Homomorphic encryption schemes are PKE schemes with an additional special method Evaluate. Evaluate method takes input any function (as boolean circuit) and encrypted inputs of the function and evaluates the circuit. The results of such function are still encrypted under the public key PK.
Sometimes, it would be too wide of a scope to allow execution of any arbitrary function.
How can one limit FHE schemes to allow only fewer circuits?
This concept is called targeted malleability:
http://crypto.stanford.edu/~dabo/pubs/abstracts/reshom.html
The abstract and introduction of that paper give a good overview of the ideas. In brief, the goal is to ensure that a homomorphic evaluator can only produce a ciphertext by evaluating a function from an "approved" class of functions. It is trivial to achieve this by attaching to the ciphertext a noninteractive proof/argument that it was computed correctly, but this yields a ciphertext whose length is at least linear in the length of the chain of homomorphic operations performed. (This may be acceptable if only a small number of such "hops" are needed.)
The solutions given in the paper instead use succinct noninteractive arguments of correct computation relative to the previous ciphertext in the chain. This keeps the ciphertext length from growing much, because only one proof is attached to the ciphertext. However, the argument system needs a stronger property of "extractability" (of the previous statement in the chain to be proved) to make this work.
it seems that you are looking for this paper of mine http://libeccio.dia.unisa.it/Papers/CHES/
Here we introduce the concept of a Controlled Homomorphic Encryption Scheme (CHES). In a CHES, for every circuit $C$, it is possible to homomorphically create a ciphertext of $C(m)$ from a ciphertext of $m$ (so far it is like a regular FHE) but only if a special token for circuit C is known (this is similar to functional encryption). The owner of the decryption key can generate tokens for any circuit.
By itself, no. Though research has been done to add the necessary features to make FHE circuit computation verifiable. These protocols would allow the one party to specify what can be computed on the encrypted data and then verify that the computation has been performed properly.
Thus, it differs from Functional Encryption somewhat. In FE, the worker can only compute the desired functionality. In HE, the worker could still presumably compute any circuit they wanted, but they could not forge a proof to trick the other party into believing that they had computed the correct circuit. Since the output is encrypted and the cipher is semantically secure, being able to compute any circuit on the ciphertexts will not leak any information.
See:
Non-interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers
Delegatable Homomorphic Encryption with Applications to Secure Outsourcing
of Computation
We have recently introduced the notion of controlled functional encryption (it is different from homomorphic encryption and more like functional encryption, but can be helpful) which can provide limited functionality very efficiently. We have a notion of authority and it can limit the functionality as desired. In controlled functional encryption model, any policy can be implemented very efficiently by the authority.
You can look at the paper or slides for more details.
Slides: http://naveed.pro/wp-content/uploads/2013/03/CFE.pdf
