Modulo Reduction for Paillier Encryptions andApplication to Secure Statistical Analysis

Jorge Guajardo1, Bart Mennink?,2 and Berry Schoenmakers??,3

1 Information and System Security GroupPhilips Research Europe, Eindhoven, The Netherlands

jorge.guajardo@philips.com2 Dept. Electrical Engineering, ESAT/COSIC

Katholieke Universiteit Leuven, Belgiumbart.mennink@esat.kuleuven.be

3 Dept. of Mathematics and Computing ScienceTechnische Universiteit Eindhoven, The Netherlands

berry@win.tue.nl

Abstract. For the homomorphic Paillier cryptosystem we construct a protocol for se-cure modulo reduction, that on input of an encryption JxK with x of bit length `x anda public ‘modulus’ a of bit length `a outputs an encryption Jx mod aK. As a result, aprotocol for computing an encrypted integer division Jx div aK is obtained. Surprisingly,efficiency of the protocol is independent of `x: the broadcast complexity of the protocolvaries between O(nk`a) and O(n2k`a), for n parties and security parameter k, and isvery efficient in case of small `a (in practical cases `a often is much smaller than `x). Ourprotocol allows for efficient multiparty computation of statistics like mean, variance andmedian. Therefore, the protocol can be used in the context of medical surveys for thebenefit of statistical analysis: medical data are very sensitive information, and peopleare generally reluctant to share these data. Implementing these surveys using multipartystatistics protocols offers an approach that enhances the privacy of the users.Keywords. Modulo reduction, multiparty computation on statistics, statistical analy-sis, medical surveys.

1 Introduction

We consider the problem of integer division with remainder in the setting of securemultiparty computation. In its full generality, the problem is to evaluate securelythe integer function (x, y) 7→ (xdiv y, x mod y), where x = (xdiv y)y + x mod y and0 ≤ x mod y < y. Whereas integer multiplication commonly allows for secure protocolsfor which the performance is independent of the bit length of the multiplicands, this isnot true for known protocols for integer division. Typically, secure integer division pro-tocols use the binary decomposition of the inputs x and/or y, and consequently theseprotocols are generally much more elaborate than secure multiplication protocols. To acertain extent, this is to be expected because integer comparison (which generally alsorequires bitwise-represented inputs) reduces to equality testing given integer division:x < y if and only if x = x mod y.? Work done while visiting Philips Research Labs.

?? Work done partly while visiting Philips Research Labs.

In this paper we will focus on the computation of x mod a for a public modulus a. Weobserve that in many applications, particularly in secure statistical analysis, division isused with a public modulus only. For example, for the mean x = (x1+ · · ·+xL) div L ofa set of L values, it suffices to divide by the publicly known L. Similarly, computationof the variance of these values also involves division with a public modulus only. Hence,efficient protocols for the case of public a are clearly of interest, and we will show howto achieve efficient solutions.Although our results apply to a broad range of approaches in secure multiparty com-putation, we will present our protocols mostly for the framework based on thresholdhomomorphic cryptosystems (THCs) [14, 22, 6, 29]. This framework allows n parties,n ≥ 2, to securely and privately evaluate a given function f : given encrypted inputsJx1K, . . . , JxLK, it will be ensured that the output is an encryption Jf(x1, . . . , xL)K,without leaking any further information on the values x1, . . . , xL. In general, one mayconstruct a Boolean or arithmetic circuit for f , consisting of basic gates such as NANDgates or addition/multiplication gates, and then evaluate these circuits securely. Forperformance reasons, however, specific protocols are needed to obtain more practicalsolutions.The advantage of our THC-based protocols is that the malicious case can be treatedwithout efficiency loss (asymptotically) compared to the semi-honest case. Our proto-cols can also be translated to the framework based on verifiable secret sharing (cf. [7]).In this case, however, the malicious case will be (asymptotically) more expensive thanthe semi-honest case. The technical reason is that some of the particularly efficientzero-knowledge interval proofs used in the THC-based approach do not carry over tothe VSS-based approach.Our protocols can be seen as a generalization of the bit decomposition protocols of [30].As observed in [30], the problem of evaluating x 7→ x mod 2 is already non-trivial as itcannot be solved when ElGamal is used as the underlying (additively) homomorphiccryptosystem: an efficient protocol for computing the least significant bit Jx mod 2K forgiven JxK would imply efficient computation of a hard-core bit (of the one-way functionx 7→ gx), hence contradict the discrete log assumption. Therefore, we will also assumea sufficiently strong homomorphic cryptosystem, concretely the Paillier cryptosystem,for our protocols.An immediate application of integer division is to securely access arbitrary bits of agiven input JxK efficiently. For an `x-bit integer x, the work to access the i-th leastsignificant bit will be proportional to i, as xi = (xdiv 2i) mod 2. Our protocols actuallysimplify considerably for the case that a is a power of 2, such that the overall work ismuch less than one would need using the bit decomposition protocol of [30].

