Maliciously circuit-private multi-key FHE and MPC based on LWE

Attrapadung, Nuttapong; Hanaoka, Goichiro; Hiromasa, Ryo; Matsuda, Takahiro; Schuldt, Jacob C. N.

doi:10.1007/s10623-022-01160-x

Maliciously circuit-private multi-key FHE and MPC based on LWE

Open access
Published: 30 December 2022

Volume 91, pages 1645–1684, (2023)
Cite this article

Download PDF

You have full access to this open access article

Designs, Codes and Cryptography Aims and scope Submit manuscript

Maliciously circuit-private multi-key FHE and MPC based on LWE

Download PDF

Nuttapong Attrapadung¹^na1,
Goichiro Hanaoka¹^na1,
Ryo Hiromasa ORCID: orcid.org/0000-0003-1273-766X²^na1,
Takahiro Matsuda¹^na1 &
…
Jacob C. N. Schuldt¹^na1

1810 Accesses
Explore all metrics

Abstract

In this paper, we construct multi-key homomorphic and fully homomorphic encryption (resp. MKHE and MKFHE) schemes with malicious circuit privacy. Our schemes are based on learning with errors (LWE) besides appropriate circular security assumptions. In contrast, the previous maliciously circuit-private MKFHE scheme by Chongchitmate and Ostrovsky (PKC, 2017) is based on the non-standard decisional small polynomial ratio (DSPR) assumption with a super-polynomial modulus, besides ring learning with errors and circular security assumptions. We note that it was shown by Albrecht et al. (CRYPTO, 2016) that there exists a sub-exponential time attack against this type of DSPR assumption. The main building block of our maliciously circuit-private MKFHE scheme is a (plain) MKFHE scheme by Brakerski et al. (TCC, 2017), and the security of our schemes is proven under the hardness of LWE with sub-exponential modulus-to-noise ratio and circular security assumptions related to the Brakerski et al. scheme. Furthermore, based on our MKFHE schemes, we construct four-round multi-party computation (MPC) protocols with circuit privacy against a semi-honest server and malicious clients in the plain model. The protocols are obtained by combining our schemes with a maliciously sender-private oblivious transfer protocol and a circuit garbling scheme, all of which can be instantiated only assuming LWE.

Four Round Secure Computation Without Setup

Circuit-Private Multi-key FHE

Two Round Multiparty Computation via Multi-key FHE

1 Introduction

Fully homomorphic encryption (FHE) [8, 11, 12, 22, 23, 40] is a special type of public key encryption that allows functions to be evaluated over encrypted data. FHE is a powerful primitive often used as a building block in other schemes and protocols. A typical application of FHE is the construction of a multi-party computation (MPC) protocol between two semi-honest parties, which allows the parties to jointly perform a computation over their inputs, while revealing nothing more than the output of the computation. Specifically, the MPC protocol can be constructed as follows. The first party $P_{1}$ encrypts his input x under his own public key and sends the ciphertext c to the second party $P_{2}$. Then $P_{2}$ evaluates a function f homomorphically on c and his own input y, and sends the result back to $P_{1}$, who decrypts the final ciphertext to obtain f(x, y). An important property of this protocol is that the communication complexity is independent of the complexity of the function f being evaluated. Multi-key fully homomorphic encryption (MKFHE) [2, 10, 18, 31, 35] is a variant of FHE which allows evaluation of functions over ciphertexts generated under different public keys. Similar to FHE leading to a natural construction of a two-party computation protocol, MKFHE can be used as a basis for a multi-party computation protocol, where the parties encrypt their input under their own public key, then homomorphically evaluate the relevant function over all ciphertexts, and collaboratively run a multiparty decryption protocol on the evaluated ciphertext.

Client-Server MPC. In this paper, we consider a special type of MPC protocols called client-server MPC protocols in which the parties play different roles, namely server and client. The single server is given a description of a function to be computed in the protocol, and clients are given inputs to the function. Such protocols have been considered in the literature of server-aided MPC [29, 31] and circuit-private homomorphic encryption [17, 28, 36]. (The formal definition of the client-server MPC protocol can be found on Definition 5.1.) In client-server MPC, we can consider two types of security notions: client privacy and circuit privacy^{Footnote 1}. Client privacy requires that the clients’ inputs are kept semantically secure, whereas circuit privacy requires that no information about the function computed in the MPC protocol is revealed beyond the output with respect to the clients’ inputs. In this paper, we consider circuit privacy against malicious adversaries [28], namely even if the server is given malicious inputs (such as ill-formed ciphertexts or public keys) from clients, the output of the MPC protocol does not reveal any information about the computed function.

FHE and MPC with malicious circuit privacy. In [17], Chongchitmate and Ostrovsky showed a three-round MPC protocol with circuit privacy. Their protocol is secure against a semi-honest server and malicious clients in the plain model under the (non-standard) decisional small polynomial ratio (DSPR) assumption with super-polynomial modulus (in addition to learning with errors over a polynomial ring and appropriate circular security assumptions for the underlying building blocks). We note that it was shown by Albrecht et al. [1] that there exists a sub-exponential time attack against this type of DSPR assumption. This gives rise to the following natural question:

Can a client-server MPC protocol with (malicious) circuit privacy be obtained from standard assumptions?

The main building block of the protocol in [17] is a MKFHE scheme with circuit privacy against malicious adversaries. This scheme is in turn constructed based on the MKFHE scheme by Lopez-Alt et al. [31], which leads to the dependency on the DSPR assumption, as the scheme from [31] requires this.

In general, a client-server MPC protocol with circuit privacy against malicious clients can be constructed from any maliciously circuit-private MKFHE scheme by combining this with a statistically sender-private oblivious transfer (OT) protocol and information-theoretic randomized encoding [27]. Such an OT protocol exists under standard assumptions, e.g. the LWE-based protocol [9], so the above question can be rephrased as the following question, which was also raised in [17] as an open problem:

Can a maliciously circuit-private MKFHE scheme be obtained from standard assumptions?

1.1 Our results

In this paper, we answer the above questions in the affirmative, with the only caveat being that appropriate circular security assumptions are additionally required (note that all of the currently known (non-leveled) FHE schemes not based on obfuscation, require circular security assumptions). Concretely, we firstly construct a maliciously circuit-private MKHE^{Footnote 2} scheme for branching programs based on LWE as well as weak circular security of the (plain) MKFHE scheme by Brakerski et al. [15], which is one of the main building blocks of our scheme. Informally, we prove the following theorem:

Theorem 1.1

(Informal) Assuming the hardness of LWE with sub-exponential modulus-to-noise ratio (and weak circular security of [15]), there exists a maliciously circuit-private MKHE scheme with distributed setup for branching programs.

Secondly, we show how the obtained scheme can be combined with a plain MKFHE scheme (such as [15]), to obtain a fully homomorphic maliciously circuit-private scheme. To obtain this result, we rely on a somewhat non-standard circular security assumption. We note that a similar assumption is required to show the security of the previous construction of a maliciously circuit-private MKFHE in [17]. (The details of the circular security assumption are discussed in Sect. 4.3.) Informally, we show the following result.

Theorem 1.2

(Informal) Assuming the existence of a distributed-setup maliciously circuit-private MKHE scheme for branching programs and a distributed-setup (plain) MKFHE scheme which are “jointly circular secure”, there exists a maliciously circuit-private MKFHE scheme with distributed setup.

Based on either of our MK(F)HE schemes, we can build a four-round MPC protocol with circuit privacy against a semi-honest server and malicious clients in the plain model. All the additional building blocks required for our protocol can be instantiated assuming only LWE, and hence, from our circuit-private MKHE scheme for branching programs (Theorem 1.1), we obtain the following:

Theorem 1.3

(Informal) Assuming the hardness of LWE with sub-exponential modulus-to-noise ratio (and weak circular security of [15]), there exists a four-round client-server MPC protocol for branching programs ($\textsf{NC}^1$ circuits) with circuit privacy against a malicious adversary corrupting only clients in the plain model.

Furthermore, based on our MKFHE scheme (Theorem 1.2), we obtain:

Theorem 1.4

(Informal) Assuming the existence of a distributed-setup maliciously circuit-private MKHE scheme for branching programs and a distributed-setup (plain) MKFHE scheme which are jointly circular secure, there exists a four-round client-server MPC protocol with circuit privacy against a malicious adversary corrupting only clients in the plain model.

Comparison with Existing MPC Protocols. We first loosely compare MKFHE-based MPC protocols for circuits with other well-known general paradigms, namely, secret-sharing-based and garbled-circuit-based MPC in Table .^{Footnote 3}^{Footnote 4} MPC protocols based on the latter two paradigms generally do not aim at hiding the evaluated circuit. While it is in principle possible to hide the structure of the circuit, as we highlight below in our discussion of a related primitive called private function evaluation (PFE), information regarding the circuit size leaks as the communication complexity depends on this. In contrast, MKFHE-based MPC protocols makes the communication complexity and also client computation independent of the circuit size.

We next compare our MPC results among existing MK-FHE based client-server MPC protocols in the plain model in Table . We remark that these protocols achieve communication complexity and client computation independent of the circuit being evaluated. The main feature of our protocols is that they can be based on more standard computational assumptions (LWE), while the previous two works [17, 31] make use of the non-standard DSPR assumptions. Note that besides the computational assumptions listed, appropriate circular security assumptions are needed in all of the listed schemes. As a trade-off, our protocols require one more round compared to [17]; intuitively, this is due to our design where participating parties have to share individual public parameters used to generate public and secret keys for the underlying maliciously circuit-private MKFHE scheme.

Table 1 A comparison among MPC protocol paradigms for circuits

Full size table

Table 2 Comparison among existing MKFHE-based client-server MPC protocols in the plain model. Besides the computational assumptions listed, appropriate circular security assumptions are needed in all of the listed schemes. Client privacy refers to privacy of honest clients’ input against corrupted clients

Full size table

Relation to private function evaluation Private function evaluation (PFE) is a special type of MPC which allows a function, held by one party, to be computed while being kept secret. Such a protocol can be achieved by computing a universal circuit in an ordinary MPC protocol, and treating the (description of the) function as a client input. While the universal circuit approach hides the function itself, it does not guarantee that the size of the evaluated function is kept secret. In contrast, our MPC protocol provides this guarantee and achieves a communication complexity that is independent of the size of the evaluated function due to the use of MKFHE. Furthermore, the use of universal circuits incurs a significant overhead in terms of computation. A (boolean or arithmetic) circuit of size g requires a universal circuit of size at least $O(g\log g)$ [37, 39] to be computed. A more practical approach to PFE that does not rely on a universal circuit is considered in [33, 34] (in particular, [34] constructs an actively secure PFE which, unlike the security considered in this paper, allows corrupting the function holder), but the complexity of their protocols still depends on the size of the evaluated circuit.

1.2 Overview of our constructions

Here, we give an overview of the construction techniques we use to obtain our maliciously circuit-private MK(F)HE schemes. As our basic approach is similar to that of [17], we start by recalling the ideas behind the circuit-private MKFHE construction from [17].

Prior approach to circuit-private MKFHE Chongchitmate and Ostrovsky [17] constructed the first (maliciously) circuit-private MKFHE scheme. The scheme is built on a MKFHE scheme with a special property called private expandability. To homomorphically evaluate a function over ciphertexts, a MKFHE scheme usually transforms an input ciphertext $\textsf{ct}_{i}$ (generated under a single public key $\textsf{pk}_{i}$) into a ciphertext $\widetilde{\textsf{ct}}$ that relates to all the keys $\{\textsf{pk}_{i}\}_{i}$ involved in the homomorphic evaluation. Private expandability guarantees that no efficient algorithm can distinguish $\widetilde{\textsf{ct}}$, from an expanded ciphertext $\widetilde{\textsf{ct}}'$ obtained by expanding a ciphertext $\textsf{ct}_{j}$ under a different public key $\textsf{pk}_{j}$ for any $j\ne i$. The authors constructed a privately-expandable scheme from the MKFHE scheme of [31]. The private expansion algorithm of the scheme uses the noise smudging technique of [14, 21, 25] to remove the dependency on the key $\textsf{pk}_{i}$ under which the original ciphertext $\textsf{ct}_{i}$ is constructed. Private expandability leads to a semi-honest circuit-private MKHE scheme for branching programs by using the technique of [28]. Intuitively, private expandability hides by which key the expanded input was originally encrypted. The semi-honest circuit-private scheme for branching programs is transformed into a maliciously circuit-private scheme by using the maliciously circuit-private single-key FHE scheme of [36] to homomorphically check whether all $\textsf{pk}_{i}$’s and $\textsf{ct}_{i}$’s are well-formed. Finally, a fully homomorphic scheme is obtained by combining the maliciously circuit-private scheme with a normal MKFHE scheme with decryption in $\textsf{NC}^{1}$. It should be noted that all of the above schemes [17] (and technique of [36]) are in the plain model.

Privately-expandable MKFHE with distributed setup The definitions and constructions in [17] crucially rely on the use of a setup-free MKFHE scheme to obtain a scheme in the plain model. This eventually leads to their instantiation being based on the non-standard DSPR assumption (via [31]). We take a different approach. Specifically, we construct a maliciously circuit-private MKFHE scheme with distributed setup, in which every party $P_{i}$ independently generates a public parameter $\textsf{pp}_{i}$, and $\{\textsf{pp}_i\}_{i}$ are used to generate keys and ciphertexts. This will allow us to obtain a scheme based on standard assumptions, without having to introduce a common reference string (CRS) or trusted setup. The concept of a distributed setup for a MKFHE scheme is not new, and Brakerski, Halevi, and Polychroniadou [15] proposed a scheme with this property for the purpose of obtaining a four-round secure MPC protocol in the plain model. Note, however, that the results from [15] cannot be used directly in our approach, as the concept of private expandability was not considered in [15]. To address this, we firstly introduce a generalization of private expandability to MKFHE with distributed setup, in which the ciphertext expansion algorithm $\textsf{Expand}$ takes as input $\{\textsf{pp}_{i}\}_{i}$ generated by the $P_{i}$’s. We then proceed to prove that the scheme of [15] can in fact be extended to yield a scheme providing our notion of private expandability. To prove this, we use the noise smudging technique, which incurs the sub-exponential modulus-to-noise ratio in the LWE assumption. As a result, we obtain a privately-expandable MKFHE scheme based on LWE without having to introduce a CRS or trusted setup.

Achieving malicious circuit privacy. To obtain a maliciously circuit-private MKFHE scheme, we extend the approach taken by [17] to our setting. Specifically, we firstly define malicious circuit privacy for MK(F)HE with distributed setup, in which $\{\textsf{pp}_{i}\}_i$ generated in the distributed setup are given to the homomorphic evaluation algorithm. We then construct a maliciously circuit-private scheme using a privately-expandable MKFHE scheme with distributed setup. More precisely, private expandability allows us to construct a semi-honest circuit-private MKHE for branching programs in a similar way to [17, 28]. To achieve malicious circuit privacy, we use an additional (maliciously) circuit-private single-key FHE scheme to homomorphically check whether inputs to the homomorphic evaluation algorithm are well-formed. Note that for this to work, it must be possible for the evaluation algorithm to check the validity of the public parameters generated by the distributed setup procedure (without access to the randomness used to generate these). However, for our particular privately-expandable MKFHE scheme, all values $\textsf{pp}_{i}$ are picked uniformly at random from the appropriate domain, and hence we can check the validity of the $\textsf{pp}_i$’s simply via a membership test. Furthermore, similar to [17], the construction requires public keys to contain bit-wise encryptions of private keys of the privately-expandable MKFHE scheme, and hence requires the latter to be weakly circular secure. Lastly, note that the required maliciously circuit-private single-key FHE scheme can be constructed from an information-theoretic randomized encoding scheme, an OT protocol, and a single-key FHE scheme, as shown by Ostrovsky et al. [36]. Since the latter two primitives can be instantiated assuming only LWE [8, 9, 12], we obtain a maliciously circuit-private scheme for branching programs based on LWE (besides the required circular assumption).

Finally, we construct a fully homomorphic scheme by combining the maliciously circuit-private scheme for branching programs and a standard MKFHE scheme (such as the fully homomorphic variant of [15] based on LWE). Inputs are encrypted by the standard MKFHE scheme, and homomorphic evaluation is done via the evaluation algorithm of the standard MKFHE scheme, while the validity of the inputs is checked using our maliciously circuit-private scheme for branching programs. Furthermore, since the key generation and encryption of the MKFHE scheme from [15] are in $\textsf{NC}^{1}$, the maliciously circuit-private scheme for branching programs can homomorphically evaluate these to check whether the inputs to the homomorphic evaluation are generated properly. As a result, we obtain a maliciously circuit-private MKFHE scheme with distributed setup. We emphasize that, compared to the scheme from [17], the computational assumption required for our scheme is significantly weakened, from the non-standard DSPR assumption to the LWE assumption.

MPC protocol with malicious circuit privacy based on LWE. In a similar fashion to [17], we show that we can construct a MPC protocol with malicious circuit privacy based on our circuit-private MKFHE scheme combined with OT secure against malicious receivers and circuit garbling. However, as our scheme has a distributed setup procedure, we need one additional round in our MPC protocol for sharing the public parameters generated by the clients. Note that the observation made in [3, 15] is equally valid for our protocol: as the public parameters shared by clients in the first round are just uniformly random strings, the server need not check whether the parameters shared by malicious clients are properly generated. This allows us to obtain a client-server MPC protocol with malicious circuit privacy. We note that the additional building blocks required in our protocol (OT and circuit gabling) are known to exist under LWE [9, 41].

1.3 Organization

The rest of this paper is organized as follows. Section 2 introduces mathematical preliminaries and definitions of cryptographic primitives for this paper. In Sect. 3, we show how to construct a privately-expandable MKFHE scheme with distributed setup under LWE with sub-exponential modulus-to-noise ratio and the circular security of the underlying MKFHE scheme [15]. In Sect. 4, we first construct a (maliciously) circuit-private MKHE with distributed setup for branching programs from the privately-expandable scheme, and then build up a fully homomorphic scheme via a LWE-based MKFHE scheme with distributed setup. Section 5 shows our four-round MPC protocols based on our MK(F)HE schemes with distributed setup.

2 Preliminaries

In this section, we review notations, mathematical preliminaries, and definitions for homomorphic encryption.

Notations We denote the set of natural numbers, integers, and real numbers by $\mathbb {N}$, $\mathbb {Z}$, and $\mathbb {R}$, respectively. For $d \in \mathbb {N}$, we represent $\{1,2,\ldots ,d\}$ by [d]. For a countable set S, $a\xleftarrow {\$}S$ denotes that $a \in S$ is chosen uniformly at random from S. For a probability distribution $\mathcal {P}$ (over some set), $[\mathcal {P}]$ denotes the support of $\mathcal {P}$ (i.e. $\{x : \Pr [\mathcal {P} = x] > 0\}$), and $b \xleftarrow {\$}{\mathcal {P}}$ denotes that b is sampled according to $\mathcal {P}$. $\textsf{negl}(\lambda )$ represents an unspecified negligible function. Let $X=\{X_{\lambda }\}_{\lambda \in \mathbb {N}}$ and $Y=\{Y_{\lambda }\}_{\lambda \in \mathbb {N}}$ be ensembles of random variables, and $\Delta (X, Y)$ be the statistical distance between them. For $\epsilon >0$, we say that the two ensembles of random variables, X and Y, are $\epsilon $-close if $\Delta (X, Y)\le \epsilon $, and X and Y are statistically indistinguishable if they are $\epsilon $-close for $\epsilon =\textsf{negl}(\lambda )$, and denote it by $X\approx _{s} Y$. Also we use $X\approx _c Y$ to mean that X and Y are computationally indistinguishable, i.e., $|\Pr [\mathcal {D}(X_{\lambda })\rightarrow 1]-\Pr [\mathcal {D}(Y_{\lambda })\rightarrow 1]|=\textsf{negl}(\lambda )$ for any probabilistic polynomial-time (PPT) Turing machine $\mathcal {D}$. For simplicity, we sometimes abuse notation and write $X_{\lambda } \approx _s Y_{\lambda }$ (instead of $X \approx _s Y$), and we do the same for $\approx _c$.

Vectors are in column form and written by bold lower-case letters (e.g., $\textbf{x}$). The i-th element of the vector $\textbf{x}$ is represented by $x_{i}$. We denote the $\ell _{\infty }$ norm (max norm) of the vector $\textbf{x}$ by $\Vert \textbf{x}\Vert $. The inner-product of two vectors $\textbf{x}$ and $\textbf{y}$ is written as $\langle \textbf{x}, \textbf{y}\rangle $. We denote matrices as bold capital letters (e.g., $\textbf{X}$) and the (i, j)-th element of the matrix $\textbf{X}$ is represented by $\textbf{X}[i, j]$. For a matrix $\textbf{X}\in \mathbb {R}^{m\times n}$, the $\ell _{\infty }$ norm of $\textbf{X}$ is defined as $\Vert \textbf{X}\Vert :=\max _{i\in [n], j\in [m]}\{\Vert \textbf{X}[i, j]\Vert \}$. The notation $\textbf{X}^{T}\in \mathbb {Z}^{n\times m}$ represents the transpose of $\textbf{X}$. For two matrices $\textbf{A}\in \mathbb {Z}^{m\times n_{1}}$ and $\textbf{B}\in \mathbb {Z}^{m\times n_{2}}$, $[\textbf{A}\Vert \textbf{B}]\in \mathbb {Z}^{m\times (n_{1}+n_{2})}$ is the matrix obtained by concatenating $\textbf{A}$ and $\textbf{B}$. $\textbf{I}_{n}$ denotes the $n\times n$ identity matrix, and $\textbf{0}_{n\times m}$ denotes the $n\times m$ matrix all of whose entries are 0. For any $i\in [n]$, $\textbf{u}_{i}\in \{0,1\}^{n}$ represents the i-th standard basis vector of dimension n.

2.1 Gaussian, learning with errors, and gadget matrix

Gaussian For any real $\sigma >0$, a Gaussian function on $\mathbb {R}^n$ centered around $\textbf{0}$ with parameter $\sigma $ is defined as $\rho _\sigma (\textbf{x}):=\exp (-\pi \cdot \Vert \textbf{x}\Vert ^2/\sigma ^2)$ for all $\textbf{x}\in \mathbb {R}^n$. The (discrete) Gaussian distribution over $\mathbb {Z}^n$ of parameter $\sigma $, denoted by $D_{\sigma }$, is defined to be the distribution with the probability density function $D_\sigma (\textbf{x}):= \rho _\sigma (\textbf{x})/\sum _{\textbf{x}\in \mathbb {Z}^n}\rho _\sigma (\textbf{x})$ for all $\textbf{x}\in \mathbb {Z}^n$.

We recall the noise smudging (or so-called noise flooding) lemma. It states that adding a noise according to the Gaussian distribution with parameter superpolynomial in $\lambda $ vanishes dependence on the original distribution.

Lemma 2.1

(Gaussian Noise Smudging [14, 25]) Let $\sigma '>0$ and $y\in \mathbb {Z}$ be arbitrary. Then, $\Delta (D_{\sigma '}, D_{\sigma '}+y)\le \frac{\Vert y\Vert }{\sigma '}.$

Learning with errors The learning with errors (LWE) problem was first introduced by Regev [38]. We will base the security of our construction on the hardness of the decisional version of the problem, called the decisional LWE problem. For positive integers n and $q\ge 2$, let $A_{\textbf{s}, D}$ be the distribution obtained by choosing a vector $\textbf{a}\xleftarrow {\$}\mathbb {Z}_{q}^{n}$ uniformly at random and noise term $e\xleftarrow {\$}D$, and outputting $(\textbf{a}, \textbf{s}^{T}\textbf{a}+e \bmod q)\in \mathbb {Z}_{q}^{n} \times \mathbb {Z}_q$. The (decisional) LWE problem is to distinguish $A_{\textbf{s},D}$ where $\textbf{s} \xleftarrow {\$}\mathbb {Z}_q^n$, from the uniform distribution over $\mathbb {Z}_q^n \times \mathbb {Z}_q$. The LWE assumption states that this problem is intractable for any PPT algorithm. In this paper, we will use the LWE assumption in which q is superpolynomial in $\lambda $, and $D$ is a Gaussian distribution whose samples have norm bounded by some $B \in \mathbb {N}$ polynomial in $\lambda $ with overwhelming probability.

Gadget matrix Let $\textbf{g}^{T}:=(1,2,\ldots ,2^{\lceil \log q\rceil -1})$ be the vector consisting of the powers of 2. For $n\in \mathbb {N}$, we define the special matrix $\textbf{G}\in \mathbb {Z}_{q}^{n\times n\cdot (\lceil \log q\rceil )}$ (called the gadget matrix) that has the vector $\textbf{g}$ in diagonal and 0 in other elements, namely

$$\begin{aligned} \textbf{G}:= \left[ \begin{aligned} \text {---}\textbf{g}^{T}\text {---}{} & {} &\\&\ddots{} & {} \\{} & {} &\text {--- }\textbf{g}^{T}\text {---}\\ \end{aligned} \right] \in \mathbb {Z}_{q}^{n\times n\cdot (\lceil \log q\rceil )}. \end{aligned}$$

Let $\textbf{G}^{-1}:\mathbb {Z}^{n}_{q}\rightarrow \{0, 1\}^{n\cdot (\lceil \log q\rceil )}$ be the operation such that $\textbf{G}\cdot \textbf{G}^{-1}(\textbf{x})=\textbf{x}$ for any vector $\textbf{x}\in \mathbb {Z}_{q}^{n}$. Such operation can be obtained by decomposing every element of the given vector $\textbf{x}$ in binary representation. We will also abuse the notation and allow $\textbf{G}^{-1}$ to take a matrix $\textbf{M}\in \mathbb {Z}^{n \times k}$ as input, apply $\textbf{G}^{-1}$ to each column vector of $\textbf{M}$, and output the $(n \cdot (\lceil \log q \rceil ))$-by-k matrix consisting of the (horizontal) concatenation of all of the outputs, for any $k \in \mathbb {N}$. Then, for a matrix $\textbf{M}\in \mathbb {Z}^{n \times k}$, it holds that $\textbf{G}\cdot \textbf{G}^{-1}(\textbf{M}) = \textbf{M}$.

2.2 Branching programs

Here, we recall the definition of branching programs. (The definition here is mostly taken verbatim from [17].)

Definition 2.1

(Branching program) A (binary) branching program P over $\{0,1\}^{n}$ consists of a tuple $(G=(V, E), v_{0}, T, \phi _{V}, \phi _{E})$ with the following properties:

G is a connected directed acyclic graph. We denote by $\Gamma (v)$ the set of the child nodes of $v\in V$.
$v_{0}$ is the initial node with indegree 0.
$T\subseteq V$ is the set of terminal nodes of outdegree 0. Any node in $V\backslash T$ has outdegree 2.
$\phi _{V}: V\rightarrow [n]\cup \{0,1\}$ is the node-labeling function with $\phi _{V}(v)\in \{0,1\}$ for $v\in T$, and $\phi _{V}(v)\in [n]$ for $v\in V\backslash T$.
$\phi _{E}:E\rightarrow \{0,1\}$ is the edge-labeling function, such that the outgoing edges from each vertex are labeled by different values.

