Download - MPC Beyond Generic Computation - SJTU
![Page 1: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/1.jpg)
MPC Beyond Generic Computation
Benny Pinkas, Bar Ilan University
1
![Page 2: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/2.jpg)
•Previous lecture:1. Efficient circuit → efficient MPC protocol
2. We know that every function which is efficient to compute has a circuit of polynomial size
3. (1) + (2) → if we can efficiently compute a function then we can also run an MPC computing it
•Overhead of MPC depends on circuit representation of the function
2
![Page 3: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/3.jpg)
Examples
•Alice has integer x, Bob has integer y• Computing x+y• Computing whether x>y, max(x,y)
• Computing xy, xy
•X, Y are sets• Computing X ∩Y• Computing median(X,Y)
•X is an array, y is an index• Computing X[y]
3
![Page 4: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/4.jpg)
Specific vs. Generic Protocols
•Sometimes we can design a specific protocol for a specific problem, which will be more efficient than a generic, circuit-based protocol
•Still, it is preferable to use a circuit-based generic protocol• Adaptability
• Instead of hiring a crypto expert, hire an undergrad• Existing code base (libscapi @ github)• Composability
4
![Page 5: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/5.jpg)
In this lecture
•Secure computation of the median
•Secure computation of the intersection•Specific protocols•Circuit-based protocols
•Oblivious RAM
5
![Page 6: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/6.jpg)
Secure Computation of the Median
G. Aggarwal, N. Mishra and B. Pinkas, Secure Computation of the K'th-ranked Element, Eurocrypt '2004.
6
![Page 7: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/7.jpg)
kth-ranked element (e.g. median)
• Inputs:• Alice: SA Bob: SB
• Large sets of unique items (D).
•Output: • x SA SB s.t. x has k-1 elements smaller than it.
• The rank k • Could depend on the size of input datasets. • Median: k = (|SA| + |SB|) / 2
•Motivation:• Basic statistical analysis of distributed data.• E.g. histogram of salaries in different companies.
7
![Page 8: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/8.jpg)
Secure computation in the case of large circuit representation
•The Problem: •The size of a circuit for computing the kth
ranked element is at least linear in k (probably O(klogk)). This value might be very large.
•We will show a specific protocol for computing the kth ranked element, for the case of semi-honest parties.
8
![Page 9: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/9.jpg)
An (insecure) two-party median protocol
RALASA
SB
mA
RBLB mB
LA lies below the median, RB lies above the median. |LA| = |RB|
New median is same as original median.
Recursion → Need log n rounds
mA < mB
9
![Page 10: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/10.jpg)
A Secure two-party median protocol
A finds its median mA
B finds itsmedian mB
mA < mB
A deletes elements ≤ mA.B deletes elements > mB.
A deletes elements > mA.B deletes elements ≤ mB.
YES
NO
Secure comparison(e.g. a small circuit)
10
![Page 11: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/11.jpg)
(Explanation of the previous slide)
Namely (if you do not see the animation), all that it takes to make this protocol secure is to run a secure comparison protocol which compares the medians of the two parties and outputs a big which signals which of these two values is larger.
11
![Page 12: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/12.jpg)
An example
A B
mA>mB
mA<mB
mA<mB
mA>mB
mA<mB
Medianfound!!
8 9 16
1
16 161 1
12
![Page 13: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/13.jpg)
Recall: Security definition for MPC
x y
F(x,y) and nothing else
Input:Output:
x yAs if…
F(x,y) F(x,y)
13
![Page 14: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/14.jpg)
Proof of security
A B
mA>mB
mA<mB
mA<mB
mA>mB
mA<mB
median
mA>mB
mA<mB
mA<mB
mA>mB
mA<mB
14
![Page 15: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/15.jpg)
(Explanation of the previous slide)
(if you do not see the animation) the security proof shows that the entire view of Alice in the protocol can be simulated based on her input and output.
Namely, we need to simulate the output bit that she receives in each comparison protocol. This is easysince this output bit is exactly the one that does not cause to remove the input half which contains the final output (the median of the two sets).
15
![Page 16: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/16.jpg)
Proof of security
• This is a proof of security for the case of semi-honest adversaries.
