling the secure func-
that always computes both sides of the branch. Gen- tion evaluation protocol to input and output values in
eral loops are not oblivious and are not possible in a convenient user-friendly format. E.g. in the SHDL
the language. The language does provide a for-loop circuit produced above the first 4 wires (numbered 0–
where the number of iterations is known in advance (a 3) while treated as just 4 arbitrary bits inside the
compile-time constant). circuit, should be read from the user as an integer.
The following example is produced for the Millionaires’
problem above:
3.3 The compiler
Bob input integer "input.bob"
The compiler reads the input program written in [0 1 2 3]
SFDL, and performs a sequence of transformations on Alice input integer "input.alice"
it. In the end of the sequence of transformations, a [4 5 6 7]
data structure that corresponds to the hardware is ob- Alice output integer "output.alice" [18]
tained, and is then output in SHDL format. The fol- Bob output integer "output.bob" [29]
lowing example shows part of the SHDL output pro-
duced for the Millionaires’ problem above. Each line Here is a short description of the sequence of steps
in the SHDL output file specifies a “wire” in the gener- performed by the compiler:
ated circuit that is either an input bit or a Boolean gate
1. Parsing. Simple syntactic analysis and parsing,
with given truth-table and input wires. This format is
resulting in a memory-resident data structure. Due to
in a verbose form, in particular containing comments
the simplicity of the language we have not used any
(automatically generated, but ignored by the secure
compiler-compiler tools.
evaluation protocols).
2. Function inlining and loop unfolding. all func-
0 input //output$input.bob$0 tion calls are treated as macros and simply inlined
1 input //output$input.bob$1 where they are called. All for-loops are simply un-
2 input //output$input.bob$2 folded (note that the number of iterations is a compile-
3 input //output$input.bob$3 time constant). These two transformations may seem
4 input //output$input.alice$0 quite inefficient at first sight but that is not the case:
5 input //output$input.alice$1 they are absolutely required in order to maintain obliv-
6 input //output$input.alice$2 iousness.
7 input //output$input.alice$3 3. Transformation into single-bit operations.
8 gate arity 2 table [1 0 0 0] Every command that deals with multi-bit values is
inputs [4 5] transformed into a sequence of single-bit operations.
9 gate arity 2 table [0 1 1 0] In the simplest case, an assignment of the form a=b
inputs [4 5] where a and b are 4-bit integers is converted into the
10 gate arity 2 table [0 1 0 0] four single-bit assignments a0 = b0, a1 = b1, a2 =
inputs [8 6] b2, a3 = b3. In the case of expressions, first a com-
11 gate arity 2 table [1 0 0 1] plex expression is transformed into a sequence of op-
inputs [8 6] erations, e.g. a = b + c + d is converted into temp =
12 gate arity 2 table [1 0 0 1] b + c, a = temp + d. Then, each multi-bit operator
inputs [10 7] is converted into its hardware implementation. E.g.
13 gate arity 2 table [0 0 0 1] an operation a = b + c, where b and c are 4-bit in-
inputs [4 0] tegers is converted into a sequence of 4 ”full-adders”,
14 gate arity 3 table [0 0 0 1 0 1 1 1] implemented using 8 ternary gates.
inputs [13 9 1]
15 gate arity 3 table [0 0 0 1 0 1 1 1] 4. Array access handling. Handling array indices
inputs [14 11 2] that are compile-time constants is simple: each array
16 gate arity 2 table [0 1 1 0] entry is treated as a separate variable, and the array
inputs [12 3] access logic is thus completely compile-time and incurs
17 gate arity 2 table [0 1 1 0] no hardware cost. Handling array indices that are ex-
inputs [15 16] pressions must incur a significant hardware cost due to
18 output gate arity 1 table [0 1] the semantic gap that must be bridged. In particular,
inputs [17] //output$output.alice$0 every access to a single array entry results in O(n) pro-
... duced hardware gates, where n is the total array size.An access to the value of an array entry, as in a = b[i] • Dead code elimination.
is obtained by constructing a multiplexor whose n in-
puts are the entries of b, and whose selection input Peekhole optimization and duplicate removal are
bits are the bits of i. Assigning a value to an array done in a single pass in topological order over the cir-
entry, as in a[i] = b, is obtained essentially by using a cuit. Dead code elimination is then done in an addi-
demultiplexer. More precisely by using, in effect, the tional single pass in reverse topological order.
sequence of n if-commands that contain only constant
array access indices: if (i = 0) then a[0] = b; if (i = 1) 3.4 The single assignment algorithm
then a[1] = b; ...
