An Efficient and Secure Protocol for Privacy Preserving Set Intersection
|
|
- Karen Pope
- 5 years ago
- Views:
Transcription
1 An Efficient and Secure Protocol for Privacy Preserving Set Intersection Yingpeng Sang 1, Hong Shen 2, Laurence T. Yang 3, Naixue Xiong 1, Yasuo Tan 1 1 School of Information Science, Japan Advanced Institute of Science and Technology Asahidai, Nomi, Ishikawa, Japan, {yingpeng, naixue, ytan}@jaist.ac.jp 2 School of Computer Science, The University of Adelaide SA 5005, Australia hong@cs.adelaide.edu.au 3 Department of Computer Science, St. Francis Xavier University Antigonish, NS, B2G 2W5, Canada lyang@stfx.ca Abstract When datasets are distributed on different sources, finding out their intersection while preserving the privacy of the datasets is a widely required task. In this paper, we address the Privacy Preserving Set Intersection (PPSI) problem, in which each party learns no elements other than the intersection of the N private datasets. We propose an efficient protocol based on a threshold cryptosystem which is additive homomorphic. The protocol is firstly constructed assuming the adversary is semi-honest and controls arbitrary number of parties, then it s extended to resist the malicious behaviors of the adversary. In comparisons with the related work in [7], [11] and [12], our PPSI protocols in the semi-honest and malicious models achieve lower computation and communication costs. Keywords : cryptographic protocol, privacy preservation, distributed datasets, set intersection. 1 Introduction For datasets distributed on different sources, intersection among these sets is always required to gain useful information. For example, supermarkets need find out the same card numbers which have consuming records in all of their databases, and then provide better service for the card owners. For such kind of applications, privacy may be a critical concern of the data owners, so they are reluctant to directly publish their datasets. Specifically, one supermarket doesn t want other supermarkets to know the card numbers in its database except those in the intersection. Therefore, there should be some 1
2 privacy preserving techniques for them to determine the results of set intersection, without the datasets being directly published. In this paper, we address the problem of Privacy Preserving Set Intersection (PPSI), in which there are N (N 2) parties, each party P i (i = 1,..., N) has a set (or multiset) T i and T i = S, all parties want to learn the intersection T I = T 1... T N, without gleaning any information other than those computed from a coalition of parties inputs and outputs. Basically, we solve PPSI by efficiently constructing and evaluating polynomials whose roots are elements of the set intersection. This paper is an extended version of [18]. In [18] we have proposed an efficient PPSI protocol for the semi-honest model, which has lower computation and communication costs than the PPSI protocols in [11] and [7]. In this paper we give formal definitions of PPSI in both the semi-honest and malicious models, improve the PPSI protocol in the semi-honest model to be secure in the malicious model, and prove its security in the malicious model by the definition. A PPSI protocol for the malicious model has also been proposed in [12], but our protocol achieves lower computation and communication costs in comparisons. The remainder of the paper is organized as follows: Section 2 discusses some related work. The problem of PPSI is defined in Section 3. Section 4 lists the basic tools for our protocol. Section 5 and 6 propose the PPSI protocol for the semi-honest and malicious model respectively. In Section 7 we analyze the security of our PPSI protocol. In Section 8 we compare our protocols with the related work considering the computation and communication costs. Section 9 concludes the whole paper. 2 Related Work PPSI is a specific problem belonging to the general Secure Multiparty Computation (SMC) problem. There have been general solutions for the SMC problem ([9], [20]). In general SMC, the function to be computed is represented by a circuit, and every gate of the circuit is privately evaluated. However, when this general solution is used for a specific problem, the large size of the circuit and high cost of evaluating all gates will result in a much less efficient protocol than the non-private protocol for this problem. Therefore, many efficient private protocols for the specific problems have been proposed based on the specific properties of these problems. PPSI can be traced back to the specific problem of private equality test (PET) in two-party case, where each party has a single element and wants to test whether they are equal without publishing the elements. The problem of PET was considered in [1], [4], [14] and [15]. PET solutions can t be simply used for the multi-party cases of PPSI, otherwise too much sensitive information will be leaked, e.g., any two parties will know the intersection of their private sets. A solution for the multi-party case of PPSI was firstly proposed in [7]. The solution is based on evaluating polynomials representing elements in the sets. In [11], another solution for PPSI was proposed, in 2
3 which each polynomial representing each set is multiplied by a random polynomial which has the same degree with the former polynomial. In this paper, to get a solution with lower cost than [7] and [11], we multiply each polynomial representing each set by a random polynomial which has a low enough degree without compromising the security of the solution. We also multiply the randomized polynomials by a nonsingular matrix to improve the correctness of our solution. We will compare our solution for PPSI with [7] and [11] in details in Section 8. The PPSI protocol in the semi-honest model in [11] was fixed to be secure in the malicious model in [12]. We will also extend our PPSI protocol in the semi-honest model to the malicious model, and compare it with the work in [12]. 3 Problem Definition 3.1 Preliminaries Our PPSI problem aims to securely compute the set intersection among N (N 2) parties. Generally speaking there are two types of probabilistic polynomial-time (PPT) bounded adversaries in SMC: semi-honest and malicious. A semi-honest party is assumed to follow the protocol exactly as what is prescribed by the protocol, except that it keeps a record of all its intermediate computations. A malicious party will arbitrarily deviate from the protocol. For some practical applications, we assume that the number of parties that deviate from the protocol is also arbitrary, other than strictly less than half the total number of parties. Then a protocol secure against the malicious adversary should be tolerable to the following behaviors: refusing to participate in the protocol when the protocol is first invoked, arbitrarily substituting its original local input, and aborting the protocol whenever obtaining the desired result. The security in both types of adversaries is argued by the computational indistinguishability of the views in the ideal model and real model ([8, 13]). Suppose an ensemble X = {X n } n N be a sequence of random variables X n for n N, which are ranging over strings of length poly(n). Two ensembles X = {X n } n N and Y = {Y n } n N are computationally indistinguishable, denoted by X c Y, if for every PPT algorithm A, and every c > 0, there exists an integer N such that for all n N, P r[a(x n ) = 1] P r[a(y n ) = 1] < 1 n. P r[a(x) = 1] is the probability that A outputs 1 on input x. c 3.2 Privacy Preserving Set Intersection Suppose all sets held by the parties are subsets of a common set T, firstly we should prevent the dictionary attack, in which an adversary may defraud the honest party of inputs using T. Therefore, we assume that each party holds a set (or multiset) of the same size S and S T, such that given two arbitrarily selected subsets T i and T i, the probability that an input a T i equals any input a T i is 3
