mhe

package
v0.0.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 20, 2024 License: Apache-2.0, BSD-3-Clause, ISC, + 1 more Imports: 10 Imported by: 0

README

MHE

The MHE package implements several Multiparty Homomorphic Encryption (MHE) primitives based on Ring-Learning-with-Errors (RLWE). It provides generic interfaces for the local steps of the MHE-based Secure Multiparty Computation (MHE-MPC) protocol that are common across all the RLWE distributed schemes implemented in lattigo (e.g., collective key generation). The mhe/heinteger and mhe/hefloat packages import mhe and provide scheme-specific functionalities (e.g., interactive bootstrapping).

This package implements local operations only, hence does not assume or provide any network-layer protocol implementation. However, it provides serialization methods for all relevant structures that implement the standard encoding.BinaryMarshaller and encoding.BinaryUnmarshaller interfaces (see https://pkg.go.dev/encoding) as well as the io.WriterTo and io.ReaderFrom interfaces (see https://pkg.go.dev/encoding).

The MHE-MPC protocol implemented in the library is based on the constructions described in "Multiparty Homomorphic Encryption from Ring-Learning-with-Errors" by Mouchet et al. (2021), which is an RLWE instantiation of the MPC protocol described in "Multiparty computation with low communication, computation and interaction via threshold FHE" by Asharov et al. (2012).

MHE-MPC Protocol Overview

The protocol enables a group of N input parties to compute a joint function over their private inputs under encryption and to provide a receiver party with the result. The protocol is generic and covers several system- and adversary-models:

Peer-to-peer vs Cloud-assisted models. The parties can execute the protocol in a peer-to-peer way or receive assistance from a third-party server (which is also considered an adversary).

Internal vs External receivers. Receiver parties are the intended recipients of the computation result and can be either internal or external depending or whether they are or not input parties themselves, respectively. This distinction is important in practice, because external receivers do not need to be online (and even to be known) during the setup phase.

Anytrust vs Full-threshold Access-structure. As for many MPC protocols, the assumption on the worst-case number of corrupted parties can be mapped in the cryptographic access-control mechanism (the access structure). The implemented MHE-MPC protocol is "anytrust" (N-out-of-N-threshold) by default, but can be relaxed to any positive threshold t-out-of-N (see Threshold Secret-Key Generation).

Passive vs Active Adversaries. The implemented MHE-MPC protocol is secure against passive adversaries, and can in theory be extended to active security by requiring the parties to produce proofs that their shares are correctly computed for every round. Note that those proofs are not implemented in this library.

An execution of the MHE-based MPC protocol has two phases: the Setup phase and the Evaluation phase, each of which comprises a number of sub-protocols as depicted below (the details of each protocols are provided later).

  1. Setup Phase
    1. Secret Keys Generation
    2. [if t < N] Threshold Secret-Key Generation
    3. Collective Public Encryption-Key Generation
    4. Collective Public Evaluation-Key Generation
      1. Relinearization-Key
      2. Galois-Keys
      3. Generic Evaluation-Keys
  2. Evaluation Phase
    1. Input (Encryption)
    2. Circuit Evaluation
    3. Output phase (Decryption)
      1. Collective Key-Switching
      2. Local Decryption

MHE-MPC Protocol Steps Description

This section provides a description for each sub-protocol of the MHE-MPC protocol and provides pointers to the relevant types and methods. This description is a first draft and will evolve in the future. For concrete code examples, see the example/mhe folders. For a more formal exposition, see "Multiparty Homomorphic Encryption from Ring-Learning-with-Errors" and An Efficient Threshold Access-Structure for RLWE-Based Multiparty Homomorphic Encryption.

The system model is abstracted by considering that the parties have access to a common public authenticated channel. In the cloud-assisted setting, this public channel can be the helper cloud-server. In the peer-to-peer setting, it could be a public broadcast channel. We also assume that parties can communicate over private authenticated channels.

Several protocols require the parties to have access to common uniformly random polynomials (CRP), which are sampled from a common random string (CRS). This CRS is implemented as an interface type mhe.CRS that can be read by the parties as a part of the protocols (see below). The mhe.CRS can be implemented by a utils.KeyedPRNG type for which all parties use the same key.

1. Setup

In this phase, the parties generate the various keys that are required by the Evaluation phase. Similarly to LSSS-based MPC protocols such as SPDZ, the setup phase does not depend on the input and can be pre-computed. However, unlike LSSS-based MPC, the setup produces public-keys that can be re-used for an arbitrary number of evaluation phases.

1.i Secret Keys Generation

The parties generate their individual secret-keys locally by using a rlwe.KeyGenerator; this provides them with a rlwe.SecretKey type. See rlwe/keygenerator.go for further information on key-generation.

The ideal secret-key is implicitly defined as the sum of all secret-keys. Hence, this secret-key enforces an N-out-N access structure which requires all the parties to collaborate in a ciphertext decryption and thus tolerates N-1 dishonest parties.

1.ii [if t < N] Threshold Secret-Key Generation

For settings where an N-out-N access structure is too restrictive (e.g., from an availability point of view), an optional Threshold Secret-Key Generation Protocol can be run to enable t-out-of-N access-structures (hence tolerating t-1 dishonest parties). The idea of this protocol is to apply Shamir Secret Sharing to the ideal secret-key in such a way that any group of t parties can reconstruct it. This is achieved by a single-round protocol where each party applies Shamir Secret-Sharing to its own share of the ideal secret-key.

We assume that each party is associated with a distinct mhe.ShamirPublicPoint that is known to the other parties.

This protocol is implemented by the mhe.Thresholdizer type and its steps are the following:

  • Each party generates a mhe.ShamirPolynomial by using the Thresholdizer.GenShamirPolynomial method, then generates a share of type mhe.ShamirSecretShare for each of the other parties' ShamirPublicPoint by using the Thresholdizer.GenShamirSecretShare.
  • Each party privately sends the respective ShamirSecretShare to each of the other parties.
  • Each party aggregates all the ShamirSecretShares it received using the Thresholdizer.AggregateShares method.

Each party stores its aggregated ShamirSecretShare for later use.

1.iii Public Key Generation

The parties execute the collective public encryption-key generation protocol to obtain an encryption-key for the ideal secret-key.

The protocol is implemented by the mhe.PublicKeyGenProtocol type and its steps are as follows:

  • Each party samples a common random polynomial (mhe.PublicKeyGenCRP) from the CRS by using the PublicKeyGenProtocol.SampleCRP method.
  • [if t < N] Each party uses the mhe.Combiner.GenAdditiveShare to obtain a t-out-of-t sharing and uses the result as its secret-key in the next step.
  • Each party generates a share (mhe.PublicKeyGenShare) from the CRP and their secret-key, by using the PublicKeyGenProtocol.GenShare method.
  • Each party discloses its share over the public channel. The shares are aggregated with the PublicKeyGenProtocol.AggregateShares method.
  • Each party can derive the public encryption-key (rlwe.PublicKey) by using the PublicKeyGenProtocol.GenPublicKey method.

After the execution of this protocol, the parties have access to the collective public encryption-key, hence can provide their inputs to computations.

