Secure Evaluation of Multivariate Polynomials, by Matthew Franklin (UC Davis) and Payman Mohassel (U of Calgary)


1 Secure Evaluation of Multivariate Polynomials. Matthew Franklin (UC Davis), Payman Mohassel (U of Calgary)

2 Oblivious Transfer
- [Diagram: inputs $x_0$, $x_1$ and $b$]
- $x_b = x_0(1-b) + x_1 b + (1-b)\,b\,r$

3 Secure Matrix Multiplication
- $c_{ij} = b_{i1}a_{1j} + b_{i2}a_{2j} + b_{i3}a_{3j}$
- Building block for secure linear algebra [KMWF`07]
- Solving "shared" linear systems, …

4 DNF/CNF Formulas
- $(a_1\ a_2)\ (\lnot a_1\ a_3) \ldots$
  - $r(1 - a_1)(1 - a_2) + r\,a_1(1 - a_3) + \ldots$
- Check polynomial
  - $[(1 - a_1)a_1 + (1 - a_2)a_2 + (1 - a_3)a_3 + \ldots]\,r$
- $(a_1\ a_2)\ (\lnot a_1\ a_3) \ldots$
  - …
- Predicate evaluation
  - TRUE = 0
  - False = random

5 Conditional OT
- Retrieve a data item if condition met
- (Oblivious Transfer) + (Predicate Evaluation)
  - If predicate True: return a data item
  - If predicate False: return a random value
- Reduced to polynomial evaluation

6 Evaluating Multivariate Polynomials

7 Secure Two-Party Computation
- [Diagram: inputs X and Y, output f(X,Y)]
- Security: simulation of the real protocol in an ideal world

8 Security Definition (Semi-honest)
- [Diagram: ideal world with a TTP between Alice and Bob; labels x, y, f(x,y)]

9 Security Definition (Malicious)
- [Diagram: ideal world with a TTP, one malicious and one honest party; labels x, y, "anything", Cheat = 0, f(x,y)]

10 Security Definition (Malicious)
- [Diagram: ideal world with a TTP, one malicious and one honest party; labels x, y, "anything", Cheat = 1, Send "corrupt", f(x,y)]

11 Security Definition
- Simulation-based security
  - For any adversary A in the real protocol
  - There is a simulator S in the ideal world

12 General Constructions
- Boolean circuits
  - [Yao`86, MF`06, LP`07, …]
- Arithmetic circuits
  - [CDN`00, IPS`09, …]
- Comm/comp proportional to circuit size
- Degree-3 multivariate polynomial in n variables
  - $O(n^3)$ comm.
  - Input size is only $O(n)$
  - Can we do better?

13 Homomorphic Encryption
- Public-Key Encryption
- Additive
  - $E_{pk}(a) +_h E_{pk}(b) = E_{pk}(a+b)$
  - [Pai`99, DJ`01, …]
- Multiplicative
  - $E_{pk}(a) \times_h E_{pk}(b) = E_{pk}(ab)$
  - [ElGamal`84, …]
- More powerful
  - 2-DNF formulas [BGN`05]
  - Fully homomorphic [Gentry`09, …]

14 Via Full Homomorphism
- [Diagram: key pair $(pk, sk)$; messages $pk$, $E_{pk}(y_1), \ldots, E_{pk}(y_n)$ and $E_{pk}(f(X,Y))$]
- Communication: $O(n)$ ciphertexts

15 Problem Solved?
- Fully homomorphic encryption
  - Not practical at this stage
- We still have to deal with "malicious behavior"

16 Semi-honest Poly
- Additively homomorphic
- Let $P(X,Y)$ be degree 3
- $P(X,Y) = P_a(X,Y) + P_b(X,Y)$
  - monomials in $P_a$ are degree < 2 in $x_i$
  - monomials in $P_b$ are degree < 2 in $y_i$
- [Diagram: parties X and Y; key pair $(pk_a, sk_a)$ with messages $E_{pk_a}(y_1), \ldots, E_{pk_a}(y_n)$ and $E_{pk_a}(P_b(X,Y))$; key pair $(pk_b, sk_b)$ with messages $E_{pk_b}(x_1), \ldots, E_{pk_b}(x_n)$ and $E_{pk_b}(P_a(X,Y))$]

17
- Comm: $O(n)$ ciphertexts
- Using more efficient encryption schemes
  - Only additive homomorphism is needed
- Only secure against semi-honest adversaries
- How to defend against malicious adversaries?
  - And keep communication low
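
As an added illustration (not code from the presentation or its authors), the exchange on the Semi-honest Poly slide can be run end to end with a toy Paillier scheme as the additively homomorphic encryption. The primes, the polynomial $P_a + P_b$ and all function names are assumptions of this example, and decrypting and summing the two halves in the clear is a simplification; the slides do not show how the halves are combined.

```python
import secrets

P, Q = 2**31 - 1, 2**61 - 1            # constructed toy primes: NOT a secure key size

def keygen():
    n, phi = P * Q, (P - 1) * (Q - 1)
    return n, (phi, pow(phi, -1, n))   # pk = n (generator g = n + 1), sk = (phi, mu)

def enc(n, m):
    r = secrets.randbelow(n - 2) + 2   # fresh randomness for every ciphertext
    return (1 + (m % n) * n) * pow(r, n, n * n) % (n * n)

def dec(n, sk, c):
    phi, mu = sk
    return (pow(c, phi, n * n) - 1) // n * mu % n

def add(n, c1, c2):                    # E(a) +_h E(b) = E(a + b)
    return c1 * c2 % (n * n)

def scale(n, c, k):                    # plaintext k times E(a) gives E(k * a)
    return pow(c, k % n, n * n)

# Hypothetical degree-3 polynomial P = P_a + P_b, split as on the slide.
def p_a(x, y):                         # every monomial has degree < 2 in the x_i
    return 3 * x[0] * y[0] * y[1] + x[1] * y[0]

def p_b(x, y):                         # every monomial has degree < 2 in the y_i
    return 2 * x[0] * x[1] * y[1] + x[0] * x[0] * y[0]

def run(x, y):
    n_a, sk_a = keygen()               # (pk_a, sk_a): party holding Y
    n_b, sk_b = keygen()               # (pk_b, sk_b): party holding X (same toy primes)
    enc_y = [enc(n_a, v) for v in y]   # Y-holder -> X-holder: E_pk_a(y_i)
    enc_x = [enc(n_b, v) for v in x]   # X-holder -> Y-holder: E_pk_b(x_i)
    # X-holder: P_b is linear in the y_i, so its own x values act as plaintext scalars.
    c_pb = add(n_a, scale(n_a, enc_y[1], 2 * x[0] * x[1]),
                    scale(n_a, enc_y[0], x[0] * x[0]))
    # Y-holder: P_a is linear in the x_i, so its own y values act as plaintext scalars.
    c_pa = add(n_b, scale(n_b, enc_x[0], 3 * y[0] * y[1]),
                    scale(n_b, enc_x[1], y[0]))
    # Simplification of this example: each half is decrypted and summed in the clear.
    return dec(n_a, sk_a, c_pb) + dec(n_b, sk_b, c_pa)
```

Each party sends one ciphertext per input and receives one back, which is the O(n) ciphertext count the slide states.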

18 Preventing Malicious Behavior
- $S_i(0) = x_i$
- $S_i(1) = x_{i,1}$, $S_i(2) = x_{i,2}$, $S_i(k) = x_{i,k}$
- RS decoding

19 High Level Description
- 1) Semihonest-Poly for $P_1(X_1, Y_1)$
- k) Semihonest-Poly for $P_k(X_k, Y_k)$
- Reveal/verify the secrets for protocols in $C_b$
- Reveal/verify the secrets for protocols in $C_a$
- Combine results and decode the output

20 The Intuition
- Cut-and-Choose
  - Majority of unopened protocols are performed honestly
  - $|C_a| + |C_b| > t_1$
- Reed-Solomon Decoding
  - Number of errors in the "Output Codeword" is small
  - Efficient and unambiguous decoding
- Secret Sharing
  - The number of opened shares is less than a threshold
  - $|C_a| + |C_b| < t_2$
  - No information about the inputs is revealed
- $|C_a| + |C_b| = 2k/5$
- [DMRY`09]
  - Similar techniques for the set intersection problem
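
An added sketch (not from the presentation) of the share, evaluate and decode idea in slides 18 to 20: each input is shared as $S_i(0) = x_i$, the polynomial is evaluated share-wise, and the output codeword is decoded despite a few bad positions. It assumes every $P_j$ is the same hypothetical polynomial applied to the j-th shares, uses a brute-force decoder in place of efficient RS decoding, and does not model the cut-and-choose opening; the field, names and parameters are constructed.

```python
import itertools, random

F = 2**31 - 1                          # prime field modulus (constructed for the demo)

def share(secret, t, k, rng):
    """Degree-t polynomial S with S(0) = secret; returns [S(1), ..., S(k)]."""
    coef = [secret] + [rng.randrange(F) for _ in range(t)]
    return [sum(c * pow(j, e, F) for e, c in enumerate(coef)) % F
            for j in range(1, k + 1)]

def interpolate(points, z):
    """Lagrange-evaluate at z the unique polynomial through `points` over GF(F)."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num, den = num * (z - xj) % F, den * (xi - xj) % F
        total = (total + yi * num * pow(den, -1, F)) % F
    return total

def decode(codeword, deg):
    """Brute-force unique decoding: return the value at 0 of the degree <= deg
    polynomial within (k - deg - 1) // 2 errors of the codeword, else None."""
    k = len(codeword)
    pts = list(enumerate(codeword, start=1))
    max_err = (k - deg - 1) // 2
    for subset in itertools.combinations(pts, deg + 1):
        agree = sum(interpolate(subset, j) == v for j, v in pts)
        if agree >= k - max_err:
            return interpolate(subset, 0)
    return None                        # too many corrupted positions

def poly(x, y):                        # hypothetical degree-3 polynomial P(X, Y)
    return (x[0] * y[0] * y[1] + 2 * x[0] * x[1] * y[1]) % F

def evaluate_shared(x, y, t=1, k=10, corrupt=(), seed=1):
    rng = random.Random(seed)
    xs = [share(v, t, k, rng) for v in x]      # xs[i][j-1] = x_{i,j}
    ys = [share(v, t, k, rng) for v in y]
    # Instance j evaluates P on the j-th shares: a point on a degree <= 3t polynomial.
    out = [poly([s[j] for s in xs], [s[j] for s in ys]) for j in range(k)]
    for j in corrupt:                          # instances that returned a wrong value
        out[j] = (out[j] + 1) % F
    return decode(out, 3 * t)
```

With k = 10 and t = 1 the output codeword has degree at most 3, so up to three wrong instances are corrected and a fourth makes decoding fail rather than return a wrong value.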

21 Better Amortized Efficiency
- Evaluating $(X_1, Y_1), \ldots, (X_d, Y_d)$ at polynomial P
  - Batch evaluation
  - e.g. useful for linear algebra
- Run d instances of the protocol in parallel
  - Parallel composition (possible with small modifications)
  - $O(dkn)$ communication
- Encode d inputs using one polynomial
  - Share-packing techniques [FK`92]
  - $O((k+d)n)$ communication!

22 Secure Linear Algebra
- [KMWF`07, MW`08]
  - Solving joint linear systems, joint rank/determinant computation
  - Reduced to secure matrix multiplication
- Secure matrix multiplication
  - Evaluation of $O(n^2)$ polynomials ($n \times n$ matrix)
  - $O(kn^2)$ communication
- Secure linear algebra
  - $O(sn^{1/s})$ matrix multiplication
  - $O(s)$ round, $O(kn^2 + sn^{2+1/s})$ comm.
  - Security parameter only multiplied by the smaller factor

23 Working Over a Finite Field
- Goldwasser-Micali encryption [GM`82]
  - Works for GF(2)
- For RS codes, we need $|F| = O(k)$
- Extend GM to encrypt/decrypt over $GF(2^s)$
  - $E(a_1), \ldots, E(a_s)$ where $a_i$ in GF(2)
- Homomorphic properties?
  - Addition: component-wise addition
  - Plaintext-ciphertext multiplication
  - (enc. poly) x (pub. poly) mod (pub. poly)
  - Details in the paper

24 Working Over a Finite Field
- Paillier's encryption [Pai`99]
  - Works over $Z_N$ where $N = pq$
  - "RS decoding" and "inversion" of elements?
- If inversion or RS decoding fail
  - Then we can factor N
  - Safe to pretend we work over a finite field
- Useful for other MPC protocols
  - Other alternative is (variant of) ElGamal: $g^m h^r$
  - Inefficient decryption, but sufficient for some applications

25 Other Extensions
- Higher degree polynomials
  - Protocols extend to degree-t polynomials
  - $O(n^{\lfloor t/2 \rfloor})$ communication
- Security against "covert" adversaries
  - Between malicious and semi-honest security
  - Better efficiency
- Multiparty setting
  - Using techniques from [IPS`08]
  - Not as efficient as our two-party protocol

26 Open Questions
- Degree t>3 protocols are not optimal
  - Can we design protocols with $O(n)$ communication
  - Security against malicious adversaries
- More powerful homomorphic encryption schemes
  - Evaluating 2-DNF formulas [BGN`05]
  - Defending against malicious behavior?
  - Similar techniques do NOT seem to work
- Efficient semihonest-to-malicious compilers
  - ZK compilers not efficient
  - Ours is only optimal for low-degree polynomials
  - How about other functions

27 Thank You!