• Security for malicious adversaries is more complex. • The protocol must be changed to ensure that the
parties’ answers are consistent with some input.•Also, the comparison of the medians must be
done by a protocol secure against malicious adversaries.
16
![Page 17: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/17.jpg)
+
Arbitrary input size, arbitrary k
SA
SB
k
Now, compute the median of two sets of size k.
Size should be a power of 2.
median of new inputs = kth element of original inputs
2i
+
-
17
![Page 18: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/18.jpg)
Hiding size of inputs
• Can search for kth element without revealing size of input sets.
• However, k=n/2 (median) reveals input size.
• Solution: Let S=2i be a bound on input size.
|SA|S
-+
-+
|SB|
Median of new datasets is same
as median of original datasets.
18
![Page 19: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/19.jpg)
Private Set Intersection (PSI)
19
![Page 20: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/20.jpg)
Private Set Intersection (PSI)
? ?
20
![Page 21: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/21.jpg)
A naïve PSI protocol
x1,…,xn y1,…,yn
H(y1),…, H(yn)
Compares to H(x1),…, H(xn)
21
![Page 22: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/22.jpg)
A naïve PSI protocol
x1,…,xn y1,…,yn
H(y1),…, H(yn)
Compares to H(x1),…, H(xn) Problem: If the inputs do not have
considerable entropy then Alice can apply a dictionary attack
22
![Page 23: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/23.jpg)
• Information sharing, e.g., intersection of threat information or of suspect lists
•Matching, e.g., testing compatibility of different properties (preferences, genomes…)
• Identifying mutual contacts (Signal app)
•Computing ad conversion rates (Google)
Applications of PSI
23
![Page 24: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/24.jpg)
Application: Common Contacts
...
...
?
24
![Page 25: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/25.jpg)
Application: Online Advertising
- Retailers show ads
using, e.g., Facebook or
- For online web stores, it
is easy to measure the
effectivity of ads
- For offline shops it is
harder
Online Real-WorldOnline
25
![Page 26: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/26.jpg)
In this part of the talk
•Why should we compute PSI using circuits?
•How to do it• Sorting based PSI• Circuit based PSI via two-dimensional Cuckoo hashing
26
![Page 27: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/27.jpg)
PSI Background,and Why Circuit-Based PSI?
28
![Page 28: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/28.jpg)
Public-key based Protocols
30
![Page 29: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/29.jpg)
•The Decisional Diffie-Hellman assumption•Agree on a group G, with a generator g.
•The assumption: for random a,b,c cannot distinguish (ga, gb, gab) from (ga, gb, gc)
• (This is a very established assumption in modern crypto)
PSI based on Diffie-Hellman
31
![Page 30: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/30.jpg)
•The protocol [S80, M86, HFH99, AES03]:
PSI based on Diffie-Hellman
(H is modeled as a random oracle. Security based on DDH)
Implementation: very simple; can be based on elliptic-curve crypto; minimal communication.
x1,…,xn
y1,…,yn
(H(x1)),…, (H(xn))(H(y1)),…, (H(yn))
((H(x1))),…, ((H(xn)))((H(y1))),…, ((H(yn)) )
Compares the two lists
32
![Page 31: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/31.jpg)
Recent constructions [PSZ1,PSSZ15,KKRT16]
•PSI is “equivalent” to oblivious transfer
•Oblivious transfer extension is very fast, and can enable very efficient PSI
•Used different hashing ideas to dramatically reduce the overhead of PSI
34
![Page 32: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/32.jpg)
Performance Classification of PSI protocols [PSZ]
DH-FFC'86
Blind-RSA'10
DH-ECC'86
GMW'12Yao'12
Opt.GMW
Naïve
OT+Hash'15
Circuit-Based:
- high run-time &
communication,
but easily extensible to
arbitrary functions
OT-Based:
[PSZ15,PSSZ16,KKRT16]
good communication and
run-time
1 10 100 1,000Run-time (s)
Co
mm
un
ica
tio
n (
MB
yte
s)
10
100
1,000
10,000
PK-Based: (starting from
[S80,M86])
- high run-time
+ best communication
- PSI on n = 218 elements of s=32-bit length for 128-bit security on Gbit LAN
35
![Page 33: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/33.jpg)
Motivation for using circuits
Why use a circuit-based generic protocol for computing PSI?
