 Hello, my name is Salihit Mosseg, this is a joint work with Shweta Agarwal and Shafi Goldwasser. I'm going to talk about deniable fully homomorphic encryption. Deniable FHG is the combination of deniable encryption and fully homomorphic encryption. Let's start with some motivation. In this section, we have two candidates, a red and a blue. To vote for the red candidate, vote 0. For the blue, vote 1. The parties generate a secret key and a public key using a key generating algorithm. They keep to themselves the secret key and they publish in the cloud the public key for everyone to encrypt their vote. Bob used this public key to encrypt his vote B-0 using a fresh randomness R. And then he submitted, he submitted his vote CT-0 to the cloud. Everyone are doing the same. Then after the voting phase is done, one can compute this CT-0, which is the homomorphically, which is the tally of the result. Then the parties can decrypt this CT-0 and they will know what's the voting result, how many people vote for the blue candidate. Alice can come to Bob and ask, Bob, for whom did you vote for? Maybe she's willing to pay him, maybe he's in love with her and he feel obligated to answer. But what Bob can do, he can give her his vote B-0 and the randomness use R to convince her. Or alternatively, he can give her the flipped B and a fake randomness that he can compute using a fake algorithm that gets the public key, the original message and randomness B-0 and R, and the flipped message, the fake message B-0. Now Alice, if she encrypt the original message B-0 and R, she will get the ciphertext Bob submitted CT-0, but also if she encrypt using the flipped message and the fake randomness, she will also get the exactly same ciphertext. Additionally, she will not be able to distinguish between the honesty distribution and the fake distribution, where the fake distribution is when the message and randomness she gets are not the one used inside by Bob when he submitted his vote. The fake distribution requires both deniability and homomorphism. Deniability to guarantee honest participation and that nobody will be able to buy both. And homomorphism so we can compute the voting result homomorphically. And this is true in whenever we store encrypted data in the cloud, we usually want not just deniability, but also the ability to compute on it. And also this is true in any data-driven algorithm. Deniability encryption. It was introduced by Kaneti Dwork and Oren Stropsky in 1997. We get a construction from trapdoor implementation, where the site of the ciphertext is the inverse of the faking probability, which means that in order to get negligible faking probability, their ciphertext side need to be exponential. And we say faking probability is the probability Alice in the story before can distinguish between the fake and the honest distribution. They also introduced the notion of weak deniable encryption, when Bob in the story before can also lie about the encryption algorithm he used. They gave a construction that gets compact ciphertext and negligible deniability. Additionally, they show a lower bound, some tradeoff between the efficiency and the deniability of skin. And they said that it seems inherent that the length of the ciphertext will grow with the inverse of the faking probability in separable construction, which is a term they defined in the paper. A significant step forward was in 2014 by Sahay and Waters, when they gave a construction for deniable encryption based on IO and one-way function. They achieved both compact ciphertext and negligible deniability. And it's very easy to modify their skin to add homomorphism to it. But this is not a polynomial time assumption. Our result. We give the notion of deniable FH and we give constructions based on LW, which is a polynomial time assumption. We support large message space or prior work and code large messages beat by beat. We get compact ciphertext. Our construction is separable. So what seems inherent in 1996 is not inherent. But our encryption time grows with the inverse of the faking probability. So not the ciphertext side, but the encryption time does. Also, our encryption can be run in the offline online mode. When in the online time, the online time is independent of the faking probability and offline is independent of the message being encrypted. Additionally, we give the notion of the weak deniable FH and we give a construction for it from LW that also support at large message space. So what's new in the weak notion is that we add FH property and we support large message space. Let's see the definition of a deniable FH. So as I said, a deniable FH is an FH scheme and a deniable encryption scheme. So if we get the key gen, the encryption evaluating and decryption algorithm, this is an FH scheme. And if we take the key gen encryption decryption and faking algorithm, this is a deniable encryption scheme. Let's see the syntax. I think it's very standard. Maybe just evaluating this new so public key function F and K ciphertext and output ciphertext and the faking get the public key message randomness and a faking message and out with a faking randomness. There are four properties from the scheme. Correctness, CPI security, the ability and compactness. Correctness is the regular correctness of a homomorphism of an FH scheme. So if we decrypt a ciphertext city star, we want to get the evaluated the function on the messages. We cannot simultaneously satisfy perfect correctness and the ability. This is inherent that we ask for one minus negligible. We also want CPI security and standards. We support also large message space. We have a more involved definition for there. Deniability that for every bit be it will be computationally indistinguishable whether you get a public key and encryption of this bit be using the randomness are and then be an R in the clear. We also want a distribution or a fake distribution where we get this be and some faking are and the encryption is of the flipped bit. This is computationally indistinguishable. And we said it's delta deniable. For every polynomial time PPT adversary a, you cannot distinguish those two distribution with probability at most delta. And this delta is the faking probability that we wanted to be small. Compactness