1 Introduction

The goal of program obfuscation is to transform an arbitrary circuit \(C\) into an unintelligible but functionally equivalent circuit \(\tilde{C}\). The notion of program obfuscation was first studied by Hada [41] and Barak et al. [10]. However, these works showed that natural notions of obfuscation are impossible to realize for general functionalities. Specifically, Barak et al. [10] defined a very natural notion of security for program obfuscation called virtual black-box (VBB) security, which requires that an obfuscated program does not reveal anything beyond what could be learned from just the input–output behavior of the original program. In the same work, they showed that this notion of program obfuscation is impossible to achieve for arbitrary circuits.

In light of this impossibility result, much of the work on obfuscation focused on realizing obfuscation for special functionalities. However, this changed with the work of Garg et al. [30] that proposed the first candidate indistinguishability obfuscation (iO) construction based on multilinear maps [28]. Furthermore, Garg et al. [30] showed powerful applications of iO to tasks such as functional encryption. Loosely speaking, iO requires that the obfuscations of two circuits \(C_0\) and \(C_1\) that have identical input-output behavior are computationally indistinguishable. Subsequently, significant work on using program obfuscation (e.g., [16, 29, 62]) has shown that most cryptographic applications of interest can be realized using iO (and one-way functions), or that iO is virtually crypto-complete.

Given its importance, significant effort has been poured into realizing secure obfuscation candidates. The first approach to obfuscation relied on using new candidate constructions of multilinear maps [23, 28, 35], an algebraic object that significantly expands the structure available for cryptographic constructions. Unfortunately, all multilinear map constructions so far have relied on ad-hoc and new computational intractability assumptions. Furthermore, attacks [22, 43] on the multilinear map candidates and attacks [21, 58] on several of the multilinear map based iO constructions [9, 19, 30] were later found. In light of these attacks, follow up works (e.g., [31]) offered constructions that defended against these attacks by giving constructions in the so-called weak multilinear map model [58]. Several of these weak multilinear map model-based iO constructions are still conjectured to be secure; however, the break-and-repair cycle of their development has left cryptographers wary, and rightly so.

Around the time when attacks on multilinear map candidates were at an all-time high, cryptographers started exploring new approaches to iO without using multilinear maps (or reducing their usage). Toward this goal, Bitansky and Vaikunthanathan [15] and Ananth and Jain [4] showed that iO could be realized assuming just functional encryption. In another approach, instead of trying to remove multilinear maps completely, Lin [48] and Lin and Vaikuntanathan [53] attempted to reduce their usage, i.e., they proposed iO constructions using only constant degree multilinear maps. With the goal of ultimately basing iO constructions on standard assumptions on bilinear maps, cryptographers started developing new ideas for realizing iO candidates from smaller constant degree multilinear maps [5, 49]. Recently, Lin and Tessaro [51] described a candidate iO construction from degree-L multilinear maps for any \(L\ge 2\) and additionally assuming PRGs with certain special locality properties. Unfortunately, it was shown the needed PRGs for the case of \(L=2\) are insecure [8, 54].Footnote 1 Thus, still leaving a gap between bilinear maps and iO constructions which could now be based on trilinear maps [52]. Very recent works [1, 3, 45] (and cryptanalysis [12]) develop new ideas to resolve these problems and realize constructions based on bilinear maps. However, these bilinear map-based constructions, which are still conjectured to be secure, additionally rely on certain pseudorandom objects with novel security properties. Finally, we note that all the other (perhaps less popular) approaches to iO (e.g., [37]) also start from new computational hardness assumptions.

Given the prior work, it is natural to wonder whether new sources of hardness are necessary for realizing iO candidates. Making progress on this dilemma is the focus of this work.

1.1 Our Results

We propose a new approach to construct general-purpose indistinguishability obfuscation. Our approach is heuristic but combines (in a non-standard way) well-known cryptographic building blocks, whose stand-alone security is well-established. In other words, our constructions use well-studied cryptographic primitives in a generic way to realize obfuscation, while still being heuristic in the sense that our constructions are not provably secure and make implicit assumptions about the interplay of the underlying primitives. The primitives we use can themselves be securely realized based on standard assumptions, namely the hardness of the learning with errors (LWE) and the decisional composite residues (DCR) problem. At a high level, our heuristics are similar in flavor to (i) the random oracle heuristic that is often used in cryptographic constructions [13] and (ii) the circular security heuristic that has been widely used in the construction of fully homomorphic encryption schemes (FHE) [34].

Split-FHE The starting point of our work is the fact that iO can provably be based on split FHE, a new primitive that we introduce in this work. A split FHE is an FHE scheme that allows for certain special properties of the decryption algorithm. Specifically, we consider FHE schemes for which the decryption algorithm can be split into two subroutines:

  • \(\rho \leftarrow \textsf{PDec}(\textsf{sk},c):\) A private procedure that takes the FHE secret key and a ciphertext as input and produces a decryption hint \(\rho \), of size much smaller than the message encrypted in \(c\).

  • \(m\leftarrow \textsf{Rec}(\rho , c):\) A public procedure that takes as input the decryption hint \(\rho \) (generated by \(\textsf{PDec}\)) and the ciphertext \(c\) and recovers the full plaintext.

The security for a split FHE scheme requires that, for all pairs of messages \((m_0, m_1)\) and all circuits \(C\) such that \(C(m_0) = C(m_1)\), the encryption of \(m_0\) is computationally indistinguishable from the encryption of \(m_1\), even given the decryption hint for the ciphertext evaluated on \(C\). We show that split FHE alone suffices to construct exponentially efficient iO [50], which in turn allows us to build fully fledged iO. Concretely, we prove the following theorem.

Theorem 1.1

(Informal) Assuming sub-exponentially hard LWE and the existence of sub-exponentially secure split FHE, there exists indistinguishability obfuscation for all polynomial-size circuits.

A Generic Candidate Next, we show a generic candidate construction of split FHE based on three building blocks: (i) a standard FHE scheme with linear decrypt-and-multiply (which can be instantiated with essentially all LWE-based constructions), (ii) a linearly homomorphic encryption scheme with short decryption hints (such as the Damgård-Jurik encryption scheme [24], based on the DCR problem), and (iii) a cryptographic hash functions. The security of the scheme can be based on a new conjecture on the interplay of these primitives, which we view as a natural strengthening of circular security. In this sense, it is aligned with Gentry’s heuristic step in the FHE bootstrapping theorem [34]. Additionally, our use of the cryptographic hash function has similarities to the other heuristic uses of hash functions, e.g., in the Fiat-Shamir transformation [27].

We expect that there will exist instantiations of the underlying primitives (though contrived) for which this construction is insecure. For example, if the underlying schemes are not circular secure to begin with, then the resulting split FHE would also be insecure. However, for natural instantiations of these primitives, security can be conjectured.

Evidence of Security In order to build confidence in our construction, we show evidence that the above-mentioned conjecture on the interplay between the security holds in an appropriate oracle model, inspired by the random oracle model, thus pushing all the heuristic aspects of the construction to an oracle. In fact, we show that security can be proved in this oracle model.

An alternate way to think of this result is that we construct split FHE based on an obfuscation for a specific program (representing the oracle), for which we can offer a relatively simple and natural heuristic implementation.

Conceptual Simplicity Another positive feature of our construction is its conceptual simplicity, which makes it much easier to analyze and thus have confidence in. Finally, we remark that our construction is a big departure from the previously mentioned multilinear maps based and local PRG-based iO constructions and will be accessible to readers without first understanding prior iO constructions.

1.2 Technical Overview

In the following we give an informal overview of the techniques we develop in this work and we refer the reader to the technical sections for more precise statements.

1.2.1 Chimeric FHE

Our starting point is the hybrid FHE scheme recently introduced by Brakerski et al. [17], which we recall in the following. The objective of their work is to build an FHE scheme with best possible rate (in an asymptotic sense) by leveraging the fact that most LWE-based FHE schemes admit an efficient linear noisy decryption. Specifically, given an FHE ciphertext \(c\) and an LWE secret key \((s_1, \dots , s_n)\) one can rewrite the decryption operation as a linear function \(L_c(\cdot )\) such that

$$\begin{aligned} L_c(s_1, \dots , s_n) = \textsf{ECC}(m) + e \end{aligned}$$

where e is a B-bounded noise term and \(\textsf{ECC}\) is some encoding of the plaintext (in their scheme \(m\) is packed in the high-order bits so that it does not interfere with the noise term). The idea then is to encrypt the secret key \((s_1, \dots , s_n)\) under a (high-rate) linearly homomorphic encryption (LHE) scheme, which allows one to compress evaluated FHE ciphertexts by computing \(L_c(\cdot )\) homomorphically.

One interesting property of this approach is that it is completely parametric in the choice of the schemes, as long as they satisfy some simple structural requirements: More concretely, one can use any LHE scheme as long as its plaintext domain matches the LWE modulus of the FHE scheme. As an example, one can set the LHE to be the Damgård-Jurik encryption scheme [24, 59], which we briefly recall in the following. The public key of the scheme consists of a large composite \(N = pq\) and an integer \(\zeta \), and the encryption algorithm for a message \(m\) computes

$$\begin{aligned} c= {\rho }^{N^\zeta } \cdot (1+N)^{m} \mod N^{\zeta +1} \end{aligned}$$

for some uniform \({\rho } \leftarrow \!\!\$\,\mathbb {Z}_N\). Note that the corresponding plaintext space is \(\mathbb {Z}_{N^\zeta }\) and therefore the rate of the scheme approaches 1 as \(\zeta \) grows. Furthermore, we observe that the scheme has one additional property that we refer to as split decryption. A scheme has split decryption if the decryption algorithm can be divided into a private and a public subroutine:

  • The private procedure takes as input a ciphertext \(c\) and the secret key \(\phi (N)\) and computes a decryption hint

    $$\begin{aligned} \rho = c^{N^{-\zeta }} \mod N \end{aligned}$$

    using the extended Euclidean algorithm. It is crucial to observe that \(\rho \in \mathbb {Z}_N\) is potentially much smaller than the plaintext \(m\).

  • The public procedure takes as input a ciphertext \(c\) and the decryption hint \(\rho \) and recovers the plaintext by computing

    $$\begin{aligned} (1+N)^m= c/ \rho ^{N^\zeta } \mod N^{\zeta +1} \end{aligned}$$

    and decoding \(m\) in polynomial time using the binomial theorem.

In a nutshell, the subgroup homomorphism allows one to recompute the randomness, which can be then publicly stretched and used to unmask the plaintext. This means that \(m\) can be fully recovered by communicating a small hint of size fixed and, in particular, independent of \(|m|\). As we are going to discuss later, this property is going to be our main leverage to build general-purpose obfuscation.

Temporarily glossing over the security implications, we point out that the hybrid scheme of Brakerski et al. [17] already suffices to construct an FHE scheme with split decryption (in short, split FHE): Simply instantiate the LHE scheme with Damgård-Jurik and convert evaluated FHE ciphertexts before decryption using the algorithm described above.

1.2.2 Security for Split FHE

We now delve into the desired security property for a split FHE scheme. On a high level, we would like to ensure that the decryption hint does not reveal any additional information, beyond the plaintext of the corresponding ciphertext. It is instructive to observe that if we do not insist on this property, then every FHE scheme has a trivial split decryption procedure which simply outputs the secret key. We formalize this intuition as an indistinguishability definition that, roughly speaking, demands that for all plaintext pairs \((m_0, m_1)\) and every set of circuits \((C_1, \dots , C_\beta )\) such that \(C_i(m_0) = C_i(m_1)\), the encryption of \(m_0\) and \(m_1\) are computationally indistinguishable, even given the decryption hints \(\rho _i\) of the evaluated ciphertexts. The condition \(C_i(m_0) = C_i(m_1)\) rules out trivial attacks where the distinguisher just checks the output of the evaluation. Here \(\beta = \beta (\lambda )\) is an arbitrary (but a priori bounded) polynomial in the security parameter.

Unfortunately, our candidate as described above falls short in satisfying this security notion: The central problem is that our split decryption procedure reveals the complete plaintext encoded in the Damgård-Jurik ciphertexts. This means that the distinguisher learns arbitrarily many relations of the form

$$\begin{aligned} L_{c_i}(s_1, \dots , s_n) = \textsf{ECC}(C_i(m_b)) + e_i\end{aligned}$$

where \(c_i\) is the evaluated ciphertext and \(L_{c_i}\) is a publicly known linear function. Collecting a large enough sample allows the distinguisher to recompute the FHE secret key \((s_1, \dots , s_n)\) via, e.g., Gaussian elimination. A standard approach to obviate this problem is to smudge the noise \(e_i\) with some mask \(r_i\) uniformly sampled from an exponentially larger domain. Thus, a natural solution would be to compute a randomizing ciphertext \(d_i = \mathsf {DJ.Enc}(\textsf{pk}_\textsf{DJ}, r_i)\) and output the decryption hint for

$$\begin{aligned} c_i \cdot d_i= & {} \mathsf {DJ.Enc}(\textsf{pk}_\textsf{DJ}, \textsf{ECC}(C_i(m_b)) \\{} & {} + e_i + r_i) \approx \mathsf {DJ.Enc}(\textsf{pk}_\textsf{DJ}, \textsf{ECC}(C_i(m_b)) + r_i) \end{aligned}$$

where \(r_i\) is sampled from a domain exponentially larger than the noise bound B but small enough to allow one to decode \(\textsf{ECC}(C_i(m_b))\). While it is possible to show that this approach indeed satisfies the security notion outlined above, it introduces an overhead in the size of the hint, which now consists of the pair \((\rho _i, d_i)\). Note that we cannot allow the distinguisher to recompute \(d_i\) locally as it is crucial that \(r_i\) remains hidden, so we have no other choice but append it to the decryption hint. However, the decryption hint is now of size \(O(|c_i|)\), which does not satisfy our compactness requirement and makes our efforts purposeless (one can just set the decryption hint to be \(C_i(m_b)\) and achieve better efficiency).

