An extended abstract of this work appears in the proceedings of Symposium on Theory

of Computing - STOC 2012. This is the full version.

On-the-Fly Multiparty Computation on the Cloud via Multikey
Fully Homomorphic Encryption
Adriana Lopez-Alt
New York University
Eran Tromer
Tel Aviv University
Vinod Vaikuntanathan
University of Toronto
Abstract
We propose a new notion of secure multiparty computation aided by a computationally-
powerful but untrusted cloud server. In this notion that we call on-the-y multiparty compu-
tation (MPC), the cloud can non-interactively perform arbitrary, dynamically chosen computa-
tions on data belonging to arbitrary sets of users chosen on-the-y. All users input data and
intermediate results are protected from snooping by the cloud as well as other users. This ex-
tends the standard notion of fully homomorphic encryption (FHE), where users can only enlist
the clouds help in evaluating functions on their own encrypted data.
In on-the-y MPC, each user is involved only when initially uploading his (encrypted) data
to the cloud, and in a nal output decryption phase when outputs are revealed; the complexity
of both is independent of the function being computed and the total number of users in the
system. When users upload their data, they need not decide in advance which function will be
computed, nor who they will compute with; they need only retroactively approve the eventually-
chosen functions and on whose data the functions were evaluated.
This notion is qualitatively the best possible in minimizing interaction, since the users
interaction in the decryption stage is inevitable: we show that removing it would imply generic
program obfuscation and is thus impossible.
Our contributions are two-fold:
1. We show how on-the-y MPC can be achieved using a new type of encryption scheme that
we call multikey FHE, which is capable of operating on inputs encrypted under multiple,
unrelated keys. A ciphertext resulting from a multikey evaluation can be jointly decrypted
using the secret keys of all the users involved in the computation.
2. We construct a multikey FHE scheme based on NTRU, a very ecient public-key encryp-
tion scheme proposed in the 1990s. It was previously not known how to make NTRU fully
homomorphic even for a single party. We view the construction of (multikey) FHE from
NTRU encryption as a main contribution of independent interest. Although the transfor-
mation to a fully homomorphic system deteriorates the eciency of NTRU somewhat, we
believe that this system is a leading candidate for a practical FHE scheme.
Contents
1 Introduction 2
1.1 Our Results and Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2 On-the-Fly MPC from Multikey FHE 8
2.1 Multikey Fully Homomorphic Encryption . . . . . . . . . . . . . . . . . . . . . . . . 9
2.2 The Basic Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.3 Security Against Malicious Adversaries . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3 Multikey Somewhat Homomorphic Encryption based on NTRU 14
3.1 Preliminaries for the NTRU Instantiation . . . . . . . . . . . . . . . . . . . . . . . . 14
3.2 The Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
3.3 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
3.4 Multikey Homomorphism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
4 From Somewhat to Fully Homomorphic Encryption 23
4.1 Bootstrapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
4.2 Modulus Reduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
5 Acknowledgements 28
A Multikey Properties of Other FHE Schemes 32
A.1 A Generic Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
A.2 From Ring-LWE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
B Impossibility of a 2-Round Protocol 33
C Simulation Extractability 35
D Proofs 35
D.1 Security against Semi-Honest Adversaries . . . . . . . . . . . . . . . . . . . . . . . . 35
D.2 Security against Malicious Adversaries . . . . . . . . . . . . . . . . . . . . . . . . . . 37
1
1 Introduction
We are fast approaching a new digital era in which we store our data and perform our expensive
computations remotely, on powerful servers the cloud, in popular parlance. While the cloud
oers numerous advantages in costs and functionality, it raises grave questions of condentiality,
since data stored in the cloud could be vulnerable to snooping by the cloud provider or even by
other cloud clients [RTSS09]. Since this data often contains sensitive information (e.g., personal
conversations, medical information and organizational secrets), it is prudent for the users to en-
crypt their data before storing it in the cloud. Recent advances in fully homomorphic encryption
(FHE) [Gen09b, vDGHV10, BV11b, BV11a, GH11, BGV12] make it possible to perform arbitrary
computations on encrypted data, thus enabling the prospect of personal computers and mobile
devices as trusted but weak interfaces to a powerful but untrusted cloud on which the bulk of
computing is performed.
FHE is only suitable in settings where the computations involve a single user, since it requires
inputs to be encrypted under the same key. However, there are many scenarios where users, who
have uploaded their large data stores to the cloud in encrypted form, then decide to compute some
joint function of their data. For example, they may wish the cloud to compute joint statistical
information on their databases, locate common les in their collections, run a computational agent
to reach a decision based on their pooled data (without leaking anything but the nal decision), or
generally, in contexts where multiple (mutually distrusting) users need to pool together their data
to achieve a common goal.
The multiparty scenario is signicantly more complex, and comes with a set of natural but
stringent requirements. First, the participants involved in the computation and the function to
be computed may be dynamically chosen on-the-y, well after the data has been encrypted and
uploaded to the cloud. Secondly, once the function is chosen, we should not expect the users to be
online all the time, and consequently it is imperative that the cloud be able to perform the bulk of
this computation (on the encrypted data belonging to the participants) non-interactively, without
consulting the participants at all. Finally, all the burden of computation should indeed be carried
by the cloud: the computational and communication complexity of the users should depend only on
the size of the individual inputs and the output, and should be independent of both the complexity
of the function computed and the total number of users in the system, both of which could be very
large.
On-the-Fly Multiparty Computation. Consider a setting with a large universe of computationally-
weak users and a powerful cloud. An on-the-y multiparty computation protocol proceeds thus:
1. The numerous users each encrypt their data and upload them to the cloud, unaware of the
identity or even the number of other users in the system. Additional data may arrive directly
to the cloud, encrypted under users public keys (e.g., as encrypted emails arriving to a
cloud-based mailbox).
2. The cloud decides to evaluate an arbitrary dynamically chosen function on the data of ar-
bitrary subset of users chosen on-the-y. (The choice may be by some users request, or
as a service to compute the function on the data of parties fullling some criterion, or by
a need autonomously anticipated by the cloud provider, etc.) The cloud can perform this
computation non-interactively, without any further help from the users. The result is still
encrypted.
2
3. The cloud and the subset of users whose data was used in the computation interact in a
decryption phase. At this point the users retroactively approve the choice of function and the
choice of peer users on whose data the function was evaluated, and cooperate to retrieve the
output.
Crucially, the computation and communication of all the users (including the cloud) in the
decryption phase should be independent of both the complexity of the function computed, and the
size of the universe of parties (both of which can be enormous). Instead, the eort expended by
the cloud and the users in this phase should depend only on the size of the output and the number
of users who participated in the computation. Also crucially, the users need not be online at all
during the bulk of the computation; they need to wake up only when it is time to decrypt the
output.
We call this an on-the-y multiparty computation (or on-the-y MPC in short) to signify the fact
that the functions to be computed on the encrypted data and the participants in the computation
are both chosen on-the-y and dynamically, without possibly even the knowledge of the participants.
Protocols following this framework have additional desirable features such as the ability for users
to join a computation asynchronously.
Possible Approaches (and Why They Do Not Work). The long line of work on secure
multiparty computation (MPC) [GMW87, BGW88, CCD88, Yao82] does not seem to help us
construct on-the-y MPC protocols since the computational and communication complexities of
all the parties in these protocols depends polynomially on the complexity of the function being
computed.
1
In contrast, we are dealing with an asymmetric setting where the cloud computes a
lot, but the users compute very little. (Nevertheless, we will use the traditional MPC protocols to
interactively compute the decryption function at the end.)
Fully homomorphic encryption (FHE) is appropriate in such an asymmetric setting of computing
with the cloud. Yet, traditional FHE schemes are single-key in the sense that they can perform
(arbitrarily complex) computations on inputs encrypted under the same key. In our setting, since
the parties do not trust each other, they will most certainly not want to encrypt their inputs using
each others keys. Nevertheless, Gentry [Gen09a] proposed the following way of using single-key
FHE schemes in order to do multiparty computation: rst, the parties run a (short) MPC protocol
to compute a joint public key, where the matching secret key is secret-shared among all the parties.
The parties then encrypt their inputs under the joint public key and send the ciphertexts to the
cloud who then uses the FHE scheme to compute an encryption of the result. Finally, the parties run
yet another (short) MPC protocol to recover the result. A recent work by Asharov et al. [AJL
+
12]
extends this schema and makes it ecient in terms of the concrete round, communication and
computational complexity.
This line of work does not address the dynamic and non-interactive nature of on-the-y MPC.
In particular, once a subset of parties and a function are chosen, the protocols of [Gen09a, AJL
+
12]
require the parties to be online and run an interactive MPC protocol to generate a joint public key.
In contrast, we require that once the function and a subset of parties is chosen, the cloud performs
the (expensive) computations non-interactively, without help from any of the users. It would
also be unsatisfactory to postpone the (lengthy) computation of the function until the interactive
1
The works of Damgard et al. [DIK
+
08, DIK10] are an exception to this claim. However, it is not clear how to
build upon these results to address the dynamic and non-interactive nature of on-the-y MPC.
3
decryption phase; indeed, we require that once the users wake up for the decryption phase, the
running time of all parties is independent of the complexity of the function being computed. Thus,
even the feasibility of on-the-y MPC is not addressed by existing techniques.
Our Solution. We present a new notion of fully homomorphic encryption (FHE) that we call
a multikey FHE that permits computation on data encrypted under multiple unrelated keys; a
new construction of multikey FHE based on the NTRU encryption scheme (originally proposed by
Hostein, Pipher and Silverman [HPS98]); and a new method of achieving on-the-y multiparty
computation (for any a-priori bounded number of users) using a multikey FHE scheme. Although
the number of users involved in any computation has to be bounded in our solution, the total
number of users in the system is arbitrary.
1.1 Our Results and Techniques
New Notion: Multikey Homomorphic Encryption. An N-key Fully Homomorphic En-
cryption scheme is the same as a regular FHE scheme with two changes. First, the homomorphic
evaluation algorithm takes in polynomially many ciphertexts encrypted under at most N keys,
together with the corresponding evaluation keys, and produces a ciphertext. Second, in order to
decrypt the resulting ciphertext, one uses all the involved secret keys.
A multikey FHE scheme is indeed the right tool to perform on-the-y MPC as shown by
the following simple protocol: the users encrypt their inputs using their own public keys and
send the ciphertexts to the cloud, the cloud then computes a dynamically chosen function on
an arbitrary subset of parties using the multikey property of the FHE scheme, and nally, the
users together run an interactive MPC protocol in order to decrypt. Note that the users can be
oine during the bulk of the computation, and they need to participate only in the nal cheap
interactive decryption process. Note also that participants in the protocol need not be aware of
the entire universe of users, but only those users that participate in a joint computation. This
simple protocol provides us security against a semi-honest collusion of the cloud with an arbitrary
subset of parties. We then show how to achieve security against a malicious adversary, using tools
such as veriable computation protocols [GKR08, GGP10, CKV10, AIK10] or succinct argument
systems [Kil92, Mic94, BCCT12a, GLR11].
The computation of the decryption function can itself be outsourced to the cloud. In particular,
using the cloud-assisted MPC protocol of Asharov et al. [AJL
+
12] yields a 5-round on-the-y MPC
protocol (one oine round, and four online rounds to perform decryption). As an additional benet,
in the resulting on-the-y protocol, the parties may communicate with the server concurrently at
each stage. The only disadvantage of this approach is that it requires a CRS setup. This does not,
however, aect the on-the-y nature of the procotol since only an apriori bound N on the number
of computing parties needs to be known when creating the CRS.
(Multikey) Fully Homomorphic Encryption from NTRU. The starting point of our main
construction of multikey FHE is the NTRU encryption scheme of Hostein, Pipher and Silver-
man [HPS98] (more precisely, the slightly modied version due to Stehle and Steinfeld [SS11]).
NTRU is one of the earliest lattice-based public-key encryption schemes, together with the Ajtai-
Dwork cryptosystem [AD97] and the Goldreich-Goldwasser-Halevi cryptosystem [GGH97]. We
rst observe that NTRU can be made (single-key) fully homomorphic using the recent techniques
of [BV11a, BGV12]. Using some additional tricks, we then show that the scheme is multikey fully
4
homomorphic for a bounded number of users at essentially the same cost. Previously, it was not even
known whether NTRU could be turned into a (regular, single-key) fully homomorphic encryption
scheme.
2
This construction is one of our main contributions and we believe it to be of independent interest.
Our construction is particularly interesting since the NTRU scheme was originally proposed as an
ecient public-key encryption scheme, meant to replace RSA and elliptic curve cryptosystems in
applications where computational eciency is at a premium (for example, applications that run on
smart cards and embedded systems). Although the transformation to a fully homomorphic system
deteriorates the eciency of NTRU somewhat, we believe that this system is a leading candidate for
a practical FHE scheme. Whats more, as we show, the scheme supports homomorphic operations
on encryptions under multiple keys.
Theorem 1.1 (Informal). For every N N, there is an N-user multikey fully homomorphic
encryption scheme under the assumption that the NTRU encryption scheme (described below) is
semantically secure and circular secure. The size of the keys and ciphertexts in the scheme grow
polynomially with N.
We briey sketch here our variant of the NTRU encryption scheme and the ideas in turning
it into a multikey fully homomorphic encryption scheme. The reader is referred to Section 3 and
Section 4 for a detailed exposition.
The main dierences between the original NTRU scheme and our variant are threefold: (1)
Whereas the original NTRU scheme adds a deterministic noise to the ciphertext, the variant con-
sidered here adds noise chosen from a distribution with bounded support (specically, a discrete
Gaussian distribution), a modication recently introduced by Stehle and Steinfeld [SS11]. It seems
that this could only improve security; indeed, the purpose of the Stehle-Steinfeld work was to prove
the security of NTRU based on worst-case hardness assumptions on ideal lattices, (2) We do all our
operations modulo x
n
+1 where n is a power of 2 as in [SS11], as opposed to x
n
1 in the original
NTRU. (3) Our parameters are more aggressive than in [HPS98, SS11] to support homomorphisms.
As a result, the worst-case to average-case connection shown by [SS11] does not carry over to our
setting of parameters.
For security parameter , the scheme is parametrized by a prime number q = q(), and a
B-bounded error distribution over the ring R Z[x]/x
n
+ 1) (i.e., is a distribution over
polynomials whose coecients are all at most B() in absolute value). The parameters n, q and
are public. We show how to encrypt bits using the scheme. All operations in the scheme take place
in the ring R
q
R/qR.
Keygen(1

): Sample bounded polynomials f

t
, g and set f := 2f
t
+1 so that f 1 (mod 2).
Set the public key pk := h = 2gf
1
R
q
and the secret key sk = f R. (If f is not invertible
over R
q
, resample f
t
).
Enc(pk, m): Sample bounded polynomials s, e . Output the ciphertext c := hs+2e+m R
q
.
Dec(sk, c): Let = fc R
q
. Output (mod 2) as the message.
2
The observation that NTRU can be made single-key fully homomorphic was made concurrently by Gentry et
al. [GHL
+
11].
5
Decryption works since
fc (mod q) = f(hs + 2e +m) (mod q)
= 2(gs +ef) +fm (mod q)
= 2(gs +ef) +fm
where the last equality is true since [2(gs + ef) + fm[ < q/2.
3
Taking this quantity mod 2 then
gives us the message m since f 1 (mod 2).
The multikey homomorphic properties of the scheme are best seen through the lens of the
decryption equation (as in [BV11a, BV11b]). In particular, consider ciphertexts c
1
= h
1
s
1
+2e
1
+
m
1
R
q
and c
2
= h
2
s
2
+ 2e
2
+ m
2
R
q
that encrypt messages m
1
and m
2
under public keys
h
1
and h
2
respectively, with noise terms e
1
and e
2
. A little algebraic manipulation shows that
c
add
= c
1
+ c
2
and c
mult
= c
1
c
2
are ciphertexts that encrypt the sum and product of m
1
and m
2
,
respectively, albeit with larger error terms. Namely, decrypting c
1
+ c
2
and c
1
c
2
with the joint
secret key f
1
f
2
(which is simply a product of the two secret keys f
1
and f
2
) gives us:
f
1
f
2
(c
1
+c
2
) = 2(f
1
f
2
(e
1
+e
2
) +f
2
g
1
s
1
+f
1
g
2
s
2
) +f
1
f
2
(m
1
+m
2
)

