Private Function Evaluation
38
Private Function Evaluation Payman Mohassel University of Calgary Talks given at Bristol and Aarhus Universities Joint work with Saeed Sadeghian
description
Private Function Evaluation. Payman Mohassel University of Calgary Talks given at Bristol and Aarhus Universities. Joint work with Saeed Sadeghian. Secure Function Evaluation. Correctness: honest parties learn the correct output Privacy: Nothing but the final output is leaked . - PowerPoint PPT Presentation
Transcript of Private Function Evaluation
Private Function Evaluation
Payman Mohassel University of Calgary
Talks given at Bristol and Aarhus Universities
Joint work with Saeed Sadeghian
2
Secure Function Evaluation
Parties learn f(x1,…,xn)
P1, x1
P2, x2
P5, x5
P4, x4
P3, x3
Correctness:honest parties learn the correct output
Privacy:Nothing but the final output is leaked
Private vs. Secure Function Evaluation
𝒇 (𝒙𝟏 ,…, 𝒙𝒏)
𝒇 (𝒙𝟏 ,…, 𝒙𝒏)
Our Setup
𝒇 (𝒙𝟏 ,…, 𝒙𝒏)
• Function o Boolean circuitso Arithmetic circuits
• Settings we considero Two-partyo Multiparty
• Dishonest majority• Semi-honest
adversaries
Motivation• Why Hide the Function?
o Private functions• Proprietary, intellectual property
o Sensitive functions• Revealing vulnerabilities
o Output of SFE leaks information• Hiding the function potentially helps• Prevents dictionary attacks on input
• Interactive program obfuscationo If interaction is possible PFE yields efficient program
obfuscation
Is PFE Hard?• Not really!
• All SFE feasibility results extend to PFEo Using Universal Circuits
• The only interesting questions are efficiency questions
Universal CircuitsC Universal Circuit
x
C(x)
Universal Circuits• Boolean
o For a circuit C with g gateso [Valiant’ 76]: (good for large circuits)
• Building it seems complicatedo [KS’ 08]: (good for small circuits )
• Arithmetico For a circuit C with g gates and depth d o [Raz’ 08]: gates, i.e. in the worst case
PFE Constructions• Two-party setting
o Universal Circuit + Yao’s protocol• or symmetric ops + OTs
o [KM’ 11]: Homomorphic Enc + Yao’s protocol • public-key ops + symmetric ops
• Multi-party settingo Universal Circuit + GMW protocol
• OTs
• Arithmetic circuitso Universal Circuit + HE-based MPC [CDN’ 01]o public-key ops
Efficiency Questions• Asymptotic Efficiency
o Can we design PFE with linear complexity in all standard settings?
• Practical Efficiencyo Constant factors are importanto Symmetric ops superior to public-key opso …o Can we improve practical efficiency of universal
circuit approach?
Our Framework
Hiding the Circuit• What is leaked
