Homomorphic Threshold Encryption

The core of the flow encryption system requires a partially homomorphic encryption scheme, which allows for users to publish transactions that contain encrypted values. These encrypted values are then aggregated, using the homomorphism, by validators. The aggregate value (the “batched flow”) is then decrypted using the threshold decryption scheme described here.

Desired Properties

For our threshold encryption scheme, we require three important properties:

Homomorphism: we must be able to operate over ciphertexts, by combining balance commitments from many participants into a batched value.
Verifiability: we must be able to verify that a given value $v_{i}$ was encrypted correctly to a given ciphertext $c_{i}$
Robustness: up to $n - t$ validators must be permitted to either fail to provide a decryption share or provide in invalid decryption share.

Concrete Instantiation: Homomorphic ElGamal

Setup

Compute a lookup table $LU T$ for every $v_{i} \in [0, 2^{23})$ by setting $LU T [v_{i}] = v_{i} G$ where $G$ is the basepoint of decaf377. Store $LU T$ for later use in value decryption.

Value Encryption

                                  ┌───────────────────┐                           
                                  │DKG Public Key (D) │                           
                                  │                   │                           
                                  └───────────────────┘                           
                                            │                                     
                                  ┌─────────▼─────────┐    ┌──────────────┐       
                                  │                   │    │     v_e      │       
                                  │                   │    │  (encrypted  │       
                                  │                   │    │    value)    │       
                  ┌──────────┐    │ElGamal Encryption │    │ ┌──────────┐ │       
               ┌─▶│v_0 (u16) │────▶   D: DKG Pubkey   ├────┼▶│   c_0    │ │       
               │  └──────────┘    │     M = v_i*G     │    │ └──────────┘ │       
               │  ┌──────────┐    │     e <- F_q      │    │ ┌──────────┐ │       
┌────────────┐ ├─▶│v_1 (u16) │────▶ c_i = (e*G, M+eD) ├────┼▶│   c_1    │ │       
│            │ │  └──────────┘    │                   │    │ └──────────┘ │       
│v [0, 2^64) │─┤  ┌──────────┐    │                   │    │ ┌──────────┐ │       
│            │ ├─▶│v_2 (u16) │────▶ Correctness Proof ├────┼▶│   c_2    │ │       
└────────────┘ │  └──────────┘    │         σ         │    │ └──────────┘ │       
               │  ┌──────────┐    │                   │    │ ┌──────────┐ │       
               └─▶│v_3 (u16) │────▶                   ├────┼▶│   c_3    │ │       
                  └──────────┘    │                   │    │ └──────────┘ │       
                                  │                   │    │              │       
                                  │                   │    │              │       
                                  └───────────────────┘    └──────────────┘       
                                            │                                     
                                            │           ┌────────────────────────┐
                                            └──────────▶│proofs σ_ci = (r, s, t) │
                                                        └────────────────────────┘

A value $v$ is given by an unsigned 64-bit integer $v \in [0, 2^{64})$ . Split $v$ into four 16-bit limbs

$v_{q} = v_{0} + v_{1} 2^{16} + v_{2} 2^{32} + v_{3} 2^{48}$ with $v_{i} \in [0, 2^{16}]$ .

Then, perform ElGamal encryption to form the ciphertext $v_{e}$ by taking (for each $v_{i}$ )

$M_{i} = v_{i} * G$ $e \leftarrow r an d F_{q}$ $c_{i} = (e * G, M_{i} + e * D)$

Where $G$ is the basepoint generator for decaf377, $F_{q}$ is the large prime-order scalar field for decaf377, and $D$ is the public key output from DKG.

Next, compute a proof of correctness of the ElGamal encryption by executing the following sigma protocol:

$k_{1} \leftarrow r an d F_{q}$ $k_{2} \leftarrow r an d F_{q}$ $α = k_{1} * G$ $γ = k_{1} * D + k_{2} * G$ $t = H (c_{i 0}, c_{i 1}, D, α, γ)$ $r = k_{1} - e * t$ $s = k_{2} - v_{i} * t$

The proof is then $σ_{c_{i}} = (r, s, t)$ . The encryption of value $v$ is given as $v_{e} = [c_{1}, c_{2}, c_{3}, c_{4}]$ .

Upon receiving an encrypted value $v_{e}$ with proofs $σ_{c_{i}}$ , a validator or validating full node should verify each proof $σ_{c_{i}}$ by checking

$α \leftarrow G * r + c_{i 0} * t$ $γ \leftarrow D * r + G * s + c_{i 1} * t$ $H (c_{i 0}, c_{i 1}, D, α, γ) = ? t$

Considering the value invalid if the proof fails to verify.

