Multiparty Homomorphic Encryption from Ring-Learning-with-Errors
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Proceedings on Privacy Enhancing Technologies ; 2021 (4):291–311
Christian Mouchet, Juan Troncoso-Pastoriza, Jean-Philippe Bossuat, and Jean-Pierre Hubaux
Multiparty Homomorphic Encryption from
Ring-Learning-with-Errors
Abstract: We propose and evaluate a secure-
multiparty-computation (MPC) solution in the semi-
1 Introduction
honest model with dishonest majority that is based on
Secure Multiparty Computation (MPC) protocols enable
multiparty homomorphic encryption (MHE). To sup-
a group of parties to securely compute joint functions
port our solution, we introduce a multiparty version
over their private inputs while enforcing specific secu-
of the Brakerski-Fan-Vercauteren homomorphic cryp-
rity guarantees throughout the computation. The exact
tosystem and implement it in an open-source library.
definition of security depends on how the adversary is
MHE-based MPC solutions have several advantages:
modeled, but the most common requirement, input pri-
Their transcript is public, their offline phase is com-
vacy, informally states that parties should not obtain
pact, and their circuit-evaluation procedure is non-
more information about other parties’ inputs than that
interactive. By exploiting these properties, the com-
which can be deduced from the output of the compu-
munication complexity of MPC tasks is reduced from
tation. Combining this strong security guarantee with
quadratic to linear in the number of parties, thus
a general functionality makes the study of MPC tech-
enabling secure computation among potentially thou-
niques highly relevant. This last decade has seen this
sands of parties and in a broad variety of comput-
established theoretical field evolve into an applied one,
ing paradigms, from the traditional peer-to-peer set-
notably due to its potential for securing data-sharing
ting to cloud-outsourcing and smart-contract technolo-
scenarios in the financial [12, 13], biomedical [37, 49] and
gies. MHE-based approaches can also outperform the
law-enforcement [10, 41] sectors, as well as for protect-
state-of-the-art solutions, even for a small number of
ing digital assets [5]. The use of passively-secure MPC
parties. We demonstrate this for three circuits: private
techniques in such scenarios has been demonstrated to
input selection with application to private-information
be effective and practical [4, 21, 37], notably in the med-
retrieval, component-wise vector multiplication with ap-
ical sector where data collaborations are mutually ben-
plication to private-set intersection, and Beaver mul-
eficial and well-regulated, yet they legally require a cer-
tiplication triples generation. For the first circuit, pri-
tain level of data-protection [21, 49].
vately selecting one input among eight thousand parties’
In the settings where no honest majority of parties
(of 32 KB each) requires only 1.31 MB of communica-
can be guaranteed, most of the currently implemented
tion per party and completes in 61.7 seconds. For the
MPC systems are based on secret-sharing [53] of the in-
second circuit with eight parties, our approach is 8.6
put data according to some linear secret-sharing scheme
times faster and requires 39.3 times less communication
(LSSS), and on interactive circuit evaluation protocols
than the current methods. For the third circuit and ten
[36]. These approaches have two practical limitations: (i)
parties, our approach generates 20 times more triples
standard protocols require many rounds of communica-
per second while requiring 136 times less communication
tion over private channels between the parties, which
per-triple than an approach based on oblivious transfer.
makes them inadequate for low-end devices and unre-
We implemented our scheme in the Lattigo library and
liable networks. (ii) current approaches require a per-
open-sourced the code at github.com/ldsec/lattigo.
party communication that increases linearly in the cir-
Keywords: secure multiparty computation, homomor- cuit size (that increases at least linearly in the number
phic encryption
DOI 10.2478/popets-2021-0071
Received 2021-02-28; revised 2021-06-15; accepted 2021-06-16. Juan Troncoso-Pastoriza: École polytechnique fédérale de
Lausanne, E-mail: juan.troncoso-pastoriza@epfl.ch
Jean-Philippe Bossuat: École polytechnique fédérale de
Lausanne, E-mail: jean-philippe.bossuat@epfl.ch
Jean-Pierre Hubaux: École polytechnique fédérale de Lau-
Christian Mouchet: École polytechnique fédérale de Lau- sanne, E-mail: jean-pierre.hubaux@epfl.ch
sanne, E-mail: christian.mouchet@epfl.chMultiparty Homomorphic Encryption from RLWE 292
of parties). Hence, this quadratic factor quickly becomes nantly implemented in generic MPC solutions [5, 36],
a bottleneck for large numbers of parties. consists in applying secret-sharing [53] to the input
Homomorphic encryption (HE) techniques are well- data. (b) Multiparty encryption schemes (for short:
known for reducing the communication complexity of MHE-based), use a homomorphic scheme to encrypt and
MPC [24, 30], especially in their various threshold exchange the input data, that can then be computed on
and multi-key variants that we generally refer to as non-interactively with encrypted arithmetic.
multiparty-HE (MHE). However, in spite of several such LSSS-based MPC (a). Most of the available generic
schemes proposed by the cryptographic community, the MPC solutions, such as Sharemind [11] and SPDZ
most widely known being the MHE scheme of Asharov [25, 26, 39], apply secret-sharing to the input data.
et al. [6], no concrete MPC solution implementing a The evaluation of arithmetic circuits is generally en-
generic MHE-based MPC protocol has been built yet. abled by the homomorphism of the LSSS, or by inter-
Instead, the use of HE in MPC is mostly confined to active protocols (when no such homomorphism is avail-
the offline pre-computations of protocols based on lin- able); the most widely implemented protocol is Beaver’s
ear secret-sharing schemes (LSSS) [39]. We argue that triple-based protocol [9]. The strength of approach (a)
homomorphic encryption has reached the required level is to enable evaluation through only simple and efficient
of usability to play a larger role in the online phase of primitives in terms of which the circuit can be decom-
MPC protocols and to enable new applications. posed by code-to-protocol compilers, thus strengthening
We propose, implement, and evaluate a new in- usability. However, this approach imposes two practi-
stance of the MHE-based MPC protocol in the passive- cal constraints: First, the interactive protocols at each
adversary with dishonest-majority model. We make the multiplication gate require all parties to be online and
following contributions: active during the whole computation and to exchange
– We propose a novel multiparty extension of the BFV messages with their peers at a high frequency that is
homomorphic encryption scheme (Section 4). We fol- determined by the round complexity of the circuit. Sec-
low the blueprint of Asharov et al. [6] and adapt it ond, the triple-based multiplication protocol requires a
to the ring-learning-with-errors (RLWE) assumptions prior distribution of one-time triples; this can be per-
and to the BFV scheme. We also introduce novel formed in a pre-computing phase, either by a trusted
single-round protocols for bridging between the MHE- third-party or by the parties themselves. The latter
and LSSS-based approaches and for bootstrapping a peer-to-peer case can also be formulated as an indepen-
BFV ciphertext in multiparty settings. dent, yet equivalent, MPC task (generating the triples
– We instantiate our MHE scheme into a generic MPC requires multiparty multiplication). Hence, these ap-
protocol (Section 5) and show that this approach proaches are hybrids that generate the triples by using
has several advantages over their LSSS-based coun- techniques such as oblivious transfer [38], plain HE [39]
terparts: Notably, its per-party communication com- or multiparty-HE [26] in an offline phase.
