Abstract
We present constructions of CPA-secure (leveled) homomorphic encryption from the learning with errors (LWE) problem. We use the construction introduced by Gentry, Sahai and Waters ‘GSW’ (CRYPTO’13) as the building block of our schemes and apply their approximate eigenvector method to our scheme. In contrast to the GSW scheme, we provide extensions of (leveled) homomorphic identity-based encryption (IBE) and (leveled) homomorphic attribute-based encryption (ABE) to the multi-identity and multi-attribute settings respectively. We realize the (leveled) homomorphic property for the multi-party setting by applying the tensor product and the natural logarithm, which allow evaluating different ciphertexts computed under different public keys. Similar to the GSW scheme, our constructions do not need any evaluation key, which enables evaluation even without knowledge of the user’s public key.
References
Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_28
Agrawal, S., Boyen, X.: Identity-based encryption from lattices in the standard model. http://www.cs.stanford.edu/~xb/ab09/
Agrawal, S., Boyen, X., Vaikuntanathan, V., Voulgaris, P., Wee, H.: Functional encryption for threshold functions (or fuzzy IBE) from lattices. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 280–297. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30057-8_17
Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: Proceedings of 28th Annual ACM Symposium on the Theory of Computing, pp. 99–108. ACM (1996)
Attrapadung, N., Herranz, J., Laguillaumie, F., Libert, B., de Panafieu, E., Ràfols, C.: Attribute-based encryption schemes with constant-size ciphertexts. Theoret. Comput. Sci. 422, 15–38 (2012)
Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: 2007 IEEE Symposium on Security and Privacy (S&P 2007), pp. 321–334. IEEE Computer Society (2007)
Blum, A., Kalai, A., Wasserman, H.: Noise-tolerant learning, the parity problem, and the statistical query model. In: Proceedings of 32nd Annual ACM Symposium on Theory of Computing, pp. 435–440 (2000)
Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_13
Boyen, X.: Lattice mixing and vanishing trapdoors: a framework for fully secure short signatures and more. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 499–517. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13013-7_29
Boyen, X.: Attribute-based functional encryption on lattices. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 122–142. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36594-2_8
Brakerski, Z., Cash, D., Tsabary, R., Wee, H.: Targeted homomorphic attribute-based encryption. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 330–360. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_13
Brakerski, Z., Gentry, C., Vaikuntanathan, V.: Fully homomorphic encryption without bootstrapping. In: Electronic Colloquium on Computational Complexity (ECCC), vol. 18, p. 111 (2011)
Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: IEEE 52nd Annual Symposium on Foundations of Computer Science, FOCS, 2011, pp. 97–106. IEEE Computer Society (2011)
Brakerski, Z., Vaikuntanathan, V.: Fully homomorphic encryption from ring-LWE and security for key dependent messages. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 505–524. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_29
Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 523–552. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_27
Chase, M.: Multi-authority attribute based encryption. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 515–534. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-70936-7_28
Cheung, L., Newport, C.C.: Provably secure ciphertext policy ABE. In: Proceedings of 2007 ACM Conference on Computer and Communications Security, CCS 2007, pp. 456–465. ACM (2007)
Clear, M., McGoldrick, C.: Multi-identity and multi-key leveled FHE from learning with errors. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 630–656. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_31
Clear, M., McGoldrick, C.: Attribute-based fully homomorphic encryption with a bounded number of inputs. In: Pointcheval, D., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2016. LNCS, vol. 9646, pp. 307–324. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31517-1_16
Cocks, C.: An identity based encryption scheme based on quadratic residues. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 360–363. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45325-3_32
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Proceedings of 41st Annual ACM Symposium on Theory of Computing, STOC 2009, pp. 169–178. ACM (2009)
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Proceedings of 40th Annual ACM Symposium on Theory of Computing, STOC 2008, pp. 197–206. ACM (2008)
Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_5
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Attribute-based encryption for circuits. In: Symposium on Theory of Computing Conference, STOC 2013, pp. 545–554. ACM (2013)
Goyal, V., Jain, A., Pandey, O., Sahai, A.: Bounded ciphertext policy attribute based encryption. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008. LNCS, vol. 5126, pp. 579–591. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70583-3_47
Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: Proceedings of 13th ACM Conference on Computer and Communications Security, CCS 2006, pp. 89–98. ACM (2006)
Kamara, S., Mohassel, P., Raykova, M.: Outsourcing multi-party computation. IACR Cryptology ePrint Archive, 2011:272 (2011)
Lewko, A., Okamoto, T., Sahai, A., Takashima, K., Waters, B.: Fully secure functional encryption: attribute-based encryption and (hierarchical) inner product encryption. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 62–91. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_4
Li, M., Yu, S., Ren, K., Lou, W.: Securing personal health records in cloud computing: patient-centric and fine-grained data access control in multi-owner settings. In: Jajodia, S., Zhou, J. (eds.) SecureComm 2010. LNICST, vol. 50, pp. 89–106. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-16161-2_6
López-Alt, A., Tromer, E., Vaikuntanathan, V.: On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption. In: Proceedings of 44th Symposium on Theory of Computing Conference, STOC 2012, pp. 1219–1234 (2012)
Micciancio, D.: Generalized compact knapsacks, cyclic lattices, and efficient one-way functions from worst case complexity assumptions. In: FOCS 2002, pp. 356–365 (2002)
Micciancio, D., Voulgaris, P.: A deterministic single exponential time algorithm for most lattice problems based on Voronoi cell computations. SIAM J. Comput. 42(3), 1364–1391 (2013)
Mukherjee, P., Wichs, D.: Two round multiparty computation via multi-key FHE. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 735–763. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_26
Peikert, C.: Bonsai trees (or, arboriculture in lattice-based cryptography). IACR Cryptology ePrint Archive, 2009:359 (2009)
Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem. In: Proceedings of 41st Annual ACM Symposium on Theory of Computing, STOC 2009, pp. 333–342 (2009)
Regev, O.: On lattices, learning with errors, random linear codes and cryptography. In: Proceedings of 37th Annual ACM Symposium on Theory of Computing, STOC 2005, pp. 84–93 (2005)
Sahai, A., Waters, B.: Fuzzy identity based encryption. IACR Cryptology ePrint Archive, 2004:86 (2004)
Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-39568-7_5
Smart, N.P., Vercauteren, F.: Fully homomorphic encryption with relatively small key and ciphertext sizes. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 420–443. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13013-7_25
van Dijk, M., Gentry, C., Halevi, S., Vaikuntanathan, V.: Fully homomorphic encryption over the integers. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 24–43. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_2
Waters, B.: Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 53–70. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8_4
Appendices
A Lattices
Let \(B=\{b_1,\ldots ,b_n\}\subset \mathbb {R}^{n}\) be a basis of a lattice \(\varLambda \), consisting of n linearly independent vectors. The n-dimensional lattice \(\varLambda \) is then defined as \(\varLambda =\sum \limits _{i=1}^{n}\mathbb {Z}b_i\). The i-th minimum of a lattice \(\varLambda \), denoted by \(\lambda _i(\varLambda )\), is the smallest radius r such that \(\varLambda \) contains i linearly independent vectors of norm \(\le r\). (The norm of a vector \(b_i\) is defined as \(\left\| b_i\right\| =\sqrt{\sum \limits _{j=1}^{n}c_{i,j}^2}\), where \(c_{i,j}, j\in \{1,\ldots ,n\}\) are the coefficients of the vector \(b_i\).) We denote by \(\lambda _1^{\infty }(\varLambda )\) the minimum distance measured in the infinity norm, which is defined as \(\left\| b_i\right\| _{\infty }:=\max (\left| c_{i,1}\right| ,\ldots ,\left| c_{i,n}\right| )\). Additionally we recall \(\left\| B\right\| =\max \left\| b_i\right\| \), and the fundamental parallelepiped of B is given by \(P(B)=\left\{ \sum \limits _{i=1}^{n}a_ib_i\ |\ \mathbf{a}\in \left[ 0,1\right) ^n\right\} \). The integer n is called the rank of the basis. Note that a lattice basis is not unique, since for any unimodular matrix \(U\in \mathbb {Z}^{n\times n}\) the product \(B\cdot U\) is also a basis of \(\varLambda \).
Integer Lattices. The following specific lattices contain \(q\mathbb {Z}^{m}\) as a sub-lattice for a prime q. For \(A\in \mathbb {Z}_{q}^{n\times m}\) and \(s\in \mathbb {Z}_{q}^{n}\), define:
Many lattice-based works rely on Gaussian-like distributions called Discrete Gaussians. In the following paragraph we recall the main notations of this distribution.
Discrete Gaussians. Let L be a subset of \(\mathbb {Z}^{m}\). For a vector \(c\in \mathbb {R}^m\) and a positive \(\sigma \in \mathbb {R}\), define
The discrete Gaussian distribution over L with center c and parameter \(\sigma \) is given by \(\mathcal {D}_{L,\sigma ,c}(y)=\frac{\rho _{\sigma ,c}(y)}{\rho _{\sigma ,c}(L)}, \ \forall y\in L\). The distribution \(\mathcal {D}_{L,\sigma ,c}\) is usually defined over the lattice \(L=\varLambda _{q}^{\bot }(A)\) for \(A\in \mathbb {Z}_{q}^{n\times m}\).
B Learning With Errors (LWE)
The LWE problem, first introduced by Regev [36], relies on the Gaussian error distribution \(\chi \), which is given as \(\chi =D_{\mathbb {Z},s}\) over the integers. The LWE problem assumes access to a challenge oracle \(\mathcal {O}\), which is either a purely random sampler \(\mathcal {O}_r\) or a noisy pseudo-random sampler \(\mathcal {O}_s\) with some random secret key \({\varvec{s}}\in \mathbb {Z}_{q}^{n}\). For positive integers n and \(q\ge 2\), a vector \({\varvec{s}}\in \mathbb {Z}_{q}^{n}\) and an error term \(e\leftarrow \chi \), the LWE distribution \(A_{{\varvec{s}},\chi }\) is sampled over \(\mathbb {Z}_{q}^{n}\times \mathbb {Z}_q\): choosing a vector \({\varvec{a}}\in \mathbb {Z}_q^n\) uniformly at random, it outputs the pair \(({\varvec{a}},t=\left\langle {\varvec{a}},{\varvec{s}}\right\rangle +e\mod q)\in \mathbb {Z}_q^n\times \mathbb {Z}_q\). A more detailed description of \(\chi \) can be found in [36]. The sampling oracles work in the following way:
- \(\mathcal {O}_s\): outputs samples of the form \(({\varvec{a}},t)=({\varvec{a}},\left\langle {\varvec{a}},{\varvec{s}}\right\rangle +e)\in \mathbb {Z}_{q}^{n}\times \mathbb {Z}_q\), where \({\varvec{s}}\in \mathbb {Z}_{q}^{n}\) is a uniformly distributed value fixed across all invocations and \(e\in \mathbb {Z}_q\) is a fresh sample from \(\chi \).
- \(\mathcal {O}_r\): outputs truly random samples from \(\mathbb {Z}_{q}^{n}\times \mathbb {Z}_q\).
C Proof of Theorem 2
Proof
Since the security of this construction relies on the hardness of the LWE problem, we show how to build an algorithm which can simulate the outputs for the LHABE adversary. Let \(\mathcal {A}_{ind}\) be an adversary against the IND-CPA security of our leveled homomorphic ABE scheme. We use \(\mathcal {A}_{ind}\) to construct an algorithm \(\mathcal {B}\) against the LWE problem. As known from the definition of LWE, the decision algorithm has access to a sampling oracle \(\mathcal {O}\), which can be either a pseudorandom sampler \(\mathcal {O}_s\) or a truly random sampler \(\mathcal {O}_r\). We assume a simulator \(\mathcal {B}\) which simulates the environment for the LHABE adversary \(\mathcal {A}_{ind}\) in order to decide which oracle is given. \(\mathcal {B}\) queries its oracle \(\mathcal {O}\) for LWE samples and obtains n pairs \(({\varvec{a}}_i,t_i)\in \mathbb {Z}_q^N\times \mathbb {Z}_q\), for \(N=l(m+1)\). \(\mathcal {A}_{ind}\) announces a set of strings \(\{x_i\}_{i\in k}\) it wants to be challenged on. The simulator \(\mathcal {B}\) constructs the public key using the obtained LWE instance of l pairs \(({\varvec{a}}_i,t_i)\) for \(i\in [l(m+1)]\), where the public key is represented by an \(n\times m\) matrix and an m-dimensional vector. When \(\mathcal {A}_{ind}\) issues key generation queries on input apk, the LWE adversary simulates the queries using the previously sampled public key apk and setting \({\varvec{s}}=(1,s_1)\in \mathbb {Z}_{q}^{l(m+1)}\), where \(apk\cdot {\varvec{s}}={\varvec{e}}\) is small and \(s_1\in \mathbb {Z}_q^{lm}\) is also assumed to be small, being distributed according to \(\chi \). In order to encrypt 0, \(\mathcal {B}\) samples N vectors according to \(\chi \) and outputs a ciphertext \(C\leftarrow {\varvec{b}}\cdot apk+{\varvec{e}}'\). This ciphertext is indistinguishable from random by a standard hybrid argument.
Decryption is possible by computing the inner product \(\left\langle C,{\varvec{s}}\right\rangle \) and outputting \(\mu =0\) if the result is small and \(\mu =1\) otherwise. \(\square \)
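The following is an added worked example, not code from the paper or its authors. It makes Appendix B concrete by implementing the discrete Gaussian \(\mathcal {D}_{\mathbb {Z},\sigma }\) of Appendix A by rejection sampling, the two LWE oracles \(\mathcal {O}_s\) and \(\mathcal {O}_r\), and the only check the proof above relies on: with the secret \({\varvec{s}}=(1,s_1)\) in hand, \(\left\langle C,{\varvec{s}}\right\rangle \) is small for a well-formed ciphertext and uniformly random otherwise. The bit encoding (adding \(\lfloor q/2\rfloor \) to the first coordinate for \(\mu =1\)), the binary combination vector \({\varvec{b}}\), the public-key row layout \((t_i,-{\varvec{a}}_i)\) and the toy parameters are this example's own assumptions; the parameters are far too small to be secure and exist only to show the mechanics.

```python
import math
import random

# Toy parameters (assumption of this example; not secure, chosen only so the
# noise stays well below q/4 and the demo runs instantly).
N_DIM = 16      # LWE dimension n
Q = 7681        # modulus q
SIGMA = 2.0     # Gaussian parameter of chi = D_{Z,sigma}


def sample_discrete_gaussian(sigma, center=0.0, rng=random, tail=10):
    """Sample from D_{Z,sigma,c} by rejection, using the weight
    rho_{sigma,c}(x) = exp(-pi (x - c)^2 / sigma^2) from Appendix A,
    restricted to integers within `tail` * sigma of the centre."""
    lo = int(math.floor(center - tail * sigma))
    hi = int(math.ceil(center + tail * sigma))
    while True:
        x = rng.randint(lo, hi)
        rho = math.exp(-math.pi * (x - center) ** 2 / sigma ** 2)
        if rng.random() < rho:
            return x


def oracle_s(s, q, sigma, rng):
    """O_s: returns (a, t = <a,s> + e mod q) with a uniform and a fresh e <- chi."""
    a = [rng.randrange(q) for _ in range(len(s))]
    e = sample_discrete_gaussian(sigma, rng=rng)
    t = (sum(ai * si for ai, si in zip(a, s)) + e) % q
    return a, t


def oracle_r(n, q, rng):
    """O_r: returns a truly random pair from Z_q^n x Z_q."""
    return [rng.randrange(q) for _ in range(n)], rng.randrange(q)


def centered_mod(x, q):
    """Representative of x mod q in the range (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def residual(a, t, s, q):
    """t - <a,s> mod q, centred: equals e for an O_s sample, uniform for O_r."""
    return centered_mod(t - sum(ai * si for ai, si in zip(a, s)), q)


def count_small_residuals(samples, s, q, bound):
    """How many samples a holder of s would classify as LWE (small residual)."""
    return sum(1 for a, t in samples if abs(residual(a, t, s, q)) <= bound)


def gen_keys(n, num_samples, q, sigma, rng):
    """Public key apk with rows (t_i, -a_i) so that apk . (1, s_1) = e is small.
    s_1 is sampled from chi, as the proof assumes (small secret)."""
    s1 = [sample_discrete_gaussian(sigma, rng=rng) for _ in range(n)]
    apk = []
    for _ in range(num_samples):
        a, t = oracle_s(s1, q, sigma, rng)
        apk.append([t] + [(-ai) % q for ai in a])
    return apk, [1] + s1


def encrypt(apk, mu, q, sigma, rng):
    """C = b . apk + e' (+ mu * floor(q/2) in coordinate 0; encoding is an assumption)."""
    width = len(apk[0])
    c = [0] * width
    for row in apk:
        if rng.randint(0, 1):          # b is a random binary combination vector
            for j in range(width):
                c[j] += row[j]
    e_prime = [sample_discrete_gaussian(sigma, rng=rng) for _ in range(width)]
    c = [(cj + ej) % q for cj, ej in zip(c, e_prime)]
    c[0] = (c[0] + mu * (q // 2)) % q
    return c


def decrypt(c, s, q):
    """Output 0 if <C,s> is small (|.| < q/4) and 1 otherwise, as in the proof."""
    v = centered_mod(sum(cj * sj for cj, sj in zip(c, s)), q)
    return 0 if abs(v) < q // 4 else 1


def demo(seed=1):
    """Returns (#LWE samples flagged small, #random samples flagged small,
    decrypted bits for the plaintexts 0, 1, 0, 1)."""
    rng = random.Random(seed)
    s = [rng.randrange(Q) for _ in range(N_DIM)]
    lwe_samples = [oracle_s(s, Q, SIGMA, rng) for _ in range(200)]
    rnd_samples = [oracle_r(N_DIM, Q, rng) for _ in range(200)]
    bound = 10 * SIGMA  # the rejection sampler never exceeds this tail
    small_lwe = count_small_residuals(lwe_samples, s, Q, bound)
    small_rnd = count_small_residuals(rnd_samples, s, Q, bound)
    apk, sk = gen_keys(N_DIM, 64, Q, SIGMA, rng)
    bits = [decrypt(encrypt(apk, mu, Q, SIGMA, rng), sk, Q) for mu in (0, 1, 0, 1)]
    return small_lwe, small_rnd, bits


if __name__ == "__main__":
    print(demo())
```

The point of `count_small_residuals` is that the distinguishing test is only available to a party holding \({\varvec{s}}\); without it, the residual cannot be computed and the two oracles look alike, which is exactly the gap the reduction in the proof exploits. Correct decryption of both bits also shows why the proof can let \(\mathcal {B}\) answer key queries with \({\varvec{s}}=(1,s_1)\) for a small \(s_1\): the term \(\left\langle {\varvec{e}}',{\varvec{s}}\right\rangle \) stays small only because \(s_1\) is small.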
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
Cite this paper
Kuchta, V., Sharma, G., Sahu, R.A., Markowitch, O. (2018). Multi-party (Leveled) Homomorphic Encryption on Identity-Based and Attribute-Based Settings. In: Kim, H., Kim, DC. (eds) Information Security and Cryptology – ICISC 2017. ICISC 2017. Lecture Notes in Computer Science(), vol 10779. Springer, Cham. https://doi.org/10.1007/978-3-319-78556-1_5
DOI: https://doi.org/10.1007/978-3-319-78556-1_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-78555-4
Online ISBN: 978-3-319-78556-1
eBook Packages: Computer Science (R0)