A General Framework of Homomorphic Encryption for Multiple Parties with Non-interactive Key-Aggregation

Abstract

Homomorphic Encryption (HE) is a useful primitive for secure computation, but it is not generally applicable when multiple parties are involved, as the authority is solely concentrated in a single party, the secret key owner. To solve this issue, several variants of HE have emerged in the context of multiparty setting, resulting in two major lines of work – Multi-Party HE (MPHE) and Multi-Key HE (MKHE). In short, MPHEs tend to be more efficient, but all parties should be specified at the beginning to collaboratively generate a public key, and the access structure is fixed throughout the entire computation. On the other hand, MKHEs have relatively poor performance but provide better flexibility in that a new party can generate its own key and join the computation anytime.

In this work, we propose a new HE primitive, called Multi-Group HE (MGHE). Stated informally, an MGHE scheme provides seamless integration between MPHE and MKHE, and has the best of both worlds. In an MGHE scheme, a group of parties jointly generates a public key for efficient single-key encryption and homomorphic operations similar to MPHE. However, it also supports computation on encrypted data under different keys, in the MKHE manner. We formalize the security and correctness notions for MGHE and discuss the relation with previous approaches.

We also present a concrete instantiation of MGHE from the BFV scheme and provide a proof-of-concept implementation to demonstrate its performance. In particular, our MGHE construction has a useful property that the key generation is simply done by aggregating individual keys without any interaction between the parties, while all the existing MPHE constructions relied on multi-round key-generation protocols. Finally, we propose a general methodology to build a multi-party computational protocol from our MGHE scheme.

Appendices

A Construction of MGHE with CKKS

The CKKS supports approximate arithmetic operations for complex numbers. The BFV and CKKS have similar structure, we can easily extend MGHE scheme of the CKKS. The difference is that it adds an error into the plaintext itself and additionally supports the rescaling algorithm to control the size of ciphertext. The ciphertext has a level and it decreases whenever rescaling is performed. To proceed arithmetics between two ciphertexts, they should have same level and it requires bootstrapping when level is low in order to continue evaluation. We are going to provide MGHE scheme without interactive key generation. In this description, we skip setup, key generation, and joint key generation phase since they are same as BFV. Galois automorphism is also not included since it has same procedure with the BFV. We assume the ciphertext modulus \(q = \prod _{i=1}^{L}{p_i}\) for some integers \(p_i\) and denote \(q_l = \prod _{i=1}^{l}{p_i}\).

1.1 A.1 MGHE with CKKS

\(\bullet \) \(\underline{\texttt {MG-CKKS}.\texttt{Enc}(\textsf{ek}; m)}\): For a joint encryption key \(\textsf{ek}\) and a message m, return \(\textsf{ct}\leftarrow \texttt {MP-CKKS}.\texttt{Enc}(\textsf{ek}; m)\).

\(\bullet \) \(\underline{\texttt {MG-CKKS}.\texttt{Add}(\textsf{ct}, \textsf{ct}')}\): If two given ciphertexts \(\textsf{ct}\) and \(\textsf{ct}'\) has same level, return the ciphertext \(\textsf{ct}_{add}=\textsf{ct}+ \textsf{ct}' \pmod q\). If not, modify ciphertexts to have same level before the computation.

\(\bullet \) \(\underline{\texttt {MG-CKKS}.\texttt{Mult}(\{\textsf{rlk}_j\}_{1 \le j \le k}; \textsf{ct}, \textsf{ct}')}\): Set \(\textsf{ct}\) and \(\textsf{ct}'\) have same level. Let \(\textsf{ct}=(c_i)_{0\le i\le k}\) and \(\textsf{ct}'=(c_i')_{0\le i\le k}\) be two multi-group ciphertexts and \(\{\textsf{rlk}_j\}_{1\le j\le k}\) the collection of the joint relinearization keys of groups \(I_j\) for \(1\le j\le k\). Compute \(\textsf{ct}_\mathsf {{mul}}= (c_{i,j})_{0\le i,j\le k}\) where \(c_{i,j}=c_i c_j' \pmod q\) for \(0\le i,j\le k\). Return the ciphertext \(\texttt {MG-CKKS}.\texttt{Relin}(\{\textsf{rlk}_j\}_{1 \le j \le k}; \textsf{ct}_\mathsf {{mul}})\) where \(\texttt {MG-CKKS}.\texttt{Relin}(\cdot )\) is the relinearization procedure described in Algorithm 1.

