CRYPTOGRAPHIC ALGORITHMS FOR PRIVACY-PRESERVING ONLINE APPLICATIONS

. Privacy in online applications has drawn tremendous attention in recent years. With the development of cloud-based applications, protecting users’ privacy while guaranteeing the expected service from the server has become a signiﬁcant issue. This paper surveyed the most popular cryptographic algorithms in privacy-preserving online applications to provide a tutorial-like introduction to researchers in this area. Particularly, this paper focuses on introduction to homomorphic encryption, secret sharing, secure multi-party computation and zero-knowledge proof.


1.
Introduction. Cloud computing [60] and big data [45] technology have been developed rapidly in the last decade, and privacy protection in online applications has become a more critical issue than ever before. Nowadays users are becoming more aware of their privacy issues when utilizing online service, and great efforts are made by researchers in building secure and robust applications with privacy protection. In this paper, we surveyed recent research in privacy-preserving online applications, and introduce the most popular and powerful cryptographic mechanisms in building practical applications. Fig. 1 illustrates a general online application model, and this is also a structure for generic cloud computing, where the users outsource personal data to a cloud server. In this model, users send their personal data to the server who performs computations and returns results to the users. The users and the server could be one-to-one, meaning that each user interacts with the server independently, or manyto one, meaning that a group of users interact with the server together. Under some conditions, it is also possible to have multiple servers working together in the cloud. This cloud-based structure introduces serious privacy issues, becasue the users need to submit their personal data to the server, which exposes private information of the users. Therefore, some careful-designed mechanisms are in need to protect users' privacy.
There are countless online applications that adopt the structure in Fig. 1 [85,39,81,59,5,4], and each application has its own feature. For example, in an electronic voting system, voter's votes should be kept secret such that the privacy of voters can be maintained; in a gene-testing application, not only the patient's genome data should be kept secret, but also the doctors' patent gene probe should be kept secret from the server. Nevertheless, a suitable cryptographic mechanism will solve these privacy issues with careful adjustments according to a specified application. In this paper we focus on some of the most popular and powerful cryptographic algorithms: homomorphic encryption, secret sharing, secure multi-party computation and zeroknowledge proof.
The concept of homomorphic encryption was firstly proposed in 1978 [72] and it raised lots of attention in the past 30 years. Homomorphic encryption enables the server to compute on the encrypted data in order to protect the privacy of users. A simple example is illustrated as follows. A user would like to compute a function f of his personal data, which needs lots of computation power. Therefore, the user would like to outsource this task to a server. To do this, this user encryptes his data using homomorphic encryption, and sends the ciphertext to the server. The server will do some computations on the ciphertext, and return the results (also a ciphertext) to the user. Once the user decrypt the results from the server, he will obtain the function of his data.
Homomorphic encryption includes partially homomorphic encryption and fully homomorphic encryption. Partially homomorphic encryption was known for many years and there are lots of public key cryptosystems that are partially homomorphic, such as unpadded RSA [73], Elgamal [25], and Paillier's scheme [65]. These algorithms support either additive or multiplicative operations, and are not suitable for applications that need mixed operations such as signal processing. Researchers have been focused on fully homomorphic encryption in recent years, and efficiency has been largely improved from original lattice-based encryption to current learningwith-errors based encryption. However, fully homomorphic encryption is still not practical in real applications due to its huge computational cost. Partially homomorphic encryption is more efficient than fully homomorphic encryption and is well stuied for reall applications, though efficiency is still a critical factor in the real deployment.
Secret sharing is another significant primitive in building cryptographic mechanisms. Introduced in 1979 by Shamir [75], secret sharing has been developed in the later twenty years [10,11,17]. Secret sharing enables a secret to be shared by a group of users, who can reconstruct the secret together. Take an voting scheme for example, the final computation usually needs multiple administrators to process at the same time, thus secret sharing protocol is in need such that a secret key to decrypt the result could be split to multiple administrators and reconstructed when all the administrators are at present. Secret sharing is also a foundation of secure multi-party computation (MPC), which is useful in many online applications such as online lottery and auctions. While useful in many cloud-based applications, secrets sharing has its limitations. For applications with a large group of users sharing a secret, tremendous inter-communications among these users are needed, rendering huge communication cost. Thus communication cost is one key factor while considering applying secret sharing.
