Maliciously circuit-private multi-key FHE and MPC based on LWE

In this paper, we construct multi-key homomorphic and fully homomorphic encryption (resp. MKHE and MKFHE) schemes with malicious circuit privacy. Our schemes are based on learning with errors (LWE) besides appropriate circular security assumptions. In contrast, the previous maliciously circuit-private MKFHE scheme by Chongchitmate and Ostrovsky (PKC, 2017) is based on the non-standard decisional small polynomial ratio (DSPR) assumption with a super-polynomial modulus, besides ring learning with errors and circular security assumptions. We note that it was shown by Albrecht et al. (CRYPTO, 2016) that there exists a sub-exponential time attack against this type of DSPR assumption. The main building block of our maliciously circuit-private MKFHE scheme is a (plain) MKFHE scheme by Brakerski et al. (TCC, 2017), and the security of our schemes is proven under the hardness of LWE with sub-exponential modulus-to-noise ratio and circular security assumptions related to the Brakerski et al. scheme. Furthermore, based on our MKFHE schemes, we construct four-round multi-party computation (MPC) protocols with circuit privacy against a semi-honest server and malicious clients in the plain model. The protocols are obtained by combining our schemes with a maliciously sender-private oblivious transfer protocol and a circuit garbling scheme, all of which can be instantiated only assuming LWE.

assumptions for the underlying building blocks). We note that it was shown by Albrecht et al. [1] that there exists a sub-exponential time attack against this type of DSPR assumption. This gives rise to the following natural question:

Can a client-server MPC protocol with (malicious) circuit privacy be obtained from standard assumptions?
The main building block of the protocol in [17] is a MKFHE scheme with circuit privacy against malicious adversaries. This scheme is in turn constructed based on the MKFHE scheme by Lopez-Alt et al. [31], which leads to the dependency on the DSPR assumption, as the scheme from [31] requires this.
In general, a client-server MPC protocol with circuit privacy against malicious clients can be constructed from any maliciously circuit-private MKFHE scheme by combining this with a statistically sender-private oblivious transfer (OT) protocol and information-theoretic randomized encoding [27]. Such an OT protocol exists under standard assumptions, e.g. the LWE-based protocol [9], so the above question can be rephrased as the following question, which was also raised in [17] as an open problem: Can a maliciously circuit-private MKFHE scheme be obtained from standard assumptions?

Our results
In this paper, we answer the above questions in the affirmative, with the only caveat being that appropriate circular security assumptions are additionally required (note that all of the currently known (non-leveled) FHE schemes not based on obfuscation, require circular security assumptions). Concretely, we firstly construct a maliciously circuit-private MKHE 2 scheme for branching programs based on LWE as well as weak circular security of the (plain) MKFHE scheme by Brakerski et al. [15], which is one of the main building blocks of our scheme. Informally, we prove the following theorem: Theorem 1.1 (Informal) Assuming the hardness of LWE with sub-exponential modulus-tonoise ratio (and weak circular security of [15]), there exists a maliciously circuit-private MKHE scheme with distributed setup for branching programs.
Secondly, we show how the obtained scheme can be combined with a plain MKFHE scheme (such as [15]), to obtain a fully homomorphic maliciously circuit-private scheme. To obtain this result, we rely on a somewhat non-standard circular security assumption. We note that a similar assumption is required to show the security of the previous construction of a maliciously circuit-private MKFHE in [17]. (The details of the circular security assumption are discussed in Sect. 4.3.) Informally, we show the following result. Based on either of our MK(F)HE schemes, we can build a four-round MPC protocol with circuit privacy against a semi-honest server and malicious clients in the plain model. All the additional building blocks required for our protocol can be instantiated assuming only LWE, e.g., [6,7,19,24] Yao/BMR paradigm garbled circuit × × e.g., [5,26,30,41] FHE based paradigm multi-key FHE e.g., [31,35] (and this work) and hence, from our circuit-private MKHE scheme for branching programs (Theorem 1.1), we obtain the following:

Theorem 1.3 (Informal)
Assuming the hardness of LWE with sub-exponential modulus-tonoise ratio (and weak circular security of [15]), there exists a four-round client-server MPC protocol for branching programs (NC 1 circuits) with circuit privacy against a malicious adversary corrupting only clients in the plain model.

Theorem 1.4 (Informal) Assuming the existence of a distributed-setup maliciously circuitprivate MKHE scheme for branching programs and a distributed-setup (plain) MKFHE scheme which are jointly circular secure, there exists a four-round client-server MPC protocol with circuit privacy against a malicious adversary corrupting only clients in the plain model.
Comparison with Existing MPC Protocols. We first loosely compare MKFHE-based MPC protocols for circuits with other well-known general paradigms, namely, secret-sharingbased and garbled-circuit-based MPC in Table 1 . 3 4 MPC protocols based on the latter two paradigms generally do not aim at hiding the evaluated circuit. While it is in principle possible to hide the structure of the circuit, as we highlight below in our discussion of a related primitive called private function evaluation (PFE), information regarding the circuit size leaks as the communication complexity depends on this. In contrast, MKFHE-based MPC protocols makes the communication complexity and also client computation independent of the circuit size. We next compare our MPC results among existing MK-FHE based client-server MPC protocols in the plain model in Table 2. We remark that these protocols achieve communication complexity and client computation independent of the circuit being evaluated. The main feature of our protocols is that they can be based on more standard computational assumptions (LWE), while the previous two works [17,31] make use of the non-standard DSPR assumptions. Note that besides the computational assumptions listed, appropriate circular security assumptions are needed in all of the listed schemes. As a trade-off, our protocols require one more round compared to [17]; intuitively, this is due to our design where participating parties have to share individual public parameters used to generate public and secret keys for the underlying maliciously circuit-private MKFHE scheme.

