Keywords

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

Imagine Alice and Bob, standing on different planets light years apart. They are “simultaneously” given some input bits \(x_1\) and \(x_2\) respectively, and must answer by outputting bits \(y_1\) and \(y_2\) respectively. Classical physics allows them to implement local (component-wise) strategies where \(y_1\) is an arbitrary function of \(x_1\) and \(y_2\) is a function of \(x_2\). On the other hand, the impossibility of faster-than-light communication disallows signaling strategies, meaning that the distribution of \(y_1\) cannot depend on the value of \(x_2\) and vice versa.

However, there are strategies that are neither local nor signaling. For example, perhaps Alice and Bob want to ensure that \(y_1,y_2\) are random bits subject to \(y_1 \oplus y_2 = x_1 \wedge x_2\). In this case, the distribution of \(y_1\) does not depend on \(x_2\) (and vice versa) so the strategy is not signaling, but it’s also not local. Surprisingly some such strategies which are neither signaling nor local are achievable using quantum mechanics, if Alice and Bob share an entangled quantum state. Einstein referred to this phenomenon as “spooky action at a distance”.

In this work, we consider an analogous scenario, first considered by Dwork et al. [11], where the separation between \(x_1,x_2\) is enforced not via physical distance but by encrypting these bits under two independent public keys.Footnote 1 Here Alice gets the two ciphertexts \(c_1 \leftarrow \mathsf {Enc}_{\mathsf {pk}_1}(x_1), c_2 \leftarrow \mathsf {Enc}_{\mathsf {pk}_2}(x_2)\), and outputs two other ciphertexts \(c'_1,c'_2\) which are decrypted as \(y_i\leftarrow \mathsf {Dec}_{\mathsf {sk}_i}(c'_i)\), \(i=1,2\). As in the physical analogy, here too we can rule out signaling strategies (if the encryption is semantically secure), and can implement local strategies (if the encryption is homomorphic). But can we replace the entangled state from above by a special “spooky encryption scheme” that would allow Alice to implement spooky strategies? Answering this question is the focus of this work, and we obtain the following results:

  • Assuming the hardness of learning with errors (\(\textsf {LWE}\)), there exists a secure encryption scheme in which Alice can implement a wide class of spooky strategies that we call additive function sharing (AFS) spooky. Namely, for any two-argument function \(f:(\{0,1\}^*)^2\rightarrow \{0,1\}\), Alice can convert encryption of inputs \(c_i \leftarrow \mathsf {Enc}_{\mathsf {pk}_i}(x_i)\) to encryption of outputs \(y_i\leftarrow \mathsf {Dec}_{\mathsf {sk}_i}(c'_i)\), ensuring that \(y_1\oplus y_2 = f(x_1,x_2)\), except for a small error probability.

    This construction, described in Sect. 3, uses the \(\textsf {LWE}\)-based multi-key FHE schemes from [7, 22, 26], and it inherits from these multi-key scheme their dependence on a common random string.

  • In Sect. 4 we describe a spooky scheme that supports arbitrary two-input spooky relations on short inputs, as well as a very wide class of two-input spooky relations on long inputs. This construction uses probabilistic indistinguishability obfuscation (\(\mathsf {piO}\)), which is an extension of \(\mathsf {iO}\) to probabilistic circuits recently introduced by Canetti et al. [6], in conjunction with lossy encryption schemes which are homomorphic and ensure circuit privacy against malicious adversaries. This construction works in the plain model without common-random string and has no error, and it can be realized based on exponentially strong \(\mathsf {iO}\), exponentially strong PRFs, and DDH.

  • In Sect. 5 we describe a transformation from a scheme that supports only two-input spooky relations on one-bit inputs to one that supports AFS spooky relations on arbitrary number of inputs (of arbitrarily length each). This transformation can be applied to both our \(\textsf {LWE}\)-based and \(\mathsf {piO}\)-based constructions from above.

  • We show several implications of (AFS-)spooky encryption. On a negative, it gives a strong counter-example to a method proposed by Aiello et al. [1] for building succinct arguments for \(\textsf {NP}\) from homomorphic encryptionFootnote 2, resolving a question posted by [11]. On a positive, it immediately yields a function secret sharing (FSS) scheme for all functions [4, 15], and also gives a simple 2-round multi-party computation protocol where, at the end of the first round, the parties can locally compute an additive secret sharing of the output. These application are discussed in Sect. 6.

  • We also study in Sect. 7 the concept of spooky free encryption, i.e., an encryption scheme where we can prove that no spooky strategy is feasible. We show that any non-malleable encryption scheme is spooky-free, and also build spooky-free homomorphic encryption schemes from SNARKs. It remains an open problem to construct spooky-free homomorphic encryption under more standard assumptions. Spooky-free homomorphic encryption can be used to instantiate the approach of Aiello et al. to get succinct arguments for \(\textsf {NP}\).

1.1 Technical Overview

LWE -Based Construction. Our \(\textsf {LWE}\)-based construction builds on the multi-key FHE schemes from [7, 22, 26]. In these schemes (after some syntactic massaging) secret keys and single-key ciphertexts are vectors in \(\mathbb {Z}_q^n\), and decryption consists of computing \(w=\left\langle {\mathbf {s},\mathbf {c}}\right\rangle \bmod q\), then rounding to the nearest multiple of q / 2, outputting zero if w is closer to 0 or one if w is closer to q / 2.

These schemes, however, also support homomorphic computation across ciphertexts relative to different keys. Roughly, they feature a “lifting procedure” where a dimension-n ciphertext vector relative to one key \(\mathbf {s}_i\) is “lifted” to a dimension \(\ell n\) vector \(\mathbf {c'}=(\mathbf {c'}_1,\ldots ,\mathbf {c'}_\ell )\) relative to the concatenated key \(\mathbf {s'}=(\mathbf {s}_1,\ldots ,\mathbf {s}_\ell )\) of dimension \(\ell n\). These lifted ciphertexts can still be computed on, and the decryption procedure proceeds just as before, except using the higher-dimension vectors. Namely, to decrypt \(\mathbf {c'}\) using \(\mathbf {s'}\), one first computes the inner product \(w'=\left\langle {\mathbf {s'},\mathbf {c'}}\right\rangle \) modulo q, then rounds to the nearest multiple of q / 2. In other words, we compute the individual inner products \(w_i=\left\langle {\mathbf {s}_i,\mathbf {c'}_i}\right\rangle \), then add them all up and round to the nearest multiple of q / 2.

We observe (cf. Lemma 1) that for the special case of two keys, \(\ell =2\), instead of adding the \(w_i\)’s and then rounding, we can first round each \(w_i\) to the nearest multiple of q / 2 and then add, and this yields the same result with high probability. Specifically, the error probability is proportional to the rounding error for the overall sum \(w'\). This observation immediately yields additive function sharing (AFS) spooky encryption for two-argument functions: We use one of the schemes from [7, 22, 26] to encrypt the two arguments \(x_1,x_2\) under two keys, then use the multi-key evaluation procedure to compute a multi-key ciphertext \(\mathbf {c'}=(\mathbf {c'}_1,\mathbf {c'}_2)\) encrypting the value \(f(x_1,x_2)\). Viewing each \(\mathbf {c'}_i\) as a single-key ciphertext, we apply the usual decryption procedure to each of them, and the resulting two bits are an additive secret sharing of \(f(x_1,x_2)\), except with a small error probability. The error probability can be made negligible by relying on LWE with a super-polynomial approximation factor.

piO-Based Construction. In Sect. 4 we show that using \(\mathsf {iO}\) we can construct an AFS encryption scheme without CRS and without errors, and moreover we can support arbitrary spooky relations on two bits, not just additive sharing. For this overview, let us focus on the simpler task of constructing AFS spooky scheme for the multiplication function \(\textsf {MULT}(b_1,b_2)=b_1\cdot b_2\).

The starting point of the construction takes a homomorphic encryption scheme \((\mathsf {Gen},\mathsf {Enc},\mathsf {Dec},\mathsf {Eval})\) and adds to the public key an obfuscation of the randomized functionality that decrypts, computes the functions f, and re-encrypts secret-sharing of the result. Specifically, let us denote for any \(x_1,y_1\in \{0,1\}\) the function \(f_{x_1,y_1}(x_2)=x_1\cdot x_2\oplus y_1\), and consider the following randomized program:

figure a

Given the two pairs \((\mathsf {pk}_1,\mathsf {Enc}_{\mathsf {pk}_1}(x_1))\), \((\mathsf {pk}_2,\mathsf {Enc}_{\mathsf {pk}_2}(x_2))\), and access to the program \(P_{\mathsf {sk}_1,\mathsf {pk}_1}\), we can run \(P_{\mathsf {sk}_1,\mathsf {pk}_1}(c_1,\mathsf {pk}_2,c_2)\) to get two ciphertexts \(c'_1\) and \(c'_2\), encrypting \(y_1,y_2\), respectively, such that \(y_1 \oplus y_2 = x_1 \cdot x_2\). We would like, therefore, to add an obfuscation of \(P_{\mathsf {sk}_1,\mathsf {pk}_1}\) to the public key, thereby obtaining AFS spooky multiplication.

As described, however, this construction is not even secure when \(P_{\mathsf {sk}_1,\mathsf {pk}_1}(c_1,\mathsf {pk}_2,c_2)\) is only accessed by a perfect black box. The reason is that if the underlying homomorphic encryption is not circuit private, then the evaluated ciphertext \(c'_2\) could leak information about \(x_1\). To fix this issue, we require the use of circuit-private homomorphic encryption in this construction. In fact, since the adversary could run the program \(P_{\mathsf {sk}_1,\mathsf {pk}_1}(c_1,\mathsf {pk}_2,c_2)\) on arbitrary inputs of its choice, we need a stronger notion of circuit privacy against malicious adversaries [24], that guarantees privacy even if the public-key and ciphertext given to the evaluation algorithm are generated adversarially.

Using a malicious circuit private homomorphic encryption scheme, the construction above would be secure if the program \(P_{\mathsf {sk}_1,\mathsf {pk}_1}(c_1,\mathsf {pk}_2,c_2)\) is accessed as a perfect black box (e.g., using \(\mathsf {VBB}\) obfuscation). However, we would like to rely on the weaker notion of indistinguishability obfuscation (\(\mathsf {iO}\)), or rather probabilistic \(\mathsf {iO}\) [6] (since we are dealing with a randomized program). We need to somehow argue that the secret key \(\mathsf {sk}_1\) that is encoded within the program \(P_{\mathsf {sk}_1,\mathsf {pk}_1}\) is hidden by the weaker obfuscation, and we do it using a technique from the work of Canetti et al. [6], employing a lossy encryption scheme.

We note that the construction above only uses homomorphic computations for single-bit functions (in addition to probabilistic \(\mathsf {iO}\)), and there are only four such function (identity, negation, constant 0 and constant 1). A secure and malicious-circuit-private encryption scheme that supports these operations was constructed by Naor and Pinkas [23] based on the \(\mathsf {DDH}\) assumption.

From 2-Spooky to n -Spooky. Both the \(\textsf {LWE}\) and \(\mathsf {piO}\) based constructions above only support two-argument spooky relations. Specifically the \(\textsf {LWE}\)-based scheme only supports AFS-spooky relations for two-argument functions, and the \(\mathsf {piO}\)-based scheme supports a large class of spooky relations but again, only on two inputs. We extend the supported spooky relations by showing how to transform a scheme that supports (multiple hops of) AFS-spooky two-input multiplication and single-key additive homomorphism, into a leveled AFS spooky scheme for any number of inputs of any length.

