Homomorphic secret sharing

Last updated July 07, 2023

In cryptography, homomorphic secret sharing is a type of secret sharing algorithm in which the secret is encrypted via homomorphic encryption. A homomorphism is a transformation from one algebraic structure into another of the same type so that the structure is preserved. Importantly, this means that for every kind of manipulation of the original data, there is a corresponding manipulation of the transformed data.^[1]

Technique

Homomorphic secret sharing is used to transmit a secret to several recipients as follows:

Transform the "secret" using a homomorphism. This often puts the secret into a form which is easy to manipulate or store. In particular, there may be a natural way to 'split' the new form as required by step (2).
Split the transformed secret into several parts, one for each recipient. The secret must be split in such a way that it can only be recovered when all or most of the parts are combined. (See Secret sharing .)
Distribute the parts of the secret to each of the recipients.
Combine each of the recipients' parts to recover the transformed secret, perhaps at a specified time.
Reverse the homomorphism to recover the original secret.

Examples

Suppose a community wants to perform an election, using a decentralized voting protocol, but they want to ensure that the vote-counters won't lie about the results. Using a type of homomorphic secret sharing known as Shamir's secret sharing, each member of the community can add their vote to a form that is split into pieces, each piece is then submitted to a different vote-counter. The pieces are designed so that the vote-counters can't predict how any alterations to each piece will affect the whole, thus, discouraging vote-counters from tampering with their pieces. When all votes have been received, the vote-counters combine them, allowing them to recover the aggregate election results.

In detail, suppose we have an election with:

Two possible outcomes, either yes or no. We'll represent those outcomes numerically by +1 and −1, respectively.
A number of authorities, k, who will count the votes.
A number of voters, n, who will submit votes.

In advance, each authority generates a publicly available numerical key, x_k.
Each voter encodes his vote in a polynomial p_n according to the following rules: The polynomial should have degree k − 1, its constant term should be either +1 or −1 (corresponding to voting "yes" or voting "no"), and its other coefficients should be randomly generated.
Each voter computes the value of his polynomial p_n at each authority's public key x_k.
- This produces k points, one for each authority.
- These k points are the "pieces" of the vote: If you know all of the points, you can figure out the polynomial p_n (and hence you can figure out how the voter voted). However, if you know only some of the points, you can't figure out the polynomial. (This is because you need n points to determine a degree-(n − 1) polynomial. Two points determine a line, three points determine a parabola, etc.)
The voter sends each authority the value that was produced using the authority's key.
Each authority collects the values that he receives. Since each authority only gets one value from each voter, he can't discover any given voter's polynomial. Moreover, he can't predict how altering the submissions will affect the vote.
Once the voters have submitted their votes, each authority k computes and announces the sum A_k of all the values he's received.
There are k sums, A_k; when they are combined together, they determine a unique polynomial P(x) – specifically, the sum of all the voter polynomials: P(x) = p₁(x) + p₂(x) + ... + p_n(x).
- The constant term of P(x) is in fact the sum of all the votes, because the constant term of P(x) is the sum of the constant terms of the individual p_n.
- Thus the constant term of P(x) provides the aggregate election result: if it is positive, more people voted for +1 than for −1; if it is negative, more people voted for −1 than for +1.

Features

This protocol works as long as not all of the k authorities are corrupt — if they were, then they could collaborate to reconstruct P(x) for each voter and also subsequently alter the votes.

The protocol requires t + 1 authorities to be completed, therefore in case there are N > t + 1 authorities, N − t − 1 authorities can be corrupted, which gives the protocol a certain degree of robustness.

The protocol manages the IDs of the voters (the IDs were submitted with the ballots) and therefore can verify that only legitimate voters have voted.

Under the assumptions on t:

A ballot cannot be backtracked to the ID so the privacy of the voters is preserved.
A voter cannot prove how they voted.
It is impossible to verify a vote.

The protocol implicitly prevents corruption of ballots. This is because the authorities have no incentive to change the ballot since each authority has only a share of the ballot and has no knowledge how changing this share will affect the outcome.

Vulnerabilities

The voter cannot be certain that their vote has been recorded correctly.
The authorities cannot be sure the votes were legal and equal, for example the voter can choose a value that is not a valid option (i.e. not in {−1, 1}) such as −20, 50, which will tilt the results in their favor.

