Encryption Switching Protocols
 2.6k Downloads
Abstract
We formally define the primitive of encryption switching protocol (ESP), allowing to switch between two encryption schemes. Intuitively, this twoparty protocol converts given ciphertexts from one scheme into ciphertexts of the same messages under the other scheme, for any polynomial number of switches, in any direction. Although ESP is a special kind of twoparty computation protocol, it turns out that ESP implies general twoparty computation (2PC) under natural conditions. In particular, our new paradigm is tailored to the evaluation of functions over rings. Indeed, assuming the compatibility of two additively and multiplicatively homomorphic encryption schemes, switching ciphertexts makes it possible to efficiently reconcile the two internal laws. Since no such pair of publickey encryption schemes appeared in the literature, except for the noninteractive case of fully homomorphic encryption which still remains prohibitive in practice, we build the first multiplicatively homomorphic ElGamallike encryption scheme over \((\mathbb {Z}_n,\times )\) as a complement to the Paillier encryption scheme over \((\mathbb {Z}_n,+)\), where n is a strong RSA modulus. Eventually, we also instantiate secure ESPs between the two schemes, in front of malicious adversaries. This enhancement relies on a new technique called refreshable twin ciphertext pool, which we show being of independent interest. We additionally prove this is enough to argue the security of our general 2PC protocol against malicious adversaries.
Keywords
Encryption Scheme Homomorphic Encryption Oblivious Transfer Message Space Random Coin1 Introduction
The development of the Internet witnessed the explosive growth of the amount of available data. We now live in an era of big data in which there is an always increasing need for efficient tools to store and manipulate huge quantities of information. While most companies now outsource their data to get an arbitrarily large storage capacity with efficient access, manipulating data in the Cloud raises many security issues. Secure multiparty computation (MPC) has thus gained tremendous importance by providing privacypreserving tools allowing manipulations of sensitive inputs.
Secure TwoParty and Multiparty Computation. Secure twoparty computation (2PC) targets the following problem: Alice and Bob, modeled as probabilistic polynomialtime algorithms, wish to jointly compute a public function f of their respective inputs x and y, while keeping them private. We will focus on the case where Alice only gets the final result f(x, y), while Bob should learn nothing, but this is not really a loss of generality. To this end, they perform an interactive protocol, that is expected to be correct (i.e., the final output of the protocol is indeed f(x, y)) and private (i.e., no one can learn from his own view any information that he could not have deduced from his input, and the outcome f(x, y) for Alice). Secure multiparty computation is the natural extension of this problem to more than two players. Two kinds of adversarial behaviors are usually considered: semihonest adversaries (a.k.a. honestbutcurious) follow the specifications of the protocol and try to get as much information as possible from the transcript, while malicious adversaries might deviate from these specifications in any way to gain more information.
Starting with the seminal work of Yao [41], there have been a vast amount of publications targeting secure twoparty and multiparty computation. Today’s most efficient schemes are based on various paradigms, such as secret sharing with preprocessing (e.g. TinyOT [32], SPDZ [11], MiniMac [12]), oblivious transfers [1], garbled circuits [28], or homomorphic encryption [10]. In addition, there are several hybrid constructions which combine various approaches (e.g. garbled circuit and homomorphic encryption in [21], secret sharing and garbled circuits in [13]). Most of those schemes are very efficient when the circuit to be computed is of low depth. However, when highdepth circuits are involved, the efficiency drops down: protocols based on secret sharing, oblivious transfers, partially homomorphic encryption, or garbled circuits have a communication proportional to the depth of the circuit. At the exception of the latter one, they also have a round complexity proportional to the depth of the circuit. This can be avoided with somewhat homomorphic encryption, but as soon as the circuit has a high depth, the players will have to rely on prohibitively expensive bootstrapping procedures. In the honestbutcurious setting, hybrid protocols might provide efficient solutions in some particular cases (although they will still suffer from comparable downsides in general, as they combine approaches which do all have such downsides). However, enhancing hybrid protocols efficiently to security against malicious adversaries is highly nontrivial, due to the lack of a common structure between the various elements manipulated in those protocols; in fact, [13, 21] do only consider the honestbut curious setting.
Switching Between Homomorphic Schemes. The existence of very efficient MPC protocols for circuits containing a large number of additions, and few multiplications, suggests that multiplications might be way more expensive than additions. However, there exist encryption schemes which are multiplicatively homomorphic, the most famous one being the ElGamal encryption scheme [14]. In such cryptosystems, multiplications come essentially for free, but additions cannot be performed (unless a fully homomorphic scheme is used). Therefore, a natural way to design a MPC protocol in which multiplications would not incur a significant overhead compared to additions would be to combine a multiplicative cryptosystem with an additive cryptosystem: multiplications would be performed homomorphically on multiplicative ciphertexts, and additions on additive ciphertexts. The missing ingredient in such a protocol is a procedure to convert a multiplicative (resp. additive) ciphertext into an additive (resp. multiplicative) ciphertext encrypting the same plaintext: an encryption switching protocol.
To our knowledge, three papers have considered switching between ciphertexts under different homomorphic schemes in the past. The concept was initially introduced in [17], where the authors propose a variant of the ElGamal encryption scheme to work over \({\mathbb {Z}_n ^*} \), together with a protocol to switch between this scheme and the Paillier scheme. In [40], a trusted software is used to switch between various homomorphic schemes. In a recent unpublished paper [27], the authors propose methods to switch from the ElGamal scheme to the Paillier scheme, to evaluate DNF formulae.
As [40] relies on a trusted software, it cannot be compared to our work, which does not make this assumption. Moreover, we found both [17, 27] to be flawed: in [17], a variant of the ElGamal encryption scheme is proposed; however, the public key of the scheme contains a square root \(\beta \) of unity with Jacobi symbol \(1\). But then, computing \(\gcd (\beta 1,n)\) gives a nontrivial factor of n. Hence, the scheme leaks the factorization of the modulus. In [27], the following variant of the ElGamal scheme is proposed: to encrypt \(m \in {\mathbb {Z}_n ^*} \), pick a random scalar r in \({\mathbb {Z}_n ^*} \) and output \((g^r \bmod n, mh^r\bmod n)\), where g is a square (\(g = 16\) in the article) and h is \(g^x\) for some secret key x. Given a ciphertext \((c_0,c_1)\), any player can compute the Jacobi symbol of \(c_0\) and \(c_1\), and check whether they are equal or different. The former case corresponds to the Jacobi symbol of m being 1, while the latter case corresponds to the Jacobi symbol of m being \(1\): the scheme leaks the Jacobi symbol of the plaintext, which contradicts the semantic security, at least in \({\mathbb {Z}_n ^*} \).
Indeed, constructing a multiplicatively homomorphic variant of the ElGamal encryption scheme that is still semantically secure over \({\mathbb {Z}_n ^*} \) (and a fortiori over \(\mathbb {Z}_n \)) turns out to be a nontrivial task.
Our Contribution. In this work, we formally define encryption switching protocol (ESP), which allows two players to interactively and obliviously convert an encryption of a message m with a cryptosystem \(\varPi _1\) to an encryption of the same message with a cryptosystem \(\varPi _2\), provided that m lies in the intersection of the plaintext spaces of the cryptosystems. To instantiate this primitive, we introduce (and formally prove the security of) a new multiplicatively homomorphic variant of the ElGamal encryption scheme whose plaintext space is \({\mathbb {Z}_n ^*} \). To our knowledge, our scheme is the first secure construction of a multiplicatively homomorphic INDCPA encryption scheme over \({\mathbb {Z}_n ^*} \) and might be of independent interest. We extend our variant of the ElGamal cryptosystem to a space which is “nearly” equal to \(\mathbb {Z}_n \), in a sense that we formally define. We then construct encryption switching protocols between our new scheme and the Paillier encryption scheme. Our ESPs (between the two encryption schemes, in both directions) have a constant communication (counted as a number of group elements), and their security relies on standard assumptions (the decisional composite residuosity, the decisional DiffieHellman, and the quadratic residuosity assumptions). In addition to its application to twoparty computation, which will be outlined afterward, we believe that the primitive of ESP is of theoretical interest on its own.
To demonstrate the generality of our approach, we construct a generic twoparty computation protocol over a ring \((\mathscr {R},\oplus ,\otimes )\) assuming the existence of homomorphic cryptosystems for each law, \(\oplus \) and \(\otimes \), and encryption switching protocols. We formally prove that our generic protocol achieves the standard security notions for twoparty computation. Our new paradigm is particularly suited for high depth circuits.
We then turn our attention to the malicious setting. The natural way to provide security against malicious adversaries is to ask each player to prove, using a zeroknowledge proof, that he behaved honestly. However, ESPs can be seen as hybrid protocols, as they combine primitives with very different structures (in our case, the ElGamal scheme and the Paillier scheme). As is often the case in hybrid schemes, the lack of a common algebraic structure between the schemes prevents us from using standard zeroknowledge proofs. We tackle this issue by introducing a new technique for zeroknowledge, which we call a refreshable twinciphertext pool. In addition to providing an efficient way to enhance the security of ESPs to the malicious setting, we show that our new technique allows us to improve over several classical zeroknowledge proofs, such as proofs of knowledge of a double logarithm, or proof of primality of a committed value, which is of independent interest.
A nice feature of our twoparty computation paradigm is that it is in fact sufficient to instantiate it with an ESP secure against malicious adversaries for the full generic twoparty computation protocol to be secure against malicious adversaries.
Related Work. We already mentioned (and argued the insecurity of) [17, 27] which design methods for switching between homomorphic schemes, and [40], which relies on a trusted software to achieve a comparable goal. Fully homomorphic encryption (FHE), gathering both additive and multiplicative homomorphic properties in a single encryption scheme, has been a long standing open problem until the seminal work of Gentry [18]. It relies on a somewhat homomorphic encryption scheme, that allows to perform a bounded number of operations, and a technique called bootstrapping to remove this bound. Our work can be seen as a similar line of work, using homomorphic encryption schemes (HEs) to perform an unlimited number of specific operations, and then relying on a switching technique to replace one HE by another one to get access to other specific operations. However, a fundamental difference is that the bootstrapping is a noninteractive technique, while our encryption switching protocols are interactive.
We stress that our ESP primitive makes use of shared decryption keys to obliviously decrypt and reencrypt under the other encryption scheme, with a similar public key. This is totally different from proxy reencryption, where the proxy knows a key to convert a ciphertext under one key into a ciphertext under another independent key. For instance, disclosure of secret key of one encryption scheme in our realization breaks the semantic security of the other one too.
Preliminaries. Because of lack of space, basics on classical tools are postponed to the full version [6] (as well as the optimizations and detailed proofs), and the reader is recommended to refer to it for more details. But in short, a publickey encryption scheme \(\varPi \) is defined by the four algorithms \((\mathsf {Setup},\mathsf {KeyGen},\mathsf {Enc},\mathsf {Dec})\), where the two first generate the global parameters and the keys, and the two others encrypt and decrypt. If nothing else is specified we assume that a correctly encrypted message is always returned back by the decryption algorithm. We denote \(\mathscr {M} \) the message space.
Throughout this paper, \(\kappa \) denotes the security parameter. The notation Open image in new window indicates that x is sampled uniformly at random from the finite set S. We write \(a=b \bmod n\) to specify that \(a=b\) in \(\mathbb {Z}_n \) and we write \(a\leftarrow [b \bmod n]\) to affect the smallest nonnegative integer to a so that \(a=b \bmod n\).
2 TwoParty Computation from ESPs
We introduce a theoretical framework for alternating between different encryption schemes: the new primitive of encryption switching protocol (ESP) allows to switch a ciphertext under an encryption scheme into a ciphertext of the same message under the other encryption scheme without damaging their semantic security. We define this primitive as a 2party protocol and we show that secure ESP implies secure general 2party computation under natural conditions. This is the first main contribution of the paper.
2.1 Definitions
Definition 1
 1.
\(c_1\) is an encryption of \(m_1 \in \mathscr {M} _1\) under \(\varPi _1\);
 2.
\(c_2\) is an encryption of \(m_2 \in \mathscr {M} _2\) under \(\varPi _2\);
 3.
\(m_1 = m_2\) (which in turn belongs to \(\mathscr {M} _1 \cap \mathscr {M} _2\)).
Given an encryption c of a message \(m \in \mathscr {M} _1 \cap \mathscr {M} _2\), under one of the two above encryption schemes, we will say that any ciphertext \(c'\) which does encrypt m under the other encryption scheme is a twin ciphertext of c.
On the other hand, if c and \(c'\) encrypt the same m under the same encryption scheme, they are said equivalent. Informally, given a ciphertext c of a plaintext m under one of the two above encryption schemes, an encryption switching protocol (ESP) describes how users A and B, sharing the decryption key, can interact to construct a twin ciphertext of c. This is of course under the restriction that the plaintext m lies in the intersection of the two message spaces. We focus on two encryption schemes that use common \(\mathsf {Setup}\) and \(\mathsf {KeyGen}\) algorithms for generating the global parameters and the keys^{1}.
Definition 2