The transformation is inspired by the Goldreich-Micali-Wigderson MPC protocol [16]: Suppose that we are given n public keys \(\mathsf {pk}_1,\ldots ,\mathsf {pk}_n\), bit-by-bit encryptions of the input values \(\mathsf {Enc}_{\mathsf {pk}_i}(x_i)\), and an arithmetic circuit \(C : (\{0,1\}^*)^n \rightarrow \{0,1\}\) that we want to evaluate (i.e., to produce encrypted shares of \(C(x_1,\ldots ,x_n)\)). We process the circuit gate by gate, while maintaining the invariant that for every wire w we produce ciphertexts \(\mathsf {Enc}_{\mathsf {pk}_1}(w_1),\ldots ,\mathsf {Enc}_{\mathsf {pk}_n}(w_n)\) such that \(\oplus _{i \in [n]} w_i\) is equal to the wire w’s value. The wires are processed inductively:

  1. 1.

    For an input wire holding a bit b, which is part of the j’th input \(x_j\), we take the ciphertext c that encrypts b relative to \(\mathsf {pk}_j\), and append to it the ciphertexts \(c_i\leftarrow \mathsf {Enc}_{\mathsf {pk}_i}(0)\) for all \(i\ne j\). Clearly the ciphertexts \((c_1,\ldots ,c_{j-1},c,c_{j+1},\ldots ,c_n)\) are encryptions of an additive sharing of the wire’s value b.

  2. 2.

    For an addition gate with input wires uv and output wire w, by induction we already have \(\mathsf {Enc}_{\mathsf {pk}_1}(u_1),\ldots ,\mathsf {Enc}_{\mathsf {pk}_n}(u_n)\) and \(\mathsf {Enc}_{\mathsf {pk}_1}(v_1),\ldots ,\mathsf {Enc}_{\mathsf {pk}_n}(v_n)\). Using just an additive homomorphism on each key individually, we can produce \(\mathsf {Enc}_{\mathsf {pk}_1}(u_1\oplus v_1),\dots ,\mathsf {Enc}_{\mathsf {pk}_n}(u_n\oplus v_n)\) which is the desired secret sharing.

  3. 3.

    For a multiplication gate with input wires uv and output wire w, again by induction we already have \(\mathsf {Enc}_{\mathsf {pk}_1}(u_1),\ldots ,\mathsf {Enc}_{\mathsf {pk}_n}(u_n)\) and \(\mathsf {Enc}_{\mathsf {pk}_1}(v_1),\ldots ,\mathsf {Enc}_{\mathsf {pk}_n}(v_n)\). Using the AFS spooky multiplication we compute an encrypted tensor product of the \(\mathbf {u}\) and \(\mathbf {v}\) vectors. Namely, for every ij we use spooky multiplication to compute

    $$\begin{aligned} \big (\mathsf {Enc}_{\mathsf {pk}_i}(x_{i,j}),\mathsf {Enc}_{\mathsf {pk}_j}(y_{i,j})\big ) \leftarrow \textsf {SpookyMult}\big (\mathsf {Enc}_{\mathsf {pk}_i}(u_i),\mathsf {Enc}_{\mathsf {pk}_j}(u_j)\big ), \end{aligned}$$

    such that \(x_{i,j}\oplus y_{i,j} = u_i\cdot v_j\). Then we collapse this tensor product back into an n-vector using the additive homomorphism relative to each key separately. That is, for every \(i \in [n]\) we can compute a ciphertext \(\mathsf {Enc}_{\mathsf {pk}_i}(w_i)\) such that \(w_i = \bigoplus _{j \in [n]} x_{i,j} \oplus \bigoplus _{j \in [n]} y_{j,i}\). We observe that these ciphertexts form a secret sharing of \(u \cdot v\). Indeed, adding up the plaintexts we get:

    $$\begin{aligned} \bigoplus _{i \in [n]} \left( \bigoplus _{j \in [n]} x_{i,j} \oplus \bigoplus _{j \in [n]} z_{j,i} \right) = \bigoplus _{i,j \in [n]} ( x_{i,j} \oplus y_{i,j}) = \bigoplus _{i,j \in [n]} u_i \cdot v_j = (\bigoplus _i u_i) \cdot (\bigoplus _j v_j) \end{aligned}$$
    (1)

Thus, if the scheme can support 2d interleaved hops of (two-key) spooky multiplication and (single-key) additive homomorphism then it is an AFS-spooky scheme for the class of all depth d arithmetic circuits. We note that the resulting scheme does not depend on the number of inputs or their length, and it only depends on the complexity of C inasmuch as the underlying scheme depends on the depth of the evaluated circuit.

Applications of Spooky Encryption. In Sect. 6 we describe both positive and negative applications of spooky encryption. On the positive, it immediately yields a function secret sharing (FSS) scheme for all functions [4, 15]. Previously such a general function secret sharing scheme was only known to follow from sub-exponentially hard indistinguishability obfuscation [4] whereas we can base it on \(\textsf {LWE}\) (using our \(\textsf {LWE}\) based spooky encryption).

Spooky encryption also gives a simple 2-round multi-party computation protocol. Roughly, AFS-spooky encryption lets each party broadcast an encryption of its input under its own key, then everyone individually performs the AFS-spooky evaluation locally, each party can locally decrypt and recover a share of the output, and the output is recover using another round of communication. There are some technicalities that should be addressed for this idea to work, and perhaps the easiest way of addressing them is to use AFS-spooky encryption to construct multi-key FHE with threshold decryption (TMFHE), which can then be used to get a two-round protocol as done in [22]. Using our obfuscation based construction (which does not require a CRS), this gives the first 2-round semi-honest secure MPC protocol in the plain model.Footnote 3

On the negative side, AFS-spooky encryption yields a counter-example for the transformation of Aiello et al. [1] from multi-prover (MIP) to single-prover protocols. Their idea was to send all of the \(\textsf {MIP}\) queries to a single prover, but encrypted under independents keys of a homomorphic encryption scheme. The single prover can homomorphically implement the actions of the \(\textsf {MIP}\) provers on the individual encrypted queries, and hopefully the fact that the queries are encrypted under independent keys means that no cross-influence is possible. It is easy to see that spooky encryption violates this hope (by its very nature). Moreover, we show that this transformation can lead to a total break of soundness - in Sect. 6.1 we show how using AFS-spooky encryption can lead to an unsound single-prover protocol, when the transformation is applied to a simple two-prover protocol for graph 3-colorability.

Spooky-Free Encryption. Finally, in Sect. 7 we discuss the notion of spooky-free (SF) encryption, which provably ensures that any correlation that an attacker can induce between the original messages \((m_1,\ldots ,m_n)\) and “tampered messages” \((m_1',\ldots ,m_n')\), can be simulated by a “local simulator” that produces \(m_i'\) only as a function of \(m_i\) (and some shared randomness), see Definition 6. To validate this definition, we show that a spooky-free FHE suffices to prove the security of the natural approach of Aiello et al. [1], which was discussed above, of converting a succinct MIP into a succinct one-round argument discussed above. Indeed, spooky-freeness ensures that the attacker cannot cause more damage from seeing all n ciphertexts than what it could have done by seeing each plaintext independently.

We then turn to the systematic study of spooky-free encryption. First, we show that spooky-freeness implies semantic security. On the other hand, a very weak form of non-malleability (called 1-non-malleability here, or 1-bounded CCA security in [8]) implies spooky-freeness. However, since the scheme is non-malleable, it is inherently not homomorphic and so we cannot use it to obtain a delegation scheme via the foregoing approach.

Indeed, to instantiate the approach of Aiello et al. constructing succinct arguments for \(\textsf {NP}\), we need a homomorphic encryption scheme which is spooky free. As a proof of concept, in the full paper [9] we show how to built such a homomorphic spooky-free encryption using succinct non-interactive arguments of knowledge (SNARKs [3, 14]), true-simulation-extractable NIZKs [10] and regular FHE. While the use of SNARKs makes this construction uninteresting in the application to succinct arguments, the clean definition of SF-encryption, coupled with our “proof of concept” implementation, might open the door for more useful future constructions.

1.2 Related Work

The starting point for this line of work is the natural approach, suggested by Aiello et al. [1], for constructing a secure delegation scheme by combining a multi-prover interactive proof-system (\(\textsf {MIP}\)) with a homomorphic encryption scheme as described above. This intuition was questioned by Dwork et al. [11] and our work confirms that the approach of [1] is not always secure.

An approach to overcoming this barrier was taken by Kalai et al. [18, 19]. They designed a specific \(\textsf {MIP}\) (for \(\mathcal {P}\)) that is sound even against arbitrary no-signaling adversaries. Since semantic-security rules out signaling strategies, they obtain a secure delegation protocol for any language in \(\mathcal {P}\).

Spooky Free vs. Homomorphism Extraction. Bitansky and Chiesa defined in [2] a security notion called homomorphism extraction, that they show can be used to securely instantiate the construction of Aiello et al. and get succinct arguments for \(\textsf {NP}\). Intuitively, this notion says that to produce a valid encryption of \(m'\) from an encryption of m, you must know a function f such that \(m' = f(m)\). Compared to our notion of spooky-free (which is also sufficient for the Aiello et al. transformation), the main difference is that of “extraction vs. soundness”, so homomorphism extraction seems a stronger requirement. For example, homomorphism extraction implies some form of “plaintext awareness” and therefore is non-trivial even for schemes that aren’t homomorphic, whereas we show that any non-malleable encryption scheme is spooky-free.

Multi-key \(\textsf {FHE}\). A notion that is related to spooky-encryption, introduced by López-Alt et al. [21] is that of multi-key \(\textsf {FHE}\). In a multi-key \(\textsf {FHE}\), similarly to a spooky encryption scheme, the homomorphic evaluation procedure gets as input n ciphertexts encrypted under different keys. The difference is that the output of the evaluation in a multikey \(\textsf {FHE}\) is a single ciphertext that can only be decrypted by combining all the n keys. In contrast, in a spooky encryption scheme the result of the spooky evaluation is n ciphertexts, \(c_1,\ldots ,c_n\) where each \(c_i\) is encrypted under the \(i^\mathrm{{th}}\) original. Thus, spooky encryption can be thought of as a specific type of multi-key \(\textsf {FHE}\).

2 Definitions

2.1 Local, No-Signaling, and Spooky Relations

We say that two distributions \(D_1,D_2\) over a (finite) universe \(\mathcal {U}\) are \(\varepsilon \)-close if their statistical distance \(\frac{1}{2} ||D_1-D_2||_1\) is at most \(\varepsilon \), and denote it by \(D_1\mathop {\approx }\limits ^{\varepsilon } D_2\). We write \(D_1 \equiv D_2\) to denote that the distributions are identical. We say that \(D_1,D_2\) are \(\delta \)-far if their statistical distance is at least \(\delta \).

Definition 1

Let \(f: \{0,1\}^{\ell _1} \times \cdots \{0,1\}^{\ell _n} \rightarrow \{0,1\}^{\ell '_1} \times \cdots \{0,1\}^{\ell '_n} \) be a randomized mapping from n input to n outputs. For input \(\mathbf {x}=(x_1,\ldots ,x_n)\) to f, we denote the i’th component of the output by \(f(\mathbf {x})_i\), and more generally for a subset \(I\subset [n]\) we denote the projected input by \(\mathbf {x}_I=(x_i : i\in I)\) and the projected output by \(f(\mathbf {x})_I=(f(\mathbf {x})_i : i\in I)\).