4 negligible (i.e., S T 0). Let N (N 2) be the number of parties, each party P i (i = 1,..., N) has a set (or multiset): T i = {T (i, j) j = 1,..., S}. Let T I = T 1... T N. Let f be an N-ary function: f(t 1,..., T N ) = f(t ) = ({0, 1}) S N, with the (i, j)-th element f ij (T ) = 1 if T (i, j) T I, and f ij (T ) = 0 if T (i, j) / T I for i = 1,..., N, j = 1,..., S. Suppose I = {i 1,..., i c } {1,..., N} be the index set of c (1 c N 1) colluded parties controlled by an adversary. Let f i (T ) = {f ij (T ) j = 1,..., S} and f I (T ) = {f i1 (T ),..., f ic (T )}. Below we define the problem of privacy preserving set intersection in the semi-honest model and malicious model respectively. Definition 1 (PPSI in the semi honest model) Let Π be an N-party protocol for computing f. Let V IEWi Π (T ) denote the view of the i-th party on its input, output, randomness and public transcript during an execution of Π. Let V IEWI Π (x) = (I, V IEW Π i 1 (T ),..., V IEWi Π c (T )). Π is said to privately solve the problem of Privacy Preserving Set Intersection with respect to the semi-honest behavior, if there exists a PPT algorithm S, such that {S(I, (T i1,..., T ic ), f I (T ))} c {V IEW Π I (T )} (1) Definition 2 (PPSI in the malicious model) Let Π be an N-party protocol for computing f. Let a pair (I, A), where A is a PPT algorithm, represent an adversary in the real model. The joint execution of Π under (I, A) in the real model, denoted REAL Π,I,A (T ), is defined as the output sequence resulting from the interaction among the N parties in the execution of Π. Let a pair (I, B), where B is a PPT algorithm, represent an adversary in the ideal model, where there is an available trusted third party. The joint execution of f under (I, B) in the ideal model, denoted IDEAL f,i,b (T ), is defined as the output pair of B and the honest parties in the ideal execution. Π is said to securely solve the problem of privacy preserving set intersection in the malicious model, if for every PPT algorithm A (representing a real-model adversary strategy), there exists a PPT algorithm B (representing an ideal-model adversary strategy), such that {IDEAL f,i,b (T )} c {REAL Π,I,A (T )}. (2) It should be pointed out that both definitions of security have implied the correctness of Π. The views of parties in the real execution of Π should be computationally indistinguishable from their views in the ideal model, so it s necessary that the output of Π on T should also be computationally indistinguishable from the output of f on T. 4
5 4 Basic Tools 4.1 Homomorphic Encryption Our protocol is based on an additive Homomorphic Encryption (HE) scheme. Let ε be a probabilistic encryption scheme. Let M be the message space and C the ciphertext space such that M is a group under operation and C is a group under operation. ε is a (, )-HE scheme if for any instance E R ( ) of the encryption scheme, given c 1 = E r1 (m 1 ) and c 2 = E r2 (m 2 ), there exists an r such that c 1 c 2 = E r1 (m 1 ) E r2 (m 2 ) = E r (m 1 m 2 ). ε is additive when it s a (+, ) scheme, and multiplicative when it s a (, ) scheme. The HE scheme in our protocol is also required to support secure (N, N)-threshold decryption. The corresponding secret key is shared by a group of N parties, and the decryption can t be performed by any single party, unless all parties act together. Thus, we can use Paillier s cryptosystem ([16]) for its following properties: 1) it s an additive homomorphic encryption scheme. Given two encryptions E(m 1 ) and E(m 2 ), E(m 1 + m 2 ) = E(m 1 ) E(m 2 ); 2) given an encryption E(m) and a scalar a, E(a m) = E(m) a ; 3) (N, N)-threshold decryption can be supported (by [5],[6]). In this paper, N is the RSA-modulus which is the multiplication of two large prime numbers, and Z N is the plaintext space of Paillier s cryptosystem. 4.2 Calculations on encrypted polynomials In our protocol, we need do some calculations on encrypted polynomials. For a polynomial f(x) = m i=0 a ix i, we use E(f(x)) to denote the sequence of encrypted coefficients {E(a i ) i = 0,..., m}. Given E(f(x)), where E( ) is an additive HE scheme (e.g., Paillier), some computations can be made as follows (which have also been used in [7] and [11]): 1) At a value v, we can evaluate E(f(x)): E(f(v)) = E(a m v m +a m 1 v m a 0 ) = E(a m ) vm E(a m 1 ) vm 1 E(a 0 ). 2) Given E(f(x)), we can compute E(c f(x)) = {E(a m ) c,..., E(a 0 ) c }. 3) Given E(f(x)) and E(g(x)), g(x) = m j=0 b jx j, we can compute E(f(x)+g(x)) = {E(a m )E(b m ),..., E(a 0 )E(b 0 )}. 4) Given f(x) and E(g(x)), we can compute E(f(x) g(x)). Suppose that g(x) = n j=0 b jx j, f(x) g(x) = m+n k=0 c kx k, then E(c k ) = E(a 0 b k + a 1 b k a k b 0 ) = E(b k ) a0 E(b 0 ) a k. a i or b j are treated as zero if i > m or j > n. 4.3 Notations The major notations in this paper are listed in Table 1. 5
6 Notation N P i Table 1: Major Notations in This Paper Definition Total number of parties The i-th party T i S T (i, j) The set or multiset on P i Total number of elements on each party The j-th element on P i, j = 1,..., S c Total number of colluded parties, 1 c N 1 I The index set of c colluded parties, {i 1,..., i c } I f i Z N The index set of honest parties, {1,..., N} \ I The polynomial whose roots are elements in T i. f i = S j=1 (x T (i, j)) The plaintext space of Paillier s cryptosystem 5 Protocol for Privacy Preserving Set Intersection in the semi-honest model 5.1 Main Idea Our protocol for PPSI is based on evaluating randomized polynomials representing the intersection, which is a similar way with [7] and [11], but achieves lower cost. Each P i can compute a polynomial f i to represent its set T i : f i = (x T (i, 1)) (x T (i, S)). Then it randomizes f i to be f i N j=1 r i,j by the help of other parties, in which r i,j is generated by P j, r i,j = a i,j x + b i,j, a i,j and b i,j are uniformly selected from the plaintext space of the threshold HE scheme (for Paillier s scheme, it s Z N ). The N parties get a polynomial vector F = (f 1 N j=1 r 1,j,..., f N N j=1 r N,j) and compute G = F R, in which R is an N N nonsingular matrix whose entries R uv (1 u, v N) are random numbers. The resulting G is another polynomial vector (g 1,..., g N ) as following: N N g 1 = f 1 r 1,j R f N r N,j R N1 j=1 j=1... N N g N = f 1 r 1,j R 1N f N r N,j R NN j=1 j=1 (3) Then, each P i evaluates (g 1,..., g N ) at the element T (i, j). If for k = 1,..., N g k (T (i, j)) = 0, then P i determines T (i, j) T I. The correctness of this determination will be proved in Lemma 1. In the computation of G, to protect the privacy of each f i, f i is encrypted by P i, and the encryption of f i N j=1 r i,j is computed. Then each party P i generates a random matrix R i so that R = N i=1 R i is 6
7 nonsingular but no one knows what R is without publishing all R i. The encryptions of F R 1, F R 1 R 2,..., F R 1 R N are computed respectively on P 1, P 2,..., P N. Finally, the N parties get the encryption of G = F R. After decryption, each P i knows G, but not f i for i i. 5.2 The Protocol Protocol 1: Protocol for Privacy Preserving Set Intersection in the semi-honest model Inputs: There are N (N 2) parties, any of which may be semi-honest. Each party has a private set of S elements, denoted T i. Each party holds the public key and it s own share of the secret key for the threshold Paillier s cryptosystem. Output: Each party P i knows T I = T 1... T N. 1) Computing E(F ): For i = 1,..., N, 1.1) P i computes f i = (x T (i, 1)) (x T (i, S)), encrypts the coefficients to get E(f i ), and sends E(f i ) to all the other N 1 parties. 1.2) on each P j (j i), r i,j is generated as a i,j x + b i,j, in which a i,j and b i,j are uniformly selected from Z N. P j computes E(f i r i,j ) by computation 4) in Section 3.3, and sends it to P i. 1.3) P i also generates r i,i and computes E(f i r i,i ). Then P i computes E(f i N j=1 r i,j) by computation 3) in Section 3.3, and sends it to P 1. In the end, P 1 gets E(F ) in which F = (f 1 N j=1 r 1,j,..., f N N j=1 r N,j). 2) Computing E(G) : For i = 1,..., N, 2.1) P i generates a nonsingular N N matrix R i which is uniformly distributed over Z N ( by the method in [17]). 2.2) P i computes E(F R 1 R i ) according to computation 2) and 3) in Section 3.3, and sends it to P i+1 if i + 1 N. In the end, P N gets E(G) = E(F N i=1 R i) and sends it to all the other parties. 3) Decryption and Evaluation : 3.1) The parties cooperatively decrypt E(G) and gets G = F ( N i=1 R i). Let R = N i=1 R i, and R u,v (1 u, v N) is the (u, v)-th entry of R, G is a polynomial vector (g 1,..., g N ) as described in equation 2) of Section ) Every P i evaluates T (i, j) in G for j = 1,..., S by computation 1) in Section 3.3. If G(T (i, j)) = ( g 1 (T (i, j)),..., g N (T (i, j)) ) = (0,..., 0), the T (i, j) T I; otherwise, T (i, j) / T I. 7
