Abstract

An $(n,m,t)$-homomorphic secret sharing (HSS) scheme for a function family $\cal F$ allows $n$ clients to share their data $x_{1}, \ldots ,x_{n}$ among $m$ servers and then distribute the computation of any function $f\in {\cal F}$ to the servers such that: (i) any $t$ colluding servers learn no information about the data; (ii) each server is able to compute a partial result and $f(x_{1}, \ldots ,x_{n})$ can be reconstructed from the servers' partial results. HSS schemes cannot guarantee correct reconstruction if some servers are malicious and provide wrong partial results. Recently, verifiable HSS (VHSS) has been introduced to achieve an additional property: (iii) any $t$ colluding servers cannot persuade the client(s) to accept their partial results and reconstruct a wrong value. Property (iii) is usually achieved by the client verifying the servers' partial results. A VHSS scheme is compact if the verification is substantially faster than locally computing $f(x_{1},\ldots ,x_{n})$.
Of the existing VHSS schemes for polynomials, some are not compact; the others are compact but impose a very heavy workload on the servers, even for low-degree polynomials (e.g., they are at least 4000× slower than the existing HSS schemes when evaluating polynomials of degree $\leq 5$, which have many applications such as privacy-preserving machine learning). In this paper, we propose both a single-client VHSS (SVHSS) model and a multi-client VHSS (MVHSS) model. Our SVHSS allows a client to use a secret key to share its data among servers; our MVHSS allows multiple clients to share their data with a public key. For any integers $m,t>0$, we construct both an $(m,t)$-SVHSS scheme and an $(m,t)$-MVHSS scheme that satisfy properties (i)-(iii). Our constructions are based on level-$k$ homomorphic encryptions. The $(m,t)$-SVHSS and $(m,t)$-MVHSS are compact and allow the computation of degree-$d$ polynomials for $d\leq ((k+1)m-1)/t$ and $d\leq ((k+1)(m-t)-1)/t$, respectively. Experiments show that our schemes are much more efficient than the existing compact VHSS for low-degree polynomials.
For example, to compute polynomials of degree $\leq 5$, our MVHSS scheme is at least 420× faster. By applying SVHSS and MVHSS, we may add verifiability to privacy-preserving machine learning (PPML) algorithms. Experiments show that the resulting schemes are at least 52× and 20× faster than the existing verifiable PPML schemes.
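As an added illustration (not code from the paper, and not its SVHSS/MVHSS construction), the sketch below uses classical Shamir sharing as a plain, unverified HSS for a degree-$d$ polynomial, which reconstructs when $dt \leq m-1$, and shows that one altered partial result silently changes the output, the gap that property (iii) closes. The field modulus, the sample polynomial and all function names are assumptions chosen for the example.

```python
import secrets

P = 2**61 - 1  # prime field modulus (constructed parameter)

def share(x, m, t):
    """Shamir-share x among servers 1..m using a random degree-t polynomial.
    Any t shares are jointly independent of x (property (i))."""
    coeffs = [x % P] + [secrets.randbelow(P) for _ in range(t)]
    return [sum(c * pow(j, e, P) for e, c in enumerate(coeffs)) % P
            for j in range(1, m + 1)]

def lagrange_at_zero(points):
    """Interpolate through the points (j, y_j) and return the value at 0."""
    total = 0
    for j, y in points:
        num = den = 1
        for k, _ in points:
            if k != j:
                num = num * (-k) % P
                den = den * (j - k) % P
        total = (total + y * num * pow(den, -1, P)) % P
    return total

def f(x1, x2, x3):
    """Sample degree-2 polynomial (hypothetical workload)."""
    return (x1 * x2 + 3 * x3 * x3 + x1) % P

def run(inputs, m, t, d, tamper=None):
    """Property (ii): each server evaluates f on its own shares only, and the
    client interpolates the m partial results at 0.
    tamper=(server_index, delta) models one malicious server."""
    if d * t > m - 1:
        raise ValueError("plain Shamir HSS needs d*t <= m-1 to reconstruct")
    per_input = [share(x, m, t) for x in inputs]
    partial = [f(*(s[j] for s in per_input)) for j in range(m)]
    if tamper is not None:
        server, delta = tamper
        partial[server] = (partial[server] + delta) % P
    return lagrange_at_zero(list(enumerate(partial, start=1)))

if __name__ == "__main__":
    data = (5, 7, 11)                           # constructed sample inputs
    print(run(data, m=5, t=2, d=2))             # honest servers
    print(run(data, m=5, t=2, d=2, tamper=(3, 1)))  # one wrong partial result
```

With no verification step, the client has no way to tell the second output from a correct one.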
