Two Round Multiparty Computation via Multi-key FHE

  • Pratyay MukherjeeEmail author
  • Daniel Wichs
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9666)


We construct a general multiparty computation (MPC) protocol with only two rounds of interaction in the common random string model, which is known to be optimal. In the honest-but-curious setting we only rely on the learning with errors (LWE) assumption, and in the fully malicious setting we additionally assume the existence of non-interactive zero knowledge arguments (NIZKs). Previously, Asharov et al. (EUROCRYPT ’12) showed how to achieve three rounds based on LWE and NIZKs, while Garg et al. (TCC ’14) showed how to achieve the optimal two rounds based on indistinguishability obfuscation, but it was unknown if two rounds were possible under standard assumptions without obfuscation.

Our approach relies on multi-key fully homomorphic encryption (MFHE), introduced by Lopez-Alt et al. (STOC ’12), which enables homomorphic computation over data encrypted under different keys. We present a construction of MFHE based on LWE that significantly simplifies a recent scheme of Clear and McGoldrick (CRYPTO ’15). We then extend this construction to allow for a one-round distributed decryption of a multi-key ciphertext. Our entire MPC protocol consists of the following two rounds:
  1. 1.

    Each party individually encrypts its input under its own key and broadcasts the ciphertext. All parties can then homomorphically compute a multi-key encryption of the output.

  2. 2.

    Each party broadcasts a partial decryption of the output using its secret key. The partial decryptions can be combined to recover the output in plaintext.



Multi-key Fully Homomorphic Encryption (MFHE) Learning With Errors (LWE) Non-interactive Zero-knowledge (NIZKs) Partial Decryption Ciphertext 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

Multiparty Computation. Secure multiparty computation (MPC) allows multiple parties to evaluate an arbitrary function over their inputs privately, without revealing anything about their inputs to each other beyond the function’s output. This problem was initially studied by Yao [34, 35], in the case of two honest-but-curious parties (who follow the protocol honestly but hope to learn information from its execution) and later by Goldreich, Micali and Wigderson [19] in the case of an arbitrary number of fully malicious parties (who can deviate arbitrarily from the specified protocol execution). By now, MPC is a fundamental part of cryptography and a subject of intense study.

One of the main challenges is to optimize the efficiency of MPC protocols. In this work, our main focus will be on constructing MPC protocols with the optimal round complexity.1

Round Complexity of MPC. We refer the reader to [3] for a comprehensive overview of prior work on round complexity of MPC. In the honest-but-curious setting, it was known how to achieve a constant number of rounds assuming the existence of oblivious transfer [2, 5, 22, 25, 27]. However, the concrete constants were not explicitly stated and they seem to require at least 4 rounds. These protocols can also be compiled into secure constructions in the fully malicious setting with only a constant number of additional rounds by using coin-flipping and concurrent zero-knowledge proofs [20, 25, 26, 27]. In the plain model and the fully malicious setting, there is a known lower bounds of 5 rounds for two party computation2, albeit in non-simultaneous message model where no broadcast channel is available [24]. A very recent work [15] shows a similar lower bound of 4 rounds assuming broadcast channel. However, in the honest-but-curious setting or even in the fully malicious setting with a common random string (CRS) the above lower bound does not hold and there is only a simple lower bound of 2 rounds [21]. In this work, we will assume the CRS model.

Recently, a result of Asharov et al. [3] showed how to achieve a 3 round MPC protocol in the CRS model, by relying on techniques from fully homomorphic encryption (FHE). Their construction achieves semi-honest security under the learning with errors (LWE) assumption, and fully malicious security (in the universal composability (UC) framework) by further assuming the existence of non-interactive zero knowledge arguments (NIZKs). The construction also yields a 2 round protocol in the public-key infrastructure (PKI) model, but it was left as an open problem to achieve 2 rounds in the CRS model.

Even more recently, the results of Garg et al. [14, 16] achieve a 2 round MPC protocol in the CRS model by relying on indistinguishability obfuscation (iO) and statistically sound NIZKs. On a high level, the main idea of that work is to have each party obfuscates its “next-message” function, after an initial round where the parties commit to their input. Making this work under the iO assumption is non-trivial and requires much care. However, this approach appears to crucially rely on obfuscation and does not easily lend itself to instantiations under simpler assumptions.

The main open question left by these works is whether 2 round MPC is achievable under more “standard” cryptographic assumptions, without relying on obfuscation.

Our Result. In this work, we construct a 2 round MPC protocol in the CRS model. We achieve honest-but-curious security under only the LWE assumption, and fully malicious security (in the UC framework) by additionally assuming the existence of NIZKs. As our main technical result, which may be of independent interest, we show how to construct a multi-key fully homomorphic encryption scheme with a one-round threshold decryption protocol.

2 Overview of Our Techniques

We now give an overview of our techniques by first describing how to construct MPC from multi-key FHE with threshold decryption, and then how to construct the latter from LWE.

2.1 MPC via Threshold (Multi-key) FHE

MPC via Threshold FHE. We begin with the approach of Asharov et al. [3] (variants of which were used in many preceding works [6, 7, 11, 12, 13, 23, 31]) for constructing MPC based on fully homomorphic encryption (FHE). At a high level, this approach is based on the following simple template:
  1. 1.

    The parties first run a secure distributed protocol for the “threshold key-generation” of an FHE scheme to agree on a common public key pk and a secret sharing of the corresponding secret key sk so that each party holds one share, and all shares are needed to recover sk.

  2. 2.

    Each party i then broadcasts an encryption of its input \(x_i\) under the common public key pk. Note that no individual party or incomplete set of parties can decrypt this ciphertext and so the privacy of the input is maintained. At the end of this round, each party can homomorphically compute the desired function f on the received ciphertexts and derive a common output ciphertext which encrypts \(y =f(x_1,\ldots ,x_N)\).

  3. 3.

    The parties run a secure distributed protocol for “threshold decryption” using their shares of the secret key sk to decrypt the output ciphertext and recover the output y in plaintext.3


Secure protocols for threshold key-generation and decryption can be implemented generically for any FHE scheme by using general MPC techniques, but this would require many rounds. Instead [3] show that specific FHE schemes by Brakerski, Gentry and Vaikuntanathan [8, 9] based on the LWE assumption have a “key homomorphic” property which can be leveraged to get distributed key-generation and decryption protocols consisting of one round each. Therefore, when instantiated with these schemes, the above template results in a 3 round MPC protocol.4

MPC via Threshold Multi-key FHE. One could hope to shave off an additional round from the above template by using multi-key fully homomorphic encryption (MFHE), recently introduced by Lopez-Alt, Tromer and Vaikuntanathan [28]. An MFHE schemes allows parties to independently encrypt their data under different individually chosen keys, while still allowing homomorphic computations over such ciphertexts. The output of such homomorphic computation is a “multi-key ciphertext” which cannot be decrypted by any single party individually (as this would violate semantic security of the other parties) but can be decrypted by the parties jointly using the combination of all their secret keys. The work of [28] constructed such an MFHE scheme based on (a variant of) the NTRU assumption.

Using MFHE, we naturally get the following simplified template for MPC:
  1. 1.

    Each party individually chooses its own MFHE key pair \((pk_i, sk_i)\), encrypts its input \(x_i\) under \(pk_i\), and broadcasts the resulting ciphertext. At the end of this round, each party can homomorphically compute the desired function f on the received ciphertexts and derive a common multi-key ciphertext which encrypts the output \(y =f(x_1,\ldots ,x_N)\).

  2. 2.

    The parties run a secure distributed protocol for “threshold decryption” using their secret keys \(sk_i\) to decrypt the multi-key ciphertext and recover the output y in plaintext.


As before, a distributed threshold decryption can be implemented generically using general MPC techniques, but this would require many rounds. Unfortunately, the MFHE scheme of [28] does not appear to admit any simpler threshold decryption protocol and therefore it is not known how to use this scheme to get a 2 round MPC.

A recent work of Clear and McGoldrick [10] gives an alternate construction of MFHE based on the LWE assumption, by cleverly adapting an FHE scheme of Gentry, Sahai and Waters [18]. We first present a significantly simplified construction of MFHE from LWE and give a stand-alone presentation of this scheme. We then show that this scheme admits a simple 1-round threshold decryption protocol. This threshold decryption protocol only satisfies a weak notion of security which doesn’t allow us to directly plug it into the above template for MPC. However, we show that we can make this approach work with only minor additional modifications.

As in [3], we show that our basic scheme (based on LWE) achieves security in semi-malicious setting, which is a strengthening of the honest-but-curious setting, where parties follow the protocol specification but can choose their random coins adversarially. By using NIZKs, we can then compile such a scheme into one which is secure in the fully malicious setting (and even universally composable) without additional rounds.

2.2 Constructing Threshold Multi-key FHE

We now give a high-level description of the MFHE construction and the threshold decryption protocol. We begin by describing a recent FHE construction by Gentry, Sahai and Waters (GSW) [18] using the notation and exposition of [1]. Then describe how to convert it into a MFHE scheme. Finally, we discuss how to perform threshold decryption.

Public Short Preimage Matrix. Before we describe the GSW encryption, we state a useful fact from [29] which we heavily rely on in the construction.

Lemma 1

([29]). For any \(m \ge n\lceil \log q \rceil \) there exists a fixed efficiently computable matrix \({\mathbf {G}}\in {\mathbb {Z}}_q^{n \times m}\) and an efficiently computable deterministic “short preimage” function \({\mathbf {G}}^{-1}(\cdot )\) satisfying the following. On input a matrix \({\mathbf {M}}\in \mathbb {Z}_q^{n\times m'}\) for any \(m'\), the function \({\mathbf {G}}^{-1}({\mathbf {M}})\) outputs a bit-matrix \({\mathbf {G}}^{-1}({\mathbf {M}})\in {\{0,1\}}^{m\times m'}\) such that \({\mathbf {G}}{\mathbf {G}}^{-1}({\mathbf {M}}) = {\mathbf {M}}\).

We can think of \({\mathbf {G}}\) as a special matrix with a “public trapdoor” that allows us to solve the short integer solution (SIS) problem. For those familiar with GSW encryption, multiplication by \({\mathbf {G}}\) is the \(\mathsf {BitDecomp^{-1}}\) operation and the function \({\mathbf {G}}^{-1}(\cdot )\) is called \(\mathsf {BitDecomp}\), but we can ignore the low-level detail of how this is implemented. Note that \({\mathbf {G}}^{-1}(\cdot )\) is not itself a matrix but rather an efficiently computable function.

Gentry-Sahai-Waters (GSW) FHE. Firstly, choose a random public matrix \({\mathbf {B}}\in \mathbb {Z}_q^{(n-1)\times m}\) where \(m = O(n \log q)\). We can think of this as a common public parameter used by all parties. A public/secret key pair is chosen by selecting a random vector \({\mathbf {s}}\in {\mathbb {Z}}_q^{n-1}\) and setting \({\mathbf {b}}= {\mathbf {s}}{\mathbf {B}}+ {\mathbf {e}}\) where \({\mathbf {e}}\) is some short “error vector”. We set the secret key to \(\mathbf{t}= (-{\mathbf {s}}, 1) \in {\mathbb {Z}}_q^n\) and the public key to the matrix
$$ {\mathbf {A}}:=\begin{bmatrix} {\mathbf {B}}\\ {\mathbf {b}}\end{bmatrix} \in {\mathbb {Z}}_q^{n \times m} $$
which ensures that \(\mathbf{t}{\mathbf {A}}= {\mathbf {e}}\approx \mathbf {0}\) (throughout the introduction, we use \(\approx \) to hide “short” values).

A valid GSW ciphertext of a bit \(\mu \in {\{0,1\}}\) with respect to a secret key \(\mathbf{t}\) is a matrix \({\mathbf {C}}\in {\mathbb {Z}}_q^{n \times m}\) such that \(\mathbf{t}{\mathbf {C}}\approx \mu \mathbf{t}{\mathbf {G}}\). To encrypt a bit \(\mu \) using the public key \({\mathbf {A}}\) we set \({\mathbf {C}}= {\mathbf {A}}{\mathbf {R}}+ \mu {\mathbf {G}}\) where \({\mathbf {R}}\in {\{0,1\}}^{m \times m}\) is chosen as a random bit-matrix. This ensures that the result is a valid encryption of \(\mu \) under the secret key \(\mathbf{t}\) since \(\mathbf{t}{\mathbf {C}}= \mathbf{t}{\mathbf {A}}{\mathbf {R}}+ \mu \mathbf{t}{\mathbf {G}}\approx \mu \mathbf{t}{\mathbf {G}}\).

