This paper is from STOC 2012 and can be regarded as the first paper on multikey fully homomorphic encryption.
Abstract
We propose a new notion of secure multiparty computation aided by a computationally powerful but untrusted "cloud" server. In this notion, which we call on-the-fly multiparty computation (on-the-fly MPC), the cloud can non-interactively perform arbitrary, dynamically chosen computations on data belonging to arbitrary sets of users chosen on the fly. All users' input data and intermediate results are protected from snooping by the cloud as well as by other users. This extends the standard notion of fully homomorphic encryption (FHE), where users can only enlist the cloud's help in evaluating functions on their own encrypted data.
Our contributions are twofold.
- We show how to achieve on-the-fly MPC using a new type of encryption scheme that we call multikey FHE, which is capable of operating on inputs encrypted under multiple, unrelated keys. A ciphertext resulting from a multikey evaluation can be jointly decrypted using the secret keys of all the users involved in the computation.
- We construct a multikey FHE scheme based on NTRU.
Introduction
We are fast approaching a new digital era in which we store our data and perform expensive computations remotely on powerful servers, in popular parlance the "cloud". While the cloud offers many advantages in cost and functionality, it also raises serious confidentiality concerns, since data stored in the cloud may be vulnerable to snooping by the cloud provider or even by other cloud customers [RTSS09]. Since such data often contains sensitive information (personal conversations, medical records, organizational secrets), users encrypt it before storing it in the cloud. Recent advances in fully homomorphic encryption (FHE) [Gen09b, vDGHV10, BV11b, BV11a, GH11a, BGV12] make it possible to perform arbitrary computations on encrypted data, so that personal computers and mobile devices serve as trusted but weak interfaces to a powerful but untrusted cloud, with most of the computation carried out on the cloud side.
FHE only applies when the computation involves a single user, because it requires all inputs to be encrypted under the same key. In many situations, however, users upload their large data stores to the cloud in encrypted form and only later decide which computations to run on them. For example, they may want the cloud to compute joint statistics over their databases, find the documents common to their collections, run some computation on those documents to obtain a result (revealing nothing but the final result), or, in general, several (mutually distrusting) users may want to pool their data to compute a common target function.
The multiparty setting is considerably more complex and comes with a set of natural but stringent requirements. First, the parties involved in the computation and the function to be computed may be chosen dynamically, after the data has been encrypted and uploaded to the cloud. Second, once the function is chosen we should not expect the users to stay online, so the cloud must be able to carry out the bulk of the computation (on the encrypted data belonging to the participants) non-interactively, without consulting the participants at all. Finally, the computational burden should really fall on the cloud: the users' computation and communication complexity should depend only on the size of their own inputs and outputs, and should be independent of both the complexity of the function being computed and the total number of users in the system, both of which may be very large.
On-the-fly MPC: consider a setting with a large number of computationally weak users and one powerful cloud. An on-the-fly MPC protocol proceeds as follows.
- A large number of users each encrypt their data and upload it to the cloud, without knowing the identities or even the number of the other users in the system. The data is encrypted under the user's own public key and sent straight to the cloud (for example, as encrypted e-mail arriving in a cloud-hosted mailbox).
- The cloud decides to evaluate an arbitrary, dynamically chosen function on the data of an arbitrary, dynamically chosen subset of users. (The choice may be requested by some of the users, offered as a service that computes the function on the data of all parties meeting some criterion, made autonomously by the cloud provider in anticipation of demand, and so on.) The cloud performs this computation non-interactively, with no further help from the users. The result is still encrypted.
- The cloud and the subset of users whose data was used in the computation interact in a decryption phase. The users retroactively approve the choice of function and the choice of input data, and cooperate to decrypt the output.
NTRU encryption
Scheme
Parameters: the polynomial ring $R \stackrel{\text{def}}{=} \mathbb{Z}[x]/\langle x^n + 1\rangle$, where $n$ is a power of $2$; an odd prime $q$; and a $B$-bounded distribution $\chi$ over $R$ with $B \ll q$.
"$B$-bounded" means that every coefficient of a polynomial sampled from $\chi$ has magnitude less than $B$. $R_q \stackrel{\text{def}}{=} R/qR$, and $[\,\cdot\,]_q$ denotes reducing each coefficient of a polynomial modulo $q$ into $\{-\lfloor q/2\rfloor, \ldots, \lfloor q/2\rfloor\}$.
- Keygen$(1^\kappa)$: sample two small polynomials $f', g \leftarrow \chi$ and set $f \stackrel{\text{def}}{=} 2f' + 1$, so that $f \equiv 1 \pmod 2$. Compute the inverse $f^{-1}$ of $f$ in $R_q$ and set
$$\mathrm{sk} = f \quad\text{and}\quad \mathrm{pk} = h \stackrel{\text{def}}{=} [2gf^{-1}]_q$$
- Enc$(\mathrm{pk}, m)$: for $m \in \{0, 1\}$, sample small polynomials $s, e \leftarrow \chi$ and output $c = [hs + 2e + m]_q$.
- Dec$(\mathrm{sk}, c)$: compute $\mu = [fc]_q$ and output $\mu \pmod 2$.
Correctness
$[fc]_q = [2gs + 2fe + fm]_q$. Since $g, s, e$ are $B$-bounded, $f$ is $(2B+1)$-bounded and $B \ll q$, every coefficient of $2gs + 2fe + fm$ has magnitude below $q/2$, so the reduction modulo $q$ does not wrap. Because $f \equiv 1 \pmod 2$, we get $m = \mu \pmod 2$.
Multikey homomorphism
Let $c_1 = [h_1 s_1 + 2e_1 + m_1]_q$ and $c_2 = [h_2 s_2 + 2e_2 + m_2]_q$, where $h_1 = [2g_1 f_1^{-1}]_q$ and $h_2 = [2g_2 f_2^{-1}]_q$. Define $c_{add} \stackrel{\text{def}}{=} [c_1 + c_2]_q$ and $c_{mul} \stackrel{\text{def}}{=} [c_1 c_2]_q$. Both decrypt under the joint key $f_1 f_2$:
$$\begin{aligned} f_1 f_2 (c_1 + c_2) &= 2(f_1 f_2 e_1 + f_1 f_2 e_2 + f_2 g_1 s_1 + f_1 g_2 s_2) + f_1 f_2 (m_1 + m_2) \\ &= 2e_{\mathrm{add}} + f_1 f_2 (m_1 + m_2) \end{aligned}$$
$$\begin{aligned} f_1 f_2 (c_1 c_2) &= 2\big(2 g_1 g_2 s_1 s_2 + g_1 s_1 f_2 (2e_2 + m_2) + g_2 s_2 f_1 (2e_1 + m_1) + f_1 f_2 (e_1 m_2 + e_2 m_1 + 2 e_1 e_2)\big) + f_1 f_2 (m_1 m_2) \\ &= 2e_{\mathrm{mult}} + f_1 f_2 (m_1 m_2) \end{aligned}$$
Each operation introduces a moderate noise term, $e_{\mathrm{add}}$ or $e_{\mathrm{mult}}$; as long as the noise is kept under control, decryption remains correct.
Note that this form of homomorphism has a problem: if the $i$-th input of some outsourced function appears with degree $d_i$, the key needed for decryption is $\prod_{i=1}^{N} f_i^{d_i}$, which inevitably reveals the outsourced function to the decrypting party.
Hence, in practice, the relinearization technique of Brakerski11 is added, which lowers the exponent of each key in the decryption key from $d_i$ to $1$, i.e. to $\prod_{i=1}^{N} f_i$.
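The scheme and the multikey homomorphism above, as an added toy implementation that is not part of the original post or of the paper's code. It models $R_q$ with $n = 8$ and $q = 8380417$ (insecure toy values, chosen only so that the noise of one addition and one multiplication fits below $q/2$), models $\chi$ as uniform coefficients in $[-B, B]$ with $B = 1$, computes $f^{-1}$ in $R_q$ with the extended Euclidean algorithm, and checks that $c_1 + c_2$ and $c_1 c_2$ decrypt to XOR and AND under the joint key $f_1 f_2$. All function names and parameter values are my own choices, not the paper's.

```python
# Toy model of the NTRU-based multikey encryption described above (added illustration,
# not the paper's code).  R_q = Z_q[x]/(x^n + 1) with insecure toy parameters n = 8,
# q = 8380417, B = 1, chosen so that one multikey addition and one multikey product
# decrypt correctly under f_1 * f_2 with no relinearization.  chi = uniform on [-B, B].
import random

N_DEG, Q, B = 8, 8380417, 1   # ring degree n, odd prime modulus q, bound B of chi

def center(a, q=Q):
    """[.]_q on one coefficient: representative in {-floor(q/2), ..., floor(q/2)}."""
    a %= q
    return a - q if a > q // 2 else a

def add(a, b, q=Q):
    return [center(x + y, q) for x, y in zip(a, b)]

def mul(a, b, q=Q):
    """Negacyclic product in Z_q[x]/(x^n + 1): the x^n term wraps around as -1."""
    n, acc = len(a), [0] * len(a)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                acc[i + j] += ai * bj
            else:
                acc[i + j - n] -= ai * bj
    return [center(c, q) for c in acc]

def sample_small(rng, n=N_DEG, bound=B):
    """A B-bounded polynomial: every coefficient uniform in [-B, B]."""
    return [rng.randint(-bound, bound) for _ in range(n)]

def _trim(p):
    while len(p) > 1 and p[-1] == 0:
        p = p[:-1]
    return p

def _divmod(a, b, q):
    """Long division in F_q[x]; coefficient lists, lowest degree first."""
    a, b = _trim([x % q for x in a]), _trim([x % q for x in b])
    if len(a) < len(b):
        return [0], a
    inv_lead, quo = pow(b[-1], -1, q), [0] * (len(a) - len(b) + 1)
    for i in range(len(a) - len(b), -1, -1):
        quo[i] = a[i + len(b) - 1] * inv_lead % q
        for j, bj in enumerate(b):
            a[i + j] = (a[i + j] - quo[i] * bj) % q
    return quo, _trim(a[:len(b) - 1] or [0])

def invert(f, n=N_DEG, q=Q):
    """f^{-1} in R_q via extended Euclid on f and x^n + 1; None if f is not invertible."""
    r0, r1 = [1] + [0] * (n - 1) + [1], _trim([c % q for c in f])
    t0, t1 = [0], [1]                       # invariant: t_k * f = r_k  (mod x^n + 1)
    while any(r1):
        quo, rem = _divmod(r0, r1, q)
        t2 = t0 + [0] * max(0, len(quo) + len(t1) - 1 - len(t0))
        for i, x in enumerate(quo):         # t2 = t0 - quo * t1
            for j, y in enumerate(t1):
                t2[i + j] = (t2[i + j] - x * y) % q
        r0, r1, t0, t1 = r1, rem, t1, _trim(t2)
    if len(r0) != 1:                        # gcd of positive degree: f is a zero divisor
        return None
    inv_c = pow(r0[0], -1, q)
    return [center(c * inv_c, q) for c in (t0 + [0] * n)[:n]]

def keygen(rng):
    """f = 2f' + 1 (so f = 1 mod 2), h = [2 g f^{-1}]_q; returns (pk, sk) = (h, f)."""
    while True:
        f_prime, g = sample_small(rng), sample_small(rng)
        f = [2 * c for c in f_prime]
        f[0] += 1
        f_inv = invert(f)
        if f_inv is not None:
            return mul([2 * c for c in g], f_inv), f

def encrypt(h, m, rng):
    """c = [h s + 2 e + m]_q for one bit m."""
    s, e = sample_small(rng), sample_small(rng)
    c = add(mul(h, s), [2 * x for x in e])
    c[0] = center(c[0] + m)
    return c

def decrypt(secret_keys, c):
    """Multikey Dec: mu = [f_1 ... f_N c]_q; the message is the constant term of mu mod 2."""
    mu = c
    for f in secret_keys:
        mu = mul(f, mu)
    return mu[0] % 2

def multikey_demo(seed=2012):
    """Two parties, all four bit pairs: {(m1, m2): (Dec(c1), Dec(c1+c2), Dec(c1*c2))}."""
    rng = random.Random(seed)
    (h1, f1), (h2, f2) = keygen(rng), keygen(rng)
    out = {}
    for m1 in (0, 1):
        for m2 in (0, 1):
            c1, c2 = encrypt(h1, m1, rng), encrypt(h2, m2, rng)
            out[(m1, m2)] = (decrypt([f1], c1),               # single key f1
                             decrypt([f1, f2], add(c1, c2)),   # m1 XOR m2 under f1 f2
                             decrypt([f1, f2], mul(c1, c2)))   # m1 AND m2 under f1 f2
    return out
```

`multikey_demo()` returns, for every pair of input bits, the single-key decryption of $c_1$ and the joint decryptions of $c_1 + c_2$ and $c_1 c_2$ under $(f_1, f_2)$; the third value is where the toy $q$ matters, since $f_1 f_2 c_1 c_2$ carries the larger $e_{\mathrm{mult}}$ term and would wrap modulo a small $q$.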
Preliminary noise analysis
$g, s, e$ are bounded by $B$, and $f$ is bounded by $2B+1$. Then $[fc]_q$ is within $2nB^2(2nB+1)(2B+1)$; this is computed from Corollary 2.5.
Lemma 2.4. Let $n \in \mathbb{N}$, let $\phi(x) = x^n + 1$ and let $R = \mathbb{Z}[x]/\langle\phi(x)\rangle$. For any $s, t \in R$,
$$\|s \cdot t\| \leq \sqrt{n} \cdot \|s\| \cdot \|t\| \quad\text{and}\quad \|s \cdot t\|_\infty \leq n \cdot \|s\|_\infty \cdot \|t\|_\infty$$
Corollary 2.5. Let $n \in \mathbb{N}$, let $\phi(x) = x^n + 1$ and $R = \mathbb{Z}[x]/\langle\phi(x)\rangle$. Let $\chi$ be a $B$-bounded distribution over the ring $R$ and let $s_1, \ldots, s_k \leftarrow \chi$. Then $s \stackrel{\text{def}}{=} \prod_{i=1}^{k} s_i$ is $(n^{k-1} B^k)$-bounded.
Here I think the original paper has a mistake; after discussing it with my classmate Li, we feel the noise should be of size $2nB^2 + (2nB+1)(2B+1)$.
Security
The security of the (modified) NTRU encryption scheme rests on two assumptions: the RLWE assumption and the (decisional) small polynomial ratio (DSPR) assumption.
Definition 2.13 (The RLWE assumption). For all $\kappa \in \mathbb{N}$, let $\phi(x) = \phi_\kappa(x) \in \mathbb{Z}[x]$ be a polynomial of degree $n = n(\kappa)$, let $q = q(\kappa) \in \mathbb{Z}$ be an odd prime integer, let the ring $R \stackrel{\text{def}}{=} \mathbb{Z}[x]/\langle\phi(x)\rangle$ and $R_q \stackrel{\text{def}}{=} R/qR$, and let $\chi$ denote a distribution over the ring $R$.
The decisional ring LWE assumption $\mathrm{RLWE}_{\phi, q, \chi}$ states that for any $\ell = \operatorname{poly}(\kappa)$ it holds that
$$\{(a_i, a_i \cdot s + e_i)\}_{i \in [\ell]} \stackrel{c}{\approx} \{(a_i, u_i)\}_{i \in [\ell]}$$
where $s$ is sampled from the noise distribution $\chi$, the $a_i$ are uniform in $R_q$, the "error polynomials" $e_i$ are sampled from the error distribution $\chi$, and finally the ring elements $u_i$ are uniformly random over $R_q$.
Definition 2.14 (Decisional small polynomial ratio assumption). Let $\phi(x) \in \mathbb{Z}[x]$ be a polynomial of degree $n$, let $q \in \mathbb{Z}$ be a prime integer, and let $\chi$ denote a distribution over the ring $R \stackrel{\text{def}}{=} \mathbb{Z}[x]/\langle\phi(x)\rangle$. The (decisional) small polynomial ratio assumption $\mathrm{DSPR}_{\phi, q, \chi}$ says that it is hard to distinguish the following two distributions:
- a polynomial $h \stackrel{\text{def}}{=} [2gf^{-1}]_q$, where $f'$ and $g$ are sampled from the distribution $\chi$ (conditioned on $f \stackrel{\text{def}}{=} 2f' + 1$ being invertible over $R_q$) and $f^{-1}$ is the inverse of $f$ in $R_q$;
- a polynomial $u$ sampled uniformly at random over $R_q$.
The DSPR assumption is shown to be hard in [SS11b], and RLWE in [LPR10].
With the two assumptions, security is proved by a hybrid argument:
- By the DSPR assumption, the public key $h = [2gf^{-1}]_q$ is indistinguishable from a uniformly random $h$.
- By the RLWE assumption, the ciphertext $c^* = [hs + 2e + m]_q$ is then indistinguishable from $c^* = [u + m]_q$, where $u$ is chosen uniformly from $R_q$.
Multikey homomorphic encryption
Definition
Definition 3.1 (Multikey $\mathcal{C}$-homomorphic encryption). Let $\mathcal{C}$ be a class of circuits. A family $\{\mathcal{E}^{(N)} = (\text{Keygen}, \text{Enc}, \text{Dec}, \text{Eval})\}_{N > 0}$ of algorithms is multikey $\mathcal{C}$-homomorphic if for all integers $N > 0$, $\mathcal{E}^{(N)}$ has the following properties:
- $(\mathrm{pk}, \mathrm{sk}, \mathrm{ek}) \leftarrow \text{Keygen}(1^\kappa)$: for a security parameter $\kappa$, outputs a public key $\mathrm{pk}$, a secret key $\mathrm{sk}$ and a (public) evaluation key $\mathrm{ek}$.
- $c \leftarrow \text{Enc}(\mathrm{pk}, m)$: given a public key $\mathrm{pk}$ and a message $m$, outputs a ciphertext $c$.
- $m := \text{Dec}(\mathrm{sk}_1, \ldots, \mathrm{sk}_N, c)$: given $N$ secret keys $\mathrm{sk}_1, \ldots, \mathrm{sk}_N$ and a ciphertext $c$, outputs a message $m$.
- $c := \text{Eval}(C, (c_1, \mathrm{pk}_1, \mathrm{ek}_1), \ldots, (c_\ell, \mathrm{pk}_\ell, \mathrm{ek}_\ell))$: given (a description of) a boolean circuit $C$ along with $\ell$ tuples $(c_i, \mathrm{pk}_i, \mathrm{ek}_i)$, each comprising a ciphertext $c_i$, a public key $\mathrm{pk}_i$ and an evaluation key $\mathrm{ek}_i$, outputs a ciphertext $c$.
Correctness: let $c := \text{Eval}(C, (c_1, \mathrm{pk}_1, \mathrm{ek}_1), \ldots, (c_\ell, \mathrm{pk}_\ell, \mathrm{ek}_\ell))$. Then
$$\text{Dec}(\mathrm{sk}'_1, \ldots, \mathrm{sk}'_N, c) = C(m_1, \ldots, m_\ell)$$
Compactness: let $c := \text{Eval}(C, (c_1, \mathrm{pk}_1, \mathrm{ek}_1), \ldots, (c_\ell, \mathrm{pk}_\ell, \mathrm{ek}_\ell))$. There exists a polynomial $P$ such that $|c| \leq P(\kappa, N)$. In other words, the size of $c$ is independent of $\ell$ and $|C|$. Note, however, that the evaluated ciphertext is allowed to depend on the number of keys $N$.
Compactness guarantees that the ciphertext size is independent of the circuit depth and of the number of operations; in this paper's multikey scheme, however, the ciphertext size does depend on the number of parties.
Generic construction from FHE to MKHE
The paper argues that, for a constant number of parties, any FHE scheme can be turned directly into an MKHE scheme. The reasoning is as follows.
Define $\widetilde{\mathrm{Enc}}$ as bit-by-bit encryption of $x$:
$$\widetilde{\mathrm{Enc}}(\mathrm{pk}, x) \stackrel{\text{def}}{=} (\mathrm{Enc}(\mathrm{pk}, x[1]), \ldots, \mathrm{Enc}(\mathrm{pk}, x[|x|]))$$
For $k \in \mathbb{N}$, define onion encryption and decryption (writing $\mathrm{Enc}$ for $\widetilde{\mathrm{Enc}}$ from here on):
$$\begin{aligned} \mathrm{Enc}^*(\mathrm{pk}, x) &\stackrel{\text{def}}{=} \mathrm{Enc}(\mathrm{pk}, x) \\ \mathrm{Enc}^*(\mathrm{pk}_1, \ldots, \mathrm{pk}_k, x) &\stackrel{\text{def}}{=} \mathrm{Enc}^*(\mathrm{pk}_1, \ldots, \mathrm{pk}_{k-1}, \mathrm{Enc}(\mathrm{pk}_k, x)) \\ &= \mathrm{Enc}(\mathrm{pk}_1, \mathrm{Enc}(\mathrm{pk}_2, \ldots, \mathrm{Enc}(\mathrm{pk}_k, x))) \\ \mathrm{Dec}^*(\mathrm{sk}, x) &\stackrel{\text{def}}{=} \mathrm{Dec}(\mathrm{sk}, x) \\ \mathrm{Dec}^*(\mathrm{sk}_1, \ldots, \mathrm{sk}_k, x) &\stackrel{\text{def}}{=} \mathrm{Dec}^*(\mathrm{sk}_2, \ldots, \mathrm{sk}_k, \mathrm{Dec}(\mathrm{sk}_1, x)) \\ &= \mathrm{Dec}(\mathrm{sk}_k, \mathrm{Dec}(\mathrm{sk}_{k-1}, \ldots, \mathrm{Dec}(\mathrm{sk}_1, x))) \end{aligned}$$
Onion encryption has two properties:
- Correctness: $\mathrm{Dec}^*(\mathrm{sk}_1, \ldots, \mathrm{sk}_k, \mathrm{Enc}^*(\mathrm{pk}_1, \ldots, \mathrm{pk}_k, m)) = m$.
- Ciphertext expansion: if the encryption algorithm $\mathrm{Enc}$ produces ciphertexts of length $\lambda$, then the onion encryption $\mathrm{Enc}^*(\mathrm{pk}_1, \ldots, \mathrm{pk}_k, m)$ has ciphertext length $\lambda^k$.
Overview of the construction
Given a ciphertext $c_i \leftarrow \mathrm{Enc}(\mathrm{pk}_i, m_i)$, first build from $c_i$ an onion encryption $z_i$ of $m_i$ such that $z_i \approx \mathrm{Enc}^*(\mathrm{pk}_1, \ldots, \mathrm{pk}_N, m_i)$.
Concretely:
- Homomorphically evaluate the function $\mathrm{Enc}^*(\mathrm{pk}_{i+1}, \ldots, \mathrm{pk}_N, \cdot)$ on $c_i$ to obtain $\tilde{z}_i \approx \mathrm{Enc}^*(\mathrm{pk}_i, \ldots, \mathrm{pk}_N, m_i)$.
- Encrypt $\tilde{z}_i$ further to obtain $z_i = \mathrm{Enc}^*(\mathrm{pk}_1, \ldots, \mathrm{pk}_{i-1}, \tilde{z}_i)$.
Running this construction on every ciphertext $c_i$ yields $z_1, \ldots, z_N$; evaluating the circuit on $z_1, \ldots, z_N$ gives
$$c \approx \mathrm{Enc}^*(\mathrm{pk}_1, \ldots, \mathrm{pk}_N, C(m_1, \ldots, m_N))$$
and decryption finally gives
$$\mathrm{Dec}^*(\mathrm{sk}_1, \ldots, \mathrm{sk}_N, c) = C(m_1, \ldots, m_N)$$
The drawback of this construction is obvious: the ciphertext has size $\lambda^N$, and running the encryption algorithm homomorphically is very expensive. It therefore only supports the case $N = O(1)$.
Formal definition:
GMK: generic multikey construction
- GMK.Keygen$(1^\kappa)$: run Keygen$(1^\kappa)$.
- GMK.Enc$(\mathrm{pk}, m)$: run Enc$(\mathrm{pk}, m)$.
- GMK.Dec$(\mathrm{sk}_1, \ldots, \mathrm{sk}_N, c)$: output $\mathrm{Dec}^*(\mathrm{sk}_1, \ldots, \mathrm{sk}_N, c)$.
- GMK.Eval$(C, (c_1, \mathrm{pk}_1, \mathrm{ek}_1), \ldots, (c_N, \mathrm{pk}_N, \mathrm{ek}_N))$: for $i \in [N]$, define
$$G_i(x) \stackrel{\text{def}}{=} \mathrm{Enc}^*(\mathrm{pk}_{i+1}, \ldots, \mathrm{pk}_N, x; r)$$
for some fixed and valid randomness $r$, and recursively define
$$C^{(k)}(x_1, \ldots, x_N) \stackrel{\text{def}}{=} \begin{cases} C(x_1, \ldots, x_N) & \text{for } k = N \\ \text{Eval}(\mathrm{ek}_{k+1}, C^{(k+1)}, x_1, \ldots, x_N) & \text{for } k < N \end{cases}$$
For $i \in [N]$, compute
$$\widetilde{z}_i \stackrel{\text{def}}{=} \text{Eval}(\mathrm{ek}_i, G_i, c_i), \qquad z_i \stackrel{\text{def}}{=} \mathrm{Enc}^*(\mathrm{pk}_1, \ldots, \mathrm{pk}_{i-1}, \widetilde{z}_i)$$
and output the ciphertext $c \stackrel{\text{def}}{=} \text{Eval}(\mathrm{ek}_1, C^{(1)}, z_1, \ldots, z_N)$.
The MKHE construction for BV11-style schemes
In Brakerski11-style schemes, decryption is the inner product of two vectors, $\langle \mathbf{c}, \mathbf{s}\rangle \pmod 2$.
- Addition: given $\mathbf{c}_1, \mathbf{c}_2$ of the same length, define $\mathbf{c}_{add} \stackrel{\text{def}}{=} \mathbf{c}_1 + \mathbf{c}_2$. $\mathbf{c}_{add}$ decrypts under the key $\mathbf{s}$:
$$\langle \mathbf{c}_1 + \mathbf{c}_2, \mathbf{s}\rangle = \langle \mathbf{c}_1, \mathbf{s}\rangle + \langle \mathbf{c}_2, \mathbf{s}\rangle$$
- Multiplication: given $\mathbf{c}_1, \mathbf{c}_2$ of arbitrary lengths, define $\mathbf{c}_{mul} \stackrel{\text{def}}{=} \mathbf{c}_1 \otimes \mathbf{c}_2$. The ciphertext $\mathbf{c}_{mul}$ decrypts under the key $\mathbf{s} \otimes \mathbf{s}$:
$$\langle \mathbf{c}_1 \otimes \mathbf{c}_2, \mathbf{s} \otimes \mathbf{s}\rangle = \langle \mathbf{c}_1, \mathbf{s}\rangle \cdot \langle \mathbf{c}_2, \mathbf{s}\rangle$$
Building MKHE from a BV11-style scheme is therefore very simple. Let $\mathbf{c}_1, \mathbf{c}_2$ be ciphertexts encrypted under $\mathbf{s}_1$ and $\mathbf{s}_2$ respectively.
- Addition: $\langle (\mathbf{c}_1, \mathbf{c}_2), (\mathbf{s}_1, \mathbf{s}_2)\rangle = \langle \mathbf{c}_1, \mathbf{s}_1\rangle + \langle \mathbf{c}_2, \mathbf{s}_2\rangle$
- Multiplication: $\langle \mathbf{c}_1 \otimes \mathbf{c}_2, \mathbf{s}_1 \otimes \mathbf{s}_2\rangle = \langle \mathbf{c}_1, \mathbf{s}_1\rangle \cdot \langle \mathbf{c}_2, \mathbf{s}_2\rangle$
However, the paper does not show how to relinearize multikey ciphertexts, which means that every evaluation expands the ciphertext length twofold. The paper leaves relinearization of multikey RLWE-type schemes as an open problem; it was later solved in Chen Hao's 2019 paper.
The NTRU multikey fully homomorphic scheme
As noted earlier, the NTRU scheme naturally satisfies the multikey homomorphism property:
$$\begin{aligned} [f_1 f_2 (c_1 + c_2)]_q &= [2 f_1 f_2 e_1 + 2 f_1 f_2 e_2 + 2 f_2 g_1 s_1 + 2 f_1 g_2 s_2 + f_1 f_2 (m_1 + m_2)]_q \\ &= m_1 + m_2 \pmod 2 \\ [f_1 f_2 (c_1 \cdot c_2)]_q &= [4 g_1 g_2 s_1 s_2 + 2 g_1 s_1 f_2 (2 e_2 + m_2) + 2 g_2 s_2 f_1 (2 e_1 + m_1) + 2 f_1 f_2 (e_1 m_2 + e_2 m_1 + 2 e_1 e_2) + f_1 f_2 (m_1 m_2)]_q \\ &= m_1 \cdot m_2 \pmod 2 \end{aligned}$$
But it also has a problem. Consider two ciphertexts $c = c_1 c_2$ and $c' = c_2 c_3$.
For the sum of the two ciphertexts,
$$[f_1 f_2 f_3 \cdot (c + c')]_q = [f_3 (f_1 f_2 \cdot c) + f_1 (f_2 f_3 \cdot c')]_q = 2(f_3 e + f_1 e') + f_1 f_2 f_3 (m + m')$$
decryption works with the key $f_1 f_2 f_3$. For the product, however,
$$[f_1 f_2^2 f_3 \cdot (c \cdot c')]_q = [(f_1 f_2 \cdot c) \cdot (f_2 f_3 \cdot c')]_q = 2E_{\mathrm{mult}} + f_1 f_2^2 f_3 (m \cdot m')$$
the key $f_1 f_2^2 f_3$ is needed. In other words, the size of the decryption key grows linearly with the number of multiplications performed. A relinearization technique is therefore needed, turning every ciphertext that would need $f_i^2$ for decryption into one that needs only $f_i$.
Formal definition
- SH.Keygen$(1^\kappa)$: sample $f', g \leftarrow \chi$ and set $f := 2f' + 1$ so that $f \equiv 1 \pmod 2$. If $f$ is not invertible in $R_q$, resample $f'$; otherwise let $f^{-1}$ be the inverse of $f$ in $R_q$. Set
$$\mathrm{pk} \stackrel{\text{def}}{=} h := [2gf^{-1}]_q \in R_q, \qquad \mathrm{sk} \stackrel{\text{def}}{=} f \in R$$
Sample $\widetilde{\mathbf{s}}, \widetilde{\mathbf{e}} \leftarrow \chi^{\lceil \log q\rceil}$ and compute $\mathrm{ek} \stackrel{\text{def}}{=} [h\widetilde{\mathbf{s}} + 2\widetilde{\mathbf{e}} + \mathrm{Pow}(f)]_q \in R_q^{\lceil \log q\rceil}$. Output the key tuple $(\mathrm{pk}, \mathrm{sk}, \mathrm{ek})$.
- SH.Enc$(\mathrm{pk}, m)$: sample $s, e \leftarrow \chi$. Output the ciphertext $c := hs + 2e + m \in R_q$.
- SH.Dec$(\mathrm{sk}_1, \ldots, \mathrm{sk}_N, c)$: parse $\mathrm{sk}_i = f_i$ for $i \in [N]$. Compute $\mu = [f_1 \cdots f_N \cdot c]_q \in R_q$ and output $m := \mu \pmod 2$.
- SH.Eval$(C, (c_1, \mathrm{pk}_1, \mathrm{ek}_1), \ldots, (c_\ell, \mathrm{pk}_\ell, \mathrm{ek}_\ell))$: evaluate a boolean circuit $C : \{0, 1\}^\ell \rightarrow \{0, 1\}$ of depth $D$ on the $\ell$ inputs. The following shows how to perform homomorphic addition and multiplication on two inputs over $\{0, 1\}$.
- Given two ciphertexts $c, c'$ whose corresponding public-key sets are $K, K'$, addition is
$$c_{\mathrm{add}} = [c + c']_q \in R_q$$
and the public-key set of the output ciphertext is $K_{\mathrm{add}} = K \cup K'$.
- Given two ciphertexts $c, c'$ whose corresponding public-key sets are $K, K'$, multiplication proceeds as follows. First compute $c_0 = [c \cdot c']_q \in R_q$.
  - If $K \cap K' = \emptyset$, let $c_{\mathrm{mult}} = c_0$.
  - Otherwise, let $K \cap K' = \{\mathrm{pk}_{i_1}, \ldots, \mathrm{pk}_{i_t}\}$. For $j \in [t]$, compute $c_j = [\langle \mathrm{Bit}(c_{j-1}), \mathrm{ek}_{i_j}\rangle]_q$, and let $c_{\mathrm{mult}} = c_t$ at the end of the iteration.
Notation for key products: for $S \subseteq [N]$, $f_S \stackrel{\text{def}}{=} \prod_{i \in S} f_i$. Note that $c_0$ is a ciphertext whose decryption key is $f_K f_{K'}$; the goal is to turn it into a ciphertext whose decryption key is $f_{K \cup K'}$, where
$$f_K f_{K'} \Big(\prod_{j \in K \cap K'} f_j\Big)^{-1} = f_{K \cup K'}$$
This amounts to replacing $f_{i_1}^2 \cdots f_{i_t}^2$ in the key by $f_{i_1} \cdots f_{i_t}$.
Noise analysis and correctness
The main case to consider is multiplication. Let $K \cap K' = \{i_1, \ldots, i_t\}$, define $F_0 \stackrel{\text{def}}{=} f_K f_{K'}$, and for $j \in [t]$ define $F_j = F_{j-1} \cdot f_{i_j}^{-1}$, so that $F_t = f_{K \cup K'}$.
First, for $c_0$ we have
$$[F_0 \cdot c_0]_q = [(f_K \cdot c)(f_{K'} \cdot c')]_q = (2e + m)(2e' + m')$$
For $c_j = [\langle \mathrm{Bit}(c_{j-1}), \mathrm{ek}_{i_j}\rangle]_q$, using $\langle \mathrm{Bit}(c_{j-1}), \mathrm{Pow}(f_{i_j})\rangle = c_{j-1} f_{i_j}$ and $h_{i_j} = 2 g_{i_j} f_{i_j}^{-1}$,
$$\begin{aligned} [F_j \cdot c_j]_q &= [F_j \cdot \langle \mathrm{Bit}(c_{j-1}), h_{i_j}\widetilde{\mathbf{s}} + 2\widetilde{\mathbf{e}} + \mathrm{Pow}(f_{i_j})\rangle]_q \\ &= [F_j \cdot \langle \mathrm{Bit}(c_{j-1}), h_{i_j}\widetilde{\mathbf{s}}\rangle + F_j \cdot \langle \mathrm{Bit}(c_{j-1}), 2\widetilde{\mathbf{e}}\rangle + F_j c_{j-1} f_{i_j}]_q \\ &= F_j f_{i_j}^{-1} \cdot \langle \mathrm{Bit}(c_{j-1}), 2 g_{i_j}\widetilde{\mathbf{s}}\rangle + F_j \cdot \langle \mathrm{Bit}(c_{j-1}), 2\widetilde{\mathbf{e}}\rangle + F_{j-1} c_{j-1} \end{aligned}$$
We conclude that
$$[F_j \cdot c_j]_q = [F_0 \cdot c_0]_q + e_{\mathrm{mult}}$$
where $e_{\mathrm{mult}} \leq (nB)^{2N} E^2$; how this noise bound is derived is omitted here, and only the conclusion is used.
Here $E$ is the initial noise, which, as mentioned earlier, satisfies $E \leq 3(nB)^2$. Hence, for a circuit of depth $D$, the noise of the NTRU scheme is
$$\big((nB)^{2N} E\big)^{2^D} \leq (3nB)^{2^D \cdot (2N+2)}$$
So the circuit depth supported by the NTRU scheme is $D < \log\log q - \log\log n - \log N - O(1)$; taking $B = \operatorname{poly}(n)$, $N = O(n^\delta)$ and $q = 2^{n^\varepsilon}$, the depth is $D < (\varepsilon - \delta)\log n - \log\log n - O(1)$.
From somewhat to fully homomorphic
In general, turning a somewhat homomorphic scheme into an FHE scheme still requires the bootstrapping technique proposed by Gentry09. The idea is to evaluate the decryption circuit homomorphically.
In the original FHE definition [BV11], bootstrapping is defined as follows:
Definition 3.7 (bootstrappable encryption scheme). Let $\mathrm{HE}$ be $\mathcal{C}$-homomorphic, and let $f_{\mathrm{add}}$ and $f_{\mathrm{mult}}$ be the augmented decryption functions of the scheme, defined as
$$f_{\mathrm{add}}^{c_1, c_2}(s) = \mathrm{HE.Dec}_s(c_1)\ \mathrm{XOR}\ \mathrm{HE.Dec}_s(c_2)$$
and
$$f_{\mathrm{mult}}^{c_1, c_2}(s) = \mathrm{HE.Dec}_s(c_1)\ \mathrm{AND}\ \mathrm{HE.Dec}_s(c_2),$$
where $c_1, c_2$ are either properly encrypted ciphertexts of the scheme, or outputs of the homomorphic evaluation function applied to such. Then $\mathcal{E}$ is bootstrappable if
$$\{f_{\mathrm{add}}^{c_1, c_2}, f_{\mathrm{mult}}^{c_1, c_2}\}_{c_1, c_2} \subseteq \mathcal{C}$$
This paper extends the definition to the MKHE setting as follows:
Definition 3.3 (Multikey bootstrappable schemes). Let $\mathcal{E} = \{\mathcal{E}^{(N)} = (\text{Keygen}, \text{Enc}, \text{Dec}, \text{Eval})\}_{N > 0}$ be a family of multikey $\mathcal{C}$-homomorphic encryption schemes, and let $f_{\mathrm{add}}$ and $f_{\mathrm{mult}}$ be the augmented decryption functions of the scheme, defined as
$$\begin{aligned} f_{\mathrm{add}}^{c_1, c_2}(\mathrm{sk}_1, \ldots, \mathrm{sk}_N) &= \text{Dec}(\mathrm{sk}_1, \ldots, \mathrm{sk}_N, c_1)\ \mathrm{XOR}\ \text{Dec}(\mathrm{sk}_1, \ldots, \mathrm{sk}_N, c_2) \\ f_{\mathrm{mult}}^{c_1, c_2}(\mathrm{sk}_1, \ldots, \mathrm{sk}_N) &= \text{Dec}(\mathrm{sk}_1, \ldots, \mathrm{sk}_N, c_1)\ \mathrm{AND}\ \text{Dec}(\mathrm{sk}_1, \ldots, \mathrm{sk}_N, c_2) \end{aligned}$$
Then $\mathcal{E}$ is bootstrappable if $\{f_{\mathrm{add}}^{c_1, c_2}, f_{\mathrm{mult}}^{c_1, c_2}\}_{c_1, c_2} \subseteq \mathcal{C}$. Namely, the scheme can homomorphically evaluate $f_{\mathrm{add}}$ and $f_{\mathrm{mult}}$.
However, this paper's NTRU MKHE scheme cannot apply bootstrapping directly, because the multikey decryption circuit has depth $c \log N \log n$ with $c > 1$, while by the noise analysis above the circuit depth supported by the MKHE scheme is only $\varepsilon \log n$ with $\varepsilon < 1$. A way to increase the supported depth is therefore needed, and the modulus reduction technique of [BGV12] is used for this.
Modulus reduction
For $p < q$, turn a ciphertext $c \in R_q$ into $c' \in R_p$ such that
$$[fc']_p = [fc]_q \pmod 2$$
Concretely, take $c'$ to be the element of $R_p$ closest to $(p/q) \cdot c$ subject to $c' \equiv c \pmod 2$. This scales the noise in the ciphertext from $B$ to roughly $B \cdot (p/q)$.
With such a modulus reduction mechanism, for a circuit of depth $D$ we can choose a decreasing chain of moduli $q_0, \ldots, q_D$ and reduce the modulus once after every multiplication. As long as $D > D_{dec}$ (the depth of the decryption circuit), bootstrapping becomes possible.
A leveled multikey fully homomorphic scheme is obtained by combining modulus reduction with relinearization:
- The scheme takes an extra parameter $D$, the depth of the circuit to be evaluated homomorphically, and generates a decreasing chain of moduli $q_0, \ldots, q_D$, one per level, according to that depth.
- In the original scheme the public key is $h = 2gf^{-1}$ and the secret key is $f$. Extending it to a $D$-level fully homomorphic scheme requires distinct public/secret key pairs $(h^{(d)}, f^{(d)})$ for $d \in \{0, \ldots, D\}$: fresh ciphertexts are encrypted under the public key $\mathrm{pk} \stackrel{\text{def}}{=} h^{(0)}$, and a level-$d$ ciphertext is decrypted with the secret key $\mathrm{sk}^{(d)} \stackrel{\text{def}}{=} f^{(d)}$.
- Relinearization now not only turns $f^2$ terms into $f$ but also performs modulus reduction at the same time; that is, it changes the decryption key from $(f^{(d-1)})^2$ to $f^{(d)}$.
Scheme construction:
- LH.Keygen$(1^\kappa)$: For every $i\in\{0,\ldots,D\}$, sample $g^{(i)},u^{(i)}\leftarrow\chi$ and set $f^{(i)}:=2u^{(i)}+1$ so that $f^{(i)}\equiv 1 \pmod 2$. If $f^{(i)}$ is not invertible in $R_{q_i}$, resample $u^{(i)}$; otherwise, let $(f^{(i)})^{-1}$ be the inverse of $f^{(i)}$ in $R_{q_i}$. Let $h^{(i)}\stackrel{\text{def}}{=}[2g^{(i)}(f^{(i)})^{-1}]_{q_i}\in R_{q_i}$, and set
  $$\mathrm{pk}\stackrel{\text{def}}{=}h^{(0)}\in R_{q_0},\qquad \mathrm{sk}\stackrel{\text{def}}{=}f^{(D)}\in R_{q_D}$$
  For all $i\in[D]$, sample $\widetilde{\mathbf{s}}_\gamma^{(i)},\widetilde{\mathbf{e}}_\gamma^{(i)},\widetilde{\mathbf{s}}_\zeta^{(i)},\widetilde{\mathbf{e}}_\zeta^{(i)}\leftarrow\chi^{\lceil\log q_i\rceil}$ and compute
  $$\begin{array}{l} \gamma^{(i)}:=\left[h^{(i)}\widetilde{\mathbf{s}}_\gamma^{(i)}+2\widetilde{\mathbf{e}}_\gamma^{(i)}+\operatorname{Pow}\left(f^{(i-1)}\right)\right]_{q_i}\in R_{q_i}^{\lceil\log q_i\rceil} \\ \zeta^{(i)}:=\left[h^{(i)}\widetilde{\mathbf{s}}_\zeta^{(i)}+2\widetilde{\mathbf{e}}_\zeta^{(i)}+\operatorname{Pow}\left(\left(f^{(i-1)}\right)^2\right)\right]_{q_i}\in R_{q_i}^{\lceil\log q_i\rceil} \end{array}$$
  Set $\mathrm{ek}\stackrel{\text{def}}{=}\{\gamma^{(i)},\zeta^{(i)}\}_{i\in[D]}$, and output the key tuple $(\mathrm{pk},\mathrm{sk},\mathrm{ek})$.
- LH.Enc$(\mathrm{pk},m)$: Sample $s,e\leftarrow\chi$. Output the ciphertext $c:=[hs+2e+m]_{q_0}\in R_{q_0}$, where $h=\mathrm{pk}=h^{(0)}$.
- LH.Dec$(\mathrm{sk}_1,\ldots,\mathrm{sk}_N,c)$: Assume w.l.o.g. that $c\in R_{q_D}$. Parse $\mathrm{sk}_i=f_i$ for $i\in[N]$. Let $\mu:=[f_1\cdots f_N\cdot c]_{q_D}\in R_{q_D}$. Output $m':=\mu \pmod 2$.
- LH.Eval$(C,(c_1,\mathrm{pk}_1,\mathrm{ek}_1),\ldots,(c_\ell,\mathrm{pk}_\ell,\mathrm{ek}_\ell))$:
  - Addition: Given two ciphertexts $c,c'\in R_{q_d}$ with corresponding public-key sets $K,K'$, compute $c_0=[c+c']_{q_d}\in R_{q_d}$ and let $K\cup K'=\{\mathrm{pk}_{i_1},\ldots,\mathrm{pk}_{i_t}\}$. For $j=1,\ldots,t$, parse $\mathrm{ek}_{i_j}=\{\gamma_{i_j}^{(\delta)},\zeta_{i_j}^{(\delta)}\}_{\delta\in[D]}$ and compute
    $$c_j=\left[\left\langle\operatorname{Bit}(c_{j-1}),\gamma_{i_j}^{(d)}\right\rangle\right]_{q_d}\in R_{q_d}$$
    Finally, reduce the modulus: let $c_{\text{add}}$ be the integer vector closest to $(q_{d+1}/q_d)\cdot c_t$ such that $c_{\text{add}}\equiv c_t \pmod 2$. Output $c_{\text{add}}\in R_{q_{d+1}}$ as an encryption of the sum of the underlying messages, and output the set $K_{\text{add}}\stackrel{\text{def}}{=}K\cup K'$ as its corresponding public-key set.
  - Multiplication: Given two ciphertexts $c,c'\in R_{q_d}$ with corresponding public-key sets $K,K'$, compute $c_0=[c\cdot c']_{q_d}\in R_{q_d}$ and let $K\cup K'=\{\mathrm{pk}_{i_1},\ldots,\mathrm{pk}_{i_t}\}$. For $j=1,\ldots,t$, parse $\mathrm{ek}_{i_j}=\{\gamma_{i_j}^{(\delta)},\zeta_{i_j}^{(\delta)}\}_{\delta\in[D]}$ and compute $c_j$ as follows:
    * If $\mathrm{pk}_{i_j}\in K\cap K'$, let
      $$c_j=\left[\left\langle\operatorname{Bit}(c_{j-1}),\gamma_{i_j}^{(d)}\right\rangle\right]_{q_d}\in R_{q_d}$$
      Otherwise, let
      $$c_j=\left[\left\langle\operatorname{Bit}(c_{j-1}),\zeta_{i_j}^{(d)}\right\rangle\right]_{q_d}\in R_{q_d}$$
    Finally, reduce the modulus: let $c_{\text{mult}}$ be the integer vector closest to $(q_{d+1}/q_d)\cdot c_t$ such that $c_{\text{mult}}\equiv c_t \pmod 2$. Output $c_{\text{mult}}\in R_{q_{d+1}}$ as an encryption of the product of the underlying messages, and output the set $K_{\text{mult}}\stackrel{\text{def}}{=}K\cup K'$ as its corresponding public-key set.
This scheme satisfies the following property:
Lemma 3.6. Let $\chi$ be a $B$-bounded distribution for $B=\operatorname{poly}(n)$, let $q_0=2^{n^\varepsilon}$ for $\varepsilon\in(0,1)$, and for $d\in[D]$ let $q_{d-1}/q_d=8n(nB)^{2N+2}$. Then the encryption scheme $\mathcal{E}_{\mathrm{LH}}=($LH.Keygen, LH.Enc, LH.Dec, LH.Eval$)$ described above is multikey homomorphic for $N$ keys and circuits of depth $D$ as long as $ND=O(n^\varepsilon/\log n)$.
The proof is omitted. Lemma 3.6 also shows that the supported depth $D$ can be increased by increasing $n$.
Constructing on-the-fly MPC from MKHE
Basic construction
Let $\{\mathcal{E}^{(N)}=(\text{Keygen},\text{Enc},\text{Dec},\text{Eval})\}_{N>0}$ be a multikey fully homomorphic family of encryption schemes. The following construction is an on-the-fly MPC protocol secure against semi-malicious adversaries. The protocol is defined as follows:
Step 1: For $i\in[U]$, party $P_i$ samples a key tuple $(\mathrm{pk}_i,\mathrm{sk}_i,\mathrm{ek}_i)\leftarrow\text{Keygen}(1^\kappa)$ and encrypts its input $x_i$ under $\mathrm{pk}_i$: $c_i\leftarrow\operatorname{Enc}(\mathrm{pk}_i,x_i)$. It sends $(\mathrm{pk}_i,\mathrm{ek}_i,c_i)$ to the server $S$.
At this point a function $F$, represented as a circuit $C$, has been selected on inputs $\{x_i\}_{i\in V}$ for some $V\subseteq U$. Let $N=|V|$. For ease of notation, assume w.l.o.g. that $V=[N]$. The parties proceed as follows.
Step 2: The server $S$ computes $c:=\operatorname{Eval}(C,(c_1,\mathrm{pk}_1,\mathrm{ek}_1),\ldots,(c_N,\mathrm{pk}_N,\mathrm{ek}_N))$ and broadcasts $c$ to the parties $P_1,\ldots,P_N$.
Step 3: The parties $P_1,\ldots,P_N$ run a secure MPC protocol $\Pi_{\mathrm{DEC}}^{\mathrm{SM}}$ to compute the function $g_c(\mathrm{sk}_1,\ldots,\mathrm{sk}_N)\stackrel{\text{def}}{=}\operatorname{Dec}(\mathrm{sk}_1,\ldots,\mathrm{sk}_N,c)$.
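The following Python model is added here as an illustration of the modulus reduction, the leveled scheme construction and the protocol steps above; it is not code from the paper or from this post. At toy size ($n=8$, moduli $q_0=2^{31}-1$ and $q_1=4099$ chosen for readability, not for security) it implements the ring $R_q$, NTRU key generation with $f\equiv 1 \pmod 2$, multikey decryption by the product of the secret keys, a $\zeta$-type evaluation key that encrypts $\operatorname{Pow}$ of the old key squared under a fresh key, relinearization as $\langle\operatorname{Bit}(c),\zeta\rangle$, and the parity-preserving modulus reduction. `multikey_xor` follows Steps 1 to 3 with the joint decryption done in the clear in place of $\Pi_{\mathrm{DEC}}$; `leveled_and` runs one level of multiply, relinearize and modulus-switch. All function names, the $\{-1,0,1\}$ error distribution, and sampling the next-level key at the current modulus are assumptions of this example.

```python
# Added toy model (not the paper's or this post's code) of the NTRU-based scheme above:
# arithmetic in R_q, keys, multikey decryption, Pow/Bit relinearization, modulus reduction.
import random

n = 8                          # ring degree (a power of 2); toy size, no security
Q0, Q1 = 2**31 - 1, 4099       # decreasing odd primes q_0 > q_1 (assumed toy values)
random.seed(1)

def centered(a, q):            # [a]_q: representative in {-floor(q/2), ..., floor(q/2)}
    r = a % q
    return r - q if r > q // 2 else r

def reduce_q(a, q): return [centered(x, q) for x in a]
def add(a, b): return [x + y for x, y in zip(a, b)]
def scale(k, a): return [k * x for x in a]
def const(bit): return [bit] + [0] * (n - 1)
def chi(): return [random.randint(-1, 1) for _ in range(n)]   # 1-bounded error distribution

def mul(a, b):                 # negacyclic convolution = multiplication in Z[x]/<x^n+1>
    out = [0] * n
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            if i + j < n: out[i + j] += x * y
            else: out[i + j - n] -= x * y
    return out

def inverse(f, q):
    """f^{-1} in R_q (q prime) or None: Gauss-Jordan elimination mod q solves M v = e_0,
    where M is the matrix of multiplication by f, so f * v = 1 in R_q."""
    cols = [mul(f, [int(i == j) for i in range(n)]) for j in range(n)]
    A = [[cols[j][i] % q for j in range(n)] + [int(i == 0)] for i in range(n)]
    for col in range(n):
        piv = next((r for r in range(col, n) if A[r][col]), None)
        if piv is None: return None
        A[col], A[piv] = A[piv], A[col]
        inv = pow(A[col][col], -1, q)
        A[col] = [x * inv % q for x in A[col]]
        for r in range(n):
            if r != col and A[r][col]:
                A[r] = [(x - A[r][col] * y) % q for x, y in zip(A[r], A[col])]
    return [A[i][n] for i in range(n)]

def keygen(q):                 # f = 2u + 1 (so f = 1 mod 2) with u, g <- chi; h = [2 g f^{-1}]_q
    while True:
        f = add(scale(2, chi()), const(1))
        f_inv = inverse(f, q)
        if f_inv is not None:
            return f, reduce_q(mul(scale(2, chi()), f_inv), q)

def encrypt(h, m, q):          # c = [h s + 2 e + m]_q with s, e <- chi
    return reduce_q(add(add(mul(h, chi()), scale(2, chi())), m), q)

def decrypt(keys, c, q):       # multikey decryption: [f_1 ... f_N c]_q mod 2
    mu = c
    for f in keys: mu = mul(f, mu)
    return [x % 2 for x in reduce_q(mu, q)]

def bit_decomp(c, q):          # Bit(c): ceil(log q) vectors in {0,1}^n with sum_k 2^k Bit_k(c) = c mod q
    cc = [x % q for x in c]
    return [[(x >> k) & 1 for x in cc] for k in range(q.bit_length())]
def pow_decomp(a, q):          # Pow(a) = (a, 2a, 4a, ...), so <Bit(c), Pow(a)> = a c mod q
    return [scale(1 << k, a) for k in range(q.bit_length())]
def eval_key(h_new, f_old, q): # zeta: encryptions of Pow(f_old^2) under the fresh key h_new
    return [encrypt(h_new, t, q) for t in pow_decomp(mul(f_old, f_old), q)]

def relinearize(c, zeta, q):   # [<Bit(c), zeta>]_q: key f_old^2 -> f_new, noise grows only additively
    acc = [0] * n
    for b, z in zip(bit_decomp(c, q), zeta): acc = add(acc, mul(b, z))
    return reduce_q(acc, q)

def modulus_reduce(c, q, p):   # integer vector closest to (p/q) c with c' = c (mod 2)
    out = []
    for x in c:
        t = x * p / q
        y = round(t)
        if (y - x) % 2: y = y + 1 if t > y else y - 1   # wrong parity: take the other neighbour of t
        out.append(y)
    return out

def multikey_xor(a, b):
    """Two users encrypt bits under their own keys, the server adds the ciphertexts, and
    decryption needs both secret keys (the joint decryption of Step 3, done in the clear)."""
    f1, h1 = keygen(Q0)
    f2, h2 = keygen(Q0)
    c_add = reduce_q(add(encrypt(h1, const(a), Q0), encrypt(h2, const(b), Q0)), Q0)
    return decrypt([f1, f2], c_add, Q0)[0]

def leveled_and(a, b):
    """One level: multiply (the key becomes f0^2), relinearize to a fresh f1, reduce the
    modulus Q0 -> Q1 and decrypt with f1 at Q1. Returns (bit under f0^2, bit under f1)."""
    f0, h0 = keygen(Q0)
    f1, h1 = keygen(Q0)                          # next-level key, sampled at the current modulus
    zeta = eval_key(h1, f0, Q0)
    c = reduce_q(mul(encrypt(h0, const(a), Q0), encrypt(h0, const(b), Q0)), Q0)
    before = decrypt([f0, f0], c, Q0)[0]         # the raw product still decrypts under f0^2
    c = modulus_reduce(relinearize(c, zeta, Q0), Q0, Q1)
    return before, decrypt([f1], c, Q1)[0]

if __name__ == "__main__":
    print([multikey_xor(a, b) for a in (0, 1) for b in (0, 1)])  # [0, 1, 1, 0]
    print([leveled_and(a, b) for a in (0, 1) for b in (0, 1)])   # [(0, 0), (0, 0), (0, 0), (1, 1)]
```

Run as a script it prints the four XOR and the four AND results. The `before` value in `leveled_and` shows that the raw product still needs $f_0^2$ to decrypt, while after relinearization and modulus reduction the ciphertext decrypts under the fresh key $f_1$ at the smaller modulus, with the noise scaled down by $q_1/q_0$ plus the small rounding term $f_1\cdot\delta$ of the parity-preserving rounding.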
Security
The MPC protocol constructed above is secure in the semi-honest adversary model. Security is proved with a sequence of hybrids.
Hybrid 0: the real world.
Hybrid 1: replace $\Pi_{\mathrm{DEC}}^{\mathrm{SM}}$ in Step 3 by the simulator $\mathcal{S}_{\Pi_{\mathrm{DEC}}}^{\mathrm{SM}}$, which interacts with $\mathcal{A}^{\mathrm{SM}}$.
Hybrid 2: replace the value $\operatorname{Dec}(\widetilde{\mathrm{sk}}_1,\ldots,\widetilde{\mathrm{sk}}_N,c)$ returned by $\mathcal{S}_{\Pi_{\mathrm{DEC}}}^{\mathrm{SM}}$ by $f(\widetilde{x}_1,\ldots,\widetilde{x}_N)$.
Hybrid 3.k: replace the first $k$ ciphertexts by $\mathrm{Enc}(0)$, still returning $f(\widetilde{x}_1,\ldots,\widetilde{x}_N)$.
Hybrids 0 and 1 are indistinguishable by the security of the MPC protocol; Hybrids 1 and 2 are indistinguishable because no input or output changes. Hybrid 2 is identical to Hybrid 3.0, and the indistinguishability of Hybrids 3.(k-1) and 3.k follows from the semantic security of the encryption scheme.