plexity is only linear in the circuit’s inputs and out- As a result of the aforementioned constraints, many
puts, and its execution does not require private party- current applications of LSSS-based MPC target the out-
to-party communication channels. sourced models where the actual computation is dele-
– We demonstrate the efficiency of the latter instan- gated to two parties [4, 21, 22, 37, 46, 47] that are as-
tiation for three example MPC circuits (Section 6). sumed not to collude (e.g., the two-cloud model). Un-
We implemented and open-sourced our scheme in the fortunately, this assumption might not be realistic in
Lattigo library [1]. some contexts where the parties are required to have
With these contributions, our work bridges the gap be- an active role in enforcing the access control over their
tween the existing theoretical work on MHE-based MPC data (e.g., by law).
and its application as privacy-enhancing technologies. MHE-based MPC (b). In this approach, the par-
ties use an HE scheme to encrypt their inputs, and the
computations are performed using the scheme’s homo-
morphic operations. To preserve the inputs’ privacy, the
2 Related Work scheme’s secret key is securely distributed among the
parties and the decryption requires the collaboration
We classify N -party dishonest-majority MPC ap-
between the parties. We use the term multiparty en-
proaches in two categories: (a) Linear secret-sharing at
cryption scheme to designate these constructions in a
data level (for short: LSSS-based), which is predomi-
general way (we provide a definition in Section 3.1).Multiparty Homomorphic Encryption from RLWE 293
The idea of reducing the volume of interaction κ and require that the probability of incorrect decryp-
in MPC by using threshold homomorphic-encryption tion must be a negligible function in κ.
can be traced back to a work by Franklin and Haber
[30], later improved by Cramer et al. [24]. At that
time, the lack of homomorphic schemes that preserve 3.1 Multiparty Homomorphic Encryption
two distinct algebraic operations ruled out complete
non-interactivity at the evaluation phase, thus render- Let P = {P1 , P2 , . . . , PN } be a set of N parties; a multi-
ing these approaches less attractive than approach (a). party homomorphic encryption-scheme over P is an HE
Recently, task-specific instances that use multiparty scheme in which the secret-key is an N -party function
additive-homomorphic encryption have been successful S(sk1 , sk2 , ..., skN ). The structure of S determines the
in supporting use-cases in distributed machine learning Access Structure of the MHE scheme, which we define as
[32, 56], thus highlighting the potential that a generic the set S ⊂ PowerSet(P) of all groups of parties that can
and usable fully homomorphic encryption (FHE) [33] collectively reconstruct the secret-key. Indeed, S should
solution could have. This is the idea behind the line never be disclosed in practice. Instead, each operation
of work by Asharov et al. [6] and López-Alt et al. [43]. Op of the single-party scheme that requires the secret-
These contributions propose various multiparty schemes key is expressed as a multiparty protocol ΠOp .
in which the secret-key is additively shared among the Let M be a plaintext space with arithmetic struc-
parties, and they analyze the theoretical MPC solution ture, a Multiparty HE scheme over M is a tuple MHE =
these schemes enable. Although of great interest, this (Setup , SecKeyGen , ΠPubKeyGen , Enc , ΠDec , Eval)
line of work did not find as much echo in applications of algorithms and multiparty protocols.
as approach (a) has. One possible reason was the lack – Setup: pp ← MHE.Setup(λ, κ). Takes the security
of available and efficient implementations of Learning and homomorphic capacity parameters and outputs
with Errors [50] (LWE) -based homomorphic schemes, a public parameterization. pp is an implicitly argu-
in terms of which these schemes were presented. Today, ment to the other procedures.
multiple ongoing efforts aim at standardizing homomor- – Key Generation: The parties Pi ∈ P generate
phic encryption [3] and at making its implementations ski ← MHE.SecKeyGen() and take part in the mul-
available to a broader public. This new generation of tiparty protocol pk ← MHE.ΠPubKeyGen (sk1 , ..., skN ).
schemes is based mostly on the Ring Learning with Er- Outputs a key pair (ski , pk) to each party.
rors (RLWE) problem [45] and has brought HE from – Encryption: ct ← MHE.Enc(m, pk). Given a public-
being practical to being efficient. key pk, and a plaintext message m ∈ M, outputs a
We argue that MHE-based approaches are now ef- ciphertext encrypting m under S(sk1 , sk2 , ..., skN ).
ficient and flexible enough to support more than the – Evaluation: ctres ← MHE.Eval(f, pk, ct1 , ..., ctl ).
offline phase of LSSS-based approaches. Therefore, we Given an arithmetic function f : MI → M, the
bring the theoretical work on multiparty schemes [6] to public key pk and a I-tuple of ciphertexts encrypt-
RLWE cryptography and to an open-source implemen- ing (m1 , ..., mI ) ∈ MI , outputs a result ciphertext
tation, and evaluate it as an MPC solution. encrypting mres = f (m1 , ..., mI ).
– Decryption: m ← MHE.ΠDec (ct, sk1 , ...skN ). Given
a ciphertext ct encrypting m and their respective key
ski , the parties take part in the decryption multiparty
3 Background protocol. Outputs m.
We provide a general definition of the multiparty homo- Semantic Security (informal). We require that for all
morphic encryption (MHE) primitive, relate this prim- adversarial subsets of parties A ∈
/ S, for any two mes-
itive to the MPC setting and recall the plain BFV HE sages m1 , m2 ∈ M, the advantage of the adversary in
scheme that we extend to the MHE in Section 4. We distinguishing between distributions MHE.Enc(pk, m1 )
consider an abstract security parameter λ and require and MHE.Enc(pk, m2 ) should be smaller than 2−λ .
that an adversary’s advantage in attacking the schemes
Correctness (informal). We require that, for
must be a negligible function in λ. HE schemes also re-
all arithmetic functions f : MI → M, there
quire proper parameterization to support the evaluation
exist a public parametrization pp such that
of the desired circuits. We model this dependency by in-
MHE.ΠDec (MHE.Eval(f, pk, ct1 , ..., ctI ), sk1 , ..., skN ) =
troducing an abstract homomorphic capacity parameter
f (m1 , ..., mI ) holds with probability larger than 1−2 . −κMultiparty Homomorphic Encryption from RLWE 294
Access-structure Families. We distinguish between the sampling of an element a ∈ R according to α, and
two types of MHE schemes: a ← R implicitly denotes uniform sampling in R. For a
– In threshold [28] or distributed encryption schemes, polynomial a, we denote its infinity norm by kak.
the secret-key S is set before the computation and
is fixed, hence so is the access structure set S. The
parties provide their inputs encrypted under S, hence 3.3 The BFV Encryption Scheme
the decryption is conditioned to the participation of
the parties according to the structure of S (which is We recall the plain Brakerski-Fan-Vercauteren [29]
often, but not necessarily, a secret-sharing scheme). scheme that we will extend in Section 4. It is a ring-
We use this approach for our proposed MHE scheme. learning-with-errors [45] scheme that supports both
– In multi-key encryption schemes [44], the secret-key additive and multiplicative homomorphic operations.
