Constant-Round Multiparty Private Function Evaluation with (Quasi-)Linear Complexities

  • Conference paper
Applied Cryptography and Network Security (ACNS 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13906))

Abstract

Private function evaluation (PFE) is a special case of secure multiparty computation. In multiparty PFE, the party \(P_1\) holds its private \(n\)-variable function \(f\) and private input \(x_1\), while the other parties \(P_i~(n\ge i\ge 2)\) hold their private inputs \(x_i\). All \(n\) participants can jointly evaluate the function \(f\) and learn nothing from the interactions except the result \(f(x_1,...,x_n)\) (known to a subset or all of the parties). The existing multiparty PFE protocols (e.g., Mohassel et al. at Eurocrypt’13 and Asiacrypt’14) have round complexity \(O(g)\) (where \(g\) is the circuit size), which makes them extremely impractical. In this work, we propose for the first time constant-round multiparty PFE protocols that are secure against any number of corrupted parties under the semi-honest security model. We design our first construction from the oblivious evaluation of switching network (OSN) protocol (Mohassel et al. at Eurocrypt’13); it needs only 9 rounds of interaction and achieves quasi-linear communication and computation complexities (i.e., \(O(ng\log (g))\)). Our second construction is based on singly homomorphic encryption; it needs only 8 rounds of interaction and achieves linear complexities. The OSN-based construction also benefits from a design trick: it relies only on symmetric operations, which makes it really efficient in actual executions. We further optimize our constructions with the half-gate technique.

References

  1. Alhassan, M.Y., Günther, D., Kiss, Á., Schneider, T.: Efficient and scalable universal circuits. J. Cryptol. 33(3), 1216–1271 (2020)

  2. Asharov, G., Lindell, Y., Schneider, T., Zohner, M.: More efficient oblivious transfer and extensions for faster secure computation. In: CCS 2013, pp. 535–548. ACM (2013)

  3. Barni, M., Failla, P., Kolesnikov, V., Lazzeretti, R., Sadeghi, A., Schneider, T.: Secure evaluation of private linear branching programs with medical applications. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 424–439. Springer, Heidelberg (2009)

  4. Beaver, D., Micali, S., Rogaway, P.: The round complexity of secure protocols. In: Proceedings of the Twenty-second Annual ACM STOC, pp. 503–513 (1990)

  5. Ben-Efraim, A., Lindell, Y., Omri, E.: Optimizing semi-honest secure multiparty computation for the internet. In: CCS 2016, pp. 578–590. ACM (2016)

  6. Biçer, O., Bingol, M.A., Kiraz, M.S., Levi, A.: Highly efficient and re-executable private function evaluation with linear complexity. IEEE Transactions on Dependable and Secure Computing (2020)

  7. Bingöl, M.A., Biçer, O., Kiraz, M.S., Levi, A.: An efficient 2-party private function evaluation protocol based on half gates. Comput. J. 62(4), 598–613 (2019)

  8. Choi, S.G., Katz, J., Malozemoff, A.J., Zikas, V.: Efficient Three-Party Computation from Cut-and-Choose. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 513–530. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44381-1_29

  9. Demmler, D., Schneider, T., Zohner, M.: ABY - A framework for efficient mixed-protocol secure two-party computation. In: NDSS 2015. The Internet Society (2015)

  10. ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 31(4), 469–472 (1985)

  11. Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: Proceedings of the 19th Annual ACM STOC, pp. 218–229. ACM (1987)

  12. Günther, D., Kiss, Á., Schneider, T.: More Efficient Universal Circuit Constructions. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 443–470. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_16

  13. Holz, M., Kiss, Á., Rathee, D., Schneider, T.: Linear-complexity private function evaluation is practical. In: Chen, L., Li, N., Liang, K., Schneider, S. (eds.) ESORICS 2020. LNCS, vol. 12309, pp. 401–420. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-59013-0_20

  14. Huang, Y., Evans, D., Katz, J.: Private set intersection: Are garbled circuits better than custom protocols? In: NDSS 2012. The Internet Society (2012)

  15. Ishai, Y., Kilian, J., Nissim, K., Petrank, E.: Extending oblivious transfers efficiently. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 145–161. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_9

  16. Katz, J., Malka, L.: Constant-round private function evaluation with linear complexity. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 556–571. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_30

  17. Katz, J., Ranellucci, S., Rosulek, M., Wang, X.: Optimizing authenticated garbling for faster secure two-party computation. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10993, pp. 365–391. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_13

  18. Kiss, Á., Schneider, T.: Valiant’s universal circuit is practical. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 699–728. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_27

  19. Kolesnikov, V., Kumaresan, R.: Improved OT extension for transferring short secrets. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 54–70. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_4

  20. Lipmaa, H., Mohassel, P., Sadeghian, S.: Valiant’s universal circuit: improvements, implementation, and applications. Cryptology ePrint Archive, Paper 2016/017 (2016). https://eprint.iacr.org/2016/017

  21. Liu, H., Yu, Yu., Zhao, S., Zhang, J., Liu, W., Hu, Z.: Pushing the limits of Valiant’s universal circuits: simpler, tighter and more compact. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12826, pp. 365–394. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84245-1_13

  22. Liu, Y., Wang, Q., Yiu, S.: Making private function evaluation safer, faster, and simpler. In: Hanaoka, G., Shikata, J., Watanabe, Y. (eds.) PKC 2022. LNCS, vol. 13177, pp. 349–378. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-030-97121-2_13

  23. Mohassel, P., Sadeghian, S.S.: How to hide circuits in MPC an efficient framework for private function evaluation. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 557–574. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_33

  24. Mohassel, P., Sadeghian, S.S., Smart, N.P.: Actively secure private function evaluation. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 486–505. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_26

  25. Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_16

  26. Sadeghi, A., Schneider, T.: Generalized universal circuits for secure evaluation of private functions with application to data classification. In: Lee, P.J., Cheon, J.H. (eds.) ICISC 2008. LNCS, vol. 5461, pp. 336–353. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-642-00730-9_21

  27. Valiant, L.G.: Universal circuits (preliminary report). In: Proceedings of the Eighth Annual ACM STOC, pp. 196–203 (1976)

  28. Waksman, A.: A permutation network. J. ACM (JACM) 15(1), 159–163 (1968)

  29. Wang, X., Ranellucci, S., Katz, J.: Authenticated garbling and efficient maliciously secure two-party computation. In: CCS 2017, pp. 21–37. ACM (2017)

  30. Wang, X., Ranellucci, S., Katz, J.: Global-scale secure multiparty computation. In: CCS 2017, pp. 39–56. ACM (2017)

  31. Yang, K., Wang, X., Zhang, J.: More efficient MPC from improved triple generation and authenticated garbling. In: CCS 2020, pp. 1627–1646. ACM (2020)

  32. Yang, K., Weng, C., Lan, X., Zhang, J., Wang, X.: Ferret: Fast extension for correlated OT with small communication. In: CCS 2020, pp. 1607–1626. ACM (2020)

  33. Yao, A.C.C.: How to generate and exchange secrets. In: 27th Annual Symposium on Foundations of Computer Science (SFCS1986), pp. 162–167. IEEE (1986)

  34. Zahur, S., Rosulek, M., Evans, D.: Two halves make a whole - reducing data transfer in garbled circuits using half gates. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 220–250. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_8


Acknowledgement

Xiangxue Li is supported by National Natural Science Foundation of China (61971192), Shanghai Municipal Education Commission (2021-01-07-00-08-E00101), and Shanghai Trusted Industry Internet Software Collaborative Innovation Center.

Corresponding author

Correspondence to Xiangxue Li.

Appendices

A OSN Protocol

A.1 Switching Network and Permutation Network

A switching network SN is a set of interconnected switches that takes \(N\) inputs and a set of selection bits, and outputs \(N\) values. Each switch in the network accepts two \(l\)-bit strings as inputs and outputs two \(l\)-bit strings. A switch with two selection bits is called a 2-switch (2-SW), and a switch with one selection bit is called a 1-switch (1-SW). A 2-switch has 4 exchange types: if its input is \((x_0,x_1)\) and its selection bits are \((s_0,s_1)\), then its outputs are \(y_0= x_{s_0}\), \(y_1=x_{s_1}\). In the OSN protocol, only 1-switches (two exchange types) need to be used.

Definition 3 (Mapping for a Switching Network)

The mapping \(\pi : \{1...N\} \rightarrow \{1...N\}\) corresponding to a switching network SN is defined such that \(\pi (i)=j\) if and only if, after evaluation of SN on the \(N\) inputs, the value of the input wire \(i\) is assigned to the output wire \(j\).

A permutation network is a special switching network whose corresponding mapping is a permutation, so only 1-switches need to be used in a permutation network. When the input of a switch is \((x_0,x_1)\), the output is one of two types, i.e., \((x_0,x_1)\) or \((x_1,x_0)\). An optimal permutation network is proposed in [28]. For any \(N=2^l\) inputs, there is a permutation network with \(N\log (N)-N+1\) switches and depth \(2\log (N)-1\).

A.2 OSN

In [23], Mohassel and Sadeghian implemented a constant-round 2-OEP protocol using a combination of a switching network and a permutation network, which they called the oblivious evaluation of a switching network (OSN) protocol. We utilize the OSN protocol, so we introduce its implementation here and refer the reader to [23] for the details. The OSN protocol is mainly composed of two components: (1) implementing an extended permutation by using SN and PN, and (2) obliviously evaluating the switching network by using the OT protocol.

Construct EP with SN and PN. A switching network maps \(N\) inputs to \(N\) outputs, but an extended permutation \(\pi :\{1...M\}\rightarrow \{ 1...N\}\) maps \(M\) inputs to \(N\) outputs \((N\ge M)\). To simulate an extended permutation using a switching network, \(N-M\) dummy values are required in addition to the \(M\) real inputs of the EP. In [23], the construction of the entire switching network is divided into three components: (1) dummy value placement, (2) replication, (3) permutation. Figure 8 shows a concrete example.

Fig. 8. A Switching Network for EP \(\pi \)

The dummy value placement component takes \(M\) real values and \(N-M\) dummy values as inputs. For each real input that is mapped to \(k\) different outputs according to \(\pi \), the component outputs the real value followed by \(k-1\) dummy values. The process is similar to permuting \(N\) inputs, so it can be implemented using a permutation network.

The replication component takes the outputs of the previous component as inputs. A real value is output directly, and a dummy value is replaced with the real value that precedes it. Because only two exchange types are required, a 1-switch can be used. For input \((x_0 ,x_1)\), the possible outputs are \((x_0,x_1)\) or \((x_0,x_0)\). An output of \((x_0,x_1)\) means that both values are real values. An output of \((x_0,x_0)\) means that \(x_0\) is the real value and \(x_1\) is the dummy value. This phase can be implemented using \(N-1\) switches.

The permutation component takes the outputs of the replication component as inputs and places the \(N\) elements in their final positions according to the mapping \(\pi \). This component can also be implemented using a permutation network.

The first and third components can each be implemented using a permutation network, so the number of switches they require is \(2(N\log (N)-N+1)\). The second component requires \(N-1\) switches. Since 1-switches can be used in all three components, a total of \((2N\log (N)-N+1)\) 1-switches are required to implement the switching network.

Oblivious Evaluation of Switching Networks (OSN). Next, we show how 2-OEP can be achieved by evaluating the entire switching network. \(P_1\) has a mapping \(\pi \), from which it can derive the selection bit of each switch in the switching network, and \(P_1\) also has a blinding vector \(\vec {t}\); \(P_2\) has the input vector \(\vec {x}\). Finally, \(P_2\) learns the output \((x_{\pi ^{-1}(1)}\oplus t_1...x_{\pi ^{-1}(N)}\oplus t_N)\) of the switching network.

In Fig. 9, we give two examples of a 1-switch: Fig. 9(a) is mainly used for the dummy value placement component and the permutation component, and Fig. 9(b) is used for the replication component. We take Fig. 9(a) as an example. Assume that the input wires of a switch are \(w_i\) and \(w_j\) and the output wires are \(w_k\) and \(w_l\). \(P_2\) generates random values \(r_i\), \(r_j\), \(r_k\), \(r_l\) on the four wires. \(P_1\) has \((x_i\oplus r_i)\), \((x_j\oplus r_j)\) and the selection bit \(s_0\) of this switch. After evaluating the switch, \(P_1\) learns \(y_1\), \(y_2\). This can be implemented through the OT protocol, where \(P_1\) as the receiver inputs the selection bit \(s_0\) and \(P_2\) as the sender inputs the two values of the \(\varGamma \) column in Fig. 9(a). For example, when \(s_0\) is 0, \(P_1\) gets \((r_i\oplus r_k, r_j\oplus r_l)\); \(P_1\) then XORs \((x_i\oplus r_i )\) with \((r_i\oplus r_k)\) to get \((x_i\oplus r_k)\), and XORs \((x_j\oplus r_j)\) with \((r_j\oplus r_l)\) to get \((x_j\oplus r_l)\), which completes the evaluation of the switch.

The evaluation process for the entire switching network is as follows. In the offline stage, \(P_2\) generates a random value for each wire in the switching network, and \(P_1\) and \(P_2\) execute a series of parallel 1-out-of-2 OT protocols. In the online stage, \(P_2\) blinds its own input vector \(\vec {x}\) using the random values on the input wires of the switching network that were generated in the offline stage, and then sends the blinded result to \(P_1\). Now \(P_1\) has the necessary information to evaluate the entire switching network, and does so locally using XOR operations. Finally, \(P_1\) uses the blinding vector \(\vec {t}\) to blind the output of the switching network and sends the blinded result to \(P_2\). \(P_2\) unblinds the result using the random values on the output wires of the switching network generated in the offline stage and learns the final result \((x_{\pi ^{-1}(1)}\oplus t_1...x_{\pi ^{-1}(N)}\oplus t_N)\).

Fig. 9. 1-Switch

From the above description, it follows that the OSN protocol is constant-round. The total number of rounds is 3: the OT protocol costs 2 rounds, and it costs 1 more round for \(P_1\) to send the result to \(P_2\). Note that the round of communication in which \(P_2\) sends the blinded vector \(\vec {x}\) to \(P_1\) can be incorporated into the OT protocol. The evaluation of each switch costs 1 OT, so the entire OSN protocol costs \((2N\log (N)-N+1)\) 1-out-of-2 OT protocols.
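The offline and online stages described above, as an added Python example that is not code from the paper. Assumptions: the parallel OTs are replaced by an ideal stand-in, the swap and replicate OT messages are derived from the switch definitions because the \(\varGamma \) column of Fig. 9 is not reproduced on this page, and the 4-wire switch layout, `L` and all function names are constructed for illustration.

```python
import secrets

L = 16  # byte length of a wire value (constructed parameter)

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def p2_offline(switches, n):
    """P_2: draw a random mask per wire and build both OT messages per switch."""
    mask = [secrets.token_bytes(L) for _ in range(n)]
    in_mask, tables = list(mask), []
    for kind, a, b in switches:
        ri, rj = mask[a], mask[b]
        rk, rl = secrets.token_bytes(L), secrets.token_bytes(L)
        m0 = (xor(ri, rk), xor(rj, rl))        # s=0: (x_i, x_j) passes through
        if kind == "perm":
            m1 = (xor(rj, rk), xor(ri, rl))    # s=1: outputs (x_j, x_i)
        else:
            m1 = (xor(ri, rk), xor(ri, rl))    # s=1: outputs (x_i, x_i)
        tables.append((m0, m1))
        mask[a], mask[b] = rk, rl              # output wires carry fresh masks
    return in_mask, tables, mask

def ideal_ot(tables, bits):
    """Stand-in for the parallel 1-out-of-2 OTs: P_1 gets one message per switch."""
    return [pair[s] for pair, s in zip(tables, bits)]

def p1_evaluate(switches, bits, chosen, blinded):
    """P_1: evaluate every switch locally with XOR, on masked values only."""
    v = list(blinded)
    for (kind, a, b), s, (g0, g1) in zip(switches, bits, chosen):
        if s == 0:
            top, bottom = a, b
        elif kind == "perm":
            top, bottom = b, a
        else:
            top, bottom = a, a
        v[a], v[b] = xor(v[top], g0), xor(v[bottom], g1)
    return v

def run_osn(switches, bits, x, t):
    """Return what P_2 learns: x[src(j)] XOR t[j] for every output wire j."""
    in_mask, tables, out_mask = p2_offline(switches, len(x))      # offline
    chosen = ideal_ot(tables, bits)                               # offline
    blinded = [xor(xi, ri) for xi, ri in zip(x, in_mask)]         # P_2 -> P_1
    masked_out = p1_evaluate(switches, bits, chosen, blinded)
    to_p2 = [xor(v, tj) for v, tj in zip(masked_out, t)]          # P_1 -> P_2
    return [xor(v, r) for v, r in zip(to_p2, out_mask)]           # P_2 unblinds

# Constructed 4-wire network (not Waksman's layout): inputs A, B, C plus dummy D.
SWITCHES = [("perm", 2, 3), ("perm", 1, 2),               # placement   -> A D B C
            ("rep", 0, 1), ("rep", 1, 2), ("rep", 2, 3),  # replication -> A A B C
            ("perm", 0, 2), ("perm", 1, 3)]               # permutation -> B A A C
BITS = [1, 1, 1, 0, 0, 1, 0]   # P_1's selection bits, derived from its mapping
SRC = [1, 0, 0, 2]             # output wire j carries input SRC[j]

def demo():
    x = [bytes([c]) * L for c in b"ABCD"]      # constructed inputs of P_2
    t = [secrets.token_bytes(L) for _ in x]    # P_1's blinding vector
    out = run_osn(SWITCHES, BITS, x, t)
    return all(out[j] == xor(x[SRC[j]], t[j]) for j in range(len(x)))

if __name__ == "__main__":
    print("P_2 output matches x[src(j)] XOR t[j]:", demo())
```

Every value `p1_evaluate` touches is an input XORed with a fresh uniform mask, and P_2 sees only the result blinded by \(\vec {t}\).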

B Security Proof

Theorem 2

If \(H\) is modeled as a random oracle, the n-PFE protocol in Fig. 7 is secure in the \((\mathcal {F}_{n-OSN},\mathcal {F}_{bitOT},\mathcal {F}_{stringOT})\)-hybrid model against a semi-honest adversary corrupting up to \(n-1\) parties.

Proof

We divide the proof into two cases: \(P_1\in \mathcal {H}\), and \(P_1\in \mathcal {C}\) with \(P_2\in \mathcal {H}\). Note that the case of \(P_1\in \mathcal {C}\) and \(P_i\in \mathcal {H}~~ (i\ge 3)\) is similar to the second case.

\(P_1\in \mathcal {H}\). Let \(\mathcal {A}\) denote an adversary that corrupts \(\{P_i\}_{i\in \mathcal {C}}\). We construct a simulator \(\mathcal {S}\) to simulate \(\mathcal {A}\) and play the role of \(\{P_i\}_{i\in \mathcal {C}}\) in an ideal world involving an ideal functionality \(\mathcal {F}_{n-PFE}\) evaluating \(f\). \(\mathcal {S}\) is defined as follows:

  • Steps 1-5. \(\mathcal {S}\) acts as honest \(\{P_i\}_{i\in \mathcal {H}}\) and plays the functionalities \(\mathcal {F}_{n-OSN}\), \(\mathcal {F}_{bitOT}\) and \(\mathcal {F}_{stringOT}\), recording all values sent to and received from \(\mathcal {A}\).

  • Step 6. \(\mathcal {S}\) interacts with \(\mathcal {A}\) acting as honest \(\{P_i\}_{i\in \mathcal {H}}\), using input \(\{x_{I_i}:=0\}_{i\in \mathcal {H}}\) for input wire \(I_i\); \(\mathcal {S}\) sends \(\varLambda _{I_i}=x_{I_i}\oplus \lambda _{I_i}^i\) to \(\mathcal {A}\). For each \(i\in \mathcal {C}\) and each input wire \(I_i\), \(\mathcal {S}\) receives \(\varLambda _{I_i}\) from \(\mathcal {A}\) and computes \(x_{I_i}=\varLambda _{I_i}\oplus \lambda _{I_i}^i\).

  • Step 7. \(\mathcal {S}\) interacts with \(\mathcal {A}\) acting as honest \(\{P_i\}_{i\in \mathcal {H}}\); for each \(i\in \mathcal {C}\) and all input wires \(I\), \(\mathcal {S}\) receives \(L_{I,\varLambda _{I}}^i\) from \(\mathcal {A}\).

  • Steps 8-10. \(\mathcal {S}\) interacts with \(\mathcal {A}\) acting as honest \(\{P_i\}_{i\in \mathcal {H}}\). For each \(i\in \mathcal {C}\), \(\mathcal {S}\) sends \((input, x_{I_i})\) on behalf of \(P_i\) to \(\mathcal {F}_{n-PFE}\).

Next we will show that the joint distribution of the outputs of \(\mathcal {A}\) and honest \(\{P_i\}_{i\in \mathcal {H}}\) in the real world is indistinguishable from the joint distribution of the outputs of \(\mathcal {S}\) and \(\{P_i\}_{i\in \mathcal {H}}\) in the ideal world.

  • Hybrid1. This is the hybrid-world protocol. \(\mathcal {S}\) plays the role of honest \(\{P_i\}_{i\in \mathcal {H}}\), using real input \(\{x_{I_i}\}_{i\in \mathcal {H}}\) instead of making \(\{x_{I_i}:=0\}_{i\in \mathcal {H}}\), and plays the role of \(\mathcal {F}_{n-OSN}\), \(\mathcal {F}_{bitOT}\), \(\mathcal {F}_{stringOT}\).

  • Hybrid2. Same as Hybrid1, except in step 6, for each \(i\in \mathcal {C}\), for each input wire \(I_i\), \(\mathcal {S}\) receives \(\varLambda _{I_i}\) from \(\mathcal {A}\), and computes \(x_{I_i}=\varLambda _{I_i}\oplus \lambda _{I_i}^i\). Then \(\mathcal {S}\) sends \((input, x_{I_i})\) on behalf of \(P_i\) to \(\mathcal {F}_{n-PFE}\). So \(P_1\) outputs \(\mathcal {F}(x_{I_1},...x_{I_n})\). The distributions on the view of \(\mathcal {A}\) in Hybrid1 and Hybrid2 are identical. \(P_1\) will generate the same outputs in both Hybrid1 and Hybrid2 under the semi-honest security model.

  • Hybrid3. Same as Hybrid2, except in step 6, for each \(i\in \mathcal {H}\), for each input wire \(I_i\), \(\mathcal {S}\) uses \(\{x_{I_i}:=0\}_{i\in \mathcal {H}}\) as input. The distributions on the view of \(\mathcal {A}\) in Hybrid2 and Hybrid3 are identical, because \(\{\lambda _{I_i}^i\}_{i\in \mathcal {H}}\) are uniform, so \(\{\varLambda _{I_i}\}_{i\in \mathcal {H}}\) are uniform for \(\mathcal {A}\).

Note that Hybrid1 is the real-world execution and Hybrid3 is the ideal-world execution. This completes the proof for honest \(P_1\).

\(P_1\in \mathcal {C}\), \(P_2\in \mathcal {H}\). Let \(\mathcal {A}\) denote an adversary that corrupts \(\{P_i\}_{i\in \mathcal {C}}\). We construct a simulator \(\mathcal {S}\) to simulate \(\mathcal {A}\) and play the role of \(\{P_i\}_{i\in \mathcal {C}}\) in an ideal world involving an ideal functionality \(\mathcal {F}_{n-PFE}\) evaluating \(f\). \(\mathcal {S}\) is defined as follows:

  • Steps 1-4. \(\mathcal {S}\) acts as honest \(\{P_i\}_{i\in \mathcal {H}}\) and plays the functionality \(\mathcal {F}_{n-OSN}\), recording all values sent to and received from \(\mathcal {A}\).

  • Step 5. \(\mathcal {S}\) acts as honest \(\{P_i\}_{i\in \mathcal {H}}\) and plays the functionalities \(\mathcal {F}_{bitOT}\) and \(\mathcal {F}_{stringOT}\), and sends the garbled tables to \(\mathcal {A}\).

  • Step 6. \(\mathcal {S}\) interacts with \(\mathcal {A}\) acting as honest \(\{P_i\}_{i\in \mathcal {H}}\), using input \(\{x_{I_i}:=0\}_{i\in \mathcal {H}}\) for input wire \(I_i\); \(\mathcal {S}\) sends \(\varLambda _{I_i}=x_{I_i}\oplus \lambda _{I_i}^i\) to \(\mathcal {A}\). For each \(i\in \mathcal {C}\), for each input wire \(I_i\), \(\mathcal {S}\) receives \(\varLambda _{I_i}\) from \(\mathcal {A}\), and computes \(x_{I_i}=\varLambda _{I_i}\oplus \lambda _{I_i}^i\).

  • Step 7. \(\mathcal {S}\) interacts with \(\mathcal {A}\) acting as honest \(\{P_i\}_{i\in \mathcal {H}}\); for each \(i\in \mathcal {H}\), for all input wires \(I\), \(\mathcal {S}\) sends \(L_{I,\varLambda _{I}}^i\) to \(\mathcal {A}\).

  • Steps 8-10. \(\mathcal {S}\) interacts with \(\mathcal {A}\) acting as honest \(\{P_i\}_{i\in \mathcal {H}}\). For each \(i\in \mathcal {C}\), \(\mathcal {S}\) sends \((input, x_{I_i})\) computed in step 6 on behalf of \(P_i\) to \(\mathcal {F}_{n-PFE}\).

Next we will show that the joint distribution of the outputs of \(\mathcal {A}\) and honest \(\{P_i\}_{i\in \mathcal {H}}\) in the real world is indistinguishable from the joint distribution of the outputs of \(\mathcal {S}\) and \(\{P_i\}_{i\in \mathcal {H}}\) in the ideal world.

  • Hybrid1. Same as the hybrid-world protocol. \(\mathcal {S}\) plays the roles of honest \(\{P_i\}_{i\in \mathcal {H}}\), using real input \(\{x_{I_i}\}_{i\in \mathcal {H}}\) instead of making \(\{x_{I_i}:=0\}_{i\in \mathcal {H}}\), and plays the roles of \(\mathcal {F}_{n-OSN}\), \(\mathcal {F}_{bitOT}\), \(\mathcal {F}_{stringOT}\).

  • Hybrid2. Same as Hybrid1, except in step 6, for each \(i\in \mathcal {C}\), for each input wire \(I_i\), \(\mathcal {S}\) receives \(\varLambda _{I_i}\) from \(\mathcal {A}\), and computes \(x_{I_i}=\varLambda _{I_i}\oplus \lambda _{I_i}^i\), and \(\mathcal {S}\) sends \((input, x_{I_i})\) on behalf of \(P_i\) to \(\mathcal {F}_{n-PFE}\). The distributions on the view of \(\mathcal {A}\) in Hybrid1 and Hybrid2 are identical.

  • Hybrid3. Same as Hybrid2, except in step 6, for each \(i\in \mathcal {H}\), for each input wire \(I_i\), \(\mathcal {S}\) uses \(\{x_{I_i}:=0\}_{i\in \mathcal {H}}\) as input. It follows from the security of garbling with \(H\) modeled as a random oracle, and from the fact that \(\{\lambda _{I_i}^i\}_{i\in \mathcal {H}}\) are uniform, that the distributions on the view of \(\mathcal {A}\) in Hybrid3 and Hybrid2 are identical.

Note that Hybrid1 is the real-world execution and Hybrid3 is the ideal-world execution. This completes the proof for corrupted \(P_1\).

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Xu, Y., Jia, H., Li, X., Li, Q., Bao, Y., Hou, X. (2023). Constant-Round Multiparty Private Function Evaluation with (Quasi-)Linear Complexities. In: Tibouchi, M., Wang, X. (eds) Applied Cryptography and Network Security. ACNS 2023. Lecture Notes in Computer Science, vol 13906. Springer, Cham. https://doi.org/10.1007/978-3-031-33491-7_5

  • DOI: https://doi.org/10.1007/978-3-031-33491-7_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-33490-0

  • Online ISBN: 978-3-031-33491-7

  • eBook Packages: Computer Science, Computer Science (R0)
