Achieving Message-Encapsulated Leveled FHE for IoT Privacy Protection

Ouyang, Weiping; Ma, Chunguang; Zhang, Guoyin; Diao, Keming

doi:https://doi.org/10.1155/2020/8862920

Mobile Information Systems

On this page

Abstract Introduction Preliminaries Conclusions Data Availability Conflicts of Interest References Copyright Related Articles

Special Issue

Distributed Secure Computing for Smart Mobile IoT Networks

View this Special Issue

Research Article | Open Access

Volume 2020 | Article ID 8862920 | https://doi.org/10.1155/2020/8862920

Achieving Message-Encapsulated Leveled FHE for IoT Privacy Protection

Weiping Ouyang,¹Chunguang Ma,^1,2Guoyin Zhang,¹and Keming Diao¹

Academic Editor: Kathiravan Srinivasan

Received15 Apr 2020

Revised15 Jul 2020

Accepted16 Sept 2020

Published14 Oct 2020

Abstract

The rapid development of the Internet of Things has made the issue of privacy protection even more concerning. Privacy protection has affected the large-scale application of the Internet of Things. Fully Homomorphic Encryption (FHE) is a newly emerging public key encryption scheme, which can be used to prevent information leakage. It allows performing arbitrary algebraic operations on data which are encrypted, such that the operation performed on the ciphertext is directly transformed into the corresponding plaintext. Recently, overwhelming majority of FHE schemes are confined to single-bit encryption, whereas how to achieve a multibit FHE scheme is still an open problem. This problem is partially (rather than fully) solved by Hiromasa-Abe-Okamoto (PKC′15), who proposed a packed message FHE scheme which only supports decryption in a bit-by-bit manner. Followed by that, Li-Ma-Morais-Du (Inscrypt′16) proposed a multibit FHE scheme which can decrypt the ciphertext at one time, but their scheme is based on dual LWE assumption. Armed with the abovementioned two schemes, in this paper, we propose an efficient packed message FHE that supports the decryption in two ways: single-bit decryption and one-time decryption.

1. Introduction

In recent years, the Internet of Things (IoT) has become an attractive system paradigm to drive a substantive leap on goods and services and has been widely used in intelligent transportation, intelligent power grid, environmental monitoring and perception, intelligent home appliances, and other fields. It covers traditional equipment to general household equipment, which brings more efficiency and convenience to the users. Because many of the data transmitted in the Internet of Things are confidential information or personal privacy information, it usually needs to be encrypted first. With more and more encrypted data stored on the server, it is very frequent for us to retrieve and process these data. Although there are some algorithms for retrieving encrypted data, they are only suitable for small-scale data, and the cost is too high. The encrypted data retrieval method based on the Fully Homomorphic Encryption (FHE) can solve this problem. By directly retrieving the encrypted data, it not only ensures that the retrieved data will not be analyzed, but also carries out homomorphic operation on the retrieved data without changing the sequence of the corresponding plaintext. It can not only protect the user’s data security but also improve the retrieval efficiency. Since the first introduction of Gentry in 2009, the construction and optimization of the Fully Homomorphic Encryption scheme have been paid special attention by researchers. However, most of the existing Fully Homomorphic Encryption schemes only allow cryptographic calculations for a single bit, and the efficiency is not satisfactory. Although the cascading (or simple combination) approach can be used to implement message-encapsulated calculations, the performance of such a simple message-encapsulated FHE is not ideal.

In an application scenario, in many cases, it is necessary to calculate data of multiple bits at a time, and thus, constructing an efficient Message-encapsulation Fully Homomorphic encryption becomes an urgent requirement. At present, the research in this area has made initial progress [1, 2], which has increased the efficiency of FHE to a certain extent, but comprehensively, its efficiency still needs to be improved. Specifically, the following are considered:(1)Brakerski’s scheme [1] is constructed on the basis of the Brakerski’s [3] scheme and is a typical representative of the second generation of FHE. But, the latter scheme needs to implement homomorphic calculations by calculating the evaluation key, which increases the computational cost.(2)Hiromasa-Abe-Okamoto (HAO) [2] is based on the GSW [4] scheme and is a typical representative of the third generation of FHE. HAO constructs a message-encapsulation FHE scheme in the form of encapsulated messages, but it cannot implement one-time decryption and only decrypts the ciphertext bit-by-bit, so the scheme is still very inefficient.

