
Private Function Evaluation

Private Function Evaluation. Payman Mohassel, University of Calgary. Talks given at Bristol and Aarhus Universities. Joint work with Saeed Sadeghian. Secure Function Evaluation. Correctness: honest parties learn the correct output. Privacy: nothing but the final output is leaked.


Presentation Transcript


  1. Private Function Evaluation • Payman Mohassel, University of Calgary • Talks given at Bristol and Aarhus Universities • Joint work with Saeed Sadeghian

  2. Secure Function Evaluation • Correctness: honest parties learn the correct output • Privacy: nothing but the final output is leaked • [Figure: parties P1, …, P5 with inputs x1, …, x5] Parties learn f(x1,…,xn)

  3. Private vs. Secure Function Evaluation

  4. Our Setup • Function • Boolean circuits • Arithmetic circuits • Settings we consider • Two-party • Multiparty • Dishonest majority • Semi-honest adversaries

  5. Motivation • Why Hide the Function? • Private functions • Proprietary, intellectual property • Sensitive functions • Revealing vulnerabilities • Output of SFE leaks information • Hiding the function potentially helps • Prevents dictionary attacks on input • Interactive program obfuscation • If interaction is possible, PFE yields efficient program obfuscation

  6. Is PFE Hard? • Not really! • All SFE feasibility results extend to PFE • Using Universal Circuits • The only interesting questions are efficiency questions

  7. Universal Circuits [Figure: a universal circuit takes a circuit C and an input x and outputs C(x)]

  8. Universal Circuits • Boolean • For a circuit C with g gates • [Valiant’ 76]: (good for large circuits) • Building it seems complicated • [KS’ 08]: (good for small circuits) • Arithmetic • For a circuit C with g gates and depth d • [Raz’ 08]: gates, i.e. in the worst case

  9. PFE Constructions • Two-party setting • Universal Circuit + Yao’s protocol • or symmetric ops + OTs • [KM’ 11]: Homomorphic Enc + Yao’s protocol • public-key ops + symmetric ops • Multi-party setting • Universal Circuit + GMW protocol • OTs • Arithmetic circuits • Universal Circuit + HE-based MPC [CDN’ 01] • public-key ops

  10. Efficiency Questions • Asymptotic Efficiency • Can we design PFE with linear complexity in all standard settings? • Practical Efficiency • Constant factors are important • Symmetric ops superior to public-key ops • … • Can we improve practical efficiency of universal circuit approach?

  11. Our Framework

  12. Hiding the Circuit One can hide circuit size using an FHE-based construction • What is leaked • Number of gates • Input size • Output size • What is private • Functionality of gates • Topology of the circuit

  13. Private Gate Evaluation Actual sharing mechanism depends on the protocol • Inputs are shared • Gate function • Known only to • Output is shared

  14. Circuit Topology Topology captured using a mapping

  15. CTH Functionality Reveal Map • Inputs are shared • Mapping • known by only • Outputs are shared • Query types • Map: done internally • Reveal: reveal result of map • On-demand mapping

  16. PGE + CTH [Figure: PGE instances in topological order, connected through the CTH by Map and Reveal]

  17. Instantiating PGE

  18. PGE for GMW 1-out-of-4 OT

  19. PGE for AC (If ) (If ) is an additively homomorphic encryption

  20. PGE for Garbled Circuit • We kind of cheat! • We assume all gates are NAND gates • Sharing associated with Yao • To share a value • holds ( • holds • sends a garbled table to • decrypts one row of the table

  21. Instantiating CTH

  22. Oblivious Mapping π Assume inputs are ready Oblivious mapping

  23. Oblivious Mapping • Using any MPC • inefficient • Not clear it has the on-demand property • [HEK’12] implements Waksman using Yao’s protocol • Using singly HE • Linear complexity • Requires public-key operations • Using oblivious transfer • Not linear • But better concrete efficiency (OT extension)

  24. HE-based . . . Easy to make on-demand

  25. Permutation Networks [Figure: switches, each with a selection bit (0 or 1), composed into a permutation network] • [Waksman’ 68]: any permutation can be implemented using a permutation network of size • The permutation is determined using selection bits

  26. Switching Networks [Figure: switch types with selection bits 0 and 1] • Our mapping is not a permutation • Need one more switch type

  27. Mapping from SN [Figure: mapping built from two Waksman networks]

  28. Oblivious Switch 1 1-out-of-2 OT

  29. Oblivious Switch 2 1-out-of-2 OT

  30. Oblivious SN Evaluation [Figure: Map and Reveal steps on a switching network]

  31. Oblivious SN Evaluation • One OT per switch • O(m log m) OTs total • On-demand • All OTs done offline • Only XORing online • Practical when using OT extension • Constant round

  32. Oblivious Mapping CTH Functionality • GMW or Arithmetic Circuits • Inputs to mapping are ADDITIVE- or XOR-shared • (MAP) Each party runs an oblivious mapping with • uses his vector of shares as input • uses his mapping and blinding vector • (Reveal) Each party obtains his blinded “mapped” vector of shares • maps his own vector of shares and XOR/SUBTRACTs s to adjust values. • Yao’s Protocol • Slightly more involved due to “weird sharing” mechanism

  33. Summary of Results • First Multiparty PFE with linear complexity • GMW + HE-Based oblivious mapping • First Arithmetic PFE with linear complexity • [CDN 01] + HE-based oblivious mapping • More efficient two-party PFE with linear complexity • Yao + HE-based oblivious mapping • Subsumes and improves construction of [KM’11] • More practical PFE • Yao/GMW + OT-based oblivious mapping + OT extension

  34. Future Work

  35. Other Security Notions • Security against stronger adversaries • Covert, malicious • Can we still achieve linear complexity? • PFE in the information theoretic setting • Our OT-based solution seems generalizable to IT setting • But linear PFE is open • Can we hide circuit size without using FHE? • or use FHE in a limited way, or use somewhat FHE?

  36. Round Complexity of PFE • Can we do PFE non-interactively? • Our Yao-based protocol requires at least 3 messages • SFE can be done in two messages • Can we achieve constant round multiparty PFE with linear complexity? • We only know it for two-party case • Can we achieve constant round arithmetic PFE? • Without switching to a Boolean circuit

  37. PFE for Practice • PFE with good concrete + asymptotic efficiency • E.g. designing OT-based oblivious mapping with linear complexity • Can PFE help improve efficiency of SFE? • Idea: • One party embeds his input in the circuit • Shrinks the circuit significantly • Circuit structure leaks information • We use PFE to hide the structure • PFE for RAM programs

  38. Thank you!
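
A toy two-party walk-through of the PGE + CTH framework from slides 13, 16, 18 and 32 in the GMW setting, added here as an illustration and not code from the talk or its authors. The 1-out-of-4 OT and the oblivious mapping are modelled as ideal local functions, and the sample circuit, the party roles (P1 holds the function) and all names are assumptions.

```python
import secrets

# Constructed toy circuit (assumption, not from the slides). Outgoing wires:
# 0..2 are inputs x0..x2, 3..5 are gate outputs. Truth tables are indexed 2*a+b.
GATES = [[0, 0, 0, 1],   # AND
         [0, 1, 1, 0],   # XOR
         [1, 1, 1, 0]]   # NAND
PI = [0, 1,  3, 2,  4, 3]  # incoming wire j reads outgoing wire PI[j]; wire 3 is used twice

def ot_1of4(table, choice):
    """Ideal 1-out-of-4 OT: the receiver learns table[choice] and nothing else."""
    return table[choice]

def oblivious_map(shares, sources, blind):
    """Ideal oblivious mapping: P2 inputs shares, P1 inputs sources and blind.
    P2 learns only the blinded mapped shares (the Reveal step)."""
    return [shares[s] ^ t for s, t in zip(sources, blind)]

def pge(gate, a1, b1, a2, b2):
    """Private gate evaluation on XOR shares; only P1 knows the truth table."""
    r = secrets.randbits(1)                       # P1's share of the output
    table = [gate[2 * (a1 ^ x) + (b1 ^ y)] ^ r    # one row per possible (a2, b2)
             for x in (0, 1) for y in (0, 1)]
    return r, ot_1of4(table, 2 * a2 + b2)         # P2's share is the chosen row

def pfe_eval(gates, pi, x):
    """Evaluate P1's private circuit (gates, pi) on bits x; returns the output bit."""
    s2 = [secrets.randbits(1) for _ in x]         # P2's shares of outgoing wires
    s1 = [xi ^ r for xi, r in zip(x, s2)]         # P1's shares
    for k, gate in enumerate(gates):              # gates are in topological order
        src = pi[2 * k: 2 * k + 2]
        blind = [secrets.randbits(1), secrets.randbits(1)]
        a2, b2 = oblivious_map(s2, src, blind)    # Map, then Reveal to P2
        a1 = s1[src[0]] ^ blind[0]                # P1 maps its own shares and
        b1 = s1[src[1]] ^ blind[1]                # XORs the blinding back in
        o1, o2 = pge(gate, a1, b1, a2, b2)
        s1.append(o1)
        s2.append(o2)
    return s1[-1] ^ s2[-1]                        # reconstruct the final output

def reference(x):
    """The same function computed in the clear, for comparison."""
    g0 = x[0] & x[1]
    return 1 ^ ((g0 ^ x[2]) & g0)
```

P2's view depends only on the number of gates and inputs, matching the leakage listed on slide 12; the truth tables and `PI` never leave P1.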
