On i -Hop Homomorphic Encryption Craig Gentry, Shai Halevi, Vinod Vaikuntanathan IBM Research No relation to.

Slides:



Advertisements
Similar presentations
Polylogarithmic Private Approximations and Efficient Matching
Advertisements

FULLY HOMOMORPHIC ENCRYPTION
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Fully Homomorphic Encryption over the Integers
Secure Evaluation of Multivariate Polynomials
Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,
Lecturer: Moni Naor Foundations of Cryptography Lecture 15: Oblivious Transfer and Secure Function Evaluation.
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Garbled RAM, Revisited Daniel Wichs (Northeastern University) Joint work with: Craig Gentry, Shai Halevi, Seteve Lu, Rafail Ostrovsky, Mariana Raykova.
Protecting Circuits from Leakage the computationally bounded and noisy cases Sebastian Faust Eurocrypt 2010, Nice Joint work with KU Leuven Tal Rabin Leo.
New Advances in Garbling Circuits Based on joint works with Yuval Ishai Eyal Kushilevitz Brent Waters University of TexasTechnion Benny Applebaum Tel Aviv.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
Cryptography in The Presence of Continuous Side-Channel Attacks Ali Juma University of Toronto Yevgeniy Vahlis Columbia University.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
A Designer’s Guide to KEMs Alex Dent
1 Conjunctive, Subset, and Range Queries on Encrypted Data Dan Boneh Brent Waters Stanford University SRI International.
1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.
CRYPTOGRAPHY WHAT IS IT GOOD FOR? Andrej Bogdanov Chinese University of Hong Kong CMSC 5719 | 6 Feb 2012.
ON THE PROVABLE SECURITY OF HOMOMORPHIC ENCRYPTION Andrej Bogdanov Chinese University of Hong Kong Bertinoro Summer School | July 2014 based on joint work.
On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.
Two Round MPC via Multi-Key FHE Daniel Wichs (Northeastern University) Joint work with Pratyay Mukherjee.
Simons Institute, Cryptography Boot Camp
Slide 1 Vitaly Shmatikov CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties.
Homomorphic Encryption: WHAT, WHY, and HOW
Multi-Client Non-Interactive Verifiable Computation Seung Geol Choi (Columbia U.) Jonathan Katz (U. Maryland) Ranjit Kumaresan (Technion) Carlos Cid (Royal.
How to play ANY mental game
Overview of Privacy Preserving Techniques.  This is a high-level summary of the state-of-the-art privacy preserving techniques and research areas  Focus.
ON CONTINUAL LEAKAGE OF DISCRETE LOG REPRESENTATIONS Shweta Agrawal IIT, Delhi Joint work with Yevgeniy Dodis, Vinod Vaikuntanathan and Daniel Wichs Several.
1 Information Security – Theory vs. Reality , Winter Lecture 10: Garbled circuits (cont.), fully homomorphic encryption Eran Tromer.
Slide 1 Vitaly Shmatikov CS 380S Yao’s Protocol. slide Yao’s Protocol uCompute any function securely … in the semi-honest model uFirst, convert.
Secure two-party computation: a visual way by Paolo D’Arco and Roberto De Prisco.
Slide 1 Yao’s Protocol. slide Yao’s Protocol uCompute any function securely … in the semi-honest model uFirst, convert the function into a boolean.
Improved Non-Committing Encryption with Application to Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia Univ.), Tal Malkin (Columbia.
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
Public Key Encryption with keyword Search Author: Dan Boneh Rafail Ostroversity Giovanni Di Crescenzo Giuseppe Persiano Presenter: 陳昱圻.
On the Communication Complexity of SFE with Long Output Daniel Wichs (Northeastern) joint work with Pavel Hubáček.
1 Secure Multi-party Computation Minimizing Online Rounds Seung Geol Choi Columbia University Joint work with Ariel Elbaz(Columbia University) Tal Malkin(Columbia.
Non-Interactive Verifiable Computing August 5, 2009 Bryan Parno Carnegie Mellon University Rosario Gennaro, Craig Gentry IBM Research.
Polynomially Homomorphic Signatures Dan Boneh Stanford University Joint work with David Freeman.
FULLY HOMOMORPHIC ENCRYPTION WITH POLYLOG OVERHEAD Craig Gentry and Shai Halevi IBM Watson Nigel Smart Univ. Of Bristol.
PROTECTING CIRCUITS from LEAKAGE IBM T. J. Watson Vinod Vaikuntanathan the computationally bounded and noisy cases Joint with S. Faust (KU Leuven), L.
Secure Computation Lecture Arpita Patra. Recap >> Improving the complexity of GMW > Step I: Offline: O(n 2 c AND ) OTs; Online: i.t., no crypto.
CS555Spring 2012/Topic 31 Cryptography CS 555 Topic 3: One-time Pad and Perfect Secrecy.
1 Information Security – Theory vs. Reality , Winter Lecture 11: Fully homomorphic encryption Lecturer: Eran Tromer Including presentation.
Based on work with: Sergey Gorbunov and Vinod Vaikuntanathan Homomorphic Commitments & Signatures Daniel Wichs Northeastern University.
Andrew Lindell Aladdin Knowledge Systems and Bar-Ilan University 04/08/08 CRYP-106 Efficient Fully-Simulatable Oblivious Transfer.
Secure Computation (Lecture 9-10) Arpita Patra. Recap >> MPC with honest majority in i.t. settings > Protocol using (n,t)-sharing, proof of security---
Efficient Private Matching and Set Intersection Mike Freedman, NYU Kobbi Nissim, MSR Benny Pinkas, HP Labs EUROCRYPT 2004.
China Summer School on Lattices and Cryptography Craig Gentry and Shai Halevi June 3, 2014 Fully Homomorphic Encryption and Bootstrapping.
China Summer School on Lattices and Cryptography Craig Gentry and Shai Halevi June 3, 2014 Somewhat Homomorphic Encryption.
Fully Homomorphic Encryption (FHE) By: Matthew Eilertson.
Cryptographic methods. Outline  Preliminary Assumptions Public-key encryption  Oblivious Transfer (OT)  Random share based methods  Homomorphic Encryption.
Secure Computation Basics Yan Huang Indiana University May 9, 2016.
Multi-Party Computation r n parties: P 1,…,P n  P i has input s i  Parties want to compute f(s 1,…,s n ) together  P i doesn’t want any information.
Bounded key-dependent message security
Garbling Techniques David Evans
Topic 36: Zero-Knowledge Proofs
---On the ‘Vuvuzela’ Scheme
Laconic Oblivious Transfer and its Applications
The first Few Slides stolen from Boaz Barak
Course Business I am traveling April 25-May 3rd
Cryptography CS 555 Lecture 22
Rishab Goyal Venkata Koppula Brent Waters
Oblivious Transfer.
Compact Adaptively Secure ABE for NC1 from k-Lin
Presentation transcript:

On i -Hop Homomorphic Encryption Craig Gentry, Shai Halevi, Vinod Vaikuntanathan IBM Research No relation to

2 This Work is About… Connections between: Homomorphic encryption (HE) Secure function evaluation (SFE)

3 Secure Function Evaluation (SFE) Client Alice has data x Server Bob has function f Alice wants to learn f(x) 1. Without telling Bob what x is 2. Bob may not want Alice to know f 3. Client Alice may also want server Bob to do most of the work computing f(x)

4 Not necessarily c*  c Homomorphic Encryption (HE) Alice encrypts data x  sends to Bob c  Enc( x ) Bob computes on encrypted data  sets c*  Eval( f, c )  c* is supposed to be an encryption of f ( x )  Hopefully it hides f (function-private scheme) Alice decrypts, recovers y  Dec( c* )  Scheme is (fully) homomorphic if y = f ( x )

5 A More Complex Setting Alice sends encrypted to Dora: 1. Mail goes first to SMTP server at BobsISP.com  Bob’s ISP looks for “Make money”, if found then it tags as suspicious 2. Mail goes next to mailboxes.charlie.com  More processing/tagging here 3. Dora’s mail client fetches and decrypts it Alice( x )Bob( f )Charlie( g )Dora( sk ) c 0  Enc( x ) c 1  Eval( f,c 0 ) c 2  Eval( g,c 1 ) y  Dec( c 2 ) y = g(f(x)) c0c0 c1c1 c2c2

