Candidate iO from Homomorphic Encryption Schemes

We propose a new approach to construct general-purpose indistinguishability obfuscation (iO). Our construction is obtained via a new intermediate primitive that we call split fully homomorphic encryption (split FHE), which we show to be sufficient for constructing iO. Specifically, split FHE is FHE where decryption takes the following two-step syntactic form: (i) a secret decryption step that uses the secret key and produces a hint which is (asymptotically) shorter than the length of the encrypted message, and (ii) a public decryption step that only requires the ciphertext and the previously generated hint (and not the entire secret key) and recovers the encrypted message. In terms of security, the hints for a set of ciphertexts should not allow one to violate semantic security for any other ciphertexts. Next, we show a generic candidate construction of split FHE based on three building blocks: (i) A standard FHE scheme with linear decrypt-and-multiply (which can be instantiated with essentially all LWE-based constructions), (ii) a linearly homomorphic encryption scheme with short decryption hints (such as the Damgård-Jurik encryption scheme, based on the DCR problem), and (iii) a cryptographic hash function (which can be based on a variety of standard assumptions). Our approach is heuristic in the sense that our construction is not provably secure and makes implicit assumptions about the interplay between these underlying primitives. We show evidence that this construction is secure by providing an argument in an appropriately defined oracle model. We view our construction as a big departure from the state-of-the-art constructions, and it is in fact quite simple.


Introduction
The goal of program obfuscation is to transform an arbitrary circuit C into an unintelligible but functionally equivalent circuitC. The notion of program obfuscation was first studied by Hada [41] and Barak et al. [10]. However, these works showed that natural notions of obfuscation are impossible to realize for general functionalities. Specifically, Barak et al. [10] defined a very natural notion of security for program obfuscation called virtual black-box (VBB) security, which requires that an obfuscated program does not reveal anything beyond what could be learned from just the input-output behavior of the original program. In the same work, they showed that this notion of program obfuscation is impossible to achieve for arbitrary circuits.
In light of this impossibility result, much of the work on obfuscation focused on realizing obfuscation for special functionalities. However, this changed with the work of Garg et al. [30] that proposed the first candidate indistinguishability obfuscation (iO) construction based on multilinear maps [28]. Furthermore, Garg et al. [30] showed powerful applications of iO to tasks such as functional encryption. Loosely speaking, iO requires that the obfuscations of two circuits C 0 and C 1 that have identical input-output behavior are computationally indistinguishable. Subsequently, significant work on using program obfuscation (e.g., [16,29,62]) has shown that most cryptographic applications of interest can be realized using iO (and one-way functions), or that iO is virtually crypto-complete.
Given its importance, significant effort has been poured into realizing secure obfuscation candidates. The first approach to obfuscation relied on using new candidate constructions of multilinear maps [23,28,35], an algebraic object that significantly expands the structure available for cryptographic constructions. Unfortunately, all multilinear map constructions so far have relied on ad-hoc and new computational intractability assumptions. Furthermore, attacks [22,43] on the multilinear map candidates and attacks [21,58] on several of the multilinear map based iO constructions [9,19,30] were later found. In light of these attacks, follow up works (e.g., [31]) offered constructions that defended against these attacks by giving constructions in the so-called weak multilinear map model [58]. Several of these weak multilinear map model-based iO constructions are still conjectured to be secure; however, the break-and-repair cycle of their development has left cryptographers wary, and rightly so.
Around the time when attacks on multilinear map candidates were at an all-time high, cryptographers started exploring new approaches to iO without using multilinear maps (or reducing their usage). Toward this goal, Bitansky and Vaikunthanathan [15] and Ananth and Jain [4] showed that iO could be realized assuming just functional encryption. In another approach, instead of trying to remove multilinear maps completely, Lin [48] and Lin and Vaikuntanathan [53] attempted to reduce their usage, i.e., they proposed iO constructions using only constant degree multilinear maps. With the goal of ultimately basing iO constructions on standard assumptions on bilinear maps, cryptographers started developing new ideas for realizing iO candidates from smaller constant degree multilinear maps [5,49]. Recently, Lin and Tessaro [51] described a candidate iO construction from degree-L multilinear maps for any L ≥ 2 and additionally assuming PRGs with certain special locality properties. Unfortunately, it was shown the needed PRGs for the case of L = 2 are insecure [8,54]. 1 Thus, still leaving a gap between bilinear maps and iO constructions which could now be based on trilinear maps [52]. Very recent works [1,3,45] (and cryptanalysis [12]) develop new ideas to resolve these problems and realize constructions based on bilinear maps. However, these bilinear mapbased constructions, which are still conjectured to be secure, additionally rely on certain pseudorandom objects with novel security properties. Finally, we note that all the other (perhaps less popular) approaches to iO (e.g., [37]) also start from new computational hardness assumptions.
Given the prior work, it is natural to wonder whether new sources of hardness are necessary for realizing iO candidates. Making progress on this dilemma is the focus of this work.

Our Results
We propose a new approach to construct general-purpose indistinguishability obfuscation. Our approach is heuristic but combines (in a non-standard way) well-known cryptographic building blocks, whose stand-alone security is well-established. In other words, our constructions use well-studied cryptographic primitives in a generic way to realize obfuscation, while still being heuristic in the sense that our constructions are not provably secure and make implicit assumptions about the interplay of the underlying primitives. The primitives we use can themselves be securely realized based on standard assumptions, namely the hardness of the learning with errors (LWE) and the decisional composite residues (DCR) problem. At a high level, our heuristics are similar in flavor to (i) the random oracle heuristic that is often used in cryptographic constructions [13] and (ii) the circular security heuristic that has been widely used in the construction of fully homomorphic encryption schemes (FHE) [34]. Split-FHE The starting point of our work is the fact that iO can provably be based on split FHE, a new primitive that we introduce in this work. A split FHE is an FHE scheme that allows for certain special properties of the decryption algorithm. Specifically, we consider FHE schemes for which the decryption algorithm can be split into two subroutines: • ρ ← PDec(sk, c) : A private procedure that takes the FHE secret key and a ciphertext as input and produces a decryption hint ρ, of size much smaller than the message encrypted in c. • m ← Rec(ρ, c) : A public procedure that takes as input the decryption hint ρ (generated by PDec) and the ciphertext c and recovers the full plaintext.
The security for a split FHE scheme requires that, for all pairs of messages (m 0 , m 1 ) and all circuits C such that C(m 0 ) = C(m 1 ), the encryption of m 0 is computationally indistinguishable from the encryption of m 1 , even given the decryption hint for the ciphertext evaluated on C. We show that split FHE alone suffices to construct exponentially efficient iO [50], which in turn allows us to build fully fledged iO. Concretely, we prove the following theorem.

Technical Overview
In the following we give an informal overview of the techniques we develop in this work and we refer the reader to the technical sections for more precise statements.

