Security question


We use Multiparty Homomorphic Encryption algorithm and would be grateful if you could help us to clarify one point. Say we have party A, who generates number a, and party B, who generates numbers b and c. It’s important for us to keep the values of b and c in secret from A. A encrypts number a and sends it to B, then B encrypts its numbers and calculates (a-b)*c using Multiparty HE. After that it partially decrypts this value and sends to A to complete decryption process.
First we considered the idea of encrypting all the values a, b and c and making all the calculations using HE algorithm (essentially it includes addition/subtraction and mutiplication of encrypted values). But, having in mind that b and c are both generated by the same party, we thought about the possibility to use only addition/subtraction part of algorithm without encrypting number c. So, what we want to do is to calculate (a-b) with the help of HE algorithm, then multiply it by c using the function EvalMultCipherConstant. The question is the following: is it secure to use the second approach if we are going to ask party A to decrypt the value of (a-b)*c and at the same time we can not afford to disclose the value of c to the party A?

Multiparty FHE is a secure cryptographic primitive that allows mutually distrusting parties to compute joint computations on their private data without any party learning anything about the other parties’ private data, beyond what the computed function itself can reveal about the private inputs.

Note that after party A decrypts, she will get something like the following:
r=(a-b)*c, with r and a being known variables.
If Party A learns any other piece of information about b and c, she might be able to learn them. Additionally, it is important to check for the possibility of multiple runs of the protocol and whether different results can be generated for the same inputs. This could help Party A learn b and c with a few hand-crafted choices of her inputs a_i.

Another scenario is if the decryption result r=0, party A can monitor such incidents and deduce that either a=b or c=0 for such protocol invocations.

Also, you did not mention if party A would send the decrypted result (r) back to party B. If that is the case, party B will learn a from a single run of the protocol. I just wanted to highlight this incident, even though it may be unimportant in your protocol.

Thus, your protocol seems secure to me given that the above scenarios are not feasible.