Cryptographic primitives

Outline Preliminary Oblivious Transfer (OT) Random share based methods Homomorphic Encryption

ElGamal

Assumptions Semi-honest party assumption

Parties honestly follow the security protocol Parties might be curious about the

transferred data Malicious party assumption

The malicious party can do anything Transfer false data Turn down the protocol Collusion

Often, we can handle semi-honest + integrity verification

Public-key encryptionLet (G,E,D) be a public-key encryption scheme

G is a key-generation algorithm (pk,sk) GPk: public keySk: secret key

TermsPlaintext: the original text, denoted as mCiphertext: the encrypted text, denoted as c

Encryption: c = Epk(m) Decryption: m = Dsk(c) Concept of one-way function: knowing c, pk, and

the function Epk, it is still computationally intractable to find m.

*Check literature for different implementations

1-out-of-2 Oblivious Transfer (OT)

Setting Sender has two messages m0 and m1

Receiver has a single bit {0,1} and wants to learn m , but does not want the sender know which bit is selected.

Outputs Sender knows nothing about Receiver obtain m and learns nothing of

m1-

Assume that a public-key can be sampled without knowledge of its secret key (knowing pk only): The protocol is simplified with this

assumption Knowing pk but not knowing sk – tricky

to do that Both parties are honest

Protocol for Oblivious Transfer

Receiver (with input ): Receiver chooses one key-pair (pk,sk) and one

public-key pk’ (oblivious key generation), but does not know sk’.

Receiver sets pk = pk, pk1- = pk’

Receiver sends pk0,pk1 to sender

Sender (with input m0,m1): Sends c0=Epk0(m0), c1=Epk1(m1)

Receiver: Decrypts c using sk and obtains m.

Note: receiver can decrypt for pk but not for pk1-

Generalization Similarly, we can define 1-out-of-k

oblivious transfer

Protocol remains the same: Choose k-1 public keys for which the

secret key is unknown Choose 1 public-key and secret-key pair

Random share based method Settings

have >2 parties No collusion – semi-honest

Let f be the function that the parties wish to compute

Represent f as an arithmetic circuit with addition and multiplication gates Theoretically, any function can be implemented

with addition and multiplication

Goal: securely compute additions and multiplications

Random Shares Paradigm

Let a be some value: Party 1 holds a, distributes random

values ai to other parties (and party 1 knows a-ai)

Party i receives ai

Note that without knowing a-ai, and all random shares ai , nothing of a is revealed.

We say that the parties hold random shares of a.

Securely computing addition (xor for one-bit data) Party 1,2,3 own a,b,c respectively Generate random shares:

Party 1 has shares a1 , b1 and c1

Party 2 has shares a2 , b2 and c2

Party 3 has shares a3 , b3 and c3

Note: a1+a2 +a3 =a, b1+b2 +b3 =b, and c1+c2 +c3 =c

To compute random shares of output d=a+b+c Party 1 locally computes d1=a1+b1+c1

Party 2 locally computes d2=a2+b2+c2

Party 3 locally computes d3=a3+b3+c3

Note: d1+d2 +d3 =d The result shares do not reveal the original value of

a,b,c

Multiplication (2 parties)Simplified 2party case

Assume a, b are binary bit We work on “and” operation instead –

multiplication for one bit numbers

Input wires to gate have values a and b: Party 1 has shares a1 and b1

Party 2 has shares a2 and b2

Wish to compute c = ab = (a1+a2)(b1+b2)

Party 2’s shares are unknown to Party 1,but there are only 4 possibilities (depending on correspondence to 00,01,10,11)

Multiplication (cont)

Party 1 prepares a table as follows: Row 1 corresponds to Party 2’s input 00 Row 2 corresponds to Party 2’s input 01 Row 3 corresponds to Party 2’s input 10 Row 4 corresponds to Party 2’s input 11

Let r be a random bit chosen by Party 1: Row 1 contains the value ab+r when a2=0,b2=0 Row 2 contains the value ab+r when a2=0,b2=1 Row 3 contains the value ab+r when a2=1,b2=0 Row 4 contains the value ab+r when a2=1,b2=1

Concrete Example

Assume: a1=0, b1=1

Assume: r=1

Row

Party 2’s shares

Output value

1 a2=0,b2=0 (0+0).

(1+0)+1=1

2 a2=0,b2=1 (0+0).

(1+1)+1=1

3 a2=1,b2=0 (0+1).

(1+0)+1=0

4 a2=1,b2=1 (0+1).

(1+1)+1=1

The Protocol

The parties run a 1-out-of-4 oblivious transfer protocol

Party 1 plays the sender: message i is row i of the table.

Party 2 plays the receiver: it inputs 1 if a2=0 and b2=0, 2 if a2=0 and b2=1, and so on…

Output:

Party 2 receives c2=ab+r – this is its output Party 1 outputs c1=r

Problems with OT and RS

Theoretically, any function can be computed with addition and multiplication gates

However, as we have seen, it is not efficient at all Huge communication/computational

cost for the multiplication protocol

Homomorphic encryption They are “probabilistic encryptions”

using randomly selected numbers in generating keys and encryption

properties Homomorphic multiplication

Epk(m0) Epk(m1) = Epk(m0*m1) Without knowing the secret key, we can still calculate

m0*m1 Implementations: ElGamal method

Homomorphic addition Epk(m0)Epk(m1) = Epk(m0+m1) Implementation: Paillier method

ElGamal method System parameters (P,g)

Input 1n

P is a uniformly chosen prime |P|>n g: a random number called “generator”

keys Private key (P,g,x), x is randomly chosen Public key pk=(P, g, y): y = gx mod P (one way

function, computationally intractable to guess x given (P,g,y) )

Encryption: E(pk, m, k) = (gk mod P, mgk mod P), k is a

random number, m is plaintext

ElGamal’s Homomorphic property For two ciphertext

E(pk, m0, k0)= (gk0 mod P, m0gk0 mod P) =

(a0,b0) E(pk, m1,k1) = (gk1 mod P, m1gk1 mod P) =

(a1,b1)

E(pk, m0*m1, k0+k1)= (gk0+k1 mod P, m0*m1*gk0+k1 mod P)

= (a0*a1, b0*b1)

Paillier Encryption System parameters (p,q)

Input 1N

n=pq, and g = n+1

Encryption c=gmrn mod n2.

Decryption

Paillier homomorphic property E(m1, r1) * E(m2, r2) mod n2=

E(m1+m2 mod n) Multiplication is implemented in

partially encrypted form

Summary Three basic methods

Oblivious Transfer Random share Homomorphic encryption

We will see how to use them to construct privacy preserving algorithms