Private Function Evaluation Payman Mohassel University of Calgary Talks given at Bristol and Aarhus Universities Joint work with Saeed Sadeghian
Feb 23, 2016
Secure Function Evaluation
Parties learn f(x1,…,xn)
[Figure: five parties, each holding an input: (P1, x1), (P2, x2), (P3, x3), (P4, x4), (P5, x5)]
Correctness: honest parties learn the correct output
Privacy: Nothing but the final output is leaked
Private vs. Secure Function Evaluation
[Figure: the two settings side by side, each labeled f(x1,…,xn)]
Our Setup
f(x1,…,xn)
• Function
  o Boolean circuits
  o Arithmetic circuits
• Settings we consider
  o Two-party
  o Multiparty
• Dishonest majority
• Semi-honest adversaries
Motivation
• Why Hide the Function?
  o Private functions
    • Proprietary, intellectual property
  o Sensitive functions
    • Revealing vulnerabilities
  o Output of SFE leaks information
    • Hiding the function potentially helps
    • Prevents dictionary attacks on input
• Interactive program obfuscation
  o If interaction is possible PFE yields efficient program obfuscation
Is PFE Hard?
• Not really!
• All SFE feasibility results extend to PFE
  o Using Universal Circuits
• The only interesting questions are efficiency questions
Universal Circuits
[Figure: a universal circuit takes C and x as inputs and outputs C(x)]
Universal Circuits
• Boolean
  o For a circuit C with g gates
  o [Valiant'76]: (good for large circuits)
    • Building it seems complicated
  o [KS'08]: (good for small circuits)
• Arithmetic
  o For a circuit C with g gates and depth d
  o [Raz'08]: gates, i.e. in the worst case
PFE Constructions
• Two-party setting
  o Universal Circuit + Yao's protocol
    • or symmetric ops + OTs
  o [KM'11]: Homomorphic Enc + Yao's protocol
    • public-key ops + symmetric ops
• Multi-party setting
  o Universal Circuit + GMW protocol
    • OTs
• Arithmetic circuits
  o Universal Circuit + HE-based MPC [CDN'01]
  o public-key ops
Efficiency Questions
• Asymptotic Efficiency
  o Can we design PFE with linear complexity in all standard settings?
• Practical Efficiency
  o Constant factors are important
  o Symmetric ops superior to public-key ops
  o …
  o Can we improve practical efficiency of universal circuit approach?
Our Framework
Hiding the Circuit
• What is leaked
  o Number of gates
  o Input size
  o Output size
• What is private
  o Functionality of gates
  o Topology of the circuit
One can hide circuit size using an FHE-based construction
Private Gate Evaluation
• Inputs are shared
  o
• Gate function
  o Known only to
• Output is shared
[Figure: a gate with two shared inputs and output shares z1, z2]
Actual sharing mechanism depends on the protocol
Circuit Topology
• Topology captured using a mapping
[Figure: an example circuit with numbered wires and the mapping π_C between them]
CTH Functionality
• Inputs are shared
• Mapping
  o known by only
• Outputs are shared
• Query types
  o Map: done internally
  o Reveal: reveal result of map
  o On-demand mapping
[Figure: Map and Reveal queries to the functionality holding π_C. Labels: x = x1 ⊕ x2, y = y1 ⊕ y2, x'1 ⊕ x'2 = x, x''1 ⊕ x''2 = x, y'1 ⊕ y'2 = y]
PGE + CTH
[Figure: the gates of the example circuit are evaluated with PGE in topological order; wire values pass between gates through CTH Map and Reveal queries]
Instantiating PGE
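PGE for GMW
Truth table of gate g:
x  y  z
0  0  g(0,0)
0  1  g(0,1)
1  0  g(1,0)
1  1  g(1,1)
[Figure: 1-out-of-4 OT between the two parties over the rows 00, 01, 10, 11 of the table for g, with x2, y2 on one side, producing output shares z1, z2]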
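The 1-out-of-4 OT gate evaluation on this slide, written out as an added example (not code from the talk). It assumes XOR sharing as in GMW, an ideal OT in place of a real protocol, and the role names "gate holder" (OT sender) and "other party" (OT receiver); the helper names are hypothetical.

```python
import itertools
import secrets

def ot_1of4(rows, choice):
    # Ideal 1-out-of-4 OT, a stand-in for a real OT protocol: the receiver
    # learns rows[choice] only and the sender does not learn choice.
    return rows[choice]

def sender_rows(g, x1, y1, z1):
    # g is the private gate as a truth table indexed by 2*x + y.
    # Row (x2, y2) holds g(x1^x2, y1^y2) masked with the sender's share z1.
    return [g[2 * (x1 ^ x2) + (y1 ^ y2)] ^ z1
            for x2 in (0, 1) for y2 in (0, 1)]

def pge_gmw(g, x1, y1, x2, y2):
    z1 = secrets.randbits(1)                 # gate holder's output share
    rows = sender_rows(g, x1, y1, z1)
    z2 = ot_1of4(rows, 2 * x2 + y2)          # other party's output share
    return z1, z2

def all_gates_correct():
    # Every one of the 16 two-input gates, under every sharing of (x, y).
    for g in itertools.product((0, 1), repeat=4):
        for x1, y1, x2, y2 in itertools.product((0, 1), repeat=4):
            z1, z2 = pge_gmw(g, x1, y1, x2, y2)
            if z1 ^ z2 != g[2 * (x1 ^ x2) + (y1 ^ y2)]:
                return False
    return True

def receiver_view(g, x1, y1, x2, y2):
    # Values the receiver can obtain as z1 ranges over both choices.
    return {sender_rows(g, x1, y1, z1)[2 * x2 + y2] for z1 in (0, 1)}

AND, XOR = (0, 0, 0, 1), (0, 1, 1, 0)        # constructed sample gates
```

Because z1 is uniform, the single row the receiver obtains takes both values equally often whatever g is, which is why the gate's functionality stays hidden from that party.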
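PGE for AC
• is an additively homomorphic encryption
[Figure: message flow for one arithmetic gate. The party holding (pk, sk) sends Enc_pk of each of its two input shares and of their product; the other party replies with a ciphertext C = Enc_pk(…), formed differently in the two "If" cases; the key holder obtains its output share as Dec_sk(C)]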
PGE for Garbled Circuit
• We kind of cheat!
  o We assume all gates are NAND gates
• Sharing associated with Yao
  o To share a value
  o holds (
  o holds
• sends a garbled table to
• decrypts one row of the table
Instantiating CTH
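Oblivious Mapping
• Assume inputs are ready
[Figure: oblivious mapping between the two parties. One party inputs the vector (a1, a2, ...); the other inputs π_C and the blinding vector (t1, t2, ...); the output is (a_{π^-1(1)} ⊕ t1, a_{π^-1(2)} ⊕ t2, ...). Example with inputs a1 to a6: a1 ⊕ t1, a1 ⊕ t5, a2 ⊕ t2, a3 ⊕ t3, a4 ⊕ t4, a5 ⊕ t6, a5 ⊕ t7, a6 ⊕ t9, a6 ⊕ t8]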
Oblivious Mapping
• Using any MPC
  o inefficient
  o Not clear it has the on-demand property
  o [HEK'12] implements Waksman using Yao's protocol
• Using singly HE
  o Linear complexity
  o Requires public-key operations
• Using oblivious transfer
  o Not linear
  o But better concrete efficiency (OT extension)
HE-based
[Figure: the party holding (pk, sk) sends Enc_pk(a1), Enc_pk(a2), ...; the party holding the mapping and the blinding vector (t1, t2, ...) returns the encryptions of the mapped values a_{π^-1(1)}, a_{π^-1(2)}, ..., each blinded with the corresponding t]
Easy to make on-demand
Permutation Networks
[Figure: a permutation network made of switches; a single switch is shown for selection bit 1 and for selection bit 0]
[Waksman'68]: any permutation can be implemented using a permutation network of size
The permutation is determined using selection bits
Switching Networks
• Our mapping is not a permutation
• Need one more switch type
[Figure: the two switch types, each shown for selection bit 1 and for selection bit 0]
Mapping from SN
[Figure: a switching network for the mapping, containing two Waksman networks]
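Oblivious Switch 1
[Figure: a switch with wire values r1, r2 on its inputs and r3, r4 on its outputs, evaluated with a 1-out-of-2 OT on the selection bit s]
Blinded inputs: a ⊕ r1, b ⊕ r2
s = 0 → (a ⊕ r1) ⊕ (r1 ⊕ r3) = a ⊕ r3
        (b ⊕ r2) ⊕ (r2 ⊕ r4) = b ⊕ r4
s = 1 → (b ⊕ r2) ⊕ (r2 ⊕ r3) = b ⊕ r3
        (a ⊕ r1) ⊕ (r1 ⊕ r4) = a ⊕ r4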
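Oblivious Switch 2
[Figure: a switch with wire values r1, r2 on its inputs and r3, r4 on its outputs, evaluated with a 1-out-of-2 OT on the selection bit s]
Blinded inputs: a ⊕ r1, b ⊕ r2
s = 0 → (a ⊕ r1) ⊕ (r1 ⊕ r3) = a ⊕ r3
        (b ⊕ r2) ⊕ (r2 ⊕ r4) = b ⊕ r4
s = 1 → (a ⊕ r1) ⊕ (r1 ⊕ r3) = a ⊕ r3
        (a ⊕ r1) ⊕ (r1 ⊕ r4) = a ⊕ r4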
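Oblivious SN Evaluation
[Figure: a value a travels through the switching network under changing blinding: a ⊕ r1, a ⊕ r3, a ⊕ r6, a ⊕ r7. MAP ends with a ⊕ r7; Reveal sends a ⊕ r7 ⊕ t7, from which a ⊕ t7 is obtained]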
Oblivious SN Evaluation
• One OT per switch
  o O(m log m) OTs total
• On-demand
  o All OTs done offline
  o Only XORing online
• Practical when using OT extension
• Constant round
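The two oblivious switches and the Map/Reveal steps above, combined into one run as an added example (not code from the talk). It assumes an ideal OT in place of a real protocol, the role names "input holder" (OT sender, owns the pads r) and "mapping holder" (OT receiver, owns the selection bits and t), and a simplified wiring in which each switch rewrites two positions of a vector rather than a full Waksman layout.

```python
import secrets

def ot_1of2(rows, choice):
    # Ideal 1-out-of-2 OT, a stand-in for a real OT or OT extension.
    return rows[choice]

def oblivious_map(values, switches, t, bits=32):
    """values: input holder's vector. switches: list of (kind, i, j, s), known
    only to the mapping holder. t: mapping holder's blinding vector.
    Returns what the input holder ends with: mapped[k] ^ t[k]."""
    # Input holder: one pad per wire; send the blinded inputs a ^ r.
    pads = [secrets.randbits(bits) for _ in values]
    blinded = [a ^ r for a, r in zip(values, pads)]   # mapping holder's view
    for kind, i, j, s in switches:
        r1, r2 = pads[i], pads[j]
        r3, r4 = secrets.randbits(bits), secrets.randbits(bits)
        # OT rows depend only on pads, never on inputs, so every OT can be
        # run offline. Row 0 is "straight" for both switch types.
        row1 = (r2 ^ r3, r1 ^ r4) if kind == "swap" else (r1 ^ r3, r1 ^ r4)
        m3, m4 = ot_1of2([(r1 ^ r3, r2 ^ r4), row1], s)
        u, v = blinded[i], blinded[j]
        if s == 0:
            blinded[i], blinded[j] = u ^ m3, v ^ m4      # a^r3, b^r4
        elif kind == "swap":
            blinded[i], blinded[j] = v ^ m3, u ^ m4      # b^r3, a^r4
        else:                                            # "copy" (switch 2)
            blinded[i], blinded[j] = u ^ m3, u ^ m4      # a^r3, a^r4
        pads[i], pads[j] = r3, r4
    # Reveal: mapping holder adds t and sends; input holder strips final pads.
    masked = [b ^ tk for b, tk in zip(blinded, t)]
    return [m ^ r for m, r in zip(masked, pads)]

def demo():
    values = [10, 20, 30, 40]                            # constructed inputs
    switches = [("swap", 0, 1, 1), ("copy", 1, 2, 1), ("swap", 2, 3, 0)]
    t = [secrets.randbits(32) for _ in values]
    out = oblivious_map(values, switches, t)
    return [o ^ tk for o, tk in zip(out, t)]             # unblind to check
```

The mapping holder only ever sees values under pads it does not know, and the input holder only sees the result under t, so neither learns the other's vector or selection bits from the exchange.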
Oblivious Mapping CTH Functionality
• GMW or Arithmetic Circuits
  o Inputs to mapping are ADDITIVE- or XOR-shared
  o (MAP) Each party runs an oblivious mapping with
    • uses his vector of shares as input
    • uses his mapping and blinding vector
  o (Reveal) Each party obtains his blinded "mapped" vector of shares
  o maps his own vector of shares and XOR/SUBTRACTs s to adjust values.
• Yao's Protocol
  o Slightly more involved due to "weird sharing" mechanism
Summary of Results
• First Multiparty PFE with linear complexity
  o GMW + HE-Based oblivious mapping
• First Arithmetic PFE with linear complexity
  o [CDN'01] + HE-based oblivious mapping
• More efficient two-party PFE with linear complexity
  o Yao + HE-based oblivious mapping
  o Subsumes and improves construction of [KM'11]
• More practical PFE
  o Yao/GMW + OT-based oblivious mapping + OT extension
Future Work
Other Security Notions
• Security against stronger adversaries
  o Covert, malicious
  o Can we still achieve linear complexity?
• PFE in the information theoretic setting
  o Our OT-based solution seems generalizable to IT setting
  o But linear PFE is open
• Can we hide circuit size without using FHE?
  o or use FHE in a limited way, or use somewhat FHE?
Round Complexity of PFE
• Can we do PFE non-interactively?
  o Our Yao-based protocol requires at least 3 messages
  o SFE can be done in two messages
• Can we achieve constant round multiparty PFE with linear complexity?
  o We only know it for two-party case
• Can we achieve constant round arithmetic PFE?
  o Without switching to a Boolean circuit
PFE for Practice
• PFE with good concrete + asymptotic efficiency
  o E.g. designing OT-based oblivious mapping with linear complexity
• Can PFE help improve efficiency of SFE?
  o Idea:
    • One party embeds his input in the circuit
    • Shrinks the circuit significantly
    • Circuit structure leaks information
    • We use PFE to hide the structure
• PFE for RAM programs
Thank you!