Two Round Multiparty Computation via Multikey FHE
 73 Citations
 2.7k Downloads
Abstract
We construct a general multiparty computation (MPC) protocol with only two rounds of interaction in the common random string model, which is known to be optimal. In the honestbutcurious setting we only rely on the learning with errors (LWE) assumption, and in the fully malicious setting we additionally assume the existence of noninteractive zero knowledge arguments (NIZKs). Previously, Asharov et al. (EUROCRYPT ’12) showed how to achieve three rounds based on LWE and NIZKs, while Garg et al. (TCC ’14) showed how to achieve the optimal two rounds based on indistinguishability obfuscation, but it was unknown if two rounds were possible under standard assumptions without obfuscation.
 1.
Each party individually encrypts its input under its own key and broadcasts the ciphertext. All parties can then homomorphically compute a multikey encryption of the output.
 2.
Each party broadcasts a partial decryption of the output using its secret key. The partial decryptions can be combined to recover the output in plaintext.
Keywords
Multikey Fully Homomorphic Encryption (MFHE) Learning With Errors (LWE) Noninteractive Zeroknowledge (NIZKs) Partial Decryption Ciphertext1 Introduction
Multiparty Computation. Secure multiparty computation (MPC) allows multiple parties to evaluate an arbitrary function over their inputs privately, without revealing anything about their inputs to each other beyond the function’s output. This problem was initially studied by Yao [34, 35], in the case of two honestbutcurious parties (who follow the protocol honestly but hope to learn information from its execution) and later by Goldreich, Micali and Wigderson [19] in the case of an arbitrary number of fully malicious parties (who can deviate arbitrarily from the specified protocol execution). By now, MPC is a fundamental part of cryptography and a subject of intense study.
One of the main challenges is to optimize the efficiency of MPC protocols. In this work, our main focus will be on constructing MPC protocols with the optimal round complexity.^{1}
Round Complexity of MPC. We refer the reader to [3] for a comprehensive overview of prior work on round complexity of MPC. In the honestbutcurious setting, it was known how to achieve a constant number of rounds assuming the existence of oblivious transfer [2, 5, 22, 25, 27]. However, the concrete constants were not explicitly stated and they seem to require at least 4 rounds. These protocols can also be compiled into secure constructions in the fully malicious setting with only a constant number of additional rounds by using coinflipping and concurrent zeroknowledge proofs [20, 25, 26, 27]. In the plain model and the fully malicious setting, there is a known lower bounds of 5 rounds for two party computation^{2}, albeit in nonsimultaneous message model where no broadcast channel is available [24]. A very recent work [15] shows a similar lower bound of 4 rounds assuming broadcast channel. However, in the honestbutcurious setting or even in the fully malicious setting with a common random string (CRS) the above lower bound does not hold and there is only a simple lower bound of 2 rounds [21]. In this work, we will assume the CRS model.
Recently, a result of Asharov et al. [3] showed how to achieve a 3 round MPC protocol in the CRS model, by relying on techniques from fully homomorphic encryption (FHE). Their construction achieves semihonest security under the learning with errors (LWE) assumption, and fully malicious security (in the universal composability (UC) framework) by further assuming the existence of noninteractive zero knowledge arguments (NIZKs). The construction also yields a 2 round protocol in the publickey infrastructure (PKI) model, but it was left as an open problem to achieve 2 rounds in the CRS model.
Even more recently, the results of Garg et al. [14, 16] achieve a 2 round MPC protocol in the CRS model by relying on indistinguishability obfuscation (iO) and statistically sound NIZKs. On a high level, the main idea of that work is to have each party obfuscates its “nextmessage” function, after an initial round where the parties commit to their input. Making this work under the iO assumption is nontrivial and requires much care. However, this approach appears to crucially rely on obfuscation and does not easily lend itself to instantiations under simpler assumptions.
The main open question left by these works is whether 2 round MPC is achievable under more “standard” cryptographic assumptions, without relying on obfuscation.
Our Result. In this work, we construct a 2 round MPC protocol in the CRS model. We achieve honestbutcurious security under only the LWE assumption, and fully malicious security (in the UC framework) by additionally assuming the existence of NIZKs. As our main technical result, which may be of independent interest, we show how to construct a multikey fully homomorphic encryption scheme with a oneround threshold decryption protocol.
2 Overview of Our Techniques
We now give an overview of our techniques by first describing how to construct MPC from multikey FHE with threshold decryption, and then how to construct the latter from LWE.
2.1 MPC via Threshold (Multikey) FHE
 1.
The parties first run a secure distributed protocol for the “threshold keygeneration” of an FHE scheme to agree on a common public key pk and a secret sharing of the corresponding secret key sk so that each party holds one share, and all shares are needed to recover sk.
 2.
Each party i then broadcasts an encryption of its input \(x_i\) under the common public key pk. Note that no individual party or incomplete set of parties can decrypt this ciphertext and so the privacy of the input is maintained. At the end of this round, each party can homomorphically compute the desired function f on the received ciphertexts and derive a common output ciphertext which encrypts \(y =f(x_1,\ldots ,x_N)\).
 3.
The parties run a secure distributed protocol for “threshold decryption” using their shares of the secret key sk to decrypt the output ciphertext and recover the output y in plaintext.^{3}
Secure protocols for threshold keygeneration and decryption can be implemented generically for any FHE scheme by using general MPC techniques, but this would require many rounds. Instead [3] show that specific FHE schemes by Brakerski, Gentry and Vaikuntanathan [8, 9] based on the LWE assumption have a “key homomorphic” property which can be leveraged to get distributed keygeneration and decryption protocols consisting of one round each. Therefore, when instantiated with these schemes, the above template results in a 3 round MPC protocol.^{4}
MPC via Threshold Multikey FHE. One could hope to shave off an additional round from the above template by using multikey fully homomorphic encryption (MFHE), recently introduced by LopezAlt, Tromer and Vaikuntanathan [28]. An MFHE schemes allows parties to independently encrypt their data under different individually chosen keys, while still allowing homomorphic computations over such ciphertexts. The output of such homomorphic computation is a “multikey ciphertext” which cannot be decrypted by any single party individually (as this would violate semantic security of the other parties) but can be decrypted by the parties jointly using the combination of all their secret keys. The work of [28] constructed such an MFHE scheme based on (a variant of) the NTRU assumption.
 1.
Each party individually chooses its own MFHE key pair \((pk_i, sk_i)\), encrypts its input \(x_i\) under \(pk_i\), and broadcasts the resulting ciphertext. At the end of this round, each party can homomorphically compute the desired function f on the received ciphertexts and derive a common multikey ciphertext which encrypts the output \(y =f(x_1,\ldots ,x_N)\).
 2.
The parties run a secure distributed protocol for “threshold decryption” using their secret keys \(sk_i\) to decrypt the multikey ciphertext and recover the output y in plaintext.
As before, a distributed threshold decryption can be implemented generically using general MPC techniques, but this would require many rounds. Unfortunately, the MFHE scheme of [28] does not appear to admit any simpler threshold decryption protocol and therefore it is not known how to use this scheme to get a 2 round MPC.
A recent work of Clear and McGoldrick [10] gives an alternate construction of MFHE based on the LWE assumption, by cleverly adapting an FHE scheme of Gentry, Sahai and Waters [18]. We first present a significantly simplified construction of MFHE from LWE and give a standalone presentation of this scheme. We then show that this scheme admits a simple 1round threshold decryption protocol. This threshold decryption protocol only satisfies a weak notion of security which doesn’t allow us to directly plug it into the above template for MPC. However, we show that we can make this approach work with only minor additional modifications.
As in [3], we show that our basic scheme (based on LWE) achieves security in semimalicious setting, which is a strengthening of the honestbutcurious setting, where parties follow the protocol specification but can choose their random coins adversarially. By using NIZKs, we can then compile such a scheme into one which is secure in the fully malicious setting (and even universally composable) without additional rounds.
2.2 Constructing Threshold Multikey FHE
We now give a highlevel description of the MFHE construction and the threshold decryption protocol. We begin by describing a recent FHE construction by Gentry, Sahai and Waters (GSW) [18] using the notation and exposition of [1]. Then describe how to convert it into a MFHE scheme. Finally, we discuss how to perform threshold decryption.
Public Short Preimage Matrix. Before we describe the GSW encryption, we state a useful fact from [29] which we heavily rely on in the construction.
Lemma 1
([29]). For any \(m \ge n\lceil \log q \rceil \) there exists a fixed efficiently computable matrix \({\mathbf {G}}\in {\mathbb {Z}}_q^{n \times m}\) and an efficiently computable deterministic “short preimage” function \({\mathbf {G}}^{1}(\cdot )\) satisfying the following. On input a matrix \({\mathbf {M}}\in \mathbb {Z}_q^{n\times m'}\) for any \(m'\), the function \({\mathbf {G}}^{1}({\mathbf {M}})\) outputs a bitmatrix \({\mathbf {G}}^{1}({\mathbf {M}})\in {\{0,1\}}^{m\times m'}\) such that \({\mathbf {G}}{\mathbf {G}}^{1}({\mathbf {M}}) = {\mathbf {M}}\).
We can think of \({\mathbf {G}}\) as a special matrix with a “public trapdoor” that allows us to solve the short integer solution (SIS) problem. For those familiar with GSW encryption, multiplication by \({\mathbf {G}}\) is the \(\mathsf {BitDecomp^{1}}\) operation and the function \({\mathbf {G}}^{1}(\cdot )\) is called \(\mathsf {BitDecomp}\), but we can ignore the lowlevel detail of how this is implemented. Note that \({\mathbf {G}}^{1}(\cdot )\) is not itself a matrix but rather an efficiently computable function.
A valid GSW ciphertext of a bit \(\mu \in {\{0,1\}}\) with respect to a secret key \(\mathbf{t}\) is a matrix \({\mathbf {C}}\in {\mathbb {Z}}_q^{n \times m}\) such that \(\mathbf{t}{\mathbf {C}}\approx \mu \mathbf{t}{\mathbf {G}}\). To encrypt a bit \(\mu \) using the public key \({\mathbf {A}}\) we set \({\mathbf {C}}= {\mathbf {A}}{\mathbf {R}}+ \mu {\mathbf {G}}\) where \({\mathbf {R}}\in {\{0,1\}}^{m \times m}\) is chosen as a random bitmatrix. This ensures that the result is a valid encryption of \(\mu \) under the secret key \(\mathbf{t}\) since \(\mathbf{t}{\mathbf {C}}= \mathbf{t}{\mathbf {A}}{\mathbf {R}}+ \mu \mathbf{t}{\mathbf {G}}\approx \mu \mathbf{t}{\mathbf {G}}\).
