Modulo Reduction for Paillier Encryptions and Application to ...
Upcoming SlideShare
Loading in...5
×
 

Modulo Reduction for Paillier Encryptions and Application to ...

on

  • 570 views

 

Statistics

Views

Total Views
570
Views on SlideShare
570
Embed Views
0

Actions

Likes
0
Downloads
3
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Modulo Reduction for Paillier Encryptions and Application to ... Modulo Reduction for Paillier Encryptions and Application to ... Document Transcript

  • Modulo Reduction for Paillier Encryptions and Application to Secure Statistical Analysis Jorge Guajardo1 , Bart Mennink ,2 and Berry Schoenmakers ,3 1 Information and System Security Group Philips Research Europe, Eindhoven, The Netherlands jorge.guajardo@philips.com 2 Dept. Electrical Engineering, ESAT/COSIC Katholieke Universiteit Leuven, Belgium bart.mennink@esat.kuleuven.be 3 Dept. of Mathematics and Computing Science Technische Universiteit Eindhoven, The Netherlands berry@win.tue.nl Abstract. For the homomorphic Paillier cryptosystem we construct a protocol for se- cure modulo reduction, that on input of an encryption x with x of bit length x and a public ‘modulus’ a of bit length a outputs an encryption x mod a . As a result, a protocol for computing an encrypted integer division x div a is obtained. Surprisingly, efficiency of the protocol is independent of x : the broadcast complexity of the protocol varies between O(nk a ) and O(n2 k a ), for n parties and security parameter k, and is very efficient in case of small a (in practical cases a often is much smaller than x ). Our protocol allows for efficient multiparty computation of statistics like mean, variance and median. Therefore, the protocol can be used in the context of medical surveys for the benefit of statistical analysis: medical data are very sensitive information, and people are generally reluctant to share these data. Implementing these surveys using multiparty statistics protocols offers an approach that enhances the privacy of the users. Keywords. Modulo reduction, multiparty computation on statistics, statistical analy- sis, medical surveys. 1 Introduction We consider the problem of integer division with remainder in the setting of secure multiparty computation. In its full generality, the problem is to evaluate securely the integer function (x, y) → (x div y, x mod y), where x = (x div y)y + x mod y and 0 ≤ x mod y < y. Whereas integer multiplication commonly allows for secure protocols for which the performance is independent of the bit length of the multiplicands, this is not true for known protocols for integer division. Typically, secure integer division pro- tocols use the binary decomposition of the inputs x and/or y, and consequently these protocols are generally much more elaborate than secure multiplication protocols. To a certain extent, this is to be expected because integer comparison (which generally also requires bitwise-represented inputs) reduces to equality testing given integer division: x < y if and only if x = x mod y. Work done while visiting Philips Research Labs. Work done partly while visiting Philips Research Labs.
  • In this paper we will focus on the computation of x mod a for a public modulus a. We observe that in many applications, particularly in secure statistical analysis, division is used with a public modulus only. For example, for the mean x = (x1 +· · ·+xL ) div L of ¯ a set of L values, it suffices to divide by the publicly known L. Similarly, computation of the variance of these values also involves division with a public modulus only. Hence, efficient protocols for the case of public a are clearly of interest, and we will show how to achieve efficient solutions. Although our results apply to a broad range of approaches in secure multiparty com- putation, we will present our protocols mostly for the framework based on threshold homomorphic cryptosystems (THCs) [14, 22, 6, 29]. This framework allows n parties, n ≥ 2, to securely and privately evaluate a given function f : given encrypted inputs x1 , . . . , xL , it will be ensured that the output is an encryption f (x1 , . . . , xL ) , without leaking any further information on the values x1 , . . . , xL . In general, one may construct a Boolean or arithmetic circuit for f , consisting of basic gates such as NAND gates or addition/multiplication gates, and then evaluate these circuits securely. For performance reasons, however, specific protocols are needed to obtain more practical solutions. The advantage of our THC-based protocols is that the malicious case can be treated without efficiency loss (asymptotically) compared to the semi-honest case. Our proto- cols can also be translated to the framework based on verifiable secret sharing (cf. [7]). In this case, however, the malicious case will be (asymptotically) more expensive than the semi-honest case. The technical reason is that some of the particularly efficient zero-knowledge interval proofs used in the THC-based approach do not carry over to the VSS-based approach. Our protocols can be seen as a generalization of the bit decomposition protocols of [30]. As