8 We prove the correctness of Protocol 1 in the following lemma: Lemma 1 Protocol 1 is a correct protocol for the PPSI problem. Proof: Protocol 1 determines whether T (i, j) T I by G(T (i, j)). If T (i, j) T I, T (i, j) is a root of all f i for i = 1,..., N, then F (T (i, j)) = (f 1 (T (i, j)) N j=1 r 1,j,..., f N (T (i, j)) N j=1 r N,j) = (0,..., 0), G(T (i, j)) = F (T (i, j))r = (0,..., 0). That is, if the evaluation G(T (i, j)) (0,..., 0), T (i, j) / T I. Then we prove that if G(T (i, j)) = (0,..., 0), overwhelmingly T (i, j) T I. G = F R 1 R N = F ( N i=1 R i) = F R. Because R i for i = 1,..., N are generated to be nonsingular, R = N i=1 R i is also nonsingular. If G(T (i, j)) = (0,..., 0), a linear system F (T (i, j))r = (0,..., 0) can be made, and it has only one solution: F (T (i, j)) = (0,..., 0), i.e.,f l (T (i, j)) N j=1 r l,j(t (i, j)) = 0 for l = 1,..., N. The coefficients of r l,j are uniformly selected from Z N. Suppose N j=1 r l,j = a l x + b l, a l and b l are also uniformly distributed over Z N. The probability that any T (i, j) Z N is a root of a l x + b l is 1/N. If T (i, j), l {1,..., N}, f l (T (i, j)) N j=1 r l,j(t (i, j)) = 0, because f l (T (i, j)) must be 0 when l = i, so the probability that l (l i) f l (T (i, j)) = 0 is p = (1 1/N ) N 1. N is the number of parties and practically N N. When N is large enough, p 1, then overwhelmingly T (i, j) is a root of all f l and T (i, j) T I. 6 Protocol for Privacy Preserving Set Intersection in the malicious model 6.1 Zero-Knowledge Proofs Efficiently we can construct the following proofs based on proofs of knowledge on statements about discrete logarithms ([2, 10]), the completeness and soundness of which have been argued respectively in the related work. Our constructions compose the basic proofs using AN D ( ) operations, the closure of which is also argued in [3]. These proofs are used in our protocol for the malicious model. 1) Proof of knowing the plaintexts of the encrypted coefficients, P K{f : E(f)}. E(f) are encrypted coefficients of the polynomial f. This is from the proof of knowing a plaintext in [2]. 2) Proof of correct polynomials multiplication, P K{r : M = E(f r) E(f) E(r)}. f r is the multiplication of polynomials f and r. This is from the proof of correct multiplications in [2]. 3) Proof of the nonsingularity of an encrypted matrix, P K{R : D E(0) D = E(det(R)) R = E(R)}. R is an N N matrix, E(R) are the encrypted entries of R, det(r) is the determinant of R. This is from the proof of correct multiplications in [2] and private equality test in [10]. 4) Proof of correct matrix multiplication, P K{R : G = E(F R) F = E(F ) R = E(R)}. F = (f 1,..., f N ) is a vector of polynomials in which the i-th entry is a polynomial f i for i = 1,..., N. 8
9 R is an N N matrix, and E(R) are the encrypted entries of R. This is also from the proof of correct multiplications in [2]. 6.2 Protocols for the Malicious Model We assume the adversary controls arbitrary number of parties, i.e., suppose the number is c, then 1 c N 1. We improve Protocol 1 to be Protocol 2, preventing the following malicious behaviors of the adversary by the zero-knowledge proofs in Section 6.1: 1) arbitrarily sending to others an encrypted polynomial without knowing its coefficients, e.g., just sending to others the encrypted polynomial received from other parties. Therefore, each party P i should prove that he knows the coefficients of the polynomial he encrypts or multiplies, with the proof 1) and 2) of Section ) encrypting a polynomial whose coefficients are all zeros, then in equation 2) the malicious adversary will know the intersection of all honest parties. In Protocol 2, the honest parties can reset the leading coefficient of polynomials received from others to be E(1), and then g k for k = 1,..., N can still hide the polynomials of the honest parties. 3) generating a singular matrix R i, then if G(T (i, j)) = (0,..., 0), it s unnecessary that all f l (T (i, j)) = 0 for l = 1,..., N. Therefore, each party P i should prove that R i it generates is nonsingular with the proof 3) of Section ) doing multiplication with a matrix R i other than the committed matrix R i. Each party should prove that he does correct matrix multiplication with the matrix R i it has committed, with the proof 4) of Section 6.1. Under these zero-knowledge proofs, each party should either behave in a semi-honest manner or being detected as cheating. Protocol 2: Protocol for Privacy Preserving Set Intersection in the malicious model Inputs: There are N (N 2) parties, any of which may be malicious. Each party has a private set of S elements, denoted T i. Each party holds the public key and it s own share of the secret key for the threshold HE cryptosystem. Output: Each party P i knows T I = T 1... T N. Steps: 1) Computing E(F ): For i = 1,..., N, 9
10 1.1) P i computes f i = (x T (i, 1)) (x T (i, S)), encrypts the coefficients to get E(f i ), and sends E(f i ) to all the other parties with the proof of knowing the plaintexts of the encrypted coefficients, P K{f i : E(f i )}, excluding the leading coefficient. 1.2) For j = 1,..., N, each P j sets the leading coefficient of E(f i ) to be E(1), generates a random polynomial r i,j. P j computes M i,j = E(f i r i,j ), P i,j = E(r i,j ), and sends them to all the other partes, with the proof of correct polynomials multiplication P K{r i,j : M i,j = E(f i r i,j ) E(f i ) P i,j = E(r i,j )}. 1.3) All P j for j = 1,..., N compute E(f i N j=1 r i,j). In the end, all P i for i = 1,..., N get E(F ) in which F = (f 1 N j=1 r 1,j,..., f N N j=1 r N,j). 2) Computing E(G) : For i = 1,..., N, 2.1) P i generates a random nonsingular N N matrix R i, and sends R i = E(R i ) and D i = E(det(R i )) to all the other parties, with the proof of the nonsingularity of the encrypted matrix P K{R i : D i E(0) D i = E(det(R i )) R i = E(R i )}. 2.2) P i computes G i = E(F R 1 R i ), and sends it to all the other parties, with the proof of correct matrix multiplication P K{R i : G i = E(F R 1 R i ) G i 1 = E(F R 1 R i 1 ) R i = E(R i )}. In the end, all P i for i = 1,..., N get E(G) = E(F N i=1 R i). 3) Decryption and Evaluation : 3.1) All parties cooperatively decrypt E(G). 3.2) Every P i evaluates T (i, j) in G for j = 1,..., S. If G(T (i, j)) = (0,..., 0), the T (i, j) T I; otherwise, T (i, j) / T I. 7 Security Analysis 7.1 Security Analysis on Protocol The Inferred Information by the Definition of PPSI Suppose there are c colluded parties P I, I = {i 1,..., i c }. It s unavoidable for P I to combine their inputs and outputs to infer information. However, by the definition of PPSI in Section 1, they should know no more information than T I in each T i, i I, I = {1,..., N} \ I. That is, 1) On P i P I, if T (i, j) T I, they know each T i has T (i, j). 2) On P i P I, if T (i, j) / T I, they don t know whether T (i, j) T i for i I. 10
