Multiparty Homomorphic Encryption from Ring-Learning-with-Errors
Proceedings on Privacy Enhancing Technologies; 2021 (4):291–311

Christian Mouchet, Juan Troncoso-Pastoriza, Jean-Philippe Bossuat, and Jean-Pierre Hubaux

Abstract: We propose and evaluate a secure-multiparty-computation (MPC) solution in the semi-honest model with dishonest majority that is based on multiparty homomorphic encryption (MHE). To support our solution, we introduce a multiparty version of the Brakerski-Fan-Vercauteren homomorphic cryptosystem and implement it in an open-source library. MHE-based MPC solutions have several advantages: Their transcript is public, their offline phase is compact, and their circuit-evaluation procedure is non-interactive. By exploiting these properties, the communication complexity of MPC tasks is reduced from quadratic to linear in the number of parties, thus enabling secure computation among potentially thousands of parties and in a broad variety of computing paradigms, from the traditional peer-to-peer setting to cloud-outsourcing and smart-contract technologies. MHE-based approaches can also outperform the state-of-the-art solutions, even for a small number of parties. We demonstrate this for three circuits: private input selection with application to private-information retrieval, component-wise vector multiplication with application to private-set intersection, and Beaver multiplication triples generation. For the first circuit, privately selecting one input among eight thousand parties' (of 32 KB each) requires only 1.31 MB of communication per party and completes in 61.7 seconds. For the second circuit with eight parties, our approach is 8.6 times faster and requires 39.3 times less communication than the current methods. For the third circuit and ten parties, our approach generates 20 times more triples per second while requiring 136 times less communication per-triple than an approach based on oblivious transfer. We implemented our scheme in the Lattigo library and open-sourced the code at github.com/ldsec/lattigo.

Keywords: secure multiparty computation, homomorphic encryption

DOI 10.2478/popets-2021-0071
Received 2021-02-28; revised 2021-06-15; accepted 2021-06-16.

Christian Mouchet: École polytechnique fédérale de Lausanne, E-mail: christian.mouchet@epfl.ch
Juan Troncoso-Pastoriza: École polytechnique fédérale de Lausanne, E-mail: juan.troncoso-pastoriza@epfl.ch
Jean-Philippe Bossuat: École polytechnique fédérale de Lausanne, E-mail: jean-philippe.bossuat@epfl.ch
Jean-Pierre Hubaux: École polytechnique fédérale de Lausanne, E-mail: jean-pierre.hubaux@epfl.ch

1 Introduction

Secure Multiparty Computation (MPC) protocols enable a group of parties to securely compute joint functions over their private inputs while enforcing specific security guarantees throughout the computation. The exact definition of security depends on how the adversary is modeled, but the most common requirement, input privacy, informally states that parties should not obtain more information about other parties' inputs than that which can be deduced from the output of the computation. Combining this strong security guarantee with a general functionality makes the study of MPC techniques highly relevant. This last decade has seen this established theoretical field evolve into an applied one, notably due to its potential for securing data-sharing scenarios in the financial [12, 13], biomedical [37, 49] and law-enforcement [10, 41] sectors, as well as for protecting digital assets [5]. The use of passively-secure MPC techniques in such scenarios has been demonstrated to be effective and practical [4, 21, 37], notably in the medical sector where data collaborations are mutually beneficial and well-regulated, yet they legally require a certain level of data-protection [21, 49].

In the settings where no honest majority of parties can be guaranteed, most of the currently implemented MPC systems are based on secret-sharing [53] of the input data according to some linear secret-sharing scheme (LSSS), and on interactive circuit evaluation protocols [36]. These approaches have two practical limitations: (i) standard protocols require many rounds of communication over private channels between the parties, which makes them inadequate for low-end devices and unreliable networks. (ii) current approaches require a per-party communication that increases linearly in the circuit size (that increases at least linearly in the number of parties). Hence, this quadratic factor quickly becomes a bottleneck for large numbers of parties.

Homomorphic encryption (HE) techniques are well-known for reducing the communication complexity of MPC [24, 30], especially in their various threshold and multi-key variants that we generally refer to as multiparty-HE (MHE). However, in spite of several such schemes proposed by the cryptographic community, the most widely known being the MHE scheme of Asharov et al. [6], no concrete MPC solution implementing a generic MHE-based MPC protocol has been built yet. Instead, the use of HE in MPC is mostly confined to the offline pre-computations of protocols based on linear secret-sharing schemes (LSSS) [39]. We argue that homomorphic encryption has reached the required level of usability to play a larger role in the online phase of MPC protocols and to enable new applications.

We propose, implement, and evaluate a new instance of the MHE-based MPC protocol in the passive-adversary with dishonest-majority model. We make the following contributions:
– We propose a novel multiparty extension of the BFV homomorphic encryption scheme (Section 4). We follow the blueprint of Asharov et al. [6] and adapt it to the ring-learning-with-errors (RLWE) assumptions and to the BFV scheme. We also introduce novel single-round protocols for bridging between the MHE- and LSSS-based approaches and for bootstrapping a BFV ciphertext in multiparty settings.
– We instantiate our MHE scheme into a generic MPC protocol (Section 5) and show that this approach has several advantages over their LSSS-based counterparts: Notably, its per-party communication complexity is only linear in the circuit's inputs and outputs, and its execution does not require private party-to-party communication channels.
– We demonstrate the efficiency of the latter instantiation for three example MPC circuits (Section 6). We implemented and open-sourced our scheme in the Lattigo library [1].

With these contributions, our work bridges the gap between the existing theoretical work on MHE-based MPC and its application as privacy-enhancing technologies.

2 Related Work

We classify N-party dishonest-majority MPC approaches in two categories: (a) Linear secret-sharing at a data level (for short: LSSS-based), which is predominantly implemented in generic MPC solutions [5, 36], consists in applying secret-sharing [53] to the input data. (b) Multiparty encryption schemes (for short: MHE-based), use a homomorphic scheme to encrypt and exchange the input data, that can then be computed on non-interactively with encrypted arithmetic.

LSSS-based MPC (a). Most of the available generic MPC solutions, such as Sharemind [11] and SPDZ [25, 26, 39], apply secret-sharing to the input data. The evaluation of arithmetic circuits is generally enabled by the homomorphism of the LSSS, or by interactive protocols (when no such homomorphism is available); the most widely implemented protocol is Beaver's triple-based protocol [9]. The strength of approach (a) is to enable evaluation through only simple and efficient primitives in terms of which the circuit can be decomposed by code-to-protocol compilers, thus strengthening usability. However, this approach imposes two practical constraints: First, the interactive protocols at each multiplication gate require all parties to be online and active during the whole computation and to exchange messages with their peers at a high frequency that is determined by the round complexity of the circuit. Second, the triple-based multiplication protocol requires a prior distribution of one-time triples; this can be performed in a pre-computing phase, either by a trusted third-party or by the parties themselves. The latter peer-to-peer case can also be formulated as an independent, yet equivalent, MPC task (generating the triples requires multiparty multiplication). Hence, these approaches are hybrids that generate the triples by using techniques such as oblivious transfer [38], plain HE [39] or multiparty-HE [26] in an offline phase. As a result of the aforementioned constraints, many current applications of LSSS-based MPC target the outsourced models where the actual computation is delegated to two parties [4, 21, 22, 37, 46, 47] that are assumed not to collude (e.g., the two-cloud model). Unfortunately, this assumption might not be realistic in some contexts where the parties are required to have an active role in enforcing the access control over their data (e.g., by law).

MHE-based MPC (b). In this approach, the parties use an HE scheme to encrypt their inputs, and the computations are performed using the scheme's homomorphic operations. To preserve the inputs' privacy, the scheme's secret key is securely distributed among the parties and the decryption requires the collaboration between the parties. We use the term multiparty encryption scheme to designate these constructions in a general way (we provide a definition in Section 3.1).
The idea of reducing the volume of interaction in MPC by using threshold homomorphic-encryption can be traced back to a work by Franklin and Haber [30], later improved by Cramer et al. [24]. At that time, the lack of homomorphic schemes that preserve two distinct algebraic operations ruled out complete non-interactivity at the evaluation phase, thus rendering these approaches less attractive than approach (a). Recently, task-specific instances that use multiparty additive-homomorphic encryption have been successful in supporting use-cases in distributed machine learning [32, 56], thus highlighting the potential that a generic and usable fully homomorphic encryption (FHE) [33] solution could have. This is the idea behind the line of work by Asharov et al. [6] and López-Alt et al. [43]. These contributions propose various multiparty schemes in which the secret-key is additively shared among the parties, and they analyze the theoretical MPC solution these schemes enable. Although of great interest, this line of work did not find as much echo in applications as approach (a) has. One possible reason was the lack of available and efficient implementations of Learning with Errors [50] (LWE)-based homomorphic schemes, in terms of which these schemes were presented. Today, multiple ongoing efforts aim at standardizing homomorphic encryption [3] and at making its implementations available to a broader public. This new generation of schemes is based mostly on the Ring Learning with Errors (RLWE) problem [45] and has brought HE from being practical to being efficient.

We argue that MHE-based approaches are now efficient and flexible enough to support more than the offline phase of LSSS-based approaches. Therefore, we bring the theoretical work on multiparty schemes [6] to RLWE cryptography and to an open-source implementation, and evaluate it as an MPC solution.

3 Background

We provide a general definition of the multiparty homomorphic encryption (MHE) primitive, relate this primitive to the MPC setting and recall the plain BFV HE scheme that we extend to the MHE in Section 4. We consider an abstract security parameter λ and require that an adversary's advantage in attacking the schemes must be a negligible function in λ. HE schemes also require proper parameterization to support the evaluation of the desired circuits. We model this dependency by introducing an abstract homomorphic capacity parameter κ and require that the probability of incorrect decryption must be a negligible function in κ.

3.1 Multiparty Homomorphic Encryption

Let P = {P_1, P_2, ..., P_N} be a set of N parties; a multiparty homomorphic encryption-scheme over P is an HE scheme in which the secret-key is an N-party function S(sk_1, sk_2, ..., sk_N). The structure of S determines the Access Structure of the MHE scheme, which we define as the set S ⊂ PowerSet(P) of all groups of parties that can collectively reconstruct the secret-key. Indeed, S should never be disclosed in practice. Instead, each operation Op of the single-party scheme that requires the secret-key is expressed as a multiparty protocol Π_Op.

Let M be a plaintext space with arithmetic structure; a Multiparty HE scheme over M is a tuple MHE = (Setup, SecKeyGen, Π_PubKeyGen, Enc, Π_Dec, Eval) of algorithms and multiparty protocols.
– Setup: pp ← MHE.Setup(λ, κ). Takes the security and homomorphic capacity parameters and outputs a public parameterization. pp is an implicit argument to the other procedures.
– Key Generation: The parties P_i ∈ P generate sk_i ← MHE.SecKeyGen() and take part in the multiparty protocol pk ← MHE.Π_PubKeyGen(sk_1, ..., sk_N). Outputs a key pair (sk_i, pk) to each party.
– Encryption: ct ← MHE.Enc(m, pk). Given a public-key pk, and a plaintext message m ∈ M, outputs a ciphertext encrypting m under S(sk_1, sk_2, ..., sk_N).
– Evaluation: ct_res ← MHE.Eval(f, pk, ct_1, ..., ct_I). Given an arithmetic function f : M^I → M, the public key pk and an I-tuple of ciphertexts encrypting (m_1, ..., m_I) ∈ M^I, outputs a result ciphertext encrypting m_res = f(m_1, ..., m_I).
– Decryption: m ← MHE.Π_Dec(ct, sk_1, ..., sk_N). Given a ciphertext ct encrypting m and their respective key sk_i, the parties take part in the decryption multiparty protocol. Outputs m.

Semantic Security (informal). We require that for all adversarial subsets of parties A ∉ S, for any two messages m_1, m_2 ∈ M, the advantage of the adversary in distinguishing between distributions MHE.Enc(pk, m_1) and MHE.Enc(pk, m_2) should be smaller than 2^{−λ}.

Correctness (informal). We require that, for all arithmetic functions f : M^I → M, there exist a public parametrization pp such that MHE.Π_Dec(MHE.Eval(f, pk, ct_1, ..., ct_I), sk_1, ..., sk_N) = f(m_1, ..., m_I) holds with probability larger than 1 − 2^{−κ}.
Access-structure Families. We distinguish between two types of MHE schemes:
– In threshold [28] or distributed encryption schemes, the secret-key S is set before the computation and is fixed, hence so is the access structure set S. The parties provide their inputs encrypted under S, hence the decryption is conditioned to the participation of the parties according to the structure of S (which is often, but not necessarily, a secret-sharing scheme). We use this approach for our proposed MHE scheme.
– In multi-key encryption schemes [44], the secret-key does not have to be defined before the evaluation and S is, instead, dynamic: The parties provide their inputs encrypted under their own secret-key and the evaluation of homomorphic operations f : M^I → M yields a result that is encrypted under an on-the-fly key S(sk_1, ..., sk_I). Hence, only the parties involved in a given computation are required to participate in the decryption of its output.

In their RLWE instantiations, these two types of multiparty schemes have different structures for their ciphertext and public-key material, as well as different algorithmic complexity figures for their homomorphic operations. In Section 4, we construct a distributed version of the BFV scheme [29], and compare it to the multi-key BFV scheme of Chen et al. [18] in Section 4.10.

MHE-based Generic MPC. The construction of passively secure and MHE-based generic MPC protocols is natural from the MHE correctness and semantic security properties: Given a circuit and the desired security properties, the parties can use an MHE-scheme enforcing the sought access structure to encrypt their inputs (MHE.Enc), compute the circuit homomorphically (MHE.Eval), and collectively decrypt the output (MHE.Π_Dec protocol). We defer the detailed protocol description and the discussion of its features to Section 5, where we instantiate it with the MHE-scheme proposed in Section 4.

3.2 Notation

We denote [·]_q the reduction of an integer modulo q, and ⌈·⌉, ⌊·⌋, ⌊·⌉ the rounding to the next, previous, and nearest integer respectively. When applied to polynomials, these operations are performed coefficient-wise. We use regular letters for integers and polynomials, and boldface letters for vectors of integers and of polynomials. a^T denotes the transpose of a vector a. Given a probability distribution α over a ring R, a ← α denotes the sampling of an element a ∈ R according to α, and a ← R implicitly denotes uniform sampling in R. For a polynomial a, we denote its infinity norm by ‖a‖.

3.3 The BFV Encryption Scheme

We recall the plain Brakerski-Fan-Vercauteren [29] scheme that we will extend in Section 4. It is a ring-learning-with-errors [45] scheme that supports both additive and multiplicative homomorphic operations. Due to its practicality, it has been implemented in most of the current lattice-based cryptographic libraries [1, 48, 52] and is part of the draft HE standard [3].

Scheme 1 details the most common instantiation of the BFV scheme. The ciphertext space is R_q = Z_q[X]/(X^n + 1), the quotient ring of the polynomials with coefficients in Z_q modulo (X^n + 1), where n is a power of 2. We use [−q/2, q/2) as the set of representatives for the congruence classes modulo q. Unless otherwise stated, we consider the arithmetic in R_q and polynomial reductions are omitted in the notation. The plaintext space is the ring R_t = Z_t[X]/(X^n + 1) for t < q. We denote ∆ = ⌊q/t⌋, the integer division of q by t.

The scheme is based on two kinds of secrets, commonly sampled from small-normed yet different distributions: The key distribution is denoted R_3 = Z_3[X]/(X^n + 1), where coefficients are uniformly distributed in {−1, 0, 1}. The error distribution χ over R_q has coefficients distributed according to a centered discrete Gaussian with standard deviation σ and truncated support over [−B, B], where σ and B are two cryptosystem parameters.

The security of BFV is based on the hardness of the decisional-RLWE problem [45] that is informally stated as follows: Given a uniformly random a ← R_q, a secret s ← R_3, and an error term e ← χ, it is computationally hard for an adversary that does not know s and e to distinguish between the distribution of (sa + e, a) and that of (b, a) where b ← R_q.

Encrypted arithmetic operations must preserve the plaintext arithmetic. We denote BFV.Add and BFV.Mul the homomorphic addition and multiplication, respectively, and we refer the reader to [29] for their implementation. The BFV.Mul operation outputs a ciphertext consisting of three R_q elements that can be seen as a degree two ciphertext. This higher degree ciphertext can be further operated on and decrypted. Yet it is often desirable to reduce this degree back to one, by using a BFV.Relinearize operation [29]. This operation is public but requires the generation of a specific public key, referred to as the relinearization key (rlk).

Scheme 1. BFV(t, n, q, w, σ, B)
BFV.SecKeyGen(): Sample s ← R_3. Output: sk = s.
BFV.PubKeyGen(sk): Let sk = s. Sample p_1 ← R_q and e ← χ. Output: pk = (p_0, p_1) = (−s p_1 + e, p_1).
BFV.RelinKeyGen(sk, w): Let sk = s. Sample r_1 ← R_q^l, e ← χ^l. Output: rlk = (r_0, r_1) = (s^2 w − s r_1 + e, r_1).
BFV.Encrypt(pk, m): Let pk = (p_0, p_1). Sample u ← R_3 and e_0, e_1 ← χ. Output: ct = (∆m + u p_0 + e_0, u p_1 + e_1).
BFV.Decrypt(sk, ct): Let sk = s, ct = (c_0, c_1). Output: m' = [⌊(t/q) [c_0 + c_1 s]_q⌉]_t.

The decryption of a ciphertext (c_0, c_1) can be seen as a two-step process. The first step requires the secret key to compute a noisy plaintext in R_q as

$$[c_0 + s c_1]_q = \Delta m + e_{ct}, \quad (1)$$

where e_ct is the ciphertext overall error, or ciphertext noise. In the second step, the message is decoded from the noisy term in R_q to a plaintext in R_t, by rescaling and rounding

$$\Big[\Big\lfloor \frac{t}{q}(\Delta m + e_{ct}) \Big\rceil\Big]_t = \big[\lfloor m + a t + v \rceil\big]_t, \quad (2)$$

where m ∈ R_t, a has integer coefficients, and v has coefficients in Q. Provided that ‖v‖ < 1/2, Eq. (2) outputs m. Hence, the correctness of the scheme is conditioned on the noise magnitude ‖e_ct‖ that must be kept below q/(2t) throughout the homomorphic computation, notably by choosing a sufficiently large q. To preserve this condition when multiplying with the rlk (as a part of BFV.Relinearize), ciphertexts are temporarily decomposed in a basis w < q and the product is performed on each element of the decomposition [29]. We write l = ⌈log_w(q)⌉ the number of coefficients in this decomposition, and w = (w^0, w^1, ..., w^{l−1})^T the base-w reconstruction vector.

3.4 Parameter Selection

Selecting the parameters for a given application constitutes a significantly more challenging task for homomorphic-encryption schemes than for traditional encryption. Although the standardization document [3] is a good basis for mapping the subset of commonly used parameter values to bit-security levels, mapping the correctness and efficiency requirements to concrete parameters in a systematic way is still an open question in FHE research: it goes beyond the scope of this work. Nowadays, we see the rise of compilers for HE [54] that will, as they evolve, automate this process.

We describe the common heuristic approach for selecting BFV parameters; the one we used for the evaluation of our work (Section 6). The task consists in finding (t, n, q, w, σ, B) that satisfy the required security and homomorphic-capacity parameters (λ, κ) for the set of considered homomorphic circuits. The standardization document and most implementations fix the noise standard deviation and bound to σ ≈ 3.2 and B ≈ 20, respectively. Hence, only the ring degree n, plaintext-space and ciphertext-space moduli t and q, and the decomposition basis w remain to be determined.

The message-space characteristics of the application usually set t directly, by considering the bit-width of the input values. The targeted set of homomorphic circuits constrain q and n: Choosing larger q permits larger circuit depth (Equation (2)) but also reduces the hardness of the RLWE problem. Choosing larger w reduces the noise incurred by Relinearize (hence enables smaller q) and increases its computation cost and the rlk size. Choosing larger n increases the security (hence enables larger q for a fixed security level) but has a significant impact on the cost incurred by polynomial multiplication. Hence, the most common strategy is to set q and w experimentally, as an acceptable trade-off for the application, then to choose the smallest power-of-two n for the desired security level.

4 The Multiparty BFV Scheme

We introduce a novel multiparty version of the Brakerski-Fan-Vercauteren (BFV) cryptosystem [29]. Although formulated for the BFV scheme, the introduced protocols can be straightforwardly adapted to other RLWE-based cryptosystems, such as BGV [16] or the more recent CKKS [20], which enables homomorphic approximate arithmetic. We implemented both multiparty versions for the BFV and CKKS schemes in the Lattigo open-source library [1]. Our approach follows the blueprint of the LWE-based protocols by Asharov et al. [6], and introduces several improvements to their schemes. In particular, we propose a novel procedure for the generation of relinearization keys that adds significantly less noise in the output key. We also propose a generalization of the distributed decryption procedure, from which we derive novel protocols that bridge between the MHE-based and LSSS-based MPC protocols and that enable the practical bootstrapping of a BFV ciphertext.

In the next subsections, we reformulate all the secret-key-dependent operations of the original BFV scheme as secure N-party protocols. We refer to the original centralized scheme as the ideal scheme: the ideal centralized functionality that is emulated in a multiparty setting. By extension, we refer to sk = S(sk_1, ..., sk_N) as the ideal secret key, because it exists as such only through interaction between the parties.

4.1 Scheme Overview

Let P be a set of N parties that have access to an authenticated channel and to a random common reference string (CRS) [17]. Our proposed multiparty BFV scheme is a tuple MBFV = (Π_EncKeyGen, Π_RelinKeyGen, Π_KeySwitch, Π_PubKeySwitch) that extends the BFV scheme:
– Setup: Select pp ← (t, n, q, w, σ, B), the parameters of the BFV scheme.
– Key Generation: Each party P_i ∈ P generates sk_i ← BFV.SecKeyGen() and takes part in the cpk ← MBFV.Π_EncKeyGen(sk_1, ..., sk_N) and rlk ← MBFV.Π_RelinKeyGen(sk_1, ..., sk_N) multiparty protocols with output (cpk, rlk).
– Encryption: The usual BFV.Encrypt procedure is used to encrypt messages under sk given the cpk.
– Evaluation: The usual BFV.Eval set of homomorphic operations is used to evaluate functions given rlk.
– Key-switching: ct' ← Π_KeySwitch(ct, sk'_1, ..., sk'_N, sk_1, ..., sk_N). Given a ciphertext ct encrypted under the ideal secret-key sk and an output ideal secret-key sk' = S'(sk'_1, ..., sk'_N), the parties re-encrypt ct under sk'.
– Public-key-switching: ct' ← Π_PubKeySwitch(ct, pk', sk_1, ..., sk_N). Given a ciphertext ct under sk and an output public-key pk' for secret-key sk', the parties re-encrypt ct under sk'.

MBFV KeySwitch-correctness. For all arithmetic functions f : R_t^I → R_t over the parties' inputs m_1, ..., m_I, there exist pp = (t, n, q, w, σ, B) such that for sk' = S'(sk'_1, ..., sk'_N) an output secret-key and

sk_i ← BFV.SecKeyGen(), i ∈ 1...N,
cpk, rlk ← Π_EncKeyGen(sk_1, ..., sk_N), Π_RelinKeyGen(sk_1, ..., sk_N),
ct_i ← BFV.Enc(cpk, m_i), i ∈ 1...I,
ct_f ← BFV.Eval(f, rlk, ct_1, ..., ct_I),
ct'_f ← MBFV.Π_KeySwitch(ct_f, sk'_1, ..., sk'_N, sk_1, ..., sk_N),

it holds that Pr[BFV.Dec(sk', ct'_f) ≠ f(m_1, ..., m_I)] < 2^{−κ}.

The PubKeySwitch-correctness property can be directly derived from the previous definition by computing a public key for sk' and replacing Π_KeySwitch by Π_PubKeySwitch.

MBFV Semantic Security. For all subsets of at most N − 1 passive adversaries in P, for any two messages m_1, m_2 ∈ R_t, the advantage of the adversary in distinguishing between distributions BFV.Enc(cpk, m_1) and BFV.Enc(cpk, m_2) should be smaller than 2^{−λ}.

As a result, the security properties of the MBFV scheme are those of an N-out-of-N threshold encryption scheme. We now detail each of its underlying protocols.

4.2 Ideal-Secret-Key Generation

Our scheme uses an additive structure for the combined secret-key, denoted as s in the following. We denote s_i the secret key share of party P_i, thus its share sk_i of sk, and

$$sk = s = \Big[\sum_{P_i \in \mathcal{P}} s_i\Big]_q. \quad (3)$$

We propose a simple ideal-secret-key generation procedure in which each party samples independently its own share as s_i = BFV.SecKeyGen(). Thus, the ideal secret-key is generated in a non-interactive way. The norm of the resulting ideal secret key grows with O(N), which has an effect on the noise growth (analyzed in Appendix A). By using techniques such as those described in [51], it might be possible to generate ideal secret keys in R_3 as if they were produced in a trusted setup (e.g., as an additive secret-sharing of a usual BFV secret-key over R_q). However, this would introduce the need for private channels between the parties.
4.3 Collective Encryption-Key Generation

The collective encryption-key generation, detailed in Protocol 1, emulates the BFV.PubKeyGen procedure. In addition to the public parameters of the cryptosystem (which we will omit in the following), the procedure requires a public polynomial p_1, uniformly sampled in R_q, to be agreed upon by all the parties. For this purpose, they sample its coefficients from the common reference string (CRS). In the passive-adversary model, the CRS can be implemented by any keyed pseudorandom function. We used BLAKE2b [7] in our implementation.

Protocol 1. EncKeyGen
Public Input: p_1 (common random polynomial)
Private Input for P_i: s_i = sk_i (secret key share)
Public Output: cpk = (p_0, p_1) (collective encryption key)
Each party P_i:
1. samples e_i ← χ and discloses p_{0,i} = −p_1 s_i + e_i
Out: from p_0 = Σ_{P_j ∈ P} p_{0,j}, outputs cpk = (p_0, p_1)

After the execution of the EncKeyGen protocol, the parties have access to the collective public key

$$\mathrm{cpk} = \Big(\Big[\sum_{P_i \in \mathcal{P}} p_{0,i}\Big]_q,\ p_1\Big) = \Big(\Big[-\Big(\sum_{P_i \in \mathcal{P}} s_i\Big) p_1 + \sum_{P_i \in \mathcal{P}} e_i\Big]_q,\ p_1\Big), \quad (4)$$

that has the same form as the ideal public key pk in Scheme 1, with larger worst-case norms ‖s‖ and ‖e‖. The norm grows only linearly in N, hence is not a concern (as shown in Appendix A), even for large numbers of nodes.

Another notable feature of the EncKeyGen protocol is that it would apply to any kind of linear sharing of s, as long as the shares are valid RLWE secrets and the norm of the reconstruction is small enough. This includes uniformly random sharing over R_q of a traditional BFV secret key in R_3.

4.4 Relinearization-Key Generation

Protocol 2 (RelinKeyGen) emulates the centralized BFV.RelinKeyGen. Informally, it produces pseudo-encryptions of s^2 w^b for each power b = 0, ..., l − 1 of the decomposition basis parameter w. It requires a public input a, uniformly sampled in R_q^l from the CRS. We use vector notation to express that these pseudo-encryptions are generated in parallel for every element of the decomposition base w = (w^0, w^1, ..., w^{l−1})^T.

Asharov et al. proposed a method to produce relinearization keys for multiparty schemes based on the LWE problem [6]. This method could be adapted to our scheme but results in significantly increased noise in the rlk (hence, higher noise in relinearized ciphertexts) with respect to the centralized scheme. One cause for this extra noise is the use of the public encryption algorithm to produce the mentioned pseudo-encryptions. By observing that the collective encryption key is not needed for this purpose (because the secret key is collectively known), we propose Protocol 2 as an improvement over the method by Asharov et al.

Protocol 2. RelinKeyGen
Public Input: a ∈ R_q^l and w the decomposition basis
Private Input of P_i: s_i = sk_i
Output: rlk = (r_0, r_1)
Each party P_i:
1. samples u_i ← R_3, e_{0,i}, e_{1,i} ← χ^l and discloses (h_{0,i}, h_{1,i}) = (−u_i a + s_i w + e_{0,i}, s_i a + e_{1,i})
2. from h_0 = Σ_{P_j ∈ P} h_{0,j} and h_1 = Σ_{P_j ∈ P} h_{1,j}, samples e_{2,i}, e_{3,i} ← χ^l and discloses (h'_{0,i}, h'_{1,i}) = (s_i h_0 + e_{2,i}, (u_i − s_i) h_1 + e_{3,i})
Out: from h'_0 = Σ_{P_j ∈ P} h'_{0,j} and h'_1 = Σ_{P_j ∈ P} h'_{1,j}, outputs rlk = (h'_0 + h'_1, h_1)

After completing the RelinKeyGen protocol, the parties have access to a relinearization key of the form

$$\mathrm{rlk} = (r_0, r_1) = (-s b + s^2 w + s e_0 + u e_1 + e_2 + e_3,\ b), \quad (5)$$

where b = h_1 = s a + e_1 and e_k = Σ_j e_{k,j} for k = 0, 1, 2, 3 (expanding h'_0 + h'_1 = s h_0 + e_2 + (u − s) h_1 + e_3 with h_0 = −u a + s w + e_0 gives exactly this form). Hence, compared to the keys generated with the approach of Asharov et al., our keys have lower error in r_0 and no error at all in r_1 (i.e., they have the same form as those of the centralized scheme). This significantly reduces the noise induced by relinearization.

A relevant feature of the proposed RelinKeyGen protocol is its independence from the actual decomposition basis w: It is compatible with other decomposition techniques, such as the one used for Type II relinearization [29], those based on the Chinese Remainder Theorem (as proposed by Bajard et al. [8] and Cheon et al. [19]), and the hybrid approach of Bossuat et al. [15] (which we use in our implementation).

4.5 Collective Key-Switching Protocols

The key-switching functionality enables the oblivious re-encryption operation. Given a ciphertext ct encrypted under an input key s along with an output key s', the key-switching procedure outputs ct' = Enc(s', Dec(s, ct)). Because the first step of the plain BFV decryption (Eq. (1)) is equivalent to switching from the ideal secret-key to an output key s' = 0, this protocol generalizes the decryption protocol. The decoding part of the decryption (Eq. (2)) does not require the secret-key and can be performed locally.

Smudging. We observe that the aforementioned decryption procedure, and the MBFV key-switching procedures in general, provide the output-key owner(s) with the ciphertext noise. Because this noise depends on intermediate values in the encryption, homomorphic computation and key-switching procedures, it could be exploited as a side-channel by curious receivers (although characterizing this indirect leakage in a computational setting is still an open question). The smudging technique, as introduced by Asharov et al. [6], aims at making the ciphertext-noise inexploitable by flooding it with some freshly sampled noise terms in a distribution of larger variance. In the MBFV scheme, this is achieved by sampling the relevant error terms in the key-switching protocols from a discrete Gaussian distribution χ_CKS(σ_ct^2) of variance σ_smg^2 = 2^λ σ_ct^2, where σ_ct^2 is the ciphertext's noise variance (see Appendix A) and λ the desired security level (e.g., λ = 128, see Appendix B). Hence, this technique assumes that the system keeps track of the ciphertext noise-level and has access to this property. For a ciphertext ct, we denote var(ct) the variance of its noise term (see Eq. (1)).

Receiver. The protocol's instantiation depends on whether the parties performing the re-encryption have a collective access to the output secret-key directly, or have only its corresponding public-key. Both these settings are relevant when instantiating the MBFV scheme as an MPC protocol, which we discuss in Section 5. Therefore, we develop protocols that perform key-switching for these two settings: When s' is collectively known, the KeySwitch protocol is used.

Protocol 3. KeySwitch
Public input: ct = (c_0, c_1) with var(ct) = σ_ct^2
Private input for P_i: s_i, s'_i
Public output: ct' = (c'_0, c_1)
Each party P_i:
1. samples e_i ← χ_CKS(σ_ct^2) and discloses h_i = (s_i − s'_i) c_1 + e_i
Out: from h = Σ_{P_j ∈ P} h_j, outputs ct' = (c'_0, c_1) = (c_0 + h, c_1)

After the execution of the KeySwitch protocol on input ct = (c_0, c_1), with c_0 + s c_1 = ∆m + e_ct where e_ct is the ciphertext's error, the parties have access to ct' such that

$$\mathrm{BFV.Dec}(s', ct') = \Big\lfloor \frac{t}{q}\Big[c_0 + \sum_j \big((s_j - s'_j) c_1 + e_j\big) + s' c_1\Big]_q \Big\rceil = \Big\lfloor \frac{t}{q}\big[c_0 + (s - s') c_1 + e_{CKS} + s' c_1\big]_q \Big\rceil = \Big\lfloor \frac{t}{q}\big[\Delta m + e_{ct} + e_{CKS}\big]_q \Big\rceil = m, \quad (6)$$

where e_CKS = Σ_j e_j, and where the last equality holds provided that ‖e_ct + e_CKS‖ < q/(2t); i.e., if the output ciphertext noise plus the protocol-induced noise remains within decryptable bounds.

The use of the KeySwitch protocol is limited to the cases where parties have collective knowledge of the output secret key s'. Yet, this might not be the case, for example, when considering an external receiver R for the key-switched ciphertext (we elaborate on external receivers in Section 5.1). This situation would require confidential channels between the receiver and each party in P, in order either (i) to collect decryption shares from all parties, or (ii) to distribute an additive sharing of its secret key to the system. However, (i) would become
When expensive for a large number of parties, and (ii) would only a public key is known, the PubKeySwitch protocol require R to trust at least one party in P. Furthermore, is used. confidential point-to-point channels might not fit the system model (e.g., on smart-contract systems). 4.5.1 Collective Key-Switching 4.5.2 Collective Public-Key Switching Protocol 3 (KeySwitch) details the steps for perform- ing a key switching when the input parties collectively Protocol 4 (PubKeySwitch) details the steps for key know the output secret key s0 . This protocol can be switching when the input parties know only a public used as a decryption protocol (s0 = 0) or for updating key for the output secret key s0 . As it requires only the access-structure (see Section 4.6), and it is the basis public input from the receiver, the PubKeySwitch en- for bridging MHE-based and LSSS-based approaches, as ables an external party (i.e., that is not part of an input explained in Section 4.7. access-structure) to obtain an output without the need for private channels with the parties. In Section 5.2, we
Multiparty Homomorphic Encryption from RLWE 299 Protocol 4. PubKeySwitch Protocol 5. ColBootstrap Public input: pk0 = (p00 , p01 ), ct = (c0 , c1 ), var(ct) = σct 2 Public input: a (from CRS), ct = (c0 , c1 ) var(ct) = σct2 Private input for Pi : si Private input for Pi : si Public output: ct0 = (c00 , c01 ) Public output: ct0 = (c00 , c01 ) with noise variance N σ 2 Each party Pi : Each party Pi 1. samples ui ← R3 , e0,i ← χCKS (σct 2 ), e 1,i ← χ and 1. samples Mi ← Rt , e0,i ← χCKS (σct 2 ), e 1,i ← χ and discloses discloses (h0,i , h1,i ) = (si c1 + ui p00 + e0,i , ui p01 + e1,i ) (h0,i , h1,i ) = (si c1 −∆Mi +e0,i , −si a+∆Mi +e1,i ) Out: from h0 = j h0,j and h1 = h1,j , P P Pj ∈P Out: from h0 = j h0,j and h1 = j h1,j , P P outputs ct0 = (c00 , c01 ) = (c0 + h0 , h1 ) outputs (c00 , c01 ) = ([b qt ([c0 + h0 ]q )e]t ∆ + h1 , a) discuss the benefits of this property when instantiating the MBFV as an MPC solution. Encryption-to-Shares (Enc2Share). Given an encryp- Let ct = (c0 , c1 ) be an input ciphertext such that tion (c0 , c1 ) of a plaintext m ∈ Rt , the parties can pro- c0 + sc1 = ∆m + ect and pk0 = (p00 , p01 ) be a public key duce an additive sharing of m over Rt by masking their such that p00 = −(s0 p01 + epk0 ). After the execution of the share in the decryption (i.e., KeySwitch with s0 = 0) PubKeySwitch protocol on ct with output public key pk0 , protocol: Each party Pi ∈ {P2 , PN } samples its own ad- the parties hold ct0 satisfying ditive share Mi ← Rt and adds a −∆Mi term to its decryption share hi before disclosing it. Party P1 does Dec(s0, ct0 ) not disclose its decryption share h1 and derives its own t additive share of m as X X sj c1+uj p00+e0,j +s0 uj p01+e1,j ]q e = b [c0 + q j j N X N X t M1 = BFV.Decrypt(s1 , (c0 + hi , c1 )) = m − Mi . = b [c0 +sc1 +up00 +s0 up01 +e0 +s0 e1 ]q e q i=2 i=2 t = b [∆m + ect + ePubKeySwitch ]q e = m, (7) Shares-to-Encryption (Share2Enc). 
Given a secret- q PN shared value m ∈ Rt such that m = i=1 Mi , the where ed = j ed,j for d = 0, 1, u = j uj , and the P P parties produce an encryption ct = (c0 , c1 ). To do so, total added noise ePubKeySwitch = e0 +s0 e1 +uepk depends each party Pi samples a from the CRS and produces a on both the protocol-induced and the target-public-key KeySwitch share for the ciphertext (∆Mi , a) with input noises. If kect +ePubKeySwitch k< q/(2t), Equation (7) holds. key 0 and output key s. The ciphertext centralizing the PN secret-shared value m is then ct = ( i=1 c0,i , a). This is equivalent to a multiparty encryption protocol. 4.6 Dynamic Access-Structure The scenario of parties joining and leaving the system 4.8 Collective Bootstrapping corresponds to a secret-key update and is handled by the KeySwitch and PubKeySwitch protocols. More specif- We combine the Share2Enc and Enc2Share protocols ically, we consider the task of transferring a ciphertext into a multiparty bootstrapping procedure (Protocol 5, from an input set of parties P to an output set P 0 . ColBootstrap) that enables the reduction of a ciphertext If P 0 ⊂ P, the parties in P − P 0 can simply use the noise to further compute on it. This is a crucial func- KeySwitch protocol with output key s0 = 0. Otherwise tionality for the BFV scheme, for which the centralized the parties use the PubKeySwitch protocol with pk0 set bootstrapping procedure is expensive. Intuitively, the to the collective public-key of P 0 . ColBootstrap protocol consists in a conversion from an encryption to secret-shares and back, implemented as a parallel execution of the Enc2Share and Share2Enc proto- 4.7 Bridging MPC Approaches cols. It is an efficient single-round interactive protocol The flexibility of the KeySwitch protocol can be har- that the parties can use during the evaluation phase, nessed to bridge the MHE-based and LSSS-based MPC instead of a computationally heavy bootstrapping pro- approaches. cedure. 
In practice, a broad range of applications would
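The protocols of Sections 4.5 to 4.8 (KeySwitch, PubKeySwitch, ColBootstrap) and the In/Eval/Out flow that Section 5.1 formalizes as Protocol 6, run end to end on a toy instance, as an added example; this is not code from the paper or from Lattigo. Everything in it is an assumption chosen for readability: the ring is n = 8, q = 2^60, t = 257 with schoolbook negacyclic multiplication (no NTT, no RNS, nowhere near a secure parameter set), the error distribution is a bounded uniform stand-in for χ, and the smudging noise is widened by 2^20 rather than by 2^λ so that it still fits the toy modulus. Every function name (key_switch, pub_key_switch, col_bootstrap, ...) is ours, not the library's API.

```python
"""Toy run of the MBFV key-switching protocols (Protocols 3, 4, 5) and of the MHE-MPC
In/Eval/Out flow of Section 5.1 over a tiny ring. Constructed example: n = 8, q = 2^60,
t = 257 are NOT secure parameters, and the smudging noise is widened by 2^20 instead of
the paper's 2^lambda (lambda = 128) so that it still fits the toy modulus."""
import random

n, q, t = 8, 1 << 60, 257            # R_q = Z_q[X]/(X^n + 1); plaintext ring R_t
DELTA = q // t
rng = random.Random(2021)            # fixed seed: the demo is reproducible

# ---- ring arithmetic on coefficient lists kept in [0, q) ----
def add(a, b): return [(x + y) % q for x, y in zip(a, b)]
def sub(a, b): return [(x - y) % q for x, y in zip(a, b)]
def neg(a): return [(-x) % q for x in a]
def const(c, a): return [(c * x) % q for x in a]
def mul(a, b):                       # schoolbook negacyclic convolution (X^n = -1)
    r = [0] * n
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            k = i + j
            if k < n: r[k] = (r[k] + x * y) % q
            else:     r[k - n] = (r[k - n] - x * y) % q
    return r
def total(polys):                    # the "Out" step of every protocol: sum of the disclosed shares
    r = [0] * n
    for p in polys: r = add(r, p)
    return r
def centered(a): return [x - q if x > q // 2 else x for x in a]
def norm(a): return max(abs(x) for x in centered(a))
def uniform(): return [rng.randrange(q) for _ in range(n)]            # CRS / public polynomials
def ternary(): return [rng.choice((-1, 0, 1)) % q for _ in range(n)]  # secrets in R_3
def error(bound=4): return [rng.randint(-bound, bound) % q for _ in range(n)]  # stand-in for chi
def smudge(nb): return error(nb << 20)   # chi_CKS(var(ct)) stand-in: far wider than the ciphertext noise nb
def decode(p): return [((2 * t * x + q) // (2 * q)) % t for x in centered(p)]  # round(t/q [p]_q) mod t

# ---- plain BFV pieces ----
def decrypt(s, ct): return decode(add(ct[0], mul(s, ct[1])))
def noise(s, ct):                    # c0 + s c1 - DELTA m; only a holder of s can see it
    return centered(sub(add(ct[0], mul(s, ct[1])), const(DELTA, decrypt(s, ct))))
def enc_key_gen(shares, a):          # EncKeyGen: cpk = (-(s a + e), a), summed over the parties' shares
    return (total(neg(add(mul(si, a), error())) for si in shares), a)
def encrypt(pk, m):
    u = ternary()
    return (add(add(mul(pk[0], u), error()), const(DELTA, m)), add(mul(pk[1], u), error()))

# ---- the multiparty protocols; a party only ever uses its own share s_i ----
def key_switch(shares_in, shares_out, ct, nb):   # Protocol 3: h_i = (s_i - s'_i) c1 + e_i
    h = total(add(mul(sub(si, so), ct[1]), smudge(nb)) for si, so in zip(shares_in, shares_out))
    return (add(ct[0], h), ct[1])
def pub_key_switch(shares_in, pk_out, ct, nb):   # Protocol 4: only pk' = (p'0, p'1) of the receiver is known
    h0, h1 = [], []
    for si in shares_in:
        u = ternary()
        h0.append(add(add(mul(si, ct[1]), mul(u, pk_out[0])), smudge(nb)))
        h1.append(add(mul(u, pk_out[1]), error()))
    return (add(ct[0], total(h0)), total(h1))
def col_bootstrap(shares, a, ct, nb):            # Protocol 5: Enc2Share and Share2Enc in one round
    h0, h1 = [], []
    for si in shares:
        M = [rng.randrange(t) for _ in range(n)]   # the party's additive mask M_i in R_t
        h0.append(add(sub(mul(si, ct[1]), const(DELTA, M)), smudge(nb)))
        h1.append(add(add(neg(mul(si, a)), const(DELTA, M)), error()))
    masked = decode(add(ct[0], total(h0)))       # public value m - sum(M_i) mod t: a one-time-pad of m
    return (add(const(DELTA, masked), total(h1)), a)

def demo(parties=3):
    shares = [ternary() for _ in range(parties)]   # s_i; no party ever assembles s = sum(s_i)
    s = total(shares)                              # assembled here only to measure noise for the demo
    cpk = enc_key_gen(shares, uniform())
    m = [(7 * i + 3) % t for i in range(n)]
    ct = encrypt(cpk, m)
    nb = norm(noise(s, ct))                        # the ciphertext noise level the system must track
    ct_dec = key_switch(shares, [[0] * n] * parties, ct, nb)   # s' = 0: collective decryption
    new_shares = [ternary() for _ in range(parties)]
    s_new = total(new_shares)                                  # again only for measuring noise
    ct_sw = key_switch(shares, new_shares, ct, nb)             # s' collectively held (Section 4.6)
    s_r, pk_r = ternary(), None                                # external receiver R with a plain BFV key pair
    pk_r = enc_key_gen([s_r], uniform())
    ct_pub = pub_key_switch(shares, pk_r, ct, nb)
    ct_bs = col_bootstrap(shares, uniform(), ct, nb)           # noise reset in one round, no bootstrapping circuit
    # MHE-MPC flow with f = x1 + x2: In (encrypt), Eval (homomorphic add, by anyone), Out (PubKeySwitch to R)
    x1, x2 = [5] * n, [9] * n
    c_eval = tuple(add(*pair) for pair in zip(encrypt(cpk, x1), encrypt(cpk, x2)))
    y = decrypt(s_r, pub_key_switch(shares, pk_r, c_eval, 2 * nb))   # noise bound of a sum: sum of bounds
    return {"m": m, "dec": decode(ct_dec[0]), "switched": decrypt(s_new, ct_sw),
            "pub": decrypt(s_r, ct_pub), "boot": decrypt(s, ct_bs), "y": y,
            "noise_before": norm(noise(s_new, ct_sw)), "noise_after": norm(noise(s, ct_bs)),
            "bound": q // (2 * t)}                                    # Eqs. (6) and (7) need noise < q/(2t)

if __name__ == "__main__":
    print(demo())
```

What the run makes visible is the shape the text describes: in every protocol a party publishes exactly one share computed from its own s_i plus fresh noise, and the output is the plain sum of the published shares, so nothing but public values crosses the wire. The smudging term dominates the noise of a key-switched ciphertext, which is the intended cost of hiding the input ciphertext's error, while the ColBootstrap output carries only fresh-encryption noise; both stay below q/(2t), the condition under which Equations (6) and (7) decrypt correctly.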
4.9 Packed-Encoding and Rotation Keys

One of the most powerful features of RLWE-based schemes is the ability to embed vectors of plaintext values into a single ciphertext. Such techniques, commonly referred to as packing, enable arithmetic operations to be performed in a single-instruction multiple-data fashion, where encrypted arithmetic results in element-wise plaintext arithmetic. Provided with public rotation keys, arbitrary rotations over the vector components [19] can be operated homomorphically. Generating these rotation keys (which are pseudo-encryptions of rotations of the secret key) can be done in the multiparty scheme, by means of a RotKeyGen sub-protocol. We do not detail this protocol, as it is a straightforward adaptation of EncKeyGen. This enables a vast family of homomorphically computable linear and non-linear transformations on ciphertexts. We will make use of rotations in the input-selection example circuit in Section 6.2.

4.10 Comparison with Multi-key-HE

Multi-key HE schemes, as introduced by López-Alt [44], enable the evaluation of homomorphic operations directly over ciphertexts encrypted under different secret keys. The access structure of these schemes can be seen as dynamic; they include on-the-fly each new party in the computation circuit. Hence, the schemes do not require the generation of a collective public encryption key. In their current instantiation, however, they require the generation of public relinearization and rotation keys whose size depends on the number of parties N. Furthermore, their ciphertext size and homomorphic-operation complexity also grow with N. Chen et al. [18] propose multi-key extensions for the BFV and CKKS schemes for which these dependencies are reported in Table 1.

Table 1. Comparison with the multi-key BFV: dependency in N
             Size                        Time
Scheme       Ciphertext   Switch. key    Mult.+Relin.   Rotate
[18]         O(N)         O(N)           O(N²)          O(N)
This Work    O(1)         O(1)           O(1)           O(1)

We observe that, when on-the-fly computation is not required by the application (e.g., the set of nodes is known in advance), threshold schemes result in a more efficient construction. However, note that the multi-key and threshold approaches are not mutually exclusive. Hybrid constructions, where the threshold scheme is used to emulate a single key within a multi-key setting, are promising ways of tailoring the access structure to the sought security and functionality requirements. For example, in an encrypted federated learning system, a fixed group of parties could train a model under threshold encryption and enable the prediction to be evaluated on-the-fly under multi-key encryption.

5 Secure Multiparty Computation

We discuss the instantiation of the MBFV scheme presented in Section 4 in a generic secure-multiparty-computation (MPC) protocol. Using MHE schemes to achieve MPC is not new [6, 24], but each new generation of HE schemes makes this approach more efficient and flexible. However, to the best of our knowledge, no generic MPC solution has been implemented yet to exploit those ideas. We discuss how MHE-based solutions can lead to a new generation of MPC systems, not only in the traditional peer-to-peer setting but also in the outsourced one, where parties are assisted by a semi-honest entity without relying on non-collusion assumptions such as those of the two-clouds model.

5.1 MBFV-Based MPC Protocol

Let P = {P_1, P_2, ..., P_N} be a set of N parties holding respective inputs (x_1, ..., x_N) and R be a receiver. Let C be a set of computing parties which may have non-empty intersection with P ∪ {R}. Given a public arithmetic function f over the parties' inputs, the MHE−MPC protocol (Protocol 6) privately computes y = f(x_1, ..., x_N) and outputs the result to R.

Semantic Security (informal). Let A ⊂ (P ∪ C ∪ R) be a set of corrupted parties (the adversary) in the MHE−MPC protocol where |A ∩ P| ≤ N − 1. We require that the adversary does not learn anything more about {x_i}_{P_i ∉ A} than that which can be learnt from its own inputs {x_i}_{P_i ∈ A} and, if R ∈ A, from the output.

Protocol 6. MHE−MPC
Public input: f the ideal functionality, pp the public parameterization, pk_R the receiver's public key
Private input: x_i for each P_i ∈ P
Output for R: y = f(x_1, x_2, ..., x_N)
Setup: the parties instantiate the MBFV scheme
  sk_i ← BFV.SecKeyGen(pp),
  cpk ← MBFV.Π_EncKeyGen(sk_1, ..., sk_N),
  rlk ← MBFV.Π_RelinKeyGen(sk_1, ..., sk_N),
In: each P_i encrypts its input and sends it to C
  c_i ← BFV.Encrypt(cpk, x_i),
Eval: C computes the encrypted output and sends it to the parties in P
  c' ← BFV.Eval(f, c_1, c_2, ..., c_N),
Out: the parties in P re-encrypt the output under the receiver's key
  c'_R ← MBFV.Π_PubKeySwitch(sk_1, ..., sk_N, pk_R, c').

MHE−MPC Protocol Overview. The Setup step instantiates the MBFV scheme. It is independent from the rest of the protocol: It has to be run only once for a given set of parties and a given choice of public cryptographic parameters pp = (t, n, q, σ, B). Whereas this step can resemble the offline phase of the LSSS-based approaches, it is fundamentally different in that it produces public keys that can be used for an unlimited number of circuit evaluations. This implies that the Setup step does not directly depend on the number of multiplication gates in the circuit, but on the maximum circuit depth the parties want to support. This is because the encryption scheme has to be parameterized to support a sufficient homomorphic capacity.

The In step corresponds to the input phase: The parties use the plain BFV.Encrypt algorithm to encrypt their inputs and provide them to C for evaluation.

The Eval step consists in the evaluation of the circuit representation of f, using the BFV.Eval set of homomorphic operations. As this step requires no secret input from the parties, it can be performed by any semi-honest entity C. In purely peer-to-peer settings, the parties themselves assume the role of C, either by distributing the circuit computation, or by delegating it to one designated party. In the cloud-assisted setting, a semi-honest cloud provider can assume this role. Although it is frequent to define the role of computing party in current MPC applications [4, 5, 37], it is usually a part of the N-party to 2-party problem reduction that introduces non-collusion assumptions. In the MHE−MPC protocol, the computing parties are not required to be part of the computation data access structure, thus removing the need for such assumptions.

The Out step enables the receiver R to obtain its output. This requires collaboration among the parties in P to re-encrypt the output under the key of R. This is achieved with the PubKeySwitch protocol, which does not require online interaction between the input parties and the receiver.

MHE−MPC Protocol Security. Provided that the Setup phase correctly (see Equations (4) and (5) in Section 4) and securely (see Appendix B.1) generates the BFV keys, the private inputs are encrypted as valid BFV ciphertexts during the computation (the In and Eval steps). Hence, the MHE−MPC protocol security in the semi-honest model can be formulated as a composition theorem (see Theorem 2 in Appendix B.2).

5.2 Feature Analysis

In the following subsections, we discuss the properties of the MHE−MPC protocol, as well as the various system models these properties enable.

5.2.1 Public Non-interactive Circuit Evaluation

Although the homomorphic operations of HE schemes are computationally more expensive than local operations of secret-shared arithmetic, the former do not require private inputs from the parties. Hence, as long as no output or collective bootstrapping is needed, the circuit evaluation procedure is non-interactive and can be performed by any semi-honest entity. This not only enables the evaluation to be efficiently distributed among the parties in the usual peer-to-peer setting but also enables new computation models for MPC:

Cloud-Outsourced Model. The homomorphic circuit evaluation can be outsourced to a cloud-like service, by providing it with the inputs and the necessary evaluation keys. The parties can arbitrarily go offline during the evaluation and reconnect for the final output phase. In this model, the overhead for each input party is independent of the total number of parties. Hence, resource-constrained parties can take part in MPC tasks involving thousands of other parties. We demonstrate two instances of the cloud setting as a part of our evaluation (Sections 6.3 and 6.2).

Smart Contracts. A special case of an outsourced MPC task is the execution of a smart contract over private data; this is feasible by means of the MHE-based MPC solution. In this scenario, the contract stakeholders (any party that has a private input to the contract) are the MHE secret-key owners, and the smart-contract platform acts as an oblivious contract evaluator.

5.2.2 Public-Transcript Protocols

All the protocols of Section 4 have public transcripts, which removes the need for direct party-to-party communication. Hence, not only the evaluation step, but the whole MHE−MPC protocol can be executed over any public authenticated channel. This also brings new possibilities in designing MPC systems:

Efficient Communication Patterns. The presented protocols rely solely on the ability of the parties to publicly disclose their shares and to aggregate them. This gives flexibility for using efficient communication patterns: The parties can be organized in a topological way, as nodes in a tree, where each node interacts solely with its parent and children nodes. We observe that for all the protocols, the shares are always combined by computing their sum. Hence, for a given party in our protocols, a round consists in
Gen: computing its own share in the protocol,
Agg: collecting and aggregating the share of each of its children and its own share,
Out: sending the result up the tree to its parent, or outputting it.
Such an execution enables the parties to compute their shares in parallel and results in network traffic that is constant at each node. By trading off some latency, the inbound traffic can be kept low by ensuring that the branching factor of the tree (i.e., the number of children per node) is manageable for each node. As the share aggregation can also be computed by any semi-honest third party, the tree can contain nodes that are not part of P (i.e., nodes that would not have input in the MPC problem and have no share of the ideal secret key) and are simply aggregating and forwarding their children's shares. We demonstrate the efficiency of the tree topology in the multiplication-triple generation example benchmark in Section 6.4.

Cloud-Assisted MPC Model. The special case of a single root node that does not hold a share of the key can be mapped to a cloud-assisted setting where parties run the protocols interacting solely with a central node. This model complements the circuit-evaluation outsourcing feature by removing the need for synchronous and private party-to-party communication and the need for the input parties to be online and active for the protocol to progress. Hence, the cloud-assisted MHE−MPC protocol has a clear advantage in terms of tolerance to unreliable parties, which is a significant step toward large-scale MPC. We use the cloud-assisted model for the first two example circuits of Section 6 and demonstrate its practicality for computations involving thousands of parties. Adapting the multiparty BFV scheme (Section 4) to a T-out-of-N threshold scheme is a natural next step to address the challenge of parties going offline for an arbitrary amount of time; indeed, the security requirements of the application must then tolerate a weaker access structure.

5.3 Current Limitations

We discuss the current limitations of the MHE−MPC protocol and outline potential solutions. We observe that our proposed MBFV scheme is not the source of these limitations. Instead, they are current constraints of the MHE-based MPC approach that were not addressed in this work.

5.3.1 Arithmetic Circuits

A purely MHE-based MPC solution is indeed limited to computing arithmetic functions over its plaintext space. The MBFV plaintext space, (R_t[X], +, ×), is particularly suited for expressing vector and matrix arithmetic, due to the ability to rotate vectors of Z_t elements. Furthermore, analytic functions such as sin(x) or e^x can be efficiently evaluated through polynomial approximations. Although mapping application-specific functionalities to this computing model and finding the appropriate parameters is still a fairly manual process, the current effort in HE compilers will significantly simplify it [54].

Non-arithmetic functions such as comparisons and branching programs constitute a more fundamental limitation that also applies to LSSS-based MPC. However, the compilers of these solutions already propose workarounds, either by mapping them back to an arithmetic representation or by accepting the conditional-variable leakage.

As the sets of functions supported by the LSSS- and MHE-based approaches continue to grow, we expect that each system will have its own strengths and weaknesses. Hence, the ability to switch between the two representations with the Enc2Share and Share2Enc protocols is pivotal.
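The Gen/Agg/Out round of Section 5.2.2 over a tree of parties, with per-node traffic accounting, as an added example that is not code from the paper or from Lattigo. Its assumptions: a share is an integer modulo a fixed prime standing in for the R_q share a party would disclose; the root is a non-party aggregator holding no share, as in the cloud-assisted model; and the tree is filled breadth-first to a chosen branching factor. The names (Node, build_tree, run_round, aggregate) are ours.

```python
"""Tree-shaped aggregation of one protocol round (Gen / Agg / Out) with per-node traffic accounting.
Constructed example: integer shares mod MOD stand in for the R_q shares of the paper, and the
root is a non-party aggregator (the cloud-assisted case), so it contributes no share of its own."""
from collections import deque

MOD = (1 << 61) - 1   # toy modulus for the shares; any fixed modulus works for the counting argument

class Node:
    def __init__(self, name, share=None, level=0):
        self.name, self.share, self.level = name, share, level   # share is None for a non-party node
        self.children, self.inbound = [], 0                       # inbound: messages received this round

def build_tree(party_shares, branching, root_name="cloud"):
    """Attach the parties in breadth-first order so that no node has more than `branching` children."""
    root = Node(root_name)
    queue = deque([root])                      # nodes that may still accept children, oldest first
    for name, share in party_shares:
        while len(queue[0].children) >= branching:
            queue.popleft()
        node = Node(name, share, queue[0].level + 1)
        queue[0].children.append(node)
        queue.append(node)
    return root

def run_round(node):
    """Gen: own share (zero for a non-party node); Agg: add each child's result; Out: return it upward."""
    partial = 0 if node.share is None else node.share % MOD
    for child in node.children:
        partial = (partial + run_round(child)) % MOD   # one inbound message per child, summed as received
        node.inbound += 1
    return partial                                      # exactly one outbound message per node

def aggregate(party_shares, branching):
    """Run one round and report the aggregate, the worst inbound load, and the tree depth (latency)."""
    root = build_tree(party_shares, branching)
    result = run_round(root)                   # at the root, "Out" means outputting the aggregate
    stack, max_inbound, depth = [root], 0, 0
    while stack:
        v = stack.pop()
        max_inbound, depth = max(max_inbound, v.inbound), max(depth, v.level)
        stack.extend(v.children)
    return {"sum": result, "max_inbound": max_inbound, "depth": depth}

if __name__ == "__main__":
    shares = [(f"P{i}", i * 7919) for i in range(1, 1001)]   # constructed shares for 1000 parties
    print(aggregate(shares, branching=4))      # no node receives more than 4 shares; 5 levels deep
    print(aggregate(shares, branching=1000))   # star topology: the root receives all 1000 shares
```

Because every protocol of Section 4 combines shares by summation, the aggregate is the same whatever the tree shape; what changes is the load profile. Each node sends one message regardless of N, its inbound traffic is bounded by the branching factor, and the price paid is a number of sequential hops equal to the depth. The star (branching factor N) is the single-root cloud-assisted case with the whole inbound load at the root.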
5.3.2 Active Adversary Model

Zero-knowledge-proof systems for lattice-based schemes are another active research topic [14, 55], which is essential to extend the MHE−MPC protocol to active security. We observe that, as the local operations of the MBFV scheme are of relatively low depth, proving their correct execution in zero-knowledge is practical. Rotaru et al. propose an actively secure distributed-key generation procedure for the BGV cryptosystem [51] that, despite its performance impact, could be adapted to BFV.

Proving the correct execution of the homomorphic evaluation by the abstract computing party C, however, can be significantly more challenging and is circuit-dependent. As the MHE−MPC protocol has a public transcript, a trivial solution is to publish this transcript as a proof. But this non-compact solution might be unsatisfactory in some applications.

Presently, honest-but-curious is the de-facto threat model for cloud services, and passively secure MPC provides a way of protecting sensitive client data in these scenarios. In the peer-to-peer model, prototypes of such systems have been deployed in operational settings [49]. An example is the medical sector, where data collaborations are mutually beneficial and well-regulated, yet they legally require a certain level of data protection.

6 Performance Analysis

We implemented the multiparty BFV scheme in the Lattigo open-source library [1]. It provides Go implementations of the two most widespread RLWE homomorphic schemes, BFV and CKKS, along with their multiparty versions. The library uses state-of-the-art optimizations based on the Chinese remainder theorem [8]. In addition to around an order of magnitude of acceleration, the RNS variant enables a more efficient way (i) of representing the key-switching intermediary basis w [35] and (ii) of implementing the smudging technique through RNS modular reduction and rounding [27].

In order to analyze the performance of the MHE−MPC protocol in both the cloud-assisted and the peer-to-peer settings, we evaluate three generic yet powerful circuits. These circuits represent common building blocks for more complex functionalities (which we briefly discuss), yet they do not introduce advanced domain-specific requirements and constraints. Thus, these circuits enable a compact and reproducible comparison with a baseline system for generic MPC. For a more complex example, we refer the reader to the work of Froelicher et al., who used the CKKS implementation of our proposed scheme for machine-learning training and prediction tasks [31].

In the cloud-assisted setting, we consider two example circuits: (i) A multiparty input-selection circuit and its application to multiparty private-information retrieval (Section 6.2). (ii) The element-wise product of integer vectors and its application as a simple multiparty private-set-intersection protocol (Section 6.3). We compare the performance for both circuits against a baseline system that uses an LSSS-based approach: the MP-SPDZ library implementation [2] of the Overdrive protocol [39] for the semi-honest, dishonest-majority setting. In the peer-to-peer setting, we consider the task of generating Beaver multiplication triples (i.e., the "offline" phase of LSSS-based approaches, Section 6.4). We compare the performance against the SPDZ2K [23] Oblivious-Transfer-based and the Overdrive [39] HE-based triple-generation protocols.

6.1 Experimental Setup and Parameters

For the cloud-assisted setting, the client-side timings were measured on a MacBook Pro with a 3.1 GHz Intel i5 processor. The server-side timings were measured on a 2.5 GHz Intel Xeon E5-2680 v3 processor (2x12 cores). For the peer-to-peer setting, we run all parties on the latter machine, over the localhost interface. We measure the network-related cost in terms of the number of communicated bytes (upstream + downstream), which does not account for network-introduced delays. We observe that this could slightly advantage the baseline LSSS-based system, due to its non-constant number of rounds.

Cryptographic Parameters. Each experiment represents a different circuit and hence uses a different set of parameters (see Section 3.4). Therefore, we discuss the choice of parameters for each experiment. For convenience, we summarize all the parameters in Table 2, along with their security levels according to the HomomorphicEncryption.org standardization document [3].

Table 2. Experimental cryptographic parameters: Overview
Set    log2 t   log2 n   log2 q   log2 w   σ     sec. (bits)
I      32       13       218      26       3.2   128
II-A   32       14       438      110      3.2   128
II-B   16       14       438      110      3.2   128
II-C   16       15       880      180      3.2   128
III    32       13       218      55       3.2   128