 This is a joint work with the Svikal Brokersky for my VITEMIN Institute. So there is a very long title, so I'll break it down. So we begin with the fully homomorphic encryption. So I see that I have a cell phone and I have some data stored in it, and let's call the data X, and I want to compute a function of my data. And the function is very complicated, and my cell phone doesn't have much computational power, so instead of computing it on my cell phone, I prefer to do the computation on the server. So in the very naive approach, what do I do? So I send my data to the server, and I let the server do the hard job, and it computes half, and it simply sends back the result. So this is all very nice and naive, but what if the server is malicious and I want to keep my data private? So I generate a public key and a secret key, and I want it to be of a special encryption scheme such that when I send the server an encryption of my data, it can run some evaluation algorithm, and when I decrypt the value of the ciphertext, I get f of X. So even though I've sent in encrypted data, I can still recover f of X without doing too many work, and we call this property full homomorphism if it holds for every circuit F. And also we want semantic security, so I want that encryption of zero would look like encryption of one, and throughout this talk, I will assume that we encrypt bit-by-bit. So this is the full homomorphic setting, and what if we have two parties, each having its own public key and secret key, and each having its own data X and Y? And I want to compute a function, both of f, a function f of X and Y. So what do we do in the multi-key settings? So each party computes an encryption, and now the server runs the evaluation algorithm on both ciphertexts, and we want to have the property that when two parties meet together and run the encryption algorithm on the evaluated ciphertext, we get f of X and Y. So this is the multi-key settings. And sometimes we want to relax the settings, and we assume that the two parties share public parameters. And what do I mean by that? I mean that when generating the public and secret keys, they're not completely independent, they also depend on the public parameters. We also want to get a stronger notion of a multi-key FHE, which we call multi-hop. Well, multi-hop could have many interpretations. So what do I mean by multi-hop? That assume that the two parties made some computation with the server, and got this chat1, cwat2, and et cetera. And all of a sudden, there comes a new party, says, hold on a minute. I want to join the computation, and it's after the fact. The other party has already made some computations. And we want the new party to be able to send its own encryption, and the server could still run an algorithm such that when it's decrypted, it would decrypt to the right value, and know that chat are already evaluated ciphertext. So this is multi-hop in the sense that we evaluate the ciphertext with a new party. And ideally, we want a fully dynamic encryption, and I mean by that, that polynomially, about the number of parties could join the computation. So if you had all these parties doing the computation, you can have always someone new to join. So let's cover some previous works that has been done. So the first work is by Lopez, which first introduced multi-key FHE, and they also gave the first scheme. So the scheme was multi-hop, but the number of parties that could use such a scheme has to be previously known. Also the scheme had no public parameters, which is very good. And the space complexity of evaluation, we could just think about it now as the length of the ciphertext grew like this, and where epsilon could be very small. It depends on the security parameter, and it is at least quadratic. And the cryptographic assumption is n-tru, which we just talked about. There was another work by Clearing McGaldrick, and then which was simplified and rephrased by Wooker E. Gene Weeks. And their scheme wasn't multi-hop, but it was the first work that supported an unbounded number of players. Also the scheme had public parameters, and the space complexity, the length of the ciphertext was still quadratic in the number of players. But the cryptographic assumption was learning with their errors. So our work continues their line of work, and we get multi-hop, and we also keep the unbounded number of players, so this is the first fully dynamic encryption scheme. But we also have public parameters. And the space complexity is efficient. It's linear in the number of players. And the assumption is also l-l-v-d. There are two concurrent works. The first one also continued the line of work from Corrigan Weeks, and it was multi-hop, but the amount of players is bounded. The scheme also had public parameters, and the length of the ciphertext was quadratic, and the assumption is length errors. The other concurrent work is a bit different. It is multi-hop. It can support an unbounded number of players, or it is fully dynamic, and it has no public parameters. And here the space complexity of variation is quadratic, and it has short ciphertext, but the cryptographic assumption is a PIO, which is not a standard assumption. And saying that, the cryptographic assumption for all previous works besides this one needs to assume circular security, which I'll talk about later, which is not standard assumption, but we also need that for just FHE, not fully dynamic encryption. So our starting point is the fully unbounded encryption by gentry behind motors, and in these settings, we have a matrix, which is short and wide, which would play the world's ciphertext, and the secret key would be a vector, and you'd have a special