observed in [30], the problem of evaluating x → x mod 2 is already non-trivial as it cannot be solved when ElGamal is used as the underlying (additively) homomorphic cryptosystem: an efficient protocol for computing the least significant bit x mod 2 for given x would imply efficient computation of a hard-core bit (of the one-way function x → g x ), hence contradict the discrete log assumption. Therefore, we will also assume a sufficiently strong homomorphic cryptosystem, concretely the Paillier cryptosystem, for our protocols. An immediate application of integer division is to securely access arbitrary bits of a given input x efficiently. For an x -bit integer x, the work to access the i-th least significant bit will be proportional to i, as xi = (x div 2i ) mod 2. Our protocols actually simplify considerably for the case that a is a power of 2, such that the overall work is much less than one would need using the bit decomposition protocol of [30]. 1.1 Our contributions For a set of n participants jointly sharing the decryption key of the Paillier cryptosys- tem, we construct a protocol that on input of x with x < 2 x and a public ‘modulus’ a such that 2 a −1 < a ≤ 2 a outputs an encryption of the modulo reduction of x with respect to a, x mod a . Consequently, this implies a protocol for computing an 2
  • encrypted integer division x div a . The efficiency of the protocol relies on the fact that a is known and, in particular, its length is known. The protocol has a broadcast complexity varying between O(nk a ) and O(n2 k a ) (with corresponding round com- plexities O(n) and O(1)), where k is a security parameter, and the variation depends on the building blocks used (e.g., for random bit generation several protocols are known, which differ in complexities). The protocol is proven secure in the framework of Cramer et al. [6]. It is statistically secure against static active adversaries under the decisional composite residuosity assumption (for the Paillier cryptosystem) and the strong RSA assumption (for the required interval proof). As an interesting application, this protocol can be used for secure and efficient statis- tical analysis on encrypted data. For the computation of the variance of L inputs, a protocol is constructed in detail. Other statistics can be implemented similarly. Secure statistical analysis is of particular importance in the area of medical surveys. In medical surveys, users can release medical data to some research institute which analyses the data and outputs some result (a diagnostic, a result of statistical analysis, etc.). How- ever, medical data are privacy sensitive and users might be unwilling to reveal these data in plaintext. Using secure multiparty computation, the institute is represented by a set of multiparty computation servers and the users can input their medical data in encrypted form. The servers can then use the modulo reduction protocol for secure statistical analysis. Finally, we illustrate that the protocol can easily be carried over to a client/server setting. This variation has many other practical applications, for instance in the area of secure face recognition [12], packing of encrypted values [19, 21, 32] and auctions [8, 15, 26]. 1.2 Related work The relation with the bit decomposition protocols of [30] is already illustrated. For the unconditional setting using verifiable secret sharing, Algesheimer et al. [1] constructed a modulo reduction protocol which actually works for encrypted modulus a. The pro- tocol relies on approximating 1/a (for which also a protocol by Kiltz et al. [24] can be used). This protocol is only of theoretical interest4 : instead of x mod a, the value x mod a+ia is computed, with |i| < (n+1)(5+24+ x − a − ) for some additional security parameter (the number of correctly approximated bits of 1/a). The value x mod a is then computed after O(n2 x − a − ) executions of a comparison protocol, which makes the protocol inefficient. We note that our protocol does not rely on approximations. More comparable to ours is the modulo reduction protocol by Damg˚ et al. [7], which ard can easily be carried over to the cryptographic setting. Unlike ours, their scheme does not make use of the form of a. In particular, in the cryptographic setting their protocol has a broadcast complexity varying between O(nk 2 ) and O(n2 k 2 ), where x ≥ a . In x x 4 We note that From and Jakobsen [16, Ch. 8] discuss the efficiency of the protocol of [1]. They conclude that the performance is generally low, in particular for a large number of participants. See also [31, Sec. 4.6]. 3