Although we appear to have encountered a roadblock, a closer look reveals that we still gained something from this approach: The ciphertext \(d_i\) encodes a (somewhat small) random value and in particular is completely independent from \(c_i\). Furthermore, the decryption hint of \(c_i \cdot d_i\) can be computed using the secret key alone. Assume for the moment that we had access to an oracle \(\textsf{Sample}\) that outputs uniform Damgård-Jurik encryption of bounded random values, then our idea is to delegate the sampling of \(d_i\) to \(\textsf{Sample}\). This allows us to bypass the main obstacle: We do not need to include \(d_i\) in the decryption hint as it can be recomputed by querying \(\textsf{Sample}\). One can think of this approach as a more structured version of the Fiat-Shamir transform [27], which allows us to state the following theorem.

Theorem 1.2

(Informal) Assuming the hardness of LWE and DCR, then there exists a split FHE scheme in the \(\textsf{Sample}\)-hybrid model.

Looking ahead to our end goal, another interpretation of this theorem is as a universality result: Assuming the hardness of LWE and DCR, we can bootstrap an obfuscator for a specific circuit (i.e., the one that samples a uniform Damgård-Jurik encryption of a bounded random value) to an obfuscator for all circuits.

1.2.3 Instantiating the Oracle

The most compelling question which arises from our main theorem is whether there exist plausible instantiations for the oracle \(\textsf{Sample}\). A first (flawed) attempt is to devise an oblivious sampling procedure for Damgård-Jurik ciphertext using a random oracle: Note that Damgård-Jurik ciphertexts live in a dense domain \(\mathbb {Z}_{N^\zeta +1}\) and indeed sampling a random integer \(c_i \leftarrow \!\!\$\,\mathbb {Z}_{N^{\zeta +1}}\) maps to a well-formed ciphertext with all but negligible probability. However, since \(c_i\) is uniform in the ciphertext domain, then so is the underlying plaintext \(r_i \in \mathbb {Z}_{N^\zeta }\). This makes \(c_i\) unusable for our purposes since we require \(r_i\) to be bounded by some value \(\tilde{q}\), which is exponentially smaller than \(N^\zeta \). If we were to sample \(r_i\) this way, then it would completely mask the term \(\textsf{ECC}(C_i(m_b))\), thus making the plaintext impossible to decode.

Ideally, we would like to restrict the oblivious sampling to ciphertexts encrypting \(\tilde{q}\)-bounded messages. Unfortunately, we are not aware of the existence of any such algorithm. Instead, our idea is to still sample \(c_i\) uniformly over the complete ciphertext domain and remove the high-order bits of \(r_i\) homomorphically: This can be done by including an FHE encryption of the Damgård-Jurik secret key, then homomorphically evaluating the circuit that decrypts \(c_i\) and computes \(- \lfloor r_i / \tilde{q} \rfloor \cdot \tilde{q}\). The evaluated ciphertext is then converted again to the Damgård-Jurik domain using the linear noisy decryption of the FHE scheme. At this point, one can obtain a well-formed encryption of a \(\tilde{q}\)-bounded value by computing

$$\begin{aligned} \mathsf {DJ.Enc}(\textsf{pk}_\textsf{DJ}, - \lfloor r_i / \tilde{q} \rfloor \cdot \tilde{q} + e) \cdot c_i&= \mathsf {DJ.Enc}(\textsf{pk}_\textsf{DJ}, - \lfloor r_i / \tilde{q} \rfloor \cdot \tilde{q} + e + r_i) \\ {}&= \mathsf {DJ.Enc}(\textsf{pk}_\textsf{DJ}, (r_i \mod \tilde{q}) + e) \end{aligned}$$

where the term \((r_i \mod \tilde{q}) + e\) is \(\tilde{q}\)-bounded with all but negligible probability by setting \(\tilde{q} \gg B\). While this approach brings us tantalizingly close to a provably secure scheme, a careful analysis highlights two lingering conjectures.

  1. (1)

    Circular Security Adding and FHE encryption of the Damgård-Jurik secret key introduces a circular dependency in the security of the two schemes (recall that our construction already encodes a Damgård-Jurik encryption of the FHE secret key). While circular security falls outside of the realm of provable statements, it is widely accepted as a mild assumption and it is known to be achieved by most natural encryption schemes [11]. We stress that circular security is also inherent in the bootstrapping theorem of Gentry [34], the only known method to construct fully (as opposed to leveled) homomorphic encryption from LWE.

  2. (2)

    Correlations While the homomorphically evaluated circuit essentially ignores the low-order bits of \(r_i\), the corresponding decryption noise e might still depend on \((r_i \mod \tilde{q})\) in some intricate way. This might introduce some correlation and bias the distribution of the term \((r_i \mod \tilde{q}) + e\) with respect to a uniform \(u \leftarrow \!\!\$\,\mathbb {Z}_{\tilde{q}}\). However, the noise function is typically highly non-linear and therefore appears to be difficult to exploit. We also point out that the distinguisher has no control over the choice of e, which exclusively depends on an honest execution of the homomorphic evaluation algorithm. We therefore conjecture that the distribution of \((r_i \mod \tilde{q}) + e\) is computationally indistinguishable from u.

In light of the above insights, we put forward the conjecture that the proposed algorithm already gives us a secure implementation of the oracle \(\textsf{Sample}\). We view this as a natural strengthening of Gentry’s heuristic for the bootstrapping theorem, which is justified by our more ambitious objective. As the conjecture pertains to standard cryptographic material (FHE and Damgård-Jurik encryption), we believe that any further insight on its veracity would substantially improve our understanding on these important and well-studied building blocks.

Finally, we mention that many heuristics can be used to weaken the correlation between the decryption noise e and the low-order bits \((r_i \mod \tilde{q})\), such as repeated applications of FHE bootstrapping [26]. We also propose a different heuristic approach to remove correlations based on binary extractors and we refer the reader to the technical sections for further details.

1.2.4 From Split FHE to iO

What is left to be shown is that split FHE does indeed suffice to construct program obfuscation. With this goal in mind, we recall a surprising result by Lin et al. [50] which states that, under the assumption that the LWE problem is sub-exponentially hard, iO for all circuits is implied by an obfuscator for circuits with logarithmic-size inputs with non-trivial efficiency. Here non-trivial efficiency means that the size of the obfuscated circuit \(\tilde{C}\) with input domain \(\{0,1\}^\eta \) is at most \(\textsf {poly}(\lambda , |C|)\cdot 2^{\eta \cdot (1-\varepsilon )}\), for some constant \(\epsilon >0\). This means that it suffices to show that split FHE implies the existence of an obfuscator (for circuits with polynomial-size input domain) with non-trivial efficiency.

The transformation is deceptively simple (and similar to [14]): The obfuscator computes a split FHE encryption of the circuit \(C\) and partitions the input domains in \(2^{\eta /2}\) disjoint sets \((P_1, \dots , P_{2^{\eta / 2}})\) of equal size. Then, for each partition \(P_i\), the algorithm homomorphically evaluates the universal circuit that evaluates \(C\) on all inputs in \(P_i\) and returns the concatenation of all outputs. Finally, it returns the decryption hint \(\rho _i\) corresponding to the evaluated ciphertext. The obfuscated circuit consists of the public-key of the split FHE scheme, the encryption of \(C\), and all of the decryption hints \((\rho _1, \dots , \rho _{2^{\eta / 2}})\). Note that the obfuscated circuit can be evaluated efficiently: On input x, let \(P_x\) be the partition that contains x, then the evaluator recomputes the homomorphic evaluation (which is a deterministic operation) of \(C\) on \(P_x\) and recovers the output using the decryption hint \(\rho _x\). As for non-trivial efficiency, since the size of each decryption hint is that of a fixed polynomial \(\textsf {poly}(\lambda )\), the total size of the obfuscated circuit is bounded by \(\textsf {poly}(\lambda , |C|)\cdot 2^{\eta / 2}\), as desired.

1.2.5 Other Applications

To demonstrate that the scope of our split FHE scheme goes beyond program obfuscation, we outline two additional applications. In both cases we only rely on standard assumptions, i.e., we do not need to introduce any new conjecture.

Two-Party Computation with Pre-Processing We obtain a (semi-honest) two-party computation scheme for any circuit \(C:\{0,1\}^\ell \rightarrow \{0,1\}^k\) with an input- and circuit-independent pre-processing where the communication complexity of the pre-processing phase is \(\textsf {poly}(\lambda , k)\), whereas the communication complexity of the online phase is \(\textsf {poly}(\lambda ) + \ell \). This improves over garbled circuit-based approaches that require a pre-processing at least linear in \(|C|\). The protocol works as follows: In the pre-processing phase Alice and Bob exchange their (independently sampled) public-keys for a split FHE scheme and Alice computes a randomizing ciphertext (in the scheme defined above this corresponds to a Damgård-Jurik encryption of a bounded random value), which is sent to Bob. In the online phase, Alice and Bob exchange their inputs encrypted under their own public keys (to achieve best-possible rate this can be done using hybrid encryption) and homomorphically compute the multi-key evaluation of f over both inputs. Note that multi-key evaluation is generically possible for the case of two parties [55]: Given two ciphertexts \(c_A = \textsf{Enc}(\textsf{pk}_A, m_A)\) and \(c_B = \textsf{Enc}(\textsf{pk}_B, m_B)\), Alice can homomorphically evaluate the evaluation procedure of \(c_B\) and f under \(\textsf{pk}_A\) and \(c_A\), to obtain a “nested” two-key ciphertext \(\textsf{Enc}(\textsf{pk}_A, \textsf{Enc}(\textsf{pk}_B, f(m_A, m_B)))\). Then Alice consumes the randomizing ciphertext computed in the pre-processing and sends a partial decryption of the evaluated ciphertext in the form of a decryption hint. Bob can then locally complete the partial decryption using its own secret key and recover the output.

Rate-1 Reusable Garbled Circuits The work of Goldwasser et al. [39] showed, assuming the hardness of the LWE problem, how to construct reusable garbled circuits where the size of the input encodings is \(\textsf {poly}(\lambda , d, \ell \cdot k)\), where \(C:\{0,1\}^\ell \rightarrow \{0,1\}^k\) and d is the depth of \(C\). Using split FHE, we obtain a scheme with rate-1 encodings, i.e., of size \(\textsf {poly}(\lambda , d, \ell ) + k\). This is done by using their scheme to garble the circuit that computes \(C\) homomorphically over the input encrypted under a split FHE scheme and returns the decryption hint of the evaluated ciphertext. This effectively removes the dependency of the underlying reusable garbled circuit on the output size k. However, we also need to include in the input encoding the answer of the \(\textsf{Sample}\) oracle (a Damgård-Jurik ciphertext, for the scheme describe above), which reintroduces an additive overhead in k.

1.3 Related Work

In the following we discuss more in depth the relation of our approach when compared with recent candidate constructions of iO from lattices and bilinear maps [1, 3, 45]. Very informally, this line of works leverages weak pseudorandom generators (PRG) to mask the noise of the LWE decryption. However, the output domain of such a PRG is only polynomially large: This is because of the usage of bilinear groups, where the plaintext space is polynomially bounded (decryption requires one to compute a discrete logarithm). This is especially problematic because statistical/computational indistinguishability cannot hold in this regime of parameters. To circumvent this problem, all papers in this line of work assume a strict bound on the distinguisher’s success probability (e.g., 0.99) and then rely on amplification techniques. This, however, requires one to construct a weak PRG where the advantage of any PPT distinguisher is non-negligible but at the same time bounded by \(< 0.99\).Footnote 2

On the other hand, we rely on the Damgård-Jurik encryption scheme, where the message domain is exponential. This allows us to sample the smudging factor from a distribution that is exponentially larger than the noise bound, which is necessary in order to argue about statistical indistinguishability. Thus, in our settings, conjecturing that the advantage of the distinguisher is negligible is, at least in principle, plausible.

Follow-up Works After the publication of this manuscript, a series of follow-up works [18, 25, 33, 63] has shown how to instantiate this approach in a provably secure way, assuming (a strong flavor of) circular security of homomorphic encryption schemes. Such works follow the general blueprint of our construction, but explore different instantiations for the underlying cryptographic building blocks. As an added bonus, they build exclusively on lattice-based cryptosystems and therefore the resulting iO constructions are plausibly post-quantum secure. Subsequently, the hardness of the computational problems stated in [33, 63] has been called into question by the work of [42]. They showed explicit counterexamples against their assumptions, thus suggesting a separation between standard circular security and the flavor needed to instantiate their works. However, the counterexamples presented in [42] do not imply an attack against any of the iO schemes. To the best of our knowledge, no attack is currently known against any of the above-mentioned works.

In a parallel line of work, the bilinear groups-based constructions have been subsequently improved by removing the dependence on weak PRGs [32, 44]. The culmination of this line of research was a construction of iO from standard assumptions on bilinear groups, LPN over large fields, and the existence of PRG in NC0 [46, 47]. In contrast with the “split-FHE approach”, the presence of bilinear groups makes such schemes vulnerable to quantum attacks.