11 7.1.2 The Inferred Information after Participating in Protocol 1 In Protocol 1, each P i gets G = (g 1,..., g N ), so P I may infer the roots of f i for i I by analyzing the coefficients in G. By the following lemma, we prove that G resists such kind of analysis. Lemma 2 In Protocol 1, any P i in the coalition of c (1 c N 1) semi-honest parties (P I ) can know no more elements than T I in any T i for i I. Proof: Due to the security of the threshold HE cryptosystem, P I can t know any information on the plaintexts of the encryptions unless they are decrypted. We use P i to denote any party in P I. P i gets only the decryption of E(G). If G(T (i, j)) = (0,..., 0), by Lemma 1, P i knows T (i, j) is a root for all f l (l = 1,..., N) and each T i has T (i, j). This accords with the case 1) in Section ) We firstly prove that, if G(T (i, j)) (0,..., 0), P i doesn t know whether T (i, j) T i for i I, that is, whether T (i, j) is a root of any f i. From the view of P i, G = F ( i I R i i I R i ), i I R i is generated by P I, and i I R i is generated by P I. P i doesn t know i I R i, thus if G(T (i, j)) (0,..., 0), P i can t compute F (T (i, j)). Then P i can t know any f i (T (i, j)) and whether T (i, j) T i for i I. This accords with the case 2) in Section ) P i may also analyze the coefficients of a single g l (l = 1,..., N). g l = f T I (F I + F I ), in which f T I is the polynomial whose roots are T I, F I = i I (f i/f T I N j=1 r i,jr il ), and F I = i I (f i /f T I N j=1 r i,jr i l). We should also prove that P i can t know F I, otherwise he will know i I T i by factoring F I. From the view of P i, in F I, i I, N j=1 r i,jr il can be supposed as b i,1 x + b i,0, in which b i,1 and b i,0 are random numbers. Given f i /f T I = S T I k=0 a i,k x k, suppose f i /f T I N j=1 r i,jr il = S T I +1 k=0 c i,k x k, then c i,k = a i,k b i,0 + a i,k 1 b i,1. Suppose F I = S T I +1 k=0 e k x k, then e k = i I c i,k. Suppose F I = S T I +1 k=0 e k xk, then the k-th coefficient of F I + F I : e k = e k + e k = i I (a i,kb i,0 + a i,k 1 b i,1 ) + e k. P i knows all e k from g l/f T I, and all a i,k from f i /f T I, but doesn t know all b i,1, b i,0, and e k. Thus from e k = i I (a i,kb i,0 + a i,k 1 b i,1 ) + e k, P i gets a set of S T I + 2 linear equations with 2c+S T I +2 unknowns. For 1 c N 1, P i can t compute the solutions for these unknowns. Therefore, P i can t know e k for k = 0,..., S T I + 1, and can t know any root of F I. In each g l (l = 1,..., N), P i can t know F I, which makes P i fail to know any f i /f T I in F I. In sum, in Protocol 1, P i P I can know no more roots than T I in any T i for i I. Theorem 1 Protocol 1 is a secure protocol Π in Definition 1, which privately solves the PPSI problem with respect to the semi-honest behaviors of arbitrary number of parties. 11
12 The proof of this theorem is postponed in the Appendix A. 7.2 Security Analysis on Protocol 2 Theorem 2 Assuming the threshold Paillier encryption is semantically secure and the zero-knowledge proofs in Protocol 2 can t be forged, Protocol 2 is a secure protocol Π in Definition 2, which securely solves the problem of PPSI when the number of malicious parties is arbitrary. This theorem can be proved following the ideal-vs.-real emulation paradigm. The detailed proof is postponed to the Appendix A. 8 Comparisons with Related Work 8.1 Comparisons for Protocol 1 Complexity of Protocol 1 : 1) Computation Cost: Each Paillier s encryption and decryption requires a cost of 2lgN modular multiplications (mod N 2 ). Each exponentiation has the same cost with the encryption. We compare our protocol with other related work regarding their computation cost on encryptions and multiplications of ciphertexts, and consider modular multiplication (mod N 2 ) as a basic computation. Thus, for each party in Protocol 1, the total encryptions are (S + 2)(N 1) 2 2, and the total multiplications of ciphertexts are (S + 2)(N 2 + 2N 3). Then the total computation cost for each party is 2((S + 2)(N 1) 2 2)lgN + (S + 2)(N 2 + 2N 3) modular multiplications. 2) Communication Cost: The length of each encryption is 2lgN. Then in Protocol 1, the total communication cost among all parties is 2N(N 1)(4S + 5)lgN bits. Speeding up techniques can be employed in Protocol 1. If all parties ensure that there is a coalition of c (1 c N 1) semi-honest parties, in Step 1) of Protocol 1 each E(f i ) can be randomized as E(f i c+1 j=1 r i,j) by sending E(f i ) to any c parties, instead of all the other N 1 parties. In Step 2) E(G) can be computed as E(F c+1 i=1 R i). What s more, in Step 1) the iterations i = 1,..., N can be made in parallel. Then the computation cost is 2(c(S + 2)(N 1) 2)lgN + c(s + 2)(N + 3) modular multiplications. The communication cost is 2cN(4S + 5)lgN bits. Kissner s Protocol : In Kissner s protocol for PPSI ([11]), a single polynomial F = N l=1 f l N k=1 r l,k is constructed and evaluated on each T (i, j). f l is a polynomial representing elements on P l, r l,k is a polynomial uniformly selected by P k and has the same degree with f l. In this protocol, it s easy 12
13 to see that T (i, j) T I is a sufficient condition for the evaluation F (T (i, j)) = 0, but F (T (i, j)) = 0 is not a sufficient condition for l {1,..., N} f l (T (i, j)) N k=1 r l,k(t (i, j)) = 0. In Lemma 1 we have proved that if l {1,..., N} f l (T (i, j)) N k=1 r l,k(t (i, j)) = 0, the probability that T (i, j) T I is (1 1/N ) N 1. Therefore, in Kissner s protocol, if F (T (i, j)) = 0, the probability that T (i, j) T I is less than the probability achieved by our Protocol 1. The major cost of this protocol is on computing the encrypted F. cryptosystem. shown in Table 2. It s also based on Paillier s The computation cost for each party and communication cost among all parties are Freedman s Protocol : In Freedman s protocol for PPSI ([7]), each party P i (i = 1,..., N 1) sends the encrypted polynomial f i representing its elements to P N. P N evaluates its elements T (N, j) for j = 1,..., S on all these polynomials, randomizes the evaluations and sends them to all the other parties. These parties decrypt and combine the evaluations to determine whether T (i, j) T I. In this protocol each party also generates a random matrix, but the matrices are used in a different way from our Protocol 1 for they aren t full rank and not for multiplications. The XOR of each row of the matrices is required to be zero, and they are used to randomize the decryptions on each party. The major cost of this protocol is on the evaluations of encrypted polynomials at all elements of P N. The protocol is also based on Paillier s cryptosystem. The average computation cost for each party and communication cost among all parties are shown in Table 2. In [7] only the protocol for the semi-honest model is given. Comparisons of 3 protocols : From Table 2, the computation costs of Protocol 1, protocol in [11] and [7] are respectively O(cSNlgN ), O(cS 2 lgn ), O(S(S + N)lgN ). Practically the size of a set, S, may be much larger than the number of parties, N. Then it s easy to see that Protocol 1 is more efficient in computation than [11] and [7], and more efficient in communication than [11]. For a quantitative analysis, we conservatively set S = 20, N = 5, and set c = 3, lgn = 1024, then Protocol 1 saves 81% and 63% computation costs, 17% and 20% communication costs in comparison with [11] and [7]. We also notice that if c = 4, i.e., all of the N parties are semi-honest, then the communication cost in Protocol 1 will increase by 6% in comparison with [7]. Thus Protocol 1 can utilize the knowledge on honest relationships among some of the N parties to reduce the communication cost. Table 2: Comparisons of solutions for the PPSI problem in the semi-honest model Computation Cost Communication Cost Security Model Our Protocol 1 2(c(S + 2)(N 1) 2)lgN + c(s + 2)(N + 3) 2cN(4S + 5)lgN Semi-honest Protocol in [11] 2(c(S + 1) 2 + 5S + 3)lgN + c(s 2 + 4S + 2) 2cN(5S + 2)lgN Semi-honest Protocol in [7] ((S + 1)(S + 2) + 3S(N 1) 1)2lgN + S(S + 1) 10S(N 1) 2 lgn Semi-honest 13
14 8.2 Comparisons for Protocol 2 The complexity of Protocol 2 is determined by the complexity of Protocol 1, and a linear combination of the complexity of the zero-knowledge proofs in Section 6.1. The proofs in Section 6.1 are based on the basic blocks, such as proof of knowing the plaintext, proof of correct multiplication, and private equality test, all of which have a computation cost of O(lgN ) modular multiplications, and a communication cost of O(lgN ) bits, according to [2] and [10]. Thus Protocol 2 keeps the same level of complexity as Protocol 1, that is, it has a computation cost of O(cSNlgN ) modular multiplications, and a communication cost of O(cSNlgN ) bits. In [12] the PPSI protocol for the semi-honest model is also extended to the malicious model. The computation cost of that protocol is O(cS 2 lgn ) modular multiplications, and the communication cost is O(cSNlgN ) bits. In the following Table 3, we list the costs of the two protocols. In practical applications, the size of a set S can be much larger than the number of parties N, so our Protocol 2 can be faster than the protocol in [12]. Table 3: Comparisons of solutions for the PPSI problem in the malicious model Computation Cost Communication Cost Security Model Our Protocol 2 O(cSN lgn ) O(cSN lgn ) Malicious Protocol in [12] O(cS 2 lgn ) O(cSNlgN ) Malicious 9 Concluding Remarks We address the problem of Privacy Preserving Set Intersection (PPSI) among N parties. The problem is solved by constructing polynomials representing elements in the set intersection, and evaluating the polynomials to determine whether an element is in the set intersection, without publishing the datasets on each party. Our protocol is firstly constructed and the security is analyzed assuming there is a coalition of arbitrary c (1 c N 1) semi-honest parties. Then the protocol is extended by some zero-knowledge proofs and the security is also analyzed assuming there is a coalition of arbitrary number of malicious parties. In comparison with related work in [11], [7] and [12], our protocol has less computation and communication costs in both models. In the future, we will utilize our protocol to protect the privacy in some practical problems, e.g., internet congestion control ([19]). 14