\(\mathsf {Share} (\mathsf {pk},\mathsf {sk})\) given the common keys \(\mathsf {sk}\) and \(\mathsf {pk}\) of both schemes, it outputs a secret sharing \((\mathsf {sk} _A,\mathsf {sk} _B)\) of \(\mathsf {sk}\) and updates \(\mathsf {pk} \) if necessary. The party A (resp. B) is intended to be given \(\mathsf {sk} _A\) (resp. \(\mathsf {sk} _B\));

\(\mathsf {Switch} _\mathsf {par} ((\mathsf {pk},\mathsf {sk} _A,c),(\mathsf {pk},\mathsf {sk} _B,c))\) is an interactive protocol in the direction \(\mathsf {par} \in \{{\scriptstyle 1\rightarrow 2},{\scriptstyle 2\rightarrow 1}\}\) which, from a ciphertext c under the source encryption scheme, jointly computes a twin ciphertext \(c'\) of c under the target encryption scheme or outputs \(\bot \) (in case of problems during the protocol execution).
2.2 Security Notions
We expect ESP not to break the INDCPA security of the encryption schemes, even in front of malicious adversaries: the adversary \(\mathscr {A}\) is given \(\mathsf {pk} \), but since it plays against Alice or Bob it can choose either \(\mathsf {sk} _B\) or \(\mathsf {sk} _A\), respectively. Then, even interacting with an oracle that emulates the other party as an honest player, \(\mathscr {A}\) should not be able to break INDCPA security of neither \(\varPi _1\) nor \(\varPi _2\). Let us more formally define this security notion.
Definition 3
( \(\mathscr {O}_A\) and \(\mathscr {O}_B\) Oracles). For appropriate keys \((\mathsf {pk},\mathsf {sk} _A,\mathsf {sk} _B)\), we denote the stateful oracle \(\mathscr {O}_A({\scriptstyle i\rightarrow j},c,\textsf {Flow})\) that emulates the honest player A: it provides the answers A would send back upon receiving the flow \(\textsf {Flow} \) when running the protocol \(\mathsf {Switch} _{\scriptstyle i\rightarrow j}((\mathsf {pk},\mathsf {sk} _A,c),(\mathsf {pk},\mathsf {sk} _B,c))\). We similarly define the oracle \(\mathscr {O}_B\) that emulates the honest player B. A special flow ‘Start’ is used to initialize the protocol.
In our target application of 2PC, these oracles will not be available on any input, but on controlled ciphertexts only. Hence our following security notion.
Definition 4
(ESP Security). An encryption switching protocol \(\varPi _1\rightleftharpoons \varPi _2\) is secure if it is strongly sound and zeroknowledge (see below).
The soundness property guarantees that no malicious player can successfully force the outcome of \(\mathsf {Switch}\) not to be a twin ciphertext of the input, when the input is indeed a switchable ciphertext. The strong requirement means that the soundness holds even if the adversary is also given the whole secret key \(\mathsf {sk}\) (or both \(\mathsf {sk} _A\) and \(\mathsf {sk} _B\)), instead of just one of the two shares.
Definition 5
The zeroknowledge property guarantees that no information leaks about the secret key shares to a malicious player when switches are performed on switchable ciphertexts: its view can be simulated without any additional information than its own secret share.
Definition 6

Oracle \(\mathscr {O}'_B({\scriptstyle i\rightarrow j},c,\bar{c},\textsf {Flow})\): on input a direction \({\scriptstyle i\rightarrow j}\), a ciphertext c under the encryption scheme \(\varPi _i\), a ciphertext \(\bar{c}\) under the encryption scheme \(\varPi _j\), and a message flow \(\textsf {Flow} \), ignores \(\bar{c}\) and runs \(\mathscr {O}_B({\scriptstyle i\rightarrow j},c,\textsf {Flow})\);