An important question arises: Besides those mentioned above, is it possible to design an efficient method to decrypt the ciphertext of the message-encapsulation GSW-FHE scheme at one time?

Li et al. [5] used dual Regev [6] to construct a public key with multiple instances of the small short integer solution (SIS). Inspired by this work, we will construct public keys with multiple instances of LWEs (Learning with errors), and this constructs a Message-Encapsulation FHE scheme that can be decrypted at one time.

1.1. Our Contribution

Firstly, the public key of the Message-encapsulation Fully Homomorphic Encryption scheme of Hiromasa et al. [2] is as follows:

Among them are the secret matrix and the noise matrix . Then, the plaintext message is encapsulated in a matrix, and the public key of the abovementioned form is used to encrypt the message. However, the obtained ciphertext matrix cannot recover all the plaintext bits at one time, but can only be decrypted bit-by-bit.

Secondly, we notice that the public key matrix of the message-encapsulated fully homomorphic encryption scheme constructed by Li et al. [5] is as follows:

Among them, there is . Although Li et al.’s scheme [5] supports bit-by-bit encryption and one-time decryption, the scheme relies on the minimum integer solution hypothesis (see detailed analysis in [7]), and its parameter size depends on instead of causing the size of the evaluation key and the ciphertext to be too large.

Based on the abovementioned observations, in this paper, we construct a public key matrix first with multiple LWE instances. Different from the typical FHE scheme [3, 4, 8] and follow-up works [9–13], its public key matrix contains only one LWE instance. Then, using the new public key, we construct a message-encapsulation GSW-class FEH scheme (MFHE). We give an overview of the scheme in the following:(1)Firstly, we use a new public key matrix with multiple LWE instances as follows: Among them, and is an LWE instance. This is significantly different from existing message-encapsulation PKE schemes (for example, [14, 15]) and message-encapsulation FHE schemes (for example, [1, 2]) and is also the fundamental difference between other schemes and the FHE scheme constructed in this paper. Private keys corresponding to the public key is shaped as follows:(2)Next, we use the public key matrix we constructed to encrypt multibit messages. The difference is that we use the message-encapsulation method of Li et al. [5] and Hiromasa et al. [2] to embed multibit messages into the plaintext of a diagonal matrix. That is,and while constructing a private key matrix with private keys,

is the identity matrix, and we can get

Finally, using the matrix we constructed, calculation of can directly recover the message vector . See Section 4 for a detailed analysis.

1.2. Organization and Structure of the Paper

The rest of this paper is organized as follows. In Section 2, the definitions and symbols used in this paper are introduced. In Section 3, we review the scheme of Gentry-Sahai-Waters et al. In Section 4, we introduce the Message-encapsulation FHE (MFHE) scheme we constructed. Finally, we give a summary of the full paper in Chapter 5.

2. Preliminaries

In this section, we give the preparatory knowledge needed, including definitions and lemmas.

2.1. Symbols

For , we use to represent aggregation . For a real number , we use to represent the largest integer that is not greater than , to represent the nearest integer to . We represent vectors in bold lowercase letters, for example, , and the matrix in bold uppercase letters, for example, . In addition, we use to represent elements in from row and column . We use “” to indicate the assignment. It is worth noting that we use the definition of computationally indistinguishable and statistics indistinguishable and they are represented by and . In addition to this, we also define and . For convenience, we use to represent its norm.

We need to use the following variant of the Left-over Hash Lemma (LHL) [16].

Lemma 1. (Matrix-Vector LHL). Let and . We select a uniform random matrix , and then, the statistical distance of the distribution and is as follows:

2.2. Learning with Errors (LWEs)

LWEs is the main computational assumption that cryptosystems and our variants rely on.

