# Secure Evaluation of Multivariate Polynomials


## Secure Evaluation of Multivariate Polynomials

Matthew Franklin (UC Davis) and Payman Mohassel (University of Calgary)

## Oblivious Transfer

- x_b = x0 (1 - b) + x1 b + (1 - b) b r
- Can be extended to 1-out-of-n OT, with larger degree polynomials

## Secure Matrix Multiplication

- c_ij = b_i1 a_1j + b_i2 a_2j + b_i3 a_3j
- Building block for secure linear algebra [KMWF'07]: solving "shared" linear systems, ...

## DNF/CNF Formulas

- Formula with clauses (a1 a2), (~a1 a3), ...
- Check polynomial: r (1 - a1) (1 - a2) + r a1 (1 - a3)
- Check polynomial for well-formed inputs: [(1 - a1) a1 + (1 - a2) a2 + (1 - a3) a3 + ...] r
- Predicate evaluation: TRUE = 0, FALSE = random

## Conditional OT

- Retrieve a data item if a condition is met
- (Oblivious Transfer) + (Predicate Evaluation)
- If the predicate is TRUE → return the data item
- If the predicate is FALSE → return a random value
- Reduced to polynomial evaluation
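The three slides above describe OT, predicate checks and conditional OT as polynomial identities. The following is an added example (not code from the talk) that evaluates those identities over a prime field GF(p); the prime, the 0-based literal encoding and the sample formula are my assumptions. The check polynomial r(1 - a1)(1 - a2) + r a1(1 - a3) from the DNF/CNF slide is read here as the CNF with clauses (a1 OR a2) and (NOT a1 OR a3), since a clause is false exactly when that product of factors equals 1.

```python
"""OT, CNF predicate checks and conditional OT written as polynomial identities over GF(p).
Added example, not code from the talk. The field and the sample formula are constructed."""
import secrets

PRIME = 2**61 - 1          # constructed choice of prime field GF(p)


def ot_polynomial(x0, x1, b, r, p=PRIME):
    """Slide formula x_b = x0 (1-b) + x1 b + (1-b) b r.
    For b in {0,1} the last term vanishes and the value is exactly x_b; for any other b
    the term (1-b) b r is a fresh random mask, so an ill-formed selection value yields a
    uniformly random element instead of a combination of both inputs."""
    return (x0 * (1 - b) + x1 * b + (1 - b) * b * r) % p


def predicate_polynomial(bits, clauses, p=PRIME, rand=secrets.randbelow):
    """Check polynomial for a CNF formula, in the style of the slide's
    r(1-a1)(1-a2) + r a1(1-a3) for the clauses (a1 OR a2) AND (NOT a1 OR a3).
    `clauses` is a list of clauses; a clause is a list of (index, negated) literals.
    A clause is FALSE exactly when every literal is false, i.e. when the product of
    (1 - a_i) for positive and a_i for negated literals equals 1; a fresh random r per
    clause turns every false clause into a random field element.
    Result: 0 when the formula is TRUE, uniformly random otherwise."""
    total = 0
    for clause in clauses:
        term = rand(p)                          # the r for this clause
        for i, negated in clause:
            term = term * (bits[i] if negated else 1 - bits[i]) % p
        total = (total + term) % p
    # slide's consistency check [(1-a1)a1 + (1-a2)a2 + ...] r: zero only if every a_i is 0 or 1
    total = (total + rand(p) * sum((1 - a) * a for a in bits)) % p
    return total


def conditional_ot(item, bits, clauses, p=PRIME, rand=secrets.randbelow):
    """Conditional OT = data item + predicate polynomial: the receiver gets `item` when the
    predicate holds and a random value otherwise. The whole thing is one polynomial in the
    a_i, which is the kind of function the talk's protocols evaluate securely."""
    return (item + predicate_polynomial(bits, clauses, p, rand)) % p


# constructed sample with 0-based indices: (a1 OR a2) AND (NOT a1 OR a3)
SAMPLE_CNF = [[(0, False), (1, False)], [(0, True), (2, False)]]
```

With `bits = [1, 0, 1]` the formula holds and `conditional_ot(42, bits, SAMPLE_CNF)` returns 42; with `bits = [0, 0, 1]` the first clause fails and the result is masked by a random r. Passing a non-bit such as 2 trips the consistency term instead of being accepted as a valid selection.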

## Evaluating Multivariate Polynomials

## Secure Two-Party Computation

- One party holds X, the other holds Y; they jointly compute f(X, Y)
- Security: simulation of the real protocol in an ideal world

## Security Definition (Semi-honest)

- Ideal world: Alice sends x and Bob sends y to a trusted third party (TTP), which returns f(x, y) to both

## Security Definition (Malicious)

- Ideal world with one malicious and one honest party: the malicious party may send anything in place of its input; with Cheat = 0 the TTP returns f(x, y) to both parties

## Security Definition (Malicious)

- Ideal world with one malicious and one honest party: with Cheat = 1 the TTP delivers f(x, y) to the malicious party and sends "corrupt" to the honest party

## Security Definition: Simulation-based Security

- For any adversary A in the real protocol, there is a simulator S in the ideal world such that the two executions are computationally indistinguishable (≈_c)

## General Constructions

- Boolean circuits [Yao'86, MF'06, LP'07, ...]
- Arithmetic circuits [CDN'00, IPS'09, ...]
- Communication/computation proportional to circuit size
- A degree-3 multivariate polynomial in n variables costs O(n^3) communication, while the input size is only O(n)
- Can we do better?

## Homomorphic Encryption

- Public-key encryption
- Additive: E_pk(a) +_h E_pk(b) = E_pk(a + b) [Pai'99, DJ'01, ...]
- Multiplicative: E_pk(a) ×_h E_pk(b) = E_pk(ab) [ElGamal'84, ...]
- More powerful: 2-DNF formulas [BGN'05]
- Fully homomorphic [Gentry'09, ...]

## Via Full Homomorphism

- One party holds (pk, sk) and sends pk together with E_pk(y1), ..., E_pk(yn); the other party homomorphically computes and returns E_pk(f(X, Y))
- Communication: O(n) ciphertexts

## Problem Solved?

- Fully homomorphic encryption is not practical at this stage
- We still have to deal with "malicious behavior"

## Semi-honest Poly (Additively Homomorphic)

- Let P(X, Y) be of degree 3 and write P(X, Y) = Pa(X, Y) + Pb(X, Y), where the monomials in Pa have degree < 2 in the x_i and the monomials in Pb have degree < 2 in the y_i
- The party holding Y and the key pair (pk_a, sk_a) sends E_pk_a(y1), ..., E_pk_a(yn); the party holding X and (pk_b, sk_b) sends E_pk_b(x1), ..., E_pk_b(xn)
- The first party computes and returns E_pk_b(Pa(X, Y)); the second computes and returns E_pk_a(Pb(X, Y))

## Comm: O(n) Ciphertexts

- Using more efficient encryption schemes: only additive homomorphism is needed
- Only secure against semi-honest adversaries
- How to defend against malicious adversaries, and keep communication low?
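The two slides above sketch the semi-honest protocol. Below is an added example (not the paper's code) that runs it with a textbook Paillier scheme, which provides exactly the additive homomorphism needed: party A holds Y and (pk_a, sk_a), party B holds X and (pk_b, sk_b), and each evaluates the half of P that is linear in the other side's encrypted variables. The split is implemented as "total degree at most 1 in X" for Pa (and in Y for Pb), which is what makes scalar multiplication of a single ciphertext sufficient. The random masks that turn the two decrypted values into additive shares of P(X, Y), the toy primes (far too small for real use) and the sample polynomial are my assumptions; the slide shows only the four ciphertext flows.

```python
"""Semi-honest two-party evaluation of a degree-3 polynomial P(X, Y) using only additive
homomorphism (toy Paillier). Added example, not the paper's code. The masking that turns
the decrypted values into additive shares is my addition."""
import secrets
from math import gcd


class Paillier:
    """Textbook Paillier [Pai'99]. encrypt/add/mul_const use only the public modulus n."""
    def __init__(self, p, q):
        self.n = p * q
        self.n2 = self.n * self.n
        self.g = self.n + 1
        self.lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)                  # secret key
        self.mu = pow(self._L(pow(self.g, self.lam, self.n2)), -1, self.n)  # secret key

    def _L(self, u):
        return (u - 1) // self.n

    def encrypt(self, m):
        r = 1 + secrets.randbelow(self.n - 1)            # coprime to n with overwhelming prob.
        return pow(self.g, m % self.n, self.n2) * pow(r, self.n, self.n2) % self.n2

    def decrypt(self, c):
        return self._L(pow(c, self.lam, self.n2)) * self.mu % self.n

    def add(self, c1, c2):          # E(a) +h E(b) = E(a + b)
        return c1 * c2 % self.n2

    def mul_const(self, c, k):      # E(a)^k = E(k a): multiplication by a known plaintext
        return pow(c, k % self.n, self.n2)


# A polynomial is a list of monomials (coef, x_indices, y_indices); repeated indices are powers.
def split(mons):
    """P = Pa + Pb: Pa has degree <= 1 in X (computable from E_pk_b(x_i) and plaintext Y),
    Pb has degree <= 1 in Y. No degree-3 monomial has degree >= 2 in both, so this exists."""
    pa = [m for m in mons if len(m[1]) <= 1]
    pb = [m for m in mons if len(m[1]) > 1]
    if any(len(ys) > 1 for _, _, ys in pb):
        raise ValueError("polynomial has total degree > 3")
    return pa, pb


def eval_under_other_key(other_pk, mons, enc_vars, own_vars, enc_is_x):
    """Homomorphically evaluate monomials that are linear in the encrypted variables:
    fold the own plaintext factors into a scalar, then scale the single ciphertext."""
    acc = other_pk.encrypt(0)
    for coef, xs, ys in mons:
        enc_idx, own_idx = (xs, ys) if enc_is_x else (ys, xs)
        scalar = coef
        for i in own_idx:
            scalar *= own_vars[i]
        term = other_pk.mul_const(enc_vars[enc_idx[0]], scalar) if enc_idx else other_pk.encrypt(scalar)
        acc = other_pk.add(acc, term)
    return acc


MASK_BITS = 100   # statistical masking over the integers; needs n > 2^(MASK_BITS + 1)


def semi_honest_poly(mons, X, Y, key_a, key_b):
    """Returns additive shares (share_a, share_b) with share_a + share_b == P(X, Y)."""
    pa, pb = split(mons)
    enc_y = [key_a.encrypt(y) for y in Y]            # A -> B: E_pk_a(y_1), ..., E_pk_a(y_n)
    enc_x = [key_b.encrypt(x) for x in X]            # B -> A: E_pk_b(x_1), ..., E_pk_b(x_n)
    r_a, r_b = secrets.randbits(MASK_BITS), secrets.randbits(MASK_BITS)
    # A computes E_pk_b(Pa(X, Y) + r_a) from the encrypted x_i and her plaintext Y
    to_b = key_b.add(eval_under_other_key(key_b, pa, enc_x, Y, True), key_b.encrypt(r_a))
    # B computes E_pk_a(Pb(X, Y) + r_b) from the encrypted y_j and his plaintext X
    to_a = key_a.add(eval_under_other_key(key_a, pb, enc_y, X, False), key_a.encrypt(r_b))
    share_b = key_b.decrypt(to_b) - r_b     # B sees only Pa + r_a, masked by r_a
    share_a = key_a.decrypt(to_a) - r_a     # A sees only Pb + r_b, masked by r_b
    return share_a, share_b


def eval_plain(mons, X, Y):
    tot = 0
    for coef, xs, ys in mons:
        t = coef
        for i in xs:
            t *= X[i]
        for j in ys:
            t *= Y[j]
        tot += t
    return tot


# Constructed sample: P = 3 x1 x2 y1 + 5 x1 y1 y2 + 7 x2 y2 + 2 x1^3 + 11 (0-based indices)
SAMPLE_P = [(3, (0, 1), (0,)), (5, (0,), (0, 1)), (7, (1,), (1,)), (2, (0, 0, 0), ()), (11, (), ())]
# Constructed toy keys from known 61- to 64-bit primes; nowhere near secure parameters.
KEY_A = Paillier(2**61 - 1, 2**64 - 59)
KEY_B = Paillier(2**62 - 57, 2**63 - 25)
```

Because the two key pairs have different moduli, the shares are combined over the integers rather than modulo one N; that is why the masks are statistical (100 bits above the largest possible value of Pa or Pb) and why the toy moduli must exceed 2^101. Communication is 2n ciphertexts for the inputs plus two for the results, matching the O(n) count on the slide.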

## Preventing Malicious Behavior

- Each input x_i is secret-shared with a polynomial S_i such that S_i(0) = x_i, with shares S_i(1) = x_{i,1}, S_i(2) = x_{i,2}, ..., S_i(k) = x_{i,k}
- RS decoding

## High Level Description

1) Semihonest-Poly for P1(X1, Y1)
...
k) Semihonest-Poly for Pk(Xk, Yk)
- Reveal/verify the secrets for the protocols in C_b
- Reveal/verify the secrets for the protocols in C_a
- Combine the results and decode the output
- Simulation-based proof: extract the inputs, and run coin-tosses for the reveal/verify steps

## The Intuition: Cut-and-Choose, Reed-Solomon Decoding, Secret Sharing

- Cut-and-choose: the majority of the unopened protocols are performed honestly, |C_a| + |C_b| > t1
- Reed-Solomon decoding: the number of errors in the "output codeword" is small, so decoding is efficient and unambiguous
- Secret sharing: the number of opened shares is less than a threshold, |C_a| + |C_b| < t2, so no information about the inputs is revealed
- |C_a| + |C_b| = 2k/5
- [DMRY'09] uses similar techniques for the set intersection problem
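To make the three ingredients above concrete, here is an added example (not the paper's code) that works entirely in plaintext: every input is Shamir-shared with a degree-d polynomial, instance j evaluates P on the j-th shares, and the k results are therefore a Reed-Solomon codeword of the degree-3d polynomial R(z) = P(S(z), T(z)) with R(0) = P(X, Y). A few instances are then corrupted, standing in for unopened protocols run dishonestly, and Berlekamp-Welch decoding recovers the output anyway. The encrypted semi-honest sub-protocol is replaced by plain evaluation, and the field, k = 12, d = 2 and the sample polynomial are my choices.

```python
"""Cut-and-choose intuition in plaintext: share inputs, evaluate P per share position,
RS-decode the output codeword despite corrupted instances. Added example, not the paper's."""
import secrets

PRIME = 2**31 - 1    # constructed field; the slides need |F| = O(k) for the RS code


def eval_poly(mons, X, Y, p):
    """mons are (coef, x_indices, y_indices) monomials of P(X, Y), evaluated mod p."""
    tot = 0
    for coef, xs, ys in mons:
        t = coef
        for i in xs:
            t = t * X[i] % p
        for j in ys:
            t = t * Y[j] % p
        tot = (tot + t) % p
    return tot


def share(secret, d, k, p, rand=secrets.randbelow):
    """Shamir sharing: S(0) = secret, random degree-d polynomial, shares S(1), ..., S(k).
    Any d shares (the ones opened in cut-and-choose) are independent of the secret."""
    coeffs = [secret] + [rand(p) for _ in range(d)]
    return [sum(c * pow(z, j, p) for j, c in enumerate(coeffs)) % p for z in range(1, k + 1)]


def output_codeword(mons, X, Y, d, k, p):
    """Instance j evaluates P on the j-th shares of all inputs. The k outputs are R(1..k)
    for R(z) = P(S_1(z), ..., T_1(z), ...), of degree <= 3d: an RS codeword with R(0) = P(X, Y)."""
    xs = [share(x, d, k, p) for x in X]
    ys = [share(y, d, k, p) for y in Y]
    return [eval_poly(mons, [s[j] for s in xs], [t[j] for t in ys], p) for j in range(k)]


def solve_mod(A, b, p):
    """One solution of A v = b over GF(p) by Gauss-Jordan (free variables set to 0), or None."""
    rows, cols = len(A), len(A[0])
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for c in range(cols):
        piv = next((i for i in range(r, rows) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, p)
        M[r] = [v * inv % p for v in M[r]]
        for i in range(rows):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(vi - f * vr) % p for vi, vr in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
        if r == rows:
            break
    if any(M[i][cols] for i in range(r, rows)):
        return None                      # inconsistent system
    v = [0] * cols
    for i, c in enumerate(pivots):
        v[c] = M[i][cols]
    return v


def poly_divmod(num, den, p):
    """Long division over GF(p); coefficient lists run low to high and den is monic."""
    num, q = num[:], [0] * (len(num) - len(den) + 1)
    for i in range(len(q) - 1, -1, -1):
        q[i] = num[i + len(den) - 1]
        for j, dj in enumerate(den):
            num[i + j] = (num[i + j] - q[i] * dj) % p
    return q, num[:len(den) - 1]


def berlekamp_welch(points, m, e, p):
    """Unique RS decoding of Q (deg <= m) from points with up to e errors, needing
    len(points) >= m + 2e + 1: solve for N (deg <= m+e) and monic error locator E (deg e)
    with E(z_i) w_i = N(z_i) for every point, then Q = N / E. Returns None on failure."""
    rows, rhs = [], []
    for z, w in points:
        rows.append([pow(z, j, p) for j in range(m + e + 1)] + [-w * pow(z, j, p) % p for j in range(e)])
        rhs.append(w * pow(z, e, p) % p)
    sol = solve_mod(rows, rhs, p)
    if sol is None:
        return None
    Q, rem = poly_divmod(sol[:m + e + 1], sol[m + e + 1:] + [1], p)
    return Q if not any(rem) else None


def decode_output(codeword, d, e, p):
    """Decode the output codeword at positions 1..k and return R(0) = P(X, Y)."""
    Q = berlekamp_welch(list(enumerate(codeword, start=1)), 3 * d, e, p)
    return None if Q is None else Q[0]


# Constructed sample: P = 3 x1 x2 y1 + 5 x1 y1 y2 + 7 x2 y2 + 11 (0-based indices)
SAMPLE_P = [(3, (0, 1), (0,)), (5, (0,), (0, 1)), (7, (1,), (1,)), (11, (), ())]


def demo(errors=2, d=2, k=12, p=PRIME):
    """k instances with sharing degree d tolerate `errors` bad ones when k >= 3d + 2*errors + 1.
    Returns (decoded output, plaintext P(X, Y)); the two must agree."""
    X, Y = [4, 9], [2, 6]
    cw = output_codeword(SAMPLE_P, X, Y, d, k, p)
    for j in range(errors):                 # a cheating party corrupts some instances
        cw[j] = (cw[j] + 12345) % p
    return decode_output(cw, d, errors, p), eval_poly(SAMPLE_P, X, Y, p)
```

The inequality k >= 3d + 2e + 1 is the "number of errors is small" condition: with k = 12 and d = 2 up to two corrupted instances are corrected unambiguously, while opening at most d = 2 shares of any input reveals nothing about it, which is the tension between t1 and t2 on the slide.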

## Better Amortized Efficiency

- Batch evaluation: evaluate (X1, Y1), ..., (Xd, Yd) at the polynomial P, e.g. useful for linear algebra
- Run d instances of the protocol in parallel: parallel composition (possible with small modifications), O(dkn) communication
- Encode d inputs using one polynomial: share-packing techniques [FK'92], O((k + d) n) communication!

## Secure Linear Algebra [KMWF'07, MW'08]

- Solving joint linear systems and joint rank/determinant computation are reduced to secure matrix multiplication
- Secure matrix multiplication: evaluation of O(n^2) polynomials (n × n matrix), O(kn^2) communication
- Secure linear algebra: O(s n^{1/s}) matrix multiplications, O(s) rounds, O(kn^2 + s n^{2 + 1/s}) communication
- The security parameter is only multiplied by the smaller factor

## Working Over a Finite Field

- Goldwasser-Micali encryption [GM'82] works for GF(2)
- For RS codes, we need |F| = O(k)
- Extend GM to encrypt/decrypt over GF(2^s): E(a1), ..., E(as) where a_i ∈ GF(2)
- Homomorphic properties? Addition: component-wise addition. Plaintext-ciphertext multiplication: (enc. poly) × (pub. poly) mod (pub. poly)
- Details in the paper
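As an added example of the extension sketched above (not the paper's construction), the following implements Goldwasser-Micali over toy primes, encrypts a GF(2^s) element as one GM ciphertext per coefficient, adds elements component-wise, and multiplies an encrypted element by a public polynomial modulo a public irreducible polynomial. The last operation is a public GF(2)-linear map on the coefficients, so each output coefficient is the XOR of a public subset of the input coefficients and only the XOR homomorphism is needed. The primes (far too small to be secure), s = 8, the AES reduction polynomial x^8 + x^4 + x^3 + x + 1 and the sample values are my choices.

```python
"""GM over GF(2^s): per-bit ciphertexts, component-wise addition, multiplication by a public
polynomial mod a public irreducible polynomial. Added example, not the paper's construction."""
import secrets


class GoldwasserMicali:
    """Textbook GM [GM'82] with toy primes p, q = 3 mod 4 (constructed; not secure sizes)."""
    def __init__(self, p, q):
        assert p % 4 == 3 and q % 4 == 3   # then n-1 is a non-residue mod p, q with Jacobi +1
        self.p, self.n = p, p * q
        self.x = self.n - 1                 # the public pseudo-square

    def encrypt(self, bit):
        r = 1 + secrets.randbelow(self.n - 1)
        return pow(self.x, bit, self.n) * r * r % self.n

    def decrypt(self, c):                   # Legendre symbol mod p: residue -> 0, else 1
        return 0 if pow(c % self.p, (self.p - 1) // 2, self.p) == 1 else 1

    def add(self, c1, c2):                  # E(a) * E(b) = E(a XOR b)
        return c1 * c2 % self.n


def gf2_mul_mod(a, g, f, s):
    """Plain GF(2^s) multiplication; polynomials are bit masks, f is the irreducible poly."""
    res = 0
    for i in range(s):
        if (g >> i) & 1:
            res ^= a << i
    for i in range(2 * s - 2, s - 1, -1):
        if (res >> i) & 1:
            res ^= f << (i - s)
    return res


def mul_by_public_matrix(g, f, s):
    """M[i][j] = 1 iff coefficient i of (a * g mod f) depends on coefficient j of a.
    Column j is g * x^j mod f; everything here is public because g and f are."""
    cols = [gf2_mul_mod(1 << j, g, f, s) for j in range(s)]
    return [[(cols[j] >> i) & 1 for j in range(s)] for i in range(s)]


def encrypt_element(gm, a, s):
    return [gm.encrypt((a >> i) & 1) for i in range(s)]        # one GM ciphertext per bit


def decrypt_element(gm, cts):
    return sum(gm.decrypt(c) << i for i, c in enumerate(cts))


def add_elements(gm, A, B):
    return [gm.add(x, y) for x, y in zip(A, B)]                 # component-wise addition


def mul_by_public(gm, A, g, f, s):
    """Encrypted element A times public g mod f: output bit i = XOR of A[j] with M[i][j] = 1,
    computed by multiplying the corresponding GM ciphertexts (a fresh E(0) randomizes)."""
    M = mul_by_public_matrix(g, f, s)
    out = []
    for i in range(s):
        acc = gm.encrypt(0)
        for j in range(s):
            if M[i][j]:
                acc = gm.add(acc, A[j])
        out.append(acc)
    return out


AES_POLY, S = 0x11B, 8                       # x^8 + x^4 + x^3 + x + 1, GF(2^8)
GM = GoldwasserMicali(1000003, 1000039)      # constructed toy primes, both = 3 mod 4


def demo_product(a=0x57, g=0x83):
    """Encrypt a, multiply by public g mod the AES polynomial, decrypt; returns the result."""
    return decrypt_element(GM, mul_by_public(GM, encrypt_element(GM, a, S), g, AES_POLY, S))
```

Ciphertext-ciphertext multiplication is still unavailable, which is exactly why the talk's protocols are built so that only additions and plaintext-ciphertext products occur under encryption.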

## Working Over a Finite Field

- Paillier's encryption [Pai'99] works over Z_N where N = pq
- "RS decoding" and "inversion" of elements? If inversion or RS decoding fails, then we can factor N, so it is safe to pretend we work over a finite field
- Useful for other MPC protocols
- The other alternative is a (variant of) ElGamal, g^m h^r: inefficient decryption, but sufficient for some applications

## Other Extensions

- Higher degree polynomials: the protocols extend to degree-t polynomials with O(n^⌊t/2⌋) communication
- Security against "covert" adversaries (between malicious and semi-honest security): better efficiency
- Multiparty setting: using techniques from [IPS'08]; not as efficient as our two-party protocol

## Open Questions

- Degree t > 3 protocols are not optimal: can we design protocols with O(n) communication and security against malicious adversaries?
- More powerful homomorphic encryption schemes: evaluating 2-DNF formulas [BGN'05]; defending against malicious behavior? Similar techniques do NOT seem to work
- Efficient semihonest-to-malicious compilers: ZK compilers are not efficient; ours is only optimal for low-degree polynomials; how about other functions?

Thank You!