Let λ denote a security parameter. When we speak of a negligible function negl(λ), we mean a function that is asymptotically bounded from above by the reciprocal of all polynomials in λ.
CCA1Secure fully homomorphic encryption
Definition 1
((Canetti et al. 2017)) Let \(\mathcal {M}\) be a message space. A CCA1secure FHE scheme is a tuple of polynomial time algorithms (Gen,Enc,Dec,Eval), defined as follows, which satisfy the correctness, compactness and security properties below.

Gen(1^{λ}): a randomized algorithm which outputs a public key, secret key pair (pk,sk).

Enc(pk,m): a randomized algorithm which outputs a ciphertext ct.

Dec(sk,ct): an algorithm which outputs a message \(m\in \mathcal {M}\).

Eval({ct_{i}},C): an algorithm which takes a collection of ciphertexts {ct_{i}} and a circuit C to be evaluated and outputs an evaluated ciphertext ct_{eval}.
Correctness: For any \(m\in \mathcal {M}\), (pk,sk)←Gen(1^{λ}),
$$\Pr[\mathsf{Dec}(sk,\mathsf{Enc}(pk,m))=m]=1\text{negl}$$
Homomorphic Correctness: For any \(\{m_{i}\}\in \mathcal {M}^{\text {poly}(\lambda)}\), circuit C of polynomial size, and (pk,sk)←Gen(1^{λ}), ct_{i}←Enc(pk,m_{i})
$$\Pr[\mathsf{Dec}(sk,\mathsf{Eval}(\{{ct}_{i}\},C))=C(\{m_{i}\})]=1\text{negl}$$
Compactness: There exists a polynomial poly(·) such that ct_{eval}≤poly(λ) for all ct_{eval}←Eval({ct_{i}},C). In particular, poly(·) is independent of the size, depth or number of inputs to C.
CCA1 Security: For any PPT adversary \(\mathcal {A}\), its chance of winning the following game against a challenger \(\mathcal {C}\) is at most 1/2+negl.

1.
\(\mathcal {C}\) draws (pk,sk)←Gen(1^{λ}) and sends pk to \(\mathcal {A}\).

2.
For α=1,...,poly: \(\mathcal {A}\) sends ct_{α} to \(\mathcal {C}\); \(\mathcal {C}\) computes m_{α}=Dec(sk,ct_{α}) and returns m_{α} to \(\mathcal {A}\).

3.
\(\mathcal {A}\) sends \(m_{0},m_{1}\in \mathcal {M}\) to \(\mathcal {C}\).

4.
\(\mathcal {C}\) draws ct^{∗}←Enc(pk,m_{b}) for b←{0,1} and sends ct^{∗} to \(\mathcal {A}\).

5.
\(\mathcal {A}\) outputs a guess bit b^{′} and wins if b^{′}=b.
Remark 1
We say that a FHE scheme is leveled if it permits evaluation of circuits of apriori bounded polynomial depth on encrypted data. In contrast, a FHE scheme is pure (or unleveled) if it permits evaluation of circuits of any depth.
Multikey IBFHE
Definition 2
((Canetti et al. 2017)) Let \(\mathcal {M}, \mathcal {ID}\) be message and identity spaces. A multikey identitybased fully homomorphic encryption scheme is a tuple of polynomial time algorithms (Setup,KeyGen,Enc,Dec,Eval), defined as follows, which satisfy the correctness and security properties below.

Setup(1^{λ}): output the master key pair (mpk,msk).

KeyGen(msk,id): output a secret key sk_{id} for the identity id.

Enc(mpk,id,m): encrypt message m under identity id, and outputs (id,ct_{id}).

Dec(sk_{id},id,ct_{id}): decrypt ct_{id} using sk_{id} and outputs m.

