Using Fully Homomorphic Hybrid Encryption to Minimize Non-interative Zero-Knowledge Proofs

Abstract

A non-interactive zero-knowledge (NIZK) proof can be used to demonstrate the truth of a statement without revealing anything else. It has been shown under standard cryptographic assumptions that NIZK proofs of membership exist for all languages in NP. While there is evidence that such proofs cannot be much shorter than the corresponding membership witnesses, all known NIZK proofs for NP languages are considerably longer than the witnesses. Soon after Gentry’s construction of fully homomorphic encryption, several groups independently contemplated the use of hybrid encryption to optimize the size of NIZK proofs and discussed this idea within the cryptographic community. This article formally explores this idea of using fully homomorphic hybrid encryption to optimize NIZK proofs and other related cryptographic primitives. We investigate the question of minimizing the communication overhead of NIZK proofs for NP and show that if fully homomorphic encryption exists then it is possible to get proofs that are roughly of the same size as the witnesses. Our technique consists in constructing a fully homomorphic hybrid encryption scheme with ciphertext size \(|m|+{\mathrm {poly}}(k)\), where \(m\) is the plaintext and \(k\) is the security parameter. Encrypting the witness for an NP-statement allows us to evaluate the NP-relation in a communication-efficient manner. We apply this technique to both standard non-interactive zero-knowledge proofs and to universally composable non-interactive zero-knowledge proofs. The technique can also be applied outside the realm of non-interactive zero-knowledge proofs, for instance to get witness-size interactive zero-knowledge proofs in the plain model without any setup or to minimize the communication in secure computation protocols.

1 Introduction

Non-interactive zero-knowledge (NIZK) proof systems [2] yield proofs that can convince others about the truth of a statement without revealing anything but this truth. We will consider statements of the form \(x\in L\), where \(L\) can be an arbitrary language in NP. We require that the NIZK proof be complete, sound, and zero-knowledge.

• Completeness: Given a witness \(w\) for the statement \(x\in L\) there is an efficient algorithm to construct a convincing proof \(\pi \).

• Soundness: A malicious prover cannot convince the verifier that a false statement is true. We focus on unconditional soundness, where even an adversary with infinite computing power cannot create a convincing proof \(\pi \) for \(x\notin L\).

• Zero-knowledge: A malicious verifier learns nothing but the truth of the statement. In particular, the proof \(\pi \) does not reveal the witness \(w\) that the prover used when constructing the proof \(\pi \).

Only languages in BPP have NIZK proofs in the plain model without any setup [19, 20, 36]. Blum, Feldman and Micali [2] therefore suggested the common reference string model, where the prover and the verifier have access to a bit-string that is assumed to have been generated honestly according to a specific distribution. The common reference string can for instance be generated by a trusted third party or by a set of parties executing a multi-party computation protocol. Groth and Ostrovsky [25] has as an alternative suggested NIZK proofs in the multi-string model, where many parties generate a random string and the security of the NIZK proof relies on a majority of the strings being honestly generated.

1.1 Related Work

NIZK proofs have many applications, ranging from early chosen-ciphertext secure public-key encryption schemes [13] to advanced signature schemes [7, 9]. There is therefore a significant body of research dealing with NIZK proofs.

Blum, Feldman and Micali [2] proposed an NIZK proof for all of NP based on a number theoretic assumption related to factoring. Feige, Lapidot and Shamir [14] gave an NIZK proof for all of NP based on the existence of trapdoor permutations.

While these results established the existence of NIZK proofs based on general assumptions, other works have aimed at defining stronger security properties such as non-malleability [39], robustness [11] and universal composability [8, 27].

There has been significant progress in reducing the complexity of NIZK proofs based on general assumptions [10, 12, 24, 32] and Groth, Ostrovsky and Sahai [23, 26, 27] have constructed practical NIZK proofs using techniques from pairing-based cryptography.

Recently Gentry [15, 16] proposed a fully homomorphic encryption scheme and demonstrated that fully homomorphic encryption can be used to construct NIZK proofs whose size depends only on the size of the witness and on the security parameter, but not on the size of the circuit used to verify the witness. However, the ratio between the proof size and the witness size in this construction grows polynomially with the security parameter.

Soon after Gentry’s construction of fully homomorphic encryption, several groups independently contemplated the use of hybrid encryption to optimize the size of NIZK proofs and other related cryptographic primitives (e.g. [29, 37]). This article formally explores the idea of using fully homomorphic encryption to minimize communication.

1.2 Our Contribution

We construct NIZK proofs for arbitrary NP-languages in which the size of the common reference string is \({\mathrm {poly}}(k)\) and the size of the proof is essentially the same as the witness, i.e., \(|\pi |=|w|+{\mathrm {poly}}(k)\) where \(k\) is the security parameter. This is essentially the best one could hope for given our current knowledge on the complexity of deciding membership of NP-languages. Indeed, any interactive proof system for NP in which the communication from the prover to the verifier is substantially smaller than the witness size would imply a breakthrough in complexity theory [18, 21].

In Table 1, we compare our NIZK proofs with the current state of the art NIZK proofs for Circuit Satisfiability based on, respectively, trapdoor permutations [24] and specific cryptographic assumptions [15, 24, 27]. All of these NIZK proofs are publicly verifiable given the common reference string, the statement and the proof.

Table 1 Comparison of NIZK proofs with security parameter \(k\), circuit size \(|C|\) and witness size \(|w|\)

Our result is quite general and applies not only to standard NIZK proofs, but also to NIZK proofs with stronger security properties such as simulation soundness and non-malleability [39] as well as universal composability [8]. Universally composable NIZK proofs have the property that they retain their security properties in any environment, even an environment where arbitrary protocols are running concurrently with the NIZK proof. We propose a universally composable NIZK proof that is secure against adaptive malicious adversaries assuming provers are able to erase data from their systems after constructing their proofs. The universally composable NIZK proofs are also \(|w|\,+\,{\mathrm {poly}}(k)\) bits long.

1.3 Our Technique: Fully Homomorphic Hybrid Encryption

Our technique is based on a hybrid form of fully homomorphic encryption. A fully homomorphic encryption scheme allows taking two ciphertexts and computing a new ciphertext containing the sum or the product of their plaintexts even if the secret key is unknown. More generally, we can take \(t\) ciphertexts and compute a new ciphertext containing the evaluation of an arbitrary circuit on their plaintexts. Following the breakthrough work of Gentry [16], several subsequent works improved the efficiency of fully homomorphic encryption and the assumptions on which it can be based [3–6, 40–42].

There are many applications of fully homomorphic encryption schemes. It is not known whether they imply the existence of NIZK proofs though. However, if NIZK proofs do exist then fully homomorphic encryption can be used to reduce the size of the proofs. Gentry [15] showed that using fully homomorphic encryption it is possible to get NIZK proofs where the proof size is proportional to the witness size. If we are looking at the satisfiability of a large circuit with a few input wires, i.e., a small witness for satisfiability, this is a significant improvement over other NIZK proofs that tend to grow proportionally to the circuit size.

Gentry proposed to encrypt every bit of the witness using a fully homomorphic encryption scheme. Using the operations of the fully homomorphic encryption scheme it is possible to evaluate the circuit on the plaintexts to get a ciphertext that contains the output. Using an NIZK proof the prover then constructs a proof for the public key being valid, the encrypted inputs being valid ciphertexts and the output ciphertext being an encryption of \(1\). Since the proof contains \(|w|\) ciphertexts and \(|w|\) proofs of their correctness the total complexity is \(|w|\cdot {\mathrm {poly}}(k)\).

In this paper, we present a simple modification of Gentry’s NIZK proof that decreases the proof size to \(|w|+{\mathrm {poly}}(k)\). The idea is to construct a fully homomorphic hybrid encryption scheme. We first encrypt the witness \(w\) using a symmetric key encryption scheme, for instance using a one-time pad with a pseudorandom string, and then use the fully homomorphic encryption scheme both to decrypt the symmetrically encrypted witness and then evaluate the circuit on the witness.

More precisely, the prover will given a witness \(w\) for the satisfiability of a circuit \(C\) construct \((u,\mathrm{{pk}},\bar{s})\), where \(u\) is an encryption of \(w\) using a symmetric encryption scheme and pk is a public key for the fully homomorphic encryption scheme and \(\bar{s}\) is a fully homomorphic encryption of the secret key \(s\) used to construct \(u\). Now the prover gives an NIZK proof for pk being a valid public key, \(\bar{s}\) being a valid encryption of a key \(s\) and that after decrypting \(u\) using \(s\) and evaluating \(C\) on the resulting plaintext the output is \(1\). The length of \(u\) is \(|w|\) and the polynomially many other components are of size \({\mathrm {poly}}(k)\) each so the total size of the proof is \(|w|+{\mathrm {poly}}(k)\).

Fully homomorphic hybrid encryption is applicable in many situations. We apply it to non-interactive zero-knowledge proofs here, but one could for instance also use it in a similar way to get interactive zero-knowledge proofs in the plain model with a communication complexity of \(|w|+{\mathrm {poly}}(k)\). This compares favorably with the best previous communication-efficient interactive zero-knowledge proofs [22, 30, 31], in which the communication complexity either grows linearly with the circuit size or is polynomial in the witness size and restricted to low-depth circuits. Following a preliminary version of our work, a similar use of fully homomorphic hybrid encryption has been used in the context of computationally private information retrieval [4, 33].

An additional application of fully homomorphic hybrid encryption is to minimizing communication in general secure computation. For simplicity, we address here the case of secure two-party computation in the semi-honest model (i.e., when the parties are honest-but-curious). Concretely, consider the case where Alice and Bob hold inputs \(x\) and \(y\) respectively and want to compute \(f(x,y)\) for a given polynomial time computable function \(f\). Using a fully homomorphic hybrid encryption scheme, there is a simple 2-party protocol to accomplish this task that is secure against static honest-but-curious adversaries: Alice encrypts \(x\) under her own key and Bob using the fully homomorphic property evaluates the function \(f(\cdot ,y)\) on the encrypted \(x\), which Alice can then decrypt. The communication of this protocol is \(|x|+{\mathrm {poly}}(k)\cdot |f(x,y)|\) bits, which is optimal for functions \(f(x,y)\) with a small output, such as the function corresponding to Yao’s millionaires problem [43]. Using specific fully homomorphic encryption schemes [6, 33] the communication can be reduced further to be \(|x|+|f(x,y)|\cdot (1+o(1))+{\mathrm {poly}}(k)\), which is useful when the output is large. We note that this approach can also be applied in the multi-party case via the use of threshold fully homomorphic encryption [16], and that security against malicious parties can be obtained without increasing the asymptotic communication complexity by using sublinear-communication arguments (cf. [34]).

