The present invention relates to the field of distributed computation. More specifically, the present invention relates to a system and method for performing secure multiparty computation of arithmetic streams and evaluation of functions in a single round of communication.
Cloud services for storage and computing has significant benefits in price, speed, and manageability and therefore, became very popular. Companies like Amazon, Google, Microsoft, IBM, etc., are offering storage devices and computing engines to both private users and organizations. However, such services require users to send their information to an untrusted third party. In some cases, the information held by a user is confidential and the distribution of the information to untrusted parties should be avoided.
One existing solution to this problem may be a cryptographic scheme that enables a user to upload encrypted data to the cloud, perform computations in the cloud over the encrypted data and retrieve the encrypted version of the desired result, as shown in
Other existing solutions are Secure MultiParty Computation (SMPC) schemes over a distributed system, as shown in
Other existing solutions are fully homomorphic encryption schemes, which suggest a centralized (rather than distributed) computationally secure solutions to the above mentioned problem. However, these solutions are only computationally secure (rather than information-theoretically secure) and are currently too slow to be used in practice.
Ben-Or, Goldwasser and Wigderson [BOGW88] showed that every function of N inputs can be efficiently computed by N participants with a threshold of N/2 in case of honest-but-curious participants, or N/3 in case of malicious participants. Their methods are based on Shamir's secret sharing scheme [Sha79] and their protocols require multiple rounds of communication, proportional to the depth of the arithmetic circuit. Substantial efforts have been spent to achieve a better communication complexity in such tasks. Bar-Ilan and Beaver [BIB89] were the first to suggest a way to evaluate functions in a constant number of rounds of communication, followed by further works that attempt to minimize communication complexity of SMPC protocols. Gennaro, Ishai, Kushilevitz and Rabin [GIKR02] proved that, in the presence of malicious participants, some functions do not admit SMPC protocols with less than three rounds of communication. Specifically, they have shown that the functions XOR2n and AND2n do not admit protocols of SMPC with only two rounds of communication, while assuming that malicious participants are present. Nonetheless, they have shown that functions that depend only on the inputs of a single participant can be securely computed in two rounds of communication. When relaxing the assumptions and considering honest-but-curious participants, the round complexity of general SMPC protocols is reduced to two rounds of communication [BOGW88,IK02].
It is therefore an object of present invention to provide a method and system for performing secure multiparty computation of arithmetic streams and functions, which requires one-round of communication.
It is another object of the present invention to provide a method and system for performing secure multiparty computation of arithmetic streams and functions, without decrypting the secrets during the course of the computation.
It is a further object of the present invention to provide a method and system for performing secure multiparty computation of arithmetic streams and functions, which is information-theoretically secure with a threshold of all active participants.
It is still another object of the present invention to provide a method and system for performing secure multiparty computation of arithmetic streams and functions, which can support boolean circuits.
It is yet another object of the present invention to provide a method and system for performing secure multiparty computation of arithmetic streams and functions, which is not saved as plaintext anywhere and keeps the computation state of the stream secure at all times.
Other objects and advantages of this invention will become apparent as the description proceeds.
A method for performing, in a single round of communication and by a distributed computational system, Secure MultiParty Computation (SMPC) of an arithmetic function ƒ:pk→p represented as a multivariate polynomial over secret shares for a user, comprising the steps of:
A method for performing, by a distributed computational system, Secure MultiParty Computation (SMPC) of a function ƒ:k→ over k non-zero elements S=(s1, . . . , sk)∈k, where the minimal multivariate polynomial representation of ƒ is
ƒ(x1, . . . ,xk)=Σl=(l
A method for performing, by a distributed computational system, Secure MultiParty Computation (SMPC) of a p-bounded arithmetic function ƒ:pk→p over k elements S=(s1, . . . , sk)∈pk, where the minimal multivariate polynomial representation of ƒ is
ƒ(x1, . . . ,xk)=Σl=(l
The l'th monomial may be evaluated by:
U
i
=l
0·(α1)i· . . . ·(αn)i.
In one aspect, the method further comprises the step of adding additive shares of two functions that ƒ1 and ƒ2 evaluated on S, held by the participants to obtain additive shares of ƒ1(S)+ƒ2(S).
In one aspect, the methods further comprises the step of calculating a linear combination if additive shares of an arbitrary number of functions ƒ1, . . . , ƒd evaluated on S, to obtain additive shares of ƒ1(S)+ƒ2(S)+ . . . +ƒd(S).
The SMPC of the product ƒ(S)·l0·s1l
Additive shares of the product ƒ(S)·l0·s1l
Switching from multiplicative shares of s to additive shares of sj is implemented using evaluation to perform SMPC of the function ƒ(x1, . . . , xk)=sj and switching from additive shares of sj to multiplicative shares of sj is implemented e for computing a product ƒ(S)·l0·s1l
In one aspect, some of the secret shares are zero.
The number of participants may be extended to n1 M.parties+n2 A.parties (n1, n2≥2) by:
Additive shares of the secret shared data may be produced from multiplicative shares of the secret shared data by shifting information from n1 M.parties to n2 A.parties according to the following steps:
m=Π
i=1
n
x
i
=x
1·Πi=2n
Multiplicative shares of the secret shared data may be produced from additive shares of the secret shared data by shifting information from n2 A.parties to n1 M.parties according to the following steps:
Secure MultiParty Computation (SMPC) of Boolean circuits may be computed by working in 2.
Secure MultiParty Computation (SMPC) of arithmetic functions over inputs held by k users (1), . . . , (k), each of whom is holding a set of secret values in p, may be performed by the following steps:
a. each of the users distributes shares of his secrets;
b. one of the users sends the relevant information to the other participants;
c. the participants send their outputs to all of the users; and
d. each of the users obtains the result of evaluating ƒ over the entire set of secrets by adding the outputs.
Arithmetic streams may be secured by performing, at each stage of computation, both addition and multiplication operations that yield the same result that are obtained by one of the operations.
If the information held by the user is m=(m1, . . . , mn)∈pn, an arithmetic function ƒ may be secured by the following steps:
In one aspect, the method further comprises the step of detecting incorrect outputs caused by malicious participants by repeating the same computations while using different sets of participants.
In one aspect, the method further comprises the step of detecting incorrect outputs caused by malicious participants by computing different representations of the same function.
In one aspect, the method further comprises the step of detecting incorrect outputs caused by malicious participants by computing the same circuit several times using the same n participants with different randomization in each computation and different representations of the same circuit in each iteration.
Functions may be evaluated over inputs being held by all of the participant.
In one aspect, the user may be one of the participants.
A computerized system for performing, in a single round of communication and by a distributed computational system, Secure MultiParty Computation (SMPC) of an arithmetic function ƒ:pk→p represented as a multivariate polynomial over secret shares for a user, comprising:
In the drawings:
as shown in
The present invention proposes efficient Secure MultiParty Computation (SMPC) schemes over secret shares in scenarios in which the secrets are elements of a finite field p, which are information-theoretically secure with a threshold of all active participants. Any function ƒ:pn→p is represented as a multivariate polynomial and the evaluation of ƒ is implemented in a single round of communication. The proposed SMPC schemes are based on partitioning secrets to sums or products of random elements of, p. Secrets are shared using either multiplicative shares, the product of which is the secret, or additive shares, that sum up to the secret. Sequences of additions of secrets are implemented locally by addition of local shares, which require no communication among participants. Sequences of multiplications of secrets are implemented locally by multiplication of local shares, which require no communication among participants. The shift to handle a sequence of additions from the execution of multiplications or vice versa is efficiently handled as well, with no need to decrypt the secrets in the course of the computation. The proposed schemes can also be used to support SMPC of boolean circuits (that perform boolean commutation, rather than arithmetic).
