Multi-party (Leveled) Homomorphic Encryption on Identity-Based and Attribute-Based Settings

Abstract

We present constructions of CPA-secure (leveled) homomorphic encryption from learning with errors (LWE) problem. We use the construction introduced by Gentry, Sahai and Waters ‘GSW’ (CRYPTO’13) as building blocks of our schemes. We apply their approximate eigenvector method to our scheme. In contrast to the GSW scheme we provide extensions of the (leveled) homomorphic identity-based encryption (IBE) and (leveled) homomorphic attribute-based encryption (ABE) on the multi-identity and multi-attribute settings respectively. We realize the (leveled) homomorphic property for the multi-party setting by applying tensor product and natural logarithm. Tensor product and natural logarithm allow to evaluate different ciphertexts computed under different public keys. Similar to the GSW scheme, our constructions do not need any evaluation key, which enables evaluation even without the knowledge of user’s public key.

Appendices

A Lattices

Let \(B=\{b_1,\ldots ,b_n\}\subset \mathbb {R}^{n}\) be a basis of a lattice \(\varLambda \) which consists of n linearly independent vectors. The n-dimensional lattice \(\varLambda \) is then defined as \(\varLambda =\sum \limits _{i=1}^{n}\mathbb {Z}b_i\). The i-th minimum of a lattice \(\varLambda \), denoted by \(\lambda _i(\varLambda )\) is the smallest radius r such that \(\varLambda \) contains i linearly independent vectors of norms \(\le r\). (The norm of vector \(b_i\) is defined as \(\left\| b_i\right\| =\sqrt{\sum \limits _{j=1}^{n}c_{i,j}^2}\), where \(c_{i,j}, j\in \{1,\ldots ,n\}\) are the coefficients of vector \(b_i\). We denote by \(\lambda _1^{\infty }(\varLambda )\) the minimum distance measured in the infinity norm, which is defined as \(\left\| b_i\right\| _{\infty }:=\max (\left| c_{i,1}\right| ,\ldots ,\left| c_{i,n}\right| )\). Additionally we recall \(\left\| B\right\| =\max \left\| b_i\right\| \) and its fundamental parallelepiped is given by \(P(B)=\left\{ \sum \limits _{i=1}^{n}a_ib_i\ |\ \mathbf{a}\in \left[ 0,1\right) ^n\right\} \). The integer n is called the rank of the basis. Note that a lattice basis is not unique, since for any unimodular matrix \(A\in \mathbb {Z}^{n\times n}\) the product \(B\cdot U\) is also a basis of \(\varLambda \).

Integer Lattices. The following specific lattices contain \(q\mathbb {Z}^{m}\) as a sub-lattice for a prime q. For \(A\in \mathbb {Z}_{q}^{n\times m}\) and \(s\in \mathbb {Z}_{q}^{n}\), define:

$$\begin{aligned}&\varLambda _{q}(A):=\{e\in \mathbb {Z}^{m}| \exists s\in \mathbb {Z}_{q}^{n},\ \text {where}\ A^{T}s=e\mod \ q\},\\&\varLambda _{q}^{\bot }(A):=\{e\in \mathbb {Z}^{m}| Ae=0\mod \ q\}, \end{aligned}$$

Many lattice-based works rely on Gaussian-like distributions called Discrete Gaussians. In the following paragraph we recall the main notations of this distribution.

Discrete Gaussians. Let L be a subset of \(\mathbb {Z}^{m}\). For a vector \(c\in \mathbb {R}^m\) and a positive \(\sigma \in \mathbb {R}\), define

$$\begin{aligned} \rho _{\sigma ,c}(x)=\exp \left( -\pi \frac{\left\| x-c\right\| ^2}{\sigma ^2}\right) \quad \text {and}\quad \rho _{\sigma ,c}(L)=\sum \limits _{x\in L}\rho _{\sigma ,c}(x). \end{aligned}$$

The discrete Gaussian distribution over L with center c and parameter \(\sigma \) is given by \(\mathcal {D}_{L,\sigma ,c}(y)=\frac{\rho _{\sigma ,c}(y)}{\rho _{\sigma ,c}(L)}, \ \forall y\in L\). The distribution \(\mathcal {D}_{L,\sigma ,c}\) is usually defined over the lattice \(L=\varLambda _{q}^{\bot }(A)\) for \(A\in \mathbb {Z}_{q}^{n\times m}\).