Given two valid GSW ciphertexts \({\mathbf {C}}_1, {\mathbf {C}}_2\) encrypting the bits \(\mu _1, \mu _2\) with respect to a secret key \(\mathbf{t}\) we can perform homomorphic addition by setting \({\mathbf {C}}^{+} = {\mathbf {C}}_1 + {\mathbf {C}}_2\) and multiplication by setting \({\mathbf {C}}^{\times } = {\mathbf {C}}_1 {\mathbf {G}}^{-1}({\mathbf {C}}_2)\). It is a simple exercise to check that \(\mathbf{t}{\mathbf {C}}^{+} \approx (\mu _1+ \mu _2)\mathbf{t}{\mathbf {G}}\) and \(\mathbf{t}{\mathbf {C}}^{\times } \approx (\mu _1\mu _2) \mathbf{t}{\mathbf {G}}\). This allows us to homomorphically evaluate any circuit, subject to the error not getting “too large”.

Finally, to decrypt a ciphertext \({\mathbf {C}}\) we set \({\mathbf {w}}:= (0,\ldots ,0, \lceil q/2 \rceil )\) and compute \(v = \mathbf{t}{\mathbf {C}}{\mathbf {G}}^{-1}({\mathbf {w}}^T)\). If \({\mathbf {C}}\) is a valid encryption of \(\mu \) under \(\mathbf{t}\) then \(v \approx \mu \lceil q/2 \rceil \). We recover \(\mu \) by checking whether v is closer to 0 or to q / 2.

Multi-key Variant of GSW. We now describe how to convert the above GSW FHE into a multi-key FHE. For simplicity, let’s assume that we only have \(N =2\) parties, but everything extends naturally to any polynomial number of parties N. We assume that the matrix \({\mathbf {B}}\) of the GSW encryption scheme is a common public parameter which is used by all parties.

The two parties choose independent GSW secret keys \(\mathbf{t}_1 = (-{\mathbf {s}}_1, 1), \mathbf{t}_2 = (-{\mathbf {s}}_2, 1)\) and compute the corresponding public key components \({\mathbf {b}}_1 = {\mathbf {s}}_1{\mathbf {B}}+ {\mathbf {e}}_1\) and \({\mathbf {b}}_2 = {\mathbf {s}}_2 {\mathbf {B}}+ {\mathbf {e}}_2\) using the common (and random) \({\mathbf {B}}\). We let
$$ {\mathbf {A}}_1:=\begin{bmatrix} {\mathbf {B}}\\ {\mathbf {b}}_1 \end{bmatrix},~~~~~ {\mathbf {A}}_2:=\begin{bmatrix} {\mathbf {B}}\\ {\mathbf {b}}_2 \end{bmatrix} $$
be the two GSW public keys for parties 1 and 2 respectively.

Now assume that the two parties independently encrypt some data under their respective keys. Unfortunately, we will not get anything meaningful by naively attempting to perform the GSW homomorphic operations on these ciphertexts under different keys. Instead, our goal will be to first convert both ciphertexts into a “common format” that will allow us to perform homomorphic operations over them.

In particular, we define a “combined secret key” Open image in new window as the concatenation of the two individual secret keys. Our goal will be to take a ciphertext \({\mathbf {C}}\in {\mathbb {Z}}_q^{n \times m}\) which encrypts a bit \(\mu \) with respect to the secret key of a single party (along with some helper information specified later) and expand it into multi-key ciphertext \(\widehat{{\mathbf {C}}}\in {\mathbb {Z}}_q^{2n \times 2m}\) which encrypts \(\mu \) with respect to the combined secret key \(\widehat{\mathbf{t}}\). In particular, a multi-key encryption of a bit \(\mu \) satisfies \(\widehat{\mathbf{t}}\widehat{{\mathbf {C}}}\approx \mu \widehat{\mathbf{t}}\widehat{{\mathbf {G}}}\) where \(\widehat{{\mathbf {G}}}= \begin{bmatrix} {\mathbf {G}}&\mathbf {0} \\ \mathbf {0}&{\mathbf {G}}\end{bmatrix} \in {\mathbb {Z}}_q^{2n \times 2m}\) is an expanded public matrix with a corresponding short preimage function \(\widehat{{\mathbf {G}}}^{-1}(\cdot )\). Once we do this, we can expand all ciphertexts under individual keys into multi-key ciphertexts under the key \(\widehat{\mathbf{t}}\) and then perform homomorphic operations on the multi-key ciphertexts just like in basic GSW scheme (just with larger parameters \(n' = 2n, m' = 2m\)). Therefore, the only challenge is how to perform the above “ciphertext expansion step”.

Ciphertext Expansion. To perform ciphertext expansion, we use a new primitive called “masking scheme” introduced by Clear and McGoldrick in [10]. Let \({\mathbf {C}}\) be a GSW encryption of some bit \(\mu \). A masking scheme allows party 1 to create some additional helper information \(\mathcal {U}\) about the ciphertext \({\mathbf {C}}\) at encryption time and release the tuple \((\mathcal {U}, {\mathbf {C}})\) while keeping the semantic security of the message intact. This information is completely independent of party 2 whose identity is unknown at encryption time. Later, if we are given the public key \({\mathbf {A}}_2\) for party 2, we can use the information \(\mathcal {U}\) to create a matrix \({\mathbf {X}}\) such that \(\mathbf{t}_1 {\mathbf {X}}+ \mathbf{t}_2 {\mathbf {C}}\approx \mu \mathbf{t}_2 {\mathbf {G}}\) where \(\mathbf{t}_2\) is the secret key of party 2. This allows us to perform ciphertext expansion by creating the expanded ciphertext:
$$\widehat{{\mathbf {C}}}= \begin{bmatrix} {\mathbf {C}}&{\mathbf {X}}\\ \mathbf {0}&{\mathbf {C}}\end{bmatrix}$$
so that,We can similarly expand the individually created ciphertexts of party 2 and then perform GSW style homomorphic operations on the expanded ciphertexts.5 Therefore, the only thing left to do is to construct such a “masking scheme” which we briefly describe below.
A Masking Scheme for GSW. The masking scheme consists of party 1 creating tuple \((\mathcal {U},{\mathbf {C}})\) where \({\mathbf {C}}\) is a GSW encryption of the message \(\mu \) under its own public key \(pk_1 = {\mathbf {A}}_1\) so that
$${\mathbf {C}}:= {\mathbf {A}}_1 {\mathbf {R}}+ \mu {\mathbf {G}}= \begin{bmatrix} {\mathbf {B}}{\mathbf {R}}\\{\mathbf {b}}_1 {\mathbf {R}}\end{bmatrix} + \mu {\mathbf {G}}$$
for some random matrix \({\mathbf {R}}\in {\{0,1\}}^{m\times m}\). The additional helper information \(\mathcal {U}\) consists of \(m^2\) GSW encryptions of each of the scalars \(\{{\mathbf {R}}[a,b]\}_{a \in [m], b \in [m]}\) under the public key \(pk_1\). It is easy to show that the pair \((\mathcal {U}, {\mathbf {C}})\) computationally hides \(\mu \) by relying on semantic security of the GSW scheme.
Later, assume we are given the public key \({\mathbf {A}}_2 :=\begin{bmatrix} {\mathbf {B}}\\ {\mathbf {b}}_2 \end{bmatrix}\) for party 2, corresponding to a secret key \(\mathbf{t}_2 = (-{\mathbf {s}}_2, 1)\). Then
$$\mathbf{t}_2 {\mathbf {C}}= -{\mathbf {s}}_2 {\mathbf {B}}{\mathbf {R}}+ {\mathbf {b}}_1 {\mathbf {R}}+ \mu \mathbf{t}_2 {\mathbf {G}}\approx ({\mathbf {b}}_1 -{\mathbf {b}}_2 ) {\mathbf {R}}+ \mu \mathbf{t}_2 {\mathbf {G}}$$
since \({\mathbf {b}}_2 \approx {\mathbf {s}}_2 {\mathbf {B}}\). The value \(\mathbf{t}_2{\mathbf {C}}\) corresponds to decrypting the GSW ciphertext \({\mathbf {C}}\) with the “incorrect” secret key \(\mathbf{t}_2\) and it yields the correct value \(\mu \mathbf{t}_2{\mathbf {G}}\) except that it is “masked” by the additional term \(({\mathbf {b}}_1-{\mathbf {b}}_2){\mathbf {R}}\).

Our goal is to come up with a matrix \({\mathbf {X}}\) for which \(\mathbf{t}_1 {\mathbf {X}}\approx ({\mathbf {b}}_2 - {\mathbf {b}}_1){\mathbf {R}}\) and therefore adding \(\mathbf{t}_1{\mathbf {X}}+ \mathbf{t}_2 {\mathbf {C}}\approx \mu \mathbf{t}_2{\mathbf {G}}\) as desired. One can do this by homomorphically combining the \(m^2\) ciphertexts contained in \(\mathcal {U}\), which encrypt each of the scalars \({\mathbf {R}}[a,b]\) of the matrix \({\mathbf {R}}\) under \(\mathbf{t}_1\), to get a “pseudo ciphertext” \({\mathbf {X}}\) which acts like an encryption of the vector \(({\mathbf {b}}_2 - {\mathbf {b}}_1){\mathbf {R}}\) in the sense that \(\mathbf{t}_1 {\mathbf {X}}\approx ({\mathbf {b}}_2 - {\mathbf {b}}_1){\mathbf {R}}\). This is not a standard homomorphic operation yielding a standard ciphertext – for example, the output is a vector rather than a scalar – but the idea for how to do this is very similar to the way we do standard GSW homomorphic operations. We skip the details of this step in the introduction, and refer the reader to Sect. 5.1 for details.

Threshold Decryption of Multi-key GSW. A multi-key GSW ciphertext encrypting a bit \(\mu \) with respect to the expanded secret key \(\widehat{\mathbf{t}}= (\mathbf{t}_1,\ldots ,\mathbf{t}_N)\) corresponding to N parties, is a matrix \(\widehat{{\mathbf {C}}}\in {\mathbb {Z}}_q^{nN \times mN}\) such that \(\widehat{\mathbf{t}}\widehat{{\mathbf {C}}}\approx \mu \widehat{\mathbf{t}}\widehat{{\mathbf {G}}}\).

If we were given all of the secret keys \(\widehat{\mathbf{t}}= (\mathbf{t}_1,\ldots ,\mathbf{t}_N)\) simultaneously, we could decrypt this ciphertext using the GSW decryption procedure, scaled up to the larger dimension: let \(\widehat{{\mathbf {w}}}= (0,\ldots ,0,\lceil q/2 \rceil ) \in {\mathbb {Z}}_q^{nN}\) and compute Open image in new window .

However, our goal is to design a distributed decryption protocol, where the parties collaboratively decrypt \(\mu \) without revealing their secret keys to each other. We do this as follows. Let’s think of \(\widehat{{\mathbf {C}}}\) as consisting of N matrices \( {i} \in {\mathbb {Z}}_q^{n \times mN}\) stacked on top of each other. Then each party i uses its secret key \(\mathbf{t}_i\) to output a “partial decryption” \(p_i = \mathbf{t}_i \widehat{{\mathbf {C}}}^{(i)}\widehat{{\mathbf {G}}}^{-1}(\widehat{{\mathbf {w}}}^T) + e_i\) where \(e_i\) is some “medium-sized smudging error”. This error is needed to smudge out any information about the error contained in the ciphertext \(\widehat{{\mathbf {C}}}\), which might contain sensitive information beyond just the plaintext bit. These partial decryptions can be combined to compute \(\sum _i p_i \approx v \approx \mu \lceil q/2 \rceil \) and therefore recover the plaintext bit \(\mu \).

The above process satisfies the following security notion: given the ciphertext \(\widehat{{\mathbf {C}}}\), the bit \(\mu \) that it encrypts, and the secret keys \(\{ \mathbf{t}_i~:~ i \ne j\}\) of all-but-one of the parties, we can simulate the partial decryption \(p_j\) of party j without knowing its secret key \(\mathbf{t}_j\). Intuitively, this property says that the partial decryption \(p_j\) cannot reveal too much information about \(\mathbf{t}_j\).

The above security property of partial decryption is tricky to use since it allows us to simulate the partial decryption of only one party at a time. Nevertheless, we show that this security property of threshold decryption is sufficient in the context of implementing MPC.

2.3 Road-Map Through the Paper

We begin by giving a definition of multi-key FHE (MFHE) first and then MFHE with threshold decryption in Sect. 4. Then in Sect. 5 we construct such a scheme from the LWE and in Sect. 6 we show how to construct MPC from such a scheme. These two sections are independent of each other and can be read in any order.

