Succinctly Verifiable Computation over Additively-Homomorphically Encrypted Data: Making Privacy-Preserving Blueprints Practical
摘要
Introduced by Kohlweiss, Lysyanskaya, and Nguyen (Eurocrypt’23), a privacy-preserving blueprint (PPB) allows an auditor of a privacy system, on input x, to create a public encoding \(\textsf{pk} \) of the function \(f(x,\cdot )\) that reveals nothing about x. Yet, a user who knows \(\textsf{pk} \) and a y that corresponds to a commitment to y, \(C_y\) , can compute an escrow Z of the value f(x, y); Z will verifiably correspond to \(\textsf{pk} \) and \(C_y\) . The auditor will be able to recover f(x, y) from \(Z\) , but will learn no other information about y. For example, let f(x, y) be the “watchlist” function that outputs y iff y is on the list x; a PPB for such a function (which we call an f-PPB) allows the auditor to trace watchlisted users in an otherwise anonymous system. PPBs are a—socially important and potentially controversial—instance of the actively secure non-interactive secure computation (NISC) problem. As such, they can be naturally constructed from homomorphic encryption and efficient proof systems. In this work, we present a framework for additively homomorphic encryption (AHE) with efficient proof systems that yields a dramatically improved PPB both in efficiency and security. In our setting, AHE allows one to compute an encryption, \(c_\textit{f}\) , of a polynomial \(f(x_1,\ldots ,x_n,y_1,\ldots , y_k)\) on input the values: \(y_1,\ldots ,y_k\) and only the (additively homomorphic) encryptions of \(x_1,\ldots ,x_n\) . For AHE that satisfies a set of natural requirements, we give a NIZK proof system for showing the correct computation of \(c_\textit{f}\) and proves that the \(y_1,\ldots ,y_k\) values used in the computation of \(c_\textit{f}\) correspond to public commitments \(C_1,\ldots ,C_k\) . The resulting proof’s size is \(O(k\log d)\) (independent of n) where d is the maximum degree of any variable in f. Critically, the proof can be computed without knowledge of \(x_1,\ldots ,x_n\) only requiring the encryptions of these values. We show how our proof system can be instantiated both with ElGamal-based encryption (under DDH) and with a variant of the Camenisch-Shoup cryptosystem (under DCR and Strong RSA). Applying our proof system to Camenisch-Shoup ciphertexts is novel and extends previous work to apply to more general polynomials. Using our NIZK proof system for additively homomorphic computation we achieve the following results: (1) We provide efficient schemes for a useful class of functions f; for example, we show how to realize f that would allow the auditor to trace all private payment transactions of a suspect user in a central bank digital currency (CBDC). (2) For the watchlist and related functions, we reduce the size of the escrow \(Z\) from linear in the size of the auditor’s input x, to logarithmic. Additionally, (3) we define and satisfy a stronger notion of security for f-PPBs, where a malicious auditor cannot frame a user in a transaction in which the user was not involved in.