The present invention proposes several schemes for information-theoretically SMPC of arithmetic streams and for evaluation of arithmetic functions in a single round of communication.
In a first exemplary schemes for SMPC of arithmetic streams, two sets of participants are used by a dealer to securely outsource a computation of an arithmetic stream. The first set of participants consists of n1 M.parties, that locally handle sequences of multiplications, and the second set consists of n2 A.parties that locally handle sequences of additions. Switching from sequences of multiplications to sequences of additions and vice versa are made without decrypting the information. These schemes require the user to perform, practically, as much computational work as he would have needed to if computing the arithmetic stream on his hardware. The main purpose of these schemes is to keep the computation state of the stream secure at all time, not saved as plaintext anywhere.
These schemes are composed of (a) two procedures that enable computations in each mode; (b) two procedures that are used to switch between modes. These procedures give rise to SMPC schemes for evaluation of arithmetic functions in one round of communication. Since over finite fields every function may be written as a polynomial, these procedures may be used to outsource storage of information to untrusted participants (honest-but-curious) while allowing outsourcing of computations over the distributed data.
These schemes use two sets of participants and require the elimination of the previous set whenever there is a switch between modes. That need for ongoing elimination of participants is solved by presenting schemes for SMPC of arithmetic functions using one set of n participants for both operations. This solution costs in communication complexity in the following way. In the schemes proposed for stream computation and for SMPC of arithmetic functions in one round of communication, the procedures M→A and SMA require sending a total of n1·n2 messages between the participants. The procedures A→M or Cascading require sending a total amount of 2n2+n1−1 messages between the participants.
In the schemes for handling both operations by the same participants, in each round of communication the number of messages sent between participants is n2.
The present invention proposes two pairs of schemes for outsourcing arithmetic computations in a finite field, p. The first pair of schemes assumes that the computation state or the distributed values are non-vanishing in the field. The second pair of schemes solves the case where the mentioned values may vanish in p by embedding p in q (for large enough q). Such a q always exists. However, for some functions/streams, the resulting scheme is impractical since q is too large to work with. The schemes for the non-vanishing case are practical whenever the polynomial representation of the function is not too large to work with.
The proposed schemes allow evaluation of any arithmetic function in exactly one round of communication, assuming that the participants are honest-but-curious. This approach is based on representing each secret either as a sum of secret shares or as a product of secret shares, while shifting between representations when necessary. In schemes that use two sets of participants, at each stage, only one of the sets holds shares of the secrets. The participants in the first set handle multiplications and are called the multiplication participants, or the M.parties. The participants in the second set handle additions and are called the addition participants, or the A.parties.
The operations of the participants in a sequence of the same operation and the communication between them when there is a switch in operations and the immediate elimination of the previous participants (virtual machines, containers, etc.), are described. These schemes require communication among participants only when switching between operations, and support communicationless sequences of multiplications followed by communicationless sequences of additions and vice versa. These schemes are information-theoretically secure against attacks of coalitions that consist of all-but-one of the active participants.
The main ideas used to construct these two-set schemes give rise to a scheme that uses only one set of participants and allows evaluation of arithmetic functions in one round of communication.
a user receives a stream of values and arithmetic operations produced by some source and wishes to perform an arithmetic computation over the values received according to the operations received on the fly. The stream begins with an initial value, denoted by m0. At this stage, the user sets a value, referred to as the computation state and denoted by st, and initializes st as m0. Afterward, at each stage, a pair of value and arithmetic operation are produced by the source and received by the user, who in turn updates the computation state st accordingly. Explicitly, at stage i (for i≥1) a pair, consisting of a value m, and arithmetic operation opi are produced, where opi is either addition ‘+’ or multiplication ‘·’. The user updates the state either by multiplying st by mi or by adding mi to st, according to opi. Namely, st:=st opi mi.
It is assumed that the values received from the source are confidential, and so is the computation state that they yield at each stage. The user cannot keep (and update) st on his hardware, since it might be hacked by an adversary. Therefore, the desired cryptographic scheme is a cryptographic scheme that will allow the user to outsource the aforementioned computation, while keeping the values m, and st information-theoretically secure at all stages, without keeping st as plaintext at any stage. The value m, should also be eliminated at the end of each stage. The user should be able to retrieve st at any desired time.
Usually, outsourcing of computation considers a user that wishes to use a remote strong computer to run a computation over private data, where the main reason for outsourcing the computation is computing power. One of the main interests in such scenarios is to involve the user in the computation as little as possible and to shift most of the computational tasks to the cloud. Since the values are produced by the source and received by the user on-the-fly, the user must be on-line during the computation and take an active part in the computation. It is assumed that the user does have enough computing power to run the computation, but since the values and the computation state produced during computation are confidential, the user cannot save them as plaintext anywhere.
This scheme performs secure outsourcing of stream computation under the following assumptions. For the particular example detailed in the sequel, it is assumed that the values mi are elements of the field p of prime order p (in which the arithmetic operations are carried out), and that the values and operations produced never yield st=0. Such a stream is non-vanishing. It is assumed that the user has a secure connection channel with (at least) four honest-but-curious (Honest-but-curious means that all parties follow the protocol honestly, and a protocol is private if any parties who collude at the end of the protocol learn nothing beyond their own outputs from their transcripts) servers denoted (j) (for 1≤j≤4). The basic four participants scheme can be generalized to one with a larger number of participants. The scheme for the case of four participants is first presented. In this proposed scheme, some of the participants hold shares of the computation state st, denoted by st(j). The shares do not reveal any information about st and enable extrapolation of st by the user at any stage.
The proposed scheme has two modes: multiplication mode and addition mode. (1) and (2) are the M.parties and the rest of the servers are the A.parties. The proposed scheme is consists of five procedures as follows:
The general idea behind the scheme is that multiplications are handled by the M.parties and additions by the A.parties. At stage i, some of the procedures are invoked to update st according to opi and shift (if necessary) the shares from one set of participants to another, while eliminating the previous set of participants. When the shares of st are being held by the M.parties (respectively, A.parties), it is determined that the scheme is in multiplication (respectively, addition) mode. When the shares of st are being held by the A.parties, it is determined that the scheme is in addition mode.
The scheme stages are as follows:
All operations are carried out in p.
This procedure (called mult.-random-split of an element of px into two multiplicative shares) is invoked by the user and the M.parties only at stage zero, when the initial value m0 is produced and received by the user. At the first step, the user picks a non-zero element x0 of p uniformly at random and computes y0, such that x0·y0=m0. At the next step, the user sends x0 to (1) and y0 to (2), who in turn set st(1) to x0 and st(2) to y0, respectively. The values st(1) and st(2), kept by the M.parties after the execution of this protocol, are their shares of st. Since x0 is picked randomly, y0 is also random. Hence, no information concerning m0 is revealed to the M.parties.
This procedure is invoked by the user and the M.parties at stages i such that opi is multiplication (after switching to multiplication mode if necessary, using A→M). As described in
Procedure 3: M→A—Switching Mode from Multiplication to Addition
This procedure (called add.-random-split of an element of p into two additive shares, a and b) is invoked by all the participants at stages i such that opi is addition and the current mode is multiplication: First, (1) picks an element a of p and computes b such that a+b=st(1). Then, as described in
In this case:
st=st
(1)
·st
(2)=(a+b)·st(2)=a·st(2)+b·st(2)=st(3)+st(4).