Simulator \(\mathscr {S}\!\textit{im}_B({\scriptstyle i\rightarrow j},c,\bar{c},\textsf {Flow})\): on the same inputs as above, emulates the output an honest player B would answer upon receiving the flow \(\textsf {Flow} \) when running the protocol \(\mathsf {Switch} _{\scriptstyle i\rightarrow j}((\mathsf {pk},\mathsf {sk} _A,c),(\mathsf {pk},\mathsf {sk} _B,c))\), without \(\mathsf {sk} _B\) but possibly with \(\mathsf {sk} _A\), and forcing the output to be a ciphertext \(\bar{c}'\) equivalent to \(\bar{c}\) (i.e., a ciphertext \(\bar{c}'\) such that \(\mathsf {Dec}(\mathsf {sk},\bar{c}) = \mathsf {Dec}(\mathsf {sk}, \bar{c}')\)).
If the adversary \(\mathscr {A}\) can be unbounded, \(\varPi _1\rightleftharpoons \varPi _2\) is statistically zeroknowledge. We denote \(\mathsf {Adv}^{\mathsf{esp}\text {}\mathsf{zk}}(\kappa ,t)\) the maximal advantage an adversary can get against A or B within time t.
At a high level, Definition 4 says that (misbehaving) players A and B separately gain no information on the plaintexts even if they can switch the ciphertexts between \(\varPi _1\) and \(\varPi _2\). In that sense, switching ciphertexts is a special kind of twoparty computation. It is pretty clear that a secure ESP on appropriate encryption schemes allows to build twoparty protocols in \(\mathscr {M} _1\cap \mathscr {M} _2\).
2.3 Computational Equality
Let us consider an adversary \(\mathscr {A}\) which can efficiently sample messages in both the intersection of the message spaces \(\mathscr {M} _1\cap \mathscr {M} _2\) and their symmetric difference \(\mathscr {M} _1\oplus \mathscr {M} _2 = (\mathscr {M} _1\cup \mathscr {M} _2) \backslash (\mathscr {M} _1\cap \mathscr {M} _2)\). A simple observation shows that a secure ESP could not be safe to use inside a larger protocol, even in front of a passive adversary, since the switching protocol does not provide any guarantee on nonswitchable ciphertexts, that encrypt messages outside \(\mathscr {M} _1\cap \mathscr {M} _2\). They could help to distinguish ciphertexts. More generally, we would like \(\mathsf {Switch}\) not to help for distinguishing switchable ciphertexts from nonswitchable ciphertexts, which would break the INDCPA security with the \(\mathsf {Switch}\) oracle.
A solution could be a restriction on the choice of the ciphertexts asked to the \(\mathsf {Switch}\) oracles, so that the plaintexts lie in \(\mathscr {M} _1\cap \mathscr {M} _2\). But this would not be strong enough for practical purpose, since there is no reason that it cannot happen during a complex evaluation. We thus define the following additional property, to be satisfied by the message spaces, with the common public key \(\mathsf {pk} \) as auxiliary input:
Definition 7
(Computational Equality). Let \((\mathscr {M}_1,\mathscr {M}_2,\mathsf {aux})\) be two sets and some additional information. \(\mathscr {M}_1\) and \(\mathscr {M}_2\) are computationally equal given auxiliary input \(\mathsf {aux}\) if, for any adversary \(\mathscr {A}\), its success probability for outputting a message in the symmetric difference \(\mathscr {M}_1\oplus \mathscr {M}_2\), denoted \(\mathsf {Succ}^{\mathsf{comp}\text {}\mathsf{eq}} (\mathscr {A}) = \Pr [m\leftarrow \mathscr {A}(\mathscr {M}_1,\mathscr {M}_2,\mathsf {aux})\,:\, m\in \mathscr {M}_1\oplus \mathscr {M}_2]\), is negligible.
We have defined the security of ESP for switchable inputs and, informally, the computational equality will guarantee that nonswitchable inputs are quite unlikely during the execution of a protocol involving ESPs.
2.4 RingHomomorphic Encryption Schemes
2.5 General Secure TwoParty Computation
The reason of designing ESP is to take advantage of the nice (homomorphic) properties of the two schemes which may not be available in a single efficient encryption scheme. When additions \(\oplus \) are required, we use ciphertexts under the additively homomorphic encryption scheme w.r.t. \(\boxplus \), and when multiplications \(\otimes \) and exponentiations are needed, we convert the operands into the other multiplicatively homomorphic encryption scheme w.r.t. \(\boxtimes \). In other words, ESP aims at reconciling additively and multiplicatively homomorphic schemes, to jointly compute the encryption of f(x, y), for any public function f over \((\mathscr {R},\oplus ,\otimes )\), on encryptions of x and y. Below, we consider twoparty computation which reveals the result to a single party only (Alice).
Secure 2PC . More formally, assuming only Alice gets the outcome, the security game of such a privacypreserving evaluation is the following one: The adversary against Bob chooses its input x and the possible inputs \(y_0, y_1\) for Bob, with the additional restriction that \(f(x,y_0)=f(x,y_1)\) (otherwise the outcome would reveal Bob’s actual input value); It gets the encryption of x and the encryption of \(y_b\) for a random bit Open image in new window ; At the end of the joint evaluation with Bob, it should try to guess b, and thus Bob’s actual input value. If the adversary plays the role of Bob against Alice, then it chooses its input y and the possible inputs \(x_0, x_1\) for Alice but without any additional restriction. When no adversary can guess b in any of the two games (against Alice or Bob), with nonnegligible advantage, we say that the 2PC protocol is inputindistinguishable. This is formally defined in the full version [6].
Since we assume that Alice receives the outcome of the 2PC in our design we also assume that Alice and Bob are able to decrypt ciphertexts from their shares. Without loss of generality, we assume that \(\varPi _2\) admits a 2party decryption (as detailed in the full version [6]) so that only Alice gets the plaintexts. A rigorous construction \(\varPi _{\textsc {2PC}}\) is proposed in the full version [6], using a secure ESP between homomorphic encryption schemes over computationallyequal message spaces, following the above intuition, leads to the next result.
Theorem 8
Let \(\varPi _1\) and \(\varPi _2\) be INDCPA (complementary) homomorphic encryption schemes over a ring \((\mathscr {R},\oplus ,\otimes )\), whose message spaces are computationally equal, equipped with a secure ESP, \(\varPi _1\rightleftharpoons \varPi _2=(\mathsf {Share},\mathsf {Switch})\), so that \(\varPi _2\) admits a 2party decryption for A from the same key shares output by \(\mathsf {Share}\) and which is statistically sound and zeroknowledge, then the \(\varPi _{\textsc {2PC}}\) protocol is an inputindistinguishable 2PC for any function f over \((\mathscr {R},\oplus ,\otimes )\).
We stress that this theorem is for the malicious setting: if the ESP protocols (and the 2party decryption) are secure against malicious adversaries, the \(\varPi _{\textsc {2PC}}\) protocol is secure against malicious adversaries, without any additional zeroknowledge proofs.
Intuition. Our approach for \(\varPi _{\textsc {2PC}}\) consists in starting from ciphertexts of x and y, and to switch to the appropriate encryption scheme in order to be able to make operations through the homomorphic property, until the encryption of the result is reached. The rationale of the computationalequality property for the message spaces, with the public key as auxiliary input, is the following one: on encryptions of valid inputs x and \(y_b\), the evaluation of the encryption of \(f(x,y_b)\) follows a deterministic path of switches and public homomorphic operations on the ciphertexts. In the honestbutcurious setting, the sequences of involved plaintexts is indeed determined by x and \(y_b\), and in the malicious setting, the soundness property ensures that the same happens. Then, if all the ciphertexts are switchable, using the simulators from the zeroknowledge property of the ESP leads to the privacy of the computation: no information leaks on b. If a ciphertext happens to be nonswitchable with nonnegligible probability during the computation, simply generating the sequences of plaintexts from \((x,y_0)\) and from \((x,y_1)\) would efficiently generate an element in the symmetric difference: we need this to be intractable. Eventually, the outcome of the protocol is recovered by performing 2party decryption.
Sketch of the Proof. The structure of the proof follows a sequence of indistinguishable games from the real game with \((x,y_0)\), between the adversary and a simulator emulating the challenger using \(b=0\) with all the secret information to the real game with \((x,y_1)\), and so using \(b=1\). We consider the output guess \(b'\), which should remain the same. The first games consist of a preparation for replacing \(y_0\) by \(y_1\). We indeed cannot apply the semantic security of the encryption schemes yet since the decryption keys are known to the simulator. But first, with the computationalequality property, we can guarantee that all the input ciphertexts of the ESPs are switchable. Then, with the soundness of the ESPs, we know that the outputs of the ESPs are twin ciphertexts. Actually, we need here the strong flavor of soundness since the secret key is still known. Again we apply the soundness of the final 2party decryption to guarantee the correct decryption (since the decryption key is still known, we require the statistical soundness, but a strong flavor would be enough too). Now that we know all the inputoutput pairs of the internal primitives (ESPs and decryption) are correct, we can safely replace the honest emulation using the secret key by the simulators without the secret key, thanks to the zeroknowledge property. So, the secret key is not required anymore, and we can replace \(y_0\) by \(y_1\), applying the INDCPA security game to the first encryption scheme. We also have to propagate to the outputs of the ESPs, using again the INDCPA security game of the other encryption scheme. This is done sequentially, with hybrid games, to end with a game where the input is \((x,y_1)\) and all the intermediate ciphertexts are consistent. We can then move back to the honest emulation (and not the simulators for the ESPs and the decryption) using the secret key. The full construction is described and formally proven secure in the full version [6].
Our Next Goal. Three properties must be satisfied to securely evaluate functions over a ring: the homomorphism of the encryption schemes, the security of the ESPs and the computational equality of the messages spaces. Instantiating these building blocks would allow us to achieve our second objective: building an efficient twoparty computation over a ring as a realistic alternative to standard methods, particularly for arithmetic functions with a high multiplicative depth. After discussing some applications of ESPs, we provide a first step toward our goal by designing a secure ESP to switch between two homomorphic encryption schemes over \(\mathbb {Z}_n ^*\).
3 Applications
In this section, we motivate our paradigm for twoparty computation with some concrete examples involving highdepth circuits.
Private Disjointness Testing ( PDT ). Two players, Alice and Bob, holding respective databases \(A=(a_i)_{i \le a}\) and \(B=(b_i)_{i \le b}\), wish to know whether their databases have at least one common element or not, and nothing more. The stateoftheart solution to \(\textsf {PDT} \) is [42], which solves the problem with complexity \(O\left( (a+b)^2\right) \) (counting group elements).
A natural way to solve the \(\textsf {PDT} \) is to view the items of A as the roots of a polynomial \(P(X) = \sum _{i = 0}^a \alpha _i X^i\). Alice and Bob perform an interactive protocol which outputs \(u = r\prod _{i=1}^b P(b_i)\) to Alice, where r is a uniformly random value picked by Bob. If this value is 0, then one of the \(P(b_i)\)’s is zero, which means that one of the \(b_i\)’s is in A. However, the circuit computing u is of depth \(O(\log b)\), hence most 2PC protocols computing this circuit are not constant round. Using carefully constructed circuits such as the sortcompareshuffle circuit of [22] (adapted to the case of PDT), the (constantround) garbled circuit approach transmits \(O(\kappa \ell (a+b)\log (a+b) + \kappa bM(\kappa ))\) bits, where \(\ell \) is the size of the items in A and B and \(M(\kappa )\) the circuit size of modular multiplication (multiplications are performed modulo a \(\kappa \)bit value to avoid integer multiplication while maintaining statistical correctness).
 1.
Alice builds the polynomial \(P=\sum \alpha _i X^i\) so that \(P(a_i)=0\) for \(i\le a\), and sends \((C_i = \mathscr {E}_{\oplus }(\alpha _i))_i\);
 2.
Bob computes and sends \(D_i \leftarrow \boxplus _j b_i^j \bullet C_i = \mathscr {E}_{\oplus }(P(b_i))\) for \(i\le b\);
 3.
They perform b ESPs in parallel to get \((D'_i = \mathscr {E}_{\otimes }(P(b_i)))_{i \le b}\);
 4.
Bob picks Open image in new window and computes \(E \leftarrow r \bullet \boxtimes _i D'_i = \mathscr {E}_{\otimes }(r \times \prod P(b_i))\).
 5.
Alice and Bob jointly decrypt the ciphertext, Bob gets the result and checks whether the plaintext is zero or not.
The total communication complexity of this protocol is \(a+b+2\) ciphertexts and b parallel ESPs. With constant size ESPs (as we will construct in the following), this gives a total communication of \(O(a+b)\) in constant round. We want to stress that this does not mean that, for concrete parameters, this approach will necessarily beat the best superlinear garbled circuits for \(\textsf {PDT} \); however, garbled circuits have enjoyed decades of optimizations, and given its asymptomatic complexity, our new approach seems worth considering for further investigations and could benefit from numerous optimizations. Note also that hybrid frameworks (such as [21]) can also provide linearcommunication constantround solutions, but unlike these protocols, our approach is easily enhanced to the malicious setting: in a high level, items 1 and 2 are secure from [7] and the next items are secure against malicious adversaries if so are the ESPs performing the switches (and Sect. 6 provides an efficient technique to achieve this security).
Oblivious Multivariate Polynomial Evaluation ( OMPE ). This is the natural extension of oblivious polynomial evaluation [31] over multivariate polynomials [39]. Once an ESP is available, constructing an OMPE protocol is straightforward (we use the notations of [39]). Unlike previous solutions, it keeps the degree d of P hidden.

