Oblivious Online Monitoring for Safety LTL Specification via Fully Homomorphic Encryption

Transcript

1. (Banno, Kyoto U.)
   Oblivious Online Monitoring for
   Safety LTL Specification via Fully
   Homomorphic Encryption
   Ryotaro Banno*1, Kotaro Matsuoka*1, Naoki Matsumoto*1,
   Song Bian*2, Masaki Waga*1, and Kohei Suenaga*1
   *1 Kyoto University *2 Beihang University
   August 8, 2022
   34th International Conference on Computer Aided Verification (CAV’22)
   1
   

   View Slide

2. (Banno, Kyoto U.)
   Background & Motivation
   Real-time monitoring of sensitive data
   ● e.g., Monitoring blood glucose levels and/or ECG by
   wearable devices
   Server
   Client
   Sensitive sensed data
   Monitoring result
   Online
   monitoring
   2
   

   View Slide

3. (Banno, Kyoto U.)
   Background & Motivation
   Real-time monitoring of sensitive data
   ● e.g., Monitoring blood glucose levels and/or ECG by
   wearable devices
   Server
   Client
   Sensitive sensed data
   Monitoring result
   Online
   monitoring
   3
   The server may exploit the sensitive sensed data
   

   View Slide

4. (Banno, Kyoto U.)
   Background & Motivation
   Real-time monitoring of sensitive data
   ● e.g., Monitoring blood glucose levels and/or ECG by
   wearable devices
   Server
   Client
   Sensitive sensed data
   Monitoring result
   4
   Online
   monitoring
   

   View Slide

5. (Banno, Kyoto U.)
   Background & Motivation
   Real-time monitoring of sensitive data
   ● e.g., Monitoring blood glucose levels and/or ECG by
   wearable devices
   Server
   Client
   Sensitive sensed data
   Monitoring result
   5
   Online
   monitoring
   The client may steal proprietary monitoring specification
   

   View Slide

6. (Banno, Kyoto U.)
   Requirements of Remote Monitoring Protocol
   2-party protocol that maintains both parties’ privacy
   6
   Server
   Client
   Sensed data
   Monitoring result
   Online
   monitoring
   

   View Slide

7. (Banno, Kyoto U.)
   Requirements of Remote Monitoring Protocol
   2-party protocol that maintains both parties’ privacy
   The client’s privacy:
   ● Private data
   ● Private result
   7
   Server
   Client
   Sensed data
   Monitoring result
   Online
   monitoring
   

   View Slide

8. (Banno, Kyoto U.)
   Requirements of Remote Monitoring Protocol
   2-party protocol that maintains both parties’ privacy
   The client’s privacy:
   ● Private data
   ● Private result
   8
   Server
   Client
   Sensed data
   Monitoring result
   Online
   monitoring
   The server’s privacy:
   ● Private spec.
   

   View Slide

9. (Banno, Kyoto U.)
   Requirements of Remote Monitoring Protocol
   2-party protocol that maintains both parties’ privacy
   The client’s privacy:
   ● Private data
   ● Private result
   9
   Server
   Client
   Sensed data
   Monitoring result
   Online
   monitoring
   The server’s privacy:
   ● Private spec.
   w/o any
   decryption
   

   View Slide

10. (Banno, Kyoto U.)
    Requirements of Remote Monitoring Protocol
    2-party protocol that maintains both parties’ privacy
    The client’s privacy:
    ● Private data
    ● Private result
    10
    Server
    Client
    Sensed data
    Monitoring result
    Online
    monitoring
    The server’s privacy:
    ● Private spec.
    How can we implement this protocol?
    w/o any
    decryption
    

    View Slide

11. (Banno, Kyoto U.)
    Contribution: Oblivious Online Monitoring
    Use fully homomorphic encryption (FHE)
    The client’s privacy:
    ● Private data
    ● Private result
    11
    Server
    Client
    Sensed data
    Monitoring result
    Online
    monitoring
    w/o any
    decryption
    The server’s privacy:
    ● Private spec.
    Encryption allowing
    computation without
    decryption
    

