摘要
私有函数计算(private function evaluation,PFE)的目的是安全地计算函数f(x1,x2,…,xn),而不泄露除了输出所揭示的信息之外的任何其他信息,适用于计算多方联合数据集的大数据分析任务,且其分析算法 f 是不方便公开的.Mohassel 等在 EUROCRYPT 2013 提出了一个基于多方秘密共享方案(GMW)的被动安全多方私有函数计算方案,他们的协议具有线性轮交互,不适用于高延迟网络,限制了多方私有函数计算的实用性.针对上述问题,本文利用 Ben-Efraim 等人的优化多方混淆电路 BMR 方案、Katz等人的基于同态加密的不经意扩展置换方案(HE-OEP)和Mohassel等人的基于交换网络的不经意扩展置换方案(SN-OEP),通过隐藏由函数 f 编译得到的电路 Cf 的拓扑结构达到保护电路私有性的目的,分别构造基于同态加密的多方私有函数计算协议ΠBMR-PFE(HE-OEP)和基于交换网络的多方私有函数计算协议 ΠBMR-PFE(SN-OEP).所提两个协议都具有常数交互轮次,前者主要基于非对称密码原语构造,具有线性复杂度 O(g),交互轮次可以压缩至 7 轮;后者主要基于对称密码原语构造,具有复杂度O(g log(g)),交互轮次可以压缩至 8 轮.所提方案能够抵抗半诚实敌手腐化最多 n-1 个参与方,在大多数不信任的参与方的协议执行环境下,这能够有效保护自己重要的私有数据财产,避免因数据泄露而被侵犯利益.另外,所提协议与 2023 年Xu等人提出的协议具有相近的通信、计算复杂度和交互轮次,当参与方数量从 5 开始,在电路门数量级在 210 ∼ 220 之间,所提协议对比他们的协议具有更低的通信开销,而混淆电路提出至今,通信开销一直是其性能瓶颈,因此所提基于多方混淆电路的常数轮多方私有函数计算方案,能够有效提升高延迟网络环境下计算大型电路时多方私有函数计算协议的效率.
Abstract
The purpose of private function evaluation(PFE)is to securely compute a function f(x1,x2,…,xn)without revealing any information other than that revealed by the output,and PFE is suitable for computing multi-party big data analysis tasks of joint dataset whose analysis algorithm f is not conveniently public.Mohassel et al.proposed a passively secure multi-party private function evaluation scheme based on a multi-party secret sharing scheme(GMW)in EUROCRYPT 2013.Their protocol has linear rounds of interaction and is not applicable to high latency networks,which limits the practicality of multi-party private function evaluation.To address such problems,this study utilizes the optimized multi-party garbled circuit BMR scheme proposed by Ben-Efraim et al,the oblivious extended permutation based on homomorphic encryption scheme(HE-OEP)proposed by Mohassel et al.and the oblivious extended permutation based on switching network scheme(SN-OEP)proposed by Katz et al.to achieve circuit protection by hiding the topology of the circuit Cf compiled from the function f and constructing the multi-party private function evaluation protocol ΠBMR-PFE(HE-OEP)based on homomorphic encryption and ΠBMR-PFE(SN-OEP)based on switching network,respectively.Both protocols proposed in this study have a constant rounds of interaction,the former is constructed mainly based on asymmetric cryptographic primitives with linear complexity O(g),and its rounds of interaction can be compressed to 7 rounds of interaction,while the latter is constructed mainly based on symmetric cryptographic primitives construction with complexity O(g log(g)),and its rounds of interaction can be compressed to 8 rounds of interaction.The scheme proposed in this study can resist semi-honest adversaries to corrupt at most n-1 participants,which can effectively protect one's important private data property from data leakage in a protocol execution environment where most of the participants are untrusted.In addition,the protocols proposed in this study has similar communication and computation complexities and rounds of interaction as the protocols proposed by Xu et al.in 2023.When the number of participants starts from 5,the proposed protocols in this study has lower specific communication overhead than their protocols in the number of circuit gates between 210 and 220,while the communication overhead has been the performance bottleneck of the garbled circuit since it was proposed.Therefore,the multi-party private function evaluation scheme based on the multi-party garbled circuit with constant rounds of interaction proposed in this study can effectively improve the efficiency of the multi-party private function evaluation protocol when computing large circuits in a high-latency network environment.
国家科技期刊平台
NSTL
万方数据