TY - GEN
T1 - PFE
T2 - 19th International Conference on Information Security and Cryptology, Inscrypt 2023
AU - Jia, Hanyu
AU - Li, Xiangxue
N1 - Publisher Copyright:
© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2024.
PY - 2024
Y1 - 2024
N2 - We consider the private function evaluation (PFE) problem in the malicious adversary model. Current state-of-the-art in PFE based on Valiant’s universal circuits (Liu, Yu, etc., CRYPTO 2021) seems to reach a theoretical optimum (13g·logg) (g is the number of the gates in the circuit), but still does not avoid the logarithmic factor in circuit size. In constructing PFE with linear active security, one essential building block is to prove the correctness of an extended permutation (EP, Mohassel and Sadeghian at EUROCRYPT 2013) by a zero-knowledge (ZK) protocol with linear complexity. Mohassel, Sadeghian, and Smart (ASIACRYPT 2014) presented a three-phase instantiation ZKEP, which is supposed to validate that the function owner has done his local computation in the right way. In particular, ZKEP consists of a dummy placement phase, a replication phase, and a permutation phase, and each of the phases is of size 2g. The overhead required by ZKEP thus seems really heavy, reducing its practicability. We present in this paper a novel and efficient framework ZKDS for proving the correct EP. We show that double shuffles (DS) suffice in ZKDS: one shuffle is of size u+g-o (u is the number of input wires in the circuit and o the number of output wires, and we have generally g≫u,u≈o), another is of size 2g, and no replication phase is required. The verifier generates the randomness for the first shuffle whose outputs determine the outgoing wires. The second shuffle reuses and extends the randomness and determines the incoming wires. Besides its linear complexity and succinct double-shuffle structure, ZKDS reduces the communication overhead by more than 50% (including the ciphertexts and corresponding proofs), compared to ZKEP. From ZKDS, we can build an actively secure online/offline PFE framework with linear complexity. The online phase could be instantiated by any well-studied secure function evaluation (SFE) with linear active security (e.g., Tiny-OT at CRYPTO 2012). The offline phase depends only on the function and uses ZKDS to prove the EP relationship between u+g-o outgoing wires and 2g incoming wires in the topological circuit Cf derived from the private function f. The design pushes actively secure PFE to be more compact in practice.
AB - We consider the private function evaluation (PFE) problem in the malicious adversary model. Current state-of-the-art in PFE based on Valiant’s universal circuits (Liu, Yu, etc., CRYPTO 2021) seems to reach a theoretical optimum (13g·logg) (g is the number of the gates in the circuit), but still does not avoid the logarithmic factor in circuit size. In constructing PFE with linear active security, one essential building block is to prove the correctness of an extended permutation (EP, Mohassel and Sadeghian at EUROCRYPT 2013) by a zero-knowledge (ZK) protocol with linear complexity. Mohassel, Sadeghian, and Smart (ASIACRYPT 2014) presented a three-phase instantiation ZKEP, which is supposed to validate that the function owner has done his local computation in the right way. In particular, ZKEP consists of a dummy placement phase, a replication phase, and a permutation phase, and each of the phases is of size 2g. The overhead required by ZKEP thus seems really heavy, reducing its practicability. We present in this paper a novel and efficient framework ZKDS for proving the correct EP. We show that double shuffles (DS) suffice in ZKDS: one shuffle is of size u+g-o (u is the number of input wires in the circuit and o the number of output wires, and we have generally g≫u,u≈o), another is of size 2g, and no replication phase is required. The verifier generates the randomness for the first shuffle whose outputs determine the outgoing wires. The second shuffle reuses and extends the randomness and determines the incoming wires. Besides its linear complexity and succinct double-shuffle structure, ZKDS reduces the communication overhead by more than 50% (including the ciphertexts and corresponding proofs), compared to ZKEP. From ZKDS, we can build an actively secure online/offline PFE framework with linear complexity. The online phase could be instantiated by any well-studied secure function evaluation (SFE) with linear active security (e.g., Tiny-OT at CRYPTO 2012). The offline phase depends only on the function and uses ZKDS to prove the EP relationship between u+g-o outgoing wires and 2g incoming wires in the topological circuit Cf derived from the private function f. The design pushes actively secure PFE to be more compact in practice.
KW - Active Security
KW - Extended Permutation
KW - Private Function Evaluation
KW - Shuffle
KW - Zero-Knowledge Proof
UR - https://www.scopus.com/pages/publications/85187717155
U2 - 10.1007/978-981-97-0942-7_12
DO - 10.1007/978-981-97-0942-7_12
M3 - 会议稿件
AN - SCOPUS:85187717155
SN - 9789819709410
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 227
EP - 252
BT - Information Security and Cryptology - 19th International Conference, Inscrypt 2023, Revised Selected Papers
A2 - Ge, Chunpeng
A2 - Yung, Moti
PB - Springer Science and Business Media Deutschland GmbH
Y2 - 9 December 2023 through 10 December 2023
ER -