The input to this algorithm is code that contains as-
5. Single variable assignment. Normal code com- signment statements, where each variable may be as-
monly assigns values to variables multiple times, as in signed a value multiple times and (possibly nested) if
a = b + c; ...; a = a + 1. Hardware, does not allow statements. The output is straight line code where
this: each ”variable”, actually, wire, is assigned a sin- each variables is assigned a value only once.
gle value computed as an obliviously known operation
on other wires. One of the main challenges of every Data structure. Our basic data structure is a stack
hardware compiler is to eliminate multiple assignments of hash tables. It maintains a running version number
of values to variables, and to transform them into sin- for each identifier. It supports the following opera-
gle assignments. This issue has received much atten- tions:
tion in the literature (see e.g. work on SSA form [15]). • new(id): increases the version number of this
It seems that our algorithm for this problem is new identifier (and returns the new version number).
and superior to previous approaches. In particular, it The first time an id is declared, its version number
runs in linear time as long as the nesting depth of if is assigned to 1.
statements in the program is bound by a constant.
Let us first look at the simple case shown above • get(id): returns the current version number of
a = b+c; ...; a = a+1. The single assignment transfor- the identifier.
mation defines a new copy of the variable for each as-
signment: a1 = b + c; ...; a2 = a1 + 1. Things get more • push-scope(): starts a new version scope for all
complicated, when the different assignments are inter- identifiers. The version numbers of all identifiers
leaved with conditional execution, e.g. a = b + c; if (x) are initialized to the current version numbers, but
then a = a + 1 else a = a + 2; In this case, we must cre- all further new(id) commands will only affect the
ate new copies of a for each branch, and an additional new scope.
copy combining them together after the loop ends: • pop-scope(): ends the current version scope. All
a1 = b + c; a2 = a1 + 1; a3 = a1 + 2; a4 = x?a2 : a3, version numbers of all identifiers are reset to their
where the last assignment uses the C-language ”?:” value in the previous scope.
operator notation, which in hardware is a simple mul-
tiplexor. Note also that this transformation has elimi- • enum-scope(): enumerate all the variables in
nated the ”if” statement, yielding an oblivious circuit. the current scope.
The algorithm for the general case is of independent
interest and is described in the next subsection. The implementation uses a new hash table for each
version scope. A new() command updates the ver-
6. Optimization. At this point we have obtained sion number in the current scope. A get() command
an in-memory image of a Boolean circuit. This circuit traverses the stack of hash tables (from the most re-
is now optimized, i.e., its size is reduced. The opti- cent backwards) until it finds an instance of the desired
mization step is crucial, often reducing the size of the identifier. Its running time is proportional to the stack
circuit by an order of magnitude. The optimization is depth.
