Knowledge Inference for Optimizing Secure Multi-party Computation Aseem Rastogi

PLAS’13
Knowledge Inference for Optimizing
Secure Multi-party Computation
Aseem Rastogi
Piotr (Peter) Mardziel
Michael Hicks
Matthew Hammer
Secure Computation
Compute f(A, B) without revealing A to Bob and B to Alice
6/27/2016
Using a Trusted Third Party
[Figure: Alice and Bob exchange A, B and f(A, B) with a trusted third party]
Compute f(A, B) without revealing A to Bob and B to Alice
Secure Computation Protocols
[Figure: Alice and Bob obtain f(A, B) from A and B through a cryptographic protocol]
Compute f(A, B) without revealing A to Bob and B to Alice
Example – Joint Median Computation
{ A1, A2 }, { B1, B2 }
Assume: A1 < A2 and B1 < B2 and Distinct(A1, A2, B1, B2)
a = A1 ≤ B1;
b = a ? A2 : A1;
c = a ? B1 : B2;
d = b ≤ c;
output = d ? b : c;
Example – Joint Median Computation
a = A1 ≤ B1;
b = a ? A2 : A1;
c = a ? B1 : B2;
d = b ≤ c;
output = d ? b : c;
Secure Computation
Performance Optimization
• Cryptographic protocols prohibitively expensive
• Performance Optimization [F. Kerschbaum, CCS’11]
– Parties can infer some intermediate values eventually
• Once they know the output
– Revealing these early does not compromise security*
– Offload computation over known data to local hosts
* In a semi-honest (honest-but-curious) threat model
Questions
For a Secure Multi-party Computation (SMC) program:
• Can we infer which variables are known to a party?
• Can we infer an evidence for a party’s knowledge of a variable?
Contributions
• Formalization of knowledge
– Formalize what it means for a party p to know a variable x
• Knowledge inference algorithm
– Algorithm to infer if p knows x
– Proof of soundness and completeness
• Constructive knowledge inference algorithm
– Algorithm to construct an evidence of p’s knowledge of x
– Proof of soundness and completeness
Median Example – Analysis
a = A1 ≤ B1;
b = a ? A2 : A1;
c = a ? B1 : B2;
d = b ≤ c;
output = d ? b : c;
Alice and Bob know a and d
Median Example – Analysis from Bob’s Perspective
a = A1 ≤ B1;
b = a ? A2 : A1;
c = a ? B1 : B2;
d = b ≤ c;
output = d ? b : c;
• a = (output ≤ B1) (Recall: B1 < B2)
• d = (output ≠ B1 ∧ output ≠ B2) (Recall: Distinct(A1, A2, B1, B2))
Execution paths:
• A1 ≤ B1 ∧ A2 ≤ B1: a = true, b = A2, c = B1, d = true, output = A2
• A1 ≤ B1 ∧ A2 > B1: a = true, b = A2, c = B1, d = false, output = B1
• A1 > B1 ∧ A2 ≤ B1: a = false, b = A1, c = B2, d = true, output = A1
• A1 > B1 ∧ A2 > B1: a = false, b = A1, c = B2, d = false, output = B2
Optimized Joint Median Computation
a = A1 ≤ B1;
b = a ? A2 : A1;
c = a ? B1 : B2;
d = b ≤ c;
output = d ? b : c;
Secure Computation
Formalization of Knowledge
Party p knows x if:
x can be uniquely determined by p’s inputs I and outputs O
Two program executions that agree on I and O, also agree on x
Knowledge in Median Example
Let states σ map program variables to values
a = A1 ≤ B1;
b = a ? A2 : A1;
c = a ? B1 : B2;
d = b ≤ c;
output = d ? b : c;
Bob knows a, if for all final states σ1 and σ2 s.t.
• σ1[B1] = σ2[B1],
• σ1[B2] = σ2[B2], and
• σ1[output] = σ2[output],
we have,
• σ1[a] = σ2[a]
Knowledge Inference Algorithm
Compute postcondition of the program
(Sound approximation of final program states)
Example Postcondition for Median
a = A1 ≤ B1;
b = a ? A2 : A1;
c = a ? B1 : B2;
d = b ≤ c;
output = d ? b : c;
ϕ1 = (A1 ≤ B1) ∧ (a = true) ∧ (b = A2) ∧ (c = B1) ∧ (b ≤ c) ∧ (d = true) ∧ (output = b)
ϕ2 = (A1 ≤ B1) ∧ (a = true) ∧ (b = A2) ∧ (c = B1) ∧ (b > c) ∧ (d = false) ∧ (output = c)
ϕ3 = …, ϕ4 = …
φmedian = ϕ1 ∨ ϕ2 ∨ ϕ3 ∨ ϕ4
Knowledge Inference Algorithm
Compute postcondition of the program
Recall: we need to prove a property of any two program runs
Use self-composition to simulate two program runs
Self Composed Median Example
a = A1 ≤ B1;
b = a ? A2 : A1;
c = a ? B1 : B2;
d = b ≤ c;
output = d ? b : c;
a’ = A’1 ≤ B’1;
b’ = a’ ? A’2 : A’1;
c’ = a’ ? B’1 : B’2;
d’ = b’ ≤ c’;
output’ = d’ ? b’ : c’;
φself-composed = φmedian ∧ φ’median
Knowledge Inference Algorithm
Compute postcondition of the program
Use self-composition to simulate two program runs
Derive knowledge formula and solve using SMT solver
Deriving Knowledge Formula
Does Bob know a?
a = A1 ≤ B1;
b = a ? A2 : A1;
c = a ? B1 : B2;
d = b ≤ c;
output = d ? b : c;
a’ = A’1 ≤ B’1;
b’ = a’ ? A’2 : A’1;
c’ = a’ ? B’1 : B’2;
d’ = b’ ≤ c’;
output’ = d’ ? b’ : c’;
φmedian ∧ φ’median ∧ B1 = B’1 ∧ B2 = B’2 ∧ output = output’ ⇒ a = a’
Solving Using SMT Solver
φmedian ∧ φ’median ∧ A1 = A’1 ∧ A2 = A’2 ∧ output = output’ ⇒ a = a’
Valid? (SMT solver)
• Yes: Bob knows a
• No: depending on completeness of postconditions, Bob may / does not know a
Properties of Knowledge Inference
• Soundness
– If algorithm returns p knows x, then p and x satisfy the formal definition of knowledge
• Completeness
– If p and x satisfy the formal definition of knowledge, then algorithm returns p knows x
– Loop-free language (SMCs do not admit loops)
Constructive Knowledge Inference
• Infer an evidence for p’s knowledge of x
• Evidence is a formula for x in terms of p’s input and output variables
Constructive Knowledge Inference Algorithm
Formulate knowledge as an invariant of the program
Use template-based verification to infer the invariant (Srivastava et al., PLDI’09)
Setting up Constructive Knowledge Inference
Does Bob know a ?
(A1 < A2 ∧ B1 < B2 ∧ Distinct(A1, A2, B1, B2))
a = A1 ≤ B1;
b = a ? A2 : A1;
c = a ? B1 : B2;
d = b ≤ c;
output = d ? b : c;
Variables in τ ∈ { B1, B2, output }
assert(a = τ)
Setting up Constructive Knowledge Inference
Does Bob know a ?
(A1 < A2 ∧ B1 < B2 ∧ Distinct(A1, A2, B1, B2))
a = A1 ≤ B1;
b = a ? A2 : A1;
c = a ? B1 : B2;
d = b ≤ c;
output = d ? b : c;
assert(a = τ)
Candidate predicates for τ:
{ v1 op v2 | v1, v2 ∈ { B1, B2, output }, op ∈ { <, ≤, >, ≥, =, ≠ } }
Constructive Knowledge Inference Algorithm
• Derived from template-based verification
• Given (m, n), searches solutions in DNF(m, n)
• Efficient search: O(|Q|m + |Q|n) queries to SMT solver
– As opposed to naïve O(|Q|mn)
Constructive Knowledge Inference for Median
φpre = A1 < A2 ∧ B1 < B2 ∧ Distinct(A1, A2, B1, B2)
a = A1 ≤ B1;
b = a ? A2 : A1;
c = a ? B1 : B2;
d = b ≤ c;
output = d ? b : c;
a = output ≥ A1 (for Alice)
a = output ≤ B1 (for Bob)
d = (output = A1 ∨ output = A2) (for Alice)
d = (output ≠ B1 ∧ output ≠ B2) (for Bob)
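The definition from the “Formalization of Knowledge” slide and the candidate-predicate search from the constructive-inference slides, as an added Python example that is not code from the talk or the paper. It swaps the SMT solver for exhaustive enumeration over a small constructed domain (values 1 to 6), so it is a bounded check rather than a proof, and the search is the naive one; the names final_states, knows, evidence and VIEW are assumptions of this example.

```python
from itertools import combinations, permutations
import operator

def final_states(domain=range(1, 7)):
    """Final states of the median program over a small constructed domain."""
    states = []
    for A1, A2, B1, B2 in permutations(domain, 4):   # Distinct(A1, A2, B1, B2)
        if A1 < A2 and B1 < B2:                      # rest of the precondition
            a = A1 <= B1
            b = A2 if a else A1
            c = B1 if a else B2
            d = b <= c
            states.append(dict(A1=A1, A2=A2, B1=B1, B2=B2, a=a, b=b, c=c, d=d,
                               output=b if d else c))
    return states

STATES = final_states()
# What each party observes: its own inputs plus the output (assumed names).
VIEW = {"Alice": ("output", "A1", "A2"), "Bob": ("output", "B1", "B2")}
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq, "!=": operator.ne}

def knows(party, x):
    """Party knows x if runs that agree on its inputs and output agree on x."""
    seen = {}
    for s in STATES:
        observed = tuple(s[v] for v in VIEW[party])
        if seen.setdefault(observed, s[x]) != s[x]:
            return False
    return True

def evidence(party, x):
    """Formulas tau over the party's view with x == tau in every final state
    (x must be boolean). Single predicates first, then and/or of two."""
    Q = [(l, o, r) for l, r in permutations(VIEW[party], 2) for o in OPS]
    holds = lambda q, s: OPS[q[1]](s[q[0]], s[q[2]])
    found = [" ".join(q) for q in Q if all(holds(q, s) == s[x] for s in STATES)]
    if found:
        return found
    for q1, q2 in combinations(Q, 2):
        for word, join in (("and", all), ("or", any)):
            if all(join((holds(q1, s), holds(q2, s))) == s[x] for s in STATES):
                found.append(f"{' '.join(q1)} {word} {' '.join(q2)}")
    return found

if __name__ == "__main__":
    for p in VIEW:
        print(p, {x: knows(p, x) for x in "abcd"})
    print(evidence("Bob", "a"), evidence("Bob", "d")[:3])
```

Several equivalent formulas can satisfy the same template, so evidence returns every match at the smallest template size instead of a single τ.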
Properties of Constructive Knowledge Inference
• Soundness
– If algorithm infers a formula τ for party p and variable x, then x = τ at the end of the program
– Moreover, p can compute τ from its inputs and outputs
• Completeness
– Similar to the completeness of verification techniques
– If a solution τ exists in the template structure, our algorithm finds it
Connection to Information Flow Declassification Policies
• Knowledge inference similar to deciding delimited release [Sabelfeld et al., ISSS’04]
• Constructive knowledge inference similar to deciding required release [S. Chong, CSF’10]
• See our paper for more details!
Contributions
• Formalization of knowledge
– Formalize what it means for a party p to know a variable x
• Knowledge inference algorithm
– Algorithm to infer if p knows x
– Proof of soundness and completeness
• Constructive knowledge inference algorithm
– Algorithm to construct an evidence of p’s knowledge of x
– Proof of soundness and completeness
Ongoing Work
• Core calculus for writing M3PC program
– Formal type-directed translation to target protocol
– Translation exists for all well-typed programs
– Source and target semantics preserve knowledge
• Next step: Given inferred knowledge facts, automatically generate optimal M3PC programs