Fully Homomorphic Encryption (FHE) is seeing increasing real-world deployment to protect data in use by allowing computation over encrypted data. However, the same malleability that enables homomorphic computations also raises integrity issues, which have so far been mostly overlooked. While FHEs lack of integrity has obvious implications for correctness, it also has severe implications for confidentiality: a malicious server can leverage the lack of integrity to carry out interactive key-recovery attacks. As a result, virtually all FHE schemes and applications assume an honest-but-curious server who does not deviate from the protocol. In practice, however, this assumption is insufficient for a wide range of deployment scenarios. While there has been work that aims to address this gap, these have remained isolated efforts considering only aspects of the overall problem and fail to fully address the needs and characteristics of modern FHE schemes and applications. In this paper, we analyze existing FHE integrity approaches, present attacks that exploit gaps in prior work, and propose a new notion for maliciously-secure verifiable FHE. We then instantiate this new notion with a range of techniques, analyzing them and evaluating their performance in a range of different settings. We highlight their potential but also show where future work on tailored integrity solutions for FHE is still required.

翻译：全同态加密（FHE）在现实世界中的部署日益增多，通过允许对加密数据进行计算来保护使用中的数据。然而，实现同态计算的可塑性也引发了完整性方面的问题，这一问题迄今大多被忽视。虽然FHE缺乏完整性显然会影响正确性，但它也对机密性产生严重影响：恶意服务器可利用这种完整性缺失实施交互式密钥恢复攻击。因此，几乎所有FHE方案和应用都假设服务器为"诚实但好奇"（即不偏离协议）的模型。然而在实践中，这种假设对广泛的部署场景而言并不充分。尽管已有部分工作试图弥补这一缺陷，但这些研究仍各自为政，仅考虑整体问题的某些方面，未能全面满足现代FHE方案与应用的需求与特性。本文分析了现有FHE完整性方法，揭示了利用前人工作漏洞的攻击手段，并提出了一种恶意安全可验证FHE的新概念。随后，我们通过一系列技术实例化该概念，在不同场景下进行分析与性能评估。我们既展示了这些技术的潜力，也指出了未来仍需针对FHE定制完整性解决方案的研究方向。