Private Function Evaluation

Payman Mohassel University of Calgary

Talks given at Bristol and Aarhus Universities

Joint work with Saeed Sadeghian

2

Secure Function Evaluation

Parties learn f(x1,…,xn)

P1, x1

P2, x2

P5, x5

P4, x4

P3, x3

Correctness:honest parties learn the correct output

Privacy:Nothing but the final output is leaked

Private vs. Secure Function Evaluation

𝒇 (𝒙𝟏 ,…, 𝒙𝒏)

𝒇 (𝒙𝟏 ,…, 𝒙𝒏)

Our Setup

𝒇 (𝒙𝟏 ,…, 𝒙𝒏)

• Function o Boolean circuitso Arithmetic circuits

• Settings we considero Two-partyo Multiparty

• Dishonest majority• Semi-honest

adversaries

Motivation• Why Hide the Function?

o Private functions• Proprietary, intellectual property

o Sensitive functions• Revealing vulnerabilities

o Output of SFE leaks information• Hiding the function potentially helps• Prevents dictionary attacks on input

• Interactive program obfuscationo If interaction is possible PFE yields efficient program

obfuscation

Is PFE Hard?• Not really!

• All SFE feasibility results extend to PFEo Using Universal Circuits

• The only interesting questions are efficiency questions

Universal CircuitsC Universal Circuit

x

C(x)

Universal Circuits• Boolean

o For a circuit C with g gateso [Valiant’ 76]: (good for large circuits)

• Building it seems complicatedo [KS’ 08]: (good for small circuits )

• Arithmetico For a circuit C with g gates and depth d o [Raz’ 08]: gates, i.e. in the worst case

PFE Constructions• Two-party setting

o Universal Circuit + Yao’s protocol• or symmetric ops + OTs

o [KM’ 11]: Homomorphic Enc + Yao’s protocol • public-key ops + symmetric ops

• Multi-party settingo Universal Circuit + GMW protocol

• OTs

• Arithmetic circuitso Universal Circuit + HE-based MPC [CDN’ 01]o public-key ops

Efficiency Questions• Asymptotic Efficiency

o Can we design PFE with linear complexity in all standard settings?

• Practical Efficiencyo Constant factors are importanto Symmetric ops superior to public-key opso …o Can we improve practical efficiency of universal

circuit approach?

Our Framework

Hiding the Circuit• What is leaked

o Number of gateso Input sizeo Output size

• What is privateo Functionality of gateso Topology of the circuit

One can hide circuit size using an FHE-based construction

Private Gate Evaluation

• Inputs are shared

o

• Gate function

o Known only to

• Output is shared

𝒈 (𝒙 , 𝒚 )

𝑧1 𝑧 2

Actual sharing mechanism depends on the protocol

Circuit Topology• Topology captured using a mapping 𝑖1

𝑖2𝑖3𝑖4

𝑖5𝑖6𝑖7𝑖8

𝑖9𝑖10

𝑜1𝑜2

𝑜3𝑜4 𝑜6

𝑜5

𝑖1𝑖2𝑖3𝑖4𝑖5𝑖6𝑖7𝑖8𝑖9𝑖10

𝝅𝑪

CTH Functionality

• Inputs are shared

• Mappingo known by only

• Outputs are shared

• Query typeso Map: done internallyo Reveal: reveal result of mapo On-demand mapping

𝑥=𝑥1⊕𝑥2𝑥 ′ ′ 1⊕𝑥 ′ ′2=𝑥

𝑦=𝑦1⊕ 𝑦2𝑦 ′ 1⊕ 𝑦 ′2=𝑦

Map

Reveal

𝝅𝑪𝑥 ′ 1⊕𝑥 ′2=𝑥

PGE + CTH𝑖1𝑖2𝑖3𝑖4

𝑖5𝑖6𝑖7𝑖8

𝑖9𝑖10

𝑜1𝑜2

𝑜3𝑜4 𝑜6

𝑜5CTH

PGE

PGE

PGE

PGE

PGE

Topological order𝑜5

𝑜5

𝑜6

𝑜6

𝟏

𝟐

𝟕

𝟑

𝑜1

𝑜2

𝑜3

𝑜4 𝟒

𝟓𝟔

𝟖

𝟗𝟏𝟎

𝟏𝟏

𝟏𝟐

𝟏𝟑𝟏𝟒

𝟏𝟓

𝟏𝟖𝟏𝟔𝟏𝟕𝟏𝟗𝟐𝟎

𝟐𝟏

RevealMap

Instantiating PGE

PGE for GMW

g x y z0 0 g(0,0

)0 1 g(0,1

)1 0 g(1,0

)1 1 g(1,1

)

