Classifications

• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F17/00—Digital computing or data processing equipment or methods, specially adapted for specific functions
  • G06F17/10—Complex mathematical operations
  • G06F17/14—Fourier, Walsh or analogous domain transformations, e.g. Laplace, Hilbert, Karhunen-Loeve, transforms
  • G06F17/147—Discrete orthonormal transforms, e.g. discrete cosine transform, discrete sine transform, and variations therefrom, e.g. modified discrete cosine transform, integer transforms approximating the discrete cosine transform
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F17/00—Digital computing or data processing equipment or methods, specially adapted for specific functions
  • G06F17/10—Complex mathematical operations
  • G06F17/16—Matrix or vector computation, e.g. matrix-matrix or matrix-vector multiplication, matrix factorization
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
  • G06N3/00—Computing arrangements based on biological models
  • G06N3/02—Neural networks
  • G06N3/04—Architecture, e.g. interconnection topology
  • G06N3/048—Activation functions
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
  • G06N3/00—Computing arrangements based on biological models
  • G06N3/02—Neural networks
  • G06N3/08—Learning methods
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
  • G06N3/00—Computing arrangements based on biological models
  • G06N3/02—Neural networks
  • G06N3/08—Learning methods
  • G06N3/09—Supervised learning
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
  • H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
  • H04L9/085—Secret sharing or secret splitting, e.g. threshold schemes
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
  • H04L2209/04—Masking or blinding
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
  • H04L2209/04—Masking or blinding
  • H04L2209/046—Masking or blinding of operations, operands or results of the operations
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
  • H04L2209/26—Testing cryptographic entity, e.g. testing integrity of encryption key or encryption algorithm
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
  • H04L2209/46—Secure multiparty computation, e.g. millionaire problem

