#
Supporting Privacy of Computations in Mobile Big Data Systems^{ †}

^{1}

^{2}

^{3}

^{*}

^{†}

## Abstract

**:**

## 1. Introduction

## 2. A High-Level Overview of Our System

#### 2.1. Our Adversarial Model

#### 2.2. Main Characteristics of Our System

- Offloaded Computation: The client delegates the intensive computational tasks to the cloud servers of creating and evaluating the garbled circuit. The client only chooses the cloud servers, provides them with unique seed values, generates garbled inputs during evaluation, and interprets garbled outputs returned by the evaluator.
- Compact Cipher Text: While Gentry’s scheme has an extremely large cipher text size, the cipher text size can be as small as a few hundred bits with our scheme (Section 5.6). Thus, our proposed method is far more practical for cloud computing in mobile systems in comparison to FHE schemes.
- Decoupling: The process of creating the garbled circuit is decoupled from the process of evaluating the garbled circuit. While the servers, ${p}_{i}\phantom{\rule{3.33333pt}{0ex}}(1\le i\le n)$, interact with one another for creating the garbled circuit, the server ${p}_{e}$ evaluates the garbled circuit, independently.
- Advance Construction: Since evaluation of the garbled circuit requires no interaction among the servers, if several versions of the garbled circuit for a given computation are precomputed and stored at the evaluator, in advance, then it can readily carry out the requested computation. Thus, the client will only incur the relatively short time taken to evaluate the garbled circuit. In other words, precomputation will drastically improve the response time for the client.
- Collusion Resistance: To interpret any garbled value, the evaluator, ${p}_{e}$, must collude with each of the n servers, ${p}_{i}\phantom{\rule{3.33333pt}{0ex}}(1\le i\le n)$. Thus, even if $(n-1)$ out of the n servers are corrupt and collude with the evaluator, the privacy of the client’s inputs and the result of the computation are still preserved.
- Verification of Outputs: The client has the ability to verify that the evaluator actually carried out the requested computation.

## 3. Background

#### 3.1. Yao’s Garbled Circuit

#### 3.2. 1-Out-Of-2 Oblivious Transfer

#### 3.3. 1-Out-Of-4 Oblivious Transfer

## 4. Secure and Verifiable Cloud Computing for Mobile Systems

#### 4.1. Construction and Evaluation of Garbled Circuits

#### 4.1.1. Construction of the Garbled Circuit, $GC$

#### 4.1.2. Secure Multiparty Computation of an Entry, ${A}_{ab}$

#### 4.1.3. Evaluation of the Garbled Circuit, $GC$

- split the most significant $nk$ bits of α into n parts, ${\alpha}_{1},\phantom{\rule{3.33333pt}{0ex}}{\alpha}_{2},\phantom{\rule{3.33333pt}{0ex}}{\alpha}_{3},\phantom{\rule{3.33333pt}{0ex}}\dots ,\phantom{\rule{3.33333pt}{0ex}}{\alpha}_{n}$; each part has k bits; similarly, split the most significant $nk$ bits of β into n parts, ${\beta}_{1},\phantom{\rule{3.33333pt}{0ex}}{\beta}_{2},\phantom{\rule{3.33333pt}{0ex}}{\beta}_{3},\phantom{\rule{3.33333pt}{0ex}}\dots ,\phantom{\rule{3.33333pt}{0ex}}{\beta}_{n}$; each part has k bits; i.e., $|{\alpha}_{i}|=|{\beta}_{i}|=k$, where $1\le i\le n$.
- compute $\gamma =[{G}_{b}\left({\alpha}_{1}\right)\oplus {G}_{b}\left({\alpha}_{2}\right)\oplus \dots \oplus {G}_{b}\left({\alpha}_{n}\right)]\oplus [{G}_{a}\left({\beta}_{1}\right)\oplus {G}_{a}\left({\beta}_{2}\right)\oplus \dots \oplus {G}_{a}\left({\beta}_{n}\right)]\oplus {A}_{ab}$.