  • f is local if there exist n randomized “component mappings” \(f_i:\{0,1\}^{\ell _i}\rightarrow \{0,1\}^{\ell '_i}\) such that for all \((x_1,\ldots ,x_n)\in \{0,1\}^{\ell _1} \times \cdots \{0,1\}^{\ell _n}\), the distribution \(f(x_1,\ldots ,x_n)\) is a product distribution \(f(x_1,\ldots ,x_n) \equiv f_1(x_1)\times \cdots \times f_n(x_n).\)

  • f is no-signaling if for every subset \(I\in [n]\) and every two inputs \(\mathbf {x},\mathbf {x}'\) with the same I projection, \(\mathbf {x}_I=\mathbf {x}'_I\), the corresponding projected distributions are equal, \(f(\mathbf {x})_I \equiv f(\mathbf {x}')_I\).

  • We say that f is \(\varepsilon \) - spooky for some \(\varepsilon >0\) if it is no-signaling, but for every local \(f'\) there exists some input \(\mathbf {x}\) such that \(f(\mathbf {x})\) and \(f'(\mathbf {x})\) are at least \(\varepsilon \)-far.

These definitions extends to an ensemble of mappings \(F=\{f_k : k\in \mathbb {N}\}\), with the mapping parameters n, \(\ell _i, \ell '_i\) and the distance bound \(\varepsilon \) possibly depending on the ensemble parameter k. In this case we say that F is spooky if the \(f_k\)’s are \(\varepsilon \)-spooky for a non-negligible \(\varepsilon =\varepsilon (k)\).

As an example, consider the randomized function \(f(x_1,x_2) = (y_1,y_2)\) where \(y_1,y_2\) are uniformly random subject to \(y_1 \oplus y_2 = x_1 \wedge x_2\). This function is no-signaling since the distributions \(f(x)_1\) and \(f(x)_2\) are individually uniform, no matter what x is. However, it’s easy to show that for any local function \(f' = (f'_1,f'_2)\) there is an input \(x = (x_1,x_2)\) such that \(\Pr [ f'_1(x_1) \oplus f'_2(x_2) = x_1 \wedge x_2] \le 1/2\). Therefore the function f is \(\varepsilon \)-spooky for \(\varepsilon = 1/2\).

2.2 Spooky Encryption

A public-key encryption scheme consists of a tuple \((\mathsf {Gen},\mathsf {Enc},\mathsf {Dec})\) of polynomial-time algorithms. The key-generation algorithm \(\mathsf {Gen}\) gets as input a security parameter \(\kappa \in \mathbb {N}\) and outputs a pair of public/private keys \((\mathsf {pk},\mathsf {sk})\). The encryption algorithm \(\mathsf {Enc}\) gets as input the public-key \(\mathsf {pk}\) and a bit \(m \in \{0,1\}^{\mathsf{poly}(\kappa )}\) and outputs a ciphertext c, whereas the decryption algorithm \(\mathsf {Dec}\) gets as input the private-key \(\mathsf {sk}\) and the ciphertext c and outputs the plaintext bit m. The basic correctness guarantee is that \(\Pr [\mathsf {Dec}_{\mathsf {sk}}(\mathsf {Enc}_{\mathsf {pk}}(m))=m]>1-\mathsf {negl}(k)\), where the probability is over the randomness of all these algorithms. The security requirement is that for every pair of polynomial-sized adversaries \((A_1,A_2)\) it holds that

$$\begin{aligned} \mathop {\Pr }\limits _{\begin{array}{c} (\mathsf {pk},\mathsf {sk}) \leftarrow \mathsf {Gen}(1^\kappa )\\ b \leftarrow \{0,1\} \end{array}} \left[ \begin{matrix} (m_0,m_1) \leftarrow A_1(\mathsf {pk}) \text { s.t. }|m_0|=|m_1|\\ A_2 \left( \mathsf {pk},\mathsf {Enc}_\mathsf {pk}(m_b)\right) =b \\ \end{matrix} \right] \le \frac{1}{2} + \mathrm {negl}(\kappa ). \end{aligned}$$

If the message space consists of just a single bit then we say that the scheme is a bit encryption scheme.

Definition 2

(Spooky Encryption). Let \((\mathsf {Gen},\mathsf {Enc},\mathsf {Dec})\) be a public-key bit-encryption scheme and \(\mathsf {Spooky\text {-}Eval}\) be a polynomial-time algorithm that takes as input a (possibly randomized) circuit with \(n=n(\kappa )\) inputs and n outputs, \(C:(\{0,1\}^*)^n\rightarrow (\{0,1\}^*)^n\), and also n pairs of (public-key, ciphertext), and outputs n ciphertexts.

Let \(\mathcal {C}\) be a class of such circuits, we say that \((\mathsf {Gen},\mathsf {Enc},\mathsf {Dec},\mathsf {Spooky\text {-}Eval})\) is a \(\mathcal {C}\) -spooky encryption scheme if for every security parameter \(\kappa \), every randomized circuit \(C \in \mathcal {C}\), and every input \(\mathbf {x}=(x_1,\ldots ,x_n)\) for C, the distributions

$$\begin{aligned}&SPOOK[C,x_1,\ldots ,x_n] \mathop {=}\limits ^\mathrm{def}\\&\left\{ {(\mathsf {Dec}(\mathsf {sk}_1,c'_1),\ldots ,\mathsf {Dec}(\mathsf {sk}_n,c'_n))}:{\begin{array}{l} \forall i\in [n]~(\mathsf {pk}_i,\mathsf {sk}_i)\leftarrow \mathsf {Gen}(1^\kappa ),\\ ~~~~~~~~~~~~~~\mathbf {c}_i\leftarrow \mathsf {Enc}(\mathsf {pk}_i,x_i),\\ (c'_1,\ldots ,~c'_n)\leftarrow \mathsf {Spooky\text {-}Eval}(C,(\mathsf {pk}_i,\mathbf {c}_i)_i) \end{array}} \right\} \end{aligned}$$

and \(C(x_1,\ldots ,x_n)\) are close upto a negligible distance in \(\kappa \).

We note that the name spooky encryption stems from the application of Definition 2 to circuits C that compute spooky mappings. Indeed, as shown by Dwork et al. [11], the semantic security of \((\mathsf {Gen},\mathsf {Enc},\mathsf {Dec})\) implies that only (almost) no-signaling C’s can be realized, and every homomorphic scheme can realize C’s that compute product mappings.

Spooky Encryption with CRS. We say that \((\mathsf {Gen},\mathsf {Enc},\mathsf {Dec},\mathsf {Spooky\text {-}Eval})\) is a \(\mathcal {C}\) -spooky encryption scheme with CRS if Definition 2 is satisfied except that we allow all algorithms (and the adversary) to get as input also a public uniformly distributed common random string.

2.3 Additive-Function-Sharing Spooky Encryption

An important special case of spooky encryption allow us to take encryptions \(c_i\leftarrow \mathsf {Enc}_{\mathsf {pk}_i}(x_i)\) under n independent keys of inputs \(x_1,\dots ,x_n\) to an n-argument function f, and produce new ciphertexts under the same n keys that decrypt to additive secret-shares of \(y=f(x_1,\ldots ,x_n)\). An encryption scheme that supports such “non-interactive sharing” is called additive-function-sharing spooky encryption (or AFS-spooky). Several variants of this concept are defined below:

  • We can either insist on getting a random secret sharing of y, or contend ourselves with any secret sharing. Below we call the latter variant weak AFS-spooky, and the former is strong AFS-spooky (or just AFS-spooky).

  • Similarly to homomorphic encryption schemes, we can have either a leveled variant where key-generation receives an additional depth parameter d and the result supports only circuits of depth upto d, or a fully AFS-spooky scheme that supports any circuit with a fixed parameter setting.

  • We can either allow non-negligible error probability (i.e., the probability that the computation fails to produce a secret-sharing of the right output y), or insist on a negligible error probability. Below we denote by \(\varepsilon \)-AFS-spooky the variant where the error probability is bounded by some \(\varepsilon \) (that need not be negligible), and the variant with negligible error probability is just AFS-spooky.

  • Sometimes we want to consider only two-argument functions \(f(x_1,x_2)\), a scheme that only supports two-argument functions is called AFS-2-spooky.

The formal definition itself is provided in the full version [9], where we also show that the weak and strong variants are essentially equivalent.

3 \(\textsf {LWE}\)-Based Spooky Encryption

3.1 Learning with Errors \((\textsf {LWE})\) and Multi-key FHE

The \(\textsf {LWE}\) assumption roughly says that adding just a little noise to a set of linear equations makes them hard to solve. In our context, we consider equations modulo some integer q and the noise consists of numbers whose magnitude is much smaller than q, as expressed via a noise distribution \(\chi \) that yields such “small numbers” with high probability. Below we identify \(\mathbb {Z}_q\) with the symmetric interval \([-q/2,q/2)\) and let \([x]_q\) denote the reduction of x modulo q into this interval.

Definition 3

(Learning with Errors [28]). Let \(n=n(\kappa ),q=q(\kappa )\in \mathbb {Z}\) be functions of the security parameter \(\kappa \) and \(\chi =\{\chi (\kappa )\}_\kappa \) be a distribution ensemble over \(\mathbb {Z}\). The decision-LWE assumption with parameters \((n,q,\chi )\) says that for any polynomial \(m=m(\kappa )\in \mathbb {Z}\), the following two distribution ensembles are computationally indistinguishable

$$\begin{aligned} \mathcal {LWE}[n,m,q,\chi ]&\mathop {=}\limits ^\mathrm{def}&\big \{(A,\mathbf {b}) : A\leftarrow \mathbb {Z}_q^{n\times m},~ \mathbf {s}\leftarrow \mathbb {Z}_q^n,~ \mathbf {e}\leftarrow \chi ^m,~ b:=[\mathbf {s} A + \mathbf {e}]_q \big \}, \\ and~~\mathcal {U}[n,m,q]&\mathop {=}\limits ^\mathrm{def}&\big \{(A,\mathbf {b}) : A\leftarrow \mathbb {Z}_q^{n\times m},~\mathbf {b}\leftarrow \mathbb {Z}_q^m\big \} ~(i.e., uniform\,over\ \mathbb {Z}_q^{(n+1)\times m}). \end{aligned}$$

For \(\alpha =\alpha (\kappa )\in (0,1)\), the \(\alpha \)-\(\mathsf {DLWE}\) assumption asserts the existence of parameters \(n,q,\chi \) as above with n polynomial in \(\kappa \), such that \(e\leftarrow \chi \) yields \(|e|<\alpha q\) with overwhelming probability.

Note that the \(\alpha \)-\(\mathsf {DLWE}\) assumption becomes stronger as \(\alpha \) gets smaller, and it is known to be false in the extreme case where \(\alpha =2^{-\varOmega (n)}\) using lattice-reduction techniques. On the other hand, we have ample evidence to belive the \(\alpha \)-\(\mathsf {DLWE}\) assumption with \(\alpha =1/\mathsf{poly}(n)\) [5, 25, 28], and it is commonly belived to hold also for super-polynomially (and perhaps even sub-exponentially) small \(\alpha \)’s.

We show that assuming hardness of the learning-with-errors problem, there exists a function-secret sharing (in the common-random-string model) for any n-argument function f. Our construction can be built on the multi-key fully homomorphic encryption construction of Mukherjee and Wichs [22] or the one of Peikert and Shiehian [26], which are variations of the Clear-McGoldrick scheme from [7]. We summarize the relevant properties of these constructions:

Theorem 1

[7, 22, 26]. Assuming the hardness of \(\alpha \)-\(\mathsf {DLWE}\) (for some \(\alpha (\kappa )\)), there exists a multi-key homomorphic encryption with the following properties:

  • The construction works in the common-random-string model. For parameters \(n,m,q=\mathsf{poly}(\kappa )\), all instances have access to a uniformly random matrix \(A\in \mathbb {Z}_q^{(n-1)\times m}\).