Chimeric FHE
Our starting point is the hybrid FHE scheme recently introduced by Brakerski et al. [17], which we recall in the following. The objective of their work is to build an FHE scheme with best possible rate (in an asymptotic sense) by leveraging the fact that most LWE-based FHE schemes admit an efficient linear noisy decryption. Specifically, given an FHE ciphertext c and an LWE secret key (s 1 , . . . , s n ) one can rewrite the decryption operation as a linear function L c (·) such that where e is a B-bounded noise term and ECC is some encoding of the plaintext (in their scheme m is packed in the high-order bits so that it does not interfere with the noise term). The idea then is to encrypt the secret key (s 1 , . . . , s n ) under a (high-rate) linearly homomorphic encryption (LHE) scheme, which allows one to compress evaluated FHE ciphertexts by computing L c (·) homomorphically. One interesting property of this approach is that it is completely parametric in the choice of the schemes, as long as they satisfy some simple structural requirements: More concretely, one can use any LHE scheme as long as its plaintext domain matches the LWE modulus of the FHE scheme. As an example, one can set the LHE to be the Damgård-Jurik encryption scheme [24,59], which we briefly recall in the following. The public key of the scheme consists of a large composite N = pq and an integer ζ , and the encryption algorithm for a message m computes for some uniform ρ ←$ Z N . Note that the corresponding plaintext space is Z N ζ and therefore the rate of the scheme approaches 1 as ζ grows. Furthermore, we observe that the scheme has one additional property that we refer to as split decryption. A scheme has split decryption if the decryption algorithm can be divided into a private and a public subroutine: • The private procedure takes as input a ciphertext c and the secret key φ(N ) and computes a decryption hint ρ = c N −ζ mod N using the extended Euclidean algorithm. It is crucial to observe that ρ ∈ Z N is potentially much smaller than the plaintext m. • The public procedure takes as input a ciphertext c and the decryption hint ρ and recovers the plaintext by computing and decoding m in polynomial time using the binomial theorem.
In a nutshell, the subgroup homomorphism allows one to recompute the randomness, which can be then publicly stretched and used to unmask the plaintext. This means that m can be fully recovered by communicating a small hint of size fixed and, in particular, independent of |m|. As we are going to discuss later, this property is going to be our main leverage to build general-purpose obfuscation.
Temporarily glossing over the security implications, we point out that the hybrid scheme of Brakerski et al. [17] already suffices to construct an FHE scheme with split decryption (in short, split FHE): Simply instantiate the LHE scheme with Damgård-Jurik and convert evaluated FHE ciphertexts before decryption using the algorithm described above.

Security for Split FHE
We now delve into the desired security property for a split FHE scheme. On a high level, we would like to ensure that the decryption hint does not reveal any additional information, beyond the plaintext of the corresponding ciphertext. It is instructive to observe that if we do not insist on this property, then every FHE scheme has a trivial split decryption procedure which simply outputs the secret key. We formalize this intuition as an indistinguishability definition that, roughly speaking, demands that for all plaintext pairs (m 0 , m 1 ) and every set of circuits (C 1 , . . . , C β ) such that C i (m 0 ) = C i (m 1 ), the encryption of m 0 and m 1 are computationally indistinguishable, even given the decryption hints ρ i of the evaluated ciphertexts. The condition C i (m 0 ) = C i (m 1 ) rules out trivial attacks where the distinguisher just checks the output of the evaluation. Here β = β(λ) is an arbitrary (but a priori bounded) polynomial in the security parameter.
Unfortunately, our candidate as described above falls short in satisfying this security notion: The central problem is that our split decryption procedure reveals the complete plaintext encoded in the Damgård-Jurik ciphertexts. This means that the distinguisher learns arbitrarily many relations of the form where c i is the evaluated ciphertext and L c i is a publicly known linear function. Collecting a large enough sample allows the distinguisher to recompute the FHE secret key (s 1 , . . . , s n ) via, e.g., Gaussian elimination. A standard approach to obviate this problem is to smudge the noise e i with some mask r i uniformly sampled from an exponentially larger domain. Thus, a natural solution would be to compute a randomizing ciphertext d i = DJ.Enc(pk DJ , r i ) and output the decryption hint for where r i is sampled from a domain exponentially larger than the noise bound B but small enough to allow one to decode ECC(C i (m b )). While it is possible to show that this approach indeed satisfies the security notion outlined above, it introduces an overhead in the size of the hint, which now consists of the pair (ρ i , d i ). Note that we cannot allow the distinguisher to recompute d i locally as it is crucial that r i remains hidden, so we have no other choice but append it to the decryption hint. However, the decryption hint is now of size O(|c i |), which does not satisfy our compactness requirement and makes our efforts purposeless (one can just set the decryption hint to be C i (m b ) and achieve better efficiency).
Although we appear to have encountered a roadblock, a closer look reveals that we still gained something from this approach: The ciphertext d i encodes a (somewhat small) random value and in particular is completely independent from c i . Furthermore, the decryption hint of c i · d i can be computed using the secret key alone. Assume for the moment that we had access to an oracle Sample that outputs uniform Damgård-Jurik encryption of bounded random values, then our idea is to delegate the sampling of d i to Sample. This allows us to bypass the main obstacle: We do not need to include d i in the decryption hint as it can be recomputed by querying Sample. One can think of this approach as a more structured version of the Fiat-Shamir transform [27], which allows us to state the following theorem. Looking ahead to our end goal, another interpretation of this theorem is as a universality result: Assuming the hardness of LWE and DCR, we can bootstrap an obfuscator for a specific circuit (i.e., the one that samples a uniform Damgård-Jurik encryption of a bounded random value) to an obfuscator for all circuits.

