1 Introduction

Fully-homomorphic encryption [21] (FHE) allows one to compute on encrypted data. An important limitation of FHE is that it requires all of the data to be encrypted under the same public key in order to perform homomorphic evaluations. To circumvent this shortcoming, López-Alt et al. [29] proposed a multi-party extension of FHE, namely, multi-key FHE, where each party can sample a key pair \((\mathsf {sk}_i, \mathsf {pk}_i)\) locally and encrypt its message under its own public key. Then one can publicly evaluate any (polynomially computable) circuit over the resulting ciphertexts \(c_i = \mathsf {Enc}(\mathsf {pk}_i, m_i)\), each encrypted under an independently sampled public key. Naturally, decrypting the resulting multi-key ciphertext requires one to know all the secret keys for the parties involved.

In this work we are interested in multi-key FHE schemes with a one-round decryption protocol: Given a multi-key ciphertext \(c = \mathsf {Enc}((\mathsf {pk}_1, \dots , \mathsf {pk}_N), C(m_1, \dots , m_N))\), the decryption consists of (i) a local phase, where each party independently computes a decryption share \(p_i\) using its secret key \(\mathsf {sk}_i\), and a (ii) public phase, where the plaintext m can be publicly recovered from the decryption shares \((p_1, \dots , p_N)\).

Other than being an interesting primitive on its own, multi-key FHE with one-round (also referred to as “non-interactive”) decryption implies a natural solution for secure multi-party computation (MPC) with optimal round complexity and communication complexity independent of the size of the circuit being computed [31]. Additionally, multi-key FHE with one-round decryption has proven to be a versatile tool to construct powerful cryptographic primitives, such as spooky encryption [18], homomorphic secret sharing [11, 12], obfuscation and functional encryption combiners [4, 5], multiparty obfuscation [25], homomorphic time-lock puzzles [14, 30], and ad-hoc multi-input functional encryption [1].

To the best of our knowledge, all known multi-key FHE schemes with one-round decryption assume a trusted setup [16, 17, 31, 32] or require non-standard assumptions, such as the existence of sub-exponentially secure general-purpose obfuscation [18]. A major open question in this area (stated in [16, 31]) is whether it is possible to avoid the use of a common setup and obtain a solution in the plain model.

1.1 Our Results

We present the first construction of a multi-key FHE with one-round decryption in the plain model, i.e. without a trusted setup, from standard assumptions over lattices. Specifically, we prove the following main theorem:

Theorem 1 (Informal)

Assuming,

  • Two-round semi-malicious oblivious transfer in the plain model,

  • Multi-key FHE with trusted setup and one-round decryption and,

  • Multi-key FHE in the plain model but with arbitrary round decryption,

there exists multi-key FHE in the plain model with one-round decryption.

A multi-key FHE with one-round decryption in the common reference string (CRS) model can be constructed assuming the hardness of the standard learning with errors (LWE) problem [17, 31]. Similarly, two-round semi-malicious oblivious transfer can also be instantiated assuming learning with errors [13]. On the other hand, a multi-key FHE scheme without setup, but with complex decryption, was proposed in [29] assuming the hardness of the Ring LWE and the decisional small polynomial ratio (DSPR) problems,Footnote 1 Thus, we obtain the following implication:

Theorem 2 (Informal)

Assuming that the LWE, Ring LWE, and DSPR problems are hard, there exists a leveled multi-key FHE scheme in the plain model with one-round decryption. Additionally assuming circular security of our scheme, there exists multi-key FHE in the plain model with one-round decryption.

We remark that our compiler is completely generic in the choice of the scheme and thus can benefit from future development in the realm of multi-key FHE with multi-round decryption. We also point out that our construction achieves a relaxed security notion where, among other differences, we require computational indistinguishability of simulated decryption shares, whereas the works of [16, 31, 32] achieved statistical indistinguishability (see Sect. 4 for a precise statement). To the best of our knowledge, this definition suffices for known applications of multi-key FHE.

Multiparty Homomorphic Encryption. As a stepping stone towards our main result, we introduce the notion of multiparty homomorphic encryption (MHE). MHE is a variant of multi-key FHE that retains its key virtue of communication efficiency but sacrifices on the efficiency of final output computation step. Specifically, the reconstruction of the message from the decryption shares is “non-compact”, i.e. its computational complexity might depend on the size of the evaluated circuit. Crucially, we still require that the size of the (evaluated) ciphertexts is independent of size of the circuit. As we discuss below, MHE suffices for some applications of multi-key FHE, including a two-round MPC protocol where the first message depends only on the input of each party and can be reused for arbitrarily many evaluations of different circuits.

Note that unlike the case of (single-key) FHE, allowing for non-compact output computation does not trivialize the notion of MHE. Indeed, in the case of FHE, a trivial scheme with non-compact output computation can be obtained via any public-key encryption scheme by simply considering a decryption process that first recovers the plaintext and then evaluates the circuit to compute the output. Such an approach, however, does not extend to the multiparty setting since it would violate the security requirement of MHE (defined similarly to that of multi-key FHE).

We prove the following theorem:

Theorem 3 (Informal)

Assuming the hardness of the LWE problem (with sub-exponential modulus-to-noise ratio), there exists an MHE scheme in the plain model.

At a technical level, we develop a recursive self-synthesis transformation that lifts any one-time MHE scheme (i.e. where the first message can be securely used only for the evaluation of a single circuit) to an unbounded MHE. Our approach bears resemblance to and builds upon several seemingly unrelated works dating as far back as the construction of pseudorandom functions from pseudorandom generators [23], as well as recent constructions of indistinguishability obfuscation from functional encryption [6, 9] (and even more recently, constructions of identity-based encryption [15, 20]).

Reusable MPC. A direct application of MHE is a two-round (semi-honest) MPC protocol in the plain model with the following two salient properties:

  • The first round of the protocol, which only depends on the inputs of the parties, can be reused for an arbitrary number of computations. That is, after the completion of the first round, the parties can execute the second round multiple times, each time with a different circuit \(C_\ell \) of their choice, to learn the output of \(C_\ell \) over their fixed inputs.

  • The communication complexity of the protocol is independent of the circuit size (and only depends on the circuit depth).

Alternately, we can use our multi-key FHE to achieve the same result with communication complexity independent of the circuit size, albeit based on stronger assumptions.

Previously, such a protocol – obtained via multi-key FHE – was only known in the CRS model [31]. Benhamouda and Lin [8] recently investigated the problem of two-round reusable MPC (with circuit-size dependent communication) and give a construction for the same, in the plain model, based on bilinear maps.Footnote 2 Our construction is based on a different assumption, namely, LWE, and therefore can be conjectured to satisfy post-quantum security.

Concurrent Work on Reusable MPC. The work of Bartusek et al. [7] investigate the question of two-round MPC with reusable first message. They propose schemes assuming the hardness of the DDH assumption over traditional groups. In contrast with our work, the resulting MPC is non-compact, i.e. the communication complexity is proportional to the size of the circuit. Moreover, unlike [7], our scheme can be conjectured to be secure against quantum adversaries.

1.2 Open Problems

Our work leaves open some interesting directions for future research. The most compelling problem is to construct a multi-key FHE with one-round decryption assuming only the hardness of the (plain) LWE problem. Another relevant direction is to improve the practical efficiency of our proposal and to obtain a more “direct” construction of multi-key FHE from lattice assumptions.

2 Technical Overview

Towards constructing both multi-key FHE and MHE, we first consider a relaxed notion of MHE where the evaluation algorithm is allowed to be private; we call this notion pMHE.

MHE with Private Evaluation (pMHE). An MHE scheme with private evaluation, associated with n parties, consists of the following algorithms:

  • Encryption: The \(i^{th}\) party, for \(i \in [n]\), on input \(x_i\) produces a ciphertext \(\mathsf {ct}_i\) and secret key \(\mathsf {sk}_i\).

  • Evaluation: The \(i^{th}\) party on input all the ciphertexts \(\mathsf {ct}_1,\ldots ,\mathsf {ct}_N\), secret key \(\mathsf {sk}_i\), and circuit C, it evaluates the ciphertexts to obtain a partial decrypted value \(p_i\). We emphasize that the \(i^{th}\) party requires \(\mathsf {sk}_i\) for its evaluation and thus is not a public operation.

  • Final Decryption: Given all the partial decrypted values \((p_{1},\ldots ,p_N)\) and the circuit C, reconstruct the output \(C(x_1,\ldots ,x_N)\).

Towards obtaining our main results, we will also sometimes consider a version of pMHE in the CRS model, where the encryption, evaluation and the final decryption algorithms additionally take as input a CRS, generated by a trusted setup. Furthermore, we will also consider pMHE schemes with an efficiency property that we refer to as ciphertext succinctness. We postpone defining this property to later in this section.

Roadmap of our Approach. Using the abstraction of pMHE, we achieve both of our results as illustrated in Fig. 1:

  • The starting point of our approach is a one-time pMHE, namely, a pMHE scheme where the initial ciphertexts, i.e., encryptions of \(x_i\) for every \(i \in [n]\), can be evaluated upon only once. The first step in our approach, involving the technical bulk of our work, is a reusability transformation that takes a one-time pMHE in the CRS model and converts it into a pMHE scheme (in the plain model), that allows for (unbounded) polynomially-many homomorphic evaluations (of different circuits) over the initial ciphertexts. We outline this in Sect. 2.1.

