Welcome to the resource topic for 2025/700
Title: Fherret: Proof of FHE Correct-and-Honest Evaluation with Circuit Privacy from MPCitH
Authors: Janik Huth, Antoine Joux, Giacomo Santato
Abstract: The major Fully Homomorphic Encryption (FHE) schemes guarantee the privacy of the encrypted message only in the honest-but-curious setting, when the server follows the protocol without deviating. However, various attacks in the literature show that an actively malicious server can recover sensitive information by executing incorrect functions, tampering with ciphertexts, or observing the client’s reaction during decryption.
Existing integrity solutions for FHE schemes either fail to guarantee circuit privacy, exposing the server’s computations to the client, or introduce significant computational overhead on the prover by requiring proofs of FHE operations on ciphertexts.
In this work, we present Fherret, a novel scheme leveraging the MPC-in-the-Head (MPCitH) paradigm to provide a proof of correct-and-honest homomorphic evaluation while preserving circuit privacy. This proof guarantees that the client can safely decrypt the ciphertext obtained from the server without being susceptible to reaction-based attacks, such as verification and decryption oracle attacks. Additionally, this proof guarantees that the server’s evaluation maintains correctness, thereby protecting the client from $\mathsf{IND}\text{-}\mathsf{CPA}^{\mathsf{D}}$-style attacks.
Our solution achieves a prover overhead of $4\lambda$ homomorphic evaluations of random functions from the function space $\mathcal{F}$, while retaining a competitive verifier overhead of $2\lambda$ homomorphic evaluations and a communication size proportional to $\sqrt{2\lambda}$ times the size of a function from $\mathcal{F}$.
Furthermore, Fherret is inherently parallelizable, achieving a parallel computation overhead similar to a homomorphic evaluation of a random function from $\mathcal{F}$ for both the prover and the verifier.
ePrint: https://eprint.iacr.org/2025/700
See all topics related to this paper.
Feel free to post resources that are related to this paper below.
Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.
For more information, see the rules for Resource Topics.