done in linear time, and has three components:
Algorithm. Assume that the input is a sequence
• Peekhole optimization: local simplifications of of statements s1 ...sn . For ease of exposition, let us
code, e.g. (x and true → x), (x or not x → true), assume that all assignment commands involve two
etc. variables on the RHS, and that all if-statements
contain no else clauses. (An ”if (x) then y else z”
• Duplicate code removal: a hash table of all values command is equivalent to ”if (x) then y; if (not(x))
computed in the circuit is kept. If some value then z”.) The algorithm is now given by:
is computed twice, then one of the duplicates is
removed and replaced with direct access to the For i = 1..n do {
other wire. if si is a statement of the form" a = f (b, c) " then { teed by Yao’s protocol and is based on the security
i = get (b) of the symmetric function used for encoding the se-
j = get (c) cret (SHA-1, which is modeled, for this purpose, as
k = new (a) a pseudo-random function) and on the security of the
output: " ak = f (bi , cj ) " OT protocol against malicious behavior. The same
} properties also prevent malicious behavior of Bob, if
if si is a statement of the form we can guarantee the correctness of the circuit encod-
" if (x) then {r1 ...rm } " then { ing that he constructs. This last property was imple-
push-scope() mented using a cut-and-choose technique. Specifically,
recursively process {r1 ...rm } Bob sends m garbled circuits to Alice, and Alice ran-
Let V = enum-scope() domly chooses one circuit that will be evaluated. Bob
For each v ∈ V do must then reveal the secrets associated with the cir-
jv = get (v) cuits that were not chosen by Alice for evaluation. Al-
pop-scope() ice verifies that these m − 1 circuits indeed represent
For each v ∈ V do { the function f , by comparing them to a reference cir-
i = get (v) cuit that she constructed herself. The two parties then
j = jv evaluate the circuit Alice has chosen. This method al-
k = new (v) lows to catch a cheating Bob with probability 1−1/m.
output: " vk = x?vj : vi " In real-world scenarios, where cheating leads to bad
} reputation, this may be enough. We leave implemen-
} tation of more complex cut-and-choose techniques for
} future enhancements.3
4 Bob-Alice Two-Party SFE 4.2 Circuit preparation and evaluation
This section describes how Bob converts the Boolean
This section describes the specific two-party SFE pro- circuit C into a garbled circuit, and how Alice evalu-
tocol that was implemented in Fairplay, based on the ates that garbled circuit.
protocol suggested by Yao in his seminal work that in-
troduced the notion of secure function evaluation [39]. Circuit preparation. We use the notation Wk , k =
We start with a general overview and then describe 0, .., ` − 1 to denote all the wires that compose the
in detail how Bob constructs garbled circuits and how circuit C. All the gates in SHDL circuits have a single
Alice evaluates one. Finally we discuss the oblivious Boolean output. The number of inputs into a gate can
transfer (OT) variants that were implemented thus far. be either 1, 2 or 3 (SHDL itself allows more inputs, but
We do not prove here the security of the protocol, since the compiler produces only unary, binary or ternary
it was mostly borrowed from existing theoretical con- gates). For simplicity of exposition, in the description
structions (however, Section 5 states the security guar- below, we focus only on binary gates. The conversion
antees of the protocol, describes the reasoning for the of C into a garbled circuit works as follows.
choice of the specific cryptographic operations that we
use, and suggests some variants of the current proto- 1. Bob assigns to each wire Wk ∈ C two random t-
col). bit strings vk0 , vk1 (t is a security parameter that
was set to 80). The string vk0 represents the bit
0 for Wk . The string vk1 represents the bit 1 for
4.1 General overview Wk . Bob also assigns to each wire Wk ∈ C a
Our SFE computation is given as input a Boolean cir- random binary permutation (i.e., a bit) pk , and
cuit C made of gates and wires, described using SHDL. appends it to the pair vk0 , vk1 as follows: wk0 =
Then Alice and Bob interact in order to evaluate C vk0 ||(0 ⊕ pk ), wk1 = vk1 ||(1 ⊕ pk ). We let wk0 , wk1
securely. The version of Yao’s protocol that we im- denote the final result.
plemented requires a single OT per each input wire of 2. For each gate g ∈ C whose output wire is Wk and
C. In this version Bob constructs the circuit C, and whose input wires are Wi , Wj (see Figure 2)
converts it into a garbled circuit. The garbled circuit
is transferred to Alice. Then Bob and Alice execute (a) The original truth table of g consists of four
an OT once per each input wire. After this step Al- 0/1 entries. Bob constructs the Garbled-
ice evaluates the circuit independently without further Truth-Table (GT T ) of g by replacing every
interaction with Bob. 0 or 1 in the truth-table with wk0 or wk1 , re-
Thwarting malicious behavior by Alice is guaran- spectively.that Alice cannot interpret these strings back to Bob’s
Wi Wj
input bits, because the circuit is garbled. Alice then
uses oblivious transfer (OT) in order to obtain from
? ? Bob the garbled strings that match her input wires.