  • We next describe two different transformations: The first transformation converts a pMHE scheme to multi-key FHE (Sect. 2.2) and the second transformation converts it to an MHE scheme (Sect. 2.3).

  • Finally, in Sect. 2.4, we discuss instantiation of one-time pMHE.

Fig. 1.
figure 1

Our approach

Full size image

2.1 Reusability Transformation

We now proceed to describe our reusability transformation from a one-time pMHE scheme in the CRS model to a (reusable) pMHE scheme in the plain model. We will in fact first consider the simpler problem of obtaining a pMHE scheme in the CRS model. Later, we show how we can modify the transformation to get rid of the CRS.

Reusability: Naive Attempt. Let \(\mathsf {One}\mathsf {MHE}\) denote a one-time pMHE scheme. Using two instantiations of \(\mathsf {One}\mathsf {MHE}\) that we call \(\mathsf {One}\mathsf {MHE}_{0}\) and \(\mathsf {One}\mathsf {MHE}_{1}\), we first attempt to build an pMHE scheme for a circuit class \(\mathcal {C}=\{C_0,C_1\}\) that allows for only two decryption queries, denoted by \(\mathsf {Two}\mathsf {MHE}\).

  • The \(i^{th}\) party, for \(i \in [N]\), on input \(x_i\), produces two ciphertexts \(\mathsf {ct}_0^i\) and \(\mathsf {ct}_1^i\), where \(\mathsf {ct}_0^i\) is computed by encrypting \(x_i\) using \(\mathsf {One}\mathsf {MHE}_0\) and \(\mathsf {ct}_1\) is computed by encrypting \(x_i\) using \(\mathsf {One}\mathsf {MHE}_1\).

  • To evaluate a circuit \(C_b\), for \(b \in \{0,1\}\), run the evaluation procedure of \(\mathsf {One}\mathsf {MHE}_b\) to obtain the partial decrypted values.

  • The final decryption on input \(C_b\) and partial decrypted values produces the output.

It is easy to see that the above scheme supports two decryption queries. While the above template can be generalized if \(\mathcal {C}\) consists of polynomially many circuits; every circuit in \(\mathcal {C}\) is associated with an instantiation of \(\mathsf {One}\mathsf {MHE}\). However, it is clear that this approach does not scale when \(\mathcal {C}\) consists of exponentially many circuits.

Recursive Self-synthesis. Instead of generating all the instantiations of \(\mathsf {One}\mathsf {MHE}\) during the encryption phase, as is done in \(\mathsf {Two}\mathsf {MHE}\), our main insight is to instead defer the generation of the instantiations of \(\mathsf {One}\mathsf {MHE}\) to the evaluation phase. The advantage of this approach is that, during the evaluation phase, we know exactly which circuit is being evaluated and thus we can afford to be frugal and only generate the instantiations of \(\mathsf {One}\mathsf {MHE}\) that are necessary, based on the description of this circuit. The idea of bootstrapping a"one-time" secure scheme into a “multi-time” secure scheme is not new and has been studied in different contexts in cryptography; be it the classical result on pseudorandom functions from pseudorandom generators [24] or the more recent results on indistinguishability from functional encryption [6, 10, 28] and constructions of identity-based encryption [15, 19, 20]. In particular, as we will see soon, our implementation of deferring the executions of \(\mathsf {One}\mathsf {MHE}\) and only invoke the instantiations as needed bears some resemblance to techniques developed in these works, albeit in a very different context.

Illustration. Before explaining our approach to handle any polynomial number of decryption queries, we start with the same example as before: The goal is to build pMHE scheme for a circuit class \(\mathcal {C}=\{C_0,C_1\}\) that allows for 2 decryption queries. The difference, however, is, unlike before, the approach we describe below will scale to exponentially many circuits.

We employ a tree-based approach to solve this problem. The tree associated with this scheme consists of three nodes: a root and two leaves. The first leaf is associated with the circuit \(C_0\) and the second leaf is associated with the circuit \(C_1\). Every node is associated with an instantiation of the one-time pMHE scheme. Denote the one-time pMHE scheme associated with the root to be \(\mathsf {One}\mathsf {MHE}_{\bot }\), with the left leaf to be \(\mathsf {One}\mathsf {MHE}_{0}\) and the right leaf node to be \(\mathsf {One}\mathsf {MHE}_1\).

Armed with the above notation, we now present an overview of construction of a pMHE scheme for \(\mathcal {C}=\{C_0,C_1\}\) allowing for 2 decryption queries as follows:

  • The \(i^{th}\) party, for \(i \in [N]\), on input \(x_i\), produces the ciphertext \(\mathsf {ct}_{\bot }^i\), where \(\mathsf {ct}_{\bot }^i\) is computed by encrypting \(x_i\) using \(\mathsf {One}\mathsf {MHE}_{\bot }\).

  • To evaluate a circuit \(C_b\), for \(b \in \{0,1\}\), the \(i^{th}\) party does the following:

    • \(\bullet \) First run the evaluation procedure of \(\mathsf {One}\mathsf {MHE}_{\bot }\) on input circuit \(C_{\bot }\) (defined below) to obtain the \(i^{th}\) partial decrypted value associated with \(\mathsf {One}\mathsf {MHE}_{\bot }\).

      Denote \(C_{\bot }\) to be the circuitFootnote 3 that takes as input \((x_1,\ldots ,x_N)\) and produces: (i) \(GC_{i,0}\) wire labels for \(\mathsf {One}\mathsf {MHE}_{0}\) ciphertext of \(x_i\) under the \(i^{th}\) party’s secret key, for every i, and, (ii) \(GC_{i,1}\) wire labels for \(\mathsf {One}\mathsf {MHE}_{1}\) ciphertext of \(x_i\) under the \(i^{th}\) party’s secret key, for every i.

    • \(\bullet \) It computes a garbled circuit \(GC_{i,b}\) defined below.

      Denote \(GC_{i,b}\) to be the garbling of a circuit that takes as input \(\mathsf {One}\mathsf {MHE}_{b}\) ciphertexts of \(x_1,\ldots ,x_N\), performs evaluation of \(C_b\) using the \(i^{th}\) secret key associated with \(\mathsf {One}\mathsf {MHE}_b\) and outputs the \(\mathsf {One}\mathsf {MHE}_b\) partial decryption values.

    Output the \(i^{th}\) partial decrypted value of \(\mathsf {One}\mathsf {MHE}_{\bot }\) and the garbled circuit \(GC_{i,b}\).

  • The final decryption algorithm takes as input the \(\mathsf {One}\mathsf {MHE}_{\bot }\) partial decryption values from all the parties, garbled circuits \(GC_{1,b},\ldots ,GC_{N,b}\), circuit \(C_b\) (to be evaluated) and performs the following operations:

    • \(\bullet \) It first runs the final decryption procedure of \(\mathsf {One}\mathsf {MHE}_{\bot }\) to obtain the wire labels corresponding to all the garbled circuits \(GC_{1,b},\ldots ,GC_{N,b}\).

    • \(\bullet \) It then evaluates all the garbled circuits to obtain the \(\mathsf {One}\mathsf {MHE}_{b}\) partial decryption values.

    • \(\bullet \) Using the \(\mathsf {One}\mathsf {MHE}_{b}\) partial decryption values, compute the final decryption procedure of \(\mathsf {One}\mathsf {MHE}_{b}\) to obtain \(C_b(x_1,\ldots ,x_N)\).

Full-Fledged Tree-Based Approach. We can generalize the above approach to construct a pMHE scheme for any circuit class and that handles any polynomially many queries. If s is the maximum size of the circuit in the class of circuits, we consider a binary tree of depth s.

  • Every edge in the tree is labeled. If an edge e is incident from the parent to its left child then label it with 0 and if e is incident from the parent to its right child then label it with 1.

  • Every node in the tree is labeled. The label is the concatenation of all the edge labels on the path from the root to the node.

  • Every leaf is associated with a circuit of size s.

With each node v, associate with v a new instantiation of a one-time pMHE scheme, that we denote by \(\mathsf {One}\mathsf {MHE}_{\mathbf {l}(v)}\), where \(\mathbf {l}(v)\) is the label associated with node v. If v is the root node \(\mathbf {l}(v)=\bot \).

Informally, the encryption algorithm of pMHE generates \(\mathsf {One}\mathsf {MHE}_{\bot }\) encryption of \(x_i\) under the \(i^{th}\) secret key. During the evaluation procedure, on input C, each party generates s garbled circuits, one for every node on the path from the root to the leaf labeled with C. The role of these garbled circuits is to delegate the computation of the partial decrypted values to the final decryption phase. In more detail, the garbled circuit associated with the node v computes the partial decrypted values associated with \(\mathsf {One}\mathsf {MHE}_{\mathbf {l}(v)}\). The partial decryption values will be generated by homomorphically evaluating the following circuit: (i) the wire labels, associated with \(\mathsf {One}\mathsf {MHE}_{\mathbf {l}{v||0}}\) encryptions of \(x_1,\ldots ,x_N\), of all the N garbled circuits associated with the node v||0 and, (ii) the wire labels, associated with \(\mathsf {One}\mathsf {MHE}_{\mathbf {l}{v||1}}\) encryptions of \(x_1,\ldots ,x_N\), of all the N garbled circuits associated with the node v||1. Note that the homomorphic evaluation is performed inside the garbled circuit.

