Secure Computation System – How it works

2018.8 NTT Secure Platform laboratories

© 2018 NTT corp.


Secure computation
• Secure Computation
• Benefits
• History

Secure Computation

• computes while keeping data encrypted

[Figure: data → encryption → Secure Computation System (computation while keeping data encrypted) → reconstruction → analysis results (results only)]

| | data encrypted process |
|---|---|
| typical encryption | transformation and storage |
| secure computation | transformation and storage, computation |

Benefits

• keep the data secret except for results
• a novel “inter-organization” data analysis

[Figure: data from company A, company B and company C (Personal Data, Trade Secret, …) → Secure Computation System (computation while keeping data encrypted) → analysis results]

• Data is never leaked, even to the system
• Data is never disclosed among companies
• Only the result can be accessed

History

• In cryptology, “secure multi-party computation” has been studied since the 1980s
• The practical issue is performance
  • too slow!
• More modern studies aim at speed-up and implementation
• Industry is starting to pay attention to Secure Computation as a new data utilization method

Secure Computation based on Secret Sharing
• Secret Sharing as an encryption mechanism
• Multi-party Computation based on Secret Sharing
• Security Condition

In this document, “Secure Computation” denotes Secret Sharing based Secure Computation.

Secret Sharing

• Secret Sharing as an encryption mechanism
• We use ISO-conformant Secret Sharing

Secret Sharing protects data confidentiality by dividing data into pieces called "shares":
1. Individual shares are of no use
2. If some shares are lost, the data can still be recovered

ISO/IEC 19592-2: Information technology - Security techniques - Secret sharing - Part 2: Fundamental mechanisms
NTT contributed to this ISO standard as editors

Multi-party Computation

• We use Multi-party Computation based on Secret Sharing

Multi-party Computation:
1. performs data operations and exchanges among multiple servers according to defined procedures
2. processes data in an encrypted form called shares

[Figure: servers running Multi-party Computation, each holding a share]

Security Condition

• One share has no information
• Two shares can be enough for reconstruction

A single server cannot reconstruct the data or results.

[Figure: a single share yields "?"; two shares combined yield the data]

| | condition for data reconstruction |
|---|---|
| typical encryption | ciphertext and key |
| secure computation | two shares |

Prevention of data acquisition from two servers is the security condition
• compatible with typical encryption (see the table)

System Model
• Client-Multiservers Model
• Data Registration
• Computation (data analysis)

Client-Multiservers Model

• Multiple servers work together to perform Secure Computation

[Figure: clients connected to the multiservers]

Data Registration

• The client protects data as shares and registers them with each server

[Figure: client and multiservers]

Computation (data analysis)

• The client requests a computation from each server and obtains the results from them
  • request: “Calculate the average of income”
  • the multiservers run the multi-party computation
  • shares of the value xxxx are returned
• The client reconstructs the value (xxxx JPY) from the shares

[Figure: client and multiservers, with steps ② and ③ marked]

How it works
• Secret Sharing
• Addition on Secret Sharing
• Multiplication on Secret Sharing (ADVANCED)
• Secure Sort (ADVANCED)

Secret Sharing

Secret Sharing: “2” into two shares
• Throw the dice
• Reverse the number from the secret
• The number and the reverse are shares
• A single share (the number of the dice, the reverse of the roulette) is of no use

Reconstruction
• Forward 5 from 7 → 2

Addition on Secret Sharing

“2+3=5” Calculation

“Share” the secret
• Alice's 2 → Share 1 (Alice) and Share 2 (Alice)
• Bob's 3 → Share 1 (Bob) and Share 2 (Bob)

Calculation
• Add Share 1s: Share 1 (Alice) + Share 1 (Bob)
• Add Share 2s: Share 2 (Alice) + Share 2 (Bob)

Reconstructing results
• Forward 7 from 8 → 5

Multiplication on Secret Sharing (1/2) (ADVANCED)

Secret Sharing: “2” into three shares
• Throw two dice
• Reverse two numbers from the secret
• Select a share pair out of the three*

Reconstruction
• Get two numbers from two share pairs
• forward (5+3) steps from 4 → 2

* three shares: two numbers of dice and reverse of the roulette

Multiplication on Secret Sharing (2/2) (ADVANCED)

“2x3=6” Calculation

“Share” the secret
• A's 2: $a = a_0 + a_1 + a_2$ (ignoring the ten’s place)
• B's 3: $b = b_0 + b_1 + b_2$ (ignoring the ten’s place)

Evaluate the formula below with each pair of shares

$$ab = (a_0 + a_1 + a_2)(b_0 + b_1 + b_2) = a_0b_0 + a_0b_1 + a_1b_0 + a_1b_1 + a_1b_2 + a_2b_1 + a_2b_2 + a_2b_0 + a_0b_2$$

• A's shares $a_0, a_1$ and B's shares $b_0, b_1$: $a_0b_0 + a_0b_1 + a_1b_0$
• A's shares $a_1, a_2$ and B's shares $b_1, b_2$: $a_1b_1 + a_1b_2 + a_2b_1$
• A's shares $a_2, a_0$ and B's shares $b_2, b_0$: $a_2b_2 + a_2b_0 + a_0b_2$

Reconstructing results
• Forward the 3 results as steps (ignoring the ten’s place)
• forward (7+6) steps from 3 (ignoring the ten’s place) → 6
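The dice-and-roulette scheme of the slides above, written out as an added Python sketch (not NTT's or San-shi's code): three shares modulo 10, each server holding a share pair, local addition, and the per-server product terms from the multiplication slide. The function names are assumptions made for this example, and the modulus 10 is the slides' toy roulette.

```python
import secrets

M = 10  # the slides' roulette: all arithmetic ignores the ten's place

def share3(x, m=M):
    """Split x into three shares: two random numbers and x 'reversed' by both."""
    s0, s1 = secrets.randbelow(m), secrets.randbelow(m)
    return [s0, s1, (x - s0 - s1) % m]

def distribute(shares):
    """Server i stores the share pair (s_i, s_{i+1}), indices taken mod 3."""
    return [(shares[i], shares[(i + 1) % 3]) for i in range(3)]

def reconstruct(i, pair_i, j, pair_j, m=M):
    """Rebuild the secret from the pairs held by two different servers i and j."""
    known = {i: pair_i[0], (i + 1) % 3: pair_i[1],
             j: pair_j[0], (j + 1) % 3: pair_j[1]}
    if len(known) != 3:
        raise ValueError("need pairs from two different servers")
    return sum(known.values()) % m

def secrets_consistent_with(pair, m=M):
    """Every secret that one server's pair alone could belong to."""
    return {(pair[0] + pair[1] + third) % m for third in range(m)}

def add_local(pair_a, pair_b, m=M):
    """Addition needs no communication: each server adds its pairs slot by slot."""
    return ((pair_a[0] + pair_b[0]) % m, (pair_a[1] + pair_b[1]) % m)

def mul_local(pair_a, pair_b, m=M):
    """Server i's term a_i*b_i + a_i*b_{i+1} + a_{i+1}*b_i from the slide."""
    (a0, a1), (b0, b1) = pair_a, pair_b
    return (a0 * b0 + a0 * b1 + a1 * b0) % m

def secure_add(x, y, m=M):
    A, B = distribute(share3(x, m)), distribute(share3(y, m))
    C = [add_local(A[i], B[i], m) for i in range(3)]
    return reconstruct(0, C[0], 1, C[1], m)

def secure_mul(x, y, m=M):
    A, B = distribute(share3(x, m)), distribute(share3(y, m))
    terms = [mul_local(A[i], B[i], m) for i in range(3)]  # one number per server
    return sum(terms) % m  # the nine cross terms a_i*b_j, each counted once

if __name__ == "__main__":
    pairs = distribute([5, 3, 4])                  # the slide's sharing of 2
    print(reconstruct(2, pairs[2], 0, pairs[0]))   # forward (5+3) steps from 4
    print(secrets_consistent_with(pairs[0]))       # one pair fits every secret
    print(secure_add(2, 3), secure_mul(2, 3))
```

As on the slide, the product is reconstructed directly from the three per-server terms; the sketch does not cover turning those terms back into share pairs for further computation.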

Secure Sort (ADVANCED)

outline
• Calculate the numerical order for each input while keeping data encrypted
• Reconstruct only the order and sort the encrypted input
• Using “radix sort” with our “secure one-bit-sort”

[Figure: input 1 0 1 → order 2 1 3; boxed numbers are all encrypted]

details: Secure one-bit-sort

(1) NOT of input
    input 1 0 1 → not 0 1 0

(2) sub total of series of not and input
    not 0 1 0 → sum1 0 1 1
    input 1 0 1 → sum2 2 2 3

(3) multiply not/input by mul1/mul2
    not 0 1 0 × sum1 0 1 1 = mul1 0 1 0
    input 1 0 1 × sum2 2 2 3 = mul2 2 0 3

(4) add mul1 and mul2
    mul1 0 1 0 + mul2 2 0 3 = 2 1 3
    add = order
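Steps (1) to (4) of the one-bit-sort, and the radix sort built from it, as an added Python sketch (not NTT's implementation). Plain integers stand in for the encrypted values, the key bits are assumed to be available one bit at a time, and the function names are chosen for this example; the point is that the order is computed with additions and multiplications only, the operations the earlier slides define on shares.

```python
def one_bit_order(bits):
    """Destination (1-based) of each input, using only + and x on the bits."""
    nots = [1 - b for b in bits]                  # (1) NOT of input
    running, sum1, sum2 = 0, [], []
    for n in nots:                                # (2) running total over the not row
        running += n
        sum1.append(running)
    for b in bits:                                #     continued over the input row
        running += b
        sum2.append(running)
    mul1 = [n * s for n, s in zip(nots, sum1)]    # (3) keeps sum1 where the bit is 0
    mul2 = [b * s for b, s in zip(bits, sum2)]    #     keeps sum2 where the bit is 1
    return [p + q for p, q in zip(mul1, mul2)]    # (4) add = order

def apply_order(items, order):
    """Move each item to the position given by its reconstructed order."""
    out = [None] * len(items)
    for item, pos in zip(items, order):
        out[pos - 1] = item
    return out

def radix_sort(values, bit_width):
    """One stable one-bit-sort per key bit, lowest bit first."""
    items = list(values)
    for k in range(bit_width):
        bits = [(v >> k) & 1 for v in items]
        items = apply_order(items, one_bit_order(bits))
    return items

if __name__ == "__main__":
    print(one_bit_order([1, 0, 1]))               # the slide's input 1 0 1
    print(radix_sort([5, 2, 7, 0, 3, 2], 3))      # constructed sample keys
```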

Performance of Secure Computation
• Does it work?
• Performance
• Behind our exclusive performance

Does it work?

Q: I heard that secure computation is too slow to use?
A: No, we have achieved highly efficient data processing in secure computation.

| functions | execution time | |
|---|---|---|
| addition | 0.014 sec | 10 million times |
| multiplication | 0.473 sec | 10 million times |
| sort | 12.2 sec | 10 million records |

(details in next slide)

12 seconds for a secure sort of 10 million records; about 1 second for a plain sort (with a single thread)

The performance gap between our secure computation and ordinary plain computation reaches the one-to-ten level

Performance

Execution time of typical functions of our system

functions execution time [milliseconds]

| number of data | $10^3$ | $10^4$ | $10^5$ | $10^6$ | $10^7$ |
|---|---|---|---|---|---|
| Addition | 1 | 1 | 1 | 2 | 14 |
| Multiplication | 1 | 1 | 5 | 39 | 473 |
| Sort | 10 | 23 | 133 | 1,274 | 12,255 |
| Sum Total | 1 | 1 | 1 | 1 | 9 |
| Sum of Products | 1 | 1 | 1 | 2 | 15 |
| Quantity Table | 22 | 46 | 255 | 2,252 | 22,676 |
| Shuffle | 1 | 1 | 8 | 60 | 731 |
| Table Join | 19 | 65 | 518 | 4,965 | 53,205 |
| Data Filter with prefix match | 6 | 6 | 14 | 91 | 813 |
| Data Filter with numerical data | 5 | 5 | 10 | 35 | 413 |

3 PCs (CPU: Intel Core i7 6900K, MEM: 32GB, SSD: 525GB, OS: CentOS 7.2) with 10Gbps networks

Behind our exclusive performance

• Secret Sharing based
  • small data size
  • dedicated algorithm for addition and multiplication

• Implementations
  We work hard for:
  • secret sharing data processing
  • multi-party communication
  • fast secure sort algorithm

Secure Computation System San-shi®
• What is San-shi?
• Features of San-shi
• Typical Functions

San-shi® is a trade mark of NTT

What is San-shi?

• NTT’s Secure Computation System
• consists of server/client software
• multi-party computation based on secret sharing by 3 or 4 computers

Server Software
• multi-party computation based on secret sharing

Client Software
• data input and output in a secret sharing manner
• processing of analysis requests

Features of San-shi

Secure data management in a secret sharing manner
• Schema definition
• Table creation
• Data registration

Rich secure statistical functions
• Sum, Average, Variance
• Max, Min, Median
• Cross Tabulation

A novel “inter-organization” data analysis while keeping data secret
• Data join
• Cross-sectional data analysis

Practical performance with 10 million x 100 attributes data

Typical Functions

Statistical Functions
• Total Sum
• Average
• Variance
• Sum of Products
• Max
• Min
• Median
• P-quartile
• Quantity Table
• Frequency Table (cross tabulation, histogram)
• Threshold / Dominance Rule for Frequency Table Output
• t-test
• Kaplan-Meier's graph

Management Functions
• Table management
• Schema management
• Transaction (for table)
• Rollback (for table)
• User/Tenant Administration

Data Manipulation Functions
• Data Update
• Table Join
• NULL Filter
• Duplicate Filter
• Data Filter with date/strings comparison
• Categorization for numerical value
• Shuffle

Related Papers
• Understanding our technology
• Reviewed Paper/Conferences
• Awards

Understanding our technology

1. Naoto Kiribuchi, Dai Ikarashi, Koki Hamada, Ryo Kikuchi: "MEVAL3: A Programmable Secure Computation Library," Symposium on Cryptography and Information Security (SCIS), 2018 (in Japanese).

2. Koki Hamada, Satoshi Hasegawa, Kazuharu Misawa, Koji Chida, Soichi Ogishima, and Masao Nagasaki: "Privacy-Preserving Fisher's Exact Test for Genome-Wide Association Study," International Workshop on Genome Privacy and Security (GenoPri), 2017.

3. Eizen Kimura, Koki Hamada, Ryo Kikuchi, Koji Chida, Kazuya Okamoto, Shirou Manabe, Tomohiro Kuroda, Yasushi Matsumura, Toshihiro Takeda, and Naoki Mihara: "Evaluation of Secure Computation in a Distributed Healthcare Setting," Medical Informatics Europe (MIE) 2016: 152-156.

4. Koji Chida, Gembu Morohashi, Hitoshi Fuji, Fumihiko Magata, Akiko Fujimura, Koki Hamada, Dai Ikarashi, Ryuichi Yamamoto: "Implementation and evaluation of an efficient secure computation system using 'R' for healthcare statistics," J Am Med Inform Assoc. 21, pp.326-331, 2014.

5. Satoshi Tanaka, Yutaka Abe, Satoshi Takahashi, Ryo Kikuchi, Atsushi Doi, Koji Chida, and Kiyomi Shirakawa: "Secure statistical computation system on encrypted data: An empirical study of secure regression analysis for official statistics," UNECE Work session on Statistical Data Confidentiality, 2017.

6. Koji Chida, Daniel Genkin, Koki Hamada, Dai Ikarashi, Ryo Kikuchi, Yehuda Lindell, Ariel Nof: "Fast Large-Scale Honest-Majority MPC for Malicious Adversaries," the 38th International Cryptology Conference (CRYPTO), 2018.

Note that some Japanese documents are included.

7. Dai Ikarashi, Ryo Kikuchi, Koki Hamada, and Koji Chida: "Actively Private and Correct MPC Scheme in t<n/2 from Passively Secure Schemes with Small Overhead," ePrint archive 2014.

8. Ryo Kikuchi, Dai Ikarashi, Takahiro Matsuda, Koki Hamada, Koji Chida: "Efficient Bit-Decomposition and Modulus-Conversion Protocols with an Honest Majority," The 23rd Australasian Conference on Information Security and Privacy (ACISP), 2018.

9. Dai Ikarashi, Koki Hamada, Ryo Kikuchi, Koji Chida: "Design and Implementation of an Ultra-Fast Secure Computation Sort: The Day Secure Computation Stood Alongside Scripting Languages," Computer Security Symposium (CSS), 2017 (CSS Paper Award) (in Japanese).

10. Naoto Kiribuchi, Dai Ikarashi, Gembu Morohashi, Koki Hamada: "A Fast Equi-Join Algorithm Using Secure Computation for Confidential Integrated Analysis of Attribute and History Information, and Its Implementation," Computer Security Symposium (CSS), 2016 (CSS Paper Award) (in Japanese).

11. Dai Ikarashi, Ryo Kikuchi, Katsumi Takahashi: "MEVAL2 vs. CCS Best paper on MPC-AES," Symposium on Cryptography and Information Security (SCIS), 2017 (SCIS Innovation Paper Award) (in Japanese).

12. Ryo Kikuchi, Koji Chida, Dai Ikarashi, Wakaha Ogata, Koki Hamada, Katsumi Takahashi: "Secret sharing with share-conversion: Achieving small share-size and extendibility to multiparty computation," IEICE Transactions, 98-A(1):213-222, 2015.

Reviewed Paper/Conferences

1. Koji Chida, Daniel Genkin, Koki Hamada, Dai Ikarashi, Ryo Kikuchi, Yehuda Lindell, Ariel Nof: “Fast Large-Scale Honest-Majority MPC for Malicious Adversaries,” the 38th International Cryptology Conference (CRYPTO), 2018.

2. Ryo Kikuchi, Dai Ikarashi, Takahiro Matsuda, Koki Hamada, Koji Chida: “Efficient Bit-Decomposition and Modulus-Conversion Protocols with an Honest Majority,” The 23rd Australasian Conference on Information Security and Privacy (ACISP), 2018.

3. Ryo Kikuchi, Koji Chida, Dai Ikarashi, Koki Hamada: “Password-Based Authentication Protocol for Secret-Sharing-Based Multiparty Computation,” IEICE Transactions 101-A(1): 51-63, 2018.

4. Ryo Kikuchi, Dai Ikarashi, Koji Chida, Koki Hamada, Wakaha Ogata: “Computational SS and conversion protocols in both active and passive settings,” IET Information Security 11(5): 287-293, 2017.

5. Koki Hamada, Satoshi Hasegawa, Kazuharu Misawa, Koji Chida, Soichi Ogishima, Masao Nagasaki: “Privacy-Preserving Fisher's Exact Test for Genome-Wide Association Study,” 4th International Workshop on Genome Privacy and Security (GenoPri'17), 2017.

6. Koki Hamada, Satoshi Hasegawa, Dai Ikarashi, Koji Chida: “Presentations from invited participants: Track 1,” iDASH Privacy & Security Workshop (invited), 2017.

7. Toru Mano, Takeru Inoue, Dai Ikarashi, Koki Hamada, Kimihiro Mizutani, Osamu Akashi: “Efficient Virtual Network Optimization Across Multiple Domains Without Revealing Private Information,” IEEE Trans. Network and Service Management 13(3): 477-488, 2016.

8. Eizen Kimura, Koki Hamada, Ryo Kikuchi, Koji Chida, Kazuya Okamoto, Shirou Manabe, Tomohiro Kuroda, Yasushi Matsumura, Toshihiro Takeda, Naoki Mihara: “Evaluation of Secure Computation in a Distributed Healthcare Setting,” MIE 2016: 152-156, 2016.

9. Ryo Kikuchi, Koji Chida, Dai Ikarashi, Wakaha Ogata, Koki Hamada, Katsumi Takahashi: “Secret Sharing with Share-Conversion: Achieving Small Share-Size and Extendibility to Multiparty Computation,” IEICE Transactions 98-A(1): 213-222, 2015.

10. Ryo Kikuchi, Dai Ikarashi, Koki Hamada, Koji Chida: “Adaptively and Unconditionally Secure Conversion Protocols between Ramp and Linear Secret Sharing,” IEICE Transactions 98-A(1): 223-231, 2015.

11. Koji Chida, Gembu Morohashi, Hitoshi Fuji, Fumihiko Magata, Akiko Fujimura, Koki Hamada, Dai Ikarashi, Ryuichi Yamamoto: “Implementation and evaluation of an efficient secure computation system using 'R' for healthcare statistics,” Journal of the American Medical Informatics Association, Volume 21, Issue e2, 1 October 2014, Pages 326-331, 2014.

12. Koki Hamada, Dai Ikarashi, Koji Chida: “A Batch Mapping Algorithm on Secure Computation,” IEICE Transactions A (in Japanese), Vol.J96-A, No.4, pp.157-165, 2013.

13. Koki Hamada: “An Algorithm for Computing Aggregate Median on Secure Function Evaluation,” IWSEC 2013 (invited), 2013.

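Awards

1. [HLI and Baidu Award for 2017 iDASH Genome Privacy & Security Computation] Koki Hamada, Dai Ikarashi, Satoshi Hasegawa, Koji Chida

2. [SCIS2017 Innovation Paper Award] Dai Ikarashi, Ryo Kikuchi, Katsumi Takahashi: “MEVAL2 vs. CCS Best paper on MPC-AES,” SCIS2017.

3. [CSS2017 Paper Award] Dai Ikarashi, Koki Hamada, Ryo Kikuchi, Koji Chida: “Design and Implementation of an Ultra-Fast Secure Computation Sort: The Day Secure Computation Stands Alongside Scripting Languages,” CSS2017.

4. [DICOMO2017 Best Paper Award], [DICOMO2017 Young Researcher Award] Satoshi Hasegawa, Koki Hamada, Kazuharu Misawa, Koji Chida, Soichi Ogishima, Masao Nagasaki: “Implementation and Evaluation of a Secure Computation Fisher's Exact Test for Privacy-Preserving Genome Analysis,” DICOMO2017.

5. [CSS2016 Excellent Paper Award] Naoto Kiribuchi, Dai Ikarashi, Gembu Morohashi, Koki Hamada: “A Fast Equi-Join Algorithm Using Secure Computation for Confidential Integrated Analysis of Attribute and History Information, and Its Implementation,” CSS2016.

6. [CSS2014 Excellent Paper Award] Koki Hamada, Naoto Kiribuchi, Dai Ikarashi: “Round-Efficient Secure Computation Pattern Matching,” CSS2014.

7. [CSS2013 Excellent Paper Award] Dai Ikarashi, Koki Hamada, Ryo Kikuchi, Koji Chida: “O(l)-Bit-Communication Bit Decomposition and O(|p'|)-Bit-Communication Modulus Conversion for Secret-Sharing-Based Secure Computation with Few Parties,” CSS2013.

8. [FY2012 Yamashita Memorial Research Award], [CSS2012 Excellent Paper Award] Koki Hamada, Dai Ikarashi, Koji Chida: “An Algorithm for Computing the Aggregate Function Median on Secure Computation,” CSS2012.

9. [IPSJ Paper Award, fiscal year Heisei 23] Koji Chida, Dai Ikarashi, Koki Hamada, Katsumi Takahashi: “Proposal and Implementation Evaluation of Lightweight Verifiable Three-Party Secure Function Evaluation,” IPSJ Journal, 2011.

10. [SCIS2011 Paper Award] Koki Hamada, Dai Ikarashi, Koji Chida, Katsumi Takahashi: “Linear-Time Sorting on Secure Function Evaluation,” SCIS2011.

11. [SCIS2011 Paper Award] Dai Ikarashi, Koji Chida, Koki Hamada, Katsumi Takahashi: “Improving the Efficiency of Lightweight Verifiable Three-Party Secure Function Evaluation and Secure Database Processing Using It,” SCIS2011.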

Thank you!

• version August 2018