1 / 22

Cryptographic primitives

Cryptographic primitives. Outline. Preliminary Oblivious Transfer (OT) Random share based methods Homomorphic Encryption ElGamal. Assumptions. Semi-honest party assumption Parties honestly follow the security protocol Parties might be curious about the transferred data

altessa
Download Presentation

Cryptographic primitives

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Cryptographic primitives

  2. Outline • Preliminary • Oblivious Transfer (OT) • Random share based methods • Homomorphic Encryption • ElGamal

  3. Assumptions • Semi-honest party assumption • Parties honestly follow the security protocol • Parties might be curious about the transferred data • Malicious party assumption • The malicious party can do anything • Transfer false data • Turn down the protocol • Collusion • Often, we can handle • semi-honest + integrity verification

  4. Public-key encryption • Let (G,E,D) be a public-key encryption scheme • G is a key-generation algorithm (pk,sk)  G • Pk: public key • Sk: secret key • Terms • Plaintext: the original text, denoted as m • Ciphertext: the encrypted text, denoted as c • Encryption: c = Epk(m) • Decryption: m = Dsk(c) • Concept of one-way function: knowing c, pk, and the function Epk, it is still computationally intractable to find m. *Check literature for different implementations

  5. 1-out-of-2 Oblivious Transfer (OT) • Setting • Sender has two messages m0 and m1 • Receiver has a single bit {0,1} and wants to learn m , but does not want the sender know which bit is selected. • Outputs • Sender knows nothing about  • Receiver obtain m and learns nothing ofm1-

  6. Assume that a public-key can be sampled without knowledge of its secret key (knowing pk only): • The protocol is simplified with this assumption • Knowing pk but not knowing sk – tricky to do that • Both parties are honest

  7. Protocol for Oblivious Transfer • Receiver (with input ): • Receiver chooses one key-pair (pk,sk) and one public-key pk’ (oblivious key generation), but does not know sk’. • Receiver sets pk = pk, pk1- = pk’ • Receiver sends pk0,pk1 to sender • Sender (with input m0,m1): • Sends c0=Epk0(m0), c1=Epk1(m1) • Receiver: • Decrypts c using sk and obtains m. • Note: receiver can decrypt for pk but not for pk1-

  8. Generalization • Similarly, we can define 1-out-of-k oblivious transfer • Protocol remains the same: • Choose k-1 public keys for which the secret key is unknown • Choose 1 public-key and secret-key pair

  9. Random share based method • Settings • have >2 parties • No collusion – semi-honest • Let f be the function that the parties wish to compute • Represent f as an arithmetic circuit with addition and multiplication gates • Theoretically, any function can be implemented with addition and multiplication • Goal: securely compute additions and multiplications

  10. Random Shares Paradigm • Let a be some value: • Party 1 holds a, distributes random values ai to other parties (and party 1 knows a-ai) • Party i receives ai • Note that without knowing a-ai, and all random shares ai , nothing of a is revealed. • We say that the parties hold random shares of a.

  11. Securely computing addition (xor for one-bit data) • Party 1,2,3 own a,b,c respectively • Generate random shares: • Party 1 has shares a1 , b1 andc1 • Party 2 has shares a2 , b2 andc2 • Party 3 has shares a3 , b3 andc3 • Note: a1+a2 +a3 =a, b1+b2 +b3 =b, and c1+c2 +c3 =c • To compute random shares of output d=a+b+c • Party 1 locally computes d1=a1+b1+c1 • Party 2 locally computes d2=a2+b2+c2 • Party 3 locally computes d3=a3+b3+c3 • Note: d1+d2 +d3 =d • The result shares do not reveal the original value of a,b,c

  12. Multiplication (2 parties) • Simplified 2party case • Assume a, b are binary bit • We work on “and” operation instead –multiplication for one bit numbers • Input wires to gate have values a and b: • Party 1 has shares a1 and b1 • Party 2 has shares a2 and b2 • Wish to compute c = ab = (a1+a2)(b1+b2) • Party 2’s shares are unknown to Party 1,but there are only 4 possibilities (depending on correspondence to 00,01,10,11)

  13. Multiplication (cont) • Party 1 prepares a table as follows: • Row 1 corresponds to Party 2’s input 00 • Row 2 corresponds to Party 2’s input 01 • Row 3 corresponds to Party 2’s input 10 • Row 4 corresponds to Party 2’s input 11 • Let rbe a random bit chosen by Party 1: • Row 1 contains the value ab+r when a2=0,b2=0 • Row 2 contains the value ab+r when a2=0,b2=1 • Row 3 contains the value ab+r when a2=1,b2=0 • Row 4 contains the value ab+r when a2=1,b2=1

  14. Concrete Example • Assume: a1=0, b1=1 • Assume: r=1

  15. The Protocol • The parties run a 1-out-of-4 oblivious transfer protocol • Party 1 plays the sender: message i is row i of the table. • Party 2 plays the receiver: it inputs 1 if a2=0 and b2=0, 2 if a2=0 and b2=1, and so on… • Output: • Party 2 receives c2=ab+r – this is its output • Party 1 outputs c1=r

  16. Problems with OT and RS • Theoretically, any function can be computed with addition and multiplication gates • However, as we have seen, it is not efficient at all • Huge communication/computational cost for the multiplication protocol

  17. Homomorphic encryption • They are “probabilistic encryptions” • using randomly selected numbers in generating keys and encryption • properties • Homomorphic multiplication • Epk(m0)  Epk(m1) = Epk(m0*m1) • Without knowing the secret key, we can still calculate m0*m1 • Implementations: ElGamal method • Homomorphic addition • Epk(m0)Epk(m1) = Epk(m0+m1) • Implementation: Paillier method

  18. ElGamal method • System parameters (P,g) • Input 1n • P is a uniformly chosen prime |P|>n • g: a random number called “generator” • keys • Private key (P,g,x), x is randomly chosen • Public key pk=(P, g, y): y = gx mod P (one way function, computationally intractable to guess x given (P,g,y) ) • Encryption: • E(pk, m, k) = (gk mod P, mgk mod P), k is a random number, m is plaintext

  19. ElGamal’s Homomorphic property • For two ciphertext • E(pk, m0, k0)= (gk0 mod P, m0gk0 mod P) = (a0,b0) • E(pk, m1,k1) = (gk1 mod P, m1gk1 mod P) = (a1,b1) • E(pk, m0*m1, k0+k1) = (gk0+k1 mod P, m0*m1*gk0+k1 mod P) = (a0*a1, b0*b1)

  20. Paillier Encryption • System parameters (p,q) • Input 1N • n=pq, and g = n+1 • Encryption • c=gmrn mod n2. • Decryption

  21. Paillier homomorphic property • E(m1, r1) * E(m2, r2) mod n2= E(m1+m2 mod n) • Multiplication is implemented in partially encrypted form

  22. Summary • Three basic methods • Oblivious Transfer • Random share • Homomorphic encryption • We will see how to use them to construct privacy preserving algorithms

More Related