= 2E
add
+f
1
f
2
(m
1
+m
2
)
This shows that decrypting c
1
+c
2
using the joint secret key f
1
f
2
results in the sum of the two
messages, assuming that the error does not grow to be too large. Likewise, we have:
f
1
f
2
(c
1
c
2
) = 2(2g
1
g
2
s
1
s
2
+g
1
s
1
f
2
(2e
2
+m
2
) +g
2
s
2
f
1
(2e
1
+m
1
) +
f
1
f
2
(e
1
m
2
+e
2
m
1
+ 2e
1
e
2
)) +f
1
f
2
(m
1
m
2
)

= 2E
mult
+f
1
f
2
(m
1
m
2
)
This shows that decrypting c
1
c
2
using the joint secret key f
1
f
2
results in the product of the two
messages, assuming that the error does not grow to be too large.
Extending this to circuits, we observe that the eective secret key required to decrypt a ci-
phertext c resulting from evaluating a multivariate polynomial function on the inputs of N users is

N
i=1
f
d
i
i
where d
i
is the degree of the i
th
variable in the polynomial function. This makes the secret
key required to decrypt c dependent on the circuit evaluated, which is unacceptable even for some-
what homomorphic encryption. We use the relinearization technique from [BV11a] to transform
the ciphertext into one that can be decrypted using the secret key

N
i=1
f
i
(namely, reduce all the
exponents from d
i
to 1), after every operation. In eect, this ensures that the secret key is related
to the number of users N involved in the computation, and not to the function being computed.
With the use of relinearization, one can show that the scheme is multikey somewhat homomorphic,
i.e., capable of evaluating circuits of depth log n for some small constant < 1. (For more details,
see Section 3).
To turn this into a fully homomorphic encryption scheme, we use the technique of modu-
lus reduction from the work of Brakerski and Vaikuntanathan [BV11a], later rened in [BGV12].
Modulus reduction shows how to reduce the magnitude of the error (while simultaneously reducing
3
We associate Zq with the set {q/2, . . . , q/2} throughout this work.
6
the size of the modulus). This technique works transparently in the multikey setting. The bottom
line is that we can evaluate functions on N users as long as N log q/polylog(n). Put another
way, for any number N of users, we get a N-user multikey FHE by setting q to be a large enough
function of N. This gives us a leveled multikey FHE scheme. Finally, to turn this into a full-edged
multikey FHE scheme (whose complexity is independent of the complexity of the function being
computed), we use (a multikey analog of) Gentrys bootstrapping technique [Gen09b].
Our construction based on the NTRU encryption scheme raises a natural question: can any
of the other FHE schemes be made multikey? It turns out that the schemes of [Gen09a, SV10,
vDGHV10, BV11b, BV11a] can be made N-key fully homomorphic for a constant N, or sometimes
even N = O(log n). See Appendix A for more details.
Completely Non-Interactive On-the-Fly MPC? Our results raise the natural question of
whether the protocols can be made completely non-interactive, namely the users do not ever have to
talk to each other, even in the decryption phase. We know from [HLP11] that in the non-interactive
setting, the server can always evaluate the circuit multiple times, keeping some parties inputs but
plugging in fake inputs of its choosing for the other parties. However, even if we accept this as the
ideal functionality, we show that a non-interactive protocol cannot be achieved by drawing on the
impossibility of program obfuscation. Thus, our notion is qualitatively the best possible in terms
of interaction. See Appendix B for a formal theorem statement.
Other Related Work. The basic idea of using homomorphic encryption schemes in conjunction
with threshold decryption to boost the eciency of MPC protocols was rst noticed by Cramer,
Damgard and Nielsen [CDN01]. The idea of using a cloud to alleviate the computational eorts
of parties was recently explored in the work on server-aided MPC by Kamara, Mohassel and
Raykova [KMR11]. Their protocols, however, require some of the parties to do a large amount of
computation, essentially proportional to the size of the function f being computed. Halevi, Lindell
and Pinkas [HLP11] recently considered the model of secure computation on the web wherein
the goal is to minimize interaction between the parties. While their denition requires absolutely
no interaction among the participants in the protocols (the participants interact with the server
only), they show that this notion can only be achieved for a small class of functions. Our goal, on
the other hand, is to compute arbitary functions with the assistance of a cloud.
Organization. In Section 2 we formally dene multikey FHE and on-the-y MPC, and show
our construction of on-the-y MPC from multikey FHE. In Section 3 we show how to instantiate
multikey somewhat homomorphic encryption from the NTRU encryption scheme, and then show
how to achieve full homomorphism in Section 4. Finally, in Appendix B, we show the impossibility
of a completely non-interactive on-the-y MPC protocol.
Notation. In the remainder of the paper, we use the following notation. We use to denote the
security parameter. For an integer n, we use the notation [n] to denote the set [n] = 1, . . . , n.
For a randomized function f, we write f(x; r) to denote the unique output of f on input x with
random coins r. We write f(x) to denote a random variable for the output of f(x; r) over uniformly
random coins r. For a distribution or random variable X, we write x X to denote the operation
of sampling a random x according to X. For a set S, we overload notation and use s S to denote
sampling s from the uniform distribution over S. We use y := f(x) to denote the deterministic
7
evaluation of f on input x with output y. For two distributions D and D
t
, D
c
D
t
denotes
computational indistinguishability.
2 On-the-Fly MPC from Multikey FHE
We consider the problem of a server or cloud, denoted by S, storing the data of U dierent parties
P
1
, . . . , P
U
. We wish to ensure that the data of each party is kept private, but also allow the server
S to compute any joint function of the data of any subset V [U] of the parties. We also wish to
ensure that the server is able to do this with minimal participation from the parties in V , and no
interaction at all from the rest of the parties [U]V . Furthermore, the communication complexity
and the computation time of each party P
i
should be independent of the complexity of the function
since we rely on the computation power of the server, who will carry out the entire computation of
the joint function F. The computation should remain secure even if the server or any set of parties
are corrupted. We formalize this below.
For a class ( of functions with at most U inputs, an on-the-y multiparty protocol for (
is a protocol between U + 1 interactive Turing Machines P
1
, . . . , P
U
, S, such that for all inputs
x = (x
1
, . . . , x
U
), all functions F (, if F is an N-input function then for all ordered subsets
V [U] such that [V [ = N, the output of in an execution where P
i
is given x
i
as input (S does
not receive an input), and F, V are chosen for the computation, is y = F(x
i

iV
). An on-the-y
multiparty protocol consists of two phases, an oine phase that is performed before the function
F ( is chosen, and an online phase that begins once F is chosen together with a subset V of
inputs on which F will be evaluated. All parties P
1
, . . . , P
U
, S participate in the oine phase, but
only the server S and parties in V participate in the online phase. After the function is selected,
the server ignores all oine messages from non-computing parties (i.e. those in [U]V ).
Unlike in standard MPC, we require the communication complexity of the protocol, as well as
the computation time of parties P
1
, . . . , P
U
to be independent of the complexity of the function F.
Furthermore, we let the computation time of parties P
i
for i V depend on the partys input and
the output size of the F but require the computation time of parties P
i
for i [U]V to depend
only on the size of the partys input and be independent of the output size of F. On the other
hand, the computation time of the server S must be linear in the circuit-size of F.
Security. We prove security of an on-the-y MPC protocol in the Ideal/Real paradigm. Let
F(x
i

iV
) for V [U] be the function to be computed, and let N = [V [. For ease of notation,
we assume w.l.o.g. that V = [N]. In the ideal world, the computation of F is performed through
a trusted functionality T that receives input x
i
from each party P
i
for i [U], computes y =
F(x
1
, . . . , x
N
) (ignoring all inputs x
i
for i / V ) and gives y to parties P
1
, . . . , P
N
, S, while parties
P
i
for i [U]V do not get an output. Thus, in the ideal world, parties learn nothing more than
y. In the real world, however, this trusted functionality does not exist and so in order to compute
y = F(x
1
, . . . , x
N
), parties P
1
, . . . , P
U
, S run a protocol .
An adversary corrupting a party (resp. the server) receives all messages directed to the corrupted
party (resp. the server) and controls the messages that it sends. Since the server ignores messages
from parties outside V , we assume w.l.o.g. that an adversary only corrupts computing parties, i.e.
parties in V , and possibly the server.
We use IDEAL
T,S
(x) to denote the joint output of the ideal-world adversary o and the outputs
of the server S and the parties P
1
, . . . , P
N
in an ideal execution with functionality T and inputs x =
8
(x
1
, . . . , x
U
). Similarly, we use REAL
,,
(x) to denote the joint output of the real-world adversary
/ and the outputs of parties P
1
, . . . , P
N
and server S in an execution of protocol with inputs
x = (x
1
, . . . , x
U
). We say that a protocol securely realizes T if for every real-world adversary
/ corrupting any t < N parties (and possibly the server), there exists an ideal-world adversary o
with black-box access to / such that for all input vectors x, IDEAL
T,S
(x)
c
REAL
,,
(x).
2.1 Multikey Fully Homomorphic Encryption
In this section, we dene multikey fully homomorphic encryption. Intuitively, multikey FHE allows
us to evaluate any circuit on ciphertexts that might be encrypted under dierent public keys. To
guarantee semantic security, decryption requires all of the corresponding secret keys.
We introduce a parameter N, which is the number of distinct keys that a scheme can tolerate.
We let all algorithms depend polynomially on N. This is similar to the denition of leveled
FHE from [BGV12]. However, we note that in our denition, the algorithms depend on N but
are independent of the depth of circuits that the scheme can evaluate. Thus, we consider schemes
that are leveled with respect to the number of keys N, but fully homomorphic (non-leveled)
with respect to the circuits that are evaluated. The construction of multikey FHE schemes that
are not leveled with respect to the number of keys (i.e., where all algorithms are independent of
N) remains an open problem.
We now dene multikey FHE as follows, for restricted circuit classes and for arbitrary circuits.
Denition 2.1. (Multikey (-Homomorphic Encryption) Let ( be a class of circuits. A family
c
(N)
= (Keygen, Enc, Dec, Eval)
N>0
of algorithms is a multikey (-homomor-phic encryption
scheme family if for all integers N > 0, c
(N)
has the following properties:
(pk, sk, ek) Keygen(1

), for a security parameter , outputs a public key pk, a secret key sk

and a (public) evaluation key ek.
c Enc(pk, m), given a public key sk and message m, outputs a ciphertext c.
m
t
:= Dec(sk
1
, . . . , sk
N
, c), given N secret keys sk
i
and a ciphertext c, outputs a message m
t
.
c

:= Eval(C, (c
1
, pk
1
, ek
1
), . . . , (c
t
, pk
t
, ek
t
)), given a (description of ) a boolean circuit C along
with t tuples (c
i
, pk
i
, ek
i
), each comprising of a ciphertext c
i
, a public key pk
i
, and an evalu-
ation key ek
i
, outputs a ciphertext c

.
We require absence of decryption failures and compactness of ciphertexts. Formally: for
every circuit C (, all sequences of N key tuples (pk
t
j
, sk
t
j
, ek
t
j
)
j[N]
each of which is in
the support of Keygen(1

), all sequences of t key tuples (pk

i
, sk
i
, ek
i
)
i[t]
each of which is in
(pk
t
j
, sk
t
j
, ek
t
j
)
j[N]
, and all plaintexts (m
1
, . . . , m
t
) and ciphertexts (c
1
, . . . , c
t
) such that c
i
is in the support of Enc(pk
i
, m
i
), Eval satises the following properties:
Correctness: Let c

:= Eval(C, (c
1
, pk
1
, ek
1
), . . . , (c
t
, pk
t
, ek
t
)). Then Dec(sk
t
1
, . . . , sk
t
N
, c

) =
C(m
1
, . . . , m
t
).
4
4
Note that correctness still holds even if the circuit C completely ignores all ciphertexts encrypted under a public
key pk
i

, or if none of the original ciphertexts were encrypted under this key. In other words, using superuous keys
in the decryption process does not aect its correctness (as long as decryption uses at most N keys).
9
Compactness: Let c

:= Eval(C, (c
1
, pk
1
, ek
1
), . . . , (c
t
, pk
t
, ek
t
)). There exists a polynomial
P such that [c

[ P(, N). In other words, the size of c

is independent of t and [C[.

Note, however, that we allow the evaluated ciphertext to depend on the number of keys,
N.
Denition 2.2. (Multikey FHE) A family of encryption schemes c
(N)
= (Keygen, Enc, Dec, Eval)
N>0
is multikey fully homomorphic if it is multikey (-homomorphic for the class ( of all circuits.
Semantic security of a multikey FHE follows directly from the semantic security of the under-
lying encryption scheme in the presence of the evaluation key ek. This is because given ek, the
adversary can compute Eval himself. Note that taking N = 1 in Denition 2.1 and Denition 2.2
yield the standard denitions of (-homomorphic and fully homomorphic encryption schemes.
2.2 The Basic Protocol
Let c
(N)
= (Keygen, Enc, Dec, Eval)
N>0
be a multikey fully-homomorphic family of encryption
schemes. We construct the following on-the-y MPC protocol
sh
secure against semi-honest
adversaries.
Step 1: For i [U], party P
i
samples a key tuple
(pk
i
, sk
i
, ek
i
) Keygen(1

)
and encrypts its input x
i
under pk
i
:
c
i
Enc(pk
i
, x
i
)
It sends (pk
i
, ek
i
, c
i
) to the server S.
At this point a function F, represented as a circuit C, has been selected on inputs x
i

iV
for some
V U. Let N = [V [. For ease of notation, assume w.l.o.g. that V = [N]. The parties proceed as
follows.
Step 2: The server S computes
c

:= Eval(C, (c
1
, pk
1
, ek
1
), . . . , (c
N
, pk
N
, ek
N
))
and broadcasts c

to parties P
1
, . . . , P
N
.
Step 3: The parties P
1
, . . . , P
N
run a secure MPC protocol
dec
sh
to compute Dec(sk
1
, . . . , sk
N
, c

).
Theorem 2.1. Let c
(N)
= (Keygen, Enc, Dec, Eval)
N>0
be a multikey fully-homomorphic encryp-
tion scheme, and let
dec
sh
be an N-party MPC protocol for computing the decryption function
Dec(sk
1
, . . . , sk
N
, c

). If c is semantically secure, and

dec
sh
is secure against semi-honest adver-
saries corrupting t < N parties, then the above construction is an on-the-y MPC protocol secure
against semi-honest adversaries corrupting t parties and possibly the server S.
See Appendix D for the proof of Theorem 2.1.
10
2.3 Security Against Malicious Adversaries
The protocol described in Section 2.2 is not secure against malicious adversaries. Our rst step in
handling this type of attack is to replace our decryption protocol with one that is secure against
malicious adversaries, which we will denote
dec
mal
. Next, we will apply general MPC techniques
to the rest of our protocol (Steps 1 and 2) to ensure parties do not deviate from the protocol. This
requires coin-ipping and zero-knowledge proofs. However, there are two subtleties to consider.
1. First, recall that in our model, parties do not communicate with each other until the de-
cryption phase. In particular, parties do not communicate with each other (or even know
about the existance of other parties) during Step 1. Therefore, coin-ipping in Step 1 is out
of the question. Fortunately, the correctness property (from Denition 2.1) guarantees that
the scheme is secure against corrupt parties that follow the protocol in Step 1 but adap-
tively choose their random coins. This means that parties do not need to coin-ip for each
others random coins. Furthermore, since the servers computation throughout the protocol
is deterministic, the parties do not need to coin-ip for the servers random coins.
We therefore only need to add zero-knowledge proofs of knowledge
5
to ensure that the parties
indeed follow the protocol. The intuition behind this is that correctness will guarantee that
the simulator can extract the input x
i
for a corrupted party and therefore obtain the correct
value y from the ideal functionality, regardless of the coins used by the adversary.
2. Second, we wish to ensure that the computation time and communication complexity of the
parties is small. This means that the server must be able to prove that he carried out the
computation of Eval correctly in such a way that the parties can verify the validity of the
proof in time that is much less than linear in the circuit size. To solve this problem, we use
techniques from veriable computation. We oer several solutions, each with its own benets
and drawbacks.
Verication for Small Inputs. We rst consider the case where the ciphertexts (c
1
, . . . , c
N
) are
small enough to be broadcast to the N parties in V (i.e., allowing communication complexity linear
in the total input size of the participating parties). In this case, the server needs to convince the
participating parties that c