  • For any depth parameter d, the scheme supports multi-key evaluation of depth-d circuits using public keys of size \(d \cdot \mathsf{poly}(\kappa )\), while secret keys are vectors \(\mathbf {s}\in \mathbb {Z}_q^n\), regardless of the depth parameter.

    Specifically, there is an efficient procedure \(\mathsf {Eval}\) that is given as input:

    • Parameters \(d,\ell \in \mathbb {N}\);

    • A depth-d circuit computing an \(\ell \)-argument function \(f: (\{0,1\}^*)^{\ell }\rightarrow \{0,1\}\);

    • Public keys \((\mathsf {pk}_1,\ldots ,\mathsf {pk}_n)\) and fresh encryptions (bit-by-bit) of each argument \(x_i\in \{0,1\}^*\) under key \(\mathsf {pk}_i\), denoted \(c_i\leftarrow \mathsf {Enc}_{\mathsf {pk}_i}(x_i)\).

On such input, the \(\mathsf {Eval}\) procedure outputs a dimension \(n\ell \)-vector, \(\mathbf {c}'=(\mathbf {c}'_1 \ldots \mathbf {c}'_\ell )\) (with each \(\mathbf {c}'_i\in \mathbb {Z}_q^n\)),Footnote 4 such that for the secret keys \(\mathbf {s}_i\) corresponding to \(\mathsf {pk}_i\) it holds that

$$\begin{aligned} \sum _{i=1}^\ell \left\langle {\mathbf {s}_i,\mathbf {c}'_i}\right\rangle = \left\lfloor {q/2}\right\rfloor \cdot f(x_1,\ldots ,x_n) + e \pmod {q} \end{aligned}$$

for some error \(e\in \mathbb {Z}_q\) with \(|e|<\alpha q \cdot \mathsf{poly}(\kappa )\).

By further making a circular-security assumption, there exists a scheme that supports evaluation of circuits of any depth without growing the public keys.

3.2 \(\textsf {LWE}\)-Based AFS Spooky Encryption

Below we show that under the decision-LWE assumption we can construct AFS-spooky encryption schemes (in the common-random-string model). Namely, for every n-argument function \(f(x_1,\ldots ,x_n)\), given encryption of the arguments under n independent public keys, we can compute an encryption of shares under the same keys of an additive secret-sharing of the output \(y=f(x_1,\ldots ,x_n)\).

Theorem 2

Assuming the hardness of \(\alpha \)-\(\mathsf {DLWE}\), there exists a leveled \(\varepsilon \)-AFS-2-Spooky encryption scheme for \(\varepsilon =\alpha \cdot \mathsf{poly}(\kappa )\). Further making a circular-security assumption, we get a (non-leveled) \(\varepsilon \)-AFS-2-spooky encryption scheme.

Proof

We show that the encryption scheme from Theorem 1 is already essentially a leveled weak AFS-2-spooky encryption scheme. Specifically, Theorem 1 tells us that given the description of a depth-d circuit C, computing a 2-argument function \(f:(\{0,1\}^*)^2\rightarrow \{0,1\}\), together with two public-key and corresponding bit-by-bit encryptions, \(c_i \leftarrow \mathsf {Enc}_{\mathsf {pk}_i}(x_i)\), the \(\mathsf {Eval}\) procedure yields \((\mathbf {c}'_1,\mathbf {c}'_2) \leftarrow \mathsf {Eval}(C,(\mathsf {pk}_1,c_1),(\mathsf {pk}_2,x_2))\) such that \(\left\langle {\mathsf {sk}_1,\mathbf {c}'_1}\right\rangle +\left\langle {\mathsf {sk}_2,\mathbf {c}'_2}\right\rangle = y\cdot q/2 + e \pmod {q}\), where the \(\mathsf {sk}_i\)’s are the secret keys corresponding to the \(\mathsf {pk}_i\)’s, \(y=f(x_1,x_2)\), and \(|e|<\alpha q \cdot \mathsf{poly}(\kappa )=\varepsilon q\).

Denote \(v_i=[\left\langle {\mathsf {sk}_i,\mathbf {c}'_i}\right\rangle ]_q\) for \(i=1,2\) and \(v=[v_1+v_2]_q\). Lemma 1 below says that instead of first adding the \(v_i\)’s and then rounding to the nearest multiple of q / 2, we can first round and then add, and this will yield the same result except with error probability of at most \(2\varepsilon \). The only catch is that Lemma 1 assumes that \(v_1,v_2\) are chosen at random subject to their sum modulo q being v, whereas in our case we do not have this guarantee. To account for this, we modify our \(\mathsf {Spooky\text {-}Eval}\) procedure, letting it choose a random shift amount \(\delta \in \mathbb {Z}_q\) and adding/subtracting it from \(v_1,v_2\), respectively. More detail is provided in the full version [9].

Lemma 1

Fix some modulus \(q\in \mathbb {Z}\), bit \(b\in \{0,1\}\), and a value \(v\in \mathbb {Z}_q\) such that \(v=b\cdot q/2 + e\pmod {q}\) for some bounded error \(|e|<q/4\). Consider choosing \(v_1,v_2\) uniformly at random in \(\mathbb {Z}_q\) subject to \(v_1+v_2=v\pmod {q}\), and denote \(v_i = b_i \cdot q/2 + e_i \pmod {q}\) with \(b_i=[\left\lceil {v_i \cdot 2/q}\right\rfloor ]_2\in \{0,1\}\) and \(|e_i|\le q/4\). Then \(\Pr _{v_1,v_2}[b_1\oplus b_2 = b]> 1 - 2(|e|+1)/q\).

Proof

We break the proof into four cases, namely \(b=0\) vs. \(b=1\) and \(e\ge 0\) vs. \(e<0\). Below we prove only the first the case \(b=0\) and \(v=e\ge 0\), the other three cases are similar. For the first case consider choosing at random \(v_1\in \mathbb {Z}_q\) and setting \(v_2=[v-v_1]_q=[e-v_1]_q\). It is straightforward (but tedious) to check that the condition \(b_1\oplus b_2 = b=0\) is satisfied whenever we have

$$\begin{aligned} \text{ either }~v_1,v_2 \in \big (\frac{-q}{4}+e, \frac{q}{4}\big ),&\text{ or }&v_1,v_2 \in \big [\frac{-q}{2},\frac{-q}{4}\big )\cup \big (\frac{q}{4}+e,\frac{q}{2}\big ). \end{aligned}$$

For example when \(v_1\in \big (\frac{q}{4}+e,\frac{q}{2}\big )\) then we have \(b_1=1\) and

$$\begin{aligned} v_2=e-v_1\in \left( e-\frac{q}{2},~ e-(\frac{q}{4}+e)\right) \subseteq \big (-\frac{q}{2},~-\frac{q}{4}\big ), \end{aligned}$$

so we get also \(b_2=1\) and therefore \(b_1\oplus b_2=0=b\).

The only error regions are \(v_1,v_2\in (\frac{-q}{4}, \frac{-q}{4}+e)\), \(v_1,v_2\in (\frac{q}{4},\frac{q}{4}+v)\), and (depending on rounding) also upto two of the four points \(v_1\in \{\frac{\pm q}{4},~ \frac{\pm q}{4}+e\}\cap \mathbb {Z}\).

3.3 Beyond AFS-2-Spooky Encryption

The construction from Theorem 2 does not directly extend to functions with more than two arguments, since Lemma 1 no longer holds for more than two \(v_i\)’s (even for the no-error case of \(e=0\)). Instead, we can use the GMW-like transformation that was sketched in the introduction and is described in detail in Sect. 5 to get a general AFS-spooky scheme.

To support this transformation, we need an AFS-2-spooky scheme which is multi-hop (in the sense of [13]), i.e. we need to apply the spooky evaluation procedure not just to fresh ciphertexts, but also to evaluated ciphertexts that resulted from previous applications of spooky evaluation. The AFS-2-spooky scheme in Theorem 2 may or may not have this property, depending on the underlying multi-key FHE scheme. In particular the Peikert-Shiehian scheme in [26] is “natively multi-hop,” so we can base our construction on that scheme and get directly a multi-hop AFS-2-spooky scheme which is suitable for our transformation.

On the other hand, the schemes from [7, 22] support only one hop, since only fresh cipehrtexts can be processed in a multi-key fashion. We can stil use them for our purposes by applying the same bootstrapping-based transformation as in [13, Theorem 4], which transforms any compact fully-homomorphic scheme to a multi-hop one:Footnote 5 More details are provided in the full version [9].

Theorem 3

Assuming the hardness of \(\alpha \)-\(\mathsf {DLWE}\), there exists a leveled FHE scheme that supports d interleaved levels of AFS-2-spooky multiplications and single-key addition, with total error probability \(\varepsilon =\alpha \cdot d\cdot \mathsf{poly}(\kappa )\).

Corollary 1

Assuming the hardness of \(\alpha \)-\(\mathsf {DLWE}\), there exists a leveled \(\varepsilon \)-AFS-spooky encryption scheme for \(\varepsilon =\alpha \cdot d\cdot \mathsf{poly}(\kappa )\). Further making a circular-security assumption, we get a (non-leveled) \(\varepsilon \)-AFS-spooky encryption scheme.    \(\square \)

4 \(\mathsf {piO}\) Based Spooky Encryption

In this section we show a construction based on probabilistic \(\mathsf {iO}\), in conjunction with lossy homomorphic encryption, that can support many 2-key spooky relations, even beyond AFS-spooky. Compared to our LWE-based construction from Sect. 3, the construction here does not need a CRS and has zero error probability, and it supports more spooky distributions. On the other hand, we are making a much stronger assumption here, and also we need a different scheme for different spooky relations.Footnote 6

The construction in this section supports in particular the functionality that we need for our generic transformation from Sect. 5, that turns an AFS-2-spooky scheme to an AFS-n-spooky one. The resulting AFS-n-spooky also does not use a CRS and has no error probability. Moreover, applying this transformation yields a single scheme supporting all AFS-spooky relations.

Organization of this Section. In Sect. 4.1 we introduce our tools, defining probabilistic indistinguishability obfuscation (using a slightly weaker variant of the definition of Canetti et al. [6]) and lossy homomorphic encryption with malicious circuit privacy. In Sect. 4.2 we describe and prove our construction for 2-input spooky encryption scheme, and finally in Sect. 4.3 we show how to obtain a multi-input AFS-spooky encryption.

4.1 Tools

Probabilistic Indistinguishability Obfuscation. Our construction uses probabilistic \(\mathsf {iO}\), a notion that was recently introduced by Canetti et al. [6]. Loosely speaking, this is an obfuscator for probabilistic circuits with the guarantee that the obfuscations of any two “equivalent” circuits are computationally indistinguishable.

Canetti et al. define several variants of \(\mathsf {piO}\), where the main distinction is the precise formulation of what it means for circuits to be equivalent. Our definition corresponds to a (weakened variant) of their \(X\text {-}\mathsf {Ind}\;\mathsf {piO}\) (which can be realized assuming sub-exponentially secure \(\mathsf {iO}\) and sub-exponentially secure OWF, see Theorem 4 below). Roughly, our variant only considers pairs of circuits with the property that for every input, their output distributions are identical, while the definition in [6] allows a small statistical gap.

To formally define \(\mathsf {piO}\), we consider a (possibly randomized) PPT sampling algorithm S that given as input a security parameter \(1^\kappa \), outputs a triple \((C_0,C_1,z)\), where \(C_0\) and \(C_1\) are randomized circuits (to be obfuscated) and z is some auxiliary input. We say that a sampler S is an equivalent-circuit-sampler if with probability 1 it outputs circuits \(C_0\) and \(C_1\) such that for every x the circuits \(C_0(x)\) and \(C_1(x)\) generate identical distributions.

