[go: up one dir, main page]
More Web Proxy on the site http://driver.im/ Skip to main content
Log in

Optimal-round preprocessing-MPC of polynomials over non-zero inputs via distributed random matrix

  • Original Paper
  • Published:
Wireless Networks Aims and scope Submit manuscript

Abstract

Secure multiparty computation (MPC) is an extensively studied research field in cryptography. It considers two main models—the plain model and the preprocessing model. The latter enables achieving objectives known to be unachievable for the plain model. One prominent example of such an objective is the perfectly secure evaluation of functions over private inputs, with the majority of the parties being dishonest. Recent results have shown that this objective can even be achieved in an optimal number of rounds of communication—two rounds. However, when the function to be evaluated is a polynomial with a possibly high degree over inputs taken from a large domain, existing solutions require an exponential amount of memory in the size of the domain. This paper presents preprocessing-MPC protocols for high-degree polynomials over non-zero inputs. These protocols are the first to have optimal round complexity, perfect security against coalitions of up to \(N-1\) out of N parties, and communication and space complexities that grow linearly with the number of monomials in the polynomial (independent of its degree). Furthermore, the results are extended to the client-server model. Namely, this paper presents a scheme that enables a user to outsource the storage of non-zero secrets to N distrusted servers and have the servers obliviously evaluate polynomials over the secrets in a single round of communication, perfectly secure against coalitions of up to \(N-1\) servers. These schemes are based on a novel secret sharing scheme, Distributed Random Matrix (DRM), first presented here. The DRM secret sharing scheme supports homomorphic multiplications and, after a single round of communication, supports homomorphic additions.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Subscribe and save

Springer+ Basic
£29.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Price includes VAT (United Kingdom)

Instant access to the full article PDF.

Similar content being viewed by others

Data availability

Data sharing not applicable to this article as no datasets were generated or analyzed during the current study.

Notes

  1. The term active security refers to security against malicious parties. These parties might deviate from the protocol in an attempt to sabotage the computation process. Handling malicious parties is out of the scope of this work.

  2. If every two-party functionality had a protocol with polynomial space complexity, this would imply an unexpected answer to a longstanding open question on the complexity of information-theoretic private information retrieval. See [10, 37].

  3. Note that [34] suggests a specific example for a specific technique to cope with possible zeros, which is a special case for our techniques.

References

  1. Applebaum, B., Brakerski, Z., & Tsabary R. (2018). Perfect secure computation in two rounds. In Theory of cryptography conference (pp. 152–174). Springer.

  2. Beaver, D., Micali, S., & Rogaway, P. (1990). The round complexity of secure protocols. In Proceedings of the twenty-second annual ACM symposium on theory of computing (pp. 503–513). ACM.

  3. Ben-Or, M., Goldwasser, S., & Wigderson, A. (1988). Completeness theorems for non-cryptographic fault-tolerant distributed computation. In Proceedings of the twentieth annual ACM symposium on theory of computing (pp. 1–10). ACM.

  4. Chaum, D., Crépeau, C., Damgard, I. (1988). Multiparty unconditionally secure protocols. In Proceedings of the twentieth annual ACM symposium on theory of computing (pp. 11–19). ACM.

  5. Damgård, I., & Nielsen, J. B. (2003). Universally composable efficient multiparty computation from threshold homomorphic encryption. In Annual international cryptology conference (pp. 247–264). Springer.

  6. Goldreich, O., Micali, S., & Wigderson, A. (1987). How to play any mental game. In Proceedings of the nineteenth annual ACM symposium on theory of computing (pp. 218–229). ACM.

  7. Rivest, R. (1999). Unconditionally secure commitment and oblivious transfer schemes using private channels and a trusted initializer.

  8. Yao, A. C.-C. (1982). Protocols for secure computations. FOCS, 82, 160–164.

    MathSciNet  Google Scholar 

  9. Beaver, D. (1997). Commodity-based cryptography. In Proceedings of the twenty-ninth annual ACM symposium on Theory of computing (pp. 446–455). ACM.

