Implementation of collective decryption & bootstrapping

[pen9u1nlee]

Hi, a straightforward implementation of decryption & bootstrapping seem like this:

• Collective Decryption: For $sk = \sum sk_i$, each party $i$ computes $c_1 sk_i+e_i$ where $e_i$ is a sampled noise. All parties collectively compute $c_0 + \sum (c_1 sk_i+e_i)$.
• The Collective Bootstrapping may look the same with additional secret nonces $n_i$ for each party $i$ and a public sum $n = \sum n_i$. Each party $i$ collectively compute $m = c_0 + \sum (c_1 sk_i+n_i+e_i)$, encrypt $m$ and perform $m - n$.

It seems to me that all secrets are sealed by RLWE problem and insufficient betrayers. So my question is, whether this implementation is safe (semantically secure if not all parties are betrayers) and correct.

[Pro7ech]

Hi @PenguinLeee,

I have converted your issue to a discussion, since it isn't directly related to the Lattigo library (see README.md).

You are correct, this is the underlying idea of Protocol 5 in https://eprint.iacr.org/2020/304. This protocol is implemented for all three schemes in the Lattigo library:

• BFV: lattigo/dbfv/refresh.go
• BGV: lattigo/dbgv/refresh.go
• CKKS: lattigo/dckks/refresh.go

[pen9u1nlee]

Very much thanks for your guidance. BTW, is Collective Decryption implemented?

[Pro7ech]

@PenguinLeee Yes, you can use the Collective Key Switching (CKS) protocol and give a zero key (zerosk := rlwe.NewSecretKey(params)) as the target key to preform a collective decryption.