Oblivious random permutation

The procedure

This is the main building block of the oblivious sort. We briefly describe here the recent construction of Peeter Laud; it specifically requires SPDZ, so it might need to be replaced in case one wants to use different sharing scheme.

For each pair of parties i,ji, j, we need to precompute the following data Xi,XjX_i, X_j for each party:

  1. The party ii picks a permutation π\pi. Honest parties are assumed to pick it uniformly at random.
  2. Pick a pair of random vectors xˉ,yˉRFm\bar x, \bar y \in_R \mathbb{F}^m. Set zˉ=π(xˉ)yˉ\bar z = \pi(\bar x) - \bar y.
  3. Set Xi=(π,zˉ)X_i = (\pi, \bar z), Xj=(xˉ,yˉ)X_j = (\bar x, \bar y).

In practice, this can be done in the offline phase in a few different ways.

Then, this precomputed data can be used to construct from a vector aˉj=(a1,...,am)j\bar a_j = (a_1, ..., a_m)_j belonging to the jj-th party a permuted vector [π(aˉ)]ij=([aπ(1)],...,[aπ(m)])ij[\pi(\bar a)]_{ij} = ([a_{\pi(1)}], ..., [a_{\pi(m)}])_{ij} shared between ii and jj in a following way:

  1. jj sends to ii the vector aˉ=aˉ+xˉ\bar a' = \bar a + \bar x
  2. jj sets π(aˉ)j=yˉ\pi (\bar a)_j = -\bar y
  3. ii sets π(aˉ)i=π(aˉ)zˉ\pi(\bar a)_i = \pi(\bar a') - \bar z

Now, the oblivious random permutation protocol of a shared value [aˉ][\bar a] is the following:

Repeat for each party ii: Permute with πi\pi_i each of the shares aˉj\bar a_j, setting the new shares value aˉj:=yˉij\bar a_j := -\bar y_{ij}; set ii-th share to be the sum of discrepancies: aˉi:=j=1;jin[aˉij]\bar a_i :=\overset{n}{\underset{j = 1; j \neq i}\sum}[\bar a'_{ij}].

This requires nn rounds and total O(n2m)O(n^2 m) communication.

Active security

The protocol above is passively secure. The active check can be made post-factum: to check that a pair of vectors aˉ,bˉ\bar a, \bar b are permutations of each other, we sample a random value tt and check 1ait=1bit\sum \frac{1}{a_i - t} = \sum \frac{1}{b_i - t}.

Offline phase

Offline phase can be done in various ways. We are currently planning to use butterfly network to apply a permutation π\pi to a shared value [x][x] in the offline phase, but other approaches are also possible (mixnet approach might outperform butterfly network for large mm), this is largely TBD.

results matching ""

    No results matching ""