3 Preliminaries

Throughout, we let \({\lambda }\) denote the security parameter and \(\mathsf{negl}({\lambda })\) denote a negligible function. We represent elements in \(\mathbb {Z}_q\) as integers in the range \((-q/2,q/2]\). Let \(\mathbf{x}= (x_1,\ldots ,x_n) \in {\mathbb {Z}}^n\) be a vector. We use the notation \(\mathbf{x}[i]\) to denote the ith component scalar. Similarly for a matrix \({\mathbf {M}}\in {\mathbb {Z}}^{n\times m}\) we use \({\mathbf {M}}[i,j]\) to denote the scalar element located in the i-th row and the j-th column. In general, vectors are represented as single row matrices. The infinity norm (often called simply norm) of a vector \(\mathbf{x}\) is defined as \(\Vert \mathbf{x}\Vert _\infty = {\max _{i}(\vert \mathbf{x}[i]\vert )}\). The norm of matrices is defined similarly. An n-dimensional all-zero vector is usually denoted by \(\mathsf {0}^n\) and similarly \(\mathsf {0}^{n\times m}\) denotes an all-zero matrix.

For two distributions XY, over a finite domain \(\varOmega \), the statistical distance between X and Y is defined by \(\varDelta (X,Y) \mathop {=}\limits ^\mathrm{def}\frac{1}{2}\sum _{\omega \in \varOmega }\left| X(\omega ) - Y(\omega )\right| \). If XY are distribution ensembles parameterized by the security parameter, we write \(X \mathop {\approx }\limits ^{{\tiny {\mathrm {stat}}}}Y\) if the quantity \(\varDelta (X,Y)\) is negligible. Similarly, we write \(X \mathop {\approx }\limits ^{{\tiny {\mathrm {comp}}}}Y\) if they are computationally indistinguishable. We write \(\omega \leftarrow X\) to denote that \(\omega \) is sampled at random according to distribution X. We write \(\omega \leftarrow \varOmega \) to denote that it is sampled uniformly at random from the set \(\varOmega \). For a distribution ensemble \(\chi = \chi ({\lambda })\) over the integers, and integers bounds \(B= B({\lambda })\), we say that \(\chi \) is B-bounded if \(\Pr _{x \leftarrow \chi ({\lambda })} [|x| \le B({\lambda })] =1\).

We rely on the following lemma, which says that adding large noise “smudges out” any small values (see e.g., [4] for proof).

Lemma 2

(Smudging Lemma). Let \(B_1 = B_1({\lambda })\), and \(B_2 = B_2({\lambda })\) be positive integers and let \(e_1 \in [-B_1, B_1]\) be a fixed integer. Let \(e_2 \leftarrow [-B_2, B_2]\) be chosen uniformly at random. Then the distribution of \(e_2\) is statistically indistinguishable from that of \(e_2 + e_1\) as long as \(B_1/B_2 = \mathsf{negl}({\lambda })\).

Learning with Errors. The decisional learning with errors (LWE) problem, introduced by Regev [33], is defined as follows.

Definition 1

(LWE [33]). Let \({\lambda }\) be the security parameter, \(n =n({\lambda }), q = q({\lambda })\) be integers and let \(\chi = \chi ({\lambda }),\) be distributions over \({\mathbb {Z}}\). The \(\mathsf {LWE}_{n,q,\chi }\) assumption says that for any polynomial \(m = m({\lambda })\) we have
$$({\mathbf {A}}, {\mathbf {s}}{\mathbf {A}}+ {\mathbf {e}}) \mathop {\approx }\limits ^{{\tiny {\mathrm {comp}}}}({\mathbf {A}}, {\mathbf {z}})$$
where \({\mathbf {A}}\leftarrow {\mathbb {Z}}_q^{n \times m}\), \({\mathbf {s}}\leftarrow {\mathbb {Z}}_q^n\), \({\mathbf {e}}\leftarrow \chi ^m\) and \({\mathbf {z}}\leftarrow {\mathbb {Z}}_q^m\).

The works of [32, 33] show that the LWE problem is as hard as approximating the shortest vector problem in lattices (for appropriate parameters). The version of the LWE assumption that we need here is that for any polynomial \(p = p({\lambda })\) there is a polynomial \(n =n({\lambda })\), a modulus \(q = q({\lambda })\) of singly-exponential size, and a distribution \(\chi = \chi ({\lambda })\) such that \(\chi \) is \(B_{\chi }\)-bounded and \(q \ge 2^p B_{\chi }\) such that \(\mathsf {LWE}_{n,q,\chi }\) holds. This is as hard as approximating the shortest vector with sub-exponential approximation factors.

4 Defining Threshold Multi-key FHE

4.1 Multi-key FHE (MFHE)

We start with our definition of (leveled) multi-key FHE which is adapted from the definition given by Lopez-Alt, Tromer and Vaikuntanathan [28] with some minor differences which reflect differences in the properties achieved by the schemes of [28] and [10]. On the positive side, in the scheme of [10] the number of parties N need not be known ahead of time during key generation or encryption. On the negative side, the scheme of [10] requires some common public parameters that are available to the parties during key generation.

Below we call any ciphertext which is associated with multiple keys an “expanded” ciphertext. Also, the ciphertexts that are generated by the encryption procedure (and thus corresponds to a single key) are called “fresh” ciphertexts, and the expanded ciphertexts that are output by the homomorphic evaluations are called “evaluated” ciphertexts.

Definition 2

(Multi-key (Leveled) FHE). A multi-key (leveled) FHE is a tuple of algorithms \(\mathsf {MFHE}= (\mathsf {Setup},\mathsf{Keygen},\mathsf {Encrypt},\mathsf {Expand},\mathsf {Eval},\mathsf {Decrypt}) \) described as follows:
  • \(\mathsf {params}\leftarrow \mathsf {Setup}(1^{{\lambda }},1^d)\): Setup takes as input the security parameter \({\lambda }\) and the circuit depth d and outputs the system parameters \(\mathsf {params}\). We assume that all the other algorithms take \(\mathsf {params}\) as an input implicitly.

  • \((sk,pk)\leftarrow \mathsf{Keygen}(\mathsf {params})\): Output secret key \(sk\) and public key \(pk\).

  • \(c\leftarrow \mathsf {Encrypt}(pk,\mu )\): On input \(pk\) and some message \(\mu \) output a ciphertext c.

  • \(\widehat{c}\leftarrow \mathsf {Expand}((pk_{1},\ldots ,pk_{N}),i,c)\): Given a sequence of N public-keys and a fresh ciphertext c under the i-th key \(pk_i\), it outputs an “expanded” ciphertext\(\widehat{c}\).

  • \(\widehat{c}:=\mathsf {Eval}(\mathsf {params},\mathcal {C},(\widehat{c}_1,\ldots ,\widehat{c}_\ell ))\): Given a (description of) boolean circuit \(\mathcal {C}\) of depth \(\le d\) along with \(\ell \) expanded ciphertexts \((\widehat{c}_1,\ldots ,\widehat{c}_\ell )\), outputs an evaluated ciphertext \(\widehat{c}\).

  • \(\mu :=\mathsf {Decrypt}(\mathsf {params},(sk_1,\ldots ,sk_N),c)\): On input some ciphertext \(\widehat{c}\) and a sequence of N secret keys output a message \(\mu \).

We require the following properties:
  • Semantic security of encryption: For any polynomial \(d= d(\lambda )\) and any two messages \(\mu _0,\mu _1\) the following distributions are computationally indistinguishable:
    $$ (\mathsf {params}, pk,\mathsf {Encrypt}(pk,\mu _0)) \mathop {\approx }\limits ^{{\tiny {\mathrm {comp}}}}(\mathsf {params}, pk,\mathsf {Encrypt}(pk,\mu _1))$$
    where \(\mathsf {params}\leftarrow \mathsf {Setup}(1^{\lambda },1^d), (sk,pk)\leftarrow \mathsf{Keygen}(\mathsf {params})\).
  • Correctness and compactness: Let \(\mathsf {params}\leftarrow \mathsf {Setup}(1^{\lambda },1^d)\). Consider any sequences of N correctly generated key pairs \(\{(pk_i,sk_i)\leftarrow \mathsf{Keygen}(\mathsf {params})\}_{i\in [N]}\) and any \(\ell \)-tuple of messages \((\mu _1,\ldots ,\mu _\ell )\). For any sequence of indices \((I_1,\ldots ,I_\ell )\) where each \(I_i\in [N]\) let \(\{c_i\leftarrow \mathsf {Encrypt}(pk_{I_{i}},\mu _i)\}_{i\in [\ell ]}\) be encryptions of the messages \(\mu _i\) under the \(I_i\)-th public key and let \(\widehat{c}_i\leftarrow \mathsf {Expand}((pk_1,\ldots ,pk_N),I_i,c_i)\}_{i\in [\ell ]}\) be the corresponding expanded ciphertexts. Let \(\mathcal {C}\) be any (boolean) circuit of depth \(\le d\) and let \(\widehat{c}:=\mathsf {Eval}(\mathcal {C},(\widehat{c}_1,\ldots ,\widehat{c}_\ell )\) be the evaluated ciphertext. Then the following holds:

    Correctness of Expansion: \(\forall ~i~\in [\ell ]~,~\mathsf {Decrypt}((sk_1,\ldots ,sk_N),\widehat{c}_i)= \mu _i\).

    Correctness of Evaluation: \(\mathsf {Decrypt}((sk_1,\ldots ,sk_N),\widehat{c})= \mathcal {C}(\mu _1,\ldots ,\mu _\ell ) \).

    Compactness: There exists a polynomial \(p(\cdots )\) such that \(|\widehat{c}|\le p({\lambda },d,N)\). In other words the size of \(\widehat{c}\) should be independent of \(\mathcal {C}\) and \(\ell \), but can depend on \({\lambda }\), d and N.

Public-Coin Parameter Generation. By default, we will consider schemes where the \(\mathsf {Setup}\) algorithm is “public-coin” meaning that its randomness is included in its output. For such algorithms, we can derive \(\mathsf {params}\) from a common random string.

4.2 Threshold Decryption for MFHE

We now define a multi-key FHE which supports a one-round threshold distributed decryption protocol. Such a protocol consists of two components: (1) given an expanded ciphertext (possibly evaluated) \(\widehat{c}\) each party can compute a partial decryption using its secret key \(sk_i\), (2) there is a way to combine the partial decryptions computed by each party to recover the plaintext.

Definition 3

A Threshold multi-key FHE scheme (TMFHE) is a multi-key FHE scheme with two additional algorithms \(\mathsf {MFHE}.\mathsf {PartDec}, \mathsf {MFHE}.\mathsf {FinDec}\) described as follows:
  • \(p_i\leftarrow \mathsf {MFHE}.\mathsf {PartDec}(\widehat{c},(pk_1,\ldots ,pk_N),i,sk_i)\): On input an expanded ciphertext under a sequence of N keys and the i-th secret key output a partial decryption \(p_i\).

  • \(\mu \leftarrow \mathsf {MFHE}.\mathsf {FinDec}(p_1,\ldots ,p_N)\): On input N partial decryption output the plaintext \(\mu \).

Along with the properties of multi-key FHE we require the scheme to satisfy the following properties.

  • Correctness and Simulation: Let \(\mathsf {params}\leftarrow \mathsf {Setup}(1^{\lambda },1^d)\). Consider any sequences of N correctly generated key pairs \(\{(pk_i,sk_i)\leftarrow \mathsf{Keygen}(\mathsf {params})\}_{i\in [N]}\) and any \(\ell \)-tuple of messages \((\mu _1,\ldots ,\mu _\ell )\). For any sequence of indices \((I_1,\ldots ,I_\ell )\) where each \(I_i\in [N]\) let \(\{c_i\leftarrow \mathsf {Encrypt}(pk_{I_{i}},\mu _i)\}_{i\in [\ell ]}\) be encryptions of the messages \(\mu _i\) under the \(I_i\)-th public key and let \(\widehat{c}_i\leftarrow \mathsf {Expand}((pk_1,\ldots ,pk_N),I_i,c_i)\}_{i\in [\ell ]}\) be the corresponding expanded ciphertexts. Let \(\mathcal {C}\) be any (boolean) circuit of depth \(\le d\) and let \(\widehat{c}:=\mathsf {Eval}(\mathcal {C},(\widehat{c}_1,\ldots ,\widehat{c}_\ell )\) be the evaluated ciphertext.

