private function evaluation
DESCRIPTION
Private Function Evaluation. Payman Mohassel & Saeed Sadeghian University of Calgary. Secure Function Evaluation. Correctness: honest parties learn the correct output Privacy: Nothing but the final output is leaked β¦. P 2 , x 2. P 1 , x 1. P 3 , x 3. P 4 , x 4. P 5 , x 5. - PowerPoint PPT PresentationTRANSCRIPT
Private Function Evaluation
Payman Mohassel & Saeed Sadeghian University of Calgary
2
Secure Function Evaluation
Parties learn f(x1,β¦,xn)
P1, x1
P2, x2
P5, x5
P4, x4
P3, x3
Correctness:honest parties learn the correct output
Privacy:Nothing but the final output is leaked
β¦
Private vs. Secure Function Evaluation
π (ππ ,β¦, ππ)
π (ππ ,β¦, ππ)
SFEPFE
Why Hide The Function?
β’ Private functionso Proprietary, intellectual propertyo E.g., medical diagnosis, error reporting systems β¦
β’ Sensitive functionso Revealing vulnerabilitieso E.g. IDS containing zero-day signatures
β’ In SFE output leaks infoo Hiding the function can helpo Prevents dictionary attacks
Hide Everything Fully Homomorphic Encryption
π2 π1
π₯ π¦ , ππΈ (π₯ )
πΈ ( π (π₯ , π¦ ))
π (π₯ , π¦)Also hides size of and
Relaxation
β’ leako Function/circuit sizeo Input size
β’ But o More efficient primitiveso Milder assumptions
Is PFE Hard?β’ Not really!
β’ All SFE feasibility results extend to PFEo Using Universal Circuits
β’ The only interesting questions are efficiency questions
Universal CircuitsC Universal Circuit
x
C(x)
Universal Circuitsβ’ Boolean
o For a circuit C with g gateso [Valiantβ 76]: (good for large circuits)
β’ Actually building it seems complicatedo [KSβ 08]: (good for small circuits )
β’ Arithmetico For a circuit C with g gates and depth d o [Razβ 08]: gates, i.e. in the worst caseo Or use a Boolean circuit
PFE Constructionsβ’ Two-party setting
o Universal Circuit + Yaoβs protocolβ’ or symmetric ops + OTs
o [KMβ 11]: Singly Homomorphic Enc + Yaoβs protocol β’ public-key ops + symmetric ops
β’ Multi-party settingo Universal Circuit + GMW protocol
β’ OTs
β’ Arithmetic circuitso Universal Circuit + HE-based MPC [CDNβ 01]o public-key ops
Efficiency Questionsβ’ Asymptotic Efficiency
o Can we design PFE with linear complexity in all standard settings?
o The multiparty caseo The malicious case
β’ Practical Efficiencyo Can we improve practical efficiency of universal
circuit approach?o Constant factors are important
What Does UC Hide?
β’ Function of each gate
β’ Topology of circuit
Our Framework
Private Gate Evaluation
β’ Inputs are shared
o
β’ Gate function
o Known only to
β’ Output is shared
π (π , π )
π§1 π§ 2
Actual sharing mechanism depends on the protocol
Circuit Topologyβ’ Topology captured using an extended permutation π1
π2π3π4
π5π6π7π8
π9π10
π1π2
π3π4 π6
π5
π1π2π3π4π5π6π7π8π9π10
π πͺ
CTH Functionality
β’ Inputs are shared
β’ Mappingo known by only
β’ Outputs are shared
β’ Query typeso Map: done internallyo Reveal: reveal result of mapo On-demand mapping
π₯=π₯1βπ₯2π₯ β² β² 1βπ₯ β² β²2=π₯
π¦=π¦1β π¦2π¦ β² 1β π¦ β²2=π¦
Map
Reveal
π πͺπ₯ β² 1βπ₯ β²2=π₯
PGE + CTHπ1π2π3π4
π5π6π7π8
π9π10
π1π2
π3π4 π6
π5CTH
PGE
PGE
PGE
PGE
PGE
Topological orderπ5
π5
π6
π6
π
π
π
π
π1
π2
π3
π4 π
ππ
π
πππ
ππ
ππ
ππππ
ππ
ππππππππππ
ππ
RevealMap PGE
Instantiating PGE
PGE for GMW
g x y z0 0 g(0,0
)0 1 g(0,1
)1 0 g(1,0
)1 1 g(1,1
)
π (π , π )
π§1 π§ 2
g0 00 11 01 1
π1 π2
π₯2 , π¦ 21-out-of-4 OT
PGE for AC
β’ is an additively homomrphic encryption
π1
π1 ,π1 ,ππ π2π2 ,π2 ,ππ ,π ππΈππππ (π2 ) ,πΈππππ (π2 ) ,πΈππππ(π2π2)
(If )
(If )
πΆ=πΈππππ(π2+π2+π )
π2βπ·πππ π(πΆ)
π1βπ πΆ=πΈππππ(π1π1+π2π1+π1π2+π2π2βπ1)
Instantiating CTH
Oblivious Extended Perm.
