private function evaluation
DESCRIPTION
Private Function Evaluation. Payman Mohassel University of Calgary Talks given at Bristol and Aarhus Universities. Joint work with Saeed Sadeghian. Secure Function Evaluation. Correctness: honest parties learn the correct output Privacy: Nothing but the final output is leaked . - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/1.jpg)
Private Function Evaluation
Payman Mohassel University of Calgary
Talks given at Bristol and Aarhus Universities
Joint work with Saeed Sadeghian
![Page 2: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/2.jpg)
2
Secure Function Evaluation
Parties learn f(x1,…,xn)
P1, x1
P2, x2
P5, x5
P4, x4
P3, x3
Correctness:honest parties learn the correct output
Privacy:Nothing but the final output is leaked
![Page 3: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/3.jpg)
Private vs. Secure Function Evaluation
𝒇 (𝒙𝟏 ,…, 𝒙𝒏)
𝒇 (𝒙𝟏 ,…, 𝒙𝒏)
![Page 4: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/4.jpg)
Our Setup
𝒇 (𝒙𝟏 ,…, 𝒙𝒏)
• Function o Boolean circuitso Arithmetic circuits
• Settings we considero Two-partyo Multiparty
• Dishonest majority• Semi-honest
adversaries
![Page 5: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/5.jpg)
Motivation• Why Hide the Function?
o Private functions• Proprietary, intellectual property
o Sensitive functions• Revealing vulnerabilities
o Output of SFE leaks information• Hiding the function potentially helps• Prevents dictionary attacks on input
• Interactive program obfuscationo If interaction is possible PFE yields efficient program
obfuscation
![Page 6: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/6.jpg)
Is PFE Hard?• Not really!
• All SFE feasibility results extend to PFEo Using Universal Circuits
• The only interesting questions are efficiency questions
![Page 7: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/7.jpg)
Universal CircuitsC Universal Circuit
x
C(x)
![Page 8: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/8.jpg)
Universal Circuits• Boolean
o For a circuit C with g gateso [Valiant’ 76]: (good for large circuits)
• Building it seems complicatedo [KS’ 08]: (good for small circuits )
• Arithmetico For a circuit C with g gates and depth d o [Raz’ 08]: gates, i.e. in the worst case
![Page 9: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/9.jpg)
PFE Constructions• Two-party setting
o Universal Circuit + Yao’s protocol• or symmetric ops + OTs
o [KM’ 11]: Homomorphic Enc + Yao’s protocol • public-key ops + symmetric ops
• Multi-party settingo Universal Circuit + GMW protocol
• OTs
• Arithmetic circuitso Universal Circuit + HE-based MPC [CDN’ 01]o public-key ops
![Page 10: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/10.jpg)
Efficiency Questions• Asymptotic Efficiency
o Can we design PFE with linear complexity in all standard settings?
• Practical Efficiencyo Constant factors are importanto Symmetric ops superior to public-key opso …o Can we improve practical efficiency of universal
circuit approach?
![Page 11: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/11.jpg)
Our Framework
![Page 12: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/12.jpg)
Hiding the Circuit• What is leaked
o Number of gateso Input sizeo Output size
• What is privateo Functionality of gateso Topology of the circuit
One can hide circuit size using an FHE-based construction
![Page 13: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/13.jpg)