  • many practical applications the value a is even much smaller than x , as exemplified in Sect. 6. Using ideas of [1], their protocol can also be extended to secret a. We stress that for our purposes the protocol with public a suffices. Although our main concern is the modulo reduction protocol, we also consider the related work with respect to statistical multiparty computation, which is used as mo- tivational example. Many work on privacy-preserving statistical analysis (e.g., [10, 11, 24, 33]) only focuses on techniques other than THC-based secure multiparty computa- tion. In [23] computation of moments is considered for Paillier encryptions, and used to compute statistics like mean and variance. However, they circumvent the need of a modulo reduction protocol by applying division on the decrypted moments only. For in- L stance, for the computation of the mean of L values, they securely compute i=1 xi , decrypt it and divide the result by L. This protocol is not of practical interest: be- cause L xi is decrypted rather than ( L xi ) div L, the protocol unintentionally i=1 i=1 leaks information about the inputs, namely ( L xi ) mod L. Moreover, the protocol i=1 of [23] cannot be integrated as a sub-protocol with encrypted output. In this sense the construction of the modulo protocol offers a new approach of privacy-preserving statistical computation. 2 Preliminaries Throughout we denote [A, B) := {A, A + 1, . . . , B − 1}. By ‘random’ we implic- itly mean ‘uniformly randomly and independently distributed’, and we denote by x ∈R X the event that x is taken at random from X. For two distributions X and Y with sample spaces V and W , we denote the statistical distance by ∆(X, Y ) = 1 2 v∈V ∪W |P r(X = v) − P r(Y = v)| [20]. The two distributions are perfectly indis- tinguishable if ∆(X, Y ) = 0, and statistically indistinguishable if ∆(X, Y ) is negligible in a security parameter. Security model. For the multiparty computation protocols, we consider the secu- rity framework of [6]. We consider n parties P = {P1 , . . . , Pn }, of which P ⊂ P are corrupted, who want to compute a protocol for some function f . By the view of P on a protocol execution we denote all values the malicious part P learns during the execution. The protocol is said to securely evaluate f if it is possible to construct a simulator that may use the malicious part P as a subroutine, and that outputs views which are indistinguishable from views of the real executions. It practically means that anything an adversary can learn from the real execution of the protocol, he could have simulated himself as well. This framework is hybrid in the sense that for a secure func- tion evaluation, several sub-protocols (or gates) can be executed sequentially (but not concurrently), and security of the function evaluation then holds via the security of these gates. The reader is referred to [6, full version] for a more formal description. Paillier cryptosystem. Our protocol relies on the additively homomorphic cryp- tosystem by Paillier, which is proven semantically secure under the decisional composite 4
  • residuosity assumption [27]. We however consider its generalization and its threshold variant by Damg˚ and Jurik [9]. On input of a security parameter k, the public key ard consists of an RSA modulus N = pq of length k, for p = 2p + 1 and q = 2q + 1 safe primes, and a positive integer s. We define m := p q . The secret key is a value d co- prime to N s satisfying d = 0 mod m. The message space is the ring ZN s , and a message s x is encrypted by taking a r ∈R Z∗ s+1 and computing c = (N + 1)x rN mod N s+1 . N For the threshold decryption, d is polynomially shared among the n participants, each participant has a share di , and at least t participants are required to correctly decrypt a ciphertext. This decryption protocol operates in constant rounds and has broadcast complexity O(nk). For less than t actively corrupted participants, on input of an en- cryption and the corresponding plaintext, the threshold decryption protocol can be simulated in a statistically indistinguishable way. A more detailed specification of the cryptosystem and the simulation can be found in [9]. Encryptions are denoted by x . We denote by x b( ) = { x0 , . . . , x −1 } the least significant bits of x. Proofs of knowledge. Our modulo reduction protocol involves zero-knowledge proofs of knowledge in order to achieve security against malicious adversaries. We use the notion of Σ-protocols, due to Cramer [5]. In the random oracle model, these pro- tocols can be made non-interactive using the Fiat-Shamir heuristic [13]. In particular, our proposal involves interval proofs in which a prover shows that a published encryp- tion x encrypts a value x ∈ [A, B). For this one can use the protocol by Boudot [4], which relies on the strong RSA assumption [2, 17]. This protocol operates in constant rounds and has broadcast complexity O(k). It can be simulated on input x . 2.1 Multiparty computation gates and circuits The proposed protocol requires several efficient gates and circuits, all can be proven secure in the framework of [6]. We consider a multiplication gate, a comparison gate and a gate for generating random bits. In Table 1 we summarize the efficiencies of the gates. We recall that the Paillier cryptosystem is additively homomorphic, which means that given encryptions x , y and a public a, the encryptions x + y = x y and ax = x a can be computed non-interactively. Multiplication. Cramer et al. [6] constructed a protocol for n participants to se- curely compute xy given x , y . This protocol has broadcast complexity O(nk) and operates in constant rounds. If one participant knows the value y, the multipli- cation can be computed with round complexity O(k), by a simple modification of the ElGamal based private multiplier gate of [29]. Random bit generation. Several multiparty protocols for generating random bits are known, differing in their complexities. One can minimize to constant round com- plexity using the unbounded fan-in multiplication technique by [6], having broadcast complexity O(n2 k), or optimize broadcast complexity using the private multiplier gate 5
