tsk & tpk under the PIR problem #443
-
Hi, I have been reviewing the PSI example for MHE BFV and I have seen that the receiver generates a 'target public key' (shared with the other nodes) and a 'target secret key' (not shared and known only to the receiver). So, when the nodes execute the key switching protocol, they change the key the ciphertext is encrypted under from CPK to TPK, and return the result to the receiver (which aggregates the results and decrypts with TSK). This scheme corresponds to the 'Public-key-switching' technique of the paper 'Multiparty Homomorphic Encryption from Ring-Learning-with-Errors', which describes the receiver as an external party, and defines another scheme called 'Key-switching' in which all nodes are receivers and can decrypt using a common secret key (secure sharing of this key is assumed).

My question is whether in the 'Public-key-switching' scheme the receiver will always be an external party, or if the receiver can also be an internal party and take part in the PSI problem (like another party). But after the public-key-switching, the rest of the nodes send the receiver their results, which are aggregated with its result, and then the receiver is able to decrypt and obtain the final result. Is this modified scheme, where the receiver takes part in the protocol, still secure under the same assumptions as the original 'Public-key-switching'?
Replies: 2 comments 1 reply
-
The case of an internal receiver is already covered by the collective key switching protocol (CKS). In this protocol, all parties except the receiver can generate a share for a target (secret-key) of zero (i.e., a decryption share), and aggregate the result. From this aggregation and the original ciphertext, the receiver obtains an encryption that can be decrypted from its share of the secret-key.

The receiver in the public collective key-switching protocol (PCKS) could be any party, including an internal party who could also generate a target public-key for that purpose. But it is sub-optimal because the PCKS is more noisy and more costly than the CKS protocol.

Hope this helps!
-
When you say "all parties except the receiver can generate a share for a target (secret-key) of zero (ie, a decryption share),", do you mean that each party (except the receiver) takes s_i' as 0 and calculates h_i as s_i * c_1 + e_i? And then the receiver computes h as sum(h_i) and then decrypts with c_0 + h + s_r * c_1?
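A toy run of the CKS flow with an internal receiver, as discussed in this thread. This is an added example, not Lattigo code and not code from any participant: it uses the general key-switching share h_i = (s_i - s_i')·c_1 + e_i from the cited paper with s_i' = 0 for every non-receiver. Assumptions: the decryption convention c_0 + s·c_1, hypothetical names (`cksToReceiver`, `mulAdd`, `small`), tiny insecure parameters and `math/rand` in place of a cryptographic sampler.

```go
package main

import "fmt"
import "math/rand"

const n, q, t = 8, int64(1 << 20), int64(16) // toy, insecure sizes (assumed)
type poly [n]int64
func mod(x int64) int64 { return (x%q + q) % q }

// mulAdd returns acc + sign*a*b in Z_q[X]/(X^n+1) (negacyclic: X^n = -1).
func mulAdd(acc, a, b poly, sign int64) poly {
	for i := range a {
		for j := range b {
			w := sign * (1 - 2*int64((i+j)/n)) // flips once the degree wraps
			acc[(i+j)%n] = mod(acc[(i+j)%n] + w*mod(a[i]*b[j]))
		}
	}
	return acc
}

// small returns acc plus fresh coefficients from {-1,0,1} (secret or noise).
func small(acc poly, r *rand.Rand) poly {
	for i := range acc {
		acc[i] = mod(acc[i] + int64(r.Intn(3)-1))
	}
	return acc
}

// cksToReceiver: k parties, party 0 is the receiver; returns what it decrypts.
func cksToReceiver(m poly, k int, seed int64) (out poly) {
	r := rand.New(rand.NewSource(seed))
	sk, c0, c1 := make([]poly, k), poly{}, poly{}
	for i := range c1 {
		c1[i], c0[i] = r.Int63n(q), mod(q/t*m[i]+int64(r.Intn(3)-1)) // Δm + e
	}
	for i := range sk { // encrypt under s = Σ s_i: c0 = Δm + e - s*c1
		sk[i] = small(poly{}, r)
		c0 = mulAdd(c0, sk[i], c1, -1)
	}
	for i := 1; i < k; i++ { // non-receivers add h_i = s_i*c1 + e_i (target 0)
		c0 = mulAdd(small(c0, r), sk[i], c1, 1)
	}
	for i, v := range mulAdd(c0, sk[0], c1, 1) { // receiver: c0 + Σh_i + s_0*c1
		out[i] = (v*t + q/2) / q % t
	}
	return
}

func main() { fmt.Println(cksToReceiver(poly{3, 1, 4, 1, 5, 9, 2, 6}, 3, 1)) }
```

The receiver never sees another party's secret share, only the noisy aggregate, and the extra noise terms e_i stay far below q/(2t) here, so rounding recovers the message.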