1.iv Evaluation-Key Generation

In order to evaluate circuits on the collectively-encrypted inputs, the parties must generate the evaluation-keys that correspond to the operations they wish to support. The generation of a relinearization-key, which enables compact homomorphic multiplication, is described below (see mhe.RelinearizationKeyGenProtocol). Additionally, and given that the circuit requires it, the parties can generate evaluation-keys to support rotations and other kinds of Galois automorphisms (see mhe.GaloisKeyGenProtocol below). Finally, it is possible to generate generic evaluation-keys to homomorphically re-encrypt a ciphertext from a secret-key to another (see mhe.EvaluationKeyGenProtocol).

1.iv.a Relinearization Key

This protocol provides the parties with a public relinearization-key (rlwe.RelinearizationKey) for the ideal secret-key. This public-key enables compact multiplications in RLWE schemes. Out of the described protocols in this package, this is the only two-round protocol.

The protocol is implemented by the mhe.RelinearizationKeyGenProtocol type and its steps are as follows:

  • Each party samples a common random polynomial matrix (mhe.RelinearizationKeyGenCRP) from the CRS by using the RelinearizationKeyGenProtocol.SampleCRP method.
  • [if t < N] Each party uses the mhe.Combiner.GenAdditiveShare to obtain a t-out-of-t sharing and use the result as their secret-key in the next steps.
  • Each party generates a share (mhe.RelinearizationKeyGenShare) for the first protocol round by using the RelinearizationKeyGenProtocol.GenShareRoundOne method. This method also provides the party with an ephemeral secret-key (rlwe.SecretKey), which is required for the second round.
  • Each party discloses its share for the first round over the public channel. The shares are aggregated with the RelinearizationKeyGenProtocol.AggregateShares method.
  • Each party generates a share (also a mhe.RelinearizationKeyGenShare) for the second protocol round by using the RelinearizationKeyGenProtocol.GenShareRoundTwo method.
  • Each party discloses its share for the second round over the public channel. The shares are aggregated with the RelinearizationKeyGenProtocol.AggregateShares method.
  • Each party can derive the public relinearization-key (rlwe.RelinearizationKey) by using the RelinearizationKeyGenProtocol.GenRelinearizationKey method.
1.iv.b Galois Keys

This protocol provides the parties with a public Galois-key (stored as rlwe.GaloisKey types) for the ideal secret-key. One Galois-key enables one specific Galois automorphism on the ciphertexts' slots. The protocol can be repeated to generate the keys for multiple automorphisms.

The protocol is implemented by the mhe.GaloisKeyGenProtocol type and its steps are as follows:

  • Each party samples a common random polynomial matrix (mhe.GaloisKeyGenCRP) from the CRS by using the GaloisKeyGenProtocol.SampleCRP method.
  • [if t < N] Each party uses the mhe.Combiner.GenAdditiveShare to obtain a t-out-of-t sharing and uses the result as its secret-key in the next step.
  • Each party generates a share (mhe.GaloisKeyGenShare) by using GaloisKeyGenProtocol.GenShare.
  • Each party discloses its mhe.GaloisKeyGenShare over the public channel. The shares are aggregated with the GaloisKeyGenProtocol.AggregateShares method.
  • Each party can derive the public Galois-key (rlwe.GaloisKey) from the final GaloisKeyGenShare by using the GaloisKeyGenProtocol.AggregateShares method.
1.iv.c Other Evaluation Keys

This protocol provides the parties with a generic public Evaluation-key (stored as rlwe.EvaluationKey types) for the ideal secret-key. One Evaluation-key enables one specific public re-encryption from one key to another.

The protocol is implemented by the mhe.EvaluationKeyGenProtocol type and its steps are as follows:

  • Each party samples a common random polynomial matrix (mhe.EvaluationKeyGenCRP) from the CRS by using the EvaluationKeyGenProtocol.SampleCRP method.
  • [if t < N] Each party uses the mhe.Combiner.GenAdditiveShare to obtain a t-out-of-t sharing and uses the result as its secret-key in the next step.
  • Each party generates a share (mhe.EvaluationKeyGenShare) by using EvaluationKeyGenProtocol.GenShare.
  • Each party discloses its mhe.EvaluationKeyGenShare over the public channel. The shares are aggregated with the EvaluationKeyGenProtocol.AggregateShares method.
  • Each party can derive the public Evaluation-key (rlwe.EvaluationKey) from the final EvaluationKeyGenShare by using the EvaluationKeyGenProtocol.AggregateShares method.
2 Evaluation Phase
2.i Input step (Encryption Phase)

The parties provide their inputs for the computation during the Input Phase. They use the collective encryption-key generated during the Setup Phase to encrypt their inputs, and send them through the public channel. Since the collective encryption-key is a valid RLWE public encryption-key, it can be used directly with the single-party scheme. Hence, the parties can use the Encoder and Encryptor interfaces of the desired encryption scheme (see heint.Encoder, hefloat.Encoder and rlwe.Encryptor).

2.ii Circuit Evaluation step

The computation of the desired function is performed homomorphically during the Evaluation Phase. The step can be performed by the parties themselves or can be outsourced to a cloud-server. Since the ciphertexts in the multiparty schemes are valid ciphertexts for the single-party ones, the homomorphic operation of the latter can be used directly (see heint.Evaluator and hefloat.Evaluator).

2.iii Output step

The receiver(s) obtain their outputs through the final Output Phase, whose aim is to decrypt the ciphertexts resulting from the Evaluation Phase. It is a two-step process with an optional pre-processing step when using the t-out-of-N access structure. In the first step, Collective Key-Switching, the parties re-encrypt the desired ciphertext under the receiver's secret-key. The second step is the local decryption of this re-encrypted ciphertext by the receiver.

2.iii.a Collective Key-Switching

The parties perform a re-encryption of the desired ciphertext(s) from being encrypted under the ideal secret-key to being encrypted under the receiver's secret-key. There are two instantiations of the Collective Key-Switching protocol:

  • Collective Key-Switching (KeySwitch), implemented as the mhe.KeySwitchProtocol interface: it enables the parties to switch from their ideal secret-key s to another ideal secret-key s' when s' is collectively known by the parties. In the case where s' = 0, this is equivalent to a collective decryption protocol that can be used when the receiver is one of the input-parties.
  • Collective Public-Key Switching (PublicKeySwitch), implemented as the mhe.PublicKeySwitchProtocol interface, enables parties to switch from their ideal secret-key s to an arbitrary key s' when provided with a public encryption-key for s'. Hence, this enables key-switching to a secret-key that is not known to the input parties, which enables external receivers.

While both protocol variants have slightly different local operations, their steps are the same:

  • Each party generates a share (of type mhe.KeySwitchShare or mhe.PublicKeySwitchShare) with the mhe.(Public)KeySwitchProtocol.GenShare method. This requires its own secret-key (a rlwe.SecretKey) as well as the destination key: its own share of the destination key (a rlwe.SecretKey) in KeySwitch or the destination public-key (a rlwe.PublicKey) in PublicKeySwitch.
  • Each party discloses its mhe.KeySwitchShare over the public channel. The shares are aggregated with the (Public)KeySwitchProtocol.AggregateShares method.
  • From the aggregated mhe.KeySwitchShare, any party can derive the ciphertext re-encrypted under s' by using the (Public)KeySwitchProtocol.KeySwitch method.
2.iii.b Decryption

Once the receivers have obtained the ciphertext re-encrypted under their respective keys, they can use the usual decryption algorithm of the single-party scheme to obtain the plaintext result (see rlwe.Decryptor.