1.1 Our contributions

For a set of n participants jointly sharing the decryption key of the Paillier cryptosys-tem, we construct a protocol that on input of JxK with x < 2`x and a public ‘modulus’a such that 2`a−1 < a ≤ 2`a outputs an encryption of the modulo reduction of xwith respect to a, Jx mod aK. Consequently, this implies a protocol for computing an

2

encrypted integer division Jxdiv aK. The efficiency of the protocol relies on the factthat a is known and, in particular, its length is known. The protocol has a broadcastcomplexity varying between O(nk`a) and O(n2k`a) (with corresponding round com-plexities O(n) and O(1)), where k is a security parameter, and the variation depends onthe building blocks used (e.g., for random bit generation several protocols are known,which differ in complexities). The protocol is proven secure in the framework of Crameret al. [6]. It is statistically secure against static active adversaries under the decisionalcomposite residuosity assumption (for the Paillier cryptosystem) and the strong RSAassumption (for the required interval proof).As an interesting application, this protocol can be used for secure and efficient statis-tical analysis on encrypted data. For the computation of the variance of L inputs, aprotocol is constructed in detail. Other statistics can be implemented similarly. Securestatistical analysis is of particular importance in the area of medical surveys. In medicalsurveys, users can release medical data to some research institute which analyses thedata and outputs some result (a diagnostic, a result of statistical analysis, etc.). How-ever, medical data are privacy sensitive and users might be unwilling to reveal thesedata in plaintext. Using secure multiparty computation, the institute is representedby a set of multiparty computation servers and the users can input their medical datain encrypted form. The servers can then use the modulo reduction protocol for securestatistical analysis.Finally, we illustrate that the protocol can easily be carried over to a client/serversetting. This variation has many other practical applications, for instance in the areaof secure face recognition [12], packing of encrypted values [19, 21, 32] and auctions[8, 15, 26].

1.2 Related work

The relation with the bit decomposition protocols of [30] is already illustrated. For theunconditional setting using verifiable secret sharing, Algesheimer et al. [1] constructeda modulo reduction protocol which actually works for encrypted modulus a. The pro-tocol relies on approximating 1/a (for which also a protocol by Kiltz et al. [24] canbe used). This protocol is only of theoretical interest4: instead of x mod a, the valuex mod a+ia is computed, with |i| < (n+1)(5+24+`x−`a−`′) for some additional securityparameter `′ (the number of correctly approximated bits of 1/a). The value x mod a isthen computed after O(n2`x−`a−`′) executions of a comparison protocol, which makesthe protocol inefficient. We note that our protocol does not rely on approximations.More comparable to ours is the modulo reduction protocol by Damgard et al. [7], whichcan easily be carried over to the cryptographic setting. Unlike ours, their scheme doesnot make use of the form of a. In particular, in the cryptographic setting their protocolhas a broadcast complexity varying between O(nk`2

x) and O(n2k`2x), where `x ≥ `a. In

4 We note that From and Jakobsen [16, Ch. 8] discuss the efficiency of the protocol of [1]. Theyconclude that the performance is generally low, in particular for a large number of participants. Seealso [31, Sec. 4.6].

3

many practical applications the value `a is even much smaller than `x, as exemplifiedin Sect. 6. Using ideas of [1], their protocol can also be extended to secret a. We stressthat for our purposes the protocol with public a suffices.Although our main concern is the modulo reduction protocol, we also consider therelated work with respect to statistical multiparty computation, which is used as mo-tivational example. Many work on privacy-preserving statistical analysis (e.g., [10, 11,24, 33]) only focuses on techniques other than THC-based secure multiparty computa-tion. In [23] computation of moments is considered for Paillier encryptions, and usedto compute statistics like mean and variance. However, they circumvent the need of amodulo reduction protocol by applying division on the decrypted moments only. For in-stance, for the computation of the mean of L values, they securely compute J

∑Li=1 xiK,

decrypt it and divide the result by L. This protocol is not of practical interest: be-cause

∑Li=1 xi is decrypted rather than (

∑Li=1 xi) div L, the protocol unintentionally

leaks information about the inputs, namely (∑L

i=1 xi) mod L. Moreover, the protocolof [23] cannot be integrated as a sub-protocol with encrypted output. In this sensethe construction of the modulo protocol offers a new approach of privacy-preservingstatistical computation.

2 Preliminaries

Throughout we denote [A,B) := {A,A + 1, . . . , B − 1}. By ‘random’ we implic-itly mean ‘uniformly randomly and independently distributed’, and we denote byx ∈R X the event that x is taken at random from X. For two distributions X andY with sample spaces V and W , we denote the statistical distance by ∆(X, Y ) =12

∑v∈V ∪W |Pr(X = v) − Pr(Y = v)| [20]. The two distributions are perfectly indis-

tinguishable if ∆(X, Y ) = 0, and statistically indistinguishable if ∆(X, Y ) is negligiblein a security parameter.

