1
Secure Efficient Multiparty Computing of Multivariate Polynomials and Applications
Dana Dachman-Soled, Tal Malkin, Mariana Raykova, Moti Yung
2
[Figure: inputs $x_1$, $x_2$, $x_3$, $x_4$]
3
[Figure: inputs $x_1$, $x_2$, $x_3$, $x_4$ with $F_1(x_1,x_3,x_3)$, $F_2(x_1,x_3,x_3)$, $F_3(x_1,x_3,x_3)$, $F_4(x_1,x_3,x_3)$]
4
Secure Multiparty Computation
How to compute a function on the private inputs of multiple parties not leaking more than the result?
5
Secure Multiparty Computation
Feasible – [Yao82], [GMW87], [CDv88], [BG89], [BG90], [Cha90], [Bea92], …
Not Efficient – communication and computation proportional to circuit size
6
Multivariate Polynomials
[Figure: inputs $x_1$, $x_2$, $x_3$, $x_4$]
7
Applications
[Figure: inputs $x_1$, $x_2$, $x_3$, $x_4$]
8
Multivariate Polynomials: Applications
Multiparty Set Intersection
[Figure: inputs $x_1$, $x_2$, $x_3$, $x_4$]
9
Multivariate Polynomials: Applications
Linear Algebra – matrix arithmetic, inverse, determinant, eigenvalues
[Figure: inputs $x_1$, $x_2$, $x_3$, $x_4$]
10
Multivariate Polynomials: Applications
Statistics functions – average, standard deviation, variance, chi-square test, computing Pearson's correlation coefficients
[Figure: inputs $x_1$, $x_2$, $x_3$, $x_4$]
11
Multivariate Polynomials: Applications
Taylor series approximation – trigonometric functions, logarithms, exponents, square root
[Figure: inputs $x_1$, $x_2$, $x_3$, $x_4$]
12
Outsourced computation
– many workers
– at least one honest
13
Outsourced computation
– Computation on shares
– Reconstruction of output
14
Our results
Multiparty computation protocol for functionalities that can be represented as multivariate polynomials
– Improvement of generic complexity for multiple parties
– Left as open problem in FM10
Security:
– Against malicious majority
– Proofs in the standard simulation model
Black box construction from homomorphic encryption with a natural property…
– Instantiated through threshold Paillier encryption (decisional composite residuosity)
15
Our Results
Efficiency:
– Communication complexity
– FM10 subexponential in the number of parties, we achieve fully polynomial (in all parameters) complexity: broadcast complexity, round table complexity
– Constant number round table rounds
Application construction: Multiparty Set Intersection
– Improve complexity of existing multiparty solutions KS05, SS09, CJS10
16
Building Blocks
Input sharing using committed Shamir/Reed-Solomon codes
– $P_X(0) = X$, shares $P_X(1), \dots, P_X(D)$
Vector Homomorphic Encryption
– $\mathrm{ENC}(m_1; r_1) \otimes \mathrm{ENC}(m_2; r_2) = \mathrm{ENC}(m_1 + m_2;\, r_1 \oplus r_2)$
– $\mathrm{ENC}(m; r)^{c} = \mathrm{ENC}(c \cdot m;\, r \odot c)$
– Instantiation: threshold Paillier encryption
17
Building Blocks
Polynomial code commutativity
– Interpolate(Poly-Eval(inputs shares)) = Poly-Eval(Interpolate(inputs shares)) = Poly-Eval(inputs)
Incremental encrypted polynomial evaluation
– Each monomial $M = c \prod_{i=1}^{\#\text{parties}} h_i(\text{inputs of party } i)$
– $b_0 = \mathrm{Enc}(c)$; $b_{i+1} = b_i \oplus h_i(\text{inputs of party } i)$
– $b_{i+1}$ / $b_i$: encryption of partial evaluation of $M$ with inputs from first $i+1$ / $i$ parties
– Constant for homomorphic property
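The commutativity identity on this slide, worked over a prime field as an added example (not code from the presentation). The field modulus, the sharing degree `t`, the functionality `poly_eval` and all function names are assumptions made for the illustration; the non-cryptographic `random` module is used only to make the run reproducible.

```python
import random

PRIME = 2_147_483_647  # field modulus 2^31 - 1, chosen for the example

def share(secret, t, n_shares, rng):
    """Shares P_X(1..n_shares) of a random degree-t polynomial with P_X(0) = secret."""
    coeffs = [secret] + [rng.randrange(PRIME) for _ in range(t)]
    return [sum(c * pow(x, k, PRIME) for k, c in enumerate(coeffs)) % PRIME
            for x in range(1, n_shares + 1)]

def interpolate_at_zero(ys):
    """Lagrange-interpolate the points (1, ys[0]), (2, ys[1]), ... at x = 0."""
    total = 0
    for j, y in enumerate(ys, start=1):
        num = den = 1
        for k in range(1, len(ys) + 1):
            if k != j:
                num = num * (-k) % PRIME
                den = den * (j - k) % PRIME
        total = (total + y * num * pow(den, -1, PRIME)) % PRIME
    return total

def poly_eval(x1, x2, x3):
    """Constructed functionality F(x1, x2, x3) = 3*x1*x2 + x3^2, total degree 2."""
    return (3 * x1 * x2 + x3 * x3) % PRIME

def evaluate_on_shares(inputs, t, n_shares, seed=1):
    """Interpolate(Poly-Eval(input shares)): evaluate F share-wise, then reconstruct."""
    rng = random.Random(seed)
    per_input = [share(x, t, n_shares, rng) for x in inputs]
    # Position j of the output uses share j of every input.
    out_shares = [poly_eval(*column) for column in zip(*per_input)]
    return interpolate_at_zero(out_shares)
```

The output shares lie on a polynomial of degree `t * deg(F)`, so reconstruction needs more than that many shares; with degree-2 sharing and a degree-2 functionality, five shares reconstruct `F(inputs)` and four do not.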
18
Building blocks
Lagrange Interpolation Protocol Over Encrypted Values:
– given $A > d+1$ encrypted points $(1, \mathrm{ENC}_{pk}(y_1, r_1)), \dots, (A, \mathrm{ENC}_{pk}(y_A, r_A))$
– check that they lie on poly of degree $d$: $\mathrm{ENC}_{pk}(y_i, r_i) = \prod_{j=1}^{d+1} \left(\mathrm{ENC}_{pk}(y_j, r_j)\right)^{L_j(i)}$
– synchronized randomness
Randomness Interpolation
– given $(1, y_1), \dots, (A, y_A)$, $r_1, \dots, r_{d+1}$
– compute $r_{d+2}, \dots, r_A$
– Encrypted interpolation holds for $[i, \mathrm{ENC}_{pk}(y_i, r_i)]_{1 \le i \le A}$
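The degree check and the randomness interpolation above, as an added example that is not code from the presentation. It assumes plain single-key Paillier with tiny constructed primes instead of threshold Paillier, where combining randomness ($\oplus$) is multiplication mod N and $r \odot c$ is $r^c$ mod N; all names and sample values are hypothetical.

```python
# Toy Paillier parameters (constructed, far too small for real use).
P, Q = 1019, 1031
N, N2 = P * Q, (P * Q) ** 2

def enc(m, r):
    """ENC(m; r) = (1+N)^m * r^N mod N^2."""
    return pow(1 + N, m % N, N2) * pow(r, N, N2) % N2

def lagrange(j, i, d):
    """Lagrange coefficient L_j(i) mod N for the base points 1..d+1."""
    num = den = 1
    for k in range(1, d + 2):
        if k != j:
            num = num * (i - k) % N
            den = den * (j - k) % N
    return num * pow(den, -1, N) % N

def interp_randomness(rs, i, d):
    """r_i = prod_j r_j^{L_j(i)} mod N, from r_1..r_{d+1}."""
    out = 1
    for j in range(1, d + 2):
        out = out * pow(rs[j - 1], lagrange(j, i, d), N) % N
    return out

def interp_ciphertext(cts, i, d):
    """prod_{j=1}^{d+1} c_j^{L_j(i)} mod N^2, using ciphertexts only."""
    out = 1
    for j in range(1, d + 2):
        out = out * pow(cts[j - 1], lagrange(j, i, d), N2) % N2
    return out

def degree_check(cts, d):
    """True iff each point beyond the first d+1 equals its encrypted interpolation."""
    return all(cts[i - 1] == interp_ciphertext(cts, i, d)
               for i in range(d + 2, len(cts) + 1))

def demo(d=2, A=6):
    poly = lambda x: (7 + 3 * x + 5 * x * x) % N   # constructed degree-2 polynomial
    ys = [poly(i) for i in range(1, A + 1)]
    rs = [17, 23, 29]                              # r_1..r_{d+1}, constructed
    rs += [interp_randomness(rs, i, d) for i in range(d + 2, A + 1)]
    good = [enc(y, r) for y, r in zip(ys, rs)]
    bad = list(good)
    bad[4] = enc(ys[4] + 1, rs[4])                 # fifth share moved off the polynomial
    return degree_check(good, d), degree_check(bad, d)
```

Because the randomness is interpolated alongside the plaintexts, the check is an exact ciphertext equality and needs no decryption.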
19
Efficient Input Preprocessing
Polynomial Degree Reduction
– Change of variables
– Polynomial $Q(y)$ of degree $n$ (Deg: $n$)
– $Q(y_0, y_1, y_2, \dots, y_{\log n})$ (Deg: $\log n$)
– $y_0 = y$, $y_1 = y^2$, $y_2 = y^4$, …, $y_{\log n} = y^{2^{\log n}}$
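The change of variables on this slide, as an added example that is not code from the presentation. Each power $y^e$ is rewritten as the product of the $y_k$ selected by the binary digits of $e$; the sample polynomial, the modulus and all function names are constructed for the illustration.

```python
# Constructed sample: Q(y) = 4 + 3y^2 + y^5 + 2y^7 + 5y^13 over Z_P (degree n = 13).
COEFFS = [4, 0, 3, 0, 0, 1, 0, 2, 0, 0, 0, 0, 0, 5]
P = 10007

def new_variables(y, n, p):
    """y_k = y^(2^k) mod p for k = 0..floor(log2 n), by repeated squaring."""
    ys = [y % p]
    for _ in range(n.bit_length() - 1):
        ys.append(ys[-1] * ys[-1] % p)
    return ys

def squares_consistent(ys, p):
    """The relation a proof of correct new variables must establish: y_{k+1} = y_k^2."""
    return all(ys[k + 1] == ys[k] * ys[k] % p for k in range(len(ys) - 1))

def reduce_degree(coeffs):
    """Map Q(y) = sum coeffs[e]*y^e to {set of k with bit k of e set: coeffs[e]}."""
    return {frozenset(k for k in range(e.bit_length()) if e >> k & 1): a
            for e, a in enumerate(coeffs) if a}

def total_degree(terms):
    """Largest number of distinct variables multiplied in any monomial."""
    return max(len(var_idx) for var_idx in terms)

def eval_reduced(terms, ys, p):
    """Evaluate the multilinear form on the new variables y_0..y_log n."""
    total = 0
    for var_idx, a in terms.items():
        prod = a
        for k in var_idx:
            prod = prod * ys[k] % p
        total = (total + prod) % p
    return total

def eval_direct(coeffs, y, p):
    """Horner evaluation of the original degree-n polynomial, for comparison."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * y + a) % p
    return acc
```

For the sample polynomial the degree drops from 13 to 3 over four variables, and the two evaluations agree only when the supplied variables really are successive squares.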
20
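Proof of Knowledge and Verification
– Correct computation of new variables
– Correct degree of input sharing polynomials
[Figure: proof protocol]
– Input – Prover: $x_1, \dots, x_n$ with $(x_1, \dots, x_n) \in L$; Common: $c_1, \dots, c_n$, $L$; $c_i = \mathrm{ENC}(x_i)$
– Proof – $\mathrm{enc}(r_1), \mathrm{enc}(r_2), \dots, \mathrm{enc}(r_n)$; $c_1 * \mathrm{enc}(r_1), c_2 * \mathrm{enc}(r_2), \dots, c_n * \mathrm{enc}(r_n)$; open (0, 1): $(x_1 + r_1, \dots, x_n + r_n) \in L$, $(r_1, \dots, r_n) \in L$; $c_i * \mathrm{enc}(r_i) = \mathrm{enc}(x_i + r_i)$
– Output – Verifier: Accept/Reject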
21
Protocol Outline
22
– Efficient preprocessing for each variable in the multivariate polynomial
– Commit to shares of new variables
23
Each party $P_i$ contributes his inputs
– in each monomial $s$, for each share $j$: $b_{i+1,j,s} = b_{i,j,s} \oplus h_i(\text{share } j \text{ of } P_i) \cdot \mathrm{Enc}(0, r_{i,j,s})$
– $r_{i,j,s}$ generated with randomness interpolation protocol
24
Each party re-randomizes the final output shares $S_1, \dots, S_{10kD}$
– Randomizing polynomial $P_{j,0}(0) = 0$
– Shares $(1, P_{j,0}(1)), \dots, (10kD, P_{j,0}(10kD))$
– Re-randomized output shares $S'_i = S_i \cdot \prod_{j=1}^{m} \mathrm{ENC}_{pk}(P_{j,0}(i); r_{j,i})$
– $r_{j,kD+2}, \dots, r_{j,10kD}$ generated with randomness interpolation protocol
25
– All parties verify that the encrypted output shares $S_i$ lie on a polynomial of degree $kD$
– Parties select a subset of the shares of size $k$ and decommit corresponding shares
– Parties verify the computation of the open shares
[Figure: shares $P_1(1)$, $P_2(1)$, Com($P_1(2)$), Com($P_2(2)$), Com($P_1(3)$), Com($P_2(3)$), $P_1(1)$, $P_2(4)$, …, Com($P_1(10kD)$), Com($P_2(10kD)$); labels: Verify computation, Verify degree]
26
– The parties run threshold decryption for each of the output shares
– The output receiver interpolates the output value from the shares
27
Protocol Complexities
Amortized – sharing with multiple secrets
Communication complexity
– Round table – between consecutive parties: intermediate protocol messages, $O(Dn(m-1))$; $m$ parties, $n$ monomials, $D$ sum of log variable degrees
– Broadcast – input commitments, decommitments in verification phase; smaller than polynomial representation: $O\left(D \left(\sum_{j=1}^{m} \sum_{t=1}^{L_j} \log \alpha_{j,t}\right)\right)$; $\alpha_{j,t}$ highest degree of variable, $L_j$ inputs for party $j$
Computational complexity $O(Dnm)$
28
Multiparty set intersection
[Equation not recoverable from extraction; surviving pieces: $P(x)$ = … · … + …, terms $r_i$, $P_i(x)$, $x$, limits $j=1$, $m-1$]
– $r_i = r_{i,1} + \dots + r_{i,m}$, $r_{i,j}$ randomness from party $j$
– $P_i(x)$ represents the input set of party $i$
Optimizations:
– Only two parties have inputs per each monomial
– Inputs that are used only once do not need to be shared
Complexity – $m$ parties, $d$ inputs each:
– Communication – $O(md + 10d \log^2 d)$; CJS10 – quadratic in number of parties, other solutions worse complexity
– Computation – $O(md^2 \log d)$
29
Thank You! Questions?