Alice holds an Nvariate polynomial P of degree d with M monomials;

Bob holds \((x_1, \cdots , x_N)\) and sends \((\mathscr {E}_{\otimes }(x_i))_{i \le N}\);

Alice computes all the M monomials of \(P(x_1, \cdots , x_N)\) encrypted under \({\mathbb {Z}_n ^*} \text {}\textsf {EG}\), due to the multiplicativity;

Alice and Bob perform M parallel ESPs on the encrypted monomials to get the M additively encrypted monomials, and then get \(\mathscr {E}_{\oplus }(P(x_1, \cdots ,x_N))\);

Alice and Bob jointly decrypt it, so that Bob (or both) gets \(P(x_1, \cdots , x_N)\).
Our OMPE protocol transmits \(O((N+M)\log n)\) bits, to be compared with \(O(N d \kappa ^2)\) for [39]. In addition, our protocol can be adapted to the case of multivariate polynomials whose most compact representation is not their canonical form; for example, if the polynomial is of the form \(\prod _i \sum _j X_j^{\delta _{ij}}\), extending it to its canonical form would result in an expression with exponentially many terms. Instead, the polynomial can be directly evaluated from this compact form: first using the multiplicative homomorphism to evaluate the \(X_i^{\delta _{ij}}\)’s, they switch to perform the sums, and then switch again to perform the final product. Several applications of OMPE are discussed in [39], such as testing whether the union of two sets of vectors are of full rank which has applications in linear secret sharing schemes, where the secret can be recovered when a full rank set of vectors is known; the players can determine whether they could recover the secret together without revealing their set. We get a more efficient FullRank Test protocol.
4 An Encryption Switching Protocol over \({\mathbb {Z}_n ^*} \)
For the internal laws on the plaintexts in \(\mathbb {Z}_n \) we keep the usual notations \(+\) and \(\times \) (or \(\cdot \) and even nothing), but we still use the notations of the Sect. 2.4 for the external operations on the ciphertexts and the relations on the random coins.
We now recall basic computational assumptions and an implication to \(\mathbb {J}_n \), then we review the Paillier encryption which also admits a verifiable 2party decryption algorithm (where either the two players, or one player only, get the result) and we introduce our new ElGamal encryption schemes. Finally, we show how to switch between these schemes from encryptions over \({\mathbb {Z}_n ^*} \).
4.1 Computational Assumptions

The \(\textsf {DDH}\) (Decisional DiffieHellman) assumption in a cyclic group \(\mathbb {G} =\langle g\rangle \) of order q states that, given \((g^a, g^b)\) for Open image in new window , \(g^{ab}\) is indistinguishable from a random element in \(\mathbb {G} \).

The \(\mathsf {QR}\) (Quadratic Residuosity) assumption in \({\mathbb {Z}_n ^*} \), for an RSA modulus n, states that a random element in \(\mathsf {QR}_n \) (square in \({\mathbb {Z}_n ^*} \)) is indistinguishable from a random element in \(\mathbb {J}_n \) (element of \({\mathbb {Z}_n ^*} \) with Jacobi symbol \(+1\)).