Given two valid GSW ciphertexts \({\mathbf {C}}_1, {\mathbf {C}}_2\) encrypting the bits \(\mu _1, \mu _2\) with respect to a secret key \(\mathbf{t}\) we can perform homomorphic addition by setting \({\mathbf {C}}^{+} = {\mathbf {C}}_1 + {\mathbf {C}}_2\) and multiplication by setting \({\mathbf {C}}^{\times } = {\mathbf {C}}_1 {\mathbf {G}}^{1}({\mathbf {C}}_2)\). It is a simple exercise to check that \(\mathbf{t}{\mathbf {C}}^{+} \approx (\mu _1+ \mu _2)\mathbf{t}{\mathbf {G}}\) and \(\mathbf{t}{\mathbf {C}}^{\times } \approx (\mu _1\mu _2) \mathbf{t}{\mathbf {G}}\). This allows us to homomorphically evaluate any circuit, subject to the error not getting “too large”.
Finally, to decrypt a ciphertext \({\mathbf {C}}\) we set \({\mathbf {w}}:= (0,\ldots ,0, \lceil q/2 \rceil )\) and compute \(v = \mathbf{t}{\mathbf {C}}{\mathbf {G}}^{1}({\mathbf {w}}^T)\). If \({\mathbf {C}}\) is a valid encryption of \(\mu \) under \(\mathbf{t}\) then \(v \approx \mu \lceil q/2 \rceil \). We recover \(\mu \) by checking whether v is closer to 0 or to q / 2.
Multikey Variant of GSW. We now describe how to convert the above GSW FHE into a multikey FHE. For simplicity, let’s assume that we only have \(N =2\) parties, but everything extends naturally to any polynomial number of parties N. We assume that the matrix \({\mathbf {B}}\) of the GSW encryption scheme is a common public parameter which is used by all parties.
Now assume that the two parties independently encrypt some data under their respective keys. Unfortunately, we will not get anything meaningful by naively attempting to perform the GSW homomorphic operations on these ciphertexts under different keys. Instead, our goal will be to first convert both ciphertexts into a “common format” that will allow us to perform homomorphic operations over them.
In particular, we define a “combined secret key” Open image in new window as the concatenation of the two individual secret keys. Our goal will be to take a ciphertext \({\mathbf {C}}\in {\mathbb {Z}}_q^{n \times m}\) which encrypts a bit \(\mu \) with respect to the secret key of a single party (along with some helper information specified later) and expand it into multikey ciphertext \(\widehat{{\mathbf {C}}}\in {\mathbb {Z}}_q^{2n \times 2m}\) which encrypts \(\mu \) with respect to the combined secret key \(\widehat{\mathbf{t}}\). In particular, a multikey encryption of a bit \(\mu \) satisfies \(\widehat{\mathbf{t}}\widehat{{\mathbf {C}}}\approx \mu \widehat{\mathbf{t}}\widehat{{\mathbf {G}}}\) where \(\widehat{{\mathbf {G}}}= \begin{bmatrix} {\mathbf {G}}&\mathbf {0} \\ \mathbf {0}&{\mathbf {G}}\end{bmatrix} \in {\mathbb {Z}}_q^{2n \times 2m}\) is an expanded public matrix with a corresponding short preimage function \(\widehat{{\mathbf {G}}}^{1}(\cdot )\). Once we do this, we can expand all ciphertexts under individual keys into multikey ciphertexts under the key \(\widehat{\mathbf{t}}\) and then perform homomorphic operations on the multikey ciphertexts just like in basic GSW scheme (just with larger parameters \(n' = 2n, m' = 2m\)). Therefore, the only challenge is how to perform the above “ciphertext expansion step”.
Our goal is to come up with a matrix \({\mathbf {X}}\) for which \(\mathbf{t}_1 {\mathbf {X}}\approx ({\mathbf {b}}_2  {\mathbf {b}}_1){\mathbf {R}}\) and therefore adding \(\mathbf{t}_1{\mathbf {X}}+ \mathbf{t}_2 {\mathbf {C}}\approx \mu \mathbf{t}_2{\mathbf {G}}\) as desired. One can do this by homomorphically combining the \(m^2\) ciphertexts contained in \(\mathcal {U}\), which encrypt each of the scalars \({\mathbf {R}}[a,b]\) of the matrix \({\mathbf {R}}\) under \(\mathbf{t}_1\), to get a “pseudo ciphertext” \({\mathbf {X}}\) which acts like an encryption of the vector \(({\mathbf {b}}_2  {\mathbf {b}}_1){\mathbf {R}}\) in the sense that \(\mathbf{t}_1 {\mathbf {X}}\approx ({\mathbf {b}}_2  {\mathbf {b}}_1){\mathbf {R}}\). This is not a standard homomorphic operation yielding a standard ciphertext – for example, the output is a vector rather than a scalar – but the idea for how to do this is very similar to the way we do standard GSW homomorphic operations. We skip the details of this step in the introduction, and refer the reader to Sect. 5.1 for details.
Threshold Decryption of Multikey GSW. A multikey GSW ciphertext encrypting a bit \(\mu \) with respect to the expanded secret key \(\widehat{\mathbf{t}}= (\mathbf{t}_1,\ldots ,\mathbf{t}_N)\) corresponding to N parties, is a matrix \(\widehat{{\mathbf {C}}}\in {\mathbb {Z}}_q^{nN \times mN}\) such that \(\widehat{\mathbf{t}}\widehat{{\mathbf {C}}}\approx \mu \widehat{\mathbf{t}}\widehat{{\mathbf {G}}}\).
If we were given all of the secret keys \(\widehat{\mathbf{t}}= (\mathbf{t}_1,\ldots ,\mathbf{t}_N)\) simultaneously, we could decrypt this ciphertext using the GSW decryption procedure, scaled up to the larger dimension: let \(\widehat{{\mathbf {w}}}= (0,\ldots ,0,\lceil q/2 \rceil ) \in {\mathbb {Z}}_q^{nN}\) and compute Open image in new window .
However, our goal is to design a distributed decryption protocol, where the parties collaboratively decrypt \(\mu \) without revealing their secret keys to each other. We do this as follows. Let’s think of \(\widehat{{\mathbf {C}}}\) as consisting of N matrices \( {i} \in {\mathbb {Z}}_q^{n \times mN}\) stacked on top of each other. Then each party i uses its secret key \(\mathbf{t}_i\) to output a “partial decryption” \(p_i = \mathbf{t}_i \widehat{{\mathbf {C}}}^{(i)}\widehat{{\mathbf {G}}}^{1}(\widehat{{\mathbf {w}}}^T) + e_i\) where \(e_i\) is some “mediumsized smudging error”. This error is needed to smudge out any information about the error contained in the ciphertext \(\widehat{{\mathbf {C}}}\), which might contain sensitive information beyond just the plaintext bit. These partial decryptions can be combined to compute \(\sum _i p_i \approx v \approx \mu \lceil q/2 \rceil \) and therefore recover the plaintext bit \(\mu \).
The above process satisfies the following security notion: given the ciphertext \(\widehat{{\mathbf {C}}}\), the bit \(\mu \) that it encrypts, and the secret keys \(\{ \mathbf{t}_i~:~ i \ne j\}\) of allbutone of the parties, we can simulate the partial decryption \(p_j\) of party j without knowing its secret key \(\mathbf{t}_j\). Intuitively, this property says that the partial decryption \(p_j\) cannot reveal too much information about \(\mathbf{t}_j\).
The above security property of partial decryption is tricky to use since it allows us to simulate the partial decryption of only one party at a time. Nevertheless, we show that this security property of threshold decryption is sufficient in the context of implementing MPC.
2.3 RoadMap Through the Paper
We begin by giving a definition of multikey FHE (MFHE) first and then MFHE with threshold decryption in Sect. 4. Then in Sect. 5 we construct such a scheme from the LWE and in Sect. 6 we show how to construct MPC from such a scheme. These two sections are independent of each other and can be read in any order.
3 Preliminaries
Throughout, we let \({\lambda }\) denote the security parameter and \(\mathsf{negl}({\lambda })\) denote a negligible function. We represent elements in \(\mathbb {Z}_q\) as integers in the range \((q/2,q/2]\). Let \(\mathbf{x}= (x_1,\ldots ,x_n) \in {\mathbb {Z}}^n\) be a vector. We use the notation \(\mathbf{x}[i]\) to denote the ith component scalar. Similarly for a matrix \({\mathbf {M}}\in {\mathbb {Z}}^{n\times m}\) we use \({\mathbf {M}}[i,j]\) to denote the scalar element located in the ith row and the jth column. In general, vectors are represented as single row matrices. The infinity norm (often called simply norm) of a vector \(\mathbf{x}\) is defined as \(\Vert \mathbf{x}\Vert _\infty = {\max _{i}(\vert \mathbf{x}[i]\vert )}\). The norm of matrices is defined similarly. An ndimensional allzero vector is usually denoted by \(\mathsf {0}^n\) and similarly \(\mathsf {0}^{n\times m}\) denotes an allzero matrix.
For two distributions X, Y, over a finite domain \(\varOmega \), the statistical distance between X and Y is defined by \(\varDelta (X,Y) \mathop {=}\limits ^\mathrm{def}\frac{1}{2}\sum _{\omega \in \varOmega }\left X(\omega )  Y(\omega )\right \). If X, Y are distribution ensembles parameterized by the security parameter, we write \(X \mathop {\approx }\limits ^{{\tiny {\mathrm {stat}}}}Y\) if the quantity \(\varDelta (X,Y)\) is negligible. Similarly, we write \(X \mathop {\approx }\limits ^{{\tiny {\mathrm {comp}}}}Y\) if they are computationally indistinguishable. We write \(\omega \leftarrow X\) to denote that \(\omega \) is sampled at random according to distribution X. We write \(\omega \leftarrow \varOmega \) to denote that it is sampled uniformly at random from the set \(\varOmega \). For a distribution ensemble \(\chi = \chi ({\lambda })\) over the integers, and integers bounds \(B= B({\lambda })\), we say that \(\chi \) is Bbounded if \(\Pr _{x \leftarrow \chi ({\lambda })} [x \le B({\lambda })] =1\).
We rely on the following lemma, which says that adding large noise “smudges out” any small values (see e.g., [4] for proof).
Lemma 2
(Smudging Lemma). Let \(B_1 = B_1({\lambda })\), and \(B_2 = B_2({\lambda })\) be positive integers and let \(e_1 \in [B_1, B_1]\) be a fixed integer. Let \(e_2 \leftarrow [B_2, B_2]\) be chosen uniformly at random. Then the distribution of \(e_2\) is statistically indistinguishable from that of \(e_2 + e_1\) as long as \(B_1/B_2 = \mathsf{negl}({\lambda })\).
Learning with Errors. The decisional learning with errors (LWE) problem, introduced by Regev [33], is defined as follows.
Definition 1
The works of [32, 33] show that the LWE problem is as hard as approximating the shortest vector problem in lattices (for appropriate parameters). The version of the LWE assumption that we need here is that for any polynomial \(p = p({\lambda })\) there is a polynomial \(n =n({\lambda })\), a modulus \(q = q({\lambda })\) of singlyexponential size, and a distribution \(\chi = \chi ({\lambda })\) such that \(\chi \) is \(B_{\chi }\)bounded and \(q \ge 2^p B_{\chi }\) such that \(\mathsf {LWE}_{n,q,\chi }\) holds. This is as hard as approximating the shortest vector with subexponential approximation factors.
4 Defining Threshold Multikey FHE
4.1 Multikey FHE (MFHE)
We start with our definition of (leveled) multikey FHE which is adapted from the definition given by LopezAlt, Tromer and Vaikuntanathan [28] with some minor differences which reflect differences in the properties achieved by the schemes of [28] and [10]. On the positive side, in the scheme of [10] the number of parties N need not be known ahead of time during key generation or encryption. On the negative side, the scheme of [10] requires some common public parameters that are available to the parties during key generation.
Below we call any ciphertext which is associated with multiple keys an “expanded” ciphertext. Also, the ciphertexts that are generated by the encryption procedure (and thus corresponds to a single key) are called “fresh” ciphertexts, and the expanded ciphertexts that are output by the homomorphic evaluations are called “evaluated” ciphertexts.
Definition 2

