REU Group 2 - Paper

Range Queries Over Encrypted Data on Cloud

Christian Granier1 and Scott Payne2

1 New Jersey Institute of Technology2 Missouri University of Science and Technology

Abstract. While Cloud Computing allows for massive amounts of datato be outsourced to off-site servers, it is in the best interest of consumerswith sensitive information to encrypt their data before storage. Giventhe potentially large amount of encrypted data and the computationalresources required for decryption, performing various operations on en-crypted data becomes important.

Secure range queries over encrypted data is one such operation, and thesubject of our research. In this paper, rather than focusing on rangequerying itself, we shall experiment and analyze the underlying proto-cols and computations required for its implementation, such as SecureComparison (SC) and Secure Bit Decomposition (SBD). Various SC andSBD protocols that have been suggested in our related works will beexplored and tested, having each been implemented using a basic secretsharing scheme and the Paillier cryptosystem.

Keywords: Secure Comparison, Secure Bit Decomposition, Range Queries,Secret Sharing, Pallier Encryption, Multi-Party Computing

1 Introduction

With the increasing availability of cloud computing services, many companiesare now finding it more cost effective to store and maintain the data they col-lect on servers maintained by third parties. Cloud computing offers a convenientand cost effective method for storing, maintaining, and operating on large quan-tities of data, all available on an as needed basis. As the outsourcing of databecomes more and more common, issues of privacy and security for that dataare a pressing concern. For companies outsourcing sensitive data, the solutionhas been to first encrypt their data before migrating it to the cloud, to undoubt-edly insure the integrity of that data. However, the layer of security providedby this encryption step reduces the number of operations that can be performedon the data, remotely, without decrypting or revealing information about thatdata to the cloud service provider. One of the more common features of manyoutsourced database services is the querying of data. To allow this feature to beimplemented when data is encrypted, the operation of querying encrypted datamust be refined to run extremely efficiently and securely.

In this paper, we focus on the underlying protocols that make queries onencrypted data possible. Secure comparison (SC) and secure bit decomposition

(SBD) are the two most integral, but these also rely heavily on the simpleroperations of adding and multiplying two encrypted values. By making the SCand SBD operations more secure and efficient, the process of querying encrypteddata also becomes more practical. The work we have done has involved the im-plementation of these major protocols using C/C++ to build towards a workingapplication for performing queries on an encrypted database.

The benefit of implementing various different pre-existing protocols for SCand SBD is to verify their accuracy, while building a solid understanding of theirproposed workings. Implementations for two different cryptographic schemes, se-cret sharing and Pallier encryption, were explored and developed independently,with unique methods for performing the operations of comparison and bit decom-position on their forms of encrypted data. Through our work to design functionalapplications using these protocols, some small errors were found in the originallyproposed algorithms, and changes were made to make them perform as intended.In our working C/C++ code, the inner workings of these protocols is displayedclearly in a way that should be very easy to understand with basic knowledge ofthe C programming language.

2 Preliminary

2.1 Secret Sharing

Secret Sharing is a method for protecting sensitive data, much like other crypto-graphic schemes. It does this by dividing a secret value into multiple shares, tobe distributed to different parties for storage or future computations. The orig-inal secret value can only be known by reconstructing a predetermined numberof shares, requiring collusion between parties. Security is ensured by requiring anumber of shares to be compromised before any information can be determined,thus reducing the feasibility of security breach.

Mathematical operations can still be performed on distributed secret shares,without revealing the original value or the separate partys shares, through coop-eration between parties. By allowing operations to be performed on/with shares,it is not required to reconstruct original values each time. This allows multipleoperations to be computed in sequence, without ever reconstructing solutionsor revealing the answers to any party, until the desired end solution is reached.For purposes of simplicity, in our implementations for secret sharing a very basictwo-party form of additive shares are used. In this way, a number X is split intotwo shares, x1 and x2, such that:

X = (x1 + x2) mod N (1)

Where N is a public global value known by both parties. As operations areperformed, the results are returned as shares of their solution, such that eachparty holds a share of the completed operation. This allows more computations totake place on these resulting shares, any number of times, until a final solutionis reached and they are recombined by the participating parties to reveal thedesired information.

2.2 Paillier Encryption

The Paillier encryption scheme is an asymmetric cryptosystem that is additivelyhomomorphic; two keys are generated, a public key given by pk(N, g) and a secretkey given by sk(λ, µ). The two keys are generated by performing a number ofmathematical operations on two randomly generated large prime numbers. Thepublic key is made public and given to anyone that the key owner desires, asdata can be encrypted, but not decrypted, with just the public key. The secretkey however is usually kept only by the key owner, or shared privately only withthose that are allowed access to encrypted information. To encrypt an integer mand store it in value c, the equation

c = gm ∗ rn mod N2 (2)

is used. To decrypt c and return the initial message m, the equation used is

m =cλ mod N2 − 1

N∗ µ mod N (3)

The homomorphic properties of this cryptosystem are imperative to the se-cure computations we will be performing with it; the two properties in questionare the homomorphic addition and multiplication. Given the pair of encryptionand decryption functions given respectively as Epk and Dsk as well as two in-tegers a and b within ZN , the homomorphic properties state that the followingare true:

Addition: Dsk(Epk(a) ∗ Epk(b)) = a+ b mod N (4)

Multiplication: Dsk(Epk(a)b) = a ∗ b mod N (5)

Understanding these properties is important in our implementation of protocolsthat utilize the Paillier encryption scheme.

Another property to note that is commonly used in this paper is that N − 1is equal to −1 under ZN , meaning that the following operation is true:

Epk(x) ∗ Epk(y)N−1 = Epk(x) ∗ E(y)−1 = Epk(x) ∗ Epk(−y) = Epk(x− y) (6)

Raising Epk(y) by the exponent N − 1 computes the value of Epk(x− y) usingonly integers, as Epk(y)−1 would return a fraction otherwise.

2.3 Secure Multi-Party Computation

Multi-party computation is a method for parties to cooperatively compute afunction over their individual inputs, while preserving the privacy of these inputs.Consider a scenario with multiple parties, each holding an input value xi , thatwant to compute some output value based on all of their inputs. This can beaccomplished by exchanging messages and performing local computations, untilthe desired output is calculated and revealed to all parties.

For multi-party computation to be secure, privacy of the data must be se-cured in the face of adversarial behavior, by an external party or some of theparticipants. This security is addressed in different ways by our two previouslymentioned cryptographic schemes, secret sharing and Pallier encryption.

3 Related Works

3.1 Secure Multiplication

Our implementations of SC and SBD, within the secret sharing cryptographyscheme, rely heavily on multiplications between secret shared integers. For theselarger protocols to remain secure and perform efficiently, a solid implementationof secure multiplication was very important. Using the shared multiplicationalgorithm proposed in [4] as a base, a modified and more simplified version wasdesigned for our purposes. In our secure multiplication protocol, three parties areneeded, two with shares of the individual values to be multiplied and a third togenerate random numbers for purposes of masking the shares. The shares mustbe securely masked, so that they can be securely sent back and forth betweenthe first two parties and used in computations.

3.2 Secure Comparison

Secure Comparison (SC) is, on its own, essential to performing range queries,as secure data must be compared to determine the range in which it falls in.Additionally, SC is often a necessary component of secure bit decomposition(SBD), and other such operations on secure data. The goal of SC is (given twoparties, one holding two secure values) to compare the two values and return asecure result as to their relation (whether greater than or equal to or less thanor equal to), all without revealing the actual values and result to either party.

Existing methods of secure comparison have been researched and exploredfor the purposes of this paper, as well as the implementation of SBD protocols.One such method we explored computes the comparison of two integers with theinput of two shares from each integer, using the secret sharing method. [3] XORand Prefix-OR operations must be performed in the SC protocol, both of whichwere manually implemented with help from the Prefix-OR protocol suggestedin the paper. Using these operations, a Bitwise less-than protocol is suggested,which computes a secure output of whether the first input is less than the secondinput, all of which are masked by shares. This SC protocol is necessary in ourimplementation of secure bit decomposition that utilizes secret sharing.

Another method of SC we have explored utilizes two encrypted integers (en-crypted with the Paillier encryption scheme) as input, and computes an en-crypted result of their comparison. [2] In this implementation, two parties areused, the first which holds the two encrypted values to be compared and thesecond holds the private key, the public key being known to both parties. Us-ing a series of calculations that serves to mask both the original values and theresulting comparison from both parties, a result is computed for one of the twocomparison functions, greater than or less than, which is randomly chosen. Un-like the SC of secret shared values, this SC protocol is not necessary to performsecure bit decomposition on encrypted values.

3.3 Secure Bit Decomposition

Bit decomposition is the process of converting, or decomposing an integer intoits binary representation through a mathematical process; Secure Bit Decompo-sition is performing this operation on secure values without revealing the actualvalue to any party involved. In our research we explored two methods of SBD,one that securely decomposes secret shared values and one that securely decom-poses encrypted values.

Assuming two parties, each of which holds a share of a certain value, theshares can be converted into shares of each bit of said value using the protocoloutlined in [5]. This protocol utilizes both the secret sharing multiplication aswell as SC in order to carry out the operation. The input value is first maskedby a randomly generated number, in order to prevent the reveal of data, as twoshares of each bit of the input are computed then given to the two participatingparties.

SBD can also be performed on an encrypted integer, using two parties ofwhich one has an encrypted value, the second has a secret key, and the pub-lic key is known to both. [1] Using the homomorphic properties of the Pailliercryptosystem, the encrypted input is masked by a random number, and a seriesof calculations are performed between the two parties to produce the encryptedvalue of each bit of the input. This is accomplished without revealing any infor-mation about the encrypted value to the party that holds the secret key.

4 Problem Statement and Motivation

While performing range queries over encrypted data securely, especially withdata stored in the cloud, is important, the actual process of performing thesequeries is relatively simple. The established protocols for these range queriesare straightforward and sufficiently efficient, and require a large database ofencrypted data in order to test any range query algorithms. For this reason, wehave decided to instead research the underlying protocols and algorithms that,while not exclusively useful to range queries, are essential for it to function.