  10. Ishai, Y., Kushilevitz, E., Meldgaard, S., Orlandi, C., & Paskin-Cherniavsky, A. (2013). On the power of correlated randomness in secure computation. In Theory of cryptography conference (pp. 600–620). Springer.

  11. Kushilevitz, E., & Nisan, N. (2006). Communication complexity. Cambridge University Press.

    MATH  Google Scholar 

  12. Shamir, A. (1979). How to share a secret. Communications of the ACM, 22(11), 612–613.

    Article  MathSciNet  Google Scholar 

  13. Bar-Ilan, J., & Beaver, D. (1989). Non-cryptographic fault-tolerant computing in constant number of rounds of interaction. In Proceedings of the eighth annual ACM symposium on principles of distributed computing (pp. 201–209). ACM.

  14. Damgård, I., Larsen, K. G., & Nielsen, J. B. (2019). Communication lower bounds for statistically secure MPC, with or without preprocessing. IACR Cryptology, 2019, 220.

  15. Patra, A., & Ravi, D. (2018). On the exact round complexity of secure three-party computation. In Annual international cryptology conference (pp. 425–458). Springer.

  16. Ananth, P., Choudhuri, A. R., Goel, A., & Jain, A. (2018). Round-optimal secure multiparty computation with honest majority. In Annual international cryptology conference (pp. 395–424). Springer.

  17. Garg, S., Ishai, Y., & Srinivasan, A. (2018) Two-round MPC: information-theoretic and black-box. In Theory of cryptography conference (pp. 123–151). Springer.

  18. Couteau, G. (2019). A note on the communication complexity of multiparty computation in the correlated randomness model. In Advances in cryptology—EUROCRYPT 2019—38th annual international conference on the theory and applications of cryptographic techniques, Darmstadt, Germany, 2019, proceedings, part II (pp. 473–503).

  19. Damgård, I., Nielsen, J. B., Nielsen, M., & Ranellucci, S. (2017). The tinytable protocol for 2-party secure computation, or: Gate-scrambling revisited. In Advances in cryptology—CRYPTO 2017—37th annual international cryptology conference, Santa Barbara, CA, 2017, proceedings, part I (pp. 167–187).

  20. Ametepe, A. F.-X., Ahouandjinou, A. S. R. M., & Ezin, E. C. (2022). Robust encryption method based on AES-CBC using elliptic curves Diffie–Hellman to secure data in wireless sensor networks. Wireless Networks, 28(3), 991–1001.

    Article  Google Scholar 

  21. Akbari, M. R., Barati, H., & Barati, A. (2022). An overlapping routing approach for sending data from things to the cloud inspired by fog technology in the large-scale IoT ecosystem. Wireless Networks, 28(2), 521–538.

    Article  Google Scholar 

  22. Chen, X., Jiao, L., Li, W., & Xiaoming, F. (2016). Efficient multi-user computation offloading for mobile-edge cloud computing. IEEE/ACM Transactions on Networking, 24(5), 2795–2808.

    Article  Google Scholar 

  23. Derbeko, P., Dolev, S., & Gudes, E. (2021). Wavelet-based dynamic and privacy-preserving similitude data models for edge computing. Wireless Networks, 27(1), 351–366.

    Article  Google Scholar 

  24. Ganesan, S., & Muthuswamy, V. (2021). Ensuring reliability of high-priority data transport using expected congestion shortfall prediction in wireless sensor networks. Wireless Networks, 27(8), 5125–5143.

    Article  Google Scholar 

  25. Li, X., Shuo, X., Zhao, H., Han, S., & Yan, L. (2022). An adaptive multi-zone geographic routing protocol for underwater acoustic sensor networks. Wireless Networks, 28(1), 209–223.

    Article  Google Scholar 

  26. Liu, J., & Yang, W. (2022). Secure UAV communication against cooperative adaptive eavesdroppers. Wireless Networks, 28(3), 1113–1128.