\(\mathsf {params}\leftarrow \mathsf {Setup}(1^{{\lambda }},1^d)\): Setup takes as input the security parameter \({\lambda }\) and the circuit depth d and outputs the system parameters \(\mathsf {params}\). We assume that all the other algorithms take \(\mathsf {params}\) as an input implicitly.

\((sk,pk)\leftarrow \mathsf{Keygen}(\mathsf {params})\): Output secret key \(sk\) and public key \(pk\).

\(c\leftarrow \mathsf {Encrypt}(pk,\mu )\): On input \(pk\) and some message \(\mu \) output a ciphertext c.

\(\widehat{c}\leftarrow \mathsf {Expand}((pk_{1},\ldots ,pk_{N}),i,c)\): Given a sequence of N publickeys and a fresh ciphertext c under the ith key \(pk_i\), it outputs an “expanded” ciphertext\(\widehat{c}\).

\(\widehat{c}:=\mathsf {Eval}(\mathsf {params},\mathcal {C},(\widehat{c}_1,\ldots ,\widehat{c}_\ell ))\): Given a (description of) boolean circuit \(\mathcal {C}\) of depth \(\le d\) along with \(\ell \) expanded ciphertexts \((\widehat{c}_1,\ldots ,\widehat{c}_\ell )\), outputs an evaluated ciphertext \(\widehat{c}\).

\(\mu :=\mathsf {Decrypt}(\mathsf {params},(sk_1,\ldots ,sk_N),c)\): On input some ciphertext \(\widehat{c}\) and a sequence of N secret keys output a message \(\mu \).
 Semantic security of encryption: For any polynomial \(d= d(\lambda )\) and any two messages \(\mu _0,\mu _1\) the following distributions are computationally indistinguishable:where \(\mathsf {params}\leftarrow \mathsf {Setup}(1^{\lambda },1^d), (sk,pk)\leftarrow \mathsf{Keygen}(\mathsf {params})\).$$ (\mathsf {params}, pk,\mathsf {Encrypt}(pk,\mu _0)) \mathop {\approx }\limits ^{{\tiny {\mathrm {comp}}}}(\mathsf {params}, pk,\mathsf {Encrypt}(pk,\mu _1))$$

Correctness and compactness: Let \(\mathsf {params}\leftarrow \mathsf {Setup}(1^{\lambda },1^d)\). Consider any sequences of N correctly generated key pairs \(\{(pk_i,sk_i)\leftarrow \mathsf{Keygen}(\mathsf {params})\}_{i\in [N]}\) and any \(\ell \)tuple of messages \((\mu _1,\ldots ,\mu _\ell )\). For any sequence of indices \((I_1,\ldots ,I_\ell )\) where each \(I_i\in [N]\) let \(\{c_i\leftarrow \mathsf {Encrypt}(pk_{I_{i}},\mu _i)\}_{i\in [\ell ]}\) be encryptions of the messages \(\mu _i\) under the \(I_i\)th public key and let \(\widehat{c}_i\leftarrow \mathsf {Expand}((pk_1,\ldots ,pk_N),I_i,c_i)\}_{i\in [\ell ]}\) be the corresponding expanded ciphertexts. Let \(\mathcal {C}\) be any (boolean) circuit of depth \(\le d\) and let \(\widehat{c}:=\mathsf {Eval}(\mathcal {C},(\widehat{c}_1,\ldots ,\widehat{c}_\ell )\) be the evaluated ciphertext. Then the following holds:
Correctness of Expansion: \(\forall ~i~\in [\ell ]~,~\mathsf {Decrypt}((sk_1,\ldots ,sk_N),\widehat{c}_i)= \mu _i\).
Correctness of Evaluation: \(\mathsf {Decrypt}((sk_1,\ldots ,sk_N),\widehat{c})= \mathcal {C}(\mu _1,\ldots ,\mu _\ell ) \).
Compactness: There exists a polynomial \(p(\cdots )\) such that \(\widehat{c}\le p({\lambda },d,N)\). In other words the size of \(\widehat{c}\) should be independent of \(\mathcal {C}\) and \(\ell \), but can depend on \({\lambda }\), d and N.
PublicCoin Parameter Generation. By default, we will consider schemes where the \(\mathsf {Setup}\) algorithm is “publiccoin” meaning that its randomness is included in its output. For such algorithms, we can derive \(\mathsf {params}\) from a common random string.
4.2 Threshold Decryption for MFHE
We now define a multikey FHE which supports a oneround threshold distributed decryption protocol. Such a protocol consists of two components: (1) given an expanded ciphertext (possibly evaluated) \(\widehat{c}\) each party can compute a partial decryption using its secret key \(sk_i\), (2) there is a way to combine the partial decryptions computed by each party to recover the plaintext.
Definition 3

\(p_i\leftarrow \mathsf {MFHE}.\mathsf {PartDec}(\widehat{c},(pk_1,\ldots ,pk_N),i,sk_i)\): On input an expanded ciphertext under a sequence of N keys and the ith secret key output a partial decryption \(p_i\).

\(\mu \leftarrow \mathsf {MFHE}.\mathsf {FinDec}(p_1,\ldots ,p_N)\): On input N partial decryption output the plaintext \(\mu \).
Along with the properties of multikey FHE we require the scheme to satisfy the following properties.

Correctness and Simulation: Let \(\mathsf {params}\leftarrow \mathsf {Setup}(1^{\lambda },1^d)\). Consider any sequences of N correctly generated key pairs \(\{(pk_i,sk_i)\leftarrow \mathsf{Keygen}(\mathsf {params})\}_{i\in [N]}\) and any \(\ell \)tuple of messages \((\mu _1,\ldots ,\mu _\ell )\). For any sequence of indices \((I_1,\ldots ,I_\ell )\) where each \(I_i\in [N]\) let \(\{c_i\leftarrow \mathsf {Encrypt}(pk_{I_{i}},\mu _i)\}_{i\in [\ell ]}\) be encryptions of the messages \(\mu _i\) under the \(I_i\)th public key and let \(\widehat{c}_i\leftarrow \mathsf {Expand}((pk_1,\ldots ,pk_N),I_i,c_i)\}_{i\in [\ell ]}\) be the corresponding expanded ciphertexts. Let \(\mathcal {C}\) be any (boolean) circuit of depth \(\le d\) and let \(\widehat{c}:=\mathsf {Eval}(\mathcal {C},(\widehat{c}_1,\ldots ,\widehat{c}_\ell )\) be the evaluated ciphertext.
 Correctness of Decryption: The following holds with probability 1:where \(\{p_i\leftarrow \mathsf {MFHE}.\mathsf {PartDec}(\widehat{c},(pk_1,\ldots ,pk_N),i,sk_i)\}_{i\in [N]}\) are the partial decryptions.$$\mathsf {MFHE}.\mathsf {FinDec}(\widehat{c}, (p_1,\ldots ,p_N)) = \mathcal {C}(\mu _1,\ldots ,\mu _\ell )$$
 Simulatability of partial decryption: There exists a PPT simulator \(\mathcal{S}^{thr}\) which, on input and index \(i \in [N]\) and all but the ith keys \(\{sk_j\}_{j\in [N]\setminus \{i\}}\) the evaluated ciphertext \(\widehat{c}\) and the output message \(\mu := \mathcal {C}(\mu _1,\ldots ,\mu _\ell )\) produces a simulated partial decryption \(p'_i\leftarrow \mathcal{S}^{thr}(\mu ,\widehat{c},i,\{sk_j\}_{j\in [N]\setminus \{i\}})\) such thatwhere \(p_i\leftarrow \mathsf {MFHE}.\mathsf {PartDec}(\widehat{c},(pk_1,\ldots ,pk_N),i,sk_i)\). Note that the randomness is only over the random coins of the simulator and the \(\mathsf {MFHE}.\mathsf {PartDec}\) procedure and all other values are assumed to be fixed (and known).$$p_i \mathop {\approx }\limits ^{{\tiny {\mathrm {stat}}}}p'_i$$

