Towards an interpreter for efficient encrypted computation

Fully homomorphic encryption (FHE) techniques are capable of performing encrypted computation on Boolean circuits, i.e., the user specifies encrypted inputs to the program, and the server computes on the encrypted inputs. Applying these techniques to general programs with recursive procedures and data-dependent loops has not been a focus of attention. In this paper, we take a first step toward building an interpreter that, given programs with complex control flow, schedules efficient code suitable for the application of FHE schemes. We first describe how programs written in a small Turing-complete instruction set can be executed with encrypted data and point out inefficiencies in this methodology. We then provide examples of scheduling (a) the greatest common divisor (GCD) problem using Euclid's algorithm and (b) the 3-Satisfiability (3SAT) problem using a recursive backtracking algorithm into path-levelized FHE computations. We describe how path levelization reduces control flow ambiguity and improves encrypted computation efficiency. Using these techniques and data-dependent loops as a starting point, we then build support for hierarchical programs made up of phases, where each phase corresponds to a fixed point computation that can be used to further improve the efficiency of encrypted computation. In our setting, the adversary learns an estimate of the number of steps required to complete the computation, which we show is the least amount of leakage possible

S-FaaS: Trustworthy and Accountable Function-as-a-Service using Intel SGX

Function-as-a-Service (FaaS) is a recent and already very popular paradigm in cloud computing. The function provider need only specify the function to be run, usually in a high-level language like JavaScript, and the service provider orchestrates all the necessary infrastructure and software stacks. The function provider is only billed for the actual computational resources used by the function invocation. Compared to previous cloud paradigms, FaaS requires significantly more fine-grained resource measurement mechanisms, e.g. to measure compute time and memory usage of a single function invocation with sub-second accuracy. Thanks to the short duration and stateless nature of functions, and the availability of multiple open-source frameworks, FaaS enables non-traditional service providers e.g. individuals or data centers with spare capacity. However, this exacerbates the challenge of ensuring that resource consumption is measured accurately and reported reliably. It also raises the issues of ensuring computation is done correctly and minimizing the amount of information leaked to service providers. To address these challenges, we introduce S-FaaS, the first architecture and implementation of FaaS to provide strong security and accountability guarantees backed by Intel SGX. To match the dynamic event-driven nature of FaaS, our design introduces a new key distribution enclave and a novel transitive attestation protocol. A core contribution of S-FaaS is our set of resource measurement mechanisms that securely measure compute time inside an enclave, and actual memory allocations. We have integrated S-FaaS into the popular OpenWhisk FaaS framework. We evaluate the security of our architecture, the accuracy of our resource measurement mechanisms, and the performance of our implementation, showing that our resource measurement mechanisms add less than 6.3% latency on standardized benchmarks

Multiparty computations in varying contexts

Recent developments in the automatic transformation of protocols into Secure Multiparty Computation (SMC) interactions, and the selection of appropriate schemes for their implementation have improved usabililty of SMC. Poor performance along with data leakage or errors caused by coding mistakes and complexity had hindered SMC usability. Previous practice involved integrating the SMC code into the application being designed, and this tight integration meant the code was not reusable without modification. The progress that has been made to date towards the selection of different schemes focuses solely on the two-party paradigm in a static set-up, and does not consider changing contexts. Contexts, for secure multiparty computation, include the number of participants, link latency, trust and security requirements such as broadcast, dishonest majority etc. Variable Interpretation is a concept we propose whereby specific domain constructs, such as multiparty computation descriptions, are explicitly removed from the application code and expressed in SMC domain representation. This mirrors current practice in presenting a language or API to hide SMC complexity, but extends it by allowing the interpretation of the SMC to be adapted to the context. It also decouples SMC from human co-ordination by introducing a rule-based dynamic negotiation of protocols. Experiments were carried out to validate the method, running a multiparty computation on a variable interpreter for SMC using different protocols in different contexts

MAGE: Nearly Zero-Cost Virtual Memory for Secure Computation

Secure Computation (SC) is a family of cryptographic primitives for computing on encrypted data in single-party and multi-party settings. SC is being increasingly adopted by industry for a variety of applications. A significant obstacle to using SC for practical applications is the memory overhead of the underlying cryptography. We develop MAGE, an execution engine for SC that efficiently runs SC computations that do not fit in memory. We observe that, due to their intended security guarantees, SC schemes are inherently oblivious -- their memory access patterns are independent of the input data. Using this property, MAGE calculates the memory access pattern ahead of time and uses it to produce a memory management plan. This formulation of memory management, which we call memory programming, is a generalization of paging that allows MAGE to provide a highly efficient virtual memory abstraction for SC. MAGE outperforms the OS virtual memory system by up to an order of magnitude, and in many cases, runs SC computations that do not fit in memory at nearly the same speed as if the underlying machines had unbounded physical memory to fit the entire computation.Comment: 19 pages; Accepted to OSDI 202