Related Research Articles

In mathematics, the Chinese remainder theorem states that if one knows the remainders of the Euclidean division of an integer n by several integers, then one can determine uniquely the remainder of the division of n by the product of these integers, under the condition that the divisors are pairwise coprime.

In mathematics, a finite field or Galois field is a field that contains a finite number of elements. As with any field, a finite field is a set on which the operations of multiplication, addition, subtraction and division are defined and satisfy certain basic rules. The most common examples of finite fields are given by the integers mod $p$ when $p$ is a prime number.

In numerical analysis, polynomial interpolation is the interpolation of a given data set by the polynomial of lowest possible degree that passes through the points of the dataset.

In mathematics, especially in the field of algebra, a polynomial ring or polynomial algebra is a ring formed from the set of polynomials in one or more indeterminates with coefficients in another ring, often a field.

<span class="mw-page-title-main">Blind signature</span> Form of digital signature

In cryptography a blind signature, as introduced by David Chaum, is a form of digital signature in which the content of a message is disguised (blinded) before it is signed. The resulting blind signature can be publicly verified against the original, unblinded message in the manner of a regular digital signature. Blind signatures are typically employed in privacy-related protocols where the signer and message author are different parties. Examples include cryptographic election systems and digital cash schemes.

A commitment scheme is a cryptographic primitive that allows one to commit to a chosen value while keeping it hidden to others, with the ability to reveal the committed value later. Commitment schemes are designed so that a party cannot change the value or statement after they have committed to it: that is, commitment schemes are binding. Commitment schemes have important applications in a number of cryptographic protocols including secure coin flipping, zero-knowledge proofs, and secure computation.

Secret sharing refers to methods for distributing a secret among a group, in such a way that no individual holds any intelligible information about the secret, but when a sufficient number of individuals combine their 'shares', the secret may be reconstructed. Whereas insecure secret sharing allows an attacker to gain more information with each share, secure secret sharing is 'all or nothing'.

The Paillier cryptosystem, invented by and named after Pascal Paillier in 1999, is a probabilistic asymmetric algorithm for public key cryptography. The problem of computing n-th residue classes is believed to be computationally difficult. The decisional composite residuosity assumption is the intractability hypothesis upon which this cryptosystem is based.

<span class="mw-page-title-main">Boolean function</span> Function returning one of only two values

In mathematics, a Boolean function is a function whose arguments and result assume values from a two-element set. Alternative names are switching function, used especially in older computer science literature, and truth function, used in logic. Boolean functions are the subject of Boolean algebra and switching theory.

Positional voting is a ranked voting electoral system in which the options or candidates receive points based on their rank position on each ballot and the one with the most points overall wins. The lower-ranked preference in any adjacent pair is generally of less value than the higher-ranked one. Although it may sometimes be weighted the same, it is never worth more. A valid progression of points or weightings may be chosen at will or it may form a mathematical sequence such as an arithmetic progression, a geometric one or a harmonic one. The set of weightings employed in an election heavily influences the rank ordering of the candidates. The steeper the initial decline in preference values with descending rank, the more polarised and less consensual the positional voting system becomes.

In cryptography, a secret sharing scheme is verifiable if auxiliary information is included that allows players to verify their shares as consistent. More formally, verifiable secret sharing ensures that even if the dealer is malicious there is a well-defined secret that the players can later reconstruct. The concept of verifiable secret sharing (VSS) was first introduced in 1985 by Benny Chor, Shafi Goldwasser, Silvio Micali and Baruch Awerbuch.

Homomorphic encryption is a form of encryption that allows computations to be performed on encrypted data without first having to decrypt it. The resulting computations are left in an encrypted form which, when decrypted, result in an output that is identical to that produced had the operations been performed on the unencrypted data. Homomorphic encryption can be used for privacy-preserving outsourced storage and computation. This allows data to be encrypted and out-sourced to commercial cloud environments for processing, all while encrypted.

The Kemeny–Young method is an electoral system that uses preferential ballots and pairwise comparison counts to identify the most popular choices in an election. It is a Condorcet method because if there is a Condorcet winner, it will always be ranked as the most popular choice.

<span class="mw-page-title-main">ThreeBallot</span> End-to-end auditable anonymous voting system

ThreeBallot is a voting protocol invented by Ron Rivest in 2006. ThreeBallot is an end-to-end (E2E) auditable voting system that can in principle be implemented on paper. The goal in its design was to provide some of the benefits of a cryptographic voting system without using cryptographic keys.