The height of $v\in V$, denoted $\textsf{height}(v)$, is the length of the longest path from v to a node in T. The length of P is the height of $v_{0}$. The width of P is the maximum number of vertices with the same height.

On input $x \in \{0,1\}^n$, P(x) is defined as follows: Follow the path induced by x from $v_0$ to a node $v_{\ell }\in T$, where an edge $(v, v')$ is in the path if $x_{\phi _{V}(v)} = \phi _{E}(v, v')$. (By the property of $\phi _E$, such $v'$ is unique.) Then $P(x):=\phi _{V}(v_{\ell })$. Similarly, we also define $P_{v}(x)$ by following the path from any node $v\in V$ instead of $v_{0}$.

We say that a branching program $P=(G=(V, E), v_0, T, \phi _V, \phi _E)$ is layered if for any $e=(v, v')\in E$, we have $\textsf{height}(v)=\textsf{height}(v')+1$.

By Barrington’s theorem [4], all languages in $\textsf{NC}^1$ can be computed by a poly-sized layered branching program with constant width. Since the decryption circuit of a number of existing LWE-based FHE schemes (e.g., [13, 15, 23, 35]) is in $\textsf{NC}^1$, there exists a layered branching program of polynomial length that computes the decryption circuit of such LWE-based FHE schemes.

2.3 Single-key homomorphic encryption and its circuit privacy

Here, we recall the definitions for single-key HE.

Definition 2.2

(Single-key Homomorphic Encryption) A single-key HE scheme $\textsf{SKHE}$ for a class of circuits $\mathcal {C}$ consists of the four algorithms $(\textsf{KG}, \textsf{Enc}, \textsf{Dec}, \textsf{Eval})$ with the following properties:

(Syntax)
- $(\textsf{pk}, \textsf{sk})\xleftarrow {\$}{\textsf{KG}(1^{\lambda })}$: This is the key generation algorithm that takes a security parameter $1^\lambda $ as input, and outputs a public/secret key pair $(\textsf{pk}, \textsf{sk})$.
- $\textsf{ct}\xleftarrow {\$}{\textsf{Enc}(\textsf{pk}, x)}$: This is the encryption algorithm that takes a public key $\textsf{pk}$ and a plaintext $x \in \{0,1\}$ as input, and outputs a ciphertext $\textsf{ct}$.
- $\widehat{\textsf{ct}}\xleftarrow {\$}{\textsf{Eval}(C, \textsf{pk}, (\textsf{ct}_k)_{k \in [n]})}:$ This is the homomorphic evaluation algorithm that takes a circuit $C \in \mathcal {C}$ (with domain $\{0,1\}^n$), a public key $\textsf{pk}$, and n ciphertexts $(\textsf{ct}_k)_{k \in [n]}$ as input, and outputs an evaluated ciphertext $\widehat{\textsf{ct}}$.
- $\widehat{x}:= \textsf{Dec}(\textsf{sk}, \widehat{\textsf{ct}})$: This is the (deterministic) decryption algorithm that takes a secret key $\textsf{sk}$ and an evaluated ciphertext $\widehat{\textsf{ct}}$ as input, and outputs a decryption result $\widehat{x}$.
(Correctness) For any circuit $C \in \mathcal {C}$ (with n-bit input), and any $(x_{1},\ldots , x_{n})\in \{0,1\}^{n}$, if $(\textsf{pk}, \textsf{sk})\xleftarrow {\$}{\textsf{KG}(1^\lambda )}$, $\textsf{ct}_{k} \xleftarrow {\$}{\textsf{Enc}(\textsf{pk}, x_{k})}$ for every $k \in [n]$, and $\widehat{\textsf{ct}}\xleftarrow {\$}\textsf{Eval}(C, \textsf{pk}, (\textsf{ct}_k)_{k \in [n]})$, then we have $\Pr [\textsf{Dec}(\textsf{sk}, \widehat{\textsf{ct}})\ne C(x_1, \ldots , x_n)]=\textsf{negl}(\lambda )$.
(Semantic Security) Defined in the same way as that for ordinary public-key encryption.

We say that $\textsf{SKHE}$ is weakly circular secure if it remains secure even if bit-wise encryptions of a secret key are attached to a public key. We say that $\textsf{SKHE}$ is fully homomorphic if $\mathcal {C}$ is a set of all circuits of polynomial size.

Circuit privacy Here, we recall the formal definition of malicious circuit privacy for single-key HE [36].

Definition 2.3

(Malicious Circuit Privacy for Single-Key HE [36]) Let $\textsf{SKHE}=(\textsf{KG}, \textsf{Enc}, \textsf{Eval}, \textsf{Dec})$ be a single-key HE for a circuit class $\mathcal {C}$. We say that $\textsf{SKHE}$ is maliciously circuit private if there exist an unbounded algorithm $\textsf{Sim}$ (called the simulator) and an unbounded deterministic algorithm $\textsf{Ext}$ (called the extractor) such that for all circuits $C \in \mathcal {C}$ (with n-bit input), and all possibly malformed public keys $\textsf{pk}^*$ and ciphertexts $\textsf{ct}^*_1, \ldots , \textsf{ct}^*_n$, we have

$$\begin{aligned} \textsf{Eval}(C, \textsf{pk}^*, (\textsf{ct}_k^*)_{k \in [n]}) \approx _s \textsf{Sim}(\textsf{pk}^*, (\textsf{ct}^*_k)_{k \in [n]}, C(x_1^*,\ldots , x_n^*)), \end{aligned}$$

where $x_k^*:=\textsf{Ext}(\textsf{pk}^*, \textsf{ct}_k^*)$ for all $k \in [n]$.

2.4 Oblivious transfer

Here, we recall the definition of a statistically sender-private two-message oblivious transfer (OT) protocol against malicious receivers, which is known to exist under the LWE assumption due to Brakerski and Döttling [9].

Definition 2.4

A two-message OT protocol $\textsf{OT}$ consists of the three algorithms $(\textsf{Q}, \textsf{A}, \textsf{D})$ with the following properties:

(Syntax)
- $(q, \textsf{st}) \xleftarrow {\$}\textsf{Q}(1^\lambda , b)$: This is the receiver’s first algorithm that takes a security parameter $1^\lambda $ and a selection bit $b\in \{0,1\}$ as input, and outputs a receiver message q and a secret state $\textsf{st}$.
- $a \xleftarrow {\$}\textsf{A}(q, s_{0}, s_{1}):$ This is the sender’s algorithm that takes a receiver message q and two strings $s_{0}, s_{1}$ as input, and outputs a sender message a.
- $s' := \textsf{D}(a, \textsf{st}):$ This is the (deterministic) receiver’s second algorithm that takes a sender message a and a secret state $\textsf{st}$ as input, and outputs a string $s'$.
(Correctness) For all $\lambda \in \mathbb {N}$, $b \in \{0,1\}$, and $s_0, s_1 \in \{0,1\}^*$ such that $\Vert s_0\Vert = \Vert s_1\Vert $, if $(q, \textsf{st}) \xleftarrow {\$}\textsf{Q}(1^\lambda , b)$ and $a\xleftarrow {\$}\textsf{A}(q, s_0, s_1)$, then it holds that $s_b = \textsf{D}(a, \textsf{st})$.
(Receiver Privacy) It holds that $\textsf{Q}(1^\lambda , 0) \approx _{c} \textsf{Q}(1^\lambda , 1)$.
(Statistical Sender Privacy against Malicious Receivers) There exist possibly computationally unbounded algorithms $\textsf{Ext}$ (called the extractor) and $\textsf{Sim}$ (called the simulator) such that for any receiver message q (which could be outside the image of $\textsf{Q}$) and inputs $(s_0, s_1)$ with $\Vert s_0\Vert = \Vert s_1\Vert $, we have $\textsf{A}(q, s_0, s_1)\approx _{s} \textsf{Sim}(q, s_{b^*})$, where $b^*:=\textsf{Ext}(q)$.

2.5 Circuit garbling

Here, we recall the definition of a circuit garbling scheme. In our MPC construction, we will use a projective circuit garbling scheme whose encoding is a list of tokens, one pair for each bit of an input $x\in \{0,1\}^{n}$ for a circuit being garbled. Such a garbling scheme can be realized from any one-way function, and thus under the LWE assumption.

Definition 2.5

A (projective) circuit garbling scheme $\textsf{GC}$ is a pair of the algorithms $(\textsf{GCircuit}, \textsf{GEval})$ with the following properties:

(Syntax)
- $(G, e) \xleftarrow {\$}\textsf{GCircuit}$: This is the garbling algorithm that takes a security parameter $1^{\lambda }$ and a circuit C with n-bit input (for some polynomial $n = n(\lambda )$) as input, and outputs a garbled circuit G and a set of tokens $e = (X_i^0, X_i^1)_{i \in [n]}$.
- $y \,= \textsf{GEval}(G, (X_i)_{i \in [n]}$: This is the (deterministic) evaluation algorithm that takes a garbled circuit G and n tokens $(X_i)_{i \in [n]}$ as input, and outputs some value y.
(Correctness) For any $\lambda , n \in \mathbb {N}$, any n-bit input circuit C, and any $x = (x_1, \ldots , x_n) \in \{0,1\}^n$, if $(G, e = (X_i^0, X_i^1)_{i \in [n]}) \xleftarrow {\$}\textsf{GCircuit}(1^\lambda , C)$, then we have $\textsf{GEval}(G, (X_i^{x_i})_{i \in [n]}) = C(x)$.
(Security) For any two circuits $C_0, C_1$ (with n-bit input) of the same size and any two inputs $x_0 = (x_{1,0}, \ldots , x_{n,0}), x_1 = (x_{1,1}, \ldots , x_{n,1}) \in \{0,1\}^n$ such that $C_0(x_0)=C_1(x_1)$, if $(G_b, e_b = (X_{i,b}^0, X_{i,b}^1)_{i \in [n]}) \xleftarrow {\$}\textsf{GCircuit}(1^\lambda , C_i)$ for both $b \in \{0,1\}$, then we have $(G_0, (X_{i,0}^{x_{i,0}})_{i \in [n]}) \approx _{c} (G_1, (X_{i,1}^{x_{i,1}})_{i \in [n]})$.

2.6 Multi-key homomorphic encryption with distributed setup

Here, we recall the definitions for multi-key HE (MKHE) with distributed setup. In this paper, we will treat both MKHE schemes for circuits and for branching programs. Below, we only give the formal definitions for the former since recovering the definitions for the latter is straightforward given those for the former.

In this paper, we will also make use of ordinary single-key HE (without setup). We review the formal definition of this type of HE in Sect. 2.3.

Definition 2.6

(Multi-key HE with Distributed Setup, adapted from [15, 17]) An MKHE scheme with distributed setup $\textsf{MKHE}$ for a class of circuits $\mathcal {C}$, consists of the five algorithms $\textsf{MKHE}= (\textsf{dSetup}, \textsf{KG}, \textsf{Enc}, \textsf{Eval}, \textsf{Dec})$ with the following properties:

(Syntax)
- $\textsf{pp}_i \xleftarrow {\$}{\textsf{dSetup}(1^\lambda , 1^N, i)}$: This is the distributed setup algorithm that takes a security parameter $1^\lambda $, the maximal number of inputs N (in unary), and an index $i \in [N]$ as input, and outputs the i-th user’s public parameter $\textsf{pp}_{i}$. We require that given $i \in [N]$ and $\textsf{pp}$, whether $\textsf{pp}\in [\textsf{dSetup}(1^\lambda ,1^N,i)]$ or not is efficiently checkable.^{Footnote 5}
- $(\textsf{pk}_{i}, \textsf{sk}_{i})\xleftarrow {\$}{\textsf{KG}((\textsf{pp}_j)_{j \in [N]}, i)}$: This is the key generation algorithm that takes N public parameters $(\textsf{pp}_i)_{i \in [N]}$ and an index $i \in [N]$ as input, and outputs the i-th user’s public/secret key pair $(\textsf{pk}_{i}, \textsf{sk}_{i})$.
- $\textsf{ct}\xleftarrow {\$}{\textsf{Enc}(\textsf{pk}_i, x)}$: This is the encryption algorithm that takes a public key $\textsf{pk}_i$ and a plaintext $x \in \{0,1\}$ as input, and outputs a ciphertext $\textsf{ct}$.
- $\widehat{\textsf{ct}}\xleftarrow {\$}{\textsf{Eval}(C, (\textsf{pp}_{j})_{j\in [N]}, (\textsf{pk}_{j})_{j\in [N]}, \{(I_{k}, \textsf{ct}_{k})\}_{k\in [n]})}$: This is the homomorphic evaluation algorithm that takes as input a circuit $C \in \mathcal {C}$ (with domain $\{0,1\}^n$), N public parameters $(\textsf{pp}_j)_{j \in [N]}$, N public keys $(\textsf{pk}_i)_{i \in [N]}$, and n pairs $(I_k, c_k)_{k \in [n]}$, where $I_k \in [N]$ and $\textsf{ct}_k$ is presumed to be a ciphertext under $\textsf{pk}_{I_k}$. Then, this algorithm outputs an evaluated ciphertext $\widehat{\textsf{ct}}$.
- $\widehat{x}:=\textsf{Dec}((\textsf{sk}_i)_{i \in [N]}, \widehat{\textsf{ct}})$: This is the (deterministic) decryption algorithm that takes N secret keys $(\textsf{sk}_i)_{i \in [N]}$ and an evaluated ciphertext^{Footnote 6}$\widehat{\textsf{ct}}$ as input, and outputs a decryption result $\widehat{x}$.
(Correctness) For any $N \in \mathbb {N}$, any circuit $C \in \mathcal {C}$ (with n-bit input), any indices $I_1, \ldots , I_n \in [N]$, and any bits $x_1, \ldots , x_n \in \{0,1\}$, the following holds: If $\textsf{pp}_{j}\xleftarrow {\$}{\textsf{dSetup}(1^\lambda , 1^N, j)}$ for all $j \in [N]$, $(\textsf{pk}_j, \textsf{sk}_j)\xleftarrow {\$}{\textsf{KG}((\textsf{pp}_{j})_{j\in [N]}, j)}$ for all $j \in [N]$, $\textsf{ct}_k \xleftarrow {\$}{\textsf{Enc}(\textsf{pk}_{I_k}, x_k)}$ for all $k \in [n]$, and $\widehat{\textsf{ct}}\xleftarrow {\$}\textsf{Eval}(C, (\textsf{pp}_j)_{j \in [N]}, (\textsf{pk}_j)_{j \in [N]}, (I_k, \textsf{ct}_k)_{k \in [n]})$, then we have
$$\begin{aligned} \Pr [\textsf{Dec}((\textsf{sk}_j)_{j \in [N]}, \widehat{\textsf{ct}})\ne C(x_1,\ldots ,x_n)]=\textsf{negl}(\lambda ). \end{aligned}$$
(Semantic Security) For any PPT adversary $\mathcal {A}$, we have
$$\begin{aligned} |\Pr [\textsf{Exp}_{\textsf{MKHE}, \mathcal {A}}(\lambda , 0)\rightarrow 1]-\Pr [\textsf{Exp}_{\textsf{MKHE}, \mathcal {A}}(\lambda , 1)\rightarrow 1]|=\textsf{negl}(\lambda ), \end{aligned}$$
where $\textsf{Exp}_{\textsf{MKHE}, \mathcal {A}}(\lambda , b)$ for $b \in \{0,1\}$ is the following experiment run between the challenger and the (rushing) adversary $\mathcal {A}$ (namely, $\mathcal {A}$ generates corrupted public parameters after seeing an honest public parameter):
1. 1.
  $\mathcal {A}$ chooses the maximal number of inputs N and the challenge index $i\in [N]$, and sends them to the challenger.
2. 2.
  The challenger returns public parameters $\textsf{pp}_{i}\xleftarrow {\$}{\textsf{dSetup}(1^\lambda , 1^N, i)}$.
3. 3.
  $\mathcal {A}$ chooses public parameters $\textsf{pp}_{j}$ for all $j\in [N]\backslash \{i\}$, and sends $\{\textsf{pp}_j\}_{j \in [N] \setminus \{i\}}$ to the challenger.
4. 4.
  The challenger generates $(\textsf{pk}_{i}, \textsf{sk}_{i})\xleftarrow {\$}{\textsf{KG}((\textsf{pp}_{j})_{j\in [N]}, i)}$ and sends $\textsf{pk}_i$ to $\mathcal {A}$.
5. 5.
  $\mathcal {A}$ sends the challenge plaintexts $x_{0}, x_{1}$ to the challenger.
6. 6.
  The challenger returns the challenge ciphertext $\textsf{ct}^* \xleftarrow {\$}\textsf{Enc}(\textsf{pk}_{i}, x_{b})$ to $\mathcal {A}$.
7. 7.
  $\mathcal {A}$ outputs its guess $b'\in \{0,1\}$, which is treated as output of the experiment $\textsf{Exp}_{\textsf{MKHE}, \mathcal {A}}(\lambda , b)$.

We say that $\textsf{MKHE}$ is weakly circular secure if it remains secure even if bit-wise encryptions of the secret key $\textsf{sk}_i$ are attached to the public key $\textsf{pk}_i$. We say that $\textsf{MKHE}$ is fully homomorphic (and call it multi-key fully homomorphic encryption (MKFHE)) if $\mathcal {C}$ is a set of all circuits of polynomial size. We say that $\textsf{MKHE}$ is compact if there exists a polynomial p such that $|\widehat{\textsf{ct}}|< p(\lambda , N)$, which is independent of C and n.

To ease notation, for an MKHE scheme with distributed setup, we will often write $\textbf{pp}$, $\textbf{pk}$, and $\textbf{sk}$ to mean N public parameters $(\textsf{pp}_j)_{j \in [N]}$, N public keys $(\textsf{pk}_j)_{j \in [N]}$, and N secret keys $(\textsf{sk}_j)_{j \in [N]}$, respectively. (N will always be clear from the context.)

Bootstrapping Gentry’s bootstrapping theorem [22] provides a way to extend the class of functions a HE scheme supports from a limited class to an unlimited class. This involves homomorphic evaluation of so-called the augmented decryption function. Here we recall its multi-key variant.

Definition 2.7

(Multi-key Augmented Decryption Function) Let $\textsf{MKHE}= (\textsf{dSetup}, \textsf{KG}, \textsf{Enc}, \textsf{Eval}, \textsf{Dec})$ be an MKHE scheme (for some circuit class). For hardwired values $\widehat{\textsf{ct}}, \widehat{\textsf{ct}}'$, the multi-key augmented decryption function $h_{\widehat{\textsf{ct}}, \widehat{\textsf{ct}}'}$ is defined by

$$\begin{aligned} h_{\widehat{\textsf{ct}}, \widehat{\textsf{ct}}'}((\textsf{sk}_j)_{j \in [N]}):=\overline{\textsf{Dec}((\textsf{sk}_j)_{j \in [N]}, \widehat{\textsf{ct}})\wedge \textsf{Dec}((\textsf{sk}_{j})_{j \in [N]}, \widehat{\textsf{ct}}')}. \end{aligned}$$

That is, the function $h_{\widehat{\textsf{ct}}, \widehat{\textsf{ct}}'}$ interprets its input as N secret keys $(\textsf{sk}_j)_{j \in [N]}$, decrypts the hardwired ciphertexts $\widehat{\textsf{ct}}$ and $\widehat{\textsf{ct}}'$, and returns the NAND of the results.

López-Alt et al. [31] showed a multi-key analogue of the bootstrapping theorem, which states that if an MKHE scheme supports homomorphic evaluation of circuits that can compute the multi-key augmented decryption function, and is furthermore (weakly) circular secure, then the scheme can be turned into a fully homomorphic one.

3 Privately expandable MKHE with distributed setup

In this section, we present an LWE-based MKFHE scheme with distributed setup, which additionally satisfies the privacy notion of private expandability. Specifically, we firstly extend the definition of private expandability for MKHE by [17] to schemes with a distributed setup, and then show that the MKFHE scheme with distributed setup by [15] can be modified to satisfy this notion, by introducing an alternative ciphertext expansion algorithm based on the approach of [17]. This modified scheme will be the main building block for our constructions of maliciously circuit-private MKHE and MKFHE presented in Sect. 4.

This section is organized as follows. In Sect. 3.1, we first formalize private expandability for MKHE with distributed setup. Next, in Sect. 3.2, we recall the MKFHE scheme with distributed setup by Brakerski et al. [15]. Then, in Sect. 3.3, we show how to make it privately expandable. Throughout this section, let $N = N(\lambda ) \in \mathbb {N}$ be a polynomial denoting the number of users.

3.1 Private expandability of MKHE with distributed setup

Here, we define private expandability of MKHE with distributed setup, extending the original definition by [17]. For ease of exposition, we firstly introduce plain (possibly non-private) expandability, and then proceed to define private expandability.

Definition 3.1

(Expandability) A MKHE scheme with distributed setup $(\textsf{dSetup}, \textsf{KG}, \textsf{Enc}, \textsf{Eval}, \textsf{Dec})$ for a circuit class $\mathcal {C}$ is expandable if there exist two algorithms $(\textsf{Expand}, \widetilde{\textsf{Eval}})$ with the following properties:

(Syntax)
- $\widetilde{\textsf{ct}}\xleftarrow {\$}\textsf{Expand}(\textbf{pp}, \textbf{pk}, i, \textsf{ct})$: This is the expansion algorithm that takes N public parameters $\textbf{pp}$, N public keys $\textbf{pk}$, an index $i \in [N]$, and a ciphertext $\textsf{ct}$ as input, and outputs an expanded ciphertext $\widetilde{\textsf{ct}}$.
- $\widehat{\textsf{ct}}\xleftarrow {\$}\widetilde{\textsf{Eval}}(C, \textbf{pp}, \textbf{pk}, (\widetilde{\textsf{ct}}_k)_{k \in [n]})$: This is the homomorphic evaluation algorithm for expanded ciphertexts. It takes a circuit $C \in \mathcal {C}$ (with n-bit input), N public parameters $\textbf{pp}$, N public keys $\textbf{pk}$, and n expanded ciphertexts $(\widetilde{\textsf{ct}}_k)_{k \in [n]}$ as input^{Footnote 7}, and outputs an evaluated ciphertext $\widehat{\textsf{ct}}$.
(Correctness) For any circuit $C \in \mathcal {C}$ (with n-bit input), any plaintexts $x_1,\ldots , x_n \in \{0,1\}$, and indices $I_1,\ldots , I_n \in [N]$, if $\textsf{pp}_{j}\xleftarrow {\$}\textsf{dSetup}(1^{\lambda }, 1^{N}, j)$ for all $j \in [N]$, $(\textsf{pk}_{j}, \textsf{sk}_{j})\xleftarrow {\$}\textsf{KG}(\textbf{pp}, j)$ for all $j \in [N]$, $\textsf{ct}_k \xleftarrow {\$}\textsf{Enc}(\textsf{pk}_{I_k}, x_k)$ for all $k \in [n]$, $\widetilde{\textsf{ct}}_k \xleftarrow {\$}\textsf{Expand}(\textbf{pp}, \textbf{pk}, I_k, \textsf{ct}_k)$ for all $k \in [n]$, and $\widehat{\textsf{ct}}\xleftarrow {\$}\textsf{Eval}(\textbf{pp}, \textbf{pk}, (\widetilde{\textsf{ct}}_k)_{k \in [n]})$, then
$$\begin{aligned} \Pr \left[ \begin{array}{l} ~~~\exists k \in [n]: \textsf{Dec}(\textbf{sk}, \widetilde{\textsf{ct}}_k) \ne x_k\\ \vee ~\textsf{Dec}(\textbf{sk}, \widehat{\textsf{ct}}) \ne C(x_1, \ldots , x_n) \end{array} \right] = \textsf{negl}(\lambda ). \end{aligned}$$

As in [17], for an expandable MKHE scheme with distributed setup, we overload the notation for the algorithms, and replace the evaluation algorithm $\textsf{Eval}$ of the original scheme with $\widetilde{\textsf{Eval}}$. Hence, when we consider a MKHE scheme to consist of the six algorithms $(\textsf{dSetup}, \textsf{KG}, \textsf{Enc}, \textsf{Expand}, \textsf{Eval}, \textsf{Dec})$, $\textsf{Eval}$ is the homomorphic evaluation algorithm for expanded ciphertexts (corresponding to $\widetilde{\textsf{Eval}}$ above).

Definition 3.2

(Private Expandability) Let $\textsf{MKHE}= (\textsf{dSetup}, \textsf{KG}, \textsf{Enc}, \textsf{Expand}, \textsf{Eval}, \textsf{Dec})$ be an expandable MHFE scheme with distributed setup. We say that $\textsf{MKHE}$ is privately expandable if it satisfies the following property: For all $j \in [N]$, let $\textsf{pp}_j \in [\textsf{dSetup}(1^\lambda , 1^N, j)]$ and $(\textsf{pk}_j, \textsf{sk}_j) \in [\textsf{KG}(\textbf{pp}, j)]$.

Let $i, i' \in [N]$, $x \in \{0,1\}$, $\textsf{ct}_i \in [\textsf{Enc}(\textsf{pk}_i, x)]$, and $\textsf{ct}_{i'} \in [\textsf{Enc}(\textsf{pk}_{i'}, x)]$. Then, we have

$$\begin{aligned} \textsf{Expand}(\textbf{pp}, \textbf{pk}, i, \textsf{ct}_i) \approx _s\\ \textsf{Expand}(\textbf{pp}, \textbf{pk}, i', \textsf{ct}_{i'}), \end{aligned}$$

where the statistical indistinguishability is guaranteed only by the random coins of $\textsf{Expand}$.

3.2 LWE-based expandable MKFHE by brakerski et al.

We now present the MKFHE scheme of [15] which we will denote $\textsf{MKHE}_{\textsf{BHP}}$. Although the original scheme has expandability, how this is supported is only informally sketched in [15]. Below we give a full description of the scheme which explicitly describes the expansion algorithm. The expandable MKFHE scheme $\textsf{MKHE}_{\textsf{BHP}}=(\textsf{dSetup}_{\textsf{BHP}}, \textsf{KG}_{\textsf{BHP}}, \textsf{Enc}_{\textsf{BHP}}, \textsf{Expand}_{\textsf{BHP}}, \textsf{Eval}_{\textsf{BHP}}, \textsf{Dec}_{\textsf{BHP}})$ is as follows.