    View Slide

12. (Banno, Kyoto U.)
    Contribution: Oblivious Online Monitoring
    Use fully homomorphic encryption (FHE)
    The client’s privacy:
    ● Private data
    ● Private result
    12
    Server
    Client
    Sensed data
    Monitoring result
    Online
    monitoring
    w/o any
    decryption
    The server’s privacy:
    ● Private spec.
    (Safety) LTL
    Encryption allowing
    computation without
    decryption
    Run a monitor DFA
    w/o any decryption
    

    View Slide

13. (Banno, Kyoto U.)
    Challenge: Online, Obliviously, and Fast
    No known techniques provide fast oblivious online monitoring
    ● Oblivious offline algorithms are known (e.g., [Chillotti+, J. Crypto 2020])
    ○ None of them is online
    ● Trivial online algorithm via universality of FHE is theoretically
    possible
    ○ Too slow
    13
    

    View Slide

14. (Banno, Kyoto U.)
    Our Contribution
    ● Two online algorithms to run a DFA obliviously using FHE
    ○ Named Reverse and Block
    ● A protocol for oblivious online LTL monitoring
    ○ with proofs of correctness and security
    ● Experimentally demonstrated scalability and practicality
    ○ Monitoring of a blood glucose level in < 3ms/sample in the best case
    14
    

    View Slide

15. (Banno, Kyoto U.)
    Outline
    ● Preparation
    ○ Offline Monitoring v.s. Online Monitoring
    ○ Fully Homomorphic Encryption
    ○ Offline algorithm to run a DFA obliviously
    ● Oblivious Online LTL Monitoring
    ○ Algorithm Reverse
    ○ Algorithm Block
    ● Experiments
    ○ Monitoring of blood glucose levels
    15
    

    View Slide

16. (Banno, Kyoto U.)
    Offline Monitoring v.s. Online Monitoring
    Offline monitoring:
    ● Monitored data: given in advance
    ● Output: only once, after all data
    processed
    Online monitoring:
    ● Monitored data: given one by one
    ● Output: multiple times in the process
    16
    batch of data
    result
    1st part of data
    partial result
    2nd part of data
    partial result
    Offline monitoring
    Online monitoring
    

    View Slide

17. (Banno, Kyoto U.)
    Fully Homomorphic Encryption (FHE)
    17
    Common Encryption (e.g., AES) FHE
    

    View Slide

18. (Banno, Kyoto U.)
    Fully Homomorphic Encryption (FHE)
    18
    x
    x
    Encrypt
    Common Encryption (e.g., AES) FHE
    

    View Slide

19. (Banno, Kyoto U.)
    Fully Homomorphic Encryption (FHE)
    19
    x
    x
    f(x)
    Normal computation
    (e.g., addition)
    Encrypt
    Common Encryption (e.g., AES) FHE
    f
    

    View Slide

20. (Banno, Kyoto U.)
    Fully Homomorphic Encryption (FHE)
    20
    x
    x f(x)
    f(x)
    Normal computation
    (e.g., addition)
    Encrypt
    Common Encryption (e.g., AES) FHE
    f
    

    View Slide

21. (Banno, Kyoto U.)
    Fully Homomorphic Encryption (FHE)
    21
    x
    x f(x)
    f(x)
    Normal computation
    (e.g., addition)
    Encrypt
    Common Encryption (e.g., AES) FHE
    f x
    x
    f(x)
    Normal computation
    (e.g., addition)
    Encrypt
    f
    

    View Slide

22. (Banno, Kyoto U.)
    Fully Homomorphic Encryption (FHE)
    22
    x
    x f(x)
    f(x)
    Normal computation
    (e.g., addition)
    Encrypt
    Common Encryption (e.g., AES) FHE
    f x
    x f(x)
    f(x)
    Normal computation
    (e.g., addition)
    Encrypt Decrypt
    f
    Computation
    via FHE
    (w/o dec.)
    f
    

    View Slide

23. (Banno, Kyoto U.)
    Fully Homomorphic Encryption (FHE)
    23
    x
    x f(x)
    f(x)
    Normal computation
    (e.g., addition)
    Encrypt
    Common Encryption (e.g., AES) FHE
    f x
    x f(x)
    f(x)
    Normal computation
    (e.g., addition)
    Encrypt Decrypt
    f
    Computation
    via FHE
    (w/o dec.)
    f
    ● We can construct f from f automatically via
    universality of FHE, but such f is slow
    ● We need dedicated and fast algorithms
    