Security model. For the multiparty computation protocols, we consider the secu-rity framework of [6]. We consider n parties P = {P1, . . . ,Pn}, of which P ′ ⊂ P arecorrupted, who want to compute a protocol for some function f . By the view of P ′

on a protocol execution we denote all values the malicious part P ′ learns during theexecution. The protocol is said to securely evaluate f if it is possible to construct asimulator that may use the malicious part P ′ as a subroutine, and that outputs viewswhich are indistinguishable from views of the real executions. It practically means thatanything an adversary can learn from the real execution of the protocol, he could havesimulated himself as well. This framework is hybrid in the sense that for a secure func-tion evaluation, several sub-protocols (or gates) can be executed sequentially (but notconcurrently), and security of the function evaluation then holds via the security ofthese gates. The reader is referred to [6, full version] for a more formal description.

Paillier cryptosystem. Our protocol relies on the additively homomorphic cryp-tosystem by Paillier, which is proven semantically secure under the decisional composite

4

residuosity assumption [27]. We however consider its generalization and its thresholdvariant by Damgard and Jurik [9]. On input of a security parameter k, the public keyconsists of an RSA modulus N = pq of length k, for p = 2p′ + 1 and q = 2q′ + 1 safeprimes, and a positive integer s. We define m := p′q′. The secret key is a value d co-prime to N s satisfying d = 0 mod m. The message space is the ring ZNs , and a messagex is encrypted by taking a r ∈R Z∗

Ns+1 and computing c = (N + 1)xrNsmod N s+1.

For the threshold decryption, d is polynomially shared among the n participants, eachparticipant has a share di, and at least t participants are required to correctly decrypta ciphertext. This decryption protocol operates in constant rounds and has broadcastcomplexity O(nk). For less than t actively corrupted participants, on input of an en-cryption and the corresponding plaintext, the threshold decryption protocol can besimulated in a statistically indistinguishable way. A more detailed specification of thecryptosystem and the simulation can be found in [9]. Encryptions are denoted by JxK.We denote by JxKb(`) = {Jx0K, . . . , Jx`−1K} the ` least significant bits of x.

Proofs of knowledge. Our modulo reduction protocol involves zero-knowledgeproofs of knowledge in order to achieve security against malicious adversaries. We usethe notion of Σ-protocols, due to Cramer [5]. In the random oracle model, these pro-tocols can be made non-interactive using the Fiat-Shamir heuristic [13]. In particular,our proposal involves interval proofs in which a prover shows that a published encryp-tion JxK encrypts a value x ∈ [A,B). For this one can use the protocol by Boudot [4],which relies on the strong RSA assumption [2, 17]. This protocol operates in constantrounds and has broadcast complexity O(k). It can be simulated on input JxK.

2.1 Multiparty computation gates and circuits

The proposed protocol requires several efficient gates and circuits, all can be provensecure in the framework of [6]. We consider a multiplication gate, a comparison gateand a gate for generating random bits. In Table 1 we summarize the efficiencies ofthe gates. We recall that the Paillier cryptosystem is additively homomorphic, whichmeans that given encryptions JxK, JyK and a public a, the encryptions Jx+yK = JxKJyKand JaxK = JxKa can be computed non-interactively.

Multiplication. Cramer et al. [6] constructed a protocol for n participants to se-curely compute JxyK given JxK, JyK. This protocol has broadcast complexity O(nk)and operates in constant rounds. If one participant knows the value y, the multipli-cation can be computed with round complexity O(k), by a simple modification of theElGamal based private multiplier gate of [29].

Random bit generation. Several multiparty protocols for generating random bitsare known, differing in their complexities. One can minimize to constant round com-plexity using the unbounded fan-in multiplication technique by [6], having broadcastcomplexity O(n2k), or optimize broadcast complexity using the private multiplier gate

5

[30], obtaining broadcast and round complexity O(nk) and O(n), respectively.

Comparison gate. On input of two encrypted bit representations JxKb(`) and JyKb(`),a comparison gate outputs an encrypted bit J[x < y]K. In [18], a logarithmic roundcomplexity O(lg `) protocol is constructed. Damgard et al. [7] describe a constantround complexity protocol, but it has a considerably higher hidden constant, and forsmall values of ` (namely ` < 20) the logarithmic round protocol is more efficient.We note that in many applications of our protocol the comparisons are carried out onrather small values (of size `a). Both protocols have broadcast complexity O(nk`).

Gate broadcast roundmultiplication O(nk) O(1) [6]random bit O(nk) O(n) [30]generation O(n2k) O(1) [6]comparison O(nk`) O(lg `) [18]

O(nk`) O(1) [7]

Table 1. Efficiencies of the required multiparty computation gates.

3 Random bitwise value generation

The modulo reduction protocol introduced in Sect. 4 requires a sub-protocol to bit-wise generate a value r ∈R [0, a). We refer to this gate as the random bitwise valuegeneration protocol and we discuss such a protocol in this section. Other protocols forsecurely generating random values from a restricted domain are known as well [28]. Werecall that we have n participants (t, n)-threshold sharing the secret key for Paillierdecryption, and that the public key for the cryptosystem is (N, s).

