Cryptographic methods

1
Cryptographic methods
2
Outline

• Preliminary
• Assumptions
• Public-key encryption
• Oblivious Transfer (OT)
• Random share based methods
• Homomorphic Encryption
• ElGamal

3
Assumptions

• Semi-honest party assumption
• Parties honestly follow the security protocol
• Parties might be curious about the transferred
  data
• Malicious party assumption
• The malicious party can do anything
• Transfer false data
• Turn down the protocol
• Collusion

4
Public-key encryption

• Let (G,E,D) be a public-key encryption scheme
• G is a key-generation algorithm (pk,sk) ? G
• Pk public key
• Sk secret key
• Terms
• Plaintext the original text, notated as m
• Ciphertext the encrypted text, notated as c
• Encryption c Epk(m)
• Decryption m Dsk(c)
• Concept of one-way function knowing c, pk, and
  the function Epk, it is still computationally
  intractable to find m.
• Check literature for different implementations

5
1-out-of-2 Oblivious Transfer (OT)

• Inputs
• Sender has two messages m0 and m1
• Receiver has a single bit ??0,1
• Outputs
• Sender receives nothing
• Receiver obtain m? and learns nothing of m1-?

6

• Assume that a public-key can be sampled without
  knowledge of its secret key (knowing pk only)
• Oblivious key generation pk ? OG
• Protocol is simplified with this assumption

7
Protocol for Oblivious Transfer

• Receiver (with input ?)
• Receiver chooses one key-pair (pk,sk) and one
  public-key pk (oblivious key generation).
• Receiver sets pk? pk, pk1-? pk
• Receiver sends pk0,pk1 to sender
• Sender (with input m0,m1)
• Sends receiver c0Epk0(m0), c1Epk1(m1)
• Receiver
• Decrypts c? using sk and obtains m?.
• Note receiver can decrypt for pk? but not for
  pk1-?

8
Generalization

• Can define 1-out-of-k oblivious transfer
• Protocol remains the same
• Choose k-1 public keys for which the secret key
  is unknown
• Choose 1 public-key and secret-key pair

9
Random share based method

• For simplicity we may consider two-party case
• The addition/multiplication protocols have to
  have gt2 parties
• Let f be the function that the parties wish to
  compute
• Represent f as an arithmetic circuit with
  addition and multiplication gates
• Any function can be implemented with addition and
  multiplication
• Aim compute gate-by-gate, revealing only random
  shares each time

10
Random Shares Paradigm

• Let a be some value
• Party 1 holds a, distributes random values ai and
  thus knows a-?ai
• Party i receives ai
• Note that without knowing a-?ai, and all random
  shares ai , nothing of a is revealed.
• We say that the parties hold random shares of a.

11
Securely computing addition

• Party 1,2,3 hold a,b,c respectively
• Generate random shares
• Party 1 has shares a1 , b1 and c1
• Party 2 has shares a2 , b2 and c2
• Party 3 has shares a3 , b3 and c3
• Note a1a2 a3 a, b1b2 b3 b, and c1c2 c3
  c
• To compute random shares of output dabc
• Party 1 locally computes d1a1b1c1
• Party 2 locally computes d2a2b2c2
• Party 3 locally computes d3a3b3c3
• Note d1d2 d3 d
• The result shares do not reveal the original
  value of a,b,c

12
Multiplication (2 parties)

• Simplified (a, b are binary bit)
• Input wires to gate have values a and b
• Party 1 has shares a1 and b1
• Party 2 has shares a2 and b2
• Wish to compute c ab (a1a2)(b1b2)
• Party 1 knows its concrete share values.
• Party 2s values are unknown to Party 1, but
  there are only 4 possibilities (depending on
  correspondence to 00,01,10,11)

13
Multiplication (cont)

• Party 1 prepares a table as follows
• Row 1 corresponds to Party 2s input 00
• Row 2 corresponds to Party 2s input 01
• Row 3 corresponds to Party 2s input 10
• Row 4 corresponds to Party 2s input 11
• Let r be a random bit chosen by Party 1
• Row 1 contains the value a?br when a20,b20
• Row 2 contains the value a?br when a20,b21
• Row 3 contains the value a?br when a21,b20
• Row 4 contains the value a?br when a21,b21

14
Concrete Example

• Assume a10, b11
• Assume r1

Row Party 2s shares Output value
1 a20,b20 (00).(10)11
2 a20,b21 (00).(11)11
3 a21,b20 (01).(10)10
4 a21,b21 (01).(11)11
15
The Protocol

• The parties run a 1-out-of-4 oblivious transfer
  protocol
• Party 1 plays the sender message i is row i of
  the table.
• Party 2 plays the receiver it inputs 1 if a20
  and b20, 2 if a20 and b21, and so on
• Output
• Party 2 receives c2cr this is its output
• Party 1 outputs c1r
• Note c1 and c2 are random shares of c, as
  required

16
Problems with OT and RS

• Theoretically, any function can be computed with
  addition and multiplication gates
• However, as we have seen, it is not efficient at
  all
• Huge communication/computational cost for the
  multiplication protocol

17
Homomorphic encryption

• They are probabilistic encryptions
• using randomly selected numbers in generating
  keys and encryption
• properties
• Homomorphic multiplication
• Epk(m0)Epk(m1) Epk(m0m1)
• Without knowing the secret key, we can still
  calculate m0m1
• Implementations ElGamal method, Pailier
• Homomorphic addition
• Epk(m0)Epk(m1) Epk(m0m1)
• Implementation Pailier method

18
ElGamal method

• System parameters (P,g)
• Input 1n
• P is a uniformly chosen prime Pgtn
• g a random number called generator
• keys
• Private key (P,g,x), x is randomly chosen
• Public key pk(P, g, y) y gx mod P (one way
  function, impossible to guess x given (P,g,y) )
• Encryption
• E(pk, m, k) (gk mod P, mgk mod P), k is a
  random number, m is plaintext

19
Important property

• For two ciphertext
• E(pk, m0, k0) (gk0 mod P, m0gk0 mod P)
  (a0,b0)
• E(pk, m1,k1) (gk1 mod P, m1gk1 mod P)
  (a1,b1)
• E(pk, m0m1, k0k1)
• (gk0k1 mod P, m0m1gk0k1 mod P)
• (a0a1, b0b1)

20
Summary

• Three basic methods
• Oblivious Transfer
• Random share
• Homomorphic encryption
• We will see how to use them to construct privacy
  preserving algorithms