Definition 4

(Probabilistic Indistinguishable Obfuscation ( \(\mathsf {piO}\) ) , [6]). A probabilistic indistinguishability obfuscator is a probabilistic polynomial-time algorithm \(\mathsf {piO}\) that, given as input a security parameter \(1^\kappa \) and a probabilistic circuit C, outputs a circuit \(C' = \mathsf {piO}(1^\kappa ,C)\) (which may be deterministic) of size at most \(|C'| = \mathsf{poly}(\kappa ,|C|)\) such that the following two properties hold:

  1. 1.

    For every individual input x, the distribution C(x) and \(\big ( \mathsf {piO}(1^\kappa ,C) \big )(x)\) are identical.Footnote 7

  2. 2.

    For every equivalent-circuit-sampler S, drawing \((C_0,C_1,z) \leftarrow S(1^\kappa )\) we get computationally indistinguishable distributions:

    $$\begin{aligned} \left\{ (C_0,C_1,z,\mathsf {piO}(1^\kappa ,C_0))\right\} \mathop {=}\limits ^{c} \left\{ (C_0,C_1,z,\mathsf {piO}(1^\kappa ,C_1))\right\} \end{aligned}$$

We note that our correctness guarantee is incomparable to that given by [6]. Indeed, motivated by their PRF based construction, the definition in [6] basically requires that no PPT adversary can distinguish between oracle access to C and to \(\mathsf {piO}(1^\kappa ,C)\) (so long as the adversary is not allowed to repeat its queries). On the one hand our definition is weaker in that it only considers each input individually, but on the other hand it is stronger in that it requires that for each such individual input the distributions are identical. Our correctness guarantee can be easily obtained from the construction in [6], by using an underlying PRF \(\{f_s\}_s\) with the property that \(f_s(x)\) is individually uniformly random for every x. The latter can be easily obtained by taking any PRF and xor-ing its output with a fixed random string.

Theorem 4

[6]. Assuming the existence of a sub-exponentially indistinguishable indistinguishability obfuscator for circuits and a sub-exponentially secure puncturable PRF, there exists a probabilistic indistinguishability obfuscator.

Lossy Encryption. Loosely speaking, a lossy encryption scheme has a procedure \(\widetilde{\mathsf {Gen}}\) for generating “lossy public keys.” These keys are indistinguishable from normal public keys, but have the property that ciphertexts generated using such lossy keys contain no information about their plaintext. We defer the formal definition to the full version [9].

Malicious Circuit-Private Encryption. A public-key encryption scheme \((\mathsf {Gen},\mathsf {Enc},\mathsf {Dec})\), with message space \(\{0,1\}^\ell \), is a homomorphic encryption scheme for a class of Boolean circuits \(\mathcal {C}\) on \(\ell \)-bit inputs if there exists a PPT algorithm \(\mathsf {Eval}\), such that for every key-pair \((\mathsf {pk},\mathsf {sk})\), circuit \(C\in \mathcal {C}\) and ciphertext \(c=\mathsf {Enc}_\mathsf {pk}(x)\), where \(x \in \{0,1\}^\ell \), on input (Cc) the algorithm \(\mathsf {Eval}_{\mathsf {pk}}\) outputs \(c^*\) such that \(\mathsf {Dec}_\mathsf {sk}(c^*)=C(x)\). If the length of \(c^*\) does not depend on C then we say that the scheme is compact.

As noted in the introduction, our construction requires a homomorphic encryption scheme that has malicious circuit privacy, which means that the ciphertext \(c^*\) does not reveal any non-trivial information about the circuit C which was used to generate it, even for an adversarially chosen public-key \(\mathsf {pk}\) and ciphertext c. We defer the formal definition to the full version [9].

Malicious circuit privacy for evaluating \(\textsf {NC}_1\) circuits can be achieved by a “folklore” combination of an information theoretic variant of Yao’s garbled circuit [17] with an oblivious transfer protocol that has perfect security against a malicious receiver. The latter can be constructed based on \(\mathsf {DDH}\) [23]. Moreover, these schemes can be made lossy using standard techniques.

Moreover, we can apply the techniques of Ostrovsky et al. [24] to bootstrap this result to any poly-circuit, assuming the existence of (leveled) fully homomorphic encryption with \(\textsf {NC}_1\) decryption. The latter scheme can be instantiated based on LWE, see more details in the full version [9]. Hence we obtain:

Theorem 5

Assuming the hardness of \(\mathsf{LWE}\) and \(\mathsf {DDH}\), there exists a lossy leveled fully-homomorphic encryption scheme with malicious circuit privacy.

4.2 Two-Key Spooky Encryption from \(\mathsf {piO}\)

Our construction relies on a property of two-input relations that we call re-sampleability. Roughly, it should be possible to sample efficiently from the distribution of the second coordinate conditioned on a particular fixed value for the first coordinate.

Definition 5

(Efficiently Re-sampleable). A randomized polynomial-size circuit \(C: \{0,1\}^{\ell _1} \times \{0,1\}^{\ell _2} \rightarrow \{0,1\}^{\ell '_1} \times \{0,1\}^{\ell '_2}\) is efficiently re-sampleable if there exists a polynomial-size randomized “resampling circuit” \(RS_C\), such that for any input \((x_1,x_2)\) to C, the distribution \(C(x_1,x_2)\) is identical to the “resampled distribution” \(\left\{ {(y_1,y'_2)}:{(y_1,y_2)\leftarrow C(x_1,x_2),~ y'_2\leftarrow RS_C(x_1,x_2,y_1)} \right\} .\)

We construct a 2-key spooky scheme that supports any 2 input/output circuit that is both efficiently re-sampleable and no-signaling.

Theorem 6

(2-Key Spooky Encryption from \(\mathsf {piO}\) ). Let \(C: \{0,1\}^{\ell _1} \times \{0,1\}^{\ell _2} \rightarrow \{0,1\}^{\ell '_1} \times \{0,1\}^{\ell '_2}\) be an efficiently re-sampleable no-signaling circuit, with re-sampling circuit \(RS_C\). If there exist (1) \(\mathsf {piO}\), and (2) a perfectly-lossy homomorphic encryption scheme that can evaluate C and \(RS_C\), and is perfectly malicious circuit private, then there exists a C-spooky encryption scheme, which is also perfectly lossy (and hence semantically secure).

We stress that the encryption scheme that we need for Theorem 6 must be able to evaluate C and \(RS_C\) and be perfectly malicious circuit private, but it need not be compact. In the full paper we describe such a scheme for \(\textsf {NC}_1\) circuits based on \(\mathsf {DDH}\). Hence, under \(\mathsf {DDH}\) and \(\mathsf {piO}\), we get a C-spooky scheme for every re-sampleable and no-signaling C in \(\textsf {NC}_1\). Moreover, we can use the techniques of Ostrovsky et al. [24] to supports any poly-size circuit, assuming both \(\mathsf {DDH}\) and \(\textsf {FHE}\). Since [6] show that full-fledged \(\textsf {FHE}\) can be built based on \(\mathsf {piO}\), we get a construction under \(\mathsf {DDH}\) and \(\mathsf {piO}\) for C-spooky scheme for every re-sampleable and no-signaling polynomial-size circuit C.

Remark 1

(Almost No-Signaling). A natural relaxation of no-signaling circuits, considered in previous works (e.g., [11, 18, 19]), allows the distributions \(C(x,y)_1\) and \(C(x,y')_1\) to be indistinguishable (rather than identical). Such circuit is called almost no-signaling.

It is clear that for a secure C-spooky encryption scheme to exist, C must be (at least) almost no-signaling (cf. [11]). However our construction does not extend to the “almost” case, Theorem 6 requires that C to be perfectly no-signaling, i.e. \(C(x,y)_1\) and \(C(x,y')_1\) must be identically distributed for all \(x,y,y'\). Supporting almost no-signaling circuits is left to future work.

Proof of Theorem 6. Let \(\mathsf {piO}\) be a probabilistic indistinguishability obfuscator and let \((\mathsf {Gen},\mathsf {Enc},\mathsf {Dec})\) be the encryption scheme from the theorem statement, with \(\widetilde{\mathsf {Gen}}\) the corresponding lossy key generation algorithm and \(\mathsf {Eval}\) the homomorphic evaluation algorithm with malicious circuit privacy.

Each instance of our construction uses two public/secret keys pairs, where only the first pair is used for “normal encryption and decryption,” and the other pair is only used for spooky evaluation. In addition to the two pairs, the public key also contains an obfuscated program that implements spooky evaluation using the secret key. That obfuscated program has a secret key hard-wired, and given two ciphertexts \(c_1,c_2\) it decrypt the first one, then evaluates the re-sampling circuit \(RS_{C}\) homomorphically on the other. A complete description of the resulting scheme is found in Fig. 1.

We first show that the scheme supports spooky evaluation of C and then show that it is a lossy encryption scheme (and in particular is semantically secure).

Lemma 2

The scheme \((\mathsf {Gen\text {-}Spooky},\mathsf {Enc\text {-}Spooky},\mathsf {Dec\text {-}Spooky},\mathsf {Spooky\text {-}Eval}\)) is C-spooky.

Proof

The spooky evaluation procedure gets as input two public-keys \(\mathsf {pk\text {-}spooky}_1=\big (\mathsf {pk}1_1,\mathsf {pk}2_1,\tilde{P}_1\big )\), \(\mathsf {pk\text {-}spooky}_2=\big (\mathsf {pk}1_2,\mathsf {pk}2_2,\tilde{P}_2\big )\), and matching ciphertexts \(c_1=\mathsf {Enc\text {-}Spooky}(\mathsf {pk\text {-}spooky}_1,x_1)\) and \(c_2=\mathsf {Enc\text {-}Spooky}(\mathsf {pk\text {-}spooky}_2,x_2)\) (for some inputs \(x_1,x_2\) to C). It simply runs the obfuscated program \(\tilde{P}_1=\mathsf {piO}(1^\kappa ,P[\mathsf {sk}1_1,\mathsf {pk}2_1])\) on input \((c_1,\mathsf {pk}1_2,c_2)\) and returns its output.

Fig. 1.
figure 1

\(\mathsf {piO}\) based spooky encryption

Fig. 2.
figure 2

The probabilistic circuits \(P'[\mathsf {sk}1,\mathsf {pk}2]\) and \(P''[\mathsf {pk}2]\)

By construction and using the correctness of \(\mathsf {piO}\), this procedure outputs \(c_1'\) and \(c_2'\) such that \(c_1' \leftarrow \mathsf {Enc}(\mathsf {pk}2_1,y_1)\), where \(y_1 \leftarrow \big ( C(x_1,0^{\ell _2}) \big )_1\), and \(c_2' \leftarrow \mathsf {Eval}_{\mathsf {pk}1_2}(\mathsf {RS}[x_1,y_1,r],c_2)\), where \(\mathsf {RS}[x_1,y_1,r](x_2)\equiv RS_C(x_1,x_2,y_1;r)\). By the no-signaling property \(y_1\) is distributed identically to \(y'_1\leftarrow \big ( C(x_1,x_2) \big )_1\) and so \(c'_2\) is distributed as \(\mathsf {Eval}_{\mathsf {pk}1_2}(\mathsf {RS}[x_1,y'_1,r],c_2)\). Hence

$$\begin{aligned} \mathsf {Dec\text {-}Spooky}(\mathsf {sk\text {-}spooky}_1,c'_1)= & {} \mathsf {Dec}_{\mathsf {sk}1_1} \left( \mathsf {Enc}(\mathsf {pk}2_1,y'_1)\right) ~=~ y'_1 \\ \text{ and }~\mathsf {Dec\text {-}Spooky}(\mathsf {sk\text {-}spooky}_2,c'_2)= & {} \mathsf {RS}[x_1,y'_1,r](x_2) ~=~ RS_C\big (x_1,x_2,y'_1;r\big )_2. \end{aligned}$$

By the definition of re-sampling, the joint distribution \(\Big (\mathsf {Dec\text {-}Spooky}(\mathsf {sk\text {-}spooky}_1,c'_1), \mathsf {Dec\text {-}Spooky}(\mathsf {sk\text {-}spooky}_2,c'_2)\Big )\) is identical to \(C(x_1,x_2)\), as required.

