準同型暗号の平文空間を制限するコンパクトなゼロ知識証明 SCIS2019発表資料

1. A compact zero-knowledge proof
to restrict message space
in homomorphic encryption
SCIS2019 2019/1/23
Mitsunari Shigeo (Cybozu Labs, Inc.)

2. • Background
• A protocol using homomorphic encryption (HE)
which message space is restricted in malicious model
• OT, privacy-preserving search/machine learning, et al.
• a plaintext must be 0 or 1
• 𝑛 plaintexts must be a 1-of-𝑛 bit vector
• range
• Motivation
• Safely reject illegal ciphertexts without knowing the value
Abstract
2 / 22

3. • Propose a generic conversion
to a constant-size zero-knowledge proof from a
condition that multiple ciphertexts are a root of 𝑛-
variable 𝑑-dimensional simultaneous polynomials
based on a 𝑑-level HE.
• 𝑥 ∈ {0,1} ⇔ 𝑓 𝑥 = 𝑥 1 − 𝑥 = 0
• ∃𝑖 s.t. 𝑥𝑖 = 1 ; 𝑥𝑗 = 0 for 𝑗 ≠ 𝑖
⇔ 𝑓 𝑥1, … , 𝑥 𝑛 ≔ σ𝑖 𝑥𝑖 − 1 = 0, 𝑓𝑖 𝑥1, … , 𝑥 𝑛 ≔ 𝑥𝑖 1 − 𝑥𝑖 = 0
• Construction for 2-level HE proposed ASIACCS2018
• one non-interactive zero-knowledge proof (4 𝔽 𝑝 elements)
to show the above equations
Results
3 / 22

4. • ℎ: 0,1 ∗ → 𝔽 𝑝 ; hash function
• 𝑥 ∈ 𝔽 𝑝
𝑛
• 𝑓1(𝑥), … , 𝑓𝑡(𝑥) ; 𝑛-var. poly. of degree 𝑑 with 𝔽 𝑝 coeff.
• 𝑋 ≔ ℎ 𝑥, 1 𝑓1 𝑥 + ⋯ + ℎ 𝑥, 𝑡 𝑓𝑡 𝑥
• 𝑋 = 0 ⇔ 𝑓1 𝑥 = ⋯ = 𝑓𝑡 𝑥 = 0
with negligible probability
• use 𝑓1 𝑥 = ⋯ = 𝑓𝑡 𝑥 = 0
as the condition to restrict message
Core idea
4 / 22

5. • ℎ: 0,1 ∗ → 𝔽 𝑝 ; hash function
• 𝑓1(𝑥), … , 𝑓𝑡(𝑥) ; 𝑛-var. poly. of degree 𝑑 with 𝔽 𝑝 coeff.
• 𝑔: 𝔽 𝑝
𝑛
→ 0,1 ∗ ; injective
• 𝑋(𝑥) ≔ ℎ(𝑔 𝑥 , 1)𝑓1 𝑥 + ⋯ + ℎ(𝑔 𝑥 , 𝑡)𝑓𝑡 𝑥
• 𝒜 ; an attacker who outputs 𝑥 ∈ 𝔽 𝑝
𝑛
s.t. 𝑋 𝑥 = 0
• 𝑆 𝑥 ≔ {𝑖 ∈ {1, … , 𝑡}|𝑓𝑖 𝑥 ≠ 0}
• Assume ℎ is modeled as a random oracle and that
𝒜 makes at most 𝑞 random oracle queries,
𝑃 𝑆 𝑥 ≠ ∅ ≤
𝑞 + 1
𝑝
Theorem
5 / 22