References

  1. Multiparty Homomorphic Encryption from Ring-Learning-With-Errors (https://eprint.iacr.org/2020/304)
  2. An Efficient Threshold Access-Structure for RLWE-Based Multiparty Homomorphic Encryption (https://eprint.iacr.org/2022/780)

Documentation

Overview

Package mhe implements RLWE-based scheme agnostic multiparty key-generation and proxy re-rencryption. See README.md for more details about multiparty homomorphic encryption.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NoiseCircularCiphertext 

func NoiseCircularCiphertext(params rlwe.Parameters, hasP bool, d, Log2Basis, nbParties int) (std float64)

func NoiseEvaluationKey 

func NoiseEvaluationKey(params rlwe.Parameters, nbParties int) (std float64)

NoiseEvaluationKey returns the standard deviation of the noise of each individual elements in a collective EvaluationKey.

func NoiseGadgetCiphertext 

func NoiseGadgetCiphertext(params rlwe.Parameters, nbParties int) (std float64)

NoiseGadgetCiphertext returns the standard deviation of the noise of each individual elements in a gadget ciphertext encrypted with the collective key.

func NoiseGaloisKey 

func NoiseGaloisKey(params rlwe.Parameters, nbParties int) (std float64)

NoiseGaloisKey returns the standard deviation of the noise of each individual elements in a collective GaloisKey.

func NoiseKeySwitch 

func NoiseKeySwitch(nbParties int, noisect, noisefresh, noiseflood float64) (std float64)

func NoiseRelinearizationKey 

func NoiseRelinearizationKey(params rlwe.Parameters, nbParties int) (std float64)

NoiseRelinearizationKey returns the standard deviation of the noise of each individual elements in the collective RelinearizationKey.

Types

type AdditiveShare 

type AdditiveShare struct {
	Value []uint64
}

AdditiveShare is a type for storing additively shared values in Z_Q[X] (RNS domain).

func NewAdditiveShare 

func NewAdditiveShare(N int) *AdditiveShare

NewAdditiveShare instantiates a new additive share struct for the ring defined by the given parameters at maximum level.

type AdditiveShareBigint 

type AdditiveShareBigint struct {
	Value []big.Int
}

AdditiveShareBigint is a type for storing additively shared values in Z (positional domain).

func NewAdditiveShareBigint 

func NewAdditiveShareBigint(n int) *AdditiveShareBigint

NewAdditiveShareBigint instantiates a new additive share struct composed of n big.Int elements.

type CircularCiphertextProtocol 

type CircularCiphertextProtocol struct {
	GadgetCiphertextProtocol
	// contains filtered or unexported fields
}

CircularCiphertextProtocol is a non-interactive public aggregatable transcripts (PAT) protocol by which a set of parties, each holding a secret sk_{i} and a message m_{i}, can collectively generate in a single round the encryption RLWE_{sk}(m*sk) where sk = sum sk_{i} and m = sum m_{i}. An RLWE is an rlwe.Ciphertext.

func NewCircularCiphertextProtocol 

func NewCircularCiphertextProtocol(params rlwe.ParameterProvider) *CircularCiphertextProtocol

NewCircularCiphertextProtocol creates an mhe.CircularCiphertextProtocol instance.

func (CircularCiphertextProtocol) Aggregate 

func (p CircularCiphertextProtocol) Aggregate(share1, share2, share3 *CircularCiphertextShare) (err error)

Aggregate aggregates the public aggregatable transcripts: share3 = share1 + share2.

func (CircularCiphertextProtocol) Allocate 

func (p CircularCiphertextProtocol) Allocate() *CircularCiphertextShare

Allocate allocates a party's share in the mhe.CircularCiphertextProtocol.

func (CircularCiphertextProtocol) Finalize 

func (p CircularCiphertextProtocol) Finalize(share *CircularCiphertextShare, ctU *rlwe.GadgetCiphertext, ctMS *rlwe.Ciphertext) (err error)

Finalize takes the public aggregated transcripts (share and ctu) and populates ctMS with RLWE_{s}(ms).

func (CircularCiphertextProtocol) Gen 

func (p CircularCiphertextProtocol) Gen(sk, u *rlwe.SecretKey, pt *rlwe.Plaintext, seed [32]byte, share *CircularCiphertextShare) (err error)

Gen populates the mhe.CircularCiphertextShare with the public aggregatable transcript (PAT).

func (CircularCiphertextProtocol) GenEphemeralSecret 

func (p CircularCiphertextProtocol) GenEphemeralSecret(sk *rlwe.SecretKey, seed [32]byte, DDGRLWE rlwe.DigitDecomposition) (u *rlwe.SecretKey, share *GadgetCiphertextShare, err error)

GenEphemeralSecret generates the ephemeral secret and its associated public share. This ephemeral secret can be reused across multiple calls of the main protocol.

func (CircularCiphertextProtocol) ShallowCopy 

func (p CircularCiphertextProtocol) ShallowCopy() *CircularCiphertextProtocol

ShallowCopy creates a shallow copy of the receiver in which all the read-only data-structures are shared with the receiver and the temporary buffers are reallocated. The receiver and the returned object can be used concurrently.

type CircularCiphertextShare 

type CircularCiphertextShare struct {
	Seed  [32]byte
	RLWE1 rlwe.Ciphertext // RLWE_{u}(m)[SeedRLWE]
	RLWE2 rlwe.Ciphertext // RLWE_{s}(0)[SeedRLWE]
}

CircularCiphertextShare is represent a Party's share in the mhe.CircularCiphertextProtocol.

func (CircularCiphertextShare) BinarySize 

func (share CircularCiphertextShare) BinarySize() int

BinarySize returns the serialized size of the object in bytes.

func (CircularCiphertextShare) Equal 

func (share CircularCiphertextShare) Equal(other *CircularCiphertextShare) bool

Equal performs a deep equal between the receiver and the operand.

func (CircularCiphertextShare) MarshalBinary 

func (share CircularCiphertextShare) MarshalBinary() (p []byte, err error)

MarshalBinary encodes the object into a binary form on a newly allocated slice of bytes.

func (*CircularCiphertextShare) ReadFrom 

func (share *CircularCiphertextShare) ReadFrom(r io.Reader) (n int64, err error)

ReadFrom reads on the object from an io.Writer. It implements the io.ReaderFrom interface.

Unless r implements the buffer.Reader interface (see see lattigo/utils/buffer/reader.go), it will be wrapped into a bufio.Reader. Since this requires allocation, it is preferable to pass a buffer.Reader directly:

  • When reading multiple values from a io.Reader, it is preferable to first first wrap io.Reader in a pre-allocated bufio.Reader.
  • When reading from a var b []byte, it is preferable to pass a buffer.NewBuffer(b) as w (see lattigo/utils/buffer/buffer.go).

func (*CircularCiphertextShare) UnmarshalBinary 

func (share *CircularCiphertextShare) UnmarshalBinary(p []byte) (err error)

UnmarshalBinary decodes a slice of bytes generated by MarshalBinary or WriteTo on the object.

func (CircularCiphertextShare) WriteTo 

func (share CircularCiphertextShare) WriteTo(w io.Writer) (n int64, err error)

WriteTo writes the object on an io.Writer. It implements the io.WriterTo interface, and will write exactly object.BinarySize() bytes on w.