2 Preliminaries

Given two functions \(f,g:\mathbb {N}\rightarrow [0,1]\) we write \(f(k)\approx g(k)\) when \(|f(k)-g(k)|=O(k^{-c})\) for every constant \(c>0\). We say that \(f\) is negligible if \(f(k)\approx 0\) and that \(f\) is overwhelming if \(f(k)\approx 1\).

We write \(y=A(x;r)\) when the algorithm \(A\) on input \(x\) and randomness \(r\), outputs \(y\). We write \(y\leftarrow A(x)\) for the process of picking randomness \(r\) at random and setting \(y=A(x;r)\). We also write \(y\leftarrow S\) for sampling \(y\) uniformly at random from the set \(S\).

We will now define non-interactive zero-knowledge proofs and describe three tools that will be used in our constructions of minimal size NIZK proofs, namely fully homomorphic encryption schemes, pseudorandom generators and strong one-time signatures.

2.1 Fully Homomorphic Public-Key Encryption

A fully homomorphic bit-encryption scheme enables computation on encrypted bits. There is an evaluation algorithm \({\mathrm {Eval}}\) that takes as input an arbitrary Boolean circuit and an appropriate number of ciphertexts and outputs a new ciphertext containing the output of the circuit evaluated on the plaintexts.

The encryption scheme consists of four algorithms \((K_{\mathrm {FHE}},E,D,{\mathrm {Eval}})\). The probabilistic polynomial time key generation algorithm \(K_{\mathrm {FHE}}\) on input \(1^{k}\) (and randomness \(\rho \leftarrow \{0,1\}^{\ell _{K_{\mathrm {FHE}}}(k)}\)) outputs a public key pk and a decryption key dk. The probabilistic polynomial time encryption algorithm \(E\) given a public key pk and a bit \(b\) (and randomness \(r\leftarrow \{0,1\}^{\ell _E(k)}\)) outputs a ciphertext \(c\). The deterministic polynomial time decryption algorithm \(D\) given a public key pk and a ciphertext \(c\) returns a bit \(b\) or an error symbol \(\bot \). Finally, the deterministic polynomial time evaluation algorithm \({\mathrm {Eval}}\) takes a public key pk, a Boolean circuit \(C\) and \(t\) ciphertexts as input and returns a ciphertext. We require that the encryption scheme be compact, which means that there is a polynomial upper bound \(\ell _{\mathrm {Eval}}(k)\) on the size of the ciphertexts output by \({\mathrm {Eval}}\), which is independent of the size of the circuit \(C\).

We will often encrypt a bit-string one bit at a time. We therefore define \(E_\mathrm{{pk}}(m)\) to be the tuple \((E_\mathrm{{pk}}(m_1),\ldots ,E_\mathrm{{pk}}(m_{|m|}))\), where \(m_1,\ldots ,m_{|m|}\) are the bits of \(m\). When being explicit about the randomness used, we define \(E_\mathrm{{pk}}(m;\bar{r})=(E_\mathrm{{pk}}(m_1;r_1),\ldots ,E_\mathrm{{pk}}(m_{|m|};r_{|m|}))\) for \(\bar{r}=(r_1,\ldots ,r_{|m|})\in (\{0,1\}^{\ell _E(k)})^{|m|}\).

The properties we need from the fully homomorphic encryption scheme are correctness and indistinguishability under chosen plaintext attack as defined below.

Definition 1

(Correctness) \((K_{\mathrm {FHE}},E,D,{\mathrm {Eval}})\) is (perfectly) correct if for all all inputs \(m\in \{0,1\}^*\) and all Boolean circuits \(C\) with \(|m|\) input bits

$$\begin{aligned} \Pr \left[ (\mathrm{{pk}},\mathrm{{dk}})\leftarrow K_{\mathrm {FHE}}(1^{k}); \bar{m}\leftarrow E_\mathrm{{pk}}(m); v={\mathrm {Eval}}_\mathrm{{pk}}(C;\bar{m}): D_{\mathrm{{dk}}}(v)=C(m)\right] =1. \end{aligned}$$

Definition 2

(IND-CPA security) \((K_{\mathrm {FHE}},E,D,{\mathrm {Eval}})\) is indistinguishable under chosen plaintext attack (IND-CPA secure) if for all non-uniform polynomial time \(\mathcal {A}\)

$$\begin{aligned} \Pr \left[ (\mathrm{{pk}},\mathrm{{dk}})\leftarrow K_{\mathrm {FHE}}(1^{k}); b \leftarrow \{0,1\}; c\leftarrow E_\mathrm{{pk}}(b):\mathcal {A}(c)=b\right] \approx \frac{1}{2}. \end{aligned}$$

Please note that by a standard hybrid argument the above security definition implies IND-CPA security also when using \(E_\mathrm{{pk}}\) for a bit-by-bit encryption of an arbitrary polynomial-size message \(m\).

2.2 Pseudorandom Generators

A length-flexible pseudorandom generator is a deterministic polynomial time algorithm \(G\) that on input \((s,\ell )\), where \(s\in \{0,1\}^k\), returns an \(\ell \)-bit string. Pseudorandomness means that \(G\)’s output looks random, which we now define formally.

Definition 3

(Pseudorandom generator) \(G\) is a pseudorandom generator if for all non-uniform polynomial time \(\mathcal {A}\) and all polynomially bounded \(\ell \)

$$\begin{aligned} \Pr \left[ s\leftarrow \{0,1\}^k; y=G(s,\ell (k)): \mathcal {A}(y)=1\right] \approx \Pr \left[ y\leftarrow \{0,1\}^{\ell (k)}: \mathcal {A}(y)=1\right] . \end{aligned}$$

Length-flexible pseudorandom generators can be constructed from one-way functions [28]. The existence of fully homomorphic encryption therefore implies the existence of length-flexible pseudorandom generators.

2.3 Strong One-Time Signatures

A strong one-time signature scheme consists of three algorithms \((K_{\mathrm {SIG}},{\mathrm {Sign}},{\mathrm {Vfy}})\). The key generation algorithm \(K_{\mathrm {SIG}}\) is a probabilistic polynomial time algorithm that on input \(1^{k}\) returns a verification key vk and a signing key sk. The signing algorithm \({\mathrm {Sign}}\) is a probabilistic polynomial time algorithm that on input sk and an arbitrary message \(m\) returns a signature \({\mathrm {sig}}\). The signature verification algorithm \({\mathrm {Vfy}}\) is a deterministic polynomial time algorithm that given a verification key vk, a message \(m\) and a signature \({\mathrm {sig}}\) returns \(1\) (acceptance) or \(0\) (rejection). We require that the scheme be correct and strongly existentially unforgeable under a single chosen message attack, where “strongly” means that the adversary is not even allowed to obtain a different signature on the same message. We give the formal definition below.

Definition 4

(Correctness) \((K_{\mathrm {SIG}},{\mathrm {Sign}},{\mathrm {Vfy}})\) is (perfectly) correct if for all \(m\in \{0,1\}^*\)

$$\begin{aligned} \Pr \left[ (\mathrm{{vk}},\mathrm{{sk}})\leftarrow K_{\mathrm {SIG}}(1^{k}); {\mathrm {sig}}\leftarrow \mathrm {Sign}_{\mathrm{{sk}}}(m): {\mathrm {Vfy}}_{\mathrm{{vk}}}(m,{\mathrm {sig}})=1\right] =1. \end{aligned}$$

Definition 5

(Strong existential unforgeability under one-time chosen message attack) \((K_{\mathrm {SIG}},{\mathrm {Sign}},{\mathrm {Vfy}})\) is strongly existentially unforgeable under a one-time chosen message attack if for all non-uniform polynomial time stateful interactive \(\mathcal {A}\)

$$\begin{aligned}&\Pr \left[ (\mathrm{{vk}},\mathrm{{sk}})\leftarrow K_{\mathrm {SIG}}(1^{k}); m\leftarrow \mathcal {A}(\mathrm{{vk}}); {\mathrm {sig}}\leftarrow \mathrm {Sign}_{\mathrm{{sk}}}(m); (m',{\mathrm {sig}}')\leftarrow \mathcal {A}({\mathrm {sig}}):\right. \\&\qquad \qquad \left. (m',{\mathrm {sig}}')\ne (m,{\mathrm {sig}}) \ \wedge \ {\mathrm {Vfy}}_{\mathrm{{vk}}}(m',{\mathrm {sig}}')=1\right] \approx 0. \end{aligned}$$

We will use a strong one-time signature scheme that has fixed-length signatures, i.e., where there is a polynomial upper bound \(\ell _{\mathrm {SIG}}(k)\) on the length of the signatures.

Fixed-length strong one-time signatures can be constructed from one-way functions (from universal one-way hash-functions [35] and Lamport signatures used in combination with Merkle trees [38]). The existence of fully homomorphic encryption therefore implies the existence of fixed-length strong one-time signatures.

2.4 Non-Interactive Zero-Knowledge Proofs

Let \(R\) be a polynomially bounded, polynomial time computable binary relation. For pairs \((x,w)\in R\) we call \(x\) the statement and \(w\) the witness. Let \(L\) be the NP-language \(L=\{\ x\ : \exists w\ (x,w)\in R\ \}\). We write \(R(x,w)\in \{0,1\}\) (0 is no, 1 is yes) for the output of the polynomial time decision algorithm for \(R\) on input \((x,w)\).

