Multi-Party Computation for Polynomials and Branching Programs

without Simultaneous Interaction

Dov Gordon (Columbia University)Tal Malkin (Columbia University)

Mike Rosulek (University of Montana)Hoeteck Wee (George Washington University)

Reminder from Benny’s talk :

Computing without Simultaneous Interaction [Halevi, Lindell, Pinkas 11]

Can elections, auctions, statistical analysis of distributed parties’ data really be carried out using secure computation?

Does our model of secure computation really model the needs of these applications?◦And we’re not talking about efficiency concerns…

A Question

Can secure computation be made non-simultaneous?◦A natural theoretical question

Deepens our understanding of the required communication model for secure computation

◦ Important ramifications to practice Especially if this can be done efficiently

Note: fully homomorphic encryption does not solve the problem

An Important Question

Parties◦One server ◦ parties

Communication model◦Each party interacts with the server exactly once In all protocols, interaction is a single round

between server and party, but this is not essential Order may be important… (in some protocols)

◦At the end, the server obtains the output

Our Model

An inherent limitation of the model: a semi-honest adversary controlling parties should be able to compute the residual function on any input of its choice

Security (=optimal privacy): no other information is leaked. (in particular, honest server = full security)◦ This talk: honest-but-curious setting. Paper: malicious, too.

Claim [HLP]: If there is a secure protocol computing in the one-pass model, then has a minimum disclosure decomposition.

Security in this Model (Reminders)

A decomposition of an n-ary function f is a tuple of functions such that for all inputs , defining we have

A minimum disclosure decomposition of f is a decomposition such that there exists an efficient simulator that for all inputs and for all , can output given oracle access to the residual function

Minimum Disclosure Decomposition

Combinatorial property of the function

Necessary condition for a secure protocol in the one-pass model ◦ Roughly: corresponds to the state of the server after

interacting with

Not sufficient◦ e.g., if any honest party is yet to go intermediate values should

be hidden, if server is honest we want standard full security, etc.

Minimum Disclosure Decomposition

To show a protocol securely computing a function f in the one-pass (simultaneous interaction) model:

1) Prove that f has a minimum disclosure decomposition (and find it)

2) Show an efficient secure protocol for computing this minimum decomposition.

Two Steps

1) Which functions have minimum disclosure decomposition?

2) Which functions , among those with minimum-disclosure decomposition, have practical secure protocols in the one-pass model?

Some partial answers by [HLP11]: 3) sum, selection, binary symmetric functions like majority 4) Same functions as above. Also general protocol for any given

decomposition.◦ General protocol not practical ◦ Given a function, don’t know how to check if it has a minimum

decomposition (and given a decomposition, don’t know how to check if it’s minimal).

Two Questions

We prove there is a minimum disclosure decomposition, and show simple and efficient optimally private protocols for computing the following general classes of functions:

1) Read-once (layered) branching programs

2) Sparse polynomials over large domains

These generalize and abstract the HLP functions as special cases, and also include many new functions.

Other related work: [Ishai-Paskin 07, Harnik-Ishai-Kushilevitz 07]

Our Results: Two Classes of Functions

BP: DAG in which internal nodes are labeled by input variables, terminal nodes labeled by output values.

w.l.o.g: layered (outgoing edges only from layer to layer ). Read once: layer corresponds to input

Read Once (Layered) Branching Programs

Standard: top-down [ie., left-right] Alternative: bottom-up [IP07]

Computing on a BP

(𝑥1 , 𝑥2, 𝑥3 , 𝑥4 )=(1 ,0 ,0 ,1 )

Standard: top-down [ie., left-right] Alternative: bottom-up [IP07] ◦ Need to store more states (width of program, vs one) ◦ But transition function simpler (copying, vs computation)

Computing on a BP

(𝑥1 , 𝑥2, 𝑥3 , 𝑥4 )=(1 ,0 ,0 ,1 )

Standard: top-down [ie., left-right] Alternative: bottom-up [IP07] ◦ Need to store more states (width of program, vs one) ◦ But transition function simpler (copying, vs computation)

Computing on a BP

(𝑥1 , 𝑥2, 𝑥3 , 𝑥4 )=(1 ,0 ,0 ,1 )

Using the bottom up approach (players order from right to left): Starting with output layer, each successive function maps◦ the labels of previous layer, and ◦ the value of the new

to labels for current layer.

