Efficient and robust private set intersection and multiparty multivariate polynomials

Dana Dachman-Soled (1), Tal Malkin (1), Mariana Raykova (1), Moti Yung (1,2)

(1) Columbia University, (2) Google Inc.

Efficient and Robust Private Set Intersection

Warning: many details skipped, some cheating!


Set Intersection Functionality

Server: Y, |Y| = m

Trusted Party

Client: X, |X| = n


Widely used in the area of privacy-preserving data mining

Enables institutions to share personal information such as medical or financial records.


Wasn’t this already done?

  • FNP04 – semi-honest case, malicious in the random oracle model

  • KS05 – semi-honest + ZKN proofs

  • HL08 – one side simulatability and covert adversaries

  • JL09 – malicious case, polynomial size domains, Decisional q-Diffie-Hellman Inversion Assumption


Our Results

  • First Set Intersection protocol secure against malicious parties in the standard simulation model

  • Black-box construction assuming (singly) homomorphic encryption with a natural property (satisfied by known constructions)

  • Additive El-Gamal (DDH) ; Paillier (DCR)

    Extensions:

  • multi-party set intersection

  • general multivariate polynomials


Homomorphic Encryption

  • Additive homomorphic property

    • Enc(x,r1)*Enc(y,r2)=Enc(x+y,r3)

  • Additional property:

    • Can compute r3 from r1 and r2

    • Known schemes have this property

  • ElGamal – additive homomorphism variant

    • Inefficient decryption, equality comparison possible

  • Paillier


Our Results

  • Communication complexity: O(mk^2 log^2(n) + nk)

    • SMC circuit evaluation – size of circuit + ZK proofs (at least nm, even before ZK)

    • Realistic scenarios – m,n >> k


Overview of Technique (with missing steps)

Start from semi-honest [FNP] using a polynomial

Add redundancy using [Shamir] polynomial secret sharing (motivated by [CDMW08] techniques)

Rely on commutative nature of polynomials to translate input shares to output shares for reconstruction (Lagrange interpolation)

Cut and choose to enforce honest behavior

Input preprocessing for degree reduction


Semi-Honest Protocol [FNP04]

  • Client represents its input set X, |X| = n with a polynomial Q(x) of deg n, s.t. Q(xi) = 0 iff xi in X

  • Client sends to Server encrypted coefficients of Q under homomorphic encryption Enc

  • Server evaluates Enc of Q’(yi) := Q(yi)*ri + yi (deg n) for every yi in his input set Y and sends to Client ci=Enc(Q’(yi)).

  • Client decrypts each ci and outputs Dec(ci) if and only if it is in X (=iff it is in the intersection)
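The four steps above run end to end, as an added example that is not from the original slides. A toy Paillier instance (constructed parameters, far too small for real use) stands in for Enc, and all function names are hypothetical. It covers only the semi-honest protocol: nothing here forces the server to use one consistent yi.

```python
import random

# Toy Paillier with g = N + 1. Constructed parameters: two Mersenne primes,
# far too small for real use; they only make the example run quickly.
P1, P2 = 2**31 - 1, 2**61 - 1
N = P1 * P2
N2 = N * N
PHI = (P1 - 1) * (P2 - 1)
MU = pow(PHI, -1, N)

def enc(m, rng):
    r = rng.randrange(1, N)          # coprime to N except with negligible probability
    return (1 + (m % N) * N) * pow(r, N, N2) % N2

def dec(c):
    return (pow(c, PHI, N2) - 1) // N * MU % N

def client_encrypt_poly(X, rng):
    # Q(x) = prod (x - xi); coefficients low to high, each one encrypted
    coeffs = [1]
    for x in X:
        nxt = [0] * (len(coeffs) + 1)
        for j, a in enumerate(coeffs):
            nxt[j] = (nxt[j] - x * a) % N
            nxt[j + 1] = (nxt[j + 1] + a) % N
        coeffs = nxt
    return [enc(a, rng) for a in coeffs]

def server_evaluate(enc_coeffs, Y, rng):
    replies = []
    for y in Y:
        acc = enc_coeffs[-1]
        for c in reversed(enc_coeffs[:-1]):
            acc = pow(acc, y, N2) * c % N2      # Horner step: Enc(acc*y + a_j)
        r = rng.randrange(1, N)
        replies.append(pow(acc, r, N2) * enc(y, rng) % N2)   # Enc(Q(y)*r + y)
    return replies

def client_output(X, replies):
    # Keep a decrypted value only if it is one of the client's own elements
    return {m for m in map(dec, replies) if m in X}

def run_fnp(X, Y, seed=1):
    rng = random.Random(seed)
    return client_output(X, server_evaluate(client_encrypt_poly(X, rng), Y, rng))
```

For a yi outside X the client decrypts Q(yi)*ri + yi, a value masked by the random ri, so it learns nothing about that element.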


Malicious Server

  • Can use inconsistent values for its inputs

Q’(yi) = Q(yi)*ri + yi = (an*yi^n + a(n-1)*yi^(n-1) + … + a1*yi^1 + a0)*ri + yi

(Slide annotation: the occurrences of yi in the individual terms are marked yi, yi”, yi’ and yi.)


Overview of Technique (with missing steps)

Start from semi-honest [FNP] using a polynomial

→ Add redundancy using [Shamir] polynomial secret sharing (motivated by [CDDIM] techniques)

Rely on commutative nature of polynomials to translate input shares to output shares for reconstruction (Lagrange interpolation)

Cut and choose to enforce honest behavior

Input preprocessing for degree reduction


Server’s Computation

Step 1: Input Sharing

Server shares and commits to preprocessed inputs using Shamir secret sharing (= Reed-Solomon code)

For each preprocessed input yi: Pi where Pi(0) = yi, deg(Pi) = k

Send commitments to client: Com(Pi(1)), Com(Pi(2)), Com(Pi(3)), Com(Pi(4)), . . . , Com(Pi(10kD))

D = degree of output sharing polynomial: TBD


Server’s Computation

Step 2: Polynomial Evaluation on Shares

For each yi: Server evaluates (encrypted) Q’ on the corresponding shares, to get (encrypted versions of) output shares:

Q’(Pi(1)), Q’(Pi(2)), Q’(Pi(3)), Q’(Pi(4)), . . . , Q’(Pi(10kD))

Client can decrypt, interpolate Q’∘Pi, and evaluate at 0 to get Q’(Pi(0)) = Q’(yi) as wanted.


Server’s Computation

Step 3: Cut and Choose

Open k of the committed shares to show that Q’ was computed correctly for those shares:

Q’(Pi(1)), Q’(Pi(2)), Q’(Pi(3)), Q’(Pi(4)), . . . , Q’(Pi(10kD))


Output Polynomial Degree

  • Determines the number of output shares

  • Total degree D = nk + k

  • Total number of shares 10kD

Q’(yi) = Q(yi)*ri + yi

On share j: Q(Pi(j))*Rri(j) + Pi(j)

(Slide labels: Q has deg n, Pi has deg k.)
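Steps 1 and 2 and the degree count above, as an added example that is not from the slides. It works on plaintext field elements (no encryption or commitments) to isolate the sharing argument, assumes Rri is a degree-k polynomial with Rri(0) = ri, and uses a field modulus and function names chosen here. Any D+1 of the 10kD output shares interpolate to Q’(yi) at 0.

```python
import random

F = 2**61 - 1    # prime field modulus (assumption for this sketch)

def poly_eval(coeffs, t):
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * t + c) % F
    return acc

def share_poly(secret, k, rng):
    # Shamir: random polynomial of degree exactly k with P(0) = secret
    return [secret % F] + [rng.randrange(F) for _ in range(k - 1)] + [rng.randrange(1, F)]

def Q(X, v):
    acc = 1
    for x in X:
        acc = acc * (v - x) % F
    return acc

def output_shares(X, y, r, k, rng):
    D = len(X) * k + k                          # total degree nk + k
    P, R = share_poly(y, k, rng), share_poly(r, k, rng)
    shares = {}
    for j in range(1, 10 * k * D + 1):          # 10kD shares, as on the slide
        pj = poly_eval(P, j)
        shares[j] = (Q(X, pj) * poly_eval(R, j) + pj) % F
    return D, shares

def interpolate_at_zero(points):
    # Lagrange interpolation of the output polynomial, evaluated at t = 0
    total = 0
    for j, w in points.items():
        num = den = 1
        for m in points:
            if m != j:
                num = num * (-m) % F
                den = den * (j - m) % F
        total = (total + w * num * pow(den, -1, F)) % F
    return total

def reconstruct(X, y, r, k=2, seed=7):
    rng = random.Random(seed)
    D, shares = output_shares(X, y, r, k, rng)
    subset = rng.sample(sorted(shares), D + 1)  # any D+1 shares are enough
    return interpolate_at_zero({j: shares[j] for j in subset})
```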


Overview of Technique (with missing steps)

Start from semi-honest [FNP] using a polynomial

Add redundancy using [Shamir] polynomial secret sharing (motivated by [CDMW] techniques)

Rely on commutative nature of polynomials to translate input shares to output shares for reconstruction (Lagrange interpolation)

Cut and choose to enforce honest behavior

→ Input preprocessing for degree reduction


Efficient Input Preprocessing

  • Polynomial Degree Reduction

  • Change of variables

  • Polynomial Q(y) of degree n

y0 = y, y1 = y^2, y2 = y^4, …, y(log n) = y^(2^(log n))

Q(y) (deg n) → Q(y0, y1, y2, …, y(log n)) (deg log n)
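The change of variables above, as an added example that is not from the slides. It shares y directly and then shares each new variable yj = y^(2^j) separately, and compares the degree in the sharing variable of the two resulting output polynomials. The field modulus, function names and sample coefficients are assumptions.

```python
import random

F = 2**61 - 1                      # prime field (assumption for this sketch)

def pmul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, z in enumerate(b):
            out[i + j] = (out[i + j] + x * z) % F
    return out

def padd(a, b):
    if len(a) < len(b):
        a, b = b, a
    return [(x + (b[i] if i < len(b) else 0)) % F for i, x in enumerate(a)]

def degree(a):
    return max((i for i, c in enumerate(a) if c), default=-1)

def share(secret, k, rng):
    # degree-k sharing polynomial in t with constant term = secret
    return [secret % F] + [rng.randrange(1, F) for _ in range(k)]

def direct_sharing(coeffs, y, k, rng):
    # Q(P(t)) with a single sharing polynomial P for y: degree n*k
    P, power, total = share(y, k, rng), [1], [0]
    for a in coeffs:
        total = padd(total, pmul([a % F], power))
        power = pmul(power, P)
    return total

def preprocessed_sharing(coeffs, y, k, rng):
    # y_j = y^(2^j); monomial y^e becomes the product of y_j over the set bits of e
    n = len(coeffs) - 1
    polys = [share(pow(y, 2**j, F), k, rng) for j in range(n.bit_length())]
    total = [0]
    for e, a in enumerate(coeffs):
        term = [a % F]
        for j, Pj in enumerate(polys):
            if (e >> j) & 1:
                term = pmul(term, Pj)
        total = padd(total, term)
    return total

def compare(coeffs, y, k=2, seed=3):
    # returns (degree direct, degree preprocessed, Q(y) direct, Q(y) preprocessed)
    rng = random.Random(seed)
    d, m = direct_sharing(coeffs, y, k, rng), preprocessed_sharing(coeffs, y, k, rng)
    return degree(d), degree(m), d[0], m[0]
```

Both polynomials have Q(y) as their constant term, but the preprocessed one has degree at most k times the number of new variables, which is what reduces the number of output shares.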


Other Components (skipped)

Homomorphic Encryption Zero Knowledge Proofs of Knowledge for client’s and server’s polynomials

Coin tossing for cut and choose

Etc.

Improved Communication Complexity: O(mk^2 log^2(n) + nk)

Important in realistic scenarios with large input sets m,n >> k


Multi-Party Multivariate Polynomials

Basic setting: public multivariate polynomial (poly size representation) over private inputs.

Alternatively: coefficients are also private.

Optimizations for specific polynomials, including multi-party set intersection

Our results:

Secure protocol (no honest majority, with broadcast) from homomorphic encryption with threshold decryption (Paillier)

Round table protocol with constant rounds

Same approach as above, but several technical issues to overcome (interpolating over encrypted values, handling errors, proofs of knowledge…)


Thank you!


Preprocessing Verification

  • Correct computation of new variables

  • Correct degree of input sharing polynomials

  • HEPKPV Protocol

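HEPKPV protocol diagram (labels recovered from the slide):

Party 1 input: x1,…,xn

Common input: c1,…,cn, L, with ci = ENC(xi)

Statement: (x1,…,xn) in L

Party 2 output: Accept/Reject

Proof: r1,…,rn in L; enc(r1), enc(r2), …, enc(rn)

0: open enc(r1), enc(r2), …, enc(rn)

1: open c1 * enc(r1), c2 * enc(r2), …, cn * enc(rn); x1+r1,…,xn+rn in L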


Client Simulator

  • Extract Client’s input in HEPKPV

  • Submits to TP and receives output

  • Shares output and commits as output shares

  • Simulates Server in interaction with Client committing to random input

  • Makes sure it can open correctly and verify computation of k output shares

  • Rewinds coin-tossing for cut-and-choose to select the above k shares


Server Simulator

  • Simulates the Client in the interaction with the Server using random encryption of 0

  • Extracts Server’s inputs in HEPKPV

  • Rewinds coin tossing to open all Server’s shares

  • Makes sure that most output shares are consistent with extracted input

  • If the above holds, submits extracted input to TP


Communication Complexity

  • Improved Communication Complexity

    • O(mk^2 log^2(n) + nk)

    • circuit evaluation – size of circuit

    • mn ZKN proofs

    • Important in realistic scenarios with large input sets m,n >> k

