Threshold Fully Homomorphic Encryption Over the Torus

Abstract

Fully homomorphic encryption (FHE) enables arithmetic operations to be performed over plaintext by operations on undecrypted ciphertext. The Chillotti-Gama-Georgieva-Izabachene (CGGI) scheme is a typical FHE scheme, has attracted attention because of its fast bootstrapping and the availability of open-source implementation software.

A threshold FHE (ThFHE) scheme has protocols for distributed key generation and distributed decryption that are executed cooperatively among the parties while keeping the decryption key distributed among them. It is useful for secure computations with inputs from multiple parties. However, a ThFHE scheme based on CGGI has yet to be proposed.

In this paper, we propose a client-aided ThFHE scheme based on CGGI. Our scheme achieves the same bootstrapping as CGGI without affecting the noise analysis or any CGGI parameter. Therefore, existing open-source software implementing CGGI can easily be extended to our scheme, a ThFHE variant of the CGGI scheme, without changing the implementation part regarding homomorphic operations.

Appendices

A TLWE and TRLWE Problems

Definition 1 (LWE Problem Over \(\mathbb {T}\) (TLWE Problem)). We call the pair of \((\vec {a},b)\in \mathbb {T}^{n+1}\) TLWE sample where \(\vec {a}\xleftarrow {\textsf{U}}\mathbb {T}^{n}\), \(\vec {s}\xleftarrow {\textsf{U}}\mathbb {B}^{n}\), \(e\leftarrow \chi _{(0,\sigma ^{2})}\), and \(b=\vec {a}\cdot \vec {s}+e\). For the TLWE sample, we define the following two problems:

• Decisional TLWE Problem: The problem of distinguishing between a given TLWE sample \((\vec {a},b)\) and uniformly randomly sampled elements from \(\mathbb {T}^{n+1}\), when the secret \(\vec {s}\) is fixed.

• Search TLWE Problem: The problem of finding the (common) secret \(\vec {s}\) from a given arbitrary number of TLWE samples.

Definition 2 (LWE Problem Over \(\mathbb {T}_{N}[X ]\) (TRLWE Problem)). We call the pair of TRLWE sample where , , , and . For the TRLWE sample, we can define the decisional and search TRLWE problems as well as the TLWE problem.

B Security Definition and Proof

Our protocols, BMUX, \(\textsf{DistDKGen}\), \(\textsf{DistEKGen}\), \(\textsf{DistEnc}\), and \(\textsf{DistDec}\) are secure in the presence of corrupted parties by a semi-honest adversary if the view of corrupted parties in a real-world protocol execution can be generated by a probabilistic polynomial-time simulator \(\mathcal {S}\) given only the corrupted parties’ inputs and outputs of a function f. Let \(x_i\) and \(f_{i}(\vec {x})\) be \(P_i\)’s input and output where \(\vec {x}=(x_0,\ldots ,x_{N'-1})\), respectively. Let \(\textsf{VIEW}^{\varPi }_{i}(\vec {x})\) and \(\textsf{Output}^{\varPi }(\vec {x})\) be \(P_i\)’s view (including \(P_i\)’s inputs, outputs, and random coins) of execution of protocol \(\varPi \) on \(\vec {x}\) and the output of all parties from the execution of \(\varPi \), respectively.

Definition 3 . Let \(f:(\{0,1\}^{*})^{N'}\rightarrow (\{0,1\}^{*})^{N'}\) be a probabilistic \(N'\)-ary functionality. We say that \(\varPi \) computes f with perfect security in \(t(<N'/2)\) corruptions by a semi-honest adversary for f if there exists \(\mathcal {S}\) for every corrupted party and every \(\vec {x}\in (\{0,1\}^{*})^{N'}\) where \(|x_0|=\cdots =|x_{N^{'}-1}|\) as follows.

$$\begin{aligned} \{(\mathcal {S}(x_{i},f_{i}(\vec {x})),f(\vec {x}))\}\equiv \{(\textsf{VIEW}^{\varPi }_{i}(\vec {x}),\textsf{Output}^{\varPi }(\vec {x}))\} \end{aligned}$$

(1)

We prove that our protocols achieve UC-security [10] by assuming input availability [23] and hybrid model. Loosely speaking, in the hybrid model, a protocol can replace calls to subprotocol by invocations of ideal functionalities \(\mathcal {F}\). By replacing the subprotocols with ideal functionalities of subprotocols, we prove that our protocols compute its ideal functionalities with perfect security in t corruptions by a semi-honest adversary in a classic stand-alone setting. Then, as shown in [23], we can prove that our protocols achieve UC-security automatically by assuming input availability (i.e., the property that the inputs of all parties are fixed before protocol executions).

For example, we can prove that \(\varPi _{\textsf{BMUX}}\) in the \(\mathcal {F}_{\textsf{Open}}\)-hybrid model computes \(\mathcal {F}_{\textsf{BMUX}}\) with perfect security in t corruptions by a semi-honest adversary. \(\varPi _{\textsf{BMUX}}\) is composed of invoking \(\textsf{Open}\) and operations among shares without communications. Hence, if \(\textsf{Open}\) computes \(\mathcal {F}_{\textsf{Open}}\) with perfect security in t corruptions by a semi-honest adversary, we can replace \(\textsf{Open}\) by \(\mathcal {F}_{\textsf{Open}}\) and \(\mathcal {S}\) can be composed in the t corruptions by a semi-honest adversary. Since our other protocols are composed of invoking subprotocols written in Sect. 2.4 and operations among shares without communications, \(\mathcal {S}\) for our other protocols can also be composed as long as building blocks are secure, that is, as long as building blocks can compute its ideal functionalities with perfect security in t corruptions by a semi-honest adversary.