Multiparty Homomorphic Encryption from Ring-Learning-with-Errors

Proceedings on Privacy Enhancing Technologies ; 2021 (4):291–311

Christian Mouchet, Juan Troncoso-Pastoriza, Jean-Philippe Bossuat, and Jean-Pierre Hubaux

Abstract: We propose and evaluate a secure-multiparty-computation (MPC) solution in the semi-honest model with dishonest majority that is based on multiparty homomorphic encryption (MHE). To support our solution, we introduce a multiparty version of the Brakerski-Fan-Vercauteren homomorphic cryptosystem and implement it in an open-source library. MHE-based MPC solutions have several advantages: their transcript is public, their offline phase is compact, and their circuit-evaluation procedure is non-interactive. By exploiting these properties, the communication complexity of MPC tasks is reduced from quadratic to linear in the number of parties, thus enabling secure computation among potentially thousands of parties and in a broad variety of computing paradigms, from the traditional peer-to-peer setting to cloud-outsourcing and smart-contract technologies. MHE-based approaches can also outperform the state-of-the-art solutions, even for a small number of parties. We demonstrate this for three circuits: private input selection with application to private-information retrieval, component-wise vector multiplication with application to private-set intersection, and Beaver multiplication triples generation. For the first circuit, privately selecting one input among eight thousand parties' (of 32 KB each) requires only 1.31 MB of communication per party and completes in 61.7 seconds. For the second circuit with eight parties, our approach is 8.6 times faster and requires 39.3 times less communication than the current methods. For the third circuit and ten parties, our approach generates 20 times more triples per second while requiring 136 times less communication per triple than an approach based on oblivious transfer. We implemented our scheme in the Lattigo library and open-sourced the code at github.com/ldsec/lattigo.

Keywords: secure multiparty computation, homomorphic encryption

DOI 10.2478/popets-2021-0071
Received 2021-02-28; revised 2021-06-15; accepted 2021-06-16.

Christian Mouchet: École polytechnique fédérale de Lausanne, E-mail: christian.mouchet@epfl.ch
Juan Troncoso-Pastoriza: École polytechnique fédérale de Lausanne, E-mail: juan.troncoso-pastoriza@epfl.ch
Jean-Philippe Bossuat: École polytechnique fédérale de Lausanne, E-mail: jean-philippe.bossuat@epfl.ch
Jean-Pierre Hubaux: École polytechnique fédérale de Lausanne, E-mail: jean-pierre.hubaux@epfl.ch

1 Introduction

Secure Multiparty Computation (MPC) protocols enable a group of parties to securely compute joint functions over their private inputs while enforcing specific security guarantees throughout the computation. The exact definition of security depends on how the adversary is modeled, but the most common requirement, input privacy, informally states that parties should not obtain more information about other parties' inputs than that which can be deduced from the output of the computation. Combining this strong security guarantee with a general functionality makes the study of MPC techniques highly relevant. This last decade has seen this established theoretical field evolve into an applied one, notably due to its potential for securing data-sharing scenarios in the financial [12, 13], biomedical [37, 49] and law-enforcement [10, 41] sectors, as well as for protecting digital assets [5]. The use of passively-secure MPC techniques in such scenarios has been demonstrated to be effective and practical [4, 21, 37], notably in the medical sector where data collaborations are mutually beneficial and well-regulated, yet legally require a certain level of data protection [21, 49].

In the settings where no honest majority of parties can be guaranteed, most of the currently implemented MPC systems are based on secret-sharing [53] of the input data according to some linear secret-sharing scheme (LSSS), and on interactive circuit-evaluation protocols [36]. These approaches have two practical limitations: (i) standard protocols require many rounds of communication over private channels between the parties, which makes them inadequate for low-end devices and unreliable networks; (ii) current approaches require a per-party communication that increases linearly in the circuit size (which itself increases at least linearly in the number of parties). Hence, this quadratic factor quickly becomes a bottleneck for large numbers of parties.

Homomorphic encryption (HE) techniques are well-known for reducing the communication complexity of MPC [24, 30], especially in their various threshold and multi-key variants that we generally refer to as multiparty-HE (MHE). However, in spite of several such schemes proposed by the cryptographic community, the most widely known being the MHE scheme of Asharov et al. [6], no concrete MPC solution implementing a generic MHE-based MPC protocol has been built yet. Instead, the use of HE in MPC is mostly confined to the offline pre-computations of protocols based on linear secret-sharing schemes (LSSS) [39]. We argue that homomorphic encryption has reached the required level of usability to play a larger role in the online phase of MPC protocols and to enable new applications.

We propose, implement, and evaluate a new instance of the MHE-based MPC protocol in the passive-adversary with dishonest-majority model. We make the following contributions:
– We propose a novel multiparty extension of the BFV homomorphic encryption scheme (Section 4). We follow the blueprint of Asharov et al. [6] and adapt it to the ring-learning-with-errors (RLWE) assumptions and to the BFV scheme. We also introduce novel single-round protocols for bridging between the MHE- and LSSS-based approaches and for bootstrapping a BFV ciphertext in multiparty settings.
– We instantiate our MHE scheme into a generic MPC protocol (Section 5) and show that this approach has several advantages over its LSSS-based counterparts: notably, its per-party communication complexity is only linear in the circuit's inputs and outputs, and its execution does not require private party-to-party communication channels.
– We demonstrate the efficiency of the latter instantiation for three example MPC circuits (Section 6). We implemented and open-sourced our scheme in the Lattigo library [1].
With these contributions, our work bridges the gap between the existing theoretical work on MHE-based MPC and its application as a privacy-enhancing technology.

2 Related Work

We classify N-party dishonest-majority MPC approaches in two categories: (a) Linear secret-sharing at data level (for short: LSSS-based), which is predominantly implemented in generic MPC solutions [5, 36], consists in applying secret-sharing [53] to the input data. (b) Multiparty encryption schemes (for short: MHE-based) use a homomorphic scheme to encrypt and exchange the input data, which can then be computed on non-interactively with encrypted arithmetic.

LSSS-based MPC (a). Most of the available generic MPC solutions, such as Sharemind [11] and SPDZ [25, 26, 39], apply secret-sharing to the input data. The evaluation of arithmetic circuits is generally enabled by the homomorphism of the LSSS, or by interactive protocols (when no such homomorphism is available); the most widely implemented protocol is Beaver's triple-based protocol [9]. The strength of approach (a) is to enable evaluation through only simple and efficient primitives in terms of which the circuit can be decomposed by code-to-protocol compilers, thus strengthening usability. However, this approach imposes two practical constraints: First, the interactive protocols at each multiplication gate require all parties to be online and active during the whole computation and to exchange messages with their peers at a high frequency that is determined by the round complexity of the circuit. Second, the triple-based multiplication protocol requires a prior distribution of one-time triples; this can be performed in a pre-computing phase, either by a trusted third party or by the parties themselves. The latter peer-to-peer case can also be formulated as an independent, yet equivalent, MPC task (generating the triples requires multiparty multiplication). Hence, these approaches are hybrids that generate the triples by using techniques such as oblivious transfer [38], plain HE [39] or multiparty-HE [26] in an offline phase.

As a result of the aforementioned constraints, many current applications of LSSS-based MPC target the outsourced models where the actual computation is delegated to two parties [4, 21, 22, 37, 46, 47] that are assumed not to collude (e.g., the two-cloud model). Unfortunately, this assumption might not be realistic in some contexts where the parties are required to have an active role in enforcing the access control over their data (e.g., by law).

MHE-based MPC (b). In this approach, the parties use an HE scheme to encrypt their inputs, and the computations are performed using the scheme's homomorphic operations. To preserve the inputs' privacy, the scheme's secret key is securely distributed among the parties and the decryption requires the collaboration between the parties. We use the term multiparty encryption scheme to designate these constructions in a general way (we provide a definition in Section 3.1).
The idea of reducing the volume of interaction in MPC by using threshold homomorphic encryption can be traced back to a work by Franklin and Haber [30], later improved by Cramer et al. [24]. At that time, the lack of homomorphic schemes that preserve two distinct algebraic operations ruled out complete non-interactivity at the evaluation phase, thus rendering these approaches less attractive than approach (a). Recently, task-specific instances that use multiparty additive-homomorphic encryption have been successful in supporting use-cases in distributed machine learning [32, 56], thus highlighting the potential that a generic and usable fully homomorphic encryption (FHE) [33] solution could have. This is the idea behind the line of work by Asharov et al. [6] and López-Alt et al. [43]. These contributions propose various multiparty schemes in which the secret key is additively shared among the parties, and they analyze the theoretical MPC solution these schemes enable. Although of great interest, this line of work did not find as much echo in applications as approach (a) has. One possible reason was the lack of available and efficient implementations of Learning with Errors (LWE) [50]-based homomorphic schemes, in terms of which these schemes were presented. Today, multiple ongoing efforts aim at standardizing homomorphic encryption [3] and at making its implementations available to a broader public. This new generation of schemes is based mostly on the Ring Learning with Errors (RLWE) problem [45] and has brought HE from being practical to being efficient.

We argue that MHE-based approaches are now efficient and flexible enough to support more than the offline phase of LSSS-based approaches. Therefore, we bring the theoretical work on multiparty schemes [6] to RLWE cryptography and to an open-source implementation, and evaluate it as an MPC solution.

3 Background

We provide a general definition of the multiparty homomorphic encryption (MHE) primitive, relate this primitive to the MPC setting and recall the plain BFV HE scheme that we extend to the MHE in Section 4. We consider an abstract security parameter λ and require that an adversary's advantage in attacking the schemes must be a negligible function in λ. HE schemes also require proper parameterization to support the evaluation of the desired circuits. We model this dependency by introducing an abstract homomorphic capacity parameter κ and require that the probability of incorrect decryption must be a negligible function in κ.

3.1 Multiparty Homomorphic Encryption

Let $P = \{P_1, P_2, \ldots, P_N\}$ be a set of N parties; a multiparty homomorphic encryption scheme over P is an HE scheme in which the secret key is an N-party function $S(sk_1, sk_2, \ldots, sk_N)$. The structure of S determines the Access Structure of the MHE scheme, which we define as the set $\mathcal{S} \subset \mathrm{PowerSet}(P)$ of all groups of parties that can collectively reconstruct the secret key. Indeed, S should never be disclosed in practice. Instead, each operation Op of the single-party scheme that requires the secret key is expressed as a multiparty protocol $\Pi_{Op}$.

Let M be a plaintext space with arithmetic structure; a multiparty HE scheme over M is a tuple MHE = (Setup, SecKeyGen, $\Pi_{PubKeyGen}$, Enc, $\Pi_{Dec}$, Eval) of algorithms and multiparty protocols.
– Setup: pp ← MHE.Setup(λ, κ). Takes the security and homomorphic-capacity parameters and outputs a public parameterization. pp is an implicit argument to the other procedures.
– Key Generation: The parties $P_i \in P$ generate $sk_i$ ← MHE.SecKeyGen() and take part in the multiparty protocol pk ← MHE.$\Pi_{PubKeyGen}(sk_1, \ldots, sk_N)$. Outputs a key pair $(sk_i, pk)$ to each party.
– Encryption: ct ← MHE.Enc(m, pk). Given a public key pk and a plaintext message m ∈ M, outputs a ciphertext encrypting m under $S(sk_1, sk_2, \ldots, sk_N)$.
– Evaluation: $ct_{res}$ ← MHE.Eval(f, pk, $ct_1, \ldots, ct_I$). Given an arithmetic function $f : M^I \to M$, the public key pk and an I-tuple of ciphertexts encrypting $(m_1, \ldots, m_I) \in M^I$, outputs a result ciphertext encrypting $m_{res} = f(m_1, \ldots, m_I)$.
– Decryption: m ← MHE.$\Pi_{Dec}(ct, sk_1, \ldots, sk_N)$. Given a ciphertext ct encrypting m and their respective keys $sk_i$, the parties take part in the decryption multiparty protocol. Outputs m.

Semantic Security (informal). We require that for all adversarial subsets of parties $A \notin \mathcal{S}$ and for any two messages $m_1, m_2 \in M$, the advantage of the adversary in distinguishing between the distributions MHE.Enc(pk, $m_1$) and MHE.Enc(pk, $m_2$) is smaller than $2^{-\lambda}$.

Correctness (informal). We require that, for all arithmetic functions $f : M^I \to M$, there exists a public parametrization pp such that
$$\mathrm{MHE}.\Pi_{Dec}(\mathrm{MHE}.\mathrm{Eval}(f, pk, ct_1, \ldots, ct_I), sk_1, \ldots, sk_N) = f(m_1, \ldots, m_I)$$
holds with probability larger than $1 - 2^{-\kappa}$.
Access-structure Families. We distinguish between two types of MHE schemes:
– In threshold [28] or distributed encryption schemes, the secret key S is set before the computation and is fixed, hence so is the access structure set $\mathcal{S}$. The parties provide their inputs encrypted under S, hence the decryption is conditioned on the participation of the parties according to the structure of S (which is often, but not necessarily, a secret-sharing scheme). We use this approach for our proposed MHE scheme.
– In multi-key encryption schemes [44], the secret key does not have to be defined before the evaluation and $\mathcal{S}$ is, instead, dynamic: the parties provide their inputs encrypted under their own secret key and the evaluation of homomorphic operations $f : M^I \to M$ yields a result that is encrypted under an on-the-fly key $S(sk_1, \ldots, sk_I)$. Hence, only the parties involved in a given computation are required to participate in the decryption of its output.
In their RLWE instantiations, these two types of multiparty schemes have different structures for their ciphertext and public-key material, as well as different algorithmic complexity figures for their homomorphic operations. In Section 4, we construct a distributed version of the BFV scheme [29], and compare it to the multi-key BFV scheme of Chen et al. [18] in Section 4.10.

MHE-based Generic MPC. The construction of passively secure, MHE-based generic MPC protocols follows naturally from the MHE correctness and semantic-security properties: given a circuit and the desired security properties, the parties can use an MHE scheme enforcing the sought access structure to encrypt their inputs (MHE.Enc), compute the circuit homomorphically (MHE.Eval), and collectively decrypt the output (MHE.$\Pi_{Dec}$ protocol). We defer the detailed protocol description and the discussion of its features to Section 5, where we instantiate it with the MHE scheme proposed in Section 4.

3.2 Notation

We denote $[\cdot]_q$ the reduction of an integer modulo q, and $\lceil\cdot\rceil$, $\lfloor\cdot\rfloor$, $\lfloor\cdot\rceil$ the rounding to the next, previous, and nearest integer respectively. When applied to polynomials, these operations are performed coefficient-wise. We use regular letters for integers and polynomials, and boldface letters for vectors of integers and of polynomials. $\mathbf{a}^T$ denotes the transpose of a vector $\mathbf{a}$. Given a probability distribution α over a ring R, a ← α denotes the sampling of an element a ∈ R according to α, and a ← R implicitly denotes uniform sampling in R. For a polynomial a, we denote its infinity norm by $\|a\|$.

3.3 The BFV Encryption Scheme

We recall the plain Brakerski-Fan-Vercauteren [29] scheme that we will extend in Section 4. It is a ring-learning-with-errors [45] scheme that supports both additive and multiplicative homomorphic operations. Due to its practicality, it has been implemented in most of the current lattice-based cryptographic libraries [1, 48, 52] and is part of the draft HE standard [3].

Scheme 1 details the most common instantiation of the BFV scheme. The ciphertext space is $R_q = \mathbb{Z}_q[X]/(X^n + 1)$, the quotient ring of the polynomials with coefficients in $\mathbb{Z}_q$ modulo $(X^n + 1)$, where n is a power of 2. We use $[-\frac{q}{2}, \frac{q}{2})$ as the set of representatives for the congruence classes modulo q. Unless otherwise stated, we consider the arithmetic in $R_q$ and polynomial reductions are omitted in the notation. The plaintext space is the ring $R_t = \mathbb{Z}_t[X]/(X^n + 1)$ for t < q. We denote $\Delta = \lfloor q/t \rfloor$, the integer division of q by t.

The scheme is based on two kinds of secrets, commonly sampled from small-normed yet different distributions: the key distribution is denoted $R_3 = \mathbb{Z}_3[X]/(X^n + 1)$, where coefficients are uniformly distributed in {−1, 0, 1}. The error distribution χ over $R_q$ has coefficients distributed according to a centered discrete Gaussian with standard deviation σ and truncated support over [−B, B], where σ and B are two cryptosystem parameters.

The security of BFV is based on the hardness of the decisional-RLWE problem [45], which is informally stated as follows: given a uniformly random $a \leftarrow R_q$, a secret $s \leftarrow R_3$, and an error term e ← χ, it is computationally hard for an adversary that does not know s and e to distinguish between the distribution of (sa + e, a) and that of (b, a) where $b \leftarrow R_q$.

Encrypted arithmetic operations must preserve the plaintext arithmetic. We denote BFV.Add and BFV.Mul the homomorphic addition and multiplication, respectively, and we refer the reader to [29] for their implementation. The BFV.Mul operation outputs a ciphertext consisting of three $R_q$ elements that can be seen as a degree-two ciphertext. This higher-degree ciphertext can be further operated on and decrypted. Yet it is often desirable to reduce this degree back to one, by using a BFV.Relinearize operation [29]. This operation is public but requires the generation of a specific public key, referred to as the relinearization key (rlk).

Scheme 1. BFV(t, n, q, w, σ, B)

BFV.SecKeyGen(): Sample $s \leftarrow R_3$. Output: sk = s.

BFV.PubKeyGen(sk): Let sk = s. Sample $p_1 \leftarrow R_q$ and e ← χ. Output:
$$pk = (p_0, p_1) = (-s p_1 + e,\ p_1)$$

BFV.RelinKeyGen(sk, w): Let sk = s. Sample $\mathbf{r}_1 \leftarrow R_q^l$ and $\mathbf{e} \leftarrow \chi^l$. Output:
$$rlk = (\mathbf{r}_0, \mathbf{r}_1) = (s^2 \mathbf{w} - s \mathbf{r}_1 + \mathbf{e},\ \mathbf{r}_1)$$

BFV.Encrypt(pk, m): Let pk = $(p_0, p_1)$. Sample $u \leftarrow R_3$ and $e_0, e_1 \leftarrow \chi$. Output:
$$ct = (\Delta m + u p_0 + e_0,\ u p_1 + e_1)$$

BFV.Decrypt(sk, ct): Let sk = s and ct = $(c_0, c_1)$. Output:
$$m' = \left[\left\lfloor \frac{t}{q}\,[c_0 + c_1 s]_q \right\rceil\right]_t$$

The decryption of a ciphertext $(c_0, c_1)$ can be seen as a two-step process. The first step requires the secret key to compute a noisy plaintext in $R_q$ as
$$[c_0 + s c_1]_q = \Delta m + e_{ct}, \qquad (1)$$
where $e_{ct}$ is the ciphertext overall error, or ciphertext noise. In the second step, the message is decoded from the noisy term in $R_q$ to a plaintext in $R_t$, by rescaling and rounding:
$$\left[\left\lfloor \frac{t}{q}(\Delta m + e_{ct}) \right\rceil\right]_t = \left[\lfloor m + a t + v \rceil\right]_t, \qquad (2)$$
where $m \in R_t$, a has integer coefficients, and v has coefficients in $\mathbb{Q}$. Provided that $\|v\| < \frac{1}{2}$, Eq. (2) outputs m. Hence, the correctness of the scheme is conditioned on the noise magnitude $\|e_{ct}\|$, which must be kept below $\frac{q}{2t}$ throughout the homomorphic computation, notably by choosing a sufficiently large q. To preserve this condition when multiplying with the rlk (as a part of BFV.Relinearize), ciphertexts are temporarily decomposed in a basis w < q and the product is performed on each element of the decomposition [29]. We write $l = \lceil \log_w(q) \rceil$ the number of coefficients in this decomposition, and $\mathbf{w} = (w^0, w^1, \ldots, w^{l-1})^T$ the base-w reconstruction vector.

3.4 Parameter Selection

Selecting the parameters for a given application constitutes a significantly more challenging task for homomorphic-encryption schemes than for traditional encryption. Although the standardization document [3] is a good basis for mapping the subset of commonly used parameter values to bit-security levels, mapping the correctness and efficiency requirements to concrete parameters in a systematic way is still an open question in FHE research and goes beyond the scope of this work. Nowadays, we see the rise of compilers for HE [54] that will, as they evolve, automate this process.

We describe the common heuristic approach for selecting BFV parameters, the one we used for the evaluation of our work (Section 6). The task consists in finding (t, n, q, w, σ, B) that satisfy the required security and homomorphic-capacity parameters (λ, κ) for the set of considered homomorphic circuits. The standardization document and most implementations fix the noise standard deviation and bound to σ ≈ 3.2 and B ≈ 20, respectively. Hence, only the ring degree n, the plaintext-space and ciphertext-space moduli t and q, and the decomposition basis w remain to be determined.

The message-space characteristics of the application usually set t directly, by considering the bit-width of the input values. The targeted set of homomorphic circuits constrains q and n: choosing a larger q permits a larger circuit depth (Equation (2)) but also reduces the hardness of the RLWE problem. Choosing a larger w reduces the noise incurred by Relinearize (hence enables a smaller q) but increases its computation cost and the rlk size. Choosing a larger n increases the security (hence enables a larger q for a fixed security level) but has a significant impact on the cost incurred by polynomial multiplication. Hence, the most common strategy is to set q and w experimentally, as an acceptable trade-off for the application, then to choose the smallest power-of-two n for the desired security level.

4 The Multiparty BFV Scheme

We introduce a novel multiparty version of the Brakerski-Fan-Vercauteren (BFV) cryptosystem [29]. Although formulated for the BFV scheme, the introduced protocols can be straightforwardly adapted to other RLWE-based cryptosystems, such as BGV [16] or the more recent CKKS [20], which enables homomorphic approximate arithmetic. We implemented both multiparty versions, for the BFV and CKKS schemes, in the Lattigo open-source library [1]. Our approach follows the blueprint of the LWE-based protocols by Asharov et al. [6], and introduces several improvements to their schemes. In particular, we propose a novel procedure for the generation of relinearization keys that adds significantly less noise in the output key. We also propose a generalization of the distributed decryption procedure, from which we derive novel protocols that bridge between the MHE-based and LSSS-based MPC protocols and that enable the practical bootstrapping of a BFV ciphertext.

In the next subsections, we reformulate all the secret-key-dependent operations of the original BFV scheme as secure N-party protocols. We refer to the original centralized scheme as the ideal scheme: the ideal centralized functionality that is emulated in a multiparty setting. By extension, we refer to $sk = S(sk_1, \ldots, sk_N)$ as the ideal secret key, because it exists

MBFV KeySwitch-correctness. For all arithmetic functions $f : R_t^I \to R_t$ over the parties' inputs $m_1, \ldots, m_I$, there exist pp = (t, n, q, w, σ, B) such that for $sk' = S'(sk'_1, \ldots, sk'_N)$ an output secret key and
$$sk_i \leftarrow \mathrm{BFV.SecKeyGen}() \quad i \in 1 \ldots N,$$
$$cpk, rlk \leftarrow \Pi_{EncKeyGen}(sk_1, \ldots, sk_N),\ \Pi_{RelinKeyGen}(sk_1, \ldots, sk_N),$$
$$ct_i \leftarrow \mathrm{BFV.Enc}(cpk, m_i) \quad i \in 1 \ldots I,$$
$$ct_f \leftarrow \mathrm{BFV.Eval}(f, rlk, ct_1, \ldots, ct_I),$$
$$ct'_f \leftarrow \mathrm{MBFV}.\Pi_{KeySwitch}(ct'_P, sk'_1, \ldots, sk'_N, sk_1, \ldots, sk_N),$$
it holds that $\Pr[\mathrm{BFV.Dec}(sk', ct'_f) \neq f(m_1, \ldots, m_I)] < 2^{-\kappa}$.

The PubKeySwitch-correctness property can be directly derived from the previous definition by computing a public key for $sk'$ and replacing $\Pi_{KeySwitch}$ by $\Pi_{PubKeySwitch}$.

MBFV Semantic Security. For all subsets of at most
as such only through interaction between the parties.                  N − 1 passive adversaries in P, for any two messages
                                                                       m1 , m2 ∈ Rt , the advantage of the adversary in dis-
                                                                       tinguishing between distributions BFV.Enc(cpk, m1 ) and
4.1 Scheme Overview                                                    BFV.Enc(cpk, m2 ) should be smaller than 2−λ .
                                                                            As a result, the security properties of the MBFV
Let P be a set of N parties that have access                           scheme is that of a N-out-of-N threshold encryption
to an authenticated channel and to a random                            scheme. We now detail each of its underlying protocols.
common reference string (CRS) [17]. Our pro-
posed multiparty BFV scheme is a tuple MBFV =
(ΠEncKeyGen , ΠRelinKeyGen , ΠKeySwitch , ΠPubKeySwitch ) that         4.2 Ideal-Secret-Key Generation
extends the BFV scheme:
– Setup: Select pp ← (t, n, q, w, σ, B), the parameters                Our scheme uses an additive structure for the combined
  of the BFV scheme.                                                   secret-key, denoted as s in the following. We denote si
– Key Generation: Each party Pi ∈ P generates                          the secret key share of party Pi , thus
  its share ski ← BFV.SecKeyGen() of sk and takes                                                 "         #
  part in the cpk ← MBFV.ΠEncKeyGen (sk1 , ..., skN ) and
                                                                                                    X
                                                                                         sk = s =         si .             (3)
  rlk ← MBFV.ΠRelinKeyGen (sk1 , ..., skN ) multiparty pro-                                               Pi ∈P     q
  tocols with output (cpk, rlk).
– Encryption: The usual BFV.Encrypt procedure is                            We propose a simple ideal-secret-key generation
  used to encrypt messages under sk given the cpk.                     procedure in which each party samples independently
– Evaluation: The usual BFV.Eval set of homomorphic                    its own share as si = BFV.SecKeyGen(). Thus, the ideal
  operations is used to evaluate functions given rlk.                  secret-key is generated in a non-interactive way. The
– Key-switching:                                                       norm of the resulting ideal secret key grows with O(N ),
  ct0 ← ΠKeySwitch (ct, sk01 , ..., sk0N , sk1 , ..., skN ). Given a   which has an effect on the noise growth (analyzed in Ap-
  ciphertext ct encrypted under the ideal secret-key sk                pendix A). By using techniques such as those described
  and an output ideal secret-key sk0 = S 0 (sk01 , ...sk0N ),          in [51], it might be possible to generate ideal secret keys
  the parties re-encrypt ct under sk0 .                                in R3 as if they were produced in a trusted setup (e.g.,
– Public-key-switching:                                                as an additive secret-sharing of a usual BFV secret-key
  ct0 ← ΠPubKeySwitch (ct, pk0 , sk1 , ..., skN ). Given a ci-         over Rq ). However, this would introduce the need for
  phertext ct under sk and an output public-key pk0                    private channels between the parties.
  for secret-key sk0 , the parties re-encrypt ct under sk0 .
Multiparty Homomorphic Encryption from RLWE         297

4.3 Collective Encryption-Key Generation

The collective encryption-key generation, detailed in Protocol 1, emulates the BFV.PubKeyGen procedure. In addition to the public parameters of the cryptosystem (which we will omit in the following), the procedure requires a public polynomial $p_1$, uniformly sampled in $R_q$, to be agreed upon by all the parties. For this purpose, they sample its coefficients from the common reference string (CRS). In the passive-adversary model, the CRS can be implemented by any keyed pseudorandom function. We used BLAKE2b [7] in our implementation.

Protocol 1. EncKeyGen
Public Input: $p_1$ (common random polynomial)
Private Input for $P_i$: $s_i = sk_i$ (secret-key share)
Public Output: $cpk = (p_0, p_1)$ (collective encryption key)
Each party $P_i$:
1. samples $e_i \leftarrow \chi$ and discloses $p_{0,i} = -p_1 s_i + e_i$
Out: from $p_0 = \sum_{P_j \in \mathcal{P}} p_{0,j}$, outputs $cpk = (p_0, p_1)$

After the execution of the EncKeyGen protocol, the parties have access to the collective public key

$$cpk = \Big(\Big[\sum_{P_i \in \mathcal{P}} p_{0,i}\Big]_q,\ p_1\Big) = \Big(\Big[-\Big(\sum_{P_i \in \mathcal{P}} s_i\Big) p_1 + \sum_{P_i \in \mathcal{P}} e_i\Big]_q,\ p_1\Big), \qquad (4)$$

that has the same form as the ideal public key $pk$ in Scheme 1, with larger worst-case norms $\|s\|$ and $\|e\|$. The norm grows only linearly in $N$, hence is not a concern (as shown in Appendix A), even for a large number of nodes. Another notable feature of the EncKeyGen protocol is that it would apply to any kind of linear sharing of $s$, as long as the shares are valid RLWE secrets and the norm of the reconstruction is small enough. This includes a uniformly random sharing over $R_q$ of a traditional BFV secret key in $R_3$.

4.4 Relinearization-Key Generation

Protocol 2 (RelinKeyGen) emulates the centralized BFV.RelinKeyGen. Informally, it produces pseudo-encryptions of $s^2 w^b$ for each power $b = 0, \ldots, l - 1$ of the decomposition basis parameter $w$. It requires a public input $\mathbf{a}$, uniformly sampled in $R_q^l$ from the CRS. We use vector notation to express that these pseudo-encryptions are generated in parallel for every element of the decomposition base $\mathbf{w} = (w^0, w^1, \ldots, w^{l-1})^T$.

Asharov et al. proposed a method to produce relinearization keys for multiparty schemes based on the LWE problem [6]. This method could be adapted to our scheme but results in significantly increased noise in the rlk (hence, higher noise in relinearized ciphertexts) with respect to the centralized scheme. One cause for this extra noise is the use of the public encryption algorithm to produce the mentioned pseudo-encryptions. By observing that the collective encryption key is not needed for this purpose (because the secret key is collectively known), we propose Protocol 2 as an improvement over the method by Asharov et al.

Protocol 2. RelinKeyGen
Public Input: $\mathbf{a} \in R_q^l$ and $\mathbf{w}$ the decomposition basis
Private Input of $P_i$: $s_i = sk_i$
Output: $rlk = (\mathbf{r}_0, \mathbf{r}_1)$
Each party $P_i$:
1. samples $u_i \leftarrow R_3$, $\mathbf{e}_{0,i}, \mathbf{e}_{1,i} \leftarrow \chi^l$ and discloses $(\mathbf{h}_{0,i}, \mathbf{h}_{1,i}) = (-u_i \mathbf{a} + s_i \mathbf{w} + \mathbf{e}_{0,i},\ s_i \mathbf{a} + \mathbf{e}_{1,i})$
2. from $\mathbf{h}_0 = \sum_{P_j \in \mathcal{P}} \mathbf{h}_{0,j}$ and $\mathbf{h}_1 = \sum_{P_j \in \mathcal{P}} \mathbf{h}_{1,j}$, samples $\mathbf{e}_{2,i}, \mathbf{e}_{3,i} \leftarrow \chi^l$ and discloses $(\mathbf{h}'_{0,i}, \mathbf{h}'_{1,i}) = (s_i \mathbf{h}_0 + \mathbf{e}_{2,i},\ (u_i - s_i)\mathbf{h}_1 + \mathbf{e}_{3,i})$
Out: from $\mathbf{h}'_0 = \sum_{P_j \in \mathcal{P}} \mathbf{h}'_{0,j}$ and $\mathbf{h}'_1 = \sum_{P_j \in \mathcal{P}} \mathbf{h}'_{1,j}$, outputs $rlk = (\mathbf{h}'_0 + \mathbf{h}'_1,\ \mathbf{h}_1)$

After completing the RelinKeyGen protocol, the parties have access to a relinearization key of the form

$$rlk = (\mathbf{r}_0, \mathbf{r}_1) = \big(-s\mathbf{b} + s^2 \mathbf{w} + s\mathbf{e}_0 + u\mathbf{e}_1 + \mathbf{e}_2 + \mathbf{e}_3,\ \mathbf{b}\big), \qquad (5)$$

where $\mathbf{b} = s\mathbf{a} + \mathbf{e}_1$, $u = \sum_j u_j$ and $\mathbf{e}_k = \sum_j \mathbf{e}_{k,j}$ for $k = 0, 1, 2, 3$ (expanding the two steps of Protocol 2, the $u s \mathbf{a}$ terms of $\mathbf{h}'_0$ and $\mathbf{h}'_1$ cancel and $-s \mathbf{h}_1 = -s\mathbf{b}$ remains). Hence, compared to the keys generated with the approach of Asharov et al., our keys have lower error in $\mathbf{r}_0$ and no error at all in $\mathbf{r}_1$ (i.e., they have the same form as those of the centralized scheme). This significantly reduces the noise induced by relinearization.

A relevant feature of the proposed RelinKeyGen protocol is its independence from the actual decomposition basis $\mathbf{w}$: It is compatible with other decomposition techniques, such as the one used for Type II relinearization [29], those based on the Chinese Remainder Theorem (as proposed by Bajard et al. [8] and Cheon et al. [19]), and the hybrid approach of Bossuat et al. [15] (which we use in our implementation).

4.5 Collective Key-Switching Protocols

The key-switching functionality enables the oblivious re-encryption operation. Given a ciphertext $ct$ encrypted under an input key $s$ along with an output key $s'$, the key-switching procedure outputs $ct' =$

$\mathrm{Enc}(s', \mathrm{Dec}(s, ct))$. Because the first step of the plain BFV decryption (Eq. (1)) is equivalent to switching from the ideal secret-key to an output key $s' = 0$, this protocol generalizes the decryption protocol. The decoding part of the decryption (Eq. (2)) does not require the secret-key and can be performed locally.

Smudging. We observe that the aforementioned decryption procedure, and the MBFV key-switching procedures in general, provide the output-key owner(s) with the ciphertext noise. Because this noise depends on intermediate values in the encryption, homomorphic computation and key-switching procedures, it could be exploited as a side-channel by curious receivers (although characterizing this indirect leakage in a computational setting is still an open question). The smudging technique, as introduced by Asharov et al. [6], aims at making the ciphertext noise inexploitable by flooding it with some freshly sampled noise terms from a distribution of larger variance. In the MBFV scheme, this is achieved by sampling the relevant error terms in the key-switching protocols from a discrete Gaussian distribution $\chi_{CKS}(\sigma^2_{ct})$ of variance $\sigma^2_{smg} = 2^{\lambda} \sigma^2_{ct}$, where $\sigma^2_{ct}$ is the ciphertext's noise variance (see Appendix A) and $\lambda$ the desired security level (e.g., $\lambda = 128$, see Appendix B). Hence, this technique assumes that the system keeps track of the ciphertext noise level and has access to this property. For a ciphertext $ct$, we denote $\mathrm{var}(ct)$ the variance of its noise term (see Eq. (1)).

Receiver. The protocol's instantiation depends on whether the parties performing the re-encryption have collective access to the output secret-key directly, or have only its corresponding public-key. Both these settings are relevant when instantiating the MBFV scheme as an MPC protocol, which we discuss in Section 5. Therefore, we develop protocols that perform key-switching for these two settings: When $s'$ is collectively known, the KeySwitch protocol is used. When only a public key is known, the PubKeySwitch protocol is used.

4.5.1 Collective Key-Switching

Protocol 3 (KeySwitch) details the steps for performing a key switching when the input parties collectively know the output secret key $s'$. This protocol can be used as a decryption protocol ($s' = 0$) or for updating the access-structure (see Section 4.6), and it is the basis for bridging MHE-based and LSSS-based approaches, as explained in Section 4.7.

Protocol 3. KeySwitch
Public input: $ct = (c_0, c_1)$ with $\mathrm{var}(ct) = \sigma^2_{ct}$
Private input for $P_i$: $s_i, s'_i$
Public output: $ct' = (c'_0, c_1)$
Each party $P_i$:
1. samples $e_i \leftarrow \chi_{CKS}(\sigma^2_{ct})$ and discloses $h_i = (s_i - s'_i)c_1 + e_i$
Out: from $h = \sum_{P_j \in \mathcal{P}} h_j$, outputs $ct' = (c'_0, c_1) = (c_0 + h, c_1)$

After the execution of the KeySwitch protocol on input $ct = (c_0, c_1)$, with $c_0 + s c_1 = \Delta m + e_{ct}$ where $e_{ct}$ is the ciphertext's error, the parties have access to $ct'$ s.t.

$$\begin{aligned}
\mathrm{BFV.Dec}(s', ct') &= \Big\lfloor \frac{t}{q}\Big[c_0 + \sum_j \big((s_j - s'_j)c_1 + e_j\big) + s' c_1\Big]_q\Big\rceil \\
&= \Big\lfloor \frac{t}{q}\big[c_0 + (s - s')c_1 + e_{CKS} + s' c_1\big]_q\Big\rceil \\
&= \Big\lfloor \frac{t}{q}\big[\Delta m + e_{ct} + e_{CKS}\big]_q\Big\rceil = m, \qquad (6)
\end{aligned}$$

where $e_{CKS} = \sum_j e_j$, and where the last equality holds provided that $\|e_{ct} + e_{CKS}\| < q/(2t)$; i.e., if the output ciphertext noise plus the protocol-induced noise remains within decryptable bounds.

The use of the KeySwitch protocol is limited to the cases where parties have collective knowledge of the output secret key $s'$. Yet, this might not be the case, for example, when considering an external receiver $R$ for the key-switched ciphertext (we elaborate on external receivers in Section 5.1). This situation would require confidential channels between the receiver and each party in $\mathcal{P}$, in order either (i) to collect decryption shares from all parties, or (ii) to distribute an additive sharing of its secret key to the system. However, (i) would become expensive for a large number of parties, and (ii) would require $R$ to trust at least one party in $\mathcal{P}$. Furthermore, confidential point-to-point channels might not fit the system model (e.g., on smart-contract systems).

4.5.2 Collective Public-Key Switching

Protocol 4 (PubKeySwitch) details the steps for key switching when the input parties know only a public key for the output secret key $s'$. As it requires only public input from the receiver, PubKeySwitch enables an external party (i.e., one that is not part of an input access-structure) to obtain an output without the need for private channels with the parties. In Section 5.2, we

discuss the benefits of this property when instantiating the MBFV scheme as an MPC solution.

Protocol 4. PubKeySwitch
Public input: $pk' = (p'_0, p'_1)$, $ct = (c_0, c_1)$ with $\mathrm{var}(ct) = \sigma^2_{ct}$
Private input for $P_i$: $s_i$
Public output: $ct' = (c'_0, c'_1)$
Each party $P_i$:
1. samples $u_i \leftarrow R_3$, $e_{0,i} \leftarrow \chi_{CKS}(\sigma^2_{ct})$, $e_{1,i} \leftarrow \chi$ and discloses $(h_{0,i}, h_{1,i}) = (s_i c_1 + u_i p'_0 + e_{0,i},\ u_i p'_1 + e_{1,i})$
Out: from $h_0 = \sum_{P_j \in \mathcal{P}} h_{0,j}$ and $h_1 = \sum_{P_j \in \mathcal{P}} h_{1,j}$, outputs $ct' = (c'_0, c'_1) = (c_0 + h_0,\ h_1)$

Let $ct = (c_0, c_1)$ be an input ciphertext such that $c_0 + s c_1 = \Delta m + e_{ct}$ and $pk' = (p'_0, p'_1)$ be a public key such that $p'_0 = -(s' p'_1 + e_{pk'})$. After the execution of the PubKeySwitch protocol on $ct$ with output public key $pk'$, the parties hold $ct'$ satisfying

$$\begin{aligned}
\mathrm{Dec}(s', ct') &= \Big\lfloor \frac{t}{q}\Big[c_0 + \sum_j \big(s_j c_1 + u_j p'_0 + e_{0,j}\big) + s' \sum_j \big(u_j p'_1 + e_{1,j}\big)\Big]_q\Big\rceil \\
&= \Big\lfloor \frac{t}{q}\big[c_0 + s c_1 + u p'_0 + s' u p'_1 + e_0 + s' e_1\big]_q\Big\rceil \\
&= \Big\lfloor \frac{t}{q}\big[\Delta m + e_{ct} + e_{PubKeySwitch}\big]_q\Big\rceil = m, \qquad (7)
\end{aligned}$$

where $e_d = \sum_j e_{d,j}$ for $d = 0, 1$, $u = \sum_j u_j$, and the total added noise $e_{PubKeySwitch} = e_0 + s' e_1 - u e_{pk'}$ (since $u p'_0 + s' u p'_1 = -u e_{pk'}$) depends on both the protocol-induced and the target-public-key noises. If $\|e_{ct} + e_{PubKeySwitch}\| < q/(2t)$, Equation (7) holds.

4.6 Dynamic Access-Structure

The scenario of parties joining and leaving the system corresponds to a secret-key update and is handled by the KeySwitch and PubKeySwitch protocols. More specifically, we consider the task of transferring a ciphertext from an input set of parties $\mathcal{P}$ to an output set $\mathcal{P}'$. If $\mathcal{P}' \subset \mathcal{P}$, the parties in $\mathcal{P} - \mathcal{P}'$ can simply use the KeySwitch protocol with output key $s' = 0$. Otherwise, the parties use the PubKeySwitch protocol with $pk'$ set to the collective public-key of $\mathcal{P}'$.

4.7 Bridging MPC Approaches

The flexibility of the KeySwitch protocol can be harnessed to bridge the MHE-based and LSSS-based MPC approaches.

Encryption-to-Shares (Enc2Share). Given an encryption $(c_0, c_1)$ of a plaintext $m \in R_t$, the parties can produce an additive sharing of $m$ over $R_t$ by masking their share in the decryption (i.e., KeySwitch with $s' = 0$) protocol: Each party $P_i \in \{P_2, \ldots, P_N\}$ samples its own additive share $M_i \leftarrow R_t$ and adds a $-\Delta M_i$ term to its decryption share $h_i$ before disclosing it. Party $P_1$ does not disclose its decryption share $h_1$ and derives its own additive share of $m$ as

$$M_1 = \mathrm{BFV.Decrypt}\Big(s_1, \Big(c_0 + \sum_{i=2}^{N} h_i,\ c_1\Big)\Big) = m - \sum_{i=2}^{N} M_i.$$

Shares-to-Encryption (Share2Enc). Given a secret-shared value $m \in R_t$ such that $m = \sum_{i=1}^{N} M_i$, the parties produce an encryption $ct = (c_0, c_1)$. To do so, each party $P_i$ samples $a$ from the CRS and produces a KeySwitch share for the ciphertext $(\Delta M_i, a)$ with input key $0$ and output key $s$, i.e., $h_i = (0 - s_i)a + e_i$, and discloses $c_{0,i} = \Delta M_i + h_i = \Delta M_i - s_i a + e_i$. The ciphertext centralizing the secret-shared value $m$ is then $ct = (\sum_{i=1}^{N} c_{0,i},\ a)$. This is equivalent to a multiparty encryption protocol.

4.8 Collective Bootstrapping

We combine the Share2Enc and Enc2Share protocols into a multiparty bootstrapping procedure (Protocol 5, ColBootstrap) that enables the reduction of a ciphertext's noise in order to further compute on it. This is a crucial functionality for the BFV scheme, for which the centralized bootstrapping procedure is expensive. Intuitively, the ColBootstrap protocol consists in a conversion from an encryption to secret-shares and back, implemented as a parallel execution of the Enc2Share and Share2Enc protocols. It is an efficient single-round interactive protocol that the parties can use during the evaluation phase, instead of a computationally heavy bootstrapping procedure. In practice, a broad range of applications would not (or seldom) need to rely on this primitive, as the circuit complexity enabled by the practical parameters of the BFV scheme suffices. But the ColBootstrap protocol offers a trade-off between computation and communication (we demonstrate this in Section 6.3).

Protocol 5. ColBootstrap
Public input: $a$ (from CRS), $ct = (c_0, c_1)$ with $\mathrm{var}(ct) = \sigma^2_{ct}$
Private input for $P_i$: $s_i$
Public output: $ct' = (c'_0, c'_1)$ with noise variance $N\sigma^2$
Each party $P_i$:
1. samples $M_i \leftarrow R_t$, $e_{0,i} \leftarrow \chi_{CKS}(\sigma^2_{ct})$, $e_{1,i} \leftarrow \chi$ and discloses $(h_{0,i}, h_{1,i}) = (s_i c_1 - \Delta M_i + e_{0,i},\ -s_i a + \Delta M_i + e_{1,i})$
Out: from $h_0 = \sum_{P_j \in \mathcal{P}} h_{0,j}$ and $h_1 = \sum_{P_j \in \mathcal{P}} h_{1,j}$, outputs $(c'_0, c'_1) = \Big(\Big[\Big\lfloor \frac{t}{q}\big([c_0 + h_0]_q\big)\Big\rceil\Big]_t \Delta + h_1,\ a\Big)$

Table 1. Comparison with the multi-key BFV: dependency in $N$

Scheme      | Ciphertext size | Switching-key size | Mult.+Relin. time | Rotate time
[18]        | $O(N)$          | $O(N)$             | $O(N^2)$          | $O(N)$
This Work   | $O(1)$          | $O(1)$             | $O(1)$            | $O(1)$
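The Python block below is an added example written for this page; it is not code from the paper or from Lattigo. It runs toy-sized versions of the secret-key-dependent protocols of Section 4 in one process: EncKeyGen (Protocol 1) over the additive ideal key of Eq. (3), plain BFV encryption under $cpk$, KeySwitch (Protocol 3) used both as collective decryption ($s' = 0$) and to let a party leave the access structure (Section 4.6), PubKeySwitch (Protocol 4) towards an external receiver holding only a key pair, the Enc2Share masking of Section 4.7, and ColBootstrap (Protocol 5), whose $h_{1,i}$ shares are exactly the Share2Enc step. Assumptions, all mine: $n = 8$, $q = 2^{40}$, $t = 2^8$ are insecure toy parameters chosen so that $\Delta = q/t$ is exact; a bounded uniform sampler stands in for the discrete Gaussian $\chi$ and a much wider one for the smudging distribution $\chi_{CKS}$, with a fixed bound instead of one derived from $\mathrm{var}(ct)$; the authenticated channel and the CRS are simulated by local calls and `random.seed`; function names are my own.

```python
"""Toy N-out-of-N multiparty BFV over R_q = Z_q[X]/(X^n + 1) (constructed example, not Lattigo)."""
import random

N_DEG, Q, T = 8, 1 << 40, 1 << 8   # n, q, t: toy, insecure; decryption noise budget q/(2t) = 2^31
DELTA = Q // T                      # Delta = floor(q/t), exact for these values
NOISE_B = 3                         # stand-in for chi: coefficients uniform in [-3, 3]
SMUDGE_B = 1 << 20                  # stand-in for chi_CKS: coefficients uniform in [-2^20, 2^20]

def poly_add(a, b): return [(x + y) % Q for x, y in zip(a, b)]
def poly_sub(a, b): return [(x - y) % Q for x, y in zip(a, b)]
def poly_scale(a, k): return [(x * k) % Q for x in a]
def poly_sum(ps): return [sum(col) % Q for col in zip(*ps)]
def sample(bound): return [random.randint(-bound, bound) % Q for _ in range(N_DEG)]  # bound=1: R_3
def uniform(mod): return [random.randrange(mod) for _ in range(N_DEG)]  # mod=Q: CRS polynomial; mod=T: R_t
def centered(x): return x - Q if x > Q // 2 else x

def poly_mul(a, b):
    """Schoolbook negacyclic convolution: X^n is reduced to -1."""
    r = [0] * (2 * N_DEG)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] += x * y
    return [(r[i] - r[i + N_DEG]) % Q for i in range(N_DEG)]

def decode(v):  # Eq. (2): [round(t/q * [v]_q)]_t, coefficient-wise; needs the secret key nowhere
    return [((2 * T * centered(x) + Q) // (2 * Q)) % T for x in v]

def enc_key_gen(secrets, p1):  # Protocol 1: p_{0,i} = -p1 s_i + e_i; cpk = (sum_i p_{0,i}, p1)
    return (poly_sum([poly_sub(sample(NOISE_B), poly_mul(p1, s)) for s in secrets]), p1)

def encrypt(cpk, m):  # plain BFV.Enc under the collective key
    p0, p1 = cpk
    u = sample(1)
    c0 = poly_add(poly_add(poly_mul(p0, u), sample(NOISE_B)), poly_scale(m, DELTA))
    return (c0, poly_add(poly_mul(p1, u), sample(NOISE_B)))

def decrypt(s, ct):  # centralized BFV.Dec with the ideal key s; used only to check results
    return decode(poly_add(ct[0], poly_mul(s, ct[1])))

def noise_norm(s, ct):  # ||e_ct||_inf where c0 + s c1 = Delta m + e_ct
    v = poly_add(ct[0], poly_mul(s, ct[1]))
    return max(abs(centered(x)) for x in poly_sub(v, poly_scale(decode(v), DELTA)))

def key_switch(ct, secrets_in, secrets_out):  # Protocol 3: h_i = (s_i - s'_i) c1 + e_i, e_i ~ chi_CKS
    c0, c1 = ct
    hs = [poly_add(poly_mul(poly_sub(si, so), c1), sample(SMUDGE_B)) for si, so in zip(secrets_in, secrets_out)]
    return (poly_add(c0, poly_sum(hs)), c1)

def pub_key_switch(ct, secrets_in, pk_out):  # Protocol 4: needs only the receiver's pk' = (p'_0, p'_1)
    c0, c1 = ct
    p0p, p1p = pk_out
    h0s, h1s = [], []
    for s in secrets_in:
        u = sample(1)
        h0s.append(poly_add(poly_add(poly_mul(s, c1), poly_mul(u, p0p)), sample(SMUDGE_B)))
        h1s.append(poly_add(poly_mul(u, p1p), sample(NOISE_B)))
    return (poly_add(c0, poly_sum(h0s)), poly_sum(h1s))

def enc_to_shares(ct, secrets):  # Enc2Share: P_2..P_N add -Delta M_i to their decryption share
    c0, c1 = ct
    masks = [uniform(T) for _ in secrets[1:]]
    hs = [poly_sub(poly_add(poly_mul(s, c1), sample(SMUDGE_B)), poly_scale(M, DELTA))
          for s, M in zip(secrets[1:], masks)]
    m1 = decrypt(secrets[0], (poly_add(c0, poly_sum(hs)), c1))  # P_1 keeps h_1; M_1 = m - sum M_i mod t
    return [m1] + masks

def col_bootstrap(ct, secrets, a):  # Protocol 5: Enc2Share (h_0) and Share2Enc (h_1) shares in one round
    c0, c1 = ct
    h0s, h1s = [], []
    for s in secrets:
        M = uniform(T)
        h0s.append(poly_sub(poly_add(poly_mul(s, c1), sample(SMUDGE_B)), poly_scale(M, DELTA)))
        h1s.append(poly_add(poly_sub(poly_scale(M, DELTA), poly_mul(s, a)), sample(NOISE_B)))  # KeySwitch share of (Delta M_i, a), key 0 -> s
    masked = decode(poly_add(c0, poly_sum(h0s)))  # public value m - sum M_i mod t: uniform, reveals nothing about m
    return (poly_add(poly_scale(masked, DELTA), poly_sum(h1s)), a)

def demo(n_parties=3, seed=1):
    """Run every protocol once; the authenticated channel and the CRS are simulated by local calls."""
    random.seed(seed)
    zero = [0] * N_DEG
    secrets = [sample(1) for _ in range(n_parties)]  # s_i <- R_3; s = sum s_i (Eq. 3) is never assembled by a party
    s, staying = poly_sum(secrets), poly_sum(secrets[:-1])
    cpk = enc_key_gen(secrets, uniform(Q))
    m = uniform(T)
    ct = encrypt(cpk, m)
    dec = decode(key_switch(ct, secrets, [zero] * n_parties)[0])  # s' = 0: collective decryption, local decode
    ct_left = key_switch(ct, secrets, secrets[:-1] + [zero])       # P_N leaves the access structure (Sec. 4.6)
    s_r = sample(1)                                                 # external receiver R with its own key pair
    ct_r = pub_key_switch(ct, secrets, enc_key_gen([s_r], uniform(Q)))
    shares = enc_to_shares(ct, secrets)
    ct_boot = col_bootstrap(ct_left, secrets[:-1], uniform(Q))
    return {
        "decrypt_ok": decrypt(s, ct) == m,
        "collective_dec_ok": dec == m,
        "leave_ok": decrypt(staying, ct_left) == m,
        "receiver_ok": decrypt(s_r, ct_r) == m,
        "shares_ok": [sum(col) % T for col in zip(*shares)] == m,
        "bootstrap_ok": decrypt(staying, ct_boot) == m,
        "switched_noise": noise_norm(staying, ct_left),  # dominated by the smudging terms of size ~2^20
        "bootstrap_noise": noise_norm(staying, ct_boot),  # only the sum of fresh e_{1,i}: <= (N-1) * NOISE_B
    }

if __name__ == "__main__":
    print(demo())
```

Running the file prints the result dictionary of `demo()`. The two noise figures are the point of the last step: the key-switched ciphertext carries the flooding noise that the smudging paragraph of Section 4.5 requires, while the bootstrapped one carries only the sum of the parties' fresh $e_{1,i}$ terms, which is what lets the parties keep computing on it.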
                                                               used to emulate a single key within a multi-key setting,
                                                               are promising ways of tailoring the access structure to
4.9 Packed-Encoding and Rotation Keys                          the sought security and functionality requirements. For
                                                               example, in an encrypted federated learning system, a
One of the most powerful features of RLWE-based                fixed group of parties could train a model under thresh-
schemes is the ability to embed vectors of plaintext val-      old encryption and enable the prediction to be evaluated
ues into a single ciphertext. Such techniques, commonly        on-the-fly under multi-key encryption.
referred to as packing, enable arithmetic operations to
be performed in a single-instruction multiple-data fash-
ion, where encrypted arithmetic results in element-wise
plaintext arithmetic. Provided with public rotation keys,
                                                               5 Secure Multiparty Computation
arbitrary rotations over the vector components [19] can
                                                               We discuss the instantiation of the MBFV scheme pre-
be operated homomorphically. Generating these rota-
                                                               sented in Section 4 in a generic secure-multiparty-
tion keys (which are pseudo-encryptions of rotations of
                                                               computation (MPC) protocol. Using MHE schemes to
the secret-key) can be done in the multiparty scheme,
                                                               achieve MPC is not new [6, 24], but each new genera-
by means of an RotKeyGen sub-protocol. We do not de-
                                                               tion of HE schemes makes this approach more efficient
tail this protocol, as it is a straightforward adaptation of
                                                               and flexible. However, to the best of our knowledge, no
EncKeyGen. This enables a vast family of homomorphi-
                                                               generic MPC solution has been implemented yet to ex-
cally computable linear and non-linear transformations
                                                               ploit those ideas. We discuss how MHE-based solutions
on ciphertexts. We will make use of rotations in the
                                                               can lead to a new generation of MPC systems, not only
input-selection example circuit in Section 6.2.
                                                               in the traditional peer-to-peer setting but also in the
                                                               outsourced one where parties are assisted by a semi-
                                                               honest entity without relying on non-collusion assump-
4.10 Comparison with Multi-key-HE                              tions such as those of the two-clouds model.

Multi-key HE schemes, as introduced by López-Alt [44],
enable the evaluation of homomorphic operations di-
                                                               5.1 MBFV-Based MPC Protocol
rectly over ciphertexts encrypted under different secret-
keys. The access-structure of these schemes can be seen
                                                               Let P = {P1 , P2 , . . . , PN } be a set of N parties holding
as dynamic; they include on-the-fly each new party in
the computation circuit. Hence, the schemes do not require the generation of a collective public encryption key. In their current instantiation, however, they require the generation of public relinearization and rotation keys whose size depends on the number of parties N. Furthermore, their ciphertext size and homomorphic-operation complexity also grow with N. Chen et al. [18] propose multi-key extensions for the BFV and CKKS schemes for which these dependencies are reported in Table 1.

We observe that, when on-the-fly computation is not required by the application (e.g., the set of nodes is known in advance), threshold schemes result in a more efficient construction. However, note that the multi-key and threshold approaches are not mutually exclusive. Hybrid constructions, where the threshold scheme is

respective inputs (x1, . . . , xN) and R be a receiver. Let C be a set of computing parties, which may have a non-empty intersection with P ∪ {R}. Given a public arithmetic function f over the parties' inputs, the MHE−MPC protocol (Protocol 6) privately computes y = f(x1, . . . , xN) and outputs the result to R.

Semantic Security (informal). Let A ⊂ (P ∪ C ∪ {R}) be a set of corrupted parties (the adversary) in the MHE−MPC protocol, where |A ∩ P| ≤ N − 1. We require that the adversary does not learn anything more about $\{x_i\}_{P_i \notin A}$ than that which can be learnt from its own inputs $\{x_i\}_{P_i \in A}$ and, if R ∈ A, from the output.

MHE−MPC Protocol Overview. The Setup step instantiates the MBFV scheme. It is independent from the rest of the protocol: It has to be run only once for a given set of parties and a given choice of public cryptographic

parameters pp = (t, n, q, σ, B). Whereas this step can resemble the offline phase of the LSSS-based approaches, it is fundamentally different in that it produces public keys that can be used for an unlimited number of circuit evaluations. This implies that the Setup step does not directly depend on the number of multiplication gates in the circuit, but on the maximum circuit depth the parties want to support. This is because the encryption scheme has to be parameterized to support a sufficient homomorphic capacity.

The In step corresponds to the input phase: The parties use the plain BFV.Encrypt algorithm to encrypt their inputs and provide them to C for evaluation.

The Eval step consists of the evaluation of the circuit representation of f, using the BFV.Eval set of homomorphic operations. As this step requires no secret input from the parties, it can be performed by any semi-honest entity C. In purely peer-to-peer settings, the parties themselves assume the role of C, either by distributing the circuit computation, or by delegating it to one designated party. In the cloud-assisted setting, a semi-honest cloud provider can assume this role. Although it is frequent to define the role of computing party in current MPC applications [4, 5, 37], it is usually a part of the N-party to 2-party problem reduction that introduces non-collusion assumptions. In the MHE−MPC protocol, the computing parties are not required to be part of the computation data access-structure, thus removing the need for such assumptions.

The Out step enables the receiver R to obtain its output. This requires collaboration among the parties in P to re-encrypt the output under the key of R. This is achieved with the PubKeySwitch protocol, which does not require online interaction between the input parties and the receiver.

MHE−MPC Protocol Security. Provided that the Setup phase correctly (see Equations (4) and (5) in Section 4) and securely (see Appendix B.1) generates the BFV keys, the private inputs are encrypted as valid BFV ciphertexts during the computation (the In and Eval steps). Hence, the MHE−MPC protocol security in the semi-honest model can be formulated as a composition theorem (see Theorem 2 in Appendix B.2).

Protocol 6. MHE−MPC
    Public input: f the ideal functionality, pp the public parameterization, pkR the receiver's public key
    Private input: xi for each Pi ∈ P
    Output for R: y = f(x1, x2, . . . , xN)
    Setup: the parties instantiate the MBFV scheme
        ski ← BFV.SecKeyGen(pp),
        cpk ← MBFV.ΠEncKeyGen(sk1, . . . , skN),
        rlk ← MBFV.ΠRelinKeyGen(sk1, . . . , skN),
    In: each Pi encrypts its input and sends it to C
        ci ← BFV.Encrypt(cpk, xi),
    Eval: C computes the encrypted output and sends it to the parties in P
        c′ ← BFV.Eval(f, c1, c2, . . . , cN),
    Out: the parties in P re-encrypt the output under the receiver's key
        c′R ← MBFV.ΠPubKeySwitch(sk1, . . . , skN, pkR, c′).

5.2 Feature Analysis

In the following subsections, we discuss the properties of the MHE−MPC protocol, as well as the various system models these properties enable.

5.2.1 Public Non-interactive Circuit Evaluation

Although the homomorphic operations of HE schemes are computationally more expensive than local operations of secret-shared arithmetic, the former do not require private inputs from the parties. Hence, as long as no output or collective bootstrapping is needed, the circuit evaluation procedure is non-interactive and can be performed by any semi-honest entity. This not only enables the evaluation to be efficiently distributed among the parties in the usual peer-to-peer setting but also enables new computation models for MPC:

Cloud-Outsourced Model. The homomorphic circuit evaluation can be outsourced to a cloud-like service, by providing it with the inputs and the necessary evaluation keys. The parties can arbitrarily go offline during the evaluation and reconnect for the final output phase. In this model, the overhead for each input party is independent of the total number of parties. Hence, resource-constrained parties can take part in MPC tasks involving thousands of other parties. We demonstrate two instances of the cloud setting as a part of our evaluation (Sections 6.2 and 6.3).

Smart Contracts. A special case of an outsourced MPC task is the execution of a smart contract over private data; this is feasible by means of the MHE-based MPC solution. In this scenario, the contract stakeholders (any party that has a private input to the contract) are the MHE secret-key owners, and the smart-contract platform acts as an oblivious contract evaluator.

5.2.2 Public-Transcript Protocols

All the protocols of Section 4 have public transcripts, which removes the need for direct party-to-party communication. Hence, not only the evaluation step, but the whole MHE−MPC protocol can be executed over any public authenticated channel. This also brings new possibilities in designing MPC systems:

Efficient Communication Patterns. The presented protocols rely solely on the ability of the parties to publicly disclose their shares and to aggregate them. This gives flexibility for using efficient communication patterns: The parties can be organized in a topological way, as nodes in a tree, where each node interacts solely with its parent and children nodes. We observe that for all the protocols, the shares are always combined by computing their sum. Hence, for a given party in our protocols, a round consists of
    Gen: computing its own share in the protocol,
    Agg: collecting and aggregating the share of each of its children and its own share,
    Out: sending the result up the tree to its parent, or outputting it.
Such an execution enables the parties to compute their shares in parallel and results in network traffic that is constant at each node. By trading off some latency, the inbound traffic can be kept low by ensuring that the branching factor of the tree (i.e., the number of children per node) is manageable for each node. As the share aggregation can also be computed by any semi-honest third party, the tree can contain nodes that are not part of P (i.e., nodes that have no input in the MPC problem and hold no share of the ideal secret key) and that simply aggregate and forward their children's shares. We demonstrate the efficiency of the tree topology in the multiplication-triple generation example benchmark in Section 6.4.

Cloud-Assisted MPC Model. The special case of a single root node that does not hold a share of the key can be mapped to a cloud-assisted setting where the parties run the protocols interacting solely with a central node. This model complements the circuit-evaluation outsourcing feature by removing the need for synchronous and private party-to-party communication and the need for the input parties to be online and active for the protocol to progress. Hence, the cloud-assisted MHE−MPC protocol has a clear advantage in terms of tolerance to unreliable parties, which is a significant step toward large-scale MPC. We use the cloud-assisted model for the first two example circuits of Section 6 and demonstrate its practicality for computations involving thousands of parties. Adapting the multiparty BFV scheme (Section 4) to a T-out-of-N threshold scheme is a natural next step to address the challenge of parties going offline for an arbitrary amount of time, provided that the security requirements of the application tolerate the resulting weaker access structure.

5.3 Current Limitations

We discuss the current limitations of the MHE−MPC protocol and outline potential solutions. We observe that our proposed MBFV scheme is not the source of these limitations. Instead, they are current constraints of the MHE-based MPC approach that were not addressed in this work.

5.3.1 Arithmetic Circuits

A purely MHE-based MPC solution is indeed limited to computing arithmetic functions over its plaintext space. The MBFV plaintext space, (R_t[X], +, ×), is particularly suited for expressing vector and matrix arithmetic, due to the ability to rotate vectors of Z_t elements. Furthermore, analytic functions such as sin(x) or e^x can be efficiently evaluated through polynomial approximations. Although mapping application-specific functionalities to this computing model and finding the appropriate parameters is still a fairly manual process, the current effort in HE compilers will significantly simplify it [54].

Non-arithmetic functions such as comparisons and branching programs constitute a more fundamental limitation that also applies to LSSS-based MPC. However, the compilers of these solutions already propose workarounds, either by mapping them back to an arithmetic representation or by accepting the conditional-variable leakage.

As the sets of functions supported by the LSSS- and MHE-based approaches continue to grow, we expect that each system will have its own strengths and weaknesses. Hence, the ability to switch between the two representations with the Enc2Share and Share2Enc protocols is pivotal.
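The following Python script is added here as an illustration; it is neither the paper's code nor the Lattigo API. It walks through one execution of Protocol 6 (Section 5.1) and, in its aggregate function, through the share-summation pattern that Section 5.2.2 relies on. It replaces the RNS-optimized MBFV scheme with a textbook RLWE encryption over Z_q[X]/(X^n + 1), uses deliberately insecure toy parameters (n = 16, q = 2^40, t = 256), draws noise from a narrow uniform distribution instead of the σ = 3.2 discrete Gaussian, and omits relinearization, so BFV.Eval is restricted to a public linear function f. The input vectors, the CRS polynomial a, the weights, and all function names are constructed for this example.

```python
"""Toy run of the MHE-MPC protocol (Protocol 6): Setup / In / Eval / Out.

Added example; this is neither the paper's code nor the Lattigo API.
Textbook RLWE encryption over Z_q[X]/(X^n + 1) with insecure toy
parameters, no relinearization (so f must be linear) and a narrow
uniform noise in place of the discrete Gaussian.  What it shows is the
protocol shape: key shares never leave their owner, every published
value is a share combined by summation, and Eval uses no secret at all.
"""
import random

N = 16                      # ring degree n (Table 2 uses 2^13 .. 2^15)
Q = 2 ** 40                 # ciphertext modulus q
T = 256                     # plaintext modulus t, chosen so that Δ·t == q exactly
DELTA = Q // T              # Δ = floor(q/t)
rng = random.Random(2021)   # fixed seed: the run is reproducible

def centered(x):            # representative of x mod q in (-q/2, q/2]
    x %= Q
    return x - Q if x > Q // 2 else x

def add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def mul(a, b):              # negacyclic convolution, i.e. X^N = -1
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                res[i + j] = (res[i + j] + ai * bj) % Q
            else:
                res[i + j - N] = (res[i + j - N] - ai * bj) % Q
    return res

def uniform(): return [rng.randrange(Q) for _ in range(N)]
def ternary(): return [rng.choice((-1, 0, 1)) % Q for _ in range(N)]
def noise():   return [rng.randint(-3, 3) % Q for _ in range(N)]  # stand-in for σ = 3.2

def aggregate(shares):      # every MBFV protocol combines published shares by summation
    acc = [0] * N
    for sh in shares:
        acc = add(acc, sh)
    return acc

# Setup: MBFV.ΠEncKeyGen over a public uniform polynomial a (the CRS)
def enc_key_gen_share(s_i, a):       # party i publishes p_i = -(a·s_i + e_i)
    return [(-x) % Q for x in add(mul(a, s_i), noise())]

def enc_key_gen(key_shares, a):      # cpk = (Σ p_i, a) is a valid key for s = Σ s_i
    return (aggregate(enc_key_gen_share(s, a) for s in key_shares), a)

# In: plain BFV.Encrypt under cpk -> (p0·u + e1 + Δ·m, p1·u + e2)
def encrypt(pk, m):
    p0, p1 = pk
    u = ternary()
    c0 = add(add(mul(p0, u), noise()), [(DELTA * x) % Q for x in m])
    return (c0, add(mul(p1, u), noise()))

# Eval: f(x_1..x_N) = Σ w_i·x_i with public w_i; needs only ciphertexts
def eval_weighted_sum(cts, weights):
    c0, c1 = [0] * N, [0] * N
    for (a0, a1), w in zip(cts, weights):
        c0 = add(c0, [(w * x) % Q for x in a0])
        c1 = add(c1, [(w * x) % Q for x in a1])
    return (c0, c1)

# Out: MBFV.ΠPubKeySwitch, party i publishes (s_i·c1 + u_i·pR0 + e, u_i·pR1 + e')
def key_switch_share(s_i, ct, pk_r):
    _, c1 = ct
    pr0, pr1 = pk_r
    u_i = ternary()
    return (add(add(mul(s_i, c1), mul(u_i, pr0)), noise()),
            add(mul(u_i, pr1), noise()))

def pub_key_switch(key_shares, ct, pk_r):
    shares = [key_switch_share(s, ct, pk_r) for s in key_shares]
    return (add(ct[0], aggregate(h0 for h0, _ in shares)),
            aggregate(h1 for _, h1 in shares))

def decrypt(s, ct):                  # BFV.Decrypt: round(t/q · (c0 + c1·s)) mod t
    c0, c1 = ct
    return [((2 * T * centered(x) + Q) // (2 * Q)) % T for x in add(c0, mul(c1, s))]

def run_protocol(inputs, weights):
    """Full Protocol 6 run; returns (what R decrypts, Σ w_i·x_i mod t)."""
    a = uniform()                                        # public CRS
    key_shares = [ternary() for _ in inputs]             # sk_i, kept local by P_i
    cpk = enc_key_gen(key_shares, a)                     # Setup
    cts = [encrypt(cpk, x) for x in inputs]              # In
    c_out = eval_weighted_sum(cts, weights)              # Eval, run by C
    s_r = ternary()                                      # receiver R's own secret
    pk_r = enc_key_gen([s_r], a)                         # ordinary BFV key pair of R
    y = decrypt(s_r, pub_key_switch(key_shares, c_out, pk_r))   # Out, then R decrypts
    expected = [sum(w * x[k] for w, x in zip(weights, inputs)) % T for k in range(N)]
    return y, expected

if __name__ == "__main__":
    xs = [[rng.randrange(T) for _ in range(N)] for _ in range(3)]   # constructed inputs
    y, expected = run_protocol(xs, [1, 2, 3])
    print("R obtained", y)
    print("correct:", y == expected)
```

Running the script prints the receiver's decryption of Σ w_i·x_i mod t. The structural point to take from it is that enc_key_gen_share and key_switch_share are the only functions that touch a party's key share, both return values that are meant to be published, and aggregate combines them by a plain sum, which is exactly what permits a tree of nodes or a key-less central node to perform the aggregation (Section 5.2.2). eval_weighted_sum takes ciphertexts only, which is the property behind the cloud-outsourced model of Section 5.2.1.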
5.3.2 Active Adversary Model

Zero-knowledge-proof systems for lattice-based schemes are another active research topic [14, 55], which is essential to extend the MHE−MPC protocol to active security. We observe that, as the local operations of the MBFV scheme are of relatively low depth, proving their correct execution in zero-knowledge is practical. Rotaru et al. propose an actively secure distributed key-generation procedure for the BGV cryptosystem [51] that, despite its performance impact, could be adapted to BFV.

Proving the correct execution of the homomorphic evaluation by the abstract computing party C, however, can be significantly more challenging and is circuit-dependent. As the MHE−MPC protocol has a public transcript, a trivial solution is to publish this transcript as a proof. But this non-compact solution might be unsatisfactory in some applications.

Presently, honest-but-curious is the de facto threat model for cloud services, and passively secure MPC provides a way of protecting sensitive client data in these scenarios. In the peer-to-peer model, prototypes of such systems have been deployed in operational settings [49]. An example is the medical sector, where data collaborations are mutually beneficial and well-regulated, yet legally require a certain level of data protection.

6 Performance Analysis

We implemented the multiparty BFV scheme in the Lattigo open-source library [1]. It provides Go implementations of the two most widespread RLWE homomorphic schemes, BFV and CKKS, along with their multiparty versions. The library uses state-of-the-art optimizations based on the Chinese remainder theorem [8]. In addition to around an order of magnitude of acceleration, the RNS variant enables a more efficient way (i) of representing the key-switching intermediary basis w [35] and (ii) of implementing the smudging technique through RNS modular reduction and rounding [27].

In order to analyze the performance of the MHE−MPC protocol in both the cloud-assisted and the peer-to-peer settings, we evaluate three generic yet powerful circuits. These circuits represent common building blocks for more complex functionalities (that we briefly discuss), yet they do not introduce advanced domain-specific requirements and constraints. Thus, these circuits enable a compact and reproducible comparison with a baseline system for generic MPC. For a more complex example, we refer the reader to the work of Froelicher et al., who used the CKKS implementation of our proposed scheme for machine-learning training and prediction tasks [31].

In the cloud-assisted setting, we consider two example circuits: (i) A multiparty input-selection circuit and its application to multiparty private information retrieval (Section 6.2). (ii) The element-wise product of integer vectors and its application as a simple multiparty private-set-intersection protocol (Section 6.3). We compare the performance for both circuits against a baseline system that uses an LSSS-based approach: the MP-SPDZ library implementation [2] of the Overdrive protocol [39] for the semi-honest, dishonest-majority setting. In the peer-to-peer setting, we consider the task of generating Beaver multiplication triples (i.e., the "offline" phase of LSSS-based approaches, Section 6.4). We compare the performance against the SPDZ2K [23] Oblivious-Transfer-based and the Overdrive [39] HE-based triple-generation protocols.

6.1 Experimental Setup and Parameters

For the cloud-assisted setting, the client-side timings were measured on a MacBook Pro with a 3.1 GHz Intel i5 processor. The server-side timings were measured on a 2.5 GHz Intel Xeon E5-2680 v3 processor (2×12 cores). For the peer-to-peer setting, we ran all parties on the latter machine, over the localhost interface. We measure the network-related cost in terms of the number of communicated bytes (upstream + downstream), which does not account for network-introduced delays. We observe that this could slightly advantage the baseline LSSS-based system due to its non-constant number of rounds.

Cryptographic Parameters. Each experiment represents a different circuit and hence uses a different set of parameters (see Section 3.4). Therefore, we discuss the choice of parameters for each experiment. For convenience, we summarize all the parameters in Table 2, along with their security levels according to the HomomorphicEncryption.org standardization document [3].

Table 2. Experimental cryptographic parameters: Overview

    Set     log2 t   log2 n   log2 q   log2 w    σ     sec. (bits)
    I         32       13      218       26     3.2       128
    II-A      32       14      438      110     3.2       128
    II-B      16       14      438      110     3.2       128
    II-C      16       15      880      180     3.2       128
    III       32       13      218       55     3.2       128