β’ Assume inputs are ready
π πͺ
π1
Ο
π2(π‘1π‘2...π‘π
)(ππβ 1 (1 )βπ‘1ππβ 1 (2 )βπ‘ 2
.
.
.ππβ1 (π )βπ‘πβ
)(π1π2...ππ
)π1
π2
π3
π4π5π6
π1βπ‘ 1
π1βπ‘ 5
π2βπ‘ 2π3βπ‘3
π4βπ‘ 4
π5βπ‘6π5βπ‘7
π6βπ‘ 9π6βπ‘8
OEPβ’ Using any MPC
o Inefficiento Not on-demand
β’ Using singly HE o Linear complexityo Requires public-key ops
β’ Using oblivious transfero Not linearo But better concrete efficiency (OT extension)
HE-based
π1 π2
πΈππππ(π1)πΈππππ(π2)
πΈππππ(ππ)
πΈππππ(πΒΏΒΏπβ 1 (1 )βπ‘ΒΏΒΏ1)ΒΏπΈππππ(ππβ 1 (2 )βπ‘ΒΏΒΏ2)ΒΏ .ΒΏ ..
πΈππππ(πΒΏΒΏπβ1 (π )βπ‘ ΒΏΒΏπ)βΒΏΒΏ
.
.
. (π1π2...ππ
)(π‘1π‘2...π‘π
)π β
Easy to make on-demand
ππ ,π π
Permutation Networks
ππ
1
ππ
0ππ
ππ
β¦
β¦
β¦
β¦
[Waksmanβ 68]: any permutation can be implemented using a permutation network of size
The permutation is determined using selection bits
Permutation NetworkSwitchesselection bit
EP Networksβ’ Need one more switch type
ππ
1
ππ
0ππ
ππ π
π
1
ππ
0ππ
ππ
EP Networks
Waksman network
Waksman network
π1π2...ππ
ππ...π
π1πππ2ππ3π4...πππ
1π1π1 1
π1π1 0 π1
.
.
.
m ππππβπ+1+π+πππππβπ+1
Oblivious Switch
π1π2
π3π 4
π1
π ,ππ2
π
ΒΏ π 1-out-of-2 OT
πβπ1 ,πβπ 2
π =0β (πβπ1)β (π1βπ 3 )=πβπ π
(πβπ 2)β (π 2βπ 4 )=πβπ π
π =1β(πβπ2)β (π 2βπ 3 )=πβππ
(πβπ 1)β (π1βπ4 )=πβπ π
OEP
π1π2
π3π 4 π3
π 4π5π6
0
1
π6π5
π7π8
1
πβπ1 πβπ3
πβπ6
πβπ7
MAP
Reveal
πβπ 7βπ‘7πβ π‘7
π1
(π‘1π‘2...π‘π
)(π 1π‘2...π π
)π2
(π1π2...ππ
)
Ο
Efficiencyβ’ One OT per switch
o O(nlogn) OTs total
β’ Practical thanks to OT extension
β’ Fast online phaseo OTs done offline
β’ Constant round
Instantiationsβ’ First Multiparty PFE with linear complexity
o GMW + HE-Based OEP
β’ First Arithmetic PFE with linear complexityo [CDN 01] + HE-based OEP
β’ More efficient two-party PFE with linear complexityo Yao + HE-based OEPo Subsumes and improves construction of [KMβ11]
β’ More practical PFEo Yao/GMW + OT-based OEP + OT extension
Yao-based PFEπ1π2
π3π4
π5π6π7π8
π9π10
π1π2
π3π4 π6
π5
π1
π2ΒΏ(π‘1π‘2........π‘ 20
)
OEP
)
))
)
Open Questions
Stronger Securityβ’ Linear PFE with malicious security
o Recently solved! [Mohassel-Sadeghian-Smart 2014]
β’ Linear PFE with IT securityo Our linear solution relies on HE-based OEP
β’ Hide circuit size without FHE?o Use FHE in a limited way?o Use somewhat FHE?
PFE for Practiceβ’ Linear PFE with good concrete efficiency
o OEP with linear symmetric-key Opso Can use free-XOR if you leak number of XOR gates
β’ Can PFE help improve efficiency of SFE?o An Idea:
β’ One party embeds his input in the circuitβ’ Shrinks the circuit significantlyβ’ Circuit structure leaks information β’ Use PFE to hide the structure
β’ PFE for RAM programs
Thank you!