We will construct NIZK proofs that have almost the same size as the witnesses. The proofs therefore leak the length of the witnesses, so we will assume that for all \(x\in L\) of the same length, all witnesses have the same length which can be efficiently computed given \(1^{|x|}\). There is only little loss of generality here, since by definition of NP all witnesses have length polynomial in \(|x|\) and an appropriate amount of padding could be used to ensure that all witnesses have the same length. We note that most popular NP-complete languages such as SAT, Circuit Satisfiability and Hamiltonicity have statements that uniquely determine the length of potential witnesses.

An efficient-prover non-interactive zero-knowledge proof for the relation \(R\) consists of three probabilistic polynomial time algorithms \((K,P,V)\). \(K\) is the common reference string generator that takes the security parameter written in unary \(1^{k}\) and outputs a common reference string \(\sigma \).¹ \(P\) is the prover algorithm that takes as input the common reference string \(\sigma \), a statement \(x\) and a witness \(w\) such that \((x,w)\in R\) and outputs a proof \(\pi \). \(V\) is the verifier algorithm that on a common reference string \(\sigma \), a statement \(x\) and a proof \(\pi \) outputs \(0\) or \(1\). We interpret a verifier output of \(0\) as a rejection of the proof and a verifier output of \(1\) as an acceptance of the proof.

Definition 6

\((K,P,V)\) is a non-interactive zero-knowledge proof for \(R\) if it is complete, sound and zero-knowledge as described below.

Perfect completeness. Completeness means that a prover with a witness can convince the verifier. For all adversaries \(\mathcal {A}\)

$$\begin{aligned} \Pr \left[ \sigma \leftarrow K(1^{k});(x,w)\leftarrow \mathcal {A}(\sigma );\pi \leftarrow P(\sigma ,x,w):V(\sigma ,x,\pi )\!=\!1 \text { if } (x,w)\in R\right] \!=\!1. \end{aligned}$$

Statistical soundness. Soundness means that it is impossible to convince the verifier of a false statement. For all adversaries \(\mathcal {A}\)

$$\begin{aligned} \Pr \left[ \sigma \leftarrow K(1^{k});(x,\pi )\leftarrow \mathcal {A}(\sigma ): x\notin L \text { and } V(\sigma ,x,\pi )=1 \right] \approx 0. \end{aligned}$$

If the probability is exactly \(0\), we say \((K,P,V)\) is perfectly sound.

Computational zero-knowledge. \((K,P,V)\) is zero-knowledge if it is possible to simulate the proof of a true statement without knowing the witness. Formally, we require the existence of a probabilistic polynomial time simulator \(S=(S_1,S_2)\). \(S_1\) outputs a simulated common reference string \(\sigma \) and a simulation trapdoor \(\tau \). \(S_2\) takes the simulation trapdoor and a statement as input and produces a simulated proof \(\pi \). We require for all non-uniform polynomial time adversaries \(\mathcal {A}\)

$$\begin{aligned} \Pr \left[ \sigma \leftarrow K(1^{k}): \mathcal {A}^{P(\cdot ,\cdot )}(\sigma )=1\right] \approx \Pr \left[ (\sigma ,\tau )\leftarrow S_1(1^{k}):\mathcal {A}^{S(\cdot ,\cdot )}(\sigma )=1\right] , \end{aligned}$$

where \(P(\cdot ,\cdot )\) on input \((x,w)\in R\) returns \(\pi \leftarrow P(\sigma ,x,w)\) and \(S(\cdot ,\cdot )\) on input \((x,w)\in R\) returns \(\pi \leftarrow S_2(\tau ,x)\).

3 Minimal NIZK Proofs from Fully Homomorphic Encryption

We will now construct an NIZK proof system for an arbitrary NP-relation \(R\). The common reference string has length \({\mathrm {poly}}(k)\) and the proof for a statement \(x\) has size \(|w|+{\mathrm {poly}}(k)\), where \(|w|\) is the size of witnesses for \(x\).

As explained in the introduction, the idea in the proof system is to use a pseudorandom one-time pad to encrypt the witness as \(u=w\oplus G(s,|w|)\). This ciphertext has length \(|w|\). Using a fully homomorphic encryption scheme the prover encrypts the seed \(s\) for the pseudorandom one-time pad. Both the prover and the verifier can use the evaluation algorithm to compute a fully homomorphic encryption of \(R(x,u\oplus G(s,|w|))\). The prover gives an NIZK proof for the key for the fully homomorphic encryption scheme having been correctly generated, that a seed \(s\) has been correctly encrypted and that the resulting encryption of \(R(x,u\oplus G(s,|w|))\) decrypts to \(1\). The fully homomorphic encryption part and the NIZK proof have size polynomial in \(k\), independently of the sizes of \(|w|\) or \(|x|\). The total size of the proof is therefore \(|w|+{\mathrm {poly}}(k)\).

In order to make this more precise, define given a relation \(R\) and a pseudorandom generator \(G\) the deterministic polynomial time computable function \(f\) that takes as input the security parameter \(k\), a statement \(x\) and a string \(u\) of length \(|w|\) and outputs a Boolean circuit \(C_{x,u}\) with \(k\) input wires such that \(C_{x,u}(\cdot )=R(x,u\oplus G(\cdot ,|w|))\). Define also given a fully homomorphic encryption scheme \((K_{\mathrm {FHE}},E,D,{\mathrm {Eval}})\) the relation

$$\begin{aligned} R^F&=\{((\mathrm{{pk}},\bar{s},v),(\rho ,s,\bar{r})): \rho \in \{0,1\}^{\ell _{K_{\mathrm {FHE}}}(k)} \wedge (\mathrm{{pk}},\mathrm{{dk}})\\&= K_{\mathrm {FHE}}(1^{k};\rho ) \wedge \bar{r} \in (\{0,1\}^{\ell _E(k)})^{|s|} \wedge \bar{s}\\&= E_\mathrm{{pk}}(s;\bar{r}) \wedge D_{\mathrm{{dk}}}(v)=1\}. \end{aligned}$$

Let \((K^F,P^F,V^F)\) be an NIZK proof system for \(R^F\) with zero-knowledge simulator \((S_1^F,S_2^F)\). We can now give the detailed specification of the NIZK proof for \(R\) in Fig. 1.

Fig. 1

NIZK proof system for \(R\)

Theorem 7

\((K,P,V)\) described in Fig. 1 is an NIZK proof system for \(R\).

proof

Perfect completeness follows from the perfect completeness of \((K^F,P^F,V^F)\) and the perfect correctness of the fully homomorphic encryption scheme. The prover generates a valid key pair \((\mathrm{{pk}},\mathrm{{dk}})\), makes valid encryptions of the bits in \(s\) and by the correctness of the fully homomorphic encryption scheme \(v\) decrypts to \(1\) provided \(w=u\oplus G(s,|w|)\) is a witness for \(x\). The statement and witness provided to \(P^F\) is therefore valid and the completeness of \((K^F,P^F,V^F)\) implies that the resulting proof \(\pi \) is acceptable.

Statistical soundness follows from the statistical soundness of \((K^F,P^F,V^F)\) and the correctness of the fully homomorphic encryption scheme. To see this, consider a proof \(\Pi =(\mathrm{{pk}},\bar{s},u,\pi )\) for a statement \(x\). By the statistical soundness of \(\pi \) there exists \(\rho \) such that \((\mathrm{{pk}},\mathrm{{dk}})=K_{\mathrm {FHE}}(1^{k};\rho )\) and \(v={\mathrm {Eval}}_\mathrm{{pk}}(C_{x,u},\bar{s})\) decrypts to 1 under \(\mathrm{{dk}}\). Furthermore, the statistical soundness also guarantees that \(\bar{s}=E_\mathrm{{pk}}(s;\bar{r})\) for some seed \(s\) and randomness \(\bar{r}\). The perfect correctness of the fully homomorphic encryption scheme now guarantees that \(w=u\oplus G(s,|w|)\) is a witness for \(x\in L\).

Computational zero-knowledge follows from the computational zero-knowledge of \((K^F,P^F,V^F)\), the pseudorandomness of \(G\) and the IND-CPA security of \((K_{\mathrm {FHE}},E,D,{\mathrm {Eval}})\). Figure 1 describes a zero-knowledge simulator \((S_1,S_2)\) and we will now show that for every non-uniform polynomial time \(\mathcal {A}\)

$$\begin{aligned}&\Pr \left[ \sigma \leftarrow K(1^{k}): \mathcal {A}^{P(\cdot ,\cdot )}(\sigma )=1\right] \approx \Pr \left[ (\sigma ,\tau )\leftarrow S_1(1^{k}): \mathcal {A}^{S(\cdot ,\cdot )}(\sigma )=1\right] , \end{aligned}$$

where \(P(\cdot ,\cdot )\) on input \((x,w)\in R\) returns \(P(\sigma ,x,w)\) and \(S(\cdot ,\cdot )\) on input \((x,w)\in R\) returns \(S_2(\tau ,x)\).