    Article  Google Scholar 

  27. Rao, F.-Y., & Bertino, E. (2019). Privacy techniques for edge computing systems. Proceedings of the IEEE, 107(8), 1632–1654.

    Article  Google Scholar 

  28. Srinivas, M., & Amgoth, T. (2022). Data acquisition in large-scale wireless sensor networks using multiple mobile sinks: A hierarchical clustering approach. Wireless Networks, 28(2), 603–619.

  29. Saida, R., Hadj Kacem, Y., BenSaleh, M. S., & Abid, M. (2022). A model based process for reconfigurable wireless sensor network development. Wireless Networks, 28(2), 567–585.

    Article  Google Scholar 

  30. Santhosh Kumar, S. V. N., Palanichamy, Y., Selvi, M., Ganapathy, S., Kannan, A., & Pariserum Perumal, S. (2021). Energy efficient secured k means based unequal fuzzy clustering algorithm for efficient reprogramming in wireless sensor networks. Wireless Networks, 27(6), 3873–3894.

    Article  Google Scholar 

  31. Wang, K., XiaoYi, Y., Lin, W. L., Deng, Z. L., & Liu, X. (2021). Computing aware scheduling in mobile edge computing system. Wireless Networks, 27(6), 4229–4245.

    Article  Google Scholar 

  32. Wigderson, A. (2017). Technical perspective: Low-depth arithmetic circuits. Communications of the ACM, 60(6), 91–91.

    Article  Google Scholar 

  33. Damgård, I., & Zakarias, S. (2013). Constant-overhead secure computation of Boolean circuits using preprocessing. In Proceedings of theory of cryptography 2013—The 10th theory of cryptography conference TCC (pp. 621–641).

  34. Ghodosi, H., Pieprzyk, J., & Steinfeld, R. (2012). Multi-party computation with conversion of secret sharing. Designs, Codes and Cryptography, 62(3), 259–272.

    Article  MathSciNet  Google Scholar 

  35. Halevi, S., Ishai, Y., Kushilevitz, E., & Rabin, T. (2018). Best possible information-theoretic MPC. In Theory of cryptography conference (pp. 255–281). Springer.

  36. Valiant, L. G. (1979). Completeness classes in algebra. In Proceedings of the eleventh annual ACM symposium on theory of computing (pp. 249–261). ACM.

  37. Chor, B., Goldreich, O., Kushilevitz, E., & Sudan, M. (1995). Private information retrieval. In Proceedings of IEEE 36th annual foundations of computer science (pp. 41–50). IEEE.

Download references

Acknowledgements

We thank Dani Berend for being involved during the entire research providing original ideas throughout. We thank the participants of the Crypto seminar, held at Tel Aviv University at July 18th 2019—Iftach Haitner, Ran Canetti, and students and researchers from the computer science department—for useful comments.

Funding

Research partially supported by the Lynne and William Frankel Center for Computer Science, the Rita Altura Trust Chair in Computer Science and also supported by a grant from the Ministry of Science, Technology and Space, Infrastructure Research in the Field of Advanced Computing and Cyber Security, the Israel & the Japan Science and Technology Agency (JST), and the German Research Funding Organization (DFG, Grant#8767581199).

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Dor Bitan.

Ethics declarations

Conflict of interest

The authors declare that they have no conflict of interest.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Appendix

Appendix

1.1 A non-zero inputs and general functions

We now show some simple ways in which our schemes may be adjusted to support evaluation of arbitrary functions over possibly-zero inputs. We stress that the performances of the resulting schemes are often inferior to those of existing solutions. We present these ways mainly to show that, theoretically, our approach is capable of supporting general scenarios.Footnote 3

First, we note that any function \(f : \mathbb {F}_{p}^N \rightarrow \mathbb {F}_{p}\) can be represented as a multivariate polynomial. This representation may be obtained, for example, by solving a system of linear equations, or using other polynomial interpolation methods. Due to Fermat’s little theorem, that states that \(x^p \equiv x \pmod {p}\), f can be written as a polynomial of degree at most \(N(p-1)\) and with at most \(p^N\) monomials. Namely, one may write

$$\begin{aligned} f(x_1,\dots ,x_N)=\sum _{ l=(l_1,\dots ,l_N)\in \mathcal {L}} a_l \cdot x_1^{l_1} \dots x_N^{l_N}, \end{aligned}$$
(3)

where \(\mathcal {L}=\{0,\dots ,p-1\}^N\), for appropriate elements \(a_l\in \mathbb {F}_{p}\).

