Paper 2005/378

A New Protocol for Conditional Disclosure of Secrets And Its Applications

Sven Laur and Helger Lipmaa

Abstract

Many protocols that are based on homomorphic encryption are private only if a client submits inputs from a limited range $S$. Conditional disclosure of secrets (CDS) helps to overcome this restriction. In a CDS protocol for a set $S$, the client obtains server's secret if and only if the client's inputs belong to $S$ and thus the server can guard itself against malformed queries. We extend the existing CDS protocols to work over additively homomorphic cryptosystems for every set from $NP/poly$. The new construction is modular and easy to apply. As an example, we derive a new oblivious transfer protocol with log-squared communication and a millionaire's protocol with logarithmic communication. We also implement private, universally verifiable and robust multi-candidate electronic voting so that all voters only transmit an encryption of their vote. The only hardness assumption in all these protocols is that the underlying public-key cryptosystem is IND-CPA secure and the plaintext order does not have small factors.

Note: The main results of this paper (the new DIE protocol, CDS protocol, CDS transformation) date from August 2004. First eprint version (20.10.2005) was a delibrately old version from May 2005. Second eprint version (21.11.2005): better readability, more applications, more general. Third eprint version (08.08.2006): this version has better readability. The most important additions: the use of Elliptic Curve Method of factoring to achieve additional security, and the unified explanation of several protocols by using a forked compostion together with a communication-efficient CPIR, see Thm 2. Fourth eprint version (March 2007): corresponds to the published version. No new contents, better readability.