1 / 28

Multi-Party Computation for Polynomials and Branching Programs without Simultaneous Interaction

Multi-Party Computation for Polynomials and Branching Programs without Simultaneous Interaction. Dov Gordon (Columbia University) Tal Malkin (Columbia University) Mike Rosulek (University of Montana) Hoeteck Wee (George Washington University).

ellery
Télécharger la présentation

Multi-Party Computation for Polynomials and Branching Programs without Simultaneous Interaction

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Multi-Party Computation for Polynomials and Branching Programs without Simultaneous Interaction Dov Gordon (Columbia University) Tal Malkin (Columbia University) Mike Rosulek (University of Montana) Hoeteck Wee (George Washington University)

  2. Computing without Simultaneous Interaction [Halevi, Lindell, Pinkas 11] Reminder from Benny’s talk :

  3. A Question • Can elections, auctions, statistical analysis of distributed parties’ data really be carried out using secure computation? • Does our model of secure computation really model the needs of these applications? • And we’re not talking about efficiency concerns…

  4. An Important Question • Can secure computation be made non-simultaneous? • A natural theoretical question • Deepens our understanding of the required communication model for secure computation • Important ramifications to practice • Especially if this can be done efficiently • Note: fully homomorphic encryption does not solve the problem

  5. Our Model • Parties • One server • parties • Communication model • Each party interacts with the server exactly once • In all protocols, interaction is a single round between server and party, but this is not essential • Order may be important… (in some protocols) • At the end, the server obtains the output

  6. Security in this Model (Reminders) • An inherent limitation of the model: a semi-honest adversary controlling parties should be able to compute the residual function on any input of its choice • Security (=optimal privacy): no other information is leaked. (in particular, honest server = full security) • This talk: honest-but-curious setting. Paper: malicious, too. • Claim [HLP]: If there is a secure protocol computing in the one-pass model, then has a minimum disclosure decomposition.

  7. Minimum Disclosure Decomposition • A decomposition of an n-ary function f is a tuple of functions such that for all inputs , defining we have • A minimum disclosure decomposition of f is a decomposition such that there exists an efficient simulator that for all inputs and for all , can output given oracle access to the residual function

  8. Minimum Disclosure Decomposition • Combinatorial property of the function • Necessary condition for a secure protocol in the one-pass model • Roughly: corresponds to the state of the server after interacting with • Not sufficient • e.g., if any honest party is yet to go intermediate values should be hidden, if server is honest we want standard full security, etc.

  9. Two Steps To show a protocol securely computing a function f in the one-pass (simultaneous interaction) model: • Prove that f has a minimum disclosure decomposition (and find it) • Show an efficient secure protocol for computing this minimum decomposition.

  10. Two Questions • Which functions have minimum disclosure decomposition? • Which functions , among those with minimum-disclosure decomposition, have practical secure protocols in the one-pass model? Some partial answers by [HLP11]: • sum, selection, binary symmetric functions like majority • Same functions as above. Also general protocol for any given decomposition. • General protocol not practical • Given a function, don’t know how to check if it has a minimum decomposition (and given a decomposition, don’t know how to check if it’s minimal).

  11. Our Results: Two Classes of Functions We prove there is a minimum disclosure decomposition, and show simple and efficient optimally private protocols for computing the following general classes of functions: • Read-once (layered) branching programs • Sparse polynomials over large domains These generalize and abstract the HLP functions as special cases, and also include many new functions. Other related work: [Ishai-Paskin 07, Harnik-Ishai-Kushilevitz 07]

  12. Read Once (Layered) Branching Programs BP: DAG in which internal nodes are labeled by input variables, terminal nodes labeled by output values. w.l.o.g: layered (outgoing edges only from layer to layer ). Read once: layer corresponds to input

  13. Computing on a BP • Standard: top-down [ie., left-right] • Alternative: bottom-up [IP07]

  14. Computing on a BP • Standard: top-down [ie., left-right] • Alternative: bottom-up [IP07] • Need to store more states (width of program, vs one) • But transition function simpler (copying, vs computation)

  15. Computing on a BP • Standard: top-down [ie., left-right] • Alternative: bottom-up [IP07] • Need to store more states (width of program, vs one) • But transition function simpler (copying, vs computation)

  16. Minimum Disclosure Decomposition for Read-once layered Branching Programs Using the bottom up approach (players order from right to left): • Starting with output layer, each successive function maps • the labels of previous layer, and • the value of the new to labels for current layer.