Namely, from the two mult.-random-split shares of st that were held by the M.parties, the A.parties receive add.-random-split shares of st. Since a and b are random elements of the field, the A.parties gain no information about st and the M.parties are eliminated.
This procedure is invoked by the user and the A.parties at stages i such that opi is addition (after switching to addition mode if necessary, using M→A). As described in
Procedure 5: A→M—Switching Mode from Addition to Multiplication.
This procedure is invoked by the user and all the participants at stages i such that opi is multiplication and the current mode is addition. As described in
In this case,
st=st
(3)
+st
(4)
=r
−1·(r·(st(3)+st(4)))=r−1·(r·st(3)+r·st(4))=st(1)·st(2).
Thus, from the two add.-random-split shares of st that were held by the A.parties, the M.parties receive mult.-random-split shares of st. At this stage, (1) obviously has no information about st. Since st≠0 and r is random, (2) also has no information about the current state.
At any stage of the scheme:
This scheme allows a user to perform information-theoretically secure outsourcing of any non-vanishing stream using four participants.
In the scheme proposed for a Non-vanishing stream, the depth and length of the arithmetic circuit are practically unbounded. This fact can be used to outsource arbitrarily long computation streams, containing any number of multiplications and additions in p. There is a constraint, though, on the possible result of each stage of the computation. Namely, none of them may be zero. In some cases, one has a computation stream that does not meet this limitation.
According to an embodiment of the invention, it is possible to outsource stream computations that may vanish by assuming that the depth and length of the stream are bounded. The proposed scheme is based on the non-vanishing scheme. Similarly to the assumptions of the non-vanishing scheme, it is assumed that the values m, are elements of a finite field q (q is prime), and that the arithmetic operations are multiplication and addition in q.
Assuming that M=(m0, m1, . . . , mn)∈qn+1 is a sequence of values produced by a source in some stream computation, and that OP=(op1, . . . , opn)∈{‘+’,‘·’}n is the sequence of operations produced by it corresponding to M, at each stage of the computation, the computation state st is the result of applying the operations in OP to the corresponding values in M, where operations are carried out in q. One gets the exact same result by performing the computation over the positive integers and taking the result modulo q. Formally, for each entry mi of M, let ai∈{1, 2, . . . , q}⊆ denote the minimal positive integer such that ai≡mi(mod q). The ai's are the integer correspondents of the mi's. Then, by performing the stream computation over the ai's (while using the same operations over the integers), an integer result stis obtained, such that s≡st(mod q). Assuming a computation stream over elements in q is such that, when performing the corresponding stream computation over the integers, an integer-computation state, s, that never exceeds a large prime p is obtained. Such a computation stream is called p-bounded.
The following scheme is proposed to perform information-theoretically secure outsourcing of a p-bounded computation stream. As in the non-vanishing scheme, it is assumed that the user has a secure connection channel with four honest-but-curious participants (j) (1≤j≤4). The general idea behind the scheme is to run at each stage the procedures described above over the integer correspondents of the mi's, modulo p, where operations are carried in p.
The scheme stages are:
The user can extrapolate st∈q at any stage by retrieving the shares from the participants, computing the computation state modulo p, and then taking the integer correspondent to the result modulo q. The correctness of the scheme is derived from the fact that the stream is p-bounded. The security of this scheme for p-bounded streams is derived from the security of the non-vanishing stream scheme, since from the participants perspective, there is no difference between the cases.
The solutions used to outsource stream computations, give rise to SMPC schemes that allow evaluation of arithmetic functions in one round of communication. The present invention propose schemes that support this task in two different cases: the non-vanishing case and the p-bounded case. In the proposed schemes st, the set of variables over which the function is evaluated may be dynamic, and so may be the function itself.
The present invention proposes an SMPC scheme that allows a user to securely outsource storage and computations of data under the following assumptions.
At each stage of the proposed scheme, the participants hold shares of m. This proposed enables a user to secret share m=(m1, . . . , mn) amongst honest-but-curious servers in a way that allows the user to evaluate ƒ(m) using computing engines provided by the servers, where ƒ:pn→p.
Since p is a finite field, any function ƒ:pn→p can be represented as a multivariate polynomial. The fact that xp≡x(mod p) implies that this representation is not unique (generally, there are infinitely many polynomials of n variables and only a finite number of functions ƒ:pn→p). Given a function ƒ, it is desired to assign ƒ with a minimal multivariate polynomial representation of it. To this end, a representation of ƒ as a multivariate polynomial such that the degree of each variable is at most p−1 is used. For any given ƒ there is exactly one such multivariate polynomial denoted by Qƒ and ƒ is assigned with Qƒ as its minimal multivariate polynomial representation.
The total degree1 of Qƒ (The total degree of a multivariate polynomial is the maximal sum of exponents in a single monomial of it) is at most n(p−1) and write
ƒ(m)=ai·m2i
where ={0, . . . , p−1}n and ai∈p. There are pp
The proposed scheme consists of two protocols:
As in the arithmetic stream schemes presented above, (1) and (2) are the M.parties and (3) and (4) are the A.parties. In the distribution protocol, the user secret shares m amongst the M.parties. The Evaluation protocol is composed of four stages:
At the first stage, the user sends information regarding ƒ to the participants, and the M.parties perform operations over their shares of m that correspond to SMPC of each of the (non-zero leading coefficient) monomials Ai of ƒ.
At the second stage, the M.parties send to the A.parties information that allows the A.parties to achieve additive shares of each of the monomials of ƒ. At this point the M.parties are eliminated.
At the third stage, the A.parties use the information they received from the M.parties to achieve shares of ƒ(m).
At the fourth stage, the user can choose between either retrieving the shares of ƒ(m) from the A.parties and computing ƒ(m), or shifting the information from the A.parties to a new set of M.parties (as in A→M) to allow further computations over (m, ƒ(m)) without decrypting ƒ(m).
This Distribution protocol is invoked by the user to secret share m=(m1, . . . , mn)∈pn amongst the M.parties. For each mj, 1≤j≤n, as described in
This protocol is invoked by the user to perform SMPC of a function ƒ over m using the participants. The protocol has four stages.
Stage 1—MonEv—Monomial evaluation
At this stage, the user sends information about ƒ to the participants. The M.parties compute multiplicative shares of the monomials of ƒ. ƒ can be writ in the form ƒ the/monomials
ƒ(m1, . . . ,mn)=ai·Ai,
where Ai is the i'th monomial and is determined by i=(i1, . . . , in). At this stage, for each monomial Ai with non-zero leading coefficient, the user sends i∈ to the M.parties and ai∈p to the A.parties. Each of the M.parties evaluates each monomial Ai over his shares. (1) sets Ax
A
x
·A
y
=Πj=1nxji
Stage 2—SMA—Shift from M.parties to A.parties
At this stage, for each i received from the user, the M.parties manipulate the multiplicative shares of Ax
The multiplicative shares of Ai that were held by the M.parties, the A.parties achieve additive shares of Ai:
A
i
=A
x
·A
y
=(bi+ci)·Ay
Since ai and bi are random, the A.parties gain no information about Ai.
