**Encryption Switching Protocols**

*Geoffroy Couteau and Thomas Peters and David Pointcheval*

**Abstract: **We put forth a novel cryptographic primitive: encryption switching protocol (ESP), allowing to switch between two encryption schemes. Intuitively, this two-party protocol converts given ciphertexts from one scheme into ciphertexts of the same messages in the other scheme, for any polynomial number of switches, in any direction. Although ESP is a special kind of two-party computation protocol, it turns out that ESP implies general two-party computation under natural conditions. In particular, our new paradigm is tailored to the evaluation of functions over rings. Indeed, assuming the compatibility of two additively and multiplicatively homomorphic encryption schemes, switching ciphertexts makes it possible to efficiently reconcile the two internal laws. Since no such pair of schemes appeared in the literature, except for the non-interactive case of fully homomorphic encryption which still remains prohibitive in practice, we build the first ElGamal-like encryption scheme over (Zn;x) as a complement to the Paillier encryption scheme over (Zn;+), where n is a strong RSA modulus. Eventually, we also instantiate secure ESP between the two schemes, in front of malicious adversaries. Thanks to a pre-processing step, we manage to get an online communication in terms of group elements which neither depends on the security parameter nor on the modulus n. This makes use of a new technique called refreshable twin-ciphertext pool that is of independent interest.

**Category / Keywords: **public-key cryptography / two-party computation, homomorphic encryption, malicious adversary, zero-knowledge proof

**Original Publication**** (with major differences): **IACR-CRYPTO-2016
**DOI: **10.1007/978-3-662-53018-4_12

**Date: **received 12 Oct 2015, last revised 23 Dec 2016

**Contact author: **geoffroy couteau at ens fr

**Available format(s): **PDF | BibTeX Citation

**Version: **20161223:160006 (All versions of this report)

**Short URL: **ia.cr/2015/990

[ Cryptology ePrint archive ]