1. Introduction
Fully homomorphic encryption (FHE) can compute an arbitrary function on encrypted data without the secret key. This property enables FHE to be used in many applications such as private cloud computing. FHE was first proposed by Rivest, Adleman and Dertouzos in 1978 [1], and it remained an open problem in the cryptography community until the first FHE scheme was proposed by Gentry in 2009 [2]. Since then, a number of FHE schemes have been proposed based on different mathematical hard problems: for example, the scheme of [3] is based on prime ideals, the schemes of [4-6] are based on integers, and the schemes of [7-12] are based on Learning with Errors (LWE) or its ring variant (RLWE).
1.1 Related Work
Among these FHE schemes, LWE-based and RLWE-based FHE are very attractive because they are simple and effective, and because their security can be reduced to the worst-case hardness of standard lattice problems that appear to resist attack by both classical and quantum computers. In particular, Gentry, Sahai, and Waters (GSW) used the approximate eigenvector approach to propose an LWE-based FHE scheme in 2013 [10] whose ciphertext is a square matrix; multiplication of ciphertexts is thus multiplication of square matrices, which makes homomorphic multiplication very natural and simple.
Before the GSW scheme, since the LWE-based cryptosystem [15] itself supports additive homomorphism, the key point in constructing LWE-based FHE was to achieve multiplicative homomorphism. To construct LWE-based FHE, Brakerski and Vaikuntanathan introduced the critical technique of key switching in [7] to reduce the growth in ciphertext size caused by homomorphic multiplication. However, key switching is expensive. On the one hand, after each homomorphic multiplication we have to perform key switching by multiplying the resulting ciphertext by a matrix generated in the key-switching process. On the other hand, the key-switching matrix is part of the public key: for homomorphic evaluation of a circuit of depth L, the public key has to include L key-switching matrices. Key switching therefore needs a lot of space to store these matrices and greatly affects computational efficiency. If the ciphertext is a matrix, key switching is not needed. Thus it is important to study how to construct FHE schemes whose ciphertext is a matrix.
Moreover, GSW has an attractive feature, observed in [19], that the noise growth is quasi-additive if GSW ciphertexts are multiplied in sequence; this can be used to improve the approximation factor [19, 14] and the bootstrapping algorithm [13,23,24]. We think this feature is related to the ciphertext structure, which we call the decryption structure below.
1.2 Our Contribution
We present a general design method for constructing FHE whose ciphertext is a matrix. Using this design method, we can deduce the FHE scheme step by step from a basic encryption scheme. The process of deduction is similar to solving an equation, and the final output is an FHE scheme. As long as the basic encryption scheme satisfies one condition, this design method can be used to construct an FHE scheme from it. For example, LWE-based encryption, RLWE-based encryption, NTRU over RLWE [18] and even integer-based somewhat homomorphic encryption all satisfy the condition and can serve as the basic encryption scheme for constructing the corresponding FHE schemes. Thus the design method is general, and it reveals the essence of constructing FHE with ciphertext matrix.
Using this design method, we obtain three corresponding FHE schemes based on the LWE-based encryption scheme [15], the RLWE-based encryption scheme [16,25] and NTRU over RLWE, respectively. We also use this method to construct a packed-message FHE scheme from LWE; the result is the same as in [14]. This suffices to show that our design method is general.
It is important to work out how to choose the parameters of an FHE scheme to ensure correctness and security against lattice attacks. The performance and efficiency of FHE can be reflected by the size of the parameters. In order to obtain concrete parameters for FHE, Gentry et al. applied the LWE security analysis of Lindner and Peikert [21] to analyze the dimension needed for different security levels [22]. They also analyzed concrete parameters for the BGV scheme [8]. As far as we know, no paper provides concrete parameters for GSW, or a concrete comparison of GSW with other representative FHE schemes such as Bra [9]. We provide the concrete parameters in the appendix.
Our techniques: Our design method is based on the observation that we can stack several LWE encryptions to form a ciphertext matrix, namely each row of the matrix is an LWE ciphertext vector. We call this idea ciphertexts stack. If we make the corresponding encryption scheme homomorphic, we obtain an FHE scheme with ciphertext matrix.
The idea of ciphertexts stack plays an important role in our design method. It is inspired by [17,20], in which the authors improve Regev's LWE-based cryptosystem, which encrypts one bit at a time, to a multi-bit version that encrypts a vector at a time. Their method can actually be viewed as a type of ciphertexts stack. However, ciphertexts stack does not mean simply stacking some ciphertexts; rather, the stack needs to keep a certain structure.
Moreover, the decryption structure is a tool used in our design method to analyze the homomorphic property and noise growth. We unify three different decryption structures into one, which we call the abstract decryption structure. Then we derive the decryption structure of homomorphic multiplication from the abstract decryption structure, which we call the expected decryption structure. This means that if the decryption structure of the product of ciphertexts has the same structure as the expected decryption structure, the homomorphic property holds.
To construct an FHE with ciphertext matrix, we assume the ciphertext matrix C is formed by ciphertexts stack. According to the abstract decryption structure, we can derive the decryption structure with respect to C that yields the expected decryption structure; namely, this decryption structure results in the homomorphic property. However, the noise growth of homomorphic multiplication with respect to this decryption structure is large. We thus need to adjust the decryption structure repeatedly until the final decryption structure, with respect to a ciphertext C*, enables us to obtain not only the homomorphic property but also small noise growth during homomorphic operations. Moreover, from the viewpoint of ciphertexts stack, we can construct the encryption form of C* in which the part depending on the plaintext is viewed as an unknown variable M. The corresponding decryption structure of C* is called the virtual decryption structure. Finally, we establish an equation in the unknown M between the final decryption structure and the virtual decryption structure. We solve for M and eventually obtain the concrete encryption form of C*. Thus we achieve an FHE with ciphertext matrix.
If the ciphertext is a polynomial, e.g., a ciphertext polynomial taken from the encryption scheme NTRU over RLWE, our design method can also be applied to construct FHE. The resulting ciphertext is then not a matrix but a vector in which each element is a polynomial. Homomorphic multiplication is the product of a matrix and a vector, where the matrix is the binary decomposition of a ciphertext vector. The fact that an original ciphertext is transformed from a vector (e.g., LWE and RLWE encryption) to a matrix, or from a polynomial (e.g., NTRU over RLWE) to a vector, shows that it is the result of ciphertexts stack. The purpose of ciphertexts stack is to control the growth in noise and achieve the homomorphic property at the same time.
2. The Design Method of Constructing FHE
2.1 Decryption Structure
For the LWE-based encryption scheme, decryption has the form \(\lfloor\langle\boldsymbol{c}, \boldsymbol{s}\rangle \bmod q\rceil \bmod 2\), where c encrypts the plaintext bit m∈{0,1} under the secret key s. In particular, there is an important term in the decryption form, namely the inner product \(\langle\boldsymbol{c}, \boldsymbol{s}\rangle \bmod q=\lfloor q / 2\rfloor \cdot m+e \bmod q\). It connects the ciphertext c with the corresponding plaintext m and the noise e, which enables us to analyze the homomorphic property and noise growth clearly. We call \(\langle\boldsymbol{c}, \boldsymbol{s}\rangle \bmod q\) the decryption structure of the LWE-based encryption scheme. The same holds for the RLWE-based encryption scheme. Next we introduce three notions about the decryption structure.
At present, for LWE-based encryption schemes there are three types of decryption structure: \(\lfloor q / 2\rfloor \cdot m+e \bmod q\) [15], \(m+2 e \bmod q\) [7] and \(s \cdot m+e \bmod q\) [18]. The first two exist in both LWE-based and RLWE-based encryption schemes, while the last exists only in NTRU over RLWE, where s is a secret polynomial. We unify the above three types of decryption structure into one, namely x·m+e, which we call the abstract decryption structure. Here we denote the plaintext and noise by m and e respectively, and we view x and e as unknown variables. The abstract decryption structure can be used to analyze which decryption structure of the resulting ciphertext yields additive and multiplicative homomorphism.
Suppose two ciphertexts c1, c2 encrypt m1, m2 with abstract decryption structures x·m1 + e1 and x·m2 + e2 respectively. To achieve additive homomorphism, the decryption structure of the sum of c1 and c2 is required to keep the form x·(m1+m2) + e+, where e+ is the noise in the sum and x is an unknown variable. To achieve multiplicative homomorphism, the decryption structure of the product of c1 and c2 is required to keep the form x·(m1·m2) + e×, where e× is the noise in the product of c1 and c2. We refer to x·(m1+m2) + e+ and x·(m1·m2) + e× as the expected decryption structures for the addition and multiplication of ciphertexts. In other words, if the decryption structure of the resulting ciphertext has the same structure as the expected decryption structure during evaluation, the homomorphic property holds, noise aside.
To design an FHE scheme with ciphertext matrix, we first consider what form of decryption structure the ciphertext matrix should have in order to obtain the homomorphic property.
Suppose a ciphertext matrix C encrypts m under the secret key s. From the above description, the ciphertext C should have a decryption structure of the form \(\boldsymbol{C} \cdot \boldsymbol{s}=x \cdot m+e(\bmod q)\), where x and e are two unknown variables. Since additive homomorphism is obtained immediately, we focus only on how to obtain multiplicative homomorphism. For two ciphertexts C1 and C2 with decryption structures Ci·s = x·mi+ei (mod q) for i=1, 2, their product has the decryption structure C1·C2·s = C1·(x·m2+e2) = C1·x·m2+C1·e2 (mod q).
In order to achieve multiplicative homomorphism, the decryption structure of the product of C1 and C2 needs to have the same structure as the expected decryption structure x·(m1·m2) + e×. If we set x = s, we have
\(C_{1} \cdot C_{2} \cdot s=C_{1} \cdot\left(s \cdot m_{2}+e_{2}\right)=s \cdot m_{1} \cdot m_{2}+m_{2} \cdot e_{1}+C_{1} \cdot e_{2}=s \cdot m_{1} \cdot m_{2}+e^{\times}(\bmod q)\) (1)
where e× = m2·e1+C1·e2. Namely, the decryption structure of the product of C1 and C2 has the same structure as the expected decryption structure x·(m1·m2) + e×. Thus when the ciphertext matrix C has a decryption structure of the form C·s = s·m+e (mod q), the homomorphic property holds if noise growth is ignored. The encryption corresponding to this decryption structure is called zero homomorphic encryption; it is similar to the concept of somewhat homomorphic encryption [2] and can be regarded as the extreme case of somewhat homomorphic encryption.
If we take noise into account, the growth in noise depends mainly on \(\left\|C_{1}\right\|_{\infty}\) according to Equation (1). With the above decryption structure, not even one homomorphic multiplication can be performed, because the noise growth is too large. We therefore need to take some measure to suppress the growth in noise caused by homomorphic multiplication. For example, we represent the ciphertext matrix C1 in binary, namely BitDecomp(C1), to reduce the noise magnitude in the product of ciphertext matrices. Note that BitDecomp(C1) is the matrix formed by applying the operation to each row of C1 separately. Homomorphic multiplication is thus defined as BitDecomp(C1)·C2. However, the decryption structure corresponding to BitDecomp(C1)·C2, namely BitDecomp(C1)·C2·s = BitDecomp(C1)·s·m2+BitDecomp(C1)·e2 (mod q), does not have the same structure as the expected decryption structure, which means that multiplicative homomorphism cannot be achieved. The reason is that BitDecomp(C1) needs the corresponding secret key Powerof2(s) rather than s.
To achieve multiplicative homomorphism, we adjust the decryption structure of ciphertext matrix C as
\(\boldsymbol{C} \cdot \boldsymbol{s}=\text { Powerof2 }(\boldsymbol{s}) \cdot m+e(\bmod q).\) (2)
This is the final decryption structure, which achieves not only multiplicative homomorphism but also low noise growth during homomorphic operations. The dimension of C can be obtained from the dimension of s. This step actually uses ciphertexts stack to adjust the decryption structure; that is, we insert more LWE ciphertexts into the original ciphertext matrix.
2.2 Ciphertexts Stack
LWE encryption has the form \(\boldsymbol{c} \leftarrow(m, 0, \ldots, 0)+\boldsymbol{A}^{\mathrm{T}} \cdot \boldsymbol{r}=(m, 0, \ldots, 0)+\boldsymbol{c}_{0}(\bmod q)\), where m is a plaintext bit, r is a random vector and \(A=\left[\begin{array}{ll} \boldsymbol{b} & \boldsymbol{A}^{\prime} \end{array}\right]\) is an LWE matrix (A is also the public key). Here we denote the encryption of 0 by c0. Note that \(A \cdot s=b-A^{\prime} \cdot s^{\prime}=2 e^{\prime}\), where e´ is an error vector and s=(1, s´) is the secret key vector. RLWE encryption has a similar form.
The idea of ciphertexts stack is inspired by [17,20], in which a multi-bit version of Regev's lattice-based cryptosystem is proposed, namely \(c \leftarrow\left(m_{1}, m_{2}, \ldots m_{t}, 0 \ldots 0\right)+\boldsymbol{A}^{\mathrm{T}} \cdot \boldsymbol{r}(\bmod q) =\left(m_{1}, m_{2}, \ldots m_{t}, 0, \ldots 0\right)+\left[b_{1}, b_{2}, \ldots, b_{t} | \boldsymbol{A}^{\prime}\right]^{\mathrm{T}} \cdot \boldsymbol{r}(\bmod q)\). Their idea can actually be viewed as a type of ciphertexts stack.
Since we want to design an FHE scheme whose ciphertext is a matrix, the intuition is that the ciphertext matrix could be formed by stacking some LWE ciphertext vectors together (each row of the ciphertext matrix is an LWE ciphertext vector). However, ciphertexts stack does not simply stack these ciphertexts together; it must also obtain the expected decryption structure, and thus achieve the homomorphic property.
Suppose the ciphertext matrix C is formed by stacking some LWE ciphertext vectors. According to the LWE encryption form, we have C ← M + C0 (mod q), where M is viewed as an unknown variable depending on the plaintext m and each row of the matrix C0 is an encryption of 0. The decryption structure of the ciphertext matrix C has the form C·s = M·s + C0·s = M·s + e (mod q), where e is an error vector. This decryption structure is called the virtual decryption structure.
Recall that the final decryption structure of the form (2) achieves the homomorphic property and low noise growth at the same time. If the above virtual decryption structure has the same structure as the final decryption structure, the corresponding encryption scheme is an FHE scheme with ciphertext matrix. Thus we establish an equation between the virtual decryption structure and the final decryption structure, namely M·s + e = Powerof2(s)T·m + e (mod q) = G·s·m + e (mod q), where G = Powerof2(I)T and I denotes the identity matrix.
Then we solve for the unknown variable M from the above equation and derive M = G·m. Thus we obtain the concrete encryption form C ← G·m + C0 (mod q). Decryption is the same as LWE decryption: we choose the appropriate row of C, which is an LWE ciphertext, and decrypt it. The corresponding encryption scheme is an FHE scheme with ciphertext matrix.
2.3 The Design Method
At present, all FHE schemes are built on some known encryption scheme, which we call the basic encryption scheme. The encryption form of the basic encryption scheme is required to meet one condition when the design method below is applied to construct an FHE scheme: the encryption must have the form c ← m + c0, where m is the plaintext and c0 is an encryption of 0. Encryption schemes such as LWE encryption [15], ring LWE encryption [16], NTRU encryption over ring LWE [18] as well as the DGHV basic encryption scheme [4] all meet this condition. This means that the corresponding FHE scheme with ciphertext matrix can be obtained by applying the design method to each of these basic encryption schemes.
Let the ciphertext C be a matrix or a polynomial. In the case of a ciphertext matrix, we need to construct it from the basic encryption scheme. We assume that the ciphertext matrix C is formed by stacking up a certain number of ciphertext vectors that encrypt the plaintext m under the secret key s using the basic encryption scheme (e.g., the LWE-based encryption scheme). That is, each row of the ciphertext matrix C is a ciphertext vector. Decryption is the same as in the basic encryption scheme, i.e., the secret key s of the basic encryption scheme is used to decrypt some row of the ciphertext matrix. Thus the ciphertext matrix C is an encryption of the plaintext m under the secret key s, and the corresponding decryption structure is C·s.
In the case of a ciphertext polynomial, we do not need to construct it, since the known NTRU encryption scheme based on ring LWE already has a polynomial ciphertext. The corresponding decryption structure also has the form C·s, where C is a ciphertext polynomial and s is a secret key polynomial. Note that in this case we can skip step 1 and start directly from step 2 of the design method below. The design method is described as follows.
Step 1. Establish a decryption structure of the ciphertext C that achieves additive and multiplicative homomorphism without considering noise growth. From Section 2.1, the decryption structure of the ciphertext C should have the form C·s = s·m+e (mod q), where e is a noise variable. The dimension of C can be obtained from the dimension of s. This form of decryption structure potentially achieves the homomorphic property if noise growth is ignored. The encryption scheme with this decryption structure is the zero homomorphic encryption, which is obtained by jumping directly to step 3 and step 4.
Step 2. Adjust the decryption structure, and output the final decryption structure that simultaneously achieves the homomorphic property and low noise growth during homomorphic evaluation. From Section 2.1, the final decryption structure is derived as C*·s = Powerof2(s)T·m+e = G·s·m+e (mod q), where e is a noise variable and G = Powerof2(I)T. The dimensions of C* and G can be obtained from the dimension of s. Note that C* is the expansion of C obtained by inserting a certain number of ciphertexts into C. If C is a matrix, C* is also a matrix; if C is a polynomial, C* is a vector. Since a vector can also be seen as a matrix, C* is treated as a matrix in what follows, whether it is a matrix or a vector.
Step 3. Construct the form of the ciphertext matrix C* using ciphertexts stack. According to the ciphertext form of the basic encryption scheme, the ciphertext matrix C* can be represented as C* ← M+C0 (mod q) using ciphertexts stack, where the matrix M is seen as an unknown variable depending on the plaintext m and C0 is a matrix in which each row is an encryption of 0 produced by the basic encryption scheme. The decryption structure of C* has the form C*·s = M·s+e (mod q), where e is a noise variable. This decryption structure is also called the virtual decryption structure. Once we obtain the concrete form of M, we obtain the concrete encryption algorithm.
Step 4. Establish an equation about M between the virtual decryption structure and the final decryption structure, namely M·s+e = G·s·m+e (mod q). We derive M=G·m from this equation. Thus the encryption is obtained as C*←G·m + C0 (mod q).
Step 5. Decryption is the same as Regev's decryption procedure applied to one row of C*. Let \(\boldsymbol{c}_{l-1}\) be the (l-1)-th row of C*, namely the row in which the coefficient of the plaintext m is \(2^{l-1}\), where \(l=\lceil\log q\rceil-1\). Output \(\left\lfloor\frac{\langle\boldsymbol{c}_{l-1}, \boldsymbol{s}\rangle \bmod q}{2^{l-1}}\right\rceil \bmod 2\).
For the security of the scheme output by this design method: on the one hand, G is the "primitive matrix"; on the other hand, each row of C* is an LWE encryption of the plaintext bit m, so security follows from the security of Regev's encryption scheme. For each scheme obtained by this design method, we give a detailed proof of security later.
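As an added example (not code from the paper), the following Python carries steps 1-5 through for the LWE-based basic encryption of Section 2.2: the ciphertext matrix C* ← G·m + C0 (mod q) whose rows are LWE encryptions of 0, homomorphic multiplication BitDecomp(C1)·C2, and decryption on row l-1. It assumes toy parameters and a uniform B-bounded distribution in place of χ; the noise() function checks the final decryption structure (2) directly, so the noise bound of each operation can be observed rather than only derived.

```python
import random

# Toy parameters (assumption: sized for a runnable demo, far too small for any security).
N_DIM, Q, SAMPLES, BOUND = 4, 2**31 - 1, 8, 2   # n (length of s'), q, N LWE samples, B
L = Q.bit_length() - 1                          # l = ceil(log q) - 1 (q is not a power of two)
ROWS = (N_DIM + 1) * (L + 1)                    # rows of C*: one per (coordinate of s, bit j)
rng = random.Random(2024)                       # fixed seed for reproducibility; not a CSPRNG


def centered(x):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x


def chi():
    """Stand-in for the B-bounded error distribution (assumption: uniform on [-B, B])."""
    return rng.randint(-BOUND, BOUND)


def keygen():
    """Secret key s = (1, -s'); public key A = [b | A'] with b = A'.s' + 2e', so A.s = 2e'."""
    s_prime = [rng.randrange(Q) for _ in range(N_DIM)]
    s = [1] + [(-x) % Q for x in s_prime]
    A = []
    for _ in range(SAMPLES):
        a = [rng.randrange(Q) for _ in range(N_DIM)]
        b = (sum(x * y for x, y in zip(a, s_prime)) + 2 * chi()) % Q
        A.append([b] + a)
    return s, A


def powerof2(v):
    """Powerof2(v)[i*(l+1)+j] = 2^j * v_i, the key under which BitDecomp(c) decrypts."""
    return [(v[i] << j) % Q for i in range(len(v)) for j in range(L + 1)]


def bitdecomp(c):
    """Bit j of c_i at index i*(l+1)+j, so that <BitDecomp(c), Powerof2(s)> = <c, s>."""
    return [(c[i] >> j) & 1 for i in range(len(c)) for j in range(L + 1)]


def inner(u, v):
    return sum(x * y for x, y in zip(u, v)) % Q


def enc(A, m):
    """Step 4: C* <- G.m + C0 (mod q).  Row k = i*(l+1)+j is an LWE encryption of 0
    (A^T.r with r in {0,1}^N) plus 2^j * m in column i, i.e. row k of G.m."""
    C = []
    for k in range(ROWS):
        r = [rng.randint(0, 1) for _ in range(SAMPLES)]
        row = [sum(r[t] * A[t][col] for t in range(SAMPLES)) % Q for col in range(N_DIM + 1)]
        i, j = divmod(k, L + 1)
        row[i] = (row[i] + (m << j)) % Q
        C.append(row)
    return C


def dec(s, C):
    """Step 5: Regev decryption of row l-1, whose plaintext coefficient is 2^(l-1)."""
    v = centered(inner(C[L - 1], s))
    return ((v + (1 << (L - 2))) >> (L - 1)) % 2   # round(v / 2^(l-1)) mod 2


def noise(s, C, m):
    """max |C*.s - m.Powerof2(s)| (centered): the noise e of the final decryption structure (2)."""
    p2 = powerof2(s)
    return max(abs(centered(inner(row, s) - m * p2[k])) for k, row in enumerate(C))


def add(C1, C2):
    """Entrywise sum: plaintext m1 + m2, noise e1 + e2."""
    return [[(x + y) % Q for x, y in zip(r1, r2)] for r1, r2 in zip(C1, C2)]


def mult(C1, C2):
    """BitDecomp(C1).C2 (mod q): decrypts under s to m1*m2 with noise m2*e1 + BitDecomp(C1).e2."""
    out = []
    for row in C1:
        bits = bitdecomp(row)
        out.append([sum(C2[k][col] for k in range(ROWS) if bits[k]) % Q for col in range(N_DIM + 1)])
    return out


if __name__ == "__main__":
    s, A = keygen()
    C1, C2 = enc(A, 1), enc(A, 1)
    P = mult(C1, C2)
    print("dec(C1) =", dec(s, C1), " dec(BitDecomp(C1).C2) =", dec(s, P))
    print("fresh noise =", noise(s, C1, 1), " product noise =", noise(s, P, 1))
```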
3. A RLWE-based FHE Scheme with Ciphertext Matrix
The basic encryption scheme that this FHE scheme is built on is the RLWE-based encryption scheme [16]. In the ring LWE encryption scheme, the secret key is a 2-dimensional vector \(\boldsymbol{s}=\left(1,-s^{\prime}\right)\), where s' is a polynomial over R sampled from the error distribution. To generate the public key, choose a uniformly random element a∈Rq and a small element e∈R from the error distribution, and output the public key \(\boldsymbol{b}^{\prime}=\left(b=a \cdot s^{\prime}+e, a\right) \in R_{q} \times R_{q}\). To encrypt an n-bit message t∈{0,1}^n, we use its bits as the 0-1 coefficients of a polynomial m∈R2. The encryption algorithm then chooses three random small elements r, e1, e2∈R from the error distribution and outputs \(c \leftarrow\left(\lfloor q / 2\rfloor \cdot m+b r+e_{1}, a r+e_{2}\right)=(\lfloor q / 2\rfloor \cdot m, 0)+\boldsymbol{b}^{\prime} \cdot r+\boldsymbol{e}^{\prime}=\boldsymbol{m}+\boldsymbol{c}_{0} \in R_{q} \times R_{q}\), where \(\boldsymbol{e}^{\prime}=\left(e_{1}, e_{2}\right)\), \(\boldsymbol{m}=(\lfloor q / 2\rfloor \cdot m, 0)\) and \(\boldsymbol{c}_{0}=\boldsymbol{b}^{\prime} \cdot r+\boldsymbol{e}^{\prime}\). Thus the decryption structure is \(\boldsymbol{c} \cdot \boldsymbol{s}=\boldsymbol{m} \cdot \boldsymbol{s}+\boldsymbol{c}_{0} \cdot \boldsymbol{s}=\lfloor q / 2\rfloor \cdot m+r \cdot e+e_{1}-s^{\prime} \cdot e_{2}\). As long as the coefficients of \(r \cdot e+e_{1}-s^{\prime} \cdot e_{2}\) have magnitude less than q/4, the message can be recovered by \(\left\lfloor\frac{2}{q}[\langle\boldsymbol{c}, \boldsymbol{s}\rangle]_{q}\right\rceil \bmod 2\). Ring LWE encryption obviously satisfies the condition on the basic encryption scheme for constructing an FHE scheme using the design method. Next we first explain how to construct this FHE scheme using the design method, and then we give the FHE scheme itself.
3.1 Using the Design Method to Construct an RLWE-Based FHE Scheme with Ciphertext Matrix
Assume that the ciphertext C is a matrix in which each row is an encryption produced by the RLWE-based encryption scheme under the secret key s=(1, -s’) where s’∈Rq.
In step 1, we obtain the decryption structure of the form \(C \cdot s=s \cdot m+e=\left[\begin{array}{c} 1 \\ s^{\prime} \end{array}\right] \cdot m+e(\bmod q)\), where e is a noise variable. From this we can deduce that e is a 2-dimensional vector and the ciphertext C is a 2×2 matrix.
By step 2, the final decryption structure is output and has the form
\(\boldsymbol{C}^{*} \cdot \boldsymbol{s}=\boldsymbol{G} \cdot \boldsymbol{s} \cdot m+e=\left[\begin{array}{c} 1 \\ 2 \\ \vdots \\ 2^{l} \\ s^{\prime} \\ 2 s^{\prime} \\ \vdots \\ 2^{l} s^{\prime} \end{array}\right] \cdot m+e(\bmod q)\) (3)
where e is a noise variable and \(l=\lceil\log q\rceil-1\). We can deduce that e is a 2(l+1)-dimensional vector and C* is a 2(l+1)×2 matrix.
By step 3 and step 4, we obtain the encryption that has the form of
\(C^{*} \leftarrow G m+C_{0}=\left[\begin{array}{cc} 1 & 0 \\ 2 & 0 \\ \vdots & \vdots \\ 2^{l} & 0 \\ 0 & 1 \\ 0 & 2 \\ \vdots & \vdots \\ 0 & 2^{l} \end{array}\right] m+C_{0}(\bmod q)\) (4)
This FHE scheme is given as follows in detail.
- RLFHE.Setup(λ, L): Input the security parameter λ and the circuit level L. Choose a prime integer modulus q(λ) ≥ 2 and a dimension parameter n(λ) ≥ 1 which is a power of two. Let \(\phi(x)=x^{n}+1\) be the nth cyclotomic polynomial. Let \(R=\mathbb{Z}[x] / \phi(x)\) and \(R_{q}=\mathbb{Z}_{q}[x] / \phi(x)\). Let \(\chi\) be the B-bounded discrete Gaussian distribution over the ring R. Let \(l=\lceil\log q\rceil-1\). Output params = (n, q, f(x), χ).
- RLFHE.SecretKeyGen(params): Sample s’← χ. Set sk= s = (1, -s’)∈Rq × Rq.
- RLFHE.PublicKeyGen(params,sk): Sample a←Rq and e← χ. Compute b=a·s′+e. Set pk= b’=( b, a)∈Rq × Rq.
- RLFHE.Enc(params, pk, m): To encrypt an n-bit message in {0,1}^n, we use its bits as the 0-1 coefficients of a polynomial m∈R2. Sample \(\boldsymbol{R} \leftarrow \chi^{2(l+1) \times 1}\) and \(\boldsymbol{E} \leftarrow \chi^{2(l+1) \times 2}\), where R is a 2(l+1)×1 matrix and E is a 2(l+1)×2 matrix in which each entry is sampled from the discrete Gaussian distribution χ. Output the ciphertext:
\(C \leftarrow\left[\begin{array}{cc} 1 & 0 \\ 2 & 0 \\ \vdots & \vdots \\ 2^{l} & 0 \\ 0 & 1 \\ 0 & 2 \\ \vdots & \vdots \\ 0 & 2^{l} \end{array}\right] m+\boldsymbol{R} \cdot \boldsymbol{b}^{\prime}+\boldsymbol{E} \in R_{q}^{2(l+1) \times 2}.\) (5)
- RLFHE.Dec(sk, C): Let \(\boldsymbol{c}_{l-1}\) be the (l-1)-th row of C, namely the row in which the coefficient of the plaintext m is \(2^{l-1}\). Output \(\left\lfloor\frac{\langle\boldsymbol{c}_{l-1}, \boldsymbol{s}\rangle \bmod q}{2^{l-1}}\right\rceil \bmod 2\).
- RLFHE.Add(C1, C2): Output C1+C2∈ \(R_{q}^{2(l+1) \times 2}\) .
- RLFHE.Mult(C1, C2): Output BitDecomp(C1)·C2 ∈ \(R_{q}^{2(l+1) \times 2}\).
Lemma 3.1 (security). Let params = (n, q, f(x), χ) be such that the ring LWE assumption holds. Then for any m ∈ R2, if \(\boldsymbol{s} \leftarrow \text{RLFHE.SecretKeyGen}(params)\), \(\boldsymbol{b}^{\prime} \leftarrow \text{RLFHE.PublicKeyGen}(params, sk)\) and \(C \leftarrow \text{RLFHE.Enc}(params, pk, m)\), it holds that the joint distribution (b', C) is computationally indistinguishable from uniform over \(R_{q}^{2} \times R_{q}^{2(l+1) \times 2}\).
Proof. The security of the above scheme has two parts. First, we need to prove that the public key is indistinguishable from uniform over Rq × Rq. Second, we need to prove that the ciphertext matrix is indistinguishable from uniform over \(R_{q}^{2(l+1) \times 2}\). For the first part, since the public key b' = (b, a) is a ring LWE instance, it is indistinguishable from uniform over Rq × Rq under the ring LWE assumption. For the second part, since each row of the ciphertext matrix is a ciphertext produced by the ring LWE encryption scheme, the ciphertext matrix is indistinguishable from uniform over \(R_{q}^{2(l+1) \times 2}\) under the ring LWE assumption. Therefore, the joint distribution (b', C) is computationally indistinguishable from uniform over \(R_{q}^{2} \times R_{q}^{2(l+1) \times 2}\).
3.2 Analysis of Noise
Below we analyze noise growth to show that the above scheme is a leveled FHE scheme. We first analyze the noise magnitude at encryption and decryption, and then analyze noise growth during homomorphic operations.
3.2.1 Encryption Noise and Decryption Noise
Lemma 4.2 (encryption noise). Let \(\text{params}=(n, q, f(x),|\chi| \leq B)\) be parameters for the above scheme. Sample \(s^{\prime} \leftarrow \chi\) and set \(\boldsymbol{s} \leftarrow\left(1,-s^{\prime}\right)\). Let m∈R2 be any polynomial. Set \(\boldsymbol{b}^{\prime} \leftarrow \text{RLFHE.PublicKeyGen}(params, sk)\) and \(C \leftarrow \text{RLFHE.Enc}(params, pk, m)\). Then for some \(\boldsymbol{e} \in R_{q}^{2(l+1)}\) with \(\|\boldsymbol{e}\|_{\infty} \leq 2 n B^{2}+B\), it holds that \(\boldsymbol{C} \cdot \boldsymbol{s}=m \cdot \text{Powerof2}(\boldsymbol{s})+\boldsymbol{e}(\bmod q)\). We call e the noise in the ciphertext C.
Proof. By definition
\(\begin{aligned} \boldsymbol{C} \cdot \boldsymbol{s} &=m \cdot \text{Powerof2}(\boldsymbol{s})+\boldsymbol{R} \cdot \boldsymbol{b}^{\prime} \cdot \boldsymbol{s}+\boldsymbol{E} \cdot \boldsymbol{s}(\bmod q) \\ &=m \cdot \text{Powerof2}(\boldsymbol{s})+\boldsymbol{R} \cdot e+\boldsymbol{E} \cdot \boldsymbol{s}(\bmod q) \\ &=m \cdot \text{Powerof2}(\boldsymbol{s})+\boldsymbol{e}(\bmod q) \end{aligned}\) (6)
Since \(|\chi| \leq B\), we have \(\|\boldsymbol{e}\|_{\infty}=\|\boldsymbol{R} \cdot e+\boldsymbol{E} \cdot \boldsymbol{s}\|_{\infty} \leq\|\boldsymbol{R} \cdot e\|_{\infty}+\|\boldsymbol{E} \cdot \boldsymbol{s}\|_{\infty} \leq n B^{2}+B+n B^{2}=2 n B^{2}+B\), and the lemma follows.
The above lemma means that a fresh ciphertext, namely a ciphertext produced by encryption rather than by homomorphic operations, has noise magnitude at most \(2 n B^{2}+B\).
Lemma 4.3 (decryption noise). Let χ be the B-bounded discrete Gaussian distribution over the ring R. Sample s′← χ. Set s←(1, -s′ ). Let \(C \in R_{q}^{2(l+1) \times 2}\) be such that
\(\boldsymbol{C} \cdot \boldsymbol{s}=m \cdot \text { Powerof2 }(\boldsymbol{s})+\boldsymbol{e}(\bmod q)\),
with \(m \in R_{2}\) and \(\|e\|_{\infty}<q / 8\). Then
\(m \leftarrow \text{RLFHE.Dec}(\boldsymbol{s}, \boldsymbol{C})\). (7)
Proof. Let \(\boldsymbol{c}_{l-1}\) be the (l-1)-th row of C. Then we have \(\langle\boldsymbol{c}_{l-1}, \boldsymbol{s}\rangle=m \cdot 2^{l-1}+e(\bmod q)\), where \(|e|<q / 8\). Since \(q / 4<2^{l-1}<q / 2\), we have \(\left\|e / 2^{l-1}\right\|_{\infty}<1 / 2\). Therefore \(m \leftarrow\left\lfloor\left(\langle\boldsymbol{c}_{l-1}, \boldsymbol{s}\rangle \bmod q\right) / 2^{l-1}\right\rceil \bmod 2\), namely \(m \leftarrow \text{RLFHE.Dec}(\boldsymbol{s}, \boldsymbol{C})\).
The above lemma means that correct decryption is guaranteed as long as the noise in the ciphertext matrix C has magnitude below q/8.
3.2.2 Analysis of Noise Growth
Homomorphic addition and multiplication increase the noise in the ciphertext. Since noise grows slightly with homomorphic addition and substantially with homomorphic multiplication, we focus on the analysis of noise growth in homomorphic multiplication.
Suppose C1 and C2 encrypt m1 and m2 ∈ R2 under the secret key s respectively. It holds that Ci·s = mi·Powerof2(s)+ei for i∈{1,2}, where \(\left\|e_{i}\right\|_{\infty} \leq \beta=2 n B^{2}+B\). Let \(C^{\times}=\operatorname{BitDecomp}\left(C_{1}\right) \cdot C_{2}\), namely C× is the homomorphic multiplication of C1 and C2. We have
\(\begin{aligned} C^{\times} \cdot s &=\operatorname{BitDecomp}\left(C_{1}\right) \cdot C_{2} \cdot s \\ &=\operatorname{BitDecomp}\left(C_{1}\right) \cdot\left(m_{2} \cdot \text{Powerof2}(s)+e_{2}\right) \\ &=m_{1} m_{2} \cdot \text{Powerof2}(s)+m_{2} \cdot e_{1}+\operatorname{BitDecomp}\left(C_{1}\right) \cdot e_{2} \\ &=m_{1} m_{2} \cdot \text{Powerof2}(s)+e^{\times}. \end{aligned}\)
Since \(\left\|e_{i}\right\|_{\infty} \leq \beta\), we have \(\left\|e^{\times}\right\|_{\infty} \leq 2 n(l+1) \beta+n \beta\). Set N = n(l+1); then \(\left\|e^{\times}\right\|_{\infty} \leq(2 N+n) \beta\). This is only the noise caused by one homomorphic multiplication of two fresh ciphertexts. After evaluating a depth-L circuit (L levels of multiplication), the noise grows to at most \((2 N+n)^{L} \cdot \beta \sim(2 n \log q)^{L} \cdot \beta\). To guarantee correct decryption, the final noise magnitude is required to be below q/8.
For security, the best known algorithm for LWE runs in time approximately \(2^{n / \log (q / B)}\); this also holds for ring LWE. Therefore, choosing B polynomial in n and \(q=2^{n^{\varepsilon}}\) for any ε<1, we can derive \(L \approx \log q \approx n^{\varepsilon}\) from \((2 N+n)^{L} \cdot \beta<q / 8\). This means that we can homomorphically evaluate a circuit of polynomial depth using the above scheme from ring LWE. Thus the above scheme is a leveled FHE scheme.
4. An NTRU-Type FHE with Ciphertext Matrix
When the ciphertext is a polynomial, there is a known encryption scheme whose ciphertext is a polynomial: the NTRU scheme from ring LWE in [18]. We take this NTRU scheme as the basic encryption scheme and construct an FHE scheme based on it. In this NTRU basic encryption scheme, the secret key \(f = 2f' + 1\) is invertible in \(R_q\), where \(f'\) is sampled from the error distribution, and the public key is \(h = 2g \cdot f^{-1} \in R_q\), where \(g\) is sampled from the error distribution. To encrypt a message \(m \in R_2\), sample \(s, e\) from the error distribution and output the ciphertext \(c \leftarrow m + h \cdot s + 2e \in R_q\). The decryption is \(m \leftarrow c \cdot f \bmod q \bmod 2 \in R_2\). Thus the decryption structure has the form \(c \cdot f = m \cdot f + 2g \cdot s + 2e \cdot f \in R_q\), where \(g \cdot s + e \cdot f\) is called the noise in the ciphertext. As long as the noise is below \(q/4\), correct decryption is guaranteed. It is obvious that the NTRU basic encryption scheme meets the condition for constructing an FHE scheme by using the design method.
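To make the decryption structure above concrete, here is an added Python example (not code from the paper or from [18]) of the NTRU basic encryption scheme over R_q = Z_q[x]/(x^n + 1) with toy parameters n = 16 and q = 2^12. It assumes a power-of-two modulus, so that f = 2f' + 1 can be inverted by a finite geometric series, and uses a ternary distribution as a constructed stand-in for the error distribution; the demo checks c·f = m·f + 2(g·s + e·f), the q/4 noise bound, and the additive homomorphism that Section 4.1 relies on.

```python
import random
N, K = 16, 12   # ring degree n and q = 2^K: constructed toy parameters (power-of-two q is an assumption)
Q = 1 << K
ONE = [1] + [0] * (N - 1)

def mul(a, b):
    """Multiply in R_q = Z_q[x]/(x^n + 1): negacyclic convolution with x^n = -1."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            res[(i + j) % N] += ai * bj if i + j < N else -ai * bj
    return [c % Q for c in res]
def add(a, b): return [(x + y) % Q for x, y in zip(a, b)]
def scale(a, k): return [(x * k) % Q for x in a]
def centered(a): return [x - Q if x > Q // 2 else x for x in a]    # lift to (-q/2, q/2]
def small(rng): return [rng.choice((-1, 0, 1)) for _ in range(N)]   # toy stand-in for the error distribution

def inverse_of_odd(f_prime):
    """f = 2f'+1 is a unit mod 2^K: f^{-1} = sum_{j<K} (-2f')^j, because (2f')^K = 0 mod 2^K."""
    t, acc, pw = scale(f_prime, -2), ONE, ONE
    for _ in range(1, K):
        pw = mul(pw, t)
        acc = add(acc, pw)
    return acc

def keygen(rng):
    f_prime, g = small(rng), small(rng)
    f = add(scale(f_prime, 2), ONE)                          # secret key f = 2f' + 1
    return f, g, scale(mul(g, inverse_of_odd(f_prime)), 2)   # public key h = 2g * f^{-1}

def encrypt(h, m, rng):
    s, e = small(rng), small(rng)
    return add(add(m, mul(h, s)), scale(e, 2)), (s, e)       # c = m + h*s + 2e

def decrypt(c, f):
    return [x % 2 for x in centered(mul(c, f))]              # (c*f mod q) mod 2

def noise(c, f, m):
    """Recover g*s + e*f from the decryption structure c*f = m*f + 2(g*s + e*f)."""
    return [d // 2 for d in centered(add(mul(c, f), scale(mul(m, f), -1)))]

def demo(seed=1):
    rng = random.Random(seed)
    f, g, h = keygen(rng)
    m1, m2 = ([rng.randrange(2) for _ in range(N)] for _ in range(2))
    c1, (s1, e1) = encrypt(h, m1, rng)
    c2, _ = encrypt(h, m2, rng)
    additive = decrypt(add(c1, c2), f) == [(a + b) % 2 for a, b in zip(m1, m2)]
    nz = noise(c1, f, m1)
    structure = nz == centered(add(mul(g, s1), mul(e1, f)))  # the noise really is g*s + e*f
    return decrypt(c1, f) == m1, additive, structure, max(map(abs, nz)) < Q // 4
```

With these parameters the noise coefficients are bounded by n + 3n = 64, far below q/4 = 1024, which is why the bound check in the demo always holds.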
4.1 Using the Design Method to Construct an NTRU-Type FHE Scheme
From the decryption structure of the NTRU basic encryption scheme, we know that this scheme is a zero homomorphic encryption by nature. Thus we start directly from step 2 to construct an FHE scheme by using the design method.
In step 2, the final decryption structure is derived as \(C^{*} \cdot f = \operatorname{Powerof2}(f)^{\mathrm{T}} \cdot m + e (\bmod q)\), where \(f\) is the secret key and \(e\) is a noise variable. It is obvious that \(C^{*}\) is a vector of length \(l+1 = \lceil \log q \rceil\). By step 3 and step 4, we obtain the encryption of the form
\(C^{*} \leftarrow G m + C_{0} = \operatorname{Powerof2}(1)^{\mathrm{T}} \cdot m + C_{0} = \left[\begin{array}{c} 1 \\ 2 \\ \vdots \\ 2^{l} \end{array}\right] \cdot m + C_{0} (\bmod q)\). The details of this FHE scheme are omitted.
5. A Packing Messages FHE from LWE
By using the design method, we can construct an FHE scheme that encrypts a plaintext matrix instead of a plaintext bit; that is, multiple plaintexts are packed into one ciphertext. The packing-message FHE scheme obtained by the design method is the same as that in [14]. This suffices to show that the design method is general.
The idea of constructing a packing-message FHE scheme by using the design method is to stack up a number of encryptions of plaintext vectors instead of a number of encryptions of plaintext bits. We first recall the basic encryption scheme that the packing-message FHE scheme is based on. To encrypt a plaintext vector \(\boldsymbol{m} = (m_{1}, m_{2}, \ldots, m_{t})\) of length \(t\) with \(m_i \in \{0,1\}\), according to the encryption schemes proposed in [17,20], a matrix \(\boldsymbol{A}' \in \mathbb{Z}_{q}^{m \times n}\) is chosen uniformly at random, an error vector \(\boldsymbol{e}_i\) is chosen from a Gaussian distribution, and \(\boldsymbol{s}_{i} \in \mathbb{Z}_{q}^{n}\) is chosen uniformly at random for \(1 \leq i \leq t\). Let \(S' = [\boldsymbol{s}_{1}, \boldsymbol{s}_{2}, \ldots, \boldsymbol{s}_{t}]\) be the matrix whose \(i\)-th column is the vector \(\boldsymbol{s}_i\). The secret key is \(S = \left[\begin{array}{c} I \\ -S' \end{array}\right]\), where \(I\) denotes the \(t \times t\) identity matrix. Set \(\boldsymbol{b}_{i} = \boldsymbol{A}' \boldsymbol{s}_{i} + \boldsymbol{e}_{i} \in \mathbb{Z}_{q}^{m}\) for \(1 \leq i \leq t\). The public key is \(\left[\boldsymbol{b}_{1}, \boldsymbol{b}_{2}, \ldots, \boldsymbol{b}_{t} \mid \boldsymbol{A}'\right]\). Sampling a vector \(\boldsymbol{r} \in \{0,1\}^{m}\), the encryption of a plaintext vector \(\boldsymbol{m}\) under the secret key \(S\) is \(\boldsymbol{c} \leftarrow (\lfloor q/2 \rfloor \cdot \boldsymbol{m}, 0, \ldots, 0) + \left[\boldsymbol{b}_{1}, \boldsymbol{b}_{2}, \ldots, \boldsymbol{b}_{t} \mid \boldsymbol{A}'\right]^{\mathrm{T}} \boldsymbol{r} (\bmod q)\). The corresponding decryption is \(\left\lfloor \frac{2}{q} [\boldsymbol{c} \cdot S]_{q} \right\rceil \bmod 2\). If we stack up a number of ciphertexts produced by this basic encryption to form a ciphertext matrix, it is possible to construct a packing-message FHE scheme with ciphertext matrix; the intuition is that the corresponding plaintext may then be a matrix. Below we describe how to use the design method to deduce a packing-message FHE scheme with ciphertext matrix.
Let \(C\) be an \((n+t) \times (n+t)\) square matrix, and suppose each row of the ciphertext matrix \(C\) is a ciphertext produced by the above basic encryption scheme under the \((n+t) \times t\) secret matrix \(S\). From step 1 of the design method, we obtain the decryption structure \(C \cdot S = S \cdot m + e (\bmod q)\), where \(e\) is a noise variable. We can deduce that \(m\) is a \(t \times t\) square matrix and \(e\) is an \((n+t) \times t\) matrix. From step 2, the final decryption structure has the form \(C^{*} \cdot S = \operatorname{Powerof2}(S) \cdot m + e^{*} = G \cdot S \cdot m + e^{*} (\bmod q)\). We can deduce that \(C^{*}\) is an \((n+t)(l+1) \times (n+t)\) matrix and \(e^{*}\) is an \((n+t)(l+1) \times t\) matrix. According to step 3, we construct the ciphertext matrix \(C^{*}\) by stacking ciphertexts and obtain the corresponding encryption form \(C^{*} \leftarrow M + C_{0} (\bmod q)\), where the unknown variable \(M\) is an \((n+t)(l+1) \times (n+t)\) matrix depending on the plaintext and \(C_{0}\) is an \((n+t)(l+1) \times (n+t)\) matrix of encryptions of 0. Thus the decryption structure of \(C^{*}\), namely the virtual decryption structure, is \(C^{*} \cdot S \leftarrow M \cdot S + C_{0} \cdot S = M \cdot S + e^{*} (\bmod q)\), where \(e^{*}\) is a noise variable.
Then we establish an equation between the virtual decryption structure and the final decryption structure, namely \(M \cdot S + e^{*} = G \cdot S \cdot m + e^{*} (\bmod q)\). Solving this equation for \(M\) gives \(M \cdot S = G \cdot S \cdot m\). Since \(M \cdot S = M \cdot \left[\begin{array}{c} I \\ -S' \end{array}\right]\), we have \(M = [G \cdot S \cdot m \mid 0]\). Therefore the concrete encryption form is obtained, namely \(C^{*} \leftarrow [G \cdot S \cdot m \mid 0] + C_{0} (\bmod q)\). The decryption is the same as in the basic encryption scheme. Note that \(M = [G \cdot S \cdot m \mid 0]\) may be just one possible solution of the equation \(M \cdot S = G \cdot S \cdot m\); we do not know whether there are other solutions.
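As an added example (not code from the paper or from [14]), the following Python puts the basic packed LWE encryption recalled above and the derived form C* ← [G·S·m | 0] + C0 into toy dimensions and checks the derivation numerically: the basic ciphertexts decrypt correctly, and C*·S − G·S·m is exactly the small noise C0·S. The parameters n = 4, t = 2, m = 8, q = 256 and the ternary error are constructed here; a power-of-two q is assumed so that l + 1 = log2 q.

```python
import random
n, t, M_ROWS, Q = 4, 2, 8, 256   # constructed toy sizes: n, t, m (rows of A') and a power-of-two q (assumption)
L = Q.bit_length() - 1           # l + 1 = log2(q) = 8 gadget rows per coordinate

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % Q for col in zip(*B)] for row in A]
def centered(x): return x - Q if x > Q // 2 else x   # representative of x in (-q/2, q/2]

def keygen(rng):
    A = [[rng.randrange(Q) for _ in range(n)] for _ in range(M_ROWS)]         # A' in Z_q^{m x n}
    Sp = [[rng.randrange(Q) for _ in range(t)] for _ in range(n)]             # S' = [s_1 .. s_t]
    E = [[rng.choice((-1, 0, 1)) for _ in range(t)] for _ in range(M_ROWS)]   # toy errors e_1 .. e_t
    B = [[(x + e) % Q for x, e in zip(r1, r2)] for r1, r2 in zip(matmul(A, Sp), E)]  # b_i = A's_i + e_i
    PK = [b + a for b, a in zip(B, A)]                                         # [b_1 .. b_t | A']
    S = [[int(i == j) for j in range(t)] for i in range(t)] + [[-x % Q for x in r] for r in Sp]  # [I; -S']
    return PK, S

def encrypt_row(PK, msg, rng, scaled=True):
    """Basic scheme: c = (floor(q/2) m, 0, .., 0) + [b|A']^T r; scaled=False drops the q/2 factor (for C0)."""
    r = [rng.randrange(2) for _ in range(M_ROWS)]
    lift = Q // 2 if scaled else 1
    return [(ci + lift * mi) % Q for ci, mi in zip(matmul([r], PK)[0], msg + [0] * n)]
def decrypt_row(c, S):
    return [round(2 * centered(x) / Q) % 2 for x in matmul([c], S)[0]]   # round(2/q [c.S]_q) mod 2

def gadget():
    """G with G.S = Powerof2(S): block-diagonal copies of (1, 2, .., 2^l)^T, size (n+t)L x (n+t)."""
    G = [[0] * (n + t) for _ in range((n + t) * L)]
    for i in range(n + t):
        for j in range(L):
            G[i * L + j][i] = 1 << j
    return G
def encrypt_matrix(PK, S, m, rng):
    """Packed scheme of Section 5: C* = [G.S.m | 0] + C0, with C0 a stack of encryptions of 0."""
    GSm = matmul(matmul(gadget(), S), m)                                       # (n+t)L x t
    return [[(x + c) % Q for x, c in zip(row + [0] * n, encrypt_row(PK, [0] * t, rng, scaled=False))]
            for row in GSm]

def noise_of(Cstar, S, m):
    """Largest entry of e* = C*.S - G.S.m; by the derivation e* = C0.S = R.E, so |e*| <= m = M_ROWS."""
    GSm = matmul(matmul(gadget(), S), m)
    return max(abs(centered((a - b) % Q)) for ra, rb in zip(matmul(Cstar, S), GSm) for a, b in zip(ra, rb))

def demo(seed=3):
    rng = random.Random(seed)
    PK, S = keygen(rng)
    msg = [rng.randrange(2) for _ in range(t)]                     # a plaintext vector for the basic scheme
    m = [[rng.randrange(2) for _ in range(t)] for _ in range(t)]   # a t x t plaintext matrix for C*
    row_ok = decrypt_row(encrypt_row(PK, msg, rng), S) == msg
    return row_ok, noise_of(encrypt_matrix(PK, S, m, rng), S, m) <= M_ROWS
```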
6. Conclusion
We present a general design method for constructing FHE schemes whose ciphertext is a matrix. By using this design method, we can deduce an FHE scheme step by step from a basic encryption scheme. The process of deduction is similar to solving an equation, and the final output is an FHE scheme.
By using this design method, we obtain three corresponding FHE schemes, which are more efficient than GSW. In addition, we also use this method to construct a packing-message FHE scheme from LWE. The result is the same as in [14], which suffices to show that our design method is general.
References
- R.L. Rivest, L. Adleman, and M.L. Dertouzos, "On Data Banks and Privacy Homomorphisms," Foundations of secure computation, vol. 4, no. 11, pp. 169-180, 1978.
- C. Gentry, "Fully Homomorphic Encryption Using Ideal Lattices," in Proc. of 41st annual ACM symposium on Theory of computing, pp. 169-178, 2009.
- N.P. Smart and F. Vercauteren, "Fully Homomorphic Encryption with Relatively Small Key and Ciphertext Sizes," in Proc. of International Workshop on Public Key Cryptography, pp. 420-443, 2010.
- M. van Dijk, C. Gentry, S. Halevi and et al., "Fully Homomorphic Encryption over the Integers," in Proc. of Advances in Cryptology-Eurocrypt 2010, pp. 24-43, 2010.
- J.-S. Coron, A. Mandal, D. Naccache and et al., "Fully Homomorphic Encryption over the Integers with Shorter Public Keys," in Proc. of Advances in Cryptology-Crypto 2011, pp. 487-504, 2011.
- J.-S. Coron, D. Naccache, and M. Tibouchi, "Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers," in Proc. of Advances in Cryptology-Eurocrypt 2012, pp. 446-464, 2012.
- Z. Brakerski and V. Vaikuntanathan, "Efficient Fully Homomorphic Encryption from (Standard) LWE," in Proc. of 52nd Annual Symposium on Foundations of Computer Science, pp. 97-106, 2011.
- Z. Brakerski, C. Gentry, and V. Vaikuntanathan, "(Leveled) Fully Homomorphic Encryption without Bootstrapping," ACM Transactions on Computation Theory (TOCT), vol. 6, no. 3, pp. 13, 2014.
- Z. Brakerski, "Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP," in Proc. of Advances in Cryptology-Crypto 2012, pp. 868-886, 2012.
- C. Gentry, A. Sahai, and B. Waters, "Homomorphic Encryption from Learning with Errors: Conceptually-Simpler, Asymptotically-Faster, Attribute-Based," in Proc. of Advances in Cryptology-Crypto 2013, pp. 75-92, 2013.
- A. Lopez-Alt, E. Tromer, and V. Vaikuntanathan, "On-the-Fly Multiparty Computation on the Cloud Via Multikey Fully Homomorphic Encryption," in Proc. of 44th symposium on Theory of Computing, pp. 1219-1234, 2012.
- Z. Chen, J. Wang, Z. Zhang and et al., "A Fully Homomorphic Encryption Scheme with Better Key Size," China Communications, vol. 11, no. 9, pp. 82-92, 2014. https://doi.org/10.1109/CC.2014.6969773
- J. Alperin-Sheriff and C. Peikert, "Faster Bootstrapping with Polynomial Error," in Proc. of Advances in Cryptology-Crypto 2014, pp. 297-314, 2014.
- R. Hiromasa, M. Abe, and T. Okamoto, "Packing Messages and Optimizing Bootstrapping in GSW-FHE," in Proc. of Public-Key Cryptography -- PKC 2015, pp. 699-715, 2015.
- O. Regev, "On Lattices, Learning with Errors, Random Linear Codes, and Cryptography," in Proc. of the thirty-seventh annual ACM symposium on Theory of computing, pp. 84-93, 2005.
- V. Lyubashevsky, C. Peikert, and O. Regev, "On Ideal Lattices and Learning with Errors over Rings," in Proc. of Advances in Cryptology-Eurocrypt 2010, pp. 1-23, 2010.
- C. Peikert, V. Vaikuntanathan, and B. Waters, "A Framework for Efficient and Composable Oblivious Transfer," in Proc. of Advances in Cryptology-Crypto 2008, pp. 554-571, 2008.
- D. Stehle and R. Steinfeld, "Making NTRU as Secure as Worst-Case Problems over Ideal Lattices," in Proc. of Advances in Cryptology-Eurocrypt 2011, pp. 27-47, 2011.
- Z. Brakerski and V. Vaikuntanathan, "Lattice-Based FHE as Secure as PKE," in Proc. of 5th conference on Innovations in theoretical computer science, pp. 1-12, 2014.
- C. Peikert, "A Decade of Lattice Cryptography," Found. Trends Theor. Comput. Sci., vol. 10, no. 4, pp. 283-424, 2014. https://doi.org/10.1561/0400000074
- M.R. Albrecht, R. Player, and S. Scott, "On the Concrete Hardness of Learning with Errors," Journal of Mathematical Cryptology, vol. 9, no. 3, pp. 169-203, 2015.
- C. Gentry, S. Halevi, and N. Smart, "Homomorphic Evaluation of the AES Circuit," in Proc. of Advances in Cryptology-Crypto 2012, pp. 850-867, 2012.
- M. Paindavoine and B. Vialla, "Minimizing the Number of Bootstrappings in Fully Homomorphic Encryption," in Proc. of International Conference on Selected Areas in Cryptography, pp. 25-43, 2015.
- I. Chillotti, N. Gama, M. Georgieva and et al., "Faster Fully Homomorphic Encryption: Bootstrapping in Less Than 0.1 Seconds," in Proc. of Advances in Cryptology-Asiacrypt 2016, pp. 3-33, 2016.
- J. Bos, K. Lauter, J. Loftus and et al., "Improved Security for a Ring-Based Fully Homomorphic Encryption Scheme," in Proc. of Cryptography and Coding, pp. 45-64, 2013.