Practical Secure Two-Party Computation and Applications Lecture 3: Tools and Applications Estonian Winter School in Computer Science 2016


Page 1: Practical Secure Two-Party Computation and Applications · mance of secure multiplication protocols in §5.1.2. 5.1.1 Multiplication Circuits Textbook Multiplication. The usual way

Practical Secure Two-Party Computation and Applications

Lecture 3: Tools and Applications

Estonian Winter School in Computer Science 2016

Page 2: Overview of this lecture

Diagram (slide): Special Purpose Protocols vs. Generic Protocols. Generic protocols work either on Arithmetic Circuits (Homomorphic Encryption, built on public-key crypto) or on Boolean Circuits (GMW, Yao, built on OT and symmetric crypto down to the one-time pad).

Part 1: TASTY
Part 2: ABY
Part 3: GSHADE

Page 3: Part 1: TASTY

W. Henecka, S. Kögl, A.-R. Sadeghi, T. Schneider, I. Wehrenberg: TASTY - Tool for Automating Secure Two-partY computations. In ACM CCS'10.

Code: http://encrypto.de/code/TASTY

Page 4: How to use SFE for your specific task?

Goal: automate with tools.

Pipeline (slide): Task / Problem → Algorithm → SFE Protocol → Implementation → Measure Performance. The SFE protocol is built from Homomorphic Encryption (HE) or Garbled Circuits (GC).

Page 5: SFE Compilers and Libraries

Abstraction Level | Primitives | Tools (GC / HE)
Function Description (What?) | I/O, computation | Fairplay(MP) / (Py)SMCL
Protocol Description (How?) | I/O, enc/dec, compute under encryption | VIFF, SMC, Sharemind; here: TASTY (GC + HE)
Protocol Implementation (How Exactly?) | I/O, protocols, messages, crypto primitives | Qilin, L1

Previous SFE compilers were restricted to either GC or HE.

Page 6: SFE with Homomorphic Encryption (HE)

Application: SFE by computing on encrypted data. The Client holds the key pair and private data x, the Server holds private data y. The client sends pk and ⟦x⟧; the server computes ⟦z⟧ = f(⟦x⟧, ⟦y⟧) and returns ⟦z⟧, which the client decrypts to z. The function f is restricted to the specific homomorphic operation(s) of the scheme.

HE schemes, by the operations they support under encryption:
+ : [Paillier99], [DamgårdJ01], [DamgårdGK07], ...
+, 1* (one multiplication): [BonehGN05], [GentryHV10], ...
+, * : [Gentry09], [SmartV10], [vanDijkGHV10], ...

Homomorphic property: ∀x, y ∈ P : ⟦x ∘ y⟧ = ⟦x⟧ ∘ ⟦y⟧, where ⟦x⟧ := Enc_pk(x).

Page 7: Examples for Homomorphic Encryption Schemes

Multiplicatively homomorphic encryption: E_pk(x) · E_pk(y) = E_pk(x·y)
• RSA: c1 = x1^e mod n, c2 = x2^e mod n; c1·c2 = (x1^e)(x2^e) mod n = (x1·x2)^e mod n
• ElGamal: c1 = (g^r1, x1·h^r1), c2 = (g^r2, x2·h^r2); c1·c2 = (g^(r1+r2), x1·x2·h^(r1+r2))

Additively homomorphic encryption: E_pk(x) · E_pk(y) = E_pk(x+y), E_pk(x)^a = E_pk(a·x)
• Paillier: c1 = g^x1 · r1^n mod n², c2 = g^x2 · r2^n mod n²; c1·c2 = g^(x1+x2) · (r1·r2)^n mod n²

Page 8: Performance of Homomorphic Encryption

• Fully HE: minimal interaction but not practical yet
  – [SmartV10]: 3.5s to encrypt 1 bit (up to 2*)
  – [HaleviGentry EC'10 Rump]: Re-Crypt 30min (deg=15, dim=2^15)
• Additively Homomorphic Encryption is practical but needs interaction for multiplication:

Protocol (slide): the party holding ⟦x⟧, ⟦y⟧ chooses random r_x, r_y, masks both values under encryption, ⟦x⟧ ⊕ ⟦r_x⟧ = ⟦x + r_x⟧ and ⟦y⟧ ⊕ ⟦r_y⟧ = ⟦y + r_y⟧, and sends the masked ciphertexts to the key holder. The key holder decrypts, computes z = (x + r_x)·(y + r_y) in the clear and returns ⟦z⟧. The masks are then taken off under encryption:

⟦x·y⟧ = ⟦z⟧ ⊖ r_y·⟦x⟧ ⊖ r_x·⟦y⟧ ⊖ ⟦r_x·r_y⟧

Page 9: Combine Advantages of HE and GC

• HE good for linear operations (+, *)
• GC good for + and non-linear operations (<, min, ...)
• convert HE ⇔ GC [BrickellPSW07], [BarniFKLSS09], [KolesnikovSS13], ...
  1. A: add random mask under encryption
  2. B: decrypt + encrypt with new scheme
  3. A: take off random mask under encryption
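The Paillier homomorphisms of slide 7, the masked multiplication of slide 8 and the masking step (1-2) of the HE ⇔ GC conversion of slide 9, as an added worked example in Python. This is not TASTY code and not from the lecture: the key generation, the function names and the protocol simulation (client and server steps are direct function calls, not messages) are this example's own, and the two primes are constructed for the example and far too small for real use.

```python
"""Paillier (additively homomorphic) encryption, the interactive masked
multiplication from slide 8, and HE-to-additive-share conversion by masking
(slide 9). Toy parameters: the primes are constructed for this example."""
import math
import secrets

# Constructed example primes (two Mersenne primes). A real key uses primes of
# ~1024 bits; these only make the example run instantly.
P_EXAMPLE = (1 << 31) - 1
Q_EXAMPLE = (1 << 61) - 1


def keygen(p=P_EXAMPLE, q=Q_EXAMPLE):
    """Paillier key generation with the usual choice g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    n2 = n * n
    g = n + 1
    mu = pow((pow(g, lam, n2) - 1) // n, -1, n)         # L(g^lam mod n^2)^-1 mod n
    return (n, g), (lam, mu)


def enc(pk, m):
    """c = g^m * r^n mod n^2 with fresh random r; m is reduced mod n,
    so negative plaintexts encrypt their representative in Z_n."""
    n, g = pk
    n2 = n * n
    r = secrets.randbelow(n - 1) + 1
    return pow(g, m % n, n2) * pow(r, n, n2) % n2


def dec(pk, sk, c):
    """m = L(c^lam mod n^2) * mu mod n, with L(u) = (u - 1) / n."""
    n, _ = pk
    lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n


def he_add(pk, c1, c2):
    """[x] (+) [y] = [x + y]: multiply the ciphertexts."""
    n, _ = pk
    return c1 * c2 % (n * n)


def he_scale(pk, c, a):
    """a (.) [x] = [a * x]: raise the ciphertext to a (mod n, so a < 0 works)."""
    n, _ = pk
    return pow(c, a % n, n * n)


def masked_multiply(pk, sk, cx, cy):
    """Slide 8: the server (no sk) holds [x], [y]; the client holds sk.
    Returns [x * y] as the server ends up holding it."""
    n, _ = pk
    # server: mask both values under encryption with fresh r_x, r_y
    r_x, r_y = secrets.randbelow(n), secrets.randbelow(n)
    cx_masked = he_add(pk, cx, enc(pk, r_x))            # [x + r_x]
    cy_masked = he_add(pk, cy, enc(pk, r_y))            # [y + r_y]
    # client: decrypt the masked values, multiply in the clear, re-encrypt
    z = dec(pk, sk, cx_masked) * dec(pk, sk, cy_masked) % n
    cz = enc(pk, z)                                     # [(x+r_x)(y+r_y)]
    # server: take the masks off under encryption
    # [xy] = [z] (-) r_y[x] (-) r_x[y] (-) [r_x r_y]
    cxy = he_add(pk, cz, he_scale(pk, cx, -r_y))
    cxy = he_add(pk, cxy, he_scale(pk, cy, -r_x))
    return he_add(pk, cxy, enc(pk, -(r_x * r_y)))


def he_to_additive_shares(pk, sk, cx):
    """Slide 9, steps 1-2: the server adds a random mask r to [x] and the
    client decrypts. x is now additively shared (client: x + r, server: -r),
    and the client can re-encrypt its share under the next scheme."""
    n, _ = pk
    r = secrets.randbelow(n)
    client_share = dec(pk, sk, he_add(pk, cx, enc(pk, r)))
    server_share = (-r) % n
    return client_share, server_share
```

Every value the client sees in `masked_multiply` is uniformly masked in Z_n, so the client learns nothing about x or y beyond what the final product reveals; the server only ever handles ciphertexts. The same masking is what the later slides call an HE ⇔ GC conversion: after `he_to_additive_shares`, the client's share can be garbled and the server's share removed inside the circuit.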

Page 10: Theoretical Framework: SFE using GC + HE

SFE = convert + compute on encrypted data [KolesnikovSS13]:
1. encrypt inputs
2. compute under encryption
3. decrypt outputs

Diagram (slide): Client C and Server S hold plain values x as inputs/outputs. Encrypted values are either Homomorphic Values ⟦x⟧ (SFE of Arithmetic Circuits using Homomorphic Encryption) or Garbled Values x̃ (SFE of Boolean Circuits using Garbled Circuits), with conversions between the two representations.

Page 11: Contributions of the TASTY Framework

TASTY: SFE tool to arbitrarily combine GC+HE
• TASTYL: Intuitive Protocol Description Language
• For many privacy-preserving applications
• Primitives: shift complexity into setup phase
• Performance:
  – Faster GC implementation (10x faster online phase)
  – Fast Multiplication Circuits
  – Multiplication GC vs. HE

Page 12: TASTY: Tool for Automating Secure Two-partY computations

Design Goals:
• program SFE protocols as sequence of operations on encrypted data
• minimize latency of online phase by pre-computing in setup phase
• test, benchmark + compare performance of SFE protocols

Architecture (slide): a Protocol Description in TASTYL drives the Runtime Environment at Client C and Server S, which runs an Analyzation Phase (reporting Costs), a Setup Phase and an Online Phase; each party provides its Input and receives its Output.

Page 13: TASTYL: Types and Operators

Type hierarchy (slide):
• Plain Value (Unsigned, Signed, Modular; parameter: bitlength): rand, input, output; +, -, *, /, <, =, ...
• Plain Vector (Unsigned Vector, Signed Vector, Modular Vector; parameter: dimension N): rand, input, output; +, -, *, dot, /, =, ...
• Homomorphic Value: +, -, *
• Homomorphic Vector: +, -, *, dot
• Garbled Value: mux, <, =, ...
• Garbled Vector: min, max, ...

Page 14: TASTYL: Example

Inputs: C has vector v and S has vector w (N=4 unsigned L=32-bit values each). Output: C obtains min_{i=1..N} (v_i · w_i). The component-wise products are computed under HE, the minimum under GC.

def protocol(client, server):
    N = 4
    L = 32

    # input of client
    client.v = UnsignedVec(bitlen=L, dim=N)
    client.v.input(desc="enter values for v")

    # input of server
    server.w = UnsignedVec(bitlen=L, dim=N)
    server.w.input(desc="enter values for w")

    # convert unsigned to homomorphic vector
    client.hv = HomomorphicVec(val=client.v)
    server.hv <<= client.hv

    # multiply vectors (component-wise)
    server.hx = server.hv * server.w

    # convert homomorphic to garbled vector
    client.gx <<= GarbledVec(val=server.hx)

    # compute minimum value
    client.gmin = client.gx.min_value()

    # convert garbled to unsigned value and output
    client.min = Unsigned(val=client.gmin)
    client.min.output(desc="minimum value")

Page 15: Privacy-Preserving Applications in TASTYL

• Private Set Intersection [FreedmanNP04]: HE
• Face-Recognition [SSW09]: HE+GC
  – based on Eigenface algorithm [TurkP91]
  – better online communication than [ErkinFGKLT09]: HE
  – less efficient than hand-optimized code [SSW09]
  – SCiFI [OsadchyPJM10] is more accurate/efficient: co-designed recognition algorithm and protocol
• Medical Diagnostics (ECG) [BFKLSS09]: HE+GC
• ...

Page 16: Multiplication Circuits for ℓ-bit values

• Textbook multiplication: 2ℓ² − ℓ non-XORs [KSS09]
• Fast multiplication [KaratsubaO62]: ≈ 9ℓ^1.6 − 13ℓ − 34 non-XORs

TASTY and compare different protocols against each other and with existing SFE implementations: multiplication circuits and protocols based on GC or HE (§5.1), SFE of an AES circuit generated by the Fairplay compiler (§5.2), and SFE of large GCs (§5.3).

System Setup. All performance measurements are performed on two desktop PCs with Intel Core 2 Duo CPU (E6850) running at 3.00GHz and 4GB RAM connected via Gigabit Ethernet. The system runs on 64 bit Gentoo Linux with Python version 2.6.5, gmpy version 1.11 and GMP version 4.3.2. Unless stated otherwise, all measurements were performed for short-term security (cf. Table 4) and using point compression for elliptic curves (cf. §4.3).

5.1 Multiplication Circuits and Protocols

As arithmetic circuits can express arbitrary computations as sequence of additions and multiplications, multiplication is a fundamental basic operation. Indeed, the main difference between SFE protocols based on arithmetic and boolean circuits is the cost for multiplications. We present efficient multiplication circuits in §5.1.1 and compare the performance of secure multiplication protocols in §5.1.2.

5.1.1 Multiplication Circuits

Textbook Multiplication. The usual way of multiplying two unsigned ℓ-bit integers x and y, called "Textbook Method", multiplies x with each bit of y and adds up all the properly shifted results according to the formula $x \cdot y = \sum_{i=0}^{\ell-1} x\, y_i\, 2^i$. This results in a circuit with $2\ell^2 - \ell$ non-XOR 2-input gates [28].

Karatsuba Multiplication. As observed by Karatsuba [26], multiplication can be performed more efficiently using the following recursive method (details in Algorithm 1): x and y are split into two halves as $x = x_h 2^{\lceil \ell/2 \rceil} + x_l$ and $y = y_h 2^{\lceil \ell/2 \rceil} + y_l$. Then, the product can be computed as

$xy = (x_h 2^{\lceil \ell/2 \rceil} + x_l)(y_h 2^{\lceil \ell/2 \rceil} + y_l) = z_h 2^{2\lceil \ell/2 \rceil} + z_d 2^{\lceil \ell/2 \rceil} + z_l.$

After computing $z_h = x_h y_h$ and $z_l = x_l y_l$, $z_d$ can be computed with only one multiplication as $z_d = (x_h + x_l)(y_h + y_l) - z_h - z_l$. This process is continued recursively until the numbers are sufficiently small (ℓ = 19 in our case as described below) and multiplied with the classical school method. Overall, multiplying two ℓ-bit numbers with Karatsuba's method requires three multiplications of ℓ/2-bit numbers and some additions and subtractions with linear bit complexity, resulting in costs

$T_{Kara}(\ell) = 3\, T_{Kara}(\ell/2) + c\ell + d$

for constants c and d. The master theorem [8, §4.3f] yields asymptotic complexity $T_{Kara}(\ell) \in O(\ell^{\log_2 3}) \approx O(\ell^{1.585})$.

Algorithm 1 Karatsuba multiplication

1: function KARATSUBA(x, y)                ▷ x, y are ℓ-bit integers
2:   if ℓ ≤ 19 then
3:     return TEXTBOOK(x, y)
4:   end if
5:   x_h || x_l ← x                         ▷ x = x_h 2^⌈ℓ/2⌉ + x_l
6:   y_h || y_l ← y                         ▷ y = y_h 2^⌈ℓ/2⌉ + y_l
7:   P_h ← KARATSUBA(x_h, y_h)
8:   P_l ← KARATSUBA(x_l, y_l)
9:   x_s ← x_h + x_l
10:  y_s ← y_h + y_l
11:  P_s ← KARATSUBA(x_s, y_s)
12:  P_d ← P_s − P_h − P_l
13:  return P_h 2^{2⌈ℓ/2⌉} + P_d 2^{⌈ℓ/2⌉} + P_l
14: end function

Circuit Complexity. In TASTY we have implemented both methods for multiplication based on efficient addition and subtraction circuits of [28]. As shown in Fig. 6 and Table 5, Karatsuba multiplication is more efficient, i.e., results in circuits with less non-XOR gates, than Textbook multiplication already for multiplication of 20 bit operands. By interpolating through the points for bitlength $\ell \in \{32, 64, 128\}$ and solving the resulting system of linear equations we obtain as approximation for the number of non-XOR gates

$T_{Kara}(\ell) \approx 9.0165\, \ell^{1.585} - 13.375\, \ell - 34.$

Figure 6: Size of Multiplication Circuits

Table 5: Size of Multiplication Circuits (in number of 2-input non-XOR gates)

Bitlength ℓ | 19 | 20 | 32 | 64 | 128
Textbook | 703 | 780 | 2,016 | 8,128 | 32,640
Karatsuba | 703 | 721 | 1,729 | 5,683 | 17,973
Improvement | 0.0 % | 7.6 % | 14.2 % | 30.1 % | 44.9 %
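The circuit-size comparison of §5.1.1, as an added Python example that is not TASTY's circuit generator: it builds both multipliers from a ripple-carry adder that spends one non-XOR gate per bit (the free-XOR full adder of [28]), evaluates them on concrete inputs to check the product, and counts the non-XOR gates. The textbook count reproduces the 2ℓ² − ℓ formula exactly (703 at ℓ = 19, 2,016 at ℓ = 32, as in Table 5); the Karatsuba count lands somewhat above the paper's 1,729 at ℓ = 32 because this example does not optimize gates with constant inputs or the adder widths. The class and function names and the 19-bit threshold default are this example's own choices (the threshold follows the paper).

```python
"""Textbook vs. Karatsuba multiplication circuits: evaluate on concrete bits
and count the non-XOR gates (the ones that cost garbled tables under
free-XOR). Added example; not TASTY's own circuit generator."""


class GateCounter:
    """Evaluates gates on concrete bits and counts every non-XOR gate.
    A circuit's shape does not depend on its inputs, so one evaluation
    yields the exact gate count."""

    def __init__(self):
        self.non_xor = 0

    def xor(self, a, b):
        return a ^ b                  # free under free-XOR

    def and_(self, a, b):
        self.non_xor += 1             # one non-XOR 2-input gate
        return a & b


def to_bits(value, n):
    """Little-endian list of the n low bits of value."""
    return [(value >> i) & 1 for i in range(n)]


def from_bits(bits):
    return sum(b << i for i, b in enumerate(bits))


def _pad(xs, ys):
    n = max(len(xs), len(ys))
    return xs + [0] * (n - len(xs)), ys + [0] * (n - len(ys))


def add(c, xs, ys):
    """Ripple-carry adder with one AND per bit position [28]: the cell
    computes s = a^b^cin and cout = ((a^cin) & (b^cin)) ^ cin.
    Returns max(len(xs), len(ys)) + 1 bits (final carry included)."""
    xs, ys = _pad(xs, ys)
    carry, out = 0, []
    for a, b in zip(xs, ys):
        t = c.xor(a, carry)
        out.append(c.xor(t, b))
        carry = c.xor(c.and_(t, c.xor(b, carry)), carry)
    return out + [carry]


def sub(c, xs, ys):
    """xs - ys mod 2^max(len): add the complement of ys (XOR with the
    constant 1 is free) with carry-in 1; same cell, one AND per bit."""
    xs, ys = _pad(xs, ys)
    carry, out = 1, []
    for a, b in zip(xs, ys):
        nb = c.xor(b, 1)
        t = c.xor(a, carry)
        out.append(c.xor(t, nb))
        carry = c.xor(c.and_(t, c.xor(nb, carry)), carry)
    return out


def textbook(c, xs, ys):
    """x*y = sum_i x*y_i*2^i: l*l ANDs for the partial products plus l-1
    shifted l-bit additions, i.e. 2*l^2 - l non-XOR gates in total."""
    acc = [c.and_(x, ys[0]) for x in xs]
    for i in range(1, len(ys)):
        row = [c.and_(x, ys[i]) for x in xs]
        acc = acc[:i] + add(c, acc[i:], row)      # low i bits are final
    return acc


def karatsuba(c, xs, ys, threshold=19):
    """Algorithm 1: split at k = ceil(l/2), three half-size products, and
    fall back to the textbook circuit once l <= threshold."""
    n = len(xs)
    if n <= threshold:
        return textbook(c, xs, ys)
    k = (n + 1) // 2
    xl, xh, yl, yh = xs[:k], xs[k:], ys[:k], ys[k:]
    p_h = karatsuba(c, xh, yh, threshold)
    p_l = karatsuba(c, xl, yl, threshold)
    p_s = karatsuba(c, add(c, xh, xl), add(c, yh, yl), threshold)
    p_d = sub(c, sub(c, p_s, p_h), p_l)           # (xh+xl)(yh+yl) - ph - pl
    return add(c, add(c, p_l, [0] * k + p_d), [0] * (2 * k) + p_h)


def count_gates(mult, n, x, y):
    """Run `mult` on n-bit x and y; return (product, non-XOR gate count)."""
    c = GateCounter()
    return from_bits(mult(c, to_bits(x, n), to_bits(y, n))), c.non_xor


if __name__ == "__main__":
    for n in (19, 20, 32, 64):
        _, tb = count_gates(textbook, n, 12345, 6789)
        _, ka = count_gates(karatsuba, n, 12345, 6789)
        print(f"l={n:3d}: textbook {tb:6d}  karatsuba {ka:6d}")
```

The subtraction in step 12 is what makes the recursion pay off: it costs only linearly many AND gates, so replacing one of four half-size multiplications with two subtractions wins as soon as the halves are large enough, which is why the break-even point sits near 20 bits rather than at the smallest sizes.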


5.1.2 Multiplication Protocols

Using TASTY we compare the performance of different secure multiplication protocols based on homomorphic encryption (HE) and garbled circuits (GC). For this we constructed four basic test cases. For each SFE paradigm, we consider the case where both inputs are provided by one party (S for GC1 and C for HE1), or one by each of the parties (GC2 and HE2). The inputs are Unsigned ℓ-bit values and the output, a 2ℓ-bit Unsigned value, is converted into a Plain output for C. In the following, we compare the communication- and the computation complexity of the setup- and online phase of the protocols.

[Figure 9: Multiplication Protocols: Communication. Plot of data in bytes (log scale, 100 to 1e+07) against bitlength (1 to 128); series: HE1: Online, HE2: Online, GC1: Setup, GC1: Online, GC2: Setup, GC2: Online.]

Communication (cf. Fig. 9). Our experiments show that GC-based multiplication requires a substantial amount of setup communication (for transfer of GCs) whereas the online communication of GC is better than HE for multiplication of small values. The online communication for multiplying with HE is independent of the bitlength ℓ as a constant number of ciphertexts (2 for HE1 and 5 for HE2) is exchanged. For multiplying with GC, the setup communication grows rapidly due to the large size of the GCs, whereas the online communication complexity grows much slower.

Setup Time (cf. Fig. 10(a)). The time of the setup phase for GC-based multiplication protocols depends on the bitlength ℓ as GCs need to be computed; for better visualization we do not plot GC setup times for S in Fig. 10(a) as they are similar to those of C. For HE-based multiplication, the setup time is independent of ℓ as a constant number of encryptions is pre-computed.

Online Time (cf. Fig. 10(b)). For GC-based multiplication, the time needed by C depends on the size of the evaluated GC which grows with the bitlength ℓ; GC's online time for S is negligible. For HE-based multiplication, the time in the online phase is almost independent of ℓ for small bitlengths.

Conclusion. The setup phase for GC-based multiplication is substantially more expensive than that of HE-based multiplication. However, for small values, GC-based multiplication can result in a faster online time than HE-based multiplication. Furthermore, GC-based multiplication, in contrast to HE-based multiplication, needs no (when composed with other GC-based computations) or negligible online interaction and workload for S.

Parallel Multiplications. When N multiplications are done in parallel, e.g., component-wise multiplication of two vectors of N components, time and data complexity of GC-based multiplication grows linearly in N. HE-based parallel multiplication increases slower as multiple homomorphic values can be packed before sending from S to C (cf. §2.1).

Security Level. We note that when the security level is

Page 17: Multiplication using GC vs. HE

• Multiplication = fundamental basic operation
• Compare efficiency with TASTY (80 bit security level)

Test cases (slide), computing z = x · y between Client C and Server S: HE1: C holds both x and y; GC1: S holds both x and y; GC2, HE2: C holds x and S holds y.

Page 18: Multiplication GC vs. HE: Communication

[Plot (slide): data in bytes (log scale, 100 to 1e+07) against bitlength (1 to 128); series: HE1: Online, HE2: Online, GC1: Setup, GC1: Online, GC2: Setup, GC2: Online.]

HE: better setup costs
GC: less online costs for small operands

Page 19: Multiplication GC vs. HE: Setup Time

[Plot (slide): setup time in ms (log scale, 0.1 to 10000) against bitlength (1 to 128); series: HE1: C, HE1: S, HE2: C, HE2: S, GC1: C, GC2: C.]

HE: less setup time

Page 20: Multiplication GC vs. HE: Online Time

[Plot (slide): online time in ms (log scale, 0.1 to 1000) against bitlength (1 to 128); series: HE1: C, HE1: S, HE2: C, HE2: S, GC1: C, GC1: S, GC2: C, GC2: S.]

GC: negligible online work for S
GC: better for small operands

Page 21: Part 2: ABY

D. Demmler, T. Schneider, M. Zohner: ABY - a framework for efficient mixed-protocol secure two-party computation. In NDSS'15.

Code: http://encrypto.de/code/ABY

Page 22: Protocol Development

Diagram (slide), from Idea to implementation: a Function is represented as Boolean Circuits or Arithmetic Circuits (Representation); the Protocol is GMW or Yao for Boolean circuits and DGK or Paillier for arithmetic circuits; Optimizations listed for Yao are Point-and-permute, Fixed-Key Garbling, Free-XOR and Half-Gates, while the GMW and arithmetic columns are marked "?"; on top sit Existing Frameworks and Abstract Languages, ...

Page 23: Mixed Protocols

- Some functionalities have a more efficient circuit representation
  ● Multiplication in Boolean circuits: O(n²)
  ● Comparison in Arithmetic circuits: O(n) multiplications of q-bit values
- TASTY [HKSSW10] combines Paillier (Arithmetic) and Yao (Boolean)
- Multiplication and conversion requires public-key operation
  ● For long-term security, Yao-only is often most efficient [KSS14]

Page 24: Example: Minimum Euclidean Distance

Minimum Euclidean Distance: min(Σ_{i=1}^{d} (S_{i,1} − C_i)², …, Σ_{i=1}^{d} (S_{i,n} − C_i)²)
● Server holds database S, client holds query C
● Used in biometric matching (face-recognition, fingerprint, …)

Diagram (slide): the function can be evaluated on Boolean Circuits (GMW, Yao), Arithmetic Circuits (Paillier, DGK, ...) or combinations of them (Paillier+DGK, Yao+DGK, ...).

Page 25: Outline

Diagram (slide): Function → Boolean Circuits (GMW, Yao) / Arithmetic Circuits (DGK, Paillier, ...).

1) More efficient multiplication using OT extension
2) More efficient conversion
3) Mixed-protocol framework called ABY

Page 26: Multiplication using OT [Gilboa99]

School Multiplication z = x * y with x = x3x2x1x0 and y = y3y2y1y0:

  x3x2x1x0 * y3y2y1y0
= (x3x2x1x0) * y0 + (x3x2x1x0 0) * y1 + (x3x2x1x0 0 0) * y2 + (x3x2x1x0 0 0 0) * y3
= z7z6z5z4z3z2z1z0

OT-based protocol (slide): the holder of x chooses r_i ∈_R Z_{2^8} and inputs (r_i, r_i + 2^i·x) to the i-th OT; the holder of y inputs the choice bit y_i and receives s_i = r_i + 2^i·x·y_i:

  (r0, r0 + x)  → OT ← y0 :  s0 = r0 + x·y0
  (r1, r1 + 2x) → OT ← y1 :  s1 = r1 + 2x·y1
  . . .
  (r3, r3 + 8x) → OT ← y3 :  s3 = r3 + 8x·y3

[z]_A = Σ_{i=0}^{3} (−r_i)
[z]_B = Σ_{i=0}^{3} s_i = Σ_{i=0}^{3} r_i + Σ_{i=0}^{3} 2^i·x·y_i
z = [z]_A + [z]_B
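The OT-based multiplication of slide 26, as an added Python example (not ABY code): it generalizes the 4-bit sketch to ℓ-bit operands with shares in Z_{2^{2ℓ}}. The OT itself is an idealized stand-in function that simply hands the receiver the chosen message; the function names are this example's own.

```python
"""OT-based multiplication [Gilboa99] as on slide 26: party A holds x,
party B holds y, and they end with additive shares of z = x*y mod 2^(2l).
The OT is idealized; a real deployment runs OT extension in its place."""
import secrets


def ideal_ot(m0, m1, choice_bit):
    """Idealized 1-out-of-2 OT (constructed stand-in for a real OT protocol):
    the receiver gets m_choice and nothing about the other message, the
    sender learns nothing about choice_bit."""
    return m1 if choice_bit else m0


def gilboa_multiply(x, y, bitlen):
    """A (OT sender) inputs x, B (OT receiver) inputs y, both bitlen-bit
    unsigned. For bit i of y, A offers (r_i, r_i + 2^i * x) and B selects
    with y_i, obtaining s_i = r_i + 2^i * x * y_i. Returns (share_A, share_B)
    with share_A + share_B = x*y mod 2^(2*bitlen)."""
    mod = 1 << (2 * bitlen)              # Z_{2^8} on the slide for 4-bit values
    share_a = share_b = 0
    for i in range(bitlen):
        r_i = secrets.randbelow(mod)     # A's fresh mask for this OT
        y_i = (y >> i) & 1               # B's choice bit
        s_i = ideal_ot(r_i, (r_i + (x << i)) % mod, y_i)
        share_a = (share_a - r_i) % mod  # [z]_A = -sum_i r_i
        share_b = (share_b + s_i) % mod  # [z]_B =  sum_i s_i
    return share_a, share_b


def reconstruct(share_a, share_b, bitlen):
    """z = [z]_A + [z]_B mod 2^(2l); only the output is ever opened."""
    return (share_a + share_b) % (1 << (2 * bitlen))


if __name__ == "__main__":
    a, b = gilboa_multiply(13, 11, 4)
    print(a, b, reconstruct(a, b, 4))    # shares differ each run; z = 143
```

B's view consists of one uniformly random value per OT (each s_i is masked by a fresh r_i), so B learns nothing about x; A never sees y at all, which is exactly the property that lets ABY replace the public-key multiplication of TASTY with symmetric-key OT extension.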

Page 27: Multiplication using OT Extension

Use a multiplication protocol that is based on OT extension
● Requires symmetric-key cryptography only

Compare one multiplication using Paillier, DGK, and OT extension.

Communication and run-time for 1 multiplication in LAN and WAN for long-term security.

[Plots (slide): Communication in bytes (0 to 3000) and Run-Time in μs (log scale, 1 to 100000) against bit-length of values (8, 16, 32, 64); series: Paillier (WAN), DGK (WAN), Paillier (LAN), DGK (LAN), OT-Ext (WAN), OT-Ext (LAN).]

Page 28: The ABY framework

Combine: ● Arithmetic sharing ● Boolean sharing (GMW) ● Yao's garbled circuits

Efficient conversions between schemes

Use best practices in secure computation: ● batch pre-compute crypto ● use symmetric crypto where possible ● use sub-protocols with recent optimizations

Page 29: ABY Secure Computation Schemes

Arithmetic sharing (A): ● Free addition / cheap multiplication ● Good for multiplication

Boolean sharing (B): ● Free XOR / one message per AND ● Good for multiplexing

Yao's garbled circuits (Y): ● Free XOR / no interaction per AND ● Good for comparison

Multiplication c = a*b (table on slide):
Protocol | Yao | Mixed
LAN [µs] | 1.1 | 0.1
Comm. [KB] | 100 | 5

Page 30: Example: Minimum Euclidean Distance

Minimum Euclidean Distance: min(Σ_{i=1}^{d} (S_{i,1} − C_i)², …, Σ_{i=1}^{d} (S_{i,n} − C_i)²)
● Server holds database S, client holds query C
● Used in biometric matching (face-recognition, fingerprint, …)

1) Evaluate in Arithmetic circuits using Paillier [EFGJKT09] or DGK [BG11] ● Comparison is costly
2) Multiplication in Arithmetic; Comparison in Boolean circuits [HKSSW10] ● Costly conversion/multiplication: expensive public-key crypto
3) Evaluate everything in Boolean circuits using Yao [KSS14]

Page 31: Example: Minimum Euclidean Distance

Minimum Euclidean Distance: min(Σ_{i=1}^{d} (S_{i,1} − C_i)², …, Σ_{i=1}^{d} (S_{i,n} − C_i)²)

dist | min | LAN [s] | WAN [s] | Comm [MB] | #Msg
Y | Y | 2.55 | 24.62 | 147.7 | 2
B | B | 2.43 | 39.41 | 99.9 | 129
A | Y | 0.19 | 3.42 | 5.0 | 8
A | B | 0.21 | 26.41 | 4.6 | 101

Euclidean distance for n = 512 values of 32-bit length and d = 4.

Page 32: Summary of ABY Framework

ABY = mixed-protocol secure computation framework

Abstract from underlying secure computation protocol

Use only fast symmetric key crypto

Page 33: Part 3: Privacy-Preserving Biometric Identification

J. Bringer, H. Chabanne, M. Favre, A. Patey, T. Schneider, M. Zohner: GSHADE: Faster privacy-preserving distance computation and biometric identification. In ACM IH&MMSEC'14.

Code: http://encrypto.de/code/GSHADE

Page 34: Privacy-Preserving Biometric Identification

Task: Check if query is similar to an entry in the DB.
- without revealing the query to the server
- without revealing the DB to the client

Setting (slide): the client holds the query X, the server holds the database Y1, Y2, Y3, ..., Yn.

Page 35: Use-Cases

Biometric Access Control / Border Control

Anonymous Biometric Credentials

Secure Biometric Database Intersection

Page 36: The SCiFI Algorithm [Osadchy/Pinkas/Jarrous/Moskovich S&P'10]

Diagram (slide): for every database entry i = 1..n, test HD(X, Y_i) < t_i ?

Compute Hamming distance of ℓ=900 bit strings and compare with threshold.

Page 37: Privacy-Preserving Biometric Identification: Classification

Distance \ Technique | Public-Key Crypto | Boolean / Hybrid | OT-based
Hamming (HD) | [OPJM10] | [HEKM11] [SZ13] | [BCP13] SHADE, GSHADE
Euclidean | [EFG+09] [SSW09] [HKS+10] [BG11] [HMEK11] [SZ13] (public-key and Boolean/hybrid columns) | | GSHADE
Normalized HD | - | [BG11] | GSHADE

Page 38: SHADE

Secure Hamming Dist. computation from OT [BringerChabannePatey'13]
Goal: compute HD(X,Y) = Σ_{i=1..ℓ} (x_i ⨁ y_i)

for i = 1..ℓ:
  the holder of Y chooses r_i ∈_R Z_{ℓ+1} and inputs (r_i + y_i ; r_i + (1 − y_i)) to the OT;
  the holder of X inputs x_i and receives t_i = r_i + (x_i ⨁ y_i)

T = Σ t_i = R + HD(X,Y), where R = Σ r_i

Continue with generic MPC protocol (e.g., Yao or GMW) from T − R = HD(X,Y) …

Page 39: GSHADE: Optimizations and Generalization of SHADE

• For multiple HD computations: HD(X,Y1), HD(X,Y2), …: same number of OTs, but on longer strings
• Can use correlated OT (C-OT) to improve communication
• Generalize to larger class of functions f(X,Y) = f_X(X) + f_Y(Y) + Σ f_i(x_i, Y)
  • Hamming Distance: f_X = f_Y = 0, f_i(x_i, Y) = x_i ⨁ y_i
  • Squared Euclidean Distance (for faces & fingerprints): f_X(X) = Σ x_i², f_Y(Y) = Σ y_i², f_i(x_i, Y) = −2 x_i y_i
  • Normalized Hamming Distance (for irises)
  • Squared Mahalanobis Distance (for hand shapes, keystrokes, signatures)
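The SHADE protocol of slide 38 and the GSHADE form f(X,Y) = f_X(X) + f_Y(Y) + Σ f_i(x_i, Y) of slide 39, as an added Python example (not the GSHADE code base). The OT is an idealized stand-in function, and the generalized routine is a direct reading of the slide's formula: for each coordinate the server offers r_i + f_i(v, Y) for every value v the coordinate may take, which is a 1-out-of-2 OT for bit strings and a 1-out-of-2^b OT for b-bit coordinates; how the real GSHADE implementation realizes the non-binary case with OT extension is not shown here. Function names and the sample vectors are constructed for the example.

```python
"""SHADE (slide 38) and its GSHADE generalization (slide 39) with an
idealized oblivious transfer. The client holds X and is the OT receiver, the
server holds Y and is the OT sender; both end with additive shares of the
distance and would continue in Yao/GMW from there (not shown)."""
import secrets


def ideal_ot(messages, choice):
    """Idealized 1-out-of-k OT (constructed stand-in for a real OT protocol):
    the receiver learns messages[choice] only, the sender learns nothing."""
    return messages[choice]


def shade_hamming(X, Y):
    """SHADE: X, Y are equal-length bit lists. For each i the server picks
    r_i in Z_{l+1} and offers (r_i + y_i, r_i + (1 - y_i)); the client
    selects with x_i and receives t_i = r_i + (x_i XOR y_i).
    Returns (T, R) with T - R = HD(X, Y) mod (l + 1)."""
    l = len(X)
    mod = l + 1                                   # HD(X, Y) <= l fits in Z_{l+1}
    T = R = 0
    for x_i, y_i in zip(X, Y):
        r_i = secrets.randbelow(mod)
        t_i = ideal_ot(((r_i + y_i) % mod, (r_i + 1 - y_i) % mod), x_i)
        T = (T + t_i) % mod                       # client side
        R = (R + r_i) % mod                       # server side
    return T, R


def gshade(X, Y, f_X, f_Y, f_i, domain, mod):
    """GSHADE for f(X, Y) = f_X(X) + f_Y(Y) + sum_i f_i(x_i, Y): for
    coordinate i the server offers r_i + f_i(i, v, Y) for every v in `domain`
    (a 1-out-of-|domain| OT) and the client selects v = x_i. Afterwards the
    client adds f_X(X) and the server subtracts f_Y(Y), both locally.
    Returns (client_share, server_share) with
    client_share - server_share = f(X, Y) mod `mod`."""
    T = R = 0
    for i, x_i in enumerate(X):
        r_i = secrets.randbelow(mod)
        offers = [(r_i + f_i(i, v, Y)) % mod for v in domain]
        T = (T + ideal_ot(offers, domain.index(x_i))) % mod
        R = (R + r_i) % mod
    return (T + f_X(X)) % mod, (R - f_Y(Y)) % mod


def hamming_shares(X, Y):
    """Hamming distance as a GSHADE instance: f_X = f_Y = 0, f_i = x_i XOR y_i."""
    return gshade(X, Y, lambda X: 0, lambda Y: 0,
                  lambda i, v, Y: v ^ Y[i], [0, 1], len(X) + 1)


def squared_euclidean_shares(X, Y, bits, mod=1 << 32):
    """Squared Euclidean distance as a GSHADE instance (slide 39):
    f_X = sum x_i^2, f_Y = sum y_i^2, f_i(x_i, Y) = -2 x_i y_i, with every
    coordinate drawn from the `bits`-bit domain."""
    return gshade(X, Y,
                  lambda X: sum(x * x for x in X),
                  lambda Y: sum(y * y for y in Y),
                  lambda i, v, Y: -2 * v * Y[i],
                  list(range(1 << bits)), mod)


def open_shares(client_share, server_share, mod):
    """Reconstruction; only ever done on the final output (or inside Yao/GMW)."""
    return (client_share - server_share) % mod


if __name__ == "__main__":
    # constructed sample inputs
    T, R = shade_hamming([1, 0, 1, 1, 0], [1, 1, 0, 1, 1])
    print("HD =", open_shares(T, R, 6))                         # 3
    c, s = squared_euclidean_shares([3, 5, 7], [1, 4, 8], 4)
    print("squared Euclidean =", open_shares(c, s, 1 << 32))    # 6
```

Both parties only ever see masked values: the client receives one uniformly random t_i per coordinate and the server sees nothing at all, so the distance is never revealed to either side; the threshold comparison of slide 36 is then done on T and R inside a generic protocol.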

Table 1: Empirical performance of GSHADE for 1-vs-5 000 biometric identification schemes. Details on the choice of parameters are given in Tab. 2.

Application | SCiFI Faces [38] | IrisCodes [16] | FingerCodes [31] | Eigenfaces [44]

Distance Computation using GSHADE:
Metric | Hamming Distance | Normalized Hamming Distance | Euclidean Distance | Scalar Product + Euclidean Distance
Time in sec. (LAN/WiFi) | 0.9 / 1.4 | 8.8 / 14.3 | 5.1 / 10.3 | 1.0 / 2.8
Communication in MB | 4.3 | 51.3 | 48.9 | 15.1

Post-Processing using GMW:
Method | Comparison | Comparison | Closest Match | Closest Match
Time in sec. (LAN/WiFi) | 0.09 / 0.27 | 0.3 / 1.4 | 1.6 / 4.1 | 4.0 / 13.1
Communication in MB | 1.9 | 5.1 | 18.6 | 68.5

cryption, e.g., [13]. In the following, we give a short summary of each of these techniques.

Oblivious Transfer. A 1-out-of-2 oblivious transfer (OT) [19,40], denoted by $\mathrm{OT}_\ell$, is a two-party protocol where one party (the sender) inputs two ℓ-bit strings $x_0, x_1 \in \{0,1\}^\ell$ and the other party (the receiver) inputs a bit b. At the end of the protocol, the receiver obtains $x_b$ but learns no information about $x_{1-b}$ whereas the sender learns no information about b. OT protocols can be built from public key cryptography, e.g., [36]. For a large number of OTs, OT extension [30] can be used that extends a few base OTs to many OTs using only efficient symmetric cryptographic primitives. Recent work of [32] further improved the communication complexity of OT extension and [1] provides even more efficient protocols for the correlated OT functionality, where the sender inputs only a single value Δ together with a correlation function f s.t. at the end of the protocol, the sender obtains $x_0 \in_R \{0,1\}^\ell$ and $x_1 = f_\Delta(x_0)$ as output and the receiver obtains $x_b$.

Yao's Garbled Circuits Protocol. A garbled circuit [45] is an encrypted version of the binary circuit representing the function to be evaluated securely. In Yao's protocol, one party (the sender) generates the garbled circuit by building the binary circuit, choosing a pair of encryption keys for every wire of the circuit, and encrypting the output wire keys using the keys of the input wires. The sender then sends the garbled circuit and the input keys that correspond to his inputs to the second party (the receiver). The receiver obtains the keys corresponding to his inputs by engaging in an oblivious transfer with the sender. Using the obtained input keys, the receiver can then decrypt the garbled circuit to obtain the result while learning no intermediary information. See [27] for a more detailed description.

Yao's protocol relies mostly on symmetric cryptography and is best suited for functions that can efficiently be represented as binary circuits and in environments that have a high communication latency. However, Yao's protocol has a high communication complexity and requires the function and input sizes to be known in advance to allow pre-computation. Yao's garbled circuits protocol has been implemented in the FastGC framework [27].

GMW Protocol. Similar to Yao’s protocol, the GMWprotocol [21] also uses a binary circuit representation of thefunction, but performs the secure evaluation on shares ratherthan using encrypted gates. The parties first secret-sharetheir inputs using a XOR secret sharing scheme. To evaluatean XOR gate, the parties simply XOR the shares of the inputwires. To evaluate an AND gate, the parties perform an

oblivious transfer, where one party pre-computes all possibleoutputs of the gate and the other party obliviously obtainsthe output that corresponds to its input shares. To obtainthe output of the circuit, the parties exchange the shares ofthe output wires.As shown in [1,12,42], the GMW protocol allows the pre-

computation of all symmetric cryptographic operations be-fore the function or the inputs to the function are knownand requires less communication per AND gate than Yao’sgarbled circuits protocol. However, the GMW protocol re-quires a number of communication rounds that is linear inthe depth of the circuit. The GMW protocol has been im-plemented in [12] and further optimized for the two-partycase in [1, 42].Homomorphic Encryption. A public-key encryption

is homomorphic if it is possible to compute over encrypteddata without the knowledge of the secret key. Although fullyhomomorphic encryption (i.e., a cryptosystem that is homo-morphic for any operation) has been introduced in 2009 [20],it is not yet practical. Most implemented proposals there-fore use additively homomorphic encryption schemes, suchas Paillier [39] or Damgard-Geisler-Krøigaard (DGK) [15].Homomorphic encryption is more suited for arithmetic

circuits and the ciphertexts can be re-used for several in-stances of secure computation, which reduces the commu-nication complexity. However, homomorphic encryption re-quires computationally expensive public-key operations thatscale very ine�ciently for larger security parameters.

2.2 Distance Metrics

In the following, we summarize some distance metrics that are used in biometric identification schemes. In §2.3 we will describe which distance is used by which biometric identification scheme, and in §3 we will show that each of these distances can be computed efficiently with our generalized SHADE protocol.

Hamming Distance (HD). The Hamming distance between two $\ell$-bit vectors $X = (x_1, \ldots, x_\ell)$ and $Y = (y_1, \ldots, y_\ell)$ is computed as $HD(X,Y) = \sum_{i=1}^{\ell} x_i \oplus y_i$.

Normalized Hamming Distance (NHD). The normalized Hamming distance between an $\ell$-bit vector $X = (x_1, \ldots, x_\ell)$ with $\ell$-bit mask $M = (m_1, \ldots, m_\ell)$ and a vector $Y = (y_1, \ldots, y_\ell)$ with mask $M' = (m'_1, \ldots, m'_\ell)$ is computed as $NHD(X,M;Y,M') = \frac{\sum_{i=1}^{\ell} m_i m'_i (x_i \oplus y_i)}{\sum_{i=1}^{\ell} m_i m'_i}$.

Scalar Product (SP). The scalar product between two $K$-dimensional vectors $X = (X_1, \ldots, X_K)$ and $Y = (Y_1, \ldots, Y_K)$ is computed as $SP(X,Y) = \sum_{i=1}^{K} X_i Y_i$.

Squared Euclidean Distance (ED). The squared Euclidean distance between two $K$-dimensional vectors $X = (X_1, \ldots, X_K)$ and $Y = (Y_1, \ldots, Y_K)$ is computed as $ED(X,Y) = \sum_{i=1}^{K} (X_i - Y_i)^2 = \sum_{i=1}^{K} \left((X_i)^2 - 2 X_i Y_i + (Y_i)^2\right)$.

Squared Mahalanobis Distance (MD). The squared Mahalanobis distance between two $K$-dimensional vectors $X = (X_1, \ldots, X_K)$ and $Y = (Y_1, \ldots, Y_K)$ is computed as $MD(X,Y) = (X - Y)^T M (X - Y)$, where $M$ is a positive semi-definite matrix (which might be the inverse of the covariance matrix of a sample set). The Mahalanobis distance can be used for instance for hand shape, keystroke, or signature recognition [34].

2.3 Privacy-Preserving Biometric Identification

Several different schemes for privacy-preserving biometric identification using S2PC have been proposed. Most schemes focused on face [18,38,41], fingerprint [3,5,28,43], or iris [5,10,35] recognition, which we summarize next. We provide more details on the underlying algorithms in §4.

Privacy-preserving face recognition. Privacy-preserving face recognition has been realized based on two different recognition algorithms: Eigenfaces used in [18,41,42] and the SCiFI algorithm used in [9,27,38,42].

In protocols based on the Eigenfaces algorithm [44], the parties have to perform a projection (matrix-vector or scalar products), compute the Euclidean distance, and compare the resulting distance to a threshold. Erkin et al. [18] suggest to employ additively homomorphic encryption for the whole protocol. Sadeghi et al. [41] showed that a hybrid solution gives better performance, using additively homomorphic encryption for projection and distance computation, then garbled circuits for comparisons. Schneider et al. [42] use GMW, which allows pre-computing all cryptographic operations and thereby achieves a fast online phase.

The SCiFI algorithm [38] is a face recognition algorithm that is based on the Hamming distance and was specifically designed to yield an efficient privacy-preserving protocol. Originally, Osadchy et al. [38] used additively homomorphic encryption; subsequently Huang et al. [27] and Schneider et al. [42] showed that using Yao's garbled circuits and GMW, respectively, results in better performance. The SHADE protocol of Bringer et al. [9] is an even more efficient construction based on oblivious transfer (cf. §2.4 for details).

Privacy-preserving fingerprint recognition. Secure fingerprint recognition has been considered using two main solutions. The FingerCodes technique [31] relies on Euclidean distance and has been proposed in [3,5,28], which use additively homomorphic encryption for Euclidean distance and several solutions for comparison/identification operations. Use of minutiae-based fingerprint recognition [34] has been envisioned in [5,43], but we do not further discuss it in this paper as it does not fit our protocol.

Privacy-preserving iris recognition. Iris recognition using IrisCodes [16] requires secure evaluation of normalized Hamming distances and was first considered by Blanton et al. [5] using homomorphic encryption, then by Luo et al. [35] and Bringer et al. [10] using Yao's garbled circuits.

2.4 Secure Hamming Distance Computation (SHADE)

The SHADE protocol [9] allows efficient secure Hamming distance computation using oblivious transfer. In the following we describe the original SHADE protocol and its extension to the 1-vs-N case.

The SHADE Protocol. The SHADE protocol was first intended for secure computation of Hamming distances. For $S$ and $C$ with $\ell$-bit inputs $Y$ and $X$ the protocol works as follows. $S$ and $C$ perform $\ell$ $OT_{\lceil \log_2(\ell+1) \rceil}$ where, in the $i$-th OT, $S$ chooses a random $r_i \in_R \mathbb{Z}_{\ell+1}$ and inputs $(r_i + y_i,\ r_i + (y_i \oplus 1))$, and $C$ inputs $x_i$ as choice bit and receives $t_i = r_i + (x_i \oplus y_i)$. $S$ then sums up the random masks and outputs $R = \sum_{i=1}^{\ell} r_i$, and $C$ sums up the received values and outputs $T = \sum_{i=1}^{\ell} t_i$. Note that we have $T - R = \sum_{i=1}^{\ell} (r_i + (x_i \oplus y_i)) - \sum_{i=1}^{\ell} r_i = \sum_{i=1}^{\ell} x_i \oplus y_i = HD(X,Y)$.

SHADE for the 1-vs-N Case. SHADE was observed to be efficiently extendable to the 1-vs-N case, where $S$ holds $N$ $\ell$-bit values $Y^1, \ldots, Y^N$ and $C$ holds a single $\ell$-bit value $X$. The only additional overhead for the extended protocol is longer bit strings in the oblivious transfers. In more detail, the parties perform $\ell$ $OT_{N \lceil \log_2(\ell+1) \rceil}$ where, in the $i$-th OT, $S$ inputs $(r_i^1 + y_i^1 \,\|\, \ldots \,\|\, r_i^N + y_i^N,\ r_i^1 + (y_i^1 \oplus 1) \,\|\, \ldots \,\|\, r_i^N + (y_i^N \oplus 1))$ and $C$ inputs $x_i$ and receives $t_i = (r_i^1 + (x_i \oplus y_i^1) \,\|\, \ldots \,\|\, r_i^N + (x_i \oplus y_i^N))$. In the final step, the parties can again simply compute and output $R^1, \ldots, R^N$ and $T^1, \ldots, T^N$, where $R^b = \sum_{i=1}^{\ell} r_i^b$ and $T^b = \sum_{i=1}^{\ell} t_i^b$, for $1 \le b \le N$.

3. OUR GENERALIZED SHADE (GSHADE) PROTOCOL

In this section we describe our generalized SHADE protocol, called GSHADE, which allows computing different distances (§3.1). We describe how to combine GSHADE with comparison or minimum protocols (§3.2), outline how to efficiently extend it to 1-vs-N matching (§3.3) and how to base it on the more efficient correlated OT functionality (§3.4). We give applications of GSHADE to biometric identification with new adaptations for IrisCodes and Eigenfaces later in §4.

3.1 The GSHADE Protocol

We observe that the original SHADE protocol extends to the family $\mathcal{F}_{GSHADE}$ of functions that can be expressed as $f(X,Y) = f_X(X) + \sum_{i=1}^{n} f_i(x_i, Y) + f_Y(Y)$, where $X = (x_1, \ldots, x_n) \in \{0,1\}^n$ is the input of $C$ and $Y$ is the input of $S$. (The set $\mathcal{S}$ to which $Y$ belongs does not impact the protocol.) In particular, several metrics used for biometric matching are included in this family of functions:

Hamming Distance. $X = (x_1, \ldots, x_\ell)$ and $Y = (y_1, \ldots, y_\ell)$ are $\ell$-bit vectors, i.e., $n = \ell$. We have $f_X = f_Y = 0$ and $f_i(x_i, Y) = x_i \oplus y_i$, for $i = 1, \ldots, n$.

Scalar Product. $X = (X_1, \ldots, X_K)$ with $X_i = (x_{K(i-1)+1}, \ldots, x_{K(i-1)+\ell})$ and $Y = (Y_1, \ldots, Y_K)$ with $Y_i = (y_{K(i-1)+1}, \ldots, y_{K(i-1)+\ell})$ are $K$-dimensional vectors of $\ell$-bit integers, i.e., $n = K \cdot \ell$. We have $f_X = f_Y = 0$ and $f_{K(i-1)+j}(x_{K(i-1)+j}, Y) = 2^{j-1} \cdot x_{K(i-1)+j} \cdot Y_i$, for $i = 1, \ldots, K$ and $j = 1, \ldots, \ell$.

Squared Euclidean Distance. $X = (X_1, \ldots, X_K)$ with $X_i = (x_{K(i-1)+1}, \ldots, x_{K(i-1)+\ell})$ and $Y = (Y_1, \ldots, Y_K)$ with $Y_i = (y_{K(i-1)+1}, \ldots, y_{K(i-1)+\ell})$ are $K$-dimensional vectors of $\ell$-bit integers, i.e., $n = K \cdot \ell$. We have $f_X(X) = \sum_{i=1}^{K} (X_i)^2$, $f_Y(Y) = \sum_{i=1}^{K} (Y_i)^2$ and $f_{K(i-1)+j}(x_{K(i-1)+j}, Y) = -2^{j} \cdot x_{K(i-1)+j} \cdot Y_i$, for $i = 1, \ldots, K$ and $j = 1, \ldots, \ell$.

Page 40

GSHADE Protocol

Goal: compute f(X,Y) = fX(X) + fY(Y) + Σ fi(xi,Y)

for i=1..ℓ:
  S chooses ri ∈R Zm
  OT: S inputs (ri + fi(0,Y); ri + fi(1,Y)), C inputs choice bit xi and receives ti = ri + fi(xi,Y)

S outputs R = - fY(Y) + Σ ri; C outputs T = fX(X) + Σ ti

Continue with generic MPC from T - R = f(X,Y) = …
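The share computation on this slide, together with the 1-vs-N extension of §2.4 and the Hamming and squared-Euclidean decompositions of §3.1, written out as an added Python example (not code from the slides or from the GSHADE implementation). It assumes a plain in-process stand-in for the oblivious transfer, and it indexes the bits of each ℓ-bit integer LSB-first.

```python
"""GSHADE (1-vs-N) over Z_m with a stubbed oblivious transfer.
f(X, Y) = f_X(X) + sum_i f_i(x_i, Y) + f_Y(Y) is turned into additive shares
T^b (held by C) and R^b (held by S) with T^b - R^b = f(X, Y^b) mod m.
The OT below is an in-process stand-in that hands C the message at index
x_i; it gives no privacy and only exercises the protocol's arithmetic."""
import secrets

def ot_stub(messages, choice):
    # Stand-in for 1-out-of-2 OT: C learns messages[choice] and nothing else.
    return messages[choice]

def gshade_1vN(xbits, Ys, fi, fX_val, fY_vals, m):
    """C holds bits xbits and f_X(X) = fX_val; S holds Y^1..Y^N and f_Y(Y^b).
    One OT per bit x_i carries N masked values per message, all selected by
    the same choice bit: the SHADE 1-vs-N extension applied to GSHADE."""
    N = len(Ys)
    R = [(-fY_vals[b]) % m for b in range(N)]   # S's running shares: -f_Y + sum r
    T = [fX_val % m] * N                        # C's running shares:  f_X + sum t
    for i, xi in enumerate(xbits):
        rs = [secrets.randbelow(m) for _ in range(N)]            # S: masks r_i^b
        msg0 = tuple((rs[b] + fi(i, 0, Ys[b])) % m for b in range(N))
        msg1 = tuple((rs[b] + fi(i, 1, Ys[b])) % m for b in range(N))
        ts = ot_stub((msg0, msg1), xi)       # C: t_i^b = r_i^b + f_i(x_i, Y^b)
        for b in range(N):
            R[b] = (R[b] + rs[b]) % m
            T[b] = (T[b] + ts[b]) % m
    return T, R

def open_shares(T, R, m):
    # T^b - R^b mod m equals f(X, Y^b). In the full protocol the shares feed a
    # comparison or minimum protocol instead of being opened directly.
    return [(t - r) % m for t, r in zip(T, R)]

def hamming_1vN(X, Ys):
    """HD: f_X = f_Y = 0, f_i(x_i, Y) = x_i XOR y_i, m = ell + 1 since HD <= ell."""
    m = len(X) + 1
    T, R = gshade_1vN(X, Ys, lambda i, bit, Y: bit ^ Y[i], 0, [0] * len(Ys), m)
    return open_shares(T, R, m)

def to_bits(vals, ell):
    # Bit j (LSB first) of integer X_i is placed at position i*ell + j.
    return [(v >> j) & 1 for v in vals for j in range(ell)]

def euclid_1vN(X, Ys, ell):
    """Squared ED: f_X = sum X_i^2, f_Y = sum Y_i^2, and the cross term
    -2 X_i Y_i split bitwise into f_{i,j}(x_{i,j}, Y) = -2^(j+1) * x_{i,j} * Y_i."""
    K = len(X)
    m = K * (2 ** ell - 1) ** 2 + 1             # exceeds the largest possible ED
    fi = lambda idx, bit, Y: -(2 ** (idx % ell + 1)) * bit * Y[idx // ell]
    T, R = gshade_1vN(to_bits(X, ell), Ys, fi, sum(v * v for v in X),
                      [sum(v * v for v in Y) for Y in Ys], m)
    return open_shares(T, R, m)
```

Because every t_i is masked by a fresh r_i, neither T alone nor R alone reveals anything about the other party's input; only the difference does.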

Page 41

Performance of GSHADE

Compare biometric sample with DB of 5,000 entries.

Algorithm     Distance              Time in s   Communication in MB
SCiFI         Hamming                     1.0                   6.2
Eigenfaces    Euclidean                   5.0                  83.6
FingerCodes   Euclidean                   6.7                  67.5
IrisCodes     Normalized Hamming          9.1                  56.4

Page 42

Performance for SCiFI

[Chart: runtime in s and communication in MB (log scale, 0.1 to 1000) for |DB| = 100, 320 and 50,000; series: HE [OPJM10], GC [HEKM11], GMW [SZ13], GSHADE+GMW [BCF+14]]

Page 43

Runtime for SCiFI

Numbers taken from papers (not measured on same machines).

[Chart: runtime in s (log scale, 0.1 to 1000) for |DB| = 100, 320 and 50,000; series: HE (Java) [OPJM10], GC (Java) [HEKM11], GMW (C++) [SZ13], GSHADE+GMW (C++) [BCF+14]]

Page 44

Communication for SCiFI

Improvement by 1 order of magnitude.

[Chart: communication in MB (log scale, 0.1 to 1000) for |DB| = 100, 320 and 50,000; series: HE (Java) [OPJM10], GC (Java) [HEKM11], GMW (C++) [SZ13], GSHADE+GMW (C++) [BCF+14]]

Page 45

Performance for Eigenfaces

[Chart: runtime in s (log scale, 0.1 to 1000) and communication in MB (log scale, 1 to 1000) for |DB| = 320 and 1,000; series: HE [EFG+09], HE+GC [HKS+10], GMW [SZ13], GSHADE+GMW [BCF+14]]

Page 46

Runtime for Eigenfaces

Numbers taken from papers (not measured on same machines).

[Chart: runtime in s (log scale, 0.1 to 1000) for |DB| = 320 and 1,000; series: HE [EFG+09], HE+GC [HKS+10], GMW [SZ13], GSHADE+GMW [BCF+14]]

Page 47

Communication for Eigenfaces

[Chart: communication in MB (log scale, 1 to 1000) for |DB| = 320 and 1,000; series: HE [EFG+09], HE+GC [HKS+10], GMW [SZ13], GSHADE+GMW [BCF+14]]

Page 48

Performance for IrisCodes

[Chart: runtime in s (log scale, 0.1 to 1000) and communication in MB (log scale, 10 to 1000) for |DB| = 320 and 10,000; series: HE+GC [BG11], GSHADE+GMW [BCF+14]]

Page 49

Performance for FingerCodes

[Chart: runtime in s (log scale, 0.1 to 1000) and communication in MB (log scale, 1 to 100) for |DB| = 128 and 1,024; series: HE+GC [HMEK11], GSHADE+GMW [BCF+14]]

Page 50

Summary

Part 1: TASTY - combine protocols based on Homomorphic Encryption and Garbled Circuits

Part 2: ABY - combine protocols based on Arithmetic, Boolean (GMW), and Yao (GC) sharing

Part 3: Privacy-preserving biometric identification - applications can be built efficiently directly on OT

Page 51

EXERCISE 4

Design a public-key based OT protocol with two messages using additively homomorphic encryption.

[Figure: OT]

Page 52

Literature

• M. Barni, P. Failla, V. Kolesnikov, R. Lazzeretti, A.-R. Sadeghi, T. Schneider: Secure evaluation of private linear branching programs with medical applications. In ESORICS'09.
• M. Blanton, P. Gasti: Secure and Efficient Protocols for Iris and Fingerprint Identification. In ESORICS'11.
• J. Bringer, H. Chabanne, M. Favre, A. Patey, T. Schneider, M. Zohner: GSHADE: Faster privacy-preserving distance computation and biometric identification. In ACM IH&MMSec'14.
• J. Bringer, H. Chabanne, A. Patey: SHADE: Secure Hamming distance computation from oblivious transfer. In FC Workshops'13.
• D. Boneh, E. Goh, K. Nissim: Evaluating 2-DNF Formulas on Ciphertexts. In TCC'05.
• J. Brickell, D. E. Porter, V. Shmatikov, E. Witchel: Privacy-preserving remote diagnostics. In ACM CCS'07.
• I. Damgård, M. Geisler, M. Krøigaard: A correction to 'Efficient and secure comparison for on-line auctions'. IJACT'09.
• I. Damgård, M. Jurik: A Generalisation, a Simplification and some Applications of Paillier's Probabilistic Public-Key System. In PKC'01.
• D. Demmler, T. Schneider, M. Zohner: ABY - a framework for efficient mixed-protocol secure two-party computation. In NDSS'15.
• Z. Erkin, M. Franz, J. Guajardo, S. Katzenbeisser, I. Lagendijk, T. Toft: Privacy-preserving face recognition. In PETS'09.
• M. J. Freedman, K. Nissim, B. Pinkas: Efficient private matching and set intersection. In EUROCRYPT'04.
• C. Gentry: Fully homomorphic encryption using ideal lattices. In STOC'09.
• C. Gentry, S. Halevi, V. Vaikuntanathan: A Simple BGN-Type Cryptosystem from LWE. In EUROCRYPT'10.
• N. Gilboa: Two party RSA key generation. In CRYPTO'99.
• W. Henecka, S. Kögl, A.-R. Sadeghi, T. Schneider, I. Wehrenberg: TASTY - Tool for Automating Secure Two-partY computations. In ACM CCS'10.
• Y. Huang, D. Evans, J. Katz, L. Malka: Faster secure two-party computation using garbled circuits. In USENIX Security'11.
• Y. Huang, L. Malka, D. Evans, J. Katz: Efficient privacy-preserving biometric identification. In NDSS'11.
• A. Karatsuba, Y. Ofman: Multiplication of many-digital numbers by automatic computers. In SSSR Academy of Sciences'62.
• F. Kerschbaum, T. Schneider, A. Schröpfer: Automatic protocol selection in secure two-party computations. In ACNS'14.
• V. Kolesnikov, A.-R. Sadeghi, T. Schneider: Improved garbled circuit building blocks and applications to auctions and computing minima. In CANS'09.
• V. Kolesnikov, A.-R. Sadeghi, T. Schneider: A systematic approach to practically efficient general two-party secure function evaluation protocols and their modular design. In Journal of Computer Security 2013.
• M. Osadchy, B. Pinkas, A. Jarrous, B. Moskovich: SCiFI - A system for secure face identification. In IEEE S&P'10.
• P. Paillier: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes. In EUROCRYPT'99.
• A.-R. Sadeghi, T. Schneider, I. Wehrenberg: Efficient privacy-preserving face recognition. In ICISC'09.
• T. Schneider, M. Zohner: GMW vs. Yao? Efficient secure two-party computation with low depth circuits. In FC'13.
• N. Smart, F. Vercauteren: Fully Homomorphic Encryption with Relatively Small Key and Ciphertext Sizes. In PKC'10.
• M. Turk, A. Pentland: Eigenfaces for recognition. Journal of Cognitive Neuroscience 1991.
• M. van Dijk, C. Gentry, S. Halevi, V. Vaikuntanathan: Fully Homomorphic Encryption over the Integers. In EUROCRYPT'10.