Zero-knolwedge proof(ZKP) was proposed by Goldwasser, Micali and Rakoff in 1989 [35]. Zero-knowledge proof is used to build authentication systems where a user could be authenticated, but the credentials of the users will not be leaked to the authenticator. While this concept is attracting, there are no designs for a general zero-knowledge proof protocol. Based on different applications and requirements, there could be various designs. ZKP includes interactive ZKP and non-interactive ZKP; the former requires the participants to interact with each other while the latter does not. We give detailed explanations of these two types of ZKP in our paper.
In the following sections, we give detailed discussions of homomorphic encryption, secret sharing, secure multi-party computation and zero-knowledge proof. We also give discussions on how to apply these mechanisms in real applications.
2. Homomorphic encryption. Homomorphic encryption allows computations on ciphertext of a message, therefore the computation party cannot see the content of the message [63]. Most state-of-art homomorphic encryption schemes are public key cryptosystems [65,25,34,73], and there are very few symmetric homomorphic encryption schemes [76]. Homomorphic encryption can be defined in the following way: where M is the set of plaintext, and presents either additive operation or multiplicative operation.
Homomorphic encryption is characterized by four functions: Gen, Enc, Dec and Eval. Take a public key cryptosystem for example, a pair of keys pk and sk are generated by Gen (pk for encryption Enc and sk for decryption Dec separately). Eval takes a group of ciphertext and outputs a ciphertext that corresponds to a functioned plaintext. More specifically, Eval takes a group of n ciphertext (c 1 , c 2 , · · · , c n ) ∈ C, where (c 1 , c 2 , · · · , c n ) are ciphertext from m 1 , m 2 , . · · · , m n ∈ M, and outputs a ciphertext that corresponds to f (m 1 , m 2 , · · · , m n ). Depending on the operations on the ciphertext, homomorphic can be classified as partially homomorphic encryption (FHE) and fully homomorphic encryption (PHE).
2.1. Partially homomorphic encryption. Partially homomorphic encryption supports only one kind of operation on the ciphertext, either additive or multiplicative operation. A homomorphic encryption scheme is said to be additively homomorphic if it supports additive operation, and multiplicatively homomorphic if it supports multiplicative operation. There are many designs of partially homomorphic encryptions, and we give examples of the most widely used homomorphic encryption as follows.
1. RSA We refer to unpadded RSA, which is also called plain RSA in this case. The detailed steps are listed as follows. (a) Gen: choose two large prime p and q, and compute integer N = pq.

ElGamal Encryption
(a) Gen: on input 1 n run G(1 n ) to obtain (G, q, g). Choose uniformly y ∈ Z q and compute h = g x . The public key is (G, q, g, h), and the private key is (G, q, g, x). (b) Enc: choose a uniform y ∈ Z q , and output the ciphertext c =< g y , h y · m >=< c 1 , c 2 >. (c) Dec: m = c 2 /c x 1 = (h y · m)/(g y ) x = g xy · m/g xy . (d) Homomorphic Property: 2.1.2. Additive Homomorphic Encryption.

Exponential ElGamal Encryption
ElGamal encryption is originally multiplicative homomorphic, but could be changed to be additive homomorphic after some simple modifications. The idea is to encrypt g m instead of encrypting the message m itself. This version of ElGamal encryption is called exponential ElGamal. The difficulty of running exponential ElGamal is that it requires the computation authority to solve the discrete logarithm problem (DLP) (see Definition. 2.2). Therefore, the algorithm usually works when m is small or the computation authority has a rough value of m and he could brute-force the value of m. Although with limitations, exponential ElGamal has useful applications and there are some interesting designs in the smart grid systems [18].
The computational DLP in a multiplicative group G with generator g is defined as follows: for an element Q in group G, where Q = g α , compute α from Q.

2.2.
Fully homomorphic encryption. Fully Homomorphic encryption (FHE) has limited applications due to its high computational cost [7]. However, the feature of FHE attracts lots of researchers as it allows arbitarty computations. The early research on FHE is focused on lattic-based schemes [31,77] integer-based schemes [80]. Current research on fully homomorphic encryption is mainly based on learning-with-errors(LWE) [71,16] and ring-learning-with-errors (RLWE) [16,15]. Optimization is still the biggest challenge in FHE and the huge costs of memory size hinders the development of FHE applications.