Consider generating the common reference string using \((\sigma ,\tau )\leftarrow S_1^F(1^{k})\) instead of using \(K=K^F\) and consider a modified oracle \(P'(\cdot ,\cdot )\) that on \((x,w)\in R\) returns a proof \(\Pi =(\mathrm{{pk}},\bar{s},u,\pi )\) generated as a normal prover \(P(\sigma ,x,w)\) would do except instead of computing \(\pi \leftarrow P^F(\sigma ,(\mathrm{{pk}},\bar{s},v),(\rho ,s,\bar{r}))\) it simulates \(\pi \leftarrow \mathcal {S}_2^F(\tau ,(\mathrm{{pk}},\bar{s},v))\). By the zero-knowledge property of \((K^F,P^F,V^F)\) we have for all non-uniform polynomial time \(\mathcal {A}\)

$$\begin{aligned}&\Pr \left[ \sigma \leftarrow K(1^{k}): \mathcal {A}^{P(\cdot ,\cdot )}(\sigma )=1\right] \approx \Pr \left[ (\sigma ,\tau )\leftarrow S_1^F(1^{k}): \mathcal {A}^{P'(\cdot ,\cdot )}(\sigma )=1\right] . \end{aligned}$$

Let \(P''\) be a modification of \(P'\) where the responses \(\Pi =(\mathrm{{pk}},\bar{s},u,\pi )\) are generated by computing \(\bar{s}\leftarrow E_\mathrm{{pk}}(0^k)\). By the IND-CPA security of \((K_{\mathrm {FHE}},E,D,{\mathrm {Eval}})\) a hybrid argument gives us that for all non-uniform polynomial time \(\mathcal {A}\)

$$\begin{aligned}&\Pr \left[ (\sigma ,\tau )\leftarrow S_1^F(1^{k}): \mathcal {A}^{P'(\cdot ,\cdot )}(\sigma )=1\right] \approx \Pr \left[ (\sigma ,\tau )\leftarrow S_1^F(1^{k}): \mathcal {A}^{P''(\cdot ,\cdot )}(\sigma )=1\right] . \end{aligned}$$

Finally, since \(S_1=S_1^F\) we can view \(S\) as a modification of \(P''\) where the responses \(\Pi =(\mathrm{{pk}},\bar{s},u,\pi )\) are generated such that \(u\leftarrow \{0,1\}^{|w|}\). By the pseudorandomness of \(G\) we have for all non-uniform polynomial time \(\mathcal {A}\)

$$\begin{aligned}&\Pr \left[ (\sigma ,\tau )\leftarrow S_1^F(1^{k}): \mathcal {A}^{P''(\cdot ,\cdot )}(\sigma )=1\right] \approx \Pr \left[ (\sigma ,\tau )\leftarrow S_1(1^{k}): \mathcal {A}^{S(\cdot ,\cdot )}(\sigma )=1\right] . \end{aligned}$$

We conclude that \((S_1,S_2)\) is a zero-knowledge simulator for \((K,P,V)\). \(\square \)

The transformation preserves many properties of the underlying NIZK proof \((K^F,P^F,V^F)\). If \(K^F\) outputs uniformly random common reference strings, then so does \(K\). If the underlying NIZK proof has perfect soundness, then so does \((K,P,V)\). If the underlying NIZK proof is a proof of knowledge, i.e., given a secret extraction key \(\xi \) related to the common reference string it is possible to extract the witness, then so is the resulting witness-length NIZK proof.

4 Universally Composable NIZK Proofs from Fully Homomorphic Encryption

We will now give an NIZK proof system that is secure in the universal composability (UC) framework [8]. Universally composable NIZK proofs are secure even in an environment where arbitrary other protocols are running concurrently and automatically satisfy strong security notions such as non-malleability. The universally composable NIZK proofs we construct are communication-efficient consisting of \(|w|+{\mathrm {poly}}(k)\) bits.

In the universal composability framework the secure execution of a protocol by a set of parties is modeled by an ideal functionality. We say a protocol is secure if it is equivalent to the parties handing all their inputs to an honest, trusted and incorruptible ideal functionality, which computes the corresponding protocol outputs and hands them to the parties. The parties send their protocol inputs and receive their protocol outputs through a secure private authenticated channel to the ideal functionality, although we allow for the adversary to schedule or block the arrival of outputs.

We are interested in securely realizing the ideal non-interactive zero-knowledge functionality \(\mathcal {F}_{\mathrm {NIZK}}^R\) described in Fig. 2. The session ids \(sid\) are used to distinguish different invocations of the same functionality, which may for instance use different common reference strings in the underlying implementations. The functionality captures completeness by allowing a prover to compute a proof \(\pi \) for a statement \(x\) if it has a witness \(w\) such that \((x,w)\in R\) and will always verify such proofs as being correct. The ideal functionality captures an ideal form of soundness, since the only way a proof \(\pi \) for a statement \(x\) can be accepted is if at some point a witness \(w\) such that \((x,w)\in R\) has been provided to the ideal functionality. The ideal functionality also captures an ideal form of zero-knowledge, since it leaks no information about the witnesses used by honest provers.

Fig. 2

Ideal NIZK proof functionality \(\mathcal {F}_{\mathrm {NIZK}}^R\)

Let us clarify what it means to securely realize \(\mathcal {F}_{\mathrm {NIZK}}^R\). We will construct a protocol \(\phi _{\mathrm {NIZK}}\) to be run by parties \(P_1,\ldots ,P_n\) that receive protocol inputs and make protocol outputs to the environment in which they are operating. We model the environment as a non-uniform polynomial time algorithm \(\mathcal {Z}\). The execution of the protocol itself is attacked by a non-uniform polynomial time adversary \(\mathcal {A}\) that may communicate with the environment and corrupt parties adaptively. When corrupting a party \(P_i\) the adversary learns the present state of the party and takes control over the actions of \(P_i\). We say the protocol \(\phi _{\mathrm {NIZK}}\) securely realizes \(\mathcal {F}_{\mathrm {NIZK}}^R\) if there is a simulator \(\mathcal {S}\) that can simulate the protocol execution on top of the ideal functionality \(\mathcal {F}_{\mathrm {NIZK}}^R\). The simulator \(\mathcal {S}\) runs with dummy parties \(\tilde{P}_1,\ldots ,\tilde{P}_n\) that instead of running \(\phi _{\mathrm {NIZK}}\) simply forward their inputs to the ideal functionality \(\mathcal {F}_{\mathrm {NIZK}}^R\) and return the responses from \(\mathcal {F}_{\mathrm {NIZK}}^R\) to the environment. The simulator \(\mathcal {S}\) has the same ability as \(\mathcal {A}\) to corrupt dummy parties and to communicate with the environment, but does not have access to the internals of the ideal execution taking place inside \(\mathcal {F}_{\mathrm {NIZK}}^R\). Formally, \(\phi _{\mathrm {NIZK}}\) securely realizes \(\mathcal {F}_{\mathrm {NIZK}}^R\) if for any non-uniform polynomial time adversary \(\mathcal {A}\) there is a non-uniform polynomial time simulator \(\mathcal {S}\) such that no non-uniform polynomial time environment can distinguish between \(\phi _{\mathrm {NIZK}}\) executed by real parties \(P_1,\ldots ,P_n\) under attack by \(\mathcal {A}\) and \(\mathcal {F}_{\mathrm {NIZK}}^R\) being used by dummy parties \(\tilde{P}_1,\ldots ,\tilde{P}_n\) in the simulation by \(\mathcal {S}\).

We will present a non-interactive protocol \(\phi _{\mathrm {NIZK}}\) that securely realizes \(\mathcal {F}_{\mathrm {NIZK}}^R\) for an arbitrary NP-relation \(R\). A proof for a statement \(x\) with witnesses of size \(|w|\) consists of \(|w|+{\mathrm {poly}}(k)\) bits. We make two assumptions, namely that a fully homomorphic encryption scheme \((K_{\mathrm {FHE}},E,D,{\mathrm {Eval}})\) exists and that \(\mathcal {F}_{\mathrm {NIZK}}^{R^F}\) can be securely realized for the relation

$$\begin{aligned} R^F&=\{((\mathrm{{pk}},\bar{s},v,\mathrm{{vk}}),(\rho ,s,\bar{r})): \rho \in \{0,1\}^{\ell _{K_{\mathrm {FHE}}}(k)} \wedge (\mathrm{{pk}},\mathrm{{dk}})\\&= K_{\mathrm {FHE}}(1^{k};\rho ) \wedge \bar{r} \in (\{0,1\}^{\ell _E(k)})^{|s|} \wedge \bar{s}\\&= E_\mathrm{{pk}}(s;\bar{r}) \wedge D_{\mathrm{{dk}}}(v)=1\}. \end{aligned}$$

We have generalized \(R^F\) slightly compared to the previous section by allowing statements to have an arbitrary string vk in the end. This will be used later in combination with one-time signatures to prevent proofs from being modified.

There are several examples of protocols securely realizing \(\mathcal {F}_{\mathrm {NIZK}}^R\) for Circuit Satisfiability in the common reference string model [11, 23, 27] and in the multi-string model [25] under standard cryptographic assumptions, and a related functionality has been securely realized in the registered public key model [1]. This implies that we already have many candidates for a secure realization of \(\mathcal {F}_{\mathrm {NIZK}}^{R^F}\). A useful feature of the UC framework is the universal composition theorem [8] that says if a protocol \(\phi ^{\mathcal {F}'}\) securely realizes an ideal functionality \(\mathcal {F}\) in an \(\mathcal {F}'\)-hybrid model where it can make calls to an ideal functionality \(\mathcal {F}'\), then for any protocol \(\psi \) securely realizing \(\mathcal {F}'\) we have that \(\phi ^{\psi }\) securely realizes \(\mathcal {F}\). Our result therefore says that any secure realization of \(\mathcal {F}_{\mathrm {NIZK}}^{R^F}\) implies a communication-efficient secure realization of \(\mathcal {F}_{\mathrm {NIZK}}^R\) if fully homomorphic encryption exists.

The construction of our universally composable NIZK proof is quite similar to the NIZK proof in Sect. 3 except the prover will make a strong one-time signature on each proof in order to prevent modifications of the proof and the protocol will call \(\mathcal {F}_{\mathrm {NIZK}}^{R^F}\) instead of using a standard NIZK proof system \((K^F,P^F,V^F)\) in the construction. We therefore proceed directly to giving the details of the protocol in Fig. 3.