  • [30], obtaining broadcast and round complexity O(nk) and O(n), respectively. Comparison gate. On input of two encrypted bit representations x b( ) and y b( ) , a comparison gate outputs an encrypted bit [x < y] . In [18], a logarithmic round complexity O(lg ) protocol is constructed. Damg˚ et al. [7] describe a constant ard round complexity protocol, but it has a considerably higher hidden constant, and for small values of (namely < 20) the logarithmic round protocol is more efficient. We note that in many applications of our protocol the comparisons are carried out on rather small values (of size a ). Both protocols have broadcast complexity O(nk ). Gate broadcast round multiplication O(nk) O(1) [6] random bit O(nk) O(n) [30] generation O(n2 k) O(1) [6] comparison O(nk ) O(lg ) [18] O(nk ) O(1) [7] Table 1. Efficiencies of the required multiparty computation gates. 3 Random bitwise value generation The modulo reduction protocol introduced in Sect. 4 requires a sub-protocol to bit- wise generate a value r ∈R [0, a). We refer to this gate as the random bitwise value generation protocol and we discuss such a protocol in this section. Other protocols for securely generating random values from a restricted domain are known as well [28]. We recall that we have n participants (t, n)-threshold sharing the secret key for Paillier decryption, and that the public key for the cryptosystem is (N, s). Protocol 1 (Random bitwise value generation). Given a publicly known value a such that 2 a −1 < a ≤ 2 a , the following protocol generates an encrypted bit represen- tation { r0 , . . . , r a −1 } of r such that r ∈R [0, a). The participants Pi (i = 1, . . . , n) perform the following steps: 1. For j = 0, . . . , a − 1, the participants jointly generate random bit encryptions rj for rj ∈R {0, 1}; 2. Using a comparison gate, [r < a] is computed and jointly decrypted. If [r < a] = 0, the protocol is restarted. Notice that in case a = 2 a , the number of restarts of the protocol is 2 a /a < 2 on average: the success probability is a/2 a , and the number of restarts follows the geometric distribution (the participants restart until they have success). Hence, they need 2 a /a < 2 restarts on average. We now prove that Prot. 1 is correct. Security is proven in Sect. 5. 6
  • Proposition 1 (Correctness of Prot. 1). On input of a publicly known value a such that 2 a −1 < a ≤ 2 a , the output of Prot. 1 is an encrypted bit representation of r ∈R [0, a). a −1 Proof. We need to prove that the outcome r = j=0 rj 2j is an element from [0, a) and that it is uniformly random. The first requirement is satisfied by phase 2 of the protocol. For the second requirement, let α ∈ [0, a). We need to prove that P r(r = α | r < a) = 1/a. But this holds as we have: P r(r = α, r < a) 1/2 a P r(r = α | r < a) = = = 1/a. P r(r < a) a/2 a 4 Multiparty modulo reduction We consider input x with x ∈ {0, 1} x and a public value a such that 2 a −1 < a ≤ 2 a for some a , and construct a protocol for the computation of x mod a . Without loss of generality, we assume that a ≤ x : clearly, if a > x then certainly a > x, in which case x mod a = x. The protocol relies on the fact that it is unnecessary to compute the x bits of x if the modulus a ≤ 2 a is known for some a ≤ x . In particular, if a = 2 a , computing x mod a can also be done by computing the a least significant a −1 bits of x, as x mod a = j=0 xj 2j . As in many cases a is relatively small compared to x (see for instance Sect. 6), this reduces the costs. We recall that we have n participants (t, n)-threshold sharing the secret key for Paillier decryption, and that the public key for the cryptosystem is (N, s). We introduce a security parameter s , which we require to satisfy an2 x + s < N s . Protocol 2 (Modulo reduction). Given x for x ∈ {0, 1} x and a publicly known value a, the following protocol outputs an encryption x mod a . The participants Pi (i = 1, . . . , n) perform the following steps: 1. The participants jointly generate a random encrypted bit representation { r0 , . . . , r a −1 } of r such that r ∈R [0, a), using Prot. 1. In parallel, each participant takes si ∈R {0, 1} x + s and publishes Si = si together with an interval proof of knowledge for relation x+ s {(Si ; si ) | Si = si ∧ si ∈ [0, 2 )}; (1) 2. Each participant individually computes n a n −1 x ← x r ˜ si = x−r+a si ; (2) i=1 i=1 3. Using threshold decryption the participants obtain x, and compute x ← x mod a; ˜ ¯ ˜ 7
