How to Hide Circuits in MPC an Efficient Framework for Private Function Evaluation

We revisit the problem of general-purpose private function evaluation (PFE) wherein a single party P1 holds a circuit C, while each Pi for 1 ≤ i ≤ n holds a private input xi, and the goal is for a subset (or all) of the parties to learn C(x1, . . . , xn) but nothing else. We put forth a general framework for designing PFE where the task of hiding the circuit and securely evaluating its gates are addressed independently: First, we reduce the task of hiding the circuit topology to oblivious evaluation of a mapping that encodes the topology of the circuit, which we refer to as oblivious extended permutation (OEP) since the mapping is a generalization of the permutation mapping. Second, we design a subprotocol for private evaluation of a single gate (PFE for one gate), which we refer to as private gate evaluation (PGE). Finally, we show how to naturally combine the two components to obtain efficient and secure PFE. We apply our framework to several well-known general-purpose MPC constructions, in each case, obtaining the most efficient PFE construction to date, for the considered setting. Similar to the previous work we only consider semi-honest adversaries in this paper. • In the multiparty case with dishonest majority, we apply our techniques to the seminal GMW protocol [GMW87] and obtain the first general-purpose PFE with linear complexity in the circuit size. • In the two-party case, we transform Yao’s garbled circuit protocol [Yao86] into a constant-round two-party PFE. Depending on the instantiation of the underlying subprotocol, we either obtain a two-party PFE with linear complexity that improves on the only other work with similar asymptotic efficiency (Katz and Malka, ASIACRYPT 2011 [KM11]), or a two-party PFE that provides the best concrete efficiency to date despite not being linear. • The above two constructions are for boolean circuits. In case of arithmetic circuits, we obtain the first PFE with linear complexity based on any additively homomorphic encryption scheme. Though each construction uses different techniques, a common feature in all three is that the overhead of hiding the circuit C is essentially equal to the cost of running the OEP protocol on a vector of size |C|. As a result, to improve efficiency, one can focus on lowering the cost of the underlying OEP protocol. OEP can be instantiated using a singly homomorphic encryption or any general-purpose MPC but we introduce a new construction that we show is significantly more efficient than these alternatives, in practice. The main building block in our OEP construction is an efficient protocol for oblivious switching network evaluation (OSN), a generalization of the previously studied oblivious shuffling problem which is of independent interest. Our results noticeably improve efficiency of the previous solutions to oblivious shuffling, yielding a factor of 25 or more gain in computation and communication. ∗email address: [email protected] †email address: [email protected]