| Key Generation. Each user () runs the following CSA.Key algorithm to get a public key pair |
| and a secret key . |
| CSA.Key: Given , , and , output a public key pair and a secret key by |
| performing following steps: |
| (1) perform GHV.Key to get and , |
| (2) choose a uniformly random matrix . |
| Encryption. Each user () runs the following CSA.Enc algorithm to get a ciphertext pair . |
| CSA.Enc: Given a public key pair and a plaintext , output a ciphertext pair |
| by performing following steps: |
| (1) choose at random, |
| (2) compute , |
| (3) choose a uniformly random vector , |
| (4) choose Gaussian error vectors and , |
| (5) compute , |
| (6) compute . |
| Aggregation. aggregates ciphertext pairs generated under distinct public key pairs by |
| performing the following CSA.Agg. |
| CSA.Agg: Given ciphertext pairs where , output , and by performing following |
| steps: |
| (1) Let where is the number of elements in , |
| (2) . |
| re-Aggregation. Each user () can run the following CSA.reAgg algorithm to get a |
| re-aggregated ciphertext. |
| CSA.reAgg: Given an aggregated ciphertext , a ciphertext , a public key pair , |
| a secret key , and a public key of , output by performing following steps: |
| (1) perform GHV.Dec to get , |
| (2) compute , |
| (3) choose a uniformly random vector , |
| (4) choose a Gaussian error vector , |
| (5) compute . |
| dec-Aggregation. gives an aggregated ciphertext to , and a ciphertext and a public key |
| of to each user , respectively. Let , then the receiver obtains |
| by performing following steps: |
| (1) Each user in turn, |
| (a) computes = CSA.reAgg, |
| (b) sends to the next user . |
| (2) computes = CSA.reAgg and sends to . |
| (3) performs GHV.Dec to get . |
