Loading in 5 sec....

Efficient and Robust Private Set Intersection and multiparty multivariate polynomialsPowerPoint Presentation

Efficient and Robust Private Set Intersection and multiparty multivariate polynomials

- By
**semah** - Follow User

- 79 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about ' Efficient and Robust Private Set Intersection and multiparty multivariate polynomials' - semah

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

### Efficient and Robust Private Set Intersectionand multiparty multivariate polynomials

### Efficient and Robust Private Set Intersection

Dana Dachman-Soled1, Tal Malkin1, Mariana Raykova1, Moti Yung1,2

1Columbia University, 2Google Inc.

Dana Dachman-Soled1, Tal Malkin1, Mariana Raykova1, Moti Yung1,2

1Columbia University, 2Google Inc.

Warning: many details skipped, some cheating!

Set Intersection Functionality

Server: Y

|Y| = m

Trusted Party

Client: X

|X| = n

?

Widely used in area of Privacy Preserving Data Mining

Enables institutions to share personal information such as medical or financial records.

Wasn’t this already done?

- FNP04 – semi-honest case, malicious in the random oracle model
- KS05 – semi-honest + ZKN proofs
- HL08 – one side simulatability and covert adversaries
- JL09 – malicious case, polynomial size domains, Decisional q-Diffie-Hellman Inversion Assumption

Our Results

- First Set Intersection protocol secure against malicious parties in the standard simulation model
- Black-box construction assuming (singly) homomorphic encryption with a natural property (satisfied by known constructions)
- Additive El-Gamal (DDH) ; Paillier (DCR)
Extensions:

- multi-party set intersection
- general multivariate polynomials

Homomorphic Encryption

- Additive homomorphic property
- Enc(x,r1)*Enc(y,r2)=Enc(x+y,r3)

- Additional property:
- Can compute r3 from r1 and r2
- Known schemes have this property

- ElGamal – additive homomorphism variant
- Inefficient decryption, equality comparison possible

- Paillier

Our Results

- Communication complexity: O(mk2log2(n)+nk)
- SMC circuit evaluation – size of cicuit + ZK proofs (at least nm, even before ZK)
- Realistic scenarios – m,n >> k

Overview of Technique(with missing steps)

Start from semi-honest [FNP] using a polynomial

Add redundancy using [Shamir] polynomial secret sharing (motivated by [CDMW08] techniques)

Rely on commutative nature of polynomials to translate input shares to output shares for reconstruction (Lagrange interpolation)

Cut and choose to enforce honest behavior

Input preprocessing for degree reduction

Semi-Honest Protocol [FNP04]

- Client represents its input set X, |X| = n with a polynomial Q(x) of deg n, s.t. Q(xi) = 0 iff xi in X
- Client sends to Server encrypted coefficients of Q under homomorphic encryption Enc
- Server evaluates Enc of Q’(yi) := Q(yi)*ri + yi (deg n) for every yi in his input set Y and sends to Client ci=Enc(Q’(yi)).
- Client decrypts each ci and outputs Dec(ci) if and only if it is in X (=iff it is in the intersection)

Malicious Server

- Can use inconsistent values for its inputs

Q’(yi)

Q(yi)*ri + yi

=

=

an*yin

an-1*yin-1

a1*yi1

a0

yi

+

+ … +

+

+

yi

yi”

yi’

yi

Overview of Technique(with missing steps)

Start from semi-honest [FNP] using a polynomial

Add redundancy using [Shamir] polynomial secret sharing (motivated by [CDDIM] techniques)

Rely on commutative nature of polynomials to translate input shares to output shares for reconstruction (Lagrange interpolation)

Cut and choose to enforce honest behavior

Input preprocessing for degree reduction

Server’s Computation

Step 1: Input Sharing

Server shares and commits to preprocessed inputs using Shamir secret sharing (=Reed-Solomon) Code

For each preprocessed input:

Send commitments to client:

yi

Pi where Pi(0) = yi, deg(Pi) = k

. . .

