Modulo Reduction for Paillier Encryptions and Application to Secure Statistical Analysis. Financial Cryptography '10, Tenerife, Spain

Size: px

Start display at page:

Download "Modulo Reduction for Paillier Encryptions and Application to Secure Statistical Analysis. Financial Cryptography '10, Tenerife, Spain"

Sheila Todd
5 years ago
Views:

1 Modulo Reduction for Paillier Encryptions and Application to Secure Statistical Analysis Bart Mennink (K.U.Leuven) Joint work with: Jorge Guajardo (Philips Research Labs) Berry Schoenmakers (TU Eindhoven) Financial Cryptography '10, Tenerife, Spain January 25, / 13

2 Overview Preliminaries Secure Modulo Reduction Eciency Analysis Applications Conclusions 2 / 13

3 Threshold Homomorphic Cryptosystems (THCs) x is a probabilistic encryption: x = Enc pk (x, r) under public key pk and for random r 3 / 13

4 Threshold Homomorphic Cryptosystems (THCs) x is a probabilistic encryption: x = Enc pk (x, r) under public key pk and for random r Homomorphic properties: Addition: x y = x + y Multiplication by constant: x c = xc Re-randomization: x 0 = x 3 / 13

5 Threshold Homomorphic Cryptosystems (THCs) x is a probabilistic encryption: x = Enc pk (x, r) under public key pk and for random r Homomorphic properties: Addition: x y = x + y Multiplication by constant: x c = xc Re-randomization: x 0 = x (t, n)-threshold decryption Private key is shared among n parties such that any t can decrypt 3 / 13

6 Threshold Homomorphic Cryptosystems (THCs) x is a probabilistic encryption: x = Enc pk (x, r) under public key pk and for random r Homomorphic properties: Addition: x y = x + y Multiplication by constant: x c = xc Re-randomization: x 0 = x (t, n)-threshold decryption Private key is shared among n parties such that any t can decrypt We use the Paillier cryptosystem [Pai99, DJ01] 3 / 13

7 Secure Function Evaluation based on THCs On input of x 1,..., x L and a function f, the parties jointly compute f (x 1,..., x L ) (circuit for f ) x 1,..., x L f (x 1,..., x L ) 4 / 13

8 Secure Function Evaluation based on THCs On input of x 1,..., x L and a function f, the parties jointly compute f (x 1,..., x L ) (circuit for f ) x 1,..., x L f (x 1,..., x L ) Approach based on arithmetic circuits Circuit for f consists of sequential evaluations of (+,,, /) 4 / 13

9 Secure Function Evaluation based on THCs (cont.) Addition and scalar multiplication by homomorphic properties: computation of x + y and cx given x, y, c Multiplication gate [CDN01]: outputs xy given x, y 5 / 13

10 Secure Function Evaluation based on THCs (cont.) Addition and scalar multiplication by homomorphic properties: computation of x + y and cx given x, y, c Multiplication gate [CDN01]: outputs xy given x, y Our contribution: ecient gate for x mod a given x, a Implies a gate for integer division x div a 5 / 13

11 Secure Function Evaluation based on THCs (cont.) Addition and scalar multiplication by homomorphic properties: computation of x + y and cx given x, y, c Multiplication gate [CDN01]: outputs xy given x, y Our contribution: ecient gate for x mod a given x, a Implies a gate for integer division x div a Several other ecient gates: Random bit generation gate [CDN01, ST06]: outputs r for random r {0, 1} Comparison gate [DFK + 06, GSV07]: outputs x < y given the encrypted bits of x, y Least signicant bit gate [ST06]: outputs x mod 2 given x 5 / 13

12 Secure Modulo Reduction x = (x div a)a + (x mod a), with 0 x mod a < a By homomorphic properties, it suces to determine x mod a 6 / 13

13 Secure Modulo Reduction x = (x div a)a + (x mod a), with 0 x mod a < a By homomorphic properties, it suces to determine x mod a 1. Given x, one decryption of a blinded version of x is required 6 / 13

14 Secure Modulo Reduction x = (x div a)a + (x mod a), with 0 x mod a < a By homomorphic properties, it suces to determine x mod a 1. Given x, one decryption of a blinded version of x is required Generate r (bitwise) for r R [0, a), and s for random s The blinded encryption x r + as is threshold decrypted 6 / 13

