2.2.3.5 Verifiable Rotation of Homomorphic Encryptions

De Hoogh, Schoenmakers, Skoric, and Villegas [HSSV09] has proposed an efficient solution to perform a verifiable rotation (also known as cyclic shift) of homomorphically encrypted values. Other solutions (e.g. Reiter and Wang, Fragile Mixing, ACM CCS, 2004) do not provide that level of efficency. LibTMCG provides the first known implementation of their protocol. It can only be used with the VTMF card encoding scheme of Barnett and Smart [BS03].

Further, to the best of our knowledge it is not known, whether their protocol retains the zero-knowledge property when it is executed in a concurrent setting. Thus the application programmer should be careful and avoid parallel invocations of the same instance.

Class: HooghSchoenmakersSkoricVillegasVRHE

This class provides the low-level interface for their protocol. There are just a few methods that might be of general interest. All other components are only used internally by high-level operations and thus their description is omitted here.

Constructor on HooghSchoenmakersSkoricVillegasVRHE: HooghSchoenmakersSkoricVillegasVRHE (mpz_srcptr p_ENC, mpz_srcptr q_ENC, mpz_srcptr k_ENC, mpz_srcptr g_ENC, mpz_srcptr h_ENC, unsigned long int fieldsize =TMCG_DDH_SIZE, unsigned long int subgroupsize =TMCG_DLSE_SIZE)

This constructor creates a new instance. The low-level operations are later used to show the correctness of a rotation of the cards. The protocol and some of its parameters are initialized by the members of the corresponding VTMF instance. Consequently, p_ENC is the prime number p which determines the field {\bf Z}/p{\bf Z}, q_ENC is the order of the underlying subgroup G, i.e. the prime number q, and k_ENC is the integer such that p = qk + 1 holds. Further, g_ENC is the generator g, and finally h_ENC is the common public key h. The fieldsize and the subgroupsize are supplied to internal classes and are only of interest, if p_ENC or q_ENC have lengths different from the default. If these arguments are omitted, they are set to TMCG_DDH_SIZE and TMCG_DLSE_SIZE, respectively.

This constructor should be instantiated only once by the session leader. All other instances must be created by the second constructor. Further, it is very important that the VTMF key generation protocol has been finished before the value of h is passed to the constructor. Otherwise, the correctness verification will definitely fail.

Constructor on HooghSchoenmakersSkoricVillegasVRHE: HooghSchoenmakersSkoricVillegasVRHE (std::istream& in, unsigned long int fieldsize =TMCG_DDH_SIZE, unsigned long int subgroupsize =TMCG_DLSE_SIZE)

This constructor initializes the instance from a correctly formatted input stream in. For example, such a stream can be generated by calling the method PublishGroup of an already created instance. Later the instance can be used to show the correctness of a rotation.

Method on HooghSchoenmakersSkoricVillegasVRHE: bool CheckGroup ()

This method checks whether the initialized commitment scheme is sound. It returns true, if all tests have been passed successfully.

Method on HooghSchoenmakersSkoricVillegasVRHE: void PublishGroup (std::ostream& out)

This method exports the instance configuration to the output stream out such that other instances can be initialized, e.g. with the second constructor.

Destructor on HooghSchoenmakersSkoricVillegasVRHE: ~HooghSchoenmakersSkoricVillegasVRHE ()

This destructor releases all occupied resources.