During the final decryption, starting from the root node, each garbled circuit (of every party) is evaluated to obtain wire labels of the garbled circuit associated with the child node on the path from the root to the leaf labelled with C. Finally, the garbled circuit associated with the leaf labelled with C is then evaluated to obtain the \(\mathsf {One}\mathsf {MHE}_{C}\) partial decrypted values. These partial decrypted values are then decoded to recover the final output \(C(x_1,\ldots ,x_N)\).

We give an overview of the final decryption process in Fig. 2.

Fig. 2.
figure 2

A glimpse of the final decryption process of the reusable pMHE scheme when evaluated upon the circuit with the boolean representation \(C=01\cdots \). During the evaluation process, the \(i^{th}\) party generates the garbled circuits \(GC_{i,0},GC_{i,01},\cdots ,GC_{i,C}\) as part of the partial decrypted values. The garbled circuit \(GC_{i,\mathbf {l}(v)}\), associated with the prefix \(\mathbf {l}(v)\) of C, computes the evaluation procedure of \(\mathsf {One}\mathsf {MHE}_{\mathbf {l}(v)}\). The output of final decryption of \(\mathsf {One}\mathsf {MHE}_{\mathbf {l}(v)}\) are (i) the wire labels of \(GC_{i,\mathbf {l}(v)||0}\), for every \(i \in [n]\), of the encryptions of all the inputs of the parties, \(x_1,\ldots ,x_N\) generated with respect to \(\mathsf {One}\mathsf {MHE}_{\mathbf {l}(v)||0}\) and, (ii) the wire labels of \(GC_{i,\mathbf {l}(v)||1}\), for every \(i \in [n]\), for the encryptions of all the inputs of the parties, \(x_1,\ldots ,x_N\) generated with respect to \(\mathsf {One}\mathsf {MHE}_{\mathbf {l}(v)||1}\).

Full size image

Efficiency Challenges. To argue that the above scheme is a pMHE scheme, we should at the very least argue that the encryption, evaluation and final decryption algorithms can be executed in polynomial time. Let us first argue that all the garbled circuits can be computed in polynomial time by the \(i^{th}\) party. The time to compute the garbled circuit associated with the root node is polynomial in the time to compute \(\mathsf {One}\mathsf {MHE}_{0}\) and \(\mathsf {One}\mathsf {MHE}_1\) ciphertexts. Even if the time to compute \(\mathsf {One}\mathsf {MHE}_{0}\) and \(\mathsf {One}\mathsf {MHE}_1\) ciphertexts only grows proportional to the depth of the circuits being evaluated, the recursion would already blow up the size of the first garbled circuit to be exponential in s! This suggests that we need to define a suitable succinctness property on \(\mathsf {One}\mathsf {MHE}\) in order to make the above transformation work.

Identifying the Necessary Efficiency for Recursion. To make the above recursion idea work, we impose a stringent efficiency constraint on the encryption complexity of \(\mathsf {One}\mathsf {MHE}\). In particular, we require two properties to hold:

  1. 1.

    The size of the encryption circuit is a polynomial in the security parameter \(\lambda \), the number of parties, the input length, and the depth of the circuit.

  2. 2.

    The depth of the encryption circuit \(\mathsf {One}\mathsf {MHE}\) grows polynomially in \(\lambda \), the number of parties and and the input length.

Put together, we refer to the above efficiency properties as ciphertext succinctness. It turns out that if we have an \(\mathsf {One}\mathsf {MHE}\) scheme with ciphertext succinctness, then the resulting reusable pMHE scheme has polynomial efficiency and moreover, the ciphertext sizes in the resulting scheme are polynomial in the security parameter alone.Footnote 4

Removing the CRS. Note that if we start with \(\mathsf {One}\mathsf {MHE}\) in the CRS model, we end up with reusable pMHE scheme still in the CRS model. However, our goal was to construct a pMHE in the plain model. To fix this, we revisit the tree-based approach to construct pMHE and make two important changes.

The first change is the following: Instead of instantiating the root node with a \(\mathsf {One}\mathsf {MHE}\) scheme satisfying ciphertext succinctness, we instantiate it by a \(\mathsf {One}\mathsf {MHE}\) scheme that need not satisfy any succinctness property (and thus can be instantiated by any semi-malicious MPC in the plain model); if we work out the recursion analysis carefully it turns out that its not necessary that the \(\mathsf {One}\mathsf {MHE}\) scheme associated with the root node satisfy ciphertext succinctness. The intermediate nodes, however, still need to satisfy ciphertext succinctness and thus need to be instantiated using \(\mathsf {One}\mathsf {MHE}\) in the CRS model.

Since the intermediate nodes still require a CRS, we make the parent node generate the CRS for its children. That is, upon evaluating the partial decryption values output by a garbled circuit associated with node v (see Fig. 2 for reference), we obtain: (i) wire labels for \(\mathsf {crs}_{\mathbf {l}{v}||0}\) and the \(\mathsf {One}\mathsf {MHE}_{\mathbf {l}(v)||0}\) ciphertexts computed with respect to the common reference string \(\mathsf {crs}_{\mathbf {l}(v)||0}\) and, (ii) wire labels for \(\mathsf {crs}_{\mathbf {l}{v}||1}\) and \(\mathsf {One}\mathsf {MHE}_{\mathbf {l}(v)||1}\) ciphertexts computed with respect to the common reference string \(\mathsf {crs}_{\mathbf {l}(v)||1}\). That is, the circuit being homomorphically evaluated by \(\mathsf {One}\mathsf {MHE}_{\mathbf {l}(v)}\) first generates \(\mathsf {crs}_{\mathbf {l}(v)||0},\mathsf {crs}_{\mathbf {l}(v)||1}\), then generates the \(\mathsf {One}\mathsf {MHE}_{\mathbf {l}(v)||0},\mathsf {One}\mathsf {MHE}_{\mathbf {l}(v)||1}\) ciphertexts followed by generating wire labels for these ciphertexts. This is the reason why we require the root node to be associated with a \(\mathsf {One}\mathsf {MHE}\) scheme in the plain model; if not, its unclear how we would be able to generate the CRS for the root node.

2.2 From pMHE to Multi-key FHE

Once we obtain a reusable pMHE in the plain model, our main result follows from a simple bootstrapping procedure. Our transformation lifts a multi-key FHE scheme in the plain model with “complex” (i.e. not one-round) decryption to a multi-key FHE in the plain model with one-round decryption, by additionally assuming the existence of a reusable pMHE. Plugging the scheme from [29] into our compiler yields our main result.

The high-level idea of our transformation is to use the pMHE scheme to securely evaluate the decryption circuit (no matter how complex is) of input the multi-key FHE. This allows us to combine the compactness of the multi-key FHE and the one-round decryption of the pMHE into a single scheme that inherits the best of both worlds. More concretely, our compiled scheme looks as follows.

  • Key Generation: The i-th party runs the key generation algorithm of the underlying multi-key FHE to obtain a key pair \((\mathsf {pk}_i, \mathsf {sk}_i)\), then computes the pMHE encryption of \(\mathsf {sk}_i\) to obtain a ciphertext \(\tilde{\mathsf {ct}}_i\) and an secret evaluation key \(\tilde{\mathsf {sk}}_i\). The public key is set to \((\mathsf {pk}_i, \tilde{\mathsf {ct}}_i)\).

  • Encryption: To encrypt a message \(m_i\), the i-th party simply runs the encryption algorithm of the multi-key FHE scheme to obtain a ciphertext \(\mathsf {ct}_i\).

  • Evaluation: On input the ciphertexts \(\mathsf {ct}_1, \dots , \mathsf {ct}_N\) and a circuit C, the i-th party runs the (deterministic) multi-key evaluation algorithm to obtain an evaluated ciphertext \(\mathsf {ct}\). Then each party runs the evaluation algorithm of the pMHE scheme for the circuit

    $$ \varGamma (\mathsf {sk}_1, \dots , \mathsf {sk}_N) = \mathsf {Dec}((\mathsf {sk}_i, \dots , \mathsf {sk}_N), \mathsf {ct}) $$

    over the pMHE ciphertexts \(\tilde{\mathsf {ct}}_1, \dots , \tilde{\mathsf {ct}}_N\), where the value \(\mathsf {ct}\) is hardwired in the circuit. The i-th party returns the corresponding output \(p_i\).

  • Final Decryption: Given the description of the circuit \(\varGamma \) (which is known to all parties) and the decryption shares \((p_1, \dots , p_N)\), reconstruct the output using the final decryption algorithm of pMHE.