Fig. 3

Universally composable NIZK proof for \(R\)

Theorem 8

The protocol \(\phi _{\mathrm {NIZK}}\) in Fig. 3 securely realizes \(\mathcal {F}_{\mathrm {NIZK}}^R\) in the \(\mathcal {F}_{\mathrm {NIZK}}^{R^F}\)-hybrid model.

proof

We have to show that for any adversary \(\mathcal {A}\) there is an ideal process adversary \(\mathcal {S}\) such that no environment \(\mathcal {Z}\) has more than negligible advantage in distinguishing between \(\phi _{\mathrm {NIZK}}\) running with \(P_1,\ldots ,P_n\) and \(\mathcal {A}\) and \(\mathcal {F}_{\mathrm {NIZK}}^R\) running with dummy parties \(\tilde{P}_1,\ldots ,\tilde{P}_n\) and \(\mathcal {S}\). Our proof strategy is to start with \(\phi _{\mathrm {NIZK}}\) running with \(\mathcal {A}\) and modifying the experiment in steps that the environment has negligible probability of distinguishing. For this purpose we define three additional simulators \(\mathcal {S}_{\mathrm {REAL}},\mathcal {S}_{\mathrm {EXT}},\mathcal {S}_{\mathrm {SIM}}\) that are used in intermediate steps and have the ability to control \(\mathcal {F}_{\mathrm {NIZK}}^R\) in various ways. Informally, \(\mathcal {S}_{\mathrm {REAL}}\) running with the ideal functionality \(\mathcal {F}_{\mathrm {NIZK}}^R\) takes full control over \(\mathcal {F}_{\mathrm {NIZK}}^R\) and makes a perfect simulation of \(\mathcal {A}\) running with \(\phi _{\mathrm {NIZK}}\). \(\mathcal {S}_{\mathrm {EXT}}\) modifies the simulation \(\mathcal {S}_{\mathrm {REAL}}\) such that whenever an NIZK proof that has not been created by \(\mathcal {F}_{\mathrm {NIZK}}^R\) is verified as being valid it extracts the corresponding witness and inputs it to \(\mathcal {F}_{\mathrm {NIZK}}^R\). \(\mathcal {S}_{\mathrm {SIM}}\) and \(\mathcal {S}\) complete the security proof by enabling the simulation of honest parties making NIZK proofs without knowledge of the witnesses.

We now give the details of the simulators and the security proof.

\(\mathcal {S}_{\mathrm {REAL}}\)::

\(\mathcal {S}_{\mathrm {REAL}}\) learns the inputs to \(\mathcal {F}_{\mathrm {NIZK}}^R\) and controls the outputs. It can therefore run a perfect simulation of \(P_1,\ldots ,P_n\) and \(\mathcal {A}\) running \(\phi _{\mathrm {NIZK}}\) in the \(\mathcal {F}_{\mathrm {NIZK}}^{R^F}\)-hybrid model. \(\mathcal {S}_{\mathrm {REAL}}\) simulates \(\mathcal {A}\) and forwards all communication between the simulated \(\mathcal {A}\) and the environment \(\mathcal {Z}\). Whenever the simulated \(\mathcal {A}\) corrupts a simulated \(P_i, \mathcal {S}_{\mathrm {REAL}}\) corrupts \(\tilde{P}_i\) and lets it interact with the environment as \(\mathcal {A}\) instructs the simulated \(P_i\) to interact with the environment. When \(\mathcal {S}_{\mathrm {REAL}}\) receives \((\mathbf {prove},P_i,sid,x)\) from \(\mathcal {F}_{\mathrm {NIZK}}^R\) it is because an honest \(\tilde{P}_i\) has input \((\mathbf {prove},sid,x,w)\) with \((x,w)\in R\). Since \(\mathcal {S}_{\mathrm {REAL}}\) knows the inputs to \(\mathcal {F}_{\mathrm {NIZK}}^R\) it can simulate \(P_i\) running \(\phi _{\mathrm {NIZK}}\) in the \(\mathcal {F}_{\mathrm {NIZK}}^{R^F}\)-hybrid model including \(\mathcal {F}_{\mathrm {NIZK}}^{R^F}\) sending \((\mathbf {prove},(\mathrm{{pk}},\bar{s},v,\mathrm{{vk}}))\) to \(\mathcal {A}\) and on getting the answer \((\mathbf {prf},\pi )\) making the signature \({\mathrm {sig}}\) to complete the proof \(\Pi =(\mathrm{{pk}},\bar{s},u,\mathrm{{vk}},\pi ,{\mathrm {sig}})\). \(\mathcal {S}_{\mathrm {REAL}}\) answers \((\mathbf {prf},\Pi )\) to \(\mathcal {F}_{\mathrm {NIZK}}^R\). On input \((\mathbf {verify},P_j,sid,x,\Pi )\) from \(\mathcal {F}_{\mathrm {NIZK}}^R\) the simulator \(\mathcal {S}_{\mathrm {REAL}}\) knows that the honest party \(\tilde{P}_j\) has queried \((\mathbf {verify},sid,x,\Pi )\) to \(\mathcal {F}_{\mathrm {NIZK}}^R\), where \((sid,x,\Pi )\) has not been stored before and hence not been created by an honest party. \(\mathcal {S}_{\mathrm {REAL}}\) simulates \(P_j\) running the verification protocol on input \((\mathbf {verify},sid,x,\Pi )\). The simulator forces \(\mathcal {F}_{\mathrm {NIZK}}^R\) to return the resulting answer \((\mathbf {verification},sid,x,\Pi ,b)\) and stores \((sid,x,\Pi )\) in \(\mathcal {F}_{\mathrm {NIZK}}^R\) if \(b=1\). The simulation by \(\mathcal {S}_{\mathrm {REAL}}\) is exactly like running \(\phi _{\mathrm {NIZK}}\) in the \(\mathcal {F}_{\mathrm {NIZK}}^{R^F}\)-hybrid model, except for the fact that a proof \(\Pi \) for a statement \(x\) output by an honest party \(\tilde{P}_i\) is guaranteed to be accepted in the verification phase and once a proof \(\Pi \) for a statement \(x\) is accepted, it will always be accepted by \(\mathcal {F}_{\mathrm {NIZK}}^R\). However, if we look at a real execution of \(\phi _{\mathrm {NIZK}}\) we see that the correctness of the signature scheme, the correctness of the fully homomorphic encryption scheme and the properties of \(\mathcal {F}_{\mathrm {NIZK}}^{R^F}\) guarantees that proofs \(\Pi \) created by honest parties \(P_i\) are accepted and also that accepted proofs will always be accepted again. To the environment, a real execution of \(\phi _{\mathrm {NIZK}}\) in the \(\mathcal {F}_{\mathrm {NIZK}}^{R^F}\)-hybrid model with adversary \(\mathcal {A}\) is perfectly indistinguishable from the simulation by \(\mathcal {S}_{\mathrm {REAL}}\) running with \(\mathcal {F}_{\mathrm {NIZK}}^R\).

\(\mathcal {S}_{\mathrm {EXT}}\)::

\(\mathcal {S}_{\mathrm {EXT}}\) runs like \(\mathcal {S}_{\mathrm {REAL}}\) when proofs are constructed, but changes the way proofs are verified. As \(\mathcal {S}_{\mathrm {REAL}}\) it simulates \(P_j\) getting input \((\mathbf {verify},sid,x,\Pi )\) in the execution of \(\phi _{\mathrm {NIZK}}\), but if the answer is \((\mathbf {verification},sid,x,\Pi ,1)\) then it extracts a witness \(w\) such that \((x,w)\in R\) and aborts the simulation if the extraction fails. More precisely, on input \((\mathbf {verify},P_j,sid,x,\Pi )\) from \(\mathcal {F}_{\mathrm {NIZK}}^R\) the simulator \(\mathcal {S}_{\mathrm {EXT}}\) simulates the honest \(P_j\) getting input \((\mathbf {verify},sid,x,\Pi )\) in \(\phi _{\mathrm {NIZK}}\). If \(P_j\) outputs \((\mathbf {verification},sid,x,\Pi ,0)\) then \(\mathcal {S}_{\mathrm {EXT}}\) returns \((\mathbf {witness},\bot )\) to \(\mathcal {F}_{\mathrm {NIZK}}^R\) and forwards the resulting \((\mathbf {verification},sid,x,\Pi ,0)\) message to \(\tilde{P}_j\). On the other hand, if \(P_j\) outputs \((\mathbf {verification},sid,x,\Pi ,1)\) then \(\mathcal {S}_{\mathrm {EXT}}\) will try to extract a witness \(w\) such that \((x,w)\in R\), return \((\mathbf {witness},w)\) to \(\mathcal {F}_{\mathrm {NIZK}}^R\) and send the resulting \((\mathbf {verification},sid,x,\Pi ,1)\) message to \(\tilde{P}_j\). \(\mathcal {S}_{\mathrm {EXT}}\) parses \(\Pi =(\mathrm{{pk}},\bar{s},u,\mathrm{{vk}},\pi ,{\mathrm {sig}})\). We only need to extract a witness for \(\Pi \), when the signature \({\mathrm {sig}}\) on \((x,\mathrm{{pk}},\bar{s},u,\mathrm{{vk}},\pi )\) is valid, because otherwise the protocol \(\phi _{\mathrm {NIZK}}\) will reject the proof. Part of the verification protocol consists in querying \(\mathcal {F}_{\mathrm {NIZK}}^{R^F}\) on \((\mathbf {verify},sid,(\mathrm{{pk}},\bar{s},v,\mathrm{{vk}}),\pi )\), where \(v={\mathrm {Eval}}_{\mathrm{{pk}}}(C_{x,u},\bar{s})\). The simulated \(\mathcal {F}_{\mathrm {NIZK}}^{R^F}\) will only return \((\mathbf {verification},sid,x,\pi ,1)\) if an honest party created the proof \(\pi \) on \((\mathrm{{pk}},\bar{s},v,\mathrm{{vk}})\) or if \(\mathcal {A}\) supplies a witness \((\rho ,s,\bar{r})\) such that \((\mathrm{{pk}},\mathrm{{dk}})=K_{\mathrm {FHE}}(1^{k};\rho )\) and \(\bar{s}=E_\mathrm{{pk}}(s;\bar{r})\) and \(D_{\mathrm{{dk}}}(v)=1\). In the latter case, this tells \(\mathcal {S}_{\mathrm {EXT}}\) what \(\mathrm{{dk}}\) is and hence it can compute \(s\) and \(w=u\oplus G(s,|w|)\). The correctness of the fully homomorphic encryption scheme shows that in this case, the witness \(w\) satisfies \((x,w)\in R\) and therefore \(\mathcal {S}_{\mathrm {EXT}}\) can submit \((\mathbf {witness},w)\) to \(\mathcal {F}_{\mathrm {NIZK}}^R\). On the other hand, if an honest party created the proof \(\pi \) on \((\mathrm{{pk}},\bar{s},v,\mathrm{{vk}})\) then the strong existential unforgeability of the one-time signature scheme implies that there is negligible probability of the adversary producing a different valid signature \({\mathrm {sig}}\) using \(\mathrm{{vk}}\). There is therefore only negligible risk of \(\mathcal {S}_{\mathrm {EXT}}\) not being able to extract a witness \(w\).