$\textsf{dSetup}_{\textsf{BHP}}(1^{\lambda }, 1^{N}, i\in [N])$: Let $n = n(\lambda )$ be a polynomial in security parameter $\lambda $, $q = q(\lambda )$ be a superpolynomial in $\lambda $, $\ell := \lceil \log q\rceil $, $m=O(n\ell )$, $w:=m\ell $, and $D$ be a Gaussian distribution whose samples have norm bounded by some polynomial $B = B(\lambda ) \in \mathbb {N}$ except with negligible probability. Sample a matrix $\textbf{A}_{i} \xleftarrow {\$}\mathbb {Z}_{q}^{m\times n}$, and output $\textsf{pp}_{i}:=\textbf{A}_{i}$. (Note that any member in $\mathbb {Z}_q^{m \times n}$ is a possible public parameter.)
$\textsf{KG}_{\textsf{BHP}}(\textbf{pp}, i \in [N])$: Sample $\textbf{s}_{i}\xleftarrow {\$}\{0, 1\}^{m-1}$, and set $\textbf{t}_{i}^{T}:=[\textbf{s}_{i}^{T}\Vert 1]\in \mathbb {Z}_{q}^{1\times m}$. For every $j \in [N]$, compute $\textbf{b}_{i,j}^{T}:=\textbf{t}_{i}^{T}\textbf{A}_{j}\in \mathbb {Z}_{q}^{1\times n}$ and
$$\begin{aligned} \textbf{B}_{i,j}:=\textbf{A}_{i}- \begin{bmatrix} \textbf{0}_{(m-1)\times n}\\ \textbf{b}_{i, j}^{T} \end{bmatrix} \in \mathbb {Z}_{q}^{m\times n}, \end{aligned}$$
which satisfies $\textbf{t}_{i}^{T} \textbf{B}_{i, j} = \textbf{b}_{i, i}^{T} - \textbf{b}_{i, j}^{T} \in \mathbb {Z}_{q}^{1\times n}$. Let $\textbf{B}_{i} := \textbf{B}_{i,i}$.

For every $k \in [m]$, sample $\textbf{R}_{k} \xleftarrow {\$}D^{n\times w}$ and $\textbf{E}_{k} \xleftarrow {\$}D^{m\times w}$, and compute an encryption of the k-th bit $\textbf{t}_i[k]$ of the secret key $\textbf{t}_i$ by
$$\begin{aligned} \textbf{T}_{i, k} := \textbf{B}_{i} \textbf{R}_{k} + \textbf{E}_{k} + \textbf{t}_{i}[k] \textbf{G}\in \mathbb {Z}_{q}^{m\times w}. \end{aligned}$$
Output $\textsf{pk}_{i}:=((\textbf{b}_{i, j})_{j\in [N]}, (\textbf{T}_{i, k})_{k\in [m]})$ and $\textsf{sk}_{i}:=\textbf{t}_{i}$.
$\textsf{Enc}_{\textsf{BHP}}(\textsf{pk}_{i}, x \in \{0,1\})$: Sample $\textbf{R}\xleftarrow {\$}D^{n\times w}$ and $\textbf{E}\xleftarrow {\$}D^{m\times w}$, and compute
$$\begin{aligned} \textbf{C}:= \textbf{B}_{i} \textbf{R}+ \textbf{E}+ x \textbf{G}\in \mathbb {Z}_{q}^{m\times w}. \end{aligned}$$
For every $\tau \in [n]$ and $k \in [w]$, sample $\textbf{R}_{\tau , k} \xleftarrow {\$}D^{n\times w}$ and $\textbf{E}_{\tau , k}\xleftarrow {\$}D^{m\times w}$, and compute an encryption of the $(\tau , k)$-entry $\textbf{R}[\tau , k]$ of $\textbf{R}$ by
$$\begin{aligned} \textbf{U}_{\tau , k} := \textbf{B}_{i} \textbf{R}_{\tau , k} + \textbf{E}_{\tau , k} + \textbf{R}[\tau , k] \textbf{G}\in \mathbb {Z}_{q}^{m\times w}. \end{aligned}$$
Output $\textsf{ct}_{i}:=(\textbf{C}, (\textbf{U}_{\tau , k})_{\tau \in [n], k \in [w]})$.
$\textsf{Expand}_{\textsf{BHP}}(\textbf{pp}, \textbf{pk}, i, \textsf{ct}_{i})$: This algorithm uses the “linear combination” algorithm $\textsf{LComb}$ described below as a sub-algorithm. Roughly, $\textsf{LComb}$ takes encryptions of the randomness matrix, i.e. $(\textbf{U}_{\tau , k})_{\tau \in [n], k \in [w]}$, used to encrypt a message, and some input vector in $\mathbb {Z}_{q}^{n}$ as input, and generates an encryption of the multiplication between the randomness matrix and the input vector. This is used to erase junk terms in decryption.
- $\textsf{LComb}((\textbf{U}_{\tau , k} \in \mathbb {Z}_{q}^{m\times w})_{\tau \in [n], k \in [w]}, \textbf{v}\in \mathbb {Z}_{q}^{n})$: First define a matrix $\textbf{Z}^{(\textbf{v})}_{\tau , k} \in \mathbb {Z}^{n\times w}$ for $\tau \in [n]$ and $k \in [w]$ as
  $$\begin{aligned} \textbf{Z}^{(\textbf{v})}_{\tau , k}[a, b]:= \left\{ \begin{aligned} v_\tau&\text { if }a=n \text { and }b=k \\ 0&\text { otherwise, } \end{aligned} \right. \end{aligned}$$
  then output $\textbf{X}:= \sum _{\tau \in [n],k \in [w]} \textbf{U}_{\tau , k} \textbf{G}^{-1} (\textbf{Z}^{(\textbf{v})}_{\tau , k}) \in \mathbb {Z}_q^{m \times w}$.
Using $\textsf{LComb}$, $\textsf{Expand}_{\textsf{BHP}}$ proceeds as follows: For every $j\in [N] \setminus \{ i \}$, compute
$$\begin{aligned} \textbf{X}_{j}:=\textsf{LComb}((\textbf{U}_{\tau , k})_{\tau \in [n], k\in [w]}, \textbf{b}_{i,i} - \textbf{b}_{j,i}). \end{aligned}$$
Then, output the expanded ciphertext $\widetilde{\textbf{C}}\in \mathbb {Z}_{q}^{N\cdot m\times N\cdot w}$ that consists of $N^2$ submatrices of size $m\times w$, has the input ciphertext $\textbf{C}$ in diagonal, and $\textbf{X}_{j}$ in the (i, j)-th submatrix for $j \in [N] \setminus \{i\}$. More visually, the expanded ciphertext $\widetilde{\textbf{C}}$ is of the following form
$$\begin{aligned} \widetilde{\textbf{C}}:= \begin{bmatrix} \textbf{C}&{} &{} &{} &{} &{} &{} \\ &{} \ddots &{} &{} &{} &{} &{} \\ &{} &{} \textbf{C}&{} &{} &{} &{} \\ \textbf{X}_{1}&{} \cdots &{} \textbf{X}_{i-1} &{}\, \textbf{C}\, &{} \textbf{X}_{i+1} &{} \cdots &{} \textbf{X}_{N}\\ &{} &{} &{} &{} \textbf{C}&{} &{} \\ &{} &{} &{} &{} &{} \ddots &{} \\ &{} &{} &{} &{} &{} &{} \textbf{C}\\ \end{bmatrix} \in \mathbb {Z}_{q}^{N\cdot m\times N\cdot w}, \end{aligned}$$
where all the empty submatrices are zero matrices.
$\textsf{Eval}_{\textsf{BHP}}(C, \textbf{pp}, \textbf{pk}, (\widetilde{\textbf{C}}_{k})_{k \in [n]})$: This algorithm homomorphically evaluates the given circuit C over input ciphertexts $(\widetilde{\textbf{C}}_k)_{k \in [n]}$ gate-by-gate (assuming C is described via NAND gates only), and outputs the final result as an evaluated ciphertext $\widehat{\textsf{ct}}$. To implement the NAND evaluation algorithm $\textsf{NAND}$, the algorithm makes use of homomorphic addition $\textsf{Add}$ and multiplication $\textsf{Mult}$ algorithms described below.
- $\textsf{Add}(\widetilde{\textbf{C}}_{1}, \widetilde{\textbf{C}}_{2})$: Homomorphic addition can be just computed by adding the expanded ciphertext matrices: $\widetilde{\textbf{C}}_{\textsf{Add}}:=\widetilde{\textbf{C}}_{1} + \widetilde{\textbf{C}}_{2} \in \mathbb {Z}_{q}^{N\cdot m\times N\cdot w}$. We can see correctness of this homomorphic addition from the condition satisfied for the expanded ciphertexts.
- $\textsf{Mult}(\widetilde{\textbf{C}}_{1}, \widetilde{\textbf{C}}_{2})$: Homomorphic multiplication is computed by first decomposing the expanded ciphertexts by the gadget inverse function and multiplying it to the normal expanded ciphertext: $\widetilde{\textbf{C}}_{\textsf{Mult}} := \widetilde{\textbf{C}}_{1} \textbf{G}^{-1} (\widetilde{\textbf{C}}_{2}) \in \mathbb {Z}_{q}^{N\cdot m\times N\cdot w}$. Also, correctness of the homomorphic multiplication can be easily checked from the relation between expanded ciphertexts and the concatenation of the involved secret keys.
- $\textsf{NAND}(\textbf{pp}, \textbf{pk}, \widetilde{\textbf{C}}_1, \widetilde{\textbf{C}}_2)$: For all $j\in [N], k\in [m]$, compute the expanded bootstrapping keys $\widetilde{\textbf{T}}_{j, k} := \textsf{Expand}_{\textsf{BHP}}(\textbf{pp}, \textbf{pk}, j, \textbf{T}_{j, k})$.^{Footnote 8} Compute a ciphertext $\widetilde{\textbf{C}}_{\textsf{NAND}}$ by evaluating the multi-key augmented decryption function $h_{\widetilde{\textbf{C}}_1,\widetilde{\textbf{C}}_2}$ (in Definition 2.7) on $\widetilde{\textbf{T}}_{j, k}$’s gate-by-gate via $\textsf{Add}$ and $\textsf{Mult}$.
$\textsf{Dec}_{\textsf{BHP}}(\textbf{sk}, \widehat{\textsf{ct}})$: Parse $\widehat{\textsf{ct}}$ as $\widetilde{\textbf{C}}\in \mathbb {Z}_{q}^{N\cdot m\times N\cdot w}$.

Set $\widetilde{\textbf{t}}^{T}:=[\textbf{t}_1^T\Vert \cdots \Vert \textbf{t}_N^T]$, and output $x':=\lfloor (2/q)\cdot \widetilde{\textbf{t}}^T \widetilde{\textbf{C}}\textbf{u}_{N\cdot w}\rceil $, where $\textbf{u}_{N\cdot w}:=(0,\ldots ,0,1)\in \{0,1\}^{N\cdot w}$.

The above completes the description of $\textsf{MKHE}_{\textsf{BHP}}$. For completeness, we show the correctness of the above described expansion algorithm $\textsf{Expand}_{\textsf{BHP}}$, namely, that an expanded ciphertext output from $\textsf{Expand}_{\textsf{BHP}}$ can be correctly decrypted.

Lemma 3.1

(Correctness of $\textsf{Expand}_{\textsf{BHP}}$) Let $i \in [N]$ and $x \in \{0,1\}$. If $\textsf{pp}_j \xleftarrow {\$}\textsf{dSetup}_{\textsf{BHP}}(1^\lambda , 1^{N}, j)$ for every $j \in [N]$, $(\textsf{pk}_j, \textsf{sk}_j) \xleftarrow {\$}\textsf{KG}_{\textsf{BHP}}(\textbf{pp}, j)$ for every $j \in [N]$, $\textsf{ct}_i \xleftarrow {\$}\textsf{Enc}_{\textsf{BHP}}(\textsf{pk}_i, x)$, and $\widetilde{\textbf{C}}_i := \textsf{Expand}_{\textsf{BHP}}(\textbf{pp}, \textbf{pk}, i, \textsf{ct}_i)$, then

$$\begin{aligned} \Pr \left[ \textsf{Dec}_{\textsf{BHP}}(\textbf{sk}, \widetilde{\textbf{C}}_i)\ne x \right] =\textsf{negl}(\lambda ). \end{aligned}$$

We first give the following property of $\textsf{LComb}$. This is an analogy of [16, Lemma A.3], showing an analogous property of the linear combination algorithm for [35].

The proof is almost the same as the one of [16] except the estimation of noise growth incurred by this algorithm.

Claim 3.1

Let $\textbf{R}\in \mathbb {Z}^{n\times w}$ be a matrix, and $\textbf{t}^{T} = [\textbf{s}^{T}, 1] \in \{0,1\}^{m}$ for $\textbf{s}\in \{0,1\}^{m-1}$. For $\tau \in [n]$ and $k\in [w]$, let $\textbf{U}_{\tau , k} \in \mathbb {Z}_{q}^{m\times w}$ be such that $\textbf{t}^{T} \textbf{U}_{\tau , k} = \textbf{e}^{T}_{\tau , k} + \textbf{t}^T \textbf{R}[\tau , k]\textbf{G}$ for $\textbf{R}[\tau , k]\in \mathbb {Z}_{B}$ and $\textbf{e}_{\tau , k} \in \mathbb {Z}^{w}$ with $\Vert \textbf{e}_{\tau , k}\Vert < mB$. Let $\textbf{b}= (b_1, \dots , b_n) \in \mathbb {Z}_{q}^{n}$ and $\textbf{X}= \textsf{LComb}((\textbf{U}_{\tau , k})_{\tau , k}, \textbf{b})$. Then we have

$$\begin{aligned} \textbf{t}^{T} \textbf{X}= \textbf{e}''^{T} + \textbf{b}^{T} \textbf{R}\in \mathbb {Z}_{q}^{w} \end{aligned}$$

for some $\textbf{e}''^{T} \in \mathbb {Z}^{w}$ with $\Vert \textbf{e}''^{T}\Vert < nw^{2}mB$.

Proof of Claim

For the above vector $\textbf{t}$ and matrix $\textbf{X}$, it holds that

$$\begin{aligned} \begin{aligned} \textbf{t}^{T} \textbf{X}&= \textbf{t}^{T} \sum _{\tau \in [n], k \in [w]}\textbf{U}_{\tau , k} \textbf{G}^{-1} (\textbf{Z}^{(\textbf{b})}_{\tau , k})\\&= \sum _{\tau , k} (\textbf{e}^{T}_{\tau , k} + \textbf{t}^{T} \textbf{R}[\tau , k] \textbf{G}) \textbf{G}^{-1} (\textbf{Z}^{(\textbf{b})}_{\tau , k})\\&= \sum _{\tau , k} (\textbf{e}'^{T}_{\tau , k} + \textbf{t}^{T} \textbf{R}[\tau , k] \textbf{Z}^{(\textbf{b})}_{\tau , k})\\&= \textbf{e}''^{T} + \textbf{t}^{T} \sum _{\tau , k} \textbf{R}[\tau , k] \textbf{Z}^{(\textbf{b})}_{\tau , k}, \end{aligned} \end{aligned}$$

where $\textbf{e}''^{T} = \sum _{\tau \in [n], k \in [w]}\textbf{e}'^{T}_{\tau , k}$ satisfying $\Vert \textbf{e}''\Vert <nw^{2}mB$, and

$$\begin{aligned} \sum _{\tau , k} \textbf{R}[\tau , k] \textbf{Z}^{(\textbf{b})}_{\tau , k} = \begin{bmatrix} 0 &{} \cdots &{} 0\\ \vdots &{} &{} \vdots \\ 0 &{} \cdots &{} 0\\ \sum _{\tau } \textbf{R}[\tau , 1]\cdot b_{\tau } &{} \cdots &{} \sum _{\tau } \textbf{R}[\tau , w] \cdot b_{\tau } \end{bmatrix} = \begin{bmatrix} \textbf{0}\\ \textbf{b}^{T} \textbf{R}\end{bmatrix}. \end{aligned}$$

Therefore we have

$$\begin{aligned} \textbf{t}^T \textbf{X}=\textbf{e}''^{T} + [\textbf{s}^{T}, 1] \begin{bmatrix} \textbf{0}\\ \textbf{b}^{T} \textbf{R}\end{bmatrix} = \textbf{e}''^{T} + \textbf{b}^{T} \textbf{R}. \end{aligned}$$

$\square $

We now turn to the proof of the correctness of $\textsf{Expand}_{\textsf{BHP}}$. Let $\widetilde{\textbf{t}}^{T}:=[\textbf{t}_{1}^{T}\Vert \cdots \Vert \textbf{t}_{N}^{T}] \in \{0,1\}^{N\cdot m}$ be the concatenation of the secret keys, $\textsf{ct}_i = (\textbf{C}, (\textbf{U}_{j,k})_{j \in [n], k \in [w]})$ be output by $\textsf{Enc}_{\textsf{BHP}}(\textsf{pk}_i, x)$, and $\widetilde{\textbf{C}}:= \textsf{Expand}_{\textsf{BHP}}(\textbf{pp}, \textbf{pk}, i, \textsf{ct}_i)$. Then

where $\textbf{X}_j = \textsf{LComb}((\textbf{U}_{j,k})_{j \in [n], k \in [w]}, \textbf{b}_{i,i} - \textbf{b}_{j,i})$ for each $j \in [N] \setminus \{i\}$. By the above claim, for every $j\in [N]$, we have $\textbf{t}_j^T \textbf{C}= (\textbf{b}_{j, i} - \textbf{b}_{i, i})^T\textbf{R}+ \textbf{t}_j^T \textbf{E}_i + x \cdot \textbf{t}_j^T \textbf{G}$, and $\textbf{t}_i^T \textbf{X}_j = \textbf{e}_j^T + (\textbf{b}_{i, i} - \textbf{b}_{j, i})^T \textbf{R}$ for some matrix $\textbf{R}$ (randomness of $\textsf{Enc}$), and noise $\textbf{e}_j$ and $\textbf{E}_i$ such that $\Vert \textbf{e}_j\Vert <nw^{2}mB$ and $\Vert \textbf{E}_i\Vert <B$ with high probability. Thus, it holds that

which implies $\textsf{Dec}_{\textsf{BHP}}(\textbf{sk}, \widetilde{\textbf{C}}) = x$.

3.3 Making $\textsf{MKHE}_{\textsf{BHP}}$ privately expandable

It is straightforward to see that $\textsf{MKHE}_{\textsf{BHP}}$ is not privately expandable. Specifically, the positions of non-zero submatrices of an expanded ciphertext $\widetilde{\textbf{C}}$ output from $\textsf{Expand}_{\textsf{BHP}}$ directly reveal the user index.

We now show a special ciphertext expansion algorithm $\textsf{pExpand}_{\textsf{BHP}}$ that can make $\textsf{MKHE}_{\textsf{BHP}}$ privately expandable. The simple idea behind the construction is to hide the zero submatrices in an expanded ciphertext by adding dummy ciphertexts of zero generated by using “larger” noise.

In addition to the algorithms $\textsf{Expand}_{\textsf{BHP}}$ and $\textsf{Add}$ from the original scheme $\textsf{MKHE}_{\textsf{BHP}}$, $\textsf{pExpand}_{\textsf{BHP}}$ uses two sub-algorithms which we denote by $\textsf{Enc}^*$ and $\textsf{Add}^*$. The former algorithm is the same as $\textsf{Enc}_{\textsf{BHP}}$ except that it uses “larger noise”, and the latter is just the homomorphic addition algorithm over pre-expanded ciphertexts and is simply implemented by element-wise addition.

The formal description of the algorithms are as follows:

$\textsf{Enc}^*(\textsf{pk}_i, x)$: Generate a ciphertext $\textsf{ct}= (\textbf{C}, (\textbf{U}_{\tau ,k})_{\tau \in [n], k \in [w]})$ in the same way as $\textsf{Enc}_{\textsf{BHP}}(\textsf{pk}_i, x)$, except that each entry in $\textbf{R}$, $\textbf{E}$, $\textbf{R}_{\tau ,k}$, and $\textbf{E}_{\tau ,k}$ for every $\tau \in [n]$ and $k \in [w]$, is sampled from $D_t$ where t is superpolynomial in $\lambda $.
$\textsf{Add}^*(\textsf{ct}, \textsf{ct}')$: Parse $\textsf{ct}$ as $(\textbf{C}, (\textbf{U}_{\tau , k})_{\tau \in [n], k \in [w]})$ and $\textsf{ct}'$ as $(\textbf{C}', (\textbf{U}'_{\tau , k})_{\tau \in [n],k \in [w]})$. Compute $\textbf{C}'' := \textbf{C}+ \textbf{C}' \in \mathbb {Z}_{q}^{m\times w}$ and $\textbf{U}_{\tau ,k}'' := \textbf{U}_{\tau ,k} + \textbf{U}_{\tau ,k}' \in \mathbb {Z}_{q}^{m\times w}$ for all $\tau \in [n]$ and $k \in [w]$. Output $\textsf{ct}'' := (\textbf{C}'', (\textbf{U}_{\tau ,k}'')_{\tau \in [n], k \in [w]})$.
$\textsf{pExpand}_{\textsf{BHP}}(\textbf{pp}, \textbf{pk}, i, \textsf{ct}_{i})$: For every $j\in [N]$, compute
$$\begin{aligned} \textsf{ct}_{j}^*:= {\left\{ \begin{array}{ll} \textsf{Add}^*(\textsf{ct}_{i}, \textsf{Enc}^*(\textsf{pk}_i, 0)) &{} \text { if }j=i \\ \textsf{Enc}^*(\textsf{pk}_j, 0) &{} \text {otherwise} \\ \end{array}\right. }. \end{aligned}$$
and $\widetilde{\textsf{ct}}_j^* := \textsf{Expand}_{\textsf{BHP}}(\textbf{pp}, \textbf{pk}, j, \textsf{ct}_j^*)$. Output $\widetilde{\textsf{ct}}_i := \sum _{j\in [N]} \widetilde{\textsf{ct}}_{j}^*$, where the summation of $\widetilde{\textsf{ct}}_{j}^*$’s is realized by $\textsf{Add}$.

Since the algorithm $\textsf{Add}^*$ just homomorphically adds fresh ciphertexts of $\textsf{MKHE}_{\textsf{BHP}}$ that corresponds to ciphertexts of the dual scheme of [23], we can easily check that correctness of $\textsf{Add}^*$ holds. Hence, the correctness of $\textsf{pExpand}_{\textsf{BHP}}$ can be seen as follows.

Lemma 3.2

(Correctness of $\textsf{pExpand}_{\textsf{BHP}}$) Let $i \in [N]$ and $x \in \{0,1\}$. If $\textsf{pp}_j \xleftarrow {\$}\textsf{dSetup}_{\textsf{BHP}}(1^\lambda , 1^{N}, j)$ for every $j \in [N]$, $(\textsf{pk}_j, \textsf{sk}_j) \xleftarrow {\$}\textsf{KG}_{\textsf{BHP}}(\textbf{pp}, j)$ for every $j \in [N]$, $\textsf{ct}\xleftarrow {\$}\textsf{Enc}_{\textsf{BHP}}(\textsf{pk}_i, x)$, and $\widetilde{\textsf{ct}}:= \widetilde{\textbf{C}}\xleftarrow {\$}\textsf{pExpand}_{\textsf{BHP}}(\textbf{pp}, \textbf{pk}, i, \textsf{ct})$, then

$$\begin{aligned} \Pr \left[ \textsf{Dec}_{\textsf{BHP}}(\textbf{sk}, \widetilde{\textsf{ct}})\ne x \right] =\textsf{negl}(\lambda ). \end{aligned}$$

Proof

Let $\widetilde{\textbf{t}}^{T} := [\textbf{t}_1^{T} \Vert \cdots \Vert \textbf{t}_N^{T}]$ where $\textbf{t}_j = \textsf{sk}_j$ for each $j \in [N]$. Then, by the correctness of $\textsf{Add}$ and $\textsf{Add}^*$, we have $\widetilde{\textbf{t}}^{T} \widetilde{\textbf{C}}= (\sum _{j\in [N]} \widetilde{\textbf{e}}_j'^{T}) + (\sum _{j\in [N]}x_j) \cdot \widetilde{\textbf{t}}^{T}\textbf{G}$, where $x_j = x$ if $j=i$, and $x_j = 0$ otherwise by the construction of $\textsf{pExpand}_{\textsf{BHP}}$. If $\Vert \widetilde{\textbf{e}}\Vert <q/4$ for $\widetilde{\textbf{e}}: = \sum _{j\in [N]}\widetilde{\textbf{e}}_j'$ (that can be satisfied by an appropriate choice of q), then $x = \textsf{Dec}_{\textsf{BHP}}(\textbf{sk}, \widetilde{\textsf{ct}})$. $\square $

In the following, we show that the output of $\textsf{pExpand}_{\textsf{BHP}}$ hides user indices.

Lemma 3.3

(Privacy of $\textsf{pExpand}_{\textsf{BHP}}$) For all $j \in [N]$, let $\textsf{pp}_j \in [\textsf{dSetup}_{\textsf{BHP}}(1^\lambda , 1^{N}, j)]$, and $(\textsf{pk}_j, \textsf{sk}_j) \in [\textsf{KG}_{\textsf{BHP}}(\textbf{pp}, j)]$. Then, for any $i, i' \in [N]$, $x \in \{0,1\}$, $\textsf{ct}_i \in [\textsf{Enc}_{\textsf{BHP}}(\textsf{pk}_i, x)]$, and $\textsf{ct}_{i'} \in [\textsf{Enc}_{\textsf{BHP}}(\textsf{pk}_{i'}, x)]$, we have

$$\begin{aligned} \textsf{pExpand}_{\textsf{BHP}}(\textbf{pp}, \textbf{pk}, i, \textsf{ct}_i) \approx _{s} \textsf{pExpand}_{\textsf{BHP}}(\textbf{pp}, \textbf{pk}, i', \textsf{ct}_{i'}) \end{aligned}$$

where the statistical indistinguishability is guaranteed only by the random coins of $\textsf{pExpand}_{\textsf{BHP}}$.

Proof

We first show a simple fact about $\textsf{Add}^*$ useful for showing the lemma.

Claim 3.2

For all $j \in [N]$, let $\textsf{pp}_j \in [\textsf{dSetup}_{\textsf{BHP}}(1^{\lambda }, 1^{N}, j)]$, and $(\textsf{pk}_{j}, \textsf{sk}_{j}) \in [\textsf{KG}_{\textsf{BHP}}(\textbf{pp}, j)]$. Then, for any $i \in [N]$, $x \in \{0,1\}$, and $\textsf{ct}\in [\textsf{Enc}_{\textsf{BHP}}(\textsf{pk}_i, x)]$, we have

$$\begin{aligned} \textsf{Add}^{*}(\textsf{ct}, \textsf{Enc}^*(\textsf{pk}_i, 0)) \approx _s \textsf{Enc}^*(\textsf{pk}_i, x), \end{aligned}$$

where the statistical indistinguishability is guaranteed only by the random coins of $\textsf{Enc}^*$.