o Number of gateso Input sizeo Output size
• What is privateo Functionality of gateso Topology of the circuit
One can hide circuit size using an FHE-based construction
Private Gate Evaluation
• Inputs are shared
o
• Gate function
o Known only to
• Output is shared
𝒈 (𝒙 , 𝒚 )
𝑧1 𝑧 2
Actual sharing mechanism depends on the protocol
Circuit Topology• Topology captured using a mapping 𝑖1
𝑖2𝑖3𝑖4
𝑖5𝑖6𝑖7𝑖8
𝑖9𝑖10
𝑜1𝑜2
𝑜3𝑜4 𝑜6
𝑜5
𝑖1𝑖2𝑖3𝑖4𝑖5𝑖6𝑖7𝑖8𝑖9𝑖10
𝝅𝑪
CTH Functionality
• Inputs are shared
• Mappingo known by only
• Outputs are shared
• Query typeso Map: done internallyo Reveal: reveal result of mapo On-demand mapping
𝑥=𝑥1⊕𝑥2𝑥 ′ ′ 1⊕𝑥 ′ ′2=𝑥
𝑦=𝑦1⊕ 𝑦2𝑦 ′ 1⊕ 𝑦 ′2=𝑦
Map
Reveal
𝝅𝑪𝑥 ′ 1⊕𝑥 ′2=𝑥
PGE + CTH𝑖1𝑖2𝑖3𝑖4
𝑖5𝑖6𝑖7𝑖8
𝑖9𝑖10
𝑜1𝑜2
𝑜3𝑜4 𝑜6
𝑜5CTH
PGE
PGE
PGE
PGE
PGE
Topological order𝑜5
𝑜5
𝑜6
𝑜6
𝟏
𝟐
𝟕
𝟑
𝑜1
𝑜2
𝑜3
𝑜4 𝟒
𝟓𝟔
𝟖
𝟗𝟏𝟎
𝟏𝟏
𝟏𝟐
𝟏𝟑𝟏𝟒
𝟏𝟓
𝟏𝟖𝟏𝟔𝟏𝟕𝟏𝟗𝟐𝟎
𝟐𝟏
RevealMap
Instantiating PGE
PGE for GMW
g x y z0 0 g(0,0
)0 1 g(0,1
)1 0 g(1,0
)1 1 g(1,1
)
𝒈 (𝒙 , 𝒚 )
𝑧1 𝑧 2
g0 00 11 01 1
𝑃1 𝑃2
𝑥2 , 𝑦 21-out-of-4 OT
PGE for AC
• is an additively homomrphic encryption
𝑃1
𝑎1 ,𝑏1 ,𝑝𝑘 𝑃2𝑎2 ,𝑏2 ,𝑝𝑘 ,𝑠𝑘𝐸𝑛𝑐𝑝𝑘 (𝑎2 ) ,𝐸𝑛𝑐𝑝𝑘 (𝑏2 ) ,𝐸𝑛𝑐𝑝𝑘(𝑎2𝑏2)
(If )
(If )
𝐶=𝐸𝑛𝑐𝑝𝑘(𝑎2+𝑏2+𝑟 )
𝑐2←𝐷𝑒𝑐𝑠𝑘(𝐶)
𝑐1←𝐅 𝐶=𝐸𝑛𝑐𝑝𝑘(𝑎1𝑏1+𝑎2𝑏1+𝑎1𝑏2+𝑎2𝑏2−𝑐1)
PGE for Garbled Circuit
• We kind of cheat!o We assume all gates are NAND gates
• Sharing associated with Yaoo To share a value o holds ( o holds
• sends a garbled table to • decrypts one row of the table
Instantiating CTH
Oblivious Mapping• Assume inputs are ready Oblivious mapping
𝝅𝑪
𝑃1
π
𝑃2(𝑡1𝑡2...𝑡𝑚
)(𝑎𝜋− 1 (1 )⊕𝑡1𝑎𝜋− 1 (2 )⊕𝑡 2
.
.
.𝑎𝜋−1 (𝑚 )⊕𝑡𝑚❑
)(𝑎1𝑎2...𝑎𝑛
)𝑎1
𝑎2
𝑎3
𝑎4𝑎5𝑎6
𝑎1⊕𝑡 1
𝑎1⊕𝑡 5
𝑎2⊕𝑡 2𝑎3⊕𝑡3
𝑎4⊕𝑡 4
𝑎5⊕𝑡6𝑎5⊕𝑡7
𝑎6⊕𝑡 9𝑎6⊕𝑡8
Oblivious Mapping• Using any MPC
o inefficiento Not clear it has the on-demand propertyo [HEK’12] implements Waksman using Yao’s protocol
• Using singly HE o Linear complexityo Requires public-key operations
• Using oblivious transfero Not linearo But better concrete efficiency (OT extension)
HE-based
𝑃1 𝑃2
𝐸𝑛𝑐𝑝𝑘(𝑎1)𝐸𝑛𝑐𝑝𝑘(𝑎2)
𝐸𝑛𝑐𝑝𝑘(𝑎𝑛)
𝐸𝑛𝑐𝑝𝑘(𝑎¿¿𝜋− 1 (1 )⊕𝑡¿¿1)¿𝐸𝑛𝑐𝑝𝑘(𝑎𝜋− 1 (2 )⊕𝑡¿¿2)¿ .¿ ..
𝐸𝑛𝑐𝑝𝑘(𝑎¿¿𝜋−1 (𝑚 )⊕𝑡 ¿¿𝑚)❑¿¿
.
.
. (𝑎1𝑎2...𝑎𝑛
)(𝑡1𝑡2...𝑡𝑚
)𝝅❑
Easy to make on-demand
𝑝𝑘 ,𝑠𝑘
Permutation Networks
𝑎𝑏
1
𝑎𝑏
0𝑎𝑏
𝑎𝑏
…
…
…
…
[Waksman’ 68]: any permutation can be implemented using a permutation network of size
The permutation is determined using selection bits
Permutation NetworkSwitchesselection bit
Switching Networks• Our mapping is not a permutation
• Need one more switch type
𝑎𝑏
1
𝑎𝑏
0𝑎𝑏
𝑎𝑏 𝑎
𝑏
1
𝑎𝑏
0𝑎𝑏
𝑎𝑎
Mapping from SN
Waksman network
Waksman network
𝑎1𝑎2...𝑎𝑛
𝑑𝑑...𝑑
𝑎1𝑑𝑑𝑎2𝑑𝑎3𝑎4...𝑑𝑎𝑛
1𝑎1𝑎1 1
𝑎1𝑎1 0 𝑎1
.