does not have to be defined before the evaluation and Due to its practicality, it has been implemented in
S is, instead, dynamic: The parties provide their in- most of the current lattice-based cryptographic libraries
puts encrypted under their own secret-key and the [1, 48, 52] and is part of the draft HE standard [3].
evaluation of homomorphic operations f : MI → M Scheme 1 details the most common instantiation
yields a result that is encrypted under an on-the-fly of the BFV scheme. The ciphertext space is Rq =
key S(sk1 , ..., skI ). Hence, only the parties involved in Zq [X]/(X n + 1), the quotient ring of the polynomials
a given computation are required to participate in the with coefficients in Zq modulo (X n + 1), where n is a
decryption of its output. power of 2. We use [− 2q , 2q ) as the set of representatives
In their RLWE instantiations, these two types of multi- for the congruence classes modulo q. Unless otherwise
party schemes have different structures for their cipher- stated, we consider the arithmetic in Rq and polynomial
text and public-key material, as well as different algo- reductions are omitted in the notation. The plaintext
rithmic complexity figures for their homomorphic oper- space is the ring Rt = Zt [X]/(X n + 1) for t < q. We
ations. In Section 4, we construct a distributed version denote ∆ = bq/tc, the integer division of q by t.
of the BFV scheme [29], and compare it to the multi-key The scheme is based on two kinds of secrets,
BFV scheme of Chen et al. [18] in Section 4.10. commonly sampled from small-normed yet different
distributions: The key distribution is denoted R3 =
MHE-based Generic MPC. The construction of pas-
Z3 [X]/(X n + 1), where coefficients are uniformly dis-
sively secure and MHE-based generic MPC protocols
tributed in {−1, 0, 1}. The error distribution χ over Rq
is natural from the MHE correctness and semantic se-
has coefficients distributed according to a centered dis-
curity properties: Given a circuit and the desired se-
crete Gaussian with standard deviation σ and truncated
curity properties, the parties can use an MHE-scheme
support over [−B, B] where σ and B are two cryptosys-
enforcing the sought access structure to encrypt their
tem parameters.
inputs (MHE.Enc), compute the circuit homomorphi-
The security of BFV is based on the hardness of the
cally (MHE.Eval), and collectively decrypt the output
decisional-RLWE problem [45] that is informally stated
(MHE.ΠDec protocol). We defer the detailed protocol de-
as follows: Given a uniformly random a ← Rq , a secret
scription and the discussion of its features to Section 5,
s ← R3 , and an error term e ← χ, it is computationally
where we instantiate it with the MHE-scheme proposed
hard for an adversary that does not know s and e to
in Section 4.
distinguish between the distribution of (sa + e, a) and
that of (b, a) where b ← Rq .
Encrypted arithmetic operations must preserve the
3.2 Notation
plaintext arithmetic. We denote BFV.Add and BFV.Mul
the homomorphic addition and multiplication, respec-
We denote [·]q the reduction of an integer modulo q,
tively, and we refer the reader to [29] for their imple-
and d·e, b·c, b·e the rounding to the next, previous, and
mentation. The BFV.Mul operation outputs a ciphertext
nearest integer respectively. When applied to polyno-
consisting of three Rq elements that can be seen as a de-
mials, these operations are performed coefficient-wise.
gree two ciphertext. This higher degree ciphertext can
We use regular letters for integers and polynomials, and
be further operated on and decrypted. Yet it is often
boldface letters for vectors of integers and of polyno-
desirable to reduce this degree back to one, by using
mials. aT denotes the transpose of a vector a. Given a
a BFV.Relinearize operation [29]. This operation is pub-
probability distribution α over a ring R, a ← α denotesMultiparty Homomorphic Encryption from RLWE 295
Scheme 1. BFV(t, n, q, w, σ, B) 3.4 Parameter Selection
Selecting the parameters for a given application con-
BFV.SecKeyGen(): Sample s ← R3 . Output: sk = s
stitutes a significantly more challenging task for
BFV.PubKeyGen(sk): homomorphic-encryption schemes than for traditional
Let sk = s. Sample p1 ← Rq , and e ← χ. Output: encryption. Although the standardization document [3]
is a good basis for mapping the subset of commonly
pk = (p0 , p1 ) = (−sp1 + e, p1 ) used parameter values to bit-security levels, mapping
the correctness and efficiency requirements to concrete
BFV.RelinKeyGen(sk, w): parameters in a systematic way is still an open question
Let sk = s. Sample r1 ← Rql , e ← χl . Output: in FHE research: it goes beyond the scope of this work.
Nowadays, we see the rise of compilers for HE [54] that
rlk = (r0 , r1 ) = (s2 w − sr1 + e, r1 ) will, as they evolve, automate this process.
We describe the common heuristic approach for se-
BFV.Encrypt(pk, m): lecting BFV parameters; the one we used for the evalu-
Let pk = (p0 , p1 ). Sample u ← R3 and e0 , e1 ← χ. ation of our work (Section 6). The task consists in find-
Output: ct = (∆m + up0 + e0 , up1 + e1 ) ing (t, n, q, w, σ, B) that satisfy the required security and
homomorphic-capacity parameters (λ, κ) for the set of
BFV.Decrypt(sk, ct):
considered homomorphic circuits. The standardization
Let sk = s, ct = (c0 , c1 ). Output:
document and most implementations fix the noise stan-
t dard deviation and bound to σ ≈ 3.2 and B ≈ 20,
m0 = [b [c0 + c1 s]q e]t
q respectively. Hence, only the ring degree n, plaintext-
space and ciphertext-space moduli t and q, and the de-
lic but requires the generation of a specific public key,
composition basis w remain to be determined.
referred to as the relinearization key (rlk).
The message-space characteristics of the application
The decryption of a ciphertext (c0 , c1 ) can be seen
usually sets t directly, by considering the bit-width of
as a two-step process. The first step requires the secret
the input values. The targeted set of homomorphic cir-
key to compute a noisy plaintext in Rq as
cuits constrain q and n: Choosing larger q permits larger
[c0 + sc1 ]q = ∆m + ect , (1) circuit depth (Equation (2)) but also reduces the hard-
ness of the RLWE problem. Choosing larger w reduces
where ect is the ciphertext overall error, or ciphertext the noise incurred by Relinearize (hence enables smaller
noise. In the second step, the message is decoded from q) and increases its computation cost and the rlk size.
the noisy term in Rq to a plaintext in Rt , by rescaling Choosing larger n increases the security (hence enables
and rounding larger q for a fixed security level) but has a significant
t impact on the cost incurred by polynomial multiplica-
[b (∆m + ect )e]t = [bm + at + ve]t , (2) tion. Hence, the most common strategy is to set q and w
q
experimentally, as an acceptable trade-off for the appli-
where m ∈ Rt , a has integer coefficients, and v has co- cation, then to choose the smallest power-of-two n for
efficients in Q. Provided that kvk < 21 , Eq. (2) out- the desired security level.
puts m. Hence, the correctness of the scheme is con-
ditioned on the noise magnitude kect k that must be
q
kept below 2t throughout the homomorphic computa-
tion, notably by choosing a sufficiently large q. To pre- 4 The Multiparty BFV Scheme
serve this condition when multiplying with the rlk (as
a part of BFV.Relinearize), ciphertexts are temporarily We introduce a novel multiparty version of the
decomposed in a basis w < q and the product is per- Brakerski-Fan-Vercauteren (BFV) cryptosystem [29].