= Eval(C, (c
1
, pk
1
, ek
1
), . . . , (c
N
, pk
N
, ek
N
)), i.e., that a deterministic
circuit of size poly([C[, ) accepts. For any uniform circuit C (i.e., computable by a poly()-time
Turing machine), the following oer poly(, log([C[)) communcation and verication eciency.
6
1. Use the argument system of Kilian [Kil92, Kil95], yielding interactive 4-round verication. It
relies on expensive PCPs.
5
There is a subtely here. We assume a rushing adversary, that is, we assume that the adversary can choose his
messages adaptively, depending on the messages from the honest players. Because of this, in the proof the simulator
will have to provide simulated proofs for the honest parties and still be able to extract from the proofs created by the
adverary on behalf of corrupt players. We therefore need to use simulation-extractable ZK proofs (SE-ZK) [Gro06],
instead of ordinary ZK proofs of knowledge (ZK-POKs). However, in the interest of clarity, we choose to present the
construction above with ZK-POKs instead of SE-ZK. See Appendix C for a precise denition of simulation-extractable
proofs.
6
For any given family of C, |C| = poly(), and thus, poly(, log(|C|)) = poly(); but the degree of this polynomial
depends on the circuit family.
11
2. Use Micalis CS proofs [Mic94]. This reduces interaction to one round, but assumes a random
oracle. It also relies on expensive PCPs.
3. Use the succint non-interactive arguments (SNARGs and SNARKs) of Bitansky et al. [BCCT12a,
BCCT12b] or Goldwasser at al. [GLR11]. These are 1-round and hold in the standard model,
but require a non-falsiable assumption [Nao03].
7
Some variants rely on PCPs, PIR or FHE.
In case that the evaluation circuit is in logspace-uniform NC, we have another alternative:
4. Use the argument system of Goldwasser et al. [GKR08] for a 2-round solution. It relies on
PIR.
In the case of arbitrary nonuniform poly()-size circuits, one can use the technique of [BSCGT12,
Section 5.4]. First, in a preparatory phase, the circuit C is written down and its collision-
resistant hash digest d is computed by a trusted party or via an MPC protocol. Then, in step
3, the server proves the NP statement there exists a circuit

C whose digest is d and c

=
Eval(

C, (c
1
, pk
1
, ek
1
), . . . , (c
N
, pk
N
, ek
N
)). This requires a succint argument system that is proof of
knowledge and supports nondeterministic uniform circuits. This is satised by Micalis construction
of CS proofs under Valiants analysis [Mic94, Val08], and by SNARKs [BCCT12a, BCCT12b].
Verication for Large Inputs. We can make communication and verication complexities de-
pend merely polylogarithmically on the size of the relevant inputs x
1
, . . . , x
N
. In the aforementioned
proofs of knowledge for nondeterministic statements [Mic94, Val08, BCCT12a, BCCT12b], the com-
plexity depends polynomially on the size of statement being proven (expressed as a nondeterministic
Turing machine and its input), but merely polylogarithmically on the size of the witness for the
statement, and in particular, the nondeterministic choices made by the Turing machine. We thus
move c
i
from the instance into the witness. To recognize the correct c
i
, each party P
i
remembers
the digest of c
i
under a collision-resistant hash function family H = H
hk
: 0, 1

0, 1

.
In the oine stage, every party P
i
draws hash key hk
i
and computes the digest d
i
= H
hk
i
(c
i
,
enc
i
),
where
enc
i
is the corresponding zero-knowledge proof of plaintext knowledge. P
i
then sends
(c
i
,
enc
i
, hk
i
, d
i
) to the cloud. Each party P
i
remembers its own (hk
i
, d
i
) but can forget the poten-
tially long x
i
, c
i
,
enc
i
. In the online stage, the server broadcasts (hk
1
, d
1
), . . . , (hk
N
, d
N
) and proves
the following NP statement: there exist c
1
,
enc
1
, . . . , c
N
,
enc
N
such that d
i
= H
hk
i
(c
i
,
enc
i
) and
c

= Eval(C, (c
1
, pk
1
, ek
1
), . . . , (c
N
, pk
N
, ek
N
)) and
enc
i
is a valid proof.
This is secure, since whenever the server convinces the clients, it actually knows such c
1
,
enc
1
,
. . . , c
N
,
enc
N
which can be eciently extracted from the server (by the arguments proof of knowl-
edge property). For an honest party, the extracted c
i
must be the one originally sent by the party
(by the collision-resistance of H). For a corrupt party, the extracted c
i
must be a valid ciphertext
and its plaintext can be eciently extracted from
enc
i
(by the proof of knowledge property of

enc
i
).
We remark that the proceedings version of this work does not include the proof of plaintext
knowledge
enc
i
in the digest. Unfortunately, we do not know how to prove the resulting protocol
secure if only the ciphertext c
i
is included in the digest. This stems from the fact that each party
chooses its own digest key hk
i
, and thus we cannot guarantee that H
hk
i
is collision-resistant if P
i
7
A non-falsiable assumption is necessary for the argument system to be non-interactive and secure in the standard
model [GW11]. Note that we indeed require adaptive security, since the prover (ie. the server) is free to choose the
statement to be proven (ie. the function to be computed).
12
is corrupt. This potentially enables a corrupt server to nd a (possibly invalid) ciphertext c
t
i
and
prove that d
i
= H
hk
i
(c
t
i
) and c

= Eval(C, (c
1
, pk
1
, ek
1
), . . . , (c
t
i
, pk
i
, ek
i
), . . . , (c
N
, pk
N
, ek
N
)). This
defeats the purpose of having a proof of plaintext knowledge
enc
i
in the rst place, and in short,
implies that a malicious party can potentially evaluate the joint function on an unknown input.
Including the proof of knowledge
enc
i
guarantees that this attack is not possible (see the security
proof in Appendix D for more details).
Protocol for Malicious Adversaries. The protocol for fully malicious adversaries is given
below. Let c
(N)
= (Keygen, Enc, Dec, Eval)
N>0
be a multikey fully-homomorphic family of en-
cryption schemes, and let H = H
hk
: 0, 1

0, 1

be a family of collision-resistant hash

functions. The following construction is an on-the-y MPC protocol
mal
secure against malicious
adversaries.
Step 1: For i [U], party P
i
samples a key tuple
(pk
i
, sk
i
, ek
i
) := Keygen(1

; r
i
)
and encrypts its input x
i
under pk
i
:
c
i
:= Enc(pk
i
, x
i
; s
i
)
It computes zero-knowledge proofs of knowledge
gen
i
,
enc
i
showing it computed these steps
correctly. The proofs
gen
i
,
enc
i
attest to these relations.
R
gen
= ( (pk
i
, ek
i
) , (sk
i
, r
i
) ) [ (pk
i
, sk
i
, ek
i
) := Keygen(1

; r
i
)
R
enc
= ( (pk
i
, c
i
) , (x
i
, s
i
) ) [ c
i
= Enc(pk
i
, x
i
; s
i
)
It also samples a hash key hk
i
and computes the digest of the ciphertext and the proof of
plaintext knowledge
d
i
= H
hk
i
(c
i
,
enc
i
)
Party P
i
sends the tuple (pk
i
, ek
i
, hk
i
,
gen
i
,
enc
i
, c
i
, d
i
) to the server S. The server veries all
proofs
gen
i
,
enc
i

i[U]
.
From this point forward, party P
i
can forget its (potentially long) input x
i
, ciphertext c
i
, and
proof
enc
i
. It need only remember the hash key hk
i
and digest d
i
.
A function F, represented as a circuit C, is now selected on inputs x
i

iV
for some V U.
Let N = [V [. For ease of notation, we assume w.l.o.g. that V = [N].
Step 2: The server S computes
c

:= Eval(C, (c
1
, pk
1
, ek
1
), . . . , (c
N
, pk
N
, ek
N
))
and a short argument proving that
(c
1
,
Enc
1
) , . . . , (c
N
,
Enc
N
) s.t. d
i
= H
hk
i
(c
i
,
Enc
i
) and Verify
enc
( (pk
i
, c
i
) ,
Enc
i
) = 1
and c

= Eval(C, (c
1
, pk
1
, ek
1
), . . . , (c
N
, pk
N
, ek
N
))
It broadcasts (c

, ) to parties P
1
, . . . , P
N
, together with
(pk
i
, ek
i
, hk
i
, d
i
,
gen
i
)
i[N]
13
Step 3: The parties P
1
, . . . , P
N
verify the argument and all proofs
gen
i

i[N]
. The parties run
an MPC protocol
dec
mal
to compute Dec(sk
1
, . . . , sk
N
, c

).
Theorem 2.2. Let c
(N)
= (Keygen, Enc, Dec, Eval)
N>0
be a multikey fully-homomorphic encryp-
tion scheme, and let
dec
mal
be an N-party MPC protocol for computing the decryption function
Dec(sk
1
, . . . , sk
N
, c

). Let H = H
hk
: 0, 1

0, 1

be a family of collision-resistant hash

functions. If c is semantically secure, and
dec
mal
is secure against malicious adversaries cor-
rupting t < N parties, then the above construction is an on-the-y MPC protocol secure against
malicious adversaries corrupting t parties and possibly the server S.
See Appendix D for the proof of Theorem 2.2.
3 Multikey Somewhat Homomorphic Encryption based on NTRU
We show how to construct a multikey somewhat homomorphic encryption scheme based on the
NTRU encryption system rst proposed by Hostein, Pipher, and Silverman [HPS98]. More pre-
cisely, we rely on a variant of the NTRU scheme proposed by Stehle and Steinfeld[SS11].
In Section 3.1, we rst review denitions and facts from the literature that we use extensively.
In Section 3.2, we describe the encryption scheme. In Section 3.3, we discuss its security, and in
Section 3.4 show that it is multikey somewhat homomorphic.
3.1 Preliminaries for the NTRU Instantiation
We work over rings R
.
= Z[x]/ (x)) and R
q
.
= R/qR for some degree n integer polynomial
(x) Z[x] and a prime integer q Z. Note that R
q
Z
q
[x]/ (x)), i.e., the ring of degree n
polynomials modulo (x) with coecients in Z
q
. Addition in these rings is done component-wise in
their coecients (thus, their additive group is isomorphic to Z
n
and Z
n
q
respectively). Multiplication
is simply polynomial multiplication modulo (x) (and also q, in the case of the ring R
q
). Thus an
element in R (or R
q
) can be viewed as a degree n polynomial over Z (or Z
q
). We represent such
an element using the vector of its n coecients, each in the range
_
q
2
_
, ...,
_
q
2
_
. For an element
a(x) = a
0
+a
1
x +. . . +a
n1
x
n1
R, we let |a|

= max [a
i
[ denote its

norm.
In this work, we set (x) = x
n
+ 1 to be the n
th
cyclotomic polynomial, where n is a power
of two. We use distributions over the ring Z[x]/ x
n
+ 1). To show the homomorphic properties of
the scheme, the only property of these distributions we use is the magnitude of the polynomials
coecients. Hence, we dene a B-bounded distribution to be a distribution over R where the

-norm of a sample is bounded.

Denition 3.1. (B-Bounded Polynomial) A polynomial e R is called B-bounded if |e|

B.
Denition 3.2. (B-Bounded Distribution) A distribution ensemble
n

nN
, supported over
R, is called B-bounded (for B = B(n)) if for all e in the suport of
n
, we have |e|

< B. In
other words, a B-bounded distribution over R outputs a B-bounded polynomial.
We present some elementary facts about the Gaussian distribution and multiplication over
the ring Z[x]/ x
n
+ 1). The rst fact shows that the discrete Gaussian distribution over Z
n
with
standard deviation r, denoted by D
Z
n
,r
, outputs a (r

n)-bounded polynomial with high probability.

14
This allows us to dene a truncated Gaussian distribution that is (r

n)-bounded and statistically

close to the discrete Gaussian. The second says that multiplication in the ring Z[x]/ x
n
+ 1)
increases the norm of the constituent elements only by a small amount.
Lemma 3.1 (see [MR07], Theorem 4.4). Let n N. For any real number r > (

log n), we have

Pr
xD
Z
n
,r
[[[x[[ > r

n] 2
n+1
Dene the truncated discrete Gaussian distribution to be one that samples a polynomial accord-
ing to the discrete Gaussian D
Z
n
,r
and repeat the sampling if the polynomial is not (r

n)-bounded.
By Lemma 3.1, this distribution is statistically close to the discrete Gaussian.
Lemma 3.2. (see [LM06, Gen09b]) Let n N, let (x) = x
n
+ 1 and let R
.
= Z[x]/ (x)).
For any s, t R,
[[s t (mod (x))[[

n [[s[[ [[t[[
[[s t (mod (x))[[

n [[s[[

[[t[[

Lemma 3.2 yields the following corollary.