Unless w implements the buffer.Writer interface (see lattigo/utils/buffer/writer.go), it will be wrapped into a bufio.Writer. Since this requires allocations, it is preferable to pass a buffer.Writer directly:

  • When writing multiple times to a io.Writer, it is preferable to first wrap the io.Writer in a pre-allocated bufio.Writer.
  • When writing to a pre-allocated var b []byte, it is preferable to pass buffer.NewBuffer(b) as w (see lattigo/utils/buffer/buffer.go).

type CircularGadgetCiphertextProtocol 

type CircularGadgetCiphertextProtocol struct {
	CircularCiphertextProtocol
	// contains filtered or unexported fields
}

CircularGadgetCiphertextProtocol is a non-interactive public aggregatable transcripts (PAT) protocol by which a set of parties, each holding a secret sk_{i} and a message m_{i}, can collectively generate in a single round the encryption GRLWE_{sk}(m*sk) where sk = sum sk_{i} and m = sum m_{i}. An GRLWE is an rlwe.GadgetCiphertext.

func NewCircularGadgetCiphertextProtocol 

func NewCircularGadgetCiphertextProtocol(params rlwe.ParameterProvider, LogP int) *CircularGadgetCiphertextProtocol

NewCircularGadgetCiphertextProtocol creates an mhe.CircularGadgetCiphertextProtocol instance.

func (CircularGadgetCiphertextProtocol) Aggregate 

func (p CircularGadgetCiphertextProtocol) Aggregate(share1, share2, share3 *CircularGadgetCiphertextShare) (err error)

Aggregate aggregates the public aggregatable transcripts: share3 = share1 + share2.

func (CircularGadgetCiphertextProtocol) Allocate 

func (p CircularGadgetCiphertextProtocol) Allocate(dd rlwe.DigitDecomposition) *CircularGadgetCiphertextShare

Allocate allocates a party's share in the mhe.CircularCiphertextProtocol.

func (CircularGadgetCiphertextProtocol) Finalize 

func (p CircularGadgetCiphertextProtocol) Finalize(share *CircularGadgetCiphertextShare, ctu *rlwe.GadgetCiphertext, ctMS *rlwe.GadgetCiphertext) (err error)

Finalize takes the public aggregated transcripts (share and ctu) and populates ctMS with GRLWE_{s}(ms).

func (CircularGadgetCiphertextProtocol) FinalizeNew 

func (p CircularGadgetCiphertextProtocol) FinalizeNew(share *CircularGadgetCiphertextShare, ctu *rlwe.GadgetCiphertext) (ctMS *rlwe.GadgetCiphertext, err error)

FinalizeNew takes the public aggregated transcripts (share and ctu) returns ctMS with GRLWE_{s}(ms).

func (CircularGadgetCiphertextProtocol) Gen 

func (p CircularGadgetCiphertextProtocol) Gen(sk, u *rlwe.SecretKey, pt *rlwe.Plaintext, seed [32]byte, share *CircularGadgetCiphertextShare) (err error)

Gen populates the mhe.CircularGadgetCiphertextShare with the public aggregatable transcript (PAT).

func (CircularGadgetCiphertextProtocol) GenEphemeralSecret 

func (p CircularGadgetCiphertextProtocol) GenEphemeralSecret(sk *rlwe.SecretKey, seed [32]byte, DDGRLWE rlwe.DigitDecomposition) (u *rlwe.SecretKey, share *GadgetCiphertextShare, err error)

GenEphemeralSecret generates the ephemeral secret and its associated public share. This ephemeral secret can be reused across multiple calls of the main protocol.

func (CircularGadgetCiphertextProtocol) ShallowCopy 

func (p CircularGadgetCiphertextProtocol) ShallowCopy() *CircularGadgetCiphertextProtocol

ShallowCopy creates a shallow copy of the receiver in which all the read-only data-structures are shared with the receiver and the temporary buffers are reallocated. The receiver and the returned object can be used concurrently.

type CircularGadgetCiphertextShare 

type CircularGadgetCiphertextShare struct {
	Seed   [32]byte
	GRLWE1 rlwe.GadgetCiphertext // GRLWE_{a, u}(m) [QP]
	GRLWE2 rlwe.GadgetCiphertext // GRLWE_{a, s}(0) [QP]
}

CircularGadgetCiphertextShare is represent a Party's share in the mhe.CircularGadgetCiphertextProtocol.

func (CircularGadgetCiphertextShare) BinarySize 

func (share CircularGadgetCiphertextShare) BinarySize() int

BinarySize returns the serialized size of the object in bytes.

func (CircularGadgetCiphertextShare) Equal 

func (share CircularGadgetCiphertextShare) Equal(other *CircularGadgetCiphertextShare) bool

Equal performs a deep equal between the receiver and the operand.

func (CircularGadgetCiphertextShare) MarshalBinary 

func (share CircularGadgetCiphertextShare) MarshalBinary() (p []byte, err error)

MarshalBinary encodes the object into a binary form on a newly allocated slice of bytes.

func (*CircularGadgetCiphertextShare) ReadFrom 

func (share *CircularGadgetCiphertextShare) ReadFrom(r io.Reader) (n int64, err error)

ReadFrom reads on the object from an io.Writer. It implements the io.ReaderFrom interface.

Unless r implements the buffer.Reader interface (see see lattigo/utils/buffer/reader.go), it will be wrapped into a bufio.Reader. Since this requires allocation, it is preferable to pass a buffer.Reader directly:

  • When reading multiple values from a io.Reader, it is preferable to first first wrap io.Reader in a pre-allocated bufio.Reader.
  • When reading from a var b []byte, it is preferable to pass a buffer.NewBuffer(b) as w (see lattigo/utils/buffer/buffer.go).

func (*CircularGadgetCiphertextShare) UnmarshalBinary 

func (share *CircularGadgetCiphertextShare) UnmarshalBinary(p []byte) (err error)

UnmarshalBinary decodes a slice of bytes generated by MarshalBinary or WriteTo on the object.

func (CircularGadgetCiphertextShare) WriteTo 

func (share CircularGadgetCiphertextShare) WriteTo(w io.Writer) (n int64, err error)

WriteTo writes the object on an io.Writer. It implements the io.WriterTo interface, and will write exactly object.BinarySize() bytes on w.

Unless w implements the buffer.Writer interface (see lattigo/utils/buffer/writer.go), it will be wrapped into a bufio.Writer. Since this requires allocations, it is preferable to pass a buffer.Writer directly:

  • When writing multiple times to a io.Writer, it is preferable to first wrap the io.Writer in a pre-allocated bufio.Writer.
  • When writing to a pre-allocated var b []byte, it is preferable to pass buffer.NewBuffer(b) as w (see lattigo/utils/buffer/buffer.go).

type Combiner 

type Combiner struct {
	// contains filtered or unexported fields
}

Combiner is a type for generating t-out-of-t additive shares from local t-out-of-N shares. It implements the `Combine` operation as presented in "An Efficient Threshold Access-Structure for RLWE-Based Multiparty Homomorphic Encryption" (2022) by Mouchet, C., Bertrand, E., and Hubaux, J. P. (https://eprint.iacr.org/2022/780).

func NewCombiner 

func NewCombiner(params rlwe.Parameters, own ShamirPublicPoint, others []ShamirPublicPoint, threshold int) *Combiner

NewCombiner creates a new Combiner struct from the parameters and the set of ShamirPublicPoints. Note that the other parameter may contain the instantiator's own ShamirPublicPoint.

func (Combiner) Finalize 

func (cmb Combiner) Finalize(activesPoints []ShamirPublicPoint, ownPoint ShamirPublicPoint, ownShare *ShamirSecretShare, skOut *rlwe.SecretKey) (err error)

