Abstract
In this paper, we propose a new notion of multi-key homomorphic proxy re-encryption (MH-PRE) in which inputs of homomorphic evaluation are encrypted by different public keys and the evaluated ciphertext is decrypted by a single secret key. We obtain it by adding the re-encryption property of proxy re-encryption to multi-key homomorphic encryption (MHE). MHE, firstly proposed by López-Alt, Tromer and Vaikuntanathan (STOC 2012), can perform homomorphic evaluations on ciphertexts from different keys, but decrypting the output ciphertext of the homomorphic evaluation requires all the secret keys associated to the input ciphertexts. In order to decrypt the output ciphertext with a single secret key, we introduce the notion of the re-encryption to MHE. In particular, we construct an MH-PRE scheme by applying the key switching technique to the MHE scheme of Peikert and Shiehian (TCC 2016).
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Ateniese, G., Kevin, F., Green, M., Hohenberger, S.: Improved proxy re-encryption schemes with applications to secure distributed storage. ACM Trans. Inf. Syst. Secur. 9(1), 1–30 (2006)
Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (leveled) fully homomorphic encryption without bootstrapping. In: ITCS, pp. 309–325. ACM (2012)
Brakerski, Z., Halevi, S., Polychroniadou, A.: Four round secure computation without setup. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017, Part II. LNCS, vol. 10677, pp. 645–677. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_22
Brakerski, Z., Perlman, R.: Lattice-based fully dynamic multi-key FHE with short ciphertexts. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 190–213. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_8
Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: FOCS, pp. 97–106. IEEE Computer Society (2011)
Brakerski, Z., Vaikuntanathan, V.: Fully homomorphic encryption from Ring-LWE and security for key dependent messages. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 505–524. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_29
Chen, L., Zhang, Z., Wang, X.: Batched multi-hop multi-key FHE from Ring-LWE with compact ciphertext extension. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10678, pp. 597–627. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70503-3_20
Clear, M., McGoldrick, C.: Multi-identity and multi-key leveled FHE from learning with errors. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 630–656. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_31
van Dijk, M., Gentry, C., Halevi, S., Vaikuntanathan, V.: Fully Homomorphic Encryption over the Integers. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 24–43. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_2
Derler, D., Ramacher, S., Slamanig, D.: Homomorphic proxy re-authenticators and applications to verifiable multi-user data aggregation. In: Kiayias, A. (ed.) FC 2017. LNCS, vol. 10322, pp. 124–142. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70972-7_7
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC, pp. 169–178. ACM (2009)
Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_5
Ivan, A.-A., Dodis, Y.: Proxy cryptography revisited. In: NDSS. The Internet Society (2003)
Impagliazzo, R., Levin, L.A., Luby, M.: Pseudo-random generation from one-way functions (extended abstracts). In STOC, pp. 12–24. ACM (1989)
López-Alt, A., Tromer, E., Vaikuntanathan, V.: On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption. In: STOC, pp. 1219–1234. ACM (2012)
Libert, B., Vergnaud, D.: Unidirectional chosen-ciphertext secure proxy re-encryption. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 360–379. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78440-1_21
Ma, C., Li, J., Ouyang, W.: A homomorphic proxy re-encryption from lattices. In: Chen, L., Han, J. (eds.) ProvSec 2016. LNCS, vol. 10005, pp. 353–372. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-47422-9_21
Mukherjee, P., Wichs, D.: Two round multiparty computation via multi-key FHE. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part II. LNCS, vol. 9666, pp. 735–763. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_26
Peikert, C., Shiehian, S.: Multi-key FHE from LWE, revisited. In: Hirt, M., Smith, A. (eds.) TCC 2016-B, Part II. LNCS, vol. 9986, pp. 217–238. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_9
Polyakov, Y., Rohloff, K., Sahu, G., Vaikuntanathan, V.: Fast proxy re-encryption for publish/subscribe systems. ACM Trans. Priv. Secur. 20(4), 14:1–14:31 (2017)
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC, pp. 84–93. ACM (2005)
Acknowledgment
We would like to thank the anonymous reviewers of ISC 2018 for their careful reading and comments.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendix A The Description of the \(\mathsf {Eval}\) Algorithm
Appendix A The Description of the \(\mathsf {Eval}\) Algorithm
For completeness, in this section, we describe the algorithm \(\mathsf {Eval}\) of the MHE scheme of [PS16]. This algorithm works exactly same as the scheme described in Sect. 3 of [PS16].
Ciphertext Extending. First, in order to perform homomorphic operations correctly in the \(\mathsf {Eval}\) algorithm, all the input ciphertexts must correspond to the same secret key. Therefore, when the input ciphertexts correspond to the different secret keys, each ciphertext is expanded so that the same secret key properly corresponds.