#### 4.2. Secure and Verifiable Cloud Computing through Secure Multiparty Computation

#### 4.3. Recovery and Verification of Outputs

- How does the client efficiently recover the result of the computation without carrying out the delegated computations by itself?
- How does the client verify that the evaluator, in fact, evaluated the garbled circuit? Stated differently, is it possible for the client to determine whether the evaluator returned arbitrary numbers without carrying out any computation at all, instead of the actual garbled output for each output wire?

#### 4.4. Summary of Our Proposed System

- The client chooses $\{{p}_{1},{p}_{2},\dots ,{p}_{n},{p}_{c},{p}_{e}\}$, a set of $(n+2)$ servers in the cloud. Then, to each server ${p}_{i}\phantom{\rule{3.33333pt}{0ex}}(1\le i\le n)$, the client provides a unique seed value ${s}_{i}$, and a description of the desired computation. To each pair of servers, $({p}_{i},{p}_{k}),(1\le i,k\le n)$, the client also provides another seed value ${s}_{ik}$.
- For the requested computation, each server, ${p}_{i}\phantom{\rule{3.33333pt}{0ex}}(1\le i\le n)$, creates (or retrieves from its repository, if available already) a corresponding Boolean circuit (B).
- Using the pseudo random generator of Blum, Blum, Shub, each server, ${p}_{i}\phantom{\rule{3.33333pt}{0ex}}(1\le i\le n)$, uses the seed value ${s}_{i}$ to generate its shares for the pair of garbled values and a λ value for each wire in the circuit (B). Each server, ${p}_{i}$, generates a pseudorandom bit sequence of length $W(2k+1)$ bits using seed value ${s}_{i}$; here W denotes the number of wires in the Boolean circuit (B).
- The client instructs the n servers ${p}_{i}\phantom{\rule{3.33333pt}{0ex}}(1\le i\le n)$ to construct the shares ($G{C}_{i}$) of a BMR garbled circuit, $GC$, using their shares as private inputs for the secure multiparty computation protocol of Goldreich. Each pair of servers, $({p}_{i},{p}_{k}),(1\le i,k\le n)$, generates pseudorandom bits using pairwise seed values ${s}_{ik}$ while using the protocol of Goldreich. Let ${A}_{i}={\left({A}_{00}\right)}_{i}\left|\right|{\left({A}_{01}\right)}_{i}\left|\right|{\left({A}_{10}\right)}_{i}\left|\right|{\left({A}_{11}\right)}_{i}$ denote the shares of server ${p}_{i}$ corresponding to the four garbled table entries of gate A. Then, $G{C}_{i}$ equals the concatenation of all bit strings of the form ${A}_{i}$, where the concatenation operation is carried out over all the gates in the circuit.
- The client instructs each of the n servers, ${p}_{i}\phantom{\rule{3.33333pt}{0ex}}(1\le i\le n)$ to send their shares $G{C}_{i}$ to the server ${p}_{c}$. Performing only XOR operations, the server ${p}_{c}$ creates the desired circuit, $GC=G{C}_{1}\oplus G{C}_{2}\oplus \dots \oplus G{C}_{n}$, which is sent to server ${p}_{e}$ for evaluation.
- The client generates garbled input values for each input wire in the circuit using the unique seed values ${s}_{i}\phantom{\rule{3.33333pt}{0ex}}(1\le i\le n)$, and sends them to the server ${p}_{e}$ for evaluation. The client also generates the λ values and the two possible garbled values for each output wire in the circuit using these seed values, and keeps the λ values as secret.
- The server ${p}_{e}$ evaluates $GC$ using the garbled inputs to obtain the garbled output for every output wire in the circuit and sends them to the client. The client now translates these garbled values into plaintext bits, using the λ values, to recover the result of the requested computation.
- For each output wire in the circuit, the client checks whether the garbled output that is received from the evaluator, ${p}_{e}$, matches with one of the two expected garbled values that it computed on its own. If the client determines that there is a match for all output wires, it declares that the evaluator in fact carried out the computation.