\(\mathcal {S}_{\mathrm {SIM}}\)::

\(\mathcal {S}_{\mathrm {EXT}}\) runs the verification process of \(\mathcal {F}_{\mathrm {NIZK}}^R\) without interference, but in the proof process it uses knowledge of the inputs the honest parties provide to \(\mathcal {F}_{\mathrm {NIZK}}^R\). In the next couple of modifications of the simulator, we will move towards simulating the proofs instead of using knowledge of the inputs to \(\mathcal {F}_{\mathrm {NIZK}}^R\). Let \(\mathcal {S}_{\mathrm {SIM}}\) be a modification of \(\mathcal {S}_{\mathrm {EXT}}\) that instead of running a perfect simulation of \(\mathcal {F}_{\mathrm {NIZK}}^{R^F}\) allows simulated honest parties to submit \((\mathbf {prove},sid,(\mathrm{{pk}},\bar{s},v,\mathrm{{vk}})),\bot )\) even if \((x,w)\notin R\). This means, \(\mathcal {F}_{\mathrm {NIZK}}^{R^F}\) may ask \(\mathcal {A}\) for a proof \(\pi \) for a false statement \((\mathrm{{pk}},\bar{s},v,\mathrm{{vk}})\) and store \((sid,(\mathrm{{pk}},\bar{s},v,\mathrm{{vk}}),\pi )\) as being a valid proof and return \((\mathbf {prf},sid,(\mathrm{{pk}},\bar{s},v,\mathrm{{vk}}),\pi )\) to the requesting party \(P_i\). \(\mathcal {S}_{\mathrm {EXT}}\) can now change the way it constructs \(\bar{s}\) to instead set \(\bar{s}\leftarrow E_{\mathrm{{pk}}}(0^{k})\). Due to the IND-CPA security of the fully homomorphic encryption scheme this tuple of ciphertexts \(\bar{s}\) is indistinguishable from a bit-wise encryption of \(s\). Running \(\mathcal {F}_{\mathrm {NIZK}}^R\) with \(\mathcal {S}_{\mathrm {SIM}}\) is therefore computationally indistinguishable from running \(\mathcal {F}_{\mathrm {NIZK}}^R\) with \(\mathcal {S}_{\mathrm {EXT}}\).

\(\mathcal {S}\)::

We will now make a modification of \(\mathcal {S}_{\mathrm {SIM}}\) to get a simulator that does not have access to the internals of \(\mathcal {F}_{\mathrm {NIZK}}^R\). \(\mathcal {S}\) is a modification of \(\mathcal {S}_{\mathrm {SIM}}\) that simulates the proof created by an honest party \(P_i\) by setting \(u\leftarrow \{0,1\}^{|w|}\) instead of using \(u=w\oplus G(s,|w|)\). Since \(G\) is a pseudorandom generator, it is not possible for the environment to distinguish whether \(\mathcal {S}_{\mathrm {SIM}}\) or \(\mathcal {S}\) is making the simulation with \(\mathcal {F}_{\mathrm {NIZK}}^R\).

Since \(\mathcal {S}\) does not need to know the witness when simulating a proof for an honest party \(P_i\), it runs entirely without access to or control over the workings of \(\mathcal {F}_{\mathrm {NIZK}}^R\). As we have shown \(\mathcal {S}\) running with \(\mathcal {F}_{\mathrm {NIZK}}^R\) is indistinguishable from the protocol \(\phi _{\mathrm {NIZK}}\) running with \(\mathcal {A}\) in the \(\mathcal {F}_{\mathrm {NIZK}}^{R^F}\)-hybrid model. The protocol \(\phi _{\mathrm {NIZK}}\) therefore securely realizes \(\mathcal {F}_{\mathrm {NIZK}}^R\) in the \(\mathcal {F}_{\mathrm {NIZK}}^{R^F}\)-hybrid model. \(\square \)

We have assumed a dynamic corruption model in the construction. However, we can also apply our construction if \(\mathcal {F}_{\mathrm {NIZK}}^{R^F}\) can be securely realized against static adversaries, in which case we get a witness-length universally composable NIZK proof for any NP-relation \(R\) that is secure against static adversaries.

There may be many ways to securely realize \(\mathcal {F}_{\mathrm {NIZK}}^{R^F}\) and by the universal composition theorem [8] our result shows that all of them imply the existence of witness-length universally composable NIZK proofs if fully homomorphic encryption exists. In particular, we get witness-length universally composable NIZK proofs in the common reference string model, the multi-string model and under any other setup assumption under which universally composable NIZK proofs exist.

5 Fully Homomorphic Hybrid Encryption

We have implicitly been using a hybrid encryption approach in the construction of the non-interactive zero-knowledge proofs. The underlying hybrid encryption scheme has ciphertexts that are both fully homomorphic and communication-efficient: the encryption of a plaintext \(m\) has size \(|m|+{\mathrm {poly}}(k)\). Such a scheme is useful in itself, so we will now explicitly define fully homomorphic encryption for arbitrary length messages and show that the construction satisfies the definition.² We note that, unlike some definitions of fully homomorphic encryption, we allow the encrypted output to be encoded differently from the encrypted input.

5.1 Defining Fully Homomorphic Encryption of Arbitrary Size Messages

A fully homomorphic encryption scheme consists of four algorithms \((K_{\mathrm {FHE}}^*,E^*,D^*,{\mathrm {Eval}}^*)\). The probabilistic polynomial time key generation algorithm \(K_{\mathrm {FHE}}^*\) on input \(1^{k}\) (and randomness \(\rho \leftarrow \{0,1\}^{\ell _{K_{\mathrm {FHE}}^*}(k)}\)) outputs a public key pk and a decryption key \(\mathrm{{dk}}\). The probabilistic polynomial time encryption algorithm \(E^*\) given a public key pk and a plaintext \(m\in \{0,1\}^*\) (and randomness \(r\leftarrow \{0,1\}^{\ell _{E^*}(k)}\)) outputs a ciphertext \(c\). If we have a tuple of plaintexts \(\vec {m}=(m_1,\ldots ,m_n)\) to encrypt, we will for simplicity write \(\vec {c}\leftarrow E^*_\mathrm{{pk}}(\vec {m})\) when generating \(\vec {c}=(c_1,\ldots ,c_n)\) as \(c_i\leftarrow E_\mathrm{{pk}}^*(m_i)\) (using randomness \(\vec {r}=(r_1,\ldots ,r_n)\leftarrow (\{0,1\}^{\ell _{E^*}(k)})^n\)). The deterministic polynomial time decryption algorithm \(D^*\) given a public key pk and a ciphertext returns a message \(m\) or an error symbol \(\bot \). Finally, the (possibly probabilistic) polynomial time evaluation algorithm \({\mathrm {Eval}}^*\) takes a public key pk, a Boolean circuit \(C\) and \(n\) ciphertexts as input and returns a ciphertext. A well-formed request to \({\mathrm {Eval}}^*\) with a circuit that has \(n\) blocks of \(t_1,\ldots ,t_n\) input wires and \(t_{\mathrm {out}}\) output wires includes input ciphertexts with plaintexts of lengths \(t_1,\ldots ,t_n\) and the output ciphertext then contains a plaintext of size \(t_{\mathrm {out}}\). We require that the encryption scheme be compact, which here means that there is a polynomial upper bound \(\ell _{\mathrm {Eval}}^*(k,t_{\mathrm {out}})\) on the size of the ciphertexts output by \({\mathrm {Eval}}^*\).

Definition 9

(Correctness) \((K_{\mathrm {FHE}}^*,E^*,D^*,{\mathrm {Eval}}^*)\) is (perfectly) correct if for all Boolean circuits \(C\) and all valid inputs \(\vec {m}=(m_1,\ldots ,m_n)\)

$$\begin{aligned} \Pr \left[ (\mathrm{{pk}},\mathrm{{dk}})\leftarrow K_{\mathrm {FHE}}^*(1^{k}); \vec {c}\leftarrow E^*_\mathrm{{pk}}(\vec {m}); v\leftarrow {\mathrm {Eval}}^*_\mathrm{{pk}}(C,\vec {c}):\right. \\ \qquad \left. D^*_{\mathrm{{dk}}}(v)=C(m_1,\ldots ,m_n)\right] =1. \end{aligned}$$

Definition 10

(IND-CPA security) \((K_{\mathrm {FHE}}^*,E^*,D^*,{\mathrm {Eval}}^*)\) is indistinguishable under chosen plaintext attack (IND-CPA secure) if for all non-uniform polynomial time \((\mathcal {A},\mathcal {D})\)

$$\begin{aligned} \Pr \left[ (\mathrm{{pk}},\mathrm{{dk}})\leftarrow K_{\mathrm {FHE}}^*(1^{k}); (m_0,m_1,{\mathrm {St}})\leftarrow \mathcal {A}(\mathrm{{pk}}); b\leftarrow \{0,1\}; c\leftarrow E^*_{\mathrm{{pk}}}(m_b):\right. \\ \qquad \left. \mathcal {D}({\mathrm {St}},c)=b\right] \approx \frac{1}{2}, \end{aligned}$$

where \(\mathcal {A}\) outputs \(m_0,m_1\) of the same bit-length.

Correctness and IND-CPA security were needed in the construction of non-interactive zero-knowledge proofs. However, in other scenarios such as secure function evaluation it is also necessary that the evaluation algorithm hide the circuit \(C\) used by the evaluation algorithm. Our definition of circuit privacy does not require the output of the evaluation algorithm to look identical to a fresh encryption of the output. Instead, it only requires that this encrypted output reveal to the decryption algorithm no more than the plaintext output \(C(m)\). This corresponds to the notion of “1-hop” homomorphic encryption from [17]. We require circuit privacy to hold even when the randomness used by the key generation and by the encryption algorithm are known; this is crucial for applications in which one party generates keys and encryptions and another evaluates \(C\).

