a590003

I. Pre-processing phase. In this phase, the clients interact with each other to perform the following computations:
1. D 1 and D 2 engage in the execution of a standard secure computation protocol Π fhe to compute the (randomized)
functionality F fhe described as follows:
• Generate key pairs (sk, pk) ← Gen(1 κ ) and (SK, P K) ← Gen(1 κ ) for the FHE scheme
(Gen, Enc, Dec).
• Compute 2-out-of-2 shares of the FHE secret keys sk, SK. That is, compute sk 1 , sk 2 s.t. sk 1 ⊕sk 2 =
sk, and SK 1 , SK 2 s.t. SK 1 ⊕ SK 2 = SK.
• Output (pk, P K, sk i , SK i ) to D i .
2. D 1 and D 2 engage in the execution of a standard secure computation protocol Π prf to compute the (randomized)
functionality F prf described as follows:
• Sample keys K 1 and K 2 for a pseudo-random function PRF : {0, 1} κ × {0, 1} κ → {0, 1}.
• For every j ∈ [2], compute (c prf
j
, d prf
j
) ← COM(K i ).
• Output ({c prf
j
}, d prf
i
, K i ) to D i .
3. D 1 and D 2 engage in the execution of a standard secure computation protocol Π test to compute the (randomized)
functionality F test described as follows. F test takes as input the public key pk for FHE (as
computed above) from D 1 , D 2 and computes the following:
• For every i ∈ [2], j ∈ [n], generate random strings r i,j and compute ̂R i,j ← Enc P K (Enc pk (r i,j )).
• For every j ∈ [n],
(a) Compute secret j = Eval P K ( ̂R 1,j , ̂R 2,j ; G).
(b) Compute (c test
j , d test
j ) ← COM(secret).
(c) Choose random strings d test
1,j , dtest 2,j s.t. dtest j = d test
1,j ⊕ dtest 2,j .
• Output (̂R i,j , c test
j , d test
i,j ) to D i.
(Note that the three steps above can be combined into a single secure computation protocol execution. We choose
to split them into separate executions for simplicity of explanation and proof.)
II. Online phase. In this phase, the clients interact with the worker in a single round of communication to
compute the functionality G. For simplicity of exposition, we assume that the public keys (pk, P K) were given
to W at the end of the pre-processing phase; we do not include them in the description below.
More specifically, this phase proceeds as follows:
D i → W: Let x i denote the private input of D i . The client D i performs the following steps:
1. For every j ∈ [n],
• Compute ̂X i,j ← Enc P K (Enc pk (x i )).
• Let s be the session number. Then, compute bit b i,j ← prf Ki
(s‖j). Let (vi,j 0 , v1 i,j ) be such that
v b i,j
i,j
= ̂X i,j and v 1−b i,j
i,j
= ̂R i,j .
D i sends the tuple {vi,j 0 , v1 i,j }n j=1 to W.
W → (D 1 , D 2 ): On receiving the tuples {v 0 i,j , v1 i,j }n j=1 from each client D i, W performs the following steps. For
every j ∈ [n], homomorphically compute the following four values:
9
11. How to Delegate Secure Multiparty Computation to the Cloud