## 5. Complexity

#### 5.1. Circuit Size of One Garbled Table Entry

#### 5.2. Communication Cost to Compute One Garbled Table Entry

#### 5.3. Computation Cost of Creating the Garbled Circuit

#### 5.4. Cost of Evaluating the Garbled Circuit

#### 5.5. Cost for the Client

#### 5.6. Comparison of Our Scheme with Gentry’s FHE Scheme

#### 5.7. Construction and Evaluation Time

## 6. Privacy Preserving Search for the Nearest Bank/ATM

#### 6.1. Circuit for Computing Manhattan Distance

#### 6.2. Circuit for Computing the Nearest ATM

#### 6.3. Server-Side and Client-Side Cost

## 7. Related Work

## 8. Concluding Remarks

## Acknowledgments

## Author Contributions

## Conflicts of Interest

## References

- Armbrust, M.; Fox, A.; Griffith, R.; Joseph, A.D.; Katz, R.; Konwinski, A.; Lee, G.; Patterson, D.; Rabkin, A.; Stoica, I.; Zaharia, M. A view of cloud computing. Commun. ACM
**2010**, 53, 50–58. [Google Scholar] [CrossRef] - Rivest, R.L.; Adleman, L.; Dertouzos, M.L. On data banks and privacy homomorphisms. Found. Secur. Comput.
**1978**, 4, 169–180. [Google Scholar] - Gentry, C. Computing arbitrary functions of encrypted data. Commun. ACM
**2010**, 53, 97–105. [Google Scholar] [CrossRef] - Brakerski, Z.; Vaikuntanathan, V. Efficient fully homomorphic encryption from (standard) LWE. In IEEE 52Nd Annual Symposium on Foundations of Computer Science; IEEE Computer Society: Washington, DC, USA, 2011; pp. 97–106. [Google Scholar]
- Zhang, X.; Xu, C.; Jin, C.; Xie, R.; Zhao, J. Efficient fully homomorphic encryption from {RLWE} with an extension to a threshold encryption scheme. Future Gener. Comput. Syst.
**2014**, 36, 180–186. [Google Scholar] [CrossRef] - Yao, A.C. Protocols for secure computations. In Proceedings of the 23rd Annual Symposium on Foundations of Computer Science, SFCS ’08, Chicago, IL, USA, 3–5 November 1982.
- Yao, A.C.-C. How to generate and exchange secrets. In Proceedings of the 27th Annual Symposium on Foundations of Computer Science, Toronto, ON, Canada, 27–29 October 1986.
- Goldreich, O. Foundations of Cryptography: Volume 2, Basic Applications; Cambridge University Press: Cambridge, UK, 2004. [Google Scholar]
- Goldreich, O.; Micali, S.; Wigderson, A. How to play ANY mental game. In Proceedings of the Nineteenth Annual ACM Symposium on Theory of Computing, New York, NY, USA, 25–27 May 1987; pp. 218–229.
- Premnath, S.N.; Haas, Z.J. A Practical, Secure, and Verifiable Cloud Computing for Mobile Systems. In Proceedings of the 9th International Conference on Future Networks and Communications (FNC’14)/The 11th International Conference on Mobile Systems and Pervasive Computing (MobiSPC’14)/Affiliated Workshops, Niagara Falls, Canada, 17–20 August 2014; Series Procedia Computer Science. Volume 34, pp. 474–483.
- Beaver, D.; Micali, S.; Rogaway, P. The round complexity of secure protocols. In Proceedings of the Twenty-Second Annual ACM Symposium on Theory of Computing, Baltimore, MD, USA, 13–17 May 1990; pp. 503–513.
- Rogaway, P. The Round Complexity of Secure Protocols. Ph.D. Thesis, Massachusetts Institute of Technology, Cambridge, MA, USA, 22 April 1991. [Google Scholar]
- Blum, L.; Blum, M.; Shub, M. A simple unpredictable pseudo random number generator. SIAM J. Comput.
**1986**, 15, 364–383. [Google Scholar] [CrossRef] - Schneier, B. Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd ed.; John Wiley & Sons, Inc.: Hoboken, NJ, USA, 1995. [Google Scholar]
- Naor, M.; Pinkas, B. Efficient oblivious transfer protocols. In Proceedings of the Twelfth Annual ACM-SIAM Symposium on Discrete Algorithms, Washington, DC, USA, 7–9 January 2001; pp. 448–457.
- Naor, M.; Pinkas, B. Computationally secure oblivious transfer. J. Cryptol.
**2005**, 18, 1–35. [Google Scholar] [CrossRef] - Barker, E.; Barker, W.; Burr, W.; Polk, W.; Smid, M. Recommendation for key management—Part 1: General (Revision 3). NIST Spec. Publ.
**2012**, 700–857. Available online: http://www.amazon.com/Recommendation-Key-Management-General-Revision/dp/1499160224 (accessed on 5 May 2016). [Google Scholar] - Tillich, S.; Smart, N. Circuits of Basic Functions Suitable For MPC and FHE. Available online: http://www.cs.bris.ac.uk/Research /CryptographySecurity/MPC/ (accessed on 15 April 2014).
- Chase. Available online: http://www.chase.com (accessed on 15 April 2014).