Our research brought us to two main methods of querying, one using Paillierencryption and one using the secret sharing method. With each method, wediscovered that secure bit decomposition is essential to querying, as the queriesare performed with binary values as opposed to integer values. In addition to theSBD protocol, other secure computation algorithms such as secure comparisonand secure multiplication were found; since secure comparison and multiplicationare necessary for our secret sharing implementation of SBD to function, weresearched and implemented these protocols as well.

Our two goals in the research and implementation of these protocols are asfollows: to verify the multi-party security and accuracy of each protocol by im-plementing each on a simulated multi-party environment, and to compare theefficiency, strengths, and weaknesses of the two main methods (Paillier encryp-tion and secret sharing) of each protocol.

5 System Architecture and Algorithms

5.1 GMP Library

The use of the GNU Multi-Precision library (GMP) was vital in facilitating theuse of encryption keys with bit lengths numbering in the thousands, much largerthan would be possible with standard primitive data types. Functions providedby the GMP library streamline the process of performing simple mathematicaloperations on extremely large numbers. By allowing the use of extremely largeencryption keys and encrypted values, our applications stayed truer to the needsof modern cryptography.

5.2 Multi-Party Computing

Multi-party computation (MPC) is an integral part of both cryptosystem im-plementations we worked on. All of the protocols described below require someamount of cooperation between multiple machines, in order to prevent informa-tion about the data being discovered in the process of their execution. Providingsecurity while using a single computing party would be impossible, because if itwere to be compromised all data would be lost.

In both of our implementations more than one machine are used to preserveprivacy of data during processing. To facilitate their cooperation we establisheda very simple communication network between machines, to allow data to betransferred as needed. Many rounds of communication are required, with com-putations taking place locally on each machine between the transferring of data.Computations are done in parallel whenever possible, to minimize downtime ofmachines and decrease the overall time required for operations to take place.

5.3 Sockets

Our communication network is comprised of a very basic client/server relation-ship between machines using sockets provided with the GNU C library. Therequirement for three machines to all be simultaneously connected is addressedby having each machine launch as both client and server. In this way, eachmachine both hosts a socket connection requested by one machine, while itselfrequesting a connection hosted by the remaining machine.

For our purposes, this primitive communication network fulfilled the basicsof what was required to perform computations with multi-parties. Without pre-vious knowledge of networking, no more time was spent than necessary creatingan efficient network to satisfy our requirements for implementing . This aspectof our implementations, including both the establishment of connections andtransferring of messages, could be greatly improved upon to increase the speedat which our applications perform.

5.4 Secure Multiplication

Secure multiplication is the most critical building block of our method for securecomparison of secret shared values. All of the communication required for se-cure comparison to take place is done within the multiplication of secret sharedvalues. Since secure comparison is in turn the most crucial part of secure bitdecomposition of secret shared values, the multiplication protocol contains thevast majority of communications for the entire proposed implementation of rangequeries on data encrypted with a secret sharing scheme.

Our implementation of secure multiplication was heavily influenced by theprotocol presented in [4]. However, many changes were made to simplify andstreamline the process for our purposes. The basic concept is explained verywell in [4] and is still followed by our modified protocol, but our final algorithmsdiffer greatly from the ones proposed. Only the very similar underlying equationis examined here.

Assuming the two parties, P1 and P2, want to multiply two secret sharedvalues, x1 and x2, it is noticed that:

(x1 + a1) ∗ (x2 + a2) = x1 ∗ x2 + x1(x2 + a2) + x2(x1 + a1)− a1 ∗ a2 (7)

which allows the desired product x1 x2 to be expressed as:

x1 ∗ x2 = (x1 + a1) ∗ (x2 + a2)− x1(x2 + a2)− x2(x1 + a1) + a1 ∗ a2 (8)

The multiplication protocol used in our implementation still takes advantage ofthis simple algebraic equation. Through the use of the random values a1 and a2,generated by a third party, P1 and P2 are able to mask their respective sharesto be securely transmitted and used in local computations by each other. Theselocal computations produce different segments of the above equation, held byeach party, that become their new share values of the product x1 ∗ x2. Thedifferences in our modified protocol and the one suggested here by [4] lie inthe distribution of the random values a1 and a2 , explained in our later sectioncovering our own implementation.

5.5 Secure Comparison

Our implementation of secure comparison is directly based off the protocol pro-posed in [3] and detailed by Algorithm 1. This BIT-LT protocol compares twobitwise shared values to determine whether one is less than the other. The endresult is a secret shared value of either a 1 or 0 corresponding to the result ofthe functionality a < b, with 1 indicating that the functionality is true and 0indicating false. In the initial for loop, a bitwise XOR function is computed, re-turning bitwise shared values to P1 and P2 of the value A XOR B, representedby [e]p , where A and B are the plain-text values represented by the bitwiseshares [a]B and [b]B . This is done using the simple algebraic equation:

A XOR B = A+B + 2 ∗ (A ∗B) (9)

Algorithm 1 Bit LT([a]B , [b]B)→ [c]P1: for i = 0→ l − 1: do2: [ei]P ← XOR([ai]P , [bi]P )3: end for4: ([fl−1]P , . . . , [f0]P ) = PREV ([el−1]P , . . . , [e0]P )5: [gl−1]P = [fl−1]P6: for i = 0→ l − 2: do7: [gi]P ← [fi]P − [fi+1]P8: end for9: for i = 0→ l − 1: do

10: [hi]P ← MULT([gi]P , [bi =P )11: end for12: [h]P ←

∑l−1i=0[hi]P

13: Output [h]P

where each partys shares of A and B are used to locally construct shares ofA+B and a single secret multiplication operation is used to to compute sharesof the product A ∗B, all carried out for each bitwise share. The purpose of thisis to pinpoint the location of bit differences in the original values A and B, whilepreserving the privacy of their values.

Using the result of the previous XOR operation, a preOR function is calcu-lated on the bitwise shares of [e]p by first copying the most significant bitwiseshares in [e]p to [f ]p and then computing an OR operation on each followingbitwise share with the one before it using the equation:

A OR B = A+B +A ∗B (10)

carried out in the same way as the previous XOR computation. The purposeof this is to locate the most significant bit (MSB) difference between A and B,represented by the first location of a 1 in the value A XOR B, and replace allsubsequent bits with 1s.

After this preOR calculation has been made, a calculation can be made on thebitwise shares in [f ]p to further isolate the location of the bitwise shares of theMSB different between A and B. To accomplish this, first the MSB bitwise sharesof [f ]p are copied to [g]p , and then each subsequent bitwise share is subtractedfrom the previous one. The end result of this operation is a bitwise shared binaryvalue with a single 1, representing the location of the MSB difference betweenA and B.

Once the MSB difference between A and B is isolated, a bitwise secure mul-tiplication can be performed between each bitwise share of [g]p and [b]B . Thisresults in a bitwise shared binary value with either a 0 or a single 1 in place ofthe MSB difference location. If a 0 is calculated at this location, B is less thanA, as in this case the binary value B contained a 0 in the place of the MSB dif-ference, because (0 * 1) = 0. Otherwise, if a single 1 is calculated in this bitwisemultiplication, A is less than B, because B contained a 1 in the location of theMSB difference.

After this final bitwise shared binary value is calculated, all that is left is asummation of each bit, resulting in bitwise shares of either a 1 or 0. In this way, asecure comparison is computed on two bitwise shares and further computationscan be carried out on them, without revealing the result of the comparison toeither party, unless cooperatively reconstructed.

The Paillier encryption version of the SC method, given by Algorithm 2, [2]assumes the use of an additively homomorphic cryptosystem, in this case Pail-liers, with public key pk(N, g) and secret key sk(λ, µ), as well as two parties, P1

and P2. P2 holds both the private and public keys, while P1 holds the encryptedvalues to be compared, Epk(a) and Epk(b) (where 0 ≤ a, b ≤ 2m, meaning botha and b are less than m bits), as well as the public key. This setup gives P2 theability to encrypt and decrypt data, P1 the ability to encrypt data, and providesthe encrypted integers to the party that is unable to decrypt them, keeping thedata secure. The goal of this algorithm is to determine the functionality c : a ≥ b,where c = 1 if true and c = 0 if false. The result, c, is calculated in a fashionthat hides it from both parties.

The algorithm begins with P1 calculating l = 2−1 mod N . P1 then randomlychooses a functionality, between a ≥ b and b ≥ a + 1, denoted by F . This isa temporary functionality, used to mask the result of the operation from bothparties; the overall goal of the algorithm is still the comparison a ≥ b. If thefunctionality a ≥ b is chosen, then the encrypted value of a− b is determined byperforming the following calculations:

Epk(d) = Epk(a− b) = Epk(a) ∗ Epk(b)N−1 (11)

Similarly, if the functionality b ≥ a+1 is chosen, the encrypted value of b−(a+1)or b− a− 1 is computed as below:

Epk(d) = Epk(b− a− 1) = Epk(b) ∗ Epk(a+ 1)N−1 (12)

where Epk(a+ 1) = Epk(a) ∗Epk(1). All of these calculations are made possibleby the Paillier cryptosystems homomorphic properties.