Gate g The OT protocol that was implemented is discussed in
x y out the next subsection. For now assume that for each in-
0 0 g00 put bit Alice obtains the corresponding garbled string.
0 1 g01
1 0 g10 Circuit evaluation. Alice proceeds to evaluate the
1 1 g11 garbled circuit gate by gate. Let g be a specific garbled
Wk gate whose output wire is Wk and whose input strings
? are wi , wj . Let the least significant bits of wi , wj be
x, y and the rest of the bits be vi , vj respectively. For
Figure 2: A gate in a circuit each such gate:
1. Alice uses x, y as indices into an entry to be de-
(b) Bob constructs the Encrypted-Garbled- crypted in g’s P EGT T .
Truth-Table (EGT T ) of g in the follow-
ing way. For entry (x, y) in g’s GT T , de- 2. Alice uses vi , vj as decryption-keys, and
fine x0 = x ⊕ pi , y 0 = y ⊕ pj . The en- k||x||y as an IV. Namely, Alice sets
try is encrypted using vix , vjy as encryption- wk = Decryptvi ,vj ,k,x,y (P EGT T [x, y]). The
keys and k, x0 , y 0 as an IV: EGT T [x, y] = decryption is done by hashing vi ||k||x||y and
Encryptvix ,vjy ,k,x0 ,y0 (GT T [x, y]). The encryp- vj ||k||x||y using SHA-1, and XORing the two
tion is done by hashing vix ||k||x0 ||y 0 and results to the ciphertext.
vjy ||k||x0 ||y 0 using SHA-1, and XORing the
Throughout the evaluation all that Alice obtains are
two results to the plaintext (see Section 5
garbled strings. These do not leak information on the
for explanations).
values of the bits flowing through the circuit. When
(c) Bob constructs the Permuted-Encrypted- Alice finds the garbled values of the output gates she
Garbled-Truth-Table (P EGT T ) of g by uses the translation tables to interpret the circuit’s
swapping the entries in g’s EGT T based on true output. As for Bob’s output, Alice sends him
the permutation bits assigned to g’s input the garbled values of his output wires. Bob associates
wires, namely pi , pj (the role of these per- them with the corresponding 0 or 1 values. (Note that
mutations is to make the position of a cer- in the case of a wire that carries an output bit which
tain string in a P EGT T meaningless). I.e., should be revealed to Bob alone, Alice cannot decipher
if pi = 1 then the first two entries of the ta- the value, or change it without being detected by Bob.
ble are swapped with the last two entries. If In the case of a wire that carries an output bit which is
pj = 1 then the first and third entries are revealed to both Bob and Alice, Alice can, of course,
swapped with the second and fourth entries. decrypt the value but she cannot change it without
(d) For each wire which carries a bit of Al- finding a collision in the hash function.)
ice’s output, Bob sends an appropriate
translation-table that allows Alice to inter- Malicious vs. Semi-honest parties. If the parties
pret the circuit’s output from the garbled are assumed to be semi-honest (i.e. follow the proto-
value of the wire. Namely, for every out- col) then there is no need for using cut-and-choose
put wire k Bob sends a table of the form methods for verifying the circuits constructed by Bob,
h(H(w0 ), 0), (H(w1 ), 1)i, where H is a colli- and we can set m = 1. The OT protocol, too, can be
sion resistant hash function, which we imple- simplified, since the current implementation is secure
mented as SHA-1. against malicious parties.5
Interaction. Initially, Bob sends to Alice m garbled
4.3 Oblivious Transfer
circuits as well as commitments to his garbled inputs
to each circuit. Out of these, Alice chooses at random Two OT variants were implemented thus far (the sys-
m − 1 circuits which are opened by Bob to prove that tem can be easily extended to employ more variants).