Tab. 1 presents the state-of-art homomorphic encryption schemes. The readers could explore each algorithm for details. Also, there are some good surveys that readers could refer to for extensive information [3,61,29]. 3. Secret sharing. Secret Sharing [10] is a critical cryptographic primitive where a dealer distributes shares of a secret to parties such that a subset of the parties are able to reconstruct the secret. Most secret sharing schemes in use are threshold schemes, and a typical (t, n)threshold secret sharing scheme is defined as follows: Definition 3.1. (Threshold Secret Sharing) A dealer holds a secret s to be shared to N users, and each user gets a share s i . A distribution scheme is said to be (t, n)-threshold secret sharing scheme if the following requirements hold: 1. For any subset of T users where T ≥ t, secret s could be reconstructed from s i of these T users. 2. For any subset of T users where T < t, secret s could not be reconstructed from s i of these T users.
We give descriptions of some mostly used secret sharing schemes here. The first two schemes we present, Sharmir's and Blakley's schems, are threshold secrets sharing schemes, while the others are regular secret sharing schemes and there are no settings for threshold.
1. Shamir's Scheme [75]: Shamir's scheme is based on a well-known fact that any nonzero, degree-t polynomial over a field has most t roots. The construction is as follows: (a) Pre-Construction: Given a secret s from a finite field F, an integer t where 1 ≤ t < n.
(b) Sharing: The dealer uniformly chooses a 1 , a 2 , · · · , a t from F, and defines a polynomial P (x) = s + t i=1 a i X i . Therefore, each user's share is (c) Reconstruction: t users are able to reconstruct the secret s by computing the unique degree-(t − 1) polynomial p for which p (x ij ) = s i .

2.
Blakley's Scheme [12]: Blakey's scheme is based on the fact that any n nonparallel (n − 1)-dimensional hyperplanes intersect at a specific point. Fig. 2 illustrates Blakley's scheme in three dimensions: A secret x is encoded with all the three planes; only when the three planes intersects, the secrets can be reconstructed. The construction can be illustrated as follows: (a) Pre-Construction: The dealer creates a point P (x 0 , y 0 , z 0 ) and let x 0 be the secret. (b) Sharing: the dealer picks a and b randomly, and a large prime p, and set c ≡ z 0 − ax 0 − by 0 (mod p), then the plan is z = ax + by + c. Each user gets a share of the secret.
Solution can be found to reveal the value of x 0 . Blakley's protocol requires each user to keep a share of a hyper-plane, and each hyper-plane is actually a set of many different points. This indicates that, in Blakley's protocol, each user has to keep a message space that is far greater than the secret itself. In Sharmir's scheme, however, each user only needs to keep a record of one point, which is the same size of the secret. Therefore, Sharmir's protocol is much more space-efficient than the Blakley's scheme.

Secret Splitting
Another type of secret sharing is secret splitting, where a secret k is split to n people and has to be reconstructed with these n people. Different from threshold secret sharing, secret splitting requires a fixed number of users to reconstruct the secret. A basic secret splitting protocol involves a one-timepad implementation and takes advantage of bit-wise exclusive-or operations. More specifically, for a sequence of bits, the exclusive-or result is determined by all the bits. A simple example could be as follows: the dealer selects a secret key k = 1010 and splits the key into 3 shares, e.g. (0, 1, 0, 0), (1, 0, 0, 0) and (0, 1, 1, 0). Each user obtains one share and could reconstruct the secret if they are all at present: The major drawback of secret splitting is that the number of users who share the secret is fixed. If a new user enters the set, the dealer has to recreate the shares and distribute the new shares to all users. This makes it very inconvenient for the dealer to manage the secret shares. 4. Ito, Saito, and Nishizeki's scheme [43]: Ito, Saito, and Nishizeki's (ISN) scheme is a special type of secret splitting, and it allows any number of users to reconstruct the secrets. ISN is based the computation of exclusive-or operations. The construction is as follows: (a) Pre-Construction: The dealer shares a secret k ∈ (0, 1). An authorized set that could reconstruct the secret is presented as s 1 , s 2 , s 3 , · · · , s n . (b) Sharing: The dealer chooses n − 1 random bits (r 1 , r 2 , r 3 , · · · , r n−1 ), computes r n = k ⊕ r 1 ⊕ r 2 ⊕ · · · ⊕ r n−1 , and gives s i the bit of r i . (c) Reconstruction: k = r 1 ⊕ r 2 ⊕ · · · ⊕ r n−1 ⊕ r n . Note that the dealer needs to create many sets for authorized groups, and the same user could appear in any of the authorized groups. This indicates that the number of bits that a user gets is equal to the number of authorized sets that contains this user. This makes the scheme highly inefficient if the number of necessary authorized set becomes large. For example, suppose there is 1 dealer and 5 users, and the dealer would like the following three sets of users to reconstruct the secret: {user1, user2, user3}, {user1, user3, user4, user5} and {user1, user2, user5}. For these three sets of users, the dealer has to create three sets of shared secrets; {r1, r2, r3}, {r1, r3, r4, r5} and {r1, r2, r5}. In this case, if one user appears in n such sets, then he needs to remember n secret shares. When the users' number becomes large, it becomes difficult for both the user and the dealer to manage the secret shares.