Instantiating the Oracle
The most compelling question which arises from our main theorem is whether there exist plausible instantiations for the oracle Sample. A first (flawed) attempt is to devise an oblivious sampling procedure for Damgård-Jurik ciphertext using a random oracle: Note that Damgård-Jurik ciphertexts live in a dense domain Z N ζ +1 and indeed sampling a random integer c i ←$ Z N ζ +1 maps to a well-formed ciphertext with all but negligible probability. However, since c i is uniform in the ciphertext domain, then so is the underlying plaintext r i ∈ Z N ζ . This makes c i unusable for our purposes since we require r i to be bounded by some valueq, which is exponentially smaller than N ζ . If we were to sample r i this way, then it would completely mask the term ECC(C i (m b )), thus making the plaintext impossible to decode.
Ideally, we would like to restrict the oblivious sampling to ciphertexts encrypting q-bounded messages. Unfortunately, we are not aware of the existence of any such algorithm. Instead, our idea is to still sample c i uniformly over the complete ciphertext domain and remove the high-order bits of r i homomorphically: This can be done by including an FHE encryption of the Damgård-Jurik secret key, then homomorphically evaluating the circuit that decrypts c i and computes − r i /q ·q. The evaluated ciphertext is then converted again to the Damgård-Jurik domain using the linear noisy decryption of the FHE scheme. At this point, one can obtain a well-formed encryption of aq-bounded value by computing DJ.Enc(pk DJ , − r i /q ·q + e) · c i = DJ.Enc(pk DJ , − r i /q ·q + e + r i ) = DJ.Enc(pk DJ , (r i modq) + e) where the term (r i modq) + e isq-bounded with all but negligible probability by settingq B. While this approach brings us tantalizingly close to a provably secure scheme, a careful analysis highlights two lingering conjectures.
(1) Circular Security Adding and FHE encryption of the Damgård-Jurik secret key introduces a circular dependency in the security of the two schemes (recall that our construction already encodes a Damgård-Jurik encryption of the FHE secret key). While circular security falls outside of the realm of provable statements, it is widely accepted as a mild assumption and it is known to be achieved by most natural encryption schemes [11]. We stress that circular security is also inherent in the bootstrapping theorem of Gentry [34], the only known method to construct fully (as opposed to leveled) homomorphic encryption from LWE. (2) Correlations While the homomorphically evaluated circuit essentially ignores the low-order bits of r i , the corresponding decryption noise e might still depend on (r i modq) in some intricate way. This might introduce some correlation and bias the distribution of the term (r i modq) + e with respect to a uniform u ←$ Zq . However, the noise function is typically highly non-linear and therefore appears to be difficult to exploit. We also point out that the distinguisher has no control over the choice of e, which exclusively depends on an honest execution of the homomorphic evaluation algorithm. We therefore conjecture that the distribution of (r i modq) + e is computationally indistinguishable from u.
In light of the above insights, we put forward the conjecture that the proposed algorithm already gives us a secure implementation of the oracle Sample. We view this as a natural strengthening of Gentry's heuristic for the bootstrapping theorem, which is justified by our more ambitious objective. As the conjecture pertains to standard cryptographic material (FHE and Damgård-Jurik encryption), we believe that any further insight on its veracity would substantially improve our understanding on these important and wellstudied building blocks.
Finally, we mention that many heuristics can be used to weaken the correlation between the decryption noise e and the low-order bits (r i modq), such as repeated applications of FHE bootstrapping [26]. We also propose a different heuristic approach to remove correlations based on binary extractors and we refer the reader to the technical sections for further details.

From Split FHE to iO
What is left to be shown is that split FHE does indeed suffice to construct program obfuscation. With this goal in mind, we recall a surprising result by Lin et al. [50] which states that, under the assumption that the LWE problem is sub-exponentially hard, iO for all circuits is implied by an obfuscator for circuits with logarithmic-size inputs with non-trivial efficiency. Here non-trivial efficiency means that the size of the obfuscated circuitC with input domain {0, 1} η is at most poly(λ, |C|) · 2 η·(1−ε) , for some constant > 0. This means that it suffices to show that split FHE implies the existence of an obfuscator (for circuits with polynomial-size input domain) with non-trivial efficiency.
The transformation is deceptively simple (and similar to [14]): The obfuscator computes a split FHE encryption of the circuit C and partitions the input domains in 2 η/2 disjoint sets (P 1 , . . . , P 2 η/2 ) of equal size. Then, for each partition P i , the algorithm homomorphically evaluates the universal circuit that evaluates C on all inputs in P i and returns the concatenation of all outputs. Finally, it returns the decryption hint ρ i corresponding to the evaluated ciphertext. The obfuscated circuit consists of the public-key of the split FHE scheme, the encryption of C, and all of the decryption hints (ρ 1 , . . . , ρ 2 η/2 ). Note that the obfuscated circuit can be evaluated efficiently: On input x, let P x be the partition that contains x, then the evaluator recomputes the homomorphic evaluation (which is a deterministic operation) of C on P x and recovers the output using the decryption hint ρ x . As for non-trivial efficiency, since the size of each decryption hint is that of a fixed polynomial poly(λ), the total size of the obfuscated circuit is bounded by poly(λ, |C|) · 2 η/2 , as desired.

Other Applications
To demonstrate that the scope of our split FHE scheme goes beyond program obfuscation, we outline two additional applications. In both cases we only rely on standard assumptions, i.e., we do not need to introduce any new conjecture. Two-Party Computation with Pre-Processing We obtain a (semi-honest) two-party computation scheme for any circuit C : {0, 1} → {0, 1} k with an input-and circuitindependent pre-processing where the communication complexity of the pre-processing phase is poly(λ, k), whereas the communication complexity of the online phase is poly(λ) + . This improves over garbled circuit-based approaches that require a preprocessing at least linear in |C|. The protocol works as follows: In the pre-processing phase Alice and Bob exchange their (independently sampled) public-keys for a split FHE scheme and Alice computes a randomizing ciphertext (in the scheme defined above this corresponds to a Damgård-Jurik encryption of a bounded random value), which is sent to Bob. In the online phase, Alice and Bob exchange their inputs encrypted under their own public keys (to achieve best-possible rate this can be done using hybrid encryption) and homomorphically compute the multi-key evaluation of f over both inputs. Note that multi-key evaluation is generically possible for the case of two parties [55]: Given two ciphertexts c A = Enc(pk A , m A ) and c B = Enc(pk B , m B ), Alice can homomorphically evaluate the evaluation procedure of c B and f under pk A and c A , to obtain a "nested" two-key ciphertext Enc(pk A , Enc(pk B , f (m A , m B ))). Then Alice consumes the randomizing ciphertext computed in the pre-processing and sends a partial decryption of the evaluated ciphertext in the form of a decryption hint. Bob can then locally complete the partial decryption using its own secret key and recover the output.

Rate-1 Reusable Garbled Circuits
The work of Goldwasser et al. [39] showed, assuming the hardness of the LWE problem, how to construct reusable garbled circuits where the size of the input encodings is poly(λ, d, · k), where C : {0, 1} → {0, 1} k and d is the depth of C. Using split FHE, we obtain a scheme with rate-1 encodings, i.e., of size poly(λ, d, ) + k. This is done by using their scheme to garble the circuit that computes C homomorphically over the input encrypted under a split FHE scheme and returns the decryption hint of the evaluated ciphertext. This effectively removes the dependency of the underlying reusable garbled circuit on the output size k. However, we also need to include in the input encoding the answer of the Sample oracle (a Damgård-Jurik ciphertext, for the scheme describe above), which reintroduces an additive overhead in k.

