Size-Hiding Computation for Multiple Parties Kazumasa Shinagawa 1,2 - - PowerPoint PPT Presentation

β–Ά
size hiding computation for multiple parties
SMART_READER_LITE
LIVE PREVIEW

Size-Hiding Computation for Multiple Parties Kazumasa Shinagawa 1,2 - - PowerPoint PPT Presentation

Nov 23, 2023 229 likes β€’528 views

Size-Hiding Computation for Multiple Parties Kazumasa Shinagawa 1,2 Koji Nuida 2,3 Takashi Nishide 1 Goichiro Hanaoka 2 Eiji Okamoto 1 1: University of Tsukuba, 2: AIST, 3: JST PRESTO 1 Secure Multiparty Computation l Each party "

slide-1
SLIDE 1

Size-Hiding Computation for Multiple Parties

Kazumasa Shinagawa1,2 Koji Nuida2,3 Takashi Nishide1 Goichiro Hanaoka2 Eiji Okamoto1

1: University of Tsukuba, 2: AIST, 3: JST PRESTO 1

slide-2
SLIDE 2

2

Secure Multiparty Computation

l Each party 𝑄

" has some private input 𝑦"

l The parties wish to compute a function 𝑧 = 𝑔(𝑦(, β‹―, 𝑦+) without revealing the inputs l Consider the single output, semi-honest, π‘œ βˆ’ 1 corruption

𝑦( 𝑦0 𝑦1 𝑦2 𝑦3 𝑦4

slide-3
SLIDE 3

l can hide some of input/output-sizes from some of parties l Each private size can be hidden from different set of parties l It is known that some of size-hiding is impossible in general l Which type of size-hiding is possible in general?

Size-Hiding Computation

3

complete characterization for the feasibility (assuming the existence of FHE) This Talk

slide-4
SLIDE 4

Set Intersection

l Police has a list of terrorists π‘Œ l Company has a list of customers 𝑍 l Police wants to compute π‘Œ ∩ 𝑍 without revealing |π‘Œ| l NaΓ―ve approach: Padding l Padding is inefficient

4

π‘Œ 𝑍 Compute π‘Œ ∩ 𝑍

slide-5
SLIDE 5

Millionaire Problem

5

l Aliens: β€œWhich planet has the largest population?” l The population is related to the military power l The input-size is also related to the military power l Padding doesn’t work ∡ The largest population in the universe is too large

slide-6
SLIDE 6

Outline

6

l Notations l Classification for two-party [LNO13] l Classification for multiparty

u Almost all sizes cannot be hidden

l Strong secure channel (SSC) model

u It is implementable by steganography

l Classification for multiparty in SSC model

u Many sizes can be hidden in SSC model

NEW NEW NEW NEW NEW NEW NEW NEW

slide-7
SLIDE 7

Notations

7

: 𝑄

9 can know |𝑦"|

: who must not know the output size Β‘ Β‘π‘˜ 𝑗

  • Def. A class is feasible if general MPC is possible

Β‘1 Β‘2 3

ü 𝑄

0 must not know |𝑦(|

ü 𝑄

1 must not know the output-size

・ A size-hiding class

slide-8
SLIDE 8

Two-party Cases [LNO13]

8

Feasible Infeasible Β‘1 Β‘2 Β‘1 Β‘2 2 Β‘1 2 Β‘1 1 Β‘2 Β‘1 Β‘2 2 Β‘1 Private nothing |𝑦( , |𝑦0 , |𝑧| |𝑦( , |𝑦0 |𝑦0|, |𝑧| |𝑦0|, |𝑧| |𝑧| 𝑦0 Private

Hiding two or more sizes is infeasible in two-party case

slide-9
SLIDE 9

Outline

9

l Notations l Classification for two-party [LNO13] l Classification for multiparty

u Almost all sizes cannot be hidden

l Strong secure channel (SSC) model

u It is implementable by steganography

l Classification for multiparty in SSC model

u Many sizes can be hidden in SSC model

NEW NEW NEW NEW NEW NEW NEW NEW

slide-10
SLIDE 10

10

Multiparty Cases (Our Result)

l The infeasibility is proven by techniques of [LNO13] l The protocol for hiding |𝑦(| u The parties invoke KeyGen for threshold FHE u Each party 𝑄

" sends πΉπ‘œπ‘‘(𝑦") to 𝑄 (

u 𝑄

( computes [𝑧] and broadcast it

u They invoke Decryption

Even in MPC, it is infeasible to hide two sizes

Our result in standard model

slide-11
SLIDE 11

11

Limitation of standard channel

∡ channel may leak the number of communication bits 𝑄

( cannot send πΉπ‘œπ‘‘(𝑦()

𝑄

0 cannot send πΉπ‘œπ‘‘(𝑦0)

𝑄

1 can know 𝑦( and 𝑦0

but

1 2 Infeasible 3 1 2 Infeasible

(with additional party)

slide-12
SLIDE 12

SSC model 𝑛′ Secure channel model 𝑛 Adv

|𝑛| ?

