PLAS 13 Knowledge Inference for Optimizing Secure Multiparty

PLAS’13 Knowledge Inference for Optimizing Secure Multi-party Computation
Aseem Rastogi, Piotr (Peter) Mardziel, Michael Hicks, Matthew Hammer

Secure Computation
[Figure: Alice (A), Bob (B)]
Compute f(A, B) without revealing A to Bob and B to Alice
2/21/2021

Using a Trusted Third Party
[Figure: Alice (A), Bob (B) and a trusted third party computing f(A, B)]
Compute f(A, B) without revealing A to Bob and B to Alice

Secure Computation Protocols
[Figure: Alice (A), Bob (B) and a cryptographic protocol computing f(A, B)]
Compute f(A, B) without revealing A to Bob and B to Alice

Example – Joint Median Computation
{ A1, A2 }, { B1, B2 }
Assume: A1 < A2 and B1 < B2 and Distinct(A1, A2, B1, B2)
    a = A1 ≤ B1;
    b = a ? A2 : A1;
    c = a ? B1 : B2;
    d = b ≤ c;
    output = d ? b : c;

Example – Joint Median Computation
    a = A1 ≤ B1;
    b = a ? A2 : A1;
    c = a ? B1 : B2;
    d = b ≤ c;
    output = d ? b : c;
Secure Computation

Performance Optimization
• Cryptographic protocols prohibitively expensive
• Performance Optimization [F. Kerschbaum, CCS’11]
  – Parties can infer some intermediate values eventually
    • Once they know the output
  – Revealing these early does not compromise security*
  – Offload computation over known data to local hosts
* In a semi-honest (honest-but-curious) threat model

Questions
For a Secure Multi-party Computation (SMC) program:
Can we infer which variables are known to a party?
Can we infer evidence for a party’s knowledge of a variable?

Contributions
Formalization of knowledge
  • Formalize what it means for a party p to know a variable x
Knowledge inference algorithm
  • Algorithm to infer if p knows x
  • Proof of soundness and completeness
Constructive knowledge inference algorithm
  • Algorithm to construct evidence of p’s knowledge of x
  • Proof of soundness and completeness

Median Example – Analysis
    a = A1 ≤ B1;
    b = a ? A2 : A1;
    c = a ? B1 : B2;
    d = b ≤ c;
    output = d ? b : c;
Alice and Bob know a and d

Median Example – Analysis from Bob’s Perspective
    a = A1 ≤ B1;
    b = a ? A2 : A1;
    c = a ? B1 : B2;
    d = b ≤ c;
    output = d ? b : c;
d = (output ≠ B1 ∧ output ≠ B2)    Recall: Distinct(A1, A2, B1, B2)
a = (output ≤ B1)    Recall: B1 < B2
Execution tree:
  a = true: b = A2
    d = true: output = A2
    d = false: output = B1
  a = false: b = A1, c = B2
    d = true: output = A1
    d = false: output = B2
Case conditions, in the order listed on the slide:
  A1 ≤ B1 ∧ A2 ≤ B1
  A1 ≤ B1 ∧ A2 > B1
  A1 > B1 ∧ A2 ≤ B1
  A1 > B1 ∧ A2 > B1

Optimized Joint Median Computation
    a = A1 ≤ B1;
    b = a ? A2 : A1;
    c = a ? B1 : B2;
    d = b ≤ c;
    output = d ? b : c;
Secure Computation

Formalization of Knowledge
Party p knows x if:
  x can be uniquely determined by p’s inputs I and outputs O
  Two program executions that agree on I and O also agree on x

Knowledge in Median Example
Let states σ map program variables to values
    a = A1 ≤ B1;
    b = a ? A2 : A1;
    c = a ? B1 : B2;
    d = b ≤ c;
    output = d ? b : c;
Bob knows a, if for all final states σ1 and σ2 s.t.
  • σ1[B1] = σ2[B1],
  • σ1[B2] = σ2[B2], and
  • σ1[output] = σ2[output],
we have
  • σ1[a] = σ2[a]

Knowledge Inference Algorithm
Compute postcondition of the program
  Sound approximation of final program states

Example Postcondition for Median
    a = A1 ≤ B1;
    b = a ? A2 : A1;
    c = a ? B1 : B2;
    d = b ≤ c;
    output = d ? b : c;
ϕ1 = (A1 ≤ B1) ∧ (a = true) ∧ (b = A2) ∧ (c = B1) ∧ (b ≤ c) ∧ (d = true) ∧ (output = b)
ϕ2 = (A1 ≤ B1) ∧ (a = true) ∧ (b = A2) ∧ (c = B1) ∧ (b > c) ∧ (d = false) ∧ (output = c)
ϕ3 = …, ϕ4 = …
φmedian = ϕ1 ∨ ϕ2 ∨ ϕ3 ∨ ϕ4

Knowledge Inference Algorithm
Compute postcondition of the program
Use self-composition to simulate two program runs
  Recall: we need to prove a property of any two program runs

Self Composed Median Example
    a = A1 ≤ B1;
    b = a ? A2 : A1;
    c = a ? B1 : B2;
    d = b ≤ c;
    output = d ? b : c;
    a’ = A’1 ≤ B’1;
    b’ = a’ ? A’2 : A’1;
    c’ = a’ ? B’1 : B’2;
    d’ = b’ ≤ c’;
    output’ = d’ ? b’ : c’;
φself-composed = φmedian ∧ φ’median

Knowledge Inference Algorithm
Compute postcondition of the program
Use self-composition to simulate two program runs
Derive knowledge formula and solve using SMT solver

Deriving Knowledge Formula
Does Bob know a?
    a = A1 ≤ B1;
    b = a ? A2 : A1;
    c = a ? B1 : B2;
    d = b ≤ c;
    output = d ? b : c;
    a’ = A’1 ≤ B’1;
    b’ = a’ ? A’2 : A’1;
    c’ = a’ ? B’1 : B’2;
    d’ = b’ ≤ c’;
    output’ = d’ ? b’ : c’;
φmedian ∧ φ’median ∧ B1 = B’1 ∧ B2 = B’2 ∧ output = output’ ⇒ a = a’

Solving Using SMT Solver
φmedian ∧ φ’median ∧ A1 = A’1 ∧ A2 = A’2 ∧ output = output’ ⇒ a = a’
Valid? (SMT Solver)
  Yes: Bob knows a
  No: Depending on completeness of postconditions, Bob may / does not know a

Properties of Knowledge Inference
• Soundness
  – If algorithm returns p knows x, then p and x satisfy the formal definition of knowledge
• Completeness
  – If p and x satisfy the formal definition of knowledge, then algorithm returns p knows x
  – Loop-free language (SMCs do not admit loops)

Constructive Knowledge Inference
• Infer evidence for p’s knowledge of x
• Evidence is a formula for x in terms of p’s input and output variables

Constructive Knowledge Inference Algorithm
Formulate knowledge as an invariant of the program
Use template-based verification to infer the invariant (Srivastava et al., PLDI’09)

Setting up Constructive Knowledge Inference
Does Bob know a?
    (A1 < A2 ∧ B1 < B2 ∧ Distinct(A1, A2, B1, B2))
    a = A1 ≤ B1;
    b = a ? A2 : A1;
    c = a ? B1 : B2;
    d = b ≤ c;
    output = d ? b : c;
    assert(a = τ)
Variables in τ ∈ { B1, B2, output }

Setting up Constructive Knowledge Inference
Does Bob know a?
    (A1 < A2 ∧ B1 < B2 ∧ Distinct(A1, A2, B1, B2))
    a = A1 ≤ B1;
    b = a ? A2 : A1;
    c = a ? B1 : B2;
    d = b ≤ c;
    output = d ? b : c;
    assert(a = τ)
Candidate predicates for τ:
  { v1 op v2 | v1, v2 ∈ { B1, B2, output }, op ∈ { <, ≤, >, ≥, =, ≠ } }

Constructive Knowledge Inference Algorithm
• Derived from template-based verification
• Given (m, n), searches solutions in DNF(m, n)
• Efficient search: O(|Q|m + |Q|n) queries to SMT solver
  – As opposed to naïve O(|Q|mn)

Constructive Knowledge Inference for Median
φpre = A1 < A2 ∧ B1 < B2 ∧ Distinct(A1, A2, B1, B2)
    a = A1 ≤ B1;
    b = a ? A2 : A1;
    c = a ? B1 : B2;
    d = b ≤ c;
    output = d ? b : c;
a = output ≥ A1 (for Alice)
a = output ≤ B1 (for Bob)
d = output = A1 ∨ output = A2 (for Alice)
d = output ≠ B1 ∧ output ≠ B2 (for Bob)
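
Added example (not code from the slides or the paper): a bounded brute-force check of the knowledge definition and of the candidate-predicate search for Bob on the median program, standing in for the SMT queries and for the efficient template search. The input domain 0..5, the function names and the limit of two conjuncts are assumptions of this example; a "knows" answer holds only for the enumerated domain, while a "does not know" answer is backed by a concrete pair of runs.

```python
import operator
from itertools import combinations, permutations

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq, "!=": operator.ne}

def final_states(domain=range(6)):
    """Final state of the slides' median program for every input in `domain`
    that meets the precondition A1 < A2, B1 < B2, Distinct(A1, A2, B1, B2)."""
    for A1, A2, B1, B2 in permutations(domain, 4):  # permutations => distinct
        if A1 < A2 and B1 < B2:
            a = A1 <= B1
            b = A2 if a else A1
            c = B1 if a else B2
            d = b <= c
            yield dict(A1=A1, A2=A2, B1=B1, B2=B2, a=a, b=b, c=c, d=d,
                       output=b if d else c)

def knows(view, x, states):
    """Slide definition: any two runs that agree on `view` also agree on x.
    Grouping runs by their view is the same check as comparing all pairs."""
    seen = {}
    return all(seen.setdefault(tuple(s[v] for v in view), s[x]) == s[x]
               for s in states)

def evidence(view, x, states, max_conj=2):
    """Smallest conjunctions tau of candidates 'v1 op v2' over `view` with
    x == tau in every final state (exhaustive search; x must be boolean)."""
    preds = [(v1, op, v2) for v1, v2 in permutations(view, 2) for op in OPS]
    def holds(p, s):
        return OPS[p[1]](s[p[0]], s[p[2]])
    for size in range(1, max_conj + 1):
        found = [" and ".join(" ".join(p) for p in conj)
                 for conj in combinations(preds, size)
                 if all(all(holds(p, s) for p in conj) == s[x] for s in states)]
        if found:
            return found
    return []

STATES = list(final_states())        # constructed sample domain: 0..5
ALICE = ("output", "A1", "A2")       # Alice's inputs and the output
BOB = ("output", "B1", "B2")         # Bob's inputs and the output

if __name__ == "__main__":
    for x in "abcd":
        print(x, "Alice:", knows(ALICE, x, STATES), "Bob:", knows(BOB, x, STATES))
    print("Bob, a:", evidence(BOB, "a", STATES))
    print("Bob, d:", evidence(BOB, "d", STATES))
```

For Bob the search returns `output <= B1` first for a, and the two-predicate results for d include `output != B1 and output != B2`, the evidence shown on the slide; b is reported as not known to Bob and c as not known to Alice.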

Properties of Constructive Knowledge Inference
• Soundness
  – If algorithm infers a formula τ for party p and variable x, then x = τ at the end of the program
  – Moreover, p can compute τ from its inputs and outputs
• Completeness
  – Similar to the completeness of verification techniques
  – If a solution τ exists in the template structure, our algorithm finds it

Connection to Information Flow Declassification Policies
• Knowledge inference similar to deciding delimited release [Sabelfeld et al., ISSS’04]
• Constructive knowledge inference similar to deciding required release [S. Chong, CSF’10]
• See our paper for more details!

Contributions
Formalization of knowledge
  • Formalize what it means for a party p to know a variable x
Knowledge inference algorithm
  • Algorithm to infer if p knows x
  • Proof of soundness and completeness
Constructive knowledge inference algorithm
  • Algorithm to construct evidence of p’s knowledge of x
  • Proof of soundness and completeness

Ongoing Work
• Core calculus for writing M3PC programs
  – Formal type-directed translation to target protocol
  – Translation exists for all well-typed programs
  – Source and target semantics preserve knowledge
• Next step: Given inferred knowledge facts, automatically generate optimal M3PC programs