Lemma 3

The scheme \((\mathsf {Gen\text {-}Spooky},\mathsf {Enc\text {-}Spooky},\mathsf {Dec\text {-}Spooky})\) is a perfectly lossy encryption scheme.

Proof

We need to show that there is an alternative key-generation procedure \(\widetilde{\mathsf {Gen\text {-}Spooky}}\), producing public keys that are indistinguishable from the real ones, but such that ciphertexts encrypted relative to these keys contain no information about the encrypted plaintext.

The main challenge in establishing the lossiness of the scheme is in showing that the public-keys are indistinguishable from lossy keys despite the obfuscated programs in the public-key (which depend on the corresponding secret keys). Toward that end, we will (gradually) show that these obfuscated programs are computationally indistinguishable from programs that do not depend on the secret keys.

Below we state and prove a few claims, where we consider the distributions \((\mathsf {pk}1,\mathsf {sk}1),(\mathsf {pk}2,\mathsf {sk}2) \leftarrow \mathsf {Gen}(1^\kappa )\) and \(\widetilde{\mathsf {pk}}1,\widetilde{\mathsf {pk}}2 \leftarrow \widetilde{\mathsf {Gen}}(1^\kappa )\), where \(\widetilde{\mathsf {Gen}}\) is the lossy key-generation of the underlying encryption scheme.

Claim 4.1

\(\Big (\mathsf {pk}1,\mathsf {pk}2,\mathsf {piO}(1^\kappa ,P[\mathsf {sk}1,\mathsf {pk}2]) \Big ) \overset{c}{=} \Big (\mathsf {pk}1,\widetilde{\mathsf {pk}}2,\mathsf {piO}(1^\kappa ,P[\mathsf {sk}1,\widetilde{\mathsf {pk}}2])\Big )\).

Proof

Follows from the indistinguishability between standard and lossy public-keys of the underlying scheme.

Claim 4.2

\(\Big (\mathsf {pk}1,\widetilde{\mathsf {pk}}2,\mathsf {piO}(1^\kappa ,P[\mathsf {sk}1,\widetilde{\mathsf {pk}}2])\Big ) \overset{c}{=} \Big (\mathsf {pk}1,\widetilde{\mathsf {pk}}2,\mathsf {piO}(1^\kappa ,P'[\mathsf {sk}1,\widetilde{\mathsf {pk}}2])\Big )\), where \(P'[\mathsf {sk}1,\widetilde{\mathsf {pk}}2]\) is similar to \(P[\mathsf {sk}1,\widetilde{\mathsf {pk}}2]\) except that it encrypts \(0^{\ell _1}\) rather than \(y_1\) in Step 3, see Fig. 2.

Proof

Since \(\widetilde{\mathsf {pk}}2\) is a lossy public-key, \(\mathsf {Enc}_{\widetilde{\mathsf {pk}}2}(0^{\ell _1})\) and \(\mathsf {Enc}_{\widetilde{\mathsf {pk}}2}(y_1)\) are identically distributed. Hence P and \(P'\) have identical output distribution for every input, and so their \(\mathsf {piO}\)-obfuscations are indistinguishable.

We proceed to the main claim:

Claim 4.3

\(\Big (\mathsf {pk}1,\widetilde{\mathsf {pk}}2,\mathsf {piO}(1^\kappa ,P'[\mathsf {sk}1,\widetilde{\mathsf {pk}}2])\Big ) \overset{c}{=}\Big (\mathsf {pk}1,\widetilde{\mathsf {pk}}2,\mathsf {piO}(1^\kappa ,P''[\widetilde{\mathsf {pk}}2])\Big )\), where the program \(P''[\widetilde{\mathsf {pk}}2]\), defined in Fig. 2, does not have the secret key \(\mathsf {sk}1\) (hence it cannot recover \(x_1\) or compute \(y_1\)), so on \(c=\mathsf {Enc}_{\mathsf {pk}}(x_2)\) it evaluates homomorphically \(f''(x_2)=C(0^{\ell _1},x_2)_2\) rather than \(f'(x_2)=RS_C(x_1,x_2,y_1)\).

Proof

We will show that for every valid secret key \(\mathsf {sk}1\) and arbitrary public key \(\widetilde{\mathsf {pk}}2\), the randomized programs \(P'[\mathsf {sk}1,\widetilde{\mathsf {pk}}2]\) and \(P''[\widetilde{\mathsf {pk}}2]\) are functionally identical, in the sense that their outputs are identically distributed for every input. The claim will then follow from the fact that \(\mathsf {piO}\) is a probabilistic indistinguishability obfuscator (see Definition 4).

Note that the first output \(c'_1=\mathsf {Enc}_{\widetilde{\mathsf {pk}}2}(0^{\ell '_1})\) is generated identically by the two programs, and is independent of everything else that happens in these programs, so we only need to show that the second output \(c'_2\) is identically distributed. To show this, we first establish that \(c'_2\) is an encryption under \(\mathsf {pk}\) of a value \(y_2\) that is distributed identically in the two programs, and then we appeal to the malicious circuit-privacy of the underlying scheme to conclude that also \(c'_2\) itself is identically distributed.

For starters, fix some arbitrary \(x_1\in \{0,1\}^{\ell _1}\) and \(x\in \{0,1\}^{\ell _2}\), and consider the following distributions

$$\begin{aligned} \begin{array}{rcll} \mathcal {D}_1[x_1,x] &{}=&{} \big \{ y_1\leftarrow C(x_1,0^{\ell _2})_1,~ \text{ output }~y_2\leftarrow RS_C(x_1,x,y_1)\big \}, &{} \text{// } \text{ Output } \text{ distribution } \text{ of } P'\\ \mathcal {D}_2[x_1,x] &{}=&{} \big \{ y_1\leftarrow C(x_1,x)_1,~~~ \text{ output }~y_2\leftarrow RS_C(x_1,x,y_1)\big \}, \\ \mathcal {D}_3[x_1,x] &{}=&{} \big \{ \text{ output }~y_2\leftarrow C(x_1,x)_2 \big \},\\ \mathcal {D}_4[x] &{}=&{} \big \{ \text{ output }~y_2\leftarrow C(0^{\ell _1},x)_2 \big \}. &{} \text{// } \text{ Output } \text{ distribution } \text{ of } P'' \end{array} \end{aligned}$$

Since C is a no-signaling circuit then \(\mathcal {D}_1[x_1,x]=\mathcal {D}_2[x_1,x]\) and \(\mathcal {D}_3[x_1,x]=\mathcal {D}_4[x]\), and since \(R_C\) is the re-sampling circuit for C then we also have \(\mathcal {D}_2[x_1,x]=\mathcal {D}_3[x_1,x]\). We therefore conclude that the two distributions \(\mathcal {D}_1[x_1,x]\) and \(\mathcal {D}_4[x]\) are identical for every \(x_1,x\).

Now consider \(x_1=\mathsf {Dec}_{\mathsf {sk}1}(c_1)\), and x which is the “effective plaintext” for \(\mathsf {pk},c\) (such x must exist since the underlying scheme is malicious circuit-private). Recall that the second output of \(P'[\mathsf {sk}1,\widetilde{\mathsf {pk}}2]\) consists of a homomorphic evaluation of \(\mathcal {D}_1[x_1,x]\), while the second output of \(P''[\widetilde{\mathsf {pk}}2]\) consists of homomorphic evaluation of \(\mathcal {D}_4[x]\). Using perfect malicious circuit privacy, we conclude that these outputs are identically distributed.

Having established that the output distributions of \(P'[\mathsf {sk}1,\widetilde{\mathsf {pk}}2]\) and \(P''[\widetilde{\mathsf {pk}}2]\) are identical (for every input), the claim follows because \(\mathsf {piO}\) is a probabilistic indistinguishability obfuscator.

Claim 4.4

\(\Big (\mathsf {pk}1,\widetilde{\mathsf {pk}}2,\mathsf {piO}(P''_{\widetilde{\mathsf {pk}}2})\Big ) \overset{c}{=} \Big (\widetilde{\mathsf {pk}}1,\widetilde{\mathsf {pk}}2,\mathsf {piO}(P''_{\widetilde{\mathsf {pk}}2})\Big )\).

Proof

This claim follows from the indistinguishability between standard and lossy public-keys of the underlying scheme.

Combining Claims 4.1-4.3, the two distributions \(\Big (\mathsf {pk}1,\mathsf {pk}2,\mathsf {piO}(P_{\mathsf {sk}1,\mathsf {pk}2})\Big )\) and \(\Big (\widetilde{\mathsf {pk}}1,\widetilde{\mathsf {pk}}2,\mathsf {piO}(P''_{\widetilde{\mathsf {pk}}2})\Big )\) are computationally indistinguishable. We complete the proof of Lemma 3 by observing that keys drawn from the latter distribution are lossy, since the key \(\widetilde{\mathsf {pk}}1\) is lossy, the \(\mathsf {Enc\text {-}Spooky}\) procedure just uses the underlying encryption procedure with \(\widetilde{\mathsf {pk}}1\), and the program \(P''[\mathsf {pk}2]\) that we obfuscate is independent of \(\widetilde{\mathsf {pk}}1\).

4.3 \(\mathsf {piO}\) Based Multi-key Spooky Encryption

To obtain spooky encryption for more than two inputs, we would like to invoke our general transformation from 2-key spooky encryption to n-key spooky encryption (see Theorem 8). The scheme in Theorem 6 supports spooky multiplication, but we need it to support multiple alternating hops of (single-key) additive homomorphism and spooky multiplication. This is obtained by the following lemma:

Lemma 4

Assume the existence of (1) \(\mathsf {piO}\) and (2) a lossy encryption scheme that is homomorphic for all one-bit to one-bit functions with perfect malicious circuit privacy. Then, for every \(d=d(\kappa )\), there exists an encryption scheme that supports d interleaved levels of AFS-2-spooky multiplications and single-key additions.

Proof (Proof Sketch). To obtain an additive homomorphism, we use a construction of Canetti et al. [6] which, assuming \(\mathsf {piO}\), transforms any lossy encryption into a d-leveled \(\textsf {FHE}\). This is done by taking d copies of keys of the original lossy scheme and publishing \(d-1\) obfuscated programs where the \(i^\mathrm{{th}}\) obfuscated program takes as input two ciphertexts encrypted under the \(i^\mathrm{{th}}\) key, decrypts them (using the \(i^\mathrm{{th}}\) private-key which is hard-wired) applies one operation (AND, XOR, NAND, etc.) and encrypts the result under the \((i+1)^\mathrm{{th}}\) key. Using the fact that the scheme is lossy, Canetti et al.  show that the \(\mathsf {piO}\) obfuscation hides the hard-wired private keys and semantic security is maintained.

For our application, we need to compute multiple spooky multiplications, and then sum them up with single-key addition. To get n-input AFS-spooky we need to sum up n ciphertexts, which can be done using an addition tree of depth \(d=\log n\).

