Publications

Hardware-Assisted Ad-Hoc Secure Two-Party Computation on Smartphones

Author: Demmler, Daniel; Schneider, Thomas; Zohner, Michael
Date: 2013
Type: Conference Proceedings
Abstract: Secure computation allows multiple mutually distrusting parties to jointly compute a function on their private inputs without revealing anything but the function output. This technique is particularly interesting in the context of mobile devices, such as smartphones, where typically highly sensitive user data is stored and processed. The protection of this data is desirable but challenging, due to the computational complexity of secure computation protocols and the limited processing power, memory and battery life of mobile hardware. In this work we focus on the practical realization of secure two-party computation in a mobile environment and the possibility of enhancing it by using a trusted hardware token. Previous work in the field is mainly based on Yao’s garbled circuit protocol [Yao86]. Further protocols employ homomorphic encryption, but are usually limited to a specific use case. We follow a different and more efficient approach by implementing the protocol by Goldreich-Micali-Wigderson and allowing generic functions to be evaluated. This is done on off-the-shelf Android smartphones using a general purpose microSD smartcard. To address the aforementioned performance issues, we shift the most expensive cryptographic operations into an initialization phase on the trusted hardware token. This phase is independent of the function to be evaluated and can be executed locally when the phone is idle, e.g., charging overnight. The pre-generated trusted data enables us to efficiently mask sensitive user data, thus minimizing the ad-hoc computation time. For the purpose of securely distributing this data from the trusted token to the user, we implemented two secure channel protocols on the smartcard.
Our proof-of-concept implementation allows for managing the hardware token and running ad-hoc secure two-party computation with several use cases: private set intersection in order to find common contacts or securely scheduling a meeting, optionally with location preferences. However, our implementation is generic, i.e., new functionalities can easily be introduced by providing the Boolean circuit to be evaluated securely. The performance of our mobile implementation is extensively evaluated and found to be able to compete with state-of-the-art protocols implemented on desktop PCs.
Conference: 19th Crypto-Day
Partn: TUD-CS-2013-0425
URL: https://tubiblio.ulb.tu-darmstadt.de/id/eprint/104261