form that the last element is normalized. And we want to have the following property that when I multiply the secret key by the ciphertext, I get something that looks approximately like the message, times the secret key, times a special matrix G called the gadget matrix. And for this of you who don't know what a gadget matrix is, just keep in mind that it is a diagonal matrix, having all the powers of two up to in mode Q. But just keep in mind that it is diagonal matrix, and what do I mean by this approximately? Well, I mean that the difference between what we actually have, which is the secret key, times the ciphertext, and what we would like to have, which is the message, times the secret key, times the gadget matrix, the difference is very small. And why is this property good for us? Well, first of all, let us do the encryption. So we said we only equipped bits. So if we encrypt the bit zero, so the multiplication would look like zero, which has only very small elements. But if we encrypted one, well, it will have this form. What's special about this form? We call that G is this matrix. And the last element of the secret key is normalized. So whereas when we encrypt zero, the last element would be very small. When we encrypt one, the last element would be very large because we multiply one by the highest power of two. So as long as this difference is smaller, the Q over 8, we can decrypt. And actually for decryption, because we only looked at the last column, we don't need the whole matrix to decryption. We can only take the last column of the cipher text. But we do need the whole matrix for some reason, because it allows to do homomorphic operations. I won't talk about why does this work, but just to mention it. So we do this arithmetic operation where G is not a square matrix, so the inverse is not well-defined. But it turns out that it's actually a pretty efficient algorithm. It's just to decompose the elements into bits. So if I do that, I get the NAND of the encryptions. And this works only to a certain point of operation, because after I do this many times, the noise is too big, and we can't decrypt. So how do you get around that? Because we want full homomorphism. We want to be able to decrypt any homomorphic operation of any circuit. So assuming I have this circuit G, and up to this point, I can do these NAND operations. So what do I do in the last point that I can do? So evaluate a slightly larger circuit. And this part would be this circuit, which has the two ciphertexts, CB1 and CB2, hard-coded into it. So what do I do? I take the input X and use it to decrypt the first ciphertext and the second one, and take their NAND. And what is good about this circuit? Because if I plug in the secret key, I get exactly the NAND of B1 and B2, which is one I want to get. So if I evaluate it homomorphically, I go for encryption of the B1 and the B2 to encryption of their NANDs. So we can keep doing NAND. And it's also because we ran decryption, so the noise is being canceled. So we can keep doing this operation and get fully homomorphism. But this requires an additional something, because I assume we have an encryption of the secret key, which is generally not secure, so we need an additional assumption called circular security. It's not a standard assumption, but as I said earlier, this is the only way we can get FHE besides IO. So how do we go from this into the multi-key settings? So the main idea is we have an encryption of some bit under a single player, and we want to extend it into a larger matrix for more players. So there is an extended algorithm and this matrix C hat has a special form which has only elements on the diagonal and on some row. And it has the property, like I said, that's only a linear number of non-zero blocks. And when I concatenate all the secret keys and I do this multiplication, I get the property that we talked about earlier. So we can still do decryption and evaluate, we can still do decryption and evaluation as before. So these extended algorithms, let us go to multi-key settings. Point is we can do this extended algorithm only once. So it is only single hop. If it could have extended many times, it would be multi-hop, but it doesn't work. So our goal is to make this scheme multi-hop. And we also want to get shorter ciphertext in the scheme before the ciphertext were matrices, so it was n squared. And we also want to get an efficient space for the evaluation. So we'll begin with getting multi-hop. So we have two ciphertexts, C1 encrypted under a red party and C2 encrypted under a blue party. And we want to run some evaluation algorithm that when I decrypt this evaluated ciphertext, I get the nan of the two bits. And if I could do that, I could do multi-key FHE, because without the loss of generality, the circuit is only of NAND gates, and it can go from any party, the red one and the blue one, to the joint party. So how do I do that? So we start with the single key settings. So we say that instead of running the NAND, we run this larger circuit. And when I plug in the encryption of the secret key, I get C hat. And when I decrypt C hat, I get the NAND of B1 and B2. But now we are in the multi-key settings, and to decrypt C1, we need the red party, and decrypt C2, we need the blue party. So what do we do? So instead of plugging in just an encryption of the single public key, we plug in all the encryption of all the secret keys. And this would still work because we have a multi-key evaluation. So the decryption would still be what we want, be the NAND of B1 and B2. And the important thing to note is that we don't reevaluate the public encryption of the secret key. We, if you want to evaluate the circuit