
Decentralized Evaluation of Quadratic Polynomials on Encrypted Data

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 11723)

Abstract

Since Gentry's seminal paper on Fully Homomorphic Encryption (FHE) in 2009, a lot of work and improvements have been proposed, with an impressive number of possible applications. FHE allows outsourcing any kind of computation on encrypted data without leaking any information to the provider who performs the computation, which is quite useful for sensitive data (finance, medical, etc.).

Unfortunately, FHE cannot deliver the result of a computation on private inputs to a third party in cleartext: the user who can decrypt the result is also able to decrypt the inputs. A classical approach to limiting decryption power is distributed decryption, but none of the existing FHE schemes supports distributed decryption with an efficient protocol.

In this paper, we revisit the Boneh-Goh-Nissim (BGN) cryptosystem and Freeman's variant, which allow the evaluation of quadratic polynomials, or any 2-DNF formula. Whereas the BGN scheme relies on integer factoring for the trapdoor in the composite-order group, and thus has a single public/secret key pair, Freeman's scheme can handle multiple users with one common setup that only needs to define a pairing-based algebraic structure. We show that it can be efficiently decentralized: an efficient distributed key generation algorithm without any trusted dealer, together with efficient distributed decryption and distributed re-encryption, in a threshold setting. We then provide some applications of computations on encrypted data without a central authority.


References

  1. Abdalla, M., Benhamouda, F., Kohlweiss, M., Waldner, H.: Decentralizing inner-product functional encryption. Cryptology ePrint Archive, Report 2019/020 (2019). https://eprint.iacr.org/2019/020

  2. Attrapadung, N., Hanaoka, G., Mitsunari, S., Sakai, Y., Shimizu, K., Teruya, T.: Efficient two-level homomorphic encryption in prime-order bilinear groups and a fast implementation in WebAssembly. In: Kim, J., Ahn, G.J., Kim, S., Kim, Y., López, J., Kim, T. (eds.) ASIACCS 2018, pp. 685–697. ACM Press (2018)

  3. Baltico, C.E.Z., Catalano, D., Fiore, D., Gay, R.: Practical functional encryption for quadratic functions with applications to predicate encryption. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 67–98. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_3

  4. Blaze, M., Bleumer, G., Strauss, M.: Divertible protocols and atomic proxy cryptography. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 127–144. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054122

  5. Boneh, D., Goh, E.-J., Nissim, K.: Evaluating 2-DNF formulas on ciphertexts. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 325–341. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30576-7_18

  6. Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6_16

  7. Catalano, D., Fiore, D.: Using linearly-homomorphic encryption to evaluate degree-2 functions on encrypted data. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015, pp. 1518–1529. ACM Press, October 2015

  8. Chase, M., Chow, S.S.M.: Improving privacy and security in multi-authority attribute-based encryption. In: Al-Shaer, E., Jha, S., Keromytis, A.D. (eds.) ACM CCS 2009, pp. 121–130. ACM Press, November 2009

  9. Chotard, J., Dufour Sans, E., Gay, R., Phan, D.H., Pointcheval, D.: Decentralized multi-client functional encryption for inner product. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11273, pp. 703–732. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03329-3_24

  10. Chotard, J., Dufour Sans, E., Gay, R., Phan, D.H., Pointcheval, D.: Multi-client functional encryption with repetition for inner product. Cryptology ePrint Archive, Report 2018/1021 (2018). https://eprint.iacr.org/2018/1021

  11. Culnane, C., Pereira, O., Ramchen, K., Teague, V.: Universally verifiable MPC with applications to IRV ballot counting. Cryptology ePrint Archive, Report 2018/246 (2018). https://eprint.iacr.org/2018/246

  12. Dorfman, R.: The detection of defective members of large populations. Ann. Math. Stat. 14(4), 436–440 (1943)

  13. Fiat, A., Naor, M.: Broadcast encryption. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 480–491. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_40

  14. Frederiksen, T.K., Lindell, Y., Osheter, V., Pinkas, B.: Fast distributed RSA key generation for semi-honest and malicious adversaries. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 331–361. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_12

  15. Freeman, D.M.: Converting pairing-based cryptosystems from composite-order groups to prime-order groups. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 44–61. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_3

  16. Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th FOCS, pp. 40–49. IEEE Computer Society Press, October 2013

  17. Gay, R.: Functional encryption for quadratic functions, and applications to predicate encryption. Cryptology ePrint Archive, Report 2016/1106 (2016). http://eprint.iacr.org/2016/1106

  18. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Mitzenmacher, M. (ed.) 41st ACM STOC, pp. 169–178. ACM Press, May/June 2009

  19. Goldwasser, S., et al.: Multi-input functional encryption. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 578–602. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_32

  20. Goldwasser, S., Goyal, V., Jain, A., Sahai, A.: Multi-input functional encryption. Cryptology ePrint Archive, Report 2013/727 (2013). http://eprint.iacr.org/2013/727

