5. Conditional OT
- Retrieve a data item if condition met
- (Oblivious Transfer) + (Predicate Evaluation)
- If predicate True return a data item
- If predicate False return a random value
- Reduced to polynomial evaluation

10. Security Definition (Malicious)
- Ideal World
- [Diagram labels: TTP; honest; malicious; x; y; anything; Send “corrupt”; Cheat = 1; f(x,y)]

11. Security Definition
- Simulation-based security
- For any adversary A in the real protocol
- There is a simulator S in the ideal world

12. General Constructions
- Boolean circuits [Yao'86, MF'06, LP'07, …]
- Arithmetic circuits [CDN'00, IPS'09, …]
- Comm/comp proportional to circuit size
- Degree-3 multivariate polynomial in n variables
  - O(n^3) comm.
  - Input size is only O(n)
- Can we do better?

15. Problem Solved?
- Fully homomorphic encryption
  - Not practical at this stage
- We still have to deal with “malicious behavior”

16. Semi-honest Poly
- Additively homomorphic
- Let P(X,Y) be degree 3
- P(X,Y) = P_a(X,Y) + P_b(X,Y)
  - monomials in P_a are degree < 2 in x_i
  - monomials in P_b are degree < 2 in y_i
- [Protocol diagram labels: Y; X; (pk_a, sk_a); (pk_b, sk_b); E_pk_a(y_1), …, E_pk_a(y_n); E_pk_b(x_1), …, E_pk_b(x_n); E_pk_b(P_a(X,Y)); E_pk_a(P_b(X,Y))]

17. Comm: O(n) ciphertexts
- Using more efficient encryption schemes
- Only additive homomorphism is needed
- Only secure against semi-honest adversaries
- How to defend against malicious adversaries?
- And keep communication low

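The semi-honest exchange above, as an added example that is not code from the talk or the paper: toy Paillier encryption with insecure key sizes stands in for the additively homomorphic scheme, and the function names, party roles and sample polynomial are assumptions made here. It assumes the result is a small non-negative integer and adds the two decrypted parts directly, without any masking.

```python
import math, random

def keygen(p, q):                       # toy Paillier with g = n + 1; NOT secure sizes
    n, lam = p * q, math.lcm(p - 1, q - 1)
    return n, (lam, pow(lam, -1, n))

def enc(n, m):
    r = random.randrange(1, n)
    while math.gcd(r, n) != 1:          # r must be a unit mod n
        r = random.randrange(1, n)
    return (1 + m * n) % (n * n) * pow(r, n, n * n) % (n * n)

def dec(n, sk, c):
    lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n

def split(P):
    """P = P_a + P_b: P_a has x-degree < 2, P_b has y-degree < 2."""
    for _, xs, ys in P:
        if len(xs) > 1 and len(ys) > 1:  # only possible when total degree > 3
            raise ValueError("monomial is degree >= 2 in both X and Y")
    return ([t for t in P if len(t[1]) < 2], [t for t in P if len(t[1]) >= 2])

def eval_enc(n, terms, own, cts, enc_is_x):
    """Evaluate terms that are at most linear in the encrypted inputs."""
    acc = enc(n, 0)
    for coeff, xs, ys in terms:
        mine, theirs = (ys, xs) if enc_is_x else (xs, ys)
        s = coeff * math.prod(own[i] for i in mine) % n    # plaintext scalar
        c = pow(cts[theirs[0]], s, n * n) if theirs else enc(n, s)
        acc = acc * c % (n * n)                            # homomorphic addition
    return acc

def run(P, X, Y):
    na, ska = keygen(2**31 - 1, 2**61 - 1)     # assumed role: A holds Y and sk_a
    nb, skb = keygen(2**89 - 1, 2**107 - 1)    # assumed role: B holds X and sk_b
    Pa, Pb = split(P)
    ct_y = [enc(na, y) for y in Y]             # A -> B: E_pk_a(y_1), ..., E_pk_a(y_n)
    ct_x = [enc(nb, x) for x in X]             # B -> A: E_pk_b(x_1), ..., E_pk_b(x_n)
    to_b = eval_enc(nb, Pa, Y, ct_x, True)     # A -> B: E_pk_b(P_a(X,Y))
    to_a = eval_enc(na, Pb, X, ct_y, False)    # B -> A: E_pk_a(P_b(X,Y))
    # Simplification made here: the two decrypted parts are added in the clear.
    return dec(nb, skb, to_b) + dec(na, ska, to_a)

# Constructed input: P = 2*x0*y0*y1 + 5*y1 + x0*x1*y0 + x1^3
P_DEMO = [(2, (0,), (0, 1)), (5, (), (1,)), (1, (0, 1), (0,)), (1, (1, 1, 1), ())]

if __name__ == "__main__":
    print(run(P_DEMO, (3, 4), (5, 6)))
```

Each party sends n ciphertexts and one result ciphertext, which is the O(n) communication the slide refers to; every degree-3 monomial lands in P_a or P_b because it cannot be degree 2 or more in both X and Y.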
19. High Level Description
- 1) Semihonest-Poly for P_1(X_1, Y_1)
- ...
- k) Semihonest-Poly for P_k(X_k, Y_k)
- Reveal/verify the secrets for protocols in C_b
- Simulation-based proof; extract the inputs, run coin-tosses for the reveal/verify steps
- Reveal/verify the secrets for protocols in C_a
- Combine results and decode the output

20. The Intuition
- Cut-and-Choose
  - Majority of unopened protocols are performed honestly
  - |C_a| + |C_b| > t_1
- Reed-Solomon Decoding
  - Number of errors in the “Output Codeword” is small
  - Efficient and unambiguous decoding
- Secret Sharing
  - The number of opened shares is less than a threshold
  - |C_a| + |C_b| < t_2
  - No information about the inputs is revealed
- |C_a| + |C_b| = 2k/5
- [DMRY'09]: Similar techniques for the set intersection problem

21. Better Amortized Efficiency
- Evaluating (X_1, Y_1), …, (X_d, Y_d) at polynomial P
  - Batch evaluation
  - e.g. useful for linear algebra
- Run d instances of the protocol in parallel
  - Parallel composition (possible with small modifications)
  - O(dkn) communication
- Encode d inputs using one polynomial
  - Share-packing techniques [FK'92]
  - O((k+d)n) communication!

22. Secure Linear Algebra [KMWF'07, MW'08]
- Solving joint linear systems, joint rank/determinant computation
  - Reduced to secure matrix multiplication
- Secure matrix multiplication
  - Evaluation of O(n^2) polynomials (n x n matrix)
  - O(kn^2) communication
- Secure linear algebra
  - O(s n^(1/s)) matrix multiplications
  - O(s) rounds, O(kn^2 + s n^(2+1/s)) comm.
  - Security parameter only multiplied by the smaller factor

23. Working Over a Finite Field
- Goldwasser-Micali encryption [GM'82]
  - Works for GF(2)
- For RS codes, we need |F| = O(k)
- Extend GM to encrypt/decrypt over GF(2^s)
  - E(a_1), …, E(a_s) where a_i in GF(2)
- Homomorphic properties?
  - Addition: component-wise addition
  - Plaintext-ciphertext multiplication
  - (enc. poly) x (pub. poly) mod (pub. poly)
- Details in the paper

24. Working Over a Finite Field
- Paillier’s encryption [Pai'99]
  - Works over Z_N where N = pq
- “RS decoding” and “inversion” of elements?
  - If inversion or RS decoding fail
  - Then we can factor N
  - Safe to pretend we work over a finite field
  - Useful for other MPC protocols
- Other alternative is (variant of) ElGamal: g^m h^r
  - Inefficient decryption, but sufficient for some applications

25. Other Extensions
- Higher degree polynomials
  - Protocols extend to degree-t polynomials
  - O(n^⌊t/2⌋) communication
- Security against “covert” adversaries
  - Between malicious and semi-honest security
  - Better efficiency
- Multiparty setting
  - Using techniques from [IPS'08]
  - Not as efficient as our two-party protocol

26. Open Questions
- Degree t>3 protocols are not optimal
  - Can we design protocols with O(n) communication
  - Security against malicious adversaries
- More powerful homomorphic encryption schemes
  - Evaluating 2-DNF formulas [BGN'05]
  - Defending against malicious behavior?
  - Similar techniques do NOT seem to work
- Efficient semihonest-to-malicious compilers
  - ZK compilers not efficient
  - Ours is only optimal for low-degree polynomials
  - How about other functions