Encryption Switching Protocols Revisited: Switching Modulo p
 8 Citations
 3.1k Downloads
Abstract
At CRYPTO 2016, Couteau, Peters and Pointcheval introduced a new primitive called encryption switching protocols, allowing to switch ciphertexts between two encryption schemes. If such an ESP is built with two schemes that are respectively additively and multiplicatively homomorphic, it naturally gives rise to a secure 2party computation protocol. It is thus perfectly suited for evaluating functions, such as multivariate polynomials, given as arithmetic circuits. Couteau et al. built an ESP to switch between Elgamal and Paillier encryptions which do not naturally fit well together. Consequently, they had to design a clever variant of Elgamal over \(\mathbf {Z}/n\mathbf {Z}\) with a costly shared decryption.
In this paper, we first present a conceptually simple generic construction for encryption switching protocols. We then give an efficient instantiation of our generic approach that uses two wellsuited protocols, namely a variant of Elgamal in \(\mathbf {Z}/p\mathbf {Z}\) and the CastagnosLaguillaumie encryption which is additively homomorphic over \(\mathbf {Z}/p\mathbf {Z}\). Among other advantages, this allows to perform all computations modulo a prime p instead of an RSA modulus. Overall, our solution leads to significant reductions in the number of rounds as well as the number of bits exchanged by the parties during the interactive protocols. We also show how to extend its security to the malicious setting.
Keywords
Switching Protocol Encoding Decryption Share Ciphertext Couteaux1 Introduction
Through interactive cryptographic protocols, secure multiparty computation (MPC) allows several parties to compute the image of a preagreed function of their private inputs. At the end of the interaction, anything that a party (or a sufficiently small coalition of parties) has learned from the protocol could have been deduced from its public and secret inputs and outputs. In other words, the adversary’s view can be efficiently forged by a simulator that has only access to the data publicly known by the adversary. This important area of research emerged in the 80s with the works of Yao [46] and Goldreich et al. [22]. Formal security notions can be found in [4, 8, 34]. Initially considered as a theoretical subject due to overly inefficient protocols, MPC has nowadays reached a reasonable complexity and has became relevant for practical purposes [6] especially in the 2party case [31, 33, 40]. Several techniques may be used to design secure multiparty computation. Some recently proposed solutions use or combine tools from oblivious transfer [3, 30], secret sharing with preprocessing [16, 37], garbled circuits [31], homomorphic encryption [11, 15], and somewhat or fully homomorphic encryption [2, 5].
In [10], Couteau et al. formalized an innovative technique to securely compute functions between two players, thanks to interactive cryptographic protocols called encryption switching protocols (ESP). This mechanism permits secure 2party computations against semihonest adversaries (honestbutcurious) as well as malicious adversaries, i.e. opponents which might not follow the specifications of the protocol. Couteau et al.’s proposal relies on a pair of encryption schemes \((\varPi _{+},\varPi _{\times })\) which are respectively additively and multiplicatively homomorphic and which share a common message space. Furthermore, there exists switching algorithms to securely convert ciphertexts between \(\varPi _{+}\) and \(\varPi _{\times }\). More precisely, there exists a protocol \(\mathsf {Switch}_{+\rightarrow \times }\) which takes as input an encryption \(C^+_m\) of a message m under \(\varPi _{+}\), and returns a ciphertext \(C^\times _m\) of the same message m under \(\varPi _{\times }\). Symmetrically, there exists a second protocol \(\mathsf {Switch}_{\times \rightarrow +}\) which computes a ciphertext for m under \(\varPi _{+}\) when given a ciphertext for m under \(\varPi _{\times }\). The advantage of this construction is that it benefits from the intrinsic efficiency of multiplicatively homomorphic encryption like Elgamal [18] or additively homomorphic encryption like Paillier [38]. In [10], Couteau et al. present a natural construction for secure 2party computation from any ESP.
Applications. Twoparty computation is the most important application of an ESP. In [11], an MPC protocol is built from only an additively homomorphic encryption scheme which is a natural alternative to an ESP. The round complexity of their protocol is in \(\mathcal {O}(d)\), where d is the depth of the circuit \(\mathcal {C}\) to be evaluated, and if we suppose that the multiplicative gates can be evaluated in parallel at each level. With an ESP, gathering the additive and multiplicative gates separately would imply a dramatic improvement. Fortunately, the result by Valiant et al. from [45, Theorem 3], states that for any circuit \(\mathcal {C}\) of size s and degree d computing a polynomial f, there is another circuit \(\mathcal {C}'\) of size \(\mathcal {O}(s^3)\) and depth \(\mathcal {O}(\log (s)\log (d))\) which computes the same polynomial f. Moreover, Allender et al. showed that the circuit \(\mathcal {C}'\) is by construction layered (see [1]), in the sense that it is composed of layers whose gates are all the same and alternatively \(+\) and \(\times \). Roughly speaking, \(\mathcal {C}'\) is of the form \((\sum \prod )^{\mathcal {O}(\log (s)\log (d))}\) where \(\sum \) has only additive gates and \(\prod \) has only multiplicative gates. In other words, the polynomial f can be written as a composition of \({\mathcal {O}(\log (s)\log (d))}\) polynomials written in a sparse representation. The ESP allows to treat each \(\sum \) and \(\prod \) independently, so that the number of switches and therefore the number of rounds is essentially \(\mathcal {O}(\log (s)\log (d))\), instead of \(\mathcal {O}(d)\) for [11]. Any enhancement of an ESP will naturally improve any protocol which requires to evaluate on encrypted data a polynomial given in the form of a sum of monomials. Especially it is wellsuited to oblivious evaluation of multivariate polynomials [27, 36, 42] or private disjointness testing [47].
Related Works. The idea of switching between ciphertexts for different homomorphic encryption schemes was first proposed by Gavin and Minier in [20] in the context of oblivious evaluation of multivariate polynomials. They proposed to combine a variant of Elgamal over \((\mathbf {Z}/N\mathbf {Z})^*\) (where N is an RSA modulus) with a GoldwasserMicali encryption protocol [23]. Unfortunately, as noticed by Couteau et al. [10], their design contains a serious flaw which renders their scheme insecure (the public key contains a square root of unity with Jacobi symbol \(1\), which exposes the factorization of N). Another attempt was proposed in [44] with a compiler designed to embed homomorphic computation into C programs to operate on encrypted data. The security of this construction relies on a very strong assumption since switching between the encryption schemes is done using a secure device which decrypts and reencrypts using the secret key. In [29], Lim et al. proposed a primitive called switchable homomorphic encryption implemented using Paillier and Elgamal, in the context of computation on encrypted data. Again, this proposal uses an insecure version of Elgamal, which does not satisfy the indistinguishability under a chosen plaintext attack. It is indeed very difficult to design two compatible encryption schemes from unrelated protocols like Paillier and Elgamal. Couteau et al. managed to tune Elgamal so that it can switch with Paillier, but their construction remains fairly expensive. In particular, they constructed a variant of Elgamal over \((\mathbf {Z}/n\mathbf {Z})^*\), where n is an RSA modulus, which is the same as the Paillier modulus. As Elgamal is secure only in the subgroup \(\mathbf {J}_n\) of \((\mathbf {Z}/n\mathbf {Z})^*\) of elements of Jacobi symbol \(+1\), they need a careful encoding of the group \((\mathbf {Z}/n\mathbf {Z})^*\). The security relies on the DDH assumption in \(\mathbf {J}_n\) and the quadratic residuosity assumption in \((\mathbf {Z}/n\mathbf {Z})^*\). Because their Elgamal variant does not support a simple 2party decryption (a Paillier layer has to be added to Elgamal in order to simulate a threshold decryption), the switching protocols are intricate and specific to their construction.
Our Contributions and Overview of Our Results. In this paper, we first propose a generic ESP inspired by Couteau et al.’s solid basis. Our construction relies on the existence of an additively homomorphic encryption \(\varPi _{+}\) and a multiplicatively homomorphic encryption \(\varPi _{\times }\) which support a 1round threshold decryption and achieve classical security properties (INDCPA and zeroknowledge of the 2party decryption). Because the message spaces must be compatible, we suppose that \(\varPi _{+}\) works over a ring \(\mathcal {R}\) and \(\varPi _{\times }\) over a monoid \(\mathcal {M}\) with \(\mathcal {R}\cap \mathcal {M}= \mathcal {R}^*\) where \(\mathcal {R}^*\) is the set of invertible elements of \(\mathcal {R}\). A major issue when designing an ESP is to embed the zero message^{1} into the message space for \(\varPi _{\times }\), while preserving the homomorphic and security properties. In Sect. 4.2, we propose a generic technique to do so, inspired by the approach employed in [10]. Contrary to their construction, our switching protocols over \(\mathcal {R}^*\) (i.e. without the zeromessage) are symmetrical, i.e. both \(\mathsf {Switch}_{+\rightarrow \times }\) and \(\mathsf {Switch}_{\times \rightarrow +}\) follow the same elementary description given in Fig. 3. This is possible for two reasons: first because we suppose that both \(\varPi _{+}\) and \(\varPi _{+}\) admit a single round 2party decryption, and second because they both possess a \(\mathsf {ScalMul}\) algorithm which takes as input a ciphertext of m and a plaintext \(\alpha \) and outputs a ciphertext of \(\alpha \times m\) (which is why we consider a ring as the message space for \(\varPi _{+}\) instead of an additive group).