Definitions

• a method for performing privacy-preserving or secure multi-party computations enables multiple parties to collaborate to produce a shared result while preserving the privacy of input data contributed by individual parties.
• the method can produce a result with a specified high degree of precision or accuracy in relation to an exactly accurate plaintext (non-privacy-preserving) computation of the result, without unduly burdensome amounts of inter-party communication.
• the multi-party computations can include a Fourier series approximation of a continuous function or an approximation of a continuous function using trigonometric polynomials, for example, in training a machine learning classifier using secret shared input data.
• the multi-party computations can include a secret share reduction that transforms an instance of computed secret shared data stored in floatingpoint representation into an equivalent, equivalently precise, and equivalently secure instance of computed secret shared data having a reduced memory storage requirement.
• a method for performing secure multi-party computations can produce a result while preserving the privacy of input data contributed by individual parties.
• a dealer computing system can create a plurality of sets of related numerical masking data components, wherein for each set of related numerical masking data components, each component of the set is one of: a scalar, a vector and a matrix.
• the dealer computing system can secret share, among a plurality of party computing systems, each component of each set of the plurality of sets of related numerical masking data components.
• the party computing system can receive a respective secret share of each component of each set of the plurality of sets of numerical masking data components from the trusted dealer.
• the party computing system can, for at least one set of input data, receive a secret share of the set of input data.
• the party computing system can execute a set of program instructions that cause the party computing system to perform, in conjunction and communication with others of the party computing systems, one or more multi-party computations to create one or more instances of computed secret shared data.
• the party computing system can compute a secret share of the instance based on at least one secret share of a set of input data or at least one secret share of another instance of computed secret shared data.
• Received secret shares of numerical masking data components can be used to mask data communicated during the computations.
• the computations can include, for example, a Fourier series approximation of a continuous function or an approximation of a continuous function using trigonometric polynomials.
• the computations can also or alternatively include, for example, a secret share reduction that transforms an instance of computed secret shared data stored in floatingpoint representation into an equivalent, equivalently precise, and equivalently secure instance of computed secret shared data having a reduced memory storage requirement.
• the party computing system can transmit a secret share of an instance of computed secret shared data to one or more others of the plurality of party computing systems.
• the party computing system can receive one or more secret shares of an instance of computed secret shared data from one or more others of the plurality of party computing systems.
• the party computing system can combine the received secret shares of the instance of computed secret shared data to produce the result.
• the method can be performed such that the computations further include partitioning a domain of a function into a plurality of subintervals; and for each subinterval of the plurality of subintervals: determining an approximation of the function on the subinterval, and computing an instance of computed secret shared data using at least one of garbled circuits and oblivious selection.
• the approximation of the continuous function can be on an interval.
• the approximation can be a uniform approximation of the continuous function.
• the continuous function can be a machine learning activation function.
• the machine learning activation function can be the sigmoid function.
• the machine learning activation function can be the hyperbolic tangent function.
• the machine learning activation function can be a rectifier activation function for a neural network.
• the continuous function can be the sigmoid function.
• the secret share reduction can include masking one or more most significant bits of each secret share of an instance of computed secret shared data.
• the result can be a set of coefficients of a logistic regression classification model.
• the method can implement a logistic regression classifier, and the result can be a prediction of the logistic regression classifier based on the input data.
• the dealer computing system can be a trusted dealer computing system, and communications between the party computing systems can be made inaccessible to the trusted dealer computing system.
• the dealer computing system can be an honest-but-curious dealer computing system, and privacy of secret shared input data contributed by one or more of the party computing systems can be preserved regardless of whether communications between the party computing systems can be accessed by the honest-but-curious dealer computing system.
• the method can further include: for at least one set of input data, performing a statistical analysis on the set of input data to determine a set of input data statistics;
• the pre-execution can be performed subsequent to: unrolling loops in the set of source code instructions having a determinable number of iterations; and unrolling function calls in the set of source code instructions.
• the method can be performed such that at least one set of related numerical masking data components consists of three components having a relationship where one of the components is equal to a multiplicative product of a remaining two of the components.
• the method can be performed such that at least one set of related numerical masking data components comprises a number and a set of one or more associated values of Fourier basis functions evaluated on the number.
• the method can be performed such that the result has a predetermined degree of precision in relation to a plaintext computation of the result.
• a system can include a plurality of computer systems, wherein the plurality of computer systems are configured to perform the method.
• a non-transitory computer-readable medium can be encoded with the set of program instructions.
• a non-transitory computer-readable medium can be encoded with computer code that, when executed by plurality of computer systems, cause the plurality of computer systems to perform the method.
• Figure 1 illustrates a graph of the odd-even periodic extension of the rescaled sigmoid.
• Figure 2 illustrates an asymptotic approximation of the sigmoid via Theorem 1.
• Figure 3 illustrates a schematic of the connections during the offline phase of the MPC protocols in accordance with one embodiment.
• Figure 4 illustrates a schematic of the communication channels between players during the online phase in accordance with one embodiment.
• Figure 6 shows the evolution of the cost function during the logistic regression as a function of the number of iterations.
• Figure 7 shows the evolution of the F-score during the same logistic regression as a function of the number of iterations.
• Figure 8 illustrates an example truth table and a corresponding encrypted truth table (encryption table).
• Figure 9 illustrates a table in which we give the garbling time, garbling size and the evaluation time for different garbling optimizations.
• Figure 10 illustrates an example comparison circuit.
• Figure 11 illustrates and example secret addition circuit.
• Figure 12 illustrates a diagram of two example functions.
• Figure 13 illustrates a schematic of a state machine that processes n letters.
• Figure 14 illustrates a method for performing a compilation in accordance with one embodiment.
• Figure 15 illustrates a general computer architecture that can be appropriately configured to implement components disclosed in accordance with various embodiments.