Looking more closely at the construction from [6], we observe that by setting \(d=i \log {n}\) we can already support i interleaving hops of (single-key) additive homomorphism and 2-input spooky multiplications. This follows since the transformation in [6] has the property that after every additive homomorphic operation, we obtain a fresh ciphertext (under a new-key).

Using the scheme from Lemma 4 and applying Theorem 8, we get:

Theorem 7

( n -Key Spooky from \(\mathsf {piO}\) ). Assume existence of (1) \(\mathsf {piO}\) and (2) a lossy encryption scheme that is homomorphic for all single-bit to single-bit functions with perfect malicious circuit privacy. Then there exists a leveled AFS-spooky encryption scheme.

5 From 2-Input to n-Input AFS-Spooky

Theorem 8

(2-Spooky to n -Spooky). Let \(d=d(\kappa )\) and assume that there exists a public-key bit-encryption scheme that supports 2d (interleaving) hops of (1) single-key compact additive homomorphism and (2) two-key spooky multiplication. Then, that same scheme is a d-level AFS-spooky encryption.

Proof

Let \((\mathsf {Gen},\mathsf {Enc},\mathsf {Dec})\) be the encryption scheme in the theorem statement, let Spooky-Mult be the spooky multiplication PPT algorithm and let \(\mathsf {Eval}\) be the single-key homomorphic evaluation algorithm (that supports compact additive homomorphism). We show a procedure that given as input:

  1. 1.

    A depth-d, fan-in-2, n-input arithmetic circuit over \(\mathsf {GF}(2)\), \(C:(\{0,1\}^*)^n\rightarrow \{0,1\}\);

  2. 2.

    n public-keys \(\mathsf {pk}_1,\dots ,\mathsf {pk}_n\); and

  3. 3.

    n ciphertexts \(c_1,\dots ,c_n\), where \(c_j = \mathsf {Enc}(\mathsf {pk}_j,x_j)\),

outputs a sequence of ciphertexts \(c'_1,\dots ,c'_n\) such that \(\sum _{j \in [n]} \mathsf {Dec}_{\mathsf {sk}_j}(c'_j) = C(x_1,\dots ,x_n)\) (where addition is over \(\mathsf {GF}(2)\)).

The procedure processes the circuit wire by wire. We maintain the invariant that whenever a wire w is processed, the procedure generates ciphertexts \(c^{(w)}_1,\ldots ,c^{(w)}_n\) such that \(\sum _{j \in [n]} \mathsf {Dec}_{\mathsf {sk}_j}(c^{(w)}_{j})\) is the correct value of the wire w when the circuit C is evaluated on input \((x_1,\dots ,x_n)\). Furthermore, if the wire w is at distance i from the input then \(c^{(w)}_1,\dots ,c^{(w)}_n\) have passed at most 2i hops of homomorphic operations. In particular, at the end of the process the procedure will have generated the sequence of ciphertexts \(c^{\mathrm {out}}_1,\ldots ,c^{\mathrm {out}}_n\) such that \(\sum _{j \in [n]} \mathsf {Dec}_{\mathsf {sk}_j}(c^{\mathrm {out}}_{j})\) is equal to the output value of the circuit, as required. We proceed to describe how the wires are (inductively) processed.

Consider an input wire w, corresponding to an input bit b which is part of the \(i^\mathrm{{th}}\) input \(x_i\), and for which we are given the input ciphertext \(c=\mathsf {Enc}_{\mathsf {pk}_i}(b)\). For that wire we set \(c^{(w)}_{i} = c\) and \(c^{(w)}_{j} = \mathsf {Enc}_{\mathsf {pk}_{j'}}(0)\) for all \(j \ne i\). Hence, \(\sum _{j \in [n]} \mathsf {Dec}_{\mathsf {sk}_j}(c^{(w)}_j) = \mathsf {Dec}_{\mathsf {sk}_{i}}(c) = b\), which is the correct value for the wire w.

Consider a gate g with input wires uv and output wire w. Let \(b_u\) (resp., \(b_v\)) be the value on the wire u (resp., v) when C is evaluated on input \((x_1,\dots ,x_n)\). By induction, we have already generated ciphertexts \(c^{(u)}_1,\dots ,c^{(u)}_n\) and \(c^{(v)}_1,\dots ,c^{(v)}_n\) such that \(\sum _{j \in [n]} \mathsf {Dec}_{\mathsf {sk}_j}(c^{(u)}_j) = b_u\) and \(\sum _{j \in [n]} \mathsf {Dec}_{\mathsf {sk}_j}(c^{(v)}_j) = b_v\).

For the case that g is an addition gate, we set \(c^{(w)}_j = \mathsf {Eval}\left( \mathsf {pk}_j,\oplus ,c^{(u)}_j,c^{(v)}_j \right) \) and we get:

$$\begin{aligned} \sum _{j \in [n]} \mathsf {Dec}_{\mathsf {sk}_j}(c^{(w)}_j) = \sum _{j \in [n]} \mathsf {Dec}_{\mathsf {sk}_j}(\mathsf {Eval}_{\mathsf {pk}_j}(\oplus ,c^{(u)}_j,c^{(v)}_j)) = \sum _{j \in [n]} \mathsf {Dec}_{\mathsf {sk}_j}(c^{(u)}_j) \;\oplus \; \mathsf {Dec}_{\mathsf {sk}_j}(c^{(v)}_j) = b_u \oplus b_v, \end{aligned}$$

which is the correct value for the wire w. Furthermore, each new ciphertext was obtained by just a single homomorphic operation.

Now consider the case that g is a multiplication gate. We first compute auxiliary ciphertexts \((f_{j,j'},g_{j,j'}) = \textsf {Spooky\text {-}Mult}(\mathsf {pk}_j,\mathsf {pk}_{j'},c^{(u)}_j,c^{(v)}_{j'})\), for every \(j,j' \in [n]\). We then set

$$\begin{aligned} c^{(w)}_j = \mathsf {Eval}_{\mathsf {pk}_j}(\oplus , f_{j,1},\ldots ,f_{j,n},g_{1,j},\ldots ,g_{n,j}). \end{aligned}$$

We obtain that:

$$\begin{aligned} \sum _{j \in [n]} \mathsf {Dec}_{\mathsf {sk}_j}\big (c^{(w)}_j\big )&= \sum _{j\in [n]} \mathsf {Dec}_{\mathsf {sk}_j}\big (\mathsf {Eval}_{\mathsf {pk}_j}( \oplus ,x_{j,1},\dots ,x_{j,n},y_{1,j},\dots ,y_{n,j})\big ) \\&= \sum _{j\in [n]} \sum _{j'\in [n]} \mathsf {Dec}_{\mathsf {sk}_j}(f_{j,j'}) \oplus \mathsf {Dec}_{\mathsf {sk}_j}(g_{j',j}) \\&= \sum _{j\in [n]} \sum _{j'\in [n]} \mathsf {Dec}_{\mathsf {sk}_j}(c^{(u)}_j) \cdot \mathsf {Dec}_{\mathsf {sk}_j}(c^{(v)}_{j'}) \\&= \Big (\sum _{j\in [n]} \mathsf {Dec}_{\mathsf {sk}_j}(c^{(u)}_j)\Big ) \cdot \Big (\sum _{j'\in [n]} \mathsf {Dec}_{\mathsf {sk}_j}(c^{(v)}_{j'})\Big ) ~~=~~ b_u \cdot b_v, \end{aligned}$$

which is the correct value for the wire w (where the fourth equality is due to the Spooky-Mult guarantee). Furthermore, each new ciphertext was obtained by applying two hops of homomorphic operations.

6 Applications of Spooky Encryption

6.1 Counter Example for the [1] Heuristic

Building on [11], we show that AFS-2-spooky encryption gives a counter-example to a natural method proposed by Aiello et al. [1] for building succinct arguments for \(\textsf {NP}\), resolving a question posed by [11]. The suggestion of Aiello et al. [1] was to take any multi-prover interactive proof-system (\(\textsf {MIP}\)) and to use that proof-system using only a single prover by sending all of the \(\textsf {MIP}\) queries encrypted under independents keys of a homomorphic encryption scheme.Footnote 8 The fact that the scheme is homomorphic allows the honest prover to answer the different queries (homomorphically) and the intuition was that the use of different keys means that only local homomorphisms are possible. Dwork et al. [11] questioned this intuition and raised the question of whether there exist spooky encryption schemes that allow for other kinds of attacks which can break the soundness of the [1] protocol. We show that this is indeed the case: there exists an \(\textsf {MIP}\) (suggested by [11]) which, when combined with any AFS-2-spooky encryption scheme via the [1] transformation, yields an insecure protocol. The \(\textsf {MIP}\) that we use is based on a \(\textsf {PCP}\) for 3-coloring due to Petrank [27]:

Theorem 9

[27]. There exists a universal constant \(\varepsilon >0\) such that distinguishing between the following two types of graphs is \(\textsf {NP}\) complete:

  • G is 3-colorable.

  • Every 3-coloring of G has at least \(\varepsilon \) fraction of monochromatic edges.

This PCP leads to the following natural \(\textsf {MIP}\) protocol between a verifier V and two non-communicating provers \(P_1\) and \(P_2\) (who, in case G is 3-colorable, also have access to the same 3-coloring of G).

  1. 1.

    V chooses a random edge \((u,v) \in E\), then with probability 1 / 3 it sets \(q_1=u\) and \(q_2=v\), with probability 1 / 3 it sets \(q_1=u\) and \(q_2=u\), and with probability 1 / 3 it sets \(q_1=v\) and \(q_2=v\). V sends \(q_1\) to \(P_1\) and \(q_2\) to \(P_2\).

  2. 2.

    Each \(P_i\) sends the color \(a_i \in \{0,1,2\}\) of the vertex \(q_i\) (encoded as two bits).

  3. 3.

    V accepts if \(q_1=q_2\) and \(a_1=a_2\), or if \(q_1 \ne q_2\) and \(a_1 \ne a_2\).

Completeness and soundness are easy to see, some details are given in the full version [9].

Insecurity of the 3-Coloring \(\textsf {MIP}\). Composed the foregoing \(\textsf {MIP}\) with any AFS-2-spooky encryption scheme yields an insecure protocol. More specifically, the cheating prover is given ciphertexts \(c_1=\mathsf {Enc}_{\mathsf {pk}_1}(q_1)\) and \(c_2=\mathsf {Enc}_{\mathsf {pk}_2}(q_2)\). Loosely speaking, using the spooky evaluation algorithm it can produce ciphertexts \(\mathsf {Enc}_{\mathsf {pk}_1}(a_1)\) and \(\mathsf {Enc}_{\mathsf {pk}_2}(a_2)\) for bits \(a_1,a_2 \in \{0,1\}\) such that \(a_1=a_2\) if and only if \(u=v\). It sends as its answers to V the ciphertext \(\left( \mathsf {Enc}_{\mathsf {pk}_1}(0),\mathsf {Enc}_{\mathsf {pk}_1}(a_1) \right) \) as its answer to the first query and \(\left( \mathsf {Enc}_{\mathsf {pk}_1}(0),\mathsf {Enc}_{\mathsf {pk}_1}(a_2) \right) \) as its answer to the second query (the extra encryption of 0 is used simply because the verifier expects an answer with 2 bits).

Now, if the verifier choose \(q_1=u\) and \(q_2=v\) (corresponding to the first of the three possibilities) then \(q_1 \ne q_2\) and so \(a_1 \ne a_2\) and the verifier accepts. Otherwise, (i.e. if \(q_1=q_2\)) then we have that \(a_1=a_2\) and again the verifier accepts. Hence, we have shown a strategy that breaks the soundness of the scheme with probability 1.