15 Secure Modulo Reduction x = (x div a)a + (x mod a), with 0 x mod a < a By homomorphic properties, it suces to determine x mod a 1. Given x, one decryption of a blinded version of x is required Generate r (bitwise) for r R [0, a), and s for random s The blinded encryption x r + as is threshold decrypted 2. The parties set x = (x r + as) mod a = x r mod a Notice that x x + r mod a and 0 x + r < 2a 6 / 13

16 Secure Modulo Reduction x = (x div a)a + (x mod a), with 0 x mod a < a By homomorphic properties, it suces to determine x mod a 1. Given x, one decryption of a blinded version of x is required Generate r (bitwise) for r R [0, a), and s for random s The blinded encryption x r + as is threshold decrypted 2. The parties set x = (x r + as) mod a = x r mod a Notice that x x + r mod a and 0 x + r < 2a 3. Correction: the parties compute c = a 1 x < r Notice that c = 0 x + r < a 6 / 13

17 Secure Modulo Reduction x = (x div a)a + (x mod a), with 0 x mod a < a By homomorphic properties, it suces to determine x mod a 1. Given x, one decryption of a blinded version of x is required Generate r (bitwise) for r R [0, a), and s for random s The blinded encryption x r + as is threshold decrypted 2. The parties set x = (x r + as) mod a = x r mod a Notice that x x + r mod a and 0 x + r < 2a 3. Correction: the parties compute c = a 1 x < r Notice that c = 0 x + r < a 4. Output x mod a = x + r ca = x r / c a 6 / 13

18 Secure Modulo Reduction (cont.) Technical detail: x r + as should not exceed the Paillier modulus, to prevent wrap-arounds x should be suciently small Using ecient zero-knowledge proofs, the protocol can be proven secure against actively malicious parties (in the security framework of [CDN01]) How to securely generate r (bitwise) for r R [0, a)? 7 / 13

19 How to Securely Generate r (bitwise) for r R [0, a)? If a = 2 l a Write r = l a 1 i=0 r i 2 i, with r i {0, 1} Generate random bits r i and output r = l a 1 i=0 r i 2i If 2 l a 1 < a < 2 l a 8 / 13

20 How to Securely Generate r (bitwise) for r R [0, a)? If a = 2 l a Write r = l a 1 i=0 r i 2 i, with r i {0, 1} Generate random bits r i and output r = l a 1 i=0 r i 2i If 2 l a 1 < a < 2 l a Repeat generating r for random r [0, 2 l a ), until r < a At most 2 restarts on average 8 / 13

21 Ours [DFK + 06] Eciency Analysis broadcast round O(nkl a ) O(n) O(n 2 kl a ) O(1) O(nkl x (log l x + l a )) O(n + l x ) O(nkl x (n + log l x + l a )) O(1) n is the number of participants l x is length of x k is a security parameter l a is length of a (Broadcast complexity represents the number of bits broadcasted. E.g., for O(nkl a ): each party needs to broadcast O(l a ) encryptions) Always l a l x, but often l a l x 9 / 13

22 Ours [DFK + 06] Eciency Analysis broadcast round O(nkl a ) O(n) O(n 2 kl a ) O(1) O(nkl x (log l x + l a )) O(n + l x ) O(nkl x (n + log l x + l a )) O(1) n is the number of participants l x is length of x k is a security parameter l a is length of a (Broadcast complexity represents the number of bits broadcasted. E.g., for O(nkl a ): each party needs to broadcast O(l a ) encryptions) Always l a l x, but often l a l x 100 millionaires securely compute their mean fortune ( x 1,..., x 100 ) x1+ +x Say x i < 2 30 Here, x = 100 i=1 x i and a = 100, so l x = 37 and l a = 7 9 / 13

23 Applications Integer division: x = (x div a)a + (x mod a) x div a = ( x / x mod a ) 1/a 10 / 13

24 Applications Integer division: x = (x div a)a + (x mod a) x div a = ( x / x mod a ) 1/a Access arbitrary bits of x: x i = (x div 2 i ) mod 2 10 / 13

25 Applications Integer division: x = (x div a)a + (x mod a) x div a = ( x / x mod a ) 1/a Access arbitrary bits of x: x i = (x div 2 i ) mod 2 Secure computation of statistics: Mean, median, variance,... require division Concrete example: variance (where x = (x x L )/L) var(x 1,..., x L ) = 1 L 1 L (x i x) 2 i=1 10 / 13

26 var(x 1,..., x L ) = 1 L 1 Computation of Statistics ( L (x i x) 2 1 L = L(L 1) i=1 i=1 Lx 2 i ) ( L ) 2 x i i=1 How to compute var(x 1,..., x L ) given x 1,..., x L? 11 / 13

