Join Log in
Score:1
mactep Cheng avatar Crypto

Is there a secure two party protocol that makes P1 (with x as input) gets rx+r' and P2 gets (r,r')

za flag
mactep Cheng

It should be a secure two party protocol against malicious adversary.

P1's input is X in Zp* (p is a prime number); P2's input is nothing. P1's output is rX+r'. r,r' are random numbers from Zp* P2' output is r and r'.

Is there any efficent protocol to realize this functionality other than by using homomorphic encrytion? If only HE solves this problem, which is the most efficent one?

Thanks for help!

43
0 + 0
us flag
Mikero
This is a well-known problem called Oblivious Linear function Evaluation (OLE).
0
Reply
mactep Cheng avatar
za flag
mactep Cheng
Thanks for help!
0
Reply
Score:0
Daniel S avatar Crypto
ru flag
Daniel S

You can do this with any additive/logarithmically homomorphic scheme with $p$ dividing the order of the plaintext group. The Okamoto-Uchiyama system has plaintext space size exactly $p$ and may be suitable if you have no quantum resistance required.

The protocol is as follows:

P1 creates a public key for the scheme as well as encryptions of $X$ and 1, say $c_0=E(X)$ and $c_1=E(1)$. These are passed to P2.

Assuming a log-homomorphic scheme, P2 chooses random $r$ and $r’$, computes $c_2:=c_0^rc_1^{r’}=E(rX+r’)$ and sends this value to P1.

P1 decrypts $c_2$ to recover $rX+r’$.

0 + 0
mactep Cheng avatar
za flag
mactep Cheng
thank you! how about its efficiency compared with the Paillier scheme? I want an efficient one because I want it be secure against malicious adversary. Do you know any method other than HE?
0
Reply
mactep Cheng avatar
za flag
mactep Cheng
And I also want a random r and r', but in your scheme, r and r' are decided by P2 which could be malicious.
0
Reply
Daniel S avatar
ru flag
Daniel S
O-U is similar in efficiency to Paillier, and often more efficient for the same level of security. I don’t know of any non-HE solution.
0
Reply
Daniel S avatar
ru flag
Daniel S
To defend against malicious P2, P1 can choose random $s1$ and $s2$ and form $(r+s1)X+(r’+s2)$. Sending $s1$ and $s2$ to P2 allows them to form $r+s1$ and $r’+s2$
0
Reply
mactep Cheng avatar
za flag
mactep Cheng
Thanks! I will study O-U scheme. But i thinks to make it secure, some additonal ZKP may have to be added; things like proving the public parameter is rightly generated etc.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.