\(\bullet \) \(\underline{\texttt {MG-CKKS}.\texttt{Rescale}(\textsf{ct})}\): Given a ciphertext \(\textsf{ct}= (c_0, c_1, \dots , c_k) \in R_{q_{l}}^{k+1}\) at level l, compute \(c'_i = \left\lfloor {p_{l}^{-1} \cdot c_i}\right\rceil \) for \(1 \le i \le k\), and return \(\textsf{ct}' = (c'_0, c'_1, \dots ,c'_k) \in R_{q_{l} - 1}^{k+1}\) which is at level \(l-1\).

\(\bullet \) \(\underline{\texttt {MG-CKKS}.\texttt{Dec}(\{\textsf{sk}_j\}_{1\le j\le k};\textsf{ct})}\): Given a ciphertext \(\textsf{ct}=(c_0, c_1,\dots , c_k)\) and joint secret keys \(\textsf{sk}_j=s_j\) for \(1\le j\le k\), return \(m =\left\langle \textsf{ct}, \textsf{sk}\right\rangle = (c_0+\sum _{1\le j\le k} c_i\cdot s_j) \pmod t\).

\(\bullet \) \(\underline{\texttt {MG-CKKS}.\texttt{DistDec}(\{[\textsf{sk}_j]_i\}_{1\le j\le k, i\in I_j}, \sigma ';\textsf{ct})}\): Let \(\textsf{ct}=(c_0, \dots , c_k)\) be a multi-group ciphertext corresponding to the set of groups \( \{I_1, \dots , I_k\}\) and \([\textsf{sk}]_i=[s]_i\) be the secret of party \(i\in I_j\).

• Partial decryption: For \(1\le j\le k\), each party \(i\in I_j\) samples \([e'_j]_i\leftarrow D_{\sigma '}\), then computes and publishes \([\mu _j]_i= c_j\cdot [s]_i+[e'_j]_i\pmod q\).

• Merge: Compute \(m=(c_0+\sum _{1\le j\le k}\sum _{i\in I_j} [\mu _j]_i) \pmod t\).

B Noise Analysis

Before estimating a noise growth, we specify some distributions for sampling randomness or errors. Let the key distribution \(\chi \) be the distribution where each coefficient is sampled from the set \(\{0, \pm 1\}\) with probability 0.25 for each of \(-1\) and 1 and with probability 0.5 for 0. Set the error distribution \(\psi _\ell \) be the discrete Gaussian distribution of variance \(\sigma ^{2}\). We also assume that the coefficients of the polynomials are independent zero-mean random variables with the same variances. We denote by \(\textsf {Var}(a) = \textsf {Var}(a_i)\) the variance of coefficients for random variable \(a = \sum _i a_i \cdot X^{i}\) over the ring R. Then the variance of the product \(c = a \cdot b\) of two polynomials with degree n can be represented as \(\textsf {Var}(c) = n \cdot \textsf {Var}(a) \cdot \textsf {Var}(b)\) if a and b are independent. Similarly, we define variance for a vector \(\textbf{a}\in R^d\) of random variables as \(\textsf {Var}(\textbf{a}) =\frac{1}{d}\sum _{i=1}^{d}{\textsf {Var}(\textbf{a}[i])}\). We also assume that each ciphertext behaves as if it is a uniform random variable over \(R_{q}^{k+1}\). We analyze the noise growth of k-group case, each comprising \(N_{i}\) parties for \(1 \le i \le k\).