    • Correctness of Decryption: The following holds with probability 1:
      $$\mathsf {MFHE}.\mathsf {FinDec}(\widehat{c}, (p_1,\ldots ,p_N)) = \mathcal {C}(\mu _1,\ldots ,\mu _\ell )$$
      where \(\{p_i\leftarrow \mathsf {MFHE}.\mathsf {PartDec}(\widehat{c},(pk_1,\ldots ,pk_N),i,sk_i)\}_{i\in [N]}\) are the partial decryptions.
    • Simulatability of partial decryption: There exists a PPT simulator \(\mathcal{S}^{thr}\) which, on input and index \(i \in [N]\) and all but the i-th keys \(\{sk_j\}_{j\in [N]\setminus \{i\}}\) the evaluated ciphertext \(\widehat{c}\) and the output message \(\mu := \mathcal {C}(\mu _1,\ldots ,\mu _\ell )\) produces a simulated partial decryption \(p'_i\leftarrow \mathcal{S}^{thr}(\mu ,\widehat{c},i,\{sk_j\}_{j\in [N]\setminus \{i\}})\) such that
      $$p_i \mathop {\approx }\limits ^{{\tiny {\mathrm {stat}}}}p'_i$$
      where \(p_i\leftarrow \mathsf {MFHE}.\mathsf {PartDec}(\widehat{c},(pk_1,\ldots ,pk_N),i,sk_i)\). Note that the randomness is only over the random coins of the simulator and the \(\mathsf {MFHE}.\mathsf {PartDec}\) procedure and all other values are assumed to be fixed (and known).

The simulatability of partial decryptions property says that we can simulate the partial decryption \(p_i\) produced by a single party i given the plaintext value \(\mu \) and the secret keys of all other parties. Ideally, we would have a stronger definition that allows us to simulate the partial decryptions \(\{p_i\}_{i \in S}\) of any subset of the parties S given the secret keys of all other parties (rather than just a single values), but unfortunately we do not know how to achieve this type of security. It turns out that, with a little additional work, the given definition suffices in our MPC construction.

5 Constructing Threshold Multi-key FHE from LWE

We now show how to construct threshold multi-key FHE from LWE. The construction proceeds in four parts. First, we present the GSW encryption scheme along with a non-standard but useful homomorphic property that it satisfies. Secondly, we define the notion of a masking scheme for GSW and show how to construct it. Thirdly, we use GSW and the masking scheme to construct multi-key FHE. Finally, we show to perform threshold decryption for this scheme.

5.1 GSW Fully Homomorphic Encryption

We now describe the GSW fully homomorphic encryption scheme.

  • \(\mathsf {params}\leftarrow \mathsf {GSW}.\mathsf {SetUp}(1^{\lambda },1^d)\): Choose a lattice dimension parameters \(n = n({\lambda },d)\) and \(B_{\chi }\)-bounded error distribution \(\chi = \chi ({\lambda },d)\) and a modulus q of size \(q = B_{\chi }2^{\omega ( d {\lambda }\log {\lambda })}\) such that \(\mathsf {LWE}_{n-1,q,\chi ,B_{\chi }}\) holds.6 Choose \(m= n\log (q) + \omega (\log {\lambda })\). Finally choose a random matrix \({\mathbf {B}}\in \mathbb {Z}_q^{n-1\times m}\). Output \(\mathsf {params}:= (q,n,m,\chi ,B_{\chi },{\mathbf {B}})\). We stress that all the other algorithms implicitly get \(\mathsf {params}\) as input even if we usually do not write this explicitly.

  • \(\mathsf {GSW}.\mathsf{Keygen}(\mathsf {params})\): We separately describe two sub-algorithms to generate secret-key and pubic-key respectively:
    • \(\mathsf {GSW}.\mathsf {SKGen}(\mathsf {params})\): Sample Open image in new window . Output \(sk= \mathbf{t}= (-{\mathbf {s}},1)\in \mathbb {Z}_q^n\).

    • \(\mathsf {GSW}.\mathsf {PKGen}(\mathsf {params},sk)\): Sample \({\mathbf {e}}\leftarrow \chi ^m\). Set \({\mathbf {b}} :={\mathbf {s}}{\mathbf {B}}+ {\mathbf {e}}\in \mathbb {Z}_q^m\). Output \(pk= {\mathbf {A}}\) where, \({\mathbf {A}}\in \mathbb {Z}_q^{n\times m}\) is defined as \({\mathbf {A}}:=\begin{bmatrix} {\mathbf {B}}\\ {\mathbf {b}}\end{bmatrix}\)

  • \(\mathsf {GSW}.\mathsf {Encrypt}(pk,\mu )\): Choose a short random matrix as the randomness Open image in new window . Then output the encryption of message \(\mu \in {\{0,1\}}\) as \({\mathbf {C}}\in \mathbb {Z}_q^{n\times m}\) where,
    $$ {\mathbf {C}}:= {\mathbf {A}}{\mathbf {R}}+ \mu {\mathbf {G}}$$
  • \(\mathsf {GSW}.\mathsf {Decrypt}(sk,{\mathbf {C}})\): Let \(\mathbf{t}:=sk\). Define a vector \({\mathbf {w}}\in \mathbb {Z}_q^{n}\) as follows:
    $$\begin{aligned} {\mathbf {w}} = [0,\ldots ,0,\lceil q/2\rceil ] \end{aligned}$$
    Then compute \(v=\mathbf{t}{\mathbf {C}}{\mathbf {G}}^{-1}({\mathbf {w}}^{T})\in \mathbb {Z}_q^m\). Finally output \(\mu ' = \left| \left\lfloor \frac{v}{q/2}\right\rceil \right| \) as the decrypted message.
  • On input two ciphertexts \({\mathbf {C}}_1,{\mathbf {C}}_2\in \mathbb {Z}_q^{n\times m}\) we can define homomorphic addition, multiplication:
    • \(\mathsf {GSW}.\mathsf {Add}({\mathbf {C}}_1,{\mathbf {C}}_2)\): Output \({\mathbf {C}}_1 + {\mathbf {C}}_2\in \mathbb {Z}_q^{n\times m}\).

    • \(\mathsf {GSW}.\mathsf {Mult}({\mathbf {C}}_1,{\mathbf {C}}_2)\): Output the matrix product \({\mathbf {C}}_1 {\mathbf {G}}^{-1}({\mathbf {C}}_2)\in \mathbb {Z}_q^{n\times m}\).

    This also allows us to compute a homomorphic NAND gate by outputting \({\mathbf {G}}- {\mathbf {C}}_1 {\mathbf {G}}^{-1}({\mathbf {C}}_2)\).

We sketch the proof of the following theorem for completeness.

Theorem 1

([18]). The scheme described above is a secure FHE under the \(\mathsf {LWE}_{n-1,q,\chi ,B_{\chi }}\) assumption.

Security. The proof of semantic security consists of two steps. First, we can use the LWE assumption to replace the public key \(pk = {\mathbf {A}}\) with a uniformly random matrix in \({\mathbb {Z}}_q^{n \times m}\). Then we can use the leftover hash lemma to replace the ciphertext \({\mathbf {C}}:= {\mathbf {A}}{\mathbf {R}}+ \mu {\mathbf {G}}\) with a uniformly random value \({\mathbf {C}}'\). We refer the reader to [18] for details.

Correctness. To analyze correctness, it is helpful to define the following notion of a “noisy ciphertext”.

Definition 4

( \(\beta \) -noisy ciphertext). A \(\beta \)-noisy ciphertext of some message \(\mu \) under secret-key \(sk= \mathbf{t}\in \mathbb {Z}_q^n\) is a matrix \({\mathbf {C}}\in \mathbb {Z}_q^{n\times m}\) such that: \(\mathbf{t}{\mathbf {C}}= \mu \mathbf{t}{\mathbf {G}}+ {\mathbf {e}}\) for some \({\mathbf {e}}\) with \(\Vert {\mathbf {e}}\Vert _\infty \le \beta \).

  • Encryption: Consider a fresh ciphertext \({\mathbf {C}}={\mathbf {A}}{\mathbf {R}}+\mu {\mathbf {G}}\) which is generated by encrypting some message \(\mu \) with some public key \({\mathbf {A}}\) with corresponding secret key \(\mathbf{t}\). First recall that \(\mathbf{t}{\mathbf {A}}={\mathbf {e}}\) such that \(\Vert {\mathbf {e}}\Vert _\infty \le B_{\chi }\). Therefore \(\mathbf{t}{\mathbf {C}}= {\mathbf {e}}'+\mu \mathbf{t}{\mathbf {G}}\) where \({\mathbf {e}}' = {\mathbf {e}}{\mathbf {R}}\) which implies \(\Vert {\mathbf {e}}'\Vert _\infty \le mB_{\chi }\). Hence \({\mathbf {C}}\) is \(mB_{\chi }\)-noisy encryption of \(\mu \) under \(\mathbf{t}\). Let us call this value initial noise or \(\beta _{init} = mB_{\chi }\).

  • Evaluation: Let \({\mathbf {C}}_1\) and \({\mathbf {C}}_2\) be two ciphertexts which are \(\beta _1\) and \(\beta _2\) noisy encryption of \(\mu _1,\mu _2 \in {\{0,1\}}\) under the key \(\mathbf{t}\) respectively, so that: \(\mathbf{t}{\mathbf {C}}_1 = {\mathbf {e}}_1 + \mu _1\mathbf{t}{\mathbf {G}}\) and \(\mathbf{t}{\mathbf {C}}_2 = {\mathbf {e}}_2 +\mu _2\mathbf{t}{\mathbf {G}}\) with \(\Vert {\mathbf {e}}_1\Vert _\infty \le \beta _1,\Vert {\mathbf {e}}_2\Vert _\infty \le \beta _2\).

  • Addition: Then their addition will result in a ciphertext \({\mathbf {C}}^{(+)} = {\mathbf {C}}_1 + {\mathbf {C}}_2\) such that, \(\mathbf{t}{\mathbf {C}}^{(+)} = {\mathbf {e}}' + (\mu _1+\mu _2)\mathbf{t}{\mathbf {G}}\) where \({\mathbf {e}}' = {\mathbf {e}}_1 + {\mathbf {e}}_2\). Clearly this is \(\beta _1+\beta _2\)-noisy.

  • Multiplication: On the other hand the multiplication would produce a ciphertext \({\mathbf {C}}^{(\times )}={\mathbf {C}}_1{\mathbf {G}}^{-1}({\mathbf {C}}_2)\) such that \(\mathbf{t}{\mathbf {C}}^{(\times )} = {\mathbf {e}}'' + \mu _1\mu _2{\mathbf {G}}\) where \({\mathbf {e}}'' = {\mathbf {e}}{\mathbf {G}}^{-1}({\mathbf {C}}_2)+\mu _1{\mathbf {e}}_2\). Clearly \(\Vert {\mathbf {e}}''\Vert _\infty \le (m\beta _1+\beta _2)\) and the ciphertext \({\mathbf {C}}^{(\times )}\) is \((m\beta _1+\beta _2)\)-noisy. The same calculation holds for NAND gates.

  • Decryption: Let \({\mathbf {C}}\) be a \(\beta \)-noisy encryption of \(\mu \) so that: \(\mathbf{t}{\mathbf {C}}= {\mathbf {e}}+ \mu \mathbf{t}{\mathbf {G}}\) where \(\Vert e\Vert _\infty = \beta \). Then \( v = \mathbf{t}{\mathbf {C}}{\mathbf {G}}^{-1}({\mathbf {w}}^T) =e' +\mu (q/2)\) such that \(e' =\langle {\mathbf {e}}~,~ {\mathbf {G}}^{-1}({\mathbf {w}}^T)\rangle \). Clearly, \(\Vert e'\Vert _\infty \le m\beta \). Now one can observe that decryption works correctly as long as \(\Vert e'\Vert _\infty < q/4\). Therefore correctness holds as long as \(\beta < q/(4m)\). We call this value \(\beta _{max}:= q/(4m)\).

Consider evaluating a (boolean) circuit of depth d consisting of NAND gates. It takes input fresh ciphertexts (\(\beta _{init}\)-noisy) and each level multiplies the noise by a factor of at most \((m+1)\). Therefore, the final output is \(\beta _{final}\)-noisy ciphertexts where \(\beta _{final} = (m+1)^{d}\beta _{init}\). To ensure correctness of decryption we need \(\beta _{final}\le \beta _{max}\) meaning \(B_{\chi }4m^2(m+1)^d < q\) which is satisfied by our choice of parameters. This concludes the proof.

Homomorphic Linear Combinations and Pseudo Encryption. We now define an additional homomorphic operation. This operation takes as input GSW ciphertexts \({\mathbf {C}}_{i,j}\) encrypting the individual entries \({\mathbf {M}}[i,j]\) of some matrix \({\mathbf {M}}\in {\mathbb {Z}}_q^{m \times m}\) under a secret key \(\mathbf{t}\). It also takes a plaintext vector \(\mathbf {v}\in {\mathbb {Z}}_q^m\) which specifies the homomorphic function to be computed. The operations outputs a “pseudo ciphertext” \({\mathbf {C}}_{lc}\) which we can think of as a pseudo encryption of the vector \(\mathbf {v}{\mathbf {M}}\), meaning that \(\mathbf{t}{\mathbf {C}}_{lc}\approx \mathbf {v}{\mathbf {M}}\). Note that the “pseudo ciphertext” \({\mathbf {C}}_{lc}\) cannot be correctly decrypted (we can only recover something close to \(\mathbf {v}{\mathbf {M}}\) but not the exact value) nor can we further perform any of the standard GSW homomorphic operations on it.