2 Preliminaries

We denote by \(\lambda \in \mathbb {N}\) the security parameter. We say that a function \(\textsf {negl}(\cdot )\) is negligible if it vanishes faster than any polynomial. Given a set S, we denote by \(s \leftarrow \!\!\$\,S\) the uniform sampling from S. We say that an algorithm is PPT if it can be implemented by a probabilistic machine running in time \(\textsf {poly}(\lambda )\). We abbreviate the set \(\{1, \dots , n\}\) as [n]. Matrices are denoted by \(\textbf{M}\) and vectors are denoted by \(\textbf{v}\). We recall the smudging lemma [6, 7].

Lemma 1

(Smudging) Let \(B_1 = B_1(\lambda )\) and \(B_2=B_2(\lambda )\) be positive integers and let \(e_1 \in [B_1]\) be a fixed integer. Let \(e_2 \leftarrow \!\!\$\,[B_2]\) chosen uniformly at random. Then the distribution of \(e_2\) is statistically indistinguishable from that of \(e_2+e_1\) as long as \(B_1/B_2=\textsf {negl}(\lambda )\).

2.1 Linear Algebra

We will need the following fact from linear algebra over rings, which holds immediately for fields but is non-trivial for the case of rings.

Lemma 2

Let q be an arbitrary integer modulus and n be an integer. Let \(\textbf{t} \leftarrow \!\!\$\,\mathbb {Z}_q^n\) be chosen uniformly at random. Now let \(\textbf{a} \leftarrow \!\!\$\,\mathbb {Z}_q^n\) be distributed uniformly random. Then it holds that

$$\begin{aligned} \Pr _{\textbf{t}}[\langle \textbf{a},\textbf{t} \rangle \text { distributed uniformly in } \mathbb {Z}_q] > 1 - \log (q) \cdot 2^{-n}. \end{aligned}$$

In other words, except with probability \(\log (q) \cdot 2^{-n}\) over the choice of \(\textbf{t}\) the inner product \(\langle \textbf{a},\textbf{t} \rangle \) will be distributed uniformly random given that \(\textbf{a}\) is uniform.

We provide the proof of Lemma 2 for completeness. The proof assumes some basic notions of algebra which we omit introducing here.

Proof

For a fixed \(\textbf{t}\), \(\langle \textbf{a},\textbf{t} \rangle \) will be uniform for a uniform \(\textbf{a} \leftarrow \!\!\$\,\mathbb {Z}_q^n\) given that the linear form \(\Phi _{\textbf{t}}: \mathbb {Z}_{{q}}^n \rightarrow \mathbb {Z}_q\) given by \(\textbf{x} \mapsto {\langle \textbf{x}, \textbf{t} \rangle }\) has range \(\mathbb {Z}_q\). To see this, note that by linearity every \(y \in \mathbb {Z}_q\) has the same number of preimages under \(\Phi _\textbf{t}\). Thus, \(\Phi _\textbf{t}\) maps a uniform distribution to a uniform distribution.

We will thus establish that the linear form \(\Phi _{\textbf{t}}: \mathbb {Z}_1^n \rightarrow \mathbb {Z}_q\) given by \({\mathbf {} \mapsto \langle \textbf{x}, \textbf{t} \rangle }\) has range \(\mathbb {Z}_q\), except with negligible probability over the choice of \(\textbf{t} \leftarrow \!\!\$\,\mathbb {Z}_q^n\). This function is not full range, if and only if there exists a non-trivial ideal \(J \subseteq \mathbb {Z}_q\) such that for all i we have \(\textbf{t}_i \in J\). To see this, note that if all \(\textbf{t}_i \in J\), then \(\langle \textbf{a},\textbf{t} \rangle \in J\) and therefore \(\Phi _\textbf{t}\) is not full range. On the other hand, if no such J exists, then we can construct an \(\textbf{a}^*\in \mathbb {Z}_q^n\) via Chinese Remaindering such that \(\langle \textbf{a}^*,\textbf{t} \rangle = 1\) and therefore \(\Phi _\textbf{t}\) is full range.

Thus, it suffices to show the above property for all maximal ideals in \(\mathbb {Z}_q\), which are the \(p_s \mathbb {Z}_q\), where the \(p_s\) are the prime-factors of q. As \(p_s \ge 2\) we can upper-bound the number of maximal ideals in \(\mathbb {Z}_q\) by \(\log (q)\). Fix a maximal ideal \(J = p \mathbb {Z}_q\) and let \(\textbf{t} = (t_1,\dots ,t_n) \leftarrow \!\!\$\,\mathbb {Z}_q^n\) be chosen uniformly at random. It holds for a single uniformly random \(t \leftarrow \!\!\$\,\mathbb {Z}_q\) that \(\Pr [t \in J] = 1/p \le 1/2\). Since the \((t_1,\dots ,t_n)\) are independent, it holds that \(\Pr [\forall i: \textbf{t}_i \in J] \le 2^{-n}\). Finally, as there are at most \(\log (q)\) maximal ideals J a union-bound yields \(\Pr [\exists J \forall i: \textbf{t}_i \in J] \le \log (q) \cdot 2^{-n}\). We conclude that \(\Phi _\textbf{t}\) has range \(\mathbb {Z}_q\), except with probability \(\log (q) \cdot 2^{-n}\) over the choice of \(\textbf{t}\). \(\square \)

2.2 Indistinguishability Obfuscation

We recall the notion of indistinguishability obfuscation (iO) from [30].

Definition 2.1

( Indistinguishability Obfuscation) A PPT machine \(\textsf{iO}\) is an indistinguishability obfuscator for a circuit class \(\{\mathcal {C}_\lambda \}_{\lambda \in \mathbb {N}}\) if the following conditions are satisfied:

(Functionality) For all \(\lambda \in \mathbb {N}\), all circuit \(C\in \mathcal {C}_\lambda \), all inputs x it holds that

$$\begin{aligned} \Pr \left[ \tilde{C}(x) = C(x) \Big | \tilde{C}\leftarrow \textsf{iO}(C) \right] = 1. \end{aligned}$$

(Indistinguishability) For all polynomial-size distinguishers \(\mathcal {D}\) there exists a negligible function \(\textsf {negl}(\cdot )\) such that for all \(\lambda \in \mathbb {N}\), all pairs of circuits \((C_0, C_1) \in \mathcal {C}_\lambda \) such that \(|C_0| = |C_1|\) and \(C_0(x) = C_1(x)\) on all inputs x, it holds that

$$\begin{aligned} \left| \Pr \left[ 1=\mathcal {D}(\textsf{iO}(C_0))\right] - \Pr \left[ 1=\mathcal {D}(\textsf{iO}(C_1))\right] \right| = \textsf {negl}(\lambda ). \end{aligned}$$

2.3 Learning with Errors

We recall the (decisional) learning with errors (LWE) problem as introduced by Regev [61].

Definition 2.2

(Learning with Errors) The LWE problem is parametrized by a modulus q, positive integers nm and an error distribution \(\chi \). The LWE problem is hard if for all polynomial-size distinguishers \(\mathcal {D}\) there exists a negligible function \(\textsf {negl}(\cdot )\) such that for all \(\lambda \in \mathbb {N}\) it holds that

$$\begin{aligned} \left| \Pr \left[ 1=\mathcal {D}(\textbf{A},\textbf{s}^\top \cdot \textbf{A} + \textbf{e})\right] - \Pr \left[ 1=\mathcal {D}(\textbf{A},\textbf{u})\right] \right| = \textsf {negl}(\lambda ){,} \end{aligned}$$

where \(\textbf{A}\) is chosen uniformly from \(\mathbb {Z}_q^{n \times m}\), \(\textbf{s}\) is chosen uniformly from \(\mathbb {Z}_q^n\), \(\textbf{u}\) is chosen uniformly from \(\mathbb {Z}_q^m\) and \(\textbf{e}\) is chosen from \(\chi ^m\).

As shown in [60, 61], for any sufficiently large modulus q the LWE problem where \(\chi \) is a discrete Gaussian distribution with parameter \(\sigma = \alpha q \ge 2 \sqrt{n}\) (i.e. the distribution over \(\mathbb {Z}\) where the probability of x is proportional to \(e^{-\pi (|x|/\sigma )^2}\)), is at least as hard as approximating the shortest independent vector problem (SIVP) to within a factor of \(\gamma = \tilde{O}({n}/\alpha )\) in worst case dimension n lattices. We refer to \(\alpha = {q/\sigma }\) as the modulus-to-noise ratio, and by the above this quantity controls the hardness of the LWE instantiation. Hereby, LWE with polynomial \(\alpha \) is (presumably) harder than LWE with super-polynomial or sub-exponential \(\alpha \). We can truncate the discrete Gaussian distribution \(\chi \) to \(\sigma \cdot \omega (\sqrt{\log (\lambda )})\) while only introducing a negligible error. Consequently, we omit the actual distribution \(\chi \) but only use the fact that it can be bounded by a (small) value B.

2.4 Decisional Composite Residuosity

In the following we recall the decisional composite residuosity (DCR) assumption over \(\mathbb {Z}^*_{N^{\zeta +1}}\) [24, 59]. Let \(N = pq\), where p and q are primes, be a uniformly sampled Blum integer and let \(\zeta \) be a fixed non-negative integer. Observe that the multiplicative group \(\mathbb {Z}^*_{N^{\zeta +1}}\) can be rewritten as the product of the subgroup \(\mathbb {H}_N = \{(1+N)^i: i \in [N^{\zeta }]\}\), generated by \((1+N)\), and the group of \(N^{\zeta }\)-th residues \(\mathbb{N}\mathbb{R}_N = \{ x^{N^{\zeta }}: x \in \mathbb {Z}_{N}^*\}\) of order \(\varphi (N)\), where \(\varphi (\cdot )\) denotes Euler’s totient function.

Definition 2.3

(Decisional Composite Residuosity) Let \(N = pq\), where p and q are primes, be a uniformly sampled Blum integer and let \(\zeta \) be a fixed non-negative integer. The DCR problem is hard if for all polynomial-size distinguishers \(\mathcal {D}\) there exists a negligible function \(\textsf {negl}(\cdot )\) such that for all \(\lambda \in \mathbb {N}\) it holds that

$$\begin{aligned} \left| \Pr \left[ 1=\mathcal {D}(r)\right] - \Pr \left[ 1=\mathcal {D}(u)\right] \right| = \textsf {negl}(\lambda ). \end{aligned}$$

where \(r\leftarrow \!\!\$\,\mathbb{N}\mathbb{R}_N\) and \(u \leftarrow \!\!\$\,\mathbb {Z}^*_{N^{\zeta +1}}\).

3 Homomorphic Encryption

We recall the definition of homomorphic encryption in the following.

Definition 3.1

(Homomorphic Encryption) A homomorphic encryption scheme for a circuit family \(\mathcal {C}\) consists of the following efficient algorithms.

\(\textsf{KeyGen}(1^\lambda ):\):

On input the security parameter \(1^\lambda \), the key generation algorithm returns a key pair \((\textsf{sk}, \textsf{pk})\).

\(\textsf{Enc}(\textsf{pk}, m):\):

On input a public key \(\textsf{pk}\) and a message \(m\), the encryption algorithm returns a ciphertext \(c\).

\(\textsf{Eval}(\textsf{pk}, C, (c_1, \dots , c_\ell )):\):

On input the public key \(\textsf{pk}\), an \(\ell \)-inputs circuit \(C{\in \mathcal {C}}\), and a vector of ciphertexts \((c_1, \dots , c_\ell )\), the evaluation algorithm returns an evaluated ciphertext \(c\).

\(\textsf{Dec}(\textsf{sk}, c):\):

On input the secret key \(\textsf{sk}\) and a ciphertext \(c\), the decryption algorithm returns a message \(m\).

We say that a scheme is fully homomorphic (FHE) if it is homomorphic for all (unbounded) polynomial-size circuits. If the maximum size of the circuit that can be evaluated is bounded in the public parameters, then we call such a scheme a leveled FHE. We also consider a restricted class of homomorphism that supports linear functions and we refer to such a scheme as linearly homomorphic encryption (LHE). We characterize correctness of a single evaluation, which suffices for our purposes. This can be extended to the more general notion of multi-hop correctness [36] if the condition specified below is required to hold for arbitrary compositions of circuits.

Definition 3.2

(Correctness) A homomorphic encryption scheme \((\textsf{KeyGen}, \textsf{Enc}, \textsf{Eval}, \textsf{Dec})\) is correct if for all \(\lambda \in \mathbb {N}\), all \(\ell \)-inputs circuits \(C{\in \mathcal {C}}\), all inputs \((m_1, \dots , m_\ell )\), all \((\textsf{sk}, \textsf{pk})\) in the support of \(\textsf{KeyGen}(1^\lambda )\), and all \(c_i\) in the support of \(\textsf{Enc}(\textsf{pk}, m_i)\) it holds that

$$\begin{aligned} \Pr \left[ \textsf{Dec}(\textsf{sk}, \textsf{Eval}(\textsf{pk}, C, (c_1, \dots , c_\ell ))) = C(m_1, \dots , m_\ell )\right] = 1. \end{aligned}$$

We require a scheme to be compact in the sense that the size of the ciphertext should not grow with the size of the evaluated circuit.

Definition 3.3

(Compactness) A homomorphic encryption scheme \((\textsf{KeyGen},\textsf{Enc},\textsf{Eval}, \textsf{Dec})\) is compact if there exists a polynomial \(\textsf {poly}(\cdot )\) such that for all \(\lambda \in \mathbb {N}\), all \(\ell \)-inputs circuits \(C{\in \mathcal {C}}\) in the supported family, all inputs \((m_1, \dots , m_\ell )\), all \((\textsf{sk}, \textsf{pk})\) in the support of \(\textsf{KeyGen}(1^\lambda )\), and all \(c_i\) in the support of \(\textsf{Enc}(\textsf{pk}, m_i)\) it holds that

$$\begin{aligned} |\textsf{Eval}(\textsf{pk}, C, (c_1, \dots , c_\ell ))| = \textsf {poly}(\lambda )\cdot |C(m_1, \dots , m_\ell )|. \end{aligned}$$

We define a weak notion of security (implied by the standard semantic security [40]) which is going to be more convenient to work with.