B Learning With Errors (LWE)

The LWE problem, first introduced by Regev [36], relies on the Gaussian error distribution \(\chi \), which is given as \(\chi =D_{\mathbb {Z},s}\) over the integers. The LWE problem assumes of access to a challenge oracle \(\mathcal {O}\), which is either a purely random sampler \(\mathcal {O}_r\) or a noisy pseudo-random sampler \(\mathcal {O}_s\), with some random secret key \(s\in \mathbb {Z}_{q}^{s}\). For positive integers n and \(q\ge 2\), a vector \({\varvec{s}}\in \mathbb {Z}_{q}^{n}\) and error term \(e\leftarrow \chi \), the LWE distribution \(A_{{\varvec{s}},\chi }\) is sampled over \(\mathbb {Z}_{q}^{n}\times \mathbb {Z}_q\). Chosen a vector \({\varvec{a}}\in \mathbb {Z}_q^n\) uniformly at random it outputs the pair \(({\varvec{a}},t=\left\langle {\varvec{a}},{\varvec{s}}\right\rangle +e\mod q)\in \mathbb {Z}_q^n\times \mathbb {Z}_q\). A more detailed description of \(\chi \) can be found in [36]. The sampling oracles work in the following way:  

\(\mathcal {O}_s\)::

outputs samples of the form \(({\varvec{a}},t)=({\varvec{a}},{\varvec{a}}{\varvec{s}}+e)\in \mathbb {Z}_{q}^{n}\times \mathbb {Z}_q\), where \({\varvec{s}}\in \mathbb {Z}_{q}^{n}\) is uniformly distributed value across all invocations and \(e\in \mathbb {Z}_q\) is a fresh sample from \(\chi \).

\(\mathcal {O}_r\)::

outputs truly random samples from \(\mathbb {Z}_{q}^{n}\times \mathbb {Z}_q\).

 

C Proof of Theorem 2

Proof

Since the security of this construction relies on the hardness of LWE problem we show how to build an algorithm which can simulate the outputs for the LHABE adversary. Let \(\mathcal {A}_{ind}\) be an adversary against IND-CPA security of our leveled homomorphic ABE scheme. We use \(\mathcal {A}_{ind}\) to construct an algorithm \(\mathcal {B}\) against the LWE problem. As known from the Definition of LWE, the decision algorithm has access to a sampling oracle \(\mathcal {O}\), which can be either a pseudorandom sampler \(\mathcal {O}_s\) or a truly random sampler \(\mathcal {O}_r\). We assume a simulator \(\mathcal {B}\) which simulates the environment for LHABE adversary \(\mathcal {A}_{ind}\) in order to decide which oracle is given. \(\mathcal {B}\) queries from its oracle \(\mathcal {O}\) the LWE samples and obtains n pairs \(({\varvec{a}}_i,t_i)\in \mathbb {Z}_q^N\times \mathbb {Z}_q\), for \(N=l(m+1)\). \(\mathcal {A}_{ind}\) announces a set of strings \(\{x_i\}_{i\in k}\) it wants to be challenged on. The simulator \(\mathcal {B}\) constructs the public key using the obtained LWE instance of l pairs \(({\varvec{a}}_i,t_i)\) for \(i\in [l(m+1)]\), where the public key is represented by a \(n\times m\) matrix and a m-dimensional vector. When \(\mathcal {A}\) issues key generation queries on input apk, the LWE adversary simulates the queries using previously sampled public key apk and setting \({\varvec{s}}=(1,s_1)\in \mathbb {Z}_{q}^{l(m+1)}\), where \(apk\cdot {\varvec{s}}={\varvec{e}}\) that is small and \(s_1\in \mathbb {Z}_q^{lm}\) is also assumed to be small according to distribution \(\chi \). In order to encrypt 0, \(\mathcal {B}\) samples N times the vectors according to \(\chi \) and outputs a ciphertext \(C\leftarrow {\varvec{b}}\cdot apk+{\varvec{e}}'\). This ciphertext is indistinguishable from random by applying a standard hybrid argument. The decryption is possible by computing a product of \(\left\langle C,{\varvec{s}}\right\rangle \) and outputting \(\mu =0\) if the result is small or \(\mu =1\) otherwise.    \(\square \)