Besides, they are very efficient: as detailed in Sect. 5.3, they only require 2 rounds, whereas Couteau et al.’s \(\mathsf {Switch}_{\times \rightarrow +}\) needs 6. Our full switching protocols work over \(\mathcal {R}^* \cup \{0\}\). They are built on top of the switching protocols over \(\mathcal {R}^*\) (i.e. without 0), plus some additional tools like 2party reencryption, encrypted zero test, and a 2party protocol to homomorphically compute a product under \(\varPi _{+}\) (see Fig. 1). Our security proofs are simpler than Couteau et al.’s. In terms of round complexity, the savings are substantial: our full ESP protocols require 7 and 4 rounds respectively, whereas Couteau et al’s ESP need 7 and 11.
In a second part, we propose an efficient instantiation of our generic protocol over the field \(\mathbf {Z}/p\mathbf {Z}\). Working over \(\mathbf {Z}/p\mathbf {Z}\) has several advantages compared to \(\mathbf {Z}/n\mathbf {Z}\) (for an RSA modulus n): it means true message space equality, instead of computational equality. It also means faster arithmetic by carefully choosing the prime p. Our instantiation combines a variant of Elgamal together with the CastagnosLaguillaumie additively homomorphic encryption from [9]. Because Elgamal is only secure in the subgroup of squares modulo p, our variant over \(\mathbf {Z}/p\mathbf {Z}^*\), denoted \(\mathsf {Eg}^*\), encodes the messages into squares and adds the encryption of a witness bit (i.e. the Legendre Symbol) under GoldwasserMicali [23] for its homomorphic properties modulo 2. For \(\varPi _{+}\), we use a variant of the CastagnosLaguillaumie encryption scheme (\(\mathsf {CL}\)) described in [9, Sect. 4]. We work over (subgroups of) the class group of an order of a quadratic field of discriminant \(\varDelta _p = p^3\). Computations are done in this class group. The elements are represented by their unique reduced representative, i.e. by two integers of size \(\sqrt{\varDelta _p}\). Thus, an element of the class group requires \(3\log {p}\) bits. Under slightly different security assumptions, it is possible to further reduce the size of the elements and to achieve a better bit complexity. We discuss these implementation options in Sect. 5.3 and compare their costs with the ESP from Couteau et al. [10]. Our ESP protocol reduces the round complexity by a factor of almost 3 in the \(\times \rightarrow +\) direction, while remaining constant in the other direction. Using the variant of \(\mathsf {CL}\) optimized for size, the bit complexity is also significantly reduced in the \(\times \rightarrow +\), while remaining in the same order of magnitude in the other.
We also propose improvements on \(\mathsf {CL}\) that can be on independent interest. That system makes exponentiations in a group whose order is unknown but where a bound is known. We show that using discrete Gaussian distribution instead of uniform distribution improves the overall computational efficiency of the scheme. Moreover in order to use our generic construction, we devise a 2party decryption for \(\mathsf {CL}\).
Eventually we discuss in Sect. 6 how to adapt our generic construction and our instantiation against malicious adversaries.
2 Cryptographic Building Blocks
In this section, we recall some classical definitions and operations that will be useful in the rest of the paper.
2.1 Homomorphic Encryption Schemes
In Sect. 3, we will give a definition of Encryption Switching Protocols (ESP), previously proposed in [10]. An ESP allows to switch a ciphertext under an encryption protocol \(\varPi _1\) into a ciphertext under another encryption protocol \(\varPi _2\), and vice versa. ESP require the protocols \(\varPi _1\) and \(\varPi _2\) to be (partially) homomorphic. In this paper, we consider ESP between an additively homomorphic encryption \(\varPi _{+}\) and a multiplicatively homomorphic encryption \(\varPi _{\times }\).
In Definitions 1 and 2 below, we define \(\varPi _{+}\) and \(\varPi _{\times }\) formally in a generic context. An additive homomorphic encryption is most commonly defined over a group. In our setting, \(\varPi _{+}\) is defined over a ring \(\mathcal {R}\) to guarantee that for \(m, m' \in \mathcal {R}\), the product \(m \times m'\) is well defined. For genericity \(\varPi _{\times }\) is defined over an algebraic structure with a single associative binary operation (denoted \(\times \)) and an identity element; i.e. a monoid. By doing so, our definition encapsulates encryption schemes over \((\mathbf {Z}/pq\mathbf {Z})^* \cup \{0\}\) (with p, q primes) such as [10], as well as our instantiation over \(\mathbf {Z}/p\mathbf {Z}\) presented in Sect. 5.
Definition 1
(Additively homomorphic encryption). Let \((\mathcal {R}\), \(+\), \(\times \), \(1_{\mathcal {R}}\), \(0_{\mathcal {R}})\) be a ring. An additively homomorphic encryption scheme over the message space \(\mathcal {R}\) is a tuple \( \varPi _{+}= (\mathsf {Setup},\mathsf {KeyGen},\mathsf {Encrypt},\mathsf {Decrypt},\mathsf {Hom}_+, \mathsf {ScalMul}) \) such that:
\(\mathsf {Setup}\) is a PPT algorithm which takes as input a security parameter \(1^\lambda \) and outputs public parameters \(\mathsf{params}\) (these public parameters will be omitted in the algorithms’ inputs).
\(\mathsf {KeyGen}\) is a PPT algorithm taking public parameters as inputs and outputting a pair of public and secret key (pk, sk).
\(\mathsf {Encrypt}\) is a PPT algorithm which takes as input some public parameters, a public key pk and a message \(m \in \mathcal {R}\), and outputs an encryption c.
\(\mathsf {Decrypt}\) is a PPT algorithm which takes as input public parameters, a public key pk (omitted in \(\mathsf {Decrypt}\)’s input), a secret key sk and a ciphertext c, and outputs a message \(m \in \mathcal {R}\).
\(\mathsf {Hom}_+\) is a PPT algorithm which takes as inputs some public parameters, a public key pk and two ciphertexts c and \(c'\) of \(m \in \mathcal {R}\) and \(m' \in \mathcal {R}\) respectively, and outputs a ciphertext \(c''\) such that \(\varPi _{+}{.}\mathsf {Decrypt}(sk,c'') = m + m' \in \mathcal {R}\).
\(\mathsf {ScalMul}\) is a PPT algorithm which takes as inputs some public parameters, a public key pk, a ciphertext c of \(m \in \mathcal {R}\) and a plaintext \(\alpha \in \mathcal {R}\), and outputs a ciphertext \(c'\) such that \(\varPi _{+}{.}\mathsf {Decrypt}(sk,c') = \alpha \times m \in \mathcal {R}\).
Remark 1
A generic algorithm for computing \(\varPi _{+}{.}\mathsf {ScalMul}(pk, c, \alpha )\) is given by \(\mathsf {2Mul}_{+}(c, \varPi _{+}{.}\mathsf {Encrypt}(\alpha ))\), where \(\mathsf {2Mul}_{+}\) is an interactive PPT algorithm which computes homomorphically the product of two ciphertexts for \(\varPi _{+}\). \(\mathsf {2Mul}_{+}\) is defined more formally in Sect. 2.3. For our instantiation we provide a noninteractive, more efficient version over \(\mathbf {Z}/p\mathbf {Z}\) (see Sect. 5).
Definition 2
(Multiplicatively homomorphic encryption). Let \((\mathcal {M}\), \(\times \), \(1_{\mathcal {M}})\) be a monoid. A multiplicatively homomorphic encryption scheme over the message space \(\mathcal {M}\) is \(\varPi _{\times }= (\mathsf {Setup},\mathsf {KeyGen},\mathsf {Encrypt}, \mathsf {Decrypt},\mathsf {Hom}_\times , \mathsf {ScalMul})\) such that:
\(\mathsf {Setup}\), \(\mathsf {KeyGen}\), \(\mathsf {Encrypt}\) and \(\mathsf {Decrypt}\) as in Definition 1 except that \(\mathsf {Encrypt}\) and \(\mathsf {Decrypt}\) receives the input messages from \(\mathcal {M}\) instead of \(\mathcal {R}\).
\(\mathsf {Hom}_\times \) is a PPT algorithm which takes as input some public parameters, a public key pk and two ciphertexts c and \(c'\) of \(m \in \mathcal {M}\) and \(m' \in \mathcal {M}\) respectively, and outputs a ciphertext \(c''\) such that \(\varPi _{\times }{.}\mathsf {Decrypt}(sk,c'') = m \times m' \in \mathcal {M}\).
\(\mathsf {ScalMul}\) is a PPT algorithm which takes as inputs some public parameters, a public key pk, a ciphertext c of \(m \in \mathcal {M}\) and a plaintext \(\alpha \in \mathcal {M}\), and outputs a ciphertext \(c'\) such that \(\varPi _{\times }{.}\mathsf {Decrypt}(sk,c') = \alpha \times m \in \mathcal {M}\).
Remark 2
A generic algorithm for computing \(\varPi _{\times }{.}\mathsf {ScalMul}(pk, c, \alpha )\) is given by \(\varPi _{\times }{.}\mathsf {Hom}_\times (pk, c, c')\), where \(c' = \varPi _{\times }{.}\mathsf {Encrypt}(pk, \alpha )\). In Sect. 5, we provide a more efficient version over \((\mathbf {Z}/p\mathbf {Z})^*\).
The above encryption schemes must be correct in the usual sense. Moreover, we consider as a security requirement the indistinguishability under a chosen plaintext attack (INDCPA). We refer the reader to e.g., [25] for the standard definition of INDCPA.