•Adaptability• Instead of hiring a crypto expert, hire an undergrad
•Existing code base
•Existing applications compute functions over the results of PSI• E.g., computing the sum of revenues from ad views
37
![Page 34: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/34.jpg)
•A naïve circuit for PSI uses n2 comparisons
•Can we do better?
A circuit based protocol
39
![Page 35: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/35.jpg)
A circuit comparing two s-bit values
Xs Ys Xs-1 Ys-1 X1 Y1
… … ...
… … ...
Free XORs
s-1 gates
40
![Page 36: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/36.jpg)
Comparing two items is efficient
Our goal is to arrange two sets of n items so that the intersection can be computed with
as few comparisons as posible
41
![Page 37: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/37.jpg)
•An algorithm that sorts values using a fixed sequence of comparisons
• Can be thought of as a network of wires and comparator modules
Sorting networks
42
![Page 38: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/38.jpg)
•A PSI circuit that has three steps•Sort: merge two sorted lists using a bitonic
merging network [Bat68]. Uses nlog(2n)comparisons.
A circuit based PSI protocol [HEK12]
43
![Page 39: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/39.jpg)
• A circuit that has three steps• Sort: Merge two sorted lists using a bitonic merging network
[Bat68]. Computes the sorted union using nlog(2n)comparisons.
• Compare: Compare adjacent items. Uses 2n equality checks.
• Shuffle: Randomly shuffle results using a Waxman permutation network [W68], using nlog(n) swappings.
• Overall Computes O(nlogn) comparisons.Uses s(3nlogn + 4n) AND gates. (s is input length)
A circuit based PSI protocol [HEK12]
44
![Page 40: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/40.jpg)
The Algorithmic Challenge
•Goal: Find the smallest circuit for computing PSI• Alice and Bob can prepare their inputs• Circuit must not depend on data!
•Any symmetric function of the intersection could be added on top• The size of the intersection, or whether size > threshold,
potentially after adding noise to ensure differential privacy• Sum of values associated with the items in the intersection
•Minimize # of comparisons (and length of items)
47
![Page 41: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/41.jpg)
Hashing for PSI
49
![Page 42: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/42.jpg)
•Suppose each party uses a hash function H(), (known to both parties) to hash his/her n items to n bins• Then obviously if Alice and Bob have the same item, both
of them map it to the same bin• Need only compare matching bins
•The problem• Some bins have more items than others• Must hide how many items were mapped
to each bin
Hashing
50
![Page 43: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/43.jpg)
•Solution• Pad each bin with dummy items• so that all bins are of the same size as the most
populated bin
•Mapping n items to n bins• The expected size of a bin is O(1)• The maximum size of a bin is whp O(logn/loglogn)• The resulting size of a circuit is …
Hashing
51
![Page 44: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/44.jpg)
•Solution• Pad each bin with dummy items• so that all bins are of the same size as the most
populated bin
•Mapping n items to n bins• The expected size of a bin is O(1)• The maximum size of a bin is whp O(logn/loglogn)• The resulting size of a circuit is O(n log2n / loglog2n)
Hashing
52
![Page 45: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/45.jpg)
Cuckoo Hashing with a Stash [PR01,KMW08]
• Tables T1, T2 and stash S
• Hash functions h1, h2
• Invariant: Store x in T1[h1(x)] or in T2[h2(x)] or in S
T1 T2
X
• Fact: If size of table > 1 + 𝜖 𝑛 then it is possible to efficiently store n items and keep the invariant
• Except with probability 𝑂(𝑛−(𝑠+1) )
S• Slightly more than 2n table entries• Each of size 1
53
![Page 46: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/46.jpg)
Handling the Error Probability
•A stash of size s fails with probability O(n-(s+1))
•In PSI this results in a (minor?) privacy/accuracy breach
•What should be the failure probability?
54
![Page 47: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/47.jpg)
Handling the Error Probability
•What should be the failure probability?
•Concretely: smaller than 2-Stat, e.g. 2-40
•s = O(1) (but what is the exact size?)
