Abstract
Fully homomorphic encryption (FHE) supports arbitrary computations on ciphertexts without decryption, protecting users' privacy. However, current research on FHE still has shortcomings. For example, the NTRU-based FHE scheme constructed using the approximate eigenvector method requires complex matrix multiplications, and the power-of-two cyclotomic ring cannot prevent subfield attacks. To address these problems, this paper proposes an NTRU-based FHE scheme constructed over the power-of-prime cyclotomic ring and makes the following improvements: (1) the power-of-prime cyclotomic ring is immune to subfield attacks; (2) complex matrix multiplications are replaced with matrix-vector multiplications, changing the ciphertext form and decryption structure so as to gain advantages in storage, transmission, and computation; (3) the single instruction multiple data (SIMD) technique is introduced, and homomorphic operations are executed through the Chinese remainder theorem, further improving the computation and storage efficiency of the scheme. The ciphertext of the scheme is a vector, and no key exchange is required for homomorphic operations. In addition, under certain conditions this scheme eliminates the decisional small polynomial ratio (DSPR) assumption and relies only on the ring learning with errors (RLWE) assumption. Under the standard security model, the scheme is proven secure against chosen-plaintext attacks (IND-CPA). Compared with similar schemes, the proposed scheme improves the efficiency at least by a factor of and quadratically decreases the noise growth rate.
1. Introduction
Fully homomorphic encryption supports arbitrary computations on ciphertexts without decryption, and the decrypted result is the same as that of computing directly on the plaintext. This resolves the conflict between protecting user privacy and outsourcing data storage and computation in an outsourced computing environment. Therefore, fully homomorphic encryption is widely applied in cloud computing, healthcare, blockchain, and other industries [1]. Existing FHE schemes can be divided into three types: integer-based [2], Regev-based [3], and NTRU-based [4]. The first two types have low homomorphic computation efficiency and a large key generation cost, whereas the NTRU-based FHE scheme uses only modular multiplication and modular inversion, which results in faster decryption [5, 6] and makes it promising in the resource-constrained IoT environment. It can provide mutual authentication between devices and servers as well as resistance to known attacks. IoT devices based on the NTRU scheme can be connected to authentication schemes such as those described in [7, 8], improving the overall authentication efficiency of these schemes and preventing quantum attacks. Therefore, the study of NTRU-based FHE schemes is of great significance.
In 2013, Gentry et al. proposed an FHE scheme constructed using the technique of approximate eigenvectors [9]. Homomorphic addition and multiplication in this scheme are achieved by simple matrix addition and multiplication. The scheme is relatively simple, fast, and easy to understand, and homomorphic computations can be implemented without computing the public key and only with the help of the user's public key [10]. In addition, the authors pointed out that the technique can be applied to construct an NTRU-based FHE scheme, but no specific construction was given. The F-NTRU scheme proposed by Doröz and Sunar [11] and the improved scheme proposed by Li et al. [12] are both derived from approximate eigenvectors by adopting the flattening and BitDecomp techniques. However, the ciphertext of an FHE scheme constructed using approximate eigenvectors is a matrix: the ciphertext is relatively large, and complex matrix multiplications are required, which greatly affects computational efficiency. In 2018, Khedr and Gulak [13] used the NTT (fast number-theoretic transform) to perform matrix multiplication instead of circular convolution in the F-NTRU scheme to simplify the computation, but none of these improvements can essentially avoid matrix multiplication.
Meanwhile, the security of the above schemes is based on the power-of-two cyclotomic ring. Schemes based on this ring have a simple structure, but they can neither prevent subfield attacks [14, 15] nor use SIMD techniques [16]. Migliore et al. [17] also verified that the F-NTRU scheme is exposed to subfield attacks, so finding a more secure ring to guarantee the security of the scheme is especially important. In 2016, Doröz et al. [18] were the first to propose a scheme (DHS16) based on the power-of-prime cyclotomic ring to improve the LTV12 scheme [19]; it improves efficiency in practical applications but gives no theoretical proof of security. In 2018, Yu et al. [20] changed the ring of the SS11 scheme [21] to a power-of-prime cyclotomic ring and improved the key generation algorithm using a Gaussian distribution with regular embedding so that its security could be proven.
To address the above problems in constructing FHE schemes using approximate eigenvectors, this paper first replaces the existing power-of-two cyclotomic polynomial with the power-of-prime cyclotomic polynomial to enhance security and gives an NTRU-type FHE scheme based on the power-of-prime cyclotomic ring. The scheme eliminates the DSPR assumption under certain conditions, and its security then depends only on the RLWE assumption. Under the standard security model, the scheme is proven secure against chosen-plaintext attacks (IND-CPA). To improve efficiency, the scheme introduces SIMD techniques and uses matrix-vector multiplication instead of complex matrix multiplication, which greatly enhances efficiency. The ciphertext of the scheme is a vector, which is more advantageous in storage, transmission, and computation. In addition, the order of multiplications can be chosen to further optimize noise management.
2. Basic Knowledge
The power-of-prime cyclotomic ring [22] on which this scheme is based is a special case of a cyclotomic polynomial ring. The construction of the key generation algorithm involves the Gaussian distribution under regular embedding [23]. The security of this scheme depends on the RLWE assumption as well as the DSPR assumption [24], and the security model proves that this scheme is secure against IND-CPA attacks [25]. This section focuses on cyclotomic polynomials, the RLWE assumption, the DSPR assumption, the Gaussian distribution with regular embedding, and the definition of the security model.
2.1. Symbolic Representation
If A indicates an algorithm, indicates that is obtained based on that algorithm. If A indicates a collection, indicates that is randomly chosen from Collection A. For any integer , if , integer indicates . Use lowercase letters to represent a multidimensional vector. For example, for vector , indicates its th component. The polynomial of an indeterminate of is represented using lowercase letters, for example, .
2.2. Cyclotomic Polynomial
Definition 1 (cyclotomic polynomial, see [22]). Assume Field K is a field of characteristic P, is a positive integer not divisible by P, is a primitive th root of unity in Field K, and the polynomial is called the th cyclotomic polynomial over Field K. Adjoining a primitive th root of unity to the field Q of rational numbers gives an extension field , which is called the th cyclotomic field.
(i) When ,
(ii) When is a prime number,
(iii) When is a prime number, , , , and is the power-of-prime cyclotomic polynomial ring.
Theorem 1 (see [22]). If is a finite field and is a positive integer, the necessary and sufficient condition for the cyclotomic polynomial of order to be reducible over is that the exponent of mod is (that is, is a primitive root mod ). It can be seen from Theorem 1 that if is a prime or the square exponent of a prime, is reducible over [26].
Theorem 2 (see [22]). If is a finite field, is a positive integer, and , cyclotomic polynomial can be decomposed into the product of different monic irreducible polynomials of degree 2 in , that is, , where is the exponent of mod , meeting the requirement of being the minimum integer of , and .
Theorem 3 (see [27]). If , , and Ring , for any , the function is
Theorem 4 (see [20]). If is a prime number, and , then . For any , in the worst case, the function
2.3. Gaussian Distribution with Regular Embedding
Definition 2 (Gaussian distribution with regular embedding, see [26]). Assume that is a monic reducible polynomial of degree , , the roots of in the field of complex numbers are , respectively, is called a regular transformation matrix. Let , the embedding of coefficients is represented by , and the transformation of regular embedding is represented by , and Gaussian distribution with regular embedding is represented as follows:
2.4. RLWE Assumption
Definition 3 (RLWE assumption, see [27]). Assume , is a prime number, and . Define polynomial ring , , and a discrete Gaussian distribution on ring R with regular embedding. The RLWE assumption states that, for a random ring element , given a polynomial where is uniformly random in and is drawn from an error distribution , it is very hard to distinguish whether is drawn from computations or directly from the uniform distribution of .
2.5. DSPR Assumption
Definition 4 (DSPR assumption, see [24]). Let , be a prime number, and . Define the polynomial ring , , and a discrete Gaussian distribution on ring R with regular embedding. The DSPR assumption is that it is hard to distinguish whether the element of the polynomial , where and are sampled from distribution , is a uniformly random element of or is invertible in .
2.6. Security Model
Definition 5 (security model, see [25]). Define a game between the attacker and challenger. This game is divided into four phases.
Setup phase: the challenger runs the key generation algorithm of the encryption scheme to generate a public key and makes the attacker get the public key.
Oracle access phase: the attacker chooses plaintexts and queries the encryption oracle. After receiving the ciphertext in response, the attacker may submit chosen plaintexts multiple times at different stages and obtain the ciphertexts corresponding to the different plaintexts.
Challenge phase: the attacker chooses two plaintext messages and and sends them to the challenger. The challenger chooses and sends the ciphertext to the attacker.
Guess phase: the attacker outputs a guess for the ciphertext. When , the attacker wins.
For a public-key encryption scheme and an attacker running in bounded polynomial time, the advantage of the attacker is defined as
where is a negligible function and is the security parameter of the scheme. The game involves a polynomial-time attacker A. Let be the probability that attacker A wins the game. If the advantage of every such attacker is negligible, the scheme is secure against IND-CPA attacks.
3. Efficient NTRU-Based Fully Homomorphic Encryption
This section first introduces the SIMD technique for plaintext batch processing, then describes the algorithm construction of the scheme in this paper, and finally proves the correctness of the encryption and decryption process and homomorphic operations of the scheme and provides an analysis of the noise growth during the process.
3.1. SIMD Technique
It can be derived from Theorems 1 and 2 that the power-of-prime cyclotomic ring can be decomposed into multiple irreducible polynomials in . Therefore, in this paper, we use the Chinese remainder theorem [28] to batch process the data of plaintext slots and perform homomorphic computations in parallel to improve the execution efficiency of the scheme. The specific procedure is given below.
Decompose the entire plaintext space into subrings of the same size. The corresponding plaintext slots are , in which the plaintexts to be encrypted are placed. Then, combine the plaintexts in the slots into one element of the plaintext space. and denote the ciphertexts obtained by encrypting in the same plaintext space, and their corresponding plaintexts are and , respectively.
The homomorphic operations performed in parallel on the plaintexts are as follows:
where and denote the batch homomorphic addition and multiplication on the plaintexts, respectively. Therefore, with the SIMD technique, homomorphic operations can be regarded as being executed in parallel on the plaintext slots. Because data at different indexes within the arrays never interact, the and operations alone are not sufficient to perform arbitrary computations on encrypted arrays. To obtain a complete set of operations on data arrays, this paper introduces the operation described in [29], which imposes an arbitrary ordering on the data in the arrays and cyclically rotates the plaintext slots of by slots. When , the plaintext slots of move by one slot. Accordingly, the plaintext in each slot becomes , so that arbitrary operations on the data can be performed. When the ciphertext is decrypted, the inverse Chinese remainder transform is applied to recover the plaintexts.
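As an added worked example (not code from the paper), the following Python packs two plaintext slots into one element of the power-of-prime cyclotomic ring via the Chinese remainder theorem, as in the SIMD procedure above, and checks that a single ring addition and ring multiplication act slot-wise. The parameters m = 9 = 3^2 and plaintext modulus p = 7 are constructed for illustration: 7 has order 3 modulo 9, so by Theorem 2 Phi_9(x) = x^6 + x^3 + 1 splits into phi(9)/3 = 2 irreducible cubic factors, one per slot; the slot rotation operation of [29] is not implemented.

```python
# Added example, not the paper's own code: SIMD plaintext slots via the CRT in
# the power-of-prime cyclotomic ring F_p[x]/(Phi_m(x)), with constructed m = 9
# and p = 7.  Since 7 has order 3 modulo 9, Theorem 2 gives Phi_9(x) =
# x^6 + x^3 + 1 = (x^3 + 3)(x^3 + 5) over F_7: phi(9)/3 = 2 cubic slots.
# Polynomials are lists of coefficients mod P, lowest degree first.
from itertools import zip_longest

P = 7                        # plaintext modulus (constructed choice)
M = 9                        # conductor, a power of a prime (3^2)
PHI = [1, 0, 0, 1, 0, 0, 1]  # Phi_9(x) = 1 + x^3 + x^6, degree phi(9) = 6
# y^2 + y + 1 has roots 2 and 4 in F_7, neither of which is a cube in F_7, so the
# cubics x^3 - 4 = x^3 + 3 and x^3 - 2 = x^3 + 5 have no roots and are irreducible.
SLOT_FACTORS = [[3, 0, 0, 1], [5, 0, 0, 1]]

def trim(a):
    """Reduce coefficients mod P and drop leading zeros (never mutates the input)."""
    a = [c % P for c in a]
    while a and a[-1] == 0:
        a.pop()
    return a

def padd(a, b):
    return trim([x + y for x, y in zip_longest(a, b, fillvalue=0)])

def psub(a, b):
    return padd(a, [-c for c in b])

def pmul(a, b):
    out = [0] * max(len(a) + len(b) - 1, 0)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return trim(out)

def pdivmod(a, b):
    """Long division in F_P[x]: (q, r) with a = q*b + r and deg r < deg b."""
    a, b = trim(a), trim(b)
    inv_lc = pow(b[-1], -1, P)          # b must be nonzero
    q, r = [0] * max(len(a) - len(b) + 1, 1), a
    while len(r) >= len(b):
        shift = len(r) - len(b)
        coef = (r[-1] * inv_lc) % P
        q[shift] = coef
        r = psub(r, [0] * shift + [coef * c for c in b])
    return trim(q), r

def pmod(a, b):
    return pdivmod(a, b)[1]

def pinv_mod(a, f):
    """Inverse of a modulo f in F_P[x] via the extended Euclidean algorithm."""
    r0, r1 = trim(f), pmod(a, f)
    s0, s1 = [], [1]                    # invariant: r_i == s_i * a (mod f)
    while r1:
        q, r = pdivmod(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, psub(s0, pmul(q, s1))
    if len(r0) != 1:
        raise ValueError("a is not invertible modulo f")
    return pmod(pmul(s0, [pow(r0[0], -1, P)]), f)

def mult_order(q, m):
    """Multiplicative order of q mod m: the degree of each factor in Theorem 2."""
    k, x = 1, q % m
    while x != 1:
        x, k = (x * q) % m, k + 1
    return k

def crt_pack(slots):
    """Combine one plaintext per slot into one element of F_P[x]/(Phi_m)."""
    acc = []
    for s, f in zip(slots, SLOT_FACTORS):
        cofactor = pdivmod(PHI, f)[0]                 # Phi_m / f_i
        idem = pmul(cofactor, pinv_mod(cofactor, f))  # 1 mod f_i, 0 mod the rest
        acc = padd(acc, pmul(pmod(s, f), idem))
    return pmod(acc, PHI)

def crt_unpack(poly):
    """Inverse of crt_pack: reduce modulo each slot factor."""
    return [pmod(poly, f) for f in SLOT_FACTORS]

def ring_add(a, b):
    return pmod(padd(a, b), PHI)

def ring_mul(a, b):
    return pmod(pmul(a, b), PHI)

def simd_check(a_slots, b_slots):
    """One ring add and one ring mul act slot-wise on all slots at once."""
    a, b = crt_pack(a_slots), crt_pack(b_slots)
    want = [(pmod(padd(x, y), f), pmod(pmul(x, y), f))
            for x, y, f in zip(a_slots, b_slots, SLOT_FACTORS)]
    got = list(zip(crt_unpack(ring_add(a, b)), crt_unpack(ring_mul(a, b))))
    return got == want
```

Slot contents are polynomials of degree below 3, i.e. elements of F_{7^3}, so each slot carries one field element rather than a single integer; scalar slots such as [4] are the special case.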
3.2. Scheme Construction
Assume that is a security parameter, is the number of circuit layers, and is a dimension and a power of a prime number. Let , where is the cyclotomic polynomial, each has degree , is the vector space of plaintexts, and is the isomorphism from to .
3.2.1. Key Generation Algorithm
Select a relatively large standard deviation , and let denote , where is a polynomial sampled from a discrete Gaussian distribution with regular embedding. Input , where is the set of invertible elements in . . Output . The detailed procedure is as follows:
First sample from a discrete Gaussian distribution with regular embedding; let . If , sample again.
Then, sample from a discrete Gaussian distribution with regular embedding. If , sample again.
Finally, return and .
3.2.2. Encryption Algorithm
Use the Chinese remainder theorem to calculate the plaintext . Let represent . is the length corresponding to message and is the ciphertext of . Column vector , where .
3.2.3. Additive Homomorphism
denotes the result of the homomorphic addition of two ciphertexts. and denote the fresh ciphertexts, each a column vector. Because the ciphertexts have the same form, a simple addition suffices to realize homomorphic addition:
3.2.4. Multiplicative Homomorphism
denotes the result of the homomorphic multiplication of two ciphertexts. The resulting ciphertext is a column vector of the same form as the original ciphertexts. Therefore, no key exchange is required:
3.2.5. Decryption Algorithm
denotes a fresh ciphertext, a column vector. For decryption, the first element of this ciphertext is selected for calculation:
According to , plaintexts can be decrypted.
3.3. Correctness Analysis
In this section, the encryption and decryption process of the scheme and the corresponding noise growth are analyzed.
It can be known from the encryption and decryption algorithms that
Because , can be obtained from formula (9). The Chinese remainder theorem is then applied to recover the plaintexts.
Theorem 1 (encryption noise). are the parameters of the preceding encryption scheme. The upper bound of is B. For any , calculate and set . If , sample again. Let and ; then, exists and , which establishes the following equation:
where is the noise of the ciphertext. contains part of the noise of , which corrects messages with little packing [30]. Therefore, this part of the noise is ignored in this paper.
Proof. According to the basic encryption scheme , let be the noise of the fresh ciphertext. As the upper bound of is B, the upper bound of the coefficients of is B, and the upper bound of the coefficients of is . Combining Theorem 4, the upper bound of the coefficients of is and the upper bound of the coefficients of is . In summary, the upper bound of the coefficients of is , which is .
Theorem 2 (decryption noise). For any , . If is met and , then
Proof. If , then
Combining Theorem 1, we conclude that when the noise is less than , decryption succeeds.
3.4. Homomorphism Analysis
Let and be the ciphertexts that are encrypted using the proposed scheme. The corresponding private key is . It can be found from the decryption definition that where .
3.4.1. Additive Homomorphism
Let be a ciphertext that is equivalent to the encryption of the sum of the two plaintexts. The ciphertext form is not changed, and the following can prove the additive homomorphism:
From formula (13), ciphertext can be seen as a result of the sum of two plaintexts. Therefore, this scheme has the additive homomorphism.
3.4.2. Addition Noise
Let represent the first row of the fresh ciphertext on which the homomorphic addition operation is performed. . According to the addition definition, , where and . Because , we can get .
3.4.3. Multiplicative Homomorphism
Let be a ciphertext equivalent to the encryption of the product of two plaintexts. The following proves the multiplicative homomorphism:
where the value ranges of , , and are small. It can be seen from formula (14) that decrypts to the product of two plaintexts; therefore, this scheme has multiplicative homomorphism.
3.4.4. Multiplication Noise
After homomorphic addition of two ciphertexts, the noise is the sum of the noises of the two ciphertexts. After homomorphic multiplication, the noise is the product of the noises of the two ciphertexts. Therefore, the factor that determines the correctness of decryption is multiplicative homomorphism, and this paper presents the noise after a homomorphic multiplication and the noise of a ciphertext circuit with L layers.
Let represent the first row of the fresh ciphertext after the homomorphic multiplication operation was performed on it. Let represent the noise after a homomorphic multiplication operation. According to the multiplication definition, we have a formula , where , , , and is the first row of matrix , a polynomial containing coefficients whose value is 0 or 1. Through the formula, we can get . Because indicates plaintexts of , we can get . Therefore, .
Assume that the noise of the th layer is ; according to the homomorphic operation, we can get . The calculated noise of this scheme after the second multiplication circuit is as follows:
A homomorphic multiplication operation is performed on plaintexts. Therefore, the maximum noise deduced from the calculation of a circuit with a depth of L is
As long as does not exceed , the ciphertexts decrypt correctly. To compare with the F-NTRU scheme in terms of noise, this paper also analyzes the noise growth of the F-NTRU scheme.
Let and be ciphertexts encrypted using the F-NTRU scheme. The corresponding private key is . denotes the first row of the ciphertext after a homomorphic multiplication is performed, and denotes the noise after a homomorphic multiplication. According to the F-NTRU scheme, the multiplication is defined as
and . Because , we get that , . Therefore, in the F-NTRU scheme, the noise after a homomorphic multiplication is . Assume that the noise of the th layer is ; according to the homomorphic operation, the noise after the second multiplication circuit in the F-NTRU scheme is as follows:
A homomorphic multiplication operation is performed on two plaintexts. Therefore, the maximum noise deduced from the calculation of a circuit with a depth of is
As long as does not exceed the decryption condition of the F-NTRU scheme, the ciphertext decrypts correctly. Combining the noise analysis of this scheme, compared with the F-NTRU scheme the noise growth of this scheme after a homomorphic multiplication decreases quadratically. In addition, the noise growth frequency of the F-NTRU scheme is times that of this scheme. Therefore, this scheme performs better in noise management.
3.4.5. Multiplication Computation Optimization
As the noise depends mainly on the noise of the first ciphertext, changing the order of multiplication can optimize the homomorphic computation of the scheme. For example, consider 4 initial ciphertexts , , , and . The original order of computation is to first compute , then , and finally the final ciphertext . However, when the order is changed to first compute , then , and finally , the dependence on the noise of the multiplied ciphertext is reduced because the noise growth of such schemes is asymmetric. For example, in [31], with the first computation order the noise after evaluating a circuit of depth is , whereas with the second order the noise after the same computation is . The former grows exponentially while the latter grows linearly; therefore, changing the multiplication order optimizes the homomorphic computation and reduces the noise growth rate of homomorphic multiplication, which means that for the same noise threshold the latter order supports a circuit depth greater than . For details, see [32].
3.5. Security Analysis
Theorem 3. Assume that , and are prime numbers, and holds. When , there exists a probability of that the following formulas hold:
The security of this scheme then relies only on the RLWE assumption.
Proof. When satisfy the above conditions, formulas (20) and (21) hold with probability [21]. For polynomial , the same parameters also apply to the formula , that is, holds with probability . Combining Theorem 4, holds with probability . For the power-of-two cyclotomic ring and the power-of-prime cyclotomic ring, we have already shown that, in normal cases, the polynomial has a relatively small value. Therefore, sample with a certain width , and make the public key uniformly distributed when its norm growth does not affect a single homomorphic multiplication. Combining the inverse property, the inverses of and belong to . Therefore, we get the following formula:
In the DSPR assumption, can be changed to . In the RLWE assumption, can be changed to . In , the value range of e is very small and can be ignored. Combining formula (22), the fraction form in the DSPR assumption can be converted to the product form in the RLWE assumption. Therefore, the security of this scheme reduces to the RLWE assumption.
Theorem 4. Assume that is a security parameter, is the number of layers of a circuit, and is a dimension and a power of a prime number. Let . Under the prerequisite of RLWE assumption, this scheme is secure against IND-CPA attacks.
Proof. The proof uses the game-hopping method. In the formulas, denotes the advantage of attacker A in .
: standard IND-CPA game, that is, the challenger invokes the KeyGen algorithm of the scheme and gives attacker the generated public key . can access the encryption oracle. The challenger outputs the ciphertext , and attacker tries to distinguish which plaintext corresponds to . In , the advantage of attacker is
: the difference between and is the method used to generate the public key. In , the public key is not sampled from the Gaussian distribution with regular embedding together with a private key ; instead, it is selected uniformly at random from . It can be obtained from Definition 3 that the output of the discrete Gaussian distribution cannot be distinguished from the distribution of . It can be seen from [33] that the error between the output of the discrete Gaussian distribution and the distribution of is within . Therefore, we get the following formula:
: the difference between and is that the encryption algorithm of does not follow the scheme; instead, is selected uniformly at random from . From Theorem 3, the DSPR assumption in this scheme has been reduced to RLWE. Therefore, in and , the difference in the advantage of attacker lies in solving the RLWE problem:
: in , the ciphertext given by the challenger is no longer generated by the encryption algorithm but is selected uniformly at random from . The security analysis of is the same as that of . We get the following formula:
In , the public key and ciphertext given by the challenger are both random and unrelated to the plaintext . Therefore, attacker A has no advantage in , which means
From formulas (23)–(27), we get
In summary, under the assumption, can be ignored, which meets the requirement of Definition 5. Therefore, this scheme is secure against IND-CPA attacks.
4. Performance Analysis
In this section, the proposed scheme and the F-NTRU scheme are analyzed to show the advantages of the proposed scheme in terms of ciphertext size and homomorphic computational complexity.
4.1. Ciphertext Size Analysis
The ciphertext of the F-NTRU scheme consists of two polynomials of degree less than , and the expanded ciphertext is a matrix. From Theorem 3, the upper bound of its size is . The public key used by the F-NTRU scheme consists of two polynomials, and its size is . During decryption, the private key is a polynomial of degree less than with coefficients less than , and its size is . In this scheme, the ciphertext is a vector of polynomials of dimension . From Theorem 4, the ciphertext size of this scheme is . The cyclotomic polynomial of the public and private keys of this scheme differs from that of the F-NTRU scheme. Therefore, the sizes of the public key and private key in this scheme change to and , respectively, compared with the F-NTRU scheme. The details are shown in Table 1.
As can be seen from Table 1, compared with the F-NTRU scheme, this scheme optimizes the public key size while keeping the private key size unchanged. The ciphertext size of this scheme is reduced from quadratic to cubic, which gains more advantages in storage and transmission.
4.2. Computational Complexity Analysis
Assume that the time for one vector addition is and for one vector multiplication is . In the F-NTRU scheme, one homomorphic addition is equivalent to vector additions, and one homomorphic multiplication is equivalent to vector multiplications. In this scheme, however, one homomorphic addition is equivalent to a single vector addition, and one homomorphic multiplication is equivalent to vector multiplications, because in the matrix form of , is a vector, so multiplying the matrix by a column vector actually costs vector multiplications. In addition, in this scheme multiple plaintexts are packed into one ciphertext using the Chinese remainder theorem for parallel processing, which effectively improves computational efficiency. For details, see Table 2:
From Table 2, this scheme improves efficiency by a factor of +1 by changing the ciphertext into a vector. The adoption of batch processing further enhances computational efficiency by a factor of . Therefore, in terms of efficiency, this scheme improves overall by a factor of compared with the F-NTRU scheme. In terms of communication cost, the plaintext space in this scheme is divided into plaintext slots, which lowers both communication and computational cost. Normally, matrix-vector multiplication is an order of magnitude faster than matrix multiplication, but since this scheme does not use the flattening technique to binarize the ciphertexts, multiplying values is slower than multiplying binarized values. Fortunately, the time actually spent on the large number of matrix-vector products involving zero values is greatly reduced. This is a major breakthrough in efficiency after matrix multiplication is replaced with matrix-vector multiplication in this scheme.
5. Conclusion
To solve the problems of constructing fully homomorphic encryption schemes using approximate eigenvectors, this paper proposes an NTRU-based fully homomorphic encryption scheme over a power-of-prime cyclotomic ring. Under certain conditions this scheme eliminates the DSPR assumption, so that it relies only on the RLWE assumption, and it is secure against IND-CPA attacks. The ciphertext of this scheme is a vector, and using matrix-vector multiplication instead of complex matrix multiplication effectively improves the efficiency of the scheme. Meanwhile, the noise growth decreases quadratically. Combined with the optimization of the multiplication execution order, the scheme performs better in noise management. Compared with the F-NTRU scheme, the ciphertext of this scheme has obvious advantages in storage, transmission, and computation, but the reduction in the degree of the polynomial moduli obtained by decomposing with the Chinese remainder theorem in this scheme affects the security of the RLWE assumption. Therefore, security parameters need to be selected more stringently to ensure data security.
Data Availability
The data used to support the findings of this study are included within the article.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Acknowledgments
This paper was one of the phased achievements of the project supported by the National Natural Science Foundation of China (Grant no. 62062009).