2.2 One Round 2Party Decryption
A crucial feature of the encryption protocols which are used in the ESP is the fact that they support a 2party decryption (threshold cryptosystems were introduced in [17]). These encryption schemes are equipped with a Share procedure that is run by a trusted dealer, which works as follows: it takes as input a pair of keys (sk, pk) obtained from the \(\mathsf {KeyGen}\) algorithm and produces two shares \(sk_A\) and \(sk_B\) of the secret key sk. It outputs \((sk_A,sk_B)\) and an updated public part still denoted pk. Its decryption procedure is an interactive protocol denoted \(2\mathsf {Dec}\) which takes as inputs the public parameters, a ciphertext c, and the secret key of each participant \(sk_A\) and \(sk_B\) and outputs a plaintext m which would have been obtained as \(\mathsf {Decrypt}(sk, c)\).
Contrary to the classical definition of threshold decryption, we suppose that the protocol is in a single round. The protocol \(2\mathsf {Dec}(pk, c; sk_A; sk_B)\) is supposed as follows: Alice starts the protocol and sends her information in one flow to Bob which ends the computation and gets the plaintext. This is because in our context, we do not decrypt plaintexts but plaintexts which are masked by a random element. For example, protocols whose decryption only performs exponentiations with secret exponents gives one round 2party decryption by sharing the exponentiations. This is the case for many cryptosystems.
The semantic security is adapted from the standard INDCPA notion by giving the adversary one of the two secret keys, as well as a share decryption oracle which simulate the party with the other secret key. A formal definition can be found for instance in [11, 41].
We need as an additional security requirement the notion of zeroknowledge defined in Appendix A, which means that no information on the secret keys are leaked during an interaction with a curious adversary. Cryptosystems like Elgamal [17] or Paillier [19] satisfy all these properties. We will propose a variant of Elgamal and a variant of CastagnosLaguillaumie [9] that satisfy also these properties in Sect. 5.
2.3 Homomorphically Computing a Product with \(\varPi _+\)
Theorem 1
Let \(\varPi _+\) be an additively homomorphic encryption scheme with a zeroknowledge one round 2party decryption. Then, the protocol described in Fig. 1 is correct and zeroknowledge.
Proof
The correctness follows from the correctness of the encryption scheme and its homomorphic properties. Let us prove first that it is zeroknowledge for Alice. We describe a simulator \(\mathsf{Sim}\) whose behavior is indistinguishable from Alice’s behavior in front of an adversarial Bob. The simulator receives as input the public key \(pk_+\) and will set \(\mathsf{Sim}_\mathsf{Share}\) as follows: it calls out \(\mathsf{Sim}^{2d}_\mathsf{Share}\) procedure of the zeroknowledge property of 2party decryption for \(\varPi _{+}\) with \(pk_+\) as input. It obtains a simulated share \(sk_B=x_B^+\) and feeds the adversary with it. When \(\mathsf{Sim}\) is requested for the 2party computation of \(C^+_{XY}\) from \(C_X^+\) and \(C_Y^+\), it receives a pair of \(((C_X^+,C_Y^+),\bar{C})\) where \(\bar{C}\) is a ciphertext of XY, it does the following to simulate \(C^+_{rX},C^+_{r+Y}\) and \(C_A\): First, It picks R at random in the plaintext space and sets \(C^+_{r+Y}=\mathsf {Encrypt}(pk,R)\). Then it uses the simulator for the zeroknowledge for Alice of the 2party decryption \(\mathsf{Share}^{2d}_{A}(C^+_{r+Y},R,x_B^+)\) so that Bob decrypts R (which is equivalent to \({\mathsf {Decrypt}}(sk,C^+_{r+Y})\)). Eventually, it sets \(C_{rX}=\mathsf {Hom}_+(\bar{C},\mathsf {ScalMul}(C_X^+,R))\). This ciphertext encrypts \(XYRX\) so that Bob’s final \(\mathsf {Hom}_+\) evaluation will cancel out the RX part and lead to \(\bar{C}\).
The simulated view is the same as a genuine one with \(R=r+Y\), which means that they are indistinguishable, and the protocol is zeroknowledge for Alice. The protocol is obviously zeroknowledge for Bob: Bob’s contribution is simulated by just sending \(\bar{C}\). \(\square \)
2.4 2Party Reencryption
The final tool we need to build our encryption switching protocol is an interactive 2party protocol to reencrypt a ciphertext from an encryption scheme \(\varPi _+\) intended to pk into a ciphertext of the same encryption scheme of the same message, but intended to another key \(pk'\). This protocol is depicted in Fig. 2. Note that the initial ciphertext to be transformed is not known to Bob. This protocol readily extends to the multiplicative case, which is useless for our purpose. With a proof similar to the proof of Theorem 1, we showed that
Theorem 2
Let \(\varPi _+\) be an additively homomorphic encryption scheme with a zeroknowledge one round 2party decryption then the protocol described in Fig. 2 is correct and zeroknowledge.
3 Encryption Switching Protocols
The global scenario is established as follows: two semantically secure threshold homomorphic encryption schemes, one additive, and the other multiplicative, are at the disposal of two players. A public key is provided for each protocols, and the matching secret key is shared among the players by a trusted dealer. Ideally, these two encryption schemes should have the same plaintext space, which is assumed to be a ring or a field. An encryption switching protocols makes it possible to interactively transform a ciphertext from a source encryption scheme into a ciphertext for the other encryption scheme (the target one) and vice versa. The formal definitions are given in the following paragraphs.
Definition 3
(Twin ciphertexts). Let \(\varPi _+\) and \(\varPi _\times \) be two different encryption schemes with plaintext and ciphertext spaces respectively \(\mathcal {M}_+,\mathcal {C}_+\) and \(\mathcal {M}_\times ,\mathcal {C}_\times \). If \(C^+_m\in \mathcal {C}_+\) and \(C^\times _m \in \mathcal {C}_\times \) are two encryptions of the same message \(m \in \mathcal {M}_+\cap \mathcal {M}_\times \), they are said to be twin ciphertexts.
We will say that two ciphertexts from the same encryption scheme which decrypt to the same plaintext are equivalent.
Definition 4

\(\mathsf{Share}((pk_+,sk_+),(pk_\times ,sk_\times )) \rightarrow (pk,sk_A,sk_B)\): It is a protocol (run by \(\mathcal {D}\)) which takes as input two pairs of keys \((pk_+,sk_+)\) and \((pk_\times ,sk_\times )\) produced from \(\varPi _+{.}\mathsf {KeyGen}\), \(\varPi _\times {.}\mathsf {KeyGen}\) and Setup. It outputs the shares \(sk_A\) (sent to A) and \(sk_B\) (sent to B) of \((sk_+,sk_\times )\) and updates the public key pk.

\(\mathsf{Switch}_{\mathsf{way}}((pk,sk_A,c),(pk,sk_B,C)) \rightarrow C' \text { or } \perp \): It is an interactive protocol in the direction \(\mathsf{way} \in \{+ \rightarrow \times , \times \rightarrow +\}\) which takes as common input the public key and a ciphertext C under the source encryption scheme and as secret input the secret shares \(sk_A\) and \(sk_B\). The output is a twin ciphertext \(C'\) of C under the target encryption scheme or \(\perp \) if the execution encountered problems.
Definition 5
An encryption switching protocols \(\varPi _+ \rightleftharpoons \varPi _\times \) is zeroknowledge for A if there exists an efficient simulator \(\mathsf{Sim} = (\mathsf{Sim}_\mathsf{Share},\mathsf{Sim}_A)\) which simulates the sharing phase and the player A.
The subroutine \(\mathsf{Sim}_\mathsf{Share}\) takes as input a public key \((pk_+,pk_\times )\) and outputs \((pk',sk'_B)\) that simulates the public key obtained from the Share algorithm and Bob’s share of the secret key.
The subroutine \(\mathsf{Sim}_A\) takes as input a direction \(\mathsf{way} \in \{+\rightarrow \times , \times \rightarrow +\}\), a source ciphertext C, a twin ciphertext \(\bar{C}\) and a flow flow. It emulates the output of an honest player A would answer upon receiving the flow flow when running the protocol \(\mathsf{Switch}_{\mathsf{way}}((pk,sk_A,C),(pk,sk_B,C))\) without \(sk_A\) but possibly \(sk_B\), and forcing the output to be a ciphertext \(C'\) which is equivalent to \(\bar{C}\).
We define similarly an encryption switching protocols \(\varPi _+ \rightleftharpoons \varPi _\times \) that is zeroknowledge for B. It is zeroknowledge if it is zeroknowledge for A and B.
4 Generic Construction of an ESP on a Ring
We describe in this section a generic construction of an encryption switching protocol in the semihonest model. Even though an ESP could allow to switch between any encryption schemes, its main interest is when its implemented with homomorphic encryptions. Therefore, we start with an additively homomorphic encryption \(\varPi _+\) and a multiplicatively homomorphic encryption \(\varPi _\times \) whose message space is respectively a ring \(\mathcal {R}\) and a monoid \(\mathcal {M}\). To fit most of the applications, we will make the assumption that \(\mathcal {M}= \mathcal {R}^*\), the subgroup of invertible elements of \(\mathcal {R}\), since in general the multiplicative homomorphic encryption will have a group as message space. In particular, this means that the intersection over which the switches are defined is \(\mathcal {R}\cap \mathcal {M}=\mathcal {R}^*\).
As in [10], in the first place, we are going to describe how we can switch between \(\varPi _{+}\)encryptions and \(\varPi _{\times }\)encryptions over \(\mathcal {R}^*\). Then we will show how to modify \(\varPi _\times \) in order to extend its message space to \(\mathcal {R}^*\cup \{0\}\).