•Asymptotically: negligible in n (namely, smaller than any 1/poly(n) ) •s = ω(1)
55
![Page 48: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/48.jpg)
Cuckoo Hashing – can both parties use it?
•What if each party stores its items using CH• Can we get O(n) comparisons?• No! Alice may store x in T2 while Bob in T1
T1 T2
X
x
T1 T2
X
x
57
![Page 49: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/49.jpg)
Circuit PSI via Two-Dimensional Cuckoo Hashing [PSWW18]
We will only show here an experimental solution, although there are solutions with provable asymptotic overhead of ω(n) or O(n)
62
![Page 50: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/50.jpg)
An Experimental Solution – 2D Cuckoo
• Alice and Bob each hold 4 tables, and the same 4 hash functions
T1 T2
X
x
x
T3 T4
x
x
70
![Page 51: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/51.jpg)
An Experimental Solution – 2D Cuckoo
• Alice and Bob each hold 4 tables, and the same 4 hash functions
71
![Page 52: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/52.jpg)
An Experimental Solution – 2D Cuckoo
• Alice and Bob each hold 4 tables, and the same 4 hash functions
• Alice: Places item in (T1 and T2) or (T3 and T4)
Possible cases
either
72
![Page 53: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/53.jpg)
An Experimental Solution – 2D Cuckoo
• Alice and Bob each hold 4 tables, and the same 4 hash functions
• Alice: Places item in (T1 and T2) or (T3 and T4)
• Bob: Places item in (T1 and T3) or (T2 and T4)
Possible cases
either
either
73
![Page 54: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/54.jpg)
An Experimental Solution – 2D Cuckoo
• If both parties have the same item then there is exactly one location in which they both store it
or
or
74
![Page 55: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/55.jpg)
An Experimental Solution – 2D Cuckoo
• The protocol is very simple:• Alice and bob agree on a hash function per
table• Alice places each input item in either both top
tables or both bottom tables• Bob places each input item in either both left
tables or both right tables• The circuit simply compares the item that
Alice places in a bin to the item that Bob places in the same bin
• Question: Can this hashing be done? how big should the tables be?
or
or
75
![Page 56: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/56.jpg)
• Invariant: Item in (T1 and T2) or (T3 and T4)
• Theorem: n items could be placed maintaining the invariant w.h.p.if each table has > 2n buckets of size 1.
• Total of 8n buckets and 8n comparisons
• The stash adds 2sn comparisons (there are many protocol variants; stash size is the main differentiator)
T1 T2
X
x
x
T3 T4
X
x
x
2D cuckoo hashing O(n) protocol
76
![Page 57: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/57.jpg)
• Invariant: Item in (T1 and T2) or (T3 and T4)
• Theorem: n items could be placed maintaining the invariant w.h.p.if each table has > 2n buckets of size 1.
• THM was proved using a new proof technique
• The new proof can also prove known theorems about CH, as well as more general constructions
• BUT, we don’t have (yet) a tight analysis for the size of the stash
T1 T2
X
x
x
T3 T4
X
x
x
2D cuckoo hashing O(n) protocol
77
![Page 58: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/58.jpg)
Why does the stash size matter?
•All items in the main tables are compared using O(n)comparisons (namely, 8n comparisons)
•Each item in the stash must be compared with the n items of the other party• With s items in each stash we end up adding 8sn
comparisons
78
![Page 59: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/59.jpg)
Using Probabilistic Data Structures in Crypto
•E.g., hash tables, dictionaries, etc.
•We want the failure probability to be small (2-40?, negligible in n?)
•Different levels of assurance1. There is an exact analysis of the failure probability (e.g.,
for collisions in a hash table or a Bloom filter)2. There is an asymptotic analysis of the failure probability
(e.g., for simple Cuckoo hashing)3. No analysis of the failure probability (e.g., 2D Cuckoo
hashing with 2 items in each bin)
82
![Page 60: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/60.jpg)
Using Probabilistic Data Structures in Crypto
•E.g., hash tables, dictionaries, etc.
•We want the failure probability to be small (2-40?, negligible in n?)
