Secure Efficient Multiparty Computing of Multivariate Polynomials and Applications - PowerPoint PPT Presentation

1 / 29
About This Presentation
Title:

Secure Efficient Multiparty Computing of Multivariate Polynomials and Applications

Description:

Secure Efficient Multiparty Computing of Multivariate Polynomials and Applications Dana Dachman-Soled, Tal Malkin, Mariana Raykova, Moti Yung We introduce for ... – PowerPoint PPT presentation

Number of Views:126
Avg rating:3.0/5.0
Slides: 30
Provided by: Mariana53
Category:

less

Transcript and Presenter's Notes

Title: Secure Efficient Multiparty Computing of Multivariate Polynomials and Applications


1
Secure Efficient Multiparty Computing of
Multivariate Polynomials and Applications
  • Dana Dachman-Soled, Tal Malkin,
  • Mariana Raykova, Moti Yung

2
x1
x2
x3
x4
3
x1
F1(x1,x3,x3)
x2
x3
F2(x1,x3,x3)
F4(x1,x3,x3)
x4
F3(x1,x3,x3)
4
Secure Multiparty Computation How to compute a
function on the private inputs of multiple
parties not leaking more than the result?
5
Secure Multiparty Computation Feasible
Yao82, GMW87, CDv88, BG89, BG90,
Cha90, Bea92, Not Efficient
communication and computation proportional to
circuit size
6
x1
x2
Multivariate Polynomials
x3
x4
7
x1
x2
Multivariate Polynomials Applications
x3
x4
8
Multiparty Set Intersection
x1
x2
Multivariate Polynomials Applications
x3
x4
9
x1
x2
Multivariate Polynomials Applications
x3
x4
Linear Algebra matrix arithmetic,
inverse, determinant, Eigen values
10
x1
x2
Multivariate Polynomials Applications
x3
x4
Statistics functions average, standard
deviation, variance, chi-square test, computing
Pearsons correlation coefficients
11
Taylor series approximation
trigonometric functions, logarithms,
exponents, square root
x1
x2
Multivariate Polynomials Applications
x3
x4
12
  • Outsourced
  • computation
  • many workers
  • at least one honest

13
  • Outsourced
  • computation
  • Computation on shares,
  • Reconstruction of output

14
Our results
  • Multiparty computation protocol for
    functionalities that can be represented as
    multivariate polynomials
  • Improvement of generic complexity for multiple
    parties Left as open problem in FM10
  • Security
  • Against malicious majority
  • Proofs in the standard simulation model
  • Black box construction from homomorphic
    encryption with a natural property.
  • Instantiated through threshold Paillier
    encryption (decisional composite residuosity)

15
Our Results
  • Efficiency
  • Communication complexity FM10 subexponential in
    the number of parties, we achieve fully
    polynomial (in all parameters) complexity
  • Broadcast complexity
  • Round table complexity
  • Constant number round table rounds
  • Application construction Multiparty Set
    Intersection
  • Improve complexity of existing multiparty
    solutions KS05, SS09, CJS10

16
Building Blocks
  • Input sharing using committed Shamir/Reed-Solomon
    codes
  • PX(0) X shares PX(1), , PX(D)
  • Vector Homomorphic Encryption
  • ENC(m1 r1) ? ENC(m2 r2) ENC(m1 m2 r1 ?
    r2)
  • ENC(m r)c ENC(c m r ? c)
  • Instantiation threshold Paillier encryption

17
Building Blocks
  • Polynomial code commutativity
  • Interpolate (Poly-Eval (inputs shares))
  • Poly-Eval (Interpolate (inputs shares))
    Poly-Eval(inputs)
  • Incremental encrypted polynomial evaluation
  • Each monomial
  • M c ?i1 hi(inputs of party i)
  • b0
    ?

