Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Evaluation of Multivariate Polynomials

Published byBennett Birch Modified over 10 years ago

Similar presentations

Presentation on theme: "Secure Evaluation of Multivariate Polynomials"— Presentation transcript:

1 Secure Evaluation of Multivariate Polynomials
Matthew Franklin Payman Mohassel UC Davis U of calgary

2 Oblivious Transfer xb = x0 (1-b) + x1 b + (1-b)br x0 b x1
Can be extended to 1-out-of-n OT, with larger degree polynomials xb = x0 (1-b) + x1 b + (1-b)br

3 Secure Matrix Multiplication
cij = bi1 a1j + bi2a2j + bi3a3j Building block for secure linear algebra [KMWF`07] Solving ``shared” linear systems, …

4 DNF/CNF Formulas (a1 a2) (~a1 a3) . . . Check polynomial
r (1 – a1) (1 - a2) + r a1 (1-a3) Check polynomial [(1-a1) a1 + (1-a2) a2 + (1-a3) a3 + … ] r Predicate evaluation TRUE = 0 False = random

5 Conditional OT Retrieve a data item if condition met
(Oblivious Transfer) + (Predicate Evaluation) If predicate True  return a data item If predicate False  return a random value Reduced to polynomial evaluation

6 Evaluating Multivariate Polynomials

7 Secure Two-Party Computation
X Y f(X,Y) Security : Simulation of the Real protocol in an Ideal world

8 Security Definition (Semi-honest)
Ideal World TTP y x f(x,y) f(x,y) Make more colorfull y x Alice Bob

9 Security Definition (Malicious)
Ideal World TTP anything y Cheat = 0 f(x,y) f(x,y) y x honest malicious

10 Security Definition (Malicious)
Ideal World TTP y anything Send “corrupt” Cheat = 1 Make more colorfull f(x,y) y x malicious honest

11 Security Definition Simulation-based security
For any adversary A in the real protocol There is a simulator S in the ideal world c

12 General Constructions
Boolean circuits [Yao`86, MF`06, LP`07, …] Arithmetic circuits [CDN`00, IPS`09,…] Comm/comp proportional to circuit size Degree-3 multivariate polynomial in n variables O(n3) comm. Input size is only O(n) Can we do better?

13 Homomorphic Encryption
Public-Key Encryption Additive Epk(a) +h Epk(b) = Epk(a+b) [Pai`99, DJ`01, …] Multiplicative Epk(a) xh Epk(b) = Epk(ab) [ElGamal`84, …] More powerful 2-DNF formulas [BGN`05] Fully homomorphic [Gentry`09, …]

14 Via Full Homomorphism Communication: O(n) ciphertexts pk (pk, sk)
Epk(y1) , … , Epk(yn) Epk (f(X,Y)) Communication: O(n) ciphertexts

15 Problem Solved? Fully homomorphic encryption
Not practical at this stage We still have to deal with “malicious behavior”

16 Semi-honest Poly Additively homomorphic Let P(X,Y) be degree 3
P(X,Y) = Pa(X,Y) + Pb(X,Y) monomials in Pa are degree < 2 in xi monomials in Pb are degree < 2 in yi Y X Epk_a(y1) , … , Epk_a(yn) (pka , ska) (pkb , skb) Epk_b(x1) , … , Epk_b(xn) Epk_b (Pa(X,Y)) Epk_a (Pb(X,Y))

17 Comm: O(n) ciphertexts Using more efficient encryption schemes
Only additive homomorphism is needed Only secure against semi-honest adversaries How to defend against malicious adversaries? And keep communication low

18 Preventing Malicious Behavior
Si (1) = xi,1 . . Si(2) = xi,2 Si(0) = xi . Si(k) = xi,k . RS decoding

19 High Level Description
1) Semihonest-Poly for P1(X1, Y1) . k) Semihonest-Poly for Pk(Xk, Yk) Reveal/verify the secrets for protocols in Cb Simulation-based proof; Extract the inputs, run coin-tosses for the reveal/verify steps Reveal/verify the secrets for protocols in Ca Combine results and decode the output

20 The Intuition Cut-and-Choose Reed-Solomon Decoding Secret Sharing
Majority of unopened protocols are performed honestly |Ca|+ |Cb| > t1 Reed-Solomon Decoding Number of errors in the “Output Codeword” is small Efficient and unambiguous decoding Secret Sharing The number of opened shares is less than a threshold |Ca|+ |Cb| < t2 No information about the inputs is revealed |Ca|+ |Cb| = 2k/5 [DMRY`09] Similar techniques for the set intersection problem

21 Better Amortized Efficiency
Evaluating (X1, Y1), … , (Xd, … , Yd) at polynomial P Batch evaluation e.g. useful for linear algebra Run d instances of the protocol in parallel Parallel composition (possible with small modifications) O(dkn) communication Encode d inputs using one polynomial Share-packing techniques [FK`92] O(k+d)n ) communication!

