Abstract

We propose a GSW-style fully homomorphic encryption scheme over the integers (FHE-OI) that is more efficient than the prior work by Benarroch et al. (PKC 2017). To reduce the expansion of ciphertexts, our scheme consists of two types of ciphertexts: integers and vectors. Moreover, the computational efficiency in the homomorphic evaluation can be improved by hybrid homomorphic operations between integers and vectors. In particular, when performing vector-integer multiplications, the evaluation has the computational complexity of and thus outperforms all prior FHE-OI schemes. To slow down the noise growth in homomorphic multiplications, we introduce a new noise management method called sequentialization; therefore, the noise in the resulting ciphertext increases by a factor of rather than in general multiplications, where is the number of multiplications. As a result, the circuit with larger multiplicative depth can be evaluated under the same parameter settings. Finally, to further reduce the size of ciphertexts, we apply ciphertext truncation and obtain the integer ciphertext of size , thus additionally reducing the size of the vector ciphertext in Benarroch’s scheme from to .

1. Introduction

Fully homomorphic encryption (FHE) allows us to evaluate any computable function on plaintext m but only manipulate the ciphertexts; moreover, this procedure will not reveal any private information. With this property, FHE can be applied to outsourcing computation, particularly in the scenario that the remote server is an untrusted third party.

FHE has received major attention in cryptography since the first breakthrough by Gentry [1]. In Gentry’s blueprint, the first step is to construct a somewhat homomorphic encryption (SWHE) scheme based on ideal lattices, which can only evaluate a circuit of low depth since the ciphertext contains a noise component that grows exponentially after homomorphic multiplications. If the noise magnitude passes a predefined threshold, decryption is no longer guaranteed to be correct. Then, by a key procedure called bootstrapping, the noise magnitude in the ciphertext can be reduced to the same level as that in the original ciphertext, and therefore, the SWHE scheme can be converted into an FHE scheme to evaluate a circuit of arbitrary depth. However, the costly bootstrapping procedure becomes a bottleneck in making this FHE scheme practical, and the complicated operations on ideal lattices are hard to follow. Very shortly afterward, van Dijk, Gentry, Halevi, and Vaikuntanathan (DGHV) [2] proposed an alternative FHE scheme over the integers (FHE-OI) that is conceptually simpler than [1] since the homomorphic operations only consist of arithmetic operations on integers instead of ideal lattices. In addition, the scheme is based on a different hardness assumption, namely, the approximate greatest common divisor (AGCD) assumption [3]. Unfortunately, this scheme is still inefficient since it follows Gentry’s blueprint, which has a costly bootstrapping procedure. Moreover, the large size of public keys results in an increased storage requirement.

In order to improve the efficiency and avoid bootstrapping, a new noise management technique called modulus switching was proposed by Brakerski et al. [4]. The authors first constructed an SWHE scheme based on the learning with errors (LWE) assumption. Then, by applying modulus switching, the noise component in the ciphertext grows only linearly after homomorphic multiplications. As a result, they obtained a leveled FHE scheme that can evaluate any circuit with polynomial depth L by carefully calibrating L ladders of moduli. Later, this technique was adapted to the FHE-OI scheme [5]; however, it leads to a greater storage requirement since the circuit with multiplicative depth L needs to be evaluated via a procedure of key switching, and this requires storing L public keys. The larger size of public keys is an inherent property in AGCD-based FHE schemes compared to LWE-based ones; hence, the public keys of L times larger size yield a huge storage requirement. Afterward, a scale-invariant LWE-based FHE scheme was proposed by Brakerski [6]. In this scheme, the message m is encrypted to a higher bit and the same modulus is used throughout the homomorphic evaluation process. By applying the bit decomposition technique on ciphertexts and the encryptions of secret keys, the author obtained a leveled LWE-based FHE scheme whose noise growth was still linear after homomorphic multiplications. The scale-invariant technique was subsequently applied to the FHE-OI scheme and shown to be more efficient than [5]. At PKC 2014, Coron et al. [7] proposed a scale-invariant FHE-OI scheme (CLT14) where only an extra multiplication key needed to be stored in the original public keys, which significantly reduced the storage requirement compared with [5]. To ensure the security of the secret key, they encrypted it into a subset sum as the multiplication key and made a circular-secure assumption. At Eurocrypt 2015, Cheon et al. [8] proposed another scale-invariant FHE-OI scheme (CS15), which introduced a dimension-reduction technique to homomorphic multiplications; they also used invalid encryptions of the bits of the secret key as the multiplication key instead of using subset sum, but they still needed a circular-secure assumption.

At Crypto 2013, Gentry, Sahai, and Waters (GSW) [9] proposed a conceptually simpler LWE-based leveled FHE scheme without using modulus switching and evaluation keys; however, the noise growth was still linear with the multiplicative depth. In this scheme, the plaintext bit m is extended into a plaintext vector by multiplying a gadget vector, and then each entry in the plaintext vector is encrypted to a vector ciphertext. Finally, the outputted ciphertext has the form of a matrix instead of a vector as in prior LWE-based FHE schemes. The homomorphic multiplication procedure is the general multiplicative operation between a ciphertext matrix and a decomposed binary ciphertext matrix. The main contribution of this scheme is the simple and natural homomorphic multiplication procedure rather than complicated modulus switching; however, it must generate a matrix ciphertext, which requires larger storage. This new FHE scheme was studied by Benarroch et al. [10], and they proposed a complete GSW-style FHE-OI scheme (BBL17). In this scheme, there is no need to encrypt the secret key as the multiplication key and make the circular-secure assumption; however, like [9], it must expand the ciphertext from integer to vector, and therefore the size of the vector ciphertext becomes a bottleneck to this scheme’s efficiency.

Note that the above FHE schemes encrypt a plaintext m of a single bit, and the message space in these schemes is . There have been some SIMD approaches to make the FHE-OI scheme more efficient in parallel. In [11], the authors proposed a new technique to encrypt a vector of messages in a single ciphertext based on the Chinese Remainder theorem (CRT), thereby extending the message space from to . This technique has been improved by subsequent studies [7, 10]. In [12], the authors proposed an optimized bootstrapping procedure for larger message spaces of a single bit from to , where Q is the arbitrary prime larger than two. Subsequently, some improvements have been proposed to accelerate this technique and apply it to the homomorphic evaluation procedure [13–19].

From what has been discussed above, we can conclude that current FHE-OI schemes have significantly improved efficiency by adapting new noise management techniques from LWE-based schemes. While CLT14 [7] and CS15 [8] adapt the scale-invariant technique to obtain a leveled FHE-OI scheme and avoid costly bootstrapping procedures, the homomorphic evaluation procedure is still not efficient enough to be practical. Moreover, these schemes need to encrypt the secret key as the multiplication key and make a circular-secure assumption. Meanwhile, BBL17 [10] constructs a GSW-style FHE-OI scheme whose homomorphic multiplication procedure is a general multiplicative operation between vector and matrix, and the multiplication key is not needed. Unfortunately, it must expand the ciphertext from integer to vector, and this expansion makes it difficult to improve the scheme's efficiency. Therefore, how to improve the computational efficiency in homomorphic evaluation and reduce the ciphertext expansion has remained a challenging open problem.

Our Contribution. In this paper, we propose a GSW-style FHE-OI scheme that is similar to BBL17 [10] but has a better spatial and computational efficiency. The main contribution of our scheme is three-fold.

Firstly, our scheme reduces the expansion of ciphertexts by generating two types of ciphertexts (vector and integer ciphertexts), and not only the vector ciphertexts as in BBL17 [10]. Besides, our scheme supports some hybrid homomorphic operations between integer and vector ciphertexts in the homomorphic evaluation procedure, such as vector-vector, vector-integer, and integer-integer operations. Since the vector ciphertext has a size of , which is times larger than the integer ciphertext, it is easy to see that the vector-vector operations are more costly than the integer-integer and integer-vector operations. As a result, when performing integer-integer and integer-vector homomorphic operations, the computational efficiency in our scheme is better than that in BBL17 [10]. In particular, when performing vector-vector multiplications, the asymptotic computational complexity in our scheme is identical to the homomorphic multiplications in prior leveled FHE-OI schemes [7, 8, 10], i.e., there is a complexity of . However, when performing vector-integer multiplications, the asymptotic computational complexity in our scheme is , which is better than that of all prior leveled FHE-OI schemes.

Secondly, our scheme displays better noise management since it performs the homomorphic multiplications in sequence. The method of sequentialization in homomorphic multiplications was first proposed in [20, 21] and derived from the observation that the noise growth is asymmetric after the homomorphic multiplications in GSW-style FHE schemes based on LWE. We find that the noise terms in our scheme also have an asymmetric form such as after homomorphic multiplications. Hence, if we perform homomorphic multiplications between L ciphertexts with the same noise magnitude r in the sequence, the resulting ciphertext will have a noise magnitude of rather than after general multiplications. Therefore, the circuit with a multiplicative depth larger than L can be evaluated under the same parameter settings as general multiplications.

Finally, the size of ciphertexts in our scheme can be further reduced by applying a technique of ciphertext compression called truncation. This technique was first proposed in CS15 [8], and the authors obtained an integer ciphertext of size . However, they gave only a simple and abstract description of their technique and did not construct a complete scheme. Moreover, they set to be small to obtain better efficiency, but this has been proved to be insecure in subsequent works [22]. We adapt this technique to our scheme and generalize it to the vector ciphertext. In addition, we construct a complete scheme and give a tight analysis of noise growth. In order to thwart the optimized OL attack proposed in [22], we set , which significantly reduces the size of ciphertexts. Finally, we obtain an integer ciphertext of size and vector ciphertext of size .

2. Preliminaries

2.1. Notation

We denote the parameters in our scheme by Greek letters (such as ). Scalars are denoted by lowercase Latin characters (such as p, q, x, y, and r). Vectors are denoted by lowercase bold English letters (such as p, q, x, y, and r). Matrices are denoted by uppercase English letters (such as P, Q, X, Y, and R). For two integers z and p, we denote by the result in after computing . For an n-dimensional vector z and an integer p, we denote by the result in after computing , where is the -th coordinate in z. For a vector z, we denote the norm to be the infinity norm of z, i.e., . For some real number r, we denote by the nearest integer rounded to r, and we have , where . We denote a uniform distribution on a finite set A by U(A). All logarithms in this paper are base two.

2.2. Gadget Vector and Bit Decomposition Function

For some integer n, define an n-dimensional gadget vector . Define a decomposition function that can decompose an n-bit-length integer to its binary representation and output an n-dimensional binary vector. For some integer z, we have , where is the -th least significant bit of z, and . Define an augmented decomposition function which can decompose an l-dimensional vector to its binary representation and output an -dimensional binary matrix such that and .

Lemma 1 (leftover hash lemma [2]). Set uniformly and independently, set , and set . Then is -uniform over .

We can write the above leftover hash lemma as the following version, and we can see the obvious equivalence between the two lemmas.

Lemma 2. Set uniformly and independently, set , and let . Then is -uniform over .

Lemma 3 (see [10]). Set uniformly and independently, and set for some n; and let . Then is -uniform over .

2.3. Approximate GCD

Since the first FHE scheme based on the approximate greatest common divisor (AGCD) problem was proposed in DGHV [2], several AGCD variants have been proposed. The first noise-free AGCD variant was proposed in [23]. It generates a special public key element without noise component and sets to be a random square free -rough integer to thwart some attacks based on factorization. Afterward, the first decisional and noise-free AGCD variant was proposed in [11]. In homomorphic evaluation, a noise-free will not introduce an extra noise component and will simplify the noise analysis; however, this could make the scheme vulnerable to quantum attacks. Therefore, to improve the security, some decisional-AGCD variants with a noise component in were proposed in [7, 8, 10]. In the present work, we consider the decisional noisy variant proposed in BBL17 [10], and formally define it as follows.

Definition 1. Let be some integers satisfying , and p is an -bit odd integer. Define the distribution supported over as follows:

Definition 2. (()-AGCD). The -AGCD problem is to find p when given polynomially many samples from . The -decisional-AGCD problem is to distinguish between and the uniform distribution when given polynomially many samples from and .
In the following, we define the truncated distribution and sample from this distribution via rejection sampling.

Definition 3. (see [10]). Let X be a distribution supported over , and let . The distribution is the distribution X conditioned on . If , then is undefined. Analogously, we can define .

Lemma 4. Let . Then, the distribution and are computationally indistinguishable under the -decisional-AGCD assumption.

Proof. First, we sample via rejection sampling. It is easy to see that the rejection probability when sampling each is at most since . Therefore, the distribution is efficiently sampleable up to a negligible statistical distance with since is noticeable. Second, we replace the samplings of the ’s by . Similar to the above procedure, we can deduce that the statistical distance between and is negligible. Since the distribution and are computationally indistinguishable under the -decisional-AGCD assumption, we finally conclude that the distribution and are computationally indistinguishable.

2.4. The GSW-Style FHE Scheme over the Integers

We recall the first complete GSW-style FHE-OI scheme proposed in BBL17 [10].
(i): Generate the public parameters according to the security parameter . Sample uniformly an -bit integer p. First sample an integer and then integers . Write , let and .
(ii): Randomly sample a matrix and compute which is a vector of dimension .
(iii): Given the public key element and two ciphertexts and , compute Note that this addition procedure is done when it is known that at most one of the plaintext messages is 1.
(iv): Given the public key element and two ciphertexts and , compute
(v): Compute , and output the following:

3. Our Basic Scheme

In this section, we first describe the construction of our GSW-style FHE scheme. Then, we analyze the correctness and noise growth, and finally prove its underlying security.

3.1. Construction

Recall that for a specific -bit odd integer p, we define the distribution as follows:
(i): Given a security parameter , choose the parameters according to and some constraints to ensure the correctness and security (see analysis below). Sample uniformly an -bit odd integer p. Sample an integer via rejection sampling. For , sample via rejection sampling, and define . Sample an integer and resample until is odd, write . Output the secret key and the public key .
(ii): Given a message , uniformly sample a matrix and output a -dimensional vector c:
(iii): Given a message , uniformly sample a vector and output an integer c:
(iv): Given two ciphertexts or for , output the following:
Integer-integer addition:
Vector-vector addition:
Integer-vector addition:
(v): Given two ciphertexts or for , output the following:
Vector-vector multiplication:
Vector-integer multiplication:
(vi): Given a -dimensional vector ciphertext c, first compute , and then output the following:
(vii): Given an integer ciphertext c, output the following:

3.2. Analysis of Correctness and Noise Growth

We first prove the correctness of our scheme and analyze the noise growth in encryption, decryption, and homomorphic operations procedures. Then we convert our scheme into a leveled FHE-OI scheme by analyzing the multiplicative circuit depth L. Finally, we show that when performing homomorphic multiplications in sequence, the resulting ciphertext can have a smaller noise growth.

Lemma 5 (encryption noise of integer ciphertext). Let and for a message , then where .

Proof. For a public key element vector and a random vector , it is easy to see that , where , and . Denote , where ; hence, we can write Since is odd, we have modulo p and for some . As a result, we have , where .

Lemma 6 (encryption noise of vector ciphertext). Let and for a message ; then, where .

Proof. For a public key element where , write , with and . Then, we have Define and , and then we have . Since and , we have and . Therefore, .

Lemma 7 (noise of integer-integer addition). Let and with for and . Then, where .

Proof. Since , we have where . Hence, we have .

Lemma 8 (noise of integer-vector addition). Let , with and with . Then, where .

Proof. Write , , and define where . Hence, we can write for some . As a result, we have .

Lemma 9 (noise of vector-vector addition). Let and with for and . Then, where .

Proof. , where . Define , and then we have , where . Hence, we have .

Lemma 10 (noise of vector-vector multiplication). Let and with for and . Then, where .

Proof. Write and , and then we have Define and . Since and , we have ; hence, we can write , where .

Lemma 11 (noise of vector-integer multiplication). Let , with and with . Then, where .

Proof. Write , and then we have where and . As a result, we have .

Lemma 12 (decryption noise of integer ciphertext). Let and an integer ciphertext c with for a message . Then, if .

Proof. Write . Since p is odd, we have which is correctly decrypted to m when . Hence, we have .

Lemma 13 (decryption noise of vector ciphertext). Let and a vector ciphertext c with for a message . Then, if .

Proof. For a ciphertext , first compute where and with . By Lemma 12, the ciphertext c is correctly decrypted to m when . Hence, we have .
The following lemma shows that our HE scheme can be converted to a leveled FHE-OI scheme to evaluate any binary circuit with depth L if the parameters satisfy some constraints.

Lemma 14. Given any binary circuit C with depth L, the HE scheme can be converted to a leveled FHE-OI scheme to evaluate this circuit if

Proof. Assume that the given circuit C only consists of multiplication gates; then, a ciphertext will undergo L homomorphic multiplications. We first consider the vector-vector multiplications. For , let be the ciphertext after the -th homomorphic multiplication, and be a fresh ciphertext. Let be the upper bound on the noise magnitude . First, we have by Lemma 6; then, after the -th homomorphic multiplication, we have by Lemma 10. By solving the recurrence equation, we obtain which should be smaller than for decryption correctness by Lemma 13. Hence, we have .
Note that vector-integer multiplications have a noise growth similar to that of vector-vector multiplications; hence, the analysis of vector-vector multiplication covers them and we omit a separate analysis of vector-integer multiplication.

Lemma 15 (sequentialization of homomorphic multiplication). Let and with for and , where k is an arbitrary positive integer larger than 1. Then, for any fixed multiplication sequence the noise component in satisfies .

Proof. Define ; hence, by Lemma 13. Define . Then we have . By recursively performing the above procedure, we finally obtain a ciphertext with the noise component satisfying .
The above lemma implies that when we perform homomorphic multiplications between L+1 fresh ciphertexts and undergo at most L multiplications, if we operate these ciphertexts by a fixed multiplication sequence in Lemma 15, then the resulting ciphertext will have a noise growth of . This growth is in contrast to the noise blowup in general homomorphic multiplications, i.e., in Lemma 14. This is a unique property in the GSW-style FHE scheme since the noise terms in ciphertexts grow asymmetrically. We can realize better noise management and evaluate a circuit with a multiplicative depth larger than L by applying this multiplication sequence in homomorphic evaluation.
Note that the method of sequentialization in homomorphic multiplication can also be applied to vector-integer multiplication since it has the same asymmetrical property as vector-vector multiplication and the noise growth is similar. Here we omit the analysis of vector-integer multiplication.
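The asymmetric noise growth behind Lemma 15, and the cost difference between vector-vector and vector-integer multiplication, can be observed on a toy instance. The following Python sketch is an added example, not code from the paper: it is a symmetric-key simplification with insecure toy sizes, a noise-free modulus x0 = p*q0, the standard powers-of-two gadget vector for vector ciphertexts, and m*floor(p/2) as the integer encoding; the class `ToyGSWOI`, the function `compare_orders` and the constants `RHO`, `ETA`, `Q_BITS` are hypothetical names.

```python
"""Toy GSW-style scheme over the integers (added illustration, insecure sizes)."""
import random

RHO = 8      # bit-length of fresh noise (assumed toy value)
ETA = 64     # bit-length of the secret odd integer p (assumed toy value)
Q_BITS = 32  # bit-length of q0 (assumed toy value)


class ToyGSWOI:
    def __init__(self, seed=1):
        self.rng = random.Random(seed)      # not a CSPRNG: reproducible demo only
        self.p = self.rng.getrandbits(ETA) | (1 << (ETA - 1)) | 1
        q0 = self.rng.getrandbits(Q_BITS) | (1 << (Q_BITS - 1))
        self.x0 = self.p * q0               # noise-free modulus (simplification)
        self.gamma = self.x0.bit_length()   # dimension of vector ciphertexts
        self.half = self.p // 2             # integer ciphertexts carry m * floor(p/2)

    def _zero(self):
        """Return p*q + r with |r| < 2^RHO, i.e. a noisy multiple of p."""
        q = self.rng.randrange(self.x0 // self.p)
        r = self.rng.randrange(-(1 << RHO) + 1, 1 << RHO)
        return self.p * q + r

    def enc_vec(self, m):
        # i-th coordinate hides m * 2^i (gadget vector of powers of two).
        return [((m << i) + self._zero()) % self.x0 for i in range(self.gamma)]

    def enc_int(self, m):
        return (m * self.half + self._zero()) % self.x0

    def _dot_bits(self, z, vec):
        """<BitDecomp(z), vec> mod x0: at most gamma big-integer additions."""
        acc = 0
        for j in range(self.gamma):
            if (z >> j) & 1:
                acc += vec[j]
        return acc % self.x0

    def mul_vv(self, a, b):
        # a is decomposed (binary matrix): its noise is kept, b's is amplified.
        return [self._dot_bits(ai, b) for ai in a]

    def mul_vi(self, vec, c):
        # The integer c is decomposed; the result is an integer ciphertext.
        return self._dot_bits(c, vec)

    def dec_int(self, c):
        t = c % self.p
        return ((4 * t + self.p) // (2 * self.p)) % 2   # round(2t/p) mod 2

    def dec_vec(self, vec):
        # Combine coordinates by the bits of floor(p/2), then decrypt as integer.
        return self.dec_int(self._dot_bits(self.half, vec))

    def noise_vec(self, vec, m):
        """Largest |noise| over all coordinates (uses the secret key)."""
        worst = 0
        for i, c in enumerate(vec):
            v = (c - (m << i)) % self.p
            v = v - self.p if v > self.p // 2 else v
            worst = max(worst, abs(v))
        return worst


def compare_orders(depth=4, seed=1):
    """Multiply depth+1 fresh encryptions of 1 in two different orders."""
    s = ToyGSWOI(seed)
    fresh = [s.enc_vec(1) for _ in range(depth + 1)]
    seq = gen = fresh[0]
    for c in fresh[1:]:
        seq = s.mul_vv(seq, c)   # accumulator decomposed: noise adds up
        gen = s.mul_vv(c, gen)   # accumulator amplified: noise multiplies
    return {
        "gamma": s.gamma,
        "seq_noise": s.noise_vec(seq, 1),
        "gen_noise": s.noise_vec(gen, 1),
        "seq_dec": s.dec_vec(seq),
        "gen_dec": s.dec_vec(gen),
        "vi_dec_one": s.dec_int(s.mul_vi(seq, s.enc_int(1))),
        "vi_dec_zero": s.dec_int(s.mul_vi(seq, s.enc_int(0))),
    }


if __name__ == "__main__":
    for key, value in compare_orders().items():
        print(f"{key:12s} {value}")
```

In this toy, `mul_vv` performs about gamma squared additions while `mul_vi` performs about gamma, and the noise measured after the sequential order stays within (1 + depth * gamma) times the fresh noise bound.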

3.3. Parameters

We present some constraints in choosing parameters to ensure the correctness and security against known attacks. Let L be the circuit depth in homomorphic evaluation and let be the security parameter. is the bit-length of the noise in public key elements, and it should satisfy to protect against brute force attacks on the noise [3, 5, 24, 25]. is the bit-length of the secret key p, and it should satisfy to ensure decryption correctness (see Lemma 14). is the bit-length of the public key elements , y and it should satisfy to thwart different lattice reduction attacks on the AGCD (as studied in [8]), such as orthogonal lattice attacks [2, 26], the simultaneous Diophantine approximation attack [27], and the multivariate polynomial attack [28]. is the number of integers in the public keys, and it should satisfy to be able to use the leftover hash lemma in the security proof.

To satisfy the above constraints, we can take

3.4. Semantic Security

We show that the security of our HE scheme can be based on the decisional-AGCD problem; the main step of the proof is to show that it is difficult to distinguish the ciphertext from a uniform integer modulo .

Theorem 1. The HE scheme is IND-CPA secure under the -decisional-AGCD assumption.

Proof. We use a three-step hybrid argument to prove that both the integer and vector ciphertexts in our HE scheme are computationally indistinguishable, i.e., no probabilistic polynomial-time adversary can distinguish these ciphertexts.
Hybrid : Let ), and for a message . By the leftover hash lemma in Lemmas 2 and 3, the tuple ( (mod ), (mod )) is within an exponentially small statistical distance by . As a result, the tuple ( (mod ), (mod )) is within an exponentially small statistical distance by , independent of the underlying plaintext. Hence, we have
Hybrid : Let U be the uniform distribution over . In this hybrid, we replace the s in the public keys by sampling from . We first sample via rejection sampling. Then, we sample via rejection sampling for , write , and output . The resulting public key distribution is computationally indistinguishable from the genuine public key distribution in by Lemma 4. Hence, we have
Hybrid : Define and for . By the leftover hash lemma in Lemmas 2 and 3, the tuple ( (mod ), (mod )) is within an exponentially small statistical distance by . As a result, the tuple ( (mod ), (mod )) is within an exponentially small statistical distance by , independent of the underlying plaintext. Hence, we have
Finally, we conclude that which proves the IND-CPA security of the HE scheme.

4. Ciphertext Compression

The above HE scheme reduces the ciphertext expansion in BBL17 [10] by generating two types of ciphertexts. Moreover, the computational efficiency in homomorphic evaluation can be improved by hybrid homomorphic operations between integers and vectors. However, the size of the vector ciphertext () is still a bottleneck to making our scheme more efficient.

In this section, we will use a technique of ciphertext compression to reduce the size of both integer and vector ciphertexts. The technique was first proposed in CS15 [8], and we observe that it can also be applied to our HE scheme.

Note that the plaintext bit m is embedded into the most significant bit of the integer ciphertext c modulo p, i.e., . For vector ciphertext c, first compute ; then, has the same form as integer ciphertext c (see the proof in Lemma 13). In this case, some least significant bits of ciphertexts c and are irrelevant for decryption correctness, and therefore, we can truncate these bits to obtain a ciphertext of smaller size. However, the number of bits we can truncate must be limited to an upper bound since the decryption failure probability becomes overwhelming if we truncate more bits. According to CS15 [8], truncating a ciphertext by bits can result in optimal performance. We follow this approach and describe the truncation procedure in the HE scheme below.

Define . For integer ciphertext c, define so that . For vector ciphertext c, define , where is the -th coordinate in vector c. In the following, we formally present the truncated version of the HE scheme (we call this truncated scheme THE).
(i) [THE Encryption]
(1) For encryption of the integer ciphertext, let and with for a message . Then, where , and the noise component is by Lemma 5.
(2) For encryption of the vector ciphertext, let and with for a message . Write , and then we have . Then, where , , , , , and the noise component is by Lemma 6.
(ii) [THE Addition]
(1) For integer-integer addition, where , , , , and . The noise component is .
(2) For vector-vector addition, where , , , and . The noise component is .
(3) For integer-vector addition, first compute where , , We have , . Then, compute where , , , and with , . The noise component is .
(iii) [THE Multiplication]
(1) For vector-vector multiplication, where , , , and . The noise component is .
(2) For vector-integer multiplication, where , , , and . The noise component is .
(iv) [THE Decryption]
(1) For decryption of the integer ciphertext, which is correctly decrypted to m when . Hence, we have .
(2) For decryption of the vector ciphertext, first compute where , , and with and . Then, compute where . To ensure the decryption correctness, equation (53) should satisfy , which is equivalent to . Hence, we have .

By applying the above THE scheme, the size of integer and vector ciphertexts in HE scheme can be reduced to and . Besides, the noise growth in homomorphic evaluation is similar between the two schemes. As a result, if the is set small, the spatial and computational efficiency in the THE scheme can be significantly improved.

In CS15 [8], the authors set to obtain an integer ciphertext of small size, but this was proved insecure in subsequent works. In [22], the authors proposed an optimized OL attack to obtain the most significant bits of the secret key p, and the computational complexity was . Therefore, to thwart this optimized OL attack and obtain a security level of , we need to set , which significantly reduces the size of ciphertexts. Moreover, the truncated scheme is as secure as before. Consequently, we have a better spatial and computational efficiency compared to the HE scheme.

To satisfy the above conditions and the constraints in Section 3.3, we can set

5. Comparison with Prior Works

In this section, we compare our scheme with prior schemes, such as CLT14 [7], CS15 [8], BBL17 [10], and Per20b [19]. We show that our scheme has more advantages with regard to spatial and computational efficiency.

Our HE scheme reduces the ciphertext expansion by generating integer and vector ciphertexts instead of only generating vector ciphertexts as in BBL17 [10]. Additionally, the size of both ciphertexts can be further reduced by applying the THE scheme. Compared to CLT14 [7], the vector ciphertexts in the HE scheme have a larger size since the CLT14 [7] scheme only consists of integer ciphertexts; moreover, by applying the THE scheme, the vector ciphertexts are similar to the integer ciphertexts in CLT14 [7]. However, we cannot compare our schemes with Per20b [19] directly since Per20b used a variant called RAGCD and it has a larger message space such that . However, we can convert Per20b into a general AGCD scheme and set message space to by restricting the parameters to some concrete values. Roughly, we can take and set the size of scalar and vector ciphertexts in Per20b equal to and . In this way, we can see that our schemes have similar performance as Per20b. Table 1 shows the concrete parameters of the size of ciphertexts in our schemes and prior schemes.

In homomorphic evaluation, since the multiplication procedure takes up most of the running time, it determines the final computational efficiency. In the following, we show that the homomorphic multiplication in our scheme has more advantages than prior schemes.

Note that the vector-vector multiplication in our HE scheme includes the general multiplication operation between a vector and a decomposed vector (a binary matrix). Vector-vector multiplication must compute times (for each coefficient) about modular additions of -bit numbers; this procedure has an asymptotic computational complexity of , which is identical to that of prior schemes. However, the vector-integer multiplication in our HE scheme is between a vector and a decomposed integer (a binary vector), and it only requires computation of about modular additions of -bit numbers and has a computational complexity of . This complexity is smaller than that of CLT14, CS15, and BBL17, and is identical to the vector-scalar multiplication of Per20b. Furthermore, by applying the THE scheme, both kinds of multiplications are faster than in prior schemes since they have a smaller computational complexity of and . Table 2 shows the asymptotic computational complexity of homomorphic multiplication in our scheme and prior schemes.

6. Conclusion

In this work, we present a GSW-style FHE-OI scheme and reduce the ciphertext expansion by generating integer and vector ciphertexts. The computational efficiency in homomorphic evaluation is improved by hybrid homomorphic operations between integers and vectors, especially when performing vector-integer multiplications. Our computational complexity is better than those of all prior leveled FHE-OI schemes. By applying sequentialization in homomorphic multiplications, the noise growth in the resulting ciphertext is smaller than that produced through general multiplications, and therefore, our scheme can evaluate a circuit with a larger multiplicative depth under the same parameter settings as general multiplications. Finally, the efficiency in our scheme can be further improved by a technique of ciphertext compression called truncation, and the optimized scheme is as secure as before when it comes to thwarting known attacks. Note that our scheme can also be generalized to SIMD operations such as the batch technique based on Chinese remainder theorem and larger prime message space.

Data Availability

No data were used to support this study.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Authors’ Contributions

Ruwei Huang and Bo Yang contributed equally to this work.

Acknowledgments

This work was supported in part by the National Natural Science Foundation Project under Grant No. 62062009 and the Guangxi Innovation-Driven Development Project under Grant Nos. AA17204058-17 and AA18118047-7.