• Figure 16 illustrates a method for performing secure multi-party computations in accordance with various embodiments.
• a first contribution is a Fourier approximation of the sigmoid function.
• the first approach yields a superalgebraic convergence at best, whereas the second converges exponentially fast.
• the first one is numerically stable whereas the second one is not (under the standard Fourier basis).
• the sigmoid we show that one can achieve both properties at the same time.
• a second contribution is a Floating-point representation and masking.
• a typical approach to multi-party computation protocols with masking is to embed fixed-point values into finite groups and use uniform masking and secret sharing. Arithmetic circuits can then be evaluated using, e.g., precomputed multiplication numerical masking data and following Beaver's method [4]. This idea has been successfully used in [13] and [12]. Whereas the method works well on low multiplicative depth circuits like correlations or linear regression [17], in general, the required group size increases exponentially with the multiplicative depth. In [25], this exponential growth is mitigated by a two-party rounding solution, but the technique does not extend to three or more players where an overflow in the most significant bits can occur. In this work, we introduce an alternative sharing scheme, where fixed-point values are shared directly using (possibly multibit) floating points, and present a technique to reduce the share sizes after each multiplication. This technique easily extends to an arbitrary number of players.
• Masks and operations are aware of the type of vector or matrix dimensions and benefit from the vectorial nature of the high-level operations. For example, multiplying two matrices requires a single round of communication instead of up to 0(/i 3 ) for coefficient-wise approaches, depending on the batching quality of the compiler. Furthermore, masking is defined per immutable variable rather than per elementary operation, so a constant matrix is masked only once during the whole method. Combined with non-trivial local operations, these numerical masking data can be used to achieve much more than just ring additions or multiplications. In a nutshell, the amount of
• a fourth contribution is a new protocol for the honest but curious offline phase extendable to n players.
• the authors propose a very efficient method in the trusted dealer model; yet the execution time of the oblivious transfer protocol is quite slow.
• G is not compact, the condition can be relaxed to statistical or computational indistinguishability.
• a closely related notion is the one of group masking. Given a subset X of G, the goal of masking X is to find a distribution D over G such that the distributions of x»D for x G X are all indistinguishable. Indeed, such distribution can be used to create a secret share: one can sample ⁇ ⁇ - D, and give ⁇ _1 to a player and x ⁇ ⁇ to the other. Masking can also be used to evaluate non-linear operations in clear over masked data, as soon as the result can be privately unmasked via homomorphisms (as in, e.g., the Beaver's triplet multiplication technique [4]).
• the computed ⁇ , . . . , ⁇ ⁇ are the additive shares of ⁇ ( ⁇ , y).
• a given ⁇ can be used to mask only one variable, so one triplet (more generally, set of numerical masking data) must be precomputed for each multiplication during the offline phase (i.e. before the data is made available to the players).
• this abstract scheme allows to evaluate a product in a ring, but also a vectors dot product, a matrix- vector product, or a matrix-matrix product.
• a straightforward approach consists of implementing a full floating point arithmetic framework [6, 12], and to compile a data-oblivious method that evaluates the function over floats. This is for instance what Sharemind and SPDZ use. However, these two generic methods lead to prohibitive running times if the floating point function has to be evaluated millions of times.
• the leakage could be mitigated by translating and rescaling the variable x so that it falls in the range [1, 2). Yet, in general, the coefficients of the polynomials that approximate the translated function explode, thus causing serious numerical issues.
• Each class C(B, p) is finite, and contains 2 P+1 +1 numbers. They could be rescaled and stored as (p + 2)-bit integers. Alternatively, the number x G C(B, p) can also be represented by the floating point value x, provided that the floating point representation has at least p bits of mantissa. In this case, addition and multiplication of numbers across classes of the same numerical precision are natively mapped to floating-point arithmetic. The main arithmetic operations on these classes are:
• C(B, p, r) C(B + r, p + r) fits in floating point numbers of p + ⁇ - bits of mantissa, so they can be used to securely mask fixed point numbers with numerical precision p.
• all additive shares for C(B, p) will be taken in C(B, p, r).
• the whole trigonometric polynomial t can be evaluated in a single round of communication, given precomputed trigonometric polynomial or Fourier series masking data such as ([ ⁇ ] ⁇ , [[e M ]+, . . . , [[e "MP ]+) and thanks to the fact that x 0 ⁇ has been revealed. [0098] Also, we notice that to work with complex numbers of absolute value 1 makes the method numerically stable, compared to power functions in regular polynomials. It is for this reason that the evaluation of trigonometric polynomials is a better solution in our context.
• Figure 1 illustrates a graph of the odd-even periodic extension of the rescaled sigmoid.
• the Fourier series of the output function has only odd sinus terms: 0.5 + ⁇ 3 ⁇ 4n+i sin((2n + l)x).
• Figure 2 illustrates an asymptotic approximation of the sigmoid via Theorem 1.
• the discontinuity in the rescaled sigmoid function g(ccx)—— vanishes, and it gets exponentially close to an analytic periodic function, whose Fourier coefficients decrease geometrically fast.
• This method is numerically stable, and can evaluate the sigmoid with arbitrary precision in polynomial time.
• the figures presented in this section represent the communication channels between the players and the dealer in both the trusted dealer and the honest but curious models.
• Two types of communication channels are used: the private channels, that correspond in practice to SSL channels (generally ⁇ 20MB/s), and the public channels, corresponding in practice to TCP connections (generally from 100MB to lGB/s).
• private channels are represented with dashed lines, while public channels are represented with plain lines.
• FIG. 3 illustrates a schematic of the connections during the offline phase of the MPC protocols in accordance with one embodiment.
• the figure shows the communication channels in both the trusted dealer model (left) and in the honest but curious model (right) used during the offline phase.
• the dealer sends the numerical masking data to each player via a private channel.
• the players have access to a private broadcast channel, shared between all of them and each player shares an additional private channel with the dealer.
• the private channels are denoted with dashed lines.
• the figure represents 3 players, but each model can be extended to an arbitrary number n of players.
• the dealer is the only one generating all the precomputed data.
• the players collaborate for the generation of the numerical masking data. To do that, they need an additional private broadcast channel between them, that is not accessible to the dealer.
• FIG. 4 illustrates a schematic of the communication channels between players during the online phase in accordance with one embodiment.
• the figure shows the communication channels used during the online phase.
• the players send and receive masked values via a public broadcast channel (public channels are denoted with plain lines). Their number, limited to 3 in the example, can easily be extended to a generic number n of players.
• the online phase is the same in both the TD and the HBC models and the dealer is not present.
• the dealer evaluates the nonlinear parts in the numerical masking data generation, over the masked data produced by the players, then he distributes the masked shares.