Property 1

(Linear combination). Let \({\mathbf {M}}\in {\{0,1\}}^{m \times m}\) be a matrix and for \(i \in [m], j \in [m]\) let \({\mathbf {C}}_{i,j} \in {\mathbb {Z}}_q^{n\times m}\) be a \(\beta \)-noisy GSW encryption of \({\mathbf {M}}[i,j]\) under a secret key \(\mathbf{t}\in {\mathbb {Z}}_q^n\). Let \(\mathbf {v}\in {\mathbb {Z}}_q^m\) be some vector (not necessarily short). Then there is a polynomial-time deterministic algorithm
$${\mathbf {C}}_{lc}= \mathsf {GSW.LComb}(({\mathbf {C}}_{1,1},\ldots ,{\mathbf {C}}_{m,m}),\mathbf {v}) $$
which outputs \({\mathbf {C}}_{lc}\in \mathbb {Z}_q^{n\times m}\) such that \(\mathbf{t}{\mathbf {C}}_{lc}= \mathbf {v}{\mathbf {M}}+ {\mathbf {e}}\) where \(\Vert {\mathbf {e}}\Vert _\infty \le m^3\beta \).
Implementation. The algorithm \(\mathsf {GSW.LComb}(({\mathbf {C}}_{1,1},\ldots ,{\mathbf {C}}_{m,m}),\mathbf {v})\) is implemented as follows:
  1. 1.
    For each \(i\in [m], j\in [m]\) define a matrix \({\mathbf {Z}}_{i,j}\in \mathbb {Z}_q^{n\times m}\) as follows: In other words \({\mathbf {Z}}_{i,j}\) will have 0 everywhere except the n-th (final) row and j-th column where it has the value \(\mathbf {v}[i]\).
  2. 2.

    Now output \({\mathbf {C}}_{lc}\in \mathbb {Z}_q^{n\times m} \) where: Open image in new window

Correctness. Correctness follows because,where \({\mathbf {e}}_{i,j}\) is the noise contained in \({\mathbf {C}}_{i,j}\) which is of magnitude \(\Vert {\mathbf {e}}_{i,j}\Vert _\infty \le \beta \), \({\mathbf {e}}'_{i,j} = {\mathbf {e}}_{i,j}{\mathbf {G}}^{-1}({\mathbf {Z}}_{i,j})\) has magnitude \(\Vert {\mathbf {e}}_{i,j}\Vert _\infty \le m\beta \), and finally Open image in new window has magnitude \(\Vert {\mathbf {e}}''\Vert _\infty \le m^3\beta \).

5.2 A Masking Scheme for GSW

We now define and show how to construct a “masking scheme” for GSW, which serves as the main component of the multi-key FHE scheme. Intuitively, a masking scheme allows us to take a GSW public key \(pk = {\mathbf {A}}\) (having a corresponding secret key \(\mathbf{t}\)) and a bit \(\mu \) and output a pair of values \((\mathcal {U},{\mathbf {C}})\) such that \({\mathbf {C}}\) is a GSW encryption of \(\mu \) with \(pk\) and \(\mathcal {U}\) is an auxiliary value such that (1) the pair \((\mathcal {U},{\mathbf {C}})\) computationally hide \(\mu \) (just like \({\mathbf {C}}\) alone) and (2) later, given another GSW public key \(pk = {\mathbf {A}}'\) (having a corresponding secret key \(\mathbf{t}'\)) we can compute a matrix \({\mathbf {X}}\) such that \(\mathbf{t}{\mathbf {X}}+ \mathbf{t}' {\mathbf {C}}= \mu \mathbf{t}' {\mathbf {G}}\).

Property 2

(GSW Masking Scheme). There exists a pair of algorithms \((\mathsf {UniEnc},\mathsf {Extend})\):
  • \(\mathsf {UniEnc}(\mu ,pk)\): On input a message \(\mu \in {\{0,1\}}\) and a GSW public key pk it generates a pair \( (\mathcal {U},{\mathbf {C}})\) where \({\mathbf {C}}\in \mathbb {Z}_q^{n\times m}\) and \(\mathcal {U}\in {\{0,1\}}^*\).

  • \(\mathsf {Extend}(\mathcal {U},pk, pk')\): On input \(\mathcal {U}\) and GSW public keys \(pk, pk'\) it outputs \({\mathbf {X}}\in \mathbb {Z}_q^{n\times m}\).

for which the following properties holds:
  • Semantic Security: For any polynomial \(d = d({\lambda })\) security of GSW encryption implies that:
    $$(\mathsf {params},pk,\mathsf {UniEnc}(0,pk))\mathop {\approx }\limits ^{{\tiny {\mathrm {comp}}}}(\mathsf {params}, pk,\mathsf {UniEnc}(1,pk))$$
    where \(\mathsf {params}\leftarrow \mathsf {GSW}.\mathsf {SetUp}(1^{\lambda },1^d)\), \((sk, pk) \leftarrow \mathsf {GSW}.\mathsf{Keygen}(\mathsf {params})\).
  • Correctness: Let \(\mathsf {params}\leftarrow \mathsf {GSW}.\mathsf {SetUp}(1^{\lambda },1^d)\) and let \((sk= \mathbf{t},pk),(sk' = \mathbf{t}',pk')\) be two independent key pairs generated with \(\mathsf {GSW}.\mathsf{Keygen}(\mathsf {params})\). For any \(\mu \in {\{0,1\}}\) let \((\mathcal {U},{\mathbf {C}})\leftarrow \mathsf {UniEnc}(\mu ,pk)\) and \({\mathbf {X}}\leftarrow \mathsf {Extend}(\mathcal {U},pk, pk')\). Then
    $$\mu :=\mathsf {GSW}.\mathsf {Decrypt}(sk,{\mathbf {C}})~~\text {and}~~\mathbf{t}{\mathbf {X}}+\mathbf{t}'{\mathbf {C}}= \mu \mathbf{t}'{\mathbf {G}}+{\mathbf {e}}$$
    where \(\Vert {\mathbf {e}}\Vert _\infty \le \beta _{mask}\) for \(\beta _{mask}:= (m^4 +m) B_{\chi }\).

Instantiation. We now show how to implement such masking scheme.

  • \(\mathsf {UniEnc}(pk,\mu )\): On input a message \(\mu \) and a public key \(pk\) the algorithm outputs \(\mathcal {U}\), which is a \(m^2\)-tuple of matrices in \(\mathbb {Z}_q^{n\times m}\), and \({\mathbf {C}}\in \mathbb {Z}_q^{n\times m}\) as follows.

    1. 1.

      Let \( {\mathbf {A}}= pk\). Set \({\mathbf {C}}\leftarrow \mathsf {GSW}.\mathsf {Encrypt}(pk,\mu ) \in \mathbb {Z}_q^{n\times m}\) so that \({\mathbf {C}}= {\mathbf {A}}{\mathbf {R}}+ \mu {\mathbf {G}}\) where \({\mathbf {R}}\in {\{0,1\}}^{m \times m}\) is the encryption randomness.

    2. 2.

      Encrypt each element of the random matrix \({\mathbf {R}}\) (chosen in Step 1) to get \(m^2\) ciphertexts: \({\mathbf {V}}^{(a,b)}_{} \leftarrow \mathsf {GSW}.\mathsf {Encrypt}(pk,{\mathbf {R}}[a,b])\). Set \(\mathcal {U}:= \left( {\mathbf {V}}^{(1,1)}_{},\ldots ,{\mathbf {V}}^{(m,m)}_{}\right) \in \left( \mathbb {Z}_q^{n\times m}\right) ^{(m^2)}\).

  • \(\mathsf {Extend}(\mathcal {U}, pk, pk')\): On input a \(\mathcal {U}\in \left( \mathbb {Z}_q^{n\times m}\right) ^{(m^2)}\) and public keys \(pk, pk'\) the algorithm computes \({\mathbf {X}}\in \mathbb {Z}_q^{n\times m}\) as follows:
    1. 1.

      Parse \(pk = {\mathbf {A}}= \begin{bmatrix} {\mathbf {B}}\\{\mathbf {b}}\end{bmatrix}\), \(pk' = {\mathbf {A}}' = \begin{bmatrix} {\mathbf {B}}\\{\mathbf {b}}' \end{bmatrix}\) and, \(\mathcal {U}= \big (\{{\mathbf {V}}^{(a,b)}_{}\}_{a,b\in [m]}\big )\).

    2. 2.

      Set \({\mathbf {X}}= \mathsf {GSW.LComb}\big (({\mathbf {V}}^{(1,1)}_{},\ldots ,{\mathbf {V}}^{(m,m)}_{}),{\mathbf {b}}' - {\mathbf {b}}\big )\).

Semantic Security. The view of the attacker is the following distribution:
$$\bigg (\mathsf {params}, {\mathbf {A}},{\mathbf {C}},\mathcal {U}= \left( ~~{\mathbf {V}}^{(11)}_{},\ldots ,{\mathbf {V}}^{(m,m)}_{}\right) \bigg )$$
generated via \(\mathsf {params}\leftarrow \mathsf {GSW}.\mathsf {SetUp}(1^{\lambda },1^d)\), \((sk, pk= {\mathbf {A}}) \leftarrow \mathsf {GSW}.\mathsf{Keygen}(\mathsf {params})\) and \(({\mathbf {C}}, \mathcal {U}) \leftarrow \mathsf {UniEnc}(pk,\mu )\), where either \(\mu = 0\) or \(\mu =1\). We prove semantic security of the masking scheme by relying on the semantic security of the underlying GSW scheme. The proof consists of the following hybrids:
  • Firstly, we modify each of the ciphertexts \({\mathbf {V}}^{(a,b)}_{}\) so that instead of being GSW encryptions of \({\mathbf {R}}[a,b]\), we just choose them as GSW encryptions of 0. This just relies on semantic security of GSW encryption.

  • Secondly, we also choose \({\mathbf {C}}\) as a GSW encryption of 0. This also just follows from the semantic security of GSW encryption, since after the first step no information about the randomness \({\mathbf {R}}\) is given out.

Finally, this distribution is completely independent of the bit \(\mu \) which concludes the proof of semantic security.

Correctness. Let \(\left( (sk= \mathbf{t},pk= {\mathbf {A}}),(sk' = \mathbf{t}',pk' = {\mathbf {A}}')\right) \) be two correctly generated GSW key-pairs. Now recall that, \(sk= \mathbf{t}= (-{\mathbf {s}},1) \in \mathbb {Z}_q^{n}\), and \(sk' = \mathbf{t}' = (-{\mathbf {s}}',1)\in \mathbb {Z}_q^n\); \(pk= {\mathbf {A}}= \begin{bmatrix}{\mathbf {B}}\\{\mathbf {b}} \end{bmatrix}\in \mathbb {Z}_q^{n\times m}\), \(pk' = {\mathbf {A}}' = \begin{bmatrix}{\mathbf {B}}\\{\mathbf {b}}' \end{bmatrix}\in \mathbb {Z}_q^{n\times m}\) where \({\mathbf {b}}= {\mathbf {s}}{\mathbf {B}}+ {\mathbf {e}}\), \({\mathbf {b}}' = {\mathbf {s}}'{\mathbf {B}}+ {\mathbf {e}}'\) with \(\Vert {\mathbf {e}}\Vert _\infty , \Vert {\mathbf {e}}'\Vert _\infty \le \beta _{\chi }\).