15 Acknowledgment This research is conducted as a program for the Fostering Talent in Emergent Research Fields in Special Coordination Funds for Promoting Science and Technology by Ministry of Education, Culture, Sports, Science and Technology, Japan. References [1] F. Boudot, B. Schoenmakers and J. Traor e, A Fair and Efficient Solution to the Socialist Millionaires Problem, in Discrete Applied Mathematics, 111(1-2), pp , [2] R. Cramer, I. Damgard, and J. Nielsen, Multiparty Computation from Threshold Homomorphic Encryption, in Advances in Cryptology - EUROCRYPT 2001, LNCS, Springer, vol. 2045, pp , [3] A. D. Santis, G. D. Crescenzo, G. Persiano, and M. Yung. On Monotone Formula Closure of SZK. in Proc. of the 35th Annual Symposium on Foundations of Computer Science, pp , IEEE Computer Society, [4] R. Fagin, M. Naor, and P. Winkler, Comparing Information without Leaking It, in Communications of the ACM, 39(5): 77-85, [5] P. Fouque, G. Poupard and J. Stern, Sharing Decryption in the Context of Voting or Lotteries, in Proc. of the 4th International Conference on Financial Cryptography, pp , [6] P. Fouque and D. Pointcheval, Threshold Cryptosystems Secure against Chosen-ciphertext Attacks, in Proc. of Asiacrypt 2001, pp , [7] M. Freedman, K. Nissim and B. Pinkas, Efficient Private Matching and Set Intersection, in Proc. of Eurocrypt 04, LNCS, Springer, vol. 3027, pp. 1-19, [8] O. Goldreich, Foundations of Cryptography: Volume 2, Basic Applications, Cambridge University Press, [9] O. Goldreich, S. Micali, and A. Wigderson, How to Play Any Mental Game, in Proc. of 19th STOC, pp , [10] M. Jakobsson and A. Juels, Mix and Match: Secure Function Evaluation via Ciphertexts, in ASIACRYPT 2000, pp , [11] L. Kissner and D. Song, Privacy-Preserving Set Operations, in Advances in Cryptology - CRYPTO 2005, LNCS, Springer, vol.3621, pp ,
16 [12] L. Kissner and D. Song, Privacy-Preserving Set Operations, in Technical Report CMU-CS , Carnegie Mellon University, June [13] Y. Lindell. Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation. in Journal of Cryptology, 16(3): pp , [14] H. Lipmaa, Verifiable Homomorphic Oblivious Transfer and Private Equality Test, in Advances in Cryptography ASIACRYPT 2003, pp , [15] M. Naor and B. Pinkas, Oblivious Transfer and Polynomial Evaluation, in Proc. of the 31st Annual ACM Symposium on Theory of Computing, pp , [16] P. Paillier, Public-key Cryptosystems based on Composite Degree Residuosity Classes, in Proc. of EUROCRYPT 1999, pp , [17] D. Randall, Efficient Generation of Random Nonsingular Matrices, in Random Structures and Algorithms, vol. 4(1), pp , [18] Y. Sang, H. Shen, Y. Tan and N. Xiong, Efficient Protocols for Privacy Preserving Matching Against Distributed Datasets, accepted by the 8th International Conference on Information and Communications Security (ICICS 06), LNCS, [19] N. Xiong, X. Defago, X. Jia, Y. Yang, and Y. He, Design and Analysis of a Self-tuning Proportional and Integral Controller for Active Queue Management Routers to support TCP Flows, in Proc. of IEEE INFOCOM, [20] A.C. Yao, Protocols for Secure Computations, in Proc. of the 23rd Annual IEEE Symposium on Foundations of Computer Science, pp , A Proofs of Theorems Theorem 1: Protocol 1 is a secure protocol Π in Definition 1, which privately solves the PPSI problem with respect to the semi-honest behaviors of arbitrary number of parties. Proof: Protocol 1 provides a Π to compute f. Given any coalition of c (c N 1) semi-honest parties indexed by I = {i 1,..., i c }, by Definition 1 in Section 3.2, we have to show that there exists a PPT algorithm S such that S(I, (T i1,..., T ic ), f I (T )) and V IEWI Π (T ) are computationally indistinguishable. V IEWI Π(T ) = {V 1, V 2, V 3, V 4 }: 1) V 1 is I = {i 1,..., i c }. 2)V 2 are T i1,..., T ic. 3)V 3 are E(G) and the intermediate encryptions received by P I. 4)V 4 are G(T (i t, j)) for any i t I. With these views, the coalition can do the following two types of analysis: 16
17 1) Cryptanalysis on (V 1, V 2, V 3 ): Due to the semantic security of the threshold HE cryptosystem, P i can t gain extra information from the encryptions in V 3. That is, supposing V 3 has s encryptions, with only negligible probability, P i can distinguish V 3 and ER 1 = (E(r 1 ),..., E(r s )) by randomly choosing R 1 = (r 1,..., r s ) over the plaintext space of the HE scheme. Thus, (V 1, V 2, V 3 ) c (V 1, V 2, R 1, ER 1 ). 2) Roots analysis on (V 1, V 2, V 4 ): From Lemma 2, P I can t know roots other than T I in any f i for i I. Thus, V 4 = (A, T I). A = {a it,j i t {i 1,..., i c }, j = 1,..., S} in which a it,j = 1 if G(T (i t, j)) = (0,..., 0), and a it,j = 0 otherwise. In sum, V IEW Π I (T ) c (V 1, V 2, R 1, ER 1, A, T I). f I (T ) = (A, T I) by the analysis in Section Let R 1 = {r i i = 1,..., s} are randomly chosen by P I, and ER 1 are the encryptions of the sequence in R 1, then S(I, (T i 1,..., T ic ), f I (T )) c (I, (T i1,..., T ic ), A, T I, R 1, ER 1) c (V 1, V 2, A, T I, R 1, ER 1 ) c V IEWI Π (T ). Then Protocol 1 privately computes PPSI against the coalition of any c (c N 1) semi-honest parties. Theorem 2: Assuming the threshold Paillier encryption is semantically secure and the zero-knowledge proofs in Protocol 2 can t be forged, Protocol 2 is a secure protocol Π in Definition 2, which securely solves the problem of PPSI when the number of malicious parties is arbitrary. Proof: Suppose A and B are respectively adversarial strategies in the real and ideal model, and they control the same set of parties P I (1 I N 1) during the executions. Protocol 2 actually provides a Π to compute the function f as defined in Section 3. We need to prove that the views of A and B are computationally indistinguishable, in order to prove the the joint executions {IDEAL f,i,b (T )} c {REAL Π,I,A (T )}. Firstly we analyze the view of A. In the real execution of Protocol 2, A can t know the plaintexts of encryptions received from the honest parties, can t extract information other than the statements in the zero-knowledge proofs in Step 1.1), 1.2), 2.1), 2.2), and can t convince the honest parties on any false statement. In Step 1.2), A can t commit zero polynomials so that in Step 3.1), k {1,..., N}, g k won t become l I f l N j=1 r l,jr l,k (I is the set of honest parties), otherwise A will know the intersection of i I P i. By Lemma 2, A can t know more elements than T I on P i (i I ). Secondly we analyze the view of B. In the ideal model, the honest parties (denoted by P I ) and malicious parties controlled by B compute f by the help of the trusted third party (TTP). B can be constructed using A as a subroutine as following: 1) Computing F : 1.1) B invokes A. A intentionally generates f j for each party P j in it, and sends E(f j ) to B. B sets the leading coefficient of E(f j ) to be E(1), and emulates the proof P K{f j : E(f j )} to 17