formed on each element of the decomposition [29]. We Although formulated for the BFV scheme, the intro-
write l = dlogw (q)e the number of coefficients in this duced protocols can be straightforwardly adapted to
decomposition, and w = (w0 , w1 , ..., wl−1 )T the base-w other RLWE-based cryptosystems, such as BGV [16] or
reconstruction vector. the more recent CKKS [20], which enables homomorphic
approximate arithmetic. We implemented both multi-Multiparty Homomorphic Encryption from RLWE 296
party versions for the BFV and CKKS schemes in the MBFV KeySwitch-correctness. For all arithmetic func-
Lattigo open-source library [1]. Our approach follows tions f : RtI → Rt over the parties’ inputs m1 , . . . , mI ,
the blueprint of the LWE-based protocols by Asharov there exist pp = (t, n, q, w, σ, B) such that for sk0 =
et al. [6], and introduces several improvements to their S 0 (sk01 , ..., sk0N ) an output secret-key and
schemes. In particular, we propose a novel procedure for
the generation of relinearization keys that adds signif- ski ← BFV.SecKeyGen() i ∈ 1...N,
icantly less noise in the output key. We also propose a cpk, rlk ← ΠEncKeyGen (sk1 , ..., skN ), ΠRelinKeyGen (sk1 , ..., skN ),
generalization of the distributed decryption procedure, cti ← BFV.Enc(cpk, mi ) i ∈ 1...I,
from which we derive novel protocols that bridge be-
ctf ← BFV.Eval(f, rlk, ct1 , ..., ctI ),
tween the MHE-based and LSSS-based MPC protocols
and that enable the practical bootstrapping of a BFV ct0f ← MBFV.ΠKeySwitch (ct0P , sk01 , ..., sk0N , sk1 , ..., skN ),
ciphertext.
it holds that Pr[BFV.Dec(sk0 , ct0f )6=f (m1 , ..., mI )]< 2−κ .
In the next subsections, we reformulate all the
secret-key-dependent operations of the original BFV
The PubKeySwitch-correctness property can be di-
scheme as secure N -party protocols. We refer to the
rectly derived from the previous definition by comput-
original centralized scheme as the ideal scheme: the
ing a public key for sk0 and replacing ΠKeySwitch by
ideal centralized functionality that is emulated in a
ΠPubKeySwitch .
multiparty setting. By extension, we refer to sk =
S(sk1 , ..., skN ) as the ideal secret key, because it exists MBFV Semantic Security. For all subsets of at most
as such only through interaction between the parties. N − 1 passive adversaries in P, for any two messages
m1 , m2 ∈ Rt , the advantage of the adversary in dis-
tinguishing between distributions BFV.Enc(cpk, m1 ) and
4.1 Scheme Overview BFV.Enc(cpk, m2 ) should be smaller than 2−λ .
As a result, the security properties of the MBFV
Let P be a set of N parties that have access scheme is that of a N-out-of-N threshold encryption
to an authenticated channel and to a random scheme. We now detail each of its underlying protocols.
common reference string (CRS) [17]. Our pro-
posed multiparty BFV scheme is a tuple MBFV =
(ΠEncKeyGen , ΠRelinKeyGen , ΠKeySwitch , ΠPubKeySwitch ) that 4.2 Ideal-Secret-Key Generation
extends the BFV scheme:
– Setup: Select pp ← (t, n, q, w, σ, B), the parameters Our scheme uses an additive structure for the combined
of the BFV scheme. secret-key, denoted as s in the following. We denote si
– Key Generation: Each party Pi ∈ P generates the secret key share of party Pi , thus
its share ski ← BFV.SecKeyGen() of sk and takes " #
part in the cpk ← MBFV.ΠEncKeyGen (sk1 , ..., skN ) and
X
sk = s = si . (3)
rlk ← MBFV.ΠRelinKeyGen (sk1 , ..., skN ) multiparty pro- Pi ∈P q
tocols with output (cpk, rlk).
– Encryption: The usual BFV.Encrypt procedure is We propose a simple ideal-secret-key generation
used to encrypt messages under sk given the cpk. procedure in which each party samples independently
– Evaluation: The usual BFV.Eval set of homomorphic its own share as si = BFV.SecKeyGen(). Thus, the ideal
operations is used to evaluate functions given rlk. secret-key is generated in a non-interactive way. The
– Key-switching: norm of the resulting ideal secret key grows with O(N ),
ct0 ← ΠKeySwitch (ct, sk01 , ..., sk0N , sk1 , ..., skN ). Given a which has an effect on the noise growth (analyzed in Ap-
ciphertext ct encrypted under the ideal secret-key sk pendix A). By using techniques such as those described
and an output ideal secret-key sk0 = S 0 (sk01 , ...sk0N ), in [51], it might be possible to generate ideal secret keys
the parties re-encrypt ct under sk0 . in R3 as if they were produced in a trusted setup (e.g.,
– Public-key-switching: as an additive secret-sharing of a usual BFV secret-key
ct0 ← ΠPubKeySwitch (ct, pk0 , sk1 , ..., skN ). Given a ci- over Rq ). However, this would introduce the need for
phertext ct under sk and an output public-key pk0 private channels between the parties.
for secret-key sk0 , the parties re-encrypt ct under sk0 .Multiparty Homomorphic Encryption from RLWE 297
4.3 Collective Encryption-Key Generation Protocol 1. EncKeyGen
The collective encryption-key generation, detailed in Public Input: p1 (common random polynomial)
Protocol 1, emulates the BFV.PubKeyGen procedure. In Private Input for Pi : si = ski (secret key share)
addition to the public parameters of the cryptosystem Public Output: cpk =(p0 , p1 ) (collect. encrypt. key)
(which we will omit in the following), the procedure re- Each party Pi :
quires a public polynomial p1 , uniformly sampled in Rq , 1. samples ei ← χ and discloses p0,i = −p1 si + ei
to be agreed upon by all the parties. For this purpose,
Out: from p0 = Pj ∈P p0,j , outputs cpk = (p0 , p1 )
P
they sample its coefficients from the common reference
string (CRS). In the passive-adversary model, the CRS
Protocol 2. RelinKeyGen
can be implemented by any keyed pseudorandom func-
tion. We used BLAKE2b [7] in our implementation. Public Input: a ∈ Rql and w the decomposition basis
After the execution of the EncKeyGen protocol, the Private Input of Pi : si = ski
parties have access to the collective public key Output: rlk = (r0 , r1 )
Each party Pi :
X X X
cpk = p0,i q , p1 = −( si )p1 + ei q , p1 ,
Pi ∈P Pi ∈P Pi ∈P 1. samples ui ← R3 , e0,i , e1,i ← χl and discloses
(4) (h0,i , h1,i ) = (−ui a + si w + e0,i , si a + e1,i )
that has the same form as the ideal public key pk in
2. from h0 = Pj ∈P h0,j and h1 = Pj ∈P h1,j ,
P P
Scheme 1, with larger worst-case norms ksk and kek.
