Secure Efficient Multiparty Computing of Multivariate Polynomials and Applications Dana Dachman-Soled, Tal Malkin, Mariana Raykova, Moti Yung.


Secure Efficient Multiparty Computing of Multivariate Polynomials and Applications Dana Dachman-Soled, Tal Malkin, Mariana Raykova, Moti Yung

2 (Figure: four parties, each holding a private input x_1, x_2, x_3, x_4.)

3 (Figure: the four parties with inputs x_1, x_2, x_3, x_4, each receiving an output F_1(x_1,x_3,x_3), F_2(x_1,x_3,x_3), F_3(x_1,x_3,x_3), F_4(x_1,x_3,x_3).)

4 Secure Multiparty Computation: how to compute a function on the private inputs of multiple parties without leaking more than the result?

5 Secure Multiparty Computation
Feasible – [Yao82], [GMW87], [CDv88], [BG89], [BG90], [Cha90], [Bea92], …
Not efficient – communication and computation proportional to circuit size

6 Multivariate Polynomials (figure: the parties' inputs x_1, x_2, x_3, x_4)

7 Applications (figure: the parties' inputs x_1, x_2, x_3, x_4)

8 Multivariate Polynomials – Applications: Multiparty Set Intersection

9 Multivariate Polynomials – Applications: Linear Algebra (matrix arithmetic, inverse, determinant, eigenvalues)

10 Multivariate Polynomials – Applications: Statistics functions (average, standard deviation, variance, chi-square test, computing Pearson’s correlation coefficients)

11 Multivariate Polynomials – Applications: Taylor series approximation (trigonometric functions, logarithms, exponents, square root)

12 Outsourced computation: many workers, at least one honest

13 Outsourced computation: computation on shares, reconstruction of output

14 Our results
Multiparty computation protocol for functionalities that can be represented as multivariate polynomials
– Improvement of generic complexity for multiple parties; left as an open problem in FM10
Security:
– Against malicious majority
– Proofs in the standard simulation model
Black-box construction from homomorphic encryption with a natural property
– Instantiated through threshold Paillier encryption (decisional composite residuosity)

15 Our Results
Efficiency:
– Communication complexity – FM10 is subexponential in the number of parties; we achieve fully polynomial (in all parameters) complexity: broadcast complexity, round-table complexity
– Constant number of round-table rounds
Application construction: Multiparty Set Intersection
– Improves the complexity of existing multiparty solutions KS05, SS09, CJS10

16 Building Blocks
Input sharing using committed Shamir/Reed-Solomon codes: P_X(0) = X, shares P_X(1), …, P_X(D)
Vector Homomorphic Encryption:
ENC(m_1; r_1) ⊗ ENC(m_2; r_2) = ENC(m_1 + m_2; r_1 ⊕ r_2)
ENC(m; r)^c = ENC(c · m; r ⊙ c)
– Instantiation: threshold Paillier encryption

17 Building Blocks
Polynomial code commutativity: Interpolate(Poly-Eval(input shares)) = Poly-Eval(Interpolate(input shares)) = Poly-Eval(inputs)
Incremental encrypted polynomial evaluation
– Each monomial M = c · ∏_{i=1}^{#parties} h_i(inputs of party i)
– b_0 = Enc(c), the encrypted constant needed for the homomorphic property; b_{i+1} = b_i ⊕ h_i(inputs of party i), where b_i / b_{i+1} is the encryption of the partial evaluation of M with the inputs of the first i / i+1 parties
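The two properties on this slide, input sharing with committed Shamir/Reed-Solomon codes and the commutativity of interpolation with polynomial evaluation, can be checked in plaintext with a few lines of Python. The block below is an added example, not code from the presentation or its authors; the field size, the monomial 3·x_1·x_2²·x_3 and the input values are constructed for the example. It also shows the caveat a practitioner runs into: evaluating a polynomial share-wise multiplies the degree of the sharing polynomials, so interpolation is only correct once at least (degree + 1) shares are available.

```python
# Added example (not from the slides): Shamir/Reed-Solomon input sharing and the
# "polynomial code commutativity" Interpolate(Poly-Eval(shares)) = Poly-Eval(inputs),
# over the prime field Z_P.
import random

P = 2**61 - 1  # constructed field size for the example (a Mersenne prime)


def share(secret, degree, num_shares):
    """Shamir sharing: random polynomial P_X of the given degree with P_X(0) = secret;
    the shares are P_X(1), ..., P_X(num_shares)."""
    coeffs = [secret % P] + [random.randrange(P) for _ in range(degree)]
    return [(i, sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P)
            for i in range(1, num_shares + 1)]


def interpolate_at_zero(points):
    """Lagrange interpolation at 0 over Z_P (reconstruction of the secret)."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for k, (xk, _) in enumerate(points):
            if k != j:
                num = num * (-xk) % P
                den = den * (xj - xk) % P
        total = (total + yj * num * pow(den, P - 2, P)) % P
    return total


def monomial(x1, x2, x3):
    """The monomial evaluated in the example: 3 * x1 * x2^2 * x3 (constructed)."""
    return 3 * x1 * pow(x2, 2, P) * x3 % P


def eval_on_shares(shares_x1, shares_x2, shares_x3):
    """Poly-Eval(input shares): apply the monomial share-wise at every evaluation point."""
    return [(i, monomial(a, b, c))
            for (i, a), (_, b), (_, c) in zip(shares_x1, shares_x2, shares_x3)]


def interpolate_poly_eval(x1, x2, x3, t, D):
    """Interpolate(Poly-Eval(input shares)) with degree-t sharings and D shares each.
    The share-wise result lies on a polynomial of degree 4t (x1, x2 twice, x3), so
    D >= 4t + 1 shares are needed for the interpolation to return the true value."""
    sh = [share(x, t, D) for x in (x1, x2, x3)]
    return interpolate_at_zero(eval_on_shares(*sh))


def commutativity_holds(x1, x2, x3, t, D):
    """True iff interpolating the share-wise evaluation equals evaluating on the inputs."""
    return interpolate_poly_eval(x1, x2, x3, t, D) == monomial(x1, x2, x3)


if __name__ == "__main__":
    inputs = (17, 23, 5)
    print(commutativity_holds(*inputs, t=2, D=9))  # 9 >= 4*2+1 shares: True
    print(commutativity_holds(*inputs, t=2, D=8))  # one share short: False
```

With D = 8 shares of a degree-8 result the interpolated value differs from the true one by (leading coefficient) · 8!, so the check fails deterministically unless a random leading coefficient happens to be zero; this is why the protocol's parameters tie the number of shares to the degree D of the polynomial being computed.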

18 Building blocks
Lagrange Interpolation Protocol Over Encrypted Values:
– given A > d+1 encrypted points (1, ENC_pk(y_1, r_1)), …, (A, ENC_pk(y_A, r_A))
– check that they lie on a polynomial of degree d: ENC_pk(y_i, r_i) = ∏_{j=1}^{d+1} (ENC_pk(y_j, r_j))^{L_j(i)}
– synchronized randomness
Randomness Interpolation:
– given (1, y_1), …, (A, y_A), r_1, …, r_{d+1}
– compute r_{d+2}, …, r_A
– encrypted interpolation holds for [i, ENC_pk(y_i, r_i)]_{1≤i≤A}
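The homomorphic property of slide 16 and the encrypted Lagrange check with randomness interpolation of slide 18 are easiest to understand with the randomness written out explicitly. The following block is an added example, not code from the presentation or its authors: it uses a toy single-key Paillier instance (no threshold decryption) with constructed primes of about 2^20, far too small for real use, and a constructed random polynomial over Z_n. It shows that the verifier's product-of-powers check passes for honestly interpolated randomness, and fails both for a point off the polynomial and for a correct plaintext encrypted under fresh, unsynchronized randomness.

```python
# Added example, not from the slides: toy Paillier with explicit randomness, used to
# check the homomorphic property (slide 16) and the Lagrange interpolation over
# encrypted values / randomness interpolation (slide 18). Primes are constructed.
import random
from math import gcd, lcm


def paillier_keygen(p=1000003, q=1000033):
    """n = p*q, generator g = 1+n, lambda = lcm(p-1, q-1), mu = lambda^-1 mod n."""
    n = p * q
    lam = lcm(p - 1, q - 1)
    return n, (lam, pow(lam, -1, n))


def enc(n, m, r):
    """ENC_pk(m; r) = (1+n)^m * r^n mod n^2, with r in Z_n^* chosen by the caller."""
    n2 = n * n
    return pow(1 + n, m % n, n2) * pow(r, n, n2) % n2


def dec(n, sk, c):
    lam, mu = sk
    return ((pow(c, lam, n * n) - 1) // n) * mu % n


def homomorphic_property_holds(n, m1, r1, m2, r2, c):
    """ENC(m1;r1)*ENC(m2;r2) = ENC(m1+m2; r1*r2) and ENC(m;r)^c = ENC(c*m; r^c)."""
    n2 = n * n
    add_ok = enc(n, m1, r1) * enc(n, m2, r2) % n2 == enc(n, m1 + m2, r1 * r2 % n)
    mul_ok = pow(enc(n, m1, r1), c, n2) == enc(n, c * m1, pow(r1, c, n))
    return add_ok and mul_ok


def lagrange_coeff(xs, j, x, n):
    """L_j(x) = prod_{k != j} (x - x_k)/(x_j - x_k) as an element of Z_n.
    The denominators are tiny integers, hence invertible mod n for these primes."""
    num, den = 1, 1
    for k, xk in enumerate(xs):
        if k != j:
            num = num * (x - xk) % n
            den = den * (xs[j] - xk) % n
    return num * pow(den, -1, n) % n


def interpolate_randomness(n, xs, rs, x):
    """Randomness interpolation: r_x = prod_j r_j^{L_j(x)} mod n. With this r_x,
    ENC(y_x; r_x) equals the homomorphic Lagrange combination of the d+1 base
    ciphertexts whenever y_x lies on the same degree-d polynomial."""
    r = 1
    for j, rj in enumerate(rs):
        r = r * pow(rj, lagrange_coeff(xs, j, x, n), n) % n
    return r


def on_encrypted_polynomial(n, xs, cts, x, cx):
    """Verifier's check ENC(y_x; r_x) == prod_j ENC(y_j; r_j)^{L_j(x)} mod n^2.
    Passes only if the plaintext is on the curve AND the randomness is synchronized."""
    n2 = n * n
    acc = 1
    for j, cj in enumerate(cts):
        acc = acc * pow(cj, lagrange_coeff(xs, j, x, n), n2) % n2
    return acc == cx


def demo(d=2, A=5, rng=random):
    """Points 1..A on a constructed degree-d polynomial over Z_n; the first d+1 get
    fresh randomness, the rest interpolated randomness. Returns True if every honest
    point passes, decryption agrees, and two cheating attempts are rejected."""
    n, sk = paillier_keygen()
    poly = [rng.randrange(n) for _ in range(d + 1)]
    y = {i: sum(c * pow(i, k, n) for k, c in enumerate(poly)) % n for i in range(1, A + 1)}
    xs = list(range(1, d + 2))
    rs = {}
    for i in xs:
        rs[i] = rng.randrange(2, n)
        while gcd(rs[i], n) != 1:
            rs[i] = rng.randrange(2, n)
    for i in range(d + 2, A + 1):
        rs[i] = interpolate_randomness(n, xs, [rs[j] for j in xs], i)
    cts = {i: enc(n, y[i], rs[i]) for i in range(1, A + 1)}
    base = [cts[j] for j in xs]
    honest_ok = all(on_encrypted_polynomial(n, xs, base, i, cts[i]) for i in range(d + 2, A + 1))
    decrypt_ok = all(dec(n, sk, cts[i]) == y[i] for i in range(1, A + 1))
    off_curve = on_encrypted_polynomial(n, xs, base, A, enc(n, y[A] + 1, rs[A]))  # wrong value
    fresh_rand = on_encrypted_polynomial(n, xs, base, A, enc(n, y[A], 7))         # unsynchronized r
    return honest_ok and decrypt_ok and not off_curve and not fresh_rand
```

The check works because (1+n)^n ≡ 1 (mod n²), so the plaintext exponent only matters modulo n, and r^n mod n² depends only on r mod n, so the Lagrange coefficients can be reduced modulo n on both the ciphertext and the randomness side. The last two lines of `demo` are the reason the slide insists on synchronized randomness: a ciphertext of the right value under any other randomness is rejected just like a wrong value.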

19 Efficient Input Preprocessing: Polynomial Degree Reduction
Change of variables: a polynomial Q(y) of degree n becomes Q(y_0, y_1, y_2, …, y_⌈log n⌉) with
y_0 = y, y_1 = y^2, y_2 = y^4, …, y_⌈log n⌉ = y^{2^⌈log n⌉}
Degree in y: n → degree after the change of variables: log n
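The change of variables on this slide is a binary decomposition of every exponent: since y^e = ∏_{k: bit k of e is 1} y^{2^k}, each monomial a_e·y^e becomes a_e times a product of distinct new variables y_k, so the rewritten polynomial has degree at most 1 in every y_k and total degree at most ⌈log n⌉ + 1 instead of n. The block below is an added example (not code from the presentation or its authors); it performs the rewrite for an arbitrary coefficient list, evaluates both forms modulo a constructed prime, and reports the resulting total degree. The coefficient list in the usage is constructed.

```python
# Added example (not from the slides): the change of variables y_k = y^(2^k) that turns
# a univariate Q(y) of degree n into a multilinear polynomial in y_0, ..., y_{ceil(log n)}.
from math import ceil, log2


def reduce_degree(coeffs):
    """coeffs[e] is the coefficient of y^e. Returns {frozenset(bits of e): a_e}, i.e.
    the monomial a_e * y^e rewritten as a_e * prod_{k in bits(e)} y_k."""
    new_poly = {}
    for e, a in enumerate(coeffs):
        if a == 0:
            continue
        vars_used = frozenset(k for k in range(e.bit_length()) if (e >> k) & 1)
        new_poly[vars_used] = new_poly.get(vars_used, 0) + a
    return new_poly


def new_variables(y, n, p):
    """y_0 = y, y_1 = y^2, y_2 = y^4, ..., y_{ceil(log n)} = y^(2^ceil(log n)) mod p."""
    L = ceil(log2(n)) if n > 1 else 0
    return [pow(y, 2 ** k, p) for k in range(L + 1)]


def eval_reduced(new_poly, ys, p):
    """Evaluate the multilinear form on the new variables."""
    total = 0
    for vars_used, a in new_poly.items():
        term = a % p
        for k in vars_used:
            term = term * ys[k] % p
        total = (total + term) % p
    return total


def eval_univariate(coeffs, y, p):
    return sum(a * pow(y, e, p) for e, a in enumerate(coeffs)) % p


def total_degree(new_poly):
    """Total degree of the rewritten polynomial: the largest number of variables in a term."""
    return max((len(v) for v in new_poly), default=0)


def reduction_is_correct(coeffs, y, p):
    """Q(y) == Q(y_0, ..., y_{ceil(log n)}) at the point y, modulo p."""
    n = len(coeffs) - 1
    return eval_reduced(reduce_degree(coeffs), new_variables(y, n, p), p) == eval_univariate(coeffs, y, p)


if __name__ == "__main__":
    q = [5, 0, 3, 7, 0, 0, 0, 0, 0, 0, 0, 0, 1]  # constructed: 5 + 3y^2 + 7y^3 + y^12, degree 12
    print(reduce_degree(q))                          # y^12 = y_2 * y_3, y^3 = y_0 * y_1, ...
    print(total_degree(reduce_degree(q)))            # 2 (was 12)
    print(reduction_is_correct(q, 6, 101))           # True
```

In the protocol the prover must also show that the committed new variables really are the successive squares y, y², y⁴, …, which is what the proof of knowledge on the next slide is for; the arithmetic here only shows why the degree of the polynomial the parties then evaluate drops to O(log n).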

20 Proof of Knowledge and Verification
Proves correct computation of the new variables and correct degree of the input sharing polynomials.
Prover: x_1, …, x_n. Common input: c_1, …, c_n, L with (x_1, …, x_n) ∈ L and c_i = ENC(x_i). Output of the verifier: Accept/Reject.
(Figure: the prover sends enc(r_1), enc(r_2), …, enc(r_n); the verifier replies with a challenge bit 0 or 1; depending on the bit the prover opens either (r_1, …, r_n) ∈ L or (x_1 + r_1, …, x_n + r_n) ∈ L, and the verifier checks c_i * enc(r_i) = enc(x_i + r_i).)

21 Protocol Outline

22 Efficient preprocessing for each variable in the multivariate polynomial; commit to shares of the new variables

23 Each party P_i contributes his inputs – in each monomial s, for each share j:
b_{i+1,j,s} = (b_{i,j,s} ⊕ h_i(share j of P_i)) · Enc(0, r_{i,j,s})
r_{i,j,s} generated with the randomness interpolation protocol

24 Each party re-randomizes the final output shares S_1, …, S_{10kD}
– Randomizing polynomial P_{j,0} with P_{j,0}(0) = 0
– Shares (1, P_{j,0}(1)), …, (10kD, P_{j,0}(10kD))
– Re-randomized output shares: S'_i = S_i · ∏_{j=1}^{m} ENC_pk(P_{j,0}(i); r_{j,i})
r_{j,kD+2}, …, r_{j,10kD} generated with the randomness interpolation protocol

25 All parties verify that the encrypted output shares S_i lie on a polynomial of degree kD. Parties select a subset of the shares of size k and decommit the corresponding shares. Parties verify the computation of the opened shares.
(Figure: rows of committed shares Com(P_1(2)), Com(P_2(2)), Com(P_1(3)), Com(P_2(3)), …, Com(P_1(10kD)), Com(P_2(10kD)), with a few shares such as P_1(1), P_2(1), P_2(4) opened: "Verify computation" on the opened shares, "Verify degree" on all of them.)

26 The parties run threshold decryption for each of the output shares; the output receiver interpolates the output value from the shares.

27 Protocol Complexities
Amortized – sharing with multiple secrets
Communication complexity
– Round table – between consecutive parties: intermediate protocol messages O(Dn(m-1)); m parties, n monomials, D sum of log variable degrees
– Broadcast – input commitments, decommitments in the verification phase; smaller than the polynomial representation: O(D (∑_{j=1}^{m} ∑_{t=1}^{L_j} log α_{j,t})), α_{j,t} highest degree of variable t, L_j inputs for party j
Computational complexity O(Dnm)

28 Multiparty set intersection
P(x) = ∑_{i=1}^{m-1} r_i · P_i(x) + x, where P_i(x) represents the input set of party i and r_i = r_{i,1} + … + r_{i,m} with r_{i,j} randomness from party j
Optimizations:
– Only two parties have inputs per each monomial
– Inputs that are used only once do not need to be shared
Complexity – m parties, d inputs each:
– Communication – O(md + 10d log² d); CJS10 – quadratic in the number of parties, other solutions have worse complexity
– Computation – O(md² log d)
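The plaintext arithmetic behind the set-intersection polynomial on this slide, as an added example that is not code from the presentation or its authors: each party i encodes its set as P_i(x) = ∏_{a ∈ S_i} (x − a), the first m−1 parties' polynomials are combined as P(x) = ∑_i r_i · P_i(x) + x (the slide's formula as reconstructed here), and the last party evaluates P on its own elements. An element that lies in every set zeroes every P_i and is returned unchanged; any other element is masked by the jointly generated r_i, so P(x) = x only with probability about 1/p. The field size and the sample sets are constructed; in the protocol the combination is computed under the homomorphic encryption of the earlier slides rather than in the clear as here.

```python
# Added example (not from the slides): polynomial-based multiparty set intersection in
# plaintext over Z_p. P_i(x) = prod_{a in S_i} (x - a); P(x) = sum_i r_i * P_i(x) + x.
import random

p = 2**61 - 1  # constructed field size for the example


def set_polynomial(elements):
    """Coefficients (low to high) of prod_{a in elements} (x - a) over Z_p."""
    coeffs = [1]
    for a in elements:
        new = [0] * (len(coeffs) + 1)
        for k, c in enumerate(coeffs):
            new[k + 1] = (new[k + 1] + c) % p       # c * x^k * x
            new[k] = (new[k] - a * c) % p           # c * x^k * (-a)
        coeffs = new
    return coeffs


def eval_poly(coeffs, x):
    return sum(c * pow(x, k, p) for k, c in enumerate(coeffs)) % p


def combined_randomness(contributions):
    """r_i = r_{i,1} + ... + r_{i,m}: every party adds a share, so no single party
    (in particular not party i itself) controls the multiplier of P_i."""
    return sum(contributions) % p


def intersection_polynomial_value(sets_of_first_parties, rs, x):
    """P(x) = sum_i r_i * P_i(x) + x evaluated at the point x."""
    total = x % p
    for s, r in zip(sets_of_first_parties, rs):
        total = (total + r * eval_poly(set_polynomial(s), x)) % p
    return total


def multiparty_intersection(all_sets, rng=random):
    """Parties 1..m-1 contribute P_i; party m evaluates P on its own elements and keeps
    those x with P(x) == x. A non-member survives only with probability about 1/p."""
    m = len(all_sets)
    rs = [combined_randomness([rng.randrange(1, p) for _ in range(m)]) for _ in range(m - 1)]
    last = all_sets[-1]
    return {x for x in last if intersection_polynomial_value(all_sets[:-1], rs, x) == x}


if __name__ == "__main__":
    sample = [{1, 2, 3, 4}, {2, 3, 5}, {3, 2, 9}]   # constructed input sets
    print(multiparty_intersection(sample))          # {2, 3}
```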

29 Thank You! Questions?