Stage 3—fEv—Evaluation of ƒ
At this stage the A.parties compute additive shares of ƒ(m) using the information received from the user at stage 1 and the additive shares of Ai obtained at stage 2.
u
3
+u
4
=Σ
a
i·αi+ai·βi=ai·(αi+βi)=ai·Ai=ƒ(m).
At this stage, the user has a choice between two options: retrieving and cascading. In the retrieving option, the user retrieves the additive shares of ƒ(m) from the A.parties and adds them to obtain ƒ(m). In the cascading option, the user has the A.parties manipulate the shares they hold and send information to a new set of M.parties (in the same fashion as in procedure A→M described above). Then the A.parties are eliminated and the user may begin a new computation over (m1, . . . , mn, ƒ(m)).
As described in
ƒ(m)=u3+u4=xm+1·(r·(u3+u4))=xm+1·ym+1.
Thus, from the additive shares of ƒ(m) that were held by the A.parties, the M.parties obtain multiplicative shares of ƒ(m), and further functions can be evaluated over (m1, . . . , mn, ƒ(m)) by the user and the participants using stages 1-3 of this protocol. This option is secure only if ƒ(m)≠0, since if ƒ(m) vanishes, then so does ym+1.
Since each mj is secret shared independently, the set of secrets over which any function can be evaluated is dynamic and further secrets can be shared on the fly. The fact that each monomial is evaluated over the secret shares independently implies that the function itself is dynamic in the sense that new monomials can be evaluated and added on the fly.
One-Round SMPC of p-Bounded Arithmetic Functions
In the scenario considered above, SMPC of arithmetic functions over non-zero elements, there is a limitation on the possible values that the mj's may take. Namely, they cannot be zero. Moreover, if the user wishes to perform further computations over (m, ƒ(m)) without first decrypting ƒ(m), then ƒ(m) must be non-zero, as well.
It is possible to avoid these limitations over the mj's and ƒ(m). In a possible scenario, in which some of the mj's may be zero and ƒ may vanish, the present invention proposes a scheme that overcomes the limitations of the previous scenario assuming ƒ is p-bounded for small enough p. The term p-bounded is defined below.
Similarly to the assumptions of the previous scenario, it is assumed that the values mj are elements of a finite field of prime order q, denoted q.
It is assumed that the user holds m=(m1, . . . , mn)∈qn and wishes to evaluate ƒ(m) for some ƒ. It is possible to compute ƒ(m) by performing operations in q on m according to a representation of ƒ as a multivariate polynomial. The same result is obtained if one computes ƒ(m) over the positive integers and then takes the result modulo q. Formally, for each entry mj of m let aj∈{1, 2, . . . , q}⊆ denote the minimal positive integer such that aj≡mj(mod q). Then, by performing the computation over the aj's using integer operations, an integer result ƒ is obtained, such that ƒ≡ƒ(m)(mod q). A function ƒ:qn→q is p-bounded (considering the minimal multivariate polynomial representation of ƒ, actually, all functions ƒ:qn→q are p-bounded for p≥qnq+1. This fact is not useful for large p) such that for every m∈qn, computation of ƒ(m) over the integers yields an integer result, ƒ, which is strictly smaller than a large prime p.
The proposed scheme is based on that suggested in the previous case for non-zero elements and enables SMPC of p-bounded functions over elements, some of which may be zero. As in the non-zero scheme, it is assumed that the user has a secure connection channel with four honest-but-curious servers, (k), 1≤k≤4. The general idea behind the scheme is to run at each stage the same procedures as in the scheme suggested in the previous case, over the integer correspondents of the mj's modulo p.
The scheme stages are as follows:
For m=(m1, . . . , mn)∈qn, let {tilde over (m)}=({tilde over (m)}1, . . . , {tilde over (m)}n)∈pn denote the element of pn corresponding to m. That is, {tilde over (m)}j:=aj(mod q) for 1≤j≤n. Similarly, for ƒ:qn→q, let {tilde over (ƒ)}:pn→p denote the function corresponding to ƒ in the p-world. The Distribution and Evaluation protocols are as follows:
For m∈qn use the Distribution protocol of the non-zero scheme to secret share {tilde over (m)}∈pn among the M.parties.
For ƒ:qn→q use the Evaluation protocol of the non-zero scheme to evaluate {tilde over (ƒ)} over {tilde over (m)}:
This protocol has the same dynamic attributes as those suggested in the previous scenario and it requires a single round of communication.
The schemes presented above are perfectly secure against attacks of coalitions, smaller than the number of currently active participants.
It is possible to perform SMPC of arithmetic functions over secret shares using the same set of participants for both operations.
Similarly to the scenarios mentioned above, SMPC of arithmetic functions over secret shares, some of which may be zero, can be performed assuming the function is p-bounded. It is assumed that a user, holding k non-zero elements S=(s1, . . . , sk)∈pk, has a private connection channel with n honest-but-curious participants, (1), . . . , (n).
For sj, 1≤j≤k, perform mutt.-random-split of sj to multiplicative shares, mij, such that sj=Πi=1n mij and distribute mij to (i). This is illustrated in
Assuming a user that wishes to perform SMPC of a function ƒ:pk→p over S, where the minimal multivariate polynomial representation of ƒ is
ƒ(x1, . . . ,xk)=Σl=(l
and ={0, . . . , p−1}k+1. In the this procedure, the monomials of ƒ are evaluated by the participants separately and then added to obtain secret shares of ƒ(s1, . . . , sk). For l∈, the l'th monomial is l0·x1l
αi: =(Πj=1kmijl
αi is (i)'s alpha vector.
U
i
=l
0·(α1)i· . . . ·(αn)i.
For each l, the Ui's obtained by the participants at stage 6 of the evaluation protocol are additive shares of the l'th monomial of ƒ evaluated on S. One has
Since Σi=1n γi=1, the sum of the Ui's equals to the l'th monomial of ƒ evaluated on S.
Now, following the procedure described above, each participant (i) obtains such Ui for each of the monomials of ƒ. Denote by Ui(l) the Ui obtained by (i) regarding the l'th monomial of ƒ. Adding the Ui(l)'s, the i'th participant obtains an additive share of ƒ evaluated on S. These shares can be used to perform consecutive computations in the following way:
Assuming that ƒ1 and ƒ2 are two functions evaluated on S as suggested above, the additive shares of ƒ1(S) and ƒ2(S) held by the participants can be added by the participants to obtain additive shares of ƒ1(S)+ƒ2(S). The same holds for a linear combination of an arbitrary number of functions ƒ1, . . . , ƒd evaluated on S.
SMPC of the product ƒ(S)·l0·s1l
The procedures described above allow SMPC of arithmetic functions over secret shares in one round of communication using one set of participants. A variation of these procedures allows SMPC of arithmetic streams using one set of participants. The procedures MinM and AinA, described in Section 2, are implemented in the same way in this case. Switching from multiplicative shares of sj to additive shares of sj is implemented using Evaluation to perform SMPC of the function ƒ(x1, . . . , xk)=sj. Switching from additive shares of sj to multiplicative shares of sj is implemented as described above for computing a product ƒ(S)·l0·s1l
The case where S may contain zeros is handled in the same way as in Section 3, assuming the function is q-bounded for some large prime q.
The scheme presented above is perfectly secure against coalitions of up to all but one of the participants.
An Example of More than Four Participants
The schemes described above employ four participants. However, the ideas behind the procedures, from which the schemes are composed, generalize to a larger number of participants. Assuming that one wishes to run the schemes using n1 M.parties and n2 A.parties (n1, n2≥2), the present invention proposes ways to generalize the procedures described above to suit n1+n2 participants.
