Private Function Evaluation
Transcript of Private Function Evaluation
Payman Mohassel University of Calgary
Talks given at Bristol and Aarhus Universities
Joint work with Saeed Sadeghian
Secure Function Evaluation
• Parties $P_1, \dots, P_n$ hold inputs $x_1, \dots, x_n$ and learn $f(x_1, \dots, x_n)$
[figure: five parties $P_1, \dots, P_5$ with inputs $x_1, \dots, x_5$ around the function $f$]
• Correctness: honest parties learn the correct output
• Privacy: nothing but the final output is leaked
Private vs. Secure Function Evaluation
[figure: SFE computes $f(x_1, \dots, x_n)$ with $f$ public; PFE computes $f(x_1, \dots, x_n)$ with $f$ known to one party only]
Our Setup
• Function $f(x_1, \dots, x_n)$
  o Boolean circuits
  o Arithmetic circuits
• Settings we consider
  o Two-party
  o Multiparty
• Dishonest majority
• Semi-honest adversaries
Motivation
• Why hide the function?
  o Private functions: proprietary, intellectual property
  o Sensitive functions: revealing the function reveals vulnerabilities
  o The output of SFE leaks information; hiding the function potentially helps (prevents dictionary attacks on the input)
• Interactive program obfuscation
  o If interaction is possible, PFE yields efficient program obfuscation
Is PFE Hard?
• Not really!
• All SFE feasibility results extend to PFE
  o Using universal circuits
• The only interesting questions are efficiency questions
Universal Circuits
[figure: a universal circuit takes the description of $C$ together with the input $x$ and outputs $C(x)$]
• Boolean
  o For a circuit $C$ with $g$ gates
  o [Valiant'76]: good for large circuits; building it seems complicated
  o [KS'08]: good for small circuits
• Arithmetic
  o For a circuit $C$ with $g$ gates and depth $d$
  o [Raz'08]: size depends on both $g$ and $d$, i.e. far from linear in the worst case
PFE Constructions
• Two-party setting
  o Universal circuit + Yao's protocol: symmetric ops + OTs
  o [KM'11]: homomorphic encryption + Yao's protocol: public-key ops + symmetric ops
• Multiparty setting
  o Universal circuit + GMW protocol: OTs
• Arithmetic circuits
  o Universal circuit + HE-based MPC [CDN'01]: public-key ops
Efficiency Questions
• Asymptotic efficiency
  o Can we design PFE with linear complexity in all standard settings?
• Practical efficiency
  o Constant factors are important
  o Symmetric ops superior to public-key ops
  o …
  o Can we improve the practical efficiency of the universal circuit approach?
Our Framework
Hiding the Circuit
• What is leaked
  o Number of gates
  o Input size
  o Output size
• What is private
  o Functionality of the gates
  o Topology of the circuit
• One can hide the circuit size using an FHE-based construction
Private Gate Evaluation (PGE)
• Inputs $x$, $y$ are shared between the parties
• Gate function $g$
  o known only to the party holding the function
• Output $z = g(x, y)$ is shared: the parties end up with shares $z_1$, $z_2$
[figure: gate $g(x, y)$ with shared inputs and shared output $z_1$, $z_2$]
• The actual sharing mechanism depends on the protocol
Circuit Topology
• Topology captured using a mapping $\pi_C$
[figure: a circuit with gate-input wires $i_1, \dots, i_{10}$ and value-carrying wires $o_1, \dots, o_6$ (circuit inputs and gate outputs); $\pi_C$ records which $o_j$ feeds each gate-input wire $i_k$, and since one $o_j$ can feed several gates the mapping is not a permutation]
CTH Functionality
• Inputs are shared: $x = x_1 \oplus x_2$, $y = y_1 \oplus y_2$
• Mapping $\pi_C$ known by only one party
• Outputs are shared: after the mapping $x'_1 \oplus x'_2 = x$, $y'_1 \oplus y'_2 = y$
• Query types
  o Map: done internally
  o Reveal: reveal the result of the map
  o On-demand mapping
PGE + CTH
[figure: the circuit from the previous slide is evaluated gate by gate in topological order; every gate is one PGE call, and between gates CTH Map/Reveal queries route the shared values $o_j$ to the gate-input wires $i_k$]
Instantiating PGE
PGE for GMW
• Shares: $x = x_1 \oplus x_2$, $y = y_1 \oplus y_2$; $P_1$ knows $g$ and $(x_1, y_1)$, $P_2$ knows $(x_2, y_2)$
• $P_1$ picks a random output share $z_1$ and builds the table of $g$, one row per possible $(x_2, y_2)$, with every entry masked by $z_1$:

  x  y  | g(x, y)
  0  0  | g(0, 0)
  0  1  | g(0, 1)
  1  0  | g(1, 0)
  1  1  | g(1, 1)

• $P_2$ obtains its share $z_2$ with a 1-out-of-4 OT, using $(x_2, y_2)$ as its choice; then $z_1 \oplus z_2 = g(x, y)$
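Added example, not part of the slides or the authors' code: a Python simulation of the 1-out-of-4-OT gate evaluation above. The OT is an ideal functionality (a stand-in for a real OT protocol), a gate is represented by its 4-bit truth table (an encoding chosen for this example), and the check exhausts all 16 two-input gates, all inputs and all sharings of the inputs.

```python
"""Private gate evaluation for GMW with one 1-out-of-4 OT per gate.

P1 knows the gate g and its XOR shares (x1, y1); P2 knows only its shares
(x2, y2). Afterwards z1 ^ z2 == g(x, y). P2 learns nothing about g because
every table entry is masked with P1's fresh random output share z1, and P1
learns nothing about (x2, y2) because the OT hides the receiver's choice.
The OT is an ideal functionality standing in for a real OT protocol.
"""
import secrets


def ideal_ot_1of4(messages, choice):
    # Receiver learns exactly messages[choice]; sender learns nothing about choice.
    return messages[choice]


def gate_from_truth_table(tt):
    """Gate g(x, y) = bit (2*x + y) of the 4-bit truth table tt (this example's encoding)."""
    return lambda x, y: (tt >> (2 * x + y)) & 1


NAND = gate_from_truth_table(0b0111)   # g(1,1) = 0, all other inputs give 1
AND = gate_from_truth_table(0b1000)


def pge_gmw_sender(g, x1, y1):
    """P1: choose output share z1, build the masked table indexed by P2's (x2, y2)."""
    z1 = secrets.randbelow(2)
    table = [g(x1 ^ x2, y1 ^ y2) ^ z1 for x2 in (0, 1) for y2 in (0, 1)]
    return z1, table


def pge_gmw(g, x1, y1, x2, y2):
    """Run one gate. Returns (z1, z2): P1's and P2's XOR shares of g(x, y)."""
    z1, table = pge_gmw_sender(g, x1, y1)
    z2 = ideal_ot_1of4(table, 2 * x2 + y2)   # P2 is the OT receiver
    return z1, z2


def reconstruct(z1, z2):
    return z1 ^ z2


def check_all_gates():
    """Exhaustive check: every gate, every input pair, every sharing of the inputs."""
    for tt in range(16):
        g = gate_from_truth_table(tt)
        for x in (0, 1):
            for y in (0, 1):
                for x1 in (0, 1):
                    for y1 in (0, 1):
                        z1, z2 = pge_gmw(g, x1, y1, x1 ^ x, y1 ^ y)
                        if reconstruct(z1, z2) != g(x, y):
                            return False
    return True


if __name__ == "__main__":
    print("all 16 gates correct:", check_all_gates())
```

The only value $P_2$ ever sees is one table entry $g(x_1 \oplus x_2, y_1 \oplus y_2) \oplus z_1$, which is uniformly random because $z_1$ is; the three other rows are hidden by the OT. That is why the same code works unchanged for all 16 gates, including the NAND-only case used later for garbled circuits.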
PGE for Arithmetic Circuits
• $\mathrm{Enc}$ is an additively homomorphic encryption
• $P_1$ holds shares $a_1, b_1$ and $pk$; $P_2$ holds shares $a_2, b_2$, $pk$ and $sk$
• $P_2 \to P_1$: $\mathrm{Enc}_{pk}(a_2)$, $\mathrm{Enc}_{pk}(b_2)$, $\mathrm{Enc}_{pk}(a_2 b_2)$
• If $g$ is an addition gate: $P_1$ picks a random $r$, sets $c_1 = a_1 + b_1 - r$ and sends $C = \mathrm{Enc}_{pk}(a_2 + b_2 + r)$
• If $g$ is a multiplication gate: $P_1$ picks $c_1 \leftarrow \mathbf{F}$ at random and sends $C = \mathrm{Enc}_{pk}(a_1 b_1 + a_2 b_1 + a_1 b_2 + a_2 b_2 - c_1)$, computed homomorphically from the received ciphertexts
• $P_2$ computes $c_2 \leftarrow \mathrm{Dec}_{sk}(C)$; in both cases $c_1 + c_2 = g(a, b)$, and $P_2$ receives a single ciphertext either way, so the gate type stays hidden
PGE for Garbled Circuits
• We kind of cheat! We assume all gates are NAND gates
• Sharing associated with Yao
  o To share a value, the garbler holds the wire's two labels and the evaluator holds the label of the actual value
• The garbler sends a garbled table to the evaluator, who decrypts one row of the table
Instantiating CTH
Oblivious Mapping
• Assume the inputs are ready
• $P_1$ holds the mapping $\pi$ and a blinding vector $(t_1, \dots, t_m)$; $P_2$ holds the vector $(a_1, \dots, a_n)$
• $P_2$ obtains $(a_{\pi^{-1}(1)} \oplus t_1,\ a_{\pi^{-1}(2)} \oplus t_2,\ \dots,\ a_{\pi^{-1}(m)} \oplus t_m)$
[figure: example with $n = 6$, $m = 9$: $a_1 \mapsto a_1 \oplus t_1,\ a_1 \oplus t_5$; $a_2 \mapsto a_2 \oplus t_2$; $a_3 \mapsto a_3 \oplus t_3$; $a_4 \mapsto a_4 \oplus t_4$; $a_5 \mapsto a_5 \oplus t_6,\ a_5 \oplus t_7$; $a_6 \mapsto a_6 \oplus t_8,\ a_6 \oplus t_9$]
Oblivious Mapping
• Using any MPC
  o Inefficient
  o Not clear it has the on-demand property
  o [HEK'12] implements a Waksman network using Yao's protocol
• Using singly homomorphic encryption
  o Linear complexity
  o Requires public-key operations
• Using oblivious transfer
  o Not linear
  o But better concrete efficiency (OT extension)
HE-based
• $P_2$ holds $(pk, sk)$ and $(a_1, \dots, a_n)$; $P_1$ holds $\pi$ and $(t_1, \dots, t_m)$
• $P_2 \to P_1$: $\mathrm{Enc}_{pk}(a_1), \mathrm{Enc}_{pk}(a_2), \dots, \mathrm{Enc}_{pk}(a_n)$
• $P_1 \to P_2$: $\mathrm{Enc}_{pk}(a_{\pi^{-1}(1)} \oplus t_1), \mathrm{Enc}_{pk}(a_{\pi^{-1}(2)} \oplus t_2), \dots, \mathrm{Enc}_{pk}(a_{\pi^{-1}(m)} \oplus t_m)$, computed homomorphically from the received ciphertexts
• $P_2$ decrypts and obtains the blinded mapped vector
• Easy to make on-demand
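Added worked example, not from the slides or the authors' implementation, serving both the "PGE for Arithmetic Circuits" slide and the HE-based oblivious mapping above. It instantiates the additively homomorphic encryption with a toy Paillier scheme (an assumption: the slides do not name the scheme), so the plaintext space is the ring $\mathbb{Z}_N$ rather than a field and the mapping blinds additive shares by addition, as the CTH slide's "XOR/subtract" allows. The primes, share values, gate inputs, mapping and blinding vector are constructed for illustration; the primes are far too small for real use.

```python
"""Paillier as the additively homomorphic encryption behind arithmetic PGE
and the HE-based oblivious mapping.

Roles as on the slides: P2 holds (pk, sk) and its additive shares; P1 holds
the gate types / the mapping pi and the blinding vector t.
Toy parameters: two known primes, for illustration only.
"""
import secrets
from math import gcd

P, Q = 104723, 104729                  # assumption of this example: small fixed primes
N, N2 = P * Q, (P * Q) ** 2
LAMBDA = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)


def _L(u):
    return (u - 1) // N


MU = pow(_L(pow(N + 1, LAMBDA, N2)), -1, N)     # generator g = N + 1


def enc(m):
    r = secrets.randbelow(N - 1) + 1
    while gcd(r, N) != 1:                       # r must be a unit mod N
        r = secrets.randbelow(N - 1) + 1
    return pow(N + 1, m % N, N2) * pow(r, N, N2) % N2


def dec(c):
    return _L(pow(c, LAMBDA, N2)) * MU % N


def add(c1, c2):
    return c1 * c2 % N2                         # Enc(m1) * Enc(m2) = Enc(m1 + m2)


def scale(c, k):
    return pow(c, k % N, N2)                    # Enc(m)^k = Enc(k * m)


# --- PGE for one arithmetic gate: P1 always sends exactly one ciphertext ---
def pge_p2_setup(a2, b2):
    """P2 -> P1: encryptions of its shares and of their product."""
    return enc(a2), enc(b2), enc(a2 * b2)


def pge_p1(kind, a1, b1, E_a2, E_b2, E_a2b2):
    """P1's step. Returns (c1, C): P1's output share and the ciphertext sent to P2."""
    if kind == "add":
        r = secrets.randbelow(N)
        c1 = (a1 + b1 - r) % N
        C = add(add(E_a2, E_b2), enc(r))                      # Enc(a2 + b2 + r)
    elif kind == "mul":
        c1 = secrets.randbelow(N)                             # c1 <- random
        C = add(add(scale(E_a2, b1), scale(E_b2, a1)),        # Enc(a2 b1 + a1 b2)
                add(E_a2b2, enc((a1 * b1 - c1) % N)))         # + Enc(a2 b2 + a1 b1 - c1)
    else:
        raise ValueError(kind)
    return c1, C


def pge_ac(kind, a1, b1, a2, b2):
    """Run the gate end to end. Returns (c1, c2) with c1 + c2 = g(a, b) mod N."""
    c1, C = pge_p1(kind, a1, b1, *pge_p2_setup(a2, b2))
    return c1, dec(C)                                         # P2: c2 <- Dec(C)


def reconstruct(s1, s2):
    return (s1 + s2) % N


# --- HE-based oblivious mapping of additive shares (Map followed by Reveal) ---
def oblivious_map_he(x1, x2, pi_inv, t):
    """x1: P1's shares, x2: P2's shares, pi_inv[i] = 0-based source wire of output i,
    t: P1's blinding vector. Returns (P1's new shares, P2's new shares)."""
    E = [enc(v) for v in x2]                                          # P2 -> P1
    reply = [add(E[src], enc(ti)) for src, ti in zip(pi_inv, t)]     # P1: Enc(x2[src] + t_i)
    new_x2 = [dec(c) for c in reply]                                  # P2 decrypts
    new_x1 = [(x1[src] - ti) % N for src, ti in zip(pi_inv, t)]      # P1 adjusts locally
    return new_x1, new_x2


if __name__ == "__main__":
    print("17 * 5 =", reconstruct(*pge_ac("mul", 3, 2, 14, 3)))
    print("17 + 5 =", reconstruct(*pge_ac("add", 3, 2, 14, 3)))
```

Multiplying `E[src]` by a fresh `enc(ti)` re-randomises the ciphertext, so a wire with fan-out (the same `src` appearing twice in `pi_inv`) does not let $P_2$ link the two copies; the blinding is what makes the mapping private, since $P_2$ would otherwise recover $\pi$ from its own values.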
Permutation Networks
[figure: a switch on inputs $(a, b)$ outputs $(b, a)$ for selection bit 1 and $(a, b)$ for selection bit 0; switches are arranged in layers]
• [Waksman'68]: any permutation of $m$ elements can be implemented using a permutation network of $m \log m - m + 1$ switches
• The permutation is determined using the selection bits of the switches
Switching Networks
• Our mapping is not a permutation (a value may be needed on several outputs)
• Need one more switch type
[figure: the permutation switch outputs $(b, a)$ for selection bit 1 and $(a, b)$ for 0; the new switch outputs $(a, a)$ for selection bit 1 and $(a, b)$ for 0]
Mapping from a Switching Network
• Input $(a_1, a_2, \dots, a_n)$, padded with dummies $(d, d, \dots, d)$ to $m$ wires
• Stage 1, Waksman network: permute so that each $a_i$ is followed by as many dummy slots as it has extra copies, e.g. $(a_1, d, d, a_2, d, a_3, a_4, \dots, d, a_n)$
• Stage 2, one layer of the new switch type: a switch with selection bit 1 copies $a_i$ into the dummy slot next to it, so a chain of such switches yields $a_1, a_1, a_1, \dots$; with selection bit 0 the values pass through
• Stage 3, Waksman network: permute the copies to their final positions
• Total size: $(m \log m - m + 1) + m + (m \log m - m + 1)$ switches
Oblivious Switch 1 (permutation switch)
• $P_1$ holds the values $a, b$ and the blinders $r_1, r_2$ (inputs) and $r_3, r_4$ (outputs); $P_2$ holds the selection bit $s$ and the blinded inputs $a \oplus r_1,\ b \oplus r_2$
• 1-out-of-2 OT with $P_2$'s choice $s$: $P_2$ receives $(r_1 \oplus r_3,\ r_2 \oplus r_4)$ for $s = 0$ and $(r_2 \oplus r_3,\ r_1 \oplus r_4)$ for $s = 1$
• $s = 0$: $(a \oplus r_1) \oplus (r_1 \oplus r_3) = a \oplus r_3$, $(b \oplus r_2) \oplus (r_2 \oplus r_4) = b \oplus r_4$
• $s = 1$: $(b \oplus r_2) \oplus (r_2 \oplus r_3) = b \oplus r_3$, $(a \oplus r_1) \oplus (r_1 \oplus r_4) = a \oplus r_4$
Oblivious Switch 2 (duplication switch)
• Same setup: $P_1$ holds $a, b$ and the blinders $r_1, r_2, r_3, r_4$; $P_2$ holds $s$ and $a \oplus r_1,\ b \oplus r_2$
• 1-out-of-2 OT with $P_2$'s choice $s$: $P_2$ receives $(r_1 \oplus r_3,\ r_2 \oplus r_4)$ for $s = 0$ and $(r_1 \oplus r_3,\ r_1 \oplus r_4)$ for $s = 1$
• $s = 0$: $(a \oplus r_1) \oplus (r_1 \oplus r_3) = a \oplus r_3$, $(b \oplus r_2) \oplus (r_2 \oplus r_4) = b \oplus r_4$
• $s = 1$: $(a \oplus r_1) \oplus (r_1 \oplus r_3) = a \oplus r_3$, $(a \oplus r_1) \oplus (r_1 \oplus r_4) = a \oplus r_4$
Oblivious SN Evaluation
[figure: a value $a$ travels through the network as $a \oplus r_1 \to a \oplus r_3 \to a \oplus r_6 \to a \oplus r_7$, re-blinded at every switch (MAP); at the end (Reveal) $P_2$, who holds the selection bits, turns $a \oplus r_7$ into $a \oplus r_7 \oplus t_7$ and $P_1$ strips $r_7$, leaving $a \oplus t_7$]
• One OT per switch
  o $O(m \log m)$ OTs in total
• On-demand
  o All OTs done offline (they depend only on the blinders and the selection bits, not on the values)
  o Only XORing online
• Practical when using OT extension
• Constant round
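Added example for the three slides above (Oblivious Switch 1, Oblivious Switch 2 and Oblivious SN Evaluation); it is not from the slides or the authors' code. It is a Python simulation with the OT as an ideal functionality, $P_1$ holding values and blinders and $P_2$ holding selection bits, as in the switch figures. The network (four wires, a permutation stage, a duplication stage and a permutation stage, following "Mapping from a Switching Network"), the 8-bit wire values and the selection bits are constructed for the example; a real deployment would generate the network and its selection bits from the circuit's mapping $\pi_C$.

```python
"""Oblivious evaluation of a switching network with one 1-out-of-2 OT per switch.

Roles as in the switch figures: P1 holds the wire values and picks a fresh random
blinder for every switch output; P2 holds the selection bit of every switch and
only ever sees blinded values. The OT messages depend on (blinders, selection
bits) only, so all OTs run offline; online P1 sends the blinded inputs once and
P2 just XORs. The OT is an ideal functionality standing in for real OT/OT extension.
Wire values are 8-bit integers (constructed sample data).
"""
import secrets

PERM = "perm"   # s=0: (a,b)->(a,b)   s=1: (a,b)->(b,a)
DUP = "dup"     # s=0: (a,b)->(a,b)   s=1: (a,b)->(a,a)


def ideal_ot_1of2(m0, m1, s):
    return m1 if s else m0


def p1_offline(network, m, rnd=lambda: secrets.randbelow(256)):
    """P1: blinder per wire and per switch output, plus the OT sender messages.
    network: list of (kind, top_wire, bot_wire); m: number of wires."""
    r = [rnd() for _ in range(m)]                 # current blinder on every wire
    r_in, ot_msgs = list(r), []
    for kind, top, bot in network:
        r3, r4 = rnd(), rnd()
        m0 = (r[top] ^ r3, r[bot] ^ r4)                                   # pass through
        m1 = (r[bot] ^ r3, r[top] ^ r4) if kind == PERM else (r[top] ^ r3, r[top] ^ r4)
        ot_msgs.append((m0, m1))
        r[top], r[bot] = r3, r4
    return r_in, r, ot_msgs                       # input blinders, output blinders, OT inputs


def p2_offline(ot_msgs, sel):
    """P2: one OT per switch, learning only the correction pair for its own bit."""
    return [ideal_ot_1of2(m0, m1, s) for (m0, m1), s in zip(ot_msgs, sel)]


def p2_online(network, blinded_in, deltas, sel):
    """P2: apply each switch by XORing its correction onto the right blinded input."""
    w = list(blinded_in)
    for (kind, top, bot), (d_top, d_bot), s in zip(network, deltas, sel):
        a, b = w[top], w[bot]                     # a ^ r1, b ^ r2
        if s == 0:
            src_top, src_bot = a, b
        elif kind == PERM:
            src_top, src_bot = b, a
        else:
            src_top, src_bot = a, a
        w[top], w[bot] = src_top ^ d_top, src_bot ^ d_bot   # now blinded with r3, r4
    return w


def oblivious_map(network, m, values, sel):
    """Full MAP. Returns (P1's output blinders, P2's blinded outputs)."""
    r_in, r_out, ot_msgs = p1_offline(network, m)
    deltas = p2_offline(ot_msgs, sel)                       # offline: all the OTs
    blinded_in = [v ^ ri for v, ri in zip(values, r_in)]   # online: one message from P1
    return r_out, p2_online(network, blinded_in, deltas, sel)


def reveal(blinded_out, r_out, t):
    """Reveal: P2 sends a^r^t; P1 strips r and ends with a^t while P2 keeps t."""
    msg = [b ^ ti for b, ti in zip(blinded_out, t)]        # P2 -> P1
    return [c ^ ri for c, ri in zip(msg, r_out)]           # P1's result: a ^ t


def plain_eval(network, values, sel):
    """Reference evaluation in the clear, used only to check the protocol."""
    w = list(values)
    for (kind, top, bot), s in zip(network, sel):
        if s and kind == PERM:
            w[top], w[bot] = w[bot], w[top]
        elif s:
            w[bot] = w[top]
    return w


# Hand-built network on m = 4 wires (a1, a2, a3 and one dummy d): permutation stage,
# duplication stage, permutation stage. With all selection bits 1 it maps
# (a1, a2, a3, d) -> (a1, a2, a1, a3); with all bits 0 it is the identity.
NETWORK = [(PERM, 2, 3), (PERM, 1, 2), (DUP, 0, 1), (PERM, 1, 2)]


def demo(values=(0x11, 0x22, 0x33, 0x00), sel=(1, 1, 1, 1)):
    """Returns the mapped vector reconstructed from both parties' outputs."""
    r_out, blinded_out = oblivious_map(NETWORK, 4, list(values), list(sel))
    result = [b ^ r for b, r in zip(blinded_out, r_out)]
    assert result == plain_eval(NETWORK, list(values), list(sel))
    return result


if __name__ == "__main__":
    print(demo())
```

Everything $P_2$ receives is a blinded value or an XOR of two blinders, so its view is uniformly random for any input vector; $P_1$ never sees the selection bits and so learns nothing about the mapping. Switching to a real OT only changes `ideal_ot_1of2`, and because `p1_offline`/`p2_offline` never touch `values`, they can run before the inputs exist, which is the on-demand property the slide refers to.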
Oblivious Mapping ⇒ CTH Functionality
• GMW or arithmetic circuits
  o Inputs to the mapping are XOR- or additively shared
  o (Map) The circuit holder runs an oblivious mapping with each other party: that party uses his vector of shares as input, the circuit holder uses his mapping and a blinding vector
  o (Reveal) Each party obtains his blinded "mapped" vector of shares
  o The circuit holder maps his own vector of shares and XORs/subtracts the blinding values to adjust them
• Yao's protocol
  o Slightly more involved due to the "weird sharing" mechanism
Summary of Results
• First multiparty PFE with linear complexity
  o GMW + HE-based oblivious mapping
• First arithmetic PFE with linear complexity
  o [CDN'01] + HE-based oblivious mapping
• More efficient two-party PFE with linear complexity
  o Yao + HE-based oblivious mapping
  o Subsumes and improves the construction of [KM'11]
• More practical PFE
  o Yao/GMW + OT-based oblivious mapping + OT extension
Future Work
Other Security Notions
• Security against stronger adversaries
  o Covert, malicious
  o Can we still achieve linear complexity?
• PFE in the information-theoretic setting
  o Our OT-based solution seems generalizable to the IT setting
  o But linear PFE is open
• Can we hide the circuit size without using FHE?
  o Or use FHE in a limited way, or use somewhat-homomorphic encryption?
Round Complexity of PFE
• Can we do PFE non-interactively?
  o Our Yao-based protocol requires at least 3 messages
  o SFE can be done in two messages
• Can we achieve constant-round multiparty PFE with linear complexity?
  o We only know it for the two-party case
• Can we achieve constant-round arithmetic PFE?
  o Without switching to a Boolean circuit
PFE for Practice
• PFE with good concrete + asymptotic efficiency
  o E.g. designing an OT-based oblivious mapping with linear complexity
• Can PFE help improve the efficiency of SFE?
  o Idea: one party embeds his input in the circuit, which shrinks the circuit significantly; the circuit structure then leaks information, so we use PFE to hide the structure
• PFE for RAM programs
Thank you!