•Different levels of assurance1. There is an exact analysis of the failure probability (e.g.,
for collisions in a hash table or a Bloom filter)2. There is an asymptotic analysis of the failure probability
(e.g., for simple Cuckoo hashing)3. No analysis of the failure probability (e.g., 2D Cuckoo
hashing with 2 items in each bin)
83
![Page 61: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/61.jpg)
Using Probabilistic Data Structures in Crypto
•E.g., hash tables, dictionaries, etc.
•We want the failure probability to be small (2-40?, negligible in n?)
•Different levels of assurance1. There is an exact analysis of the failure probability (e.g.,
for collisions in a hash table or a Bloom filter)2. There is an asymptotic analysis of the failure probability
(e.g., for simple Cuckoo hashing)3. No analysis of the failure probability (e.g., 2D Cuckoo
hashing with 2 items in each bin)
84
Must use experiments to find exact parameters
![Page 62: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/62.jpg)
Experiments
•How to verify a failure probability of 2-40?
• If we run 240 experiments and observe no failures, does this mean that the failure probability is sufficiently small?
85
![Page 63: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/63.jpg)
Experiments
• Verifying a failure probability of 2-40
• We ran 240 experiments of 2D Cuckoo hashing with entries of size 2• We used n = 26, 28, 210, 212
• The # of times that a stash was needed (i.e., the failure probability) behaved as n-3. (Agreeing with a sketch of a theoretical analysis)
• Used about 2,230,000 core hours! • Possibly the largest hashing experiment per date?
• For n=212 the stash was needed only once• This gives a 99.9% confidence level that p ≤ 2-37 for n=212.
• Therefore for 213 ≤ n we have 99.9% confidence that p ≤ 2-40
86
![Page 64: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/64.jpg)
Circuit size
Construction Circuit size (AND gates) Normalizedsize
Sorting network [HEKM12] 1,408,238,538 O(nlogn) 2.04
Cuckoo + simple hashing [PSSZ15] 688,258,388 O(nlog/loglogn) 1
2D Cuckoo with separate stashes 313,183,300 O(n) 0.45
2D Cuckoo with a combined stash 215,665,732 O(n) 0.31
Circuit size (# of AND gates) for sets of n=220
elements of length 32 bit each
91
![Page 65: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/65.jpg)
Conclusions about PSI
•PSI is interesting since • It has important applications• It cannot be easily computed using a circuit
•Research benefits from ideas from other subfields
•Most previous work was on simple two-party PSI
•New results (also in another paper):• Asymptotically better: O(n) vs. O(nlogn/loglogn)
• Also, run faster• New proof and analysis techniques for Cuckoo hashing
114
![Page 66: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/66.jpg)
Oblivious RAM
115
![Page 67: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/67.jpg)
Oblivious RAM – the setting
Setting: Client with small secure memory. Untrusted server with large storage.
116
![Page 68: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/68.jpg)
Oblivious RAM – the setting
Setting: Client with small secure memory. Untrusted server with large storage.
ClientServer farmCloud storage
117
![Page 69: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/69.jpg)
Oblivious RAM – the setting
Setting: Client with small secure memory. Untrusted server with large storage.
ClientServer farmCloud storage
118
Capacity:O(1) data itemslog(n) bit counter
Capacity:n data items
![Page 70: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/70.jpg)
Oblivious RAM – the setting
Setting: Client with small secure memory. Untrusted server with large storage.
119
Client can store data with the server
◼Can encrypt data to hide its contents
◼But also desires to hide access pattern to data
![Page 71: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/71.jpg)
Oblivious RAM – the setting
Hiding access pattern to data: Server does not know whether client accesses the items numbered (1,2,3,4) or items (1,1,1,1)
Client can store data with the server
◼Can encrypt data to hide its contents
◼But also desires to hide access pattern to data
120
![Page 72: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/72.jpg)
Oblivious RAM - definition
•Client• Stores n data items, of equal size, of the form (indexi , datai). i,j indexi indexj
• Performs a sequence y of n read/write ops
•Access pattern A(y) to remote storage contains• Remote storage indices accessed• Data read and written
•Secure oblivious RAM: for any two sequences y,y’ of equal length, access patterns A(y) and A(y’) are computationally indistinguishable.