- Wells Fargo. Available online: http://www.wellsfargo.com (accessed on 15 April 2014).
- Kolesnikov, V.; Sadeghi, A.R.; Schneider, T. Improved garbled circuit building blocks and applications to auctions and computing minima. In Cryptology and Network Security; Springer: Berlin/Heidelberg, Germany, 2009; pp. 1–20. [Google Scholar]
- Huang, Y.; Evans, D.; Katz, J. Private set intersection: Are garbled circuits better than custom protocols. In NDSS; The Internet Society: San Diego, CA, USA, 2012. [Google Scholar]
- Domingo-Ferrer, J. A provably secure additive and multiplicative privacy homomorphism. In Information Security; Springer: Berlin/Heidelberg, Germany, 2002; pp. 471–483. [Google Scholar]
- Lindell, Y.; Pinkas, B. A proof of security of yao’s protocol for two-party computation. J. Cryptol.
**2009**, 22, 168–188. [Google Scholar] [CrossRef] - Lindell, Y.; Pinkas, B. Secure multiparty computation for privacy-preserving data mining. J. Priv. Confid.
**2009**, 1, 59–98. [Google Scholar] - Henecka, W.; Sadeghi, A.R.; Schneider, T.; Wehrenberg, I. TASTY: Tool for automating secure two-party computations. In Proceedings of the 17th ACM Conference on Computer and Communications Security, Chicago, IL, USA, 4–8 October 2010; pp. 451–462.
- Malkhi, D.; Nisan, N.; Pinkas, B.; Sella, Y. Fairplay—A secure two-party computation system. In USENIX Security Symposium; USENIX Association: San Diego, CA, USA, 2004. [Google Scholar]
- Ben-David, A.; Nisan, N.; Pinkas, B. FairplayMP: A system for secure multi-party computation. In Proceedings of the 15th ACM Conference on Computer and Communications Security, Alexandria, VA, USA, 27–31 October 2008; pp. 257–266.
- Burkhart, M.; Strasser, M.; Many, D.; Dimitropoulos, X. SEPIA: Privacy-preserving aggregation of multi-domain network events and statistics. In Proceedings of the 19th USENIX conference on Security, Washington, DC, USA, 11–13 August 2010.
- Damgård, I.; Pastro, V.; Smart, N.; Zakarias, S. Multiparty computation from somewhat homomorphic encryption. In Advances in Cryptology–CRYPTO 2012; Springer: Berlin/Heidelberg, Germany, 2012. [Google Scholar]
- Ames, S.; Venkitasubramaniam, M.; Page, A.; Kocabas, O.; Soyata, T. Secure health monitoring in the cloud using homomorphic encryption, a branching-program formulation. In Enabling Real-Time Mobile Cloud Computing through Emerging Technologies; Soyata, T., Ed.; IGI Global: Hershey, PA, USA, 2015; pp. 116–152. [Google Scholar]
- Bugiel, S.; Nürnberger, S.; Sadeghi, A.R.; Schneider, T. Twin clouds: Secure cloud computing with low latency. In Communications and Multimedia Security; Springer: Berlin/Heidelberg, Germany, 2011; pp. 32–44. [Google Scholar]
- Goldwasser, S.; Kalai, Y.; Popa, R.A.; Vaikuntanathan, V.; Zeldovich, N. Reusable garbled circuits and succinct functional encryption. In Proceedings of the Forty-Fifth Annual ACM Symposium on Theory of Computing, Palo Alto, CA, USA, 1–4 June 2013; pp. 555–564.
- Gennaro, R.; Gentry, C.; Parno, B. Non interactive verifiable computing: Outsourcing computation to untrusted workers. In Advances in Cryptology–CRYPTO 2010; Springer: Berlin/Heidelberg, Germany, 2010; pp. 465–482. [Google Scholar]
- Naehrig, M.; Lauter, K.; Vaikuntanathan, V. Can homomorphic encryption be practical? In Proceedings of the 3rd ACM Workshop on Cloud Computing Security Workshop, Chicago, IL, USA, 17–21 October 2011; pp. 113–124.
- Duan, Y.; Canny, J.; Zhan, J. P4P: Practical large-scale privacy-preserving distributed computation robust against malicious users. In Proceedings of the 19th USENIX conference on Security, Washington, DC, USA, 11–13 August 2010.
- Carter, H.; Mood, B.; Traynor, P.; Butler, K. Secure outsourced garbled circuit evaluation for mobile devices. In Proceedings of the 22nd USENIX Conference on Security, Washington, DC, USA, 14–16 August 2013.
- Computing in the Cloud. Available online: https://people.ece.cornell.edu/haas/wnl/CiC (accessed on 15 July 2014).