Overview of our constructions
Here, we give an overview of the construction techniques we use to obtain our maliciously circuit-private MK(F)HE schemes. As our basic approach is similar to that of [17], we start by recalling the ideas behind the circuit-private MKFHE construction from [17]. Prior approach to circuit-private MKFHE Chongchitmate and Ostrovsky [17] constructed the first (maliciously) circuit-private MKFHE scheme. The scheme is built on a MKFHE scheme with a special property called private expandability. To homomorphically evaluate a function over ciphertexts, a MKFHE scheme usually transforms an input ciphertext ct i (generated under a single public key pk i ) into a ciphertext ct that relates to all the keys {pk i } i involved in the homomorphic evaluation. Private expandability guarantees that no efficient algorithm can distinguish ct, from an expanded ciphertext ct obtained by expanding a ciphertext ct j under a different public key pk j for any j = i. The authors constructed a privately-expandable scheme from the MKFHE scheme of [31]. The private expansion algorithm of the scheme uses the noise smudging technique of [14,21,25] to remove the dependency on the key pk i under which the original ciphertext ct i is constructed. Private expandability leads to a semi-honest circuit-private MKHE scheme for branching programs by using the technique of [28]. Intuitively, private expandability hides by which key the expanded input was originally encrypted. The semi-honest circuit-private scheme for branching programs is transformed into a maliciously circuit-private scheme by using the maliciously circuit-private single-key FHE scheme of [36] to homomorphically check whether all pk i 's and ct i 's are well-formed.
Finally, a fully homomorphic scheme is obtained by combining the maliciously circuit-private scheme with a normal MKFHE scheme with decryption in NC 1 . It should be noted that all of the above schemes [17] (and technique of [36]) are in the plain model. Privately-expandable MKFHE with distributed setup The definitions and constructions in [17] crucially rely on the use of a setup-free MKFHE scheme to obtain a scheme in the plain model. This eventually leads to their instantiation being based on the non-standard DSPR assumption (via [31]). We take a different approach. Specifically, we construct a maliciously circuit-private MKFHE scheme with distributed setup, in which every party P i independently generates a public parameter pp i , and {pp i } i are used to generate keys and ciphertexts. This will allow us to obtain a scheme based on standard assumptions, without having to introduce a common reference string (CRS) or trusted setup. The concept of a distributed setup for a MKFHE scheme is not new, and Brakerski, Halevi, and Polychroniadou [15] proposed a scheme with this property for the purpose of obtaining a four-round secure MPC protocol in the plain model. Note, however, that the results from [15] cannot be used directly in our approach, as the concept of private expandability was not considered in [15]. To address this, we firstly introduce a generalization of private expandability to MKFHE with distributed setup, in which the ciphertext expansion algorithm Expand takes as input {pp i } i generated by the P i 's. We then proceed to prove that the scheme of [15] can in fact be extended to yield a scheme providing our notion of private expandability. To prove this, we use the noise smudging technique, which incurs the sub-exponential modulus-to-noise ratio in the LWE assumption. As a result, we obtain a privately-expandable MKFHE scheme based on LWE without having to introduce a CRS or trusted setup. Achieving malicious circuit privacy. To obtain a maliciously circuit-private MKFHE scheme, we extend the approach taken by [17] to our setting. Specifically, we firstly define malicious circuit privacy for MK(F)HE with distributed setup, in which {pp i } i generated in the distributed setup are given to the homomorphic evaluation algorithm. We then construct a maliciously circuit-private scheme using a privately-expandable MKFHE scheme with distributed setup. More precisely, private expandability allows us to construct a semihonest circuit-private MKHE for branching programs in a similar way to [17,28]. To achieve malicious circuit privacy, we use an additional (maliciously) circuit-private single-key FHE scheme to homomorphically check whether inputs to the homomorphic evaluation algorithm are well-formed. Note that for this to work, it must be possible for the evaluation algorithm to check the validity of the public parameters generated by the distributed setup procedure (without access to the randomness used to generate these). However, for our particular privately-expandable MKFHE scheme, all values pp i are picked uniformly at random from the appropriate domain, and hence we can check the validity of the pp i 's simply via a membership test. Furthermore, similar to [17], the construction requires public keys to contain bit-wise encryptions of private keys of the privately-expandable MKFHE scheme, and hence requires the latter to be weakly circular secure. Lastly, note that the required maliciously circuit-private single-key FHE scheme can be constructed from an information-theoretic randomized encoding scheme, an OT protocol, and a single-key FHE scheme, as shown by Ostrovsky et al. [36]. Since the latter two primitives can be instantiated assuming only LWE [8,9,12], we obtain a maliciously circuit-private scheme for branching programs based on LWE (besides the required circular assumption).
Finally, we construct a fully homomorphic scheme by combining the maliciously circuitprivate scheme for branching programs and a standard MKFHE scheme (such as the fully homomorphic variant of [15] based on LWE). Inputs are encrypted by the standard MKFHE scheme, and homomorphic evaluation is done via the evaluation algorithm of the standard MKFHE scheme, while the validity of the inputs is checked using our maliciously circuitprivate scheme for branching programs. Furthermore, since the key generation and encryption of the MKFHE scheme from [15] are in NC 1 , the maliciously circuit-private scheme for branching programs can homomorphically evaluate these to check whether the inputs to the homomorphic evaluation are generated properly. As a result, we obtain a maliciously circuitprivate MKFHE scheme with distributed setup. We emphasize that, compared to the scheme from [17], the computational assumption required for our scheme is significantly weakened, from the non-standard DSPR assumption to the LWE assumption. MPC protocol with malicious circuit privacy based on LWE. In a similar fashion to [17], we show that we can construct a MPC protocol with malicious circuit privacy based on our circuit-private MKFHE scheme combined with OT secure against malicious receivers and circuit garbling. However, as our scheme has a distributed setup procedure, we need one additional round in our MPC protocol for sharing the public parameters generated by the clients. Note that the observation made in [3,15] is equally valid for our protocol: as the public parameters shared by clients in the first round are just uniformly random strings, the server need not check whether the parameters shared by malicious clients are properly generated. This allows us to obtain a client-server MPC protocol with malicious circuit privacy. We note that the additional building blocks required in our protocol (OT and circuit gabling) are known to exist under LWE [9,41].

Organization
The rest of this paper is organized as follows. Section 2 introduces mathematical preliminaries and definitions of cryptographic primitives for this paper. In Sect. 3, we show how to construct a privately-expandable MKFHE scheme with distributed setup under LWE with sub-exponential modulus-to-noise ratio and the circular security of the underlying MKFHE scheme [15]. In Sect. 4, we first construct a (maliciously) circuit-private MKHE with distributed setup for branching programs from the privately-expandable scheme, and then build up a fully homomorphic scheme via a LWE-based MKFHE scheme with distributed setup. Section 5 shows our four-round MPC protocols based on our MK(F)HE schemes with distributed setup.

Preliminaries
In this section, we review notations, mathematical preliminaries, and definitions for homomorphic encryption. Notations We denote the set of natural numbers, integers, and real numbers by N, Z, and R, . For a countable set S, a $ ← − S denotes that a ∈ S is chosen uniformly at random from S. For a probability distribution P (over some set), [P] denotes the support of P (i.e. {x : Pr[P = x] > 0}), and b $ ← − P denotes that b is sampled according to P. negl(λ) represents an unspecified negligible function. Let X = {X λ } λ∈N and Y = {Y λ } λ∈N be ensembles of random variables, and (X , Y ) be the statistical distance between them. For > 0, we say that the two ensembles of random variables, X and Y , are -close if (X , Y ) ≤ , and X and Y are statistically indistinguishable if they are -close for = negl(λ), and denote it by X ≈ s Y . Also we use X ≈ c Y to mean that X and Y are computationally indistinguishable, i.e., |Pr[D(X λ ) → 1] − Pr[D(Y λ ) → 1]| = negl(λ) for any probabilistic polynomial-time (PPT) Turing machine D. For simplicity, we sometimes abuse notation and write X λ ≈ s Y λ (instead of X ≈ s Y ), and we do the same for ≈ c .
Vectors are in column form and written by bold lower-case letters (e.g., x). The i-th element of the vector x is represented by x i . We denote the ∞ norm (max norm) of the vector x by x . The inner-product of two vectors x and y is written as x, y . We denote matrices as bold capital letters (e.g., X) and the (i, j)-th element of the matrix X is represented by The notation X T ∈ Z n×m represents the transpose of X. For two matrices A ∈ Z m×n 1 and B ∈ Z m×n 2 , [A B] ∈ Z m×(n 1 +n 2 ) is the matrix obtained by concatenating A and B. I n denotes the n × n identity matrix, and 0 n×m denotes the n × m matrix all of whose entries are 0. For any i ∈ [n], u i ∈ {0, 1} n represents the i-th standard basis vector of dimension n.

Gaussian, learning with errors, and gadget matrix
Gaussian For any real σ > 0, a Gaussian function on R n centered around 0 with parameter σ is defined as ρ σ (x) := exp(−π · x 2 /σ 2 ) for all x ∈ R n . The (discrete) Gaussian distribution over Z n of parameter σ , denoted by D σ , is defined to be the distribution with the probability We recall the noise smudging (or so-called noise flooding) lemma. It states that adding a noise according to the Gaussian distribution with parameter superpolynomial in λ vanishes dependence on the original distribution. [14,25]) Let σ > 0 and y ∈ Z be arbitrary. Then, (D σ , D σ + y) ≤ y σ . Learning with errors The learning with errors (LWE) problem was first introduced by Regev [38]. We will base the security of our construction on the hardness of the decisional version of the problem, called the decisional LWE problem. For positive integers n and q ≥ 2, let A s,D be the distribution obtained by choosing a vector a $ ← − Z n q uniformly at random and noise term e $ ← − D, and outputting (a, s T a + e mod q) ∈ Z n q × Z q . The (decisional) LWE problem is to distinguish A s,D where s $ ← − Z n q , from the uniform distribution over Z n q × Z q . The LWE assumption states that this problem is intractable for any PPT algorithm. In this paper, we will use the LWE assumption in which q is superpolynomial in λ, and D is a Gaussian distribution whose samples have norm bounded by some B ∈ N polynomial in λ with overwhelming probability. Gadget matrix Let g T := (1, 2, . . . , 2 log q −1 ) be the vector consisting of the powers of 2. For n ∈ N, we define the special matrix G ∈ Z n×n·( log q ) q (called the gadget matrix) that has the vector g in diagonal and 0 in other elements, namely

Lemma 2.1 (Gaussian Noise Smudging
Let G −1 : Z n q → {0, 1} n·( log q ) be the operation such that G · G −1 (x) = x for any vector x ∈ Z n q . Such operation can be obtained by decomposing every element of the given vector x in binary representation. We will also abuse the notation and allow G −1 to take a matrix M ∈ Z n×k as input, apply G −1 to each column vector of M, and output the (n · ( log q ))by-k matrix consisting of the (horizontal) concatenation of all of the outputs, for any k ∈ N. Then, for a matrix M ∈ Z n×k , it holds that G · G −1 (M) = M.