This protocol proves, in NIZK, the relation $R = {((e, v_{i}), c_{i 0}, c_{i 1}) \in F_{q} \times G : c_{i 0} = e G \land c_{i 1} = v_{i} G + eD}$

Showing that the ciphertext $c_{i}$ is an actual encryption of $v_{i}$ for the DKG pubkey $D$ , and using the hash transcript to bind the proof of knowledge of $(e, v_{i})$ to each $c_{i}$ .

Each ciphertext $c_{i}$ is two group elements, accompanied by a proof $σ_{c_{i}}$ which is three scalars. decaf377 group elements and scalars are encoded as 32-byte values, thus every encrypted value $v_{e}$ combined with its proof $σ_{c i}$ is $5 * 32 * 4$ = 640 bytes.

Value Aggregation

                          n (batch size)                         
┌ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┐
│┌──────────────┐   ┌──────────────┐            ┌──────────────┐│
 │              │   │              │            │              │ 
 │   v_{e0}     │   │    v_{e1}    │            │    v_{ek}    │ 
 │              │   │              │            │              │ 
 │ ┌──────────┐ │   │ ┌──────────┐ │            │ ┌──────────┐ │ 
 │ │   c_0    │ │   │ │   c_0    │ │            │ │   c_0    │ │ 
 │ └──────────┘ │   │ └──────────┘ │            │ └──────────┘ │ 
 │ ┌──────────┐ │   │ ┌──────────┐ │            │ ┌──────────┐ │ 
 │ │   c_1    │ │   │ │   c_1    │ │            │ │   c_1    │ │ 
 │ └──────────┘ │   │ └──────────┘ │            │ └──────────┘ │ 
 │ ┌──────────┐ │   │ ┌──────────┐ │    ...     │ ┌──────────┐ │ 
 │ │   c_2    │ │   │ │   c_2    │ │            │ │   c_2    │ │ 
 │ └──────────┘ │   │ └──────────┘ │            │ └──────────┘ │ 
 │ ┌──────────┐ │   │ ┌──────────┐ │            │ ┌──────────┐ │ 
 │ │   c_3    │ │   │ │   c_3    │ │            │ │   c_3    │ │ 
 │ └──────────┘ │   │ └──────────┘ │            │ └──────────┘ │ 
 │              │   │              │            │              │ 
 │              │   │              │            │              │ 
 └──────────────┘   └──────────────┘            └──────────────┘ 
         │                  │             │             │        
         │                  │             │             │        
         └──────────────────┴─────┬───────┴─────────────┘        
                                  │             ┌──────────────┐ 
                                  ▼             │              │ 
                                ┌───┐           │   v_{agg}    │ 
                                │ + │───────────▶              │ 
                                └───┘           │ ┌──────────┐ │ 
                                                │ │   c_0    │ │ 
                                                │ └──────────┘ │ 
                                                │ ┌──────────┐ │ 
                                                │ │   c_1    │ │ 
                                                │ └──────────┘ │ 
                                                │ ┌──────────┐ │ 
                                                │ │   c_2    │ │ 
                                                │ └──────────┘ │ 
                                                │ ┌──────────┐ │ 
                                                │ │   c_3    │ │ 
                                                │ └──────────┘ │ 
                                                │              │ 
                                                │              │ 
                                                └──────────────┘

To batch flows, we must use the homomorphic property of ElGamal ciphertexts. Aggregation should be done component-wise, that is, on each limb of the ciphertext ( $c_{i}$ ). To aggregate a given $v_{e}, v_{e}^{'}$ , simply add each limb:

$v_{a gg} = v_{e} + v_{e}^{'} = [c_{0} + c_{0}^{'}, c_{1} + c_{1}^{'}, c_{2} + c_{2}^{'}, c_{3} + c_{3}^{'}] = \dots = v_{q} + v_{q}^{'} = v + v^{'}$

This holds due to the homomorphic property of ElGamal ciphertexts.

The block producer aggregates every $v_{e i}$ , producing a public transcript of the aggregation. The transcript can then be publicly validated by any validator or full node by adding together each $v_{e i}$ in the transcript and verifying that the correct $v_{a gg}$ was committed by the block producer.