Definition 3.4

(Semantic Security) A homomorphic encryption scheme \((\textsf{KeyGen},\textsf{Enc},\textsf{Eval}, \textsf{Dec})\) is semantically secure if for all polynomial-size distinguishers \(\mathcal {D}\) there exists a negligible function \(\textsf {negl}(\cdot )\) such that for all \(\lambda \in \mathbb {N}\), all pairs of message \((m_0, m_1)\), it holds that

$$\begin{aligned} \left| \Pr \left[ 1=\mathcal {D}(\textsf{pk}, \textsf{Enc}(\textsf{pk}, m_0))\right] - \Pr \left[ 1=\mathcal {D}(\textsf{pk}, \textsf{Enc}(\textsf{pk}, m_1))\right] \right| = \textsf {negl}(\lambda ) \end{aligned}$$

where \((\textsf{sk}, \textsf{pk}) \leftarrow \textsf{KeyGen}(1^\lambda )\).

3.1 Linear Decrypt-and-Multiply

We consider schemes with a fine-grained correctness property. Specifically, we require that the decryption consists of the application of a linear function in the secret key, followed by some publicly computable function. Furthermore, we require that such a procedure allows us to specify an arbitrary constant \(\omega \) that is multiplied to the resulting plaintext. We refer to such schemes as linear decrypt-and-multiply schemes. This property was introduced in an oral presentation by Micciancio [57] and recently formalized by Brakerski et al. [17]. We stress that all major candidate FHE constructions satisfy (or can be adapted to) such a constraint, e.g., [2, 20, 38]. We recall the definition in the following. In an abuse of notation, we often write \(\textsf{KeyGen}(1^\lambda ; q)\) to fix the modulus q in the key generation algorithm.

Definition 3.5

(Decrypt-and-Multiply) We call a homomorphic encryption scheme \((\textsf{KeyGen},\textsf{Enc},\textsf{Eval}, \textsf{Dec})\) a decrypt-and-multiply scheme, if there exist bounds \(B = B(\lambda )\) and \(Q = Q(\lambda )\) and an algorithm \( \mathsf {Dec{ \& }Mult}\) such that the following holds. For every \(q \ge Q\), all \((\textsf{sk}, \textsf{pk})\) in the support of \(\textsf{KeyGen}(1^\lambda {;}q)\), every \(\ell \)-inputs circuit \(C{\in \mathcal {C}}\), all inputs \((m_1, \dots , m_\ell )\), all \(c_i\) in the support of \(\textsf{Enc}(\textsf{pk}, m_i)\) and every \(\omega \in \mathbb {Z}_q\) that

$$ \begin{aligned} \mathsf {Dec{ \& }Mult}(\textsf{sk}, \textsf{Eval}(\textsf{pk}, C, (c_1, \dots , c_\ell )), \omega ) = \omega \cdot C(m_1, \dots , m_\ell ) + e \mod q \end{aligned}$$

where \( \mathsf {Dec{ \& }Mult}\) is a linear function in \(\textsf{sk}\) over \(\mathbb {Z}_q\) and \(|e| \le B\) with all but negligible probability.

In our construction, we will need some additional structure for the modulus q. Fortunately, most LWE-based FHE schemes can be instantiated with an arbitrary q that does not depend on any secret input but only on the security parameter. Moreover, LWE-based FHE schemes can be instantiated with any (sufficiently large) modulus q without affecting the worst-case hardness of the underlying LWE problem [60]. In favor of a simpler analysis, we assume that e is always non-negative. Note that this is without loss of generality as it can be always guaranteed by adding B to the result of \( \mathsf {Dec{ \& }Mult}\) and setting a slightly looser bound \(B = 2B\).

3.2 Split Decryption

We define the notion of homomorphic encryption with split decryption, which is going to be central in our work. Loosely speaking, a scheme has split decryption if the decryption algorithm consists of two subroutines: A private algorithm (that depends on the secret key) that on input a ciphertext \(c\) computes a small hint \(\rho \), and a publicly computable algorithm that takes as input \(\rho \) and \(c\) and returns the corresponding plaintext. We henceforth refer to such schemes as split homomorphic encryption. We introduce the syntax in the following.

Definition 3.6

(Split Decryption) A homomorphic encryption scheme \((\textsf{KeyGen}, \textsf{Enc}, \textsf{Eval}, \textsf{Dec})\) has split decryption if the decryption algorithm \(\textsf{Dec}\) consist of the following two subroutines.

\(\textsf{PDec}(\textsf{sk}, c):\):

On input the secret key \(\textsf{sk}\) and a ciphertext \(c\), the partial decryption algorithm returns a decryption hint \(\rho \).

\(\textsf{Rec}(\rho , c):\):

On input the hint \(\rho \) and a ciphertext \(c\), the recovery algorithm returns a message \(m\).

The notion of correctness is extended canonically.

Definition 3.7

(Split Correctness) A homomorphic encryption scheme with split decryption \((\textsf{KeyGen}, \textsf{Enc}, \textsf{Eval}, \textsf{PDec}, \textsf{Rec})\) is correct if for all \(\lambda \in \mathbb {N}\), all \(\ell \)-inputs circuits \(C{\in \mathcal {C}}\) in the supported family, all inputs \((m_1, \dots , m_\ell )\), all \((\textsf{sk}, \textsf{pk})\) in the support of \(\textsf{KeyGen}(1^\lambda )\), and all \(c_i\) in the support of \(\textsf{Enc}(\textsf{pk}, m_i)\) it holds that

$$\begin{aligned} \Pr \left[ \textsf{Rec}(\textsf{PDec}(\textsf{sk}, c), c) = C(m_1, \dots , m_\ell )\right] = 1 \end{aligned}$$

where \(c= \textsf{Eval}(\textsf{pk}, C, (c_1, \dots , c_\ell ))\).

Beyond the standard compactness for homomorphic encryption, a scheme with split decryption must satisfy the additional property that the size of the decryption hint \(\rho \) is independent (or, more generally, sublinear) of the size of the message. Furthermore, the size of the public key and of a fresh encryption of a message \(m\) should depend polynomially on the security parameter (and on the length of \(m\)) and otherwise be linear in the size of the output. These are the properties that make split decryption non-trivial and that are going to be our main leverage to bootstrap this primitive into a more powerful machinery. We formally characterize these requirements below.

Definition 3.8

(Split Compactness) A homomorphic encryption scheme with split decryption \((\textsf{KeyGen},\textsf{Enc},\textsf{Eval}, \textsf{PDec}, \textsf{Rec})\) is compact if there exists a polynomial \(\textsf {poly}(\cdot )\) such that for all \(\lambda \in \mathbb {N}\), all \(\ell \)-inputs circuits \(C{\in \mathcal {C}}\) in the supported family, all inputs \((m_1, \dots , m_\ell )\), all \((\textsf{sk}, \textsf{pk})\) in the support of \(\textsf{KeyGen}(1^\lambda )\), and all \(c_i\) in the support of \(\textsf{Enc}(\textsf{pk}, m_i)\) it holds that

  • \(|\textsf{pk}| \le \textsf {poly}(\lambda )\cdot |C(m_1, \dots , m_\ell )|\),

  • \(|c_i| \le \textsf {poly}(\lambda , |m_i|)\cdot |C(m_1, \dots , m_\ell )|\), and

  • \(|\rho | \le \textsf {poly}(\lambda )\)

where \(\rho = \textsf{PDec}(\textsf{sk}, \textsf{Eval}(\textsf{pk}, C, (c_1, \dots , c_\ell )))\).

Finally the notion of semantic security for split schemes requires that the decryption hint \(\rho \) for a certain ciphertext does not reveal any information beyond the corresponding plaintext. Note that we define a very weak notion where the above must hold only for a bounded number of ciphertexts, and the inputs are fixed prior to the public parameters of the scheme.

Definition 3.9

(Security) A homomorphic encryption scheme with split decryption \((\textsf{KeyGen},\textsf{Enc},\textsf{Eval}, \textsf{PDec}, \textsf{Rec})\) is secure if for all polynomial-size distinguishers \(\mathcal {D}\) there exists a negligible function \(\textsf {negl}(\cdot )\) such that for all \(\lambda \in \mathbb {N}\), all polynomials \(\beta = \beta (\lambda )\), all pairs of messages \((m_0, m_1)\), all vectors of circuits \((C_1, \dots , C_\beta ){\in \mathcal {C}^\beta }\) such that, for all \(i \in [\beta ]\), \(C_i(m_0) = C_i(m_1)\) it holds that

$$\begin{aligned}{} & {} \left| \Pr \left[ 1=\mathcal {D}(\textsf{pk}, c_0, \rho _{(1,0)}, \dots , \rho _{(\beta , 0)})\right] - \Pr \left[ 1=\mathcal {D}(\textsf{pk}, c_1, \rho _{(1,1)}, \dots , \rho _{(\beta , 1)})\right] \right| \\{} & {} \qquad = \textsf {negl}(\lambda ) \end{aligned}$$

where \((\textsf{sk}, \textsf{pk}) \leftarrow \textsf{KeyGen}(1^\lambda )\), for all \(b\in \{0,1\}\) define \(c_b \leftarrow \textsf{Enc}(\textsf{pk}, m_b)\) and, for all \(i\in [\beta ]\) and all \(b\in \{0,1\}\), define \(\rho _{(i, b)} \leftarrow \textsf{PDec}(\textsf{sk}, \textsf{Eval}(\textsf{pk}, C_i, c_b))\).

We also present the stronger definition of simulation security for decryption hints, which requires the existence of a simulator that can compute the decryption hint without the knowledge of the secret key. It appears challenging to achieve this notion in the standard model, for the simple reason that the size of the hint is smaller than the size of the message that we want to simulate. Nevertheless, we show that this notion is useful as it may be achievable in the presence of a (programmable) oracle.

Definition 3.10

(Simulatable Hints) A homomorphic encryption scheme with split decryption \((\textsf{KeyGen},\textsf{Enc},\textsf{Eval}, \textsf{PDec}, \textsf{Rec})\) has simulatable hints if there exists a polynomial-size simulator \(\textsf{Sim}\) such that for all \(\lambda \in \mathbb {N}\), all \((\textsf{sk}, \textsf{pk})\) in the support of \(\textsf{KeyGen}(1^\lambda )\), all messages \(m\), and all ciphertexts \(c\) in the support of \(\textsf{Enc}(\textsf{pk}, m)\) it holds that

$$\begin{aligned} \textsf{PDec}(\textsf{sk}, c) \equiv \textsf{Sim}(1^\lambda , \textsf{pk}, c, m), \end{aligned}$$

where \(\equiv \) denotes the equivalence of the two distributions.

3.3 Damgård-Jurik Encryption

In the following we recall a variant of the Damgård-Jurik encryption linearly homomorphic encryption scheme [24]. We present a variant of the scheme that satisfies the notion of split correctness, which is going to be instrumental for our purposes. The scheme is parametrized by a non-negative integer \(\zeta \) that we assume is given as input to all algorithms.

\(\mathsf {DJ.KeyGen}(1^\lambda ):\):

On input the security parameter \(1^\lambda \), sample a uniform Blum integer \(N = pq\), where p and q are \(\lambda \)-bits primes. Set \(\textsf{pk}= (N, \zeta )\) and \(\textsf{sk}= \varphi (N)\).

\(\mathsf {DJ.Enc}(\textsf{pk}, m):\):

On input a message \(m\in \mathbb {Z}_{N^\zeta }\), sample a random \(r \leftarrow \!\!\$\,\mathbb {Z}_N\) and compute

$$\begin{aligned}c= r^{N^\zeta } \cdot (1+N)^{m} \mod N^{\zeta +1}.\end{aligned}$$
\(\mathsf {DJ.Eval}(\textsf{pk}, f, (c_1, \dots , c_\ell )):\):

On input a vector of ciphertexts \((c_1, \dots , c_\ell )\) and a linear function \(f = (\alpha _1, \dots , \alpha _\ell ) \in \mathbb {Z}_{N^\zeta }^\ell \), compute

$$\begin{aligned} c= \prod ^\ell _{i=1} c_i^{\alpha _1} \mod N^{\zeta +1}. \end{aligned}$$
\(\mathsf {DJ.PDec}(\textsf{sk}, c):\):

On input a ciphertext \(c\), set \(s = c\mod N\). Then compute \(N^{-\zeta }\) such that \(N^{\zeta } \cdot N^{-\zeta } = 1 \mod \varphi (N)\) using the extended Euclidean algorithm. Return

$$\begin{aligned}\rho = s^{N^{-\zeta }} \mod N.\end{aligned}$$
\(\mathsf {DJ.Rec}(\rho , c):\):

On input a hint \(\rho \) and a ciphertext \(c\), compute

$$\begin{aligned}(1+N)^m= c/\rho ^{N^\zeta } \mod N^{\zeta +1}\end{aligned}$$

and recover \(m\) using the polynomial-time algorithm described in [24].