Furthermore, for any message \(\mu \) let \((\mathcal {U},{\mathbf {C}})\leftarrow \mathsf {UniEnc}(pk,\mu )\) and \({\mathbf {X}}\leftarrow \mathsf {Extend}(\mathcal {U},pk, pk')\) where \(\mathcal {U}= \left( {\mathbf {V}}^{(1,1)}_{},\ldots ,{\mathbf {V}}^{(nm)}_{}\right) \). Then it is easy to see that \(\mu :=\mathsf {GSW}.\mathsf {Decrypt}(sk,{\mathbf {C}})\) which implies that \({\mathbf {C}}= {\mathbf {A}}{\mathbf {R}}+ \mu {\mathbf {G}}= \begin{bmatrix}{\mathbf {B}}\\{\mathbf {b}} \end{bmatrix} {\mathbf {R}}+ \mu {\mathbf {G}}\) for some \({\mathbf {R}}\in {\{0,1\}}^{m \times m}\) and hence
$$\begin{aligned} \mathbf{t}' {\mathbf {C}}= & {} (-{\mathbf {s}}', 1) \begin{bmatrix}{\mathbf {B}}\\{\mathbf {b}} \end{bmatrix}{\mathbf {R}}+ \mu \mathbf{t}' {\mathbf {G}}\\= & {} - {\mathbf {s}}' {\mathbf {B}}{\mathbf {R}}+ {\mathbf {b}}{\mathbf {R}}+ \mu \mathbf{t}' {\mathbf {G}}\\= & {} -({\mathbf {b}}' - {\mathbf {e}}'){\mathbf {R}}+ {\mathbf {b}}{\mathbf {R}}+ \mu \mathbf{t}' {\mathbf {G}}\\= & {} ({\mathbf {b}}- {\mathbf {b}}') {\mathbf {R}}+ \mu \mathbf{t}' {\mathbf {G}}+ {\mathbf {e}}_{C} \end{aligned}$$
where \({\mathbf {e}}_{C} = {\mathbf {e}}' {\mathbf {R}}\) has norm \(\Vert {\mathbf {e}}_C\Vert _\infty = mB_{\chi }\).
On the other hand, by the correctness of linear combinations, we have:
$$ \mathbf{t}{\mathbf {X}}= ({\mathbf {b}}' - {\mathbf {b}}) {\mathbf {R}}+ {\mathbf {e}}_{X}$$
where \(\Vert {\mathbf {e}}_{X}\Vert _\infty = m^4B_{\chi }\).

Combining these equations, we get \(\mathbf{t}{\mathbf {X}}+ \mathbf{t}' {\mathbf {C}}= \mu \mathbf{t}' {\mathbf {G}}+ {\mathbf {e}}^*\) where \(\Vert {\mathbf {e}}^*\Vert _\infty \le (m^4 +m) B_{\chi }\) as claimed.

5.3 Construction of Multi-key FHE

First recall the fixed matrix \({\mathbf {G}}\in \mathbb {Z}_q^{n\times m}\) that played an important role for the earlier construction and analysis. In this section we define an “expanded matrix” \(\widehat{{\mathbf {G}}}_N \in \mathbb {Z}_q^{nN\times mN}\) as:
$$\widehat{{\mathbf {G}}}_N = \begin{bmatrix} {\mathbf {G}}&\cdots&\cdots&\mathsf {0}\\ \mathsf {0}&{\mathbf {G}}&\cdots&\vdots \\ \vdots&\cdots&{\mathbf {G}}&\mathsf {0}\\ \mathsf {0}&\cdots&\cdots&{\mathbf {G}}\\ \end{bmatrix}$$
We note that there exists a corresponding efficiently computable function \(\widehat{{\mathbf {G}}}^{-1}_N(\cdot )\) such that for any \(m'\in \mathbb {N}\) any matrix \({\mathbf {M}}\in \mathbb {Z}_q^{nN \times m'}\), \(\widehat{{\mathbf {G}}}^{-1}_N({\mathbf {M'}})\in {\{0,1\}}^{mN\times mN}\) is “short” and \(\widehat{{\mathbf {G}}}_N\widehat{{\mathbf {G}}}^{-1}_N({\mathbf {M}}) = {\mathbf {M}}\). Such \(\widehat{{\mathbf {G}}}^{-1}_N(\cdot )\) can be computed using \({\mathbf {G}}^{-1}(\cdot )\) in the natural way.

Construction. Now we describe our multi-key FHE construction.

  • \(\mathsf {MFHE}.\mathsf {SetUp}(1^\lambda ,1^d)\): Run the set-up algorithm of GSW to generate the parameters:
    $$\mathsf {params}:= (q,n,m,\chi ,B_{\chi },{\mathbf {B}})\leftarrow \mathsf {GSW}.\mathsf {SetUp}(1^\lambda ,1^d).$$
  • \(\mathsf {MFHE}.\mathsf{Keygen}(\mathsf {params})\): Run the key-generation algorithm of GSW to generate:
    $$sk:=\mathbf{t}\leftarrow \mathsf {GSW}.\mathsf {SKGen}(\mathsf {params})\qquad pk:={\mathbf {A}}\leftarrow \mathsf {GSW}.\mathsf {PKGen}(\mathsf {params},sk)$$
  • \(\mathsf {MFHE}.\mathsf {Encrypt}(pk,\mu )\): Execute the following steps:
    • Just use the masking scheme: \((\mathcal {U},{\mathbf {C}})\leftarrow \mathsf {UniEnc}(\mu ,pk)\).

    • Output the pair \(c:=(\mathcal {U},{\mathbf {C}})\) as the ciphertext for \(\mu \).

  • \(\mathsf {MFHE}.\mathsf {Expand}((pk_{1},\ldots ,pk_{N}),i,c)\): On receiving a sequence of public-keys \(\left( pk_1,\ldots ,pk_N\right) \) and a fresh ciphertext \(c = (\mathcal {U},{\mathbf {C}})\) under the public key \(pk_i\) run the \(\mathsf {Extend}\) algorithm for all \(pk_j\) where \(i\ne j\).

    • For \(j\in \left\{ pk_1,\ldots ,pk_N\right\} \setminus \{i\}\), compute \({\mathbf {X}}_j\leftarrow \mathsf {Extend}(\mathcal {U},pk_i, pk_j)\).

    • Then define a matrix \(\widehat{{\mathbf {C}}}\in \mathbb {Z}_q^{nN\times mN}\) as a concatenation of \(N^2\) sub-matrices where each sub-matrix \({\mathbf {C}}_{a,b} \in {\mathbb {Z}}_q^{n \times m}\) for \(a,b\in [N]\) is defined as: For reader’s convenience we provide a pictorial representation of \(\widehat{{\mathbf {C}}}\) in Fig. 1:

      Finally output \(\widehat{c} :=\widehat{{\mathbf {C}}}\) as the expanded ciphertext.

  • \(\mathsf {MFHE}.\mathsf {Eval}(\mathsf {params},\mathcal {C},(\widehat{c}_1,\ldots ,\widehat{c}_\ell ))\) On input \(\ell \) expanded ciphertexts simply use the GSW homomorphic evaluation algorithms namely \(\mathsf {GSW}.\mathsf {Add}\) and \(\mathsf {GSW}.\mathsf {Mult}\), albeit with expanded dimensions \(n' = nN\) and \(m' = mN\) and the expanded \(\widehat{{\mathbf {G}}}_N,\widehat{{\mathbf {G}}}^{-1}_N\) (in place of nm and \({\mathbf {G}}, {\mathbf {G}}^{-1}\)).

  • \(\mathsf {MFHE}.\mathsf {Decrypt}(\mathsf {params},(sk_1,\ldots ,sk_N),c)\): On input a ciphertext \(c = \widehat{{\mathbf {C}}}\) and the sequence of secret keys \((sk_1,\ldots ,sk_N)\) parse each \(\mathbf{t}_i:=sk_i\) and then construct the joint secret key by horizontally appending all the secret-keys in sequence Open image in new window . Then run the GSW decryption algorithm albeit with expanded dimensions \(n' = nN\) and \(m' = mN\) and the expanded \(\widehat{{\mathbf {G}}}_N,\widehat{{\mathbf {G}}}^{-1}_N\) (in place of nm and \({\mathbf {G}}, {\mathbf {G}}^{-1}\)).

Fig. 1.

Structure of the expanded ciphertext \(\widehat{{\mathbf {C}}}\)

Correctness and Security of MFHE Construction

Theorem 2

The scheme described above is a secure MFHE under the \(\mathsf {LWE}_{n-1,q,\chi ,B_{\chi }}\) assumption (with the same parameters as we defined for GSW encryption).

Semantic Security. The semantic security of the above multi-key FHE follows directly from that of the GSW masking scheme.

Correctness of Expansion. Consider a sequences of N key pairs \(((sk_1 = \mathbf{t}_1,pk_1),\ldots ,(sk_N = \mathbf{t}_N,pk_N))\) correctly generated by running the key-generation as \(\{(pk_i,sk_i)\leftarrow \mathsf {MFHE}.\mathsf{Keygen}(\mathsf {params})\}_{i\in [N]}\). Now suppose for any message \(\mu \) and any \(i\in [N]\) we have a ciphertext \(c\leftarrow \mathsf {MFHE}.\mathsf {Encrypt}(pk_i,\mu )\) under the i-th key and the corresponding expanded ciphertext \(\widehat{{\mathbf {C}}}\leftarrow \mathsf {MFHE}.\mathsf {Expand}((pk_1,\ldots ,pk_N),i,c)\) as shown in Fig. 1. Let \(\widehat{\mathbf{t}}= [\mathbf{t}_1,\ldots ,\mathbf{t}_N]\). Then

where \(\Vert {\mathbf {e}}_i\Vert _\infty \le mB_{\chi }\) by the correctness of GSW encryption and for \(j\ne i\), \(\Vert {\mathbf {e}}_j\Vert _\infty \le (m^4 +m) B_{\chi }\) by the correctness of the GSW masking scheme. Therefore, Open image in new window where \(\Vert {\mathbf {e}}\Vert _\infty \le (m^4 +m) B_{\chi }\). Let’s call this value \(\beta '_{init} = (m^4 +m) B_{\chi }= 2^{O(\log {\lambda })} B_{\chi }\). The correctness of GSW encryption is guaranteed as long as \(\beta '_{init} \le q/(4m')\) which holds with the choice of q we defined.

Correctness of Evaluation. Let \(\widehat{{\mathbf {C}}}_1, \ldots , \widehat{{\mathbf {C}}}_\ell \) be expanded ciphertexts corresponding to bit \(\mu _1,\ldots ,\mu _\ell \) so that, by the above correctness property, \(\widehat{\mathbf{t}}\widehat{{\mathbf {C}}}_i = \mu _i \widehat{\mathbf{t}}\widehat{{\mathbf {G}}}+ {\mathbf {e}}_i\) where \(\Vert {\mathbf {e}}_i\Vert _\infty \le \beta '_{init}\). If \(\widehat{{\mathbf {C}}}\) is the output of a homomorphic evaluation of a circuit \(\mathcal {C}\) of depth d over the above ciphertexts such that \(\mu = \mathcal {C}(\mu _1,\ldots ,\mu _\ell )\) then by the correctness of GSW homomorphic evaluation with scaled up parameters \(n' = nN, m' = mN\) we have Open image in new window where \(\Vert {\mathbf {e}}\Vert _\infty \le \beta '_{init} (m'+1)^d = (m^4 +m) B_{\chi }(mN + 1)^d\). Let’s call this value \(\beta '_{final} = B_{\chi }(m^4 +m) (mN + 1)^d = 2^{O(d \log {\lambda })} B_{\chi }\). The correctness of GSW encryption is guaranteed as long as \(\beta '_{final} \le q/(4m')\) which holds with the choice of q we defined.

5.4 Threshold Decryption for Multi-key FHE

We now show how to implement threshold decryption for the \(\mathsf {MFHE}\) construction outlined in the previous section.

  • \(\mathsf {MFHE}.\mathsf {PartDec}(\widehat{c},(pk_1,\ldots ,pk_N),i,sk_i)\): On input an expanded ciphertext Open image in new window under a sequence of keys \((pk_1,\ldots ,pk_N)\) and the i-th secret key \(sk_i = \mathbf{t}_i\in \mathbb {Z}_q^{n}\) do the following:

  • Parse \(\widehat{{\mathbf {C}}}\) as consisting of N sub-matrices \(\widehat{{\mathbf {C}}}^{(i)}\in \mathbb {Z}_q^{n\times mN}\) such that
    $$\widehat{{\mathbf {C}}}= \begin{bmatrix} \widehat{{\mathbf {C}}}^{(1)}\\ \vdots \\ \widehat{{\mathbf {C}}}^{(N)} \end{bmatrix} .$$
  • Define \(\widehat{{\mathbf {w}}}\in \mathbb {Z}_q^{nN}\) as \(\widehat{{\mathbf {w}}}= [0,\ldots ,0,\lceil q/2\rceil ]\).

  • Then compute \(\gamma _i = \mathbf{t}_i\widehat{{\mathbf {C}}}^{(i)}\widehat{{\mathbf {G}}}^{-1}(\widehat{{\mathbf {w}}}^T) \in \mathbb {Z}_q\) and output \(p_i = \gamma _i + e^{sm}_{i}\in \mathbb {Z}_q\) where Open image in new window is some random “smudging noise” where \(B^{dec}_{smdg}=2^{d{\lambda }\log {\lambda }}B_{\chi }\).

