##
###
Efficient and Secure Evaluation of Multivariate Polynomials and Applications
[chapter]

Matthew Franklin, Payman Mohassel

2010
*
Lecture Notes in Computer Science
*

In this work, we design two-party and multiparty protocols for evaluating multivariate polynomials at participants' inputs with security against a malicious adversary who may corrupt all but one of the parties. Our protocols are round and communication efficient, and use the underlying cryptographic primitives in a black-box way. Our construction achieves optimal communication complexity for degree 2 and 3 polynomials. Our constructions can be used to securely and efficiently realize a wide
## more »

... e of functionalities. For instance, we demonstrate how our techniques lead to efficient protocols for secure linear algebra with security against malicious adversaries. Other applications include secure evaluation of DNF/CNF formulas, and conditional secret reconstruction (or conditional oblivious transfer) for a large family of condition functions. problems of interest in cryptography can be represented as such. Examples include, linear algebra computation, and conditional oblivious transfers or secret reconstruction. The efficiency criteria we consider when trying to answer the above question are: • Round, communication, computation. We require that the round, computation and communication complexity (in terms of the input size) of the protocol in the malicious model matches those of the best existing constructions (for realizing f ) in the semi-honest model. Note that this is the best we can hope for since malicious adversaries are strictly stronger than semi-honest ones. • Black-box use of the primitives. We aim for a black-box use of the underlying cryptographic primitives. Non-black-box techniques require parties to prove in zero-knowledge, statements that involve the computation of the underlying primitives. A black box construction, on the other hand, would make the number of invocations of the primitives independent of the complexity of implementing them. Furthermore, black-box constructions can potentially be instantiated based on a variety of computational assumptions. The existing techniques for defending against malicious adversaries fall short of giving a positive answer to the question we asked. Generic zero-knowledge compilers [10, 11] for transforming a protocol that is secure in the semi-honest model into one that is secure in the malicious model, require communication complexity that is polynomial in the computational complexity of the original semi-honest protocol. The only exception in this framework is the compiler of [25] based on sublinear-communication zero-knowledge techniques such as [20] , which preserves the communication complexity of the original semi-honest protocol up to a poly-logarithmic factor. This method, however, does not meet our efficiency criteria as it requires a non-black-box use of the primitives, and invokes inefficient procedures such as reductions to the circuit satisfiability problem and applications of the PCP theorem. A different line of research has focused on our second criteria for efficiency, i.e., a black-box use of the underlying primitives. This includes the variants of Yao's garbled circuit protocol in the malicious model such as [22, 13] in the twoparty case and works such as [17] [18] [19] in the multi-party case. Due to their generic nature, however, these constructions have communication complexities that are proportional to the size of the circuit being computed which, for many functions of interest (including multivariate polynomials), is higher than the best existing protocols in the semi-honest model. Our Results Let P be a multivariate polynomial of degree 3 in n variables and let k be a security parameter. Note that P can have as many as n 3 terms. In the semihonest model, the most efficient protocols for securely evaluating P at parties inputs require the communication of O(n) ciphertexts between the participants. In this paper, we design efficient two-party and multiparty protocols for the same task, with security against malicious adversaries: Two-party case. In the two-party setting, we design a protocol for this task that runs in a constant number of rounds and requires the communication of O(kn) − → V f inal is the Reed-Solomon encoding of output + ra where output is the final output of the protocol, i.e., polynomial P evaluated at parties' inputs. Alice uses a Reed-Solomon decoding algorithm (see Lemma 1) to unambiguously recover the final result (Note that the degree of the polynomial corresponding to the Reed-Solomon encoding of the output is 3d). 17. Bob receives his output: This is almost identical to Alice's strategy.

doi:10.1007/978-3-642-13708-2_15
fatcat:zrp7qxsdgbdsxmzmylxhfzdzum