1 / 26

Efficient and Robust Private Set Intersection and multiparty multivariate polynomials

Efficient and Robust Private Set Intersection and multiparty multivariate polynomials. Dana Dachman-Soled 1 , Tal Malkin 1 , Mariana Raykova 1 , Moti Yung 1,2 1 Columbia University, 2 Google Inc. Efficient and Robust Private Set Intersection.

semah
Download Presentation

Efficient and Robust Private Set Intersection and multiparty multivariate polynomials

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Efficient and Robust Private Set Intersectionand multiparty multivariate polynomials Dana Dachman-Soled1, Tal Malkin1, Mariana Raykova1, Moti Yung1,2 1Columbia University, 2Google Inc.

  2. Efficient and Robust Private Set Intersection Dana Dachman-Soled1, Tal Malkin1, Mariana Raykova1, Moti Yung1,2 1Columbia University, 2Google Inc. Warning: many details skipped, some cheating!

  3. Set Intersection Functionality Server: Y |Y| = m Trusted Party Client: X |X| = n

  4. Set Intersection Functionality Server: Y |Y| = m Trusted Party Client: X |X| = n

  5. Set Intersection Functionality Server: Y |Y| = m Trusted Party Client: X |X| = n ? Widely used in area of Privacy Preserving Data Mining Enables institutions to share personal information such as medical or financial records.

  6. Wasn’t this already done? • FNP04 – semi-honest case, malicious in the random oracle model • KS05 – semi-honest + ZKN proofs • HL08 – one side simulatability and covert adversaries • JL09 – malicious case, polynomial size domains, Decisional q-Diffie-Hellman Inversion Assumption

  7. Our Results • First Set Intersection protocol secure against malicious parties in the standard simulation model • Black-box construction assuming (singly) homomorphic encryption with a natural property (satisfied by known constructions) • Additive El-Gamal (DDH) ; Paillier (DCR) Extensions: • multi-party set intersection • general multivariate polynomials

  8. Homomorphic Encryption • Additive homomorphic property • Enc(x,r1)*Enc(y,r2)=Enc(x+y,r3) • Additional property: • Can compute r3 from r1 and r2 • Known schemes have this property • ElGamal – additive homomorphism variant • Inefficient decryption, equality comparison possible • Paillier

  9. Our Results • Communication complexity: O(mk2log2(n)+nk) • SMC circuit evaluation – size of cicuit + ZK proofs (at least nm, even before ZK) • Realistic scenarios – m,n >> k

  10. Overview of Technique(with missing steps) Start from semi-honest [FNP] using a polynomial Add redundancy using [Shamir] polynomial secret sharing (motivated by [CDMW08] techniques) Rely on commutative nature of polynomials to translate input shares to output shares for reconstruction (Lagrange interpolation) Cut and choose to enforce honest behavior Input preprocessing for degree reduction

  11. Semi-Honest Protocol [FNP04] • Client represents its input set X, |X| = n with a polynomial Q(x) of deg n, s.t. Q(xi) = 0 iff xi in X • Client sends to Server encrypted coefficients of Q under homomorphic encryption Enc • Server evaluates Enc of Q’(yi) := Q(yi)*ri + yi (deg n) for every yi in his input set Y and sends to Client ci=Enc(Q’(yi)). • Client decrypts each ci and outputs Dec(ci) if and only if it is in X (=iff it is in the intersection)

  12. Malicious Server • Can use inconsistent values for its inputs Q’(yi) Q(yi)*ri + yi = = an*yin an-1*yin-1 a1*yi1 a0 yi + + … + + + yi yi” yi’ yi

  13. Overview of Technique(with missing steps) Start from semi-honest [FNP] using a polynomial  Add redundancy using [Shamir] polynomial secret sharing (motivated by [CDDIM] techniques) Rely on commutative nature of polynomials to translate input shares to output shares for reconstruction (Lagrange interpolation) Cut and choose to enforce honest behavior Input preprocessing for degree reduction