It is well known that the scheme satisfies (standard) semantic security assuming the intractability of the decisional composite residuosity (DCR) problem. To prove correctness, we are going to use the fact that

$$\begin{aligned} x^{N^\zeta } \mod N^{\zeta +1} = (x\mod N)^{N^\zeta } \mod N^{\zeta +1} \end{aligned}$$
(1)

for all non-negative integers \((x,\zeta )\). We refer the reader to [56] for a proof of this equality. Recall that \(c = r^{N^\zeta } \cdot (1+N)^m\) and that

$$\begin{aligned} \rho= & {} (c \mod N)^{N^{-\zeta }} \mod N\\= & {} \left( r^{N^\zeta }\cdot (1+N)^m \mod N\right) ^{N^{-\zeta }} \mod N\\= & {} \left( r^{N^\zeta } \mod N\right) ^{N^{-\zeta }} \mod N. \end{aligned}$$

Therefore, we have that

$$\begin{aligned} \rho ^{N^\zeta } \mod N^{\zeta + 1}= & {} \left( \left( r^{N^\zeta } \mod N\right) ^{N^{-\zeta }} \mod N\right) ^{N^\zeta } \mod N^{\zeta + 1}\\= & {} \left( r^{N^\zeta } \mod N\right) ^{N^{-\zeta }\cdot N^\zeta } \mod N^{\zeta + 1}\\= & {} r^{N^\zeta } \mod N^{\zeta + 1} \end{aligned}$$

by an application of Equation (1). Taking the inverse on both sides of the equation above we obtain

$$\begin{aligned} c / \rho ^{N^\zeta } \mod N^{\zeta + 1}&= c / r^{N^\zeta } \mod N^{\zeta + 1}\\ {}&= r^{N^\zeta }\cdot (1+N)^m / r^{N^\zeta } \mod N^{\zeta + 1}\\&= (1+N)^m \mod N^{\zeta + 1} \end{aligned}$$

as desired for correctness. Although such a scheme does not immediately give us a secure split LHE, we highlight a few salient properties that we are going to leverage in our main constructions.

Split Compactness The hint \(\rho \in \mathbb {Z}_N\) consists of \(\lceil \log (N)\rceil \) bits and in particular is independent of the size of the message space \(\mathbb {Z}_{N^\zeta }\), as the integer \(\zeta \) can be set to be arbitrarily large (within the range of polynomials in \(\lambda \)).

Simulatable Hints Given a ciphertext \(c\) and a plaintext value \(m\), the simulator can efficiently compute a ciphertext \(\tilde{c}\) such that the homomorphic sum of \(c\) and \(\tilde{c}\) results in a uniform encryption of \(m\) and the corresponding decryption hint can be computed given only the random coins used to generate \(\tilde{c}\). Concretely, let

$$\begin{aligned} \tilde{c} = \frac{r^{N^\zeta } \cdot (1+N)^{m}}{c} \mod N^{\zeta +1}\end{aligned}$$

for some \(r\leftarrow \!\!\$\,\mathbb {Z}_N\). It follows, that for ciphertexts of the form \(c \cdot \tilde{c}\) (looking ahead, \(\tilde{c}\) will be the output of an oracle), we can define the output of the simulator to be \(\rho = r\). The message can be then recovered using the \(\mathsf {DJ.Rec}\) algorithm as described above.

Dense Ciphertexts Sampling a random integer in \(\mathbb {Z}_{N^{\zeta +1}}\) gives a well-formed ciphertext with all but negligible probability. This is because the group order \(\varphi (N)\cdot N^\zeta \) is close to \(N^{\zeta +1}\), i.e., \(\frac{\varphi (N)\cdot N^\zeta }{N^{\zeta +1}} = \frac{\varphi (N)}{N} = 1 - \textsf {negl}(\lambda )\).

4 Split Fully Homomorphic Encryption

In the following we present our construction for FHE with split decryption. We first present a generic construction in the presence of (a structured version of) a random oracle, then we propose concrete instantiations for the building blocks and plausible candidates for the implementation of the oracle.

4.1 Generic Construction

Our scheme assumes the existence of the following primitives:

  • A fully homomorphic encryption scheme \(\textsf{FHE}= (\mathsf {FHE.KeyGen}, \mathsf {FHE.Enc}, \)\( \mathsf {FHE.Eval}, \mathsf {FHE.Dec})\) with linear decrypt-and-multiply and with noise bound B.

  • A linearly homomorphic encryption \(\textsf{LHE}= (\mathsf {LHE.KeyGen}, \mathsf {LHE.Enc}, \mathsf {LHE.Eval}, \mathsf {LHE.PDec}, \mathsf {LHE.Rec})\) with simulatable decryption hints.

If the underlying FHE scheme is leveled then so is going to be the resulting split FHE. Conversely, if the FHE scheme supports the evaluation of unbounded circuits, then so does the resulting split FHE construction. The scheme is described below, assuming that the \(\textsf{Eval}\) algorithm has oracle access to the \(\textsf{Sample}\) interface.

figure a

What is left to be shown is the exact specification of the oracle \(\textsf{Sample}(\textsf{pk}, x)\), which we describe in the following. The oracle is accessible by all parties and it is stateful: on input the same x, the oracle will always return the same output. The oracle is parametrized by an integer \(\tilde{q}\), which we are going to define later.

figure b

We formally analyze our scheme in the following. During the analysis, we set the parameters on demand and we show afterward that our choices lead to a satisfiable set of constraints for which the underlying computational problems are still conjectured to be hard. The following theorem establishes correctness.

Theorem 4.1

(Split Correctness) Let \(q \ge 2^k + 2^{\lceil \log (\tilde{q} + kB) \rceil }\). Let \(\textsf{FHE}\) be a correct fully homomorphic encryption scheme with linear decrypt-and-multiply and let \(\textsf{LHE}\) be a split correct linearly homomorphic encryption scheme. Then the scheme as described above satisfies split correctness.

Proof

Let us rewrite

$$\begin{aligned} \tilde{m} = \mathsf {LHE.Rec}(\rho , c) = \mathsf {LHE.Rec}(\mathsf {LHE.PDec}(\textsf{sk}_\textsf{LHE}, c), c) \end{aligned}$$

where \(c= \mathsf {LHE.Eval}\left( \textsf{pk}_\textsf{LHE}, \sum , (d, a)\right) \). We first expand the d term as

$$ \begin{aligned} d&= \mathsf {LHE.Eval}(\textsf{pk}_\textsf{LHE}, g, (c_{(\textsf{LHE},1)}, \dots , c_{(\textsf{LHE},n)}))\\&= \mathsf {LHE.Eval}(\textsf{pk}_\textsf{LHE}, g, (\mathsf {LHE.Enc}(\textsf{pk}_\textsf{LHE}, s_1), \dots , \mathsf {LHE.Enc}(\textsf{pk}_\textsf{LHE}, s_n)))\\&= \mathsf {LHE.Enc}\left( \textsf{pk}_\textsf{LHE}, \sum ^k_{j=1} \mathsf {Dec{ \& }Mult}\left( (s_1, \dots , s_n), d_j, 2^{\lceil \log (\tilde{q} + (k+1)B) \rceil + j}\right) \right) \end{aligned}$$

by the correctness of the LHE scheme, where

$$\begin{aligned} d_j = \mathsf {FHE.Eval}(\textsf{pk}_\textsf{FHE}, C_j, ({c}_1, \dots , {c}_\ell )) \end{aligned}$$

and \(c_i = \mathsf {FHE.Enc}(\textsf{pk}_\textsf{FHE}, m_i)\). Thus, by the decrypt-and-multiply correctness of the FHE scheme we can rewrite

$$\begin{aligned} d&= \mathsf {LHE.Enc}\left( \textsf{pk}_\textsf{LHE}, \sum ^k_{j=1} 2^{\lceil \log (\tilde{q} + (k+1)B) \rceil + j} \cdot C_j(m_1, \dots , m_\ell ) + e_j\right) \\&= \mathsf {LHE.Enc}\left( \textsf{pk}_\textsf{LHE}, \sum ^k_{j=1} 2^{\lceil \log (\tilde{q} + (k+1)B) \rceil + j} \cdot C_j(m_1, \dots , m_\ell ) + \underbrace{\sum ^k_{j=1} e_j}_{\tilde{e}}\right) . \end{aligned}$$

For the a variable we have that \(a = \mathsf {LHE.Enc}(\textsf{pk}_\textsf{LHE}, r)\), for some uniform \(r \leftarrow \!\!\$\,\mathbb {Z}_{\tilde{q}}\), by definition of the oracle \(\textsf{Sample}\). Thus,

$$\begin{aligned} c&= \mathsf {LHE.Eval}\left( \textsf{pk}_\textsf{LHE}, \sum , (d, a)\right) \\&= \mathsf {LHE.Enc}\left( \textsf{pk}_\textsf{LHE}, {\left( \sum ^k_{j=1} 2^{\lceil \log (\tilde{q} + (k+1)B) \rceil + j} \cdot C_j(m_1, \dots , m_\ell ) + \tilde{e}\right) } + r\right) \end{aligned}$$

by the correctness of the LHE scheme. Note that the sum \(\tilde{e}\) is bounded from above by \(k \cdot B\), whereas the term \({r}\) is trivially bounded from above by \(\tilde{q}\). This implies that the output of the circuit is encoded in the higher order bits of \(\tilde{m}\) with probability 1, for a large enough q. \(\square \)

We then argue about the split security of the scheme. We remark that we analyze security in the presence of an oracle and we refer the reader to Sect. 4.3 and Sect. 4.4 for concrete instantiations.

Theorem 4.2

(Split Security) Let \(\tilde{q} \ge 2^\lambda \cdot k \cdot B\). Let \(\textsf{FHE}\) be a semantically secure fully homomorphic encryption scheme and let \(\textsf{LHE}\) be a semantically secure linearly homomorphic encryption scheme with simulatable decryption hints. Then the scheme as described above satisfies split security in the \(\textsf{Sample}\)-hybrid model.

Proof

Fix any admissible \((m_0, m_1, C_1, \dots , C_\beta )\) as per Definition 3.9. Consider the following series of hybrids.

Hybrid \(\mathcal {H}_0:\) Is defined as the original experiment. Denote the distribution induced by the random coins of the challenger by

$$\begin{aligned} \left( \textsf{pk}, c= \mathsf {FHE.Enc}(\textsf{pk}_\textsf{FHE}, m_b), \rho _1, \dots , \rho _\beta \right) \end{aligned}$$

where

$$\begin{aligned} \textsf{pk}= \left( \textsf{pk}_\textsf{FHE}, \textsf{pk}_\textsf{LHE}, \mathsf {LHE.Enc}(\textsf{pk}_\textsf{LHE}, s_1), \dots , \mathsf {LHE.Enc}(\textsf{pk}_\textsf{LHE}, s_n)\right) \end{aligned}$$

and \(\rho _i\) is computed as \(\textsf{PDec}(\textsf{sk}, \textsf{Eval}(\textsf{pk}, C_i, c))\).

Hybrids \(\mathcal {H}_1 \dots \mathcal {H}_\beta :\) Let \(d^{(i)}\) be the variable d defined during the execution of \(\textsf{Eval}(\textsf{pk}, C_i, c)\). The i-th hybrid \(\mathcal {H}_i\) is defined to be identical to \(\mathcal {H}_{i-1}\), except that the oracle \(\textsf{Sample}(\textsf{pk}, \cdot )\) on input \(d^{(i)}\) is programmed to output a uniformly sampled a such that the resulting \(c\) is of the form

$$\begin{aligned} c= \mathsf {LHE.Enc}\left( \textsf{pk}_\textsf{LHE}, \textsf{ECC}(C_i(m_b)) + \tilde{e} + r \right) \end{aligned}$$

where \(\textsf{ECC}\) is the high-order bits encoding defined in the evaluation algorithm, \(\tilde{e}\) is the sum of the decryption noises of the ciphertexts \((d^{(1)}, \dots , d^{(k)})\), as defined in the evaluation algorithm, and \(r \leftarrow \!\!\$\,\mathbb {Z}_{\tilde{q}}\). Then \(\tilde{\rho }_i\) is defined to be the decryption hint of \(c\), computed using the random coins of the simulated a, rather than the secret key.

First observe that \(\tilde{e}\) is efficiently computable given the secret key of the FHE scheme and therefore \(\tilde{\rho }_i\) is also computable in polynomial time. It is important to observe that the distribution of \(c\) is identical to the previous hybrid and the difference lies only in the way \(\tilde{\rho }_i\) is computed. Since the LHE scheme has simulatable hints, it follows that the distribution of \(\mathcal {H}_i\) is identical to that of \(\mathcal {H}_{i-1}\) and the change described here is only syntactical. That is,

$$\begin{aligned}&\left( \textsf{pk}, \mathsf {FHE.Enc}(\textsf{pk}_\textsf{FHE}, m_b), \tilde{\rho }_1,\dots , \tilde{\rho }_{i-1}, \rho _i,\rho _{i+1}, \dots , \rho _\beta \right) \\&= \left( \textsf{pk}, \mathsf {FHE.Enc}(\textsf{pk}_\textsf{FHE}, m_b), \tilde{\rho }_1,\dots , \tilde{\rho }_{i-1}, \tilde{\rho }_i,\rho _{i+1}, \dots , \rho _\beta \right) . \end{aligned}$$

Hybrids \(\mathcal {H}_{\beta +1} \dots \mathcal {H}_{2\beta }:\) The \((\beta + i)\)-th hybrid is defined to be identical to the previous ones except that the a variable corresponding to the i-th call in the evaluation algorithm is programmed such that

$$\begin{aligned} c&= \mathsf {LHE.Enc}\left( \textsf{pk}_\textsf{LHE}, \textsf{ECC}(C_i(m_b)) + \tilde{r} \right) . \end{aligned}$$

I.e., the noise term \(\tilde{e}\) is omitted from the computation. Concretely, a is computed as

$$\begin{aligned} a = {\mathsf {LHE.Enc}\left( \textsf{pk}_\textsf{LHE}, \textsf{ECC}(C_i(m_b)) + \tilde{r} \right) }/{d}, \end{aligned}$$

where d is defined as in the \(\textsf{Eval}\) algorithm and the denominator is uniformly sampled. Thus, the only difference with respect to the previous hybrid is whether the noise term \(\tilde{e}\) is included in the ciphertext or not. Since \(\tilde{e}\) is bounded from above by \(k\cdot B\) and \(\tilde{q} \ge 2^\lambda \cdot k\cdot B\), by Lemma 1 the distribution induced by this hybrid is statistically indistinguishable from that of the previous one.