Value Decryption

┌──────────────┐                                                                        
│     v_e      │                                                                        
│  (encrypted  │                                                                        
│    value)    │                                                                        
│ ┌──────────┐ │     ┌─────────────────────────┐                                        
│ │   c_0    │─┼────▶│                         │    ┌─────────────────────────────────┐ 
│ └──────────┘ │     │                         │    │       Gossip (ABCI++ Vote       │ 
│ ┌──────────┐ │     │                         │    │           Extensions)           │ 
│ │   c_1    │─┼────▶│Decryption Shares + Proof│    │                                 │ 
│ └──────────┘ │     │                         │    │        verify share proof       │ 
│ ┌──────────┐ │     │  s_{pi} = d_{p}c_{i0}   │───▶│          σ_pi for s_pi          │ 
│ │   c_2    │─┼────▶│   σ_{pi} = (r, α, γ)    │    │                                 │ 
│ └──────────┘ │     │                         │    │      d = sum(s_pi*λ_{0,i})      │ 
│ ┌──────────┐ │     │                         │    │        v_mi = -d + c_{i1}       │ 
│ │   c_3    │─┼────▶│                         │    │                                 │ 
│ └──────────┘ │     └─────────────────────────┘    └─────────────────────────────────┘ 
│              │                                                     │    ┌───────┐     
│              │                                                    ┌┘    │  LUT  │     
└──────────────┘                                                    │     └───┬───┘     
                   ┌─────────────────────────┐       ┌──────────────▼─────────▼────────┐
                   │                         │       │       Reverse dLog Lookup       │
                   │ Reconstruct from Limbs  │       │                                 │
                   │                         │◀──────│v_q = [LUT[v_mi], ..., LUT[v_mn]]│
                   │                         │       │                                 │
                   └─────────────────────────┘       └─────────────────────────────────┘
                                │                                                       
                                ▼                                                       
                           ┌─────────┐                                                  
                           │         │                                                  
                           │v (u128) │                                                  
                           │         │                                                  
                           └─────────┘

To decrypt the aggregate $v_{a gg}$ , take each ciphertext component $c_{i}$ and perform threshold ElGamal decryption using the participant’s DKG private key share $d_{p}$ to produce decryption share $s_{p} i$ :

$s_{p i} = d_{p} c_{i 0}$

Next, each participant must compute a proof that their decryption share is well formed relative to the commitment to their secret share $ϕ_{p} = G \cdot d_{p}$ . This is accomplished by adopting the Chaum-Pedersen sigma protocol for proving DH-triples.

With $c_{i 0}$ , $s_{p i}$ , and $d_{p}$ as inputs, each participant computes their proof $σ_{p i}$ by taking

$k \leftarrow r an d F_{q}$ $α = k * G$ $γ = k * c_{i 0}$ $t = H (s_{p i}, c_{i 0}, i, p, ϕ_{p}, α, γ)$ $r = k - d_{p} * t$

The proof is the tuple $σ_{p i} = (r, t)$ .

Every participant then broadcasts their proof of knowledge $σ_{p i}$ along with their decryption share $s_{p i}$ to every other participant.

After receiving $s_{p i}, σ_{p i} = (r, t)$ from each participant, each participant verifies that $s_{p i}$ is valid by checking

$α = G * r + ϕ_{p} * t$ $γ = c_{i 0} * r + s_{p i} * t$ $H (s_{p i}, c_{i 0}, i, p, ϕ_{p}, α, γ) = ? t$

and aborting if verification fails. (TODO: should we ignore this participant’s share, or report/slash them?)

This protocol is the Chaum-Pedersen sigma protocol which here proves the relation $R = {(d_{p}, (c_{i 0}, ϕ_{p}, s_{p i})) \in F_{q} \times G : ϕ_{p} = d_{p} G \land s_{p i} = d_{p} c_{i 0}}$

Showing that the validator’s decryption share is correctly formed for their key share which was committed to during DKG.

Now each participant can sum their received and validated decryption shares by taking

$d = p = 0 \sum n s_{p i} λ_{0, i}$

where $λ_{i}$ is the lagrange coefficient (for x=0) at $i$ , defined by

$λ_{0, i} = n \in S, n \neq = i \prod \frac{n}{n - i}$

where $S$ is the set of all participant indices.

Then, compute the resulting decryption by taking

$v_{m} = - d + c_{i 1}$

Now we have the output $v_{m} = [v_{im} \dots]$ . Each $v_{im}$ is a decaf377 group element. Use our lookup table $LU T$ from the setup phase to transform each value to its discrete log relative to the basepoint: $v_{i} = LU T [v_{im}]$ Now we have the decrypted value $v_{q} = [v_{0}, v_{1}, v_{2}, v_{3}]$

where each $v_{i}$ is bounded in $[0, 2^{23})$ .

To recombine the value, iterate over each $v_{i}$ , packing each $v_{i}$ into a u16 value $v_{u i}$ , performing carries if necessary. This yields the final value

$v = v_{u i} + v_{u i} * 2^{16} + v_{u i} * 2^{32} + v_{u i} * 2^{48} + v_{u i} * 2^{64}$

This value is bounded by $[0, 2^{71}]$ , assuming that the coefficients in the previous step were correctly bounded.

Note

On verifiability, this scheme must include some snark proof that coefficients were correctly created from input values. This can be accomplished by providing a SNARK proof $π$ that accompanies each value. It may also be desirable to SNARK the sigma protocol given in the value encryption phase in order to save on chain space.

Acknowledgements

Thanks to samczsun for his discussion and review of this spec, and for finding a flaw with an earlier instantiation of the encryption proof.

TODO: end-to-end complexity analysis (number of scalar mults per block, LUT size, etc)

The Penumbra Protocol