6. • ℎ: 0,1 ∗ → 𝔽 𝑝 ; hash function, 𝐸𝑛𝑐: ℳ → 𝒞, 𝐷𝑒𝑐: 𝒞 → ℳ
• 𝑓1(𝑥), … , 𝑓𝑡(𝑥) ; 𝑛-var. poly. of degree 𝑑 with 𝔽 𝑝 coeff.
• 𝑋 ≔ ℎ(𝑐, 1)𝑓1 𝑐 + ⋯ + ℎ(𝑐, 𝑡)𝑓𝑡 𝑐 ,
• 𝒜 ; an attacker who outputs 𝑐 = 𝑐1, … , 𝑐 𝑛 ∈ 𝒞 𝑛
s.t. 𝑋 = 0
• 𝑆 𝐷𝑒𝑐(𝑐) ≔ {𝑖 ∈ {1, … , 𝑡}|𝑓𝑖 𝑐 ≠ 0}, 𝐷𝑒𝑐 𝑐 ≔ 𝐷𝑒𝑐 𝑐𝑖
• Assume that 𝒜 makes at most 𝑞 RO queries,
𝑃 𝑆 𝐷𝑒𝑐 𝑐 ≠ ∅ ≤
𝑞 + 1
𝑝
• Outline of proof
• 𝑚𝑖 ≔ 𝐷𝑒𝑐 𝑐𝑖 , 𝑚 ≔ (𝑚𝑖), then 𝑔 𝑚 ≔ (𝐸𝑛𝑐 𝑚𝑖 ) is injective
𝑋 = 0 ⇔ σ𝑖 ℎ 𝑔(𝑚), 𝑖 𝑓𝑖 𝑚 = 0.
• A Compact Non-Interactive Zero-Knowledge Binary Range Proof for Multiple
Messages based on 2-Level Homomorphic Encryption, Mitsunari, Sakai, Schuldt
Computer Security Symposium 2018 6 / 22
Main result for 𝑑-Level HE

7. Introduction of 2-level HE

8. • a 2-level HE based on prime order pairings
• ASIACCS’18, Attrapadung, Hanaoka, Mitsunari, et. al.
• https://dl.acm.org/citation.cfm?doid=3196494.3196552
• Notation
• 𝑒: 𝐺1 × 𝐺2 → 𝐺 𝑇 ; type-3 pairing of order 𝑝
• 𝐺𝑖 = ⟨𝑔𝑖⟩ ; multiplicative cyclic group of a generator 𝑔𝑖
• Keygen
• 𝑠1, 𝑠2 ∈ 𝔽 𝑝 ; secret key, ℎ𝑖 ≔ 𝑔𝑖
𝑠 𝑖
; public key, ℎ3 ≔ 𝑒(ℎ1, ℎ2)
• L1 Enc
• 𝐸𝑛𝑐𝑖 𝑚 ∶= 𝑔𝑖
𝑚
ℎ𝑖
𝑟 𝑖
, 𝑔𝑖
𝑟 𝑖
∈ 𝐺𝑖
2
for 𝑟𝑖 ∈ 𝔽 𝑝 ; lifted ElGamal
• 𝐸𝑛𝑐 𝐴 𝑚 ∶= 𝐸𝑛𝑐1 𝑚 , 𝐸𝑛𝑐2 𝑚 ∈ 𝐺1
2
× 𝐺2
2
AHM+
8 / 22

9. • Mul of L1-ciphertexts
• Use one of each pair
• 𝐸𝑛𝑐 𝐴 𝑚 ⋅ 𝐸𝑛𝑐 𝐴 𝑚′ = 𝑐1, 𝑐2 ⋅ 𝑐1
′
, 𝑐2
′
≔ 𝑐1 ⋅ 𝑐2
′
𝑐2, 𝑐1′ are not used
• 𝑐1 ≔ 𝑆1, 𝑇1 ∈ 𝐺1
2
, 𝑐2′ ≔ 𝑆2, 𝑇2 ∈ 𝐺2
2
𝑐1 ⋅ 𝑐2′ ≔ 𝑒 𝑆1, 𝑆2 , 𝑒 𝑆1, 𝑇2 , 𝑒 𝑇1, 𝑆2 , 𝑒 𝑇1, 𝑇2 ∈ 𝐺 𝑇
4
• Dec of L2-ciphertext
• For 𝑐 ≔ 𝑠, 𝑡, 𝑢, 𝑣 ∈ 𝐺 𝑇
4
,
𝑑𝑒𝑐 𝑀 𝑐 ≔ (𝑠𝑣 𝑠1 𝑠2)/(𝑡 𝑠2 𝑢 𝑠1)
• 𝐷𝑒𝑐 𝑀 𝑐 ≔ 𝐷𝐿𝑃𝑔(𝑑𝑒𝑐 𝑀 𝑐 )
Multiplication and decryption
9 / 22