1.1 B.1 Encryption

Recall that the encryption \(\textsf{ct}= (c_0,c_1) \in R_q^2\) of \(m \in R_p\) is \(\textsf{ct}= t \cdot \textsf{ek}+ (\varDelta \cdot m + e_0, e_1) \pmod q\) where \(t \leftarrow \chi \) and \(e_{0}, e_{1} \leftarrow D_\sigma \). For \(\textsf{ek}= ({\textbf{b}}[0], \textbf{a}[0]) \in R_q^2\), we remark that \({\textbf{b}}[0] + \textbf{a}[0] \cdot s = \sum _{i \in I}[{\textbf{e}}_0]_i[0]\) and each \([{\textbf{e}}_0]_i[0]\) is sampled from \(D_\sigma \). Then, it satisfies that \(c_0 + c_1 \cdot s = \varDelta \cdot m + t ({\textbf{b}}[0] + \textbf{a}[0] \cdot s) + (e_0 + e_1 \cdot s) = \varDelta \cdot m + (t \sum _{i \in I}[{\textbf{e}}_0]_i[0] + e_{0} + e_{1} \cdot s) \pmod q\). The encryption noise \(e_{\mathsf {{enc}}} = t \sum _{i \in I}[{\textbf{e}}_0]_i[0] + e_{0} + e_{1} \cdot s\) has the variance of \(V_{\mathsf {{enc}}} = \sigma ^{2} \cdot (\frac{n|I|}{2} + 1 + \frac{n}{2}) \approx \frac{n\sigma ^{2}(|I|+1)}{2}.\)

The CKKS scheme has the same encryption error as the BFV scheme. The only difference is that there is no scaling factor \(\varDelta \) in the result of decryption.

1.2 B.2 Relinearization

In Algorithm 1 of Sect. 4.3, it satisfies that

$$\begin{aligned} \sum _{1\le i\le k}c_i''\boxdot ({\textbf{v}}_i+s_i\cdot {\textbf{u}}) &= - \sum _{1\le i\le k} r_i \cdot c_i'' + \sum _{1\le i\le k} c''_{i} \boxdot {\textbf{e}}_{i,2} \\ &= - \sum _{1\le i,j\le k} r_i \cdot (c_{i,j}\boxdot {\textbf{b}}_j) + \sum _{1 \le i \le k}{c''_{i} \boxdot {\textbf{e}}_{i,2}}\pmod {q} \end{aligned}$$

and

$$\begin{aligned} & \sum _{1\le i,j\le k} (c_{i,j}\boxdot {\textbf{d}}_i ) \cdot s_{j} \\ =& \sum _{1\le i,j\le k} {r_i \cdot \left( c_{i,j} \boxdot ({\textbf{b}}_j - {\textbf{e}}_{j,0}) \right) } + \sum _{1\le i,j\le k} s_is_j \cdot c_{i,j} + \sum _{1\le i,j\le k} {s_j \cdot (c_{i,j} \boxdot {\textbf{e}}_{i,1})} \\ =& \sum _{1\le i,j\le k} r_i\cdot (c_{i,j} \boxdot {\textbf{b}}_j) + \sum _{1\le i,j\le k} s_is_j \cdot c_{i,j} + \sum _{1\le i,j\le k}{e_{i,j}'} \pmod q \end{aligned}$$

where \(e_{i,j}'= c_{i,j} \boxdot (s_j \cdot {\textbf{e}}_{i,1} - r_i \cdot {\textbf{e}}_{j,0})\).

We denote by \(V_{g} = \textsf {Var}(h(a))\) where a is a uniform random variable over \(R_{q}\). Then, the variance of relinearization error \(e_{\mathsf {{relin}}} = \sum _{1 \le i \le k}{c''_{i} \boxdot {\textbf{e}}_{i,2}} + \sum _{1 \le i,j \le k} {e_{i,j}'} \) is obtained as follows:

$$V_{\mathsf {{relin}}} = n d V_g \sigma ^2 \sum _{1 \le i \le k}N_i^2 + 2n^2 d V_g \sigma ^2 k^2 \sum _{1 \le i \le k}N_i^2 \approx 2n^2 d V_g \sigma ^2 k \sum _{1 \le i \le k}N_i^2$$

In our implementation, we use RNS-friendly decomposition \(R_q = \prod _i{R_{p_i}}\) such that \(p_i\)’s have the same bit-size. Here, we have \(V_{g} = \frac{1}{12d} \sum ^{d}_{i=1}{p_{i}^{2}}\) for \(d = \lceil {\log q / \log {p_{i}}} \rceil \).