27 var(x 1,..., x L ) = 1 Computation of Statistics L 1 ( L L ) (x i x) 2 1 ( L ) 2 = Lx 2 i x i L(L 1) i=1 i=1 }{{} i=1 How to compute var(x 1,..., x L ) given x 1,..., x L? 1. Compute ( L i=1 x i) 2 and x 2 using L + 1 multiplications i L 2. Compute V = i=1 Lx 2 ( L i i=1 x i) 2 =:V 11 / 13

28 var(x 1,..., x L ) = 1 Computation of Statistics L 1 ( L L ) (x i x) 2 1 ( L ) 2 = Lx 2 i x i L(L 1) i=1 i=1 }{{} i=1 How to compute var(x 1,..., x L ) given x 1,..., x L? 1. Compute ( L i=1 x i) 2 and x 2 using L + 1 multiplications i L 2. Compute V = i=1 Lx 2 ( L i i=1 x i) 2 3. Compute and output integer division V div L(L 1) =:V 11 / 13

29 var(x 1,..., x L ) = 1 Computation of Statistics L 1 ( L L ) (x i x) 2 1 ( L ) 2 = Lx 2 i x i L(L 1) i=1 i=1 }{{} i=1 How to compute var(x 1,..., x L ) given x 1,..., x L? 1. Compute ( L i=1 x i) 2 and x 2 using L + 1 multiplications i L 2. Compute V = i=1 Lx 2 ( L i i=1 x i) 2 3. Compute and output integer division V div L(L 1) =:V O(Lnk) broadcast complexity and O(n) rounds 11 / 13

30 Conclusions Modulo reduction: computing x mod a given x and a Integer division: computation of x div a Applicable to secure computation of statistics (mean, variance, median, range,...), packing of encrypted data, and many more! Our protocols improved performance. We take advantage of the fact that the modulus a is much smaller than x Complexities are independent of the length of x Proof of security can be found in the paper (full version) 12 / 13

31 Q u e s t i o n s? 13 / 13

32 HIDDEN SLIDES!!! 13 / 13

33 Sub-Protocol: Random Bitwise Value Generation Input: a with 2 la 1 < a 2 l a For generating r (bitwise) such that r R [0, a), the n servers do: 1. Jointly construct l a random bit encryptions r j (note that r = l a 1 j=0 r j2 j R [0, 2 l a )) 2. Compute and decrypt r < a. If r a, restart protocol If a = 2 l a, no restarts. Otherwise 2 l a/a < 2 restarts on average 13 / 13

34 Secure Modulo Reduction: Protocol Input: x, a, with x < 2 l x and 2 l a 1 < a 2 l a Requirement: an2 l x +l s < N s for security parameter l s For computing x mod a, the n servers do: 1. Jointly construct r b(la) for r R [0, a) 2. Individually construct s i for s i R {0, 1} l x +l s 3. Individually compute x = x r 1 n i=1 s i a n (note that x = x r + a i=1 s i and 0 x < N s ) 4. Jointly decrypt x and compute x = x mod a x r mod a (note that x + r x mod a and 0 x + r < 2a) 5. Using comparison gate, compute c = [a 1 x < r] (note that c = 0 x + r < a) 6. Individually compute output x r c a Protocol can be simulated in framework of [CDN01] 13 / 13

35 Secure Modulo Reduction: Security Proof Simulated for x = x (0) (1 b) + x (1) b given x (0), x (1), b Distinguisher for simulator is a distinguisher for bit-decryption n participants {P 1,..., P n } of which {P 1,..., P t 1} are malicious 1. Simulator takes r R [0, a), but simulates this phase with r = r (0) (1 b) + r (1) b, where r (b) = ( r + x (b)) mod a 2. Simulator lets the malicious parties construct and prove s i. For P t,..., P n 1 he executes the protocol as is. For P n he takes s n R [0, 2 l x +l s ), but simulates with s n = s (0) n (1 b) + s (1) n b, where s (b) n = s n ( r + x (b)) div a 3. Executes this phase. He obtains n 1 x = x r + a i=1 s n i + a s n = r + a i=1 s i n 4. Simulates the decryption on input x and r + a i=1 s i 5. Comparison gate is simulated r and s n indistinguishable from r and s n 13 / 13

Anonymous Credential Schemes with Encrypted Attributes

Anonymous Credential Schemes with Encrypted Attributes Bart Mennink (K.U.Leuven) joint work with Jorge Guajardo (Philips Research) Berry Schoenmakers (TU Eindhoven) Conference on Cryptology And Network