Secure Efficient Multiparty Computing of Multivariate Polynomials and Applications

1
Secure Efficient Multiparty Computing of
Multivariate Polynomials and Applications

• Dana Dachman-Soled, Tal Malkin,
• Mariana Raykova, Moti Yung

2
x1
x2
x3
x4
3
x1
F1(x1,x3,x3)
x2
x3
F2(x1,x3,x3)
F4(x1,x3,x3)
x4
F3(x1,x3,x3)
4
Secure Multiparty Computation How to compute a
function on the private inputs of multiple
parties not leaking more than the result?
5
Secure Multiparty Computation Feasible
Yao82, GMW87, CDv88, BG89, BG90,
Cha90, Bea92, Not Efficient
communication and computation proportional to
circuit size
6
x1
x2
Multivariate Polynomials
x3
x4
7
x1
x2
Multivariate Polynomials Applications
x3
x4
8
Multiparty Set Intersection
x1
x2
Multivariate Polynomials Applications
x3
x4
9
x1
x2
Multivariate Polynomials Applications
x3
x4
Linear Algebra matrix arithmetic,
inverse, determinant, Eigen values
10
x1
x2
Multivariate Polynomials Applications
x3
x4
Statistics functions average, standard
deviation, variance, chi-square test, computing
Pearsons correlation coefficients
11
Taylor series approximation
trigonometric functions, logarithms,
exponents, square root
x1
x2
Multivariate Polynomials Applications
x3
x4
12

• Outsourced
• computation
• many workers
• at least one honest

13

• Outsourced
• computation
• Computation on shares,
• Reconstruction of output

14
Our results

• Multiparty computation protocol for
  functionalities that can be represented as
  multivariate polynomials
• Improvement of generic complexity for multiple
  parties Left as open problem in FM10
• Security
• Against malicious majority
• Proofs in the standard simulation model
• Black box construction from homomorphic
  encryption with a natural property.
• Instantiated through threshold Paillier
  encryption (decisional composite residuosity)

15
Our Results

• Efficiency
• Communication complexity FM10 subexponential in
  the number of parties, we achieve fully
  polynomial (in all parameters) complexity
• Broadcast complexity
• Round table complexity
• Constant number round table rounds
• Application construction Multiparty Set
  Intersection
• Improve complexity of existing multiparty
  solutions KS05, SS09, CJS10

16
Building Blocks

• Input sharing using committed Shamir/Reed-Solomon
  codes
• PX(0) X shares PX(1), , PX(D)
• Vector Homomorphic Encryption
• ENC(m1 r1) ? ENC(m2 r2) ENC(m1 m2 r1 ?
  r2)
• ENC(m r)c ENC(c m r ? c)
• Instantiation threshold Paillier encryption

17
Building Blocks

• Polynomial code commutativity
• Interpolate (Poly-Eval (inputs shares))
• Poly-Eval (Interpolate (inputs shares))
  Poly-Eval(inputs)
• Incremental encrypted polynomial evaluation
• Each monomial
• M c ?i1 hi(inputs of party i)
• b0
  ?

parties
bi1
Enc(c)
bi
hi(inputs of party i)
Encryption of partial evaluation of M with inputs
from first i1/i parties
Constant for homomorphic property
18
Building blocks

• Lagrange Interpolation Protocol Over Encrypted
  Values
• given A gt d1 encrypted points
• (1, ENCpk(y1, r1)), . . . (A, ENCpk(yA, rA))
• check that they lie on poly of degree d
• ENCpk(yi,ri) ?j1 (ENCpk(yj,rj)) Lj(i)
• synchronized randomness
• Randomness Interpolation
• given (1,y1),...,(A,yA),r1,...,rd1
• compute rd2, . . . , rA
• Encrypted interpolation holds for i, ENCpk(yi,
  ri)1iA

d1
19
Efficient Input Preprocessing

• Polynomial Degree Reduction
• Change of variables
• Polynomial Q(y) of degree n

y0 y y1 y2 y2 y4 . y?log n? y2
y
?log n?
Q(y)
Q(y0,y1,y2 , y?log n? )
Deg n
Deg log n
20
Proof of Knowledge and Verification

• Correct computation of new variables
• Correct degree of input sharing polynomials

Output
Input
Proof
Prover x1,,xn Common c1,,cn, L
Verifier Accept/Reject
(x1,,xn) ? L ci ENC(xi)

(r1,,rn) ? L
0
enc(r1)
enc(r2)
enc(rn)

(x1r1,,xnrn) ? L
c1 enc(r1)
c2 enc(r2)
cn enc(rn)
1
open
ci enc(ri) enc(xiri)
21
Protocol Outline

22

• Efficient preprocessing for each variable in the
  multivariate polynomial
• Commit to shares of new variables

23

• Each party Pi contributes his inputs
• in each monomial s for each share j
• 
  
  

bi1,j,s
bi,j,s?hi(share j of Pi)
Enc(0, ri,j,s)
ri,j,s generated with randomness interpolation
protocol
24

• Each party re-randomizes the final output shares
  S1, , S10kD
• Randomizng polynomial Pj,0(0) 0
• Shares (1,Pj,0(1)),...,(10kD,Pj,0(10kD))
• Re-randomized output shares

m
Si
Si
?j1 ENCpk(Pj,0(i)rj,i)
rj,kD2,...,rj,10kD generated with randomness
interpolation protocol
25

• All parties verify that the encrypted output
  shares Si lie on a polynomial of degree kD
• Parties select a subset of the shares of size k
  and decommit corresponding shares
• Parties verify the computation of the open shares

P1(1)
Com(P1(2))
Com(P1(3))
P1(1)
Com(P1(10kD))
Verify degree

Verify degree
P2(1)
Com(P2(2))
Com(P2(3))
P2(4)
Com(P2(10kD))
Verify computation
Verify computation
26

• The parties run threshold decryption for each of
  the output shares
• The output receiver interpolates the output value
  from the shares

27
Protocol Complexities

• Amortized sharing with multiple secrets
• Communication complexity
• Round table between consecutive parties
  intermediate protocol messages
• O(Dn(m-1)), m parties, n monomials, D sum of log
  variable degrees
• Broadcast input commitments, decommitments in
  verification phase
• Smaller than polynomial representation
• O(D (?j1 ?j1 log aj,t ))
• aj,t highest degree of variable, Lj inputs for
  party j
• Computational complexity
• O(Dnm)

m
Lj
28
Multiparty set intersection
m-1
P(x)
Pi(x)

• 
  
• Optimizations
• Only two parties have inputs per each monomial
• Inputs that are used only once do not need to be
  shared
• Complexity - m parties, d inputs each
• Communication - O(md 10d log2 d) CJS10
  quadratic in number of parties, other solutions
  worse complexity
• Computation - O(md2 log d)

ri
x
?j1
ri ri,1 ri,m ri,j randomness from party j

• Pi(x) represents the input set of party i

29
Thank You!

• Questions?