Branching programs
Here, we recall the definition of branching programs. (The definition here is mostly taken verbatim from [17].) with the following properties: • G is a connected directed acyclic graph. We denote by (v) the set of the child nodes of v ∈ V .
• v 0 is the initial node with indegree 0.
• T ⊆ V is the set of terminal nodes of outdegree 0. Any node in V \T has outdegree 2.
is the edge-labeling function, such that the outgoing edges from each vertex are labeled by different values.
The height of v ∈ V , denoted height(v), is the length of the longest path from v to a node in T . The length of P is the height of v 0 . The width of P is the maximum number of vertices with the same height.
On input x ∈ {0, 1} n , P(x) is defined as follows: Follow the path induced by . Similarly, we also define P v (x) by following the path from any node v ∈ V instead of v 0 .
We say that a branching program By Barrington's theorem [4], all languages in NC 1 can be computed by a poly-sized layered branching program with constant width. Since the decryption circuit of a number of existing LWE-based FHE schemes (e.g., [13,15,23,35]) is in NC 1 , there exists a layered branching program of polynomial length that computes the decryption circuit of such LWE-based FHE schemes.

Single-key homomorphic encryption and its circuit privacy
Here, we recall the definitions for single-key HE.

Definition 2.2 (Single-key Homomorphic Encryption)
A single-key HE scheme SKHE for a class of circuits C consists of the four algorithms (KG, Enc, Dec, Eval) with the following properties: • (Syntax) -(pk, sk) $ ← − KG(1 λ ): This is the key generation algorithm that takes a security parameter 1 λ as input, and outputs a public/secret key pair (pk, sk).
ct $ ← − Enc(pk, x): This is the encryption algorithm that takes a public key pk and a plaintext x ∈ {0, 1} as input, and outputs a ciphertext ct.
ct $ ← − Eval(C, pk, (ct k ) k∈ [n] ) : This is the homomorphic evaluation algorithm that takes a circuit C ∈ C (with domain {0, 1} n ), a public key pk, and n ciphertexts (ct k ) k∈ [n] as input, and outputs an evaluated ciphertext ct. x := Dec(sk, ct): This is the (deterministic) decryption algorithm that takes a secret key sk and an evaluated ciphertext ct as input, and outputs a decryption result x.
• (Semantic Security) Defined in the same way as that for ordinary public-key encryption.
We say that SKHE is weakly circular secure if it remains secure even if bit-wise encryptions of a secret key are attached to a public key. We say that SKHE is fully homomorphic if C is a set of all circuits of polynomial size.
Circuit privacy Here, we recall the formal definition of malicious circuit privacy for singlekey HE [36]. [36]) Let SKHE = (KG, Enc, Eval, Dec) be a single-key HE for a circuit class C. We say that SKHE is maliciously circuit private if there exist an unbounded algorithm Sim (called the simulator) and an unbounded deterministic algorithm Ext (called the extractor) such that for all circuits C ∈ C (with n-bit input), and all possibly malformed public keys pk * and ciphertexts ct * 1 , . . . , ct * n , we have

Definition 2.3 (Malicious Circuit Privacy for Single-Key HE
where x * k := Ext(pk * , ct * k ) for all k ∈ [n].

Oblivious transfer
Here, we recall the definition of a statistically sender-private two-message oblivious transfer (OT) protocol against malicious receivers, which is known to exist under the LWE assumption due to Brakerski and Döttling [9].

Definition 2.4
A two-message OT protocol OT consists of the three algorithms (Q, A, D) with the following properties: This is the receiver's first algorithm that takes a security parameter 1 λ and a selection bit b ∈ {0, 1} as input, and outputs a receiver message q and a secret state st.
a $ ← − A(q, s 0 , s 1 ) : This is the sender's algorithm that takes a receiver message q and two strings s 0 , s 1 as input, and outputs a sender message a. • (Statistical Sender Privacy against Malicious Receivers) There exist possibly computationally unbounded algorithms Ext (called the extractor) and Sim (called the simulator) such that for any receiver message q (which could be outside the image of Q) and inputs (s 0 , s 1 ) with s 0 = s 1 , we have A(q, s 0 , s 1 ) ≈ s Sim(q, s b * ), where b * := Ext(q).

Circuit garbling
Here, we recall the definition of a circuit garbling scheme. In our MPC construction, we will use a projective circuit garbling scheme whose encoding is a list of tokens, one pair for each bit of an input x ∈ {0, 1} n for a circuit being garbled. Such a garbling scheme can be realized from any one-way function, and thus under the LWE assumption.
Definition 2.5 A (projective) circuit garbling scheme GC is a pair of the algorithms (GCircuit, GEval) with the following properties: This is the garbling algorithm that takes a security parameter 1 λ and a circuit C with n-bit input (for some polynomial n = n(λ)) as input, and outputs a garbled circuit G and a set of tokens e = (X 0 : This is the (deterministic) evaluation algorithm that takes a garbled circuit G and n tokens (X i ) i∈ [n] as input, and outputs some value y.
• (Correctness) For any λ, n ∈ N, any n-bit input circuit C, and any x = . • (Security) For any two circuits C 0 , C 1 (with n-bit input) of the same size and any two inputs x 0 = (x 1,0 , . . . , x n,0 ),

Multi-key homomorphic encryption with distributed setup
Here, we recall the definitions for multi-key HE (MKHE) with distributed setup. In this paper, we will treat both MKHE schemes for circuits and for branching programs. Below, we only give the formal definitions for the former since recovering the definitions for the latter is straightforward given those for the former.
In this paper, we will also make use of ordinary single-key HE (without setup). We review the formal definition of this type of HE in Sect. 2.3. [15,17]) An MKHE scheme with distributed setup MKHE for a class of circuits C, consists of the five algorithms MKHE = (dSetup, KG, Enc, Eval, Dec) with the following properties:

Definition 2.6 (Multi-key HE with Distributed Setup, adapted from
This is the distributed setup algorithm that takes a security parameter 1 λ , the maximal number of inputs N (in unary), and an index i ∈ [N ] as input, and outputs the i-th user's public parameter pp i . We require that given i ∈ [N ] and pp, whether pp ∈ [dSetup (1 λ This is the key generation algorithm that takes N public parameters (pp i ) i∈ [N ] and an index i ∈ [N ] as input, and outputs the i-th user's public/secret key pair (pk i , sk i ).
ct $ ← − Enc(pk i , x): This is the encryption algorithm that takes a public key pk i and a plaintext x ∈ {0, 1} as input, and outputs a ciphertext ct. [n] ): This is the homomorphic evaluation algorithm that takes as input a circuit C ∈ C (with domain {0, 1} n ), N public parameters (pp j ) j∈ [N ] , N public keys (pk i ) i∈ [N ] , and n pairs ( and ct k is presumed to be a ciphertext under pk I k . Then, this algorithm outputs an evaluated ciphertext ct.
and an evaluated ciphertext 6 ct as input, and outputs a decryption result x.
• (Correctness) For any N ∈ N, any circuit C ∈ C (with n-bit input), any indices , and any bits x 1 , . . . , x n ∈ {0, 1}, the following holds: • (Semantic Security) For any PPT adversary A, we have 1} is the following experiment run between the challenger and the (rushing) adversary A (namely, A generates corrupted public parameters after seeing an honest public parameter): 1. A chooses the maximal number of inputs N and the challenge index i ∈ [N ], and sends them to the challenger.

The challenger returns public parameters pp
, i) and sends pk i to A. 5. A sends the challenge plaintexts x 0 , x 1 to the challenger.

