Secure computing: computing on encrypted or private data

This is the companion OCaml code for Xavier Leroy's 2025 course at Collège de France, Secure computing: computing on encrypted or private data.

Libraries

• Weakly homomorphic encryption (lecture #2)

  • ElGamal's cipher: interface, implementation
  • Paillier's cipher: interface, implementation

• Somewhat homomorphic encryption (lecture #2)

  • The impractical integer-based SHE of van Dijk, Gentry, Halevy, Vaikuntanathan (2010): interface, implementation

• Secure multiparty computation (lectures #4, #5)

  • GMW sharing of Booleans, using OT for multiplication (Goldreich, Micali, Wigderson, 1987): interface, implementation
  • GMW sharing of Booleans, using Beaver triples for multiplication: interface, implementation
  • Shamir sharing of small integers: interface, implementation
  • Replicated 2-among-3 sharing of large integers: interface, implementation
  • Yao's garbled circuits: interface, implementation

• Oblivious transfer (lecture #5)

  • 1-out-of-2 OT of small integers: interface, implementation
  • 1-out-of-4 OT of Booleans: interface, implementation

• Zero-knowledge proofs (lecture #6)

  • Sigma protocols: interface, implementation

• Private set intersection (lecture #1)

  • Freedman, Nissim, Pinkas (2004): interface, implementation

• Oblivious RAM (lecture #7)

  • Goldreich-Ostrovsky "square root" ORAM: interface, implementation

• Auxiliary modules

  • Groups, modular arithmetic, elliptic curves, rings, polynomials: interface, implementation
  • Multi-party communication using MPI: interface, implementation

Demos

• Yao's millionaire problem: compare two secret integers

  • using somewhat homomorphic encryption: Millionaires_SHE [uses SHE]
  • using GMW sharing: Millionaires_GMW [uses GMW, OT4]
  • using GMW sharing + Beaver triples: Millionaires_Beaver [uses Beaver]
  • using Shamir sharing: Millionaires_Shamir [uses Shamir]
  • using Yao's garbled circuits: Millionaires_Yao [uses GarbledCircuits, OT]

• Counting electronic votes

  • without protection against ballot stuffing: Vote1 [uses Paillier]
  • using ZKP to prove that ballots are not stuffed: Vote2 [uses ElGamal, SigmaZKP]

• Private Set Intersection

  • see which poets you have in common with the server: Poets [uses PSI, Paillier]

• Threshold decryption

  • sharing a private key between three shareholders; any two can decrypt: Threshold [uses Replicated23, ElGamal]

• Oblivious RAM

  • crude visualization of ORAM (absence of) memory access patterns: ObliviousRAM [uses ORAM]

Building and running demos

• Installing dependencies: opam install --deps-only . (watch the final dot!)
• Building: make all
• Running a demo: ./<demo-name>.exe. This will print instructions on how to run the demo.

Disclaimer

This code is provided for learning purposes only and should not be used in any high-security application. It contains many insecurities such as keys too small (SHE), insufficient randomness (GarbledCircuits), insecure messaging (MultiParty), naive protocols (Vote2), and timing leaks (everywhere).

Licensing

All files copyright 2026 Xavier Leroy.

The files in lib/ are distributed under the terms of the GNU Lesser General Public License version 2.1 (LGPL 2.1) or, at your option, any later version of the LGPL, with the OCaml LGPL linking exception.

All other files are distributed under the terms of the GNU General Public License version 2 (GPL 2) or, at your option, any later version of the GPL.