Com(Pi(1))

Com(Pi(2))

Com(Pi(3))

Com(Pi(4))

Com(Pi(10kD))

D = degree of output sharing polynomial: TBD

Server’s Computation

Step 2: Polynomial Evaluation on Shares

For each yi: Server evaluates (encrypted) Q’ on the corresponding shares, to get (encrypted versions of) output shares:

. . .

Q’(Pi(1))

Q’(Pi(2))

Q’(Pi(3))

Q’(Pi(4))

Q’(Pi(10kD))

Client can decrypt, interpolate Q’Pi, and evaluate on 0 to get Q’(Pi(0))=Q’(yi) as wanted.

Server’s Computation

Step 3: Cut and Choose

Open k of the committed shares to show that Q’ was computed correctly for those shares:

. . .

Q’(Pi(1))

Q’(Pi(2))

Q’(Pi(3))

Q’(Pi(4))

Q’(Pi(10kD))

Output Polynomial Degree

- Determines the number of output shares
- Total degree D = nk + k
- Total number of shares 10kD

Q’(yi)

Q(yi)*ri + yi

Q(Pi(j))*Rri(j) + Pi(j)

=

=

deg n

deg k

Overview of Technique(with missing steps)

Start from semi-honest [FNP] using a polynomial

Add redundancy using [Shamir] polynomial secret sharing (motivated by [CDMW] techniques)

Rely on commutative nature of polynomials to translate input shares to output shares for reconstruction (Lagrange interpolation)

Cut and choose to enforce honest behavior

Input preprocessing for degree reduction

Efficient Input Preprocessing

- Polynomial Degree Reduction
- Change of variables
- Polynomial Q(y) of degree n

y0 = y

y1 = y2

y2 = y4

……….

ylog n = y2

y

log n

Q(y)

Q(y0,y1,y2 …, ylog n )

deg n

deg log n

Homomorphic Encryption Zero Knowledge Proofs of Knowledge for client’s and server’s polynomials

Coin tossing for cut and choose

Etc.

Improved Communication Complexity: O(mk2log2(n)+nk)

Important in realistic scenarios with large input sets m,n >> k

Other Components (skipped)Basic setting: public for client’s and server’s polynomials multivariate polynomial (poly size representation) over private inputs.

Alternatively: coefficients are also private.

Optmizations for specific polynomials, including multi-party set intersection

Our results:

Secure protocol (no honest majority, with broadcast) from homomorphic encryption with threshold decryption (Paillier)

Round table protocol with constant rounds

Same approach as above, but several technical issues to overcome (interpolating over encrypted values, handling errors, proofs of knowledge…)

Multi-Party Multivariate PolynomialsThank you! for client’s and server’s polynomials

Preprocessing Verification for client’s and server’s polynomials

- Correct computation of new variables
- Correct degree of input sharing polynomials
- HEPKPV Protocol

output

Party 2:

Accept/Reject

proof

input

(x1,…,xn) in L

ci = ENC(xi)

Party 1: x1,…,xn

Common: c1,…,cn, L

r1,…,rn in L

0

enc(r1)

enc(r2)

enc(rn)

open

1

…

x1+r1,…,xn+rn in L

c1 * enc(r1)

c2 * enc(r2)

cn * enc(rn)

Client Simulator for client’s and server’s polynomials

- Extract Client’s input in HEPKPV
- Submit to TP and receives output
- Shares output and commits as output shares
- Simulates Server in interaction with Client committing to random input
- Makes sure can open correctly and verify computation of k output shares
- Rewinds coin-tossing for cut-and-choose to select the above k shares

Server Simulator for client’s and server’s polynomials

- Simulates the Client in the interaction with the Server using random encryption of 0
- Extracts Server’s inputs in HEPKPV
- Rewinds coin tossing to open all Server’s shares
- Makes sure that most output shares are consistent with extracted input
- If the above holds, submit extracted input to TP

Communication Complexity for client’s and server’s polynomials

- Improved Communication Complexity
- O(mk2log2(n)+nk)
- circuit evaluation – size of circuit
- mn ZKN proofs
- Important in realistic scenarios with large input sets m,n >> k

Download Presentation

Connecting to Server..