We stress that, in order to achieve the functionality of a multi-key FHE scheme, it is imperative that the underlying pMHE scheme has reusable ciphertexts, which was indeed the main challenge for our construction. It is important to observe that even thought the pMHE scheme does not have a compact decryption algorithm, this does not affect the compactness of the complied scheme. This is because the size of the circuit \(\varGamma \) is independent of the size of the evaluated circuit C, by the compactness of the underlying multi-key FHE scheme.

2.3 From pMHE to MHE

Equipped with pMHE, we discuss how to construct a full-fledged MHE scheme. There are two hurdles we need to cross to obtain this application. The first being the fact that pMHE only supports private evaluation and the second being that pMHE only satisfies ciphertext succinctness and in particular, could have large partial decryption values.

We address the second problem by applying a compiler that generically transforms a pMHE scheme with large partial decryption values into a scheme with succinct partial decryption values; that is, one that only grows proportional to the input, output lengths and the depth of the circuit being evaluated. Such compilers, that we refer to as low communication compilers were recently studied in the context of two-round secure MPC protocols [3, 33] and we adapt them to our setting. Once we apply such a compiler, we achieve our desired pMHE scheme that satisfies the required efficiency property.

To achieve an MHE scheme with public evaluation, we use a (single-key) leveled FHE scheme. Each party encrypts its secret key using FHE, that is, the \(i^{th}\) party generates an FHE key pair \((\mathsf {pk}_i,\mathsf {sk}_i)\) and encrypts the \(i^{th}\) secret key of pMHE under \(\mathsf {pk}_i\); we denote the resulting ciphertext as \(\mathsf {FHE}.\mathsf {ct}_i\). The \(i^{th}\) party ciphertext of the MHE scheme (\(\mathsf {MHE}.\mathsf {ct}_i\)) now consists of the \(i^{th}\) party ciphertext of the pMHE scheme (\(\mathsf {pMHE}.\mathsf {ct}_i\)) along with \(\mathsf {FHE}.\mathsf {ct}_i\). The public evaluation of MHE now consists of homomorphically evaluating the pMHE private evaluation circuit, with \((C,\mathsf {pMHE}.\mathsf {ct}_1,\ldots ,\mathsf {pMHE}.\mathsf {ct}_{N})\) hardwired, on the ciphertext \(\mathsf {FHE}.\mathsf {ct}_i\). Since this is performed for each party, there are N resulting FHE ciphertexts \((\widehat{\mathsf {FHE}.\mathsf {ct}_1},\ldots ,\widehat{\mathsf {FHE}.\mathsf {ct}_N})\). During the partial decryption phase, the \(i^{th}\) party decrypts \(\widehat{\mathsf {FHE}.\mathsf {ct}_i}\) using \(\mathsf {sk}_i\) to obtain the partial decryption value corresponds to the pMHE scheme. The final decryption of MHE is the same as the final decryption of pMHE.

2.4 Instantiating One-Time pMHE in the CRS Model

So far we have shown that one-time pMHE suffices to achieve both of our results. All that remains is to instantiate the one-time pMHE in the CRS model. We instantiate this using the multi-key FHE scheme with one-round decryption in the CRS model. A sequence of works [16, 17, 31] have presented a construction of such a scheme based on the LWE problem.

3 Preliminaries

We denote the security parameter by \(\lambda \). We focus only on boolean circuits in this work. For any circuit C, let \(C.\mathsf {in}, C.\mathsf {out}, C.\mathsf {depth}\) be the input length, output length and depth of the circuit C, respectively. Denote \(C.\mathsf {params}= (C.\mathsf {in}, C.\mathsf {out}, C.\mathsf {depth})\).

For any totally ordered sets \(S_1, S_2, \dots , S_n\), and any tuple \((i^*_1, i^*_2, \dots , i^*_n) \in S_1 \times S_2 \times \dots \times S_n\), we use the notation \((i^*_1, i^*_2, \dots , i^*_n) + 1\) (resp. \((i^*_1, i^*_2, \dots , i^*_n) - 1\)) to denote the lexicographical smallest (resp. biggest) element in \(S_1 \times S_2 \times \dots \times S_n\) that is lexicographical greater (resp. less) than \((i^*_1, i^*_2, \dots , i^*_n)\).

Pseudorandom Generators. We recall the definition of pseudorandom generators. A function \(\mathsf {PRG}_\lambda : \{0, 1\}^{\mathsf {PRG}.\mathsf {in}_\lambda } \rightarrow \{0, 1\}^{\mathsf {PRG}.\mathsf {out}_\lambda }\) is a pseduorandom generator, if for any PPT distinguisher \(\mathcal {D}\), there exits a negligible function \(\nu (\lambda )\) such that

$$\begin{aligned} \bigg |\Pr \left[ s \leftarrow \{0, 1\}^{\mathsf {PRG}.\mathsf {in}_\lambda } : \mathcal {D}(1^\lambda , \mathsf {PRG}_\lambda (s)) = 1\right] - \\ \Pr \left[ u \leftarrow \{0, 1\}^{\mathsf {PRG}.\mathsf {out}_\lambda }: \mathcal {D}(1^\lambda , u) = 1\right] \bigg | < \nu (\lambda ). \end{aligned}$$

Learning with Errors. We recall the learning with errors (LWE) distribution.

Definition 1 (LWE distribution)

For a positive integer dimension n and modulo q, the LWE distribution \(A_{\mathbf {s}, \chi }\) is obtained by sampling \(\mathbf {a} \leftarrow \mathbb {Z}_q^n\), and an error \(e \leftarrow \chi \), then outputting \((\mathbf {a}, b = \mathbf {s}^T \cdot \mathbf {a} + e) \in \mathbb {Z}_q^n \times \mathbb {Z}_q\).

Definition 2 (LWE problem)

The decisional \(\mathsf {LWE}_{n, m, q, \chi }\) problem is to distinguish the uniform distribution from the distribution \(A_{\mathbf {s}, \chi }\), where \(\mathbf {s} \leftarrow \mathbb {Z}_q^n\), and the distinguisher is given m samples.

Standard instantiation of LWE takes \(\chi \) to be a discrete Gaussian distribution.

Definition 3 (LWE assumption)

Let \(n = n(\lambda ), m = m(\lambda ), q = q(\lambda )\) and \(\chi = \chi (\lambda )\). The Learning with Error (LWE) assumption states that for any PPT distinguisher \(\mathcal {D}\), there exits a negligible function \(\nu (\lambda )\) such that

$$\begin{aligned} |\Pr [\mathcal {D}(1^\lambda , (\mathbf {A}, \mathbf {s}^T \mathbf {A} + \mathbf {e})) = 1] - \Pr [\mathcal {D}(1^\lambda , (\mathbf {A}, \mathbf {u})) = 1]| < \nu (\lambda ) \end{aligned}$$

where \(\mathbf {A} \leftarrow \mathbb {Z}_q^{n \times m}, \mathbf {s} \leftarrow \mathbb {Z}_q^n, \mathbf {u} \leftarrow \mathbb {Z}_q^m, \mathbf {e} \leftarrow \chi ^m\).

3.1 Garbling Schemes

A garbling scheme [34] is a tuple of algorithms \((\mathsf {GC}.\mathsf {Garble}, \mathsf {GC}.\mathsf {Eval})\) defined as follows.

  • \(\mathsf {GC}.\mathsf {Garble}(1^\lambda , C, \mathsf {lab})\) On input the security parameter, a circuit C, and a set of labels \(\mathsf {lab}= \{\mathsf {lab}_{i, b} \}_{i \in [C.\mathsf {in}], b \in \{0, 1\}}\), where \(\mathsf {lab}_{i, b} \in \{0, 1\}^{\lambda }\), it outputs a garbled circuit \(\widetilde{C}\).

  • \(\mathsf {GC}.\mathsf {Eval}(\widetilde{C}, \mathsf {lab})\) On input a garbled circuit \(\widetilde{C}\) and a set of labels \(\mathsf {lab}= \{\mathsf {lab}_i\}_{i\in [C.\mathsf {in}]}\), it outputs a value y.

We require the garbling scheme to satisfy the following properties.

  • Correctness. For any circuit C, and any input \(x \in \{0, 1\}^{C.\mathsf {in}}\),

  • Simulation Security. There exits a simulator \(\mathsf {Sim}= (\mathsf {Sim}_1, \mathsf {Sim}_2)\) such that, for any input x, any circuit C, and any non-uniform PPT distinguisher \(\mathcal {D}\), we have

Theorem 4

([34]). There exists a garbling scheme for all poly-sized circuits from one-way functions.

Remark 1

For the ease of representation, for any labels \(\mathsf {lab}\,{=}\, \{\mathsf {lab}_{i, b}\}_{i\in [n], b\in \{0, 1\}}\), and any input \(x \in \{0, 1\}^n\), we denote \(\mathsf {lab}_x = \{\mathsf {lab}_{i, x_i}\}_{i\in [n]}\).

3.2 Laconic Function Evaluation

A laconic function evaluation (LFE) scheme [33] for a class of poly-sized circuits consists of four PPT algorithms \(\mathsf {crsGen},\mathsf {Compress},\mathsf {Enc},\mathsf {Dec}\) described below.