• the mask is common to all players, and it is produced thanks to the private broadcast channel that they share.
• each player produces his numerical masking data by unmasking the precomputed data received from the dealer.
• the players then mask their secret shares with the common mask and send them to the dealer, who evaluates the non-linear parts (product in the first method and power in the second method).
• the dealer generates new additive shares for the result and sends these values back to each player via the private channel. This way, the players don't know each other's shares.
• the players who know the common mask, ca n independently unmask their secret shares, and obtain their final share of the numerical masking data, which is therefore unknown to the dealer.
• Each player P generates ⁇ , , b, , ⁇ , , ⁇ , (from the according distribution).
• Each player ⁇ , ⁇ sends to the dealer ⁇ , + ⁇ , and b, + ⁇ ,.
• Each player P generates ⁇ , , a, (from the according distribution).
• Each player P generates ⁇ , , a, (uniformly modulo 2 ⁇ ) 2: Each player P, broadcasts a, to all other players.
• a classification problem one is given a data set, also called a training set, that we will represent here by a matrix X E M ⁇ k ( ), and a training vector y E ⁇ 0, 1 ⁇ N .
• the data set consists of N input vectors of k features each, and the coordinate y, of the vector y corresponds to the class (0 or 1) to which the -th element of the data set belongs to.
• the goal is to determine a function he : L k -> ⁇ 0, 1 ⁇ that takes as input a vector x, containing k features, and which outputs he (x) predicting reasonably well y, the
• the overall goal is to determine a model ⁇ whose cost function is as close to 0 as possible.
• a common method to achieve this is the so called gradient descent which consists of constantly updating the model ⁇ as
• ⁇ : e - aVCx y (0), where C V [Q) is the gradient of the cost function and a > 0 is a constant called the learning rate.
• C V [Q) is the gradient of the cost function
• a > 0 is a constant called the learning rate.
• tuning this parameter requires either to reveal information on the data, or to have access to a public fake training set, which is not always feasible in private MPC computations. This step is often silently ignored in the literature.
• preprocessing techniques such as feature scaling, or orthogonalization techniques can improve the dataset, and allow to increase the learning rate significantly. But again, these techniques cannot easily be implemented when the input data is shared, and when correlation information should remain private.
• Model training method Train(X, y)
• the Hessian system (step 9) is masked by two (uniformly random) orthonormal matrices on the left and the right, and revealed, so the resolution can be done in plaintext. Although this method reveals the norm of the gradient (which is predictable anyway), it hides its direction entirely, which is enough to ensure that the final model remains private. Finally, since the input data is not necessarily feature-scaled, it is recommended to start from the zero position (step 2) and not a random position, because the first one is guaranteed to be in the IRLS convergence domain.
• the trusted dealer During the offline phase, the trusted dealer generates one random mask value for each immutable variable, and secret shares these masks. For all matrix-vector or matrix- matrix products between any two immutable variables U and V (coming from lines 1, 4, 6, 7 and 8 of the model-training method, above), the trusted dealer also generates a specific multiplication triplet using the masks ⁇ of U and A ⁇ of V. More precisely, it generates and distributes additive shares for Au ⁇ Ay as well as integer vectors/matrices of the same dimensions as the product for the share-reduction phase. These integer coefficients are taken modulo 256 for efficiency reasons.
• I n the results that are provided, we fixed the number of I RLS iterations to 8, which is enough to reach a perfect convergence for most datasets, and we experimentally verified that the MPC computation outputs the same model as the one with plaintext iterations.
• the total running time of the online phase ranges from 1 to 5 minutes.
• the communication time is insignificant compared to the whole running time, even with regular WAN bandwidth.
• Figure 6 shows the evolution of the cost function during the logistic regression as a function of the number of iterations, on a test dataset of 150000 samples, with 8 features and an acceptance rate of 0.5%.
• yellow is the standard gradient descent with optimal learning rate, in red, the gradient descent using the piecewise linear approximation of the sigmoid function (as in [25]), and in green, our MPC model (based on the IRLS method).
• the MPC IRLS method (as well as the plaintext IRLS) method converge in less than 8 iterations, against 500 iterations for the standard gradient method. As expected, the approx method does not reach the minimal cost.
• Figure 7 shows the evolution of the F-score during the same logistic regression as a function of the number of iterations.
• the standard gradient descent and our MPC produce the same model, with a limit F-score of 0.64.
• no positive samples are detected by the piecewise linear approximation, leading to a null F-score.
• the accuracy is nearly 100% from the first iteration.
• Cryptonets Applying neural networks to encrypted data with high throughput and accuracy.
• Cryptonets In Proceedings of the 33nd International Conference on Machine Learning, ICML 2016, New York City, NY, USA, June 19-24, 2016, pages 201-210, 2016.
• Polynomial and Fourier splines are pieceswise functions defined by either polynomials or Fourier series (trigonometric functions) that are helpful for approximating various functions in machine learning.
• [0162] Disclosed is a method for high-precision privacy-preserving function evaluation of such splines based on a hybrid multi-party computation solution.
• the method combines Fourier series and polynomial evaluation via secret sharing methods with checking bounds via garbled circuits.
• garbled automata via dualizing classical garbled circuits (where public functions are evaluating on secret inputs) into circuits where one evaluates secret functions on public inputs. This allows to speed up some of the evaluations in the garbled circuits setting, such as the comparison operator.
• Each logical gate (AN D or XOR) has two input wires (typically denoted by a and b) and an output wire (denoted by c).
• the garbler chooses labels kTM and (in ⁇ 0, l ⁇ k ) corresponding to the two possible values.
• Figure 8 illustrates an example truth table and a corresponding encrypted truth table (encryption table).
• One uses each row to symmetrically encrypt the corresponding label for the output wire using the two keys for the corresponding input wires.
• the garbler then randomly permutes the rows of the encryption table to obtain the garbled table which is sent to the evaluator (for each gate).
• each bit Ui or Vi has a private value in ⁇ 0, 1 ⁇ that should not be revealed to the other party.
• the evaluator In the evaluation phase, the evaluator, having received its keys K Vl , K Vz , . . . , K Vn (via OT) and the keys K Ul , K Uz , . . . , K Un of the garbler, begins to evaluate the Boolean circuit sequentially. Assuming that for a given gate, the evaluator has already determined the labels for the input wires K a and K b , the evaluator tries to decrypt with K a K b the entries in the corresponding garbled table until a successful decryption of K c - the label for the output wire.
• the evaluator can simply decrypt one row of the garbled table rather than all four. This is due to sorting the table based on a random select bit. See [8] for more details.
• Remark 1 The garbler chooses a global offset R (known only to the garbler), and valid throughout the whole circuit. The labels of the true and false logical value
• This optimization reduces the size of a garbled table from four rows to three rows.
• the label of the output wire is generated as a function of the input labels.
• the first row of the garbled table is generated so that it fully consists of 0s and does not need to be sent. See [9] for more details.