10. • Ciphertext space 𝒞 ≔ 𝐸𝑛𝑐1 𝑚 , 𝐸𝑛𝑐2 𝑚 |𝑚 ∈ 𝔽 𝑝
is a subset of 𝐺1
2
× 𝐺2
2
• cf. The ciphertext space of lifted ElGamal is 𝐺𝑖
2
• 𝐸𝑛𝑐1 𝑚 , 𝐸𝑛𝑐2 𝑚′
∈ 𝐺1
2
× 𝐺2
2
is a valid ciphertext
⇔ 𝑚 = 𝑚′
• Representation of validness by equation
• 𝑓𝑒𝑞,𝑖 𝑚𝑖, 𝑚𝑖
′
≔ 𝑚𝑖 − 𝑚𝑖′
𝐸𝑛𝑐1 𝑚𝑖 , 𝐸𝑛𝑐2 𝑚𝑖
′
∈ 𝐺1
2
× 𝐺2
2
⇔ 𝑓𝑒𝑞,𝑖 𝑚𝑖, 𝑚𝑖
′
= 0
• Append {𝑓𝑒𝑞,𝑖} to the polynomials which restricts
message space for AHM+
Remark of AHM+
10 / 22

11. NIZKP of 𝐸𝑛𝑐(0) of AHM+

12. • Compute 𝑋 from given ciphertexts
and verify 𝑋 = 𝐸𝑛𝑐 𝑀(0)
• Parameters
• 𝑠1, 𝑠2 ; secret
• 𝑔 ∈ 𝐺 𝑇, 𝑥 ≔ 𝑔 𝑠1, 𝑦 ≔ 𝑔 𝑠2, 𝑧 ≔ 𝑔 𝑠1 𝑠2 ; public
• 𝐸𝑛𝑐 𝑀(0)
• any 𝑋 ≔ 𝑠, 𝑡, 𝑢, 𝑣 ∈ 𝐺 𝑇
4
can described as
𝑠, 𝑡, 𝑢, 𝑣 = 𝑥 𝑤1 𝑦 𝑤2 𝑧−𝑤3
′
, 𝑔 𝑤1, 𝑔 𝑤2, 𝑔 𝑤3
with 𝑤1, 𝑤2, 𝑤3, 𝑤3
′
.
• 𝐸𝑛𝑐 𝑀 0; 𝑤1, 𝑤2, 𝑤3 = 𝑥 𝑤1 𝑦 𝑤2 𝑧−𝑤3, 𝑔 𝑤1, 𝑔 𝑤2, 𝑔 𝑤3 ,
then verify 𝑋 = 𝐸𝑛𝑐 𝑀(0) by proving 𝑤3
′
= 𝑤3.
Equation to be verified
12 / 22

13. • 𝑠1, 𝑠2 ; secret
• 𝑔, 𝑥 = 𝑔 𝑠1, 𝑦 = 𝑔 𝑠2, 𝑧 = 𝑔 𝑠1 𝑠2 ; given
• For 𝑠, 𝑡, 𝑢, 𝑣 ≔ (𝑦 𝑤1 𝑥 𝑤2 𝑧−𝑤3
′
, 𝑔 𝑤1, 𝑔 𝑤2, 𝑔 𝑤3),
pick 𝜌1, 𝜌2, 𝜌3 ← 𝔽 𝑟 and
𝑅1, 𝑅2, 𝑅3, 𝑅4 ≔ (𝑦 𝜌1 𝑥 𝜌2 𝑧−𝜌3, 𝑔 𝜌1, 𝑔 𝜌2, 𝑔 𝜌3),
𝑎 ≔ ℎ(𝑔, 𝑥, 𝑦, 𝑧, 𝑠, 𝑡, 𝑢, 𝑣, 𝑅1, 𝑅2, 𝑅3, 𝑅4),
𝜎𝑖 ≔ 𝜌𝑖 + 𝑎𝑤𝑖 for 𝑖 = 1,2,3,
output 𝜋 ≔ (𝑎, 𝜎1, 𝜎2, 𝜎3).
Construction of NIZKP
13 / 22

