PRIVACY-PRESERVING PROCESSING OF REGULAR LANGUAGES Peeter Laud - - PowerPoint PPT Presentation

PRIVACY-PRESERVING PROCESSING OF REGULAR LANGUAGES

Peeter Laud

Joint work with Jan Willemson

17.05.2014

UaESMC

Deterministic Finite Automata

q1 q2 q3 q4 q5 q6 a b a b a b a b a b a b DFA A = (Q,Σ,q0,δ,F)

δ ∶ Q × Σ → Q, q0 ∈ Q, F ⊆ Q δ can be extended to δ ∶ Q × Σ∗ → Q

Given A and w ∈ Σ∗. Find whether δ(q0,w) ∈ F

17.05.2014

2

Deterministic Finite Automata

q1 q2 q3 q4 q5 q6 a b a b a b a b a b a b DFA A = (Q,Σ,q0,δ)

δ ∶ Q × Σ → Q, q0 ∈ Q δ can be extended to δ ∶ Q × Σ∗ → Q

Given A and w ∈ Σ∗. Find δ(q0,w)

17.05.2014

2

Secure multiparty computation

n parties P1,...,Pn, with inputs x1,...,xn. want to compute (y1,...,yn) = f (x1,...,xn), where Pi learns xi. Pi should not learn anything beyond xi,yi

More generally, for any I ⊆ {1,...,n}, ∣I∣ < t, the coalition {Pi}i∈I should not learn anything beyond (xi,yi)i∈I.

P1,...,Pn run a cryptographic protocol for that end

17.05.2014

3

The Sharemind model for Secure Computation

IP1 IP2 ⋯ IPn CP1 CP2 CP3 OP1 OP2 ⋯ OPm Three computing parties Passive security against one party Additive sharing of values:

⟦v⟧ = (⟦v⟧1,⟦v⟧2,⟦v⟧3) ⟦v⟧1 + ⟦v⟧2 + ⟦v⟧3 = v (in ZN)

Some other sharing mechanisms also available or in the works CP1,CP2,CP3 run protocols to compute sharings of

• utputs from the sharings of

inputs

17.05.2014

4

Available operations with shared values on Sharemind

Classification, declassification Addition, multiplication with public value Multiplication of shared values

17.05.2014

5

Available operations with shared values on Sharemind

Classification, declassification Addition, multiplication with public value Multiplication of shared values Equality, inequality comparisons

Result is a value shared over Z2

Converting a sharing over Z2n to sharing over Z2m Obtaining sharings of bits of shared values Division of shared values Floating- and fix-point operations . . .

17.05.2014

5

Storing the DFA and input string

∣Q∣ = m, ∣Σ∣ = n, ∣w∣ = ℓ are public ⟦δ⟧ = Σ/Q q1 q2 ⋯ qm a1 ⟦δ(q1,a1)⟧ ⟦δ(q2,a1)⟧ ⋯ ⟦δ(qm,a1)⟧ a2 ⟦δ(q1,a2)⟧ ⟦δ(q2,a2)⟧ ⋯ ⟦δ(qm,a2)⟧ ⋮ ⋮ ⋮ ⋱ ⋮ an ⟦δ(q1,an)⟧ ⟦δ(q2,an)⟧ ⋯ ⟦δ(qm,an)⟧ ⟦w⟧ = (⟦v1⟧,⟦v2⟧,...,⟦vℓ⟧) How to compute ⟦qi⟧ = ⟦δ⟧(⟦qi−1⟧,⟦vi⟧)?

17.05.2014

6

Storing the DFA and input string

∣Q∣ = m, ∣Σ∣ = n, ∣w∣ = ℓ are public ⟦δ⟧ = Σ/Q q1 q2 ⋯ qm a1 ⟦δ(q1,a1)⟧ ⟦δ(q2,a1)⟧ ⋯ ⟦δ(qm,a1)⟧ a2 ⟦δ(q1,a2)⟧ ⟦δ(q2,a2)⟧ ⋯ ⟦δ(qm,a2)⟧ ⋮ ⋮ ⋮ ⋱ ⋮ an ⟦δ(q1,an)⟧ ⟦δ(q2,an)⟧ ⋯ ⟦δ(qm,an)⟧ ⟦w⟧ = (⟦v1⟧,⟦v2⟧,...,⟦vℓ⟧) How to compute ⟦qi⟧ = ⟦δ⟧(⟦qi−1⟧,⟦vi⟧)?

Find characteristic vector ⟦χqi−1,vi⟧ Compute ⟦χqi−1,vi⟧ ⋅ ⟦δ⟧

This is an O(mn) solution. In public, we need O(1).

17.05.2014

6

Offline and online computation

Our algorithm may have offline and online parts:

Offline (pre)computation does not depend on inputs Online computation depends on inputs

Task: look up from a vector according to a private index:

Given (⟦v1⟧,...,⟦vm⟧) and ⟦j⟧, find ⟦vj⟧.

Even three stages make sense here:

Offline Vector-only Online

17.05.2014

7

Algorithm for private look-up

Let computations take place over a field F. Let λj,k ∈ F be the Lagrange interpolation coefficients:

m−1

∑

j=0

(

m

∑

k=1

λj,kvk)xj = vx for x ∈ {1,...,m} From (⟦v1⟧,...,⟦vm⟧), one can freely compute ⟦ci⟧ =

m

∑

k=1

λi,k⟦vk⟧ . Given ⟦j⟧, one can compute ⟦vj⟧ = ∑m−1

i=0 ⟦ci⟧ ⋅ ⟦ji⟧.

17.05.2014

8

Algorithm for private look-up

Offline Vector-only

1 foreach k ∈ {0,...,m − 1} do ⟦ck⟧ ← ∑m l=1 λk,l⟦vl⟧

Online

2 for k = 2 to m − 1 do ⟦jk⟧ ← ⟦j⟧ ⋅ ⟦jk−1⟧ 3 return ∑m−1 k=0 ⟦ck⟧⟦jk⟧

17.05.2014

9

Algorithm for private look-up

Offline

1 (⟦r⟧,⟦r−1⟧) $

← F∗

2 for k = 2 to m − 1 do ⟦rk⟧ ← ⟦r⟧ ⋅ ⟦rk−1⟧

Vector-only

3 foreach k ∈ {0,...,m − 1} do ⟦ck⟧ ← ∑m l=1 λk,l⟦vl⟧

Online

4 for k = 2 to m − 1 do ⟦jk⟧ ← ⟦j⟧ ⋅ ⟦jk−1⟧ 5 return ∑m−1 k=0 ⟦ck⟧⟦jk⟧

17.05.2014

9

Algorithm for private look-up

Offline

1 (⟦r⟧,⟦r−1⟧) $

← F∗

2 for k = 2 to m − 1 do ⟦rk⟧ ← ⟦r⟧ ⋅ ⟦rk−1⟧

Vector-only

3 foreach k ∈ {0,...,m − 1} do ⟦ck⟧ ← ∑m l=1 λk,l⟦vl⟧

Online

4 ⟦z⟧ ← ⟦j⟧ ⋅ ⟦r−1⟧ 5 for k = 2 to m − 1 do ⟦jk⟧ = ⟦zk⟧ ⋅ ⟦rk⟧ 6 return ∑m−1 k=0 ⟦ck⟧⟦jk⟧