Eval({(id_{i},ct_{i})},C): take a family of ciphertexts and a circuit and outputs (id_{eval},ct_{eval}).
Correctness: For any \(m\in \mathcal {M}, id\in \mathcal {ID}\), and (mpk,msk)←Setup(1^{λ}), sk_{id}←KeyGen(msk,id)
$$\Pr[\mathsf{Dec}({sk}_{id},\mathsf{Enc}(mpk,id,m))=m]=1\text{negl} $$
Homomorphic Correctness: For any \(\{m_{i}\}\in \mathcal {M}^{\text {poly}(\lambda)}\), \(\{{id}_{i}\}\in \mathcal {ID}^{\text {poly}(\lambda)}\), circuit C of polynomial size, and (mpk,msk)←Setup(1^{λ}), sk_{i}←KeyGen(msk,id_{i}), ct_{i}←Enc(mpk,id_{i},m_{i})
$$\Pr[\mathsf{Dec}({sk}_{eval},\mathsf{Eval}(\{({id}_{i},{ct}_{i})\},C))=C(\{m_{i}\})]=1\text{negl} $$
where sk_{eval}←KeyGen(msk,id_{eval}).
Compactness: There exists a polynomial poly(·) such that id_{eval},ct_{eval}≤poly(λ) for all id_{eval},ct_{eval}←Eval({(id_{i},ct_{i})},C). In particular, poly(·) is independent of the size, depth or number of inputs to C.
Selective Security for Random Identities: For any PPT adversary \(\mathcal {A}\), its chance of winning the following game against a challenger \(\mathcal {C}\) is at most 1/2+negl.

1.
\(\mathcal {C}\) draws \(id^{\ast }\leftarrow \mathcal {ID}\) and (mpk,msk)←Setup(1^{λ}), sends mpk to \(\mathcal {A}\).

2.
\(\mathcal {A}\) makes queries to an oracle \(\mathcal {O}\) defined by \(\mathcal {O}(id)=\left \{ \begin {array}{ll} \mathsf {KeyGen}(msk,id), & \text {if \(id\neq id^{\ast }\);}\\ \bot, & \text {otherwise.} \end {array} \right. \)

3.
\(\mathcal {A}\) chooses two messages \(m_{0},m_{1}\in \mathcal {M}\) and sends them to the challenger \(\mathcal {C}\).

4.
\(\mathcal {C}\) uniformly samples a bit b←{0,1}, and returns ct^{∗}←Enc(mpk,id^{∗},m_{b}).

5.
\(\mathcal {A}\) outputs a guess bit b^{′} and wins if b^{′}=b.
CCA1 FHE from multikey IBFHE
Let E be a multikey IBFHE scheme. Then the construction of CCA1 secure FHE is as follows (Canetti et al. 2017).

Gen(1^{λ}):Output (pk,sk)=(mpk,msk)←E.Setup(1^{λ}).

Enc(pk,m): Draw \(id\leftarrow \mathcal {ID}\) and compute \(\phantom {\dot {i}\!}{ct}_{id}\leftarrow \text {E.Enc}(mpk,id,m)\). Output ct=(id,ct_{id}).

Dec(sk,ct): Parse ct=(id,ct_{id}). Compute sk_{id}←E.KenGen(msk,id), and output m=E.Dec(sk_{id},id,ct_{id}).