again, we just use this again, which aren't the output of the evaluation algorithm. So we actually need only single hop to do this. And since we have single hop for the previous work, running this circuit gives us multi-hop. So the next step is we want to decrease the length of the ciphertext. So we said that if all we wanted to do is decryption, we can only take the last column of the matrix. So what we are going to do is to simply generate the last column of the matrix, which will give us linear length ciphertext. So the public parameters, public key and secret key are as in the single hop scheme. But now we're going to generate only column ciphertext. But how can we do evaluation now? Because we needed a matrix for a reason. So it seems that we kind of lost the point of giving up on all matrix. So let's go over again, what we said we do in the decryption. So we have the encryption of the secret keys and we decrypt the hard-coded encryptions. Sorry, we decrypt the hard-coded ciphertext and get c-hat. So we said that the public key is as before and the public key contains the encryption of the secret key. But this time we have only vector ciphertext. Thing is it still works because for decryption we only need the last column of the matrix. So decryption still works but we get a matrix ciphertext. So how do we get around that? We simply cut it off and to get back the vector ciphertext which is linear length, it's number of parts. But the downside of all this whole procedure is that we get the space complexity to be squared and we want the space complexity to be linear. So how do we get around that? So first make a few observations. We can do some morphic operation even though we have only vector ciphertext. So we can do addition by simply adding the two ciphertext. I won't get into why this works but take it as a fact. And we can also do multiplication. Well it is not clear how to multiply two vectors. So we can do tensor product but it wouldn't work very well. So I assume that we have at least one of the ciphertexts has to be a matrix for multiplication to work. And if this matrix is very sparse, for example if it has a linear number of nonzero elements which we know the structure of the matrix, then we can do multiplication in linear space and addition is also in linear space. And remember that after the extend algorithm, the matrix had a very specific form which was very sparse and then only linear number of nonzero blocks. So if this c1 matrix has been a matrix that has only been extended, we can run the multiplication algorithm in linear space. But if we ran some evaluation on this matrix, it would lose its form, it would lose its sparseness and we couldn't do a space efficient multiplication. So keep that in mind and we use these two observations to reduce the space of the evaluation. So for that only the model of branching programs. So what are branching programs? It is a rather intuitive model of computation. So we have L layers, in this case L would be four, and we have some width which is this case is also four and we start and we evaluate the branching program layer by layer. So we start in this layer and we look at our input which is the indicated variable one and we see if the bit is zero or one, if the bit is zero, we take the red arrow, otherwise we take the blue arrow and this way we advance to the next layer. And this way we go from one layer to another until we get to the last one and if we ended up in this point, we accept and otherwise we reject. So these are branch programs and the main idea is we utilize branching programs. So instead of evaluating this circuit, we're going to transfer it into a branching program and this is due to Barrington and it says this transformation could be done efficiently and we actually can do it on the fly and what do I mean by on the fly? That we can output each layer of the branching program efficiently. So the idea is instead of evaluating this circuit which requires a quadratic space, we'll transfer it to a branching program and we will evaluate the branching program more frequently instead of evaluating the homomorphically in this circuit. So how do we do that? If we take a closer look at branching programs, we see each step in the layers actually go from either the blue arrow or the red one and by looking at the inputs, we can see which one we take. So it actually has a very simple formula. So y prime would be a y one if x is one and it would be y zero if x is zero and we can evaluate this formula efficiently. So x is the input that we have and we assume that x would be a vector encryption. Yeah, sorry. X is the input for the branching program which is an encryption of the secret key and in the encryption of the secret key, it would be very sparse because it's only been extended and y zero and y one are only the vector encryptions. So we can do this multiplication and addition using just linear space and by the correctness of the branching program we would eventually after evaluating all these each step of the layer, we get linear space. So there are a few ideas for future work. First of all, we would like to do it without public parameters which would be very good but it's not clear how to do that and it would be also interesting to get even shorter ciphertext. We're not sure if it's possible to get the ciphertext to be linear and the number of players could be a lower bound but we're not sure about it. And the main direction would be to get a fully dynamic encryption without the need for a circular security. And actually it is not known even for a fully homophic encryption it would be interesting to get simply that. So this is it and thank you very much for listening.