6.2 2-Round \(\textsf {MPC}\) from AFS-Spooky Encryption

AFS-spooky encryption seems to be a useful tool for minimally-interactive multi-party protocols: it lets each party broadcast an encryption of its input under its own key, then everyone individually performs the AFS-spooky evaluation locally, and each party can locally decrypt and recover a share of the output (relative to an additive n-out-of-n secret-sharing scheme). Finally another round of communication can be used to recover the secret from all the shares. Implementing this the approach requires attention to some details, such as ensuring that the spooky evaluation is deterministic (so that all the parties arrive at the same sharing) and making the shares simulatable. The latter can be done by having each party distribute a random additive sharing of 0 in the first round, and then adding all their received shares to their spooky generated share before broadcasting it in the second round.

A different (but similar) avenue for implementing 2-round MPC, is by reducing AFS-spooky encryption to multi-key FHE with threshold decryption (TMFHE). This primitive was recently formalized by Mukherjee and Wichs [22], who showed how to use it to generically construct 2-round MPC. Just like spooky encryption, a TMFHE scheme can homomorphically process n ciphertexts \(c_1,\ldots ,c_n\), encrypting values \(x_1,\ldots ,x_n\) under independent public keys \(\mathsf {pk}_1,\ldots ,\mathsf {pk}_n\), producing for any function f a ciphertext \(c^* = \mathsf {Eval}(f, (\mathsf {pk}_1,c_1),\ldots ,(\mathsf {pk}_n,c_n))\). The ciphertexts \(c^*\) cannot be decrypted by any single secret keys \(\mathsf {sk}_i\) individually, but each party can compute a partial decryption \(y_i = \mathsf {PartDec}_{\mathsf {sk}_i}(c^*)\) and these y’s can be combined to get \(y = \mathsf {FinDec}(y_1,\ldots ,y_n)=f(x_1,\ldots ,x_n)\). For security, Mukherjee and Wichs required that for each individual i, the partial decryption \(y_i\) can be simulated given the evaluated ciphertext \(c^*\), the final output y and the secret key \(\mathsf {sk}_j\) for \(j \ne i\) (see [22] for formal definitions).

We observe that an AFS-spooky encryption with perfect correctness immediately yields a TMFHE scheme. The homomorphic evaluation procedure \(\mathsf {Eval}\) of the TMFHE runs the \(\mathsf {Spooky\text {-}Eval}\) procedure of the AFS-spooky encryption and sets \(c^* = (c'_1,\ldots ,c'_n)\) to be the resulting ciphertexts. The partial decryption procedure \(\mathsf {PartDec}_{\mathsf {sk}_i}(c^*)\) outputs \(y_i = \mathsf {Dec}_{\mathsf {sk}_i}(c'_i)\) and the combination procedure \(\mathsf {FinDec}(y_1,\ldots ,y_n)\) outputs \(y = \bigoplus _{i=1}^n y_i\). For security, we observe that each partial decryption \(y_i\) can be simulated given \(c^* = (c'_1,\ldots ,c'_n)\), y and \(\mathsf {sk}_j\) for \(j \ne i\) by computing \(y_j = \mathsf {Dec}_{\mathsf {sk}_j}(c'_j)\) and setting \(y_i = y \oplus (\bigoplus _{j \ne i} y_j)\).Footnote 9 This proves the following theorem.

Theorem 10

An AFS-spooky encryption scheme with perfect correctness implies a multi-key FHE with threshold decryption (TMFHE).

Using the above theorem and the results of [22] which constructs a 2-round MPC from TMFHE, we get the following corollaries.

Corollary 2

Assuming the existence of a weak AFS-spooky encryption scheme:

  • There exists a 2-round \(\mathsf{MPC}\) protocol with semi-honest security. If the encryption scheme is in the plain model then so is the \(\mathsf{MPC}\) protocol and if the encryption scheme requires a CRS then so does the \(\mathsf{MPC}\) protocol.

  • Furthermore, assuming the existence of NIZKs in the CRS model, there exists a 2-round \(\mathsf{MPC}\) protocol with malicious security in the CRS model.

Combining this with our construction of AFS-spooky encryption without a CRS from iO, we get the first construction of a 2-round semi-honest \(\textsf {MPC}\) protocol in the plain model.

Corollary 3

Assume existence of (1) \(\mathsf {piO}\) and (2) a lossy encryption scheme that is homomorphic for all single-bit to single-bit functions with perfect malicious circuit privacy. Then, there exists a 2-round \(\mathsf{MPC}\) protocol with semi-honest security in the plain model.

6.3 Function Secret Sharing

Function secret sharing (FSS), recently introduced by Boyle, Gilboa and Ishai [4], allows a dealer to split a function f into k succinctly described functions \(\hat{f}_1,\ldots ,\hat{f}_k\) such that (1) any strict subset of the \(\hat{f}_i\)’s reveals nothing about f and (2) for any x it holds that the values \(\hat{f}_1(x),\ldots ,\hat{f}_k(x)\) are an additive secret sharing of f(x). Boyle et al. gave constructions under standard assumptions for certain restricted families of functions and a general construction for any poly-size circuit, based on \(\mathsf {piO}\). We show how to construct such a general FSS scheme given any AFS-spooky encryption scheme. In particular, we obtain a leveled FSS scheme assuming only \(\textsf {LWE}\).

To construct such an FSS scheme, the dealer first generates a k-out-of-k secret sharing \(f_1,\dots ,f_k\) of the description of the function f. The dealer also generates k key pairs \((\mathsf {pk}_i,\mathsf {sk}_i)_{i \in [k]}\) for the AFS spooky scheme and publishes \(\hat{f}_i \mathop {=}\limits ^\mathrm{def}\left( \mathsf {sk}_i,\mathsf {pk}_1,\dots ,\mathsf {pk}_k,\mathsf {Enc}_{\mathsf {pk}_1}(f_1),\dots ,\mathsf {Enc}_{\mathsf {pk}_k}(f_k) \right) \) as the \(i^\mathrm{{th}}\) share. Assuming the scheme is semantically secure, any strict subset of the \(\hat{f}_i\)’s hides the original function f (upto its description length).

For the FSS functionality, given an input x we can consider the circuit \(C_x\) that takes as input k shares of a function f, adds them up and applies the resulting function to the input x (which, say, is hardwired). To evaluate \(\hat{f}_i\) on x, we run the spooky evaluation algorithm, which we assume wlog is deterministic, on \(\mathsf {Enc}_{\mathsf {pk}_1}(f_1),\ldots ,\mathsf {Enc}_{\mathsf {pk}_k}(f_k)\) with respect to the circuit \(C_x\). Thus, given each \(\hat{f}_i\) separately, we can generate the same ciphertexts \(c_1,\dots ,c_k\) which are encryptions of an additive secret sharing of f(x). Each function \(\hat{f}_i\) can then be used to decrypt \(c_i\) and publish its share of f(x).

A De-centralized View. We remark that the above construction can be viewed as a de-centralized FSS. More specifically, we may have some k (not necessarily secret or functional) shares \(f_1,\ldots ,f_k\) of a function f, where each share is owned by a different player. Player i can generate a key pair \((\mathsf {pk}_i,\mathsf {sk}_i)\) and broadcast \((\mathsf {pk}_i,\mathsf {Enc}_{\mathsf {pk}_i}(f_i))\) to all other players. Using our scheme, after learning the input x, the players can (non-interactively) generate an additive secret sharing of f(x).

7 Spooky-Free Encryption

We turn now to study spooky-free encryption, i.e. an encryption scheme that ensures that no spooky relations can be realized by an adversary. The formal definition roughly states that any correlation that an attacker can induce between the original messages \((m_1,\ldots ,m_n)\) and “tampered messages” \((m_1',\ldots ,m_n')\), can be simulated by a “local simulator” that produces \(m_i'\) only as a function of \(m_i\) (and some shared randomness).

Definition 6

(Spooky-Free Encryption). An encryption scheme \((\mathsf {Gen}, \mathsf {Enc}, \mathsf {Dec})\) is spooky-free if for every PPT adversary \(\mathcal {A}\) there exists a PPT simulator \(\mathcal {S}\) such that for all PPT message distributions \(\mathcal {D}\), the two distributions \(\mathbf {REAL}_{\mathcal {D},\mathcal {A}}(\kappa )\) and \(\mathbf {SIM}_{\mathcal {D},\mathcal {S}}(\kappa )\) specified below are computationally indistinguishable:

figure b

It is not hard to see that spooky-freeness for \(n\ge 2\) implies semantic security. As a small subtlety, here the attacker must choose the messages it claims to distinguish before seeing the public-key, since the message sampler \(\mathcal {D}\) does not know anything public keys used in the real experiment. (We defined it this way since stronger security was not needed for our delegation application.) Of course, this minor difference from standard semantic security is without loss of generality when the message space is polynomial small (e.g., for bit encryption).

Lemma 5

A spooky-free scheme for \(n\ge 2\) is semantically secure (in the “selective” sense discussed above).

Proof

Suppose that a scheme \((\mathsf {Enc},\mathsf {Dec},\mathsf {Gen})\) is not semantically secure, and let B be an attacker that can distinguish \(\mathsf {Enc}_{\mathsf {pk}}(x_0)\) from \(\mathsf {Enc}_{\mathsf {pk}}(x_1)\). We use B to construct a sampler \(\mathcal {D}\) and attacker \(\mathcal {A}\) that can fool any simulator \(\mathcal {S}\) with non-negligible probability. We assume that \(\mathcal {D}\) and \(\mathcal {A}\) (and S) know the messages \(x_0\) and \(x_1\) whose encryption B can distinguish.

\(\mathcal {D}\) draws at random \(m_1\leftarrow \{x_0,x_1\}\) and sets \(m_i:=0\) for \(i>1\). Upon seeing n ciphertexts \(c_1,\ldots ,c_n\), \(\mathcal {A}\) gives \(c_1\) to B, asking him to guess whether it encrypts \(x_0\) or \(x_1\). Let \(\sigma \) be the guess that B makes, then we know that \(m_1 = x_\sigma \) with probability \(\ge 1/2+\varepsilon \). \(\mathcal {A}\) then sets \(c'_i=c_i\) for all \(i\ne 2\), and sets \(c'_2\) to be a fresh encryption of \(x_\sigma \) under \(\mathsf {pk}_2\).

As we can see, the output of the real experiment has the tuple \((m_1,m_2')\) distributed as \((x_b,x_\sigma )\), where b is a random bit and \(\sigma =b\) with probability \(\ge 1/2+\varepsilon \). On the other hand, the simulator for the second message \(m_2'\) is only given \(m_2=0\) as the input, and has to guess \(\sigma '\) s.t., \(\Pr [b=\sigma ']\ge 1/2+\varepsilon \), which is impossible information-theoretically.

In the full version of this work [9] we show that spooky-free homomorphic encryption is exactly the ingredient needed to instantiate the idea of Aiello et al. [1] for converting general multi-prover (\(\textsf {MIP}\)) systems into single-prover arguments.Footnote 10 We also show there that non-malleable encryption is always spooky-free (albeit without any homomorphic capabilities), and we construct a spooky-free FHE scheme using a strong security component called succinct non-interactive argument of knowledge (SNARK).Footnote 11

Spooky-Free Encryption with CRS. Definition 6 can be naturally extended to the common-reference-string model. We use this relaxation in the full version to gain somewhat better efficiency (at the price of a slightly harder proof of security). We note that, unlike the setting of spooky encryption from Sect. 3, we do not need the CRS to get the desired functionality, but rather use it only to improve efficiency. Our construction remains spooky-free (but slower) if all the public keys are chosen completely independently.