- 56 Views
- Uploaded on
- Presentation posted in: General

Efficient and Robust Private Set Intersection and multiparty multivariate polynomials

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Efficient and Robust Private Set Intersectionand multiparty multivariate polynomials

Dana Dachman-Soled1, Tal Malkin1, Mariana Raykova1, Moti Yung1,2

1Columbia University, 2Google Inc.

Efficient and Robust Private Set Intersection

Dana Dachman-Soled1, Tal Malkin1, Mariana Raykova1, Moti Yung1,2

1Columbia University, 2Google Inc.

Warning: many details skipped, some cheating!

Server: Y

|Y| = m

Trusted Party

Client: X

|X| = n

Server: Y

|Y| = m

Trusted Party

Client: X

|X| = n

Server: Y

|Y| = m

Trusted Party

Client: X

|X| = n

?

Widely used in area of Privacy Preserving Data Mining

Enables institutions to share personal information such as medical or financial records.

- FNP04 – semi-honest case, malicious in the random oracle model
- KS05 – semi-honest + ZKN proofs
- HL08 – one side simulatability and covert adversaries
- JL09 – malicious case, polynomial size domains, Decisional q-Diffie-Hellman Inversion Assumption

- First Set Intersection protocol secure against malicious parties in the standard simulation model
- Black-box construction assuming (singly) homomorphic encryption with a natural property (satisfied by known constructions)
- Additive El-Gamal (DDH) ; Paillier (DCR)
Extensions:

- multi-party set intersection
- general multivariate polynomials

- Additive homomorphic property
- Enc(x,r1)*Enc(y,r2)=Enc(x+y,r3)

- Additional property:
- Can compute r3 from r1 and r2
- Known schemes have this property

- ElGamal – additive homomorphism variant
- Inefficient decryption, equality comparison possible

- Paillier

- Communication complexity: O(mk2log2(n)+nk)
- SMC circuit evaluation – size of cicuit + ZK proofs (at least nm, even before ZK)
- Realistic scenarios – m,n >> k

Start from semi-honest [FNP] using a polynomial

Add redundancy using [Shamir] polynomial secret sharing (motivated by [CDMW08] techniques)

Rely on commutative nature of polynomials to translate input shares to output shares for reconstruction (Lagrange interpolation)

Cut and choose to enforce honest behavior

Input preprocessing for degree reduction

- Client represents its input set X, |X| = n with a polynomial Q(x) of deg n, s.t. Q(xi) = 0 iff xi in X
- Client sends to Server encrypted coefficients of Q under homomorphic encryption Enc
- Server evaluates Enc of Q’(yi) := Q(yi)*ri + yi (deg n) for every yi in his input set Y and sends to Client ci=Enc(Q’(yi)).
- Client decrypts each ci and outputs Dec(ci) if and only if it is in X (=iff it is in the intersection)

- Can use inconsistent values for its inputs

Q’(yi)

Q(yi)*ri + yi

=

=

an*yin

an-1*yin-1

a1*yi1

a0

yi

+

+ … +

+

+

yi

yi”

yi’

yi

Start from semi-honest [FNP] using a polynomial

Add redundancy using [Shamir] polynomial secret sharing (motivated by [CDDIM] techniques)

Rely on commutative nature of polynomials to translate input shares to output shares for reconstruction (Lagrange interpolation)

Cut and choose to enforce honest behavior

Input preprocessing for degree reduction

Step 1: Input Sharing

Server shares and commits to preprocessed inputs using Shamir secret sharing (=Reed-Solomon) Code

For each preprocessed input:

Send commitments to client:

yi

Pi where Pi(0) = yi, deg(Pi) = k

. . .

Com(Pi(1))

Com(Pi(2))

Com(Pi(3))

Com(Pi(4))

Com(Pi(10kD))

D = degree of output sharing polynomial: TBD

Step 2: Polynomial Evaluation on Shares

For each yi: Server evaluates (encrypted) Q’ on the corresponding shares, to get (encrypted versions of) output shares:

. . .

Q’(Pi(1))

Q’(Pi(2))

Q’(Pi(3))

Q’(Pi(4))

Q’(Pi(10kD))

Client can decrypt, interpolate Q’Pi, and evaluate on 0 to get Q’(Pi(0))=Q’(yi) as wanted.

Step 3: Cut and Choose

Open k of the committed shares to show that Q’ was computed correctly for those shares:

. . .

Q’(Pi(1))

Q’(Pi(2))

Q’(Pi(3))

Q’(Pi(4))

Q’(Pi(10kD))

- Determines the number of output shares
- Total degree D = nk + k
- Total number of shares 10kD

Q’(yi)

Q(yi)*ri + yi

Q(Pi(j))*Rri(j) + Pi(j)

=

=

deg n

deg k

Start from semi-honest [FNP] using a polynomial

Add redundancy using [Shamir] polynomial secret sharing (motivated by [CDMW] techniques)

Rely on commutative nature of polynomials to translate input shares to output shares for reconstruction (Lagrange interpolation)

Cut and choose to enforce honest behavior

Input preprocessing for degree reduction

- Polynomial Degree Reduction
- Change of variables
- Polynomial Q(y) of degree n

y0 = y

y1 = y2

y2 = y4

……….

ylog n = y2

y

log n

Q(y)

Q(y0,y1,y2 …, ylog n )

deg n

deg log n

Homomorphic Encryption Zero Knowledge Proofs of Knowledge for client’s and server’s polynomials

Coin tossing for cut and choose

Etc.

Improved Communication Complexity: O(mk2log2(n)+nk)

Important in realistic scenarios with large input sets m,n >> k

Basic setting: public multivariate polynomial (poly size representation) over private inputs.

Alternatively: coefficients are also private.

Optmizations for specific polynomials, including multi-party set intersection

Our results:

Secure protocol (no honest majority, with broadcast) from homomorphic encryption with threshold decryption (Paillier)

Round table protocol with constant rounds

Same approach as above, but several technical issues to overcome (interpolating over encrypted values, handling errors, proofs of knowledge…)

- Correct computation of new variables
- Correct degree of input sharing polynomials
- HEPKPV Protocol

output

Party 2:

Accept/Reject

proof

input

(x1,…,xn) in L

ci = ENC(xi)

Party 1: x1,…,xn

Common: c1,…,cn, L

r1,…,rn in L

0

enc(r1)

enc(r2)

enc(rn)

open

1

…

x1+r1,…,xn+rn in L

c1 * enc(r1)

c2 * enc(r2)

cn * enc(rn)

- Extract Client’s input in HEPKPV
- Submit to TP and receives output
- Shares output and commits as output shares
- Simulates Server in interaction with Client committing to random input
- Makes sure can open correctly and verify computation of k output shares
- Rewinds coin-tossing for cut-and-choose to select the above k shares

- Simulates the Client in the interaction with the Server using random encryption of 0
- Extracts Server’s inputs in HEPKPV
- Rewinds coin tossing to open all Server’s shares
- Makes sure that most output shares are consistent with extracted input
- If the above holds, submit extracted input to TP

- Improved Communication Complexity
- O(mk2log2(n)+nk)
- circuit evaluation – size of circuit
- mn ZKN proofs
- Important in realistic scenarios with large input sets m,n >> k