the circuits were prepared properly.4 Bob then opens Both variants are based on the Diffie-Hellman prob-
the commitments to the garbled strings that represent lem (and are implemented over a group Zq , which is a
his input bits of the remaining unopened circuit. Note sub-group of prime order q of Z∗p , where p is prime andq|p − 1). The first one is the 1-out-of-2 oblivious trans- Garbling the circuit. The basic symmetric crypto-
fer (OT12 ) protocol due to Bellare and Micali [6], which graphic function that we use is SHA-1. We preferred
was adapted to using random oracles [7]. The sec- it to using a block cipher (such as AES) since it sup-
ond protocol, which was proposed by Naor and Pinkas ports a variable input length. The encoding of the
in [30], is an optimization of the first one, that uses the circuit (garbling) can be implemented using a pseudo-
same g r mod p value for multiple OT executions (g is random function (as is described in detail, for exam-
a generator of the group Zq , r is a random exponent). ple, in [31]), where the output of the function is used
A detailed description of both protocols can be found as a pad that masks the values in the table represent-
in [30]. Both these OT protocols are secure in the ing a gate in the circuit. We use the masking values
random oracle model and were implemented using the SHA-1(wi ||k||x||y), SHA-1(wj ||k||x||y) for entry (x, y)
SHA-1 hash function. (There are constant-round OT of the table of gate number k, whose input wires are
protocols secure in the standard model [2, 30]. The i and j. (Note that wires i and j could be input into
SFE application requires multiple concurrent invoca- multiple gates.) The underlying security assumption
tions of these protocols, but on the other hand it is is that SHA-1 is pseudo-random function keyed by wi
only required that the SFE implementation, and not or wj and applied to other parameters.
necessarily each OT invocation, provide both privacy
and correctness.)
OT. The OT protocols are based on the random or-
5 Cryptographic Background acle model and the computational Diffie-Hellman as-
sumption. Alternative two-round OT protocols that
This section describes the rationale behind the choice are secure in the standard model and use only O(1) ex-
of specific cryptographic operations for Fairplay and ponentiations were described in [30, 2]. We preferred
suggests several additional variants. We do not pro- not to use them in order to reduce the number of ex-
vide here proofs of the correctness and security of the ponentiations.
implementation, as it is mostly based on existing con-
structions.
The protocol we implemented provides security
guarantees which depend on the following three as- Cut-and-choose. Bob commits to his garbled in-
sumptions: puts before the cut-and-choose step. This is done in
order to prevent him from choosing his input based on
1. SHA-1 is modeled as a random oracle. Alice’s choices in this step. We leave it for future work
2. The oblivious transfer protocol is secure (the se- to let Alice choose more than one circuit for evalua-
curity of the OT protocol can be based on the tion. This will reduce the cheating probability of Bob
computational Diffie-Hellman assumption [2, 30], to be exponentially small in the number of circuits
but we use random-oracle based protocols which that are evaluated, but implementing this variant re-
are more efficient). quires Bob to prove that he provides the same input to
all circuits, and this step incurs additional overhead.
3. Alice does not terminate the protocol before send- (An alternative method for verifying the garbled cir-
ing Bob’s output to him. cuit constructed by Bob is to require him to prove,
in zero-knowledge, that the tables are correct. To the
We get the following guarantees: best of our knowledge, this approach requires an even
• Bob is guaranteed that an interaction with a ma- higher overhead.)
licious Alice is not different than an interaction
with the trusted third party, except for a negligible
error probability. Bob’s output. The protocol provides Alice with the
• Alice has the same guarantee with relation to Bob, garbled values of Bob’s output wires. If the value of an
with error probability of 1/m. output wire should become known only to Bob (and
not to Alice) then she receives no information about
Note that these guarantees means that (1) a mali- the relationship between actual and garbled values of
cious party cannot learn more information about the this wire. If the output is used by both Bob and Alice,
other party’s input than it can learn in the trusted she receives hash values of the garbled values corre-
party model, and (2) a malicious party cannot change sponding to 0 and to 1. However, she is not able to
the computed function. Also, if we are assured that provide Bob with a garbled value that corresponds to a
Bob does not change the circuit he provides to Alice different output than the one she computed, since this
then his cheating probability is also negligible. would mean that she can invert the hash function.6 Experimental results numbers. Total circuit size is 4383 gates, out of
which 320 are inputs and 32 are outputs.
