Cryptology ePrint Archive: Report 2017/503

Encryption Switching Protocols Revisited: Switching modulo $p$

Guilhem Castagnos and Laurent Imbert and Fabien Laguillaumie

Abstract: At CRYPTO 2016, Couteau, Peters and Pointcheval introduced a new primitive called Encryption Switching Protocols, allowing to switch ciphertexts between two encryption schemes. If such an ESP is built with two schemes that are respectively additively and multiplicatively homomorphic, it naturally gives rise to a secure 2-party computation protocol. It is thus perfectly suited for evaluating functions, such as multivariate polynomials, given as arithmetic circuits. Couteau et al. built an ESP to switch between Elgamal and Paillier encryptions which do not naturally fit well together. Consequently, they had to design a clever variant of Elgamal over $\mathbf{Z}/n\mathbf{Z}$ with a costly shared decryption.

In this paper, we first present a conceptually simple generic construction for encryption switching protocols. We then give an efficient instantiation of our generic approach that uses two well-suited protocols, namely a variant of Elgamal in $\mathbf{Z}/p\mathbf{Z}$ and the Castagnos-Laguillaumie encryption which is additively homomorphic over $\mathbf{Z}/p\mathbf{Z}$. Among other advantages, this allows to perform all computations modulo a prime $p$ instead of an RSA modulus. Overall, our solution leads to significant reductions in the number of rounds as well as the number of bits exchanged by the parties during the interactive protocols. We also show how to extend its security to the malicious setting.

Category / Keywords: Two-party computation, encryption switching protocols, homomorphic encryption, malicious adversary

Original Publication (in the same form): IACR-CRYPTO-2017

Date: received 31 May 2017, last revised 2 Jun 2017

Contact author: laurent imbert at lirmm fr

Available format(s): PDF | BibTeX Citation

Version: 20170602:162751 (All versions of this report)

Short URL: ia.cr/2017/503

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]