Verifiable Encodings for Secure Homomorphic Analytics

Sylvain Chatel, Christian Knabenhans, Apostolos Pyrgelis, Carmela Troncoso, Jean-Pierre Hubaux

TL;DR

This work addresses the absence of computation integrity guarantees in lattice-based homomorphic encryption by introducing two plaintext-space encodings, replication-based (REP) and polynomial-based (PE), that instantiate verifiable authenticators for CHHE pipelines. By shifting verification to the plaintext space and enabling offline challenge precomputation, VERITAS allows clients to detect malicious servers with probability at least $1-2^{-\lambda}$ while preserving HE's privacy properties. The authors implement VERITAS in Go atop BFV (with batching) and demonstrate practical verification across ride-hailing, genomic analysis, encrypted search, and ML workloads, showing favorable client/server overheads relative to baseline HE. They further optimize for high multiplicative depth through PoC and interactive ReQ, reducing communication and computation where needed. Overall, VERITAS delivers a practical, open-source solution for verifiable secure analytics on encrypted data, enabling broader adoption of privacy-preserving outsourced computations with integrity guarantees.

Abstract

Homomorphic encryption, which enables the execution of arithmetic operations directly on ciphertexts, is a promising solution for protecting privacy of cloud-delegated computations on sensitive data. However, the correctness of the computation result is not ensured. We propose two error detection encodings and build authenticators that enable practical client-verification of cloud-based homomorphic computations under different trade-offs and without compromising on the features of the encryption algorithm. Our authenticators operate on top of trending ring learning with errors based fully homomorphic encryption schemes over the integers. We implement our solution in VERITAS, a ready-to-use system for verification of outsourced computations executed over encrypted data. We show that contrary to prior work VERITAS supports verification of any homomorphic operation and we demonstrate its practicality for various applications, such as ride-hailing, genomic-data analysis, encrypted search, and machine-learning training and inference.

Paper Structure (38 sections, 4 theorems, 15 equations, 8 figures, 2 tables)

This paper contains 38 sections, 4 theorems, 15 equations, 8 figures, 2 tables.

Key Result

Theorem 1

Let $\lambda$ be a power-of-two security parameter. If the PRF $F_K$ and the canonical HE scheme are at least $\lambda$-bit secure, then for any admissible program $\mathcal{P}$, $\text{REP}$ as in Scheme scheme:REP is a secure authenticator and a PPT adversary has a probability of successfully chea

Figures (8)

  • Figure 1: HE pipeline. It returns the homomorphic evaluation of a function $f(\cdot)$ over the encryption of a message $\textbf{m}$.
  • Figure 2: Enhanced HE pipeline. The square boxes correspond to the original HE pipeline (see §\ref{sec:prelim:fhe} and Fig. \ref{fig:fhepure}) and the dotted boxes are the new components offering verification capabilities. The grey box represents the computing server. For a message $\textbf{m}$ associated with a label $\tau$ and for a function $f(\cdot)$, the verification pipeline checks if the Eval. step performed by the computing server was executed correctly. $\mathbf{sk}_{\text{HE}}$ and $\mathbf{evk}$ are the HE secret key and evaluation key respectively. $K$ is the encoder's secret key.
  • Figure 3: Replication Encoding. A message $\mathsf{m}$ with identifier $\tau$ is encoded as a vector $\mathbf{M}$ with challenge values (using the PRF $F_K(\cdot)$) for indices in the challenge set $S$ and replications of $\mathsf{m}$ for all the others. For ease of presentation, here $\mathsf{m}{\in}\mathbb{Z}_t$ and $\lambda {=} 8$.
  • Figure 4: Polynomial Encoding. A message $\mathbf{m}\in \mathbb{Z}_t^N$ identified by $\boldsymbol{\tau}$ is encoded as $P$ using the secret $\alpha$ and the challenge vector $\textbf{r}_{\boldsymbol{\tau}}$.
  • Figure 5: Polynomial Compression Protocol (PoC, §\ref{sec:vche2:PP}). For clarity, polynomials are represented in the plaintext space.
  • ...and 3 more figures
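
The replication encoding in the Figure 3 caption can be followed end to end in the plaintext space. The sketch below is an added example, not code from VERITAS or the paper: it encodes two inputs, lets a server apply a function slot-wise, and has the client accept only if the challenge slots match its own recomputation and all replica slots agree. Assumptions: HMAC-SHA256 stands in for $F_K$, the modulus 65537, the function $f(x,y)=xy+x$, the choice of four challenge indices out of eight, and the names `Vec`, `Encode`, `Eval` and `Verify` are all hypothetical; plain integers stand in for the ciphertext slots an HE scheme would carry.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const tMod = 65537 // constructed plaintext modulus t (assumption)
type Vec [8]uint64 // lambda = 8 slots, as in Figure 3

// Encode puts challenge values F_K(tau, i) at indices in S and copies of m elsewhere.
func Encode(key []byte, S map[int]bool, tau string, m uint64) (M Vec) {
	for i := range M {
		if M[i] = m % tMod; S[i] {
			mac := hmac.New(sha256.New, key) // assumed stand-in for the PRF F_K
			mac.Write(append([]byte(tau), byte(i)))
			M[i] = binary.BigEndian.Uint64(mac.Sum(nil)) % tMod
		}
	}
	return
}

// Eval is the server's work: f(x, y) = x*y + x slot-wise (on ciphertexts under HE).
func Eval(X, Y Vec) (R Vec) {
	for i := range R {
		R[i] = (X[i]*Y[i] + X[i]) % tMod
	}
	return
}

// Verify recomputes the challenge slots and requires every replica slot to agree.
func Verify(key []byte, S map[int]bool, tauX, tauY string, R Vec) (out uint64, ok bool) {
	want := Eval(Encode(key, S, tauX, 0), Encode(key, S, tauY, 0)) // precomputable offline
	for i, r := range R {
		if !S[i] && !ok {
			out, ok = r, true // first replica slot fixes the claimed result
		}
		if (S[i] && r != want[i]) || (!S[i] && r != out) {
			return 0, false
		}
	}
	return
}

func main() {
	key, S := []byte("constructed-key"), map[int]bool{1: true, 2: true, 5: true, 7: true}
	fmt.Println(Verify(key, S, "x", "y", Eval(Encode(key, S, "x", 3), Encode(key, S, "y", 5))))
}
```

A server that alters any single slot is rejected; to pass, it would have to change exactly the replica slots and nothing else, which requires guessing the secret set `S`.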

Theorems & Definitions (8)

  • Theorem 1
  • Theorem 2
  • proof
  • proof
  • Theorem 3
  • proof
  • Theorem 4
  • proof