Open 1853582 opened 1 year ago
Thank you for your questions.
I don't understand your first question. Can you try to rephrase it?
Let me first explain potential effects of changing q that are a bit more independent of the concrete implementation. Then I will point out some things that can happen if you change q in this specific implementation.
2.1. For the scheme to function properly, p must be large enough to contain the entire message space plus some extra space that will be used for error correction, because the pseudorandom function is only
Warning: The code in this repository is only meant as a proof of concept for scientific purposes (e.g. it was not written with side channel attacks in mind). Also, I am not an expert on the exact effects that different choices of p and q have on the security of the underlying learning-with-rounding (LWR) problem. So I would strongly advise you against solely relying on this code or my above answers in a real world implementation where the security of actual data is at stake.
Thank you for your detailed answer. If I want to combine your homomorphic pseudo-random function with the Shamir algorithm, each aggregator uses a different key. If this key is modulo 2 to the 128th power, it may not be very convenient to apply. Can we use large prime numbers for the modulus of the key, or must we perform operations on the finite field GF(2^128)?
I read from your paper: "Note that if q does not divide the size of the output space of H′, extra analysis is needed to make sure that the mod q operation does not induce any bias. However in our case we choose q as power of 2, whereby it divides the size of the output space of H′. In our implementation we used SHA3-512 as H′." Can you further explain the consequences of the deviation caused by the modulo q operation? Is there a solution to this type of problem, please?
| Hash value | Result after computing mod 5 |
|---|---|
| 0 | 0 |
| 1 | 1 |
| 2 | 2 |
| 3 | 3 |
| 4 | 4 |
| 5 | 0 |
| 6 | 1 |
| 7 | 2 |
The numbers 0,1,2 appear twice in the result, while 3 and 4 only appear once. Thus, 0,1,2 are twice as likely as 3 and 4 (this is the "bias" from your quote), which is not a uniform distribution anymore.
One potential solution to this problem is that you choose a prime number q that is very very close to 2^128. Then the bias is very small (the "statistical difference" to a uniform distribution is very small). More concretely: I typed "what is the closest prime number to 2^128" in wolfram-alpha and it gave q=340282366920938463463374607431768211507 as answer (please check if this is actually a prime number). This is very close to 2^128, in fact q - 2^128 = 51. So if you simply take the first 128 bit of the hash value, then this is very close to a uniform distribution over Z_q. You don't even have to compute modulo. The "statistical distance" between the distribution that you would produce and a uniform distribution over Z_q should be less than 2^-122, so I think that this should be ok from a security perspective.
An alternative solution could be to take a prime number q that is slightly smaller than 2^128 and, if your hash value is larger than q, throw it away and compute a new one. This should produce an (exact) uniform distribution, but may have other caveats.
Use this at your own risk! I have spent a bit more than 1 hour thinking about the question and writing the answer, so it's probably best to thoroughly think it through yourself and double check with other people.
Also I am pretty sure that other people have thought about that problem for a longer time than I did, so there is probably more information (and potentially a better solution) somewhere on the internet.
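The following is an added worked check of the bias discussion in the answer above; it is example code written for this page, not code from the repository or from the maintainer. It reproduces the small mod 5 table, computes the exact statistical distance from uniform in closed form (so it also works for 128-bit and 512-bit input spaces without iterating), recomputes the prime just above 2^128 with a Miller-Rabin check instead of trusting the quoted value, searches for a prime just below 2^128 for the rejection variant, and implements both remedies. The use of SHA3-512 follows the paper quote; the label inputs, the counter encoding in the rejection variant and the function names are assumptions made here.

```python
import hashlib
from fractions import Fraction

TWO128 = 1 << 128


def mod_counts(bits: int, q: int) -> dict:
    """How often each residue appears when every `bits`-bit value is reduced mod q (the table above)."""
    counts = {r: 0 for r in range(q)}
    for x in range(1 << bits):
        counts[x % q] += 1
    return counts


def sd_mod_reduce(n: int, q: int) -> Fraction:
    """Exact statistical distance from uniform over Z_q of (X mod q), X uniform on [0, n).
    Residues below n % q are hit ceil(n/q) times, the rest floor(n/q) times, so no loop over Z_q is needed."""
    c, hi = divmod(n, q)
    lo = q - hi
    return Fraction(1, 2) * (hi * abs(Fraction(c + 1, n) - Fraction(1, q))
                             + lo * abs(Fraction(c, n) - Fraction(1, q)))


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with twelve fixed bases: a strong sanity check for 128-bit n, not a proof."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def nearest_prime(start: int, step: int) -> int:
    """Walk from `start` in direction `step` until a probable prime is found."""
    n = start
    while not is_probable_prime(n):
        n += step
    return n


Q_ABOVE = nearest_prime(TWO128 + 1, +1)   # the answer above quotes 2^128 + 51; recomputed here
Q_BELOW = nearest_prime(TWO128 - 1, -1)   # a prime just below 2^128, for the rejection variant


def hash_to_zq_truncate(label: bytes, q: int) -> int:
    """Remedy 1: q just above 2^128; keep the first 128 bits of SHA3-512, no mod at all."""
    assert TWO128 <= q
    return int.from_bytes(hashlib.sha3_512(label).digest()[:16], "big")


def hash_to_zq_rejection(label: bytes, q: int) -> int:
    """Remedy 2: q just below 2^128; try the four 128-bit chunks of SHA3-512(label || ctr) and keep
    the first one < q, rehashing with a fresh counter if all four are rejected.
    Caveats: the number of hash calls depends on the input (not constant-time), and label and
    counter must not be confusable, e.g. by fixing the label length (assumed here)."""
    assert q <= TWO128
    ctr = 0
    while True:
        digest = hashlib.sha3_512(label + ctr.to_bytes(4, "big")).digest()
        for i in range(4):
            x = int.from_bytes(digest[16 * i:16 * i + 16], "big")
            if x < q:
                return x
        ctr += 1


if __name__ == "__main__":
    print(mod_counts(3, 5))                       # {0: 2, 1: 2, 2: 2, 3: 1, 4: 1}
    print(float(sd_mod_reduce(8, 5)))             # 0.15
    print(Q_ABOVE - TWO128, TWO128 - Q_BELOW)
    print(sd_mod_reduce(TWO128, Q_ABOVE))         # 51 / Q_ABOVE, about 2^-122.3
    print(sd_mod_reduce(1 << 512, Q_ABOVE))       # reducing the full 512-bit digest mod Q_ABOVE
```

The last line applies the same closed form to the paper's case of reducing the whole digest modulo a q that does not divide 2^512: the bias there is bounded by roughly q/(4·2^512), i.e. far below 2^-380, which is the "extra analysis" the quoted paragraph refers to.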
Thank you for your answer. I will continue to think about it.
Hello, I have some thoughts about this paper:
In the Setup and Key Management section, you mentioned that it is necessary to assign a secret key to each client, and then obtain the total key through the NIKE method and send it back to the server. This part of the communication seems a bit heavy, and I was wondering if it could be replaced with the Shamir method to distribute the key. Each client's secret key is ki = LiSi, and then S = L1S1 + L2S2 + ... + LnSn calculates the total secret key.
You mentioned that encrypting a label can only encrypt one number. If the object I encrypt is not a number but a vector, it will result in a longer encryption time. Is there a way to solve this problem? My current idea is to calculate the hash in advance and assemble it into a vector H = [H(1), ..., H(n)]. Then, I can use the tensor library to calculate H · K and perform modular operations.
Do you think these two points are feasible?
I am a software engineer and currently the project requires the use of quantum resistant key homomorphic pseudo random numbers. Sorry to bother you with so many questions.
Hello, I also want to ask: is there a way to obtain multiple pseudo random numbers at once?
The NIKE is necessary so that each pair of clients has a shared secret key. Each client then uses this key to blind their PRF secret key in a way that the server can only learn the sum of the keys. This is done in order to avoid having a central party creating and distributing the PRF secret keys. I do not see how Shamir's secret sharing would avoid the central party. But I also don't understand what exactly your idea is.
I guess you can even compute the entire PRF value(s) in advance. Then encryption is only adding the pre-computed PRF value(s) to the message.
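An added example of the precompute-then-add pattern described in the reply above, written for this page; it is not the repository's code and not necessarily its exact construction. It uses a generic learning-with-rounding style key-homomorphic PRF F_k(x) = round(<H′(x), k> mod q · p/q) mod p with q = 2^128 and λ = 4 coordinates cut from one SHA3-512 digest, as the thread describes; the value of p, the message scaling factor DELTA, the client and message bounds and all names are assumptions chosen for illustration. The server is assumed to already hold the sum of the client keys (which is what the NIKE step in the thread provides) and never sees an individual key. The example also shows why p needs slack beyond the message space: the rounding errors of the individual PRF values do not cancel exactly, so the aggregated plaintext has to be rounded back.

```python
import hashlib
import secrets

# Assumed toy parameters (illustration only, not the repository's choices):
Q = 1 << 128        # key and hash modulus, as in the thread
P = 1 << 32         # rounded output modulus
LAMBDA = 4          # one SHA3-512 digest = four 128-bit coordinates, as the thread describes
DELTA = 1 << 12     # message scaling: the room below it absorbs the rounding error
MAX_CLIENTS = 64    # keeps the accumulated rounding error |e| <= (n+1)/2 well below DELTA/2
MAX_MSG = 1 << 10   # per-client message bound so that MAX_CLIENTS * MAX_MSG * DELTA < P


def hash_to_zq_vector(label: bytes) -> list:
    """H'(label): SHA3-512 cut into LAMBDA 128-bit chunks; each chunk is < Q, so no mod bias."""
    d = hashlib.sha3_512(label).digest()
    return [int.from_bytes(d[16 * i:16 * i + 16], "big") for i in range(LAMBDA)]


def keygen() -> list:
    return [secrets.randbelow(Q) for _ in range(LAMBDA)]


def key_add(k1: list, k2: list) -> list:
    return [(a + b) % Q for a, b in zip(k1, k2)]


def sum_keys(keys: list) -> list:
    total = [0] * LAMBDA
    for k in keys:
        total = key_add(total, k)
    return total


def prf(key: list, label: bytes) -> int:
    """F_k(x) = round(<H'(x), k> mod Q * P / Q) mod P  (learning-with-rounding style)."""
    y = sum(h * k for h, k in zip(hash_to_zq_vector(label), key)) % Q
    return ((y * P + Q // 2) // Q) % P


def precompute(key: list, labels: list) -> dict:
    """Offline phase: the PRF values for every label the client will use (the expensive part)."""
    return {x: prf(key, x) for x in labels}


def encrypt(m: int, pad: int) -> int:
    """Online phase: a single addition mod P. m is scaled by DELTA to survive the rounding error."""
    assert 0 <= m < MAX_MSG
    return (m * DELTA + pad) % P


def aggregate_and_decode(ciphertexts: list, agg_key: list, label: bytes) -> int:
    """Server side: subtract F_{sum of keys}(label), then round away the accumulated rounding error."""
    assert len(ciphertexts) <= MAX_CLIENTS
    s = (sum(ciphertexts) - prf(agg_key, label)) % P
    return ((s + DELTA // 2) // DELTA) % (P // DELTA)


def homomorphism_error(k1: list, k2: list, label: bytes) -> int:
    """Signed difference F_k1(x) + F_k2(x) - F_{k1+k2}(x); with this rounding it lies in {-1, 0, 1}."""
    d = (prf(k1, label) + prf(k2, label) - prf(key_add(k1, k2), label)) % P
    return d - P if d > P // 2 else d


if __name__ == "__main__":
    label = b"round-17/weight-0"            # constructed sample label
    keys = [keygen() for _ in range(5)]
    msgs = [3, 7, 11, 0, 1000]               # constructed sample inputs
    pads = [precompute(k, [label])[label] for k in keys]
    cts = [encrypt(m, pad) for m, pad in zip(msgs, pads)]
    print(aggregate_and_decode(cts, sum_keys(keys), label), sum(msgs))
    print(homomorphism_error(keys[0], keys[1], label))
```

Because `precompute` only depends on the key and the labels, a client can run it for all labels of an upcoming round (or for a whole vector of labels, as suggested earlier in the thread) before any message is known; the online cost per coordinate is then one addition.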
Can I ask a question about the code?
Why can we only calculate the hash once to obtain λ hash values?
Are there any requirements for the values of q and p here? In your comments, it was explained that the 512 bits can be split into 4 values (128 bit each) in Z_q, so q needs to be 2 to the 128th power. Would changing q result in an error?