Salus

Seny Kamara, Payman Mohassel, Ben Riva
Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS '12), 2012
Secure function evaluation (SFE) allows a set of mutually distrustful parties to evaluate a function of their joint inputs without revealing their inputs to each other. SFE has been the focus of active research and recent work suggests that it can be made practical. Unfortunately, current protocols and implementations have inherent limitations that are hard to overcome using standard and practical techniques. Among them are: (1) requiring participants to do work linear in the size of the representation of the function; (2) requiring all parties to do the same amount of work; and (3) not being able to provide complete fairness. A promising approach for overcoming these limitations is to augment the SFE setting with a small set of untrusted servers that have no input to the computation and that receive no output, but that make their computational resources available to the parties. In this model, referred to as server-aided SFE, the goal is to trade off the parties' work at the expense of the servers. Motivated by the emergence of public cloud services such as Amazon EC2 and Microsoft Azure, recent work has explored the extent to which server-aided SFE can be achieved with a single server. In this work, we revisit the server-aided setting from a practical perspective and design single-server-aided SFE protocols that are considerably more efficient than all previously known protocols. We achieve this in part by introducing several new techniques for garbled-circuit-based protocols, including a new and efficient input-checking mechanism for cut-and-choose and a new pipelining technique that works in the presence of malicious adversaries. Furthermore, we extend the server-aided model to guarantee fairness, which is an important property to achieve in practice. Finally, we implement and evaluate our constructions experimentally and show that our protocols (regardless of the number of parties involved) yield implementations that are 4 and 6 times faster than the most optimized two-party SFE implementation when the server is assumed to be malicious and covert, respectively.

Work done at Microsoft Research.

Towards practical SFE. Early work on SFE, and on the more general notion of multi-party computation (MPC), focused on feasibility results; that is, demonstrating that every function can be computed securely [57, 58, 24, 10].
Motivated by these results, much of the work in SFE focused on improving the security definitions [44, 9], on strengthening the adversarial models, on decreasing the round and communication complexity, and on improving efficiency [43, 45, 7, 38, 41, 4, 6, 52]. The special case of two-party SFE (2SFE) in particular has been improved extensively with more efficient semi-honest-to-malicious compilation techniques [43, 45, 56, 38, 41, 35, 40, 55], garbled circuit constructions and implementations [49, 35, 52, 29, 42], and oblivious transfer protocols [48, 30, 50]. In fact, recent work on practical SFE has even led to the design and implementation of several SFE/MPC frameworks such as Fairplay [43, 4], VIFF [15], Sharemind [5], Tasty [28], HEKM [29] and VMCrypt [42].
doi:10.1145/2382196.2382280 dblp:conf/ccs/KamaraMR12 fatcat:x3ilk5w7crhn3lbu5n7lsc4zcm