The simulatability of partial decryptions property says that we can simulate the partial decryption \(p_i\) produced by a single party i given the plaintext value \(\mu \) and the secret keys of all other parties. Ideally, we would have a stronger definition that allows us to simulate the partial decryptions \(\{p_i\}_{i \in S}\) of any subset of the parties S given the secret keys of all other parties (rather than just a single values), but unfortunately we do not know how to achieve this type of security. It turns out that, with a little additional work, the given definition suffices in our MPC construction.
5 Constructing Threshold Multikey FHE from LWE
We now show how to construct threshold multikey FHE from LWE. The construction proceeds in four parts. First, we present the GSW encryption scheme along with a nonstandard but useful homomorphic property that it satisfies. Secondly, we define the notion of a masking scheme for GSW and show how to construct it. Thirdly, we use GSW and the masking scheme to construct multikey FHE. Finally, we show to perform threshold decryption for this scheme.
5.1 GSW Fully Homomorphic Encryption
We now describe the GSW fully homomorphic encryption scheme.

\(\mathsf {params}\leftarrow \mathsf {GSW}.\mathsf {SetUp}(1^{\lambda },1^d)\): Choose a lattice dimension parameters \(n = n({\lambda },d)\) and \(B_{\chi }\)bounded error distribution \(\chi = \chi ({\lambda },d)\) and a modulus q of size \(q = B_{\chi }2^{\omega ( d {\lambda }\log {\lambda })}\) such that \(\mathsf {LWE}_{n1,q,\chi ,B_{\chi }}\) holds.^{6} Choose \(m= n\log (q) + \omega (\log {\lambda })\). Finally choose a random matrix \({\mathbf {B}}\in \mathbb {Z}_q^{n1\times m}\). Output \(\mathsf {params}:= (q,n,m,\chi ,B_{\chi },{\mathbf {B}})\). We stress that all the other algorithms implicitly get \(\mathsf {params}\) as input even if we usually do not write this explicitly.
 \(\mathsf {GSW}.\mathsf{Keygen}(\mathsf {params})\): We separately describe two subalgorithms to generate secretkey and pubickey respectively:

\(\mathsf {GSW}.\mathsf {SKGen}(\mathsf {params})\): Sample Open image in new window . Output \(sk= \mathbf{t}= ({\mathbf {s}},1)\in \mathbb {Z}_q^n\).

\(\mathsf {GSW}.\mathsf {PKGen}(\mathsf {params},sk)\): Sample \({\mathbf {e}}\leftarrow \chi ^m\). Set \({\mathbf {b}} :={\mathbf {s}}{\mathbf {B}}+ {\mathbf {e}}\in \mathbb {Z}_q^m\). Output \(pk= {\mathbf {A}}\) where, \({\mathbf {A}}\in \mathbb {Z}_q^{n\times m}\) is defined as \({\mathbf {A}}:=\begin{bmatrix} {\mathbf {B}}\\ {\mathbf {b}}\end{bmatrix}\)

 \(\mathsf {GSW}.\mathsf {Encrypt}(pk,\mu )\): Choose a short random matrix as the randomness Open image in new window . Then output the encryption of message \(\mu \in {\{0,1\}}\) as \({\mathbf {C}}\in \mathbb {Z}_q^{n\times m}\) where,$$ {\mathbf {C}}:= {\mathbf {A}}{\mathbf {R}}+ \mu {\mathbf {G}}$$
 \(\mathsf {GSW}.\mathsf {Decrypt}(sk,{\mathbf {C}})\): Let \(\mathbf{t}:=sk\). Define a vector \({\mathbf {w}}\in \mathbb {Z}_q^{n}\) as follows:Then compute \(v=\mathbf{t}{\mathbf {C}}{\mathbf {G}}^{1}({\mathbf {w}}^{T})\in \mathbb {Z}_q^m\). Finally output \(\mu ' = \left \left\lfloor \frac{v}{q/2}\right\rceil \right \) as the decrypted message.$$\begin{aligned} {\mathbf {w}} = [0,\ldots ,0,\lceil q/2\rceil ] \end{aligned}$$
 On input two ciphertexts \({\mathbf {C}}_1,{\mathbf {C}}_2\in \mathbb {Z}_q^{n\times m}\) we can define homomorphic addition, multiplication:

\(\mathsf {GSW}.\mathsf {Add}({\mathbf {C}}_1,{\mathbf {C}}_2)\): Output \({\mathbf {C}}_1 + {\mathbf {C}}_2\in \mathbb {Z}_q^{n\times m}\).

\(\mathsf {GSW}.\mathsf {Mult}({\mathbf {C}}_1,{\mathbf {C}}_2)\): Output the matrix product \({\mathbf {C}}_1 {\mathbf {G}}^{1}({\mathbf {C}}_2)\in \mathbb {Z}_q^{n\times m}\).
This also allows us to compute a homomorphic NAND gate by outputting \({\mathbf {G}} {\mathbf {C}}_1 {\mathbf {G}}^{1}({\mathbf {C}}_2)\).

We sketch the proof of the following theorem for completeness.
Theorem 1
([18]). The scheme described above is a secure FHE under the \(\mathsf {LWE}_{n1,q,\chi ,B_{\chi }}\) assumption.
Security. The proof of semantic security consists of two steps. First, we can use the LWE assumption to replace the public key \(pk = {\mathbf {A}}\) with a uniformly random matrix in \({\mathbb {Z}}_q^{n \times m}\). Then we can use the leftover hash lemma to replace the ciphertext \({\mathbf {C}}:= {\mathbf {A}}{\mathbf {R}}+ \mu {\mathbf {G}}\) with a uniformly random value \({\mathbf {C}}'\). We refer the reader to [18] for details.
Correctness. To analyze correctness, it is helpful to define the following notion of a “noisy ciphertext”.
Definition 4
( \(\beta \) noisy ciphertext). A \(\beta \)noisy ciphertext of some message \(\mu \) under secretkey \(sk= \mathbf{t}\in \mathbb {Z}_q^n\) is a matrix \({\mathbf {C}}\in \mathbb {Z}_q^{n\times m}\) such that: \(\mathbf{t}{\mathbf {C}}= \mu \mathbf{t}{\mathbf {G}}+ {\mathbf {e}}\) for some \({\mathbf {e}}\) with \(\Vert {\mathbf {e}}\Vert _\infty \le \beta \).

Encryption: Consider a fresh ciphertext \({\mathbf {C}}={\mathbf {A}}{\mathbf {R}}+\mu {\mathbf {G}}\) which is generated by encrypting some message \(\mu \) with some public key \({\mathbf {A}}\) with corresponding secret key \(\mathbf{t}\). First recall that \(\mathbf{t}{\mathbf {A}}={\mathbf {e}}\) such that \(\Vert {\mathbf {e}}\Vert _\infty \le B_{\chi }\). Therefore \(\mathbf{t}{\mathbf {C}}= {\mathbf {e}}'+\mu \mathbf{t}{\mathbf {G}}\) where \({\mathbf {e}}' = {\mathbf {e}}{\mathbf {R}}\) which implies \(\Vert {\mathbf {e}}'\Vert _\infty \le mB_{\chi }\). Hence \({\mathbf {C}}\) is \(mB_{\chi }\)noisy encryption of \(\mu \) under \(\mathbf{t}\). Let us call this value initial noise or \(\beta _{init} = mB_{\chi }\).

Evaluation: Let \({\mathbf {C}}_1\) and \({\mathbf {C}}_2\) be two ciphertexts which are \(\beta _1\) and \(\beta _2\) noisy encryption of \(\mu _1,\mu _2 \in {\{0,1\}}\) under the key \(\mathbf{t}\) respectively, so that: \(\mathbf{t}{\mathbf {C}}_1 = {\mathbf {e}}_1 + \mu _1\mathbf{t}{\mathbf {G}}\) and \(\mathbf{t}{\mathbf {C}}_2 = {\mathbf {e}}_2 +\mu _2\mathbf{t}{\mathbf {G}}\) with \(\Vert {\mathbf {e}}_1\Vert _\infty \le \beta _1,\Vert {\mathbf {e}}_2\Vert _\infty \le \beta _2\).

Addition: Then their addition will result in a ciphertext \({\mathbf {C}}^{(+)} = {\mathbf {C}}_1 + {\mathbf {C}}_2\) such that, \(\mathbf{t}{\mathbf {C}}^{(+)} = {\mathbf {e}}' + (\mu _1+\mu _2)\mathbf{t}{\mathbf {G}}\) where \({\mathbf {e}}' = {\mathbf {e}}_1 + {\mathbf {e}}_2\). Clearly this is \(\beta _1+\beta _2\)noisy.

Multiplication: On the other hand the multiplication would produce a ciphertext \({\mathbf {C}}^{(\times )}={\mathbf {C}}_1{\mathbf {G}}^{1}({\mathbf {C}}_2)\) such that \(\mathbf{t}{\mathbf {C}}^{(\times )} = {\mathbf {e}}'' + \mu _1\mu _2{\mathbf {G}}\) where \({\mathbf {e}}'' = {\mathbf {e}}{\mathbf {G}}^{1}({\mathbf {C}}_2)+\mu _1{\mathbf {e}}_2\). Clearly \(\Vert {\mathbf {e}}''\Vert _\infty \le (m\beta _1+\beta _2)\) and the ciphertext \({\mathbf {C}}^{(\times )}\) is \((m\beta _1+\beta _2)\)noisy. The same calculation holds for NAND gates.

