Tree Homomorphic Encryption with Scalable Decryption

Moti Yung, Columbia University
Joint work with Aggelos Kiayias, University of Connecticut
Outline
• The “computing server model” and scalability.
• Tree homomorphic encryption with scalable decryption.
• The onion-decryption case.
• Application to E-voting.
• Conclusions.
Homomorphic Encryption
$\mathrm{Enc}(x) \otimes \mathrm{Enc}(y) = \mathrm{Enc}(x \oplus y)$
Basic Aggregation Operation: a “bush”
[Figure: several leaf ciphertexts $\mathrm{Enc}(v)$ feeding a single node that outputs $\mathrm{Enc}(\sum v)$.]
The computing server model for Secure Multiparty Computation
• The computing server is a (perhaps distributed) party in the protocol that manages the contributions and the delivery of results.
• This model has been applied in voting, auctions and other specialized secure multiparty computations.
• Contributors provide (encrypted) input under the specifications of the protocol (access control allows them to write on a bulletin board – role specification).
• Processing / aggregation of encrypted contributions is done by the computing server.
• Delivery of results / output decryption.
Computing Server Model: Correctness Aspect
• All valid contributions are included.
• No unauthorized contributions are permitted.
• Contribution processing is done according to specifications.
• Auditing & replication is added to cope with various faults and failures.
Computing Server Model: Privacy Aspect
• The computation / processing does not leak any information about contributions beyond what is trivially inferred from the public output.
• Computing servers are honest w.r.t. privacy.
• Or, threshold techniques:
– Share decryption capabilities.
– Split contributions.
The Large Scale Setting
The “bush” model is insufficient for the large scale:
• Load balancing issues.
• Remote geographic locations.
• Overlay networks in P2P.
[Figure: the single bush, $\mathrm{Enc}(v)$ leaves aggregated into one $\mathrm{Enc}(\sum v)$ node, next to the non-bush (multi-level) aggregation that is needed instead.]
Aggregation over Trees: Scalability
[Figure: a tree of nodes; each node implements a $\otimes$ gate for ciphertext processing; the structure is imposed by geographic and load-balancing parameters.]
Contributions:
• Bush aggregation of homomorphic encryption consistent with tree deployment: every node is a bush for its children.
• Aggregation complexity linear in the number of children nodes.
Connection to Elections
[Figure: the tree levels map onto an election hierarchy: top level, regional level, (micro-)precinct level.]
Correctness Aspect across the Tree
• Scaling over the tree structure: each node consists of a set of agents that collectively ensure the correctness aspect of the local node operation.
• This scales well over the hierarchical tree structure.
Privacy Aspect
[Figure: the tree aggregates $E(a_1)$, $E(a_2)$, $E(a_3)$, $E(a_4)$ into $E(a_1 \oplus a_2)$ and $E(a_3 \oplus a_4)$, then $E(a_1 \oplus a_2 \oplus a_3 \oplus a_4)$, which is combined with the other subtrees $E(\dots)$ into $E(\dots \oplus a_1 \oplus a_2 \oplus a_3 \oplus a_4)$ at the root, where the decryption agents sit.]
The BIGGEST brother problem
• Inner nodes in the tree are assuring correctness – no decryption capability.
• Decryption capability shared at the root?
– Possible, but all kinds of privacy advocates, known election experts and election nonexperts will protest:
– why should the little guy put his privacy at the end of the BIGGEST brother?
Do old solutions work?
• Sharing the decryption capability to decipher the result at the root among all tree nodes using threshold techniques does not scale.
• But scalability is our primary objective to begin with!
Idea.
• To solve the BIGGEST brother problem: distribute decryption capability along the tree structure.
• Since aggregation along the tree structure scales – enforce decryption capability to follow the same pattern.
User Perspective
[Figure: a user at a leaf and the path of nodes above it that the user trusts for correctness: the user trust path.]
So: the same nodes must share decryption capability w.r.t. that user’s privacy.
Our Solution: Tree homomorphic encryption with Scalable Decryption
• The tree is suggested by network architecture, load-balancing parameters, geography, network overlay, etc.
• Spreading decryption capability across the paths of the tree so that user privacy is not violated unless the whole user trust path is corrupt.
Homomorphic Encryption and Aggregation.
$\mathrm{Enc} : R \times P \to C$
Groups: $\langle R, \oplus \rangle$, $\langle P, \oplus \rangle$, $\langle C, \otimes \rangle$
$\mathrm{Enc}(r \oplus r', x \oplus x') = \mathrm{Enc}(r, x) \otimes \mathrm{Enc}(r', x')$
Homomorphic over randomness is useful for constructing generic proofs of knowledge.
Embedding of a Z-interval within $\langle P, \oplus \rangle$.
Capacity: length of the Z-interval.
Inputs to the computation belong to a set of integer values: Choices.
Homomorphic Encryption and Aggregation, II
EXAMPLE: Voting among c candidates
$\text{Choices} = \{1, M, M^2, \dots, M^{c-1}\}$, $M > \#\text{voters} = N$
$v_j \in \text{Choices} \;\Rightarrow\; \sum_{j=1,\dots,N} v_j = d_0 + M d_1 + \dots + M^{c-1} d_{c-1}$
$d_j$ = # of votes won by the j-th candidate.
Proofs of Knowledge
EXAMPLE: Voting among c candidates, II
The voter contributes the encryption and a proof of knowledge:
$\mathrm{Enc}(r, v)$, $v \in \text{Choices}$
Proof possible for a generic homomorphic encryption scheme.
Length = linear in c.
Three steps
• Key generation across the tree.
• Encryption of inputs at leaves.
• <Aggregation + decryption> along tree paths.
Key Generation and distribution across user trust paths
• Each node generates a key (independently); it can be threshold-shared among the agents within the node.
• Public keys are propagated down to the user level across all trust paths.
Blind-and-Share operation
l = # of levels
$\mathrm{Enc}_1(\cdot), \mathrm{Enc}_2(\cdot), \dots, \mathrm{Enc}_l(\cdot)$: encryption functions of the levels for user j.
The j-th user selects:
$v_j \in \text{Choices}$, $s_1 + s_2 + \dots + s_l = v_j \bmod 2^{\text{capacity}}$, $s_\nu \in \mathbb{Z}_{2^{\text{capacity}}}$, $\nu = 1, \dots, l$
Encryptions of shares:
$\psi_1 = \mathrm{Enc}_1(s_1),\; \psi_2 = \mathrm{Enc}_2(s_2),\; \dots,\; \psi_l = \mathrm{Enc}_l(s_l)$
Capacity Condition: $2^{\text{capacity}} > N^c$
Consistency
• Encryptions in general are over different domains (each node has an independent public key).
• We need consistency checks to ensure correct blind-and-sharing of the input (independent of the individual domains).
Proof of consistency
Each of the ciphertexts $\psi_1, \dots, \psi_l$ is accompanied by a commitment $\gamma_1, \gamma_2, \dots, \gamma_l$ to the plaintext – over the same domain.
Together with a proof of knowledge that ensures:
1. Each ciphertext $\psi_\nu$ and commitment $\gamma_\nu$ hide the same value.
2. The aggregation of the commitments $\gamma_1 \otimes \gamma_2 \otimes \dots \otimes \gamma_l$ hides a value of the form $S = v + \lambda \cdot 2^{\text{capacity}}$ such that $v \in \text{Choices}$, $\lambda \in \{0, \dots, c\}$.
Proof of consistency, II
• It follows that an encrypted contribution $\psi_1, \dots, \psi_l$ contains an additive sharing of a value $S = v + \lambda \cdot 2^{\text{capacity}}$, so that $S \bmod 2^{\text{capacity}} \in \text{Choices}$.
Tree Aggregation
Lowest level: two encrypted contributions $\psi_1, \psi_2, \dots, \psi_l$ and $\psi_1', \psi_2', \dots, \psi_l'$ are aggregated component-wise:
$\psi_1 \otimes \psi_1',\; \psi_2 \otimes \psi_2',\; \dots,\; \psi_l \otimes \psi_l'$
Tree Aggregation, II
• The lowest level node obtains the aggregated ciphertext:
$\big(\psi_1[u_1] \otimes \dots \otimes \psi_1[u_{N_V}],\; \psi_2[u_1] \otimes \dots \otimes \psi_2[u_{N_V}],\; \dots,\; \psi_l[u_1] \otimes \dots \otimes \psi_l[u_{N_V}]\big)$
where $u_1, \dots, u_{N_V}$ are the users assigned to the node V.
Tree Aggregation + Partial Decryption.
Lowest level: the lowest level node decrypts the last entry and applies the modulo operation:
$\big(\psi_1[u_1] \otimes \dots \otimes \psi_1[u_{N_V}],\; \psi_2[u_1] \otimes \dots \otimes \psi_2[u_{N_V}],\; \dots,\; \sum_{i=1,\dots,N_V} s_l[u_i] \bmod 2^{\text{capacity}}\big)$
The block is propagated to the upper level.
Tree Aggregation + Partial Decryption, II
j-th level: the j-th level node receives partially decrypted entries from its children, that are of the form:
$\big(\dots \otimes \psi_1[u_{\dots}],\; \dots,\; \dots \otimes \psi_j[u_{\dots}],\; \sum \dots \bmod 2^{\text{capacity}},\; \dots,\; \sum \dots \bmod 2^{\text{capacity}}\big)$
Tree Aggregation + Partial Decryption, III
• The j-th level node aggregates as follows: the first j entries of its children’s blocks (still ciphertexts) are combined component-wise with $\otimes$, the remaining (already decrypted) entries are added modulo $2^{\text{capacity}}$:
$\big(\dots \otimes \psi_1[u_{\dots}],\; \dots,\; \dots \otimes \psi_j[u_{\dots}],\; \sum \dots \bmod 2^{\text{capacity}},\; \dots,\; \sum \dots \bmod 2^{\text{capacity}}\big)$
$\otimes$ / $+ \bmod 2^{\text{capacity}}$ (component-wise)
$\big(\dots \otimes \psi_1[u_{\dots}],\; \dots,\; \dots \otimes \psi_j[u_{\dots}],\; \sum \dots \bmod 2^{\text{capacity}},\; \dots,\; \sum \dots \bmod 2^{\text{capacity}}\big)$
and then decrypts the j-th level entry.
Tree Aggregation + Partial Decryption, IV
• Top level agents, after aggregation and decryption of the top level entry, obtain the totally decrypted sum of shares:
$\big(\sum \dots \bmod 2^{\text{capacity}},\; \sum \dots \bmod 2^{\text{capacity}},\; \dots,\; \sum \dots \bmod 2^{\text{capacity}}\big)$
Output recovery
• THEN: Top level agents recover the results by adding the l entries and reducing modulo $2^{\text{capacity}}$. This operation reveals the result of the procedure in the form:
$\Big(\sum_{\nu=1}^{l} \big(\sum_{i=1,\dots,N} s_\nu[u_i] \bmod 2^{\text{capacity}}\big)\Big) \bmod 2^{\text{capacity}} = \sum_{i \in \text{all contributions}} v_i$
Output Recovery, II
• This works because the shares form an $l \times N$ array: the tree computes the row sums (one per level), while each column sums (modulo $2^{\text{capacity}}$) to one user’s input:
$s_{u_1,1}[u_1] + s_{u_2,1}[u_2] + \dots + s_{u_N,1}[u_N]$
$s_{u_1,2}[u_1] + s_{u_2,2}[u_2] + \dots + s_{u_N,2}[u_N]$
$\dots$
$s_{u_1,l}[u_1] + s_{u_2,l}[u_2] + \dots + s_{u_N,l}[u_N]$
Column sums: $\sum_{\nu} s_{u_1,\nu}[u_1] \bmod 2^{\text{capacity}} = v_{u_1}$, $\sum_{\nu} s_{u_2,\nu}[u_2] \bmod 2^{\text{capacity}} = v_{u_2}$, $\dots$, $\sum_{\nu} s_{u_N,\nu}[u_N] \bmod 2^{\text{capacity}} = v_{u_N}$, hence
$\Big(\sum_{\nu=1}^{l} \big(\sum_{i=1}^{N} s_{u_i,\nu}[u_i] \bmod 2^{\text{capacity}}\big)\Big) \bmod 2^{\text{capacity}} = \sum_{i=1}^{N} v_{u_i}$
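The generic construction end to end, as an added Python example that is not the authors’ code: the base-M candidate encoding from the voting example, blind-and-share into per-level shares modulo $2^{\text{capacity}}$, component-wise aggregation, each level decrypting only its own entry, and output recovery at the top. It assumes a toy Paillier instance with hypothetical small primes (insecure), a three-level tree (two precincts, one regional node, one top node) and constructed votes.

```python
import math
import random

CAP, C, M = 10, 3, 6   # capacity in bits, number of candidates, base M > number of voters (5 below)

def paillier_keygen(p, q):
    n, lam = p * q, (p - 1) * (q - 1)
    return (n, n + 1), (n, lam, pow(lam, -1, n))  # pk = (n, g = n+1); sk holds mu = lam^-1 mod n

def paillier_enc(pk, m):
    n, g = pk
    r = random.randrange(1, n)
    while math.gcd(r, n) != 1:                     # r must be invertible mod n
        r = random.randrange(1, n)
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)

def paillier_dec(sk, c):
    n, lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n

def blind_and_share(v, pks):
    # user side: additive sharing of v mod 2^CAP, share nu encrypted under level nu's key
    shares = [random.randrange(2 ** CAP) for _ in pks]
    shares[0] = (shares[0] + v - sum(shares)) % 2 ** CAP
    return [paillier_enc(pk, s) for pk, s in zip(pks, shares)]

def node_combine(level, blocks, sks):
    # node side: entries 0..level arrive encrypted (multiply), deeper ones plain (add mod 2^CAP);
    # afterwards this node peels only its own entry with its own key
    out = []
    for nu, sk in enumerate(sks):
        if nu <= level:
            acc = 1
            for b in blocks:
                acc = acc * b[nu] % (sk[0] ** 2)
        else:
            acc = sum(b[nu] for b in blocks) % 2 ** CAP
        out.append(acc)
    out[level] = paillier_dec(sks[level], out[level]) % 2 ** CAP
    return out

def run_election(votes_by_precinct):
    # one independent key per level (0 = top, 1 = regional, 2 = precinct); toy primes, insecure
    keys = [paillier_keygen(p, q) for p, q in [(10007, 10009), (10037, 10039), (10061, 10067)]]
    pks, sks = [k[0] for k in keys], [k[1] for k in keys]
    precincts = [node_combine(2, [blind_and_share(M ** v, pks) for v in votes], sks) for votes in votes_by_precinct]
    regional = node_combine(1, precincts, sks)
    top = node_combine(0, [regional], sks)
    tally = sum(top) % 2 ** CAP                    # output recovery: add the l entries mod 2^CAP
    return [tally // M ** k % M for k in range(C)] # votes per candidate
```

`run_election([[0, 2, 1], [2, 2]])` (votes given as candidate indices) returns `[1, 1, 3]`; no node below the top ever sees more than its own level’s share sums.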
Tree Homomorphic Encryption with Scalable Decryption: implementations
• Generic, based on any additive homomorphic encryption: Paillier or (modified) ElGamal.
– Size of encrypted contribution equals the length of the user trust path.
Implementations, II
• Modified ElGamal accepts a more efficient implementation of scalable decryption:
– Constant size of contribution: independent of the length of the user trust path.
– Onion style decryption.
Tree Homomorphic Encryption with Onion decryption
• ElGamal-specific case.
• Shortening of contribution encryption size.
– Based on: composition of public keys across user trust paths.
Initialization/Setup (Additive ElGamal Specific)
Global Parameters: G, g, f, h generators of G, a multiplicative group of prime order q.
Setup: each node creates a local public key $pk = g^a$.
Each node computes its local combined_pk by multiplying its local pk with the combined_pk of the parent node.
Submission of Contributions (Additive ElGamal Specific)
Each user makes a selection $v \in \{1, M, M^2, \dots, M^{c-1}\}$ and publishes
$\langle g^r,\; (\text{combined\_pk})^r f^v \rangle$
combined_pk is the combined public key local to the lowest level node, i.e. $\text{combined\_pk} = h_0 h_1 h_2 \cdots h_k$, where $h_0, h_1, h_2, \dots, h_k$ are the local pk’s of the nodes in the user trust path.
$r < q$ is selected at random.
Submission of Contributions, II (Additive ElGamal Specific)
The user proves that the encryption $\langle B_1, B_2 \rangle$ is formed according to the specifications. The voter publishes:
$\mathrm{NIZK}\big[\, r : (B_1 = g^r) \wedge \textstyle\bigvee_{v \in C} (B_2 = (\text{combined\_pk})^r f^v) \,\big]$
Tree Aggregation + Decryption by “Onion Peeling”
The low level node multiplies all encrypted contributions point-wise: $\langle \prod B_1, \prod B_2 \rangle$ is a valid ElGamal encryption of $f^{\sum v}$ (due to the homomorphic property) under the public key of all nodes in the user trust path.
THEN: the node “peels off” its layer of encryption (by doing ElGamal decryption w.r.t. its local private key):
$\langle g^r,\; (h_0 h_1 h_2 \cdots h_k)^r f^v \rangle \;\to\; \langle g^r,\; (h_1 h_2 \cdots h_k)^r f^v \rangle$
The process continues recursively up to the top-level node.
Output
The top node receives the tally $T = f^{\sum v}$.
Recovery of output: the space of all possible values for $\sum v$ is of size $O(n^{c-1})$ and as a result it can be found in time $O(n^{c-1})$. Using the baby-step giant-step method this can be improved to $O(n^{(c-1)/2})$.
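The onion-peeling variant end to end, as an added Python example that is not the authors’ code: combined_pk built along a three-level trust path, point-wise aggregation, each node dividing out its own layer, and baby-step giant-step recovery of $\sum v$ at the top. The group ($p = 2q+1 = 2039$, generators $g = 4$, $f = 9$) and the votes are constructed toy values, far too small to be secure.

```python
import random

P, Q, G, F = 2039, 1019, 4, 9   # p = 2q+1 (toy, insecure); G, F generate the order-q subgroup of squares
C, M = 3, 6                     # number of candidates; base M > number of voters (5 below)

def keygen():
    # local key of one node: secret a, local pk h = g^a
    a = random.randrange(1, Q)
    return a, pow(G, a, P)

def encrypt(combined_pk, v):
    # user's contribution under the combined key of its trust path: <g^r, combined_pk^r f^v>
    r = random.randrange(1, Q)
    return pow(G, r, P), pow(combined_pk, r, P) * pow(F, v, P) % P

def aggregate(ctxs):
    # point-wise product of ciphertexts = encryption of f^(sum v) under the same combined key
    b1 = b2 = 1
    for x, y in ctxs:
        b1, b2 = b1 * x % P, b2 * y % P
    return b1, b2

def peel(ctx, a):
    # remove one node's layer: divide B2 by B1^a = (g^r)^a = h^r (Python 3.8+ modular inverse)
    b1, b2 = ctx
    return b1, b2 * pow(b1, -a, P) % P

def bsgs_dlog(target, bound):
    # baby-step giant-step: find t < bound with F^t = target in O(sqrt(bound)) group operations
    m = int(bound ** 0.5) + 1
    baby = {pow(F, j, P): j for j in range(m)}
    giant, cur = pow(F, -m, P), target
    for i in range(m + 1):
        if cur in baby:
            return i * m + baby[cur]
        cur = cur * giant % P
    return None

def run_election(votes_by_precinct):
    # trust path top -> regional -> precinct; a node's combined_pk = own pk * parent's combined_pk
    top, regional = keygen(), keygen()
    precincts = [keygen() for _ in votes_by_precinct]
    regional_combined = regional[1] * top[1] % P
    from_precincts = [peel(aggregate([encrypt(h * regional_combined % P, M ** v) for v in votes]), a)
                      for (a, h), votes in zip(precincts, votes_by_precinct)]   # precincts peel own layer
    block = peel(aggregate(from_precincts), regional[0])    # regional aggregates, then peels
    _, tally = peel(block, top[0])                          # top peels: tally = f^(sum v)
    total = bsgs_dlog(tally, M ** C)                        # sum v < M^c because M > #voters
    return [total // M ** k % M for k in range(C)]          # votes per candidate
```

Every contribution is a single ElGamal pair regardless of the path length; compare the l ciphertexts per contribution in the generic construction.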
Application To E-Voting: “Scalable” Secret Ballot Elections
• Arbitrary elections’ structure, size and distributions.
• Security properties scale in parallel to the elections structure.
[Figure: voter distribution over the smallest administrative unit, the microprecinct; the election tree; results; setup; security horizon; secure subelections; ballot-casting.]
Conclusions
• Tree Homomorphic Encryption with Scalable Decryption.
• Motivated by load-balancing / network topology / geography constraints / overlay P2P networks.
• Assuming multi-level trust can eliminate big brother presence.
• Further increase of security possible by employing “paranoid security” or “multi-path election”.
• Future applications?