Hybrids \(\mathcal {H}_{2\beta + 1} \dots \mathcal {H}_{2\beta + n}:\) The \((2\beta +i)\)-th hybrid is defined as the previous one, except that the ciphertext \(c_{(\textsf{LHE}, i)}\) in the public parameters is computed as the encryption of 0. Note that the secret key of the LHE scheme is no longer used in the computation of \((\tilde{\rho }_1, \dots , \tilde{\rho }_\beta )\) and therefore indistinguishability follows from an invocation of the semantic security of the LHE scheme. Specifically, the following distributions are computationally indistinguishable

$$\begin{aligned}&\left( \begin{array}{l} \mathsf {LHE.Enc}(\textsf{pk}_\textsf{LHE}, 0), \dots , \mathsf {LHE.Enc}(\textsf{pk}_\textsf{LHE}, 0), \mathsf {LHE.Enc}(\textsf{pk}_\textsf{LHE}, s_i),\\ \mathsf {LHE.Enc}(\textsf{pk}_\textsf{LHE}, s_{i+1}), \dots , \mathsf {LHE.Enc}(\textsf{pk}_\textsf{LHE}, s_n) \end{array}\right) \\&\quad \approx \left( \begin{array}{l} \mathsf {LHE.Enc}(\textsf{pk}_\textsf{LHE}, 0), \dots , \mathsf {LHE.Enc}(\textsf{pk}_\textsf{LHE}, 0), \mathsf {LHE.Enc}(\textsf{pk}_\textsf{LHE}, 0),\\ \mathsf {LHE.Enc}(\textsf{pk}_\textsf{LHE}, s_{i+1}), \dots , \mathsf {LHE.Enc}(\textsf{pk}_\textsf{LHE}, s_n) \end{array} \right) . \end{aligned}$$

Hybrid \(\mathcal {H}^{(b)}_{2\beta + n}:\) We define the hybrid \(\mathcal {H}^{(b)}_{2\beta + n}\) as \(\mathcal {H}_{2\beta + n}\) with the challenger bit fixed to b. Note that the distribution induced by these hybrids is

$$\begin{aligned} \left( \textsf{pk}, c= \mathsf {FHE.Enc}(\textsf{pk}_\textsf{FHE}, m_b), \tilde{\rho }_1, \dots , \tilde{\rho }_\beta \right) \end{aligned}$$

where

$$\begin{aligned} \textsf{pk}= \left( \textsf{pk}_\textsf{FHE}, \textsf{pk}_\textsf{LHE}, \mathsf {LHE.Enc}(\textsf{pk}_\textsf{LHE}, 0), \dots , \mathsf {LHE.Enc}(\textsf{pk}_\textsf{LHE}, 0)\right) . \end{aligned}$$

Observe that the secret key of the FHE scheme is no longer encoded in the public parameters and is not needed to compute \((\tilde{\rho }_1, \dots , \tilde{\rho }_\beta )\) either. It follows that any advantage that the adversary has in distinguishing \(\mathcal {H}^{(0)}_{3\beta + n}\) from \(\mathcal {H}^{(1)}_{3\beta + n}\) cannot be greater than the advantage in distinguishing \(\mathsf {FHE.Enc}(\textsf{pk}_\textsf{FHE}, m_0)\) from \(\mathsf {FHE.Enc}(\textsf{pk}_\textsf{FHE}, m_1)\). Thus, computational indistinguishability follows from an invocation of the semantic security of the FHE scheme. This concludes our proof. \(\square \)

4.2 Instantiating the Oracle

To complete the description of our scheme, we discuss a few candidate instantiations for the oracle \(\textsf{Sample}\). We require the underlying LHE scheme to have a dense ciphertext domain (which is the case for the Damgård-Jurik encryption scheme). Both of our proposals require to augment the public key of the scheme with an FHE encryption of the LHE secret key \(c_\textsf{FHE}\leftarrow \mathsf {FHE.Enc}(\textsf{pk}_{\textsf{FHE}}, \textsf{sk}_{\textsf{LHE}})\) and introduce new circularity assumptions between the FHE and the LHE schemes.

An alternate way to think of the oracle in Theorem 4.2 is to see it as an obfuscation for a special program, which is sufficient for realizing split FHE. The candidate constructions that we provide below can be seen as a natural and simple obfuscation of this special program.

4.2.1 A Simple Candidate

Let \(\mathfrak {C}\) be the ciphertext domain of \(\textsf{LHE}\). Throughout the following description, we fix the random coins of the algorithm (whenever needed) by drawing them from the evaluation of a cryptographic hash function \(\textsf{Hash}\) over the input. The intuition for our candidate is very simple: We sample an LHE ciphertext sampled using a random oracle (which is the reason why we need dense ciphertexts) and then we cancel out the high-order bits of the underlying plaintext by homomorphically decrypting the random ciphertext, isolating the chunk of information that we are interested in, and finally key-switching into the LHE scheme. The formal description is elaborated below.

figure c

Observe that y is an element in the ciphertext domain of \(\textsf{LHE}\) and it is of the form \(y =\mathsf {LHE.Enc}(\textsf{pk}_\textsf{LHE}, m)\), for some \(m\in \mathbb {Z}_q\), since \(\textsf{LHE}\) has a dense ciphertext domain. Furthermore, by the correctness of the FHE and the LHE scheme, we have that

$$\begin{aligned} \tilde{y}&= \mathsf {FHE.Eval}\left( \textsf{pk}_\textsf{FHE}, -\left\lfloor \mathsf {LHE.Dec}(\cdot , y) / \tilde{q} \right\rfloor \cdot \tilde{q}, c_\textsf{FHE}\right) \\&= \mathsf {FHE.Eval}\left( \textsf{pk}_\textsf{FHE}, -\left\lfloor \mathsf {LHE.Dec}(\cdot , y) / \tilde{q} \right\rfloor \cdot \tilde{q}, \mathsf {FHE.Enc}(\textsf{pk}_\textsf{FHE}, \textsf{sk}_\textsf{LHE})\right) \\&= \mathsf {FHE.Enc}\left( \textsf{pk}_\textsf{FHE}, -\left\lfloor \mathsf {LHE.Dec}(\textsf{sk}_\textsf{LHE}, y) / \tilde{q} \right\rfloor \cdot \tilde{q}\right) \\&= \mathsf {FHE.Enc}\left( \textsf{pk}_\textsf{FHE}, -\left\lfloor m/ \tilde{q} \right\rfloor \cdot \tilde{q}\right) . \end{aligned}$$

Let \(q \ge 2^\lambda \cdot \tilde{q}\) (this additional constraint is compatible with the parameters settings defined above), then we have that

$$ \begin{aligned} z&= \mathsf {LHE.Eval}\left( \textsf{pk}_\textsf{LHE}, h, (y, c_{(\textsf{LHE},1)}, \dots , c_{(\textsf{LHE},n)}) \right) \\&= \mathsf {LHE.Enc}\left( \textsf{pk}_\textsf{LHE}, m+ \mathsf {Dec{ \& }Mult}\left( (s_1, \dots , s_n), \tilde{y}, 1\right) \right) \\&= \mathsf {LHE.Enc}\left( \textsf{pk}_\textsf{LHE}, m-\left\lfloor m/ \tilde{q} \right\rfloor \cdot \tilde{q} + e \right) \\&= \mathsf {LHE.Enc}\left( \textsf{pk}_\textsf{LHE}, (m\mod \tilde{q}) + e \right) \end{aligned}$$

Where \(m\mod q\) is distributed uniformly over \(\mathbb {Z}_{\tilde{q}}\) except for the event where \(m\in \{q - (q \mod \tilde{q}), \dots , q\}\), which happens only with negligible probability. It follows that the output of the oracle is syntactically well formed. However, a closer look to the oracle instantiation reveals two lingering assumptions.

  1. (1)

    Circular Security The addition of \(c_\textsf{FHE}= \mathsf {FHE.Enc}(\textsf{pk}_{\textsf{FHE}}, \textsf{sk}_{\textsf{LHE}})\) introduces a circular dependency in the security of the LHE and FHE schemes (recall that our split FHE construction includes in the public key an encryption of \(\textsf{sk}_\textsf{FHE}\) under \(\textsf{pk}_\textsf{LHE}\)). Circular security is, however, widely considered to be a very mild assumption and currently is the only known approach to construct plain (as opposed to leveled) FHE from LWE via the bootstrapping theorem [34].

  2. (2)

    Correlations Although \(\tilde{y}\) is an FHE encryption of the correct value, it is not necessarily uniformly distributed, conditioned on y. In particular the randomness of \(\tilde{y}\) may depend in some intricate way on the low-order bits of \(m\). For the specific case of LWE-based schemes, the noise term might carry some information about \(m\mod \tilde{q}\), which could introduce some harmful correlation. However, the noise function is typically highly nonlinear and therefore appears to be difficult to exploit. We also stress that we only consider honest executions of the \(\mathsf {FHE.Eval}\) algorithm.

While (1) can be regarded as a standard assumption, we view (2) as a natural conjecture which we believe holds true for any natural/known candidate instantiation of the FHE and LHE schemes. In light of these considerations, we conjecture that the implementation as describe above already leads to a secure split FHE scheme.

4.2.2 Toward Removing Correlations

A natural approach toward removing the correlation of the LHE and FHE ciphertexts is that of ciphertext sanitization [26]: One could expect that repeatedly bootstrapping the FHE ciphertext would decorrelate the noise from the companion LHE ciphertext. Unfortunately our settings are different than those typically considered in the literature, in the sense that the sanitization procedure must be carried out by the distinguisher and therefore cannot use private random coins. Although it appears hard to formally analyze the effectiveness of these methods in our settings, we expect that these techniques might (at least heuristically) help to obliterate harmful correlations. In this work we take a different route and we suggest a simple heuristic method to prevent correlations. In a nutshell, the idea is to sample a set of random plaintexts and define the random string as the sum of a uniformly sampled subset S of these plaintext. The key observation is that subset sum is a linear operation and therefore can be performed directly in the LHE scheme, which implies that the leakage of the FHE scheme cannot depend on S. As for the previous construction, our instantiation contains a ciphertext \(c_\textsf{FHE}= \mathsf {FHE.Enc}(\textsf{pk}_{\textsf{FHE}}, \textsf{sk}_{\textsf{LHE}})\). The scheme is parametrized by some \(\sigma \in \textsf {poly}(\lambda )\), which defines the size of the set S. In the following description we present the algorithm as randomized, although this simplification can be easily bypassed with standard techniques (e.g., computing the random coins using a cryptographic hash \(\textsf{Hash}(x)\)).

figure d

To see why the implementation is syntactically correct, observe that

$$\begin{aligned} \tilde{y}&= \mathsf {FHE.Eval}\left( \textsf{pk}_\textsf{FHE}, -\sum ^\sigma _{i=1}\left\lfloor \mathsf {LHE.Dec}(\cdot , y_i) / \tilde{q} \right\rfloor \cdot \tilde{q}, c_\textsf{FHE}\right) \\&= \mathsf {FHE.Enc}\left( \textsf{pk}_\textsf{FHE}, -\sum ^\sigma _{i=1}\left\lfloor \mathsf {LHE.Dec}(\textsf{sk}_\textsf{LHE}, y_i) / \tilde{q} \right\rfloor \cdot \tilde{q}\right) \\&= \mathsf {FHE.Enc}\left( \textsf{pk}_\textsf{FHE}, -\sum ^\sigma _{i=1}\left\lfloor m_i / \tilde{q} \right\rfloor \cdot \tilde{q}\right) \end{aligned}$$

by the evaluation correctness of the FHE scheme. Invoking the correctness of the LHE scheme we have that

$$\begin{aligned} z&= \mathsf {LHE.Eval}\left( \textsf{pk}_{\textsf{LHE}}, h, \left( \left\{ y_i\right\} _{i\in S}, c_{(\textsf{LHE},1)}, \dots , c_{(\textsf{LHE},n)}\right) \right) \\&= \mathsf {LHE.Eval}\left( \textsf{pk}_{\textsf{LHE}}, h, \left( \left\{ \mathsf {LHE.Enc}(\textsf{pk}_\textsf{LHE}, m_i)\right\} _{i\in S}, c_{(\textsf{LHE},1)}, \dots , c_{(\textsf{LHE},n)}\right) \right) \\&= \mathsf {LHE.Enc}\left( \textsf{pk}_{\textsf{LHE}},\sum _{i \in S} m_i + \sum _{i\notin S} \lfloor m_i / \tilde{q}\rfloor \cdot \tilde{q} -\sum ^\sigma _{i=1}\left\lfloor m_i / \tilde{q} \right\rfloor \cdot \tilde{q} +e\right) \\&= \mathsf {LHE.Enc}\left( \textsf{pk}_{\textsf{LHE}},\sum _{i \in S} (m_i \mod \tilde{q}) + \sum ^\sigma _{i=1} \lfloor m_i / \tilde{q}\rfloor \cdot \tilde{q} -\sum ^\sigma _{i=1}\left\lfloor m_i / \tilde{q} \right\rfloor \cdot \tilde{q} +e\right) \\&= \mathsf {LHE.Enc}\left( \textsf{pk}_{\textsf{LHE}},\underbrace{\sum _{i \in S} (m_i \mod \tilde{q})}_{\tilde{m}}+e \right) \end{aligned}$$

which is exactly what we want, except that \(\tilde{m}\) is slightly larger than \(\tilde{q}\), by a factor of at most \(\sigma \). This can still be used in our main construction by adjusting the factor \(\omega \) used in the decrypt-and-multiply procedure accordingly. The intuition why we believe that this variant is secure is that the leakage in the FHE randomness cannot depend on the set S, since the distributions of all \(y_i\) are statistically close (recall that LHE has dense ciphertexts). Thus, S (which is chosen uniformly) resembles the behavior of a binary extractor on \((m_i \mod \tilde{q})\). Nevertheless, proving a formal statement remains an interesting open question.

