Download - Private Function Evaluation
![Page 1: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/1.jpg)
Private Function Evaluation
Payman Mohassel University of Calgary
Talks given at Bristol and Aarhus Universities
Joint work with Saeed Sadeghian
![Page 2: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/2.jpg)
2
Secure Function Evaluation
Parties learn f(x1,β¦,xn)
P1, x1
P2, x2
P5, x5
P4, x4
P3, x3
Correctness:honest parties learn the correct output
Privacy:Nothing but the final output is leaked
![Page 3: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/3.jpg)
Private vs. Secure Function Evaluation
π (ππ ,β¦, ππ)
π (ππ ,β¦, ππ)
![Page 4: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/4.jpg)
Our Setup
π (ππ ,β¦, ππ)
β’ Function o Boolean circuitso Arithmetic circuits
β’ Settings we considero Two-partyo Multiparty
β’ Dishonest majorityβ’ Semi-honest
adversaries
![Page 5: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/5.jpg)
Motivationβ’ Why Hide the Function?
o Private functionsβ’ Proprietary, intellectual property
o Sensitive functionsβ’ Revealing vulnerabilities
o Output of SFE leaks informationβ’ Hiding the function potentially helpsβ’ Prevents dictionary attacks on input
β’ Interactive program obfuscationo If interaction is possible PFE yields efficient program
obfuscation
![Page 6: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/6.jpg)
Is PFE Hard?β’ Not really!
β’ All SFE feasibility results extend to PFEo Using Universal Circuits
β’ The only interesting questions are efficiency questions
![Page 7: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/7.jpg)
Universal CircuitsC Universal Circuit
x
C(x)
![Page 8: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/8.jpg)
Universal Circuitsβ’ Boolean
o For a circuit C with g gateso [Valiantβ 76]: (good for large circuits)
β’ Building it seems complicatedo [KSβ 08]: (good for small circuits )
β’ Arithmetico For a circuit C with g gates and depth d o [Razβ 08]: gates, i.e. in the worst case
![Page 9: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/9.jpg)
PFE Constructionsβ’ Two-party setting
o Universal Circuit + Yaoβs protocolβ’ or symmetric ops + OTs
o [KMβ 11]: Homomorphic Enc + Yaoβs protocol β’ public-key ops + symmetric ops
β’ Multi-party settingo Universal Circuit + GMW protocol
β’ OTs
β’ Arithmetic circuitso Universal Circuit + HE-based MPC [CDNβ 01]o public-key ops
![Page 10: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/10.jpg)
Efficiency Questionsβ’ Asymptotic Efficiency
o Can we design PFE with linear complexity in all standard settings?
β’ Practical Efficiencyo Constant factors are importanto Symmetric ops superior to public-key opso β¦o Can we improve practical efficiency of universal
circuit approach?
![Page 11: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/11.jpg)
Our Framework
![Page 12: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/12.jpg)
Hiding the Circuitβ’ What is leaked
o Number of gateso Input sizeo Output size
β’ What is privateo Functionality of gateso Topology of the circuit
One can hide circuit size using an FHE-based construction
![Page 13: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/13.jpg)
Private Gate Evaluation
β’ Inputs are shared
o
β’ Gate function
o Known only to
β’ Output is shared
π (π , π )
π§1 π§ 2
Actual sharing mechanism depends on the protocol