17.05.2014

9

Algorithm for private look-up

Offline

1 (⟦r⟧,⟦r−1⟧) $

← F∗

2 for k = 2 to m − 1 do ⟦rk⟧ ← ⟦r⟧ ⋅ ⟦rk−1⟧

Vector-only

3 foreach k ∈ {0,...,m − 1} do ⟦ck⟧ ← ∑m l=1 λk,l⟦vl⟧

Online

4 z ← declassify(⟦j⟧ ⋅ ⟦r−1⟧) 5 for k = 2 to m − 1 do ⟦jk⟧ = zk ⋅ ⟦rk⟧ 6 return ∑m−1 k=0 ⟦ck⟧⟦jk⟧

17.05.2014

9

Algorithm for private look-up

Offline

1 (⟦r⟧,⟦r−1⟧) $

← F∗

2 for k = 2 to m − 1 do ⟦rk⟧ ← ⟦r⟧ ⋅ ⟦rk−1⟧

Vector-only

3 foreach k ∈ {0,...,m − 1} do ⟦ck⟧ ← ∑m l=1 λk,l⟦vl⟧

Online

4 z ← declassify(⟦j⟧ ⋅ ⟦r−1⟧) 5 return ∑m−1 k=0 zk⟦ck⟧⟦rk⟧

17.05.2014

9

Algorithm for private look-up

Offline

1 (⟦r⟧,⟦r−1⟧) $

← F∗

2 for k = 2 to m − 1 do ⟦rk⟧ ← ⟦r⟧ ⋅ ⟦rk−1⟧

Vector-only

3 foreach k ∈ {0,...,m − 1} do ⟦ck⟧ ← ∑m l=1 λk,l⟦vl⟧ 4 foreach k ∈ {0,...,m − 1} do ⟦yk⟧ ← ⟦ck⟧ ⋅ ⟦rk⟧

Online

5 z ← declassify(⟦j⟧ ⋅ ⟦r−1⟧) 6 return ∑m−1 k=0 zk⟦yk⟧

17.05.2014

9

Complexity

Complexity of the stages (without linear combinations):

Offline: m multiplications Vector-only: m multiplications Online: 1 multiplication, 1 declassification

Optimization possibilities:

Sharemind’s protocols, if char F = 2:

Offline stage:

1 2 ⋅ √m multiplications

Shamir’s sharing, GRR multiplication

Vector-only stage: 0 Online stage: 2 multiplications, one declassification

17.05.2014

10

Sharemind’s multiplication protocol

CP1 CP2 CP3 w = uv ⟦v⟧1 ⟦v⟧2 ⟦v⟧3 ⟦u⟧1 ⟦u⟧2 ⟦u⟧3

17.05.2014

11

Sharemind’s multiplication protocol

CP1 CP2 CP3 w = uv ⟦v⟧1 ⟦v⟧2 ⟦v⟧3 ⟦u⟧1 ⟦u⟧2 ⟦u⟧3

• 1. Reshare ⟦u⟧ and ⟦v⟧

17.05.2014

11

Sharemind’s multiplication protocol

CP1 CP2 CP3 w = uv ⟦v⟧1 ⟦v⟧2 ⟦v⟧3 ⟦u⟧1 ⟦u⟧2 ⟦u⟧3

• 1. Reshare ⟦u⟧ and ⟦v⟧

r1u,r1v

$

← F r2u,r2v

$

← F r3u,r3v

$

← F

17.05.2014

11

Sharemind’s multiplication protocol

CP1 CP2 CP3 w = uv ⟦v⟧1 ⟦v⟧2 ⟦v⟧3 ⟦u⟧1 ⟦u⟧2 ⟦u⟧3

• 1. Reshare ⟦u⟧ and ⟦v⟧

r1u,r1v

$

← F r2u,r2v

$

← F r3u,r3v

$

← F r1u,r1v r2u,r2v r3u,r3v

17.05.2014

11

Sharemind’s multiplication protocol

CP1 CP2 CP3 w = uv ⟦v⟧1 ⟦v⟧2 ⟦v⟧3 ⟦u⟧1 ⟦u⟧2 ⟦u⟧3

• 1. Reshare ⟦u⟧ and ⟦v⟧

r1u,r1v

$

← F r2u,r2v

$

← F r3u,r3v

$

← F ∶= ⟦u⟧1 + r1u − r3u ∶= ⟦v⟧1 + r1v − r3v ∶= ⟦u⟧2 + r2u − r1u ∶= ⟦v⟧2 + r2v − r1v ∶= ⟦u⟧3 + r3u − r2u ∶= ⟦v⟧3 + r3v − r2v

17.05.2014

11

Sharemind’s multiplication protocol

CP1 CP2 CP3 w = uv ⟦v⟧1 ⟦v⟧2 ⟦v⟧3 ⟦u⟧1 ⟦u⟧2 ⟦u⟧3

• 2. Replicate shares

17.05.2014

11

Sharemind’s multiplication protocol

CP1 CP2 CP3 w = uv ⟦v⟧1 ⟦v⟧2 ⟦v⟧3 ⟦u⟧1 ⟦u⟧2 ⟦u⟧3

• 2. Replicate shares

⟦u⟧1,⟦v⟧1 ⟦u⟧2,⟦v⟧2 ⟦u⟧3,⟦v⟧3

17.05.2014

11

Sharemind’s multiplication protocol

CP1 CP2 CP3 w = uv ⟦v⟧1 ⟦v⟧2 ⟦v⟧3 ⟦u⟧1 ⟦u⟧2 ⟦u⟧3 ⟦u⟧3 ⟦v⟧3 ⟦u⟧1 ⟦v⟧1 ⟦u⟧2 ⟦v⟧2

17.05.2014

11

Sharemind’s multiplication protocol

CP1 CP2 CP3 w = uv ⟦v⟧1 ⟦v⟧2 ⟦v⟧3 ⟦u⟧1 ⟦u⟧2 ⟦u⟧3 ⟦u⟧3 ⟦v⟧3 ⟦u⟧1 ⟦v⟧1 ⟦u⟧2 ⟦v⟧2

• 3. Compute ⟦w⟧i ∶= ⟦u⟧i⟦v⟧i + ⟦u⟧i⟦v⟧i−1 + ⟦u⟧i−1⟦v⟧i

⟦w⟧1 ⟦w⟧2 ⟦w⟧3

17.05.2014

11

Sharemind’s multiplication protocol

CP1 CP2 CP3 w = uv ⟦v⟧1 ⟦v⟧2 ⟦v⟧3 ⟦u⟧1 ⟦u⟧2 ⟦u⟧3 ⟦u⟧3 ⟦v⟧3 ⟦u⟧1 ⟦v⟧1 ⟦u⟧2 ⟦v⟧2 ⟦w⟧1 ⟦w⟧2 ⟦w⟧3

