Slide 1

Slide 1 text

(Banno, Kyoto U.)
Oblivious Online Monitoring for Safety LTL Specification via Fully Homomorphic Encryption
Ryotaro Banno*1, Kotaro Matsuoka*1, Naoki Matsumoto*1, Song Bian*2, Masaki Waga*1, and Kohei Suenaga*1
*1 Kyoto University
*2 Beihang University
August 8, 2022
34th International Conference on Computer Aided Verification (CAV’22)

Slide 3

Slide 3 text

Background & Motivation
Real-time monitoring of sensitive data
● e.g., monitoring blood glucose levels and/or ECG by wearable devices
[Diagram: Client and Server; labels: Sensitive sensed data, Monitoring result, Online monitoring]
The server may exploit the sensitive sensed data

Slide 5

Slide 5 text

Background & Motivation
Real-time monitoring of sensitive data
● e.g., monitoring blood glucose levels and/or ECG by wearable devices
[Diagram: Client and Server; labels: Sensitive sensed data, Monitoring result, Online monitoring]
The client may steal the proprietary monitoring specification

Slide 10

Slide 10 text

Requirements of Remote Monitoring Protocol
2-party protocol that maintains both parties’ privacy
The client’s privacy:
● Private data
● Private result
The server’s privacy:
● Private spec.
[Diagram: Client and Server; labels: Sensed data, Monitoring result, Online monitoring w/o any decryption]
How can we implement this protocol?

Slide 12

Slide 12 text

Contribution: Oblivious Online Monitoring
Use fully homomorphic encryption (FHE)
● Encryption allowing computation without decryption
The client’s privacy:
● Private data
● Private result
The server’s privacy:
● Private spec.: (Safety) LTL
[Diagram: Client and Server; labels: Sensed data, Monitoring result, Online monitoring w/o any decryption]
Run a monitor DFA w/o any decryption

Slide 13

Slide 13 text

Challenge: Online, Obliviously, and Fast
No known techniques provide fast oblivious online monitoring
● Oblivious offline algorithms are known (e.g., [Chillotti+, J. Crypto 2020])
  ○ None of them is online
● Trivial online algorithm via universality of FHE is theoretically possible
  ○ Too slow

Slide 14

Slide 14 text

Our Contribution
● Two online algorithms to run a DFA obliviously using FHE
  ○ Named Reverse and Block
● A protocol for oblivious online LTL monitoring
  ○ with proofs of correctness and security
● Experimentally demonstrated scalability and practicality
  ○ Monitoring of a blood glucose level in < 3 ms/sample in the best case

Slide 15

Slide 15 text

Outline
● Preparation
  ○ Offline Monitoring vs. Online Monitoring
  ○ Fully Homomorphic Encryption
  ○ Offline algorithm to run a DFA obliviously
● Oblivious Online LTL Monitoring
  ○ Algorithm Reverse
  ○ Algorithm Block
● Experiments
  ○ Monitoring of blood glucose levels

Slide 16

Slide 16 text

Offline Monitoring vs. Online Monitoring
Offline monitoring:
● Monitored data: given in advance
● Output: only once, after all data is processed
Online monitoring:
● Monitored data: given one by one
● Output: multiple times in the process
[Diagram: Offline monitoring: batch of data → result. Online monitoring: 1st part of data → partial result, 2nd part of data → partial result]

Slide 23

Slide 23 text

Fully Homomorphic Encryption (FHE)
[Diagram comparing common encryption (e.g., AES) with FHE; labels: x, f(x), Encrypt, Decrypt, Normal computation f (e.g., addition), Computation via FHE (w/o dec.)]
● We can construct the FHE counterpart of f from f automatically via universality of FHE, but such a counterpart is slow
● We need dedicated and fast algorithms

Slide 24

Slide 24 text

Primitive FHE Operation for DFA Execution
FHE supports many operations over ciphertexts
● It achieves its universality by combining them
One primitive operation: CMux
● Many FHE operations are constructed on top of CMux
We realize DFA execution mainly via CMux

Slide 25

Slide 25 text

CMux (Controlled MUltipleXer) Gate
A homomorphic operation FHE provides
● Input: ciphertexts d, c₁, c₀
● Output: ciphertext o
Calculate the following without decryption:
● Dec(o) = Dec(c₁) if Dec(d) = 1
● Dec(o) = Dec(c₀) if Dec(d) = 0
Chosen value is not revealed
● c₁ ≠ o and c₀ ≠ o (in binary representation)

Slide 28

Slide 28 text

Offline Execution of DFA via FHE [Chillotti+, J. Crypto 2020]
The idea:
● Enumerate all transitions of the DFA M that may be taken with the input data to be monitored
● Select the correct one by CMux gates
Assume input s = σ₁σ₂σ₃ (n=3)
● n is known in advance in the offline setting
[Figure: DFA M]

Slide 29

Slide 29 text

Offline Execution of DFA via FHE [Chillotti+, J. Crypto 2020]
1. Enumerate all transitions at depth n=3
Assume input s = σ₁σ₂σ₃ (n=3)
[Figure: DFA M]

Slide 33

Slide 33 text

Offline Execution of DFA via FHE [Chillotti+, J. Crypto 2020]
1. Enumerate all transitions at depth n=3
2. Select by CMux gates
[Figure labels:]
● The monitored ciphertexts
● Flags indicating accepting state (1) / not-accepting state (0)
● Result: δ(q₀, σ₁σ₂σ₃) ∈ F (encrypted)

Slide 34

Slide 34 text

Why is the Algorithm Offline?
● It consumes all the data from back to front
● We cannot start the algorithm before we obtain the last input
[Figure: outline of the offline algorithm]

Slide 38

Slide 38 text

Proposed Online Algorithms [Contribution]
● Algorithm Reverse:
  1. Reverse the DFA to obtain M^R
  2. Apply the offline algorithm to M^R
  ○ Essentially reverse M twice
  ○ Time complexity is O(2^|M|) due to powerset construction
● Algorithm Block:
  1. Split the monitored ciphertexts into fixed-length blocks
  2. Process each block sequentially with the modified offline alg.
This talk focuses on algorithm Block

Slide 41

Slide 41 text

Revisit the Offline Algorithm
Observation: The offline algorithm can output the reached state (i.e., δ(q₀, σ₁σ₂…σₙ))
● Use states as inputs instead of flags
● Result: δ(q₀, σ₁σ₂σ₃)

Slide 45

Slide 45 text

Algorithm Block
[Figure: the monitored ciphertexts]
1. Split the monitored ciphertexts into blocks of size B (here B=3)
2. Apply the modified offline alg.
   ● to obtain δ(q₀, σ₁σ₂σ₃)
How can we handle block #2?
● We want δ(δ(q₀, σ₁σ₂σ₃), σ₄σ₅σ₆)
● But we don’t know δ(q₀, σ₁σ₂σ₃) because it’s encrypted

Slide 49

Slide 49 text

Algorithm Block
[Figure: the monitored ciphertexts, and a “Big CMux” with inputs labeled Selector and Candidates]
1. Split the monitored ciphertexts into blocks of size B (here B=3)
2. Apply the modified offline alg.
   ● to obtain δ(q₀, σ₁σ₂σ₃)
3. Apply the modified offline alg. to every state qᵢ
   ● to obtain δ(qᵢ, σ₄σ₅σ₆)
4. Select the correct current state
   ● i.e., δ(δ(q₀, σ₁σ₂σ₃), σ₄σ₅σ₆) = δ(q₀, σ₁σ₂σ₃σ₄σ₅σ₆)
   ● This “Big CMux” is essentially a tree of CMux gates
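
The offline CMux evaluation and Algorithm Block described on the slides above, as an added plaintext simulation (not the authors' code; no FHE is performed). Here `cmux` works on plain values, and the DFA, the bit-tuple state encoding and the sample stream are constructed for illustration.

```python
# Plaintext stand-in: every "ciphertext" is a plain value. With a real FHE
# library, cmux() would compute the same selection without ever learning d.

def cmux(d, c1, c0):
    """Dec(o) = Dec(c1) if Dec(d) = 1 else Dec(c0)."""
    return c1 if d == 1 else c0

def offline(delta, leaves, bits):
    """Back-to-front pass: returns T with T[q] = leaves[delta*(q, bits)]."""
    table = list(leaves)
    for b in reversed(bits):  # needs the LAST input first, hence "offline"
        table = [cmux(b, table[delta[q][1]], table[delta[q][0]])
                 for q in range(len(delta))]
    return table

def encode(q, width):
    """State index as a little-endian tuple of selector bits (assumption)."""
    return tuple((q >> i) & 1 for i in range(width))

def big_cmux(selector, candidates):
    """Tree of CMux gates picking candidates[value of selector]."""
    layer = list(candidates)
    layer += [layer[-1]] * ((1 << len(selector)) - len(layer))  # pad to 2^k
    for bit in selector:
        layer = [cmux(bit, layer[i + 1], layer[i])
                 for i in range(0, len(layer), 2)]
    return layer[0]

def block_monitor(delta, accepting, q0, bits, B):
    """Algorithm Block: one accept flag per completed block of B inputs."""
    n = len(delta)
    width = max(1, (n - 1).bit_length())
    states = [encode(q, width) for q in range(n)]
    flags = [1 if q in accepting else 0 for q in range(n)]
    current, results = None, []
    for start in range(0, len(bits) - B + 1, B):
        candidates = offline(delta, states, bits[start:start + B])
        # Block 1 starts from the known q0; later blocks need the Big CMux
        # because the current state is only available encrypted.
        current = (candidates[q0] if current is None
                   else big_cmux(current, candidates))
        results.append(big_cmux(current, flags))
    return results

# Constructed monitor DFA: "never three consecutive 1s" (state 3 = violated).
DELTA = [[0, 1], [0, 2], [0, 3], [3, 3]]   # DELTA[q][input bit]
ACCEPTING = {0, 1, 2}
SAMPLE = [1, 1, 0, 1, 1, 1, 0, 0, 1]       # constructed input stream

if __name__ == "__main__":
    flags = [1 if q in ACCEPTING else 0 for q in range(len(DELTA))]
    print(offline(DELTA, flags, SAMPLE)[0])           # whole-trace verdict
    print(block_monitor(DELTA, ACCEPTING, 0, SAMPLE, 3))
```

Each call to `offline` uses one `cmux` per state per input, which is the linear gate count the talk attributes to Block; the `big_cmux` calls occur once per block, so a larger B means fewer of them.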

Slide 50

Slide 50 text

Algorithm Block: Pros and Cons
● Pros: # of CMux gates is linear in |M| as well as in n
  ○ In contrast, it’s exponential in |M| in algorithm Reverse
● Cons: “Big CMux” can be slow
  ○ It contains a very slow operation (~1,000 times slower than CMux)
  ○ Tolerate B bits of delay of monitoring results for better performance
    ■ Large B ⇒ Fewer “Big CMux”

Slide 52

Slide 52 text

Monitoring of Blood Glucose Levels (BG)
Monitor BG of simulated type 1 diabetes patients
● Use 6 LTL formulae (ψ₁, ψ₂, ψ₄, φ₁, φ₄, φ₅)
  ○ Originally presented by [Cameron+, RV’15] and [Young+, IoTDI’18]
  ○ Use discrete sampling to convert original STL formulae to LTL ones
● Record BG every 1 minute
● Encode each BG in 9 bits
Experimental environment:
● CPU: Intel Xeon Silver 4216 (32C64T @ 3.2 GHz)
● RAM: 128 GiB

Slide 55

Slide 55 text

Experimental Result
Mean runtime (ms/value):
Formula   |M|     |M^R|     Block     Reverse
ψ₁        10524   2712974   184.02    22220.62
ψ₂        11126   2885376   182.43    23626.97
ψ₄        7026    —*1       49.12     —*1
φ₁        21      20        172.72    2.21
φ₄        237     237       205.68    4.19
φ₅        390     390       206.78    5.44
*1: Construction of M^R for ψ₄ was aborted due to memory limit
|M^R| is large ⇨ Block is faster (Block runtime < Reverse runtime)
|M^R| is small ⇨ Reverse is faster (Block runtime > Reverse runtime)

Slide 56

Slide 56 text

Experimental Result
Mean runtime (ms/value):
Formula   |M|     |M^R|     Block     Reverse
ψ₁        10524   2712974   184.02    22220.62
ψ₂        11126   2885376   182.43    23626.97
ψ₄        7026    —*1       49.12     —*1
φ₁        21      20        172.72    2.21
φ₄        237     237       205.68    4.19
φ₅        390     390       206.78    5.44
*1: Construction of M^R for ψ₄ was aborted due to memory limit
Both algorithms took at most 24 sec./value ⇨ Faster than sampling interval (1 min.)

Slide 61

Slide 61 text

Conclusion
The client’s privacy:
● Private data
● Private result
The server’s privacy:
● Private spec.
[Diagram: Client and Server; labels: Sensed data, Monitoring result, Online monitoring w/o any decryption]
1. We proposed a protocol of oblivious online LTL monitoring
2. We proposed online algorithms Reverse and Block
3. We experimentally showed scalability and practicality of our algorithms
In the paper, we discuss:
● Details on Reverse and Block
● Proposed 2-party protocol
● Other experiments
Thank you!