Cryptographic protocols 2014, Lecture 8 multi-round and multi-party


1 Cryptographic protocols 2014, Lecture 8 multi-round and multi-party
Helger Lipmaa University of Tartu, Estonia

2 Up to now
Introduction to the field
(Two-message) secure computation protocols based on DDH and trapdoor DL
Can do "everything", but not necessarily efficiently
Recall multiplication

3 This time
Increase in rounds: sometimes computation decreases significantly (another trade-off)
Multi-round protocols based on threshold encryption: computationally efficient, but many rounds
50% new material compared to ...; ... minutes overtime in ...
Some slides ((n, t) case) presented in the tutorial but needed for the exam

4 Limitations of BDD
(figure: a BDD over the input bits x₀, x₁, x₂)
Let the input be N bits
Communication: at least N + 1 long ciphertexts
Can be decreased: any functionality can be computed with almost optimal rate 1 - o(1) [Kiayias, Leonardos, Lipmaa, Pavlyk, Tang, 2014]

5 Limitations of BDD
Let the input be N bits
Computation: Θ(size(BDD)) long-input exponentiations
Cannot be decreased much: one (mn)-bit exponentiation => m n-bit exponentiations, still expensive (public-key operations)

6 Limitations of BDD
Let the input be N bits
Computation: the BDD size is often huge
Computation of the middle bit of multiplication: BDD size is Ω(N^(3/2) log N), thus as many expensive exponentiations

7 Improvements?
BDD => more efficient computational model: circuits
More efficient public-key/symmetric-key operations: lattice-based cryptography
Trade-off: more communication but less computation; more rounds but less computation
Later

8 Trade-offs: 2 vs multi round
Two-message protocols, pros: cloud computing, where it is undesirable to have (interactive) communication with the client; the client sends Enc(a), the server returns Enc(f(a))
Multi-round protocols, pros: much better computation, but the computation is interactive
Choose the one you need depending on the application

9 (n,t)-threshold encryption
Keep sensitive data encrypted throughout the protocol
Decryption can be done only when t out of n parties agree to decrypt
In protocols: parties agree to decrypt insensitive data that serves as "advice" to make the protocol execution more efficient

10 (2,2)-threshold encryption
(pk, sk) jointly generated, sk = sk₁ + sk₂; party 1 holds (pk, sk₁), party 2 holds (pk, sk₂)
Both see c = Enc(pk, m)
Party 2 partially decrypts: c* = Dec*(sk₂, c), and sends c* to party 1
Party 1 finishes: m ← Dec(sk₁, c*)
Symmetric in the two parties: Dec(sk₁, Dec*(sk₂, Enc(pk, m))) = Dec(sk₂, Dec*(sk₁, Enc(pk, m))) = m

11 Threshold (2,2)-ElGamal
Key generation: party 1 picks y₁ ← ℤp, h₁ ← g^(y₁); party 2 picks y₂ ← ℤp, h₂ ← g^(y₂); they exchange h₁, h₂ and both set h ← h₁ · h₂
Encryption (message in the exponent): c = (c₁, c₂) = Enc(h, m) = (gᵐhʳ, gʳ) = (gᵐ(h₁h₂)ʳ, gʳ)
Dec*(y₂, c) by party 2: c₁* ← c₁ / c₂^(y₂) = gᵐh₁ʳ, so c* = (c₁*, c₂) = (gᵐh₁ʳ, gʳ) = Enc(h₁, m); c* is sent to party 1
Dec by party 1: m ← Dec(y₁, c*)

12 Security of (2,2)-threshold encryption
Correctness (intuition): Dec(y₁, Dec*(y₂, Enc(h, m))) = Dec(y₂, Dec*(y₁, Enc(h, m))) = m
IND-CPA security (against 1 corrupted party): given (h, yₑ) for e ∈ {1, 2}, Enc(h, m₁) and Enc(h, m₂) should look indistinguishable even for m₁, m₂ chosen by the adversary

13 Notation
Denote [[a]] := Enc(pk, a, r) for (some) random r
Denote operations additively: [[a]] + b = [[a + b]], c[[a]] = [[ca]]
Denote [[(a₁, ..., aₙ)]] := ([[a₁]], ..., [[aₙ]])
Omit sk in Dec(sk, ...)
Makes it simpler to comprehend, but hides details

14 Idea: additive sharing
Known to both: [[a]]; Alice holds (pk, sk₁), Bob holds (pk, sk₂)
Alice picks random a₁ and computes [[a₂]] = [[a]] - a₁
Threshold-decrypt [[a₂]] so that Bob learns a₂
Result: Alice knows random a₁ and Bob knows random a₂ such that a = a₁ + a₂

15 Threshold protocols: idea
Known to both: [[a]]; Alice holds (pk, sk₁), Bob holds (pk, sk₂)
Round 1: Alice computes [[w₁]] = F₁([[a]], u₁) from her local value u₁; threshold-decrypt [[w₁]]
Round 2: Bob computes [[w₂]] = F₂(..., v₁) from his local value v₁; threshold-decrypt [[w₂]]
Round 3: Alice computes [[w₃]] = F₃(..., u₂); ...
Last round: [[w_rounds]] = F_rounds(...)
Finally c₁ = [[f₁(a)]], c₂ = [[f₂(a)]]; threshold-decrypt c₁ and c₂, so that Alice learns f₁(a) and Bob learns f₂(a)

16 Threshold multiplication: idea
Common input: [[a]] and [[b]]
Alice and Bob secret-share a and b (neither learns a or b):
Alice picks random a₁, b₁, sends [[a]] - a₁ and [[b]] - b₁ to Bob
Bob decrypts a₂ = a - a₁, b₂ = b - b₁, and computes [[a₂b₂]]
Alice computes [[ab]] given her shares:
[[ab]] = [[(a₁ + a₂)(b₁ + b₂)]] = [[a₂b₂]] + [[a₁ + a₂]]b₁ + [[b₁ + b₂]]a₁ - [[a₁b₁]]
(a₁, b₁ are Alice's shares, a₂, b₂ are Bob's shares; every term on the right can be computed by Alice from [[a₂b₂]], [[a]] = [[a₁ + a₂]], [[b]] = [[b₁ + b₂]], a₁ and b₁)

17 Threshold multiplication
Known to both: c₁ = Enc(h, a, r) = (c₁₁, c₁₂), c₂ = Enc(h, b, s) = (c₂₁, c₂₂); Alice holds (h, y₁), Bob holds (h, y₂)
Alice: pick a₁, b₁; d₁ ← g^(a₁) · c₁₂^(y₁), d₂ ← g^(b₁) · c₂₂^(y₁); send d₁, d₂ to Bob
(the factor g^(a₁) is the masking "[[a]] - a₁" of the previous slide and c₁₂^(y₁) is Alice's half of the decryption; without the masking factor Bob would recover a itself instead of a₂)
Bob: c₁* ← (c₁₁ / d₁, c₁₂) = Enc(h₂, a - a₁, r), c₂* ← (c₂₁ / d₂, c₂₂); a₂ ← Dec(y₂, c₁*), b₂ ← Dec(y₂, c₂*); t ← ℤp, c₃ ← Enc(h, a₂b₂, t); send c₃ to Alice
Alice: u ← ℤp, c* ← c₃ · c₁^(b₁) · c₂^(a₁) / Enc(h, a₁b₁, u)
c* = [[ab]], since [[ab]] = [[a₂b₂]] + b₁[[a₁ + a₂]] + a₁[[b₁ + b₂]] - [[a₁b₁]]
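The (2,2)-threshold lifted ElGamal of slides 10 and 11 and the three-message multiplication protocol of slides 16 and 17, as an added Python example that is not part of the lecture. It uses a constructed toy group p = 2039, q = 1019, g = 4 (far too small for real use, chosen only so that the brute-force discrete logarithms stay cheap), keeps the message in the exponent as on slide 11, and the function names (partial_dec, threshold_mult, multiply_and_open, ...) are this example's own.

```python
import secrets

# Toy DDH group, constructed for this example: p = 2q + 1 with p, q prime and
# g = 4 generating the order-q subgroup. Only big enough to keep the
# brute-force discrete logs below cheap; never use parameters like this.
P, Q, G = 2039, 1019, 4


def inv(x):
    """Inverse mod P (P is prime)."""
    return pow(x, P - 2, P)


def enc(h, m, r=None):
    """Lifted ElGamal Enc(h, m, r) = (g^m h^r, g^r): the message sits in the exponent."""
    if r is None:
        r = secrets.randbelow(Q)
    return (pow(G, m, P) * pow(h, r, P) % P, pow(G, r, P))


def dlog(t):
    """Brute-force log_g(t): the costly DL step that later motivates threshold Paillier."""
    for m in range(Q):
        if pow(G, m, P) == t:
            return m
    raise ValueError("element not in the subgroup")


def partial_dec(y, c):
    """Dec*(y, c): strip one party's key share y, leaving a ciphertext under the other share."""
    c1, c2 = c
    return (c1 * inv(pow(c2, y, P)) % P, c2)


def dec(y, c):
    """Plain ElGamal decryption Dec(y, c) = log_g(c1 / c2^y)."""
    return dlog(partial_dec(y, c)[0])


def keygen_2_2():
    """Slide 11: each party picks y_e and publishes h_e = g^y_e; joint key h = h1 * h2."""
    y1, y2 = secrets.randbelow(Q), secrets.randbelow(Q)
    h = pow(G, y1, P) * pow(G, y2, P) % P
    return h, y1, y2


def threshold_dec(y_first, y_second, c):
    """Slide 10: Dec(y1, Dec*(y2, c)); the two shares can be applied in either order."""
    return dec(y_first, partial_dec(y_second, c))


# Homomorphic operations of slide 13 in the additive [[.]] notation.
def cadd(c, d):          # [[a]] + [[b]] = [[a + b]]
    return (c[0] * d[0] % P, c[1] * d[1] % P)


def cmul(c, k):          # k [[a]] = [[k a]]
    return (pow(c[0], k, P), pow(c[1], k, P))


def csub(c, d):          # [[a]] - [[b]] = [[a - b]]
    return cadd(c, (inv(d[0]), inv(d[1])))


def threshold_mult(h, y1, y2, c_a, c_b):
    """Slides 16-17: from [[a]], [[b]] compute [[ab]]; messages are (d1, d2), c3 and c*."""
    # Alice (key share y1): pick masks a1, b1 and send her half of the
    # decryption of [[a]] - a1 and [[b]] - b1. Without the g^a1 factor Bob
    # would decrypt a itself instead of the share a2 = a - a1.
    a1, b1 = secrets.randbelow(Q), secrets.randbelow(Q)
    d1 = pow(G, a1, P) * pow(c_a[1], y1, P) % P
    d2 = pow(G, b1, P) * pow(c_b[1], y1, P) % P
    # Bob (key share y2): c1* = (c11 / d1, c12) = Enc(h2, a - a1, r); finish decrypting.
    a2 = dec(y2, (c_a[0] * inv(d1) % P, c_a[1]))
    b2 = dec(y2, (c_b[0] * inv(d2) % P, c_b[1]))
    c3 = enc(h, a2 * b2 % Q)                       # [[a2 b2]] with fresh randomness t
    # Alice: [[ab]] = [[a2 b2]] + b1 [[a]] + a1 [[b]] - [[a1 b1]].
    c_star = csub(cadd(cadd(c3, cmul(c_a, b1)), cmul(c_b, a1)), enc(h, a1 * b1 % Q))
    return c_star


def multiply_and_open(a, b):
    """Run the whole protocol on plaintexts a, b (a, b < q) and threshold-decrypt the result."""
    h, y1, y2 = keygen_2_2()
    c_ab = threshold_mult(h, y1, y2, enc(h, a), enc(h, b))
    return threshold_dec(y1, y2, c_ab)
```

Bob's two calls to dec are the "two DLs" of slide 19: a₂ and b₂ are uniformly random in ℤq, so the logarithm has to be taken over the whole exponent space, which is exactly why the toy group has to be tiny here and why the lecture switches to threshold Paillier for the later protocols.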

18 Security
Alice only sees [[a]], [[b]], a₁, b₁, and [[a₂b₂]] (the message c₃)
Bob only sees [[a]], [[b]], [[ab]], a₂, b₂ (the messages d₁, d₂ and the result c*)
Privacy follows from the IND-CPA security of ElGamal, and from the randomness of a₂ and b₂ (they are masked by Alice's uniformly random a₁, b₁)

19 Efficiency
Round complexity: 3 messages (4+, if we count sending [[a]], [[b]] as part of the protocol)
Communication: 6 group elements (or more, if we count sending [[a]], [[b]])
Computation: Alice: 7 exponentiations; Bob: 5 exponentiations + two discrete logarithms
Not efficient, since a₂, b₂ are random: the two discrete logarithms are over the full message space, not over a small range

20 Threshold Paillier
Threshold Paillier can be implemented similarly
However, the techniques are more involved. Briefly: the parties jointly compute cᵈ mod n² for a "good" d (taking d = φ(n), as before, would leak information)
It is well known how to do this, but we will not describe it
Nevertheless, in the next protocols one should use threshold Paillier, since we do not want to compute discrete logarithms

21 Recall: interpolation
Assume we are given (xᵢ, yᵢ) for xᵢ ∈ S = (x₁, ..., x_d)
Task: find the minimum-degree polynomial f such that f(xᵢ) = yᵢ for all i; in general deg f = d - 1
Lagrange interpolating polynomial: f(x) = ∑ᵢ yᵢ lᵢ(x), where lᵢ(x) = ∏_{j ≠ i} (x - xⱼ)/(xᵢ - xⱼ), so that lᵢ(xᵢ) = 1 and lᵢ(xⱼ) = 0 for j ≠ i

22 More complex protocols
Every function over ℤp can be computed as its interpolating polynomial f(a) = ∑ cᵢ aⁱ, i ≤ p - 1
Alice holds (pk, sk₁), Bob holds (pk, sk₂), both hold [[a]]
Compute all [[aⁱ]] by using the multiplication protocol in a "prefix-sum" (prefix-product) fashion; needs Θ(log p) rounds
Alice: [[f₁(a)]] ← ∑ cᵢ[[aⁱ]]; Bob: [[f₂(a)]] ← ∑ cᵢ[[aⁱ]]
Threshold-decrypt f₁(a) (to Alice) and f₂(a) (to Bob)
Bad: up to p ≈ 2¹⁶⁰ multiplication protocols in general

23 Optimization
Even very simple functions f : ℤp × ℤp → ℤp have complicated expressions as polynomials
Example: given [[a]], [[b]], compute [[a = b]] ([[1]] if a = b, [[0]] otherwise); not clear how to compute

24 Closer to equality test
[[a]], [[b]] → [[a = b]] = [[a - b = 0]]
Interpolation (brute-force) approach: if a, b ∈ {0, ..., n}, then z = a - b ∈ S := {-n, ..., 0, ..., n}
Define f(z) = 1 if z = 0, f(z) = 0 if z ∈ S but z ≠ 0
Can compute f by interpolation, but f has degree 2n
Requires computation of [[z]], [[z²]], ..., [[z²ⁿ]]
Costly if n is not small // e.g. log n = 40

25 Trick: bitwise computation
[[a]], [[b]] → [[a = b]], where a, b ∈ {0, ..., n}
Trick 2 (universal): bitwise sharing: share [[aᵢ]] and [[bᵢ]] for all bits i
Results often in much less computation, but sometimes in more communication
We have seen it before

26 Equality test
[[aᵢ]], [[bᵢ]] → [[a = b]], where a, b ∈ {0, ..., n}
Define [[zᵢ]] := [[aᵢ]] - [[bᵢ]] // local computation, zᵢ ∈ {-1, 0, 1}
w = weight(z) := |{i : zᵢ ≠ 0}| = ∑ zᵢ²
z = 0 ⇔ w = 0, so [[a = b]] = [[w = 0]]
Protocol idea: compute [[w]]; w ∈ {0, ..., log₂ n}, an exponentially smaller set than S
Interpolate [[f(w)]] for f with f(w) = 1 iff w = 0

27 Equality test
Common input: ∀i: cᵢ = [[aᵢ]], dᵢ = [[bᵢ]]; Alice holds (pk, sk₁), Bob holds (pk, sk₂)
Both, locally: ∀i: [[zᵢ]] ← [[aᵢ - bᵢ]]
Compute [[zᵢ²]] for i ≤ log n (multiplication protocol)
Both, locally: [[w]] ← ∑ [[zᵢ²]]
Prefix-sum protocol to compute [[wⁱ]] for i ≤ log n
Let f(0) = 1, f(w) = 0 for w ∈ {1, ..., log n}, with coefficients fᵢ; both, locally: [[a = b]] ← ∑ fᵢ[[wⁱ]]

28 Efficiency
Computation: Θ(log n) exponentiations: the squarings [[zᵢ]] → [[zᵢ²]] and the computation of the [[wⁱ]]
Exponentially more computation-efficient than the trivial protocol
Rounds: Θ(log log n) (due to the prefix-sum protocol)
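The interpolation behind slides 21, 24, 26 and 27, as an added Python example that is not part of the lecture, run on plaintexts rather than ciphertexts: the same coefficient vector f is what the protocol applies to [[zⁱ]] or [[wⁱ]], so the example shows the degree that has to be paid for, 2n in the brute-force version versus log n in the Hamming-weight version. The field size 2⁶¹ - 1 and the names interpolate, eq_bruteforce and eq_bitwise are choices of this example.

```python
# Prime field for the arithmetic; 2^61 - 1 is prime. Chosen for this example only.
PRIME = 2**61 - 1


def poly_mul(a, b, p):
    """Product of two coefficient lists (lowest degree first) mod p."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return out


def interpolate(points, p):
    """Slide 21: f(x) = sum_i y_i l_i(x) with l_i(x) = prod_{j != i} (x - x_j)/(x_i - x_j).

    Returns the coefficients [c_0, ..., c_{d-1}] of the unique polynomial of
    degree <= d - 1 through the d points (x_i, y_i)."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                basis = poly_mul(basis, [(-xj) % p, 1], p)   # multiply by (x - x_j)
                denom = denom * (xi - xj) % p
        scale = yi * pow(denom, p - 2, p) % p                 # y_i / prod (x_i - x_j)
        for k, ck in enumerate(basis):
            coeffs[k] = (coeffs[k] + scale * ck) % p
    return coeffs


def evaluate(coeffs, x, p):
    """f(x) = sum c_i x^i; in the protocol the x^i are the ciphertexts [[z^i]] or [[w^i]]."""
    return sum(c * pow(x, i, p) for i, c in enumerate(coeffs)) % p


def zero_test_poly(domain, p):
    """f with f(0) = 1 and f(z) = 0 for every other z in domain (0 must lie in domain)."""
    return interpolate([(z % p, 1 if z == 0 else 0) for z in domain], p)


def eq_bruteforce(a, b, n, p=PRIME):
    """Slide 24: z = a - b in {-n, ..., n}; returns (f(z), deg f), deg f = 2n."""
    f = zero_test_poly(range(-n, n + 1), p)
    return evaluate(f, (a - b) % p, p), len(f) - 1


def eq_bitwise(a, b, bits, p=PRIME):
    """Slides 26-27: z_i = a_i - b_i, w = sum z_i^2 in {0, ..., bits}; returns (f(w), deg f), deg f = bits."""
    z = [((a >> i) & 1) - ((b >> i) & 1) for i in range(bits)]   # each z_i in {-1, 0, 1}
    w = sum(zi * zi for zi in z)                                  # Hamming weight of z
    f = zero_test_poly(range(bits + 1), p)
    return evaluate(f, w, p), len(f) - 1
```

With a, b ≤ 32 the brute-force polynomial needs 65 points and the powers z, ..., z⁶⁴, while the bitwise version needs 7 points and w, ..., w⁶; for the 40-bit inputs mentioned on slide 24 the first is 2⁴¹ multiplications and the second 40.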

29 [[a = b]], [[a < b]]: remarks
[Toft 2011]: first protocol for [[a = b]] that requires less than log n public-key (online) operations; a protocol for [[a < b]] that uses log n iterations of [[a = b]] (akin to binary search)
[Lipmaa, Toft 2013]: somewhat more efficient version

30 Quiz: private IF clause
Non-private: if a = b then z ← z + 1 else z ← z + a
Private (cannot reveal the information flow):
[[a = b]] ← EQ([[a]], [[b]])
[[a ≠ b]] ← 1 - [[a = b]]
[[z]] ← [[a = b]]·[[z + 1]] + [[a ≠ b]]·[[z + a]] (both branches are always evaluated; the two products need the multiplication protocol)
Equality test can be used to implement if clauses efficiently

31 Information-theoretic version
For every sensitive a, Alice and Bob so far shared either Enc(pk, a) or additive shares a₁ and a₂ with a = a₁ + a₂ (or both)
It is possible to not use PKC at all, but only additive sharing (the picture of slide 14 with the encryptions removed: Alice holds a₁, Bob holds a₂)
Much more efficient: no need to do expensive exponentiations, that is, no encryptions

32 Multi-party computation
MULT/EQ/... protocols generalize to n parties, assuming appropriate secret sharing
Will be secure if a majority of the parties are honest
Both the computational and the information-theoretic setting are possible

33 Study outcomes
Threshold encryption, threshold ElGamal
Simple threshold multiplication protocol
Trade-off: rounds vs computation
Other protocols (EQ), simple tricks: interpolation, bitwise computation
Multi-party computation, information-theoretic security (idea)

34 Material explained in tutorials
The next slides were explained in tutorials. NB: needed for the exam

35 What next?
We showed how to compute almost anything securely in the semihonest model
Starting from the next lecture: what to do when parties are malicious?

36 (n,t)-threshold encryption
Assume we have n > t parties
Every party e generates her random secret key yₑ and public key hₑ; let h be the joint public key
Completeness: given access to h, Enc(h, m), and at least t + 1 different secret keys, one can recover m
IND-CPA under t-corruption: given access to h, Enc(h, m), and at most t different secret keys, an adversary cannot break IND-CPA
(Here t is the corruption bound; the slides that follow use the reconstruction threshold instead, where t keys suffice and t - 1 reveal nothing. Check which convention a scheme uses before comparing thresholds.)

37 Idea: secret sharing
(2,2) case: y = y₁ + y₂
Completeness: from y₁ and y₂ one can recover y
Hiding: if (say) y₁ is random, then just knowing y₂ gives no information about y
We need the same for arbitrary (n, t), t < n

38 Quiz: (n, n)-secret sharing
Assume the case (n, t = n)
Question: how to combine y from (y₁, ..., yₙ) so that no n - 1 parties can obtain any information about y?
Answer: generalization of (2,2): y = y₁ + ... + yₙ

39 Quiz: general case
Assume the case (n, t) for any t < n
Question: how to combine y from (y₁, ..., yₙ) so that no t - 1 parties can obtain any information about y?
Answer: not so simple anymore; need error-correcting codes, used in a privacy-preserving way

40 Reed-Solomon* codes
Commonly known as Shamir secret sharing
Assume yₑ ∈ ℤp for all 1 ≤ e ≤ t, and t ≤ n ≤ p - 1
Construct a degree-(t - 1) polynomial f : ℤp → ℤp such that f(e) = yₑ for 1 ≤ e ≤ t
Such a polynomial exists and is unique; found by using interpolation (again!) over S = {1, ..., t}
RS_{t,n}(y₁, ..., yₜ) := (y₁, ..., yₙ) = (f(1), ..., f(n))

41 Quiz: what is the secret?
Secret: y := f(0) = ∑_{i ∈ S} yᵢ lᵢ(0)
Given f(i) for any t inputs 1 ≤ i ≤ n: since f is a degree-(t - 1) polynomial, one can recover f by Lagrange interpolation, and thus also f(i) for any other input, including f(0)
Given f(i) for any t - 1 inputs 1 ≤ i ≤ n: for any s', there exists a unique degree-(t - 1) polynomial g that agrees with f on these t - 1 inputs and has g(0) = s', so y stays hidden

42 Threshold (n,t)-ElGamal
Dealer: y₁, ..., yₜ ← ℤp; (y₁, ..., yₙ) ← RS(y₁, ..., yₜ) with polynomial f; y ← f(0); pk = h ← g^y
Dealer sends yᵢ to party i, for i = 1, ..., n

43 Threshold (n,t)-ElGamal
Party i holds yᵢ and publishes hᵢ = g^(yᵢ)
c = (c₁, c₂) = Enc(m, r) = (gᵐhʳ, gʳ)
Any set S of t parties decrypts: each i ∈ S publishes dᵢ = c₂^(yᵢ)
Dec({yᵢ}, c) = log(c₁ / ∏_{i ∈ S} dᵢ^(lᵢ(0))), with lᵢ the Lagrange coefficients for S

44 Threshold ElGamal: correctness
Enc(m, r) = (gᵐhʳ, gʳ), dᵢ = c₂^(yᵢ) = g^(ryᵢ) for i ∈ S = {x₁, ..., xₜ}
log ∏ dᵢ^(lᵢˢ(0)) = r ∑ yᵢ lᵢˢ(0) = r f(0) = ry, so ∏ dᵢ^(lᵢˢ(0)) = g^(ry) = hʳ
Thus log(c₁ / ∏ dᵢ^(lᵢˢ(0))) = log(gᵐhʳ / hʳ) = m

45 Remarks
Dealing can be done without a trusted third party (out of scope)
If users are semihonest, can take any n ≥ t; for decryption, at least t must be present
Also works when a minority of users is malicious; then n ≥ 2t + 1 (out of scope)
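Slides 40 to 44 (Reed-Solomon/Shamir sharing, the dealer, t-of-n decryption and the hiding argument of slide 41) as an added Python example, not part of the lecture. It reuses the constructed toy group p = 2039, q = 1019, g = 4 of the (2,2) example (far too small for real use); shares and the secret live in ℤq because exponents are reduced modulo the group order. The names lagrange_at, rs_share, deal, reconstruct and share_consistent_with_guess are this example's own.

```python
import secrets

# Toy group constructed for the example: p = 2q + 1, g of prime order q.
# Exponents, hence key shares, are taken mod q.
P, Q, G = 2039, 1019, 4


def lagrange_at(S, i, x, q=Q):
    """l_i^S(x) = prod_{j in S, j != i} (x - j)/(i - j) mod q (slides 21 and 41)."""
    num = den = 1
    for j in S:
        if j != i:
            num = num * (x - j) % q
            den = den * (i - j) % q
    return num * pow(den, q - 2, q) % q


def interpolate_at(points, x, q=Q):
    """f(x) for the unique degree-(|points| - 1) polynomial through the (i, y_i) pairs in points."""
    S = list(points)
    return sum(points[i] * lagrange_at(S, i, x, q) for i in S) % q


def rs_share(y_first_t, n, q=Q):
    """Slide 40: RS_{t,n}(y_1..y_t) = (f(1), ..., f(n)) for the degree-(t-1) f with f(e) = y_e, e <= t."""
    points = {e: y_first_t[e - 1] for e in range(1, len(y_first_t) + 1)}
    return [interpolate_at(points, e, q) for e in range(1, n + 1)]


def deal(n, t):
    """Slide 42: the dealer picks y_1..y_t, extends them to n shares, secret y = f(0), pk = g^y."""
    y_first_t = [secrets.randbelow(Q) for _ in range(t)]
    shares = rs_share(y_first_t, n)
    y = interpolate_at({e: y_first_t[e - 1] for e in range(1, t + 1)}, 0)
    return pow(G, y, P), shares, y


def reconstruct(shares, S):
    """Slide 41: any t shares f(i), i in S, give f(0) = sum_i y_i l_i^S(0)."""
    return interpolate_at({i: shares[i - 1] for i in S}, 0)


def enc(h, m):
    """Lifted ElGamal (g^m h^r, g^r) under the joint key h."""
    r = secrets.randbelow(Q)
    return (pow(G, m, P) * pow(h, r, P) % P, pow(G, r, P))


def threshold_dec(shares, S, c):
    """Slide 43: the parties in S publish d_i = c2^{y_i}; m = log(c1 / prod d_i^{l_i^S(0)})."""
    c1, c2 = c
    combined = 1
    for i in S:
        d_i = pow(c2, shares[i - 1], P)
        combined = combined * pow(d_i, lagrange_at(S, i, 0), P) % P   # -> g^{r f(0)} = h^r
    target = c1 * pow(combined, P - 2, P) % P                          # = g^m
    return next(m for m in range(Q) if pow(G, m, P) == target)         # brute-force DL, toy size


def share_consistent_with_guess(known, s_guess, x):
    """Slide 41 hiding: t - 1 known shares plus (0, s_guess) fix a unique degree-(t-1) g; return g(x).
    Every guess for the secret is consistent with the known shares, so they reveal nothing about y."""
    points = dict(known)
    points[0] = s_guess
    return interpolate_at(points, x)
```

The decryption side never reconstructs y: each party exponentiates only with its own share and the Lagrange coefficients are applied in the exponent, which is the property that keeps the key shares private across many decryptions.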