Definition 11

(Circuit privacy) \((K_{\mathrm {FHE}}^*,E^*,D^*,{\mathrm {Eval}}^*)\) is computationally circuit private if for all non-uniform polynomial time \((\mathcal {A},\mathcal {D})\)

$$\begin{aligned}&\Pr \left[ \rho \leftarrow \{0,1\}^{\ell _{K_{\mathrm {FHE}}^*(k)}};(\mathrm{{pk}},\mathrm{{dk}})\leftarrow K_{\mathrm {FHE}}^*(1^k;\rho );(C,\vec {m},\vec {r},{\mathrm {St}})\leftarrow \mathcal {A}(\rho );\right. \\&\qquad \qquad \left. \vec {c}=E^*_{\mathrm{{pk}}}(\vec {m};\vec {r});v\leftarrow {\mathrm {Eval}}^*_{\mathrm{{pk}}}(C,\vec {c}):\mathcal {D}({\mathrm {St}},v)=1\right] \\&\approx \Pr \left[ \rho \leftarrow \{0,1\}^{\ell _{K_{\mathrm {FHE}}^*(k)}};(\mathrm{{pk}},\mathrm{{dk}})\leftarrow K_{\mathrm {FHE}}^*(1^k;\rho );(C,\vec {m},\vec {r},{\mathrm {St}})\leftarrow \mathcal {A}(\rho );\right. \\&\qquad \qquad \left. v\leftarrow {\mathrm {Eval}}^*_{\mathrm{{pk}}}({\mathrm {Id}},E^*_{\mathrm{{pk}}}(C(\vec {m}))):\mathcal {D}({\mathrm {St}},v)=1\right] , \end{aligned}$$

where \(\mathcal {A}\) outputs consistent \(C\) and \(\vec {m}=(m_1,\ldots ,m_n)\) and \(\vec {r}\), and where \({\mathrm {Id}}\) is a circuit that simply returns its input (with \(t_{\mathrm {out}}\) input and output wires).

\((K_{\mathrm {FHE}}^*,E^*,D^*,{\mathrm {Eval}}^*)\) is statistically circuit private if the above holds even for unbounded \((\mathcal {A},\mathcal {D})\).

Often statistical circuit privacy can be obtained by running a rerandomization algorithm on the output ciphertext after completing a deterministic fully homomorphic evaluation of the circuit. Such a division of labor gives us the best of two worlds. In our construction of non-interactive zero-knowledge proofs it was necessary to have a deterministic evaluation algorithm such that the computation could be replicated by the verifier who knew what the circuit was. In the secure function evaluation protocol in Sect. 6 on the other hand we will need circuit privacy but are happy to have a probabilistic circuit evaluation algorithm.

5.2 Length-Optimal Fully Homomorphic Hybrid Encryption Scheme Construction

In our constructions of non-interactive zero-knowledge proofs we implicitly used a hybrid encryption approach where we first encrypt a symmetric encryption key and then use that to encrypt the plaintext. By using a pseudorandom one-time pad we made the ciphertext have size \(|m|+{\mathrm {poly}}(k)\), which is minimal except for an additive overhead. We recap the construction in Fig. 4, which relies on a fully homomorphic bit-encryption scheme \((K_{\mathrm {FHE}},E,D,{\mathrm {Eval}})\) and a pseudorandom generator \(G\) as defined in Sect. 2.

Fig. 4

Fully homomorphic encryption for arbitrary size plaintexts

Lemma 12

If \((K_{\mathrm {FHE}},E,D,{\mathrm {Eval}})\) is IND-CPA secure and \(G\) is a pseudorandom generator then \((K_{\mathrm {FHE}}^*,E^*,D^*,{\mathrm {Eval}}^*)\) is IND-CPA secure.

proof

Consider the generation of \(\bar{s}\leftarrow E_{\mathrm{{pk}}}(s)\). By the IND-CPA security of the bit-encryption scheme this is computationally indistinguishable from \(\bar{s}\leftarrow E_{\mathrm{{pk}}}(0^{k})\). Next, we pick \(u\leftarrow \{0,1\}^{|m|}\) uniformly at random instead of generating it as a pseudorandom one-time pad. By the pseudorandomness of \(G\) this modification only changes the adversary’s distinguishing advantage negligibly. Now everything but the length of the encrypted plaintext is perfectly hidden and we conclude \((K_{\mathrm {FHE}}^*,E^*,D^*,{\mathrm {Eval}}^*)\) is IND-CPA secure. \(\square \)

Lemma 13

If \((K_{\mathrm {FHE}},E,D,{\mathrm {Eval}})\) has computational (statistical) circuit privacy then \((K_{\mathrm {FHE}}^*,E^*,D^*,{\mathrm {Eval}}^*)\) as constructed above has computational (statistical) circuit privacy.

proof

Given a circuit privacy adversary \((\mathcal {A},\mathcal {D})\) for \((K_{\mathrm {FHE}}^*,E^*,D^*,{\mathrm {Eval}}^*)\) we can construct a circuit privacy adversary \((\mathcal {B},\mathcal {D})\) for \((K_{\mathrm {FHE}},E,D,{\mathrm {Eval}})\). The adversary \(\mathcal {B}(\rho )\) runs \((C,m_1,\ldots ,m_n,(s_1,\bar{r}_1),\ldots ,(s_n,\bar{r}_n),{\mathrm {St}})\leftarrow \mathcal {A}(\rho )\). It then computes \(u_1=m_1\oplus G(s_1,|m_1|),\ldots ,u_n=m_n\oplus G(s_n,|m_n|)\) and \(C_u=f(1^k,C,u_1,\ldots ,u_n)\). \(\mathcal {B}\) returns \((C_u,s_1,\ldots ,s_n,\bar{r}_1,\ldots ,\bar{r}_n,{\mathrm {St}})\).

The computational (statistical) circuit privacy of \((K_{\mathrm {FHE}},E,D,{\mathrm {Eval}})\) gives us

$$\begin{aligned}&\Pr \left[ \rho \leftarrow \{0,1\}^{\ell _{K_{\mathrm {FHE}}^*(k)}};(\mathrm{{pk}},\mathrm{{dk}})\leftarrow K_{\mathrm {FHE}}^*(1^k;\rho );\right. \\&\qquad \qquad (C,m_1,\ldots ,m_n,(s_1,\bar{r}_1),\ldots ,(s_n,\bar{r}_n),{\mathrm {St}})\leftarrow \mathcal {A}(\rho );\\&\qquad \qquad \left. c_i=E^*_{\mathrm{{pk}}}(m_i;(s_i,\bar{r}_i));v\leftarrow {\mathrm {Eval}}^*_{\mathrm{{pk}}}(C,c_1,\ldots ,c_n):\mathcal {D}({\mathrm {St}},v)=1\right] \\&\quad = \Pr \left[ \rho \leftarrow \{0,1\}^{\ell _{K_{\mathrm {FHE}}(k)}};(\mathrm{{pk}},\mathrm{{dk}})\leftarrow K_{\mathrm {FHE}}(1^k;\rho );\right. \\&\qquad \qquad (C_u,s_1,\ldots ,s_n,\bar{r}_1,\ldots ,\bar{r}_n,{\mathrm {St}})\leftarrow \mathcal {B}(\rho );\\&\qquad \qquad \left. \bar{s}_i=E_{\mathrm{{pk}}}(s_i;\bar{r}_i);v\leftarrow {\mathrm {Eval}}_{\mathrm{{pk}}}(C_u,\bar{s}_1,\ldots ,\bar{s}_n):\mathcal {D}({\mathrm {St}},v)=1\right] \\&\quad \approx \Pr \left[ \rho \leftarrow \{0,1\}^{\ell _{K_{\mathrm {FHE}}(k)}};(\mathrm{{pk}},\mathrm{{dk}})\leftarrow K_{\mathrm {FHE}}(1^k;\rho );\right. \\&\qquad \qquad (C_u,s_1,\ldots ,s_n,\bar{r}_1,\ldots ,\bar{r}_n,{\mathrm {St}})\leftarrow \mathcal {B}(\rho );\\&\qquad \qquad \left. v\leftarrow {\mathrm {Eval}}_{\mathrm{{pk}}}({\mathrm {Id}},E_{\mathrm{{pk}}}(C_u(s_1,\ldots ,s_n))):\mathcal {D}({\mathrm {St}},v)=1\right] \\&\quad = \Pr \left[ \rho \leftarrow \{0,1\}^{\ell _{K_{\mathrm {FHE}}^*(k)}};(\mathrm{{pk}},\mathrm{{dk}})\leftarrow K_{\mathrm {FHE}}^*(1^k;\rho );\right. \\&\qquad \qquad (C,m_1,\ldots ,m_n,(s_1,\bar{r}_1),\ldots ,(s_n,\bar{r}_n),{\mathrm {St}})\leftarrow \mathcal {A}(\rho );\\&\qquad \qquad \left. v\leftarrow {\mathrm {Eval}}^*_{\mathrm{{pk}}}({\mathrm {Id}},E^*_{\mathrm{{pk}}}(C(m_1,\ldots ,m_n))):\mathcal {D}({\mathrm {St}},v)=1\right] , \end{aligned}$$

which shows \((K_{\mathrm {FHE}}^*,E^*,D^*,{\mathrm {Eval}}^*)\) has computational (statistical) circuit privacy. \(\square \)

Let us call an encryption scheme length-optimal if the encryption procedure produces ciphertexts of size \(|m|+{\mathrm {poly}}(k)\), where \(|m|\) is the size of the plaintext and \(k\) is the security parameter. The following theorem then summarizes the results of this section.

Theorem 14

If IND-CPA secure fully homomorphic public key bit-encryption schemes exist, then length-optimal IND-CPA secure fully homomorphic public key encryption schemes for arbitrary size plaintexts exist. If IND-CPA secure circuit private fully homomorphic public key bit-encryption schemes exist, then length-optimal IND-CPA secure circuit private fully homomorphic public key encryption schemes for arbitrary size plaintexts exist.

proof

The existence of bit-encryption implies the existence of pseudorandom generators. The construction of \((K_{\mathrm {FHE}}^*,E^*,D^*,{\mathrm {Eval}}^*)\) in Fig. 4 is perfectly correct. Since the encryption procedure outputs ciphertexts of size \(|m|+{\mathrm {poly}}(k)\) the scheme is length-optimal. Lemma 12 shows the construction preserves IND-CPA security and Lemma 13 shows that the construction preserves circuit privacy. \(\square \)

6 2-Party Secure Function Evaluation

As an illustration of the usefulness of fully homomorphic encryption for messages of arbitrary length, we will look at the case of 2-party secure function evaluation. Here Alice and Bob have inputs \(x\) and \(y\) respectively and Alice wants to learn \(f(x,y)\) for a given polynomial time computable function \(f\).