    View Slide

24. (Banno, Kyoto U.)
    Primitive FHE Operation for DFA Execution
    FHE supports many operations over ciphertexts
    ● It achieves its universality by combining them
    One primitive operation: CMux
    ● Many FHE operations are constructed on top of CMux
    We realize DFA execution mainly via CMux
    24
    

    View Slide

25. (Banno, Kyoto U.)
    CMux (Controlled MUltipleXer) Gate
    A homomorphic operation FHE provides
    ● Input: Ciphertext d, c
    1
    , c
    0
    ● Output: Ciphertext o
    Calculate the following without decryption:
    ● Dec(o) = Dec(c
    1
    ) if Dec(d) = 1
    ● Dec(o) = Dec(c
    0
    ) if Dec(d) = 0
    Chosen value is not revealed
    ● c
    1
    ≠ o and c
    0
    ≠ o
    (in binary representation)
    25
    

    View Slide

26. (Banno, Kyoto U.)
    Offline Execution of DFA via FHE
    The idea :
    ● Enumerate all transitions of the
    DFA M that may be taken with
    the input data to be monitored
    ● Select the correct one by CMux
    gates
    26
    [Chillotti+, J. Crypto 2020]
    

    View Slide

27. (Banno, Kyoto U.)
    Offline Execution of DFA via FHE
    The idea :
    ● Enumerate all transitions of the
    DFA M that may be taken with
    the input data to be monitored
    ● Select the correct one by CMux
    gates
    27
    [Chillotti+, J. Crypto 2020]
    Assume input s = σ
    1
    σ
    2
    σ
    3
    (n=3)
    DFA M
    

    View Slide

28. (Banno, Kyoto U.)
    Offline Execution of DFA via FHE
    The idea :
    ● Enumerate all transitions of the
    DFA M that may be taken with
    the input data to be monitored
    ● Select the correct one by CMux
    gates
    28
    [Chillotti+, J. Crypto 2020]
    Assume input s = σ
    1
    σ
    2
    σ
    3
    (n=3)
    DFA M
    n is known in advance
    in the offline setting
    

    View Slide

29. (Banno, Kyoto U.)
    1. Enumerate all transitions at
    depth n=3
    Assume input s = σ
    1
    σ
    2
    σ
    3
    (n=3)
    29
    [Chillotti+, J. Crypto 2020]
    DFA M
    Offline Execution of DFA via FHE
    

    View Slide

30. (Banno, Kyoto U.)
    Offline Execution of DFA via FHE
    1. Enumerate all transitions at
    depth n=3
    2. Select by CMux gates
    30
    [Chillotti+, J. Crypto 2020]
    

    View Slide

31. (Banno, Kyoto U.)
    Offline Execution of DFA via FHE
    1. Enumerate all transitions at
    depth n=3
    2. Select by CMux gates
    31
    [Chillotti+, J. Crypto 2020]
    The monitored ciphertexts
    

    View Slide

32. (Banno, Kyoto U.)
    Offline Execution of DFA via FHE
    1. Enumerate all transitions at
    depth n=3
    2. Select by CMux gates
    32
    [Chillotti+, J. Crypto 2020]
    The monitored ciphertexts
    Flags indicating
    ● accepting state (1)
    ● not-accepting state (0)
    

    View Slide

33. (Banno, Kyoto U.)
    Offline Execution of DFA via FHE
    1. Enumerate all transitions at
    depth n=3
    2. Select by CMux gates
    33
    [Chillotti+, J. Crypto 2020]
    The monitored ciphertexts
    Flags indicating
    ● accepting state (1)
    ● not-accepting state (0)
    Result: δ(q
    0
    , σ
    1
    σ
    2
    σ
    3
    ) F (encrypted)
    ∈
    

    View Slide

34. (Banno, Kyoto U.)
    Why is the Algorithm Offline?
    ● It consumes all the data from back to front
    ● We cannot start the algorithm before we obtain the last input
    34
    Outline figure of the algorithm offline
    

    View Slide

35. (Banno, Kyoto U.)
    Outline
    ● Preparation
    ○ Offline Monitoring v.s. Online Monitoring
    ○ Fully Homomorphic Encryption
    ○ Offline algorithm to run a DFA obliviously
    ● Oblivious Online LTL Monitoring
    ○ Algorithm Reverse
    ○ Algorithm Block
    ● Experiments
    ○ Monitoring of blood glucose levels
    35
    