𝒈 (𝒙 , 𝒚 )

𝑧1 𝑧 2

g0 00 11 01 1

𝑃1 𝑃2

𝑥2 , 𝑦 21-out-of-4 OT

PGE for AC

• is an additively homomrphic encryption

𝑃1

𝑎1 ,𝑏1 ,𝑝𝑘 𝑃2𝑎2 ,𝑏2 ,𝑝𝑘 ,𝑠𝑘𝐸𝑛𝑐𝑝𝑘 (𝑎2 ) ,𝐸𝑛𝑐𝑝𝑘 (𝑏2 ) ,𝐸𝑛𝑐𝑝𝑘(𝑎2𝑏2)

(If )

(If )

𝐶=𝐸𝑛𝑐𝑝𝑘(𝑎2+𝑏2+𝑟 )

𝑐2←𝐷𝑒𝑐𝑠𝑘(𝐶)

𝑐1←𝐅 𝐶=𝐸𝑛𝑐𝑝𝑘(𝑎1𝑏1+𝑎2𝑏1+𝑎1𝑏2+𝑎2𝑏2−𝑐1)

PGE for Garbled Circuit

• We kind of cheat!o We assume all gates are NAND gates

• Sharing associated with Yaoo To share a value o holds ( o holds

• sends a garbled table to • decrypts one row of the table

Instantiating CTH

Oblivious Mapping• Assume inputs are ready Oblivious mapping

𝝅𝑪

𝑃1

π

𝑃2(𝑡1𝑡2...𝑡𝑚

)(𝑎𝜋− 1 (1 )⊕𝑡1𝑎𝜋− 1 (2 )⊕𝑡 2

.

.

.𝑎𝜋−1 (𝑚 )⊕𝑡𝑚❑

)(𝑎1𝑎2...𝑎𝑛

)𝑎1

𝑎2

𝑎3

𝑎4𝑎5𝑎6

𝑎1⊕𝑡 1

𝑎1⊕𝑡 5

𝑎2⊕𝑡 2𝑎3⊕𝑡3

𝑎4⊕𝑡 4

𝑎5⊕𝑡6𝑎5⊕𝑡7

𝑎6⊕𝑡 9𝑎6⊕𝑡8

Oblivious Mapping• Using any MPC

o inefficiento Not clear it has the on-demand propertyo [HEK’12] implements Waksman using Yao’s protocol

• Using singly HE o Linear complexityo Requires public-key operations

• Using oblivious transfero Not linearo But better concrete efficiency (OT extension)

HE-based

𝑃1 𝑃2

𝐸𝑛𝑐𝑝𝑘(𝑎1)𝐸𝑛𝑐𝑝𝑘(𝑎2)

𝐸𝑛𝑐𝑝𝑘(𝑎𝑛)

𝐸𝑛𝑐𝑝𝑘(𝑎¿¿𝜋− 1 (1 )⊕𝑡¿¿1)¿𝐸𝑛𝑐𝑝𝑘(𝑎𝜋− 1 (2 )⊕𝑡¿¿2)¿ .¿ ..

𝐸𝑛𝑐𝑝𝑘(𝑎¿¿𝜋−1 (𝑚 )⊕𝑡 ¿¿𝑚)❑¿¿

.

.

. (𝑎1𝑎2...𝑎𝑛

)(𝑡1𝑡2...𝑡𝑚

)𝝅❑

Easy to make on-demand

𝑝𝑘 ,𝑠𝑘

Permutation Networks

𝑎𝑏

1

𝑎𝑏

0𝑎𝑏

𝑎𝑏

…

…

…

…

[Waksman’ 68]: any permutation can be implemented using a permutation network of size

The permutation is determined using selection bits

Permutation NetworkSwitchesselection bit

Switching Networks• Our mapping is not a permutation

• Need one more switch type

𝑎𝑏

1

𝑎𝑏

0𝑎𝑏

𝑎𝑏 𝑎

𝑏

1

𝑎𝑏

0𝑎𝑏

𝑎𝑎

Mapping from SN

Waksman network

Waksman network

𝑎1𝑎2...𝑎𝑛

𝑑𝑑...𝑑

𝑎1𝑑𝑑𝑎2𝑑𝑎3𝑎4...𝑑𝑎𝑛

1𝑎1𝑎1 1

𝑎1𝑎1 0 𝑎1

.