1.3 B.3 Multiplication

We again consider k-group case, each comprising \(N_{i}\) parties for \(1 \le i \le k\). Let \(\textsf{ct}_1\) and \(\textsf{ct}_2\) be the input ciphertexts of messages \(m_1\) and \(m_2\) respectively. Each ciphertext \(\textsf{ct}_i\) satisfies that \(\left\langle \textsf{ct}_i, \overline{\textsf{sk}}\right\rangle = q \cdot I_i + \varDelta \cdot m_i + e_i\) for \(I_i = \lfloor {\frac{1}{q} \left\langle \textsf{ct}_i, \overline{\textsf{sk}}\right\rangle } \rceil \) and some \(e_i\). Here, we have the variance \(\textsf {Var}(I_i) \approx \frac{1}{12} (1 + \frac{1}{2} kn) \approx \frac{1}{24} kn\) since \(\frac{1}{q} \cdot \textsf{ct}_i\) behaves as an uniform random variable over \(\frac{1}{q} \cdot R_{q}^{k+1}\).

The result of tensor product satisfies that \(\left\langle \textsf{ct}_1 \otimes \textsf{ct}_2, \overline{\textsf{sk}}\otimes \overline{\textsf{sk}}\right\rangle = \left\langle \textsf{ct}_1, \overline{\textsf{sk}}\right\rangle \cdot \left\langle \textsf{ct}_2, \overline{\textsf{sk}}\right\rangle = \varDelta ^2 \cdot m_1 m_2 + q \cdot (I_1 e_2 + I_2 e_1) + \varDelta \cdot (m_1 e_2 + m_2 e_1) + e_1 e_2 \pmod {q \cdot \varDelta }\) and for \(\textsf{ct}_{\mathsf {{mul}}} = \left\lfloor {\frac{p}{q} \cdot \textsf{ct}_1 \otimes \textsf{ct}_2}\right\rceil \), we have \(\left\langle \textsf{ct}_{\mathsf {{mul}}}, \overline{\textsf{sk}}\otimes \overline{\textsf{sk}}\right\rangle = \varDelta \cdot m_1 m_2 + p \cdot (I_1 e_2 + I_2 e_1) + (m_1 e_2 + m_2 e_1) + \varDelta ^{-1} \cdot e_1 e_2 + e_{rd}\) where \(e_{rd} = \left\langle \frac{p}{q} \cdot \textsf{ct}_1 \otimes \textsf{ct}_2 - \textsf{ct}_{mul}, \overline{\textsf{sk}}\otimes \overline{\textsf{sk}}\right\rangle \). That is, the multiplication error is obtained by \(e_{\mathsf {{mul}}} = p \cdot (I_1 e_2 + I_2 e_1) + (m_1 e_2 + m_2 e_1) + \varDelta ^{-1} \cdot e_1 e_2 + e_{rd}.\) From the above equation, the first term \(p \cdot (I_1 e_2 + I_2 e_1)\) dominates the whole multiplication error. Therefore, we have the variance of multiplication error by

$$V_{\mathsf {{mul}}} \approx np^2 \cdot (\textsf {Var}(I_1) \textsf {Var}(e_2) + \textsf {Var}(I_2) \textsf {Var}(e_1)) \approx \frac{1}{24} k n^2p^2 (\textsf {Var}(e_1) + \textsf {Var}(e_2)).$$

While the relinearization error has a fixed size depending on the parameters, the multiplication error increases by a certain ratio as the computation proceeds. Therefore, the total noise is eventually dominated by the multiplication error unless \((\textsf {Var}(e_1) + \textsf {Var}(e_2))\) is very small (e.g. fresh ciphertext).