Proof of the claim

Let $r =(\textbf{R}, \textbf{E}, (\textbf{R}_{\tau ,k})_{\tau \in [n], k \in [w]}), (\textbf{E}_{\tau ,k})_{\tau \in [n], k \in [w]})$ be the randomness such that $\textsf{ct}= \textsf{Enc}_{\textsf{BHP}}(\textsf{pk}_i, x; r)$ with $\Vert \textbf{R}\Vert , \Vert \textbf{E}\Vert , \Vert \textbf{R}_{\tau ,k}\Vert , \Vert \textbf{E}_{\tau ,k}\Vert < r = O(\sqrt{n})$. Let $D'$ be the distribution of a randomness in $\textsf{Enc}^*$, namely, every element is sampled from $D_t$. Then, by the designs of $\textsf{Enc}_{\textsf{BHP}}$ and $\textsf{Add}^*$, the distribution of the left hand side is identical to $\textsf{Enc}^*(\textsf{pk}_i, x; r + r')$ where $r' \xleftarrow {\$}D'$ and the addition of the randomnesses is just element-wise addition. By Lemma 2.1, the distribution $r + D' = \{r' \xleftarrow {\$}D' : r + r'\}$ (where r is fixed) is statistically close to $D'$. Hence, $\textsf{Add}(\textsf{ct}, \textsf{Enc}^*(\textsf{pk}_i,0)) = \{r' \xleftarrow {\$}D' : \textsf{Enc}^*(\textsf{pk}_i, x; r + r' )\} \approx _s \textsf{Enc}^*(\textsf{pk}_i, x)$. $\square $

For $i'' \in \{i, i'\}$, let $\textsf{pExpand}'(\textbf{pp}, \textbf{pk}, i'', x)$ be defined in the same way as $\textsf{pExpand}_{\textsf{BHP}}(\textbf{pp}, \textbf{pk}, i'', \textsf{ct}_{i''})$ except that $\textsf{ct}^*_{i''}$ is generated as $\textsf{Enc}^*(\textsf{pk}_{i''}, x)$ instead of $\textsf{Add}^*(\textsf{ct}_{i''}, \textsf{Enc}^*(\textsf{pk}_{i''}, 0))$. By the above claim, for both $i'' \in \{i, i'\}$, $\textsf{ct}^*_{i''}$ generated in $\textsf{pExpand}'$ and that in $\textsf{pExpand}_{\textsf{BHP}}$ are statistically indistinguishable, and thus we have $\textsf{pExpand}_{\textsf{BHP}}(\textbf{pp}, \textbf{pk}, i'', \textsf{ct}_{i''}) \approx _s \textsf{pExpand}'(\textbf{pp}, \textbf{pk}, i'', x)$. Hence, to prove the lemma, it is sufficient to show $\textsf{pExpand}'(\textbf{pp}, \textbf{pk}, i, x) \approx _s \textsf{pExpand}'(\textbf{pp}, \textbf{pk}, i', x)$. To this end, we argue similarly to the proof of [16, Lemma A.5] and show that the distribution of the output of $\textsf{pExpand}'$ is identical.

For each $i'' \in \{i, i'\}$, let $\widetilde{\textsf{ct}}_{i''}$ be an output of $\textsf{pExpand}'(\textbf{pp}, \textbf{pk}, i'', x)$. If $i = i'$ then clearly $\widetilde{\textsf{ct}}_i$ and $\widetilde{\textsf{ct}}_{i'}$ are distributed identically. When $i \ne i'$, the only difference in the executions of $\textsf{pExpand}'(\textbf{pp}, \textbf{pk}, i, x)$ and $\textsf{pExpand}'(\textbf{pp}, \textbf{pk}, i', x)$ is in $\widetilde{\textsf{ct}}_{i}^*$ and $\widetilde{\textsf{ct}}_{i'}^*$ (other ciphertexts $\widetilde{\textsf{ct}}_{j}^*$ for $j \in [N] \setminus \{i, i'\}$ are clearly distributed identically), and thus we only have to show that $\widetilde{\textsf{ct}}_{i, i'}^* := \widetilde{\textsf{ct}}_{i}^* + \widetilde{\textsf{ct}}_{i'}^*$ generated in the two executions of $\textsf{pExpand}'$ are distributed identically. $\textsf{pExpand}'$ generates $\widetilde{\textsf{ct}}_{i}^*$ of the form

$$\begin{aligned} \begin{aligned} \widetilde{\textsf{ct}}_i^*&= \begin{bmatrix} \textbf{C}_i &{} &{} &{} &{} &{} &{} \\ &{} \ddots &{} &{} &{} &{} &{} \\ &{} &{} \textbf{C}_i &{} &{} &{} &{} \\ \textbf{X}_{i,1}&{} \cdots &{} \textbf{X}_{i, i-1} &{}\, \textbf{C}_i \, &{} \textbf{X}_{i, i+1} &{} \cdots &{} \textbf{X}_{i,N}\\ &{} &{} &{} &{} \textbf{C}_i &{} &{} \\ &{} &{} &{} &{} &{} \ddots &{} \\ &{} &{} &{} &{} &{} &{} \textbf{C}_i \\ \end{bmatrix}, \end{aligned} \end{aligned}$$

where $\textbf{C}_{i} = \textbf{B}_{i} \textbf{R}_{i} + \textbf{E}_i + x\textbf{G}$ in the execution of $\textsf{pExpand}'$ for i, and $\textbf{C}_{i} = \textbf{B}_{i} \textbf{R}_{i} + \textbf{E}_i$ in the execution for $i'$. For $i' \ne i$, $\widetilde{\textsf{ct}}_{i'}^*$ has a similar form but $\textbf{C}_{i'} = \textbf{B}_{i'} \textbf{R}_{i'} + \textbf{E}_{i'}$ in the former execution, and $\textbf{C}_{i'} = \textbf{B}_{i'} \textbf{R}_{i'} + \textbf{E}_{i'} + x\textbf{G}$ in the latter execution. $\textbf{R}_{i}$ and $\textbf{R}_{i'}$ are sampled from the same distribution and the same for $\textbf{E}_i$ and $\textbf{E}_{i'}$. Furthermore, in both executions, $\textbf{X}_{i,j}$ for each $j \in [N] \setminus \{i\}$ is generated according to the same distribution, and the same is true for $\textbf{X}_{i',j}$ for each $j \in [N] \setminus \{i'\}$ Both executions generate $\widetilde{\textsf{ct}}_{i, i'}^* = \widetilde{\textsf{ct}}_{i}^* + \widetilde{\textsf{ct}}_{i'}^*$ of the form (where w.l.o.g. we assume $i < i'$)

$$\begin{aligned} \begin{aligned} \widetilde{\textsf{ct}}_{i, i'}^*&= \begin{bmatrix} \textbf{C}_{i,i'} &{} &{} &{} &{} &{} &{} \\ &{} \ddots &{} &{} &{} &{} &{} \\ \textbf{X}_{i, 1}&{} \cdots &{} \textbf{C}_{i,i'} &{} \cdots &{} \textbf{X}_{i, i'} &{} \cdots &{} \textbf{X}_{i, N}\\ &{} &{} &{} \ddots &{} &{} &{} \\ \textbf{X}_{i', 1}&{} \cdots &{} \textbf{X}_{i', i} &{} \cdots &{} \textbf{C}_{i,i'} &{} \cdots &{} \textbf{X}_{i', N}\\ &{} &{} &{} &{} &{} \ddots &{} \\ &{} &{} &{} &{} &{} &{} \textbf{C}_{i,i'} \\ \end{bmatrix}, \end{aligned} \end{aligned}$$

where $\textbf{C}_{i,i'} := \textbf{B}_i \textbf{R}_i + \textbf{B}_{i'} \textbf{R}_{i'} + (\textbf{E}_{i} + \textbf{E}_{i'}) + x\textbf{G}$. Therefore, $\widetilde{\textsf{ct}}_{i,i'}^*$ in the two executions of $\textsf{pExpand}'$ are distributed identically. This means that the distribution of $\textsf{pExpand}'(\textbf{pp}, \textbf{pk}, i, x)$ and that of $\textsf{pExpand}'(\textbf{pp}, \textbf{pk}, i', x)$ are identical regardless of $i,i' \in [N]$. This in turn implies $\textsf{pExpand}_{\textsf{BHP}}(\textbf{pp}, \textbf{pk}, i, \textsf{ct}_i) \approx _s \textsf{pExpand}_{\textsf{BHP}}(\textbf{pp}, \textbf{pk}, i', \textsf{ct}_{i'})$. $\square $

We summarize the consequence of the above lemmas.

Theorem 3.1

Let $\textsf{MKHE}_{\textsf{pBHP}} := (\textsf{dSetup}_{\textsf{BHP}}, \textsf{KG}_{\textsf{BHP}}, \textsf{Enc}_{\textsf{BHP}}, \textsf{pExpand}_{\textsf{BHP}}, \textsf{Eval}_{\textsf{BHP}}, \textsf{Dec}_{\textsf{BHP}})$ be an expandable MKFHE scheme with distributed setup that is the same as $\textsf{MKHE}_{\textsf{BHP}}$ except that its expansion algorithm $\textsf{Expand}_{\textsf{BHP}}$ is replaced with $\textsf{pExpand}_{\textsf{BHP}}$. Then, $\textsf{MKHE}_{\textsf{pBHP}}$ is privately expandable.

4 Maliciously circuit-private MKHE based on LWE

In this section, we show two constructions of maliciously circuit-private MKHE with distributed setup, one for branching programs, and the other for circuits of all poly-sized circuits (i.e. MKFHE), These constructions are based on the construction methodology of [17].

In Sect. 4.1, we give the formal definition of malicious circuit privacy for MKHE with distributed setup. In Sect. 4.2, we show the first construction: a maliciously circuit-private MKHE scheme with distributed setup for branching programs from the combination of a privately expandable MKFHE scheme with distributed setup and a maliciously circuit-private single-key FHE scheme. In Sect. 4.3, we show how to enhance maliciously circuit-private MKHE with distributed setup for branching program to fully homomorphic one by using a (non-circuit-private) MKFHE scheme as an additional building block. (There, we also explain a somewhat non-standard circular security assumption required to prove the semantic security of this MKFHE construction.)

Throughout this section, let $N = N(\lambda ) \in \mathbb {N}$ be a polynomial denoting the number of users.

4.1 Definition

Here we introduce the definition of malicious circuit privacy for MKHE with distributed setup.

Definition 4.1

(Malicious Circuit-privacy for MKHE with Distributed Setup, adapted from [17]) Let $\textsf{MKHE}=(\textsf{dSetup}, \textsf{KG}, \textsf{Enc}, \textsf{Eval}, \textsf{Dec})$ be an MKHE scheme with distributed setup for a class of circuits $\mathcal {C}$. We say $\textsf{MKHE}$ is maliciously circuit-private if there exists an unbounded algorithm $\textsf{Sim}$ (called the simulator) and an unbounded deterministic algorithm $\textsf{Ext}$ (called the extractor) such that for all circuits $C \in \mathcal {C}$ (with n-bit input), all indices $I_1,\ldots ,I_n\in [N]$, and all possibly malformed public parameters $\textbf{pp}^* =(\textsf{pp}_i^*)_{i \in [N]}$, public keys $\textbf{pk}^* := (\textsf{pk}_i^*)_{i \in [N]}$, and ciphertexts $\textsf{ct}_1^*, \ldots , \textsf{ct}_n^*$, we have

$$\begin{aligned} \textsf{Eval}(C, \textbf{pp}^*, \textbf{pk}^*, (I_k, \textsf{ct}_k^*)_{k\in [n]}) \approx _s \textsf{Sim}(\textbf{pp}^*, \textbf{pk}^*, (I_k, \textsf{ct}_k^*)_{k\in [n]}, C(x^*_1, \ldots , x_n^*)), \end{aligned}$$

where $x_i^* := \textsf{Ext}(\textbf{pp}^*, I_k, \textsf{pk}_{I_k}^*, \textsf{ct}_k^*)$ for all $k \in [n]$.

4.2 Scheme for branching programs

We now show how to construct a maliciously circuit-private MKFHE scheme for branching programs. The construction is generic and based on the combination of a privately-expandable MKFHE scheme and a maliciously circuit-private single-key FHE scheme.

The main difference from [17] is that we need to treat public parameters $\textbf{pp}$ generated by the distributed setup appropriately: We have an additional check in the homomorphic evaluation algorithm to make sure the public parameters $\textsf{pp}$ are possible outputs of the distributed setup algorithm of the underlying privately-expandable MKFHE scheme. There is also a technically subtle but important difference in the design of the evaluation algorithm (see the explanation in the footnote of the scheme description).

Intuition of our construction In order to achieve malicious circuit-privacy for the homomorphic evaluation algorithm, we need to deal with (possibly) malformed input public keys and ciphertexts. To do this, we use a maliciously circuit-private single-key FHE scheme to homomorphically check whether the inputs are possible output of semi-honest execution of the key generation and encryption algorithm. This guarantees that the input public keys and ciphertexts for the homomorphic evaluation of a branching program are well-formed. Hence, in the following, we consider the semi-honest circuit-private evaluation of a branching program.

To explain the intuition of the circuit-private evaluation, first recall how to compute a branching program. Let $P=(G=(V, E), v_{0}, T, \phi _{V}, \phi _{E})$ be a length-$\ell $ branching program over $\{0,1\}^{n}$. To evaluate P on $x\in \{0,1\}^{n}$, we follow the path induced by $\phi _{V}$ and x from the initial node $v_{0}$ to a terminal node in T. As defined in Definition 2.1, $P_{v}(x)$ refers to follow the path from any node $v\in V$, and $P_{v_{0}}(x)=P(x)$. Since every node $v\in V$ has two child nodes $v', v''\in V$ such that $\phi _{E}(v, v')=0$ and $\phi _{E}(v, v'')=1$, $P_{v}(x)$ can be defined for $i=\phi _{V}(v)$ as $P_{v}(x):=P_{v'}(x)$ if $x_{i}=0$, and $P_{v}(x):=P_{v''}(x)$ if $x_{i}=1$.

Now, consider homomorphically evaluating P on a ciphertext of x. Suppose that every bit of x is encrypted by MKHE under a different public key, i.e., for $i=1,\ldots , n$, $x_{i}\in \{0,1\}$ is encrypted under a public key $\textsf{pk}_{i}$ of MKHE. To homomorphically evaluate P, we need to evaluate $P_{v}(x)$ backward from terminal nodes to $v_{0}$, which results in a ciphertext of $P_{v_{0}}(x)=P(x)$. Let $(v^{(\ell )}, v^{(\ell -1)},\ldots , v^{(0)})$ for $v^{(\ell )}=v_{0}$ and $v^{(0)}\in T$ be a path to obtain P(x). The evaluation algorithm of our circuit-private MKHE scheme computes a ciphertext of $P_{v^{(h)}}(x)$ (for $h=1,\ldots , \ell $) depending on a ciphertext of $x_{i}$ for $i=\phi _{V}(v^{(h)})$, which is encrypted under $\textsf{pk}_{i}$. Our simulator for the malicious circuit privacy also computes a ciphertext of $P_{v^{(h)}}(x)$, but independent of $\textsf{pk}_{i}$. To show indistinguishability between the real evaluation and simulation, we use private expandability of MKHE to make the ciphertext of $P_{v^{(h)}}(x)$ in the real evaluation independent of the encryption key.

Building Blocks. We will use the following building blocks.

Let $\textsf{MKHE}_{\textsf{PE}}=(\textsf{dSetup}_{\textsf{PE}}, \textsf{KG}_{\textsf{PE}}, \textsf{Enc}_{\textsf{PE}}, \textsf{Expand}_{\textsf{PE}}, \textsf{Eval}_{\textsf{PE}}, \textsf{Dec}_{\textsf{PE}})$ be a privately-expandable MKFHE scheme with distributed setup, for which we also assume weak circular security. We also require that this scheme is additive homomorphic over fresh (pre-expanded) ciphertexts such that for any $i \in [N]$, public parameters $\textbf{pp}= (\textsf{pp}_j)_{j \in [N]}$ generated by $\textsf{dSetup}_{\textsf{PE}}(1^\lambda ,1^N,i)$, an honestly generated key pair $(\textsf{pk}_{\textsf{PE},i}, \textsf{sk}_{\textsf{PE},i}) \in [\textsf{KG}_{\textsf{PE}}(\textbf{pp}, i)]$, plaintexts $x_1, x_2 \in \{0,1\}$, and randomness $r_1, r_2$ for $\textsf{Enc}_{\textsf{PE}}$, we have $\textsf{Enc}_{\textsf{PE}}(\textsf{pk}_{\textsf{PE},i}, x_1; r_1) + \textsf{Enc}_{\textsf{PE}}(\textsf{pk}_{\textsf{PE},i}, x_2;r_2) = \textsf{Enc}_{\textsf{PE}}(\textsf{pk}_{\textsf{PE},i}, x_1 + x_2; r_1 + r_2)$. (In the following, we will just use “−” to denote the homomorphic subtraction between ciphertexts.)
Let $\textsf{SKHE}_{\textsf{mCP}}=(\textsf{KG}_{\textsf{mCP}}, \textsf{Enc}_{\textsf{mCP}}, \textsf{Eval}_{\textsf{mCP}}, \textsf{Dec}_{\textsf{mCP}})$ be a maliciously circuit-private single-key FHE scheme. (see Sect. 2.3 for the formal definitions of single-key HE and malicious circuit privacy for single-key HE.)

Notation and convention Values with subscript $\textsf{PE}$ (resp. $\textsf{mCP}$) will denote those related to $\textsf{MKHE}_{\textsf{PE}}$ (resp. $\textsf{SKHE}_{\textsf{mCP}}$). We will omit a subscript for $\textsf{pp}$.

To lighten the notation, we use the convention that $\textsf{Enc}_{\textsf{PE}}$ takes as plaintext input a bit-string x (rather than a single bit), and outputs the concatenation of the bit-wise encryption of x. Also, to easily grasp what is encrypted, we will use the notation $[\![{x}]\!]_{i}$ to mean bit-wise encryption of a bit-string x under the i-th public key $\textsf{pk}_{\textsf{PE},i}$ of $\textsf{MKHE}_{\textsf{PE}}$. (For example, we write $[\![{x}]\!]_{i} \xleftarrow {\$}\textsf{Enc}_{\textsf{PE}}(\textsf{pk}_{\textsf{PE},i}, x)$.) An expanded ciphertext of $[\![{x}]\!]_i$ will be denoted $\widetilde{[\![{x}]\!]}$.

We will use the same convention for $\textsf{Enc}_{\textsf{mCP}}$, and use the notation $[{x}]_i$ to denote an encryption of x under the i-th public key $\textsf{pk}_{\textsf{mCP},i}$ of $\textsf{SKHE}_{\textsf{mCP}}$.

Validation circuit To achieve malicious circuit privacy, the evaluation algorithm $\textsf{Eval}_{\textsf{BP}}$ of our scheme will homomorphically evaluate the following circuit $\textsf{Validate}$ to check whether public/secret keys and ciphertexts input to $\textsf{Eval}_{\textsf{BP}}$ are well-formed, in which case (and only then) it outputs some hardwired value. $\textsf{Validate}$ has the following values hardwired: $N, q \in \mathbb {N}$, public parameters $\textbf{pp}$, an index $i \in [N]$, a public key $\textsf{pk}_{\textsf{PE}}$, q ciphertexts $\{\textsf{ct}_{\textsf{PE},k}\}_{k \in [q]}$, and some value $\textsf{out}\in \{0,1\}^*$. As input, it takes a secret key $\textsf{sk}_{\textsf{PE}}$ and randomness $r_{\textsf{KG}}$ and $\{r_{\textsf{Enc},k}\}_{k \in [q]}$, and its output is defined as follows^{Footnote 9}:

$$\begin{aligned}&{\textsf{Validate}^{N, q}_{\textbf{pp}, i, \textsf{pk}_{\textsf{PE}}, \{\textsf{ct}_{\textsf{PE}, k}\}_{k\in [q]}, \textsf{out}}(\textsf{sk}_{\textsf{PE}}, r_{\textsf{KG}}, \{r_{\textsf{Enc}, k}\}_{k\in [q]})}\\&\quad := {\left\{ \begin{array}{ll} \textsf{out}&{} \begin{array}{l} \text {if }(\textsf{pk}_{\textsf{PE}}, \textsf{sk}_{\textsf{PE}})=\textsf{KG}_{\textsf{PE}}(\textbf{pp}, i; r_{\textsf{KG}}),\\ \text {and }\forall k\in [q], \exists x_k \in \{0,1\}: \textsf{ct}_{\textsf{PE}, k}=\textsf{Enc}_{\textsf{PE}}(\textsf{pk}_{\textsf{PE}}, x_k; r_{\textsf{Enc}, k}) \end{array}\\ 0^{|\textsf{out}|} &{} \text {otherwise} \end{array}\right. } \end{aligned}$$

Construction Using the building blocks $\textsf{MKHE}_{\textsf{PE}}$ and $\textsf{SKHE}_{\textsf{mCP}}$, and the validation circuit $\textsf{Validate}$ described above, we describe our maliciously circuit-private MKHE scheme with distributed setup for length-$\ell $ branching programs $\textsf{MKHE}_{\textsf{BP}} = (\textsf{dSetup}_{\textsf{BP}}, \textsf{KG}_{\textsf{BP}}, \textsf{Enc}_{\textsf{BP}}, \textsf{Eval}_{\textsf{BP}}, \textsf{Dec}_{\textsf{BP}})$ below. (For convenience, a one-page version of the description is given in Figure in page 48.)