  • \(\mathsf {MFHE}.\mathsf {FinDec}(p_1,\ldots ,p_N)\): Given \(p_1,\ldots ,p_N\), compute the sum \(p := \sum _{i=1}^N p_i\). Output \(\mu :=\left| \left\lceil \frac{p}{q/2}\right\rfloor \right| \).

Correctness and Simulation Security

Theorem 3

The above threshold decryption procedures for \(\mathsf {MFHE}\) satisfy correctness and (statistical) simulation security.

Correctness. Here the entire scheme is same as \(\mathsf {MFHE}\) except the decryption. So if \(\widehat{{\mathbf {C}}}\) is an evaluated ciphertext encrypting a bit \(\mu \) and the secret keys are Open image in new window then, by the analysis used for non-threshold correctness, we have
where \(\Vert {\mathbf {e}}\Vert _\infty \le \beta '_{final} = (m^4 +m) B_{\chi }(mN + 1)^d\). Therefore if the partial decryptions \(p_i\) are computed as specified we have:

where \(e^{sm} = \sum _{i \in [N]} e^{sm}_{i} \) has norm \(|e^{sm}| \le N B^{dec}_{smdg}= 2^{O(d{\lambda }\log {\lambda })}B_{\chi }\) and \(e' = {\mathbf {e}}\widehat{{\mathbf {G}}}^{-1}(\widehat{{\mathbf {w}}}^T)\) has norm \(|e'| \le \beta '_{final} mN = 2^{O(d \log {\lambda })} B_{\chi }\). Since \(q = 2^{\omega (d {\lambda }\log {\lambda })} B_{\chi }\) we have \(|e' + e^{sm}| < q/4\) and correctness holds.

Simulatability: The simulator \(\mathcal{S}^{thr}(\mu ,\widehat{{\mathbf {C}}},i,\{\mathbf{t}_j\}_{j\in [N]\setminus \{i\}})\), on input the secrets keys \(\{\mathbf{t}_j\}_{j\ne i}\) the evaluated ciphertext \(\widehat{{\mathbf {C}}}\in \mathbb {Z}_q^{nN\times mN}\) and the output value \(\mu = \mathcal {C}(\mu _1,\ldots ,\mu _\ell )\) encrypted in \(\widehat{{\mathbf {C}}}\) outputs the simulated partial decryption:for Open image in new window where \(\gamma _j = \mathbf{t}_j\widehat{{\mathbf {C}}}^{(j)}\widehat{{\mathbf {G}}}^{-1}(\widehat{{\mathbf {w}}}^T)\).
To see the indistinguishability note that, by the same calculation as used to argue correctness, we know that \(\sum _{j \in [N]}\gamma _j = \mu \lceil q/2\rceil + e'\) where \(|e'| \le \beta '_{final} mN = 2^{O(d \log {\lambda })} B_{\chi }\). Therefore if \(p_i = \gamma _i + e^{sm}_i\) is the real partial decryption thenThe difference between the real value \(p_i\) and the simulated value \(p'_i\) is the noise \(e'\) of norm \(|e'| = 2^{O(d \log {\lambda })} B_{\chi }\). But by the smudging Lemma 2, the distributions of \(e^{sm}_i\) and \(e^{sm}_i + e'\) are statistically close since Open image in new window where \(B^{dec}_{smdg}=2^{d{\lambda }\log {\lambda }}B_{\chi }\) so that \(B^{dec}_{smdg}/|e'| \ge 2^{{\lambda }}\). Therefore the simulated partial decryption and the real one are statistically indistinguishable.

5.5 Bootstrapping

Note that the above MFHE scheme is leveled i.e., it depends on the multiplicative depth of the circuit to be computed. However, this dependency can be avoided easily by boot-strapping and assuming circular security. We briefly describe the straightforward procedure and omit the details.

During key generation, each party i chooses a key pair \((sk_i,pk_i)\) and uses the MFHE scheme to encrypt the secret key \(sk_i\) under \(pk_i\) bit-by-bit.7 It appends these encryptions to the public key. Later, given a sequence of public keys \(\{pk_1,\ldots ,pk_N\}\) anyone can create an expanded multi-key encryption of each \(sk_i\) using the MFHE expansion procedure. This allows us to use Gentry’s boot-strapping technique [17] to “refresh” a highly noisy multi-key ciphertext by homomorphically computing the MFHE decryption procedure. Therefore, to compute a circuit of arbitrary depth, we only need to set the parameters of the MFHE scheme so as to be evaluate circuits of some fixed depth \(d+1\) where d is the depth of the MFHE decryption procedure.

Note that, by circular security it is assured that an encryption of a secret key under itself is semantically secure which implies that the semantic security of the above modified MFHE scheme remains intact.

6 Secure MPC via Threshold MFHE

Basic Template. We now present a protocol for general MPC, using any threshold multi-key fully homomorphic scheme. The protocol is based on the template discussed in the introduction which we recall below:
  1. 1.

    Each party individually chooses its own MFHE key pair \((pk_i, sk_i)\), encrypts its input \(x_i\) under \(pk_i\), and broadcasts the resulting ciphertext. At the end of this round, each party can homomorphically compute the desired function f on the received ciphertexts and derive a common multi-key ciphertext which encrypts the output \(y =f(x_1,\ldots ,x_N)\).

  2. 2.

    The parties run a distributed protocol for “threshold decryption” using their secret keys \(sk_i\) to decrypt the multi-key ciphertext and recover the output y in plaintext. In particular each party first generates partial decryptions \(p_i\) from the common (evaluated) ciphertext \(\widehat{c}\) and then broadcasts them. Finally each party, on receiving all those partial decryptions can compute the final decryption y.


Our goal is to prove the security of this protocol (as least in the honest-but-curious setting, as a start). The natural attempt to construct a MPC simulator \(\mathcal{S}\) would be to first use the simulator of threshold decryption, \(\mathcal{S}^{thr}\) to replace the correct partial decryptions \(p_i\) with simulated ones \(p'_i\) and then use semantic security of the encryption to replace each ciphertext (broadcast in the first round) by encryptions of 0.

The Problem. Unfortunately, we notice that the simulatability of the threshold decryption does not suffice when there is more than one honest party. Essentially, our definition of simulation security for threshold decryption only allows us to simulate the partial decryption of a single party at a time while knowing the secret keys of all other parties. We cannot, however, simultaneously simulate the partial decryptions of (even) two honest parties without knowing either of their secret keys.

Solution. Essentially we solve the above problem by two steps. We first show that the “basic” protocol as described above is already secure when there is exactly one honest party. Then, later in Sect. 6.2 we extend the basic protocol to another protocol which can handle any arbitrary number of corruption. The extended protocol additionally requires only pseudorandom functions (PRFs) and thus no new assumptions are used. Combining, we get a protocol which securely realizes any functionality against any arbitrary number of corruptions. Below we provide the basic protocol from any \(\mathsf {MFHE}\) scheme and prove security against exactly \(N-1\) corruptions. Later in Sect. 6.2 we present the extension in detail.

Semi-Malicious Security. Following [3], we will actually prove that the above protocol satisfies something called “semi-malicious” security which is stronger than honest-but-curious. Intuitively, it means that adversarial parties need to follow the protocol specification, but can use arbitrary values for their random coins. In fact, the adversary only needs to decide on the input and the random coins to use for each party in each round at the time that the party sends the first message8. We will then rely on a theorem of [3] showing that one can compile any such protocol which is secure in the semi-malicious setting into one that is secure in the fully malicious setting, without adding any rounds, by using non-interactive zero-knowledge proofs (NIZKs).
Fig. 2.

\(\pi _f\): A basic MPC protocol for f secure against \(N-1\) corruptions

6.1 Protocol Secure Against Exactly \(N-1\) Corruptions

The protocol, given in Fig. 2, realizes general multiparty computation for any polynomial-time deterministic functions f which produces a common output for all parties. It does so with respect to a static semi-malicious attackers corrupting exactly \(N-1\) parties. Formally we prove the following theorem.

Theorem 4

Let f be a poly-time computable deterministic function with N inputs and 1 output. Let \(\mathsf {MFHE}= \left( \mathsf {Setup}, \mathsf{Keygen}, \mathsf {Encrypt}, \mathsf {Expand}, \mathsf {Eval}, \mathsf {PartDec}, \mathsf {FinDec}\right) \) be a multi-key FHE scheme with threshold decryption. Then the protocol \(\pi _f\) described in Fig. 2 UC-realizes the function f against any static semi-malicious adversary corrupting exactly \(N-1\) parties.

Proof: The correctness of the protocol follows in a straightforward way from the correctness of the underlying threshold \(\mathsf {MFHE}\) scheme.

To prove security basically we need to construct an efficient (PPT) simulator \(\mathcal{S}\) for any adversary corrupting exactly \(N-1\) parties. Let \(\mathcal{A}\) be a static semi-malicious adversary and \(P_h\) be the only honest party. The simulator simulates the protocol execution on behalf of the honest party \(P_h\) as follows.

The Simulator. In round-I, the simulator encrypts 0s instead of the real input bits of the honest party \(P_h\). After round-I it gets the inputs and the secret keys of the \(N-1\) corrupt parties from the “witness tape”. It gives these inputs to the ideal functionality and receives the output bits \(y_j\) for each \(j\in [{\ell _{out}}]\). At this point it can also compute the evaluated ciphertexts \(\widehat{c}_j\). Then it computes the simulated partial decryptions for the honest party \(\widetilde{ }^{(j)}_{h}\leftarrow \mathcal{S}^{thr}(y_j,\widehat{c}_j,h,\{sk_i\}_{i\in [N]\setminus \{h\}})\) and broadcast those in round-II instead of correctly computed partial decryptions \(p^{(j)}_{h}\) generated via \(\mathsf {MFHE}.\mathsf {PartDec}(\cdots )\).

Hybrid Games. We now define a series of hybrid games that will be used to prove the indistinguishability of the real and ideal worlds:
$$\begin{aligned} \mathrm{{{\small IDEAL}}}_{\mathcal{F},\mathcal{S},\mathcal {Z}} \mathop {\approx }\limits ^{{\tiny {\mathrm {comp}}}}\mathrm{{{\small REAL}}}_{\pi , \mathcal{A}, \mathcal {Z}} \end{aligned}$$
The output of each game is always just the output of the environment.
  • The game  \({\small REAL}_{\pi ,\mathcal{A},\mathcal {Z}}\) : This is exactly an execution of the protocol \(\pi \) in the real world with environment \(\mathcal {Z}\) and semi-malicious adversary \(\mathcal{A}\).

  • The game \({\small HYB}^{1}_{\pi ,\mathcal{A},\mathcal {Z}}\) : In this game, we modify the real world experiment as follows. Assume (as a mental experiment) that \(P_{h_{}}\) is given the all the secret keys \(\{sk_i\}_{i\in [N]\setminus \{h\}}\) (as written on the “witness tape” of the adversary) after round I. In the second round, instead of broadcasting a correctly generated partial decryptions \(p^{(j)}_{h}\) generated via \(\mathsf {MFHE}.\mathsf {PartDec}(\cdots )\), it broadcasts simulated ones \(\{ \widetilde{ }^{(j)}_{h}\leftarrow \mathcal{S}^{thr}(y_j, \widehat{c}_j,h_1, \{sk_i\}_{i\ne h})\}_{j\in [{\ell _{out}}]}\).

  • The game  \({\small IDEAL}_{\mathcal{F},\mathcal{S},\mathcal {Z}}\) : This is similar to the game \({\small HYB}^{1}_{\pi ,\mathcal{A},\mathcal {Z}}\) except instead of encrypting its real input, \(P_{h_{}}\) now broadcasts encryption of 0s in the first round.

Claim 1

\(\mathrm{{{\small REAL}}}_{\pi ,\mathcal{A},\mathcal {Z}}\mathop {\approx }\limits ^{{\tiny {\mathrm {stat}}}}\mathrm{{{\small HYB}}}^{1}_{\pi ,\mathcal{A},\mathcal {Z}}\)

Proof: Notice that, the only change between those experiments are that, the partial decryption of party \(P_{h_{}}\) is generated through simulator \(\mathcal{S}^{thr}\) instead of correctly using \(\mathsf {MFHE}.\mathsf {PartDec}\). By simulatability of threshold decryption the partial decryptions are statistically indistinguishable hence so are the experiments.     Open image in new window

Claim 2

\(\mathrm{{{\small HYB}}}^{1}_{\pi ,\mathcal{A},\mathcal {Z}}\mathop {\approx }\limits ^{{\tiny {\mathrm {comp}}}}\mathrm{{{\small IDEAL}}}_{\mathcal{F},\mathcal{S},\mathcal {Z}}\)

Proof: The only change between those experiments are in generating encryptions of party \(P_{h_{}}\). By semantic security of the underlying \(\mathsf {MFHE}\) the encryptions are computationally indistinguishable. Hence the experiments are also computationally indistinguishable. Note that here it is possible to use the semantic security as the partial decryptions of \(P_{h_{}}\) in both the experiments are simulated and hence independent of the secret key \(sk_h\).    Open image in new window

This concludes the proof of the theorem.     Open image in new window

6.2 An Extended Protocol for Arbitrary Many Corruptions

In this section we construct an “extended” MPC protocol \(\widehat{\pi }_f\) which securely computes any function f against any semi-malicious adversary that can corrupt any \(t\in [N]\) parties. We do so by relying on the “basic” MPC protocol \(\pi _{f}\) from the previous section, which is secure against a semi-malicious adversary that corrupts exactly \(N-1\) parties. To compute a function f, our extedned protocol simply runs the basic protocol \(\pi _{\widehat{f}}\) on an extended function \(\widehat{f}\) defined as follows.

