Slide 11: Sharemind's multiplication protocol (17.05.2014)

Setting: three computing parties $CP_1, CP_2, CP_3$ hold additive shares $[\![u]\!]_i$, $[\![v]\!]_i$ of $u$ and $v$; after the replication step $CP_i$ also holds $[\![u]\!]_{i-1}$, $[\![v]\!]_{i-1}$ (indices modulo 3), and each party has computed a local share $[\![w]\!]_i$ of $w = uv$.

4. Reshare $[\![w]\!]$. For each $i$, parties $CP_i$ and $CP_{i+1}$ draw $r^w_i \xleftarrow{\$} F$ from their pairwise common randomness source (so $r^w_1$ is known to $CP_1, CP_2$; $r^w_2$ to $CP_2, CP_3$; $r^w_3$ to $CP_3, CP_1$), and each party updates its share locally:
$[\![w]\!]_1 := [\![w]\!]_1 + r^w_1 - r^w_3$
$[\![w]\!]_2 := [\![w]\!]_2 + r^w_2 - r^w_1$
$[\![w]\!]_3 := [\![w]\!]_3 + r^w_3 - r^w_2$
The three corrections sum to zero, so $[\![w]\!]_1 + [\![w]\!]_2 + [\![w]\!]_3 = w$ still holds, while the new triple is a fresh uniformly random sharing of $w$ that no longer reveals the local product terms; it can therefore be used as input to further protocols.
Slide 12: Sharemind's multiplication protocol

Let $[\![\![u]\!]\!]$ denote the following replicated sharing of $u$: $CP_i$ knows $[\![u]\!]_i$ and $[\![u]\!]_{i-1}$, where $[\![u]\!]_1 + [\![u]\!]_2 + [\![u]\!]_3 = u$.

The multiplication protocol used the following operations:
Reshare$([\![u]\!])$; the parties require access to pairwise common sources of randomness.
$[\![u]\!] \mapsto [\![\![u]\!]\!]$ [requires communication: each $CP_i$ sends $[\![u]\!]_i$ to $CP_{i+1}$].
$([\![\![u]\!]\!], [\![\![v]\!]\!]) \mapsto [\![uv]\!]$ [local: $CP_i$ computes $[\![u]\!]_i [\![v]\!]_i + [\![u]\!]_i [\![v]\!]_{i-1} + [\![u]\!]_{i-1} [\![v]\!]_i$; summed over $i$ these cover the nine terms of $uv$ exactly once].

If $\operatorname{char} F = 2$, then $(\sum_i a_i)^2 = \sum_i a_i^2$, since every cross term $2 a_i a_j$ vanishes. More operations are then available with no communication necessary: $[\![u]\!] \mapsto [\![u^2]\!]$ and $[\![\![u]\!]\!] \mapsto [\![\![u^2]\!]\!]$ (each party squares its own share or shares).
Slide 13: Computing $[\![r^2]\!], \dots, [\![r^m]\!]$ from $[\![r]\!]$ in characteristic 2

Assume $m = 2^{2k} - 1$.
Compute $[\![r^i]\!]$ and $[\![\![r^i]\!]\!]$ for $i \in \{0, \dots, 2^k - 1\}$:
if $i$ is even, use squaring ($[\![\![r^{i/2}]\!]\!] \mapsto [\![\![r^i]\!]\!]$, local);
otherwise compute $([\![\![r]\!]\!], [\![\![r^{i-1}]\!]\!]) \mapsto [\![r^i]\!]$, then Reshare $[\![r^i]\!]$ and replicate it, $[\![r^i]\!] \mapsto [\![\![r^i]\!]\!]$.
Let $s, t \in \{0, \dots, 2^k - 1\}$. Compute $[\![r^{2^k s + t}]\!]$ as follows:
$[\![\![r^s]\!]\!] \mapsto [\![\![r^{2s}]\!]\!] \mapsto \dots \mapsto [\![\![r^{2^k s}]\!]\!]$ ($k$ local squarings);
$([\![\![r^{2^k s}]\!]\!], [\![\![r^t]\!]\!]) \mapsto [\![r^{2^k s + t}]\!]$ (one local multiplication).
Every exponent in $1, \dots, m$ has the form $2^k s + t$, so only the odd exponents below $2^k$ need a replication round; all the remaining products are formed from replicated sharings that are already available.
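The following is an added example, not code from the slides or from Sharemind: it simulates the three-party additive sharing of slides 11-13 in one process, with replicate / local multiply / reshare as described there, and then follows the characteristic-2 power schedule of slide 13 and counts how many share transfers it needs compared with the naive chain. The field GF(2^8) with the AES reduction polynomial, and the counting of "messages" as share transfers, are assumptions of this example.

```python
"""Added example (not from the slides): three-party additive sharing over
GF(2^8) with the Sharemind-style steps replicate / local multiply /
reshare, and the characteristic-2 tricks of slides 12-13: local squaring
and the r^2..r^m schedule for m = 2^(2k) - 1."""
import secrets

# GF(2^8) with the AES reduction polynomial x^8 + x^4 + x^3 + x + 1
# (the choice of field is an assumption of this example).
def gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def share(u):
    """Additive sharing [u] = (u_1, u_2, u_3) with u_1 + u_2 + u_3 = u."""
    u1, u2 = secrets.randbelow(256), secrets.randbelow(256)
    return [u1, u2, u ^ u1 ^ u2]          # + and - are XOR in characteristic 2

def reconstruct(sh):
    return sh[0] ^ sh[1] ^ sh[2]

MESSAGES = [0]                             # counts share transfers between parties

def replicate(sh):
    """[u] -> [[u]]: CP_i sends u_i to CP_{i+1}; afterwards CP_i holds
    (u_i, u_{i-1}). This is the only step that needs communication."""
    MESSAGES[0] += 3
    return [(sh[i], sh[(i - 1) % 3]) for i in range(3)]

def mul_local(rep_u, rep_v):
    """([[u]], [[v]]) -> [uv] without communication. CP_i computes
    u_i v_i + u_i v_{i-1} + u_{i-1} v_i; over i = 1..3 these are the nine
    terms of (u_1+u_2+u_3)(v_1+v_2+v_3), each exactly once."""
    return [gf_mul(ui, vi) ^ gf_mul(ui, vp) ^ gf_mul(up, vi)
            for (ui, up), (vi, vp) in zip(rep_u, rep_v)]

def reshare(sh):
    """Slide 11, step 4. r_i comes from the randomness shared by CP_i and
    CP_{i+1}; CP_i adds r_i - r_{i-1}. The corrections sum to zero, so the
    secret is unchanged, but the new shares are uniformly random and no
    longer reveal the local product terms."""
    r = [secrets.randbelow(256) for _ in range(3)]
    return [sh[i] ^ r[i] ^ r[(i - 1) % 3] for i in range(3)]

def secure_mul(sh_u, sh_v):
    return reshare(mul_local(replicate(sh_u), replicate(sh_v)))

def square_local(sh):
    """[u] -> [u^2] for free: (sum a_i)^2 = sum a_i^2 when char F = 2."""
    return [gf_mul(x, x) for x in sh]

def square_replicated(rep):
    """[[u]] -> [[u^2]], also local: each party squares both its shares."""
    return [(gf_mul(a, a), gf_mul(b, b)) for a, b in rep]

def shared_powers(sh_r, k):
    """{i: [r^i]} for i = 1..m, m = 2^(2k)-1, following slide 13: build
    [[r^i]] for i < 2^k (even i by squaring, odd i by one multiplication
    plus a replication), then r^(2^k s + t) from k local squarings of
    [[r^s]] and one local product with [[r^t]]."""
    base = 1 << k
    rep = {1: replicate(sh_r)}
    add = {1: sh_r}
    for i in range(2, base):
        if i % 2 == 0:
            rep[i] = square_replicated(rep[i // 2])
        else:
            rep[i] = replicate(reshare(mul_local(rep[1], rep[i - 1])))
        add[i] = [a for a, _ in rep[i]]    # first component = additive share
    for s in range(1, base):
        hi = rep[s]
        for _ in range(k):
            hi = square_replicated(hi)      # [[r^(2^k s)]], no communication
        add[base * s] = [a for a, _ in hi]
        for t in range(1, base):
            add[base * s + t] = reshare(mul_local(hi, rep[t]))
    return add

def naive_powers(sh_r, m):
    """For comparison: the chain r^i = r * r^(i-1), one replication per step."""
    rep_r = replicate(sh_r)
    add = {1: sh_r}
    for i in range(2, m + 1):
        add[i] = reshare(mul_local(rep_r, replicate(add[i - 1])))
    return add

def messages_used(fn, *args):
    MESSAGES[0] = 0
    fn(*args)
    return MESSAGES[0]
```

With $k = 2$ ($m = 15$) the schedule replicates only $r$ and $r^3$ (six share transfers), whereas the chain replicates every intermediate power (45 transfers); the reshare steps cost randomness but no messages.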
Slide 14: Shamir's secret sharing

$n$ parties; coalitions of $t$ parties may recover the secret. The secret $v$ is an element of $F$.
To share $v$: generate $a_1, \dots, a_{t-1} \xleftarrow{\$} F$, let $f(x) = v + a_1 x + a_2 x^2 + \dots + a_{t-1} x^{t-1}$, and give the share $s_i = f(i)$ to party $P_i$.
To recover $v$ from shares $s_{i_1}, \dots, s_{i_t}$, use Lagrange interpolation: $v = \sum_{j=1}^{t} \lambda_j^{\{i_1, \dots, i_t\}} s_{i_j}$, where $\lambda_j^{\{i_1, \dots, i_t\}} = \prod_{l \ne j} \frac{i_l}{i_l - i_j}$ is the coefficient for evaluating $f$ at $0$.
Let $v \xrightarrow{f}_{t} (s_1, \dots, s_n)$ denote that $v$ is shared among $n$ parties as $s_1, \dots, s_n$, using the polynomial $f$ of degree less than $t$.
Slide 15: Adding shared values

If $v \xrightarrow{f}_{t} (s_1, \dots, s_n)$ and $v' \xrightarrow{f'}_{t} (s'_1, \dots, s'_n)$, then
$v + v' \xrightarrow{f + f'}_{t} (s_1 + s'_1, \dots, s_n + s'_n)$:
each party adds its two shares locally, with no communication.
Slide 16: Multiplying shared values ($n \ge 2t - 1$)

If $v \xrightarrow{f}_{t} (s_1, \dots, s_n)$ and $v' \xrightarrow{f'}_{t} (s'_1, \dots, s'_n)$, then
$v \cdot v' \xrightarrow{f \cdot f'}_{2t-1} (s_1 \cdot s'_1, \dots, s_n \cdot s'_n)$,
i.e. the local products are shares of $vv'$, but under a polynomial of degree less than $2t - 1$; recovering $vv'$ needs $2t - 1$ of them, hence the requirement $n \ge 2t - 1$.
To get back to threshold $t$, each $P_i$ reshares its product share with a fresh polynomial $h_i$ of degree less than $t$: $s_i \cdot s'_i \xrightarrow{h_i}_{t} (r_{i1}, \dots, r_{in})$, sending $r_{ij}$ to $P_j$. Afterwards $P_1$ knows $(r_{11}, \dots, r_{n1})$, ..., $P_n$ knows $(r_{1n}, \dots, r_{nn})$.
Each $P_j$ then applies the $2t - 1$ recombination to its column, $(r_{1j}, \dots, r_{nj}) \xrightarrow{}_{2t-1} w_j$, i.e. $w_j = \sum_{i=1}^{n} \lambda_i^{\{1, \dots, n\}} r_{ij}$. The resulting $(w_1, \dots, w_n)$ is a threshold-$t$ sharing of $v \cdot v'$: the $w_j$ lie on $\sum_i \lambda_i h_i$, a polynomial of degree less than $t$ whose value at $0$ is $\sum_i \lambda_i s_i s'_i = v v'$.
Slide 17: Scalar products of vectors of shared values

If $v_j \xrightarrow{f_j}_{t} (s_{j1}, \dots, s_{jn})$ and $v'_j \xrightarrow{f'_j}_{t} (s'_{j1}, \dots, s'_{jn})$ for $j = 1, \dots, m$, then
$\sum_j v_j \cdot v'_j \xrightarrow{\sum_j f_j \cdot f'_j}_{2t-1} \left(\sum_j s_{j1} \cdot s'_{j1}, \dots, \sum_j s_{jn} \cdot s'_{jn}\right)$.
Each party first sums its local products, then the parties run the same single degree-reduction round as for one multiplication: $P_i$ reshares its sum as $(r_{i1}, \dots, r_{in})$ with threshold $t$, and $P_j$ computes $(r_{1j}, \dots, r_{nj}) \xrightarrow{}_{2t-1} w_j$. A scalar product of any length thus costs the same communication as one multiplication.
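The following is an added example, not code from the slides: Shamir sharing over a prime field with the addition, multiplication (degree reduction with $n \ge 2t-1$) and scalar-product protocols of slides 14-17, all parties simulated in one process. The prime $2^{31} - 1$ and the party count are assumptions of the example.

```python
"""Added example (not from the slides): Shamir sharing over a prime field
with the addition, multiplication and scalar-product protocols of slides
14-17. All parties are simulated in one process."""
import secrets

P = 2**31 - 1   # field F = Z_P; the choice of prime is an assumption

def lagrange_at_zero(points):
    """lambda_j for the point set, so that sum_j lambda_j f(i_j) = f(0)
    whenever deg f < len(points)."""
    out = []
    for j, xj in enumerate(points):
        num = den = 1
        for k, xk in enumerate(points):
            if k != j:
                num = num * (-xk) % P
                den = den * (xj - xk) % P
        out.append(num * pow(den, P - 2, P) % P)
    return out

def share(v, n, t):
    """v ->_t (s_1, ..., s_n): f(x) = v + a_1 x + ... + a_{t-1} x^{t-1}, s_i = f(i)."""
    coef = [v % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [sum(c * pow(i, e, P) for e, c in enumerate(coef)) % P
            for i in range(1, n + 1)]

def recover(shares, indices):
    """Lagrange interpolation from the shares of parties P_i, i in indices."""
    return sum(l * s for l, s in zip(lagrange_at_zero(indices), shares)) % P

def add(sa, sb):
    """(f + f') sharing: purely local."""
    return [(a + b) % P for a, b in zip(sa, sb)]

def reduce_degree(prod, t):
    """The degree-reduction round of slide 16. prod[i] is P_i's share under
    a polynomial of degree < 2t-1. Each P_i reshares it with threshold t
    (row i, entry j goes to P_j); P_j recombines its column with the
    Lagrange coefficients for all n >= 2t-1 points."""
    n = len(prod)
    if n < 2 * t - 1:
        raise ValueError("need n >= 2t-1 parties")
    rows = [share(p, n, t) for p in prod]          # rows[i][j] = r_ij
    lam = lagrange_at_zero(list(range(1, n + 1)))
    return [sum(lam[i] * rows[i][j] for i in range(n)) % P for j in range(n)]

def mul(sa, sb, t):
    return reduce_degree([(a * b) % P for a, b in zip(sa, sb)], t)

def dot(vec_a, vec_b, t):
    """Slide 17: sum the local products first, then reduce once; the
    communication is that of a single multiplication."""
    n = len(vec_a[0])
    prod = [sum(sa[j] * sb[j] for sa, sb in zip(vec_a, vec_b)) % P
            for j in range(n)]
    return reduce_degree(prod, t)
```

The test below also checks the point of the $n \ge 2t-1$ condition: $t$ of the raw product shares do not determine $vv'$, all $2t-1$ of them do.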
Slide 18: Free vector-only stage in private lookup

Goal: given a private vector $[\![v_1]\!], \dots, [\![v_m]\!]$ and a private index $[\![j]\!]$, $j \in \{1, \dots, m\}$, compute $[\![v_j]\!]$. Let $p$ be the polynomial of degree less than $m$ with $p(l) = v_l$ for $l = 1, \dots, m$; its coefficients are $c_k = \sum_{l=1}^{m} \lambda_{k,l} v_l$, where $\lambda_{k,l}$ is the coefficient of $x^k$ in the $l$-th Lagrange basis polynomial. Then $v_j = p(j)$.

Offline
1. $([\![r]\!], [\![r^{-1}]\!])$, $r \xleftarrow{\$} F^*$
2. for $k = 2$ to $m - 1$ do $[\![r^k]\!] \leftarrow [\![r]\!] \cdot [\![r^{k-1}]\!]$
Vector-only
3. foreach $k \in \{0, \dots, m - 1\}$ do $[\![c_k]\!] \leftarrow \sum_{l=1}^{m} \lambda_{k,l} [\![v_l]\!]$
Online
4. $z \leftarrow \mathrm{declassify}([\![j]\!] \cdot [\![r^{-1}]\!])$
5. foreach $k \in \{0, \dots, m - 1\}$ do $[\![z_k]\!] \leftarrow z^k [\![c_k]\!]$
6. return $\sum_{k=0}^{m-1} [\![z_k]\!] \cdot [\![r^k]\!]$

Correctness: $\sum_k z^k c_k r^k = \sum_k c_k (zr)^k = p(zr) = p(j) = v_j$. Privacy: $z = j r^{-1}$ is uniformly distributed in $F^*$ because $r$ is, so declassifying it reveals nothing about $j$ (this needs $j \ne 0$, i.e. indices starting at $1$ and $m < |F|$).
The earlier versions of this slide computed $[\![y_k]\!] \leftarrow [\![c_k]\!] \cdot [\![r^k]\!]$ for all $k$, either in the vector-only stage or online, at the cost of $m$ secure multiplications. In the version above the vector-only stage consists of linear operations only (no communication, hence "free"), step 5 is a local multiplication by public scalars, and step 6 is a single scalar product of shared vectors.
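The following is an added example, not code from the slides: the lookup arithmetic of slide 18 computed in the clear over a small prime field, stage by stage, so that both the correctness identity $p(zr) = p(j)$ and the claim that the declassified $z$ is independent of $j$ can be checked exhaustively. The field size $p = 101$ is an assumption of the example; in the protocol every value except $z$ stays secret-shared.

```python
"""Added example (not from the slides): the private-lookup arithmetic of
slide 18 computed in the clear over F_p, so that every stage and the
masking argument can be checked. In the protocol all values except z
stay secret-shared; the field size is an assumption of this example."""
import secrets

P = 101          # small prime so the uniformity of z can be checked exhaustively

def inv(x):
    return pow(x, P - 2, P)

def interpolation_coeffs(m):
    """lam[k][l] = coefficient of x^k in the Lagrange basis polynomial L_l,
    L_l(l) = 1, L_l(l') = 0 for l' != l, with l, l' in 1..m."""
    lam = [[0] * (m + 1) for _ in range(m)]
    for l in range(1, m + 1):
        poly, denom = [1], 1                    # coefficients, lowest degree first
        for l2 in range(1, m + 1):
            if l2 == l:
                continue
            nxt = [0] * (len(poly) + 1)       # poly := poly * (x - l2)
            for d, c in enumerate(poly):
                nxt[d + 1] = (nxt[d + 1] + c) % P
                nxt[d] = (nxt[d] - l2 * c) % P
            poly = nxt
            denom = denom * (l - l2) % P
        dinv = inv(denom)
        for k, c in enumerate(poly):
            lam[k][l] = c * dinv % P
    return lam

def vector_stage(values):
    """Step 3: c_k = sum_l lambda_{k,l} v_l, a linear map of the shared
    vector (no communication). Depends on the vector only, not on j."""
    m = len(values)
    lam = interpolation_coeffs(m)
    return [sum(lam[k][l] * values[l - 1] for l in range(1, m + 1)) % P
            for k in range(m)]

def poly_eval(coeffs, x):
    return sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P

def offline_stage(m):
    """Steps 1-2: r <- F*, its inverse and the powers r^0 .. r^(m-1)."""
    r = 1 + secrets.randbelow(P - 1)
    return inv(r), [pow(r, k, P) for k in range(m)]

def online_stage(coeffs, j, r_inv, r_pow):
    """Steps 4-6: z is the only declassified value; z^k c_k is a local
    scaling by a public constant; the final sum is one scalar product."""
    z = j * r_inv % P
    zc = [pow(z, k, P) * c % P for k, c in enumerate(coeffs)]
    return z, sum(a * b for a, b in zip(zc, r_pow)) % P

def lookup(values, j):
    """v_j for 1 <= j <= m: sum_k c_k (z r)^k = p(j)."""
    m = len(values)
    if not 1 <= j <= m < P:
        raise ValueError("index must lie in 1..m and m < |F|")
    r_inv, r_pow = offline_stage(m)
    return online_stage(vector_stage(values), j, r_inv, r_pow)[1]

def mask_is_uniform(j):
    """For a fixed secret j, z = j r^-1 runs over all of F* as r does, so
    the declassified z is independent of j."""
    return sorted(j * inv(r) % P for r in range(1, P)) == list(range(1, P))
```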
Slide 19: Other uses for the private lookup algorithm

We have implemented the (sequential) DFA execution algorithm.
The lookup algorithm can be used whenever we need to read from private positions or write into public positions.
Examples: the Bellman-Ford algorithm in sparse graphs; the Knuth-Morris-Pratt algorithm.
Slide 20: Minimizing deterministic finite automata

[Figure: a DFA with states $q_1, \dots, q_6$ over the alphabet $\{a, b\}$. The animation marks one state as unreachable and a pair of states as equivalent, the two kinds of redundancy that minimization removes.]
Slide 21: Private shuffle

[Figure: input shares $[\![a_1]\!], \dots, [\![a_8]\!]$ are mapped through a permutation $\sigma$ to output shares $[\![b_1]\!], \dots, [\![b_8]\!]$.]
$b_i = a_{\sigma(i)}$ for all $i \in \{1, \dots, n\}$.
$\sigma \in S_n$ is provided by an input party.
How to represent $\sigma$ and do the shuffle if $\sigma$ itself is private?
$\langle\sigma\rangle = ((\sigma_1, \sigma_2), (\sigma_2, \sigma_3), (\sigma_3, \sigma_1))$, where $\sigma = \sigma_1 \circ \sigma_2 \circ \sigma_3$ and $\sigma_1, \sigma_2, \sigma_3$ are random elements of $S_n$. $CP_1$ holds $(\sigma_1, \sigma_2)$, $CP_2$ holds $(\sigma_2, \sigma_3)$, $CP_3$ holds $(\sigma_3, \sigma_1)$, so $\sigma_1$ is unknown to $CP_2$, $\sigma_2$ unknown to $CP_3$ and $\sigma_3$ unknown to $CP_1$. Any two of the three parts are independent of $\sigma$, so no single party learns anything about it.
Slide 22: Shuffling protocol

Setup: $CP_1$ knows $\sigma_1, \sigma_2$; $CP_2$ knows $\sigma_2, \sigma_3$; $CP_3$ knows $\sigma_3, \sigma_1$. Each $CP_i$ holds its additive share $[\![\vec a]\!]_i$ of the vector $\vec a$. In each round the one party that does not know the permutation to be applied first hands its share to the other two, masked with a random vector, so that it holds $\vec 0$ while the permutation is applied.

Round 1 ($\sigma_1$, unknown to $CP_2$): $CP_2$ picks random $\vec r_1$, sends $[\![\vec a]\!]_2 - \vec r_1$ to $CP_3$ and $\vec r_1$ to $CP_1$.
$[\![\vec a]\!]_3 := [\![\vec a]\!]_3 + [\![\vec a]\!]_2 - \vec r_1$; $[\![\vec a]\!]_1 := [\![\vec a]\!]_1 + \vec r_1$; $[\![\vec a]\!]_2 := \vec 0$.
Party $CP_i$ shuffles $[\![\vec a]\!]_i$ using $\sigma_1$ (trivial for $CP_2$, whose share is $\vec 0$).

Round 2 ($\sigma_2$, unknown to $CP_3$): $CP_3$ picks random $\vec r_2$, sends $[\![\vec a]\!]_3 - \vec r_2$ to $CP_1$ and $\vec r_2$ to $CP_2$.
$[\![\vec a]\!]_1 := [\![\vec a]\!]_1 + [\![\vec a]\!]_3 - \vec r_2$; $[\![\vec a]\!]_2 := [\![\vec a]\!]_2 + \vec r_2$; $[\![\vec a]\!]_3 := \vec 0$.
Party $CP_i$ shuffles $[\![\vec a]\!]_i$ using $\sigma_2$.

Round 3 ($\sigma_3$, unknown to $CP_1$): $CP_1$ picks random $\vec r_3$, sends $[\![\vec a]\!]_1 - \vec r_3$ to $CP_3$ and $\vec r_3$ to $CP_2$.
$[\![\vec a]\!]_3 := [\![\vec a]\!]_3 + [\![\vec a]\!]_1 - \vec r_3$; $[\![\vec a]\!]_2 := [\![\vec a]\!]_2 + \vec r_3$; $[\![\vec a]\!]_1 := \vec 0$.
Party $CP_i$ shuffles $[\![\vec a]\!]_i$ using $\sigma_3$.

Finally: Reshare. The shares now reconstruct to $\vec b$ with $b_i = a_{\sigma(i)}$; since $\sigma_1$ is applied first and $\sigma_3$ last, the total permutation in this convention is $\sigma = \sigma_1 \circ \sigma_2 \circ \sigma_3$. Each message a party receives is masked by a fresh random vector unknown to it, and no party ever holds a non-zero share while a permutation it does not know is applied.
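The following is an added example, not code from the slides or from Sharemind: a single-process simulation of the shuffling protocol of slides 21-22 on additive shares, with the three rounds, the zero-share invariant and the final reshare. Additive shares modulo $2^{32}$ (the ring named in the PFE benchmark) and 0-based party indices are assumptions of the example.

```python
"""Added example (not from the slides): simulation of the three-party
shuffling protocol of slide 22 on additive shares modulo 2^32 (the ring
of the PFE benchmark; the choice is an assumption). CP1 knows
(sigma1, sigma2), CP2 knows (sigma2, sigma3), CP3 knows (sigma3, sigma1);
parties are 0-based here, so CP_i is index i-1."""
import secrets

MOD = 2**32

def apply_perm(sigma, a):
    """b_i = a_{sigma(i)}."""
    return [a[sigma[i]] for i in range(len(a))]

def compose(s, t):
    """(s o t)(i) = s(t(i)); applying s o t means applying s, then t."""
    return [s[t[i]] for i in range(len(t))]

def rand_vec(n):
    return [secrets.randbelow(MOD) for _ in range(n)]

def vadd(x, y):
    return [(p + q) % MOD for p, q in zip(x, y)]

def vsub(x, y):
    return [(p - q) % MOD for p, q in zip(x, y)]

def share_vec(a):
    s1, s2 = rand_vec(len(a)), rand_vec(len(a))
    return [s1, s2, vsub(vsub(a, s1), s2)]

def reconstruct(sh):
    return [(x + y + z) % MOD for x, y, z in zip(*sh)]

def transfer_and_shuffle(sh, src, masked_to, mask_to, sigma):
    """One round. Party src must not learn sigma: it splits its share into
    [a]_src - r (sent to masked_to) and r (sent to mask_to), keeps 0, and
    then every party applies sigma to its own share."""
    n = len(sh[src])
    r = rand_vec(n)
    sh[masked_to] = vadd(sh[masked_to], vsub(sh[src], r))
    sh[mask_to] = vadd(sh[mask_to], r)
    sh[src] = [0] * n
    return [apply_perm(sigma, s) for s in sh]

def reshare(sh):
    """Fresh random sharing of the same vector, as at the end of the slide."""
    r = [rand_vec(len(sh[0])) for _ in range(3)]
    return [vadd(vsub(sh[i], r[(i - 1) % 3]), r[i]) for i in range(3)]

def shuffle_protocol(sh, sigma1, sigma2, sigma3):
    sh = [list(s) for s in sh]
    # round 1: sigma1 is unknown to CP2 -> CP2 hands its share to CP3 and CP1
    sh = transfer_and_shuffle(sh, src=1, masked_to=2, mask_to=0, sigma=sigma1)
    # round 2: sigma2 is unknown to CP3 -> CP3 hands its share to CP1 and CP2
    sh = transfer_and_shuffle(sh, src=2, masked_to=0, mask_to=1, sigma=sigma2)
    # round 3: sigma3 is unknown to CP1 -> CP1 hands its share to CP3 and CP2
    sh = transfer_and_shuffle(sh, src=0, masked_to=2, mask_to=1, sigma=sigma3)
    return reshare(sh)
```

The result reconstructs to $\sigma_1 \circ \sigma_2 \circ \sigma_3$ applied to $\vec a$ in the slide's convention $b_i = a_{\sigma(i)}$, and after each transfer the party that does not know the permutation holds only zeros.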
Slide 23: Security against malicious adversaries

... is possible. Use Shamir's $(4, 2)$ secret sharing: one malicious party among four is tolerated. Use a protocol set based on homomorphic commitments (Cramer and Damgård, Multiparty Computation, an Introduction. Contemporary Cryptology, Advanced Courses in Mathematics CRM Barcelona, 2005).
Let $\sigma = \sigma_1 \circ \dots \circ \sigma_4$; party $CP_i$ misses $\sigma_i$. $CP_1$ and $CP_2$ can detect if $CP_3$ did not permute its shares according to $\sigma_4$. They'll complain, and $\sigma_4$ can then be made public.
Slide 24: Use for sorting

The computing parties can generate a sharing $\langle\sigma\rangle$ of a random $\sigma$ themselves: $CP_i$ constructs a random $\sigma_i \in S_n$ and sends it to $CP_{i-1}$ (so $\sigma_i$ is known to exactly $CP_i$ and $CP_{i-1}$, matching the layout of $\langle\sigma\rangle$).
After randomly shuffling an array, the comparison results between its elements may be made public, if all elements of the array are different (with repeated elements the pattern of equal comparisons would reveal the multiplicities).
After shuffling, we can use any sorting method to sort a private array; there is no need to use data-oblivious methods, e.g. sorting networks.
Slide 25: Remembering the sorting permutation

[Figure: the array $(3, 2, 5, 6, 1, 4)$ passes through the three random permutations $\sigma'_1, \sigma'_2, \sigma'_3$ of the shuffle and is then sorted by the public permutation $\tau$.]
Position   Input   After $\sigma'_1$   After $\sigma'_2$   After $\sigma'_3$   After $\tau$ (sorted)
1          3       4                   5                   5                   1
2          2       2                   3                   2                   2
3          5       5                   2                   6                   3
4          6       3                   1                   3                   4
5          1       6                   4                   4                   5
6          4       1                   6                   1                   6
The total sorting permutation is $\sigma'_1 \circ \sigma'_2 \circ \sigma'_3 \circ \tau$; since $\tau$ is public, it is kept in the three-part form $\sigma_1 := \sigma'_1$; $\sigma_2 := \sigma'_2$; $\sigma_3 := \sigma'_3 \circ \tau$.
$\sigma'_i$ is generated by those $CP_{j_1}$ and $CP_{j_2}$ that are supposed to know $\sigma_i$ afterwards.
Slide 26: From $[\![\sigma]\!]$ to $\langle\sigma\rangle$

Here the permutation $\sigma$ itself is the private array $(3, 2, 5, 6, 1, 4)$, i.e. $\sigma(i)$ is stored at position $i$. Shuffle it with random $\sigma'_1, \sigma'_2, \sigma'_3$ and sort the result publicly (its entries are distinct), obtaining $\tau$; the table of slide 25 applies unchanged.
Sorting yields the identity, so $\sigma \circ \sigma'_1 \circ \sigma'_2 \circ \sigma'_3 \circ \tau = \mathrm{id}$ and hence
$\sigma_1 := \tau^{-1} \circ \sigma'^{-1}_3$; $\sigma_2 := \sigma'^{-1}_2$; $\sigma_3 := \sigma'^{-1}_1$,
with $\sigma = \sigma_1 \circ \sigma_2 \circ \sigma_3$.
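The following is an added example, not code from the slides: the permutation bookkeeping of slides 25 and 26, i.e. shuffle-then-sort with the total sorting permutation kept in three parts, and the conversion of a permutation given as a private array into the three-part form, checked against the six-element table of slide 25. Values are handled in the clear (0-based); in the protocol only the post-shuffle comparisons are declassified.

```python
"""Added example (not from the slides): permutation bookkeeping for
shuffle-then-sort (slide 25) and for turning a permutation stored as a
private array into three-part form (slide 26). Convention from the
slides: b_i = a_{sigma(i)} and (s o t)(i) = s(t(i)), so applying s o t
means applying s first and then t. Indices are 0-based here."""

def apply_perm(sigma, a):
    return [a[sigma[i]] for i in range(len(a))]

def compose(s, t):
    return [s[t[i]] for i in range(len(t))]

def inverse(s):
    inv = [0] * len(s)
    for i, si in enumerate(s):
        inv[si] = i
    return inv

def sorting_perm(b):
    """tau with apply_perm(tau, b) sorted; in the protocol this comes from
    the (public) comparison results of the shuffled array."""
    return sorted(range(len(b)), key=lambda i: b[i])

def shuffle_and_sort(a, s1p, s2p, s3p):
    """Shuffle a with sigma' = s1' o s2' o s3', sort publicly with tau, and
    return the sorted array with the three-part sorting permutation
    sigma1 = s1', sigma2 = s2', sigma3 = s3' o tau."""
    b = apply_perm(s3p, apply_perm(s2p, apply_perm(s1p, a)))
    tau = sorting_perm(b)
    return apply_perm(tau, b), (s1p, s2p, compose(s3p, tau))

def private_perm_to_parts(sigma, s1p, s2p, s3p):
    """[sigma] -> <sigma>: the array holding sigma is shuffled with sigma'
    and sorted publicly (its entries are distinct). Sorting gives the
    identity, so sigma o sigma' o tau = id and
    sigma = tau^-1 o s3'^-1 o s2'^-1 o s1'^-1, split as on slide 26."""
    b = apply_perm(s3p, apply_perm(s2p, apply_perm(s1p, sigma)))
    tau = sorting_perm(b)
    return (compose(inverse(tau), inverse(s3p)), inverse(s2p), inverse(s1p))

def parts_to_perm(parts):
    """<sigma> -> sigma = sigma1 o sigma2 o sigma3 (for checking only)."""
    s1, s2, s3 = parts
    return compose(compose(s1, s2), s3)
```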
Slide 27: Extended permutations

[Figure: six input shares $[\![a_1]\!], \dots, [\![a_6]\!]$ are mapped by $f$ to ten output shares $[\![b_1]\!], \dots, [\![b_{10}]\!]$, with $b_j = a_{f(j)}$; some inputs are copied several times, some not at all.]
$f : [m] \to [n]$, where $[n] = \{1, \dots, n\}$. In our example, $m = 10$, $n = 6$.
$f$ is private, given by some input party $IP_i$.
$f$ could represent: the structure of some arithmetic circuit (private function evaluation); the transition function of some state machine (operations with finite automata).
Slide 28: Representing an extended permutation

Theorem. For any $m, n$ there exist $\ell_{m,n} = (1 + o(1))\,(m \cdot \ln m)$ and $g_{m,n} : [\ell_{m,n}] \to [n]$ such that for all $f : [m] \to [n]$ there exist $\tau \in S_{\ell_{m,n}}$ and $\sigma \in S_n$ with $f = \sigma \circ g_{m,n} \circ \tau$ (on $[m]$; the remaining $\ell_{m,n} - m$ positions of $\tau$ are padding).
A private $f$ can therefore be encoded as $\langle\sigma\rangle, \langle\tau\rangle$: the fixed public map $g_{m,n}$ does all the copying, and the two private shuffles hide which element is copied how often and where the copies go.
Slide 29: $\ell_{m,n}$ and $g_{m,n}$

$\ell_{m,n} = \sum_{i=1}^{n} \lfloor m / i \rfloor$.
$g_{m,n}$ maps $n$ consecutive blocks of its domain to the outputs $1, \dots, n$: a block of $m$ positions to output $1$, a block of $\lfloor m/2 \rfloor$ positions to output $2$, $\lfloor m/3 \rfloor$ to output $3$, ..., $\lfloor m/n \rfloor$ to output $n$.
$\sigma$ sorts $(a_1, \dots, a_n)$ by the number of copies made from each element by the extended permutation. The $i$-th most copied element is copied at most $\lfloor m/i \rfloor$ times (the $i$ most copied elements account for at most $m$ copies in total), so every copy fits into the corresponding block of $g_{m,n}$, and $\tau$ routes each output position $j$ to an unused position in the block belonging to $\sigma^{-1}(f(j))$.
Slide 30: Example

[Figure, three animation frames: the example extended permutation $f : [10] \to [6]$ of slide 27, from $[\![a_1]\!], \dots, [\![a_6]\!]$ to $[\![b_1]\!], \dots, [\![b_{10}]\!]$; only the node labels survived extraction.]
Slide 31: Moore's partition refining algorithm

[Figure: the DFA of slide 20 with states $q_1, \dots, q_6$ over $\{a, b\}$, annotated with three label vectors.]
Current partition $\pi$ (part number of each state $q_1, \dots, q_6$): $(1, 1, 2, 3, 3, 1)$.
$\pi \circ \delta(\cdot, a)$: $(1, 1, 1, 3, 3, 3)$.
$\pi \circ \delta(\cdot, b)$: $(3, 2, 3, 1, 1, 2)$.
$\delta(\cdot, a) : Q \to Q$ is an extended permutation, so $\pi \circ \delta(\cdot, a)$ (the part of each state's $a$-successor) is obtained by applying it to the private vector $\pi$.
Slide 32: Recomputing the identities of parts

The signature of state $q$ is $v_1(q) = (\pi(q), \pi(\delta(q, a)), \pi(\delta(q, b)))$. New part numbers are assigned with a sort, a comparison of neighbours, a prefix sum and an unsort:
$\sigma = \mathrm{sort}(v_1)$; $v_2(i) := [\,v_1(i) \ne v_1(i-1)\,]$ on the sorted vector (with $v_2(1) := 1$); $v_3 := \mathrm{prefixsum}(v_2)$; result $:= \mathrm{unsort}(\sigma, v_3)$, i.e. apply $\sigma^{-1}$.

State   $v_1$     sorted $v_1$   $v_2$   $v_3$   unsort$(\sigma, v_3)$
$q_1$   1 1 3     1 1 2          1       1       2
$q_2$   1 1 2     1 1 3          1       2       1
$q_3$   2 1 3     1 3 2          1       3       4
$q_4$   3 3 1     2 1 3          1       4       5
$q_5$   3 3 1     3 3 1          1       5       5
$q_6$   1 3 2     3 3 1          0       5       3
(The "sorted $v_1$", $v_2$ and $v_3$ columns are indexed by sorted position, the last column by state again.)
States $q_4$ and $q_5$ keep a common part number; all other states are now in parts of their own.
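The following is an added example, not code from the slides: Moore's refinement loop with the part-renumbering step implemented exactly as the sort / neighbour-compare / prefix-sum / unsort of slide 32, checked against the table above, plus the full minimization loop on two small automata constructed for the test. Everything runs in the clear; in the protocol the sort is the shuffle-then-sort of slide 24 and each $\pi \circ \delta(\cdot, x)$ is an extended permutation applied to the private vector $\pi$.

```python
"""Added example (not from the slides): Moore's partition refinement with
the part-renumbering step done exactly as on slide 32 (sort, compare
neighbours, prefix sum, unsort). Everything runs in the clear here; in
the protocol the sort is shuffle-then-sort and pi o delta(., x) is an
extended permutation applied to the private vector pi."""

def recompute_identities(v1):
    """v1[q] is the signature tuple of state q. Returns part numbers 1..p
    such that equal signatures get equal numbers."""
    n = len(v1)
    sigma = sorted(range(n), key=lambda q: v1[q])             # sigma = sort(v1)
    srt = [v1[sigma[i]] for i in range(n)]
    v2 = [1 if i == 0 or srt[i] != srt[i - 1] else 0 for i in range(n)]
    v3, acc = [], 0
    for x in v2:                                                # prefix sum
        acc += x
        v3.append(acc)
    out = [0] * n
    for i in range(n):                                          # unsort: apply sigma^-1
        out[sigma[i]] = v3[i]
    return out

def refine_once(pi, deltas):
    """One round: signature (pi(q), pi(delta(q, x)) for each letter x)."""
    v1 = [(pi[q],) + tuple(pi[d[q]] for d in deltas) for q in range(len(pi))]
    return recompute_identities(v1)

def moore_minimize(deltas, accepting, n):
    """deltas[x][q] = delta(q, x). Starts from {accepting, non-accepting}
    and refines until the number of parts stops growing. Returns the
    final part numbers and the number of rounds used."""
    pi = [2 if q in accepting else 1 for q in range(n)]
    rounds = 0
    while True:
        new = refine_once(pi, deltas)
        rounds += 1
        # a refinement with the same number of parts is the same partition
        if len(set(new)) == len(set(pi)):
            return new, rounds
        pi = new
```

The two automata in the test are constructed for illustration: one is two disjoint copies of the same two-state automaton (the copies collapse in one round), the other a four-state chain in which every state is distinguishable and the refinement needs three rounds.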
Slide 33: Finding reachable states

The transitive closure of a graph can be found in $O(\log n)$ time with $O(n^2 \log n)$ work. Too much work: our automata result from the product construction.
Instead, we can run an extended permutation "backwards": given $f : [m] \to [n]$ and $[\![b_1]\!], \dots, [\![b_m]\!]$, compute $[\![a_1]\!], \dots, [\![a_n]\!]$ by
$a_i = \sum_{j \in f^{-1}(i)} b_j$.
With $f = \delta(\cdot, x)$ and $b$ the indicator vector of the states reached so far, $a_i$ is non-zero exactly when some reached state has an $x$-transition into $q_i$. This allows us to iterate "reachability" from the initial state, one transition step per iteration.
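The following is an added example, not code from the slides: the decomposition $f = \sigma \circ g_{m,n} \circ \tau$ of slides 28-29 computed for a given $f$, the forward and backward application of slide 33, and the reachability iteration. It is checked on the $f : [10] \to [6]$ listed on slide 36 and on a two-letter automaton constructed for the test; indices are 0-based.

```python
"""Added example (not from the slides): an extended permutation
f: [m] -> [n] (0-based here) decomposed as sigma o g_{m,n} o tau as in
slides 28-29, run forwards (b_j = a_{f(j)}) and backwards
(a_i = sum over f^-1(i)) as on slide 33, and the reachability iteration.
The test data is the f of slide 36 plus a constructed two-letter DFA."""
from collections import Counter

def ell(m, n):
    return sum(m // i for i in range(1, n + 1))

def g_blocks(m, n):
    """g_{m,n} as a slot -> output list: floor(m/(i+1)) consecutive slots
    map to output i (0-based), i.e. blocks of size m, m/2, ..., m/n."""
    g = []
    for i in range(n):
        g += [i] * (m // (i + 1))
    return g

def decompose(f, n):
    """Return (sigma, tau) with f(j) = sigma(g(tau(j))) for all j < m.
    sigma lists the inputs by decreasing number of copies; tau is a
    permutation of [ell] whose first m entries route the real outputs."""
    m = len(f)
    counts = Counter(f)
    sigma = sorted(range(n), key=lambda i: -counts[i])
    rank = {inp: pos for pos, inp in enumerate(sigma)}   # sigma^-1
    free = {}
    for slot, out in enumerate(g_blocks(m, n)):
        free.setdefault(out, []).append(slot)
    # the i-th most copied input has at most floor(m/i) copies, so its
    # block never runs out of slots
    tau = [free[rank[f[j]]].pop() for j in range(m)]
    padding = [s for slots in free.values() for s in slots]
    return sigma, tau + padding

def forward(f, a):
    """b_j = a_{f(j)}."""
    return [a[f[j]] for j in range(len(f))]

def forward_decomposed(sigma, tau, a, m):
    g = g_blocks(m, len(a))
    sorted_a = [a[sigma[i]] for i in range(len(a))]     # sigma: sort by copy count
    copies = [sorted_a[g[k]] for k in range(len(g))]    # g: public copying
    return [copies[tau[j]] for j in range(m)]           # tau: route, drop padding

def backward(f, b, n):
    """a_i = sum_{j in f^-1(i)} b_j."""
    a = [0] * n
    for j, bj in enumerate(b):
        a[f[j]] += bj
    return a

def reachable(deltas, start, n):
    """deltas[x][q] = delta(q, x). Running each delta(., x) backwards on the
    indicator vector of the reached states pushes it along the transitions."""
    reach = [0] * n
    reach[start] = 1
    while True:
        new = list(reach)
        for f in deltas:
            for q, v in enumerate(backward(f, reach, n)):
                if v:
                    new[q] = 1
        if new == reach:
            return [q for q in range(n) if reach[q]]
        reach = new
```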
Slide 34: Private function evaluation with extended permutations

[Figure: an arithmetic circuit with inputs $I_1, I_2, I_3$, gates $1$ and $2$ (multiplication), $3$ and $4$ (addition), $5$ (multiplication) and outputs $O_1, O_2$; the second frame redraws it with the gates laid out in a row, the wires between inputs, gates and outputs forming one extended permutation.]
Hide the contents of nodes and the connections.
Slide 35: Benchmarking PFE

We built a random arithmetic circuit with 200 inputs, $K$ gates, and 100 outputs. Each gate: addition or multiplication (over $\mathbb{Z}_{2^{32}}$). Connections: an extended permutation with $n = K + 200$ and $m = 2K + 100$.
We benchmarked one iteration of evaluating the circuit on the Sharemind cluster: one extended permutation, an evaluation of all gates, and moving data between them (a local operation).

$K / 10^6$   Perm.   Gates   Move
0.1          0.5     0.05    0.45
1            6       0.5     4.5
5            35      2.5     23
7            49      3.6     31
8            58      4       35
Times in seconds. $t_{\mathrm{perm}} \approx 4.54 \cdot 10^{-7} \cdot K \ln K$ (s).
Rather heavyweight on Sharemind 3.
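The following is an added example, not code from the slides or from Sharemind: a circuit laid out as in slides 34-35, i.e. a value vector of $n = n_{in} + K$ entries, an extended permutation $f : [m] \to [n]$ with $m = 2K + n_{out}$ carrying the wiring, and a per-gate selector bit, evaluated by iterating permute / evaluate-all-gates / write-back. It is computed in the clear to show the data flow (the gate formula is arithmetic so that a shared selector bit could hide the gate type); the selector-bit encoding and the five-gate test circuit are assumptions of the example.

```python
"""Added example (not from the slides): private function evaluation laid
out as on slides 34-35. A circuit with n_in inputs, K two-input gates
and n_out outputs becomes a value vector of n = n_in + K entries, an
extended permutation f: [m] -> [n] with m = 2K + n_out, and a per-gate
selector bit; one iteration = permute, evaluate all gates, write back.
Values are in Z_{2^32}; computed in the clear to show the data flow."""
MOD = 2**32

class Circuit:
    def __init__(self, n_in, gates, outputs):
        """gates: (kind, left, right) with kind '+' or '*'; left/right index
        the value vector (inputs first, gate i at n_in + i, so gates must
        be listed in topological order). outputs: indices into the vector."""
        self.n_in, self.gates, self.outputs = n_in, list(gates), list(outputs)
        self.n = n_in + len(gates)
        # the wiring as one extended permutation: left operands, right operands, outputs
        self.f = ([l for _, l, _ in gates] + [r for _, _, r in gates] + self.outputs)
        self.sel = [1 if kind == '*' else 0 for kind, _, _ in gates]

    def depth(self):
        """Number of iterations needed: longest input-to-gate path."""
        d = [0] * self.n
        for i, (_, l, r) in enumerate(self.gates):
            d[self.n_in + i] = 1 + max(d[l], d[r])
        return max(d[self.n_in:], default=0)

    def iteration(self, values):
        """Permute (b_j = values[f(j)]), then evaluate every gate with the
        data-independent formula sel*(x*y) + (1-sel)*(x+y)."""
        K = len(self.gates)
        moved = [values[j] for j in self.f]
        left, right = moved[:K], moved[K:2 * K]
        outs = [(s * (x * y) + (1 - s) * (x + y)) % MOD
                for s, x, y in zip(self.sel, left, right)]
        return values[:self.n_in] + outs

    def evaluate(self, inputs, depth=None):
        values = list(inputs) + [0] * len(self.gates)
        for _ in range(self.depth() if depth is None else depth):
            values = self.iteration(values)
        return [values[j] for j in self.f[2 * len(self.gates):]]
```

Running fewer iterations than the circuit depth leaves the deeper gates computed from stale operands, which the test shows on the five-gate circuit of slide 34.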
Slide 36: From $[\![f]\!]$ to $\langle f \rangle$

A private extended permutation given as the vector $v_2$ of its values ($v_1$ is the position); with ten positions and values in $\{1, \dots, 6\}$ it matches the example $m = 10$, $n = 6$ of slide 27:
$v_1$:  1  2  3  4  5  6  7  8  9  10
$v_2$:  3  5  3  1  4  4  1  3  4  3
Element 3 is copied four times, element 4 three times, element 1 twice, element 5 once and elements 2 and 6 never; these counts are what $\sigma$ sorts by on slide 29.