![Page 14: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/14.jpg)
Circuit Topologyβ’ Topology captured using a mapping π1
π2π3π4
π5π6π7π8
π9π10
π1π2
π3π4 π6
π5
π1π2π3π4π5π6π7π8π9π10
π πͺ
![Page 15: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/15.jpg)
CTH Functionality
β’ Inputs are shared
β’ Mappingo known by only
β’ Outputs are shared
β’ Query typeso Map: done internallyo Reveal: reveal result of mapo On-demand mapping
π₯=π₯1βπ₯2π₯ β² β² 1βπ₯ β² β²2=π₯
π¦=π¦1β π¦2π¦ β² 1β π¦ β²2=π¦
Map
Reveal
π πͺπ₯ β² 1βπ₯ β²2=π₯
![Page 16: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/16.jpg)
PGE + CTHπ1π2π3π4
π5π6π7π8
π9π10
π1π2
π3π4 π6
π5CTH
PGE
PGE
PGE
PGE
PGE
Topological orderπ5
π5
π6
π6
π
π
π
π
π1
π2
π3
π4 π
ππ
π
πππ
ππ
ππ
ππππ
ππ
ππππππππππ
ππ
RevealMap
![Page 17: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/17.jpg)
Instantiating PGE
![Page 18: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/18.jpg)
PGE for GMW
g x y z0 0 g(0,0
)0 1 g(0,1
)1 0 g(1,0
)1 1 g(1,1
)
π (π , π )
π§1 π§ 2
g0 00 11 01 1
π1 π2
π₯2 , π¦ 21-out-of-4 OT
![Page 19: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/19.jpg)
PGE for AC
β’ is an additively homomrphic encryption
π1
π1 ,π1 ,ππ π2π2 ,π2 ,ππ ,π ππΈππππ (π2 ) ,πΈππππ (π2 ) ,πΈππππ(π2π2)
(If )
(If )
πΆ=πΈππππ(π2+π2+π )
π2βπ·πππ π(πΆ)
π1βπ πΆ=πΈππππ(π1π1+π2π1+π1π2+π2π2βπ1)
![Page 20: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/20.jpg)
PGE for Garbled Circuit
β’ We kind of cheat!o We assume all gates are NAND gates
β’ Sharing associated with Yaoo To share a value o holds ( o holds
β’ sends a garbled table to β’ decrypts one row of the table
![Page 21: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/21.jpg)
Instantiating CTH
![Page 22: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/22.jpg)
Oblivious Mappingβ’ Assume inputs are ready Oblivious mapping
π πͺ
π1
Ο
π2(π‘1π‘2...π‘π
)(ππβ 1 (1 )βπ‘1ππβ 1 (2 )βπ‘ 2
.
.
.ππβ1 (π )βπ‘πβ
)(π1π2...ππ
)π1
π2
π3
π4π5π6
π1βπ‘ 1
π1βπ‘ 5
π2βπ‘ 2π3βπ‘3
π4βπ‘ 4
π5βπ‘6π5βπ‘7
π6βπ‘ 9π6βπ‘8
![Page 23: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/23.jpg)
Oblivious Mappingβ’ Using any MPC
o inefficiento Not clear it has the on-demand propertyo [HEKβ12] implements Waksman using Yaoβs protocol
β’ Using singly HE o Linear complexityo Requires public-key operations
β’ Using oblivious transfero Not linearo But better concrete efficiency (OT extension)
![Page 24: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/24.jpg)
HE-based
π1 π2
πΈππππ(π1)πΈππππ(π2)
πΈππππ(ππ)
πΈππππ(πΒΏΒΏπβ 1 (1 )βπ‘ΒΏΒΏ1)ΒΏπΈππππ(ππβ 1 (2 )βπ‘ΒΏΒΏ2)ΒΏ .ΒΏ ..
πΈππππ(πΒΏΒΏπβ1 (π )βπ‘ ΒΏΒΏπ)βΒΏΒΏ
.
.
. (π1π2...ππ
)(π‘1π‘2...π‘π
)π β
Easy to make on-demand
ππ ,π π
![Page 25: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/25.jpg)
Permutation Networks
ππ
1
ππ
0ππ
ππ
β¦
β¦
β¦
β¦
[Waksmanβ 68]: any permutation can be implemented using a permutation network of size
The permutation is determined using selection bits
Permutation NetworkSwitchesselection bit
![Page 26: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/26.jpg)
Switching Networksβ’ Our mapping is not a permutation
β’ Need one more switch type
ππ
1
ππ
0ππ
ππ π
π
1
ππ
0ππ
ππ
![Page 27: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/27.jpg)
Mapping from SN
Waksman network
Waksman network
π1π2...ππ
ππ...π
π1πππ2ππ3π4...πππ
1π1π1 1
π1π1 0 π1
.
