What Crypto Can Do for You: Solutions in Search of Problems
Anna Lysyanskaya, Brown University
Who Puts Together the Big Picture?
Cryptography tells us:
For any efficiently computable function F, there is an “efficient” interactive algorithm that n data owners, P1(x1),…,Pn(xn), can run together such that:
• They learn F(x1, x2, …, xn)
• Other than that, Pi learns nothing about xj, j ≠ i
[Yao, GMW, BGW, …]
How to compute the intersection without learning the rest of each other’s sets?
[FMP04,…,BCCKLS09,…,KMRS14]
Step 1: Alice’s set becomes a polynomial
Alice’s set: 12, 18, 5, 6, 31
p(x) = (x-12)(x-18)(x-5)(x-6)(x-31) mod q = x^5 + c4·x^4 + c3·x^3 + c2·x^2 + c1·x + c0
Coefficients: c4 c3 c2 c1 c0
Step 2: Alice encrypts her polynomial using an “additive” encryption scheme for which she holds the decryption key
Alice’s encrypted polynomial p(x): E(c4) E(c3) E(c2) E(c1) E(c0)
Additive property: E(x) * E(y) = E(x+y) [Paillier’99]
Step 3: Alice sends the encrypted polynomial to Bob
Alice’s encrypted polynomial p(x): E(c4) E(c3) E(c2) E(c1) E(c0)
Step 4: Bob evaluates the encrypted polynomial on his set
Alice’s encrypted polynomial p(x): E(c4) E(c3) E(c2) E(c1) E(c0)
Bob’s set: 42, 5, 24, 12, 3
p(42) = 42^5 + c4·42^4 + c3·42^3 + c2·42^2 + c1·42 + c0 mod q
E(p(42)) = E(42^5) * E(c4)^(42^4) * E(c3)^(42^3) * E(c2)^(42^2) * E(c1)^42 * E(c0)
p(x) evaluated on Bob’s set: E(p(42)) E(p(5)) E(p(24)) E(p(12)) E(p(3))
which is: E(p(42)) E(0) E(p(24)) E(0) E(p(3))
Note: p(y) = 0 iff y is in Alice’s set
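Steps 1 to 4 as a runnable sketch, added here as an example and not taken from the talk. Assumptions: the function names are hypothetical, the Paillier key is a toy one (its modulus N plays the role of q), and Bob additionally blinds each result as E(r·p(y) + y), a step the slides do not show, so that Alice learns nothing about p(y) for elements outside her set.

```python
import secrets

# Toy key built from two Mersenne primes, constructed for this demo only;
# a real deployment needs a properly generated Paillier key.
P, Q = 2**89 - 1, 2**107 - 1
N, PHI = P * Q, (P - 1) * (Q - 1)
N2 = N * N
MU = pow(PHI, -1, N)  # decryption constant, known only to Alice

def enc(m):
    """Paillier with g = N + 1: E(m) = (1 + m*N) * r^N mod N^2."""
    r = secrets.randbelow(N - 1) + 1
    return (1 + (m % N) * N) * pow(r, N, N2) % N2

def dec(c):
    return (pow(c, PHI, N2) - 1) // N * MU % N

def poly_coeffs(roots):
    """Step 1: [c0, ..., c_{k-1}] of the monic product of (x - a) mod N."""
    coeffs = [1]
    for a in roots:
        nxt = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):
            nxt[i] = (nxt[i] - a * c) % N
            nxt[i + 1] = (nxt[i + 1] + c) % N
        coeffs = nxt
    return coeffs[:-1]  # leading coefficient is 1 and is not sent

def alice_send(alice_set):
    """Steps 2-3: Alice encrypts the coefficients and sends them to Bob."""
    return [enc(c) for c in poly_coeffs(alice_set)]

def bob_evaluate(enc_coeffs, bob_set):
    """Step 4 on ciphertexts only, plus blinding: E(r*p(y) + y) per element."""
    replies = []
    for y in bob_set:
        acc = enc(pow(y, len(enc_coeffs), N))            # E(y^k), monic term
        for i, ec in enumerate(enc_coeffs):
            acc = acc * pow(ec, pow(y, i, N), N2) % N2   # * E(c_i)^(y^i)
        r = secrets.randbelow(N - 1) + 1
        replies.append(pow(acc, r, N2) * enc(y) % N2)
    secrets.SystemRandom().shuffle(replies)              # hide Bob's ordering
    return replies

def alice_intersect(replies, alice_set):
    """A reply decrypts to y when p(y) = 0, else to a random-looking value."""
    return sorted(set(alice_set) & {dec(c) for c in replies})

if __name__ == "__main__":
    a, b = [12, 18, 5, 6, 31], [42, 5, 24, 12, 3]
    print(alice_intersect(bob_evaluate(alice_send(a), b), a))
```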
A More General Solution for Two Parties: Yao’s Encrypted Circuit
[Figure: Alice’s logical circuit C; Bob’s input x (0, 1, 1); encrypted circuit; oblivious transfer of keys]
A More General Solution for N Parties: Secure Multi-Party Computation
• Split the computation into logical steps (ANDs, ORs, NOTs) or algebraic steps (ADD, MULT)
• Securely evaluate step by step
[GMW, BGW, …]