Transcript
Page 1: Private Function Evaluation

Private Function Evaluation

Payman Mohassel University of Calgary

Talks given at Bristol and Aarhus Universities

Joint work with Saeed Sadeghian

Page 2: Private Function Evaluation

2

Secure Function Evaluation

Parties learn f(x1,…,xn)

P1, x1

P2, x2

P5, x5

P4, x4

P3, x3

Correctness:honest parties learn the correct output

Privacy:Nothing but the final output is leaked

Page 3: Private Function Evaluation

Private vs. Secure Function Evaluation

𝒇 (π’™πŸ ,…, 𝒙𝒏)

𝒇 (π’™πŸ ,…, 𝒙𝒏)

Page 4: Private Function Evaluation

Our Setup

𝒇 (π’™πŸ ,…, 𝒙𝒏)

β€’ Function o Boolean circuitso Arithmetic circuits

β€’ Settings we considero Two-partyo Multiparty

β€’ Dishonest majorityβ€’ Semi-honest

adversaries

Page 5: Private Function Evaluation

Motivationβ€’ Why Hide the Function?

o Private functionsβ€’ Proprietary, intellectual property

o Sensitive functionsβ€’ Revealing vulnerabilities

o Output of SFE leaks informationβ€’ Hiding the function potentially helpsβ€’ Prevents dictionary attacks on input

β€’ Interactive program obfuscationo If interaction is possible PFE yields efficient program

obfuscation

Page 6: Private Function Evaluation

Is PFE Hard?β€’ Not really!

β€’ All SFE feasibility results extend to PFEo Using Universal Circuits

β€’ The only interesting questions are efficiency questions

Page 7: Private Function Evaluation

Universal CircuitsC Universal Circuit

x

C(x)

Page 8: Private Function Evaluation

Universal Circuitsβ€’ Boolean

o For a circuit C with g gateso [Valiant’ 76]: (good for large circuits)

β€’ Building it seems complicatedo [KS’ 08]: (good for small circuits )

β€’ Arithmetico For a circuit C with g gates and depth d o [Raz’ 08]: gates, i.e. in the worst case

Page 9: Private Function Evaluation

PFE Constructionsβ€’ Two-party setting

o Universal Circuit + Yao’s protocolβ€’ or symmetric ops + OTs

o [KM’ 11]: Homomorphic Enc + Yao’s protocol β€’ public-key ops + symmetric ops

β€’ Multi-party settingo Universal Circuit + GMW protocol

β€’ OTs

β€’ Arithmetic circuitso Universal Circuit + HE-based MPC [CDN’ 01]o public-key ops

Page 10: Private Function Evaluation

Efficiency Questionsβ€’ Asymptotic Efficiency

o Can we design PFE with linear complexity in all standard settings?

β€’ Practical Efficiencyo Constant factors are importanto Symmetric ops superior to public-key opso …o Can we improve practical efficiency of universal

circuit approach?

Page 11: Private Function Evaluation

Our Framework

Page 12: Private Function Evaluation

Hiding the Circuitβ€’ What is leaked

o Number of gateso Input sizeo Output size

β€’ What is privateo Functionality of gateso Topology of the circuit

One can hide circuit size using an FHE-based construction

Page 13: Private Function Evaluation

Private Gate Evaluation

β€’ Inputs are shared

o

β€’ Gate function

o Known only to

β€’ Output is shared

π’ˆ (𝒙 , π’š )

𝑧1 𝑧 2

Actual sharing mechanism depends on the protocol

Page 14: Private Function Evaluation

Circuit Topologyβ€’ Topology captured using a mapping 𝑖1

𝑖2𝑖3𝑖4

𝑖5𝑖6𝑖7𝑖8

𝑖9𝑖10

π‘œ1π‘œ2

π‘œ3π‘œ4 π‘œ6

π‘œ5

𝑖1𝑖2𝑖3𝑖4𝑖5𝑖6𝑖7𝑖8𝑖9𝑖10

𝝅π‘ͺ

Page 15: Private Function Evaluation

CTH Functionality

β€’ Inputs are shared

β€’ Mappingo known by only

β€’ Outputs are shared

β€’ Query typeso Map: done internallyo Reveal: reveal result of mapo On-demand mapping

