#### **Faster Secure Two-Party Computation Using Garbled Circuits**





Yan Huang David Evans

Jonathan Katz Lior Malka

www.MightBeEvil.com



**Secure Two-Party Computation** 

without exposing anything about their data besides the result?

#### **Overview**

- Describe a system for secure 2-party computation using garbled circuits that is much more *scalable* and significantly *faster* than best prior work
- Applications:
  - Face recognition: Hamming distance
  - Genomics: Edit distance, Smith-Waterman
  - Private encryption: Oblivious AES evaluation

## **Our Results**



**Scalability** 

Performance

#### **Secure Function Evaluation** Alice (circuit generator) Bob (circuit evaluator) Agree on Holds $a \in \{0,1\}^{s}$ Holds $b \in \{0,1\}^t$ $f(a,b) \rightarrow x$ **Garbled Circuit Protocol** Outputs x = f(a, b)without revealing *a* to Bob or *b* to Alice.

## Yao's Garbled Circuits

| Inputs |   | Output |  |
|--------|---|--------|--|
| а      | b | x      |  |
| 0      | 0 | 0      |  |
| 0      | 1 | 0      |  |
| 1      | 0 | 0      |  |
| 1      | 1 | 1      |  |





## **Chaining Garbled Circuits**







### **Threat Model**

Semi-Honest (Honest-but-Curious) Adversary

Adversary follows the protocol as specified (!), but tries to learn more from the protocol execution transcript

May be good enough for some scenarios

We are working on efficient solutions for malicious adversaries



# **Problems?**

An alternative approach ... would have been to apply Yao's generic secure two-party protocol.... This would have required expressing the algorithm as a circuit ... and then sending and computing that circuit.... [We] believe that the performance of our protocols is significantly better than that of applying generic protocols. Margarita Osadchy, Benny Pinkas, Ayman Jarrous, Boaz Moskovich. *SCiFI – A System for Secure Face Identification*. Oakland 2010.

[Generic SFE] is very fast ... but the circuit size is extremely large.... Our prototype circuit compiler can compile circuits for problems of size (200, 200) but uses almost 2 GB of memory to do so... **larger circuits would be constrained by available memory for constructing their garbled versions**. Somesh Jha, Louis Kruger, Vitaly Shmatikov. *Towards Practical Privacy for Genomic Computation*. Oakland 2008.





## Benefits of Pipelining

• Allows GC to scale to circuits of arbitrary size

We ran circuits with over a billion gates, at a rate of roughly 10  $\mu$ s per gate.

Improves the time efficiency

## **Problems in Existing (SFDL) Compilers**

Resource-demanding SFDL compilation

It takes hours on a 40GB memory server to compile a SFDL program that implements AES.

#### Many optimization opportunities are missed



Program level Treat public and secret values differently

# **Example: Secure Counter**

```
class Counter {
  int c = 0;
  void increment(bool b) {
    if (b) c++;
}
```

- SFDL requires pre-setting **c** to a fixed bit width
- For best performance, its bit width should be adjusted *dynamically*
- Saves *n* non-free gates (out of original *n* log *n*)

## **Circuit Optimization – Edit Distance**



200

100

0

4176x

faster

Hamming Distance

(900 bits)

29x

faster

**Edit Distance** 

(200 chars, 8-bits each)

| (genome, text comparison) –<br>two 200-character inputs                | [Jna+, 2008]            |      |       |
|------------------------------------------------------------------------|-------------------------|------|-------|
| Smith-Waterman (genome<br>alignment) – two 60-<br>nucleotide sequences | [Not Implementable]     | 447s | -     |
| AES Encryption                                                         | 3.3s<br>[Henecka, 2010] | 0.2s | 16.5x |
|                                                                        |                         |      |       |

Scalable: 1 billion gates evaluated at ≈100,000 gates/second on regular PCs

Comparisons are aligned to the same security level in the semi-honest model.





ASIC design for AES allows

us to reduce the state-of-

**30%** of non-free gates,

compared to [PSSW09]

and [HKSSW10]

the-art AES circuit by

 $\otimes \{e\}$ 

lг

 $\oplus$ 

Ð

GF(24)Inverse

 $\otimes$ 

 $\otimes$ 

Wolkerstorfer, et al. An ASIC Implementation of the AES S-boxes. RSA-CT 2002.

4-bit wire 8-bit wire Inverse Map GF(2<sup>8</sup>)Inverse

- Pipelining enables garbled-circuit technique to scale to large problem sizes
- · Circuit-level optimizations can dramatically reduce performance overhead

Privacy-preserving applications can run orders of magnitude faster than previously thought.

#### Thanks!

TASTY

[Henecka, et al. CCS 2010]

#### **Questions?**

Download framework and Android demo application from MightBeEvil.com

Seconds 4

3

2

1

0

[PSSW09]



16.5x

faster

Here