Private Gate Evaluation
• Inputs are shared
o
• Gate function
o Known only to
• Output is shared
𝒈 (𝒙 , 𝒚 )
𝑧1 𝑧 2
Actual sharing mechanism depends on the protocol
![Page 14: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/14.jpg)
Circuit Topology• Topology captured using a mapping 𝑖1
𝑖2𝑖3𝑖4
𝑖5𝑖6𝑖7𝑖8
𝑖9𝑖10
𝑜1𝑜2
𝑜3𝑜4 𝑜6
𝑜5
𝑖1𝑖2𝑖3𝑖4𝑖5𝑖6𝑖7𝑖8𝑖9𝑖10
𝝅𝑪
![Page 15: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/15.jpg)
CTH Functionality
• Inputs are shared
• Mappingo known by only
• Outputs are shared
• Query typeso Map: done internallyo Reveal: reveal result of mapo On-demand mapping
𝑥=𝑥1⊕𝑥2𝑥 ′ ′ 1⊕𝑥 ′ ′2=𝑥
𝑦=𝑦1⊕ 𝑦2𝑦 ′ 1⊕ 𝑦 ′2=𝑦
Map
Reveal
𝝅𝑪𝑥 ′ 1⊕𝑥 ′2=𝑥
![Page 16: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/16.jpg)
PGE + CTH𝑖1𝑖2𝑖3𝑖4
𝑖5𝑖6𝑖7𝑖8
𝑖9𝑖10
𝑜1𝑜2
𝑜3𝑜4 𝑜6
𝑜5CTH
PGE
PGE
PGE
PGE
PGE
Topological order𝑜5
𝑜5
𝑜6
𝑜6
𝟏
𝟐
𝟕
𝟑
𝑜1
𝑜2
𝑜3
𝑜4 𝟒
𝟓𝟔
𝟖
𝟗𝟏𝟎
𝟏𝟏
𝟏𝟐
𝟏𝟑𝟏𝟒
𝟏𝟓
𝟏𝟖𝟏𝟔𝟏𝟕𝟏𝟗𝟐𝟎
𝟐𝟏
RevealMap
![Page 17: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/17.jpg)
Instantiating PGE
![Page 18: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/18.jpg)
PGE for GMW
g x y z0 0 g(0,0
)0 1 g(0,1
)1 0 g(1,0
)1 1 g(1,1
)
𝒈 (𝒙 , 𝒚 )
𝑧1 𝑧 2
g0 00 11 01 1
𝑃1 𝑃2
𝑥2 , 𝑦 21-out-of-4 OT
![Page 19: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/19.jpg)
PGE for AC
• is an additively homomrphic encryption
𝑃1
𝑎1 ,𝑏1 ,𝑝𝑘 𝑃2𝑎2 ,𝑏2 ,𝑝𝑘 ,𝑠𝑘𝐸𝑛𝑐𝑝𝑘 (𝑎2 ) ,𝐸𝑛𝑐𝑝𝑘 (𝑏2 ) ,𝐸𝑛𝑐𝑝𝑘(𝑎2𝑏2)
(If )
(If )
𝐶=𝐸𝑛𝑐𝑝𝑘(𝑎2+𝑏2+𝑟 )
𝑐2←𝐷𝑒𝑐𝑠𝑘(𝐶)
𝑐1←𝐅 𝐶=𝐸𝑛𝑐𝑝𝑘(𝑎1𝑏1+𝑎2𝑏1+𝑎1𝑏2+𝑎2𝑏2−𝑐1)
![Page 20: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/20.jpg)
PGE for Garbled Circuit
• We kind of cheat!o We assume all gates are NAND gates
• Sharing associated with Yaoo To share a value o holds ( o holds
• sends a garbled table to • decrypts one row of the table
![Page 21: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/21.jpg)
Instantiating CTH
![Page 22: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/22.jpg)
Oblivious Mapping• Assume inputs are ready Oblivious mapping
𝝅𝑪
𝑃1
π
𝑃2(𝑡1𝑡2...𝑡𝑚
)(𝑎𝜋− 1 (1 )⊕𝑡1𝑎𝜋− 1 (2 )⊕𝑡 2
.
.
.𝑎𝜋−1 (𝑚 )⊕𝑡𝑚❑
)(𝑎1𝑎2...𝑎𝑛
)𝑎1
𝑎2
𝑎3
𝑎4𝑎5𝑎6
𝑎1⊕𝑡 1
𝑎1⊕𝑡 5
𝑎2⊕𝑡 2𝑎3⊕𝑡3
𝑎4⊕𝑡 4
𝑎5⊕𝑡6𝑎5⊕𝑡7
𝑎6⊕𝑡 9𝑎6⊕𝑡8
![Page 23: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/23.jpg)
Oblivious Mapping• Using any MPC
o inefficiento Not clear it has the on-demand propertyo [HEK’12] implements Waksman using Yao’s protocol
• Using singly HE o Linear complexityo Requires public-key operations
• Using oblivious transfero Not linearo But better concrete efficiency (OT extension)
![Page 24: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/24.jpg)
HE-based
𝑃1 𝑃2
𝐸𝑛𝑐𝑝𝑘(𝑎1)𝐸𝑛𝑐𝑝𝑘(𝑎2)
𝐸𝑛𝑐𝑝𝑘(𝑎𝑛)
𝐸𝑛𝑐𝑝𝑘(𝑎¿¿𝜋− 1 (1 )⊕𝑡¿¿1)¿𝐸𝑛𝑐𝑝𝑘(𝑎𝜋− 1 (2 )⊕𝑡¿¿2)¿ .¿ ..
𝐸𝑛𝑐𝑝𝑘(𝑎¿¿𝜋−1 (𝑚 )⊕𝑡 ¿¿𝑚)❑¿¿
.
.
. (𝑎1𝑎2...𝑎𝑛
)(𝑡1𝑡2...𝑡𝑚
)𝝅❑
Easy to make on-demand
𝑝𝑘 ,𝑠𝑘
![Page 25: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/25.jpg)
Permutation Networks
𝑎𝑏
1
𝑎𝑏
0𝑎𝑏
𝑎𝑏
…
…
…
…
[Waksman’ 68]: any permutation can be implemented using a permutation network of size
The permutation is determined using selection bits
Permutation NetworkSwitchesselection bit
![Page 26: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/26.jpg)
Switching Networks• Our mapping is not a permutation
• Need one more switch type
𝑎𝑏
1
𝑎𝑏
0𝑎𝑏
𝑎𝑏 𝑎
𝑏
1
𝑎𝑏
0𝑎𝑏
𝑎𝑎
![Page 27: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/27.jpg)
Mapping from SN
Waksman network
Waksman network
𝑎1𝑎2...𝑎𝑛
𝑑𝑑...𝑑
𝑎1𝑑𝑑𝑎2𝑑𝑎3𝑎4...𝑑𝑎𝑛
1𝑎1𝑎1 1
𝑎1𝑎1 0 𝑎1
.