Definition 6
(Compatible encryption protocols). Let \((\mathcal {R},+,\times )\) be a ring. Let \(\varPi _{+}\) and \(\varPi _{\times }\) be an additively and multiplicatively homomorphic encryption in the sense of Definitions 1 and 2. They are said to be compatible if \(\varPi _{+}\) and \(\varPi _{\times }\) have respectively \(\mathcal {R}\) and \(\mathcal {R}^*\) as message space, both of them admit a oneround 2party decryption as defined in Sect. 2.2, there exists a common setup algorithm \(\mathsf{Setup}\) and common \(\mathsf{KeyGen}\) which allows to set common parameters.
Remark 3
To illustrate this, our instantiation (resp. Couteau et al.’s instantiation) switches between an additively homomorphic encryption whose message space is the field \((\mathbf {Z}/p\mathbf {Z},+,\times )\) (resp. the ring \((\mathbf {Z}/N\mathbf {Z},+,\times )\)) and a multiplicative homomorphic encryption whose message space is the group \(((\mathbf {Z}/p\mathbf {Z})^*,\times )\) (resp. \(((\mathbf {Z}/N\mathbf {Z})^*,\times )\)) and the former is modified so that its message space is the monoid \((\mathbf {Z}/p\mathbf {Z},\times )\) (resp. \(((\mathbf {Z}/N\mathbf {Z})^*\cup \{0\},\times )\)). In particular, Couteau et al.’s make the additional algorithmic assumption that \((\mathbf {Z}/N\mathbf {Z})^*\) is computationally equal to \(\mathbf {Z}/N\mathbf {Z}\).
Share Protocol of the ESP. The keys of \(\varPi _{+}\) and \(\varPi _{\times }\) are first shared by a trusted dealer, this corresponds to the Share algorithm from Definition 4. From public parameters generated using the common Setup algorithm and two pairs of keys \((pk_+,sk_+)\) and \((pk_\times ,sk_\times )\) it outputs the secret share \(sk_A=(sk_A^+,sk_A^\times )\) for Alice and \(sk_B=(sk_B^+,sk_B^\times )\) for Bob using the Share procedures of the 2party decryption of \(\varPi _{+}\) and \(\varPi _{\times }\).
4.1 Switching Protocols over \(\mathcal {R}^*\)
We describe here the two 2party switching protocols from an additive homomorphic encryption of m to a multiplicative one and vice versa. Contrary to Couteau et al.’s protocol [10], the two protocols are actually the same since both the additive and the multiplicative scheme support a \(\mathsf {ScalMul}\) operation and a singleround 2party decryption. It is important to note that in our instantiation, the round complexity is only 2, since the first ciphertext \(C^{(2)}_{R^{1}}\) can be sent within the flow of the 2party decryption which is only one round (cf. Sect. 2.2 or Figs. 9 and 11). We suppose that \(m \ne 0\) here, and more precisely the message to be switched lies in \(\mathcal {R}\cap \mathcal {M}= \mathcal {R}^*\).
The correctness of these two protocols is clear. They are generic and the switch from \(\varPi _{\times }\) to \(\varPi _{+}\) is highly simpler than the one in [10] (ours is 2round instead of 6round) and our instantiation will keep this simplicity. We prove in the following theorem that they are zeroknowledge, and the security proof itself is also very simple. It only relies on the zeroknowledge property of the shared decryptions.
Theorem 3
The ESP between \(\varPi _+\) and \(\varPi _\times \), whose switching routines are described in Fig. 3, is zeroknowledge if \(\varPi _+\) and \(\varPi _\times \) are two compatible encryption schemes which have zeroknowledge one round 2party decryptions.
Proof
The proof consists in proving that after a share of the secret keys, both switching procedures are zeroknowledge for Alice and Bob. Let us start with the proof that the ESP is zeroknowledge for Alice. We are going to describe a simulator \(\mathsf{Sim}\) whose behavior is indistinguishable from Alice’s behavior in front of an adversarial Bob.
\(\mathsf{Sim_\mathsf{Share}}\): The simulator receives as input the public key \((pk_+,pk_\times )\) and simulates the \(\mathsf{Share}\) procedure as follows: it calls out the \(\mathsf{Sim}^{2d}_\mathsf{Share}\) procedures of the zeroknowledge property of Alice for 2party decryption of respectively \(\varPi _{+}\) and \(\varPi _{\times }\) with \(pk_+\) and \(pk_\times \) as input. In particular it obtains \(sk_B'=(x_B^+,x_{B}^\times )\) it can feed the adversary with. When \(\mathsf{Sim}\) is requested for a switch, it receives a pair of twin ciphertexts \((C,\bar{C})\).
Game \(G_0\) . This game is the real game. The simulator generates all the secret shares in an honest way and gives his share to Bob. It plays honestly any switching protocols on an input \((C,\bar{C})\) using Alice’s secret key.
Game \(G_1\) . The first modification concerns the additive to multiplicative direction. The setup and key generation are the same as in the previous game. When requested to participate to a \(\mathsf{Switch}_{+\rightarrow \times }\), with \((C,\bar{C})\) as input, the simulator picks uniformally at random \(x \in \mathcal {R}^*\) and sets \(C^+_{mR} = \varPi _+{.}\mathsf {Encrypt}(x)\) and \(C^\times _{R^{1}}=\varPi _\times {.}\mathsf {ScalMul}(\bar{C},x^{1})\). The simulator then concludes the protocol honestly. This game is indistinguishable from the previous since, as x is random, it is equivalent to a genuine protocol using \(R = x/m\), where m is the plaintext under C and \(\bar{C}\).
Game \(G_2\) . In this game, we modify the shared decryption for \(\varPi _+\) using the simulator of 2party decryption. First, the simulation gives the key \(x_{B}^+\) obtained by the simulation of the shares to Bob. Then after \(\mathsf{Sim}\) simulated the pair \((C^+_{mR},C^\times _{R^{1}})\) as above, it uses the simulator \(\mathsf{Sim}^{2d}_A(C^+_{mR},x,x_B^+,\cdot )\) for the 2party decryption of \(\varPi _{+}\) to interact with Bob, where \(C^+_{mR}\) is an encryption of x. Thanks to the property of this simulator this game is indistinguishable from the previous one (note that the key \(x_{B}^+\) is only used in that part of the protocol). Eventually, the last computation done by Bob, \(\varPi _{\times }{.}\mathsf {ScalMul}(C^\times _{R^{1}},x)\) gives a multiplicative ciphertext of m equivalent to \(\bar{C}\).
Game \(G_3\) . In this game, we address the multiplicative to additive way. The setup and key generation are the same as in the previous games. As in Game \(G_1\), when requested to participate to a \(\mathsf{Switch}_{\times \rightarrow +}\), with \((C,\bar{C})\) as input, the simulator picks uniformally at random \(x\in \mathcal {R}^*\) and sets \(C^\times _{mR} = \varPi _{\times }{.}\mathsf {Encrypt}(x)\) and \(C^+_{R^{1}}=\varPi _{+}{.}\mathsf {ScalMul}(\bar{C},x^{1})\). Then, \(\mathsf{Sim}\) continues honestly the protocol. This game is indistinguishable from the previous one.
Game \(G_4\) . The shared \(\varPi _\times \) decryption is modified as in Game \(G_2\). The simulation now gives the simulated key \(x_{B}^\times \) to Bob and then uses the simulator for the 2party decryption of \(\varPi _{\times }\) with ciphertext \(C^\times _{mR}\) and corresponding plaintext x. Thanks to the property of this simulator this game is indistinguishable from the previous one. Again, Bob’s last computation \(\varPi _{+}{.}\mathsf {ScalMul}(C^+_{R^{1}},x)\) gives a ciphertext equivalent to \(\bar{C}\).
In conclusion, the advantage of the attacker is negligible.
We now prove that the ESP is zeroknowledge for Bob, by describing a simulator Sim whose behavior is indistinguishable from Bob’s behavior in front of an adversarial Alice. The simulator receives as input the public key \(pk= (pk_+,pk_\times )\) and simulates the \(\mathsf{Share}\) procedure as above and feed the adversary (Alice) with the corresponding secret key. When \(\mathsf{Sim}\) is requested for a switch, it receives a pair of twin ciphertexts \((C,\bar{C})\). In both directions, the simulation is trivial, since Bob’s only flow is the final forward of the twin ciphertext (we have suppose that the 2party decryption has only one round from Alice to Bob), which is done by sending the \(\bar{C}\) ciphertext. This is indistinguishable from a true execution since \(\bar{C}\) is a random ciphertext which encrypts the same plaintext that C. \(\square \)
4.2 Modification of \(\varPi _\times \) to Embed the Zero Message
One technical issue to design switching protocols between \(\varPi _+\) and \(\varPi _\times \) is to embed the zero message into \(\varPi _\times \)’s message space so that the message spaces match. To do so, we need to modify the \(\varPi _\times \) encryption. We will use a technique quite similar to those in [10]: During their encryption, if the message m is equal to 0, a bit b is set to 1. It is set to 0 for any other message. Then, the message \(m+b\) (which is never 0) is encrypted using their Elgamal encryption. As this encryption scheme is no longer injective, to discriminate an encryption of 0, the ciphertext is accompanied by two encryptions under classical Elgamal of \(T^b\) and \(T'^b\) where \(T,T'\) are random elements. We note that these two encryptions are in fact encryptions of b which are homomorphic for the or gate: If \(b=0\), we get an Elgamal encryption of 1 and if \(b=1\), an Elgamal encryption of a random element (which is equal to 1 only with negligible probability). Thanks to the multiplicativity of Elgamal, if we multiply an encryption of b and an encryption of \(b'\), we get an Elgamal encryption of 1 only if \(b=b'=0\) and an Elgamal encryption of a random element otherwise. In [10] the second encryption of b is actually an extractable commitment, the corresponding secret key is only known by the simulator in the security proof.