$\textsf{dSetup}_{\textsf{BP}}(1^\lambda , 1^N, i\in [N])$: Output $\textsf{pp}_{i} \xleftarrow {\$}\textsf{dSetup}_{\textsf{PE}}(1^\lambda , 1^N, i)$.
$\textsf{KG}_{\textsf{BP}}(\textbf{pp}, i)$: Pick randomness $r_{\textsf{KG},i}$ for $\textsf{KG}_{\textsf{PE}}$, and compute
$$\begin{aligned}&(\textsf{pk}_{\textsf{PE}, i}, \textsf{sk}_{\textsf{PE}, i}) := \textsf{KG}_{\textsf{PE}}(\textbf{pp}, i; r_{\textsf{KG}, i}),(\textsf{pk}_{\textsf{mCP}, i}, \textsf{sk}_{\textsf{mCP}, i}) \xleftarrow {\$}\textsf{KG}_{\textsf{mCP}}(1^\lambda ),\\&[\![{\textsf{sk}_{\textsf{PE},i}}]\!]_{i} \xleftarrow {\$}\textsf{Enc}_{\textsf{PE}}(\textsf{pk}_{\textsf{PE}, i}, \textsf{sk}_{\textsf{PE}, i}), [{\textsf{sk}_{\textsf{PE},i} \Vert r_{\textsf{KG}, i}}]_{i} \xleftarrow {\$}\textsf{Enc}_{\textsf{mCP}}(\textsf{pk}_{\textsf{mCP}, i}, \textsf{sk}_{\textsf{PE},i} \Vert r_{\textsf{KG}, i}). \end{aligned}$$
Output $\textsf{pk}_{i} :=(\textsf{pk}_{\textsf{PE}, i}, \textsf{pk}_{\textsf{mCP}, i}, [\![{\textsf{sk}_{\textsf{PE}, i}}]\!]_{i}, [{\textsf{sk}_{\textsf{PE}, i} \Vert r_{\textsf{KG}, i}}]_{i})$ and $\textsf{sk}_{i} := (\textsf{sk}_{\textsf{PE}, i}, \textsf{sk}_{\textsf{mCP}, i})$.
$\textsf{Enc}_{\textsf{BP}}(\textsf{pk}_i, x \in \{0,1\})$: Parse $\textsf{pk}_i$ as $(\textsf{pk}_{\textsf{PE},i}, \textsf{pk}_{\textsf{mCP},i}, [\![{\textsf{sk}_{\textsf{PE}, i}}]\!]_{i}, [{\textsf{sk}_{\textsf{PE}, i} \Vert r_{\textsf{KG}, i}}])$. Pick randomness $r_{\textsf{Enc}, i}$ for $\textsf{Enc}_{\textsf{PE}}$, and compute
$$\begin{aligned}&[\![{x}]\!]_i := \textsf{Enc}_{\textsf{PE}}(\textsf{pk}_{\textsf{PE}, i}, x; r_{\textsf{Enc}, i}),&[{r_{\textsf{Enc}, i}}]_i \xleftarrow {\$}\textsf{Enc}_{\textsf{mCP}}(\textsf{pk}_{\textsf{mCP}, i}, r_{\textsf{Enc}, i}). \end{aligned}$$
Output $\textsf{ct}_{i}:=([\![{x}]\!]_i, [{r_{\textsf{Enc}, i}}]_i)$.
$\textsf{Eval}_{\textsf{BP}}(P, \textbf{pp}, \textbf{pk}, (I_k, \textsf{ct}_k)_{k\in [n]})$: If there exists $j \in [N]$ such that $\textsf{pp}_j \notin [\textsf{dSetup}_{\textsf{PE}}(1^\lambda ,1^N, j)]$, then output $\bot $ and terminate. Otherwise, parse P as a length-$\ell $ branching program $(G = (V, E), v_{0}, T, \phi _{V}, \phi _{E})$, and suppose its input length is n-bit. Parse each $\textsf{pk}_j$ as $(\textsf{pk}_{\textsf{PE},j}, \textsf{pk}_{\textsf{mCP},j}, [\![{\textsf{sk}_{\textsf{PE}, j}}]\!]_{j}, [{\textsf{sk}_{\textsf{PE}, j} \Vert r_{\textsf{KG}, j}}]_{j})$ and each $\textsf{ct}_k$ as $([\![{x_k}]\!]_{I_k}, [{r_{\textsf{Enc},k}}]_{I_k})$. Let $s_0$ be the length of $\textsf{Label}(v_0)$ determined below. ($s_0$ itself is known a priori.) For every $j \in [N]$, choose $S_{j}\xleftarrow {\$}\{0,1\}^{s_0}$, set $q_j := |\{k \in [n]: I_k = j\}|$, and compute
$$\begin{aligned} \widehat{V}_{\textsf{mCP},j}&\xleftarrow {\$}\textsf{Eval}_{\textsf{mCP}} \left( \begin{array}{l} \textsf{Validate}^{N, q_j}_{\textbf{pp}, j, \textsf{pk}_{\textsf{PE}, j}, \{[\![{x_k}]\!]_{I_k}\}_{I_{k}=j}, S_{j}}, \textsf{pk}_{\textsf{mCP},j},\\ ([{\textsf{sk}_{\textsf{PE}, j} \Vert r_{\textsf{KG}, j}}]_j, \{[{r_{\textsf{Enc}, k}}]_j\}_{I_k=j}) \end{array} \right) ,\\ \widetilde{[\![{\textsf{sk}_{\textsf{PE}, j}}]\!]}&\xleftarrow {\$}\textsf{Expand}_{\textsf{PE}}(\textbf{pp}, \textbf{pk}_{\textsf{PE}}, j, [\![{\textsf{sk}_{\textsf{PE}, j}}]\!]_j). \end{aligned}$$
For each $v \in T$, set $\textsf{Label}(v) := \phi _V(v)$. For each^{Footnote 10}$v\in V \setminus T$ for which $\textsf{Label}(u_0)$ and $\textsf{Label}(u_1)$ with $\Gamma (v) = \{u_0,u_1\}$ are already defined, do the following:
- Let $h:=\textsf{height}(v)$, $k^{\star }:=\phi _{V}(v)$, and $\{u_{0}, u_{1} \} = \Gamma (v)$ such that $\phi _{E}(v, u_0)=0$ and $\phi _{E}(v, u_1)=1$.
- Let $[\![{0}]\!]_{I_{k^{\star }}} := \textsf{Enc}_{\textsf{PE}}(\textsf{pk}_{\textsf{PE},I_{k^\star }}, 0; 0)$ and $[\![{1}]\!]_{I_{k^{\star }}} := \textsf{Enc}_{\textsf{PE}}(\textsf{pk}_{\textsf{PE},I_{k^\star }}, 1; 0)$.
- For $t=1,\ldots ,s=|\textsf{Label}(u_0)|$, do the following:
  - $*$ For $\sigma \in \{0,1\}$, let $\textsf{Label}(u_\sigma )[t]$ be the t-th bit of $\textsf{Label}(u_\sigma )$.
  - $*$ Set
    $$\begin{aligned} a_{\textsf{PE},t} := {\left\{ \begin{array}{ll} {[\![{0}]\!]_{I_{k^{\star }}}} &{} \text {if }\textsf{Label}(u_{0})[t] = 0 \wedge \textsf{Label}(u_{1})[t] = 0 \\ {[\![{x_{k^{\star }}}]\!]_{I_{k^{\star }}}} &{} \text {if }\textsf{Label}(u_{0})[t] = 0 \wedge \textsf{Label}(u_{1})[t] = 1 \\ {[\![{1}]\!]_{I_{k^{\star }}}} - {[\![{x_{k^{\star }}}]\!]_{I_{k^{\star }}}} &{} \text {if }\textsf{Label}(u_{0})[t] = 1 \wedge \textsf{Label}(u_{1})[t] = 0 \\ {[\![{1}]\!]_{I_{k^{\star }}}} &{} \text {if } \textsf{Label}(u_{0})[t] = 1 \wedge \textsf{Label}(u_{1})[t] = 1 \\ \end{array}\right. }, \end{aligned}$$
  and compute $\widetilde{a}_{\textsf{PE},t} \xleftarrow {\$}\textsf{Expand}_{\textsf{PE}}(\textbf{pp}, \textbf{pk}_{\textsf{PE}}, I_{k^\star }, a_{\textsf{PE},t})$.^{Footnote 11}
- Set $\widetilde{a}_{\textsf{PE},v}: = (\widetilde{a}_{\textsf{PE},1}, \ldots , \widetilde{a}_{\textsf{PE},s})$.^{Footnote 12}
- Compute
  $$\begin{aligned} \textsf{Label}(v):= {\left\{ \begin{array}{ll} {\widetilde{a}_{\textsf{PE},v}} &{} \text {if }h=1,\\ {\textsf{Eval}_{\textsf{PE}}} \Bigl (\textsf{Dec}_{\textsf{PE}}, \textbf{pp}, \textbf{pk}_{\textsf{PE}}, ((\widetilde{[\![{\textsf{sk}_{\textsf{PE}, j}}]\!]})_{j\in [N]}, \widetilde{a}_{\textsf{PE},v}) \Bigr ) &{} \text {otherwise} \end{array}\right. }. \end{aligned}$$
  where the inputs to $\textsf{Dec}_{\textsf{PE}}$ in $\textsf{Eval}_{\textsf{PE}}$ are naturally arranged: the secret keys encrypted in $(\widetilde{[\![{\textsf{sk}_{\textsf{PE},j}}]\!]})_{j \in [N]}$ are used as $\textbf{sk}_{\textsf{PE}}$, and what is encrypted in $\widetilde{a}_{\textsf{PE},v}$ (which, for honestly generated ciphertexts, is $\textsf{Label}(u_{x_{k^\star }})$) is used as an expanded ciphertext to be decrypted.
Finally, output $\widehat{\textsf{ct}}:=(\textsf{Label}(v_{0}) \oplus \bigoplus _{j \in [N]} S_j, (\widehat{V}_{\textsf{mCP},j})_{j \in [N]})$.
$\textsf{Dec}_{\textsf{BP}}(\textbf{sk}, \widehat{\textsf{ct}})$: Parse each $\textsf{sk}_j$ as $(\textsf{sk}_{\textsf{PE},j}, \textsf{sk}_{\textsf{mCP},j})$ and $\widehat{\textsf{ct}}$ as $(\widehat{c}, (\widehat{V}_{\textsf{mCP},j})_{j \in [N]})$. For every $j \in [N]$, compute $S_{j}:=\textsf{Dec}_{\textsf{mCP}}(\textsf{sk}_{\textsf{mCP}, j}, \widehat{V}_{\textsf{mCP},j})$. Let $\widehat{\textsf{ct}}_{\textsf{PE}}:=\widehat{c}\oplus \bigoplus _{j \in [N]} S_j$. Output $\widehat{x}:= \textsf{Dec}_{\textsf{PE}}(\textbf{sk}_{\textsf{PE}}, \widehat{\textsf{ct}}_{\textsf{PE}})$.

Correctness and security We now see the correctness, security, and malicious circuit privacy of $\textsf{MKHE}_{\textsf{BP}}$.

Theorem 4.1

(Correctness) $\textsf{MKHE}_{\textsf{BP}}$ satisfies correctness.

Proof

Let $\textbf{pp}$, $\textbf{pk}$, and $\textbf{sk}$ be honestly generated public parameters, public keys, and secret keys, respectively. Let $I_1, \dots , I_n \in [N]$ be arbitrary indices, $x = (x_1,\dots ,x_n) \in \{0,1\}^n$ be arbitrary plaintexts, and $\textsf{ct}_k = ([\![{x_k}]\!]_{I_k}, [{r_{\textsf{Enc}, I_{k}}}]_{I_k}) \xleftarrow {\$}\textsf{Enc}_{\textsf{BP}}(\textsf{pk}_{I_k}, x_k)$ for every $k \in [n]$. Let $P = (G = (V, E), v_0, T, \phi _V, \phi _E)$ be a length-$\ell $ branching program. Now, consider executing $\widehat{\textsf{ct}}= (\widehat{c}, (\widehat{V}_{\textsf{mCP},j})_{j \in [N]}) \xleftarrow {\$}\textsf{Eval}_{\textsf{BP}}(P, \textbf{pp}, \textbf{pk}, (I_k, \textsf{pk}_k)_{k \in [n]})$ and $\textsf{Dec}_{\textsf{BP}}(\textbf{sk}, \widehat{\textsf{ct}})$. Since all public keys $\textbf{pk}$ and ciphertexts $(\textsf{ct}_k)_{k \in [n]}$ are honestly generated, the check regarding $\textsf{pk}_{\textsf{PE},j}$ and $\{[\![{x_k}]\!]_{I_k}\}_{I_k = j}$ in the homomorphic evaluation of $\textsf{Validate}$ done by $\textsf{Eval}_{\textsf{mCP}}$ never fails, and every $\widehat{V}_{\textsf{mCP},j}$ decrypts to $S_j$. This implies $\widehat{\textsf{ct}}_{\textsf{PE}} = \widehat{c}\oplus \bigoplus _{j \in [N]} S_j = \textsf{Label}(v_0)$. Hence, to show the correctness, it is sufficient to show $\textsf{Dec}_{\textsf{PE}}(\textbf{sk}_{\textsf{PE}}, \textsf{Label}(v_0)) = P(x)$.

For each $h \in \{0\} \cup [\ell ]$, let $v^{(h)}\in V$ be a node such that $\textsf{height}(v^{(h)})=h$ and $\Gamma (v^{(h)})=\{v^{(h-1)}_{0}, v^{(h-1)}_{1}\}$, and thus $v_{0}=v^{(\ell )}$. Intuitively, $\textsf{Eval}_{\textsf{BP}}$ homomorphically computes the branching program P backwards from the terminal nodes to the initial node: Every layer of the branching program computes $P_{v^{(h)}}(x) = P_{v^{(h-1)}_{x_{k^{\star (h)}}}}(x)$ where $k^{\star (h)} :=\phi _{V}(v^{(h)})$. We now inductively show that for every $h \in [\ell ]$, every vertex $v^{(h)}$ at height h satisfies the property that $\textsf{Label}(v^{(h)})$ is a bit-wise expanded ciphertexts of $P_{v^{(h)}}(x)$, and thus $\textsf{Dec}_{\textsf{PE}}(\textbf{sk}_{\textsf{PE}}, \textsf{Label}(v^{(h)})) = P_{v^{(h)}}(x)$ holds.

$\underline{\text {Base case h } = 1:}$ by the construction of $\textsf{Eval}_{\textsf{BP}}$, $\textsf{Label}(v^{(1)}) = \widetilde{a}_{\textsf{PE},v^{(1)}}$ is bit-wise expanded ciphertexts of $\textsf{Label}(v_{x_{k^{\star (1)}}}^{(0)})=x_{k^{\star (1)}}=P_{v^{(1)}}(x)$^{Footnote 13} .

This means that

$$\begin{aligned} \textsf{Dec}_{\textsf{PE}}(\textbf{sk}_{\textsf{PE}}, \textsf{Label}(v^{(1)}))=P_{v^{(1)}}(x). \end{aligned}$$

$\underline{\text {Assumption for the induction (case h } - 1):}$ suppose as the assumption for the induction that the case $h - 1$ is true, i.e. every $v^{(h-1)}$ at height $h-1$ satisfies the property that $\textsf{Label}(v^{(h-1)})$ is bit-wise expanded ciphertexts of $P_{v^{(h-1)}}(x)$ and we have

$$\begin{aligned} \textsf{Dec}_{\textsf{PE}}(\textbf{sk}_{\textsf{PE}}, \textsf{Label}(v^{(h-1)})) = P_{v^{(h-1)}}(x). \end{aligned}$$

$\underline{\text {Case }h:}$ let $v^{(h)}$ be an arbitrary vertex at height h, and let $\Gamma (v^{(h)}) = \{v^{(h-1)}_0, v^{(h-1)}_1\}$ with $\phi _E(v^{(h)}, v^{(h-1)}_\sigma ) = \sigma $ for $\sigma \in \{0,1\}$. Recall that by the construction of $\textsf{Eval}_{\textsf{BP}}$, $\widetilde{a}_{\textsf{PE},v^{(h)}}$ is bit-wise expanded ciphertexts of $\textsf{Label}(v^{(h-1)}_{x_{k^{\star (h)}}})$, and $\textsf{Label}(v^{(h)})$ is an output of $\textsf{Eval}_{\textsf{PE}}(\textsf{Dec}_{\textsf{PE}}, \textbf{pp}, \textbf{pk}_{\textsf{PE}}, ((\widetilde{[\![{\textsf{sk}_{\textsf{PE},j}}]\!]}_j)_{j \in [N]}, \widetilde{a}_{\textsf{PE},v^{(h)}}))$. Hence, $\textsf{Label}(v^{(h)})$ is bit-wise expanded ciphertexts of

$$\begin{aligned} \textsf{Dec}_{\textsf{PE}}(\textbf{sk}_{\textsf{PE}}, \textsf{Label}(v^{(h-1)}_{x_{k^{\star (h)}}})) = P_{v^{(h-1)}_{x_{k^{\star (h)}}}}(x) = P_{v^{(h)}}(x), \end{aligned}$$

which means $\textsf{Dec}_{\textsf{PE}}(\textbf{sk}_{\textsf{PE}}, \textsf{Label}(v^{(h)})) = P_{v^{(h)}}(x)$ holds.

This is true for every vertex at height h, and thus proves the inductive step. Hence, we have $\textsf{Dec}_{\textsf{PE}}(\textbf{sk}_{\textsf{PE}}, \textsf{Label}(v^{\ell })) = \textsf{Dec}_{\textsf{PE}}(\textbf{sk}_{\textsf{PE}}, \textsf{Label}(v_0)) = P(x)$, and thus the scheme satisfies correctness. $\square $

For the semantic security of $\textsf{MKHE}_{\textsf{BP}}$, we need to assume $\textsf{MKHE}_{\textsf{PE}}$ is weakly circular secure. Since the proof is straightforward, we only give a proof sketch.

Theorem 4.2

(Security) If $\textsf{MKHE}_{\textsf{PE}}$ is weakly circular secure and $\textsf{SKHE}_{\textsf{mCP}}$ is semantically secure, then $\textsf{MKHE}_{\textsf{BP}}$ is semantically secure.

Proof of Sketch

By the semantic security of $\textsf{SKHE}_{\textsf{mCP}}$, $[{\textsf{sk}_{\textsf{PE},i} \Vert r_{\textsf{KG},i}}]_i$ in the challenge public key $\textsf{pk}_i$ and $[{r_{\textsf{Enc},i}}]$ in the challenge ciphertext $\textsf{ct}_i$ can be replaced by encryptions of unrelated messages of appropriate length without being noticed by an adversary. Then, the weak circular security of $\textsf{MKHE}_{\textsf{PE}}$ guarantees that the information of the challenge message x does not leak from $[\![{x}]\!]_i$ in $\textsf{ct}_i$. $\square $

The following theorem guarantees the malicious circuit privacy of $\textsf{MKHE}_{\textsf{BP}}$. The intuition and notation for the proof of this theorem are given at the beginning of this section (Sect. 4.2).

Theorem 4.3

(Malicious Circuit Privacy) If $\textsf{MKHE}_{\textsf{PE}}$ is privately expandable and $\textsf{SKHE}_{\textsf{mCP}}$ is maliciously circuit-private, then $\textsf{MKHE}_{\textsf{BP}}$ is maliciously circuit private.

Proof

Let $\textsf{Ext}_{\textsf{mCP}}$ and $\textsf{Sim}_{\textsf{mCP}}$ be respectively the extractor and simulator that are guaranteed to exist by the malicious circuit privacy of $\textsf{SKHE}_{\textsf{mCP}}$. We construct an extractor $\textsf{Ext}_{\textsf{BP}}$ and a simulator $\textsf{Sim}_{\textsf{BP}}$ as follows:

$\textsf{Ext}_{\textsf{BP}}(\textbf{pp}^*, i, \textsf{pk}^*_i, \textsf{ct}^*)$: Parse $\textsf{pk}^*_i$ as $(\textsf{pk}_{\textsf{PE},i}^*, \textsf{pk}_{\textsf{mCP},i}^*, [\![{\textsf{sk}_{\textsf{PE},i}}]\!]^*_i, [{\textsf{sk}_{\textsf{PE},i} \Vert r_{\textsf{KG},i}}]_i^*)$ and $\textsf{ct}^*$ as $([\![{x}]\!]^*_i, [{r_{\textsf{Enc}}}]^*_i)$. Extract^{Footnote 14}
$$\begin{aligned} \textsf{sk}_{\textsf{PE}, i}^{*} \Vert r_{\textsf{KG},i}^*&:= \textsf{Ext}_{\textsf{mCP}}(\textsf{pk}_{\textsf{mCP}, i}^{*}, [{\textsf{sk}_{\textsf{PE}, i} \Vert r_{\textsf{KG},i}}]^{*}_{i}),\\ r_{\textsf{Enc}}^{*}&:=\textsf{Ext}_{\textsf{mCP}}(\textsf{pk}_{\textsf{mCP}, i}^{*}, [{r_{\textsf{Enc}}}]^{*}_i). \end{aligned}$$
Check whether $(\textsf{pk}_{\textsf{PE}, i}^{*}, \textsf{sk}_{\textsf{PE}, i}^{*})=\textsf{KG}_{\textsf{PE}}(\textbf{pp}^*, i; r_{\textsf{KG}}^*)$ and there exists $x' \in \{0,1\}$ such that $[\![{x}]\!]^*_i = \textsf{Enc}_{\textsf{PE}}(\textbf{pp}^*, \textsf{pk}_{\textsf{PE}, i}^{*}, x'; r_{\textsf{Enc}}^{*})$. If the check passes, then output $x'$. Otherwise, output 0.
$\textsf{Sim}_{\textsf{BP}}(\textbf{pp}^*, \textbf{pk}^*, (I_k, \textsf{ct}_k^*)_{k\in [n]}, b^* \in \{0,1\})$: If there exists $j \in [N]$ such that $\textsf{pp}^*_j \notin [\textsf{dSetup}_{\textsf{PE}}(1^\lambda ,1^N, j)]$, then output $\bot $ and terminate. Otherwise, parse each $\textsf{pk}^*_j$ as $(\textsf{pk}_{\textsf{PE},j}^*, \textsf{pk}_{\textsf{mCP},j}^*, [\![{\textsf{sk}_{\textsf{PE},j}}]\!]^*_{j}, [{\textsf{sk}_{\textsf{PE},j} \Vert r_{\textsf{KG},j}}]^*_j)$ and each $\textsf{ct}_k^*$ as $([\![{x_k}]\!]^*_{I_k}, [{r_{\textsf{Enc},k}}]^*_{I_k})$. For every $j \in [N]$, do the following:
- Sample $S_{j}\xleftarrow {\$}\{0,1\}^{s_0}$.
- Do the same check on $\textsf{pk}_{\textsf{PE},j}^*$ and $[\![{x_k}]\!]^*_{j}$ as done in $\textsf{Ext}_{\textsf{BP}}(\textbf{pp}^*, j, \textsf{pk}_{\textsf{PE},j}^*, \textsf{ct}^*_k)$ for all k such that $I_k = j$.
- Compute
  $$\begin{aligned} \widehat{V}^*_{\textsf{mCP},j} := {\left\{ \begin{array}{ll} \begin{array}{r} \textsf{Sim}_{\textsf{mCP}} \Bigl (\textsf{pk}_{\textsf{mCP}, j}^{*}, ([{\textsf{sk}_{\textsf{mCP}, j} \Vert r_{\textsf{KG}, j}}]^{*}_j, \{[{r_{\textsf{Enc}, k}}]^{*}_{j}\}_{I_k=j}), S_j \Bigr )\\ \text {if the above check passes}\end{array}\\ \begin{array}{r} \textsf{Sim}_{\textsf{mCP}} \Bigl (\textsf{pk}_{\textsf{mCP}, j}^{*}, ([{\textsf{sk}_{\textsf{mCP}, j} \Vert r_{\textsf{KG}, j}}]^{*}_j, \{[{r_{\textsf{Enc}, k}}]^{*}_{j}\}_{I_k=j}), 0^{s_0} \Bigr )\\ \text {otherwise}\end{array} \end{array}\right. }. \end{aligned}$$
- Compute $\widetilde{[\![{\textsf{sk}_{\textsf{PE}, j}}]\!]}^* \xleftarrow {\$}\textsf{Expand}_{\textsf{PE}}(\textbf{pp}^*, \textbf{pk}^*, [\![{\textsf{sk}_{\textsf{PE}, j}}]\!]^{*}_j)$.
If one of the checks during the computation of $\widehat{V}_{\textsf{mCP},j}$ was not satisfied, then pick $\widehat{c}^* \xleftarrow {\$}\{0,1\}^{s_0}$, and terminate with output $\widehat{\textsf{ct}}^* := (\widehat{c}^*, (\widehat{V}^*_{\textsf{mCP},j})_{j \in [N]})$. Otherwise (i.e. the checks did not fail), set $\textsf{out}_0:=b^*$, and for $h=1, \ldots , \ell $, do the following:
- Let $[\![{0}]\!]_1:= \textsf{Enc}_{\textsf{PE}}(\textsf{pk}^*_{\textsf{PE},1}, 0;0)$ and $[\![{1}]\!]_1 := \textsf{Enc}_{\textsf{PE}}(\textsf{pk}^*_{\textsf{PE},1}, 1;0)$.
- For $t=1,\dots , s:=|\textsf{out}_{h-1}|$ (where $|\textsf{out}_0|:=1$), set
  $$\begin{aligned} a^*_{\textsf{PE},t}:= {\left\{ \begin{array}{ll} {[\![{0}]\!]_{1}} &{} \text {if the }t\text {-th bit of }\textsf{out}_{h-1}\text { is }0\\ {[\![{1}]\!]_{1}} &{} \text {if the }t\text {-th bit of }\textsf{out}_{h-1}\text { is }1\\ \end{array}\right. }, \end{aligned}$$
  and compute $\widetilde{a}^*_{\textsf{PE},t} \xleftarrow {\$}\textsf{Expand}_{\textsf{PE}}(\textbf{pp}^*, \textbf{pk}_{\textsf{PE}}^*, 1, a^*_{\textsf{PE},t})$.
- Set $\widetilde{a}^*_{\textsf{PE},h} := (\widetilde{a}^*_{\textsf{PE},1}, \ldots , \widetilde{a}^*_{\textsf{PE},s})$.
- Compute
  $$\begin{aligned} \textsf{out}_h:= {\left\{ \begin{array}{ll} \widetilde{a}^*_{\textsf{PE},1} &{} \text {if }h=1,\\ \textsf{Eval}_{\textsf{PE}} \Bigl (\textsf{Dec}_{\textsf{PE}}, \textbf{pp}^*, \textbf{pk}^*_{\textsf{PE}}, ((\widetilde{[\![{\textsf{sk}_{\textsf{PE}, j}}]\!]}^{*})_{j\in [N]}, \widetilde{a}^*_{\textsf{PE},h}) \Bigr ) &{} \text {otherwise} \end{array}\right. }. \end{aligned}$$
Set $\widehat{c}^* := \textsf{out}_{\ell } \oplus \bigoplus _{j \in [N]} S_j$ and output $\widehat{\textsf{ct}}^*:=(\widehat{c}^*, (\widehat{V}^*_{\textsf{mCP}, j})_{j \in [N]})$.

Consider an arbitrary branching program $P = (G = (V,E), v_0, T, \phi _V, \phi _E)$ (with length $\ell $, input-length n), and public parameters $\textbf{pp}^*$, public keys $\textbf{pk}^* = (\textsf{pk}^*_{\textsf{PE},j}, [\![{\textsf{sk}_{\textsf{PE},j}}]\!]^*_j, [{\textsf{sk}_{\textsf{PE},j} \Vert r_{\textsf{KG},j}}]^*_j)_{j \in [N]}$, and index/ciphertext pairs $(I_k, \textsf{ct}^*_k)_{k \in [n]}$ where $\textsf{ct}^*_k = ([\![{x_k}]\!]^*_{I_k}, [{r_{\textsf{Enc},k}}]^*_{I_k})$ for each $k \in [n]$. (Here, possibly malformed values are denoted with an asterisk.) Let

$$\begin{aligned} \widehat{\textsf{ct}}&= (\widehat{c}, (\widehat{V}_{\textsf{mCP},j})_{j \in [N]}) \xleftarrow {\$}\textsf{Eval}_{\textsf{BP}}(P, \textbf{pp}^*, \textbf{pk}^*, (I_k, \textsf{ct}^*_k)_{k \in [n]}),\\ \widehat{\textsf{ct}}^*&= (\widehat{c}^*, (\widehat{V}^*_{\textsf{mCP},j})_{j \in [N]}) \xleftarrow {\$}\textsf{Sim}_{\textsf{BP}}(\textbf{pp}^*, \textbf{pk}^*, (I_k, \textsf{ct}^*_k)_{k \in [n]}, b^*), \end{aligned}$$

where $b^* := P(x^*_1, \dots , x^*_n)$ and $x^*_k := \textsf{Ext}_{\textsf{BP}}(\textbf{pp}^*, I_k, \textsf{pk}_{I_k}^*, \textsf{ct}^*_k)$ for all $k \in [n]$. Let $\textsf{sk}_{\textsf{PE}, j}^{*} \Vert r_{\textsf{KG},j}^* :=\textsf{Ext}_{\textsf{mCP}}(\textsf{pk}_{\textsf{mCP}, j}^{*}, [{\textsf{sk}_{\textsf{PE}, j} \Vert r_{\textsf{KG},j}}]^{*}_{j})$ for all $j \in [N]$, and $r_{\textsf{Enc},k}^{*} :=\textsf{Ext}_{\textsf{mCP}}(\textsf{pk}_{\textsf{mCP}, I_k}^{*}, [{r_{\textsf{Enc},k}}]^{*}_{I_k})$ for all $k \in [n]$. What we need to show is $\widehat{\textsf{ct}}\approx _s \widehat{\textsf{ct}}^*$.

Firstly, it immediately follows that $(\widehat{V}_{\textsf{mCP},j})_{j \in [N]} \approx _s (\widehat{V}^*_{\textsf{mCP}, j})_{j \in [N]}$ holds by the malicious circuit privacy of $\textsf{SKHE}_{\textsf{mCP}}$. Hence, we have $(\widehat{c}, (\widehat{V}_{\textsf{mCP},j})_{j \in [N]}) \approx _s (\widehat{c}, (\widehat{V}^*_{\textsf{mCP},j})_{j \in [N]})$, where the right hand side is the “hybrid” distribution in which $\widehat{c}$ is generated as in $\textsf{Eval}_{\textsf{BP}}$ and $(\widehat{V}^*_{\textsf{mCP},j})_{j \in [N]}$ is generated as in $\textsf{Sim}_{\textsf{BP}}$. Furthermore, if there exists $j \in [N]$ under which

$$\begin{aligned} \textsf{Validate}^{N, q_j}_{\textbf{pp}^*, j, \textsf{pk}^*_{\textsf{PE},j}, \{[\![{x_k}]\!]^*_j\}_{I_k = j}, S_j}(\textsf{sk}^*_{\textsf{PE},j}, r_{\textsf{KG},j}^*, \{r_{\textsf{Enc},k}^*\}_{I_k = j}) = 0^{s_0} \end{aligned}$$

holds, then $\widehat{V}^*_j$ is independent of $S_j$, and makes $\widehat{c}$ in the hybrid distribution uniformly random and independent of other values, which is exactly how $\widehat{c}^*$ in this case is generated. This means that $\widehat{\textsf{ct}}\approx _s \widehat{\textsf{ct}}^*$ holds in this case.

We now consider the distributions of $\widehat{c}$ and $\widehat{c}^*$ in the remaining case (i.e. the check in $\textsf{Validate}$ is satisfied and it outputs $S_j$ for all $j \in [N]$). In this case, it is guaranteed that every $\textsf{pk}_{\textsf{PE},j}^*$ is a possible output of $\textsf{KG}_{\textsf{PE}}(\textbf{pp}^*, j)$, and every $[\![{x_k}]\!]^*_{I_k}$ is a possible output of $\textsf{Enc}_{\textsf{PE}}(\textsf{pk}^*_{\textsf{PE},I_k}, x^*_k)$. Hence, we write $[\![{x^*_k}]\!]_{I_k}$ instead of $[\![{x_k}]\!]^*_{I_k}$ to reflect this.

