Cryptographic primitives
Outline
Preliminary
Oblivious Transfer (OT)
Random share based methods
Homomorphic Encryption
ElGamal
Assumptions
Semi-honest party assumption
Parties honestly follow the security
protocol
Parties might be curious about the
transferred data
Malicious party assumption
The malicious party can do anything
Transfer false data
Turn down the protocol
Collusion
Often, we can handle
semi-honest + integrity verification
Public-key encryption
Let (G,E,D) be a public-key encryption
scheme
G is a key-generation algorithm (pk,sk) G
Pk: public key
Sk: secret key
Terms
Plaintext: the original text, denoted as m
Ciphertext: the encrypted text, denoted as c
Encryption: c = Epk(m)
Decryption: m = Dsk(c)
Concept of one-way function: knowing c, pk,
and the function Epk, it is still computationally
intractable to find m.
*Check literature for different implementations
1-out-of-2 Oblivious Transfer (OT)
Setting
Sender has two messages m0 and m1
Receiver has a single bit {0,1} and
wants to learn m , but does not want
the sender know which bit is selected.
Outputs
Sender knows nothing about
Receiver obtain m and learns nothing of
m1-
Assume that a public-key can be
sampled without knowledge of its
secret key (knowing pk only):
The protocol is simplified with this
assumption
Knowing pk but not knowing sk – tricky
to do that
Both parties are honest
Protocol for Oblivious Transfer
Receiver (with input ):
Receiver chooses one key-pair (pk,sk) and one
public-key pk’ (oblivious key generation), but
does not know sk’.
Receiver sets pk = pk, pk1- = pk’
Receiver sends pk0,pk1 to sender
Sender (with input m0,m1):
Sends c0=Epk0(m0), c1=Epk1(m1)
Receiver:
Decrypts c using sk and obtains m.
Note: receiver can decrypt for pk but not for
pk1-
Generalization
Similarly, we can define 1-out-of-k
oblivious transfer
Protocol remains the same:
Choose k-1 public keys for which the
secret key is unknown
Choose 1 public-key and secret-key pair
Random share based method
Settings
have >2 parties
No collusion – semi-honest
Let f be the function that the parties wish
to compute
Represent f as an arithmetic circuit with
addition and multiplication gates
Theoretically, any function can be implemented
with addition and multiplication
Goal: securely compute additions and
multiplications
Random Shares Paradigm
Let a be some value:
Party 1 holds a, distributes random
values ai to other parties (and party 1
knows a-ai)
Party i receives ai
Note that without knowing a-ai, and all
random shares ai , nothing of a is
revealed.
We say that the parties hold random
shares of a.
Securely computing addition
(xor for one-bit data)
Party 1,2,3 own a,b,c respectively
Generate random shares:
Party 1 has shares a1 , b1 and c1
Party 2 has shares a2 , b2 and c2
Party 3 has shares a3 , b3 and c3
Note: a1+a2 +a3 =a, b1+b2 +b3 =b, and c1+c2 +c3 =c
To compute random shares of output d=a+b+c
Party 1 locally computes d1=a1+b1+c1
Party 2 locally computes d2=a2+b2+c2
Party 3 locally computes d3=a3+b3+c3
Note: d1+d2 +d3 =d
The result shares do not reveal the original
value of a,b,c
Multiplication (2 parties)
Simplified 2party case
Assume a, b are binary bit
We work on “and” operation instead –
multiplication for one bit numbers
Input wires to gate have values a and b:
Party 1 has shares a1 and b1
Party 2 has shares a2 and b2
Wish to compute c = ab = (a1+a2)(b1+b2)
Party 2’s shares are unknown to Party 1,but
there are only 4 possibilities (depending on
correspondence to 00,01,10,11)
Multiplication (cont)
Party 1 prepares a table as follows:
Row
Row
Row
Row
1
2
3
4
corresponds
corresponds
corresponds
corresponds
to
to
to
to
Party
Party
Party
Party
2’s
2’s
2’s
2’s
input
input
input
input
00
01
10
11
Let r be a random bit chosen by Party 1:
Row
Row
Row
Row
1
2
3
4
contains
contains
contains
contains
the
the
the
the
value
value
value
value
ab+r
ab+r
ab+r
ab+r
when
when
when
when
a2=0,b2=0
a2=0,b2=1
a2=1,b2=0
a2=1,b2=1
Concrete Example
Assume: a1=0,
b1=1
Assume: r=1
Ro
w
1
2
3
4
Party 2’s
shares
Output value
a2=0,b2=0
(0+0).(1+0)+
1=1
a2=0,b2=1
(0+0).(1+1)+
1=1
a2=1,b2=0
(0+1).(1+0)+
1=0
a2=1,b2=1
(0+1).(1+1)+
1=1
The Protocol
The parties run a 1-out-of-4 oblivious
transfer protocol
Party 1 plays the sender: message i is row
i of the table.
Party 2 plays the receiver: it inputs 1 if
a2=0 and b2=0, 2 if a2=0 and b2=1, and so
on…
Output:
Party 2 receives c2=ab+r – this is its output
Party 1 outputs c1=r
Problems with OT and RS
Theoretically, any function can be
computed with addition and
multiplication gates
However, as we have seen, it is not
efficient at all
Huge communication/computational
cost for the multiplication protocol
Homomorphic encryption
They are “probabilistic encryptions”
using randomly selected numbers in generating
keys and encryption
properties
Homomorphic multiplication
Epk(m0) Epk(m1) = Epk(m0*m1)
Without knowing the secret key, we can still calculate
m0*m1
Implementations: ElGamal method
Homomorphic addition
Epk(m0)Epk(m1) = Epk(m0+m1)
Implementation: Paillier method
ElGamal method
System parameters (P,g)
Input 1n
P is a uniformly chosen prime |P|>n
g: a random number called “generator”
keys
Private key (P,g,x), x is randomly chosen
Public key pk=(P, g, y): y = gx mod P (one way
function, computationally intractable to guess x given
(P,g,y) )
Encryption:
E(pk, m, k) = (gk mod P, mgk mod P), k is a
random number, m is plaintext
ElGamal’s Homomorphic
property
For two ciphertext
E(pk, m0, k0)= (gk0 mod P,
(a0,b0)
E(pk, m1,k1) = (gk1 mod P,
(a1,b1)
m0gk0 mod P) =
m1gk1 mod P) =
E(pk, m0*m1, k0+k1)
= (gk0+k1 mod P, m0*m1*gk0+k1 mod P)
= (a0*a1, b0*b1)
Paillier Encryption
System parameters (p,q)
Input 1N
n=pq, and g = n+1
Encryption
c=gmrn mod n2.
Decryption
Paillier homomorphic property
E(m1, r1) * E(m2, r2) mod n2=
E(m1+m2 mod n)
Multiplication is implemented in
partially encrypted form
Summary
Three basic methods
Oblivious Transfer
Random share
Homomorphic encryption
We will see how to use them to
construct privacy preserving
algorithms
© Copyright 2026 Paperzz