Presentation is loading. Please wait.

Presentation is loading. Please wait.

Oblivious Branching Program Evaluation Payman Mohassel and Salman Niksefat University of Calgary.

Similar presentations


Presentation on theme: "Oblivious Branching Program Evaluation Payman Mohassel and Salman Niksefat University of Calgary."— Presentation transcript:

1 Oblivious Branching Program Evaluation Payman Mohassel and Salman Niksefat University of Calgary

2 Branching Programs A function representation, just like truth tables, decision trees, OBDDs, Boolean circuits [image: Wikipedia]

3 Binary Decision Trees Each internal node labeled with a binary variable Each leaf labeled with an output value [image: Wikipedia]

4 Ordered Binary Decision Diagrams (OBDD) Directed Acyclic Graphs – Nodes can have multiple incoming edges Variables processed in order x i is processed in layer i Applications – Formal verification – Circuit design – Fault-tree analysis [image: Wikipedia]

5 Branching Programs Each variable can appear at multiple layers, in arbitrary order x2x2 x3x3 x3x3 x2x2 x1x1 x1x1 0 1

6 Other Generalizations Non-binary variables Multivariate branching programs – Each node a function of multiple variables – Non-linear functions Non-binary outputs – Arbitrary output labels

7 Oblivious Branching Program (OBP) Evaluation BP = BP(x) X = (x 1, …, x n )

8 Security Requirements Secure two-party computation – Keep the BP private – Keep the BP’s input private – Guarantee correctness Security against malicious parties – Corrupted party can behave arbitrarily

9 Potential Applications Daignostic programs – Medical diagnostic – Remote software fault-diagnostic – Spam filters – Intrusion detection keeping the program private – Proprietary program – Program reveals vulnerabilities Keeping inputs to the programs private – Client’s data privacy

10 Private Database Queries Represent server’s data as a BP Represent client’s input as input to BP Private information retrieval Private keyword search Private element rank …

11 Symmetric PIR (1-Out-of-N OT) i1i1 i2i2 i2i2 i3i3 i3i3 i3i3 i3i3 d1d1 d2d2 d3d3 d4d4 d5d5 d6d6 d7d7 d8d8 Server D = d 1, …, d N Client I = i 1 i 2 … i logN dIdI Only keep the leaves private

12 Computation vs. Communication Most SPIRs computationally expensive – Public-key ops proportional to database size – Focus on communication for large databases Experiments on PIR: [SC 07, OG 11] – Communicating the database maybe more efficient The only SPIR focusing on computation is [NP 99] – O(logN) public-key ops – O(NlogN) symmetric-key ops – Significantly less computation, more communication

13 Private Keyword Search x1x1 x2x2 x2x2 x3x3 x3x3 d1d1 d2d2 d3d3 d4d4 Server D = (k 1,d 1 ), …, (k N,d N ) Client w = w 1 w 2 … w t d i if k i = w Evaluation paths have different lengths They leak information about the keyword or database

14 Private Keyword Search x1x1 x2x2 x2x2 x3x3 x3x3 d1d1 d2d2 d3d3 Server D = (k 1,d 1 ), …, (k N,d N ) Client w = w 1 w 2 … w t x1x1 x2x2 x2x2 x3x3 x3x3 d1d1 d2d2 d3d3 x2x2 x3x3 x3x3

15 Secure Evaluation of Public Decision Trees Alice knows – The input to the tree (x 1, …, x n ) Bob knows – Labels of the leaves of the tree Both parties know – Structure of the tree

16 The Protocol (k 0 1, k 1 1 ) (k 0 2, k 1 2 ) (k 0 n, k 1 n ) Oblivious Transfer X = x 1 … x n k xn n k x1 1 k x xixi pad i pad j pad k k0ik0i pad 2 k1ik1i pad 3 G(pad i )

17 The Protocol Cont’d Server sends encrypted DT to client Client can decrypt a single path from root to a leaf Node 1Node 2Node i G(pad i ) ki0ki0

18 Security and Efficiency Security against malicious adversaries – If the OT is secure against malicious adversaries Efficiency – V PRG invocation – n oblivious transfers Consider SPIR – Naor-Pinkas construction NlogN symmetric-key ops – Our new construction N symmetric-key ops

19 Hiding the Structure (k 0 1, k 1 1 ) (k 0 2, k 1 2 ) (k 0 n, k 1 n ) Oblivious Transfer X = x 1 … x n k xn n k x1 1 k x Return OT answers randomly permuted K x4 4 K x7 7 K x1 1 … We need a strong OT Queries and answers cannot be connected

20 Hiding the Structure K x4 4 K x7 7 K x1 1 … Node jNode iNode k Permuted list of encrypted nodes Permuted list of OT answers xixi pad i pad j pad k K0iK0i Pad j || j K1iK1i Pad k || k || 0 k $ G(pad 1 ) j’ ||

21 Extension to DAGs In DTs – Each path from the root to a leaf contains unique variables – If a variable appears twice we can remove the second instance – A single key needs to be accessed only once In BPs – Each variable can appear multiple times in a single path

22 Oblivious BP Evaluation K x4 4 K x7 7 K x1 1 … Node jNode iNode k Permuted list of encrypted nodes Permuted list for each level xixi pad 1 pad 2 pad 3 K0iK0i Pad 2 || j K1iK1i Pad 3 || k || 0 k $ G(pad 1 ) j’ || K’ x6 6 K’ x4 4 K’ x2 2 …

23 Security and Efficiency Security – Secure against a malicious input holder – Private against a malicious BP holder Efficiency – O(nl) oblivious transfers – O(V) PRG invocations – V is the number of nodes in the graph, l is the depth of the BP

24 Comparison Yao IP07 Barnie09, Brickell 07 Ours

25 Conclusions A computationally efficient protocols for OBP Applications to private database queries Future Work – Avoid strong OTs Needs Paillier’s encryption Work in progress: achieve this using any standard OT – Ambitious open question Achieve communication and computation efficiency


Download ppt "Oblivious Branching Program Evaluation Payman Mohassel and Salman Niksefat University of Calgary."

Similar presentations


Ads by Google