Title: Secure Efficient Multiparty Computing of Multivariate Polynomials and Applications
1 Secure Efficient Multiparty Computing of Multivariate Polynomials and Applications
- Dana Dachman-Soled, Tal Malkin, Mariana Raykova, Moti Yung
2
[Figure: x1, x2, x3, x4]
3
[Figure: x1, x2, x3, x4 with F1(x1,x3,x3), F2(x1,x3,x3), F3(x1,x3,x3), F4(x1,x3,x3)]
4 Secure Multiparty Computation
- How to compute a function on the private inputs of multiple parties not leaking more than the result?
5 Secure Multiparty Computation
- Feasible: Yao82, GMW87, CDv88, BG89, BG90, Cha90, Bea92
- Not Efficient: communication and computation proportional to circuit size
6 Multivariate Polynomials
[Figure: x1, x2, x3, x4]
7 Multivariate Polynomials Applications
[Figure: x1, x2, x3, x4]
8 Multivariate Polynomials Applications
- Multiparty Set Intersection
9 Multivariate Polynomials Applications
- Linear Algebra: matrix arithmetic, inverse, determinant, eigenvalues
10 Multivariate Polynomials Applications
- Statistics functions: average, standard deviation, variance, chi-square test, computing Pearson's correlation coefficients
11 Multivariate Polynomials Applications
- Taylor series approximation: trigonometric functions, logarithms, exponents, square root
12 Outsourced computation
- many workers
- at least one honest
13 Outsourced computation
- Computation on shares
- Reconstruction of output
14 Our results
- Multiparty computation protocol for functionalities that can be represented as multivariate polynomials
- Improvement of generic complexity for multiple parties
  - Left as open problem in FM10
- Security
  - Against malicious majority
  - Proofs in the standard simulation model
- Black box construction from homomorphic encryption with a natural property
  - Instantiated through threshold Paillier encryption (decisional composite residuosity)
15 Our Results
- Efficiency
  - Communication complexity: FM10 subexponential in the number of parties, we achieve fully polynomial (in all parameters) complexity
  - Broadcast complexity
  - Round table complexity
  - Constant number round table rounds
- Application construction: Multiparty Set Intersection
  - Improve complexity of existing multiparty solutions KS05, SS09, CJS10
16 Building Blocks
- Input sharing using committed Shamir/Reed-Solomon codes
  - $P_X(0) = X$, shares $P_X(1), \ldots, P_X(D)$
- Vector Homomorphic Encryption
  - $\mathrm{ENC}(m_1, r_1) \otimes \mathrm{ENC}(m_2, r_2) = \mathrm{ENC}(m_1 + m_2,\ r_1 \oplus r_2)$
  - $\mathrm{ENC}(m, r)^c = \mathrm{ENC}(c \cdot m,\ r \odot c)$
  - Instantiation: threshold Paillier encryption
17 Building Blocks
- Polynomial code commutativity
  - Interpolate(Poly-Eval(input shares)) = Poly-Eval(Interpolate(input shares)) = Poly-Eval(inputs)
- Incremental encrypted polynomial evaluation
  - Each monomial $M = c \prod_{i=1}^{m} h_i(\text{inputs of party } i)$, product over the parties
  - $b_0 = \mathrm{Enc}(c)$, $b_i = b_{i-1}^{\,h_i(\text{inputs of party } i)}$
  - $b_{i-1}$ / $b_i$: encryption of partial evaluation of $M$ with inputs from first $i-1$ / $i$ parties
  - $h_i(\text{inputs of party } i)$: constant for homomorphic property
18 Building blocks
- Lagrange Interpolation Protocol Over Encrypted Values
  - given $A > d+1$ encrypted points $(1, \mathrm{ENC}_{pk}(y_1, r_1)), \ldots, (A, \mathrm{ENC}_{pk}(y_A, r_A))$
  - check that they lie on a polynomial of degree $d$: $\mathrm{ENC}_{pk}(y_i, r_i) = \prod_{j=1}^{d+1} \mathrm{ENC}_{pk}(y_j, r_j)^{L_j(i)}$
  - synchronized randomness
- Randomness Interpolation
  - given $(1, y_1), \ldots, (A, y_A)$ and $r_1, \ldots, r_{d+1}$
  - compute $r_{d+2}, \ldots, r_A$
  - Encrypted interpolation holds for $(i, \mathrm{ENC}_{pk}(y_i, r_i))$, $1 \le i \le A$
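The degree check and the randomness interpolation of slide 18, using the homomorphic property of slide 16, as an added example (not code from the talk or the paper): the randomness of every share beyond the first d+1 is interpolated "in the exponent", so the check compares ciphertexts without decrypting. Plain Paillier stands in for the threshold scheme, and the toy modulus, function names and sample polynomial are assumptions of the example.

```python
import random

# Constructed toy modulus (two Mersenne primes); far too small for real use.
N = (2**31 - 1) * (2**61 - 1)
N2 = N * N

def enc(m, r):
    """Paillier ENC(m, r) = (1+N)^m * r^N mod N^2."""
    return pow(1 + N, m, N2) * pow(r, N, N2) % N2

def lagrange(j, i, d):
    """L_j(i) mod N for interpolation nodes 1..d+1."""
    num = den = 1
    for t in range(1, d + 2):
        if t != j:
            num = num * (i - t) % N
            den = den * (j - t) % N
    return num * pow(den, -1, N) % N

def combine(values, i, d, mod):
    """prod_{j=1}^{d+1} values[j]^{L_j(i)} mod `mod` (ciphertexts or randomness)."""
    out = 1
    for j in range(1, d + 2):
        out = out * pow(values[j - 1], lagrange(j, i, d), mod) % mod
    return out

def encrypt_shares(coeffs, A, seed=7):
    """Encrypt y_i = p(i), i = 1..A; randomness r_{d+2}..r_A is interpolated."""
    d = len(coeffs) - 1
    rng = random.Random(seed)
    ys = [sum(c * i**e for e, c in enumerate(coeffs)) % N for i in range(1, A + 1)]
    rs = [rng.randrange(2, N) for _ in range(d + 1)]
    rs += [combine(rs, i, d, N) for i in range(d + 2, A + 1)]
    return [enc(y, r) for y, r in zip(ys, rs)]

def degree_check(cts, d):
    """True iff ENC(y_i, r_i) equals the encrypted interpolation for every i > d+1."""
    return all(cts[i - 1] == combine(cts, i, d, N2)
               for i in range(d + 2, len(cts) + 1))

if __name__ == "__main__":
    shares = encrypt_shares([5, 3, 2], A=6)   # constructed p(x) = 5 + 3x + 2x^2, d = 2
    print(degree_check(shares, 2))            # honest shares
    shares[4] = shares[4] * (1 + N) % N2      # adds 1 to the plaintext of share 5
    print(degree_check(shares, 2))            # tampered share
```

Without the interpolated randomness the plaintexts would still lie on the polynomial, but the ciphertext equality would fail and the check would need decryption.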
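19 Efficient Input Preprocessing
- Polynomial Degree Reduction
- Change of variables
  - Polynomial $Q(y)$ of degree $n$
  - $y_0 = y,\ y_1 = y^2,\ y_2 = y^4,\ \ldots,\ y_{\lfloor \log n \rfloor} = y^{2^{\lfloor \log n \rfloor}}$
  - $Q(y)$ (Deg $n$) becomes $Q(y_0, y_1, y_2, \ldots, y_{\lfloor \log n \rfloor})$ (Deg $\log n$)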
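The change of variables above, as an added example (not from the talk or the paper): each power y^k is rewritten as the product of the y_i selected by the binary digits of k, so a degree-n polynomial becomes multilinear in the new variables with degree at most ⌊log₂ n⌋ + 1. The field modulus, function names and sample polynomial are assumptions of the example.

```python
P = 2**61 - 1  # constructed prime field modulus for the example

def new_variables(y, n):
    """y_i = y^(2^i) mod P for i = 0..floor(log2 n), by repeated squaring."""
    ys = [y % P]
    for _ in range(n.bit_length() - 1):
        ys.append(ys[-1] * ys[-1] % P)
    return ys

def squares_consistent(ys):
    """Relation y_{i+1} = y_i^2 that correctly computed new variables satisfy
    (checked here in the clear, not over encrypted values)."""
    return all(ys[i + 1] == ys[i] * ys[i] % P for i in range(len(ys) - 1))

def reduce_polynomial(coeffs):
    """Q(y) = sum a_k y^k  ->  {indices of the set bits of k: a_k}."""
    return {tuple(i for i in range(k.bit_length()) if (k >> i) & 1): a % P
            for k, a in enumerate(coeffs) if a % P}

def eval_reduced(monomials, ys):
    """Evaluate the reduced polynomial on the new variables."""
    total = 0
    for idxs, a in monomials.items():
        for i in idxs:
            a = a * ys[i] % P
        total = (total + a) % P
    return total

def eval_direct(coeffs, y):
    """Evaluate the original Q(y) for comparison."""
    return sum(a * pow(y, k, P) for k, a in enumerate(coeffs)) % P

def total_degree(monomials):
    """Largest number of new variables multiplied in any monomial."""
    return max(len(idxs) for idxs in monomials)

if __name__ == "__main__":
    Q = [4, 0, 1, 0, 0, 9, 0, 0, 0, 0, 0, 0, 2, 6]   # constructed, degree n = 13
    ys = new_variables(123456789, len(Q) - 1)
    Qr = reduce_polynomial(Q)
    print(len(ys), total_degree(Qr), eval_reduced(Qr, ys) == eval_direct(Q, 123456789))
```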
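20 Proof of Knowledge and Verification
- Correct computation of new variables
- Correct degree of input sharing polynomials
- Input: Prover $x_1, \ldots, x_n$; Common $c_1, \ldots, c_n, L$
- Output: Verifier Accept/Reject
- Proof: $(x_1, \ldots, x_n) \in L$, $c_i = \mathrm{ENC}(x_i)$
[Protocol diagram: $(r_1, \ldots, r_n) \in L$ with $\mathrm{enc}(r_1), \mathrm{enc}(r_2), \ldots, \mathrm{enc}(r_n)$; cases 0 and 1; open; $(x_1 + r_1, \ldots, x_n + r_n) \in L$ with $c_1 \otimes \mathrm{enc}(r_1), c_2 \otimes \mathrm{enc}(r_2), \ldots, c_n \otimes \mathrm{enc}(r_n)$; $c_i \otimes \mathrm{enc}(r_i) = \mathrm{enc}(x_i + r_i)$]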
21 Protocol Outline
22
- Efficient preprocessing for each variable in the multivariate polynomial
- Commit to shares of new variables
23
- Each party $P_i$ contributes his inputs in each monomial $s$ for each share $j$
  - $b_{i,j,s} = b_{i-1,j,s}^{\,h_i(\text{share } j \text{ of } P_i)} \otimes \mathrm{Enc}(0, r_{i,j,s})$
  - $r_{i,j,s}$ generated with randomness interpolation protocol
24
- Each party re-randomizes the final output shares $S_1, \ldots, S_{10kD}$
  - Randomizing polynomial $P_{j,0}$ with $P_{j,0}(0) = 0$
  - Shares $(1, P_{j,0}(1)), \ldots, (10kD, P_{j,0}(10kD))$
- Re-randomized output shares
  - $S_i = S_i \otimes \prod_{j=1}^{m} \mathrm{ENC}_{pk}(P_{j,0}(i), r_{j,i})$
  - $r_{j,kD+2}, \ldots, r_{j,10kD}$ generated with randomness interpolation protocol
25
- All parties verify that the encrypted output shares $S_i$ lie on a polynomial of degree $kD$
- Parties select a subset of the shares of size $k$ and decommit corresponding shares
- Parties verify the computation of the open shares
[Figure: two rows of shares, P1(1), Com(P1(2)), Com(P1(3)), P1(1), Com(P1(10kD)) and P2(1), Com(P2(2)), Com(P2(3)), P2(4), Com(P2(10kD)), labelled "Verify degree" and "Verify computation"]
26
- The parties run threshold decryption for each of the output shares
- The output receiver interpolates the output value from the shares
27 Protocol Complexities
- Amortized sharing with multiple secrets
- Communication complexity
  - Round table: between consecutive parties, intermediate protocol messages
  - $O(Dn(m-1))$; $m$ parties, $n$ monomials, $D$ sum of log variable degrees
  - Broadcast: input commitments, decommitments in verification phase
  - Smaller than polynomial representation
  - $O\big(D \big(\sum_{j=1}^{m} \sum_{t=1}^{L_j} \log a_{j,t}\big)\big)$
  - $a_{j,t}$ highest degree of variable, $L_j$ inputs for party $j$
- Computational complexity
  - $O(Dnm)$
28 Multiparty set intersection
- [Formula for $P(x)$ garbled in extraction; surviving terms: $x$, $r_i$, $P_i(x)$, an operator indexed from $j = 1$, and the bound $m-1$]
- $r_i$: $r_{i,1}, \ldots, r_{i,m}$, with $r_{i,j}$ randomness from party $j$
- $P_i(x)$ represents the input set of party $i$
- Optimizations
  - Only two parties have inputs per each monomial
  - Inputs that are used only once do not need to be shared
- Complexity: $m$ parties, $d$ inputs each
  - Communication: $O(md + 10d \log^2 d)$; CJS10 quadratic in number of parties, other solutions worse complexity
  - Computation: $O(md^2 \log d)$
29 Thank You!