  • 4. Using a comparison gate the participants compute c ← [a − 1 − x < r] . ¯ (3) Notice that a − 1 − x is known in plaintext, and for r the participants know the en- ¯ crypted bit representation. In particular, the comparison gates described in Sect. 2.1 can be used; 5. Each participant individually computes −a mod( x , a) ← x r c ¯ = x + r − ca . ¯ (4) We now prove that Prot. 1 is correct. Security is proven in Sect. 5. Proposition 2 (Correctness of Prot. 2). On input of x with x ∈ {0, 1} x , and a publicly known value a, the output in (4) equals x mod a . Proof. For the value computed in phase 5, firstly observe that x + r ≡ x mod a: ¯ x + r = (˜ mod a) + r ¯ x {phase 3} n = x−r+a si mod N s mod a + r {equation (2)}, i=1 n = x−r+a si mod a + r {0 ≤ x < N s }, ˜ i=1 from which x + r ≡ x mod a clearly follows. Note that 0 ≤ x < N s indeed holds ¯ ˜ with overwhelming probability (in s ) by the bound an2 x + s < N s . Now, the value c computed in phase 4 satisfies: c = 0 ⇐⇒ a − 1 − x ≥ r ⇐⇒ x + r + 1 ≤ a ⇐⇒ x + r < a. ¯ ¯ ¯ But as x, r ∈ [0, a), we have x + r ∈ [0, 2a), and thus the output in (4) clearly equals ¯ ¯ x + r mod a = x mod a. ¯ 5 Security analysis Security of Protocols 1 and 2 is proven in light of the security framework by Cramer et al. [6], as explained in Sect. 2. However, we need to adjust this model slightly using a technique of Cramer et al., which is elaborated on by [30, 18]. This technique relies on ‘Yet Another Distribution’ (YAD). For a bit b ∈ {0, 1}, YADb is defined such that for b = 0 it is perfectly indistinguishable from the distribution of ideal views, and for b = 1 it is statistically indistinguishable from the distribution of real views. Therefore, the real and ideal views are indistinguishable if and only if YAD0 and YAD1 are indistinguishable. But the difference between these two distributions only depends on the encrypted value b ∈ {0, 1}, and hence the success probability of distinguishing 8
  • between YAD0 and YAD1 equals the success probability of distinguishing between 0 and 1 , which is negligible as the Paillier cryptosystem is semantically secure [9]. Therefore, given two values x(0) and x(1) drawn at random from the distributions YAD0 and YAD1 , respectively, and a bit encryption b , corresponding to either the ideal or real model, the real views need to be simulated for encrypted input x(0) (1−b)+x(1) b . It is clear that this model is less general, but it is still sufficiently general to fit in the framework of [6], [30]. In this model, we now construct simulators that simulate Protocols 1 and 2 in a statistically indistinguishable way. We recall that both simulators may use the malicious parties as a subroutine, and need to output views of these parties on the protocols that are indistinguishable from views of the real executions. The simulator for Prot. 1 has input a and r(0) , r(1) ∈ [0, a), and a bit encryption b , and simulates the random bitwise value generation of r , where r = r(0) (1 − b) + r(1) b. The simulator for Prot. 2 has input a and x(0) , x(1) ∈ {0, 1} x , and a bit encryption b , and simulates the protocol for output x mod a , where x = x(0) (1 − b) + x(1) b. Proposition 3 (Security of Prot. 1). On input of a publicly known value a, r(0) , r(1) ∈ [0, a) and a b for b ∈ {0, 1}, Prot. 1 can be simulated in a perfectly indistinguishable way. Proof. We construct a simulator for the random bitwise value generation of r , where r = r(0) (1−b)+r(1) b. The simulator may use the malicious parties P = {P1 , . . . , Pt−1 } ⊂ P as a subroutine. We note that the random bit gates used in phase 1 can be simulated [30]. Moreover, the comparison gate can be simulated on input ( b , r(0) , r(1) ) [18]. Let (b) rj (j = 0, . . . , a − 1) be the bits of r(b) , for b = 0, 1. Phase 1. The simulator simulates each random bit gate (j = 0, . . . , a − 1) on input (0) (1) rj , with rj = rj (1 − b) + rj b. Phase 2. The simulator simulates this phase on input ( b , r(0) , r(1) ). Proposition 4 (Security of Prot. 2). On input of x(0) , x(1) of length x , b for b ∈ {0, 1}, and a publicly known value a, Prot. 2 can be simulated in a statistically indistinguishable way. Proof. We construct a simulator for the computation of mod( x , a), where x = x(0) (1− b) + x(1) b. The simulator may use the malicious parties P = {P1 , . . . , Pt−1 } ⊂ P as a subroutine. We note that by Prop. 3 the random bitwise value generation protocol can be simulated on input ( b , r(0) , r(1) ) with r(0) , r(1) ∈ [0, a). Moreover, threshold de- cryption can be simulated given x , x, and the comparison gate on input ( b , r(0) , r(1) ) ˜ ˜ [18]. Phase 1. The simulator takes r ∈R [0, a) and simulates phase 1 with r = r(0) (1 − b) + ˜ ˜ r(1) b, where: ˜ r(b) ← r + x(b) mod a. ˜ (5) Note that the simulator knows the plaintext values r(b) , and therefore the random ˜ bitwise value generation can be simulated on input ( b , r(0) , r(1) ). For the parallel ˜ ˜ generation of the si ’s, the simulator lets the adversary publish si for i = 1, . . . , t − 1, 9