Next, if f is a Boolean function, our scheme may be used to support MPC of f by working in \(\mathbb {F}_{2}\). A True Boolean value is \(1\in \mathbb {F}_{2}\) and a False Boolean value is \(0\in \mathbb {F}_{2}\). Boolean operations may be identified with field operations in the following way. The \(\wedge\) operation is identified with \(\mathbb {F}_{2}\) multiplication, the \(\oplus\) operation with \(\mathbb {F}_{2}\) addition, and the \(\lnot\) operation with adding 1 in \(\mathbb {F}_{2}\). The \(\vee\) operation of two literals is identified with \(x+y+xy\), where x and y are the elements of \(\mathbb {F}_{2}\) corresponding to the literals. Then, given a Boolean formula \(\varphi\) over Boolean literals \(b_1,\dots ,b_M\in \{True,False\}\), one can take the \(\mathbb {F}_{2}\) correspondents \(s_1,\dots ,s_M\in \mathbb {F}_{2}\) of \(b_1,\dots ,b_M\), and evaluate the Boolean formula \(\varphi :\{True,False\}^M \rightarrow \{True,False\}\) using the polynomial \(\tilde{\varphi }: \mathbb {F}_{2}^M \rightarrow \mathbb {F}_{2}\), obtained by replacing Boolean operations and literals with their \(\mathbb {F}_{2}\) correspondents.

Now, the communication and space complexities of our schemes are analyzed with respect to the number k of monomials in the polynomial representation of the function. Most of the known MPC schemes assume that f is given as an arithmetic circuit, and their communication and space complexities are analyzed with respect to the size s and depth d of the circuit. In order to (asymptotically) compare the performances of our schemes to those of a different scheme that assumes f is given as a circuit with size s and depth d, one must write k in terms of s and d. For an arbitrary f, that task might be hard. In general, consider the following question.

What is the relation between the size and depth of a circuit which computes an arbitrary function f and the size of a polynomial which computes f?

This question is an open problem, rooted in the algebraic analog of the \(P{\mathop {=}\limits ^{?}}NP\) problem, suggested by Valiant in [36], and is out of the scope of this paper.

So far, we have shown how MPC of Boolean or arithmetic functions reduces to MPC of polynomials over finite fields. This reduction still does not make our schemes suitable for all Boolean and arithmetic functions, since our schemes assume that the inputs are non-zero elements of the field. Next, we suggest several ways of handling possibly-zero inputs.

First, we suggest the q-bounded approach. Let \(s=(s_1, \dots , s_N)\in \mathbb {F}_{p}^N\). One can compute f(s) by performing operations in \(\mathbb {F}_{p}\) according to the representation of f as a multivariate polynomial. The same result is obtained if one computes f(s) over the positive integers and then takes the result modulo p. Formally, for each entry \(s_j\) of s, let \(a_j\) denote the minimal positive integer such that \(a_j \equiv s_j \pmod {p}\). Then, performing the computation over the \(a_j\)’s using integer operations one obtains an integer result \(f(s)_\mathbb {N}\), such that \(f(s)_\mathbb {N}\equiv f(s) \pmod {p}\). If q is a prime number such that for every \(s\in \mathbb {F}_{p}^N\), computation of f(s) over the integers yields an integer result, \(f(s)_\mathbb {N}\), which is smaller than q, then f is q-bounded. Since there are at most \(p^N\) monomials in f, for every \(s\in \mathbb {F}_{p}^N\) it holds that \(f(s)_\mathbb {N}<p^N\cdot (p-1)\cdot (p^{p-1})^N=p^N\cdot (p-1) \cdot p^{Np-N}=(p-1)\cdot p^{Np}\). Hence, f is q bounded for a prime q larger than \((p-1)\cdot p^{Np}\). In practice, one may find a smaller prime \(q'\) for which f is \(q'\)-bounded.