The norm grows only linearly in N hence is not a con- sample e2,i , e3,i ← χl and discloses
0 0 ) = (s h + e
cern (as shown in Appendix A), even for large number (h0,i , h1,i i 0 2,i , (ui − si )h1 + e3,i )
of nodes. Another notable feature of the EncKeyGen pro- Out: from h00 = Pj ∈P h0,j
P 0 and h10 = Pj ∈P h1,j
P 0 ,
tocol is that it would apply to any kind of linear sharing outputs rlk = (h0 + h1 , h1 )
0 0
of s, as long as the shares are valid RLWE secrets and
the norm of the reconstruction is small enough. This After completing the RelinKeyGen protocol, the par-
includes uniformly random sharing over Rq of a tradi- ties have access to a relinearization key of the form
tional BFV secret key in R3 .
rlk = (r0 , r1 ) = (−sb + s2 w + se0 + e1 + ue2 + e3 , b ),
(5)
where b = sa + e2 and ek = j ek,j for k = 0, 1, 2, 3.
P
4.4 Relinearization-Key Generation
Hence, compared to the keys generated with the ap-
Protocol 2 (RelinKeyGen) emulates the centralized proach of Asharov et al., our keys have lower error in r0
BFV.RelinKeyGen. Informally, it produces pseudo- and no error at all in r1 (i.e., they have the same form
encryptions of s2 wb for each power b = 0, ..., l − 1 of as those of the centralized scheme). This significantly
the decomposition basis parameter w. It requires a pub- reduces the noise induced by relinearization.
lic input a, uniformly sampled in Rql from the CRS. A relevant feature of the proposed RelinKeyGen pro-
We use vector notation to express that these pseudo- tocol is its independence from the actual decomposition
encryptions are generated in parallel for every element basis w: It is compatible with other decomposition tech-
of the decomposition base w = (w0 , w1 , ..., wl−1 )T . niques, such as the one used for Type II relinearization
Asharov et al. proposed a method to produce re- [29], those based on the Chinese Remainder Theorem
linearization keys for multiparty schemes based on the (as proposed by Bajard et al. [8] and Cheon et al. [19]),
LWE problem [6]. This method could be adapted to our and the hybrid approach of Bossuat et al. [15] (which
scheme but results in significantly increased noise in the we use in our implementation).
rlk (hence, higher noise in relinearized ciphertexts) with
respect to the centralized scheme. One cause for this ex-
tra noise is the use of the public encryption algorithm 4.5 Collective Key-Switching Protocols
to produce the mentioned pseudo-encryptions. By ob-
serving that the collective encryption key is not needed The key-switching functionality enables the oblivious
for this purpose (because the secret key is collectively re-encryption operation. Given a ciphertext ct en-
known), we propose Protocol 2 as an improvement over crypted under an input key s along with an out-
the method by Asharov et al. put key s0 , the key-switching procedure outputs ct0 =Multiparty Homomorphic Encryption from RLWE 298
Enc(s0 , Dec(s, ct)). Because the first step of the plain Protocol 3. KeySwitch
BFV decryption (Eq. (1)) is equivalent to switching
Public input: ct = (c0 , c1 ) with var(ct) = σct
2
from the ideal secret-key to an output key s0 = 0, this
Private input for Pi : si , s0i
protocol generalizes the decryption protocol. The de-
Public output: ct0 = (c00 , c1 )
coding part of the decryption (Eq. (2)) does not require
the secret-key and can be performed locally. Each party Pi :
Smudging. We observe that the aforementioned 1. samples ei ← χCKS (σct
2 ) and discloses
decryption procedure, and the MBFV key-switching pro-
cedures in general, provide the output-key owner(s) with hi = (si − s0i )c1 + ei
the ciphertext noise. Because this noise depends on in-
Out: from h = Pj ∈P hj ,
P
termediate values in the encryption, homomorphic com-
outputs ct0 = (c00 , c1 ) = (c0 + h, c1 )
putation and key-switching procedures, it could be ex-
ploited as a side-channel by curious receivers (although After the execution of the KeySwitch protocol on
characterizing this indirect leakage in a computational input ct = (c0 , c1 ), c0 + sc1 = ∆m + ect where ect is the
setting is still an open question). The smudging tech- ciphertext’s error, the parties have access to ct0 s.t.
nique, as introduced by Asharov et al. [6], aims at t X
BFV.Dec(s0 , ct0 ) = b [c0 + (sj −s0j )c1 + ej + s0 c1 ]q e
making the ciphertext-noise inexploitable by flooding q
it with some freshly sampled noise terms in a distri- j
bution of larger-variance. In the MBFV scheme, this is t
= b [c0 + (s − s0 )c1 + eCKS + s0 c1 ]q e
achieved by sampling the relevant error terms in the q
t
key-switching protocols from a discrete Gaussian distri- = b [∆m + ect + eCKS ]q e = m, (6)
q
bution χCKS (σct 2 ) of variance σ 2
smg = 2 σct where σct is
λ 2 2
the ciphertext’s noise variance (see Appendix A) and where eCKS = j ej , and where the last equality holds
P
λ the desired security level (e.g., λ = 128, see Appendix provided that kect + eCKS k < q/(2t); i.e., if the output
B). Hence, this technique assumes that the system keeps ciphertext noise plus the protocol-induced noise remains
track of the ciphertext noise-level and has access to this within decryptable bounds.
property. For a ciphertext ct, we denote var(ct) the vari- The use of the KeySwitch protocol is limited to the
ance of its noise term (see Eq. (1)). cases where parties have collective knowledge of the out-
Receiver. The protocol’s instantiation depends put secret key s0 . Yet, this might not be the case, for ex-
on whether the parties performing the re-encryption ample, when considering an external receiver R for the
have a collective access to the output secret-key di- key-switched ciphertext (we elaborate on external re-
rectly, or have only its corresponding public-key. Both ceivers in Section 5.1). This situation would require con-
these settings are relevant when instantiating the MBFV fidential channels between the receiver and each party
scheme as an MPC protocol, which we discuss in Sec- in P, in order either (i) to collect decryption shares from
tion 5. Therefore, we develop protocols that perform all parties, or (ii) to distribute an additive sharing of its
key-switching for these two settings: When s0 is col- secret key to the system. However, (i) would become
lectively known, the KeySwitch protocol is used. When expensive for a large number of parties, and (ii) would
only a public key is known, the PubKeySwitch protocol require R to trust at least one party in P. Furthermore,
is used. confidential point-to-point channels might not fit the
system model (e.g., on smart-contract systems).