• 4. Reshare ⟦w⟧

17.05.2014

11

Sharemind’s multiplication protocol

CP1 CP2 CP3 w = uv ⟦v⟧1 ⟦v⟧2 ⟦v⟧3 ⟦u⟧1 ⟦u⟧2 ⟦u⟧3 ⟦u⟧3 ⟦v⟧3 ⟦u⟧1 ⟦v⟧1 ⟦u⟧2 ⟦v⟧2 ⟦w⟧1 ⟦w⟧2 ⟦w⟧3

• 4. Reshare ⟦w⟧

r1w

$

← F r2w

$

← F r3w

$

← F

17.05.2014

11

Sharemind’s multiplication protocol

CP1 CP2 CP3 w = uv ⟦v⟧1 ⟦v⟧2 ⟦v⟧3 ⟦u⟧1 ⟦u⟧2 ⟦u⟧3 ⟦u⟧3 ⟦v⟧3 ⟦u⟧1 ⟦v⟧1 ⟦u⟧2 ⟦v⟧2 ⟦w⟧1 ⟦w⟧2 ⟦w⟧3

• 4. Reshare ⟦w⟧

r1w

$

← F r2w

$

← F r3w

$

← F r1w r2w r3w

17.05.2014

11

Sharemind’s multiplication protocol

CP1 CP2 CP3 w = uv ⟦v⟧1 ⟦v⟧2 ⟦v⟧3 ⟦u⟧1 ⟦u⟧2 ⟦u⟧3 ⟦u⟧3 ⟦v⟧3 ⟦u⟧1 ⟦v⟧1 ⟦u⟧2 ⟦v⟧2 ⟦w⟧1 ⟦w⟧2 ⟦w⟧3

• 4. Reshare ⟦w⟧

r1w

$

← F r2w

$

← F r3w

$

← F ∶= ⟦w⟧1 + r1w − r3w ∶= ⟦w⟧2 + r2w − r1w ∶= ⟦w⟧3 + r3w − r2w

17.05.2014

11

Sharemind’s multiplication protocol

Let ⟦⟦u⟧⟧ denote the following replicated sharing of u:

CPi knows ⟦u⟧i,⟦u⟧i−1 ⟦u⟧1 + ⟦u⟧2 + ⟦u⟧3 = u

Multiplication protocol used the following operations:

Reshare(⟦u⟧);

Parties require access to pairwise common sources of randomness

⟦u⟧ ↦ ⟦⟦u⟧⟧ [requires communication]; (⟦⟦u⟧⟧,⟦⟦v⟧⟧) ↦ ⟦uv⟧

17.05.2014

12

Sharemind’s multiplication protocol

Let ⟦⟦u⟧⟧ denote the following replicated sharing of u:

CPi knows ⟦u⟧i,⟦u⟧i−1 ⟦u⟧1 + ⟦u⟧2 + ⟦u⟧3 = u

Multiplication protocol used the following operations:

Reshare(⟦u⟧);

Parties require access to pairwise common sources of randomness

⟦u⟧ ↦ ⟦⟦u⟧⟧ [requires communication]; (⟦⟦u⟧⟧,⟦⟦v⟧⟧) ↦ ⟦uv⟧

If char F = 2, then (∑i ai)2 = ∑i a2

i

More operations are available:

⟦u⟧ ↦ ⟦u2⟧ and ⟦⟦u⟧⟧ ↦ ⟦⟦u2⟧⟧

No communication necessary

17.05.2014

12

Computing ⟦r2⟧,...,⟦rm⟧ from ⟦r⟧ in characteristic 2

Assume m = 22k − 1. Compute ⟦ri⟧ and ⟦⟦ri⟧⟧ for i ∈ {0,...,2k − 1}

If i is even, then use squaring Otherwise compute (⟦⟦r⟧⟧,⟦⟦r i−1⟧⟧) ↦ ⟦r i⟧

Reshare

• → ⟦r i⟧ ↦ ⟦⟦r i⟧⟧.

17.05.2014

13

Computing ⟦r2⟧,...,⟦rm⟧ from ⟦r⟧ in characteristic 2

Assume m = 22k − 1. Compute ⟦ri⟧ and ⟦⟦ri⟧⟧ for i ∈ {0,...,2k − 1}

If i is even, then use squaring Otherwise compute (⟦⟦r⟧⟧,⟦⟦r i−1⟧⟧) ↦ ⟦r i⟧

Reshare

• → ⟦r i⟧ ↦ ⟦⟦r i⟧⟧.

Let s,t ∈ {0,...,2k − 1} Compute ⟦r2ks+t⟧ as follows:

⟦⟦r s⟧⟧ ↦ ⟦⟦r 2s⟧⟧ ↦ ⋯ ↦ ⟦⟦r 2ks⟧⟧ (⟦⟦r 2ks⟧⟧,⟦⟦r t⟧⟧) ↦ ⟦r 2ks+t⟧

17.05.2014

13

Shamir’s secret sharing

n parties. Coalitions of t parties may recover the secret Secret v is an element of F To share v:

Generate a1,...,at−1

$

← F Let f (x) = v + a1x + a2x2 + ⋯ + at−1xt−1 Give the share si = f (i) to party Pi

To recover v from shares si1,...,sit, use Lagrange interpolation

v = ∑t

j=1 λ{i1,...,it} j

sij

Let v

f

• →t (s1,...,sn) denote that v is shared among n parties as

s1,...,sn, using the polynomial f of degree less than t

17.05.2014

14

Adding shared values

v

f

• →t

( s1, ..., sn ) v′

f ′

• →t

( s′

1,

..., s′

n

) v + v′

f +f ′

• →t

( s1 + s′

1,

..., sn + s′

n

)

17.05.2014

15

Multiplying shared values (n ≥ 2t − 1)

P1 knows Pn knows v

f

• →t

( s1, ..., sn ) v′

f ′

• →t

( s′

1,

..., s′

n

) v ⋅ v′

17.05.2014

16

Multiplying shared values (n ≥ 2t − 1)

P1 knows Pn knows v

f

• →t

( s1, ..., sn ) v′

f ′

• →t

( s′

1,

..., s′

n

) v ⋅ v′

f ⋅f ′

• →2t−1

( s1 ⋅ s′

1,

..., sn ⋅ s′

n

)

17.05.2014

16

Multiplying shared values (n ≥ 2t − 1)

P1 knows Pn knows v

f

• →t

( s1, ..., sn ) v′

f ′

• →t

( s′

1,

..., s′

n

) v ⋅ v′

f ⋅f ′

• →2t−1

( s1 ⋅ s′

1,

..., sn ⋅ s′

n

) ↓t ⋯ ↓t ) ) r11, rn1, ⋮ ⋮ r1n, rnn ( (

17.05.2014

16

Multiplying shared values (n ≥ 2t − 1)

P1 knows Pn knows v

f

• →t

( s1, ..., sn ) v′

f ′

• →t

( s′

1,

..., s′

n

) v ⋅ v′

f ⋅f ′

• →2t−1

( s1 ⋅ s′

1,

..., sn ⋅ s′

n

) ↓t ⋯ ↓t ( r11, ... rn1, ) P1 knows ⋮ ⋮ ( r1n, ... rnn ) Pn knows

17.05.2014

16

Multiplying shared values (n ≥ 2t − 1)