Given a fully homomorhic encryption scheme for arbitrary size plaintexts the construction of a 2-party secure function evaluation protocol is very simple. Alice encrypts her input \(x\) under her own public key and send the ciphertext to Bob. Bob then applies a suitable circuit to the ciphertext to compute the evaluation of \(f(x,y)\) and sends it back to Alice. Alice can now decrypt and get the result. (A slight extension of the protocol would allow also Bob to learn the result \(f(x,y)\) by having Alice sending the result encrypted under Bob’s public key.) Intuitively, Alice’s input will remain private because of the IND-CPA security of the encryption scheme while Bob’s input will remain private because of the circuit privacy of the encryption scheme. The full construction can be found in Fig. 6.

To formalize 2-party secure function evaluation, we use the universal composability framework [8], which we also used for non-interactive zero-knowledge proofs in Sect. 4. Here, however, we will only consider the case of static adversaries that corrupt a fixed set of parties from the start of the protocol and do not corrupt any more parties after that. We will also restrict ourselves to the case of honest-but-curious adversaries. This means corrupted parties controlled by the adversary follow the protocol honestly but the adversary will try to learn some extra information about the honest parties private inputs. We do not assume the parties have access to a common reference string but we do assume their communication is authenticated. If a party \(P_i\) receives a message from \(P_j\) it is therefore guaranteed this message did indeed originate from \(P_j\) although we can expect the adversary to have learned the contents of the message.

The ideal 2-party secure function evaluation functionality is given in Fig. 5. Note that the size of the input \(x\) and the size of the output \(z=f(x,y)\) are not secret but everything else is kept secret by the ideal functionality. There is one restriction we place on the polynomial time function \(f\), which is that given \(|x|\) and \(y\) it should be possible to determine uniquely the size of the output \(f(x,y)\). This restriction, which is standard since UC protocols typically do not hide the lengths of inputs and outputs, is needed in our construction to enable the construction of a polynomial size circuit \(C_{|x|,y}(\cdot )\) with a fixed number of output wires that corresponds to the computation of \(f(\cdot ,y)\).

Fig. 5

Ideal 2-party secure function evaluation functionality \(\mathcal {F}_{\mathrm {2SFE}}^f\)

Theorem 15

\(\phi _{\mathrm {2SFE}}\) in Fig. 6 securely realizes \(F_{\mathrm {2SFE}}^f\) against static honest-but-curious adversaries if \((K_{\mathrm {FHE}}^*,E^*,D^*,{\mathrm {Eval}}^*)\) is an IND-CPA secure fully homomorphic encryption scheme with computational circuit privacy.

Fig. 6

Universally composable 2-party secure function evaluation for \(f\)

proof

\(\mathcal {S}\) in the ideal process runs a copy of \(\mathcal {A}\) and will try to simulate an execution of the protocol such that \(\mathcal {A}\) and the environment \(\mathcal {Z}\) cannot detect that they are running in the ideal process. \(\mathcal {S}\) forwards all communication between the simulated \(\mathcal {A}\) and the environment \(\mathcal {Z}\) and \(\mathcal {S}\) simulates for each dummy party \(\tilde{P}_i\) a corresponding real world party \(P_i\). Since \(\mathcal {A}\) is static the set of corrupted parties is fixed from the start and \(\mathcal {S}\) has full control over the corresponding corrupted dummy parties. Whenever a corrupted dummy party \(\tilde{P}_i\) receives an input \(\mathcal {S}\) sends it to the ideal functionality, and whenever a simulated party \(P_i\) makes an output to the environment, \(\mathcal {S}\) delivers the corresponding output from the ideal functionality to \(\tilde{P}_i\) so it can output it to the environment. For each pair of parties \((P_i,P_j)\) engaging in the protocol there are four options:

• \(P_i\) and \(P_j\) are both corrupt: As specified above \(\mathcal {S}\) learns the inputs \(x\) and \(y\) of the parties and submits them to the ideal functionality on behalf of \(\tilde{P}_i\) and \(\tilde{P}_j\). If \(\mathcal {A}\) in the protocol outputs the result to \(\mathcal {Z}\) on behalf of \(P_i\), then \(\mathcal {S}\) delivers the ideal functionality’s result to \(\tilde{P}_i\) and outputs it to the environment.

• \(P_i\) is corrupt and \(P_j\) is honest: In this setting \(\mathcal {S}\) has to simulate the message \((sid,P_i,P_j,v)\) that \(P_j\) sends to \(P_i\). Since \(\tilde{P}_i\) is corrupted, \(\mathcal {S}\) knows the ideal functionality’s result \(z=f(x,y)\). It can therefore compute \(v\leftarrow {\mathrm {Eval}}_{\mathrm{{pk}}}^*({\mathrm {Id}},E_{\mathrm{{pk}}}^*(z))\) and use that in \(P_j\)’s response to \(P_i\).

• \(P_i\) is honest and \(P_j\) is corrupt: In this setting \(\mathcal {S}\) has to simulate the message \((sid,P_i,P_j,\mathrm{{pk}},c,|x|)\) that \(P_i\) sends to \(P_j\). On input \((sid,P_i,P_j,|x|)\) from the ideal functionality \(\mathcal {S}\) therefore picks \((\mathrm{{pk}},\mathrm{{dk}})\leftarrow K_{\mathrm {FHE}}^*(1^k)\) and \(c\leftarrow E^*_{\mathrm{{pk}}}(0^{|x|})\) and instructs \(P_i\) to send \((sid,P_i,P_j,\mathrm{{pk}},c,|x|)\) to \(P_j\).

• \(P_i\) and \(P_j\) are both honest: Here \(\mathcal {S}\) has to simulate the entire communication between \(P_i\) and \(P_j\). On input \((sid,P_i,P_j,|x|)\) from the ideal functionality \(\mathcal {S}\) therefore picks \((\mathrm{{pk}},\mathrm{{dk}})\leftarrow K_{\mathrm {FHE}}^*(1^k)\) and \(c\leftarrow E^*_{\mathrm{{pk}}}(0^{|x|})\) and instructs \(P_i\) to send \((sid,P_i,P_j,\mathrm{{pk}},c,|x|)\) to \(P_j\). On subsequent input \((sid,P_i,P_j,|z|)\) from the ideal functionality \(\mathcal {S}\) then computes \(v\leftarrow {\mathrm {Eval}}_{\mathrm{{pk}}}^*({\mathrm {Id}},E_{\mathrm{{pk}}}^*(0^{|z|}))\) and instructs \(P_j\) to send \((sid,P_i,P_j,v)\) to \(P_i\).

To see this is a good simulation, observe first that since \(\mathcal {A}\) is honest-but-curious it always instructs corrupt parties \(P_i\) to act like an honest party would do, so it does for instance output the correct protocol output in the simulation when both parties are corrupt, generates a valid key and ciphertext when \(P_i\) is corrupt, and computes \(v\) correctly on the basis of \(y\) if \(P_j\) is corrupt. The IND-CPA security of the encryption scheme guarantees the ciphertext \(c\leftarrow E^*_{\mathrm{{pk}}}(0^{|x|})\) in the simulation when \(P_i\) is honest cannot be distinguished from the correct encryptions \(c\leftarrow E^*_{\mathrm{{pk}}}(x)\). The computational circuit privacy of the encryption scheme guarantees that \(v\leftarrow {\mathrm {Eval}}_{\mathrm{{pk}}}^*({\mathrm {Id}},E^*_{\mathrm{{pk}}}(z))\) cannot be distinguished from the correct evaluation \(v\leftarrow {\mathrm {Eval}}_{\mathrm{{pk}}}^*(C_{|x|,y},c)\) when \(P_j\) is honest, even when given the randomness used for generating \(c\). When both \(P_i\) and \(P_j\) are honest the computational circuit privacy shows the real protocol running with \(v\leftarrow {\mathrm {Eval}}^*_{\mathrm{{pk}}}(C_{|x|,y},c)\) cannot be distinguished from a simulated \(v\leftarrow {\mathrm {Eval}}^*_{\mathrm{{pk}}}({\mathrm {Id}},E^*_{\mathrm{{pk}}}(f(x,y)))\). The IND-CPA security then says this cannot be distinguished from running \(v\leftarrow {\mathrm {Eval}}^*_{\mathrm{{pk}}}({\mathrm {Id}},E^*_{\mathrm{{pk}}}(0^{|z|}))\) and that having \(c\leftarrow E^*_{\mathrm{{pk}}}(x)\) cannot be distinguished from \(c\leftarrow E^*_{\mathrm{{pk}}}(0^{|x|})\). This means the simulation in the ideal process cannot be distinguished by \(\mathcal {Z}\) from the real execution of the protocol. \(\square \)

Using the hybrid encryption scheme \((K_{\mathrm {FHE}}^*,E^*,D^*,{\mathrm {Eval}}^*)\) from Sect. 5 Alice’s (\(P_i\)’s) communication is \(|x|+{\mathrm {poly}}(k)\) bits. For small output sizes \(|z|=O(1)\) this gives an overall communication of \(|x|+{\mathrm {poly}}(k)\) so there is only an additive overhead.

For large output sizes, the existence of fully homomorphic bit-encryption only guarantees a total communication of \(|x|+{\mathrm {poly}}(k)|z|\) bits. However, using specific cryptographic assumptions it is possible to get a communication complexity of \(|x|+|z|\cdot (1+o(1))+{\mathrm {poly}}(k)\). This follows from Lipmaa’s [33] method to batch many ciphertexts into one in the fully homomorphic encryption scheme by Brakerski, Gentry and Vaikuntanathan [6].