Corollary 3.3. Let n N, let (x) = x
n
+ 1 and R
.
= Z[x]/ (x)). Let be a B-bounded
distribution over the ring R and let s
1
, . . . , s
k
. Then

k
i=1
s
i
is (n
k1
B
k
)-bounded.
The Ring LWE Assumption. We describe a special case of the ring learning with errors
assumption of Lyubaskevsky, Peikert and Regev [LPR10], which we will call RLWE. The RLWE
assumption is analogous to the standard learning with errors (LWE) assumption, rst dened
by Regev [Reg05, Reg09] (generalizing the learning parity with noise assumption of Blum et
al. [BFKL93]).
The RLWE
,q,
assumption is that for a random ring element s R
q
, given any polynomial
number of samples of the form (a
i
, b
i
= a
i
s + e
i
) (R
q
)
2
, where a
i
is uniformly random in R
q
and e
i
is drawn from the error distribution , the b
i
s are computationally indistinguishable from
uniform in R
q
. We use the Hermite normal form of the assumption, as in [BV11b], where the secret
s is sampled from the noise distribution rather than being uniform in R
q
. This presentation is
more useful for the purposes of this paper and it turns out to be equivalent to the original one up
to obtaining one additional sample [ACPS09, LPR10].
Denition 3.3. (The RLWE Assumption - Hermite Normal Form [BV11b, LPR10]) For
all N, let (x) =

(x) Z[x] be a polynomial of degree n = n(), let q = q() Z be a prime

integer, let the ring R
.
= Z[x]/ (x)) and R
q
.
= R/qR, and let denote a distribution over the
ring R.
The decisional ring LWE assumption RLWE
,q,
states that for any = poly() it holds that
(a
i
, a
i
s +e
i
)
i[]
c
(a
i
, u
i
)
i[]
,
where s is sampled from the noise distribution , a
i
are uniform in R
q
, the error polynomials e
i
are sampled from the error distribution , and nally, the ring elements u
i
are uniformly random
over R
q
.
15
We use RLWE
()
,q,
to denote the assumption when the number of samples is xed.
Fact 3.4. The RLWE

,q,
assumption implies that,
(a
i
, a
i
s + 2 e
i
)
i[]
c
(a
i
, u
i
)
i[]
.
where a
i
, s, e
i
and u
i
are as in Denition 3.3.
Choice of Parameters. As already stated above, we will rely of the following specic choices
of the polynomial (x) and the error distribution . For security parameter and a dimension
parameter n = n() which is a power of two:
We set (x) to be the n
th
cyclotomic polynomial. This implies that (x) = x
n
+ 1.
The error distribution is the truncated discrete Gaussian distribution D
Z
n
,r
for standard
deviation r > 0. A sample from this distribution is a (r

n)-bounded polynomial e R.
The Worst-case to Average-case Connection. We state a worst-case to average-case reduc-
tion from the shortest vector problem on ideal lattices to the RLWE problem for our setting of
parameters. The reduction stated below is a special case of the results of [LPR10].
Theorem 3.5 (A special case of [LPR10]). Let
n
(x) = x
n
+ 1 be the n
th
cyclotomic polynomial
where n is a power of two. Let r (

log n) be a real number, and let q 1 (mod 2n) be a

prime integer. Let R
.
= Z[x]/ x
n
+ 1). Then there is a randomized reduction from 2
(log n)
(q/r)-
approximate R-SVP to RLWE
,q,
where = D
Z
n
,r
is the discrete Gaussian distribution. The
reduction runs in time poly(n, q).
3.2 The Scheme
We describe the NTRU encryption scheme [HPS98], with the modications proposed by Stehle and
Steinfeld [SS11]. For a security parameter , the scheme is parametrized by the following quantities:
an integer n = n(),
a prime number q = q(),
a degree-n polynomial (x) =

(x),
a B()-bounded error distribution = () over the ring R
.
= Z[x]/(x)).
The parameters n, q, (x) and are public and we assume that given , there are polynomial-time
algorithms that output n, q and (x), and sample from the error distribution . The message space
is / = 0, 1, and all operations on ciphertexts are carried out in the ring R
q
(i.e. modulo q and
(x)).
Keygen(1

) : Sample polynomials f
t
, g and set f := 2f
t
+1 so that f 1 (mod 2). If f
is not invertible in R
q
, resample f
t
. Set
pk := h = 2gf
1
R
q
, sk := f R
16
Enc(pk, m) : Sample polynomials s, e . Output the ciphertext
c := hs + 2e +m R
q
where all operations are done modulo q and (x).
Dec(sk, c) : Let = fc R
q
. Output m
t
:= (mod 2).
It is easily seen that this scheme is correct as long as there is no wrap-around modulo q. To
decrypt a ciphertext c, we compute in R
q
:
fc = fhs + 2fe +fm = 2gs + 2fe +fm
If there is no wrap-around modulo q then
fc (mod 2) = 2gs + 2fe +fm (mod 2) = fm (mod 2) = m
One possible setting which ensures that there is no wrap-around modulo q is to set (x) = x
n
+1.
To see why this helps, notice that since the coecients of g, s, f, e are all bounded by 2B + 1.
8
By Corollary 3.3, we know that the coecients of gs (mod x
n
+1) and fe (mod x
n
+1) are both
bounded by n(2B+1)
2
. Thus, the coecients of fc are bounded by 4n(2B+1)
2
+B < 36nB
2
< q/2.
In other words, as long as we set q > 72nB
2
, a fresh ciphertext generated by Enc is guaranteed
to decrypt correctly. From here on, we refer to = fc R
q
as the error in a ciphertext c.
For the rest of our exposition, we will use (x) = x
n
+ 1 as our modulus polynomial.
3.3 Security
We base the security of the encryption scheme in Section 3.2 on two assumptions the RLWE
assumption described in Section 3.1, as well as a new assumption that we call the (Decisional)
Small Polynomial Ratio (DSPR) Assumption. Towards this end, we dene the following problem.
Denition 3.4. (Decisional Small Polynomial Ratio (DSPR
,q,
) Problem) Let (x)
Z[x] be a polynomial of degree n, let q Z be a prime integer, and let denote a distribution
over the ring R
.
= Z[x]/ (x)). The (decisional) small polynomial ratio problem DSPR
,q,
is to
distinguish between the following two distributions:
a polynomial h = g/f, where f and g are sampled from the distribution (conditioned on f
being invertible over R
q
= R/qR), and
a polynomial h sampled uniformly at random over R
q
.
Stehle and Steinfeld [SS11] have shown that the DSPR
,q,
problem is hard even for unbounded
adversaries (namely, the two distributions above are statistically close) if n is a power of two,
(x) = x
n
+ 1 is the n
th
cyclotomic polynomial, and is the discrete Gaussian D
Z
n
,r
for r >

qpoly(n). This allowed them to prove semantic security for the modied NTRU scheme described
in Section 3.2 under the RLWE
,q,
assumption alone.
The security proof follows by a hybrid argument, in two steps.
8
In fact, the coecients of g, s and e are bounded by B and that of f is bounded by 2B + 1.
17
1. The hardness of DSPR
,q,
allows us to change the public key h = 2g/f to h = 2h
t
for a
uniformly sampled h
t
.
2. Once this is done, we can use RLWE
,q,
to change the challenge ciphertext c

= hs +2e +m
to c

= u +m, where u is uniformly sampled from R

q
.
In this nal hybrid, the advantage of the adversary is exactly 1/2 since c

is uniform over R
q
,
independent of the message m.
Unfortunately, their result holds only if r >

q poly(n), which is too large to permit even a
single homomorphic multiplication. To support homomorphic operations, we need to use a much
smaller value of r, for which it is easy to see that the DSPR
,q,
assumption does not hold in a
statistical sense any more. This makes it necessary for us to assume that the decisional small
polynomial ratios problem is hard for our choice of parameters, which we refer to as the DSPR
,q,
assumption.
Using the same security proof as in [SS11], we can base the security of the scheme in Section 3.2
on the DSPR assumption and the RLWE assumption. With the choice of parameters stated below,
this yields security under the DSPR assumption and the hardness of approximating shortest vectors
on ideal lattices to within a factor of 2
n

, which is believed to be hard.

Lemma 3.6. Let n be a power of two, let (x) = x
n
+ 1, let q = 2
n

for (0, 1) and = D

Z
n
,r
with r = poly(n). Then, the (modied) NTRU encryption scheme described in Section 3.2 is secure
under the DSPR
,q,
assumption and the worst-case hardness of approximating shortest vectors on
ideal lattices (over the ring R
.
= Z[x]/ (x))) to within a factor of 2
(n

)
.
3.4 Multikey Homomorphism
Let (h
1
, f
1
) and (h
2
, f
2
) be two dierent public/secret key pairs, and let c
1
= h
1
s
1
+ 2e
1
+ m
1
and c
2
= h
2
s
2
+2e
2
+m
2
be two ciphertexts, encrypted under public keys h
1
and h
2
, respectively.
We show how to compute ciphertexts that decrypt to the sum and the product of m
1
and m
2
. In
particular, we show that the ciphertexts c
mult
.
= c
1
c
2
and c
add
.
= c
1
+ c
2
can be decrypted
to the product and the sum of m
1
and m
2
respectively, using the secret key f
12
.
= f
1
f
2
.
To see this, note that as long as there is no wrap-around modulo q,
f
1
f
2
(c
1
+c
2
) (mod 2) = 2(f
1
f
2
(e
1
+e
2
) +f
2
g
1
s
1
+f
1
g
2
s
2
) +f
1
f
2
(m
1
+m
2
) (mod 2)
= m
1
+m
2
(mod 2)
and
f
1
f
2
(c
1
c
2
) (mod 2) = 2(2g
1
g
2
s
1
s
2
+g
1
s
1
f
2
(2e
2
+m
2
) +g
2
s
2
f
1
(2e
1
+m
1
) +
f
1
f
2
(e
1
m
2
+e
2
m
1
+ 2e
1
e
2
)) +f
1
f
2
(m
1
m
2
) (mod 2)
= m
1
m
2
(mod 2)
since f
1
1 (mod 2) and f
2
1 (mod 2). In other words, the joint secret key f
12
.
= f
1
f
2
can
be used to decrypt c
add
.
= c
1
+ c
2
and c
mult
.
= c
1
c
2
. We can extend this argument to any
combination of operations, with ciphertexts encrypted under multiple public keys.
Of course, the error in the ciphertexts will grow with the number of operations performed (as
with all known fully homomorphic encryption schemes). Thus, correctness of decryption will only
18
hold for a limited number of operations. We can show that the scheme can correctly evaluate
circuits of depth roughly log(n) when q = 2
n

and B = poly(n).
However, an astute reader would have observed by now that in order to successfully decrypt
a ciphertext that was the result of a homomorphic evaluation, we must know the circuit that was
evaluated. For example, to decrypt c
2
1
+ c
2
we need to multiply it by f
2
1
f
2
, whereas to decrypt
c
1
+c
2
2
we need to multiply by f
1
f
2
2
. This is obviously unsatisfactory.
Furthermore, consider what happens when we add or multiply two ciphertexts c, c
t
that are
themselves a result of homomorphic evaluation. Suppose, for example, that c = c
1
c
2
and c
t
= c
2
c
3
,
where c
i
is encrypted under h
i
for i 1, 2, 3. We know c can be decrypted using f
1
f
2
and c
t
can
be decrypted using f
2
f
3
. Thus, we know that
f
1
f
2
c = 2e +m
f
2
f
3
c
t
= 2e
t
+m
t
for some messages m and m
t
and error terms e and e
t
. Following the discussion above, we can
see that c + c
t
can be decrypted using the key f
1
f
2
f
3
. In general, given a ciphertext c encrypted
under a set of keys K, and c
t
encrypted under a set of keys K
t
, their sum can be decrypted using
the product of the keys in K K
t
. The absolute magnitude of the entries in this product grows
exponentially with the number of keys in K K
t
.
Analogously, in the context of homomorphic multiplication, we need f
1
f
2
2
f
3
to decrypt cc
t
. This
hints at the fact that the size of the (joint) secret key needed to decrypt an evaluated ciphertext
grows exponentially with the degree of the evaluated circuit (and not just with the number of
parties involved, as in the case of addition). Indeed, after D multiplications, the (joint) secret key
needed to decrypt will be the product of D polynomials, and the magnitude of the coecients in
this product will be exponential in D.
It is benecial, especially for our constructions in Section 4 that we eliminate the exponential
dependence (of the magnitude of the coecients of the joint secret key) on the degree D. We
remark that we will not succeed in eliminating the exponential dependence on N, the number of
users indeed, this is the reason why our solution will eventually assume an a-priori upper bound
on N.
This motivates our use of relinearization, a technique rst introduced by Brakerski and Vaikun-
tanathan [BV11a]. Informally, we will introduce a (public) evaluation key ek that will be output
by the Keygen algorithm. Every time we multiply ciphertexts that share a key f
i
, we will use the
evaluation key to ensure that we only need f
i
, and not f
2
i
, to decrypt the new ciphertext. This
ensures two things.
1. First, it ensures that to decrypt a ciphertext c

, we only need to multiply it by one copy of

each secret key, making decryption independent of the circuit used to produce c

.
2. Second, it ensures that the size of the (joint) secret key needed to decrypt depends only on
the number of keys N, and not on the circuit C that was evaluated.
We present below our modied scheme, as well as the Eval algorithm.
Keygen(1

) : Sample f
t
, g and set f := 2f
t
+ 1 so that f 1 (mod 2). If f is not
invertible in R
q
, resample f
t
. Set
pk := h = 2gf
1
R
q
, sk := f R
19
For all 0, . . . , log q|, sample s

, e

and compute

= hs

+ 2e

+ 2

f R
q
. Set
ek = (
0
, . . . ,
]log q|
) R
log q|
q
Enc(pk, m) : Sample s, e . Output the ciphertext c := hs + 2e +m R
q
.
Dec(sk
1
, . . . , sk
N
, c) : Parse sk
i
= f
i
for i [N]. Let = f
1
f
N
c R
q
. Output m
t
:=
(mod 2).
Eval(C, (c
1
, pk
1
, ek
1
), . . . , (c
t
, pk
t
, ek
t
)): We show how to evaluate a t-input circuit C. To this
end, we show how to homomorphically add and multiply two elements in 0, 1. Given two
ciphertexts c
1
, c
2
, we assume that we also have a set of distinct public keys associated with
each ciphertext.
9
We will denote these lists by K
1
, K
2
, respectively. The public-key set of a
fresh encryption is simply the set pk containing the public key under which it was encrypted.
Given two ciphertexts c
1
and c
2
with corresponding public-key sets K
1
and K
2
, output the
ciphertext
c
add
= c
1
+c
2
R
q
as an encryption of the sum of the underlying messages. Output the set K
add
= K
1
K
2
as
its corresponding public-key set.
Given two ciphertexts c
1
and c
2
with corresponding public-key sets K
1
and K
2
, compute
ciphertext c
0
= c
1
c
2
R
q
, and let K
1
K
2
= pk
i
1
, . . . , pk
ir
.
If K
1
K
2
= , let c
mult
= c
0
.
Otherwise, for j [r] and = 0, . . . , log q|, dene c
j1,
so that
c
j1
=
]log q|

=0
c
j1,
2

is the binary representation of c

j1
. Parse
ek
i
j
= (
i
j
,0
, . . . ,
i
j
,]log q|
)
and let
c
j
=
]log q|

=0
c
j1,

i
j
,
At the end of the iteration, let c
mult
= c
r
.
In either case, output c
mult
as an encryption of the product of the underlying messages, and
output the set K
mult
= K
1
K
2
as its corresponding public-key set.
We rst show that the scheme works correctly as advertised:
Lemma 3.7. If q = 2
n

for (0, 1) and is a B-bounded distribution for B = poly(n), then

the (modied) NTRU encryption scheme described above is multikey homomorphic for N = O
_
n

_
keys and circuits of depth d < ( ) log n log log n O(1).
9
That is, we assume each set contains distinct public keys, but the intersection of any two sets might not be empty.
20
Proof. The main step in the proof of correctness is to show that a homomorphic operation increases
the error from to at most
2
+(Bpoly(n))
O(N)
. Putting this together with the fact that successful
decryption requires the error to be smaller than q/2 gives us the statement of the lemma.
We rst compute how much the error in a ciphertext grows with a homomorphic multiplication.
Let c and c
t
be ciphertexts that decrypt to m and m
t
, under two sets of secret keys K and K
t
respectively. Let f
K
(resp. f
K
) denote the product

iK
f
i
(resp.

iK
f
i
). Then, we have:
f
K
c = 2e +m
f
K
c
t
= 2e
t
+m
t
where [2e +m[ and [2e
t
+m
t
[
t
. Letting c
mult
.
= cc
t
, we have
(f
K
f
K
) c
mult
= 2(2ee
t
+em
t
+e
t
m) +mm
t
(1)
Thus, the error in the ciphertext c
mult
is at most
t
, and it decrypts to the product of the two
messages mm
t
as long as the error is not too large.
We now move to analyzing the additional error introduced by relinearization. Let K K
t
=
i
1
, . . . , i
r
. Then, the joint decryption key f
K
f
K
contains the term f
2
i
1
. . . f
2
ir
. The goal of
relinearization is to convert c
mult
into a ciphertext that decrypts to the same message under the
secret key
f
K
f
K

_

jKK

f
j
_
1
which replaces the term f
2
i
1
. . . f
2
ir
with the term f
i
1
. . . f
ir
.
Let F
0
.
= f
K
f
K
and let F
j
.
= F
j1
(f
i
j
)
1
for j = 1, . . . , r. Thus, F
r
is a simple product of
the secret keys f
i
, without any quadratic terms.
We show that the ciphertext c
j
decrypts to the message mm
t
, and has error at most
t
+ j
(8 log q(nB)
2N+2
). The base case (i.e., j = 0) follows from Equation 1 since c
0
= c
mult
. In general,
we have:
F
j
c
j
= (f
i
j
F
j
) (f
i
j
)
2
(f
i
j
c
j
)
= F
j1
(f
i
j
)
2
(f
i
j
c
j
)
= F
j1
(f
i
j
)
2

