Arithmetic Sharing（算术共享）

Sharing Senantics

Sharing Values. For an kkk-bit Arithmetic sharing xxx of x, we have x0+x1=x_0+x_1=x0+x1=x (mod2k)(mod 2^k)(mod2k) with x0,x1∈Zzkx_0,x_1\in\mathbb{Z}_{z^k}x0,x1∈Zzk.

Sharing. PiP_iPi chooses r∈RZzk,r\in_R\mathbb{Z}_{z^k},r∈RZzk, set xi=x_i=xi= x−r-r−r and send rrr to P1−iP_{1-i}P1−i who sets x1−i=rx_{1-i}=rx1−i=r.

Reconstruction. P1−iP_{1-i}P1−i sends its share $x_{1-i} to PiP_iPi who computes x=x0+x1=x_0+x_1=x0+x1.

Operations

一方掌握密文，一方掌握密钥，加密方式为基于环 ring Zzk\mathbb{Z}_{z^k}Zzk的加法操作。（所有操作均为 mod2kmod 2^kmod2k ）

加法门+++

goal: 求 x+yx+yx+y

P0P_0P0掌握密文，P1P_1P1掌握密钥；xxx为P0P_0P0的明文，yyy为P1P_1P1的明文。
x=x0+x1(mod2k)x=x_0+x_1(mod 2^k)x=x0+x1(mod2k), P0P_0P0将x1x_1x1发送给P1P_1P1，本地保留x0x_0x0；
y=y0+y1(mod2k)y=y_0+y_1(mod 2^k)y=y0+y1(mod2k), P1P_1P1将y0y_0y0发送给P0P_0P0，本地保留y1y_1y1.

P0P_0P0	x0x_0x0	y0y_0y0
P1P_1P1	x1x_1x1	y1y_1y1

compute:

z=x+y=(x0+x1)+(y0+y1)mod2kz=x+y=(x_0+x_1)+(y_0+y_1) mod 2^kz=x+y=(x0+x1)+(y0+y1)mod2k=(x0+y0mod2k)+(x1+y1mod2k)=(x_0+y_0 mod2^k)+(x_1+y_1mod2^k)=(x0+y0mod2k)+(x1+y1mod2k)

注：本地计算，无需交互，非常高效。

乘法门⋅\cdot⋅

goal: 求z=x⋅y=(xy)0+(xy)1z=x\cdot y=(xy)_0+(xy)_1z=x⋅y=(xy)0+(xy)1

xxx以掩码形式输出不泄露隐私 e=x+ae=x+ae=x+a ; 其中x=x0+x1,a=a0+a1x=x_0+x_1 ,a=a_0+a_1x=x0+x1,a=a0+a1 ; a0,a1a_0,a_1a0,a1分别由P0,P1P_0,P_1P0,P1掌握$。
yyy以掩码形式输出不泄露隐私 f=y+bf=y+bf=y+b ; 其中y=y0+y1,b=b0+b1y=y_0+y_1 ,b=b_0+b_1y=y0+y1,b=b0+b1 ; b0,b1b_0,b_1b0,b1分别由P0,P1P_0,P_1P0,P1掌握。
P0P_0P0公开x0+a0,y0+b0x_0+a_0,y_0+b_0x0+a0,y0+b0 ; P1P_1P1公开x1+a1,y1+b1x_1+a_1,y_1+b_1x1+a1,y1+b1 ; 所以双方均可计算 e,fe,fe,f.

∴x⋅y=(e−a)(f−b)=ef−fa−eb+ab\therefore x\cdot y=(e-a)(f-b)=ef-fa-eb+ab∴x⋅y=(e−a)(f−b)=ef−fa−eb+ab mod2kmod2^kmod2k

question1: 如何将 xyxyxy 安全的拆分为(xy)0和(xy)1?(xy)_0和(xy)_1?(xy)0和(xy)1?