The first, immediate contribution of a system such as
Fairplay is that it can provide answers to very basic, The AND function was chosen as an example of the
concrete questions like: simplest possible circuit, whose size is of the same or-
der as the number of its inputs. The KDS function
• How much time does it take to execute the two- demonstrates a circuit in which the size of Alice’s in-
party SFE protocol for the quintessential Million- put (which defines the number of OTs) is much smaller
aires’ problem? than either the number of Bob’s inputs or the number
of gates. The median function demonstrates a circuit
• What would be the time-penalty if the two ty- whose size is much greater than the number of inputs.
coons in question were actually Billionaires and
not just Millionaires? Communication vs. computation. Another im-
portant contribution of a working system is that it
The experiments that we conducted using our sys-
enables a systematic, realistic investigation of the rel-
tem gave a very definite answer, that even the tougher
ative cost of its various ingredients. This can be done
Billionaires’ problem (i.e., using 32 bit inputs) can be
by utilizing profiling tools, and by performing super-
solved in very reasonable time. It took our system only
vised experiments, in which the cost of the different
1.25 seconds to solve the Billionaires’ problem using
sub-components is measured in isolation. One spe-
fast communication, and 4.01 seconds when commu-
cific question that we found interesting in this area is
nication was slow. More generally, in this paper we
the following: what is the relative cost of the public
report results for four functions, which produced cir-
key operations required by the two-party SFE proto-
cuits ranging in size from tens of gates to thousands
col? Since this relative cost is affected by the cost of
of gates. A summary of the various size parameters of
communication, and since communication delays vary
these four functions is shown in Table 1 (their SFDL
dramatically in different environments, we conducted
source code can be found in Fairplay’s web-site [28]).
our experiments in two extreme settings - LAN and
WAN. The LAN’s latency is 0.4 ms, and its effective
Function Number of circuit gates
throughput is 617.8 MBPS (Mega bit per second). The
Total Inputs Alice inputs
WAN’s latency is 237.0 ms, and its effective through-
AND 32 16 8
put is 1.06 MBPS. By activating our system on the
Billionaires 254 64 32
four functions described above, and profiling it under
KDS 1229 486 6
the LAN/WAN environments, we discovered that the
Median 4383 320 160
public key operations were responsible for 27%-77%
Table 1: The four functions of the total delay in the LAN setting, while in the
WAN setting the relative cost of the public key opera-
The details of the four functions are as follows: tions was only 9%-42%. These results suggest that, at
least for some interesting functions, the relative cost
• AND - performs bit-wise AND on two registers. of the communication is rather significant, especially
The input size for both Alice and Bob is 8 bits. in a WAN environment where communication is slow.
Total circuit size is 32 gates, out of which 16 are In light of this, we also calculated the slowdown fac-
inputs and 16 are outputs. tor caused by moving from LAN to WAN, which was
found to be at least 2.34 and at most 6.89.
• Billionaires - compares two integers. The input
size for both Alice and Bob is 32 bits. Total circuit Communication optimization using batching.
size is 254 gates, out of which 64 are inputs and Communication batching means that instead of send-
2 are outputs. ing k big integers (associated with different OTs) in
• Keyed Database Search (KDS) - Bob has a k separate messages, we aggregate them together and
database of 16 items, each item is keyed by a 6-bit send them in one big message. It is useful because of
key and comprises of 24 data bits. Alice privately the relatively large constant overhead associated with
retrieves the data of one item by specifying its key. any message being sent regardless of its size, and also
The input size for Bob is 480 bits and for Alice 6 due to internal implementation details of TCP/IP. By
bits. Total circuit size is 1229 gates, out of which implementing and measuring the performance of two
486 are inputs and 24 are outputs. variants of the SFE protocol, with and without com-
munication batching, we were able to assess its con-
• Median - finds the median of two sorted arrays. tribution. The observed speedup factors due to com-
The input for both Alice and Bob are ten 16-bit munication batching in a LAN setting were betweenFunction LAN WAN
IPCG CC OTs EV EET (sec) IPCG CC OTs EV EET (sec)
AND 1.5% 18.8% 79.5% 0.2% 0.41 0.2% 58.4% 41.4% 0.0% 2.57
Billionaires 3.2% 5.4% 91.1% 0.3% 1.25 0.8% 45.2% 53.9% 0.1% 4.01
KDS 40.4% 2.8% 54.1% 2.7% 0.49 5.9% 64.3% 29.4% 0.4% 3.38
Median 13.2% 7.2% 78.7% 0.9% 7.09 4.7% 45.8% 49.2% 0.3% 16.63
Table 2: Elapsed execution times and their breakdown into sub-tasks
1.89-2.72, while in a WAN setting they were between expected execution time as a function of the number
2.11-8.75. of OTs (Alice’s input bits), the number of gates, and
the security parameter m.
