
Adaptively Secure MPC with Sublinear Communication Complexity

Research Article
Journal of Cryptology

Abstract

A central challenge in the study of MPC is to balance between security guarantees, hardness assumptions, and resources required for the protocol. In this work, we study the cost of tolerating adaptive corruptions in MPC protocols under various corruption thresholds. In the strongest setting, we consider adaptive corruptions of an arbitrary number of parties (potentially all) and achieve the following results: (1) A two-round secure function evaluation (SFE) protocol in the CRS model, assuming LWE and indistinguishability obfuscation (iO). The communication, the CRS size, and the online computation are sublinear in the size of the function. The iO assumption can be replaced by secure erasures. Previous results required either the communication or the CRS size to be polynomial in the function size. (2) Under the same assumptions, we construct a “Bob-optimized” 2PC (where Alice talks first, Bob second, and Alice learns the output). That is, the communication complexity and total computation of Bob are sublinear in the function size and in Alice’s input size. We prove impossibility of “Alice-optimized” protocols. (3) Assuming LWE, we bootstrap adaptively secure NIZK arguments to achieve proof size sublinear in the circuit size of the NP relation. On a technical level, our results are based on laconic function evaluation (LFE) (Quach, Wee, and Wichs, FOCS’18) and shed light on an interesting duality between LFE and FHE. Next, we analyze adaptive corruptions of all-but-one of the parties and show a two-round SFE protocol in the threshold-PKI model (where keys of a threshold FHE scheme are pre-shared among the parties) with communication complexity sublinear in the circuit size, assuming LWE and NIZK. Finally, we consider the honest-majority setting and show a two-round SFE protocol with guaranteed output delivery under the same constraints. 
Our results highlight that the asymptotic cost of adaptive security can be reduced to be comparable to, and in many settings almost match, that of static security, with only a little sacrifice to the concrete round complexity and asymptotic communication complexity.


Notes

  1. We note that in certain cases it is reasonable to erase the random coins, e.g., when encrypting a message it is normally fine not to store the encryption randomness; however, in some cases a party cannot erase all of its random tape, e.g., when sending a public encryption key it is normally essential to store the decryption key. We refer the reader to [21, 23] for further discussion on secure erasures.

  2. In the uniform random string model (a.k.a. the common random string model), all parties receive a uniformly random string generated in a trusted setup phase. In the structured random string model (a.k.a. the common reference string model), the common string is sampled according to some pre-defined distribution.

  3. The protocols in [27, 41] use the CLOS compiler [24] to get malicious security. Since the communication of previously known adaptively secure ZK protocols depends on the NP relation (see [47, 64, 78] and references therein), the communication of the maliciously secure protocols depended on the CRS. Our short NIZK (Theorem 1.3) can be used to reduce the communication of [27, 41] in the malicious setting as well.

  4. The protocol in [29] considers the RAM complexity of the computation; hence, the CRS depends on the size of the RAM program. See further discussion in Sect. 1.3.

  5. The basic construction in [86] holds under the standard LWE assumption; however, for the purpose of (semi-) malicious MPC, in which the inputs to the protocol can be chosen adaptively, after the URS is published, the stronger variant is required.

  6. Another approach for compact MPC is using function secret sharing (FSS) [18, 19]. This approach does not seem to support adaptive corruptions.

  7. In the semi-malicious setting, the adversary follows the protocol as in the semi-honest case, but he can choose arbitrary random coins for corrupted parties.

  8. We emphasize that the lower bounds hold given a public-coin setup, where all parties get the same information, and do not hold given a private-coin setup such as threshold PKI.

  9. Other properties such as privacy and independence of inputs are always required to hold.

  10. Recall that a dummy party in UC acts as a “router” passing every message it receives from the environment to the ideal functionality and vice versa, see Appendix B.2.

  11. This is effectively the compiler from semi-adaptive security to adaptive security of Garay et al. [48].

  12. Recall that \({\lambda } \) denotes the empty string.

  13. We note that the same problem arises also in the threshold FHE scheme for more general access structures [17, Def. 5.5] where the simulation is defined only for maximal invalid party sets.

  14. The coins that determine \(({\textsf{s}}_i^1,\ldots ,{\textsf{s}}_i^n)\) can be, for example, an encoding of the first \(n-1\) elements \(({\textsf{s}}_i^1,\ldots ,{\textsf{s}}_i^{n-1})\), which fully determine \({\textsf{s}}_i^n\).

  15. Note that unlike the TEFHE keys, the NCE keys can only be used an a priori bounded number of times.

  16. Recently, Boneh et al. [17] showed that this problem can be overcome in a different way, by using a special secret sharing scheme that ensures the Lagrange coefficients are binary values.

  17. Without loss of generality, we can assume that \(({\textsf{s}}_i^1,\ldots ,{\textsf{s}}_i^n)\) fully determine the coins used to sample \(e_i\) and to share it.

  18. We assume that all the communication is authenticated yet visible to the adversary; formally, we work in the \({\mathcal {F}}_{\textsf{auth}}\)-hybrid model.

  19. The ideal-process adversary may never release messages from the ideal functionality to the dummy parties and so termination of the computation is not guaranteed. In order to rule out trivial protocols that never produce output, we follow [24] and consider non-trivial protocols that have the following property: if the real-model adversary delivers all messages and does not corrupt any parties, then the ideal-process adversary also delivers all messages and does not corrupt any parties. We note that using techniques from [75] guaranteed termination can be enforced.

References

  1. M. Ajtai. Generating hard instances of the short basis problem. In Proceedings of the 26th International Colloquium on Automata, Languages, and Programming (ICALP), pages 1–9, 1999.

  2. J. Alwen and C. Peikert. Generating shorter bases for hard random lattices. In Proceedings of the 26th International Symposium on Theoretical Aspects of Computer Science STACS, pages 75–86, 2009.

  3. P. Ananth, A. R. Choudhuri, A. Goel, and A. Jain. Round-optimal secure multiparty computation with honest majority. In Advances in Cryptology – CRYPTO 2018, part II, pages 395–424, 2018.

  4. P. Ananth, S. Badrinarayanan, A. Jain, N. Manohar, and A. Sahai. From FE combiners to secure MPC and back. In Proceedings of the 17th Theory of Cryptography Conference, TCC 2019, part I, pages 199–228, 2019.

  5. G. Asharov, A. Jain, A. López-Alt, E. Tromer, V. Vaikuntanathan, and D. Wichs. Multiparty computation with low communication, computation and interaction via threshold FHE. In Advances in Cryptology – EUROCRYPT 2012, pages 483–501, 2012.

  6. S. Badrinarayanan, A. Jain, N. Manohar, and A. Sahai. Secure MPC: laziness leads to GOD. In Advances in Cryptology – ASIACRYPT 2020, part III, pages 120–150, 2020.

  7. B. Barak and A. Sahai. How to play almost any mental game over the net - concurrent composition via super-polynomial simulation. In Proceedings of the 46th Annual Symposium on Foundations of Computer Science (FOCS), pages 543–552, 2005.

  8. B. Barak, R. Canetti, J. B. Nielsen, and R. Pass. Universally composable protocols with relaxed set-up assumptions. In Proceedings of the 45th Annual Symposium on Foundations of Computer Science (FOCS), pages 186–195, 2004.

  9. D. Beaver. Plug and play encryption. In Advances in Cryptology – CRYPTO ’97, pages 75–89, 1997.

  10. D. Beaver and S. Haber. Cryptographic protocols provably secure against dynamic adversaries. In Advances in Cryptology – EUROCRYPT ’92, pages 307–323, 1992.

  11. M. Ben-Or, S. Goldwasser, and A. Wigderson. Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract). In Proceedings of the 20th Annual ACM Symposium on Theory of Computing (STOC), pages 1–10, 1988.

  12. R. Bendlin, I. Damgård, C. Orlandi, and S. Zakarias. Semi-homomorphic encryption and multiparty computation. In Advances in Cryptology – EUROCRYPT 2011, pages 169–188, 2011.

  13. F. Benhamouda, H. Lin, A. Polychroniadou, and M. Venkitasubramaniam. Two-round adaptively secure multiparty computation from standard assumptions. In Proceedings of the 16th Theory of Cryptography Conference, TCC 2018, part I, pages 175–205, 2018.

  14. N. Bitansky, S. Garg, H. Lin, R. Pass, and S. Telang. Succinct randomized encodings and their applications. In Proceedings of the 47th Annual ACM Symposium on Theory of Computing (STOC), pages 439–448, 2015.

  15. N. Bitansky, R. Canetti, S. Garg, J. Holmgren, A. Jain, H. Lin, R. Pass, S. Telang, and V. Vaikuntanathan. Indistinguishability obfuscation for RAM programs and succinct randomized encodings. SIAM Journal on Computing, 47 (3): 1123–1210, 2018.

  16. D. Boneh and X. Boyen. Efficient selective-id secure identity-based encryption without random oracles. In Advances in Cryptology – EUROCRYPT 2004, pages 223–238, 2004.

  17. D. Boneh, R. Gennaro, S. Goldfeder, A. Jain, S. Kim, P. M. R. Rasmussen, and A. Sahai. Threshold cryptosystems from threshold fully homomorphic encryption. In Advances in Cryptology – CRYPTO 2018, part I, pages 565–596, 2018.

  18. E. Boyle, N. Gilboa, and Y. Ishai. Breaking the circuit size barrier for secure computation under DDH. In Advances in Cryptology – CRYPTO 2016, part I, pages 509–539, 2016.

  19. E. Boyle, N. Gilboa, and Y. Ishai. Group-based secure computation: Optimizing rounds, communication, and computation. In Advances in Cryptology – EUROCRYPT 2017, part II, pages 163–193, 2017.

  20. E. Boyle, R. Cohen, D. Data, and P. Hubáček. Must the communication graph of MPC protocols be an expander? In Advances in Cryptology – CRYPTO 2018, part III, pages 243–272, 2018.

  21. R. Canetti. Security and composition of multiparty cryptographic protocols. Journal of Cryptology, 13 (1): 143–202, 2000.

  22. R. Canetti. Universally composable security: A new paradigm for cryptographic protocols. In Proceedings of the 42nd Annual Symposium on Foundations of Computer Science (FOCS), pages 136–145, 2001.

  23. R. Canetti, U. Feige, O. Goldreich, and M. Naor. Adaptively secure multi-party computation. In Proceedings of the 28th Annual ACM Symposium on Theory of Computing (STOC), pages 639–648, 1996.

  24. R. Canetti, Y. Lindell, R. Ostrovsky, and A. Sahai. Universally composable two-party and multi-party secure computation. In Proceedings of the 34th Annual ACM Symposium on Theory of Computing (STOC), pages 494–503, 2002.

  25. R. Canetti, I. Damgård, S. Dziembowski, Y. Ishai, and T. Malkin. Adaptive versus non-adaptive security of multi-party protocols. Journal of Cryptology, 17 (3): 153–207, 2004.

  26. R. Canetti, R. Pass, and A. Shelat. Cryptography from sunspots: How to use an imperfect reference string. In Proceedings of the 48th Annual Symposium on Foundations of Computer Science (FOCS), pages 249–259, 2007.

  27. R. Canetti, S. Goldwasser, and O. Poburinnaya. Adaptively secure two-party computation from indistinguishability obfuscation. In Proceedings of the 12th Theory of Cryptography Conference, TCC 2015, part II, pages 557–585, 2015.

  28. R. Canetti, J. Holmgren, A. Jain, and V. Vaikuntanathan. Succinct garbling and indistinguishability obfuscation for RAM programs. In Proceedings of the 47th Annual ACM Symposium on Theory of Computing (STOC), pages 429–437, 2015.

  29. R. Canetti, O. Poburinnaya, and M. Venkitasubramaniam. Better two-round adaptive multi-party computation. In Proceedings of the 20th International Conference on the Theory and Practice of Public-Key Cryptography (PKC), part II, pages 396–427, 2017.

  30. R. Canetti, O. Poburinnaya, and M. Venkitasubramaniam. Equivocating yao: constant-round adaptively secure multiparty computation in the plain model. In Proceedings of the 49th Annual ACM Symposium on Theory of Computing (STOC), pages 497–509, 2017.

  31. D. Chaum, C. Crépeau, and I. Damgård. Multiparty unconditionally secure protocols (extended abstract). In Proceedings of the 20th Annual ACM Symposium on Theory of Computing (STOC), pages 11–19, 1988.

  32. C. Cho, N. Döttling, S. Garg, D. Gupta, P. Miao, and A. Polychroniadou. Laconic oblivious transfer and its applications. In Advances in Cryptology – CRYPTO 2017, part II, pages 33–65, 2017.

  33. S. G. Choi, D. Dachman-Soled, T. Malkin, and H. Wee. Improved non-committing encryption with applications to adaptively secure protocols. In Advances in Cryptology – ASIACRYPT 2009, pages 287–302, 2009.

  34. R. Cleve. Limits on the security of coin flips when half the processors are faulty (extended abstract). In Proceedings of the 18th Annual ACM Symposium on Theory of Computing (STOC), pages 364–369, 1986.

  35. R. Cohen. Asynchronous secure multiparty computation in constant time. In Proceedings of the 19th International Conference on the Theory and Practice of Public-Key Cryptography (PKC), part II, pages 183–207, 2016.

  36. R. Cohen and Y. Lindell. Fairness versus guaranteed output delivery in secure multiparty computation. Journal of Cryptology, 30 (4): 1157–1186, 2017.

  37. R. Cohen and C. Peikert. On adaptively secure multiparty computation with a short CRS. In Proceedings of the 10th Conference on Security and Cryptography for Networks (SCN), pages 129–146, 2016.

  38. R. Cohen, J. A. Garay, and V. Zikas. Completeness theorems for adaptively secure broadcast, 2021. https://eprint.iacr.org/2021/775.

  39. R. Cramer, I. Damgård, S. Dziembowski, M. Hirt, and T. Rabin. Efficient multiparty computations secure against an adaptive adversary. In Advances in Cryptology – EUROCRYPT ’99, pages 311–326, 1999.

  40. D. Dachman-Soled, T. Malkin, M. Raykova, and M. Venkitasubramaniam. Adaptive and concurrent secure computation from new adaptive, non-malleable commitments. In Advances in Cryptology – ASIACRYPT 2013, part I, pages 316–336, 2013.

  41. D. Dachman-Soled, J. Katz, and V. Rao. Adaptively secure, universally composable, multiparty computation in constant rounds. In Proceedings of the 12th Theory of Cryptography Conference, TCC 2015, part II, pages 586–613, 2015.

  42. I. Damgård and Y. Ishai. Constant-round multiparty computation using a black-box pseudorandom generator. In Advances in Cryptology – CRYPTO 2005, pages 378–394, 2005.

  43. I. Damgård and J. B. Nielsen. Improved non-committing encryption schemes based on a general complexity assumption. In Advances in Cryptology – CRYPTO 2000, pages 432–450, 2000.

  44. I. Damgård and J. B. Nielsen. Universally composable efficient multiparty computation from threshold homomorphic encryption. In Advances in Cryptology – CRYPTO 2003, pages 247–264, 2003.

  45. I. Damgård, V. Pastro, N. P. Smart, and S. Zakarias. Multiparty computation from somewhat homomorphic encryption. In Advances in Cryptology – CRYPTO 2012, pages 643–662, 2012.

  46. I. Damgård, A. Polychroniadou, and V. Rao. Adaptively secure multi-party computation from LWE (via equivocal FHE). In Proceedings of the 19th International Conference on the Theory and Practice of Public-Key Cryptography (PKC), part II, pages 208–233, 2016.

  47. C. Ganesh, Y. Kondi, A. Patra, and P. Sarkar. Efficient adaptively secure zero-knowledge from garbled circuits. In Proceedings of the 21st International Conference on the Theory and Practice of Public-Key Cryptography (PKC), part II, pages 499–529, 2018.

  48. J. A. Garay, D. Wichs, and H. Zhou. Somewhat non-committing encryption and efficient adaptively secure oblivious transfer. In Advances in Cryptology – CRYPTO 2009, pages 505–523, 2009.

  49. J. A. Garay, Y. Ishai, R. Ostrovsky, and V. Zikas. The price of low communication in secure multi-party computation. In Advances in Cryptology – CRYPTO 2017, part I, pages 420–446, 2017.

  50. S. Garg and A. Polychroniadou. Two-round adaptively secure MPC from indistinguishability obfuscation. In Proceedings of the 12th Theory of Cryptography Conference, TCC 2015, part II, pages 614–637, 2015.

  51. S. Garg and A. Sahai. Adaptively secure multi-party computation with dishonest majority. In Advances in Cryptology – CRYPTO 2012, pages 105–123, 2012.

  52. R. Gennaro, Y. Ishai, E. Kushilevitz, and T. Rabin. On 2-round secure multiparty computation. In Advances in Cryptology – CRYPTO 2002, pages 178–193, 2002.

  53. C. Gentry. Fully homomorphic encryption using ideal lattices. In Proceedings of the 41st Annual ACM Symposium on Theory of Computing (STOC), pages 169–178, 2009.

  54. C. Gentry and D. Wichs. Separating succinct non-interactive arguments from all falsifiable assumptions. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing (STOC), pages 99–108, 2011.

  55. C. Gentry, C. Peikert, and V. Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. In Proceedings of the 40th Annual ACM Symposium on Theory of Computing (STOC), pages 197–206, 2008.

  56. C. Gentry, A. Sahai, and B. Waters. Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based. In Advances in Cryptology – CRYPTO 2013, part I, pages 75–92, 2013.

  57. C. Gentry, J. Groth, Y. Ishai, C. Peikert, A. Sahai, and A. D. Smith. Using fully homomorphic hybrid encryption to minimize non-interactive zero-knowledge proofs. Journal of Cryptology, 28 (4): 820–843, 2015.

  58. O. Goldreich, S. Micali, and A. Wigderson. How to play any mental game or a completeness theorem for protocols with honest majority. In Proceedings of the 19th Annual ACM Symposium on Theory of Computing (STOC), pages 218–229, 1987.

  59. S. Gorbunov, V. Vaikuntanathan, and D. Wichs. Leveled fully homomorphic signatures from standard lattices. In Proceedings of the 47th Annual ACM Symposium on Theory of Computing (STOC), pages 469–477, 2015.

  60. S. D. Gordon, F. Liu, and E. Shi. Constant-round MPC with fairness and guarantee of output delivery. In Advances in Cryptology – CRYPTO 2015, part II, pages 63–82, 2015.

  61. J. Groth. Short pairing-based non-interactive zero-knowledge arguments. In Advances in Cryptology – ASIACRYPT 2010, pages 321–340, 2010.

  62. J. Groth, R. Ostrovsky, and A. Sahai. New techniques for noninteractive zero-knowledge. Journal of the ACM, 59 (3): 11:1–11:35, 2012.

  63. C. Hazay and A. Patra. Efficient one-sided adaptively secure computation. Journal of Cryptology, 30 (1): 321–371, 2017.

  64. C. Hazay and M. Venkitasubramaniam. On the power of secure two-party computation. In Advances in Cryptology – CRYPTO 2016, part II, pages 397–429, 2016.

  65. C. Hazay and M. Venkitasubramaniam. Composable adaptive secure protocols without setup under polytime assumptions. In Proceedings of the 14th Theory of Cryptography Conference, TCC 2016-B, part I, pages 400–432, 2016.

  66. C. Hazay, Y. Lindell, and A. Patra. Adaptively secure computation with partial erasures. In Proceedings of the 34th Annual ACM Symposium on Principles of Distributed Computing (PODC), pages 291–300, 2015.

  67. C. Hazay, A. Polychroniadou, and M. Venkitasubramaniam. Constant round adaptively secure protocols in the tamper-proof hardware model. In Proceedings of the 20th International Conference on the Theory and Practice of Public-Key Cryptography (PKC), part II, pages 428–460, 2017.

  68. B. Hemenway, R. Ostrovsky, and A. Rosen. Non-committing encryption from \(\Phi \)-hiding. In Proceedings of the 12th Theory of Cryptography Conference, TCC 2015, part I, pages 591–608, 2015.

  69. B. Hemenway, R. Ostrovsky, S. Richelson, and A. Rosen. Adaptive security with quasi-optimal rate. In Proceedings of the 13th Theory of Cryptography Conference, TCC 2016-A, part I, pages 525–541, 2016.

  70. M. Hirt and V. Zikas. Adaptively secure broadcast. In Advances in Cryptology – EUROCRYPT 2010, pages 466–485, 2010.

  71. Y. Ishai, M. Prabhakaran, and A. Sahai. Founding cryptography on oblivious transfer - efficiently. In Advances in Cryptology – CRYPTO 2008, pages 572–591, 2008.

  72. Y. Ishai, M. Prabhakaran, and A. Sahai. Secure arithmetic computation with no honest majority. In Proceedings of the 6th Theory of Cryptography Conference, TCC 2009, pages 294–314, 2009.

  73. Y. Ishai, O. Pandey, and A. Sahai. Public-coin differing-inputs obfuscation and its applications. In Proceedings of the 12th Theory of Cryptography Conference, TCC 2015, part II, pages 668–697, 2015.

  74. J. Katz and R. Ostrovsky. Round-optimal secure two-party computation. In Advances in Cryptology – CRYPTO 2004, pages 335–354, 2004.

  75. J. Katz, U. Maurer, B. Tackmann, and V. Zikas. Universally composable synchronous computation. In Proceedings of the 10th Theory of Cryptography Conference, TCC 2013, pages 477–498, 2013.

  76. J. Katz, A. Thiruvengadam, and H. Zhou. Feasibility and infeasibility of adaptively secure fully homomorphic encryption. In Proceedings of the 16th International Conference on the Theory and Practice of Public-Key Cryptography (PKC), pages 14–31, 2013.

  77. Y. Lindell. Adaptively secure two-party computation with erasures. In Proceedings of the Cryptographers’ Track at the RSA Conference (CT-RSA), pages 117–132, 2009.

  78. Y. Lindell and H. Zarosim. Adaptive zero-knowledge proofs and adaptively secure oblivious transfer. Journal of Cryptology, 24 (4): 761–799, 2011.

  79. D. Micciancio and C. Peikert. Trapdoors for lattices: Simpler, tighter, faster, smaller. In Advances in Cryptology – EUROCRYPT 2012, pages 700–718, 2012.

  80. P. Mukherjee and D. Wichs. Two round multiparty computation via multi-key FHE. In Advances in Cryptology – EUROCRYPT 2016, part II, pages 735–763, 2016.

  81. M. Naor and M. Yung. Public-key cryptosystems provably secure against chosen ciphertext attacks. In Proceedings of the 22nd Annual ACM Symposium on Theory of Computing (STOC), pages 427–437, 1990.

  82. J. B. Nielsen. Separating random oracle proofs from complexity theoretic proofs: The non-committing encryption case. In Advances in Cryptology – CRYPTO 2002, pages 111–126, 2002.

  83. J. B. Nielsen, P. S. Nordholt, C. Orlandi, and S. S. Burra. A new approach to practical active-secure two-party computation. In Advances in Cryptology – CRYPTO 2012, pages 681–700, 2012.

  84. A. O’Neill, C. Peikert, and B. Waters. Bi-deniable public-key encryption. In Advances in Cryptology – CRYPTO 2011, pages 525–542, 2011.

  85. A. Patra and D. Ravi. On the exact round complexity of secure three-party computation. In Advances in Cryptology – CRYPTO 2018, part II, pages 425–458, 2018.

  86. W. Quach, H. Wee, and D. Wichs. Laconic function evaluation and applications. In Proceedings of the 59th Annual Symposium on Foundations of Computer Science (FOCS), pages 859–870, 2018.

  87. T. Rabin and M. Ben-Or. Verifiable secret sharing and multiparty protocols with honest majority (extended abstract). In Proceedings of the 30th Annual Symposium on Foundations of Computer Science (FOCS), pages 73–85, 1989.

  88. O. Regev. On lattices, learning with errors, random linear codes, and cryptography. In Proceedings of the 37th Annual ACM Symposium on Theory of Computing (STOC), pages 84–93, 2005.

  89. J. Rompel. One-way functions are necessary and sufficient for secure signatures. In Proceedings of the 22nd Annual ACM Symposium on Theory of Computing (STOC), pages 387–394, 1990.

  90. A. Sahai and B. Waters. How to use indistinguishability obfuscation: deniable encryption, and more. In Proceedings of the 46th Annual ACM Symposium on Theory of Computing (STOC), pages 475–484, 2014.

  91. A. Shamir. How to share a secret. Communications of the ACM, 22 (11): 612–613, 1979.

  92. M. Venkitasubramaniam. On adaptively secure protocols. In Proceedings of the 9th Conference on Security and Cryptography for Networks (SCN), pages 455–475, 2014.

  93. A. C. Yao. How to generate and exchange secrets (extended abstract). In Proceedings of the 27th Annual Symposium on Foundations of Computer Science (FOCS), pages 162–167, 1986.

Acknowledgements

We thank the anonymous reviewers for many helpful comments.

Corresponding author

Correspondence to Ran Cohen.

Additional information

Communicated by Jonathan Katz

A preliminary version of this work appeared at CRYPTO 2019.

Ran Cohen: Some of this work was done while the author was working at Boston University and Northeastern University, and supported by the Northeastern University Cybersecurity and Privacy Institute Post-doctoral fellowship, NSF grant TWC-1664445, NSF grant 1422965, and by the NSF MACS project. Abhi Shelat: Research supported by NSF grant TWC-1664445 and a Google Faculty fellowship. Daniel Wichs: Research supported by NSF grants CNS-1314722, CNS-1413964, CNS-1750795 and the Alfred P. Sloan Research Fellowship.

This paper was reviewed by Fabrice Benhamouda.

Appendices

Preliminaries (Cont’d)

In Appendix A.1, we define the LWE and adaptive LWE assumptions. In Appendix A.2, we formally define the cryptographic primitives used in the paper.

1.1 Cryptographic Assumptions

1.1.1 Learning With Errors

The decisional learning with errors (LWE) problem, introduced by Regev [88], is defined as follows.

Definition A.1

(decision LWE) Let \(n = n({\kappa })\) and \(q = q({\kappa })\) be integer parameters and \(\chi = \chi ({\kappa })\) be a distribution over \({{\mathbb {Z}}}\). The learning with errors (LWE) assumption \(\textsf{LWE}_{n,q,\chi }\) states that for all polynomials \(m = {\text {poly}}({\kappa })\) the following distributions are computationally indistinguishable:

$$\begin{aligned} ({{\textbf {A}}}, {\varvec{s}}^T{{\textbf {A}}}+{\varvec{e}}){\mathop {\equiv }\limits ^{\textrm{c}}}({{\textbf {A}}},{\varvec{u}}), \end{aligned}$$

where \({{\textbf {A}}}\leftarrow {{\mathbb {Z}}}_q^{n\times m}{}\), \({\varvec{s}}\leftarrow {{\mathbb {Z}}}_q^n\), \({\varvec{e}}\leftarrow \chi ^m\), and \({\varvec{u}}\leftarrow {{\mathbb {Z}}}_q^m\).

We rely on LWE security with the following range of parameters. We assume that for any polynomial \(p = p({\kappa }) = {\text {poly}}({\kappa })\) there exists some polynomial \(n = n({\kappa }) = {\text {poly}}({\kappa })\), some \(q = q({\kappa }) = 2^{{\text {poly}}({\kappa })}\), and some \(B = B({\kappa })\)-bounded distribution \(\chi = \chi ({\kappa })\) such that \(q/B \ge 2^p\) and the \(\textsf{LWE}_{n,q,\chi }\) assumption holds. Throughout the paper, the LWE assumption without further specification refers to the above parameters. The sub-exponentially secure LWE assumption further assumes that \(\textsf{LWE}_{n,q,\chi }\) with the above parameters is sub-exponentially secure, meaning that there exists some \(\epsilon > 0\) such that the distinguishing advantage of any polynomial-time distinguisher is \(2^{-{\kappa } ^\epsilon }\).

1.1.2 Adaptive Learning With Errors

Quach et al. [86] used the following natural variant of the LWE problem, denoted adaptive LWE.

Definition A.2

(decision ALWE) We define the decision adaptive LWE assumption \(\textsf{ALWE}_{n,k,q,\chi }\) with parameters \(n,k,q \in {{\mathbb {Z}}}\) and a distribution \(\chi \) over \({{\mathbb {Z}}}\), all of which are parametrized by the security parameter \({\kappa } \). Let . We let \({{\textbf {G}}}\in {{\mathbb {Z}}}^{n\times m}\) be the gadget matrix (as defined in [79], see also Appendix C.1). For any polynomial \(m'=m'({\kappa })\), we consider the following two games \({\textsc {GAME} }^\beta \) for \(\beta \in \{0,1\}\), between a challenger and an adversary \(\mathcal{A} \).

  • The Challenger picks k random matrices \(A_ i \leftarrow {{\mathbb {Z}}}_q^{n\times m}\) for \(i\in [k]\), and sends them to \(\mathcal{A} \).

  • \(\mathcal{A} \) adaptively picks \(x_1,\ldots ,x_k \in \{0,1\}\), and sends them to the Challenger.

  • The Challenger samples \({\varvec{s}}\leftarrow {{\mathbb {Z}}}_q^n\) and computes for all \(i\in [k]\)

    $$\begin{aligned} \left\{ \begin{array}{ll} {\varvec{b}}_i={\varvec{s}}^T({{\textbf {A}}}_i-x_i\cdot {{\textbf {G}}}) +{\varvec{e}}_i \text { where } {\varvec{e}}_i\leftarrow \chi ^m, &{} \hbox {if }\beta =0. \\ {\varvec{b}}_i\leftarrow {{\mathbb {Z}}}_q^m, &{} \hbox {if }\beta =1. \end{array} \right. \end{aligned}$$

    The Challenger also picks \({{\textbf {A}}}_{k+1}\leftarrow {{\mathbb {Z}}}_q^{n\times m'}\) and computes

    $$\begin{aligned} \left\{ \begin{array}{ll} {\varvec{b}}_{k+1}={\varvec{s}}^T{{\textbf {A}}}_{k+1}+{\varvec{e}}_{k+1} \text { where } {\varvec{e}}_{k+1}\leftarrow \chi ^{m'}, &{} \hbox {if }\beta =0. \\ {\varvec{b}}_{k+1}\leftarrow {{\mathbb {Z}}}_q^{m'}, &{} \hbox {if }\beta =1. \end{array} \right. \end{aligned}$$

    The challenger sends \({{\textbf {A}}}_{k+1}\) and \(\{{\varvec{b}}_i\}_{i\in [k+1]}\) to the adversary.

The \(\textsf{ALWE}_{n,k,q,\chi }\) assumption states that for all polynomials \(m = m({\kappa })\), the games \({\textsc {GAME} }^0\) and \({\textsc {GAME} }^1\) are computationally indistinguishable.
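To make the two definitions concrete, the following added example (not code from the paper or its authors) builds a decision-LWE sample as in Definition A.1 and plays the adaptive game \({\textsc {GAME} }^\beta \) of Definition A.2 with both the Challenger's and the adversary's messages. It uses toy parameters (n = 8, q = 2^10, a B-bounded error with B = 3) that are far too small for security and exist only to show the shape of the samples; the gadget matrix is the standard \(I_n \otimes (1,2,\ldots,2^{\lceil \log q\rceil -1})\) of [79], the "parity adversary" that chooses \(x_i\) from the matrices it receives is a constructed stand-in for an arbitrary adaptive \(\mathcal{A}\), and the checking functions use the Challenger's secret \({\varvec{s}}\) only to show that, in the \(\beta =0\) case, \({\varvec{b}}_i - {\varvec{s}}^T({{\textbf {A}}}_i - x_i{{\textbf {G}}})\) recovers a B-bounded error while a uniform \({\varvec{b}}_i\) leaves a uniform residual.

```python
"""Toy decision-LWE sample (Def. A.1) and adaptive-LWE game (Def. A.2).
All parameters below are constructed for illustration and are NOT secure."""
import random

N = 8                        # secret dimension n
Q = 1 << 10                  # modulus q (a power of two keeps the gadget simple)
B = 3                        # error distribution chi: uniform on {-B, ..., B}
LOG_Q = Q.bit_length() - 1   # ceil(log q) = 10
M = N * LOG_Q                # gadget width m = n * ceil(log q)


def sample_matrix(rng, rows, cols):
    """Uniform matrix over Z_q, stored as a list of rows."""
    return [[rng.randrange(Q) for _ in range(cols)] for _ in range(rows)]


def sample_error(rng, length):
    """B-bounded error vector e <- chi^length."""
    return [rng.randint(-B, B) for _ in range(length)]


def vec_mat(s, A):
    """s^T A over Z_q for s of length n and A of shape n x m."""
    return [sum(s[i] * A[i][j] for i in range(len(s))) % Q for j in range(len(A[0]))]


def vec_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]


def centered(x):
    """Representative of x mod q in (-q/2, q/2], so small errors read as small ints."""
    x %= Q
    return x - Q if x > Q // 2 else x


def gadget_matrix():
    """G = I_n (x) (1, 2, 4, ..., 2^{log q - 1}) in Z_q^{n x m}, as in [79]."""
    G = [[0] * M for _ in range(N)]
    for i in range(N):
        for j in range(LOG_Q):
            G[i][i * LOG_Q + j] = 1 << j
    return G


def shift_by_gadget(A, x, G):
    """A - x*G over Z_q (x is a bit, so this is A or A - G)."""
    return [[(A[r][c] - x * G[r][c]) % Q for c in range(len(A[0]))] for r in range(len(A))]


def residual_is_small(s, A, b):
    """Given s, b - s^T A equals e for a real LWE sample (entries in [-B, B]);
    for a uniform b the residual is uniform over Z_q and this check fails w.h.p."""
    return all(abs(centered(bi - ai)) <= B for bi, ai in zip(b, vec_mat(s, A)))


def lwe_demo(m=64, seed=1):
    """Definition A.1: (A, s^T A + e) versus (A, u). Returns (check on real, check on uniform)."""
    rng = random.Random(seed)
    s = [rng.randrange(Q) for _ in range(N)]
    A = sample_matrix(rng, N, m)
    b = vec_add(vec_mat(s, A), sample_error(rng, m))
    u = [rng.randrange(Q) for _ in range(m)]
    return residual_is_small(s, A, b), residual_is_small(s, A, u)


def parity_adversary(As):
    """Constructed adaptive choice: x_i is the low bit of the first entry of A_i."""
    return [A[0][0] & 1 for A in As]


def alwe_game(rng, beta, k, m_prime, adversary):
    """GAME^beta of Definition A.2. Returns the adversary's view and the secret s
    (the secret is returned only so the example can be checked afterwards)."""
    G = gadget_matrix()
    As = [sample_matrix(rng, N, M) for _ in range(k)]       # Challenger -> A: A_1..A_k
    xs = adversary(As)                                      # A -> Challenger: x_1..x_k
    assert len(xs) == k and all(x in (0, 1) for x in xs)
    s = [rng.randrange(Q) for _ in range(N)]
    bs, A_last = [], sample_matrix(rng, N, m_prime)
    for A_i, x_i in zip(As, xs):
        if beta == 0:
            bs.append(vec_add(vec_mat(s, shift_by_gadget(A_i, x_i, G)), sample_error(rng, M)))
        else:
            bs.append([rng.randrange(Q) for _ in range(M)])
    if beta == 0:
        b_last = vec_add(vec_mat(s, A_last), sample_error(rng, m_prime))
    else:
        b_last = [rng.randrange(Q) for _ in range(m_prime)]
    return {"As": As, "xs": xs, "bs": bs, "A_last": A_last, "b_last": b_last}, s


def alwe_demo(beta, k=4, m_prime=16, seed=1):
    """Play GAME^beta and, with the secret, test whether every b_i is an LWE sample
    relative to A_i - x_i G. True for beta = 0, False (w.h.p.) for beta = 1."""
    view, s = alwe_game(random.Random(seed), beta, k, m_prime, parity_adversary)
    G = gadget_matrix()
    ok = all(residual_is_small(s, shift_by_gadget(A_i, x_i, G), b_i)
             for A_i, x_i, b_i in zip(view["As"], view["xs"], view["bs"]))
    return ok and residual_is_small(s, view["A_last"], view["b_last"])


if __name__ == "__main__":
    print("LWE sample / uniform pass the B-bounded check:", lwe_demo())
    print("GAME^0 consistent with s:", alwe_demo(0), " GAME^1 consistent with s:", alwe_demo(1))
```

The point of the `residual_is_small` check is the parameter condition stated after Definition A.1: with \(q/B\) large, anyone holding \({\varvec{s}}\) can separate the two distributions perfectly, while the assumption is that without \({\varvec{s}}\) they are indistinguishable; the adaptive variant differs only in that \(x_i\) is chosen after \({{\textbf {A}}}_i\) is seen, which the game function reproduces by querying the adversary before sampling \({\varvec{s}}\).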

1.2 Cryptographic Primitives

1.2.1 Laconic Function Evaluation

Quach et al. [86] introduced the notion of laconic function evaluation (LFE), and constructed an LFE scheme for all circuits under the adaptive LWE assumption. At a high level, LFE allows one to “compress” a function into a short digest that enables encrypting the input to the function as a short ciphertext. The size of the digest and the ciphertext (and therefore the computational cost of the encryption algorithm) only depend on the depth of the circuit representing the function and are independent of the circuit size.

Quach et al. [86] considered another variant of LFE that is function-hiding, meaning that the digest hides all partial information about the underlying function. Following [86], we assume that the circuit class \({{\mathcal {C}}}\) associates every circuit \(C\in {{\mathcal {C}}}\) with some circuit parameters \(C.\textsf{params}\) that remain unhidden. Unless specified otherwise, we will consider \({{\mathcal {C}}}\) to be the class of all circuits with \(C.\textsf{params}= (1^{\ell _\textsf {in}}, 1^{\ell _\textsf {out}}, 1^d)\) consisting of the input size \({\ell _\textsf {in}}\), output size \({\ell _\textsf {out}}\), and the depth \(d\) of the circuit.

Definition A.3

(LFE) A laconic function evaluation (LFE) scheme for a class of circuits \({{\mathcal {C}}}\) consists of four algorithms \(\Pi =(\mathsf {LFE.crsGen}, \mathsf {LFE.Compress}, \mathsf {LFE.Enc}, \mathsf {LFE.Dec})\).

  • \(\mathsf {LFE.crsGen} (1^{\kappa },\textsf{params})\rightarrow \textsf{crs}\): given as input the security parameter and circuit parameters \(\textsf{params}\), the CRS generation algorithm outputs a uniformly random common random string \(\textsf{crs}\).

  • \(\mathsf {LFE.Compress} (\textsf{crs},C)\rightarrow \textsf{digest}_C\): given as input the common random string \(\textsf{crs}\) and a circuit \(C \in {{\mathcal {C}}}\), the compression algorithm outputs a digest \(\textsf{digest}_C\).

  • \(\mathsf {LFE.Enc} (\textsf{crs},\textsf{digest}_C,x)\rightarrow \textsf{ct}\): given as input the common random string \(\textsf{crs}\), a digest \(\textsf{digest}_C\), and a message x, the encryption algorithm outputs a ciphertext \(\textsf{ct}\).

  • \(\mathsf {LFE.Dec} (\textsf{crs},C,r,\textsf{ct})\rightarrow y\): given as input the common random string \(\textsf{crs}\), a circuit \(C \in {{\mathcal {C}}}\), the compression random coins r, and a ciphertext \(\textsf{ct}\), the deterministic decryption algorithm outputs a message y.

We require the following properties from an LFE scheme \(\Pi \):

Correctness. For every security parameter \({\kappa } \), parameters \(\textsf{params}\), and circuit \(C\in {{\mathcal {C}}}\) with \(C.\textsf{params}= \textsf{params}\) it holds that:

$$\begin{aligned} {\textrm{Pr}}\left[ \begin{array}{c|c} y=C(x) &{} \mathop {\textsf{crs}\leftarrow \mathsf {LFE.crsGen} (1^{\kappa },\textsf{params})}\limits _{\begin{array}{c} \textsf{digest}_C=\mathsf {LFE.Compress} (\textsf{crs},C;r)\\ \textsf{ct}\leftarrow \mathsf {LFE.Enc} (\textsf{crs},\textsf{digest}_C,x) \\ y=\mathsf {LFE.Dec} (\textsf{crs},C,r,\textsf{ct}) \end{array}} \end{array}\right] = 1. \end{aligned}$$

Security. There exists a PPT simulator \(\textsf{Sim}_{\textsc {lfe}} \) for the scheme \(\Pi \) such that for every stateful PPT adversary \(\mathcal{A} \), it holds that

$$\begin{aligned} \left| {\textrm{Pr}}\left[ \textsf{Expt} ^\mathsf {LFE-real} _{\Pi ,\mathcal{A}}({\kappa })=1\right] - {\textrm{Pr}}\left[ \textsf{Expt} ^\mathsf {LFE-ideal} _{\Pi ,\mathcal{A}}({\kappa })=1\right] \right| \le \textsf{negl}({\kappa }), \end{aligned}$$

for the experiments \(\textsf{Expt} ^\mathsf {LFE-real} \) and \(\textsf{Expt} ^\mathsf {LFE-ideal} \) defined below:

\(\textsf{Expt} ^\mathsf {LFE-real} _{\Pi ,\mathcal{A}}({\kappa })\):

  1. \(\textsf{params}\leftarrow \mathcal{A} (1^{\kappa })\)

  2. \(\textsf{crs}\leftarrow \mathsf {LFE.crsGen} (1^{\kappa },\textsf{params})\)

  3. \(x^*,C,r\leftarrow \mathcal{A} (\textsf{crs})\) \(\text { s.t.\ } C\in {{\mathcal {C}}}\text { and } C.\textsf{params}=\textsf{params}\)

  4. \(\textsf{digest}_C=\mathsf {LFE.Compress} (\textsf{crs},C;r)\)

  5. \(\textsf{ct}\leftarrow \mathsf {LFE.Enc} (\textsf{crs},\textsf{digest}_C,x^*)\)

  6. Output \(\mathcal{A} (\textsf{ct})\)

\(\textsf{Expt} ^\mathsf {LFE-ideal} _{\Pi ,\mathcal{A}}({\kappa })\):

  1. \(\textsf{params}\leftarrow \mathcal{A} (1^{\kappa })\)

  2. \(\textsf{crs}\leftarrow \mathsf {LFE.crsGen} (1^{\kappa },\textsf{params})\)

  3. \(x^*,C,r\leftarrow \mathcal{A} (\textsf{crs})\) \(\text { s.t.\ } C\in {{\mathcal {C}}}\text { and } C.\textsf{params}=\textsf{params}\)

  4. \(\textsf{digest}_C=\mathsf {LFE.Compress} (\textsf{crs},C;r)\)

  5. \(\textsf{ct}\leftarrow \textsf{Sim}_{\textsc {lfe}} (\textsf{crs},C,r,\textsf{digest}_C,C(x^*))\)

  6. Output \(\mathcal{A} (\textsf{ct})\)

(Statistical) Function-Hiding. An LFE scheme \(\Pi \) is function hiding if there exists a PPT simulator \(\textsf{Sim}_{\textsc {fh}} \) for the scheme \(\Pi \) such that for all stateful PPT adversary \(\mathcal{A} \), it holds that

$$\begin{aligned} \left| {\textrm{Pr}}\left[ \textsf{Expt} ^\mathsf {FH-real} _{\Pi ,\mathcal{A}}({\kappa })=1\right] - {\textrm{Pr}}\left[ \textsf{Expt} ^\mathsf {FH-ideal} _{\Pi ,\mathcal{A}}({\kappa })=1\right] \right| \le \textsf{negl}({\kappa }), \end{aligned}$$

for the experiments \(\textsf{Expt} ^\mathsf {FH-real} \) and \(\textsf{Expt} ^\mathsf {FH-ideal} \) defined below:

\(\textsf{Expt} ^\mathsf {FH-real} _{\Pi ,\mathcal{A}}({\kappa })\):

  1. \(\textsf{params}\leftarrow \mathcal{A} (1^{\kappa })\)

  2. \(\textsf{crs}\leftarrow \mathsf {LFE.crsGen} (1^{\kappa },\textsf{params})\)

  3. \(C\leftarrow \mathcal{A} (\textsf{crs})\) \(\text { s.t. } C\in {{\mathcal {C}}}\text { and } C.\textsf{params}=\textsf{params}\)

  4. \(\textsf{digest}_C\leftarrow \mathsf {LFE.Compress} (\textsf{crs},C)\)

  5. Output \(\mathcal{A} (\textsf{digest}_C)\)

\(\textsf{Expt} ^\mathsf {FH-ideal} _{\Pi ,\mathcal{A}}({\kappa })\):

  1. \(\textsf{params}\leftarrow \mathcal{A} (1^{\kappa })\)

  2. \(\textsf{crs}\leftarrow \mathsf {LFE.crsGen} (1^{\kappa },\textsf{params})\)

  3. \(C\leftarrow \mathcal{A} (\textsf{crs})\) \(\text { s.t. } C\in {{\mathcal {C}}}\text { and } C.\textsf{params}=\textsf{params}\)

  4. \(\textsf{digest}_C\leftarrow \textsf{Sim}_{\textsc {fh}} (\textsf{crs},C.\textsf{params})\)

  5. Output \(\mathcal{A} (\textsf{digest}_C)\)

Compactness. Consider the class \({{\mathcal {C}}}\) of all circuits with \(C.\textsf{params}= (1^{\ell _\textsf {in}},1^{\ell _\textsf {out}},1^d)\) consisting of the input size \({\ell _\textsf {in}}\), the output length \({\ell _\textsf {out}}\), and the depth \(d\) of the circuit. We say the LFE scheme is compact if

  • The CRS is of size \({\text {poly}}({\kappa },{\ell _\textsf {in}},d)\). The digest is of size \({\text {poly}}({\kappa })\).

  • The running time of the encryption algorithm and the size of its output (the ciphertext) are \({\tilde{O}}({\ell _\textsf {out}})\cdot {\text {poly}}({\kappa },{\ell _\textsf {in}},d)\).

  • The running time of the compression and the decryption algorithms is \({\tilde{O}}(|C|)\cdot {\text {poly}}({\kappa },{\ell _\textsf {in}},d)\).

Theorem A.4

([86]) Assuming sub-exponential hardness of LWE there exists a function-hiding LFE scheme that is compact for circuits C with \(C.\textsf{params}= (1^{\ell _\textsf {in}},1^{\ell _\textsf {out}},1^d)\) of depth \(d\), input size \({\ell _\textsf {in}}\), and output size \({\ell _\textsf {out}}\) such that the CRS is a uniform random string. Further, if the function-hiding property is not required, the compression algorithm \(\mathsf {LFE.Compress} \) can be made deterministic.

1.2.2 Explainability Compiler

The notion of an explainability compiler was introduced by Dachman-Soled et al. [41] in the context of adaptively secure MPC as an extension of the technique of Sahai and Waters [90] for constructing sender-deniable encryption. At a high level, the compiler takes any randomized algorithm \(\textsf{Alg} \) and produces an algorithm \({\widetilde{\textsf{Alg}}}\) with the same functionality and roughly the same size, along with an \(\textsf{Explain} \) algorithm. For any input/output pair \((x, y)\), the \(\textsf{Explain} \) algorithm can produce coins r such that \(y={\widetilde{\textsf{Alg}}}(x;r)\). A similar notion was also used by Canetti et al. [27].

Definition A.5

(selective explainability compiler) A PPT algorithm \(\textsf{Comp} \) is an explainability compiler with selective security for a circuit class \({{\mathcal {C}}}\) if for every efficient, randomized circuit \(\textsf{Alg} \in {{\mathcal {C}}}\), the following hold:

  • Polynomial slowdown. There is a polynomial \(p(\cdot )\) such that, for any \(({\widetilde{\textsf{Alg}}},\textsf{Explain})\) output by \(\textsf{Comp} (1^{\kappa },\textsf{Alg})\) it holds that \(|{\widetilde{\textsf{Alg}}}|\le p({\kappa })\cdot |\textsf{Alg} |\).

  • Statistical functional equivalence. With overwhelming probability over the choice of \(({\widetilde{\textsf{Alg}}},\cdot )\) as output by \(\textsf{Comp} (1^{\kappa },\textsf{Alg})\), the distribution of \({\widetilde{\textsf{Alg}}}(x)\) is statistically close to the distribution of \(\textsf{Alg} (x)\) for every input x.

  • Explainability.

    For every stateful PPT adversary \(\mathcal{A} \) it holds that

    $$\begin{aligned} \left| {\textrm{Pr}}\left[ \textsf{Expt} ^\mathsf {Explain-Static} _{\textsf{Comp},\textsf{Alg},\mathcal{A}}({\kappa })=1\right] \right| \le 1/2+\textsf{negl}({\kappa }), \end{aligned}$$

    for the experiment \(\textsf{Expt} ^\mathsf {Explain-Static} \) defined below:

\(\textsf{Expt} ^\mathsf {Explain-Static} _{\textsf{Comp},\textsf{Alg},\mathcal{A}}({\kappa })\)

\(x^*\leftarrow \mathcal{A} (1^{\kappa })\)

\(({\widetilde{\textsf{Alg}}},\textsf{Explain})\leftarrow \textsf{Comp} (1^{\kappa },\textsf{Alg})\)

Sample \(r_0 \leftarrow {\{0,1\}^*}\)

Compute \(y^*={\widetilde{\textsf{Alg}}}(x^*;r_0)\)

Compute \(r_1 \leftarrow \textsf{Explain} (x^*,y^*)\)

Sample \(b\leftarrow \{0,1\}\)

Compute \(b'\leftarrow \mathcal{A} ({\widetilde{\textsf{Alg}}},y^*,r_b)\)

Output 1 if and only if \(b' = b\)

Theorem A.6

([41]) Assuming the existence of an indistinguishability obfuscator for \(\mathsf {P/poly} \) and of one-way functions, there exists an explainability compiler with selective security for \(\mathsf {P/poly} \).

The definition and construction in [41] achieve selective security in the sense that the adversary must choose the challenge input \(x^*\) before learning the compiled algorithm \({\widetilde{\textsf{Alg}}}\). In some of our constructions, it will be simpler to use explainability compilers with adaptive security, where the adversary can choose the challenge input after seeing \({\widetilde{\textsf{Alg}}}\). We denote the adaptive game as \(\textsf{Expt} ^\mathsf {Explain-Adapt} _{\textsf{Comp},\textsf{Alg},\mathcal{A}}({\kappa })\). Adaptive security follows from selective security via complexity leveraging [16] by assuming sub-exponential security of the cryptographic primitives.

\(\textsf{Expt} ^\mathsf {Explain-Adapt} _{\textsf{Comp},\textsf{Alg},\mathcal{A}}({\kappa })\)

\(({\widetilde{\textsf{Alg}}},\textsf{Explain})\leftarrow \textsf{Comp} (1^{\kappa },\textsf{Alg})\)

\(x^*\leftarrow \mathcal{A} (1^{\kappa },{\widetilde{\textsf{Alg}}})\)

Sample \(r_0 \leftarrow {\{0,1\}^*}\)

Compute \(y^*={\widetilde{\textsf{Alg}}}(x^*;r_0)\)

Compute \(r_1 \leftarrow \textsf{Explain} (x^*,y^*)\)

Sample \(b\leftarrow \{0,1\}\)

Compute \(b'\leftarrow \mathcal{A} (y^*,r_b)\)

Output 1 if and only if \(b' = b\)

Corollary A.7

Assuming the existence of an indistinguishability obfuscator for \(\mathsf {P/poly} \) and of one-way functions, both with sub-exponential security, there exists an explainability compiler with adaptive security for \(\mathsf {P/poly} \).

1.2.3 Homomorphic Trapdoor Functions

Homomorphic trapdoor functions (HTDF) were introduced by [59] as a unification of homomorphic encryption and homomorphic signatures.

Definition A.8

(HTDF [59]) A homomorphic trapdoor function (HTDF) consists of the following five polynomial-time algorithms \((\mathsf {HTDF.Gen}, f, \mathsf {HTDF.Inv}, \mathsf {HTDF.Eval}^{{\textsf{in}}}, \mathsf {HTDF.Eval}^{{\textsf{out}}})\) with the following syntax:

  • \(\mathsf {HTDF.Gen} (1^{\kappa },1^d)\rightarrow (\textsf{pk},\textsf{sk})\): given as input the security parameter and the depth bound, the key-generation procedure outputs a public key \(\textsf{pk}\) and a secret key \(\textsf{sk}\). The security parameter defines the index space \({{\mathcal {X}}} \), the input space \({{\mathcal {U}}} \), the output space \({{\mathcal {V}}} \) and some efficiently sampleable input distribution \(D_{{\mathcal {U}}} \) over \({{\mathcal {U}}} \). We require that membership in the sets \({{\mathcal {U}}},{{\mathcal {V}}},{{\mathcal {X}}} \) can be efficiently tested and that one can efficiently sample uniformly at random from \({{\mathcal {V}}} \).

  • \(f _{\textsf{pk},x}:{{\mathcal {U}}} \rightarrow {{\mathcal {V}}} \): the algorithm \(f \) is parametrized by a public key \(\textsf{pk}\) and an index \(x\in {{\mathcal {X}}} \).

  • \(\mathsf {HTDF.Inv} _{\textsf{sk},x}:{{\mathcal {V}}} \rightarrow {{\mathcal {U}}} \): the algorithm \(\mathsf {HTDF.Inv} \) is parametrized by a secret key \(\textsf{sk}\) and an index \(x\in {{\mathcal {X}}} \).

  • \({u^*}= \mathsf {HTDF.Eval}^{{\textsf{in}}} (g,(x_1,u_1),\ldots ,(x_\ell ,u_\ell ))\) and \({v^*}= \mathsf {HTDF.Eval}^{{\textsf{out}}} (g,v_1,\ldots ,v_\ell )\) are deterministic input/output homomorphic-evaluation algorithms. The algorithms take as input some function \(g: {{\mathcal {X}}} ^\ell \rightarrow {{\mathcal {X}}} \) and values \(x_i\in {{\mathcal {X}}}, u_i\in {{\mathcal {U}}}, v_i\in {{\mathcal {V}}} \). The outputs are \({u^*}\in {{\mathcal {U}}} \) and \({v^*}\in {{\mathcal {V}}} \).

We require the following properties from an HTDF scheme:

  • Correctness. Let \((\textsf{pk},\textsf{sk})\leftarrow \mathsf {HTDF.Gen} (1^{\kappa },1^d)\), let \(x_1,\ldots ,x_\ell \in {{\mathcal {X}}} \), let \(g: {{\mathcal {X}}} ^\ell \rightarrow {{\mathcal {X}}} \) be a function of depth at most d, and let \(y:= g(x_1, \ldots ,x_\ell )\). Let \(u_1,\ldots ,u_\ell \in {{\mathcal {U}}} \) and set \(v_i:= f _{\textsf{pk},x_i}(u_i)\) for \(i\in [\ell ]\). Let \({u^*}= \mathsf {HTDF.Eval}^{{\textsf{in}}} (g,(x_1,u_1),\ldots ,(x_\ell ,u_\ell ))\) and let \({v^*}= \mathsf {HTDF.Eval}^{{\textsf{out}}} (g,v_1,\ldots ,v_\ell )\). Then, we require that \({u^*}\in {{\mathcal {U}}} \) and \(f_{\textsf{pk},y}({u^*})={v^*}\).

  • Distributional equivalence of inversion. The following distributions are statistically close:

    $$\begin{aligned} \left\{ (\textsf{pk},\textsf{sk},x,u,v)\mid (\textsf{pk},\textsf{sk})\leftarrow \mathsf {HTDF.Gen} (1^{\kappa },1^d), \right.&\left. x\in {{\mathcal {X}}}, u\leftarrow {{\mathcal {U}}}, v=f _{\textsf{pk},x}(u)\right\} _{\kappa } \\&{\mathop {\equiv }\limits ^{\textrm{s}}}\\ \left\{ (\textsf{pk},\textsf{sk},x,u',v') \mid (\textsf{pk},\textsf{sk})\leftarrow \mathsf {HTDF.Gen} (1^{\kappa },1^d), \right.&\left. x\in {{\mathcal {X}}}, v'\leftarrow {{\mathcal {V}}}, u'=\mathsf {HTDF.Inv} _{\textsf{sk},x}(v')\right\} _{\kappa }, \end{aligned}$$

    where \(x\in {{\mathcal {X}}} \) is an arbitrary random variable that depends on \((\textsf{pk},\textsf{sk})\).

  • Claw-free security. For every PPT adversary \(\mathcal{A} \), it holds that

    $$\begin{aligned} {\textrm{Pr}}\left[ \begin{array}{c|c} \mathop {f _{\textsf{pk},x}(u)=f _{\textsf{pk},x'}(u')}\limits _{\begin{array}{c} u,u'\in {{\mathcal {U}}},\quad x,x'\in {{\mathcal {X}}}, \quad x\ne x' \end{array}}&\mathop {(\textsf{pk},\textsf{sk})\leftarrow \mathsf {HTDF.Gen} (1^{\kappa },1^d)}\limits _{\begin{array}{c} (x,x',u,u')\leftarrow \mathcal{A} (1^{\kappa }, \textsf{pk}) \end{array}} \end{array}\right] \le \textsf{negl}({\kappa }). \end{aligned}$$

Theorem A.9

([59]) Under the LWE assumption, there exists an HTDF scheme.

1.2.4 Strong One-Time Signatures

Definition A.10

(strong one-time signatures) A strong one-time signature scheme consists of three polynomial-time algorithms \((\mathsf {Sig.Gen}, \textsf{Sign}, \textsf{Vrfy})\) with the following syntax:

  • \(\mathsf {Sig.Gen} (1^{\kappa })\rightarrow (\textsf{vk},\textsf{sigk})\): given as input the security parameter, the key-generation procedure outputs a public verification key \(\textsf{vk}\) and a secret signing key \(\textsf{sigk}\).

  • \(\textsf{Sign} _{\textsf{sigk}}(m)\rightarrow \sigma \): given as input a signing key \(\textsf{sigk}\) and a message m, the signing algorithm outputs a signature \(\sigma \).

  • \(b=\textsf{Vrfy} _{\textsf{vk}}(\sigma ,m)\): given as input a verification key \(\textsf{vk}\), a signature \(\sigma \), and a message m, the verification algorithm outputs a bit \(b\in \{0,1\}\).

We require the following properties from the signature scheme:

  • (Perfect) correctness. For every message \(m\in {\{0,1\}^*}\), it holds that

    $$\begin{aligned} {\textrm{Pr}}\left[ \textsf{Vrfy} _{\textsf{vk}}(\sigma ,m)=1 \mid (\textsf{vk},\textsf{sigk})\leftarrow \mathsf {Sig.Gen} (1^{\kappa }), \sigma \leftarrow \textsf{Sign} _{\textsf{sigk}}(m)\right] =1. \end{aligned}$$

  • Strong existential unforgeability under one-time chosen message attack. For every PPT adversary \(\mathcal{A} \), it holds that

    $$\begin{aligned} {\textrm{Pr}}\left[ \begin{array}{c|c} \mathop {(m',\sigma ')\ne (m,\sigma )}\limits _{\begin{array}{c} \textsf{Vrfy} _{\textsf{vk}}(\sigma ',m')=1 \end{array}} &{} \mathop {(\textsf{vk},\textsf{sigk})\leftarrow \mathsf {Sig.Gen} (1^{\kappa })}\limits _{\begin{array}{c} m\leftarrow \mathcal{A} (\textsf{vk})\\ \sigma \leftarrow \textsf{Sign} _{\textsf{sigk}}(m)\\ (m',\sigma ')\leftarrow \mathcal{A} (\sigma ) \end{array}} \end{array}\right] \le \textsf{negl}({\kappa }). \end{aligned}$$

We will use a strong one-time signature scheme that has fixed-length signatures, i.e., where there is a polynomial upper bound \(\ell _{SIG}({\kappa })\) on the length of the signatures. Fixed-length strong one-time signatures can be constructed from one-way functions (from universal one-way hash functions [81] and Lamport signatures used in combination with Merkle trees [89]). The existence of fully homomorphic trapdoor functions therefore implies the existence of fixed-length strong one-time signatures.
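As an added illustration of the hash-then-Lamport construction mentioned above (this is example code, not the paper's own): a Lamport one-time signature over a fixed-length message digest, which gives signatures of the fixed length \(\ell _{SIG}({\kappa })\) the text requires. SHA-256 stands in for both the one-way function and the universal one-way hash function, an assumption that is stronger than what the construction needs; the demo checks correctness, rejection of a different message, and rejection of a modified signature on the same message (the "strong" part).

```python
import hashlib
import secrets
from typing import List, Tuple

KAPPA = 32      # bytes of OWF output: a 256-bit security parameter (constructed choice)
N_BITS = 256    # every message is first hashed to exactly N_BITS bits
SIG_LEN = N_BITS * KAPPA   # fixed signature length ell_SIG(kappa) in bytes

Key = List[List[bytes]]    # Key[i][b] is the preimage (sigk) or image (vk) for bit i = b


def owf(x: bytes) -> bytes:
    """One-way function stand-in (assumption: SHA-256 is one-way on 32-byte inputs)."""
    return hashlib.sha256(x).digest()


def message_bits(m: bytes) -> List[int]:
    """Hash an arbitrary-length message to N_BITS bits (stand-in for the UOWHF)."""
    d = hashlib.sha256(m).digest()
    return [(d[i // 8] >> (7 - (i % 8))) & 1 for i in range(N_BITS)]


def sig_gen() -> Tuple[Key, Key]:
    """Sig.Gen: two random preimages per digest bit; vk holds their OWF images."""
    sigk = [[secrets.token_bytes(KAPPA) for _ in range(2)] for _ in range(N_BITS)]
    vk = [[owf(s) for s in pair] for pair in sigk]
    return vk, sigk


def sign(sigk: Key, m: bytes) -> bytes:
    """Sign: reveal, for each digest bit i, the preimage sigk[i][bit_i].
    The key must be used for ONE message only: a second signature reveals both
    preimages at every differing position and destroys unforgeability."""
    return b"".join(sigk[i][b] for i, b in enumerate(message_bits(m)))


def vrfy(vk: Key, sigma: bytes, m: bytes) -> int:
    """Vrfy: 1 iff every revealed chunk is a preimage of the matching vk entry.
    Any sigma' != sigma that verifies for the same m would be a second preimage
    of some vk[i][b], which is what makes the scheme strongly unforgeable."""
    if len(sigma) != SIG_LEN:
        return 0
    for i, b in enumerate(message_bits(m)):
        chunk = sigma[i * KAPPA:(i + 1) * KAPPA]
        if owf(chunk) != vk[i][b]:
            return 0
    return 1


def demo() -> Tuple[int, int, int, bool]:
    """Constructed check of the properties in Definition A.10:
    (correct, other-message rejected, tampered-signature rejected, fixed length)."""
    vk, sigk = sig_gen()
    m = b"constructed sample message"
    sigma = sign(sigk, m)
    correct = vrfy(vk, sigma, m)
    other_msg = vrfy(vk, sigma, b"constructed sample message, altered")
    tampered = bytearray(sigma)
    tampered[0] ^= 0x01          # flip one bit of the first revealed preimage
    tampered_sig = vrfy(vk, bytes(tampered), m)
    return correct, other_msg, tampered_sig, len(sigma) == SIG_LEN


if __name__ == "__main__":
    print(demo())   # expected (1, 0, 0, True)
```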

1.2.5 Non-Committing Encryption

A non-committing encryption scheme [9, 23, 43] is a public-key encryption scheme with the capability to efficiently simulate a public key and a ciphertext that can be explained as an encryption of any message.

Definition A.11

(NCE) A non-committing (bit) encryption scheme consists of four algorithms \((\mathsf {NC.Gen}, \mathsf {NC.Enc}, \mathsf {NC.Dec}, \mathsf {NC.Sim})\) such that the following properties hold:

  • The triplet \((\mathsf {NC.Gen}, \mathsf {NC.Enc}, \mathsf {NC.Dec})\) forms a public-key encryption scheme.

  • \(\mathsf {NC.Sim} \) is a simulation algorithm that on input \(1^{\kappa } \), outputs \((\textsf{pk}, \textsf{ct}, \rho ^0_G, \rho ^0_E, \rho ^1_G, \rho ^1_E)\), such that for any \({\mu }\in \{0,1\}\) the following distributions are computationally indistinguishable:

    • the joint view of an honest sender and an honest receiver in a normal encryption of \({\mu }\)

      $$\begin{aligned} \left\{ (\textsf{pk}, \textsf{ct}, r_G, r_E) \mid (\textsf{sk}, \textsf{pk}) = \mathsf {NC.Gen} (1^{\kappa }; r_G), \textsf{ct}= \mathsf {NC.Enc} (\textsf{pk}, {\mu }; r_E)\right\} , \end{aligned}$$

    • the simulated view of an encryption of \({\mu }\)

      $$\begin{aligned} \left\{ (\textsf{pk}, \textsf{ct}, \rho ^{\mu }_G, \rho ^{\mu }_E) \mid (\textsf{pk}, \textsf{ct}, \rho ^0_G, \rho ^0_E, \rho ^1_G, \rho ^1_E) \leftarrow \mathsf {NC.Sim} (1^{\kappa })\right\} . \end{aligned}$$

NCE schemes exist under a wide range of assumptions, including LWE [33, 68, 69, 84].

1.2.6 Fully Homomorphic Encryption

Definition A.12

A (leveled) fully homomorphic encryption scheme (FHE) consists of 4 PPT algorithms:

  • \(\mathsf {FHE.Gen} (1^{\kappa },1^d)\rightarrow (\textsf{pk},\textsf{sk})\): on input the security parameter \({\kappa } \) and a depth bound d, the key-generation algorithm outputs a public key \(\textsf{pk}\) and a secret key \(\textsf{sk}\).

  • \(\mathsf {FHE.Enc} (\textsf{pk},\mu )\rightarrow \textsf{ct}\): on input a public key \(\textsf{pk}\) and a plaintext \(\mu \in \{0,1\}\), the encryption algorithm outputs a ciphertext \(\textsf{ct}\).

  • \(\mathsf {FHE.Eval} (\textsf{pk},C, \textsf{ct}_1, \ldots , \textsf{ct}_\ell )\rightarrow \textsf{ct}\): on input a public key \(\textsf{pk}\), a circuit \(C:\{0,1\}^\ell \rightarrow \{0,1\}\), and a tuple of ciphertexts \((\textsf{ct}_1, \ldots , \textsf{ct}_\ell )\), the homomorphic-evaluation algorithm outputs a ciphertext \(\textsf{ct}\).

  • \(\mathsf {FHE.Dec} (\textsf{sk},\textsf{ct})\rightarrow {\tilde{\mu }}\): on input a secret key \(\textsf{sk}\) and a ciphertext \(\textsf{ct}\), the decryption algorithm outputs \({\tilde{\mu }}\in \{0,1\}\).

We require the FHE scheme to be correct, meaning that when initialized with depth bound d the scheme correctly evaluates all circuits of depth at most d, and compact, meaning that the size of the decryption circuit (and of the evaluated ciphertext) is independent of d.

Definition A.13

Let \(\Pi =(\mathsf {FHE.Gen}, \mathsf {FHE.Enc}, \mathsf {FHE.Dec}, \mathsf {FHE.Eval})\) be an FHE scheme.

  • \(\Pi \) is correct if for every depth bound \(d\in {{\mathbb {N}}}^+\), every circuit \(C:\{0,1\}^\ell \rightarrow \{0,1\}\) of depth at most d and every series of inputs \(\mu _1, \ldots , \mu _\ell \in \{0,1\}\) it holds that

    $$\begin{aligned} {\textrm{Pr}}\left[ \mathsf {FHE.Dec} \left( \textsf{sk},\mathsf {FHE.Eval} \left( \textsf{pk},C, \mathsf {FHE.Enc} (\textsf{pk},\mu _1), \ldots , \mathsf {FHE.Enc} (\textsf{pk},\mu _\ell )\right) \right) \right.&\left. \ne C\left( \mu _1, \ldots , \mu _\ell \right) \right] \\&\le \textsf{negl}({\kappa }). \end{aligned}$$

  • \(\Pi \) is compact if there exists a polynomial \(s(\cdot )\) such that for every \({\kappa } \), every depth bound d, every circuit \(C: \{0,1\}^\ell \rightarrow \{0,1\}\) of depth at most d, and every \(\mu _1,\ldots ,\mu _\ell \in \{0,1\}\), the following holds. For \((\textsf{pk},\textsf{sk}) \leftarrow \mathsf {FHE.Gen} (1^{\kappa },1^d)\), ciphertexts \(\textsf{ct}_j \leftarrow \mathsf {FHE.Enc} (\textsf{pk}, \mu _j)\) for \(j \in [\ell ]\), and \(\textsf{ct}\leftarrow \mathsf {FHE.Eval} (\textsf{pk}, C, \textsf{ct}_1,\ldots , \textsf{ct}_\ell )\), we have that \(|\textsf{ct}| \le s({\kappa })\).

  • \(\Pi \) is semantically secure if for every \({\kappa } \) and every depth bound d, it holds that for every PPT adversary \(\mathcal{A} \) the following experiment \(\textsf{Expt} ^\textsc {fhe}_{\mathcal{A},\Pi }(1^{\kappa },1^d)\) outputs 1 with negligible probability.

    \(\textsf{Expt} ^\textsc {fhe}_{\mathcal{A},\Pi }(1^{\kappa },1^d)\)

    1. On input the security parameter \(1^{\kappa } \) and depth bound \(1^d\), the challenger generates \((\textsf{pk},\textsf{sk})\leftarrow \mathsf {FHE.Gen} (1^{\kappa },1^d)\), chooses a random bit \(b\leftarrow \{0,1\}\), and computes the ciphertext \(\textsf{ct}\leftarrow \mathsf {FHE.Enc} (\textsf{pk},b)\). Next, the challenger hands \((\textsf{pk},\textsf{ct})\) to \(\mathcal{A} \).

    2. \(\mathcal A\) outputs \(b'\). The experiment outputs 1 if \(b=b'\).

By abuse of notation, throughout the paper we consider encryption of strings rather than bits. This should be interpreted as encrypting the string bit by bit.

The UC Framework

In this section, we describe the UC framework; for more details, see [22].

1.1 The Real Model

An execution of a protocol \(\pi \) in the real model consists of n ppt interactive Turing machines (ITMs) \({P} _1,\ldots ,{P} _n\) representing the parties, along with two additional ITMs: an adversary \(\mathcal A\), describing the behavior of the corrupted parties and an environment \(\mathcal Z\), representing the external network environment in which the protocol operates. The environment gives inputs to the honest parties, receives their outputs, and can communicate with the adversary at any point during the execution. The adversary controls the operations of the corrupted parties.

In more detail, each ITM is initialized with the security parameter \({\kappa } \) and random coins, where the environment receives an additional auxiliary input. The protocol proceeds by a sequence of activations, where the environment is activated first and at each point a single ITM is active. When the environment is activated it can read the output tapes of all honest parties and of the adversary, and it can activate one of the parties or the adversary by writing on its input tape. Once a party is activated it can perform a local computation, write on its output tape or send messages to other parties by writing on its outgoing communication tapes. After the party completes its operations the control is returned to the environment. Once the adversary is activated it can send messages on behalf of the corrupted parties or send a message to the environment by writing on its output tape. In addition, \(\mathcal{A} \) controls the communication between the parties, and so it can read the contents of the messages on outgoing tapes of honest parties and write messages on their incoming tapes. We assume that only messages that were sent in the past by some party can be delivered, and each message can be delivered at most once. \(\mathcal{A} \) can also corrupt an honest party, gain access to all its tapes and control all its actions. Whenever a party is corrupted the environment is notified. If \(\mathcal{A} \) wrote on the incoming tape of an honest party, this party is activated next; otherwise the environment is activated. The protocol completes once \(\mathcal{Z} \) outputs a single bit.

A semi-honest adversary always instructs the corrupted parties to follow the protocol. A malicious adversary may instruct the corrupted parties to deviate from the protocol arbitrarily. In this work we also consider semi-malicious adversaries [5], which instruct the corrupted parties to follow the protocol but can choose arbitrary random coins for them. Formally, the adversary has a special witness tape. In each round of the protocol, whenever the adversary produces a new protocol message m on behalf of some party \({P} _k\), it must also write to its special witness tape some pair \((x, r)\) of input x and randomness r that explains its behavior. More specifically, all of the protocol messages sent by the adversary on behalf of \({P} _k\) up to that point, including the new message m, must exactly match the honest protocol specification for \(P_k\) when executed with input x and randomness r. Note that the witnesses given in different rounds need not be consistent. Also, we assume that the attacker is rushing and hence may choose the message m and the witness \((x, r)\) in each round adaptively, after seeing the protocol messages of the honest parties in that round (and all prior rounds). Lastly, the adversary may also choose to abort the execution on behalf of \({P} _k\) in any step of the interaction.

Let \({\textsc {REAL} }_{\pi , \mathcal{A}, \mathcal{Z}}({\kappa }, {z}, {\varvec{r}})\) denote \(\mathcal{Z} \)’s output on input \({z} \) and security parameter \({\kappa } \), after interacting with adversary \(\mathcal{A} \) and parties \({P} _1, \ldots , {P} _n\) running protocol \(\pi \) with random tapes \({\varvec{r}}=(r_1, \ldots , r_n, r_\mathcal{A}, r_\mathcal{Z})\) as described above. Let \({\textsc {REAL} }_{\pi , \mathcal{A}, \mathcal{Z}}({\kappa }, {z})\) denote the random variable \({\textsc {REAL} }_{\pi , \mathcal{A}, \mathcal{Z}}({\kappa }, {z}, {\varvec{r}})\), when the vector \({\varvec{r}}\) is uniformly chosen.

1.2 The Ideal Model

A computation in the ideal model consists of n dummy parties \({P} _1,\ldots ,{P} _n\), an ideal-process adversary (simulator) \(\mathcal S\), an environment \(\mathcal Z\), and an ideal functionality \({\mathcal {F}}\). As in the real model, the environment gives inputs to the honest (dummy) parties, receives their outputs, and can communicate with the ideal-process adversary at any point during the execution. The dummy parties act as channels between the environment and the ideal functionality, meaning that they send the inputs received from \(\mathcal{Z} \) to \({\mathcal {F}}\) and vice versa. The ideal functionality \({\mathcal {F}}\) defines the desired behavior of the computation. \({\mathcal {F}}\) receives the inputs from the dummy parties, executes the desired computation and sends the output to the parties. The ideal-process adversary does not see the communication between the parties and the ideal functionality; however, \(\mathcal{S} \) can communicate with \({\mathcal {F}}\).

Hiding the communication between the ideal functionality and the parties from the adversary may be too restrictive; it is often desired to give the adversary the power to determine when a party will receive the message. We say that the ideal functionality \({\mathcal {F}}\) sends a delayed output v to a party \({P} \) if \({\mathcal {F}}\) first sends to the adversary a message that it is ready to generate an output to \({P} \). In case the output is public, \({\mathcal {F}}\) sends v to the adversary. When the adversary replies to the message, \({\mathcal {F}}\) outputs the value v to \({P} \).

Let \({\textsc {IDEAL} }_{{\mathcal {F}}, \mathcal{S}, \mathcal{Z}}({\kappa }, {z}, {\varvec{r}})\) denote \(\mathcal{Z} \)’s output on input \({z} \) and security parameter \({\kappa } \), after interacting with ideal-process adversary \(\mathcal{S} \) and dummy parties \({P} _1, \ldots , {P} _n\) that interact with ideal functionality \({\mathcal {F}}\) with random tapes \({\varvec{r}}=(r_\mathcal{S}, r_\mathcal{Z})\) as described above. Let \({\textsc {IDEAL} }_{{\mathcal {F}}, \mathcal{S}, \mathcal{Z}}({\kappa }, {z})\) denote the random variable \({\textsc {IDEAL} }_{{\mathcal {F}}, \mathcal{S}, \mathcal{Z}}({\kappa }, {z}, {\varvec{r}})\), when the vector \({\varvec{r}}\) is uniformly chosen.

Definition B.1

We say that a protocol \(\pi \) UC-realizes an ideal functionality \({\mathcal {F}}\) in the presence of adaptive malicious (resp., semi-malicious) adversaries, if for any ppt adaptive malicious (resp., semi-malicious) adversary \(\mathcal{A} \) and any ppt environment \(\mathcal{Z} \), there exists a ppt ideal-process adversary \(\mathcal{S} \) such that the following two distribution ensembles are computationally indistinguishable

$$\begin{aligned} \left\{ {\textsc {REAL} }_{\pi , \mathcal{A}, \mathcal{Z}}\left( {\kappa }, {z} \right) \right\} _{{\kappa } \in {{\mathbb {N}}}, {z} \in {\{0,1\}^*}} {\mathop {\equiv }\limits ^{\textrm{c}}}\left\{ {\textsc {IDEAL} }_{{\mathcal {F}}, \mathcal{S}, \mathcal{Z}}\left( {\kappa }, {z} \right) \right\} _{{\kappa } \in {{\mathbb {N}}}, {z} \in {\{0,1\}^*}}. \end{aligned}$$

1.3 The Hybrid Model

The \({\mathcal {F}}\)-hybrid model is a combination of the real and ideal models; it extends the real model with an ideal functionality \({\mathcal {F}}\). The parties communicate with each other in exactly the same way as in the real model described above; however, they can interact with \({\mathcal {F}}\) as in the ideal model. An important property of the UC framework is that the ideal functionality \({\mathcal {F}}\) in an \({\mathcal {F}}\)-hybrid model can be replaced with a protocol that UC-realizes \({\mathcal {F}}\).

Let the global output \({\textsc {HYBRID} }^{\mathcal {F}}_{\pi , \mathcal{A}, \mathcal{Z}}({\kappa }, {z})\) denote \(\mathcal{Z} \)’s output on input \({z} \) and security parameter \({\kappa } \), after interacting in an \({\mathcal {F}}\)-hybrid model with adversary \(\mathcal{A} \) and parties \({P} _1, \ldots , {P} _n\) with uniformly distributed random tapes \({\varvec{r}}=(r_1, \ldots , r_n, r_\mathcal{A}, r_\mathcal{Z})\) running protocol \(\pi \).

Theorem B.2

(Canetti [22]) Let \({\mathcal {F}}\) be an ideal functionality and let \(\rho \) be a protocol that UC-realizes \({\mathcal {F}}\) in the presence of adaptive malicious (resp., semi-malicious) adversaries, and let \(\pi \) be a protocol that UC-realizes \({\mathcal {G}}\) in the \({\mathcal {F}}\)-hybrid model in the presence of adaptive malicious (resp., semi-malicious) adversaries. Then for any ppt adaptive malicious (resp., semi-malicious) real-model adversary \(\mathcal{A} \) and any ppt environment \(\mathcal{Z} \), there exists a ppt adaptive malicious (resp., semi-malicious) adversary \(\mathcal{S} \) in the \({\mathcal {F}}\)-hybrid model such that

$$\begin{aligned} \Big \{{\textsc {REAL} }_{\pi ^\rho , \mathcal{A}, \mathcal{Z}}\left( {\kappa }, {z} \right) \Big \}_{{\kappa } \in {{\mathbb {N}}}, {z} \in {\{0,1\}^*}} {\mathop {\equiv }\limits ^{\textrm{c}}}\left\{ {\textsc {HYBRID} }^{\mathcal {F}}_{\pi , \mathcal{S}, \mathcal{Z}}\left( {\kappa },{z} \right) \right\} _{{\kappa } \in {{\mathbb {N}}}, {z} \in {\{0,1\}^*}}. \end{aligned}$$

1.4 Some Ideal Functionalities

We next describe several ideal functionalities that are used throughout the paper.

1.4.1 Common Reference String

The common reference string functionality samples a string from some pre-determined distribution and provides the string to all the parties. The CRS functionality is described in Fig. 9.

Fig. 9: Common reference string functionality

In case the distribution D is the uniform distribution, we refer to the functionality as a uniform reference string functionality.

1.4.2 Secure Message Transmission

The secure message transmission (SMT) functionality models a secure and private channel between two parties. The sender can send a message to the receiver such that the adversary learns only a specified leakage of the message, e.g., its length. If the sender is corrupted before the message was delivered to the receiver, the adversary is allowed to change the message. The secure message transmission functionality is described in Fig. 10.

Fig. 10: Secure message transmission functionality

1.4.3 Secure Function Evaluation

Secure function evaluation (SFE) is a multiparty primitive where a set of n parties wish to compute a (possibly randomized) function \(f :({\{0,1\}^*})^n\times {\{0,1\}^*}\rightarrow ({\{0,1\}^*})^n\), where \(f = (f_1, \ldots , f_n)\). That is, for a vector of inputs \({\varvec{x}}= (x_1, \ldots , x_n)\in ({\{0,1\}^*})^n\) and random coins \(r \in _R {\{0,1\}^*}\), the output-vector is \((f_1({\varvec{x}};r), \ldots , f_n({\varvec{x}};r))\). The output for the \(i\)’th party (with input \(x_i\)) is defined to be \(f_i({\varvec{x}};r)\). The secure function evaluation functionality, \({\mathcal {F}}_{\textsf{sfe}}^f\), is presented in Fig. 11.

Fig. 11: Secure function evaluation functionality

Note that UC protocols do not provide guaranteed termination, since the adversary has full control over the communication. Therefore, it is standard to make security claims only for executions in which the environment provides sufficiently many activations to the parties and the adversary delivers all the messages (see [24] for further discussion). We would like to define UC analogs of security with abort and of guaranteed output delivery, which are normally defined in the stand-alone model (see [36]). One way is to use the synchronous model of UC [75], where guaranteed termination can be achieved independently of the adversary. Another way is to slightly adjust the \({\mathcal {F}}_{\textsf{sfe}}\) functionality, as discussed below.

Note that the \({\mathcal {F}}_{\textsf{sfe}}\) functionality in some sense guarantees output delivery: although the adversary has the power to “hang” the computation, he cannot force an honest party to output an incorrect result. Stated differently, if the protocol terminates, i.e., the adversary provides the inputs and delivers the output, then the protocol satisfies guaranteed output delivery. For clarity, we denote this functionality by \({\mathcal {F}}_{\mathsf {sfe-god}}\). In the no-honest-majority setting, the adversary has an extra capability, as he can force all parties to output \(\bot \) even when the protocol terminates. To capture this capability, we denote by \({\mathcal {F}}_{\mathsf {sfe-abort}}\) the \({\mathcal {F}}_{\textsf{sfe}}\) functionality that allows the adversary to send a special \((\textsf{abort},\textsf{sid})\) message at any time. In case some honest party has already received the output value, the functionality ignores this message. Otherwise, the functionality sets the output of all honest parties to \(\bot \).

1.4.4 Broadcast

The broadcast functionality enables a sender to reliably deliver a message to all other parties. If the sender is corrupted before the message was delivered to the receivers, the adversary is allowed to change the message. We model this functionality as a special case of the SFE functionality for the function \(f(x,{\lambda },\ldots ,{\lambda })=(x,\ldots ,x)\) (where \({\lambda } \) denotes the empty string).

Constructing TEFHE From LWE

In this section, we present an explicit construction of a threshold equivocal FHE scheme. We start by describing in Appendix C.1 the GSW scheme, followed by its equivocal variant in Appendix C.2. In Appendix C.3, we present the threshold equivocal FHE scheme. Unlike the rest of the paper, in this section we use n to denote the dimension of the lattice and N to denote the number of parties.

1.1 GSW Fully Homomorphic Encryption

We now describe the GSW [56] fully homomorphic encryption scheme. We use in the construction the public gadget matrix as defined by Micciancio and Peikert [79], which is a matrix \({{\textbf {G}}}\in {{\mathbb {Z}}}_q^{n\times m}\) with some special structure, such that given a matrix \({{\textbf {V}}}\in {{\mathbb {Z}}}_q^{n\times m}\) everyone can compute a “short” matrix \({{\textbf {G}}}^{-1}({{\textbf {V}}})\in {{\mathbb {Z}}}_q^{m\times m}\) satisfying \({{\textbf {G}}}\cdot {{\textbf {G}}}^{-1}({{\textbf {V}}})={{\textbf {V}}}\). The GSW scheme is defined as follows:

  • \(\textsf{params}\leftarrow \mathsf {GSW.Setup} (1^{\kappa },1^d)\): Choose a lattice dimension parameter \(n = n({\kappa },d)\), a \(B_\chi \)-bounded error distribution \(\chi = \chi ({\kappa },d)\), and a modulus q of size \(q = B_\chi 2^{\omega (d{\kappa } \log {\kappa })}\) such that \(\textsf{LWE}_{n-1,q,\chi ,B_\chi }\) holds. Choose \(m = n\log (q) + \omega (\log {\kappa })\). Finally, choose a random matrix \({{\textbf {B}}}\in {{\mathbb {Z}}}_q^{n-1\times m}\). Output \(\textsf{params}:= (q,n,m,\chi ,B_\chi ,{{\textbf {B}}})\). We stress that all the other algorithms implicitly get \(\textsf{params}\) as input even if we usually do not write this explicitly.

  • \((\textsf{pk},\textsf{sk}) \leftarrow \mathsf {GSW.Keygen} (\textsf{params})\): We separately describe two sub-algorithms to generate the secret key and the public key, respectively:

    • \(\textsf{sk}\leftarrow \mathsf {GSW.SKGen} (\textsf{params})\): Sample uniformly at random \({\varvec{s}}\leftarrow {{\mathbb {Z}}}_q^{n-1}\) and output \(\textsf{sk}= {\varvec{t}}= (-{\varvec{s}},1) \in {{\mathbb {Z}}}_q^n\).

    • \(\textsf{pk}\leftarrow \mathsf {GSW.PKGen} (\textsf{params},\textsf{sk})\): Let \(\textsf{sk}={\varvec{t}}= (-{\varvec{s}},1)\), sample \({\varvec{e}}\leftarrow \chi ^m\), set \({\varvec{b}}:= {\varvec{s}}\cdot {{\textbf {B}}}+ {\varvec{e}}\in {{\mathbb {Z}}}_q^m\) and output \(\textsf{pk}= {{\textbf {A}}}\) where \({{\textbf {A}}}\in {{\mathbb {Z}}}_q^{n\times m}\) is defined as \( {{\textbf {A}}}= \begin{bmatrix} {{\textbf {B}}}\\ {\varvec{b}}\end{bmatrix}\).

  • \(\textsf{ct}\leftarrow \mathsf {GSW.Enc} (\textsf{pk},\mu )\): Choose a short random matrix as the randomness \({{\textbf {R}}}\leftarrow \{0,1\}^{m\times m}\). Then, output the encryption of the message \(\mu \in \{0,1\}\) as \({{\textbf {C}}}\in {{\mathbb {Z}}}_q^{n\times m}\), defined as

    $$\begin{aligned} {{\textbf {C}}}={{\textbf {A}}}{{\textbf {R}}}+ \mu {{\textbf {G}}}. \end{aligned}$$
  • \(\mu ' =\mathsf {GSW.Dec} (\textsf{sk},\textsf{ct})\): We decompose the decryption algorithm into two parts:

    • \(v =\mathsf {GSW.Dec} ^1(\textsf{sk},\textsf{ct})\): Let \(\textsf{sk}={\varvec{t}}\) and \(\textsf{ct}={{\textbf {C}}}\). Consider the public vector and output \(v={\varvec{t}}\cdot {{\textbf {C}}}\cdot {{\textbf {G}}}^{-1}({\varvec{w}}^T)\in {{\mathbb {Z}}}_q\).

    • .

  • \(\mathsf {GSW.Eval} \): We define the homomorphic evaluation by defining addition and multiplication. Given ciphertexts \({{\textbf {C}}}_1,{{\textbf {C}}}_2\in {{\mathbb {Z}}}_q^{n\times m}\), define:

    • \(\mathsf {GSW.Add} ({{\textbf {C}}}_1,{{\textbf {C}}}_2)\): Output \({{\textbf {C}}}^{(+)}={{\textbf {C}}}_1+{{\textbf {C}}}_2\in {{\mathbb {Z}}}_q^{n\times m}\).

    • \(\mathsf {GSW.Mult} ({{\textbf {C}}}_1,{{\textbf {C}}}_2)\): Output \({{\textbf {C}}}^{(\times )}={{\textbf {C}}}_1\cdot {{\textbf {G}}}^{-1}({{\textbf {C}}}_2)\in {{\mathbb {Z}}}_q^{n\times m}\).

Theorem C.1

([56]) The scheme as defined above is a secure FHE scheme under the \(\textsf{LWE}_{n-1,q,\chi ,B_\chi }\) assumption.

Proof

(sketch) Semantic security of the scheme is proved in two steps. First, the public key \({{\textbf {A}}}\) is replaced with a uniformly random matrix \({{\textbf {A}}}\leftarrow {{\mathbb {Z}}}_q^{n\times m}\); this step is secure under the LWE assumption. Second, the ciphertext \({{\textbf {C}}}={{\textbf {A}}}{{\textbf {R}}}+\mu {{\textbf {G}}}\) is replaced with a uniformly random matrix \({{\textbf {C}}}\leftarrow {{\mathbb {Z}}}_q^{n\times m}\); this step is secure due to the leftover hash lemma. We refer the reader to [56] for further details.

To prove correctness, we start by defining noisy ciphertexts.

Definition C.2

A \(\beta \)-noisy ciphertext of some message \(\mu \) under secret key \(\textsf{sk}={\varvec{t}}\in {{\mathbb {Z}}}_q^n\) is a matrix \({{\textbf {C}}}\in {{\mathbb {Z}}}_q^{n\times m}\) such that \({\varvec{t}}{{\textbf {C}}}= \mu {\varvec{t}}{{\textbf {G}}}+ {\varvec{e}}\) for some \({\varvec{e}}\) satisfying \(\Vert {\varvec{e}}\Vert _\infty \le \beta \).

We proceed to analyze the noise behavior of ciphertexts under encryption, evaluation, and decryption operation.

  • Encryption. Consider a public key \({{\textbf {A}}}\) and a secret key \({\varvec{t}}\) generated by \(\mathsf {GSW.Keygen} (1^{\kappa },1^d)\); it holds that \({\varvec{t}}{{\textbf {A}}}= {\varvec{e}}\) with \(\Vert {\varvec{e}}\Vert _\infty \le B_\chi \). Therefore, a ciphertext \({{\textbf {C}}}={{\textbf {A}}}{{\textbf {R}}}+\mu {{\textbf {G}}}\leftarrow \mathsf {GSW.Enc} (\textsf{pk},\mu )\) satisfies \({\varvec{t}}{{\textbf {C}}}={\varvec{e}}{{\textbf {R}}}+\mu {\varvec{t}}{{\textbf {G}}}\) with \(\Vert {\varvec{e}}{{\textbf {R}}}\Vert _\infty \le mB_\chi \). That is, \({{\textbf {C}}}\) is a \(mB_\chi \)-noisy ciphertext of \(\mu \) under secret key \({\varvec{t}}\). We denote \({\beta _\textsf {init}}=mB_\chi \).

  • Addition. Let \({{\textbf {C}}}_1\) (resp. \({{\textbf {C}}}_2\)) be a \(\beta _1\)-noisy (resp. \(\beta _2\)-noisy) ciphertext of \(\mu _1\) (resp. \(\mu _2\)) under secret key \({\varvec{t}}\), i.e., \({\varvec{t}}{{\textbf {C}}}_i=\mu _i{\varvec{t}}{{\textbf {G}}}+ {\varvec{e}}_i\) with \(\Vert {\varvec{e}}_i\Vert _\infty \le \beta _i\) for \(i\in \{1,2\}\). Then, for \({{\textbf {C}}}^{(+)}={{\textbf {C}}}_1+{{\textbf {C}}}_2\) it holds that \({\varvec{t}}{{\textbf {C}}}^{(+)}=(\mu _1+\mu _2){{\varvec{t}}}{{\textbf {G}}}+{\varvec{e}}_1+{\varvec{e}}_2\), i.e., \({{\textbf {C}}}^{(+)}\) is a \((\beta _1+\beta _2)\)-noisy ciphertext of \(\mu _1+\mu _2\) under \({\varvec{t}}\).

  • Multiplication. Let \({{\textbf {C}}}_1\) and \({{\textbf {C}}}_2\) as above. Then, for \({{\textbf {C}}}^{(\times )}={{\textbf {C}}}_1{{\textbf {G}}}^{-1}({{\textbf {C}}}_2)\) it holds that \({\varvec{t}}{{\textbf {C}}}^{(\times )}=\mu _1\mu _2{\varvec{t}}{{\textbf {G}}}+ {\varvec{e}}\) where \({\varvec{e}}={\varvec{e}}_1{{\textbf {G}}}^{-1}({{\textbf {C}}}_2)+\mu _1{\varvec{e}}_2\). Therefore, \(\Vert {\varvec{e}}\Vert _\infty \le (m\beta _1+\beta _2)\), i.e., \({{\textbf {C}}}^{(\times )}\) is a \((m\beta _1+\beta _2)\)-noisy ciphertext of \(\mu _1\mu _2\) under \({\varvec{t}}\). The same calculation holds for NAND gates.

  • Decryption. Let \({{\textbf {C}}}\) be a \(\beta \)-noisy ciphertext of \(\mu \) under \({\varvec{t}}\), i.e., \({\varvec{t}}{{\textbf {C}}}=\mu {\varvec{t}}{{\textbf {G}}}+{\varvec{e}}\) with \(\Vert {\varvec{e}}\Vert _\infty \le \beta \). Then, with \(e'=\langle {\varvec{e}},{{\textbf {G}}}^{-1}({\varvec{w}}^T) \rangle \), it holds that \(\left|e' \right|\le m\beta \). Decryption is correct as long as \(\left|e' \right|\le q/4\), i.e., as long as \(\beta \le q/(4\,m)\). We denote \({\beta _\textsf {max}}= q/(4\,m)\).

Consider a homomorphic evaluation of a Boolean circuit of depth d consisting of NAND gates. The inputs are encrypted as \({\beta _\textsf {init}}\)-noisy ciphertexts, and each level multiplies the noise by a factor of at most \((m+1)\). Therefore, the final output is a \({\beta _\textsf {final}}\)-noisy ciphertext, where \({\beta _\textsf {final}}= (m + 1)^d {\beta _\textsf {init}}\). To ensure correctness of decryption, we require that \({\beta _\textsf {final}}\le {\beta _\textsf {max}}\), meaning \(B_\chi 4m^2 (m + 1)^d < q\), which is satisfied by the choice of parameters for the scheme. \(\square \)

1.2 GSW/GVW Equivocal Fully Homomorphic Encryption

We now describe the construction of the additional algorithms for the equivocal FHE scheme based on the GSW FHE scheme, following [59].

Lemma C.3

([1, 2, 55, 79]) There exist efficient algorithms \(\textsf{TrapGen} \), \(\textsf{SamPre} \), and \(\textsf{Sam} \) such that the following holds. Given integers \(n \ge 1\) and \(q \ge 2\), there exists some \(m^*= m^*(n,q) = O(n\log q)\) and \({\beta _\textsf {sam}}= {\beta _\textsf {sam}}(n,q) = O(n \sqrt{\log q})\) such that for all \(m \ge m^*\) and all k (polynomial in n) it holds that:

  1. \({{\textbf {U}}}\leftarrow \textsf{Sam} (1^m,1^k,q)\) samples a matrix \({{\textbf {U}}}\in {{\mathbb {Z}}}_q^{m\times k}\) which satisfies \(\Vert {{\textbf {U}}}\Vert _\infty \le {\beta _\textsf {sam}}\) (with probability 1).

  2. We have the statistical indistinguishability requirements:

    $$\begin{aligned} {{\textbf {A}}}{\mathop {\equiv }\limits ^{\textrm{s}}}{{\textbf {A}}}' \qquad \text { and } \qquad ({{\textbf {A}}},\textsf{td},{{\textbf {U}}},{{\textbf {V}}}) {\mathop {\equiv }\limits ^{\textrm{s}}}({{\textbf {A}}},\textsf{td},{{\textbf {U}}}',{{\textbf {V}}}'), \end{aligned}$$

    where \({{\textbf {A}}}\) is sampled as \(({{\textbf {A}}},\textsf{td})\leftarrow \textsf{TrapGen} ( 1^n,1^m,q)\) and \({{\textbf {A}}}'\leftarrow {{\mathbb {Z}}}_q^{n\times m}\) is uniformly random. Likewise, \({{\textbf {U}}}\leftarrow \textsf{Sam} (1^m,1^k,q)\), \({{\textbf {V}}}={{\textbf {A}}}{{\textbf {U}}}\), \({{\textbf {V}}}'\leftarrow {{\mathbb {Z}}}_q^{n\times k}\) is uniformly random, and \({{\textbf {U}}}'\leftarrow \textsf{SamPre} ({{\textbf {A}}},{{\textbf {V}}}',\textsf{td})\). The statistical distance is negligible in n. Moreover, we guarantee that any \({{\textbf {U}}}'\in \textsf{SamPre} ({{\textbf {A}}},{{\textbf {V}}}',\textsf{td})\) always satisfies \({{\textbf {A}}}{{\textbf {U}}}' = {{\textbf {V}}}'\) and \(\Vert {{\textbf {U}}}'\Vert _\infty \le {\beta _\textsf {sam}}\).

We proceed to define the additional algorithms for the equivocal FHE:

  • \((\textsf{pk},\textsf{td}) \leftarrow \mathsf {GSW.GenEquiv} (\textsf{params})\): Select \(({{\textbf {A}}},\textsf{td})\leftarrow \textsf{TrapGen} (1^n,1^m,q)\) and set \(\textsf{pk}={{\textbf {A}}}\).

  • \(\mathsf {GSW.Equiv} (\textsf{td},\textsf{ct},\mu )\): Let \(\textsf{ct}={{\textbf {C}}}\) and output \(\textsf{SamPre} ({{\textbf {A}}}, {{\textbf {C}}}-\mu {{\textbf {G}}},\textsf{td})\).

1.3 Threshold Equivocal Fully Homomorphic Encryption

We proceed by adjusting the EFHE scheme to support threshold key-generation and decryption.

  • \(\mathsf {TEFHE.Gen} (1^{\kappa },1^d,1^N)\rightarrow (\textsf{pk},\textsf{sk}_1,\ldots ,\textsf{sk}_N)\): Compute \(\textsf{params}\leftarrow \mathsf {GSW.Setup} (1^{\kappa },1^d)\), set \((\textsf{pk},\textsf{sk})\leftarrow \mathsf {GSW.Keygen} (\textsf{params})\), and let \((\textsf{sk}_1,\ldots ,\textsf{sk}_N)\) be a linear secret sharing of \(\textsf{sk}\), i.e., \(\sum _{i\in [N]} \textsf{sk}_i=\textsf{sk}\mod q\).

  • \(\mathsf {TEFHE.Enc} (\textsf{pk},\mu )\rightarrow \textsf{ct}\): Output \(\mathsf {GSW.Enc} (\textsf{pk},\mu )\).

  • \(\mathsf {TEFHE.Eval} (\textsf{pk},C, \textsf{ct}_1, \ldots , \textsf{ct}_\ell )\rightarrow \textsf{ct}\): Output \(\mathsf {GSW.Eval} (\textsf{pk},C, \textsf{ct}_1, \ldots , \textsf{ct}_\ell )\).

  • \(\mathsf {TEFHE.PartDec} (i,\textsf{sk}_i,\textsf{ct})\rightarrow {\textsf{p}}_i\): Output the partial decryption \({\textsf{p}}_i=\mathsf {GSW.Dec} ^1(\textsf{sk}_i,\textsf{ct})+e_i\), where \(e_i\leftarrow [-{B_\textsf {smdg}},{B_\textsf {smdg}}]\) is random “smudging noise” with \({B_\textsf {smdg}}=2^{d{\kappa } \log {\kappa }}B_\chi \).

  • \(\mathsf {TEFHE.FinDec} (\textsf{pk},\{{\textsf{p}}_1,\ldots ,{\textsf{p}}_N\})\rightarrow {\tilde{\mu }}\): Output \(\mathsf {GSW.Dec} ^2(\sum _{i=1}^N {\textsf{p}}_i)\).

  • \(\mathsf {TEFHE.GenEquiv} (1^{\kappa },1^d)\rightarrow (\textsf{pk},\textsf{td})\): Output \(\mathsf {GSW.GenEquiv} (\textsf{params})\).

  • \(\mathsf {TEFHE.Equiv} (\textsf{td},\textsf{ct},\mu )\rightarrow r\): Output \(\mathsf {GSW.Equiv} (\textsf{td},\textsf{ct},\mu )\).

We will use the following “smudging lemma” [5] to prove correctness of the threshold scheme.

Lemma C.4

([5]) Let \(B_1 = B_1({\kappa })\) and \(B_2 = B_2({\kappa })\) be positive integers, and let \(e_1 \in [-B_1,B_1]\) be a fixed integer. Let \(e_2 \leftarrow [-B_2,B_2]\) be chosen uniformly at random. Then, the distribution of \(e_2\) is statistically indistinguishable from that of \(e_2 +e_1\) as long as \(B_1 /B_2 = \textsf{negl}({\kappa })\).

To prove correctness, we need to show that given a ciphertext matrix \({{\textbf {C}}}\), it holds that by computing \({\textsf{p}}_i=\mathsf {GSW.Dec} ^1(\textsf{sk}_i,\textsf{ct})+e_i\) for \(e_i\leftarrow [-{B_\textsf {smdg}},{B_\textsf {smdg}}]\) followed by \(\mathsf {GSW.Dec} ^2(\sum _{i=1}^N {\textsf{p}}_i)\), we get the same result as computing \(v=\mathsf {GSW.Dec} ^1(\textsf{sk},{{\textbf {C}}})\) followed by \(\mathsf {GSW.Dec} ^2(v)\). Note that by defining \({{\textbf {C}}}_1={{\textbf {C}}}{{\textbf {G}}}^{-1}({\varvec{w}}^T)\in {{\mathbb {Z}}}_q^n\), it holds by linearity of inner product that:

$$\begin{aligned} \sum _{i=1}^N {\textsf{p}}_i&= \sum _{i=1}^N (\mathsf {GSW.Dec} ^1({\varvec{t}}_i,{{\textbf {C}}})+e_i) = \sum _{i=1}^N ({\varvec{t}}_i{{\textbf {C}}}{{\textbf {G}}}^{-1}({\varvec{w}}^T)+e_i) = \sum _{i=1}^N ({\varvec{t}}_i{{\textbf {C}}}_1+e_i)\\&= \sum _{i=1}^N (\langle {\varvec{t}}_i,{{\textbf {C}}}_1 \rangle +e_i) = \langle \sum _{i=1}^N{\varvec{t}}_i,{{\textbf {C}}}_1 \rangle +\sum _{i=1}^N e_i = \langle {\varvec{t}},{{\textbf {C}}}_1 \rangle +\sum _{i=1}^N e_i\\&= \mathsf {GSW.Dec} ^1({\varvec{t}},{{\textbf {C}}})+\sum _{i=1}^N e_i. \end{aligned}$$

To prove simulatability, we construct a simulator \(\textsf{Sim}_{\textsc {tefhe}} \) that receives as input the ciphertext \(\textsf{ct}\) describing a matrix \({{\textbf {C}}}\in {{\mathbb {Z}}}_q^{n\times m}\), a plaintext \(\mu \in \{0,1\}\), and the secret key of all parties but the \(i\)’th \(\{\textsf{sk}_j\}_{j\ne i}\), where each \(\textsf{sk}_j\) is of the form \({\varvec{t}}_j=({\varvec{s}}_j,1)\in {{\mathbb {Z}}}_q^n\). The simulator starts by setting \({{\textbf {C}}}_1={{\textbf {C}}}{{\textbf {G}}}^{-1}({\varvec{w}}^T)\) for , and computing \(\gamma _j=\langle {\varvec{t}}_j,{{\textbf {C}}}_1 \rangle \) for every \(j\ne i\). Next, sample smudging noise \(e^{{\textsf {sm}}}_i\leftarrow [-{B_\textsf {smdg}},{B_\textsf {smdg}}]\) and set

To prove statistical indistinguishability, note that by the same calculation as used to argue correctness, we know that with \(|e'|\le {\beta _\textsf {final}}mN=2^{O(d\log {\kappa })}B_\chi \). Denote the real partial decryption by \({\textsf{p}}_i=\gamma _i+e_i^{{\textsf {sm}}}\); then it holds that

The difference between the real value \({\textsf{p}}_i\) and the simulated value \({\textsf{p}}'_i\) is the noise \(e'\) of norm \(|e'| =2^{O(d\log {\kappa })}B_\chi \). By Lemma C.4, the distributions \(e^{{\textsf {sm}}}_i\) and \(e^{{\textsf {sm}}}_i+e'\) are statistically close since \(e^{{\textsf {sm}}}_i\leftarrow [-{B_\textsf {smdg}},{B_\textsf {smdg}}]\) for \({B_\textsf {smdg}}=2^{O(d{\kappa } \log {\kappa })}B_\chi \), hence \({B_\textsf {smdg}}/|e'|\ge 2^{\kappa } \).
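The GSW scheme of Appendix C.1 and the threshold decryption of Appendix C.3, worked through as an added toy implementation that is not the paper's code: pure Python over \(q = 2^{16}\) with \(n = 4\), \(m = n\log q\), \(B_\chi = 1\) errors and \(N = 3\) parties. The vector \({\varvec{w}}=(0,\ldots ,0,q/2)\), the rounding rule of \(\mathsf {GSW.Dec} ^2\), and the toy smudging bound \({B_\textsf {smdg}}=1024\) (chosen so that \({\beta _\textsf {final}}+N{B_\textsf {smdg}}<q/4\)) are assumptions of this example.

```python
# Toy GSW FHE (Appendix C.1) with the threshold decryption of Appendix C.3.
# Added example, not the paper's code; pure Python, no external libraries.
import random

L, N = 16, 4                # l = log2(q) and the lattice dimension n
Q, M = 1 << L, N * L        # modulus q = 2^16 and m = n*l (the omega(log kappa) slack is dropped)
rng = random.Random(2023)   # fixed seed, so the sample run is reproducible
# Gadget matrix G = I_n (x) (1, 2, ..., 2^(l-1)) in Z_q^{n x m}.
G = [[(1 << (j % L)) if j // L == i else 0 for j in range(M)] for i in range(N)]

def ginv(V):  # G^{-1}(V): bit-decompose the columns of V (n x k) into an m x k {0,1} matrix, G*ginv(V) = V
    return [[(V[i // L][j] >> (i % L)) & 1 for j in range(len(V[0]))] for i in range(M)]

def mul(X, Y):  # matrix product mod q, X is r x k and Y is k x c
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) % Q for j in range(len(Y[0]))] for i in range(len(X))]

def keygen():  # GSW.Keygen: sk = t = (-s, 1), pk = A = [B; s*B + e], so t*A = e (B_chi = 1 here)
    s = [rng.randrange(Q) for _ in range(N - 1)]
    B = [[rng.randrange(Q) for _ in range(M)] for _ in range(N - 1)]
    e = [rng.choice((-1, 0, 1)) for _ in range(M)]
    b = [(x + y) % Q for x, y in zip(mul([s], B)[0], e)]
    return B + [b], [(-x) % Q for x in s] + [1]

def enc(A, mu):  # GSW.Enc: C = A*R + mu*G with R uniform in {0,1}^{m x m}
    AR = mul(A, [[rng.randrange(2) for _ in range(M)] for _ in range(M)])
    return [[(AR[i][j] + mu * G[i][j]) % Q for j in range(M)] for i in range(N)]

def nand(C1, C2):  # homomorphic NAND: G - C1 * G^{-1}(C2); its noise is at most m*beta1 + beta2
    P = mul(C1, ginv(C2))
    return [[(G[i][j] - P[i][j]) % Q for j in range(M)] for i in range(N)]

GINV_W = ginv([[0]] * (N - 1) + [[Q // 2]])  # G^{-1}(w^T) for w = (0, ..., 0, q/2), standard GSW choice (assumed)

def dec1(t, C):  # GSW.Dec^1: v = t * C * G^{-1}(w^T) in Z_q; linear in t, so key shares add up
    return mul(mul([t], C), GINV_W)[0][0]

def dec2(v):  # GSW.Dec^2 (assumed rounding rule): 1 if v is closer to q/2 than to 0, else 0
    return 1 if Q // 4 <= v % Q < 3 * Q // 4 else 0

def noise(t, C, mu):  # ||e||_inf where t*C = mu*t*G + e (Definition C.2), e centred in (-q/2, q/2]
    tC, tG = mul([t], C)[0], mul([t], G)[0]
    return max(abs(((x - mu * y + Q // 2) % Q) - Q // 2) for x, y in zip(tC, tG))

# Threshold decryption (Appendix C.3): additive shares of t plus smudging noise.
B_SMDG = 1024  # toy bound with beta_final + parties*B_SMDG < q/4 (the paper uses 2^{d kappa log kappa} B_chi)

def share_key(t, parties):  # TEFHE.Gen: sk_1 + ... + sk_N = t mod q
    shares = [[rng.randrange(Q) for _ in range(N)] for _ in range(parties - 1)]
    return shares + [[(t[i] - sum(sh[i] for sh in shares)) % Q for i in range(N)]]

def part_dec(t_i, C):  # TEFHE.PartDec: p_i = Dec^1(sk_i, C) + e_i with e_i uniform in [-B_smdg, B_smdg]
    return (dec1(t_i, C) + rng.randint(-B_SMDG, B_SMDG)) % Q

def fin_dec(parts):  # TEFHE.FinDec: Dec^2 of the summed partial decryptions
    return dec2(sum(parts) % Q)

def demo(parties=3):
    """NAND on every input pair, decrypted with the full key and from smudged partial decryptions."""
    A, t = keygen()
    shares, out = share_key(t, parties), {}
    for a in (0, 1):
        for b in (0, 1):
            C1, C2 = enc(A, a), enc(A, b)
            C = nand(C1, C2)
            bound = M * noise(t, C1, a) + noise(t, C2, b)  # Multiplication bullet of the correctness proof
            assert noise(t, C, 1 - a * b) <= bound < Q // 4
            out[(a, b)] = (dec2(dec1(t, C)), fin_dec([part_dec(sh, C) for sh in shares]))
    return out
```

`demo()` also checks, on the actual ciphertexts, that the NAND output noise stays within the \(m\beta _1+\beta _2\) bound from the correctness proof and below \(q/4\), so both decryption paths return the NAND truth table.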


Cohen, R., Shelat, A. & Wichs, D. Adaptively Secure MPC with Sublinear Communication Complexity. J Cryptol 36, 11 (2023). https://doi.org/10.1007/s00145-023-09446-6