**Figure 1.**Our secure cloud computing model with $(n+2)=5$ servers. (1) Client sends unique seed value, ${s}_{i}$, to each ${p}_{i}\phantom{\rule{3.33333pt}{0ex}}(1\le i\le 3)$; (2) ${p}_{1},\phantom{\rule{3.33333pt}{0ex}}{p}_{2},\phantom{\rule{3.33333pt}{0ex}}{p}_{3}$ interact (${I}_{ij},1\le i<j\le 3$) to construct shares of the garbled circuit $GC$; (3) Each ${p}_{i}$ sends its share ($G{C}_{i}$) to ${p}_{c}$; (4) ${p}_{c}$ computes $GC=G{C}_{1}\oplus G{C}_{2}\oplus G{C}_{3}$, and sends it to ${p}_{e}$; (5) Client generates garbled inputs, and sends them to ${p}_{e}$ for evaluation; (6) ${p}_{e}$ evaluates $GC$, and returns the garbled outputs to the client.

**Figure 2.**A circuit with three gates, $P,Q,R$, and seven wires, ${\omega}_{i}\phantom{\rule{3.33333pt}{0ex}}(0\le i\le 6)$.

**Figure 5.**Total number of Mbits generated randomly while creating one garbled table entry for the 32-bit adder.

**Figure 7.**Total number of Kbits that the client generates to delegate the construction and evaluation of the garbled circuit, and to verify the outputs for the 32-bit adder.

**Figure 13.**Server-side network traffic to construct the garbled circuit for determining the nearest ATM.

P | Q | R |
---|---|---|

${E}_{{\omega}_{0}^{0}}[{E}_{{\omega}_{1}^{1}}\left[{\omega}_{4}^{1}\right]]$ | ${E}_{{\omega}_{2}^{0}}[{E}_{{\omega}_{3}^{1}}\left[{\omega}_{5}^{0}\right]]$ | ${E}_{{\omega}_{4}^{1}}[{E}_{{\omega}_{5}^{1}}\left[{\omega}_{6}^{0}\right]]$ |

${E}_{{\omega}_{0}^{0}}[{E}_{{\omega}_{1}^{0}}\left[{\omega}_{4}^{0}\right]]$ | ${E}_{{\omega}_{2}^{1}}[{E}_{{\omega}_{3}^{0}}\left[{\omega}_{5}^{0}\right]]$ | ${E}_{{\omega}_{4}^{0}}[{E}_{{\omega}_{5}^{0}}\left[{\omega}_{6}^{0}\right]]$ |

