1 / 20

Cryptographic methods

Cryptographic methods. Outline. Preliminary Assumptions Public-key encryption Oblivious Transfer (OT) Random share based methods Homomorphic Encryption ElGamal. Assumptions. Semi-honest party assumption Parties honestly follow the security protocol

lacota-cooper
Download Presentation

Cryptographic methods

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Cryptographic methods

  2. Outline • Preliminary • Assumptions • Public-key encryption • Oblivious Transfer (OT) • Random share based methods • Homomorphic Encryption • ElGamal

  3. Assumptions • Semi-honest party assumption • Parties honestly follow the security protocol • Parties might be curious about the transferred data • Malicious party assumption • The malicious party can do anything • Transfer false data • Turn down the protocol • Collusion

  4. Public-key encryption • Let (G,E,D) be a public-key encryption scheme • G is a key-generation algorithm (pk,sk)  G • Pk: public key • Sk: secret key • Terms • Plaintext: the original text, notated as m • Ciphertext: the encrypted text, notated as c • Encryption: c = Epk(m) • Decryption: m = Dsk(c) • Concept of one-way function: knowing c, pk, and the function Epk, it is still computationally intractable to find m. *Check literature for different implementations

  5. 1-out-of-2 Oblivious Transfer (OT) • Inputs • Sender has two messages m0 and m1 • Receiver has a single bit {0,1} • Outputs • Sender receives nothing • Receiver obtain m and learns nothing ofm1-

  6. Assume that a public-key can be sampled without knowledge of its secret key (knowing pk only): • Oblivious key generation: pk  OG • Protocol is simplified with this assumption

  7. Protocol for Oblivious Transfer • Receiver (with input ): • Receiver chooses one key-pair (pk,sk) and one public-key pk’ (oblivious key generation). • Receiver sets pk = pk, pk1- = pk’ • Receiver sends pk0,pk1 to sender • Sender (with input m0,m1): • Sends receiver c0=Epk0(m0), c1=Epk1(m1) • Receiver: • Decrypts c using sk and obtains m. • Note: receiver can decrypt for pk but not for pk1-

  8. Generalization • Can define 1-out-of-k oblivious transfer • Protocol remains the same: • Choose k-1 public keys for which the secret key is unknown • Choose 1 public-key and secret-key pair

  9. Random share based method • For simplicity – we may consider two-party case • The addition/multiplication protocols have to have >2 parties • Let f be the function that the parties wish to compute • Represent f as an arithmetic circuit with addition and multiplication gates • Any function can be implemented with addition and multiplication • Aim – compute gate-by-gate, revealing only random shares each time

  10. Random Shares Paradigm • Let a be some value: • Party 1 holds a, distributes random values ai and thus knows a-ai • Party i receives ai • Note that without knowing a-ai, and all random shares ai , nothing of a is revealed. • We say that the parties hold random shares of a.

  11. Securely computing addition • Party 1,2,3 hold a,b,c respectively • Generate random shares: • Party 1 has shares a1 , b1 andc1 • Party 2 has shares a2 , b2 andc2 • Party 3 has shares a3 , b3 andc3 • Note: a1+a2 +a3 =a, b1+b2 +b3 =b, and c1+c2 +c3 =c • To compute random shares of output d=a+b+c • Party 1 locally computes d1=a1+b1+c1 • Party 2 locally computes d2=a2+b2+c2 • Party 3 locally computes d3=a3+b3+c3 • Note: d1+d2 +d3 =d • The result shares do not reveal the original value of a,b,c

  12. Multiplication (2 parties) • Simplified (a, b are binary bit) • Input wires to gate have values a and b: • Party 1 has shares a1 and b1 • Party 2 has shares a2 and b2 • Wish to compute c = ab = (a1+a2)(b1+b2) • Party 1 knows its concrete share values. • Party 2’s values are unknown to Party 1, but there are only 4 possibilities (depending on correspondence to 00,01,10,11)

  13. Multiplication (cont) • Party 1 prepares a table as follows: • Row 1 corresponds to Party 2’s input 00 • Row 2 corresponds to Party 2’s input 01 • Row 3 corresponds to Party 2’s input 10 • Row 4 corresponds to Party 2’s input 11 • Let rbe a random bit chosen by Party 1: • Row 1 contains the value ab+r when a2=0,b2=0 • Row 2 contains the value ab+r when a2=0,b2=1 • Row 3 contains the value ab+r when a2=1,b2=0 • Row 4 contains the value ab+r when a2=1,b2=1

  14. Concrete Example • Assume: a1=0, b1=1 • Assume: r=1

  15. The Protocol • The parties run a 1-out-of-4 oblivious transfer protocol • Party 1 plays the sender: message i is row i of the table. • Party 2 plays the receiver: it inputs 1 if a2=0 and b2=0, 2 if a2=0 and b2=1, and so on… • Output: • Party 2 receives c2=c+r – this is its output • Party 1 outputs c1=r • Note: c1 and c2 are random shares of c, as required

  16. Problems with OT and RS • Theoretically, any function can be computed with addition and multiplication gates • However, as we have seen, it is not efficient at all • Huge communication/computational cost for the multiplication protocol

  17. Homomorphic encryption • They are “probabilistic encryptions” • using randomly selected numbers in generating keys and encryption • properties • Homomorphic multiplication • Epk(m0)*Epk(m1) = Epk(m0*m1) • Without knowing the secret key, we can still calculate m0*m1 • Implementations: ElGamal method, Pailier • Homomorphic addition • Epk(m0)*Epk(m1) = Epk(m0+m1) • Implementation: Pailier method

  18. ElGamal method • System parameters (P,g) • Input 1n • P is a uniformly chosen prime |P|>n • g: a random number called “generator” • keys • Private key (P,g,x), x is randomly chosen • Public key pk=(P, g, y): y = gx mod P (one way function, impossible to guess x given (P,g,y) ) • Encryption: • E(pk, m, k) = (gk mod P, mgk mod P), k is a random number, m is plaintext

  19. Important property • For two ciphertext • E(pk, m0, k0)= (gk0 mod P, m0gk0 mod P) = (a0,b0) • E(pk, m1,k1) = (gk1 mod P, m1gk1 mod P) = (a1,b1) • E(pk, m0*m1, k0+k1) = (gk0+k1 mod P, m0*m1*gk0+k1 mod P) = (a0*a1, b0*b1)

  20. Summary • Three basic methods • Oblivious Transfer • Random share • Homomorphic encryption • We will see how to use them to construct privacy preserving algorithms

More Related