14. • For 𝜋 ≔ (𝑎, 𝜎1, 𝜎2, 𝜎3),
𝑅1
′
≔ 𝑦 𝜎1 𝑥 𝜎2 𝑧−𝜎3 𝑠−𝑎,
𝑅2
′
≔ 𝑔 𝜎1 𝑡−𝑎,
𝑅3
′
≔ 𝑔 𝜎2 𝑢−𝑎,
𝑅4
′
≔ 𝑔 𝜎3 𝑣−𝑎
,
𝑎′ ≔ ℎ(𝑔, 𝑥, 𝑦, 𝑧, 𝑠, 𝑡, 𝑢, 𝑣, 𝑅1
′
, 𝑅2
′
, 𝑅3
′
, 𝑅4
′
).
• Output 1 if 𝑎 = 𝑎′ and 0, otherwise
• Proof of correctness
• 𝑅1
′
= 𝑦 𝜎1−𝑎𝑤1 𝑥 𝜎2−𝑎𝑤2 𝑧−𝜎3+𝑎𝑤3 = 𝑦 𝜌1 𝑥 𝜌2 𝑧−𝜌3 = 𝑅1
• 𝑅𝑖+1
′
= 𝑔 𝜎 𝑖−𝑎𝑤 𝑖 = 𝑅𝑖+1
• Then 𝑎′ = 𝑎.
Verification
14 / 22

15. • Any 𝑠, 𝑡, 𝑢, 𝑣 ∈ 𝐺 𝑇
4
can be described as
𝑠, 𝑡, 𝑢, 𝑣 = 𝑦 𝑤1 𝑥 𝑤2 𝑧−𝑤3
′
, 𝑔 𝑤1, 𝑔 𝑤2, 𝑔 𝑤3 .
• For 𝜋 = (𝑎, 𝜎1, 𝜎2, 𝜎3), define 𝜌𝑖 ≔ 𝜎𝑖 − 𝑎𝑤𝑖 then
𝑅1
′
= 𝑦 𝜌1 𝑥 𝜌2 𝑧 𝑎 𝑤3
′−𝑤3 −𝜌3,
𝑅𝑖+1
′
= 𝑔 𝜎 𝑖 𝑔−𝑎𝑤 𝑖 = 𝑔 𝜌 𝑖 for 𝑖 = 1,2,3.
• Attacker must find 𝑤1, 𝑤2, 𝑤3, 𝑤3
′
, 𝜌1, 𝜌2, 𝜌3 and 𝑎 s.t.
𝑎 = ℎ(𝑔, 𝑥, 𝑦, 𝑧, 𝑦 𝑤1 𝑥 𝑤2 𝑧−𝑤3
′
, 𝑔 𝑤1, 𝑔 𝑤2, 𝑔 𝑤3,
𝑦 𝜌1 𝑥 𝜌2 𝑧 𝑎 𝑤3
′−𝑤3 −𝜌3, 𝑔 𝜌1, 𝑔 𝜌2, 𝑔 𝜌3)
• It is hard if 𝑤3
′
≠ 𝑤3
Proof of soundness (outline)
15 / 22

16. Application

17. • Alice queries 𝑎-th data to Bob who has 𝑛 data
• Requirements
• Alice does not tell 𝑎 to Bob
• Bob does not tell 𝑥𝑖(𝑖 ≠ 𝑎) to Alice
Oblivious Transfer
Alice Bob
𝑥1 𝑥2 𝑥3 𝑥4 𝑥5 𝑥6
query 𝑎-th data
return 𝑥 𝑎
17 / 22