The protocol \(\varPi _\times ^0\) directly inherits the indistinguishability under a chosen message attack from those of \(\varPi _\times \) and \(\varPi _+\). By a standard hybrid argument, we can prove the following theorem, whose proof is omitted.
Theorem 4
If \(\varPi _+\) and \(\varPi _\times \) are INDCPA, then \(\varPi _\times ^0\) is also INDCPA.
4.3 Full Switching Protocols
Encrypted ZeroTest. In [10] an encrypted zero test (EZT) to obliviously detect the zero messages during switches is presented. In our case, EZT takes as input a ciphertext \(C^+_m\) from the additively homomorphic encryption \(\varPi _+\) of a message m and outputs a \(\varPi _+\) ciphertext \(C^+_{b}\) of a bit b equals to 1 if \(m=0\) and equals to 0 otherwise. The EZT has to be zeroknowledge in the sense that there exists an efficient simulator for each player which, on input a pair of twin ciphertext \((C,\bar{C})\), is indistinguishable from these honest players. This simulator runs without the secret share of the user it simulates.
During the security proof, the simulator will obtain the bit b thanks to the knowledge of the secret key which decrypts the additional encryption of r appended during encryption (see Fig. 4).
4.4 2Party ESP Between \(\varPi _+{.}\mathsf {Encrypt}(m)\) and \(\varPi _\times ^0{.}\mathsf {Encrypt}(m)\)
The protocol of Fig. 6 is quite similar to the one of [10]. First we use the \(\mathsf {EZT}\) subprotocol to get a \(\varPi _{+}\) encryption of the bit b. A notable difference with the protocol of [10] is that this encryption of b can be used directly to set an element of the ciphertext for \(\varPi _{+}^0\), which saves many rounds in the interaction. Since the bit b is encrypted twice (this second encryption is only used during the security proof), the \(\mathsf{ReEnc}_+\) protocols allows to reencrypt the output of \(\mathsf {EZT}\) to the right public key. Then, thanks to the homomorphic property of the \(\varPi _{+}\) scheme, Alice can construct an additive encryption of \(m+b\) and the \(\mathsf{Switch}_{+ \rightarrow \times }\) protocol of Fig. 3 is used to get the \(\varPi _{+}\)encryption of \(m+b\). The two ciphertexts of b are randomized to get a proper multiplicative ciphertext.
In Fig. 7, starting from a multiplicative ciphertext of m, we run an \(\mathsf{Switch}_{\times \rightarrow +}\) with the first component of \(C_m^\times \), which is a \(\varPi _{\times }\)encryption of \(m+b\). Hence, we get \(C^+_{m+b}\). Then, we run the \(\mathsf{EZT}\) protocol on the second component \(C_r^+\) and the output the encryption of a bit \(b'\) whose value is 1 when \(r = 0\), i.e., when \(b=0\) and 0 otherwise. Therefore \(b'=\bar{b}\) and \(\mathsf{EZT}\) actually outputs an encryption of \(\bar{b}\). It is now possible to homomorphically remove the bit b remaining in the \(\varPi _{+}\)encryption of \(m+b\), \(C_{m+b}^+\). Inspired by the implicit technique used in [10], we use the \(\mathsf {2Mul}_{+}\) protocol to obtain, from \(C_{\bar{b}}^+\) and \(C_{m+b}^+\), a \(\varPi _{+}\)encryption of \((m+b)\bar{b}\) which is equal to a \(\varPi _{+}\)encryption of m.
Note that we can not simply use the fact that \(m+b+\bar{b}1 = m\) over \(\mathbf {Z}\) to get m: The expression \(m+b\) is really equal to the message m plus the bit b only for fresh multiplicative ciphertexts. After an homomorphic multiplication between a ciphertext of a non zero message with a ciphertext of zero it becomes something random. As a result, we have to multiply it by \(\bar{b}\) to get 0.
The zeroknowledge property of our ESP essentially comes from the fact that each routine (\(\mathsf{ReEnc}_+\) and \(\mathsf {2Mul}_{+}\)) is individually zeroknowledge, inherited from the zeroknowledge of the 2party decryption of the encryption protocols. We also use the fact that the encryption schemes are INDCPA, in order to be able to simulate intermediate ciphertexts. This means that the assumptions in our theorem are weak and very natural.
Theorem 5
The ESP between \(\varPi _+\) and \(\varPi _\times ^0\) whose routines are described in Figs. 6 and 7 is zeroknowledge if \(\varPi _{+}\) and \(\varPi _{\times }\) are two compatible encryptions that are INDCPA and whose 2party decryptions are zeroknowledge, and \(\mathsf {EZT}\) is zeroknowledge.
Proof
(sketch). The full proof of this theorem can be found in Appendix B. This proof can be sketched as follows: First we give the secret key \(sk'\) to the simulation. From a pair of twin ciphertexts, it allows the simulation to know the bit that encode the fact that the plaintext is 0 or not. With that knowledge, the simulation can retrieve the ciphertexts that constitute the input and the output of each building block, and use their zeroknowledge simulator to emulate them. Then, we remove the knowledge of \(sk'\) from the simulation which replaces each input and output by random ciphertexts. Thanks to the INDCPA property of the encryption schemes this is indistinguishable from the previous step. As a result, the whole protocol is simulated without knowing any secret. \(\square \)
5 Instantiation of Our Generic Construction on \(\mathbf {Z}/p\mathbf {Z}\)
In this section we provide an instantiation of our generic construction on a field \(\mathbf {Z}/p\mathbf {Z}\) for a prime p, by describing an additively homomorphic encryption and a multiplicatively homomorphic one. Both schemes enjoy an Elgamal structure. For the additively homomorphic encryption scheme, we will use as a basis the scheme introduced in [9] (denoted \(\mathsf {CL}\) in the following). It uses the notion of a \(\mathsf {DDH}\) group with an easy \(\mathsf {DL}\) subgroup, which is instantiated using class groups of quadratic fields. For the multiplicatively homomorphic scheme, we devise a variant of the traditional Elgamal encryption over the whole group \((\mathbf {Z}/p\mathbf {Z})^{*}\). Both schemes are described in the next subsection. We also describe their 2party decryption, since it is required by the generic construction.
5.1 Additively Homomorphic Scheme over \(\mathbf {Z}/p\mathbf {Z}\)
CastagnosLaguillaumie Encryption. The encryption scheme from [9] is additively homomorphic modulo a prime p. The general protocol is well suited for relatively small p. For the ESP context, we need a large message space as p must be at least of 2048 bits for the security of the Elgamal protocol. As a result, we use the first variant of \(\mathsf {CL}\) described in [9, Sect. 4]. This variant is defined with subgroups of the class group of an order of a quadratic field of discriminant \(\varDelta _p=p^3\). Thus all computations are done in this class group. Note that elements are classes of ideals, that can be represented by their unique reduced elements, i.e., by two integers of roughly the size of \(\sqrt{\varDelta _p}\). As a consequence, a group element can be represented with \(3\log p\) bits.
We provide some improvements detailed in the following. The \(\mathsf {CL}\) scheme does exponentiations to some random powers in a cyclic group of unknown order. Let us denote by \(\mathfrak {g}\) a generator of this group. Only an upper bound B on this order is known. In order to make the result of these exponentiations look like uniform elements of the cyclic group, the authors of [9] choose to sample random exponents from a large enough uniform distribution, and more precisely over \(\{0,\dots ,B'\}\) where \(B'= 2^{\lambda 2} B\), so that the resulting distribution is as distance to uniform less than \(2^{\lambda }\).
However, it is more efficient to use a folded discrete Gaussian Distribution instead of a folded uniform distribution. Let \(z\in \mathbf {Z}\) and \(\sigma >0\) a real number and let us denote by \(\rho _{\sigma }(z) = \exp (\pi z^2 / \sigma ^2)\) a Gaussian centered function and define the probability mass function \(\mathcal D_{\sigma }\) over \(\mathbf {Z}\) by \(\mathcal D_{\sigma }(z):= \rho _{\sigma }(z) / \sum _{z \in \mathbf {Z}} \rho _\sigma (z)\).
If z is sampled from \(\mathcal D_\sigma \), we have \(z> \tau \sigma \) with probability smaller than \(\sqrt{2\pi e} \tau \exp (\pi \tau ^2)\) (cf. [35, Lemma 2.10]). We denote by \(\tau (\lambda )\) the smallest \(\tau \) such that this probability is smaller than \(2^{\lambda }\).
If we set \(\sigma = \sqrt{\ln (2(1+ 2^{\lambda +1}))/\pi } B\), Lemma 1 of Appendix C of the long version shows that the distribution obtained by sampling z from \(\mathcal D_\sigma \) and computing \(\mathfrak {g}^z\) is at distance less than \(2^{\lambda }\) to the uniform distribution in \(\langle \mathfrak {g}\rangle \).
For instance for \(\lambda =128\), we only add, in the worst case, 6 iterations in the square and multiply algorithm to compute \(\mathfrak {g}^z\), whereas one has to add 126 iterations with a folded uniform distribution.