18 check whether a verifier will be convinced that P j knows the plaintexts of each coefficient in E(f j ) excluding the leading coefficient. If the verifier would be convinced, B sends f j to the TTP, otherwise he aborts. For the honest parties in P I, they send their polynomials directly to the TTP. 1.2) The TTP encrypts all f i for i = 1,..., N and sends them to the honest parties and B. B invokes A again. B forwards all E(f i ) to A. For i = 1,..., N, A generates a random polynomial r i,j for each party P j in it, computes M i,j = E(f i r i,j ), P i,j = E(r i,j ), and sends them to B. B checks whether a verifier will be convinced that the polynomials multiplication is correct by emulating the proof P K{r i,j : M i,j = E(f i r i,j ) E(f i ) P i,j = E(r i,j )}. If the verifier would be convinced, B sends all f i r i,j to the TTP, otherwise he aborts. For the honest parties P j in P I, they generate a random polynomial r i,j for i = 1,..., N and send all f i r i,j directly to the TTP. 1.3) The TTP computes F = (f 1 N j=1 r 1,j,..., f N N j=1 r N,j). 2) Computing G : The TTP sets R 0 to be an N N identity matrix. For j = 1,..., N, the TTP computes G j = F R 0 R j 1, and sends E(G j ) to P j. 2.1) If P j is in B, B invokes A. A generates a random nonsingular N N matrix R j for each P j, and sends R i = E(R j ) and D j = E(det(R j )) to B. B checks whether a verifier will be convinced that R j is nonsingular by emulating the proof of P K{R j : D j E(0) D j = E(det(R j )) R j = E(R j )}. Then A computes G j+1 = E(F R 0 R j ), and sends it to B. B checks whether a verifier will be convinced that the matrix multiplication is correct by emulating the proof P K{R j : G j+1 = E(F R 0 R j ) G j = E(F R 0 R j 1 ) R j = E(R j )}. If the verifier would be convinced by both proofs, B sends R j to the TTP, otherwise he aborts. 2.2) If P j is an honest party, he generates a nonsingular matrix R j and send it directly to the TTP. 3) Evaluation : 3.1) The TTP gets G = F R 0 R N and sends it to all parties. 3.2) Every P i evaluates T (i, j) in G for j = 1,..., S. If G(T (i, j)) = (0,..., 0), the T (i, j) T I; otherwise, T (i, j) / T I. According to the above procedure, in assumption of the Paillier encryption is semantically secure and the zero knowledge proofs can t be forged, the view of B is computationally indistinguishable from the view of A, so the joint executions {IDEAL f,i,b (T )} c {REAL Π,I,A (T )}. 18
Privacy Preserving Set Intersection Protocol Secure Against Malicious Behaviors
Privacy Preserving Set Intersection Protocol Secure Against Malicious Behaviors Yingpeng Sang, Hong Shen School of Computer Science The University of Adelaide Adelaide, South Australia, 5005, Australia
More informationAn Efficient and Secure Protocol for Privacy Preserving Set Intersection
An Efficient and Secure Protocol for Privacy Preserving Set Intersection PhD Candidate: Yingpeng Sang Advisor: Associate Professor Yasuo Tan School of Information Science Japan Advanced Institute of Science
More informationEfficient Protocols for Privacy Preserving Matching Against Distributed Datasets
Efficient Protocols for Privacy Preserving Matching Against Distributed Datasets Yingpeng Sang 1, Hong Shen 2,YasuoTan 1, and Naixue Xiong 1 1 School of Information Science, Japan Advanced Institute of
More informationPrivacy Preserving Set Intersection Based on Bilinear Groups
Privacy Preserving Set Intersection Based on Bilinear Groups Yingpeng Sang Hong Shen School of Computer Science The University of Adelaide, Adelaide, South Australia 5005, Australia, Email: {yingpeng.sang,
More informationANALYSIS OF PRIVACY-PRESERVING ELEMENT REDUCTION OF A MULTISET
J. Korean Math. Soc. 46 (2009), No. 1, pp. 59 69 ANALYSIS OF PRIVACY-PRESERVING ELEMENT REDUCTION OF A MULTISET Jae Hong Seo, HyoJin Yoon, Seongan Lim, Jung Hee Cheon, and Dowon Hong Abstract. The element
More informationAn Unconditionally Secure Protocol for Multi-Party Set Intersection
An Unconditionally Secure Protocol for Multi-Party Set Intersection Ronghua Li 1,2 and Chuankun Wu 1 1 State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences,
More informationPrivacy Preserving Multiset Union with ElGamal Encryption
Privacy Preserving Multiset Union with ElGamal Encryption Jeongdae Hong 1, Jung Woo Kim 1, and Jihye Kim 2 and Kunsoo Park 1, and Jung Hee Cheon 3 1 School of Computer Science and Engineering, Seoul National
More informationMultiparty Computation
Multiparty Computation Principle There is a (randomized) function f : ({0, 1} l ) n ({0, 1} l ) n. There are n parties, P 1,...,P n. Some of them may be adversarial. Two forms of adversarial behaviour:
More informationLecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension
CS 294 Secure Computation February 16 and 18, 2016 Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension Instructor: Sanjam Garg Scribe: Alex Irpan 1 Overview Garbled circuits
More informationLectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols
CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation
More informationLecture 14: Secure Multiparty Computation
600.641 Special Topics in Theoretical Cryptography 3/20/2007 Lecture 14: Secure Multiparty Computation Instructor: Susan Hohenberger Scribe: Adam McKibben 1 Overview Suppose a group of people want to determine
More informationA Fair and Efficient Solution to the Socialist Millionaires Problem
In Discrete Applied Mathematics, 111 (2001) 23 36. (Special issue on coding and cryptology) A Fair and Efficient Solution to the Socialist Millionaires Problem Fabrice Boudot a Berry Schoenmakers b Jacques
More informationBenny Pinkas Bar Ilan University
Winter School on Bar-Ilan University, Israel 30/1/2011-1/2/2011 Bar-Ilan University Benny Pinkas Bar Ilan University 1 Extending OT [IKNP] Is fully simulatable Depends on a non-standard security assumption
More informationParallel Coin-Tossing and Constant-Round Secure Two-Party Computation
Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Yehuda Lindell Dept. of Computer Science and Applied Math. The Weizmann Institute of Science Rehovot 76100, Israel. lindell@wisdom.weizmann.ac.il
More informationSingle Database Private Information Retrieval with Logarithmic Communication
Single Database Private Information Retrieval with Logarithmic Communication Yan-Cheng Chang Harvard University ycchang@eecs.harvard.edu February 10, 2004 Abstract In this paper, we study the problem of
More informationMulti-Party Computation with Conversion of Secret Sharing
Multi-Party Computation with Conversion of Secret Sharing Josef Pieprzyk joint work with Hossein Ghodosi and Ron Steinfeld NTU, Singapore, September 2011 1/ 33 Road Map Introduction Background Our Contribution
More informationThesis Proposal: Privacy Preserving Distributed Information Sharing
Thesis Proposal: Privacy Preserving Distributed Information Sharing Lea Kissner leak@cs.cmu.edu July 5, 2005 1 1 Introduction In many important applications, a collection of mutually distrustful parties
More informationEfficient Secure Auction Protocols Based on the Boneh-Goh-Nissim Encryption
Efficient Secure Auction Protocols Based on the Boneh-Goh-Nissim Encryption Takuho Mistunaga 1, Yoshifumi Manabe 2, Tatsuaki Okamoto 3 1 Graduate School of Informatics, Kyoto University, Sakyo-ku Kyoto
More informationSELECTED APPLICATION OF THE CHINESE REMAINDER THEOREM IN MULTIPARTY COMPUTATION
Journal of Applied Mathematics and Computational Mechanics 2016, 15(1), 39-47 www.amcm.pcz.pl p-issn 2299-9965 DOI: 10.17512/jamcm.2016.1.04 e-issn 2353-0588 SELECTED APPLICATION OF THE CHINESE REMAINDER
More informationSealed-bid Auctions with Efficient Bids
Sealed-bid Auctions with Efficient Bids Toru Nakanishi, Daisuke Yamamoto, and Yuji Sugiyama Department of Communication Network Engineering, Faculty of Engineering, Okayama University 3-1-1 Tsushima-naka,
More informationLecture Notes 20: Zero-Knowledge Proofs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties
More informationExtracting Witnesses from Proofs of Knowledge in the Random Oracle Model
Extracting Witnesses from Proofs of Knowledge in the Random Oracle Model Jens Groth Cryptomathic and BRICS, Aarhus University Abstract We prove that a 3-move interactive proof system with the special soundness
More informationHonest-Verifier Private Disjointness Testing without Random Oracles
Honest-Verifier Private Disjointness Testing without Random Oracles Susan Hohenberger and Stephen A. Weis Massachusetts Institute of Technology Cambridge, MA, USA {srhohen,sweis}@mit.edu Abstract. We present
More informationHow many rounds can Random Selection handle?
How many rounds can Random Selection handle? Shengyu Zhang Abstract The construction of zero-knowledge proofs can be greatly simplified if the protocol is only required be secure against the honest verifier.