3.1. Verifiable Secret sharing. The secret sharing scheme introduced above are vulnerable to two attacks: 1). The dealer dishonestly gives inconsistent shares to users. 2). A malicious user presents a wrong share to construct the secret s. To prevent these two attacks, a secret sharing scheme need to be improved to detect a dishonest dealer or user. Here we introduce verifiable secret sharing (VSS) [68,79,66]. The goal of VSS is to ensure that there is a well-defined secret that can be reconstructed even with a corrupted dealer or some dishonest users. A simple example is the algorithm introduced by Feldman [28], which is based on the Shamir's secret sharing. The basic construction is the same as in Shamir's scheme, but the dealer also distributes commitment to the coefficient of the polynomial P (x): With this construction, any user P i is able to verify his share by computing: Note that the above equation holds if the dealer is honest: The security of this scheme is based on the hardness of solving the discrete-logarithm problem. More specifically, an adversary has negligible probability to solve the following computational discrete logarithm problem (DLP) within any polynomial time. See Definition. 2.2.
4. Secure multi-party computation. Secure Multi-party computation or multiparty computation (MPC) is a cryptographic primitive in which a group of entities are able to perform some computations without exposing individual's private information. Since the protocol needs the participants to work cooperatively without the supervision of a trusted third party, it is necessary to assume that the participants are not malicious. Therefore MPC protocols are commonly designed in an honestbut-curious model, in which the participants will try to infer other entities' private information, but will follow the protocol honestly. A MPC protocol is defined as follows: Definition 4.1. (MPC) A group of n parties {p 1 , p 2 , · · · , p n } would like to compute some function f based on each individual's private data x i . A protocol P is said to be MPC protocol if it meets the two requirements after the execution: 1. Correstness: The execution of the protocol outputs f (x 1 , x 2 , · · · , x n ). 2. Privacy: The execution of the protocol does not leak any private information of x i to other parties.
A MPC is said to be fair if all parties can obtain the final results at the same time. Based on the number of participants, MPC protocols are classified as twoparty protocol and multi-party protocol.
1. Two-party Protocol Two party protocol(2PC) was first proposed as the Millionair's Problem: Two millionairs would like to know who is richer, but no one would like the other entity to know his property, then how to solve this problem? This problem was generalized in 1986 by Andrew Yao [83,84] who proposed garbled circuits as a solution to 2PC. Garbled circuits takes one participant as circuits creator, and another participant as circuits evaluator. The truth table of the circuits is obscured by the creator and the execution of the circuits is run by the circuits evaluator. The evaluator needs to send the obscured result to the creator, who is able to map the obscured value to the final result. We give a detailed presentation of garbled circuits below. Fig. 3 illustrates the structure of garbled circuits. Suppose Alice and Bob are two participants of the protocol: Alice is the circuit creator, and Bob is the circuit evaluator. To evaluate the circuit, Alice inputs his value on the left side of each gate, while Bob inputs his value on the right side of each gate. In a non-garbled circuit, either "0" or "1" would be used as input; in garbled circuits, the inputs of "0" and "1" have been garbled and and there is a mapping from each "0" or "1" to a pseudo-random looking string; to evaluate the circuit, the evaluator has to input the pseudo-random looking strings that represent either "0s" or "1s". The detailed steps of evaluating garbled circuits are as follows.  