# A compact zero knowledge proof to restrict message space in homomorphic encryption

SCIS2019 presentation material

1. A compact zero-knowledge proof to restrict message space in homomorphic encryption. SCIS2019, 2019/1/23. Mitsunari Shigeo (Cybozu Labs, Inc.)
2. Abstract
    • Background
        • A protocol using homomorphic encryption (HE) whose message space must be restricted in the malicious model
            • OT, privacy-preserving search / machine learning, et al.
            • a plaintext must be 0 or 1
            • $n$ plaintexts must be a 1-of-$n$ bit vector
            • range
    • Motivation
        • Safely reject illegal ciphertexts without knowing the value
3. Results
    • Propose a generic conversion to a constant-size zero-knowledge proof from the condition that multiple ciphertexts are a root of $n$-variable degree-$d$ simultaneous polynomials, based on a $d$-level HE.
        • $x \in \{0,1\} \Leftrightarrow f(x) := x(1-x) = 0$
        • $\exists i$ s.t. $x_i = 1$ and $x_j = 0$ for $j \neq i$ $\Leftrightarrow$ $f(x_1,\dots,x_n) := \sum_i x_i - 1 = 0$ and $f_i(x_1,\dots,x_n) := x_i(1-x_i) = 0$ for all $i$
    • Construction for the 2-level HE proposed at ASIACCS2018
        • one non-interactive zero-knowledge proof (4 $\mathbb{F}_p$ elements) to show the above equations
4. Core idea
    • $h: \{0,1\}^* \to \mathbb{F}_p$; hash function
    • $x \in \mathbb{F}_p^n$
    • $f_1(x), \dots, f_t(x)$; $n$-variable polynomials of degree $d$ with $\mathbb{F}_p$ coefficients
    • $X := h(x,1) f_1(x) + \cdots + h(x,t) f_t(x)$
    • $X = 0 \Leftrightarrow f_1(x) = \cdots = f_t(x) = 0$, except with negligible probability
    • use $f_1(x) = \cdots = f_t(x) = 0$ as the condition that restricts the message space
5. Theorem
    • $h: \{0,1\}^* \to \mathbb{F}_p$; hash function
    • $f_1(x), \dots, f_t(x)$; $n$-variable polynomials of degree $d$ with $\mathbb{F}_p$ coefficients
    • $g: \mathbb{F}_p^n \to \{0,1\}^*$; injective
    • $X(x) := h(g(x),1) f_1(x) + \cdots + h(g(x),t) f_t(x)$
    • $\mathcal{A}$; an attacker who outputs $x \in \mathbb{F}_p^n$ s.t. $X(x) = 0$
    • $S(x) := \{\, i \in \{1,\dots,t\} \mid f_i(x) \neq 0 \,\}$
    • Assume $h$ is modeled as a random oracle and that $\mathcal{A}$ makes at most $q$ random oracle queries. Then $P[S(x) \neq \emptyset] \le (q+1)/p$.
6. Main result for $d$-level HE
    • $h: \{0,1\}^* \to \mathbb{F}_p$; hash function, $Enc: \mathcal{M} \to \mathcal{C}$, $Dec: \mathcal{C} \to \mathcal{M}$
    • $f_1(x), \dots, f_t(x)$; $n$-variable polynomials of degree $d$ with $\mathbb{F}_p$ coefficients
    • $X := h(c,1) f_1(c) + \cdots + h(c,t) f_t(c)$ (the $f_i$ are evaluated homomorphically on the ciphertexts)
    • $\mathcal{A}$; an attacker who outputs $c = (c_1, \dots, c_n) \in \mathcal{C}^n$ s.t. $X = 0$
    • $S(Dec(c)) := \{\, i \in \{1,\dots,t\} \mid f_i(Dec(c)) \neq 0 \,\}$, where $Dec(c) := (Dec(c_i))_i$
    • Assume that $\mathcal{A}$ makes at most $q$ RO queries. Then $P[S(Dec(c)) \neq \emptyset] \le (q+1)/p$.
    • Outline of proof
        • $m_i := Dec(c_i)$, $m := (m_i)$; then $g(m) := (Enc(m_i))$ is injective and $X = 0 \Leftrightarrow \sum_i h(g(m), i) f_i(m) = 0$.
    • Reference: A Compact Non-Interactive Zero-Knowledge Binary Range Proof for Multiple Messages based on 2-Level Homomorphic Encryption, Mitsunari, Sakai, Schuldt, Computer Security Symposium 2018
7. Introduction of 2-level HE
8. AHM+
    • a 2-level HE based on prime-order pairings
        • ASIACCS'18, Attrapadung, Hanaoka, Mitsunari, et al.
        • https://dl.acm.org/citation.cfm?doid=3196494.3196552
    • Notation
        • $e: G_1 \times G_2 \to G_T$; type-3 pairing of order $p$
        • $G_i = \langle g_i \rangle$; multiplicative cyclic group with generator $g_i$
    • Keygen
        • $s_1, s_2 \in \mathbb{F}_p$; secret key. $h_i := g_i^{s_i}$; public key. $h_3 := e(h_1, h_2)$
    • L1 Enc
        • $Enc_i(m) := (g_i^m h_i^{r_i},\ g_i^{r_i}) \in G_i^2$ for $r_i \in \mathbb{F}_p$; lifted ElGamal
        • $Enc_A(m) := (Enc_1(m), Enc_2(m)) \in G_1^2 \times G_2^2$
9. Multiplication and decryption
    • Mul of L1-ciphertexts
        • Use one of each pair: $Enc_A(m) \cdot Enc_A(m') = (c_1, c_2) \cdot (c_1', c_2') := c_1 \cdot c_2'$ ($c_2$ and $c_1'$ are not used)
        • For $c_1 := (S_1, T_1) \in G_1^2$ and $c_2' := (S_2, T_2) \in G_2^2$: $c_1 \cdot c_2' := (e(S_1,S_2),\ e(S_1,T_2),\ e(T_1,S_2),\ e(T_1,T_2)) \in G_T^4$
    • Dec of L2-ciphertext
        • For $c := (s,t,u,v) \in G_T^4$, $dec_M(c) := (s\, v^{s_1 s_2}) / (t^{s_2} u^{s_1})$
        • $Dec_M(c) := DLP_g(dec_M(c))$
10. Remark on AHM+
    • The ciphertext space $\mathcal{C} := \{ (Enc_1(m), Enc_2(m)) \mid m \in \mathbb{F}_p \}$ is a subset of $G_1^2 \times G_2^2$
        • cf. the ciphertext space of lifted ElGamal is $G_i^2$
        • $(Enc_1(m), Enc_2(m')) \in G_1^2 \times G_2^2$ is a valid ciphertext $\Leftrightarrow m = m'$
    • Representation of validity by an equation
        • $f_{eq,i}(m_i, m_i') := m_i - m_i'$
        • $(Enc_1(m_i), Enc_2(m_i')) \in \mathcal{C} \Leftrightarrow f_{eq,i}(m_i, m_i') = 0$
    • Append $\{ f_{eq,i} \}$ to the polynomials that restrict the message space for AHM+
11. NIZKP of $Enc(0)$ for AHM+
12. Equation to be verified
    • Compute $X$ from the given ciphertexts and verify $X = Enc_M(0)$
    • Parameters
        • $s_1, s_2$; secret
        • $g \in G_T$, $x := g^{s_1}$, $y := g^{s_2}$, $z := g^{s_1 s_2}$; public
    • $Enc_M(0)$
        • any $X := (s,t,u,v) \in G_T^4$ can be described as $(s,t,u,v) = (y^{w_1} x^{w_2} z^{-w_3'},\ g^{w_1},\ g^{w_2},\ g^{w_3})$ with some $w_1, w_2, w_3, w_3'$.
        • $Enc_M(0; w_1,w_2,w_3) = (y^{w_1} x^{w_2} z^{-w_3},\ g^{w_1},\ g^{w_2},\ g^{w_3})$, so $X = Enc_M(0)$ is verified by proving $w_3' = w_3$.
13. Construction of NIZKP
    • $s_1, s_2$; secret
    • $g$, $x = g^{s_1}$, $y = g^{s_2}$, $z = g^{s_1 s_2}$; given
    • For $(s,t,u,v) := (y^{w_1} x^{w_2} z^{-w_3'},\ g^{w_1},\ g^{w_2},\ g^{w_3})$, pick $\rho_1, \rho_2, \rho_3 \leftarrow \mathbb{F}_p$ and set $(R_1, R_2, R_3, R_4) := (y^{\rho_1} x^{\rho_2} z^{-\rho_3},\ g^{\rho_1},\ g^{\rho_2},\ g^{\rho_3})$, $a := h(g, x, y, z, s, t, u, v, R_1, R_2, R_3, R_4)$, $\sigma_i := \rho_i + a w_i$ for $i = 1,2,3$; output $\pi := (a, \sigma_1, \sigma_2, \sigma_3)$.
14. Verification
    • For $\pi := (a, \sigma_1, \sigma_2, \sigma_3)$: $R_1' := y^{\sigma_1} x^{\sigma_2} z^{-\sigma_3} s^{-a}$, $R_2' := g^{\sigma_1} t^{-a}$, $R_3' := g^{\sigma_2} u^{-a}$, $R_4' := g^{\sigma_3} v^{-a}$, $a' := h(g, x, y, z, s, t, u, v, R_1', R_2', R_3', R_4')$.
    • Output 1 if $a = a'$ and 0 otherwise
    • Proof of correctness
        • $R_1' = y^{\sigma_1 - a w_1} x^{\sigma_2 - a w_2} z^{-\sigma_3 + a w_3} = y^{\rho_1} x^{\rho_2} z^{-\rho_3} = R_1$
        • $R_{i+1}' = g^{\sigma_i - a w_i} = R_{i+1}$
        • Then $a' = a$.
15. Proof of soundness (outline)
    • Any $(s,t,u,v) \in G_T^4$ can be described as $(s,t,u,v) = (y^{w_1} x^{w_2} z^{-w_3'},\ g^{w_1},\ g^{w_2},\ g^{w_3})$.
    • For $\pi = (a, \sigma_1, \sigma_2, \sigma_3)$, define $\rho_i := \sigma_i - a w_i$; then $R_1' = y^{\rho_1} x^{\rho_2} z^{a(w_3' - w_3) - \rho_3}$ and $R_{i+1}' = g^{\sigma_i} g^{-a w_i} = g^{\rho_i}$ for $i = 1,2,3$.
    • The attacker must find $w_1, w_2, w_3, w_3', \rho_1, \rho_2, \rho_3$ and $a$ s.t. $a = h(g, x, y, z,\ y^{w_1} x^{w_2} z^{-w_3'},\ g^{w_1}, g^{w_2}, g^{w_3},\ y^{\rho_1} x^{\rho_2} z^{a(w_3' - w_3) - \rho_3},\ g^{\rho_1}, g^{\rho_2}, g^{\rho_3})$
    • This is hard if $w_3' \neq w_3$.
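The $Enc_M(0)$ relation and the Schnorr-style NIZKP of slides 12 to 15, as an added, runnable Python example that is not part of the slides or of the AHM+ implementation. It assumes a toy stand-in for $G_T$: the prime-order subgroup of $\mathbb{Z}_P^*$ for a constructed safe prime $P$, with SHA-256 as the Fiat-Shamir hash $h$. No pairing is needed because $Enc_M(m; w_1, w_2, w_3)$ (slide 24) lives entirely in $G_T$, so the same code also shows $dec_M$ and the additive homomorphism on L2 ciphertexts. All function names (`keygen`, `enc_M`, `dec_M`, `add_M`, `prove_zero`, `verify_zero`) are mine.

```python
import hashlib
import secrets

# Toy stand-in for G_T (assumption): the order-Q subgroup of Z_P^* for a safe prime P = 2Q + 1.
# Enc_M(m; w1, w2, w3) from slide 24 lives entirely in G_T, so no pairing is needed here.

def is_probable_prime(n):
    """Miller-Rabin with the first 12 prime bases; deterministic for n < 3.1e23."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_from(start):
    """Smallest safe prime P = 2q + 1 with P >= start (deterministic search)."""
    q = start // 2 + 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 1
    return 2 * q + 1

P = safe_prime_from(1 << 62)   # constructed toy modulus; real AHM+ uses a pairing-friendly curve
Q = (P - 1) // 2               # prime group order, the slides' p
G = 4                          # a square, hence a generator of the order-Q subgroup

def h(*items):
    """Fiat-Shamir hash h: {0,1}^* -> F_Q (toy: SHA-256 over the '|'-joined transcript)."""
    data = "|".join(str(v) for v in items).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    """s1, s2 secret; (g, x, y, z) = (g, g^s1, g^s2, g^{s1 s2}) public (slide 12)."""
    s1, s2 = secrets.randbelow(Q), secrets.randbelow(Q)
    return (s1, s2), (G, pow(G, s1, P), pow(G, s2, P), pow(G, s1 * s2 % Q, P))

def enc_M(pk, m, w=None):
    """Enc_M(m; w1,w2,w3) = (g^m y^w1 x^w2 z^-w3, g^w1, g^w2, g^w3); returns (ciphertext, w)."""
    g, x, y, z = pk
    w1, w2, w3 = w if w is not None else [secrets.randbelow(Q) for _ in range(3)]
    s = pow(g, m, P) * pow(y, w1, P) * pow(x, w2, P) * pow(z, -w3, P) % P
    return (s, pow(g, w1, P), pow(g, w2, P), pow(g, w3, P)), (w1, w2, w3)

def add_M(c, c2):
    """Componentwise product: exponents add, so Enc_M(m) + Enc_M(m') = Enc_M(m + m')."""
    return tuple(a * b % P for a, b in zip(c, c2))

def dec_M(sk, c, bound=1 << 12):
    """dec_M(c) = s v^{s1 s2} / (t^{s2} u^{s1}) = g^m (slide 9), then a linear-scan DLP for small m."""
    s1, s2 = sk
    s, t, u, v = c
    gm = s * pow(v, s1 * s2 % Q, P) * pow(t, -s2, P) * pow(u, -s1, P) % P
    acc = 1
    for m in range(bound):
        if acc == gm:
            return m
        acc = acc * G % P
    raise ValueError("message outside the toy DLP bound")

def prove_zero(pk, c, w):
    """Slide 13: Schnorr-style proof that c = Enc_M(0; w), i.e. that s and v share the same w3."""
    g, x, y, z = pk
    rho = [secrets.randbelow(Q) for _ in range(3)]
    R = (pow(y, rho[0], P) * pow(x, rho[1], P) * pow(z, -rho[2], P) % P,
         pow(g, rho[0], P), pow(g, rho[1], P), pow(g, rho[2], P))
    a = h(g, x, y, z, *c, *R)
    return (a,) + tuple((rho[i] + a * w[i]) % Q for i in range(3))

def verify_zero(pk, c, pi):
    """Slide 14: rebuild R' from pi and accept iff the challenge recomputes."""
    g, x, y, z = pk
    s, t, u, v = c
    a, sg1, sg2, sg3 = pi
    R = (pow(y, sg1, P) * pow(x, sg2, P) * pow(z, -sg3, P) * pow(s, -a, P) % P,
         pow(g, sg1, P) * pow(t, -a, P) % P,
         pow(g, sg2, P) * pow(u, -a, P) % P,
         pow(g, sg3, P) * pow(v, -a, P) % P)
    return a == h(g, x, y, z, s, t, u, v, *R)

def demo():
    """Honest Enc_M(0) verifies; Enc_M(7) decrypts to 7 and cannot be passed off as Enc_M(0)."""
    sk, pk = keygen()
    c0, w0 = enc_M(pk, 0)
    c7, w7 = enc_M(pk, 7)
    return (verify_zero(pk, c0, prove_zero(pk, c0, w0)),
            dec_M(sk, c7),
            verify_zero(pk, c7, prove_zero(pk, c7, w7)))
```

The last value of `demo()` is the soundness case of slide 15: a prover who knows the randomness of $Enc_M(7)$ still cannot produce an accepting proof, because $R_1'$ picks up the factor $g^{-7a}$ and the challenge no longer recomputes. The only way to pass the check is for $s$ to carry the same $w_3$ as $v$.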
16. Application
17. Oblivious Transfer
    • Alice queries the $a$-th data item from Bob, who holds $n$ items $x_1, \dots, x_n$
    • Requirements
        • Alice does not tell $a$ to Bob
        • Bob does not tell $x_i$ ($i \neq a$) to Alice
    • (Figure: Alice sends "query $a$-th data" to Bob, who holds $x_1, \dots, x_6$; Bob returns $x_a$.)
18. OT by L2HE
    • Alice
        • For $a$, select $q$ and $r$ s.t. $a = qm + r$ ($0 \le r < m := \sqrt{n}$)
        • Send $(Enc(\delta_{q,0}), \dots, Enc(\delta_{q,m-1}))$ and $(Enc(\delta_{r,0}), \dots, Enc(\delta_{r,m-1}))$, where $\delta_{i,j}$ is the Kronecker delta
    • Bob
        • $c := \sum_{i,j} x_{im+j}\, Enc(\delta_{q,i})\, Enc(\delta_{r,j}) = Enc\big(\sum_{i,j} x_{im+j}\, \delta_{q,i}\, \delta_{r,j}\big) = Enc(x_{qm+r}) = Enc(x_a)$
    • Alice: $Dec(c) = x_a$
    • Traffic size is $2m$ ciphertexts $= O(\sqrt{n})$
    • $n = 10^6$: 2.5 sec response on an iPhone with JavaScript (wasm)
19. Malicious Alice
    • Bob checks whether the $c_i = Enc(m_i)$ sent by Alice satisfy $m_i \in \{0,1\}$ and $\sum m_i = 1$ (1-of-$n$) without decrypting
    • Polynomials of the Theorem
        • $f_i(m) := m_i(1 - m_i)$ for $i = 1, \dots, n$
        • $f_{n+1}(m) := \sum m_i - 1$
        • $X := \sum_i h(c, i) f_i(c) = Enc_M(0)$
        • $m_i \in \{0,1\}$ and $\sum m_i = 1$ are shown by the NIZKP of $X = Enc_M(0)$
    • Transfer size for large $n$
        • smaller than Chou, Orlandi, "The simplest protocol for oblivious transfer", LATINCRYPT 2015
    • Other application: $k$-of-$n$ bit vector
        • Take $k$ s.t. $0 < k < n$ and use $f_{n+1}(m) := \sum m_i - k$; then we can verify that $\{Enc(m_i)\}$ is an encrypted $k$-of-$n$ bit vector
20. Range of message
    • $Enc(m)$ where $0 \le m < n$
    • Let $l$ s.t. $2^l \le n < 2^{l+1}$ and $R := n - 2^l$
    • Take the binary expansion of $m$ if $m < 2^l$, and of $m - R$ if $m \ge 2^l$
    • $m = \sum_{i=0}^{l-1} m_i 2^i + m_l R$ where $m_i \in \{0,1\}$
    • Check $m_i \in \{0,1\}$ for each $Enc(m_i)$ by the NIZKP and compute $Enc(m) := \sum_{i=0}^{l-1} Enc(m_i)\, 2^i + Enc(m_l)\, R$
    • The idea for $R \neq 0$ is by Nuida Koji
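The bit decomposition of slide 20 carried through on the plaintext side, as an added Python example that is not from the slides; the names `range_params`, `encode`, `decode` and `decoded_range` are mine. It handles the general case $2^l \le n < 2^{l+1}$ including $R \neq 0$, and `decoded_range` checks the property that makes the construction work: every $(l+1)$-bit vector decodes into $[0, n)$, so proving each $m_i \in \{0,1\}$ is enough to bound $m$ without a separate comparison.

```python
def range_params(n):
    """l with 2^l <= n < 2^{l+1}, and R := n - 2^l (slide 20); requires n >= 1."""
    if n < 1:
        raise ValueError("n must be positive")
    l = n.bit_length() - 1
    return l, n - (1 << l)

def encode(m, n):
    """Bits (m_0, ..., m_{l-1}, m_l) with m = sum_{i<l} m_i 2^i + m_l R.
    m_l = 1 exactly when m >= 2^l; the remaining bits are the binary expansion of m
    (if m_l = 0) or of m - R (if m_l = 1), which is the R != 0 trick credited to Nuida Koji."""
    if not 0 <= m < n:
        raise ValueError("m out of range")
    l, R = range_params(n)
    top = 1 if m >= (1 << l) else 0
    rest = m - R if top else m      # 0 <= rest <= 2^l - 1 in both cases, so it fits in l bits
    return [(rest >> i) & 1 for i in range(l)] + [top]

def decode(bits, n):
    """What the receiver computes homomorphically (sum Enc(m_i) 2^i + Enc(m_l) R), on plaintexts."""
    l, R = range_params(n)
    if len(bits) != l + 1 or any(b not in (0, 1) for b in bits):
        raise ValueError("need exactly l+1 bits")   # in the protocol the NIZKP enforces m_i in {0,1}
    return sum(b << i for i, b in enumerate(bits[:l])) + bits[l] * R

def decoded_range(n):
    """Set of values reachable from all (l+1)-bit vectors; equals {0, ..., n-1} for every n."""
    l, _ = range_params(n)
    return {decode([(v >> i) & 1 for i in range(l + 1)], n) for v in range(1 << (l + 1))}
```

For $n = 6$ we get $l = 2$, $R = 2$: $m = 5$ encodes as $(1, 1, 1)$, i.e. $1 + 2 + 1 \cdot 2$, and the eight bit vectors decode to $\{0,1,2,3\} \cup \{2,3,4,5\}$, which is exactly $[0, 6)$. Encodings are not unique (here $2$ has two), but that does not matter for the range check.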
21. Permutation matrix
    • $A = (a_{ij})$; $n$-dim. matrix s.t. $a_{ij} \in \{0,1\}$, $\sum_i a_{ij} = 1$, $\sum_j a_{ij} = 1$
    • Polynomials $\{ f^{(1)}_{ij}, f^{(2)}_i, f^{(3)}_j \}$ defined as
        • $f^{(1)}_{ij}(A) := a_{ij}(1 - a_{ij})$
        • $f^{(2)}_i(A) := \sum_j a_{ij} - 1$
        • $f^{(3)}_j(A) := \sum_i a_{ij} - 1$
    • Other application
        • The condition that $A$ is an orthogonal matrix ($A^t A = I$) can be represented by polynomials of degree 2.
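The hash-weighted aggregation of slides 4 and 5, instantiated with the constraint systems of slide 19 (1-of-$n$ and $k$-of-$n$ bit vectors) and slide 21 (permutation matrix), as an added Python example that is not from the slides. In the protocol the same polynomials are evaluated homomorphically on ciphertexts and $X$ is compared with $Enc_M(0)$ through the NIZKP; here they are evaluated on plaintexts over $\mathbb{F}_p$ with $p = 2^{255} - 19$ (a constructed choice) and SHA-256 as $h$, which is enough to show why the per-polynomial hash weights are needed. All function names are mine.

```python
import hashlib

P = (1 << 255) - 19   # constructed: any large prime field F_p works for the aggregation

def h(x, i):
    """h(x, i) in F_p: SHA-256 over the encoded vector x and the index i (toy random oracle)."""
    data = ",".join(str(v % P) for v in x).encode() + b"|" + str(i).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P

def aggregate(x, polys):
    """Slide 4: X := sum_i h(x, i) f_i(x) mod p.  X == 0 iff every f_i(x) == 0, except with
    probability about (q+1)/p for an attacker making q hash queries (slide 5)."""
    return sum(h(x, i) * f(x) for i, f in enumerate(polys, start=1)) % P

def plain_sum(x, polys):
    """The unweighted sum_i f_i(x): NOT a sound check, see demo() below."""
    return sum(f(x) for f in polys) % P

# Building blocks: every constraint below is an n-variable polynomial of degree <= 2 over F_p.
def bit_poly(i):
    return lambda m: m[i] * (1 - m[i]) % P                        # m_i in {0,1}

def sum_poly(indices, target):
    return lambda m: (sum(m[i] for i in indices) - target) % P    # selected entries sum to target

def k_of_n_polys(n, k=1):
    """Slide 19: f_i = m_i(1 - m_i) for i = 1..n and f_{n+1} = sum m_i - k (k = 1 gives 1-of-n)."""
    return [bit_poly(i) for i in range(n)] + [sum_poly(range(n), k)]

def permutation_polys(n):
    """Slide 21: A = (a_ij) flattened row-major; entries are bits, every row and column sums to 1."""
    rows = [sum_poly([i * n + j for j in range(n)], 1) for i in range(n)]
    cols = [sum_poly([i * n + j for i in range(n)], 1) for j in range(n)]
    return [bit_poly(t) for t in range(n * n)] + rows + cols

def is_root(x, polys):
    """True iff x is a common root of all polynomials (up to the negligible failure probability)."""
    return aggregate(x, polys) == 0

def demo():
    one_of_4 = k_of_n_polys(4)
    return {
        "valid 1-of-4": is_root((0, 1, 0, 0), one_of_4),
        "two ones": is_root((1, 0, 1, 0), one_of_4),
        "valid 2-of-4": is_root((1, 0, 1, 0), k_of_n_polys(4, 2)),
        # sum is 1 mod p, but the bit polynomials catch the non-binary entries
        "p-1 and 2 sum to 1": is_root((P - 1, 2, 0), k_of_n_polys(3)),
        # (2, 1): f_1 = -2, f_2 = 0, f_3 = 2, so the plain sum is 0 although f_1, f_3 != 0
        "plain sum fooled by (2,1)": plain_sum((2, 1), k_of_n_polys(2)) == 0,
        "weighted sum rejects (2,1)": is_root((2, 1), k_of_n_polys(2)),
        "permutation matrix": is_root((0, 1, 0, 0, 0, 1, 1, 0, 0), permutation_polys(3)),
        "row with two ones": is_root((1, 1, 0, 0, 0, 1, 0, 0, 1), permutation_polys(3)),
    }
```

The `(2, 1)` case is the whole point of the hash weights: an attacker can easily find a vector that zeroes a fixed linear combination of the $f_i$, but with weights $h(x, i)$ that depend on $x$ itself, zeroing $X$ while some $f_i(x) \neq 0$ requires a hash collision of the kind bounded by $(q+1)/p$ in the theorem.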
22. Conclusion
    • A constant-size zero-knowledge proof for a restriction represented as a root of polynomials of degree 2, based on AHM+ (L2HE).
    • Future work
        • Apply the construction to other HE schemes (lattice-based HE, etc.)
23. Appendix
24. Formulas on the random numbers
    • Add
        • $Enc(m_1; r_1) + Enc(m_2; r_2) = Enc(m_1 + m_2;\ r_1 + r_2)$
        • same as lifted ElGamal
    • Mul
        • $Enc_M(m; w_1, w_2, w_3) := (g^{m + s_2 w_1 + s_1 w_2 - s_1 s_2 w_3},\ g^{w_1},\ g^{w_2},\ g^{w_3})$
        • $Enc_1(m_1; r_1) \times Enc_2(m_2; r_2) = Enc_M(m_1 m_2;\ m_1 r_2 + r_1 r_2 s_1,\ m_2 r_1 + r_1 r_2 s_2,\ r_1 r_2)$
25. Evaluation of ciphertexts by polynomials
    • Generic degree-2 polynomials
        • $x := (x_1, \dots, x_n)$, $x' := (x_1', \dots, x_n')$, with ciphertexts $Enc_1(x_i; r_i)$ and $Enc_2(x_i'; r_i')$
        • For $f(x, x') := \sum_{i,j} a_{ij} x_i x_j' + \sum_i b_i x_i + \sum_i c_i x_i'$: $Enc(f(x, x')) = Enc_M\big(f(x, x');\ \bar r'(\bar x + 1) + (\bar r + 1) s_1,\ \bar r(\bar x' + 1) + (\bar r + 1) s_2,\ \bar r \bar r'\big)$, where $\bar x := \sum_i x_i$ and $\bar r := \sum_i r_i$.
    • So $w_1, w_2, w_3$ of $X = Enc_M(0; w_1, w_2, w_3)$ can be computed from the ciphertexts $x = (x_i)$, $x'$ and the randomness $r = (r_i)$, $r'$