121
![Page 73: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/73.jpg)
Immediate implications of ORAM def
•Client must have a private source of randomness
•Data must be encrypted with a semantically secure encryption scheme
•Each access to the remote storage must include a read and a write
•The location in which data item (indexi , datai) is stored must be independent of indexi
•Two accesses to indexi must not necessarily access the same location of the remote storage
122
![Page 74: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/74.jpg)
Oblivious RAM - applications•Related to Pippenger and Fischer’s 1979 result on
oblivious simulation of Turing machines
•Software protection (Goldreich Ostrovsky)• CPU = client, RAM = remote storage• Prevent reverse engineering of programs
•Remote storage (in the “cloud”)
•Search on encrypted data
•Preventing cache attacks (Osvik-Shamir-Tromer)
•Secure computation
123
![Page 75: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/75.jpg)
Trivial solution
•For every R/W operation•Client reads entire storage, item by item•Re-encrypts each item after possibly changing it•Writes the item back to remote storage
•O(n) overhead per each R/W operation
124
![Page 76: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/76.jpg)
The Goldreich-OstrovskyConstructions
Software protection and simulation on oblivious RAMs, O. Goldreich and R. Ostrovsky, Journal of the ACM (JACM) 43, no. 3 (1996): 431-473.
125
![Page 77: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/77.jpg)
Basic Tool: Oblivious Sort
•The client has stored n encrypted items on a remote server.
•The client needs to obliviously sort the items according to some key.• Comparing two items can be done by downloading them
to the client, decrypting and comparing them.
• But the server is aware which items the client downloads.
126
![Page 78: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/78.jpg)
Oblivious Sort
•Oblivious sort: the sequence of comparisons is independent of the input• Naïve Bubble Sort √ (but O(n2))
• Quick Sort O(nlogn) X
• Sorting network √• Basic primitive – black box comparator• Batcher - O(nlog2n)• AKS - O(nlogn), but > 6100∙nlogn• Randomized Shell sort O(nlogn)
127
![Page 79: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/79.jpg)
Square Root ORAM
• Initialization
m words m1/2
dummy words
m1/2
sheltered words
129
![Page 80: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/80.jpg)
Square Root ORAM
•Second Step
Permute MemoryClient selects a permutation π over the integers 1,…,m+m1/2 and obliviously relocates the words according to the permutation
Sheltered
Can be implemented using oblivious sort
130
![Page 81: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/81.jpg)
Square Root ORAM
Sheltered
•Accessing the RAMTo access a virtual word i
Scan through the entire shelter in a predefined order
If not found in the shelter go to the actual word π(i)
If found in the shelter, access the next dummy (in the actual address π(m+j)where j is the step# in this epoch)
131
![Page 82: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/82.jpg)
Square Root ORAM
Sheltered
• Writing to the ShelterThe updated value for the ith virtual location is written to the shelter
• update is done IN ANY CASE, and it is done by scanning ALL the shelter
• Obviously, after m1/2 I/O ops, shelter becomes full
132
![Page 83: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/83.jpg)
Square Root ORAM
Sheltered
• Updating the permuted memory After m1/2 accesses, the shelter values obliviously update the content of the permuted memory
• Implemented using oblivious sorting…
• The overhead using Batcher network is O(mlog2(m))
133
![Page 84: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/84.jpg)
Square Root ORAM•Overhead:•Each access requires reading all m1/2 sheltered
items•After m1/2 accesses, must sort all items at a cost
of O(mlog2(m))•Overall an amortized cost of O(m1/2 log2(m))•Simple to implement. No hidden constants.
•Security?
134
![Page 85: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/85.jpg)
Tree Based ORAM
147
![Page 86: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/86.jpg)
Tree based ORAM•A series of ORAM results that are very competitive
and very simple to implement, in software and in hardware• Oblivious RAM with O((log N)3) Worst-Case Cost. E. Shi, T.-
H. Chan, E. Stefanov, M. Li. Asiacrypt 2011.
• Path ORAM: An Extremely Simple Oblivious RAM Protocol. E. Stefanov, M. van Dijk, E. Shi, C. Fletcher, L. Ren, X. Yu, S. Devadas. ACM CCS 2013.
•We will only describe the simplest scheme.