More informationGeneration of Shared RSA Keys by Two Parties
Generation of Shared RSA Keys by Two Parties Guillaume Poupard and Jacques Stern École Normale Supérieure, Laboratoire d informatique 45 rue d Ulm, F-75230 Paris Cedex 05, France email: {Guillaume.Poupard,Jacques.Stern}@ens.fr
More informationCryptanalysis of Threshold-Multisignature Schemes
Cryptanalysis of Threshold-Multisignature Schemes Lifeng Guo Institute of Systems Science, Academy of Mathematics and System Sciences, Chinese Academy of Sciences, Beijing 100080, P.R. China E-mail address:
More informationShort Exponent Diffie-Hellman Problems
Short Exponent Diffie-Hellman Problems Takeshi Koshiba 12 and Kaoru Kurosawa 3 1 Secure Computing Lab., Fujitsu Laboratories Ltd. 2 ERATO Quantum Computation and Information Project, Japan Science and
More informationEfficient Cryptographic Protocol Design Based on Distributed El Gamal Encryption
Efficient Cryptographic Protocol Design Based on Distributed El Gamal Encryption Felix Brandt Stanford University, Stanford CA 94305, USA brandtf@cs.stanford.edu Abstract. We propose a set of primitives
More information1 Secure two-party computation
CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure
More information4-3 A Survey on Oblivious Transfer Protocols
4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of
More informationOblivious Evaluation of Multivariate Polynomials. and Applications
The Open University of Israel Department of Mathematics and Computer Science Oblivious Evaluation of Multivariate Polynomials and Applications Thesis submitted as partial fulfillment of the requirements
More information1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds
1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds Amos Beimel Department of Computer Science Ben Gurion University Be er Sheva, Israel Eran Omri Department of Computer
More informationPrivacy-preserving cooperative statistical analysis
Syracuse University SURFACE Electrical Engineering and Computer Science College of Engineering and Computer Science 2001 Privacy-preserving cooperative statistical analysis Wenliang Du Syracuse University,
More informationEfficient Private Bidding and Auctions with an Oblivious Third Party
Efficient Private Bidding and Auctions with an Oblivious Third Party Christian Cachin IBM Research Division Zurich Research Laboratory CH-8803 Rüschlikon, Switzerland cca@zurich.ibm.com July 12, 1999 Abstract
More informationThreshold Undeniable RSA Signature Scheme
Threshold Undeniable RSA Signature Scheme Guilin Wang 1, Sihan Qing 1, Mingsheng Wang 1, and Zhanfei Zhou 2 1 Engineering Research Center for Information Security Technology; State Key Laboratory of Information
More informationCovert Multi-party Computation
Covert Multi-party Computation Nishanth Chandran Vipul Goyal Rafail Ostrovsky Amit Sahai University of California, Los Angeles {nishanth,vipul,rafail,sahai}@cs.ucla.edu Abstract In STOC 05, Ahn, Hopper
More informationCut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings
Cut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings Yehuda Lindell Bar-Ilan University, Israel Technion Cryptoday 2014 Yehuda Lindell Online/Offline and Batch Yao 30/12/2014
More informationEfficient Conversion of Secret-shared Values Between Different Fields
Efficient Conversion of Secret-shared Values Between Different Fields Ivan Damgård and Rune Thorbek BRICS, Dept. of Computer Science, University of Aarhus Abstract. We show how to effectively convert a
More informationOne-Round Secure Computation and Secure Autonomous Mobile Agents
One-Round Secure Computation and Secure Autonomous Mobile Agents (Extended Abstract) Christian Cachin 1, Jan Camenisch 1, Joe Kilian 2, and Joy Müller 1 Abstract. This paper investigates one-round secure
More informationPrivacy-Preserving Ridge Regression Without Garbled Circuits
Privacy-Preserving Ridge Regression Without Garbled Circuits Marc Joye NXP Semiconductors, San Jose, USA marc.joye@nxp.com Abstract. Ridge regression is an algorithm that takes as input a large number
More informationIntroduction to Cryptography Lecture 13
Introduction to Cryptography Lecture 13 Benny Pinkas June 5, 2011 Introduction to Cryptography, Benny Pinkas page 1 Electronic cash June 5, 2011 Introduction to Cryptography, Benny Pinkas page 2 Simple
More informationSecure Multiparty Computation from Graph Colouring
Secure Multiparty Computation from Graph Colouring Ron Steinfeld Monash University July 2012 Ron Steinfeld Secure Multiparty Computation from Graph Colouring July 2012 1/34 Acknowledgements Based on joint
More informationA Generalization of Paillier s Public-Key System with Applications to Electronic Voting
A Generalization of Paillier s Public-Key System with Applications to Electronic Voting Ivan Damgård, Mads Jurik and Jesper Buus Nielsen Aarhus University, Dept. of Computer Science, BRICS Abstract. We
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More informationON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL
1 ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL GIOVANNI DI CRESCENZO Telcordia Technologies, Piscataway, NJ, USA. E-mail: giovanni@research.telcordia.com IVAN VISCONTI Dipartimento di Informatica
More informationFounding Cryptography on Smooth Projective Hashing
Founding Cryptography on Smooth Projective Hashing Bing Zeng a a School of Software Engineering, South China University of Technology, Guangzhou, 510006, China Abstract Oblivious transfer (OT) is a fundamental
More informationHighly-Efficient Universally-Composable Commitments based on the DDH Assumption
Highly-Efficient Universally-Composable Commitments based on the DDH Assumption Yehuda Lindell March 6, 2013 Abstract Universal composability (or UC security) provides very strong security guarantees for
More informationImpossibility and Feasibility Results for Zero Knowledge with Public Keys
Impossibility and Feasibility Results for Zero Knowledge with Public Keys Joël Alwen 1, Giuseppe Persiano 2, and Ivan Visconti 2 1 Technical University of Vienna A-1010 Vienna, Austria. e9926980@stud3.tuwien.ac.at
More informationOn Two Round Rerunnable MPC Protocols
On Two Round Rerunnable MPC Protocols Paul Laird Dublin Institute of Technology, Dublin, Ireland email: {paul.laird}@dit.ie Abstract. Two-rounds are minimal for all MPC protocols in the absence of a trusted
More informationOblivious Transfer and Secure Multi-Party Computation With Malicious Parties
CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties Vitaly Shmatikov slide 1 Reminder: Oblivious Transfer b 0, b 1 i = 0 or 1 A b i B A inputs two bits, B inputs the index
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationSecure Equality and Greater-Than Tests with Sublinear Online Complexity
Secure Equality and Greater-Than Tests with Sublinear Online Complexity Helger Lipmaa 1 and Tomas Toft 2 1 Institute of CS, University of Tartu, Estonia 2 Dept. of CS, Aarhus University, Denmark Abstract.
More informationA Round and Communication Efficient Secure Ranking Protocol
A Round and Communication Efficient Secure Ranking Protocol Shaoquan Jiang 1,2 and Guang Gong 2 1 Department of Computer Science, University of Electronic Science and Technology, Chengdu, CHINA. 2 Department
More informationNotes on Zero Knowledge
U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based
More informationPrivate Intersection of Certified Sets
Private Intersection of Certified Sets Jan Camenisch 1 and Gregory M. Zaverucha 2 1 IBM Research Zürich Research Laboratory CH-8803 Rüschlikon jca@zurich.ibm.com 2 Cheriton School of Computer Science University
More informationAbstract. Often the core diculty in designing zero-knowledge protocols arises from having to
Interactive Hashing Simplies Zero-Knowledge Protocol Design Rafail Ostrovsky Ramarathnam Venkatesan y Moti Yung z (Extended abstract) Abstract Often the core diculty in designing zero-knowledge protocols
More informationLecture 19: Verifiable Mix-Net Voting. The Challenges of Verifiable Mix-Net Voting
6.879 Special Topics in Cryptography Instructors: Ran Canetti April 15, 2004 Lecture 19: Verifiable Mix-Net Voting Scribe: Susan Hohenberger In the last lecture, we described two types of mix-net voting
More informationPractical Verifiable Encryption and Decryption of Discrete Logarithms
Practical Verifiable Encryption and Decryption of Discrete Logarithms Jan Camenisch IBM Zurich Research Lab Victor Shoup New York University p.1/27 Verifiable encryption of discrete logs Three players:
More informationAn Overview of Homomorphic Encryption
An Overview of Homomorphic Encryption Alexander Lange Department of Computer Science Rochester Institute of Technology Rochester, NY 14623 May 9, 2011 Alexander Lange (RIT) Homomorphic Encryption May 9,
More informationPrivacy-Preserving Data Imputation
Privacy-Preserving Data Imputation Geetha Jagannathan Stevens Institute of Technology Hoboken, NJ, 07030, USA gjaganna@cs.stevens.edu Rebecca N. Wright Stevens Institute of Technology Hoboken, NJ, 07030,
More informationAn Efficient Protocol for Fair Secure Two-Party Computation
Appears in Cryptographers Track-RSA Conference (CT-RSA 2008), Lecture Notes in Computer Science 4964 (2008) 88 105. Springer-Verlag. An Efficient Protocol for Fair Secure Two-Party Computation Mehmet S.