4.5.1 Collective Key-Switching
4.5.2 Collective Public-Key Switching
Protocol 3 (KeySwitch) details the steps for perform-
ing a key switching when the input parties collectively Protocol 4 (PubKeySwitch) details the steps for key
know the output secret key s0 . This protocol can be switching when the input parties know only a public
used as a decryption protocol (s0 = 0) or for updating key for the output secret key s0 . As it requires only
the access-structure (see Section 4.6), and it is the basis public input from the receiver, the PubKeySwitch en-
for bridging MHE-based and LSSS-based approaches, as ables an external party (i.e., that is not part of an input
explained in Section 4.7. access-structure) to obtain an output without the need
for private channels with the parties. In Section 5.2, weMultiparty Homomorphic Encryption from RLWE 299
Protocol 4. PubKeySwitch Protocol 5. ColBootstrap
Public input: pk0 = (p00 , p01 ), ct = (c0 , c1 ), var(ct) = σct
2 Public input: a (from CRS), ct = (c0 , c1 ) var(ct) = σct2
Private input for Pi : si Private input for Pi : si
Public output: ct0 = (c00 , c01 ) Public output: ct0 = (c00 , c01 ) with noise variance N σ 2
Each party Pi : Each party Pi
1. samples ui ← R3 , e0,i ← χCKS (σct
2 ), e
1,i ← χ and 1. samples Mi ← Rt , e0,i ← χCKS (σct
2 ), e
1,i ← χ and
discloses discloses
(h0,i , h1,i ) = (si c1 + ui p00 + e0,i , ui p01 + e1,i )
(h0,i , h1,i ) = (si c1 −∆Mi +e0,i , −si a+∆Mi +e1,i )
Out: from h0 = j h0,j and h1 = h1,j ,
P P
Pj ∈P Out: from h0 = j h0,j and h1 = j h1,j ,
P P
outputs ct0 = (c00 , c01 ) = (c0 + h0 , h1 )
outputs (c00 , c01 ) = ([b qt ([c0 + h0 ]q )e]t ∆ + h1 , a)
discuss the benefits of this property when instantiating
the MBFV as an MPC solution. Encryption-to-Shares (Enc2Share). Given an encryp-
Let ct = (c0 , c1 ) be an input ciphertext such that tion (c0 , c1 ) of a plaintext m ∈ Rt , the parties can pro-
c0 + sc1 = ∆m + ect and pk0 = (p00 , p01 ) be a public key duce an additive sharing of m over Rt by masking their
such that p00 = −(s0 p01 + epk0 ). After the execution of the share in the decryption (i.e., KeySwitch with s0 = 0)
PubKeySwitch protocol on ct with output public key pk0 , protocol: Each party Pi ∈ {P2 , PN } samples its own ad-
the parties hold ct0 satisfying ditive share Mi ← Rt and adds a −∆Mi term to its
decryption share hi before disclosing it. Party P1 does
Dec(s0, ct0 ) not disclose its decryption share h1 and derives its own
t additive share of m as
X X
sj c1+uj p00+e0,j +s0 uj p01+e1,j ]q e
= b [c0 +
q
j j N
X N
X
t M1 = BFV.Decrypt(s1 , (c0 + hi , c1 )) = m − Mi .
= b [c0 +sc1 +up00 +s0 up01 +e0 +s0 e1 ]q e
q i=2 i=2
t
= b [∆m + ect + ePubKeySwitch ]q e = m, (7) Shares-to-Encryption (Share2Enc). Given a secret-
q PN
shared value m ∈ Rt such that m = i=1 Mi , the
where ed = j ed,j for d = 0, 1, u = j uj , and the
P P
parties produce an encryption ct = (c0 , c1 ). To do so,
total added noise ePubKeySwitch = e0 +s0 e1 +uepk depends each party Pi samples a from the CRS and produces a
on both the protocol-induced and the target-public-key KeySwitch share for the ciphertext (∆Mi , a) with input
noises. If kect +ePubKeySwitch k< q/(2t), Equation (7) holds. key 0 and output key s. The ciphertext centralizing the
PN
secret-shared value m is then ct = ( i=1 c0,i , a). This
is equivalent to a multiparty encryption protocol.
4.6 Dynamic Access-Structure
The scenario of parties joining and leaving the system
4.8 Collective Bootstrapping
corresponds to a secret-key update and is handled by
the KeySwitch and PubKeySwitch protocols. More specif-
We combine the Share2Enc and Enc2Share protocols
ically, we consider the task of transferring a ciphertext
into a multiparty bootstrapping procedure (Protocol 5,
from an input set of parties P to an output set P 0 .
ColBootstrap) that enables the reduction of a ciphertext
If P 0 ⊂ P, the parties in P − P 0 can simply use the
noise to further compute on it. This is a crucial func-
KeySwitch protocol with output key s0 = 0. Otherwise
tionality for the BFV scheme, for which the centralized
the parties use the PubKeySwitch protocol with pk0 set
bootstrapping procedure is expensive. Intuitively, the
to the collective public-key of P 0 .
ColBootstrap protocol consists in a conversion from an
encryption to secret-shares and back, implemented as a
parallel execution of the Enc2Share and Share2Enc proto-
4.7 Bridging MPC Approaches
cols. It is an efficient single-round interactive protocol
The flexibility of the KeySwitch protocol can be har- that the parties can use during the evaluation phase,
nessed to bridge the MHE-based and LSSS-based MPC instead of a computationally heavy bootstrapping pro-
approaches. cedure. In practice, a broad range of applications wouldMultiparty Homomorphic Encryption from RLWE 300
not (or seldom) need to rely on this primitive, as the cir- Table 1. Comparison with the multi-key BFV: dependency in N
cuit complexity enabled by the practical parameters of Size Time
Scheme Ciphertext Switch. key Mult.+Relin. Rotate
the BFV scheme suffices. But the ColBootstrap protocol
[18] O(N ) O(N ) O(N 2 ) O(N )
offers a trade-off between computation and communica-
This Work O(1) O(1) O(1) O(1)
tion (we demonstrate this in Section 6.3).
used to emulate a single key within a multi-key setting,
are promising ways of tailoring the access structure to
4.9 Packed-Encoding and Rotation Keys the sought security and functionality requirements. For
example, in an encrypted federated learning system, a
One of the most powerful features of RLWE-based fixed group of parties could train a model under thresh-
schemes is the ability to embed vectors of plaintext val- old encryption and enable the prediction to be evaluated
ues into a single ciphertext. Such techniques, commonly on-the-fly under multi-key encryption.
referred to as packing, enable arithmetic operations to
be performed in a single-instruction multiple-data fash-
ion, where encrypted arithmetic results in element-wise
plaintext arithmetic. Provided with public rotation keys,
5 Secure Multiparty Computation
arbitrary rotations over the vector components [19] can
We discuss the instantiation of the MBFV scheme pre-
be operated homomorphically. Generating these rota-
sented in Section 4 in a generic secure-multiparty-
tion keys (which are pseudo-encryptions of rotations of
computation (MPC) protocol. Using MHE schemes to
the secret-key) can be done in the multiparty scheme,
achieve MPC is not new [6, 24], but each new genera-
by means of an RotKeyGen sub-protocol. We do not de-
tion of HE schemes makes this approach more efficient
tail this protocol, as it is a straightforward adaptation of
and flexible. However, to the best of our knowledge, no
EncKeyGen. This enables a vast family of homomorphi-
generic MPC solution has been implemented yet to ex-
cally computable linear and non-linear transformations
ploit those ideas. We discuss how MHE-based solutions
on ciphertexts. We will make use of rotations in the
can lead to a new generation of MPC systems, not only
input-selection example circuit in Section 6.2.
