Published by Rudolf Anderson. Modified over 9 years ago.
1
Efficient and Robust Private Set Intersection and multiparty multivariate polynomials
Dana Dachman-Soled¹, Tal Malkin¹, Mariana Raykova¹, Moti Yung¹,²
¹ Columbia University, ² Google Inc.
2
Efficient and Robust Private Set Intersection
Dana Dachman-Soled¹, Tal Malkin¹, Mariana Raykova¹, Moti Yung¹,²
¹ Columbia University, ² Google Inc.
Warning: many details skipped, some cheating!
3
Set Intersection Functionality
[Diagram: Client with set X, |X| = n; Server with set Y, |Y| = m; Trusted Party]
4
Set Intersection Functionality
[Diagram: Trusted Party; Server with set Y, |Y| = m; Client with set X, |X| = n]
5
Set Intersection Functionality
[Diagram: Client with set X, |X| = n; Server with set Y, |Y| = m; Trusted Party]
– Widely used in the area of Privacy Preserving Data Mining
– Enables institutions to share personal information such as medical or financial records.
6
Wasn’t this already done?
– FNP04 – semi-honest case, malicious in the random oracle model
– KS05 – semi-honest + ZKN proofs
– HL08 – one side simulatability and covert adversaries
– JL09 – malicious case, polynomial size domains, Decisional q-Diffie-Hellman Inversion Assumption
7
Our Results
– First Set Intersection protocol secure against malicious parties in the standard simulation model
– Black-box construction assuming (singly) homomorphic encryption with a natural property (satisfied by known constructions)
– Additive El-Gamal (DDH); Paillier (DCR)
– Extensions: multi-party set intersection; general multivariate polynomials
8
Homomorphic Encryption
– Additive homomorphic property: $\mathrm{Enc}(x, r_1) \cdot \mathrm{Enc}(y, r_2) = \mathrm{Enc}(x + y, r_3)$
– Additional property: can compute $r_3$ from $r_1$ and $r_2$; known schemes have this property
– ElGamal: additive homomorphism variant; inefficient decryption, equality comparison possible
– Paillier
9
Our Results
Communication complexity: $O(mk^2 \log^2(n) + nk)$
– SMC circuit evaluation – size of circuit + ZK proofs (at least $nm$, even before ZK)
– Realistic scenarios – $m, n \gg k$
10
Overview of Technique (with missing steps)
– Start from semi-honest [FNP] using a polynomial
– Add redundancy using [Shamir] polynomial secret sharing (motivated by [CDMW08] techniques)
– Rely on commutative nature of polynomials to translate input shares to output shares for reconstruction (Lagrange interpolation)
– Cut and choose to enforce honest behavior
– Input preprocessing for degree reduction
11
Semi-Honest Protocol [FNP04]
– Client represents its input set $X$, $|X| = n$, with a polynomial $Q(x)$ of deg $n$, s.t. $Q(x_i) = 0$ iff $x_i \in X$
– Client sends to Server the encrypted coefficients of $Q$ under homomorphic encryption Enc
– Server evaluates Enc of $Q'(y_i) := Q(y_i) \cdot r_i + y_i$ (deg $n$) for every $y_i$ in his input set $Y$ and sends to Client $c_i = \mathrm{Enc}(Q'(y_i))$
– Client decrypts each $c_i$ and outputs $\mathrm{Dec}(c_i)$ if and only if it is in $X$ (= iff it is in the intersection)
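The semi-honest exchange on this slide, end to end, as an added example that is not from the original presentation. It assumes Paillier as the additively homomorphic scheme (one of the two instantiations the slides name); the tiny demo primes and the function names are constructed for illustration and offer no security.

```python
import secrets

# Toy Paillier with g = N + 1. Demo primes are constructed values: NOT secure.
PRIME_P, PRIME_Q = 2**89 - 1, 2**61 - 1
N = PRIME_P * PRIME_Q
N2 = N * N
PHI = (PRIME_P - 1) * (PRIME_Q - 1)
MU = pow(PHI, -1, N)

def enc(m):
    r = secrets.randbelow(N - 1) + 1
    return (1 + (m % N) * N) * pow(r, N, N2) % N2

def dec(c):
    return (pow(c, PHI, N2) - 1) // N * MU % N

def poly_from_roots(xs):
    """Coefficients (lowest degree first) of Q(x) = prod (x - x_j) mod N."""
    coeffs = [1]
    for x in xs:
        nxt = [0] * (len(coeffs) + 1)
        for k, a in enumerate(coeffs):
            nxt[k] = (nxt[k] - x * a) % N
            nxt[k + 1] = (nxt[k + 1] + a) % N
        coeffs = nxt
    return coeffs

def server_reply(enc_coeffs, ys):
    """For each y: Enc(Q(y) * r + y), computed on ciphertexts only."""
    replies = []
    for y in ys:
        acc = 1                              # trivial encryption of 0
        for c in reversed(enc_coeffs):       # Horner: Enc(acc * y + a_k)
            acc = pow(acc, y, N2) * c % N2
        r = secrets.randbelow(N - 1) + 1     # fresh blinding factor r_i
        replies.append(pow(acc, r, N2) * enc(y) % N2)
    return replies

def intersect(client_set, server_set):
    enc_coeffs = [enc(a) for a in poly_from_roots(client_set)]  # client -> server
    replies = server_reply(enc_coeffs, server_set)               # server -> client
    return {m for m in map(dec, replies) if m in client_set}

if __name__ == "__main__":
    print(intersect({3, 17, 42, 99}, {5, 17, 99, 1000}))
```

Nothing here forces the server to use the same $y_i$ in every term of $Q'$, which is the gap the following slides address.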
12
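Malicious Server
Can use inconsistent values for its inputs
$Q'(y_i) = Q(y_i) \cdot r_i + y_i$, where $Q(y_i) = a_n y_i^n + a_{n-1} y_i^{n-1} + \ldots + a_1 y_i^1 + a_0$
[Diagram: the occurrences of $y_i$ in the terms of $Q'(y_i)$ replaced by different values $y_i$, $y_i'$, $y_i''$]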
13
Overview of Technique (with missing steps)
– Start from semi-honest [FNP] using a polynomial
– Add redundancy using [Shamir] polynomial secret sharing (motivated by [CDDIM] techniques)
– Rely on commutative nature of polynomials to translate input shares to output shares for reconstruction (Lagrange interpolation)
– Cut and choose to enforce honest behavior
– Input preprocessing for degree reduction
14
Step 1: Input Sharing
Server shares and commits to preprocessed inputs using Shamir secret sharing (= Reed-Solomon code)
Server’s Computation, for each preprocessed input: $y_i \to P_i$ where $P_i(0) = y_i$, $\deg(P_i) = k$
Send commitments to client: $\mathrm{Com}(P_i(1)), \mathrm{Com}(P_i(2)), \mathrm{Com}(P_i(3)), \mathrm{Com}(P_i(4)), \ldots, \mathrm{Com}(P_i(10kD))$
$D$ = degree of output sharing polynomial: TBD
15
Step 2: Polynomial Evaluation on Shares
For each $y_i$: Server evaluates (encrypted) $Q'$ on the corresponding shares, to get (encrypted versions of) output shares
Server’s Computation: $Q'(P_i(1)), Q'(P_i(2)), Q'(P_i(3)), Q'(P_i(4)), \ldots, Q'(P_i(10kD))$
Client can decrypt, interpolate $Q'P_i$, and evaluate on 0 to get $Q'(P_i(0)) = Q'(y_i)$ as wanted.
16
Step 3: Cut and Choose
Open $k$ of the committed shares to show that $Q'$ was computed correctly for those shares
Server’s Computation: $Q'(P_i(1)), Q'(P_i(2)), Q'(P_i(3)), Q'(P_i(4)), \ldots, Q'(P_i(10kD))$
17
Output Polynomial Degree
– Determines the number of output shares
– Total degree $D = nk + k$
– Total number of shares $10kD$
$Q'(y_i) = Q(y_i) \cdot r_i + y_i = Q(P_i(j)) \cdot R_{r_i}(j) + P_i(j)$ (diagram labels: deg $n$, deg $k$)
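Steps 1 to 3 and the degree count $D = nk + k$, worked in the clear over a prime field, as an added example that is not from the original presentation. Commitments and encryption are left out, the sample polynomial and all names are constructed, and only the minimum $D + 1$ shares are used rather than the slides' $10kD$.

```python
import secrets

PRIME = 2**61 - 1                      # field modulus, constructed for the demo

def ev(coeffs, x):
    """Horner evaluation; coefficients are lowest degree first."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % PRIME
    return acc

def share_poly(secret, k):
    """Random polynomial of degree exactly k with value `secret` at 0."""
    mid = [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [secret % PRIME] + mid + [secrets.randbelow(PRIME - 1) + 1]

def server_shares(Q, y, r, k, count):
    """Input shares (P(j), R(j)) and output shares Q(P(j))*R(j) + P(j)."""
    P, R = share_poly(y, k), share_poly(r, k)
    ins = {j: (ev(P, j), ev(R, j)) for j in range(1, count + 1)}
    outs = {j: (ev(Q, p) * rr + p) % PRIME for j, (p, rr) in ins.items()}
    return ins, outs

def interpolate_at_zero(points):
    """Lagrange interpolation of the share polynomial, evaluated at 0."""
    total = 0
    for xj, yj in points.items():
        num = den = 1
        for xm in points:
            if xm != xj:
                num = num * -xm % PRIME
                den = den * (xj - xm) % PRIME
        total = (total + yj * num * pow(den, -1, PRIME)) % PRIME
    return total

def audit(Q, ins, outs, opened):
    """Cut and choose: recompute Q' on each opened input share."""
    return all((ev(Q, ins[j][0]) * ins[j][1] + ins[j][0]) % PRIME == outs[j]
               for j in opened)

# Constructed sample: Q(x) = (x-3)(x-17)(x-42), so n = 3; sharing degree k = 2.
Q_COEFFS = [-2142, 891, -62, 1]
N_DEG, K = 3, 2
D = N_DEG * K + K                      # degree of the output sharing polynomial
```

With $D + 1$ output shares the interpolated value at 0 is exactly $Q(y_i) \cdot r_i + y_i$; with only $D$ shares it is not, which is why the output degree fixes how many shares the server must produce.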
18
Overview of Technique (with missing steps)
– Start from semi-honest [FNP] using a polynomial
– Add redundancy using [Shamir] polynomial secret sharing (motivated by [CDMW] techniques)
– Rely on commutative nature of polynomials to translate input shares to output shares for reconstruction (Lagrange interpolation)
– Cut and choose to enforce honest behavior
– Input preprocessing for degree reduction
19
Efficient Input Preprocessing
Polynomial Degree Reduction
Change of variables: polynomial $Q(y)$ of degree $n$
$Q(y)$ (deg $n$) $\to$ $Q(y_0, y_1, y_2, \ldots, y_{\log n})$ (deg $\log n$)
$y_0 = y$, $y_1 = y^2$, $y_2 = y^4$, $\ldots$, $y_{\log n} = y^{2^{\log n}}$
20
Other Components (skipped)
– Homomorphic Encryption
– Zero Knowledge Proofs of Knowledge for client’s and server’s polynomials
– Coin tossing for cut and choose
– Etc.
Improved Communication Complexity: $O(mk^2 \log^2(n) + nk)$
– Important in realistic scenarios with large input sets, $m, n \gg k$
21
Multi-Party Multivariate Polynomials
– Basic setting: public multivariate polynomial (poly size representation) over private inputs.
– Alternatively: coefficients are also private.
– Optimizations for specific polynomials, including multi-party set intersection
Our results:
– Secure protocol (no honest majority, with broadcast) from homomorphic encryption with threshold decryption (Paillier)
– Round table protocol with constant rounds
– Same approach as above, but several technical issues to overcome (interpolating over encrypted values, handling errors, proofs of knowledge…)
22
Thank you!
23
Preprocessing Verification
– Correct computation of new variables
– Correct degree of input sharing polynomials
HEPKPV Protocol (labels: input, proof, output)
Party 1: $x_1, \ldots, x_n$
Common: $c_1, \ldots, c_n$, $L$
$(x_1, \ldots, x_n) \in L$, $c_i = \mathrm{ENC}(x_i)$
Party 2: Accept/Reject
[Diagram: $\mathrm{enc}(r_1), \mathrm{enc}(r_2), \ldots, \mathrm{enc}(r_n)$; $c_1 \cdot \mathrm{enc}(r_1), c_2 \cdot \mathrm{enc}(r_2), \ldots, c_n \cdot \mathrm{enc}(r_n)$; $x_1 + r_1, \ldots, x_n + r_n \in L$; $r_1, \ldots, r_n \in L$; open: 0, 1]
24
Client Simulator
– Extracts Client’s input in HEPKPV
– Submits to TP and receives output
– Shares output and commits as output shares
– Simulates Server in interaction with Client, committing to random input
– Makes sure it can open correctly and verify computation of $k$ output shares
– Rewinds coin-tossing for cut-and-choose to select the above $k$ shares
25
Server Simulator
– Simulates the Client in the interaction with the Server using random encryption of 0
– Extracts Server’s inputs in HEPKPV
– Rewinds coin tossing to open all Server’s shares
– Makes sure that most output shares are consistent with extracted input
– If the above holds, submits extracted input to TP
26
Communication Complexity
Improved Communication Complexity
– $O(mk^2 \log^2(n) + nk)$
– circuit evaluation – size of circuit – $mn$ ZKN proofs
– Important in realistic scenarios with large input sets, $m, n \gg k$