  • rewinding the proof (recall that the interval proof is a proof of knowledge) lets the simulator obtain si . For the participants i = t, . . . , n − 1 he executes this phase as is. (0) (1) For Pn , he takes sn ∈R {0, 1} x + s , but he publishes sn = sn (1 − b) + sn b , where: ˜ ˜ ˜ s(b) ← sn − r + x(b) div a. ˜n He simulates the proof of knowledge (1). By construction, r, sn satisfy: ˜ ˜ x − r + a˜n = −r + asn . ˜ s (6) Phase 2. Executed as is. Note that due to (6) x satisfies: ˜ n−1 n x=x−r+a ˜ ˜ si + a˜n = −r + a s si . i=1 i=1 n Phase 3. Simulated on input x and −r + a ˜ i=1 si . Phase 4. Simulated on input ( b , r(0) , r(1) ). Notice that a − 1 − x is indeed known in ˜ ˜ ¯ plaintext. Phase 5. Executed as is. We note that the simulated view is statistically indistinguishable from the real view. To see this, first observe that by symmetry it suffices to consider b = 0. Now, the value r is taken uniformly at random from [0, a), and is perfectly indistinguishable ˜ from a value r taken at random in the real execution. The value sn is taken uniformly ˜ at random from [−z, 2 x + s − z), where z := (r + x(0) ) div a < 2 x is a fixed value. This distribution (called X) is statistically close to the uniform distribution Y on [0, 2 x + s ): the statistical distance between X and Y is ∆(X, Y ) = z/2 x + s < 2− s , which is negligible in the security parameter s . This completes the simulation, and by construction of the protocol (Prop. 2) the outcome in phase 5 indeed satisfies x + r mod a = x mod a. ¯ ˜ 6 Efficiency analysis Protocol 1 consists of a random bit generation executions and a comparison gate on bit representations of length a , and these gates need to be executed at most 2 times on average. Following Table 1, this random bitwise value generation protocol has broad- cast complexity varying between O(nk a ) (with round complexity O(n)) and O(n2 k a ) (in constant rounds). The modulo reduction protocol, Prot. 2, uses this sub-protocol, and moreover needs one comparison on bit representations of length a . Therefore, the modulo reduction protocol has average broadcast complexity varying between O(nk a ) (in O(n) rounds) and O(n2 k a ) (in constant rounds). In [7], Damg˚ et al. also construct a modulo reduction gate, although for verifiable ard secret sharing. The threshold homomorphic encryption analogue of this gate is less ef- ficient than the one proposed here. Their protocol has a broadcast complexity varying between O(nk 2 ) and O(n2 k 2 ) (with round complexities O(n + x ) and O(1), respec- x x tively). Even stronger however, in many practical applications of modulo reduction 10
  • the value a is rather small compared to x : consider for example a scenario where 100 millionaires want to securely compute an encryption of their average fortune. In this case a = 7, while x = 37 but needs to be extended to 47 to cover billionaires as well5 . Note that Damg˚ et al.’s construction requires to compute the complete bit ard representation of x, while the idea of the proposed scheme relies on the shape of a, as mentioned before. The efficiencies are summarized in Table 2. broadcast round Ours O(nk a ) O(n) O(n2 k a ) O(1) [7] O(nk 2 ) O(n + x x) O(n2 k 2 ) O(1) x Table 2. Efficiency analysis of our protocol. 7 Modulo reduction in the client/server setting In many of the practical applications of the modulo reduction protocol, for instance for secure face recognition [12] or auctions [8, 15, 26], a client/server variant would be more suitable. In this section, an efficient client/server variant of our protocol is introduced, which can be considered to be a generalization of a protocol of [12]. In the client/server setting, the server owns the secret key for decryption, and a client wants to obtain x mod a on input x with x ∈ {0, 1} x . The protocol introduced in this section relies on a comparison protocol on private inputs, for which a protocol by Erkin et al. [12] can be used, which optimizes a protocol by [8]. This protocol outputs, on private inputs v and w of the server and client, respectively, encryption [v < w] to the client. For convenience, we assume both client and server to be semi-honest, as in [12]. We recall that the server owns the decryption key for the Paillier cryptosystem with public key (N, s). Similar to Sect. 4, we introduce security parameter s such that an2 x + s < N s . We consider a public value a such that 2 a −1 < a ≤ 2 a and client’s private input x with x ∈ {0, 1} x . The protocol is given in Fig. 1. The private input comparison protocol by [12] suffices to fulfill the last round. Notice that indeed the client is not allowed to learn the plaintext value [a−1− x < r]. The proof of correctness ¯ is similar to Prop. 2, and therefore omitted. 8 Applications The modulo reduction protocol constructed in Sect. 4 can be used to compute statistics functions efficiently in the multiparty setting. Indeed, many statistics require integer 5 For simplicity we assume that the fortune of a millionaire is upper bounded by one billion. Now, the average is computed as (x1 + . . . + x100 )/100, where xi is the fortune of millionaire i. In the notation of the protocol, we have x = 100 xi and a = 100. Thus, x = 37 and a = 7. P i=1 11
