Let λ denote a security parameter. When we speak of a negligible function negl(λ), we mean a function that is asymptotically bounded from above by the reciprocal of all polynomials in λ.
CCA1-Secure fully homomorphic encryption
Definition 1
(Canetti et al. 2017) Let \(\mathcal {M}\) be a message space. A CCA1-secure FHE scheme is a tuple of polynomial-time algorithms (Gen,Enc,Dec,Eval), defined as follows, which satisfies the correctness, compactness and security properties below.
- Gen(\(1^{\lambda}\)): a randomized algorithm which outputs a public key, secret key pair (pk,sk).
- Enc(pk,m): a randomized algorithm which outputs a ciphertext ct.
- Dec(sk,ct): an algorithm which outputs a message \(m\in \mathcal {M}\).
- Eval(\(\{{ct}_{i}\}\),C): an algorithm which takes a collection of ciphertexts \(\{{ct}_{i}\}\) and a circuit C to be evaluated, and outputs an evaluated ciphertext \({ct}_{eval}\).
Correctness: For any \(m\in \mathcal {M}\) and \((pk,sk)\leftarrow \mathsf{Gen}(1^{\lambda})\),
$$\Pr[\mathsf{Dec}(sk,\mathsf{Enc}(pk,m))=m]=1-\text{negl}$$
Homomorphic Correctness: For any \(\{m_{i}\}\in \mathcal {M}^{\text {poly}(\lambda)}\), circuit C of polynomial size, \((pk,sk)\leftarrow \mathsf{Gen}(1^{\lambda})\) and \({ct}_{i}\leftarrow \mathsf{Enc}(pk,m_{i})\),
$$\Pr[\mathsf{Dec}(sk,\mathsf{Eval}(\{{ct}_{i}\},C))=C(\{m_{i}\})]=1-\text{negl}$$
Compactness: There exists a polynomial poly(·) such that \(|{ct}_{eval}|\le \text{poly}(\lambda)\) for all \({ct}_{eval}\leftarrow \mathsf{Eval}(\{{ct}_{i}\},C)\). In particular, poly(·) is independent of the size, depth or number of inputs to C.
CCA1 Security: For any PPT adversary \(\mathcal {A}\), its chance of winning the following game against a challenger \(\mathcal {C}\) is at most 1/2+negl.
1. \(\mathcal {C}\) draws \((pk,sk)\leftarrow \mathsf{Gen}(1^{\lambda})\) and sends pk to \(\mathcal {A}\).
2. For α=1,...,poly: \(\mathcal {A}\) sends \({ct}_{\alpha}\) to \(\mathcal {C}\); \(\mathcal {C}\) computes \(m_{\alpha}=\mathsf{Dec}(sk,{ct}_{\alpha})\) and returns \(m_{\alpha}\) to \(\mathcal {A}\).
3. \(\mathcal {A}\) sends \(m_{0},m_{1}\in \mathcal {M}\) to \(\mathcal {C}\).
4. \(\mathcal {C}\) draws \({ct}^{\ast}\leftarrow \mathsf{Enc}(pk,m_{b})\) for \(b\leftarrow \{0,1\}\) and sends \({ct}^{\ast}\) to \(\mathcal {A}\).
5. \(\mathcal {A}\) outputs a guess bit \(b'\) and wins if \(b'=b\).
Remark 1
We say that an FHE scheme is leveled if it permits evaluation of circuits of a priori bounded polynomial depth on encrypted data. In contrast, an FHE scheme is pure (or unleveled) if it permits evaluation of circuits of any depth.
Multi-key IBFHE
Definition 2
(Canetti et al. 2017) Let \(\mathcal {M}, \mathcal {ID}\) be message and identity spaces. A multi-key identity-based fully homomorphic encryption scheme is a tuple of polynomial-time algorithms (Setup,KeyGen,Enc,Dec,Eval), defined as follows, which satisfies the correctness and security properties below.
- Setup(\(1^{\lambda}\)): outputs the master key pair (mpk,msk).
- KeyGen(msk,id): outputs a secret key \({sk}_{id}\) for the identity id.
- Enc(mpk,id,m): encrypts message m under identity id, and outputs \((id,{ct}_{id})\).
- Dec(\({sk}_{id}\),id,\({ct}_{id}\)): decrypts \({ct}_{id}\) using \({sk}_{id}\) and outputs m.
- Eval(\(\{({id}_{i},{ct}_{i})\}\),C): takes a family of ciphertexts and a circuit, and outputs \(({id}_{eval},{ct}_{eval})\).
Correctness: For any \(m\in \mathcal {M}, id\in \mathcal {ID}\), \((mpk,msk)\leftarrow \mathsf{Setup}(1^{\lambda})\) and \({sk}_{id}\leftarrow \mathsf{KeyGen}(msk,id)\),
$$\Pr[\mathsf{Dec}({sk}_{id},\mathsf{Enc}(mpk,id,m))=m]=1-\text{negl} $$
Homomorphic Correctness: For any \(\{m_{i}\}\in \mathcal {M}^{\text {poly}(\lambda)}\), \(\{{id}_{i}\}\in \mathcal {ID}^{\text {poly}(\lambda)}\), circuit C of polynomial size, \((mpk,msk)\leftarrow \mathsf{Setup}(1^{\lambda})\), \({sk}_{i}\leftarrow \mathsf{KeyGen}(msk,{id}_{i})\) and \({ct}_{i}\leftarrow \mathsf{Enc}(mpk,{id}_{i},m_{i})\),
$$\Pr[\mathsf{Dec}({sk}_{eval},\mathsf{Eval}(\{({id}_{i},{ct}_{i})\},C))=C(\{m_{i}\})]=1-\text{negl} $$
where \({sk}_{eval}\leftarrow \mathsf{KeyGen}(msk,{id}_{eval})\).
Compactness: There exists a polynomial poly(·) such that \(|{id}_{eval}|,|{ct}_{eval}|\le \text{poly}(\lambda)\) for all \(({id}_{eval},{ct}_{eval})\leftarrow \mathsf{Eval}(\{({id}_{i},{ct}_{i})\},C)\). In particular, poly(·) is independent of the size, depth or number of inputs to C.
Selective Security for Random Identities: For any PPT adversary \(\mathcal {A}\), its chance of winning the following game against a challenger \(\mathcal {C}\) is at most 1/2+negl.
1. \(\mathcal {C}\) draws \(id^{\ast }\leftarrow \mathcal {ID}\) and \((mpk,msk)\leftarrow \mathsf{Setup}(1^{\lambda})\), and sends mpk to \(\mathcal {A}\).
2. \(\mathcal {A}\) makes queries to an oracle \(\mathcal {O}\) defined by \(\mathcal {O}(id)=\left \{ \begin {array}{ll} \mathsf {KeyGen}(msk,id), & \text {if \(id\neq id^{\ast }\);}\\ \bot, & \text {otherwise.} \end {array} \right. \)
3. \(\mathcal {A}\) chooses two messages \(m_{0},m_{1}\in \mathcal {M}\) and sends them to the challenger \(\mathcal {C}\).
4. \(\mathcal {C}\) uniformly samples a bit \(b\leftarrow \{0,1\}\), and returns \({ct}^{\ast}\leftarrow \mathsf{Enc}(mpk,id^{\ast},m_{b})\).
5. \(\mathcal {A}\) outputs a guess bit \(b'\) and wins if \(b'=b\).
CCA1 FHE from multi-key IBFHE
Let E be a multi-key IBFHE scheme. The construction of a CCA1-secure FHE scheme from E is then as follows (Canetti et al. 2017).
- Gen(\(1^{\lambda}\)): Output \((pk,sk)=(mpk,msk)\leftarrow \text {E.Setup}(1^{\lambda})\).
- Enc(pk,m): Draw \(id\leftarrow \mathcal {ID}\) and compute \({ct}_{id}\leftarrow \text {E.Enc}(mpk,id,m)\). Output \(ct=(id,{ct}_{id})\).
- Dec(sk,ct): Parse \(ct=(id,{ct}_{id})\). Compute \({sk}_{id}\leftarrow \text {E.KeyGen}(msk,id)\), and output \(m=\text {E.Dec}({sk}_{id},id,{ct}_{id})\).
- Eval(\(\{{ct}_{i}\}\),C): Parse \({ct}_{i}=({id}_{i},{ct}_{{id}_{i}})\). Output \({ct}_{eval}=({id}_{eval}, \mathsf {E}.{ct}_{eval})\leftarrow \text {E.Eval}(\{({id}_{i},{ct}_{{id}_{i}})\}, C)\).
Lemma 1
The above scheme is a CCA1-secure FHE scheme.
The proof of this lemma can be found in Canetti et al. (2017) and Boneh et al. (2007).
Trapdoor encryption schemes
Definition 3
(Canetti et al. 2015) An encryption scheme \(\Pi =(\mathsf {KeyGen},\mathsf {Enc},\mathsf {Dec},\mathsf {tKeyGen})\) is a trapdoor encryption scheme if (KeyGen,Enc,Dec) is a CPA-secure encryption scheme and the trapdoor key generation algorithm tKeyGen satisfies the following additional properties:
Trapdoor Public Keys: The following two ensembles are indistinguishable
$$\begin{aligned} \{(pk,sk)&\leftarrow \mathsf{KeyGen}(1^{\lambda}): pk\}_{\lambda}\\&\quad\approx \{tpk\leftarrow \mathsf{tKeyGen}(1^{\lambda}): tpk\}_{\lambda} \end{aligned} $$
Computational Hiding: The following two ensembles are indistinguishable
$$\begin{aligned} \{tpk&\leftarrow \mathsf{tKeyGen}(1^{\lambda}): \mathsf{Enc}(tpk,m_{0})\}_{\lambda}\\&\approx\{tpk\leftarrow \mathsf{tKeyGen}(1^{\lambda}): \mathsf{Enc}(tpk,m_{1})\}_{\lambda} \end{aligned} $$
where \(m_{0},m_{1}\) are two distinct messages.
The basic trapdoor encryption scheme gives the trapdoor mode no advantage over the honest mode. Obviously, any CPA-secure encryption scheme implies a trapdoor encryption scheme. The following are two stronger variants.
μ-Hiding Trapdoor Encryption Scheme: The distinguishing advantage of the two ensembles in the computational hiding property of the above definition is replaced by some μ(λ). Typically, μ(λ) is much smaller than the inverse exponential of the ciphertext length. Canetti et al. (2015) showed that a μ-hiding trapdoor encryption scheme can be constructed from any μ-rerandomizable CPA encryption scheme.
Statistical Trapdoor Encryption Scheme: The computational hiding property in the above definition is replaced by statistical hiding. Note that any lossy encryption scheme implies a statistical trapdoor encryption scheme.
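As an added example that is not part of the original paper, the following Python code instantiates the last remark with a textbook DDH-based lossy encryption scheme (a two-generator variant of ElGamal in the style of Bellare, Hofheinz and Yilek's lossy encryption): the honest KeyGen outputs a DDH tuple and decrypts correctly, while tKeyGen outputs a non-DDH tuple under which encryption is perfectly, hence statistically, hiding. The group (p = 23, its order-11 subgroup, generator g = 4), the function names and the explicit coins (s, t) are constructed here so that every ciphertext can be enumerated exhaustively; the trapdoor public-key property (pk versus tpk) is exactly the DDH assumption and is not something a test can demonstrate.

```python
# Toy DDH-based lossy encryption used as a statistical trapdoor encryption scheme.
# Group: the order-11 subgroup of quadratic residues mod p = 23, generator g = 4.
# Constructed parameters, chosen so all 121 coin choices can be enumerated;
# far too small for any real use.
import itertools
import random

P = 23          # prime modulus
Q = 11          # prime order of the quadratic-residue subgroup, P = 2*Q + 1
G = 4           # generator of that subgroup


def _pow(base: int, exp: int) -> int:
    return pow(base, exp % Q, P)


def key_gen(rng: random.Random):
    """Honest KeyGen: u = g^r and v = h^r share the exponent r, which is the secret key."""
    a = rng.randrange(1, Q)
    r = rng.randrange(Q)
    h = _pow(G, a)
    pk = (G, h, _pow(G, r), _pow(h, r))
    return pk, r


def t_key_gen(rng: random.Random):
    """tKeyGen (lossy mode): v = h^r' with r' != r, so (g, h, u, v) is a non-DDH tuple.
    Distinguishing tpk from an honest pk is the DDH problem; no decryption key exists."""
    a = rng.randrange(1, Q)
    r = rng.randrange(Q)
    r_prime = (r + rng.randrange(1, Q)) % Q   # guarantees r' != r
    h = _pow(G, a)
    return (G, h, _pow(G, r), _pow(h, r_prime))


def enc(pk, m: int, s: int, t: int):
    """Enc(pk, m; s, t) with explicit coins s, t in Z_Q; m is a subgroup element."""
    g, h, u, v = pk
    c1 = (_pow(g, s) * _pow(h, t)) % P
    c2 = (_pow(u, s) * _pow(v, t) * m) % P
    return c1, c2


def dec(sk: int, ct) -> int:
    """Dec(sk, (c1, c2)) = c2 / c1^r, valid only for honestly generated keys."""
    c1, c2 = ct
    return (c2 * pow(_pow(c1, sk), -1, P)) % P


def ciphertext_multiset(pk, m: int):
    """All ciphertexts of m over every choice of coins (Q*Q of them), as a sorted list."""
    return sorted(enc(pk, m, s, t) for s, t in itertools.product(range(Q), repeat=2))


def honest_mode_is_correct(seed: int = 1) -> bool:
    rng = random.Random(seed)
    pk, sk = key_gen(rng)
    msgs = [_pow(G, i) for i in range(Q)]          # every subgroup element
    return all(dec(sk, enc(pk, m, rng.randrange(Q), rng.randrange(Q))) == m for m in msgs)


def lossy_mode_hides_perfectly(m0: int = 4, m1: int = 16, seed: int = 1) -> bool:
    """Statistical (here: perfect) hiding. Under tpk, c1 = g^(s + a t) and
    c2 = g^(r s + a r' t) * m; the map (s, t) -> (s + a t, r s + a r' t) has
    determinant a (r' - r) != 0 mod Q, so it is a bijection on Z_Q^2 and the
    ciphertext distribution is uniform on the whole group pair, whatever m is."""
    tpk = t_key_gen(random.Random(seed))
    return ciphertext_multiset(tpk, m0) == ciphertext_multiset(tpk, m1)


def honest_mode_does_not_hide(m0: int = 4, m1: int = 16, seed: int = 1) -> bool:
    """Under an honest pk, c2 = c1^r * m, so the two ciphertext sets are disjoint."""
    pk, _ = key_gen(random.Random(seed))
    return not set(ciphertext_multiset(pk, m0)) & set(ciphertext_multiset(pk, m1))
```

The exhaustive enumeration is what makes the statistical claim checkable: with the lossy key, the multisets of ciphertexts of the two messages are identical (every pair of group elements appears exactly once for each message), so no unbounded distinguisher has any advantage; with the honest key the same enumeration shows the scheme is not even one-wayly hiding without the key being secret, which is why the mode switch is where the security lives.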
Probabilistic indistinguishability obfuscation (PIO)
Probabilistic indistinguishability obfuscation (PIO) is a notion recently introduced by Canetti et al. (2015). Roughly speaking, this is an obfuscator for probabilistic circuits with the guarantee that the obfuscations of any two “equivalent” circuits are computationally indistinguishable. Before formally defining PIO, we introduce some relevant notions. Let \(\mathcal {C}=\{\mathcal {C}_{\lambda }\}_{\lambda \in \mathbb {N}}\) be a family of sets of (randomized) circuits, where \(\mathcal {C}_{\lambda }\) contains circuits of size poly(λ). A circuit sampler for \(\mathcal {C}\) is a distribution ensemble \(D=\{D_{\lambda }\}_{\lambda \in \mathbb {N}}\) where the distribution \(D_{\lambda}\) ranges over triples \((C_{0},C_{1},z)\) with \(C_{0}, C_{1}\in \mathcal {C}_{\lambda }\) such that \(C_{0},C_{1}\) take inputs of the same length, and \(z\in \{0,1\}^{\text{poly}(\lambda)}\). Moreover, a class S of samplers for \(\mathcal {C}\) is a set of circuit samplers for \(\mathcal {C}\).
Definition 4
(Canetti et al. 2015) A uniform PPT machine \(pi\mathcal {O}\) is an indistinguishability obfuscator for a class of samplers S over the (potentially randomized) circuit family \(\mathcal {C}=\{\mathcal {C}_{\lambda }\}_{\lambda \in \mathbb {N}}\) if the following two conditions hold:
Correctness: \(pi\mathcal {O}\), on input a (potentially probabilistic) circuit \(C\in \mathcal {C}_{\lambda }\) and the security parameter \(\lambda \in \mathbb {N}\) (in unary), outputs a deterministic circuit Λ of size poly(|C|,λ). Furthermore, for every non-uniform PPT distinguisher \(\mathcal {D}\), every (potentially probabilistic) circuit \(C\in \mathcal {C}_{\lambda }\), and string z, we define the following two experiments:
- Exp\(_{\mathcal {D}}^{1}(1^{\lambda },C,z)\): \(\mathcal {D}\), on input \(1^{\lambda},C,z\), participates in an unbounded number of iterations of its choice. In iteration i, it chooses an input \(x_{i}\); if \(x_{i}\) is the same as a previously chosen input \(x_{j}\) for some j<i, then abort; otherwise, \(\mathcal {D}\) receives \(C(x_{i};r_{i})\) using fresh random coins \(r_{i}\) (\(r_{i}\) = null if C is deterministic). At the end of all iterations, \(\mathcal {D}\) outputs a bit b. (Note that \(\mathcal {D}\) can keep state across iterations.)
- Exp\(_{\mathcal {D}}^{2}(1^{\lambda },C,z)\): Obfuscate circuit C to obtain \(\Lambda \leftarrow pi\mathcal {O}(1^{\lambda },C;r)\) using fresh random coins r. Run \(\mathcal {D}\) as described above, except that in each iteration, feed \(\mathcal {D}\) with \(\Lambda(x_{i})\) instead.
Overload the notation Exp\(_{\mathcal {D}}^{i}(1^{\lambda },C,z)\) as the output of \(\mathcal {D}\) in experiment Exp\(_{\mathcal {D}}^{i}\). We require that for every non-uniform PPT distinguisher \(\mathcal {D}\), there is a negligible function μ such that, for every \(\lambda \in \mathbb {N}\), every \(C\in \mathcal {C}_{\lambda }\), and every auxiliary input \(z\in \{0,1\}^{\text{poly}(\lambda)}\),
$$\begin{aligned}\text{Adv}_{\mathcal{D}}(1^{\lambda},C,z)&=|\Pr[\textsf{Exp}_{\mathcal{D}}^{1}(1^{\lambda},C,z)]\\&\quad-\Pr[\textsf{Exp}_{\mathcal{D}}^{2}(1^{\lambda},C,z)]| =\mu(\lambda) \end{aligned} $$
Security with Respect to S: For every sampler \(D=\{D_{\lambda }\}_{\lambda \in \mathbb {N}}\in \mathbf {S}\), and for every non-uniform PPT machine \(\mathcal {A}\), there exists a negligible function μ such that
$${{} \begin{aligned}|\Pr[(C_{1},C_{2},z)\leftarrow D_{\lambda}: \mathcal{A}(C_{1},C_{2},pi\mathcal{O}(1^{\lambda},C_{1}),z)&=1] \\ -\Pr[(C_{1},C_{2},z)\leftarrow D_{\lambda}: \mathcal{A}(C_{1},C_{2},pi\mathcal{O}(1^{\lambda},C_{2}),z)&=1]|\\&=\mu(\lambda) \end{aligned}} $$
Puncturable Pseudorandom functions
In our construction, we will use puncturable PRFs, which are PRFs that can be evaluated on all bit strings of a certain length except for some polynomial-size set of inputs. Below we recall their definition, as given by Sahai and Waters (2014):
Definition 5
A puncturable family of PRFs F is given by a triple of Turing machines (Key,Puncture,Eval) and a pair of computable functions n(·) and m(·), satisfying the following conditions:
- (Functionality preserved under puncturing.) For every PPT adversary \(\mathcal {A}\) such that \(\mathcal {A}(1^{\lambda })\) outputs a set \(S\subseteq \{0,1\}^{n(\lambda)}\), and for all \(x\in \{0,1\}^{n(\lambda)}\) with \(x\notin S\), we have that:
$$ \begin{aligned} &\text{Pr}\left[\mathsf{Eval}(K,x)=\mathsf{Eval}(K_{S},x):K\leftarrow\mathsf{Key}(1^{\lambda}), K_{S}\right.\\ &\qquad\qquad\qquad\left.=\mathsf{Puncture}(K,S)\right]=1. \end{aligned} $$
- (Pseudorandom at punctured points.) For every PPT adversary \((\mathcal {A}_{1},\mathcal {A}_{2})\) such that \(\mathcal {A}_{1}(1^{\lambda })\) outputs a set \(S\subseteq \{0,1\}^{n(\lambda)}\) and any \(x\in S\), consider an experiment where \(K\leftarrow \mathsf{Key}(1^{\lambda})\) and \(K_{S}=\mathsf{Puncture}(K,S)\). Then we have
$$\begin{array}{*{20}l} |\Pr[\mathcal{A}_{2}(K_{S},x,\mathsf{Eval}(K,x))&=1]- \Pr[\mathcal{A}_{2}(K_{S},x,U_{m(\lambda)}) \\ &=1]|\leq\text{negl}(\lambda), \end{array} $$
where \(U_{m(\lambda)}\) denotes the uniform distribution over m(λ) bits.
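As an added illustration of Definition 5 (example code, not part of the original paper), the following Python implements the standard GGM-tree instantiation of a puncturable PRF, with the length-doubling PRG modelled by SHA-256. The input length N_BITS = 8, the function names (key, eval_full, puncture, eval_punctured) and the key bytes used in testing are constructed for this example. It checks the first property mechanically (Eval agrees on every non-punctured input) and exposes the structural reason for the second: the punctured key contains no seed on the root-to-leaf path of any \(x\in S\), so pseudorandomness at x reduces to PRG security, which the code cannot test.

```python
# GGM-tree puncturable PRF: Key is the root seed, Eval walks the tree along the
# bits of x, Puncture publishes the seeds of all maximal subtrees disjoint from S.
import hashlib
from typing import Dict, Optional, Set, Tuple

N_BITS = 8   # n(lambda): input length in bits (toy size, constructed for this example)


def _prg(seed: bytes) -> Tuple[bytes, bytes]:
    """Length-doubling PRG G(seed) = (G_0(seed), G_1(seed)), modelled with SHA-256."""
    return (hashlib.sha256(seed + b"\x00").digest(),
            hashlib.sha256(seed + b"\x01").digest())


def key(seed: bytes) -> bytes:
    """Key(1^lambda): the GGM root seed; the caller supplies 32 uniformly random bytes."""
    return seed


def eval_full(k: bytes, x: int) -> bytes:
    """Eval(K, x): descend from the root following the bits of x, most significant first."""
    node = k
    for i in range(N_BITS - 1, -1, -1):
        node = _prg(node)[(x >> i) & 1]
    return node


# A punctured key maps tree-node labels (bit-string prefixes) to their seeds; it
# covers exactly the maximal subtrees that contain no punctured input.
PuncturedKey = Dict[str, bytes]


def puncture(k: bytes, s: Set[int]) -> PuncturedKey:
    """Puncture(K, S): keep the seeds of all maximal subtrees disjoint from S.
    The result has at most N_BITS * |S| entries."""
    bad = {format(x, f"0{N_BITS}b") for x in s}
    out: PuncturedKey = {}

    def visit(prefix: str, node: bytes) -> None:
        if not any(b.startswith(prefix) for b in bad):
            out[prefix] = node          # subtree is clean: publish its root seed
            return
        if len(prefix) == N_BITS:
            return                      # this leaf is punctured: publish nothing
        left, right = _prg(node)
        visit(prefix + "0", left)
        visit(prefix + "1", right)

    visit("", k)
    return out


def eval_punctured(ks: PuncturedKey, x: int) -> Optional[bytes]:
    """Eval(K_S, x): find the published ancestor of leaf x and walk down from it.
    Returns None for x in S, since no seed on that path is in the punctured key."""
    label = format(x, f"0{N_BITS}b")
    for depth in range(N_BITS + 1):
        prefix = label[:depth]
        if prefix in ks:
            node = ks[prefix]
            for bit in label[depth:]:
                node = _prg(node)[int(bit)]
            return node
    return None


def functionality_preserved(k: bytes, s: Set[int]) -> bool:
    """Property 1: Eval(K, x) == Eval(K_S, x) for every x outside S."""
    ks = puncture(k, s)
    return all(eval_punctured(ks, x) == eval_full(k, x)
               for x in range(2 ** N_BITS) if x not in s)


def punctured_points_unavailable(k: bytes, s: Set[int]) -> bool:
    """The punctured key yields no value at any x in S (the basis of property 2)."""
    ks = puncture(k, s)
    return all(eval_punctured(ks, x) is None for x in s)
```

Running functionality_preserved over all 256 inputs is feasible only because the toy input length is 8 bits; for a real n(λ) the same code is correct but the check would be spot-tested. The key size bound is worth noting for the construction that uses it: puncturing at a polynomial-size S costs at most n(λ)·|S| seeds, which is what keeps the punctured key, and anything embedding it, polynomial in λ.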