End-to-end auditable or end-to-end voter verifiable (E2E) systems are voting systems with stringent integrity properties and strong tamper resistance. E2E systems often employ cryptographic methods to craft receipts that allow voters to verify that their votes were counted as cast, without revealing which candidates were voted for. As such, these systems are sometimes referred to as receipt-based systems.

Shamir's secret sharing (SSS) is an efficient secret sharing algorithm for distributing private information among a group so that the secret cannot be revealed unless a quorum of the group acts together to pool their knowledge. To achieve this, the secret is mathematically divided into parts from which the secret can be reassembled only when a sufficient number of shares are combined. SSS has the property of information-theoretic security, meaning that even if an attacker steals some shares, it is impossible for the attacker to reconstruct the secret unless they have stolen the quorum number of shares.

Private biometrics is a form of encrypted biometrics, also called privacy-preserving biometric authentication methods, in which the biometric payload is a one-way, homomorphically encrypted feature vector that is 0.05% the size of the original biometric template and can be searched with full accuracy, speed and privacy. The feature vector's homomorphic encryption allows search and match to be conducted in polynomial time on an encrypted dataset and the search result is returned as an encrypted match. One or more computing devices may use an encrypted feature vector to verify an individual person or identify an individual in a datastore without storing, sending or receiving plaintext biometric data within or between computing devices or any other entity. The purpose of private biometrics is to allow a person to be identified or authenticated while guaranteeing individual privacy and fundamental human rights by only operating on biometric data in the encrypted space. Some private biometrics including fingerprint authentication methods, face authentication methods, and identity-matching algorithms according to bodily features. Private biometrics are constantly evolving based on the changing nature of privacy needs, identity theft, and biotechnology.

In cryptography, the open vote network is a secure multi-party computation protocol to compute the boolean-count function: namely, given a set of binary values 0/1 in the input, compute the total count of ones without revealing each individual value. This protocol was proposed by Feng Hao, Peter Ryan, and Piotr Zieliński in 2010. It extends Hao and Zieliński's anonymous veto network protocol by allowing each participant to count the number of veto votes while preserving the anonymity of those who have voted. The protocol can be generalized to support a wider range of inputs beyond just the binary values 0 and 1.

Direct Recording Electronic with Integrity and Enforced Privacy (DRE-ip) is an End-to-End (E2E) verifiable e-voting system without involving any tallying authorities, proposed by Siamak Shahandashti and Feng Hao in 2016. It improves a previous DRE-i system by using a real-time computation strategy and providing enhanced privacy. A touch-screen based prototype of the system was trialed in the Gateshead Civic Centre polling station on 2 May 2019 during the 2019 United Kingdom local elections with positive voter feedback. A proposal that includes DRE-ip as a solution for large-scale elections was ranked 3rd place in the 2016 Economist Cybersecurity Challenge jointly organized by The Economist and Kaspersky Lab.

The Method of Equal Shares is a proportional method of counting ballots that applies to participatory budgeting, to committee elections, and to simultaneous public decisions. It can be used when the voters vote via approval ballots, ranked ballots or cardinal ballots. It works by dividing the available budget into equal parts that are assigned to each voter. The method is only allowed to use the budget share of a voter to implement projects that the voter voted for. It then repeatedly finds projects that can be afforded using the budget shares of the supporting voters. In contexts other than participatory budgeting, the method works by equally dividing an abstract budget of "voting power".

References

↑ Schoenmakers, Berry (1999). "A Simple Publicly Verifiable Secret Sharing Scheme and Its Application to Electronic Voting". Advances in Cryptology — CRYPTO' 99. Lecture Notes in Computer Science. Vol. 1666. pp. 148–164. CiteSeerX 10.1.1.102.9375 . doi:10.1007/3-540-48405-1_10. ISBN 978-3-540-66347-8.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Schoenmakers, Berry (1999). "A Simple Publicly Verifiable Secret Sharing Scheme and Its Application to Electronic Voting". Advances in Cryptology — CRYPTO' 99. Lecture Notes in Computer Science. Vol. 1666. pp. 148–164. CiteSeerX 10.1.1.102.9375 . doi:10.1007/3-540-48405-1_10. ISBN 978-3-540-66347-8.

[1]