Matthew Franklin (UC Davis), Payman Mohassel (U of Calgary): Secure Evaluation of Multivariate Polynomials
Posted on 14-Dec-2015
1
Matthew Franklin, Payman Mohassel
UC Davis, U of Calgary
Secure Evaluation of Multivariate Polynomials
3
Secure Matrix Multiplication
$$A = \begin{pmatrix} a_{11} & a_{12} & a_{13} \\ a_{21} & a_{22} & a_{23} \\ a_{31} & a_{32} & a_{33} \end{pmatrix}, \qquad B = \begin{pmatrix} b_{11} & b_{12} & b_{13} \\ b_{21} & b_{22} & b_{23} \\ b_{31} & b_{32} & b_{33} \end{pmatrix}$$
$$c_{ij} = b_{i1} a_{1j} + b_{i2} a_{2j} + b_{i3} a_{3j}$$
Each entry of the product is a degree-2 polynomial in the two parties' inputs.
• Building block for secure linear algebra [KMWF`07]
• Solving "shared" linear systems, …
4
DNF/CNF Formulas
Formula: $(a_1 \lor a_2) \land (\lnot a_1 \lor a_3) \land \dots$
Polynomial: $r\,(1 - a_1)(1 - a_2) + r\, a_1 (1 - a_3) + \dots$
(one term per clause; for Boolean inputs a term is nonzero exactly when every literal of its clause is false, so the sum is 0 iff the formula is satisfied)
Check polynomial (forces the inputs to be Boolean): $\big[(1 - a_1)\, a_1 + (1 - a_2)\, a_2 + (1 - a_3)\, a_3 + \dots\big]\, r$
Predicate evaluation: TRUE = 0, FALSE = random (nonzero except with negligible probability)
5
Conditional OT
Retrieve a data item if a condition is met
(Oblivious Transfer) + (Predicate Evaluation): if the predicate is true, return the data item; if the predicate is false, return a random value
Reduced to polynomial evaluation: the sender's reply is the data item plus the predicate polynomial
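The clause polynomial and the conditional-OT reduction above, as an added example written for this page (not the authors' code). It assumes a prime field F_p, literals given as (variable index, negated) pairs, and, unlike the slide's single r, one independent nonzero randomiser per clause plus one for the Boolean check, so that a non-Boolean or unsatisfying input cannot cancel one nonzero term against another:

```python
import secrets

# Prime field for the arithmetisation (constructed choice; any large prime works).
FIELD_P = 2**61 - 1

# A literal is (variable index, negated?); a clause is a list of literals; a CNF is a list of clauses.
# Constructed sample: (a1 ∨ a2) ∧ (¬a1 ∨ a3) ∧ (a2 ∨ ¬a3), indices 0-based.
CNF_EXAMPLE = [[(0, False), (1, False)],
               [(0, True), (2, False)],
               [(1, False), (2, True)]]


def clause_false_term(clause, a, p=FIELD_P):
    """Product of (1 - a_i) for positive and a_i for negated literals.
    For Boolean a it is 1 exactly when every literal in the clause is false."""
    t = 1
    for i, negated in clause:
        t = t * (a[i] if negated else 1 - a[i]) % p
    return t


def cnf_predicate_value(cnf, a, rs, r_bool, p=FIELD_P):
    """Predicate polynomial: 0 iff a is Boolean and satisfies the CNF.
    rs holds one randomiser per clause, r_bool one for the Boolean check
    [(1 - a_1) a_1 + ...] r.  Independent randomisers stop a cheating input
    from cancelling one nonzero term against another."""
    clause_part = sum(r * clause_false_term(c, a, p) for r, c in zip(rs, cnf)) % p
    bool_check = sum(ai * (1 - ai) for ai in a) % p
    return (clause_part + r_bool * bool_check) % p


def fresh_randomisers(nclauses, p=FIELD_P):
    """Nonzero field elements chosen by the evaluating party."""
    return ([1 + secrets.randbelow(p - 1) for _ in range(nclauses)],
            1 + secrets.randbelow(p - 1))


def conditional_ot_payload(cnf, a, data, p=FIELD_P):
    """Conditional OT reduced to polynomial evaluation: the sender's reply is
    data + predicate(a).  It equals data when the predicate holds and is a
    random field element (nonzero offset except with probability ~1/p) otherwise."""
    rs, r_bool = fresh_randomisers(len(cnf), p)
    return (data + cnf_predicate_value(cnf, a, rs, r_bool, p)) % p
```

With fixed randomisers [3, 5, 7] and 11 the assignment (0, 0, 1) falsifies the first and third clauses and yields 3 + 7 = 10, while the non-Boolean assignment (2, 1, 1) satisfies every clause term yet is caught by the check polynomial.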
7
Secure Two-Party Computation
Alice holds X, Bob holds Y
Output: f(X,Y)
Security: simulation of the real protocol in an ideal world
9
Security Definition (Malicious)
Ideal World: a trusted third party (TTP) computes f. The honest party sends its true input y; the malicious party may send anything in place of x, together with a cheat bit. The TTP returns f(x,y) (computed on whatever was sent) to the malicious party.
Cheat = 0: the TTP also sends f(x,y) to the honest party.
10
Security Definition (Malicious), continued
Cheat = 1: the TTP sends "corrupt" to the honest party instead of f(x,y); the malicious party still receives f(x,y).
11
Security Definition
Simulation-based security: for any adversary A in the real protocol there is a simulator S in the ideal world such that the joint outputs are computationally indistinguishable:
$$\big(O^{\mathrm{REAL}}_{\mathrm{Alice},A},\; O^{\mathrm{REAL}}_{\mathrm{Bob},A}\big) \;\stackrel{c}{\equiv}\; \big(O^{\mathrm{IDEAL}}_{\mathrm{Alice},S},\; O^{\mathrm{IDEAL}}_{\mathrm{Bob},S}\big)$$
12
General Constructions
Boolean circuits [Yao`86, MF`06, LP`07, …]
Arithmetic circuits [CDN`00, IPS`09, …]
Communication and computation are proportional to circuit size.
A degree-3 multivariate polynomial in n variables has a circuit of size O(n^3), hence O(n^3) communication, while the input size is only O(n). Can we do better?
13
Homomorphic Encryption
Public-key encryption with a homomorphic property:
Additive: E_pk(a) +_h E_pk(b) = E_pk(a + b) [Pai`99, DJ`01, …]
Multiplicative: E_pk(a) ×_h E_pk(b) = E_pk(ab) [ElGamal`84, …]
More powerful: 2-DNF formulas [BGN`05]; fully homomorphic [Gentry`09, …]
14
Via Full Homomorphism
Alice holds X = (x_1, …, x_n) ∈ F^n; Bob holds Y = (y_1, …, y_n) ∈ F^n and a key pair (pk, sk).
Bob → Alice: pk, E_pk(y_1), …, E_pk(y_n)
Alice → Bob: E_pk(f(X,Y)), computed homomorphically from the ciphertexts and her own X
Communication: O(n) ciphertexts
15
Problem Solved?
Fully homomorphic encryption is not practical at this stage
We still have to deal with "malicious behavior"
16
Semi-honest Poly
Uses additively homomorphic encryption only. Let P(X,Y) have degree 3 and split it as P(X,Y) = P_a(X,Y) + P_b(X,Y), where every monomial of P_a has degree < 2 (i.e. at most 1) in the x_i and every monomial of P_b has degree < 2 in the y_i. Such a split always exists: a monomial of total degree at most 3 is at most linear in X or at most linear in Y.
Alice holds X, Bob holds Y. (pk_a, sk_a) is the key pair under which Bob's inputs travel for Alice to compute on, (pk_b, sk_b) the one under which Alice's inputs travel for Bob.
Bob → Alice: E_pk_a(y_1), …, E_pk_a(y_n). Alice computes E_pk_a(P_b(X,Y)) with ciphertext additions and plaintext-ciphertext multiplications only (P_b is at most linear in Y, and the X-part of each monomial is known to her), and returns it.
Alice → Bob: E_pk_b(x_1), …, E_pk_b(x_n). Bob computes E_pk_b(P_a(X,Y)) the same way and returns it.
The two decrypted values P_a(X,Y) and P_b(X,Y) add up to P(X,Y).
17
Comm: O(n) ciphertexts
Using more efficient encryption schemes: only additive homomorphism is needed
Only secure against semi-honest adversaries
How to defend against malicious adversaries, and keep communication low?
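An added example (not the authors' implementation) of the semi-honest protocol with a toy Paillier scheme. Assumptions beyond the slide: each party generates its own Paillier key and encrypts its own inputs under it; the party evaluating a part adds a random mask to the ciphertext before returning it, with masks STAT_SEC bits larger than the part's value so that the decrypted integer statistically hides the evaluator's inputs; inputs and output live in a public field F_p much smaller than both Paillier moduli, and the two masked values are turned into additive shares of P(X,Y) mod p. The Mersenne-prime moduli are toy sizes and not secure:

```python
import math
import secrets

FIELD_P = 65537     # public field the polynomial is evaluated over (constructed choice)
STAT_SEC = 40       # statistical hiding parameter for the masks

# Toy Paillier moduli built from Mersenne primes: exact arithmetic, far too small to be secure.
ALICE_PRIMES = (2**61 - 1, 2**89 - 1)
BOB_PRIMES = (2**89 - 1, 2**107 - 1)


def keygen(p, q):
    """Paillier key pair with g = n + 1; pk = n, sk = (n, lambda, mu)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    mu = pow((pow(n + 1, lam, n * n) - 1) // n, -1, n)
    return n, (n, lam, mu)


def encrypt(n, m):
    n2 = n * n
    while True:
        r = 1 + secrets.randbelow(n - 1)
        if math.gcd(r, n) == 1:
            break
    return pow(n + 1, m % n, n2) * pow(r, n, n2) % n2


def decrypt(sk, c):
    n, lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n


def add(n, c1, c2):           # E(a) +_h E(b) = E(a + b)
    return c1 * c2 % (n * n)


def scale(n, c, k):           # k known in the clear: k * E(a) = E(k a)
    return pow(c, k % n, n * n)


# A polynomial is a list of monomials (coef, x-exponents, y-exponents).
# Constructed sample of degree 3 in X = (x1, x2, x3), Y = (y1, y2, y3):
#   2 x1 x2 y1 + x1 y2 y3 + 5 x3 + y3 + 3 y1 y2 y3 + 7 x1 x2 x3
EXAMPLE_POLY = [(2, (1, 1, 0), (1, 0, 0)), (1, (1, 0, 0), (0, 1, 1)),
                (5, (0, 0, 1), (0, 0, 0)), (1, (0, 0, 0), (0, 0, 1)),
                (3, (0, 0, 0), (1, 1, 1)), (7, (1, 1, 1), (0, 0, 0))]


def split_degree3(monos):
    """P = P_a + P_b: P_b collects monomials at most linear in Y (Alice evaluates them
    on encrypted Y); P_a the rest, which for degree <= 3 are at most linear in X."""
    if any(sum(xd) + sum(yd) > 3 for _, xd, yd in monos):
        raise ValueError("only degree <= 3 is supported here")
    pb = [m for m in monos if sum(m[2]) <= 1]
    pa = [m for m in monos if sum(m[2]) > 1]
    return pa, pb


def value_bound(monos, p=FIELD_P):
    """Upper bound on a part's value over the integers for inputs in [0, p)."""
    return sum(c * p ** (sum(xd) + sum(yd)) for c, xd, yd in monos) + 1


def eval_on_encrypted(n, monos, own, enc_other, own_is_x):
    """Homomorphically compute E(part(X, Y)) where part is at most linear in the
    encrypted side, so only ciphertext-plaintext products and additions are needed."""
    acc = encrypt(n, 0)
    for coef, xd, yd in monos:
        own_d, other_d = (xd, yd) if own_is_x else (yd, xd)
        k = coef
        for v, d in zip(own, own_d):
            k *= v ** d
        idx = [i for i, d in enumerate(other_d) if d]     # at most one index, exponent 1
        term = scale(n, enc_other[idx[0]], k) if idx else encrypt(n, k)
        acc = add(n, acc, term)
    return acc


def plain_eval(monos, X, Y, p=FIELD_P):
    total = 0
    for coef, xd, yd in monos:
        t = coef
        for v, d in zip(list(X) + list(Y), list(xd) + list(yd)):
            t *= v ** d
        total += t
    return total % p


def semi_honest_poly(monos, X, Y, p=FIELD_P):
    """Returns (alice_share, bob_share, output); the shares add to P(X, Y) mod p."""
    pa, pb = split_degree3(monos)
    n_a, sk_a = keygen(*ALICE_PRIMES)     # Alice's key: her X travels under it
    n_b, sk_b = keygen(*BOB_PRIMES)       # Bob's key: his Y travels under it
    enc_x = [encrypt(n_a, x) for x in X]  # Alice -> Bob
    enc_y = [encrypt(n_b, y) for y in Y]  # Bob -> Alice
    # Alice evaluates P_b on Bob's ciphertexts and masks the result; Bob does P_a.
    r_a = secrets.randbelow(value_bound(pb, p) << STAT_SEC)
    c_b = add(n_b, eval_on_encrypted(n_b, pb, X, enc_y, True), encrypt(n_b, r_a))   # -> Bob
    r_b = secrets.randbelow(value_bound(pa, p) << STAT_SEC)
    c_a = add(n_a, eval_on_encrypted(n_a, pa, Y, enc_x, False), encrypt(n_a, r_b))  # -> Alice
    # Each decryption is "own part + other's mask"; subtracting one's own mask gives a share.
    alice_share = (decrypt(sk_a, c_a) - r_a) % p
    bob_share = (decrypt(sk_b, c_b) - r_b) % p
    return alice_share, bob_share, (alice_share + bob_share) % p
```

The masks never wrap modulo the Paillier modulus because value_bound(part) << STAT_SEC stays far below both n_a and n_b; that is the only place the "pretend Z_N is a field" argument of the later slides is needed in this variant.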
18
Preventing Malicious Behavior
Each input x_i is secret-shared with a random polynomial S_i:
S_i(0) = x_i,  S_i(1) = x_{i,1},  S_i(2) = x_{i,2},  …,  S_i(k) = x_{i,k}
X = (x_1, …, x_n) ∈ F^n
X_1 = (x_{1,1}, …, x_{n,1}),  …,  X_k = (x_{1,k}, …, x_{n,k})   (Y is shared the same way into Y_1, …, Y_k)
The k values P̃(X_1,Y_1), …, P̃(X_k,Y_k) computed by the (possibly dishonest) sub-protocols should equal P(X_1,Y_1), …, P(X_k,Y_k). Because the shares are polynomial in the index, the correct values form a Reed-Solomon codeword whose underlying polynomial evaluates to P(X,Y) at 0.
RS decoding of the k computed values recovers P(X,Y) as long as few of them are wrong.
19
High Level Description
1) Semihonest-Poly for P_1(X_1, Y_1)
…
k) Semihonest-Poly for P_k(X_k, Y_k)
A subset C_b ⊂ {1, …, k} is opened: reveal/verify the secrets for the protocols in C_b
A subset C_a ⊂ {1, …, k} is opened: reveal/verify the secrets for the protocols in C_a
Combine the results of the unopened instances and decode the output
20
The Intuition
Cut-and-Choose: the majority of the unopened protocols were performed honestly, provided |C_a| + |C_b| > t_1
Reed-Solomon Decoding: the number of errors in the "output codeword" is then small, so decoding is efficient and unambiguous
Secret Sharing: the number of opened shares stays below the threshold, |C_a| + |C_b| < t_2, so no information about the inputs is revealed
E.g. |C_a| + |C_b| = 2k/5, as in [DMRY`09]
Similar techniques are used for the set intersection problem
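An added example (not from the paper) of the secret-sharing and Reed-Solomon steps of the procedure above. It shares each coordinate with a random degree-t polynomial, evaluates a fixed constructed degree-3 polynomial P3 on all k share vectors in the clear (standing in for the k semi-honest sub-protocols), corrupts a few outputs to model cheating instances, and recovers P3(X,Y) with a Berlekamp-Welch decoder. The error bound e = (k - 3t - 1)/2 is simply assumed here; in the protocol it is what cut-and-choose guarantees for the unopened instances:

```python
import secrets

FIELD_P = 2**31 - 1   # prime field (constructed choice)


def poly_eval(coeffs, z, p=FIELD_P):
    """Evaluate a polynomial given as low-to-high coefficients."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * z + c) % p
    return acc


def share_vector(vals, t, k, p=FIELD_P):
    """S_i(0) = x_i for a random degree-t polynomial S_i; returns the k share vectors
    X_1 = (S_1(1), ..., S_n(1)), ..., X_k = (S_1(k), ..., S_n(k))."""
    polys = [[x] + [secrets.randbelow(p) for _ in range(t)] for x in vals]
    return [tuple(poly_eval(S, j, p) for S in polys) for j in range(1, k + 1)]


def solve_mod_p(rows, nunk, p=FIELD_P):
    """Gauss-Jordan elimination on an augmented matrix over F_p; free unknowns are set to 0."""
    m = [r[:] for r in rows]
    pivots, r = [], 0
    for c in range(nunk):
        if r == len(m):
            break
        piv = next((i for i in range(r, len(m)) if m[i][c]), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        inv = pow(m[r][c], -1, p)
        m[r] = [v * inv % p for v in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c]:
                f = m[i][c]
                m[i] = [(vi - f * vr) % p for vi, vr in zip(m[i], m[r])]
        pivots.append((r, c))
        r += 1
    sol = [0] * nunk
    for r, c in pivots:
        sol[c] = m[r][nunk]
    return sol


def poly_divmod(num, den, p=FIELD_P):
    """Polynomial long division over F_p (low-to-high coefficients)."""
    num, dlen = num[:], len(den)
    quot = [0] * max(len(num) - dlen + 1, 0)
    inv = pow(den[-1], -1, p)
    for i in range(len(num) - dlen, -1, -1):
        q = num[i + dlen - 1] * inv % p
        quot[i] = q
        for j in range(dlen):
            num[i + j] = (num[i + j] - q * den[j]) % p
    return quot, num


def rs_decode(points, values, d, e, p=FIELD_P):
    """Berlekamp-Welch: recover the unique degree-<=d polynomial agreeing with all but
    at most e of the (point, value) pairs; needs len(points) >= d + 2e + 1."""
    if len(points) < d + 2 * e + 1:
        raise ValueError("not enough evaluations for this error bound")
    rows = []
    for z, y in zip(points, values):                 # N(z) - y E(z) = 0, E monic of degree e
        row = [pow(z, i, p) for i in range(d + e + 1)]
        row += [-y * pow(z, i, p) % p for i in range(e)]
        row.append(y * pow(z, e, p) % p)
        rows.append(row)
    sol = solve_mod_p(rows, d + 2 * e + 1, p)
    N, E = sol[:d + e + 1], sol[d + e + 1:] + [1]
    Q, rem = poly_divmod(N, E, p)
    if any(rem):
        raise ValueError("more than e errors")
    return Q


def P3(X, Y, p=FIELD_P):
    """Constructed degree-3 polynomial: x1 x2 y1 + x1 y2 y3 + 5 x3 + y3."""
    return (X[0] * X[1] * Y[0] + X[0] * Y[1] * Y[2] + 5 * X[2] + Y[2]) % p


def evaluate_with_corruptions(X, Y, t, k, cheated, p=FIELD_P):
    """Run P3 on k share vectors, corrupt the instances in `cheated`, and recover P3(X, Y)
    by RS-decoding the k outputs as a degree-3t codeword.  The error bound e is what the
    cut-and-choose step would guarantee; here it is simply (k - 3t - 1) // 2."""
    Xs, Ys = share_vector(X, t, k, p), share_vector(Y, t, k, p)
    outs = [P3(Xs[j], Ys[j], p) for j in range(k)]
    for j in cheated:                                 # a cheating instance returns garbage
        outs[j] = (outs[j] + 1 + secrets.randbelow(p - 1)) % p
    e = (k - 3 * t - 1) // 2
    Q = rs_decode(list(range(1, k + 1)), outs, 3 * t, e, p)
    return poly_eval(Q, 0, p)                          # Q(0) = P3(S(0), T(0)) = P3(X, Y)
```

With t = 2 and k = 11 the codeword polynomial has degree 6 and the decoder tolerates e = 2 wrong instances; pushing a third corruption in makes poly_divmod leave a nonzero remainder, which is the "unambiguous decoding" guarantee failing loudly rather than silently.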
21
Better Amortized Efficiency
Evaluating (X_1, Y_1), …, (X_d, Y_d) at the polynomial P: batch evaluation, e.g. useful for linear algebra
Run d instances of the protocol in parallel: parallel composition (possible with small modifications), O(dkn) communication
Encode the d inputs using one polynomial: share-packing techniques [FK`92], O((k + d) n) communication!
22
Secure Linear Algebra
[KMWF`07, MW`08]: solving joint linear systems, joint rank/determinant computation, all reduced to secure matrix multiplication
Secure matrix multiplication: evaluation of O(n^2) polynomials (n × n matrices), O(kn^2) communication
Secure linear algebra: O(s n^{1/s}) matrix multiplications, O(s) rounds, O(kn^2 + s n^{2+1/s}) communication; the security parameter k multiplies only the smaller factor
23
Working Over a Finite Field
Goldwasser-Micali encryption [GM`82] works for GF(2), but RS codes need |F| = O(k). Extend GM to encrypt/decrypt over GF(2^s):
An element a = a_1 + a_2 z + … + a_s z^{s-1} is encrypted bitwise as E(a_1), …, E(a_s) with a_i ∈ GF(2)
Homomorphic properties: addition is component-wise; plaintext-ciphertext multiplication is (encrypted polynomial) × (public polynomial) mod (public irreducible polynomial), which is GF(2)-linear in the encrypted bits and so needs only ciphertext products. Details in the paper
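An added example (not the paper's construction, whose details are in the paper) of the bitwise GM encoding of GF(2^s) and the two homomorphic operations just listed. Assumptions: a toy GM modulus from two primes congruent to 3 mod 4 (so that -1 serves as the public non-residue), the AES polynomial z^8 + z^4 + z^3 + z + 1 as the public irreducible polynomial, and elements stored as s-bit integers with bit i holding the coefficient of z^i:

```python
import math
import secrets

# Toy Goldwasser-Micali parameters (constructed; far too small to be secure).
# Both primes are 3 mod 4, so -1 is a non-residue modulo each and has Jacobi symbol +1 mod N.
GM_P, GM_Q = 2**31 - 1, 2**61 - 1
GM_N = GM_P * GM_Q
GM_X = GM_N - 1                      # the public non-residue x


def gm_encrypt(bit):
    while True:
        r = 1 + secrets.randbelow(GM_N - 1)
        if math.gcd(r, GM_N) == 1:
            break
    c = r * r % GM_N
    return c * GM_X % GM_N if bit else c


def gm_decrypt(c):
    """Euler's criterion mod p: residues give 1, non-residues give p - 1."""
    return 0 if pow(c % GM_P, (GM_P - 1) // 2, GM_P) == 1 else 1


def gm_xor(c1, c2):
    """E(a) * E(b) = E(a XOR b): the additive homomorphism over GF(2)."""
    return c1 * c2 % GM_N


# GF(2^s) elements are s-bit ints (bit i = coefficient of z^i); `mod` is the public
# irreducible polynomial with bit s set.  Sample field: AES's GF(2^8), z^8+z^4+z^3+z+1.
AES_MOD, AES_S = 0x11B, 8


def gf2_mul_mod(a, b, mod, s):
    """Plaintext carry-less multiplication reduced modulo `mod`."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> s) & 1:
            a ^= mod
    return r


def enc_element(a, s=AES_S):
    """E(a_1), ..., E(a_s): one GM ciphertext per coefficient."""
    return [gm_encrypt((a >> i) & 1) for i in range(s)]


def dec_element(cts):
    return sum(gm_decrypt(c) << i for i, c in enumerate(cts))


def enc_add(c1, c2):
    """Component-wise addition of two encrypted elements."""
    return [gm_xor(a, b) for a, b in zip(c1, c2)]


def enc_mul_public(cts, q, mod=AES_MOD, s=AES_S):
    """(encrypted polynomial) x (public polynomial q) mod (public polynomial):
    multiplication by q is GF(2)-linear, so output bit k is the XOR of those input
    bits a_i for which z^i * q mod `mod` has bit k set; the XOR is the homomorphism."""
    cols = [gf2_mul_mod(1 << i, q, mod, s) for i in range(s)]
    out = []
    for k in range(s):
        acc = gm_encrypt(0)              # fresh encryption of 0 so every output is randomised
        for i in range(s):
            if (cols[i] >> k) & 1:
                acc = gm_xor(acc, cts[i])
        out.append(acc)
    return out
```

The check value {57} × {83} = {c1} is the worked multiplication from FIPS-197; the same product computed on ciphertexts decrypts to it.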
24
Working Over a Finite Field
Paillier's encryption [Pai`99] works over Z_N with N = pq, which is a ring rather than a field. What about "RS decoding" and "inversion" of elements?
If inversion or RS decoding fails, a non-invertible element has been found, and then we can factor N. So it is safe to pretend we work over a finite field.
Useful for other MPC protocols as well.
The other alternative is (a variant of) ElGamal with the message in the exponent, g^m h^r: inefficient decryption, but sufficient for some applications.
25
Other Extensions
Higher-degree polynomials: the protocols extend to degree-t polynomials with O(n^{⌊t/2⌋}) communication
Security against "covert" adversaries: between malicious and semi-honest security, with better efficiency
Multiparty setting: using techniques from [IPS`08]; not as efficient as our two-party protocol
26
Open Questions
• Degree t>3 protocols are not optimal• Can we design protocols with O(n) communication• Security against malicious adversaries
• More powerful homomorphic encryption schemes• Evaluating 2-DNF formulas [BGN`05]• Defending against malicious behavior?
• Similar techniques do NOT seem to work
• Efficient semihonest-to-malicious compilers• ZK compilers not efficient• Ours is only optimal for low-degree polynomials• How about other functions