  • Server Client (knows: d) (know: a) (knows: x ) r ∈R [0, a) x+ s s ∈R [0, 2 ) x ˜ x ← x − r + as ˜ ←− − − − − − − −−−−−− x ← D( x ) ˜ ˜ x ← x mod a ¯ ˜ x ¯ − − − − − − −→ −−−−−− ? comparison a − 1 − x < r ¯ ←− − − − − − − − − − − −→ c = [a − 1 − x < r] ¯ −a x mod a ← x r c ¯ Fig. 1. Modulo reduction in the client/server setting division (e.g. mean and variance), which can be computed by deploying the modulo reduction protocol. Particularly, in combination with an efficient secure multiparty sorting protocol for sorting L encrypted values6 , one can construct multiparty proto- cols for the mean, the variance, the median and the MAD (median absolute deviation). The modulo reduction protocol also allows to compute, on input of a list of encryp- tions, the percentile of the values that is below a certain threshold. We note that all of these functions require a public modulus a, as in our protocol. The possibility to compute statistics on encrypted data has many practical applica- tions, for instance in the area of medical surveys where users can enter medical data to some institute who does analysis on these data and outputs some result (a diagnostic, a result of statistical analysis, etc.): the problem with these surveys is that the medical data are privacy sensitive and users might be unwilling to reveal these data in public. Using multiparty computation, where the institute is represented by a set of multi- party computation servers, this privacy problem can be solved, but as a consequence the (statistical) analysis needs to be done in the encrypted domain instead. To this end, the modulo reduction protocol can be used. As already mentioned in Sect. 7, the protocol has many other applications, for instance in the area of secure face recogni- tion, packing of encrypted data and buyer/seller protocols. As an example on how to construct statistics protocols, we show how participants P = {P1 , . . . , Pn }, who (t, n)-threshold share the secret key for the Paillier cryptosystem, can compute the variance given L Paillier encryptions { x1 , . . . , xL }. We recall from literature that the variance is the value L−1 L (xi − x)2 , where x is the mean, 1 i=1 ¯ ¯ x1 +···+xL x= ¯ L . The computation of the other statistics functions is straightforward. 6 For the construction of a multiparty sorting protocol, one can deploy Batcher’s ‘odd-even mergesort’ [3] that requires O(L(lg L)2 ) comparisons and O((lg L)2 ) rounds, and thus results in a protocol having broadcast and round complexity O(L(lg L)2 nk) and O((lg L)2 lg ), respectively. The reader is referred to [25, Sec. 4.4] for a concrete implementation. 12
  • Example. Let X := { x1 , . . . , xL } be a set of L Paillier encryptions, such that for each i = 1, . . . , L we have xi < 2 x . The participants P want to compute var(X). Notice that this function is equivalent to computing L L 2 1 var(X) = L x2 − i xi . L(L − 1) i=1 i=1 We denote V := L L x2 − ( L xi )2 . Now, the participants can compute var(X) i=1 i i=1 in the following way: firstly using L + 1 multiplication gates, encryptions x2 and i ( L xi )2 are computed. By the homomorphic property of the cryptosystem these i=1 easily result in V . Then, the modulo reduction protocol is applied to encryption V and public modulus L(L − 1). This results in encryption var(X) = V div L(L − 1) . The remainder after division is given by V mod L(L − 1) . In order for the modulo reduction protocol to succeed we need nL4 22 x + s < N s , where (N, s) is the public key of the Paillier cryptosystem and s is a security parameter. The protocol has broadcast complexity O(nkL) and round complexity O(n). We note that the O(nkL) broadcast complexity is attained in the first phase of the protocol, the computation of V . References [1] Joy Algesheimer, Jan Camenisch, and Victor Shoup. Efficient computation modulo a shared secret with application to the generation of shared safe-prime products. In Advances in Cryptology - CRYPTO ’02, volume 2442 of LNCS, pages 417–432, Berlin, 2002. Springer-Verlag. [2] Niko Bari´ and Birgit Pfitzmann. Collision-free accumulators and fail-stop signature schemes c without trees. In Advances in Cryptology - EUROCRYPT ’97, volume 1233 of LNCS, pages 480–494, Berlin, 1997. Springer-Verlag. [3] Ken Batcher. Sorting networks and their applications. In Proceedings of the AFIPS Spring Joint Computing Conference ’68, volume 32, pages 307–314, 1968. [4] Fabrice Boudot. Efficient proofs that a committed number lies in an interval. In Advances in Cryptology - EUROCRYPT ’00, volume 1807 of LNCS, pages 431–444, Berlin, 2000. Springer- Verlag. [5] Ronald Cramer. Modular Design of Secure yet Practical Cryptographic Protocols. PhD thesis, University of Amsterdam, Amsterdam, 1997. [6] Ronald Cramer, Ivan Damg˚ ard, and Jesper Nielsen. Multiparty computation from threshold homomorphic encryption. In Advances in Cryptology - EUROCRYPT ’01, volume 2045 of LNCS, pages 280–300, Berlin, 2001. Springer-Verlag. [7] Ivan Damg˚ Matthias Fitzi, Eike Kiltz, Jesper Nielsen, and Tomas Toft. Unconditionally se- ard, cure constant-rounds multi-party computation for equality, comparison, bits and exponentiation. In Theory of Cryptography, volume 3876 of LNCS, pages 285–304, Berlin, 2006. Springer-Verlag. [8] Ivan Damg˚ Martin Geisler, and Mikkel Krøigaard. Efficient and secure comparison for on-line ard, auctions. In ACISP ’07, volume 4586 of LNCS, pages 416–430, Berlin, 2007. Springer-Verlag. [9] Ivan Damg˚ and Mads Jurik. A generalisation, a simplification and some applications of ard Paillier’s probabilistic public-key system. In Public Key Cryptography ’01, volume 1992 of LNCS, pages 119–136, Berlin, 2001. Springer-Verlag. [10] Wenliang Du and Mikhail Atallah. Privacy-preserving cooperative statistical analysis. In An- nual Computer Security Applications Conference - ACSAC ’01, pages 102–112. IEEE Computer Society, 2001. 13