    View Slide

36. (Banno, Kyoto U.)
    Proposed Online Algorithms
    ● Algorithm Reverse:
    1. Reverse the DFA to obtain MR
    2. Apply the offline algorithm to MR
    ● Algorithm Block:
    1. Split the monitored ciphertexts
    into fixed-length blocks
    2. Process each block sequentially
    with the modified offline alg.
    36
    [Contribution]
    

    View Slide

37. (Banno, Kyoto U.)
    Proposed Online Algorithms
    ● Algorithm Reverse:
    1. Reverse the DFA to obtain MR
    2. Apply the offline algorithm to MR
    ● Algorithm Block:
    1. Split the monitored ciphertexts
    into fixed-length blocks
    2. Process each block sequentially
    with the modified offline alg.
    37
    [Contribution]
    ● Essentially reverse M twice
    ● Time complexity is O(2|M|) due to
    powerset construction
    

    View Slide

38. (Banno, Kyoto U.)
    Proposed Online Algorithms
    ● Algorithm Reverse:
    1. Reverse the DFA to obtain MR
    2. Apply the offline algorithm to MR
    ● Algorithm Block:
    1. Split the monitored ciphertexts
    into fixed-length blocks
    2. Process each block sequentially
    with the modified offline alg.
    38
    [Contribution]
    ● Essentially reverse M twice
    ● Time complexity is O(2|M|) due to
    powerset construction
    This talk focuses on algorithm Block
    

    View Slide

39. (Banno, Kyoto U.)
    Revisit the Offline Algorithm
    Observation: The offline algorithm can output the reached state
    (i.e., δ(q
    0
    , σ
    1
    σ
    2
    …σ
    n
    ) )
    39
    

    View Slide

40. (Banno, Kyoto U.)
    Revisit the Offline Algorithm
    Observation: The offline algorithm can output the reached state
    (i.e., δ(q
    0
    , σ
    1
    σ
    2
    …σ
    n
    ) )
    40
    Use states as inputs
    instead of flags
    

    View Slide

41. (Banno, Kyoto U.)
    Revisit the Offline Algorithm
    Observation: The offline algorithm can output the reached state
    (i.e., δ(q
    0
    , σ
    1
    σ
    2
    …σ
    n
    ) )
    41
    Use states as inputs
    instead of flags
    Result: δ(q
    0
    , σ
    1
    σ
    2
    σ
    3
    )
    

    View Slide

42. (Banno, Kyoto U.)
    Algorithm Block
    42
    Monitored ciphertexts:
    

    View Slide

43. (Banno, Kyoto U.)
    Algorithm Block
    43
    Monitored ciphertexts:
    1. Split the monitored ciphertexts
    into blocks of size B (here B=3)
    

    View Slide

44. (Banno, Kyoto U.)
    Algorithm Block
    44
    Monitored ciphertexts:
    1. Split the monitored ciphertexts
    into blocks of size B (here B=3)
    2. Apply the modified offline alg.
    ● to obtain δ(q
    0
    , σ
    1
    σ
    2
    σ
    3
    )
    

    View Slide

45. (Banno, Kyoto U.)
    Algorithm Block
    45
    Monitored ciphertexts:
    1. Split the monitored ciphertexts
    into blocks of size B (here B=3)
    How can we handle the block #2?
    ● We want δ(δ(q
    0
    , σ
    1
    σ
    2
    σ
    3
    ), σ
    4
    σ
    5
    σ
    6
    )
    ● But, we don’t know δ(q
    0
    , σ
    1
    σ
    2
    σ
    3
    )
    because it’s encrypted
    2. Apply the modified offline alg.
    ● to obtain δ(q
    0
    , σ
    1
    σ
    2
    σ
    3
    )
    

    View Slide

46. (Banno, Kyoto U.)
    Algorithm Block
    46
    Monitored ciphertexts:
    2. Apply the modified offline alg.
    ● to obtain δ(q
    0
    , σ
    1
    σ
    2
    σ
    3
    )
    1. Split the monitored ciphertexts
    into blocks of size B (here B=3)
    3. Apply the modified offline alg. to
    every state q
    i
    ● to obtain δ(q
    i
    , σ
    4
    σ
    5
    σ
    6
    )
    