Related Work
In the following we discuss more in depth the relation of our approach when compared with recent candidate constructions of iO from lattices and bilinear maps [1,3,45]. Very informally, this line of works leverages weak pseudorandom generators (PRG) to mask the noise of the LWE decryption. However, the output domain of such a PRG is only polynomially large: This is because of the usage of bilinear groups, where the plaintext space is polynomially bounded (decryption requires one to compute a discrete logarithm). This is especially problematic because statistical/computational indistinguishability cannot hold in this regime of parameters. To circumvent this problem, all papers in this line of work assume a strict bound on the distinguisher's success probability (e.g., 0.99) and then rely on amplification techniques. This, however, requires one to construct a weak PRG where the advantage of any PPT distinguisher is non-negligible but at the same time bounded by < 0.99. 2 On the other hand, we rely on the Damgård-Jurik encryption scheme, where the message domain is exponential. This allows us to sample the smudging factor from a distribution that is exponentially larger than the noise bound, which is necessary in order to argue about statistical indistinguishability. Thus, in our settings, conjecturing that the advantage of the distinguisher is negligible is, at least in principle, plausible. Follow-up Works After the publication of this manuscript, a series of follow-up works [18,25,33,63] has shown how to instantiate this approach in a provably secure way, assuming (a strong flavor of) circular security of homomorphic encryption schemes. Such works follow the general blueprint of our construction, but explore different instantiations for the underlying cryptographic building blocks. As an added bonus, they build exclusively on lattice-based cryptosystems and therefore the resulting iO constructions are plausibly post-quantum secure. Subsequently, the hardness of the computational problems stated in [33,63] has been called into question by the work of [42]. They showed explicit counterexamples against their assumptions, thus suggesting a separation between standard circular security and the flavor needed to instantiate their works. However, the counterexamples presented in [42] do not imply an attack against any of the iO schemes. To the best of our knowledge, no attack is currently known against any of the above-mentioned works.
In a parallel line of work, the bilinear groups-based constructions have been subsequently improved by removing the dependence on weak PRGs [32,44]. The culmination of this line of research was a construction of iO from standard assumptions on bilinear groups, LPN over large fields, and the existence of PRG in NC0 [46,47]. In contrast with the "split-FHE approach", the presence of bilinear groups makes such schemes vulnerable to quantum attacks.

Preliminaries
We denote by λ ∈ N the security parameter. We say that a function negl(·) is negligible if it vanishes faster than any polynomial. Given a set S, we denote by s ← $ S the uniform sampling from S. We say that an algorithm is PPT if it can be implemented by a probabilistic machine running in time poly(λ). We abbreviate the set {1, . . . , n} as [n]. Matrices are denoted by M and vectors are denoted by v. We recall the smudging lemma [6,7]. Lemma 1. (Smudging) Let B 1 = B 1 (λ) and B 2 = B 2 (λ) be positive integers and let e 1 ∈ [B 1 ] be a fixed integer. Let e 2 ← $ [B 2 ] chosen uniformly at random. Then the distribution of e 2 is statistically indistinguishable from that of e 2 + e 1 as long as B 1 /B 2 = negl(λ).

Linear Algebra
We will need the following fact from linear algebra over rings, which holds immediately for fields but is non-trivial for the case of rings.

Lemma 2.
Let q be an arbitrary integer modulus and n be an integer. Let t ←$ Z n q be chosen uniformly at random. Now let a ←$ Z n q be distributed uniformly random. Then it holds that In other words, except with probability log(q) · 2 −n over the choice of t the inner product a, t will be distributed uniformly random given that a is uniform.
We provide the proof of Lemma 2 for completeness. The proof assumes some basic notions of algebra which we omit introducing here.
Proof. For a fixed t, a, t will be uniform for a uniform a ←$ Z n q given that the linear form t : Z n q → Z q given by x → x, t has range Z q . To see this, note that by linearity every y ∈ Z q has the same number of preimages under t . Thus, t maps a uniform distribution to a uniform distribution.
We will thus establish that the linear form t : Z n 1 → Z q given by → x, t has range Z q , except with negligible probability over the choice of t ←$ Z n q . This function is not full range, if and only if there exists a non-trivial ideal J ⊆ Z q such that for all i we have t i ∈ J . To see this, note that if all t i ∈ J , then a, t ∈ J and therefore t is not full range. On the other hand, if no such J exists, then we can construct an a * ∈ Z n q via Chinese Remaindering such that a * , t = 1 and therefore t is full range.
Thus, it suffices to show the above property for all maximal ideals in Z q , which are the p s Z q , where the p s are the prime-factors of q. As p s ≥ 2 we can upper-bound the number of maximal ideals in Z q by log(q). Fix a maximal ideal J = pZ q and let t = (t 1 , . . . , t n ) ←$ Z n q be chosen uniformly at random. It holds for a single uniformly Finally, as there are at most log(q) maximal ideals J a union-bound yields Pr[∃J ∀i : t i ∈ J ] ≤ log(q) · 2 −n . We conclude that t has range Z q , except with probability log(q) · 2 −n over the choice of t.

Definition 2.1. ( Indistinguishability Obfuscation)
A PPT machine iO is an indistinguishability obfuscator for a circuit class {C λ } λ∈N if the following conditions are satisfied: (Indistinguishability) For all polynomial-size distinguishers D there exists a negligible function negl(·) such that for all λ ∈ N, all pairs of circuits

Learning with Errors
We recall the (decisional) learning with errors (LWE) problem as introduced by Regev [61].

Definition 2.2. (Learning with Errors)
The LWE problem is parametrized by a modulus q, positive integers n, m and an error distribution χ . The LWE problem is hard if for all polynomial-size distinguishers D there exists a negligible function negl(·) such that for all λ ∈ N it holds that where A is chosen uniformly from Z n×m q , s is chosen uniformly from Z n q , u is chosen uniformly from Z m q and e is chosen from χ m .
As shown in [60,61], for any sufficiently large modulus q the LWE problem where χ is a discrete Gaussian distribution with parameter σ = αq ≥ 2 √ n (i.e. the distribution over Z where the probability of x is proportional to e −π(|x|/σ ) 2 ), is at least as hard as approximating the shortest independent vector problem (SIVP) to within a factor of γ =Õ(n/α) in worst case dimension n lattices. We refer to α = q/σ as the modulus-to-noise ratio, and by the above this quantity controls the hardness of the LWE instantiation. Hereby, LWE with polynomial α is (presumably) harder than LWE with super-polynomial or sub-exponential α. We can truncate the discrete Gaussian distribution χ to σ · ω( log(λ)) while only introducing a negligible error. Consequently, we omit the actual distribution χ but only use the fact that it can be bounded by a (small) value B.

Decisional Composite Residuosity
In the following we recall the decisional composite residuosity (DCR) assumption over Z * N ζ +1 [24,59]. Let N = pq, where p and q are primes, be a uniformly sampled Blum integer and let ζ be a fixed non-negative integer. Observe that the multiplicative group Z * N ζ +1 can be rewritten as the product of the subgroup where p and q are primes, be a uniformly sampled Blum integer and let ζ be a fixed non-negative integer. The DCR problem is hard if for all polynomial-size distinguishers D there exists a negligible function negl(·) such that for all λ ∈ N it holds that

Homomorphic Encryption
We recall the definition of homomorphic encryption in the following.

