Cryptographic protocols 2016, Lecture 8 multi-round protocols


1 Cryptographic protocols 2016, Lecture 8: multi-round protocols
Helger Lipmaa, University of Tartu, Estonia

2 Up to now
Introduction to the field
(2-message) secure computation protocols based on DDH and trapdoor DL
Can do "everything" (via BDDs), but not necessarily efficiently

3 This time
Increase the number of rounds: computation can decrease significantly (another trade-off)
Multi-round protocols based on threshold encryption: computationally efficient, but many rounds

4 Case study: multiplication
Homomorphic protocols make it possible to compute any linear function Σ_i b_i a_i of Alice's inputs a_i with Bob's coefficients b_i (Alice sends Enc(a_i), Bob returns Enc(Σ_i b_i a_i))
Higher-degree polynomials: possible but costly
  Alice encrypts all products a_i a_j, Bob computes Enc(Σ_{ij} b_{ij} a_i a_j)
  Requires a quadratic number of ciphertexts
  Even worse when cubic or higher-degree polynomials are needed

5 Multiplication with BDD
Assume inputs are m-bit long
[Wegener and Woelfel, 2007]: the BDD size needed to compute the middle bit of multiplication is Ω(m^{3/2} / log m)
Expensive! Note: less expensive with circuits

6 Improvements?
BDD => more efficient computational model: circuits
More efficient public-key/symmetric-key operations: lattice-based cryptography (unfortunately no time to cover during this course)
Trade-off: more communication but less computation
Trade-off: more rounds but less computation (later in this lecture)

7 Trade-offs: 2 vs multi round
Two-message protocols (Alice sends Enc(a), Bob returns Enc(f(a))), pros:
  Cloud computing: undesirable to have further communication with the client
Multi-round protocols, pros:
  Much better computation
Choose the one you need depending on the application

8 (n,t)-threshold encryption: idea
Keep sensitive data encrypted throughout the protocol
(n, t)-threshold decryption: decryption can be done only when t out of n parties agree to decrypt
Why interesting: parties agree to decrypt insensitive intermediate data that serves as "advice" to make protocol execution more efficient
This lecture: (2, 2)-threshold en-/decryption

9 Threshold (2,2)-ElGamal
Key generation:
  Alice: y₁ ← ℤp, h₁ ← g^{y₁}; sends h₁ to Bob
  Bob: y₂ ← ℤp, h₂ ← g^{y₂}; sends h₂ to Alice
  Both: h ← h₁ · h₂ (joint public key; the secret key y₁ + y₂ is never held by one party)
Encryption: c = (c₁, c₂) = Enc_h(m) = (g^m h^r, g^r) = (g^m (h₁h₂)^r, g^r)
Threshold decryption of c:
  Bob: Dec*_{y₂}(c): c₁* ← c₁ / c₂^{y₂} = g^m h₁^r; c* ← (c₁*, c₂) = (g^m h₁^r, g^r) = Enc_{h₁}(m); sends c* to Alice
  Alice: m ← Dec_{y₁}(c*)

10 Security of (2,2)-threshold encryption
Correctness: Dec_{y₁}(Dec*_{y₂}(Enc_h(m))) = Dec_{y₂}(Dec*_{y₁}(Enc_h(m))) = m
IND-CPA security (against 1 corrupted party): given (h, y_i) (but not y_{3-i}) for i ∈ {1, 2}, Enc_h(m₁) and Enc_h(m₂) should look indistinguishable even if m₁, m₂ are chosen by the adversary
Both straightforward: for the corrupted Alice, h = g^{y₁} · h₂ with h₂ a uniformly random group element, and Enc_h(m) = (c₁ · c₂^{y₁}, c₂) for (c₁, c₂) = Enc_{h₂}(m), so a distinguisher against the threshold scheme is a distinguisher against plain ElGamal under h₂ (symmetrically for Bob)

11 Notation
Threshold encryption: denote [[a]] := Enc_pk(a; r) for (some) random r
Denote operations additively: [[a]] + b = [[a + b]], [[a]] + [[b]] = [[a + b]], c·[[a]] = [[ca]] (b, c public)
Denote [[(a₁, ..., a_n)]] := ([[a₁]], ..., [[a_n]])
Omit sk in Dec_sk(...)
Makes it simpler to comprehend, but hides details, e.g., how r is chosen / blinded

12 Local addition with ElGamal
Known to both: h, c₁ = [[a]], c₂ = [[b]]; Alice holds y₁, Bob holds y₂
Each party locally computes c₃ ← c₁ + c₂ (component-wise product of the two ciphertexts)
c₃ = [[a + b]]; no communication needed

13 Idea: additive sharing
Known to both: [[a]]; Alice holds (pk, sk₁), Bob holds (pk, sk₂)
Alice: a₁ ← ℤp; [[a₂]] ← [[a - a₁]] = [[a]] - a₁; sends [[a₂]] to Bob
Bob: a₂ ← Dec([[a₂]]) (threshold decryption: Alice strips her key share before sending, as in slide 15)
Alice knows random a₁ and Bob knows random a₂ such that a = a₁ + a₂
Nobody by himself/herself knows a

14 Threshold multiplication: idea
Common input: [[a]] and [[b]] (neither party knows a or b)
Alice and Bob secret-share a and b:
  Alice picks random a₁, b₁, sends [[a₂]] ← [[a]] - a₁, [[b₂]] ← [[b]] - b₁ to Bob
  Bob decrypts a₂ (= a - a₁), b₂ (= b - b₁), computes [[a₂b₂]] and sends it to Alice
Alice computes [[ab]] given her shares, [[a]], [[b]], and [[a₂b₂]]:
  [[ab]] = [[(a₁ + a₂)(b₁ + b₂)]] = [[a₂b₂]] + b₁[[a₁ + a₂]] + a₁[[b₁ + b₂]] - [[a₁b₁]]
  (check: a₂b₂ + b₁a₁ + b₁a₂ + a₁b₁ + a₁b₂ - a₁b₁ = ab)
Every term is a ciphertext Alice holds ([[a₂b₂]], [[a]] = [[a₁ + a₂]], [[b]] = [[b₁ + b₂]]) scaled by a value she knows, or a value she knows, so she computes it locally

15 Threshold multiplication with ElGamal
Known to both: h, c₁ = Enc_h(a; r) = (c₁₁, c₁₂), c₂ = Enc_h(b; s) = (c₂₁, c₂₂)
Alice (holds y₁):
  a₁, b₁, r₁, s₁ ← ℤp
  d₁ ← (c₁₁ / c₁₂^{y₁} / g^{a₁}, c₁₂) / Enc_{h₂}(0; r₁)
  d₂ ← (c₂₁ / c₂₂^{y₁} / g^{b₁}, c₂₂) / Enc_{h₂}(0; s₁)
  sends d₁, d₂ to Bob
  Check: d₁ = (g^a h^r, g^r) / (g^{r y₁}, 1) / (g^{a₁}, 1) / (h₂^{r₁}, g^{r₁}) = (g^{a - a₁} h₂^{r - r₁}, g^{r - r₁}) = Enc_{h₂}(a₂; r₂) with r₂ = r - r₁ (the division by Enc_{h₂}(0; r₁) re-randomises d₁ so that it is a fresh encryption under Bob's key h₂)
Bob (holds y₂):
  a₂ ← Dec_{y₂}(d₁), b₂ ← Dec_{y₂}(d₂)
  t ← ℤp, c₃ ← Enc_h(a₂b₂; t); sends c₃ to Alice
Alice:
  u ← ℤp, c* ← c₃ · c₁^{b₁} · c₂^{a₁} / Enc_h(a₁b₁; u)
  c* = Enc_h(a₂b₂ + ab₁ + ba₁ - a₁b₁; t + b₁r + a₁s - u) = [[ab]]
  i.e. [[ab]] = [[a₂b₂]] + b₁[[a₁ + a₂]] + a₁[[b₁ + b₂]] - [[a₁b₁]]

16 Security
Alice only sees [[a]], [[b]], a₁, b₁, and [[a₂b₂]] (message c₃, and her own output c*)
Bob only sees [[a]], [[b]], [[ab]], a₂, b₂ (messages d₁, d₂)
Privacy follows from IND-CPA of ElGamal, and from the randomness of a₂ and b₂: a₂ = a - a₁ and b₂ = b - b₁ for uniformly random a₁, b₁ are uniform and independent of a, b

17 Efficiency
Round complexity: 3 messages (d₁, d₂; c₃; c*)
Communication: 8 group elements
Computation: Alice: 13 exponentiations; Bob: 5 exponentiations + two DLs
DL not efficient since a₂, b₂ are random: lifted ElGamal decryption of d₁ yields g^{a₂}, and because a₂ is uniform over the whole message space, recovering a₂ is a full-size discrete logarithm rather than a search over a small set
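The protocol of slides 14 to 17, as an added worked example in Python (written for this page; it is not the lecturer's code). Assumptions: the group is the order-1019 subgroup of ℤ*₂₀₃₉ with generator 4, a constructed toy parameter set chosen so that Bob's two discrete logarithms can be read off a lookup table, and the function names (`partial_dec`, `threshold_mul`, `demo`, ...) are mine. With a cryptographic-size group the `DL_TABLE` step is exactly what slide 17 flags: a₂ and b₂ are uniform over the whole message space, so Bob cannot finish the lifted-ElGamal decryption cheaply.

```python
# Added example (not the lecture's code): toy (2,2)-threshold lifted ElGamal and the
# three-message threshold multiplication protocol of slides 14-15. Parameters are
# deliberately tiny so that Bob's discrete logarithms of g^{a2}, g^{b2} can be
# brute-forced from a table (constructed values, not a secure parameter set).
import secrets

P = 2039  # safe prime P = 2Q + 1 (constructed toy parameter)
Q = 1019  # prime order of the subgroup; plaintexts and exponents live in Z_Q
G = 4     # 4 = 2^2 is a quadratic residue mod P, hence has order Q


def rand_exp():
    return secrets.randbelow(Q)


def inv(x):
    return pow(x, P - 2, P)


def enc(h, m, r):
    """Lifted ElGamal Enc_h(m; r) = (g^m h^r, g^r): additively homomorphic in m."""
    return (pow(G, m, P) * pow(h, r, P) % P, pow(G, r, P))


def ct_add(c, d):
    """[[a]] + [[b]] = [[a + b]]: component-wise product."""
    return (c[0] * d[0] % P, c[1] * d[1] % P)


def ct_sub(c, d):
    """[[a]] - [[b]] = [[a - b]]: component-wise quotient."""
    return (c[0] * inv(d[0]) % P, c[1] * inv(d[1]) % P)


def ct_scale(c, k):
    """k [[a]] = [[k a]]: component-wise exponentiation by a public scalar."""
    return (pow(c[0], k, P), pow(c[1], k, P))


# g^x -> x for every x in Z_Q: the brute-force DL that is only feasible because Q is tiny
DL_TABLE = {pow(G, x, P): x for x in range(Q)}


def partial_dec(y, c):
    """Dec*_y: remove one key share, leaving an encryption under the other party's key."""
    return (c[0] * inv(pow(c[1], y, P)) % P, c[1])


def dec(y, c):
    """Full decryption with a single key y (h = g^y); recovers m from g^m via the table."""
    return DL_TABLE[partial_dec(y, c)[0]]


def keygen():
    """(2,2)-threshold key: joint public key h = h1 h2, Alice holds y1, Bob holds y2."""
    y1, y2 = rand_exp(), rand_exp()
    h1, h2 = pow(G, y1, P), pow(G, y2, P)
    return y1, y2, h1, h2, h1 * h2 % P


def threshold_dec(y1, y2, c):
    return dec(y1, partial_dec(y2, c))


def threshold_mul(y1, y2, h2, h, c1, c2):
    """Return [[ab]] from c1 = [[a]], c2 = [[b]]. Messages: Alice -> Bob (d1, d2);
    Bob -> Alice c3; Alice's output c*. Both parties' steps run in this one function."""
    # Alice: share a = a1 + a2, b = b1 + b2 and hand Bob Enc_{h2}(a2), Enc_{h2}(b2)
    a1, b1, r1, s1 = rand_exp(), rand_exp(), rand_exp(), rand_exp()
    d1 = ct_sub(partial_dec(y1, c1), (pow(G, a1, P), 1))  # (g^{a-a1} h2^r, g^r)
    d1 = ct_sub(d1, enc(h2, 0, r1))                        # re-randomise with r1
    d2 = ct_sub(partial_dec(y1, c2), (pow(G, b1, P), 1))
    d2 = ct_sub(d2, enc(h2, 0, s1))
    # Bob: decrypt his shares (two DLs of random group elements) and encrypt a2 b2
    a2, b2 = dec(y2, d1), dec(y2, d2)
    c3 = enc(h, a2 * b2 % Q, rand_exp())
    # Alice: [[ab]] = [[a2 b2]] + b1 [[a1 + a2]] + a1 [[b1 + b2]] - [[a1 b1]]
    cstar = ct_add(c3, ct_scale(c1, b1))
    cstar = ct_add(cstar, ct_scale(c2, a1))
    cstar = ct_sub(cstar, enc(h, a1 * b1 % Q, rand_exp()))  # fresh randomness u
    return cstar


def demo(a, b):
    """Encrypt a and b under the joint key, multiply them, threshold-decrypt ab mod Q."""
    y1, y2, h1, h2, h = keygen()
    c1, c2 = enc(h, a, rand_exp()), enc(h, b, rand_exp())
    return threshold_dec(y1, y2, threshold_mul(y1, y2, h2, h, c1, c2))


if __name__ == "__main__":
    print(demo(7, 9))  # 63
```

`threshold_mul` runs both parties in one function only for readability; the three `# Alice` / `# Bob` blocks are the three messages of slide 17, and nothing computed in Bob's block uses `y1`, nothing in Alice's blocks uses `y2`.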

18 Threshold Paillier
Threshold Paillier can be implemented similarly; however, the techniques are more involved
A simple threshold version exists for the "Paillier ElGamal" cryptosystem, proposed by Damgård and Jurik (2003):
  Enc_{pk,s}(m; r) = (g^r mod N, (1 + N)^m h^r mod N^{s+1})
  Public key: h. Secret key: y, such that h = g^y
Threshold Paillier ElGamal will be described in the tutorial

19 Recall: arithmetic circuits
Standard computation model
Inputs are variables or constants (in the example circuit: 2, y, z)
Every node (gate) multiplies or adds its inputs
Output of circuit: top value

20 Recall: arithmetic circuits
Example circuit on inputs 2, y, z (the nodes of the slide's diagram):
  [[2]], [[y]], [[z]]: inputs, encrypted and shared by their owner
  [[2 + z]], [[2y]], [[y + z]]: first layer (one mult gate, 2y)
  [[2 + z + 2y]], [[2y(y + z)]], [[(2 + z)(y + z)]]: second layer (two mult gates)
  [[2 + z + 2y + 2y(y + z)]]: top value
Each addition gate is computed locally
Mult. gates: by using the last protocol; this requires communication / additional rounds
Outputs threshold-decrypted and given to the corresponding parties

21 General 2-party computation
For the example circuit: size 7 (gates), #inputs 3, #mult gates 3 (2y, 2y(y + z), (2 + z)(y + z)), multiplicative depth 2 (2y feeds 2y(y + z))
Computation: Θ(size + #inputs + #outputs)
Communication: Θ(#mult gates)
Rounds: Θ(multiplicative depth), the max number of mult. gates on any input-to-output path
Caveat: the slide encrypts the constant 2 as an input; if it is treated as a public constant, 2·[[y]] = [[2y]] is local (slide 11), which leaves two mult gates and multiplicative depth 1

22 Trick: interpolation
Generalizes linearization
Idea: find the simplest polynomial that agrees with the data

23 Recall: interpolation
Assume we are given (x_i, y_i) for S = (x₁, ..., x_d)
Interpolation: find the minimum-degree polynomial f such that f(x_i) = y_i for all i
In general deg f = d - 1
Lagrange interpolating polynomial: f(x) = Σ_i y_i ℓ_i(x), where ℓ_i(x) = ∏_{j ≠ i} (x - x_j) / (x_i - x_j)
  ℓ_i(x) = 1 for x = x_i, ℓ_i(x) = 0 for x = x_j with j ≠ i

24 More complex protocols
Every function over ℤp can be computed as its interpolating polynomial f(a) = Σ_{0 ≤ i ≤ p-1} c_i a^i
Alice holds (pk, sk₁), Bob holds (pk, sk₂); common input [[a]]
Compute all [[a^i]] by using the mult. protocol ("prefix-sum" protocol, needs Θ(log p) rounds)
[[f₁(a)]] ← Σ_i c_{1i} [[a^i]]; threshold decrypt f₁(a) for Alice
[[f₂(a)]] ← Σ_i c_{2i} [[a^i]]; threshold decrypt f₂(a) for Bob
Bad: up to p ≈ 2^160 multiplication protocols in general

25 Optimisation
Even very simple functions f : ℤp × ℤp → ℤp can have complicated expressions as polynomials
Example: given [[a]], [[b]] compute [[a = b]]: [[1]] if a = b, [[0]] otherwise
Not clear how to compute efficiently

26 Closer to equality test
[[a]], [[b]] → [[a = b]] = [[a - b = 0]]
Interpolation (brute force) approach:
  If a, b ∈ {0, ..., n}: z := a - b ∈ S := {-n, ..., 0, ..., n}
  Define f(z) = 1 if z = 0, f(z) = 0 if z ∈ S but z ≠ 0
  Can compute f by interpolation over the |S| = 2n + 1 points, but f has degree 2n
  Requires computation of [[z]], [[z²]], ..., [[z^{2n}]]
  Costly if n is not small // n = 2^40?

27 Trick: bitwise computation
[[a]], [[b]] → [[a = b]] where a, b ∈ {0, ..., n}
Trick 2 (universal): bitwise sharing
  Share [[a_i]] and [[b_i]] for all bits i
  Results often in much less computation ...but sometimes in more communication
We have seen something similar before (bitwise CPIR)

28 Equality test
{[[a_i]], [[b_i]]}_i → [[a = b]] where a, b ∈ {0, ..., n}
Set [[z_i]] ← [[a_i]] - [[b_i]] // local computation, z_i ∈ {-1, 0, 1}
w = weight(z) := |{i : z_i ≠ 0}| = Σ_i z_i²  (since z_i² ∈ {0, 1})
a = b ⇔ z = 0 ⇔ w = 0
Protocol idea:
  Compute [[w]]; w ∈ {0, ..., log₂ n} --- an exponentially smaller set than {-n, ..., n}
  Interpolate [[f(w)]], f(w) = 1 iff w = 0

29 Equality test
Common input: ∀i: c_i = [[a_i]], d_i = [[b_i]]; Alice holds (pk, sk₁), Bob holds (pk, sk₂)
Both, locally: ∀i: [[z_i]] ← [[a_i - b_i]]
For i ≤ log₂ n: compute [[z_i²]] (threshold multiplication protocol)
Both, locally: [[w]] ← Σ_i [[z_i²]]
Prefix-sum protocol to compute [[w^i]] for i ≤ log₂ n
Let f(0) = 1, f(w) = 0 for w ∈ {1, ..., log₂ n}; interpolate f = Σ_i f_i w^i (public coefficients f_i)
Both, locally: [[a = b]] ← Σ_i f_i [[w^i]]

30 Efficiency
Computation: Θ(log n) exponentiations:
  squarings [[z_i]] → [[z_i²]]
  computation of [[w^i]]
Exponentially more computation-efficient than the trivial protocol of slide 26
Rounds: Θ(log log n) (due to the prefix-sum protocol)
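The interpolation trick of slides 23, 26, 28 and 29 on plaintext values, as an added Python example (not code from the lecture). It assumes a toy field ℤ₁₀₁₉ (any prime larger than the number of interpolation points would do) and function names of my choosing. What the protocol actually needs is the monomial coefficient vector f_i, because [[f(w)]] = Σ_i f_i [[w^i]] is a linear combination of encrypted powers, so the Lagrange basis form is converted into that vector; `bitwise_equality` follows slide 29 (z_i = a_i - b_i, w = Σ z_i², f of degree log₂ n) and `brute_force_equality` the degree-2n approach of slide 26, so the two degrees can be compared directly.

```python
# Added example (not the lecture's code): Lagrange interpolation over a prime field,
# returning monomial coefficients, and the two equality-test polynomials built from it.
Q = 1019  # constructed toy prime; must exceed the number of interpolation points


def poly_mul(p, r):
    """Product of two polynomials given as coefficient lists (lowest degree first)."""
    out = [0] * (len(p) + len(r) - 1)
    for i, pi in enumerate(p):
        for j, rj in enumerate(r):
            out[i + j] = (out[i + j] + pi * rj) % Q
    return out


def interpolate(points):
    """Monomial coefficients f_0..f_{d-1} of the unique polynomial of degree < d = len(points)
    with f(x_i) = y_i over Z_Q, built as f = sum_i y_i * l_i with Lagrange basis
    l_i(x) = prod_{j != i} (x - x_j) / (x_i - x_j)."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                basis = poly_mul(basis, [(-xj) % Q, 1])  # multiply by (x - x_j)
                denom = denom * (xi - xj) % Q
        scale = yi * pow(denom, Q - 2, Q) % Q           # y_i / prod (x_i - x_j)
        for k, bk in enumerate(basis):
            coeffs[k] = (coeffs[k] + scale * bk) % Q
    return coeffs


def eval_poly(coeffs, x):
    """sum_i f_i x^i: on ciphertexts this is the local step sum_i f_i [[x^i]]."""
    return sum(c * pow(x, i, Q) for i, c in enumerate(coeffs)) % Q


def zero_indicator(max_w):
    """f with f(0) = 1 and f(w) = 0 for w in 1..max_w; degree max_w (slide 29)."""
    return interpolate([(w, 1 if w == 0 else 0) for w in range(max_w + 1)])


def bitwise_equality(a, b, nbits):
    """Slide 28/29 on plaintexts: z_i = a_i - b_i, w = sum z_i^2, output f(w)."""
    bits_a = [(a >> i) & 1 for i in range(nbits)]
    bits_b = [(b >> i) & 1 for i in range(nbits)]
    z = [(ai - bi) % Q for ai, bi in zip(bits_a, bits_b)]  # z_i in {-1, 0, 1} mod Q
    w = sum(zi * zi for zi in z) % Q                          # number of differing bits
    return eval_poly(zero_indicator(nbits), w)


def brute_force_equality(a, b, n):
    """Slide 26 on plaintexts: interpolate f over z in {-n..n}; returns (f(a - b), deg f)."""
    z = (a - b) % Q
    f = interpolate([(x % Q, 1 if x == 0 else 0) for x in range(-n, n + 1)])
    return eval_poly(f, z), len(f) - 1


if __name__ == "__main__":
    print(bitwise_equality(5, 6, 4), brute_force_equality(5, 6, 8))
```

For a, b < 2^nbits the bitwise variant needs powers [[w]], ..., [[w^nbits]], while the brute-force variant needs [[z]], ..., [[z^{2n}]] with n = 2^nbits - 1; the returned degrees make that gap visible on a small instance.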

31 Quiz: private IF clause
Non-private: if a = b then z ← z · b else z ← z + a
Private (cannot reveal the information flow):
  [[a = b]] ← EQ([[a]], [[b]])
  [[a ≠ b]] ← 1 - [[a = b]]
  [[z]] ← [[a = b]] · [[z · b]] + [[a ≠ b]] · [[z + a]]
Equality test can be used to implement if clauses "efficiently"
Need to execute both branches, though; each "·" between two encrypted values ([[z]] · [[b]] and the two products with the selector bit) is a threshold multiplication, whereas [[z + a]] and 1 - [[a = b]] are local

32 General 2-party computation
In principle, what we told in this lecture can be used to implement arbitrary 2-party computation on top of threshold Paillier
A lot of small tricks: interpolation, bitwise, ...
Computation much better than with PrivateBDD of the last lecture, but potentially many rounds
Another very active research area

33 Study outcomes
Threshold encryption, threshold ElGamal
Simple threshold multiplication protocol
Trade-off: rounds vs computation
Other protocols (EQ), simple tricks: interpolation, bitwise computation

34 What next?
We defined two-party multi-round protocols: quite computation-efficient
Still: need to use a lot of PK cryptography
Next lecture: multi-party protocols
  in principle no need for PK crypto
  but need to trust that a sizable portion of the participants is honest
  somewhere between the "real" and "ideal" model

35 Tutorial
Will explain the prefix-sum protocol and threshold Paillier ElGamal