.
.
m 𝑙𝑜𝑔𝑚−𝑚+1+𝑚+𝑚𝑙𝑜𝑔𝑚−𝑚+1
Oblivious Switch 1
𝑟1𝑟2
𝑟3𝑟 4
𝑃1
𝑎 ,𝑏𝑃2
𝑠
¿ 𝑠1-out-of-2 OT
𝑎⊕𝑟1 ,𝑏⊕𝑟 2𝑠=0→ (𝑎⊕𝑟1)⊕ (𝑟1⊕𝑟 3 )=𝒂⊕𝒓 𝟑
(𝑏⊕𝑟 2)⊕ (𝑟 2⊕𝑟 4 )=𝒃⊕𝒓 𝟒
𝑠=1→(𝑏⊕𝑟2)⊕ (𝑟 2⊕𝑟 3 )=𝒃⊕𝒓𝟑
(𝑎⊕𝑟 1)⊕ (𝑟1⊕𝑟4 )=𝒂⊕𝒓 𝟒
Oblivious Switch 2
𝑟1𝑟2
𝑟3𝑟 4
𝑃1
𝑎 ,𝑏𝑃2
𝑠
¿ 𝑠1-out-of-2 OT
𝑎⊕𝑟1 ,𝑏⊕𝑟 2𝑠=0→ (𝑎⊕𝑟1)⊕ (𝑟1⊕𝑟 3 )=𝒂⊕𝒓 𝟑
(𝑏⊕𝑟 2)⊕ (𝑟 2⊕𝑟 4 )=𝒃⊕𝒓 𝟒
𝑠=1→ (𝑎⊕𝑟 1)⊕ (𝑟1⊕𝑟3 )=𝒂⊕𝒓𝟑
(𝑎⊕𝑟1)⊕ (𝑟1⊕𝑟 4 )=𝒂⊕𝒓𝟒
Oblivious SN Evaluation
𝑟1𝑟2
𝑟3𝑟 4 𝑟3
𝑟 4𝑟5𝑟6
0
1
𝑟6𝑟5
𝑟7𝑟8
1
𝑎⊕𝑟1 𝑎⊕𝑟3
𝑎⊕𝑟6
𝑎⊕𝑟7
MAP
Reveal
𝑎⊕𝑟 7⊕𝑡7𝑎⊕ 𝑡7
Oblivious SN Evaluation
• One OT per switcho O(mlog m) OTs total
• On-demando All OTs done offlineo Only Xoring online
• Practical when using OT extension
• Constant round
Oblivious Mapping CTH Functionality
• GMW or Arithmetic Circuitso Inputs to mapping are ADDITIVE- or XOR-sharedo (MAP) Each party runs an oblivious mapping with
• uses his vector of shares as input• uses his mapping and blinding vector
o (Reveal) Each party obtains his blinded “mapped” vector of shares
o maps his own vector of shares and XOR/SUBTRACTs s to adjust values.
• Yao’s Protocolo Slightly more involved due to “weird sharing”
mechanism
Summary of Results• First Multiparty PFE with linear complexity
o GMW + HE-Based oblivious mapping
• First Arithmetic PFE with linear complexityo [CDN 01] + HE-based oblivious mapping
• More efficient two-party PFE with linear complexityo Yao + HE-based oblivious mappingo Subsumes and improves construction of [KM’11]
• More practical PFEo Yao/GMW + OT-based oblivious mapping + OT extension
Future Work
Other Security Notions
• Security against stronger adversarieso Covert, maliciouso Can we still achieve linear complexity?
• PFE in the information theoretic settingo Our OT-based solution seems generalizable to IT settingo But linear PFE is open
• Can we hide circuit size without using FHE?o or use FHE in a limited way, or use somewhat FHE?
Round Complexity of PFE
• Can we do PFE non-interactively?o Our Yao-based protocol requires at least 3 messageso SFE can be done in two messages
• Can we achieve constant round multiparty PFE with linear complexity?o We only know it for two-party case
• Can we achieve constant round arithmetic PFE?o Without switching to a Boolean circuit
PFE for Practice• PFE with good concrete + asymptotic
efficiencyo E.g. designing OT-based oblivious mapping with linear
complexity• Can PFE help improve efficiency of SFE?
o Idea: • One party embeds his input in the circuit• Shrinks the circuit significantly• Circuit structure leaks information • We use PFE to hide the structure
• PFE for RAM programs
Thank you!