The result of this calculation is assigned to Epk(d), where Epk(d) is thenassigned to δ. P1 and P2 then begin computing the encrypted value Epk(d′).First, P1 masks the value of Epk(d) by multiplying τ = δ ∗ Epk(ri) where riis a random number in ZN ; τ is then sent to P2 and decrypted, the previousoperation serving to randomize the result, making it impossible for P2 to knowthe value of d. The decrypted value, denoted as τ , is then examined, and thevariable s is set to Epk(0) if τ is even, and Epk(1) if τ is odd. s is then sent toP1, where Epk(di) is set to either s if the above ri is even, or Epk(1) ∗ sN−1 if riis odd. Epk(d′) is then updated each iteration by multiplying Epk(di), resultingin Epk(d′) = Epk(

∑mi=1 di). P1 then updates δ to Epk(bd2c) by performing the

calculations:φ = δ ∗ Epk(di)

N−1 (13)

δ = φl (14)

Algorithm 2 PallierSecureComparison(Epk(a), Epk(b))→ Epk(c)

Require: P1 holds Epk(a) and Epk(b) where a and b are not known to either parties,and 0 ≤ a, b ≤ 2m. The Public and secret keys, pk(N, g) and sk(λ, µ), are knownto P2, while only the public key is known to P1

1: P1:

(a) l← 2−1 mod N and d′ ← 0(b) Randomly choose the functionality F(c) if F : a ≥ b then Epk(d)← Epk(a− b)

if F : b ≥ a+ 1 then Epk(d)← Epk(b− a− 1)(d) δ ← Epk(d)

2: for i = 1→ m do:

(a) P1:

• τi ← δ ∗ Epk(ri), where ri ∈ ZN

• Send τi to P2

(b) P2:

• τ ′i ← Dsk(τi)• if τ ′i is even, then si ← Epk(0)

else si ← Epk(1)• Send si to P1

(c) P1:

• if ri is even, then Epk(di)← sielse Epk(di)← Epk(1) ∗ sN−1

i

• Epk(d′)← Epk(d′) ∗ Epk(di)2i−1

• φ← δ ∗ Epk(di)N−1 and δ ← φl

• if i = m then

- G← Epk(d) ∗ Epk(d′)N−1

- G′ ← Gr, where r ∈ ZN

- Send G′ to P2

3: P2:

(a) Receive G′ from P1

(b) if Dsk(G′) = 0 then c′ ← 1else c′ ← 0

(c) Send Epk(c′) to P1

4: P1:

(a) Receive Epk(c′) from P2

(b) if F : a ≥ b then Epk(c)← Epk(c′)if F : b ≥ a+ 1 then Epk(c)← Epk(1) ∗ Epk(c′)N−1

These operations serve to securely compute Epk(d − d′), where Epk(d) is

defined as above, and Epk(d′) is defined by∑ij=1 dj∗2j−1. The result, Epk(d−d′),

is computed in the final round of the protocol and assigned to the variable G byperforming G = Epk(d) ∗Epk(d′)N−1. The value of d− d′ is then randomized byperforming G′ = Gr, where r is a random number under ZN , multiplying d− d′by a random number and disguising it from P2. P2 then receives and decryptsG′, and sets the value c′ = 1 if Dsk(G′) = 0, or c′ = 0 otherwise. The encryptedvalue of this, Epk(c′) is then sent to P1, where depending on the functionality,the result is determined by Epk(c) = Epk(c′) if the functionality F is given asa ≥ b, or Epk(c) = Epk(1) ∗ Epk(c′)N−1 otherwise, where c is either 1 or 0, andis the final result of the comparison a ≥ b.

5.6 Secure Bit Decomposition

For secure bit decomposition of secret shared values, Algorithm 3 is used. [5]The protocol takes [X], a single share of an integer X, where 0 ≤ X ≤ 2m − 1;additionally, the secret sharing scheme uses the integer N as its global modulusvariable. The intended output of the algorithm is a single share of the bitwiserepresentation of X, denoted by ([Xm−1], . . . , [X0]), or more easily as [X]B .

First, a random number r within ZN is generated and bitwise shared, andthe output of X+r mod N is computed, denoted by the variable c. The variablec′ is then calculated as c′ = c+N . A secure comparison of the bitwise share ofr and c is then performed, to determine if [r]B is greater than c. The result, [f ],is a share of 1 or 0, representing true or false respectively. A bitwise share of c̄is then computed using the formula

[c̄i] = [f ] ∗ (c′i − ci) + [ci] (15)

where the unshared bits in the ith position of c′ and c are subtracted, multipliedby the share [f ], then the share of the bit in the ith position of [c]B is added.

Algorithm 3 SecretSharingSBD([X])→ ([Xm−1], . . . , [X0]).

1: [r]B ∈ ZN

2: c← output([X] + [r]B)3: c′ ← c+N4: [f ]← [r]B >?c5: for i = 0→ m do6: [c̄]B ← [f ] ∗ (c′i − ci) + [ci]7: end for8: [c̄]B ← ([c̄m], . . . , [c̄0])9: [X mod 2m]← [X]

10: for i = m− 1→ 1 do11: [ui]← [r mod 2i]B >?[c̄ mod 2i]B12: [X mod 2i]← [c̄ mod 2i]− [r mod 2i] + 2i ∗ [ui]13: [Xi]← 2−i ∗ ([X mod 2i+1]− [X mod 2i])14: end for

This computes [c̄]B , a bitwise share of c̄, where c̄ is the true value of X + r.These calculations are necessary to compute c̄, as in the initial output of addingthe shares of X and r, the result is modulo N , as per the rules of secret sharing.If the true value of X + r is in fact greater than N , then simply computing c isproblematic. Thus, c̄ = X + r is computed in this fashion.

Following this, the calculation of the bitwise share of X is started. First, thevalue of [X mod 2m] is set equal to the input share [X]. Then, starting fromm− 1, the comparison of [r mod 2i]B and [c̄ mod 2i]B is computed, resulting inthe share [ui]. This notation means that, for example, [r mod 2i]B would be thei least significant bit shares of r, or the shares of the rightmost i bits. Followingthis comparison, [X mod 2i] is calculated like so:

[X mod 2i] = [c̄ mod 2i]− [r mod 2i] + 2i ∗ [ui] (16)

where [c̄ mod 2i] and [r mod 2i] are the integer shares of [r mod 2i]B and [c̄ mod2i]B , computed by the equation [z] =

∑mi=0 2i ∗ [zi]. Next, the calculation

[Xi] = ([X mod 2i+1]− [X mod 2i]) ∗ 2−i (17)

is performed. In the initial case of i = m − 1, the previously set value of[X mod 2m] is used as [X mod 2i+1]. The operation [X mod 2i+1]− [X mod 2i]is equal to 2i ∗ [Xi], thus the multiplication by 2−i. Thus, a share of the ith bitof X is calculated; the loop is then repeated until a share of every bit of X iscalculated.

Algorithm 4, the algorithm for encrypted SBD [1] utilizes the Paillier cryptosys-tem, and is performed without the need for secure comparison. We assume twoparties, P1 and P2, where P2 holds both the secret key sk(λ, µ) and the publickey pk(N, g), while P1 holds the public key as well as an encrypted value Epk(z),where z is the integer to be securely decomposed, and 0 ≤ z ≤ 2m. Epk(z) is theinput of this algorithm, with the encrypted binary representation of z, denotedby Epk(z1), . . . , Epk(zm), being the intended result.

P1 begins by computing the modular multiplicative inverse of 2 and N , stor-ing the value in variable a. The encrypted input Epk(z) is then set to the variableU . With z being less than m bits, each bit of z, from 1 to m, is computed.

For each step from 1 to m, P1 disguises the value of z by first adding arandom bit rb to z, calculated by Epk(z) ∗ Epk(rb) and stored in variable L. Lis then raised to the power of a and multiplied by Epk(r), where r is a randomnumber under ZN , and stored in the variable M . M is represented as:

M = L′ ∗ Epk(r)

= La ∗ Epk(r)

= (U ∗ Epk(rb))a ∗ Epk(r)

= (Epk(z) ∗ Epk(rb))a ∗ Epk(r)

= Epk(a ∗ (z + rb) + r)

Algorithm 4 PallierSBD(Epk(z))→ [Epk(z1), . . . , Epk(zm)]

Require: P1 holds Epk(z) where z is not known to either parties, and 0 ≤ z ≤ 2m.The Public and secret keys, pk(N, g) and sk(λ, µ), are known to P2, while only thepublic key is known to P1

1: P1:

(a) a← 2−1 mod N(b) U ← Epk(z)

2: for i = 1→ m do:

(a) P1:

• L← U ∗ Epk(rb), where rb is a random bit• L′ ← La

• M ← L′ ∗ Epk(r), where r is a random number in ZN

• Send M to P2

(b) P2:

• Receive M from P1

• M ′ ← Dsk(M)• M ′k ← IP(M ′, k)• W ← Epk(M ′k)• Send si to P1

(c) P1:

• Receive W from P2

• rk ← IP(r, k)• H ←W ∗ Epk(N − rk)

• H ′ ← Hr′ where r′ is a random number in ZN

• Send H ′ to P2

(d) P2:

• Receive H ′ from P1

• τ ← Dsk(H ′)• if τ is even, then β ← Epk(0)

else β ← Epk(1)• Send β to P1

(d) P1:

• Receive β from P2

• τ ← Dsk(H ′)• if rb = 0 then Epk(zi)← β

else Epk(zi)← Epk(1) ∗ βN−1

• V ← U ∗ Epk(zi)N−1

• U ← V a

This calculation holds for the first iteration, where U is equal to E(z). P2 thenreceives M , and receives M ′ after decryption. The IP function, which returnsthe integer corresponding to the k-bit prefix of M ′, is then used. [1] In thisalgorithm, k is a randomly generated number between 1 and K−m, where K isthe bit length of N , and m is the bit length of z; the IP function takes the k-mostsignificant bits of the binary value of M ′, or the k left-most bits, and convertsthem to an integer. This integer is stored in the variable M ′k, encrypted, and sentto P1. P1 receives this value, stored in the variable W , and performs the sameIP function on the previously generated random number r, storing the result invariable rk. H = W ∗ Epk(N − rk) is then calculated, where, by homomorphic

properties, H = Epk(M ′k − rk); H is then masked by the operation H = Hr′

(where r′ is a newly generated random number within ZN ) and sent to P2.If we give z′ as z′ = z + rb, then the previous operations will result in

M ′k − rk = 0 if z′ is even, and M ′k − rk 6= 0 otherwise. Thus, when P2 decryptsH ′, if the result is 0, the variable β is set to Epk(0), or Epk(1) if the result is notequal to zero. In standard binary decomposition, a bit is set to 1 if the currentU is odd, and 0 if even. In this algorithm, P2 calculates either 1 or 0 based onwhether z′ is odd or even; since z′ hides the integer z by adding a random bit,P2 is given no information about the integer z as a result.

When P1 receives β, the encrypted bit, or Epk(zi) is then computed. If therandom bit rb = 0, then z′ = z, and Epk(zi) = β. However, if rb = 1, thenz′ = z + 1, meaning the value of β is incorrect; in the latter case, the correctresult is determined by calculating

Epk(zi) = Epk(1) ∗ βN−1 (18)

In this case, Epk(zi) = Epk(1) ∗βN−1 = Epk(1−Dpk(β)) = Epk(z mod 2). Withthese calculations, Epk(zi) is calculated then stored. U is then updated to thevalue of Epk(b z2c) by calculating

V = U ∗ Epk(zi)N−1 (19)

U = V a (20)

and the loop repeats with the updated value of U , continuing until each en-crypted bit of z is calculated and stored. Based on the calculations performed inthe protocol, no information about either z or the binary value of z is revealedto either P1 or P2.

