Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptographic methods. Outline  Preliminary Assumptions Public-key encryption  Oblivious Transfer (OT)  Random share based methods  Homomorphic Encryption.

Published byShavonne Lawson Modified over 8 years ago

Similar presentations

Presentation on theme: "Cryptographic methods. Outline  Preliminary Assumptions Public-key encryption  Oblivious Transfer (OT)  Random share based methods  Homomorphic Encryption."— Presentation transcript:

1 Cryptographic methods

2 Outline  Preliminary Assumptions Public-key encryption  Oblivious Transfer (OT)  Random share based methods  Homomorphic Encryption ElGamal

3 Assumptions  Semi-honest party assumption Parties honestly follow the security protocol Parties might be curious about the transferred data  Malicious party assumption The malicious party can do anything  Transfer false data  Turn down the protocol  Collusion

4 Public-key encryption  Let (G,E,D) be a public-key encryption scheme G is a key-generation algorithm (pk,sk)  G  Pk: public key  Sk: secret key Terms  Plaintext: the original text, notated as m  Ciphertext: the encrypted text, notated as c Encryption: c = E pk (m) Decryption: m = D sk (c) Concept of one-way function: knowing c, pk, and the function E pk, it is still computationally intractable to find m. *Check literature for different implementations

5 1-out-of-2 Oblivious Transfer (OT)  Inputs Sender has two messages m 0 and m 1 Receiver has a single bit {0,1}  Outputs Sender receives nothing Receiver obtain m  and learns nothing of m 1-

6  Assume that a public-key can be sampled without knowledge of its secret key (knowing pk only): Oblivious key generation: pk  OG Protocol is simplified with this assumption

7 Protocol for Oblivious Transfer  Receiver (with input ): Receiver chooses one key-pair (pk,sk) and one public-key pk’ (oblivious key generation). Receiver sets pk  = pk, pk 1- = pk’ Receiver sends pk 0,pk 1 to sender  Sender (with input m 0,m 1 ): Sends receiver c 0 =E pk0 (m 0 ), c 1 =E pk1 (m 1 )  Receiver: Decrypts c  using sk and obtains m . Note: receiver can decrypt for pk  but not for pk 1-

8 Generalization  Can define 1-out-of-k oblivious transfer  Protocol remains the same: Choose k-1 public keys for which the secret key is unknown Choose 1 public-key and secret-key pair

9 Random share based method  For simplicity – we may consider two-party case The addition/multiplication protocols have to have >2 parties  Let f be the function that the parties wish to compute  Represent f as an arithmetic circuit with addition and multiplication gates Any function can be implemented with addition and multiplication  Aim – compute gate-by-gate, revealing only random shares each time

10 Random Shares Paradigm  Let a be some value: Party 1 holds a, distributes random values a i and thus knows a-a i Party i receives a i Note that without knowing a-a i, and all random shares a i, nothing of a is revealed. We say that the parties hold random shares of a.

11 Securely computing addition  Party 1,2,3 hold a,b,c respectively  Generate random shares: Party 1 has shares a 1, b 1 and c 1 Party 2 has shares a 2, b 2 and c 2 Party 3 has shares a 3, b 3 and c 3 Note: a 1 +a 2 +a 3 =a, b 1 +b 2 +b 3 =b, and c 1 +c 2 +c 3 =c  To compute random shares of output d=a+b+c Party 1 locally computes d 1 =a 1 +b 1 +c 1 Party 2 locally computes d 2 =a 2 +b 2 +c 2 Party 3 locally computes d 3 =a 3 +b 3 +c 3 Note: d 1 +d 2 +d 3 =d  The result shares do not reveal the original value of a,b,c

12 Multiplication (2 parties)  Simplified (a, b are binary bit)  Input wires to gate have values a and b: Party 1 has shares a 1 and b 1 Party 2 has shares a 2 and b 2 Wish to compute c = ab = (a 1 +a 2 )(b 1 +b 2 )  Party 1 knows its concrete share values.  Party 2’s values are unknown to Party 1, but there are only 4 possibilities (depending on correspondence to 00,01,10,11)

