Efficient Cryptographic Protocol Design Based On Distributed El Gamal Encryption
Felix Brandt
1 Introduction
Secure multiparty computation (MPC) deals with protocols that allow a group
of agents to jointly compute a function of their individual private inputs, so
that only the function value is revealed in the end. Since Yao’s and Goldreich
et al’s seminal completeness results [Yao86,GMW87], it is well known that any
function can be computed securely if trapdoor permutations exist. However, the
general constructions in [Yao86,GMW87] have proven to be rather inefficient and
unpractical. It has been shown that general MPC is feasible in a constant number
of rounds with polynomial communication complexity for various settings such
as 2-party MPC (without fairness) [Lin01] or n-party MPC (with an honest
majority) [BMR90]. Although theoretically interesting, the constructions of the
underlying proofs do not yield practical constant-round MPC schemes due to
the extensive use of generic proofs of knowledge.
In this paper, we propose a set of cryptographic techniques that enable the
efficient computation of “low-complexity” functions in the presence of active
adversaries. These techniques, some of which have been known for some time, can
be used straightforwardly to construct round-efficient protocols for the equality
function (solving the so-called socialist millionaires’ problem), the Boolean
or function (e.g., for veto voting), or the maximum function. Furthermore, we
show how to privately count the number of true Boolean disjunctions of literals
and pairwise exclusive disjunctions of literals. Applications include efficient
two-party protocols for computing the Hamming distance of two bitstrings and
the greater-than function (thus providing a solution to Yao’s millionaires’
problem [Yao82] in which two millionaires (Alice and Bob) want to find out who
is richer without revealing their wealth). Our primary objective when designing
these protocols was to minimize round complexity, as interaction over a computer
network is usually the most time-consuming operation in distributed protocols.
Our protocol for the millionaires’ problem only requires 6 rounds of interaction
(in the random oracle model) and its communication complexity is $O(kQ)$, where
$k$ is the length of the bitstrings to be compared and $Q$ is a security parameter. To
the best of our knowledge, this is the most efficient constant-round protocol for
the millionaires’ problem. Under reasonable conditions (see Section 5.2), each
party only needs to communicate about 73 Kbytes of data. This is achieved by
exploiting the homomorphicity of the underlying encryption scheme when
evaluating a modified Boolean formula for the greater-than function. The protocol
is correct with error probability $O(2^{-Q})$. It does not provide fairness, i.e., one
party might learn the outcome and leave the other party uninformed by quitting
the protocol prematurely. However, fairness can be obtained by using known
standard techniques of gradual exchange (see, e.g., [GMY04]). For this paper,
we assume that there is either a fairness-providing third party, i.e., a party that
neither reveals information nor quits prematurely,¹ or that only one of the agents,
say Alice, is supposed to learn the function value.
Many representations for general secure MPC have been suggested in the
literature: Boolean circuits [Yao86], arithmetic circuits [GMW87], branching
programs [Kil88], low degree polynomials [BFKR90], randomizing polynomials
[IK00], etc. Our approach differs in that we provide a set of efficient building
blocks (distributed homomorphic encryption, random exponentiation, and
verifiable mixing) for which there exist efficient proofs of correctness and use these
to construct special-purpose protocols for a limited, but nevertheless relevant,
group of functions.
Our primitives are built around El Gamal encryption [El 85] because it allows
for the efficient generation of distributed keys and because encrypted values
can easily be exponentiated with jointly created random numbers. The building
blocks can be used for any number of parties. We consider full privacy, i.e.,
(n − 1)-privacy, rather than threshold privacy.2 Any party that deviates from
the prescribed protocol can be identified (because it fails to prove its correctness
in zero-knowledge) and removed from the set of participants. There are very
efficient (honest-verifier) zero-knowledge proofs to show the correctness of each
protocol step (see Section 3.2).
The remainder of this paper is structured as follows. In Section 2, we review
related work. Section 3 contains building blocks to be used in the protocols.
Basic protocols consisting of these primitives are presented in Section 4, whereas
more sophisticated protocols based on the evaluation of simple Boolean formulae
are proposed in Section 5. The paper concludes with a summary of the results
and a brief outlook in Section 6.

¹ Please note that such a third party will not be able to learn any information besides
the outcome.
² Threshold privacy can easily be obtained by using standard secret sharing techniques.
2 Related Work
3 Building Blocks
This section contains building blocks to enable the construction of efficient
protocols for simple functions. At the heart of the system lies El Gamal encryption
because it allows for the easy generation of distributed keys and because
encrypted values can be exponentiated with a shared random number in a single
round. This random exponentiation will be used as a blinding step in our
protocols, as it transforms every plaintext, except 1, into a meaningless random
number.
We suggest the following general methodology for efficiently computing
low-complexity functions: All parties publish encryptions of their inputs in a
representation, e.g., binary (see Section 5) or unary (see Section 4.3), that at
the same time allows efficient proofs of correctness and further processing in
order to compute the function outcome. By exploiting the homomorphic property
of the underlying encryption scheme, participants compute a vector of encrypted
values that contains the function outcome but may also contain additional,
unwanted information. In order to get rid of this information, all agents jointly
execute random exponentiations for each vector component. Finally, if needed,
components can be shuffled to only reveal if (or how many) vector components
equal 1. We stress the fact that we do not rely on a strict Boolean or arithmetic
representation of the function. We rather suggest a bottom-up approach, i.e.,
trying to represent the function by using the mentioned limited set of primitives.
⁴ Furthermore, the protocol in [PBDL04] is flawed because the proposed primitive
“complex zero test” reveals statistical information.
3.1 El Gamal Encryption
$$(\alpha, \beta) = (m y^r, g^r)$$
Alice needs to send $2 \log p + \log q$ bits. It is possible to show the equality of any
polynomial number of discrete logarithms in parallel. Thus, for showing that the
discrete logarithms of $k$ values are equal, Alice only sends $k \log p + \log q$ bits.
Proof that an encrypted value is one out of two values. The following
protocol was proposed by Cramer et al [CGS97]. Alice proves that an El Gamal
encrypted value $(\alpha, \beta) = (m y^r, g^r)$ either decrypts to 1 or to a fixed value $z \in G_q$
without revealing which is the case; in other words, it is shown that $m \in \{1, z\}$.
4 Basic Protocols
where, as above, the $M_j$ are jointly created random numbers. For all $j$ greater
than the maximum, $D(A_j)$ is equal to 1. All other $D(A_j)$ are random numbers.
Clearly, the drawback of this protocol is that its communication complexity is
linear in $k$, i.e., exponential in the length of the bitstrings. Nevertheless, it can be
practical for small $k$.
⁹ Similar protocols previously appeared in various contexts, e.g., password
authentication key exchange or the “plaintext equality test” in [JJ00].
5 Counting Boolean Disjunctions of Literals
In this section, we will show how the primitives defined in Section 3 can be
used to evaluate simple Boolean expressions. Consider $n$ parties whose inputs
are bitstrings $b_i$ of length $k$. We define $E[b]$ to be an (El Gamal) encryption of
bit $b$ if $E[0]$ decrypts to 1 and $E[1]$ decrypts to any other number in $G_q$:
$$D[E[b]] \in \begin{cases} \{1\} & \text{if } b = 0 \\ G_q \setminus \{1\} & \text{otherwise.} \end{cases}$$
As in Section 4.3, let $Y$ be an arbitrary, publicly known, fixed element of $G_q \setminus \{1\}$.
Before the actual protocol starts, each agent publishes encryptions of his
individual input bits so that
$$E[b_{ij}] = \begin{cases} E(1) & \text{if } b_{ij} = 0 \\ E(Y) & \text{otherwise.} \end{cases}$$
The correctness of inputs can be efficiently proven by showing that each
ciphertext either decrypts to 1 or to $Y$ without revealing which case holds (Section 3.2).
Based on this representation, we can count the number of true Boolean
disjunctions of literals and pairwise exclusive disjunctions of literals by computing
$$f(b_1, b_2, \ldots, b_n) = \#\left( \bigvee_{r} L_r \;\vee\; \bigvee_{s,t} (L_s \oplus L_t) \right) \qquad (1)$$
– Exclusive Disjunctions
The exclusive or of pairs of literals can be computed by dividing the
encryptions of these bits,
$$E[L_s \oplus L_t] = \frac{E[L_s]}{E[L_t]}.$$
When combining these exclusive ors via the disjunction operator, it has to
be made sure that two encryptions that represent $E[1]$ do not “accidentally”
multiply to $E[0]$. This can be achieved by raising the $d$th factor to the $2^{d-1}$th
power:
$$E\left[\bigvee_{d=1}^{k} (L_{s_d} \oplus L_{t_d})\right] = \prod_{d=1}^{k} \left(\frac{E[L_{s_d}]}{E[L_{t_d}]}\right)^{2^{d-1}}.$$
– Count Operator
Finally, we can count the number of true bits in a vector of encrypted bits by
consecutively letting each party verifiably shuffle its vector of bits (see
Section 3.2), thus effectively emulating a mix-net. After exponentiating each
component with a jointly created random number (as described in
Section 3.1) and decrypting all components, the number of true bits is exactly
the number of components not equal to 1.
An efficient 6-round protocol for computing this function can be designed based
on the constructions proposed in the beginning of this section. For reasons of
limited space, we just spell out the similar, but more sophisticated, protocol for
computing the greater-than function in the following section.
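To make the building blocks of Section 3 and the encoding of this section concrete, here is an added Python example written for this edit (it is not code from the paper or its author). It simulates all parties in one process over a constructed toy group: a 48-bit safe prime $p = 2q+1$ found at import time, $g = 4$ generating $G_q$, and $Y = g^3$ as the public element of $G_q \setminus \{1\}$. It implements distributed key generation ($y = g^{\sum x_h}$), El Gamal encryption, the homomorphic product, quotient and exponentiation, the single-round random exponentiation (each party contributes $c^{m_h}$, so the joint exponent is $\sum m_h$), joint decryption, the exclusive or by division, the disjunction with weights $2^{d-1}$, and the count operator. Two simplifications are assumptions of the example: the verifiable shuffle and the zero-knowledge proofs of Section 3.2 are replaced by a plain random permutation with no proofs, and the bitstring length $k$ satisfies $2^k < q$. The function names (`enc_bit`, `blind`, `count_true`, `hamming_distance`, `veto`) are the example's own, not the paper's.

```python
import secrets

def is_probable_prime(n):
    """Miller-Rabin with fixed bases (deterministic for n < 3.3e24)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2: return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits=48):
    """Constructed toy parameters (not a production group): the smallest safe prime
    p = 2q + 1 with q >= 2^bits; g = 4 is a quadratic residue != 1, so it generates G_q."""
    q = (1 << bits) + 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G = safe_prime_group()
Y = pow(G, 3, P)                  # public fixed element of G_q \ {1}; E[1] decrypts to Y

class Party:
    """One agent holding a key share x_h; the joint public key is y = g^(sum x_h)."""
    def __init__(self):
        self.x = secrets.randbelow(Q - 1) + 1
        self.y_share = pow(G, self.x, P)

def joint_public_key(parties):
    y = 1
    for pt in parties:
        y = y * pt.y_share % P
    return y

def encrypt(y, m):                # (alpha, beta) = (m y^r, g^r) with m in G_q
    r = secrets.randbelow(Q - 1) + 1
    return (m * pow(y, r, P) % P, pow(G, r, P))

def enc_bit(y, b):                # E[0] = E(1), E[1] = E(Y)
    return encrypt(y, Y if b else 1)
def inv(a):                       # a lies in G_q (order q), so a^(q-1) = a^-1
    return pow(a, Q - 1, P)
def mul(c1, c2):                  # homomorphic product: E(m1) * E(m2) = E(m1 m2)
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)
def div(c1, c2):                  # E(m1) / E(m2) = E(m1 / m2)
    return (c1[0] * inv(c2[0]) % P, c1[1] * inv(c2[1]) % P)
def power(c, e):                  # E(m)^e = E(m^e)
    return (pow(c[0], e, P), pow(c[1], e, P))

def blind(parties, c):
    """Random exponentiation in one round: each party publishes c^(m_h), the product is
    c^(sum m_h). A plaintext 1 stays 1; any other plaintext becomes random unless sum m_h = 0 mod q."""
    acc = (1, 1)
    for _ in parties:
        acc = mul(acc, power(c, secrets.randbelow(Q - 1) + 1))
    return acc

def joint_decrypt(parties, c):
    alpha, beta = c
    for pt in parties:            # each party removes its own factor beta^(x_h)
        alpha = alpha * pow(beta, Q - pt.x, P) % P
    return alpha

def or_of_bits(cts):
    """E[L_1 v ... v L_k] = prod_d E[L_d]^(2^(d-1)); the weights stop two E[1]s cancelling; needs 2^k < q."""
    acc = (1, 1)
    for d, c in enumerate(cts, start=1):
        acc = mul(acc, power(c, 1 << (d - 1)))
    return acc

def count_true(parties, cts):
    """Count operator: every party shuffles the list in place (a plain permutation stands in
    for the verifiable shuffle), all parties blind each component, then decrypt and count non-1s."""
    for _ in parties:
        secrets.SystemRandom().shuffle(cts)
    return sum(joint_decrypt(parties, blind(parties, c)) != 1 for c in cts)

def hamming_distance(parties, y, b1, b2):
    """#(b_1d xor b_2d): E[L_s xor L_t] = E[L_s] / E[L_t], then the count operator."""
    return count_true(parties, [div(enc_bit(y, s), enc_bit(y, t)) for s, t in zip(b1, b2)])

def veto(parties, y, votes):
    """Boolean or of all inputs (veto voting): the blinded result decrypts to 1 iff no vote is 1."""
    c = or_of_bits([enc_bit(y, v) for v in votes])
    return joint_decrypt(parties, blind(parties, c)) != 1
```

Usage: create `ps = [Party() for _ in range(3)]`, derive `y = joint_public_key(ps)`, then `hamming_distance(ps, y, [1, 0, 1, 1, 0], [1, 1, 0, 1, 1])` returns 3 and `veto(ps, y, [0, 0, 1, 0])` returns True. The one failure mode the paper's proof sketch discusses is visible in `blind`: the joint exponent is $\sum m_h \bmod q$, and with $q \approx 2^{48}$ the chance that a non-1 plaintext is blinded to 1 is $2^{-48}$ per component, which is the $O(2^{-Q})$ error term of the paper.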
The outer disjunction is exclusive, i.e., at most one of the $k$ terms can be satisfied.
By applying De Morgan’s laws, the right expression in Implication 2 can be
rewritten as
$$\bigvee_{j=1}^{k} \neg \underbrace{\left( \neg b_{1j} \vee b_{2j} \vee \bigvee_{d=j+1}^{k} (b_{1d} \oplus b_{2d}) \right)}_{B_j :=}.$$
Using the techniques proposed at the beginning of this section, the inner term
$B_j$ can be computed as follows.
$$E[B_j] = \frac{Y \cdot E[b_{2j}]}{E[b_{1j}]} \cdot \prod_{d=j+1}^{k} \left(\frac{E[b_{1d}]}{E[b_{2d}]}\right)^{2^{d-2}}.$$
Recall that the outer disjunction is exclusive, i.e., counting the number of false
$B_j$’s will yield either 0 or 1. This implies that $b_1 > b_2$ holds if and only if
$\#(B_j) = k - 1$. For this reason, the following procedure suffices: Alice sends a verifiable
shuffle of all $E[B_j]$ to Bob, who verifiably shuffles the resulting ciphertexts himself
and sends them back to Alice. Finally, both parties raise each $E[B_j]$ to a jointly
created random exponent $M_j$ and decrypt all $(E[B_j])^{M_j}$. If any of these values
equals 1, then $b_1 > b_2$, i.e., Alice is richer than Bob. The detailed 6-round
protocol is given in Figure 1.
In the remainder of this section, we use the millionaires’ protocol as an
example to analyze the security and efficiency of our proposed techniques.
Proof. (sketch)
Correctness: The protocol only fails when the random exponentiation for any
outcome vector “accidentally” yields a one, i.e., $\sum_{h=1}^{n} m^{h}_{ij} = 0 \bmod q$ for any $i$
and $j$. Due to the exponential size of $G_q$ and the polynomial number of output
components, the probability of this event is negligible. The error probability of the
protocol is $(1 - (1 - 2^{-Q})^k) = O(2^{-Q})$, where $Q = \log q$. The malleability of
El Gamal encryption does not pose a problem because the parties prove that they
know each plaintext using non-malleable zero-knowledge proofs.
Security: The security of the El Gamal cipher as well as of the applied zero-knowledge
proofs can be based on the intractability of the decisional Diffie-Hellman
assumption [TY98]. The security of the distributed El Gamal cipher, in particular Pedersen’s
straightforward key generation [Ped91], which might result in non-uniformly
distributed keys, follows from a recent argument by Gennaro et al [GJKR03]. Since
encryption keys are essentially distributed by using 2-out-of-2 secret sharing,
privacy cannot be breached (unless Alice and Bob collude). □
6 Conclusion
¹⁰ 36 bits are currently sufficient to compare the wealth of any given pair of human
beings with a precision of one US dollar.
Figure 1 (fragment; only the following parts of the protocol figure survive on this page):
Depending on $i \in \{1, 2\}$, the directions address Alice ($i = 1$) or Bob ($i = 2$).
– Publish $\alpha_{ij} = Y^{b_{ij}} \cdot y^{r_{ij}}$ and $\beta_{ij} = g^{r_{ij}}$ for each $j$.
– Prove that $\forall j: \log_g(\beta_{ij})$ equals $\log_y(\alpha_{ij})$ or $\log_y\left(\frac{\alpha_{ij}}{Y}\right)$ (Section 3.2).
Round 3: Mix output (1/2)
$$\gamma_j = \frac{Y \cdot \alpha_{2j}}{\alpha_{1j}} \cdot \prod_{d=j+1}^{k} \left(\frac{\alpha_{1d}}{\alpha_{2d}}\right)^{2^{d-2}} \quad \text{and} \quad \delta_j = \frac{\beta_{2j}}{\beta_{1j}} \cdot \prod_{d=j+1}^{k} \left(\frac{\beta_{1d}}{\beta_{2d}}\right)^{2^{d-2}}$$
References
[ACS02] J. Algesheimer, J. Camenisch, and V. Shoup. Efficient computation mod-
ulo a shared secret with application to the generation of shared safe-prime
products. In Proc. of 22nd CRYPTO Conference, volume 2442 of LNCS,
pages 417–432. Springer, 2002.
[AMP04] G. Aggarwal, N. Mishra, and B. Pinkas. Secure computation of the kth-
ranked element. In Proc. of 21st Eurocrypt Conference, volume 3027 of
LNCS, pages 40–55. Springer, 2004.
[BF97] D. Boneh and M. Franklin. Efficient generation of shared RSA keys. In
Proc. of 17th CRYPTO Conference, volume 1294 of LNCS, pages 425–439.
Springer, 1997.
[BFKR90] D. Beaver, J. Feigenbaum, J. Kilian, and P. Rogaway. Security with low
communication overhead. In Proc. of 10th CRYPTO Conference, number
537 in LNCS, pages 62–76. Springer, 1990.
[BGN05] D. Boneh, E. Goh, and K. Nissim. Evaluating 2-DNF formulas on cipher-
texts. In Proc. of 2nd Theory of Cryptography Conference (TCC), volume
3378 of LNCS, pages 325–341. Springer, 2005.
[BMR90] D. Beaver, S. Micali, and P. Rogaway. The round complexity of secure
protocols. In Proc. of 22nd STOC, pages 503–513. ACM Press, 1990.
[BST01] F. Boudot, B. Schoenmakers, and J. Traoré. A fair and efficient solution
to the socialist millionaires’ problem. Discrete Applied Mathematics, 111(1-
2):23–36, 2001.
[CC00] C. Cachin and J. Camenisch. Optimistic fair secure computation. In Proc. of
20th CRYPTO Conference, volume 1880 of LNCS, pages 93–111. Springer,
2000.
[CDN01] R. Cramer, I. Damgård, and J. B. Nielsen. Multiparty computation from
threshold homomorphic encryption. In Proc. of 18th Eurocrypt Conference,
volume 2045 of LNCS, pages 280–300. Springer, 2001.
[CDS94] R. Cramer, I. Damgård, and B. Schoenmakers. Proofs of partial knowledge
and simplified design of witness hiding protocols. In Proc. of 14th CRYPTO
Conference, volume 893 of LNCS, pages 174–187. Springer, 1994.
[CGS97] R. Cramer, R. Gennaro, and B. Schoenmakers. A secure and optimally
efficient multi-authority election scheme. In Proc. of 14th Eurocrypt Con-
ference, volume 1233 of LNCS, pages 103–118. Springer, 1997.
[CP92] D. Chaum and T. P. Pedersen. Wallet databases with observers. In Proc. of
12th CRYPTO Conference, volume 740 of LNCS, pages 3.1–3.6. Springer,
1992.
[Dam02] I. Damgård. On Σ-protocols. Lecture Notes, University of Aarhus, Depart-
ment for Computer Science, 2002.
[DDO+01] A. De Santis, G. Di Crescenzo, R. Ostrovsky, G. Persiano, and A. Sahai.
Robust non-interactive zero knowledge. In Proc. of 21st CRYPTO Confer-
ence, volume 2139 of LNCS, pages 566–598. Springer, 2001.
[DK01] I. Damgård and M. Koprowski. Practical threshold RSA signatures without
a trusted dealer. In Proc. of 18th Eurocrypt Conference, volume 2045 of
LNCS, pages 152–165. Springer, 2001.
[El 85] T. El Gamal. A public key cryptosystem and a signature scheme based on
discrete logarithms. IEEE Transactions on Information Theory, 31:469–472,
1985.
[Fis01] M. Fischlin. A cost-effective pay-per-multiplication comparison method for
millionaires. In Proceedings of the Cryptographers’ Track at the 10th RSA
Conference, volume 2020 of LNCS, pages 457–472, 2001.
[FS87] A. Fiat and A. Shamir. How to prove yourself: Practical solutions to iden-
tification and signature problems. In Proc. of 12th CRYPTO Conference,
LNCS, pages 186–194. Springer, 1987.
[Gil99] N. Gilboa. Two party RSA key generation. In Proc. of 19th CRYPTO
Conference, volume 1666 of LNCS, pages 116–129. Springer, 1999.
[GJKR99] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Secure distributed key
generation for discrete-log based cryptosystems. In Proc. of 16th Eurocrypt
Conference, volume 1592 of LNCS, pages 295–310. Springer, 1999.
[GJKR03] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Applications of Ped-
ersen’s distributed key generation protocol. In Proc. of Cryptographers’
Track at the 12th RSA Conference, volume 2612 of LNCS, pages 373–390.
Springer, 2003.
[GMW87] O. Goldreich, S. Micali, and A. Wigderson. How to play any mental game
or a completeness theorem for protocols with honest majority. In Proc. of
19th STOC, pages 218–229. ACM Press, 1987.
[GMY04] J. Garay, P. MacKenzie, and K. Yang. Efficient and secure multi-party
computation with faulty majority and complete fairness. To appear, 2004.
[Gro03] J. Groth. A verifiable secret shuffle of homomorphic encryptions. In Proc. of
6th PKC Conference, volume 2567 of LNCS, pages 145–160, 2003.
[IG03] I. Ioannidis and A. Grama. An efficient protocol for Yao’s millionaires’ prob-
lem. In Proc. of 36th Hawaii International Conference on System Sciences
(HICSS), pages 205–210. IEEE Press, 2003.
[IK00] Y. Ishai and E. Kushilevitz. Randomizing polynomials: A new represen-
tation with applications to round-efficient secure computation. In Proc. of
41st FOCS Symposium, pages 294–304. IEEE Press, 2000.
[JJ00] M. Jakobsson and A. Juels. Mix and match: Secure function evaluation via
ciphertexts. In Proc. of 6th Asiacrypt Conference, volume 1976 of LNCS,
pages 162–177. Springer, 2000.
[Kil88] J. Kilian. Founding cryptography on oblivious transfer. In Proc. of 20th
ACM STOC, pages 20–31. ACM Press, 1988.
[KO02] K. Kurosawa and W. Ogata. Bit-slice auction circuit. In Proc. of 7th Eu-
ropean Symposium on Research in Computer Security (ESORICS), volume
2502 of LNCS, pages 24–38. Springer, 2002.
[Lin01] Y. Lindell. Parallel coin-tossing and constant-round secure two-party com-
putation. In Proc. of 21st CRYPTO Conference, volume 2139 of LNCS,
pages 171–189. Springer, 2001.
[LT05] H.-Y. Lin and W.-G. Tzeng. An efficient solution to the Millionaires’ Prob-
lem based on homomorphic encryption. In Proc. of 3rd International Con-
ference on Applied Cryptography and Network Security (ACNS), volume
3531 of LNCS, pages 456–466, 2005.
[NN01] M. Naor and K. Nissim. Communication preserving protocols for secure
function evaluation. In Proc. of 33rd STOC, pages 590–599. ACM Press,
2001.
[NPS99] M. Naor, B. Pinkas, and R. Sumner. Privacy preserving auctions and mech-
anism design. In Proc. of 1st ACM Conference on E-Commerce, pages
129–139. ACM Press, 1999.
[Pai99] P. Paillier. Public-key cryptosystems based on composite degree residuosity
classes. In Proc. of 16th Eurocrypt Conference, volume 1592 of LNCS, pages
223–238. Springer, 1999.
[PBDL04] K. Peng, C. Boyd, E. Dawson, and B. Lee. An efficient and verifiable
solution to the millionaire problem. In Proc. of 7th International Conference
on Information Security and Cryptology (ICISC), volume 3506 of LNCS,
pages 51–66. Springer, 2004.
[Ped91] T. Pedersen. Non-interactive and information-theoretic secure verifiable
secret sharing. In J. Feigenbaum, editor, Proc. of 11th CRYPTO Conference,
volume 576 of LNCS, pages 129–140. Springer, 1991.
[Sch91] C. P. Schnorr. Efficient signature generation by smart cards. Journal of
Cryptology, 4(3):161–174, 1991.
[Sch96] B. Schneier. Applied Cryptography. John Wiley and Sons, Inc., 2nd edition,
1996.
[ST04] B. Schoenmakers and P. Tuyls. Practical two-party computation based on
the conditional gate. In Proc. of 10th Asiacrypt Conference, number 3329
in LNCS, pages 119–136. Springer, 2004.
[TY98] Y. Tsiounis and M. Yung. On the security of ElGamal-based encryption.
In Proc. of 1st International Workshop on Practice and Theory in Public
Key Cryptography (PKC), volume 1431 of LNCS, pages 117–134. Springer,
1998.
[Yao82] A. C. Yao. Protocols for secure computation. In Proc. of 23rd FOCS Sym-
posium, pages 160–164. IEEE Computer Society Press, 1982.
[Yao86] A. C. Yao. How to generate and exchange secrets. In Proc. of 27th FOCS
Symposium, pages 162–167. IEEE Computer Society Press, 1986.