6 Implementation and Experiments

6.1 Experiment Setup

The programming environment for our implementation of these researched al-gorithms consists mainly of three separate virtual machines, each with a cur-rent version of Ubuntu installed. Each virtual machine has a functioning GNUC/C++ compiler with the GMP library installed as well. Our programs use the

C++ language, using the GMP librarys custom functions for the mathematicaloperations on GMP integers. In order to communicate between the three virtualmachines, socket connections are used to connect the machines through an in-ternal network. Our implementation of socket communication can only send anarray of characters between parties, whereas we require large GMP integers tobe sent; this is remedied by custom functions that first convert a GMP integerinto a character array, send the array to the receiving party, and then convertthe character array back to a GMP integer upon receival on the other side. Threeseparate programs are created, one for each machine with their correspondingrole in the algorithm, and distributed to each machine. Each program is thenrun in sequence, and the protocols are carried out.

6.2 Secret Sharing

For our implementation of secret sharing, three machines launch applicationswith C++ code written to take place between communications in a certain order.To set up a simulation for multi-party computation to take place, party 3, P3,generates two random GMP integers and finds the next biggest prime numbersin order to create a global modulus variable N , as a product of two large primes.The variable N is then written to a socket, sending it to parties 1 and 2, P1 andP2. Using N , P1 and P2 randomly generate the original plain text values to beoperated on, A for P1 and B for P2, within the domain of N . These plain textvalues are then split into two shares, so that a share of each can be exchangedbetween the two parties. P1 splits the value A into two shares, a1 and a2 , andsends a2 to P2 to be used in calculations. Simultaneously, P2 does the samewith the value B, splitting into two shares, b1 and b2 , and sending b1 to P1

to be used in calculations. This leaves P1 with knowledge of shares a1 and b1,and P2 with knowledge of shares a2 and b2, setting up the required scenario formultiplication, secure comparison, and secure bit decomposition to take place.

Secret Sharing - Secure Multiplication The multiplication protocol usedin our implementation takes advantage of the following equation:

x1 ∗ x2 = x2(x1 + r1) + r3 − r1(x2 + r2) + r1 ∗ r2 − r3 (21)

which is very similar to the one proposed in [4], with changes concerning the useof random numbers to decrease the participation required by a third party.

The equation can be split into two parts to be locally computed by P1 andP2 in the following way:

x1 ∗ x2 = [x2 ∗ (x1 + r1) + r3]P2+ [−r1 ∗ (x2 + r2) + c]P1

(22)

where c = r1 ∗ r2 − r3.In this method for the different parties to perform their local computations

they need only know the one or two of the random values, not all three, in orderto mask their own shares and build the equation in a way that when recombined

eliminates all random values from the product. The steps of cooperation for theseshares to be calculated are made clear in working C/C++ implementation, butwill be explained briefly here.

For the secret shared product of a1 ∗ b2 to be computed cooperation betweenP1, P2, and P3 must take place, since neither P1 nor P2 has access to bothshares. The random numbers required for this operation ( r1 , r2 , and r3 )must be generated by P3 to allow masking of shares to be done without allowingthe parties to unmask them upon receival. After these three random values arecalculated P3 must combine them to calculate the value c = r1 ∗ r2− r3 . P3 canthen transfer the values of r2 and r3 to P2 and the values of c and r1 to P1.

Now that P1 and P2 hold their respective random values, P3 is no longeran active participant in calculating the shares of a1 ∗ b2 . The two parties cannow mask their shares to be shared with each other for computations. P1 addsr1 to a1 and sends the value (a1 + r1) to P2 for local computations, withoutcompromising the privacy of the share a1. Simultaneously, P2 adds r2 to b2 andthen sends the value (b2 + r2) to P1 for their own local computations.

After all of these data transmissions have taken place P1 and P2 have all ofthe data they need to construct their shares of the secret shared product a1 ∗ b2.The same procedure is repeated for the product a1 ∗ b2, which sets up P1 andP2 to calculate their shares of the desired product A ∗B based on the followingequation:

(a1 + a2)(b1 + b2) = a1 ∗ b1 + a1 ∗ b2 + a2 ∗ b1 + a2 ∗ b2 (23)

Here P1 is able to locally compute the product a1 ∗ b1 since it has knowledge ofboth shares, while P2 is able to locally compute the product a2 ∗ b2 . With theseproducts and their secret shared values of the products a1 ∗ b2 and a1 ∗ b2 thefollowing distributed shares of the equation are established:

A ∗B = [A ∗B]P1 + [A ∗B]P2 (24)

[A ∗B]P1 = a1 ∗ b1 + [a1 ∗ b2]P1 + [a2 ∗ b1]P1 (25)

[A ∗B]P2 = a2 ∗ b2 + [a1 ∗ b2]P2 + [a2 ∗ b1]P2 (26)

where the notation [a1 ∗ b2]P1 represents the secret share held by P1 of theproduct a1 ∗ b2 .

Secret Sharing - Secure Comparison All communication required for se-cure comparison to be done on secret shared values takes place in the use ofmultiplication. Using multiplication, XOR and OR operations are done on thesecret shared values to result in a final true or false value for the functionality ofA < B, with a 1 representing the truth of the functionality and a 0 representingfalsity. The operation of this is shown in the implemented code, but follows thesteps exactly from the protocol proposed in [?] and explained earlier in section5.5.

Using the GMP library, bitwise shares of each bit in A and B were createdand stored in arrays of GMP integers with length equal to the bit size of the

global modulus value N . The XOR and preOR operations were then calculatedon these arrays of bitwise shares, bit by bit, to reach the final shares of a 1 or 0representing the desired true or false solution.

Secret Sharing - Secure Bit Decomposition Our implementation of securebit decomposition using secret sharing utilizes three parties; P3 acts as a trusteddata owner, who generates the secret sharing modulo N as well as the inputinteger x, providing P1 and P2 with separate shares of x. This protocol uses boththe above secure comparison protocol and the secure multiplication protocol,requiring communication between all three parties for much of the algorithmscalculations. As the output, both P1 and P2 are left with a share of the binaryvalue of x, meaning each party holds an array of shares that, when combinedwith the other party, each share corresponds to either 1 or 0, resulting in thebinary value of x.

After P3 generates and distributes N and the shares of x, it generates arandom number r, in binary form, and sends a binary share to each party;additionally, the variable c is computed by P3 as the value of x+ r mod N , andsent to both parties.The ensuing calculations are the same for P1 and P2, asthey each compute their own binary share of x in tandem.

First, the value c′ is computed as c+N . A secure comparison between r andc is then performed between P1 and P2, with each holding a separate share ofthe result. Both parties then begin their calculations of the bitwise share of c̄,using the equation

[c̄i] = [f ] ∗ (c′i − ci) + [ci] (27)

where c̄ is the true value of x+ r.Following this, the calculation of each bitwise share of x is started. First,

the value of [x mod 2m] is set equal to the input share [x]. Then, starting fromm− 1, the comparison of [r mod 2i]B and [c̄ mod 2i]B is computed, resulting inthe share [ui]. Following this comparison, [x mod 2i] is calculated like so:

[X mod 2i] = [c̄ mod 2i]− [r mod 2i] + 2i ∗ [ui] (28)

where [c̄ mod 2i] and [r mod 2i] are the integer shares of [r mod 2i]B and [c̄ mod2i]B . Next, the calculation

[xi] = ([x mod 2i+1]− [x mod 2i]) (29)

is performed. In the initial case of i = m− 1, the previously set value of [x mod2m] is used as [x mod 2i+1]; the loop is then repeated until a share of every bitof x is calculated.

The resulting bitwise shares [x]B is not yet complete. The algorithm requiresthe division of each resulting share by 2i; however, in this implementation, weare using GMP integers, and most shares will result in a fraction when dividedby 2i. While we could use GMP floating point numbers to represent the result,we fear the loss of accuracy due to rounding in that implementation. Therefore,the resulting share is not divided by 2i initially, but rather at the end; once P1

and P2 compute their shares, they are sent to P3 where the shares are properlycombined and finally divided by 2i, which results in the correct bit value. Thoughan extra step is needed in the combination of the resulting bitwise shares, theresult is accurate.

6.3 Paillier Cryptosystem

In order to test the secure algorithms that utilize an additively homomorphicasymmetrical encryption scheme, we first had to implement such a scheme prac-tically in the C++ language. Paillier encryption scheme was chosen, as it is thescheme that was used in the papers that proposed these algorithms. Using theGMP library to facilitate sufficiently large numbers, two prime numbers of anequal bit size (a bit size that is easily adjustable for more secure key generation)were generated, denoted as variables p and q. The public key and secret key,denoted as pk(N, g) and sk(λ, µ), were computed thusly:

N = p ∗ qg = N + 1

λ = (p− 1) ∗ (q − 1)

µ = λ− 1 mod N

The public and secret keys, after being generated by an assumed trusted thirdparty, were then distributed amongst two parties, with the usual case being oneparty holding the public key while the second party held both the public andthe secret key.

Functions for encrypting and decrypting messages were also created in orderto simplify the code. The function for encryption carried out the equation c =gm ∗ rN mod N2 where m is the input integer and c is the output result, and

the function for decryption carried out the equation m = cλ mod N2−1N ∗ µ mod

N where c is the input encrypted integer and m is the output result. Thesefunctions, as well as the method of generating the public and secret keys, weresufficiently tested beforehand, and verified to be correct with a very high degreeof certainty

Although each of the algorithms requiring Paillier encryption scheme requiredonly two parties in order to carry out the calculations, a third party was used ineach implementation; this third party acted as a uninvolved and trusted thirdparty, akin to a system administrator, who generates the encryption keys, dis-tributes them amongst the two parties, and encrypts the initial input integer(created either by random number generation or direct input from the user) tobe distributed as well. Though the third party is important in setting up thealgorithms, it does not take place in any calculations.

