Presentation is loading. Please wait.

Presentation is loading. Please wait.

Oblivious Branching Program Evaluation

Similar presentations

Presentation on theme: "Oblivious Branching Program Evaluation"— Presentation transcript:

1 Oblivious Branching Program Evaluation
Payman Mohassel and Salman Niksefat University of Calgary

2 Branching Programs A function representation, just like truth tables, decision trees, OBDDs, Boolean circuits Provide you a model to compute the function. [image: Wikipedia]

3 Binary Decision Trees Each internal node labeled
with a binary variable Each leaf labeled with an output value [image: Wikipedia]

4 Ordered Binary Decision Diagrams (OBDD)
Directed Acyclic Graphs Nodes can have multiple incoming edges Variables processed in order xi is processed in layer i Applications Formal verification Circuit design Fault-tree analysis [image: Wikipedia]

5 Branching Programs Each variable can appear at multiple layers, in arbitrary order x2 x3 x1 x1 You remove the last condition so each variable can appear at any places x2 x3 1

6 Other Generalizations
Non-binary variables Multivariate branching programs Each node a function of multiple variables Non-linear functions Non-binary outputs Arbitrary output labels

7 Oblivious Branching Program (OBP) Evaluation
X = (x1 , … , xn) BP(x)

8 Security Requirements
Secure two-party computation Keep the BP private Keep the BP’s input private Guarantee correctness Security against malicious parties Corrupted party can behave arbitrarily Cannot trick the other party into accepting an invalid output

9 Potential Applications
Daignostic programs Medical diagnostic Remote software fault-diagnostic Spam filters Intrusion detection keeping the program private Proprietary program Program reveals vulnerabilities Keeping inputs to the programs private Client’s data privacy These are applications people have looked at

10 Private Database Queries
Represent server’s data as a BP Represent client’s input as input to BP Private information retrieval Private keyword search Private element rank

11 Symmetric PIR (1-Out-of-N OT)
Client I = i1 i2 … ilogN Server D = d1 , … , dN i1 i2 i2 dI i3 i3 i3 i3 d1 d2 d3 d4 d5 d6 d7 d8 Only keep the leaves private

12 Computation vs. Communication
Most SPIRs computationally expensive Public-key ops proportional to database size Focus on communication for large databases Experiments on PIR: [SC 07, OG 11] Communicating the database maybe more efficient The only SPIR focusing on computation is [NP 99] O(logN) public-key ops O(NlogN) symmetric-key ops Significantly less computation, more communication

13 Private Keyword Search
Server D = (k1,d1) , … , (kN,dN) Client w = w1 w2 … wt x1 x2 x3 d1 d2 d3 d4 di if ki = w Evaluation paths have different lengths They leak information about the keyword or database

14 Private Keyword Search
Server D = (k1,d1) , … , (kN,dN) Client w = w1 w2 … wt x1 x2 x3 d1 d2 d3 x1 x2 x3 d1 d2 d3 x2 x3 x3

15 Secure Evaluation of Public Decision Trees
Alice knows The input to the tree (x1 , … , xn) Bob knows Labels of the leaves of the tree Both parties know Structure of the tree

16 The Protocol kxnn kx22 kx11 xi X = x1 … xn (k0n , k1n )
. . Oblivious Transfer kx22 (k02 , k12 ) kx11 (k01 , k11 ) xi padi G(padi) padk padj k0i pad2 k1i pad3

17 The Protocol Cont’d Server sends encrypted DT to client
Client can decrypt a single path from root to a leaf Node 1 Node 2 Node i G(padi) ki0

18 Security and Efficiency
Security against malicious adversaries If the OT is secure against malicious adversaries Efficiency V PRG invocation n oblivious transfers Consider SPIR Naor-Pinkas construction NlogN symmetric-key ops Our new construction N symmetric-key ops

19 Hiding the Structure kxnn kx22 kx11 X = x1 … xn (k0n , k1n )
. . Oblivious Transfer kx22 (k02 , k12 ) kx11 (k01 , k11 ) Return OT answers randomly permuted We need a strong OT Queries and answers cannot be connected Kx44 Kx77 Kx11

20 Hiding the Structure xi G(pad1) K0i K1i Permuted list of
encrypted nodes Node j Node i Node k xi padi padj padk G(pad1) K0i K1i j’ || Padj|| j || 0k Padk || k || 0k $ Permuted list of OT answers Kx44 Kx77 Kx11

21 Extension to DAGs In DTs In BPs
Each path from the root to a leaf contains unique variables If a variable appears twice we can remove the second instance A single key needs to be accessed only once In BPs Each variable can appear multiple times in a single path

22 Oblivious BP Evaluation
Permuted list of encrypted nodes Node j Node i Node k xi pad1 pad2 pad3 G(pad1) K0i K1i j’ || Pad2 || j || 0k Pad3 || k || 0k $ Permuted list for each level Kx44 Kx77 Kx11 K’x66 K’x44 K’x22

23 Security and Efficiency
Secure against a malicious input holder Private against a malicious BP holder Efficiency O(nl) oblivious transfers O(V) PRG invocations V is the number of nodes in the graph, l is the depth of the BP

24 Comparison Yao IP07 Barnie09, Brickell 07 Ours

25 Conclusions A computationally efficient protocols for OBP
Applications to private database queries Future Work Avoid strong OTs Needs Paillier’s encryption Work in progress: achieve this using any standard OT Ambitious open question Achieve communication and computation efficiency

Download ppt "Oblivious Branching Program Evaluation"

Similar presentations

Ads by Google