  • \(\mathsf {crsGen}(1^{\lambda },\mathsf {params})\) It takes as input the security parameter \(\lambda \), circuit parameters \(\mathsf {params}\) and outputs a uniformly random common string \(\mathsf {crs}\).

  • \(\mathsf {Compress}(\mathsf {crs},C)\) It takes as input the common random string \(\mathsf {crs}\), poly-sized circuit C and outputs a digest \(\mathsf {digest}_C\). This is a deterministic algorithm.

  • \(\mathsf {Enc}(\mathsf {crs},\mathsf {digest}_C,x)\) It takes as input the common random string \(\mathsf {crs}\), a digest \(\mathsf {digest}_C\), a message x and outputs a ciphertext \(\mathsf {ct}\).

  • \(\mathsf {Dec}(\mathsf {crs},C,\mathsf {ct})\) It takes as input the common random string \(\mathsf {crs}\), circuit C, ciphertext \(\mathsf {ct}\) and outputs a message y.

Correctness. We require the following to hold:

Efficiency. The size of CRS should be polynomial in \(\lambda \), the input, output lengths and the depth of C. The size of digest, namely \(\mathsf {digest}_C\), should be polynomial in \(\lambda \), the input, output lengths and the depth of C. The size of the output of \(\mathsf {Enc}(\mathsf {crs},\mathsf {digest}_C)\) should be polynomial in \(\lambda \), the input, output lengths and the depth of C.

Security. For every PPT adversary \(\mathcal {A}\), input x, circuit C, there exists a PPT simulator \(\mathsf {Sim}\) such that for every PPT distinguisher \(\mathcal {D}\), there exists a negligible function \(\nu (\lambda )\) such that

Remark 2

A strong version of security, termed as adaptive security, was defined in [33]; for our construction, selective security suffices.

Theorem 5

([33]). Assuming the hardness of learning with errors, there exists a laconic function evaluation protocol.

4 Multi-key Fully Homomorphic Encryption

A multi-key FHE [29] allows one to compute functions over ciphertexts encrypted under different and independently sampled keys. One can then decrypt the result of the computation by gathering together the corresponding secret keys and run a decryption algorithm. In this work we explicitly distinguish between two families of schemes, depending on structural properties of the decryption algorithm.

  • One-Round Decryption: The decryption algorithm consists of two subroutines (i) a local phase (\(\mathsf {PartDec}\)) where each party computes a decryption share of the ciphertext based only on its secret key and (ii) a public phase (\(\mathsf {FinDec}\)) where the plaintext can be publicly reconstructed from the decryption shares. This variant is the focus of our work.

  • Unstructured Decryption: The decryption is a (possibly interactive) protocol that takes as input a ciphertext and all secret keys and returns the underlying plaintext. No special structural requirements are imposed.

In this work we are interested in constructing the former. However, the latter is going to be a useful building block in our transformation. More formally, a multi-key FHE is a tuple of algorithms \(\mathsf {MKFHE}= (\mathsf {KeyGen}, \mathsf {Enc}, \mathsf {Eval}, \mathsf {Dec})\) defined as follows.

  • \(\mathsf {KeyGen}(1^\lambda , i)\) On input the security parameter \(\lambda \), and an index \(i \in [N]\), it outputs a public-key secret-key pair \((\mathsf {pk}_i, \mathsf {sk}_i)\) for the i-th party.

  • \(\mathsf {Enc}(\mathsf {pk}_i, x_i)\) On input a public key \(\mathsf {pk}_i\) of the i-th party, and a message \(x_i\), it outputs a ciphertext \(\mathsf {ct}_i\).

  • \(\mathsf {Eval}(C,(\mathsf {ct}_j)_{j \in [N]})\) On input the circuit C of size polynomial in \(\lambda \) and the ciphertexts \((\mathsf {ct}_j)_{j \in [N]}\), it outputs the evaluated ciphertext \(\widehat{\mathsf {ct}}\).

  • \(\mathsf {Dec}((\mathsf {sk}_j)_{j\in [N]}, \widehat{\mathsf {ct}})\) On input a set of keys \(\mathsf {sk}_1, \dots , \mathsf {sk}_N\) and the evaluated ciphertext \(\widehat{\mathsf {ct}}\), it outputs a value \(y \in \{0, 1\}^{C.\mathsf {out}}\). We say that a multi-key FHE has a one-round decryption if the decryption protocol consists of the algorithms \(\mathsf {PartDec}\) and \(\mathsf {FinDec}\) with the following syntax.

    • \(\mathsf {PartDec}(\mathsf {sk}_i,i,\widehat{\mathsf {ct}})\) On input the secret key \(\mathsf {sk}_i\) of \(i^{th}\) party, the index i, and the evaluated ciphertext \(\widehat{\mathsf {ct}}\), it outputs the partial decryption \(p_i\) of the \(i^{th}\) party.

    • \(\mathsf {FinDec}(C, (p_j)_{j\in [N]})\) On input all the partial decryptions \((p_j)_{j\in [N]}\), it outputs a value \(y \in \{0, 1\}^{C.\mathsf {out}}\).

We say that the scheme is fully homomorphic if it is homomorphic for P/poly.

Trusted Setup. We also consider multi-key FHE schemes in the presence of a trusted setup, in which case we also include an algorithm \(\mathsf {Setup}\) that, on input the security parameter \(1^\lambda \), outputs a common reference string \(\mathsf {crs}\) that is given as input to all algorithms.

Correctness. We define correctness for multi-key FHE with one-round decryption, the more general notion can be obtained by modifying our definition in a natural way. Note that we only define correctness for a single application (single-hop) of the homomorphic evaluation procedure. It is well known that (multi-key) FHE schemes can be generically converted to satisfy the more general notion of multi-hop correctness [22].

Definition 4 (Correctness)

A scheme \(\mathsf {MKFHE}= (\mathsf {KeyGen}, \mathsf {Enc}, \mathsf {Eval}, \mathsf {PartDec}, \mathsf {FinDec})\) is said to satisfy the correctness of an MHE scheme if for any inputs \((x_i)_{i\in [N]}\), and circuit C, the following holds:

Compactness. We say that a scheme is compact if the size of the evaluated ciphertexts does not depend on the size of the circuit C and only grows with the security parameter (and possibly the number of keys N). Furthermore, we require that the runtime of the decryption algorithm (and of its subroutines \(\mathsf {PartDec}\) and \(\mathsf {FinDec}\)) is independent of the size of the circuit C.

Reusable Semi-malicious Security. We define the notion of reusable security for multi-key FHE with one-round decryption. Intuitively, this notion says that the decryption share do not reveal anything beyond the plaintext that they reconstruct to. In this work we present a unified notion that combines semantic security and computational indistingushability of partial decryption shares. This is a weakening of the definition given in [31], where the simulated decryption shares were required to be statistically close to the honestly compute ones. To the best of our knowledge, this weaker notion is sufficient for all applications of multi-key FHE. Note that by default we consider a semi-malicious adversary, that is allowed to choose the random coins of the corrupted parties arbitrarily.

We define security in the real/ideal world framework. The experiments are parameterized by adversary \(\mathcal {A}= (\mathcal {A}_1, \mathcal {A}_2)\), a PPT simulator \(\mathsf {Sim}\) implemented as algorithms \((\mathsf {Sim}_1, \mathsf {Sim}_2)\), the subset of honest parties \(H \subseteq [N]\), and their input \((x_i)_{i\in H}\). For the simplicity, we denote \(\bar{H} = [N] \setminus H\).

figure a

Definition 5

A scheme \(\mathsf {MKFHE}= (\mathsf {KeyGen}, \mathsf {Enc}, \mathsf {Eval}, \mathsf {PartDec}, \mathsf {FinDec})\) is said to satisfy the reusable semi-malicious security if the following holds: there exists a simulator \(\mathsf {Sim}= (\mathsf {Sim}_1, \mathsf {Sim}_2)\) such that for any PPT adversary \(\mathcal {A}\), for any set of honest parties \(H \subseteq [N]\), any n.u. PPT distinguisher \(\mathcal {D}\), and any messages \((x_i)_{i\in H}\), there exists a negligible function \(\nu (\lambda )\) such that

5 Multiparty Homomorphic Encryption

We define the notion of multiparty homomorphic encryption (MHE) in this section. As mentioned earlier, this notion can be seen as a variant of multi-key FHE [17, 31]; unlike multi-key FHE, this notion does not require a trusted setup, however, the final decryption phase needs to take as input the circuit being evaluated as input.

5.1 Definition

A multiparty homomorphic encryption is a tuple of algorithms \(\mathsf {MHE}= (\mathsf {KeyGen}, \mathsf {Enc}, \mathsf {Eval}, \mathsf {PartDec}, \mathsf {FinDec})\), which are defined as follows.

  • \(\mathsf {KeyGen}(1^\lambda , i)\) On input the security parameter \(\lambda \), and an index \(i \in [N]\), it outputs a public-key secret-key pair \((\mathsf {pk}_i, \mathsf {sk}_i)\) for the i-th party.

