A compact zero knowledge proof to restrict message space in homomorphic encryption
1. A compact zero-knowledge proof to restrict message space in homomorphic encryption
SCIS2019 2019/1/23
Mitsunari Shigeo (Cybozu Labs, Inc.)
2. Abstract
• Background
  • A protocol using homomorphic encryption (HE) whose message space is restricted in the malicious model
  • OT, privacy-preserving search/machine learning, et al.
    • a plaintext must be 0 or 1
    • $n$ plaintexts must be a 1-of-$n$ bit vector
    • range
• Motivation
  • Safely reject illegal ciphertexts without knowing the value
2 / 22
3. Results
• Propose a generic conversion from a condition that multiple ciphertexts are a root of $n$-variable simultaneous polynomials of degree $d$ to a constant-size zero-knowledge proof, based on a $d$-level HE.
  • $x \in \{0,1\} \Leftrightarrow f(x) := x(1 - x) = 0$
  • $\exists i$ s.t. $x_i = 1$ and $x_j = 0$ for $j \neq i$
    $\Leftrightarrow f(x_1, \dots, x_n) := \sum_i x_i - 1 = 0,\ f_i(x_1, \dots, x_n) := x_i(1 - x_i) = 0$
• Construction for 2-level HE proposed at ASIACCS2018
  • one non-interactive zero-knowledge proof (4 $\mathbb{F}_p$ elements) to show the above equations
3 / 22
4. Core idea
• $h: \{0,1\}^* \to \mathbb{F}_p$ ; hash function
• $x \in \mathbb{F}_p^n$
• $f_1(x), \dots, f_t(x)$ ; $n$-variable polynomials of degree $d$ with $\mathbb{F}_p$ coefficients
• $X := h(x, 1) f_1(x) + \dots + h(x, t) f_t(x)$
• $X = 0 \Leftrightarrow f_1(x) = \dots = f_t(x) = 0$, except with negligible probability
• use $f_1(x) = \dots = f_t(x) = 0$ as the condition to restrict the message
4 / 22
5. Theorem
• $h: \{0,1\}^* \to \mathbb{F}_p$ ; hash function
• $f_1(x), \dots, f_t(x)$ ; $n$-variable polynomials of degree $d$ with $\mathbb{F}_p$ coefficients
• $g: \mathbb{F}_p^n \to \{0,1\}^*$ ; injective
• $X(x) := h(g(x), 1) f_1(x) + \dots + h(g(x), t) f_t(x)$
• $\mathcal{A}$ ; an attacker who outputs $x \in \mathbb{F}_p^n$ s.t. $X(x) = 0$
• $S(x) := \{ i \in \{1, \dots, t\} \mid f_i(x) \neq 0 \}$
• Assume $h$ is modeled as a random oracle and that $\mathcal{A}$ makes at most $q$ random oracle queries. Then
  $P[S(x) \neq \emptyset] \le \dfrac{q + 1}{p}$
5 / 22
6. Main result for $d$-Level HE
• $h: \{0,1\}^* \to \mathbb{F}_p$ ; hash function, $Enc: \mathcal{M} \to \mathcal{C}$, $Dec: \mathcal{C} \to \mathcal{M}$
• $f_1(x), \dots, f_t(x)$ ; $n$-variable polynomials of degree $d$ with $\mathbb{F}_p$ coefficients
• $X := h(c, 1) f_1(c) + \dots + h(c, t) f_t(c)$
• $\mathcal{A}$ ; an attacker who outputs $c = (c_1, \dots, c_n) \in \mathcal{C}^n$ s.t. $X = 0$
• $S(Dec(c)) := \{ i \in \{1, \dots, t\} \mid f_i(c) \neq 0 \}$, $Dec(c) := (Dec(c_i))$
• Assume that $\mathcal{A}$ makes at most $q$ RO queries. Then
  $P[S(Dec(c)) \neq \emptyset] \le \dfrac{q + 1}{p}$
• Outline of proof
  • $m_i := Dec(c_i)$, $m := (m_i)$; then $g(m) := (Enc(m_i))$ is injective and
    $X = 0 \Leftrightarrow \sum_i h(g(m), i) f_i(m) = 0$.
• A Compact Non-Interactive Zero-Knowledge Binary Range Proof for Multiple Messages based on 2-Level Homomorphic Encryption, Mitsunari, Sakai, Schuldt, Computer Security Symposium 2018
6 / 22
17. Oblivious Transfer
• Alice queries the $a$-th data item from Bob, who holds $n$ data items
• Requirements
  • Alice does not tell $a$ to Bob
  • Bob does not tell $x_i$ ($i \neq a$) to Alice
[Figure: Alice and Bob; Bob holds $x_1, x_2, x_3, x_4, x_5, x_6$; Alice queries the $a$-th data, Bob returns $x_a$]
17 / 22
18. OT by L2HE
• Alice
  • For $a$, select $q$ and $r$ s.t. $a = qm + r$ ($0 \le r < m := \sqrt{n}$)
  • Send $(Enc(\delta_{q,0}), \dots, Enc(\delta_{q,m-1}))$, $(Enc(\delta_{r,0}), \dots, Enc(\delta_{r,m-1}))$
    where $\delta_{i,j}$ is the Kronecker delta
• Bob
  • $c := \sum_{i,j} x_{im+j}\, Enc(\delta_{q,i})\, Enc(\delta_{r,j}) = Enc\left(\sum_{i,j} x_{im+j}\, \delta_{q,i}\, \delta_{r,j}\right) = Enc(x_{qm+r}) = Enc(x_a)$
• Alice : $Dec(c) = x_a$
• Traffic size is $2m$ ciphertexts $= O(\sqrt{n})$
• $n = 10^6$, 2.5 sec response, iPhone with JavaScript (wasm)
18 / 22
19. Malicious Alice
• Bob checks whether $c_i = Enc(m_i)$ sent by Alice satisfies $m_i \in \{0,1\}$ and $\sum m_i = 1$ (1-of-$n$) without decrypting
• Polynomials of the Theorem
  • $f_i(m) := m_i(1 - m_i)$ for $i = 1, \dots, n$
  • $f_{n+1}(m) := \sum m_i - 1$
  • $X := \sum_i h(c, i) f_i(c) = Enc_M(0)$
• $m_i \in \{0,1\}$ and $\sum m_i = 1$ by NIZKP of $X = Enc_M(0)$
• Transfer size for large $n$
  • smaller than Chou, Orlandi. The simplest protocol for oblivious transfer, LATINCRYPT 2015
• Other application for $k$-of-$n$ bit vector
  • Take $k$ s.t. $0 < k < n$ and use $f_{n+1}(m) := \sum m_i - k$; then we can verify that $\{Enc(m_i)\}$ is an encrypted $k$-of-$n$ bit vector
19 / 22
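The hash-weighted combination $X = \sum_i h(g(x), i) f_i(x)$ from the Core idea and Theorem slides, instantiated with the 1-of-$n$ / $k$-of-$n$ polynomials of this slide, as an added example that is not part of the talk. It evaluates the polynomials on plaintext vectors over $\mathbb{F}_p$ (the slides apply them homomorphically to ciphertexts); the prime P, SHA-256 as the random-oracle stand-in for $h$, and the fixed-width byte encoding as $g$ are assumptions. It also shows why the weights matter: the unweighted sum $\sum_i f_i(x)$ is fooled by $x = (2, 1)$, which X rejects.

```python
import hashlib

# Assumed field: any large prime works for the construction on the slides.
P = (1 << 255) - 19


def g(x):
    """Injective encoding g: F_p^n -> {0,1}^* (fixed-width big-endian elements)."""
    return b"".join((v % P).to_bytes(32, "big") for v in x)


def h(encoding: bytes, i: int) -> int:
    """Hash h: {0,1}* -> F_p applied to (g(x), i); SHA-256 stands in for the RO."""
    digest = hashlib.sha256(encoding + i.to_bytes(4, "big")).digest()
    return int.from_bytes(digest, "big") % P


def k_of_n_polys(n, k):
    """f_1..f_n(x) = x_i(1 - x_i) and f_{n+1}(x) = sum x_i - k  (k = 1: 1-of-n)."""
    def bit_poly(i):
        return lambda x: x[i] * (1 - x[i]) % P
    polys = [bit_poly(i) for i in range(n)]
    polys.append(lambda x: (sum(x) - k) % P)
    return polys


def is_root(x, polys):
    """Ground truth: x satisfies every polynomial condition."""
    return all(f(x) == 0 for f in polys)


def combine(x, polys):
    """X(x) = sum_i h(g(x), i) * f_i(x) over F_p; zero iff x is a root (whp)."""
    enc = g(x)
    return sum(h(enc, i + 1) * f(x) for i, f in enumerate(polys)) % P


def naive_sum(x, polys):
    """Unweighted sum_i f_i(x): NOT a sound check, terms can cancel."""
    return sum(f(x) for f in polys) % P
```

For the 1-of-2 condition, $x = (2, 1)$ gives $f_1 = -2$, $f_2 = 0$, $f_3 = 2$, so the unweighted sum is 0 while $X = 2(h_3 - h_1) \neq 0$ unless two hash outputs collide.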
20. Range of message
• $Enc(m)$ where $0 \le m < n$
• Let $l$ s.t. $2^l \le n < 2^{l+1}$, $R := n - 2^l$
• A binary expansion of $m$ if $m < 2^l$, and of $m - R$ if $m \ge 2^l$
• $m = \sum_{i=0}^{l-1} m_i 2^i + m_l R$ where $m_i \in \{0,1\}$
• Check whether $m_i \in \{0,1\}$ for $Enc(m_i)$ by NIZKP and compute
  $Enc(m) := \sum_{i=0}^{l-1} Enc(m_i)\, 2^i + Enc(m_l)\, R$
• The idea when $R \neq 0$ is by Nuida Koji
20 / 22
21. Permutation matrix
• $A = (a_{ij})$ ; $n$-dim. matrix s.t. $a_{ij} \in \{0,1\}$, $\sum_i a_{ij} = 1$, $\sum_j a_{ij} = 1$
• Polynomials $\{f^1_{ij}, f^2_i, f^3_j\}$ defined as
  • $f^1_{ij}(A) := a_{ij}(1 - a_{ij})$
  • $f^2_i(A) := \sum_i a_{ij} - 1$
  • $f^3_j(A) := \sum_j a_{ij} - 1$
• Other application
  • The condition that $A$ is an orthogonal matrix ($A^t A = I$) can be represented by polynomials of degree 2.
21 / 22
22. Conclusion
• A constant-size zero-knowledge proof to give the restriction which is represented by a root of polynomials of degree 2, based on AHM+ (L2HE).
• Future work
  • Apply the construction to other HE (lattice-based HE, etc.)
22 / 22