Definition 1. (LWE Distribution). For safety parameters, let and be integers, let be the error distribution with the bound of , and let be an integer modulo of any polynomial that meets . Then, we select a vector and call it a secret, the LWE distribution in is selected uniformly and randomly, and we select and output .
There are two kinds of the LWE hypothesis: the search-LWE and the decision-LWE. The decision-LWE is defined as follows:

Definition 2. (Decision-). Assume an independent selected , which is selected according to one of the following distributions: (1) for from a uniform and random (i.e., ) or (2) uniform distribution (i.e., ). The two distributions mentioned above are computable indistinguishable.

Note 1. Regev and others [6, 17–19] introduce the convention between the approximate shortest vector problem (for appropriate parameters) in the LWE hypothesis. We have omitted the lemma of the results of these schemes; see [6, 17–19] for details.

2.3. Discrete Gauss

In our structure, we need to analyze the behavior of choosing the wrong element from the Gaussian distribution.

Definition 3. (B Bounded [3]). A distribution on an integer if the following exists:and then, it is called -bound (represented as ).
For the analysis of our scheme, the vector selected from the Gaussian distribution needs to have a certain bound on its norm.

Lemma 2. (See [20]). 1. For ; 2. for , there is Therefore, in this paper, we set and .
In this paper, we assume . So, if , then on average, . It can be known from Lemma 2.2 (2) that there is a high possibility that . Therefore, in this paper, we set and .

2.4. Leveled Fully Homomorphic Encryption

In public-key cryptography, the cipher keeps a public key and encrypts the message in order that the corresponding private key holder can recover the original plaintext message.

Definition 4. (See [21]). Let a fixed function be the level of Fully Homomorphic Encryption. For a kind of circuit , the L-FHE scheme includes four Probabilistic Polynomial Times (PPTs), and the algorithm is as follows: The key generation algorithm (KeyGen) is a randomization algorithm that inputs security parameters and outputs public keys () and private keys () The encryption algorithm Enc is a randomization algorithm that inputs a public key () and a message and outputs a ciphertext The decryption algorithm Dec is a deterministic algorithm that inputs the private key and ciphertext and outputs the decrypted message The homomorphic algorithm Eval inputs a public key , a circuit , and a sequence of ciphertexts , here let be a polynomial related to the and outputs the computed ciphertext The correctness requirements are as follows: For arbitrary and output by , we have For arbitrary , arbitrary , and , we have

Definition 5. (CPA Security [21]). One FHE scheme is indistinguishable from the choice of plaintext attack (): the condition that security needs to be satisfied is that for any PPT adversary , the following probabilities related to are negligible:Among them, and is arbitrarily selected from the plaintext space by the adversary.
The security definition of a message-encapsulation GSW (MFHE) is the same as GSW for a single bit. Because in public key settings, the security of single message encryption implies the security of multiple message encryption. See section 11 in [22] for more details.

Definition 6. (Compactness [21]). For a class of loops , if there is a polynomial such that the length of output ciphertext of Eval is at most , then an Fully Homomorphic Encryption is compact (if it is nontrivial, then for all , some , and we have ).

2.5. Basic Tools

Let us review some of the basic tools proposed by Brakerski and Vaikuntanathan [23] and Gentry et al. [4]. We fix . Let , and therefore, and .

Definition 7. (See [24, 25]). The algorithm BitComp enters a vector and outputs an -dimensional vector where is the bit in the binary representation of (sorted by minimum impact to maximum impact). In other words,

Definition 8. (See [24, 25]). Algorithm enters a vectorand output .
Note that the input vector does not need to be binary and any of the input vector algorithms in are already defined.

Definition 9. (See [24, 25]). The algorithm Flatten enters a vector and outputs an -dimension binary vector (i.e., an element from ) defined as

Definition 10. (See [24, 25]). The algorithm PoweOftwo enters an -dimension vector and outputs an -dimension vector in . The output is as follows:

Lemma 3. (See [26]). For any , there is a fixed effective computable matrix and a valid computable deterministic “short-image” function that meets the following conditions. For arbitrary , we enter a matrix and the inverse function outputs a matrix so that .

Note 2. In fact, we can also express the abovementioned definitions and results as follows using the language of and . Micciancio and Peikert’s [26] matrix can be expressed as , where . For , there is . For , there is . For , the algorithm is renamed as . For , there is . For , there is . For , the algorithm is renamed as .