  • [11] Wenliang Du, Yunghsiang Han, and Shigang Chen. Privacy-preserving multivariate statistical analysis: Linear regression and classification. In SIAM International Conference on Data Mining - SDM ’04, pages 102–112. SOAM, 2004. [12] Zekeriya Erkin, Martin Franz, Jorge Guajardo, Stefan Katzenbeisser, Inald Lagendijk, and Tomas Toft. Privacy-preserving face recognition. In Privacy Enhancing Technologies Symposium - PETS ’09, volume 5672 of LNCS, pages 235–253, Berlin, 2009. Springer-Verlag. [13] Amos Fiat and Adi Shamir. How to prove yourself: Practical solutions to identification and signature problems. In Advances in Cryptology - CRYPTO ’86, volume 263 of LNCS, pages 186–194, Berlin, 1987. Springer-Verlag. [14] Matthew Franklin and Stuart Haber. Joint encryption and message-efficient secure computation. Journal of Cryptology, 9(4):217–232, January 1996. [15] Matthew Franklin and Michael Reiter. The design and implementation of a secure auction service. IEEE Transactions on Software Engineering, 22(5):302–312, 1996. [16] Strange From and Thomas Jakobsen. Secure multi-party computation on integers. Master’s thesis, University of ˚rhus, ˚rhus, 2006. http://www.cs.au.dk/~tpj/uni/thesis/report.pdf. A A [17] Eiichiro Fujisaki and Tatsuaki Okamoto. Statistical zero knowledge protocols to prove modular polynomial relations. In Advances in Cryptology - CRYPTO ’97, volume 1294 of LNCS, pages 16–30, Berlin, 1997. Springer-Verlag. [18] Juan Garay, Berry Schoenmakers, and Jos´ Villegas. Practical and secure solutions for integer e comparison. In Public Key Cryptography ’07, volume 4450 of LNCS, pages 330–342, Berlin, 2007. Springer-Verlag. [19] Bart Goethals, Sven Laur, Helger Lipmaa, and Taneli Mielik¨inen. On private scalar product a computation for privacy-preserving data mining. In Information Security and Cryptology - ICISC ’04, volume 3506 of LNCS, pages 104–120, Berlin, 2004. Springer-Verlag. [20] Shafi Goldwasser and Silvio Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28(2):270–299, April 1984. [21] Geetha Jagannathan and Rebecca Wright. Privacy-preserving distributed k-means clustering over arbitrarily partitioned data. In KDD ’05: Proc. of the 11th ACM SIGKDD International Conference on Knowledge Discovery in Data Mining, pages 593–599, New York, 2005. ACM. [22] Markus Jakobsson and Ari Juels. Mix and match: Secure function evaluation via ciphertexts. In Advances in Cryptology - ASIACRYPT ’00, volume 1976 of LNCS, pages 162–177, Berlin, 2000. Springer-Verlag. [23] Aggelos Kiayias, B¨lent Yener, and Moti Yung. Privacy-preserving information markets for u computing statistical data. In Financial Cryptography ’09, volume 5628 of LNCS, pages 32–50, Berlin, 2009. Springer-Verlag. [24] Eike Kiltz, Gregor Leander, and John Malone-Lee. Secure computation of the mean and re- lated statistics. In Theory of Cryptography Conference - TCC ’05, pages 283–302, Berlin, 2005. Springer-Verlag. [25] Bart Mennink. Encrypted certificate schemes and their security and privacy analysis. Master’s thesis, Eindhoven University of Technology, Eindhoven, 2009. [26] Moni Naor, Benny Pinkas, and Reuban Sumner. Privacy preserving auctions and mechanism design. In ACM Conference on Electronic Commerce, pages 129–139, New York, 1999. ACM. [27] Pascal Paillier. Public-key cryptosystems based on composite degree residuosity classes. In Advances in Cryptology - EUROCRYPT ’99, volume 1592 of LNCS, pages 223–238, Berlin, 1999. Springer-Verlag. [28] Berry Schoenmakers and Andrey Sidorenko. Distributed generation of uniformly random bounded integers. Unpublished manuscript, October 1, 2007. [29] Berry Schoenmakers and Pim Tuyls. Practical two-party computation based on the conditional gate. In Advances in Cryptology - ASIACRYPT ’04, volume 3329 of LNCS, pages 119–136, Berlin, 2004. Springer-Verlag. [30] Berry Schoenmakers and Pim Tuyls. Efficient binary conversion for Paillier encrypted values. In Advances in Cryptology - EUROCRYPT ’06, volume 4004 of LNCS, pages 522–537, Berlin, 2006. Springer-Verlag. 14
  • [31] SecureSCM. Secure computation models and frameworks. Technical Report D9.1, SecureSCM, July 2008. http://www.securescm.org. [32] Jaideep Vaidya and Chris Clifton. Privacy-preserving k-means clustering over vertically parti- tioned data. In KDD ’03: Proc. of the 9th ACM SIGKDD International Conference on Knowledge Discovery in Data Mining, pages 206–215, New York, 2003. ACM. [33] Liangliang Xiao, Mulan Liu, and Zhifang Zhang. Statistical multiparty computation based on random walks on graphs. Cryptology ePrint Archive, Report 2005/337, 2005. http://eprint. iacr.org/2005/337. 15