Zhi Can, Qiang Li, Kefei Chen
Department of computer science and engineering Shanghai JiaoTong University
Shanghai 200030, China {gan-zhi, chen-kf}@cs.sjtu.edu.cn qiangl@sjtu.edu.cn
Abstract Equation solving is a important scientific computations that’s generally employed.
Solutions to this problem are widely used in many areas such as banking, man-ufacturing, electric engineering and telecommunications. However, the existing solutions do not extend to the privacy–preserving cooperative computation situ-ation, in which the equations are shared by multiple parties, who do not want to disclose their data to other parties.
In this paper, we formally define these specific privacy–preserving cooperative computation problems, and present protocols to solve them. Besides, a new multi–party protocol to handle computation over reals is presented.
Keywords: secure multi–party computation, equation solving
1. Introduction
The rapid development of distributed systems raised the natural question of what tasks can be securely performed. With the application of multi–party computation, cooperative computation could occur between mutually untrusted parties, or even between competitors.
In this paper, we introduce the privacy–preserving cooperative equation solv-ing(PPCES) problem. The general definition of the PPCES problem is that two or more parties want to solve an equation based on their private inputs, but neither party is willing to disclose its own input to anybody else(including a so–called trusted third party).
*This work was supported by NSFC under grants 90104005, 60273049.
Generally speaking, a secure multi–party computation problem deals with computing a function on any input, in a distributed network where each partic-ipant holds one of the inputs, ensuring that no more information is revealed to a participant in the computation than can be computed from that participant’s input and output. The history of the multi–party computation problem is ex-tensive since it was introduced by Yao [2]and extended by Goldreich, Micali, and Wigderson[8], and by many others.
In theory, the general secure multi–party computation problem is solvable using circuit evaluation protocol[2, 8, 7]. In the circuit evaluation protocol, each functionality F is represented as a Boolean circuit, and then the parties run a protocol for every gate in the circuit. While this approach is appealing in its generality, the communication complexity of the protocol it generates depends on the size of the circuit that expresses the functionality F to be computed, and in addition, involves large constant factors in their complexity. Therefore, as Goldreich points out in [7], using the solutions derived by these general results for special cases of multi–party computation can be impractical; special solutions should be developed for special cases for efficiency reasons[10, 4].
This is our motivation of seeking special solutions to equation solving problems, solutions that are more efficient than the general theoretical solutions.
There are several ways to share an equation. Depending on how such an equation is shared by Alice and Bob, or in another word how Alice and Bob cooperate with each other, the problems could appear in a variety of forms.
Table 1 describes two different types of cooperation.
2.
Approximately Multi–party Computation over Reals
All we known existed methods deal with computation in a finite field[3, 2, 1, 7, 9]. We now present a multi–party protocol over reals based on verifiable secret sharing scheme[5]. Every function over reals of inputs can be efficiently computed by a complete network of participates. And if no faults occur, no set of size of players gets any additional information. Even if Byzantine faults are allowed, no set of size can either disrupt the computation or get additional information. As Gennaro points out in [6], multi–
party computation can be efficiently performed in Then a natural idea is to find a way to code real number into a element of and decode field
Privacy-Preserving Approximately Equation Solving over Reals 147 element to real number, then we can perform approximate computing over reals.
For example, we can employ following conversion rule between field element F and real number R:
1
2
3
Select an adequate prime which is large enough to serve following computations. Public parameter should satisfy the condition that is greater than any of the inputs, temporary results and final results.
According to required accuracy, Alice and Bob select another public parameter as the conversion rate between real number and field element.
For example, if error should be controlled in the range of should be
Using following function to encode real number:
where [ ] means the nearest integer function.
4 Using following function to decode:
After conversion, three operations–addition, subtraction and multiplication–
can be securely conducted in finite field[5]. When multiplication is mixed with other operations, then conversion rate should be adjusted. For example, if we
want to securely compute we compute over
finite field.
What we should think about carefully is division operation. Division over reals is completely different than over finite field. Assume and are shared by Alice and Bob, then can be computed as following:
1 2 3 4
Alice selects random number and shares it with Bob. Bob selects random number and shares it with Alice.
Alice and Bob now jointly compute and publish
Since is published, Alice and Bob can compute and share
Alice and Bob now jointly compute which is the final result.
There is a problem in above protocol. Since is published, then must be a factor of Therefore Alice and Bob get some information about
It’s a violation to security requirements of secure multi–party computation.
We provide a modified version to deal with this problem.
1
2 3 4
Alice selects two random number and shares it with Bob. And Bob selects two random number and shares it with Alice, and are real numbers in the range of
Alice and Bob now jointly compute and publish
Since is published, Alice and Bob can compute and share
Alice and Bob now jointly compute which is the final result.
