Secure Efficient Multiparty Computing of Multivariate Polynomials and Applications
Transcript of Secure Efficient Multiparty Computing of Multivariate Polynomials and Applications
Dana Dachman-Soled, Tal Malkin, Mariana Raykova, Moti Yung
[Figure: inputs x1, x2, x3, x4; outputs F1(x1,x3,x3), F2(x1,x3,x3), F3(x1,x3,x3), F4(x1,x3,x3)]
Secure Multiparty Computation
How can multiple parties compute a function on their private inputs without leaking more than the result?
Secure Multiparty Computation
Feasible – [Yao82], [GMW87], [CDv88], [BG89], [BG90], [Cha90], [Bea92], …
Not Efficient – communication and computation proportional to circuit size
Multivariate Polynomials
Applications
• Multiparty set intersection
• Linear algebra: matrix arithmetic, inverse, determinant, eigenvalues
• Statistics functions: average, standard deviation, variance, chi-square test, computing Pearson’s correlation coefficients
• Taylor series approximation: trigonometric functions, logarithms, exponents, square root
Outsourced computation
• many workers
• at least one honest
• Computation on shares
• Reconstruction of output
Our Results
• Multiparty computation protocol for functionalities that can be represented as multivariate polynomials
– Improvement of generic complexity for multiple parties (left as open problem in FM10)
• Security:
– Against malicious majority
– Proofs in the standard simulation model
• Black box construction from homomorphic encryption with a natural property…
– Instantiated through threshold Paillier encryption (decisional composite residuosity)
Our Results
• Efficiency:
– Communication complexity: FM10 is subexponential in the number of parties; we achieve fully polynomial (in all parameters) complexity:
• Broadcast complexity
• Round table complexity
– Constant number of round table rounds
• Application construction: Multiparty Set Intersection
– Improve complexity of existing multiparty solutions KS05, SS09, CJS10
Building Blocks
• Input sharing using committed Shamir/Reed-Solomon codes
$P_X(0) = X$, shares $P_X(1), \ldots, P_X(D)$
• Vector Homomorphic Encryption
$\mathrm{ENC}(m_1; r_1) \otimes \mathrm{ENC}(m_2; r_2) = \mathrm{ENC}(m_1 + m_2;\ r_1 \oplus r_2)$
$\mathrm{ENC}(m; r)^c = \mathrm{ENC}(c \cdot m;\ r \odot c)$
– Instantiation: threshold Paillier encryption
Building Blocks
• Polynomial code commutativity
Interpolate(Poly-Eval(input shares)) = Poly-Eval(Interpolate(input shares)) = Poly-Eval(inputs)
• Incremental encrypted polynomial evaluation
– Each monomial $M = c \cdot \prod_{i=1}^{\#\text{parties}} h_i(\text{inputs of party } i)$
– $b_0 = \mathrm{Enc}(c)$; $b_{i+1} = b_i \oplus h_i(\text{inputs of party } i)$
– $b_{i+1}$ / $b_i$: encryption of partial evaluation of M with inputs from first i+1 / i parties
– Constant for homomorphic property
Building Blocks
• Lagrange Interpolation Protocol Over Encrypted Values:
– given A > d+1 encrypted points $(1, \mathrm{ENC}_{pk}(y_1, r_1)), \ldots, (A, \mathrm{ENC}_{pk}(y_A, r_A))$
– check that they lie on a polynomial of degree d: $\mathrm{ENC}_{pk}(y_i, r_i) = \prod_{j=1}^{d+1} (\mathrm{ENC}_{pk}(y_j, r_j))^{L_j(i)}$
– synchronized randomness
• Randomness Interpolation
– given $(1, y_1), \ldots, (A, y_A)$, $r_1, \ldots, r_{d+1}$
– compute $r_{d+2}, \ldots, r_A$
– Encrypted interpolation holds for $[i, \mathrm{ENC}_{pk}(y_i, r_i)]_{1 \le i \le A}$
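The encrypted degree check and the randomness interpolation, worked for Paillier as an added example (not code from the talk or the paper). It uses a single-key toy Paillier modulus in place of threshold Paillier; the function names, the sample polynomial and the way the remaining randomness is derived (the same Lagrange coefficients applied to r_1, …, r_{d+1} modulo N) are assumptions of this example.

```python
import math, random

# Toy Paillier modulus from two Mersenne primes (constructed; far too small for real use)
N = (2**31 - 1) * (2**61 - 1)
N2 = N * N

def enc(m, r):
    """ENC(m; r) = (1+N)^m * r^N mod N^2."""
    return pow(1 + N, m % N, N2) * pow(r, N, N2) % N2

def lagrange(j, i, d):
    """Lagrange coefficient L_j(i) mod N for interpolation nodes 1..d+1."""
    num = den = 1
    for k in range(1, d + 2):
        if k != j:
            num = num * (i - k) % N
            den = den * (j - k) % N
    return num * pow(den, -1, N) % N

def interpolate_randomness(rs, i, d):
    """r_i = prod_j r_j^{L_j(i)} mod N, so ENC(y_i; r_i) matches the encrypted interpolation."""
    return math.prod(pow(rs[j - 1], lagrange(j, i, d), N) for j in range(1, d + 2)) % N

def encrypted_points(coeffs, A, rng):
    """Encrypt f(1..A): fresh randomness for d+1 points, interpolated randomness for the rest."""
    d = len(coeffs) - 1
    f = lambda x: sum(c * x**k for k, c in enumerate(coeffs)) % N
    rs = [rng.randrange(2, N) for _ in range(d + 1)]
    rs += [interpolate_randomness(rs, i, d) for i in range(d + 2, A + 1)]
    return [enc(f(i), rs[i - 1]) for i in range(1, A + 1)]

def on_degree_d_poly(cts, d):
    """Public check on ciphertexts only: c_i == prod_{j<=d+1} c_j^{L_j(i)} mod N^2."""
    for i in range(d + 2, len(cts) + 1):
        acc = 1
        for j in range(1, d + 2):
            acc = acc * pow(cts[j - 1], lagrange(j, i, d), N2) % N2
        if acc != cts[i - 1]:
            return False
    return True

def demo(seed=7):
    rng = random.Random(seed)
    cts = encrypted_points([42, 5, 17], 6, rng)  # constructed degree-2 polynomial, A = 6 points
    wrong_value = cts[:-1] + [cts[-1] * enc(1, 1) % N2]                   # y_A shifted by 1
    fresh_rand = cts[:-1] + [cts[-1] * enc(0, rng.randrange(2, N)) % N2]  # same y_A, new r
    return on_degree_d_poly(cts, 2), on_degree_d_poly(wrong_value, 2), on_degree_d_poly(fresh_rand, 2)
```

The third result shows why the randomness has to be synchronized: a point with the correct plaintext but independent randomness fails the ciphertext equality, because the verifier never decrypts.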
Efficient Input Preprocessing
• Polynomial Degree Reduction
• Change of variables
• Polynomial Q(y) of degree n
$Q(y)$, Deg: $n$
$Q(y_0, y_1, y_2, \ldots, y_{\log n})$, Deg: $\log n$
$y_0 = y$
$y_1 = y^2$
$y_2 = y^4$
……….
$y_{\log n} = y^{2^{\log n}}$
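Polynomial code commutativity and the change of variables, combined in one added example (not code from the talk or the paper): a polynomial is evaluated share by share and the result interpolated, first on shares of y alone and then on separately shared y, y^2, y^4. The field, the polynomial Q, the sharing degree d and all function names are assumptions; the shares are plain Shamir shares, without the commitments and encryption the protocol adds.

```python
import random

P = 2**61 - 1  # prime field for the shares (constructed parameter)

def share(secret, d, n, rng):
    """Shamir shares p(1..n) of a random degree-d polynomial p with p(0) = secret."""
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(d)]
    return [sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P
            for x in range(1, n + 1)]

def interpolate_at_zero(ys):
    """Lagrange interpolation at x = 0 through (1, ys[0]), ..., (len(ys), ys[-1])."""
    n, total = len(ys), 0
    for j in range(1, n + 1):
        num = den = 1
        for k in range(1, n + 1):
            if k != j:
                num = num * (-k) % P
                den = den * (j - k) % P
        total = (total + ys[j - 1] * num * pow(den, -1, P)) % P
    return total

def q_direct(y):
    """Q(y) = y^5 + 3y^2 + 7, degree n = 5 in the original variable."""
    return (pow(y, 5, P) + 3 * pow(y, 2, P) + 7) % P

def q_reduced(y0, y1, y2):
    """Same Q after y0 = y, y1 = y^2, y2 = y^4: every monomial has degree <= 2."""
    return (y2 * y0 + 3 * y1 + 7) % P

def evaluate_on_shares(y, d=2, seed=1):
    rng = random.Random(seed)
    # Without preprocessing, Q(shares) lies on a polynomial of degree 5d: 5d + 1 points needed.
    direct_shares = share(y, d, 5 * d + 1, rng)
    direct = interpolate_at_zero([q_direct(s) for s in direct_shares])
    # With the new variables shared separately the degree is 2d: 2d + 1 points suffice.
    new_vars = [share(pow(y, e, P), d, 2 * d + 1, rng) for e in (1, 2, 4)]
    reduced = interpolate_at_zero([q_reduced(*pt) for pt in zip(*new_vars)])
    # 2d + 1 points are too few for the unreduced polynomial: interpolation misses Q(y).
    too_few = interpolate_at_zero([q_direct(s) for s in direct_shares[:2 * d + 1]])
    return direct, reduced, too_few
```

Sharing y^2 and y^4 as fresh inputs is what makes the proof of correct computation of the new variables necessary: nothing in the sharing itself ties them to y.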
Proof of Knowledge and Verification
• Correct computation of new variables
• Correct degree of input sharing polynomials
Input
Prover: $x_1, \ldots, x_n$
Common: $c_1, \ldots, c_n$, $L$, with $(x_1, \ldots, x_n) \in L$ and $c_i = \mathrm{ENC}(x_i)$
Proof
$\mathrm{enc}(r_1), \mathrm{enc}(r_2), \ldots, \mathrm{enc}(r_n)$
$c_1 * \mathrm{enc}(r_1), c_2 * \mathrm{enc}(r_2), \ldots, c_n * \mathrm{enc}(r_n)$
open (0, 1, …): $(r_1, \ldots, r_n) \in L$; $(x_1 + r_1, \ldots, x_n + r_n) \in L$
$c_i * \mathrm{enc}(r_i) = \mathrm{enc}(x_i + r_i)$
Output
Verifier: Accept/Reject
Protocol Outline
• Efficient preprocessing for each variable in the multivariate polynomial
• Commit to shares of new variables
• Each party Pi contributes his inputs – in each monomial s for each share j
$b_{i+1,j,s} = b_{i,j,s} \oplus h_i(\text{share } j \text{ of } P_i) \cdot \mathrm{Enc}(0, r_{i,j,s})$
$r_{i,j,s}$ generated with randomness interpolation protocol
• Each party re-randomizes the final output shares $S_1, \ldots, S_{10kD}$
– Randomizing polynomial $P_{j,0}(0) = 0$
– Shares $(1, P_{j,0}(1)), \ldots, (10kD, P_{j,0}(10kD))$
– Re-randomized output shares $S'_i = S_i \cdot \prod_{j=1}^{m} \mathrm{ENC}_{pk}(P_{j,0}(i); r_{j,i})$
$r_{j,kD+2}, \ldots, r_{j,10kD}$ generated with randomness interpolation protocol
• All parties verify that the encrypted output shares Si lie on a polynomial of degree kD
• Parties select a subset of the shares of size k and decommit corresponding shares
• Parties verify the computation of the open shares
[Figure: shares P1(1), P2(1), P2(4) and commitments Com(P1(2)), Com(P2(2)), Com(P1(3)), Com(P2(3)), …, Com(P1(10kD)), Com(P2(10kD)); labels: Verify computation, Verify degree]
• The parties run threshold decryption for each of the output shares
• The output receiver interpolates the output value from the shares
Protocol Complexities
• Amortized – sharing with multiple secrets
• Communication complexity
– Round table – between consecutive parties: intermediate protocol messages
• O(Dn(m-1)), m parties, n monomials, D sum of log variable degrees
– Broadcast – input commitments, decommitments in verification phase
• Smaller than polynomial representation
• O(D (j=1 j=1 log αj,t ))
• αj,t highest degree of variable, Lj inputs for party j
• Computational complexity
• O(Dnm)
m Lj
Multiparty set intersection = · +
• Optimizations:
– Only two parties have inputs per each monomial
– Inputs that are used only once do not need to be shared
• Complexity - m parties, d inputs each:
– Communication - O(md + 10d log2 d); CJS10 – quadratic in number of parties, other solutions worse complexity
– Computation - O(md2 log d)
P(x) P(x) ri ri Pi(x)Pi(x) x x
ri = ri,1 + … + ri,m
ri,j randomness from party j
Pi(x) represents the input set of party i
j=1 j=1
m-1
Thank You!
• Questions?