Finalize generates a t-out-of-t additive share of the secret from a local aggregated share ownSecret and the set of active identities, identified by their ShamirPublicPoint. It stores the resulting additive share in skOut.

type EvaluationKeyProtocol 

type EvaluationKeyProtocol struct {
	GadgetCiphertextProtocol
}

EvaluationKeyProtocol is the structure storing the parameters for the collective EvaluationKey generation.

func NewEvaluationKeyProtocol 

func NewEvaluationKeyProtocol(params rlwe.ParameterProvider) (p *EvaluationKeyProtocol)

NewEvaluationKeyProtocol instantiates a new mhe.EvaluationKeyProtocol.

func (EvaluationKeyProtocol) Aggregate 

func (p EvaluationKeyProtocol) Aggregate(share1, share2, share3 *EvaluationKeyShare) (err error)

Aggregate sets share3 to share1 + share2.

func (EvaluationKeyProtocol) Allocate 

func (p EvaluationKeyProtocol) Allocate(evkParams ...rlwe.EvaluationKeyParameters) *EvaluationKeyShare

Allocate allocates a party's share in the mhe.EvaluationKeyProtocol.

func (EvaluationKeyProtocol) Finalize 

func (p EvaluationKeyProtocol) Finalize(share *EvaluationKeyShare, evk *rlwe.EvaluationKey) (err error)

Finalize finalizes the protocol and populates the input computed collective rlwe.EvaluationKey.

func (EvaluationKeyProtocol) FinalizeNew 

func (p EvaluationKeyProtocol) FinalizeNew(share *EvaluationKeyShare) (evk *rlwe.EvaluationKey)

FinalizeNew finalizes the protocol and returns the computed collective rlwe.EvaluationKey.

func (EvaluationKeyProtocol) Gen 

func (p EvaluationKeyProtocol) Gen(skIn, skOut *rlwe.SecretKey, seed [32]byte, share *EvaluationKeyShare) (err error)

Gen generates a party's share in the mhe.EvaluationKeyProtocol.

func (EvaluationKeyProtocol) ShallowCopy 

func (p EvaluationKeyProtocol) ShallowCopy() *EvaluationKeyProtocol

ShallowCopy creates a shallow copy of the receiver in which all the read-only data-structures are shared with the receiver and the temporary buffers are reallocated. The receiver and the returned object can be used concurrently.

type EvaluationKeyShare 

type EvaluationKeyShare struct {
	GadgetCiphertextShare
}

func (*EvaluationKeyShare) Aggregate 

func (share *EvaluationKeyShare) Aggregate(params rlwe.ParameterProvider, a, b *EvaluationKeyShare) (err error)

Aggregate sets the receiver to a + b.

func (EvaluationKeyShare) AsEvaluationKey 

func (share EvaluationKeyShare) AsEvaluationKey(params rlwe.ParameterProvider) (evk *rlwe.EvaluationKey)

AsEvaluationKey wraps the receiver into an rlwe.EvaluationKey.

func (EvaluationKeyShare) Equal 

func (share EvaluationKeyShare) Equal(other *EvaluationKeyShare) bool

Equal performs a deep equal between the receiver and the operand.

func (EvaluationKeyShare) Get 

func (share EvaluationKeyShare) Get(params rlwe.ParameterProvider, evk *rlwe.EvaluationKey) (err error)

Get copies the data of the receiver on a pre-allocated rlwe.EvaluationKey.

func (EvaluationKeyShare) GetNew 

func (share EvaluationKeyShare) GetNew(params rlwe.ParameterProvider) (evk *rlwe.EvaluationKey)

GetNew copies the data of the receiver on a new rlwe.EvaluationKey.

type GadgetCiphertextProtocol 

type GadgetCiphertextProtocol struct {
	*rlwe.KeyGenerator
}

GadgetCiphertextProtocol is the structure storing the parameters for the collective EvaluationKey generation.

func NewGadgetCiphertextProtocol 

func NewGadgetCiphertextProtocol(params rlwe.ParameterProvider) (p *GadgetCiphertextProtocol)

NewGadgetCiphertextProtocol instantiates a new mhe.GadgetCiphertextProtocol.

func (GadgetCiphertextProtocol) Aggregate 

func (p GadgetCiphertextProtocol) Aggregate(share1, share2, share3 *GadgetCiphertextShare) (err error)

Aggregate sets share3 to share1 + share2.

func (GadgetCiphertextProtocol) Allocate 

func (p GadgetCiphertextProtocol) Allocate(LevelQ, LevelP int, DD rlwe.DigitDecomposition) *GadgetCiphertextShare

Allocate allocates a party's share in the mhe.GadgetCiphertextProtocol.

func (GadgetCiphertextProtocol) Finalize 

func (p GadgetCiphertextProtocol) Finalize(share *GadgetCiphertextShare, ct *rlwe.GadgetCiphertext) (err error)

Finalize finalizes the protocol and populates the input computed collective rlwe.GadgetCiphertext.

func (GadgetCiphertextProtocol) Gen 

func (p GadgetCiphertextProtocol) Gen(sk *rlwe.SecretKey, pt *rlwe.Plaintext, seed [32]byte, share *GadgetCiphertextShare) (err error)

Gen generates a party's share in the mhe.GadgetCiphertextProtocol.

func (GadgetCiphertextProtocol) ShallowCopy 

func (p GadgetCiphertextProtocol) ShallowCopy() *GadgetCiphertextProtocol

ShallowCopy creates a shallow copy of the receiver in which all the read-only data-structures are shared with the receiver and the temporary buffers are reallocated. The receiver and the returned object can be used concurrently.

type GadgetCiphertextShare 

type GadgetCiphertextShare struct {
	Seed [32]byte
	rlwe.GadgetCiphertext
}

func (*GadgetCiphertextShare) Aggregate 

func (share *GadgetCiphertextShare) Aggregate(params rlwe.ParameterProvider, a, b *GadgetCiphertextShare) (err error)

Aggregate sets the receiver to a + b.

func (GadgetCiphertextShare) AsGadgetCiphertext 

func (share GadgetCiphertextShare) AsGadgetCiphertext(params rlwe.ParameterProvider) (gct *rlwe.GadgetCiphertext)

AsGadgetCiphertext wraps the receiver into an rlwe.GadgetCiphertext.

func (GadgetCiphertextShare) BinarySize 

func (share GadgetCiphertextShare) BinarySize() (dataLen int)

BinarySize returns the serialized size of the object in bytes.

func (GadgetCiphertextShare) Equal 

func (share GadgetCiphertextShare) Equal(other *GadgetCiphertextShare) bool

Equal performs a deep equal between the receiver and the operand.

func (GadgetCiphertextShare) Get 

func (share GadgetCiphertextShare) Get(params rlwe.ParameterProvider, gct *rlwe.GadgetCiphertext) (err error)

Get copies the data of the receiver on a pre-allocated rlwe.GadgetCiphertext.

func (GadgetCiphertextShare) GetNew 

func (share GadgetCiphertextShare) GetNew(params rlwe.ParameterProvider) (gct *rlwe.GadgetCiphertext)

GetNew copies the data of the receiver on a new rlwe.GadgetCiphertext.

func (GadgetCiphertextShare) MarshalBinary 

func (share GadgetCiphertextShare) MarshalBinary() (data []byte, err error)

MarshalBinary encodes the object into a binary form on a newly allocated slice of bytes.

func (*GadgetCiphertextShare) ReadFrom 

func (share *GadgetCiphertextShare) ReadFrom(r io.Reader) (n int64, err error)

ReadFrom reads on the object from an io.Writer. It implements the io.ReaderFrom interface.