  21. Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: Reusable garbled circuits and succinct functional encryption. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th ACM STOC, pp. 555–564. ACM Press, June 2013

  22. Gordon, S.D., Katz, J., Liu, F.H., Shi, E., Zhou, H.S.: Multi-input functional encryption. Cryptology ePrint Archive, Report 2013/774 (2013). http://eprint.iacr.org/2013/774

  23. Kawai, Y., Matsuda, T., Hirano, T., Koseki, Y., Hanaoka, G.: Proxy re-encryption that supports homomorphic operations for re-encrypted ciphertexts. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. E102.A, 81–98 (2019)

  24. Lewko, A., Waters, B.: Decentralizing attribute-based encryption. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 568–588. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_31

  25. Naor, D., Naor, M., Lotspiech, J.: Revocation and tracing schemes for stateless receivers. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 41–62. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_3

  26. Phan, D.H., Pointcheval, D., Strefler, M.: Decentralized dynamic broadcast encryption. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 166–183. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32928-9_10

  27. Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_27

  28. Schapire, R.: Computer science 511 - theoretical machine learning (2014). http://www.cs.princeton.edu/courses/archive/spring14/cos511/

  29. Shamir, A.: How to share a secret. Commun. Assoc. Comput. Mach. 22(11), 612–613 (1979)


Acknowledgments

This work was supported in part by the European Community’s Seventh Framework Programme (FP7/2007-2013 Grant Agreement no. 339563 – CryptoCloud) and the French ANR ALAMBIC Project (ANR16-CE39-0006).

Author information

Corresponding author: David Pointcheval.

A Freeman's Approach

A.1 Description

For Freeman's construction, we use the bracket notation, extended to vectors and matrices, as explained in Fig. 2.

Fig. 2. Bracket notations (figure not reproduced on this page)

The main goal of Freeman's approach was to generalize the BGN cryptosystem to any hard subgroup problem. We instantiate a variant of Freeman's cryptosystem that allows multiple users, without the twin ciphertexts (in G and H). Since we work in the groups \(\mathbb {G}_1\), \(\mathbb {G}_2\), and \(\mathbb {G}_T\), the algorithms \(\mathsf {Keygen},\mathsf {Encrypt}\) and \(\mathsf {Decrypt}\) take a subscript s specifying the group \(\mathbb {G}_s\) in which they operate, while the \(\mathsf {Setup}\) is common.

  • \(\mathsf {Setup}(\lambda )\): Given a security parameter \(\lambda \), run and output .

  • \(\mathsf {Keygen}_{s}(\mathsf {param})\): For \(s \in \{1,2\}\), choose \(\mathbf {B}_{s}\overset{{}_\$}{\leftarrow }\mathrm {GL}_{2}(\mathbb {Z}_{p})\), let \(\mathbf {P}_{s} = \mathbf {B}_{s}^{-1}\mathbf {U}_2\mathbf {B}_{s}\) (where \(\mathbf {U}_2\) is the canonical matrix for projection on the first coordinate, in dimension 2) and \(\mathbf {p}_{s} \in \ker (\mathbf {P}_{s})\setminus \{\mathbf {0}\}\), and output the public key \(\mathsf {pk}_{s} = [\mathbf {p}_{s}]_{s}\) and the private key \(\mathsf {sk}_{s} = \mathbf {P}_{s}\). In the following, we always implicitly assume that the public keys contain the public parameters \(\mathsf {param}\), and the private keys contain the public keys. From \((\mathsf {pk}_1,\mathsf {sk}_1)\leftarrow \mathsf {Keygen}_1(\mathsf {param})\) and \((\mathsf {pk}_2,\mathsf {sk}_2)\leftarrow \mathsf {Keygen}_2(\mathsf {param})\), one can consider \(\mathsf {pk}_{T}=(\mathsf {pk}_{1},\mathsf {pk}_{2})\) and \(\mathsf {sk}_{T} = (\mathsf {sk}_{1},\mathsf {sk}_{2})\).

  • \(\mathsf {Encrypt}_{s}(\mathsf {pk}_{s},m,A_{s})\): For \(s \in \{1,2\}\), to encrypt a message \(m\in \mathbb {Z}_{p}\) using public key \(\mathsf {pk}_{s}\) and \(A_{s } = [\mathbf {a}]_{s}\in \mathbb {G}_{s}^{2}\), choose \(r \overset{{}_\$}{\leftarrow }\mathbb {Z}_{p}\) and output the ciphertext . For \(s = T\), with \(A_{s} = ([\mathbf {a}_{1}]_{1},[\mathbf {a}_{2}]_{2})\), set , choose \([\mathbf {r}_{1}]_{1} \overset{{}_\$}{\leftarrow }\mathbb {G}_{1}^{2},[\mathbf {r}_{2}]_{2} \overset{{}_\$}{\leftarrow }\mathbb {G}_{2}^{2}\), and output .

