Question about library usage in the context of decentralized storage

[ppoliani]

I have recently read the papers that you have published, namely

• Multiparty Homomorphic Encryption from Ring-Learning-with-Errors
• Lattigo: a Multiparty Homomorphic Encryption Library in Go
• An Efficient Threshold Access-Structure for RLWE-Based Multiparty Homomorphic Encryption

I feel like the concepts introduced/described are just fascinating for someone that doesn't know much about the research in this area. In addition to that this set of libraries can be used in some interesting applications.

I would love to learn more about lattigo and how to use them and the best way to go about it is create a sample project. So I've come up with this mini project, but I'm not quite sure if what it tries to do is a real use case for HE and MHE.

Basically, I would love to create a fairly simple decentralized storage using a custom blockchain network. The idea is:

• to have a dynamic set of validator N nodes which can constantly change
• I would want these validators to participate in an t-of-n MPC setup
• any user could use the public key set of created by the above setup to encrypt some plaintext and store it directly on-chain
• then at some point in the future, the same user can ask the blockchain (the set of validators) to decrypt the message
• the important part here is that the validator set should be dynamic. Thus is message M was encrypted using the public key of a validator set S, then the same message should be decrypted when the validator set changes to S'.

Now, I've done some research around MPC encryption and I know that using BLS threshold encryption we could have a common public key set that user can use to encrypt. In the decryption phase validators would decrypt ciphertext using their secret share and send the decryption share to the user that can aggregate them to get the original plaintext.

The questions I've got are:

1. Is this something that would be possible to do using MHE and the set of libraries in this repo
2. If so what would be a great way to start implementing this mini project. I know there are some examples but I'm not sure how to they all fit together.

For example, in the BLS example described above, I would use a DKG algorithm to create a common public key set which will be used to encrypt data. Then I each node would use their secret key to decrypt the ciphertext.

[ChristianMct]

Thank you for your interest in our research and library.

Regarding your first question:

Without the dynamic validator set requirement, the library implements all the necessary local operations (i.e., computing party's shares in the collective public-key generation, encrypting, and computing decryption shares). But note that MHE as a primitive could "too much" because your use-case doesn't seem to require any computation to be performed on the encrypted data.

With the dynamic validator set requirement, things become more complicated because the MHE primitive as presented in our work assumes a fix set of key-holders. So except for the case where S' is always a subset of S (which can be handled with the t-out-of-N scheme), you would have to:

1. create a collective public key cpk' for S' and
2. have the parties in S run the public-key switching protocol to re-encrypt all the clients' ciphertext to cpk'.

There is everything you need to implement this approach in Lattigo too, but it is a bit unrealistic because it requires work proportional to the size of the database at each epoch and introduces noise in the ciphertexts at each epoch (hence bounding the maximum number of epochs for a ciphertext).
Instead, what (I believe) is the typical approach for dynamic validator sets is to have each party in S re-share its key share among the parties in S’ at each epoch. This approach is not described in our work and you might need to implement some local operations yourself from the ring package. For the re-sharing itself, the drlwe.Thresholdizer.interface might be enough.

Regarding your second question, I'm afraid we don't have much better resources than the examples and the godoc right now. But we know this isn't a perfect situation and a "getting started" tutorial is in roadmap.

[ppoliani]

@ChristianMct Hi Christian, thank you so much for taking time and effort to answer my questions :)

[ppoliani]

Regarding your last statement

Instead, what (I believe) is the typical approach for dynamic validator sets is to have each party in S re-share its key share among the parties in S’ at each epoch.

Is there some place I can look into this concept of re-share? Does re-share process entail old parties that leave S to literally share their secret share with the new one joining?

[ChristianMct]

Does re-share process entail old parties that leave S to literally share their secret share with the new one joining?

Something in this spirit, yes. But I was imagining a setting in which time is discretized in epochs and, each epochs has a fixed set S of N validators. When transitioning from epoch E to E+1, all N validators secret-share their epoch E share among the N' validators in S' (indeed this requires that N' >= t). My assumption is that the system probably needs keep the validators in sync about who currently holds a share of the ideal MHE secret-key at a given moment in time.

Is there some place I can look into this concept of re-share?

I'm unfortunately not knowledgable enough on the decentralized system literature to provide a good pointer on that. It is just a design I have seen several time without exactly remembering where exactly.

[ppoliani]

Thank you again @ChristianMct :)