• the half-gates method reduces the size of garbled table from 3 rows after Row Reduction to 2 rows. This optimization applies to AN D gates.
• Figure 9 illustrates a table in which we give the garbling time, garbling size and the evaluation time for different garbling optimizations.
• Garbling and evaluation times are in number of hash (AES) per gate, and garbling size in number of 128-bit ciphertexts per gate. See [10] for more details.
• Sequential circuit garbling are circuits with traditional gates, a global clock and shift registers. Logical values in a wire are not constant, but vary between clock ticks: we ca n represent them as a sequence of values. Since clock and shift registers do not involve any secret, MPC and FHE circuits can natively handle them.
• circuits are more compact (the description is smaller), and only two consecutive time stamps need to be kept in memory at a given time during the evaluation (less memory). It does however NOT reduce the total running time, the OT transmissions, or the precomputed data size, compared to pure combinational circuits.
• M GC is a GC secret shared value.
• TD trusted dealer
• the garbler i.e., the garbler also generates the numerical masking data for the secret sharing
• computing parties are the evaluators.
• Figure 10 illustrates an example comparison circuit as follows:
• Input x known by the evaluator (possibly masked with a color only known to the garbler)
• Figure 11 illustrates and example secret addition circuit as follows:
• Input x known by the evaluator (possibly masked with a color only known to the garbler)
• each wire has two possible logical states (their truth value 0,1) and gates encode transitions between these states.
• F can be thought of as a Boolean gate in the classical garbled circuit sense and x and y can be thought of as private inputs.
• a function G operating on the revealed values a and b such that U F makes the diagram commutative.
• this function is only known to the garbler (who is the only party knowing the masks ⁇ , ⁇ and v. As such, it can be thought of as a secret function.
• Remark 2 Note that we do not require mask to be a uniformly random bijection between T> and !R. This is, e.g., the case of statistical masking described in [3].
• the garbler creates the garbled table as follows: the rows of the table are where a, b are enumerated in the order of the corresponding revealed sets (which we call the natural order).
• Figure 13 illustrates a schematic of a state machine that processes n letters.
• the state machine can be described as follows:
• the machine has a state qi E Q ⁇ .
• the domain Qi is public, but qi is usually private (meaning, it is known by neither the garbler, nor the evaluator).
• q Q is the initial state: it can be either public or private depending on the function we want to evaluate.
• the machine reads a letter from an alphabet ⁇ ⁇ .
• the alphabets ⁇ ⁇ are public and can be different for the different iterations. In our model, the letters are known to the evaluator but unknown to the garbler.
• the garbler can also define the garbled table T;.
• the garbler also picks masking values mask i ; - for all possible letters a ⁇ j E ⁇ it but this time without any privacy requirement on the ordering (the index j can publicly reveal the letter or even be equal to the letter).
• the garbler For each iteration i, for each letter a E ⁇ it the garbler encrypts the transition functions T .
• Q i ⁇ x ⁇ i ⁇ Qi consisting of a list of i Qi-J ciphertexts. More precisely, the garbler computes the garbled table defined as in Section 5.1.3 using the mask mask ⁇ . for Qi ! and mask v . for ⁇ ⁇ as well as the private function U T ..
• Labels can always be chosen so that the first ciphertext of each transition function (i.e. C it a, 0) is always 0 and does not need to be transmitted.
• the label of the last state is the result of the circuit. Depending whether the result should be private, masked or public, the mapping unmask can be provided by the garbler.
• the base-4 automata is even better than the traditional garbled circuit with all known optimizations (half gates, point-and-permute).
• DSL domain-specific programming language
• the privacy-preserving computing itself can be performed using the methods disclosed in section I above titled "High-Precision Privacy-Preserving Real-Valued Function Evaluation”.
• the DSL code can be compiled by a special-purpose compiler for multi-party computation into low-level virtual machine code that can be executed by multiple computing system nodes specific to distinct private data sources or parties.
• the programming language can support functions and function calls, for loops with bounded number of iterations (known at compile time) as well as conditional statements with public condition.
• the language can support scoped variables.
• variables can be typed and types can have certain type statistical parameters deduced from user input or by the compiler.
• the DSL code can include function definitions.
• One function definition can be an entry point (a void main ( ) function without arguments).
• the content of a function can be syntactically a tree of statements: block, public if-then-else, public bounded for, and other specific statements supported in MPC computing. Statements can have child statements, as well as other parameters. Certain statements are described below in accordance with one embodiment.
• a block is a list of child statements which are evaluated sequentially, both in the offline evaluation, and in the online evaluation. For example:
• a scoped variable is a variable declared in a statement, or at top level (global variable).
• a public if-then-else is parameterized by a scoped variable, and two child statements.
• a bounded for loop is parameterized by a scoped variable that iterates on a public integer range of N values, one child instruction, and a break condition.
• the child instruction is repeated N times in a sequence.
• the break condition is publicly evaluated to true, in which case, the for loop terminates. If the break condition is absent, it is false by default. For example: for i in range (0,10) ⁇
• An immutable corresponds to one particular occurrence of a scoped variable, at a certain point in time, in the offline execution.
• Each immutable gets a global sequential index.
• the special-purpose compiler resolves scoped variable to immutables.
• the compiler translates the DSL code into a tree of instructions and immutable declarations (a statement, e.g., a block, may contain more than one instruction or immutable declaration). This tree can then be converted into low-level virtual machine code that runs on each party computing system via the methods described in section I above titled "High-Precision Privacy-Preserving Real-Valued Function Evaluation”.
• the offline evaluation which runs through each instruction at least once
• the online evaluation which is a subset of the offline evaluation (see, e.g., "public if-then-else", below).
• Each execution of an instruction during the offline evaluation gets a global sequential index, the instruction index.
• a syntactical instruction can have multiple offline indices. Most offline indices are executed sequentially during the online phase, except during if-then-else or for loops, where a conditional jump can occur.
• variable The scope of the variable is the lifespan of the offline evaluation of the instruction in which the variable is defined. Each variable gets a global unique sequential index variableidx, as it appears during the offline evaluation.
• each variable must be declared before it is used, and the user has the option of specifying (partial) type information, for instance, if a variable is intended to contain a matrix, a vector or a number.
• the compiler Based on the information provided by the user, the compiler performs a full type deduction using a component known as statistical calculator. For function arguments or immediate declarations with their assignment, the user can provide just var or auto type, meaning that the compiler will do a full deduction.
• the compiler needs to use the deduced types to do function or operator to intrinsic resolution. Suppose, for example, that we have the following piece of code:
• the compiler needs to do type checking. This will be done after the abstract syntax tree (AST) has been built (during the time when variables are resolved to immutables and type checking has been done). At this stage, the compiler determines which operator "+" it needs to use based on the type of a and b, and deduced the full type of c.
• AST abstract syntax tree
• each block statement can have a designated blockid.
• each immutable gets a global sequential index - immutableidx.
• An immutable has a parameterized type (MPCType) that is determined at compile time. Once initialized, the logical value of an immutable is constant.
• an immutable is associated to at most one mask per masking type, and has therefore at most one masked value per masking type.
• the actual values (representations) of an immutable are lazily computed during the online evaluation, and are stored by each player in its own container. These vales can include, for example:
• x3 x2 * x2; where xl, x2, x3 are immutables all corresponding to the MPC variable x.
• /* xi, yi are the immutables corresponding to x and y
• x5 is an auxiliary immutable with the maximum of the parameters for x2 and x .
• x5 serves to synchronize the two blocks.
• x is associated with an occurrence of some immutable. Since each immutable is a parameterized MPCType, each xi will have specific parameters and masking data. Since x is local for neither the if, nor the then block, the immutables x2 and x4 need to be synchronized after the conditional block. This requires the compiler to create an extra auxiliary immutable x5 corresponding to x to which it will copy the result of either of the blocks.
• the condition is an immediate Boolean known by the compiler: in this case, the compiler generates either the then block, or the else block depending on the computed Boolean value.
• the condition depends on data that is not known at compile time.
• the compiler generates the code for both then and else block and synchronizes the immutable indexes between both blocks.
• the Boolean condition value is publicly revealed and the execution jumps either to the then or the else start.
• the compiler reveals only the Boolean value of the condition, not the intermediate steps to compute this Boolean: for instance, it the condition is y ⁇ 3, the comparison is evaluated in a privacy- preserving manner (y remains secret). If the value of y is not sensible, the user can gain performance by writing reveal(y) ⁇ 3, which publicly reveals the value of y and then performs a public comparison.
• the public condition cannot include side-effects, as its code of breakif is completely omitted if the compiler resolves the condition to an immediate.
• a public bounded MPC for loop is the following construct: for (i in range (0,10)) ⁇
• the breakif condition cannot include side-effects, as the code of break-if is completely omitted if the compiler resolves the condition to an immediate.
• the compiler generates the code for all executions in sequence, and tries to evaluate the breakif condition at all iterations. If one of the conditions is an immediate true, then a warning is issued saying that the for loop always breaks after the current iteration. If all conditions are immediate false (or if the breakif is absent), then the code of all blocks is generated in sequence. Else, the compiler generates the code for all accessible iterations and synchronizes each variable after each non-immediate condition. Just as in the case of public if-then-else constructs, here we also need to synchronize the variables according to how many times we have looped.
• Figure 14 illustrates a method for performing a compilation in accordance with one embodiment.
• the compiler first converts the DSL code into an intermediate representations performing various type checkings, substituting variables with immutables as well as resolving bounded for loops, public if- then-else, functions and function calls. There are two immediate representations:
• Immediate Representation 1 (IRl) and Immediate Representation 2 (IR2).
• the abstract syntax tree (AST) is converted into IRl by performing the first stage of the semantic analysis and type checking; yet, no variables are resolved to immutables at this stage. Here, partial types are determined, but full types are not yet verified (statistical type parameters are not yet computed at this stage).
• the representation IRl is then translated into IR2 by replacing variables with immutables, unrolling and synchronizing for loops, synchronizing if-then- else statements, unrolling function calls and most importantly, determining the full types by computing the statistical type parameters. The latter is achieved via user input parameters and/or the compiler's statistical calculator.
• the DSL grammar will include statements (these include blocks, if-then-else, bounded for, function bodies, assignments, etc.) as well as expressions. Unlike statements, expressions can be evaluated. Expressions include special ones, arithmetic expressions.
• the Intermediate Representation 1 is the intermediate language that is a result of partial semantic analysis of the DSL.
• the idea is that the semantic analysis is done in two phases: one before variable resolution and type parameter calculation (Semantic Phase 1; or SPl) and another one where variables are replaced by immutables, full types are determined by deducing the type parameters (Semantic Phase 2; or SP2).
• SPl variable resolution and type parameter calculation
• SP 2 type parameter calculation
• the main reason for separating the two phases is that IRl (the result of SPl) will be serializable and as such, one can define precompiled libraries in IRl. Anything beyond IR2 depends on the statistics of the input data and as such, cannot be precompiled (hence, the reason we separate the semantic analysis into SPl and SP2).
• IRl has its own abstract syntax tree (AST-IR1). At this point, variables are not yet replaced by immutables; yet, IRl achieves the following compiler properties and compiler checks:
• the Intermediate Representation 2 (IR2) is a compiled and unrolled program, almost in bijection with the final compiled program.
• IR2 Intermediate Representation 2
• all loops and function calls are unrolled, immediate constants are propagated throughout the execution and all variables are fully resolved as immutables whose types are fully qualified.
• triplets and masking data As a consequence, there is no function definition node anymore, and all function calls are expanded as a single tree (function calls are not leafs any more, but internal nodes). Possible errors reported to the user are:
• this representation includes:
• Immutables are also fully qualified, including:
• the method of compilation has the following phases:
• the lexical analyzer scans the source code and produces the lexemes (tokens). These are then passed to the parser to create the abstract syntax tree (AST) using a precise description of the rules for the DSL grammar. Categories of tokens can include, for example: identifiers, keywords, literals, operators, delimiters.
• the main method for SP1 performs a depth-first search (DFS) on the graph AST.
• DFS depth-first search
• the idea is that by DFS traversing AST one can determine the AST-IR1 nodes and populate the node contexts (see next section for the definition of those) for each of these nodes. This approach allows to detect undeclared variables or incompatible partial types, or to detect whether non-void functions return incompatible types.
• tmp2 foo (tmpl);
• This symbol table is only temporary and is used to generate the AST-IR1.
• the representation of this temporary table is associating a context to each node (node context).
• This context contains all declarations and slots corresponding to a given node.
• Each node of the AST-IR1 graph will have a node context including all variable declarations for this node as well as the (partial) type of the variable.
• In order to check whether a variable is declared we walk from that node to the root and check the environment of each node. It is the first occurrence of a declaration that takes priority. For example: void main ( ) ⁇