π‘₯=π‘₯1βŠ•π‘₯2π‘₯ β€² β€² 1βŠ•π‘₯ β€² β€²2=π‘₯

𝑦=𝑦1βŠ• 𝑦2𝑦 β€² 1βŠ• 𝑦 β€²2=𝑦

Map

Reveal

𝝅π‘ͺπ‘₯ β€² 1βŠ•π‘₯ β€²2=π‘₯

Page 16: Private Function Evaluation

PGE + CTH𝑖1𝑖2𝑖3𝑖4

𝑖5𝑖6𝑖7𝑖8

𝑖9𝑖10

π‘œ1π‘œ2

π‘œ3π‘œ4 π‘œ6

π‘œ5CTH

PGE

PGE

PGE

PGE

PGE

Topological orderπ‘œ5

π‘œ5

π‘œ6

π‘œ6

𝟏

𝟐

πŸ•

πŸ‘

π‘œ1

π‘œ2

π‘œ3

π‘œ4 πŸ’

πŸ“πŸ”

πŸ–

πŸ—πŸπŸŽ

𝟏𝟏

𝟏𝟐

πŸπŸ‘πŸπŸ’

πŸπŸ“

πŸπŸ–πŸπŸ”πŸπŸ•πŸπŸ—πŸπŸŽ

𝟐𝟏

RevealMap

Page 17: Private Function Evaluation

Instantiating PGE

Page 18: Private Function Evaluation

PGE for GMW

g x y z0 0 g(0,0

)0 1 g(0,1

)1 0 g(1,0

)1 1 g(1,1

)

π’ˆ (𝒙 , π’š )

𝑧1 𝑧 2

g0 00 11 01 1

𝑃1 𝑃2

π‘₯2 , 𝑦 21-out-of-4 OT

Page 19: Private Function Evaluation

PGE for AC

β€’ is an additively homomrphic encryption

𝑃1

π‘Ž1 ,𝑏1 ,π‘π‘˜ 𝑃2π‘Ž2 ,𝑏2 ,π‘π‘˜ ,π‘ π‘˜πΈπ‘›π‘π‘π‘˜ (π‘Ž2 ) ,πΈπ‘›π‘π‘π‘˜ (𝑏2 ) ,πΈπ‘›π‘π‘π‘˜(π‘Ž2𝑏2)

(If )

(If )

𝐢=πΈπ‘›π‘π‘π‘˜(π‘Ž2+𝑏2+π‘Ÿ )

𝑐2β†π·π‘’π‘π‘ π‘˜(𝐢)

𝑐1←𝐅 𝐢=πΈπ‘›π‘π‘π‘˜(π‘Ž1𝑏1+π‘Ž2𝑏1+π‘Ž1𝑏2+π‘Ž2𝑏2βˆ’π‘1)

Page 20: Private Function Evaluation

PGE for Garbled Circuit

β€’ We kind of cheat!o We assume all gates are NAND gates

β€’ Sharing associated with Yaoo To share a value o holds ( o holds

β€’ sends a garbled table to β€’ decrypts one row of the table

Page 21: Private Function Evaluation

Instantiating CTH

Page 22: Private Function Evaluation

Oblivious Mappingβ€’ Assume inputs are ready Oblivious mapping

𝝅π‘ͺ

𝑃1

Ο€

𝑃2(𝑑1𝑑2...π‘‘π‘š

)(π‘Žπœ‹βˆ’ 1 (1 )βŠ•π‘‘1π‘Žπœ‹βˆ’ 1 (2 )βŠ•π‘‘ 2

.

.

.π‘Žπœ‹βˆ’1 (π‘š )βŠ•π‘‘π‘šβ‘

)(π‘Ž1π‘Ž2...π‘Žπ‘›

)π‘Ž1

π‘Ž2

π‘Ž3

π‘Ž4π‘Ž5π‘Ž6

π‘Ž1βŠ•π‘‘ 1

π‘Ž1βŠ•π‘‘ 5

π‘Ž2βŠ•π‘‘ 2π‘Ž3βŠ•π‘‘3

π‘Ž4βŠ•π‘‘ 4

π‘Ž5βŠ•π‘‘6π‘Ž5βŠ•π‘‘7

π‘Ž6βŠ•π‘‘ 9π‘Ž6βŠ•π‘‘8

Page 23: Private Function Evaluation

Oblivious Mappingβ€’ Using any MPC

o inefficiento Not clear it has the on-demand propertyo [HEK’12] implements Waksman using Yao’s protocol

