Conditional Encrypted Mapping

andComparing Encrypted

Numbers

Vladimir KolesnikovJoint work with Ian F. Blake

University of Toronto

Privacy in Auctions

I am selling a ticket to Anguilla.

$1000One hundred million dollars!

Note to self: spam Austin with $999 tickets offers

Deal!Sorry

Comparing Encrypted Numbers

Enc($1000) Enc($100000000)Enc(0) Enc(1)

I lost I won

I have no idea what the bids were

What if bidders lie about the result?

Conditional Encrypted Mapping (CEM)

Enc($1000) Enc($100000000)Enc(s0) Enc(s1)

s0 s1

Prepare two secrets:s1 – signed contracts0 – loser notification

Q-CEM

m=Rmap(s0, s1, e0, e1, pk)

e0 = Enc(x) e1 = Enc(y)

mRec(m, sk) = sQ(x,y)

Q(x,y)

Pair (Rmap, Rec) for Q is a Q-CEM

s0, s1

? ?

Definitional Choices

Strong notion of privacy

• Output of Rmap contains no statistical information other than the value sQ(x,y)

• Strong composability

• Holds for all generated key pairs, valid inputs and randomness used in encryption

• E.g. Adv does not benefit from maliciouslychoosing randomness when encrypting inputs

CEM: Rmap(s0, s1, e0, e1, pk), Rec(m, sk)

Definitional Choices

Do not specify security requirements of the encryption scheme

• One definition is useable in most settings• Delay discussion of easy but tedious details (e.g. what if inputs contain decryption keys)• Q-CEM with semantically secure encryption gives a protocol in the semi-honest model

• can be modified to withstand malicious players (ZK or the light-weight CDS)

CEM: Rmap(s0, s1, e0, e1, pk), Rec(m, sk)

Some of Related Work Auctions and GT

Naor, Pinkas, Sumner 1999 Di Crescenzo 2000 Fischlin 2001 Laur, Lipmaa 2005 Many others

CEM Conditional Oblivious Transfer and variants

Di Crescenzo, Ostrovsky, Rajagopalan 1999 Gertner, Ishai, Kushilevitz, Malkin 1998 Aiello, Ishai, Reingold 2001 Di Crescenzo 2000 Laur Lipmaa 2005

Tools – Homomorphic Encryption

Encryption scheme, such that:

Given E(m1), E(m2) and public key,allows to compute E(m1 m2)

• Additively homomorphic ( = +) schemes• Large plaintext group

We will need:

The Paillier scheme satisfies our requirementsCan compute E(cm1 + m2) from c, E(m1), E(m2)

The GT-CEM Construction

x1, …, xn y1, …, yn

x1-y1, …, xn-ynd =

0 = 0, i = rii-1+di

s0, s1

d = 0 0 0 0 0… 1-1

1-1

1-1

= 0 0 0 t1 t2 t3 t4 t5… 1-1

Linear Map 0 R-1 s01 s1

0 R-1 ES01 ES1

ESi is a randomized encoding of si• contains no other information

x y

Randomized MappingGiven s0, s1ES0, ES1, f(x) = ax + b

f(-1) = b-a = ES0 (1)f(1) = a+b = ES1 (2)f(0) = b = ½ (ES0 + ES1)

Assume s0, s1 contain redundancyChoose R 2R ZN. View R as blocks r0, r1: R = r0 2k + r1

_ _ _ _ _ _. _ _ _ _ _ES0 =

ES1 = r0

r0

r1

r1

_ _ _ _ _ _. _ _ _ _ _

s0

s1

Set f = ax+b to satisfy (1),(2)• f(-1), f(1) contain s0, s1 and no extra information*• f(0) = ½ (ES0 + ES1) = ½ (s0 2k + r1 + r0 2k + s1) =

½ (R + … ) = R’

_ _ _ _ _ _. _ _ _ _ _r0

r1_ _ _ _ _ _. _ _ _ _ _

s0

s1

c 2R {0,1}c=0 c=1

Resource Comparison

c-bit secrets are transferred based on comparison of n-bit numbers. and are the correctness and security parameter

Orders of magnitude improvement over GM-based schemesPerformance similar to previous Paillier-based COT schemes

Conclusions General and convenient definition of CEM CEM for any NC1 predicate GT-CEM Constructions

Simple and composable Especially efficient for transferring larger

secrets ( e.g. ¼500-1000 bits ) Applications to auctions, etc