• variable r is defined in the block of the main function (nodel) and then is redefined in the child block (node2). There is then an assignment in the inner-most block (node3).
• the compiler will first check the context of the parent of node3, that is node2, and it will then detect that there is a declaration and an assignment of r. The slot corresponding to this declaration/assignment will already appear in the node context of node2 (because of the depth-first search method used to traverse AST).
• This semantic analysis phase is very specific to the method of privacy preserving computing.
• a resolved statement is a statement where function calls have been resolved (replaced by blocks), variables are replaced by immutables and variable bindings (maps from variables to immutables and backwards) have been populated.
• Resolved statements may be in a tree form whereas final compiled program is just a sequence of instructions.
• AST1 Abstract syntax tree produced directly from the DSL.
• AST2 Abstract syntax tree derived from AST1 where arithmetic expressions are MPC- optimized (initially, we assume that AST1 and AST2 are the same).
• AST-IR1 Abstract syntax tree corresponding to the Intermediate Language 1 (IL1) block: A basic statement used to define a scope
• scoped variable A variable visible to only a particular block (scope)
• SP1 Partial semantic analysis independent of type parameters and immutables
• SP2 semantic phase 2
• Components of the embodiments disclosed herein can be implemented by configuring one or more computers or computer systems using special purpose software embodied as instructions on a non-transitory computer readable medium.
• the one or more computers or computer systems can be or include standalone, client and/or server computers, which can be optionally networked through wired and/or wireless networks as a networked computer system.
• Figure 15 illustrates a general computer architecture 1500 that can be
• the computing architecture 1500 can include various common computing elements, such as a computer 1501, a network 1518, and one or more remote computers 1530.
• the embodiments disclosed herein, however, are not limited to implementation by the general computing architecture 1500.
• the computer 1501 can be any of a variety of general purpose computers such as, for example, a server, a desktop computer, a laptop computer, a tablet computer or a mobile computing device.
• the computer 1501 can include a processing unit 1502, a system memory 1504 and a system bus 1506.
• the processing unit 1502 can be any of various commercially available computer processors that can include one or more processing cores, which can operate independently of each other. Additional co-processing units, such as a graphics processing unit 1503, also can be present in the computer.
• the system memory 1504 can include volatile devices, such as dynamic random access memory (DRAM) or other random access memory devices.
• volatile devices such as dynamic random access memory (DRAM) or other random access memory devices.
• system memory 1504 can also or alternatively include non-volatile devices, such as a read-only memory or flash memory.
• the computer 1501 can include local non-volatile secondary storage 1508 such as a disk drive, solid state disk, or removable memory card.
• the local storage 1508 can include one or more removable and/or non-removable storage units.
• the local storage 1508 can be used to store an operating system that initiates and manages various applications that execute on the computer.
• the local storage 1508 can also be used to store special purpose software configured to implement the components of the embodiments disclosed herein and that can be executed as one or more applications under the operating system.
• the computer 1501 can also include communication device(s) 1512 through which the computer communicates with other devices, such as one or more remote computers 1530, over wired and/or wireless computer networks 1518.
• Communications device(s) 1512 can include, for example, a network interface for communicating data over a wired computer network.
• the communication device(s) 1512 can include, for example, one or more radio transmitters for communications over Wi-Fi, Bluetooth, and/or mobile telephone networks.
• the computer 1501 can also access network storage 1520 through the computer network 1518.
• the network storage can include, for example, a network attached storage device located on a local network, or cloud-based storage hosted at one or more remote data centers.
• the operating system and/or special purpose software can alternatively be stored in the network storage 1520.
• the computer 1501 can have various input device(s) 1514 such as a keyboard, mouse, touchscreen, camera, microphone, accelerometer, thermometer, magnetometer, or any other sensor.
• Output device(s) 1516 such as a display, speakers, printer, eccentric rotating mass vibration motor can also be included.
• the various storage 1508, communication device(s) 1512, output devices 1516 and input devices 1514 can be integrated within a housing of the computer, or can be connected through various input/output interface devices on the computer, in which case the reference numbers 1508, 1512, 1514 and 1516 can indicate either the interface for connection to a device or the device itself as the case may be.
• Any of the foregoing aspects may be embodied in one or more instances as a computer system, as a process performed by such a computer system, as any individual component of such a computer system, or as an article of manufacture including computer storage in which computer program instructions are stored and which, when processed by one or more computers, configure the one or more computers to provide such a computer system or any individual component of such a computer system.
• a server, computer server, a host or a client device can each be embodied as a computer or a computer system.
• a computer system may be practiced in distributed computing environments where operations are performed by multiple computers that are linked through a communications network. In a distributed computing environment, computer programs can be located in both local and remote computer storage media.
• Each component of a computer system such as described herein, and which operates on one or more computers, can be implemented using the one or more processing units of the computer and one or more computer programs processed by the one or more processing units.
• a computer program includes computer-executable instructions and/or computer-interpreted instructions, such as program modules, which instructions are processed by one or more processing units in the computer.
• such instructions define routines, programs, objects, components, data structures, and so on, that, when processed by a processing unit, instruct the processing unit to perform operations on data or configure the processor or computer to implement various components or data structures.
• Components of the embodiments disclosed herein can be implemented in hardware, such as by using special purpose hardware logic components, by configuring general purpose computing resources using special purpose software, or by a combination of special purpose hardware and configured general purpose computing resources.
• Illustrative types of hardware logic components include, for example, Field-programmable Gate Arrays (FPGAs), Application-specific Integrated Circuits (ASICs), Application-specific Standard Products (ASSPs), System-on-a-chip systems (SOCs), and Complex Programmable Logic Devices (CPLDs).
• FPGAs Field-programmable Gate Arrays
• ASICs Application-specific Integrated Circuits
• ASSPs Application-specific Standard Products
• SOCs System-on-a-chip systems
• CPLDs Complex Programmable Logic Devices
• the term "based upon” shall include situations in which a factor is taken into account directly and/or indirectly, and possibly in conjunction with other factors, in producing a result or effect.
• a portion shall include greater than none and up to the whole of a thing; encryption of a thing shall include encryption of a portion of the thing.
• any reference characters are used for convenience of description only, and do not indicate a particular order for performing a method.

