Download
1 / 39
390 likes | 564 Views
Wysteria : A Programming Language for Generic, Mixed-Mode Multiparty Computations . Aseem Rastogi Matthew Hammer, Michael Hicks (University of Maryland, College Park). What is Secure Multiparty Computation (SMC). A. B. Compute f( A , B ). Without revealing A to Bob and B to Alice.
E N D
Wysteria: A Programming Language for Generic, Mixed-Mode Multiparty Computations Aseem Rastogi Matthew Hammer, Michael Hicks (University of Maryland, College Park)
What is Secure Multiparty Computation(SMC) A B Compute f(A, B) Without revealing A to Bob and B to Alice
Using a Trusted Third Party A B f(A, B) f(A, B) A B Compute f(A, B) Without revealing A to Bob and B to Alice
SMC Eliminates Trusted Third Party Cryptographic Protocol A B Compute f(A, B) Without revealing A to Bob and B to Alice
Beyond Toy SMC Examples • Online card games • SMC to deal cards • Dice-based games • SMC to roll dice
Monolithic Secure Multiparty Computation A B f(A, B) f(A, B) Not Enough !
Mixed-Mode Secure Multiparty Computation A B f(A, B) f(A, B) … … Secure State Secure State Local Local A1 B1 g(A1, B1) g(A1, B1) … … Local Local A2 B2 h(A2, B2) h(A2, B2)
State Of The Art: Existing SMC Languages None supports generic programs (parametric in number of parties) • Fairplay, FairplayMP, CBMC-GC • Only “circuit compilers” • No mixed-mode • No secure state • L1 • Only 2-party, low level • No formal guarantees • FastGC • Circuit library, only 2-party
Our Goal Push SMC beyond toy applications
Goes Without Saying, Wysteria Has It All ! A High-levelFunctional Language to write Mixed-Mode Generic SMCs Implementation and examples available at: http://ter.ps/wysteria Developing Online Poker using Wysteria (almost there …) Demo (coming up)
Wysteria by Examples: Two-party Millionaire’s* Compute who is richer among A and B par(A) • Single specification • Aand B run the same program par(B) sec(A,B) *The example in this form does not type check in Wysteria. leta = read() in let b = read() in let o = a > b in o
Wysteria by Examples: Two-party Millionaire’s Computation modes • A’s Local Computation • (Skipped by B) par(A) par(B) sec(A,B) leta = read() in let b = read() in let o = a > b in o
Wysteria by Examples: Two-party Millionaire’s A’s Local Computation par(A) • B’s Local Computation • (Skipped by A) par(B) sec(A,B) let a = read() in let b = read() in let o = a > b in o
Wysteria by Examples: Two-party Millionaire’s A’s Local Computation par(A) B’s Local Computation par(B) Secure Computation by (A,B) sec(A,B) let a = read() in let b = read() in let o = a > b in o
Wysteria by Examples: Two-party Millionaire’s A’s Local Computation par(A) B’s Local Computation par(B) Secure Computation by (A,B) sec(A,B) Runtime compiles it to boolean circuit, and evaluates using secure computation No communication primitives ! leta = read() in let b = read() in let o = a > b in o
Key Ideas Mixed-Mode Computations via Mode Annotations
Wysteria by Examples: Asymmetric Output What if only A is allowed to know the output ? par(A) par(B) sec(A,B) leta = read() in let b = read() in let o = a > b in o
Wysteria by Examples: Asymmetric Output What if only A is allowed to know the output ? par(A) par(B) sec(A,B) Wire Bundle leta = read() in let b = read() in let o = wire A:(a > b) in o
Wire Bundles in Wysteria • Maps from parties to values • Each party sees only its own component in the bundle • Or nothing if it’s not in the domain • Wire bundles are dependently typed • CreatewireA:0 : W {A} nat • Concat(wireA:0)++(wireB:1) : W {AU B} nat • Project(wireA:0)[A] : nat
Wysteria by Examples: Inputs Via Wire Bundles par(A) par(B) sec(A,B) leta = read() in let b = read() in letw1 =wireA:ain letw2 =wireB:bin letw3 =w1 ++ w2in let o = wire A:(w3[A] > w3[B]) in o
Wysteria by Examples: Wire Bundle Views par(A) par(B) sec(A,B) let a = read() in let b = read() in letw1 =wireA:ain letw2 =wireB:bin letw3 =w1 ++ w2in let o = wire A:(w3[A] > w3[B]) in o
