Verifiable Private Polynomial Evaluation

  • Xavier Bultel
  • Manik Lal Das
  • Hardik Gajera
  • David Gérault
  • Matthieu Giraud (corresponding author)
  • Pascal Lafourcade
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10592)


Delegating the computation of a polynomial to a server in a verifiable way is challenging. An even more challenging problem is ensuring that this polynomial remains hidden from clients who are able to query such a server. In this paper, we formally define the notion of Private Polynomial Evaluation (PPE). Our main contribution is to design a rigorous security model along with relations between the different security properties. We define polynomial protection (\(\textsf{PP}\)), proof unforgeability (\(\textsf{UNF}\)), and indistinguishability against chosen function attack (\(\textsf{IND}\text{-}\textsf{CFA}\)), which formalizes the resistance of a PPE against attackers trying to guess which polynomial is used among two polynomials of their choice. As a second contribution, we give a cryptanalysis of two PPE schemes from the literature. Finally, we design a PPE scheme called \(\mathsf{PIPE}\) and we prove that it is \(\textsf{PP}\)-, \(\textsf{UNF}\)- and \(\textsf{IND}\text{-}\textsf{CFA}\)-secure under the decisional Diffie-Hellman assumption in the random oracle model.
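To make the \(\textsf{IND}\text{-}\textsf{CFA}\) notion concrete, the following is an added illustration and not code from the paper: it implements a naive PPE in which the server publishes Feldman-style commitments \(g^{a_i}\) to the coefficients of its polynomial and the client checks each returned evaluation against them. This toy scheme is verifiable (a wrong evaluation is rejected) but, because the commitment is deterministic, an adversary who chose the two candidate polynomials can recompute both commitments and tell which one the server holds, so it fails \(\textsf{IND}\text{-}\textsf{CFA}\). It is not the paper's \(\mathsf{PIPE}\) scheme. The group parameters, sample polynomials and query point are constructed toy values chosen for readability.

```python
# Added illustration (not code from the paper): a naive "commit to the
# coefficients" PPE built from Feldman-style commitments. It is verifiable,
# but the commitment is deterministic, so it fails the IND-CFA notion the
# abstract defines. The paper's PIPE scheme is NOT reproduced here.
# Group parameters are constructed toy values: p = 2q + 1 is a safe prime
# and g = 4 generates the order-q subgroup of Z_p^*. Real deployments use
# 2048-bit (or larger) groups; this size is for a readable demo only.
P = 1019
Q = 509
G = 4


def evaluate(poly, x):
    """Server side: evaluate f(x) = sum a_i x^i over Z_q by Horner's rule.
    `poly` lists coefficients a_0, a_1, ..., a_d."""
    y = 0
    for a in reversed(poly):
        y = (y * x + a) % Q
    return y


def commit(poly):
    """Server side: publish C_i = g^{a_i} for every coefficient a_i.
    Deterministic: the same polynomial always yields the same commitment."""
    return [pow(G, a, P) for a in poly]


def verify(commitment, x, y):
    """Client side: accept (x, y) iff g^y == prod_i C_i^{x^i} in Z_p^*.
    The client never sees the a_i, only the C_i, and holds no secret."""
    lhs = pow(G, y, P)
    rhs = 1
    x_pow = 1  # x^i reduced mod q, valid because g has order q
    for c in commitment:
        rhs = rhs * pow(c, x_pow, P) % P
        x_pow = x_pow * x % Q
    return lhs == rhs


def ind_cfa_adversary(commitment, f0, f1):
    """IND-CFA game as described in the abstract: the adversary chose f0 and
    f1, the challenger committed to f_b. Because `commit` is deterministic,
    the adversary recomputes both candidates and compares, guessing b with
    probability 1. A scheme meeting IND-CFA must make this comparison
    useless, e.g. by hiding (randomising) what the client learns about f."""
    return 0 if commit(f0) == commitment else 1


def demo():
    """Return (honest_ok, forgery_rejected, adversary_wins) for the toy run."""
    f0 = [3, 1, 4]    # f0(x) = 3 + x + 4x^2, constructed sample
    f1 = [1, 5, 9]    # f1(x) = 1 + 5x + 9x^2, constructed sample
    c0 = commit(f0)
    x = 5             # constructed query point
    honest_ok = verify(c0, x, evaluate(f0, x))
    # A cheating server that returns y+1 is caught: the check fails.
    forgery_rejected = not verify(c0, x, (evaluate(f0, x) + 1) % Q)
    # The adversary distinguishes f0 from f1 regardless of the hidden bit.
    adversary_wins = (ind_cfa_adversary(c0, f0, f1) == 0 and
                      ind_cfa_adversary(commit(f1), f0, f1) == 1)
    return honest_ok, forgery_rejected, adversary_wins


if __name__ == "__main__":
    print(demo())
```

The point of the example is the gap between verifiability and privacy: the client-side check in `verify` needs nothing secret, yet the very data that makes the check possible is what `ind_cfa_adversary` exploits. Any scheme claiming \(\textsf{IND}\text{-}\textsf{CFA}\) has to break that link, which is the design problem the abstract sets out.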



This research was conducted with the support of the FEDER program of 2014–2020, the region council of Auvergne-Rhône-Alpes, the support of the “Digital Trust” Chair from the University of Auvergne Foundation, the Indo-French Centre for the Promotion of Advanced Research (IFCPAR) and the Center Franco-Indien Pour La Promotion De La Recherche Avancée (CEFIPRA) through the project DST/CNRS 2015-03 under DST-INRIA-CNRS Targeted Programme.



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Xavier Bultel (1)
  • Manik Lal Das (2)
  • Hardik Gajera (2)
  • David Gérault (1)
  • Matthieu Giraud (1), corresponding author
  • Pascal Lafourcade (1)
  1. Université Clermont Auvergne, CNRS, LIMOS, Clermont-Ferrand, France
  2. DA-IICT, Gandhinagar, India