4.3 Damgård-Jurik Instantiation

When instantiating the LHE scheme with the Damgård-Jurik encryption scheme (as described in Sect. 3.3) and the FHE scheme with any LWE-based scheme with linear decrypt-and-multiply (e.g., the scheme proposed in [38]) we obtain a split FHE which satisfies the notion of split compactness: The hint \(\rho \) is of size \(N = \textsf {poly}(\lambda )\) and in particular is arbitrarily smaller than the size of the plaintext space \(q = N^\zeta \). For essentially any choice of the LWE-based FHE scheme with modulus q, the size of the public key and fresh ciphertexts depends polynomially in \(\lambda \) and linearly in \(\log (q) = \log (N^\zeta )\), which gives us the desired bound. The analysis above sets the following additional constraints:

  • \(q \ge 2^k + 2^{\lceil \log (\tilde{q} + (k+1)B) \rceil }\) and

  • \(\tilde{q} \ge 2^\lambda \cdot (k+1) \cdot B\)

which are always satisfied for \(q = N^\zeta \), by setting the integer \(\zeta \) to be large enough. Note that this choice of parameters fixes the modulus of the FHE with linear decrypt-and-multiply to \(\mathbb {Z}_{N^\zeta }\), which is super-polynomially larger than the noise bound B. Finally, the LWE parameter n is free and can be set to any value for which the corresponding problem (with super-polynomial modulus-to-noise ratio) is conjectured to be hard.

4.4 Lattice-Based Instantiation

In the following we describe a split FHE construction based exclusively on LWE. Our scheme assumes the existence of a fully homomorphic encryption scheme \(\textsf{FHE}= (\mathsf {FHE.KeyGen}, \mathsf {FHE.Enc}, \mathsf {FHE.Eval}, \mathsf {FHE.Dec})\) with linear decrypt-and-multiply with noise bound B and (for simplicity prime) modulus q. To simplify the exposition, we also assume the existence of a public-key encryption scheme \(\textsf{PKE}= (\textsf{PKE}.\textsf{KeyGen}, \textsf{PKE}.\textsf{Enc}, \textsf{PKE}.\textsf{Dec})\). This is without loss of generality since any FHE scheme is also a public-key encryption scheme. We define the gadget matrix \(\textbf{G}\) as

$$\begin{aligned} \textbf{G} = (1, 2, \dots , 2^{\lceil \log (q)\rceil }) \otimes \mathbb {I} = \begin{bmatrix} (1, 2, \dots , 2^{\lceil \log (q)\rceil }) &{} 0 &{} \dots &{} 0\\ 0 &{} (1, 2, \dots , 2^{\lceil \log (q)\rceil }) &{} \dots &{} 0\\ \vdots &{}\vdots &{} \ddots &{} \vdots \\ 0 &{} 0 &{} \dots &{} (1, 2, \dots , 2^{\lceil \log (q)\rceil })\\ \end{bmatrix} \end{aligned}$$

and in an abuse of notation we define the (non-linear) bit-decomposition operator as \(\textbf{G}^{-1}\), since it acts as the inverse of \(\textbf{G}\).

In favor of a simpler exposition, we present a direct construction of FHE with split decryption, instead of instantiating each building block individually. We stress that, in contrast with the instantiation based on the Damgård-Jurik encryption scheme (Sect. 4.3), this scheme does not satisfy the syntactical requirements to apply the generic transformations (described in Sect. 4.2) to lift the scheme to the plain model. Nevertheless, such a scheme is still useful a building block to construct rate-1 reusable garbled circuits (Sect. 6).

figure e

The sampling oracle is defined below. For simplicity we describe the oracle as randomized and we implement the deterministic variant by fixing the random coins using, e.g., a hash function.

figure f

The correctness of the scheme follows since

$$ \begin{aligned} \textsf{MSB}\left( \textbf{B}\textbf{G}^{-1}(L_c) - \textbf{A}\rho \right)&= \textsf{MSB}\left( \left( \textbf{A}\textbf{R} + \textbf{E} + (s_1, \dots , s_n)\otimes \textbf{G}\right) \textbf{G}^{-1}(L_c) - \textbf{A}\rho \right) \\&= \textsf{MSB}\left( \textbf{A}\textbf{R}\textbf{G}^{-1}(L_c) + \textbf{E}\textbf{G}^{-1}(L_c) + L_c(s_1, \dots , s_n) - \textbf{A}\rho \right) \\&= \textsf{MSB}\left( \textbf{A}\textbf{R}\textbf{G}^{-1}(L_c) + \textbf{e} + L_c(s_1, \dots , s_n) - \textbf{A}\left( \textbf{R} \textbf{G}^{-1}(L_c) - \textbf{t}\right) \right) \\&= \textsf{MSB}\left( L_c(s_1, \dots , s_n) + \textbf{A}\textbf{t} + \textbf{e}\right) \\&= \textsf{MSB}\left( \mathsf {Dec{ \& }Mult}\left( (s_1, \dots , s_n), (\tilde{c}_1, \dots , \tilde{c}_k), \lceil q/2 \rceil \right) + \textbf{A}\textbf{t} + \textbf{e}\right) \end{aligned}$$

where

$$\begin{aligned} \tilde{c}_j&= \mathsf {FHE.Eval}(\textsf{pk}_\textsf{FHE}, C_j, (c_1, \dots , c_\ell ))\\&= \mathsf {FHE.Eval}(\textsf{pk}_\textsf{FHE}, C_j, (\mathsf {FHE.Enc}(\textsf{pk}_\textsf{FHE}, m_1), \dots , \mathsf {FHE.Enc}(\textsf{pk}_\textsf{FHE}, m_\ell )))\\&= \mathsf {FHE.Enc}(\textsf{pk}, C_j(m_1,\dots , m_\ell )) \end{aligned}$$

thus

$$\begin{aligned} \textsf{MSB}\left( \textbf{B}\textbf{G}^{-1}(L_c) - \textbf{A}\rho \right) \oplus \tau&= \textsf{MSB}\left( \lceil q/2 \rceil \cdot C(m_1,\dots , m_\ell ) +\tilde{\textbf{e}} + \textbf{A}\textbf{t} + \textbf{e}\right) \oplus \tau \end{aligned}$$
(2)
$$\begin{aligned}&= C(m_1,\dots , m_\ell ) \oplus \textsf{MSB}\left( \textbf{A}\textbf{t} + \textbf{e} + \tilde{\textbf{e}}\right) \oplus \tau \end{aligned}$$
(3)
$$\begin{aligned}&= C(m_1,\dots , m_\ell ) \oplus \textsf{MSB}\left( \textbf{A}\textbf{t}\right) \oplus \textsf{MSB}\left( \textbf{A}\textbf{t}\right) \end{aligned}$$
(4)
$$\begin{aligned}&= C(m_1,\dots , m_\ell ) \end{aligned}$$
(5)

with all but negligible probability over the random choice of \(\textbf{t}\). To establish this, we need to show that equality (4) holds, except with negligible probability over the choice of \(\textbf{t}\) and \(\textbf{A}\).

Observe that \(\Vert \tilde{\textbf{e}} + \textbf{e}\Vert _\infty \le B\cdot (n\cdot k \cdot \lceil \log (q)\rceil + 1)\). For a given \(z \in \mathbb {Z}_q\) say that z is bad if \(|z - q/4| < B\cdot (n\cdot k \cdot \lceil \log (q)\rceil + 1)\) or \(|z + q/4| < B\cdot (n\cdot k \cdot \lceil \log (q)\rceil + 1)\). By choosing q sufficiently large, e.g. by \(q/4 > 2^\lambda \cdot B\cdot (n\cdot k \cdot \lceil \log (q)\rceil + 1)\), we get that the probability that a uniformly random \(z \leftarrow \!\!\$\,\mathbb {Z}_q\) is bad is negligible. Further say that a vector \(\textbf{z} \in \mathbb {Z}_q^k\) is bad if any of its components is bad.

By Lemma 2 we can fix a \(\textbf{t} \in \mathbb {Z}_q^n\) such if \(\textbf{a} \leftarrow \!\!\$\,\mathbb {Z}_q^n\) is chosen uniformly random, then \(\langle \textbf{a}, \textbf{t} \rangle \) is distributed uniformly random, as a uniformly random \(\textbf{t} \in \mathbb {Z}_q^n\) has this property except with probability \(\log (q) \cdot 2^{-n}\). Let \(\textbf{a}_i,\dots ,\textbf{a}_k\) be the rows of \(\textbf{A}\). Since the \(\textbf{a}_i\) are uniformly random, so are the \(\langle \textbf{a}_i,\textbf{t} \rangle \). Thus, it holds for every i that \(\Pr [\langle \textbf{a}_i,\textbf{t} \rangle \text { bad}] < \textsf {negl}(\lambda )\). By a union bound we immediately get that \(\Pr _{\textbf{A}}[\textbf{A} \textbf{t} \text { bad}] = \Pr _{\textbf{A}}[\exists i: \langle \textbf{a}_i,\textbf{t} \rangle \text { bad}] < k \cdot \textsf {negl}(\lambda ) = \textsf {negl}(\lambda )\). Putting everything together, we get that \(\Pr _{\textbf{A},\textbf{t}}[\textbf{A}\textbf{t} \text { bad}] < \textsf {negl}(\lambda ) + \log (q) \cdot 2^{-n} = \textsf {negl}(\lambda )\). We can conclude that \(\textsf{MSB}\left( \textbf{A}\textbf{t} + {\textbf{e} + \tilde{\textbf{e}}}\right) = \textsf{MSB}\left( \textbf{A}\textbf{t}\right) \), except with negligible choice over \(\textbf{t}\) and \(\textbf{A}\).

We now proceed to argue about the security of our scheme.

Theorem 4.3

(Split Security) Let \(\textsf{FHE}\) be a semantically secure fully homomorphic encryption scheme with simulatable hints and let \(\textsf{PKE}\) be a semantically secure public-key encryption scheme. If the LWE problem is hard, then the scheme as described above satisfies split security in the \(\textsf{Sample}\)-hybrid model.

Proof

Let \((m_0, m_1, C_1, \dots , C_\beta )\) be the inputs specified by the adversary at the beginning of the experiment. Consider the following series of hybrids.

Hybrid \(\mathcal {H}_0:\) Is defined as the original experiment.

Hybrids \(\mathcal {H}_1 \dots \mathcal {H}_\beta :\) We define the hybrid \(\mathcal {H}_i\) to be identical to the previous one except that the i-th hint \(\rho _i\) is sampled uniformly from \(\mathbb {Z}_q^n\) and the corresponding query to the \(\textsf{Sample}\) oracle is answered by computing \(c_\tau \leftarrow \textsf{PKE}.\textsf{Enc}(\textsf{pk}_{\textsf{PKE}}, 0)\) and setting

$$\begin{aligned} \tau = \textsf{MSB}(\textbf{B}\textbf{G}^{-1}(L_c) - \textbf{A}\rho ) \oplus C(m_1, \dots , m_\ell ). \end{aligned}$$

It is not hard to see that the distribution induced by this hybrid is computationally indistinguishable from the previous one, by a reduction against the semantic security of \(\textsf{PKE}\).

Hybrid \(\mathcal {H}_{\beta +1}:\) This hybrid is defined to be exactly as the previous one except that the element \(\textbf{B}\) is chosen uniformly over \(\mathbb {Z}_q^{k\times nk\lceil \log (q)\rceil }\). Indistinguishability follows from a standard hybrid argument against the LWE assumption.

Hybrid \(\mathcal {H}^{(b)}_{\beta +1}:\) We define the hybrid \(\mathcal {H}^{(b)}_{\beta +1}\) as \(\mathcal {H}_{\beta +1}\) with the challenger bit fixed to b. By the semantic security of the FHE scheme, it follows that \(\mathcal {H}^{(0)}_{\beta }\) and \(\mathcal {H}^{(1)}_{\beta }\) are computationally indistinguishable. This concludes our proof. \(\square \)

Note that the above prove implicitly defines a simulator (in the \(\textsf{Sample}\)-hybrid model) for decryption hints: Sample \(\rho \leftarrow \!\!\$\,\mathbb {Z}_q^n\) and program the corresponding query to the \(\textsf{Sample}\) oracle to \(c_\tau \leftarrow \textsf{PKE}.\textsf{Enc}(\textsf{pk}_{\textsf{PKE}}, 0)\) and

$$\begin{aligned} \tau = \textsf{MSB}(\textbf{B}\textbf{G}^{-1}(L_c) - \textbf{A}\rho ) \oplus m. \end{aligned}$$

where \(L_c\) is the linear function defined by the input ciphertext \(c\) and m is the message given as input to the simulator. This implies that the scheme as described above satisfies (computational) hint simulatability in the \(\textsf{Sample}\)-hybrid model.