6 A More Complex Setting c 1 is not a fresh ciphertext  May look completely different Can Charlie process it at all? What about security? Alice( x )Bob( f )Charlie( g )Dora( sk ) c 0  Enc( x ) c 1  Eval( f,c 0 ) c 2  Eval( g,c 1 )y  Dec( c 2 ) c0c0 c1c1 c2c2 2-Hop Homomorphic Encryption

7 Background Yao’s garbled circuits  Two-move 1-of-2 Oblivious Transfer “Folklore” connection to HE  Two-move SFE  function-private HE

8 1-of-2 Oblivious Transfer Alice has bit b, Bob has two Strings L 0,L 1 Alice learns L b, Bob learns nothing Alice sets ( c,s)  OT1 (b) sends c to Bob  The c part in OT1( 0 ), OT1( 1 ) is indistinguishable Bob responds with r  OT2( c, L 0, L 1 )   Sim such that for any L 0, L 1, b, ( c,s)  OT1( b ) OT2( c, L 0, L 1 )  Sim( c, s, L b ) Alice recovers L b  OT-out( s,r ) honest-but- curious

9 Bob has f (fan-in-2 boolean circuit) Bob chooses two labels L w,0, L w,1 for every wire w in the f- circuit A gadget for gate w = u  v:  Know L u,a and L v,b  Learn L w,a  b { Enc L u,a ( Enc L v,b (L w,c )) : c = a  b } Collection of gadgets for all gates + mapping output labels to 0/1 is the garbled circuit  ( f ) Yao’s Garbled Circuits L w,1 L u,0 L u,1 L v,0 L v,1 L w,0 

10 Yao’s Protocol Run 1-of-2-OT for each input wire w with input x j  Alice( x j )  Bob( L w,0, L w,1 ), Alice learns L w,x j Bob also sends to Alice the garbled circuit  ( f ) Alice knows one label on each input wire  computes up the circuit  learns one output label, maps it to 0/1 Bob learns nothing Alice’s view simulatable knowing only f(x) and | f | Assuming circuit topology is “canonicalized”

11 Folklore: Yao’s protocol  HE Roughly:  Alice’s message c  OT1( x ) is Enc( x )  Bob’s reply [OT2( c, labels),  ( f )] is Eval( f, c ) Not quite public-key encryption yet  Where are (pk, sk)?  Can be fixed with an auxiliary PKE Client does as much work as server Jumping ahead: how to extend it to multi-hop?

12 Plan for Today Definitions: i -hop homomorphic encryption  Function-privacy (hiding the function)  Compactness (server doing most of the work) “Folklore” connection to SFE  Yao’s protocol  1-hop non-compact HE Extensions to multi-Hop HE  DDH-based “re-randomizable Yao”  Generically 1-Hop  i -Hop (not today) With or without compactness

13 Homomorphic Encryption Schemes H = { KeyGen, Enc, Eval, Dec } ( pk, sk )  KeyGen(), c  Enc( pk; x ) c*  Eval( pk; f, c ), y  Dec( sk; c* ) Homomorphic: Dec sk (Eval pk ( f,Enc pk ( x )))= f ( x ) i -Hop Homomorphic ( i = poly(sec-param)): y = f j (f j  1 (… f 1 (x) …)) Multi-hop Homomorphic: i -Hop for all i Eval pk ( f 1,c 0 )Enc pk ( x )Eval pk ( f 2,c 1 )Dec sk ( x ) c0c0 c1c1 c2c2 cjcj yx … j  i hops

14 Properties of Homomorphic Encryption Semantic Security [GoMi84]   x,x ’, Enc pk ( x )  Enc pk ( x ’) Compactness  The same circuit can decrypt c 0, c 1, …, c i  The size of the c j ’s cannot depend on the f j ’s Hence the name  Functionality, not security property

15 1-hop: Output of Eval pk (f,c) can be simulated knowing only pk, c, f(x)   Sim such that for any f, x, pk, c  Enc pk ( x ) Eval pk ( f,c )  Sim( pk, c, f(x), | f |) i -hop: Same thing, except c is evaluated Eval pk ( f,c j )  Sim( pk, c j, f( f j (…f 1 (x)…) ), | f |) Crucial aspect: indistinguishable given sk and c j ’s  And randomness that was used to generate them Function Privacy honest-but- curious Eval pk ( f 1,c 0 )Enc pk ( x )Eval pk ( f j,c j-1 ) c0c0 c1c1 c j  cjcj x … j  i  hops Eval Sim ?