  • \(\mathsf {Decrypt}_{s}(\mathsf {sk}_{s},C_{s})\): For \(s \in \{1,2\}\), given \(C_{s}=([\mathbf {c}_{s,1}]_{s},[\mathbf {c}_{s,2}]_{s})\) and \(\mathsf {sk}_{s} = \mathbf {P}_{s}\), let \(C'_{s}=([\mathbf {c}_{s,1}]_{s} \cdot \mathbf {P}_{s},[\mathbf {c}_{s,2}]_{s} \cdot \mathbf {P}_{s})\). For \(s = T\), compute \(C'_{T}=([\mathbf {c}_{T,1}]_{T} \cdot (\mathbf {P}_{1}\otimes \mathbf {P}_{2}),[\mathbf {c}_{T,2}]_{T} \cdot (\mathbf {P}_{1}\otimes \mathbf {P}_{2}))\).

    In both cases, output the discrete logarithm of the first component of \(\mathbf {c}'_{s,1}\) in base the first component of \(\mathbf {c}'_{s,2}\). As in BGN, this last step is a discrete logarithm in the group, so it is only computable (by exhaustive search or a baby-step giant-step table) when the result lies in a small message space.

Note that the matrices \(\mathbf {B}_{1}\) and \(\mathbf {B}_{2}\) are drawn independently, so the keys in \(\mathbb {G}_1\) and \(\mathbb {G}_2\) are independent. For any pair \((\mathsf {pk}_{1}=[\mathbf {p}_1]_1,\mathsf {pk}_{2}=[\mathbf {p}_2]_2)\), one can implicitly define a public key for the target group. To decrypt in the target group, both private keys \(\mathsf {sk}_{1}=\mathbf {P}_1\) and \(\mathsf {sk}_{2} = \mathbf {P}_2\) are needed. Actually, \(\mathbf {P}_{1}\otimes \mathbf {P}_{2}\) alone suffices to decrypt: \(C'_{T}=([\mathbf {c}_{T,1}]_{T} \cdot (\mathbf {P}_{1}\otimes \mathbf {P}_{2}),[\mathbf {c}_{T,2}]_{T} \cdot (\mathbf {P}_{1}\otimes \mathbf {P}_{2}))\), but \(\mathbf {P}_{1}\otimes \mathbf {P}_{2}\) and \((\mathbf {P}_{1},\mathbf {P}_{2})\) carry the same information and the latter is more compact (two \(2\times 2\) matrices, i.e. 8 field elements, instead of a \(4\times 4\) one with 16).

A.2 Distributed Decryption

When a third party performs the decryption, it should be able to prove that it decrypted correctly, which can be done with classical zero-knowledge proofs. Better still, the decryption process can be distributed among several servers, under the assumption that only a small fraction of them are corrupted or under the control of an adversary.

To decrypt a ciphertext in \(\mathbb {G}_{s}\) with \(s \in \{1,2\}\), one needs to compute \(([\mathbf {c}_{s,1}]_{s} \cdot \mathsf {sk}_{s},[\mathbf {c}_{s,2}]_{s} \cdot \mathsf {sk}_{s})\). In the manner of Shamir's secret sharing [29], one can perform a t-out-of-n threshold secret sharing of \(\mathsf {sk}_{s}\) such that \(\mathsf {sk}_{s} = \sum _{i \in I} \lambda _{I,i}\mathsf {sk}_{s,i}\) for any subset \(I \subset \{1, \ldots , n \}\) of t parties, where the \(\lambda _{I,i} \in \mathbb {Z}_{p}\) are the Lagrange coefficients and \(\mathsf {sk}_{s,i}\) is the key share of the party \(P_{i}\). Since decryption is linear in \(\mathsf {sk}_{s}\), each party applies its own share to the ciphertext and the partial results are combined with the \(\lambda _{I,i}\). For \(s = T\), with only \(\mathsf {sk}_{1}\) and \(\mathsf {sk}_{2}\) shared, distributed decryption is also possible, using the relation \(\mathsf {sk}_{1} \otimes \mathsf {sk}_{2} = (\mathsf {sk}_{1} \otimes \mathbf {1}) \times (\mathbf {1} \otimes \mathsf {sk}_{2})\). One can thus run a two-round decryption, first with the shares of the \(\mathbb {G}_1\) key and then with those of the \(\mathbb {G}_2\) key.

However, in this scheme the secret key must be a projection matrix, which is not easy to generate at random in a distributed way: with this key generation algorithm a trusted dealer is required, which is not ideal when nobody is trusted.


Copyright information

© 2019 Springer Nature Switzerland AG


Cite this paper

Hébant, C., Phan, D.H., Pointcheval, D. (2019). Decentralized Evaluation of Quadratic Polynomials on Encrypted Data. In: Lin, Z., Papamanthou, C., Polychronakis, M. (eds) Information Security. ISC 2019. Lecture Notes in Computer Science, vol 11723. Springer, Cham. https://doi.org/10.1007/978-3-030-30215-3_5


  • DOI: https://doi.org/10.1007/978-3-030-30215-3_5


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-30214-6

  • Online ISBN: 978-3-030-30215-3