P1 knows Pn knows v

f

• →t

( s1, ..., sn ) v′

f ′

• →t

( s′

1,

..., s′

n

) v ⋅ v′

f ⋅f ′

• →2t−1

( s1 ⋅ s′

1,

..., sn ⋅ s′

n

) ↓t ↓t ⋯ ↓t ) w1, →2t−1 ( r11, ... rn1, ) P1 knows ⋮ ⋮ ⋮ wn →2t−1 ( r1n, ... rnn ) Pn knows (

17.05.2014

16

Scalar products of vectors of shared values

vj

fj

• →t

( sj1, ..., sjn ) v′

j f ′

j

• →t

( s′

j1,

..., s′

jn

) ∑

j

vj ⋅ v′

j

17.05.2014

17

Scalar products of vectors of shared values

vj

fj

• →t

( sj1, ..., sjn ) v′

j f ′

j

• →t

( s′

j1,

..., s′

jn

) ∑

j

vj ⋅ v′

j ∑j fj⋅f ′

j

• →2t−1

( ∑

j

sj1 ⋅ s′

j1,

..., ∑

j

sjn ⋅ s′

jn

)

17.05.2014

17

Scalar products of vectors of shared values

vj

fj

• →t

( sj1, ..., sjn ) v′

j f ′

j

• →t

( s′

j1,

..., s′

jn

) ∑

j

vj ⋅ v′

j ∑j fj⋅f ′

j

• →2t−1

( ∑

j

sj1 ⋅ s′

j1,

..., ∑

j

sjn ⋅ s′

jn

) ↓t ↓t ⋯ ↓t ) w1, →2t−1 ( r11, ... rn1, ) ⋮ ⋮ ⋮ wn →2t−1 ( r1n, ... rnn ) (

17.05.2014

17

Free vector-only stage in private lookup

Offline

1 (⟦r⟧,⟦r−1⟧) $

← F∗

2 for k = 2 to m − 1 do ⟦rj⟧ ← ⟦r⟧ ⋅ ⟦rj−1⟧

Vector-only

3 foreach k ∈ {0,...,m − 1} do ⟦ck⟧ ← ∑m l=1 λk,l⟦vl⟧ 4 foreach k ∈ {0,...,m − 1} do ⟦yk⟧ ← ⟦ck⟧ ⋅ ⟦rk⟧

Online

5 z ← declassify(⟦j⟧ ⋅ ⟦r−1⟧) 6 return ∑m−1 k=0 zk⟦yk⟧

17.05.2014

18

Free vector-only stage in private lookup

Offline

1 (⟦r⟧,⟦r−1⟧) $

← F∗

2 for k = 2 to m − 1 do ⟦rj⟧ ← ⟦r⟧ ⋅ ⟦rj−1⟧

Vector-only

3 foreach k ∈ {0,...,m − 1} do ⟦ck⟧ ← ∑m l=1 λk,l⟦vl⟧

Online

4 z ← declassify(⟦j⟧ ⋅ ⟦r−1⟧) 5 foreach k ∈ {0,...,m − 1} do ⟦yk⟧ ← ⟦ck⟧ ⋅ ⟦rk⟧ 6 return ∑m−1 k=0 zk⟦yk⟧

17.05.2014

18

Free vector-only stage in private lookup

Offline

1 (⟦r⟧,⟦r−1⟧) $

← F∗

2 for k = 2 to m − 1 do ⟦rj⟧ ← ⟦r⟧ ⋅ ⟦rj−1⟧

Vector-only

3 foreach k ∈ {0,...,m − 1} do ⟦ck⟧ ← ∑m l=1 λk,l⟦vl⟧

Online

4 z ← declassify(⟦j⟧ ⋅ ⟦r−1⟧) 5 return ∑m−1 k=0 zk⟦ck⟧ ⋅ ⟦rk⟧

17.05.2014

18

Free vector-only stage in private lookup

Offline

1 (⟦r⟧,⟦r−1⟧) $

← F∗

2 for k = 2 to m − 1 do ⟦rj⟧ ← ⟦r⟧ ⋅ ⟦rj−1⟧

Vector-only

3 foreach k ∈ {0,...,m − 1} do ⟦ck⟧ ← ∑m l=1 λk,l⟦vl⟧

Online

4 z ← declassify(⟦j⟧ ⋅ ⟦r−1⟧) 5 foreach k ∈ {0,...,m − 1} do ⟦zk⟧ ← zk⟦ck⟧ 6 return ∑m−1 k=0 ⟦zk⟧ ⋅ ⟦rk⟧

17.05.2014

18

Other uses for private lookup algorithm

We have implemented the (sequential) DFA execution algorithm The lookup algorithm can be used, whenever we need to

Read from private positions Write into public positions

Examples:

Bellman-Ford algorithm in sparse graphs Knuth-Morris-Pratt algorithm

17.05.2014

19

Minimizing deterministic finite automata

q1 q2 q3 q4 q5 q6 a b a b a b a b a b a b

17.05.2014

20

Minimizing deterministic finite automata

unreachable q1 q2 q3 q4 q5 q6 a b a b a b a b a b a b

17.05.2014

20

Minimizing deterministic finite automata

unreachable equivalent states q1 q2 q3 q4 q5 q6 a b a b a b a b a b a b

17.05.2014

20

Private shuffle

⟦a1⟧ ⟦a2⟧ ⟦a3⟧ ⟦a4⟧ ⟦a5⟧ ⟦a6⟧ ⟦a7⟧ ⟦a8⟧

17.05.2014

21

Private shuffle

⟦a1⟧ ⟦a2⟧ ⟦a3⟧ ⟦a4⟧ ⟦a5⟧ ⟦a6⟧ ⟦a7⟧ ⟦a8⟧ σ

17.05.2014

21

Private shuffle

⟦a1⟧ ⟦a2⟧ ⟦a3⟧ ⟦a4⟧ ⟦a5⟧ ⟦a6⟧ ⟦a7⟧ ⟦a8⟧ ⟦b1⟧ ⟦b2⟧ ⟦b3⟧ ⟦b4⟧ ⟦b5⟧ ⟦b6⟧ ⟦b7⟧ ⟦b8⟧ σ bi = aσ(i) for all i ∈ {1,...,n}

17.05.2014

21

Private shuffle

⟦a1⟧ ⟦a2⟧ ⟦a3⟧ ⟦a4⟧ ⟦a5⟧ ⟦a6⟧ ⟦a7⟧ ⟦a8⟧ ⟦b1⟧ ⟦b2⟧ ⟦b3⟧ ⟦b4⟧ ⟦b5⟧ ⟦b6⟧ ⟦b7⟧ ⟦b8⟧ σ bi = aσ(i) for all i ∈ {1,...,n} σ ∈ Sn is provided by an input party How to represent σ and do the shuffle if σ itself is private?

