This is a description of (basic version of) the BGW protocol following the original paper. A full proof can be found here.
Consider ${ n }$ parties ${ P _0, \ldots, P _{n-1} }$ (with secure pairwise communication channels) with private inputs
$${ \vec{x} = (x _0, \ldots, x _{n-1}) }$$
respectively. Their goal is to evaluate a public function
$${ F ( \vec{x} ) = (F _0 (\vec{x}), \ldots, F _{n-1} (\vec{x})) }$$
in such a way that at the end each ${ P _i }$ additionally learns ${ F _i (\vec{x}) }$ and nothing else.
A protocol for computing a function is a specification of ${ n }$ programs, one for each of the parties.
Two kinds of faults can occur: “Gossip” (involving semi-honest adversaries) and “Byzantine” (involving malicious adversaries). We can focus on the former, where faulty parties send messages according to their predetermined programs, but try to learn as much as they can by sharing with each other the information they received.
A protocol is ${ t }$-private if any set of at most ${ t }$ parties cannot compute after the protocol more than they could jointly compute solely from their set of private inputs and outputs.
In this setup, we have:
Thm: For every function ${ F }$ and ${ t < \frac{n}{2} ,}$ there is a ${ t }$-private protocol.
Proof:
We are given ${ n > 2 t ,}$ that is ${ n \geq 2 t + 1 .}$ WLOG say the inputs ${ x _i \in \mathbb{E} }$ for some finite field ${ \mathbb{E} }$ with ${ \vert \mathbb{E} \vert > n ,}$ and ${ F }$ is a polynomial function over ${ \mathbb{E} .}$ So there is an arithmetic circuit computing ${ F }$ using ${ +, \times }$ and the constants from ${ \mathbb{E} .}$
The BGW protocol happens in ${ 3 }$ stages:
- Input stage: Each party enters its input using a secret sharing procedure.
- Computation stage: The parties simulate the arithmetic circuit for ${ F ,}$ gate by gate, keeping the value of each computed gate as a secret shared by all parties.
- Output stage: The secret shares of the final value of ${ F }$ are revealed to one party.
Input stage: Fix distinct nonzero values ${ \alpha _0, \ldots, \alpha _{n-1} \in \mathbb{E} .}$ Now each party holding a private input ${ s \in \mathbb{E} }$ introduces it into the computation by doing the following:
- Select random elements ${ a _1, \ldots, a _t \in \mathbb{E} }$ and consider the polynomial $${ f(x) = s + a _1 x + \ldots + a _t x ^t .}$$
- Send to each party ${ P _i }$ the share ${ s _i = f(\alpha _i) .}$
Output stage: During the whole computation, each gate which evaluates to some ${ s \in \mathbb{E} }$ is considered evaluated by the parties if ${ s }$ is shared amongst the parties via a random polynomial ${ f(x) }$ of degree ${ t }$ with the only restriction that ${ f(0) = s .}$
At the end of the computation, we will have the value of ${ F }$ shared amongst the parties in a similar way. All the parties can send their shares to a particular party, and to it the final output is revealed.
Computation stage: Let ${ a, b \in \mathbb{E} }$ be two secrets shared via polynomials ${ f(x), g(x) }$ respectively. It is enough to show how the parties can compute (in the sense described above) values ${ a + b, }$ ${ a \cdot b }$ and ${ c \cdot a }$ (where ${ c \in \mathbb{E} }$ is a nonzero constant).
Note that addition and scalar multiplication are trivial to perform. If ${ f(x), g(x) }$ encode ${ a,b }$ respectively then ${ f(x)+g(x), c \cdot f(x) }$ encode ${ a + b, c \cdot a }$ respectively. So for example to compute ${ a + b ,}$ each party ${ P _i }$ holding the shares ${ f(\alpha _i ) , g(\alpha _i) }$ can compute ${ f(\alpha _i) + g(\alpha _i) }$ and this will be its share of ${ a + b .}$
It is left to show how multiplication ${ a \cdot b }$ is performed (as asked by the OP).
Note ${ h(x) = f(x)g(x) }$ is a bad choice of a polynomial to encode ${ a \cdot b ,}$ because its degree is ${ 2 t }$ and more importantly because the non-free coefficients are not random (e.g. ${ h(x) }$ is known to be a reducible polynomial). We remedy the problem by introducing randomness to the non-free coefficients, and reducing the degree of the encoding polynomial from ${ 2t }$ to ${ t .}$
To randomise the non-free coefficients: Each party ${ P _i }$ selects a random polynomial ${ q _i (x) }$ of degree ${ 2 t }$ with zero free coefficient, and distributes its shares amongst the parties. Now the polynomial
$${ h(x) := f(x)g(x) + \sum _{i=0} ^{n-1} q _i (x) }$$
is a degree ${ 2t }$ polynomial with free coefficient ${ a \cdot b }$ and random non-free coefficients. Each party ${ P _i }$ is equipped with the share ${ h(\alpha _i) }$ as well. The only problem now is that the degree is ${ 2 t }$ instead of ${ t ,}$ which will be remedied by truncation.
The goal now is to truncate ${ h(x) }$ of degree ${ 2 t }$ to ${ \tilde{h}(x) }$ of degree ${ t ,}$ and equip each party ${ P _i }$ with its share ${ \tilde{h} (\alpha _i) .}$
The natural truncation of ${ h(x) = h _0 + h _1 x + \ldots + h _{2t} x ^{2t} }$ is
$${ \tilde{h}(x) = h _0 + h _1 x + \ldots + h _t x ^t .}$$
Now shares
$${ \begin{align*} &\quad (\tilde{h}(\alpha _0), \ldots, \tilde{h}(\alpha _{n-1}) ) \\ &= (h _0, \ldots, h _t, 0, \ldots, 0) \underbrace{\begin{pmatrix} 1 &1 &\ldots &1 \\ \alpha _0 &\alpha _1 &\ldots &\alpha _{n-1} \\ \vdots &\vdots &\ddots &\vdots \\ \alpha _0 ^{n-1} &\alpha _1 ^{n-1} &\ldots &\alpha _{n-1} ^{n-1} \end{pmatrix}} _{=: V} \\ &= (h _0, \ldots, h _{2t}, 0, \ldots, 0) \underbrace{\begin{pmatrix} I _{t+1} &0 \\ 0 &0 \end{pmatrix}} _{=: P} V \\ &= (h (\alpha _0), \ldots, h(\alpha _{n-1})) \, V ^{-1} P V \end{align*} . }$$
We already have ${ (h(\alpha _0), \ldots, h(\alpha _{n-1})) }$ distributed such that each party ${ P _i }$ has its private share ${ h(\alpha _i) .}$ By the manipulation above, we can compute ${ (\tilde{h}(\alpha _0), \ldots, \tilde{h}(\alpha _{n-1})) }$ in such a way that each party ${ P _i }$ is revealed its private share ${ \tilde{h}(\alpha _i) .}$
Finally ${ a \cdot b }$ is encoded by the degree ${ t }$ polynomial ${ \tilde{h}(x) }$ with random non-free coefficients, and has its shares ${ \tilde{h}(\alpha _i) }$ distributed, as needed.
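A worked instance of the multiplication step above, added here as an illustration and not part of the original answer or the BGW paper: it builds the public matrix ${ A = V^{-1} P V }$ over a constructed field ${ \mathbb{E} = GF(101) }$ with ${ n = 5, t = 2 }$, and runs the randomise-then-truncate sub-protocol on shares of two constructed inputs. The Gauss-Jordan inverse, the evaluation points ${ \alpha _i = i + 1 }$ and the sample values are my choices.

```python
import random
P_MOD, N, T = 101, 5, 2        # constructed: field GF(101), n = 5 parties, t = 2 < n/2
ALPHA = list(range(1, N + 1))  # distinct nonzero evaluation points alpha_0..alpha_{n-1}

def share(s, deg):
    """Share s with a random degree-`deg` polynomial f, f(0) = s; returns [f(alpha_i)]."""
    coeffs = [s % P_MOD] + [random.randrange(P_MOD) for _ in range(deg)]
    return [sum(c * pow(a, k, P_MOD) for k, c in enumerate(coeffs)) % P_MOD for a in ALPHA]
def reconstruct(points):
    """Lagrange-interpolate f(0) from (alpha_i, f(alpha_i)) pairs; deg+1 pairs suffice."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num, den = num * -xj % P_MOD, den * (xi - xj) % P_MOD
        total = (total + yi * num * pow(den, -1, P_MOD)) % P_MOD
    return total
def inverse_mod(m):  # Gauss-Jordan inverse of a square matrix over GF(p)
    n = len(m)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for c in range(n):
        piv = next(r for r in range(c, n) if aug[r][c])
        aug[c], aug[piv] = aug[piv], aug[c]
        inv = pow(aug[c][c], -1, P_MOD)
        aug[c] = [x * inv % P_MOD for x in aug[c]]
        for r in range(n):
            if r != c:
                aug[r] = [(x - aug[r][c] * y) % P_MOD for x, y in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]
def matmul(a, b):
    return [[sum(x * y for x, y in zip(row, col)) % P_MOD for col in zip(*b)] for row in a]
# Public truncation matrix A = V^{-1} P V: V[k][i] = alpha_i^k, P keeps coefficients 0..t.
V = [[pow(a, k, P_MOD) for a in ALPHA] for k in range(N)]
P_TRUNC = [[int(i == j and i <= T) for j in range(N)] for i in range(N)]
A = matmul(matmul(inverse_mod(V), P_TRUNC), V)

def multiply_shares(f_shares, g_shares):
    """From degree-t shares of a and b, produce degree-t shares of a*b."""
    # Local products are shares of f*g (degree 2t); each party then adds shares of a
    # random degree-2t polynomial q_i with q_i(0) = 0 to randomise the non-free coefficients.
    h = [fi * gi % P_MOD for fi, gi in zip(f_shares, g_shares)]
    for _ in range(N):
        h = [(hi + qi) % P_MOD for hi, qi in zip(h, share(0, 2 * T))]
    # Truncation: P_j re-shares h(alpha_j) with degree t (resh[j][k] = P_k's share); every
    # P_k computes its share of sum_j A[j][i] h(alpha_j) = h~(alpha_i) and sends it to P_i.
    resh = [share(hj, T) for hj in h]
    w = [[sum(A[j][i] * resh[j][k] for j in range(N)) % P_MOD for k in range(N)] for i in range(N)]
    return [reconstruct(list(zip(ALPHA, w_i))) for w_i in w]  # P_i learns only h~(alpha_i)
```

The returned shares lie on a degree-${ t }$ polynomial with free coefficient ${ a \cdot b }$, so any ${ t + 1 }$ of them reconstruct the product, which is exactly the invariant the circuit evaluation maintains for every gate.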
While there are n coefficients, as discussed before this polynomial (uniquely determined from c⃗ ) is of degree 2t, so the higher-order coefficients are 0.
Are you sure this is the case? Can you elaborate further? I know this is mentioned in the link provided but it doesn't make sense to me. – tur11ng Jun 29 '22 at 10:32