The procedure mult.-random-split described above can be generalized to n1 M.parties by taking n1−1 random non-zero elements of the field, x1, . . . , xn
Additive Shares from Multiplicative Shares
Procedure M→A of the arithmetic streams scenario and procedure SMA of the Evaluation protocol in the arithmetic functions scenario demonstrate shifting of information from two M.parties, (1) and (2), to two A.parties, (3) and (4). These procedures are used to produce additive shares of the secret shared data from multiplicative shares of it. These procedures may be generalized to be procedures by which information is shifted from n1 M.parties to n2 A.parties in the following way. Assuming that n1 M.parties, (i), 1≤i≤n1, hold n1 multiplicative shares, xi, of an element m, to achieve n2 additive shares of m held by n2 A.parties, (1) add.-random-splits x1 to n2 additive shares bj, 1≤j≤n2, and sends each bj to the j'th A.party. The rest of the M.parties, (i), 2≤i≤n1, send xi to each of the A.parties. At this stage, the M.parties are eliminated and the A.parties multiply the values received to obtain additive shares of m.
Observe that:
m=Π
i=1
n
x
i
=x
1·Πi=2n
Multiplicative Shares from Additive Shares
Procedure A→M of the arithmetic streams scenario and procedure RetCas of the Evaluation protocol (the cascading options of RetCas) in the arithmetic functions scenario demonstrate shifting of information from two A.parties to two M.parties. These procedures are used to produce multiplicative shares of the secret shared data from additive shares of its. These procedures generalize to procedures by which information is shifted from n2 A.parties to n1 M.parties in the following way. Assume n2 A.parties, (i), 1≤i≤n2, hold n2 additive shares, xi, of an element m. To obtain n1 multiplicative shares of m held by n1 M.parties, the user mult.-random-splits 1 to n1 multiplicative shares. The user sends n1−1 M.parties one (distinct) multiplicative share of 1, and sends the last share of 1 to all of the A.parties. Each of the A.parties then multiplies the multiplicative share of 1 received by its additive share of m and sends the product to the last M.party. At this stage, the A.parties are eliminated and the last M.party adds the values received. Now the M.parties hold multiplicative shares of m.
Evaluation of boolean circuits. The schemes suggested in Sections 2 and 3 may be used to perform computations of boolean streams and SMPC of boolean circuits by working in 2. A True boolean value is 1∈2 and a False boolean value is 0∈2. Boolean operations may be identified with field operations in the following way. The A operation is identified with 2 multiplication, the ⊕ operation with 2 addition, and the ┐ operation with adding 1 in 2. The V operation of two literals is identified with x+y+x·y, where x and y are the elements of 2 corresponding to the literals. Then, given a boolean circuit C over boolean literals b1, . . . , bn∈{True, False}, one can use the schemes, suggested above for p-bounded functions, to perform boolean streams computation and SMPC of boolean circuits by taking m1, . . . ,mn∈2, where the mi's are the 2 correspondents of the bi's. The boolean circuit C: {True, False}n→{True, False} will be taken as a function {tilde over (C)}: 2n→2.
Evaluating functions over inputs held by more than one participant. The schemes suggested in Sections 3 and 4 can be used to perform SMPC of arithmetic functions over inputs held by several participants. Instead of having only one participant holding inputs, assume (1), . . . , (k) are k users, each of whom is holding a set of secret values in p. The users wish to privately evaluate a function ƒ over the entire set of variables. Following the distribution protocol, each of the users distributes shares of her secrets. Let one of the users invoke the evaluation protocol, sending the relevant information to the other participants. At the final stage of the evaluation protocol, the participants send their outputs to all of the users. Adding these outputs, each of the users obtains the result of evaluating ƒ over the entire set of secrets. This way, the proposed scheme is extended to support SMPC of functions over inputs held by several participants.
His example describes how the scheme suggested in Section 4 may be used to perform secure multiparty computation. Consider the following scenario. Three millionaires wish to find out who of them is the wealthiest, while not revealing to each other the exact number of millions they possess. Denote the three millionaires by (1), (2), (3) and the number of millions they possess by s1, s2, s3, respectively. For simplicity, assume si (1≤i≤3) are positive integers between 1 and 10 (other cases may be solved similarly). The first step is distribution, where p=11. For 1≤i≤3, (i) mult.-random-splits si to a product of multiplicative shares m1,i·m2,i and distributes m1,i to (1) and m2,i to (2).2 This is illustrated in
In order to find out which of them is the wealthiest, the participants may evaluate ƒ(x1, x2, x3) at (s1, s2, s3), where ƒ:113→11 (one may correctly state that, the procedure mult.-random-split is defined for elements of p, while the si's are integers. Hence, for 1≤i≤3, one should consider
ƒ(x1,x2,x3)=Σi,j,k=010ai,j,k·x1ix2jx3k.
(3) takes the role of the user, performing, for each monomial ai,j,k·x1ix2jx3k of ƒ, an independent matrix-random-split of 1∈11 to
and sending the left column of Ci,j,k to (1) and the right column to (2). Subsequently, for each column vector they receive, (1) and (2) compute
respectively. For each alpha vector, (1) sends the second entry of α1(i,j,k), denoted by (α1(i,j,k))2, to (2), while (2) sends the first entry of α2(i,j,k), denoted by (α2(i,j,k))1, to (1). Using the values received, (1) computes
A=Σ
i,j,k
a
i,j,k·(α1(i,j,k))1·(α2(i,j,k))1,
while (2) computes
B=Σ
i,j,k
a
i,j,k·(α1(i,j,k))2·(α2(i,j,k))2.
Eventually, (1) and (2) publish A and B. Observe that
B=Σ
i,j,k
a
i,j,k
·s
1
i
s
2
j
s
3
k
·c
21
(i,j,k)
·c
22
(i,j,k).
Adding, one obtains
A+B=Σ
i,j,k
a
i,j,k
·s
1
i
s
2
j
s
3
k·(c11(i,j,k)·c12(i,j,k)·c21(i,j,k)·c22(i,j,k)).
The fact that each Ci,j,k is a matrix-random-split of 1 implies that
A+B=Σ
i,j,k
a
i,j,k
·s
1
i
s
2
j
s
3
k·=ƒ(s1,s2,s3).
In the schemes suggested in Sections 2 and 3, some information about the circuit itself is revealed to the participants. In the arithmetic streams schemes, the M.parties (respectively, A.parties) know exactly how many consecutive multiplications (respectively, additions) are computed in a specific part of the circuit. In the SMPC schemes, some information about ƒ itself is revealed to the participants, as according to the Evaluation protocol, the user sends the relevant elements i∈ to the M.parties and the corresponding ai's to the A.parties. That leakage of information may be prevented by adding noise to the procedure in cost of communication complexity.
The arithmetic streams schemes are adjusted to prevent leakage of information about the computation circuit itself. At each stage of the computation, perform both addition and multiplication operations that yield the same result that would have been obtained normally. If at stage i one has opi=‘·’ (meaning that the user needs to multiply st by mi), then
If at stage i the user needs to add mi to st, then
This adjustment costs in communication complexity, but it keeps the arithmetic circuit secure in a way that none of the participants can tell what are the arithmetic operations that are actually being performed.
