QUICK REVIEW

[Paper Review] Verifiable Fully Homomorphic Encryption

Alexander Viand, Christian Knabenhans | arXiv (Cornell University) | Jan 17, 2023
Cryptography and Data Security | 15 citations
TL;DR

The paper analyzes FHE integrity gaps, introduces a new maliciously-secure verifiable FHE notion (vFHE), and provides generic constructions and instantiations using commitments and ZK proofs, plus evaluation across settings.

ABSTRACT

Fully Homomorphic Encryption (FHE) is seeing increasing real-world deployment to protect data in use by allowing computation over encrypted data. However, the same malleability that enables homomorphic computations also raises integrity issues, which have so far been mostly overlooked. While FHE's lack of integrity has obvious implications for correctness, it also has severe implications for confidentiality: a malicious server can leverage the lack of integrity to carry out interactive key-recovery attacks. As a result, virtually all FHE schemes and applications assume an honest-but-curious server who does not deviate from the protocol. In practice, however, this assumption is insufficient for a wide range of deployment scenarios. While there has been work that aims to address this gap, these have remained isolated efforts considering only aspects of the overall problem and fail to fully address the needs and characteristics of modern FHE schemes and applications. In this paper, we analyze existing FHE integrity approaches, present attacks that exploit gaps in prior work, and propose a new notion for maliciously-secure verifiable FHE. We then instantiate this new notion with a range of techniques, analyzing them and evaluating their performance in a range of different settings. We highlight their potential but also show where future work on tailored integrity solutions for FHE is still required.

Motivation & Objective

  • Highlight the gaps between existing FHE integrity notions and real-world deployment needs.
  • Define a clean, modular notion of maliciously-secure verifiable FHE (vFHE) that composes standard FHE with integrity properties.
  • Provide generic constructions of vFHE from standard FHE, commitments, and zero-knowledge proofs, and discuss practical instantiations.

Proposed method

  • Unify and categorize existing FHE integrity approaches into MAC-based, ZKP-based, and attestation-based paradigms.
  • Formally define maliciously-secure verifiable FHE (vFHE) with soundness, completeness, correctness, and security properties.
  • Show how to extend vFHE with server-input privacy and input predicates.
  • Describe a generic construction of vFHE from IND-CPA secure FHE, commitments, and a compatible ZKP system.
  • Analyze challenges in bridging FHE and ZKPs, and propose an optimization for emulating FHE ring arithmetic inside field-based ZKPs.
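
The last point concerns a mismatch between arithmetic modulo an FHE ciphertext modulus and the prime field a ZKP system works in. The sketch below is an added example, not code from the paper and not the paper's optimization: it shows the generic quotient-and-remainder way of checking a product mod `Q` inside a field `F_P`, and why the range checks that make it sound are part of the cost. `P`, `Q`, the operands and all function names are constructed for illustration.

```python
# Added illustration (not from the paper): multiplication mod an FHE modulus Q
# emulated inside a proof system whose native arithmetic is the prime field F_P.
P = 2**61 - 1   # constructed stand-in for the ZKP field prime
Q = 2**30 - 35  # constructed stand-in for an FHE coefficient modulus

# Both a*b and k*Q + c must stay below P, otherwise they wrap around in F_P.
assert Q * Q < P


def make_witness(a, b):
    """Honest prover: integers (k, c) with a*b = k*Q + c and 0 <= c < Q."""
    return divmod(a * b, Q)


def field_constraint(a, b, k, c):
    """The one equation the circuit checks natively, i.e. modulo P."""
    return (a * b - k * Q - c) % P == 0


def in_range(*values):
    """Range checks; in a circuit these are extra constraints per value."""
    return all(0 <= v < Q for v in values)


def verify(a, b, k, c, range_checks=True):
    """Accept c as a*b mod Q only if the equation and the bounds both hold."""
    if range_checks and not in_range(a, b, k, c):
        return False
    return field_constraint(a, b, k, c)


def unconstrained_quotient(a, b, claimed_c):
    """Without bounds, any claimed_c has a matching k: Q is invertible mod P."""
    return ((a * b - claimed_c) * pow(Q, -1, P)) % P


if __name__ == "__main__":
    a, b = 123456789, 987654321          # constructed operands, both below Q
    k, c = make_witness(a, b)
    print("honest result accepted:", verify(a, b, k, c))
    bad_c = (c + 1) % Q                  # a wrong product
    bad_k = unconstrained_quotient(a, b, bad_c)
    print("wrong result, equation only:", verify(a, b, bad_k, bad_c, range_checks=False))
    print("wrong result, with range checks:", verify(a, b, bad_k, bad_c))
```

Because `Q * Q < P`, any in-range `(k, c)` that satisfies the field equation also satisfies it over the integers, so the bounds are what tie the field check to the actual value of `a*b mod Q`.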

Experimental results

Research questions

  • RQ1: What are the limitations of existing FHE integrity notions in real-world deployments?
  • RQ2: How can a clean, modular vFHE notion be defined and achieved?
  • RQ3: What generic architecture and core primitives suffice to instantiate vFHE from standard FHE, commitments, and ZKPs?
  • RQ4: What practical challenges arise when combining FHE with ZKPs, and how can they be mitigated?

Key findings

  • Existing integrity notions are insufficient for real-world FHE deployments due to mismatches with practical threat models and input settings.
  • A modular vFHE notion can compose standard FHE with integrity primitives to address malicious servers and decryption/failure oracles.
  • Generic constructions from standard FHE, commitments, and ZKPs can realize vFHE, enabling various deployment settings with extensible privacy properties.
  • ZKP-based instantiations reveal fundamental challenges in emulating FHE ring arithmetic in field-based ZKPs, requiring tailored optimizations.
  • FHE-in-TEE and other approaches offer a point of comparison, but future work is needed on ZKP systems specifically designed for FHE characteristics.


This review was created by AI and reviewed by human editors.