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationOne Round Threshold Discrete-Log Key Generation without Private Channels
One Round Threshold Discrete-Log Key Generation without Private Channels Pierre-Alain Fouque and Jacques Stern École Normale Supérieure, Département d Informatique 45, rue d Ulm, F-75230 Paris Cedex 05,
More informationThe Theory and Applications of Homomorphic Cryptography
The Theory and Applications of Homomorphic Cryptography by Kevin Henry A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master of Mathematics
More informationSharing DSS by the Chinese Remainder Theorem
Sharing DSS by the Chinese Remainder Theorem Kamer Kaya,a, Ali Aydın Selçuk b a Ohio State University, Columbus, 43210, OH, USA b Bilkent University, Ankara, 06800, Turkey Abstract In this paper, we propose
More informationGeneralized Oblivious Transfer by Secret Sharing
Generalized Oblivious Transfer by Secret Sharing Tamir Tassa Abstract The notion of Generalized Oblivious Transfer (GOT) was introduced by Ishai and Kushilevitz in [12]. In a GOT protocol, Alice holds
More informationFrom Secure MPC to Efficient Zero-Knowledge
From Secure MPC to Efficient Zero-Knowledge David Wu March, 2017 The Complexity Class NP NP the class of problems that are efficiently verifiable a language L is in NP if there exists a polynomial-time
More informationA Full Characterization of Functions that Imply Fair Coin Tossing and Ramifications to Fairness
A Full Characterization of Functions that Imply Fair Coin Tossing and Ramifications to Fairness Gilad Asharov Yehuda Lindell Tal Rabin February 25, 2013 Abstract It is well known that it is impossible
More informationComplete Fairness in Secure Two-Party Computation
Complete Fairness in Secure Two-Party Computation S. Dov Gordon Dept. of Computer Science University of Maryland gordon@cs.umd.edu Carmit Hazay Dept. of Computer Science Bar-Ilan University harelc@cs.biu.ac.il
More informationOn Achieving the Best of Both Worlds in Secure Multiparty Computation
On Achieving the Best of Both Worlds in Secure Multiparty Computation Yuval Ishai Jonathan Katz Eyal Kushilevitz Yehuda Lindell Erez Petrank Abstract Two settings are traditionally considered for secure
More informationCryptographic Asynchronous Multi-Party Computation with Optimal Resilience
Cryptographic Asynchronous Multi-Party Computation with Optimal Resilience Martin Hirt 1, Jesper Buus Nielsen 2, and Bartosz Przydatek 1 1 Department of Computer Science, ETH Zurich 8092 Zurich, Switzerland
More informationSecure Vickrey Auctions without Threshold Trust
Secure Vickrey Auctions without Threshold Trust Helger Lipmaa Helsinki University of Technology, {helger}@tcs.hut.fi N. Asokan, Valtteri Niemi Nokia Research Center, {n.asokan,valtteri.niemi}@nokia.com
More informationUniversally Composable Multi-Party Computation with an Unreliable Common Reference String
Universally Composable Multi-Party Computation with an Unreliable Common Reference String Vipul Goyal 1 and Jonathan Katz 2 1 Department of Computer Science, UCLA vipul@cs.ucla.edu 2 Department of Computer
More informationA Note on the Cramer-Damgård Identification Scheme
A Note on the Cramer-Damgård Identification Scheme Yunlei Zhao 1, Shirley H.C. Cheung 2,BinyuZang 1,andBinZhu 3 1 Software School, Fudan University, Shanghai 200433, P.R. China {990314, byzang}@fudan.edu.cn
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More information1 Basic Number Theory
ECS 228 (Franklin), Winter 2013, Crypto Review 1 Basic Number Theory This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationError-Tolerant Combiners for Oblivious Primitives
Error-Tolerant Combiners for Oblivious Primitives Bartosz Przydatek 1 and Jürg Wullschleger 2 1 Google Switzerland, (Zurich, Switzerland) przydatek@google.com 2 University of Bristol (Bristol, United Kingdom)
More informationPseudorandom Generators
Principles of Construction and Usage of Pseudorandom Generators Alexander Vakhitov June 13, 2005 Abstract In this report we try to talk about the main concepts and tools needed in pseudorandom generators
More informationMTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Zero-knowledge Proofs Sven Laur University of Tartu Formal Syntax Zero-knowledge proofs pk (pk, sk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) (pk,sk)? R
More informationEfficient Fuzzy Matching and Intersection on Private Datasets
Efficient Fuzzy Matching and Intersection on Private Datasets Qingsong Ye 1, Ron Steinfeld 1, Josef Pieprzyk 1, and Huaxiong Wang 1,2 1 Centre for Advanced Computing Algorithms and Cryptography Department
More informationCovert Multi-party Computation
Covert Multi-party Computation Nishanth Chandran Vipul Goyal Rafail Ostrovsky Amit Sahai University of California, Los Angeles {nishanth,vipul,rafail,sahai}@cs.ucla.edu Abstract In STOC 05, Ahn, Hopper
More informationEfficient Secure Auction Protocols Based on the Boneh-Goh-Nissim Encryption
68 IEICE TRANS. FUNDAMENTALS, VOL.E96 A, NO.1 JANUARY 2013 PAPER Special Section on Cryptography and Information Security Efficient Secure Auction Protocols Based on the Boneh-Goh-Nissim Encryption Takuho
More informationSecret sharing schemes
Secret sharing schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction Shamir s secret sharing scheme perfect secret
More informationAbstract In a (k; n) threshold digital signature scheme, k out of n signers must cooperate to issue a signature. In this paper, we show an ecient (k;
New ElGamal Type Threshold Digital Signature Scheme Choonsik PARK y and Kaoru KUROSAWA z y Electronics and Telecommunications Research Institute, P.O.Box 106, Yusong-ku, Taejeon, 305-600, Korea z Tokyo
More informationLecture 15 - Zero Knowledge Proofs
Lecture 15 - Zero Knowledge Proofs Boaz Barak November 21, 2007 Zero knowledge for 3-coloring. We gave a ZK proof for the language QR of (x, n) such that x QR n. We ll now give a ZK proof (due to Goldreich,
More informationHomework 3 Solutions
5233/IOC5063 Theory of Cryptology, Fall 205 Instructor Prof. Wen-Guey Tzeng Homework 3 Solutions 7-Dec-205 Scribe Amir Rezapour. Consider an unfair coin with head probability 0.5. Assume that the coin
More informationSecure Modulo Zero-Sum Randomness as Cryptographic Resource
Secure Modulo Zero-Sum Randomness as Cryptographic Resource Masahito Hayashi 12 and Takeshi Koshiba 3 1 Graduate School of Mathematics, Nagoya University masahito@math.nagoya-u.ac.jp 2 Centre for Quantum
More informationComplete Fairness in Multi-Party Computation Without an Honest Majority
Complete Fairness in Multi-Party Computation Without an Honest Maority Samuel Dov Gordon Abstract A well-known result of Cleve shows that complete fairness is impossible, in general, without an honest
More informationLecture Notes 15 : Voting, Homomorphic Encryption
6.857 Computer and Network Security October 29, 2002 Lecture Notes 15 : Voting, Homomorphic Encryption Lecturer: Ron Rivest Scribe: Ledlie/Ortiz/Paskalev/Zhao 1 Introduction The big picture and where we
More informationCryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000
Cryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000 Amr Youssef 1 and Guang Gong 2 1 Center for Applied Cryptographic Research Department of Combinatorics & Optimization 2 Department of Electrical
More informationLecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics
0368.4162: Introduction to Cryptography Ran Canetti Lecture 11 12th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics Introduction to cryptographic protocols Commitments 1 Cryptographic
More informationLecture 3: Interactive Proofs and Zero-Knowledge
CS 355 Topics in Cryptography April 9, 2018 Lecture 3: Interactive Proofs and Zero-Knowledge Instructors: Henry Corrigan-Gibbs, Sam Kim, David J. Wu So far in the class, we have only covered basic cryptographic
More informationLecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge
CMSC 858K Advanced Topics in Cryptography February 12, 2004 Lecturer: Jonathan Katz Lecture 6 Scribe(s): Omer Horvitz John Trafton Zhongchao Yu Akhil Gupta 1 Introduction In this lecture, we show how to
More informationCryptoComputing with rationals
CryptoComputing with rationals Pierre-Alain Fouque 1,2, Jacques Stern 2, and Geert-Jan Wackers 3 1 D.C.S.S.I. Crypto Lab 51, bd Latour-Maubourg, F-75007 Paris, France 2 École Normale Supérieure, Département
More informationNotes on Alekhnovich s cryptosystems
Notes on Alekhnovich s cryptosystems Gilles Zémor November 2016 Decisional Decoding Hypothesis with parameter t. Let 0 < R 1 < R 2 < 1. There is no polynomial-time decoding algorithm A such that: Given
More informationModulo Reduction for Paillier Encryptions and Application to Secure Statistical Analysis. Financial Cryptography '10, Tenerife, Spain
Modulo Reduction for Paillier Encryptions and Application to Secure Statistical Analysis Bart Mennink (K.U.Leuven) Joint work with: Jorge Guajardo (Philips Research Labs) Berry Schoenmakers (TU Eindhoven)
More informationA Framework for Non-Interactive Instance-Dependent Commitment Schemes (NIC)
A Framework for Non-Interactive Instance-Dependent Commitment Schemes (NIC) Bruce Kapron, Lior Malka, Venkatesh Srinivasan Department of Computer Science University of Victoria, BC, Canada V8W 3P6 Email:bmkapron,liorma,venkat@cs.uvic.ca
More informationEntity Authentication
Entity Authentication Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Entity authentication pk (sk, pk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) Is it Charlie? α k The
More informationCryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1
Cryptography CS 555 Topic 23: Zero-Knowledge Proof and Cryptographic Commitment CS555 Topic 23 1 Outline and Readings Outline Zero-knowledge proof Fiat-Shamir protocol Schnorr protocol Commitment schemes
More information