4.4 Adding and Subtracting Polynomials; Graphing Simple Polynomials.
Multi-Party Computation for Polynomials and Branching Programs without Simultaneous Interaction
description
Transcript of Multi-Party Computation for Polynomials and Branching Programs without Simultaneous Interaction
![Page 1: Multi-Party Computation for Polynomials and Branching Programs without Simultaneous Interaction](https://reader034.fdocuments.in/reader034/viewer/2022051821/5681668f550346895dda6462/html5/thumbnails/1.jpg)
Multi-Party Computation for Polynomials and Branching Programs
without Simultaneous Interaction
Dov Gordon (Columbia University)Tal Malkin (Columbia University)
Mike Rosulek (University of Montana)Hoeteck Wee (George Washington University)
![Page 2: Multi-Party Computation for Polynomials and Branching Programs without Simultaneous Interaction](https://reader034.fdocuments.in/reader034/viewer/2022051821/5681668f550346895dda6462/html5/thumbnails/2.jpg)
Reminder from Benny’s talk :
Computing without Simultaneous Interaction [Halevi, Lindell, Pinkas 11]
![Page 3: Multi-Party Computation for Polynomials and Branching Programs without Simultaneous Interaction](https://reader034.fdocuments.in/reader034/viewer/2022051821/5681668f550346895dda6462/html5/thumbnails/3.jpg)
Can elections, auctions, statistical analysis of distributed parties’ data really be carried out using secure computation?
Does our model of secure computation really model the needs of these applications?◦And we’re not talking about efficiency concerns…
A Question
![Page 4: Multi-Party Computation for Polynomials and Branching Programs without Simultaneous Interaction](https://reader034.fdocuments.in/reader034/viewer/2022051821/5681668f550346895dda6462/html5/thumbnails/4.jpg)
Can secure computation be made non-simultaneous?◦A natural theoretical question
Deepens our understanding of the required communication model for secure computation
◦ Important ramifications to practice Especially if this can be done efficiently
Note: fully homomorphic encryption does not solve the problem
An Important Question
![Page 5: Multi-Party Computation for Polynomials and Branching Programs without Simultaneous Interaction](https://reader034.fdocuments.in/reader034/viewer/2022051821/5681668f550346895dda6462/html5/thumbnails/5.jpg)
Parties◦One server ◦ parties
Communication model◦Each party interacts with the server exactly once In all protocols, interaction is a single round
between server and party, but this is not essential Order may be important… (in some protocols)
◦At the end, the server obtains the output
Our Model
![Page 6: Multi-Party Computation for Polynomials and Branching Programs without Simultaneous Interaction](https://reader034.fdocuments.in/reader034/viewer/2022051821/5681668f550346895dda6462/html5/thumbnails/6.jpg)
An inherent limitation of the model: a semi-honest adversary controlling parties should be able to compute the residual function on any input of its choice
Security (=optimal privacy): no other information is leaked. (in particular, honest server = full security)◦ This talk: honest-but-curious setting. Paper: malicious, too.
Claim [HLP]: If there is a secure protocol computing in the one-pass model, then has a minimum disclosure decomposition.
Security in this Model (Reminders)
![Page 7: Multi-Party Computation for Polynomials and Branching Programs without Simultaneous Interaction](https://reader034.fdocuments.in/reader034/viewer/2022051821/5681668f550346895dda6462/html5/thumbnails/7.jpg)
A decomposition of an n-ary function f is a tuple of functions such that for all inputs , defining we have
A minimum disclosure decomposition of f is a decomposition such that there exists an efficient simulator that for all inputs and for all , can output given oracle access to the residual function
Minimum Disclosure Decomposition
![Page 8: Multi-Party Computation for Polynomials and Branching Programs without Simultaneous Interaction](https://reader034.fdocuments.in/reader034/viewer/2022051821/5681668f550346895dda6462/html5/thumbnails/8.jpg)
Combinatorial property of the function
Necessary condition for a secure protocol in the one-pass model ◦ Roughly: corresponds to the state of the server after
interacting with
Not sufficient◦ e.g., if any honest party is yet to go intermediate values should
be hidden, if server is honest we want standard full security, etc.
