Efficient and Scalable Universal Circuits

Abstract: A universal circuit (UC) can be programmed to simulate any circuit up to a given size n by specifying its program inputs. It provides elegant solutions in various application scenarios, e.g., for private function evaluation (PFE) and for improving the flexibility of attribute-based encryption schemes. The asymptotic lower bound for the size of a UC is (n log n), and Valiant (STOC'76) provided two theoretical constructions, the so-called 2-way and 4-way UCs (i.e., recursive constructions with 2 and 4 substructu… Show more

“…, m n−1 ) and a client/receiver inputs an index i. The client learns only m i and the server learns nothing about i. n 1 -OT can be done by using log n 2 1 -OT [35], [25]. OT extension [20], [5] "extends" a small number of base OT's requiring public-key operations to a larger number of OT's by using symmetric-key operations.…”

“…Our protocols only embed a GC-based secure comparison and a 2 1 -OT in the COT. The 2 1 -OT can be run in parallel with the GC.…”

“…The computation cost for the client/server is n/1 hash function. A COT requires a GC with t AND-gates, one 2 1 -OT with output length λ, transmissions of two λ-bit hash values, and two (λ + 1)-bit encrypted messages. The communication cost of GC with t AND-gates and OT with output length λ is 7tλ bits and 2λ bits, respectively.…”

“…According to Definition 2, the server should learn nothing about the client's attribute vector, and the client should learn nothing about the server's decision tree except the classification result. Unlike [28], [34], [2], we do not hide the fact that a decision tree evaluation is going on.…”

“…Privacy-preserving inference protects the privacy of both the client and the model owner. While generic cryptographic tools exist (e.g., [28], [34], [2]), classifier-specific solutions can be more efficient. We focus on the decision-tree classifier [9], which is widely used [24], e.g., for spam detection, multimedia protocol tunneling, and content classification.…”

Let’s Stride Blindfolded in a Forest: Sublinear Multi-Client Decision Trees Evaluation

“…, m n−1 ) and a client/receiver inputs an index i. The client learns only m i and the server learns nothing about i. n 1 -OT can be done by using log n 2 1 -OT [35], [25]. OT extension [20], [5] "extends" a small number of base OT's requiring public-key operations to a larger number of OT's by using symmetric-key operations.…”

“…Our protocols only embed a GC-based secure comparison and a 2 1 -OT in the COT. The 2 1 -OT can be run in parallel with the GC.…”

“…The computation cost for the client/server is n/1 hash function. A COT requires a GC with t AND-gates, one 2 1 -OT with output length λ, transmissions of two λ-bit hash values, and two (λ + 1)-bit encrypted messages. The communication cost of GC with t AND-gates and OT with output length λ is 7tλ bits and 2λ bits, respectively.…”

“…According to Definition 2, the server should learn nothing about the client's attribute vector, and the client should learn nothing about the server's decision tree except the classification result. Unlike [28], [34], [2], we do not hide the fact that a decision tree evaluation is going on.…”

“…Privacy-preserving inference protects the privacy of both the client and the model owner. While generic cryptographic tools exist (e.g., [28], [34], [2]), classifier-specific solutions can be more efficient. We focus on the decision-tree classifier [9], which is widely used [24], e.g., for spam detection, multimedia protocol tunneling, and content classification.…”

Let’s Stride Blindfolded in a Forest: Sublinear Multi-Client Decision Trees Evaluation

Linear-Complexity Private Function Evaluation is Practical

$$\textsf {LogStack}$$: Stacked Garbling with $$O(b \log b)$$ Computation