Description of the Scheme. We denote by \(\mathsf {CL}{.}\mathsf {Gen}\) a parameter generator for \(\mathsf {CL}\). It takes as input \(1^\lambda \) and outputs a tuple \((p,\mathfrak g, \mathfrak f,\sigma )\). This tuple is such that p is a prime satisfying \(p\equiv 3 \pmod 4\) so that computing discrete logarithms in \(C(p)\), the ideal class group of the quadratic order of discriminant \(p\), takes \(2^\lambda \) times. Then \(\mathfrak g \in C(p^3)\) is a class of order ps where s is unknown and expected to be of the order of magnitude of the class number of \(C(p)\): a concrete implementation for \(\mathfrak g\) is given in [9, Fig. 2]. It consists in generating a random ideal of the maximal order of discriminant \(p\), and lifting it in the order of discriminant \(p^3\). Eventually, \(\mathfrak {f} \in C(p^3)\) is the class of the ideal \(p^2\mathbf {Z}+ ((p+\sqrt{p^3})/2)\mathbf {Z}\) and \(\sigma \) will be the standard deviation of the Gaussian Distribution discussed before: \(\sigma = \sqrt{\ln (2(1+ 2^{\lambda +1}))/\pi } B\), with \(B = \log (p)p^{3/2}/(4\pi )\).
Theorem 6
[9]. The \(\mathsf {CL}\) scheme of Fig. 8 is an additively homomorphic encryption scheme over \(\mathbf {Z}/p\mathbf {Z}\), INDCPA under the \(\mathsf {DDH}\) assumption in the ideal class group of the quadratic order of discriminant \(p^3\).
One Round 2Party Decryption for \(\mathsf {CL}\) . We now devise in Fig. 9 a one round 2party decryption for \(\mathsf {CL}\) as defined in Sect. 2.2, i.e. subroutines to share the secret key and the interactive protocol for decryption. As the scheme has an Elgamal structure, it can be readily adapted from the threshold variant of the original Elgamal scheme (cf. [39] for instance) with a simple additive secret sharing of the key \(x = x_A + x_B\). However, as the group order is unknown, this secret sharing must be done over the integers. This kind of sharing has been addressed before (cf. [14, Sect. 4] for instance).
Theorem 7
The 2party Decryption for \(\mathsf {CL}\) described in Fig. 9 is correct and zeroknowledge.
Proof
Correctness follows from the shared exponentiation. Let us prove first that the protocol is zeroknowledge for Alice (see Definition 7 in Appendix A).
For the secret key shares, the simulator \(\mathsf{Sim}^{2d}_\mathsf{Share}\) picks \(x'\) from \(\mathcal {D_\sigma }\), \(x'_A \xleftarrow {\$}\{\tau (\lambda )\sigma 2^{\lambda },\dots ,\tau (\lambda )\sigma 2^{\lambda } \}\) and set \(x'_B = x'  x'_A\). As the secret sharing is private, the distribution of \(x'_B\) is statistically indistinguishable from the distribution of the real \(x_B\) (see Appendix D of the long version for the computation of the statistical distance).
Then we describe the simulator \(\mathsf{Sim}^{2d}_A\) which emulates Alice. From a ciphertext C, a plaintext m, it computes \(\mathfrak M = \mathfrak f^m\). Then it simulates \(\mathfrak {c}_{1,A}\) by setting \(\mathfrak {c}_{1,A} = \mathfrak {c}_2/(\mathfrak M \mathfrak {c}_1^{x'_B})\), so that Bob’s computations leads to \(\mathfrak M\). The value sent by the simulation is thus perfectly indistinguishable from the real one.
It is straightforward to see that the protocol is zeroknowledge for Bob: secret key shares are simulated as previously, and \(x'_A\) is obviously indistinguishable from the real \(x_A\), and then Bob sends nothing during the protocol. \(\square \)
5.2 Multiplicatively Homomorphic Scheme over \(\mathbf {Z}/p\mathbf {Z}\)
Elgamal over (Z/ p Z)*. Let q be an odd Sophie Germain prime, and let us denote by p the associated prime, i.e., \(p=2q+1\). The \(\mathsf {DDH}\) assumption is widely supposed to hold in the subgroup of order q of \((\mathbf {Z}/p\mathbf {Z})^{*}\) which is the subgroup of quadratic residues modulo p, denoted \(S_p\). The Elgamal cryptosystem defined in \(S_p\) is multiplicatively homomorphic and semantically secure if the \(\mathsf {DDH}\) assumption holds in that subgroup.
It is wellknown that the \(\mathsf {DDH}\) assumption does not hold in the whole group \((\mathbf {Z}/p\mathbf {Z})^{*}\). As a result, in order to extend the message space to \((\mathbf {Z}/p\mathbf {Z})^{*}\), we need to encode elements of \((\mathbf {Z}/p\mathbf {Z})^{*}\) as quadratic residues. The situation is quite similar to the Elgamal over \((\mathbf {Z}/n\mathbf {Z})^{*}\) of [10], but actually simpler to handle since we work modulo a prime p and not modulo an RSA integer n (in particular, we can publicly compute square roots or distinguish quadratic and non quadratic residues and we do not have to hide the factorization of n).
Description of the Scheme. Let \(\lambda \) be a security parameter. Let \(\mathsf {GM}{.}\mathsf {Gen}\) be a parameter generator for the GoldwasserMicali encryption scheme. It takes as input \(1^\lambda \) and outputs \((N,p',q')\) such that \(p',q' \equiv 3 \pmod 4\) are primes and \(N=p'q'\) is such that factoring N takes \(2^\lambda \) time. We use the threshold variant of GoldwasserMicali described in [26] to define a suitable 2party decryption.
The following theorem is a consequence of the previous discussion and the properties of the GoldwasserMicali variant. Note that modulo N, \(c_3^{(Np'q'+1)/4}\) equals 1 if \(c_3\) is a quadratic residue, and \(1\) if \(c_3\) has Jacobi symbol 1 and is not a quadratic residue.
Theorem 8
The \(\mathsf {Eg}^*\) scheme of Fig. 10 is multiplicatively homomorphic over \((\mathbf {Z}/p\mathbf {Z})^{*}\), and it is INDCPA under the \(\mathsf {DDH}\) assumption in the subgroup of quadratic residues of \((\mathbf {Z}/p\mathbf {Z})^{*}\) and the \(\mathsf {QR}\) assumption in \((\mathbf {Z}/N\mathbf {Z})^\times \).
One Round 2Party Decryption for \(\mathsf {Eg}^*\) . We describe in Fig. 11 a one round 2party decryption for \(\mathsf {Eg}^*\). This protocol is adapted from the threshold variant of the original Elgamal scheme and the basic threshold GoldwasserMicali of [26, Subsect. 3.1].
Theorem 9
The 2party Decryption for \(\mathsf {Eg}^*\) described in Fig. 11 is correct and zeroknowledge.
Proof
The proof is similar to the proof of Theorem 7. For the Elgamal part of the protocol, secret key shares are simply taken uniformly at random in \(\{ 0,\dots , q1 \}\), and the value sent by Alice is computed as \(c_{1,A} = c_2/(M c_1^{x_B})\), where \(M = ( m / p )m\). The GoldwasserMicali part of the protocol is also simulated in a similar fashion from \(c_3\) and L(m) and the key share from a fake factorization of N just as in [26, Subsect. 3.1] \(\square \)
5.3 ESP over \(\mathbf {Z}/p\mathbf {Z}\): Efficiency and Comparisons
In Table 1 we give the round complexity (rc) and bit complexity (bc) of our algorithms and we compare our full ESP protocols with that of Couteau et al. [10]. For sake of clarity, and because it is identical to that of [10], we omit the complexities resultant from the garbled circuitbased \(\mathsf {EZT}\) protocols. Our 2party decryption algorithms (both for \(\mathsf {CL}\) and \(\mathsf {Eg}^*\)) only require 1 round. Note that we carefully analyzed the interactive algorithms so as to gather consecutive flows when possible within a single round. For example our \(\mathsf {2Mul}_{+}\) and \(\mathsf {ReEnc}_+\) protocols (see Figs. 1 and 2) require only 2 rounds since Alice can send \(C^+_{rX}\) (resp. \(C'_{r}\)) and her \(2\mathsf {Dec}\) data simultaneously. For the same reason, our generic switches in \(\mathcal {R}^*\) also require 2 rounds. Therefore, our \((\varPi _+ \rightleftharpoons \varPi _\times ^0){.}\mathsf {Switch}_{+\rightarrow \times }\) needs 7 rounds: 2 for the initial \(\mathsf {EZT}\), 2 for \(\mathsf {ReEnc}_+\), 2 for sending \(C^+_{m+b}\) and the \(\mathsf {Switch}_{+\rightarrow \times }\), and 1 for sending the final result to Bob. In the other direction, the initial \(\mathsf {Switch}_{\times \rightarrow +}\) and the \(\mathsf {EZT}\) are independent and can thus be processed simultaneously in 2 rounds. Adding 2 rounds for the \(\mathsf {2Mul}_{+}\), the round complexity for \((\varPi _+ \rightleftharpoons \varPi _\times ^0){.}\mathsf {Switch}_{\times \rightarrow +}\) adds up to 4 rounds only. In comparison, and using the same optimizations, the ESP switches from Couteau et al. requires 7 and 11 rounds respectively.