β€’ Using singly HE o Linear complexityo Requires public-key operations

β€’ Using oblivious transfero Not linearo But better concrete efficiency (OT extension)

Page 24: Private Function Evaluation

HE-based

𝑃1 𝑃2

πΈπ‘›π‘π‘π‘˜(π‘Ž1)πΈπ‘›π‘π‘π‘˜(π‘Ž2)

πΈπ‘›π‘π‘π‘˜(π‘Žπ‘›)

πΈπ‘›π‘π‘π‘˜(π‘ŽΒΏΒΏπœ‹βˆ’ 1 (1 )βŠ•π‘‘ΒΏΒΏ1)ΒΏπΈπ‘›π‘π‘π‘˜(π‘Žπœ‹βˆ’ 1 (2 )βŠ•π‘‘ΒΏΒΏ2)ΒΏ .ΒΏ ..

πΈπ‘›π‘π‘π‘˜(π‘ŽΒΏΒΏπœ‹βˆ’1 (π‘š )βŠ•π‘‘ ΒΏΒΏπ‘š)❑¿¿

.

.

. (π‘Ž1π‘Ž2...π‘Žπ‘›

)(𝑑1𝑑2...π‘‘π‘š

)𝝅❑

Easy to make on-demand

π‘π‘˜ ,π‘ π‘˜

Page 25: Private Function Evaluation

Permutation Networks

π‘Žπ‘

1

π‘Žπ‘

0π‘Žπ‘

π‘Žπ‘

…

…

…

…

[Waksman’ 68]: any permutation can be implemented using a permutation network of size

The permutation is determined using selection bits

Permutation NetworkSwitchesselection bit

Page 26: Private Function Evaluation

Switching Networksβ€’ Our mapping is not a permutation

β€’ Need one more switch type

π‘Žπ‘

1

π‘Žπ‘

0π‘Žπ‘

π‘Žπ‘ π‘Ž

𝑏

1

π‘Žπ‘

0π‘Žπ‘

π‘Žπ‘Ž

Page 27: Private Function Evaluation

Mapping from SN

Waksman network

Waksman network

π‘Ž1π‘Ž2...π‘Žπ‘›

𝑑𝑑...𝑑

π‘Ž1π‘‘π‘‘π‘Ž2π‘‘π‘Ž3π‘Ž4...π‘‘π‘Žπ‘›

1π‘Ž1π‘Ž1 1

π‘Ž1π‘Ž1 0 π‘Ž1

.

.

.

m π‘™π‘œπ‘”π‘šβˆ’π‘š+1+π‘š+π‘šπ‘™π‘œπ‘”π‘šβˆ’π‘š+1

Page 28: Private Function Evaluation

Oblivious Switch 1

π‘Ÿ1π‘Ÿ2

π‘Ÿ3π‘Ÿ 4

𝑃1

π‘Ž ,𝑏𝑃2

𝑠

ΒΏ 𝑠1-out-of-2 OT

π‘ŽβŠ•π‘Ÿ1 ,π‘βŠ•π‘Ÿ 2𝑠=0β†’ (π‘ŽβŠ•π‘Ÿ1)βŠ• (π‘Ÿ1βŠ•π‘Ÿ 3 )=π’‚βŠ•π’“ πŸ‘

(π‘βŠ•π‘Ÿ 2)βŠ• (π‘Ÿ 2βŠ•π‘Ÿ 4 )=π’ƒβŠ•π’“ πŸ’

𝑠=1β†’(π‘βŠ•π‘Ÿ2)βŠ• (π‘Ÿ 2βŠ•π‘Ÿ 3 )=π’ƒβŠ•π’“πŸ‘

(π‘ŽβŠ•π‘Ÿ 1)βŠ• (π‘Ÿ1βŠ•π‘Ÿ4 )=π’‚βŠ•π’“ πŸ’