    View Slide

47. (Banno, Kyoto U.)
    Algorithm Block
    47
    Monitored ciphertexts:
    2. Apply the modified offline alg.
    ● to obtain δ(q
    0
    , σ
    1
    σ
    2
    σ
    3
    )
    1. Split the monitored ciphertexts
    into blocks of size B (here B=3)
    Candidates
    3. Apply the modified offline alg. to
    every state q
    i
    ● to obtain δ(q
    i
    , σ
    4
    σ
    5
    σ
    6
    )
    

    View Slide

48. (Banno, Kyoto U.)
    Algorithm Block
    48
    Monitored ciphertexts:
    2. Apply the modified offline alg.
    ● to obtain δ(q
    0
    , σ
    1
    σ
    2
    σ
    3
    )
    1. Split the monitored ciphertexts
    into blocks of size B (here B=3)
    Candidates
    Selector
    3. Apply the modified offline alg. to
    every state q
    i
    ● to obtain δ(q
    i
    , σ
    4
    σ
    5
    σ
    6
    )
    

    View Slide

49. (Banno, Kyoto U.)
    Algorithm Block
    49
    Monitored ciphertexts:
    2. Apply the modified offline alg.
    ● to obtain δ(q
    0
    , σ
    1
    σ
    2
    σ
    3
    )
    1. Split the monitored ciphertexts
    into blocks of size B (here B=3)
    Candidates
    Selector
    3. Apply the modified offline alg. to
    every state q
    i
    ● to obtain δ(q
    i
    , σ
    4
    σ
    5
    σ
    6
    )
    4. Select the correct current state
    ● i.e, δ(δ(q
    0
    , σ
    1
    σ
    2
    σ
    3
    ), σ
    4
    σ
    5
    σ
    6
    ) = δ(q
    0
    , σ
    1
    σ
    2
    σ
    3
    σ
    4
    σ
    5
    σ
    6
    )
    This “Big CMux” is
    essentially a tree of
    CMux gates
    Selector
    Candidates
    

    View Slide

50. (Banno, Kyoto U.)
    Algorithm Block: Pros and Cons
    ● Pros: # of CMux gates is linear to |M| as well as to n
    ○ In contrast, it’s exponential to |M| in algorithm Reverse
    ● Cons: “Big CMux” can be slow
    ○ It contains a very slow operation (~ 1,000 times slower than CMux)
    ○ Tolerate B bits of delay of monitoring results for better performance
    ■ Large B Fewer “Big CMux”
    ⇒
    50
    

    View Slide

51. (Banno, Kyoto U.)
    Outline
    ● Preparation
    ○ Offline Monitoring v.s. Online Monitoring
    ○ Fully Homomorphic Encryption
    ○ Offline algorithm to run a DFA obliviously
    ● Oblivious Online LTL Monitoring
    ○ Algorithm Reverse
    ○ Algorithm Block
    ● Experiments
    ○ Monitoring of blood glucose levels
    51
    

    View Slide

52. (Banno, Kyoto U.)
    Monitoring of Blood Glucose Levels (BG)
    Monitor BG of simulated type 1 diabetes patients
    ● Use 6 LTL formulae (ψ
    1
    , ψ
    2
    , ψ
    4
    , φ
    1
    , φ
    4
    , φ
    5
    )
    ○ Originally presented by [Cameron+, RV’15] and [Young+, IoTDI’18]
    ○ Use discrete sampling to convert original STL formulae to LTL ones
    ● Record BG every 1 minute
    ● Encode each BG in 9 bits
    52
    Experimental environment:
    ● CPU: Intel Xeon Silver 4216
    (32C64T @ 3.2 GHz)
    ● RAM: 128 GiB
    

    View Slide

53. (Banno, Kyoto U.)
    Experimental Result
    53
    Formula |M| |MR|
    Mean Runtime (ms/value)
    Block Reverse
    ψ
    1
    10524 2712974 184.02 22220.62
    ψ
    2
    11126 2885376 182.43 23626.97
    ψ
    4
    7026 —*1 49.12 —*1
    φ
    1
    21 20 172.72 2.21
    φ
    4
    237 237 205.68 4.19
    φ
    5
    390 390 206.78 5.44
    *1: Construction of MR for ψ
    4
    was
    aborted due to memory limit
    

