6

I have two secret values $a$ and $b$ (i.e. they are arbitrary values). I mask them as follows:

$v_1=r_1a+r_2$

$v_2=r_1(b-a)$

where $r_1$ and $r_2$ are uniformly random values. I send $v_1$ and $v_2$ to a malicious server, and ask him to compute $v_1+v_2=r_1b+r_2$


Question: Given $v_1$ and $v_2$, can the server learn anything about $a$ and $b$?


Note: We know that if the server learns $r_1$ or $r_2$ it can figure out the values $a$ and $b$ too.

Edit: I consider modular operations, so they are done mod $p$ where $p$ is a large prime number. So $r_i$ is picked uniformly at random from the field $\mathbb{F}_p$.

user153465
  • 1,583
  • 12
  • 23

2 Answers

7

Given $v_1$ and $v_2$, can the server learn anything about $a$ and $b$?

Yes, they can (with high probability) determine whether $a = b$; if $v_2 = 0$, then either $r_1 = 0$ or $a = b$; given that $r_1 = 0$ occurs with probability $1/p$, the attacker can conclude that $a = b$.

Now, that's the only thing the attacker can learn; for any observed $v_1, v_2$ and for any $a, b$ pair with $a \ne b$, there is a unique $r_1, r_2$ pair that makes it work. As $r_1, r_2$ are selected randomly and uniformly, the attacker gets no information on what the actual $a, b$ pair is.

poncho
  • 154,064
  • 12
  • 239
  • 382
2

The adversary can learn whether or not $a$ and $b$ are equivalent (with high probability). All other information is protected.

I asked in the comments whether or not a finite field was used or if we were working in the integers. This is important, because in the unsigned (positive) integers, the adversary can learn order. Since he has $r_1a+r_2$ and can compute $r_1b+r_2$, he has an ordering. Thus, by comparing $v_1$ and this value, the adversary knows the ordering of $a$ and $b$.

mikeazo
  • 39,117
  • 9
  • 118
  • 183
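To check the claims of both answers above, here is an added Python example (not code from the question or either answer; the prime `P` and the sample secrets are constructed). `explain()` shows that every $a \ne b$ is consistent with an observed $(v_1, v_2)$ in $\mathbb{F}_p$, so only equality leaks there, while `integer_leak_order()` shows the extra ordering leak over the unsigned integers.

```python
# Added example, not from the question or either answer: checks the two leakage
# claims made on this page for the masking v1 = r1*a + r2, v2 = r1*(b - a).
# P and the sample secrets are constructed values, not from the page.
import secrets

P = 2**127 - 1  # a Mersenne prime standing in for the large prime p (constructed)


def mask(a, b, r1, r2, p=P):
    """Client side: the pair (v1, v2) sent to the server.  p=None means plain
    integer arithmetic (the setting mikeazo's answer warns about)."""
    v1, v2 = r1 * a + r2, r1 * (b - a)
    return (v1, v2) if p is None else (v1 % p, v2 % p)


def server_sum(v1, v2, p=P):
    """What the server is asked to compute: v1 + v2 = r1*b + r2."""
    return v1 + v2 if p is None else (v1 + v2) % p


def explain(v1, v2, a, b, p=P):
    """For an observed (v1, v2) and any candidate secrets a != b, return the
    unique (r1, r2) in F_p that produces exactly that observation.  Since such
    a pair exists for every a != b, the observation says nothing about which
    (a, b) was used; this is poncho's argument for why only a == b leaks."""
    if (a - b) % p == 0:
        raise ValueError("a == b: v2 = 0 for every r1, so r1 is not determined")
    r1 = v2 * pow(b - a, -1, p) % p  # v2 = r1*(b-a)  =>  r1 = v2 / (b-a)
    r2 = (v1 - r1 * a) % p           # v1 = r1*a + r2  =>  r2 = v1 - r1*a
    return r1, r2


def field_leak_equal(v2):
    """The server's only test in F_p: v2 == 0 iff a == b, except in the
    probability-1/p event r1 == 0."""
    return v2 == 0


def integer_leak_order(v1, v2):
    """Over the unsigned integers with r1 > 0, comparing v1 = r1*a + r2 with
    v1 + v2 = r1*b + r2 reveals the order of a and b.
    Returns -1, 0 or 1 for a < b, a == b, a > b."""
    s = v1 + v2
    return (v1 > s) - (v1 < s)


def random_masking(a, b, p=P):
    """Pick r1, r2 uniformly from F_p and mask (a, b) as in the question."""
    r1, r2 = secrets.randbelow(p), secrets.randbelow(p)
    return mask(a, b, r1, r2, p)
```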