Paillier Cryptosystem - Secure Comparison Our implementation of securecomparison assumes a setup of three parties: P1, who holds the public key andthe two encrypted inputs, Epk(x) and Epk(y); P2, who holds both the public key

and the private key; and P3, who as previously explained, exists only to generatethe encryption keys, create and encrypt the input integers, distribute the dataamongst the other two parties, and receive and display the result at the end ofthe protocol, in order to verify its correctness. Though P3 is vital to the setup ofthe protocol, it does not partake in any calculations, and its role could be easilyexcluded from our implementation by manually providing P1 and P2 with thedata instead.

After the encryption keys and input values are distributed, P1 begins by firstcalculating a as the modular multiplicative inverse of 2 and N , and choosingthe random functionality F , with either F : x ≥ y or F : y ≥ x + 1. Thisfunctionality is decided with a random generation of a 1 or 0, akin to a coin flip,with 0 representing the former functionality and 1 representing the latter. Thisvalue is then stored in a variable F (known only to P1).

The implementation proceeds to faithfully follow the proposed algorithmfrom [2]. P1 disguises the encrypted value of d (set to either x− y or y − x− 1,depending on the functionality chosen) by homomorphically adding a randomnumber. This value, denoted by variable τ , is then securely sent to P2 using asocket function for sending and receiving GMP integers. P2 receives τ , decryptsit, and computes variable s as the encrypted value of 0 if the decrypted τ iseven, and computes s as the encrypted value of 1 otherwise. s is then sent toP1. P1 proceeds to, following the proposed algorithm, update d′ and δ; with theupdated value of δ, P1 begins the loop again, beginning with the computationof τ . This loop carries on for m iterations, where 0 ≤ x, y,≤ 2m. Each iterationof this loop sees two instances of communication between P1 and P2: once whenP1 sends τ to P2, and once when P2 sends s to P1.

At the final iteration of this loop, P1 computes G′ by accurately following theproposed calculations. G′ is then sent to P2, where it is decrypted and examined.If the decrypted value is equal to 0, then the variable c′ is set to 1; otherwise,c′ is set to 0. c′ is then encrypted and sent to P1. If the functionality F is equalto 0 (F : x ≥ y), then the final result, Epk(c), is set equal to Epk(c′); if F = 1(F : y ≥ x + 1), then further calculations are taken out to securely convert thevalue of c′ to its opposite (c = 0 if c′ = 1, and c = 1 if c′ = 0). This result,Epk(c), is then sent to P3, where it is decrypted and the result, c, provides theresult of the comparison x > y, where c = 0 denotes false and c = 1 denotestrue. This result is computed in such a way that neither P1 nor P2 may everknow the values of either integer x or y, nor the true value or meaning of theresult. Overall, the amount of necessary communications that take place can begiven as n = 2 ∗ (m+ 1).

Paillier Cryptosystem - Secure Bit Decomposition The protocol for se-cure bit decomposition follows the same general setup as secure comparison, withthree parties, party 3 generating and distributing the encryption keys and inputinteger, and parties 1 and 2 carrying out the actual calculations. P3 is used toprovide this context as well as receive and display the final result to be checkedfor accuracy.

P1, after receiving the public key and encrypted integer z to be securelydecomposed, begins by computing a as the modular multiplicative inverse of 2and N. Within a loop, P1 performs a series of computations to calculate variableM , which is equal to Epk(a∗(z+rb)+r), and sends M to P2. M is then decryptedand stored in the variable M ′, and P2 proceeds to compute M ′k as the integercorresponding to the k-bit prefix of M ′ (where 1 < k < K −m, where K is thebit length of N , m is the bit length of z, and k is known to both parties) andsends this value to P1.

While [1] made no specifications as to k other than the range, we found thatsimply assigning it to a random number between 1 and K −m would result inerrors in the decomposition, returning incorrect binary values. By setting k tohalf of the value of K −m, however, the protocol ran and output as intended.

After calculating the integer corresponding to the k-bit prefix of a previouslygenerated random number and storing it in the variable rk, the encrypted valueof M ′k−rk is then calculated by P1 through homomorphic operations. This result,masked by a random number and denoted as variable H ′, is then sent to P2. P2

decrypts this value, left with the value of (M ′k − rk) ∗ r′. If this value is equal to0, then the value of z+ rb is even, so the variable β is set to the encrypted valueof 0; otherwise, if the decrypted value is not equal to 0, then the value of z + rbis odd, and β is set to the encrypted value of 1. β is then sent to P1, where it iseither set as the encrypted ith bit of z if the initial rb = 0, or the opposite of β iscomputed (Epk(0) if β = Epk(1), or Epk(1) if β = Epk(0)) if rb = 1. Afterwards,P1 securely computes the value of b z2c with homomorphic operations, and theloop is repeated.

This loop sees i iterations, from 1 to m, each time computing the encryptedvalue of the ith bit of z, known only to P1. Each iteration sees 4 instances ofcommunication between P1 and P2, with the total instances of communicationbeing given as n = 4 ∗m. P1 then sends an array storing each encrypted bit of zto P3, to be decoded for the sake of verifying the correctness of this algorithm.

6.4 Analysis

With the successful implementation of the above protocols, we were able toexperiment and run tests with both implementations. With two main encryptionmethods used for different implementations of the same concept, we were ableto compare the efficiency of the two variations.

As the Table 1 shows, efficiency for all of the implemented protocols wasmeasured in clock cycles. This represents the amount of resources occupied oneach machine throughout the execution of each implementation. We chose thismethod of testing, so the results would apply universally to all machines, sincethe resources available may affect the actual (calendar) time in which an imple-mentation executes.

Tests of the protocols for each implementation were run 20 times, to providean accurate average of their CPU usage during execution. Clock usage was mea-sured for only the execution of the code pertaining to the proposed protocols,

not for the setup of the scenario in which they were used. The generation of ran-dom values to be compared/decomposed and various other non-essentials wereignored when testing.

Table 1. Party Clock Cycles

Party Secret Sharing SC Secret Sharing SBD Paillier SC Paillier SBD

P1 114967 458592 10124 24701

P2 121037 433747 9559 23211

P3 144744 527766 - -

Total 380747 1420105 19682 47912

Analysis - Secure Comparison Separate implementations of secure compar-ison had vastly different CPU usage averages. As seen in Table 1, the imple-mentation of SC for Pallier encryption required less than a tenth of the CPUresources as the secret sharing alternative. This was attributed mostly to theinefficiency of our communications with sockets, which the secret sharing im-plementation requires much more of than the pallier one. However, since bothimplementation were using the same methods for communication, the outcomeis still roughly comparable. If the communication method is improved for one,it is improved for both.

Another benefit of the Pallier implementation for SC was that it requiredparticipation from one less machine. Party 3 for the implementation of thisprotocol was only required for setting up the scenario in which a comparison isused, and in no way participated in the actual comparison of data.

Future work here would involve first and foremost improving the efficiencyof message sending between sockets. This would vastly improve the overall ef-ficiency of the entire protocols. This improvement would also greatly improvethe comparability of these implementations when judging their viability in realworld usage.

Analysis - Secure Bit Decomposition Implementations of SBD also hadvery different CPU usage averages between the two cryptographic schemes. Thisis due heavily to the usage of SC in the secret sharing implementation, whichoccurs twice. Pallier encryption did not require reuse of SC for its own imple-mentation of SBD, and required less than 4

As before, improving the method of communication between machines wouldgreatly improve the efficiency of both implementations, while also improving thecomparability of them. This is where future contributions to our research shouldfocus first, before solid comparisons and improvements on the implementationstakes place.

7 Conclusion and Future Work

In terms of future work, there is much that can be done; our work saw us only im-plementing one proposed algorithm for each of the 5 protocols (SC and SBD withPaillier encryption, and secure multiplication, SC, and SBD with secret sharing)we explored. Potential future work could begin with exploring other proposedalgorithms for these protocols, perhaps those that are more efficient; addition-ally, these same protocols could be researched and implemented for encryptionmethods besides secret sharing or Paillier encryption. Our goal in our researchwas to explore and experiment the underlying functions and protocols behindsecure range queries; however, we never actually experimented with securelyrange querying encrypted data. This is another step we can take in our futurework, exploring different range query protocols and implementing them with afabricated database of encrypted information. For any future implementation ofprotocols in this area of computer science, we could explore and analyze eachmethod, learning much about operations on encrypted data and potentially dis-covering certain improvements, however minor, for making the algorithms moreefficient.

While the secure range querying of encrypted data is undoubtedly importantin the field of cloud computing and storage, our ultimate goal was to implementand analyze the underlying algorithms necessary for range queries to operate,such as SC and SBD. We succeeded in this goal, and although no errors norpotential improvements in the algorithms were discovered, we were able to gain adeeper understanding of mathematical operations on encrypted integers, as wellas verify the validity and correctness of the algorithms. With these protocolstested, understood, and implemented, the actual application of secure rangequeries can be done with remarkable ease and efficiency.

References

1. B. Samanthula, W.Jiang. Efficient Privacy-Preserving Range Queries over En-crypted Data in Cloud Computing. 2013 IEEE Sixth International Conference onCloud Computing,pages 51-58. IEEE, 2013.

2. B. Samanthula, W.Jiang, E. Bertino. Lightweight and Secure Two-Party RangeQueries over Outsourced Encrypted Databases. 2014.

3. I. Damg̊ard, M. Fitzi, E. Kiltz, J. Nielsen, T. Toft. Unconditionally Secure Constant-Rounds Multi-Party Comparison, Bits and Exponentiation.