    View Slide

54. (Banno, Kyoto U.)
    Experimental Result
    54
    Formula |M| |MR|
    Mean Runtime (ms/value)
    Block Reverse
    ψ
    1
    10524 2712974 184.02 22220.62
    ψ
    2
    11126 2885376 182.43 23626.97
    ψ
    4
    7026 —*1 49.12 —*1
    φ
    1
    21 20 172.72 2.21
    φ
    4
    237 237 205.68 4.19
    φ
    5
    390 390 206.78 5.44
    *1: Construction of MR for ψ
    4
    was
    aborted due to memory limit
    |MR| is large ⇨ Block is faster
    <
    

    View Slide

55. (Banno, Kyoto U.)
    Experimental Result
    55
    Formula |M| |MR|
    Mean Runtime (ms/value)
    Block Reverse
    ψ
    1
    10524 2712974 184.02 22220.62
    ψ
    2
    11126 2885376 182.43 23626.97
    ψ
    4
    7026 —*1 49.12 —*1
    φ
    1
    21 20 172.72 2.21
    φ
    4
    237 237 205.68 4.19
    φ
    5
    390 390 206.78 5.44
    *1: Construction of MR for ψ
    4
    was
    aborted due to memory limit
    |MR| is large ⇨ Block is faster
    |MR| is small ⇨ Reverse is faster
    <
    >
    

    View Slide

56. (Banno, Kyoto U.)
    Experimental Result
    56
    Formula |M| |MR|
    Mean Runtime (ms/value)
    Block Reverse
    ψ
    1
    10524 2712974 184.02 22220.62
    ψ
    2
    11126 2885376 182.43 23626.97
    ψ
    4
    7026 —*1 49.12 —*1
    φ
    1
    21 20 172.72 2.21
    φ
    4
    237 237 205.68 4.19
    φ
    5
    390 390 206.78 5.44
    *1: Construction of MR for ψ
    4
    was
    aborted due to memory limit
    Both algorithms took at most 24 sec./value
    ⇨ Faster than sampling interval (1 min.)
    

    View Slide

57. (Banno, Kyoto U.)
    The client’s privacy:
    ● Private data
    ● Private result
    Server
    Client
    Sensed data
    Monitoring result
    Online
    monitoring
    The server’s privacy:
    ● Private spec.
    w/o any
    decryption
    Conclusion
    57
    

    View Slide

58. (Banno, Kyoto U.)
    The client’s privacy:
    ● Private data
    ● Private result
    Server
    Client
    Sensed data
    Monitoring result
    Online
    monitoring
    The server’s privacy:
    ● Private spec.
    w/o any
    decryption
    Conclusion
    58
    1. We proposed a protocol of oblivious
    online LTL monitoring
    

    View Slide

59. (Banno, Kyoto U.)
    The client’s privacy:
    ● Private data
    ● Private result
    Server
    Client
    Sensed data
    Monitoring result
    Online
    monitoring
    The server’s privacy:
    ● Private spec.
    w/o any
    decryption
    Conclusion
    59
    1. We proposed a protocol of oblivious
    online LTL monitoring
    2. We proposed online
    algorithms Reverse and Block
    

    View Slide

60. (Banno, Kyoto U.)
    The client’s privacy:
    ● Private data
    ● Private result
    Server
    Client
    Sensed data
    Monitoring result
    Online
    monitoring
    The server’s privacy:
    ● Private spec.
    w/o any
    decryption
    Conclusion
    60
    1. We proposed a protocol of oblivious
    online LTL monitoring
    2. We proposed online
    algorithms Reverse and Block
    3. We experimentally showed
    scalability and practicality of
    our algorithms
    

    View Slide

61. (Banno, Kyoto U.)
    The client’s privacy:
    ● Private data
    ● Private result
    Server
    Client
    Sensed data
    Monitoring result
    Online
    monitoring
    The server’s privacy:
    ● Private spec.
    w/o any
    decryption
    Conclusion
    61
    1. We proposed a protocol of oblivious
    online LTL monitoring
    2. We proposed online
    algorithms Reverse and Block
    3. We experimentally showed
    scalability and practicality of
    our algorithms
    Thank you!
    In the paper, we discuss:
    ● Details on Reverse and Block
    ● Proposed 2-party protocol
    ● Other experiments
    

    View Slide