
1
**Secure Evaluation of Multivariate Polynomials**

Matthew Franklin (UC Davis), Payman Mohassel (U of Calgary)

2
**Oblivious Transfer**

1-out-of-2 OT as a polynomial: the sender holds $x_0, x_1$ and a random $r$, the receiver holds a choice bit $b$ and obtains

$x_b = x_0 (1-b) + x_1 b + (1-b)\,b\,r$

For $b \in \{0,1\}$ the last term vanishes; for any other $b$ the output is randomized by $r$. Can be extended to 1-out-of-n OT, with larger-degree polynomials.

3
**Secure Matrix Multiplication**

$c_{ij} = b_{i1} a_{1j} + b_{i2} a_{2j} + b_{i3} a_{3j}$ (each entry of the product is a degree-2 polynomial in the inputs). Building block for secure linear algebra [KMWF`07]: solving "shared" linear systems, …

4
**DNF/CNF Formulas**

$(a_1 \vee a_2) \wedge (\neg a_1 \vee a_3) \ldots$

Check polynomial: $r\,(1-a_1)(1-a_2) + r\,a_1 (1-a_3)$ (each summand is 1 exactly when the corresponding clause is unsatisfied)

Check polynomial for bit inputs: $[(1-a_1)\,a_1 + (1-a_2)\,a_2 + (1-a_3)\,a_3 + \ldots]\,r$

Predicate evaluation: TRUE = 0, FALSE = random

5
**Conditional OT: retrieve a data item if a condition is met**

(Oblivious Transfer) + (Predicate Evaluation): if the predicate is True, return the data item; if the predicate is False, return a random value. Reduced to polynomial evaluation.
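The three polynomial encodings on these slides (OT, CNF check polynomial, conditional OT) written out over a prime field, as an added example that is not code from the original talk or paper. Assumptions of the example: the field modulus `P`, the literal encoding of clauses, the names `ot_poly`, `cnf_check_poly`, `conditional_ot`, and one independent randomizer per clause term and per bit-check term (the slides show a single `r` per group). Everything is evaluated in the clear to show the TRUE = 0 / FALSE = random behaviour; in the protocol the randomizers belong to the sender and the polynomial is evaluated securely.

```python
import secrets

P = 2**61 - 1  # constructed prime field for the demonstration


def ot_poly(x0, x1, b, r):
    """1-out-of-2 OT as a polynomial: x_b = x0 (1-b) + x1 b + (1-b) b r.
    For b in {0, 1} the last term vanishes; any other b yields a value
    randomized by the sender's r, so the receiver learns neither x0 nor x1."""
    return (x0 * (1 - b) + x1 * b + (1 - b) * b * r) % P


def cnf_check_poly(clauses, a, clause_rs, bit_rs):
    """Check polynomial of a CNF over inputs a[0..n-1].

    clauses: list of clauses, each a list of (variable index, negated) literals.
    A clause is unsatisfied exactly when every literal is false, i.e. when the
    product of (1 - a_i) over positive and a_i over negated literals is 1.
    Each clause term and each bit-check term a_i (1 - a_i) gets its own
    randomizer (assumption of this example; the slide shows one r per group).
    Result: 0 iff the CNF is TRUE on bit inputs, otherwise a random field element."""
    total = 0
    for r, clause in zip(clause_rs, clauses):
        unsatisfied = 1
        for i, negated in clause:
            unsatisfied = unsatisfied * (a[i] if negated else 1 - a[i]) % P
        total += r * unsatisfied
    for r, ai in zip(bit_rs, a):  # forces a_i in {0, 1}
        total += r * ai * (1 - ai)
    return total % P


def fresh_randomizers(count):
    """Non-zero field elements chosen by the party that evaluates the predicate."""
    return [1 + secrets.randbelow(P - 1) for _ in range(count)]


def conditional_ot(item, clauses, a, clause_rs, bit_rs):
    """Conditional OT: the data item comes back unchanged iff the predicate holds;
    otherwise the non-zero check value masks it with a random field element."""
    return (item + cnf_check_poly(clauses, a, clause_rs, bit_rs)) % P


# Constructed formula from the slide: (a1 OR a2) AND (NOT a1 OR a3), variables 0-indexed.
CNF = [[(0, False), (1, False)], [(0, True), (2, False)]]

if __name__ == "__main__":
    rs, bs = fresh_randomizers(len(CNF)), fresh_randomizers(3)
    print(cnf_check_poly(CNF, [1, 0, 1], rs, bs))      # 0: formula satisfied
    print(cnf_check_poly(CNF, [0, 0, 1], rs, bs))      # random: first clause fails
    print(conditional_ot(42, CNF, [2, 0, 1], rs, bs))  # random: a1 is not a bit
```

With fixed randomizers the values are reproducible, which is how the behaviour can be checked: a satisfying bit vector gives 0, a failing clause contributes exactly its randomizer, and a non-bit input is caught by the bit-check terms even when every clause polynomial happens to vanish.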

6
**Evaluating Multivariate Polynomials**

7
**Secure Two-Party Computation**

One party holds $X$, the other holds $Y$; together they compute $f(X,Y)$. Security: simulation of the real protocol in an ideal world.

8
**Security Definition (Semi-honest)**

Ideal world: Alice sends $x$ and Bob sends $y$ to a trusted third party (TTP), which returns $f(x,y)$ to both.

9
**Security Definition (Malicious)**

Ideal world with one honest and one malicious party: the malicious party may send anything in place of its input, with Cheat = 0; the TTP computes $f(x,y)$ on the inputs it received and returns it to both parties.

10
**Security Definition (Malicious)**

Ideal world with Cheat = 1: the malicious party again sends anything as its input and additionally sends "corrupt" to the TTP; the TTP computes $f(x,y)$, the malicious party receives it, and the honest party is told that the computation was corrupted (aborted) instead of receiving the result.

11
**Security Definition: Simulation-based security**

For any adversary $\mathcal{A}$ in the real protocol there is a simulator $\mathcal{S}$ in the ideal world such that the two executions are computationally indistinguishable ($\approx_c$).

12
**General Constructions**

Boolean circuits [Yao`86, MF`06, LP`07, …]; arithmetic circuits [CDN`00, IPS`09, …]. Communication and computation are proportional to circuit size: a degree-3 multivariate polynomial in $n$ variables costs $O(n^3)$ communication, while the input size is only $O(n)$. Can we do better?

13
**Homomorphic Encryption**

Public-key encryption with homomorphic properties.
Additive: $E_{pk}(a) +_h E_{pk}(b) = E_{pk}(a+b)$ [Pai`99, DJ`01, …]
Multiplicative: $E_{pk}(a) \times_h E_{pk}(b) = E_{pk}(ab)$ [ElGamal`84, …]
More powerful: 2-DNF formulas [BGN`05]; fully homomorphic [Gentry`09, …]

14
**Via Full Homomorphism**

The party holding $Y$ owns $(pk, sk)$ and sends $E_{pk}(y_1), \ldots, E_{pk}(y_n)$; the party holding $X$ (and $pk$) evaluates $f$ homomorphically and returns $E_{pk}(f(X,Y))$. Communication: $O(n)$ ciphertexts.

15
**Problem Solved?**

Fully homomorphic encryption is not practical at this stage, and we still have to deal with "malicious behavior".

16
**Semi-honest Poly (additively homomorphic encryption)**

Let $P(X,Y)$ be of degree 3 and write $P(X,Y) = P_a(X,Y) + P_b(X,Y)$, where the monomials in $P_a$ have degree $< 2$ in the $x_i$ and the monomials in $P_b$ have degree $< 2$ in the $y_i$ (every monomial of degree at most 3 falls into at least one of the two classes).

Party A holds $Y$ and $(pk_a, sk_a)$; party B holds $X$ and $(pk_b, sk_b)$.
A sends $E_{pk_a}(y_1), \ldots, E_{pk_a}(y_n)$ to B; B sends $E_{pk_b}(x_1), \ldots, E_{pk_b}(x_n)$ to A.
A computes $E_{pk_b}(P_a(X,Y))$ (linear in the encrypted $x_i$, with its own $y_i$ in the clear) and returns it to B; B computes $E_{pk_a}(P_b(X,Y))$ (linear in the encrypted $y_i$) and returns it to A.

17
**Communication: O(n) ciphertexts**

Using more efficient encryption schemes: only additive homomorphism is needed. But this is only secure against semi-honest adversaries. How to defend against malicious adversaries, and keep communication low?
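The Semihonest-Poly protocol of the previous two slides instantiated with Paillier (additively homomorphic), as an added example; this is not the paper's code. Assumptions of the example: two constructed pairs of ~30-bit primes (demo sizes only), a dict representation of $P$, inputs small enough that every intermediate value stays below both moduli, and delivery of the result as masked additive shares $s_a + s_b = P(X,Y)$ using the usual random-mask trick (the slide shows only the two encrypted evaluations; the masks and the value ranges are this example's choice). The names `semihonest_poly`, `split_degree3`, `eval_linear_part` are the example's own.

```python
import secrets

# Constructed demo primes (~30 bits each, N ~ 2^60). Real deployments use ~1024-bit primes.
ALICE_PRIMES = (1_000_000_007, 998_244_353)
BOB_PRIMES = (1_000_000_009, 999_999_937)
MASK_BITS = 50  # masks dwarf |P_a|, |P_b| (< 2^35 for the demo inputs) yet keep P_a + r < N


def keygen(p, q):
    """Paillier key pair with g = n + 1, so ((c^phi mod n^2) - 1) / n * phi^-1 recovers m."""
    n = p * q
    phi = (p - 1) * (q - 1)
    return n, (n, phi, pow(phi, -1, n))


def encrypt(pk, m):
    n2 = pk * pk
    r = 1 + secrets.randbelow(pk - 1)  # fresh randomness per ciphertext
    return pow(pk + 1, m % pk, n2) * pow(r, pk, n2) % n2


def decrypt(sk, c):
    n, phi, mu = sk
    return (pow(c, phi, n * n) - 1) // n * mu % n


def add(pk, c1, c2):
    """E(a) +h E(b) = E(a + b): multiply ciphertexts modulo n^2."""
    return c1 * c2 % (pk * pk)


def mul_const(pk, c, k):
    """E(a)^k = E(k a): multiplication by a plaintext constant."""
    return pow(c, k % pk, pk * pk)


# A polynomial is {(x indices, y indices): coefficient}. Constructed degree-3 example:
# P = 3 x0 x1 y0 + 5 x0 y0 y1 + 2 x1 x2 + 7 y2 + x0 x1 x2 + 4
DEMO_POLY = {((0, 1), (0,)): 3, ((0,), (0, 1)): 5, ((1, 2), ()): 2,
             ((), (2,)): 7, ((0, 1, 2), ()): 1, ((), ()): 4}


def eval_clear(poly, x, y):
    """Reference evaluation with both inputs in the clear."""
    total = 0
    for (xs, ys), c in poly.items():
        for i in xs:
            c *= x[i]
        for j in ys:
            c *= y[j]
        total += c
    return total


def split_degree3(poly):
    """P = P_a + P_b: P_a holds the monomials of degree < 2 in X; the rest have
    X-degree >= 2 and hence (total degree <= 3) degree < 2 in Y."""
    pa = {m: c for m, c in poly.items() if len(m[0]) <= 1}
    pb = {m: c for m, c in poly.items() if len(m[0]) >= 2}
    return pa, pb


def eval_linear_part(pk, part, enc_vars, clear_vars, enc_slot):
    """Homomorphically evaluate a part that is linear in the encrypted variables.
    enc_slot = 0 when the x_i arrive encrypted (A's view), 1 when the y_j do (B's view)."""
    acc = encrypt(pk, 0)
    for mono, coeff in part.items():
        assert len(mono[enc_slot]) <= 1, "part must be linear in the encrypted variables"
        k = coeff
        for j in mono[1 - enc_slot]:  # this party's own inputs, in the clear
            k *= clear_vars[j]
        enc_idx = mono[enc_slot]
        term = mul_const(pk, enc_vars[enc_idx[0]], k) if enc_idx else encrypt(pk, k)
        acc = add(pk, acc, term)
    return acc


def semihonest_poly(poly, x, y):
    """Party A holds Y and (pk_a, sk_a); party B holds X and (pk_b, sk_b).
    Returns additive shares (s_a, s_b) with s_a + s_b = P(X, Y) over the integers."""
    pk_a, sk_a = keygen(*ALICE_PRIMES)
    pk_b, sk_b = keygen(*BOB_PRIMES)
    pa, pb = split_degree3(poly)

    enc_y = [encrypt(pk_a, v) for v in y]  # A -> B
    enc_x = [encrypt(pk_b, v) for v in x]  # B -> A

    r_a = secrets.randbits(MASK_BITS)      # A's mask, added under pk_b
    c_to_b = add(pk_b, eval_linear_part(pk_b, pa, enc_x, y, 0), encrypt(pk_b, r_a))
    r_b = secrets.randbits(MASK_BITS)      # B's mask, added under pk_a
    c_to_a = add(pk_a, eval_linear_part(pk_a, pb, enc_y, x, 1), encrypt(pk_a, r_b))

    s_a = decrypt(sk_a, c_to_a) - r_a      # = P_b(X,Y) + r_b - r_a
    s_b = decrypt(sk_b, c_to_b) - r_b      # = P_a(X,Y) + r_a - r_b
    return s_a, s_b


if __name__ == "__main__":
    x, y = [17, 250, 3], [201, 9, 77]
    s_a, s_b = semihonest_poly(DEMO_POLY, x, y)
    print(s_a + s_b == eval_clear(DEMO_POLY, x, y))
```

Each party sends $n$ ciphertexts of its inputs plus one ciphertext back, which is the $O(n)$ communication of the slide; the degree-3 structure is what makes each part linear in the variables the evaluating party does not hold. Because the two key pairs have different moduli, the shares here are kept as bounded integers rather than field elements; the talk's later slides on working over $\mathbb{Z}_N$ address that point for the real protocol.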

18
**Preventing Malicious Behavior**

Each input $x_i$ is shared with a polynomial $S_i$: $S_i(0) = x_i$ and $S_i(1) = x_{i,1},\ S_i(2) = x_{i,2},\ \ldots,\ S_i(k) = x_{i,k}$, where $x_{i,j}$ is the share used in the $j$-th protocol instance. The $k$ instance outputs form a codeword, and the result is recovered by RS (Reed-Solomon) decoding.

19
**High Level Description**

1) Semihonest-Poly for $P_1(X_1, Y_1)$
…
k) Semihonest-Poly for $P_k(X_k, Y_k)$
Reveal/verify the secrets for the protocols in $C_b$; reveal/verify the secrets for the protocols in $C_a$; combine the results and decode the output.
Simulation-based proof: extract the inputs, and run coin-tosses for the reveal/verify steps.

20
**The Intuition: Cut-and-Choose, Reed-Solomon Decoding, Secret Sharing**

Cut-and-choose: the majority of the unopened protocols are performed honestly when $|C_a| + |C_b| > t_1$.
Reed-Solomon decoding: the number of errors in the "output codeword" is then small, so decoding is efficient and unambiguous.
Secret sharing: the number of opened shares stays below the threshold, $|C_a| + |C_b| < t_2$, so no information about the inputs is revealed.
Concretely, $|C_a| + |C_b| = 2k/5$. [DMRY`09] uses similar techniques for the set intersection problem.
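The share-then-decode mechanism of the last three slides, as an added example (not the paper's code): every input is shared with a random degree-$d$ polynomial, instance $j$ evaluates $P$ on the $j$-th shares, and the $k$ results are evaluations of a degree-$3d$ polynomial whose value at 0 is $P(X,Y)$. Cheating instances are simulated as wrong codeword entries and corrected by Berlekamp-Welch decoding (one RS decoder; the talk does not say which one the paper uses). The cut-and-choose opening and the encrypted per-instance protocol are omitted here, so instances evaluate $P$ in the clear. Constructed for the example: the field modulus `P`, the polynomial in `eval_p`, the input values, and the function names.

```python
import secrets

P = 2**61 - 1  # constructed prime field; RS decoding only needs |F| >= k distinct points


def poly_eval(coeffs, z):
    """Horner evaluation of a coefficient list (lowest degree first) at z."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * z + c) % P
    return acc


def share(secret, d):
    """Random degree-d polynomial S with S(0) = secret; S(j) is the j-th share."""
    return [secret % P] + [secrets.randbelow(P) for _ in range(d)]


def eval_p(x, y):
    """Constructed degree-3 P(X, Y) = x0 x1 y0 + 2 x0 y0 y1 + 3 x1 y1 + y0 + 7."""
    return (x[0] * x[1] * y[0] + 2 * x[0] * y[0] * y[1] + 3 * x[1] * y[1] + y[0] + 7) % P


def run_instances(x, y, d, k, cheaters=()):
    """Instance j evaluates P on the j-th share of every input; instances listed in
    `cheaters` return a wrong value. Returns the points and the 'output codeword'."""
    sx = [share(v, d) for v in x]
    sy = [share(v, d) for v in y]
    points, received = [], []
    for j in range(1, k + 1):
        out = eval_p([poly_eval(s, j) for s in sx], [poly_eval(s, j) for s in sy])
        if j in cheaters:
            out = (out + 1 + secrets.randbelow(P - 1)) % P  # any value other than out
        points.append(j)
        received.append(out)
    return points, received


def solve_mod_p(rows, rhs):
    """Gauss-Jordan elimination mod P; returns one solution (free unknowns set to 0)."""
    m = [row + [b] for row, b in zip(rows, rhs)]
    pivots, r = [], 0
    for c in range(len(rows[0])):
        piv = next((i for i in range(r, len(m)) if m[i][c]), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        inv = pow(m[r][c], P - 2, P)
        m[r] = [v * inv % P for v in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c]:
                f = m[i][c]
                m[i] = [(vi - f * vr) % P for vi, vr in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
    if any(m[i][-1] for i in range(r, len(m))):
        raise ValueError("no solution: more errors than the decoder can handle")
    sol = [0] * len(rows[0])
    for i, c in enumerate(pivots):
        sol[c] = m[i][-1]
    return sol


def poly_divmod(num, den):
    """Long division of coefficient lists mod P; returns (quotient, remainder)."""
    num = num[:]
    inv = pow(den[-1], P - 2, P)
    quot = [0] * (len(num) - len(den) + 1)
    for i in range(len(quot) - 1, -1, -1):
        quot[i] = num[i + len(den) - 1] * inv % P
        for j, dj in enumerate(den):
            num[i + j] = (num[i + j] - quot[i] * dj) % P
    return quot, num[: len(den) - 1]


def rs_decode(points, values, deg, e):
    """Berlekamp-Welch: recover f (degree <= deg) from k >= deg + 1 + 2e evaluations
    of which at most e are wrong. Unknowns: Q of degree <= deg + e and the e lower
    coefficients of a monic error locator E of degree e, with Q(z_j) = r_j E(z_j)."""
    assert len(points) >= deg + 1 + 2 * e, "too few instances for this error bound"
    rows, rhs = [], []
    for z, r in zip(points, values):
        rows.append([pow(z, i, P) for i in range(deg + e + 1)]
                    + [-r * pow(z, i, P) % P for i in range(e)])
        rhs.append(r * pow(z, e, P) % P)
    sol = solve_mod_p(rows, rhs)
    q, err_locator = sol[: deg + e + 1], sol[deg + e + 1:] + [1]
    f, rem = poly_divmod(q, err_locator)
    if any(rem):
        raise ValueError("too many errors: no polynomial of that degree fits")
    return f


def decode_output(points, received, d, e):
    """O(j) = P(S_X(j), S_Y(j)) has degree <= 3d in j and O(0) = P(X, Y)."""
    return rs_decode(points, received, 3 * d, e)[0]
```

The parameters illustrate the two thresholds on the slide: decoding needs $k \ge 3d + 1 + 2e$ instances, so the number of cheating (unopened, dishonest) instances $e$ that can be tolerated grows with $k$, while every set of at most $d$ shares of an input is independent of that input, so the number of opened instances must stay at or below $d$. With $d = 1$, $k = 10$ and three cheating instances the decoder still returns $P(X,Y)$; with more errors than $e$ it raises instead of returning a wrong value.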

21
**Better Amortized Efficiency**

Batch evaluation: evaluate $(X_1, Y_1), \ldots, (X_d, Y_d)$ at the polynomial $P$ (useful e.g. for linear algebra). Running $d$ instances of the protocol in parallel (parallel composition, possible with small modifications) costs $O(dkn)$ communication. Encoding the $d$ inputs in one polynomial with share-packing techniques [FK`92] costs only $O((k+d)n)$ communication!

22
**Secure Linear Algebra [KMWF`07, MW`08]**

Solving joint linear systems and joint rank/determinant computation reduce to secure matrix multiplication. Secure multiplication of $n \times n$ matrices is the evaluation of $O(n^2)$ polynomials: $O(kn^2)$ communication. Secure linear algebra needs $O(s\,n^{1/s})$ matrix multiplications: $O(s)$ rounds and $O(kn^2 + s\,n^{2+1/s})$ communication; the security parameter $k$ is only multiplied by the smaller factor.

23
**Working Over a Finite Field**

Goldwasser-Micali encryption [GM`82] works for $GF(2)$, but for RS codes we need $|F| = O(k)$. Extend GM to encrypt/decrypt over $GF(2^s)$: an element is encrypted as $E(a_1), \ldots, E(a_s)$ with $a_i \in GF(2)$. Homomorphic properties: addition is component-wise addition; plaintext-ciphertext multiplication is (encrypted polynomial) × (public polynomial) mod (public polynomial). Details in the paper.

24
**Working Over a Finite Field**

Paillier's encryption [Pai`99] works over $\mathbb{Z}_N$ with $N = pq$. What about "RS decoding" and "inversion" of elements? If inversion or RS decoding fails, then we can factor $N$, so it is safe to pretend we work over a finite field. This is useful for other MPC protocols as well. The other alternative is a (variant of) ElGamal, $g^m h^r$: inefficient decryption, but sufficient for some applications.

25
**Other Extensions**

Higher-degree polynomials: the protocols extend to degree-$t$ polynomials with $O(n^{\lfloor t/2 \rfloor})$ communication. Security against "covert" adversaries (between malicious and semi-honest security) with better efficiency. Multiparty setting, using techniques from [IPS`08]: not as efficient as our two-party protocol.

26
**Open Questions**

Degree $t > 3$: our protocols are not optimal. Can we design protocols with $O(n)$ communication and security against malicious adversaries?
More powerful homomorphic encryption schemes, e.g. evaluating 2-DNF formulas [BGN`05]: how to defend against malicious behavior? Similar techniques do NOT seem to work.
Efficient semihonest-to-malicious compilers: ZK compilers are not efficient, and ours is only optimal for low-degree polynomials. How about other functions?

27
Thank You!