17.05.2014

21

Private shuffle

⟦a1⟧ ⟦a2⟧ ⟦a3⟧ ⟦a4⟧ ⟦a5⟧ ⟦a6⟧ ⟦a7⟧ ⟦a8⟧ ⟦b1⟧ ⟦b2⟧ ⟦b3⟧ ⟦b4⟧ ⟦b5⟧ ⟦b6⟧ ⟦b7⟧ ⟦b8⟧ σ bi = aσ(i) for all i ∈ {1,...,n} σ ∈ Sn is provided by an input party How to represent σ and do the shuffle if σ itself is private? σ = ((σ1,σ2),(σ2,σ3),(σ3,σ1))

σ = σ1 ○ σ2 ○ σ3; σ1,σ2,σ3 are random elements of Sn.

17.05.2014

21

Private shuffle

⟦a1⟧ ⟦a2⟧ ⟦a3⟧ ⟦a4⟧ ⟦a5⟧ ⟦a6⟧ ⟦a7⟧ ⟦a8⟧ ⟦b1⟧ ⟦b2⟧ ⟦b3⟧ ⟦b4⟧ ⟦b5⟧ ⟦b6⟧ ⟦b7⟧ ⟦b8⟧ σ ⟦a1⟧ ⟦a2⟧ ⟦a3⟧ ⟦a4⟧ ⟦a5⟧ ⟦a6⟧ ⟦a7⟧ ⟦a8⟧ ⟦b1⟧ ⟦b2⟧ ⟦b3⟧ ⟦b4⟧ ⟦b5⟧ ⟦b6⟧ ⟦b7⟧ ⟦b8⟧ σ1 σ2 σ3

17.05.2014

21

Private shuffle

⟦a1⟧ ⟦a2⟧ ⟦a3⟧ ⟦a4⟧ ⟦a5⟧ ⟦a6⟧ ⟦a7⟧ ⟦a8⟧ ⟦b1⟧ ⟦b2⟧ ⟦b3⟧ ⟦b4⟧ ⟦b5⟧ ⟦b6⟧ ⟦b7⟧ ⟦b8⟧ σ ⟦a1⟧ ⟦a2⟧ ⟦a3⟧ ⟦a4⟧ ⟦a5⟧ ⟦a6⟧ ⟦a7⟧ ⟦a8⟧ ⟦b1⟧ ⟦b2⟧ ⟦b3⟧ ⟦b4⟧ ⟦b5⟧ ⟦b6⟧ ⟦b7⟧ ⟦b8⟧ σ1 σ2 σ3 unknown to CP2 unknown to CP3 unknown to CP1

17.05.2014

21

Shuffling protocol

CP1 CP2 CP3 ⟦⃗ a⟧1 ⟦⃗ a⟧2 ⟦⃗ a⟧3 σ1,σ2 σ2,σ3 σ3,σ1

17.05.2014

22

Shuffling protocol

CP1 CP2 CP3 ⟦⃗ a⟧1 ⟦⃗ a⟧2 ⟦⃗ a⟧3 σ1,σ2 σ2,σ3 σ3,σ1 ⃗ r1 ⟦⃗ a⟧2 − ⃗ r1

17.05.2014

22

Shuffling protocol

CP1 CP2 CP3 ⟦⃗ a⟧1 ⟦⃗ a⟧2 ⟦⃗ a⟧3 σ1,σ2 σ2,σ3 σ3,σ1 ⃗ r1 ⟦⃗ a⟧2 − ⃗ r1 ∶= ⟦⃗ a⟧1 + ⃗ r1 ∶= ⃗ ∶= ⟦⃗ a⟧3 + ⟦⃗ a⟧2 − ⃗ r1

17.05.2014

22

Shuffling protocol

CP1 CP2 CP3 ⟦⃗ a⟧1 ⟦⃗ a⟧2 ⟦⃗ a⟧3 σ1,σ2 σ2,σ3 σ3,σ1 Party CPi shuffles ⟦⃗ a⟧i using σ1 = ⃗

17.05.2014

22

Shuffling protocol

CP1 CP2 CP3 ⟦⃗ a⟧1 ⟦⃗ a⟧2 ⟦⃗ a⟧3 σ1,σ2 σ2,σ3 σ3,σ1 ⃗ r2 ⟦⃗ a⟧3 − ⃗ r2

17.05.2014

22

Shuffling protocol

CP1 CP2 CP3 ⟦⃗ a⟧1 ⟦⃗ a⟧2 ⟦⃗ a⟧3 σ1,σ2 σ2,σ3 σ3,σ1 ⃗ r2 ⟦⃗ a⟧3 − ⃗ r2 ∶= ⟦⃗ a⟧1 + ⟦⃗ a⟧3 − ⃗ r2 ∶= ⃗ ∶= ⟦⃗ a⟧2 + ⃗ r2

17.05.2014

22

Shuffling protocol

CP1 CP2 CP3 ⟦⃗ a⟧1 ⟦⃗ a⟧2 ⟦⃗ a⟧3 σ1,σ2 σ2,σ3 σ3,σ1 Party CPi shuffles ⟦⃗ a⟧i using σ2 = ⃗

17.05.2014

22

Shuffling protocol

CP1 CP2 CP3 ⟦⃗ a⟧1 ⟦⃗ a⟧2 ⟦⃗ a⟧3 σ1,σ2 σ2,σ3 σ3,σ1 ⃗ r3 ⟦⃗ a⟧1 − ⃗ r3

17.05.2014

22

Shuffling protocol

CP1 CP2 CP3 ⟦⃗ a⟧1 ⟦⃗ a⟧2 ⟦⃗ a⟧3 σ1,σ2 σ2,σ3 σ3,σ1 ⃗ r3 ⟦⃗ a⟧1 − ⃗ r3 ∶= ⟦⃗ a⟧3 + ⟦⃗ a⟧1 − ⃗ r3 ∶= ⃗ ∶= ⟦⃗ a⟧2 + ⃗ r3

17.05.2014

22

Shuffling protocol

CP1 CP2 CP3 ⟦⃗ a⟧1 ⟦⃗ a⟧2 ⟦⃗ a⟧3 σ1,σ2 σ2,σ3 σ3,σ1 Party CPi shuffles ⟦⃗ a⟧i using σ3 = ⃗

17.05.2014

22

Shuffling protocol

CP1 CP2 CP3 ⟦⃗ a⟧1 ⟦⃗ a⟧2 ⟦⃗ a⟧3 σ1,σ2 σ2,σ3 σ3,σ1 Reshare

17.05.2014

22

Security against malicious adversaries

. . . is possible. Use Shamir’s (4,2)-secret sharing.

One malicious party among four is tolerated.

Use a protocol set based on homomorphic commitments.

Cramer and Damg˚

• ard. Multiparty Computation, an Introduction.

Contemporary Cryptology, Adv. Courses in Math. CRM Barcelona, 2005

Let σ = σ1 ○ ⋯ ○ σ4. Party CPi misses σi. CP1 and CP2 can detect if CP3 did not permute its shares according to σ4.

They’ll complain. σ4 can then be made public.

17.05.2014

23

Use for sorting

Computing parties can generate a sharing σ of a random σ.

CPi constructs a random σi ∈ Sn and sends it to CPi−1.