Consider the ciphertext \(c = (\mathbf {C}, \mathbf {F}, \mathbf {D})\) and the associated secret key \(\mathbf {t} \in \mathbb {Z}^{n'}\), where \(n' = ns\) for some positive integer s and \(\mathbf {t}\) is the concatenation of s individual secret keys. Therefore the ciphertext c consists of component matrices
that satisfy Eqs. (5), (6) and (7) for some randomness \(\mathbf {R} \in \mathbb {Z}^{m \times n\ell }\). Our goal is to extend \(c = (\mathbf {C}, \mathbf {F}, \mathbf {D})\) to a new ciphertext \(c' = (\mathbf {C}', \mathbf {F}', \mathbf {D}')\) that satisfies Eqs. (5), (6) and (7) for the concatenated secret key \(\mathbf {t}' = (\mathbf {t}\Vert \mathbf {t}^*) \in \mathbb {Z}^{n'+n}\) where \(\mathbf {t}^*\) is an additional secret key and some randomness \(\mathbf {R}'\) without changing the encrypted message. For ciphertext extending, the public key \(\mathbf {b}^* \approx \mathbf {t}^*\mathbf {A}\) corresponding to the additional secret key \(\mathbf {t}^*\) is used. We do so as follows.
-
\(\mathbf {F}\) and the randomness is unchanged: Define \(\mathbf {F}' = \mathbf {F}\) and \(\mathbf {R} = \mathbf {R}'\).
-
Define
$$\begin{aligned} \mathbf {D}' = (\mathbf {I}_{m\ell } \otimes \begin{pmatrix} \mathbf {I}_{n'} \\ \mathbf {0}_{n \times n'} \end{pmatrix} ) \cdot \mathbf {D}. \end{aligned}$$Then, Eq. (7) is preserved: \((\mathbf {I}_{m\ell } \otimes \mathbf {t}') \cdot \mathbf {D}' = (\mathbf {I}_{m\ell } \otimes \mathbf {t}) \cdot \mathbf {D} \approx \mathbf {R} \otimes \mathbf {g}^T\).
-
Define
$$\begin{aligned} \mathbf {C}' = \begin{pmatrix} \mathbf {C} &{} \mathbf {X}\\ &{} \mathbf {F} \end{pmatrix}, \end{aligned}$$where \(\mathbf {X}\) is defined as follows:
$$\begin{aligned} \mathbf {s}&= [-\mathbf {b}^*](\mathbf {I}_m \otimes \mathbf {g}^{-T}) \in \{0,1\}^{m\ell } \\ \mathbf {X}&= (\mathbf {s} \otimes \mathbf {I}_{n'}) \cdot \mathbf {D} \in \mathbb {Z}_q^{n' \times n\ell }. \end{aligned}$$Note that by the construction,
$$\begin{aligned} \mathbf {t}\mathbf {X}&= (1 \otimes \mathbf {t}) \cdot (\mathbf {s} \otimes \mathbf {I}_{n'}) \cdot \mathbf {D}&\\&= (\mathbf {s} \otimes \mathbf {t})\cdot \mathbf {D}&\\&= (\mathbf {s} \otimes 1 ) \cdot (\mathbf {I}_{m\ell } \otimes \mathbf {t})\cdot \mathbf {D}&\\&\approx \mathbf {s}\cdot (\mathbf {R}\otimes \mathbf {g}^t)&(\text {error }m\ell \cdot E_D)\\&=[\mathbf {b}^*](\mathbf {I}_m \otimes \mathbf {g}^{-t})(\mathbf {R}\otimes \mathbf {g})&\\&=-\mathbf {b}^*\mathbf {R}. \end{aligned}$$Finally, we see that Eq. (5) is preserved:
$$\begin{aligned} \mathbf {t}'\mathbf {C}'&=\mathbf {t}'\cdot \begin{pmatrix} \mathbf {C} &{} \mathbf {X}\\ &{} \mathbf {F} \end{pmatrix} \\&= (\mathbf {t}\mathbf {C} \;\;\;\; \mathbf {t}\mathbf {X}+\mathbf {t}^*\mathbf {F}) \\&\approx (\mu (\mathbf {t}\otimes \mathbf {g}) \;\;\;\; \mathbf {t}\mathbf {X}+\mathbf {t}^*\mathbf {AR}+\mu (\mathbf {t}^*\otimes \mathbf {g})) \;\;\;\; (\text {error } E_C) \\&\approx (\mu (\mathbf {t}\otimes \mathbf {g}) \;\;\;\; \mathbf {t}\mathbf {X} + \mathbf {b}^*\mathbf {R}+\mu (\mathbf {t}^*\otimes \mathbf {g})) \;\;\;\; (\text {error }m\Vert \mathbf {R}\Vert _\infty \cdot E) \\&\approx \mu (\mathbf {t}' \otimes \mathbf {g}) \;\;\;\; (\text {error } m\ell \cdot E_{D}). \end{aligned}$$
Homomorphic Operation. Next, we describe homomorphic addition and multiplication. Suppose two ciphertexts \(c_1 = (\mathbf {C}_1, \mathbf {F}_1, \mathbf {D}_1)\) and \(c_2 = (\mathbf {C}_2, \mathbf {F}_2, \mathbf {D}_2)\) that respectively encrypt \(\mu _1\) and \(\mu _2\), with the randomness \(\mathbf {R}_1\) and \(\mathbf {R}_2\), under a common secret key \(\mathbf {t} \in \mathbb {Z}^{n'}\).