  14. Server’s Computation Step 1: Input Sharing Server shares and commits to preprocessed inputs using Shamir secret sharing (=Reed-Solomon) Code For each preprocessed input: Send commitments to client: yi Pi where Pi(0) = yi, deg(Pi) = k . . . Com(Pi(1)) Com(Pi(2)) Com(Pi(3)) Com(Pi(4)) Com(Pi(10kD)) D = degree of output sharing polynomial: TBD

  15. Server’s Computation Step 2: Polynomial Evaluation on Shares For each yi: Server evaluates (encrypted) Q’ on the corresponding shares, to get (encrypted versions of) output shares: . . . Q’(Pi(1)) Q’(Pi(2)) Q’(Pi(3)) Q’(Pi(4)) Q’(Pi(10kD)) Client can decrypt, interpolate Q’Pi, and evaluate on 0 to get Q’(Pi(0))=Q’(yi) as wanted.

  16. Server’s Computation Step 3: Cut and Choose Open k of the committed shares to show that Q’ was computed correctly for those shares: . . . Q’(Pi(1)) Q’(Pi(2)) Q’(Pi(3)) Q’(Pi(4)) Q’(Pi(10kD))

  17. Output Polynomial Degree • Determines the number of output shares • Total degree D = nk + k • Total number of shares 10kD Q’(yi) Q(yi)*ri + yi Q(Pi(j))*Rri(j) + Pi(j) = = deg n deg k

  18. Overview of Technique(with missing steps) Start from semi-honest [FNP] using a polynomial Add redundancy using [Shamir] polynomial secret sharing (motivated by [CDMW] techniques) Rely on commutative nature of polynomials to translate input shares to output shares for reconstruction (Lagrange interpolation) Cut and choose to enforce honest behavior  Input preprocessing for degree reduction

  19. Efficient Input Preprocessing • Polynomial Degree Reduction • Change of variables • Polynomial Q(y) of degree n y0 = y y1 = y2 y2 = y4 ………. ylog n = y2 y log n Q(y) Q(y0,y1,y2 …, ylog n ) deg n deg log n

  20. Homomorphic Encryption Zero Knowledge Proofs of Knowledge for client’s and server’s polynomials Coin tossing for cut and choose Etc. Improved Communication Complexity: O(mk2log2(n)+nk) Important in realistic scenarios with large input sets m,n >> k Other Components (skipped)

  21. Basic setting: public multivariate polynomial (poly size representation) over private inputs. Alternatively: coefficients are also private. Optmizations for specific polynomials, including multi-party set intersection Our results: Secure protocol (no honest majority, with broadcast) from homomorphic encryption with threshold decryption (Paillier) Round table protocol with constant rounds Same approach as above, but several technical issues to overcome (interpolating over encrypted values, handling errors, proofs of knowledge…) Multi-Party Multivariate Polynomials

  22. Thank you!

  23. Preprocessing Verification • Correct computation of new variables • Correct degree of input sharing polynomials • HEPKPV Protocol output Party 2: Accept/Reject proof input (x1,…,xn) in L ci = ENC(xi) Party 1: x1,…,xn Common: c1,…,cn, L r1,…,rn in L 0 enc(r1) enc(r2) enc(rn) open 1 … x1+r1,…,xn+rn in L c1 * enc(r1) c2 * enc(r2) cn * enc(rn)

  24. Client Simulator • Extract Client’s input in HEPKPV • Submit to TP and receives output • Shares output and commits as output shares • Simulates Server in interaction with Client committing to random input • Makes sure can open correctly and verify computation of k output shares • Rewinds coin-tossing for cut-and-choose to select the above k shares

  25. Server Simulator • Simulates the Client in the interaction with the Server using random encryption of 0 • Extracts Server’s inputs in HEPKPV • Rewinds coin tossing to open all Server’s shares • Makes sure that most output shares are consistent with extracted input • If the above holds, submit extracted input to TP

  26. Communication Complexity • Improved Communication Complexity • O(mk2log2(n)+nk) • circuit evaluation – size of circuit • mn ZKN proofs • Important in realistic scenarios with large input sets m,n >> k

More Related