An Efficient and Provably Secure Private Polynomial Evaluation Scheme

Abstract

Private Polynomial Evaluation (PPE) allows the service provider to outsource the computation of a polynomial to some third party (e.g. the Cloud) in a verifiable way. And meanwhile, the polynomial remains hidden to the clients who are able to query the service. In ProvSec 2017, Bultel et al. have presented the formal security definitions for PPE, including polynomial protection (PP), proof unforgeability (UNF) and indistinguishability against chosen function attack (IND-CFA). They have introduced a PPE scheme that satisfies all these properties, and they have also shown that a polynomial commitment scheme in Asiacrypt 2010, called \(\mathsf {PolyCommit_{Ped}}\), enjoys these properties as well. In this paper, we introduce another provably secure PPE scheme, which not only has computational advantages over these two existing ones, but also relies on a much weaker security assumption. Moreover, we further explore how our PPE scheme can be implemented in the distributed fashion, so that a number of third parties jointly respond to the query but none of them could learn the polynomial unless they all collude.

Appendices

Appendix A – \(\mathsf {PolyCommit_{Ped}}\)

The \(\mathsf {PolyCommit_{Ped}}\) scheme [15] contains four algorithms (Setup, Init, Compute, Verif), and it works as follows:

• Setup: This algorithm is operated by a trusted party. Given the security parameter \(\lambda \), it generates two cyclic groups G and \(G_T\) with prime order p such that there exists a symmetric bilinear pairing \(\hat{e}: G \times G \rightarrow G_T\). It also chooses two generators g and h of G such that \(\log _gh\) is unknown. Moreover, it selects \(\alpha {\mathop {\leftarrow }\limits ^{R}} \mathbb {Z}_p^*\) and sets \(\mathsf {params} = (G, G_T, p, \hat{e}, g, h, (g^{\alpha }, \ldots , g^{\alpha ^k}), (h^{\alpha }, \ldots , h^{\alpha ^k}))\).

• Init: For the secret polynomial \(f(z) = a_0 + a_1z + \ldots + a_kz^k\), the service provider chooses a random polynomial \(f'(z) = b_0 + b_1z + \ldots + b_kz^k\) over \(\mathbb {Z}_p^*\) with degree k. It computes the commitment \(C = \prod _{i=0}^k (g^{\alpha ^i})^{a_i}(h^{\alpha ^i})^{b_i} = g^{f(\alpha )}h^{f'(\alpha )}\) and sets \(\mathsf {vk} = C\).

• Compute: Once receiving the client’s input x. The third party computes \(y = f(x)\) and \(y' = f'(x)\). Moreover, it computes \(\phi (z) = \frac{f(z) - f(x)}{z - x} = \sum _{i=0}^k \delta _i z^i\) and \(\phi '(z) = \frac{f'(z) - f'(x)}{z - x} = \sum _{i=0}^k \sigma _i z^i\). It further computes \(w = \prod _{j=0}^k (g^{\alpha ^j})^{\delta _j}(h^{\alpha ^j})^{\sigma _j} = g^{\phi (\alpha )}h^{\phi '(\alpha )}\). It sets the proof as \(\pi = (x, y', w)\) and returns \((y, \pi )\) to the client.

• Verif: The client verifies whether \(\hat{e}(C, g) = \hat{e}(w, g^{\alpha - x}) \hat{e}(g^{f(x)}h^{g'(x)}, g)\). If this equation holds, the client outputs 1, and outputs 0 otherwise.

Appendix B – Bultel’s PPE Scheme

The Bultel’s PPE scheme [6] also contains four algorithms (Setup, Init, Compute, Verif) as follows:

• Setup: Given the security parameter \(\lambda \), the service provider generates a group G with prime order p and a generator g for the group. It chooses a hash function \(\mathsf {H}: \{0, 1\}^* \rightarrow \mathbb {Z}_p^*\), and it sets \(\mathsf {params} = (G, p, g, \mathsf {H})\). Note that the hash function is only used to generate non-interactive zero-knowledge proofs.

• Init: For the secret polynomial \(f(z) = a_0 + a_1z + \ldots + a_kz^k\), the service provider picks \(\mathsf {sk} {\mathop {\leftarrow }\limits ^{R}} \mathbb {Z}_p^*\) and computes \(\mathsf {pk} = g^{\mathsf {sk}}\). For \(i = 0, 1, \ldots , k\), it picks \(r_i {\mathop {\leftarrow }\limits ^{R}} \mathbb {Z}_p^*\) and computes \(c_i = g^{r_i}\) and \(d_i = \mathsf {pk}^{r_i} g^{a_i}\). Note that \((c_i, d_i)\) is an ElGamal ciphertext encrypting the commitment \(g^{a_i}\). Finally, it sets \(\mathsf {vk} = (\{c_i, d_i\}_{0 \le i \le k}, \mathsf {pk})\).

• Compute: Once receiving the client’s input x, the third party computes \(y = f(x)\). It also computes \(c = \prod _{i=0}^k (c_i)^{x^i} = \prod _{i=0}^k g^{r_i \cdot x^i} = g^{r(x)}\) and \(d = \prod _{i=0}^k (d_i)^{x^i} = (\prod _{i=0}^k h^{r_i \cdot x^i}) \cdot (\prod _{i=0}^k g^{a_i \cdot x^i}) = h^{r(x)}g^{f(x)}\) for some polynomial \(r(x) = \sum _{i=0}^k r_i \cdot x^i\). Moreover, it generates a non-interactive zero-knowledge proof \(\pi \) that (c, d) is an ElGamal ciphertext encrypting \(g^{f(x)}\). Finally, it return \((y, \pi )\) to the client.

• Verif: Using params and vk, the client can also compute (c, d). Then, she can verify whether \(\pi \) is a valid non-interactive zero-knowledge proof such that (c, d) encrypts \(g^y\). If the verification satisfies, the client outputs 1, and outputs 0 otherwise.