Definition 5

(Extended function). For any polynomial \({\ell _{in}},{\ell _{out}},N\in \mathbb {N}\) let \(f:\{{\{0,1\}}^{{\ell _{in}}}\}^N\rightarrow {\{0,1\}}^{\ell _{out}}\) be a poly-time computable function and \(\mathsf {PRF}:{\{0,1\}}^{\lambda }\times [N] \rightarrow {\{0,1\}}^{\ell _{in}}\) be a PRF. Then we define an extended function \(\widehat{f}:\{{\{0,1\}}^{{\ell _{in}}}\times \{1,2,3\} \times {\{0,1\}}^{{\lambda }}\}^N\rightarrow {\{0,1\}}^{\ell _{out}}\) which takes as input \((({\mathbf {x}}_1,\mathtt {mode}_1,{\mathbf {z}}_1), \ldots , ({\mathbf {x}}_N,\mathtt {mode}_N,{\mathbf {z}}_N))\) and does the following:
  • If \(\forall ~i\in [N]\), \(\mathtt {mode}_i =1\) then output \(f({\mathbf {x}}_1,\ldots ,{\mathbf {x}}_N)\).

  • If \(\exists ~\text {unique}~i\in [N]\) such that \(\mathtt {mode}_i =2\) then let \(K := {\mathbf {z}}_i\). For all \(j\in [N]\):
    • If \(\mathtt {mode}_j = 3\) then set \({\mathbf {x}}'_j:=\mathsf {PRF}(K,j)\oplus {\mathbf {x}}_j\).

    • Else set \({\mathbf {x}}'_j :={\mathbf {x}}_j\).

    Output \(f({\mathbf {x}}_1',\ldots ,{\mathbf {x}}'_N)\).

  • Otherwise output \(\mathsf {0}^{\ell _{out}}\).

Roughly speaking, the extended function does the same thing as the original function if all the inputs have \(\mathtt {mode}_i=1\). However, if there is one special party with \(\mathtt {mode}_i =2\) then the function uses a PRF key \(K = {\mathbf {z}}_i\) provided by that party to “decrypt” the inputs of all the parties with \(\mathtt {mode}_j = 3\).

We define an “extended protocol” \(\widehat{\pi }_f\) in Fig. 3. It essentially just runs the original basic protocol \(\pi _{\widehat{f}}\) with an extended function \(\widehat{f}\) and appropriately extended inputs.
Fig. 3.

\(\widehat{\pi }_f\): Extended protocol secure against any number of semi-malicious corruptions.

The following theorem states that the extended protocol \(\widehat{\pi }_f\) is secure against any arbitrary number of semi-malicious corruptions. The proof is deferred to the full version [30].

Theorem 5

Let f be a function with N inputs and 1 output. Let \(\mathsf {PRF}:{\{0,1\}}^{\lambda }\times [N] \rightarrow {\{0,1\}}^{\ell _{out}}\) be a PRF. Then, under the LWE assumption, the protocol \(\widehat{\pi }_f\) shown in Fig. 3 UC-realizes f against a static semi-malicious adversary that can corrupt any number of parties.

6.3 Extensions and Applications

Generalized Functionalities. Our protocol (Fig. 2) considers deterministic functionalities where all the parties receive the same output. One can extend that to handle randomized functionalities and individual output in a straightforward manner using known standard techniques just like [4]. We refer to [4] for more details.

Fully Malicious Adversary. Our protocol protects only against semi-malicious adversaries. However, since we are in the CRS model such protocol can be generically converted to one secure against fully-malicious adversary using non-interactive zero-knowledge (NIZK) arguments. For more detail on this again we refer to [4].

Communication Complexity. Although our main focus was on round complexity, we mention that our scheme also achieves essentially optimal communication complexity which is only proportional to the total input size, output size and circuit depth. We can get rid of the reliance on circuit depth by using bootstrapping and relying on circular security: each party would simply send a GSW encryption of its secret key under its public key and then we would perform a boostrapping step after each homomorphic operation to reduce the noise in the ciphertext.

Computation on the Web. Our results also relate to the idea of “computation on the web” [21] where parties can’t interact with each other but can only interact with some central website without further coordination. Using our scheme (or any 2 round protocol) each party needs to log in twice: once to give its ciphertext to the sever and once to give a partial decryption of the output.

7 Conclusions

We have shown how to implement MPC with only two rounds of interaction by relying on the LWE assumption (and NIZKs for malicious security). Several interesting open problems remain. Firstly, is possible to get a 2 round MPC protocol under general assumptions such as the existence of oblivious transfer? Secondly, is it possible to get a protocol that achieves adaptive security? A recent work of [16] does this using indistinguishability obfuscation (iO) but it remains an open problem to do this using more standard assumptions such as LWE. Lastly, it would be interesting to get a 2 round protocol in the honest-but-curious model without a CRS. One way to achieve this would be to a build a threshold multi-key FHE without any common public parameters.


  1. 1.

    We assume a broadcast communication channel and in each round of a protocol all parties broadcast a message to all other parties. Each honest party must broadcast their round i message right away prior to receiving the round i messages of other parties. On the other hand, we assume a “rushing” adversary that can wait to collect the round i messages of all honest parties prior to selecting the round i messages of the corrupted parties.

  2. 2.

    In their non-simultaneous model no broadcast channel is present, that is in a round only one party sends message to another.

  3. 3.

    Throughout this work, we use the term “threshold” to denote distributed schemes where all parties are needed to perform an operation and security is maintained from any incomplete subset of parties.

  4. 4.

    We note that one the main challenges in the work of [3] is to implement the threshold generation of the FHE “evaluation key” which has a complex structure in the FHE schemes of [8, 9]. This could be vastly simplified using a more recent FHE scheme of Gentry-Sahai-Waters [18] which does not require an evaluation key. However, this would still not improve the final round complexity of the MPC construction below 3 rounds.

  5. 5.

    In the actual scheme involving N parties we first expand the single-key ciphertext of each party into a multi-key ciphertext (under the concatenated keys of all the parties) and subsequently perform homomorphic operations on the expanded ciphertexts.

  6. 6.

    The size of q here is bigger than needed for GSW encryption alone in order to support our extensions.

  7. 7.

    We ignore the algebraic structure of the secret key here and assume each element in \(\mathbb {Z}_q\) can be represented as a \(\lceil \log (q)\rceil +1\) binary string.

  8. 8.

    See the full version [30] for a formal definition.


  1. 1.
    Alperin-Sheriff, J., Peikert, C.: Faster bootstrapping with polynomial error. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 297–314. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  2. 2.
    Applebaum, B., Ishai, Y., Kushilevitz, E.: Computationally private randomizing polynomials and their applications. In: IEEE Conference on Computational Complexity, pp. 260–274 (2005)Google Scholar
  3. 3.
    Asharov, G., Jain, A., López-Alt, A., Tromer, E., Vaikuntanathan, V., Wichs, D.: Multiparty computation with low communication, computation and interaction via threshold FHE. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, pp. 483–501. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  4. 4.
    Asharov, G., Jain, A., Wichs, D.: Multiparty computation with low communication, computation and interaction via threshold fhe. Cryptology ePrint Archive, Report 2011/613 2011.
  5. 5.
    Beaver, D., Micali, S., Rogaway, P.: The round complexity of secure protocols (extended abstract). In: STOC, pp. 503–513 (1990)Google Scholar
  6. 6.
    Bendlin, R., Damgård, I.: Threshold decryption and zero-knowledge proofs for lattice-based cryptosystems. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 201–218. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  7. 7.
    Bendlin, R., Damgård, I., Orlandi, C., Zakarias, S.: Semi-homomorphic encryption and multiparty computation. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 169–188. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  8. 8.
    Brakerski, Z., Gentry, C., Vaikuntanathan, V.: Fully homomorphic encryption without bootstrapping. In: ITCS (2012)Google Scholar
  9. 9.
    Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) lwe. In: FOCS (2011)Google Scholar
  10. 10.
    Clear, M., McGoldrick, C.: Multi-identity and multi-key leveled FHE from learning with errors. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 630–656. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  11. 11.
    Cramer, R., Damgård, I.B., Nielsen, J.B.: Multiparty computation from threshold homomorphic encryption. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 280–300. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  12. 12.
    Damgård, I.B., Nielsen, J.B.: Universally composable efficient multiparty computation from threshold homomorphic encryption. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 247–264. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  13. 13.
    Matthew, K.: Franklin and stuart haber: joint encryption and message-efficient secure computation. J. Cryptology 9(4), 217–232 (1996)MathSciNetCrossRefzbMATHGoogle Scholar
  14. 14.
    Garg, S., Gentry, C., Halevi, S., Raykova, M.: Two-round secure MPC from indistinguishability obfuscation. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 74–94. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  15. 15.
    Garg, S., Mukherjee, P., Pandey, O., Polychroniadou, A.: The exact round complexity of secure computation. Manuscript, October 2015Google Scholar
  16. 16.
    Garg, S., Polychroniadou, A.: Two-round adaptively secure MPC from indistinguishability obfuscation. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part II. LNCS, vol. 9015, pp. 614–637. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  17. 17.
    Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC, pp. 169–178 (2009)Google Scholar
  18. 18.
    Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  19. 19.
    Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: STOC, pp. 218–229 (1987)Google Scholar
  20. 20.
    Goyal, V.: Constant round non-malleable protocols using one way functions. In: STOC, pp. 695–704 (2011)Google Scholar
  21. 21.
    Halevi, S., Lindell, Y., Pinkas, B.: Secure computation on the web: computing without simultaneous interaction. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 132–150. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  22. 22.
    Ishai, Y., Kushilevitz, E.: Randomizing polynomials: A new representation with applications to round-efficient secure computation. In: FOCS, pp. 294–304 (2000)Google Scholar
  23. 23.
    Jakobsson, M., Juels, A.: Mix and match: secure function evaluation via ciphertexts. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 162–177. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  24. 24.
    Katz, J., Ostrovsky, R.: Round-optimal secure two-party computation. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 335–354. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  25. 25.
    Katz, J., Ostrovsky, R., Smith, A.: Round Efficiency of Multi-party Computation with a Dishonest Majority. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, pp. 578–595. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  26. 26.
    Lin, H., Pass, R.: Constant-round non-malleable commitments from any one-way function. In: STOC, pp. 705–714 (2011)Google Scholar
  27. 27.
    Lindell, Y.: Parallel coin-tossing and constant-round secure two-party computation. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 171–189. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  28. 28.
    López-Alt, A., Tromer, E., Vaikuntanathan, V.: On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption. In: Karloff, H.J., Pitassi, T. (eds.) Proceedings of the 44th Symposium on Theory of Computing Conference, STOC, New York, NY, USA, 19–22 May 2012, pp. 1219–1234. ACM (2012)Google Scholar
  29. 29.
    Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  30. 30.
    Mukherjee, P., Wichs, D.: Two round multiparty computation via multi-key FHE. Cryptology ePrint Archive, Report 2015/345 (2015).
  31. 31.
    Myers, S., Sergi, M., Shelat, A.: Threshold fully homomorphic encryption and secure computation. In: eprint /454 (2011)Google Scholar
  32. 32.
    Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In: STOC, pp. 333–342 (2009)Google Scholar
  33. 33.
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC, pp. 84–93 (2005)Google Scholar
  34. 34.
    Andrew Chi-Chih Yao: Protocols for secure computations (extended abstract). In: FOCS, pp. 160–164 (1982)Google Scholar
  35. 35.
    Andrew Chi-Chih Yao: How to generate and exchange secrets (extended abstract). In: FOCS, pp. 162–167 (1986)Google Scholar

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  1. 1.University of CaliforniaBerkeleyUSA
  2. 2.Northeastern UniversityBostonUSA

Personalised recommendations