The challenger returns the challenge ciphertext ct
We say that MKHE is weakly circular secure if it remains secure even if bit-wise encryptions of the secret key sk i are attached to the public key pk i . We say that MKHE is fully homomorphic (and call it multi-key fully homomorphic encryption (MKFHE)) if C is a set of all circuits of polynomial size. We say that MKHE is compact if there exists a polynomial p such that | ct| < p(λ, N ), which is independent of C and n.
To ease notation, for an MKHE scheme with distributed setup, we will often write pp, pk, and sk to mean N public parameters (pp j ) j∈ [N ] , N public keys (pk j ) j∈ [N ] , and N secret keys (sk j ) j∈[N ] , respectively. (N will always be clear from the context.) Bootstrapping Gentry's bootstrapping theorem [22] provides a way to extend the class of functions a HE scheme supports from a limited class to an unlimited class. This involves homomorphic evaluation of so-called the augmented decryption function. Here we recall its multi-key variant.

Definition 2.7 (Multi-key Augmented Decryption Function)
Let MKHE = (dSetup, KG, Enc, Eval, Dec) be an MKHE scheme (for some circuit class). For hardwired values ct, ct , the multi-key augmented decryption function h ct, ct is defined by That is, the function h ct, ct interprets its input as N secret keys (sk j ) j∈ [N ] , decrypts the hardwired ciphertexts ct and ct , and returns the NAND of the results.
López-Alt et al. [31] showed a multi-key analogue of the bootstrapping theorem, which states that if an MKHE scheme supports homomorphic evaluation of circuits that can compute the multi-key augmented decryption function, and is furthermore (weakly) circular secure, then the scheme can be turned into a fully homomorphic one.

Privately expandable MKHE with distributed setup
In this section, we present an LWE-based MKFHE scheme with distributed setup, which additionally satisfies the privacy notion of private expandability. Specifically, we firstly extend the definition of private expandability for MKHE by [17] to schemes with a distributed setup, and then show that the MKFHE scheme with distributed setup by [15] can be modified to satisfy this notion, by introducing an alternative ciphertext expansion algorithm based on the approach of [17]. This modified scheme will be the main building block for our constructions of maliciously circuit-private MKHE and MKFHE presented in Sect. 4.
This section is organized as follows. In Sect. 3.1, we first formalize private expandability for MKHE with distributed setup. Next, in Sect. 3.2, we recall the MKFHE scheme with distributed setup by Brakerski et al. [15]. Then, in Sect. 3.3, we show how to make it privately expandable. Throughout this section, let N = N (λ) ∈ N be a polynomial denoting the number of users.

Private expandability of MKHE with distributed setup
Here, we define private expandability of MKHE with distributed setup, extending the original definition by [17]. For ease of exposition, we firstly introduce plain (possibly non-private) expandability, and then proceed to define private expandability.

Definition 3.1 (Expandability)
A MKHE scheme with distributed setup (dSetup, KG, Enc, Eval, Dec) for a circuit class C is expandable if there exist two algorithms (Expand, Eval) with the following properties: : This is the expansion algorithm that takes N public parameters pp, N public keys pk, an index i ∈ [N ], and a ciphertext ct as input, and outputs an expanded ciphertext ct.
ct $ ← − Eval(C, pp, pk, ( ct k ) k∈ [n] ): This is the homomorphic evaluation algorithm for expanded ciphertexts. It takes a circuit C ∈ C (with n-bit input), N public parameters pp, N public keys pk, and n expanded ciphertexts ( ct k ) k∈[n] as input 7 , and outputs an evaluated ciphertext ct.
• (Correctness) For any circuit C ∈ C (with n-bit input), any plaintexts x 1 , . . . , x n ∈ {0, 1}, As in [17], for an expandable MKHE scheme with distributed setup, we overload the notation for the algorithms, and replace the evaluation algorithm Eval of the original scheme with Eval. Hence, when we consider a MKHE scheme to consist of the six algorithms (dSetup, KG, Enc, Expand, Eval, Dec), Eval is the homomorphic evaluation algorithm for expanded ciphertexts (corresponding to Eval above).

Definition 3.2 (Private Expandability)
Let MKHE = (dSetup, KG, Enc, Expand, Eval, Dec) be an expandable MHFE scheme with distributed setup. We say that MKHE is privately expandable if it satisfies the following property: where the statistical indistinguishability is guaranteed only by the random coins of Expand.

LWE-based expandable MKFHE by brakerski et al.
We now present the MKFHE scheme of [15] which we will denote MKHE BHP . Although the original scheme has expandability, how this is supported is only informally sketched in [15]. Below we give a full description of the scheme which explicitly describes the expansion algorithm. The expandable MKFHE scheme MKHE BHP = (dSetup BHP , KG BHP , Enc BHP , Expand BHP , Eval BHP , Dec BHP ) is as follows.  7 Note that Eval does not take indices I k for expanded ciphertexts ct k as input.
This algorithm uses the "linear combination" algorithm LComb described below as a sub-algorithm. Roughly, LComb takes encryptions of the randomness matrix, i.e. (U τ,k ) τ ∈[n],k∈[w] , used to encrypt a message, and some input vector in Z n q as input, and generates an encryption of the multiplication between the randomness matrix and the input vector. This is used to erase junk terms in decryption.
Using LComb, Expand BHP proceeds as follows: For every j ∈ [N ] \ {i}, compute Then, output the expanded ciphertext C ∈ Z N ·m×N ·w q that consists of N 2 submatrices of size m × w, has the input ciphertext C in diagonal, and X j in the (i, j)-th submatrix for j ∈ [N ] \ {i}. More visually, the expanded ciphertext C is of the following form where all the empty submatrices are zero matrices. • Eval BHP (C, pp, pk, ( C k ) k∈ [n] ): This algorithm homomorphically evaluates the given circuit C over input ciphertexts ( C k ) k∈ [n] gate-by-gate (assuming C is described via NAND gates only), and outputs the final result as an evaluated ciphertext ct. To implement the NAND evaluation algorithm NAND, the algorithm makes use of homomorphic addition Add and multiplication Mult algorithms described below.
-Add( C 1 , C 2 ): Homomorphic addition can be just computed by adding the expanded ciphertext matrices: We can see correctness of this homomorphic addition from the condition satisfied for the expanded ciphertexts.
-Mult( C 1 , C 2 ): Homomorphic multiplication is computed by first decomposing the expanded ciphertexts by the gadget inverse function and multiplying it to the normal expanded ciphertext: . Also, correctness of the homomorphic multiplication can be easily checked from the relation between expanded ciphertexts and the concatenation of the involved secret keys.
, compute the expanded bootstrapping keys T j,k := Expand BHP (pp, pk, j, T j,k ). 8 Compute a ciphertext C NAND by evaluating the multi-key augmented decryption function h C 1 , C 2 (in Definition 2.7) on T j,k 's gate-by-gate via Add and Mult. • The above completes the description of MKHE BHP . For completeness, we show the correctness of the above described expansion algorithm Expand BHP , namely, that an expanded ciphertext output from Expand BHP can be correctly decrypted.
We first give the following property of LComb. This is an analogy of [16,Lemma A.3], showing an analogous property of the linear combination algorithm for [35].
The proof is almost the same as the one of [16] except the estimation of noise growth incurred by this algorithm.
Proof of Claim For the above vector t and matrix X, it holds that Therefore we have We now turn to the proof of the correctness of Expand BHP . Let t T := [t T 1 · · · t T N ] ∈ {0, 1} N ·m be the concatenation of the secret keys, ct i = (C, (U j,k ) j∈[n],k∈ [w] ) be output by Enc BHP (pk i , x), and C := Expand BHP (pp, pk, i, ct i ). Then , and noise e j and E i such that e j < nw 2 m B and E i < B with high probability. Thus, it holds that which implies Dec BHP (sk, C) = x.