Key Ideas Wire Bundle Abstraction for Private Inputs/Outputs Mixed-Mode Computations via Place Annotations
Wysteria by Examples: Functions sec(A,B) par(A) par(B) let mill = λx:W {AUB} nat . let o = x[A] > x[B] in o in let a = read () in let b = read () in mill (wireA:a ++ wireB:b)
So Far We Have Seen … Mixed-Mode support via mode annotations Wire Bundles abstraction for private data Now: Writing Generic Code in Wysteria
Parties As First Class Values Parties are values of type psφ Refinement types for more precise invariants {A} : ps{ν=A} {A} : ps{νA U B}
Wysteria by Examples: Generic Millionaire’s sec(x) sec(x) let comb = λx:ps . λy:W x nat. λa:psoption . λp:ps . λn:nat match a with | None => Some(p) | Some(q) => if y[q] > n then a else Some(p) in let mill = λx:ps. λy:W x nat . let o = wfold(y, None, comb x y) in o in …
Wysteria by Examples: Generic Millionaire’s sec(x) sec(x) let comb = λx:ps . λy:W x nat. λa:psoption . λp:ps. λn:nat match a with | None => Some(p) | Some(q) => if y[q] > n then a else Some(p) in let mill = λx:ps. λy:W x nat . let o = wfold(y, None, comb x y) in o in …
Wysteria by Examples: Generic Millionaire’s sec(x) sec(x) let comb = λx:ps . λy:W x nat. λa:ps{ν x} option.λp:ps{ν x}.λn:nat match a with | None => Some(p) | Some(q) => if y[q] > n then a else Some(p) in let mill = λx:ps. λy:W x nat . let o = wfold(y, None, comb x y) in o in …
Key Ideas Generic Code: 1. Parties as First Class Values 2. Wire Bundle Combinators (e.g. wfold) Wire Bundle Abstraction for Private Inputs/Outputs Mixed-Mode Computations via Place Annotations
Wysteria Metatheory • Formalized using λ-calculus with extensions • Dependent type system • Two operational semantics: • Single-threaded (SIMD style specification) • Multi-threaded (actual protocol runs) • Slicing judgment from single- to multi-threaded
Wysteria Theorems* C2 Single-threaded C1 π1 π2 * Multi-threaded … *Proofs in Technical Report slice operation Type soundness (progress and preservation) in single-threaded semantics Sound simulation:
Wysteria Implementation We use GMW Implementation from Choi et. al.
Wysteria Code for Card Dealing let retryloop = fix retryloop: (tmp5:unit) -> W tgt nat. (tmp5:unit). let myrand = \(z:unit).rand () in let rs = wapp x [wire x:(); wire x:myrand] in let res = check rs in if res.#success then let nd = select ndealt[0] in let _ = update dealt [nd] <- res.#sum in let _ = update ndealt [0] <- nd + 1 in let card @ sec(x) = let s = combsh (res.#sum) in wire tgt:s in card else retryloop () in retryloop () in wcopy as x from w in { #deal : deal } in Secure computation Local computation Secret shares let rand = \(myunit:unit). sysop rand 52 in let mkdeal = \(x:ps{true}). letzerosh@ par(x) = let zerosh1 @ sec(x) = makesh 0in zerosh1 in let dealt @ par(x) = array [ 52 ] of zerosh in let ndealt @ par(x) = array [ 1 ] of 0 in let deal = \(tgt:ps{singl and subeq x}). let w @ par(x) = let check = \(rs:W x nat). let nd = select ndealt[0] in let sum @ sec(x) = let s = wfold x [rs; 0; \(n1:nat).\(p:ps{true}).\(n2:nat). n1 + n2 ] in let s1 = wfold x [wire x:(); s; \(n1:nat).\(p:ps{true}).\(n2:unit). if n1 > 51 then n1 - 51 else n1 ] in makesh s1 in let checkloop = fix checkloop:(i:nat) -> {#sum:Sh x nat, #success: bool}. (i:nat). if i = nd then {#sum:sum, #success:true} else l2et sd= select dealt[i] in let cmp @ sec(x) = let t1 = combshsd in let t2 = combsh sum in t1 = t2 in if cmp then {#sum:sum, #success:false} else checkloop(i + 1) n checkloop 0 in
Demo (Card dealing using Wysteria) Future Work: Integrate with bitcoin for betting (c.f. Secure Multiparty Computation on BitCoin, Andrychowicz et. al.)
Also In The Paper … • Support for secure state • More language features • Mutable state (interesting interaction with mixed-mode) • Additional wire bundle combinators • Performance evaluation • Complete proofs in TR
Wysteria Summary A High-levelFunctional Language to write Mixed-Mode Generic SMCs Implementation and examples available at: http://ter.ps/wysteria
