2.3 Oblivious Transfer
2.3.2 Applications and Extensions
Before we look at the applications and extensions, we will provide an example to show the operation of an oblivious transfer scheme and to help explain the associated conditions. This example considers an oblivious transfer protocol between two parties, Alice and Bob. Alice plays the role of the sender, while Bob plays the role of the receiver.
1. Alice generates an instance of the RSA cryptosystem and sends the public key $(e, N)$ to Bob.
2. Alice chooses two random messages $x_0, x_1 \in \mathbb{Z}$ and sends them to Bob.
3. Bob selects one of the two messages and computes $v = (x_b + k^e) \bmod N$, where $b \in \{0, 1\}$, $e$ is the public key of Alice, and $k \in \mathbb{Z}$ is chosen randomly. Bob sends $v$ to Alice.
4. Alice computes two possible $k$ values as $k_0 = (v - x_0)^d \bmod N$ and $k_1 = (v - x_1)^d \bmod N$, where $d$ is the private key of Alice. Alice sends $m'_0 = m_0 + k_0$ and $m'_1 = m_1 + k_1$ to Bob.
5. Bob computes either $m_0 = m'_0 - k$ or $m_1 = m'_1 - k$, according to his choice of $x_b$.
This simple example demonstrates the two main requirements of oblivious transfer. First, Alice cannot determine which message Bob received: because $k$ is chosen at random, the value $v$ sent in step 3 does not reveal which of $x_0, x_1$ Bob selected. Second, Bob is unable to learn both messages in one iteration of this protocol, because only one of $k_0, k_1$ is the actual $k$ value chosen by Bob.
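As an added worked example (not part of the thesis), the five steps above implemented in Python with constructed toy RSA parameters ($p = 61$, $q = 53$, $e = 17$) and integer-valued messages; the function names are assumptions made here for clarity, and the final call shows that Bob recovers exactly the message he chose while $k$ is useless against the other one.

```python
import random

# Constructed toy RSA parameters (p, q, e are far too small for real use; for illustration only).
def rsa_keygen(p=61, q=53, e=17):
    """Step 1: textbook RSA instance; returns public key (e, N) and private key d."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # d = e^{-1} mod phi(N), Python 3.8+
    return (e, n), d

def alice_step2(pub):
    """Step 2: Alice picks two distinct random values x0, x1 in Z_N and sends them to Bob."""
    _, n = pub
    x0 = random.randrange(n)
    x1 = random.randrange(n)
    while x1 == x0:            # distinct values guarantee k0 != k1 in step 4
        x1 = random.randrange(n)
    return x0, x1

def bob_step3(pub, x0, x1, b, k=None):
    """Step 3: Bob chooses b in {0,1} and random k, sends v = (x_b + k^e) mod N."""
    e, n = pub
    if k is None:
        k = random.randrange(1, n)
    v = ((x0, x1)[b] + pow(k, e, n)) % n
    return v, k

def alice_step4(pub, d, x0, x1, v, m0, m1):
    """Step 4: Alice derives k0, k1 (exactly one equals Bob's k) and blinds both messages."""
    _, n = pub
    k0 = pow((v - x0) % n, d, n)
    k1 = pow((v - x1) % n, d, n)
    return m0 + k0, m1 + k1     # m'_0 and m'_1, added over the integers as in the text

def bob_step5(m0_blind, m1_blind, b, k):
    """Step 5: Bob unblinds the message matching his choice; k does not unblind the other."""
    return (m0_blind, m1_blind)[b] - k

def run_ot(m0, m1, b, k=None):
    """Run one full iteration; returns (message Bob gets, Bob's attempt on the other one)."""
    pub, d = rsa_keygen()
    x0, x1 = alice_step2(pub)
    v, k = bob_step3(pub, x0, x1, b, k)
    m0_blind, m1_blind = alice_step4(pub, d, x0, x1, v, m0, m1)
    return bob_step5(m0_blind, m1_blind, b, k), bob_step5(m0_blind, m1_blind, 1 - b, k)

if __name__ == "__main__":
    got, other = run_ot(1234, 5678, b=1)
    print("Bob received:", got, "| his attempt on the other message:", other)
```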
The work of Naor and Pinkas [74] was developed into what is known as adaptive oblivious transfer [75, 22, 23], which is denoted as $OT^N_{k \times 1}$. Contrasting with the original oblivious transfer, adaptive oblivious transfer enables the user to successively query the database server, where each sequential query is based on the query history. The basic structure is in two phases. In the first phase, a commitment of keys is transferred from the server to the user, which takes $O(N)$ work, where $N$ is the number of elements. In the second phase, these commitments are adaptively queried and, with each query, one (and only one) is revealed. The original construction of $OT^N_{k \times 1}$ used the idea of sum consistent synthesizers that have two identifying properties: (1) the function $S$ is sum consistent (e.g. for all $x_1, x_2, y_1, y_2$ where
random. They realise this component in the standard model using the Decisional Diffie Hellman assumption.
One of the most attractive reasons for creating an efficient oblivious transfer scheme [76] is that it permits secure multi-party computation [48] via Yao's Garbled Circuit method [103] (or some variation of this idea [62]). Briefly, a circuit is represented as a tree structure in which every input is replaced by a key from a predefined range. Once this tree is constructed, it is evaluated by obtaining the keys at the leaf nodes using oblivious transfer.
Cryptanalysis of a Somewhat Homomorphic Encryption Scheme
This chapter is based on content from the paper entitled 'Cryptanalysis of Brenner et al.'s Somewhat Homomorphic Encryption Scheme', which was published in the Australasian Information Security Conference 2013. We begin this chapter by reviewing the performance results for fully homomorphic encryption schemes. We then turn our attention to the security of the somewhat homomorphic encryption schemes, which are used as a foundation to construct fully homomorphic encryption schemes. In particular, we explore the security claims of a somewhat homomorphic encryption scheme by Brenner, Perl and Smith [15].
It is easy to see that the content in this chapter enables the creation of private queries, and hence, protection for the client. Thus, it suits the private query/public server privacy model type given in Chapter 1.
3.1 Practicality of Fully Homomorphic Schemes
Initial efforts to implement a fully homomorphic encryption scheme proved impractical for anything other than theoretical interest [39]. There have since been improvements, due to [94], that increase the performance of the original scheme proposed by Gentry.
Different optimisations and techniques have been introduced to improve the performance of fully homomorphic schemes. The original fully homomorphic encryption scheme was based on ideal lattices, which contained additional structure that can potentially be exploited. To overcome this potential weakness, a scheme based on the standard Learning With Errors (LWE) problem was introduced [11]. The scheme included a unique re-linearisation that was used after multiplication of two ciphertexts to transform a quadratic into a standard linear size ciphertext.
A modulus switching technique has been proposed as a better method for managing the noise associated with ciphertexts [12]. Essentially, we can choose a large $q$ and have a series of levels down to zero, where at each level we scale back the ciphertext by $(p/q)$, which reduces the noise without requiring the bootstrapping procedure.
A technique was explored to achieve SIMD fully homomorphic encryption [41]. Due to the noise associated with adding and multiplying, a scheme is designed whereby many messages can be packed into one ciphertext. Hence, adding and multiplying ciphertexts operates on many messages at once. They also describe a clever permutation trick that allows one to achieve a complete set of operations.
Certain applications, like cloud computing, require endless computation on data since we want to delegate our data processing and storage to a third party. However, it seems that a somewhat homomorphic scheme (without bootstrapping) is also useful if the function to be evaluated is simple and a known stopping point exists. In other words, we know the exact function we wish to compute, and we can set the parameters of the scheme such that it avoids decryption errors.
The security of somewhat homomorphic encryption schemes, which have been introduced recently as a stepping stone to achieve fully homomorphic encryption, is based on new hardness assumptions. These are not as well known and not as well studied as classical security assumptions like the discrete logarithm problem. A recent work [15] aims to fill this gap by constructing a somewhat homomorphic encryption scheme that is as hard as factoring a large semiprime integer. Before we investigate the security properties of this scheme, we will explore the security problem of a previous scheme, which is also based on elementary number theory for its construction.