Introduction to Secure
Computation
Benny Pinkas
HP Labs, Princeton
1
Roadmap
• Secure Function Evaluation
– Motivation and definitions
– Scenarios
– Constructions
2
SFE Example – Millionaires Problem
?
<
=
>
X
$
Secure
Function
Evaluation
Protocol
Y
$
3
Secure Function Evaluation
• A set of (two or more) parties with private
inputs wish to compute some joint function
of their inputs.
• Parties wish to preserve some security
properties. E.g., privacy and correctness.
– Example: Computing the maximum
• Security must be preserved in the face of
adversarial behavior by some of the
participants.
4
…Secure Function Evaluation
• Cryptography aims for the following
(regarding privacy):
– A secure protocol must reveal no more
information than the output of the
function itself
– That is, the process of protocol
computation reveals nothing.
5
The Security Definition
For every real
adversary A
Protocol
interaction

there exists an
adversary S
Trusted party
REAL
IDEAL
6
Does the trusted party
scenario make sense?
y
x
F(x,y)
F(x,y)
• We cannot hope for more privacy
• Does the trusted party scenario make sense?
• Are the parties motivated to submit their
true inputs?
• Can they tolerate the disclosure of F(x,y)?
• If so, we can implement the scenario without a
trusted party.
7
Roadmap
• Secure Function Evaluation
– Motivation and definitions
– Scenarios
– Constructions
8
Modeling the Adversary
• Semi-honest: follows the protocol but
tries to learn more
• Malicious: can do anything
– E.g.,
• Protocol: “Flip a random coin and send the
result”
• Malicious party might…
• Easier to provide security against semihonest adversaries
9
Modeling the Adversary
• Do semi-honest adversaries make
sense?
– Semi-trusted parties?
– Secure hardware/software?
– It’s easier for the adversary to
eavesdrop than to change the program.
• Is there a reasonable model between
semi-honest and malicious?
10
Participating Parties
• Two parties.
• Multi-party: N parties with private inputs
x1,..,xN, wish to compute F(x1,..,xN).
• There are generic secure constructions for
both scenarios
• The constructions for the two-party
scenario are usually more efficient
11
Multi-Party Protocols
• The main issues are often the communication
pattern and the number of rounds
12
A different setting for multiparty protocols? [NPS]
Computation
Server 1
Computation
Server 2
Computation
Server m
Perform computation
P1
P2
Provide inputs (and that’s it)
Pn
13
Trust
Computation
Server 1
Computation
Server 2
Computation
Server m
dangerous collusion
benign collusion
P1
P2
benign collusion
Pn
This is not weaker security if we have some
14
trust that computation servers do not collude
Advantages
• Separation between input providers
and computation.
• Input providers
– submit their inputs independently of
each other.
– Do not have to coordinate their
operation.
• Once all inputs are submitted, the
computation is performed by the
computation servers.
15
Roadmap
• Secure Function Evaluation
– Motivation and definitions
– Scenarios
– Constructions
16
Secure two-party computation of
general functions [Yao, early 80s]
• First, represent the function F as a
Boolean circuit C
• It’s always possible
• Sometimes it’s easy (additions,
comparisons)
• Sometimes the result is inefficient
(e.g. for indirect addressing, a[i])
17
Garbling the circuit
• Bob constructs the circuit, and then
garbles it.
wk0,wk1
G
wi0,wi1
wJ0,wJ1
Wk0 = 0 on wire k
Wk1 = 1 on wire k
|Wk0| = |Wk1| > 80
(Alice will learn one
string per wire, but
not the bit to which
it corresponds.)
18
Gate tables
• For, e.g., an AND gate, Bob constructs
a table that enables to compute:
–
–
–
–
wk0 given wi0,wJ0
wk0 given wi0,wJ1
wk0 given wi1,wJ0
wk1 given wi1,wJ1
wk0,wk1
G
wi0,wi1
wJ0,wJ1
• I.e., given wix,wJy, can compute wkG(x,y)
19
Secure computation
• Bob sends the tables of the gates to Alice
• Given, e.g., wi0,wJ1, she computes wk0, but doesn’t
know the actual values of the wires.
• If Alice gets garbled values (w’s)
of her input values, she can
G
compute the output of the
circuit, and nothing else.
wi0,wi1
wk0,wk1
wJ0,wJ1
20
Secure computation – the big
picture
• Represent the function as a circuit C
• Bob sends to Alice |C| tables (e.g. 40|C|
Bytes).
• Alice performs an oblivious transfer for
every input bit. (Can do, e.g. 100 OTs per
sec.)
• ~One round of communication.
• Efficient for medium size circuits!
• Good for one invocation only! 
21
FairPlay [Nisan,Malkhi,Pinkas,Sella]
• Yao’s construction is about 20 years old.
There are no known implementations (?).
• FairPlay - a full fledged secure two-party
computation system, implementing Yao’s
“garbled circuit” protocol.
• Goals:
–
–
–
–
Investigate whether two-party SFE is practical
Actual measurements of overall computation
Breakdown of computation into parts
Test-bed for various optimizations
22
…FairPlay
• The Compilation paradigm
– Programs written in a high-level
programming language
– SHDL: Low-level language describing
Boolean circuits
– First stage: compile to SHDL and
optimize
– Second stage: Given an SHDL circuit,
generate programs implementing Yao’s
protocol
23
Specific Constructions of SFE
•
•
•
•
Mean
Max, Min
Set intersection
Median and quintiles
24
Discussion Points
• Candidate applications?
• Where will SFE be most beneficial?
• How to model the adversary?
25
Issues
• Suppose you cannot access the data
– Data cleaning?
– What functions do you need to compute?
26