OT optimization. We have also implemented an
optimization technique for OT that was proposed by 7 Related work
Naor and Pinkas in [30], in which the sender uses the
same value of g r mod p for multiple OTs, improving There are very few previous actual implementations of
both computation and communication. The maximum secure computation, and even fewer automated com-
speedup factor of this optimization method that was pilers that generate an implementation of a secure pro-
observed in our system was 1.32. tocol from a program description in a higher level lan-
There are many additional optimization techniques guage.
that may be considered, implemented and tested (e.g., Kühne implemented a translator that takes a
turning multiple 1-out-of-2 OTs to a single 1-out-of- trusted-party specification of a multi-party protocol
n OT [30], or using computation batching of multiple and generates a specification for running the proto-
modular inverses). This is an area for future research col using the BGW paradigm [25]. (This implementa-
(see Section 8). tion is based on the specific construction of Hirt and
We conclude this section by presenting Table 2. This Maurer [23].) However, that project does not have an
table shows the elapsed execution times required for “evaluator” part, which performs a distributed imple-
the aforementioned functions in both LAN and WAN mentation of the resulting BGW protocol.
settings, and their breakdown into four main sub- MacKenzie et al. [27] implemented a compiler that
tasks. These sub-tasks are: IPCG - initializations, automatically generates protocols for secure two-party
parsing and circuit garbling, CC - circuits communi- computation that use arithmetic functions over groups
cation, OTs - Oblivious Transfers, EV - circuit evalu- and fields of special form. The compiler receives a
ation. (Note that the cost of the OTs includes contri- specification of a protocol that uses a secret key, e.g.,
butions from both calculating public key operations, for signature generation or for decryption, and imple-
and communicating their results back and forth.) The ments a threshold crypto protocol where the key is
results shown in Table 2 were obtained using the most shared between two parties and only the two of them
optimized method currently available in our system together can perform the protocol. The key is gen-
(namely, communication batching and Naor-Pinkas erated by a TTP and is given to the parties. Com-
g r optimization with no communication/computation pared to Fairplay, this is a compiler for a restricted
tradeoff). The EET columns present the elapsed exe- but important class of functions, which is particularly
cution time (in seconds), which was required for Alice suitable for applications where the secret key has to
to execute the entire two-party SFE protocol excluding be closely guarded using threshold cryptography. In
SFDL-to-SHDL compilation.6 The number of garbled principle this type of functions can be implemented
circuits for the cut-and-choose algorithm was set to by a Boolean circuit, but the result would be an over-
m = 2, and the size of the DL parameters p, q was whelmingly large circuit.
1024 and 160 bits, respectively. Both Alice and Bob An example of an automated security toolkit in a
used Intel 2.4 GHz Linux machines. The system was different domain is AGVI, a toolkit for Automatic
implemented in Java, and it used the TCP/IP pro- Generation, Verification, and Implementation of Se-
tocol for communication via Java sockets. The mea- curity Protocols [36]. AGVI receives as input a sys-
surements were taken as the average of 100 repetitions tem specification and security requirements, and au-
(10 for the Median function) of the protocol. All it- tomatically finds protocols for the specific application,
erations used a single TCP/IP connection, which was proves their correctness (using efficient search of a
established in the beginning. space representing the protocol execution), and im-
Part of the future work includes a more fine grained plements them in Java.