We express the communication cost in terms of the number of bits exchanged between the parties. The bit complexity (bc) is given as a function of the ring/field size. Observe that although, the best (conjectured) asymptotic complexity to compute a discrete logarithm in the ideal class group used in \(\mathsf {CL}\) is in \(L_{p}[1/2,1+o(1)]\) (see [24]), one must consider a prime p that is large enough to guarantee that the DLP over \((\mathbf {Z}/p\mathbf {Z})^{*}\) is hard, i.e. such that \(L_{p}[1/3,(64/9)^{1/3}+o(1)] > 2^\lambda \) (see e.g. [43]). In Table 1, \(\ell \), represents the bit length of p for our protocol over \(\mathbf {Z}/p\mathbf {Z}\) and of n for Couteau et al.’s protocol over \(\mathbf {Z}/n\mathbf {Z}\).
Comparisons of the round complexities and bit complexities of our protocols (v1 and v2) with that of Couteau et al. [10]. \((*)\) For the \(\mathsf {EZT}\) protocol the communication cost for the garbled circuit is omitted as it is the same for v1, v2 and [10] (cf. Subsect. 4.3 for the cost).
Round complexity  Bit complexity  

This work  [10]  v1  v2  [10]  
Algorithms  
\(\mathsf {Eg}^*{.}2\mathsf {Dec}\)  1  n/a  \(5\ell \)  \(5\ell \)  n/a 
\(\mathsf {CL}{.}2\mathsf {Dec}\)  1  n/a  \(9\ell \)  \(5\ell \)  n/a 
\(\mathsf {CL}{.}\mathsf {EZT}(*)\)  2  n/a  \(15\ell \)  \(9\ell \)  n/a 
\(\mathsf {CL}{.}\mathsf {2Mul}_{+}\)  2  n/a  \(21\ell \)  \(13\ell \)  n/a 
\(\mathsf {CL}{.}\mathsf {ReEnc}_+\)  2  n/a  \(21\ell \)  \(13\ell \)  n/a 
\((\varPi _+ \rightleftharpoons \varPi _\times ){.}\mathsf {Switch}_{+\rightarrow \times }\)  2  2  \(15\ell \)  \(11\ell \)  \(10\ell \) 
\((\varPi _+ \rightleftharpoons \varPi _\times ){.}\mathsf {Switch}_{\times \rightarrow +}\)  2  6  \(17\ell \)  \(13\ell \)  \(36\ell \) 
ESP protocols  
\((\varPi _+ \rightleftharpoons \varPi _\times ^0){.}\mathsf {Switch}_{+\rightarrow \times }\)  7  7  \(69\ell \)  \(45\ell \)  \(37\ell \) 
\((\varPi _+ \rightleftharpoons \varPi _\times ^0){.}\mathsf {Switch}_{\times \rightarrow +}\)  4  11  \(53\ell \)  \(35\ell \)  \(61\ell \) 
Algorithmic assumptions
This work (v1)  This work (v2)  [10] 

DDH in \(C(p^3)\)  LDDH in \(C(p^3)\)  DCR 
DDH in \(S_p\)  DDH in \(S_p\)  DDH in \(S_n\) 
QR  QR  QR 
6 ESP Secure Against Malicious Adversaries
To reach the security against malicious adversaries, it is necessary to add zeroknowledge proofs by all parties that every computation is done correctly with the knowledge of every plaintext. In [10], the zeroknowledge proofs are classical Schnorrlike proofs and range proofs, but they need also to design a new strong primitive called twin ciphertext proof (TCP) to prove that a pair of ciphertexts from two different encryption schemes is actually a pair of twin ciphertexts. This allows to avoid generic circuitbased zeroknowledge proofs, but still requires a costly cutandchoose technique (which can be amortized). This proof consists first in gathering a large pool of random genuine twin ciphertexts (proved thanks to the knowledge of the plaintext and the randomness, and of the homomorphic property of the encryption schemes). This part is done once for all. During an ESP, each time a twin ciphertext proof is needed, a fresh twin ciphertext pair is taken from the pool to perform a simple colinearity proof.
To enhance our generic construction against malicious adversaries, we use the same method. In fact, the additional properties needed for the homomorphic encryption schemes are the same as in [11]: the \(\varPi _+\) and the \(\varPi _\times \) encryption schemes must support zeroknowledge proof of plaintext knowledge, proof that the \(\mathsf {ScalMul}\) operation has been performed correctly and also support a 2party decryption in the malicious setting. Then we use the TCP technique as in [10] for twin ciphertext proofs.
As a result, we modify our generic construction by adding such proofs in each step of the switching protocols. This ensures honest behavior and thus make the \(\mathsf {ESP}\) secure in the malicious settings. In particular this brings soundness in the sense of [10]: no malicious player can force the output of an \(\mathsf {ESP}\) not to be a twin ciphertext.
The protocols \(\varPi _+\) and \(\varPi _\times \) described in the instantiation from the previous section support the required features. For the \(\varPi _\times \) encryption scheme, we need zero knowledge proofs and 2party decryption secure against malicious adversary for the classical Elgamal and for the GoldwasserMicali encryption scheme. This can be done with classical methods: zeroknowledge proof \(\acute{a}\) la Schnorr, adding verification keys to the public keys for 2party decryption and proof of exponentiations to the same power. Note that for GoldwasserMicali, we need to modify key generation to use strong primes \(p'\) and \(q'\) as in [26].
For the \(\varPi _+\) encryption scheme which is based on the CastagnosLaguillaumie encryption scheme, we need proofs for an Elgamal variant in a group of unknown order, namely a class group of a quadratic order. Then 2party decryption secure against malicious adversary is obtained as for the \(\varPi _\times \) scheme.
Generalizations of Schnorr proofs in group of unknown orders have been addressed extensively in [7]. In this framework, a generalized Schnorr proof can be used if the cyclic group considered is what is called a safeguard group, which is roughly a group whose set of small orders elements is small and known, and for which it is hard to find roots of elements. The case of class groups has been explicitly taken in account for example in [12, 13], where it is argue in particular that class groups of discriminant \(p\), \(C(p)\), can be considered to have the properties of safeguard groups. As a result, we can apply directly the framework of [7] for the faster variant of \(\mathsf {CL}\) mentioned in Subsect. 5.3 as exponentiations are defined in \(C(p)\) for this variant.
7 Conclusion
The encryption switching protocol is a promising cryptographic primitive formalized by Couteau et al. in [10]. We propose in this article a generic framework to build such an ESP. Our approach makes the design of an ESP simple and efficient. In particular, we propose an instantiation whose round complexity is dramatically improved compared to Couteau et al., since we reduce by a factor 3 the number of round in the multiplicative to additive direction (while we have the same number of rounds in the other way). Again, in terms of bit complexity, our switching protocol in the multiplicative to additive direction gains a factor almost 1.7, while in the other direction Couteau et al.’s switch is smaller by a factor 1.2. This is essentially because in our case, the additively homomorphic encryption has large ciphertexts. In particular, any additively homomorphic encryption satisfying the conditions of our construction with smaller elements will allow to gain in terms of bit complexity. Our instantiation, which is secure in the semihonest model under classical assumptions can be extended to the malicious case. We believe that it is possible to improve our instantiation by deviating a bit more from the generic construction. Moreover, an interesting open problem is to design an encryption scheme which is homomorphic for the \(+\) in \(\mathbf {F}_2\) without the factorization assumption. A consequence could be to have an ESP whose security relies only on a discrete logarithm related assumption. Designing a more efficient encrypted zerotest is also a direction which will allow a significant improvement in the protocol.
Footnotes
 1.
The zero message has to be taken into account since it can arise easily by homomorphically subtracting two equivalent ciphertexts of the same message.
Notes
Acknowledgments
The authors would like to thank Geoffroy Couteau for fruitful discussions, careful reading and constructive comments on the preliminary version of this work. We also express our thanks to Bruno Grenet, Romain Lebreton, Benoît Libert and Damien Stehlé for their feedbacks.
The authors are supported in part by the French ANR ALAMBIC project (ANR16CE390006), by the “Investments for the future” Programme IdEx Bordeaux  CPU (ANR10IDEX0302), and by ERC Starting Grant ERC2013StG335086LATTAC.