_]log q|

=0
c
j1,
(f
i
j

i
j
,
)
_
(2)
Now,
f
i
j

i
j
,
= 2(g
i
j
s
i
j
,
+f
i
j
e
i
j
,
) + 2

f
2
i
j
= 2E

+ 2

f
2
i
j
21
where [E

[ 2nB
2
. Substituting back into Equation 2, we get
F
j
c
j
= F
j1
(f
i
j
)
2

_]log q|

=0
c
j1,
(f
i
j

i
j
,
)
_
= 2
_
F
j1
f
2
i
j
]log q|

=0
c
j1,
E

_
+F
j1
]log q|

=0
c
j1,
2

= 2
_
F
j1
f
2
i
j
]log q|

=0
c
j1,
E

_
+F
j1
c
j1
Since F
j1
c
j1
is exactly mm
t
plus an even error (by the inductive assumption), this shows that
c
j
decrypts to mm
t
as well, under the secret key F
j
.
It remains to compute the error in the ciphertext c
j
. Since F
j1
f
2
i
j
is a product of at most 2N
small polynomials, it has

norm at most (nB)

2N
, by Corollary 3.3. Thus, the error is at most
error
j
2 n (nB)
2N
2n(log q| + 1)B
2
+ error
j1
8 log q (nB)
2N+2
+
t
+ (j 1) 8 log q(nB)
2N+2

t
+j (8 log q(nB)
2N+2
)
Thus, the nal error after a multiplication and relinearization is at most
t
+8N log q (nB)
2N+2
=

t
+ (B n)
O(N)
, as claimed, for the setting of q = 2
n

.
For a circuit of depth d and an initial error
0
, the error grows to at most
(
0
B n)
2
d
O(N)
after homomorphic evaluation. This results in correct decryption as long as d < log log q
(log log n + log N + O(1)). In particular, for N = O(n

) keys and q = 2
n

, we get d < (
) log n log log n O(1).
The main dierence between the scheme in Section 3.2 and the one in this section in terms of
security is in the evaluation key ek. The evaluation key contains the elements

.
= hs

+ 2e

+ 2

f
which can be thought of as pseudo-encryptions of multiples of the secret key f under the cor-
responding public key h. We point out that these are not true encryptions of the message 2

f
since 2

f is not a binary polynomial, whereas our scheme is only equipped to correctly encrypt
polynomials m Z
2
[x]/ (x)).
The security of the scheme then relies on a circular security assumption which states that
semantic security of the scheme is maintained given the evaluation key as constructed above. We
22
remark that this assumption can be avoided at the cost of obtaining a leveled homomorphic en-
cryption scheme (where the size of the evaluation key grows with the depth of the circuits that the
scheme supports).
In Section 4 we show how to convert this somewhat homomorphic scheme into a multi-key fully
homomorphic one. In the same section, we also discuss any additional assumptions we need to
make to maintain security.
4 From Somewhat to Fully Homomorphic Encryption
We use Gentrys bootstrapping theorem [Gen09b, Gen09a] to convert a multikey somewhat homo-
morphic scheme into a multikey fully homomorphic one. Unfortunately, as we will see, we cannot
apply the bootstrapping theorem directly to the somewhat homomorphic encryption scheme from
Section 3. We therefore turn to modulus reduction, a technique introduced by [BV11a, BGV12], to
convert our somewhat homomorphic scheme into a bootstrappable scheme. We rst describe the
bootstrapping theorem, and then present the modulus reduction technique and how we can apply
it in our case.
4.1 Bootstrapping
We remind the reader of the denition of a bootstrappable encryption scheme and present Gentrys
bootstrapping theorem [Gen09b, Gen09a] that states that a bootstrappable scheme can be converted
into a fully homomorphic one. We modify the theorem and the corresponding denitions from their
original presentation to generalize it to the multikey setting. Taking N = 1 yields the theorem and
the denitions from [Gen09b, Gen09a].
Denition 4.1. (Bootstrappable Scheme) Let c = c
(N)
= (Keygen, Enc, Dec, Eval)
N>0
be a
family of multikey (-homomorphic encryption schemes, and let f
add
and f
mult
be the the augmented
decryption functions of the scheme dened as
f
c
1
,c
2
add
(sk
1
, . . . , sk
N
) = Dec(sk
1
, . . . , sk
N
, c
1
) XOR Dec(sk
1
, . . . , sk
N
, c
2
)
and
f
c
1
,c
2
mult
(sk
1
, . . . , sk
N
) = Dec(sk
1
, . . . , sk
N
, c
1
) AND Dec(sk
1
, . . . , sk
N
, c
2
)
Then c is bootstrappable if
_
f
c
1
,c
2
add
, f
c
1
,c
2
mult
_
c
1
,c
2
( .
Namely, the scheme can homomorphically evaluate f
add
and f
mult
.
We rst dene the notion of weak circular security, and then describe our generalization of
Gentrys bootstrapping theorem.
Denition 4.2. (Weak Circular Security) A public key encryption scheme (Gen, Enc, Dec)
is weakly circular secure if it is IND-CPA secure even for an adversary with auxiliary information
containing encryptions of all secret key bits: Enc(pk, sk[i])
i
.
Namely, no polynomial time adversary can distinguish an encryption of 0 from an encryption of
1 even given the additional information. We now state a generalization of Gentrys bootstrapping
theorem to the multi-key setting.
23
Theorem 4.1. (Multikey Bootstrapping Theorem) Let c be a bootstrappable family of mul-
tikey homomorphic schemes that is also weakly circular secure. Then there is a multikey fully
homomorphic family c
t
of encryption schemes.
The idea behind (multi-key) bootstrapping is that given a public evaluation key that consists
of encryptions of all bits of all secret keys,
j,i
= Enc(pk
j
, sk
j
[i]), we can evaluate circuits of any
depth by periodically refreshing the evaluated ciphertext c. Simply evaluate the decryption
circuit Dec(sk
1
, . . . , sk
N
, c) homomorphically using the evaluation key
j,i
= Enc(pk
j
, sk
j
[i]). The
result is a ciphertext c

that encrypts the same plaintext as c and can again be decrypted using
sk
1
, . . . , sk
N
, but has much smaller noise. Thus, after this refreshing step, we can continue evaluating
homomorphically for a few more levels before the noise grows again and we need to apply the
refreshing procedure once more.
Unfortunately, the somewhat homomorphic scheme that we described in Section 3 is not boot-
strappable. Recall that we can only evaluate circuits of depth less than log(n), where < 1. How-
ever, the shallowest implementation of the decryption circuit we are aware of has depth c log Nlog n
for some constant c > 1. We therefore turn to modulus reduction, which will allow us to convert
our somewhat homomorphic encryption scheme into a bootstrappable scheme.
4.2 Modulus Reduction
Modulus reduction [BV11a, BGV12] is a noise-management technique that provides an exponential
gain on the depth of the circuits that can be evaluated, while keeping the depth of the decryption
circuit unchanged. Informally, if d
dec
is the depth of the decryption circuit of the multikey scheme
described in Section 3.4, then we modify the scheme so that its decryption circuit is unchanged but
the scheme can now evaluate circuits of depth d
dec
. Hence, the new scheme can evaluate its own
decryption circuit, making it bootstrappable. Details follow.
We let [ ]
q
denote the corresponding element in R
q
(ie. reducing modulo (x) and q), as in
[BGV12]. Then, if (h, f) is a key pair and c is a ciphertext under public key h, [ fc ]
q
corresponds
to the noise in c. Recall that for decryption to be successful, we need [ fc ]
q
to be equal to fc
over the integers. However, each homomorphic operation increases this noise. Modulus reduction
allows us to keep the noise magnitude small by simply scaling the ciphertext after each operation.
The key idea is to exploit the dierence in how the noise aects security and homomorphisms:
The growth of noise upon homomorphic multiplication is governed by the magnitude of the
noise.
Security is governed by the ratio between the magnitude of the noise and the modulus q.
This suggests a method of reducing the magnitude of the noise and the modulus by roughly the
same factor, thus preserving security while at the same time making homomorphic multiplications
easier.
In particular, modulus reduction gives us a way to transform a ciphertext c R
q
into a dierent
ciphertext c
t
R
p
(where p is smaller than q) while preserving correctness: for joint secret key
f =

N
i=1
f
i
,
[ fc ]
p
= [ fc
t
]
q
(mod 2)
The transformation from c to c
t
involves simply scaling by (p/q) and rounding appropriately.
24
Lemma 4.2 ([BV11a, BGV12]). Let p and q be two odd moduli, and let c R
q
. Dene c
t
to
be the polynomial in R
p
closest to (p/q) c such that c
t
c (mod 2). Then, for any f with
|[ fc ]
q
|

< q/2 (q/p) |f|

1
, we have
[ fc
t
]
p
= [ fc ]
q
(mod 2) and
_
_
[ fc
t
]
p
_
_

< (p/q) |[ fc ]
q
|

+|f|
1
where |f|

and |f|
1
are the

and
1
norms of f, respectively.
Proof. Let fc (mod x
n
+1) =

n1
i=0
d
i
x
i
, and consider a coecient d
i
. We know that there exists
k Z such that:
d
i
(mod q) = d
i
kq
_

q
2
+
q
p
|f|
1
,
q
2

q
p
|f|
1
_
,
so that
(p/q) d
i
kp
_

p
2
+|f|
1
,
p
2
|f|
1
_
Let fc
t
(mod x
n
+ 1) =

n1
i=0
e
i
x
i
. Then |f|
1
(p/q) e
i
d
i
|f|
1
. Therefore,
e
i
kp
_

p
2
,
p
2
_
and e
i
(mod p) = e
i
kp
This proves the second part of the lemma. To prove the rst part, notice that since p and q are
both odd, we know kp kq (mod 2). Moreover, we chose c
t
such that c c
t
(mod 2). We thus
have
e
i
kp d
i
kq (mod 2)
(e
i
(mod p)) (d
i
(mod q)) (mod 2)
[ fc
t
]
p
[ fc ]
q
(mod 2)
The beauty of Lemma 4.2 is that if we know the depth d of the circuit we want to evaluate (in
our case, d = d
dec
, the depth of the augmented decryption circuit), then we can construct a ladder
of decreasing moduli q
0
, . . . , q
d
and perform modulus reduction after each operation so that at level
i all ciphertexts reside in R
q
i
and the magnitude of the noise at each level is small. In particular,
this is true at level d so that once the evaluation is complete, it is possible to decrypt the resulting
ciphertext without decryption errors.
Bootstrappable Scheme. We change the scheme so that it uses modulus reduction during the
evaluation. Keygen will now sample a ladder of decreasing moduli q
0
, . . . q
d
dec
. We will choose the
distribution in order to guarantee that any sample is B-bounded, where B q
d
dec
. The modied
scheme is as below.
Keygen(1

) : For every i 0, . . . , d
dec
, sample g
(i)
, u
(i)
and set f
(i)
:= 2u
(i)
+1 so that
f
(i)
1 (mod 2). If f
(i)
is not invertible in R
q
i
, resample u
(i)
. Let h
(i)
= 2g
(i)
(f
(i)
)
1

R
q
i1
, and set
pk := h
(0)
R
q
0
, sk := f
(d
dec
)
R
q
d
dec
25
For all i [d
dec
] and 0, . . . , log q
i1
|, sample s
(i)

, e
(i)

and compute

(i)

:= h
(i)
s
(i)

+ 2e
(i)

+ 2

f
(i1)
R
q
i1

(i)

:= h
(i)
s
(i)

+ 2e
(i)

+ 2

(f
(i1)
)
2
R
q
i1
Set
ek :=
(i)

,
(i)

i[d
dec
],0,...,]log q
i
|
Enc(pk, m) : Sample s, e . Output the ciphertext c := hs + 2e +m R
q
0
.
Dec(sk
1
, . . . , sk
N
, c) : Assume w.l.o.g. that c R
q
d
dec
. Parse sk
i
= f
i
for i [N]. Let
:= f
1
f
N
c R
q
d
dec
. Output m
t
:= (mod 2).
Eval(C, (c
1
, pk
1
, ek
1
), . . . , (c
t
, pk
t
, ek
t
)): We show how to evaluate a t-input circuit C. We
assume w.l.o.g. that the circuit C is leveled in that it is composed of alternating XOR and
AND levels.
We show how to homomorphically add and multiply two elements in 0, 1. Given two
ciphertexts c
1
, c
2
, we assume that we also have a set of distinct public keys associated with
each ciphertext.
10
We will denote these lists by K
1
, K
2
, respectively. The public-key set
of a fresh encryption is simply the set pk containing the public key under which it was
encrypted.
Given two ciphertexts c
1
, c
2
R
q
i
with corresponding public-key sets K
1
, K
2
, compute
c = c
1
+ c
2
R
q
i
and let K
1
K
2
= pk
j
1
, . . . , pk
jr
. For = 1, . . . , r and
0, . . . , log q
i
|, dene c
1,
so that
c
1
=
]log q
i
|

=0
c
1,
2

is the binary representation of c

1
. Parse
ek
j

=
(i)
j

,
,
(i)
j

i[d
dec
],0,...,]log q
i
|
Let
c

:=
]log q
i
|

=0
c
1

(i)
j

,
R
q
i
Finally, reduce the modulus: let c
add
be the integer vector closest to (q
i+1
/q
i
)c
r
such that
c
add
c
r
(mod 2). Output c
add
R
q
i+1
as an encryption of the sum of the underlying
messages. Output the set K
add
:= K
1
K
2
as its corresponding public-key set.
Given two ciphertexts c
1
, c
2
R
q
i
with corresponding public-key sets K
1
, K
2
, compute
ciphertext c
0
= c
1
c
2
R
q
i
, and let K
1
K
2
= pk
j
1
, . . . , pk
jr
. For = 1, . . . , r and
0, . . . , log q
i
|, dene c
1,
so that
c
1
=
]log q
i
|

=0
c
1,
2

10
That is, we assume each set contains distinct public keys, but the intersection of any two sets might not be empty.
26
is the binary representation of c
1
. Parse
ek
j

=
(i)
j

,
,
(i)
j

i[d
dec
],0,...,]log q
i
|
If pk
j

K
1
K
2
, let
c

:=
]log q
i
|

=0
c
1

(i+1)
j

,
R
q
i
Otherwise, let
c

:=
]log q
i
|

=0
c
1

(i+1)
j

,
R
q
i
Finally, reduce the modulus. Let c
mult
be the integer vector closest to (q
i+1
/q
i
) c
r
such
that c
mult
c
r
(mod 2). Output c
mult
R
q
i+1
as an encryption of the product of the
underlying messages, and output the set K
mult
:= K
1
K
2
as its corresponding public-key
set.
We can now show the following lemma, whose proof is deferred to the full version.
Lemma 4.3. If q = 2
n

for (0, 1) and is a B-bounded distribution for B = poly(n), then

the (modied) NTRU encryption scheme described above is multikey homomorphic for N keys and
circuits of depth d as long as Nd = O(n

