Published by Bennett Birch. Modified about 1 year ago.

1
MATTHEW FRANKLIN, PAYMAN MOHASSEL
UC DAVIS, U OF CALGARY
Secure Evaluation of Multivariate Polynomials

2
Oblivious Transfer
($x_0$, $x_1$), $b$
$x_b = x_0(1-b) + x_1 b + (1-b)\,b\,r$

3
Secure Matrix Multiplication
$c_{ij} = b_{i1} a_{1j} + b_{i2} a_{2j} + b_{i3} a_{3j}$
Building block for secure linear algebra [KMWF`07]
Solving “shared” linear systems, …

4
DNF/CNF Formulas
(a_1 a_2) (~a_1 a_3) ...
$r(1-a_1)(1-a_2) + r\,a_1(1-a_3) + \ldots$
Check polynomial: $[(1-a_1)a_1 + (1-a_2)a_2 + (1-a_3)a_3 + \ldots]\,r$
(a_1 a_2) (~a_1 a_3) ... …
Predicate evaluation: TRUE = 0, False = random

5
Conditional OT
Retrieve a data item if condition met
(Oblivious Transfer) + (Predicate Evaluation)
If predicate True return a data item
If predicate False return a random value
Reduced to polynomial evaluation

6
Evaluating Multivariate Polynomials

7
Secure Two-Party Computation
X, Y, f(X,Y)
Security: Simulation of the Real protocol in an Ideal world

8
Security Definition (Semi-honest)
[Diagram: Ideal World with TTP; Alice and Bob; labels x, y, f(x,y)]

9
Security Definition (Malicious)
[Diagram: Ideal World with TTP; malicious and honest parties; labels x, y, anything, f(x,y)]
Cheat = 0

10
Security Definition (Malicious)
[Diagram: Ideal World with TTP; malicious and honest parties; labels x, y, anything, f(x,y)]
Cheat = 1
Send “corrupt”

11
Security Definition
Simulation-based security
For any adversary A in the real protocol
There is a simulator S in the ideal world

12
General Constructions
Boolean circuits [Yao`86, MF`06, LP`07, …]
Arithmetic circuits [CDN`00, IPS`09, …]
Comm/comp proportional to circuit size
Degree-3 multivariate polynomial in n variables
  $O(n^3)$ comm.
  Input size is only $O(n)$
Can we do better?

13
Homomorphic Encryption
Public-Key Encryption
Additive: $E_{pk}(a) +_h E_{pk}(b) = E_{pk}(a+b)$ [Pai`99, DJ`01, …]
Multiplicative: $E_{pk}(a) \times_h E_{pk}(b) = E_{pk}(ab)$ [ElGamal`84, …]
More powerful
  2-DNF formulas [BGN`05]
  Fully homomorphic [Gentry`09, …]

14
Via Full Homomorphism
(pk, sk)    pk
$E_{pk}(y_1), \ldots, E_{pk}(y_n)$
$E_{pk}(f(X,Y))$
Communication: O(n) ciphertexts

15
Problem Solved?
Fully homomorphic encryption
  Not practical at this stage
We still have to deal with “malicious behavior”

16
Semi-honest Poly
Additively homomorphic
Let P(X,Y) be degree 3
$P(X,Y) = P_a(X,Y) + P_b(X,Y)$
  monomials in $P_a$ are degree < 2 in $x_i$
  monomials in $P_b$ are degree < 2 in $y_i$
$(pk_a, sk_a)$    $E_{pk_a}(y_1), \ldots, E_{pk_a}(y_n)$    $E_{pk_a}(P_b(X,Y))$
$E_{pk_b}(x_1), \ldots, E_{pk_b}(x_n)$    $(pk_b, sk_b)$    $E_{pk_b}(P_a(X,Y))$
X    Y

17
Comm: O(n) ciphertexts
Using more efficient encryption schemes
  Only additive homomorphism is needed
Only secure against semi-honest adversaries
How to defend against malicious adversaries?
  And keep communication low
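
Added example (not from the slides or the paper): the slide-16 exchange for one half of the polynomial, with a toy Paillier instance as the additively homomorphic scheme. The key owner holds Y and the evaluator holds X, matching E_pk_a(y_i) on the slide; the sample polynomial, inputs, primes and all function names are constructed for illustration.

```python
import math, secrets

# Toy Paillier with g = n + 1. Mersenne primes keep the demo fast; NOT a secure size.
P1, P2 = 2**31 - 1, 2**61 - 1

def keygen():
    n = P1 * P2
    lam = (P1 - 1) * (P2 - 1) // math.gcd(P1 - 1, P2 - 1)
    return n, (n, lam, pow(lam, -1, n))        # public n, secret (n, lam, mu)

def enc(n, m):
    r = secrets.randbelow(n - 2) + 2
    while math.gcd(r, n) != 1:                  # r must be a unit mod n
        r = secrets.randbelow(n - 2) + 2
    return (1 + (m % n) * n) * pow(r, n, n * n) % (n * n)

def dec(sk, c):
    n, lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n

def h_add(n, c1, c2):                           # E(a) +_h E(b) = E(a + b)
    return c1 * c2 % (n * n)

def h_scale(n, c, k):                           # plaintext k times E(a) = E(k * a)
    return pow(c, k % n, n * n)

def eval_linear_in_y(n, enc_y, x, terms):
    """Holder of X evaluates sum(coeff * prod(x[i]) * y[j]) on ciphertexts of Y."""
    acc = enc(n, 0)                             # fresh randomness for the result
    for coeff, x_idx, y_j in terms:
        k = coeff
        for i in x_idx:
            k = k * x[i] % n                    # the x-part is a known plaintext scalar
        term = enc(n, k) if y_j is None else h_scale(n, enc_y[y_j], k)
        acc = h_add(n, acc, term)
    return acc

# Constructed P_b(X,Y) = 3*x0*x1*y0 + 5*x1*y1 + 2*x0*x0*x1 + 7 (degree < 2 in the y_i)
TERMS = [(3, (0, 1), 0), (5, (1,), 1), (2, (0, 0, 1), None), (7, (), None)]

def demo(x=(4, 9), y=(6, 11)):
    n, sk = keygen()                            # key owner (holds Y)
    enc_y = [enc(n, v) for v in y]              # sent to evaluator: n ciphertexts
    c = eval_linear_in_y(n, enc_y, x, TERMS)    # sent back: one ciphertext
    return dec(sk, c)
```

Every operation on ciphertexts is an addition or a multiplication by a plaintext, which is why a degree-3 polynomial split this way needs no multiplicative homomorphism.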

18
Preventing Malicious Behavior
$S_i(0) = x_i$
$S_i(1) = x_{i,1}$
$S_i(2) = x_{i,2}$
$S_i(k) = x_{i,k}$
RS decoding

19
High Level Description
1) Semihonest-Poly for $P_1(X_1, Y_1)$
k) Semihonest-Poly for $P_k(X_k, Y_k)$
Reveal/verify the secrets for protocols in $C_b$
Reveal/verify the secrets for protocols in $C_a$
Combine results and decode the output

20
The Intuition
Cut-and-Choose
  Majority of unopened protocols are performed honestly
  $|C_a| + |C_b| > t_1$
Reed-Solomon Decoding
  Number of errors in the “Output Codeword” is small
  Efficient and unambiguous decoding
Secret Sharing
  The number of opened shares is less than a threshold
  $|C_a| + |C_b| < t_2$
  No information about the inputs is revealed
$|C_a| + |C_b| = 2k/5$
[DMRY`09]: Similar techniques for the set intersection problem
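
Added example (not from the slides or the paper): inputs shared as on slide 18, the polynomial evaluated share by share, and the output codeword decoded although two instances return wrong values. The sharing degree d, the field, the sample polynomial and the brute-force decoder (standing in for an efficient RS decoder) are assumptions; cut-and-choose opening and the encryption layer are left out.

```python
import random
from itertools import combinations

F = 2_147_483_647  # prime field modulus (2^31 - 1), chosen for the example

def share(secret, d, k, rng):
    """Random degree-d polynomial S with S(0) = secret; returns S(1), ..., S(k)."""
    coeffs = [secret] + [rng.randrange(F) for _ in range(d)]
    return [sum(c * pow(j, e, F) for e, c in enumerate(coeffs)) % F
            for j in range(1, k + 1)]

def interp_at(points, z):
    """Lagrange interpolation through points, evaluated at z."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for m, (xm, _) in enumerate(points):
            if m != i:
                num = num * (z - xm) % F
                den = den * (xi - xm) % F
        total = (total + yi * num * pow(den, -1, F)) % F
    return total

def decode(outputs, deg, max_err):
    """Brute-force RS decoding: find the degree <= deg polynomial that agrees
    with all but max_err outputs and return its value at 0."""
    pts = list(enumerate(outputs, start=1))
    for subset in combinations(pts, deg + 1):
        agree = sum(interp_at(subset, x) == y for x, y in pts)
        if agree >= len(pts) - max_err:
            return interp_at(subset, 0)
    raise ValueError("too many corrupted instances")

def P(x, y):  # constructed degree-3 polynomial
    return (x[0] * x[1] * y[0] + 2 * x[0] * y[1] + 5) % F

def run(x=(3, 7), y=(10, 4), d=1, k=8, cheat=(2, 5)):
    rng = random.Random(1)
    xs = [share(v, d, k, rng) for v in x]       # S_i(1..k) for each x_i
    ys = [share(v, d, k, rng) for v in y]
    outs = [P([s[j] for s in xs], [s[j] for s in ys]) for j in range(k)]
    for j in cheat:                             # instances performed dishonestly
        outs[j] = (outs[j] + 1) % F
    # The outputs lie on a polynomial of degree <= 3d whose value at 0 is P(X, Y).
    return decode(outs, 3 * d, max_err=(k - 3 * d - 1) // 2)
```

With k = 8 instances and output degree 3, up to two wrong outputs still decode to a unique polynomial, so the result equals P(X, Y).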

21
Better Amortized Efficiency
Evaluating $(X_1, Y_1), \ldots, (X_d, Y_d)$ at polynomial P
  Batch evaluation, e.g. useful for linear algebra
Run d instances of the protocol in parallel
  Parallel composition (possible with small modifications)
  O(dkn) communication
Encode d inputs using one polynomial
  Share-packing techniques [FK`92]
  O((k+d)n) communication!

22
Secure Linear Algebra
[KMWF`07, MW`08]
Solving joint linear systems, joint rank/determinant computation
  Reduced to secure matrix multiplication
Secure matrix multiplication
  Evaluation of $O(n^2)$ polynomials (n x n matrix)
  $O(kn^2)$ communication
Secure linear algebra
  $O(sn^{1/s})$ matrix multiplication
  O(s) round, $O(kn^2 + sn^{2+1/s})$ comm.
  Security parameter only multiplied by the smaller factor

23
Working Over a Finite Field
Goldwasser-Micali encryption [GM`82]
  Works for GF(2)
  For RS codes, we need |F| = O(k)
Extend GM to encrypt/decrypt over $GF(2^s)$
  $E(a_1), \ldots, E(a_s)$ where $a_i$ in GF(2)
Homomorphic properties?
  Addition: component-wise addition
  Plaintext-ciphertext multiplication: (enc. poly) x (pub. poly) mod (pub. poly)
  Details in the paper

24
Working Over a Finite Field
Paillier’s encryption [Pai`99]
  Works over $Z_N$ where N = pq
  “RS decoding” and “inversion” of elements?
If inversion or RS decoding fail
  Then we can factor N
  Safe to pretend we work over a finite field
  Useful for other MPC protocols
Other alternative is (variant of) ElGamal: $g^m h^r$
  Inefficient decryption, but sufficient for some applications

25
Other Extensions
Higher degree polynomials
  Protocols extend to degree-t polynomials
  $O(n^{\lfloor t/2 \rfloor})$ communication
Security against “covert” adversaries
  Between malicious and semi-honest security
  Better efficiency
Multiparty setting
  Using techniques from [IPS`08]
  Not as efficient as our two-party protocol

26
Open Questions
Degree t>3 protocols are not optimal
  Can we design protocols with O(n) communication
  Security against malicious adversaries
More powerful homomorphic encryption schemes
  Evaluating 2-DNF formulas [BGN`05]
  Defending against malicious behavior?
  Similar techniques do NOT seem to work
Efficient semihonest-to-malicious compilers
  ZK compilers not efficient
  Ours is only optimal for low-degree polynomials
  How about other functions

27
Thank You!