18. • Alice
• For 𝑎, select 𝑞 and 𝑟 s.t. 𝑎 = 𝑞𝑚 + 𝑟 (0 ≤ 𝑟 < 𝑚 ≔ 𝑛 )
• Send (𝐸𝑛𝑐 𝛿 𝑞,0 , … , 𝐸𝑛𝑐 𝛿 𝑞,𝑚−1 ), 𝐸𝑛𝑐 𝛿 𝑟,0 , … , 𝐸𝑛𝑐 𝛿 𝑟,𝑚−1
where 𝛿𝑖,𝑗 is the Kronecker delta
• Bob
• 𝑐 ≔ σ𝑖𝑗 𝑥𝑖𝑚+𝑗 𝐸𝑛𝑐 𝛿 𝑞,𝑖 𝐸𝑛𝑐 𝛿 𝑟,𝑗
= 𝐸𝑛𝑐(෍
𝑖,𝑗
𝑥𝑖𝑚+𝑗 𝛿 𝑞,𝑖 𝛿 𝑟,𝑗) = 𝐸𝑛𝑐 𝑥 𝑞𝑚+𝑟 = 𝐸𝑛𝑐(𝑥 𝑎)
• Alice : 𝐷𝑒𝑐 𝑐 = 𝑥 𝑎
• Traffic size is 2𝑚 ciphertexts= 𝑂( 𝑛)
• 𝑛 = 106, 2.5sec response, iPhone with JavaScript(wasm)
OT by L2HE
18 / 22

19. • Bob checks whether 𝑐𝑖 = 𝐸𝑛𝑐(𝑚𝑖) sent by Alice satisfies
𝑚𝑖 ∈ {0,1} and σ𝑚𝑖 = 1 (1-of-𝑛) without decrypting
• Polynomials of Theorem
• 𝑓𝑖 𝑚 ≔ 𝑚𝑖(1 − 𝑚𝑖) for 𝑖 = 1, … , 𝑛
• 𝑓𝑛+1 𝑚 : = σ𝑚𝑖 − 1
• 𝑋: = σ𝑖 ℎ 𝑐, 𝑖 𝑓𝑖(𝑐) = 𝐸𝑛𝑐 𝑀 0
• 𝑚𝑖 ∈ 0,1 and σ𝑚𝑖 = 1 by NIZKP of 𝑋 = 𝐸𝑛𝑐 𝑀(0)
• Transfer size for large 𝑛
• smaller than Chou, Orlandi. The simplest protocol for oblivious
transfer, LATINCRYPT 2015
• Other application for 𝑘-of-𝑛 bit vector
• Take 𝑘 s.t. 0 < 𝑘 < 𝑛 and use 𝑓𝑛+1 𝑚 ≔ σ𝑚𝑖 − 𝑘, then
we can verify that {𝐸𝑛𝑐(𝑚𝑖)} is a encrypted 𝑘-of-𝑛 bit vector
Malicious Alice
19 / 22

20. • 𝐸𝑛𝑐(𝑚) where 0 ≤ 𝑚 < 𝑛
• Let 𝑙 s.t. 2𝑙 ≤ 𝑛 < 2𝑙+1, 𝑅 ≔ 𝑛 − 2𝑙
• A binary expansion of 𝑚 if 𝑚 < 2𝑙
and 𝑚 − 𝑅 if 𝑚 ≥ 2𝑙
• 𝑚 = σ𝑖=0
𝑙−1
𝑚𝑖2𝑖 + 𝑚𝑙 𝑅 where 𝑚𝑖 ∈ {0,1}
• Check whether 𝑚𝑖 ∈ {0,1} for 𝐸𝑛𝑐 𝑚𝑖 by NIZKP and
compute
𝐸𝑛𝑐 𝑚 ≔ ෍
𝑖=0
𝑙−1
𝐸𝑛𝑐 𝑚𝑖 2𝑖 + 𝑚𝑙 𝑅
The idea when 𝑅 ≠ 0 by Nuida Koji
Range of message
20 / 22