拆分：
xy=ef−fa−eb+abx y=ef-fa-eb+abxy=ef−fa−eb+ab mod2kmod2^kmod2k
(xy)0=−fa0−eb0+(xy)_0=-fa_0-eb_0+(xy)0=−fa0−eb0+ (ab)0(ab)_0(ab)0 mod2kmod2^kmod2k
(xy)1=ef−fa1−eb1+(xy)_1=ef-fa_1-eb_1+(xy)1=ef−fa1−eb1+(ab)1(ab)_1(ab)1 mod2kmod2^kmod2k

question2: 如何将 ababab 安全的拆分为(ab)0和(ab)1?(ab)_0和(ab)_1?(ab)0和(ab)1?

令c=abc=abc=ab,将ccc拆分为c0c_0c0 c1c_1c1,使得 c=c0+c1c=c_0+c_1c=c0+c1

P0P_0P0选择随机数c0c_0c0
c1=(a0+a1)(b0+b1)−c0=a0b0+a0b1+a1b0+a1b1−c0c_1=(a_0+a_1)(b_0+b_1)-c_0=a_0b_0+a_0b_1+a_1b_0+a_1b_1-c_0c1=(a0+a1)(b0+b1)−c0=a0b0+a0b1+a1b0+a1b1−c0

P0P_0P0	x0x_0x0	y0y_0y0	a0a_0a0	b0b_0b0	c0c_0c0
P1P_1P1	x1x_1x1	y1y_1y1	a1a_1a1	b1b_1b1	c1?c_1?c1?

question3: 如何使得P1P_1P1隐私获得c1?c_1?c1?

借助支持加法的同态加密实现

给定密文 E(m)E(m)E(m) 和 E(n)E(n)E(n) , 则 E(m)E(n)=E(m+n)E(m)E(n)=E(m+n)E(m)E(n)=E(m+n)

给定密文 E(m)E(m)E(m) 和 nnn , 则 (E(m))n=E(mn)(E(m))^n=E(mn)(E(m))n=E(mn)

乘法三元组

P1P_1P1计算发送给P0P_0P0: E(b1),E(a1)E(b_1),E(a_1)E(b1),E(a1)
P0P_0P0计算发送给P1P_1P1:E(b1)a0E(a1)b0E(a0b0−c0)=E(a0b0+a0b1+a1b0−c0)E(b_1)^{a_0}E(a_1)^{b_0}E(a_0b_0-c_0)=E(a_0b_0+a_0b_1+a_1b_0-c_0)E(b1)a0E(a1)b0E(a0b0−c0)=E(a0b0+a0b1+a1b0−c0)
P1P_1P1解密并计算：a0b0+a0b1+a1b0−c0+a1b1a_0b_0+a_0b_1+a_1b_0-c_0+a_1b_1a0b0+a0b1+a1b0−c0+a1b1 mod2kmod 2^kmod2k
P1P_1P1获得c1c_1c1.

注：乘法三原则的计算只与随机数有关，所以可预先离线计算，提高计算效率。
∴x⋅y=(e−a)(f−b)=ef−fa−eb+ab\therefore x\cdot y=(e-a)(f-b)=ef-fa-eb+ab∴x⋅y=(e−a)(f−b)=ef−fa−eb+ab mod2kmod2^kmod2k
             =(xy)0+(xy)1=(−fa0−eb0+=(xy)_0+(xy)_1=(-fa_0-eb_0+=(xy)0+(xy)1=(−fa0−eb0+ (ab)0mod2k)+(ef−fa1−eb1+(ab)_0mod2^k)+(ef-fa_1-eb_1+(ab)0mod2k)+(ef−fa1−eb1+(ab)1(ab)_1(ab)1 mod2kmod2^kmod2k)     (question1)
             =(−fa0−eb0+=(-fa_0-eb_0+=(−fa0−eb0+ c0mod2k)+(ef−fa1−eb1+c_0mod2^k)+(ef-fa_1-eb_1+c0mod2k)+(ef−fa1−eb1+c1c_1c1 mod2kmod2^kmod2k)    (question2)
             =(−fa0−eb0+=(-fa_0-eb_0+=(−fa0−eb0+ c0mod2k)+(ef−fa1−eb1+c_0mod2^k)+(ef-fa_1-eb_1+c0mod2k)+(ef−fa1−eb1+a0b0+a0b1+a1b0−c0+a1b1a_0b_0+a_0b_1+a_1b_0-c_0+a_1b_1a0b0+a0b1+a1b0−c0+a1b1 mod2kmod2^kmod2k)     (question3)