
Other LUT Operations and Functions

This section expands on generic NAND logic by providing examples of targeted result LUTs.

6.4.1 Addition

Section 6.3.1 detailed how to perform an addition operation using NAND gates and introduced the idea of specialising LUTs to reduce LUT sizes. This idea is explored further here, with a result of 5 bits instead of a single bit. An example of 8 bits (4 bits of A and 4 bits of B) plus a carry is given. The first operation will need to set the carry to zero. The output from the result LUT will be 4 bits plus a carry. The result LUTs are a moderate size at 80MB, but a 32-bit integer is only going to require 8 reduction requests. Each small obfuscated LUT that gets sent would be 320 bytes per row requested. With this type of operation, using the enhanced privacy model is recommended.
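As an added illustration (not code from the thesis), the following sketch builds a plain result LUT for 4 bits of A plus 4 bits of B plus a carry and chains it across a 32-bit value, one lookup per reduction request. It assumes an unobfuscated, unfragmented table; the row layout and all names are hypothetical.

```python
# Added illustration: plain (unobfuscated, unfragmented) result LUT.
# Input row : carry-in (1 bit) | 4 bits of A | 4 bits of B  -> 512 rows
# Output    : 4 sum bits plus a carry-out                   -> 5 bits

NIBBLE_BITS = 4
NIBBLE_MASK = 0xF


def build_add_lut():
    """Return the table indexed by (carry_in << 8) | (a << 4) | b."""
    lut = [0] * (1 << 9)
    for carry_in in (0, 1):
        for a in range(16):
            for b in range(16):
                # a + b + carry_in is at most 31, so it fits in 5 bits.
                lut[(carry_in << 8) | (a << 4) | b] = a + b + carry_in
    return lut


ADD_LUT = build_add_lut()


def add_with_lut(a, b, width=32):
    """Add two width-bit integers nibble by nibble.

    Returns (sum, carry_out, lookups); lookups counts the table requests.
    """
    result, carry, lookups = 0, 0, 0  # the first operation sets the carry to zero
    for shift in range(0, width, NIBBLE_BITS):
        a_nib = (a >> shift) & NIBBLE_MASK
        b_nib = (b >> shift) & NIBBLE_MASK
        out = ADD_LUT[(carry << 8) | (a_nib << 4) | b_nib]
        lookups += 1
        result |= (out & NIBBLE_MASK) << shift  # low 4 bits are the sum
        carry = out >> NIBBLE_BITS              # fifth bit feeds the next nibble
    return result, carry, lookups
```
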

6.4.2 Multiplication

When compared to addition, multiplication is more difficult, because the resulting values are twice the size of the input, where the result of 4 bits × 4 bits is 8 bits. The bits are also not just column based: each affects the other columns. Therefore, no further time was spent on designing a dedicated multiplication LUT, as just using the addition function and AND function will be efficient for the purpose of this thesis. A speedup could be realised by building a result LUT for 4-bits multiplied by 4-bits, and adding the 8-bit results together. The example below shows that only four addition operations are required, halving the number previously required. With reduction requests parallelised, this will perform similar to two additions. However, for 32-bit integers, it will perform worse.

            00010101
          × 00011011
            00110111
        00001011
        00000101
  + 00000001
    0000001000110111

6.4.3 Conditional Statements

Supporting an operation to compare two values can dramatically affect the security of a secure processing scheme. For example, if a group of cipher values only encrypts the set {0,1}, then the ability to calculate if two cipher values are equal will result in two subgroups of cipher values, where one subgroup must either encrypt a 0 or 1 and the other subgroup must encrypt the opposite. However, our proposed scheme has the bits fragmented across many servers, meaning all the servers must compute over the same instruction set. This prevents a compromised server trying to compare all the fragments it has, as the other fragment servers would need to be doing the same malicious action. Therefore, our scheme has the ability to support conditional operations, which can be implemented to return the result in either a secure or non-secure manner.

Secure Results

Returning results securely means the result is a fragmented bit, where none of the fragment servers have knowledge of the result. This can make some programs difficult to implement, as the result of the comparison is not known. Two examples are given in Algorithms 4 and 5, for an equal and greater than or equal if statement. For both examples, we have to increment c without knowing the result of the comparison.

Algorithm 4 If equals example

if a = b then
    c ← c + 1

function ifEqual(a, b)
    mab
    inout ← 0
    carry ← 0
    for i ← 0 to 32 do
        tmp ← m[i] + inout + carry
        inout ← tmp & 1
        carry ← tmp >> 1
    return !(inout | carry)

c ← c + (1 × ifEqual(a, b))

Algorithm 5 If greater than or equal example

if a >= b then
    c ← c + 1

function ifGreaterEqual(a, b)
    sign_neq ← a[31] ^ b[31]
    cab
    return (!sign_neq & !c[31]) | (sign_neq & !a[31])

c ← c + (1 × ifGreaterEqual(a, b))
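The two algorithms above, run on plain (unfragmented) 32-bit integers as an added example that is not code from the thesis. Assumptions: the operator combining a and b is not legible in either listing, so XOR is used in Algorithm 4 and wrapping subtraction in Algorithm 5; values are two's-complement words, the loop covers bits 0 to 31, and all function names are hypothetical.

```python
MASK32 = 0xFFFFFFFF  # values are treated as 32-bit two's-complement words


def bit(x, i):
    """Return bit i of x (0 or 1)."""
    return (x >> i) & 1


def if_equal(a, b):
    """Algorithm 4 on plain integers: 1 if a == b, else 0."""
    # Assumption: the operator is not legible on the page; XOR is used.
    m = (a ^ b) & MASK32
    inout = carry = 0
    for i in range(32):  # assumption: bits 0..31
        tmp = bit(m, i) + inout + carry
        inout = tmp & 1
        carry = tmp >> 1
    # Once any m[i] is 1, tmp >= 1 on every later step, so the
    # (inout, carry) state never returns to (0, 0).
    return (inout | carry) ^ 1


def if_greater_equal(a, b):
    """Algorithm 5 on plain integers: 1 if signed a >= signed b, else 0."""
    a &= MASK32
    b &= MASK32
    sign_neq = bit(a, 31) ^ bit(b, 31)
    # Assumption: the operator is not legible on the page; subtraction is used.
    diff = (a - b) & MASK32
    same_sign = (sign_neq ^ 1) & (bit(diff, 31) ^ 1)  # a - b cannot overflow here
    diff_sign = sign_neq & (bit(a, 31) ^ 1)           # the non-negative operand wins
    return same_sign | diff_sign


def increment_if(c, flag):
    """Branch-free c <- c + (1 x flag): both outcomes perform the same work."""
    return (c + 1 * flag) & MASK32


def self_check():
    """Compare both predicates with Python's operators on constructed edge cases."""
    samples = [0, 1, -1, 5, -5, 21, 27, 2**31 - 1, -2**31]
    return all(
        if_equal(a, b) == int(a == b) and if_greater_equal(a, b) == int(a >= b)
        for a in samples for b in samples
    )
```
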

Non-Secure Results

Instead of returning a fragmented bit, this approach returns the whole bit by using a different set of LUTs than for a standard operation. This allows each server to know the result of the conditional statement, making programs easier to design and in some cases faster to compute. However, there is more risk associated with this method, so the secure method should be considered first.

6.4.4 Modulus

The work presented in Appendix A details a custom modulo algorithm developed as initial research into the research question for this thesis. This algorithm uses a simple LUT to compute the modulo function; therefore, it can easily be used with FRIBs (assuming a static modulo value). Bit shifting is a free operation, and a custom LUT can be created to add the overflow value, since this value is likely to be smaller (for example, adding a single bit to a 32-bit value). A static modulo value could be used to encrypt the data within the fragments, or to prevent array overflows. If the modulo value is dynamic, then the value that is being added with each overflow needs to be calculated first.

For a 32-bit value, modulo result LUTs of 8 bits can be constructed, meaning that in the best case scenario only a few shift lookups and additions are required. The challenge with this algorithm is knowing if an overflow occurred after the shift addition is complete, because when this happens, another lookup and addition is required. With the worst-case overflow for addition being a single bit, the modulo LUT can include an extra bit, resulting in 8 bits plus 1 bit to handle the possibility of an overflow occurring previously. Note that this will work with larger numbers as well, such as 2048-bit values. This does not remove initial issues, as the final subtraction step needs to know when to stop subtracting such that the result is correct. Depending on the requirements, having the result a few bits larger could be acceptable. If not, then the program is going to need to know when to stop subtracting. This is a case where the non-secure conditional statement mentioned in the previous section could be used. In terms of privacy, this could reveal how close the modulo algorithm got to producing the right result, but it will still be difficult to learn meaningful information.

An approach to mitigate this would be to have another lookup for subtraction, where a set number of subtractions occur before checking if the result is less than the modulo value. This subtraction would either remove modulo or zero from the result. Also, because the algorithm specifies working in blocks of the size of the modulo value, this could help reveal the highest order bit of the modulo value. Therefore, the block size should be greater, but this then requires more subtractions at the last step. Ultimately, this is a challenging algorithm to implement in FRIBs, but it is possible.

6.4.5 Hidden Operations

With variable operations, the ability to try and hide the operation is possible. Instead of the program saying ADD, this could be replaced with FUN1. The fragment servers would know to use the LUTs associated with FUN1; however, it may be possible to guess the function based on how it is used. For example, there is a big difference between an addition and multiplication operation because of the number of reductions required. Hence, hiding the program is out-of-scope of this thesis but worth mentioning.