The information held by the user is m=(m1, . . . , mn)∈pn. It is possible to take redundant copies of each (or some) of the mi's, take redundant variables that equal 1∈p, take redundant variables that equal 0∈p, and permute them all to obtain m′=(m′1, . . . , m′r) which contains the information began with, along the added redundancy. This expansion of m costs in communication complexity but now it is possible to hide ƒ in several ways.
Recall that
ƒ(m)=ai·Ai, ai∈p,
where Ai is the i'th monomial. In most applications, most of the ai's are zero, and their corresponding monomials are called the zero monomials. The other monomials are called the non-zero monomials. Now, one can mask ƒ by the following procedures. To evaluate ƒ:pn→p over m, take some suitable ƒ′:pr→p and evaluate it over m′ in such a way that ƒ(m)=ƒ′(m′).
An appropriate choice of ƒ′ may mask ƒ in the following ways:
These procedures add noise to the computation circuit but cost in an expansion of m and communication complexity.
The correction and security of our schemes are based on the assumption that the participants are honest-but-curious, and that they do not form coalitions. Therefore, it is assumed that each of the participants follows the exact directions of each procedure of the scheme and is not sending to any of the other participants information not supposed to be sent. Nevertheless, it is assumed that the participants are trying to learn information about the secret shared inputs and about the computation circuits through the data received during the execution of the scheme. In case of deviation of a participant from the directions of the scheme, either the scheme might yield an incorrect solution or the security of the secret shared data may be compromised.
The following description discusses ways to detect incorrect outputs caused by malicious participants and analyze the threshold for ensuring the security of the schemes against coalitions of participants.
Detection of incorrect output caused by malicious participants is achieved either by repeating the same computations while using different sets of participants, or by computing different representations of the same function. Assume one runs our scheme using a total of n participants. Fora positive integer, s, one can uses sets of n participants, where in each set the participants run the same protocol independently. As s is taken to be larger, the correction of the output can be verified with higher certainty. Another approach to detect an incorrect output is to compute the same circuit several times using the same n participants with different randomization in each computation and different representations of the same circuit in each iteration. In this case, one may use schemes for masking the computation as described above, thus ensuring that the participants cannot force repeated incorrect output in successive computations of the same circuit. A repeated incorrect zero output can be forced by a malicious M.party by outputting zero regardless of the inputs received. These two approaches can be combined to reveal malicious participants in the following way. The user can use more than n participants and repeat the same computations (independently) using different n participants on each iteration. Assuming the user receives different outcomes, she can eliminate both sets of participants and repeat the process until identical results are obtained.
The security of the proposed schemes against attacks of coalitions of participants that join their shares of m in an attempt to learn information about the secret shared inputs will be described. Assume a user runs a scheme, as suggested above, using n1 M.parties and n2 A.parties. For each product of n1−1 non-zero elements of a finite field, xi, 1≤i≤n1−1, and for each non-zero element m of the field, there exists exactly one element xn
In Section 4 the description showed how to perform SMPC of arithmetic functions over secret shares using the same set of n participants for both operations. That scheme is information-theoretically secure against coalitions of up to n−1 honest-but-curious participants. The security of the distribution protocol is derived from the same arguments as in the two sets scenario.
The security of the evaluation protocol of the single set scenario:
Assuming that (1), . . . , (n−1) is a coalition of n−1 participants joining the information they received in an attempt to extract information regarding the values of the si's. The coalition is referred to as the adversary and summarize the information held by it by the following equations.
During the distribution protocol, the adversary receives the following information regarding the secrets:
s
1
=m
n,1·Πi=1n−1mi1
s
k
=m
n,k·Πi=1n−1mik (1)
The unknowns in (1) are mn,j, sj for 1≤j≤k. The products Πi=1n−1 mij for 1≤j≤k are known.
By same arguments as in the two sets scenario, the adversary gains no information regarding the si's from (1).
During stage 3 of the evaluation protocol, the adversary receives the following information regarding C=(cij)i,j=1n, the matrix-random-split of 1∈p:
c
1,n·Πi=1n−1c1i+ . . . +cn,n·Πi=1n−1cni=1 (2)
The unknowns in (2) are ci,n for 1≤i≤n. The products Πi=1n−1cji for 1≤j≤n are known. The matrix C is generated at stage 2 of Evaluation for the computation of the l'th monomial. C is independent of S (and of the l'th monomial), and hence the adversary cannot gain any information regarding S from (2).
Assuming that the l'th monomial of ∂ is l0·A(x1, . . . ,xk), where A(x1, . . . ,xk)=x1l
The values (αn)j for 1≤j≤n−1, appearing in (3), are known to the adversary, since these are the first n−1 entries of the alpha vector, αn, computed by (n) at stage 4 of the distribution protocol, and sent to the adversary at stage 5 of the protocol. The rest of the quantities in (3) are unknown. Since the si's are non-zero, by (3), for every possible (mn,1, . . . , mn,k)∈pk with non-zero entries there exists a (c1,n, . . . , cn−1,n)∈pn with non-zero entries such that mn,1, . . . , mn,k, c1,n, . . . , cn−1,n form a solution of (3). For each such a solution, substituting in (2), one obtains
Σj=1n−1(Πi=1ncji)+cn,m·Πi=1n−1cn,i=1.
Since all other variables are known, solving for cn, and obtaining
For every possible choice of non-zero (mn,1, . . . ,mn,k), the system of equations (2)+(3) has a unique solution, implying that no further information regarding the si's or A(s1, . . . , sk) can be gained by the adversary. Hence, the fact that each monomial is evaluated independently (as shown in
Although embodiments of the invention have been described by way of illustration, it will be understood that the invention may be carried out with many variations, modifications, and adaptations, without exceeding the scope of the claims.
