oblivious branching program evaluation payman mohassel and salman niksefat university of calgary

Oblivious Branching Program Evaluation

Payman Mohassel and Salman Niksefat

University of Calgary

Branching Programs

• A function representation, just like truth tables, decision trees, OBDDs, Boolean circuits

[image: Wikipedia]

Binary Decision Trees

• Each internal node labeled with a binary variable

• Each leaf labeled with an output value

[image: Wikipedia]

Ordered Binary Decision Diagrams (OBDD)

• Directed Acyclic Graphs– Nodes can have multiple incoming edges

• Variables processed in order• xi is processed in layer i • Applications– Formal verification– Circuit design– Fault-tree analysis

[image: Wikipedia]

Branching Programs

Each variable can appear at multiple layers, in arbitrary order

x2

x3

x3

x2

x1

x1

01

Other Generalizations

• Non-binary variables• Multivariate branching programs– Each node a function of multiple variables– Non-linear functions

• Non-binary outputs– Arbitrary output labels

Oblivious Branching Program (OBP) Evaluation

BP =

BP(x)

X = (x1 , … , xn)

Security Requirements

• Secure two-party computation– Keep the BP private– Keep the BP’s input private– Guarantee correctness

• Security against malicious parties– Corrupted party can behave arbitrarily

Potential Applications

• Daignostic programs– Medical diagnostic– Remote software fault-diagnostic– Spam filters– Intrusion detection

• keeping the program private– Proprietary program– Program reveals vulnerabilities

• Keeping inputs to the programs private – Client’s data privacy

Private Database Queries

• Represent server’s data as a BP• Represent client’s input as input to BP

• Private information retrieval• Private keyword search• Private element rank• …

Symmetric PIR(1-Out-of-N OT)

i1

i2i2

i3 i3 i3 i3

d1 d2 d3 d4 d5 d6 d7 d8

Server D = d1 , … , dN

ClientI = i1 i2 … ilogN

dI

Only keep the leaves private

Computation vs. Communication

• Most SPIRs computationally expensive– Public-key ops proportional to database size– Focus on communication for large databases

• Experiments on PIR: [SC 07, OG 11]– Communicating the database maybe more efficient

• The only SPIR focusing on computation is [NP 99]– O(logN) public-key ops– O(NlogN) symmetric-key ops– Significantly less computation, more communication

Private Keyword Search

x1

x2x2

x3 x3

d1 d2 d3

d4

Server D = (k1,d1) , … , (kN,dN)

Clientw = w1 w2 … wt

di if ki = w

Evaluation paths have different lengthsThey leak information about the keyword or database

Private Keyword Search

x1

x2x2

x3 x3

d1 d2 d3

Server D = (k1,d1) , … , (kN,dN)

Clientw = w1 w2 … wt

x1

x2x2

x3 x3

d1 d2 d3x2 x3

x3

Secure Evaluation of Public Decision Trees

• Alice knows– The input to the tree (x1 , … , xn)

• Bob knows– Labels of the leaves of the tree

• Both parties know– Structure of the tree

The Protocol

(k01 , k1

1 )(k0

2 , k12 )

(k0n , k1

n )...Oblivious Transfer

X = x1 … xnkxn

n

kx11

kx22

.

.

.

xipadi

padjpadk

k0i pad2 k1

i pad3

G(padi)

The Protocol Cont’d

• Server sends encrypted DT to client

• Client can decrypt a single path from root to a leaf

Node 1 Node 2 Node i

G(padi)

ki0

Security and Efficiency

• Security against malicious adversaries– If the OT is secure against malicious adversaries

• Efficiency– V PRG invocation– n oblivious transfers

• Consider SPIR– Naor-Pinkas construction

• NlogN symmetric-key ops

– Our new construction• N symmetric-key ops

Hiding the Structure

(k01 , k1

1 )(k0

2 , k12 )

(k0n , k1

n )...Oblivious Transfer

X = x1 … xnkxn

n

kx11

kx22

.

.

.

Return OT answers randomly permuted

Kx44 Kx7

7 Kx11 …

We need a strong OTQueries and answers cannot be connected

Hiding the Structure

Kx44 Kx7

7 Kx11 …

Node j Node i Node kPermuted list of encrypted nodes

Permuted list of OT answers

xipadi

padj padk

K0i Padj|| j K1

i Padk || k || 0k || 0k

$

G(pad1) j’ ||

Extension to DAGs

• In DTs– Each path from the root to a leaf contains unique

variables– If a variable appears twice we can remove the

second instance– A single key needs to be accessed only once

• In BPs– Each variable can appear multiple times in a single

path

Oblivious BP Evaluation

Kx44 Kx7

7 Kx11 …

Node j Node i Node kPermuted list of encrypted nodes

Permuted list for each level

xipad1

pad2 pad3

K0i Pad2 || j K1

i Pad3 || k || 0k || 0k

$

G(pad1) j’ ||

K’x66 K’x4

4 K’x22 …

Security and Efficiency

• Security– Secure against a malicious input holder– Private against a malicious BP holder

• Efficiency– O(nl) oblivious transfers– O(V) PRG invocations– V is the number of nodes in the graph, l is the

depth of the BP

Comparison

YaoIP07

Barnie09, Brickell 07

Ours

Conclusions

• A computationally efficient protocols for OBP• Applications to private database queries• Future Work– Avoid strong OTs• Needs Paillier’s encryption• Work in progress: achieve this using any standard OT

– Ambitious open question• Achieve communication and computation efficiency