Minimum Disclosure Decomposition
![Page 9: Multi-Party Computation for Polynomials and Branching Programs without Simultaneous Interaction](https://reader034.fdocuments.in/reader034/viewer/2022051821/5681668f550346895dda6462/html5/thumbnails/9.jpg)
To show a protocol securely computing a function f in the one-pass (simultaneous interaction) model:
1) Prove that f has a minimum disclosure decomposition (and find it)
2) Show an efficient secure protocol for computing this minimum decomposition.
Two Steps
![Page 10: Multi-Party Computation for Polynomials and Branching Programs without Simultaneous Interaction](https://reader034.fdocuments.in/reader034/viewer/2022051821/5681668f550346895dda6462/html5/thumbnails/10.jpg)
1) Which functions have minimum disclosure decomposition?
2) Which functions , among those with minimum-disclosure decomposition, have practical secure protocols in the one-pass model?
Some partial answers by [HLP11]: 3) sum, selection, binary symmetric functions like majority 4) Same functions as above. Also general protocol for any given
decomposition.◦ General protocol not practical ◦ Given a function, don’t know how to check if it has a minimum
decomposition (and given a decomposition, don’t know how to check if it’s minimal).
Two Questions
![Page 11: Multi-Party Computation for Polynomials and Branching Programs without Simultaneous Interaction](https://reader034.fdocuments.in/reader034/viewer/2022051821/5681668f550346895dda6462/html5/thumbnails/11.jpg)
We prove there is a minimum disclosure decomposition, and show simple and efficient optimally private protocols for computing the following general classes of functions:
1) Read-once (layered) branching programs
2) Sparse polynomials over large domains
These generalize and abstract the HLP functions as special cases, and also include many new functions.
Other related work: [Ishai-Paskin 07, Harnik-Ishai-Kushilevitz 07]
Our Results: Two Classes of Functions
![Page 12: Multi-Party Computation for Polynomials and Branching Programs without Simultaneous Interaction](https://reader034.fdocuments.in/reader034/viewer/2022051821/5681668f550346895dda6462/html5/thumbnails/12.jpg)
BP: DAG in which internal nodes are labeled by input variables, terminal nodes labeled by output values.
w.l.o.g: layered (outgoing edges only from layer to layer ). Read once: layer corresponds to input
Read Once (Layered) Branching Programs
![Page 13: Multi-Party Computation for Polynomials and Branching Programs without Simultaneous Interaction](https://reader034.fdocuments.in/reader034/viewer/2022051821/5681668f550346895dda6462/html5/thumbnails/13.jpg)
Standard: top-down [ie., left-right] Alternative: bottom-up [IP07]
Computing on a BP
(𝑥1 , 𝑥2, 𝑥3 , 𝑥4 )=(1 ,0 ,0 ,1 )
![Page 14: Multi-Party Computation for Polynomials and Branching Programs without Simultaneous Interaction](https://reader034.fdocuments.in/reader034/viewer/2022051821/5681668f550346895dda6462/html5/thumbnails/14.jpg)
Standard: top-down [ie., left-right] Alternative: bottom-up [IP07] ◦ Need to store more states (width of program, vs one) ◦ But transition function simpler (copying, vs computation)
Computing on a BP
(𝑥1 , 𝑥2, 𝑥3 , 𝑥4 )=(1 ,0 ,0 ,1 )
![Page 15: Multi-Party Computation for Polynomials and Branching Programs without Simultaneous Interaction](https://reader034.fdocuments.in/reader034/viewer/2022051821/5681668f550346895dda6462/html5/thumbnails/15.jpg)
Standard: top-down [ie., left-right] Alternative: bottom-up [IP07] ◦ Need to store more states (width of program, vs one) ◦ But transition function simpler (copying, vs computation)
Computing on a BP
(𝑥1 , 𝑥2, 𝑥3 , 𝑥4 )=(1 ,0 ,0 ,1 )
![Page 16: Multi-Party Computation for Polynomials and Branching Programs without Simultaneous Interaction](https://reader034.fdocuments.in/reader034/viewer/2022051821/5681668f550346895dda6462/html5/thumbnails/16.jpg)
Using the bottom up approach (players order from right to left): Starting with output layer, each successive function maps◦ the labels of previous layer, and ◦ the value of the new
to labels for current layer.