The minimal multivariate polynomial representation of ƒ: ƒ(x, y, z)=x10+7x2y+6x4y+7x6y+9x8y+3x9y+10x10y+4xy2+10x3y2+x5y2+8xy2+3x8y2+5x9y2+x2y3+2x4y+7x3y3+3x7y3+7x8y3+5xy4+9x3y4+6x5y4+3x6y4+8xy4+10xy5+5x4y5+3x5y5+2x6y5+4xy6+4x3y6+3x4y6+9x5y6+3x2y7+3x3y7+3x4y7+2xy8+3x2y8+4x3y8+3xy9+6x2y9+2y10+xy10+7x10y10+3x2z+x4z+3x6z+7x8z+8x9z+9x10z+8xyz+9x3yz+3x4yz+2x5yz+10xyz+5xyz+5x8yz+10x9yz+8x10yz+7y2z+3x2y2+7x3y2+8x4y2+2x5y2z+5x7y2+10x8y2z+10x9y2z+4x0y2z+6x2y3z+x2y3z+3x3y3z+4x4y3z+6x5y3z+3x6y3z+7x7y3z+x9y3z+7x10y3z+6y4z+4x2y4z+7x3y4z+x4y4z+2x5y4z+9x6y4z+x8y4z+9x9y2z+5x10y4z+6xy5z+10x2y5z+7x3y5z+x4y5z+5x5y5z+2x6y5z+x7y5z+7x8y5z+4x9y5z+6x10y5z+7y6z+2x2y6z+7x3y6z+3x4y6z+8x5y6z+x6y6z+6x6y6z+4x8y6z+3x9y6z+4x10y6z+8xy7z+3x2y7z+9x3y7z+6x4y7z+x5y7z+5x6y7z+4x7y7z+5x8y7z+x9y7z+7x10y7z+9y8z+10xy8z+5x2y8z+7x3y8z+x4y8z+4x5y8z+4x6y8z+6x7y8z+x8y8z+9x9y8z+2x10y8z+2y9z+xy9z+3x2y9z+x3y9z+2x4y9z+4x5y9z+8x6y9z+x7y9z+2x8y9z+6x9y9z+10x10y9z+10y10z+8x2y10z+4x3y10z+10x4y10z+5x5y10z+8x6y10z+4x7y10z+4x8y10z+8x9y10z+8xz2+9x3z2+2x5z2+5x7z2+8x8z2+10x9z2+4yz2+x2yz2+6x3yz2+3x5yz2+6x6yz2+x7yz2+7x8yz2+7x9yz2+7x10yz2+10xy2z2+7x3y2z2+x5y2z2+7x6y2z2+5x7y2z2+7x8y2z2+x10y2z2+10y3z2+10xy3z2+x2y3z2+7x4y3z2+5x5y32+10x6y3z2+3x7y3z2+10x8y3z2+2x9y3z2+x10y3z2+10xy4z2+2x3y4z2+6x4y4z2+5x5y4z2+10x6y4z2+10x7y4z2+x8y4z2+7x9y4z2+9x10y4z2+y5z2+xy5z2+8x2y5z2+8x4y5z2+6x5y5z2+10x6y5z2+9x7y5z2+3x8y5z2+5x9y5z2+10x10y5z2+3xy6z2+10x2y6z2+9x3y6z2+2x4y6z2+10x5y6z2+2x6y6z2+3x7y6z2+3x8y6z2+99y6z2+9x10y6z2+8y2z2+6xy7z2+6x2y7z2+5x3y7z2+10x4y7z2+2x5y7z2+3x6y7z2+8x8y7z2+6x9y7z2+3x10y7z2+2y8z2+10xy8z2+10x3y8z2+7x4y8z2+3x5y8z2+10x6y8z2+8x7y8z2+6x8y8z2+4x9y8z2+2x10y8z2+5y9z2+8xy9z2+2x2y9z2+9x3y9z2+4x4y9z2+6x5y9z2+5x7y9z2+5x8y9z2+6x9y9z2+4x10y9z2+3xy10z2+2x3y10z2+6x4y10z2+9x5y10z2+3x6y10z2+6x7y10z2+4x9y10z2+7x10y10z2+2x2z3+4x4z3+3x6z3+8x7z3+3x8z3+3xyz3+5x2yz3+8x4yz3+7x5yz3+6x6yz3+3x7yz3z+4x8yz3+10x9yz3+3x10yz3+y2z3+4xy2z3+6x2y2z3+2x4y2z3+4x5y2z3+9x6y2z3+9x7y2z3+x8y2z3+4x9y2z3+10x10y2z3+8xy3z3+8x3y3z3+3x4y3z3+7x5y3z3+3x6y3z3+6x8y3z3+3x10y3z3+2y4z3+4xy4z3+3x2y4z3+10x3y4z3+9x4y4z3+2x5y4z3+x8y4z3+9x10y4z3+9xy5z3+9x2y5z3+4x3y5z3+9x4y5z3+4x6y5z3+8x7y5z3+4x8y5z3+2x9y5z3+7y6z3+2xy6z3+7x2y6z3+6x5y6z3+8x6y6z3+6x8y6z3+5x9y6z3+4x10y6z3+2y7z3+xy7z3+6x2y7z3+x4y7z3+8x5y7z3+3x6y7z3+5x7y7z3+x8y7z3+10x9y7z3+3x10y7z3+7y8z3+4xy8z3+3x2y8z3+9x4y8z3+x5y8z3+8x6y8z3+6x7y8z3+3x8y8z3+2x9y8z3+2x10y8z3+8xy9z3+2x2y9z3+6x3y9z3+2x4y9z3+7x5y9z3+x6y9z3+6x7y9z3+2x8y9z3+7x9y9z3+8x10y9z3+7xy10z3+9x2y10z3+7x4y10z3+8x5y10z3+8x6y10z3+2x7y10z3+x9y1z3+10yz4+7x3z4+x5z4+8x6z4+5x7z4+5yz4+8xyz4+3x2yz4+3x3yz4+8x4yz4+10x6yz4+5x7yz4+10x8yz4+7x9yz4+6x10yz4+6xy2z4+3x3y2z4+10x4y2z4+9x5y2z4+8x6y2z4+x7y2z4+5x8y2z4+4x9y2z4+3x10y2z4+9y3z4+7xy3z4+9x2y3z4+6x3y3z4+3x4y3z4+4x5y3z4+1x7y3z4+
10x8y3z4+9x9y3z4+2x10y3z4+4xy4z4+3x2y4z4+8x3y4z4+3x6y4z4+4x8y4z4+5x10y4z4+6y5z4+8xy5z4+5x2y5z4+2x3y5z4+7x5y5z4+7x6y5z4+3x8y5z4+3x8y5z4+9x9y5z4+5x10y5z4+2y6z4+xy6z4+9x2y6z4+7x5y6z4+4x6y6z4+7x7y6z4+8x8y6z4+5x9y6z4+4x10y6z4+8y7z4+5xy7z4+3x2y7z4+10x3y7z4+8x4y4z4+0x5y7z4+9x6y7z4+8x7y7z4+9x8y7z4+8x9y7z4+x10y7z4+8xy8z4+4x2y8z4+5x3y8z4+8x5y8z4+9x6y8z4+4x7y8z4+8x8y8z4+9x9y8z4+5x10y8z4+9xy9z4+9x2y9z4+9x3y9z4+10x4y9z4+6x5y9z4+7x6y9z4+3x7y9z4+8x8y9z4+10x9y9z4+xy10z4+5x2y10z4+4x3y10z4+10x5y10z4+4x6y10z4+9x7y10z4+7x8y10z4+9x2z5+10x4z5+8x5z5+4x6z5+10xyz5+8x2yz5+9x3yz5+9x4yz5+9x5yz5+5x6yz5+10x7yz5+3x8yz5+7x9y5+x10yz5+10y2z5+9xy2z5+4x2y2z5+5x3y2z5+4x4y2z5+x6y2z5+7x7y2z5+8x8y2z5+10x9y2z5+x10y2z5+10xy3z5+4x2y3z5+x3y3z5+7x4y3z5+9x6y3z5+3x7y3z5+3x8y3z5+9x9y3z5+3x10y3z5+5y4z5+7xy4z5+8x2y4z5+9x3y4z5+4x6y4z5+4x7y4z5+8x8y4z5+3x9y4z5+6x10y4z5+2y5z5+2xy5z5+5x2y5z5+4x4y5z5+4x6y5z5+7x8y5z5+5x10y5z