Making MKHE BHP privately expandable
It is straightforward to see that MKHE BHP is not privately expandable. Specifically, the positions of non-zero submatrices of an expanded ciphertext C output from Expand BHP directly reveal the user index. We now show a special ciphertext expansion algorithm pExpand BHP that can make MKHE BHP privately expandable. The simple idea behind the construction is to hide the zero submatrices in an expanded ciphertext by adding dummy ciphertexts of zero generated by using "larger" noise.
In addition to the algorithms Expand BHP and Add from the original scheme MKHE BHP , pExpand BHP uses two sub-algorithms which we denote by Enc * and Add * . The former algorithm is the same as Enc BHP except that it uses "larger noise", and the latter is just the homomorphic addition algorithm over pre-expanded ciphertexts and is simply implemented by element-wise addition.
The formal description of the algorithms are as follows: and ct * j := Expand BHP (pp, pk, j, ct * j ). Output ct i := j∈[N ] ct * j , where the summation of ct * j 's is realized by Add. Since the algorithm Add * just homomorphically adds fresh ciphertexts of MKHE BHP that corresponds to ciphertexts of the dual scheme of [23], we can easily check that correctness of Add * holds. Hence, the correctness of pExpand BHP can be seen as follows.
. Then, by the correctness of Add and Add * , we have In the following, we show that the output of pExpand BHP hides user indices.  (1 λ , 1 N , j) (1 λ , 1 N , j)], and (pk j , sk j ) ∈ [KG BHP (pp, j)]. Then, for any i ∈ [N ], x ∈ {0, 1}, and ct ∈ [Enc BHP (pk i , x)], we have where the statistical indistinguishability is guaranteed only by the random coins of Enc * .

Proof of the claim
Let D be the distribution of a randomness in Enc * , namely, every element is sampled from D t . Then, by the designs of Enc BHP and Add * , the distribution of the left hand side is identical to Enc * (pk i , x; r +r ) where r $ ← − D and the addition of the randomnesses is just element-wise addition. By Lemma 2.1, the distribution r be defined in the same way as pExpand BHP (pp, pk, i , ct i ) except that ct * i is generated as Enc * (pk i , x) instead of Add * (ct i , Enc * (pk i , 0)). By the above claim, for both i ∈ {i, i }, ct * i generated in pExpand and that in pExpand BHP are statistically indistinguishable, and thus we have pExpand BHP (pp, pk, i , ct i ) ≈ s pExpand (pp, pk, i , x). Hence, to prove the lemma, it is sufficient to show pExpand (pp, pk, i, x) ≈ s pExpand (pp, pk, i , x). To this end, we argue similarly to the proof of [16,Lemma A.5] and show that the distribution of the output of pExpand is identical.
For each i ∈ {i, i }, let ct i be an output of pExpand (pp, pk, i , x). If i = i then clearly ct i and ct i are distributed identically. When i = i , the only difference in the executions of pExpand (pp, pk, i, x) and pExpand (pp, pk, i , x) is in ct * where C i = B i R i + E i + xG in the execution of pExpand for i, and C i = B i R i + E i in the execution for i . For i = i, ct * i has a similar form but C i = B i R i + E i in the former execution, and C i = B i R i + E i + xG in the latter execution. R i and R i are sampled from the same distribution and the same for E i and E i . Furthermore, in both executions, X i, j for each j ∈ [N ] \ {i} is generated according to the same distribution, and the same is true for Therefore, ct * i,i in the two executions of pExpand are distributed identically. This means that the distribution of pExpand (pp, pk, i, x) and that of pExpand (pp, pk, i , x) are identical regardless of i, i ∈ [N ]. This in turn implies pExpand BHP (pp, pk, i, ct i ) ≈ s pExpand BHP (pp, pk, i , ct i ).
We summarize the consequence of the above lemmas.

Maliciously circuit-private MKHE based on LWE
In this section, we show two constructions of maliciously circuit-private MKHE with distributed setup, one for branching programs, and the other for circuits of all poly-sized circuits (i.e. MKFHE), These constructions are based on the construction methodology of [17]. In Sect. 4.1, we give the formal definition of malicious circuit privacy for MKHE with distributed setup. In Sect. 4.2, we show the first construction: a maliciously circuit-private MKHE scheme with distributed setup for branching programs from the combination of a privately expandable MKFHE scheme with distributed setup and a maliciously circuit-private single-key FHE scheme. In Sect. 4.3, we show how to enhance maliciously circuit-private MKHE with distributed setup for branching program to fully homomorphic one by using a (non-circuit-private) MKFHE scheme as an additional building block. (There, we also explain a somewhat non-standard circular security assumption required to prove the semantic security of this MKFHE construction.) Throughout this section, let N = N (λ) ∈ N be a polynomial denoting the number of users.

Definition
Here we introduce the definition of malicious circuit privacy for MKHE with distributed setup. [17]) Let MKHE = (dSetup, KG, Enc, Eval, Dec) be an MKHE scheme with distributed setup for a class of circuits C. We say MKHE is maliciously circuit-private if there exists an unbounded algorithm Sim (called the simulator) and an unbounded deterministic algorithm Ext (called the extractor) such that for all circuits C ∈ C (with n-bit input), all indices I 1 , . . . , I n ∈ [N ], and all possibly malformed public parameters pp * = (pp * i ) i∈ [N ] , public keys pk * := (pk * i ) i∈ [N ] , and ciphertexts ct * 1 , . . . , ct * n , we have Eval(C, pp * , pk * , (

Scheme for branching programs
We now show how to construct a maliciously circuit-private MKFHE scheme for branching programs. The construction is generic and based on the combination of a privately-expandable MKFHE scheme and a maliciously circuit-private single-key FHE scheme.
The main difference from [17] is that we need to treat public parameters pp generated by the distributed setup appropriately: We have an additional check in the homomorphic evaluation algorithm to make sure the public parameters pp are possible outputs of the distributed setup algorithm of the underlying privately-expandable MKFHE scheme. There is also a technically subtle but important difference in the design of the evaluation algorithm (see the explanation in the footnote of the scheme description). Intuition of our construction In order to achieve malicious circuit-privacy for the homomorphic evaluation algorithm, we need to deal with (possibly) malformed input public keys and ciphertexts. To do this, we use a maliciously circuit-private single-key FHE scheme to homomorphically check whether the inputs are possible output of semi-honest execution of the key generation and encryption algorithm. This guarantees that the input public keys and ciphertexts for the homomorphic evaluation of a branching program are well-formed. Hence, in the following, we consider the semi-honest circuit-private evaluation of a branching program.
To explain the intuition of the circuit-private evaluation, first recall how to compute a branching program. Let P = (G = (V , E), v 0 , T , φ V , φ E ) be a length-branching program over {0, 1} n . To evaluate P on x ∈ {0, 1} n , we follow the path induced by φ V and x from the initial node v 0 to a terminal node in T . As defined in Definition 2.1, P v (x) refers to follow the path from any node v ∈ V , and P v 0 (x) = P(x). Since every node v ∈ V has two child Now, consider homomorphically evaluating P on a ciphertext of x. Suppose that every bit of x is encrypted by MKHE under a different public key, i.e., for i = 1, . . . , n, x i ∈ {0, 1} is encrypted under a public key pk i of MKHE. To homomorphically evaluate P, we need to evaluate P v (x) backward from terminal nodes to v 0 , which results in a ciphertext of for v ( ) = v 0 and v (0) ∈ T be a path to obtain P(x). The evaluation algorithm of our circuit-private MKHE scheme computes a ciphertext of P v (h) (x) (for h = 1, . . . , ) depending on a ciphertext of x i for i = φ V (v (h) ), which is encrypted under pk i . Our simulator for the malicious circuit privacy also computes a ciphertext of P v (h) (x), but independent of pk i . To show indistinguishability between the real evaluation and simulation, we use private expandability of MKHE to make the ciphertext of P v (h) (x) in the real evaluation independent of the encryption key. Building Blocks. We will use the following building blocks.
• Let MKHE PE = (dSetup PE , KG PE , Enc PE , Expand PE , Eval PE , Dec PE ) be a privatelyexpandable MKFHE scheme with distributed setup, for which we also assume weak circular security. We also require that this scheme is additive homomorphic over fresh (pre-expanded) ciphertexts such that for any i ∈ [N ], public parameters pp = (pp j ) j∈[N ] generated by dSetup PE (1 λ , 1 N , i), an honestly generated key pair (pk PE,i , sk PE,i ) ∈ [KG PE (pp, i)], plaintexts x 1 , x 2 ∈ {0, 1}, and randomness r 1 , r 2 for Enc PE , we have Enc PE (pk PE,i , x 1 ; r 1 ) + Enc PE (pk PE,i , x 2 ; r 2 ) = Enc PE (pk PE,i , x 1 + x 2 ; r 1 + r 2 ). (In the following, we will just use "−" to denote the homomorphic subtraction between ciphertexts.) • Let SKHE mCP = (KG mCP , Enc mCP , Eval mCP , Dec mCP ) be a maliciously circuit-private single-key FHE scheme. (see Sect. 2.3 for the formal definitions of single-key HE and malicious circuit privacy for single-key HE.)