Now, we can use this fact to evaluate \(\mathbb {F}_{p}\)-polynomials over possibly-zero inputs by working in \(\mathbb {F}_{q}\) for large enough q. To this end we present the DRM two-round OTS-qB scheme. OTS-qB supports evaluating polynomials over possibly-zero inputs by embedding \(\mathbb {F}_{p}\) in a larger field, \(\mathbb {F}_{q}\), and using OTS as a subroutine. The larger field \(\mathbb {F}_{q}\) is chosen to satisfy the condition that f is q-bounded. The embedding is performed as follows. For \(s_j\in \mathbb {F}_{p}\), let \(\sigma _j\) denote the minimal positive integer such that \(\sigma _j \equiv s_j \pmod {p}\). Let \(\tilde{s}_j \equiv \sigma _j \pmod {q}\) be the \(\mathbb {F}_{q}\) correspondent of \(s_j\) in the q world. Let \(\tilde{s}=(\tilde{s}_1,\dots ,\tilde{s}_N)\). Now, let \(\tilde{f}:\mathbb {F}_{q}^N\rightarrow \mathbb {F}_{q}\) denote the function corresponding to f in the q-world. That is, \(\tilde{f}\) is obtained from f by replacing the leading coefficients of the monomials with their q-world correspondents. OTS-qB may be invoked by the parties to find f(s).

figure i

Theorem A.1

OTS-qB is a two-round N-party P-MPC scheme for arithmetic functions which has perfect correctness, perfect passive security, threshold \(N-1\), communication complexity \(\mathcal {O}(kN^3n2^n)\), space complexity \(\mathcal {O}(kN^2n2^n)\), and f-independent CR.

Proof

Since all q-world inputs are non-zero elements of \(\mathbb {F}_{q}\), security of OTS-qB follows from that of OTS. Correctness follows from that of OTS and the fact that f is q-bounded. By construction, the round complexity is two. Now, in OTS-qB, all the messages and the CR are \(\mathbb {F}_{q}\) elements. At the worst case, \(q\approx p^{pN}\), and hence, the number of bits required for each element is \(\lceil \log q \rceil \approx \log \bigl (p^{pN}\bigr ) =pN \log p=2^{\log p}N\log p=nN2^n.\) Since the number of messages and amount of CR remains unchanged, the exact space and communication complexities of OTS-qB are obtained from those of OTS by replacing n with \(nN2^n\). \(\square\)

OTS-qB solves the general case by replacing \(\mathbb {F}_{p}\) elements with \(\mathbb {F}_{q}\) elements, hence the factor \(2^n\). OTS-IS and OTS-IS\(_2\), which we now present, avoid the \(2^n\) factor. Instead, these schemes replace f with a K-monomials version of it.

The DRM two-round OTS-IS scheme solves the general case by splitting each input to a sum of two non-zero elements, and replacing f with the split-inputs version of f. That is, for a polynomial f, let \(\varphi :\mathbb {F}_{p}^{2N}\rightarrow \mathbb {F}_{p}\) denote the function obtained from f by replacing each variable \(x_i\) of f with the sum of two variables, \(z_i\) and \(w_i\), as follows:

$$\begin{aligned} \begin{aligned}&\varphi (z_1\dots ,z_N,w_1,\dots ,w_N)\\&\quad = \sum _{ l\in \mathcal {L}} a_l \cdot (z_1+w_1)^{l_1} \cdots (z_N+w_N)^{l_N}\\&\quad =\sum _{\lambda \in \Lambda } b_\lambda \cdot z_1^{\lambda _1} \cdots z_N^{\lambda _N}\cdot w_1^{\lambda _{N+1}}\cdots w_N^{\lambda _{2N}}, \end{aligned} \end{aligned}$$
(4)

where \(\lambda =(\lambda _1,\dots ,\lambda _{2N})\), \(\Lambda =\{0,1,\dots ,p-1\}^{2N}\), and \(b_\lambda \in \mathbb {F}_{p}\). \(\varphi\) is the split-inputs version of f. We note that, since f is a polynomial of N variables, \(k\le p^N\), and since \(\varphi\) is a polynomial of 2N variables, \(K\le p^{2N}=(p^N)^2\).