Unless r implements the buffer.Reader interface (see see lattigo/utils/buffer/reader.go), it will be wrapped into a bufio.Reader. Since this requires allocation, it is preferable to pass a buffer.Reader directly:

  • When reading multiple values from a io.Reader, it is preferable to first first wrap io.Reader in a pre-allocated bufio.Reader.
  • When reading from a var b []byte, it is preferable to pass a buffer.NewBuffer(b) as w (see lattigo/utils/buffer/buffer.go).

func (*GadgetCiphertextShare) UnmarshalBinary 

func (share *GadgetCiphertextShare) UnmarshalBinary(p []byte) (err error)

UnmarshalBinary decodes a slice of bytes generated by MarshalBinary or WriteTo on the object.

func (GadgetCiphertextShare) WriteTo 

func (share GadgetCiphertextShare) WriteTo(w io.Writer) (n int64, err error)

WriteTo writes the object on an io.Writer. It implements the io.WriterTo interface, and will write exactly object.BinarySize() bytes on w.

Unless w implements the buffer.Writer interface (see lattigo/utils/buffer/writer.go), it will be wrapped into a bufio.Writer. Since this requires allocations, it is preferable to pass a buffer.Writer directly:

  • When writing multiple times to a io.Writer, it is preferable to first wrap the io.Writer in a pre-allocated bufio.Writer.
  • When writing to a pre-allocated var b []byte, it is preferable to pass buffer.NewBuffer(b) as w (see lattigo/utils/buffer/buffer.go).

type GaloisKeyProtocol 

type GaloisKeyProtocol struct {
	EvaluationKeyProtocol
}

GaloisKeyProtocol is the structure storing the parameters for the collective GaloisKeys generation.

func NewGaloisKeyProtocol 

func NewGaloisKeyProtocol(params rlwe.ParameterProvider) (p *GaloisKeyProtocol)

NewGaloisKeyProtocol creates a GaloisKeyProtocol instance.

func (GaloisKeyProtocol) Aggregate 

func (p GaloisKeyProtocol) Aggregate(share1, share2, share3 *GaloisKeyShare) (err error)

Aggregate computes share3 = share1 + share2.

func (GaloisKeyProtocol) Allocate 

func (p GaloisKeyProtocol) Allocate(evkParams ...rlwe.EvaluationKeyParameters) (pShare *GaloisKeyShare)

Allocate allocates a party's share in the GaloisKey Generation.

func (GaloisKeyProtocol) Finalize 

func (p GaloisKeyProtocol) Finalize(share *GaloisKeyShare, gk *rlwe.GaloisKey) (err error)

Finalize finalizes the GaloisKey Generation and populates the input rlwe.GaloisKey.

func (GaloisKeyProtocol) FinalizeNew 

func (p GaloisKeyProtocol) FinalizeNew(share *GaloisKeyShare) (gk *rlwe.GaloisKey)

FinalizeNew finalizes the GaloisKey Generation and returns a new rlwe.GaloisKey.

func (GaloisKeyProtocol) Gen 

func (p GaloisKeyProtocol) Gen(sk *rlwe.SecretKey, galEl uint64, seed [32]byte, share *GaloisKeyShare) (err error)

Gen generates a party's share in the GaloisKey Generation.

func (GaloisKeyProtocol) ShallowCopy 

func (p GaloisKeyProtocol) ShallowCopy() *GaloisKeyProtocol

ShallowCopy creates a shallow copy of GaloisKeyProtocol in which all the read-only data-structures are shared with the receiver and the temporary buffers are reallocated. The receiver and the returned GaloisKeyProtocol can be used concurrently.

type GaloisKeyShare 

type GaloisKeyShare struct {
	GaloisElement uint64
	EvaluationKeyShare
}

GaloisKeyShare is represent a Party's share in the GaloisKey Generation protocol.

func (GaloisKeyShare) BinarySize 

func (share GaloisKeyShare) BinarySize() int

BinarySize returns the serialized size of the object in bytes.

func (GaloisKeyShare) Equal 

func (share GaloisKeyShare) Equal(other *GaloisKeyShare) bool

Equal performs a deep equal between the receiver and the operand.

func (GaloisKeyShare) MarshalBinary 

func (share GaloisKeyShare) MarshalBinary() (p []byte, err error)

MarshalBinary encodes the object into a binary form on a newly allocated slice of bytes.

func (*GaloisKeyShare) ReadFrom 

func (share *GaloisKeyShare) ReadFrom(r io.Reader) (n int64, err error)

ReadFrom reads on the object from an io.Writer. It implements the io.ReaderFrom interface.

Unless r implements the buffer.Reader interface (see see lattigo/utils/buffer/reader.go), it will be wrapped into a bufio.Reader. Since this requires allocation, it is preferable to pass a buffer.Reader directly:

  • When reading multiple values from a io.Reader, it is preferable to first first wrap io.Reader in a pre-allocated bufio.Reader.
  • When reading from a var b []byte, it is preferable to pass a buffer.NewBuffer(b) as w (see lattigo/utils/buffer/buffer.go).

func (*GaloisKeyShare) UnmarshalBinary 

func (share *GaloisKeyShare) UnmarshalBinary(p []byte) (err error)

UnmarshalBinary decodes a slice of bytes generated by MarshalBinary or WriteTo on the object.

func (GaloisKeyShare) WriteTo 

func (share GaloisKeyShare) WriteTo(w io.Writer) (n int64, err error)

WriteTo writes the object on an io.Writer. It implements the io.WriterTo interface, and will write exactly object.BinarySize() bytes on w.

Unless w implements the buffer.Writer interface (see lattigo/utils/buffer/writer.go), it will be wrapped into a bufio.Writer. Since this requires allocations, it is preferable to pass a buffer.Writer directly:

  • When writing multiple times to a io.Writer, it is preferable to first wrap the io.Writer in a pre-allocated bufio.Writer.
  • When writing to a pre-allocated var b []byte, it is preferable to pass buffer.NewBuffer(b) as w (see lattigo/utils/buffer/buffer.go).

type KeySwitchingProtocol 

type KeySwitchingProtocol[T rlwe.SecretKey | rlwe.PublicKey] struct {
	*rlwe.Encryptor
	Sk *rlwe.SecretKey
}

KeySwitchingProtocol is the structure storing the parameters and and precomputations for the collective key-switching protocol.

func NewKeySwitchingProtocol 

func NewKeySwitchingProtocol[T rlwe.SecretKey | rlwe.PublicKey](params rlwe.ParameterProvider) *KeySwitchingProtocol[T]

NewKeySwitchingProtocol creates a new KeySwitchingProtocol that will be used to perform a collective key-switching on a ciphertext encrypted under a collective public-key, whose secret-shares are distributed among j parties, re-encrypting the ciphertext under another public-key, whose secret-shares are also known to the parties.

func (KeySwitchingProtocol[T]) Aggregate 

func (p KeySwitchingProtocol[T]) Aggregate(share1, share2, share3 *KeySwitchingShare) (err error)

Aggregate aggregates the public aggregatable transcripts: share3 = share1 + share2.

func (KeySwitchingProtocol[T]) Allocate 

func (p KeySwitchingProtocol[T]) Allocate(level int) *KeySwitchingShare

Allocate allocates the share of the KeySwitchingProtocol.

