Private Outsourcing of Polynomial Evaluation and Matrix Multiplication using Multilinear Maps
Liang Feng Zhang, Reihaneh Safavi-Naini
Institute for Security, Privacy and Information Assurance, Department of Computer Science, University of Calgary

Cloud Computing
• Weak Clients: Smart Phones; Netbooks
• Clouds: Amazon EC2; Google Compute Engine
• A Typical Model:
  • The client has a computationally intensive function $F$
  • The client gives $F$ to the cloud
  • To compute $F(\alpha)$, the client gives $\alpha$ to the cloud
  • The cloud returns $\rho = F(\alpha)$ if it is honest
• The client must verify when the cloud is untrusted
• The verification should be much more efficient
• Solution: Gennaro, Gentry and Parno [GGP10]

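Verifiable Computation (VC)
Client ($F$) and Cloud:
• Client: $(pk, sk) \leftarrow \mathsf{KeyGen}(1^\lambda, F)$; sends $pk$ to the cloud
• Client: $(\sigma, \tau) \leftarrow \mathsf{ProbGen}(sk, \alpha)$; sends $\sigma$ to the cloud
• Cloud: $(\rho, \pi) \leftarrow \mathsf{Compute}(pk, \sigma)$; returns $(\rho, \pi)$ to the client
• Client: $\{F(\alpha), \perp\} \leftarrow \mathsf{Verify}(sk, \tau, \rho, \pi)$
Correctness: $\mathsf{Verify}(sk, \tau, \rho, \pi) = F(\alpha)$
Security: cannot forge $(\bar\rho, \bar\pi)$ s.t. $\mathsf{Verify}(sk, \tau, \bar\rho, \bar\pi) \notin \{F(\alpha), \perp\}$
Efficiency: $T_{\mathsf{ProbGen}} + T_{\mathsf{Verify}} = o(T_{F(\alpha)})$
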
Privacy
• The client has no reason to trust the cloud with the knowledge of its function $F$ and input $\alpha$
• Privacy is important when $F$ or $\alpha$ is sensitive
  • $F$ contains financial data and $\alpha$ indicates the client's interest
  • $F$ contains medical data and $\alpha$ indicates the client's identity
• Input privacy: hide the input $\alpha$ from the cloud
• Function privacy: hide the function $F$ from the cloud
• Our goal: VC with input privacy and function privacy

Multilinear Maps and Assumptions
• Postulated by Boneh and Silverberg [BS02]
• Candidate multilinear maps by [GGH13, CLT13]
• Multilinear map generator $\mathcal{G}$: $\Gamma = (N, G_1, \ldots, G_k, e, g_1, \ldots, g_k) \leftarrow \mathcal{G}(1^\lambda, k)$
  • $N = pq$ for $\lambda$-bit primes $p \neq q$; $G_i = \langle g_i \rangle$, order $N$ ($i \in [k]$)
  • $e : G_i \times G_j \to G_{i+j}$, where $e(g_i^{a}, g_j^{b}) = g_{i+j}^{ab}$ ($i + j \leq k$)
  • $e : G_1 \times \cdots \times G_1 \to G_k$: $e(g_1^{a_1}, \ldots, g_1^{a_k}) = g_k^{a_1 \cdots a_k}$

Multilinear Maps and Assumptions (cont.)
• SDA: $(\Gamma, u) \equiv_c (\Gamma, u^q)$, where $u \leftarrow G_i$;
• MSDH: $\Pr[\mathcal{A}(\Gamma, g_1, g_1^{s}, \ldots, g_1^{s^n}) = (a, g_k^{1/(s+a)})]$, where $s \leftarrow \mathbb{Z}_N$
• 3-Linear: $k = 3$, $u_0, u_1, u_2, u_3 \leftarrow G_1$, $a_0, a_1, a_2, a_3 \leftarrow \mathbb{Z}_N$
  $\begin{pmatrix} u_1 & u_2 & u_3 & u_0 \\ u_1^{a_1} & u_2^{a_2} & u_3^{a_3} & u_0^{a_1 + a_2 + a_3} \end{pmatrix} \equiv_c \begin{pmatrix} u_1 & u_2 & u_3 & u_0 \\ u_1^{a_1} & u_2^{a_2} & u_3^{a_3} & u_0^{a_0} \end{pmatrix}$
• 3-MDDH: $k = 3$, $a_0, a_1, a_2, a_3, b \leftarrow \mathbb{Z}_N$
  $(\Gamma, g_1^{a_0}, g_1^{a_1}, g_1^{a_2}, g_1^{a_3}, g_3^{a_0 a_1 a_2 a_3}) \equiv_c (\Gamma, g_1^{a_0}, g_1^{a_1}, g_1^{a_2}, g_1^{a_3}, g_3^{b})$

Our Results
• Polynomial Evaluation ($k = 2\lfloor \log(n+1) \rfloor + 1$)
  • Function: a high degree poly $f(x) = \sum_{i=0}^{n} f_i x^i \in \mathbb{F}_q[x]$
  • Input: a field element $\alpha \in \mathbb{F}_q$
  • Assumptions: SDA, MSDH
  • Result: a VC Scheme with input and function privacy
• Matrix Multiplication ($k = 3$)
  • Function: a matrix $M = (M_{ij}) \in \mathbb{F}_q^{n \times n}$
  • Input: a vector $x = (x_1, \ldots, x_n) \in \mathbb{F}_q^{n}$
  • Assumption: SDA, 3-Linear and 3-MDDH
  • Result: a VC Scheme with input and function privacy
• Applications: Private information retrieval

An Encryption Scheme Based on SDA
• $(pk, sk) \leftarrow \mathsf{Gen}(1^\lambda, k)$
  • pick $\Gamma = (N, G_1, \ldots, G_k, e, g_1, \ldots, g_k) \leftarrow \mathcal{G}(1^\lambda, k)$
  • pick $u \leftarrow G_1$, compute $h = u^q$
  • $pk = (\Gamma, g_1, h)$; $sk = p$
• $c \leftarrow \mathsf{Enc}(pk, m)$: pick $r \leftarrow \mathbb{Z}_N$, compute $c = g_1^{m} h^{r}$
• $m \leftarrow \mathsf{Dec}(sk, c)$: compute $m \in \mathcal{M}$ s.t. $c^p = (g_1^p)^m$
• Denoted as $\mathrm{BGN}_k$ (recall [BGN05] for $k = 2$)
  • $|\mathcal{M}| = \mathrm{poly}(\lambda)$; $\mathcal{C} = G_1$ ($G_i$); SDA-based security
  • $\mathsf{Enc}(\alpha_1), \mathsf{Enc}(\alpha_2) \Rightarrow \mathsf{Enc}(\alpha_1 + \alpha_2)$ (multiplication)
  • $\mathsf{Enc}(\alpha_1), \ldots, \mathsf{Enc}(\alpha_k) \Rightarrow \mathsf{Enc}(\alpha_1 \cdots \alpha_k)$ (pairing)

Computing on the Exponents
• Setting for polynomial evaluation
  • $f(x) = f_0 + f_1 x + \cdots + f_n x^n$; $\alpha$; $k = \lceil \log(n+1) \rceil$
  • Set up $\mathrm{BGN}_k$ with $pk = (\Gamma, g_1, h)$ and $sk = p$
  • For $\ell \in [k]$, $\sigma_\ell = \mathsf{Enc}(\alpha^{2^{\ell-1}})$; $\sigma = (\sigma_1, \ldots, \sigma_k)$
  • $s \in \mathbb{Z}_N$ and $S = \{ g_1^{s^{2^{\ell-1}}} : \ell \in [k] \}$
• From $f(x)$ and $\sigma$ to $\mathsf{Enc}(f(\alpha))$
  • For $0 \leq i \leq n$, $\exists\, i_1, \ldots, i_k \in \{0, 1\}$ s.t. $i = \sum_{\ell=1}^{k} i_\ell 2^{\ell-1}$
  • $f_i \alpha^i = f_i \cdot \alpha^{i_1} (\alpha^2)^{i_2} \cdots (\alpha^{2^{k-1}})^{i_k}$
  • $e(\sigma_1^{i_1}, \ldots, \sigma_k^{i_k})^{f_i} = \mathsf{Enc}(f_i \alpha^i)$; ($\sigma_j^{i_j} \triangleq g_1$ when $i_j = 0$)
  • $\mathsf{Enc}(f(\alpha)) = \prod_{i=0}^{n} \mathsf{Enc}(f_i \alpha^i)$;

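
The step from $f(x)$ and $\sigma$ to $\mathsf{Enc}(f(\alpha))$, as an added example that is not from the original slides. It assumes a simulated multilinear map in which each group element is stored by its exponent, which gives no security and only checks the algebra; `Elem`, `pair` and the toy primes are constructed for this sketch.

```python
import secrets

# Toy, insecure parameters (constructed for this example): N = p*q.
p, q = 1009, 1013
N = p * q

class Elem:
    """g_level^exp, stored by its exponent: a simulation, not a real group."""
    def __init__(self, level, exp):
        self.level, self.exp = level, exp % N
    def __mul__(self, other):               # group operation inside G_level
        assert self.level == other.level
        return Elem(self.level, self.exp + other.exp)
    def __pow__(self, scalar):
        return Elem(self.level, self.exp * scalar)

def pair(elems):
    """Multilinear map e: levels add, exponents multiply."""
    level, exp = 0, 1
    for x in elems:
        level, exp = level + x.level, exp * x.exp % N
    return Elem(level, exp)

G1 = Elem(1, 1)
H = G1 ** (q * secrets.randbelow(N))        # h = u^q for random u in G_1

def enc(m):
    """BGN_k encryption in G_1: g_1^m * h^r."""
    return (G1 ** m) * (H ** secrets.randbelow(N))

def prob_gen(alpha, k):
    """sigma_l = Enc(alpha^(2^(l-1))), l = 1..k (index 0..k-1 here)."""
    return [enc(pow(alpha, 2 ** l, q)) for l in range(k)]

def eval_encrypted(f, sigma):
    """Cloud: Enc(f(alpha)) in G_k from the coefficients f and sigma only."""
    k = len(sigma)
    assert len(f) <= 2 ** k
    acc = Elem(k, 0)
    for i, f_i in enumerate(f):
        # sigma_l where bit l of i is set, g_1 where it is not
        mono = pair([sigma[l] if (i >> l) & 1 else G1 for l in range(k)])
        acc = acc * (mono ** f_i)
    return acc

def dec(c):
    """Client: the y in Z_q with c^p = (g_level^p)^y, by exhaustive search."""
    target = (c ** p).exp
    return next(y for y in range(q) if p * y % N == target)
```

Raising to $p$ removes every $h^{r}$ factor because $h^{p} = u^{pq} = 1$, which is why decryption recovers $f(\alpha) \bmod q$ despite the fresh randomness in each $\sigma_\ell$.
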
Computing on the Exponents (cont.)
• From $f(x)$, $\sigma$ and $S$ to $\mathsf{Enc}\left(\frac{f(s) - f(\alpha)}{s - \alpha}\right)$ ($(2k+1)$-linear map)
  • $c(s) \triangleq \frac{f(s) - f(\alpha)}{s - \alpha} = \sum_{i=0}^{n-1} \sum_{j=0}^{i} f_{i+1} \alpha^{j} s^{i-j}$
  • From $f(x)$, $\sigma$ and $S$ to $\pi_{ij} = \mathsf{Enc}(f_{i+1} \alpha^{j} s^{i-j})$
  • Compute $\mathsf{Enc}(c(s)) = \prod_{i=0}^{n-1} \prod_{j=0}^{i} \pi_{ij}$
• Setting for matrix multiplication
  • $M = (M_{ij})$ is an $n \times n$ matrix; $x = (x_1, \ldots, x_n)'$ is a vector
  • Set up $\mathrm{BGN}_3$ with $pk = (\Gamma, g_1, h)$ and $sk = p$
  • For $\ell \in [n]$, $\sigma_\ell = \mathsf{Enc}(x_\ell)$; $\sigma = (\sigma_1, \ldots, \sigma_n)$
• From $M$ and $\mathsf{Enc}(x)$ to $\mathsf{Enc}(Mx)$
  • $\rho_i = \prod_{j=1}^{n} \sigma_j^{M_{ij}} = \mathsf{Enc}\left(\sum_{j=1}^{n} M_{ij} x_j\right)$ for every $i \in [n]$

Polynomial Evaluation (No Input Privacy)
• $\mathsf{KeyGen}(1^\lambda, f)$:
  • Pick $\Gamma_2 = (N, G_1, G_2, e, g_1, g_2)$, $s \leftarrow \mathbb{Z}_N$, $t = g_1^{f(s)}$;
  • public key $pk = (\Gamma_2, g_1^{s}, \ldots, g_1^{s^n}, f)$; secret key $sk = s$.
• $\mathsf{ProbGen}(sk, \alpha)$: output $\sigma = \alpha$, $\tau = \perp$;
• $\mathsf{Compute}(pk, \sigma)$:
  • compute $c(x)$ such that $f(x) - f(\alpha) = (x - \alpha) c(x)$;
  • compute and output $y = f(\alpha)$ and $\pi = g_1^{c(s)}$;
• $\mathsf{Verify}(sk, \tau, \rho, \pi)$: $e(t g_1^{-y}, g_1) \overset{?}{=} e(g_1^{s - \alpha}, \pi)$
• Privacy: no privacy; Security: MSDH ($k = 2$)

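
The no-privacy scheme above run end to end, as an added example that is not from the original slides: the cloud derives $c(x)$ by synthetic division and builds $\pi$ from the published powers of $g_1$ without learning $s$. Assumptions of this sketch: $G_1$ is a toy order-$N$ subgroup of $\mathbb{Z}_P^*$ with no pairing, so the client checks the same exponent relation as the pairing equation directly in $G_1$ using its secret $s$; coefficient arithmetic is done modulo $N$; all names and parameters are constructed.

```python
import secrets

# Toy, insecure parameters (constructed): N = 11*13 and P = 6N + 1 is prime.
N, P = 143, 859
# g_1: an element of order exactly N in Z_P^*
G = next(g for g in (pow(x, (P - 1) // N, P) for x in range(2, P))
         if pow(g, 11, P) != 1 and pow(g, 13, P) != 1)

def key_gen(f):
    """pk holds g_1^(s^i) and f; sk holds s and t = g_1^f(s)."""
    s = secrets.randbelow(N)
    powers = [pow(G, pow(s, i, N), P) for i in range(len(f))]
    t = pow(G, sum(c * pow(s, i, N) for i, c in enumerate(f)) % N, P)
    return {"powers": powers, "f": f}, {"s": s, "t": t}

def compute(pk, alpha):
    """Cloud: y = f(alpha) and the proof pi = g_1^c(s)."""
    f = pk["f"]
    # Synthetic division: f(x) - f(alpha) = (x - alpha) * c(x)
    c = [0] * (len(f) - 1)
    carry = 0
    for i in range(len(f) - 1, 0, -1):
        carry = (f[i] + alpha * carry) % N
        c[i - 1] = carry
    y = (f[0] + alpha * carry) % N
    pi = 1
    for c_i, g_si in zip(c, pk["powers"]):
        pi = pi * pow(g_si, c_i, P) % P      # built without knowing s
    return y, pi

def verify(sk, alpha, y, pi):
    """Client: t * g_1^(-y) == pi^(s - alpha), i.e. f(s) - y = (s - alpha) c(s)."""
    lhs = sk["t"] * pow(G, -y % N, P) % P
    return lhs == pow(pi, (sk["s"] - alpha) % N, P)
```
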
Polynomial Evaluation (Input Privacy)
• $\mathsf{KeyGen}(1^\lambda, f(x))$: $f(x) = f_0 + f_1 x + \cdots + f_n x^n$; $k = \lceil \log(n+1) \rceil$
  • $\Gamma \leftarrow \mathcal{G}(1^\lambda, 2k+1)$, $s \leftarrow \mathbb{Z}_N$, $t = g_1^{f(s)}$; $u \leftarrow G_1$, $h = u^q$;
  • $sk = (p, q, s, t)$, $pk = (\Gamma, h, g_1^{s}, \ldots, g_1^{s^{2^{k-1}}}, f)$.
• $\mathsf{ProbGen}(sk, \alpha)$:
  • pick $r_\ell \leftarrow \mathbb{Z}_N$ and compute $\sigma_\ell = g_1^{\alpha^{2^{\ell-1}}} h^{r_\ell}$ for $\ell \in [k]$
  • $\sigma = (\sigma_1, \ldots, \sigma_k)$, $\tau = \perp$.
• $\mathsf{Compute}(pk, \sigma)$: output $\rho = \mathsf{Enc}(f(\alpha))$, $\pi = \mathsf{Enc}(c(s))$
• $\mathsf{Verify}(sk, \tau, \rho, \pi)$:
  • compute $y \in \mathbb{Z}_q$ such that $\rho^p = (g_k^p)^y$
  • check if $e(t / g_1^{y}, g_{2k}^{p}) = e(g_1^{s - \alpha}, \pi^{p})$
• Privacy: SDA; Security: MSDH ($2k+1$)

Polynomial Evaluation (Input and Function Privacy)
• $\mathsf{KeyGen}(1^\lambda, f(x))$:
  • $\Gamma$, $s \leftarrow \mathbb{Z}_N$, $t = g_1^{f(s)}$; $u \leftarrow G_1$, $h = u^q$; $v_i \leftarrow \mathbb{Z}_N$, $\gamma_i = g_1^{f_i} h^{v_i}$;
  • $sk = (p, q, s, t)$; $pk = (\Gamma, h, g_1^{s}, \ldots, g_1^{s^{2^{k-1}}}; \gamma_0, \ldots, \gamma_n)$.
• $\mathsf{ProbGen}(sk, x)$: $\sigma = (\sigma_1, \ldots, \sigma_k)$ and $\tau = \perp$;
  • $r_\ell \leftarrow \mathbb{Z}_N$, $\sigma_\ell = g_1^{\alpha^{2^{\ell-1}}} h^{r_\ell}$ for every $\ell \in [k]$
• $\mathsf{Compute}(pk, \sigma)$: output $\rho = \mathsf{Enc}(f(\alpha))$ and $\pi = \mathsf{Enc}(c(s))$
• $\mathsf{Verify}(sk, \tau, \rho, \pi)$:
  • compute $y \in \mathbb{Z}_q$ such that $\rho^p = (g_{k+1}^p)^y$
  • check if $e(t / g_1^{y}, g_{2k+1}^{p}) = e(g_1^{s - \alpha}, \pi^{p})$

PRF with Closed-Form Efficiency
• A Construction Based on 3-Linear Assumption:
  • $\Gamma \leftarrow \mathcal{G}(1^\lambda, 3)$; $A_j, B_j, C_j \leftarrow G_1$, $\alpha_i, \beta_i, \gamma_i \leftarrow \mathbb{Z}_N$
  • $F_K : [n]^2 \to G_1$, $(i, j) \mapsto A_j^{\alpha_i} B_j^{\beta_i} C_j^{\gamma_i}$
• Closed-Form Efficiency: $\mathsf{Comp}_i = \prod_{j=1}^{n} F_K(i, j)^{x_j}$ ($i \in [n]$)
  • $A = \prod_{i=1}^{n} A_i^{x_i}$, $B = \prod_{i=1}^{n} B_i^{x_i}$, $C = \prod_{i=1}^{n} C_i^{x_i}$
  • $\mathsf{Comp}_i = A^{\alpha_i} B^{\beta_i} C^{\gamma_i}$ for every $i \in [n]$
• Introduced by Benabbas, Gennaro and Vahlis [BGV11]

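
The closed-form shortcut above checked against the direct product, as an added example that is not from the original slides. It assumes a toy order-$N$ subgroup of $\mathbb{Z}_P^*$ standing in for $G_1$; the function names and parameters are constructed for this sketch.

```python
import secrets

# Toy, insecure group (constructed): order-N subgroup of Z_P^*, N = 11*13.
N, P = 143, 859
G = next(g for g in (pow(x, (P - 1) // N, P) for x in range(2, P))
         if pow(g, 11, P) != 1 and pow(g, 13, P) != 1)

def key_gen(n):
    """K = (A_j, B_j, C_j in G_1; alpha_i, beta_i, gamma_i in Z_N)."""
    elems = lambda: [pow(G, secrets.randbelow(N), P) for _ in range(n)]
    exps = lambda: [secrets.randbelow(N) for _ in range(n)]
    return {"A": elems(), "B": elems(), "C": elems(),
            "a": exps(), "b": exps(), "c": exps()}

def prf(K, i, j):
    """F_K(i, j) = A_j^alpha_i * B_j^beta_i * C_j^gamma_i."""
    return (pow(K["A"][j], K["a"][i], P) * pow(K["B"][j], K["b"][i], P)
            * pow(K["C"][j], K["c"][i], P)) % P

def comp_naive(K, x):
    """Comp_i = prod_j F_K(i, j)^x_j, evaluating the PRF n^2 times."""
    out = []
    for i in range(len(x)):
        acc = 1
        for j, x_j in enumerate(x):
            acc = acc * pow(prf(K, i, j), x_j, P) % P
        out.append(acc)
    return out

def comp_closed_form(K, x):
    """Same values from A, B, C folded once over x: O(n) work in total."""
    def fold(bases):
        acc = 1
        for base, x_j in zip(bases, x):
            acc = acc * pow(base, x_j, P) % P
        return acc
    A, B, C = fold(K["A"]), fold(K["B"]), fold(K["C"])
    return [pow(A, K["a"][i], P) * pow(B, K["b"][i], P)
            * pow(C, K["c"][i], P) % P for i in range(len(x))]
```

Only the key holder can take the shortcut, since it needs the exponents $\alpha_i, \beta_i, \gamma_i$; this is what keeps the client's cost of computing $\tau$ linear in $n$ in the matrix schemes.
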
Matrix Multiplication (Input Privacy)
• $\mathsf{KeyGen}(1^\lambda, M)$:
  • Pick $\Gamma$, $K$ and $a \leftarrow \mathbb{Z}_N$; $T_{ij} = g_1^{p^2 a M_{ij}} \cdot F_K(i, j)$ for $(i, j) \in [n]^2$
  • Pick $u \leftarrow G_1$, $h = u^q$; $sk = (p, q, K, a)$; $pk = (\Gamma, h, M, T)$
• $\mathsf{ProbGen}(sk, x)$: $\sigma = (\sigma_1, \ldots, \sigma_n)$, $\tau = (\tau_1, \ldots, \tau_n)$
  • $r_j \leftarrow \mathbb{Z}_N$, $\sigma_j = g_1^{x_j} h^{r_j}$, $\tau_i = e\left(\prod_{j=1}^{n} F_K(i, j)^{x_j}, g_2^{p}\right)$ ($i, j \in [n]$)
• $\mathsf{Compute}(pk, \sigma)$:
  • compute $\rho_i = \prod_{j=1}^{n} \sigma_j^{M_{ij}}$ and $\pi_i = \prod_{j=1}^{n} e(T_{ij}, \sigma_j)$ for $i \in [n]$
• $\mathsf{Verify}(sk, \tau, \rho, \pi)$:
  • compute $y_i$ s.t. $\rho_i^{p} = (g_1^{p})^{y_i}$ and verify if $e(\pi_i, g_1^{p}) = g_3^{p^3 a y_i} \cdot \tau_i$
  • output $y = (y_1, \ldots, y_n)$ if the 2nd equality holds for $i \in [n]$
• Privacy: SDA; Security: 3-Linear and 3-MDDH

Matrix Multiplication (Input and Function Privacy)
• $\mathsf{KeyGen}(1^\lambda, M)$:
  • $\Gamma$, $K$ and $a \leftarrow \mathbb{Z}_N$; $T_{ij} = g_1^{p^2 a M_{ij}} \cdot F_K(i, j)$; $u \leftarrow G_1$, $h = u^q$
  • $v_{ij} \leftarrow \mathbb{Z}_N$, $\gamma_{ij} = g_1^{M_{ij}} h^{v_{ij}}$
  • $sk = (p, q, K, a)$ and $pk = (\Gamma, h, \gamma, T)$
• $\mathsf{ProbGen}(sk, x)$: output $\sigma = (\sigma_1, \ldots, \sigma_n)$, $\tau = (\tau_1, \ldots, \tau_n)$
  • $r_j \leftarrow \mathbb{Z}_N$, $\sigma_j = g_1^{x_j} h^{r_j}$; $\tau_i = e\left(\prod_{j=1}^{n} F_K(i, j)^{x_j}, g_2^{p}\right)$ ($(i, j) \in [n]^2$)
• $\mathsf{Compute}(pk, \sigma)$: output $\rho = (\rho_1, \ldots, \rho_n)$, $\pi = (\pi_1, \ldots, \pi_n)$
  • $\rho_i = \prod_{j=1}^{n} e(\gamma_{ij}, \sigma_j)$; $\pi_i = \prod_{j=1}^{n} e(T_{ij}, \sigma_j)$
• $\mathsf{Verify}(sk, \tau, \rho, \pi)$:
  • compute $y_i$ s.t. $\rho_i^{p} = (g_2^{p})^{y_i}$ and check if $e(\pi_i, g_1^{p}) = \eta^{p y_i} \cdot \tau_i$
  • output $y = (y_1, \ldots, y_n)$ if the 2nd equality holds for $i \in [n]$