computing a specified function f , and maps "0s" and "1s" to pseudorandom looking strings, as shown in Fig. 4. For example, for a simple AND gate, Alice's input for "0" is mapped to "k 0x ", and Alice's input for "1" is mapped to "k 1x ". In the same way, Bob's input for "0" is mapped to "k 0y ", and Bob's input for "1" is mapped to "k 1y ". Therefore, to input "0" for Alice, the circuit evaluator needs to input "k 0x " instead of "0". The output of the AND gate is also garbled, and the output is produced according to the truth table, e,g, "k 0z " is mapped to "0" and "k 1z " is mapped to 1. (b) Alice then encrypt the outputs of the gate twice using the pseudo-random string as the symmetric encryption key, and obtains four values: α, β, θ, and γ. Alice then sends the garbled circuits along with the four values to Bob. Note that Bob is not aware of how to evaluate the circuit at this moment, because the mapping is hidden from him. (c) After receiving the gabled circuit, Bob starts to evaluate the circuits. To do this, Bob has to get the mapping from Alice. Specifically, Bob needs two inputs: Alice's input and his own input. To get Alice's input is very simple, as he could just ask Alice to send him the garbled value of Alice. For example, if Alice would like to input "0", she could send "k 0x " to Bob, and Bob will not be aware of the true value of "k 0x " is "0" or "1". To get Bob's input, Bob needs to get the mapping from Alice without letting Alice know what Bob gets from her. To do this, Bob has to run an Oblivious transfer Protocol. A simple 1-out-of-n oblivious transfer protocol is defined in the following way: Definition 4.2. A sender inputs a string x 0 , x 1 , · · · , x n , and a receiver inputs one bit σ ∈ (0, 1, · · · , n). After the execution of the protocol, the receiver outputs x σ while the sender has no output.
Through the oblivious transfer, Bob could successfully gets his inputs from Alice. Take one gate for example, if Bob would like to input "1", he could run oblivious transfer and obtains "k 1y " from Alice, while Alice does not know Bob asks for the mapping of "1" or "0". After that, Bob has both his and Alice's input to evaluate a gate. Bob needs to run oblivious transfer for each gate that he has an input, and he is able to get all the necessary inputs for each gate. Then Bob is able to evaluate the whole circuit. (d) For each gate, Bob would get two inputs from Alice, e.g. "k 0x " and "k 1y ", and he tries to decryp α, β, θ and γ using "k 0x " and "k 1y " as the keys. If "k 0z " and "k 1z " are carefully encrypted with padding, e.g. they are encrypted after padded with a sequence of "0s", then the decryption with correct keys would be rather obvious to Bob. Hence, Bob is able to know that "k 0x " and "k 1y " are the right keys for "β", not for "α","θ", or"γ". Hence, Bob successfully obtains"k 0z " and uses it as the input of the next gate. (e) Bob will continue the process until he reaches the output wires of the entire circuit. Then Bob will tell Alice the garbled output value, and Alice will tell Bob if it represents 1 or 0. Yao's garbled circuit protocol is quite efficient and no private information is leaked. However, it only supports two parties, and the protocol is not fair for the participants: The circuits creator always knows the final result before the circuits evaluator, and he could maliciously choose not to tell the true result to the evaluator.

Multi-party Protocol
A multi-party protocol (MPC) MPCs are generally built in two ways: garbled circuits and secret sharing. Oblivious transfer, homomorphic encryption, and zero-knowledge proof and are major tools in implementing the MPC protocols. We have showed how to build a verifiable secret sharing scheme based on Shamir's scheme, which is an example to build multi-party computation protocol. One interesting research building MPC protocol comes from Andrychowicz et al. [6], who proposed to utilize bitcoin as a platform for multy-party computation. The authors illustrated how to utilize bitcoin's structure to build a secure lottery scheme and incentivize users to take part in computations without the involvement of a trusted third party. This work is distinctively from other work focusing on secret sharing, and opens a new research direction towards building secure MPC protocols with cryptocurrency.
Tab. 2 presents the implementations of MPC. The projects of these MPC could be found online. Readers could refer to each protocol for details.  [58] Boolean Circuits Two-Party SPDZ [23] Arithmetic Circuits Two-Party MASCOT [47] Arithmetic Circuits Two-Party Tasty [40] Boolean & Arithmetic Circuits Two-Party Sharemind [14] Boolean Circuits Three-Party FairPlayMP [8] Boolean Circuits Two or More VIFF [22] Arithmetic Circuits Two or More 5. Zero-knowledge proof. A zero-knowledge proof protocol (ZKP) [26] is a protocol with proof of statement that reveals nothing but the veracity of the statement. In a ZKP, there is a prover and a verifier, where the prover needs to prove to the verifier that he knows some secret without exposing the secret. Generally, ZKP are classified as Interactive ZKP [35] and Non-interactive ZKP [69].