func (KeySwitchingProtocol[T]) Finalize 

func (p KeySwitchingProtocol[T]) Finalize(in *rlwe.Ciphertext, share *KeySwitchingShare, out *rlwe.Ciphertext) (err error)

Finalize takes the public aggregated transcripts and peforms an oblivious re-encryption of in and returns the result in out.

func (KeySwitchingProtocol[T]) FinalizeNew 

func (p KeySwitchingProtocol[T]) FinalizeNew(in *rlwe.Ciphertext, share *KeySwitchingShare) (out *rlwe.Ciphertext, err error)

FinalizeNew takes the public aggregated transcripts and peforms an oblivious re-encryption of in and returns the result in out.

func (KeySwitchingProtocol[T]) Gen 

func (p KeySwitchingProtocol[T]) Gen(skIn *rlwe.SecretKey, keyOut *T, noise float64, ct *rlwe.Ciphertext, share *KeySwitchingShare) (err error)

Gen computes a party's public aggregatable transcrit (share) in the KeySwitchcol. ct is the rlwe.Ciphertext to keyswitch. Note that ct.Q[0] is not used by the function and can be nil/zero.

func (KeySwitchingProtocol[T]) ShallowCopy 

func (p KeySwitchingProtocol[T]) ShallowCopy() *KeySwitchingProtocol[T]

ShallowCopy creates a shallow copy of KeySwitchingProtocol in which all the read-only data-structures are shared with the receiver and the temporary bufers are reallocated. The receiver and the returned KeySwitchingProtocol can be used concurrently.

type KeySwitchingShare 

type KeySwitchingShare struct {
	VectorShare
}

KeySwitchingShare is a type for the KeySwitch protocol shares.

func NewKeySwitchingShare 

func NewKeySwitchingShare(p rlwe.ParameterProvider, size, level int) *KeySwitchingShare

func (KeySwitchingShare) Equal 

func (share KeySwitchingShare) Equal(other *KeySwitchingShare) bool

Equal performs a deep equal between the receiver and the operand.

type PublicKeyProtocol 

type PublicKeyProtocol struct {
	*rlwe.Encryptor
}

PublicKeyProtocol is the structure storing the parameters and and precomputations for the collective encryption key generation protocol.

func NewPublicKeyProtocol 

func NewPublicKeyProtocol(params rlwe.ParameterProvider) *PublicKeyProtocol

NewPublicKeyProtocol creates a new PublicKeyProtocol instance

func (PublicKeyProtocol) Aggregate 

func (p PublicKeyProtocol) Aggregate(share1, share2, share3 *PublicKeyShare) (err error)

Aggregate evalutes share3 = share1 + share2

func (PublicKeyProtocol) Allocate 

func (p PublicKeyProtocol) Allocate() (pkg *PublicKeyShare)

Allocate allocates the share of the PublicKeyGen protocol.

func (PublicKeyProtocol) Finalize 

func (p PublicKeyProtocol) Finalize(share *PublicKeyShare, pubkey *rlwe.PublicKey) (err error)

Finalize return the current aggregation of the received shares as a bfv.PublicKey.

func (PublicKeyProtocol) Gen 

func (p PublicKeyProtocol) Gen(sk *rlwe.SecretKey, seed [32]byte, share *PublicKeyShare) (err error)

Gen generates the party's public key share from its secret key as:

a[seeded]*s_i + e_i

for the receiver protocol. Has no effect is the share was already generated.

func (PublicKeyProtocol) ShallowCopy 

func (p PublicKeyProtocol) ShallowCopy() *PublicKeyProtocol

ShallowCopy creates a shallow copy of the receiver in which all the read-only data-structures are shared with the receiver and the temporary buffers are reallocated. The receiver and the returned struct can be used concurrently.

type PublicKeyShare 

type PublicKeyShare struct {
	VectorShare
}

type RefreshShare 

type RefreshShare struct {
	MetaData        rlwe.MetaData
	EncToShareShare KeySwitchingShare
	ShareToEncShare KeySwitchingShare
}

RefreshShare is a struct storing the decryption and recryption shares.

func (RefreshShare) BinarySize 

func (share RefreshShare) BinarySize() int

BinarySize returns the serialized size of the object in bytes.

func (RefreshShare) Equal 

func (share RefreshShare) Equal(other *RefreshShare) bool

func (RefreshShare) MarshalBinary 

func (share RefreshShare) MarshalBinary() (p []byte, err error)

MarshalBinary encodes the object into a binary form on a newly allocated slice of bytes.

func (*RefreshShare) ReadFrom 

func (share *RefreshShare) ReadFrom(r io.Reader) (n int64, err error)

ReadFrom reads on the object from an io.Writer. It implements the io.ReaderFrom interface.

Unless r implements the buffer.Reader interface (see see lattigo/utils/buffer/reader.go), it will be wrapped into a bufio.Reader. Since this requires allocation, it is preferable to pass a buffer.Reader directly:

  • When reading multiple values from a io.Reader, it is preferable to first first wrap io.Reader in a pre-allocated bufio.Reader.
  • When reading from a var b []byte, it is preferable to pass a buffer.NewBuffer(b) as w (see lattigo/utils/buffer/buffer.go).

func (*RefreshShare) UnmarshalBinary 

func (share *RefreshShare) UnmarshalBinary(p []byte) (err error)

UnmarshalBinary decodes a slice of bytes generated by MarshalBinary or WriteTo on the object.

func (RefreshShare) WriteTo 

func (share RefreshShare) WriteTo(w io.Writer) (n int64, err error)

WriteTo writes the object on an io.Writer. It implements the io.WriterTo interface, and will write exactly object.BinarySize() bytes on w.

Unless w implements the buffer.Writer interface (see lattigo/utils/buffer/writer.go), it will be wrapped into a bufio.Writer. Since this requires allocations, it is preferable to pass a buffer.Writer directly:

  • When writing multiple times to a io.Writer, it is preferable to first wrap the io.Writer in a pre-allocated bufio.Writer.
  • When writing to a pre-allocated var b []byte, it is preferable to pass buffer.NewBuffer(b) as w (see lattigo/utils/buffer/buffer.go).

type RelinearizationKeyProtocol 

type RelinearizationKeyProtocol struct {
	*rlwe.Encryptor
}

RelinearizationKeyProtocol is the structure storing the parameters and precomputations for the collective relinearization key generation protocol. The protocol is based on https://eprint.iacr.org/2021/1085.

func NewRelinearizationKeyProtocol 

func NewRelinearizationKeyProtocol(params rlwe.ParameterProvider) *RelinearizationKeyProtocol

NewRelinearizationKeyProtocol creates a new mhe.RelinearizationKeyProtocol struct.

func (RelinearizationKeyProtocol) Aggregate 

func (p RelinearizationKeyProtocol) Aggregate(share1, share2, share3 *RelinearizationKeyShare) (err error)

Aggregate sets share3 to share1 + share2.

func (RelinearizationKeyProtocol) Allocate 

func (p RelinearizationKeyProtocol) Allocate(evkParams ...rlwe.EvaluationKeyParameters) *RelinearizationKeyShare

Allocate allocates the share of the mhe.RelinearizationKeyProtocol.

func (RelinearizationKeyProtocol) Finalize 

func (p RelinearizationKeyProtocol) Finalize(share *RelinearizationKeyShare, evk *rlwe.RelinearizationKey) (err error)

