Private Function Evaluation

Payman Mohassel
University of Calgary
Talks given at Bristol and Aarhus Universities
Joint work with Saeed Sadeghian
Secure Function Evaluation
[Diagram: parties P1, …, P5 holding inputs x1, …, x5]
Correctness: honest parties learn the correct output
Privacy: Nothing but the final output is leaked
Parties learn f(x1,…,xn)
Private vs. Secure Function Evaluation
[Diagram, PFE: parties hold xn, ⋯, x2 and (x1, f); the output is f(x1, …, xn)]
[Diagram, SFE: parties hold (xn, f), ⋯, (x2, f), (x1, f); the output is f(x1, …, xn)]
Our Setup
• Function f
  o Boolean circuits
  o Arithmetic circuits
• Settings we consider
  o Two-party
  o Multiparty
• Dishonest majority
• Semi-honest adversaries
[Diagram: parties hold xn, ⋯, x2 and (x1, f); the output is f(x1, …, xn)]
Motivation
• Why Hide the Function?
  o Private functions
    • Proprietary, intellectual property
  o Sensitive functions
    • Revealing vulnerabilities
  o Output of SFE leaks information
    • Hiding the function potentially helps
    • Prevents dictionary attacks on input
• Interactive program obfuscation
  o If interaction is possible PFE yields efficient program obfuscation
Is PFE Hard?
• Not really!
• All SFE feasibility results extend to PFE
  o Using Universal Circuits
• The only interesting questions are efficiency questions
Universal Circuits
[Diagram: a Universal Circuit takes C and x as inputs and outputs C(x)]
Universal Circuits
• Boolean
  o For a circuit C with g gates
  o [Valiant ’76]: 19g log g + … (good for large circuits)
    • Building it seems complicated
  o [KS ’08]: 1.5g log² g + 2.5g log g + ⋯ (good for small circuits)
• Arithmetic
  o For a circuit C with g gates and depth d
  o [Raz ’08]: O(g d⁴) gates, i.e. O(g⁵) in the worst case
PFE Constructions
• Two-party setting
  o Universal Circuit + Yao’s protocol
    • O(g log g) or O(g log² g) symmetric ops + O(n) OTs
  o [KM ’11]: Homomorphic Enc + Yao’s protocol
    • O(g) public-key ops + O(g) symmetric ops
• Multi-party setting
  o Universal Circuit + GMW protocol
    • O(t² g log g) OTs
• Arithmetic circuits
  o Universal Circuit + HE-based MPC [CDN ’01]
  o O(g⁵) public-key ops
Efficiency Questions
• Asymptotic Efficiency
  o Can we design PFE with linear complexity in all standard settings?
• Practical Efficiency
  o Constant factors are important
  o Symmetric ops superior to public-key ops
  o …
  o Can we improve practical efficiency of universal circuit approach?
Our Framework
Hiding the Circuit
• What is leaked
  o Number of gates
  o Input size
  o Output size
• What is private
  o Functionality of gates
  o Topology of the circuit
One can hide circuit size using an FHE-based construction
Private Gate Evaluation
• Inputs are shared
  o x = x1 ⊕ x2
  o y = y1 ⊕ y2
• Gate function
  o g = AND, OR, XOR
  o g = +, ×
  o Known only to P1
• Output is shared
  o z = z1 ⊕ z2
[Diagram: one party holds x1, y1, g and the other holds x2, y2; g(x, y) is evaluated and the output shares z1 and z2 are returned]
Actual sharing mechanism depends on the protocol
Circuit Topology
• Topology captured using a mapping π_C
[Diagram: example circuit with wires labelled o1, …, o6 and i1, …, i10, and the corresponding mapping π_C]
CTH Functionality
• Inputs are shared
  o x = x1 ⊕ x2
• Mapping
  o π_c known by P1 only
• Outputs are shared
  o x = x1′ ⊕ x2′
• Query types
  o Map: done internally
  o Reveal: reveal result of map
  o On-demand mapping
[Diagram: Map (with π_C) takes the shared values x = x1 ⊕ x2 and y = y1 ⊕ y2; Reveal returns fresh sharings x′1 ⊕ x′2 = x, y′1 ⊕ y′2 = y and x″1 ⊕ x″2 = x]
PGE + CTH
[Diagram: the example circuit (wires o1, …, o6 and i1, …, i10) evaluated in topological order, steps 1 to 21, combining CTH Map and Reveal queries with PGE calls]
Instantiating PGE
PGE for GMW
[Diagram: P1 holds x1, y1, g and the share z1; P2 holds x2, y2. P1 inputs c1, c2, c3, c4 to a 1-out-of-4 OT, P2 selects with (x2, y2) and obtains z2]
OT table, indexed by P2's shares:
x2  y2  z2
0   0   c1 = g(x1 ⊕ 0, y1 ⊕ 0) ⊕ z1
0   1   c2 = g(x1 ⊕ 0, y1 ⊕ 1) ⊕ z1
1   0   c3 = g(x1 ⊕ 1, y1 ⊕ 0) ⊕ z1
1   1   c4 = g(x1 ⊕ 1, y1 ⊕ 1) ⊕ z1
Truth table of g:
x  y  z
0  0  g(0,0)
0  1  g(0,1)
1  0  g(1,0)
1  1  g(1,1)
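The 1-out-of-4 OT table from this slide as runnable code; this is an added example, not part of the original slides. The OT is replaced by an ideal stand-in (`ideal_ot`), and all function names are assumptions made for illustration.

```python
import secrets

# Gate functions P1 may hold privately (Boolean case from the slides).
GATES = {
    "AND": lambda x, y: x & y,
    "OR": lambda x, y: x | y,
    "XOR": lambda x, y: x ^ y,
}

def ideal_ot(messages, choice):
    """Ideal 1-out-of-k OT stand-in (assumption): the receiver gets
    messages[choice] only, and the sender learns nothing about choice."""
    return messages[choice]

def p1_table(gate, x1, y1, z1):
    """P1's OT inputs c1..c4: row (i, j) is g(x1^i, y1^j) ^ z1."""
    g = GATES[gate]
    return [g(x1 ^ i, y1 ^ j) ^ z1 for i in (0, 1) for j in (0, 1)]

def private_gate_eval(gate, x1, y1, x2, y2):
    """One PGE call: returns XOR shares (z1, z2) of g(x, y)."""
    z1 = secrets.randbits(1)                 # P1's fresh output share
    table = p1_table(gate, x1, y1, z1)       # built from P1's shares and g
    z2 = ideal_ot(table, 2 * x2 + y2)        # P2 selects the row (x2, y2)
    return z1, z2

def correct_on_all_inputs(gate):
    """Check z1 ^ z2 == g(x1^x2, y1^y2) for every sharing of every input."""
    g = GATES[gate]
    for v in range(16):
        x1, y1, x2, y2 = (v >> 3) & 1, (v >> 2) & 1, (v >> 1) & 1, v & 1
        z1, z2 = private_gate_eval(gate, x1, y1, x2, y2)
        if z1 ^ z2 != g(x1 ^ x2, y1 ^ y2):
            return False
    return True

def p2_views(gate, x1, y1, x2, y2):
    """The bits P2 can receive as z1 ranges over {0, 1}: always both values,
    so the received bit alone does not depend on the gate g."""
    return sorted(ideal_ot(p1_table(gate, x1, y1, z1), 2 * x2 + y2)
                  for z1 in (0, 1))

if __name__ == "__main__":
    for name in GATES:
        print(name, correct_on_all_inputs(name), p2_views(name, 1, 0, 1, 1))
```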
PGE for AC
• a, b ∈ F
• a = a1 + a2, b = b1 + b2
• c = c1 + c2, c = (a + b) or c = (a × b)
• Enc is an additively homomorphic encryption
P1 holds a1, b1, pk; P2 holds a2, b2, pk, sk
P2 → P1: Enc_pk(a2), Enc_pk(b2), Enc_pk(a2 b2)
P1 (If +): r ← F, c1 ← a1 + b1 − r, C = Enc_pk(a2 + b2 + r)
P1 (If ×): c1 ← F, C = Enc_pk(a1 b1 + a2 b1 + a1 b2 + a2 b2 − c1)
P1 → P2: C
P2: c2 ← Dec_sk(C)
PGE for Garbled Circuit
• We kind of cheat!
  o We assume all gates are NAND gates
• Sharing associated with Yao
  o To share a value x
  o P2 holds (k0, k1)
  o P1 holds k_x
• P2 sends a garbled table to P1
• P1 decrypts one row of the table
Instantiating CTH
Oblivious Mapping
• Assume inputs are ready
[Diagram: oblivious mapping. P1 holds the mapping π: [n] → [m] (π_C) and t1, …, tm; P2 holds a1, …, an and obtains a_{π⁻¹(1)} ⊕ t1, a_{π⁻¹(2)} ⊕ t2, …, a_{π⁻¹(m)} ⊕ tm. In the example, inputs a1, …, a6 are mapped to a1 ⊕ t1, a2 ⊕ t2, a3 ⊕ t3, a4 ⊕ t4, a1 ⊕ t5, a5 ⊕ t6, a5 ⊕ t7, a6 ⊕ t8, a6 ⊕ t9, a4 ⊕ t10]
Oblivious Mapping
• Using any MPC
  o Inefficient
  o Not clear it has the on-demand property
  o [HEK ’12] implements Waksman using Yao’s protocol
• Using singly HE
  o Linear complexity
  o Requires public-key operations
• Using oblivious transfer
  o Not linear
  o But better concrete efficiency (OT extension)
HE-based
[Diagram, with key pair pk, sk: P2 holds a1, …, an and the ciphertexts Enc_pk(a1), Enc_pk(a2), …, Enc_pk(an) go to P1; P1 holds π and t1, …, tm and returns Enc_pk(a_{π⁻¹(1)} ⊕ t1), Enc_pk(a_{π⁻¹(2)} ⊕ t2), …, Enc_pk(a_{π⁻¹(m)} ⊕ tm)]
Easy to make on-demand
Permutation Networks
[Diagram: a switch with a selection bit. Selection bit 0: inputs (a, b) leave as (a, b); selection bit 1: inputs (a, b) leave as (b, a). A permutation network is built from such switches.]
[Waksman ’68]: any permutation π: [n] → [n] can be implemented using a permutation network of size n log n − n + 1
The permutation is determined using n log n − n + 1 selection bits
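Switching Networks
• Our mapping is not a permutation
• Need one more switch type
[Diagram: the two switch types. First type: selection bit 0 gives (a, b) → (a, b), selection bit 1 gives (a, b) → (b, a). Second type: selection bit 0 gives (a, b) → (a, b), selection bit 1 gives (a, b) → (a, a).]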
Mapping from SN
[Diagram: the inputs a1, …, an, together with filler entries, pass through a Waksman network (size m log m − m + 1), then a layer of switches of the second type (size m) that copies values where the selection bit is 1, then a second Waksman network (size m log m − m + 1)]
Oblivious Switch 1
[Diagram: P2 holds a, b and r1, r2, r3, r4; P1 holds the selection bit s]
P2 → P1: a ⊕ r1, b ⊕ r2
1-out-of-2 OT: P2 inputs (r1 ⊕ r3, r2 ⊕ r4) and (r1 ⊕ r4, r2 ⊕ r3); P1 selects with s
s = 0 → (a ⊕ r1) ⊕ r1 ⊕ r3 = a ⊕ r3, (b ⊕ r2) ⊕ r2 ⊕ r4 = b ⊕ r4
s = 1 → (b ⊕ r2) ⊕ r2 ⊕ r3 = b ⊕ r3, (a ⊕ r1) ⊕ r1 ⊕ r4 = a ⊕ r4
Oblivious Switch 2
[Diagram: P2 holds a, b and r1, r2, r3, r4; P1 holds the selection bit s]
P2 → P1: a ⊕ r1, b ⊕ r2
1-out-of-2 OT: P2 inputs (r1 ⊕ r3, r2 ⊕ r4) and (r1 ⊕ r3, r1 ⊕ r4); P1 selects with s
s = 0 → (a ⊕ r1) ⊕ r1 ⊕ r3 = a ⊕ r3, (b ⊕ r2) ⊕ r2 ⊕ r4 = b ⊕ r4
s = 1 → (a ⊕ r1) ⊕ r1 ⊕ r3 = a ⊕ r3, (a ⊕ r1) ⊕ r1 ⊕ r4 = a ⊕ r4
Oblivious SN Evaluation
[Diagram: MAP: a value a travels through the switches under the wire masks r1, …, r8, appearing as a ⊕ r1, a ⊕ r3, a ⊕ r6, a ⊕ r7; Reveal: a ⊕ r7 ⊕ t7 is revealed, giving a ⊕ t7]
Oblivious SN Evaluation
• One OT per switch
  o O(m log m) OTs total
• On-demand
  o All OTs done offline
  o Only XORing online
• Practical when using OT extension
• Constant round
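The offline/online split described on this slide, applied to both switch types from the Oblivious Switch 1 and 2 slides; this is an added example, not part of the original slides. The three-switch network, the ideal OT stand-in and all function names are constructed for illustration, and each OT message is ordered by output wire.

```python
import secrets

# Which input (0 = top, 1 = bottom) feeds each output, per switch type and bit s.
SRC = {"permute": {0: (0, 1), 1: (1, 0)},   # Oblivious Switch 1: pass / swap
       "copy":    {0: (0, 1), 1: (0, 0)}}   # Oblivious Switch 2: pass / duplicate top

# Constructed toy network (not a Waksman network): (type, input wires, output wires).
NETWORK = [("permute", (0, 1), (4, 5)),
           ("copy",    (4, 2), (6, 7)),
           ("permute", (5, 3), (8, 9))]
IN_WIRES, OUT_WIRES, N_WIRES, WIDTH = (0, 1, 2, 3), (6, 7, 8, 9), 10, 32

def ideal_ot(messages, choice):
    """Ideal 1-out-of-2 OT stand-in (assumption): P1 learns messages[choice] only."""
    return messages[choice]

def offline(bits):
    """Offline: P2 draws one mask per wire; one OT per switch hands P1 the
    mask differences matching its selection bit."""
    r = [secrets.randbits(WIDTH) for _ in range(N_WIRES)]
    corrections = []
    for (kind, ins, outs), s in zip(NETWORK, bits):
        msgs = [tuple(r[ins[src]] ^ r[out] for src, out in zip(SRC[kind][b], outs))
                for b in (0, 1)]
        corrections.append(ideal_ot(msgs, s))
    return r, corrections

def online(a, r, corrections, bits, t):
    """Online: XOR only. Returns what P2 ends with, a[pi^-1(j)] ^ t[j]."""
    wire = {w: a[i] ^ r[w] for i, w in enumerate(IN_WIRES)}       # P2 -> P1
    for (kind, ins, outs), s, corr in zip(NETWORK, bits, corrections):
        for src, out, c in zip(SRC[kind][s], outs, corr):         # P1, local XORs
            wire[out] = wire[ins[src]] ^ c
    revealed = [wire[w] ^ t[j] for j, w in enumerate(OUT_WIRES)]  # Reveal: P1 -> P2
    return [v ^ r[w] for v, w in zip(revealed, OUT_WIRES)]        # P2 removes r

def oblivious_map(a, bits):
    """Run both phases, then unblind with t to check the routing."""
    r, corrections = offline(bits)
    t = [secrets.randbits(WIDTH) for _ in OUT_WIRES]              # P1's blinding vector
    blinded = online(a, r, corrections, bits, t)
    return [b ^ tj for b, tj in zip(blinded, t)]

if __name__ == "__main__":
    print(oblivious_map([10, 20, 30, 40], (1, 1, 0)))
```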
Oblivious Mapping → CTH Functionality
• GMW or Arithmetic Circuits
  o Inputs to mapping are ADDITIVE- or XOR-shared
  o (MAP) Each party Pi runs an oblivious mapping with P1
    • Pi uses his vector of shares as input
    • P1 uses his mapping and blinding vector ti
  o (Reveal) Each party obtains his blinded “mapped” vector of shares
  o P1 maps his own vector of shares and XOR/SUBTRACTs ti’s to adjust values.
• Yao’s Protocol
  o Slightly more involved due to “weird sharing” mechanism
Summary of Results
• First Multiparty PFE with linear complexity
  o GMW + HE-Based oblivious mapping
• First Arithmetic PFE with linear complexity
  o [CDN ’01] + HE-based oblivious mapping
• More efficient two-party PFE with linear complexity
  o Yao + HE-based oblivious mapping
  o Subsumes and improves construction of [KM ’11]
• More practical PFE
  o Yao/GMW + OT-based oblivious mapping + OT extension
Future Work
Other Security Notions
• Security against stronger adversaries
  o Covert, malicious
  o Can we still achieve linear complexity?
• PFE in the information theoretic setting
  o Our OT-based solution seems generalizable to IT setting
  o But linear PFE is open
• Can we hide circuit size without using FHE?
  o or use FHE in a limited way, or use somewhat FHE?
Round Complexity of PFE
• Can we do PFE non-interactively?
  o Our Yao-based protocol requires at least 3 messages
  o SFE can be done in two messages
• Can we achieve constant round multiparty PFE with linear complexity?
  o We only know it for two-party case
• Can we achieve constant round arithmetic PFE?
  o Without switching to a Boolean circuit
PFE for Practice
• PFE with good concrete + asymptotic efficiency
  o E.g. designing OT-based oblivious mapping with linear complexity
• Can PFE help improve efficiency of SFE?
  o Idea:
    • One party embeds his input in the circuit
    • Shrinks the circuit significantly
    • Circuit structure leaks information
    • We use PFE to hide the structure
• PFE for RAM programs
Thank you!