/ log n).
Multikey Fully Homomorphic Encryption. To turn this into a fully homomorphic encryption
scheme, we use the (multi-key) bootstrapping theorem (Theorem 4.1), but rst, we show an upper
bound on the depth of the decryption circuit.
Lemma 4.4. The decryption circuit for the scheme above for N keys can be implemented as a
polynomial-size arithmetic circuit over GF(2) of depth O(log N(log log q + log n)).
Proof. The decryption circuit for a ciphertext encrypted under N keys can be written as
Dec
f
1
,...,f
N
(c) = c
N

i=1
f
i
Multiplying two polynomials over R
q
can be done using a polynomial-size Boolean circuit of depth
O(log log q + log n) (see, e.g., [BV11a, Lemma 4.5] for a proof). Using a binary tree of polynomial
multiplications, the decryption operation above can then be done in depth O(log N(log log q +
log n)), as claimed.
This means that the modied scheme is bootstrappable, and therefore applying the bootstrap-
ping theorem gives us:
Theorem 4.5. For every N N, let B = poly(n), to be a B-bounded distribution, and q =
2
(N log Nlog
2
n)
. Then, there exists a multikey fully homomorphic encryption scheme for N keys,
secure under the DSPR
,q,
and RLWE
,q,
assumptions.
27
Proof. To apply Theorem 4.1, we require that the depth of the decryption circuit is smaller than
the depth of the circuits that the scheme can evaluate. That is,
log N (log log q + log n) < C
log q
N log n
for some universal constant C > 0, which holds for the parameter settings in the statement of the
theorem.
In particular, this scheme maintains security as long as q = 2
n
1
for some > 0, thus supporting
as many as N = n
1
/ log
O(1)
n users.
Finally, we remark that bootstrapping (and therefore assuming weak circular security) can be
avoided at the cost of obtaining a leveled homomorphic encryption scheme (where the size of the
evaluation key grows with the depth of the circuits that the scheme supports).
5 Acknowledgements
This work was supported by the Check Point Institute for Information Security, the Israeli Centers
of Research Excellence (I-CORE) program (center No. 4/11), an NSERC Discovery Grant, and
by DARPA under Agreement number FA8750-11-2-0225. The U.S. Government is authorized to
reproduce and distribute reprints for Governmental purposes notwithstanding any copyright nota-
tion thereon. The views and conclusions contained herein are those of the author and should not
be interpreted as necessarily representing the ocial policies or endorsements, either expressed or
implied, of DARPA or the U.S. Government.
We thank Craig Gentry for pointing out an error in our initial construction. We also thank an
anonymous STOC reviewer for suggesting the construction described in Appendix A of multikey
FHE for N = O(1) parties from FHE .
References
[ACPS09] Benny Applebaum, David Cash, Chris Peikert, and Amit Sahai. Fast cryptographic
primitives and circular-secure encryption based on hard learning problems. In Shai
Halevi, editor, CRYPTO, volume 5677 of Lecture Notes in Computer Science, pages
595618. Springer, 2009.
[AD97] Miklos Ajtai and Cynthia Dwork. A public-key cryptosystem with worst-case/average-
case equivalence. In STOC, pages 284293, 1997.
[AIK10] Benny Applebaum, Yuval Ishai, and Eyal Kushilevitz. From secrecy to soundness:
Ecient verication via secure computation. In Samson Abramsky, Cyril Gavoille,
Claude Kirchner, Friedhelm Meyer auf der Heide, and Paul G. Spirakis, editors, ICALP
(1), volume 6198 of Lecture Notes in Computer Science, pages 152163. Springer, 2010.
[AJL
+
12] Gilad Asharov, Abhishek Jain, Adriana Lopez-Alt, Eran Tromer, Vinod Vaikun-
tanathan, and Daniel Wichs. Multi-party computation with low communication, com-
putation and interaction from threshold fhe. In EUROCRYPT, 2012.
28
[BCCT12a] Nir Bitansky, Ran Canetti, Alessandro Chiesa, and Eran Tromer. From extractable
collision resistance to succinct non-interactive arguments of knowledge, and back again.
In ITCS, 2012.
[BCCT12b] Nir Bitansky, Ran Canetti, Alessandro Chiesa, and Eran Tromer. Recursive composi-
tion and bootstrapping for snarks and proof-carrying data. Cryptology ePrint Archive:
Report 2012/095, 2012.
[BFKL93] Avrim Blum, Merrick L. Furst, Michael J. Kearns, and Richard J. Lipton. Crypto-
graphic primitives based on hard learning problems. In Douglas R. Stinson, editor,
CRYPTO, volume 773 of Lecture Notes in Computer Science, pages 278291. Springer,
1993.
[BGI
+
01] Boaz Barak, Oded Goldreich, Russell Impagliazzo, Steven Rudich, Amit Sahai, Salil P.
Vadhan, and Ke Yang. On the (im)possibility of obfuscating programs. In Joe Kilian,
editor, CRYPTO, volume 2139 of Lecture Notes in Computer Science, pages 118.
Springer, 2001.
[BGV12] Zvika Brakerski, Craig Gentry, and Vinod Vaikuntanathan. Fully homomorphic en-
cryption without bootstrapping. In ITCS, 2012.
[BGW88] Michael Ben-Or, Sha Goldwasser, and Avi Wigderson. Completeness theorems for
non-cryptographic fault-tolerant distributed computation (extended abstract). In
STOC, pages 110, 1988.
[BSCGT12] Eli Ben-Sasson, Alessandro Chiesa, Daniel Genkin, and Eran Tromer. Fully homomor-
phic encryption without modulus switching from classical gapsvp. Cryptology ePrint
Archive: Report 2012/078, 2012.
[BV11a] Zvika Brakerski and Vinod Vaikuntanathan. Ecient fully homomorphic encryption
from (standard) lwe. In Ostrovsky [Ost11], pages 97106.
[BV11b] Zvika Brakerski and Vinod Vaikuntanathan. Fully homomorphic encryption from ring-
lwe and security for key dependent messages. In Rogaway [Rog11], pages 505524.
[CCD88] David Chaum, Claude Crepeau, and Ivan Damgard. Multiparty unconditionally secure
protocols (extended abstract). In STOC, pages 1119, 1988.
[CDN01] Ronald Cramer, Ivan Damgard, and Jesper Buus Nielsen. Multiparty computation
from threshold homomorphic encryption. In EUROCRYPT, pages 280299, 2001.
[CKV10] Kai-Min Chung, Yael Tauman Kalai, and Salil P. Vadhan. Improved delegation of
computation using fully homomorphic encryption. In Rabin [Rab10], pages 483501.
[DHLW10] Yevgeniy Dodis, Kristiyan Haralambiev, Adriana Lopez-Alt, and Daniel Wichs. Ef-
cient public-key cryptography in the presence of key leakage. In Masayuki Abe,
editor, ASIACRYPT, volume 6477 of Lecture Notes in Computer Science, pages 613
631. Springer, 2010.
29
[DIK
+
08] Ivan Damgard, Yuval Ishai, Mikkel Krigaard, Jesper Buus Nielsen, and Adam Smith.
Scalable multiparty computation with nearly optimal work and resilience. In David
Wagner, editor, CRYPTO, volume 5157 of Lecture Notes in Computer Science, pages
241261. Springer, 2008.
[DIK10] Ivan Damgard, Yuval Ishai, and Mikkel Krigaard. Perfectly secure multiparty com-
putation and the computational overhead of cryptography. In Gilbert [Gil10], pages
445465.
[Gen09a] Craig Gentry. A fully homomorphic encryption scheme. PhD thesis, Stanford Univer-
sity, 2009. crypto.stanford.edu/craig.
[Gen09b] Craig Gentry. Fully homomorphic encryption using ideal lattices. In Michael Mitzen-
macher, editor, STOC, pages 169178. ACM, 2009.
[GGH97] Oded Goldreich, Sha Goldwasser, and Shai Halevi. Public-key cryptosystems from
lattice reduction problems. In Burton S. Kaliski Jr., editor, CRYPTO, volume 1294
of Lecture Notes in Computer Science, pages 112131. Springer, 1997.
[GGP10] Rosario Gennaro, Craig Gentry, and Bryan Parno. Non-interactive veriable comput-
ing: Outsourcing computation to untrusted workers. In Rabin [Rab10], pages 465482.
[GH11] Craig Gentry and Shai Halevi. Fully homomorphic encryption without squashing using
depth-3 arithmetic circuits. In Ostrovsky [Ost11], pages 107109.
[GHL
+
11] Craig Gentry, Shai Halevi, Vadim Lyubashevsky, Christopher Peikert, Joseph Silver-
man, and Nigel Smart. Personal communication, 2011.
[Gil10] Henri Gilbert, editor. Advances in Cryptology - EUROCRYPT 2010, 29th Annual
International Conference on the Theory and Applications of Cryptographic Techniques,
French Riviera, May 30 - June 3, 2010. Proceedings, volume 6110 of Lecture Notes in
Computer Science. Springer, 2010.
[GKR08] Sha Goldwasser, Yael Tauman Kalai, and Guy N. Rothblum. Delegating computa-
tion: interactive proofs for muggles. In Cynthia Dwork, editor, STOC, pages 113122.
ACM, 2008.
[GLR11] Sha Goldwasser, Huijia Lin, and Aviad Rubinstein. Delegation of computation with-
out rejection problem from designated verier cs-proofs. Cryptology ePrint Archive:
Report 2011/456, 2011.
[GMW87] Oded Goldreich, Silvio Micali, and Avi Wigderson. How to play any mental game or
a completeness theorem for protocols with honest majority. In STOC, pages 218229,
1987.
[Gro06] Jens Groth. Simulation-sound nizk proofs for a practical language and constant size
group signatures. In Xuejia Lai and Kefei Chen, editors, ASIACRYPT, volume 4284
of Lecture Notes in Computer Science, pages 444459. Springer, 2006.
30
[GW11] Craig Gentry and Daniel Wichs. Separating succinct non-interactive arguments from
all falsiable assumptions. In Lance Fortnow and Salil P. Vadhan, editors, STOC,
pages 99108. ACM, 2011.
[HLP11] Shai Halevi, Yehuda Lindell, and Benny Pinkas. Secure computation on the web:
Computing without simultaneous interaction. In Rogaway [Rog11], pages 132150.
[HPS98] Jerey Hostein, Jill Pipher, and Joseph H. Silverman. Ntru: A ring-based public
key cryptosystem. In Joe Buhler, editor, ANTS, volume 1423 of Lecture Notes in
Computer Science, pages 267288. Springer, 1998.
[Kil92] Joe Kilian. A note on ecient zero-knowledge proofs and arguments (extended ab-
stract). In STOC, pages 723732. ACM, 1992.
[Kil95] Joe Kilian. Improved ecient arguments (preliminary version). In Don Coppersmith,
editor, CRYPTO, volume 963 of Lecture Notes in Computer Science, pages 311324.
Springer, 1995.
[KMR11] Seny Kamara, Payman Mohassel, and Mariana Raykova. Outsourcing multi-
party computation. Cryptology ePrint Archive, Report 2011/272, 2011.
http://eprint.iacr.org/.
[KV09] Jonathan Katz and Vinod Vaikuntanathan. Signature schemes with bounded leakage
resilience. In Mitsuru Matsui, editor, ASIACRYPT, volume 5912 of Lecture Notes in
Computer Science, pages 703720. Springer, 2009.
[LM06] Vadim Lyubashevsky and Daniele Micciancio. Generalized compact knapsacks are
collision resistant. In Michele Bugliesi, Bart Preneel, Vladimiro Sassone, and Ingo
Wegener, editors, ICALP (2), volume 4052 of Lecture Notes in Computer Science,
pages 144155. Springer, 2006.
[LPR10] Vadim Lyubashevsky, Chris Peikert, and Oded Regev. On ideal lattices and learning
with errors over rings. In Gilbert [Gil10], pages 123.
[Mic94] Silvio Micali. Cs proofs (extended abstracts). In FOCS, pages 436453. IEEE, 1994.
[MR07] Daniele Micciancio and Oded Regev. Worst-case to average-case reductions based on
gaussian measures. SIAM J. Comput., 37(1):267302, 2007.
[Nao03] Moni Naor. On cryptographic assumptions and challenges. In Dan Boneh, editor,
CRYPTO, volume 2729 of Lecture Notes in Computer Science, pages 96109. Springer,
2003.
[Ost11] Rafail Ostrovsky, editor. IEEE 52nd Annual Symposium on Foundations of Computer
Science, FOCS 2011, Palm Springs, CA, USA, October 22-25, 2011. IEEE, 2011.
[Rab10] Tal Rabin, editor. Advances in Cryptology - CRYPTO 2010, 30th Annual Cryptology
Conference, Santa Barbara, CA, USA, August 15-19, 2010. Proceedings, volume 6223
of Lecture Notes in Computer Science. Springer, 2010.
31
[Reg05] Oded Regev. On lattices, learning with errors, random linear codes, and cryptography.
In Harold N. Gabow and Ronald Fagin, editors, STOC, pages 8493. ACM, 2005.
[Reg09] Oded Regev. On lattices, learning with errors, random linear codes, and cryptography.
J. ACM, 56(6), 2009.
[Rog11] Phillip Rogaway, editor. Advances in Cryptology - CRYPTO 2011 - 31st Annual
Cryptology Conference, Santa Barbara, CA, USA, August 14-18, 2011. Proceedings,
volume 6841 of Lecture Notes in Computer Science. Springer, 2011.
[RTSS09] Thomas Ristenpart, Eran Tromer, Hovav Shacham, and Stefan Savage. Hey, you, get
o of my cloud: exploring information leakage in third-party compute clouds. In ACM
Conference on Computer and Communications Security, pages 199212, 2009.
[Sah99] Amit Sahai. Non-malleable non-interactive zero knowledge and adaptive chosen-
ciphertext security. In FOCS, pages 543553, 1999.
[SS11] Damien Stehle and Ron Steinfeld. Making ntru as secure as worst-case problems over
ideal lattices. In Kenneth G. Paterson, editor, EUROCRYPT, volume 6632 of Lecture
Notes in Computer Science, pages 2747. Springer, 2011.
[SV10] Nigel P. Smart and Frederik Vercauteren. Fully homomorphic encryption with rel-
atively small key and ciphertext sizes. In Public Key Cryptography, pages 420443,
2010.
[Val08] Paul Valiant. Incrementally veriable computation or proofs of knowledge imply
time/space eciency. In Ran Canetti, editor, TCC, volume 4948 of Lecture Notes
in Computer Science, pages 118. Springer, 2008.
[vDGHV10] Marten van Dijk, Craig Gentry, Shai Halevi, and Vinod Vaikuntanathan. Fully ho-
momorphic encryption over the integers. In Gilbert [Gil10], pages 2443.
[vDJ10] Marten van Dijk and Ari Juels. On the impossibility of cryptography alone for privacy-
preserving cloud computing. In Proceedings of the 5th USENIX conference on Hot
topics in security, HotSec10, pages 18, Berkeley, CA, USA, 2010. USENIX Associa-
tion.
[Yao82] Andrew Chi-Chih Yao. Protocols for secure computations (extended abstract). In
FOCS, pages 160164, 1982.
A Multikey Properties of Other FHE Schemes
A.1 A Generic Construction
It turns out that any FHE scheme is inherently multikey for a constant number of parties, N = O(1).
This can be seen from the following construction.
Let c = (Keygen, Enc, Dec, Eval) be an FHE scheme with plaintext space 0, 1, and ciphertext
space 0, 1
p()
for some polynomial p(). For c 0, 1