Protocol 1 (Random bitwise value generation). Given a publicly known value asuch that 2`a−1 < a ≤ 2`a , the following protocol generates an encrypted bit represen-tation {Jr0K, . . . , Jr`a−1K} of r such that r ∈R [0, a). The participants Pi (i = 1, . . . , n)perform the following steps:

1. For j = 0, . . . , `a− 1, the participants jointly generate random bit encryptions JrjKfor rj ∈R {0, 1};

2. Using a comparison gate, J[r < a]K is computed and jointly decrypted. If [r < a] = 0,the protocol is restarted.

Notice that in case a 6= 2`a , the number of restarts of the protocol is 2`a/a < 2on average: the success probability is a/2`a , and the number of restarts follows thegeometric distribution (the participants restart until they have success). Hence, theyneed 2`a/a < 2 restarts on average. We now prove that Prot. 1 is correct. Security isproven in Sect. 5.

6

Proposition 1 (Correctness of Prot. 1). On input of a publicly known value asuch that 2`a−1 < a ≤ 2`a, the output of Prot. 1 is an encrypted bit representation ofr ∈R [0, a).

Proof. We need to prove that the outcome r =∑`a−1

j=0 rj2j is an element from [0, a)and that it is uniformly random. The first requirement is satisfied by phase 2 of theprotocol. For the second requirement, let α ∈ [0, a). We need to prove that Pr(r = α |r < a) = 1/a. But this holds as we have:

Pr(r = α | r < a) =Pr(r = α, r < a)

Pr(r < a)=

1/2`a

a/2`a= 1/a. ut

4 Multiparty modulo reduction

We consider input JxK with x ∈ {0, 1}`x and a public value a such that 2`a−1 < a ≤ 2`a

for some `a, and construct a protocol for the computation of Jx mod aK. Without lossof generality, we assume that `a ≤ `x: clearly, if `a > `x then certainly a > x, in whichcase x mod a = x. The protocol relies on the fact that it is unnecessary to computethe `x bits of x if the modulus a ≤ 2`a is known for some `a ≤ `x. In particular, ifa = 2`a , computing Jx mod aK can also be done by computing the `a least significantbits of x, as x mod a =

∑`a−1j=0 xj2j . As in many cases `a is relatively small compared

to `x (see for instance Sect. 6), this reduces the costs.

We recall that we have n participants (t, n)-threshold sharing the secret key for Paillierdecryption, and that the public key for the cryptosystem is (N, s). We introduce asecurity parameter `s, which we require to satisfy an2`x+`s < N s.

Protocol 2 (Modulo reduction). Given JxK for x ∈ {0, 1}`x and a publicly knownvalue a, the following protocol outputs an encryption Jx mod aK. The participants Pi

(i = 1, . . . , n) perform the following steps:

1. The participants jointly generate a random encrypted bit representation {Jr0K, . . . ,Jr`a−1K} of r such that r ∈R [0, a), using Prot. 1. In parallel, each participanttakes si ∈R {0, 1}`x+`s and publishes Si = JsiK together with an interval proof ofknowledge for relation

{(Si; si) | Si = JsiK ∧ si ∈ [0, 2`x+`s)}; (1)

2. Each participant individually computes

JxK ← JxKJrK−1

(n∏

i=1

JsiK

)a

=

t

x− r + a

n∑i=1

si

|

; (2)

3. Using threshold decryption the participants obtain x, and compute x← x mod a;

7

4. Using a comparison gate the participants compute

JcK ← J[a− 1− x < r]K. (3)

Notice that a−1− x is known in plaintext, and for r the participants know the en-crypted bit representation. In particular, the comparison gates described in Sect. 2.1can be used;

5. Each participant individually computes

mod(JxK, a)← JxKJrKJcK−a = Jx + r − caK. (4)

We now prove that Prot. 1 is correct. Security is proven in Sect. 5.

Proposition 2 (Correctness of Prot. 2). On input of JxK with x ∈ {0, 1}`x, and apublicly known value a, the output in (4) equals Jx mod aK.

Proof. For the value computed in phase 5, firstly observe that x + r ≡ x mod a:

x + r = (x mod a) + r {phase 3}

=

((x− r + a

n∑i=1

si

)mod N s

)mod a + r {equation (2)},

=

(x− r + a

n∑i=1

si

)mod a + r {0 ≤ x < N s},

from which x + r ≡ x mod a clearly follows. Note that 0 ≤ x < N s indeed holdswith overwhelming probability (in `s) by the bound an2`x+`s < N s. Now, the value ccomputed in phase 4 satisfies:

c = 0 ⇐⇒ a− 1− x ≥ r ⇐⇒ x + r + 1 ≤ a ⇐⇒ x + r < a.