4. D. Bogdanov. How to securely perform computations on secret-shared data. 2007.

5. T. Toft. Constant-Rounds, Almost-Linear Bit-Decomposition of Secret Shared Val-ues. LNCS 5473, pages 357-371. 2009.

Appendix

sendMPZ Code

void sendMPZ( int socket , mpz t X){char temp [ 1 0 2 4 ] ;int n ;bzero ( temp , 1024 ) ;mpz get s t r ( temp , 10 , X) ;n = wr i t e ( socket , temp , s t r l e n ( temp ) ) ;n = read ( socket , temp , 1 0 2 3 ) ;

}

receiveMPZ Code

void receiveMPZ ( int socket , mpz t X){char temp [ 1 0 2 4 ] ;int n ;bzero ( temp , 1024 ) ;n = read ( socket , temp , 1 0 2 3 ) ;mpz s e t s t r (X, temp , 1 0 ) ;n = wr i t e ( socket , temp , s t r l e n ( temp ) ) ;

}

P1 Secret Multiplication Code

void secre tMult ( const int party2sock , const int party3sock ,const mpz t X, const mpz t N, mpz t & P1xy){

// r e c e i v i n g random #’s r1 and c1 from party3receiveMPZ ( party3sock , r1 ) ;receiveMPZ ( party3sock , c1 ) ;

// Xr1sum = X + r1mpz add (Xr1sum , X, r1 ) ;

// sending / r e c e i v i n g masked shares to /from party2sendMPZ( party2sock , Xr1sum ) ;receiveMPZ ( party2sock , Yr2sum ) ;

// c a l c u l a t i n g va lue o f P1xy// P1xy = −r1mpz neg (P1xy , r1 ) ;// P1xy = −r1 ( y + r2 )mpz mul (P1xy , P1xy , Yr2sum ) ;// P1xy = −r1 ( y + r2 ) + c1mpz add (P1xy , P1xy , c1 ) ;// P1xy = (−r1 ( y + r2 ) + c1 ) mod N

mpz mod(P1xy , P1xy , N) ;}


void secre tMult ( const int party1sock , const int party3sock ,const mpz t Y, const mpz t N, mpz t & P2xy){

// r e c e i v i n g random #’s r2 and r3 from party3receiveMPZ ( party3sock , r2 ) ;receiveMPZ ( party3sock , r3 ) ;

// Yr2sum = Y + r2mpz add (Yr2sum , Y, r2 ) ;

// r e c e i v i n g / sending masked shares from/ to party1receiveMPZ ( party1sock , Xr1sum ) ;sendMPZ( party1sock , Yr2sum ) ;

// c a l c u l a t i n g va lue o f P2xy// P2xy = y ( x + r1 )mpz mul (P2xy , Y, Xr1sum ) ;// P2xy = y ( x + r1 ) + r3mpz add (P2xy , P2xy , r3 ) ;// P2xy = ( y ( x + r1 ) + r3 ) mod Nmpz mod(P2xy , P2xy , N) ;

}


void secre tMult ( const int party1sock , const int party2sock ){

// assignment o f t h r e e random va r i a b l e smpz urandomb ( r1 , s ta te , 7 ) ;mpz urandomb ( r2 , s ta te , 7 ) ;mpz urandomb ( r3 , s ta te , 7 ) ;

// c1 = r1 ∗ r2 − r3mpz mul ( c1 , r1 , r2 ) ; // c1 = r1 ∗ r2mpz sub ( c1 , c1 , r3 ) ; // c1 = c1 − r3

// sending random #’s r1 and c1 to party1sendMPZ( party1sock , r1 ) ;sendMPZ( party1sock , c1 ) ;

// sending random #’s r2 and r3 to party2sendMPZ( party2sock , r2 ) ;sendMPZ( party2sock , r3 ) ;

}

P1 Secure Multiplication Code

void secureMult ( const int party2sock , const int party3sock ,mpz t& P1ab , const mpz t a1 , const mpz t b1 ,const mpz t N){

// c a l c u l a t i n g shares o f a1b2 and a2b1secre tMult ( party2sock , party3sock , a1 , N, P1a1b2 ) ;sec re tMult ( party2sock , party3sock , b1 , N, P1a2b1 ) ;

// c a l c u l a t i n g P1ab// P1ab = a1 ∗ b1mpz mul (P1ab , a1 , b1 ) ;// P1ab = ( a1 ∗ b1 ) + P1a1b2mpz add (P1ab , P1ab , P1a1b2 ) ;// P1ab = ( a1 ∗ b1 ) + P1a1b2 + P1a2b1mpz add (P1ab , P1ab , P1a2b1 ) ;// P1ab = [ ( a1 ∗ b1 ) + P1a1b2 + P1a2b1 ] mod Nmpz mod(P1ab , P1ab , N) ;

}


void secureMult ( const int party1sock , const int party3sock ,mpz t& P2ab , const mpz t a2 , const mpz t b2 ,const mpz t N){

// c a l c u l a t i n g shares o f a1b2 and a2b1secre tMult ( party1sock , party3sock , b2 , N, P2a1b2 ) ;sec re tMult ( party1sock , party3sock , a2 , N, P2a2b1 ) ;

// c a l c u l a t i n g P2ab// P1ab = a2 ∗ b2mpz mul (P2ab , a2 , b2 ) ;// P1ab = ( a2 ∗ b2 ) + P2a1b2mpz add (P2ab , P2ab , P2a1b2 ) ;// P1ab = ( a2 ∗ b2 ) + P2a1b2 + P2a2b1mpz add (P2ab , P2ab , P2a2b1 ) ;// P1ab = [ ( a2 ∗ b2 ) + P2a1b2 + P2a2b1 ] mod Nmpz mod(P2ab , P2ab , N) ;

}


void secureMult ( const int party1sock , const int party2sock ){

secre tMult ( party1sock , party2sock ) ;sec re tMult ( party1sock , party2sock ) ;

return ;}

P1 XOR Code

void sharedXOR( const int party2sock , const int party3sock ,mpz t& P1aXORb, const mpz t N, const mpz t P1A,const mpz t P1B){

mpz add ( temp1 , P1A, P1B ) ; // temp1 = P1A + P1B

// temp2 = P1absecureMult ( party2sock , party3sock , temp2 , P1A, P1B, N) ;

// f i n a l c a l c u l a t i o n o f P1aXORb// P1aXORb = 2(P1ab )mpz mul ui (P1aXORb, temp2 , 2 ) ;// P1aXORb = P1A + P1B − 2(P1ab )mpz sub (P1aXORb, temp1 , P1aXORb ) ;// P1aXORb = [ (P1A + P1B) − 2(P1ab ) ] mod Nmpz mod(P1aXORb, P1aXORb, N) ;

}

P2 XOR Code

void sharedXOR( const int party1sock , const int party3sock ,mpz t& P2aXORb, const mpz t N, const mpz t P2A,const mpz t P2B){



// f i n a l c a l c u l a t i o n o f P2aXORb// P2aXORb = 2(P2ab )mpz mul ui (P2aXORb, temp2 , 2 ) ;// P2aXORb = (P2A + P2B) − 2(P2ab )mpz sub (P2aXORb, temp1 , P2aXORb ) ;// P2aXORb = [ (P2A + P2B) − 2(P2ab ) ] mod Nmpz mod(P2aXORb, P2aXORb, N) ;

}

P1 OR Code

void sharedOR ( const int party2sock , const int party3sock ,mpz t& P1aORb, const mpz t N, const mpz t P1A,const mpz t P1B){



// f i n a l c a l c u l a t i o n o f P1aORb// P1aORb = (P1A + P1B) − P1ABmpz sub (P1aORb, temp1 , temp2 ) ;// P1aORb = [ (P1A + P1B) − P1AB] mod Nmpz mod(P1aORb, P1aORb, N) ;

}

P2 OR Code

void sharedOR ( const int party1sock , const int party3sock ,mpz t& P2aORb, const mpz t N, const mpz t P2A,const mpz t P2B){



// f i n a l c a l c u l a t i o n o f P2aORb// P2aORb = (P2A + P2B) − P2abmpz sub (P2aORb, temp1 , temp2 ) ;// P2aORb = [ (P2A + P2B) − P2ab ] mod Nmpz mod(P2aORb, P2aORb, N) ;

}

P1 Secret Sharing SC Code

void bitLT ( const int party2sock , const int party3sock ,const mpz t N, const int bitLength ,const mpz t P1Abits , const mpz t P1Bbits ,mpz t & P1bitLT ){

// computing P1aXORbfor ( int i = 0 ; i < bitLength ; i ++){

sharedXOR( party2sock , party3sock , P1aXORb[ i ] ,N, P1Abits [ i ] , P1Bbits [ i ] ) ;

}

mpz set (P1preOR [ 0 ] , P1aXORb [ 0 ] ) ;

// computing P1preORfor ( int i = 1 ; i < bitLength ; i ++){

sharedOR ( party2sock , party3sock , P1preOR [ i ] ,N, P1aXORb[ i ] , P1preOR [ i −1 ] ) ;

}

mpz set ( P 1 d i f f I s o [ 0 ] , P1preOR [ 0 ] ) ;

for ( int i = ( bitLength − 1 ) ; i > 0 ; i−−){mpz sub ( P 1 d i f f I s o [ i ] , P1preOR [ i ] , P1preOR [ i −1 ] ) ;

mpz mod( P 1 d i f f I s o [ i ] , P 1 d i f f I s o [ i ] , N) ;}

for ( int i = 0 ; i < bitLength ; i ++){secureMult ( party2sock , party3sock , P1binaryLT [ i ] ,

P1Bbits [ i ] , P 1 d i f f I s o [ i ] , N) ;}

for ( int i = 0 ; i < bitLength ; i ++){mpz add ( P1bitLT , P1bitLT , P1binaryLT [ i ] ) ;

}}

P2 Secret Sharing SC Code

void bitLT ( const int party1sock , const int party3sock ,const mpz t N, const int bitLength ,const mpz t P2Abits , const mpz t P2Bbits ,mpz t & P2bitLT ){

// computing P2aXORbfor ( int i = 0 ; i < bitLength ; i ++){

sharedXOR( party1sock , party3sock , P2aXORb[ i ] ,N, P2Abits [ i ] , P2Bbits [ i ] ) ;

}

mpz set (P2preOR [ 0 ] , P2aXORb [ 0 ] ) ;

// computing P2preORfor ( int i = 1 ; i < bitLength ; i ++){

sharedOR ( party1sock , party3sock , P2preOR [ i ] ,N, P2aXORb[ i ] , P2preOR [ i −1 ] ) ;

}

mpz set ( P 2 d i f f I s o [ 0 ] , P2preOR [ 0 ] ) ;

for ( int i = ( bitLength − 1 ) ; i > 0 ; i−−){mpz sub ( P 2 d i f f I s o [ i ] , P2preOR [ i ] , P2preOR [ i −1 ] ) ;mpz mod( P 2 d i f f I s o [ i ] , P 2 d i f f I s o [ i ] , N) ;

}

for ( int i = 0 ; i < bitLength ; i ++){secureMult ( party1sock , party3sock , P2binaryLT [ i ] ,

P2Bbits [ i ] , P 2 d i f f I s o [ i ] , N) ;}

for ( int i = 0 ; i < bitLength ; i ++){mpz add ( P2bitLT , P2bitLT , P2binaryLT [ i ] ) ;