Eval({ct_{i}},C): Parse \(\phantom {\dot {i}\!}{ct}_{i}=({id}_{i},{ct}_{{id}_{i}})\). Output \({ct}_{eval}=({id}_{eval}, \mathsf {E}.{ct}_{eval})\leftarrow \text {E.Eval}(\{({id}_{i},{ct}_{{id}_{i}})\}, C)\).
Lemma 1
The above scheme is a CCA1secure FHE scheme.
The proof of this lemma can be found in (Canetti et al. 2017) and (Boneh et al. 2007).
Trapdoor encryption schemes
Definition 3
((Canetti et al. 2015)) An encryption scheme \(\prod =(\mathsf {KeyGen},\mathsf {Enc},\mathsf {Dec},\mathsf {tKeyGen})\) is a trapdoor encryption scheme, if (KeyGen,Enc,Dec) is a CPAsecure encryption scheme and the trapdoor key generation algorithm tKeyGen satisfies the following additional properties:
Trapdoor Public Keys: The following two ensembles are indistinguishable
$$\begin{aligned} \{(pk,sk)&\leftarrow \mathsf{KeyGen}(1^{\lambda}): pk\}_{\lambda}\\&\quad\approx \{tpk\leftarrow \mathsf{tKeyGen}(1^{\lambda}): tpk\}_{\lambda} \end{aligned} $$
Computational Hiding: The following two ensembles are indistinguishable
$$\begin{aligned} \{tpk&\leftarrow \mathsf{tKeyGen}(1^{\lambda}): \mathsf{Enc}(tpk,m_{0})\}_{\lambda}\\&\approx\{tpk\leftarrow \mathsf{tKeyGen}(1^{\lambda}): \mathsf{Enc}(tpk,m_{1})\}_{\lambda} \end{aligned} $$
where m_{0},m_{1} are two distinct messages.
The basic trapdoor encryption scheme does not provide any advantage in the trapdoor mode than the honest mode. Obviously, any CPA secure encryption scheme implies a trapdoor encryption scheme. The following are two stronger variants.
μHiding Trapdoor Encryption Scheme The distinguishing advantage of the two ensembles in the computational hiding property of the above definition is replaced by some μ(λ). Typically, μ(λ) is much smaller than the inverse exponentiation of the ciphertext length. Canetti et al. (2015) showed that μhiding trapdoor encryption scheme can be constructed from any μrerandomizable CPA encryption scheme.
Statistical Trapdoor Encryption Scheme The computational hiding property in the above definition is replaced by statistical hiding. Note that any lossy encryption scheme implies a statistical trapdoor encryption scheme.
Probabilistic indistinguishability obfuscation (PIO)
Probabilistic Indistinguishability Obfuscation (PIO) A notion that was recently introduced by Canetti et al. (2015). Roughly speaking, this is an obfuscator for probabilistic circuits with the guarantee that the obfuscations of any two “equivalent” circuits are computationally indistinguishable. Before formally defining PIO, we introduce some relevant notions. Let \(\mathcal {C}=\{\mathcal {C}_{\lambda }\}_{\lambda \in \mathbb {N}}\) be a family of sets of (randomized) circuits, where \(\mathcal {C}_{\lambda }\) contains circuits of size poly (λ). A circuit sampler for \(\mathcal {C}\) is a distribution ensemble \(D=\{D_{\lambda }\}_{\lambda \in \mathbb {N}}\) where the distribution D_{λ} ranges over triples (C_{0},C_{1},z) with \(C_{0}, C_{1}\in \mathcal {C}_{\lambda }\) such that C_{0},C_{1} take inputs of the same length, and z∈{0,1}^{poly(λ)}. Moreover, a class S of samplers for \(\mathcal {C}\) is a set of circuit samplers for \(\mathcal {C}\).
Definition 4
((Canetti et al. 2015)) A uniform PPT machine \(pi\mathcal {O}\) is an indistinguishability obfuscator for a class of samplers S over the (potentially randomized) circuit family \(\mathcal {C}=\{\mathcal {C}_{\lambda }\}_{\lambda \in \mathbb {N}}\) if the following two conditions hold:
Correctness:\(pi\mathcal {O}\) on input a (potentially probabilistic) circuit \(C\in \mathcal {C}_{\lambda }\) and the security parameter \(\lambda \in \mathbb {N}\) (in unary), outputs a deterministic circuit Λ of size poly (C,λ). Furthermore, for every nonuniform PPT distinguisher \(\mathcal {D}\), every (potentially probabilistic) circuit \(C\in \mathcal {C}_{\lambda }\), and string z, we define the following two experiments:

Exp\(_{\mathcal {D}}^{1}(1^{\lambda },C,z)\): \(\mathcal {D}\) on input 1^{λ},C,z, participates in an unbounded number of iterations of his choice. In iteration i, it chooses an input x_{i}; if x_{i} is the same as any of the previously chosen input x_{j} for j<i, then abort; otherwise, \(\mathcal {D}\) receives C(x_{i};r_{i}) using fresh random coins r_{i} (r_{i} = null if C is deterministic). At the end of all iterations, \(\mathcal {D}\) outputs a bit b. (Note that \(\mathcal {D}\) can keep state across iterations.)