  • \(\mathsf {Enc}(\mathsf {pk}_i, x_i)\) On input a public key \(\mathsf {pk}_i\) of the i-th party, and a message \(x_i\), it outputs a ciphertext \(\mathsf {ct}_i\).

  • \(\mathsf {Eval}(C,(\mathsf {ct}_j)_{j \in [N]})\) On input the circuit C of size polynomial in \(\lambda \) and the ciphertexts \((\mathsf {ct}_j)_{j \in [N]}\), it outputs the evaluated ciphertext \(\widehat{\mathsf {ct}}\).

  • \(\mathsf {PartDec}(\mathsf {sk}_i,i,\widehat{\mathsf {ct}})\) On input the secret key \(\mathsf {sk}_i\) of \(i^{th}\) party, the index i, and the evaluated ciphertext \(\widehat{\mathsf {ct}}\), it outputs the partial decryption \(p_i\) of the \(i^{th}\) party.

  • \(\mathsf {FinDec}(C, (p_j)_{j\in [N]})\) On input the circuit C, and all the partial decryptions \((p_j)_{j\in [N]}\), it outputs a value \(y \in \{0, 1\}^{C.\mathsf {out}}\).

We require that a MHE scheme satisfies the properties of correctness, succinctness and reusable simulation security.

Correctness. We require the following definition to hold.

Definition 6 (Correctness)

A scheme \(\mathsf {MHE}= (\mathsf {KeyGen}, \mathsf {Enc}, \mathsf {Eval}, \mathsf {PartDec}, \mathsf {FinDec})\) is said to satisfy the correctness of an MHE scheme if for any inputs \((x_i)_{i\in [N]}\), and circuit C, the following holds:

$$\begin{aligned} \Pr \left[ \begin{array}{c} \forall i\in [N], (\mathsf {pk}_i, \mathsf {sk}_i) \leftarrow \mathsf {KeyGen}(1^\lambda , i) \\ \mathsf {ct}_i \leftarrow \mathsf {Enc}(\mathsf {pk}_i, x_i) \\ \widehat{\mathsf {ct}} \leftarrow \mathsf {Eval}(C, (\mathsf {ct}_j)_{j\in [N]}) \\ p_i \leftarrow \mathsf {PartDec}(\mathsf {sk}_i,i,\widehat{\mathsf {ct}}) \\ y \leftarrow \mathsf {FinDec}(C, (p_j)_{j\in [N]}) \end{array} : y = C(x_1,\ldots ,x_{N})\right] = 1. \end{aligned}$$

Succinctness. We require that the size of the ciphertexts and the partial decrypted values to be independent of the size of the circuit being evaluated. More formally,

Definition 7 (Succinctness)

A scheme \(\mathsf {MHE}= (\mathsf {KeyGen}, \mathsf {Enc}, \mathsf {Eval}, \mathsf {PartDec}, \mathsf {FinDec})\) is said to satisfy the succinctness property of an MHE scheme if for any inputs \((x_i)_{i\in [N]}\), and circuit C, the following holds: for any inputs \((x_i)_{i\in [N]}\), and circuit C,

  • Succinctness of Ciphertext: for \(j \in [N]\), \(|\mathsf {ct}_j|=\mathsf {poly}(\lambda , |x_j|)\).

  • Succinctness of Partial Decryptions: for \(j \in [N]\), \(|p_j|=\mathsf {poly}(\lambda , N, C.\mathsf {in},C.\mathsf {out},C.\mathsf {depth})\), where N is the number of parties, \(C.\mathsf {in}\) is the input length of the circuit being evaluated, \(C.\mathsf {out}\) is the output length and \(C.\mathsf {depth}\) is the depth of the circuit.

where, for every \(i \in [N]\), (i) \((\mathsf {pk}_i, \mathsf {sk}_i) \leftarrow \mathsf {KeyGen}(1^\lambda , i)\), (ii) \(\mathsf {ct}_i \leftarrow \mathsf {Enc}(\mathsf {pk}_i, x_i)\), (iii) \(\widehat{\mathsf {ct}} \leftarrow \mathsf {Eval}(C, (\mathsf {ct}_j)_{j\in [N]})\) and, (iv) \(p_i \leftarrow \mathsf {PartDec}(\mathsf {sk}_i, i, \widehat{\mathsf {ct}})\).

Remark 3

En route to constructing MHE schemes satisfying the above succinctness properties, we also consider MHE schemes that satisfy the correctness and security (stated next) properties but fail to satisfy the above succinctness definition. We refer to such schemes as non-succinct MHE schemes.

5.2 Security

We define the security of MHE by real world-ideal world paradigm. We only consider the semi-honest security notion.

In the real world, the adversary is given the public key \(\mathsf {pk}_i\) and ciphertext \(\mathsf {ct}_i\) for the honest parties, and also the uniform randomness coins \(r_i, r_i'\) for the dishonest parties, where \(r_i\) is used for the key generation, and \(r_i'\) is used for the encryption. In addition, the adversary is given access to an oracle \(\mathcal {O}\). Each time, the adversary can query \(\mathcal {O}\) with a circuit C. The oracle \(\mathcal {O}\) firstly evaluates C homomorphically over the ciphertexts \((\mathsf {ct}_i)_{i\in [N]}\), and obtains an evaluated ciphertext \(\widehat{\mathsf {ct}}\). Then it outputs the partial decryption of \(\widehat{\mathsf {ct}}\) of the honest parties.

In the ideal world, a simulator \(\mathsf {Sim}_1\) generates the \(\mathsf {pk}_i\) and \(\mathsf {ct}_i\) of honest parties, and also the random coins \((r_i, r_i')_{i\in \bar{H}}\) of dishonest parties, and sends them the the adversary. Then, the adversary is given access to an oracle \(\mathcal {O}'\). For each query C made by the adversary, the oracle \(\mathcal {O}'\) executes the stateful simulator \(\mathsf {Sim}_2\) to obtain the simulating partial decryption messages \((p_i)_{i\in H}\) of honest parties. Then the oracle \(\mathcal {O}'\) outputs \((p_i)_{i\in H}\).

Reusable Semi-honest Security. We define the real and ideal experiments below. The experiments are parameterized by adversary \(\mathcal {A}\), a PPT simulator \(\mathsf {Sim}\) implemented as algorithms \((\mathsf {Sim}_1, \mathsf {Sim}_2)\), the subset of honest parties \(H \subseteq [N]\), and the input \((x_i)_{i\in [N]}\). For the simplicity, we denote \(\bar{H} = [N]\,\setminus \,H\).

figure b

Definition 8

A scheme \((\mathsf {MHE}.\mathsf {KeyGen},\ \mathsf {MHE}.\mathsf {Enc},\ \mathsf {MHE}.\mathsf {Eval},\ \mathsf {MHE}.\mathsf {PartDec}, \mathsf {MHE}.\mathsf {FinDec})\) is said to satisfy the reusable semi-honest security if the following holds: there exists a simulator \(\mathsf {MHE}.\mathsf {Sim}= (\mathsf {MHE}.\mathsf {Sim}_1, \mathsf {MHE}.\mathsf {Sim}_2)\) such that for any PPT adversary \(\mathcal {A}\), for any set of honest parties \(H \subseteq [N]\), any n.u. PPT distinguisher \(\mathcal {D}\), and any messages \((x_i)_{i\in [H]}\), there exists a negligible function \(\nu (\lambda )\) such that

Remark. Definition 8 directly captures the reusability property implied by the definition of [31]. However, our definition is somewhat incomparable to [31] due to the following reasons: [31] give a one-time (semi-malicious) statistical simulation security definition for threshold decryption, which implies multi-use security via a standard hybrid argument. In contrast, Definition 8, which guarantees (semi-honest) computational security, is given directly for the multi-use setting. Second, [31] define security of threshold decryption only for \(n-1\) corruptionsFootnote 5 whereas our definition captures any dishonest majority.

6 Intermediate Notion: MHE with Private Evaluation (pMHE)

Towards achieving MHE, we first consider a relaxation of the notion of MHE where we allow the evaluation algorithm to be a private-key procedure. We call this notion MHE with private evaluation, denoted by pMHE.

A multiparty homomorphic encryption with private evaluation (pMHE) is a tuple of algorithms \((\mathsf {Enc}, \mathsf {PrivEval}, \mathsf {FinDec})\), which are defined as follows.

  • \(\mathsf {Enc}(1^\lambda , C.\mathsf {params}, i, x_i)\) On input the security parameter \(\lambda \), the parameters of a circuit C, \(C.\mathsf {params}= (C.\mathsf {in}, C.\mathsf {out}, C.\mathsf {depth})\), an index i, and an input \(x_i\), it outputs a ciphertext \(\mathsf {ct}_i\), and a partial decryption key \(\mathsf {sk}_i\).

  • \(\mathsf {PrivEval}(\mathsf {sk}_i, C, (\mathsf {ct}_j)_{j\in [N]})\)Footnote 6 On input the partial decryption key \(\mathsf {sk}_i\), a circuit C, and the ciphertexts \((\mathsf {ct}_j)_{j\in [N]}\), it outputs a partial decryption message \(p_{i}\).