13 Multiplication (cont)  Party 1 prepares a table as follows: Row 1 corresponds to Party 2’s input 00 Row 2 corresponds to Party 2’s input 01 Row 3 corresponds to Party 2’s input 10 Row 4 corresponds to Party 2’s input 11  Let r be a random bit chosen by Party 1: Row 1 contains the value ab+r when a 2 =0,b 2 =0 Row 2 contains the value ab+r when a 2 =0,b 2 =1 Row 3 contains the value ab+r when a 2 =1,b 2 =0 Row 4 contains the value ab+r when a 2 =1,b 2 =1

14 Concrete Example  Assume: a 1 =0, b 1 =1  Assume: r=1 Ro w Party 2’s shares Output value 1a 2 =0,b 2 =0 (0+0). (1+0)+ 1=1 2a 2 =0,b 2 =1 (0+0). (1+1)+ 1=1 3a 2 =1,b 2 =0 (0+1). (1+0)+ 1=0 4a 2 =1,b 2 =1 (0+1). (1+1)+ 1=1

15 The Protocol  The parties run a 1-out-of-4 oblivious transfer protocol  Party 1 plays the sender: message i is row i of the table.  Party 2 plays the receiver: it inputs 1 if a 2 =0 and b 2 =0, 2 if a 2 =0 and b 2 =1, and so on…  Output: Party 2 receives c 2 =c+r – this is its output Party 1 outputs c 1 =r Note: c 1 and c 2 are random shares of c, as required

16 Problems with OT and RS  Theoretically, any function can be computed with addition and multiplication gates  However, as we have seen, it is not efficient at all Huge communication/computational cost for the multiplication protocol

17 Homomorphic encryption  They are “probabilistic encryptions” using randomly selected numbers in generating keys and encryption  properties Homomorphic multiplication  E pk (m 0 )*E pk (m 1 ) = E pk (m 0 *m 1 )  Without knowing the secret key, we can still calculate m0*m1  Implementations: ElGamal method, Pailier Homomorphic addition  E pk (m 0 )*E pk (m 1 ) = E pk (m 0 +m 1 )  Implementation: Pailier method

18 ElGamal method  System parameters (P,g) Input 1 n P is a uniformly chosen prime |P|>n g: a random number called “generator”  keys Private key (P,g,x), x is randomly chosen Public key pk=(P, g, y): y = g x mod P (one way function, impossible to guess x given (P,g,y) )  Encryption: E(pk, m, k) = (g k mod P, mg k mod P), k is a random number, m is plaintext

19 Important property  For two ciphertext E(pk, m0, k0)= (g k0 mod P, m0g k0 mod P) = (a0,b0) E(pk, m1,k1) = ( g k1 mod P, m1g k1 mod P) = (a1,b1)  E(pk, m0*m1, k0+k1) = (g k0+k1 mod P, m0*m1*g k0+k1 mod P) = (a0*a1, b0*b1)

20 Summary  Three basic methods Oblivious Transfer Random share Homomorphic encryption  We will see how to use them to construct privacy preserving algorithms

Download ppt "Cryptographic methods. Outline  Preliminary Assumptions Public-key encryption  Oblivious Transfer (OT)  Random share based methods  Homomorphic Encryption."

Similar presentations

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Data Security 1 El_Gamal Cryptography. Data Security2 Introduction El_Gamal is a public-key cryptosystem technique El_Gamal is a public-key cryptosystem.

Data Security 1 El_Gamal Cryptography. Data Security2 Introduction El_Gamal is a public-key cryptosystem technique El_Gamal is a public-key cryptosystem.
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Asymmetric-Key Cryptography

Asymmetric-Key Cryptography
Public Key Encryption Algorithm

Public Key Encryption Algorithm
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
7. Asymmetric encryption-

7. Asymmetric encryption-
General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.

General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.

Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.
Session 4 Asymmetric ciphers.

Session 4 Asymmetric ciphers.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent

Similar presentations

Ads by Google