Exp\(_{\mathcal {D}}^{2}(1^{\lambda },C,z)\): Obfuscate circuit C to obtain \(\Lambda \leftarrow pi\mathcal {O}(1^{\lambda },C;r)\) using fresh random coins r. Run \(\mathcal {D}\) as described above, except that in each iteration, feed \(\mathcal {D}\) with Λ(x_{i}) instead.
Overload the notation Exp\(_{\mathcal {D}}^{i}(1^{\lambda },C,z)\)as the output of \(\mathcal {D}\)in experiment Exp\(_{\mathcal {D}}^{i}\). We require that for every nonuniform PPT distinguisher \(\mathcal {D}\), there is a negligible function μ, such that, for every \(\lambda \in \mathbb {N}\), every \(C\in \mathcal {C}_{\lambda }\), and every auxiliary input z∈{0,1}^{poly(λ)},
$$\begin{aligned}\text{Adv}_{\mathcal{D}}(1^{\lambda},C,z)&=\Pr[\textsf{Exp}_{\mathcal{D}}^{1}(1^{\lambda},C,z)]\\&\quad\Pr[\textsf{Exp}_{\mathcal{D}}^{2}(1^{\lambda},C,z)] =\mu(\lambda) \end{aligned} $$
Security with Respect to S: For every sampler \(D=\{D_{\lambda }\}_{\lambda \in \mathbb {N}}\in \mathbf {S}\), and for every nonuniform PPT machine \(\mathcal {A}\), there exists a negligible function μ such that
$${{} \begin{aligned}\Pr[(C_{1},C_{2},z)\leftarrow D_{\lambda}: \mathcal{A}(C_{1},C_{2},pi\mathcal{O}(1^{\lambda},C_{1}),z)&=1] \\ \Pr[(C_{1},C_{2},z)\leftarrow D_{\lambda}: \mathcal{A}(C_{1},C_{2},pi\mathcal{O}(1^{\lambda},C_{2}),z)&=1]\\&=\mu(\lambda) \end{aligned}} $$
Puncturable Pseudorandom functions
In our construction, we will use the puncturable PRFs, which are PRFs that can be defined on all bit strings of a certain length, except for some polynomialsize set of inputs. Below we recall their definition, as given by Sahai and Waters (2014):
Definition 5
A puncturable family of PRFs F is given by a triple of Turing machines Key,Puncture,Eval, and a pair of computable functions n(·) and m(·), satisfying the following conditions:

(Functionality preserved under puncturing.) For every PPT adversary \(\mathcal {A}\) such that \(\mathcal {A}(1^{\lambda })\) outputs a set S⊆{0,1}^{n(λ)}, then for all x∈{0,1}^{n(λ)} where x∉S, we have that:
$$ \begin{aligned} &\text{Pr}\left[\mathsf{Eval}(K,x)=\mathsf{Eval}(K_{S},x):K\leftarrow\mathsf{Key}(1^{\lambda}), K_{S}\right.\\ &\qquad\qquad\qquad\left.=\mathsf{Puncture}(K,S)\right]=1. \end{aligned} $$

(Pseudorandom at punctured points.) For every PPT adversary \((\mathcal {A}_{1},\mathcal {A}_{2})\) such that \(\mathcal {A}_{1}(1^{\lambda })\) outputs a set S⊆{0,1}^{n(λ)} and any x∈S, consider an experiment where K←Key(1^{λ}) and K_{S}=Puncture(K,S). Then we have
$$\begin{array}{*{20}l} \Pr[\mathcal{A}_{2}(K_{S},x,\mathsf{Eval}(K,x))&=1] \Pr[\mathcal{A}_{2}(K_{S},x,U_{m(\lambda)}) \\ &=1]\leq\text{negl}(\lambda), \end{array} $$
where U_{m(λ)} denotes the uniform distribution over m(λ) bits.