Evaluator without exposing secret key

[fedejinich]

Hi, I'm trying to evaluate a symmetric decryption circuit on server side and I don't want to expose the BFV-secret-keys to create a new evaluator instance on the server.

My circuit performs additions, subtractions, multiplications, and rows/columns rotations.

My first thought was that I could easily do that, but it seems that I need the same BFV-secret-key to generate the same galois keys to perform the right rows/columns rotations. Does this make sense? Is there any way to do it without exposing sensitive data?

[Pro7ech]

The decryption circuit requires the secret-key, so if you want to evaluate it on the server-side, it will need to know the secret-key.

Regarding the rotations, which require Galois keys, the owner of the secret-key can generate them and then share them to the party performing the evaluation. These are public key material and thus they can be shared without posing a security issue.

[fedejinich]

the decryption circuit (transciphering) requires an homomorphically encrypted "symmetric"-secret-key. Server-side shouldn't be able to decrypt it.

Galois keys are quite big to be shared over the network right? how would you share it?

[Pro7ech]

There is no other way than marshalling them into bytes and sending them on the network. If this is a blocker, you might want to take a look at Hierarchical Galois Key Management Systems for Privacy Preserving AIaaS with Homomorphic Encryption.

We plan to enable compressed keys (a factor of two improvement), but this is not yet available.