cryptographic methods
DESCRIPTION
Cryptographic methods. Outline. Preliminary Assumptions Public-key encryption Oblivious Transfer (OT) Random share based methods Homomorphic Encryption ElGamal. Assumptions. Semi-honest party assumption Parties honestly follow the security protocol - PowerPoint PPT PresentationTRANSCRIPT
Cryptographic methods
Outline Preliminary
Assumptions Public-key encryption
Oblivious Transfer (OT) Random share based methods Homomorphic Encryption
ElGamal
Assumptions Semi-honest party assumption
Parties honestly follow the security protocol
Parties might be curious about the transferred data
Malicious party assumption The malicious party can do anything
Transfer false data Turn down the protocol Collusion
Public-key encryption Let (G,E,D) be a public-key encryption scheme
G is a key-generation algorithm (pk,sk) G Pk: public key Sk: secret key
Terms Plaintext: the original text, notated as m Ciphertext: the encrypted text, notated as c
Encryption: c = Epk(m) Decryption: m = Dsk(c) Concept of one-way function: knowing c, pk, and
the function Epk, it is still computationally intractable to find m.
*Check literature for different implementations
1-out-of-2 Oblivious Transfer (OT)
Inputs Sender has two messages m0 and m1
Receiver has a single bit {0,1} Outputs
Sender receives nothing Receiver obtain m and learns nothing of
m1-
Assume that a public-key can be sampled without knowledge of its secret key (knowing pk only): Oblivious key generation: pk OG Protocol is simplified with this
assumption
Protocol for Oblivious Transfer
Receiver (with input ): Receiver chooses one key-pair (pk,sk) and one
public-key pk’ (oblivious key generation). Receiver sets pk = pk, pk1- = pk’ Receiver sends pk0,pk1 to sender
Sender (with input m0,m1): Sends receiver c0=Epk0(m0), c1=Epk1(m1)
Receiver: Decrypts c using sk and obtains m. Note: receiver can decrypt for pk but not for pk1-
Generalization Can define 1-out-of-k oblivious
transfer
Protocol remains the same: Choose k-1 public keys for which the
secret key is unknown Choose 1 public-key and secret-key pair
Random share based method For simplicity – we may consider two-party
case The addition/multiplication protocols have to have
>2 parties Let f be the function that the parties wish to
compute
Represent f as an arithmetic circuit with addition and multiplication gates Any function can be implemented with addition
and multiplication
Aim – compute gate-by-gate, revealing only random shares each time
Random Shares Paradigm
Let a be some value: Party 1 holds a, distributes random
values ai and thus knows a-ai
Party i receives ai
Note that without knowing a-ai, and all random shares ai , nothing of a is revealed.
We say that the parties hold random shares of a.
Securely computing addition Party 1,2,3 hold a,b,c respectively Generate random shares:
Party 1 has shares a1 , b1 and c1
Party 2 has shares a2 , b2 and c2
Party 3 has shares a3 , b3 and c3
Note: a1+a2 +a3 =a, b1+b2 +b3 =b, and c1+c2 +c3 =c
To compute random shares of output d=a+b+c Party 1 locally computes d1=a1+b1+c1
Party 2 locally computes d2=a2+b2+c2
Party 3 locally computes d3=a3+b3+c3
Note: d1+d2 +d3 =d The result shares do not reveal the original value of
a,b,c
Multiplication (2 parties) Simplified (a, b are binary bit) Input wires to gate have values a and b:
Party 1 has shares a1 and b1
Party 2 has shares a2 and b2
Wish to compute c = ab = (a1+a2)(b1+b2)
Party 1 knows its concrete share values. Party 2’s values are unknown to Party 1, but
there are only 4 possibilities (depending on correspondence to 00,01,10,11)
Multiplication (cont)
Party 1 prepares a table as follows: Row 1 corresponds to Party 2’s input 00 Row 2 corresponds to Party 2’s input 01 Row 3 corresponds to Party 2’s input 10 Row 4 corresponds to Party 2’s input 11
Let r be a random bit chosen by Party 1: Row 1 contains the value ab+r when a2=0,b2=0 Row 2 contains the value ab+r when a2=0,b2=1 Row 3 contains the value ab+r when a2=1,b2=0 Row 4 contains the value ab+r when a2=1,b2=1
Concrete Example
Assume: a1=0, b1=1
Assume: r=1
Row
Party 2’s shares
Output value
1 a2=0,b2=0 (0+0).
(1+0)+1=1
2 a2=0,b2=1 (0+0).
(1+1)+1=1
3 a2=1,b2=0 (0+1).
(1+0)+1=0
4 a2=1,b2=1 (0+1).
(1+1)+1=1
The Protocol
The parties run a 1-out-of-4 oblivious transfer protocol
Party 1 plays the sender: message i is row i of the table.
Party 2 plays the receiver: it inputs 1 if a2=0 and b2=0, 2 if a2=0 and b2=1, and so on…
Output:
Party 2 receives c2=c+r – this is its output Party 1 outputs c1=r Note: c1 and c2 are random shares of c, as required
Problems with OT and RS
Theoretically, any function can be computed with addition and multiplication gates
However, as we have seen, it is not efficient at all Huge communication/computational
cost for the multiplication protocol
Homomorphic encryption They are “probabilistic encryptions”
using randomly selected numbers in generating keys and encryption
properties Homomorphic multiplication
Epk(m0)*Epk(m1) = Epk(m0*m1) Without knowing the secret key, we can still calculate
m0*m1 Implementations: ElGamal method, Pailier
Homomorphic addition Epk(m0)*Epk(m1) = Epk(m0+m1) Implementation: Pailier method
ElGamal method System parameters (P,g)
Input 1n
P is a uniformly chosen prime |P|>n g: a random number called “generator”
keys Private key (P,g,x), x is randomly chosen Public key pk=(P, g, y): y = gx mod P (one way
function, impossible to guess x given (P,g,y) )
Encryption: E(pk, m, k) = (gk mod P, mgk mod P), k is a
random number, m is plaintext
Important property For two ciphertext
E(pk, m0, k0)= (gk0 mod P, m0gk0 mod P) =
(a0,b0) E(pk, m1,k1) = (gk1 mod P, m1gk1 mod P) =
(a1,b1)
E(pk, m0*m1, k0+k1)= (gk0+k1 mod P, m0*m1*gk0+k1 mod P)
= (a0*a1, b0*b1)
Summary Three basic methods
Oblivious Transfer Random share Homomorphic encryption
We will see how to use them to construct privacy preserving algorithms