Decryption: Let \({\mathbf {C}}\) be a \(\beta \)noisy encryption of \(\mu \) so that: \(\mathbf{t}{\mathbf {C}}= {\mathbf {e}}+ \mu \mathbf{t}{\mathbf {G}}\) where \(\Vert e\Vert _\infty = \beta \). Then \( v = \mathbf{t}{\mathbf {C}}{\mathbf {G}}^{1}({\mathbf {w}}^T) =e' +\mu (q/2)\) such that \(e' =\langle {\mathbf {e}}~,~ {\mathbf {G}}^{1}({\mathbf {w}}^T)\rangle \). Clearly, \(\Vert e'\Vert _\infty \le m\beta \). Now one can observe that decryption works correctly as long as \(\Vert e'\Vert _\infty < q/4\). Therefore correctness holds as long as \(\beta < q/(4m)\). We call this value \(\beta _{max}:= q/(4m)\).
Consider evaluating a (boolean) circuit of depth d consisting of NAND gates. It takes input fresh ciphertexts (\(\beta _{init}\)noisy) and each level multiplies the noise by a factor of at most \((m+1)\). Therefore, the final output is \(\beta _{final}\)noisy ciphertexts where \(\beta _{final} = (m+1)^{d}\beta _{init}\). To ensure correctness of decryption we need \(\beta _{final}\le \beta _{max}\) meaning \(B_{\chi }4m^2(m+1)^d < q\) which is satisfied by our choice of parameters. This concludes the proof.
Homomorphic Linear Combinations and Pseudo Encryption. We now define an additional homomorphic operation. This operation takes as input GSW ciphertexts \({\mathbf {C}}_{i,j}\) encrypting the individual entries \({\mathbf {M}}[i,j]\) of some matrix \({\mathbf {M}}\in {\mathbb {Z}}_q^{m \times m}\) under a secret key \(\mathbf{t}\). It also takes a plaintext vector \(\mathbf {v}\in {\mathbb {Z}}_q^m\) which specifies the homomorphic function to be computed. The operations outputs a “pseudo ciphertext” \({\mathbf {C}}_{lc}\) which we can think of as a pseudo encryption of the vector \(\mathbf {v}{\mathbf {M}}\), meaning that \(\mathbf{t}{\mathbf {C}}_{lc}\approx \mathbf {v}{\mathbf {M}}\). Note that the “pseudo ciphertext” \({\mathbf {C}}_{lc}\) cannot be correctly decrypted (we can only recover something close to \(\mathbf {v}{\mathbf {M}}\) but not the exact value) nor can we further perform any of the standard GSW homomorphic operations on it.
Property 1
 1.For each \(i\in [m], j\in [m]\) define a matrix \({\mathbf {Z}}_{i,j}\in \mathbb {Z}_q^{n\times m}\) as follows: In other words \({\mathbf {Z}}_{i,j}\) will have 0 everywhere except the nth (final) row and jth column where it has the value \(\mathbf {v}[i]\).
 2.
Now output \({\mathbf {C}}_{lc}\in \mathbb {Z}_q^{n\times m} \) where: Open image in new window
5.2 A Masking Scheme for GSW
We now define and show how to construct a “masking scheme” for GSW, which serves as the main component of the multikey FHE scheme. Intuitively, a masking scheme allows us to take a GSW public key \(pk = {\mathbf {A}}\) (having a corresponding secret key \(\mathbf{t}\)) and a bit \(\mu \) and output a pair of values \((\mathcal {U},{\mathbf {C}})\) such that \({\mathbf {C}}\) is a GSW encryption of \(\mu \) with \(pk\) and \(\mathcal {U}\) is an auxiliary value such that (1) the pair \((\mathcal {U},{\mathbf {C}})\) computationally hide \(\mu \) (just like \({\mathbf {C}}\) alone) and (2) later, given another GSW public key \(pk = {\mathbf {A}}'\) (having a corresponding secret key \(\mathbf{t}'\)) we can compute a matrix \({\mathbf {X}}\) such that \(\mathbf{t}{\mathbf {X}}+ \mathbf{t}' {\mathbf {C}}= \mu \mathbf{t}' {\mathbf {G}}\).
Property 2

\(\mathsf {UniEnc}(\mu ,pk)\): On input a message \(\mu \in {\{0,1\}}\) and a GSW public key pk it generates a pair \( (\mathcal {U},{\mathbf {C}})\) where \({\mathbf {C}}\in \mathbb {Z}_q^{n\times m}\) and \(\mathcal {U}\in {\{0,1\}}^*\).

\(\mathsf {Extend}(\mathcal {U},pk, pk')\): On input \(\mathcal {U}\) and GSW public keys \(pk, pk'\) it outputs \({\mathbf {X}}\in \mathbb {Z}_q^{n\times m}\).
 Semantic Security: For any polynomial \(d = d({\lambda })\) security of GSW encryption implies that:where \(\mathsf {params}\leftarrow \mathsf {GSW}.\mathsf {SetUp}(1^{\lambda },1^d)\), \((sk, pk) \leftarrow \mathsf {GSW}.\mathsf{Keygen}(\mathsf {params})\).$$(\mathsf {params},pk,\mathsf {UniEnc}(0,pk))\mathop {\approx }\limits ^{{\tiny {\mathrm {comp}}}}(\mathsf {params}, pk,\mathsf {UniEnc}(1,pk))$$
 Correctness: Let \(\mathsf {params}\leftarrow \mathsf {GSW}.\mathsf {SetUp}(1^{\lambda },1^d)\) and let \((sk= \mathbf{t},pk),(sk' = \mathbf{t}',pk')\) be two independent key pairs generated with \(\mathsf {GSW}.\mathsf{Keygen}(\mathsf {params})\). For any \(\mu \in {\{0,1\}}\) let \((\mathcal {U},{\mathbf {C}})\leftarrow \mathsf {UniEnc}(\mu ,pk)\) and \({\mathbf {X}}\leftarrow \mathsf {Extend}(\mathcal {U},pk, pk')\). Thenwhere \(\Vert {\mathbf {e}}\Vert _\infty \le \beta _{mask}\) for \(\beta _{mask}:= (m^4 +m) B_{\chi }\).$$\mu :=\mathsf {GSW}.\mathsf {Decrypt}(sk,{\mathbf {C}})~~\text {and}~~\mathbf{t}{\mathbf {X}}+\mathbf{t}'{\mathbf {C}}= \mu \mathbf{t}'{\mathbf {G}}+{\mathbf {e}}$$
Instantiation. We now show how to implement such masking scheme.

\(\mathsf {UniEnc}(pk,\mu )\): On input a message \(\mu \) and a public key \(pk\) the algorithm outputs \(\mathcal {U}\), which is a \(m^2\)tuple of matrices in \(\mathbb {Z}_q^{n\times m}\), and \({\mathbf {C}}\in \mathbb {Z}_q^{n\times m}\) as follows.
 1.
Let \( {\mathbf {A}}= pk\). Set \({\mathbf {C}}\leftarrow \mathsf {GSW}.\mathsf {Encrypt}(pk,\mu ) \in \mathbb {Z}_q^{n\times m}\) so that \({\mathbf {C}}= {\mathbf {A}}{\mathbf {R}}+ \mu {\mathbf {G}}\) where \({\mathbf {R}}\in {\{0,1\}}^{m \times m}\) is the encryption randomness.
 2.
Encrypt each element of the random matrix \({\mathbf {R}}\) (chosen in Step 1) to get \(m^2\) ciphertexts: \({\mathbf {V}}^{(a,b)}_{} \leftarrow \mathsf {GSW}.\mathsf {Encrypt}(pk,{\mathbf {R}}[a,b])\). Set \(\mathcal {U}:= \left( {\mathbf {V}}^{(1,1)}_{},\ldots ,{\mathbf {V}}^{(m,m)}_{}\right) \in \left( \mathbb {Z}_q^{n\times m}\right) ^{(m^2)}\).
 1.
 \(\mathsf {Extend}(\mathcal {U}, pk, pk')\): On input a \(\mathcal {U}\in \left( \mathbb {Z}_q^{n\times m}\right) ^{(m^2)}\) and public keys \(pk, pk'\) the algorithm computes \({\mathbf {X}}\in \mathbb {Z}_q^{n\times m}\) as follows:
 1.
Parse \(pk = {\mathbf {A}}= \begin{bmatrix} {\mathbf {B}}\\{\mathbf {b}}\end{bmatrix}\), \(pk' = {\mathbf {A}}' = \begin{bmatrix} {\mathbf {B}}\\{\mathbf {b}}' \end{bmatrix}\) and, \(\mathcal {U}= \big (\{{\mathbf {V}}^{(a,b)}_{}\}_{a,b\in [m]}\big )\).
 2.
Set \({\mathbf {X}}= \mathsf {GSW.LComb}\big (({\mathbf {V}}^{(1,1)}_{},\ldots ,{\mathbf {V}}^{(m,m)}_{}),{\mathbf {b}}'  {\mathbf {b}}\big )\).
 1.

Firstly, we modify each of the ciphertexts \({\mathbf {V}}^{(a,b)}_{}\) so that instead of being GSW encryptions of \({\mathbf {R}}[a,b]\), we just choose them as GSW encryptions of 0. This just relies on semantic security of GSW encryption.