But as x, r ∈ [0, a), we have x + r ∈ [0, 2a), and thus the output in (4) clearly equalsx + r mod a = x mod a. ut

5 Security analysis

Security of Protocols 1 and 2 is proven in light of the security framework by Crameret al. [6], as explained in Sect. 2. However, we need to adjust this model slightly usinga technique of Cramer et al., which is elaborated on by [30, 18]. This technique relieson ‘Yet Another Distribution’ (YAD). For a bit b ∈ {0, 1}, YADb is defined suchthat for b = 0 it is perfectly indistinguishable from the distribution of ideal views,and for b = 1 it is statistically indistinguishable from the distribution of real views.Therefore, the real and ideal views are indistinguishable if and only if YAD0 and YAD1

are indistinguishable. But the difference between these two distributions only dependson the encrypted value b ∈ {0, 1}, and hence the success probability of distinguishing

8

between YAD0 and YAD1 equals the success probability of distinguishing betweenJ0K and J1K, which is negligible as the Paillier cryptosystem is semantically secure [9].Therefore, given two values x(0) and x(1) drawn at random from the distributions YAD0

and YAD1, respectively, and a bit encryption JbK, corresponding to either the ideal orreal model, the real views need to be simulated for encrypted input Jx(0)(1−b)+x(1)bK.It is clear that this model is less general, but it is still sufficiently general to fit inthe framework of [6], [30]. In this model, we now construct simulators that simulateProtocols 1 and 2 in a statistically indistinguishable way. We recall that both simulatorsmay use the malicious parties as a subroutine, and need to output views of theseparties on the protocols that are indistinguishable from views of the real executions.The simulator for Prot. 1 has input a and r(0), r(1) ∈ [0, a), and a bit encryption JbK,and simulates the random bitwise value generation of JrK, where r = r(0)(1− b)+r(1)b.The simulator for Prot. 2 has input a and x(0), x(1) ∈ {0, 1}`x , and a bit encryptionJbK, and simulates the protocol for output Jx mod aK, where x = x(0)(1− b) + x(1)b.

Proposition 3 (Security of Prot. 1). On input of a publicly known value a, r(0), r(1) ∈[0, a) and a JbK for b ∈ {0, 1}, Prot. 1 can be simulated in a perfectly indistinguishableway.

Proof. We construct a simulator for the random bitwise value generation of JrK, wherer = r(0)(1−b)+r(1)b. The simulator may use the malicious parties P ′ = {P1, . . . ,Pt−1} ⊂P as a subroutine. We note that the random bit gates used in phase 1 can be simulated[30]. Moreover, the comparison gate can be simulated on input (JbK, r(0), r(1)) [18]. Letr(b)j (j = 0, . . . , `a − 1) be the bits of r(b), for b = 0, 1.

Phase 1. The simulator simulates each random bit gate (j = 0, . . . , `a − 1) on inputJrjK, with rj = r

(0)j (1− b) + r

(1)j b.

Phase 2. The simulator simulates this phase on input (JbK, r(0), r(1)). ut

Proposition 4 (Security of Prot. 2). On input of x(0), x(1) of length `x, JbK forb ∈ {0, 1}, and a publicly known value a, Prot. 2 can be simulated in a statisticallyindistinguishable way.

Proof. We construct a simulator for the computation of mod(JxK, a), where x = x(0)(1−b) + x(1)b. The simulator may use the malicious parties P ′ = {P1, . . . ,Pt−1} ⊂ P as asubroutine. We note that by Prop. 3 the random bitwise value generation protocol canbe simulated on input (JbK, r(0), r(1)) with r(0), r(1) ∈ [0, a). Moreover, threshold de-cryption can be simulated given JxK, x, and the comparison gate on input (JbK, r(0), r(1))[18].Phase 1. The simulator takes r ∈R [0, a) and simulates phase 1 with r = r(0)(1− b) +r(1)b, where:

r(b) ←(r + x(b)

)mod a. (5)

Note that the simulator knows the plaintext values r(b), and therefore the randombitwise value generation can be simulated on input (JbK, r(0), r(1)). For the parallelgeneration of the si’s, the simulator lets the adversary publish JsiK for i = 1, . . . , t− 1,

9

rewinding the proof (recall that the interval proof is a proof of knowledge) lets thesimulator obtain si. For the participants i = t, . . . , n − 1 he executes this phase as is.For Pn, he takes sn ∈R {0, 1}`x+`s , but he publishes JsnK = Js(0)

n (1− b)+ s(1)n bK, where:

s(b)n ← sn −

(r + x(b)

)div a.

He simulates the proof of knowledge (1). By construction, r, sn satisfy:

x− r + asn = −r + asn. (6)

Phase 2. Executed as is. Note that due to (6) x satisfies:

x = x− r + a

n−1∑i=1

si + asn = −r + a

n∑i=1

si.

Phase 3. Simulated on input JxK and −r + a∑n

i=1 si.Phase 4. Simulated on input (JbK, r(0), r(1)). Notice that a− 1− x is indeed known inplaintext.Phase 5. Executed as is.We note that the simulated view is statistically indistinguishable from the real view.To see this, first observe that by symmetry it suffices to consider b = 0. Now, thevalue r is taken uniformly at random from [0, a), and is perfectly indistinguishablefrom a value r taken at random in the real execution. The value sn is taken uniformlyat random from [−z, 2`x+`s − z), where z := (r + x(0)) div a < 2`x is a fixed value.This distribution (called X) is statistically close to the uniform distribution Y on[0, 2`x+`s): the statistical distance between X and Y is ∆(X, Y ) = z/2`x+`s < 2−`s ,which is negligible in the security parameter `s. This completes the simulation, andby construction of the protocol (Prop. 2) the outcome in phase 5 indeed satisfiesx + r mod a = x mod a. ut