Finalize finalizes the protocol and populates the input computed collective RelinearizationKey.

func (RelinearizationKeyProtocol) Gen 

func (p RelinearizationKeyProtocol) Gen(sk *rlwe.SecretKey, pk *rlwe.PublicKey, share *RelinearizationKeyShare) (err error)

Gen generates a party's share in the RelinearizationKey Generation Protocol.

func (*RelinearizationKeyProtocol) ShallowCopy 

func (p *RelinearizationKeyProtocol) ShallowCopy() *RelinearizationKeyProtocol

ShallowCopy creates a shallow copy of the receiver in which all the read-only data-structures are shared with the receiver and the temporary buffers are reallocated. The receiver and the returned object can be used concurrently.

type RelinearizationKeyShare 

type RelinearizationKeyShare struct {
	rlwe.GadgetCiphertext
}

RelinearizationKeyShare is a share in the mhe.RelinearizationKeyProtocol.

type ShamirPolynomial 

type ShamirPolynomial struct {
	ring.Vector
}

ShamirPolynomial represents a polynomial with ringqp.Poly coefficients. It is used by the Thresholdizer type to produce t-out-of-N-threshold shares of an ringqp.Poly.

See mhe.Thresholdizer.

type ShamirPublicPoint 

type ShamirPublicPoint uint64

ShamirPublicPoint is a type for Shamir public point associated with a party identity within the t-out-of-N-threshold scheme.

See Thresholdizer and Combiner types.

type ShamirSecretShare 

type ShamirSecretShare struct {
	ring.Point
}

ShamirSecretShare represents a t-out-of-N-threshold secret-share.

See mhe.Thresholdizer and mhe.Combiner.

func (ShamirSecretShare) Equal 

func (s ShamirSecretShare) Equal(other *ShamirSecretShare) bool

Equal performs a deep equal.

type TestParametersLiteral 

type TestParametersLiteral struct {
	rlwe.DigitDecomposition
	rlwe.ParametersLiteral
}

type Thresholdizer 

type Thresholdizer struct {
	// contains filtered or unexported fields
}

Thresholdizer is a type for generating secret-shares of ringqp.Poly types such that the resulting sharing has a t-out-of-N-threshold access-structure. It implements the `Thresholdize` operation as presented in "An Efficient Threshold Access-Structure for RLWE-Based Multiparty Homomorphic Encryption" (2022) by Mouchet, C., Bertrand, E., and Hubaux, J. P. (https://eprint.iacr.org/2022/780).

See the `mhe` package README.md.

func NewThresholdizer 

func NewThresholdizer(params rlwe.ParameterProvider) *Thresholdizer

NewThresholdizer creates a new Thresholdizer instance from parameters.

func (Thresholdizer) Aggregate 

func (thr Thresholdizer) Aggregate(share1, share2, share3 *ShamirSecretShare) (err error)

Aggregate aggregates two ShamirSecretShare and stores the result in outShare.

func (Thresholdizer) Allocate 

func (thr Thresholdizer) Allocate() *ShamirSecretShare

Allocate allocates a ShamirSecretShare struct.

func (Thresholdizer) Finalize 

func (thr Thresholdizer) Finalize(recipient ShamirPublicPoint, secretPoly *ShamirPolynomial, shareOut *ShamirSecretShare) (err error)

Finalize generates a secret share for the given recipient, identified by its ShamirPublicPoint. The result is stored in ShareOut and should be sent to this party.

func (Thresholdizer) Gen 

func (thr Thresholdizer) Gen(threshold int, secret *rlwe.SecretKey) (*ShamirPolynomial, error)

Gen generates a new secret ShamirPolynomial to be used in the Thresholdizer.GenShamirSecretShare method. It does so by sampling a random polynomial of degree threshold - 1 and with its constant term equal to secret.

type VectorShare 

type VectorShare struct {
	Seed [32]byte
	ring.Vector
}

VectorShare is a struct storing the PublicKeyGen protocol's share.

func NewVectorShare 

func NewVectorShare(params rlwe.ParameterProvider, LevelQ, LevelP, size int) *VectorShare

func (VectorShare) Aggregate 

func (share VectorShare) Aggregate(params rlwe.ParameterProvider, share1, share2 *VectorShare) (err error)

func (VectorShare) BinarySize 

func (share VectorShare) BinarySize() (size int)

BinarySize returns the serialized size of the object in bytes.

func (VectorShare) Equal 

func (share VectorShare) Equal(other *VectorShare) bool

Equal performs a deep equal between the receiver and the operand.

func (VectorShare) MarshalBinary 

func (share VectorShare) MarshalBinary() (p []byte, err error)

MarshalBinary encodes the object into a binary form on a newly allocated slice of bytes.

func (*VectorShare) ReadFrom 

func (share *VectorShare) ReadFrom(r io.Reader) (n int64, err error)

ReadFrom reads on the object from an io.Writer. It implements the io.ReaderFrom interface.

Unless r implements the buffer.Reader interface (see see lattigo/utils/buffer/reader.go), it will be wrapped into a bufio.Reader. Since this requires allocation, it is preferable to pass a buffer.Reader directly:

  • When reading multiple values from a io.Reader, it is preferable to first first wrap io.Reader in a pre-allocated bufio.Reader.
  • When reading from a var b []byte, it is preferable to pass a buffer.NewBuffer(b) as w (see lattigo/utils/buffer/buffer.go).

func (*VectorShare) UnmarshalBinary 

func (share *VectorShare) UnmarshalBinary(p []byte) (err error)

UnmarshalBinary decodes a slice of bytes generated by MarshalBinary or WriteTo on the object.

func (VectorShare) WriteTo 

func (share VectorShare) WriteTo(w io.Writer) (n int64, err error)

WriteTo writes the object on an io.Writer. It implements the io.WriterTo interface, and will write exactly object.BinarySize() bytes on w.

Unless w implements the buffer.Writer interface (see lattigo/utils/buffer/writer.go), it will be wrapped into a bufio.Writer. Since this requires allocations, it is preferable to pass a buffer.Writer directly:

  • When writing multiple times to a io.Writer, it is preferable to first wrap the io.Writer in a pre-allocated bufio.Writer.
  • When writing to a pre-allocated var b []byte, it is preferable to pass buffer.NewBuffer(b) as w (see lattigo/utils/buffer/buffer.go).

Source Files

View all Source files

Directories

Path Synopsis
Package mhefloat implements homomorphic decryption to Linear-Secret-Shared-Shares (LSSS) and homomorphic re-encryption from LSSS, as well as interactive bootstrapping for the package `he/hefloat` See `mhe/README.md` for additional information on multiparty schemes.
 Package mhefloat implements homomorphic decryption to Linear-Secret-Shared-Shares (LSSS) and homomorphic re-encryption from LSSS, as well as interactive bootstrapping for the package `he/hefloat` See `mhe/README.md` for additional information on multiparty schemes.
Package mheint implements homomorphic decryption to Linear-Secret-Shared-Shares (LSSS) and homomorphic re-encryption from LSSS, as well as interactive bootstrapping for the package `he/heint` See `mhe/README.md` for additional information on multiparty schemes.
 Package mheint implements homomorphic decryption to Linear-Secret-Shared-Shares (LSSS) and homomorphic re-encryption from LSSS, as well as interactive bootstrapping for the package `he/heint` See `mhe/README.md` for additional information on multiparty schemes.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.