Definition 3.1. (Homomorphic Encryption)
A homomorphic encryption scheme for a circuit family C consists of the following efficient algorithms.
KeyGen(1 λ ) : On input the security parameter 1 λ , the key generation algorithm returns a key pair (sk, pk). Enc(pk, m) : On input a public key pk and a message m, the encryption algorithm returns a ciphertext c. Eval(pk, C, (c 1 , . . . , c )) : On input the public key pk, an -inputs circuit C∈ C, and a vector of ciphertexts (c 1 , . . . , c ), the evaluation algorithm returns an evaluated ciphertext c. Dec(sk, c) : On input the secret key sk and a ciphertext c, the decryption algorithm returns a message m.
We say that a scheme is fully homomorphic (FHE) if it is homomorphic for all (unbounded) polynomial-size circuits. If the maximum size of the circuit that can be evaluated is bounded in the public parameters, then we call such a scheme a leveled FHE. We also consider a restricted class of homomorphism that supports linear functions and we refer to such a scheme as linearly homomorphic encryption (LHE). We characterize correctness of a single evaluation, which suffices for our purposes. This can be extended to the more general notion of multi-hop correctness [36] if the condition specified below is required to hold for arbitrary compositions of circuits. all (sk, pk) in the support of KeyGen(1 λ ), and all c i in the support of Enc(pk, m i ) it holds that Pr Dec(sk, Eval(pk, C, (c 1 , . . . , c ))) = C(m 1 , . . . , m ) = 1.
We require a scheme to be compact in the sense that the size of the ciphertext should not grow with the size of the evaluated circuit. We define a weak notion of security (implied by the standard semantic security [40]) which is going to be more convenient to work with. where (sk, pk) ← KeyGen(1 λ ).

Linear Decrypt-and-Multiply
We consider schemes with a fine-grained correctness property. Specifically, we require that the decryption consists of the application of a linear function in the secret key, followed by some publicly computable function. Furthermore, we require that such a procedure allows us to specify an arbitrary constant ω that is multiplied to the resulting plaintext. We refer to such schemes as linear decrypt-and-multiply schemes. This property was introduced in an oral presentation by Micciancio [57] and recently formalized by Brakerski et al. [17]. We stress that all major candidate FHE constructions satisfy (or can be adapted to) such a constraint, e.g., [2,20,38]. We recall the definition in the following. In an abuse of notation, we often write KeyGen(1 λ ; q) to fix the modulus q in the key generation algorithm.  (m 1 , . . . , m ), all c i in the support of Enc(pk, m i ) and every ω ∈ Z q that Dec&Mult(sk, Eval(pk, C, (c 1 , . . . , c )), ω) = ω · C(m 1 , . . . , m ) + e mod q where Dec&Mult is a linear function in sk over Z q and |e| ≤ B with all but negligible probability.
In our construction, we will need some additional structure for the modulus q. Fortunately, most LWE-based FHE schemes can be instantiated with an arbitrary q that does not depend on any secret input but only on the security parameter. Moreover, LWEbased FHE schemes can be instantiated with any (sufficiently large) modulus q without affecting the worst-case hardness of the underlying LWE problem [60]. In favor of a simpler analysis, we assume that e is always non-negative. Note that this is without loss of generality as it can be always guaranteed by adding B to the result of Dec&Mult and setting a slightly looser bound B = 2B.

Split Decryption
We define the notion of homomorphic encryption with split decryption, which is going to be central in our work. Loosely speaking, a scheme has split decryption if the decryption algorithm consists of two subroutines: A private algorithm (that depends on the secret key) that on input a ciphertext c computes a small hint ρ, and a publicly computable algorithm that takes as input ρ and c and returns the corresponding plaintext. We henceforth refer to such schemes as split homomorphic encryption. We introduce the syntax in the following. where c = Eval(pk, C, (c 1 , . . . , c )).
Beyond the standard compactness for homomorphic encryption, a scheme with split decryption must satisfy the additional property that the size of the decryption hint ρ is independent (or, more generally, sublinear) of the size of the message. Furthermore, the size of the public key and of a fresh encryption of a message m should depend polynomially on the security parameter (and on the length of m) and otherwise be linear in the size of the output. These are the properties that make split decryption non-trivial and that are going to be our main leverage to bootstrap this primitive into a more powerful machinery. We formally characterize these requirements below. where ρ = PDec(sk, Eval(pk, C, (c 1 , . . . , c ))).
Finally the notion of semantic security for split schemes requires that the decryption hint ρ for a certain ciphertext does not reveal any information beyond the corresponding plaintext. Note that we define a very weak notion where the above must hold only for a bounded number of ciphertexts, and the inputs are fixed prior to the public parameters of the scheme.  (1,0) , . . . , ρ (β,0) ) − Pr 1 = D(pk, c 1 , ρ (1,1) , . . . , ρ (β,1) We also present the stronger definition of simulation security for decryption hints, which requires the existence of a simulator that can compute the decryption hint without the knowledge of the secret key. It appears challenging to achieve this notion in the standard model, for the simple reason that the size of the hint is smaller than the size of the message that we want to simulate. Nevertheless, we show that this notion is useful as it may be achievable in the presence of a (programmable) oracle. where ≡ denotes the equivalence of the two distributions.

Damgård-Jurik Encryption
In the following we recall a variant of the Damgård-Jurik encryption linearly homomorphic encryption scheme [24]. We present a variant of the scheme that satisfies the notion of split correctness, which is going to be instrumental for our purposes. The scheme is parametrized by a non-negative integer ζ that we assume is given as input to all algorithms.
and recover m using the polynomial-time algorithm described in [24].
It is well known that the scheme satisfies (standard) semantic security assuming the intractability of the decisional composite residuosity (DCR) problem. To prove correct-ness, we are going to use the fact that for all non-negative integers (x, ζ ). We refer the reader to [56] for a proof of this equality.
Recall that c = r N ζ · (1 + N ) m and that Therefore, we have that by an application of Equation (1). Taking the inverse on both sides of the equation above we obtain as desired for correctness. Although such a scheme does not immediately give us a secure split LHE, we highlight a few salient properties that we are going to leverage in our main constructions. Split Compactness The hint ρ ∈ Z N consists of log(N ) bits and in particular is independent of the size of the message space Z N ζ , as the integer ζ can be set to be arbitrarily large (within the range of polynomials in λ). Simulatable Hints Given a ciphertext c and a plaintext value m, the simulator can efficiently compute a ciphertextc such that the homomorphic sum of c andc results in a uniform encryption of m and the corresponding decryption hint can be computed given only the random coins used to generatec. Concretely, let for some r ←$ Z N . It follows, that for ciphertexts of the form c ·c (looking ahead,c will be the output of an oracle), we can define the output of the simulator to be ρ = r . The message can be then recovered using the DJ.Rec algorithm as described above. Dense Ciphertexts Sampling a random integer in Z N ζ +1 gives a well-formed ciphertext with all but negligible probability. This is because the group order ϕ(N ) · N ζ is close to

Split Fully Homomorphic Encryption
In the following we present our construction for FHE with split decryption. We first present a generic construction in the presence of (a structured version of) a random oracle, then we propose concrete instantiations for the building blocks and plausible candidates for the implementation of the oracle.