21. • 𝐴 = (𝑎𝑖𝑗) ; 𝑛-dim. matrix s.t.
𝑎𝑖𝑗 ∈ 0,1 , ෍
𝑖
𝑎𝑖𝑗 = 1 , ෍
𝑗
𝑎𝑖𝑗 = 1
• Polynomials {𝑓𝑖𝑗
1
, 𝑓𝑖
2
, 𝑓𝑗
3
} defined as
• 𝑓𝑖𝑗
1
𝐴 ≔ 𝑎𝑖𝑗(1 − 𝑎𝑖𝑗)
• 𝑓𝑖
2
𝐴 ≔ σ𝑖 𝑎𝑖𝑗 − 1
• 𝑓𝑗
3
𝐴 ≔ σ 𝑗 𝑎𝑖𝑗 − 1
• Other application
• The condition that 𝐴 is an orthogonal matrix (𝐴 𝑡 𝐴 = 𝐼) can be
represented by polynomials of degree 2.
Permutation matrix
21 / 22

22. • A constant-size zero-knowledge proof to give the
restriction which is represented by a root of
polynomials of degree 2 based on AHM+ (L2HE).
• Future work
• Apply the construction to the other HE (lattice-based HE, etc.)
Conclusion
22 / 22

23. Appendix

24. • Add
• 𝐸𝑛𝑐 𝑚1; 𝑟1 + 𝐸𝑛𝑐 𝑚2; 𝑟2 = 𝐸𝑛𝑐(𝑚1 + 𝑚2; 𝑟1 + 𝑟2)
• same as lifted ElGamal
• Mul
• 𝐸𝑛𝑐 𝑀 𝑚; 𝑤1, 𝑤2, 𝑤3 ≔ 𝑔 𝑚+𝑠2 𝑤1+𝑠1 𝑤2−𝑠1 𝑠2 𝑤3, 𝑔 𝑤1, 𝑔 𝑤2, 𝑔 𝑤3
• 𝐸𝑛𝑐1 𝑚1; 𝑟1 × 𝐸𝑛𝑐2 𝑚2; 𝑟2
= 𝐸𝑛𝑐 𝑀(𝑚1 𝑚2; 𝑚1 𝑟2 + 𝑟1 𝑟2 𝑠1, 𝑚2 𝑟1 + 𝑟1 𝑟2 𝑠2, 𝑟1 𝑟2)
Formula on random numbers
24 / 22

25. • Generic 2-dim. polynomials
• 𝑥 ≔ (𝑥1, … , 𝑥 𝑛), 𝑥′ ≔ 𝑥1
′
, … , 𝑥 𝑛
′ , 𝐸𝑛𝑐1(𝑥𝑖; 𝑟𝑖), 𝐸𝑛𝑐2(𝑥𝑖
′
; 𝑟𝑖
′
),
For 𝑓 𝑥, 𝑥′
≔ σ𝑖,𝑗 𝑎𝑖𝑗 𝑥𝑖 𝑥𝑗
′
+ σ𝑖 𝑏𝑖 𝑥𝑖 + σ𝑖 𝑐𝑖 𝑥𝑖′,
𝐸𝑛𝑐 𝑓 𝑥, 𝑥′
= 𝐸𝑛𝑐 𝑀(𝑓 𝑥, 𝑥′
, ҧ𝑟′
ҧ𝑥 + 1 + ҧ𝑟 + 1 𝑠1 ,
ҧ𝑟 ഥ𝑥′ + 1 + ҧ𝑟 + 1 𝑠2 , ҧ𝑟𝑟′)
where ҧ𝑥 ≔ σ𝑖 𝑥𝑖, ҧ𝑟 ≔ σ𝑖 𝑟𝑖.
• can compute 𝑤1, 𝑤2, 𝑤3 of 𝑋 = 𝐸𝑛𝑐 𝑀 0; 𝑤1, 𝑤2, 𝑤3
from ciphertexts 𝑥 = 𝑥𝑖 , 𝑥′ and 𝑟 = 𝑟𝑖 , 𝑟′
Evaluation of ciphertexts by polynomials
25 / 22