In above protocol, and are small enough to keep the accuracy of calculation.
The new protocol is secure and can be easily modified to serve any number of participates. Here is some sample text.
3. Secure Multi–Party Equation Solving Problems and Protocols
Newton–Raphson Method is a root–finding algorithm which uses the first few terms of the Taylor series of a function in the vicinity of a suspected root to zero in on the root. For a polynomial, Newton’s method is essentially the same as Horner’s method. The Taylor series of about the point
is given by
Keeping terms only to first order,
This expression can be used to estimate the amount of offset needed to land closer to the root starting from an initial guess Setting and solving (4) for gives
which is the first–order adjustment to the root’s position. By letting calculating a new and so on, the process can be repeated until it converges to a root using
When the method converges, it does so quadratically.
Privacy-Preserving Approximately Equation Solving over Reals 149 In a multi-party environment, after selecting adequate we can solve equa-tion using Newton-Raphson method if we can compute out and on arbitrary In both the two cases listed in Table 1, we can easily compute the function results and their derivatives.
In the first case, Alice has Bob has and they want to solve equation where is a function of two inputs and uses only addition, subtraction, division, and multiplication operations. And can be securely computed as following:
where Alice can privately computes and Bob can privately computes Then we can use Newton–Raphson method to solve the equation In the second case, Alice has Bob has and they want to solve equation where is a polynomial function. Let
Since we limit to be a polynomial function, and can be securely computed out. And can be computed as following:
After initial value of is selected, participants can perform multi–party computation continuously until the approximate result is found. The whole computation process can be divided several iterations. And each iteration is composed of two phases: a checking phase and a computing phase. In checking phase, all participates check together if resides in If the answer is true, then is the approximate root of equation. Else, the computing phase is performed. In this phase, all participates compute together to get
For some equations, Newton–Raphson method can’t converge into right an-swer. We can employ other methods such as bisection method to deal with such situation. In fact, we found bisection method can deal with much more kinds of one–dimensional equations than Newton–Raphson method in multi-party computation scenario. But bisection method has shortcomings too. It’s well–known that bisection method can’t be used to resolve multi–dimensional problem, and it’s much slower than Newton–Raphson method. So we still choose Newton–Raphson method as the default one.
4. Summary and Future Work
In this paper, we provide a new multi–party computation protocol over reals.
Through encoding real number into member of a finite field, addition, subtrac-tion and multiplicasubtrac-tion can be done in a very simple way. And we can easily
know that the addition, subtraction, and multiplication protocols are as secure as Gennaro’s protocol[6]. The division is done in a much complexer way.
We also studied the problem of equation solving in a cooperative environment where neither of the cooperating parties wants to disclose its private data to the other party. Our preliminary work has shown that this problem, the secure multi–party equation solving problem, could be solved in a way more efficient than the general circuit evaluation approach.
Apart from those basic equations studied in this paper, many other types of equations are also used in practice. A future direction would be to study more complicated equation solving problems.
Abe, M. (1999). Mix-networks on permutation networks. In ASIACRYPT’99, pages 258–
273.
A.C.Yao (1982). Protocols for secure computations. In In Proc. 23rd IEEE Symp. On the Foundation of Computer Science, pages 160–164. IEEE.
Cramer, R., Damgård, I., and Maurer, U. (2000). General secure multi-party computation from any linear secret-sharing scheme. Lecture Notes in Computer Science, 1807:316–??
Du, W. and Atallah, M. J. (2001). Privacy-preserving statistical analysis. In Proceedings of the 17th Annual Computer Security Applications Conference, pages 102–110, New Orleans, Louisiana, USA.
Feldman, P. (1987). A practical scheme for non-interactive verifiable secret sharing. In 28th FOCS, pages 427–437.
Gennaro, R., Rabin, M., and Rabin, T. (1998). Simplified VSS and fast-track multiparty computations with applications to threshold Cryptography. In Proceedings of the 1998 ACM Symposium on Principles of Distributed Computing, pages 101–111.
Goldreich, O. (2000). Secure multi-party computation. Working Draft.
Goldreich, O., Micali, S., and Wigderson, A. (1987). How to play any mental game. In In Proceedings of the 19th Annual ACM Symposium on Theory of Computing, pages 218–229.
Matthew, Franklin, and Habert, S. (1996). Joint encryption and message–efficient secure computation. Journal of Cryptology, 9(4):217–232.
W.Du and Atallah, M. J. (2001). Privacy-preserving cooperative scientific computations.
In 14th IEEE Computer Security Foundations Workshop, pages 273–282, Nova Scotia, Canada.