Generic Construction
Our scheme assumes the existence of the following primitives: If the underlying FHE scheme is leveled then so is going to be the resulting split FHE. Conversely, if the FHE scheme supports the evaluation of unbounded circuits, then so does the resulting split FHE construction. The scheme is described below, assuming that the Eval algorithm has oracle access to the Sample interface.
Eval Sample (pk, C, (c 1 , . . . , c )) : On input a circuit C with bits of input and k bits of output and a vector of ciphertexts (c 1 , . . . , c ), let, for all j ∈ [k], C j be the circuit that returns the j-th bit of the output of C, then compute d j ← FHE.Eval(pk FHE , C j , (c 1 , . . . , c )).
What is left to be shown is the exact specification of the oracle Sample(pk, x), which we describe in the following. The oracle is accessible by all parties and it is stateful: on input the same x, the oracle will always return the same output. The oracle is parametrized by an integerq, which we are going to define later.
We formally analyze our scheme in the following. During the analysis, we set the parameters on demand and we show afterward that our choices lead to a satisfiable set of constraints for which the underlying computational problems are still conjectured to be hard. The following theorem establishes correctness.
For the a variable we have that a = LHE.Enc(pk LHE , r ), for some uniform r ←$ Zq , by definition of the oracle Sample. Thus, by the correctness of the LHE scheme. Note that the sumẽ is bounded from above by k · B, whereas the term r is trivially bounded from above byq. This implies that the output of the circuit is encoded in the higher order bits ofm with probability 1, for a large enough q.
We then argue about the split security of the scheme. We remark that we analyze security in the presence of an oracle and we refer the reader to Sect. 4 C i , c).
The i-th hybrid H i is defined to be identical to H i−1 , except that the oracle Sample(pk, ·) on input d (i) is programmed to output a uniformly sampled a such that the resulting c is of the form where ECC is the high-order bits encoding defined in the evaluation algorithm,ẽ is the sum of the decryption noises of the ciphertexts (d (1) , . . . , d (k) ), as defined in the evaluation algorithm, and r ←$ Zq . Thenρ i is defined to be the decryption hint of c, computed using the random coins of the simulated a, rather than the secret key. First observe thatẽ is efficiently computable given the secret key of the FHE scheme and thereforeρ i is also computable in polynomial time. It is important to observe that the distribution of c is identical to the previous hybrid and the difference lies only in the wayρ i is computed. Since the LHE scheme has simulatable hints, it follows that the distribution of H i is identical to that of H i−1 and the change described here is only syntactical. That is, Hybrids H β+1 . . . H 2β : The (β + i)-th hybrid is defined to be identical to the previous ones except that the a variable corresponding to the i-th call in the evaluation algorithm is programmed such that c = LHE.Enc pk LHE , ECC(C i (m b )) +r .
I.e., the noise termẽ is omitted from the computation. Concretely, a is computed as where d is defined as in the Eval algorithm and the denominator is uniformly sampled. Thus, the only difference with respect to the previous hybrid is whether the noise termẽ is included in the ciphertext or not. Sinceẽ is bounded from above by k · B andq ≥ 2 λ ·k · B, by Lemma 1 the distribution induced by this hybrid is statistically indistinguishable from that of the previous one. Hybrids H 2β+1 . . . H 2β+n : The (2β + i)-th hybrid is defined as the previous one, except that the ciphertext c (LHE,i) in the public parameters is computed as the encryption of 0. Note that the secret key of the LHE scheme is no longer used in the computation of (ρ 1 , . . . ,ρ β ) and therefore indistinguishability follows from an invocation of the semantic security of the LHE scheme. Specifically, the following distributions are computationally indistinguishable LHE.Enc(pk LHE , 0), . . . , LHE.Enc(pk LHE , 0), LHE.Enc(pk LHE , s i ), LHE.Enc(pk LHE , s i+1 ), . . . , LHE.Enc(pk LHE , s n ) ≈ LHE.Enc(pk LHE , 0), . . . , LHE.Enc(pk LHE , 0), LHE.Enc(pk LHE , 0), LHE.Enc(pk LHE , s i+1 ), . . . , LHE.Enc(pk LHE , s n ) .
Observe that the secret key of the FHE scheme is no longer encoded in the public parameters and is not needed to compute (ρ 1 , . . . ,ρ β ) either. It follows that any advantage that the adversary has in distinguishing H (0) 3β+n from H (1) 3β+n cannot be greater than the advantage in distinguishing FHE.Enc(pk FHE , m 0 ) from FHE.Enc(pk FHE , m 1 ). Thus, computational indistinguishability follows from an invocation of the semantic security of the FHE scheme. This concludes our proof.

Instantiating the Oracle
To complete the description of our scheme, we discuss a few candidate instantiations for the oracle Sample. We require the underlying LHE scheme to have a dense ciphertext domain (which is the case for the Damgård-Jurik encryption scheme). Both of our proposals require to augment the public key of the scheme with an FHE encryption of the LHE secret key c FHE ← FHE.Enc(pk FHE , sk LHE ) and introduce new circularity assumptions between the FHE and the LHE schemes.
An alternate way to think of the oracle in Theorem 4.2 is to see it as an obfuscation for a special program, which is sufficient for realizing split FHE. The candidate constructions that we provide below can be seen as a natural and simple obfuscation of this special program.