The \(\mathsf {DCR}\) (Decisional Composite Residuosity) assumption in \(\mathbb {Z}_{n^2} ^* \), for an RSA modulus n, states that a random nth power in \(\mathbb {Z}_{n^2} ^* \) is indistinguishable from a random element in \(\mathbb {Z}_{n^2} ^* \).
The \(\textsf {DDH}\) assumption is usually assumed to hold in large primeorder subgroups of \(\mathbb {Z}^*_p\). In the following, \(n=pq\) is a strong RSA modulus if \(p=2p'+1\) and \(q=2q'+1\) are safe primes (with both \(p'\) and \(q'\) also prime). With such a modulus n, \(\textsf {DDH}\) is also a reasonable assumption in \(\mathsf {QR}_n \), since the order is \(p'q'\) (see the full version [6] for more details). Adding the \(\mathsf {QR}\) assumption in \({\mathbb {Z}_n ^*} \), this makes the \(\textsf {DDH}\) assumption in \(\mathbb {J}_n\) (of order \(2p'q'\)) reasonable too:
Theorem 9
When \(n=pq\) is a strong RSA modulus, the \(\textsf {DDH}\) assumption in \(\mathbb {J}_n \) is implied by the \(\textsf {DDH}\) assumption in both the large primeorder subgroups of \(\mathbb {Z}^*_p\) and \(\mathbb {Z}^*_q\) and the \(\mathsf {QR}\) assumption in \({\mathbb {Z}_n ^*} \). (The proof is in the full version [6].)
However, given \(m\in {\mathbb {Z}_n ^*} \), computing Jacobi symbol \(J_n(m)\) is easy and then the \(\textsf {DDH}\) assumption does not hold in \({\mathbb {Z}_n ^*} \) which, in addition, is non cyclic.
4.2 \(\mathbb {Z}_n \text {}\textsf {P}\): The Paillier Encryption Scheme on \(\mathbb {Z}_n \)
For the Paillier encryption scheme (denoted \(\mathbb {Z}_n \text {}\textsf {P} \)), we will use the notation \(\mathscr {E}_{\oplus }(\cdot )\) since this will be our additively homomorphic encryption scheme. It implicitly uses the strong RSA modulus \(n=pq\), and we denote \(\lambda = \lambda (n) = (p1)(q1)/2\), the maximal order of an element of \({\mathbb {Z}_n ^*} \). One can note that \(\lambda = (n1)/2 + (2(p+q))/2\) is statistically close to \((n1)/2\) or n / 2 if we consider the Euclidean division (we will abuse this notation n / 2 in the following).
The Paillier Cryptosystem. In [33], Paillier proposed an encryption scheme \(\mathbb {Z}_n \text {}\textsf {P} \) for a modulus \(\mathsf {pk} = n\) as public key, and \(\mathsf {sk} = d \leftarrow [\lambda ^{1} \mod n] \times \lambda \bmod n\lambda \) as secret key: \(\mathbb {Z}_{n}\text {}\textsf {P.}\mathsf {Enc} (\mathsf {pk},m;r)\), for a message \(m\in \mathbb {Z}_n \) and random coins r in \({\mathbb {Z}_n ^*} \), outputs \(c= (1+n)^m\cdot r^n \bmod n^2\); \(\mathbb {Z}_{n}\text {}\textsf {P.}\mathsf {Dec} (\mathsf {sk},c)\) returns \(m = ([c^d \bmod n^2]  1)/n\). (See details in the full version [6]). This scheme is \({\textsf {IND}\text {}\textsf {CPA}} \) under the \(\mathsf {DCR}\) assumption over \(\mathbb {Z}_{n^2} ^* \), and it is additively homomorphic in \(\mathbb {Z}_n \). It satisfies Eq. (1), \(\boxplus \) being the multiplication in \(\mathbb {Z}_{n^2}^*\). The randomization algorithm \(\mathsf {Rand}\) is given by \(\mathbb {Z}_{n}\text {}\textsf {P.}\mathsf {Rand} (c;r) = c\cdot r^n \bmod n^2\), for any random coins r in \({\mathbb {Z}_n ^*} \).
2Party Paillier Decryption. In this section, we briefly recall the semihonest case where players are honestbutcurious. The reader can refer to the full version [6] for more details and a description in the malicious case which makes use of classical zeroknowledge proofs.
We assume that a trusted dealer generates the key shares for the two parties, Alice and Bob (distributed key generation can be found in [20]). The dealer generates random \(d_A,d_B\in \mathbb {Z}_{n\lambda } \) subject to \(d_A+d_B=d\bmod n\lambda \) defined above. Then, Alice gets \(d_A\) and Bob gets \(d_B\).
In order to allow Bob to decrypt the ciphertext C, Alice computes and sends \(C_A \leftarrow C^{d_A} \bmod n^2\), which allows Bob to get the plaintext \(m\leftarrow ([C_A \times C^{d_B} \bmod n^2] 1)/n\). Note that we do intentionally not disclose m to Alice in general. But this is perfectly symmetric if one wants Alice to get the result instead of Bob.
The correctness of this protocol is straightforward. Let us show that it is statistically zeroknowledge: To emulate Alice in front of a curious Bob, we first pick \(d_B\) in \(\mathbb {Z}_{n^2/2} \) instead of \(\mathbb {Z}_{n\lambda } \) (since n / 2 is statistically close to \(\lambda \)) and we give it to Bob. The simulator with input \((m, d_B)\) sends \(C_A \leftarrow (1+n \cdot m) \times C^{d_B}\), which enforces the decryption to m for Bob. This simulation is statistically indistinguishable from a real execution when C does indeed encrypt m. No emulation of Bob is needed as he does not send any message.
4.3 \({\mathbb {Z}_n ^*} \text {}\textsf {EG}\): An ElGamal Variant in \({\mathbb {Z}_n ^*} \)
The ElGamal Cryptosystem. In [14], ElGamal proposed the famous encryption scheme that applies in any cyclic group \(\mathbb {G} =\langle g\rangle \) of order q, in which the \(\textsf {DDH}\) assumption holds: for a secret scalar Open image in new window , the public key is \(\mathsf {pk} = h \leftarrow g^x\): \(\mathsf {Enc}(\mathsf {pk},m;r)\), for a message \(m\in \mathbb {G} \) and random coins r in \(\mathbb {Z}_q\), outputs \(c= (c_0 = g^r, c_1 = h^r \cdot m)\); \(\mathsf {Dec}(\mathsf {sk},c)\) returns \(m = c_1/c_0^x\).
This scheme is \({\textsf {IND}\text {}\textsf {CPA}} \) under the \(\textsf {DDH}\) assumption over \(\mathbb {G} \), and it is multiplicatively homomorphic in \(\mathbb {G} \). ElGamal encryption scheme satisfies Eq. (1), \(\boxtimes \) being the componentwise multiplication in \(\mathbb {G} ^2\). The randomization algorithm \(\mathsf {Rand}\) is given by \(\mathsf {Rand}(c;r) = (c_0 \cdot g^r, c_1 \cdot h^r)\), for any random coins r in \(\mathbb {Z}_q\). The 2party decryption protocol is quite similar to the above Paillier one.
In the following, we will essentially use \(\mathsf {QR}_n \text {}\textsf {EG}\) and \(\mathbb {J}_n \text {}\textsf {EG}\), the ElGamal encryption schemes in \(\mathsf {QR}_n \) and \(\mathbb {J}_n \) respectively.
Description. Since the larger space that ElGamal can securely encrypt is \(\mathbb {J}_n \), in order to encrypt a message \(m\in {\mathbb {Z}_n ^*} \), we have to split m into two parts, \(m_1,m_2\in \mathbb {J}_n \): given \(\chi \in {\mathbb {Z}_n ^*} \setminus \mathbb {J}_n \), a natural encoding is \(m_1=J_n(m)=(1)^a\) and \(m_2=\chi ^{a}m\), with an appropriate integer a. But, even if \(\{\pm 1\}\) could be seen as a subgroup of \(\mathbb {J}_n \), \(\psi :\mathbb {Z}_2\times \mathbb {J}_n \mapsto {\mathbb {Z}_n ^*} \), \(\psi (a,m)=\chi ^{a}m\) is not an homomorphism when the order of \(\chi \) is not 2. But we cannot leave in the clear^{2} a square root of 1 lying in \({\mathbb {Z}_n ^*} \setminus \mathbb {J}_n \) (as done in [17]). However, for a generator g of \(\mathbb {J}_n \), we can instead encode m with \(m_1=g^a\) and \(m_2=\chi ^{a} m\) for any integer a such that \(J_n(m) = (1)^a\), and encrypt \(m_2\) into \((C_0,C_1)\) using \(\mathbb {J}_n \text {}\textsf {EG}\), and appending \(m_1\) in clear. The intricate point in the decryption phase will be to reconstruct \(\chi ^a\) from \(m_1 = g^a\): if one defines \(v = [p^{1} \bmod q]\cdot p \bmod n\) and \(\chi \leftarrow (1v)\cdot g^{t_p} + v \cdot g^{t_q} \bmod n\), for even \(t_p\) and odd \(t_q\) randomly drawn in \(\mathbb {Z}_{\lambda } \), then \(\chi \in {\mathbb {Z}_n ^*} \setminus \mathbb {J}_n \). In addition, from \(m_1 = g^a\), one gets \(\chi ^a\) as \((1v) m_1^{t_p} + v m_1^{t_q}\bmod n\). The complete description of the scheme is described on Fig. 1.
Properties. The correctness follows from the Chinese Remainder Theorem: by construction, \(\chi \leftarrow (1v)\cdot g^{t_p} + v \cdot g^{t_q} \bmod n\), with v such that \(v=0 \bmod p\) and \(v=1 \bmod q\), then, \(\chi = g^{t_p} \bmod p\) (so that \(\chi \in \mathsf {QR}_p \)) and \(\chi = g^{t_q} \bmod q\) (so that \(\chi \not \in \mathsf {QR}_q \)). Then, from \(m_0 \leftarrow (1v) m_1^{t_p} + v m_1^{t_q}\bmod n\), we also have \(m_0=g^{a t_p} =\chi ^a \bmod p\) and \(m_0=g^{a t_q} =\chi ^a \bmod q\), and so \(m_0 = \chi ^a \bmod n\). Hence, \(m_0 \cdot m_2 \bmod n\) is indeed the plaintext m in \({\mathbb {Z}_n ^*} \).
The multiplicative homomorphism comes from the fact that a does not need to be in \(\mathbb {Z}_2\), but just has to satisfy \((1)^a = J_n(m)\) to make both \(m_1\) and \(m_2\) in \(\mathbb {J}_n \). If one multiplies two ciphertexts c and \(c'\), of m and \(m'\) respectively, one gets \((g^{r+r'}, \chi ^{aa'} m m' \cdot g_1^{r+r'}, g^{a+a'}) = (g^{r''}, \chi ^{a''} m m' \cdot g_1^{r''}, g^{a''})\), which is statistically indistinguishable from a direct encryption of \(m m'\) since \(\mathbb {Z}_{n/2} \) is statistically close to \(\mathbb {Z}_{\lambda } \).