Secondly, we also choose \({\mathbf {C}}\) as a GSW encryption of 0. This also just follows from the semantic security of GSW encryption, since after the first step no information about the randomness \({\mathbf {R}}\) is given out.
Finally, this distribution is completely independent of the bit \(\mu \) which concludes the proof of semantic security.
Correctness. Let \(\left( (sk= \mathbf{t},pk= {\mathbf {A}}),(sk' = \mathbf{t}',pk' = {\mathbf {A}}')\right) \) be two correctly generated GSW keypairs. Now recall that, \(sk= \mathbf{t}= ({\mathbf {s}},1) \in \mathbb {Z}_q^{n}\), and \(sk' = \mathbf{t}' = ({\mathbf {s}}',1)\in \mathbb {Z}_q^n\); \(pk= {\mathbf {A}}= \begin{bmatrix}{\mathbf {B}}\\{\mathbf {b}} \end{bmatrix}\in \mathbb {Z}_q^{n\times m}\), \(pk' = {\mathbf {A}}' = \begin{bmatrix}{\mathbf {B}}\\{\mathbf {b}}' \end{bmatrix}\in \mathbb {Z}_q^{n\times m}\) where \({\mathbf {b}}= {\mathbf {s}}{\mathbf {B}}+ {\mathbf {e}}\), \({\mathbf {b}}' = {\mathbf {s}}'{\mathbf {B}}+ {\mathbf {e}}'\) with \(\Vert {\mathbf {e}}\Vert _\infty , \Vert {\mathbf {e}}'\Vert _\infty \le \beta _{\chi }\).
Combining these equations, we get \(\mathbf{t}{\mathbf {X}}+ \mathbf{t}' {\mathbf {C}}= \mu \mathbf{t}' {\mathbf {G}}+ {\mathbf {e}}^*\) where \(\Vert {\mathbf {e}}^*\Vert _\infty \le (m^4 +m) B_{\chi }\) as claimed.
5.3 Construction of Multikey FHE
Construction. Now we describe our multikey FHE construction.
 \(\mathsf {MFHE}.\mathsf {SetUp}(1^\lambda ,1^d)\): Run the setup algorithm of GSW to generate the parameters:$$\mathsf {params}:= (q,n,m,\chi ,B_{\chi },{\mathbf {B}})\leftarrow \mathsf {GSW}.\mathsf {SetUp}(1^\lambda ,1^d).$$
 \(\mathsf {MFHE}.\mathsf{Keygen}(\mathsf {params})\): Run the keygeneration algorithm of GSW to generate:$$sk:=\mathbf{t}\leftarrow \mathsf {GSW}.\mathsf {SKGen}(\mathsf {params})\qquad pk:={\mathbf {A}}\leftarrow \mathsf {GSW}.\mathsf {PKGen}(\mathsf {params},sk)$$
 \(\mathsf {MFHE}.\mathsf {Encrypt}(pk,\mu )\): Execute the following steps:

Just use the masking scheme: \((\mathcal {U},{\mathbf {C}})\leftarrow \mathsf {UniEnc}(\mu ,pk)\).

Output the pair \(c:=(\mathcal {U},{\mathbf {C}})\) as the ciphertext for \(\mu \).


\(\mathsf {MFHE}.\mathsf {Expand}((pk_{1},\ldots ,pk_{N}),i,c)\): On receiving a sequence of publickeys \(\left( pk_1,\ldots ,pk_N\right) \) and a fresh ciphertext \(c = (\mathcal {U},{\mathbf {C}})\) under the public key \(pk_i\) run the \(\mathsf {Extend}\) algorithm for all \(pk_j\) where \(i\ne j\).

For \(j\in \left\{ pk_1,\ldots ,pk_N\right\} \setminus \{i\}\), compute \({\mathbf {X}}_j\leftarrow \mathsf {Extend}(\mathcal {U},pk_i, pk_j)\).
 Then define a matrix \(\widehat{{\mathbf {C}}}\in \mathbb {Z}_q^{nN\times mN}\) as a concatenation of \(N^2\) submatrices where each submatrix \({\mathbf {C}}_{a,b} \in {\mathbb {Z}}_q^{n \times m}\) for \(a,b\in [N]\) is defined as: For reader’s convenience we provide a pictorial representation of \(\widehat{{\mathbf {C}}}\) in Fig. 1:
Finally output \(\widehat{c} :=\widehat{{\mathbf {C}}}\) as the expanded ciphertext.


\(\mathsf {MFHE}.\mathsf {Eval}(\mathsf {params},\mathcal {C},(\widehat{c}_1,\ldots ,\widehat{c}_\ell ))\) On input \(\ell \) expanded ciphertexts simply use the GSW homomorphic evaluation algorithms namely \(\mathsf {GSW}.\mathsf {Add}\) and \(\mathsf {GSW}.\mathsf {Mult}\), albeit with expanded dimensions \(n' = nN\) and \(m' = mN\) and the expanded \(\widehat{{\mathbf {G}}}_N,\widehat{{\mathbf {G}}}^{1}_N\) (in place of n, m and \({\mathbf {G}}, {\mathbf {G}}^{1}\)).

\(\mathsf {MFHE}.\mathsf {Decrypt}(\mathsf {params},(sk_1,\ldots ,sk_N),c)\): On input a ciphertext \(c = \widehat{{\mathbf {C}}}\) and the sequence of secret keys \((sk_1,\ldots ,sk_N)\) parse each \(\mathbf{t}_i:=sk_i\) and then construct the joint secret key by horizontally appending all the secretkeys in sequence Open image in new window . Then run the GSW decryption algorithm albeit with expanded dimensions \(n' = nN\) and \(m' = mN\) and the expanded \(\widehat{{\mathbf {G}}}_N,\widehat{{\mathbf {G}}}^{1}_N\) (in place of n, m and \({\mathbf {G}}, {\mathbf {G}}^{1}\)).
Correctness and Security of MFHE Construction
Theorem 2
The scheme described above is a secure MFHE under the \(\mathsf {LWE}_{n1,q,\chi ,B_{\chi }}\) assumption (with the same parameters as we defined for GSW encryption).
Semantic Security. The semantic security of the above multikey FHE follows directly from that of the GSW masking scheme.
where \(\Vert {\mathbf {e}}_i\Vert _\infty \le mB_{\chi }\) by the correctness of GSW encryption and for \(j\ne i\), \(\Vert {\mathbf {e}}_j\Vert _\infty \le (m^4 +m) B_{\chi }\) by the correctness of the GSW masking scheme. Therefore, Open image in new window where \(\Vert {\mathbf {e}}\Vert _\infty \le (m^4 +m) B_{\chi }\). Let’s call this value \(\beta '_{init} = (m^4 +m) B_{\chi }= 2^{O(\log {\lambda })} B_{\chi }\). The correctness of GSW encryption is guaranteed as long as \(\beta '_{init} \le q/(4m')\) which holds with the choice of q we defined.
Correctness of Evaluation. Let \(\widehat{{\mathbf {C}}}_1, \ldots , \widehat{{\mathbf {C}}}_\ell \) be expanded ciphertexts corresponding to bit \(\mu _1,\ldots ,\mu _\ell \) so that, by the above correctness property, \(\widehat{\mathbf{t}}\widehat{{\mathbf {C}}}_i = \mu _i \widehat{\mathbf{t}}\widehat{{\mathbf {G}}}+ {\mathbf {e}}_i\) where \(\Vert {\mathbf {e}}_i\Vert _\infty \le \beta '_{init}\). If \(\widehat{{\mathbf {C}}}\) is the output of a homomorphic evaluation of a circuit \(\mathcal {C}\) of depth d over the above ciphertexts such that \(\mu = \mathcal {C}(\mu _1,\ldots ,\mu _\ell )\) then by the correctness of GSW homomorphic evaluation with scaled up parameters \(n' = nN, m' = mN\) we have Open image in new window where \(\Vert {\mathbf {e}}\Vert _\infty \le \beta '_{init} (m'+1)^d = (m^4 +m) B_{\chi }(mN + 1)^d\). Let’s call this value \(\beta '_{final} = B_{\chi }(m^4 +m) (mN + 1)^d = 2^{O(d \log {\lambda })} B_{\chi }\). The correctness of GSW encryption is guaranteed as long as \(\beta '_{final} \le q/(4m')\) which holds with the choice of q we defined.
5.4 Threshold Decryption for Multikey FHE
We now show how to implement threshold decryption for the \(\mathsf {MFHE}\) construction outlined in the previous section.

\(\mathsf {MFHE}.\mathsf {PartDec}(\widehat{c},(pk_1,\ldots ,pk_N),i,sk_i)\): On input an expanded ciphertext Open image in new window under a sequence of keys \((pk_1,\ldots ,pk_N)\) and the ith secret key \(sk_i = \mathbf{t}_i\in \mathbb {Z}_q^{n}\) do the following:
 Parse \(\widehat{{\mathbf {C}}}\) as consisting of N submatrices \(\widehat{{\mathbf {C}}}^{(i)}\in \mathbb {Z}_q^{n\times mN}\) such that$$\widehat{{\mathbf {C}}}= \begin{bmatrix} \widehat{{\mathbf {C}}}^{(1)}\\ \vdots \\ \widehat{{\mathbf {C}}}^{(N)} \end{bmatrix} .$$

Define \(\widehat{{\mathbf {w}}}\in \mathbb {Z}_q^{nN}\) as \(\widehat{{\mathbf {w}}}= [0,\ldots ,0,\lceil q/2\rceil ]\).

Then compute \(\gamma _i = \mathbf{t}_i\widehat{{\mathbf {C}}}^{(i)}\widehat{{\mathbf {G}}}^{1}(\widehat{{\mathbf {w}}}^T) \in \mathbb {Z}_q\) and output \(p_i = \gamma _i + e^{sm}_{i}\in \mathbb {Z}_q\) where Open image in new window is some random “smudging noise” where \(B^{dec}_{smdg}=2^{d{\lambda }\log {\lambda }}B_{\chi }\).