in the traditional peer-to-peer setting but also in the
outsourced one where parties are assisted by a semi-
honest entity without relying on non-collusion assump-
4.10 Comparison with Multi-key-HE tions such as those of the two-clouds model.
Multi-key HE schemes, as introduced by López-Alt [44],
enable the evaluation of homomorphic operations di-
5.1 MBFV-Based MPC Protocol
rectly over ciphertexts encrypted under different secret-
keys. The access-structure of these schemes can be seen
Let P = {P1 , P2 , . . . , PN } be a set of N parties holding
as dynamic; they include on-the-fly each new party in
respective inputs (x1 , . . . , xN ) and R be a receiver. Let C
the computation circuit. Hence, the schemes do not re-
be a set of computing parties which may have non-empty
quire the generation of a collective public encryption-
intersection with P ∪ {R}. Given a public arithmetic
key. In their current instantiation, however, they re-
function f over the parties’ inputs, the MHE−MPC pro-
quire the generation of public relinearization and ro-
tocol (Protocol 6) privately computes y = f (x1 , . . . , xN )
tations keys for which the size depends on the number
and outputs the result to R.
of parties N . Furthermore, their ciphertext size and ho-
Semantic Security (informal). Let A ⊂ (P ∪ C ∪ R)
momorphic operations complexity also grows with N .
be a set of corrupted parties (the adversary) in the
Chen et al. [18] propose multi-key extensions for the
MHE−MPC protocol where |A ∩ P| ≤ N − 1. We re-
BFV and CKKS schemes for which these dependencies
quire that the adversary does not learn anything more
are reported in Table 1.
about {xi }Pi ∈A
/ than that which can be learnt from its
We observe that, when on-the-fly computation is
own inputs {xi }Pi ∈A and, if R ∈ A, from the output.
not required by the application (e.g., the set of nodes is
known in advance), threshold schemes result in a more MHE−MPC Protocol Overview. The Setup step in-
efficient construction. However, note that the multi-key stantiates the MBFV scheme. It is independent from the
and threshold approaches are not mutually exclusive. rest of the protocol: It has to be run only once for a given
Hybrid constructions, where the threshold scheme is set of parties and a given choice of public cryptographicMultiparty Homomorphic Encryption from RLWE 301
Protocol 6. MHE−MPC protocol, the computing parties are not required to be
part of the computation data access-structure, thus re-
Public input: f the ideal functionality, pp the public
moving the need for such assumptions.
parameterization, pkR the receiver’s public-key
The Out step enables the receiver R to obtain its
Private input: xi for each Pi ∈ P
output. This requires collaboration among the parties
Output for R: y = f (x1 , x2 , . . . , xN )
in P to re-encrypt the output under the key of R. This
is achieved with the PubKeySwitch protocol, which does
Setup: the parties instantiate the MBFV scheme
not require online interaction between the input parties
ski ← BFV.SecKeyGen(pp), and the receiver.
MHE−MPC Protocol Security. Provided that the
cpk ← MBFV.ΠEncKeyGen (sk1 , . . . , skN ),
Setup phase correctly (see Equations (4) and (5) in Sec-
rlk ← MBFV.ΠRelinKeyGen (sk1 , . . . , skN ), tion 4) and securely (see Appendix B.1) generates the
BFV keys, the private inputs are encrypted as valid
In: each Pi encrypts its input and sends it to C BFV ciphertexts during the computation (the In and
Eval steps). Hence, the MHE−MPC protocol security in
ci ← BFV.Encrypt(cpk, xi ),
the semi-honest model can be formulated as a composi-
Eval: C computes the encrypted output and sends it tion theorem (see Theorem 2 in Appendix B.2).
to the parties in P.
c0 ← BFV.Eval(f, c1 , c2 , . . . , cN ), 5.2 Feature Analysis
Out: the parties in P re-encrypt the output under
In the following subsections, we discuss the properties of
the receiver’s key
the MHE−MPC protocol, as well as the various system
c0R ← MBFV.ΠPubKeySwitch (sk1 , . . . , skN , pkR , c0 ). models these properties enable.
parameters pp = (t, n, q, σ, B). Whereas this step can re-
semble the offline phase of the LSSS-based approaches, 5.2.1 Public Non-interactive Circuit Evaluation
it is fundamentally different in that it produces public-
keys that can be used for an unlimited number of circuit Although the homomorphic operations of HE schemes
evaluations. This implies that the Setup step does not are computationally more expensive than local opera-
directly depend on the number of multiplication gates tions of secret-shared arithmetic, the former do not re-
in the circuit, but on the maximum circuit depth the quire private inputs from the parties. Hence, as long as
parties want to support. This is because the encryption no output or collective bootstrapping is needed, the cir-
scheme has to be parameterized to support a sufficient cuit evaluation procedure is non-interactive and can be
homomorphic capacity. performed by any semi-honest entity. This not only en-
The In step corresponds to the input phase: The ables the evaluation to be efficiently distributed among
parties use the plain BFV.Encrypt algorithm to encrypt the parties in the usual peer-to-peer setting but also
their inputs and provide them to C for evaluation. enables new computation models for MPC:
The Eval step consists in the evaluation of the Cloud-Outsourced Model. The homomorphic
circuit-representation of f , using the BFV.Eval set of ho- circuit evaluation can be outsourced to a cloud-like ser-
momorphic operations. As this step requires no secret vice, by providing it with the inputs and necessary eval-
input from the parties, it can be performed by any semi- uation keys. The parties can arbitrarily go offline during
honest entity C. In purely peer-to-peer settings, the par- the evaluation and reconnect for the final output phase.
ties themselves assume the role of C, either by distribut- In this model, the overhead for each input party is inde-
ing the circuit computation, or by delegating it to one pendent of the total number of parties. Hence, resource-
designated party. In the cloud-assisted setting, a semi- constrained parties can take part in MPC tasks involv-
honest cloud provider can assume this role. Although ing thousands of other parties. We demonstrate two in-
it is frequent to define the role of computing party in stances of the cloud setting as a part of our evaluation
current MPC applications [4, 5, 37], it is usually a part (Sections 6.3 and 6.2).
of the N -party to 2-party problem reduction that in- Smart Contracts. A special case of an outsourced
troduces non-collusion assumptions. In the MHE−MPC MPC task is the execution of a smart contract over pri-Multiparty Homomorphic Encryption from RLWE 302
vate data; this is feasible by means of the MHE-based for the input parties to be online and active for the pro-
MPC solution. In this scenario, the contract stakehold- tocol to progress. Hence, the cloud-assisted MHE−MPC
ers (any party that has a private input to the contract) protocol has a clear advantage in terms of tolerance
are the MHE secret-key owners, and the smart-contract to unreliable parties, which is a significant step toward
platform acts as an oblivious contract evaluator. large-scale MPC. We use the cloud-assisted model for
the first two example circuits of Section 6 and demon-
strate its practicality for computations involving thou-
5.2.2 Public-Transcript Protocols sands of parties. Adapting the multiparty BFV scheme
(Section 4) to a T -out-of-N threshold scheme is a nat-
All the protocols of Section 4 have public transcripts, ural next step to address the challenge of parties going
which removes the need for direct party-to-party com- offline for an arbitrary amount of time; indeed, the se-
munication. Hence, not only the evaluation step, but curity requirements of the application must tolerate a
the whole MHE−MPC protocol can be executed over weaker access-structure.