Let $v^{(h)}\in V$ be the vertex at height $h\in \{0\} \cup [\ell ]$ along the path indicated by $(x^*_1, \ldots , x^*_n) \in \{0,1\}^n$. To show $\widehat{c}\approx _s \widehat{c}^*$, we inductively show that $\textsf{Label}(v^{(h)})$ in $\textsf{Eval}_{\textsf{BP}}$ and $\textsf{out}_h$ in $\textsf{Sim}_{\textsf{BP}}$ are statistically indistinguishable for every $h \in \{0\} \cup [\ell ]$.

$\underline{\text {Base case }h = 0:}$ We have $\textsf{out}_0=b^*=\textsf{Label}(v^{(0)})$ by the design of $\textsf{Sim}_{\textsf{BP}}$, and thus clearly $\textsf{out}_0\approx _s\textsf{Label}(v^{(0)})$.

$\underline{\text {Assumption for the induction (case }h - 1):}$ Now, suppose as an hypothesis for the induction that $\textsf{out}_{h-1}\approx _s\textsf{Label}(v^{(h-1)})$ holds.

$\underline{\text {Case }h:}$ For every $t=1,\ldots , s:=|\textsf{Label}(v^{(h)})|$, if the t-th bit of $\textsf{out}_{h-1}$ is 0, then $\textsf{Sim}_{\textsf{BP}}$ computes $\widetilde{a}_{\textsf{PE},t}^* \xleftarrow {\$}\textsf{Expand}_{\textsf{PE}}(\textbf{pp}^*, \textbf{pk}_{\textsf{PE}}^*, 1, [\![{0}]\!]_1)$. On the other hand, if $\textsf{Label}(v^{(h-1)})[t]=0$, then letting $k^\star = \phi _{V}(v^{(h)})$, $\textsf{Eval}_{\textsf{BP}}$ computes $\widetilde{a}_{\textsf{PE},t} \xleftarrow {\$}\textsf{Expand}_{\textsf{PE}}(\textbf{pp}^*, \textbf{pk}_{\textsf{PE}}^*, I_{k^\star }, a_{\textsf{PE},t})$, where

$$\begin{aligned} a_{\textsf{PE},t} = {\left\{ \begin{array}{ll} {[\![{0}]\!]_{I_{k^{\star }}}} \text { or } [\![{x^{*}_{k^{\star }}}]\!]_{I_{k^{\star }}} &{} \text {if } x^*_{k^{\star }}=\phi _E(v^{(h)}, v^{(h-1)})=0\\ {[\![{1}]\!]_{I_{k^{\star }}}} - [\![{x^*_{k^{{\star }}}}]\!]_{I_{k^{\star }}} &{} \text {if } x^{*}_{k^{\star }} =\phi _E(v^{(h)}, v^{(h-1)})=1 \end{array}\right. }. \end{aligned}$$

Since at this point $[\![{x^*_{k^\star }}]\!]_{I_{k^\star }}$ is guaranteed to be a valid encryption of $x^*_{k^{\star }}$, $a_{\textsf{PE},t}$ is guaranteed to be a valid encryption of 0 (under $\textsf{pk}^*_{\textsf{PE},I_{k^\star }}$). Hence, $\widetilde{a}_{\textsf{PE},t}$ is an expanded ciphertext of 0. Thus, if the t-th bit of $\textsf{out}_{h-1}$ is equal to $0 = \textsf{Label}(v^{(h-1)})[t]$, then by the private expandability of $\textsf{MKHE}_{\textsf{PE}}$, we have $\widetilde{a}^*_{\textsf{PE},t} \approx _s \widetilde{a}_{\textsf{PE},t}$.

Similarly, if the t-th bit of $\textsf{out}_{h-1}$ is 1, then $\textsf{Sim}_{\textsf{BP}}$ computes $\widetilde{a}_{\textsf{PE},t}^* \xleftarrow {\$}\textsf{Expand}_{\textsf{PE}}(\textbf{pp}^*, \textbf{pk}_{\textsf{PE}}^*, 1, [\![{1}]\!]_1)$. On the other hand, if $\textsf{Label}(v^{(h-1)})[t]=1$, then $\textsf{Eval}_{\textsf{BP}}$ computes $\widetilde{a}_{\textsf{PE},t} \xleftarrow {\$}\textsf{Expand}_{\textsf{PE}}(\textbf{pp}^*, \textbf{pk}_{\textsf{PE}}^*, I_{k^\star }, a_{\textsf{PE},t})$, where

$$\begin{aligned} a_{\textsf{PE},t} = {\left\{ \begin{array}{ll} {[\![{1}]\!]_{I_{k^{\star }}}} - {[\![{x^{*}_{k^{\star }}}]\!]_{I_{k^{\star }}}} &{} \text {if } x^*_{k^{\star }} =\phi _E(v^{(h)}, v^{(h-1)})=0\\ {[\![{x^*_{k^{\star }}}]\!]_{I_{k^{\star }}}} \text { or } {[\![{1}]\!]_{I_{k^\star }}} &{} \text {if } x^{*}_{k^{\star }}=\phi _E(v^{(h)}, v^{(h-1)})=1 \end{array}\right. }. \end{aligned}$$

Thus, if the t-th bit of $\textsf{out}_{h-1}$ is equal to $1 = \textsf{Label}(v^{(h-1)})[t]$, then $a_{\textsf{PE},t}$ is a valid encryption of 1 (under $\textsf{pk}^*_{I_k}$). Again by the private expandability of $\textsf{MKHE}_{\textsf{PE}}$, we have $\widetilde{a}^*_{\textsf{PE},t} \approx _s \widetilde{a}_{\textsf{PE},t}$.

Averaging over $\textsf{out}_{h-1} \approx _s \textsf{Label}(v^{(h-1)})$, we have $\widetilde{a}^*_{\textsf{PE}, h} \approx _s \widetilde{a}_{\textsf{PE},v^{(h)}}$.

By applying $\textsf{Eval}_{\textsf{PE}}(\textsf{Dec}_{\textsf{PE}}, \textbf{pp}^*, \textbf{pk}_{\textsf{PE}}^*, (\widetilde{[\![{\textsf{sk}_{\textsf{PE}, j}}]\!]}^*)_{j\in [N]}, \cdot )$ to both sides of $\widetilde{a}^*_{\textsf{PE}, h} \approx _s \widetilde{a}_{\textsf{PE}, v^{(h)}}$, we have $\textsf{out}_h \approx _s \textsf{Label}(v^{(h)})$, proving the inductive step. Hence, we have $\textsf{out}_\ell \approx _s \textsf{Label}(v^{(\ell )}) = \textsf{Label}(v_0)$ and thus $\widehat{c}^* \approx _s \widehat{c}$.

We have shown that in any case, $(\widehat{c}, (\widehat{V}_{\textsf{mCP},j})_{j \in [N]}) \approx _s (\widehat{c}^*, (\widehat{V}^*_{\textsf{mCP},j})_{j \in [N]})$ holds. This means that $\textsf{MKHE}_{\textsf{BP}}$ satisfies malicious circuit privacy. $\square $

Instantiation For the underlying privately expandable MKFHE scheme with distributed setup, we can use $\textsf{MKHE}_{\textsf{pBHP}}$ shown in Sect. 3.3, whose weak circular security directly follows from that of the original scheme $\textsf{MKHE}_{\textsf{BHP}}$.

For the underlying maliciously circuit-private single-key FHE scheme, we can rely on the existing results [9, 27, 36]. Specifically, Ostrovsky et al. [36] constructed a maliciously circuit-private single-key FHE scheme from the combination of compact single-key FHE and single-key HE satisfying a weak form of malicious circuit privacy (called input privacy), and the latter can be based on a statistically sender-private (2-message) OT protocol and an information-theoretic randomized encoding [27]. Brakerski and Döttling [9] recently constructed such an OT protocol based on LWE, and the MKFHE scheme $\textsf{MKHE}_{\textsf{BHP}}$ can be used as single-key FHE, we can realize a maliciously circuit-private single-key FHE scheme based on LWE and the weak circular security of $\textsf{MKHE}_{\textsf{BHP}}$.

Using the above two schemes in $\textsf{MKHE}_{\textsf{BP}}$, we obtain a maliciously circuit-private MKHE with distributed setup for branching programs based on LWE and the weak circular security of $\textsf{MKHE}_{\textsf{BHP}}$, yielding a proof of Theorem 1.1.

4.3 Achieving full homomorphism

We follow the framework of [17] that generically transforms an MKHE scheme for branching programs to a fully homomorphic one by using a (non-circuit-private) MKFHE scheme with distributed setup as an additional building block. As in our scheme for branching programs in Sect. 4.2, the main difference from [17] is that in the homomorphic evaluation algorithm, we have to make sure the public parameters belong to the support of the distributed setup algorithm.

Intuition of our construction To construct a fully homomorphic scheme, we combine the malicious circuit-private MKHE scheme $\textsf{MKHE}_{\textsf{BP}}$ for branching programs in Sect. 4.2 and a standard MKFHE scheme $\textsf{MKHE}_{\textsf{F}}$. Inputs to a function are encrypted by $\textsf{MKHE}_{\textsf{F}}$ and homomorphic evaluation is done by the evaluation algorithm of $\textsf{MKHE}_{\textsf{F}}$. The result of the homomorphic evaluation can be transformed into the ciphertext of $\textsf{MKHE}_{\textsf{BP}}$ in a bootstrapping-like manner. Our homomorphic evaluation algorithm also uses $\textsf{MKHE}_{\textsf{BP}}$ to check whether the inputs to the homomorphic evaluation are generated properly.

The homomorphic evaluation algorithm of our construction computes an output by homomorphically evaluating a composition of the decryption of $\textsf{MKHE}_{\textsf{BP}}$ and function that checks all the input validations success. The composite function is parametrized by the results of the homomorphic evaluation and input validations, which are the ciphertexts of $\textsf{MKHE}_{\textsf{BP}}$. Since the simulator for our construction can generate simulated results of the homomorphic computation by using the simulator for $\textsf{MKHE}_{\textsf{BP}}$, the composite function computed by our simulator is statistically indistinguishable from the one in the real evaluation.

Building blocks We will use the following building blocks.

Let $\textsf{MKHE}_{\textsf{F}} = (\textsf{dSetup}_{\textsf{F}}, \textsf{KG}_{\textsf{F}}, \textsf{Enc}_{\textsf{F}}, \textsf{Eval}_{\textsf{F}}, \textsf{Dec}_{\textsf{F}})$ be a (non-circuit-private) MKFHE scheme with distributed setup whose decryption circuit can be computed by $\textsf{NC}^1$ circuits.
Let $\textsf{MKHE}_{\textsf{BP}} = (\textsf{dSetup}_{\textsf{BP}}, \textsf{KG}_{\textsf{BP}}, \textsf{Enc}_{\textsf{BP}}, \textsf{Eval}_{\textsf{BP}}, \textsf{Dec}_{\textsf{BP}})$ be a maliciously circuit-private MKHE scheme with distributed setup for length-$\ell $ branching programs, where $\ell $ is a polynomial of $\lambda $ large enough so that it can compute the validation circuits $\textsf{KValidate}$ and $\textsf{CValidate}$ introduced below, and the decryption circuit of $\textsf{Dec}_{\textsf{F}}$. For notational convenience, we treat this scheme as an MKHE scheme for circuits that can be computed by length $\ell $-branching programs. (Thus, $\textsf{Eval}_{\textsf{BP}}$ takes a circuit as input, rather than a branching program).

Notation and convention We use similar notations and conventions as in Sect. 4.2, namely, subscripts $\textsf{F}$ and $\textsf{BP}$ for parameters, and $\textsf{Enc}_{\textsf{F}}$ and $\textsf{Enc}_{\textsf{BP}}$ takes bit-strings as a plaintext inputs. Similarly, we allow $\textsf{Dec}_{\textsf{F}}$ and $\textsf{Dec}_{\textsf{BP}}$ to take multiple ciphertexts as input, and let their outputs be the concatenation of the decryption results. We will also use bracket notations for ciphertexts: $[\![{x}]\!]_i$ for a ciphertext generated as $\textsf{Enc}_{\textsf{F}}(\textsf{pk}_{\textsf{F},i},x)$, and $[{x}]_i$ for a ciphertext generated as $\textsf{Enc}_{\textsf{BP}}(\textsf{pk}_{\textsf{BP},i}, x)$.

Validation circuits We introduce three types of circuits that will be used in the construction of our fully homomorphic scheme.

$\textsf{KValidate}$ checks whether a hardwired public key of $\textsf{MKHE}_{\textsf{F}}$ is well-formed. It has the following values hardwired: $N \in \mathbb {N}$, public parameters $\textbf{pp}_{\textsf{F}}$, an index $i \in [N]$, a public key $\textsf{pk}_{\textsf{F}}$, and some value $\textsf{out}\in \{0,1\}^*$. Then, it takes a pair of (candidate) secret key $\textsf{sk}_{\textsf{F}}$ and randomness $r_{\textsf{KG}}$ as input, and its output is defined as follows:
$$\begin{aligned} \textsf{KValidate}^N_{\textbf{pp}_{\textsf{F}}, i, \textsf{pk}_{\textsf{F}}, \textsf{out}}(\textsf{sk}_{\textsf{F}}, r_{\textsf{KG}}) := {\left\{ \begin{array}{ll} \textsf{out}&{} \text { if } (\textsf{pk}_{\textsf{F}}, \textsf{sk}_{\textsf{F}}) = \textsf{KG}_{\textsf{F}}(\textbf{pp}_{\textsf{F}}, i; r_{\textsf{KG}})\\ 0 &{} \text {otherwise} \end{array}\right. }. \end{aligned}$$
$\textsf{CValidate}$ checks whether the hardwired ciphertext of $\textsf{MKHE}_{\textsf{F}}$ is well-formed. It has the following values hardwired: a public key $\textsf{pk}_{\textsf{F}}$, a ciphertext $\textsf{ct}_{\textsf{F}}$, and some value $\textsf{out}\in \{0,1\}^*$. Then, it takes randomness $r_{\textsf{Enc}}$ as input, and its output is defined as follows:
$$\begin{aligned} \textsf{CValidate}_{\textsf{pk}_{\textsf{F}}, \textsf{ct}_{\textsf{F}}, \textsf{out}}(r_{\textsf{Enc}}) := {\left\{ \begin{array}{ll} \textsf{out}&{} \text { if } \exists x \in \{0,1\} : \textsf{ct}_{\textsf{F}} = \textsf{Enc}_{\textsf{F}}(\textsf{pk}_{\textsf{F}}, x; r_{\textsf{Enc}})\\ 0 &{} \text {otherwise} \end{array}\right. }. \end{aligned}$$
$\textsf{CombineDec}$ checks whether the given ciphertexts of $\textsf{MKHE}_{\textsf{BP}}$ are correctly decrypted to a hardwired element. It has $N,q \in \mathbb {N}$ and some value $\textsf{out}\in \{0,1\}^*$ hardwired, takes N secret keys $\textbf{sk}_{\textsf{BP}} = (\textsf{sk}_{\textsf{BP}, j})_{j \in [N]}$ and q evaluated ciphertexts $\{\widehat{\textsf{ct}}_{\textsf{BP},j}\}_{j \in [q]}$ as input, and its output is defined as follows:
$$\begin{aligned} \textsf{CombineDec}^{N,q}_{\textsf{out}} \Bigl (\textbf{sk}_{\textsf{BP}}, \{\widehat{\textsf{ct}}_{\textsf{BP},j}\}_{j \in [q]} \Bigr ) := {\left\{ \begin{array}{ll} \textsf{out}&{} \begin{array}{l} \text {if }\textsf{Dec}_{\textsf{BP}}(\textbf{sk}_{\textsf{BP}}, \widehat{\textsf{ct}}_{\textsf{BP},j}) = \textsf{out}\\ ~~~~~~~~~~~~~~~~~~\text { for all } j \in [q] \end{array}\\ 0 &{} \text {otherwise} \end{array}\right. }. \end{aligned}$$

Construction Using the building blocks $\textsf{MKHE}_{\textsf{F}}$ and $\textsf{MKHE}_{\textsf{BP}}$, and the validation circuits $\textsf{KValidate}$, $\textsf{CValidate}$, and $\textsf{CombineDec}$, we construct our maliciously circuit private MKFHE scheme with distributed setup $\textsf{MKHE}_{\textsf{mCP}} = (\textsf{dSetup}_{\textsf{mCP}}, \textsf{KG}_{\textsf{mCP}}, \textsf{Enc}_{\textsf{mCP}}, \textsf{Eval}_{\textsf{mCP}}, \textsf{Dec}_{\textsf{mCP}})$ as follows. (For convenience, a one-page version of the description is given in Figure in page 49.)

$\textsf{dSetup}_{\textsf{mCP}}(1^\lambda , 1^N, i\in [N])$: Compute $\textsf{pp}_{\textsf{BP}, i} \xleftarrow {\$}\textsf{dSetup}_{\textsf{BP}}(1^\lambda , 1^N, i)$ and $\textsf{pp}_{\textsf{F}, i} \xleftarrow {\$}\textsf{dSetup}_{\textsf{F}}(1^{\lambda }, 1^N, i)$. Output $\textsf{pp}_i:=(\textsf{pp}_{\textsf{BP}, i}, \textsf{pp}_{\textsf{F}, i})$.
$\textsf{KG}_{\textsf{mCP}}(\textbf{pp}, i \in [N])$: Parse each $\textsf{pp}_j$ as $(\textsf{pp}_{\textsf{BP}, j}, \textsf{pp}_{\textsf{F}, j})$. Pick randomness $r_{\textsf{KG},i}$ for $\textsf{KG}_{\textsf{F}}$, and compute
$$\begin{aligned}&(\textsf{pk}_{\textsf{F}, i}, \textsf{sk}_{\textsf{F}, i}) := \textsf{KG}_{\textsf{F}}(\textbf{pp}_{\textsf{F}}, i; r_{\textsf{KG}, i}),{} & {} (\textsf{pk}_{\textsf{BP}, i}, \textsf{sk}_{\textsf{BP}, i}) \xleftarrow {\$}\textsf{KG}_{\textsf{BP}}(\textbf{pp}_{\textsf{BP}}, i),\\&[\![{\textsf{sk}_{\textsf{BP}, i}}]\!]_i \xleftarrow {\$}\textsf{Enc}_{\textsf{F}}(\textsf{pk}_{\textsf{F}, i}, \textsf{sk}_{\textsf{BP}, i}),{} & {} [{\textsf{sk}_{\textsf{F}, i}}]_i \xleftarrow {\$}\textsf{Enc}_{\textsf{BP}}(\textsf{pk}_{\textsf{BP}, i}, \textsf{sk}_{\textsf{F}, i}),\\&[{r_{\textsf{KG}, i}}]_i \xleftarrow {\$}\textsf{Enc}_{\textsf{BP}}(\textsf{pk}_{\textsf{BP}, i}, r_{\textsf{KG}, i}). \end{aligned}$$
Output $\textsf{pk}_i:=(\textsf{pk}_{\textsf{F}, i}, \textsf{pk}_{\textsf{BP}, i}, [\![{\textsf{sk}_{\textsf{BP}, i}}]\!]_i, [{\textsf{sk}_{\textsf{F}, i}}], [{r_{\textsf{KG}, i}}]_i)$ and $\textsf{sk}_i:=\textsf{sk}_{\textsf{F}, i}$.
$\textsf{Enc}_{\textsf{mCP}}(\textsf{pk}_i, x \in \{0,1\})$: Parse $\textsf{pk}_i$ as $(\textsf{pk}_{\textsf{F}, i}, \textsf{pk}_{\textsf{BP}, i}, [\![{\textsf{sk}_{\textsf{BP}, i}}]\!]_i, [{\textsf{sk}_{\textsf{F}, i}}]_i, [{r_{\textsf{KG}, i}}]_i)$. Pick randomness $r_{\textsf{Enc}, i}$ for $\textsf{Enc}_{\textsf{F}}$, and compute
$$\begin{aligned}&[\![{x}]\!]_i := \textsf{Enc}_{\textsf{F}}(\textsf{pk}_{\textsf{F}, i}, x; r_{\textsf{Enc}, i}),{} & {} [{r_{\textsf{Enc}, i}}]_i \xleftarrow {\$}\textsf{Enc}_{\textsf{BP}}(\textsf{pk}_{\textsf{BP}, i}, r_{\textsf{Enc}, i}). \end{aligned}$$
Output $\textsf{ct}_i:=([\![{x}]\!]_i, [{r_{\textsf{Enc}, i}}]_i)$.
$\textsf{Eval}_{\textsf{mCP}}(C, \textbf{pp}, \textbf{pk}, (I_k, \textsf{ct}_k)_{k\in [n]})$: If there exists $j \in [N]$ such that $\textsf{pp}_j \notin [\textsf{dSetup}_{\textsf{mCP}}(1^\lambda ,1^N, j)]$, then output $\bot $ and terminate. Otherwise, parse each $\textsf{pp}_j$ as $(\textsf{pp}_{\textsf{BP},j}, \textsf{pp}_{\textsf{F},j})$, each $\textsf{pk}_j$ as $(\textsf{pk}_{\textsf{F}, j}, \textsf{pk}_{\textsf{BP}, j}, [\![{\textsf{sk}_{\textsf{BP}, j}}]\!]_j, [{\textsf{sk}_{\textsf{F}, j}}]_j, [{r_{\textsf{KG}, j}}]_j)$, and each $\textsf{ct}_k$ as $([\![{x_k}]\!]_{I_k}, [{r_{\textsf{Enc}, k}}]_{I_k})$. Compute
$$\begin{aligned} \widehat{\textsf{ct}}_{\textsf{F}}&\xleftarrow {\$}\textsf{Eval}_{\textsf{F}} \Bigl ( C, \textbf{pp}_{\textsf{F}}, \textbf{pk}_{\textsf{F}}, (I_k, [\![{x_k}]\!]_{I_k})_{k\in [n]} \Bigr ),\\ \widehat{\textsf{ct}}_{\textsf{BP}}&\xleftarrow {\$}\textsf{Eval}_{\textsf{BP}} \Bigl ( \textsf{Dec}_{\textsf{F}}(\cdot , \widehat{\textsf{ct}}_{\textsf{F}}), \textbf{pp}_{\textsf{BP}}, \textbf{pk}_{\textsf{BP}}, (j, [{\textsf{sk}_{\textsf{F}, j}}]_j)_{j\in [N]} \Bigr ). \end{aligned}$$
For every $j \in [N]$, compute
$$\begin{aligned} \widehat{\textsf{ct}}^K_{\textsf{BP}, j} \xleftarrow {\$}\textsf{Eval}_{\textsf{BP}} \left( \begin{array}{l} \textsf{KValidate}^N_{\textbf{pp}_{\textsf{F}}, j, \textsf{pk}_{\textsf{F}, j}, \widehat{\textsf{ct}}_{\textsf{BP}}},\\ \textbf{pp}_\textsf{BP}, \textbf{pk}_{\textsf{BP}}, (j, ([{\textsf{sk}_{\textsf{F}, j}}]_j, [{r_{\textsf{KG}, j}}]_j)) \end{array} \right) . \end{aligned}$$
For every $k \in [n]$, compute
$$\begin{aligned} \widehat{\textsf{ct}}^C_{\textsf{BP}, k} \xleftarrow {\$}\textsf{Eval}_{\textsf{BP}} \left( \begin{array}{l} \textsf{CValidate}_{\textsf{pk}_{\textsf{F}, I_k}, [\![{x_k}]\!]_{I_k}, \widehat{\textsf{ct}}_{\textsf{BP}}},\\ \textbf{pp}_{\textsf{BP}}, \textbf{pk}_{\textsf{BP}}, (I_k, [{r_{\textsf{Enc}, k}}]_{I_k}) \end{array} \right) . \end{aligned}$$
Output
$$\begin{aligned} \widehat{\textsf{ct}}\xleftarrow {\$}\textsf{Eval}_{\textsf{F}} \left( \begin{array}{l} \textsf{Dec}_{\textsf{BP}}(\cdot , \textsf{CombineDec}^{N,N+n}_{\widehat{\textsf{ct}}_{\textsf{BP}}}(\cdot , \{\widehat{\textsf{ct}}^K_{\textsf{BP}, j}\}_{j\in [N]} \cup \{\widehat{\textsf{ct}}^C_{\textsf{BP}, k}\}_{k\in [n]})),\\ \textbf{pp}_{\textsf{F}}, \textbf{pk}_\textsf{F}, (j, [\![{\textsf{sk}_{\textsf{BP}, j}}]\!]_j)_{j\in [N]} \end{array} \right) . \end{aligned}$$
$\textsf{Dec}_{\textsf{mCP}}(\textbf{sk}, \widehat{\textsf{ct}})$: Parse each $\textsf{sk}_j$ as $\textsf{sk}_{\textsf{F}, j}$. Output $\widehat{x}:=\textsf{Dec}_{\textsf{F}}(\textbf{sk}_{\textsf{F}}, \widehat{\textsf{ct}})$.

Correctness and security The correctness of $\textsf{MKHE}_{\textsf{mCP}}$ is immediate from the correctness of $\textsf{MKHE}_{\textsf{F}}$ and $\textsf{MKHE}_{\textsf{BP}}$.

The semantic security of $\textsf{MKHE}_{\textsf{mCP}}$ is not straightforward. Like the construction in [17], a public key $\textsf{pk}_i$ of $\textsf{MKHE}_{\textsf{mCP}}$ contains an encryption of a secret key $\textsf{sk}_{\textsf{BP},i}$ under $\textsf{pk}_{\textsf{F},i}$, and encryptions of a secret key $\textsf{sk}_{\textsf{F},i}$ and the randomness $r_{\textsf{KG},i}$ used to generate $\textsf{sk}_{\textsf{F},i}$ under $\textsf{pk}_{\textsf{F},i}$. Hence, semantic security does not simply follow from a straightforward combination of the semantic security and/or (weak) circular security of the individual building blocks $\textsf{MKHE}_{\textsf{F}}$ and $\textsf{MKHE}_{\textsf{BP}}$. In order to prove the semantic security of $\textsf{MKHE}_{\textsf{mCP}}$, it seems unavoidable to assume that the semantic security of $\textsf{MKHE}_{\textsf{F}}$ and $\textsf{MKHE}_{\textsf{BP}}$ continue to hold even if in the semantic security games of each scheme, an adversary is additionally given the values that constitute the public parameters $\textsf{pp}_i = (\textsf{pp}_{\textsf{F},i}, \textsf{pp}_{\textsf{BP},i})$ and a public key $\textsf{pk}_i = (\textsf{pk}_{\textsf{F},i}, \textsf{pk}_{\textsf{BP},i}, [\![{\textsf{sk}_{\textsf{BP},i}}]\!]_i, [{\textsf{sk}_{\textsf{F},i}}]_i, [{r_{\textsf{KG},i}}]_i)$ of $\textsf{MKHE}_{\textsf{mCP}}$.^{Footnote 15}

Once we admit this type of somewhat non-standard circular security assumptions on $\textsf{MKHE}_{\textsf{F}}$ and $\textsf{MKHE}_{\textsf{BP}}$, the semantic security of $\textsf{MKHE}_{\textsf{mCP}}$ follows straightforwardly, and thus we omit the proof.