Notation and convention
Values with subscript PE (resp. mCP) will denote those related to MKHE PE (resp. SKHE mCP ). We will omit a subscript for pp.
To lighten the notation, we use the convention that Enc PE takes as plaintext input a bitstring x (rather than a single bit), and outputs the concatenation of the bit-wise encryption of x. Also, to easily grasp what is encrypted, we will use the notation [[x]] i to mean bit-wise encryption of a bit-string x under the i-th public key pk PE,i of MKHE PE . (For example, we We will use the same convention for Enc mCP , and use the notation [x] i to denote an encryption of x under the i-th public key pk mCP,i of SKHE mCP . Validation circuit To achieve malicious circuit privacy, the evaluation algorithm Eval BP of our scheme will homomorphically evaluate the following circuit Validate to check whether public/secret keys and ciphertexts input to Eval BP are well-formed, in which case (and only then) it outputs some hardwired value. Validate has the following values hardwired: N , q ∈ N, public parameters pp, an index i ∈ [N ], a public key pk PE , q ciphertexts {ct PE,k } k∈ [q] , and some value out ∈ {0, 1} * . As input, it takes a secret key sk PE and randomness r KG and {r Enc,k } k∈ [q] , and its output is defined as follows 9 : if (pk PE , sk PE ) = KG PE (pp, i; r KG ), and ∀k ∈ [q], ∃x k ∈ {0, 1} : ct PE,k = Enc PE (pk PE , x k ; r Enc,k ) 0 |out| otherwise Construction Using the building blocks MKHE PE and SKHE mCP , and the validation circuit Validate described above, we describe our maliciously circuit-private MKHE scheme with distributed setup for length-branching programs MKHE BP = (dSetup BP , KG BP , Enc BP , Eval BP , Dec BP ) below. (For convenience, a one-page version of the description is given in Figure 1 in page 48.) (1 λ , 1 N , i) (1 λ , 1 N , j)], then output ⊥ and terminate. Otherwise, parse P as a lengthbranching program (G = (V , E), v 0 , T , φ V , φ E ), and suppose its input length is n-bit. Parse each pk j as (pk PE, j , pk mCP, j , [[sk PE, j , . For each 10 v ∈ V \ T for which Label(u 0 ) and Label(u 1 ) with (v) = {u 0 , u 1 } are already defined, do the following:  PE,1 , . . . , a PE,s ). 12 -Compute  (P, pp, pk, (I k , pk k ) k∈ [n] ) and Dec BP (sk, ct). Since all public keys pk and ciphertexts (ct k ) k∈ [n] are honestly generated, the check regarding pk PE, j and {[[x k ]] I k } I k = j in the homomorphic evaluation of Validate done by Eval mCP never fails, and every V mCP, j decrypts to S j . This implies ct PE }, and thus v 0 = v ( ) . Intuitively, Eval BP homomorphically computes the branching program P backwards from the terminal nodes to the initial node: Every layer of the branching program computes P v (h) 13 . This means that

We now inductively show that for every h ∈ [ ], every vertex v (h) at height h satisfies the property that Label(v (h) ) is a bit-wise expanded ciphertexts of P v (h) (x), and thus
Assumption for the induction (case h − 1) : suppose as the assumption for the induction that the case h − 1 is true, i.e. every v (h−1) at height h − 1 satisfies the property that Label(v (h−1) ) is bit-wise expanded ciphertexts of P v (h−1) (x) and we have Case h : let v (h) be an arbitrary vertex at height h, and let (v (h) ) = {v holds. This is true for every vertex at height h, and thus proves the inductive step. Hence, we have Dec PE (sk PE , Label(v )) = Dec PE (sk PE , Label(v 0 )) = P(x), and thus the scheme satisfies correctness.
For the semantic security of MKHE BP , we need to assume MKHE PE is weakly circular secure. Since the proof is straightforward, we only give a proof sketch.

Theorem 4.2 (Security)
If MKHE PE is weakly circular secure and SKHE mCP is semantically secure, then MKHE BP is semantically secure. 13 We here assume that for b ∈ {0, 1}, v

Proof of Sketch
By the semantic security of SKHE mCP , [sk PE,i r KG,i ] i in the challenge public key pk i and [r Enc,i ] in the challenge ciphertext ct i can be replaced by encryptions of unrelated messages of appropriate length without being noticed by an adversary. Then, the weak circular security of MKHE PE guarantees that the information of the challenge message x does not leak from [[x]] i in ct i .
The following theorem guarantees the malicious circuit privacy of MKHE BP . The intuition and notation for the proof of this theorem are given at the beginning of this section (Sect. 4.2).

Theorem 4.3 (Malicious Circuit Privacy) If MKHE PE is privately expandable and SKHE mCP is maliciously circuit-private, then MKHE BP is maliciously circuit private.
Proof Let Ext mCP and Sim mCP be respectively the extractor and simulator that are guaranteed to exist by the malicious circuit privacy of SKHE mCP . We construct an extractor Ext BP and a simulator Sim BP as follows:  (1 λ , 1 N , j)], then output ⊥ and terminate. Otherwise, parse each pk * j as (pk * PE, j , pk * mCP, j , If one of the checks during the computation of V mCP, j was not satisfied, then pick c * $ ← − {0, 1} s 0 , and terminate with output ct * := ( c * , ( V * mCP, j ) j∈ [N ] ). Otherwise (i.e. the checks did not fail), set out 0 := b * , and for h = 1, . . . , , do the following: 14 Set c * := out ⊕ j∈[N ] S j and output ct
Firstly, it immediately follows that holds by the malicious circuit privacy of SKHE mCP . Hence, we have ( c, , where the right hand side is the "hybrid" distribution in which c is generated as in Eval BP and ( V * mCP, j ) j∈ [N ] is generated as in Sim BP . Furthermore, if there exists j ∈ [N ] under which holds, then V * j is independent of S j , and makes c in the hybrid distribution uniformly random and independent of other values, which is exactly how c * in this case is generated. This means that ct ≈ s ct * holds in this case.
We now consider the distributions of c and c * in the remaining case (i.e. the check in Validate is satisfied and it outputs S j for all j ∈ [N ]). In this case, it is guaranteed that every pk * PE, j is a possible output of KG PE (pp * , j), and every [[x k ]] * I k is a possible output of Enc PE (pk * PE, Since at this point [[x * k ]] I k is guaranteed to be a valid encryption of x * k , a PE,t is guaranteed to be a valid encryption of 0 (under pk * PE,I k ). Hence, a PE,t is an expanded ciphertext of 0. Thus, if the t-th bit of out h−1 is equal to 0 = Label(v (h−1) )[t], then by the private expandability of MKHE PE , we have a * PE,t ≈ s a PE,t . Similarly, if the t-th bit of out h−1 is 1, then Sim BP computes a *  Label(v (h) ), proving the inductive step. Hence, we have out ≈ s Label(v ( ) ) = Label(v 0 ) and thus c * ≈ s c.
We have shown that in any case, ( c, holds. This means that MKHE BP satisfies malicious circuit privacy.
Instantiation For the underlying privately expandable MKFHE scheme with distributed setup, we can use MKHE pBHP shown in Sect. 3.3, whose weak circular security directly follows from that of the original scheme MKHE BHP .
For the underlying maliciously circuit-private single-key FHE scheme, we can rely on the existing results [9,27,36]. Specifically, Ostrovsky et al. [36] constructed a maliciously circuitprivate single-key FHE scheme from the combination of compact single-key FHE and singlekey HE satisfying a weak form of malicious circuit privacy (called input privacy), and the latter can be based on a statistically sender-private (2-message) OT protocol and an informationtheoretic randomized encoding [27]. Brakerski and Döttling [9] recently constructed such an OT protocol based on LWE, and the MKFHE scheme MKHE BHP can be used as single-key FHE, we can realize a maliciously circuit-private single-key FHE scheme based on LWE and the weak circular security of MKHE BHP .
Using the above two schemes in MKHE BP , we obtain a maliciously circuit-private MKHE with distributed setup for branching programs based on LWE and the weak circular security of MKHE BHP , yielding a proof of Theorem 1.1.