parties
bi1
Enc(c)
bi
hi(inputs of party i)
Encryption of partial evaluation of M with inputs
from first i1/i parties
Constant for homomorphic property
18
Building blocks
  • Lagrange Interpolation Protocol Over Encrypted
    Values
  • given A gt d1 encrypted points
  • (1, ENCpk(y1, r1)), . . . (A, ENCpk(yA, rA))
  • check that they lie on poly of degree d
  • ENCpk(yi,ri) ?j1 (ENCpk(yj,rj)) Lj(i)
  • synchronized randomness
  • Randomness Interpolation
  • given (1,y1),...,(A,yA),r1,...,rd1
  • compute rd2, . . . , rA
  • Encrypted interpolation holds for i, ENCpk(yi,
    ri)1iA

d1
19
Efficient Input Preprocessing
  • Polynomial Degree Reduction
  • Change of variables
  • Polynomial Q(y) of degree n

y0 y y1 y2 y2 y4 . y?log n? y2
y
?log n?
Q(y)
Q(y0,y1,y2 , y?log n? )
Deg n
Deg log n
20
Proof of Knowledge and Verification
  • Correct computation of new variables
  • Correct degree of input sharing polynomials

Output
Input
Proof
Prover x1,,xn Common c1,,cn, L
Verifier Accept/Reject
(x1,,xn) ? L ci ENC(xi)

(r1,,rn) ? L
0
enc(r1)
enc(r2)
enc(rn)

(x1r1,,xnrn) ? L
c1 enc(r1)
c2 enc(r2)
cn enc(rn)
1
open
ci enc(ri) enc(xiri)
21
Protocol Outline

22
  • Efficient preprocessing for each variable in the
    multivariate polynomial
  • Commit to shares of new variables

23
  • Each party Pi contributes his inputs
  • in each monomial s for each share j



bi1,j,s
bi,j,s?hi(share j of Pi)
Enc(0, ri,j,s)
ri,j,s generated with randomness interpolation
protocol
24
  • Each party re-randomizes the final output shares
    S1, , S10kD
  • Randomizng polynomial Pj,0(0) 0
  • Shares (1,Pj,0(1)),...,(10kD,Pj,0(10kD))
  • Re-randomized output shares

m
Si
Si
?j1 ENCpk(Pj,0(i)rj,i)
rj,kD2,...,rj,10kD generated with randomness
interpolation protocol
25
  • All parties verify that the encrypted output
    shares Si lie on a polynomial of degree kD
  • Parties select a subset of the shares of size k
    and decommit corresponding shares
  • Parties verify the computation of the open shares


P1(1)
Com(P1(2))
Com(P1(3))
P1(1)
Com(P1(10kD))
Verify degree

Verify degree
P2(1)
Com(P2(2))
Com(P2(3))
P2(4)
Com(P2(10kD))
Verify computation
Verify computation
26
  • The parties run threshold decryption for each of
    the output shares
  • The output receiver interpolates the output value
    from the shares

27
Protocol Complexities
  • Amortized sharing with multiple secrets
  • Communication complexity
  • Round table between consecutive parties
    intermediate protocol messages
  • O(Dn(m-1)), m parties, n monomials, D sum of log
    variable degrees
  • Broadcast input commitments, decommitments in
    verification phase
  • Smaller than polynomial representation
  • O(D (?j1 ?j1 log aj,t ))
  • aj,t highest degree of variable, Lj inputs for
    party j
  • Computational complexity
  • O(Dnm)

m
Lj
28
Multiparty set intersection
m-1
P(x)
Pi(x)

  • Optimizations
  • Only two parties have inputs per each monomial
  • Inputs that are used only once do not need to be
    shared
  • Complexity - m parties, d inputs each
  • Communication - O(md 10d log2 d) CJS10
    quadratic in number of parties, other solutions
    worse complexity
  • Computation - O(md2 log d)

ri
x
?j1
ri ri,1 ri,m ri,j randomness from party j
  • Pi(x) represents the input set of party i

29
Thank You!
  • Questions?
Write a Comment
User Comments (0)
About PowerShow.com