Landscapes

• Engineering & Computer Science (AREA)
• Physics & Mathematics (AREA)
• General Physics & Mathematics (AREA)
• Theoretical Computer Science (AREA)
• Mathematical Physics (AREA)
• Data Mining & Analysis (AREA)
• Software Systems (AREA)
• General Engineering & Computer Science (AREA)
• Mathematical Optimization (AREA)
• Mathematical Analysis (AREA)
• Computational Mathematics (AREA)
• Pure & Applied Mathematics (AREA)
• Computing Systems (AREA)
• Signal Processing (AREA)
• Computer Networks & Wireless Communication (AREA)
• Computer Security & Cryptography (AREA)
• Artificial Intelligence (AREA)
• Life Sciences & Earth Sciences (AREA)
• General Health & Medical Sciences (AREA)
• Evolutionary Computation (AREA)
• Computational Linguistics (AREA)
• Biophysics (AREA)
• Biomedical Technology (AREA)
• Molecular Biology (AREA)
• Health & Medical Sciences (AREA)
• Algebra (AREA)
• Databases & Information Systems (AREA)
• Discrete Mathematics (AREA)
• Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
• Complex Calculations (AREA)
• Storage Device Security (AREA)

Priority Applications (10)

Applications Claiming Priority (8)

Related Child Applications (2)

Publications (3)

Family

ID=63678682

Family Applications (1)

Country Status (9)

Cited By (20)

Families Citing this family (72)

Family Cites Families (60)

• 2018
  • 2018-08-30 KR KR1020207008986A patent/KR102667837B1/ko active Active
  • 2018-08-30 SG SG11202001591UA patent/SG11202001591UA/en unknown
  • 2018-08-30 EP EP18773904.0A patent/EP3676985B1/en active Active
  • 2018-08-30 US US16/643,833 patent/US20200304293A1/en not_active Abandoned
  • 2018-08-30 CN CN201880064100.7A patent/CN111543025A/zh active Pending
  • 2018-08-30 WO PCT/US2018/048963 patent/WO2019046651A2/en not_active Ceased
  • 2018-08-30 JP JP2020534803A patent/JP7272363B2/ja active Active
  • 2018-08-30 CA CA3072638A patent/CA3072638A1/en active Pending
• 2020
  • 2020-02-20 IL IL272824A patent/IL272824B/en unknown
  • 2020-07-23 US US16/937,310 patent/US10917235B2/en not_active Expired - Fee Related
• 2021
  • 2021-02-08 US US17/170,724 patent/US11539515B2/en active Active

Non-Patent Citations (39)

Also Published As

Similar Documents

Legal Events