.
.
m ππππβπ+1+π+πππππβπ+1
![Page 28: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/28.jpg)
Oblivious Switch 1
π1π2
π3π 4
π1
π ,ππ2
π
ΒΏ π 1-out-of-2 OT
πβπ1 ,πβπ 2π =0β (πβπ1)β (π1βπ 3 )=πβπ π
(πβπ 2)β (π 2βπ 4 )=πβπ π
π =1β(πβπ2)β (π 2βπ 3 )=πβππ
(πβπ 1)β (π1βπ4 )=πβπ π
![Page 29: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/29.jpg)
Oblivious Switch 2
π1π2
π3π 4
π1
π ,ππ2
π
ΒΏ π 1-out-of-2 OT
πβπ1 ,πβπ 2π =0β (πβπ1)β (π1βπ 3 )=πβπ π
(πβπ 2)β (π 2βπ 4 )=πβπ π
π =1β (πβπ 1)β (π1βπ3 )=πβππ
(πβπ1)β (π1βπ 4 )=πβππ
![Page 30: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/30.jpg)
Oblivious SN Evaluation
π1π2
π3π 4 π3
π 4π5π6
0
1
π6π5
π7π8
1
πβπ1 πβπ3
πβπ6
πβπ7
MAP
Reveal
πβπ 7βπ‘7πβ π‘7
![Page 31: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/31.jpg)
Oblivious SN Evaluation
β’ One OT per switcho O(mlog m) OTs total
β’ On-demando All OTs done offlineo Only Xoring online
β’ Practical when using OT extension
β’ Constant round
![Page 32: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/32.jpg)
Oblivious Mapping CTH Functionality
β’ GMW or Arithmetic Circuitso Inputs to mapping are ADDITIVE- or XOR-sharedo (MAP) Each party runs an oblivious mapping with
β’ uses his vector of shares as inputβ’ uses his mapping and blinding vector
o (Reveal) Each party obtains his blinded βmappedβ vector of shares
o maps his own vector of shares and XOR/SUBTRACTs s to adjust values.
β’ Yaoβs Protocolo Slightly more involved due to βweird sharingβ
mechanism
![Page 33: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/33.jpg)
Summary of Resultsβ’ First Multiparty PFE with linear complexity
o GMW + HE-Based oblivious mapping
β’ First Arithmetic PFE with linear complexityo [CDN 01] + HE-based oblivious mapping
β’ More efficient two-party PFE with linear complexityo Yao + HE-based oblivious mappingo Subsumes and improves construction of [KMβ11]
β’ More practical PFEo Yao/GMW + OT-based oblivious mapping + OT extension
![Page 34: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/34.jpg)
Future Work
![Page 35: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/35.jpg)
Other Security Notions
β’ Security against stronger adversarieso Covert, maliciouso Can we still achieve linear complexity?
β’ PFE in the information theoretic settingo Our OT-based solution seems generalizable to IT settingo But linear PFE is open
β’ Can we hide circuit size without using FHE?o or use FHE in a limited way, or use somewhat FHE?
![Page 36: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/36.jpg)
Round Complexity of PFE
β’ Can we do PFE non-interactively?o Our Yao-based protocol requires at least 3 messageso SFE can be done in two messages
β’ Can we achieve constant round multiparty PFE with linear complexity?o We only know it for two-party case
β’ Can we achieve constant round arithmetic PFE?o Without switching to a Boolean circuit
![Page 37: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/37.jpg)
PFE for Practiceβ’ PFE with good concrete + asymptotic
efficiencyo E.g. designing OT-based oblivious mapping with linear
complexityβ’ Can PFE help improve efficiency of SFE?
o Idea: β’ One party embeds his input in the circuitβ’ Shrinks the circuit significantlyβ’ Circuit structure leaks information β’ We use PFE to hide the structure
β’ PFE for RAM programs
![Page 38: Private Function Evaluation](https://reader036.vdocument.in/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/38.jpg)
Thank you!