1. Interactive ZKP Interactive ZKP requires interactions between the verifier and prover. An interactive input from the verifier is called a challenge. Through responses to the challenges, the prover could prove to the verifier that he knows a secret, without exposing the secret to the verifier. A classic example of ZKP is as shown in Fig. 5. In this scenario, there is a door inside the cave, and Peggy (the woman) claims that she knows a magic word to open the door inside the cave. Now Peggy would like to prove to Victor (the man) that she indeed knows the magic word without telling Peggy the word. In this scenario Victor is the verifier and Peggy is the prover. A solution protocol will run in one way that after some interactions between Peggy and Victor, Victor will accept the fact that Peggy knows the magic word or not.
A simple protocol run in the following way [67]. Victor (Verifier) stands outside the cave while Peggy (Prover) enters the cave. Peggy has two ways to go, either A or B, while Victor does not see it. Then Victor will enter the cave and announces that he wants Peggy to show up at either A or B. Since the decisions of Victor and Peggy are independent, Peggy will only have fifty percent of chance to come to the right place followed by Peggy's order, if she does not have the magic word to open the door. If Peggy does know the magic word, then she will definitely be able to show up at the right place. Suppose that this process is repeated for n times, then the chance that Peggy always shows up at the right place is 2 n . When n becomes large, the probability becomes rather small. Therefore, if the process is repeated form many times while Peggy always successfully fulfills Victor's requests, then it is very provable that Peggy really knows the magic word to open the door.
Based on different applications, there could be various designs of ZKPs. ZKPs are widely adopted in electronic voting systems where the voters need to prove to the voting authority that the encrypted votes are generated in the right form (e.g. contains either 1 or 0 and each candidate only appear once). Different designs are needed for different secret/credential, but generally a ZKP need to fulfill the following three requirements: = g r mod q; if (x + r)mod q is requested and received from Peggy, Victor computes C ·y ? = g x+r mod q. If after enough rounds of executions, the challenge validation is always successful, then Victor is convinced that Peggy knows the value of x.
In this protocol, if Peggy knows the secret x, he could definitely send the correct value of r or (x + r)mod q to Victor. If Peggy does not know x, he will be able to send the correct value of r or (x + r)mod q with 50 percent of probability respectively. To understand this clearly, the two possible conditions are illustrated here if Peggy does not know the secret of x: 1) In the preparation stage of the protocol, Peggy honestly sends the value of C = g r to Victor, then he will not be able to know the value of x + r because he does not know x. 2) In the preparation stage of the protocol, Peggy randomly picks a value r , computes C = g r · (g x ) −1 , and sends C to Peggy. In this way, if Victor requests the value of (x + r)mod q, Peggy could cheat Victor by sending the value of r instead of (x + r)mod q, and pass the validation, as g r · (g x ) −1 · y = g r mod q. However, if Victor requests the value of r, then Victor is not able to pass the validation.
