Secure Evaluation of Multivariate Polynomials

Matthew Franklin (UC Davis), Payman Mohassel (U of Calgary)

Posted 14-Dec-2015 (upload: bennett-birch)

1

Matthew Franklin (UC Davis), Payman Mohassel (U of Calgary)

Secure Evaluation of Multivariate Polynomials

2

Oblivious Transfer

Sender inputs: x_0, x_1. Receiver input: choice bit b.

$x_b = x_0 (1-b) + x_1 b + (1-b)\,b\,r$

3

Secure Matrix Multiplication

Matrices

$A = \begin{pmatrix} a_{11} & a_{12} & a_{13} \\ a_{21} & a_{22} & a_{23} \\ a_{31} & a_{32} & a_{33} \end{pmatrix}, \qquad B = \begin{pmatrix} b_{11} & b_{12} & b_{13} \\ b_{21} & b_{22} & b_{23} \\ b_{31} & b_{32} & b_{33} \end{pmatrix}$

with product entries

$c_{ij} = b_{i1} a_{1j} + b_{i2} a_{2j} + b_{i3} a_{3j}$

• Building block for secure linear algebra [KMWF`07]
• Solving "shared" linear systems, …

4

DNF/CNF Formulas

A CNF formula such as $(a_1 \lor a_2) \land (\lnot a_1 \lor a_3) \land \ldots$ maps to the polynomial

$r (1 - a_1)(1 - a_2) + r\, a_1 (1 - a_3) + \ldots$

Each clause becomes a product with factor $(1 - a_i)$ for a literal $a_i$ and factor $a_i$ for a literal $\lnot a_i$, so the product is 1 exactly when every literal of the clause is false; the sum is 0 iff every clause is satisfied.

Check polynomial: $[(1-a_1)\,a_1 + (1-a_2)\,a_2 + (1-a_3)\,a_3 + \ldots]\, r$, which is 0 iff every $a_i \in \{0, 1\}$.

Predicate evaluation: TRUE = 0, FALSE = random.

5

Conditional OT

Retrieve a data item if a condition is met.

(Oblivious Transfer) + (Predicate Evaluation): if the predicate is TRUE, return the data item; if the predicate is FALSE, return a random value.

Reduced to polynomial evaluation.
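The three polynomials of slides 2, 4 and 5 evaluated in the clear, as an added example that is not part of the original slides: it shows the encoding TRUE = 0 / FALSE = random, the OT formula, and how the check polynomial catches non-boolean inputs. Assumptions not on the slides: the prime field FIELD, a fresh random r per clause (the slide writes a single r), and the 0-indexed clause representation.

```python
import random

FIELD = 2**61 - 1  # prime field for the demo (assumption: any large prime field works)


def _rng(rng):
    return rng if rng is not None else random.SystemRandom()


def ot_polynomial(x0, x1, b, rng=None):
    """Slide 2: x_b = x0(1-b) + x1 b + (1-b) b r.  For b in {0,1} the last term
    vanishes; for any other b a fresh random r masks both x0 and x1."""
    r = _rng(rng).randrange(FIELD)
    return (x0 * (1 - b) + x1 * b + (1 - b) * b * r) % FIELD


def cnf_predicate_polynomial(clauses, a, rng=None):
    """Slide 4: a CNF formula as a polynomial that is 0 when TRUE, random when FALSE.
    clauses: list of clauses, each a list of (var_index, negated) literals.
    Literal a_i contributes the factor (1 - a_i), literal ~a_i the factor a_i, so a
    clause's product is 1 exactly when all its literals are false."""
    rng = _rng(rng)
    total = 0
    for clause in clauses:
        term = rng.randrange(FIELD)            # assumption: fresh r per clause
        for var, negated in clause:
            term = term * (a[var] if negated else (1 - a[var])) % FIELD
        total = (total + term) % FIELD
    return total


def check_polynomial(a, rng=None):
    """Slide 4: [(1-a1)a1 + (1-a2)a2 + ...] r is 0 iff every a_i is 0 or 1."""
    r = _rng(rng).randrange(FIELD)
    return sum((1 - ai) * ai for ai in a) * r % FIELD


def conditional_ot(data, clauses, a, rng=None):
    """Slide 5: data item + predicate polynomial + check polynomial.
    Returns the data item when the predicate holds on boolean inputs, random otherwise."""
    rng = _rng(rng)
    mask = (cnf_predicate_polynomial(clauses, a, rng) + check_polynomial(a, rng)) % FIELD
    return (data + mask) % FIELD


# Constructed example formula: (a0 or a1) and (not a0 or a2), variables 0-indexed.
EXAMPLE_CNF = [[(0, False), (1, False)], [(0, True), (2, False)]]

if __name__ == "__main__":
    rng = random.Random(1)
    print(ot_polynomial(5, 9, 0, rng), ot_polynomial(5, 9, 1, rng))   # 5 9
    print(cnf_predicate_polynomial(EXAMPLE_CNF, [1, 0, 1], rng))       # 0 (formula TRUE)
    print(cnf_predicate_polynomial(EXAMPLE_CNF, [1, 0, 0], rng))       # random (formula FALSE)
    print(conditional_ot(42, EXAMPLE_CNF, [1, 0, 1], rng))             # 42
```

In the protocol these polynomials are evaluated on private inputs; evaluating them in the clear only makes the output encoding visible. A non-boolean input such as a_0 = 2 satisfies neither clause product nor the check polynomial, so the conditional OT output is masked even if the formula would be "true" under integer arithmetic.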

6

Evaluating Multivariate Polynomials

Inputs $X = (x_1, x_2, \ldots, x_n) \in F^n$ and $Y = (y_1, y_2, \ldots, y_n) \in F^n$.

Example: $f(X, Y) = a \cdot x\,y\,x + b \cdot x\,y + \cdots$ (a degree-3 example polynomial with coefficients a and b; the variable indices did not survive extraction).

7

Secure Two-Party Computation

One party holds X, the other holds Y; both obtain f(X, Y).

Security: simulation of the real protocol in an ideal world.

8

Security Definition (Semi-honest)

Ideal world: Alice sends x and Bob sends y to a trusted third party (TTP); the TTP returns f(x, y) to both Alice and Bob.

9

Security Definition (Malicious)

Ideal world, malicious Alice and honest Bob: the malicious party may send anything in place of x; the honest party sends y.

Cheat = 0: the TTP returns f(x, y) to both parties.

10

Security Definition (Malicious)

Ideal world, malicious Alice and honest Bob: the malicious party may send anything in place of x; the honest party sends y.

Cheat = 1: the TTP sends "corrupt" to the honest party, and f(x, y) to the malicious party.

11

Security Definition

Simulation-based security: for any adversary A in the real protocol there is a simulator S in the ideal world such that

$\{O^{REAL}_{Alice,A},\; O^{REAL}_{Bob,A}\} \;\stackrel{c}{\equiv}\; \{O^{IDEAL}_{Alice,S},\; O^{IDEAL}_{Bob,S}\}$

12

General Constructions

Boolean circuits [Yao`86, MF`06, LP`07, …]

Arithmetic circuits [CDN`00, IPS`09, …]

Communication/computation proportional to circuit size. A degree-3 multivariate polynomial in n variables needs O(n^3) communication, while the input size is only O(n). Can we do better?

13

Homomorphic Encryption

Public-key encryption with homomorphic properties:

Additive: $E_{pk}(a) +_h E_{pk}(b) = E_{pk}(a + b)$ [Pai`99, DJ`01, …]

Multiplicative: $E_{pk}(a) \times_h E_{pk}(b) = E_{pk}(ab)$ [ElGamal`84, …]

More powerful: 2-DNF formulas [BGN`05]; fully homomorphic [Gentry`09, …]

14

Via Full Homomorphism

The party holding $Y = (y_1, \ldots, y_n) \in F^n$ generates (pk, sk) and sends pk together with $E_{pk}(y_1), \ldots, E_{pk}(y_n)$. The party holding $X = (x_1, \ldots, x_n) \in F^n$ homomorphically computes $E_{pk}(f(X, Y))$ and returns it.

Communication: O(n) ciphertexts

15

Problem Solved?

Fully homomorphic encryption: not practical at this stage.

We still have to deal with "malicious behavior".

16

Semi-honest Poly

Additively homomorphic encryption suffices. Let P(X, Y) have degree 3 and split it as P(X, Y) = Pa(X, Y) + Pb(X, Y), where the monomials in Pa have degree < 2 in the x_i (at most linear in X) and the monomials in Pb have degree < 2 in the y_i (at most linear in Y); since the total degree is at most 3, every monomial falls into one of the two parts.

Key pair (pk_a, sk_a): $E_{pk_a}(y_1), \ldots, E_{pk_a}(y_n)$ are sent, and $E_{pk_a}(Pb(X, Y))$ is computed from them with X in the clear (only plaintext-ciphertext multiplications and additions are needed) and returned.

Key pair (pk_b, sk_b): $E_{pk_b}(x_1), \ldots, E_{pk_b}(x_n)$ are sent, and $E_{pk_b}(Pa(X, Y))$ is computed from them with Y in the clear and returned.

Inputs: X on one side, Y on the other.

17

Communication: O(n) ciphertexts.

Using more efficient encryption schemes: only additive homomorphism is needed.

Only secure against semi-honest adversaries.

How to defend against malicious adversaries, and keep communication low?
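The semi-honest protocol structure of slide 16 worked through with Paillier encryption, as an added example that is neither the slides' nor the paper's code: the degree-3 polynomial is split into the part linear in X and the part linear in Y, and each part is evaluated under the other party's encryption using only additive homomorphism. Assumptions: the toy primes (real keys use large primes), the monomial representation, and that the example stops at the two decrypted halves (the slide does not spell out how they are combined; here their sum is P(X, Y)).

```python
import random
from math import gcd

# Toy Paillier parameters (assumption: real deployments use ~1024-bit primes).
P_PRIME, Q_PRIME = 1000003, 1000033


def paillier_keygen(p=P_PRIME, q=Q_PRIME):
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)                            # valid because g = n + 1
    return (n, n + 1), (lam, mu)


def paillier_encrypt(pk, m, rng):
    n, g = pk
    r = rng.randrange(1, n)
    while gcd(r, n) != 1:
        r = rng.randrange(1, n)
    return pow(g, m % n, n * n) * pow(r, n, n * n) % (n * n)


def paillier_decrypt(pk, sk, c):
    n, _ = pk
    lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n


def h_add(pk, c1, c2):                 # E(a) +h E(b) = E(a + b)
    return c1 * c2 % (pk[0] ** 2)


def h_scale(pk, c, k):                 # E(a)^k = E(k * a): plaintext-ciphertext product
    return pow(c, k % pk[0], pk[0] ** 2)


# A polynomial is a list of monomials (coeff, x_indices, y_indices), 0-based:
# (4, (0, 1), (2,)) means 4 * x0 * x1 * y2.
def split_degree3(poly):
    """P = Pa + Pb: Pa holds the monomials of degree < 2 in X, Pb the rest,
    which have degree < 2 in Y because the total degree is at most 3."""
    pa = [m for m in poly if len(m[1]) < 2]
    pb = [m for m in poly if len(m[1]) >= 2]
    assert all(len(m[2]) < 2 for m in pb), "total degree must be <= 3"
    return pa, pb


def eval_linear_part(pk, monomials, enc_vars, clear_vars, enc_idx, rng):
    """Evaluate a part that is linear in the encrypted vector under pk.
    enc_idx says which index tuple (1 = x_indices, 2 = y_indices) is encrypted."""
    acc = paillier_encrypt(pk, 0, rng)
    for coeff, xs, ys in monomials:
        enc_i, clear_i = (xs, ys) if enc_idx == 1 else (ys, xs)
        scalar = coeff
        for j in clear_i:
            scalar *= clear_vars[j]               # clear-text factors fold into the scalar
        if enc_i:                                  # exactly one encrypted factor
            term = h_scale(pk, enc_vars[enc_i[0]], scalar)
        else:                                      # constant in the encrypted variables
            term = paillier_encrypt(pk, scalar, rng)
        acc = h_add(pk, acc, term)
    return acc


def eval_poly(poly, X, Y):
    total = 0
    for coeff, xs, ys in poly:
        term = coeff
        for j in xs:
            term *= X[j]
        for j in ys:
            term *= Y[j]
        total += term
    return total


def semi_honest_poly(poly, X, Y, seed=0):
    """Slide 16 structure.  Returns (Pa(X,Y), Pb(X,Y)) as decrypted by the two
    key holders; their sum mod n equals P(X, Y)."""
    rng = random.Random(seed)
    pa, pb = split_degree3(poly)
    pk_a, sk_a = paillier_keygen()                          # first key pair
    pk_b, sk_b = paillier_keygen()                          # second key pair (same toy primes)
    enc_y = [paillier_encrypt(pk_a, y, rng) for y in Y]     # E_pka(y1), ..., E_pka(yn)
    c_pb = eval_linear_part(pk_a, pb, enc_y, X, 2, rng)     # E_pka(Pb(X,Y)), computed with X clear
    enc_x = [paillier_encrypt(pk_b, x, rng) for x in X]     # E_pkb(x1), ..., E_pkb(xn)
    c_pa = eval_linear_part(pk_b, pa, enc_x, Y, 1, rng)     # E_pkb(Pa(X,Y)), computed with Y clear
    return paillier_decrypt(pk_b, sk_b, c_pa), paillier_decrypt(pk_a, sk_a, c_pb)


# Constructed example: P = 4 x0 x1 y2 + 2 x0 y0 y1 + y0 y1 y2 + x2 + 9
EXAMPLE_POLY = [(4, (0, 1), (2,)), (2, (0,), (0, 1)), (1, (), (0, 1, 2)), (1, (2,), ()), (9, (), ())]
```

Each half is computed with n ciphertext-scalar multiplications and n additions, which is why the protocol needs only O(n) ciphertexts of communication and only additive homomorphism, matching slide 17.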

18

Preventing Malicious Behavior

Each input coordinate x_i is shared with a polynomial S_i:

$S_i(0) = x_i,\quad S_i(1) = x_{i,1},\quad S_i(2) = x_{i,2},\quad \ldots,\quad S_i(k) = x_{i,k}$

so $X = (x_1, x_2, \ldots, x_n) \in F^n$ is replaced by k shared inputs

$X_1 = (x_{1,1}, x_{2,1}, \ldots, x_{n,1}),\ \ldots,\ X_k = (x_{1,k}, x_{2,k}, \ldots, x_{n,k})$

(and likewise Y by $Y_1, \ldots, Y_k$). The k instances compute

$P_1(X_1, Y_1) = P(X_1, Y_1),\ \ldots,\ P_k(X_k, Y_k) = P(X_k, Y_k)$

and RS decoding of these values recovers $P(X, Y)$.

19

High Level Description

1) Semihonest-Poly for $P_1(X_1, Y_1)$
…
k) Semihonest-Poly for $P_k(X_k, Y_k)$

Bob picks $C_b \subset \{1, \ldots, k\}$; reveal/verify the secrets for the protocols in $C_b$.

Alice picks $C_a \subset \{1, \ldots, k\}$; reveal/verify the secrets for the protocols in $C_a$.

Combine the results and decode the output.

20

The Intuition

Cut-and-choose: the majority of the unopened protocols are performed honestly when $|C_a| + |C_b| > t_1$.

Reed-Solomon decoding: the number of errors in the "output codeword" is small, so decoding is efficient and unambiguous.

Secret sharing: the number of opened shares is below a threshold, $|C_a| + |C_b| < t_2$, so no information about the inputs is revealed.

$|C_a| + |C_b| = 2k/5$ [DMRY`09]

Similar techniques for the set intersection problem.
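The data flow of slides 18 to 20 simulated end to end, as an added example (not the authors' code): the inputs are shared with random polynomials, the k instances evaluate P on the share pairs, some instances return garbage as a cheating party would, and a Berlekamp-Welch Reed-Solomon decoder recovers P(X, Y) unambiguously from the output codeword. The cut-and-choose step itself is not simulated; the example only shows why few errors suffice for decoding. Assumptions: the field F, the sharing degree, and the constructed polynomial example_poly.

```python
import random

F = 2**31 - 1   # prime field for the demo (assumption: the slides only need |F| = O(k))


def poly_eval(coeffs, z):
    """coeffs[i] is the coefficient of z^i; Horner's rule mod F."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * z + c) % F
    return acc


def share_vector(vec, degree, rng):
    """Slide 18: per coordinate a random polynomial S_i of the given degree with S_i(0) = x_i."""
    return [[v % F] + [rng.randrange(F) for _ in range(degree)] for v in vec]


def solve_mod_f(rows, rhs):
    """Gaussian elimination over F; free variables are set to 0 (any solution suffices here)."""
    m = len(rows[0])
    M = [r[:] + [b] for r, b in zip(rows, rhs)]
    pivots, r = [], 0
    for c in range(m):
        piv = next((i for i in range(r, len(M)) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, F)
        M[r] = [v * inv % F for v in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(a - f * b) % F for a, b in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
        if r == len(M):
            break
    x = [0] * m
    for i, c in enumerate(pivots):
        x[c] = M[i][m]
    return x


def poly_div(num, den):
    """Polynomial long division over F; returns (quotient, remainder)."""
    num, out = num[:], [0] * (len(num) - len(den) + 1)
    inv = pow(den[-1], -1, F)
    for i in range(len(out) - 1, -1, -1):
        q = num[i + len(den) - 1] * inv % F
        out[i] = q
        for j, d in enumerate(den):
            num[i + j] = (num[i + j] - q * d) % F
    return out, num


def rs_decode(points, degree, max_errors):
    """Berlekamp-Welch: the unique polynomial of the given degree agreeing with all but
    at most max_errors of the (z, value) points; needs len(points) >= degree + 2*max_errors + 1.
    Unknowns: E_0..E_{e-1} (error locator E, monic of degree e) and Q_0..Q_{D+e},
    constrained by Q(z) = value * E(z) at every point; the answer is Q / E."""
    e, D = max_errors, degree
    rows, rhs = [], []
    for z, y in points:
        zp = [pow(z, j, F) for j in range(D + e + 1)]
        rows.append([(-y * zp[j]) % F for j in range(e)] + zp)
        rhs.append(y * zp[e] % F)
    sol = solve_mod_f(rows, rhs)
    f, rem = poly_div(sol[e:], sol[:e] + [1])
    if any(rem):
        raise ValueError("more than max_errors corrupted points")
    return f


def batch_evaluate_and_decode(P, X, Y, k, degree, corrupt, seed=0):
    """Slides 18-20 data flow: share X and Y, run the k instances on the share pairs,
    let the instances listed in `corrupt` misbehave, then RS-decode the output codeword."""
    rng = random.Random(seed)
    S, T = share_vector(X, degree, rng), share_vector(Y, degree, rng)
    outputs = []
    for j in range(1, k + 1):
        Xj, Yj = [poly_eval(s, j) for s in S], [poly_eval(t, j) for t in T]
        v = P(Xj, Yj) % F
        if j in corrupt:
            v = (v + rng.randrange(1, F)) % F          # a cheating instance returns garbage
        outputs.append((j, v))
    # P has degree 3, so Q(z) = P(S(z), T(z)) has degree 3*degree and Q(0) = P(X, Y).
    max_errors = (k - 3 * degree - 1) // 2
    return poly_eval(rs_decode(outputs, 3 * degree, max_errors), 0)


def example_poly(X, Y):          # constructed degree-3 polynomial in two x's and two y's
    return X[0] * X[1] * Y[0] + Y[1] + 3
```

With k = 8 instances and linear sharing the output codeword has distance 8 - 3 = 5, so up to two corrupted instances are corrected; a third one makes the remainder check fail instead of silently producing a wrong value, which is the "unambiguous" part of slide 20.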

21

Better Amortized Efficiency

Evaluating $(X_1, Y_1), \ldots, (X_d, Y_d)$ at the polynomial P: batch evaluation, useful e.g. for linear algebra.

Run d instances of the protocol in parallel: parallel composition (possible with small modifications), O(dkn) communication.

Encode the d inputs using one polynomial: share-packing techniques [FK`92], O((k + d)n) communication!

22

Secure Linear Algebra

[KMWF`07, MW`08]: solving joint linear systems, joint rank/determinant computation, all reduced to secure matrix multiplication.

Secure matrix multiplication: evaluation of O(n^2) polynomials (n x n matrix), O(kn^2) communication.

Secure linear algebra: O(s n^{1/s}) matrix multiplications, O(s) rounds, O(kn^2 + s n^{2 + 1/s}) communication. The security parameter k is only multiplied by the smaller factor.

23

Working Over a Finite Field

Goldwasser-Micali encryption [GM`82] works for GF(2).

For RS codes we need |F| = O(k), so extend GM to encrypt/decrypt over GF(2^s): encode an element as E(a_1), …, E(a_s) with a_i in GF(2).

Homomorphic properties? Addition: component-wise addition. Plaintext-ciphertext multiplication: (encrypted polynomial) x (public polynomial) mod (public polynomial). Details in the paper.
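The GF(2^s) extension of Goldwasser-Micali described above, as an added example that is not the paper's construction: each coefficient is a GM bit ciphertext, addition is component-wise ciphertext multiplication (XOR), and multiplication by a public element uses the fact that multiplication by a fixed element of GF(2^s) is a GF(2)-linear map, so each output coefficient is an XOR of input coefficients and can be formed on ciphertexts. Assumptions: the toy primes, GF(2^4) with modulus z^4 + z + 1, and the constructed operands.

```python
import random
from math import gcd

P_PRIME, Q_PRIME = 1000003, 1000033     # toy primes (assumption; real keys use large primes)
MOD_POLY, S = 0b10011, 4                # GF(2^4) = GF(2)[z] / (z^4 + z + 1) (assumption)


def gm_keygen(p=P_PRIME, q=Q_PRIME):
    n = p * q
    y = 2                               # a non-residue mod p and mod q (Jacobi symbol +1)
    while pow(y, (p - 1) // 2, p) != p - 1 or pow(y, (q - 1) // 2, q) != q - 1:
        y += 1
    return (n, y), p


def gm_encrypt_bit(pk, bit, rng):
    n, y = pk
    r = rng.randrange(1, n)
    while gcd(r, n) != 1:
        r = rng.randrange(1, n)
    return pow(y, bit, n) * r * r % n   # quadratic residue for 0, non-residue for 1


def gm_decrypt_bit(pk, p, c):
    return 0 if pow(c % p, (p - 1) // 2, p) == 1 else 1


def gm_xor(pk, c1, c2):                 # E(a) * E(b) = E(a xor b)
    return c1 * c2 % pk[0]


def gf_mul(a, b):
    """Carry-less product of two elements (bit i = coefficient of z^i), reduced mod MOD_POLY."""
    out = 0
    for i in range(S):
        if b >> i & 1:
            out ^= a << i
    for d in range(2 * S - 2, S - 1, -1):
        if out >> d & 1:
            out ^= MOD_POLY << (d - S)
    return out


def encrypt_element(pk, a, rng):        # E(a_1), ..., E(a_s): one GM ciphertext per coefficient
    return [gm_encrypt_bit(pk, a >> i & 1, rng) for i in range(S)]


def decrypt_element(pk, p, cts):
    return sum(gm_decrypt_bit(pk, p, c) << i for i, c in enumerate(cts))


def h_add_elements(pk, ca, cb):         # component-wise addition in GF(2^s)
    return [gm_xor(pk, x, y) for x, y in zip(ca, cb)]


def h_mul_by_public(pk, ca, c, rng):
    """Encrypted element times public element c.  Output coefficient j is the XOR of the
    input coefficients i whose basis image z^i * c has coefficient j set."""
    basis = [gf_mul(1 << i, c) for i in range(S)]       # images of z^0, ..., z^{s-1}
    out = []
    for j in range(S):
        acc = gm_encrypt_bit(pk, 0, rng)                # fresh encryption of 0
        for i in range(S):
            if basis[i] >> j & 1:
                acc = gm_xor(pk, acc, ca[i])
        out.append(acc)
    return out


def demo(seed=0):
    """Returns (a*c, a+b) recovered from ciphertexts for constructed a, b, c in GF(2^4)."""
    rng = random.Random(seed)
    pk, p = gm_keygen()
    a, c, b = 0b1001, 0b0110, 0b0101    # constructed: a = z^3 + 1, c = z^2 + z, b = z^2 + 1
    ca, cb = encrypt_element(pk, a, rng), encrypt_element(pk, b, rng)
    prod = decrypt_element(pk, p, h_mul_by_public(pk, ca, c, rng))
    total = decrypt_element(pk, p, h_add_elements(pk, ca, cb))
    return prod, total
```

Only the multiplier c must be public: the coefficient matrix of "multiply by c" is computed in the clear and then applied to the ciphertext vector, which is exactly the plaintext-ciphertext multiplication the slide asks for.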

24

Working Over a Finite Field

Paillier's encryption [Pai`99] works over Z_N with N = pq. What about "RS decoding" and "inversion" of elements?

If inversion or RS decoding fails, then we can factor N, so it is safe to pretend we work over a finite field.

This observation is useful for other MPC protocols. The other alternative is a (variant of) ElGamal, $g^m h^r$: inefficient decryption, but sufficient for some applications.

25

Other Extensions

Higher-degree polynomials: the protocols extend to degree-t polynomials with $O(n^{\lfloor t/2 \rfloor})$ communication.

Security against "covert" adversaries: between malicious and semi-honest security, better efficiency.

Multiparty setting: using techniques from [IPS`08]; not as efficient as our two-party protocol.

26

Open Questions

• Degree t > 3 protocols are not optimal
  • Can we design protocols with O(n) communication?
  • Security against malicious adversaries

• More powerful homomorphic encryption schemes
  • Evaluating 2-DNF formulas [BGN`05]
  • Defending against malicious behavior?
  • Similar techniques do NOT seem to work

• Efficient semihonest-to-malicious compilers
  • ZK compilers not efficient
  • Ours is only optimal for low-degree polynomials
  • How about other functions?

27

Thank You!