After randomly shuffling an array, the comparison results between its elements may be made public

If all elements of the array are different

After shuffling, we can use any sorting method to sort a private array.

No need to use data-oblivious methods, e.g. sorting networks

17.05.2014

24

Remembering the sorting permutation

3 2 5 6 1 4

17.05.2014

25

Remembering the sorting permutation

3 2 5 6 1 4 σ′

1

σ′

2

σ′

3

17.05.2014

25

Remembering the sorting permutation

3 2 5 6 1 4 4 2 5 3 6 1 σ′

1

5 3 2 1 4 6 σ′

2

5 2 6 3 4 1 σ′

3

17.05.2014

25

Remembering the sorting permutation

3 2 5 6 1 4 4 2 5 3 6 1 σ′

1

5 3 2 1 4 6 σ′

2

5 2 6 3 4 1 σ′

3

1 2 3 4 5 6 τ

17.05.2014

25

Remembering the sorting permutation

3 2 5 6 1 4 4 2 5 3 6 1 σ′

1

5 3 2 1 4 6 σ′

2

5 2 6 3 4 1 σ′

3

1 2 3 4 5 6 τ σ1 ∶= σ′

1; σ2 ∶= σ′ 2; σ3 ∶= σ′ 3 ○ τ

σ′

i is generated by those CPj1 and CPj2 that are supposed to

know σi afterwards

17.05.2014

25

From ⟦σ⟧ to σ

3 2 5 6 1 4

17.05.2014

26

From ⟦σ⟧ to σ

3 2 5 6 1 4 4 2 5 3 6 1 σ′

1

5 3 2 1 4 6 σ′

2

5 2 6 3 4 1 σ′

3

1 2 3 4 5 6 τ

17.05.2014

26

From ⟦σ⟧ to σ

3 2 5 6 1 4 4 2 5 3 6 1 σ′

1

5 3 2 1 4 6 σ′

2

5 2 6 3 4 1 σ′

3

1 2 3 4 5 6 τ σ1 ∶= τ −1 ○ σ′

3 −1

σ2 ∶= σ′

2 −1

σ3 ∶= σ′

1 −1

17.05.2014

26

Extended permutations

⟦a1⟧ ⟦a2⟧ ⟦a3⟧ ⟦a4⟧ ⟦a5⟧ ⟦a6⟧ ⟦b1⟧ ⟦b2⟧ ⟦b3⟧ ⟦b4⟧ ⟦b5⟧ ⟦b6⟧ ⟦b7⟧ ⟦b8⟧ ⟦b9⟧ ⟦b10⟧ f f ∶ [m] → [n], where [n] = {1,...,n}

In our example, m = 10, n = 6

f is private, given by some IPi f could represent

Structure of some arithmetic circuit

Private function evaluation

Transition function of some state machine

Operations with finite automata

17.05.2014

27

Representing an extended permutation

Theorem

For any m,n, there exist ℓm,n = (1 + o(1))(m ⋅ lnm), gm,n ∶ [ℓm,n] → [n], such that for all f ∶ [m] → [n], there exist τ ∈ Sℓm,n, σ ∈ Sn, such that f = σ ○ gm,n ○ τ. Private f can be encoded as σ,τ

17.05.2014

28

ℓm,n and gm,n

n ℓm,n =

n

∑

i=1

⌊m i ⌋ m ⌊m/2⌋ ⌊m/3⌋ ⌊m/n⌋ . . . . . . gm,n σ sorts (a1,...,an) by the number of copies made from each element by the extended permutation.

17.05.2014

29

Example

⟦a1⟧ ⟦a2⟧ ⟦a3⟧ ⟦a4⟧ ⟦a5⟧ ⟦a6⟧ ⟦b1⟧ ⟦b2⟧ ⟦b3⟧ ⟦b4⟧ ⟦b5⟧ ⟦b6⟧ ⟦b7⟧ ⟦b8⟧ ⟦b9⟧ ⟦b10⟧

17.05.2014

30

Example

⟦a1⟧ ⟦a2⟧ ⟦a3⟧ ⟦a4⟧ ⟦a5⟧ ⟦a6⟧ ⟦b1⟧ ⟦b2⟧ ⟦b3⟧ ⟦b4⟧ ⟦b5⟧ ⟦b6⟧ ⟦b7⟧ ⟦b8⟧ ⟦b9⟧ ⟦b10⟧

17.05.2014

30

Example

⟦a1⟧ ⟦a2⟧ ⟦a3⟧ ⟦a4⟧ ⟦a5⟧ ⟦a6⟧ ⟦b1⟧ ⟦b2⟧ ⟦b3⟧ ⟦b4⟧ ⟦b5⟧ ⟦b6⟧ ⟦b7⟧ ⟦b8⟧ ⟦b9⟧ ⟦b10⟧

17.05.2014

30

Moore’s partition refining algorithm

q1 q2 q3 q4 q5 q6 a b a b a b a b a b a b

1 1 2 3 3 1

π δ(⋅,a) ∶ Q → Q is an extended permutation.

17.05.2014

31

Moore’s partition refining algorithm

q1 q2 q3 q4 q5 q6 a b a b a b a b a b a b

1 1 2 3 3 1

π

1 1 1 3 3 3

π ○ δ(⋅,a) δ(⋅,a) ∶ Q → Q is an extended permutation.

17.05.2014

31

Moore’s partition refining algorithm

q1 q2 q3 q4 q5 q6 a b a b a b a b a b a b

1 1 2 3 3 1

π

1 1 1 3 3 3

π ○ δ(⋅,a)

3 2 3 1 1 2

π ○ δ(⋅,b) δ(⋅,a) ∶ Q → Q is an extended permutation.

17.05.2014

31

Recomputing the identities of parts

1 3 2 3 3 1 3 3 1 2 1 3 1 1 2 1 1 3 v1 q6 q5 q4 q3 q2 q1

17.05.2014

32

Recomputing the identities of parts

1 3 2 3 3 1 3 3 1 2 1 3 1 1 2 1 1 3 v1 q6 q5 q4 q3 q2 q1 1 1 2 1 1 3 1 3 2 2 1 3 3 3 1 3 3 1 v1 σ σ = sort(v1)

17.05.2014

32

Recomputing the identities of parts

1 3 2 3 3 1 3 3 1 2 1 3 1 1 2 1 1 3 v1 q6 q5 q4 q3 q2 q1 1 1 2 1 1 3 1 3 2 2 1 3 3 3 1 3 3 1 v1 σ 1 1 1 1 1 v2 σ = sort(v1) v2

i ∶= v1 i ≠ v1 i−1

17.05.2014

32

Recomputing the identities of parts

1 3 2 3 3 1 3 3 1 2 1 3 1 1 2 1 1 3 v1 q6 q5 q4 q3 q2 q1 1 1 2 1 1 3 1 3 2 2 1 3 3 3 1 3 3 1 v1 σ 1 1 1 1 1 v2 1 2 3 4 5 5 v3 σ = sort(v1) v2

i ∶= v1 i ≠ v1 i−1

v3 ∶= prefixsum(v2)

17.05.2014

32

Recomputing the identities of parts

1 3 2 3 3 1 3 3 1 2 1 3 1 1 2 1 1 3 v1 q6 q5 q4 q3 q2 q1 1 1 2 1 1 3 1 3 2 2 1 3 3 3 1 3 3 1 v1 σ 1 1 1 1 1 v2 1 2 3 4 5 5 v3 2 1 4 5 5 3 v3 σ−1 σ = sort(v1) v2

i ∶= v1 i ≠ v1 i−1

v3 ∶= prefixsum(v2) unsort(σ,v3)

17.05.2014

32

Finding reachable states

Transitive closure of a graph can be found in O(log n) time with O(n2 log n) work.

