Cryptology ePrint Archive: Report 2013/307
Maliciously Circuit-Private FHE
Rafail Ostrovsky and Anat Paskin-Cherniavsky and Beni Paskin-Cherniavsky
Abstract: We present a framework for transforming FHE (fully homomorphic encryption) schemes with no circuit privacy requirements into maliciously circuit-private FHE. That is, even if both maliciously formed public key and ciphertext are used, encrypted outputs only reveal the evaluation of the circuit on some well-formed input $x^*$.
Previous literature on FHE only considered semi-honest circuit privacy.
Circuit-private FHE schemes have direct applications to computing on encrypted data. In that setting, one party (a receiver) holding an input $x$ wishes to learn the evaluation of a circuit $C$ held by another party (a sender). The goal is to make receiver's work sublinear (and ideally independent) of $|C|$, using a 2-message protocol.
The transformation technique may be of independent interest, and have various additional applications.
The framework uses techniques akin to Gentry's bootstrapping and conditional disclosure of secrets (CDS [AIR01]) combining a non circuit private FHE scheme, with a homomorphic encryption (HE) scheme for a smaller class of circuits which is maliciously circuit-private.
We devise the first known circuit private FHE, by instantiating our framework by various (standard) FHE schemes from the literature.
Category / Keywords: Fully homomorphic encryption, computing on encrypted data, privacy, malicious setting
Original Publication (with major differences): IACR-CRYPTO-2014
Date: received 22 May 2013, last revised 19 Aug 2014
Contact author: anps83 at gmail com
Available format(s): PDF | BibTeX Citation
Note: Full version for submission to CRYPTO 2014. Added:
* Added a new multi-hop circuit-private FHE result.
* Separated steps 1 and 2, so now the construction precisely follows the outline in the intro (upto an optional simplification).
* Improved notation and presentation.
Version: 20140819:102523 (All versions of this report)
Discussion forum: Show discussion | Start new discussion
[ Cryptology ePrint archive ]