As usual, the randomization just consists in multiplying by a ciphertext of \(m=1\), and so with any random encoding of 1: \((m_1 = g^{2a}, m_2 = \chi ^{2a})\). Hence, on input a ciphertext \(C=(C_0,C_1,\alpha )\) and two random integers \((r_1,r_2)\), \(\mathsf {Rand}(C;r_1,r_2)\) outputs \(C' \leftarrow (g^{r_1} \cdot C_0, \chi ^{2 r_2} \cdot g_1^{r_1} \cdot C_1, g^{2r_2}\cdot \alpha )\). Note that this algorithm returns a ciphertext in which both the random coins and the encoding of the plaintext are uniform, hence this is a perfect randomization algorithm.
Security. A ciphertext \(c = (C = (c_0,c_1), m_1)\) contains \(m_1\) in clear but \(m_2\) is encrypted using \(\mathbb {J}_n \text {}\textsf {EG}\). While \(m_1\) encodes the Jacobi symbol of the plaintext m (if \(m_1\) is a square, \(m\in \mathbb {J}_n \) and if \(m_1\) is not a square, \(m\in {\mathbb {Z}_n ^*} \setminus \mathbb {J}_n \)), under the \(\mathsf {QR}\) assumption in \({\mathbb {Z}_n ^*} \), it is infeasible to distinguish squares from nonsquares in \(\mathbb {J}_n \): \(m_1\) does not leak anything. The choice of \(\chi \) is completely independent from the \(\mathbb {J}_n \text {}\textsf {EG}\) decryption key. This means that the INDCPA security of the scheme just relies on the \(\textsf {DDH}\) assumption in \(\mathbb {J}_n \) (Theorem 9) and the \(\mathsf {QR}\) assumption in \({\mathbb {Z}_n ^*} \).
4.4 \(\mathbb {Z}_n ^*\text {}\textsf {ESP} \): Encryption Switching Protocols on \({\mathbb {Z}_n ^*} \)
Proof of Security of \({\mathbb {Z}_{{\varvec{n}}}^{*}}{\text {}{\mathbf {\mathsf{{ESP}}}}}\) . About the correctness, C encrypts m, \(C'_A\) encrypts \(R_A^{1}\), and \(C_A\) encrypts \(x = R_A \cdot m\), in both directions. Then \(x\bullet C'_A\) is a ciphertext of m under the second encryption scheme. In the multiplicative to additive direction, this is a bit more intricate, but \(A_3 =  B^{t_{pA}} B_1 + B^{t_{qA}} B_2 =~ B^{t_p} + B^{t_q}\) and \(A_4 = A_1 B_1 + A_2 B_2 = (1v_A) B^{t_p} + v_A B^{t_q}\), hence \(E_5\) and \(E_6\) contain encryption of \(B' \times ( v_B ( B^{t_q}  B^{t_p} ) + ((1v_A) B^{t_p} + v_A B^{t_q} + kn)) = B' \times ( (1v) B^{t_p} + v B^{t_p})\). But as already remarked, \((1v) B^{t_p} + v B^{t_p} = \chi ^{a+r_1} \bmod n\) if \(\alpha = g^a\). Hence, the plaintext \(m_6 = \chi ^a\), and x is the expected value. (The blinding factor kn added in \(E_6\), which masks the number of reductions modulo n, disappears in the end.)
About the zeroknowledge, the full and detailed proof in the honestbutcurious setting of Theorem 10 can be found in the full version [6]. But in short, the proof is done in two steps, for Alice and for Bob. For each player, we exhibit a simulator which, essentially, generates the key share of its opponent from the public key without having any information on the key of the player it emulates, and is given for each switch a target output of the protocol. The simulator forces the output of the switch to be a rerandomization of its target output. He does so by sending random ciphertexts instead of correct ciphertexts and computing some intermediate values using either its input or its target output (both being a twinciphertext pair). The Paillier scheme with a second larger modulus N is necessary to hide some redundancy in the flows sent by the player that a simulator could not have sampled without the knowledge of the keys. The full proof involves several subtleties (typically, ensuring that indistinguishability between two situations involving values over \(\mathbb {J}_n \) is implied by the \(\textsf {DDH}\) assumption over \(\mathsf {QR}_n \)).
Theorem 10
When instantiated with the Paillier encryption scheme and the \({\mathbb {Z}_n ^*} \text {}\textsf {EG}\) encryption scheme, both over \({\mathbb {Z}_n ^*} \), the \({\mathbb {Z}_n ^*}\textsf {ESP} \) are zeroknowledge under the \(\textsf {DDH}\) assumption in \(\mathsf {QR}_n \), the \(\mathsf {QR}\) assumption in \({\mathbb {Z}_n ^*} \), the \(\mathsf {DCR}\) assumption over \({\mathbb {Z}_n ^*} \), and the \(\mathsf {DCR}\) assumption over \(\mathbb {Z}_N^* \).
Using our two complementary homomorphic schemes and \({\mathbb {Z}_n ^*}\textsf {ESP} \) allows to evaluate functions over \({\mathbb {Z}_n ^*} \), but no information leaks only if no intermediate computation will evaluate to 0 during the protocol. This is the goal of the next section to extend the message space of our ElGamal variant to \({\mathbb {Z}_n ^*} \cup \{0\}\), which can be shown to be computationally equal to \(\mathbb {Z}_n \).
5 An Encryption Switching Protocol over the Ring \(\mathbb {Z}_n \)
In order to allow computations over encrypted data in the full ring \((\mathbb {Z}_n,+,\times )\), we need to extend \({\mathbb {Z}_n ^*} \text {}\textsf {EG}\) to a message space that is computationally equal to \(\mathbb {Z}_n \). To this aim, we just have to handle zero. This will indeed make the two sets \(\mathscr {M} _1 = \mathbb {Z}_n \) and \(\mathscr {M} _2 = {\mathbb {Z}_n ^*} \cup \{0\}\) computationally equal: finding an element in the symmetric difference provides a nontrivial noninvertible element, which breaks the factorization of n.
In the following, we use the notation \(\mathscr {E}_{\otimes }(\cdot )\) for our above \({\mathbb {Z}_n ^*} \text {}\textsf {EG}\), and still \(\mathscr {E}_{\oplus }(\cdot )\) for the Paillier encryption scheme \(\mathbb {Z}_n \text {}\textsf {P} \), both homomorphic on \(({\mathbb {Z}_n ^*},\times )\) and \((\mathbb {Z}_n,+)\) respectively, with the same strong RSA modulus n. We will also denote \(\mathsf {QR}_n \text {}\textsf {EG}\) and \(\mathsf {QR}_n \text {}\textsf {EG}'\), two ElGamal encryption schemes over \(\mathsf {QR}_n \), and so with additional secret keys \(s_2\), \(s_3\), and \(g_2=g^{2s_2}\), \(g_3=g^{2s_3}\). \(\mathsf {QR}_n \text {}\textsf {EG}\) and \(\mathsf {QR}_n \text {}\textsf {EG}'\) are clearly homomorphic in \((\mathsf {QR}_n,\times )\), and the INDCPA security just relies on the \(\textsf {DDH}\) assumption in \(\mathsf {QR}_n \), which is independent of the factorization of n. Note however that \(\mathsf {QR}_n \text {}\textsf {EG}' \) will be used as an extractable commitment and not an encryption scheme: the secret key \(s_3\) is not kept by anybody (excepted the simulator in the security proof).
5.1 \(\mathbb {Z}_n \text {}\textsf {EG}\): ZeroHandling ElGamal Encryption Scheme in \(\mathbb {Z}_n \)
The global setup and the algorithms are represented in Fig. 3, but our \(\mathbb {Z}_n \text {}\textsf {EG}\) encryption scheme essentially uses \({\mathbb {Z}_n ^*} \text {}\textsf {EG}\) to encrypt \(m+b\), where \(b=0\) if \(m\not =0\) and \(b=1\) otherwise, in \(C_1\leftarrow \mathscr {E}_{\otimes }(m+b)\), and is completed with two ciphertexts of b: \(C_2\leftarrow \mathsf {QR}_n \text {}\textsf {EG} \textsf {.}\mathsf {Enc} (T^b)\) and \(C_3\leftarrow \mathsf {QR}_n \text {}\textsf {EG}' \textsf {.}\mathsf {Enc} ({T'}^b)\), with two random squares T and \(T'\).
Properties. This scheme is correct, although the decryption is only statistically correct since the random square T can be equal to 1 with negligible probability. Since this is a combination of ElGamal encryption schemes, the resulting scheme is also INDCPA. The 2party decryption algorithms of \({\mathbb {Z}_n ^*} \text {}\textsf {EG}\) and \(\mathsf {QR}_n \text {}\textsf {EG}\) immediately give rise to a 2party decryption algorithm for \(\mathbb {Z}_n \text {}\textsf {EG}\): this is in two steps, as above, since the decryption of \(C_2\) leads to either 1 or a random value.
Homomorphism. The multiplicativity of \({\mathbb {Z}_n ^*} \text {}\textsf {EG}\) makes this scheme homomorphic until a zero is involved. And thanks to the absorbing property of random values T, it also captures the absorbing property of the zero value in the ring \(\mathbb {Z}_n \): the multiplication is thus performed componentwise. In Fig. 3, we propose a randomization algorithm. One could note that \(C_1\) will keep track of the operations performed on the ciphertexts when the global ciphertext encrypts zero, even after randomization. We will limit the decryption of \(C_1\) only if \(C_2\) contains 1, and then \(C_1\) contains the plaintext, independent of the previous steps.
Computational Equality of Message Spaces. The message space of \(\mathbb {Z}_n \text {}\textsf {EG}\) is now \({\mathbb {Z}_n ^*} \cup \{0\}\), which is computationally equal to \(\mathbb {Z}_n \), the message space of the Paillier encryption scheme: elements in the symmetric difference are nontrivial multiples of p or q, which lead to the factorization of the modulus n.
5.2 Encrypted Zero Test
To switch between encryption schemes over \(\mathbb {Z}_n \), we have to obliviously detect the zeroes during the switch; this will be done by a subprotocol, the encrypted zerotest (EZT). An EZT is a protocol in which two players share a decryption key, with an encryption C of a message m as input, and wish to get an encryption \(C'\) of a bit b as output, where \(b=1\) if \(m=0\), and \(b=0\) otherwise. An EZT is zeroknowledge if there is an efficient simulator for each player which is indistinguishable from an honest player, and runs on input \((C,C')\), where \(C'\) is a twin ciphertext of C, without the knowledge of the share of the secret key of the player it emulates, but just the share of the other player.