References
 1.Allender, E., Jiao, J., Mahajan, M., Vinay, V.: Noncommutative arithmetic circuits: depth reduction and size lower bounds. Theor. Comput. Sci. 209(1), 47–86 (1998)MathSciNetCrossRefzbMATHGoogle Scholar
 2.Asharov, G., Jain, A., LópezAlt, A., Tromer, E., Vaikuntanathan, V., Wichs, D.: Multiparty computation with low communication, computation and interaction via threshold FHE. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 483–501. Springer, Heidelberg (2012). doi: 10.1007/9783642290114_29 CrossRefGoogle Scholar
 3.Asharov, G., Lindell, Y., Schneider, T., Zohner, M.: More efficient oblivious transfer extensions with security for malicious adversaries. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 673–701. Springer, Heidelberg (2015). doi: 10.1007/9783662468005_26 Google Scholar
 4.Beaver, D.: Foundations of secure interactive computing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 377–391. Springer, Heidelberg (1992). doi: 10.1007/3540467661_31 Google Scholar
 5.Bendlin, R., Damgård, I., Orlandi, C., Zakarias, S.: Semihomomorphic encryption and multiparty computation. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 169–188. Springer, Heidelberg (2011). doi: 10.1007/9783642204654_11 CrossRefGoogle Scholar
 6.Bogetoft, P., Damgård, I., Jakobsen, T., Nielsen, K., Pagter, J., Toft, T.: A practical implementation of secure auctions based on multiparty integer computation. In: Di Crescenzo, G., Rubin, A. (eds.) FC 2006. LNCS, vol. 4107, pp. 142–147. Springer, Heidelberg (2006). doi: 10.1007/11889663_10 CrossRefGoogle Scholar
 7.Camenisch, J., Kiayias, A., Yung, M.: On the portability of generalized Schnorr proofs. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 425–442. Springer, Heidelberg (2009). doi: 10.1007/9783642010019_25 CrossRefGoogle Scholar
 8.Canetti, R.: Security and composition of multiparty cryptographic protocols. J. Cryptol. 13(1), 143–202 (2000)MathSciNetCrossRefzbMATHGoogle Scholar
 9.Castagnos, G., Laguillaumie, F.: Linearly homomorphic encryption from \(\sf DDH\). In: Nyberg, K. (ed.) CTRSA 2015. LNCS, vol. 9048, pp. 487–505. Springer, Cham (2015). doi: 10.1007/9783319167152_26 Google Scholar
 10.Couteau, G., Peters, T., Pointcheval, D.: Encryption switching protocols. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 308–338. Springer, Heidelberg (2016). doi: 10.1007/9783662530184_12 CrossRefGoogle Scholar
 11.Cramer, R., Damgård, I., Nielsen, J.B.: Multiparty computation from threshold homomorphic encryption. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 280–300. Springer, Heidelberg (2001). doi: 10.1007/3540449876_18 CrossRefGoogle Scholar
 12.Damgård, I., Fujisaki, E.: A statisticallyhiding integer commitment scheme based on groups with hidden order. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 125–142. Springer, Heidelberg (2002). doi: 10.1007/3540361782_8 CrossRefGoogle Scholar
 13.Damgård, I., Koprowski, M.: Generic lower bounds for root extraction and signature schemes in general groups. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 256–271. Springer, Heidelberg (2002). doi: 10.1007/3540460357_17 CrossRefGoogle Scholar
 14.Damgård, I., Mikkelsen, G.L.: Efficient, robust and constantround distributed RSA key generation. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 183–200. Springer, Heidelberg (2010). doi: 10.1007/9783642117992_12 CrossRefGoogle Scholar
 15.Damgård, I., Nielsen, J.B.: Universally composable efficient multiparty computation from threshold homomorphic encryption. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 247–264. Springer, Heidelberg (2003). doi: 10.1007/9783540451464_15 CrossRefGoogle Scholar
 16.Damgård, I., Zakarias, S.: Constantoverhead secure computation of boolean circuits using preprocessing. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 621–641. Springer, Heidelberg (2013). doi: 10.1007/9783642365942_35 CrossRefGoogle Scholar
 17.Desmedt, Y., Frankel, Y.: Threshold cryptosystems. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 307–315. Springer, New York (1990). doi: 10.1007/0387348050_28 CrossRefGoogle Scholar
 18.ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 31, 469–472 (1985)MathSciNetCrossRefzbMATHGoogle Scholar
 19.Fouque, P.A., Poupard, G., Stern, J.: Sharing decryption in the context of voting or lotteries. In: Frankel, Y. (ed.) FC 2000. LNCS, vol. 1962, pp. 90–104. Springer, Heidelberg (2001). doi: 10.1007/3540454721_7 CrossRefGoogle Scholar
 20.Gavin, G., Minier, M.: Oblivious multivariate polynomial evaluation. In: Roy, B., Sendrier, N. (eds.) INDOCRYPT 2009. LNCS, vol. 5922, pp. 430–442. Springer, Heidelberg (2009). doi: 10.1007/9783642106286_28 CrossRefGoogle Scholar
 21.Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: 40th ACM STOC, pp. 197–206. ACM Press (2008)Google Scholar
 22.Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: 19th ACM STOC, pp. 218–229. ACM Press (1987)Google Scholar
 23.Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)MathSciNetCrossRefzbMATHGoogle Scholar
 24.Jacobson, M.J.: Computing discrete logarithms in quadratic orders. J. Cryptol. 13(4), 473–492 (2000)MathSciNetCrossRefzbMATHGoogle Scholar
 25.Katz, J., Lindell, Y.: Introduction to Modern Cryptography, 2nd edn. Chapman & Hall/CRC, Boca Raton (2014)zbMATHGoogle Scholar
 26.Katz, J., Yung, M.: Threshold cryptosystems based on factoring. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 192–205. Springer, Heidelberg (2002). doi: 10.1007/3540361782_12 CrossRefGoogle Scholar
 27.Kiayias, A., Yung, M.: Secure games with polynomial expressions. In: Orejas, F., Spirakis, P.G., van Leeuwen, J. (eds.) ICALP 2001. LNCS, vol. 2076, pp. 939–950. Springer, Heidelberg (2001). doi: 10.1007/3540482245_76 CrossRefGoogle Scholar
 28.Kolesnikov, V., Schneider, T.: Improved garbled circuit: free XOR gates and applications. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008. LNCS, vol. 5126, pp. 486–498. Springer, Heidelberg (2008). doi: 10.1007/9783540705833_40 CrossRefGoogle Scholar
 29.Lim, H.W., Tople, S., Saxena, P., Chang, E.C.: Faster secure arithmetic computation using switchable homomorphic encryption. Cryptology ePrint Archive, Report 2014/539 (2014)Google Scholar
 30.Lindell, Y., Pinkas, B.: Secure twoparty computation via cutandchoose oblivious transfer. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 329–346. Springer, Heidelberg (2011). doi: 10.1007/9783642195716_20 CrossRefGoogle Scholar
 31.Lindell, Y., Pinkas, B., Smart, N.P.: Implementing twoparty computation efficiently with security against malicious adversaries. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds.) SCN 2008. LNCS, vol. 5229, pp. 2–20. Springer, Heidelberg (2008). doi: 10.1007/9783540858553_2 CrossRefGoogle Scholar
 32.Lipmaa, H., Toft, T.: Secure equality and greaterthan tests with sublinear online complexity. In: Fomin, F.V., Freivalds, R., Kwiatkowska, M., Peleg, D. (eds.) ICALP 2013. LNCS, vol. 7966, pp. 645–656. Springer, Heidelberg (2013). doi: 10.1007/9783642392122_56 CrossRefGoogle Scholar
 33.Malkhi, D., Nisan, N., Pinkas, B., Sella, Y.: Fairplay  secure twoparty computation system. In: Proceedings of the 13th USENIX Security Symposium, San Diego, CA, USA, 9–13 August 2004, pp. 287–302. USENIX (2004)Google Scholar
 34.Micali, S., Rogaway, P.: Secure computation. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 392–404. Springer, Heidelberg (1992). doi: 10.1007/3540467661_32 Google Scholar
 35.Micciancio, D., Regev, O.: Worstcase to averagecase reductions based on Gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007)MathSciNetCrossRefzbMATHGoogle Scholar
 36.Naor, M., Pinkas, B.: Oblivious polynomial evaluation. SIAM J. Comput. 35(5), 1254–1281 (2006)MathSciNetCrossRefzbMATHGoogle Scholar
 37.Nielsen, J.B., Nordholt, P.S., Orlandi, C., Burra, S.S.: A new approach to practical activesecure twoparty computation. In: SafaviNaini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 681–700. Springer, Heidelberg (2012). doi: 10.1007/9783642320095_40 CrossRefGoogle Scholar
 38.Paillier, P.: Publickey cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). doi: 10.1007/354048910X_16 CrossRefGoogle Scholar
 39.Pedersen, T.P.: A threshold cryptosystem without a trusted party. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 522–526. Springer, Heidelberg (1991). doi: 10.1007/3540464166_47 CrossRefGoogle Scholar
 40.Pinkas, B., Schneider, T., Smart, N.P., Williams, S.C.: Secure twoparty computation is practical. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 250–267. Springer, Heidelberg (2009). doi: 10.1007/9783642103667_15 CrossRefGoogle Scholar
 41.Shoup, V., Gennaro, R.: Securing threshold cryptosystems against chosen ciphertext attack. J. Cryptol. 15(2), 75–96 (2002)MathSciNetCrossRefzbMATHGoogle Scholar
 42.Tassa, T., Jarrous, A., BenYa’akov, Y.: Oblivious evaluation of multivariate polynomials. J. Math. Cryptol. 7(1), 1–29 (2013)MathSciNetCrossRefzbMATHGoogle Scholar
 43.Thomé, E.: Algorithmic number theory and applications to the cryptanalysis of cryptographical primitives. Habilitation à diriger des recherches, Université de Lorraine (2012)Google Scholar
 44.Tople, S., Shinde, S., Chen, Z., Saxena, P.: AUTOCRYPT: enabling homomorphic computation on servers to protect sensitive web content. In: ACM CCS 2013, pp. 1297–1310. ACM Press (2013)Google Scholar
 45.Valiant, L.G., Skyum, S., Berkowitz, S., Rackoff, C.: Fast parallel computation of polynomials using few processors. SIAM J. Comput. 12(4), 641–644 (1983)MathSciNetCrossRefzbMATHGoogle Scholar
 46.Yao, A.C.C.: Protocols for secure computations (extended abstract). In: 23rd FOCS, pp. 160–164. IEEE Computer Society Press, November 1982Google Scholar
 47.Ye, Q., Wang, H., Pieprzyk, J., Zhang, X.M.: Efficient disjointness tests for private datasets. In: Mu, Y., Susilo, W., Seberry, J. (eds.) ACISP 2008. LNCS, vol. 5107, pp. 155–169. Springer, Heidelberg (2008). doi: 10.1007/9783540705000_12 CrossRefGoogle Scholar