
Excalibur Key-Generation Protocols for DAG Hierarchic Decryption

  • Conference paper
Information Security and Cryptology – ICISC 2018 (ICISC 2018)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11396))


Abstract

Public-key cryptography applications often require structuring decryption rights according to some hierarchy. This is typically addressed with re-encryption procedures or by relying on trusted parties, in order to avoid secret-key transfers and leakages. Using a novel approach, Goubin and Vial-Prado (2016) take advantage of the Multikey FHE-NTRU encryption scheme to establish decryption rights at key-generation time, thus preventing leakage of all secrets involved (even by powerful key-holders). Their algorithms are intended for two parties, and can be reused to form chains of users with inherited decryption rights. In this article, we provide new protocols for generating Excalibur keys under any DAG-like hierarchy, and present formal proofs of security against semi-honest adversaries. Our protocols are compatible with the homomorphic properties of FHE-NTRU, and the base case of our security proofs may be regarded as a more formal, simulation-based proof of said work.


Notes

  1. In the vector space \(R_q^m\). Recall that \(R_q\simeq \mathbb {F}_{q^n}\), the field of characteristic \(q^n\).

References

  1. Asharov, G., Lindell, Y., Schneider, T., Zohner, M.: More efficient oblivious transfer and extensions for faster secure computation, November 2013
  2. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: Proceedings of the 42nd IEEE Symposium on Foundations of Computer Science, pp. 136–145. IEEE (2001)
  3. Canetti, R.: Security and composition of cryptographic protocols: a tutorial (part I). SIGACT News 37(3), 67–92 (2006)
  4. Goubin, L., Vial Prado, F.J.: Blending FHE-NTRU keys – the Excalibur property. In: Dunkelman, O., Sanadhya, S.K. (eds.) INDOCRYPT 2016. LNCS, vol. 10095, pp. 3–24. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-49890-4_1
  5. Ishai, Y., Kilian, J., Nissim, K., Petrank, E.: Extending oblivious transfers efficiently. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 145–161. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_9
  6. Li, S.-D., Dai, Y.-Q.: Secure two-party computational geometry. J. Comput. Sci. Technol. 20(2), 258–263 (2005)
  7. Lindell, Y.: How to simulate it – a tutorial on the simulation proof technique. In: Tutorials on the Foundations of Cryptography. ISC, pp. 277–346. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-57048-8_6
  8. López-Alt, A., Tromer, E., Vaikuntanathan, V.: On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption. In: Proceedings of the Forty-Fourth Annual ACM Symposium on Theory of Computing, STOC 2012, pp. 1219–1234. ACM, New York (2012)
  9. Stehlé, D., Steinfeld, R.: Making NTRU as secure as worst-case problems over ideal lattices. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 27–47. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_4
  10. Thomae, E., Wolf, C.: Solving underdetermined systems of multivariate quadratic equations revisited. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 156–171. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30057-8_10


Acknowledgements

We would like to thank the anonymous reviewers for their comments. This work was supported by Instituto Milenio Fundamentos de los Datos, Vicuña Mackenna 4860, Santiago, Chile, and Fondecyt Chile (project number 1170866). The fourth author would like to thank Claudio Orlandi for his insight and for providing references on simulation-based proofs, and Martín Ugarte for his helpful comments.

Author information

Correspondence to Francisco Vial-Prado.


Appendices

A Scalar Product Protocol \(SP_m\)

In our k-Multiplication protocol (Algorithm 2), parties rely on a multiparty scalar product protocol as a subroutine to cancel additive noise.

Definition 9

For \(m\in \mathbb {N}\), let \(SP_m\) be a two-party protocol performing the following. Party A has a sequence of bits ordered in a binary vector \(\mathbf {b} = (b_1,\dots ,b_m)\). For each \(i=1,\dots ,m\), party B has a pair of polynomials \((p_i^{(0)},p_i^{(1)})\) of \(R_q\). In the end, party A learns \(\gamma = p_1^{(b_1)}+p_2^{(b_2)}+\dots +p_m^{(b_m)}\) and nothing more. Party B learns nothing.

We refer to this functionality as a scalar productFootnote 1, since it computes

$$\gamma = \sum _{i=1}^m p_i^{(b_i)} = (p_1^0,\dots ,p_m^0)\cdot \mathbf {b}^c + (p_1^1,\dots ,p_m^1)\cdot \mathbf {b},$$

where \(\mathbf {b}^c = (\bar{b}_1,\dots ,\bar{b}_m)\) is the binary complement of \(\mathbf {b}\). The protocol is outlined in Algorithm 8 below.

Remark: This protocol can be restated as a \(\binom{2^m}{1}\text{-OT}\) protocol, as follows. For each \(x\in \{0,1\}^m\), party B computes a mapping \(x\mapsto \sum _{i=1}^m p_i^{(x[i])}\), where \(x[i]\) is the i-th bit of x. Then, party A extracts the polynomial corresponding to \(x'=\mathbf {b}\) with a \(\binom{2^m}{1}\text{-OT}\) protocol. We point out that this is highly inefficient, because B needs to compute \(O(2^m)\) additions in \(R_q\).

[Algorithm 8: the scalar product protocol \(SP_m\) (figure not reproduced)]
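The following is an added example, not code from the paper: it evaluates the ideal \(SP_m\) functionality of Definition 9 in the clear, checks the scalar-product identity of Appendix A against it, and builds the \(2^m\)-entry table of the Remark to make the exponential cost of the OT restatement visible. It assumes only that addition in \(R_q\) is coefficient-wise modulo q (no reduction polynomial is needed for additions); the modulus, degree and all polynomials are constructed toy values, not secure NTRU parameters.

```python
# Added example (not the paper's code): SP_m of Definition 9 evaluated in the
# clear, plus the scalar-product form and the 2^m-to-1 OT table from the Remark.
# Assumption: R_q addition is coefficient-wise mod q, so the reduction polynomial
# of R_q is irrelevant here. Q and N are constructed toy values.
from itertools import product
import random

Q = 97  # toy modulus (constructed)
N = 8   # toy degree: a polynomial is a list of N coefficients mod Q


def add(p, r):
    """Addition in R_q: coefficient-wise mod q."""
    return [(a + b) % Q for a, b in zip(p, r)]


def sp_m(bits, pairs):
    """Ideal SP_m: A holds selector bits b, B holds pairs (p_i^(0), p_i^(1)).
    A learns gamma = sum_i p_i^(b_i); in the real protocol B learns nothing."""
    assert len(bits) == len(pairs)
    gamma = [0] * N
    for b, (p0, p1) in zip(bits, pairs):
        gamma = add(gamma, p1 if b else p0)
    return gamma


def scalar_product_form(bits, pairs):
    """The same value written as (p^0) . b^c + (p^1) . b, as in Appendix A."""
    acc = [0] * N
    for b, (p0, p1) in zip(bits, pairs):
        # complement bit (1-b) selects p_i^(0), bit b selects p_i^(1)
        acc = add(acc, [((1 - b) * c0 + b * c1) % Q for c0, c1 in zip(p0, p1)])
    return acc


def ot_table(pairs):
    """B's table x -> sum_i p_i^(x[i]) for all x in {0,1}^m (the Remark's
    2^m-to-1 OT restatement). Its size is exactly the inefficiency noted."""
    return {x: sp_m(x, pairs) for x in product((0, 1), repeat=len(pairs))}


def demo(m=4, seed=1):
    """Constructed instance: random bits for A, random pairs for B."""
    rng = random.Random(seed)
    bits = tuple(rng.randrange(2) for _ in range(m))
    rnd = lambda: [rng.randrange(Q) for _ in range(N)]
    pairs = [(rnd(), rnd()) for _ in range(m)]
    gamma = sp_m(bits, pairs)
    table = ot_table(pairs)
    # all three views of the functionality agree on gamma
    assert gamma == scalar_product_form(bits, pairs) == table[bits]
    return gamma, len(table)  # table has 2^m entries
```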

B Algorithmic Complexity

In this appendix we develop expressions for the computational complexity of our key generation protocols. Throughout this section, let \(n, q, B\) be secure NTRU parameters, let m be such that it is infeasible to compute \(2^m\) additions in \(R_q\), and let k parties be involved in the key generation procedure.

As we show below, an Excalibur key pair \((\mathsf{sk},\mathsf{pk})\) can be generated in \(O((2m)^k)\) products in \(R_q\) and \(O((2m)^{k-1})\) basic \(\binom{2}{1}\text{-OT}\) protocols. While this is certainly prohibitive for a large number of parties and reasonable security, with fast polynomial multiplication and OT-extension techniques it is possible to generate a key pair with \(k=4\) and \(m=128\) in some minutes. Let us also mention that this key acts as any other key of the system, that is, after key generation is completed, no extra complexity is to be expected for encryption, decryption or homomorphic procedures (other than coefficient size, whose impact on complexity is analyzed in [8]).

Definition 10

Let \(\theta \) (resp. \(\pi \)) be the computational cost of performing a \(\binom{2}{1}\text{-OT}\) protocol (resp. performing a multiplication in \(R_q\)).

Proposition 6

The computational cost of performing is approximately \((2m)^{k-1}\pi +(2m)^{k-1}\theta \). The computational cost of performing is approximately \(mk(k-1)(2\pi +\theta )\).

Proof

First, note that the computational cost of performing \(SP_m\) (with \(\kappa =m\)) is \(m\theta \) (see Algorithm 8 from Appendix A and note that the scalar product is not expressed in terms of full \(R_q\) products), and the cost of performing is \((2\pi +\theta )m\). Let \(u_k\) be the computational cost of performing . Given the description of the protocol in Algorithm 2, we have the following recurrence:

$$\begin{aligned} \left\{ \begin{array}{l} u_k = 2mu_{k-1}+k m\theta ,\\ u_2 = (2\pi +\theta )m. \end{array} \right. \end{aligned}$$

To see this, note that parties first perform 2m instances of , then m \(\binom{2}{1}\text{-OT}\) extractions, and finally \((k-1)\) scalar products \(SP_m\). The solution to this recurrence for \(k\ge 3\) is given by

$$u_k = (2m)^{k-2}u_2+m\theta \sum _{i=3}^{k}i(2m)^{k-i},$$

and therefore the cost of is approximately \((2m)^{k-1}\) products in \(R_q\) and \((2m)^{k-1}\) \(\binom{2}{1}\text{-OT}\) protocols.

Let now \(v_k\) be the computational cost of performing . Parties perform \(k(k-1)\) instances of (Algorithm 3), therefore we have

$$\begin{aligned} v_k = mk(k-1)(2\pi +\theta ). \end{aligned}$$

   \(\square \)

Proposition 7

The cost of performing both \(\mathsf{Exc}_\mathsf{pk}\) and \(\mathsf{Exc}_\mathsf{sk}\) between k parties is \(O(u_k)\), that is, \(O((2m)^{k-1})\) products in \(R_q\) and \(O((2m)^{k-1})\) \(\binom{2}{1}\text{-OT}\) protocols.

Proof

In \(\mathsf{Exc}_\mathsf{pk}\) (Algorithm 4), parties perform one and \((k-1)\) instances of . Also, in \(\mathsf{Exc}_\mathsf{sk}\) (Algorithm 5) parties perform \((k-1)\) instances of and one final . The leading term of the computational cost in both cases is therefore \(O((2m)^{k-1})\) products and \(O((2m)^{k-1})\) oblivious transfers.    \(\square \)

Remark: With \(m=128\) bits of security against brute force additions in \(R_q\), four parties need to compute around \(2^{24}\) products in \(R_q\) and \(2^{24}\) 1-out-of-2 oblivious transfer protocols.
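The following is an added example, not code from the paper: it evaluates the recurrence of Proposition 6 in the formal cost symbols \(\pi\) and \(\theta\), checks it against the closed form stated in the proof, and instantiates it with the \(m=128\), \(k=4\) figures of the Remark. It assumes only that a cost is counted as a linear combination \(a\pi + b\theta\), exactly as Definition 10 does, so each cost is represented as the pair \((a, b)\).

```python
# Added example (not the paper's code): the cost recurrence of Proposition 6,
# its closed form, and the m=128, k=4 figures from the Remark.
# Assumption: a cost a*pi + b*theta is represented as the integer pair (a, b),
# where pi = one R_q product and theta = one 2-out-of-1 OT (Definition 10).


def u_recursive(k, m):
    """u_k = 2m*u_{k-1} + k*m*theta with u_2 = (2pi + theta)*m, computed
    directly from the recurrence, returned as (pi_count, theta_count)."""
    if k == 2:
        return (2 * m, m)
    a, b = u_recursive(k - 1, m)
    return (2 * m * a, 2 * m * b + k * m)


def u_closed(k, m):
    """Closed form from the proof: u_k = (2m)^{k-2} u_2
    + m*theta * sum_{i=3..k} i (2m)^{k-i}, valid for k >= 3."""
    a2, b2 = 2 * m, m                       # u_2 as a pair
    scale = (2 * m) ** (k - 2)
    tail = m * sum(i * (2 * m) ** (k - i) for i in range(3, k + 1))
    return (scale * a2, scale * b2 + tail)


def v(k, m):
    """v_k = m k (k-1) (2pi + theta): k(k-1) instances of the two-party step."""
    return (2 * m * k * (k - 1), m * k * (k - 1))


def leading_term(k, m):
    """(2m)^{k-1}: the paper's leading-order count of R_q products and OTs."""
    return (2 * m) ** (k - 1)


def remark_figures(m=128, k=4):
    """Four parties at m=128: returns the leading term (2^24) and the ratios
    of the exact pi and theta counts to it. The pi count hits (2m)^{k-1}
    exactly; the theta count is about half of it at these parameters, which
    is still Theta((2m)^{k-1}) as Proposition 7 states."""
    a, b = u_recursive(k, m)
    lead = leading_term(k, m)
    return lead, a / lead, b / lead
```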


Copyright information

© 2019 Springer Nature Switzerland AG


Cite this paper

Goubin, L., Monsalve, G., Reutter, J., Vial-Prado, F. (2019). Excalibur Key-Generation Protocols for DAG Hierarchic Decryption. In: Lee, K. (eds) Information Security and Cryptology – ICISC 2018. ICISC 2018. Lecture Notes in Computer Science(), vol 11396. Springer, Cham. https://doi.org/10.1007/978-3-030-12146-4_7


  • DOI: https://doi.org/10.1007/978-3-030-12146-4_7


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-12145-7

  • Online ISBN: 978-3-030-12146-4
