Add definitions for other advanced crypto: FHE, MPC, WE (#33)

* setup new entries

* fhe

* add acronyms

* mpc blurb

* witness encryption

* nits

* add summary table

* disambiguate variables

* intro to mpc

* nits

* witness encryption examples

src/SUMMARY.md

@@ -17,9 +17,11 @@
 - [Evaluation Form](./definitions/evaluation_form.md)
 - [Fast Fourier Transform](./definitions/fast_fourier_transform.md)
 - [Fiat-Shamir Transform](./definitions/fiat_shamir.md)
+- [Fully Homomorphic Encryption (FHE)](./definitions/fhe.md)
 - [Instance](./definitions/instance.md)
 - [Lagrange Interpolation](./definitions/lagrange_interpolation.md)
 - [Language](./definitions/language.md)
+- [Multi-party Computation (MPC)](./definitions/mpc.md)
 - [Nullifier](./definitions/nullifier.md)
 - [Oracle](./definitions/oracle.md)
 - [PLONKish Arithmetization](./definitions/plonkish_arithmetization.md)
@@ -45,5 +47,6 @@
 - [Trusted Setup](./definitions/trusted_setup.md)
 - [Vanishing Polynomial](./definitions/vanishing_polynomial.md)
 - [Witness](./definitions/witness.md)
+- [Witness Encryption](./definitions/witness_encryption.md)
 - [Zero-Knowledge Proof](./definitions/zero_knowledge_proof.md)
 - [zkVM](./definitions/zkvm.md)

src/definitions/fhe.md

@@ -0,0 +1,21 @@
+# Fully Homomorphic Encryption (FHE)
+
+> An encryption scheme is said to be *fully homomorphic* if it allows to compute additions and multiplications on ciphertexts; decrypting the modified ciphertext reveals the result of applying those additions and multiplications to the original message.
+
+---
+
+Regular encryption allows one party (the sender) to hide a message such that there is only one party (the receiver) that can unhide it.
+
+Fully homomorphic encryption (FHE) adds the possibility of computing an arbitrary function $F$ on the ciphertext before it gets decrypted.
+The decryption will yield $F(\texttt{message})$.
+
+[![](../images/fhe.png)](../images/fhe.png)
+
+This process allows to outsource computation to an untrusted party without revealing the input data.
+Note however that FHE alone gives no guarantees as to what function $F$ was run.
+
+# Practicality
+
+FHE is regarded as the holy grail of encryption and for a long time was thought to be impossible.
+Today we are starting to see practical FHE schemes.
+Note however that they are orders of magnitude slower than symmetric encryption, and non-FHE public key schemes.

src/definitions/mpc.md

@@ -0,0 +1,30 @@
+# Multi-party Computation (MPC)
+
+> A protocol that allows mutually distrusting parties, each holding a secret, to jointly compute a function over their secrets without revealing any information other than the result.
+
+---
+
+As indicated in the name, MPC is a protocol between multiple parties.
+These parties each hold some data that they want to keep secret.
+They also do no trust each other but, for some reason, want to jointly compute a program together.
+
+An MPC protocol allows these parties to evaluate the function of interest on their joint private inputs without revealing anything other than the result.
+
+> **The canonical example: Yao's millionaire problem.**  
+> The example we usually use to illustrate this setting is known as Yao's millionaire problem, named after its inventor Andrew Yao.
+> Alice and Bob are two millionaires and want to know who is more rich.
+> However they don't want to reveal how much they own to each other, nor to any third party.
+>
+> The problem can then be extended to allow for more than 2 parties, and any arbitrary program rather than just a comparison of integers.
+
+## Generic vs Task-specific Protocols
+MPC protocols can be divided into two groups: those that are task-specific, and those that are generic.
+A generic protocol will allow the set of parties to compute any program they like.
+However, making the protocol generic prevents it from being optimized for the specific task at hand.
+On the other hand, task-specific protocols can take advantage fo this specialization and can be overall faster or cheaper to run.
+
+## Constructing MPC
+Generic 2-party MPC (2-PC) protocols can be built following the *garbled circuit* approach laid out by Andrew Yao [[Yao86]]((https://ieeexplore.ieee.org/document/4568207)).
+For further reading on garbled circuits, we recommend [*A Gentle Introduction to Yao’s Garbled Circuits*](https://web.mit.edu/sonka89/www/papers/2017ygc.pdf) by Sophia Yakoubov. 
+
+Protocols involving more parties will often use techniques such as [zero-knowledge proof](./zero_knowledge_proof.md) and [fully homomorphic encryption](./fhe.md).

src/definitions/witness_encryption.md

@@ -0,0 +1,36 @@
+# Witness Encryption
+
+> An encryption scheme where public keys are instances (public inputs of a circuits) and private keys are witnesses (the private inputs and intermediate computation steps).
+
+---
+
+Witness encryption is a generalization of public key encryption.
+
+Recall that for public key encryption, we pick one specific hard problem to generate private-public key pairs.
+For example, if we choose the discrete logarithm in [elliptic curves](./elliptic_curve.md) (EC), the private key is a scalar $s$ and the public key is a point $P = sG$.
+We assume that finding $s$ given $P$ is hard and use this fact to construct encryption schemes.
+
+In witness encryption, we allow to encrypt to any $\mathsf{NP}$-problem (see [Decision Problems](../intro_to_zk/what_is_proving.md#decision-problems)).
+For example, we could **encrypt to an [arithmetic circuit](./circuit.md)** --- the same ones we use for SNARKs (!).
+The **public key would be the public inputs**, while the **private key is the private inputs and all intermediate computation steps**.
+
+More formally, the public key is any [instance](./instance.md) of an $\mathsf{NP}$ relation, and the private key is a corresponding [witness](./witness.md).
+Note that depending on the relation, a single public key (instance) could have multiple private keys (witnesses).
+Depending on your use case this could be a nasty bug or a great feature!
+
+Here is a table summarizing the above discussion:
+| Scheme                         | Hard Problem              | Public Key     | Private Key                           |
+| ------------------------------ | ------------------------- | -------------- | ------------------------------------- |
+| EC public key encryption       | EC discrete logarithm     | Point $P = sG$ | Scalar $s$                            |
+| Circuit-based encryption       | Circuit satisfiability    | public inputs  | private inputs and intermediate wires |
+| Generic **witness encryption** | any $\mathsf{NP}$-problem | instance $x$   | witness $w$                           |
+
+## Witness Encryption in Practice
+**Witness encryption schemes are not yet practical**.
+Cryptographers are hard at work to make these schemes usable.
+
+However, we do have variants that are already available:
+- **commitment-based witness encryption (CWE).** In CWE, the public key is an instance $x$ and a commitment $\mathsf{com}$. The corresponding private key is a value $w$ such that $\mathsf{com}$ was a commitment to $w$ and $w$ was a valid witness for $x$. 
+    > **CWE example.** Following our circuit example: the public key would be the public inputs *and* a commitment to the private inputs + intermediate steps.
+- **signature-based witness encryption (SWE).** In SWE, the public key is a signature key $\mathsf{pk}$ and a string `s`. The corresponding private key is a signature on `s` by the secret key $\mathsf{sk}$ that corresponds to $\mathsf{pk}$.
+    > **SWE example.** SWE has been used to build *timelock encryption*, otherwise known as "encrypting to the future" [[DHMW22]](https://eprint.iacr.org/2022/433) [[GMR23]](https://eprint.iacr.org/2023/189).