16 Aside: “fully” homomorphic If c ’  Eval( f, c ) has the same distribution as “fresh” ciphertexts, then we get both compactness and function-privacy This is “fully” homomorphic  Very few candidates for “fully” homomorphic schemes [G09, vDGHV10] Under “circular” assumptions  Not the topic of today’s talk

17 Yao’s protocol  1-hop Function-Private HE Alice( x )Bob( f ) ( c,s )  SFE1( x ) r  SFE2( f,c ) r y  SFE3( s,r ) c Dora( sk )

18 Dec sk ( r,c ’) Eval pk ( f, c,c ’) Enc’ pk ( x ) Yao’s protocol  1-hop Function-Private HE Add an auxiliary encryption scheme  with ( pk,sk ) Alice( x,pk) Bob( f ) c, c ’ r, c ’ Dora( sk ) ( c,s )  SFE1( x ) c ’  Enc pk ( s ) r  SFE2( f,c ) s  Dec sk ( c ’) y  SFE3( s,r )

19 Yao’s protocol  1-hop Function-Private HE Auxiliary scheme E = (Keygen, Enc, Dec) H.Keygen: Run ( pk,sk )  E.Keygen() H.Enc pk (x): ( s,c )  SFE1( x ), c ’  E.Enc pk ( s ) Output [ c, c ’] H.Eval pk ( f, [ c, c ’]): Set r  SFE2( f,c ) Output [ r, c ’] H.Dec sk ([ r, c ’]): Set s  E.Dec sk ( c ’) Output y  SFE3( s, r ) Works for every 2-move SFE protocol

20 Extending to multi-hop HE Can Charlie process evaluated ciphertext? Alice( x,pk) Bob( f ) c, c ’ ( c,s )  SFE1( x ) c ’  Enc pk ( s ) r  SFE2( f,c ) r, c ’ ? Charlie( g )

21 r  Yao2( f,c ) Extending to multi-hop HE Can Charlie process evaluated ciphertext?  ( f ) include both labels for every f -output  Charlie can use them as g -input labels  Proceed to extend  ( f ) into  ( g  f ) Alice( x,pk) Bob( f ) c, c ’ c = OT1( x ) r, c ’ ? Charlie( g ) r = OT2( c )  ( f ) r ’  Extend( g, r ) r ’, c ’ ( c,s )  Yao1( x ) c ’  Enc pk ( s )

22 Extendable 2-move SFE Given g and r  SFE2( f, SFE1( x )), compute r ’ = Extend( g, r )  SFE2( g  f, SFE1( x ))  I.e., r ’ in the support of SFE2( g  f, SFE1( x )) Maybe also require that the distributions SFE2( g  f, SFE1( x )) Extend( g, SFE2( f, SFE1( x )) are identical/close/indistinguishable  This holds for Yao’s protocol* * Assuming appropriate canonicalization

23 Charlie’s privacy Charlie’s function g hidden from Alice, Dora  Since r ’ ~ Yao2( g  f, c ), then g  f is hidden But not from Bob  r includes both labels for each input wire of g Yao2 protects you when only one label is known  Given r, can fully recover g from r ’ Alice( x )Bob( f )Charlie( g )Dora( sk ) ( c,s )  Yao1( x ) r  Yao2( f,c ) r ’  Extend( g,r )y  Yao3( s, r ’) crr’r’

24 Fixing Charlie’s privacy Problem: Extend( g, r ) is not random given r Solution: re-randomizable Yao  Given any r   ( f ), produce another random garbling of the same circuit, r ’  reRand( r ) r ’  reRand( r )   ( f ), even given r Charlie outputs r ’  reRand(Extend( g,r ))