analysis of the performance. Namely, expressing the TEP [3] is a secure multi-party computation systemthat employs a trusted third party. The trusted plat- perfect solution for this issue and existing solutions
form co-joins participants in a joint computation, pass- are quite complex, some solutions can be implemented
ing authenticated information among participants over (e.g. [34]). We are currently extending our system with
guarded communication channels. TEP users need to fair termination mechanisms borrowing from [34].
annotate their program with information flow labels in
Reactive secure computation. Reactive secure
order to automatically verify that no information on
computation is an SFE which consists of several steps,
any private data is leaked through the TEP channels
where each step operates based on inputs from the par-
to other participants. In comparison, our system does
ties and a state information that it receives from the
not employ a TTP, and does not require information
previous step. For example, in each step the parties
flow labels by the user.
could compare two numbers and receive the result of
The secure program partitioning technique of [40]
the comparison, which they use to decide which in-
takes a user program written in a security-typed lan-
puts to provide to the following step. In addition, se-
guage, and automatically provides a distributed par-
cret state information is communicated from round to
titioning of the program. The user annotated pro-
round, and the inputs to all rounds are used by the
gram contains static information flow labels that spec-
protocol for computing the output of the final round
ify which program components may use what data and
(but should otherwise remain hidden from the parties).
how. An automated compiler splits the program to
This scenario, as well as appropriate security defini-
run on heterogeneously trusted hosts. Compared with
tions and constructions, was described in [10, 12]. (A
their approach, the secure program partitioning is ben-
protocol that uses reactive computation for securely
eficial only for programs that naturally break into com-
computing the median, in the presence of malicious
municating components, in a manner dictated by the
parties, was presented in [1].) In order to implement
user’s annotation.
secure reactive computation each step should transfer
a secret and authenticated state-information string to
8 Future Work the following step. In the two-party case this property
can be enforced using a modified implementation of
The current implementation of the secure two-party Yao’s protocol, see [1].
computation system can be extended in many ways.
Integrating other SFE primitives. While the
Improving the performance. The elapsed execu- generic construction of Yao can be used to implement
tion time is a function of the communication delay any functionality, more efficient constructions can be
and bandwidth, and of the processing time. Ideally designed for specific tasks (e.g. for bignum opera-
the network and the processor should run in parallel, tions, computing comparisons or intersections, evalu-
and none of them should be idle waiting for the other ating polynomials, or querying a database). A secure
one to finish its job. The current implementation does protocol for a more complex task can use a circuit
not perform this optimization. whose inputs are the results of specialized construc-
The main computational overhead is incurred by tions (for example, the protocol in [11] runs a circuit
running invocations of the oblivious transfer protocol. that computes statistics based on the results of secure
It would be interesting to explore deployment of fur- database queries, and the protocol in [26] runs a cir-
ther recent enhancements of OT, such as extending a cuit that uses uses the results of oblivious polynomial
small number of OTs into a large number of OTs us- evaluation).
ing symmetric cryptographic operations alone [24], or
using OT variants which are based on the hardness of Multi-party computation. The system we built
breaking RSA, rather than the DDH assumption. implements secure computation between two parties.
There is also a large body of research on secure multi-
Security against malicious parties. The basic party computation, for either combinatorial or alge-
SFE protocol of Section 4 provides a weak security braic circuits, and using different trust assumptions
against malicious parties. Namely, the cut-and-choose (see e.g. [21, 8, 5]). A natural next step is to im-
method guarantees with probability 1/m that the cir- plement the compilation paradigm in the multi-party
cuit that Bob prepares is correct. Some additional scenario. An additional open challenge is to devise fair
care must be taken if we want to reduce Bob’s cheat- termination techniques for multiple participants.
ing probability to be exponentially small in m (see,
e.g., [34]).
Acknowledgements
Fair termination. No implementation can prevent
a malicious party from aborting the protocol prema- We are grateful for the proactive and valuable par-
turely (e.g after learning its output and before the ticipation of several research students in the project.
other party learns its output).7 Although there is no Specifically, Ziv Balshai and Amir Levy implementedYou can also read