22 Secure Linear Algebra [KMWF`07, MW`08] Secure matrix multiplication
Solving joint linear systems, joint rank/determinant computation Reduced to secure matrix multiplication Secure matrix multiplication Evaluation of O(n2) polynomials (n x n matrix) O(kn2) communication Secure linear algebra O(sn1/s) matrix multiplication O(s) round, O(kn2 + sn2+1/s) comm. Security parameter only multiplied by the smaller factor

23 Working Over a Finite Field
Goldwasser-Micali encryption [GM`82] Works for GF(2) For RS codes, we need |F| = O(k) Extend GM to encrypt/decrypt over GF(2s) E(a1) , …, E(as) where ai in GF(2) Homomorphic properties? Addition: component-wise addition Plaintext-ciphertext multiplication (enc. poly) x (pub. Poly) mod (pub poly) Details in the paper

24 Working Over a Finite Field
Paillier’s encryption [Pai`99] Works over ZN where N = pq “RS decoding” and “inversion” of elements? If inversion or RS decoding fail Then we can factor N Safe to pretend we work over a finite field Useful for other MPC protocols Other alternative is (variant of) ElGamal: gm hr Inefficient decryption, but sufficient for some applications

25 Other Extensions Higher degree polynomials
Protocols extend to degree-t polynomials O(n└(t/2)┘) communication Security against “covert” adversaries Between malicious and semi-honest security Better efficiency Multiparty setting Using techniques from [IPS`08] Not as efficient as our two-party protocol

26 Open Questions Degree t>3 protocols are not optimal
Can we design protocols with O(n) communication Security against malicious adversaries More powerful homomorphic encryption schemes Evaluating 2-DNF formulas [BGN`05] Defending against malicious behavior? Similar techniques do NOT seem to work Efficient semihonest-to-malicious compilers ZK compilers not efficient Ours is only optimal for low-degree polynomials How about other functions

27 Thank You!

Download ppt "Secure Evaluation of Multivariate Polynomials"

Similar presentations

Constant-Round Private Database Queries Nenad Dedic and Payman Mohassel Boston UniversityUC Davis.

Constant-Round Private Database Queries Nenad Dedic and Payman Mohassel Boston UniversityUC Davis.
Private Inference Control David Woodruff MIT Joint work with Jessica Staddon (PARC)

Private Inference Control David Woodruff MIT Joint work with Jessica Staddon (PARC)
Private Inference Control

Private Inference Control
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Perfect Non-interactive Zero-Knowledge for NP

Perfect Non-interactive Zero-Knowledge for NP
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
Secure Linear Algebra against Covert or Unbounded Adversaries Payman Mohassel and Enav Weinreb UC Davis CWI.

Secure Linear Algebra against Covert or Unbounded Adversaries Payman Mohassel and Enav Weinreb UC Davis CWI.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Secure Computation of Linear Algebraic Functions

Secure Computation of Linear Algebraic Functions
Oblivious Branching Program Evaluation

Oblivious Branching Program Evaluation
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
Improved Efficiency for Private Stable Matching Matthew Franklin, Mark Gondree, and Payman Mohassel University of California, Davis 02/07/07 - Session.

Improved Efficiency for Private Stable Matching Matthew Franklin, Mark Gondree, and Payman Mohassel University of California, Davis 02/07/07 - Session.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
GARBLED CIRCUITS & SECURE TWO-PARTY COMPUTATION

GARBLED CIRCUITS & SECURE TWO-PARTY COMPUTATION
New Advances in Garbling Circuits Based on joint works with Yuval Ishai Eyal Kushilevitz Brent Waters University of TexasTechnion Benny Applebaum Tel Aviv.

New Advances in Garbling Circuits Based on joint works with Yuval Ishai Eyal Kushilevitz Brent Waters University of TexasTechnion Benny Applebaum Tel Aviv.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Similar presentations

Ads by Google