Private Outsourcing of Polynomial Evaluation and Matrix Multiplication using Multilinear Maps

Liang Feng Zhang, Reihaneh Safavi-Naini
Institute for Security, Privacy and Information Assurance
Department of Computer Science
University of Calgary
Cloud Computing

- Weak clients: smart phones; netbooks
- Clouds: Amazon EC2; Google Compute Engine
- A typical model:
  - The client has a computationally intensive function $F$
  - The client gives $F$ to the cloud
  - To compute $F(\alpha)$, the client gives $\alpha$ to the cloud
  - The cloud returns $\rho = F(\alpha)$ if it is honest
- The client must verify when the cloud is untrusted
- The verification should be much more efficient
- Solution: Gennaro, Gentry and Parno [GGP0]
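Verifiable Computation (VC)

Protocol between the Client (holding $F$) and the Cloud:
- Client: $(pk, sk) \leftarrow \mathrm{KeyGen}(1^\lambda, F)$
- Client: $(\sigma, \tau) \leftarrow \mathrm{ProbGen}(sk, \alpha)$
- Client → Cloud: $pk$, $\sigma$
- Cloud: $(\rho, \pi) \leftarrow \mathrm{Compute}(pk, \sigma)$
- Cloud → Client: $(\rho, \pi)$
- Client: $\mathrm{Verify}(sk, \tau, \rho, \pi) \in \{F(\alpha), \bot\}$

Properties:
- Correctness: $\mathrm{Verify}(sk, \tau, \rho, \pi) = F(\alpha)$
- Security: cannot forge $(\rho, \pi)$ s.t. $\mathrm{Verify}(sk, \tau, \rho, \pi) \notin \{F(\alpha), \bot\}$
- Efficiency: $T_{\mathrm{ProbGen}} + T_{\mathrm{Verify}} = o(t_{F(\alpha)})$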
Privacy

- The client has no reason to trust the cloud with the knowledge of its function $F$ and input $\alpha$
- Privacy is important when $F$ or $\alpha$ is sensitive
  - $F$ contains financial data and $\alpha$ indicates the client's interest
  - $F$ contains medical data and $\alpha$ indicates the client's identity
- Input privacy: hide the input $\alpha$ from the cloud
- Function privacy: hide the function $F$ from the cloud
- Our goal: VC with input privacy and function privacy
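Multilinear Maps and Assumptions

- Postulated by Boneh and Silverberg [BS02]
- Candidate multilinear maps by [GGH3,CLT3]
- Multilinear map generator $\mathcal{G}$:
  - $\Gamma = (N, G_1, \ldots, G_k, e, g_1, \ldots, g_k) \leftarrow \mathcal{G}(1^\lambda, k)$
  - $N = pq$ for $\lambda$-bit primes $p$ and $q$; $G_i = \langle g_i \rangle$, order $N$ ($i \in [k]$)
  - $e : G_i \times G_j \to G_{i+j}$, where $e(g_i^a, g_j^b) = g_{i+j}^{ab}$ ($i + j \le k$)
  - $e : G_1 \times \cdots \times G_1 \to G_k$: $e(g_1^{a_1}, \ldots, g_1^{a_k}) = g_k^{a_1 \cdots a_k}$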
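Multilinear Maps and Assumptions (cont.)

- SDA: $(\Gamma, u) \approx_c (\Gamma, u^q)$, where $u \leftarrow G_i$
- MSDH: $\Pr[\mathcal{A}(\Gamma, g_1, g_1^{s}, \ldots, g_1^{s^n}) = (a, g_k^{1/(s+a)})]$, where $s \leftarrow \mathbb{Z}_N$
- 3-Linear: $k = 3$, $u_0, u_1, u_2, u_3 \in G_1$, $a_0, a_1, a_2, a_3 \in \mathbb{Z}_N$

$$\begin{pmatrix} u_1 & u_2 & u_3 & u_0 \\ u_1^{a_1} & u_2^{a_2} & u_3^{a_3} & u_0^{a_1+a_2+a_3} \end{pmatrix} \approx_c \begin{pmatrix} u_1 & u_2 & u_3 & u_0 \\ u_1^{a_1} & u_2^{a_2} & u_3^{a_3} & u_0^{a_0} \end{pmatrix}$$

- 3-MDDH: $k = 3$, $a_0, a_1, a_2, a_3, b \in \mathbb{Z}_N$

$$(\Gamma, g_1^{a_0}, g_1^{a_1}, g_1^{a_2}, g_1^{a_3}, g_3^{a_0 a_1 a_2 a_3}) \approx_c (\Gamma, g_1^{a_0}, g_1^{a_1}, g_1^{a_2}, g_1^{a_3}, g_3^{b})$$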
Our Results

Polynomial Evaluation ($k = 2\log(n+1) + 1$)
- Function: a high degree poly $f(x) = \sum_{i=0}^{n} f_i x^i \in \mathbb{F}_q[x]$
- Input: a field element $\alpha \in \mathbb{F}_q$
- Assumptions: SDA, MSDH
- Result: a VC scheme with input and function privacy

Matrix Multiplication ($k = 3$)
- Function: a matrix $M = (M_{ij}) \in \mathbb{F}_q^{n \times n}$
- Input: a vector $x = (x_1, \ldots, x_n) \in \mathbb{F}_q^n$
- Assumptions: SDA, 3-Linear and 3-MDDH
- Result: a VC scheme with input and function privacy

Applications: Private information retrieval
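An Encryption Scheme Based on SDA

- $(pk, sk) \leftarrow \mathrm{Gen}(1^\lambda, k)$:
  - pick $\Gamma = (N, G_1, \ldots, G_k, e, g_1, \ldots, g_k) \leftarrow \mathcal{G}(1^\lambda, k)$
  - pick $u \leftarrow G_1$, compute $h = u^q$
  - $pk = (\Gamma, g_1, h)$; $sk = p$
- $c \leftarrow \mathrm{Enc}(pk, m)$: pick $r \leftarrow \mathbb{Z}_N$, compute $c = g_1^{m} h^{r}$
- $m \leftarrow \mathrm{Dec}(sk, c)$: compute $m \in \mathcal{M}$ s.t. $c^p = (g_1^p)^m$
- Denoted as $\mathrm{BGN}_k$ (recall [BGN05] for $k = 2$)
- $|\mathcal{M}| = \mathrm{poly}(\lambda)$; $\mathcal{C} = G_1$ ($G_i$); SDA-based security
- $\mathrm{Enc}(\alpha_1), \mathrm{Enc}(\alpha_2) \to \mathrm{Enc}(\alpha_1 + \alpha_2)$ (multiplication)
- $\mathrm{Enc}(\alpha_1), \ldots, \mathrm{Enc}(\alpha_k) \to \mathrm{Enc}(\alpha_1 \cdots \alpha_k)$ (pairing)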
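Computing on the Exponents

Setting for polynomial evaluation
- $f(x) = f_0 + f_1 x + \cdots + f_n x^n$; $\alpha$; $k = \log(n+1)$
- Set up $\mathrm{BGN}_k$ with $pk = (\Gamma, g_1, h)$ and $sk = p$
- For $l \in [k]$, $\sigma_l = \mathrm{Enc}(\alpha^{2^{l-1}})$; $\sigma = (\sigma_1, \ldots, \sigma_k)$
- $s \leftarrow \mathbb{Z}_N$ and $S = \{g_1^{s^{2^{l-1}}} : l \in [k]\}$

From $f(x)$ and $\sigma$ to $\mathrm{Enc}(f(\alpha))$
- For $0 \le i \le n$, there are $i_1, \ldots, i_k \in \{0, 1\}$ s.t. $i = \sum_{l=1}^{k} i_l 2^{l-1}$
- $f_i \alpha^i = f_i \, \alpha^{i_1} (\alpha^2)^{i_2} \cdots (\alpha^{2^{k-1}})^{i_k}$
- $e(\sigma_1^{i_1}, \ldots, \sigma_k^{i_k})^{f_i} = \mathrm{Enc}(f_i \alpha^i)$ ($\sigma_j^{i_j}$ is taken to be $g_1$ when $i_j = 0$)
- $\mathrm{Enc}(f(\alpha)) = \prod_{i=0}^{n} \mathrm{Enc}(f_i \alpha^i)$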
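Computing on the Exponents (cont.)

From $f(x)$, $\sigma$ and $S$ to $\mathrm{Enc}\left(\frac{f(s) - f(\alpha)}{s - \alpha}\right)$ ($(2k+1)$-linear map)
- $c(s) = \frac{f(s) - f(\alpha)}{s - \alpha} = \sum_{i=0}^{n-1} \sum_{j=0}^{i} f_{i+1} \alpha^{j} s^{i-j}$
- From $f(x)$, $\sigma$ and $S$ to $\pi_{ij} = \mathrm{Enc}(f_{i+1} \alpha^{j} s^{i-j})$
- Compute $\mathrm{Enc}(c(s)) = \prod_{i=0}^{n-1} \prod_{j=0}^{i} \pi_{ij}$

Setting for matrix multiplication
- $M = (M_{ij})$ is an $n \times n$ matrix; $x = (x_1, \ldots, x_n)$ is a vector
- Set up $\mathrm{BGN}_3$ with $pk = (\Gamma, g_1, h)$ and $sk = p$
- For $l \in [n]$, $\sigma_l = \mathrm{Enc}(x_l)$; $\sigma = (\sigma_1, \ldots, \sigma_n)$

From $M$ and $\mathrm{Enc}(x)$ to $\mathrm{Enc}(Mx)$
- $\rho_i = \prod_{j=1}^{n} \sigma_j^{M_{ij}} = \mathrm{Enc}\left(\sum_{j=1}^{n} M_{ij} x_j\right)$ for every $i \in [n]$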
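
The Enc/Dec scheme and the step from $M$ and $\mathrm{Enc}(x)$ to $\mathrm{Enc}(Mx)$, as an added example that is not from the slides. It assumes a toy order-$N$ subgroup of $\mathbb{Z}_P^*$ in place of $G_1$, with constructed small primes that give no security; there is no multilinear map here, so only $\rho$ is computed and the proof $\pi$ and Verify are out of scope.

```python
import secrets

p, q = 1009, 1013                  # toy primes (constructed, insecure); sk = p
N = p * q

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def setup():
    """Return (P, g, h): g has order N in Z_P^*, h = u^q has order p."""
    c = 2
    while not is_prime(c * N + 1):  # smallest prime P = c*N + 1, so N | P - 1
        c += 2
    P, found, a = c * N + 1, [], 2
    while len(found) < 2:           # first two elements of order exactly N
        e = pow(a, c, P)
        if pow(e, p, P) != 1 and pow(e, q, P) != 1:
            found.append(e)
        a += 1
    g, u = found
    return P, g, pow(u, q, P)

P, g, h = setup()

def enc(m):
    """Enc(pk, m): c = g^m * h^r for random r in Z_N."""
    return pow(g, m, P) * pow(h, secrets.randbelow(N), P) % P

def dec(c):
    """Dec(sk, c): the m in F_q with c^p = (g^p)^m, by exhaustive search."""
    target, base, acc = pow(c, p, P), pow(g, p, P), 1
    for m in range(q):
        if acc == target:
            return m
        acc = acc * base % P
    raise ValueError("not an encryption of an element of F_q")

def cloud_matvec(M, sigma):
    """Cloud: rho_i = prod_j sigma_j^{M_ij} = Enc(sum_j M_ij * x_j)."""
    rho = []
    for row in M:
        acc = 1
        for m_ij, s_j in zip(row, sigma):
            acc = acc * pow(s_j, m_ij, P) % P
        rho.append(acc)
    return rho

def demo():
    M = [[3, 1, 4], [1, 5, 9], [2, 6, 5]]   # constructed sample matrix
    x = [7, 0, 11]                           # constructed sample input
    sigma = [enc(xj) for xj in x]            # client encrypts x
    return [dec(r) for r in cloud_matvec(M, sigma)]   # client decrypts Mx
```

Decryption works because $h$ has order $p$, so raising a ciphertext to $p$ removes the blinding factor and leaves $(g^p)^m$, which determines $m$ modulo $q$.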
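Polynomial Evaluation (No Input Privacy)

- $\mathrm{KeyGen}(1^\lambda, f)$: Pick $\Gamma_2 = (N, G_1, G_2, e, g_1, g_2)$, $s \leftarrow \mathbb{Z}_N$, $t = g_1^{f(s)}$; public key $pk = (\Gamma_2, g_1^{s}, \ldots, g_1^{s^n}, f)$; secret key $sk = s$.
- $\mathrm{ProbGen}(sk, \alpha)$: output $\sigma = \alpha$, $\tau = \bot$;
- $\mathrm{Compute}(pk, \sigma)$: compute $c(x)$ such that $f(x) - f(\alpha) = (x - \alpha) c(x)$; compute and output $y = f(\alpha)$ and $\pi = g_1^{c(s)}$;
- $\mathrm{Verify}(sk, \tau, \rho, \pi)$: check whether $e(t / g_1^{y}, g_1) = e(g_1^{s - \alpha}, \pi)$
- Privacy: no privacy; Security: MSDH ($k = 2$)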
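Polynomial Evaluation (Input Privacy)

- $\mathrm{KeyGen}(1^\lambda, f(x))$: $f(x) = f_0 + f_1 x + \cdots + f_n x^n$; $k = \log(n+1)$
  - $\Gamma \leftarrow \mathcal{G}(1^\lambda, 2k+1)$, $s \leftarrow \mathbb{Z}_N$, $t = g_1^{f(s)}$; $u \leftarrow G_1$, $h = u^q$;
  - $sk = (p, q, s, t)$, $pk = (\Gamma, h, g_1^{s}, \ldots, g_1^{s^{2^{k-1}}}, f)$.
- $\mathrm{ProbGen}(sk, \alpha)$:
  - pick $r_l \leftarrow \mathbb{Z}_N$ and compute $\sigma_l = g_1^{\alpha^{2^{l-1}}} h^{r_l}$ for $l \in [k]$
  - $\sigma = (\sigma_1, \ldots, \sigma_k)$, $\tau = \bot$.
- $\mathrm{Compute}(pk, \sigma)$: output $\rho = \mathrm{Enc}(f(\alpha))$, $\pi = \mathrm{Enc}(c(s))$
- $\mathrm{Verify}(sk, \tau, \rho, \pi)$:
  - compute $y \in \mathbb{Z}_q$ such that $\rho^p = (g_k^p)^y$
  - check if $e(t / g_1^{y}, g_{2k}^{p}) = e(g_1^{s - \alpha}, \pi^p)$
- Privacy: SDA; Security: MSDH ($2k + 1$)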
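Polynomial Evaluation (Input and Function Privacy)

- $\mathrm{KeyGen}(1^\lambda, f(x))$:
  - $\Gamma$, $s \leftarrow \mathbb{Z}_N$, $t = g_1^{f(s)}$; $u \leftarrow G_1$, $h = u^q$; $v_i \leftarrow \mathbb{Z}_N$, $\gamma_i = g_1^{f_i} h^{v_i}$;
  - $sk = (p, q, s, t)$; $pk = (\Gamma, h, g_1^{s}, \ldots, g_1^{s^{2^{k-1}}}; \gamma_0, \ldots, \gamma_n)$.
- $\mathrm{ProbGen}(sk, x)$: $\sigma = (\sigma_1, \ldots, \sigma_k)$ and $\tau = \bot$;
  - $r_l \leftarrow \mathbb{Z}_N$, $\sigma_l = g_1^{\alpha^{2^{l-1}}} h^{r_l}$ for every $l \in [k]$
- $\mathrm{Compute}(pk, \sigma)$: output $\rho = \mathrm{Enc}(f(\alpha))$ and $\pi = \mathrm{Enc}(c(s))$
- $\mathrm{Verify}(sk, \tau, \rho, \pi)$:
  - compute $y \in \mathbb{Z}_q$ such that $\rho^p = (g_{k+1}^p)^y$
  - check if $e(t / g_1^{y}, g_{2k+1}^{p}) = e(g_1^{s - \alpha}, \pi^p)$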
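PRF with Closed-Form Efficiency

A construction based on the 3-Linear assumption:
- $\Gamma \leftarrow \mathcal{G}(1^\lambda, 3)$; $A_j, B_j, C_j \leftarrow G_1$, $\alpha_i, \beta_i, \gamma_i \leftarrow \mathbb{Z}_N$
- $F_K : [n]^2 \to G_1$, $(i, j) \mapsto A_j^{\alpha_i} B_j^{\beta_i} C_j^{\gamma_i}$

Closed-form efficiency:
- $\mathrm{Comp}_i = \prod_{j=1}^{n} F_K(i, j)^{x_j}$ ($i \in [n]$)
- $A = \prod_{i=1}^{n} A_i^{x_i}$, $B = \prod_{i=1}^{n} B_i^{x_i}$, $C = \prod_{i=1}^{n} C_i^{x_i}$
- $\mathrm{Comp}_i = A^{\alpha_i} B^{\beta_i} C^{\gamma_i}$ for every $i \in [n]$

Introduced by Benabbas, Gennaro and Vahlis [BGV]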
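
The closed-form shortcut above, as an added example that is not from the slides: it computes every $\mathrm{Comp}_i$ both ways and counts group exponentiations. It assumes $\mathbb{Z}_P^*$ for a fixed prime $P$ as a stand-in for $G_1$ (the identity holds in any abelian group), and the key field names are illustrative.

```python
import secrets

P = 2**61 - 1           # Mersenne prime; Z_P^* stands in for G_1 (assumption)
exps = 0                # running count of group exponentiations

def gexp(base, e):
    global exps
    exps += 1
    return pow(base, e, P)

def keygen(n):
    """K = (A_j, B_j, C_j; alpha_i, beta_i, gamma_i), sampled at random."""
    elems = lambda: [secrets.randbelow(P - 2) + 2 for _ in range(n)]
    expos = lambda: [secrets.randbelow(P - 1) for _ in range(n)]
    return dict(A=elems(), B=elems(), C=elems(),
                al=expos(), be=expos(), ga=expos())

def F(K, i, j):
    """F_K(i, j) = A_j^alpha_i * B_j^beta_i * C_j^gamma_i."""
    return (gexp(K["A"][j], K["al"][i]) * gexp(K["B"][j], K["be"][i])
            * gexp(K["C"][j], K["ga"][i])) % P

def comp_naive(K, x):
    """Comp_i = prod_j F_K(i, j)^{x_j}, evaluating the PRF n^2 times."""
    out = []
    for i in range(len(x)):
        acc = 1
        for j, xj in enumerate(x):
            acc = acc * gexp(F(K, i, j), xj) % P
        out.append(acc)
    return out

def comp_closed(K, x):
    """A, B, C are built once from x; then Comp_i = A^al_i B^be_i C^ga_i."""
    A = B = C = 1
    for j, xj in enumerate(x):
        A = A * gexp(K["A"][j], xj) % P
        B = B * gexp(K["B"][j], xj) % P
        C = C * gexp(K["C"][j], xj) % P
    return [gexp(A, a) * gexp(B, b) * gexp(C, c) % P
            for a, b, c in zip(K["al"], K["be"], K["ga"])]

def compare(n=8):
    """Return (results equal?, exponentiations naive, exponentiations closed)."""
    global exps
    K, x = keygen(n), [secrets.randbelow(1000) for _ in range(n)]
    exps = 0; slow = comp_naive(K, x); cost_naive = exps
    exps = 0; fast = comp_closed(K, x); cost_closed = exps
    return slow == fast, cost_naive, cost_closed
```

The naive route costs $4n^2$ exponentiations and the closed form $6n$, which is why the client can afford to compute the products $\prod_j F_K(i,j)^{x_j}$ itself.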
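Matrix Multiplication (Input Privacy)

- $\mathrm{KeyGen}(1^\lambda, M)$:
  - Pick $\Gamma$, $K$ and $a \leftarrow \mathbb{Z}_N$; $T_{ij} = g_1^{p^2 a M_{ij}} \cdot F_K(i, j)$ for $(i, j) \in [n]^2$
  - Pick $u \leftarrow G_1$, $h = u^q$; $sk = (p, q, K, a)$; $pk = (\Gamma, h, M, T)$
- $\mathrm{ProbGen}(sk, x)$: $\sigma = (\sigma_1, \ldots, \sigma_n)$, $\tau = (\tau_1, \ldots, \tau_n)$
  - $r_j \leftarrow \mathbb{Z}_N$, $\sigma_j = g_1^{x_j} h^{r_j}$, $\tau_i = e\left(\prod_{j=1}^{n} F_K(i, j)^{x_j}, g_2^{p}\right)$ ($i, j \in [n]$)
- $\mathrm{Compute}(pk, \sigma)$: compute $\rho_i = \prod_{j=1}^{n} \sigma_j^{M_{ij}}$ and $\pi_i = \prod_{j=1}^{n} e(T_{ij}, \sigma_j)$ for $i \in [n]$
- $\mathrm{Verify}(sk, \tau, \rho, \pi)$:
  - compute $y_i$ s.t. $\rho_i^p = (g_1^p)^{y_i}$ and verify if $e(\pi_i, g_1^p) = g_3^{p^3 a y_i} \cdot \tau_i$
  - output $y = (y_1, \ldots, y_n)$ if the 2nd equality holds for $i \in [n]$
- Privacy: SDA; Security: 3-Linear and 3-MDDH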
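Matrix Multiplication (Input and Function Privacy)

- $\mathrm{KeyGen}(1^\lambda, M)$:
  - $\Gamma$, $K$ and $a \leftarrow \mathbb{Z}_N$; $T_{ij} = g_1^{p^2 a M_{ij}} \cdot F_K(i, j)$; $u \leftarrow G_1$, $h = u^q$
  - $v_{ij} \leftarrow \mathbb{Z}_N$, $\gamma_{ij} = g_1^{M_{ij}} h^{v_{ij}}$
  - $sk = (p, q, K, a)$ and $pk = (\Gamma, h, \gamma, T)$
- $\mathrm{ProbGen}(sk, x)$: output $\sigma = (\sigma_1, \ldots, \sigma_n)$, $\tau = (\tau_1, \ldots, \tau_n)$
  - $r_j \leftarrow \mathbb{Z}_N$, $\sigma_j = g_1^{x_j} h^{r_j}$; $\tau_i = e\left(\prod_{j=1}^{n} F_K(i, j)^{x_j}, g_2^{p}\right)$ ($(i, j) \in [n]^2$)
- $\mathrm{Compute}(pk, \sigma)$: output $\rho = (\rho_1, \ldots, \rho_n)$, $\pi = (\pi_1, \ldots, \pi_n)$
  - $\rho_i = \prod_{j=1}^{n} e(\gamma_{ij}, \sigma_j)$; $\pi_i = \prod_{j=1}^{n} e(T_{ij}, \sigma_j)$
- $\mathrm{Verify}(sk, \tau, \rho, \pi)$:
  - compute $y_i$ s.t. $\rho_i^p = (g_2^p)^{y_i}$ and check if $e(\pi_i, g_1^p) = \eta^{p y_i} \cdot \tau_i$
  - output $y = (y_1, \ldots, y_n)$ if the 2nd equality holds for $i \in [n]$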
Applications: Private Information Retrieval

- Private information retrieval [CGKS95,KO97]: a client $C$ holding an index $i$ sends a query to a server $S$ holding $x = x_1 x_2 \cdots x_n$, and the answer lets $C$ recover $x_i$
- PIR server computation is intensive → outsourcing
- Solution 1: using the scheme for polynomial evaluation
  - $f(x) = f_0 + f_1 x + \cdots + f_n x^n$, where $f(i) = D_i$ for $i \in [n]$
  - $\alpha = i$ for retrieving $D_i$
- Solution 2: using the scheme for matrix multiplication
  - $D$ is considered as a matrix $M = (M_{uv})$, $i \leftrightarrow (u, v)$
  - $\alpha = (\alpha_1, \ldots, \alpha_n)$ is the $v$th unit vector ($\alpha_v = 1$, all other entries $0$)
Comparisons and Future Work

- [GGP0]: FHE, Boolean circuits
- [BF]: FHE, FEs that compute MACs (hard to realize)
- [PRV2]: Attribute-hiding KP-ABE, Boolean formulas
- This work: FHE-free; no Boolean circuits or formulas
- Future work: multilinear map-based VC schemes with special properties such as public verification, public delegation, multi-function delegation
Thank you!