
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials. Matthew Franklin (UC Davis), Payman Mohassel (U of Calgary). Topics: oblivious transfer (x_b = x0 (1-b) + x1 b + (1-b) b r), secure matrix multiplication.





Presentation Transcript


  1. Secure Evaluation of Multivariate Polynomials. Matthew Franklin (UC Davis), Payman Mohassel (U of Calgary)

  2. Oblivious Transfer
  • One side holds x0 and x1, the other holds a choice bit b and obtains x_b
  • x_b = x0 (1-b) + x1 b + (1-b) b r, with r random: the last term is 0 when b is 0 or 1 and masks the result otherwise

  3. Secure Matrix Multiplication
  • c_ij = b_i1 a_1j + b_i2 a_2j + b_i3 a_3j
  • Building block for secure linear algebra [KMWF`07]
  • Solving ``shared'' linear systems, …

  4. DNF/CNF Formulas
  • (a1 ∨ a2) ∧ (~a1 ∨ a3) ∧ …
  • r (1 - a1)(1 - a2) + r a1 (1 - a3) + …
  • Check polynomial: [(1-a1) a1 + (1-a2) a2 + (1-a3) a3 + …] r
  • Predicate evaluation: TRUE = 0, FALSE = random

  5. Conditional OT
  • Retrieve a data item if a condition is met
  • (Oblivious Transfer) + (Predicate Evaluation)
  • If predicate TRUE → return the data item
  • If predicate FALSE → return a random value
  • Reduced to polynomial evaluation
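The polynomials from slides 2, 4 and 5 (OT selection, the CNF predicate with TRUE = 0 / FALSE = random, the check polynomial, and conditional OT) as an added Python example; this is not code from the slides or the authors. The field modulus, the sample CNF (a1 ∨ a2) ∧ (~a1 ∨ a3) and all inputs are constructed here, and the random values are passed in explicitly so the results are reproducible.

```python
P = 2**61 - 1   # prime modulus, constructed for the example; any large prime field works

def ot_select(x0, x1, b, r):
    """Slide 2: x_b = x0 (1-b) + x1 b + (1-b) b r.  The last term is 0 when b is 0 or 1
    and masks the result with the random r when b is not a bit."""
    return (x0 * (1 - b) + x1 * b + (1 - b) * b * r) % P

def clause_term(clause, a, r):
    """One CNF clause as a list of (variable index, negated) literals; the product is 0
    iff at least one literal is satisfied (TRUE = 0), otherwise a multiple of r."""
    t = r
    for i, negated in clause:
        t = t * (a[i] if negated else 1 - a[i]) % P   # factor is 0 iff the literal holds
    return t

def cnf_predicate(clauses, a, rs):
    """Slide 4: sum of clause terms with one random r_j per clause.  0 when every clause
    is satisfied; otherwise a random field element (FALSE = random)."""
    return sum(clause_term(c, a, r) for c, r in zip(clauses, rs)) % P

def check_poly(a, r):
    """Slide 4 check polynomial [(1-a1) a1 + (1-a2) a2 + ...] r: 0 iff every a_i is a bit."""
    return r * sum((1 - ai) * ai for ai in a) % P

def conditional_ot(item, clauses, a, rs, r_check):
    """Slide 5: item + predicate + check.  Equals the item exactly when a is a bit vector
    satisfying the CNF; otherwise the random terms hide it."""
    return (item + cnf_predicate(clauses, a, rs) + check_poly(a, r_check)) % P

# (a1 OR a2) AND (NOT a1 OR a3), variables indexed from 0: constructed sample formula
CNF = [[(0, False), (1, False)], [(0, True), (2, False)]]
```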

  6. Evaluating Multivariate Polynomials

  7. Secure Two-Party Computation
  • Two parties hold inputs X and Y and jointly compute f(X,Y)
  • Security: simulation of the real protocol in an ideal world

  8. Security Definition (Semi-honest)
  • Ideal world: Alice sends x and Bob sends y to a trusted third party (TTP); the TTP returns f(x,y) to both

  9. Security Definition (Malicious), ideal world with Cheat = 0
  • The malicious party may send anything as its input to the TTP, the honest party sends y; the TTP returns f(x,y) to both

  10. Security Definition (Malicious), ideal world with Cheat = 1
  • The malicious party sends anything to the TTP together with Cheat = 1; the TTP sends “corrupt” to the honest party

  11. Security Definition
  • Simulation-based security
  • For any adversary A in the real protocol
  • There is a simulator S in the ideal world such that the real and ideal executions are computationally indistinguishable (≈_c)

  12. General Constructions
  • Boolean circuits [Yao`86, MF`06, LP`07, …]
  • Arithmetic circuits [CDN`00, IPS`09, …]
  • Comm/comp proportional to circuit size
  • Degree-3 multivariate polynomial in n variables: O(n^3) comm.
  • Input size is only O(n)
  • Can we do better?

  13. Homomorphic Encryption
  • Public-key encryption
  • Additive: E_pk(a) +_h E_pk(b) = E_pk(a+b) [Pai`99, DJ`01, …]
  • Multiplicative: E_pk(a) ×_h E_pk(b) = E_pk(ab) [ElGamal`84, …]
  • More powerful: 2-DNF formulas [BGN`05]; fully homomorphic [Gentry`09, …]

  14. Via Full Homomorphism
  • One party generates (pk, sk) and sends pk together with E_pk(y1), …, E_pk(yn); the other party returns E_pk(f(X,Y))
  • Communication: O(n) ciphertexts

  15. Problem Solved?
  • Fully homomorphic encryption: not practical at this stage
  • We still have to deal with “malicious behavior”

  16. Semi-honest Poly
  • Additively homomorphic encryption
  • Let P(X,Y) be degree 3: P(X,Y) = Pa(X,Y) + Pb(X,Y)
  • Monomials in Pa are degree < 2 in the x_i
  • Monomials in Pb are degree < 2 in the y_i
  • Figure: the Y-holder, with keys (pk_a, sk_a), sends E_pk_a(y1), …, E_pk_a(yn) and receives E_pk_a(Pb(X,Y)); the X-holder, with keys (pk_b, sk_b), sends E_pk_b(x1), …, E_pk_b(xn) and receives E_pk_b(Pa(X,Y))
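An added Python walk-through of the semi-honest protocol on slide 16, not the authors' code: a minimal Paillier implementation (toy primes, constructed here; real keys are far larger) supplies the additive homomorphism, the degree-3 polynomial is split into Pa and Pb, and each party evaluates the other's part on the exchanged ciphertexts. The monomial representation, the helper names and the sample polynomial are assumptions of this example.

```python
from math import gcd
import secrets
class Paillier:
    """Minimal Paillier scheme (additively homomorphic); toy primes constructed for the example."""
    def __init__(self, p=10007, q=10009):
        self.n, self.n2 = p * q, (p * q) ** 2
        self.lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
        self.mu = pow(self.lam, -1, self.n)            # g = n + 1, so L(g^lam) = lam
    def enc(self, m):
        r = secrets.randbelow(self.n - 1) + 1
        while gcd(r, self.n) != 1:                     # r must be a unit mod n
            r = secrets.randbelow(self.n - 1) + 1
        return (1 + (m % self.n) * self.n) * pow(r, self.n, self.n2) % self.n2
    def dec(self, c):
        return (pow(c, self.lam, self.n2) - 1) // self.n * self.mu % self.n
    def add(self, c1, c2):
        return c1 * c2 % self.n2                       # E(a) +_h E(b) = E(a + b)
    def smul(self, c, k):
        return pow(c, k % self.n, self.n2)             # E(a)^k = E(k a), k a known scalar

def split_degree3(P):
    """P is a list of (coeff, x_exponents, y_exponents).  A monomial of total degree <= 3 has
    degree < 2 in X or in Y, so P = Pa + Pb: Pa goes to the Y-holder, Pb to the X-holder."""
    Pa, Pb = [], []
    for coeff, xe, ye in P:
        if sum(ye) < 2: Pb.append((coeff, xe, ye))
        elif sum(xe) < 2: Pa.append((coeff, xe, ye))
        else: raise ValueError("monomial has degree >= 2 in both X and Y")
    return Pa, Pb

def eval_on_ciphertexts(he, Q, clear, enc_other):
    """Evaluate Q (degree < 2 in the encrypted variables) using only +_h and known scalars."""
    acc = he.enc(0)
    for coeff, clear_e, enc_e in Q:
        k = coeff
        for v, e in zip(clear, clear_e):
            k *= v ** e                                # part of the monomial known in the clear
        j = next((i for i, e in enumerate(enc_e) if e == 1), None)
        acc = he.add(acc, he.smul(enc_other[j], k) if j is not None else he.enc(k))
    return acc

def semi_honest_poly(P, x, y):
    """Both parties' steps in one process; P(X,Y) is assumed smaller than either modulus."""
    hx, hy = Paillier(10007, 10009), Paillier(10037, 10039)  # X-holder's and Y-holder's keys
    Pa, Pb = split_degree3(P)
    Ex, Ey = [hx.enc(v) for v in x], [hy.enc(v) for v in y]  # the exchanged ciphertexts
    c_to_x = eval_on_ciphertexts(hx, [(c, ye, xe) for c, xe, ye in Pa], y, Ex)  # Y-holder
    c_to_y = eval_on_ciphertexts(hy, Pb, x, Ey)                                  # X-holder
    return hx.dec(c_to_x) + hy.dec(c_to_y)             # Pa(X,Y) + Pb(X,Y) = P(X,Y)
```

Each party decrypts only its own returned ciphertext, so the two decrypted values are additive shares of P(X,Y); the combination step here stands in for whatever output reconstruction the full protocol uses.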

  17. Comm: O(n) ciphertexts
  • Using more efficient encryption schemes
  • Only additive homomorphism is needed
  • Only secure against semi-honest adversaries
  • How to defend against malicious adversaries, and keep communication low?

  18. Preventing Malicious Behavior
  • Each input x_i is shared by a polynomial S_i with S_i(0) = x_i and shares S_i(1) = x_i,1, S_i(2) = x_i,2, …, S_i(k) = x_i,k
  • RS (Reed-Solomon) decoding of the outputs

  19. High Level Description
  1) Semihonest-Poly for P1(X1, Y1)
  …
  k) Semihonest-Poly for Pk(Xk, Yk)
  • Reveal/verify the secrets for the protocols in Cb
  • Reveal/verify the secrets for the protocols in Ca
  • Combine the results and decode the output

  20. The Intuition
  • Cut-and-Choose: the majority of unopened protocols are performed honestly, |Ca| + |Cb| > t1
  • Reed-Solomon decoding: the number of errors in the “output codeword” is small, so decoding is efficient and unambiguous
  • Secret sharing: the number of opened shares is less than a threshold, |Ca| + |Cb| < t2, so no information about the inputs is revealed
  • |Ca| + |Cb| = 2k/5
  • [DMRY`09]: similar techniques for the set intersection problem
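Added Python example (not from the paper) of the share, evaluate and decode path of slides 18 to 20: each input is Shamir-shared by a degree-deg polynomial, the k point-wise evaluations form a Reed-Solomon codeword, a cheater corrupts a few of them, and brute-force unambiguous decoding recovers P(x,y) as long as k > 2*deg + 2*errors. P(x,y) = x*y is kept to degree 2 so the codeword has degree 2*deg (a degree-3 P gives 3*deg); the cut-and-choose opening of Ca and Cb is not modelled, and the prime field and all inputs are constructed.

```python
import random
from itertools import combinations

P = 2**31 - 1   # prime field, constructed for the example (the paper works over GF(2^s) or Z_N)

def lagrange(points, z):
    """Value at z of the unique lowest-degree polynomial through the (position, value) pairs."""
    total = 0
    for zi, vi in points:
        num = den = 1
        for zj, _ in points:
            if zj != zi:
                num, den = num * (z - zj) % P, den * (zi - zj) % P
        total = (total + vi * num * pow(den, -1, P)) % P
    return total

def share(secret, deg, k, rng):
    """Slide 18: S(0) = secret, S random of degree deg, shares are S(1), ..., S(k)."""
    coeffs = [secret] + [rng.randrange(P) for _ in range(deg)]
    return [sum(c * pow(j, i, P) for i, c in enumerate(coeffs)) % P for j in range(1, k + 1)]

def rs_decode(codeword, deg, max_errors):
    """Slide 20: unambiguous decoding when errors are few.  Find the degree-deg polynomial that
    agrees with at least k - max_errors positions and return its value at 0.  Brute force over
    interpolation subsets, which is fine for the tiny k used here."""
    need = len(codeword) - max_errors
    for subset in combinations(codeword, deg + 1):
        if sum(lagrange(subset, z) == v for z, v in codeword) >= need:
            return lagrange(subset, 0)
    raise ValueError("too many errors for unambiguous decoding")

def evaluate_with_errors(x, y, k, deg, corrupted, seed=0):
    """P(x,y) = x*y evaluated on shares: k point-wise semi-honest runs (slide 19), a cheater
    corrupts some outputs, RS decoding recovers P(x,y) provided k > 2*deg + 2*len(corrupted)."""
    rng = random.Random(seed)                                  # deterministic shares for the demo
    sx, sy = share(x, deg, k, rng), share(y, deg, k, rng)
    outputs = [(j + 1, sx[j] * sy[j] % P) for j in range(k)]   # output codeword, degree 2*deg
    for j in corrupted:                                        # the cheater's wrong outputs
        outputs[j] = (outputs[j][0], (outputs[j][1] + 1) % P)
    return rs_decode(outputs, 2 * deg, len(corrupted))
```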

  21. Better Amortized Efficiency
  • Evaluating (X1, Y1), …, (Xd, Yd) at polynomial P (batch evaluation), e.g. useful for linear algebra
  • Run d instances of the protocol in parallel: parallel composition (possible with small modifications), O(dkn) communication
  • Encode d inputs using one polynomial: share-packing techniques [FK`92], O((k+d)n) communication!

  22. Secure Linear Algebra [KMWF`07, MW`08]
  • Solving joint linear systems, joint rank/determinant computation
  • Reduced to secure matrix multiplication
  • Secure matrix multiplication: evaluation of O(n^2) polynomials (n × n matrix), O(kn^2) communication
  • Secure linear algebra: O(s n^{1/s}) matrix multiplications, O(s) rounds, O(kn^2 + s n^{2+1/s}) comm.
  • Security parameter is only multiplied by the smaller factor

  23. Working Over a Finite Field
  • Goldwasser-Micali encryption [GM`82] works for GF(2)
  • For RS codes, we need |F| = O(k)
  • Extend GM to encrypt/decrypt over GF(2^s): E(a1), …, E(as) where a_i in GF(2)
  • Homomorphic properties? Addition: component-wise addition
  • Plaintext-ciphertext multiplication: (enc. poly) × (pub. poly) mod (pub. poly)
  • Details in the paper

  24. Working Over a Finite Field
  • Paillier's encryption [Pai`99] works over Z_N where N = pq
  • “RS decoding” and “inversion” of elements? If inversion or RS decoding fail, then we can factor N
  • Safe to pretend we work over a finite field; useful for other MPC protocols
  • Other alternative is (a variant of) ElGamal: g^m h^r
  • Inefficient decryption, but sufficient for some applications

  25. Other Extensions
  • Higher degree polynomials: protocols extend to degree-t polynomials, O(n^⌊t/2⌋) communication
  • Security against “covert” adversaries: between malicious and semi-honest security, better efficiency
  • Multiparty setting: using techniques from [IPS`08], not as efficient as our two-party protocol

  26. Open Questions
  • Degree t > 3 protocols are not optimal: can we design protocols with O(n) communication and security against malicious adversaries?
  • More powerful homomorphic encryption schemes: evaluating 2-DNF formulas [BGN`05]; defending against malicious behavior? Similar techniques do NOT seem to work
  • Efficient semihonest-to-malicious compilers: ZK compilers are not efficient; ours is only optimal for low-degree polynomials; how about other functions?

  27. Thank You!