Minimum Disclosure Decomposition for Read-once layered Branching Programs
![Page 17: Multi-Party Computation for Polynomials and Branching Programs without Simultaneous Interaction](https://reader034.fdocuments.in/reader034/viewer/2022051821/5681668f550346895dda6462/html5/thumbnails/17.jpg)
Theorem: This is a minimum disclosure decomposition
Proof: Need to show an efficient simulator algorithm to compute the values in a layer, using oracle access to residual function Here:
Minimum Disclosure Decomposition for Read-once layered Branching Programs
![Page 18: Multi-Party Computation for Polynomials and Branching Programs without Simultaneous Interaction](https://reader034.fdocuments.in/reader034/viewer/2022051821/5681668f550346895dda6462/html5/thumbnails/18.jpg)
Theorem: This is a minimum disclosure decomposition
Proof: Need to show an efficient simulator algorithm to compute the values in a layer, using oracle access to residual function Here:
Minimum Disclosure Decomposition for Read-once layered Branching Programs
• Assume each node is reachable from start state (can preprocess to achieve this)
• For each node, use BFS to find a path from start state.
• Call residual function on inputs induced by the path (edge labels)
Efficient simulation
![Page 19: Multi-Party Computation for Polynomials and Branching Programs without Simultaneous Interaction](https://reader034.fdocuments.in/reader034/viewer/2022051821/5681668f550346895dda6462/html5/thumbnails/19.jpg)
Branching Programs: From Minimal Disclosure Decomposition to Secure ProtocolUse threshold PKE (inspired by HLP). Allow “aggregate”, “eval”, and “strip+rerandomize”
Server encrypts each value under aggregate()
First player, , takes appropriate encryption to be copied, strips his , and rerandomizes, getting each value encrypted under aggregate()
Second player, , takes appropriate encryption to be copied, strips his and rerandomizes, getting each value encrypted under aggregate()
Third player, , takes appropriate encryption to be copied, strips his and rerandomizes, getting each value encrypted under aggregate()
Fourth player, , takes appropriate encryption to be copied, strips his and rerandomizes, getting the value encrypted under
Server decrypts using his secret key to get final output.
![Page 20: Multi-Party Computation for Polynomials and Branching Programs without Simultaneous Interaction](https://reader034.fdocuments.in/reader034/viewer/2022051821/5681668f550346895dda6462/html5/thumbnails/20.jpg)
Required properties of encryption scheme: Threshold PKE allowing “aggregate”, “eval”, and
“strip+rerandomize”
Branching Programs: From Minimal Disclosure Decomposition to Secure Protocol
![Page 21: Multi-Party Computation for Polynomials and Branching Programs without Simultaneous Interaction](https://reader034.fdocuments.in/reader034/viewer/2022051821/5681668f550346895dda6462/html5/thumbnails/21.jpg)
Required properties of encryption scheme: Threshold PKE allowing “aggregate”, “eval”, and
“strip+rerandomize” Required homomorphic property of “eval” for
transition: in this case only need to copy
We show concrete implementations based on DDH (based on El Gamal) -- similar to [HLP] DLIN (based on Boneh-Boyen-Shacham)
Branching Programs: From Minimal Disclosure Decomposition to Secure Protocol
![Page 22: Multi-Party Computation for Polynomials and Branching Programs without Simultaneous Interaction](https://reader034.fdocuments.in/reader034/viewer/2022051821/5681668f550346895dda6462/html5/thumbnails/22.jpg)
Branching Programs: From Minimal Disclosure Decomposition to Secure Protocol
Theorem: Under the DDH or DLIN assumptions, there is an efficient optimally private one-pass protocol computing any read-once layered branching program, where each party performs exponentiations.