.

.

m 𝑙𝑜𝑔𝑚−𝑚+1+𝑚+𝑚𝑙𝑜𝑔𝑚−𝑚+1

Oblivious Switch 1

𝑟1𝑟2

𝑟3𝑟 4

𝑃1

𝑎 ,𝑏𝑃2

𝑠

¿ 𝑠1-out-of-2 OT

𝑎⊕𝑟1 ,𝑏⊕𝑟 2𝑠=0→ (𝑎⊕𝑟1)⊕ (𝑟1⊕𝑟 3 )=𝒂⊕𝒓 𝟑

(𝑏⊕𝑟 2)⊕ (𝑟 2⊕𝑟 4 )=𝒃⊕𝒓 𝟒

𝑠=1→(𝑏⊕𝑟2)⊕ (𝑟 2⊕𝑟 3 )=𝒃⊕𝒓𝟑

(𝑎⊕𝑟 1)⊕ (𝑟1⊕𝑟4 )=𝒂⊕𝒓 𝟒

Oblivious Switch 2

𝑟1𝑟2

𝑟3𝑟 4

𝑃1

𝑎 ,𝑏𝑃2

𝑠

¿ 𝑠1-out-of-2 OT

𝑎⊕𝑟1 ,𝑏⊕𝑟 2𝑠=0→ (𝑎⊕𝑟1)⊕ (𝑟1⊕𝑟 3 )=𝒂⊕𝒓 𝟑

(𝑏⊕𝑟 2)⊕ (𝑟 2⊕𝑟 4 )=𝒃⊕𝒓 𝟒

𝑠=1→ (𝑎⊕𝑟 1)⊕ (𝑟1⊕𝑟3 )=𝒂⊕𝒓𝟑

(𝑎⊕𝑟1)⊕ (𝑟1⊕𝑟 4 )=𝒂⊕𝒓𝟒

Oblivious SN Evaluation

𝑟1𝑟2

𝑟3𝑟 4 𝑟3

𝑟 4𝑟5𝑟6

0

1

𝑟6𝑟5

𝑟7𝑟8

1

𝑎⊕𝑟1 𝑎⊕𝑟3

𝑎⊕𝑟6

𝑎⊕𝑟7

MAP

Reveal

𝑎⊕𝑟 7⊕𝑡7𝑎⊕ 𝑡7

Oblivious SN Evaluation

• One OT per switcho O(mlog m) OTs total

• On-demando All OTs done offlineo Only Xoring online

• Practical when using OT extension

• Constant round

Oblivious Mapping CTH Functionality

• GMW or Arithmetic Circuitso Inputs to mapping are ADDITIVE- or XOR-sharedo (MAP) Each party runs an oblivious mapping with

• uses his vector of shares as input• uses his mapping and blinding vector

o (Reveal) Each party obtains his blinded “mapped” vector of shares

o maps his own vector of shares and XOR/SUBTRACTs s to adjust values.

• Yao’s Protocolo Slightly more involved due to “weird sharing”

mechanism

Summary of Results• First Multiparty PFE with linear complexity

o GMW + HE-Based oblivious mapping

• First Arithmetic PFE with linear complexityo [CDN 01] + HE-based oblivious mapping

• More efficient two-party PFE with linear complexityo Yao + HE-based oblivious mappingo Subsumes and improves construction of [KM’11]

• More practical PFEo Yao/GMW + OT-based oblivious mapping + OT extension

Future Work

Other Security Notions

• Security against stronger adversarieso Covert, maliciouso Can we still achieve linear complexity?

• PFE in the information theoretic settingo Our OT-based solution seems generalizable to IT settingo But linear PFE is open

• Can we hide circuit size without using FHE?o or use FHE in a limited way, or use somewhat FHE?

Round Complexity of PFE

• Can we do PFE non-interactively?o Our Yao-based protocol requires at least 3 messageso SFE can be done in two messages

• Can we achieve constant round multiparty PFE with linear complexity?o We only know it for two-party case

• Can we achieve constant round arithmetic PFE?o Without switching to a Boolean circuit

PFE for Practice• PFE with good concrete + asymptotic

efficiencyo E.g. designing OT-based oblivious mapping with linear

complexity• Can PFE help improve efficiency of SFE?

o Idea: • One party embeds his input in the circuit• Shrinks the circuit significantly• Circuit structure leaks information • We use PFE to hide the structure

• PFE for RAM programs

Thank you!