, we overload notation and let Enc(pk, c)

denote the bit-wise encryption of c. Let c
1
= Enc(pk
1
, m
1
), . . . , c
N
= Enc(pk
N
, m
N
) be a set of
32
ciphertexts, each encrypting a bit message under a dierent key. From c
1
, . . . , c
N
, it is possible to
construct the following ciphetexts using Enc and Eval:
c
t
1
= Enc(pk
1
, Enc(pk
2
, Enc(. . . , Enc(pk
N
, m
1
)) . . .))
c
t
2
= Enc(pk
1
, Enc(pk
2
, Enc(. . . , Enc(pk
N
, m
2
)) . . .))
.
.
.
c
t
N
= Enc(pk
1
, Enc(pk
2
, Enc(. . . , Enc(pk
N
, m
N
)) . . .))
Using Eval once again, it is possible to obtain the ciphertext
c = Enc(pk
1
, Enc(pk
2
, Enc(. . . , Enc(pk
N
, C(m
1
, . . . , m
N
))) . . .))
It is then possible to decrypt c

using sk
1
, . . . , sk
N
. However, note that the size of c
t
i
is p()
N
.
This means that we must have N = O(1), and thus can only obtain this generic construction of
multikey FHE from (regular) FHE for a constant number of parties.
A.2 From Ring-LWE
The FHE scheme of Brakerski and Vaikuntanathan [BV11b] based on the Ring-LWE assumption
can be made multikey for N = O(log()) parties by using relinearization and modulus reduction
[BV11a, BGV12]). Indeed, it is possible to show that in this new scheme, the size of the ciphertext
(as number of elements in R
q
) increases to at most 2
N
when evaluating on ciphertexts encrypted
under at most N keys. Thus, it is able to handle a logarithmic number of parties, N = O(log()).
B Impossibility of a 2-Round Protocol
In this section, we prove the impossibility of a 2-round on-the-y MPC protocol. We show that if
such a protocol securely computes a function f, then a certain class of functions can be obfuscated.
This has a similiar avor to a recent result of Van Dijk and Jules [vDJ10]. We review the denition
of obfuscation from [BGI
+
01].
Denition B.1. A probabilistic algorithm O is a (circuit) obfuscator if the following three condi-
tions hold:
Functionality: For every circuit C, the string O(C) describes a circuit that computes the same
function as C.
Polynomial Slowdown: There is a polynomial p such that for every circuit C, [O(C)[ p([C[).
Virtual Black-Box Property: For any PPT adversary /, there is a PPT simulator o such
that for all circuits C

Pr[/(O(C)) = 1] Pr[o
C
(1
[C[
) = 1]

negl([C[)
33
Barak et. al. [BGI
+
01] show that assuming one-way functions exist, there does not exist any
algorithm O satisfying Denition B.1, even if we do not require that O run in polynomial time .
Thus, we conclude that assuming one-way functions exist, a 2-round on-the-y MPC protocol is
impossible.
We now show the connection between on-the-y MPC and obfuscation. For ease of nota-
tion, w.l.o.g. assume that the N parties whose input will be used in the computation are parties
1, . . . , N. Such a protocol can be modeled by U + N + 1 (possibly randomized) algorithms:
In
1
, . . . , In
U
, ComputeF, Out
1
, . . . , Out
N
, where:
(d
i
, c
i
) In
i
(x
i
): On input x
i
, the algorithm In
i
outputs two elements, c
i
to be sent to the
server S and d
i
to be kept by party P
i
.
(z
1
, . . . , z
N
) ComputeF(c
1
, . . . , c
N
) : On input c
1
, . . . , c
N
, which are the messages the server
received from parties P
1
, . . . , P
N
, ComputeF outputs N elements z
1
, . . . , z
N
. The server sends
back z
i
to party P
i
.
y
i
Out
i
(z
i
, d
i
) : On input z
i
which was received from the server, and the auxiliary infor-
mation d
i
output by In
i
, Out
i
computes the output y
i
.
In what follows, we use the following notation. For a set T and a vector x = (x
1
, . . . , x
n
), we
let x
T
= (x
i
)
iT
.
Theorem B.1. Let f be an N-input function. If a 2-round on-the-y MPC protocol = (In
1
, . . . , In
U
,
ComputeF, Out
1
, . . . , Out
N
) securely computes f against a semi-honest adversary corrupting t < N
parties, then for any x (0, 1

)
N
and any H [N] such that [H[ = N t, there exists an
obfuscator O
x
H
for f
x
H
, where f
x
H
is the t-input function dened by f with xed inputs x
i
for
i H, and restricted to outputs y
j
for j [N]H.
Proof of Theorem B.1: Fix x (0, 1

)
N
and H [N] such that [H[ = N t. Consider an
execution of where x is the input vector. We can build an obfuscator O
x
H
for f
x
H
as follows:
compute (d
i
, c
i
) In
i
(x
i
) for i H and sample random coins r
S
, r
i
, s
i

i[N]\H
. O
x
H
outputs the
circuit that on input x
C
:
For j C, computes (c
j
, d
j
) := In
j
(x
j
; r
j
).
Computes (z
1
, . . . , z
N
) := ComputeF(c
1
, . . . , c
N
; r
S
)
For j C, computes y
j
:= Out
j
(z
j
; s
j
).
Outputs (y
j
)
jC
.
Notice that O
x
H
can be considered as a semi-honest adversary /

attacking by corrupting
the server S and the parties in C = [N]H (ie. the parties in H are honest). For the sake of
simplicity, assume /

outputs its entire view. Then by the security of , we know that the output
of /

is computationally indistinguishable from the output of an adversary o

corrupting the same

parties in the ideal model. More formally, for all x and any predicate D, we have
[ Pr[D(REAL
,,
(x)) = 1] Pr[D(IDEAL
f,S

(x)) = 1][ = negl()

34
In our case, REAL
,,
(x) = (x
C
, O
x
H
(x
C
)) and IDEAL
f,S

(x) = o(x
C
, y
C
), so we have:
[ Pr[D(x
C
, O
x
H
(x
C
)) = 1] Pr[D(o(x
C
, y
C
)) = 1][ = negl() (3)
Because this holds for all x (and in particular for all x
C
), then (3) holds even if D is allowed
to chose x
C
. Now consider an adversary /
C
attacking the obfuscation of f
x
H
(). Then we can
substitute D in (3) with /
C
, and because /
C
can only run O
x
H
() on a polynomial number of
inputs, then by a hybrid argument we have that for all /
C
there exists o
C
(namely /
C
(o()) such
that:
[ Pr[/
C
(O
x
H
()) = 1] Pr[o
f
x
H
()
C
(1

) = 1][ = negl()
C Simulation Extractability
For completeness, we include the denition of simulation-extractability [Gro06].
Denition C.1 (Simulation Extractability [Gro06]). Let = (Setup, Prove, Verify) be a proof
system for a relation R, satisfying the completeness, soundness and zero-knowledge properties. We
say that is simulation-extractable if:
Setup also outputs an extraction key xk.
There exists a PPT algorithm Ext(y, , xk) such that for all P

we have the probability that

P

wins in the following game in negligible in :

1. Key Generation: The challenger runs (pp, xk) Setup(1

) and gives pp to P

.
2. Simulation queries: P
S()
is given access to the simulation oracle o(), which it can
adaptively access.
3. Adversary Output: P

outputs a tuple (y

).
4. Extraction: The challenger runs x

Ext(y

, ek).
5. P

wins if (a) y

was not part of a simulator query, (b) Verify(y

) = 1, and
(c) R(y, x

) = 0.
Katz and Vaikuntanathan [KV09] implicitly construct simulation-extractable proofs for all of
NP from CPA encryption and simulation-sound proofs [Sah99]. See [DHLW10] for a more detailed
exposition.
D Proofs
D.1 Security against Semi-Honest Adversaries
Proof of Theorem 2.1: We prove that the protocol is correct and secure, and that it satises the
performance requirements of an on-the-y protocol.
Correctness: Correctness follows directly from the correctness properties of homomorphic evalu-
ation and the decryption MPC protocol.
35
Performance: By compactness of evaluation, we know that c is independent of [C[. This means
that the communication complexity and the computation time of the parties is independent
of [C[.
Security: Recall that for security, we only need to consider adversaries corrupting a subset T of
the parties P
1
, . . . , P
N
involved in the computation. We let T = [N]T. For a semi-honest
adversary /
sh
corrupting t < N parties, we construct a simulator o
sh
corrupting the same
parties in the ideal world. We show the case when the server S is corrupted (the other case
is analogous).
Simulator o
sh
: Runs /
sh
on input x
i

iT
.
Step 1: For non-computing parties i N+1, . . . , U and for honest parties i T, o
sh
computes (pk
i
, , ek
i
) Keygen(1

) honestly and computes c

i
Enc(pk
i
, 0). For
each party P
i
, o
sh
sends (c
i
, pk
i
, ek
i
) to /
sh
on behalf of P
i
.
Step 2: Receive c

from /
sh
.
Step 3: Gives x
i

iT
to the ideal functionality and receives y = f(x
1
, . . . , x
N
). Runs
the simulator o
sh
dec
(interacting with /
sh
) on input y.
o
sh
outputs whatever /
sh
outputs.
We prove that IDEAL
T,S
sh(x)
c
REAL

sh
,,
sh(x). Since /
sh
is semi-honest, correctness guar-
antees that the outputs of the honest parties does not change. Furthermore, we prove that
the view created by o
sh
for /
sh
is indistinguishable from the view of /
sh
in a real world ex-
ecution, and thus its output is indistinguishable in both cases. We prove this using a hybrid
argument.
Hybrid 0: This is the view of /
sh
in a real-world execution. We have:
(pk
i
, , ek
i
) Keygen(1

)
iT
, c
i
Enc(pk
i
, x
i
)
iT
, View
dec
(/
sh
)
Hybrid 1: We change how Step 3 is performed. Instead of executing
dec
, we run the
simulator o
sh
dec
(interacting with /
sh
) on input y = f(x
1
, . . . , x
N
). We now have:
(pk
i
, , ek
i
) Keygen(1

)
iT
, c
i
Enc(pk
i
, x
i
)
iT
, View
S
sh

dec
(y)
(/
sh
)
We claim that the view of /
sh
in Hybrid 0 is computationally indistinguishable from its
view in Hybrid 1 by the security of
dec
. Suppose, for the sake of contradiction, that
there exists an algorithm T that distinguishes between hybrids 0 and 1. We construct
an adversary B that breaks the security of
dec
. The adversary B works as follows:
1. For all i T, sample (pk
i
, , ek
i
) Keygen(1

) and compute c
i
Enc(pk
i
, x
i
)
honestly. For all i T, give (pk
i
, ek
i
, c
i
) to /
sh
on behalf of P
i
for all i T. Receive
c

from /
sh
.
2. Receive the challenge view View

(/
sh
), and send the entire view of /
sh
to T.
3. Output the bit output by T.
When View

(/
sh
) = View
dec
(/
sh
), B perfectly emulates Hybrid 0, whereas if View

(/
sh
) =
View
S
sh

dec
(y)
(/
sh
), B perfectly emulates Hybrid 1. Therefore, if T can distinguish be-
tween Hybrids 0 and 1, then B can distinguish between View
dec
(/
sh
) and View
S
sh

dec
(y)
(/
sh
),
contradicting the security of
dec
.
36
Hybrids 2.k for k = 1, . . . , N t: Let T = i
1
, . . . , i
Nt
. In Hybrid 2.k we change c
i
k
so
that instead of encrypting x
i
k
it now encrypts 0. More formally, in Hybrid 2.k we have
c
i
j
= Enc(pk
i
j
, 0) for j k and c
i
j
= Enc(pk
i
j
, x
i
j
) for j > k.
(pk
i
, , ek
i
) Keygen(1

)
iT
, View
S
sh

dec
(y)
(/
sh
)
c
i
j
Enc(pk
i
j
, 0)
jk
, c
i
j
Enc(pk
i
j
, x
i
j
)
j>k
For ease of notation we let Hybrid 1 be Hybrid 2.0. We claim that the view of /
sh
in
Hybrid 2.k is indistinguishable from its view in Hybrid 2.(k1) by the semantic security
of c under public key pk
i
k
. Suppose, for the sake of contradiction, that there exists an
algorithm T that distinguishes between hybrids 2.k and 2.(k 1). We construct an
adversary B that breaks the semantic security of c under public key pk
i
k
. The adversary
B works as follows:
1. Receive (pk, ek) from the semantic security challenger and set pk
i
k
= pk and ek
i
k
=
ek. Give m
0
= 0 and m
1
= x
i
k
to the challenger and receive c = Enc(pk, m
b
). Set
c
i
k
= c. For all i T, i ,= i
k
, compute (pk
i
, , ek
i
) Keygen(1

) honestly. For j < k,

compute c
i
j
Enc(pk
i
j
, 0) and for j > k, compute c
i
j
Enc(pk
i
j
, x
i
j
). For all
i T give (pk
i
, ek
i
, c
i
) to /
sh
on behalf of P
i
. Receive c

from /
sh
.
2. Obtain y from the ideal functionality, run the simulator o
sh
dec
(y)(/
sh
). Give T the
resulting view.
3. Output the bit output by T.
When b = 0, B perfectly emulates Hybrid 2.k, whereas if b = 1, B perfectly emulates
Hybrid 2.(k1). Therefore, if T can distinguish between Hybrids 2.k and 2.(k1), then
B can distinguish between an encryption of m
0
and an encryption of m
1
, contradicting
the semantic security of c.
We have proved that the view of /
sh
in Hybrid 0 is computationally indistinguishable from
the view of /
sh
in Hybrid 2.(N t). But notice that the view of /
sh
in Hybrid 2.(N t) is
precisely the simulated view created by o
sh
. We conclude that the view created by o
sh
for
/
sh
is indistinguishable from the view of /
sh
in a real world execution, as desired.
D.2 Security against Malicious Adversaries
Proof of Theorem 2.2: We prove that the protocol is correct and secure, and that it satises the
performance requirements of an on-the-y protocol.
Correctness: Correctness follows directly from the correctness properties of homomorphic evalu-
ation and the decryption MPC protocol.
Performance: By compactness of evaluation, we know that c

is independent of [C[. Also, all

zero-knowledge proofs are independent of C. Furthermore, we know that the proof has
size polylogarithmic in [C[. Furthermore, the complexity of and the time needed to verify
depend only polylogarithmically on the total size of the ciphertexts c
i
. This means they also
37
only depend polylogarithmically on the total size of the inputs x
i
. Thus, the computation
time and communication complexity party P
i
is at most polylogarithmic in [C[ and the total
size of inputs, and polynomial in y and its input x
i
.
Security: Recall that for security, we only need to consider adversaries corrupting a subset T of
the parties P
1
, . . . , P
N
involved in the computation. We let T = [N]T. For a malicious
adversary /
mal
corrupting t < N parties, we construct a simulator o
mal
corrupting the same
parties in the ideal world. We show the case when the server S is corrupted (the other case
is analogous).
Simulator o
mal
: Runs /
mal
on input x
i

iT
.
Step 1: For non-computing parties i N + 1, . . . , U and for honest parties i
T, o
mal
computes (pk
i
, , ek
i
) Keygen(1

) and samples hk
i
honestly. It com-
putes c
i
Enc(pk
i
, 0) and simulated proofs
gen
i
and
enc
i
using the ZK sim-
ulator. It also computes d
i
= H
hk
i
(c
i
,
enc
i
). For each party P
i
, o
mal
sends
(pk
i
, ek
i
, c
i
, hk
i
, d
i
,
gen
i
,
enc
i
) to /
mal
on behalf of P
i
. Receives (c

, ), (pk
i
, ek
i
, hk
i
,
d
i
,
gen
i
)
i[N]
from /
mal
.
Step 2: Receive (c

, ) from /
mal
, together with (pk
i
, ek
i
, hk
i
, d
i
,
gen
i
)
i[N]
. Verify
and
gen
i
)
i[T]
and use the extractor to extract witness c
i
,
enc
i

iT
from .
Use the extractor to extract witness x
i
from
enc
i
for all i T.
Step 3: Gives x
i

iT
to the ideal functionality and receives y = f( x
1
, . . . , x
N
), where
x
j
= x
j
for honest parties j T. Runs the simulator o
mal
dec
(interacting with /
mal
)
on input y.
o
mal
outputs whatever /
mal
outputs.
We prove that IDEAL
T,S
mal (x)
c
REAL

mal
,,
mal (x). We prove that the view created by o
mal
for /
mal
is indistinguishable from the view of /
mal
in a real world execution, and thus its output
is indistinguishable in both cases. We prove this using a hybrid argument. We give a sketch of each
hybrid.
Hybrid 0: This is the view of /
mal
in a real-world execution. We have:
(pk
i
, , ek
i
) Keygen(1