  • \(\mathsf {FinDec}(C, (p_{j})_{j\in [N]})\) On input the circuit C and the partial decryptions \((p_{j})_{j\in [N]}\), it outputs \(y \in \{0, 1\}^{C.\mathsf {out}}\).

Correctness. For any input \((x_i)_{i\in [N]}\), and any circuit C, we have

Reusable Semi-malicious Security. The experiments are parameterized by the adversary \(\mathcal {A}= (\mathcal {A}_1, \mathcal {A}_2)\), the subset of honest parties \(H \subseteq [N]\), the inputs \((x_i)_{i\in H}\), and the PPT simulator \(\mathsf {Sim}\) implemented as algorithms \((\mathsf {Sim}_1, \mathsf {Sim}_2)\). Denote \(\bar{H} = [N]\setminus H\).

figure c

Definition 9

A scheme \(\mathsf {pMHE}= (\mathsf {Enc}, \mathsf {PrivEval}, \mathsf {FinDec})\) is said to satisfy the reusable semi-malicious security if the following holds: there exists a simulator \(\mathsf {Sim}= (\mathsf {Sim}_1, \mathsf {Sim}_2)\) such that for any PPT adversary \(\mathcal {A}\), for any set of honest parties \(H \subseteq [N]\), PPT distinguisher \(\mathcal {D}\), and any messages \((x_i)_{i\in H}\), there exists a negligible function \(\nu (\lambda )\) such that

6.1 CRS Model

A pMHE in the common random/reference string model is a tuple of algorithms \(\mathsf {pMHE}= (\mathsf {Setup}, \mathsf {Enc},\mathsf {PrivEval}, \mathsf {FinDec})\), where the \(\mathsf {PrivEval}, \mathsf {FinDec}\) works the same way as in the plain model, while \(\mathsf {Setup}, \mathsf {Enc}\) are defined as follows.

  • \(\mathsf {Setup}(1^\lambda )\) On input the security parameter, it outputs a common reference string \(\mathsf {crs}\).

  • \(\mathsf {Enc}(\mathsf {crs}, C.\mathsf {params}, i, x_i)\) On input the common reference string \(\mathsf {crs}\), the parameters of C, an index i, and an input \(x_i\), it output a ciphertext \(\mathsf {ct}_i\), and a partial decryption key \(\mathsf {sk}_i\).

6.2 One-Time pMHE

We consider a weak version of pMHE scheme called one-time pMHE.

Definition 10

A pMHE scheme is a one-time pMHE scheme, if the security holds for all n.u. PPT adversary \(\mathcal {A}\) that only query the oracle \(\mathcal {O}\) at most once.

We will use a one-time pMHE scheme as a starting point in the reusability transformation.

Remark 4

In this setting, without loss of generality, we assume that the private evaluation algorithm \(\mathsf {PrivEval}\) is deterministic, and the secret key is the randomness used by \(\mathsf {Enc}\).

6.3 Ciphertext Succinctness

We define the notion of ciphertext succinctness associated with a pMHE scheme. Roughly, we require the size of the encryption circuit to only grow with the depth of the circuits being homomorphically evaluated. We additionally require the depth of the encryption circuit to be only poly-logarithmically in the depth. We allow the depth of the encryption circuit to, however, grow polynomially in the number of parties and input lengths. We impose similar efficiency requirements on the setup procedure as well.

Note that this is an incomparable to the traditional succinctness property we defined for an MHE scheme; on one hand, ciphertext succinctness imposes an additional requirement on the encryption circuit whereas it doesn’t say anything about the size of the partial decryption values. The succinctness property of MHE is about the size of the ciphertexts whereas the ciphertext succinctness property is about the complexity of the encryption circuit.

Definition 11 (Ciphertext Succinctness)

A pMHE scheme with a setup \(\mathsf {pMHE}= (\mathsf {Setup}, \mathsf {Enc}, \mathsf {PrivEval}, \mathsf {FinDec})\) is said to satisfy strong ciphertext succinctness property if it satisfies the correctness, strong semi-honest security, and in addition, satisfies the following properties:

  • The size of the \(\mathsf {Setup}\) circuit is \(\mathsf {poly}(\lambda , N, C.\mathsf {depth})\).

  • The depth of the \(\mathsf {Setup}\) circuit is \(\mathsf {poly}(\lambda , N, \log (C.\mathsf {depth}) )\).

  • The size of the \(\mathsf {Enc}\) circuit is \(\mathsf {poly}(\lambda , N, C.\mathsf {in}, C.\mathsf {depth})\).

  • The depth of the \(\mathsf {Enc}\) circuit is \(\mathsf {poly}(\lambda , N, C.\mathsf {in}, \log (C.\mathsf {depth}))\).

where N is the number of parties, and \((C.\mathsf {in},C.\mathsf {out},C.\mathsf {depth})\) are the parameters associated with the circuits being evaluated.

Remark 5

The ciphertext succinctness property is incomparable with the succinctness property of an MHE scheme; while there is no requirement on the size of the partial decryptions in the above definitions, there is a strict requirement on the complexity of the encryption procedure in the above definition as against a requirement on just the size of the ciphertexts as specified in the succinctness definition of MHE.

6.4 Instantiation

We can instantiate any one-time pMHE scheme satisfying ciphertext sucinctness in the CRS model from any multi-key FHE in the CRS model. Thus, have the following:

Theorem 6 (Ciphertext-Succinct One-Time pMHE with CRS from LWE)

Assuming learning with errors, there exists a one-time pMHE scheme in the CRS model satisfying ciphertext succinctness property.

We defer the proof to the full version.

7 Main Step: One-Time pMHE in CRS \(\Longrightarrow \) Reusable pMHE

In this section, we show how to bootstrap from a one-time pMHE with ciphertext succinctness property into a (possibly non-succinct) reusable pMHE scheme.

Lemma 1 (Bootstrap from One-Time Ciphertext Succinctness Scheme to Reusable Scheme)

From the following primitives,

  • \(\mathsf {pMHE}' = (\mathsf {pMHE}'.\mathsf {Setup}, \mathsf {pMHE}'.\mathsf {Enc}, \mathsf {pMHE}'.\mathsf {PrivEval}, \mathsf {pMHE}'.\mathsf {FinDec})\): a one-time ciphertext succinct pMHE scheme in the CRS model.

  • \(\mathsf {pMHE}_0 = (\mathsf {pMHE}_0.\mathsf {Enc}, \mathsf {pMHE}_0.\mathsf {PrivEval}, \mathsf {pMHE}_0.\mathsf {FinDec})\): a one-time delayed-function semi-malicious pMHE scheme without setup. (Note: this pMHE scheme need not satisfy any succinctness property)

  • \(\mathsf {PRG}: \{0, 1\}^{\mathsf {PRG}.\mathsf {in}} \rightarrow \{0, 1\}^{\mathsf {PRG}.\mathsf {out}}\), a pseduorandom generator, where \(\mathsf {PRG}.\mathsf {out}= \mathsf {poly}(\mathsf {PRG}.\mathsf {in})\) for some large polynomial \(\mathsf {poly}\). Moreover, we require the depth of \(\mathsf {PRG}\) to be \(\mathsf {poly}(\lambda ,\log (\mathsf {PRG}.\mathsf {out}))\) for some fixed \(\mathsf {poly}\) independent of \(\mathsf {PRG}.\mathsf {out}\).

we can build a reusable semi-malicious pMHE scheme \(\mathsf {pMHE}= (\mathsf {pMHE}.\mathsf {Enc}, \mathsf {pMHE}.\mathsf {PrivEval}, \mathsf {pMHE}.\mathsf {FinDec})\) without the trusted setup.

Construction. We present the construction below.

In our construction, each party generates a PRG seed \(k_i\), then in on the t-th level of the tree, the i-th party uses \(k_i\) to generate a pseudorandom string, which is divided into the following 5 parts.

  1. 1.

    \((\mathsf {lab}^{i, t+1, b})_{b \in \{0, 1\}}\) is used as the labels of the children nodes.

  2. 2.

    \((k_{i, b}^{t+1})_{b \in \{0, 1\}}\) are the PRG seeds for the children nodes.

  3. 3.

    \((r_{i,1,b}^{t+1})_{b \in \{0, 1\}}\) is the randomness used to generate the two new ciphertexts for the children nodes.

  4. 4.

    \((r_{i,2,b}^{t+1})_{b \in \{0, 1\}}\) is the randomness used to generate the garbled circuits for the children nodes.

  5. 5.

    \((r_{i,3,b}^{t+1})_{b \in \{0, 1\}}\) is the randomness used to generate the CRS of the children nodes. We will xor the \(r_{i, 3, b}\) for all the parties to achieve semi-malicious security.

    • Randomly sample \(k_i \leftarrow \{0, 1\}^{\mathsf {PRG}.\mathsf {in}}\), and random coins \(r_{i}\).

    • \((\mathsf {ct}_i', \mathsf {sk}_i') \leftarrow \mathsf {pMHE}_0.\mathsf {Enc}(1^\lambda , \mathsf {NewEnc}^1.\mathsf {params}, i, (x_i, k_i))\), where \(\mathsf {NewEnc}^1\) is defined in Fig. 3.