Achieving full homomorphism
We follow the framework of [17] that generically transforms an MKHE scheme for branching programs to a fully homomorphic one by using a (non-circuit-private) MKFHE scheme with distributed setup as an additional building block. As in our scheme for branching programs in Sect. 4.2, the main difference from [17] is that in the homomorphic evaluation algorithm, we have to make sure the public parameters belong to the support of the distributed setup algorithm. Intuition of our construction To construct a fully homomorphic scheme, we combine the malicious circuit-private MKHE scheme MKHE BP for branching programs in Sect. 4.2 and a standard MKFHE scheme MKHE F . Inputs to a function are encrypted by MKHE F and homomorphic evaluation is done by the evaluation algorithm of MKHE F . The result of the homomorphic evaluation can be transformed into the ciphertext of MKHE BP in a bootstrapping-like manner. Our homomorphic evaluation algorithm also uses MKHE BP to check whether the inputs to the homomorphic evaluation are generated properly.
The homomorphic evaluation algorithm of our construction computes an output by homomorphically evaluating a composition of the decryption of MKHE BP and function that checks all the input validations success. The composite function is parametrized by the results of the homomorphic evaluation and input validations, which are the ciphertexts of MKHE BP . Since the simulator for our construction can generate simulated results of the homomorphic computation by using the simulator for MKHE BP , the composite function computed by our simulator is statistically indistinguishable from the one in the real evaluation. Building blocks We will use the following building blocks.
scheme with distributed setup whose decryption circuit can be computed by NC 1 circuits. • Let MKHE BP = (dSetup BP , KG BP , Enc BP , Eval BP , Dec BP ) be a maliciously circuit-private MKHE scheme with distributed setup for length-branching programs, where is a polynomial of λ large enough so that it can compute the validation circuits KValidate and CValidate introduced below, and the decryption circuit of Dec F . For notational convenience, we treat this scheme as an MKHE scheme for circuits that can be computed by length -branching programs. (Thus, Eval BP takes a circuit as input, rather than a branching program).

Notation and convention
We use similar notations and conventions as in Sect. 4.2, namely, subscripts F and BP for parameters, and Enc F and Enc BP takes bit-strings as a plaintext inputs. Similarly, we allow Dec F and Dec BP to take multiple ciphertexts as input, and let their outputs be the concatenation of the decryption results. We will also use bracket notations for ciphertexts: [[x]] i for a ciphertext generated as Enc F (pk F,i , x), and [x] i for a ciphertext generated as Enc BP (pk BP,i , x). Validation circuits We introduce three types of circuits that will be used in the construction of our fully homomorphic scheme.
• KValidate checks whether a hardwired public key of MKHE F is well-formed. It has the following values hardwired: N ∈ N, public parameters pp F , an index i ∈ [N ], a public key pk F , and some value out ∈ {0, 1} * . Then, it takes a pair of (candidate) secret key sk F and randomness r KG as input, and its output is defined as follows: • CValidate checks whether the hardwired ciphertext of MKHE F is well-formed. It has the following values hardwired: a public key pk F , a ciphertext ct F , and some value out ∈ {0, 1} * . Then, it takes randomness r Enc as input, and its output is defined as follows: CValidate pk F ,ct F ,out (r Enc ) := out if ∃x ∈ {0, 1} : ct F = Enc F (pk F , x; r Enc ) 0 otherwise .
• CombineDec checks whether the given ciphertexts of MKHE BP are correctly decrypted to a hardwired element. It has N , q ∈ N and some value out ∈ {0, 1} * hardwired, takes N secret keys sk BP = (sk BP, j ) j∈ [N ] and q evaluated ciphertexts { ct BP, j } j∈ [q] as input, and its output is defined as follows:  Figure 2in page 49.)  (1 λ , 1 N , j)], then output ⊥ and terminate. Otherwise, parse each pp j as (pp BP, j , pp F, j ), each pk j as (pk F, j , pk BP, j , [[sk BP, j For every j ∈ [N ], compute Parse each pp j as (pp F,j , pp BP,j ). Pick a randomness r KG,i for KG F .  , 1 N , j)] then return ⊥. Parse each pp j as (pp F,j , pp BP,j ). Parse each pk j as (pk F,j , pk BP,j , For every j ∈ [N ]: Return ct. . • Dec mCP (sk, ct): Parse each sk j as sk F, j . Output x := Dec F (sk F , ct).

Correctness and security
The correctness of MKHE mCP is immediate from the correctness of MKHE F and MKHE BP . The semantic security of MKHE mCP is not straightforward. Like the construction in [17], a public key pk i of MKHE mCP contains an encryption of a secret key sk BP,i under pk F,i , and encryptions of a secret key sk F,i and the randomness r KG,i used to generate sk F,i under pk F,i . Hence, semantic security does not simply follow from a straightforward combination of the semantic security and/or (weak) circular security of the individual building blocks MKHE F and MKHE BP . In order to prove the semantic security of MKHE mCP , it seems unavoidable to assume that the semantic security of MKHE F and MKHE BP continue to hold even if in the semantic security games of each scheme, an adversary is additionally given the values that constitute the public parameters pp i = (pp F,i , pp BP,i ) and a public key 15 Once we admit this type of somewhat non-standard circular security assumptions on MKHE F and MKHE BP , the semantic security of MKHE mCP follows straightforwardly, and thus we omit the proof.

Theorem 4.4 (Security)
If MKHE F and MKHE BP satisfy the above "joint" circular security, then MKHE mCP is semantically secure.
The following theorem guarantees the malicious circuit privacy of MKHE mCP . The intuition and notation for the proof of this theorem are given at the beginning of this section (Sect. 4.3).
For every k ∈ [n], compute r * Enc,k := Ext BP (pp * BP , I k , pk * BP,I k , [r Enc,k ] * I k ), . As explained above, for the resulting scheme to be semantically secure, we need joint circular security for the above two schemes. This assumption seems reasonable since the former building block scheme is also based on MKHE BHP (albeit an additional LWE-based OT protocol from [9]).

Maliciously circuit-private MPC based on LWE
In this section, we describe our MPC protocol from any maliciously circuit-private MKHE scheme with distributed setup, a maliciously (statistically) sender-private OT protocol, and a projective circuit garbling scheme.

Definitions for MPC
We here give the definition of maliciously circuit-private MPC protocols. We consider a 1server and N -client protocol. In this protocol, inputs to participating parties are asymmetric (i.e., the server has a function to be computed, and the clients have inputs for the function), so the secure MPC protocol needs to have two types of security requirements: server privacy and client privacy. The server privacy has almost the same requirement with the circuit privacy in MKHE, and the client privacy means the semantic security of the client's input. We do not allow adversaries to corrupt the server, but we want to consider stronger security against clients. The client privacy should be considered for a semi-honest server and malicious clients.
In the following, we first define a client-server MPC protocol, then we define the client privacy and server privacy for the protocol, where we refer to the server privacy as circuit privacy. These definitions follow from those in [17]. Definition 5.1 (Client-Server MPC protocol) Let C be a class of functions with at most N inputs. A multi-party protocol for C is a protocol between parties P 1 , . . . , P N , and the server S where P i (i = 1, . . . , N ) is given x i as input, and S is given a function F on N inputs. Denote x = (x 1 , . . . , x N ). At the end of the protocol, each party P i outputs F(x) while S outputs ⊥.