5+2y6z5+3xy6z5+3x2y6z5+5x3y6z5+x4y6z5+7x6y6z5+5x7y6z5+4x8y6z5+3x9y6z5+7x10y6z5+8xy7z5+9x2y7z5+9x3y7z5+x4y7z5+5x5y7z5+x6y7z5+10x7y7z5+7x8y7z5+2x9y7z5+8x10y7z5+7xy8z5+2x2y8z5+10x3y8z5+7x4y8z5+5x6y8z5+4x7y8z5+9x8y8z5+5x9y8z5+10xy9z5+5x2y9z5+10x3y9z5+5x4y9z5+8x5y9z5+4x6y9z5+6x7y9z5+x8y9z5+6xy10z5+2x2y10z5+3x3y10z5+x4y10z5+6x5y10z5+10x6y10z5+x7y10z5+8xz6+8x3z6+8x4z6+7x5z6+4yz6+xyz6+10x2yz6+3x3yz6+9x4yz6+6x5yz6+10y6yz6+x7yz6+7x8yz6+6x9yz6+7x10yz6+5xy2z6+2x2y2z6+7x3y2z6+3x4y2z6+x5y2z6+8x7y2z6+4x8y2z6+2x9y2z6+6x10y2z6+4y3z6+6y3z6+6xy3z6+3x2y3z6+8x3y3z6+2x5y3z6+3x6y3z6+8x7y3z6+5x8y3z6+4x9y3z6+7x10y3z6+2y4z6+10xy4z6+x2y4z6+8x4y4z6+4x5y4z6+4x7y4z6+10x8y4z6+6x9y4z6+6x10y4z6+9y5z6+9xy5z6+3x2y5z6+7x3y5z6+x4y5z6+7x5y5z6+10x6y5z6+4x7y5z6+10x8y5z6+9x9y5z6+8xy6z6+9x2y6z6+9x3y6z6+7x4y6z6+2x5y6z6+5x7y6z6+5x8y6z6+10x9y6z6+5x10y6z6+6xy7z6+2x2y7z6+8x3y7z6+3x4y7z6+10x5y7z6+7x8y7z6+2x9y7z6+10xy8z6+x2y8z6+6x3y8z6+2x4y8z6+6x5y8z6+10x6y8z6+x7y8z6+2x8y8z6+3xy9z6+8x2y9z6+10x3y9z6+9x4y9z6+5x5y9z6+6x6y9z6+8x7y9z6+3xy10z6+8x2y10z6+3x3y10z6+8x4y10z6+7x5y10z6+6x2z7+8x3z7+6x4z7+8x2yz7+7x3yz7+6x4yz7+10x5yz7+10x6yz7+7x7yz7+10x8yz7+10x9yz7+3x10yz7+3y2z7+4xy2z7+7x2y2z7+2x3y2z7+x4y2z7+4x5y2z7+8x6y2z7+3x8y2z7+x9y2z7+8x10y2z7+2y3z7+3xy3z7+8x2y3z7+x4y3z7+3x5y3z7+3x6y3z7+6x7y3z7+6x8y3z7+x9y3z7+7x10y3z7+3y4z7+3x2y4z7+5x4y4z7+7x5y4z7+8x6y4z7+5x8y4z7+4x9y4z7+6x10y4z7+8xy5z7+2x2y5z7+9x3y5z7+8x4y5z7+10x5y5z7+7x6y5z7+2x8y5z7+7x9y5z7+7x10y5z7+5xy6z7+2x2y6z7+5x4y5z7+6x5y6z7+6x6y6z7+10x7y6z7+10x8y6z7+5x9y6z7+10xy7z7+7x3y7z7+3x4y7z7+x5y7z7+9x6y7z7+5x7y7z7+3x8y7z7+5xy8z7+9x2y8z7+5x3y8z7+7x4y8z7+5x5y8z7+7x6y8z7+xy9z7+6x2y9z7+10x3y9z7+6x4y9z7+5x5y9z7+3x6y9z7+7xy10z7+5x2y10z7+10x3y10z7+8x4y10z7+10x5y10z7+4xz8+8x2z8+8x3z8+2yz8+4xyz8+8x2yz8+7x3yz8+10x4yz8+8x5yz8++7x6yz8+7x7yz8+10x8yz8+7x9yz8+9x10yz8+2y2z8+5xy2z8+4x2y2z8+x3y2z8+6x4y2z8+8x5y2z8+7x6y2z8+3x7y2z8+7x9y2z8+8x10y2z8+4y3z8+3x2y3z8+5x3y3z8+4x4y3z8+8x5z8+9x6y3z8+5x7y3z8+10x9y3z8+5x10y3z8+
8xy4z8+10x2y4z8+2x3y4z8+7x4y4z8+7x5y4z8+x6y4z8+6x7y4z8+10x8y4z8+9x10y4z8+4xy5z8+2x2y5z8+7x3y5z8+x4y5z8+4x5y5z8+x6y5z8+7x7y5z8+8x8y5z8+4x9y5z8+10y6z8+8x2y6z8+8x3y6z8+3x4y6z8+7x5y6z8+4x6y6z8+9x7y6z8+6xy7z8+9x2y7z8+10x3y7z8+2x4y7z8+2x5y7z8+x6y7z8+8x7y7z8+8xy8z8+5x2y8z8+8x3y8z8+x4y8z8+7x5y8z8+9x6y8z8+9xy9z8+7x3y9z8+x4y9z8+10x5y9z8+7xy10z8+x2y10z8+6x3y10z8+4x4y10z8+8xz9+x2z9+2yz9+3xyz9+4x2yz9+10x3yz9+4x4y9+7x5y9+5x6yz9+10x7yz9+4x8yz9+5x9yz9+8x10yz9+6y2z9+xy2z9+4x2y2z9+7x3y2z9+9x4y2z9+x5y2z9+6x6y2z9+10x7y2z9+9x8y2z9+10x9y2z9+3x10y2z9+8xy3z9+9x2y3z9+x3yz9+2x4y3z9+8x5y3z9+7x6y3z9+4x7y3z9+10x8y3z9+2x9y3z9+9x10y3z9+2xy4z9+6x2y4z9+9x4y4z9+8x5y4z9+10x6y4z9+5x7y4z9+9x8y4z9+10xy5z9+6x2y5z9+4x3y5z9+2x4y5z9+5x5y5z9+4x7y5z9+7x8y5z9+8xy6z9+10x2y6z9+6x3y6z9+6x5y6z9+2x6y6z9+6x7y6z9+8xy7z9+5x2y7z9+6x3y7z9+x4y7z9+9x5y7z9+9x6y7z9+2xy8z9+x2y8z9+7x3y8z9+6x5y8z9+4xy9z9+3x2y9z9+8x3y9z9+x4y9z9+4xy10z9+2x2y10z9+x3y10z9+3z10+2xz10+6x10z10+yz10+3+yz10+4x2yz10+8x3yz10+5x4yz10+10x5yz10+4x6yz10+8x7yz10+2x8yz1+4x9yz10+3x10yz10+7xy2z10+10x2y2z10+x3y2z10+8x4y2z10+10x5y2z10+5x6y2z10+3x7y2z10+4x8y2z10+3x9y2z10+4xy3z10+10x2y3z10+8x3y3z10+9x4y3z10+8x5y3z10+4x6y3z10+5x7y3z10+x8y3z10+9y3z10+6xy4z10+2x2y4z10+2x3y4z10+6x4y4z10+5x5y4z10+6x6y4z10+2x8y4z10+5xy5z10+x2y5z10+6x4y5z10+7x5y5z10+6x6y5z10+4x7y5z10+7xy6z10+2x2y6z10+7x3y6z10+8x4y6z10+10x5y6z10+6x6y6z10+4xy7z10+8x2y7z10+9x3y7z10+5x4y7z10+3x5y7z10+9xy8z10+10x2y8z10+4z3y8z10+6x4y8z10+2x2y9z10+2x2y9z10+3x3y9z10+5y10z10+6xy10z10+4x2y10z10
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/IL2019/050420 | 4/14/2019 | WO | 00 |
Number | Date | Country | |
---|---|---|---|
62700351 | Jul 2018 | US | |
62658624 | Apr 2018 | US |