25 Re-Randomizable SFE  =(SFE1, SFE2, SFE3) re-randomizable if  x, f, (c,s)  SFE1 (x), r  SFE2 (f,c) reRand (r)  SFE2 (f,c) Identical / close / indistinguishable  Even given x, f, c, r, s Thm: Extendable + re-Randomizable SFE  multi-hop function-private HE Proof: Evaluator j sets r j  reRand(Extend( f j,r j-1 )) Honest-but-curious

26 Re-randomizing Garbled Circuits DDH-based re-randomizable Yao Circuits Using Naor-Pinkas/Aiello-Ishai-Reingold for the OT protocol  Any “blindable OT” will do Using Boneh-Halevi-Hamburg-Ostrovsky for gate-gadget encryption  Need both key- and plaintext-homomorphism  And resistance to leakage…

27 DDH-based OT [NP01,AIR01] OT1( b ) =  ( g, h, x, y b )-DDH, ( g, h, x, y 1-b )-non-DDH OT2(( g, h, x, y 0,y 1 ),  ,   ) = On strings  ,    use same ( g,h,x,y 0,y 1 ) for all bits Scheme is additive homomorphic:  For every c  OT1( b ), r  OT2( c,  ,   ),  ,   reRand( c, r,  ,   )  OT2( c,     ,      )  0,  1 are bits

28 BHHO encryption [BHHO08] We view it as a secret-key encryption Secret key is a bit vector s  {0,1} l Encryption of bit b is a vector  Such that g 0  j g j s j = g b  BHHO public key is a random encryption of zero Key- and plaintext- additively-homomorphic  For every s, t, ,  ’  {0,1} l, pk  Enc s ( 0 ), c  Enc s ( t ): c ’  reRand( pk, c, ,  ’)  Enc s   ( t   ’)  c ’ (pseudo)random, even given pk, c, s, t, ,  ’

29 BHHO-based Yao Circuits Use NP/AIR protocol for the 1-of-2-OT Two l -bit masks L w, 0, L w, 1 for every wire  Used as BHHO secret keys A gadget for gate w = u  v:  Choose four random masks  a,b ( a,b  {0,1} )  Gate gadget has four pairs (in random order) { : c = a  b } L w,1 L u,0 L u,1 L v,0 L v,1 L w,0 

30 Is this re-Randomizable? Not quite… Want to XOR a random  w,b into each L w,b  But don’t know what ciphertexts use L w,0 / L w,1  Cannot use different masks for the two labels XOR the same mask to both L w,0, L w,1 ?  No. Bob knows old-L w,0, old-L w,1, Dora knows new-L w,b, together they can deduce new-L w,  b

31 Better re-Randomization? We must apply the same transformation T(  ) to both labels of each wire  T  (x) = x   does not work We “really want” 2-universal hashing:  Given L 0, L 1, T(L b ), want T(L  b ) to be random  Must be able to apply T (  ) to both key, plaintext Even BHHO can’t do this (as far as we know)  But it can get close…

32 Stronger homomorphism of BHHO Key- and plaintext-homomorphic for every transformation T (  ) that:  Is an affine function over Z q l  Maps 0-1 vectors to 0-1 vectors In particular: bit permutations  multiplication by a permutation matrix For every pk  Enc s ( 0 ), c  Enc s ( t ), ,  ’  S l c ’  permute( pk, c, ,  ’)  Enc  (s) (  ’ (t))  c ’ (pseudo)random, even given pk, c, s, ,  ’

33 Bit Permutation is “sort-of” Universal For random Hamming-weight- l / 2 strings Permutation Lemma: For random L, L ’  R HW( l / 2 ),  R S l, the expected residual min-entropy of  ( L ’) given  (L), L, L ’ is E L,L ’,  { H  (  ( L ’) |  (L), L, L ’ ) }  l – 3 / 2 log l Proof: Fix L, L ’,  (L), then  ( L ’) is uniform in the set { x  HW( l / 2 ) : HD(  (L), x) = HD(L, L’) }  HD – Hamming Distance

34 BHHO is secure even with balanced keys re-Randomizable BHHO-based Yao Labels have Hamming weight exactly l / 2 Use NP/AIR protocol for the 1-of-2-OT Two masks L w, 0, L w, 1  HW( l / 2 ) for every wire A gadget for gate w = u  v:  Gate gadget has four pairs (in random order) { : c = a  b } Instead of output labels (secret keys), provide corresponding public keys  Still extendable: can use pk for encryption