Alice picks Open image in new window and sends Open image in new window to Bob. Both players jointly decrypt \(C_A\); Bob gets the result y. Let \(x' \leftarrow x \bmod 2^\kappa \) (that Alice computes) and \(y' \leftarrow y \bmod 2^\kappa \) (that Bob computes).

Let f(u, v) be the function which returns 1 if \(u = v\), and 0 else. Alice picks Open image in new window and builds a garbled circuit computing \(b_A\;\textsf {xor}\; f(x',y')\). Using [25], the resulting circuit has \(2\kappa \) gates.

Bob gets a bit \(b_B\) from evaluating the garbled circuit with Yao’s protocol. He sends an encryption \(C_B\) of \(b_B\) to Alice.

Alice outputs \(C' \leftarrow \mathsf {Rand}(b_A \boxplus C_B \boxminus (2b_A)\bullet C_B) = \mathsf {Enc}(b_A + b_B  2 b_A b_B) = \mathsf {Enc}(b_A \oplus b_B) = \mathsf {Enc}(f(x',y'))\).
The correctness follows from the fact that \(x' = y'\) implies, with overwhelming probability, that \(x  y = m = 0\), which is the plaintext of C.
Figure 4 sums up the efficiency the protocol of [25], and of the protocol of [30], which is the most efficient solution based on homomorphic encryption. Both protocols involve three rounds of online communication.
5.3 Encryption Switching Protocols on \(\mathbb {Z}_n \)
Theorem 11
When instantiated with the \(\mathbb {Z}_n \text {}\textsf {P}\) and \(\mathbb {Z}_n \text {}\textsf {EG}\) encryption schemes, both over \(\mathbb {Z}_n \), if both \({\mathbb {Z}_n ^*}\textsf {ESP} \) and EZT are zeroknowledge and if \(\textsf {com} \) is hiding, then the \(\mathbb {Z}_n\textsf {ESP} \) given in Fig. 5 is zeroknowledge under the \(\textsf {DDH}\) assumption in \(\mathsf {QR}_n \), the \(\mathsf {QR}\) assumption in \({\mathbb {Z}_n ^*} \) and the \(\mathsf {DCR}\) assumption over \({\mathbb {Z}_n ^*} \).
Instantiating the \({\mathbb {Z}_n ^*}\textsf {ESP} \) with our construction of Sect. 4, we additionally require the \(\mathsf {DCR}\) assumption over \(\mathbb {Z}_N^* \).
6 Security Against Malicious Adversaries
In the previous sections, we built two homomorphic encryption schemes with zeroknowledge ESPs that achieve our goal of secure twoparty computation from ESP: namely, at the end of the ESP executions, the semihonest users do not know more than before about the input plaintexts. To prevent malicious behaviors, and move from the semihonest setting to the malicious setting, additional validity checks are required. They are performed with zeroknowledge proofs.
Indeed, the last step toward secure ESPs is to ensure its soundness, so that malicious adversaries will not gain more information than an honest adversary would do. Moreover, the use of the simulators of the additional proofs will preserve the zeroknowledge of our ESPs. In this section, we provide this final building block.
Unfortunately, ESPs are essentially nonarithmetic protocols, and namely the internal decryptions and reencryptions. Hence, ensuring honest behavior might require garbled circuitsbased zeroknowledge proofs such as [15, 23, 35], or cutandchoose techniques, both at a very high computational cost, but also from the communication point of view, which we cannot afford.
In this section, we present a more efficient technique for such zeroknowledge proofs, based on a particular preprocessing phase. We first explain how a pool of random twinciphertext pairs allows designing efficient (amortized) proofs of honest behavior in our ESPs.
6.1 Refreshable TwinCiphertext Pool
First, we set up a perfectly hiding commitment scheme \(\textsf {com} _{\oplus }\) over a group of order n: let k be a small integer such that \(t \leftarrow 2kn+1\) is prime. Let \((g_t,h_t)\) be two generators of the subgroup of \(\mathbb {Z}^*_t\) of order n. On input \(m \in \mathbb {Z}_n \) and a randomness \(r\in \mathbb {Z}_n \), the scheme outputs \(\textsf {com} _{\oplus }(m;r) = g_t^mh_t^r\).
Preprocessing Random TwinCiphertext Pairs. Our starting point is a protocol that allows a prover to convince a verifier that two ciphertexts, from two different cryptosystems, do indeed encrypt the same value. This means they form a twinciphertext pair. Such a proof will be denoted TCP, for TwinCiphertext Proof. It comes at a cost of the cutandchoose technique and thus requires \(O(\kappa )\) communication. However, we show in the full version [6] how to amortize \(\ell \) TCPs using only a single cutandchoose protocol, for any arbitrarily large \(\ell \). It relies on the techniques developed by Groth and Bayer on generalized Pedersen commitments [3, 34]. But we use a new zeroknowledge proof on multiexponentiation with committed base, of independent interest: we can create a pool of \(\ell \) proven twinciphertext pairs in \(O(\ell +\kappa )\). We then show several applications to speedup various zeroknowledge arguments.

Alice generates \(\kappa \) twinciphertext pairs \((C_i,C'_i)_i = (\mathscr {E}_{\oplus }(\mu _i;r_i),\mathscr {E}_{\otimes }(\mu _i;s_i))_i\), for values \(\mu _i\) picked at random over \(\mathbb {Z}_n \), and commits to those pairs (using any commitment scheme);

Bob sends a challenge Open image in new window ;
 Alice opens the \(\kappa \) commitments on the twinciphertext pairs, and for each \(i \le {\kappa }\), she sends

the plaintext \(\mu _i\) and the random coins \((r_i,s_i)\), if \(c_i =0\);

the ratio \(R_i = m/\mu _i\) and the random coins \(\rho _i \leftarrow (R_i \cdot r_i) \odot ((1) \cdot r)\) according to the additive case, and \(\sigma _i \leftarrow (R_i \cdot s_i) \odot ((1) \cdot s)\) according to the multiplicative case — using the notations from Sect. 2.4;

 Bob checks the openings of commitments and

either checks the validity of \((C_i,C'_i)\) with \(\mu _i\) and the random coins;

or computes \(D_i = R_i \bullet C_i \boxplus (1) \bullet C\) and \(D'_i = R_i \bullet C'_i \boxtimes (1) \bullet C'\), according to the relations (1) and (2). Bod then checks whether both \(D_i = \mathscr {E}_{\oplus }(0;\rho _i)\) and \(D'_i = \mathscr {E}_{\otimes }(1;\sigma _i)\) hold.