Finally, we observe that the scheme satisfies split compactness as the size of the decryption hints is \(O(n \log (q)) = \textsf {poly}(\lambda )\) and in particular is independent of the output size k.

5 Split Fully Homomorphic Encryption Implies Obfuscation

In order to construct fully fledged iO from split FHE, we rely on a theorem from Lin et al. [50], which we recall in the following. Roughly speaking, the theorem states that, under the assumption that the LWE problem is sub-exponentially hard, it suffices to consider circuits with a polynomial-size input domain and obfuscators that output obfuscated circuits of size slightly sublinear in size of the truth table of the circuit.

Theorem 5.1

([50]) Assuming sub-exponentially hard LWE, if there exists a sub-exponentially secure indistinguishability obfuscator for \(\textsf{P}^\textsf{log} / \textsf{poly}\) with non-trivial efficiency, then there exists an indistinguishability obfuscator for \(\textsf{P} / \textsf{poly}\) with sub-exponential security.

Here \(\textsf{P}^\textsf{log} / \textsf{poly}\) denotes the class of polynomial-size circuits with inputs of length \(\eta = O(\log (\lambda ))\) and by non-trivial efficiency we mean that the size of the obfuscated circuit is bounded by \(\textsf {poly}(\lambda , |C|)\cdot 2^{\eta \cdot (1-\varepsilon )}\), for some constant \(\varepsilon > 0\). Note that the above theorem poses no restriction on the runtime of the obfuscator, which can be as large as \(\textsf {poly}(\lambda , |C|)\cdot 2^\eta \).

In the following we show how to construct an obfuscator for \(\textsf{P}^\textsf{log} / \textsf{poly}\) with non-trivial efficiency. We assume only the existence of a (leveled) split FHE scheme \(\textsf{sFHE}= (\textsf{KeyGen}, \textsf{Enc},\textsf{Eval},\textsf{PDec}, \textsf{Rec})\).

figure g

First, we discuss how to evaluate an obfuscated circuit: On input some \(x\in \{0,1\}^{\eta }\), parse it as an integer and round it to the nearest multiple of \(2^{\eta /2}\) (let such integer be \(\bar{x}\)) such that \(\bar{x} \le x\). Then compute \(c_{\bar{x}} \leftarrow \textsf{Eval}(\textsf{pk}, \mathfrak {U}_{\bar{x}}, c)\) and \(m\leftarrow \textsf{Rec}(\rho _{\bar{x}}, c_{\bar{x}})\). Read the output as the \((x - \bar{x})\)-th bit of \(m\).

5.1 Analysis

Note that the runtime of the obfuscator is dominated by \(2^{\eta /2}\) evaluations of the split FHE ciphertext, where each subroutine homomorphically evaluates the circuit \(C\) \(2^{\eta / 2}\)-many times. Thus, the total runtime of the obfuscator is in the order of \(\textsf {poly}(\lambda , |C|) \cdot 2^\eta \). We now argue that our obfuscator has non trivial efficiency in terms of output size. We analyze the size of each component of the obfuscated circuit:

  • By the compactness of the split FHE scheme, the public key \(\textsf{pk}\) grows linearly with the size of the output domain, i.e., \(2^{\eta /2}\), and polynomially in the security parameter.

  • The ciphertext \(c\) grows linearly with the size of the encrypted message and, therefore, by the compactness of the split FHE scheme, is bounded by \(\textsf {poly}(\lambda , |C|) \cdot 2^{\eta / 2}\).

  • Each decryption hint \(\rho _i\) is of size \(\textsf {poly}(\lambda )\), since the underlying split FHE is compact. As an obfuscated circuit consists of \(2^{\eta /2}\)-many decryption hints, the size of the vector \((\rho _1, \dots , \rho _{2^{\eta /2}})\) is \(\textsf {poly}(\lambda ) \cdot 2^{\eta /2}\).

It follows that the total size of the obfuscated circuit is bounded from above by \(\textsf {poly}(\lambda , |C|) \cdot 2^{\eta / 2}\). What is left to be shown is that our obfuscator satisfies the notion of indistinguishability obfuscation.

Theorem 5.2

(Indistinguishability Obfuscation) Let \(\textsf{sFHE}\) be a sub-exponentially secure leveled split FHE scheme. Then the scheme as described above is a sub-exponentially secure indistinguishability obfuscator.

Proof

By the perfect correctness of the split FHE scheme it follows that the obfuscated circuit is functionally equivalent to the plain circuit. Indistinguishability follows immediately from the split security of \(\textsf{sFHE}\): If the split FHE is secure against a distinguisher running in sub-exponential time, then so is \(\textsf{iO}\). \(\square \)

6 Rate-1 Reusable Garbled Circuits

In this section we recall the definition of reusable garbled circuits (rGC) and discuss how to construct a scheme with rate-1 input encodings (in the output length).

6.1 Definition

We briefly recall the syntax of garbling schemes as defined by Yao [64].

Definition 6.1

(Garbling Scheme) A garbling scheme consists of the following efficient algorithms

  • \(\mathsf {GC.Garble}(1^\lambda , C):\) On input the security parameter \(1^\lambda \) and a circuit \(C\), the garbling algorithm returns a garbled circuit \(\tilde{C}\) and a secret key \(\textsf{sk}\).

  • \(\mathsf {GC.Encode}(\textsf{sk}, x):\) On input the secret key \(\textsf{sk}\) and an input x, the encoding algorithm returns an encoding \(c\).

  • \(\mathsf {GC.Eval}(\tilde{C}, c):\) On input a garbled circuit \(\tilde{C}\) and an encoding \(c\), the evaluation algorithm returns an output y.

We define correctness for a garbling scheme.

Definition 6.2

(Correctness) A garbling scheme \((\mathsf {GC.Garble}, \mathsf {GC.Encode}, \mathsf {GC.Eval})\) is correct if for all \(\lambda \in \mathbb {N}\), all circuits \(C\), all inputs x, and all pairs \((\tilde{C}, \textsf{sk})\) in the support of \(\mathsf {GC.Garble}(1^\lambda , C)\) it holds that

$$\begin{aligned} \Pr [\mathsf {GC.Eval}(\tilde{C}, \mathsf {GC.Encode}(\textsf{sk}, x)) = C(x)] =1. \end{aligned}$$

We recall the notion of reusable security from [39], that requires that the encodings of inputs x with respect to a garbled circuit \(C\) reveal nothing beyond \(C(x)\).

Definition 6.3

(Reusable Security) A garbling scheme \((\mathsf {GC.Garble}, \mathsf {GC.Encode}, \mathsf {GC.Eval})\) is reusably secure if there exists a PPT simulator \(\textsf{Sim} = (\textsf{Sim}_0, \textsf{Sim}_1)\) such that for all PPT attackers \(\mathcal {A}= (\mathcal {A}_1, \mathcal {A}_2)\) there exists a negligible function \(\textsf {negl}(\lambda )\) such that

$$\begin{aligned} \left| \begin{array}{r} \Pr \left[ 1 \leftarrow \mathcal {A}_{2}^{\mathsf {GC.Encode}(\textsf{sk}, \cdot )}(\tilde{C}, \textsf{st}) \Big |\begin{array}{l} (C, \textsf{st}) \leftarrow \mathcal {A}_1(1^\lambda )\\ (\tilde{C}, \textsf{sk}) \leftarrow \mathsf {GC.Garble}(1^\lambda , C)\\ \end{array} \right] -\\ \Pr \left[ 1 \leftarrow \mathcal {A}_{2}^{\mathcal {O}_{C, \tilde{\textsf{st}}}(\cdot )}(\tilde{C}, \textsf{st}) \Big | \begin{array}{l} (C, \textsf{st}) \leftarrow \mathcal {A}_1(1^\lambda )\\ (\tilde{C}, \tilde{\textsf{st}}) \leftarrow \textsf{Sim}_0(1^\lambda , 1^{|C|})\\ \end{array} \right] \end{array} \right| = \textsf {negl}(\lambda ) \end{aligned}$$

where \(\mathcal {O}_{C, \tilde{\textsf{st}}}\), on input x, runs \((c, \tilde{\textsf{st}}')\leftarrow \textsf{Sim}_1(1^{|x|}, \tilde{\textsf{st}}, C(x))\), sets \(\tilde{\textsf{st}} = \tilde{\textsf{st}}'\) and returns \(c\).

Theorem 6.4

([39]) Assuming sub-exponentially hard LWE, there exists a reusable garbled circuit scheme with input encodings of size \(\textsf {poly}(\lambda , d, |x|, |y|)\), where d is the depth of the circuit.

6.2 Rate-1 Construction

In the following we present our rGC scheme with rate-1 encodings. We assume the existence of the following building blocks.

  • A one-time secure split FHE scheme \(\textsf{FHE}= (\mathsf {FHE.KeyGen}, \mathsf {FHE.Enc}, \mathsf {FHE.Eval},\textsf{FHE}.\textsf{Sample}, \textsf{FHE}.\textsf{PDec}, \textsf{FHE}.\textsf{Rec})\) with simulatable decryption hints.

  • A reusable garbled circuit \(\textsf{rGC} = (\mathsf {GC.Garble}, \mathsf {GC.Encode}, \mathsf {GC.Eval})\).

We stress that the former can be constructed using the schemes presented in Sect. 4.1 and Sect. 4.4, without making any additional assumption. As a main corollary, we obtain that assuming the hardness of the LWE problem is sufficient.

figure h

To see why the scheme satisfies correctness, observe that

$$\begin{aligned} \textsf{FHE}.\textsf{Rec}(\rho , c)&= \textsf{FHE}.\textsf{Rec}(\mathsf {GC.Eval}(\tilde{C}, e), c)\\&= \textsf{FHE}.\textsf{Rec}(\mathsf {GC.Eval}(\tilde{C}, \mathsf {GC.Encode}(\textsf{sk}_{\textsf{rGC}},(x,r,s))), c) \end{aligned}$$

where \((\tilde{C},\textsf{sk}_{\textsf{rGC}})\leftarrow \mathsf {GC.Garble}(1^\lambda , \Gamma )\). By definition of \(\Gamma \) and by the correctness of the garbling scheme, we have that

$$\begin{aligned} \textsf{FHE}.\textsf{Rec}(\rho , c) = \textsf{FHE}.\textsf{Rec}(\textsf{FHE}.\textsf{PDec}(\textsf{sk}_{\textsf{FHE}}, c), c) \end{aligned}$$

where

$$\begin{aligned} c&= \mathsf {FHE.Eval}^a(\textsf{pk}_\textsf{FHE}, C, \tilde{c})\\&= \mathsf {FHE.Eval}^a(\textsf{pk}_\textsf{FHE}, C, \mathsf {FHE.Enc}(\textsf{pk}_{\textsf{FHE}}, x))\\&= \mathsf {FHE.Enc}(\textsf{pk}_\textsf{FHE}, C(x)) \end{aligned}$$

and therefore

$$\begin{aligned} \textsf{FHE}.\textsf{Rec}(\rho , c) = C(x). \end{aligned}$$

We analyze the security of our scheme in the following theorem.

Theorem 6.5

(Reusable Security) Let \(\textsf{FHE}\) be a split FHE scheme with simulatable decryption hints and let \(\textsf{rGC}\) be a reusably secure garbling scheme. Then the scheme as described above is reusably secure.

Proof

The proof consists the description of an efficient simulator \(\textsf{Sim} = (\textsf{Sim}_0, \textsf{Sim}_1)\). The algorithm \(\textsf{Sim}_0\) computes the public-key of the split-FHE scheme honestly and simulates the garbled circuit \(\tilde{C}\) using the simulator of the underlying garbling scheme. On the other hand, the algorithm \(\textsf{Sim}_1\) evaluates the FHE ciphertext honestly to obtain \(\tilde{c}\) and samples a as dictated by the \(\textsf{Sample}\) algorithm. Finally, it computes a simulated decryption hint \(\rho \) for the input value C(x) using the simulator provided by the split-FHE scheme and feeds \(\rho \) as an input to the simulator of the underlying garbling scheme to obtain an encoding e. The algorithm returns \((\tilde{c}, a, e)\). Indistinguishability follows from a standard hybrid argument over the security of the reusable garbling scheme and by an invocation of the simulatability of the decryption hints of the split FHE scheme. \(\square \)

All is left to be shown is that the scheme has rate-1 encodings (in the output length), by instantiating the garbling scheme with construction of [39]. The input encoding consists of three components:

  1. (1)

    A ciphertext \(\tilde{c}\) of the split FHE scheme encrypting the input x, whose size can be bounded by \(\textsf {poly}(\lambda , |x|)\).

  2. (2)

    The answer a to a query to the \(\textsf{Sample}\) oracle, whose size is (for the choice of parameters discussed in, e.g., Sect. 4.3) bounded by \(|y| + \textsf {poly}(\lambda )\).

  3. (3)

    The encoding e for the garbling of the circuit \(\Gamma \). Note that the size of the output of \(\Gamma \) depends only on the security parameter (and in particular is independent of |y|); thus, the size of e can be bounded by \(\textsf {poly}(\lambda , d, |x|)\), where d is the depth of the circuit \(C\).

It follows that the total size of the input encoding is bounded by \(\textsf {poly}(\lambda , d, |x|) + |y|\).