Now, if \(p\ne 2\), OTS-IS may be invoked by the parties to find f(s).

figure j

Theorem A.2

OTS-IS is a two-round N-party P-MPC scheme for \(\mathbb {F}_{p}\) functions (\(p\ne 2\)) which has perfect correctness, perfect passive security, threshold \(N-1\), f-independent CR, communication complexity \(\mathcal {O}(N^2nK)\), and space complexity \(\mathcal {O}(NnK)\), where K is the number of monomials of the split-inputs version of f.

Proof

Correctness follows from that of OTS and from the observation that if \(\alpha _i,\beta _i\in \mathbb {F}_{p}\) (\(1\le i\le N\)) are such that for every \(i\in [N]\) it holds that \(s_i=\alpha _i+\beta _i\), then \(f(s_1,\dots ,s_N)=\varphi (\alpha _1,\dots ,\alpha _N,\beta _1,\dots ,\beta _N)\). The security and complexity properties follow immediately from those of OTS. \(\square\)

Now, in \(\mathbb {F}_{2}\), 1 cannot be written as a sum of two non-zero elements. This is the reason for the requirement \(p\ne 2\) in Theorem A.2. OTS-IS\(_2\) solves the case \(p=2\) by embedding \(\mathbb {F}_{2}\) in \(\mathbb {F}_{3}\) and using OTS-IS as a subroutine. The embedding is performed as follows. The elements \(0,1\in \mathbb {F}_{2}\) are identified with \(0,1\in \mathbb {F}_{3}\). For \(s_j\in \mathbb {F}_{2}\) let \(\overline{s_j}\) denote the \(\mathbb {F}_{3}\) correspondent of \(s_j\). \(\mathbb {F}_{2}\) operations are identified with \(\mathbb {F}_{3}\) operations as follows. \(\mathbb {F}_{2}\)-multiplication is identified with \(\mathbb {F}_{3}\)-multiplication, and \(\mathbb {F}_{2}\)-addition is identified with \(Add:\mathbb {F}_{3}^2\rightarrow \mathbb {F}_{3}\), \(Add(x,y)=x+y+xy\). Let \(\overline{f}:\mathbb {F}_{3}^N\rightarrow \mathbb {F}_{3}\) denote the \(\mathbb {F}_{3}\) correspondent of f. That is, \(\overline{f}\) is obtained from f by replacing the \(\mathbb {F}_{2}\)-operations ‘\(\cdot\)’ and ‘\(+\)’ of f with the \(\mathbb {F}_{3}\)-operations ‘\(\cdot\)’ and ‘Add’. The parties may invoke OTS-IS\(_2\) to find f(s).

figure k

Theorem A.3

OTS-IS\(_2\) is a two-round N-party P-MPC scheme for arithmetic functions over \(\mathbb {F}_{2}\) which has perfect correctness, perfect passive security, threshold \(N-1\), f-independent CR, communication complexity \(\mathcal {O}(N^2nK)\), and space complexity \(\mathcal {O}(NnK)\), where K is the number of monomials of the split-input version of the \(\mathbb {F}_{3}\) correspondent of f.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Bitan, D., Dolev, S. Optimal-round preprocessing-MPC of polynomials over non-zero inputs via distributed random matrix. Wireless Netw 28, 3261–3274 (2022). https://doi.org/10.1007/s11276-022-03040-7

Download citation

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11276-022-03040-7

Keywords

Mathematics Subject Classification

Navigation