Too much work: our automata result from the product construction.

We can run an extended permutation“backwards” :

Given f ∶ [m] → [n] and ⟦b1⟧,...,⟦bm⟧, compute ⟦a1⟧,...,⟦an⟧ by ai = ∑

j∈f −1(i)

bj .

This allows us to iterate“reachability”from the initial state.

17.05.2014

33

Private function evaluation with extended permutations

I1 I2 I3 * * + + * O1 O2

1 2 3 4 5

Hide the contents of nodes and the connections

17.05.2014

34

Private function evaluation with extended permutations

I1 I2 I3 * * + + * O1 O2

1 2 3 4 5

I1 I2 I3 * * + + * * * + + * O1 O2

1 2 3 4 5

Hide the contents of nodes and the connections

17.05.2014

34

Benchmarking PFE

We built a random arithmetic circuit with 200 inputs, K gates, and 100 outputs

Each gate: addition or multiplication (over Z232) Connections: extended permutation with n = K + 200 and m = 2K + 100.

We benchmarked one iteration

• f evaluating the circuit on

Sharemind cluster

One extended permutation An evaluation of all gates Moving data between them

Local operation Rather heavyweight on Sharemind 3

K/106 Perm. Gates Move 0.1 0.5 0.05 0.45 1 6 0.5 4.5 5 35 2.5 23 7 49 3.6 31 8 58 4 35 Times in seconds tperm ≈ 4.54 ⋅ 10−7 ⋅ K lnK (s)

17.05.2014

35

From ⟦f ⟧ to f

1 2 3 4 5 6 7 8 9 10 v1 3 5 3 1 4 4 1 3 4 3 v2

17.05.2014

36

From ⟦f ⟧ to f

1 2 3 4 5 6 7 8 9 10 v1 3 5 3 1 4 4 1 3 4 3 v2 4 7 1 3 8 10 5 6 9 2 v1 1 1 3 3 3 3 4 4 4 5 v2 Sort by v2

17.05.2014

36

From ⟦f ⟧ to f

1 2 3 4 5 6 7 8 9 10 v1 3 5 3 1 4 4 1 3 4 3 v2 4 7 1 3 8 10 5 6 9 2 v1 1 1 3 3 3 3 4 4 4 5 v2 1 1 1 1 v3 v3

i ∶= v2 i /

= v2

i−1

17.05.2014

36

From ⟦f ⟧ to f

1 2 3 4 5 6 7 8 9 10 v1 3 5 3 1 4 4 1 3 4 3 v2 4 7 1 3 8 10 5 6 9 2 v1 1 1 3 3 3 3 4 4 4 5 v2 1 1 1 1 v3 1 3 7 10 v4 v4

i ∶= i ⋅ v3 i

17.05.2014

36

From ⟦f ⟧ to f

1 2 3 4 5 6 7 8 9 10 v1 3 5 3 1 4 4 1 3 4 3 v2 4 7 1 3 8 10 5 6 9 2 v1 1 1 3 3 3 3 4 4 4 5 v2 1 1 1 1 v3 1 3 7 10 v4 4 1 3 8 5 6 7 10 9 2 v1 1 3 3 3 4 4 1 3 4 5 v2 1 1 1 1 v3 1 3 7 10 v4 Sort by v4

17.05.2014

36

From ⟦f ⟧ to f

1 2 3 4 5 6 7 8 9 10 v1 3 5 3 1 4 4 1 3 4 3 v2 4 7 1 3 8 10 5 6 9 2 v1 1 1 3 3 3 3 4 4 4 5 v2 1 1 1 1 v3 1 3 7 10 v4 4 1 3 8 5 6 7 10 9 2 v1 1 3 3 3 4 4 1 3 4 5 v2 1 1 1 1 v3 1 3 7 10 v4 2 4 3 1 v5 v5

i ∶= v3 i ⋅ (v4 i+1 − v4 i )

17.05.2014

36

From ⟦f ⟧ to f

1 2 3 4 5 6 7 8 9 10 v1 3 5 3 1 4 4 1 3 4 3 v2 4 7 1 3 8 10 5 6 9 2 v1 1 1 3 3 3 3 4 4 4 5 v2 1 1 1 1 v3 1 3 7 10 v4 4 1 3 8 5 6 7 10 9 2 v1 1 3 3 3 4 4 1 3 4 5 v2 1 1 1 1 v3 1 3 7 10 v4 2 4 3 1 v5 For σ, take last n rows of v2 and v5, masked by v3

17.05.2014

36

From ⟦f ⟧ to f

1 2 3 4 5 6 7 8 9 10 v1 3 5 3 1 4 4 1 3 4 3 v2 4 7 1 3 8 10 5 6 9 2 v1 1 1 3 3 3 3 4 4 4 5 v2 1 1 1 1 v3 1 3 7 10 v4 4 1 3 8 5 6 7 10 9 2 v1 1 3 3 3 4 4 1 3 4 5 v2 1 1 1 1 v3 1 3 7 10 v4 2 4 3 1 v5 3 4 1 5 v2 4 3 2 1 v5 Sort by v5, decreasing

17.05.2014

36

From ⟦f ⟧ to f

1 2 3 4 5 6 7 8 9 10 v1 3 5 3 1 4 4 1 3 4 3 v2 4 7 1 3 8 10 5 6 9 2 v1 1 1 3 3 3 3 4 4 4 5 v2 1 1 1 1 v3 1 3 7 10 v4 4 1 3 8 5 6 7 10 9 2 v1 1 3 3 3 4 4 1 3 4 5 v2 1 1 1 1 v3 1 3 7 10 v4 2 4 3 1 v5 3 4 1 5 v2 4 3 2 1 v5 This is almost σ

17.05.2014

36

Filling the missing values

1 2 6 3 5 8 v1

17.05.2014

37

Filling the missing values

1 2 6 3 5 8 v1 1 2 3 5 6 8 v1 σ1

17.05.2014

37

Filling the missing values

1 2 6 3 5 8 v1 1 2 3 5 6 8 v1 σ1 1 1 v2 v2

i ∶= v1 i ≤ ⌈n/2⌉

17.05.2014

37

Filling the missing values

1 2 6 3 5 8 v1 1 2 3 5 6 8 v1 σ1 1 1 v2 3 5 1 2 6 8 v1 σ2 v2

i ∶= v1 i ≤ ⌈n/2⌉

σ2 is locally computed from ⟦⟦v2⟧⟧ (shared over Z2)

17.05.2014

37

Filling the missing values

1 2 6 3 5 8 v1 1 2 3 5 6 8 v1 σ1 1 1 v2 3 5 1 2 6 8 v1 σ2 v2

i ∶= v1 i ≤ ⌈n/2⌉

σ2 is locally computed from ⟦⟦v2⟧⟧ (shared over Z2) Do both sides separately Bottom is already sorted. Top is almost sorted.

