Turning HATE into LOVE: Compact Homomorphic Ad Hoc Threshold Encryption for Scalable MPC

In a public-key threshold encryption scheme, the sender produces a single ciphertext, and any t + 1 out of n intended recipients can combine their partial decryptions to obtain the plaintext. Ad hoc threshold encryption (ATE) schemes require no correlated setup, enabling each party to simply generate its own key pair. In this paper, we initiate a systematic study of the possibilities and limitations of ad hoc threshold encryption, and introduce a key application to scalable multiparty computation (MPC). Assuming indistinguishability obfuscation (iO), we construct the first ATE that is sender-compact, that is, with ciphertext length independent of n. This allows for succinct communication once public keys have been shared. We also show a basic lower bound on the extent of key sharing: every sender-compact scheme requires that recipients of a message know the public keys of other recipients in order to decrypt. We then demonstrate that threshold encryption that is ad hoc and homomorphic can be used to build efficient large-scale fault-tolerant MPC on a minimal (star) communication graph. We explore several homomorphic schemes, in particular obtaining one iO-based ATE scheme that is both sender-compact and homomorphic: each recipient can derive what they need for evaluation from a single short ciphertext. In the resulting MPC protocol, once the public keys have been distributed, all parties in the graph except for the central server send and receive only short messages, whose size is independent of the number of participants. Taken together, our results chart new possibilities for threshold encryption and raise intriguing open questions.
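To make the two properties the abstract contrasts concrete, here is an added Python example that is not code from the paper: it implements the trivial ad hoc threshold encryption, in which every recipient independently generates a hashed-ElGamal key pair (no correlated setup), and the sender Shamir-shares a one-time key and wraps one share per recipient. Any t + 1 recipients combine their partial decryptions, but the ciphertext carries n headers, so it is exactly not sender-compact; that linear cost is what the paper's iO-based construction removes. The group size (a 64-bit safe prime), the SHA-256 counter-mode stream used as the symmetric layer, and all function names are toy assumptions for illustration, not the paper's scheme.

```python
# Hypothetical toy code (not from the paper): share-per-recipient ad hoc threshold encryption
# with 64-bit parameters, for illustration only.
import hashlib
import secrets

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test with random bases."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_group(bits: int = 64):
    """Safe prime p = 2q + 1; g = 4 (a square) generates the order-q subgroup (toy size)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4

def keygen(grp):
    """Each recipient generates its own key pair: no correlated setup (the ad hoc property)."""
    sk = secrets.randbelow(grp[1] - 1) + 1
    return sk, pow(grp[2], sk, grp[0])

def _kdf(shared: int, p: int) -> int:
    # Hash a group element to a 256-bit mask (hashed-ElGamal KEM).
    return int.from_bytes(hashlib.sha256(shared.to_bytes((p.bit_length() + 7) // 8, "big")).digest(), "big")

def encrypt_share(grp, pk, s):
    """Wrap one Shamir share under one recipient's public key."""
    p, q, g = grp
    r = secrets.randbelow(q - 1) + 1
    return pow(g, r, p), s ^ _kdf(pow(pk, r, p), p)

def share(secret, t, n, q):
    """Shamir sharing: degree-t polynomial over Z_q, so any t+1 of the n points recover it."""
    coeffs = [secret] + [secrets.randbelow(q) for _ in range(t)]
    return [(i, sum(c * pow(i, k, q) for k, c in enumerate(coeffs)) % q)
            for i in range(1, n + 1)]

def reconstruct(points, q):
    """Lagrange interpolation at x = 0 over Z_q."""
    s = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num, den = num * (-xj) % q, den * (xi - xj) % q
        s = (s + yi * num * pow(den, -1, q)) % q
    return s

def _keystream(key: int, n: int) -> bytes:
    """SHA-256 counter-mode stream derived from the one-time key (toy symmetric layer)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key.to_bytes(32, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def ate_encrypt(grp, pks, t, msg: bytes):
    """One ciphertext for all n recipients; the header list has n entries (not sender-compact)."""
    key = secrets.randbelow(grp[1])
    shares = share(key, t, len(pks), grp[1])
    body = bytes(a ^ b for a, b in zip(msg, _keystream(key, len(msg))))
    return {"t": t, "body": body,
            "headers": [encrypt_share(grp, pk, s) for pk, (_, s) in zip(pks, shares)]}

def partial_decrypt(grp, idx, sk, ct):
    """Recipient idx (1-based) recovers only its own share: its partial decryption."""
    c1, c2 = ct["headers"][idx - 1]
    return idx, c2 ^ _kdf(pow(c1, sk, grp[0]), grp[0])

def combine(grp, partials, ct):
    """Any t+1 partial decryptions rebuild the key; fewer are rejected."""
    if len(partials) < ct["t"] + 1:
        raise ValueError("need at least t+1 partial decryptions")
    key = reconstruct(partials[: ct["t"] + 1], grp[1])
    return bytes(a ^ b for a, b in zip(ct["body"], _keystream(key, len(ct["body"]))))

def demo(n=5, t=2, msg=b"constructed sample plaintext"):
    grp = gen_group()
    keys = [keygen(grp) for _ in range(n)]
    ct = ate_encrypt(grp, [pk for _, pk in keys], t, msg)
    # Recipients 1..t+1 cooperate; the remaining n-t-1 stay offline.
    partials = [partial_decrypt(grp, i, keys[i - 1][0], ct) for i in range(1, t + 2)]
    return {"recovered": combine(grp, partials, ct), "header_count": len(ct["headers"])}
```

Running `demo()` shows the round trip and the n-entry header list; the length of `ct["headers"]` is the communication cost that a sender-compact ATE makes independent of n. The example also reflects the lower bound stated above only loosely: here a recipient needs no other recipient's public key to decrypt, which is possible precisely because the scheme is not sender-compact.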
