Abstract
Gentry, Sahai, and Waters (CRYPTO 2013) proposed the notion of multi-identity fully homomorphic encryption (MIFHE), which allows homomorphic evaluation of data encrypted under multiple identities. Subsequently, Clear and McGoldrick (CANS 2014, CRYPTO 2015) proposed leveled MIFHE candidates. However, the proposed MIFHE schemes are either based on iO, which is a nonstandard assumption, or single hop; that is, an arbitrary “evaluated” ciphertext under a set of identities is difficult to evaluate further together with new ciphertexts encrypted under additional identities. To overcome these drawbacks, we propose a leveled multi-hop MIFHE scheme. In a multi-hop MIFHE scheme, one can evaluate a group of ciphertexts under a set of identities to obtain an “evaluated” ciphertext, which can be further evaluated with other ciphertexts encrypted under additional identities. We also show that the proposed MIFHE scheme is secure against selective identity and chosen-plaintext attacks (IND-sID-CPA) under the learning with errors (LWE) assumption.
1. Introduction
The idea of homomorphic encryption was first proposed by Rivest et al. [1] in 1978. Constructing a scheme with homomorphic properties was long a difficult problem for cryptographers. With the advent of the information age and the development of cloud computing technology, solving this problem became particularly urgent. It was not until 2009 that Gentry proposed the first fully homomorphic encryption (FHE) system based on ideal lattices, allowing anyone without the secret key to compute any efficiently computable function over encrypted data [2]. Because FHE is well suited to cloud computing without compromising security, it has quickly become a hot research topic [3–7].
All of the above FHE schemes are single-key homomorphic; that is, they are only suitable for the homomorphic evaluation of ciphertexts encrypted under a single key. However, in many realistic scenarios, the ciphertexts to be evaluated are encrypted under multiple different keys. Therefore, at STOC 2012, López-Alt, Tromer, and Vaikuntanathan [8] proposed the first cryptographic construction of multi-key fully homomorphic encryption (MKFHE), based on NTRU, which enables the evaluation of data encrypted under different keys. Subsequently, a large number of articles appeared that improve MKFHE, including single hop only [9, 10], multi-hop with bootstrapping [11–16], and multi-hop without bootstrapping [17].
Although (MK)FHE schemes have extensive applications, they require complex certificate management in implementation. To simplify certificate management, Naccache [18] introduced the notion of identity-based fully homomorphic encryption (IBFHE), where there is no user-specific key that the evaluator must use. In particular, in an IBFHE scheme, any evaluator can perform homomorphic operations on data encrypted under a single identity using only the public parameters. In 2013, Gentry et al. [7] constructed an IBFHE scheme from GSW-FHE. This IBFHE scheme only allows homomorphic evaluation of data encrypted under a single identity, not under multiple identities. Clear and McGoldrick [19] gave an MIFHE based on indistinguishability obfuscation (iO) [20] to overcome the single-identity limitation at CANS 2014. Then, they [9] proposed a leveled MIFHE candidate under LWE in the random oracle model at CRYPTO 2015. However, the latter scheme needs to fix the number of users participating in a homomorphic evaluation in advance, and new users cannot be added during the operation, so it is single hop in the MIFHE sense. In 2017, Canetti et al. [21] proposed two MIFHE schemes. The first combines MKFHE and identity-based encryption (IBE) on the fly; therefore, the ciphertext expansion depends on the number of ciphertexts, which is not compact. The second is nonleveled, but uses iO. In 2020, with the help of an MKFHE, Pal and Dutta [22] extended IBE to a CCA1-secure MIFHE scheme. However, their extension process uses a witness pseudorandom function (WPRF), which is a nonstandard assumption. Recently, Shen et al. [23] proposed a compressible MIFHE scheme based on [9, 10, 24]. The scheme is selectively secure under the LWE assumption and can reach an optimal compression rate, but it is single hop.
Thus, it is interesting to construct a compact MIFHE scheme with the multi-hop homomorphism under standard assumption, where one can evaluate a group of ciphertexts under a set of identities to obtain an “evaluated” ciphertext, which can be further evaluated with other ciphertexts encrypted under additional identities.
1.1. Contribution
We propose a leveled multi-hop MIFHE scheme adapted from GPV-FHE [25], following the construction method of PS-MKFHE, the leveled multi-hop MKFHE scheme built by Peikert and Shiehian [17]. We show that it is compact and IND-sID-CPA secure under the LWE assumption in the random oracle model. In our construction, we use a fully homomorphic commitment to the plaintext bit to support the homomorphic operations. Additionally, by combining our scheme with the transformation from MIFHE to nonadaptive chosen-ciphertext attack (CCA1) secure FHE proposed by Canetti et al. [21], we can obtain a CCA1-secure FHE with multi-hop homomorphism. Finally, we note that our construction can be applied in the ring setting, as in [9], for shorter parameters.
1.2. Technical Overview
It is well known that the efficient multi-hop MKFHE schemes obtained by bootstrapping are difficult to generalize to MIFHE, because the public homomorphic evaluation key cannot be extracted from the identity secret key: it is a ciphertext of , and the is not even generated before decryption. Therefore, we focus on PS-MKFHE [17], which does not use bootstrapping. Our key observation is that we can construct a multi-hop MIFHE scheme following the ideas introduced by Peikert and Shiehian [17]. They built multi-hop MKFHE schemes to overcome the single hop drawback of the MKFHE schemes [9, 10]. In their first construction, a ciphertext consists of , where is a GSW-FHE ciphertext [7] that encrypts message , is a fully homomorphic commitment [26] to the same message, and is a special encryption of the commitment randomness implied in under the same key as . Here, enables expanding to with additional keys (using part of the public key) and preserves an invariant that can be used further. In short, after expansion or evaluation, the form of is preserved, and this is what supports multi-hop computation with respect to additional keys.
However, it is nontrivial to construct a multi-hop MIFHE scheme because PS-MKFHE [17] is built from GSW-FHE [7] but not from GPV-FHE [26]. For simplicity, we now informally describe a multi-hop MKFHE from GPV-FHE [26], which can be converted into a multi-hop MIFHE scheme (see Section 3).
In a multi-hop MKFHE scheme based on GPV-FHE, a ciphertext under a secret key consists of four components :
(1) A GPV-FHE ciphertext that encrypts under .
(2) A GPV-FHE style fully homomorphic commitment to the same message with underlying commitment randomness .
(3) A special encryption under of the former part of the commitment randomness .
(4) Another special encryption under of the latter part of the commitment randomness .
To expand to an additional secret key , we define , where is derived from . The commitment is preserved, and are padded with zeros to fit the longer secret key . Moreover, the homomorphic evaluation can be designed simply as in GPV-FHE (see Section 3 for more details about our MIFHE scheme).
1.3. Paper Organization
First, we recall some notions, definitions, and facts in Section 2. Then, we propose our MIFHE scheme and show that it is IND-sID-CPA secure in Section 3. Finally, we conclude in Section 4.
2. Preliminaries
Let us start with the notation that will be used throughout the study. We use bold uppercase letters (e.g., ) to represent matrices. Similarly, bold lowercase letters (e.g., ) represent column vectors. We use to denote the entry of and to denote the entry of . denotes the concatenation of two matrices. Similarly, denotes the concatenation of two column vectors. Let denote the security parameter. We define for any positive integer . Let negl denote a negligible function, one that grows slower than for any constant and all sufficiently large . An event occurs with overwhelming probability if it occurs with probability at least .
2.1. Basic Notions
2.1.1. Approximations
Very recently, Peikert and Shiehian [17] suggested a simple notation to indicate that the two sides of some “noisy equation,” as used extensively in lattice-based cryptography, are approximately equal up to an additive error. We follow their notation and write:
to indicate that for some . The notation extends naturally to vectors and matrices using the infinity norm.
2.1.2. Tensor Product
For matrices , tensor product is an matrix, which consists of blocks, whose block is .
In this work, we widely use the mixed-product property: for any matrices with compatible dimensions, it holds that:
2.2. Background on Lattices
2.2.1. Lattices
For matrix , we define the -ary integer lattice in this way:
For vector , we now define the coset (or “shifted” lattice) in this way:
2.2.2. LWE
The learning with errors (LWE) problem was first introduced by Regev [27] as an extension of the “learning parity with noise.” In this study, we define the decisional learning with errors (DLWE) problem that is equivalent to LWE for certain parameters as follows.
Definition 1. (Decisional Learning with Errors (DLWE)) For positive integers and an error distribution over , the DLWE problem is to distinguish with nonnegligible advantage between , where , and sampled uniformly at random from .
Let be the discrete Gaussian distribution over with parameter ; this is a well-established instantiation of LWE. A sample drawn from this distribution has magnitude bounded by except with probability at most . For this parameterization and any , LWE is known, via a quantum reduction, to be at least as hard as certain worst-case problems (e.g., the shortest independent vectors problem) on -dimensional lattices with approximation factor [27]. Classical reductions are also known for subexponential modulus [28] and polynomial modulus [29].
In this work, we rely on the tensor form of LWE denoted by TLWE and the matrix form of LWE denoted by MLWE, whose specific definitions are introduced below.
Definition 2. (The Matrix Form of Learning with Errors (MLWE)) For positive integers and an error distribution over , the MLWE problem is to distinguish with nonnegligible advantage between , where , and sampled uniformly at random from .
Definition 3. (The Tensor Form of Learning with Errors (TLWE)) For positive integers and an error distribution over , the TLWE problem is to distinguish with nonnegligible advantage between , where , and denotes the -dimensional identity matrix, and sampled uniformly at random from .
By a standard hybrid argument, MLWE is equivalent to DLWE with at most a factor loss in the distinguishing advantage, and TLWE is equivalent to MLWE with at most a factor loss in the distinguishing advantage.
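To make the decisional problem of Definition 1 and the bounded-error parameterization above concrete, the following toy is an added example and is not code from the paper or its authors. It generates DLWE samples (A, A s + e mod q) and uniform samples (A, u), shows that a party holding the secret s can tell them apart by checking that every residual b − A s is small, and then applies the rounding rule used by the decryption algorithm in Section 3.1 (output 0 if the recovered term is closer to 0, otherwise 1) to a single noisy equation. Assumptions: the error is a rounded Gaussian with standard deviation sigma standing in for the discrete Gaussian, the illustrative tail bound is B = sigma·sqrt(n), and the bit is placed at floor(q/2); none of these values are the paper's parameters.

```python
import numpy as np

def sample_error(rng, size, sigma):
    """Rounded Gaussian with standard deviation sigma (assumption: stand-in for the discrete Gaussian)."""
    return np.rint(rng.normal(0.0, sigma, size=size)).astype(np.int64)

def centered(x, q):
    """Representative of x mod q in the symmetric range (-q/2, q/2]."""
    x = np.asarray(x, dtype=np.int64) % q
    return np.where(x > q // 2, x - q, x)

def lwe_samples(rng, n, m, q, sigma, s):
    """m DLWE samples (A, b = A s + e mod q) for a secret s in Z_q^n."""
    A = rng.integers(0, q, size=(m, n), dtype=np.int64)
    e = sample_error(rng, m, sigma)
    b = (A @ s + e) % q
    return A, b, e

def uniform_samples(rng, n, m, q):
    """The uniform side of the DLWE distinguishing game: (A, u) with u uniform in Z_q^m."""
    A = rng.integers(0, q, size=(m, n), dtype=np.int64)
    u = rng.integers(0, q, size=m, dtype=np.int64)
    return A, u

def noise_bound(n, sigma):
    """Illustrative tail bound B = sigma*sqrt(n) (assumption; not the paper's bound)."""
    return int(np.ceil(sigma * np.sqrt(n)))

def looks_like_lwe(A, b, s, q, B):
    """With the secret, recover b - A s and test that every residual is B-bounded.
    Uniform samples fail this test with overwhelming probability when B << q/2."""
    r = centered(b - A @ s, q)
    return bool(np.all(np.abs(r) <= B))

def encode_bit(rng, n, q, sigma, s, bit):
    """One noisy equation c = <a, s> + e + bit*floor(q/2) mod q (constructed toy encoding)."""
    a = rng.integers(0, q, size=n, dtype=np.int64)
    e = int(sample_error(rng, 1, sigma)[0])
    c = (int(a @ s) + e + bit * (q // 2)) % q
    return a, c

def decode_bit(a, c, s, q):
    """Rounding rule: remove <a, s>, center, output 0 if closer to 0 than to q/2, else 1.
    Correct whenever the error magnitude stays below q/4."""
    r = int(centered(c - a @ s, q))
    return 0 if abs(r) < q // 4 else 1

def run_demo(n=64, m=256, q=1 << 15, sigma=3.0, seed=1):
    """Run the distinguishing test and 50 encode/decode rounds; returns a dict of checks."""
    rng = np.random.default_rng(seed)
    s = rng.integers(0, q, size=n, dtype=np.int64)
    B = noise_bound(n, sigma)
    A, b, e = lwe_samples(rng, n, m, q, sigma, s)
    U, u = uniform_samples(rng, n, m, q)
    bits = [int(x) for x in rng.integers(0, 2, size=50)]
    decoded = [decode_bit(*encode_bit(rng, n, q, sigma, s, bb), s, q) for bb in bits]
    return {
        "error_bounded": bool(np.all(np.abs(e) <= B)),   # sampled errors respect B
        "lwe_detected": looks_like_lwe(A, b, s, q, B),    # True: residuals are small
        "uniform_detected": looks_like_lwe(U, u, s, q, B),  # False: residuals are random
        "decode_ok": decoded == bits,                     # rounding recovers every bit
        "B_below_q_over_4": B < q // 4,                   # the correctness condition
    }

if __name__ == "__main__":
    print(run_demo())
```

The point of `looks_like_lwe` is that the decisional problem is only hard without the secret: the same residual computation that the legitimate decryptor performs is exactly what an adversary cannot do, and the gap between the error bound B and q/4 is what later sections turn into a parameter-setting constraint.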
2.2.3. Lattice Trapdoor
We recall some facts about trapdoor generation and preimage sampling algorithms with important properties [30]. Since the implementation details are not strictly necessary in this work, we omit them. Note that there are improved algorithms, but only within a factor [31].
Lemma 1 (see [30]). Let , be odd, and . There is a probabilistic polynomial time algorithm that outputs a pair , such that is statistically close to a uniform matrix in , and is a basis for satisfying and with overwhelming probability in .
Lemma 2 (see [30]). Let be a positive integer, be a prime, and . Then, for all but a fraction of all and for any , the distribution of the syndrome is statistically close to uniform over , where .
Lemma 3 (see [30]). Set from Lemma 1. Then, for a parameter and a uniformly random vector , there is a PPT algorithm that outputs a vector sampled from a distribution statistically close to ; thus, whenever is not empty.
2.2.4. Gadget Matrices and Bit Decomposition
We recall a useful notion of gadget matrix, which was first introduced in [31], to decompose vectors or matrices over into short vectors or matrices over .
For integer , let . Gadget matrix and bit decomposition function are defined, which outputs a binary column vector that consists of the binary representation of its argument, such that , for any .
More generally, for any positive integer , is defined, where denotes the -dimensional identity matrix. For any , the general bit decomposition function outputs a binary matrix (invoking ), such that , for . Additionally, we often write for simplicity.
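The following is an added example, not code from the paper or its authors, that builds the gadget matrix from the tensor (Kronecker) product of Section 2.1.2, implements the bit decomposition function, and checks the two facts the text relies on: the mixed-product property and the identity G·G⁻¹(X) = X mod q. It also shows why the decomposition matters for noise control, as remarked in Section 3.1: multiplying a bounded error vector by the 0/1-valued G⁻¹(X) grows its infinity norm by at most the number of rows of the decomposition. Assumptions: the block fixes the ordering G = I_n ⊗ gᵀ with g = (1, 2, …, 2^(ℓ−1)) and ℓ = ⌈log₂ q⌉, decomposes least-significant bit first, and uses a bound of ℓ·n times the input error, which is the generic bound rather than the paper's.

```python
import numpy as np

def gadget_vector(q):
    """g = (1, 2, 4, ..., 2^(l-1)) with l = ceil(log2 q); returns (g, l)."""
    ell = int(np.ceil(np.log2(q)))
    return np.array([1 << i for i in range(ell)], dtype=np.int64), ell

def gadget_matrix(n, q):
    """G = I_n (x) g^T, an n x (n*l) matrix built with the Kronecker product.
    Assumption: this ordering is chosen for the example; the paper's ordering is not reproduced."""
    g, _ = gadget_vector(q)
    return np.kron(np.eye(n, dtype=np.int64), g.reshape(1, -1))

def bit_decompose(x, q):
    """G^{-1} on a vector: binary vector of length n*l; block i holds the bits of x_i, LSB first."""
    _, ell = gadget_vector(q)
    x = np.asarray(x, dtype=np.int64) % q
    return np.array([(int(v) >> i) & 1 for v in x for i in range(ell)], dtype=np.int64)

def bit_decompose_matrix(X, q):
    """G^{-1} on a matrix: decompose each column independently (n x m -> n*l x m)."""
    X = np.asarray(X, dtype=np.int64) % q
    return np.column_stack([bit_decompose(X[:, j], q) for j in range(X.shape[1])])

def check_gadget_identity(n, m, q, seed=0):
    """Verify G * G^{-1}(X) = X (mod q) on a random X and that G^{-1}(X) is 0/1-valued."""
    rng = np.random.default_rng(seed)
    X = rng.integers(0, q, size=(n, m), dtype=np.int64)
    D = bit_decompose_matrix(X, q)
    G = gadget_matrix(n, q)
    reconstructs = np.array_equal((G @ D) % q, X)
    short = int(np.max(np.abs(D))) <= 1
    return bool(reconstructs and short)

def check_mixed_product(seed=0):
    """Verify (A (x) B)(C (x) D) = (AC) (x) (BD) on random small integer matrices."""
    rng = np.random.default_rng(seed)
    A = rng.integers(-5, 6, size=(2, 3))
    B = rng.integers(-5, 6, size=(4, 5))
    C = rng.integers(-5, 6, size=(3, 2))
    D = rng.integers(-5, 6, size=(5, 1))
    lhs = np.kron(A, B) @ np.kron(C, D)
    rhs = np.kron(A @ C, B @ D)
    return bool(np.array_equal(lhs, rhs))

def decomposed_noise(e, X, q):
    """Error growth from right-multiplying a bounded error row e (length n*l) by G^{-1}(X):
    returns (max |e * G^{-1}(X)|, generic bound n*l * max|e|). Constructed bound, not the paper's."""
    D = bit_decompose_matrix(X, q)
    e = np.asarray(e, dtype=np.int64)
    grown = int(np.max(np.abs(e @ D)))
    bound = int(np.max(np.abs(e))) * D.shape[0]
    return grown, bound

if __name__ == "__main__":
    q, n, m = 1 << 10, 4, 6
    print(check_gadget_identity(n, m, q), check_mixed_product())
    rng = np.random.default_rng(3)
    X = rng.integers(0, q, size=(n, m), dtype=np.int64)
    e = rng.integers(-8, 9, size=n * 10)  # constructed error bounded by 8
    print(decomposed_noise(e, X, q))
```

The check in `check_gadget_identity` is the property used whenever a ciphertext is right-multiplied by a decomposition: the product reconstructs the original matrix, while the multiplier stays 0/1-valued so the error term is multiplied by something short rather than by arbitrary elements of Z_q.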
2.3. Multi-Identity Fully Homomorphic Encryption
We begin with the definition of the leveled multi-hop MIFHE, which is adapted and summarized from the definition of the single-hop MIFHE in [9], definition of the single-hop MKFHE in [10], and definition of the multi-hop MKFHE in [17]. Here, we require a bound on the NAND circuit depth and a bound on the number of identities in one evaluation, and we mainly focus on the bit encryption scheme and [17].
Now, a ciphertext is called a “fresh” ciphertext if it is generated by the encryption algorithm defined below (i.e., it corresponds to a single identity), an “expanded” ciphertext if it is the output of expansion algorithm (which relates to multiple identities), or an “evaluated” ciphertext if it is the output of homomorphic evaluation algorithm .
Definition 4. A leveled multi-hop multi-identity fully homomorphic encryption scheme consists of six PPT algorithms defined as follows:
(i) : on input a security parameter , a bound on the NAND circuit depth, and a bound on the number of identities involved in one evaluation, generate a master public key and a master secret key , and output . Here, the security parameter also defines an identity space .
(ii) : on input , , and an identity , extract a user-specific secret key and output it.
(iii) : on input , an identity , and a bit , output a “fresh” ciphertext .
(iv) : on input , an identity , and any (“fresh,” “expanded,” or “evaluated”) ciphertext under identities , compute and output an “expanded” ciphertext under identities .
(v) : on input , an NAND circuit , and ciphertexts , output an “evaluated” ciphertext .
(vi) : on input secret keys corresponding to identities and any ciphertext , output a bit .
We underline that we will homomorphically evaluate any NAND circuit gate by gate as described in [17], which indicates that the evaluation is multi-hop as previous multi-key FHE schemes [8, 17].
2.3.1. Correctness
A leveled multi-hop MIFHE scheme is correct if it satisfies the following conditions. For all positive integers , for every NAND circuit of depth at most with input wires, for every function (which relates each input wire to a key pair), and for every , the following experiment succeeds with overwhelming probability: , generate identity key pairs for every , generate ciphertext for every , compute (may invoke algorithm ), and finally check whether .
2.3.2. Compactness
A leveled multi-hop MIFHE scheme is compact if there exists a polynomial such that in the experiment from Definition 4. In other words, the length of is independent of both and but can depend polynomially on , and .
2.3.3. Security
The security game of MIFHE is the same as that of IBE; there is no reference to the expansion algorithm or the evaluation algorithm because both are public and do not affect security. In this study, we focus on semantic security under selective-identity, chosen-plaintext attack, captured by the IND-sID-CPA security game for MIFHE between a challenger and a PPT attacker , which is defined as follows:
(i) Initial Stage. Attacker is given the bound on the NAND circuit depth and the bound on the number of identities and outputs a target identity .
(ii) Setup. Challenger runs to generate and sends to attacker .
(iii) Query Stage 1. Adversary adaptively issues queries on any identity such that . Challenger runs to obtain the identity secret key corresponding to and sends back to .
(iv) Challenge. Challenger selects a uniformly random bit , computes a challenge ciphertext , and sends it to attacker .
(v) Query Stage 2. Adversary issues additional adaptive identity secret key queries, and challenger responds as in Query Stage 1.
(vi) Output. The attacker outputs a guess and wins if .
The advantage of the attacker in the above IND-sID-CPA security game is defined as , where the probability is taken over the random bits used by all algorithms in the game.
Definition 5. A leveled multi-identity fully homomorphic encryption scheme is IND-sID-CPA secure if any PPT attacker has at most a negligible advantage in the IND-sID-CPA security game defined above.
3. Multi-Identity Fully Homomorphic Encryption
3.1. MIFHE Scheme
In this section, we will describe the proposed MIFHE scheme. We present one more algorithm to help understand .
We parameterize the system by dimension , modulus , and error distribution for the underlying LWE problem; we set , , and . For worst-case security, we set to be the standard discrete Gaussian distribution over with parameter , which implies that samples drawn from have magnitude bounded by except with probability . The modulus is set in Section 3.2 based on the bound on the maximum depth of the supported circuit and the bound on the number of identities. The scheme is described as follows:
(i) : On input security parameter , bound on the NAND circuit depth, and bound on the number of identities in one evaluation, do:
(1) Run algorithm TrapGen to generate a uniformly random matrix with a short basis for such that .
(2) Choose a vector and set .
(3) Output as the master public key and as the master secret key.
(ii) MIFHE.Extract : on input , , and identity , do:
(1) If is from a previous query on identity , then return . Otherwise, compute , where is a hash function modeled as a random oracle.
(2) Run to output a vector such that . Set the user-specific secret key , and store locally. Note that and .
(3) Output .
(iii) MIFHE.Enc : on input master public key , identity , and bit message , do:
(1) Set and compute , where is the th standard unit (column) vector. (Remark: observe that .)
(2) Choose a uniformly random matrix and a discrete Gaussian matrix , and define the following: Note that is exactly a GPV-FHE ciphertext [26] encrypting under the secret key . In particular,
(3) Choose a matrix and a discrete Gaussian matrix , and define the following: Here, is regarded as a commitment to the message under commitment randomness .
(4) Choose a matrix and a discrete Gaussian matrix , and define the following: Note that Therefore, is regarded as a sort of encryption of , the former part of the commitment randomness used in . (The tensor product with , which corresponds to the bit decomposition appearing in the expansion algorithm, is vital to control the error growth.)
(5) Choose a uniformly random matrix and a discrete Gaussian matrix , and define the following: Note that: Therefore, is regarded as a sort of encryption of , the latter part of the commitment randomness used in .
(6) Output the “fresh” ciphertext under identity .
(iv) MIFHE.Expand : on input , identity , and ciphertext encrypting under identities , do:
(1) Set .
(2) Define the following: where is defined as follows:
(3) Leave the commitment and its randomness unchanged: , and .
(4) Define the following:
(5) Similarly, define the following:
(6) Output as the “expanded” ciphertext under identities , .
(v) MIFHE.NAND : on input two ciphertexts that encrypt under identities , do:
(1) Define the following:
(2) Define the following:
(3) Define the following:
(4) Define the following:
(5) Finally, output as the “evaluated” NAND ciphertext.
(vi) MIFHE.Eval : on input , NAND circuit , and ciphertexts , compute homomorphically over the ciphertexts gate by gate by invoking MIFHE.Expand and MIFHE.NAND, and output an “evaluated” ciphertext .
(vii) : on input the secret keys and a ciphertext under identities , let be the (column) concatenation of the secret keys , and compute: If , where is set in the next section, we can recover from the last entry of the vector : if this entry is closer to 0, output 0; otherwise, output 1.
3.2. Analyzing the Noise Growth and Setting the Parameters
Now, we provide the reasons for definitions and analyze the noise growth in and to easily set the parameters. We instantiate the parameters and ensure correctness of .
First, as described in the previous section for the algorithm, we carry out the following analysis:
(1) We have the following: Given that is the (column) concatenation of the secret keys corresponding to identities , respectively, and a new secret key , which is the secret key of , we set and then have the following: which indicates that (7) holds. In general, the error implied in the “expanded” ciphertext is as follows:
(2) This visibly satisfies equation (8), and the error implied in the “expanded” ciphertext is as follows:
(3) We have the following: It is obvious that: Thus, (10) is preserved under expansion.
(4) We have the following: Similar to the above step, (12) is also preserved under expansion as follows:
Second, we analyze the algorithm.
(1) We have the following: With , which is the (column) concatenation of the secret keys corresponding to identities , we have the following: which indicates that (7) holds. In total, the error implied in the NAND ciphertext is as follows:
(2) We have the following: and the commitment randomness is as follows: By a simple computation, we can see that (8) is preserved:
(3) We have the following: To see that (10) holds for , first note that: Second, note that: Finally, from the above, we have the following: which indicates that (10) holds.
(4) We have the following: To see that (12) holds for , first note that: Second, note that: Finally, from the above, we have the following: which indicates that (12) holds.
Then, as [17], we now instantiate the parameters by bounding the worst-case error growth when homomorphically computing a depth NAND circuit for up to distinct identities. For a ciphertext with commitment randomness , the max error is defined:
With the bounds from the above, for any ciphertext with errors bounded by , its “expanded” ciphertext has a max error of at most . Similarly, when we homomorphically compute an NAND gate on two ciphertexts with errors bounded by , the result has a max error of at most . Thus, after computing any depth NAND circuit on “fresh” ciphertexts under distinct keys, the result has a max error of at most:
Thus, we can set for the correctness of decryption. Recall that ; therefore, . Thus, the security of our scheme corresponds to a worst-case -dimensional lattice problem with an approximation factor of .
Finally, the compactness requirement is satisfied because any ciphertext in our construction is bounded by .
3.3. Security
Now, we prove that the proposed scheme MIFHE is IND-sID-CPA secure under the hardness of the DLWE assumption in the random oracle model.
Theorem 1. The multi-hop multi-identity fully homomorphic encryption scheme MIFHE, which was constructed in Section 3.1, is IND-sID-CPA secure in the random oracle model assuming that the DLWEassumption holds.
Proof. We prove the security of the proposed scheme MIFHE using a sequence of hybrid games. The first game is the real IND-sID-CPA security game of Definition 5, and the last is the ideal game, in which the challenge ciphertext (except the challenge identity ) is uniformly random and independent of the challenge bit . The hybrid games are as follows.
Game 0: This is the original IND-sID-CPA security game described in Definition 5. Recall that is the target identity; that is, attacker plans to attack , and the challenge ciphertext encrypts .
Game 1: In this game, we change the methods of generating the master public key , answering hash (random oracle) queries, and answering identity secret key queries as follows.
(1) Uniformly select at random a matrix and a vector , and set .
(2) Uniformly select at random a vector .
(3) When attacker issues a hash query on identity , do:
(a) If , return .
(b) Otherwise, if , return .
(c) Otherwise, sample a vector , compute , set , store locally, and return .
(4) When attacker issues an identity secret key query on identity , where , assume without loss of generality that has already queried on , and return , where .
Game 2: This game is the same as Game 1, except that , which is a part of the challenge ciphertext, is selected as uniformly random independent elements in .
Game 3: This game is the same as Game 2, except that is selected as a uniformly random element in . Game 3 is the ideal game.
We now show that consecutive hybrid games are indistinguishable.
Lemma 4. Game 0 and Game 1 are statistically indistinguishable.
Proof. We show that Game 0 is statistically close to Game 1 by analyzing that the changes are undetectable by any attacker between them step by step using Lemmas 1–3.
First, note that while the former part of master public key is generated by running algorithm (with a trapdoor ) in Game 0, is sampled from the uniform distribution over in Game 1. By Lemma 1, in Game 0 is distributed statistically close to a uniform distribution over as in Game 1.
Second, for the simulation of the hash query , we discuss two cases:
(1) If , then return , which was sampled uniformly at random from . This perfectly simulates the hash query .
(2) Otherwise, sample a Gaussian vector , compute , and return . Here, is distributed statistically close to the uniform distribution over , since is distributed statistically close to the uniform distribution over by Lemma 2 and .
Finally, note that the identity secret key of is , where is generated by running algorithm in Game 0, and the identity secret key of is , where is sampled from such that in Game 1. By Lemma 3, in Game 0 is distributed statistically close to such that . Thus, the identity secret key in Game 0 is distributed statistically close to that in Game 1. Therefore, Game 0 and Game 1 are statistically indistinguishable.
Lemma 5. Game 1 and Game 2 are computationally indistinguishable.
Proof. The computational indistinguishability between Game 1 and Game 2 follows from the assumed intractability of DLWE (and hence of MLWE and TLWE). To show this, we present a simulator that draws samples and forms ; it simulates Game 1 when the samples are DLWE samples and Game 2 when they are uniformly random samples. proceeds as follows:
(1) Draw sufficiently many samples, and form . Uniformly select at random a vector , and let .
(2) The hash queries and identity secret key queries are answered exactly as in Game 1. Generate exactly as in MIFHE.Enc.
Therefore, if is sampled from DLWE, then perfectly simulates Game 1. In contrast, if is uniformly random, then perfectly simulates Game 2.
Lemma 6. Game 2 and Game 3 are computationally indistinguishable.
Proof. Similar to the proof of Lemma 5, the computational indistinguishability between Game 2 and Game 3 follows from the assumed intractability of DLWE (and hence of MLWE). To show this, we present a simulator that draws samples and forms ; it simulates Game 2 when the samples are DLWE samples and Game 3 when they are uniformly random samples. proceeds as follows:
(1) Draw sufficiently many samples, and form . Uniformly choose at random a vector , and let .
(2) The hash queries and identity secret key queries are answered exactly as in Game 2. Uniformly choose a random .
Therefore, if is sampled from DLWE, then perfectly simulates Game 2. In contrast, if is uniformly random, then perfectly simulates Game 3.
Game 3 reveals no information about the message . Additionally, Game 0 and Game 3 are computationally indistinguishable by Lemmas 4–6. Therefore, if DLWE is hard, attacker has only negligible advantage, which completes the proof of the IND-sID-CPA security of .
4. Conclusion and Open Problem
We present a multi-hop MIFHE scheme that is IND-sID-CPA secure in the random oracle model under the standard LWE assumption. However, the proposed MIFHE scheme is only leveled homomorphic. Therefore, it is interesting to construct a nonleveled multi-hop MIFHE scheme (i.e., one with no a priori bound on the depth of the circuits) under standard assumptions such as LWE (without unfalsifiable iO or WPRF).
Data Availability
No data were required in this work.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Acknowledgments
This work was supported in part by the National Natural Science Foundation of China (Nos. 11974096, 61972124, and U1705264) and the Zhejiang Provincial Natural Science Foundation of China (No. LY19F020019).