35 re-Randomization Input: OT response r, garbled circuit  Choose a permutation  w for every wire w For input wires, permute the OT response  We use bit-by-bit OT, and “blindable” Permute the gate gadgets accordingly Also re-randomize the gate masks  a,b  Using the BHHO additive homomorphism

36 re-Randomizable yet? For each wire, adversary knows L, L ’,  (L)  Permutation lemma: min-entropy of  ( L ’) almost l bits We use  ( L ’) as BHHO secret key  Use Naor-Segev’09 to argue security NS09: BHHO is secure, under leakage of O( l ) bits View L, L ’,  (L) as randomized leakage on  ( L ’)  Leaking only 3 / 2 log l bits on the average  So we’re safe Security proof is roughly the same as the Lindell-Pinkas proof of the basic Yao protocol L, L ’ random in the honest-but-curious model

37 Summary Highlighted the multi-hop property for homomorphic encryption  In connection to function privacy, compactness Described connections to SFE A DDH-based multi-hop function private scheme  Not compact  Uses re-randomizable Yao circuits Other results (generic):  1-hop FP  i -hop FP for every constant i  1-hop compact FP  i -hop compact FP for every i  1-hop compact + 1-hop FP  1-hop compact FP

38 Open Problems Malicious model  The generic constructions still apply  Not the randomized-Yao-circuit construction Main sticky point is the permutation lemma Other extensions  General evaluation network (not just a chain)  Hiding the evaluation-network topology  Other adversary structures

39 Thank you

40 1-hop Function-Private  i -hop FP Given E = (KeyGen, Enc, Eval, Dec)  and a constant parameter d Build H d = (KeyGen*, Enc*, Eval*, Dec*)  d -hop function-private, complexity n O(d) Use d +1 E-public-keys   j encrypts j ’th sk under j +1 st pk  j th node evaluates f j  Dec c j -1 (  ) on ciphertext  j The input to Dec c j -1 is sk Ciphertext from node j -1 hard-wired in Dec c j -1  j is a “fresh ciphertext”, not an evaluated one

41 1-hop Function-Private  i -hop FP KeyGen*: ( pk j,sk j )  KeyGen(),  j  Enc pk j +1 ( sk j )  sk* = {sk j }, pk*={(  j, pk j )}, j=0,1, …, d Enc pk * ( x ): output [level-0, Enc pk 0 ( x )] Dec sk* ([level- j, c ]): output Dec sk j ( c ) Eval pk * ( f, [level- j, c] ):  Compute description of F f,c ( s )  f( Dec s (c) ) Input is s, not c  Set c ’  Eval pk j+1 (F f,c,  j ), output [level-( j+1), c ’ ] * * *

42 1-hop Function-Private  i -hop FP The description size of F f,c ( s )  f( Dec s (c) ) is at least | f | + |c| Size of c ’ = Eval pk j+1 (F f,c,  j ) can be n O(1)  |F f,c |  For a non-compact scheme (e.g., Yao-based) So after i hops, ciphertext size is n O(1)  (| f i | + n O(1)  (| f i  | + … n O(1)  (| f  | +c 0 ) …)) n O(i)  (c 0 +  j | f j |) Can only do constant many hops

43 1-hop Compact FP  i -hop Compact FP If underlying scheme is compact, then size of c ’ = Eval pk j+1 (F f,c,  j ) does not grow Can do as many hops as  j ’s in pk* If pk* includes   Enc pk ( sk ), then we can handle any number of hops  This assumes that scheme is circular secure

44 1-hop FP + 1 -hop Compact  1 -hop Compact FP Roughly, Eval*( f ) = cEval(pEval( f ))  pEval makes it private, cEval compresses it pk* includes ppk, cpk1, cpk2, and also  = pEnc ppk ( csk 0 ),  = cEnc cpk 1 ( psk )  sk* = [csk 0, csk 1 ] Eval pk* ( f, c ): // c encrypted under cpk 0  Let F f,c (s)  f( cDec s (c)), set c’  pEval ppk ( F f,c,  )  Let G c ’ (s)  pDec s (c ’ ), set c *  cEval cpk 2 ( G c ’,  )