Minimum Disclosure Decomposition for Read-once layered Branching Programs

Theorem: This is a minimum disclosure decomposition

Proof: Need to show an efficient simulator algorithm to compute the values in a layer, using oracle access to residual function Here:

Minimum Disclosure Decomposition for Read-once layered Branching Programs

Theorem: This is a minimum disclosure decomposition

Proof: Need to show an efficient simulator algorithm to compute the values in a layer, using oracle access to residual function Here:

Minimum Disclosure Decomposition for Read-once layered Branching Programs

• Assume each node is reachable from start state (can preprocess to achieve this)

• For each node, use BFS to find a path from start state.

• Call residual function on inputs induced by the path (edge labels)

Efficient simulation

Branching Programs: From Minimal Disclosure Decomposition to Secure ProtocolUse threshold PKE (inspired by HLP). Allow “aggregate”, “eval”, and “strip+rerandomize”

Server encrypts each value under aggregate()

First player, , takes appropriate encryption to be copied, strips his , and rerandomizes, getting each value encrypted under aggregate()

Second player, , takes appropriate encryption to be copied, strips his and rerandomizes, getting each value encrypted under aggregate()

Third player, , takes appropriate encryption to be copied, strips his and rerandomizes, getting each value encrypted under aggregate()

Fourth player, , takes appropriate encryption to be copied, strips his and rerandomizes, getting the value encrypted under

Server decrypts using his secret key to get final output.

Required properties of encryption scheme: Threshold PKE allowing “aggregate”, “eval”, and

“strip+rerandomize”

Branching Programs: From Minimal Disclosure Decomposition to Secure Protocol

Required properties of encryption scheme: Threshold PKE allowing “aggregate”, “eval”, and

“strip+rerandomize” Required homomorphic property of “eval” for

transition: in this case only need to copy

We show concrete implementations based on DDH (based on El Gamal) -- similar to [HLP] DLIN (based on Boneh-Boyen-Shacham)

Branching Programs: From Minimal Disclosure Decomposition to Secure Protocol

Branching Programs: From Minimal Disclosure Decomposition to Secure Protocol

Theorem: Under the DDH or DLIN assumptions, there is an efficient optimally private one-pass protocol computing any read-once layered branching program, where each party performs exponentiations.

Using top down approach (players order from left to right). Starting with initial node, each successive function maps the active node in the

previous layer and the current to the unique active node in the next layer. Theorem: this is a minimum disclosure decomposition.

Can we use top-down evaluation ?

Proof: Need to show an efficient simulator algorithm to compute the active node in a layer, using oracle access to the residual function, e.g.

• For each two nodes in a layer, find a distinguishing path, leading to different outputs (terminal nodes)

• Call residual function on these paths to determine the next state

Can be done efficiently via Myhill-Nerode.

Theorem: this is a minimum disclosure decomposition.

This can be used to get an optimally private protocol if we have a threshold PKE allowing homomorphic evaluation of the BP forward computation function (in addition to aggregate and strip+rerandomized).

Can we use top-down evaluation ?

• For addition example, can do it with additive homomorphic encryption supporting aggregate and strip+rerandomize• We give DCR based instantiation

(HLP do too). Don’t know DDH/DLIN.• More generally, not clear

• E.g., for second-price auction, need homomorphic computation of comparison function (don’t know)

Our general framework:

Find a decomposition of into ( and prove this is a minimum disclosure decomposition.

Use a threshold encryption supporting homomorphic evaluation of each as well as aggregate and strip+rerandomize

Combine the two (for malicious, add NIZK)

Works as long as appropriate primitives can be found…

Other Function Classes

Let be a known multivariate polynomial of total degree and with monomials over (where is square free and for any prime dividing )

Theorem: The following is a minimum decomposition of : the coefficients of the (at most ) monomials in he coefficients of the monomials in

Proof idea: show that polynomial coefficients are efficiently learnable from oracle access to the polynomial.

Sparse Multivariate Polynomials

Note: for a known , mapping the coefficients in to the coefficients in is an affine function

We use DCR (based on ElGamal version of Paillier ) to show a threshold PKE that supports eval of affine functions, as well as aggregate and strip+rerandomize

Theorem: Under the DCR assumption, there is an efficient optimally private one-pass protocol for computing any multi-variate polynomial over , where is an RSA modulus, running in time polynomial in and , where each party performs exponentiations.

Sparse Multivariate Polynomials

We prove there is a minimum disclosure decomposition, and show simple and efficient optimally private protocols for computing two general classes of functions:

1) Read-once layered branching programs 2) Sparse polynomials over large domains

New: implementing branching-program for second-price auction, with arbitrary player order (with Dov Gordon, Christian Moscardi and Zack Newman)

Future directions: more practical instantiations, new functions,

characterizing which functions have minimum disclosure decomposition (upper and lower bounds), which functions have secure protocols (find appropriate homomorphic encryption)

Conclusion