6 Efficiency analysis

Protocol 1 consists of `a random bit generation executions and a comparison gate onbit representations of length `a, and these gates need to be executed at most 2 times onaverage. Following Table 1, this random bitwise value generation protocol has broad-cast complexity varying between O(nk`a) (with round complexity O(n)) and O(n2k`a)(in constant rounds). The modulo reduction protocol, Prot. 2, uses this sub-protocol,and moreover needs one comparison on bit representations of length `a. Therefore, themodulo reduction protocol has average broadcast complexity varying between O(nk`a)(in O(n) rounds) and O(n2k`a) (in constant rounds).In [7], Damgard et al. also construct a modulo reduction gate, although for verifiablesecret sharing. The threshold homomorphic encryption analogue of this gate is less ef-ficient than the one proposed here. Their protocol has a broadcast complexity varyingbetween O(nk`2

x) and O(n2k`2x) (with round complexities O(n + `x) and O(1), respec-

tively). Even stronger however, in many practical applications of modulo reduction

10

the value `a is rather small compared to `x: consider for example a scenario where100 millionaires want to securely compute an encryption of their average fortune. Inthis case `a = 7, while `x = 37 but needs to be extended to 47 to cover billionaires aswell5. Note that Damgard et al.’s construction requires to compute the complete bitrepresentation of x, while the idea of the proposed scheme relies on the shape of a, asmentioned before. The efficiencies are summarized in Table 2.

broadcast roundOurs O(nk`a) O(n)

O(n2k`a) O(1)[7] O(nk`2

x) O(n + `x)O(n2k`2

x) O(1)

Table 2. Efficiency analysis of our protocol.

7 Modulo reduction in the client/server setting

In many of the practical applications of the modulo reduction protocol, for instancefor secure face recognition [12] or auctions [8, 15, 26], a client/server variant wouldbe more suitable. In this section, an efficient client/server variant of our protocol isintroduced, which can be considered to be a generalization of a protocol of [12]. Inthe client/server setting, the server owns the secret key for decryption, and a clientwants to obtain Jx mod aK on input JxK with x ∈ {0, 1}`x . The protocol introduced inthis section relies on a comparison protocol on private inputs, for which a protocol byErkin et al. [12] can be used, which optimizes a protocol by [8]. This protocol outputs,on private inputs v and w of the server and client, respectively, encryption J[v < w]Kto the client. For convenience, we assume both client and server to be semi-honest, asin [12].

We recall that the server owns the decryption key for the Paillier cryptosystem withpublic key (N, s). Similar to Sect. 4, we introduce security parameter `s such thatan2`x+`s < N s. We consider a public value a such that 2`a−1 < a ≤ 2`a and client’sprivate input JxK with x ∈ {0, 1}`x . The protocol is given in Fig. 1. The private inputcomparison protocol by [12] suffices to fulfill the last round. Notice that indeed theclient is not allowed to learn the plaintext value [a−1−x < r]. The proof of correctnessis similar to Prop. 2, and therefore omitted.

8 Applications

The modulo reduction protocol constructed in Sect. 4 can be used to compute statisticsfunctions efficiently in the multiparty setting. Indeed, many statistics require integer5 For simplicity we assume that the fortune of a millionaire is upper bounded by one billion. Now,

the average is computed as (x1 + . . . + x100)/100, where xi is the fortune of millionaire i. In thenotation of the protocol, we have x =

P100i=1 xi and a = 100. Thus, `x = 37 and `a = 7.

11

Server Client

(knows: d) (know: a) (knows: JxK)r ∈R [0, a)

s ∈R [0, 2`x+`s)

JxK ← Jx− r + asKJxK←−−−−−−−−−−−−−x← D(JxK)

x← x mod a JxK−−−−−−−−−−−−−→comparison a − 1 − x

?< r←−−−−−−−−−−−−→ JcK = J[a− 1− x < r]K

Jx mod aK ← JxKJrKJcK−a

Fig. 1. Modulo reduction in the client/server setting

division (e.g. mean and variance), which can be computed by deploying the moduloreduction protocol. Particularly, in combination with an efficient secure multipartysorting protocol for sorting L encrypted values6, one can construct multiparty proto-cols for the mean, the variance, the median and the MAD (median absolute deviation).The modulo reduction protocol also allows to compute, on input of a list of encryp-tions, the percentile of the values that is below a certain threshold. We note that allof these functions require a public modulus a, as in our protocol.The possibility to compute statistics on encrypted data has many practical applica-tions, for instance in the area of medical surveys where users can enter medical data tosome institute who does analysis on these data and outputs some result (a diagnostic,a result of statistical analysis, etc.): the problem with these surveys is that the medicaldata are privacy sensitive and users might be unwilling to reveal these data in public.Using multiparty computation, where the institute is represented by a set of multi-party computation servers, this privacy problem can be solved, but as a consequencethe (statistical) analysis needs to be done in the encrypted domain instead. To thisend, the modulo reduction protocol can be used. As already mentioned in Sect. 7, theprotocol has many other applications, for instance in the area of secure face recogni-tion, packing of encrypted data and buyer/seller protocols.