}}

P1 Secret Sharing SBD Code

int main ( int argc , char ∗argv [ ] ) {

// r e c e i v i n g va lue o f N from party3receiveMPZ ( party3sock , N) ;

// s e t s g l o b a l b i t l e n g t h f o r b inary convers ions based on Nint bitLength = reqBitLength (N) ;

receiveMPZ ( party3sock , X1 ) ;

//Rece iv ing b i t w i s e share o f Rfor ( int i = 0 ; i <= bitLength ; i ++){

receiveMPZ ( party3sock , P1Rbits [ i ] ) ;}

//Rece iv ing b i t w i s e share o f Cfor ( int i = 0 ; i <= bitLength ; i ++){

receiveMPZ ( party3sock , Cshare1 [ i ] ) ;}

// r e c e i v e b inary r ep r e s en t a t i on o f Cfor ( int i = 0 ; i <= bitLength ; i ++){

receiveMPZ ( party3sock , Cbin [ i ] ) ;}

//Rece iv ing b inary r ep r e s en t a t i on o f C ’for ( int i = 0 ; i <= bitLength ; i ++){

receiveMPZ ( party3sock , Cprimebin [ i ] ) ;}

//compare r >? cbitLT ( party2sock , party3sock , N, bitLength +1, Cshare1 , P1Rbits , F1 ) ;

// c a l c u l a t i n g C˜mpz t tmp ;for ( int i = 0 ; i<=bitLength ; i ++){

mpz in i t (tmp ) ;mpz sub (tmp , Cprimebin [ i ] , Cbin [ i ] ) ;mpz mul (tmp , tmp , F1 ) ;mpz add ( Ct i lde1 [ i ] , tmp , Cshare1 [ i ] ) ;mpz c lear (tmp ) ;

}

// computing f i n a l b i t w i s e share o f xfor ( int i=bitLength −2; i >0; i−−){

// c r ea t e s temperary arrays o f r mod 2ˆ i//and c˜ mod 2ˆ ifor ( int j = i ; j > 0 ; j−−){

mpz set ( tempCtilde1 [ i−j ] , Ct i lde1 [ bitLength+1− j ] ) ;mpz set ( tempR1 [ i−j ] , P1Rbits [ b itLength+1− j ] ) ;

}

//comparison , t a k e s p l ace between a l l 3 p a r t i e sbitLT ( party2sock , party3sock , N, i , tempCtilde1 , tempR1 , u1 ) ;

// conver t s the b i t w i s e shares to i n t e g e r shares// in order to perform ba s i c opera t i onsbinToIntShare (cmod1 , tempCtilde1 , i ) ;binToIntShare ( rmod1 , tempR1 , i ) ;

// c a l c u l a t e s Xmod1 [ i ] , the share o f the// i t h b i t o f xmpz sub (xmod1 , cmod1 , rmod1 ) ;mpz pow ui ( twoi , two , i ) ;mpz mul ( u1 , twoi , u1 ) ;mpz add (xmod1 , xmod1 , u1 ) ;mpz set (Xmod1 [ i ] , xmod1 ) ;

}

//SENDING RESULTfor ( int i = 0 ; i < bitLength ; i ++){

sendMPZ( party3sock , Xmod1 [ i ] ) ;}

}



// r e c e i v i n g va lue o f N from party3receiveMPZ ( party3sock , N) ;

// s e t s g l o b a l b i t l e n g t h f o r b inary convers ions based on Nint bitLength = reqBitLength (N) ;

receiveMPZ ( party3sock , X2 ) ;

//Rece iv ing b i t w i s e share o f Rfor ( int i = 0 ; i <= bitLength ; i ++){

receiveMPZ ( party3sock , P2Rbits [ i ] ) ;}

//Rece iv ing b i t w i s e share o f Cfor ( int i = 0 ; i <= bitLength ; i ++){

receiveMPZ ( party3sock , Cshare2 [ i ] ) ;}

// r e c e i v e b inary r ep r e s en t a t i on o f Cfor ( int i = 0 ; i <= bitLength ; i ++){

receiveMPZ ( party3sock , Cbin [ i ] ) ;}

//Rece iv ing b inary r ep r e s en t a t i on o f C ’for ( int i = 0 ; i <= bitLength ; i ++){

receiveMPZ ( party3sock , Cprimebin [ i ] ) ;}

//compare r >? cbitLT ( party1sock , party3sock , N, bitLength +1, Cshare2 , P2Rbits , F2 ) ;

// c a l c u l a t i n g C˜mpz t tmp ;for ( int i = 0 ; i<=bitLength ; i ++){

mpz in i t (tmp ) ;mpz sub (tmp , Cprimebin [ i ] , Cbin [ i ] ) ;mpz mul (tmp , tmp , F2 ) ;mpz add ( Ct i lde2 [ i ] , tmp , Cshare2 [ i ] ) ;

mpz clear (tmp ) ;}

// computing f i n a l b i t w i s e share o f xfor ( int i=bitLength −2; i >0; i−−){

// c r ea t e s temperary arrays o f r mod 2ˆ i//and c˜ mod 2ˆ ifor ( int j = i ; j > 0 ; j−−){

mpz set ( tempCtilde2 [ i−j ] , Ct i lde2 [ bitLength+1− j ] ) ;mpz set ( tempR2 [ i−j ] , P2Rbits [ b itLength+1− j ] ) ;

}

//comparison , t a k e s p l ace between a l l 3 p a r t i e sbitLT ( party1sock , party3sock , N, i , tempCtilde2 , tempR2 , u2 ) ;

// conver t s the b i t w i s e shares to i n t e g e r shares// in order to perform ba s i c opera t i onsbinToIntShare (cmod2 , tempCtilde2 , i ) ;binToIntShare ( rmod2 , tempR2 , i ) ;

// c a l c u l a t e s Xmod2 [ i ] , the share o f the// i t h b i t o f xmpz sub (xmod2 , cmod2 , rmod2 ) ;mpz pow ui ( twoi , two , i ) ;mpz mul ( u2 , twoi , u2 ) ;mpz add (xmod2 , xmod2 , u2 ) ;mpz set (Xmod2 [ i ] , xmod2 ) ;

}

//SENDING RESULTfor ( int i = 0 ; i < bitLength ; i ++){

sendMPZ( party3sock , Xmod2 [ i ] ) ;}

}



// genera t ing NgenerateN (N) ;int bitLength = reqBitLength (N) ;

// genera t ing X and Rmpz urandomb (X, s tate , bitLength −2);

mpz urandomm(R, s tate , N) ;

// crea t e shares o f Xdecompose (X, X1 , X2 , N) ;

// send N and shares o f x to par ty 1 and 2sendMPZ( party1sock , N) ;sendMPZ( party2sock , N) ;sendMPZ( party1sock , X1 ) ;sendMPZ( party2sock , X2 ) ;

// conver t r to binary , c r e a t e s shares , sends thembitConvert (R, Rbits , NbitLength ) ;bitDecompose ( Rbits , NbitLength , P1Rb , P2Rb , N) ;for ( int i =0; i < NbitLength ; i ++){

sendMPZ( party1sock , P1Rb [ i ] ) ;sendMPZ( party2sock , P2Rb [ i ] ) ;

}

// c a l c u l a t e s c as x + r mod NgenC (C, X1 , X2 , P1Rb , P2Rb , N, NbitLength ) ;

// conver t c to binary , c r ea t e shares , sends them// sends non−shared b inary o f c as w e l lbitConvert (C, Cbin , NbitLength ) ;bitDecompose ( Cbin , NbitLength , Cshare1 , Cshare2 , N) ;for ( int i =0; i < NbitLength ; i ++){

sendMPZ( party1sock , Cshare1 [ i ] ) ;sendMPZ( party2sock , Cshare2 [ i ] ) ;

}for ( int i =0; i < NbitLength ; i ++){

sendMPZ( party1sock , Cbin [ i ] ) ;sendMPZ( party2sock , Cbin [ i ] ) ;

}

// c a l c u l a t e C ’ , conver t to binary , send to both p a r t i e smpz add ( Cprime , C, N) ;b itConvert ( Cprime , Cprimebin , NbitLength ) ;for ( int i =0; i < NbitLength ; i ++){

sendMPZ( party1sock , Cprimebin [ i ] ) ;sendMPZ( party2sock , Cprimebin [ i ] ) ;

}

// R >? C comparison// XOR c a l l

for ( int i = 0 ; i < NbitLength ; i ++){secureMult ( party1sock , party2sock ) ;}

// preOR c a l lfor ( int i = 1 ; i < NbitLength ; i ++){

secureMult ( party1sock , party2sock ) ;}

// binaryLT c a l lfor ( int i = 0 ; i < NbitLength ; i ++){


// comparison o f u : rmod2i >? c˜mod2ifor ( int j=bitLength −2; j >0; j−−){

// XOR c a l lfor ( int i = 0 ; i < j ; i ++){


// preOR c a l lfor ( int i = 1 ; i < j ; i ++){


// binaryLT c a l lfor ( int i = 0 ; i < j ; i ++){


}

// r e c e i v e s r e s u l t s from both p a r t i e sfor ( int i = 0 ; i < bitLength ; i ++){

receiveMPZ ( party1sock , Xmod1 [ i ] ) ;}for ( int i = 0 ; i < bitLength ; i ++){

receiveMPZ ( party2sock , Xmod2 [ i ] ) ;}

//modi f ied recombining both shares//XRES i s the r e s u l t i n g b inary va luefor ( int i = 0 ; i<bitLength −1; i ++){

mpz sub (XRES1[ i ] , Xmod1 [ bitLength−1− i ] , Xmod1 [ bitLength−2− i ] ) ;mpz sub ( tempfin , Xmod2 [ bitLength−1− i ] , Xmod2 [ bitLength−2− i ] ) ;

mpz add (XRES1[ i ] , XRES1[ i ] , tempfin ) ;mpz mod(XRES1[ i ] , XRES1[ i ] , N) ;mpz pow ui ( twoi i , two , bitLength−2− i ) ;mpz cdiv q (XRES1[ i ] , XRES1[ i ] , t w o i i ) ;}