Strong Secure Channel (SSC)

12

l It is implementable by steganography

slide-13
SLIDE 13

Outline

13

l Notations l Classification for two-party [LNO13] l Classification for multiparty

u Almost all sizes cannot be hidden

l Strong secure channel (SSC) model

u It is implementable by steganography

l Classification for multiparty in SSC model

u Many sizes can be hidden in SSC model

NEW NEW NEW NEW NEW NEW NEW NEW

slide-14
SLIDE 14

Our Result in SSC model

# of private sizes 1 2 3 4 … Secure channel βœ” ❌ ❌ ❌ … SSC model βœ” βœ”/❌ βœ”/❌ βœ”/❌ …

14

l Complete classification in SSC model l Maximum number of private sizes is π‘œ

slide-15
SLIDE 15

Case 1

When the output-size is public

15

slide-16
SLIDE 16

Case 1 (public output-size)

Infeasible Feasible!

16

l Suppose the output-size is public l Size-hiding computation is feasible in SSC model ⇔ for every and

Β‘ ‘𝑗 Β‘ Β‘π‘˜ Β‘ ‘𝑗 Β‘ Β‘π‘˜ Β‘ ‘𝑗 Β‘ Β‘π‘˜

  • r
  • r

Β‘ ‘𝑗 Β‘ ‘𝑙 Β‘ Β‘π‘˜

βˆƒ :

Β‘ ‘𝑙

slide-17
SLIDE 17

Main Idea for Construction

Β‘2 Β‘3 Β‘1

[𝑦] : FHE ciphertext Sharing Protocol for 𝑄

(:

𝑄

1 sends to 𝑄 (:

[1 ‘𝑦1] 𝑄

0 sends to 𝑄 (:

If 𝑦( β‰₯ 𝑦0 [1 Β‘0 JK L JM ‘𝑦0] Otherwise [0 Β‘0 JK ]

l Invoke Sharing Protocols for 𝑄

(, 𝑄 0, 𝑄 1

One of them can obtain all flagged ciphertexts! β†’ [𝑔(𝑦(, 𝑦0, 𝑦1)] can be computed

17

Longest input

slide-18
SLIDE 18

Infeasibility (Reduced to [LNO13])

l Suppose the class is feasible l Let 𝐺 𝑦(, 𝑦0, 𝑦1,𝑦2 = 𝑔 𝑦(, 𝑦0 l Two private sizes (in two-party) is feasible l It contradicts [LNO13]

18

Β‘3 Β‘2 Β‘1 Β‘4 Β‘3 Β‘2 Β‘1 Β‘4

𝐺 𝑦(,𝑦0,𝑦1,𝑦2

PA PB

slide-19
SLIDE 19

Case 2

When the output-size is private

19

slide-20
SLIDE 20

Case 2 (private output-size)

20

l Suppose the output-size is private l Size-hiding computation is feasible in SSC model ⇔ for every ü The party can know all input-sizes; and ü βˆƒ :

Infeasible Feasible!

slide-21
SLIDE 21

l 𝑄

1, 𝑄 2 are not involved in KeyGen

∡ 𝑄

1, 𝑄 2 must not join threshold Decryption of 𝒛

l 𝑄

1, 𝑄 2 do Evaluation, and obtain 𝑧 with zero paddings

Thanks to the padding, they can do this without knowing |𝑧|

Main Idea for Construction (1)

21

FHE MPC

Β‘1 Β‘2 3 4

+

slide-22
SLIDE 22

Main Idea for Construction (2)

22

Β‘1 Β‘2 3 4

l 𝑄

(, 𝑄0 do KeyGen

l 𝑄1, 𝑄

2 get encrypted input-shares

l 𝑄1, 𝑄

2 do Evaluate using MPC

l 𝑄

(, 𝑄0 do threshold Decryption

If 𝑄

(, 𝑄 0 are corrupted

FHE does not work

𝑄

1 or 𝑄 2 is honest

Security by MPC If 𝑄

1, 𝑄 2 are corrupted

MPC does not work

𝑄

( or 𝑄 0 is honest

Security by FHE

FHE or MPC guarantee the security!

slide-23
SLIDE 23

Infeasibility (Reduced to [LNO13])

l Suppose the class is feasible l Let 𝐺 𝑦(, 𝑦0, 𝑦1 = 𝑔 𝑦(, 𝑦0 l Two private sizes (in two-party) is feasible l It contradicts [LNO13]

23

1 3 2 1 3 2

𝐺 𝑦(,𝑦0,𝑦1

PA PB

slide-24
SLIDE 24

Conclusion

24

Thank you for your attention! l Hiding two is infeasible (standard model) l SSC model is rich for size-hiding l Some of them are still infeasible

slide-25
SLIDE 25

Q&A

l How to implement SSC by steganography?

u A party can hide message of an arbitrary length

25

Q3&5?9A8K7#*AS4W356 Adv

?

slide-26
SLIDE 26

Q&A

l How to implement SSC by steganography?

u A party can hide message of an arbitrary length

26

Q3&5?9A8K7#*AS4W356 Adv

?

slide-27
SLIDE 27

Conclusion

27

l We introduce the strong secure channel (SSC) model l We construct size-hiding protocols in the SSC model l We also prove the (weaker) limitation for the SSC model

This work

l [LNO13] constructed size-hiding protocol for two parties l They also proved the strong limitation

Background

Thank you for your attention!

slide-28
SLIDE 28

Set Intersection

l Police has a list of terrorists π‘Œ l Company has a list of customers 𝑍 l Police wish to compute π‘Œ ∩ 𝑍 without revealing |π‘Œ| l NaΓ―ve approach, Padding, is inefficient

28

・Millionaire Problem (Population version)

l Aliens: β€œWhich planet has the largest population?” l The population is related to the military power l Its size is also related to the military power l Padding doesn’t work since the upper-bound is too large