A Simple Candidate
Let C be the ciphertext domain of LHE. Throughout the following description, we fix the random coins of the algorithm (whenever needed) by drawing them from the evaluation of a cryptographic hash function Hash over the input. The intuition for our candidate is very simple: We sample an LHE ciphertext sampled using a random oracle (which is the reason why we need dense ciphertexts) and then we cancel out the high-order bits of the underlying plaintext by homomorphically decrypting the random ciphertext, isolating the chunk of information that we are interested in, and finally key-switching into the LHE scheme. The formal description is elaborated below.
Observe that y is an element in the ciphertext domain of LHE and it is of the form y = LHE.Enc(pk LHE , m), for some m ∈ Z q , since LHE has a dense ciphertext domain. Where m mod q is distributed uniformly over Zq except for the event where m ∈ {q −(q modq), . . . , q}, which happens only with negligible probability. It follows that the output of the oracle is syntactically well formed. However, a closer look to the oracle instantiation reveals two lingering assumptions.
(1) Circular Security The addition of c FHE = FHE.Enc(pk FHE , sk LHE ) introduces a circular dependency in the security of the LHE and FHE schemes (recall that our split FHE construction includes in the public key an encryption of sk FHE under pk LHE ). Circular security is, however, widely considered to be a very mild assumption and currently is the only known approach to construct plain (as opposed to leveled) FHE from LWE via the bootstrapping theorem [34].
(2) Correlations Althoughỹ is an FHE encryption of the correct value, it is not necessarily uniformly distributed, conditioned on y. In particular the randomness of y may depend in some intricate way on the low-order bits of m. For the specific case of LWE-based schemes, the noise term might carry some information about m modq, which could introduce some harmful correlation. However, the noise function is typically highly nonlinear and therefore appears to be difficult to exploit. We also stress that we only consider honest executions of the FHE.Eval algorithm.
While (1) can be regarded as a standard assumption, we view (2) as a natural conjecture which we believe holds true for any natural/known candidate instantiation of the FHE and LHE schemes. In light of these considerations, we conjecture that the implementation as describe above already leads to a secure split FHE scheme.

Toward Removing Correlations
A natural approach toward removing the correlation of the LHE and FHE ciphertexts is that of ciphertext sanitization [26]: One could expect that repeatedly bootstrapping the FHE ciphertext would decorrelate the noise from the companion LHE ciphertext. Unfortunately our settings are different than those typically considered in the literature, in the sense that the sanitization procedure must be carried out by the distinguisher and therefore cannot use private random coins. Although it appears hard to formally analyze the effectiveness of these methods in our settings, we expect that these techniques might (at least heuristically) help to obliterate harmful correlations. In this work we take a different route and we suggest a simple heuristic method to prevent correlations. In a nutshell, the idea is to sample a set of random plaintexts and define the random string as the sum of a uniformly sampled subset S of these plaintext. The key observation is that subset sum is a linear operation and therefore can be performed directly in the LHE scheme, which implies that the leakage of the FHE scheme cannot depend on S. As for the previous construction, our instantiation contains a ciphertext c FHE = FHE.Enc(pk FHE , sk LHE ). The scheme is parametrized by some σ ∈ poly(λ), which defines the size of the set S. In the following description we present the algorithm as randomized, although this simplification can be easily bypassed with standard techniques (e.g., computing the random coins using a cryptographic hash Hash(x)).
• If S i = 0, sample a uniform encryption y i ←$ LHE.Enc(pk LHE , m i ), for a random known m i .
Then computẽ Let h be the following linear function over Z q : To see why the implementation is syntactically correct, observe that which is exactly what we want, except thatm is slightly larger thanq, by a factor of at most σ . This can still be used in our main construction by adjusting the factor ω used in the decrypt-and-multiply procedure accordingly. The intuition why we believe that this variant is secure is that the leakage in the FHE randomness cannot depend on the set S, since the distributions of all y i are statistically close (recall that LHE has dense ciphertexts). Thus, S (which is chosen uniformly) resembles the behavior of a binary extractor on (m i modq). Nevertheless, proving a formal statement remains an interesting open question.

Damgård-Jurik Instantiation
When instantiating the LHE scheme with the Damgård-Jurik encryption scheme (as described in Sect. 3.3) and the FHE scheme with any LWE-based scheme with linear decrypt-and-multiply (e.g., the scheme proposed in [38]) we obtain a split FHE which satisfies the notion of split compactness: The hint ρ is of size N = poly(λ) and in particular is arbitrarily smaller than the size of the plaintext space q = N ζ . For essentially any choice of the LWE-based FHE scheme with modulus q, the size of the public key and fresh ciphertexts depends polynomially in λ and linearly in log(q) = log(N ζ ), which gives us the desired bound. The analysis above sets the following additional constraints: • q ≥ 2 k + 2 log(q+(k+1)B) and •q ≥ 2 λ · (k + 1) · B which are always satisfied for q = N ζ , by setting the integer ζ to be large enough. Note that this choice of parameters fixes the modulus of the FHE with linear decrypt-andmultiply to Z N ζ , which is super-polynomially larger than the noise bound B. Finally, the LWE parameter n is free and can be set to any value for which the corresponding problem (with super-polynomial modulus-to-noise ratio) is conjectured to be hard.

Lattice-Based Instantiation
In the following we describe a split FHE construction based exclusively on LWE. Our scheme assumes the existence of a fully homomorphic encryption scheme FHE = (FHE.KeyGen, FHE.Enc, FHE.Eval, FHE.Dec) with linear decrypt-and-multiply with noise bound B and (for simplicity prime) modulus q. To simplify the exposition, we also assume the existence of a public-key encryption scheme PKE = (PKE.KeyGen, PKE.Enc, PKE.Dec). This is without loss of generality since any FHE scheme is also a public-key encryption scheme. We define the gadget matrix G as and in an abuse of notation we define the (non-linear) bit-decomposition operator as G −1 , since it acts as the inverse of G.
In favor of a simpler exposition, we present a direct construction of FHE with split decryption, instead of instantiating each building block individually. We stress that, in contrast with the instantiation based on the Damgård-Jurik encryption scheme (Sect. 4.3), this scheme does not satisfy the syntactical requirements to apply the generic transformations (described in Sect. 4.2) to lift the scheme to the plain model. Nevertheless, such a scheme is still useful a building block to construct rate-1 reusable garbled circuits (Sect. 6).
The sampling oracle is defined below. For simplicity we describe the oracle as randomized and we implement the deterministic variant by fixing the random coins using, e.g., a hash function.
Sample(pk, x) : On input a string x ∈ {0, 1} * sample a uniform t ←$ Z n q and compute encryption c τ ← PKE.Enc(pk PKE , t). Let where MSB returns the most significant bit of each element of the input vector. Return (τ, c τ ).
The correctness of the scheme follows since + (s 1 , . . . , s n with all but negligible probability over the random choice of t. To establish this, we need to show that equality (4) holds, except with negligible probability over the choice of t and A.
Observe that ẽ + e ∞ ≤ B · (n · k · log(q) + 1). For a given z ∈ Z q say that z is bad if |z − q/4| < B · (n · k · log(q) + 1) or |z + q/4| < B · (n · k · log(q) + 1). By choosing q sufficiently large, e.g. by q/4 > 2 λ · B · (n · k · log(q) + 1), we get that the probability that a uniformly random z ←$ Z q is bad is negligible. Further say that a vector z ∈ Z k q is bad if any of its components is bad. By Lemma 2 we can fix a t ∈ Z n q such if a ←$ Z n q is chosen uniformly random, then a, t is distributed uniformly random, as a uniformly random t ∈ Z n q has this property except with probability log(q)·2 −n . Let a i , . . . , a k be the rows of A.
It is not hard to see that the distribution induced by this hybrid is computationally indistinguishable from the previous one, by a reduction against the semantic security of PKE. Hybrid H β+1 : This hybrid is defined to be exactly as the previous one except that the element B is chosen uniformly over Z k×nk log(q) q . Indistinguishability follows from a standard hybrid argument against the LWE assumption. Note that the above prove implicitly defines a simulator (in the Sample-hybrid model) for decryption hints: Sample ρ ← $ Z n q and program the corresponding query to the Sample oracle to c τ ← PKE.Enc(pk PKE , 0) and where L c is the linear function defined by the input ciphertext c and m is the message given as input to the simulator. This implies that the scheme as described above satisfies (computational) hint simulatability in the Sample-hybrid model.
Finally, we observe that the scheme satisfies split compactness as the size of the decryption hints is O(n log(q)) = poly(λ) and in particular is independent of the output size k.