![Page 23: Multi-Party Computation for Polynomials and Branching Programs without Simultaneous Interaction](https://reader034.fdocuments.in/reader034/viewer/2022051821/5681668f550346895dda6462/html5/thumbnails/23.jpg)
Using top down approach (players order from left to right). Starting with initial node, each successive function maps the active node in the
previous layer and the current to the unique active node in the next layer. Theorem: this is a minimum disclosure decomposition.
Can we use top-down evaluation ?
Proof: Need to show an efficient simulator algorithm to compute the active node in a layer, using oracle access to the residual function, e.g.
• For each two nodes in a layer, find a distinguishing path, leading to different outputs (terminal nodes)
• Call residual function on these paths to determine the next state
Can be done efficiently via Myhill-Nerode.
![Page 24: Multi-Party Computation for Polynomials and Branching Programs without Simultaneous Interaction](https://reader034.fdocuments.in/reader034/viewer/2022051821/5681668f550346895dda6462/html5/thumbnails/24.jpg)
Theorem: this is a minimum disclosure decomposition.
This can be used to get an optimally private protocol if we have a threshold PKE allowing homomorphic evaluation of the BP forward computation function (in addition to aggregate and strip+rerandomized).
Can we use top-down evaluation ?
• For addition example, can do it with additive homomorphic encryption supporting aggregate and strip+rerandomize• We give DCR based instantiation
(HLP do too). Don’t know DDH/DLIN.• More generally, not clear
• E.g., for second-price auction, need homomorphic computation of comparison function (don’t know)
![Page 25: Multi-Party Computation for Polynomials and Branching Programs without Simultaneous Interaction](https://reader034.fdocuments.in/reader034/viewer/2022051821/5681668f550346895dda6462/html5/thumbnails/25.jpg)
Our general framework:
Find a decomposition of into ( and prove this is a minimum disclosure decomposition.
Use a threshold encryption supporting homomorphic evaluation of each as well as aggregate and strip+rerandomize
Combine the two (for malicious, add NIZK)
Works as long as appropriate primitives can be found…
Other Function Classes
![Page 26: Multi-Party Computation for Polynomials and Branching Programs without Simultaneous Interaction](https://reader034.fdocuments.in/reader034/viewer/2022051821/5681668f550346895dda6462/html5/thumbnails/26.jpg)
Let be a known multivariate polynomial of total degree and with monomials over (where is square free and for any prime dividing )
Theorem: The following is a minimum decomposition of : the coefficients of the (at most ) monomials in he coefficients of the monomials in
Proof idea: show that polynomial coefficients are efficiently learnable from oracle access to the polynomial.
Sparse Multivariate Polynomials
![Page 27: Multi-Party Computation for Polynomials and Branching Programs without Simultaneous Interaction](https://reader034.fdocuments.in/reader034/viewer/2022051821/5681668f550346895dda6462/html5/thumbnails/27.jpg)
Note: for a known , mapping the coefficients in to the coefficients in is an affine function
We use DCR (based on ElGamal version of Paillier ) to show a threshold PKE that supports eval of affine functions, as well as aggregate and strip+rerandomize
Theorem: Under the DCR assumption, there is an efficient optimally private one-pass protocol for computing any multi-variate polynomial over , where is an RSA modulus, running in time polynomial in and , where each party performs exponentiations.
Sparse Multivariate Polynomials
![Page 28: Multi-Party Computation for Polynomials and Branching Programs without Simultaneous Interaction](https://reader034.fdocuments.in/reader034/viewer/2022051821/5681668f550346895dda6462/html5/thumbnails/28.jpg)
We prove there is a minimum disclosure decomposition, and show simple and efficient optimally private protocols for computing two general classes of functions:
1) Read-once layered branching programs 2) Sparse polynomials over large domains
New: implementing branching-program for second-price auction, with arbitrary player order (with Dov Gordon, Christian Moscardi and Zack Newman)
Future directions: more practical instantiations, new functions,
characterizing which functions have minimum disclosure decomposition (upper and lower bounds), which functions have secure protocols (find appropriate homomorphic encryption)
Conclusion