Multi-key Homomorphic Proxy Re-Encryption

Information Security (ISC 2018)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11060)

Abstract

In this paper, we propose a new notion of multi-key homomorphic proxy re-encryption (MH-PRE) in which the inputs of homomorphic evaluation are encrypted under different public keys and the evaluated ciphertext is decrypted with a single secret key. We obtain it by adding the re-encryption property of proxy re-encryption to multi-key homomorphic encryption (MHE). MHE, first proposed by López-Alt, Tromer and Vaikuntanathan (STOC 2012), can perform homomorphic evaluations on ciphertexts under different keys, but decrypting the output ciphertext of the homomorphic evaluation requires all the secret keys associated with the input ciphertexts. In order to decrypt the output ciphertext with a single secret key, we introduce the notion of re-encryption to MHE. In particular, we construct an MH-PRE scheme by applying the key switching technique to the MHE scheme of Peikert and Shiehian (TCC 2016).

References

  1. Ateniese, G., Kevin, F., Green, M., Hohenberger, S.: Improved proxy re-encryption schemes with applications to secure distributed storage. ACM Trans. Inf. Syst. Secur. 9(1), 1–30 (2006)

  2. Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (leveled) fully homomorphic encryption without bootstrapping. In: ITCS, pp. 309–325. ACM (2012)

  3. Brakerski, Z., Halevi, S., Polychroniadou, A.: Four round secure computation without setup. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017, Part II. LNCS, vol. 10677, pp. 645–677. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_22

  4. Brakerski, Z., Perlman, R.: Lattice-based fully dynamic multi-key FHE with short ciphertexts. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 190–213. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_8

  5. Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: FOCS, pp. 97–106. IEEE Computer Society (2011)

  6. Brakerski, Z., Vaikuntanathan, V.: Fully homomorphic encryption from Ring-LWE and security for key dependent messages. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 505–524. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_29

  7. Chen, L., Zhang, Z., Wang, X.: Batched multi-hop multi-key FHE from Ring-LWE with compact ciphertext extension. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10678, pp. 597–627. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70503-3_20

  8. Clear, M., McGoldrick, C.: Multi-identity and multi-key leveled FHE from learning with errors. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 630–656. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_31

  9. van Dijk, M., Gentry, C., Halevi, S., Vaikuntanathan, V.: Fully Homomorphic Encryption over the Integers. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 24–43. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_2

  10. Derler, D., Ramacher, S., Slamanig, D.: Homomorphic proxy re-authenticators and applications to verifiable multi-user data aggregation. In: Kiayias, A. (ed.) FC 2017. LNCS, vol. 10322, pp. 124–142. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70972-7_7

  11. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC, pp. 169–178. ACM (2009)

  12. Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_5

  13. Ivan, A.-A., Dodis, Y.: Proxy cryptography revisited. In: NDSS. The Internet Society (2003)

  14. Impagliazzo, R., Levin, L.A., Luby, M.: Pseudo-random generation from one-way functions (extended abstracts). In: STOC, pp. 12–24. ACM (1989)

  15. López-Alt, A., Tromer, E., Vaikuntanathan, V.: On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption. In: STOC, pp. 1219–1234. ACM (2012)

  16. Libert, B., Vergnaud, D.: Unidirectional chosen-ciphertext secure proxy re-encryption. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 360–379. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78440-1_21

  17. Ma, C., Li, J., Ouyang, W.: A homomorphic proxy re-encryption from lattices. In: Chen, L., Han, J. (eds.) ProvSec 2016. LNCS, vol. 10005, pp. 353–372. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-47422-9_21

  18. Mukherjee, P., Wichs, D.: Two round multiparty computation via multi-key FHE. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part II. LNCS, vol. 9666, pp. 735–763. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_26

  19. Peikert, C., Shiehian, S.: Multi-key FHE from LWE, revisited. In: Hirt, M., Smith, A. (eds.) TCC 2016-B, Part II. LNCS, vol. 9986, pp. 217–238. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_9

  20. Polyakov, Y., Rohloff, K., Sahu, G., Vaikuntanathan, V.: Fast proxy re-encryption for publish/subscribe systems. ACM Trans. Priv. Secur. 20(4), 14:1–14:31 (2017)

  21. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC, pp. 84–93. ACM (2005)

Acknowledgment

We would like to thank the anonymous reviewers of ISC 2018 for their careful reading and comments.

Correspondence to Satoshi Yasuda.

Appendix A The Description of the \(\mathsf {Eval}\) Algorithm

For completeness, in this section, we describe the algorithm \(\mathsf {Eval}\) of the MHE scheme of [PS16]. This algorithm works exactly the same as the scheme described in Sect. 3 of [PS16].

Ciphertext Extending. To perform homomorphic operations correctly in the \(\mathsf {Eval}\) algorithm, all the input ciphertexts must correspond to the same secret key. Therefore, when the input ciphertexts correspond to different secret keys, each ciphertext is first extended so that all of them correspond to the same secret key.

Consider the ciphertext \(c = (\mathbf {C}, \mathbf {F}, \mathbf {D})\) and the associated secret key \(\mathbf {t} \in \mathbb {Z}^{n'}\), where \(n' = ns\) for some positive integer s and \(\mathbf {t}\) is the concatenation of s individual secret keys. Therefore the ciphertext c consists of component matrices

$$ \mathbf {C} \in \mathbb {Z}_q^{n' \times n'\ell }, \mathbf {F} \in \mathbb {Z}_q^{n \times n\ell }, \mathbf {D} \in \mathbb {Z}_q^{n'n\ell \times n\ell } $$

that satisfy Eqs. (5), (6) and (7) for some randomness \(\mathbf {R} \in \mathbb {Z}^{m \times n\ell }\). Our goal is to extend \(c = (\mathbf {C}, \mathbf {F}, \mathbf {D})\) to a new ciphertext \(c' = (\mathbf {C}', \mathbf {F}', \mathbf {D}')\) that satisfies Eqs. (5), (6) and (7) for the concatenated secret key \(\mathbf {t}' = (\mathbf {t}\Vert \mathbf {t}^*) \in \mathbb {Z}^{n'+n}\), where \(\mathbf {t}^*\) is an additional secret key, and for some randomness \(\mathbf {R}'\), without changing the encrypted message. The extension uses the public key \(\mathbf {b}^* \approx \mathbf {t}^*\mathbf {A}\) corresponding to the additional secret key \(\mathbf {t}^*\). We do so as follows.

  • \(\mathbf {F}\) and the randomness are unchanged: define \(\mathbf {F}' = \mathbf {F}\) and \(\mathbf {R}' = \mathbf {R}\).

  • Define

    $$\begin{aligned} \mathbf {D}' = (\mathbf {I}_{m\ell } \otimes \begin{pmatrix} \mathbf {I}_{n'} \\ \mathbf {0}_{n \times n'} \end{pmatrix} ) \cdot \mathbf {D}. \end{aligned}$$

    Then, Eq. (7) is preserved: \((\mathbf {I}_{m\ell } \otimes \mathbf {t}') \cdot \mathbf {D}' = (\mathbf {I}_{m\ell } \otimes \mathbf {t}) \cdot \mathbf {D} \approx \mathbf {R} \otimes \mathbf {g}^T\).

  • Define

    $$\begin{aligned} \mathbf {C}' = \begin{pmatrix} \mathbf {C} &{} \mathbf {X}\\ &{} \mathbf {F} \end{pmatrix}, \end{aligned}$$

    where \(\mathbf {X}\) is defined as follows:

    $$\begin{aligned} \mathbf {s}&= [-\mathbf {b}^*](\mathbf {I}_m \otimes \mathbf {g}^{-T}) \in \{0,1\}^{m\ell } \\ \mathbf {X}&= (\mathbf {s} \otimes \mathbf {I}_{n'}) \cdot \mathbf {D} \in \mathbb {Z}_q^{n' \times n\ell }. \end{aligned}$$

    Note that by the construction,

    $$\begin{aligned} \mathbf {t}\mathbf {X}&= (1 \otimes \mathbf {t}) \cdot (\mathbf {s} \otimes \mathbf {I}_{n'}) \cdot \mathbf {D} \\&= (\mathbf {s} \otimes \mathbf {t})\cdot \mathbf {D} \\&= (\mathbf {s} \otimes 1 ) \cdot (\mathbf {I}_{m\ell } \otimes \mathbf {t})\cdot \mathbf {D} \\&\approx \mathbf {s}\cdot (\mathbf {R}\otimes \mathbf {g}^T) \;\;\;\; (\text {error }m\ell \cdot E_D)\\&=[-\mathbf {b}^*](\mathbf {I}_m \otimes \mathbf {g}^{-T})(\mathbf {R}\otimes \mathbf {g}^T) \\&=-\mathbf {b}^*\mathbf {R}. \end{aligned}$$

    Finally, we see that Eq. (5) is preserved:

    $$\begin{aligned} \mathbf {t}'\mathbf {C}'&=\mathbf {t}'\cdot \begin{pmatrix} \mathbf {C} &{} \mathbf {X}\\ &{} \mathbf {F} \end{pmatrix} \\&= (\mathbf {t}\mathbf {C} \;\;\;\; \mathbf {t}\mathbf {X}+\mathbf {t}^*\mathbf {F}) \\&\approx (\mu (\mathbf {t}\otimes \mathbf {g}) \;\;\;\; \mathbf {t}\mathbf {X}+\mathbf {t}^*\mathbf {AR}+\mu (\mathbf {t}^*\otimes \mathbf {g})) \;\;\;\; (\text {error } E_C) \\&\approx (\mu (\mathbf {t}\otimes \mathbf {g}) \;\;\;\; \mathbf {t}\mathbf {X} + \mathbf {b}^*\mathbf {R}+\mu (\mathbf {t}^*\otimes \mathbf {g})) \;\;\;\; (\text {error }m\Vert \mathbf {R}\Vert _\infty \cdot E) \\&\approx \mu (\mathbf {t}' \otimes \mathbf {g}) \;\;\;\; (\text {error } m\ell \cdot E_{D}). \end{aligned}$$

Homomorphic Operation. Next, we describe homomorphic addition and multiplication. Suppose we are given two ciphertexts \(c_1 = (\mathbf {C}_1, \mathbf {F}_1, \mathbf {D}_1)\) and \(c_2 = (\mathbf {C}_2, \mathbf {F}_2, \mathbf {D}_2)\) that encrypt \(\mu _1\) and \(\mu _2\), respectively, with randomness \(\mathbf {R}_1\) and \(\mathbf {R}_2\), under a common secret key \(\mathbf {t} \in \mathbb {Z}^{n'}\).

  • Homomorphic Additions: Add the corresponding matrices,

    $$ (\mathbf {C}_{\text {add}}, \mathbf {F}_{\text {add}}, \mathbf {D}_{\text {add}}) = (\mathbf {C}_1 + \mathbf {C}_2, \mathbf {F}_1 + \mathbf {F}_2, \mathbf {D}_1 + \mathbf {D}_2). $$

    We verify that Eqs. (5), (6) and (7) hold for the new ciphertext with the message \(\mu _1 + \mu _2\) and the randomness \(\mathbf {R}_{\text {add}} = \mathbf {R}_1 + \mathbf {R}_2\).

    $$\begin{aligned} \mathbf {t} \cdot (\mathbf {C}_1 + \mathbf {C}_2 )&= \mathbf {t} \cdot ( \overline{\mathbf {C}}_1 + \mu _1(\mathbf {I}_n \otimes \mathbf {g}) + \overline{\mathbf {C}}_2 + \mu _2(\mathbf {I}_n \otimes \mathbf {g}))\\&\approx (\mu _1+\mu _2)(\mathbf {t} \otimes \mathbf {g}) \ \ \ \ (\text {error }E_{C_1} + E_{C_2}) \end{aligned}$$

    $$\begin{aligned} \mathbf {F}_1 + \mathbf {F}_2&= \mathbf {AR}_1 + \mu _1(\mathbf {I}_n \otimes \mathbf {g}) + \mathbf {AR}_2 + \mu _2(\mathbf {I}_n \otimes \mathbf {g}) \\&= \mathbf {AR}_{\text {add}} + (\mu _1 + \mu _2)(\mathbf {I}_n \otimes \mathbf {g}) \end{aligned}$$

    $$\begin{aligned} (\mathbf {I}_{m\ell } \otimes \mathbf {t}) \cdot (\mathbf {D}_1 + \mathbf {D}_2)&= (\mathbf {I}_{m\ell } \otimes \mathbf {t}) \cdot \mathbf {D}_1 + (\mathbf {I}_{m\ell } \otimes \mathbf {t}) \cdot \mathbf {D}_2 \\&\approx (\mathbf {R}_1 \otimes \mathbf {g}^T) + (\mathbf {R}_2 \otimes \mathbf {g}^T) \ \ \ \ (\text {error }E_{D_1} + E_{D_2}) \\&= \mathbf {R}_\text {add} \otimes \mathbf {g}^T \end{aligned}$$

  • Homomorphic Multiplications: Define the following matrices:

    $$\begin{aligned} \mathbf {S}_c&= (\mathbf {I}_{n'} \otimes \mathbf {g}^{-1})[\mathbf {C}_2] \\ \mathbf {S}_f&= (\mathbf {I}_{n} \otimes \mathbf {g}^{-1})[\mathbf {F}_2]\\ \mathbf {S}_d&= (\mathbf {I}_{n'm\ell } \otimes \mathbf {g}^{-1})[\mathbf {D}_2] \end{aligned}$$

    and output the ciphertext

    $$\begin{aligned} \mathbf {C}_{\text {mul}}&= \mathbf {C}_1 \cdot \mathbf {S}_c \\ \mathbf {F}_{\text {mul}}&= \mathbf {F}_1 \cdot \mathbf {S}_f \\ \mathbf {D}_{\text {mul}}&= \mathbf {D}_1 \cdot \mathbf {S}_f + (\mathbf {I}_{m\ell } \otimes \mathbf {C}_1) \cdot \mathbf {S}_d. \end{aligned}$$

    The associated randomness is defined as

    $$ \mathbf {R}_{\text {mul}} = \mathbf {R}_1\mathbf {S}_f + \mu _1\mathbf {R}_2. $$

We show that the output ciphertext of the homomorphic multiplications satisfies Eqs. (5), (6) and (7) for the secret key \(\mathbf {t}\), the message \(\mu _1\mu _2\) and the randomness \(\mathbf {R}_{\text {mul}}\). First, we can see \(\mathbf {C}_{\text {mul}}\) satisfies Eq. (5):

$$\begin{aligned} \mathbf {t}\mathbf {C}_{\text {mul}} = \mathbf {t}\mathbf {C}_1 \cdot \mathbf {S}_c&= \mathbf {t}\overline{\mathbf {C}}_1\cdot \mathbf {S}_c + \mu _1(\mathbf {t} \otimes \mathbf {g})\cdot \mathbf {S}_c \\&\approx \mu _1(\mathbf {t} \otimes \mathbf {g}) \cdot \mathbf {S}_c \ \ \ \ (\text {error }n'\ell \cdot E_{C_1}) \\&= \mu _1(\mathbf {t} \otimes \mathbf {g}) \cdot (\mathbf {I}_{n'} \otimes \mathbf {g}^{-1})[\mathbf {C}_2] \\&= \mu _1\mathbf {t}\mathbf {C}_2 \\&\approx \mu _1\mu _2(\mathbf {t} \otimes \mathbf {g}) \ \ \ \ (\text {error }\mu _1E_{C_2}). \end{aligned}$$

Similarly, Eq. (6) is preserved by construction of \(\mathbf {F}_{\text {mul}}\):

$$\begin{aligned} \mathbf {F}_{\text {mul}} = \mathbf {F}_1 \cdot \mathbf {S}_f&= (\mathbf {AR}_1+\mu _1(\mathbf {I}_n \otimes \mathbf {g}))\cdot \mathbf {S}_f \\&= \mathbf {AR}_1 \cdot \mathbf {S}_f + \mu _1(\mathbf {I}_n \otimes \mathbf {g})\cdot (\mathbf {I}_n \otimes \mathbf {g}^{-1})[\mathbf {F}_2] \\&= \mathbf {AR}_1 \cdot \mathbf {S}_f + \mu _1\mathbf {F}_2 \\&= \mathbf {AR}_1 \cdot \mathbf {S}_f + \mu _1\mathbf {AR}_2 + \mu _1\mu _2(\mathbf {I}_n \otimes \mathbf {g}) \\&= \mathbf {A}\mathbf {R}_{\text {mul}} + \mu _1\mu _2(\mathbf {I}_n \otimes \mathbf {g}). \end{aligned}$$

Finally, to see that Eq. (7) holds for \(\mathbf {D}_{\text {mul}}\), first note that

$$\begin{aligned} (\mathbf {I}_{m\ell } \otimes \mathbf {t}) \cdot \mathbf {D}_1 \cdot \mathbf {S}_f&= ((\mathbf {I}_{m\ell } \otimes \mathbf {t}) \cdot \overline{\mathbf {D}}_1 + (\mathbf {R}_1 \otimes \mathbf {g}^T))\cdot \mathbf {S}_f \\&\approx (\mathbf {R}_1 \otimes \mathbf {g}^T) \cdot (\mathbf {S}_f \otimes 1) \ \ \ \ (\text {error }n\ell \cdot E_{D_1})\\&= (\mathbf {R}_1 \cdot \mathbf {S}_f) \otimes \mathbf {g}^T. \end{aligned}$$

In addition,

$$\begin{aligned} (\mathbf {I}_{m\ell } \otimes&\mathbf {t}) \cdot (\mathbf {I}_{m\ell } \otimes \mathbf {C}_1) \cdot \mathbf {S}_d \\&= (\mathbf {I}_{m\ell } \otimes \mathbf {t}\mathbf {C}_1) \cdot \mathbf {S}_d \\&=((\mathbf {I}_{m\ell } \otimes \mathbf {t}\overline{\mathbf {C}}_1) + \mu _1(\mathbf {I}_{m\ell } \otimes \mathbf {t} \otimes \mathbf {g})) \cdot \mathbf {S}_d \\&\approx \mu _1(\mathbf {I}_{m\ell } \otimes \mathbf {t} \otimes \mathbf {g})\cdot \mathbf {S}_d \ \ \ \ (\text {error }n'\ell \cdot E_{C_1})\\&= \mu _1(\mathbf {I}_{m\ell } \otimes \mathbf {t} \otimes \mathbf {g})\cdot (\mathbf {I}_{n'm\ell } \otimes \mathbf {g}^{-1})[\mathbf {D}_2] \\&=\mu _1(\mathbf {I}_{m\ell }\otimes \mathbf {t})\cdot \mathbf {D}_2&\\&\approx \mu _1(\mathbf {R}_2 \otimes \mathbf {g}^T)\ \ \ \ (\text {error }\mu _1\cdot E_{D_2}). \end{aligned}$$

Thus, Eq. (7) holds for \(\mathbf {D}_{\text {mul}}\):

$$\begin{aligned} (\mathbf {I}_{m\ell }&\otimes \mathbf {t}) \cdot \mathbf {D}_{\text {mul}} \\&\approx (\mathbf {R}_1\cdot \mathbf {S}_f) \otimes \mathbf {g}^T + \mu _1(\mathbf {R}_2 \otimes \mathbf {g}^T) \ \ \ \ (\text {error }n\ell \cdot E_{D_1}+n'\ell \cdot E_{C_1} + \mu _1 \cdot E_{D_2}) \\&= \mathbf {R}_{\text {mul}}\otimes \mathbf {g}^T. \end{aligned}$$
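The Eq. (5) check for \(\mathbf {C}_{\text {mul}}\) above can be run numerically on toy parameters. The following is an added example, not code from the paper or from [PS16]; it covers only the \(\mathbf {C}\) component under a single key \(\mathbf {t}\), and the parameter sizes, the key shape \(\mathbf {t} = (\ldots , 1)\), the seeded non-cryptographic RNG and all function names are assumptions of the example.

```python
import random

ELL = 16                 # ell = log2(q); toy size, an assumption of this example
Q = 1 << ELL
N, ERR = 4, 2            # n' (length of t) and bound on fresh error entries (toy sizes)

def centered(x):
    return ((x + Q // 2) % Q) - Q // 2       # representative of x mod q in [-q/2, q/2)

def matmul(A, B):
    return [[sum(a * b for a, b in zip(r, c)) % Q for c in zip(*B)] for r in A]

def t_gadget(t):         # t ⊗ g with g = (1, 2, ..., 2^(ell-1))
    return [(ti << k) % Q for ti in t for k in range(ELL)]

def bit_decomp(M):
    # (I ⊗ g^{-1})[M]: binary matrix S with (I ⊗ g) · S = M
    return [[(M[i][j] >> k) & 1 for j in range(len(M[0]))]
            for i in range(len(M)) for k in range(ELL)]

def encrypt(t, mu, rng):
    # C = Cbar + mu(I ⊗ g) with t·Cbar = e small, so t·C ≈ mu(t ⊗ g), i.e. Eq. (5)
    w = N * ELL
    C = [[rng.randrange(Q) for _ in range(w)] for _ in range(N - 1)]
    e = [rng.randint(-ERR, ERR) for _ in range(w)]
    C.append([(e[j] - sum(t[i] * C[i][j] for i in range(N - 1))) % Q for j in range(w)])
    for i in range(N):
        for k in range(ELL):
            C[i][i * ELL + k] = (C[i][i * ELL + k] + (mu << k)) % Q
    return C

def noise(t, C, mu):
    # max |t·C - mu(t ⊗ g)|, the error term E_C of the ciphertext
    tC = matmul([t], C)[0]
    return max(abs(centered(x - mu * y)) for x, y in zip(tC, t_gadget(t)))

def mul(C1, C2):
    # C_mul = C1 · S_c with S_c = (I ⊗ g^{-1})[C2]
    return matmul(C1, bit_decomp(C2))

def decrypt(t, C):
    # the last coordinate of t·C is mu·2^(ell-1) + error, because t[-1] = 1
    return 1 if abs(centered(matmul([t], C)[0][-1])) > Q // 4 else 0

def demo(seed=1):
    rng = random.Random(seed)    # seeded, non-cryptographic: reproducible toy run only
    t = [rng.randrange(Q) for _ in range(N - 1)] + [1]
    out = {}
    for m1, m2 in ((0, 0), (0, 1), (1, 0), (1, 1)):
        C1, C2 = encrypt(t, m1, rng), encrypt(t, m2, rng)
        Cm = mul(C1, C2)
        bound = N * ELL * noise(t, C1, m1) + m1 * noise(t, C2, m2)  # n'l·E_C1 + mu1·E_C2
        out[(m1, m2)] = (decrypt(t, Cm), noise(t, Cm, m1 * m2) <= bound)
    return out
```

`demo()` maps each message pair to the decrypted product and to whether the measured error of \(\mathbf {C}_{\text {mul}}\) stays within \(n'\ell \cdot E_{C_1} + \mu _1 E_{C_2}\), the sum of the two error terms in the derivation.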

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Cite this paper

Yasuda, S., Koseki, Y., Hiromasa, R., Kawai, Y. (2018). Multi-key Homomorphic Proxy Re-Encryption. In: Chen, L., Manulis, M., Schneider, S. (eds) Information Security. ISC 2018. Lecture Notes in Computer Science(), vol 11060. Springer, Cham. https://doi.org/10.1007/978-3-319-99136-8_18

  • DOI: https://doi.org/10.1007/978-3-319-99136-8_18

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-99135-1

  • Online ISBN: 978-3-319-99136-8

  • eBook Packages: Computer Science (R0)