}

P1 Paillier SC Code


// r e c e i v i n g necessary v a r i a b l e s from par ty 3receiveMPZ ( party3sock , N) ;receiveMPZ ( party3sock , g ) ;mpz mul ( nsq , N, N) ;receiveMPZ ( party3sock , encX ) ;receiveMPZ ( party3sock , encY ) ;

// e s t a b l i s h i n g b i t l e n g t hreceiveMPZ ( party3sock , inpBitLen ) ;sendMPZ( party2sock , inpBitLen ) ;int SCinLength = mpz get ui ( inpBitLen ) ;

// c r ea t i n g o ther e s s e n t i a l v a r i a b l e smpz sub ui (nmin , N, 1 ) ;mpz invert ( l , two , N) ;

//Generate random f u n c t i o n a l i t y Fmpz urandomm(F, s ta te , two ) ;

// i f F: x>=yi f ( ( mpz cmp ui (F , 0))==0){

mpz powm(Ed , encY , nmin , nsq ) ;mpz mul (Ed , Ed , encX ) ;

}// e l s e i f F : y>=x+1else {

//computes E( x+1)mpz mul ( encX , encX , Eone ) ;mpz powm(Ed , encX , nmin , nsq ) ;mpz mul (Ed , Ed , encY ) ;

}

mpz set ( de l ta , Ed ) ;

//main f o r loop

for ( int i =1; i<=SCinLength ; i ++){

// randomizes de l t a , send i t to par ty 2mpz urandomm( r i , s ta te , N) ;encrypt (Er , r i ) ;mpz mul ( tau , de l ta , Er ) ;sendMPZ( party2sock , tau ) ;

receiveMPZ ( party2sock , s ) ;i f ( mpz odd p ( r i )==0) // i f r i s even

mpz set ( Edi , s ) ;else {

mpz powm( s , s , nmin , nsq ) ;mpz mul ( Edi , Eone , s ) ;

}

// update E(d ’)i f ( i ==1)

mpz set ( Edprime , Edi ) ;else {

//temp1 = 2ˆ i−1//temp2 = E( d i )ˆ(2ˆ i−1)mpz pow ui ( temp1 , two , i −1);mpz powm( temp2 , Edi , temp1 , nsq ) ;mpz mul ( Edprime , Edprime , temp2 ) ;

}

//temp3 = E( d i )ˆN−1mpz powm( temp3 , Edi , nmin , nsq ) ;mpz mul ( phi , de l ta , temp3 ) ;mpz powm( de l ta , phi , l , nsq ) ;

// c a l c u l a t e G’i f ( i==SCinLength ){

mpz powm( temp4 , Edprime , nmin , nsq ) ;mpz mul (G, Ed , temp4 ) ;mpz urandomm( r , s ta te , N) ;mpz powm( Gprime , G, r , nsq ) ;

}}

sendMPZ( party2sock , Gprime ) ;

receiveMPZ ( party2sock , Ecprime ) ;// c a l c u l a t e encrypted r e s u l t based Ecprime

i f ( mpz cmp ui (F , 0)==0)mpz set (Ec , Ecprime ) ;

else {mpz powm( temp5 , Ecprime , nmin , nsq ) ;mpz mul (Ec , Eone , temp5 ) ;

}

sendMPZ( party3sock , Ec ) ;}

P2 Paillier SC Code


// r e c e i v i n g necessary v a r i a b l e s from par ty 3receiveMPZ ( party3sock , N) ;receiveMPZ ( party3sock , g ) ;receiveMPZ ( party3sock , lamda ) ;receiveMPZ ( party3sock , u ) ;mpz mul ( nsq , N, N) ;

// e s t a b l i s h i n g b i t l e n g t hreceiveMPZ ( party1sock , inpBitLen ) ;int SCinLength = mpz get ui ( inpBitLen ) ;

// c r ea t i n g o ther e s s e n t i a l v a r i a b l e smpz sub ui (nmin , N, 1 ) ;

//main f o r loopfor ( int i =1; i<=SCinLength ; i ++){

receiveMPZ ( party1sock , tau ) ;

decrypt ( tauprime , tau ) ;i f ( mpz odd p ( tauprime)==0) // i f tau ’ i s even

encrypt ( s , ze ro ) ;else

encrypt ( s , one ) ;

sendMPZ( party1sock , s ) ;}

receiveMPZ ( party1sock , Gprime ) ;

decrypt (Dgp , Gprime ) ;i f ( mpz cmp ui (Dgp , 0)==0) // i f G’ = 0

mpz set ( cprime , one ) ;else

mpz set ( cprime , ze ro ) ;

encrypt ( Ecprime , cprime ) ;sendMPZ( party1sock , Ecprime ) ;

}

P3 Paillier SC Code


// sending necessary v a r i a b l e s to par ty 1 and 2sendMPZ( party1sock , N) ;sendMPZ( party1sock , g ) ;sendMPZ( party2sock , N) ;sendMPZ( party2sock , g ) ;sendMPZ( party2sock , lamda ) ;sendMPZ( party2sock , u ) ;

// randomly genera te X and Ympz urandomb (X, s tate , 1 6 ) ;mpz urandomb (Y, s tate , 1 6 ) ;

// encrypt x and y , send to par ty 1encrypt ( encX , X) ;encrypt ( encY , Y) ;sendMPZ( party1sock , encX ) ;sendMPZ( party1sock , encY ) ;

// c a l c u l a t e h i g h e s t b i t l e n g t h between x and y , send to par ty 1mpz t BLen ; m p z i n i t s e t u i (BLen , f s i z e ) ;sendMPZ( party1sock , BLen ) ;

// r e c e i v e r e s u l t from par ty 1receiveMPZ ( party1sock , r e s ) ;

// decryp t and d i s p l a y r e s u l tdecrypt ( res , r e s ) ;cout << ”\nF : x>=y : ” ;mpz out str ( stdout , 10 , r e s ) ;

}

P1 Paillier SBD Code


// r e c e i v i n g necessary v a r i a b l e s from par ty 3receiveMPZ ( party3sock , N) ;receiveMPZ ( party3sock , g ) ;mpz mul ( nsq , N, N) ;receiveMPZ ( party3sock , SBDINPUT) ;receiveMPZ ( party3sock , inpBitLen ) ;sendMPZ( party2sock , inpBitLen ) ;

// e s t a b l i s h i n g b i t l e n g t h f o r f o r loopint SBDinLength = mpz get ui ( inpBitLen ) ;

// genera t ing kint Nlen = reqBitLength (N) ;m p z i n i t s e t u i (K, Nlen ) ;mpz in i t ( Kminl ) ;mpz sub ui ( Kminl , K, SBDinLength ) ;mpz in i t ( k ) ;while ( mpz cmp ui (k , 0)==0 | | mpz cmp ui (k , 1)==0)

mpz urandomm(k , s ta te , Kminl ) ;sendMPZ( party2sock , k ) ;

// c r ea t i n g o ther e s s e n t i a l v a r i a b l e smpz sub ui (nmin , N, 1 ) ;mpz set (U, SBDINPUT) ;mpz invert ( a , two , N) ;

//main f o r loopfor ( int i =0; i<SBDinLength ; i ++){

mpz urandomm( rb , s ta te , two ) ;encrypt ( Erb , rb ) ;mpz mul (L , U, Erb ) ;mpz powm(Lp , L , a , nsq ) ;mpz urandomm( r , s ta te , N) ;encrypt (Er , r ) ;mpz mul (M, Lp , Er ) ;// sends to par ty 2sendMPZ( party2sock , M) ;

// r e c e i v e s from par ty 2receiveMPZ ( party2sock , W) ;IP ( rk , r , k ) ;mpz sub ( nrk , N, rk ) ;encrypt (Enk , nrk ) ;mpz mul (H, W, Enk ) ;

mpz urandomm( rp , s ta te , N) ;mpz powm(Hp, H, rp , nsq ) ;// sends to par ty 2sendMPZ( party2sock , Hp ) ;

receiveMPZ ( party2sock , B) ;i f ( ( mpz cmp ui ( rb , 0))==0)

mpz set ( LSBout , B) ;else {

mpz powm(B, B, nmin , nsq ) ;encrypt ( Eone , one ) ;mpz mul ( LSBout , B, Eone ) ;

}mpz set (SBDout [ i ] , LSBout ) ;

mpz powm(tmp2 , LSBout , nmin , nsq ) ;mpz mul (V, U, tmp2 ) ;mpz powm(U, V, a , nsq ) ;

}}



// r e c e i v i n g necessary v a r i a b l e s from par ty 3receiveMPZ ( party3sock , N) ;receiveMPZ ( party3sock , g ) ;receiveMPZ ( party3sock , lamda ) ;receiveMPZ ( party3sock , u ) ;mpz mul ( nsq , N, N) ;

receiveMPZ ( party1sock , inpBitLen ) ;int SBDinLength = mpz get ui ( inpBitLen ) ;

// r e c e i v e kreceiveMPZ ( party1sock , k ) ;

for ( int i =0; i<SBDinLength ; i ++){

// r e c e i v e from par ty 1receiveMPZ ( party1sock , M) ;decrypt (Mp, M) ;IP (Mpk, Mp, k ) ;encrypt (W, Mpk) ;// send to par ty 1

sendMPZ( party1sock , W) ;

// r e c e i v e from par ty 1receiveMPZ ( party1sock , Hp ) ;decrypt ( phi , Hp ) ;i f ( ( mpz cmp ui ( phi , 0))==0)

encrypt (B, zero ) ;else

encrypt (B, one ) ;sendMPZ( party1sock , B) ;

}}



// sending necessary v a r i a b l e s to par ty 1 and 2sendMPZ( party1sock , N) ;sendMPZ( party1sock , g ) ;sendMPZ( party2sock , N) ;sendMPZ( party2sock , g ) ;sendMPZ( party2sock , lamda ) ;sendMPZ( party2sock , u ) ;

// take s input i n t e g e r xcout <<”\nPlease input a number to decompose : ” ;c in >> x ;m p z i n i t s e t u i (GMPx, x ) ;

// encryp t s x , sends to par ty 1encrypt ( encX , GMPx) ;sendMPZ( party1sock , encX ) ;

// determines b i t l e n g t h o f x , sends to par ty 1int bl = reqBitLength (GMPx) ;sendMPZ( party1sock , BLen ) ;

}

Documents

REU Group 2 - Paper