17.05.2014

37

Filling the missing values

1 2 6 3 5 8 v1 1 2 3 5 6 8 v1 σ1 1 1 v2 3 5 1 2 6 8 v1 σ2 1 v3 v2

i ∶= v1 i ≤ ⌈n/2⌉

σ2 is locally computed from ⟦⟦v2⟧⟧ (shared over Z2) Do both sides separately Bottom is already sorted. Top is almost sorted. v3

i ∶= v1 i > v1 i+1

17.05.2014

37

Filling the missing values

1 2 6 3 5 8 v1 1 2 3 5 6 8 v1 σ1 1 1 v2 3 5 1 2 6 8 v1 σ2 1 v3 1 2 3 5 σ3 v1 v2

i ∶= v1 i ≤ ⌈n/2⌉

σ2 is locally computed from ⟦⟦v2⟧⟧ (shared over Z2) Do both sides separately Bottom is already sorted. Top is almost sorted. v3

i ∶= v1 i > v1 i+1

Let ⟦s⟧ = (1,...,⌈n

2⌉) ⋅ ⟦v3⟧

⟦s⟧ is shared over Z⌈n/2⌉

σ3 is locally computed from ⟦⟦s⟧⟧

17.05.2014

37

Composing shared permutations

permutation σ1,τ1 σ2,τ2 σ3,τ3 known by CP1,CP2 CP1,CP3 CP2,CP3 σ = σ1 ○ σ2 ○ σ3. τ = τ1 ○ τ2 ○ τ3. Represent σ ○ τ = f1 ○ f2 ○ f3

17.05.2014

38

Composing shared permutations

permutation σ1,τ1 σ2,τ2 σ3,τ3 known by CP1,CP2 CP1,CP3 CP2,CP3 σ = σ1 ○ σ2 ○ σ3. τ = τ1 ○ τ2 ○ τ3. Represent σ ○ τ = f1 ○ f2 ○ f3 CP2 randomly generates ρ1,ρ3, such that ρ1 ○ ρ3 = σ3 ○ τ1 CP1 and CP3 together randomly generate ρ′

1,ρ′ 2,ρ′ 3, such that

ρ′

1 ○ ρ′ 2 ○ ρ′ 3 = 1

CP2 sends ρi to CPi Define

f1 = σ1 ○ σ2 ○ ρ1 ○ ρ′

1

f2 = ρ′

2

f3 = ρ′

3 ○ ρ3 ○ τ2 ○ τ3

CPi sends fi to CP2 (i ∈ {1,3}) Secure: everybody receives only random permutations

17.05.2014

38

From ⟦f ⟧ to f

1 3 3 3 4 4 1 3 4 5 v2 2 4 3 1 v5 3 4 1 5 v2 4 3 2 1 v5

17.05.2014

39

From ⟦f ⟧ to f

1 3 3 3 4 4 1 3 4 5 v2 2 4 3 1 v5 3 4 1 5 v2 4 3 2 1 v5 1 11 16 19 21 v6 v6

m−n+i = 1 + ∑i−1 j=1⌊m j ⌋

17.05.2014

39

From ⟦f ⟧ to f

1 3 3 3 4 4 1 3 4 5 v2 2 4 3 1 v5 3 4 1 5 v2 4 3 2 1 v5 1 11 16 19 21 v6 1 3 4 5 v2 2 4 3 1 v5 21 16 1 11 19 v6 Undo last sort

17.05.2014

39

From ⟦f ⟧ to f

1 3 3 3 4 4 1 3 4 5 v2 2 4 3 1 v5 3 4 1 5 v2 4 3 2 1 v5 1 11 16 19 21 v6 1 3 4 5 v2 2 4 3 1 v5 21 16 1 11 19 v6 1 16

• 16

7 6 v7

i =

⎧ ⎪ ⎪ ⎪ ⎪ ⎨ ⎪ ⎪ ⎪ ⎪ ⎩ 1, v2

i = 0

v6

i ,

v2

i /

= 0 ∧ v2

i−1 = 0

v6

i − v6 i−1 − v5 i−1 + 1,

v2

i−1 /

= 0 v7

17.05.2014

39

From ⟦f ⟧ to f

1 3 3 3 4 4 1 3 4 5 v2 2 4 3 1 v5 3 4 1 5 v2 4 3 2 1 v5 1 11 16 19 21 v6 1 3 4 5 v2 2 4 3 1 v5 21 16 1 11 19 v6 1 16

• 16

7 6 1 1 1 1 1 v7

17.05.2014

39

From ⟦f ⟧ to f

1 3 3 3 4 4 1 3 4 5 v2 2 4 3 1 v5 3 4 1 5 v2 4 3 2 1 v5 1 11 16 19 21 v6 1 3 4 5 v2 2 4 3 1 v5 21 16 1 11 19 v6 1 16

• 16

7 6 1 1 1 1 1 v7 1 1 3 3 3 3 4 4 4 5 16 1

• 16

1 1 1 7 1 1 6 v2 v7 Anti-stable sort by v2

17.05.2014

39

From ⟦f ⟧ to f

1 3 3 3 4 4 1 3 4 5 v2 2 4 3 1 v5 3 4 1 5 v2 4 3 2 1 v5 1 11 16 19 21 v6 1 3 4 5 v2 2 4 3 1 v5 21 16 1 11 19 v6 1 16

• 16

7 6 1 1 1 1 1 v7 1 1 3 3 3 3 4 4 4 5 16 1

• 16

1 1 1 7 1 1 6 v2 v7 16 17 1 2 3 4 11 12 13 19 v8 v8 = prefixsum(v7)

17.05.2014

39

From ⟦f ⟧ to f

1 3 3 3 4 4 1 3 4 5 v2 2 4 3 1 v5 3 4 1 5 v2 4 3 2 1 v5 1 11 16 19 21 v6 1 3 4 5 v2 2 4 3 1 v5 21 16 1 11 19 v6 1 16

• 16

7 6 1 1 1 1 1 v7 1 1 3 3 3 3 4 4 4 5 16 1

• 16

1 1 1 7 1 1 6 v2 v7 16 17 1 2 3 4 11 12 13 19 v8 ⋮ 4 7 1 3 8 10 5 6 9 2 v1

17.05.2014

39

From ⟦f ⟧ to f

16 17 1 2 3 4 11 12 13 19 v8 Undo all sorts v8 is almost τ −1 ⋮ 4 7 1 3 8 10 5 6 9 2 v1

17.05.2014

39

High-level take-away

Secure multiparty computation is a versatile technology. There are certain functionalities that

can be efficiently implemented in privacy-preserving manner; are useful subroutines in many tasks.

One should actively look for such functionalities.

The search for them is not too active right now. Successful search can quickly bring significant rewards.

17.05.2014

40