.
.
m 𝑙𝑜𝑔𝑚−𝑚+1+𝑚+𝑚𝑙𝑜𝑔𝑚−𝑚+1
![Page 28: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/28.jpg)
Oblivious Switch 1
𝑟1𝑟2
𝑟3𝑟 4
𝑃1
𝑎 ,𝑏𝑃2
𝑠
¿ 𝑠1-out-of-2 OT
𝑎⊕𝑟1 ,𝑏⊕𝑟 2𝑠=0→ (𝑎⊕𝑟1)⊕ (𝑟1⊕𝑟 3 )=𝒂⊕𝒓 𝟑
(𝑏⊕𝑟 2)⊕ (𝑟 2⊕𝑟 4 )=𝒃⊕𝒓 𝟒
𝑠=1→(𝑏⊕𝑟2)⊕ (𝑟 2⊕𝑟 3 )=𝒃⊕𝒓𝟑
(𝑎⊕𝑟 1)⊕ (𝑟1⊕𝑟4 )=𝒂⊕𝒓 𝟒
![Page 29: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/29.jpg)
Oblivious Switch 2
𝑟1𝑟2
𝑟3𝑟 4
𝑃1
𝑎 ,𝑏𝑃2
𝑠
¿ 𝑠1-out-of-2 OT
𝑎⊕𝑟1 ,𝑏⊕𝑟 2𝑠=0→ (𝑎⊕𝑟1)⊕ (𝑟1⊕𝑟 3 )=𝒂⊕𝒓 𝟑
(𝑏⊕𝑟 2)⊕ (𝑟 2⊕𝑟 4 )=𝒃⊕𝒓 𝟒
𝑠=1→ (𝑎⊕𝑟 1)⊕ (𝑟1⊕𝑟3 )=𝒂⊕𝒓𝟑
(𝑎⊕𝑟1)⊕ (𝑟1⊕𝑟 4 )=𝒂⊕𝒓𝟒
![Page 30: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/30.jpg)
Oblivious SN Evaluation
𝑟1𝑟2
𝑟3𝑟 4 𝑟3
𝑟 4𝑟5𝑟6
0
1
𝑟6𝑟5
𝑟7𝑟8
1
𝑎⊕𝑟1 𝑎⊕𝑟3
𝑎⊕𝑟6
𝑎⊕𝑟7
MAP
Reveal
𝑎⊕𝑟 7⊕𝑡7𝑎⊕ 𝑡7
![Page 31: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/31.jpg)
Oblivious SN Evaluation
• One OT per switcho O(mlog m) OTs total
• On-demando All OTs done offlineo Only Xoring online
• Practical when using OT extension
• Constant round
![Page 32: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/32.jpg)
Oblivious Mapping CTH Functionality
• GMW or Arithmetic Circuitso Inputs to mapping are ADDITIVE- or XOR-sharedo (MAP) Each party runs an oblivious mapping with
• uses his vector of shares as input• uses his mapping and blinding vector
o (Reveal) Each party obtains his blinded “mapped” vector of shares
o maps his own vector of shares and XOR/SUBTRACTs s to adjust values.
• Yao’s Protocolo Slightly more involved due to “weird sharing”
mechanism
![Page 33: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/33.jpg)
Summary of Results• First Multiparty PFE with linear complexity
o GMW + HE-Based oblivious mapping
• First Arithmetic PFE with linear complexityo [CDN 01] + HE-based oblivious mapping
• More efficient two-party PFE with linear complexityo Yao + HE-based oblivious mappingo Subsumes and improves construction of [KM’11]
• More practical PFEo Yao/GMW + OT-based oblivious mapping + OT extension
![Page 34: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/34.jpg)
Future Work
![Page 35: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/35.jpg)
Other Security Notions
• Security against stronger adversarieso Covert, maliciouso Can we still achieve linear complexity?
• PFE in the information theoretic settingo Our OT-based solution seems generalizable to IT settingo But linear PFE is open
• Can we hide circuit size without using FHE?o or use FHE in a limited way, or use somewhat FHE?
![Page 36: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/36.jpg)
Round Complexity of PFE
• Can we do PFE non-interactively?o Our Yao-based protocol requires at least 3 messageso SFE can be done in two messages
• Can we achieve constant round multiparty PFE with linear complexity?o We only know it for two-party case
• Can we achieve constant round arithmetic PFE?o Without switching to a Boolean circuit
![Page 37: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/37.jpg)
PFE for Practice• PFE with good concrete + asymptotic
efficiencyo E.g. designing OT-based oblivious mapping with linear
complexity• Can PFE help improve efficiency of SFE?
o Idea: • One party embeds his input in the circuit• Shrinks the circuit significantly• Circuit structure leaks information • We use PFE to hide the structure
• PFE for RAM programs
![Page 38: Private Function Evaluation](https://reader036.vdocuments.site/reader036/viewer/2022062501/56816252550346895dd29bad/html5/thumbnails/38.jpg)
Thank you!