As an example on how to construct statistics protocols, we show how participants P ={P1, . . . ,Pn}, who (t, n)-threshold share the secret key for the Paillier cryptosystem,can compute the variance given L Paillier encryptions {Jx1K, . . . , JxLK}. We recall fromliterature that the variance is the value 1

L−1

∑Li=1(xi − x)2, where x is the mean,

x = x1+···+xLL . The computation of the other statistics functions is straightforward.

6 For the construction of a multiparty sorting protocol, one can deploy Batcher’s ‘odd-even mergesort’[3] that requires O(L(lg L)2) comparisons and O((lg L)2) rounds, and thus results in a protocolhaving broadcast and round complexity O(L(lg L)2`nk) and O((lg L)2 lg `), respectively. The readeris referred to [25, Sec. 4.4] for a concrete implementation.

12

Example. Let X := {Jx1K, . . . , JxLK} be a set of L Paillier encryptions, such that foreach i = 1, . . . , L we have xi < 2`x . The participants P want to compute var(X).Notice that this function is equivalent to computing

var(X) =

t1

L(L− 1)

(L

L∑i=1

x2i −

( L∑i=1

xi

)2)|

.

We denote V := L∑L

i=1 x2i − (

∑Li=1 xi)2. Now, the participants can compute var(X)

in the following way: firstly using L + 1 multiplication gates, encryptions Jx2i K and

J(∑L

i=1 xi)2K are computed. By the homomorphic property of the cryptosystem theseeasily result in JV K. Then, the modulo reduction protocol is applied to encryption JV Kand public modulus L(L − 1). This results in encryption var(X) = JV div L(L − 1)K.The remainder after division is given by JV mod L(L− 1)K.In order for the modulo reduction protocol to succeed we need nL422`x+`s < N s, where(N, s) is the public key of the Paillier cryptosystem and `s is a security parameter. Theprotocol has broadcast complexity O(nkL) and round complexity O(n). We note thatthe O(nkL) broadcast complexity is attained in the first phase of the protocol, thecomputation of JV K.

References

[1] Joy Algesheimer, Jan Camenisch, and Victor Shoup. Efficient computation modulo a sharedsecret with application to the generation of shared safe-prime products. In Advances in Cryptology- CRYPTO ’02, volume 2442 of LNCS, pages 417–432, Berlin, 2002. Springer-Verlag.

[2] Niko Baric and Birgit Pfitzmann. Collision-free accumulators and fail-stop signature schemeswithout trees. In Advances in Cryptology - EUROCRYPT ’97, volume 1233 of LNCS, pages480–494, Berlin, 1997. Springer-Verlag.

[3] Ken Batcher. Sorting networks and their applications. In Proceedings of the AFIPS Spring JointComputing Conference ’68, volume 32, pages 307–314, 1968.

[4] Fabrice Boudot. Efficient proofs that a committed number lies in an interval. In Advances inCryptology - EUROCRYPT ’00, volume 1807 of LNCS, pages 431–444, Berlin, 2000. Springer-Verlag.

[5] Ronald Cramer. Modular Design of Secure yet Practical Cryptographic Protocols. PhD thesis,University of Amsterdam, Amsterdam, 1997.

[6] Ronald Cramer, Ivan Damgard, and Jesper Nielsen. Multiparty computation from thresholdhomomorphic encryption. In Advances in Cryptology - EUROCRYPT ’01, volume 2045 of LNCS,pages 280–300, Berlin, 2001. Springer-Verlag.

[7] Ivan Damgard, Matthias Fitzi, Eike Kiltz, Jesper Nielsen, and Tomas Toft. Unconditionally se-cure constant-rounds multi-party computation for equality, comparison, bits and exponentiation.In Theory of Cryptography, volume 3876 of LNCS, pages 285–304, Berlin, 2006. Springer-Verlag.

[8] Ivan Damgard, Martin Geisler, and Mikkel Krøigaard. Efficient and secure comparison for on-lineauctions. In ACISP ’07, volume 4586 of LNCS, pages 416–430, Berlin, 2007. Springer-Verlag.

[9] Ivan Damgard and Mads Jurik. A generalisation, a simplification and some applications ofPaillier’s probabilistic public-key system. In Public Key Cryptography ’01, volume 1992 of LNCS,pages 119–136, Berlin, 2001. Springer-Verlag.

[10] Wenliang Du and Mikhail Atallah. Privacy-preserving cooperative statistical analysis. In An-nual Computer Security Applications Conference - ACSAC ’01, pages 102–112. IEEE ComputerSociety, 2001.

13

[11] Wenliang Du, Yunghsiang Han, and Shigang Chen. Privacy-preserving multivariate statisticalanalysis: Linear regression and classification. In SIAM International Conference on Data Mining- SDM ’04, pages 102–112. SOAM, 2004.