Page 29: Private Function Evaluation

Oblivious Switch 2

π‘Ÿ1π‘Ÿ2

π‘Ÿ3π‘Ÿ 4

𝑃1

π‘Ž ,𝑏𝑃2

𝑠

ΒΏ 𝑠1-out-of-2 OT

π‘ŽβŠ•π‘Ÿ1 ,π‘βŠ•π‘Ÿ 2𝑠=0β†’ (π‘ŽβŠ•π‘Ÿ1)βŠ• (π‘Ÿ1βŠ•π‘Ÿ 3 )=π’‚βŠ•π’“ πŸ‘

(π‘βŠ•π‘Ÿ 2)βŠ• (π‘Ÿ 2βŠ•π‘Ÿ 4 )=π’ƒβŠ•π’“ πŸ’

𝑠=1β†’ (π‘ŽβŠ•π‘Ÿ 1)βŠ• (π‘Ÿ1βŠ•π‘Ÿ3 )=π’‚βŠ•π’“πŸ‘

(π‘ŽβŠ•π‘Ÿ1)βŠ• (π‘Ÿ1βŠ•π‘Ÿ 4 )=π’‚βŠ•π’“πŸ’

Page 30: Private Function Evaluation

Oblivious SN Evaluation

π‘Ÿ1π‘Ÿ2

π‘Ÿ3π‘Ÿ 4 π‘Ÿ3

π‘Ÿ 4π‘Ÿ5π‘Ÿ6

0

1

π‘Ÿ6π‘Ÿ5

π‘Ÿ7π‘Ÿ8

1

π‘ŽβŠ•π‘Ÿ1 π‘ŽβŠ•π‘Ÿ3

π‘ŽβŠ•π‘Ÿ6

π‘ŽβŠ•π‘Ÿ7

MAP

Reveal

π‘ŽβŠ•π‘Ÿ 7βŠ•π‘‘7π‘ŽβŠ• 𝑑7

Page 31: Private Function Evaluation

Oblivious SN Evaluation

β€’ One OT per switcho O(mlog m) OTs total

β€’ On-demando All OTs done offlineo Only Xoring online

β€’ Practical when using OT extension

β€’ Constant round

Page 32: Private Function Evaluation

Oblivious Mapping CTH Functionality

β€’ GMW or Arithmetic Circuitso Inputs to mapping are ADDITIVE- or XOR-sharedo (MAP) Each party runs an oblivious mapping with

β€’ uses his vector of shares as inputβ€’ uses his mapping and blinding vector

o (Reveal) Each party obtains his blinded β€œmapped” vector of shares

o maps his own vector of shares and XOR/SUBTRACTs s to adjust values.

β€’ Yao’s Protocolo Slightly more involved due to β€œweird sharing”

mechanism

Page 33: Private Function Evaluation

Summary of Resultsβ€’ First Multiparty PFE with linear complexity

o GMW + HE-Based oblivious mapping

β€’ First Arithmetic PFE with linear complexityo [CDN 01] + HE-based oblivious mapping

β€’ More efficient two-party PFE with linear complexityo Yao + HE-based oblivious mappingo Subsumes and improves construction of [KM’11]

β€’ More practical PFEo Yao/GMW + OT-based oblivious mapping + OT extension

Page 34: Private Function Evaluation

Future Work

Page 35: Private Function Evaluation

Other Security Notions

β€’ Security against stronger adversarieso Covert, maliciouso Can we still achieve linear complexity?

β€’ PFE in the information theoretic settingo Our OT-based solution seems generalizable to IT settingo But linear PFE is open

β€’ Can we hide circuit size without using FHE?o or use FHE in a limited way, or use somewhat FHE?

Page 36: Private Function Evaluation

Round Complexity of PFE

β€’ Can we do PFE non-interactively?o Our Yao-based protocol requires at least 3 messageso SFE can be done in two messages

β€’ Can we achieve constant round multiparty PFE with linear complexity?o We only know it for two-party case

β€’ Can we achieve constant round arithmetic PFE?o Without switching to a Boolean circuit

Page 37: Private Function Evaluation

PFE for Practiceβ€’ PFE with good concrete + asymptotic

efficiencyo E.g. designing OT-based oblivious mapping with linear

complexityβ€’ Can PFE help improve efficiency of SFE?

o Idea: β€’ One party embeds his input in the circuitβ€’ Shrinks the circuit significantlyβ€’ Circuit structure leaks information β€’ We use PFE to hide the structure

β€’ PFE for RAM programs

Page 38: Private Function Evaluation

Thank you!


Top Related