the last property. So we want the compactness of an home of FH scheme that the evaluated ciphertext are not growing. It's independent of the complexity of the function as the number of ciphertext involved in the computation. Also, we want the ciphertext to be independent of the faking probability, regardless of the encryption running time. Now let's see our construction. Our construction use a special FHG scheme. We will denote this special FHG scheme with blue. So, every time it's blue, it's from the special FHG. And we use it for the binary message space. So all the homomorphic operations are more to the ciphertext space is denoted by this curly are the bootstrapping procedure. The c of x is evaluating of the decryption algorithm on the input x, the input to the bootstrapping. And it's got the ciphertext of the secret key. This will output a fresh ciphertext because it will output a value of this computation. And of course, the secret key is a vector of ciphertext because we are in the binary message space. And some notation homomorphic addition with two, we will denote by XOR. Okay, so let's see the key generation. So the public key will be a public key of special FHG and ciphertext of the secret key. And the secret key would just be the secret key of the special FHG. So we will need something like circular security for this scheme to be secure. And the secret key of the special FHG. Okay, the encryption to encrypt the B to B, what we will do, we will first sample X1 to XN binary bits such that their priority is B. For every XI that is zero, we will sample a random element from the ciphertext space. And for every element that is one, we will sample a small RI what we call here. And we will set the capital RI to be a valid encryption, fresh encryption of the bit one. Then we are going to compute the bootstrapping on all this capital RI that we sample and computed in step two and three. And then we will compute the parity of the bootstrapping value, and this will be the ciphertext. And we will output this ciphertext. So for correctness to hold, what we will need is that the bootstrapping of a random element from the ciphertext space to be a valid encryption of zero is high probability. So what is the randomness we choose we select during the encryption is n bits X1 to XN and the capital RI for every XI that is zero, and this is small RI for every XI that is one. And the faking algorithm, it gets the public key, the original message, and the randomness, and the fake message B prime. So if B prime is equal to B, we will just output run. Otherwise, we are going to sample an index K such that XK equal one. We are going to sample some index from these X1 to XN, such that XK is one, we are going to flip it. We are going to set X prime K to be zero. And then we need to sample a large capital R prime K, and we are going to set it to be encryption of one using our K. Usually for an index X that is zero, we sample a random element in the ciphertext space. But now we are sampling and we are setting it to be a ciphertext, a specific ciphertext, so we will need some pseudo random ciphertext property. For every I that is not K, we just set the capital RI to be the same and small RI to be the same as in the original randomness. Sorry. So we output R prime, a random prime, which is the same as run, just with the flipped bit XK, and we put this capital R prime K. Observe that the output of the encryption is just a ciphertext of the special FHE, so the valve and the crypt is just the same as in the special FHE. So what is the special FHE, what do we need for me. We said we need circular security, pseudo random ciphertext, and this property that the bootstrapping of a random element from the ciphertext space is a valid encryption of zero with type of ability. Okay, so circular security, let's start. So this is when we get the ciphertext of the secret key, we still have security, the CPA security. And actually, in our scheme, this can be removed by using two pairs of keys. And the second property, pseudo random ciphertext. That's mean that we will not be able to distinguish whether we see the public key and an encryption of MS, like a valid encryption. Or the public key and a random element from the ciphertext space. This should be computational indistinguishable. This is almost always the case by the LW in the LWE assumption. Okay, and for the property number three, what we need is the deterministic about and decrypt algorithm and bias decryption on random input. That the probability that we decrypt the random input, we will get zero with probability, almost one, one minus negligible. So number three is almost always the case, but number four is not always the case. Okay, so first, let's see why these two things are exactly like the boots, like give us that the bootstrapping of a random element is a valid encryption of zero with high probability. Okay, so instead of the writing. Oh, sorry. Instead of, instead of writing the encryption of R is SK, I'm just changing the write it, the write up. And this is exactly like what we want, right, that the evaluating of the bootstrapping of a random element would be zero with high probability. And since the evaluating and the decryption are deterministic, this would hold. Okay, we can even weaker the properties of this special FHE, we can ask the decrypt, but then we need to change the construction. We can ask the decryption always output a valid message. This almost always the case, and if not, we can replace the not valid message with a zero. And this, for example, BGP 14 satisfies all these three properties. We also show how we can modify the construction of BGP 14 to get to this bias decryption on one input, check the paper to see how. Okay, I also promised that we are in the online offline encryption. So if you remember we select and beads and then according to this we set these are the capital R I. So what we can see is that we can just in the preprocessing select the n minus one beats. And then when we get the message B, we just set the last bit to be according to the message that we are encrypting and do all the rest that we need. Okay, summary, we saw the notion of an FHE and we gave a construction based on LWE. Thank you very much and you can check the papers online.