[12] Zekeriya Erkin, Martin Franz, Jorge Guajardo, Stefan Katzenbeisser, Inald Lagendijk, and TomasToft. Privacy-preserving face recognition. In Privacy Enhancing Technologies Symposium - PETS’09, volume 5672 of LNCS, pages 235–253, Berlin, 2009. Springer-Verlag.

[13] Amos Fiat and Adi Shamir. How to prove yourself: Practical solutions to identification andsignature problems. In Advances in Cryptology - CRYPTO ’86, volume 263 of LNCS, pages186–194, Berlin, 1987. Springer-Verlag.

[14] Matthew Franklin and Stuart Haber. Joint encryption and message-efficient secure computation.Journal of Cryptology, 9(4):217–232, January 1996.

[15] Matthew Franklin and Michael Reiter. The design and implementation of a secure auction service.IEEE Transactions on Software Engineering, 22(5):302–312, 1996.

[16] Strange From and Thomas Jakobsen. Secure multi-party computation on integers. Master’sthesis, University of Arhus, Arhus, 2006. http://www.cs.au.dk/~tpj/uni/thesis/report.pdf.

[17] Eiichiro Fujisaki and Tatsuaki Okamoto. Statistical zero knowledge protocols to prove modularpolynomial relations. In Advances in Cryptology - CRYPTO ’97, volume 1294 of LNCS, pages16–30, Berlin, 1997. Springer-Verlag.

[18] Juan Garay, Berry Schoenmakers, and Jose Villegas. Practical and secure solutions for integercomparison. In Public Key Cryptography ’07, volume 4450 of LNCS, pages 330–342, Berlin, 2007.Springer-Verlag.

[19] Bart Goethals, Sven Laur, Helger Lipmaa, and Taneli Mielikainen. On private scalar productcomputation for privacy-preserving data mining. In Information Security and Cryptology - ICISC’04, volume 3506 of LNCS, pages 104–120, Berlin, 2004. Springer-Verlag.

[20] Shafi Goldwasser and Silvio Micali. Probabilistic encryption. Journal of Computer and SystemSciences, 28(2):270–299, April 1984.

[21] Geetha Jagannathan and Rebecca Wright. Privacy-preserving distributed k-means clusteringover arbitrarily partitioned data. In KDD ’05: Proc. of the 11th ACM SIGKDD InternationalConference on Knowledge Discovery in Data Mining, pages 593–599, New York, 2005. ACM.

[22] Markus Jakobsson and Ari Juels. Mix and match: Secure function evaluation via ciphertexts. InAdvances in Cryptology - ASIACRYPT ’00, volume 1976 of LNCS, pages 162–177, Berlin, 2000.Springer-Verlag.

[23] Aggelos Kiayias, Bulent Yener, and Moti Yung. Privacy-preserving information markets forcomputing statistical data. In Financial Cryptography ’09, volume 5628 of LNCS, pages 32–50,Berlin, 2009. Springer-Verlag.

[24] Eike Kiltz, Gregor Leander, and John Malone-Lee. Secure computation of the mean and re-lated statistics. In Theory of Cryptography Conference - TCC ’05, pages 283–302, Berlin, 2005.Springer-Verlag.

[25] Bart Mennink. Encrypted certificate schemes and their security and privacy analysis. Master’sthesis, Eindhoven University of Technology, Eindhoven, 2009.

[26] Moni Naor, Benny Pinkas, and Reuban Sumner. Privacy preserving auctions and mechanismdesign. In ACM Conference on Electronic Commerce, pages 129–139, New York, 1999. ACM.

[27] Pascal Paillier. Public-key cryptosystems based on composite degree residuosity classes. InAdvances in Cryptology - EUROCRYPT ’99, volume 1592 of LNCS, pages 223–238, Berlin, 1999.Springer-Verlag.

[28] Berry Schoenmakers and Andrey Sidorenko. Distributed generation of uniformly randombounded integers. Unpublished manuscript, October 1, 2007.

[29] Berry Schoenmakers and Pim Tuyls. Practical two-party computation based on the conditionalgate. In Advances in Cryptology - ASIACRYPT ’04, volume 3329 of LNCS, pages 119–136,Berlin, 2004. Springer-Verlag.

[30] Berry Schoenmakers and Pim Tuyls. Efficient binary conversion for Paillier encrypted values.In Advances in Cryptology - EUROCRYPT ’06, volume 4004 of LNCS, pages 522–537, Berlin,2006. Springer-Verlag.

14

[31] SecureSCM. Secure computation models and frameworks. Technical Report D9.1, SecureSCM,July 2008. http://www.securescm.org.

[32] Jaideep Vaidya and Chris Clifton. Privacy-preserving k-means clustering over vertically parti-tioned data. In KDD ’03: Proc. of the 9th ACM SIGKDD International Conference on KnowledgeDiscovery in Data Mining, pages 206–215, New York, 2003. ACM.

[33] Liangliang Xiao, Mulan Liu, and Zhifang Zhang. Statistical multiparty computation based onrandom walks on graphs. Cryptology ePrint Archive, Report 2005/337, 2005. http://eprint.

iacr.org/2005/337.

15