2023-301.pdf (366 kB)

On Circuit Private, Multikey and Threshold Approximate Homomorphic Encryption.

Download (366 kB)
journal contribution
posted on 2024-02-19, 09:34 authored by Kamil Kluczniak, Giacomo SantatoGiacomo Santato
Homomorphic encryption for approximate arithmetic allows one to encrypt discretized real/complex numbers and evaluate arithmetic circuits over them. The first scheme, called CKKS, was introduced by Cheon et al. (Asiacrypt 2017) and gained tremendous attention. The enthusiasm for CKKS-type encryption stems from its potential to be used in inference or multiparty computation tasks that do not require an exact output. A desirable property for homomorphic encryption is circuit privacy, which requires that a ciphertext leaks no information on the computation performed to obtain it. Despite numerous improvements directed toward improving efficiency, the question of circuit privacy for approximate homomorphic encryption remains open. In this paper, we give the first formal study of circuit privacy for homomorphic encryption over approximate arithmetic. We introduce formal models that allow us to reason about circuit privacy. Then, we show that approximate homomorphic encryption can be made circuit private using tools from differential privacy with appropriately chosen parameters. In particular, we show that by applying an exponential (in the security parameter) Gaussian noise on the evaluated ciphertext, we remove useful information on the circuit from the ciphertext. Crucially, we show that the noise parameter is tight, and taking a lower one leads to an efficient adversary against such a system. We expand our definitions and analysis to the case of multikey and threshold homomorphic encryption for approximate arithmetic. Such schemes allow users to evaluate a function on their combined inputs and learn the output without leaking anything on the inputs. A special case of multikey and threshold encryption schemes defines a so-called partial decryption algorithm where each user publishes a ``masked'' version of its secret key, allowing all users to decrypt a ciphertext. Similarly, in this case, we show that applying a proper differentially private mechanism gives us IND-CPA-style security where the adversary additionally gets as input the partial decryptions. This is the first security analysis of approximate homomorphic encryption schemes that consider the knowledge of partial decryptions. As part of our study, we scrutinize recent proposals for the definition and constructions of threshold homomorphic encryption schemes and show new random oracle uninstantiability results that may be of independent interest.


Primary Research Area

  • Algorithmic Foundations and Cryptography


Cryptology ePrint Archive



Page Range


Sub Type

  • Article


@article{Kluczniak:Santato:2023, title = "On Circuit Private, Multikey and Threshold Approximate Homomorphic Encryption.", author = "Kluczniak, Kamil" AND "Santato, Giacomo", year = 2023, month = 10, journal = "Cryptology ePrint Archive", pages = "301--301" }

Usage metrics


    No categories selected



    Ref. manager