Lets say A has a binary vector of length n, B has a permutation matrix of size n. Is there a way for B to permute A's vector so that A only learns about the result of permutation and B does not learn about the original vector?
Asked
Active
Viewed 153 times
2
-
Correct me if I'm wrong but surely if B knows the permutation p and the output he can invert p and use it to get the original vector again. – Jackoson Feb 21 '18 at 13:03
-
B doesn't know the output of the permutation, at the beginning A knows v, B knows P, and at the end A should know Pv while B still only knows P – Adam Feb 21 '18 at 14:30
-
If B knows the result, he knows the hamming weight, so some (usually small) information leakage is unavoidable – kodlu Feb 21 '18 at 20:36
-
1Just as a random observation, if A can make $\log_2 n$ queries with $n$-bit vectors against the same permutation matrix, then they can trivially recover the entire permutation. So if this is possible at all, the number of queries must be strictly limited. – Ilmari Karonen Mar 23 '18 at 18:03
1 Answers
2
Using an encryption scheme that is rerandomizable (such as ElGamal for example), A can just send n ciphertexts encrypting her values, then B shuffles those ciphertexts and rerandomize them. B never learns anything and the rerandomization destroys information about the original ciphertexts so that A cannot trace back the permutation.
Florian Bourse
- 986
- 5
- 16
-
1It's a binary vector, which implies the entries are all 0 and 1. With basic ElGamal you can't encrypt 0s. This question/answer provides a small modification that facilitates encryptions of 0. – Ella Rose Apr 24 '18 at 13:57