\(\mathsf {MFHE}.\mathsf {FinDec}(p_1,\ldots ,p_N)\): Given \(p_1,\ldots ,p_N\), compute the sum \(p := \sum _{i=1}^N p_i\). Output \(\mu :=\left \left\lceil \frac{p}{q/2}\right\rfloor \right \).
Theorem 3
The above threshold decryption procedures for \(\mathsf {MFHE}\) satisfy correctness and (statistical) simulation security.
where \(e^{sm} = \sum _{i \in [N]} e^{sm}_{i} \) has norm \(e^{sm} \le N B^{dec}_{smdg}= 2^{O(d{\lambda }\log {\lambda })}B_{\chi }\) and \(e' = {\mathbf {e}}\widehat{{\mathbf {G}}}^{1}(\widehat{{\mathbf {w}}}^T)\) has norm \(e' \le \beta '_{final} mN = 2^{O(d \log {\lambda })} B_{\chi }\). Since \(q = 2^{\omega (d {\lambda }\log {\lambda })} B_{\chi }\) we have \(e' + e^{sm} < q/4\) and correctness holds.
5.5 Bootstrapping
Note that the above MFHE scheme is leveled i.e., it depends on the multiplicative depth of the circuit to be computed. However, this dependency can be avoided easily by bootstrapping and assuming circular security. We briefly describe the straightforward procedure and omit the details.
During key generation, each party i chooses a key pair \((sk_i,pk_i)\) and uses the MFHE scheme to encrypt the secret key \(sk_i\) under \(pk_i\) bitbybit.^{7} It appends these encryptions to the public key. Later, given a sequence of public keys \(\{pk_1,\ldots ,pk_N\}\) anyone can create an expanded multikey encryption of each \(sk_i\) using the MFHE expansion procedure. This allows us to use Gentry’s bootstrapping technique [17] to “refresh” a highly noisy multikey ciphertext by homomorphically computing the MFHE decryption procedure. Therefore, to compute a circuit of arbitrary depth, we only need to set the parameters of the MFHE scheme so as to be evaluate circuits of some fixed depth \(d+1\) where d is the depth of the MFHE decryption procedure.
Note that, by circular security it is assured that an encryption of a secret key under itself is semantically secure which implies that the semantic security of the above modified MFHE scheme remains intact.
6 Secure MPC via Threshold MFHE
 1.
Each party individually chooses its own MFHE key pair \((pk_i, sk_i)\), encrypts its input \(x_i\) under \(pk_i\), and broadcasts the resulting ciphertext. At the end of this round, each party can homomorphically compute the desired function f on the received ciphertexts and derive a common multikey ciphertext which encrypts the output \(y =f(x_1,\ldots ,x_N)\).
 2.
The parties run a distributed protocol for “threshold decryption” using their secret keys \(sk_i\) to decrypt the multikey ciphertext and recover the output y in plaintext. In particular each party first generates partial decryptions \(p_i\) from the common (evaluated) ciphertext \(\widehat{c}\) and then broadcasts them. Finally each party, on receiving all those partial decryptions can compute the final decryption y.
Our goal is to prove the security of this protocol (as least in the honestbutcurious setting, as a start). The natural attempt to construct a MPC simulator \(\mathcal{S}\) would be to first use the simulator of threshold decryption, \(\mathcal{S}^{thr}\) to replace the correct partial decryptions \(p_i\) with simulated ones \(p'_i\) and then use semantic security of the encryption to replace each ciphertext (broadcast in the first round) by encryptions of 0.
The Problem. Unfortunately, we notice that the simulatability of the threshold decryption does not suffice when there is more than one honest party. Essentially, our definition of simulation security for threshold decryption only allows us to simulate the partial decryption of a single party at a time while knowing the secret keys of all other parties. We cannot, however, simultaneously simulate the partial decryptions of (even) two honest parties without knowing either of their secret keys.
Solution. Essentially we solve the above problem by two steps. We first show that the “basic” protocol as described above is already secure when there is exactly one honest party. Then, later in Sect. 6.2 we extend the basic protocol to another protocol which can handle any arbitrary number of corruption. The extended protocol additionally requires only pseudorandom functions (PRFs) and thus no new assumptions are used. Combining, we get a protocol which securely realizes any functionality against any arbitrary number of corruptions. Below we provide the basic protocol from any \(\mathsf {MFHE}\) scheme and prove security against exactly \(N1\) corruptions. Later in Sect. 6.2 we present the extension in detail.
6.1 Protocol Secure Against Exactly \(N1\) Corruptions
The protocol, given in Fig. 2, realizes general multiparty computation for any polynomialtime deterministic functions f which produces a common output for all parties. It does so with respect to a static semimalicious attackers corrupting exactly \(N1\) parties. Formally we prove the following theorem.
Theorem 4
Let f be a polytime computable deterministic function with N inputs and 1 output. Let \(\mathsf {MFHE}= \left( \mathsf {Setup}, \mathsf{Keygen}, \mathsf {Encrypt}, \mathsf {Expand}, \mathsf {Eval}, \mathsf {PartDec}, \mathsf {FinDec}\right) \) be a multikey FHE scheme with threshold decryption. Then the protocol \(\pi _f\) described in Fig. 2 UCrealizes the function f against any static semimalicious adversary corrupting exactly \(N1\) parties.
Proof: The correctness of the protocol follows in a straightforward way from the correctness of the underlying threshold \(\mathsf {MFHE}\) scheme.
To prove security basically we need to construct an efficient (PPT) simulator \(\mathcal{S}\) for any adversary corrupting exactly \(N1\) parties. Let \(\mathcal{A}\) be a static semimalicious adversary and \(P_h\) be the only honest party. The simulator simulates the protocol execution on behalf of the honest party \(P_h\) as follows.
The Simulator. In roundI, the simulator encrypts 0s instead of the real input bits of the honest party \(P_h\). After roundI it gets the inputs and the secret keys of the \(N1\) corrupt parties from the “witness tape”. It gives these inputs to the ideal functionality and receives the output bits \(y_j\) for each \(j\in [{\ell _{out}}]\). At this point it can also compute the evaluated ciphertexts \(\widehat{c}_j\). Then it computes the simulated partial decryptions for the honest party \(\widetilde{ }^{(j)}_{h}\leftarrow \mathcal{S}^{thr}(y_j,\widehat{c}_j,h,\{sk_i\}_{i\in [N]\setminus \{h\}})\) and broadcast those in roundII instead of correctly computed partial decryptions \(p^{(j)}_{h}\) generated via \(\mathsf {MFHE}.\mathsf {PartDec}(\cdots )\).

The game \({\small REAL}_{\pi ,\mathcal{A},\mathcal {Z}}\) : This is exactly an execution of the protocol \(\pi \) in the real world with environment \(\mathcal {Z}\) and semimalicious adversary \(\mathcal{A}\).

The game \({\small HYB}^{1}_{\pi ,\mathcal{A},\mathcal {Z}}\) : In this game, we modify the real world experiment as follows. Assume (as a mental experiment) that \(P_{h_{}}\) is given the all the secret keys \(\{sk_i\}_{i\in [N]\setminus \{h\}}\) (as written on the “witness tape” of the adversary) after round I. In the second round, instead of broadcasting a correctly generated partial decryptions \(p^{(j)}_{h}\) generated via \(\mathsf {MFHE}.\mathsf {PartDec}(\cdots )\), it broadcasts simulated ones \(\{ \widetilde{ }^{(j)}_{h}\leftarrow \mathcal{S}^{thr}(y_j, \widehat{c}_j,h_1, \{sk_i\}_{i\ne h})\}_{j\in [{\ell _{out}}]}\).

The game \({\small IDEAL}_{\mathcal{F},\mathcal{S},\mathcal {Z}}\) : This is similar to the game \({\small HYB}^{1}_{\pi ,\mathcal{A},\mathcal {Z}}\) except instead of encrypting its real input, \(P_{h_{}}\) now broadcasts encryption of 0s in the first round.
Claim 1
\(\mathrm{{{\small REAL}}}_{\pi ,\mathcal{A},\mathcal {Z}}\mathop {\approx }\limits ^{{\tiny {\mathrm {stat}}}}\mathrm{{{\small HYB}}}^{1}_{\pi ,\mathcal{A},\mathcal {Z}}\)
Proof: Notice that, the only change between those experiments are that, the partial decryption of party \(P_{h_{}}\) is generated through simulator \(\mathcal{S}^{thr}\) instead of correctly using \(\mathsf {MFHE}.\mathsf {PartDec}\). By simulatability of threshold decryption the partial decryptions are statistically indistinguishable hence so are the experiments. Open image in new window
Claim 2
\(\mathrm{{{\small HYB}}}^{1}_{\pi ,\mathcal{A},\mathcal {Z}}\mathop {\approx }\limits ^{{\tiny {\mathrm {comp}}}}\mathrm{{{\small IDEAL}}}_{\mathcal{F},\mathcal{S},\mathcal {Z}}\)
Proof: The only change between those experiments are in generating encryptions of party \(P_{h_{}}\). By semantic security of the underlying \(\mathsf {MFHE}\) the encryptions are computationally indistinguishable. Hence the experiments are also computationally indistinguishable. Note that here it is possible to use the semantic security as the partial decryptions of \(P_{h_{}}\) in both the experiments are simulated and hence independent of the secret key \(sk_h\). Open image in new window
This concludes the proof of the theorem. Open image in new window
6.2 An Extended Protocol for Arbitrary Many Corruptions
In this section we construct an “extended” MPC protocol \(\widehat{\pi }_f\) which securely computes any function f against any semimalicious adversary that can corrupt any \(t\in [N]\) parties. We do so by relying on the “basic” MPC protocol \(\pi _{f}\) from the previous section, which is secure against a semimalicious adversary that corrupts exactly \(N1\) parties. To compute a function f, our extedned protocol simply runs the basic protocol \(\pi _{\widehat{f}}\) on an extended function \(\widehat{f}\) defined as follows.
Definition 5

If \(\forall ~i\in [N]\), \(\mathtt {mode}_i =1\) then output \(f({\mathbf {x}}_1,\ldots ,{\mathbf {x}}_N)\).
 If \(\exists ~\text {unique}~i\in [N]\) such that \(\mathtt {mode}_i =2\) then let \(K := {\mathbf {z}}_i\). For all \(j\in [N]\):

If \(\mathtt {mode}_j = 3\) then set \({\mathbf {x}}'_j:=\mathsf {PRF}(K,j)\oplus {\mathbf {x}}_j\).

Else set \({\mathbf {x}}'_j :={\mathbf {x}}_j\).
Output \(f({\mathbf {x}}_1',\ldots ,{\mathbf {x}}'_N)\).