${E}_{{\omega}_{0}^{1}}[{E}_{{\omega}_{1}^{1}}\left[{\omega}_{4}^{1}\right]]$ | ${E}_{{\omega}_{2}^{0}}[{E}_{{\omega}_{3}^{0}}\left[{\omega}_{5}^{0}\right]]$ | ${E}_{{\omega}_{4}^{1}}[{E}_{{\omega}_{5}^{0}}\left[{\omega}_{6}^{1}\right]]$ |

${E}_{{\omega}_{0}^{1}}[{E}_{{\omega}_{1}^{0}}\left[{\omega}_{4}^{1}\right]]$ | ${E}_{{\omega}_{2}^{1}}[{E}_{{\omega}_{3}^{1}}\left[{\omega}_{5}^{1}\right]]$ | ${E}_{{\omega}_{4}^{0}}[{E}_{{\omega}_{5}^{1}}\left[{\omega}_{6}^{1}\right]]$ |

Bank/ATM | Location |
---|---|

Chase | 201 South 0 East |

Chase | 185 South 100 East |

Chase | 376 East 400 South |

Chase | 531 East 400 South |

Wells Fargo | 299 South 0 East |

Wells Fargo | 381 East 300 South |

Wells Fargo | 79 South 0 East |

Wells Fargo | 778 South 0 East |

Wells Fargo | 570 South 700 East |

Wells Fargo | 235 South 1300 East |

Block | $\mathbf{\#}\mathit{X}\mathit{O}\mathit{R}$ Gates | $\mathbf{\#}\mathit{A}\mathit{N}\mathit{D}$ Gates |
---|---|---|

$2\times SUB$ | $2\times 4l$ | $2\times l$ |

$2\times INV$ | $2\times l$ | 0 |

$ADD$ | $4l$ | l |

$INC$ | $l+1$ | l |

$Total$ | $15l+1$ | $4l$ |

Block | $\mathbf{\#}\mathit{X}\mathit{O}\mathit{R}$ Gates | $\mathbf{\#}\mathit{A}\mathit{N}\mathit{D}$ Gates |
---|---|---|

$CMP$ | $3(l+1)$ | $l+1$ |

$MU{X}_{min}$ | $2(l+1)$ | $l+1$ |

$MU{X}_{index}$ | $2{L}_{ind}$ | ${L}_{ind}$ |

$Total$ | $5(l+1)+2{L}_{ind}$ | $2(l+1)+{L}_{ind}$ |

**Table 5.**Complete circuit size for nearest ATM. $DIST\left(L\right)$ denotes distance to L locations. $T\left(MIN\right)$ denotes the tree of MIN blocks.

Block | $\mathbf{\#}\mathit{X}\mathit{O}\mathit{R}$ Gates | $\mathbf{\#}\mathit{A}\mathit{N}\mathit{D}$ Gates |
---|---|---|

$DIST\left(L\right)$ | ${v}_{1}=(15l+1)L$ | ${v}_{3}=4lL$ |

$T\left(MIN\right)$ | ${v}_{2}=[5(l+1)+2{L}_{ind}]\times (L-1)$ | ${v}_{4}=[2(l+1)+{L}_{ind}]\times (L-1)$ |

$Total$ | ${v}_{1}+{v}_{2}$ | ${v}_{3}+{v}_{4}$ |

$Application$ | 2596 | 854 |

© 2016 by the authors; licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC-BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Nandha Premnath, S.; Haas, Z.J.
Supporting Privacy of Computations in Mobile Big Data Systems. *Future Internet* **2016**, *8*, 17.
https://doi.org/10.3390/fi8020017

**AMA Style**

Nandha Premnath S, Haas ZJ.
Supporting Privacy of Computations in Mobile Big Data Systems. *Future Internet*. 2016; 8(2):17.
https://doi.org/10.3390/fi8020017

**Chicago/Turabian Style**

Nandha Premnath, Sriram, and Zygmunt J. Haas.
2016. "Supporting Privacy of Computations in Mobile Big Data Systems" *Future Internet* 8, no. 2: 17.
https://doi.org/10.3390/fi8020017