-
Homomorphic Additions: Add the corresponding matrices,
$$ (\mathbf {C}_{\text {add}}, \mathbf {F}_{\text {add}}, \mathbf {D}_{\text {add}}) = (\mathbf {C}_1 + \mathbf {C}_2, \mathbf {F}_1 + \mathbf {F}_2, \mathbf {D}_1 + \mathbf {D}_2). $$We verify that Eqs. (5), (6) and (7) hold for the new ciphertext with the message \(\mu _1 + \mu _2\) and the randomness \(\mathbf {R}_{\text {add}} = \mathbf {R}_1 + \mathbf {R}_2\).
$$\begin{aligned} \mathbf {t} \cdot (\mathbf {C}_1 + \mathbf {C}_2 )&= \mathbf {t} \cdot ( \overline{\mathbf {C}}_1 + \mu _1(\mathbf {I}_n \otimes \mathbf {g}) + \overline{\mathbf {C}}_2 + \mu _2(\mathbf {I}_n \otimes \mathbf {g}))\\&\approx (\mu _1+\mu _2)(\mathbf {t} \otimes \mathbf {g}) \ \ \ \ (\text {error }E_{C_1} + E_{C_2}) \end{aligned}$$$$\begin{aligned} \mathbf {F}_1 + \mathbf {F}_2&= \mathbf {AR}_1 + \mu _1(\mathbf {I}_n \otimes \mathbf {g}) + \mathbf {AR}_2 + \mu _2(\mathbf {I}_n \otimes \mathbf {g}) \\&= \mathbf {AR}_{\text {add}} + (\mu _1 + \mu _2)(\mathbf {I}_n \otimes \mathbf {g}) \end{aligned}$$$$\begin{aligned} (\mathbf {I}_{m\ell } \otimes \mathbf {t}) \cdot (\mathbf {D}_1 + \mathbf {D}_2)&= (\mathbf {I}_{m\ell } \otimes \mathbf {t}) \cdot \mathbf {D}_1 + (\mathbf {I}_{m\ell } \otimes \mathbf {t}) \cdot \mathbf {D}_2 \\&\approx (\mathbf {R}_1 \otimes \mathbf {g}) + (\mathbf {R}_2 \otimes \mathbf {g}) \\&= \mathbf {R}_\text {add} \otimes \mathbf {g} \ \ \ \ (\text {error }E_{D_1} + E_{D_2}) \end{aligned}$$ -
Homomorphic Multiplications: Define the following matrices:
$$\begin{aligned} \mathbf {S}_c&= (\mathbf {I}_{n'} \otimes \mathbf {g}^{-1})[\mathbf {C}_2] \\ \mathbf {S}_f&= (\mathbf {I}_{n} \otimes \mathbf {g}^{-1})[\mathbf {F}_2]\\ \mathbf {S}_d&= (\mathbf {I}_{n'm\ell } \otimes \mathbf {g}^{-1})[\mathbf {D}_2] \end{aligned}$$and output the ciphertext
$$\begin{aligned} \mathbf {C}_{\text {mul}}&= \mathbf {C}_1 \cdot \mathbf {S}_c \\ \mathbf {F}_{\text {mul}}&= \mathbf {F}_1 \cdot \mathbf {S}_f \\ \mathbf {D}_{\text {mul}}&= \mathbf {D}_1 \cdot \mathbf {S}_f + (\mathbf {I}_{m\ell } \otimes \mathbf {C}_1) \cdot \mathbf {S}_d. \end{aligned}$$The associated randomness is defined as
$$ \mathbf {R}_{\text {mul}} = \mathbf {R}_1\mathbf {S}_f + \mu _1\mathbf {R}_2. $$
We show that the output ciphertext of the homomorphic multiplications satisfies Eqs. (5), (6) and (7) for the secret key \(\mathbf {t}\), the message \(\mu _1\mu _2\) and the randomness \(\mathbf {R}_{\text {mul}}\). First, we can see \(\mathbf {C}_{\text {mul}}\) satisfies Eq. (5):
Similarly, Eq. (6) is preserved by construction of \(\mathbf {F}_{\text {mul}}\):
Finally, to see that Eq. (7) holds for \(\mathbf {D}_{\text {mul}}\), first note that
In addition,
Thus, Eq. (7) holds for \(\mathbf {D}_{\text {mul}}\):
Rights and permissions
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Yasuda, S., Koseki, Y., Hiromasa, R., Kawai, Y. (2018). Multi-key Homomorphic Proxy Re-Encryption. In: Chen, L., Manulis, M., Schneider, S. (eds) Information Security. ISC 2018. Lecture Notes in Computer Science(), vol 11060. Springer, Cham. https://doi.org/10.1007/978-3-319-99136-8_18
Download citation
DOI: https://doi.org/10.1007/978-3-319-99136-8_18
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-99135-1
Online ISBN: 978-3-319-99136-8
eBook Packages: Computer ScienceComputer Science (R0)