148
![Page 87: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/87.jpg)
Server Storage
A full binary tree with logn levels and n leaves.
Each node contains a bucket of logn data items.
149
![Page 88: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/88.jpg)
Client Storage
For now, assume that the client stores a position map, randomly mapping data items to leaves.
O(n) storage, but each item is only logn bits long.
leafitem
30
21
52
73
……
27
150
![Page 89: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/89.jpg)
Storing Items
An item is always stored somewhere on the path from the root to its leaf.
leafitem
30
151
![Page 90: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/90.jpg)
Accessing an Item
1. Read path (leaf) from position map.
2. Traverse path from root to leaf. Look for the item in each bucket along the path. Remove when found.
3. Assign a new random leaf to the data item.
4. Update position map.5. Write updated item to the
root.
Note that these operations are oblivious
152
![Page 91: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/91.jpg)
We always write to the root…
153
![Page 92: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/92.jpg)
Evict to Prevent Overflows
In each level choose two nodes at random
For each node- Pop an item (if bucket is
non-empty)- Move item downwards to
next node on its path- Do a dummy write to
other child of the node
These operations are oblivious, too.
154
![Page 93: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/93.jpg)
Security
•All operations of the client are either deterministic or uniformly random
•All works well as long as no bucket overflows…• The evictions ensure this. The analysis uses Markov chains:
• A buffer in level i receives an item with probability (2/2i-1)∙(1/2)
• It evicts an item with probability 2/2i
155
![Page 94: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/94.jpg)
Using Recursion (I)
•When the client looks for an item in a node, it can either• Read all O(logn) items in the bucket
• Or, use ORAM recursively to check if the item it searches for is in the bucket
156
![Page 95: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/95.jpg)
Using Recursion (II)
• In the basic scheme the client stores a position map of n∙logn bits• The client can store the position map on the server
• Its size is smaller than that of the original data by a factor of (data block length) / logn
• The client can access the position map using a recursive call to ORAM
• And so on…
157
![Page 96: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/96.jpg)
Overhead
•Basic scheme• Server storage is O(n∙logn) data items
• Client stores n indexes (n∙logn bits)
• Each access costs O(log2n) r/w operations
•Using ORAM to read from internal nodes• Using, e.g., n0.5-ORAM reduces cost to O(log1.5n)
•Storing position ORAM at server• Client storage reduced to O(1)
• Overhead increases to O(log2.5n)
158
![Page 97: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/97.jpg)
Followup Work
•Multiple results tweaking the construction
•Different variants• For small or large client storage (which can store O(logn)
data items)• For small or large data items (blocks)
•Path ORAM achieves O(logn) overhead, with O(logn) client storage and large data items• Implemented even in hardware
159
![Page 98: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/98.jpg)
Secure Computation based on ORAM
(Recall, a circuit implementing indirect memory access is inefficient. RAM machines are much better at this.)
161
![Page 99: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/99.jpg)
Secure Computation based on ORAM [LO]
•Suppose two parties wish to securely compute a RAM program. The program•Has a state (shared by the parties)•Has a state machine (can be securely
implemented by a circuit)•Needs to read/write a RAM
162
![Page 100: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/100.jpg)
Secure Computation based on ORAM [LO]
•Read/write a RAM•Store RAM encrypted in P1. Only P2 knows the key.•The program accesses the RAM using ORAM.•The program state, shared by the parties, defines
which RAM location to access. Therefore, the address to read/write is shared between P1, P2.•The ORAM “client” is now shared between the
two parties.
163
![Page 101: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/101.jpg)
Secure Computation based on ORAM [LO]
•Read/write a RAM•The operations of the ORAM “client” (data access,
reshuffle, eviction) are implemented using secure computation.
•Circuit ORAM – optimized for implementation by a circuit.
164
![Page 102: MPC Beyond Generic Computation - SJTU](https://reader031.vdocuments.site/reader031/viewer/2022012412/616c0c22ad89ac3f7a3a7d4d/html5/thumbnails/102.jpg)
Conclusions
•ORAM is a remarkable achievement and a great tool for many applications
•A huge amount of new results in recent years•Goldreich-Ostrovsky paper cited 1250 times•Path RAM cited 500 times
•Current performance is pretty impressive
165