We prove the security of TCP in the full version [6].
Using \({{\textsf {\textit{com}}}}_{\oplus }\) Instead of Paillier. The Paillier encryption scheme \(\mathscr {E}_{\oplus }()\) in the twinciphertext proof can be replaced by the above perfectly hiding commitment scheme \(\textsf {com} _{\oplus }: (m;r) \mapsto g_t^mh_t^r\), that is also additively homomorphic. But then the proofs become arguments. Alice generates \({\kappa }\) pairs, each pair consisting of an additive commitment and a \({\mathbb {Z}_n ^*} \text {}\textsf {EG}\) ciphertext, and the rest of the proof is exactly the same. We keep using the notation \(\mathscr {E}_{\oplus }()\) below.
Efficient Online TCP . Let us assume that we have already proven that a random twinciphertext pair \(P_i = (\mathscr {E}_{\oplus }(m_i;r_i), \mathscr {E}_{\otimes }(m_i;s_i))\) is correct. When one wants to perform a TCP during a protocol on a new twinciphertext pair \(P = (\mathscr {E}_{\oplus }(m;r),\mathscr {E}_{\otimes }(m;s))\), it is enough to reveal some relations between the random coins of the pairs P and \(P_i\), in order to show that the plaintexts are colinear: if one of them is correct, so is the other. And this can be done without disclosing m (as \(m_i\) is random, disclosing \(m/m_i\) will not reveal m). Thereby, all our protocols are described in the following model: first, in a preprocessing phase, a large pool of random twinciphertext pairs are generated and proven correct with a batch argument. Then, in the online phase, each time a TCP is required, a twinciphertext pair from the pool is used and the player performs a cheap colinearity proof. This proof consumes \(P_i\) and ensures the correctness of the switch.
Refreshing the TwinCiphertext Pool. The expected number of TCPs might not be known to the players; however, once a pool of twinciphertext pairs has been set up, the same batch technique that we describe in the full version [6] can be used to generate \(\ell \) new random twinciphertext pairs, while consuming a single pair of the pool. The batch argument transmits \(O(\ell + \kappa )\) group elements but does not rely on cutandchoose, hence cutandchoose in only needed once, when generating the very first element of the pool.
6.2 ZeroKnowledge Proofs
The pool of twinciphertext pairs allows the players to perform TCPs efficiently. Apart from TCPs, the zeroknowledge proofs needed to enhance ESPs to the malicious setting are classical protocols. For zeroknowledge proofs involving the decryption keys, we have to add the corresponding verification keys in the public key: first, we pick Open image in new window , Open image in new window and set \(h \leftarrow h_0^2\), then we add \((h_p,h_q) = (h^{t_p},h^{t_q})\) and \((u,U) \leftarrow ((1+n)\cdot r_0^{2n} \bmod n^2\), \((1+N)\cdot R_0^{2N} \bmod N^2) \in \mathsf {QR}_{n^2} \times \mathsf {QR}_{N^2} \) to the public key. The latter pair satisfies \(u^d = 1+n \bmod n^2\) and \(U^D = 1+N \bmod N^2\). Second, we set up the commitment scheme \(\textsf {com} _{\oplus }\) previously described. Each time a player performs computations, he commits to the operands if they are not already encrypted, and proves his honest behavior, with a zeroknowledge proof, using the above elements in the public key. Note that in our generic 2PC from ESP, the switches run either sequentially or in parallel, but they are never intertwined; hence, we do not need to use zeroknowledge proofs secure in the concurrent setting (which would be less efficient).
Range Proofs. In the multiplicative to additive direction, a second Paillier encryption scheme is used, with a different modulus N. The plaintext space of this scheme is large enough to ensure that no modular reduction occurs during computations over input ciphertexts encrypting values in \(\{0,\cdots , n1\}\). Thereby, it is necessary to prove that these values are indeed in that range, which is handled by range proofs. The method of [4] provides an efficient (constantcommunication) proof. Hence, we first have to commit to the encrypted value, using a generator of a space with a different modulus \(n' > n\) whose factorization is unknown as in [8, 16]: the plaintext is thus committed over \(\mathbb {Z}_{\lambda (n')}\), a space of unknown order. Then, equality between the encrypted value (over \(\mathbb {Z}_N \)) and the committed value (over \(\mathbb {Z}_{\lambda (n')}\), whose order is unknown) can be proven using [9], and the range proof is performed on the committed value. The soundness of this proof relies on the strong RSA assumption [2, 16] modulo \(n' > n\). We stress that it is necessary that the factorization of \(n'\) is not known by anyone nor shared between the parties, as the strong soundness requirement of our proof of 2PC states that the adversary is given the full secret key; hence, unlike [9], we cannot use \(n' = N\). Note also that \(n'\) can be taken way smaller than N (which has to be large enough to allow for some multiplications without overflow).
We stress that the need of the strong RSA assumption in the security of our constantsize online ESP comes from the range proof, only. To date, there is no constantsize range proof over \(\mathbb {Z}_n\) in the literature whose soundness does not rely on this assumption.
Classical ZeroKnowledge Proofs. Appart from TCP and range proofs, all the proofs are classical zeroknowledge proofs á la Schnorr [36]: Proof of rerandomization of ciphertexts and proof of correct computation of \(R\bullet C\) given \(\textsf {com} _{\oplus }(R)\) are just proofs of exponentiations to the same power either in the same groups or in two groups which one order (\(\mathbb {J}_n \)) is unknown. It is also easy to generate \(\mathscr {E}_{\otimes }(m^{1})\) from \(\mathscr {E}_{\otimes }(m)\), just inverting all the components in \(\mathbb {J}_n \).
6.3 Ensuring Honest Behavior in ESP Protocols
Let us illustrate how TCP are used on the \(\mathbb {Z}_n ^*\text {}\textsf {ESP} \) from Paillier to \({\mathbb {Z}_n ^*} \text {}\textsf {EG} \) (see Fig. 2): Alice sends \((C_A, C'_A)\) and commits to \(R_A\): \(c\leftarrow \textsf {com} _{\oplus }(R_A)\). She makes a \({\textsf {TCP}} \) on the pair \((c,{C'_A}^{1})\), and a classical proof of product to show that \(C_A\) encrypts the product of the value committed in c and the value encrypted in C; combined together, those proofs are enough to ensure Alice’s honest behavior. Additional proofs (including range proofs) are needed in the other direction as it is a more complex case.
 1.
from this game, each time the simulator is asked to perform a zeroknowledge proof, it fakes it instead. This game is indistinguishable from the honest game due to the zeroknowledge property of the proofs;
 2.
from this game, each time the simulator has to commit, the simulator sends a uniformly random commitment. As \(\textsf {com} _{\oplus }\) is perfectly hiding, this game is perfectly indistinguishable from the previous one.
The rest of the gamebased proof is exactly the same as the semihonest proof.
6.4 From Secure ESP to Secure 2PC
We stress that our 2PC protocol is made fully secure as soon as ESPs is secure against malicious adversaries (as well as the 2party decryption procedure at the end of the protocol). This comes from the fact, that apart from ESPs and the final decryption, all the operations are local homomorphic evaluations of public functions on ciphertexts known by both players. The homomorphic operations themselves are deterministic and performed by both players.
A sequence of public operations is followed by either an ESP or, at the very end of the protocol, a 2party decryption. From the strong soundness of the ESP, any honest player is guaranteed that his output of the ESP is necessarily a twin ciphertext of his input, or an abort is triggered. Similarly, in the 2party decryption protocol, an honest player is guaranteed that the output is the plaintext of his input ciphertext, unless an error is raised.
Therefore, an honest player that correctly performs his (local) homomorphic evaluations is also guaranteed of the correct evaluation of the switches and of the decryption: the final answer is necessarily correct, or an error is raised in case of a misbehaving partner.
6.5 Exponential Relations Among Committed Values
We describe several applications of our preprocessing technique. In the following applications, we use a commitment scheme \(\textsf {com} (\cdot )\) we assume to be additively homomorphic. This can either be \(\mathscr {E}_{\oplus }(\cdot )\) (perfectly binding) or the previous \(\textsf {com} _{\oplus }(\cdot )\) (perfectly hiding).
Proof of Knowledge of an Exponential Relation over Committed Values. A prover has sent a tuple \((C_a = \textsf {com} (a), C_b = \textsf {com} (b),d)\) and wishes to prove that \(b = a^d\). Let \(C'_a\) and \(C'_b\) be twin ciphertexts under \(\mathscr {E}_{\otimes }()\) of \(C_a\) and \(C_b\); the prover sends them and proves them with two TCPs. Both players can compute \(D \leftarrow \boxtimes ^d C'_a = \mathscr {E}_{\otimes }(a^d)\). She then proves that D encrypts the same value as \(C'_b\), which can be done since she knows all the random coins.
Extension to the Case of a Committed Exponent. Let us now suppose d has also been committed in \(C_d = \textsf {com} (d)\). The prover sends \(C'_a = (C'_{a0},C'_{a1},\alpha )\), \(C'_b\), and \(C'_d\), twin ciphertexts of \(C_a\) and \(C_d\) respectively, and proves them with two TCPs. The prover computes \(D = (D_0,D_1,D_2) \leftarrow \boxtimes ^d C'_a = \mathscr {E}_{\otimes }(a^d)\), and proves its knowledge of (b, r) such that \(C_b = \textsf {com} (b;r)\), \(D_0 = (C'_{a0})^d\), \(D_1 = (C'_{a1})^d\), and \(D_2 = \alpha ^d\). She then proves that \(C'_b\) and D encrypt the same plaintext.
Proof of Knowledge of a Double Logarithm (or Double Decker Exponentiation). In this case, the prover wants to prove her knowledge of x that satisfies \(X = g^{(h^x)}\), for public values (g, h, X). Such proofs are required for example in some publicly verifiable secret sharing schemes [38], in group signature or group encryption [24]. Let \(n = pq\) be an RSA modulus such that \(\pi = 2n+1\) is a prime. Let g be a generator of a subgroup of \(\mathbb {Z}^*_{\pi }\) of order n. Let h be a generator of \(\mathbb {J}_n \) and x be an element of \(\mathbb {Z}_{\lambda }\). The prover computes \(H \leftarrow h^x\), \(C \leftarrow \mathbb {Z}_n \text {}\textsf {P} \textsf {.}\mathsf {Enc}(H)\), and \(C'\leftarrow \mathbb {J}_n \text {}\textsf {EG} \textsf {.}\mathsf {Enc} (H)\). She sends \((C,C')\), proves that she knows the discrete log of this encrypted value in \(C'\) (a classical Schnorrlike proof), and makes a TCP on \((C,C')\). She then proves her knowledge of H and r such that \(X = g^{H} \bmod \pi \) and \(C = \mathbb {Z}_n \text {}\textsf {P} \textsf {.}\mathsf {Enc}(H;r)\) (again a Schnorrlike proof).
Proof that a Committed Value Is Prime. In [5], the authors design a zeroknowledge proof that a committed value is a product of two safe primes, which has applications in numerous RSAbased protocols. The idea is the following: to prove that a committed number \(\pi \) is a prime, one proves that it passed each step of the Lehmann’s primality test [26, 37], i.e. commit to \(\kappa \) random numbers (in an interactive way to ensure they are random) and for each of the \(\kappa \) random committed a, prove that \(a^{(\pi 1)/2} = \pm 1 \bmod \pi \) by committing to each bit of \((\pi 1)/2\), and by using a zeroknowledge proof for each step of the squareandmultiply algorithm. This can be done way more efficiently with our above proof of knowledge of an exponential relation over a committed exponent, enhanced using the technique from [29] to work modulo a committed value. Overall, we improve [5] by a factor of \(O(\log (\pi ))\). In typical applications, \(\pi \) will be 1024 to 2048 bitlong.
Footnotes
Notes
Acknowledgments
We thank Fabrice Ben Hamouda for the fruitful discussions on the ElGamal variant. This work was supported in part by the European Research Council under the European Community’s Seventh Framework Programme (FP7/20072013 Grant Agreement no. 339563 – CryptoCloud). The second author is supported by the F.R.SFNRS as a postdoctoral researcher.
References
 1.Asharov, G., Lindell, Y., Schneider, T., Zohner, M.: More efficient oblivious transfer extensions with security for malicious adversaries. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 673–701. Springer, Heidelberg (2015)Google Scholar
 2.Barić, N., Pfitzmann, B.: Collisionfree accumulators and failstop signature schemes without trees. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 480–494. Springer, Heidelberg (1997)CrossRefGoogle Scholar
 3.Bayer, S., Groth, J.: Efficient zeroknowledge argument for correctness of a shuffle. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 263–280. Springer, Heidelberg (2012)CrossRefGoogle Scholar
 4.Boudot, F.: Efficient proofs that a committed number lies in an interval. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 431–444. Springer, Heidelberg (2000)CrossRefGoogle Scholar
 5.Camenisch, J.L., Michels, M.: Proving in zeroknowledge that a number is the product of two safe primes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 107–122. Springer, Heidelberg (1999)CrossRefGoogle Scholar
 6.Couteau, G., Peters, T., Pointcheval, D.: Encryption switching protocols. Cryptology ePrint Archive, Report 2015/990 (2015). http://eprint.iacr.org/2015/990
 7.DachmanSoled, D., Malkin, T., Raykova, M., Yung, M.: Efficient robust private set intersection. In: Abdalla, M., Pointcheval, D., Fouque, P.A., Vergnaud, D. (eds.) ACNS 2009. LNCS, vol. 5536, pp. 125–142. Springer, Heidelberg (2009)CrossRefGoogle Scholar
 8.Damgård, I.B., Fujisaki, E.: A statisticallyhiding integer commitment scheme based on groups with hidden order. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 125–142. Springer, Heidelberg (2002)CrossRefGoogle Scholar
 9.Damgård, I.B., Jurik, M.: Client/server tradeoffs for online elections. In: Naccache, D., Paillier, P. (eds.) PKC 2002. LNCS, vol. 2274, pp. 125–140. Springer, Heidelberg (2002)CrossRefGoogle Scholar
 10.Damgård, I.B., Nielsen, J.B.: Universally composable efficient multiparty computation from threshold homomorphic encryption. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 247–264. Springer, Heidelberg (2003)CrossRefGoogle Scholar
 11.Damgård, I., Pastro, V., Smart, N., Zakarias, S.: Multiparty computation from somewhat homomorphic encryption. In: SafaviNaini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 643–662. Springer, Heidelberg (2012)CrossRefGoogle Scholar
 12.Damgård, I., Zakarias, S.: Constantoverhead secure computation of Boolean circuits using preprocessing. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 621–641. Springer, Heidelberg (2013)CrossRefGoogle Scholar
 13.Demmler, D., Schneider, T., Zohner, M.: ABYa framework for efficient mixedprotocol secure twoparty computation. In: Network and Distributed System Security, NDSS (2015)Google Scholar
 14.ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Tran. Inf. Theory 31, 469–472 (1985)MathSciNetCrossRefzbMATHGoogle Scholar
 15.Frederiksen, T.K., Nielsen, J.B., Orlandi, C.: Privacyfree garbled circuits with applications to efficient zeroknowledge. Cryptology ePrint Archive, Report 2014/598 (2014). http://eprint.iacr.org/2014/598
 16.Fujisaki, E., Okamoto, T.: Statistical zero knowledge protocols to prove modular polynomial relations. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 16–30. Springer, Heidelberg (1997)CrossRefGoogle Scholar
 17.Gavin, G., Minier, M.: Oblivious multivariate polynomial evaluation. In: Roy, B., Sendrier, N. (eds.) INDOCRYPT 2009. LNCS, vol. 5922, pp. 430–442. Springer, Heidelberg (2009)CrossRefGoogle Scholar
 18.Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Mitzenmacher, M. (ed.) 41st ACM STOC, pp. 169–178. ACM Press, May/June 2009Google Scholar
 19.Gentry, C., Halevi, S., Jutla, C., Raykova, M.: Private database access with HEoverORAM architecture. Cryptology ePrint Archive, Report 2014/345 (2014). http://eprint.iacr.org/2014/345
 20.Hazay, C., Mikkelsen, G.L., Rabin, T., Toft, T.: Efficient RSA key generation and threshold paillier in the twoparty setting. In: Dunkelman, O. (ed.) CTRSA 2012. LNCS, vol. 7178, pp. 313–331. Springer, Heidelberg (2012)CrossRefGoogle Scholar
 21.Henecka, W., Kögl, S., Sadeghi, A.R., Schneider, T., Wehrenberg, I.: TASTY: tool for automating secure twoparty computations. In: AlShaer, E., Keromytis, A.D., Shmatikov, V. (eds.) ACM CCS 2010, pp. 451–462. ACM Press, October 2010Google Scholar
 22.Huang, Y., Evans, D., Katz, J.: Private set intersection: are garbled circuits better than custom protocols? In: NDSS 2012. The Internet Society, February 2012Google Scholar
 23.Jawurek, M., Kerschbaum, F., Orlandi, C.: Zeroknowledge using garbled circuits: how to prove nonalgebraic statements efficiently. Cryptology ePrint Archive, Report 2013/073 (2013). http://eprint.iacr.org/2013/073
 24.Kiayias, A., Tsiounis, Y., Yung, M.: Group encryption. Cryptology ePrint Archive, Report 2007/015 (2007). http://eprint.iacr.org/2007/015
 25.Kolesnikov, V., Schneider, T.: Improved garbled circuit: free XOR gates and applications. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 486–498. Springer, Heidelberg (2008)CrossRefGoogle Scholar
 26.Kranakis, E.: Primality and Cryptography. Wiley, Hoboken (1986)CrossRefzbMATHGoogle Scholar
 27.Lim, H.W., Tople, S., Saxena, P., Chang, E.C.: Faster secure arithmetic computation using switchable homomorphic encryption. Cryptology ePrint Archive, Report 2014/539 (2014). http://eprint.iacr.org/2014/539
 28.Lindell, Y., Pinkas, B.: Secure twoparty computation via cutandchoose oblivious transfer. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 329–346. Springer, Heidelberg (2011)CrossRefGoogle Scholar
 29.Lipmaa, H.: On diophantine complexity and statistical zeroknowledge arguments. Cryptology ePrint Archive, Report 2003/105 (2003). http://eprint.iacr.org/2003/105
 30.Lipmaa, H., Toft, T.: Secure equality and greaterthan tests with sublinear online complexity. In: Fomin, F.V., Freivalds, R., Kwiatkowska, M., Peleg, D. (eds.) ICALP 2013, Part II. LNCS, vol. 7966, pp. 645–656. Springer, Heidelberg (2013)Google Scholar
 31.Naor, M., Pinkas, B.: Oblivious polynomial evaluation. SIAM J. Comput. 35, 1254–1281 (2006)MathSciNetCrossRefzbMATHGoogle Scholar
 32.Nielsen, J.B., Nordholt, P.S., Orlandi, C., Burra, S.S.: A new approach to practical activesecure twoparty computation. In: SafaviNaini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 681–700. Springer, Heidelberg (2012)CrossRefGoogle Scholar
 33.Paillier, P.: Publickey cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999)CrossRefGoogle Scholar
 34.Pedersen, T.P.: Noninteractive and informationtheoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992)Google Scholar
 35.Ranellucci, S., Tapp, A., Zakarias, R.W.: Efficient generic zeroknowledge proofs from commitments. Cryptology ePrint Archive, Report 2014/934 (2014). http://eprint.iacr.org/2014/934
 36.Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Quisquater, J.J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 688–689. Springer, Heidelberg (1990)Google Scholar
 37.Solovay, R., Strassen, V.: A fast montecarlo test for primality. SIAM J. Comput. 6(1), 84–85 (1977)MathSciNetCrossRefzbMATHGoogle Scholar
 38.Stadler, M.A.: Publicly verifiable secret sharing. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 190–199. Springer, Heidelberg (1996)Google Scholar
 39.Tassa, T., Jarrous, A., BenYa’akov, Y.: Oblivious evaluation of multivariate polynomials. J. Math. Cryptol. 7, 1–29 (2013)MathSciNetCrossRefzbMATHGoogle Scholar
 40.Tople, S., Shinde, S., Chen, Z., Saxena, P.: AUTOCRYPT: enabling homomorphic computation on servers to protect sensitive web content. In: Sadeghi, A.R., Gligor, V.D., Yung, M. (eds.) ACM CCS 2013, pp. 1297–1310. ACM Press, November 2013Google Scholar
 41.Yao, A.C.C.: How to generate and exchange secrets (extended abstract). In: 27th FOCS, pp. 162–167. IEEE Computer Society Press, October 1986Google Scholar
 42.Ye, Q., Wang, H., Pieprzyk, J., Zhang, X.M.: Efficient disjointness tests for private datasets. In: Mu, Y., Susilo, W., Seberry, J. (eds.) ACISP 2008. LNCS, vol. 5107, pp. 155–169. Springer, Heidelberg (2008)CrossRefGoogle Scholar
 43.Yu, C.H., Yang, B.Y.: Probabilistically correct secure arithmetic computation for modular conversion, zero test, comparison, MOD and exponentiation. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 426–444. Springer, Heidelberg (2012)CrossRefGoogle Scholar