any public authenticated channel. This also brings new
possibilities in designing MPC systems:
Efficient Communication Patterns. The pre- 5.3 Current Limitations
sented protocols rely solely on the ability of the parties
to publicly disclose their shares and to aggregate them. We discuss the current limitations of the MHE−MPC
This gives flexibility for using efficient communication protocol and outline potential solutions. We observe
patterns: The parties can be organized in a topologi- that our proposed MBFV scheme is not the source of
cal way, as nodes in a tree, where each node interacts these limitations. Instead, they are current constraints
solely with its parent and children nodes. We observe of the MHE-based MPC approach that were not ad-
that for all the protocols, the shares are always com- dressed in this work.
bined by computing their sum. Hence, for a given party
in our protocols, a round consists in
Gen: computing its own share in the protocol, 5.3.1 Arithmetic Circuits
Agg: collecting and aggregating the share of each of
its children and its own share, A purely MHE-based MPC solution is indeed limited to
Out: sending the result up the tree to its parent, or computing arithmetic functions over its plaintext space.
outputting it. The MBFV plaintext space, (Rt [X], +, ×), is particularly
Such an execution enables the parties to compute suited for expressing vector and matrix arithmetic, due
their shares in parallel and results in a network traffic to the ability to rotate vectors of Zt elements. Further-
that is constant at each node. By trading-off some la- more, analytic functions such sin(x) or ex can be ef-
tency, the inbound traffic can be kept low by ensuring ficiently evaluated through polynomial approximations.
that the branching factor of the tree (i.e., the number of Although mapping application-specific functionalities to
children per node) is manageable for each node. As the this computing model and finding the appropriate pa-
share aggregation can also be computed by any semi- rameters is still a fairly manual process, the current ef-
honest third-party, the tree can contain nodes that are fort in HE-compilers will significantly simplify it [54].
not part of P (i.e., nodes that would not have input in Non-arithmetic functions such as comparisons and
the MPC problem and have no share of the ideal secret branching programs constitute a more fundamental lim-
key) and are simply aggregating and forwarding their itation that also applies to LSSS-based MPC. How-
children’s shares. We demonstrate the efficiency of the ever, the compilers of these solutions already propose
tree topology in the multiplication triple generation ex- workarounds either by mapping them back to an arith-
ample benchmark in Section 6.4. metic representation or by accepting the conditional
Cloud-Assisted MPC Model. The special case variable leakage.
of a single root node that does not hold a share of the key As the sets of functions supported by the LSSS-
can be mapped to a cloud-assisted setting where parties and MHE-based approaches continue to grow, we ex-
run the protocols interacting solely with a central node. pect that each system will have its own strengths and
This model complements the circuit evaluation out- weaknesses. Hence, the ability to switch between the
sourcing feature by removing the need for synchronous two representations with the Enc2Share and Share2Enc
and private party-to-party communication and the need protocols is pivotal.Multiparty Homomorphic Encryption from RLWE 303
5.3.2 Active Adversary Model Table 2. Experimental cryptographic parameters: Overview
Set log2 t log2 n log2 q log2 w σ sec. (bits)
Zero-knowledge-proof systems for lattice-based schemes I 32 13 218 26 3.2 128
II-A 32 14 438 110 3.2 128
are another active research topic [14, 55] which is es-
II-B 16 14 438 110 3.2 128
sential to extend the MHE−MPC protocol to active se-
II-C 16 15 880 180 3.2 128
curity. We observe that, as the local operations of the III 32 13 218 55 3.2 128
MBFV scheme are of relatively low depth, proving their
correct execution in zero-knowledge is practical. Rotaru complex example, we refer the reader to the work of
et al. propose an actively secure distributed-key genera- Froelicher et al., who used the CKKS implementation
tion procedure for the BGV cryptosystem [51] that, de- of our proposed scheme for machine-learning training
spite its performance impact, could be adapted to BFV. and prediction tasks [31].
Proving the correct execution of the homomorphic In the cloud-assisted setting, we consider two ex-
execution by the abstract computing party C, however, ample circuits: (i) A multiparty input selection circuit
can be significantly more challenging and is circuit- and its application to multiparty private-information-
dependent. As the MHE−MPC has a public transcript, retrieval (Section 6.2). (ii) The element-wise product
a trivial solution is to publish this transcript as a proof. of integer vectors and its application as a simple mul-
But this non-compact solution might be unsatisfactory tiparty private-set-intersection protocol (Section 6.3).
in some applications. We compare the performance for both circuits against
Presently, honest-but-curious is the de-facto threat a baseline system that uses a LSSS-based approach:
model for cloud services and passively-secure MPC pro- the MP-SPDZ library implementation [2] of the Over-
vides a way of protecting sensitive client-data in these drive protocol [39] for the semi-honest, dishonest major-
scenarios. In the peer-to-peer model, prototypes of such ity setting. In the peer-to-peer setting, we consider the
systems have been deployed in operational settings [49]. task of generating Beaver multiplication triples (i.e., the
An example is the medical sector where data collabo- "offline" phase of LSSS-based approaches, Section 6.4).
rations are mutually beneficial and well-regulated, yet We compare the performance against the SPDZ2K [23]
they legally require a certain level of data-protection. Oblivious-Transfer-based and the Overdrive [39] HE-
based triple-generation protocols.
6 Performance Analysis 6.1 Experimental Setup and Parameters
We implemented the multiparty BFV scheme in the Lat- For the cloud-assisted setting, the client-side timings
tigo open-source library [1]. It provides Go implementa- were measured on a MacBook Pro with a 3.1 GHz Intel
tions of the two most widespread RLWE homomorphic i5 processor. The server-side timings were measured on
schemes: BFV and CKKS, along with their multiparty a 2.5 GHz Intel Xeon E5-2680 v3 processor (2x12 cores).
versions. The library uses state-of-the-art optimizations For the peer-to-peer setting, we run all parties on the
based on the Chinese remainder theorem [8]. In addi- latter machine, over the localhost interface. We measure
tion to around an order of magnitude acceleration, the the network-related cost in terms of number of commu-
RNS variant enables a more efficient way (i) of repre- nicated bytes (upstream + downstream), which does not
senting the key-switching intermediary basis w [35] and account for network-introduced delays. We observe that
(ii) of implementing the smudging technique through this could slightly advantage the baseline LSSS-based
RNS modular-reduction and rounding [27]. system due to its non-constant number of rounds.
In order to analyze the performance of the Cryptographic Parameters. Each experiment rep-
MHE−MPC protocol in both the cloud-assisted and the resents a different circuit hence uses a different set of
peer-to-peer settings, we evaluate three generic yet pow- parameters (see Section 3.4). Therefore, we discuss the
erful circuits. These circuits represent common building choice of parameters for each experiment. For conve-
blocks for more complex functionalities (that we briefly nience, we summarize all the parameters in Table 2,
discuss), yet they do not introduce advanced domain- along with their security levels according to the Homo-
specific requirements and constraints. Thus, these cir- morphicEncryption.org standardization document [3].
cuits enable a compact and reproducible comparison
with a baseline system for generic MPC. For a moreYou can also read