Split Fully Homomorphic Encryption Implies Obfuscation
In order to construct fully fledged iO from split FHE, we rely on a theorem from Lin et al. [50], which we recall in the following. Roughly speaking, the theorem states that, under the assumption that the LWE problem is sub-exponentially hard, it suffices to consider circuits with a polynomial-size input domain and obfuscators that output obfuscated circuits of size slightly sublinear in size of the truth table of the circuit. Here P log /poly denotes the class of polynomial-size circuits with inputs of length η = O(log(λ)) and by non-trivial efficiency we mean that the size of the obfuscated circuit is bounded by poly(λ, |C|) · 2 η·(1−ε) , for some constant ε > 0. Note that the above theorem poses no restriction on the runtime of the obfuscator, which can be as large as poly(λ, |C|) · 2 η .
In the following we show how to construct an obfuscator for P log /poly with nontrivial efficiency. We assume only the existence of a (leveled) split FHE scheme sFHE = (KeyGen, Enc, Eval, PDec, Rec). iO(C) : On input the description of a circuit C, sample a pair (sk, pk) ← KeyGen(1 λ ) and compute c ← Enc(pk, C). For all i ∈ 2 η/2 define the universal circuit U i as Then compute c i ← Eval(pk, U i , c) and ρ i ← PDec(sk, c i ). The obfuscated circuit is defined to be pk, c, ρ 1 , . . . , ρ 2 η/2 .
First, we discuss how to evaluate an obfuscated circuit: On input some x ∈ {0, 1} η , parse it as an integer and round it to the nearest multiple of 2 η/2 (let such integer bex) such thatx ≤ x. Then compute cx ← Eval(pk, Ux , c) and m ← Rec(ρx , cx ). Read the output as the (x −x)-th bit of m.

Analysis
Note that the runtime of the obfuscator is dominated by 2 η/2 evaluations of the split FHE ciphertext, where each subroutine homomorphically evaluates the circuit C 2 η/2 -many times. Thus, the total runtime of the obfuscator is in the order of poly(λ, |C|) · 2 η . We now argue that our obfuscator has non trivial efficiency in terms of output size. We analyze the size of each component of the obfuscated circuit: • By the compactness of the split FHE scheme, the public key pk grows linearly with the size of the output domain, i.e., 2 η/2 , and polynomially in the security parameter. • The ciphertext c grows linearly with the size of the encrypted message and, therefore, by the compactness of the split FHE scheme, is bounded by poly(λ, |C|)·2 η/2 . • Each decryption hint ρ i is of size poly(λ), since the underlying split FHE is compact.
It follows that the total size of the obfuscated circuit is bounded from above by poly(λ, |C|) · 2 η/2 . What is left to be shown is that our obfuscator satisfies the notion of indistinguishability obfuscation.

Theorem 5.2. (Indistinguishability Obfuscation)
Let sFHE be a sub-exponentially secure leveled split FHE scheme. Then the scheme as described above is a sub-exponentially secure indistinguishability obfuscator.
Proof. By the perfect correctness of the split FHE scheme it follows that the obfuscated circuit is functionally equivalent to the plain circuit. Indistinguishability follows immediately from the split security of sFHE: If the split FHE is secure against a distinguisher running in sub-exponential time, then so is iO.

Rate-1 Reusable Garbled Circuits
In this section we recall the definition of reusable garbled circuits (rGC) and discuss how to construct a scheme with rate-1 input encodings (in the output length).

Definition
We briefly recall the syntax of garbling schemes as defined by Yao [64]. We define correctness for a garbling scheme. We recall the notion of reusable security from [39], that requires that the encodings of inputs x with respect to a garbled circuit C reveal nothing beyond C(x).

Rate-1 Construction
In the following we present our rGC scheme with rate-1 encodings. We assume the existence of the following building blocks. We stress that the former can be constructed using the schemes presented in Sect. 4.1 and Sect. 4.4, without making any additional assumption. As a main corollary, we obtain that assuming the hardness of the LWE problem is sufficient.
To see why the scheme satisfies correctness, observe that We analyze the security of our scheme in the following theorem. Theorem 6.5. (Reusable Security) Let FHE be a split FHE scheme with simulatable decryption hints and let rGC be a reusably secure garbling scheme. Then the scheme as described above is reusably secure.
Proof. The proof consists the description of an efficient simulator Sim = (Sim 0 , Sim 1 ). The algorithm Sim 0 computes the public-key of the split-FHE scheme honestly and simulates the garbled circuitC using the simulator of the underlying garbling scheme. On the other hand, the algorithm Sim 1 evaluates the FHE ciphertext honestly to obtainc and samples a as dictated by the Sample algorithm. Finally, it computes a simulated decryption hint ρ for the input value C(x) using the simulator provided by the split-FHE scheme and feeds ρ as an input to the simulator of the underlying garbling scheme to obtain an encoding e. The algorithm returns (c, a, e). Indistinguishability follows from a standard hybrid argument over the security of the reusable garbling scheme and by an invocation of the simulatability of the decryption hints of the split FHE scheme.
All is left to be shown is that the scheme has rate-1 encodings (in the output length), by instantiating the garbling scheme with construction of [39]. The input encoding consists of three components: (1) A ciphertextc of the split FHE scheme encrypting the input x, whose size can be bounded by poly(λ, |x|). (2) The answer a to a query to the Sample oracle, whose size is (for the choice of parameters discussed in, e.g., Sect. 4.3) bounded by |y| + poly(λ). (3) The encoding e for the garbling of the circuit . Note that the size of the output of depends only on the security parameter (and in particular is independent of |y|); thus, the size of e can be bounded by poly(λ, d, |x|), where d is the depth of the circuit C.
It follows that the total size of the input encoding is bounded by poly(λ, d, |x|) + |y|.
Funding Open Access funding enabled and organized by Projekt DEAL.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.