Post on 13-Jan-2016
description
Cryptographic primitives
Outline Preliminary Oblivious Transfer (OT) Random share based methods Homomorphic Encryption
ElGamal
Assumptions Semi-honest party assumption
Parties honestly follow the security protocol Parties might be curious about the
transferred data Malicious party assumption
The malicious party can do anything Transfer false data Turn down the protocol Collusion
Often, we can handle semi-honest + integrity verification
Public-key encryptionLet (G,E,D) be a public-key encryption scheme
G is a key-generation algorithm (pk,sk) GPk: public keySk: secret key
TermsPlaintext: the original text, denoted as mCiphertext: the encrypted text, denoted as c
Encryption: c = Epk(m) Decryption: m = Dsk(c) Concept of one-way function: knowing c, pk, and
the function Epk, it is still computationally intractable to find m.
*Check literature for different implementations
1-out-of-2 Oblivious Transfer (OT)
Setting Sender has two messages m0 and m1
Receiver has a single bit {0,1} and wants to learn m , but does not want the sender know which bit is selected.
Outputs Sender knows nothing about Receiver obtain m and learns nothing of
m1-
Assume that a public-key can be sampled without knowledge of its secret key (knowing pk only): The protocol is simplified with this
assumption Knowing pk but not knowing sk – tricky
to do that Both parties are honest
Protocol for Oblivious Transfer
Receiver (with input ): Receiver chooses one key-pair (pk,sk) and one
public-key pk’ (oblivious key generation), but does not know sk’.
Receiver sets pk = pk, pk1- = pk’
Receiver sends pk0,pk1 to sender
Sender (with input m0,m1): Sends c0=Epk0(m0), c1=Epk1(m1)
Receiver: Decrypts c using sk and obtains m.
Note: receiver can decrypt for pk but not for pk1-
Generalization Similarly, we can define 1-out-of-k
oblivious transfer
Protocol remains the same: Choose k-1 public keys for which the
secret key is unknown Choose 1 public-key and secret-key pair
Random share based method Settings
have >2 parties No collusion – semi-honest
Let f be the function that the parties wish to compute
Represent f as an arithmetic circuit with addition and multiplication gates Theoretically, any function can be implemented
with addition and multiplication
Goal: securely compute additions and multiplications
Random Shares Paradigm
Let a be some value: Party 1 holds a, distributes random
values ai to other parties (and party 1 knows a-ai)
Party i receives ai
Note that without knowing a-ai, and all random shares ai , nothing of a is revealed.
We say that the parties hold random shares of a.
Securely computing addition (xor for one-bit data) Party 1,2,3 own a,b,c respectively Generate random shares:
Party 1 has shares a1 , b1 and c1
Party 2 has shares a2 , b2 and c2
Party 3 has shares a3 , b3 and c3
Note: a1+a2 +a3 =a, b1+b2 +b3 =b, and c1+c2 +c3 =c
To compute random shares of output d=a+b+c Party 1 locally computes d1=a1+b1+c1
Party 2 locally computes d2=a2+b2+c2
Party 3 locally computes d3=a3+b3+c3
Note: d1+d2 +d3 =d The result shares do not reveal the original value of
a,b,c
Multiplication (2 parties)Simplified 2party case
Assume a, b are binary bit We work on “and” operation instead –
multiplication for one bit numbers
Input wires to gate have values a and b: Party 1 has shares a1 and b1
Party 2 has shares a2 and b2
Wish to compute c = ab = (a1+a2)(b1+b2)
Party 2’s shares are unknown to Party 1,but there are only 4 possibilities (depending on correspondence to 00,01,10,11)
Multiplication (cont)
Party 1 prepares a table as follows: Row 1 corresponds to Party 2’s input 00 Row 2 corresponds to Party 2’s input 01 Row 3 corresponds to Party 2’s input 10 Row 4 corresponds to Party 2’s input 11
Let r be a random bit chosen by Party 1: Row 1 contains the value ab+r when a2=0,b2=0 Row 2 contains the value ab+r when a2=0,b2=1 Row 3 contains the value ab+r when a2=1,b2=0 Row 4 contains the value ab+r when a2=1,b2=1
Concrete Example
Assume: a1=0, b1=1
Assume: r=1
Row
Party 2’s shares
Output value
1 a2=0,b2=0 (0+0).
(1+0)+1=1
2 a2=0,b2=1 (0+0).
(1+1)+1=1
3 a2=1,b2=0 (0+1).
(1+0)+1=0
4 a2=1,b2=1 (0+1).
(1+1)+1=1
The Protocol
The parties run a 1-out-of-4 oblivious transfer protocol
Party 1 plays the sender: message i is row i of the table.
Party 2 plays the receiver: it inputs 1 if a2=0 and b2=0, 2 if a2=0 and b2=1, and so on…
Output:
Party 2 receives c2=ab+r – this is its output Party 1 outputs c1=r
Problems with OT and RS
Theoretically, any function can be computed with addition and multiplication gates
However, as we have seen, it is not efficient at all Huge communication/computational
cost for the multiplication protocol
Homomorphic encryption They are “probabilistic encryptions”
using randomly selected numbers in generating keys and encryption
properties Homomorphic multiplication
Epk(m0) Epk(m1) = Epk(m0*m1) Without knowing the secret key, we can still calculate
m0*m1 Implementations: ElGamal method
Homomorphic addition Epk(m0)Epk(m1) = Epk(m0+m1) Implementation: Paillier method
ElGamal method System parameters (P,g)
Input 1n
P is a uniformly chosen prime |P|>n g: a random number called “generator”
keys Private key (P,g,x), x is randomly chosen Public key pk=(P, g, y): y = gx mod P (one way
function, computationally intractable to guess x given (P,g,y) )
Encryption: E(pk, m, k) = (gk mod P, mgk mod P), k is a
random number, m is plaintext
ElGamal’s Homomorphic property For two ciphertext
E(pk, m0, k0)= (gk0 mod P, m0gk0 mod P) =
(a0,b0) E(pk, m1,k1) = (gk1 mod P, m1gk1 mod P) =
(a1,b1)
E(pk, m0*m1, k0+k1)= (gk0+k1 mod P, m0*m1*gk0+k1 mod P)
= (a0*a1, b0*b1)
Paillier Encryption System parameters (p,q)
Input 1N
n=pq, and g = n+1
Encryption c=gmrn mod n2.
Decryption
Paillier homomorphic property E(m1, r1) * E(m2, r2) mod n2=
E(m1+m2 mod n) Multiplication is implemented in
partially encrypted form
Summary Three basic methods
Oblivious Transfer Random share Homomorphic encryption
We will see how to use them to construct privacy preserving algorithms