Abstract
Public-key cryptography applications often require structuring decryption rights according to some hierarchy. This is typically addressed with re-encryption procedures or by relying on trusted parties, in order to avoid secret-key transfers and leakages. Using a novel approach, Goubin and Vial-Prado (2016) take advantage of the Multikey FHE-NTRU encryption scheme to establish decryption rights at key-generation time, thus preventing leakage of all secrets involved (even by powerful key-holders). Their algorithms are intended for two parties, and can be reused to form chains of users with inherited decryption rights. In this article, we provide new protocols for generating Excalibur keys under any DAG-like hierarchy, and present formal proofs of security against semi-honest adversaries. Our protocols are compatible with the homomorphic properties of FHE-NTRU, and the base case of our security proofs may be regarded as a more formal, simulation-based proof of said work.
Notes
1. In the vector space \(R_q^m\). Recall that \(R_q\simeq \mathbb {F}_{q^n}\), the field of characteristic \(q^n\).
References
Asharov, G., Lindell, Y., Schneider, T., Zohner, M.: More efficient oblivious transfer and extensions for faster secure computation, November 2013
Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 2001 Proceedings of 42nd IEEE Symposium on Foundations of Computer Science, pp. 136–145. IEEE (2001)
Canetti, R.: Security and composition of cryptographic protocols: a tutorial (part I). SIGACT News 37(3), 67–92 (2006)
Goubin, L., Vial Prado, F.J.: Blending FHE-NTRU keys – the excalibur property. In: Dunkelman, O., Sanadhya, S.K. (eds.) INDOCRYPT 2016. LNCS, vol. 10095, pp. 3–24. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-49890-4_1
Ishai, Y., Kilian, J., Nissim, K., Petrank, E.: Extending oblivious transfers efficiently. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 145–161. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_9
Li, S.-D., Dai, Y.-Q.: Secure two-party computational geometry. J. Comput. Sci. Technol. 20(2), 258–263 (2005)
Lindell, Y.: How to simulate it – a tutorial on the simulation proof technique. Tutorials on the Foundations of Cryptography. ISC, pp. 277–346. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-57048-8_6
López-Alt, A., Tromer, E., Vaikuntanathan, V.: On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption. In: Proceedings of the Forty-Fourth Annual ACM Symposium on Theory of Computing, STOC 2012, pp. 1219–1234. ACM, New York (2012)
Stehlé, D., Steinfeld, R.: Making NTRU as secure as worst-case problems over ideal lattices. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 27–47. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_4
Thomae, E., Wolf, C.: Solving underdetermined systems of multivariate quadratic equations revisited. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 156–171. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30057-8_10
Acknowledgements
We would like to thank the anonymous reviewers for their comments. This work was supported by Instituto Milenio Fundamentos de los Datos, Vicuña Mackenna 4860, Santiago, Chile, and Fondecyt Chile (project number 1170866). The fourth author would like to thank Claudio Orlandi for his insight and for providing references on simulation-based proofs, and Martín Ugarte for his helpful comments.
Appendices
A Scalar Product Protocol \(SP_m\)
In our k-Multiplication protocol (Algorithm 2), parties rely on a multiparty scalar product protocol as a subroutine to cancel additive noise.
Definition 9
For \(m\in \mathbb {N}\), let \(SP_m\) be a two-party protocol performing the following. Party A has a sequence of bits ordered in a binary vector \(\mathbf {b} = (b_1,\dots ,b_m)\). For each \(i=1,\dots ,m\), party B has a pair of polynomials \((p_i^{(0)},p_i^{(1)})\) of \(R_q\). In the end, party A learns \(\gamma = p_1^{(b_1)}+p_2^{(b_2)}+\dots +p_m^{(b_m)}\) and nothing more. Party B learns nothing.
We refer to this functionality as a scalar product (Note 1), since it computes
where \(\mathbf {b}^c = (\bar{b}_1,\dots ,\bar{b}_m)\) is the binary complement of \(\mathbf {b}\). The protocol is outlined in Algorithm 8 below.
Remark: This protocol can be restated as a \(\binom{2^m}{1}\text{-OT}\) protocol, as follows. For each \(x\in \{0,1\}^m\), party B computes a mapping \(x\mapsto \sum _{i=1}^m p_i^{(x[i])}\) where x[i] is the i-th bit of x. Then, party A extracts the polynomial corresponding to \(x'=\mathbf {b}\) with a \(\binom{2^m}{1}\text{-OT}\) protocol. We point out that this is highly inefficient, because B needs to compute \(O(2^m)\) additions in \(R_q\).
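The following is an added toy simulation of the \(SP_m\) functionality defined above; it is not code from the paper, and it does not reproduce Algorithm 8 (which is not on this page). It assumes \(R_q\) modelled as \(\mathbb{Z}_q[x]/(x^n+1)\) with toy \(n, q\), replaces the 1-out-of-2 OT by an ideal functionality (a trusted Python function), and uses additive masking by party B, with masks summing to zero, as one standard way to realise the functionality with \(m\) OT calls. It also includes a simulator that, given only \(\gamma\), produces a view with the same distribution as A's real view, which is the shape of argument a simulation-based privacy proof makes; the OT call count matches the \(m\theta\) cost used in Appendix B, in contrast with the \(O(2^m)\) additions of the naive OT restatement in the remark.

```python
# Added example, not code from the paper. Toy simulation of the scalar
# product functionality SP_m (Appendix A): A holds bits b, B holds m pairs of
# ring elements, A learns gamma = sum_i p_i^(b_i) and nothing else.
# Assumptions (not on the page): R_q is modelled as Z_q[x]/(x^n + 1) with toy
# n, q; the 1-out-of-2 OT is an *ideal* functionality (a trusted function);
# B's additive masking is one standard way to realise SP_m with m OT calls.
import secrets
from typing import List, Sequence, Tuple

N = 8      # toy ring degree (real NTRU parameters are far larger)
Q = 257    # toy modulus

Poly = Tuple[int, ...]  # coefficient vector of length N, entries mod Q


def poly_add(a: Poly, b: Poly) -> Poly:
    return tuple((x + y) % Q for x, y in zip(a, b))


def poly_neg(a: Poly) -> Poly:
    return tuple((-x) % Q for x in a)


def poly_sum(ps: Sequence[Poly]) -> Poly:
    acc: Poly = (0,) * N
    for p in ps:
        acc = poly_add(acc, p)
    return acc


def random_poly() -> Poly:
    return tuple(secrets.randbelow(Q) for _ in range(N))


def ideal_ot(pair: Tuple[Poly, Poly], choice: int) -> Poly:
    """Ideal 1-out-of-2 OT: receiver gets pair[choice]; sender learns nothing.
    Stands in for a real OT protocol (cost theta in Appendix B)."""
    return pair[choice]


def direct_scalar_product(bits: Sequence[int],
                          pairs: Sequence[Tuple[Poly, Poly]]) -> Poly:
    """Reference value <b, p^(1)> + <b^c, p^(0)>, i.e. sum_i p_i^(b_i)."""
    terms = [p1 if b else p0 for b, (p0, p1) in zip(bits, pairs)]
    return poly_sum(terms)


def party_b_mask(pairs: Sequence[Tuple[Poly, Poly]]) -> List[Tuple[Poly, Poly]]:
    """B adds a fresh random mask r_i to both entries of pair i, with
    sum_i r_i = 0: the masks cancel in A's sum but hide each individual p_i^(b_i)."""
    m = len(pairs)
    masks = [random_poly() for _ in range(m - 1)]
    masks.append(poly_neg(poly_sum(masks)))  # forces the masks to sum to 0
    return [(poly_add(p0, r), poly_add(p1, r)) for (p0, p1), r in zip(pairs, masks)]


def run_sp(bits: Sequence[int], pairs: Sequence[Tuple[Poly, Poly]]):
    """Run SP_m. Returns (gamma, A's view, number of OT invocations)."""
    masked = party_b_mask(pairs)
    view = [ideal_ot(pair, b) for pair, b in zip(masked, bits)]  # m OT calls
    return poly_sum(view), view, len(view)


def simulate_view(gamma: Poly, m: int) -> List[Poly]:
    """Simulator for A's view given only the output gamma: m uniformly random
    ring elements subject to summing to gamma. This is distributed exactly like
    the real view, which is the core of a simulation-based privacy argument."""
    sim = [random_poly() for _ in range(m - 1)]
    sim.append(poly_add(gamma, poly_neg(poly_sum(sim))))
    return sim


# Constructed sample input (not from the paper): m = 3 pairs of constant polynomials.
SAMPLE_BITS = [1, 0, 1]
SAMPLE_PAIRS = [((1,) * N, (2,) * N), ((3,) * N, (4,) * N), ((5,) * N, (6,) * N)]

if __name__ == "__main__":
    gamma, view, ots = run_sp(SAMPLE_BITS, SAMPLE_PAIRS)
    assert gamma == direct_scalar_product(SAMPLE_BITS, SAMPLE_PAIRS)
    print("gamma =", gamma, "OT calls =", ots)
```

Because every element A receives is uniformly random subject only to the sum being \(\gamma\), a simulator knowing \(\gamma\) alone reproduces A's view, which is exactly what "A learns \(\gamma\) and nothing more" means in the semi-honest model; B's view is empty under an ideal OT, so B learns nothing.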
B Algorithmic Complexity
In this appendix we develop expressions for the computational complexity of our key generation protocols. Throughout this section, let n, q, B be secure NTRU parameters, let m be such that it is infeasible to compute \(2^m\) additions in \(R_q\), and let k be the number of parties involved in the key generation procedure.
As we show below, an Excalibur key pair \((\mathsf{sk},\mathsf{pk})\) can be generated in \(O((2m)^k)\) products in \(R_q\) and \(O((2m)^{k-1})\) basic \(\binom{2}{1}\text{-OT}\) protocols. While this is certainly prohibitive for a large number of parties and reasonable security, with fast polynomial multiplication and OT-extension techniques it is possible to generate a key pair with \(k=4\) and \(m=128\) in a few minutes. Let us also mention that this key behaves like any other key of the system, that is, after key generation is completed, no extra complexity is to be expected for encryption, decryption or homomorphic procedures (other than coefficient size, whose impact on complexity is analyzed in [8]).
Definition 10
Let \(\theta \) (resp. \(\pi \)) be the computational cost of performing a \(\binom{2}{1}\text{-OT}\) protocol (resp. performing a multiplication in \(R_q\)).
Proposition 6
The computational cost of performing is approximately \((2m)^{k-1}\pi +(2m)^{k-1}\theta \). The computational cost of performing is approximately \(mk(k-1)(2\pi +\theta )\).
Proof
First, note that the computational cost of performing \(SP_m\) (with \(\kappa =m\)) is \(m\theta \) (see Algorithm 8 from Appendix A and note that the scalar product is not expressed in terms of full \(R_q\) products), and the cost of performing is \((2\pi +\theta )m\). Let \(u_k\) be the computational cost of performing . Given the description of the protocol in Algorithm 2, we have the following recurrence:
To see this, note that parties first perform 2m instances of , then m \(\binom{2}{1}\text{-OT}\) extractions, and finally \((k-1)\) scalar products \(SP_m\). The solution to this equation for \(k\ge 3\) is given by
and therefore the cost of is approximately \((2m)^{k-1}\) products in \(R_q\) and \((2m)^{k-1}\) \(\binom{2}{1}\text{-OT}\) protocols.
Let now \(v_k\) be the computational cost of performing . Parties perform \(k(k-1)\) instances of (Algorithm 3), therefore we have
\(\square \)
Proposition 7
The cost of performing both \(\mathsf{Exc}_\mathsf{pk}\) and \(\mathsf{Exc}_\mathsf{sk}\) between k parties is \(O(u_k)\), that is, \(O((2m)^{k-1})\) products in \(R_q\) and \(O((2m)^{k-1})\) \(\binom{2}{1}\text{-OT}\) protocols.
Proof
In \(\mathsf{Exc}_\mathsf{pk}\) (Algorithm 4), parties perform one and \((k-1)\) instances of . Also, in \(\mathsf{Exc}_\mathsf{sk}\) (Algorithm 5) parties perform \((k-1)\) instances of and one final . The leading term of the computational cost in both cases is therefore \(O((2m)^{k-1})\) products and \(O((2m)^{k-1})\) oblivious transfers. \(\square \)
Remark: With \(m=128\) bits of security against brute force additions in \(R_q\), four parties need to compute around \(2^{24}\) products in \(R_q\) and \(2^{24}\) 1-out-of-2 oblivious transfer protocols.
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Goubin, L., Monsalve, G., Reutter, J., Vial-Prado, F. (2019). Excalibur Key-Generation Protocols for DAG Hierarchic Decryption. In: Lee, K. (ed.) Information Security and Cryptology – ICISC 2018. ICISC 2018. Lecture Notes in Computer Science, vol 11396. Springer, Cham. https://doi.org/10.1007/978-3-030-12146-4_7
DOI: https://doi.org/10.1007/978-3-030-12146-4_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-12145-7
Online ISBN: 978-3-030-12146-4
eBook Packages: Computer Science; Computer Science (R0)