Secure merge with O(n log log n) secure operation

Data-oblivious algorithms are a key component of many secure computation protocols. In this work, we show that advances in secure multiparty shuffling algorithms can be used to increase the efficiency of several key cryptographic tools. The key observation is that many secure computation protocols rely heavily on secure shuffles. The best data-oblivious shuffling algorithms require O(n log n) operations, but in the two-party or multiparty setting, secure shuffling can be achieved with only O(n) communication. Leveraging the efficiency of secure multiparty shuffling, we give novel algorithms that improve the efficiency of securely sorting sparse lists, secure stable compaction, and securely merging two sorted lists. Securely sorting private lists is a key component of many larger secure computation protocols. The best data-oblivious sorting algorithms for sorting a list of n elements require O(n log n) comparisons. Using black-box access to a linear-communication secure shuffle, we give a secure algorithm for sorting a list of length n with t nonzero elements with communication O(t log n + n), which beats the best oblivious algorithms when the number of nonzero elements, t, satisfies t < n / log n. Secure compaction is the problem of removing dummy elements from a list, and is essentially equivalent to sorting on 1-bit keys. The best oblivious compaction algorithms run in O(n) time, but they are unstable, i.e., the order of the remaining elements is not preserved. Using black-box access to a linear-communication secure shuffle, we give a stable compaction algorithm with only O(n) communication. Our main result is a novel secure merge protocol. The best previous algorithms for securely merging two sorted lists into a sorted whole required O(n log n) secure operations. Using black-box access to an O(n)-communication secure shuffle, we give the first secure merge algorithm that requires only O(n log log n) communication.
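As an added illustration (not code from the paper), the following Python simulates in the clear one natural way a black-box linear-communication shuffle yields stable compaction, i.e. a stable sort on a 1-bit key: tag each element with its destination via a prefix sum, shuffle the (element, tag) pairs, open the tags, and move elements publicly. The prefix sum and the shuffle stand in for their MPC counterparts, and the sample input is constructed.

```python
import random


def stable_sort_by_bit(items, is_real, rng=random.SystemRandom()):
    """Shuffle-then-reveal stable sort on a 1-bit key, simulated in the clear.

    Real elements (is_real[i] == 1) move to the front in their original order and
    dummies follow in theirs, so the first sum(is_real) outputs are the compacted list.
    Returns (sorted_items, opened_tags) so a caller can inspect what an observer of
    the opened tags would actually learn.
    """
    n = len(items)
    assert len(is_real) == n and all(b in (0, 1) for b in is_real)
    num_real = sum(is_real)

    # Step 1 (linear work; under MPC a prefix sum over shared bits): a real element's
    # destination is the number of real elements before it. Dummies take the remaining
    # indices num_real, num_real+1, ... in input order, so every tag is distinct and
    # the tag multiset is always {0, ..., n-1}.
    tags, seen_real, seen_dummy = [], 0, 0
    for bit in is_real:
        if bit:
            tags.append(seen_real)
            seen_real += 1
        else:
            tags.append(num_real + seen_dummy)
            seen_dummy += 1

    # Step 2: the black-box secure shuffle (O(n) communication in the MPC setting).
    pairs = list(zip(items, tags))
    rng.shuffle(pairs)

    # Step 3: open the tags. Because the shuffle is uniform and the tag multiset is
    # input-independent, the opened sequence is a uniformly random permutation of
    # 0..n-1 whatever the flag pattern was, so opening leaks nothing about which
    # inputs were real. Each element is then moved to its public destination.
    opened = [t for _, t in pairs]
    out = [None] * n
    for item, t in pairs:
        out[t] = item
    return out, opened


def stable_compact(items, is_real):
    """Stable compaction: the real elements, original order preserved."""
    out, _ = stable_sort_by_bit(items, is_real)
    return out[:sum(is_real)]


if __name__ == "__main__":
    items = ["a", "b", "c", "d", "e", "f"]   # constructed sample input
    is_real = [1, 0, 1, 1, 0, 1]             # "b" and "e" are dummies
    print(stable_compact(items, is_real))    # ['a', 'c', 'd', 'f']
```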
Our algorithm takes as input n secret-shared values, and outputs a secret-sharing of the sorted list. All our algorithms are generic, i.e., they can be implemented using generic secure computation techniques and require only black-box access to a secure shuffle. Our techniques extend naturally to the multiparty setting (with a constant number of parties) as well as to handling malicious adversaries without changing the asymptotic efficiency. These algorithms have applications to securely computing database joins and order statistics on private data as well as multiparty Oblivious RAM protocols.

Patent pending.
fbrett@cis.upenn.edu. Work done while consulting for Stealth Software Technologies, Inc.
rafail@cs.ucla.edu. Work done while consulting for Stealth Software Technologies, Inc.