Theorem 4.4

(Security) If $\textsf{MKHE}_{\textsf{F}}$ and $\textsf{MKHE}_{\textsf{BP}}$ satisfy the above “joint” circular security, then $\textsf{MKHE}_{\textsf{mCP}}$ is semantically secure.

The following theorem guarantees the malicious circuit privacy of $\textsf{MKHE}_{\textsf{mCP}}$. The intuition and notation for the proof of this theorem are given at the beginning of this section (Sect. 4.3).

Theorem 4.5

(Malicious Circuit Privacy) If $\textsf{MKHE}_{\textsf{BP}}$ is maliciously circuit-private, then so is $\textsf{MKHE}_{\textsf{mCP}}$.

The proof goes similarly to that of [16, Theorem 5.1].

Proof

Let $\textsf{Ext}_{\textsf{BP}}$ and $\textsf{Sim}_{\textsf{BP}}$ be the extractor and simulator, respectively, that are guaranteed to exist by the malicious circuit privacy of $\textsf{MKHE}_{\textsf{BP}}$. We construct an extractor $\textsf{Ext}_{\textsf{mCP}}$ and a simulator $\textsf{Sim}_{\textsf{mCP}}$ as follows.

$\textsf{Ext}_{\textsf{mCP}}(\textbf{pp}^*,i, \textsf{pk}^*_i, \textsf{ct}^*_i)$: Parse each $\textsf{pp}^*_j$ as $(\textsf{pp}_{\textsf{F},j}^*, \textsf{pp}_{\textsf{BP},j}^*)$, $\textsf{pk}^*_i$ as $(\textsf{pk}_{\textsf{F}, i}^*, \textsf{pk}_{\textsf{BP}, i}^*, [{\textsf{sk}_{\textsf{F}, i}}]^*_i, [{r_{\textsf{KG}, i}}]^*_i, [\![{\textsf{sk}_{\textsf{BP}, i}}]\!]^*_i)$, and $\textsf{ct}^*_i$ as $([\![{x}]\!]^*_i, [{r_{\textsf{Enc},i}}]^*_i)$. Extract
$$\begin{aligned} \textsf{sk}_{\textsf{F}, i}^*&:= \textsf{Ext}_{\textsf{BP}}(\textbf{pp}_{\textsf{BP}}^*, i, \textsf{pk}_{\textsf{BP}, i}^*, [{\textsf{sk}_{\textsf{F}, i}}]^*_i),\\ r_{\textsf{KG}, i}^*&:= \textsf{Ext}_{\textsf{BP}}(\textbf{pp}_{\textsf{BP}}^*, i, \textsf{pk}_{\textsf{BP}, i}^*, [{r_{\textsf{KG}, i}}]^*_i),\\ r_{\textsf{Enc}, i}^*&:= \textsf{Ext}_{\textsf{BP}}(\textbf{pp}_{\textsf{BP}}^*, i, \textsf{pk}_{\textsf{BP}, i}^*, [{r_{\textsf{Enc}, i}}]^*_i). \end{aligned}$$
Check whether $(\textsf{pk}_{\textsf{F}, i}^*, \textsf{sk}_{\textsf{F}, i}^*) = \textsf{KG}_{\textsf{F}}(\textbf{pp}_{\textsf{F}}^*, i; r_{\textsf{KG}, i}^*)$ and there exists $x' \in \{0,1\}$ such that $[\![{x}]\!]^*_i = \textsf{Enc}_{\textsf{F}}(\textsf{pk}_{\textsf{F},i}^*, x'; r^*_{\textsf{Enc},i})$. If the check passes, then output $x'$. Otherwise, output 0.
$\textsf{Sim}_{\textsf{mCP}}(\textbf{pp}^*, \textbf{pk}^*, (I_k, \textsf{ct}_k^*)_{k\in [n]}, b^{*})$: If there exists $j \in [N]$ such that $\textsf{pp}^*_j \notin [\textsf{dSetup}_{\textsf{mCP}}(1^\lambda ,1^N, j)]$ holds, then output $\bot $ and terminate. Otherwise, parse each $\textsf{pp}_j^*$ as $(\textsf{pp}_{\textsf{F}, j}^*, \textsf{pp}_{\textsf{BP}, j}^*)$, each $\textsf{pk}_j^*$ as $(\textsf{pk}_{\textsf{F}, j}^*, \textsf{pk}_{\textsf{BP}, j}^*, [\![{\textsf{sk}_{\textsf{BP}, j}^*}]\!]_j, [{\textsf{sk}_{\textsf{F}, j}}]^*_j, [{r_{\textsf{KG}, j}}]^*_j)$, and each $\textsf{ct}_k^*$ as $([\![{x_k}]\!]^*_{I_k}, [{r_{\textsf{Enc},k}}]^*_{I_k})$. Compute $\widehat{\textsf{ct}}_{\textsf{BP}}^* \xleftarrow {\$}\textsf{Sim}_{\textsf{BP}}(\textbf{pp}_{\textsf{BP}}^*, \textbf{pk}_{\textsf{BP}}^*, (j, [{\textsf{sk}_{\textsf{F}, j}}]^*_j))_{j\in [N]}, b^{*})$. For every $j \in [N]$, compute
$$\begin{aligned} \textsf{sk}_{\textsf{F}, j}^*&:=\textsf{Ext}_{\textsf{BP}}(\textbf{pp}_{\textsf{BP}}^*, j, \textsf{pk}_{\textsf{BP}, j}^*, [{\textsf{sk}_{\textsf{F}, j}}]^*_j),\\ r_{\textsf{KG}, j}^*&:=\textsf{Ext}_{\textsf{BP}}(\textbf{pp}_{\textsf{BP}}^*, j, \textsf{pk}_{\textsf{BP}, j}^*, [{r_{\textsf{KG}, j}}]^*_j),\\ \textsf{out}^{*K}_j&:= {\left\{ \begin{array}{ll} \widehat{\textsf{ct}}_{\textsf{BP}}^* &{} \text {if } (\textsf{pk}_{\textsf{F}, j}^*, \textsf{sk}_{\textsf{F}, j}^*) = \textsf{KG}_{\textsf{F}}(\textbf{pp}_{\textsf{F}}, j; r_{\textsf{KG}, j}^*)\\ 0 &{} \text {otherwise} \end{array}\right. },\\ \widehat{\textsf{ct}}_{\textsf{BP}, j}^{*K}&\xleftarrow {\$}\textsf{Sim}_{\textsf{BP}} \Bigl (\textbf{pp}_{\textsf{BP}}^*, \textbf{pk}_{\textsf{BP}}^*, (j, ([{\textsf{sk}_{\textsf{BHP}, j}}]^*_j, [{r_{\textsf{KG}, j}}]^*_j)), \textsf{out}^{*K}_j \Bigr ). \end{aligned}$$
For every $k \in [n]$, compute
$$\begin{aligned} r_{\textsf{Enc}, k}^*&:= \textsf{Ext}_{\textsf{BP}}(\textbf{pp}_{\textsf{BP}}^*, I_k, \textsf{pk}_{\textsf{BP}, I_k}^*, [{r_{\textsf{Enc}, k}}]^*_{I_k}),\\ \textsf{out}^{*C}_k&:= {\left\{ \begin{array}{ll} \widehat{\textsf{ct}}_{\textsf{BP}}^* &{} \text {if }\exists x' \in \{0,1\} : [\![{x_k}]\!]^*_{I_k} = \textsf{Enc}_{\textsf{F}}(\textsf{pk}_{\textsf{F}, I_k}^*, x'; r_{\textsf{Enc}, k}^*)\\ 0 &{} \text {otherwise} \end{array}\right. },\\ \widehat{\textsf{ct}}_{\textsf{BP}, k}^{*C}&\xleftarrow {\$}\textsf{Sim}_{\textsf{BP}} \Bigl ( \textbf{pp}^*_{\textsf{BP}}, \textbf{pk}_{\textsf{BP}}^*, (I_k, [{r_{\textsf{Enc}, k}}]^*_k), \textsf{out}^{*C}_k \Bigr ). \end{aligned}$$
Output
$$\begin{aligned} \widehat{\textsf{ct}}^* \xleftarrow {\$}\textsf{Eval}_{\textsf{F}} \left( \begin{array}{l} \textsf{Dec}_{\textsf{BP}}(\cdot , \textsf{CombineDec}^{N,N+n}_{\widehat{\textsf{ct}}^*_{\textsf{BP}}}(\cdot , \{\widehat{\textsf{ct}}_{\textsf{BP}, j}^{*K}\}_{j\in [N]} \cup \{\widehat{\textsf{ct}}_{\textsf{BP}, k}^{*C}\}_{k\in [n]})),\\ \textbf{pp}_{\textsf{F}}^*, \textbf{pk}_{\textsf{F}}^*, (j, [\![{\textsf{sk}_{\textsf{BP}, j}}]\!]^*_j)_{j\in [N]} \end{array} \right) . \end{aligned}$$

Since $\widehat{\textsf{ct}}^*_{\textsf{BP}}$, $(\widehat{\textsf{ct}}_{\textsf{BP}, j}^{*K})_{j \in [N]}$, and $(\widehat{\textsf{ct}}_{\textsf{BP}, k}^{*C})_{k \in [n]}$ computed in $\textsf{Sim}_{\textsf{mCP}}$ are respectively statistically indistinguishable from $\widehat{\textsf{ct}}_{\textsf{BP}}$, $(\widehat{\textsf{ct}}_{\textsf{BP}, j}^K)_{j \in [N]}$, and $(\widehat{\textsf{ct}}_{\textsf{BP}, k}^C)_{k \in [n]}$ computed in $\textsf{Eval}_{\textsf{mCP}}$ by the malicious circuit privacy of $\textsf{MKHE}_{\textsf{BP}}$, the distribution of $\widehat{\textsf{ct}}^*$ output from $\textsf{Sim}_{\textsf{mCP}}$ is also statistically indistinguishable from the evaluated ciphertext $\widehat{\textsf{ct}}$ output from $\textsf{Eval}_{\textsf{mCP}}$. $\square $

Theorems 4.4 and 4.5 yield Theorem 1.2.

Instantiation For the underlying maliciously circuit-private MKHE for branching programs, we can just use the scheme explained in Sect. 4.2. For the underlying (non-circuit-private) MKFHE, we can use the MKFHE scheme $\textsf{MKHE}_{\textsf{BHP}}$.

As explained above, for the resulting scheme to be semantically secure, we need joint circular security for the above two schemes. This assumption seems reasonable since the former building block scheme is also based on $\textsf{MKHE}_{\textsf{BHP}}$ (albeit an additional LWE-based OT protocol from [9]).

5 Maliciously circuit-private MPC based on LWE

In this section, we describe our MPC protocol from any maliciously circuit-private MKHE scheme with distributed setup, a maliciously (statistically) sender-private OT protocol, and a projective circuit garbling scheme.

5.1 Definitions for MPC

We here give the definition of maliciously circuit-private MPC protocols. We consider a 1-server and N-client protocol. In this protocol, inputs to participating parties are asymmetric (i.e., the server has a function to be computed, and the clients have inputs for the function), so the secure MPC protocol needs to have two types of security requirements: server privacy and client privacy. The server privacy has almost the same requirement with the circuit privacy in MKHE, and the client privacy means the semantic security of the client’s input. We do not allow adversaries to corrupt the server, but we want to consider stronger security against clients. The client privacy should be considered for a semi-honest server and malicious clients.

In the following, we first define a client-server MPC protocol, then we define the client privacy and server privacy for the protocol, where we refer to the server privacy as circuit privacy. These definitions follow from those in [17].

Definition 5.1

(Client-Server MPC protocol) Let $\mathcal {C}$ be a class of functions with at most N inputs. A multi-party protocol $\Pi $ for $\mathcal {C}$ is a protocol between parties $P_1, \ldots , P_N$, and the server S where $P_i$ ($i=1,\ldots , N$) is given $x_i$ as input, and S is given a function F on N inputs. Denote $\textbf{x}=(x_1,\ldots ,x_N)$. At the end of the protocol, each party $P_i$ outputs $F(\textbf{x})$ while S outputs $\bot $.

Definition 5.2

(Client Privacy) An adversary $\mathcal {A}$ corrupting $\{P_i\}_{i\in T}$ for some $T\subseteq [N]$ receives all messages directed to $P_i$ for every $i\in T$ and controls the messages that they send. Let $\textsf{View}_{\Pi , S}(F, \textbf{x})$ denote the joint collection of messages that S receives in an execution of the protocol $\Pi $ on an N-input function $F\in \mathcal {C}$ and an input set $\textbf{x}=(x_1,\ldots ,x_N)$. Let $\textsf{View}_{\Pi , \mathcal {A}}(F, \textbf{x})$ denote the joint collection of messages $\mathcal {A}$ receives through corrupted parties in an execution of protocol $\Pi $ on F and $\textbf{x}$. A multi-party protocol $\Pi $ for $\mathcal {C}$ is secure against a semi-honest server and malicious clients if the protocol satisfies the following two privacy notions:

Privacy against clients For every adversary $\mathcal {A}$ corrupting parties $\{P_i\}_{i\in T}$ with $|T|=t<N$, for all N-input functions $F\in \mathcal {C}$ and for all input sets $\textbf{x}=(x_1,\ldots ,x_N)$ and $\textbf{x}'=(x_1',\ldots ,x_N')$ such that $x_i=x_i'$ for any $i\in T$, for all y the range of F,
$$\begin{aligned}{}[\textsf{View}_{\Pi , \mathcal {A}}(F, \textbf{x}): y=F(\textbf{x})] \approx _c [\textsf{View}_{\Pi , \mathcal {A}}(F, \textbf{x}'): y=F(\textbf{x}')]. \end{aligned}$$
Privacy against a server For every server S, for all N-input functions $F\in \mathcal {C}$ and for all input sets $\textbf{x}=(x_1,\ldots ,x_N)$ and $\textbf{x}'=(x_1',\ldots ,x_N')$ such that $x_{i}=x_{i}'$ for any $i\in T$, for all y the range of F,
$$\begin{aligned}{}[\textsf{View}_{\Pi , S}(F, \textbf{x}): y=F(\textbf{x})] \approx _c [\textsf{View}_{\Pi , S}(F, \textbf{x}'): y=F((\textbf{x}')]. \end{aligned}$$

Definition 5.3

(Malicious Circuit Privacy (Server Privacy)) Let $\Pi $ be a multi-party protocol for a function class $\mathcal {C}$. In the ideal-world execution of $\Pi $, the computation of $F\in \mathcal {C}$ is performed through a trusted functionality $\mathcal {F}$. Each party $P_i$ sends their input $x_i$ to $\mathcal {F}$, the server sends F to $\mathcal {F}$, which performs the computation and sends the output $F(\textbf{x})$ to each $P_i$ ($i\in [N]$). Let $\textsf{Ideal}_{\mathcal {F}, \mathcal {S}}(F, \textbf{x})$ denote the joint output of the ideal-world adversary (called simulator) $\mathcal {S}$, parties $P_1,\ldots , P_N$ and the server S. Moreover, let $\textsf{Real}_{\Pi , \mathcal {A}}(F, \textbf{x})$ denote the joint output of the real-world adversary $\mathcal {A}$, parties $P_1, \ldots , P_N$ and the server S. The protocol $\Pi $ is maliciously circuit-private if for every malicious (and possibly unbounded) adversary $\mathcal {A}$ corrupting any number of parties, there exists an unbounded simulator $\mathcal {S}$ with black-box access to $\mathcal {A}$ such that for all N-input functions $F\in \mathcal {C}$ and for all input sets $\textbf{x}=(x_1,\ldots ,x_N)$, $\textsf{Ideal}_{\mathcal {F}, \mathcal {S}}(F, \textbf{x})\approx _s \textsf{Real}_{\Pi , \mathcal {A}}(F, \textbf{x})$.

5.2 Construction

Our MPC protocol consists of four rounds, and is maliciously circuit-private in the plain model. We follow the approach of [17] but require an additional round (the first round) that computes the distributed setup.

Intuition of our construction The server evaluates the function over encrypted inputs sent from the clients. The server then constructs a special decryption circuit that given as input a secret key for the circuit-private MKFHE scheme and randomness used to generate the secret key, decrypts the result of the homomorphic evaluation if the input secret keys are valid. Also, the server sends a garbled circuit of the special decryption circuit to the clients. The difference between real-world and ideal-world executions of the protocol is how to construct a garbled circuit of the special decryption circuit. The simulator of the malicious circuit privacy for our MPC protocol generates a simulated result of the homomorphic evaluation by using the simulator for the circuit-private homomorphic scheme, and compute a garbled circuit for the special decryption circuit hardwired with the simulated result. Since the simulated result is statistically indistinguishable from the result of the real evaluation, the garbled circuit is also statistically indistinguishable from the one in the real-world execution of the protocol.

Building blocks We will use the following building blocks.

Let $\textsf{MKHE}_{\textsf{mCP}} = (\textsf{dSetup}_{\textsf{mCP}}, \textsf{KG}_{\textsf{mCP}}, \textsf{Enc}_{\textsf{mCP}}, \textsf{Eval}_{\textsf{mCP}}, \textsf{Dec}_{\textsf{mCP}})$ be a maliciously circuit-private MKFHE scheme with distributed setup.
Let $\textsf{OT}= (\textsf{Q}, \textsf{A}, \textsf{D})$ be a maliciously sender-private OT protocol.
Let $\textsf{GC}= (\textsf{GCircuit}, \textsf{GEval})$ be a projective circuit garbling scheme.

The description of our protocol $\Pi $ is as follows.

Inputs and outputs: The clients $P_{i}$ ($i=1,.,N$) is given $x_{i}$ as input, and the server S is given a function F on N inputs. Each $P_{i}$ outputs $F(x_{1},., x_{N})$ while S outputs $\bot $.
Round 1: For $i\in [N]$, the client $P_i$ computes $\textsf{pp}_{i}\xleftarrow {\$}\textsf{dSetup}_{\textsf{mCP}}(1^\lambda , 1^N, i\in [N])$, and broadcasts $\textsf{pp}_{i}$ to other parties and the server S. Each of the parties $P_i$ and the server S checks if $\textsf{pp}_j \in [\textsf{dSetup}_{\textsf{mCP}}(1^\lambda ,1^N, j)$ for all $j \in [N]$. If the check fails, the parties abort the protocol. Let $\textbf{pp}:=(\textsf{pp}_j)_{j\in [N]}$.
Round 2: For $i\in [N]$, the client $P_i$ runs $(\textsf{pk}_{i}, \textsf{sk}_{i})\xleftarrow {\$}\textsf{KG}_{\textsf{mCP}}(\textbf{pp}, i; r_{\textsf{KG}, i})$. Let s and r be the bit-size of $\textsf{sk}_{i}$ and $r_{\textsf{KG}, i}$, respectively. The client $P_i$ computes $(q_{i}^{k}, \textsf{st}_{i}^{k})\xleftarrow {\$}\textsf{Q}(1^{\lambda }, \textsf{sk}_{i, k})$ for $k\in [s]$ (where $\textsf{sk}_{i, k}$ is the k-th bit of $\textsf{sk}_{i}$), and $(q_{i}^{s+k}, \textsf{st}_{i}^{s+k})\xleftarrow {\$}\textsf{Q}(1^{\lambda }, r_{\textsf{KG}, i, k})$ for $k\in [r]$ (where $r_{\textsf{KG}, i, k}$ is the k-th bit of $r_{\textsf{KG}, i}$). Also $P_{i}$ computes a ciphertext $\textsf{ct}_{i}\xleftarrow {\$}\textsf{Enc}_{\textsf{mCP}}(\textsf{pk}_{i}, x_{i})$, and sends $(\textsf{pk}_{i}, \textsf{ct}_{i}, (q_{i}^{k})_{k\in [s+r]})$ to the server S.
Round 3: The input of the server S is a function F that takes on inputs $\textbf{x}=(x_1,\ldots ,x_N)$. The server S selects a circuit C representing the function F. It then computes $\widehat{\textsf{ct}}\xleftarrow {\$}\textsf{Eval}_{\textsf{mCP}}(C, \textbf{pp}, \textbf{pk}, (\textsf{ct}_j)_{j \in [N]})$, where we denote $\textbf{pk}:=(\textsf{pk}_{j})_{j\in [N]}$. Let $g_{\widehat{\textsf{ct}}, \textbf{pp}, \textbf{pk}}$ be the following circuit:
$$\begin{aligned}&g_{\widehat{\textsf{ct}}, \textbf{pp}, \textbf{pk}}((\textsf{sk}_{j}, r_{j})_{j\in [N]})\\&:= {\left\{ \begin{array}{ll} \textsf{Dec}(\textbf{sk}, \widehat{\textsf{ct}}) &{} \text {if }(\textsf{pk}_{j}, \textsf{sk}_{j})=\textsf{KG}_{\textsf{mCP}}(\textbf{pp}, j; r_{j}) \text { for all }j\in [N]; \\ \bot &{} \text {otherwise}\\ \end{array}\right. }, \end{aligned}$$
where we denote $\textbf{sk}:= (\textsf{sk}_j)_{j \in [N]}$. The server S then generates a garbled circuit $(G, e)\xleftarrow {\$}\textsf{GCircuit}(1^{\lambda }, g_{\widehat{\textsf{ct}}, \textbf{pp}, \textbf{pk}})$, where $e=(X_{j}^{0}, X_{j}^{1})_{j \in [N(r+s)]}$. For each $i\in [N]$ and $k\in [r+s]$, the server S computes $a_{i}^{k} \xleftarrow {\$}\textsf{A}(q_{i}^{k}, X_{(i-1)(r+s)+k}^{0}, X_{(i-1)(r+s)+k}^{1})$. It finally sends $(G, (a_{i}^{k})_{k \in [r + s]})$ to the client $P_{i}$ for each $i\in [N]$.
Round 4: For $i\in [N]$, $P_{i}$ computes the garbled input $X_{(i-1)(r+s)+k}=\textsf{D}(a_{i}^{k}, \textsf{st}_{i}^{k})$ for $k\in [s+r]$. The client $P_{i}$ broadcasts these to all the other clients, $P_{j}$ for $j\in [N]\backslash \{i\}$. Each client computes $y:=\textsf{GEval}(G, (X_{j})_{j \in [N(r+s)]})$.

The security of our protocol is guaranteed by the following theorem.

Theorem 5.1

If $\textsf{MKHE}_{\textsf{mCP}}$ is semantically secure and maliciously circuit-private, $\textsf{OT}$ is statistically sender private against malicious receivers, and $\textsf{GC}$ is secure, then $\Pi $ is a secure MPC protocol with malicious circuit privacy.

The proof of Theorem 5.1 is divided into the following three lemmas: the first two lemmas state that the protocol $\Pi $ has privacy against malicious clients and a semi-honest server, and the third one is for saying the malicious circuit privacy of $\Pi $.

Lemma 5.1

(Privacy against Malicious Clients) Assume $\textsf{MKHE}_{\textsf{mCP}}$ is semantically secure, $\textsf{OT}$ is statistically sender-private against malicious receivers and $\textsf{GC}$ is secure. Then, for any $y\in \{0,1\}$, $\textbf{x}, \textbf{x}'\in \{0,1\}^N$, $F: \{0,1\}^N\rightarrow \{0,1\}$ and $T\subset [N]$ such that $x_i=x_i'$ for any $i\in T$,

$$\begin{aligned}{}[\textsf{View}_{\Pi , \mathcal {A}}(F, \textbf{x}): y=F(\textbf{x})]\approx _{c} [\textsf{View}_{\Pi , \mathcal {A}}(F, \textbf{x}'): y=F(\textbf{x}')]. \end{aligned}$$

Proof

The ciphertexts $\{\textsf{ct}_{j}\}_{j\in [N] \setminus T}$ obtained for $\textbf{x}$ in the second round of the protocol are computationally indistinguishable from $\{\textsf{ct}_{j}'\}_{j\in [N] \setminus T}$ obtained for $\textbf{x}'$ by the semantic security of $\textsf{MKHE}_{\textsf{mCP}}$. Let g and $g'$ be circuits obtained in the third round of $\Pi $ for input $\textbf{x}$ and $\textbf{x}'$, respectively, where both circuits evaluate to y if a secret key and randomness for the key generation are valid, and 0 otherwise. Let $(G, e)\xleftarrow {\$}\textsf{GCircuit}(1^\lambda , g)$ and $(G', e')\xleftarrow {\$}\textsf{GCircuit}(1^\lambda , g')$. By the sender-privacy of $\textsf{OT}$ against malicious receivers, $\mathcal {A}$ can obtain at most one garbled input (token) for the corrupted clients. Let X and $X'$ be garbled inputs obtained by e and $e'$ for the secret key and its randomness. Since both circuits evaluate to y on garbled inputs corresponding to valid secret keys and 0 otherwise we have $(G, X)\approx _{c}(G', X')$ by the security of $\textsf{GC}$. Also, $a_i$’s and garbled inputs do not depend on the protocol inputs. Therefore, the views of an adversary $\mathcal {A}$ in the executions of $\Pi $ for input $\textbf{x}$ and that for $\textbf{x}'$ are computationally indistinguishable. This concludes the proof of lemma. $\square $

Lemma 5.2

(Privacy against a Semi-honest Server) If $\textsf{MKHE}_{\textsf{mCP}}$ is semantically secure and $\textsf{OT}$ is receiver private against semi-honest senders, then for any $y\in \{0,1\}$, $\textbf{x}, \textbf{x}'\in \{0,1\}^N$, and $F: \{0,1\}^N\rightarrow \{0,1\}$, we have

$$\begin{aligned}{}[\textsf{View}_{\Pi , S}(F, \textbf{x}): y=F(\textbf{x})]\approx _{c} [\textsf{View}_{\Pi , S}(F, \textbf{x}'): y=F(\textbf{x}')]. \end{aligned}$$

Proof

In the second round of $\Pi $, each client $P_i$ ($i=1,\ldots , N$) sends $\textsf{OT}$-queries $(q_{i}^{k})_{k\in [r+s]}$ to the server, and the queries do not depend on the protocol input. Thus, by the receiver privacy of $\textsf{OT}$, they are computationally indistinguishable from $\textsf{OT}$-queries generated by using some fixed string independent of the secret key and randomness. This in turn enables us to invoke the semantic security of $\textsf{MKHE}_{\textsf{mCP}}$, and say that the server’s view in the case that the ciphertext $\textsf{ct}_i$ in the second round message encrypts $\textbf{x}$, is computationally indistinguishable from the case that $\textsf{ct}_i$ encrypts $\textbf{x}'$. This concludes the proof of the lemma. $\square $

Intuition for the proof of the following theorem is given in the beginning of this section (Sect. 5.2).

