Hi everybody, I'm Geoffroy Couteau, and this talk is going to be about encryption switching protocols. This is a joint work with Thomas Peters and David Pointcheval.

So secure two-party computation addresses the challenge of computing some public function F. You have two players, Alice and Bob, who each hold a private input X1 and X2, and they would like to compute F on those inputs without revealing anything more than the result. In particular, they don't want to reveal anything at all on their own input. There have been various methods designed in the past to address this cryptographic challenge, based on a large variety of tools and primitives. One of the most common primitives that have been used to build two-party computation protocols is homomorphic encryption.

So quickly, a public-key homomorphic encryption scheme is a public-key encryption scheme: you have a public key which allows you to encrypt and a secret key which allows you to decrypt, and you have in addition an algorithm Eval, which takes as input an encrypted message M, the public key and some function from some class of functions, and outputs an encryption of F(M). So it allows you to evaluate functions on the plaintext without having to know the secret key of the scheme.

And it's fairly easy to see how we can build two-party computation out of homomorphic encryption. If you have a homomorphic encryption scheme for some class of functions, think for example of linear operations, then you can let the players encrypt their inputs, broadcast those encryptions, locally evaluate the function homomorphically on those encrypted inputs, and they end up with an encryption of the output. And then there are methods to recover the output from an encrypted output using a joint decryption protocol. So if, for example, you want to build a two-party computation protocol for linear operations, then you can use the Paillier encryption scheme, which is linearly homomorphic, and if you want to evaluate a function which is like exponentiations, monomials or any product function, then you can let the players use the ElGamal cryptosystem, which is multiplicatively homomorphic.

If you want to do more, well, obviously it's way harder. If, for example, you want to be able to evaluate both additions and multiplications, then if you can do so you can evaluate any circuit in a gate-by-gate fashion. But it's still possible, and it's called fully homomorphic encryption. So fully homomorphic encryption lets you evaluate any function given a ciphertext, without having to decrypt the ciphertext. But current implementations of fully homomorphic encryption schemes are quite slow, so the natural approach for building secure two-party computation out of homomorphic encryption is to say instead: well, let's forget about having an encryption scheme which is multiplicatively homomorphic; we'll just assume that we have an additively homomorphic encryption scheme, and we will evaluate all the additive gates of our circuit homomorphically and locally, but we will pay for each multiplicative gate using a dedicated multiplication protocol. So this will cost interaction and communication. Still, this way of building two-party computation schemes has produced extremely efficient protocols, so it's a quite efficient method.

But in this work, we try to have a different approach, and so our core observation was: well, we already have additively homomorphic encryption schemes which do allow us to evaluate homomorphically and locally any kind of linear operation, without interaction, communication, whatever. And we also already have multiplicatively homomorphic encryption schemes which let us evaluate multiplications, exponentiations and so on locally and homomorphically. So what if we could somehow make them work together? And by making them work together, I mean: could we build some encryption switching protocol, which is a protocol that will take as input a ciphertext encrypting some message M and output a ciphertext encrypting the same message M, but with the other cryptosystem? The security requirement for such a switching protocol is that this will be a two-party protocol, and during this two-party protocol no player must learn anything about the message M, the plaintext M which is contained both in the input ciphertext and in the output ciphertext.

And if we had such a switching protocol, it's quite easy to see that we can easily have secure two-party computation for any function: you write your circuit as layers of linear operations and multiplicative operations. Each time you want to evaluate linear operations, you use Paillier encryptions of the inputs and you evaluate these operations homomorphically, and each time you need to go to the next layer, then you just have to switch to multiplicatively homomorphic ciphertexts, and you can keep on evaluating everything homomorphically, and so on, until you get an encryption of the output.

Okay, but what would be the benefit of doing so? Because we already have, as I said, extremely efficient multi-party computation protocols based on paying for each multiplicative gate. So here the advantage is essentially that you won't have to pay for each multiplicative gate. Think for example of a circuit where at some point many multiplicative gates are grouped together. You can think for example of a circuit which at some point computes an exponentiation; this involves many multiplications, and instead of paying in terms of communication for each of those multiplicative gates,
here you will just have to switch to a multiplicatively homomorphic encryption scheme, evaluate everything locally, and then switch back. So essentially, doing two-party computation out of two complementary homomorphic encryption schemes together with an encryption switching protocol allows to have two-party computation protocols which might be sublinear in the size of the circuit, if the circuit is well structured, like multiplication gates are kind of grouped together and so on.

Okay, so I said that we would like to build such an encryption switching protocol. This is our goal in this work, for the Paillier encryption scheme and the ElGamal encryption scheme. So let me present them in slightly more detail. The Paillier cryptosystem is a semantically secure cryptosystem whose semantic security relies on the decisional composite residuosity assumption, which states that if you take an RSA modulus n, the product of two safe primes, it's computationally infeasible to distinguish n-th powers from random elements over Z_{n^2}. On the other hand, we have the ElGamal cryptosystem, whose semantic security relies on the decisional Diffie-Hellman assumption, which states that you cannot distinguish tuples of the form (g, g^a, g^b, g^{ab}) from uniformly random tuples, and which is multiplicatively homomorphic. And the important thing is: the Paillier cryptosystem allows you to encrypt any plaintext over Z_n, while the ElGamal cryptosystem allows you to encrypt any plaintext which belongs to a group over which the decisional Diffie-Hellman assumption is believed to hold.

And you might already see the problem here. When I ask "can we build an encryption switching protocol?", the question that should come first is: does that even make sense?
Because my encryption switching protocol ideally will take an encryption of some message and output another encryption of the same message. So it must at least be meaningful to talk about an encryption, with the other scheme, of the same message. So we must at least have encryption schemes where the two plaintext spaces have some intersection, and moreover we really need that the two plaintext spaces are essentially the same, because if it's not the case, our encryption switching protocol could be used to distinguish, during a two-party computation protocol, between inputs on which we can switch, which do belong to the intersection of the plaintext spaces, and inputs on which we cannot switch, which would cause a failure, and so this would leak information on the inputs of the players in our two-party computation protocol.

So what we would need would be to have two cryptosystems, an additively homomorphic one and a multiplicatively homomorphic one, that operate on the same plaintext space. And unfortunately, while Paillier does allow you to encrypt over Z_n, the decisional Diffie-Hellman assumption doesn't hold over Z_n, nor does it hold over Z_n^*, the set of invertible elements over Z_n. And so our first task, if we want even our goal to make sense, will be to design a variant of the ElGamal cryptosystem which remains multiplicatively homomorphic, but which will allow us to encrypt messages over Z_n, so as to complement the Paillier cryptosystem. That makes sense.

Okay, so we will start with a slightly simpler goal, which would be to design an ElGamal-like multiplicatively homomorphic cryptosystem over Z_n^*. So let's dig a bit into the structure of Z_n^*. You can see Z_n^* has been divided into four equal-size parts. The two columns here correspond to elements having Jacobi symbol one or minus one, while the two rows here correspond to elements having what I call sign one or minus one. And the group of elements with Jacobi symbol minus one here is J_n. This is a larger subgroup of Z_n^*.

And so, as our goal is to build an ElGamal-like encryption scheme, we need to have some hardness assumption to rely on. So let's see what is hard over Z_n^*. Not DDH: as I said before, DDH doesn't hold over Z_n^*. But the decisional Diffie-Hellman assumption is believed to hold over the subgroup of squares, even if the players know the factorization, because it reduces to the decisional Diffie-Hellman assumption over the subgroup of squares of both Z_p and Z_q, where p and q are the factors of our modulus. Moreover, it is believed to be computationally infeasible to distinguish between squares and minus squares over J_n. This is the quadratic residuosity assumption, but this holds only when players do not know the factorization; it's at least easier than factorization. Computing the Jacobi symbol is always easy, even if players do not know the factorization.

So the hard task essentially will be to hide this Jacobi symbol when encrypting a plaintext from Z_n^*. Because you can easily see that if we can encrypt with ElGamal over the squares, and if it's impossible to distinguish squares from minus squares, then essentially it means that if no player knows the factorization, we can use an ElGamal-like cryptosystem over J_n. Everything works fine.
The hard part is encrypting and hiding the Jacobi symbol of the plaintext. So let's see how we will do it.

To encrypt a message M, we first add to the public key some uniformly random element k with Jacobi symbol minus one, so from the second column here, and a generator g of J_n. And the decomposition of M will be a tuple (a, M1), so that a is a uniformly random value which will be even if M has Jacobi symbol one and odd if M has Jacobi symbol minus one, so that k^a has the same Jacobi symbol as M. And M1 is the value that satisfies M = k^a × M1, and you can easily see that M1 always has Jacobi symbol minus one, because the product of two elements with Jacobi symbols, let's say, alpha and beta has Jacobi symbol alpha × beta. So this M1 part does belong to J_n, so we can simply encrypt it over J_n using a standard ElGamal cryptosystem.

The hard part is hiding this k^a, and this is done as follows. While it is easy to distinguish between k^{2x} and k^{2x+1}, this is just computing the Jacobi symbol, it's believed to be infeasible to distinguish between our two rows here. So we will encode this k^a as g^a, so that k^a having Jacobi symbol one is equivalent to g^a being a square. So from g^a you cannot recover the Jacobi symbol unless you break the quadratic residuosity assumption. And it's quite easy to see that this encryption remains multiplicatively homomorphic, because that one is multiplicatively homomorphic and for that one we just changed the basis.

So what remains to see is whether we can decrypt that, because it looks like we might have to compute some discrete log here to decrypt. The intuitive way of avoiding having to compute a discrete log would be to add, let's say, the discrete log of k in base g to our secret key, so as to reconstruct k^a from g^a using this discrete log. But this doesn't make sense, as k and g don't belong to the same group at all: g is the generator of J_n, k has Jacobi symbol minus one. But what we do is essentially that, mod p and mod q. We generate k by picking two uniformly random values t1 and t2 with opposite parities, and we set k to be g^{t1} mod p and g^{t2} mod q, and we reconstruct k mod n using the Chinese remainder theorem. And as we wanted t1 and t2 to have opposite parities, this is guaranteed to be an element with Jacobi symbol minus one. But now, from g^a, using t1 and t2 we can construct k^a mod p and mod q, and again reconstruct k^a using the Chinese remainder theorem, while the ElGamal part is quite easy to decrypt. So we just reconstruct this k^a, decrypt the second part and recover the message M.

Okay, so this works, it's fine, but I promised Z_n. For the moment we only have an encryption scheme over Z_n^*. So a first step, a very small step toward getting Z_n, would be to add a zero. So that's what we will do first: how to build a multiplicatively homomorphic encryption scheme over Z_n^* ∪ {0}. The trick here is quite simple. Any element over Z_n^* ∪ {0} will be encoded as a pair of elements, both over Z_n^*, so that we don't lose the multiplicative properties. And so to encode a message M, an encoding would be (M, 1) if M is non-zero, and if M is zero then our encoding will be (random, random). Why? Because then if you multiply, term by term, many such encodings, either the first part is what you're looking for, the product of all the messages, or at some point some random value happened in the computation, and it's a uniformly random value that loses all information on the messages. And the second part of the encoding allows you to check whether this is a zero, in which case you would have a random value, or whether all the messages that were multiplied were non-zero, in which case the second part will be a one. And so what we do is simply: we encode each message from Z_n^* ∪ {0} as a pair of messages over Z_n^*, and we encrypt both elements of our pair with the scheme that we just designed over Z_n^*.

This is still not Z_n, but almost. And by almost, I mean that if no player knows the factorization, then it's computationally infeasible to find an element which will be in Z_n but not in Z_n^* ∪ {0}, because any such element is a multiple of either p or q, and so finding such an element is perfectly equivalent to finding the factorization of n. And so it is possible to assume that no player will know the factorization by using a threshold encryption scheme instead of just a standard encryption scheme. So in our construction, rather than using standard homomorphic encryption schemes, we will use threshold schemes, in which the secret key of the scheme is secretly shared between the two players, so that each player individually has no knowledge of the full secret key. And then decryption of some message is performed by using a joint decryption procedure, which is an interactive protocol which outputs the plaintext contained in the ciphertext, and such distributed decryption procedures are known for most homomorphic public-key encryption schemes. And so that's all: what we can do is simply work with a threshold scheme instead of a standard scheme, and we can just assume that everything will be exactly as if our ElGamal scheme over Z_n^* ∪ {0} was in fact a scheme over Z_n, and we know that with overwhelming probability this won't cause any error in the protocol, and this can be formally proven.

Okay, so now we kind of have an ElGamal-like, multiplicatively homomorphic variant of the ElGamal encryption scheme, and we can assume that it works over Z_n somehow. So our goal was to build an encryption switching protocol out of that, and so rather than presenting the full construction I will give a toy scheme which will give you the intuition on how we can do that, and
in particular our toy scheme won't even handle the case where M is 0. But the core idea in this encryption switching protocol is: if we have an additive scheme and a multiplicative scheme, they are likely to have very different algebraic properties. However, they must share at least one common algebraic property, which is that in both schemes you can have external multiplication: either on the additive scheme by using a square-and-multiply algorithm, or in the multiplicative scheme by just encrypting your external value beforehand and then performing the multiplication.

Okay, so we have two players, and they start with an additive encryption of some message M. To make the presentation simpler, we assume here that M is non-zero and the players know that. The first player picks a uniformly random value R and, using the fact that it can do external multiplication on the additive scheme, it multiplies R inside this encryption of M, which gives an encryption of R × M. And he sends a multiplicatively homomorphic encryption of R^{-1}. Then both players perform a joint decryption protocol using their shares of the secret key of the additive scheme, think first of all of the Paillier scheme, so that only the second player learns the result. And as we assume here that M was non-zero, this R × M leaks no information on M; it's a uniformly random value over the plaintext space. So with this R × M we can again use this external multiplication, but on the other scheme: the second player simply multiplies this R × M into the encryption of R^{-1} and sends back the result, which is an encryption of M. And that's it. So that's a toy scheme; you can see many problems here related to the fact that we would have to randomize things, but okay. And so what do we have to do next to solve all the other problems related to encryption switching protocols?
Well, first we have to deal with the other direction, which essentially requires to build a joint encryption procedure for the multiplicative scheme that we designed. We need to extend the construction so that it handles the case where the plaintext is zero; that adds some more technicalities in the paper. Prove formally that if we have all of that, complementary homomorphic encryption schemes and an encryption switching protocol, we can evaluate any function. That's quite long and technical, but there is nothing particularly exceptional with this. And add security against malicious adversaries. This is quite interesting, because at some point it requires to be able to prove statements of the form "two different encryption schemes do encrypt the same message", and no efficient proof for such a statement appears in the literature, so we had to design one. And it appears that this gives new zero-knowledge proofs for various more classical statements, so this is a side contribution of the paper. And that's all. Thank you for your attention.
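The Jacobi-symbol-hiding ElGamal variant over Z_n^* described in the talk (the decomposition M = k^a × M1, the g^a encoding of k^a, and the CRT-based recovery of k^a from t1 and t2), as an added toy implementation that is not the authors' code: the tiny safe primes 23 and 47 are constructed parameters with no security, and the helper names (jacobi, crt, keygen, encrypt, decrypt, demo) are mine.

```python
import random
from math import gcd

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; easy without knowing the factorization."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def crt(rp, rq, p, q):
    # Reconstruct x mod p*q from (x mod p, x mod q).
    return (rp + p * ((rq - rp) * pow(p, -1, q) % q)) % (p * q)

def keygen(p, q):
    """p, q safe primes (3 mod 4): J_n is cyclic and -(square) generates it."""
    n = p * q
    while True:
        s = random.randrange(2, n - 1)
        if gcd(s, n) == 1 and pow(s, 2, p) != 1 and pow(s, 2, q) != 1:
            break
    g = (-pow(s, 2, n)) % n
    # k = g^t1 mod p and g^t2 mod q with t1, t2 of opposite parity, glued by CRT;
    # this forces the Jacobi symbol (k/n) to be -1 (the talk's second column).
    t1, t2 = random.randrange(p - 1), random.randrange(q - 1)
    if t1 % 2 == t2 % 2:
        t2 += 1
    k = crt(pow(g, t1, p), pow(g, t2, q), p, q)
    x = random.randrange(1, n)                       # ElGamal secret exponent
    return (n, g, pow(g, x, n), k), (p, q, t1, t2, x)

def encrypt(pk, m):
    """(g^a, g^r, h^r * m1) where m = k^a * m1 and a is odd iff (m/n) = -1."""
    n, g, h, k = pk
    a = 2 * random.randrange(n) + (jacobi(m, n) == -1)   # parity of a tracks (m/n)
    m1 = m * pow(k, -a, n) % n                       # (m1/n) = 1, so m1 lies in J_n
    r = random.randrange(1, n)
    return pow(g, a, n), pow(g, r, n), pow(h, r, n) * m1 % n

def decrypt(pk, sk, c):
    n = pk[0]
    p, q, t1, t2, x = sk
    u, c1, c2 = c
    ka = crt(pow(u, t1, p), pow(u, t2, q), p, q)     # k^a from g^a, no discrete log
    m1 = c2 * pow(pow(c1, x, n), -1, n) % n          # ordinary ElGamal decryption
    return ka * m1 % n

def demo(p=23, q=47, ma=5, mb=7):
    # Returns ((k/n), Dec(Enc(ma)), Dec(Enc(ma) * Enc(mb)), ma*mb mod n).
    pk, sk = keygen(p, q)
    n = pk[0]
    ca, cb = encrypt(pk, ma), encrypt(pk, mb)
    prod = tuple(u * v % n for u, v in zip(ca, cb))  # componentwise = homomorphic product
    return jacobi(pk[3], n), decrypt(pk, sk, ca), decrypt(pk, sk, prod), ma * mb % n
```

Running demo() shows that k indeed lands in the Jacobi-symbol-minus-one column, that decryption recovers k^a through t1 and t2 without any discrete logarithm, and that multiplying the two ciphertexts componentwise yields an encryption of the product.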