270 likes | 377 Views
Secure Evaluation of Multivariate Polynomials. Matthew Franklin Payman Mohassel UC Davis U of calgary. Oblivious Transfer. x 0. b. x 1. x b = x 0 (1-b) + x 1 b . + (1-b) br. Secure Matrix Multiplication.
E N D
Secure Evaluationof Multivariate Polynomials Matthew Franklin PaymanMohassel UC Davis U of calgary
Oblivious Transfer x0 b x1 xb = x0 (1-b) + x1 b + (1-b)br
Secure Matrix Multiplication cij= bi1 a1j + bi2a2j + bi3a3j • Building block for secure linear algebra [KMWF`07] • Solving ``shared” linear systems, …
DNF/CNF Formulas • (a1 a2) (~a1 a3) . . . • r (1 – a1) (1 - a2) + ra1 (1-a3) + . . . • Check polynomial • [(1-a1) a1 + (1-a2) a2 + (1-a3) a3 + … ] r • (a1 a2) (~a1 a3) . . . • … • Predicate evaluation • TRUE = 0 • False = random
Conditional OT • Retrieve a data item if condition met • (Oblivious Transfer) + (Predicate Evaluation) • If predicate True return a data item • If predicate False return a random value • Reduced to polynomial evaluation
Secure Two-Party Computation Y X f(X,Y) Security : Simulation of the Real protocol in an Ideal world
Security Definition (Semi-honest) Ideal World TTP y x f(x,y) f(x,y) y x Alice Bob
Security Definition (Malicious) Ideal World TTP anything y Cheat = 0 f(x,y) f(x,y) y x honest malicious
Security Definition (Malicious) Ideal World TTP y anything Send “corrupt” Cheat = 1 y f(x,y) x malicious honest
Security Definition • Simulation-based security • For any adversary A in the real protocol • There is a simulator S in the ideal world c
General Constructions • Boolean circuits • [Yao`86, MF`06, LP`07, …] • Arithmetic circuits • [CDN`00, IPS`09,…] • Comm/comp proportional to circuit size • Degree-3 multivariate polynomial inn variables • O(n3) comm. • Input size is only O(n) • Can we do better?
Homomorphic Encryption • Public-Key Encryption • Additive • Epk(a) +hEpk(b) = Epk(a+b) • [Pai`99, DJ`01, …] • Multiplicative • Epk(a) xhEpk(b) = Epk(ab) • [ElGamal`84, …] • More powerful • 2-DNF formulas [BGN`05] • Fully homomorphic [Gentry`09, …]
Via Full Homomorphism pk (pk, sk) Epk(y1) , … , Epk(yn) Epk(f(X,Y)) Communication: O(n) ciphertexts
Problem Solved? • Fully homomorphic encryption • Not practical at this stage • We still have to deal with “malicious behavior”
Semi-honest Poly • Additively homomorphic • Let P(X,Y) be degree 3 • P(X,Y) = Pa(X,Y) + Pb(X,Y) • monomials in Pa are degree < 2 in xi • monomials in Pb are degree < 2 in yi Y X Epk_a(y1) , … , Epk_a(yn) (pka , ska) (pkb , skb) Epk_b(x1) , … , Epk_b(xn) Epk_b(Pa(X,Y)) Epk_a(Pb(X,Y))
Comm: O(n) ciphertexts • Using more efficient encryption schemes • Only additive homomorphism is needed • Only secure against semi-honest adversaries • How to defend against malicious adversaries? • And keep communication low
Preventing Malicious Behavior Si (1) = xi,1 . . . . . . Si(2) = xi,2 Si(0) = xi . . . Si(k) = xi,k . . . RS decoding
High Level Description 1) Semihonest-Poly for P1(X1, Y1) . . . k) Semihonest-Poly for Pk(Xk, Yk) Reveal/verify the secrets for protocols in Cb Reveal/verify the secrets for protocols in Ca Combine results and decode the output
The Intuition • Cut-and-Choose • Majority of unopened protocols are performed honestly • |Ca|+ |Cb| > t1 • Reed-Solomon Decoding • Number of errors in the “Output Codeword” is small • Efficient and unambiguous decoding • Secret Sharing • The number of opened shares is less than a threshold • |Ca|+ |Cb| < t2 • No information about the inputs is revealed • |Ca|+ |Cb| = 2k/5 • [DMRY`09] • Similar techniques for the set intersection problem
Better Amortized Efficiency • Evaluating (X1, Y1), … , (Xd, … , Yd) at polynomial P • Batch evaluation • e.g. useful for linear algebra • Run d instances of the protocol in parallel • Parallel composition (possible with small modifications) • O(dkn) communication • Encode d inputs using one polynomial • Share-packing techniques [FK`92] • O(k+d)n ) communication!
Secure Linear Algebra • [KMWF`07, MW`08] • Solving joint linear systems, joint rank/determinant computation • Reduced to secure matrix multiplication • Secure matrix multiplication • Evaluation of O(n2) polynomials (n x n matrix) • O(kn2) communication • Secure linear algebra • O(sn1/s) matrix multiplication • O(s) round, O(kn2+ sn2+1/s) comm. • Security parameter only multiplied by the smaller factor
Working Over a Finite Field • Goldwasser-Micali encryption [GM`82] • Works for GF(2) • For RS codes, we need |F| = O(k) • Extend GM to encrypt/decrypt over GF(2s) • E(a1) , …, E(as) where ai in GF(2) • Homomorphic properties? • Addition: component-wise addition • Plaintext-ciphertext multiplication • (enc. poly) x (pub. Poly) mod (pub poly) • Details in the paper
Working Over a Finite Field • Paillier’s encryption [Pai`99] • Works over ZN where N = pq • “RS decoding” and “inversion” of elements? • If inversion or RS decoding fail • Then we can factor N • Safe to pretend we work over a finite field • Useful for other MPC protocols • Other alternative is (variant of) ElGamal: gm hr • Inefficient decryption, but sufficient for some applications
Other Extensions • Higher degree polynomials • Protocols extend to degree-t polynomials • O(n└(t/2)┘) communication • Security against “covert” adversaries • Between malicious and semi-honest security • Better efficiency • Multiparty setting • Using techniques from [IPS`08] • Not as efficient as our two-party protocol
Open Questions • Degree t>3 protocols are not optimal • Can we design protocols with O(n) communication • Security against malicious adversaries • More powerful homomorphic encryption schemes • Evaluating 2-DNF formulas [BGN`05] • Defending against malicious behavior? • Similar techniques do NOT seem to work • Efficient semihonest-to-malicious compilers • ZK compilers not efficient • Ours is only optimal for low-degree polynomials • How about other functions