)
iT
,
gen
i
Prove
gen
( )
iT
c
i
Enc(pk
i
, x
i
)
iT
,
enc
i
Prove
enc
( )
iT
d
i
= H
hk
i
(c
i
,
enc
i
)
iT
, View
dec
(/
mal
)
Hybrid 1: We change how we compute the proofs
gen
i
; instead of computing real proofs, we use
the ZK simulator.
(pk
i
, , ek
i
) Keygen(1

)
iT
,
gen
i
Sim
gen
( )
iT
c
i
Enc(pk
i
, x
i
)
iT
,
enc
i
Prove
enc
( )
iT
d
i
= H
hk
i
(c
i
,
enc
i
)
iT
, View
dec
(/
mal
)
We claim that the view of /
mal
in Hybrid 1 is computationally indistinguishable from its
view in Hybrid 0 by the (adaptive unbounded) zero-knowledge property of the proof system
38
for relation R
gen
. Suppose, for the sake of contradiction, that there exists an algorithm
T that distinguishes between hybrids 0 and 1. We construct an adversary B that breaks
zero-knowledge. The adversary B works as follows:
1. For all i T, sample (pk
i
, , ek
i
) Keygen(1

) and hk
i
honestly, and compute c
i

Enc(pk
i
, x
i
) and
enc
i
Prove
enc
( ). Obtain
gen
i
from a query to the ZK challenger.
For all i T, compute d
i
= H
hk
i
(c
i
,
enc
i
) and give (pk
i
, ek
i
, c
i
, hk
i
, d
i
,
gen
i
,
enc
i
) to
/
mal
on behalf of P
i
. Receive (c

, ), (pk
i
, ek
i
, hk
i
, d
i
,
gen
i
)
i[N]
from /
mal
.
2. Verify and
gen
i

iT
and run the protocol
dec
(c

) (interacting with /
mal
). Give T
the resulting view.
3. Output the bit output by T.
When
gen
i
Prove
gen
( ) for all i T, B perfectly emulates Hybrid 0, whereas if
gen
i

Sim
gen
( ) for all i T, B perfectly emulates Hybrid 1. Therefore, if T can distinguish
between Hybrids 0 and 1, then B can distinguish between real proofs and simulated proofs,
contradicting the (adaptive unbounded) zero-knowledge property of the proof system for
relation R
gen
.
Hybrids 2: We change how we compute the proofs
enc
i
. Instead of computing real proofs, we
use the ZK simulator.
(pk
i
, , ek
i
) Keygen(1

)
iT
,
gen
i
Sim
gen
( )
iT
c
i
Enc(pk
i
, x
i
)
iT
,
enc
i
Sim
enc
( )
iT
d
i
= H
hk
i
(c
i
,
enc
i
)
iT
, View
dec
(/
mal
)
We claim that the view of /
mal
in Hybrid 2 is computationally indistinguishable from its
view in Hybrid 1 by the (adaptive unbounded) zero-knowledge property of the proof system
for relation R
enc
. Suppose, for the sake of contradiction, that there exists an algorithm
T that distinguishes between hybrids 1 and 2. We construct an adversary B that breaks
zero-knowledge. The adversary B works as follows:
1. For all i T, sample (pk
i
, , ek
i
) Keygen(1

) and hk
i
honestly, and compute c
i

Enc(pk
i
, x
i
) and
gen
i
Sim
enc
( ). Obtain
enc
i
from a query to the ZK challenger.
For all i T, compute d
i
= H
hk
i
(c
i
,
enc
i
) and give (pk
i
, ek
i
, c
i
, hk
i
, d
i
,
gen
i
,
enc
i
) to
/
mal
on behalf of P
i
. Receive (c

, ), (pk
i
, ek
i
, hk
i
, d
i
,
gen
i
)
i[N]
from /
mal
.
2. Verify and
gen
i

iT
and run the protocol
dec
(c

) (interacting with /
mal
). Give T
the resulting view.
3. Output the bit output by T.
When
enc
i
Prove
enc
( ) for all i T, B perfectly emulates Hybrid 0, whereas if
enc
i

Sim
enc
( ) for all i T, B perfectly emulates Hybrid 1. Therefore, if T can distinguish
between Hybrids 0 and 1, then B can distinguish between real proofs and simulated proofs,
contradicting the (adaptive unbounded) zero-knowledge property of the proof system for
relation R
enc
.
39
Hybrid 3: Hybrid 3 is the same as hybrid 2 except that we use the extractor for to extract
(c
i
,
enc
i
)
i[N]
Ext() and compute c := Eval(C, (c
1
, pk
1
, ek
1
), . . . , (c
N
, pk
N
, ek
N
)). The
simulator outputs if verication fails for any
enc
i
, if d
i
,= H
hk
i
( c
i
,
enc
i
), or if c ,= c

, where
c

is the evaluated ciphertext provided by /

mal
. By the proof of knowledge property of ,
we know that this event happens with negligible probability. The simulator also outputs
if c
i
,= c
i
for any i T. By the collision-resistance property of H
hk
i
() (since we sampled hk
i
correctly for i T), we know this happens with only negligible probability. Thus, hybrids 2
and 3 are statistically close.
Hybrid 4: Hybrid 4 is the same as hybrid 3 except that in addition, we extract

sk
i
Ext
gen
(
gen
i
)
iT
,
and run y := Dec(

sk
1
, . . . ,

sk
N
, c

), where

sk
i
= sk
i
for i T. If y ,= y

, where y

is the output
of the protocol
dec
(c

), then the simulator outputs . By correctness of decryption and of

the protocol
dec
, we know that as long as (pk
i
,

sk
i
, ek
i
) is in the support of Keygen for all
i, this event happens with negligible probability. This is indeed true for i T since we sam-
ple the key tuple honestly in that case. Furthermore, by the simulation-extractability of the
proof system for relation R
gen
, we know that except with negligible probability, (pk
i
,

sk
i
, ek
i
)
is indeed in the support of Keygen for i T. Thus, by a union bound over all i T, we
know that all of (pk
i
,

sk
i
, ek
i
) are in the support of Keygen, except with negligible probability.
Thus, hybrids 3 and 4 are statistically close.
Hybrid 5: Instead of running the protocol
dec
and outputting View
dec
(/
mal
), we run the sim-
ulator o
mal
dec
and ouput View
S
mal
dec
(e y)
(/
mal
), where y := Dec(

sk
1
, . . . ,

sk
N
, c

).
(pk
i
, , ek
i
) Keygen(1

)
iT
,
gen
i
Sim
gen
( )
iT
c
i
Enc(pk
i
, x
i
)
iT
,
enc
i
Sim
enc
( )
iT
d
i
= H
hk
i
(c
i
,
enc
i
)
iT
, View
S
mal
dec
(e y)
(/
mal
)
where
(c
i
,
enc
i
)
i[N]
Ext() ,

sk
i
Ext
gen
(
gen
i
)
iT
y := Dec(

sk
1
, . . . ,

sk
N
, c

) where

sk
j
= sk
j
for j T
We claim that the view of /
mal
in Hybrid 4 is computationally indistinguishable from its
view in Hybrid 5 by the security of the protocol
dec
. Suppose, for the sake of contradiction,
that there exists an algorithm T that distinguishes between hybrids 4 and 5. We construct
an adversary B that breaks the security of
dec
. The adversary B works as follows:
1. For all i T, sample (pk
i
, , ek
i
) Keygen(1

) and hk
i
honestly, and compute c
i

Enc(pk
i
, x
i
),
gen
i
Sim
enc
( ), and
enc
i
Sim
enc
( ). Compute d
i
= H
hk
i
(c
i
,
enc
i
)
and give (pk
i
, ek
i
, c
i
, hk
i
, d
i
,
gen
i
,
enc
i
) to /
mal
on behalf of P
i
. Receive (c

, ), (pk
i
, ek
i
,
hk
i
, d
i
,
gen
i
)
i[N]
from /
mal
.
2. Verify and
gen
i

iT
. Receive the challenge view View

(/
mal
), which is either
View
dec
(/
mal
) or View
S
mal
dec
(y

)
(/
mal
), and send the entire view of /
sh
to T.
3. Output the bit output by T.
40
Recall that unless the simulator outputs , we are guaranteed that y = y

, where y

is the
output of the protocol
dec
(c

). Thus, when View

(/
mal
) = View
dec
(/
mal
), B perfectly
emulates Hybrid 4, whereas if View

(/
mal
) = View
S
mal
dec
(e y)
(/
mal
), B perfectly emulates Hybrid
5. Therefore, if T can distinguish between Hybrids 4 and 5, then B can distinguish between a
real execution of
dec
and a simulated view, contradicting the security of the protocol
dec
.
Hybrid 6: Instead of computing y := Dec(

sk
1
, . . . ,

sk
N
, c

), we decrypt x
i
:= Dec(

sk
i
, c
i
) and
obtain y = f( x
1
, . . . , x
N
), where x
j
= x
j
for j T.
(pk
i
, , ek
i
) Keygen(1

)
iT
,
gen
i
Sim
gen
( )
iT
c
i
Enc(pk
i
, x
i
)
iT
,
enc
i
Sim
enc
( )
iT
d
i
= H
hk
i
(c
i
,
enc
i
)
iT
, View
S
mal
dec
(e y)
(/
mal
)
where
(c
i
,
enc
i
)
i[N]
Ext() ,

sk
i
Ext
gen
(
gen
i
)
iT
, x
i
:= Dec(

sk
i
, c
i
)
iT
y = f( x
1
, . . . , x
N
) where x
j
= x
j
for j T
This is purely a syntactical change, since by correctness of the encryption scheme c, we are
guaranteed that y is the same in both hybrids. Thus, hybrids 5 and 6 are identical.
Hybrid 7: We change how we extract x
i
. Instead of decrypting c
i
with

sk
i
, we extract x
i
from

enc
i
.
(pk
i
, , ek
i
) Keygen(1

)
iT
,
gen
i
Sim
gen
( )
iT
c
i
Enc(pk
i
, x
i
)
iT
,
enc
i
Sim
enc
( )
iT
d
i
= H
hk
i
(c
i
,
enc
i
)
iT
, View
S
mal
dec
(e y)
(/
mal
)
where
(c
i
,
enc
i
)
i[N]
Ext() , x
i
j
Ext(
enc
i
j
)
iT
y = f( x
1
, . . . , x
N
) where x
j
= x
j
for j T
We claim that the view of /
mal
in Hybrid 6 is computationally indistinguishable from its view
in Hybrid 7 by the simulation-extractability of the proof system for relation R
enc
. Suppose,
for the sake of contradiction, that there exists an algorithm T that distinguishes between
hybrids 6 and 7. We construct an adversary B that breaks simulation-extractability. The
adversary B works as follows:
1. For all i T, sample (pk
i
, , ek
i
) Keygen(1

), compute c
i
Enc(pk
i
, x
i
),
gen
i

Sim
gen
( ), and obtain
enc
i
Sim
enc
( ) from a query to the simulation-extractability
challenger. Sample hk
i
honestly, compute d
i
= H
hk
i
(c
i
,
enc
i
), and give (pk
i
, ek
i
, c
i
, hk
i
,
d
i
,
gen
i
,
enc
i
) to /
mal
on behalf of P
i
. Receive (c

, ), (pk
i
, ek
i
, hk
i
, d
i
,
gen
i
)
i[N]
from
/
mal
.
2. Verify and
gen
i

iT
and run (c
i
,
enc
i
)
i[N]
Ext(). Sample b 0, 1. If b = 0,
then for i T, run the extractor

sk
i
Ext
gen
(
gen
i
) and decrypt x
i
:= Dec(

sk
i
, c
i
). If
b = 1, run the extractor x
i
Ext(
enc
i
). Run the simulator o
mal
dec
on input y (interacting
with /
mal
), where y = f( x
1
, . . . , x
N
) and x
j
= x
j
for j T. Give T the resulting view.
41
3. If T outputs b
t
= b, then guess a random i

T and output ((pk

i
, c
i
),
enc
i
).
Let z
(k)
denote the variable z in hybrid k. If T distinguishes between hybrids 6 and 7 then we
must have that y
(6)
,= y
(7)
, since the views are identical up to the point where y is computed.
Thus, there exists i

T such that x
(6)
i
,= x
(7)
i
. Furthermore, we are guaranteed that if T
distinguishes between hybrids 6 and 7,
enc
i
is a valid proof for every i T (since otherwise,
the simulator outputs in both hybrids). Thus,
enc
i
is a valid proof but the extractor fails
to extract a valid witness (the only valid witness is x
(6)
i
and we know that x
(6)
i
,= x
(7)
i
), and
B will guess this index i

with probability 1/t. Therefore, if T distinguishes hybrids 6 and

7 with non-negligible probability , then B breaks the simulation-extractability of the proof
system for R
enc
with probability /t, which is also non-negligible.
Hybrids 8.k for k = 1, . . . , N t: Let T = i
1
, . . . , i
Nt
. In Hybrid 8.k we change c
i
k
so that
instead of encrypting x
i
k
it now encrypts 0. More formally, in Hybrid 8.k we have c
i
j
=
Enc(pk
i
j
, 0) for j k and c
i
j
= Enc(pk
i
j
, x
i
j
) for j > k.
(pk
i
, , ek
i
) Keygen(1

)
iT
,
gen
i
Sim
gen
( )
iT
c
i
j
Enc(pk
i
j
, 0)
jk
, c
i
j
Enc(pk
i
j
, x
i
j
)
j>k
,
enc
i
Sim
enc
( )
iT
d
i
= H
hk
i
(c
i
,
enc
i
)
iT
, View
S
mal
dec
(e y)
(/
mal
)
where
(c
i
,
enc
i
)
i[N]
Ext() , x
i
Ext(
enc
i
)
iT
y = f( x
1
, . . . , x
N
) where x
j
= x
j
for j T
For ease of notation we let Hybrid 7.(N t) be Hybrid 6.0. We claim that the view of
/
mal
in Hybrid 8.k is computationally indistinguishable from its view in Hybrid 8.(k 1)
by the semantic security of c under public key pk
i
j
. Suppose, for the sake of contradiction,
that there exists an algorithm T that distinguishes between hybrids 8.k and 8.(k 1). We
construct an adversary B that breaks the semantic security of c. The adversary B works as
follows:
1. Receive (pk, ek) from the semantic security challenger and set pk
i
k
= pk and ek
i
k
=
ek. Give m
0
= 0 and m
1
= x
i
k
to the challenger and receive c = Enc(pk, m
b
). Set
c
i
k
= c. For all i T, i ,= i
k
, sample (pk
i
, , ek
i
) Keygen(1

) honestly. For j < k,

compute c
i
j
Enc(pk
i
j
, 0) and for j > k, compute c
i
j
Enc(pk
i
j
, x
i
j
). For all i
T, sample hk
i
honestly, compute
gen
i
Sim
gen
( ),
enc
i
Sim
enc
( ) and d
i
=
H
hk
i
(c
i
,
enc
i
), and give (pk
i
, ek
i
, c
i
, hk
i
, d
i
,
gen
i
,
enc
i
) to /
sh
on behalf of P
i
. Receive
(c

, ), (pk
i
, ek
i
, hk
i
, d
i
,
gen
i
)
i[N]
from /
sh
.
2. Verify and
gen
i

iT
. Obtain y from the ideal functionality, run the simulator
o
sh
dec
(y)(/
sh
) and output the view View
S
sh

dec
(y)
(/
sh
).
When b = 0, B perfectly emulates Hybrid 8.k, whereas if b = 1, B perfectly emulates Hybrid
8.(k 1). Therefore, if T can distinguish between Hybrids 8.k and 8.(k 1), then B can
distinguish between an encryption of m
0
and an encryption of m
1
, contradicting the semantic
security of c.
42
We have proved that the view of /
mal
in Hybrid 0 is computationally indistinguishable from
the view of /
mal
in Hybrid 8.(N t). But notice that the view of /
mal
in Hybrid 8.(N t) is
precisely the simulated view created by o
mal
. We conclude that the view created by o
mal
for /
mal
is indistinguishable from the view of /
mal
in a real world execution, as desired.
43