Efficient Binary Conversion for Paillier Encrypted Values

摘要

We consider the framework of secure n-party computation based on threshold homomorphic cryptosystems as put forth by Cramer, Damgard, and Nielsen at Eurocrypt 2001. When used with Paillier's cryptosystem, this framework allows for efficient secure evaluation of any arithmetic circuit defined over Z_N, where N is the RSA modulus of the underlying Paillier cryptosystem. In this paper, we extend the scope of the framework by considering the problem of converting a given Paillier encryption of a value x ∈ Z_N into Paillier encryptions of the bits of x. We present solutions for the general case in which x can be any integer in {0, 1,... ,N — 1}, and for the restricted case in which x < N/(n2~κ) for a security parameter κ. In the latter case, we show how to extract the l least significant bits of x (in encrypted form) in time proportional to l, typically saving a factor of log_2 N/l compared to the general case. Thus, intermediate computations that rely in an essential way on the binary representations of their input values can be handled without enforcing that the entire computation is done bitwise. Typical examples involve the relational operators such as < and =. As a specific scenario we will consider the setting for (approximate) matching of biometric templates, given as bit strings.