Secure Efficient Multiparty Computing of Multivariate Polynomials and Applications
Dana Dachman-Soled, Tal Malkin, Mariana Raykova, Moti Yung
[Figure: four parties holding inputs x1, x2, x3, x4; outputs labelled F1(x1,x3,x3), F2(x1,x3,x3), F3(x1,x3,x3), F4(x1,x3,x3)]
Secure Multiparty Computation
How to compute a function on the private inputs of multiple parties without leaking more than the result?
Secure Multiparty Computation
• Feasible – [Yao82], [GMW87], [CDv88], [BG89], [BG90], [Cha90], [Bea92], …
• Not efficient – communication and computation proportional to circuit size
Multivariate Polynomials: Applications
• Multiparty set intersection
• Linear algebra: matrix arithmetic, inverse, determinant, eigenvalues
• Statistics functions: average, standard deviation, variance, chi-square test, computing Pearson’s correlation coefficients
• Taylor series approximation: trigonometric functions, logarithms, exponents, square root
Outsourced computation
• Many workers
• At least one honest
• Computation on shares
• Reconstruction of output
Our Results
• Multiparty computation protocol for functionalities that can be represented as multivariate polynomials
• Improvement of generic complexity for multiple parties (left as open problem in FM10)
• Security:
  • Against malicious majority
  • Proofs in the standard simulation model
• Black box construction from homomorphic encryption with a natural property…
  • Instantiated through threshold Paillier encryption (decisional composite residuosity)
Our Results
• Efficiency:
  • Communication complexity – FM10 is subexponential in the number of parties; we achieve fully polynomial (in all parameters) complexity:
    • Broadcast complexity
    • Round table complexity
  • Constant number of round table rounds
• Application construction: Multiparty Set Intersection
  • Improve complexity of existing multiparty solutions KS05, SS09, CJS10
Building Blocks
• Input sharing using committed Shamir/Reed-Solomon codes
  • $P_X(0) = X$, shares $P_X(1), \ldots, P_X(D)$
• Vector Homomorphic Encryption
  • $\mathrm{ENC}(m_1; r_1) \otimes \mathrm{ENC}(m_2; r_2) = \mathrm{ENC}(m_1 + m_2; r_1 \oplus r_2)$
  • $\mathrm{ENC}(m; r)^c = \mathrm{ENC}(c \cdot m; r \odot c)$
• Instantiation: threshold Paillier encryption
Building Blocks
• Polynomial code commutativity
  • Interpolate(Poly-Eval(inputs shares)) = Poly-Eval(Interpolate(inputs shares)) = Poly-Eval(inputs)
• Incremental encrypted polynomial evaluation
  • Each monomial $M = c \prod_{i=1}^{\#\text{parties}} h_i(\text{inputs of party } i)$
  • $b_0 = \mathrm{Enc}(c)$; $b_{i+1} = b_i \oplus h_i(\text{inputs of party } i)$
  • $b_{i+1}$ / $b_i$: encryption of partial evaluation of M with inputs from first i+1 / i parties
  • $h_i(\text{inputs of party } i)$: constant for homomorphic property
Building Blocks
• Lagrange Interpolation Protocol Over Encrypted Values:
  • given $A > d+1$ encrypted points $(1, \mathrm{ENC}_{pk}(y_1, r_1)), \ldots, (A, \mathrm{ENC}_{pk}(y_A, r_A))$
  • check that they lie on a polynomial of degree d: $\mathrm{ENC}_{pk}(y_i, r_i) = \prod_{j=1}^{d+1} \left(\mathrm{ENC}_{pk}(y_j, r_j)\right)^{L_j(i)}$
  • synchronized randomness
• Randomness Interpolation
  • given $(1, y_1), \ldots, (A, y_A)$, $r_1, \ldots, r_{d+1}$
  • compute $r_{d+2}, \ldots, r_A$
  • Encrypted interpolation holds for $[i, \mathrm{ENC}_{pk}(y_i, r_i)]_{1 \le i \le A}$
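The homomorphic properties and the encrypted interpolation check with synchronized randomness from the two Building Blocks slides above, as an added example that is not the authors' code. It assumes plain (non-threshold) Paillier with g = 1+N and constructed toy primes, where ⊗ is multiplication mod N², ⊕ is multiplication of randomness mod N, and ⊙ is exponentiation mod N; all function names are hypothetical.

```python
import math
import random

P, Q = 1009, 1013            # constructed toy primes, far too small for real use
N, N2 = P * Q, (P * Q) ** 2

def rand_unit(rng):          # random r in Z_N^*
    while True:
        r = rng.randrange(2, N)
        if math.gcd(r, N) == 1:
            return r

def enc(m, r):               # ENC(m; r) = (1+N)^m * r^N mod N^2
    return pow(1 + N, m % N, N2) * pow(r, N, N2) % N2

def lagrange(j, i, d):       # L_j(i) for nodes 1..d+1, as an exponent mod N
    num = den = 1
    for k in range(1, d + 2):
        if k != j:
            num, den = num * (i - k) % N, den * (j - k) % N
    return num * pow(den, -1, N) % N

def interpolate_randomness(rs, i):   # r_i = prod_j r_j^{L_j(i)} mod N
    d = len(rs) - 1
    return math.prod(pow(r, lagrange(j, i, d), N) for j, r in enumerate(rs, 1)) % N

def lies_on_degree_d(cts, d):
    # every point i > d+1 must equal prod_{j=1}^{d+1} ENC(y_j; r_j)^{L_j(i)}
    for i in range(d + 2, len(cts) + 1):
        acc = math.prod(pow(cts[j - 1], lagrange(j, i, d), N2) for j in range(1, d + 2))
        if acc % N2 != cts[i - 1]:
            return False
    return True

def share(secret, d, A, rng, synchronized=True):
    # P(0) = secret, shares P(1..A); r_1..r_{d+1} random, the rest interpolated
    coeffs = [secret] + [rng.randrange(N) for _ in range(d)]
    ys = [sum(c * pow(x, e, N) for e, c in enumerate(coeffs)) % N for x in range(1, A + 1)]
    base = [rand_unit(rng) for _ in range(d + 1)]
    tail = [interpolate_randomness(base, i) if synchronized else rand_unit(rng)
            for i in range(d + 2, A + 1)]
    return ys, base + tail

def demo():
    ys, rs = share(42, d=2, A=6, rng=random.Random(7))   # constructed secret, fixed seed
    cts = [enc(y, r) for y, r in zip(ys, rs)]
    ok = lies_on_degree_d(cts, 2)
    cts[4] = enc(ys[4] + 1, rs[4])                       # share 5 moved off the polynomial
    return ok, lies_on_degree_d(cts, 2)
```

Calling `share(..., synchronized=False)` gives shares that lie on the right polynomial but carry independent randomness, and the ciphertext-level check rejects them, which is why the randomness itself has to be interpolated.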
Efficient Input Preprocessing
• Polynomial Degree Reduction
  • Change of variables
  • Polynomial Q(y) of degree n
  • $y_0 = y,\ y_1 = y^2,\ y_2 = y^4,\ \ldots,\ y_{\log n} = y^{2^{\log n}}$
  • $Q(y) \rightarrow Q(y_0, y_1, y_2, \ldots, y_{\log n})$
  • Deg: n → Deg: log n
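The change of variables on this slide, as an added example that is not the authors' code: each power y^e becomes the product of the y_k over the set bits k of e, so the rewritten polynomial is multilinear and its degree is the largest bit count among the exponents. The field modulus, the sample polynomial and all function names are constructed for the illustration.

```python
PRIME = 2**61 - 1                      # constructed prime modulus for the demo

def new_variables(y, n):
    """y_k = y^(2^k) for k = 0 .. floor(log2 n)."""
    return [pow(y, 1 << k, PRIME) for k in range(n.bit_length())]

def reduce_degree(coeffs):
    """Rewrite Q(y) = sum_e coeffs[e] * y^e as {bitmask e: coefficient}, where the
    monomial for e is the product of y_k over the set bits k of e."""
    return {e: c % PRIME for e, c in enumerate(coeffs) if c % PRIME}

def total_degree(poly):
    """Degree of the rewritten polynomial in the variables y_0, y_1, ..."""
    return max(bin(e).count("1") for e in poly)

def evaluate(poly, ys):
    """Evaluate the multilinear form on supplied values of y_0, y_1, ..."""
    total = 0
    for e, c in poly.items():
        term = c
        for k, yk in enumerate(ys):
            if e >> k & 1:
                term = term * yk % PRIME
        total = (total + term) % PRIME
    return total

def variables_consistent(ys):
    """Relation the new variables must satisfy: y_{k+1} = y_k^2."""
    return all(ys[k + 1] == ys[k] * ys[k] % PRIME for k in range(len(ys) - 1))

def demo(y=123456789):
    coeffs = [3, 2, 0, 0, 0, 0, 5] + [0] * 6 + [1]    # Q(y) = 3 + 2y + 5y^6 + y^13
    n = len(coeffs) - 1
    direct = sum(c * pow(y, e, PRIME) for e, c in enumerate(coeffs)) % PRIME
    poly, ys = reduce_degree(coeffs), new_variables(y, n)
    bad = ys[:2] + [(ys[2] + 1) % PRIME] + ys[3:]     # y_2 not equal to y_1^2
    return (n, total_degree(poly), evaluate(poly, ys) == direct,
            variables_consistent(ys), variables_consistent(bad),
            evaluate(poly, bad) == direct)
```

The last two results show why the protocol needs a proof of correct computation of the new variables: values that break y_{k+1} = y_k^2 still evaluate, but to a different result.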
Proof of Knowledge and Verification
• Correct computation of new variables
• Correct degree of input sharing polynomials
[Diagram: proof protocol]
• Input – Prover: x1,…,xn; Common: c1,…,cn, L
• Output – Verifier: Accept/Reject
• Statement: (x1,…,xn) ∈ L, ci = ENC(xi)
• Proof:
  • 0: (r1,…,rn) ∈ L; enc(r1), enc(r2), …, enc(rn)
  • 1: (x1+r1,…,xn+rn) ∈ L; c1 * enc(r1), c2 * enc(r2), …, cn * enc(rn); open ci * enc(ri) = enc(xi+ri)
Efficient preprocessing for each variable in the multivariate polynomial • Commit to shares of new variables
Each party Pi contributes his inputs
• in each monomial s, for each share j: $b_{i+1,j,s} = b_{i,j,s} \oplus h_i(\text{share } j \text{ of } P_i) \cdot \mathrm{Enc}(0, r_{i,j,s})$
• $r_{i,j,s}$ generated with randomness interpolation protocol
Each party re-randomizes the final output shares $S_1, \ldots, S_{10kD}$
• Randomizing polynomial $P_{j,0}(0) = 0$
• Shares $(1, P_{j,0}(1)), \ldots, (10kD, P_{j,0}(10kD))$
• Re-randomized output shares: $S'_i = S_i \cdot \prod_{j=1}^{m} \mathrm{ENC}_{pk}(P_{j,0}(i); r_{j,i})$
• $r_{j,kD+2}, \ldots, r_{j,10kD}$ generated with randomness interpolation protocol
All parties verify that the encrypted output shares $S_i$ lie on a polynomial of degree kD
• Parties select a subset of the shares of size k and decommit corresponding shares
• Parties verify the computation of the open shares
[Figure: rows of shares P1(1), Com(P1(2)), Com(P1(3)), …, Com(P1(10kD)) and P2(1), Com(P2(2)), Com(P2(3)), P2(4), …, Com(P2(10kD)), some opened and some committed; labels "Verify degree" and "Verify computation"]
The parties run threshold decryption for each of the output shares • The output receiver interpolates the output value from the shares
Protocol Complexities
• Amortized – sharing with multiple secrets
• Communication complexity
  • Round table – between consecutive parties: intermediate protocol messages
    • O(Dn(m-1)), m parties, n monomials, D sum of log variable degrees
  • Broadcast – input commitments, decommitments in verification phase
    • Smaller than polynomial representation
    • $O\left(D \sum_{j=1}^{m} \sum_{t=1}^{L_j} \log \alpha_{j,t}\right)$
    • $\alpha_{j,t}$ highest degree of variable, $L_j$ inputs for party j
• Computational complexity
  • O(Dnm)
Multiparty set intersection
• $P_i(x)$ represents the input set of party i
• [Slide formula not recoverable from the extraction; it defines P(x) from $r_i$, $P_i(x)$ and x, with an index running from j=1 to m-1]
• $r_i = r_{i,1} + \ldots + r_{i,m}$, $r_{i,j}$ randomness from party j
• Optimizations:
  • Only two parties have inputs per each monomial
  • Inputs that are used only once do not need to be shared
• Complexity – m parties, d inputs each:
  • Communication – O(md + 10d log2 d); CJS10 – quadratic in number of parties, other solutions worse complexity
  • Computation – $O(md^2 \log d)$
Thank You! • Questions?