Definition 5.2 (Client Privacy) An adversary
receives all messages directed to P i for every i ∈ T and controls the messages that they send. Let View ,S (F, x) denote the joint collection of messages that S receives in an execution of the protocol on an N -input function F ∈ C and an input set x = (x 1 , . . . , x N ). Let View ,A (F, x) denote the joint collection of messages A receives through corrupted parties in an execution of protocol on F and x. A multi-party protocol for C is secure against a semi-honest server and malicious clients if the protocol satisfies the following two privacy notions: • Privacy against clients For every adversary A corrupting parties {P i } i∈T with |T | = t < N , for all N -input functions F ∈ C and for all input sets x = (x 1 , . . . , x N ) and x = (x 1 , . . . , x N ) such that x i = x i for any i ∈ T , for all y the range of F, • Privacy against a server For every server S, for all N -input functions F ∈ C and for all input sets x = (x 1 , . . . , x N ) and x = (x 1 , . . . , x N ) such that x i = x i for any i ∈ T , for all y the range of F,

Definition 5.3 (Malicious Circuit Privacy (Server Privacy))
Let be a multi-party protocol for a function class C. In the ideal-world execution of , the computation of F ∈ C is performed through a trusted functionality F . Each party P i sends their input x i to F , the server sends F to F , which performs the computation and sends the output F(x) to each P i (i ∈ [N ]). Let Ideal F ,S (F, x) denote the joint output of the ideal-world adversary (called simulator) S, parties P 1 , . . . , P N and the server S. Moreover, let Real ,A (F, x) denote the joint output of the real-world adversary A, parties P 1 , . . . , P N and the server S. The protocol is maliciously circuit-private if for every malicious (and possibly unbounded) adversary A corrupting any number of parties, there exists an unbounded simulator S with black-box access to A such that for all N -input functions F ∈ C and for all input sets x = (x 1 , . . . , x N ), A (F, x).

Construction
Our MPC protocol consists of four rounds, and is maliciously circuit-private in the plain model. We follow the approach of [17] but require an additional round (the first round) that computes the distributed setup. Intuition of our construction The server evaluates the function over encrypted inputs sent from the clients. The server then constructs a special decryption circuit that given as input a secret key for the circuit-private MKFHE scheme and randomness used to generate the secret key, decrypts the result of the homomorphic evaluation if the input secret keys are valid. Also, the server sends a garbled circuit of the special decryption circuit to the clients. The difference between real-world and ideal-world executions of the protocol is how to construct a garbled circuit of the special decryption circuit. The simulator of the malicious circuit privacy for our MPC protocol generates a simulated result of the homomorphic evaluation by using the simulator for the circuit-private homomorphic scheme, and compute a garbled circuit for the special decryption circuit hardwired with the simulated result. Since the simulated result is statistically indistinguishable from the result of the real evaluation, the garbled circuit is also statistically indistinguishable from the one in the real-world execution of the protocol. Building blocks We will use the following building blocks.
The description of our protocol is as follows.
• Inputs and outputs: The clients P i (i = 1, ., N ) is given x i as input, and the server S is given a function F on N inputs. Each P i outputs F(x 1 , ., x N ) while S outputs ⊥.
(where r KG,i,k is the k-th bit of r KG,i ). Also P i computes a ciphertext ct i $ ← − Enc mCP (pk i , x i ), and sends (pk i , ct i , (q k i ) k∈ [s+r ] ) to the server S. • Round 3: The input of the server S is a function F that takes on inputs x = (x 1 , . . . , x N ).
The server S selects a circuit C representing the function F. It then computes ct $ ← − Eval mCP (C, pp, pk, (ct j ) j∈ [N ] ), where we denote pk := (pk j ) j∈ [N ] . Let g ct,pp,pk be the following circuit: The security of our protocol is guaranteed by the following theorem.

Theorem 5.1
If MKHE mCP is semantically secure and maliciously circuit-private, OT is statistically sender private against malicious receivers, and GC is secure, then is a secure MPC protocol with malicious circuit privacy.
The proof of Theorem 5.1 is divided into the following three lemmas: the first two lemmas state that the protocol has privacy against malicious clients and a semi-honest server, and the third one is for saying the malicious circuit privacy of .  , g ). By the sender-privacy of OT against malicious receivers, A can obtain at most one garbled input (token) for the corrupted clients. Let X and X be garbled inputs obtained by e and e for the secret key and its randomness. Since both circuits evaluate to y on garbled inputs corresponding to valid secret keys and 0 otherwise we have (G, X ) ≈ c (G , X ) by the security of GC. Also, a i 's and garbled inputs do not depend on the protocol inputs. Therefore, the views of an adversary A in the executions of for input x and that for x are computationally indistinguishable. This concludes the proof of lemma. Proof In the second round of , each client P i (i = 1, . . . , N ) sends OT-queries (q k i ) k∈[r +s] to the server, and the queries do not depend on the protocol input. Thus, by the receiver privacy of OT, they are computationally indistinguishable from OT-queries generated by using some fixed string independent of the secret key and randomness. This in turn enables us to invoke the semantic security of MKHE mCP , and say that the server's view in the case that the ciphertext ct i in the second round message encrypts x, is computationally indistinguishable from the case that ct i encrypts x . This concludes the proof of the lemma.
Intuition for the proof of the following theorem is given in the beginning of this section (Sect. 5.2).

Lemma 5.3 (Malicious Circuit Privacy)
If MKHE mCP is maliciously circuit-private, then the protocol is maliciously circuit-private.
Proof Let Ext mCP and Sim mCP be the extractor and simulator that are guaranteed to exist by the malicious circuit privacy of MKHE mCP . Here we show the construction of a simulator S for , where we can assume w.l.o.g. that the real-world adversary A corrupts all the clients, because we are not considering the privacy of the clients here. • Step 2: Given (pk * i , ct * i , (q * i,k ) k∈[r +s] ) i∈T from A, S runs Ext mCP to compute the corrupted inputx i := Ext mCP (pp * , i, pk * i , ct * i ). It then submits them to the ideal functionality F and obtains b * := F(x 1 , . . . ,x N ). • Step 3: Denote pk * = (pk * j ) j∈ [N ] . The simulator S runs Sim mCP to compute ct * $ ← − Sim mCP (pp * , pk * , ( j, ct * j ) j∈ [N ] , b * ), then defines a circuit g ct * ,pp * ,pk * ((sk j , r j ) j∈ i , X * 0 (i−1)(r +s)+k , X * 1 (i−1)(r +s)+k ), and sends (G * , (a * i,k ) k∈[r +s] ) for i ∈ T to A.
• Output: In Round 4 of the protocol, no interaction between the server S and the clients P i occurs. Since we are assuming that all clients are corrupted and controlled by A, the simulator S need not do any action until A returns the outputs of the corrupted parties. Finally, when A terminates with the outputs of the corrupted parties in the real-world execution of , S just forwards the received outputs and terminates.
By the malicious circuit privacy of MKHE mCP , ct * is statistically indistinguishable from the real computation of Eval mCP for F, and thus the garbled circuit G * is also statistically indistinguishable from the one in the real-world execution of . Hence we have Real ,A (F, x) ≈ s Ideal ,S (F, x).
Instantiations from LWE When instantiated MKHE mCP with our proposed schemes in Sects. 4.2 and 4.3, we obtain Theorems 1.3 and 1.4, respectively.

Conclusion
In this paper, we constructed a maliciously circuit-private MKHE scheme for branching programs based on LWE as well as weak circular security of the (plain) MKFHE scheme by Brakerski et al. [15]. We also showed how the obtained scheme can be combined with a plain MKFHE scheme (such as [15]), to obtain a fully homomorphic maliciously circuit-private scheme. To obtain this result, we relied on a somewhat non-standard circular security assumption, but a similar assumption is required to show the security of the previous maliciously circuit-private MKFHE scheme in [17]. Based on either of our MK(F)HE schemes, we built a four-round MPC protocol with circuit privacy against semi-honest server and malicious clients in the plain model, where the additional building blocks required for our protocol can be instantiated assuming only LWE.
Availability of data and materials Not applicable.

Conflict of interest/Competing interests Not applicable.
Code availability Not applicable.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.