oblivious branching program evaluation payman mohassel and salman niksefat university of calgary
TRANSCRIPT
Oblivious Branching Program Evaluation
Payman Mohassel and Salman Niksefat
University of Calgary
Branching Programs
• A function representation, just like truth tables, decision trees, OBDDs, Boolean circuits
[image: Wikipedia]
Binary Decision Trees
• Each internal node labeled with a binary variable
• Each leaf labeled with an output value
[image: Wikipedia]
Ordered Binary Decision Diagrams (OBDD)
• Directed Acyclic Graphs– Nodes can have multiple incoming edges
• Variables processed in order• xi is processed in layer i • Applications– Formal verification– Circuit design– Fault-tree analysis
[image: Wikipedia]
Branching Programs
Each variable can appear at multiple layers, in arbitrary order
x2
x3
x3
x2
x1
x1
01
Other Generalizations
• Non-binary variables• Multivariate branching programs– Each node a function of multiple variables– Non-linear functions
• Non-binary outputs– Arbitrary output labels
Oblivious Branching Program (OBP) Evaluation
BP =
BP(x)
X = (x1 , … , xn)
Security Requirements
• Secure two-party computation– Keep the BP private– Keep the BP’s input private– Guarantee correctness
• Security against malicious parties– Corrupted party can behave arbitrarily
Potential Applications
• Daignostic programs– Medical diagnostic– Remote software fault-diagnostic– Spam filters– Intrusion detection
• keeping the program private– Proprietary program– Program reveals vulnerabilities
• Keeping inputs to the programs private – Client’s data privacy
Private Database Queries
• Represent server’s data as a BP• Represent client’s input as input to BP
• Private information retrieval• Private keyword search• Private element rank• …
Symmetric PIR(1-Out-of-N OT)
i1
i2i2
i3 i3 i3 i3
d1 d2 d3 d4 d5 d6 d7 d8
Server D = d1 , … , dN
ClientI = i1 i2 … ilogN
dI
Only keep the leaves private
Computation vs. Communication
• Most SPIRs computationally expensive– Public-key ops proportional to database size– Focus on communication for large databases
• Experiments on PIR: [SC 07, OG 11]– Communicating the database maybe more efficient
• The only SPIR focusing on computation is [NP 99]– O(logN) public-key ops– O(NlogN) symmetric-key ops– Significantly less computation, more communication
Private Keyword Search
x1
x2x2
x3 x3
d1 d2 d3
d4
Server D = (k1,d1) , … , (kN,dN)
Clientw = w1 w2 … wt
di if ki = w
Evaluation paths have different lengthsThey leak information about the keyword or database
Private Keyword Search
x1
x2x2
x3 x3
d1 d2 d3
Server D = (k1,d1) , … , (kN,dN)
Clientw = w1 w2 … wt
x1
x2x2
x3 x3
d1 d2 d3x2 x3
x3
Secure Evaluation of Public Decision Trees
• Alice knows– The input to the tree (x1 , … , xn)
• Bob knows– Labels of the leaves of the tree
• Both parties know– Structure of the tree
The Protocol
(k01 , k1
1 )(k0
2 , k12 )
(k0n , k1
n )...Oblivious Transfer
X = x1 … xnkxn
n
kx11
kx22
.
.
.
xipadi
padjpadk
k0i pad2 k1
i pad3
G(padi)
The Protocol Cont’d
• Server sends encrypted DT to client
• Client can decrypt a single path from root to a leaf
Node 1 Node 2 Node i
G(padi)
ki0
Security and Efficiency
• Security against malicious adversaries– If the OT is secure against malicious adversaries
• Efficiency– V PRG invocation– n oblivious transfers
• Consider SPIR– Naor-Pinkas construction
• NlogN symmetric-key ops
– Our new construction• N symmetric-key ops
Hiding the Structure
(k01 , k1
1 )(k0
2 , k12 )
(k0n , k1
n )...Oblivious Transfer
X = x1 … xnkxn
n
kx11
kx22
.
.
.
Return OT answers randomly permuted
Kx44 Kx7
7 Kx11 …
We need a strong OTQueries and answers cannot be connected
Hiding the Structure
Kx44 Kx7
7 Kx11 …
Node j Node i Node kPermuted list of encrypted nodes
Permuted list of OT answers
xipadi
padj padk
K0i Padj|| j K1
i Padk || k || 0k || 0k
$
G(pad1) j’ ||
Extension to DAGs
• In DTs– Each path from the root to a leaf contains unique
variables– If a variable appears twice we can remove the
second instance– A single key needs to be accessed only once
• In BPs– Each variable can appear multiple times in a single
path
Oblivious BP Evaluation
Kx44 Kx7
7 Kx11 …
Node j Node i Node kPermuted list of encrypted nodes
Permuted list for each level
xipad1
pad2 pad3
K0i Pad2 || j K1
i Pad3 || k || 0k || 0k
$
G(pad1) j’ ||
K’x66 K’x4
4 K’x22 …
Security and Efficiency
• Security– Secure against a malicious input holder– Private against a malicious BP holder
• Efficiency– O(nl) oblivious transfers– O(V) PRG invocations– V is the number of nodes in the graph, l is the
depth of the BP
Comparison
YaoIP07
Barnie09, Brickell 07
Ours
Conclusions
• A computationally efficient protocols for OBP• Applications to private database queries• Future Work– Avoid strong OTs• Needs Paillier’s encryption• Work in progress: achieve this using any standard OT
– Ambitious open question• Achieve communication and computation efficiency