Lemma 5.3

(Malicious Circuit Privacy) If $\textsf{MKHE}_{\textsf{mCP}}$ is maliciously circuit-private, then the protocol $\Pi $ is maliciously circuit-private.

Proof

Let $\textsf{Ext}_{\textsf{mCP}}$ and $\textsf{Sim}_{\textsf{mCP}}$ be the extractor and simulator that are guaranteed to exist by the malicious circuit privacy of $\textsf{MKHE}_{\textsf{mCP}}$. Here we show the construction of a simulator $\mathcal {S}$ for $\Pi $, where we can assume w.l.o.g. that the real-world adversary $\mathcal {A}$ corrupts all the clients, because we are not considering the privacy of the clients here.

Step 1: The simulator $\mathcal {S}$ receives $\textsf{pp}_{j}^{*}$ for $j\in T=[N]$ from $\mathcal {A}$. Denote $\textbf{pp}^* := (\textsf{pp}_j^*)_{j \in [N]}$.
Step 2: Given $(\textsf{pk}_{i}^*, \textsf{ct}_{i}^*, (q_{i, k}^*)_{k\in [r+s]})_{i\in T}$ from $\mathcal {A}$, $\mathcal {S}$ runs $\textsf{Ext}_{\textsf{mCP}}$ to compute the corrupted input $\tilde{x_{i}}:=\textsf{Ext}_{\textsf{mCP}}(\textbf{pp}^*, i, \textsf{pk}_i^*, \textsf{ct}_i^*)$. It then submits them to the ideal functionality $\mathcal {F}$ and obtains $b^*:=F(\tilde{x}_1,\ldots , \tilde{x}_N)$.
Step 3: Denote $\textbf{pk}^*=(\textsf{pk}_{j}^*)_{j\in [N]}$. The simulator $\mathcal {S}$ runs $\textsf{Sim}_{\textsf{mCP}}$ to compute
$$\begin{aligned} \widehat{\textsf{ct}}^* \xleftarrow {\$}\textsf{Sim}_{\textsf{mCP}}(\textbf{pp}^*, \textbf{pk}^*, (j, \textsf{ct}_{j}^*)_{j\in [N]}, b^{*}), \end{aligned}$$
then defines a circuit
$$\begin{aligned}&{g_{\widehat{\textsf{ct}}^*, \textbf{pp}^*, \textbf{pk}^*}((\textsf{sk}_{j}, r_{j})_{j\in [N]}) }\\&\quad := {\left\{ \begin{array}{ll} \textsf{Dec}_{\textsf{mCP}}(\textsf{sk}_1, \ldots , \textsf{sk}_N, \widehat{\textsf{ct}}^*) &{} \begin{aligned} \text {if } (\textsf{pk}_{j}^*, \textsf{sk}_{j})=\textsf{KG}_{\textsf{mCP}}(\textbf{pp}^*, j; r_{j})\\ \text { for all }j\in [N] \end{aligned}\\ 0 &{} \text {otherwise} \end{array}\right. }. \end{aligned}$$
The simulator generates a garbled circuit $(G^*, e^*)\xleftarrow {\$}\textsf{GCircuit}(1^\lambda , g_{\widehat{\textsf{ct}}^*, \textbf{pp}^*, \textbf{pk}^*})$ where $e^* = (X^{*0}_{j}, X^{*1}_j)_{j \in [N (r+s)]}$. For all $i\in [N]$ and $k\in [r+s]$, the simulator $\mathcal {S}$ computes $a_{i,k}^{*} \xleftarrow {\$}\textsf{A}(q^{*k}_i, X^{*0}_{(i-1)(r+s)+k}, X^{*1}_{(i-1)(r+s)+k})$, and sends $(G^*, (a_{i,k}^{*})_{k \in [r+s]})$ for $i\in T$ to $\mathcal {A}$.
Output: In Round 4 of the protocol, no interaction between the server S and the clients $P_i$ occurs. Since we are assuming that all clients are corrupted and controlled by $\mathcal {A}$, the simulator $\mathcal {S}$ need not do any action until $\mathcal {A}$ returns the outputs of the corrupted parties. Finally, when $\mathcal {A}$ terminates with the outputs of the corrupted parties in the real-world execution of $\Pi $, $\mathcal {S}$ just forwards the received outputs and terminates.

By the malicious circuit privacy of $\textsf{MKHE}_{\textsf{mCP}}$, $\widehat{\textsf{ct}}^*$ is statistically indistinguishable from the real computation of $\textsf{Eval}_{\textsf{mCP}}$ for F, and thus the garbled circuit $G^*$ is also statistically indistinguishable from the one in the real-world execution of $\Pi $. Hence we have $\textsf{Real}_{\Pi , \mathcal {A}}(F, \textbf{x})\approx _{s}\textsf{Ideal}_{\Pi , \mathcal {S}}(F, \textbf{x})$. $\square $

Instantiations from LWE When instantiated $\textsf{MKHE}_{\textsf{mCP}}$ with our proposed schemes in Sects. 4.2 and 4.3, we obtain Theorems 1.3 and 1.4, respectively.

6 Conclusion

In this paper, we constructed a maliciously circuit-private MKHE scheme for branching programs based on LWE as well as weak circular security of the (plain) MKFHE scheme by Brakerski et al. [15]. We also showed how the obtained scheme can be combined with a plain MKFHE scheme (such as [15]), to obtain a fully homomorphic maliciously circuit-private scheme. To obtain this result, we relied on a somewhat non-standard circular security assumption, but a similar assumption is required to show the security of the previous maliciously circuit-private MKFHE scheme in [17]. Based on either of our MK(F)HE schemes, we built a four-round MPC protocol with circuit privacy against semi-honest server and malicious clients in the plain model, where the additional building blocks required for our protocol can be instantiated assuming only LWE.

Availability of data and materials

Not applicable.

Notes

This is referred to as server privacy in [28], but here we use the term “circuit privacy” to relate the notion to circuit privacy of FHE.
Here we purposely write “MKHE” (without “F”) since it does not support all circuits.
Note that there are also combinations of these paradigms such as ABY/ABY3 [20, 32] which combine secret-sharing-based and garbled-circuit-based MPC; these protocols inherit the circuit size dependency properties (the last two columns in Table 1) from their components.
Note that in Table 1, we compare general MPC, not only client-server MPC.
This property is trivially satisfied by the MKFHE scheme with distributed setup by Brakerski et al. [15].
For simplicity, in this paper we only consider the decryption algorithm for evaluated ciphertexts for (single-key/multi-key) HE schemes.
Note that $\widetilde{\textsf{Eval}}$ does not take indices $I_k$ for expanded ciphertexts $\widetilde{\textsf{ct}}_k$ as input.
The expanded bootstrapping keys need to be computed only once and are reused across multiple calls of $\textsf{NAND}$.
We allow $\{\textsf{ct}_{\textsf{PE},k}\}_{k \in [q]}$ to be empty, in which case $\textsf{Validate}$ is defined to not take $\{r_{\textsf{Enc},k}\}$ as input, and the check of $\{\textsf{ct}_{\textsf{PE},k}\}$ is omitted.
This step will be performed from the nodes in the last layer to the initial node $v_0$, so that $\textsf{Label}(v)$ for every $v \in V \setminus T$ will be defined in the end.
The way we compute $\widetilde{a}_{\textsf{PE},t}$ is different from [17]. In their construction, $\widetilde{a}_{\textsf{PE},t}$ in the case $\textsf{Label}(u_0)[t] = \textsf{Label}(u_1)[t] = 1$ is computed deterministically from the values that are generated outside the loop regarding t. This seems to make $\widetilde{a}_{\textsf{PE},t}$ distinguishable from what the simulator for the (malicious) circuit privacy in the proof generates. Our design of $\textsf{Eval}_{\textsf{BP}}$ simplifies the design of the homomorphic evaluation algorithm in [17] while also removing this bug.
One can check that each $\widetilde{a}_{\textsf{PE},t}$ is an expanded ciphertext of $\textsf{Label}(u_{x_{k^\star }})[t]$. Hence, $\widetilde{a}_{\textsf{PE},v}$ is bit-wise expanded ciphertexts of $\textsf{Label}(u_{x_{k^{\star }}})$.
We here assume that for $b\in \{0,1\}$, $v_{b}^{(0)}\in \Gamma (v^{(1)})$ satisfies $\phi _{V}(v_{b}^{(0)})=b$.
Each $[{\textsf{sk}_{\textsf{PE},i} \Vert r_{\textsf{KG},i}}]^*_i$ is actually a vector of ciphertexts. Thus, $\textsf{Ext}_{\textsf{mCP}}(\textsf{pk}^{*}_{\textsf{mCP},i}, [{\textsf{sk}_{\textsf{PE},i}}]^*_i)$ here means applying $\textsf{Ext}_{\textsf{mCP}}(\textsf{pk}^{*}_{\textsf{mCP},i}, \cdot )$ to each ciphertext in $[{\textsf{sk}_{\textsf{PE},i}}]^*_i$ and output the concatenation of the results. Same for $\textsf{Ext}_{\textsf{mCP}}(\textsf{pk}^*_{\textsf{mCP},i}, [{r_{\textsf{KG},i}}]^*_i)$ and $\textsf{Ext}_{\textsf{mCP}}(\textsf{pk}^*_{\textsf{mCP},i}, [{r_{\textsf{Enc}}}]^*_i)$.
For proving the semantic security of the maliciously circuit-private MKFHE scheme by Chongchitmate and Ostrovsky [17], a similar “joint” circular security assumption on the building blocks seems necessary. In the corresponding proof of [16, Theorem 5.1] (the full version of [17]), it is written that the semantic security of their maliciously circuit-private scheme follows from the building blocks, but no explanation on how the proof is obtained is given.

References

Albrecht M.R., Bai S., Ducas L.: A subfield lattice attack on overstretched NTRU assumptions - cryptanalysis of some FHE and graded encoding schemes. In: Robshaw M., Katz J. (eds.) CRYPTO 2016, Part I, volume 9814 of LNCS, pp. 153–178, Santa Barbara, CA, USA, August 14–18 (2016). Springer, Heidelberg, Germany. https://doi.org/10.1007/978-3-662-53018-4_6.
Ananth P., Jain A., Jin Z., Malavolta G.: Multi-key fully-homomorphic encryption in the plain model. In TCC 2020, (2020).
Badrinarayanan S., Jain A., Manohar N., Sahai A.: Threshold multi-key FHE and applications to round-optimal MPC. Cryptology ePrint Archive, Report 2018/580 (2018). https://eprint.iacr.org/2018/580/20190529:195715.
Barrington D.A. Mix.: Bounded-width polynomial-size branching programs recognize exactly those languages in $\text{NC}^1$. In: 18th ACM STOC, pp. 1–5, Berkeley, CA, USA, May 28–30, (1986). ACM Press. https://doi.org/10.1145/12130.12131.
Beaver D., Micali S., Rogaway P.: The round complexity of secure protocols (extended abstract). In: 22nd ACM STOC, pp. 503–513, Baltimore, MD, USA, May 14–16, (1990). ACM Press. https://doi.org/10.1145/100216.100287.
Ben-Or M., Goldwasser S., Wigderson A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract). In: 20th ACM STOC, pp. 1–10, Chicago, IL, USA, May 2–4 (1988). ACM Press. https://doi.org/10.1145/62212.62213.
Bendlin R., Damgård I., Orlandi C., Zakarias S.: Semi-homomorphic encryption and multiparty computation. In: Paterson K.G. (Ed.) EUROCRYPT 2011, volume 6632 of LNCS, pp. 169–188, Tallinn, Estonia, May 15–19 (2011). Springer, Heidelberg. https://doi.org/10.1007/978-3-642-20465-4_11.
Brakerski Z.: Fully homomorphic encryption without modulus switching from classical GapSVP. In: Reihaneh S.-N., Ran C. (eds.) CRYPTO 2012, volume 7417 of LNCS, pp. 868–886, Santa Barbara, CA, USA, August 19–23 (2012). Springer, Heidelberg. https://doi.org/10.1007/978-3-642-32009-5_50.
Brakerski Z., Döttling, N.: Two-message statistically sender-private OT from LWE. In: Beimel A., Dziembowski S. (eds.) TCC 2018, Part II, volume 11240 of LNCS, pages 370–390, Panaji, India, November 11–14 (2018). Springer, Heidelberg, Germany. https://doi.org/10.1007/978-3-030-03810-6_14.
Brakerski Z., Perlman R.: Lattice-based fully dynamic multi-key FHE with short ciphertexts. In: Robshaw M., Katz J. (eds.) CRYPTO 2016, Part I, volume 9814 of LNCS, pp. 190–213, Santa Barbara, CA, USA, August 14–18 (2016). Springer, Heidelberg, Germany. https://doi.org/10.1007/978-3-662-53018-4_8.
Brakerski Z., Vaikuntanathan V.: Fully homomorphic encryption from ring-LWE and security for key dependent messages. In: Rogaway P. (ed.) CRYPTO 2011, volume 6841 of LNCS, pp. 505–524, Santa Barbara, CA, USA, August 14–18 (2011a). Springer, Heidelberg. https://doi.org/10.1007/978-3-642-22792-9_29.
Brakerski Z., Vaikuntanathan V.: Efficient fully homomorphic encryption from (standard) LWE. In: Ostrovsky R. (ed.) 52nd FOCS, pp. 97–106, Palm Springs, CA, USA, October 22–25 (2011b). IEEE Computer Society Press. https://doi.org/10.1109/FOCS.2011.12.
Brakerski Z., Gentry C., Vaikuntanathan V.: (Leveled) fully homomorphic encryption without bootstrapping. In Goldwasser S (ed.) ITCS 2012, pp. 309–325, Cambridge, MA, USA, January 8–10 (2012). ACM. https://doi.org/10.1145/2090236.2090262.
Brakerski Z., Vaikuntanathan V., Wee H., Wichs D.: Obfuscating conjunctions under entropic ring LWE. In Sudan M (ed.) ITCS 2016, pp. 147–156, Cambridge, MA, USA, January 14–16 (2016). ACM. https://doi.org/10.1145/2840728.2840764.
Brakerski Z., Halevi S., Polychroniadou A.: Four round secure computation without setup. In: Kalai Y., Reyzin L. (eds.) TCC 2017, Part I, volume 10677 of LNCS, pp. 645–677, Baltimore, MD, USA, November 12–15 (2017). Springer, Heidelberg, Germany. https://doi.org/10.1007/978-3-319-70500-2_22.
Chongchitmate W., Ostrovsky R.: Circuit-private multi-key FHE. Cryptology ePrint Archive, Report 2017/010 (2017a). http://eprint.iacr.org/2017/010.
Chongchitmate W., Ostrovsky R.: Circuit-private multi-key FHE. In Fehr S. (ed.) PKC 2017, Part II, volume 10175 of LNCS, pp. 241–270, Amsterdam, The Netherlands, March 28–31 (2017b). Springer, Heidelberg. https://doi.org/10.1007/978-3-662-54388-7_9.
Clear M., McGoldrick C.: Multi-identity and multi-key leveled FHE from learning with errors. In Gennaro R., Robshaw M.J.B. (eds.) CRYPTO 2015, Part II, volume 9216 of LNCS, pp. 630–656, Santa Barbara, CA, USA, August 16–20 (2015). Springer, Heidelberg, Germany. https://doi.org/10.1007/978-3-662-48000-7_31.
Damgård I., Pastro V., Smart N.P., Zakarias S.: Multiparty computation from somewhat homomorphic encryption. In: Safavi-Naini R., Canetti R. (eds.) CRYPTO 2012, volume 7417 of LNCS, pp. 643–662, Santa Barbara, CA, USA, August 19–23 (2012). Springer, Heidelberg, Germany. https://doi.org/10.1007/978-3-642-32009-5_38.
Demmler D., Schneider T., Zohner M.: ABY—A framework for efficient mixed-protocol secure two-party computation. In NDSS 2015, San Diego, CA, USA, February 8–11 (2015). The Internet Society.
Gentry C.: A Fully Homomorphic Encryption Scheme. PhD thesis, Stanford University, Available at http://crypto.stanford.edu/craig (2009a).
Gentry C.: Fully homomorphic encryption using ideal lattices. In Mitzenmacher M. (ed.) 41st ACM STOC, pp. 169–178, Bethesda, MD, USA, May 31–June 2 (2009b). ACM Press. https://doi.org/10.1145/1536414.1536440.
Gentry C., Sahai A., Waters B.: Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti R., Garay J.A. (eds) CRYPTO 2013, Part I, volume 8042 of LNCS, pages 75–92, Santa Barbara, CA, USA, August 18–22 (2013). Springer, Heidelberg, Germany. https://doi.org/10.1007/978-3-642-40041-4_5.
Goldreich O., Micali S., Wigderson A.: How to play any mental game or A completeness theorem for protocols with honest majority. In: Aho A (ed.) 19th ACM STOC, pp. 218–229, New York City, NY, USA, May 25–27 (1987). ACM Press. https://doi.org/10.1145/28395.28420.
Goldwasser S., Kalai Y.T., Peikert C., Vaikuntanathan V.: Robustness of the learning with errors assumption. In Yao A.C.-C. (ed.) ICS 2010, pp. 230–240, Tsinghua University, Beijing, China, January 5–7 (2010). Tsinghua University Press.
Hazay C., Scholl P., Soria-Vazquez E.: Low cost constant round MPC combining BMR and oblivious transfer. In Takagi T., Peyrin T. (eds.) ASIACRYPT 2017, Part I, volume 10624 of LNCS, pages 598–628, Hong Kong, China, December 3–7 (2017). Springer, Heidelberg, Germany. https://doi.org/10.1007/978-3-319-70694-8_21.
Ishai Y., Kushilevitz E.: Perfect constant-round secure computation via perfect randomizing polynomials. In: Widmayer P., Ruiz F.T., Bueno R.M., Hennessy M., Eidenbenz S., Conejo R. (eds.) editors, ICALP 2002, volume 2380 of LNCS, pp. 244–256, Malaga, Spain, July 8–13 (2002). Springer, Heidelberg, Germany. https://doi.org/10.1007/3-540-45465-9_22.
Ishai Y., Paskin A.: Evaluating branching programs on encrypted data. In Vadhan S.P. (ed.) TCC 2007, volume 4392 of LNCS, pp. 575–594, Amsterdam, The Netherlands, February 21–24 (2007). Springer, Heidelberg, Germany. https://doi.org/10.1007/978-3-540-70936-7_31.
Kamara S.., Mohassel P., Raykova M.: Outsourcing multi-party computation. Cryptology ePrint Archive, Report 2011/272 (2011). http://eprint.iacr.org/2011/272.
Lindell Y., Smart N.P., Soria-Vazquez E.: More efficient constant-round multi-party computation from BMR and SHE. In: Hirt M., Smith A.D. (eds.) TCC 2016-B, Part I, volume 9985 of LNCS, pages 554–581, Beijing, China, October 31 – November 3 (2016). Springer, Heidelberg, Germany. https://doi.org/10.1007/978-3-662-53641-4_21.
López-Alt A., Tromer E., Vaikuntanathan V.: On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption. In Karloff H.J., Pitassi T. (eds.) 44th ACM STOC, pages 1219–1234, New York, NY, USA, May 19–22 (2012). ACM Press. https://doi.org/10.1145/2213977.2214086.
Mohassel P., Rindal P.: ABY$^3$: A mixed protocol framework for machine learning. In: Lie D., Mannan M., Backes M., Wang X.F. (eds.) ACM CCS 2018, pp. 35–52, Toronto, ON, Canada, October 15–19 (2018). ACM Press. https://doi.org/10.1145/3243734.3243760.
Mohassel P., Sadeghian S.S.: How to hide circuits in MPC an efficient framework for private function evaluation. In Johansson T., Nguyen P.Q. (eds.) EUROCRYPT 2013, volume 7881 of LNCS, pp. 557–574, Athens, Greece, May 26–30 (2013). Springer, Heidelberg, Germany. https://doi.org/10.1007/978-3-642-38348-9_33.
Mohassel P., Sadeghian S.S., Smart N.P.: Actively secure private function evaluation. In Sarkar P., Iwata T. (eds.) ASIACRYPT 2014, Part II, volume 8874 of LNCS, pp. 486–505, Kaoshiung, Taiwan, R.O.C., December 7–11 (2014). Springer, Heidelberg, Germany. https://doi.org/10.1007/978-3-662-45608-8_26.
Mukherjee P., Wichs D.: Two round multiparty computation via multi-key FHE. In: Fischlin M., Coron J.-S. (eds.) EUROCRYPT 2016, Part II, volume 9666 of LNCS, pp. 735–763, Vienna, Austria, May 8–12 (2016). Springer, Heidelberg, Germany. https://doi.org/10.1007/978-3-662-49896-5_26.
Ostrovsky R., Paskin-Cherniavsky A., Paskin-Cherniavsky B.: Maliciously circuit-private FHE. In Juan A. Garay and Rosario Gennaro, editors, CRYPTO 2014, Part I, volume 8616 of LNCS, pp. 536–553, Santa Barbara, CA, USA, August 17–21 (2014). Springer, Heidelberg, Germany. https://doi.org/10.1007/978-3-662-44371-2_30.
Raz R.: Elusive functions and lower bounds for arithmetic circuits. In Ladner R.E., Dwork C. (eds.) 40th ACM STOC, pp. 711–720, Victoria, BC, Canada, May 17–20 (2008). ACM Press. https://doi.org/10.1145/1374376.1374479.
Regev O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow H.N., Fagin R. (eds.) 37th ACM STOC, pp. 84–93, Baltimore, MA, USA, May 22–24 (2005). ACM Press. https://doi.org/10.1145/1060590.1060603.
Valiant L.G.: Universal circuits (preliminary report). In Chandra A.K., Wotschke D., Friedman E.P., Harrisonl M.A. (eds.) 8th ACM STOC, pp. 196–203, New York, NY, USA, May 3–5 (1976). https://doi.org/10.1145/800113.803649.
van Dijk M., Gentry C., Halevi S., Vaikuntanathan V.: Fully homomorphic encryption over the integers. In Gilbert H (ed.) EUROCRYPT 2010, volume 6110 of LNCS, pp. 24–43, French Riviera, May 30–June 3 (2010). Springer, Heidelberg, Germany. https://doi.org/10.1007/978-3-642-13190-5_2.
Yao A.C.-C.: How to generate and exchange secrets (extended abstract). In: 27th FOCS, pp. 162–167, Toronto, Ontario, Canada, October 27–29 (1986). IEEE Computer Society Press. https://doi.org/10.1109/SFCS.1986.25.

Download references

Funding

Nuttapong Attrapadung, Goichiro Hanaoka, Takahiro Matsuda, and Jacob C. N. Schuldt were partly supported by JSPS KAKENHI Kiban-A Grant Number 19H01109.

Author information

N. Attrapadung, G. Hanaoka, R. Hiromasa, T. Matsuda, and J. C. N. Schuldt have contributed equally to this work.

Authors and Affiliations

National Institute of Advanced Industrial Science and Technology, 2-3-26, Aomi, Koto-ku, Tokyo, 135-0064, Japan
Nuttapong Attrapadung, Goichiro Hanaoka, Takahiro Matsuda & Jacob C. N. Schuldt
Mitsubishi Electric, 5-1-1, Ofuna, Kamakura, Kanagawa, 247-0056, Japan
Ryo Hiromasa

Authors

Nuttapong Attrapadung
View author publications
You can also search for this author in PubMed Google Scholar
Goichiro Hanaoka
View author publications
You can also search for this author in PubMed Google Scholar
Ryo Hiromasa
View author publications
You can also search for this author in PubMed Google Scholar
Takahiro Matsuda
View author publications
You can also search for this author in PubMed Google Scholar
Jacob C. N. Schuldt
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Ryo Hiromasa.

Ethics declarations

Conflict of interest/Competing interests

Not applicable.

Code availability

Not applicable.

Additional information

Communicated by D. Stehle.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions

About this article

Cite this article

Attrapadung, N., Hanaoka, G., Hiromasa, R. et al. Maliciously circuit-private multi-key FHE and MPC based on LWE. Des. Codes Cryptogr. 91, 1645–1684 (2023). https://doi.org/10.1007/s10623-022-01160-x

Download citation

Received: 11 October 2021
Revised: 30 November 2022
Accepted: 02 December 2022
Published: 30 December 2022
Issue Date: May 2023
DOI: https://doi.org/10.1007/s10623-022-01160-x

Keywords

Mathematics Subject Classification

94A60

Use our pre-submission checklist

Avoid common mistakes on your manuscript.

Maliciously circuit-private multi-key FHE and MPC based on LWE

Abstract

Similar content being viewed by others

Four Round Secure Computation Without Setup

Circuit-Private Multi-key FHE

Two Round Multiparty Computation via Multi-key FHE

1 Introduction

1.1 Our results

Theorem 1.1

Theorem 1.2

Theorem 1.3

Theorem 1.4

1.2 Overview of our constructions

1.3 Organization

2 Preliminaries

2.1 Gaussian, learning with errors, and gadget matrix

Lemma 2.1

2.2 Branching programs

Definition 2.1

2.3 Single-key homomorphic encryption and its circuit privacy

Definition 2.2

Definition 2.3

2.4 Oblivious transfer

Definition 2.4

2.5 Circuit garbling

Definition 2.5

2.6 Multi-key homomorphic encryption with distributed setup

Definition 2.6

Definition 2.7

3 Privately expandable MKHE with distributed setup

3.1 Private expandability of MKHE with distributed setup

Definition 3.1

Definition 3.2

3.2 LWE-based expandable MKFHE by brakerski et al.

Lemma 3.1

Claim 3.1

Proof of Claim

3.3 Making \(\textsf{MKHE}_{\textsf{BHP}}\) privately expandable

Lemma 3.2

Proof

Lemma 3.3

Proof

Claim 3.2

Proof of the claim

Theorem 3.1

4 Maliciously circuit-private MKHE based on LWE

4.1 Definition

Definition 4.1

4.2 Scheme for branching programs

Theorem 4.1

Proof

Theorem 4.2

Proof of Sketch

Theorem 4.3

Proof

4.3 Achieving full homomorphism

Theorem 4.4

Theorem 4.5

Proof

5 Maliciously circuit-private MPC based on LWE

5.1 Definitions for MPC

Definition 5.1

Definition 5.2

Definition 5.3

5.2 Construction

Theorem 5.1

Lemma 5.1

Proof

Lemma 5.2

Proof

Lemma 5.3

Proof

6 Conclusion

Availability of data and materials

Notes

References

Funding

Author information

Authors and Affiliations

Corresponding author