A General Purpose Transpiler for Fully Homomorphic Encryption

Fully homomorphic encryption (FHE) is an encryption scheme which enables computation on encrypted data without revealing the underlying data. While there have been many advances in the field of FHE, developing programs using FHE still requires expertise in cryptography. In this white paper, we present a fully homomorphic encryption transpiler that allows developers to convert high-level code (e.g., C++) that works on unencrypted data into high-level code that operates on encrypted data. Thus, our transpiler makes transformations possible on encrypted data. Our transpiler builds on Google's open-source XLS SDK (https://github.com/google/xls) and uses an off-the-shelf FHE library, TFHE (https://tfhe.github.io/tfhe/), to perform low-level FHE operations. The transpiler design is modular, which means the underlying FHE library as well as the high-level input and output languages can vary. This modularity will help accelerate FHE research by providing an easy way to compare arbitrary programs in different FHE schemes side-by-side. We hope this lays the groundwork for eventual easy adoption of FHE by software developers. As a proof-of-concept, we are releasing an experimental transpiler (https://github.com/google/fully-homomorphic-encryption/tree/main/transpiler) as open-source software

Secure Multi-party Computation Protocols from a High-Level Programming Language

Turvalise ühisarvutuse abil on võimalik sooritada privaatsust säilitavaid arvutusi mitmelt osapoolelt kogutud andmetega. Tänapäeva digitaalses maailmas on andmete konfidentsiaalsuse tagamine üha raskemini teostatav. Turvalise ühisarvutuse meetodid nagu ühissalastus ja Yao sogastatud loogikaskeemid võimaldavad teostada privaatsust säilitavaid arvutusprotokolle, mis ei lekita konfidentsiaalseid sisendandmeid. Aditiivne ühissalastuse skeem on väga efektiivne algebraliste ringide tehete sooritamiseks fikseeritud bitilaiusega andmetüüpide peal. Samas on seda kasutades raske ehitada protokolle, mis nõuavad paindlikumaid bititaseme operatsioone. Yao sogastatud loogikaskeemide meetod töötab aga igasuguse bitilaiusega andmete peal ja võimaldab väärtustada mistahes Boole'i funktsioone. Neid kahte meetodit koos kasutades ehitame turvalise hübriidprotokolli, mis kujutab endast üldist meetodit privaatsust säilitavate arvutuste teostamiseks bitikaupa ühissalastatud andmete peal. Loogikaskeeme vajalikeks arvutusteks on lihtne saada kahe kaasaegse turvalise ühisarvutuse jaoks mõeldud kompilaatori abil, mis muundavad C programmi loogikaskeemiks --- PCF ja CBMC-GC. Meie hübriidprotokolli prototüüp privaatsust säilitaval arvutusplatvormil Sharemind saavutab praktilisi jõudlustulemusi, mis on võrreldavad teiste kaasaegsete lahendustega. Lisaks kahe osapoolega arvutustele pakub meie prototüüp võimekust teostada mitmekesiseid arvutusi üldises turvalise ühisarvutuse arvutusmudelis. Hübriidprotokoll ja loogikaskeemide kompilaatorid võimaldavad koos kasutades lihtsalt ja efektiivselt luua üldkasutatavaid turvalise ühisarvutuse protokolle mistahes Boole'i funktsioonide väärtustamiseks.Secure multi-party computation (SMC) enables privacy-preserving computations on data originating from a number of parties. In today's digital world, data privacy is increasingly more difficult to provide. With SMC methods like secret sharing and Yao's garbled circuits, it is possible to build privacy-preserving computational protocols that do not leak confidential inputs to other parties. The additive secret sharing scheme is very efficient for algebraic ring operations on fixed bit-length data types. However, it is difficult to build protocols that require robust bit-level manipulation. Yao's garbled circuits approach, in contrast, works on arbitrary bit-length data and allows the evaluation of any Boolean function. Combining the two methods, we build a secure hybrid protocol, which provides a general method for building arbitrary secure computations on bitwise secret-shared data. We are able to generate circuits for the protocol easily by using two state-of-the-art C to circuit compilers designed for SMC applications --- PCF and CBMC-GC. Our hybrid protocol prototype on the Sharemind privacy-preserving computational platform achieves practical performance comparable to other recent work. In addition to two-party computations, our prototype provides the ability to perform a set of diverse computations in a generic SMC computational model. The hybrid protocol together with the circuit compilers provides a simple and efficient toolchain to build general-purpose SMC protocols for evaluating any Boolean function