On the Efficiency of FHE-Based Private Queries

Private query processing is a very attractive problem in the fields of both cryptography and databases. In this work, we restrict our attention to the efficiency aspect of the problem, particularly for basic queries with conditions on various combinations of equality . Without loss of generality, these conditions can be regarded as a Boolean function, and this Boolean function can then be evaluated at ciphertexts produced by a fully homomorphic encryption (FHE) scheme without decryption . From the efficiency perspective, the remaining concern is to efficiently test the equality function without severely downgrading the performance of FHE-based querying solutions. To this end, we first analyze the multiplicative depth required for an equality test algorithm with respect to the plaintext space inhabited by general FHE schemes. The primary reason for this approach is that given an equality test algorithm, its efficiency is measured in terms of the multiplicative depth required to construct its arithmetic circuit expression. Indeed, the implemented equality test algorithm dominates the entire performance of FHE-based query solutions, apart from the performance of the underlying FHE scheme. Then, we measure the multiplicative depth considering an FHE scheme that takes an extension field as its plaintext space and that supports the depth-free evaluation of Frobenius maps. According to our analysis, when the plaintext space of an FHE scheme is a field of characteristic $2$ , the equality test algorithm for $\ell$ -bit messages requires the lowest multiplicative depth $\lceil \log {\ell}\rceil$ . Furthermore, we design a set of private query protocols for conjunctive, disjunctive, and threshold queries based on the equality test algorithm. Similarly, applying the equality test algorithm over $\mathbb {F}_{2^{\ell}}$ , our querying protocols require the minimum depths. More specifically, a multiplicative depth of $\lceil \log {\ell}\rceil +\lceil \log {(1+\rho)}\rceil$ is required for conjunctive and disjunctive queries, and a depth of $\lceil \log {\ell}\rceil +2\lceil \log {(1+\rho)}\rceil$ is required for threshold conjunctive queries, when their query conditions have $\rho$ attributes to be compared. Finally, we provide a communication-efficient version of our solutions, though with additional computational costs, when an upper bound $\delta$  ( $0\leq \delta \leq 1$ ) on the selectivity of a database is given. Consequently, we reduce the communication cost from $n$ to approximately $\lfloor \delta n\rfloor$ ciphertexts with $\lceil \log {n}\rceil$ additional depth when the database consists of $n$ tuples.