Otherwise output \(\mathsf {0}^{\ell _{out}}\).
Roughly speaking, the extended function does the same thing as the original function if all the inputs have \(\mathtt {mode}_i=1\). However, if there is one special party with \(\mathtt {mode}_i =2\) then the function uses a PRF key \(K = {\mathbf {z}}_i\) provided by that party to “decrypt” the inputs of all the parties with \(\mathtt {mode}_j = 3\).
The following theorem states that the extended protocol \(\widehat{\pi }_f\) is secure against any arbitrary number of semimalicious corruptions. The proof is deferred to the full version [30].
Theorem 5
Let f be a function with N inputs and 1 output. Let \(\mathsf {PRF}:{\{0,1\}}^{\lambda }\times [N] \rightarrow {\{0,1\}}^{\ell _{out}}\) be a PRF. Then, under the LWE assumption, the protocol \(\widehat{\pi }_f\) shown in Fig. 3 UCrealizes f against a static semimalicious adversary that can corrupt any number of parties.
6.3 Extensions and Applications
Generalized Functionalities. Our protocol (Fig. 2) considers deterministic functionalities where all the parties receive the same output. One can extend that to handle randomized functionalities and individual output in a straightforward manner using known standard techniques just like [4]. We refer to [4] for more details.
Fully Malicious Adversary. Our protocol protects only against semimalicious adversaries. However, since we are in the CRS model such protocol can be generically converted to one secure against fullymalicious adversary using noninteractive zeroknowledge (NIZK) arguments. For more detail on this again we refer to [4].
Communication Complexity. Although our main focus was on round complexity, we mention that our scheme also achieves essentially optimal communication complexity which is only proportional to the total input size, output size and circuit depth. We can get rid of the reliance on circuit depth by using bootstrapping and relying on circular security: each party would simply send a GSW encryption of its secret key under its public key and then we would perform a boostrapping step after each homomorphic operation to reduce the noise in the ciphertext.
Computation on the Web. Our results also relate to the idea of “computation on the web” [21] where parties can’t interact with each other but can only interact with some central website without further coordination. Using our scheme (or any 2 round protocol) each party needs to log in twice: once to give its ciphertext to the sever and once to give a partial decryption of the output.
7 Conclusions
We have shown how to implement MPC with only two rounds of interaction by relying on the LWE assumption (and NIZKs for malicious security). Several interesting open problems remain. Firstly, is possible to get a 2 round MPC protocol under general assumptions such as the existence of oblivious transfer? Secondly, is it possible to get a protocol that achieves adaptive security? A recent work of [16] does this using indistinguishability obfuscation (iO) but it remains an open problem to do this using more standard assumptions such as LWE. Lastly, it would be interesting to get a 2 round protocol in the honestbutcurious model without a CRS. One way to achieve this would be to a build a threshold multikey FHE without any common public parameters.
Footnotes
 1.
We assume a broadcast communication channel and in each round of a protocol all parties broadcast a message to all other parties. Each honest party must broadcast their round i message right away prior to receiving the round i messages of other parties. On the other hand, we assume a “rushing” adversary that can wait to collect the round i messages of all honest parties prior to selecting the round i messages of the corrupted parties.
 2.
In their nonsimultaneous model no broadcast channel is present, that is in a round only one party sends message to another.
 3.
Throughout this work, we use the term “threshold” to denote distributed schemes where all parties are needed to perform an operation and security is maintained from any incomplete subset of parties.
 4.
We note that one the main challenges in the work of [3] is to implement the threshold generation of the FHE “evaluation key” which has a complex structure in the FHE schemes of [8, 9]. This could be vastly simplified using a more recent FHE scheme of GentrySahaiWaters [18] which does not require an evaluation key. However, this would still not improve the final round complexity of the MPC construction below 3 rounds.
 5.
In the actual scheme involving N parties we first expand the singlekey ciphertext of each party into a multikey ciphertext (under the concatenated keys of all the parties) and subsequently perform homomorphic operations on the expanded ciphertexts.
 6.
The size of q here is bigger than needed for GSW encryption alone in order to support our extensions.
 7.
We ignore the algebraic structure of the secret key here and assume each element in \(\mathbb {Z}_q\) can be represented as a \(\lceil \log (q)\rceil +1\) binary string.
 8.
See the full version [30] for a formal definition.
References
 1.AlperinSheriff, J., Peikert, C.: Faster bootstrapping with polynomial error. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 297–314. Springer, Heidelberg (2014)CrossRefGoogle Scholar
 2.Applebaum, B., Ishai, Y., Kushilevitz, E.: Computationally private randomizing polynomials and their applications. In: IEEE Conference on Computational Complexity, pp. 260–274 (2005)Google Scholar
 3.Asharov, G., Jain, A., LópezAlt, A., Tromer, E., Vaikuntanathan, V., Wichs, D.: Multiparty computation with low communication, computation and interaction via threshold FHE. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, pp. 483–501. Springer, Heidelberg (2012)CrossRefGoogle Scholar
 4.Asharov, G., Jain, A., Wichs, D.: Multiparty computation with low communication, computation and interaction via threshold fhe. Cryptology ePrint Archive, Report 2011/613 2011. http://eprint.iacr.org/
 5.Beaver, D., Micali, S., Rogaway, P.: The round complexity of secure protocols (extended abstract). In: STOC, pp. 503–513 (1990)Google Scholar
 6.Bendlin, R., Damgård, I.: Threshold decryption and zeroknowledge proofs for latticebased cryptosystems. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 201–218. Springer, Heidelberg (2010)CrossRefGoogle Scholar
 7.Bendlin, R., Damgård, I., Orlandi, C., Zakarias, S.: Semihomomorphic encryption and multiparty computation. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 169–188. Springer, Heidelberg (2011)CrossRefGoogle Scholar
 8.Brakerski, Z., Gentry, C., Vaikuntanathan, V.: Fully homomorphic encryption without bootstrapping. In: ITCS (2012)Google Scholar
 9.Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) lwe. In: FOCS (2011)Google Scholar
 10.Clear, M., McGoldrick, C.: Multiidentity and multikey leveled FHE from learning with errors. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 630–656. Springer, Heidelberg (2015)CrossRefGoogle Scholar
 11.Cramer, R., Damgård, I.B., Nielsen, J.B.: Multiparty computation from threshold homomorphic encryption. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 280–300. Springer, Heidelberg (2001)CrossRefGoogle Scholar
 12.Damgård, I.B., Nielsen, J.B.: Universally composable efficient multiparty computation from threshold homomorphic encryption. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 247–264. Springer, Heidelberg (2003)CrossRefGoogle Scholar
 13.Matthew, K.: Franklin and stuart haber: joint encryption and messageefficient secure computation. J. Cryptology 9(4), 217–232 (1996)MathSciNetCrossRefzbMATHGoogle Scholar
 14.Garg, S., Gentry, C., Halevi, S., Raykova, M.: Tworound secure MPC from indistinguishability obfuscation. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 74–94. Springer, Heidelberg (2014)CrossRefGoogle Scholar
 15.Garg, S., Mukherjee, P., Pandey, O., Polychroniadou, A.: The exact round complexity of secure computation. Manuscript, October 2015Google Scholar
 16.Garg, S., Polychroniadou, A.: Tworound adaptively secure MPC from indistinguishability obfuscation. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part II. LNCS, vol. 9015, pp. 614–637. Springer, Heidelberg (2015)CrossRefGoogle Scholar
 17.Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC, pp. 169–178 (2009)Google Scholar
 18.Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptuallysimpler, asymptoticallyfaster, attributebased. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013)CrossRefGoogle Scholar
 19.Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: STOC, pp. 218–229 (1987)Google Scholar
 20.Goyal, V.: Constant round nonmalleable protocols using one way functions. In: STOC, pp. 695–704 (2011)Google Scholar
 21.Halevi, S., Lindell, Y., Pinkas, B.: Secure computation on the web: computing without simultaneous interaction. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 132–150. Springer, Heidelberg (2011)CrossRefGoogle Scholar
 22.Ishai, Y., Kushilevitz, E.: Randomizing polynomials: A new representation with applications to roundefficient secure computation. In: FOCS, pp. 294–304 (2000)Google Scholar
 23.Jakobsson, M., Juels, A.: Mix and match: secure function evaluation via ciphertexts. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 162–177. Springer, Heidelberg (2000)CrossRefGoogle Scholar
 24.Katz, J., Ostrovsky, R.: Roundoptimal secure twoparty computation. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 335–354. Springer, Heidelberg (2004)CrossRefGoogle Scholar
 25.Katz, J., Ostrovsky, R., Smith, A.: Round Efficiency of Multiparty Computation with a Dishonest Majority. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, pp. 578–595. Springer, Heidelberg (2003)CrossRefGoogle Scholar
 26.Lin, H., Pass, R.: Constantround nonmalleable commitments from any oneway function. In: STOC, pp. 705–714 (2011)Google Scholar
 27.Lindell, Y.: Parallel cointossing and constantround secure twoparty computation. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 171–189. Springer, Heidelberg (2001)CrossRefGoogle Scholar
 28.LópezAlt, A., Tromer, E., Vaikuntanathan, V.: Onthefly multiparty computation on the cloud via multikey fully homomorphic encryption. In: Karloff, H.J., Pitassi, T. (eds.) Proceedings of the 44th Symposium on Theory of Computing Conference, STOC, New York, NY, USA, 19–22 May 2012, pp. 1219–1234. ACM (2012)Google Scholar
 29.Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012)CrossRefGoogle Scholar
 30.Mukherjee, P., Wichs, D.: Two round multiparty computation via multikey FHE. Cryptology ePrint Archive, Report 2015/345 (2015). http://eprint.iacr.org/
 31.Myers, S., Sergi, M., Shelat, A.: Threshold fully homomorphic encryption and secure computation. In: eprint /454 (2011)Google Scholar
 32.Peikert, C.: Publickey cryptosystems from the worstcase shortest vector problem: extended abstract. In: STOC, pp. 333–342 (2009)Google Scholar
 33.Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC, pp. 84–93 (2005)Google Scholar
 34.Andrew ChiChih Yao: Protocols for secure computations (extended abstract). In: FOCS, pp. 160–164 (1982)Google Scholar
 35.Andrew ChiChih Yao: How to generate and exchange secrets (extended abstract). In: FOCS, pp. 162–167 (1986)Google Scholar