(a) Completeness: Schnorr's protocol is complete as the verifier is convinced that the prover has the secret x such that g x = y. The reason is that if the verifier does not has the secret x, then in each round he only has 50 percent of probability to pass the challenge validation. If the verifier repeats the challenge for many times, then the chance for the verifier to give the correct values is very low. (b) Soundess: Schnorr's protocol is sound because if the prover does not know x, he will not be able to convince the verifier in repeated challenges. (c) Zero-knowledge: Schnorr's protocol maintains the property of zeroknowledge because the verifier does not obtain any knowledge of the secret x. 2. Non-Interactive ZKP: Compared to interactive ZKP, there are no interactions between the verifier and the prover in the non-interactive ZKP. One general model of non-interactive ZKP consists of a prover, a verifier and a uniformly selected random string [13]. The string is selected by a trusted party who associate in constructing the protocol. If the prover and verifier share this common random string, the prover can non-interactively and yet zero-knowledge convince the verifier the validity of a theorem that he may discover. In this model, the only"interaction" is the transfer of a message from the prover to the verifier, and the message is left with the final decision of accept of decline. Blum, Feldman and Micali were the first to propose non-interactive ZKP. It is proved by Oren et al. [33] that Non-interactive ZKP system only exists for Bounded-error Probabilistic (BPP) languages in the plain model. Noninteractive ZKP is useful in building cryptographic mechanisms, but there lacks practical applications as it is quite inefficient. Researchers have been making lots of effort improving efficiency of NIZK. In 2008, Groth et al. [38]shows how to obtain efficient NIZK proof by instantiating the proposed GS proof (Groth-Sahai) according to different application background. Two years later, Groth et al. makes further improvement based on GS proof framework to reduce computational cost of NIZK protocol [36,37]. 6. Applications. Cryptographic primitives are very useful in building real applications. Particularly, cloud-based applications benefits highly from the mechanisms we introduced in this paper. Recent development of internet of things (IoT) [78,52,54,53,20,87,56,86] also demonstrates high demand of the deployment of cryptographic mechanisms. For example, in a smart grid system, the smart meters send fine-grained data to the server for data aggregation, and the fine-grained data expose the private information of the users, such as the daily routines. In order to protect user's privacy while maintaining the service, cryptographic methods are powerful and effective methods as a solution. Security and privacy in social networks is another area that has attracked tremendous attention in recent years [50,41,19,87,39,88]. In social network, each user has a personal profile that should be kept secret. However, some powerful and necessary functions in social networks, such as friend matching, expose users' profile while computing the match of users' intersts. Therefore, privacy-preserving methods are in need to protect user's privacy while enabling popular features in social network.
We give a concrete example of Homomorphic encryption in an auction scheme here. In a privacy-preserving auction scheme [49,48,55,42,51], a group of n bidders submit their bidding values b i to an auctioneer. The auctioneer needs to compute the sum of the bidding values without seeing each individual bidding value.
A generic protocol presented by Fig. 6 could be constructed on Paillier encryption could be as follows: 1. A public key N for Paillier encryption is created and and publicized by an the auctioneer. 2. Each bidder encrypts its bidding value b i as c i and broadcasts c i : c i = Enc(b i ) = (1 + N ) bi · (r i ) N mod N 2 , where r i ∈ Z * N is uniformly chosen. 3. The evaluation of c i is computed as : c sum = n i−1 c i mod N 2 by a trusted authority that is not colluding with the auctioneer. 4. c i is given to the auctioneer who decrypts it to the sum of the bidder values: b sum = Dec(c sum ) = n i=1 b i mod N . Through the above protocol, the auctioneer is only able to decrypt the final result without seeing each bidder's bidding values. This prevent the auctioneer from manipulating the auction for his own good.
Auctioneer Server Bidders Figure 6. An Online Auction Scheme Model Another practical protocol could be built for privacy-preserving auctions schemes by making some changes in step 3: We could adopt a group of distributed servers to compute and decryp the messages from the bidders, instead of utilizing a trusted third party for collecting and computing the data. To do this, we need to take advantage of secret sharing scheme such that the key to decrypt the message from a bidder is shared with a group of servers. Note that it is necessary to have distributed servers, because a single server could simply dishonestly decrypt all messages from the bidders without utilizing the property of homomorphic encryption. In this protocol, all the servers should be at present to compute the collected data from the bidders. As long as there is one or more than one honest server, nobody is able to decrypt the the individual encrypted bids. Therefore, the privacy of bidders is preserved.
Another useful protocol in the auction protocol is the zero-knowledge proof. Note that all the bid values are encrypted, and there should be some way to check if the Here the auctioneer could act as the verifier, and the bidders act as the prover: the prover should prove to the verifier that the bid values are created and encrypted in a correct form.
We surveyed the recent reseach in privacy-preserving applications, and present the most cutting-edge research area that adopts the cryptographic primitives we introduced in Tab. 3.

7.
Conclusion. In this paper, we surveyed the most popular cryptgraphic mechanisms for privacy-preserving applications. In particular, we give a tutorial-like introduction to homomorphic encryption, secret sharing, secure multi-party computation and zero-knowledge proof. We present the definitions, state-of-art work, technique details and applications. We also give examples of how to apply these cryptographic mechanisms, and we hope our work advances researchers in studying applied cryptography.
8. Acknowledgment. This research was partially supported by the National Natural Science Foundation of China (61702062), the Natural Science Foundation of Chongqing, China (cstc2018jcyjAX0334), and Overseas Returnees Support Program for Innovation and Entrepreneurship of Chongqing (cx2018015).