-
Notifications
You must be signed in to change notification settings - Fork 111
ABY
ABY is a library-style framework for secure computation that provides fine-grained control over computation efficiency via multiple protocol support.
It supports three sharing schemes: Arithmetic sharing, Boolean sharing, and Yao's garbled circuits. Arithmetic-shared circuits are evaluated using a novel GMW-based protocol, fully described in the paper. Boolean-shared circuits are evaluated using the GMW protocol. Yao circuits are evaluated with Yao's garbled circuits protocol. Users can manually switch between circuit types during the secure computation.
Function specification is done via gates. There are some useful abstractions (parallelizing concurrent operations with SIMD gates; add, multiply, subtraction, inversion gates for all circuit types, plus bitwise and, xor, or, greater than, equality, and multiplexer gates for Boolean and Yao shares), but the developer is still implementing functions with a fairly low-level representation.
The framework only supports two parties, but you can secret share from multiple parties to two, then rebuild the inputs and implement the function.
Compilation was fairly straightforward, although it failed on OSX.
Their extensive user guide explains most of hte basic functionality of the framework and explains how the type system is structured.
It has some omissions (EQ gate for Boolean circuits, ADD for shares or for wireids, pre-computation phase used in min-euclidean-dist example) and out-of-date entries (get_wire_ids does not exist, contradiction between statements in UG and implementations). For example,
Changing the bitlength only works for Boolean or Yao sharing, but not for arithmetic sharing.
but innerprod.cpp calls set_bitlength at the end of the computation in an Arithmetic circuit.
Arithmetic circuits define ADD and MUL gates that takes wire ids as input, rather than shares. This is not documented in the User Guide and is not supported for Boolean circuits.
We found some correctness issues. We contacted the ABY team about underlying implementation issues and these have since been fixed, so we don't discuss them here. We also found an easy user error that can cause incorrect results:
- The same share type is used to represent secret input as understood by each circuit. This is a useful abstraction, but there's no enforcement re: which circuit type a share represents at any given time. For example, you can have an Arithmetic circuit output a share generated on a Yao circuit. This doesn't produce any warnings or errors, and will produce incorrect output.
All network communications trace back to the ENCRYPTO_utils socket files. Secure communications shouldn't matter, though, because it's a two-party computation.
ABY uses OpenSSL which uses AES-NI by default unless configured with no-asm option. I grepped the repo and didn't find that string, so I strongly suspect this framework does use AES-NI.
ABY demonstrates a less seamless approach to hybrid computation, allowing the user fine-grained control via explicit protocol selection. It has since spawned many follow-up works, including several which automate protocol selection between the three options. These include:
- EzPC: ABY but with automatic protocol selection and language guarantees. (Follow-up application: SecureNN, see also MiniONN below)
- ABY^3: 3-party malicious security, switches between protocols, designed for machine-learning applications.
- HyCC: more automation!
The system has been used in a variety of practical applications
- Ciphers for MPC and FHE: Implements symmetric-key primitives
- The SIXPACK system [ANRW16, CDCSS17]: Computing routing information at internet exchange points
- Private set intersection for unequal size sets with mobile applications: Compares PSI protocols in different settings
- Efficient circuit-based PSI via cuckoo hashing: Implements new circuit-based PSI protocols
- Oblivious neural network predictions via MiniONN transformations [source]: Transforms neural nets to oblivious neural nets without changing model training.
- Privacy-preserving whole-genome variant queries: Outsourcing queries on genomic data using MPC
Method GetNumGates on Circuit types is not fully implemented, so we're not yet reporting circuit size in gates.
mult3: Since the framework only supports two-party computations, multiplying 3 numbers requires secret-sharing 3 inputs between the two parties.
Arithmetic circuits operate in a field of size 2^l, where l is the bit size of the types computed on. For these examples, we used 16-bit numbers, and the results were given mod 2^16. The largest bit size available is for the double type (l = 64).
Using PutSharedInGates automatically adds the shares, but isn't implemented for 32 bit inputs.
ABY includes the inner product as an example. Our version has the same function implementation but is modified to read data from a file.