  17. Minimum Disclosure Decomposition for Read-once layered Branching Programs Theorem: This is a minimum disclosure decomposition Proof: Need to show an efficient simulator algorithm to compute the values in a layer, using oracle access to residual function Here:

  18. Minimum Disclosure Decomposition for Read-once layered Branching Programs Theorem: This is a minimum disclosure decomposition Proof: Need to show an efficient simulator algorithm to compute the values in a layer, using oracle access to residual function Here: • Assume each node is reachable from start state (can preprocess to achieve this) • For each node, use BFS to find a path from start state. • Call residual function on inputs induced by the path (edge labels) •  Efficient simulation

  19. Branching Programs: From Minimal Disclosure Decomposition to Secure Protocol Use threshold PKE (inspired by HLP). Allow “aggregate”, “eval”, and “strip+rerandomize” First player, , takes appropriate encryption to be copied, strips his , and rerandomizes, getting each value encrypted under aggregate() Server encrypts each value under aggregate() Second player, , takes appropriate encryption to be copied, strips his and rerandomizes, getting each value encrypted under aggregate() Third player, , takes appropriate encryption to be copied, strips his and rerandomizes, getting each value encrypted under aggregate() Fourth player, , takes appropriate encryption to be copied, strips his and rerandomizes, getting the value encrypted under Server decrypts using his secret key to get final output.

  20. Branching Programs: From Minimal Disclosure Decomposition to Secure Protocol Required properties of encryption scheme: • Threshold PKE allowing “aggregate”, “eval”, and “strip+rerandomize”

  21. Branching Programs: From Minimal Disclosure Decomposition to Secure Protocol Required properties of encryption scheme: • Threshold PKE allowing “aggregate”,“eval”, and “strip+rerandomize” • Required homomorphic property of “eval” for transition: in this case only need to copy We show concrete implementations based on • DDH (based on El Gamal) -- similar to [HLP] • DLIN (based on Boneh-Boyen-Shacham)

  22. Branching Programs: From Minimal Disclosure Decomposition to Secure Protocol Theorem: Under the DDH or DLIN assumptions, there is an efficient optimally private one-pass protocol computing any read-once layered branching program, where each party performs exponentiations.

  23. Can we use top-down evaluation ? Using top down approach (players order from left to right). • Starting with initial node, each successive function maps the active node in the previous layer and the current to the unique active node in the next layer. Theorem: this is a minimum disclosure decomposition. Proof: Need to show an efficient simulator algorithm to compute the active node in a layer, using oracle access to the residual function, e.g. • For each two nodes in a layer, find a distinguishing path, leading to different outputs (terminal nodes) • Call residual function on these paths to determine the next state •  Can be done efficiently via Myhill-Nerode.

  24. Can we use top-down evaluation ? Theorem: this is a minimum disclosure decomposition. This can be used to get an optimally private protocol if we have a threshold PKE allowing homomorphic evaluation of the BP forward computation function (in addition to aggregate and strip+rerandomized). • For addition example, can do it with additive homomorphic encryption supporting aggregate and strip+rerandomize • We give DCR based instantiation (HLP do too). Don’t know DDH/DLIN. • More generally, not clear • E.g., for second-price auction, need homomorphic computation of comparison function (don’t know)

  25. Other Function Classes Our general framework: • Find a decomposition of into ( and prove this is a minimum disclosure decomposition. • Use a threshold encryption supporting homomorphic evaluation of each as well as aggregate and strip+rerandomize • Combine the two (for malicious, add NIZK) Works as long as appropriate primitives can be found…

  26. Sparse Multivariate Polynomials Let be a known multivariate polynomial of total degree and with monomials over (where is square free and for any prime dividing ) Theorem: The following is a minimum decomposition of : • the coefficients of the (at most ) monomials in • he coefficients of the monomials in Proof idea: show that polynomial coefficients are efficiently learnable from oracle access to the polynomial.

  27. Sparse Multivariate Polynomials • Note: for a known , mapping the coefficients in to the coefficients in is an affine function • We use DCR (based on ElGamal version of Paillier ) to show a threshold PKE that supports eval of affine functions, as well as aggregate and strip+rerandomize • Theorem: Under the DCR assumption, there is an efficient optimally private one-pass protocol for computing any multi-variate polynomial over , where is an RSA modulus, running in time polynomial in and , where each party performs exponentiations.

  28. Conclusion • We prove there is a minimum disclosure decomposition, and show simple and efficient optimally private protocols for computing two general classes of functions: • Read-once layered branching programs • Sparse polynomials over large domains • New: implementing branching-program for second-price auction, with arbitrary player order (with Dov Gordon, Christian Moscardi and Zack Newman) • Future directions: more practical instantiations, new functions, characterizing which functions have minimum disclosure decomposition (upper and lower bounds), which functions have secure protocols (find appropriate homomorphic encryption)

More Related