    • Let \(\mathsf {ct}_i = \mathsf {ct}_i'\) and \(\mathsf {sk}_i = (\mathsf {sk}_i', (k_i, r_{i}))\).

    Output \((\mathsf {ct}_i, \mathsf {sk}_i)\).

    • Parse \(\mathsf {sk}_i\) as \((\mathsf {sk}_i', (k_i, r_{i}))\).

    • Let \(\mathsf {id}\) be the binary representation of the circuit C. Denote \(n = |\mathsf {id}|\).

    • For \(t \in [n]\), \(\mathsf {Boot}^t\) is defined as follows.

      • \(\mathsf {Boot}^t_{[\mathsf {sk}_i^t]}(\mathsf {ct}^t)\)

      • \(\bullet \) Let \(p_i^t = \mathsf {pMHE}'.\mathsf {PrivEval}(\mathsf {sk}_i^t, \mathsf {NewEnc}^{t+1}, \mathsf {ct}^t)\), where \(\mathsf {NewEnc}\) is defined in Figs. 3 and 4.

      • \(\bullet \) Output \(p_i^t\).

  • Let \(p_i^0 = \mathsf {pMHE}'.\mathsf {PrivEval}(\mathsf {sk}_i', \mathsf {NewEnc}^1, (\mathsf {ct}_j)_{j\in [N]}; r_{i})\), \(k_i^0 = k_i\).

  • For each \(t = 1, 2, \dots , n\),

    • Let \(b = \mathsf {id}[t]\). Parse \(\mathsf {PRG}(k_i^{t-1})\) as \((\mathsf {lab}^{i,t,b'}, k_{i, b'}^t, r_{i, 1, b'}^t, r_{i, 2, b'}^t, r_{i,3,b'}^t)_{b' \in \{0, 1\}}\)

    • Let \(\mathsf {sk}_i^t = r_{i,1,b}^t\), \(\widetilde{\mathsf {Boot}_{i}^t} \leftarrow \mathsf {GC}.\mathsf {Garble}(1^\lambda , \mathsf {Boot}^t_{[\mathsf {sk}_i^t]}, \mathsf {lab}^{i, t, b}; r^t_{i,2,b})\).

    • Let \(k_i^t = k_{i, b}^t\).

  • Let \(p_i = (p_i^0, (\widetilde{\mathsf {Boot}_{i}^t})_{t \in [n]}, \mathsf {ct}_i)\).

  • Output \(p_i\).

Fig. 3.
figure 3

Description of \(\mathsf {NewEnc}^t\), for \(t \in [n]\).

Full size image
Fig. 4.
figure 4

Description of \(\mathsf {NewEnc}^{n+1}\).

Full size image

    • Let \(\mathsf {id}\) be the binary representation of C. Parse \(p_i\) as \((p_i^0, (\widetilde{\mathsf {Boot}_{i}^t})_{t\in [n]}, \mathsf {ct}_i)\).

    • For each \(t = 1, 2, \dots , n\),

      • Let \(b = \mathsf {id}[t]\).

      • If \(t \,{=}\, 1\)\((\mathsf {lab}'^{i,t,0}, \mathsf {lab}'^{i,t,1})_{i\in [N]}\,{ \leftarrow }\, \mathsf {pMHE}_0.\mathsf {FinDec}(\mathsf {NewEnc}^t, (p_i^{t-1})_{i \in [N]})\).

      • Otherwise, \((\mathsf {lab}'^{i,t,0}, \mathsf {lab}'^{i,t,1})_{i\in [N]} \,{ \leftarrow }\,\mathsf {pMHE}'.\mathsf {FinDec}(\mathsf {NewEnc}^t, (p_i^{t-1})_{i \in [N]})\).

      • For each \(i \in [N]\), execute \(p_i^t \leftarrow \mathsf {GC}.\mathsf {Eval}(1^\lambda , \widetilde{\mathsf {Boot}_{i}^t}, \mathsf {lab}'^{i,t,b})\).

    • Let \(y \leftarrow \mathsf {pMHE}'.\mathsf {FinDec}(\mathsf {NewEnc}^{n+1}, (p_i^n)_{i\in [N]})\).

    • Output y.

7.1 Correctness

Lemma 2 (Correctness)

The construction of \(\mathsf {pMHE}\) is correct.

We defer the proof to the full version.

7.2 Security

Lemma 3 (Reusable Semi-malicious Security)

The construction of \(\mathsf {pMHE}\) is reusable semi-malicious secure.

We defer the proof to the full version.

7.3 Instantiation

We can instantiate \(\mathsf {pMHE}_0\) based on any two-round semi-malicious MPC in the plain model and this in turn can be based on any two-round semi-malicious oblivious transfer (OT); we crucially use the fact that \(\mathsf {pMHE}_0\) need not satisfy any succinctness property for this implication. Furthermore, we can instantiate the two-round semi-malicious OT from learning with errors [13]. Similarly, we can also instantiate one-time pMHE in the CRS model with ciphertext succcintness from learning with errors (Theorem 6) and finally, the pseudorandom generator mentioned above any pseudorandom function which in turn can be based on one-way functions. Thus, we have the following theorem.

Theorem 7

Assuming LWE, there exists a (non-succinct) reusable pMHE scheme in the plain model.

8 Result #1: Construction of Multi-key FHE

In the following we show how to combine a multi-key FHE with unstructured decryption with a reusable pMHE without trusted setup to obtain a multi-key FHE scheme in the plain model with one-round decryption.

Theorem 8 (Multi-key FHE in the Plain Model)

If there exists a semantically secure multi-key FHE scheme \(\mathsf {MKFHE}' = (\mathsf {MKFHE}'.\mathsf {KeyGen}, \mathsf {MKFHE}'.\mathsf {Enc}, \mathsf {MKFHE}'.\mathsf {Eval}, \mathsf {MKFHE}'.\mathsf {Dec})\) without trusted setup and with unstructured decryption, and a reusable semi-malicious pMHE scheme \(\mathsf {pMHE}= (\mathsf {pMHE}.\mathsf {Enc}, \mathsf {pMHE}.\mathsf {PrivEval}, \mathsf {pMHE}.\mathsf {FinDec})\) without trusted setup, then there exists a semi-malicious multi-key FHE scheme \(\mathsf {MKFHE}= (\mathsf {MKFHE}.\mathsf {KeyGen}, \mathsf {MKFHE}.\mathsf {Enc}, \mathsf {MKFHE}.\mathsf {Eval}, \mathsf {MKFHE}.\mathsf {PartDec}, \mathsf {MKFHE}.\mathsf {FinDec})\) without trusted setup.

Construction. Let \(\varGamma .\mathsf {params}\) be the input, output size, and depth of the decryption circuit of the multi-key FHE scheme \(\mathsf {MKFHE}'\). The construction is described below.

figure d

We defer the proof to the full version.

8.1 Instantiation

By Theorem 7 we can instantiate the reusable semi-malicious pMHE scheme from the LWE problem (with sub-exponential modulus-to-noise ratio). For the multi-key FHE with unstructured decryption, we can use the scheme from [29], which is shown semantically secure against the Ring LWE and the DSPR problem. Thus we obtain the following implication.

Theorem 9

Assuming LWE, Ring LWE, and DSPR, there exists a multi-key FHE scheme with one-round decryption in the plain model.

9 Result #2: Construction of MHE

We now show how to construct an MHE scheme. In Sect. 7, we constructed a pMHE scheme satisfying ciphertext succinctness. To obtain an MHE scheme from pMHE with ciphertext succinctness, we perform the following two steps: (1) first, we transform the above pMHE scheme into another scheme satisfying succinctness (recall that succinctness is incomparable to ciphertext succinctness) and, (2) secondly, we show how to achieve public evaluation generically to obtain the MHE scheme.

9.1 Non-Succinct pMHE to Succinct pMHE

We now show how to generically transform a non-succinct pMHE scheme into a succinct pMHE scheme. Furthermore, the transformation preserves the number of queries the adversary can make to the decryption oracle. That is, if the underlying pMHE scheme is reusable, then so is the resulting scheme.

Theorem 10

Assuming LWE, there exists a generic transformation from any non-succinct (Remark 3) semi-honest pMHE to a succinct (Definition 7) semi-honest pMHE scheme.

We defer the proof to the full version.

9.2 pMHE to MHE: Private to Public Evaluation

We show how to construct an MHE scheme from pMHE and a leveled fully homomorphic encryption scheme.

Theorem 11 (From pMHE to MHE)

If there exits a reusable semi-honest secure pMHE scheme \(\mathsf {pMHE}\) with succinctness property, and a (leveled) fully homomorphic encryption scheme \(\mathsf {FHE}= (\mathsf {FHE}.\mathsf {KeyGen}, \mathsf {FHE}.\mathsf {Enc}, \mathsf {FHE}.\mathsf {Dec}, \mathsf {FHE}.\mathsf {Eval})\), then there exits a reusable semi-honest secure MHE scheme \(\mathsf {MHE}\) with succinctness property.

We defer the proof to the full version.