3. Gentry–Sahai–Waters (GSW) Scheme

Before our work, we first review the GSW scheme and, then, summarize the safety of the scheme of Gentry et al. [4].

We review the algorithms which make up the GSW scheme [4]. These algorithms were originally defined based on functions , , and , but the ideas from [19, 27] borrowed into this paper are defined using tool matrix . Let be the security parameter and be the number of levels of homomorphic encryption. :(1)Select a module of bit , error distribution on the parameter and , so that the problem is at least secure for known attacks. Choose a parameter .(2)Output: . We express and . :(1)Select and calculate(2)Generate a matrix and a vector .(3)Calculate and construct matrix . Obviously, we observed.(4)Return to and . : in order to encrypt a single-bit message ,(1)Let be the abovementioned matrix (2)Select a matrix evenly(3)Calculate In the original GSW scheme, , where is an identity matrix. :(1)We have .(2)Let meet . Let be column of .(3)Calculate within the scope of ; note and From that mentioned above, it can be seen that column of the ciphertext matrix selected in the calculation corresponds to coordinate of the vector , i.e. .(4)Output . So, if it is , then it returns to 0, and if it is , then it returns to 1. : : calculate and output : output

Note that . In addition, use to calculate homomorphic gates.

Note 3. Note that, in [19], the decryption algorithm is to select a suitable vector and calculate . It is much less efficient than the original one (all about calculation time and error item size). So, we used the GSW decryption algorithm in our scheme.
When is a power of 2, there is also a variant of the message in . See more details in [4].

3.1. Security

A brief proof of the following theorem is given in [4].

Theorem 1. Let be public parameter so that the hypothesis is true, and let . Then, we can say that the GSW scheme is safe.
The most important step of the proof is to prove that and the uniform distribution is computational indistinguishable.

Note 4. The correctness of the GSW scheme is obtained by analyzing the scale of the noise during encryption, decryption, and homomorphism. Always ensure that the maximum noise level in the abovementioned process is still less than 1/4, which can be decrypted correctly. This work is not the focus of this paper, so it will not be repeated. See more details [4].

4. Message-Encapsulation FHE

4.1. Message-Encapsulation FHE (MFHE Scheme)

Now, we introduce our MFHE scheme as follows: a message-encapsulation public-key encryption scheme based on the difficulty of the LWE hypothesis. We give the security parameter , set to be the private keys number, and then, can encrypt the -bit messages at one time.

Let be an integer, and let be a distribution set on . The definition of the variant of the GSW scheme is similar to the cryptosystem proposed in [19, 27, 28]. More specifically, :(1)In particular, we first select the modulo , and the dimension of lattice . We appropriately select the error distribution for for security against known LWE attacks, Finally, we select the parameter and a parameter .(2)Let and , and then, output . :(1)For , select from and output the position of which is 1.(2)Select a matrix and vectors , evenly, and then, calculate and output where the size of is . In addition, we observed that .(3)Output and . It is worth noting that . :(1)To encrypt -bit , , embed the bits into a -dimension matrix first, , where , , and . Later, for simplicity, will be abbreviated as , and the message matrix is constructed using a plaintext matrix . where is a random diagonal matrix, and note that is a -dimensional matrix.(2)Then, select a uniform matrix . Calculate and output cipher text: Now, we propose a decryption algorithm for the MFHE scheme which allows us to recover all the message bits at the one time. :(1)First, assume that the user has a private key matrix as follows: What needs to be noted here is Therefore, it is easy for us to get the bound of which is less than or equal to , i.e. .(2)Define the matrix as follows:(3)Calculate and output Among them, we have , i.e.,(4)Finally, use the results mentioned above to output the complete message . :there are two algorithms, which are, homomorphic addition and homomorphic multiplication. For any two plaintext matrices , we get the ciphertext separately. Therefore, the homomorphic addition and multiplication are as follows: : output . Here, we can calculate a homomorphic NAND gate from the output.

Note 5. Generally, we can choose different private keys to decrypt column of the ciphertext bit-by-bit and get the bit message of , that is, we can get the bit in row and column under the private key. However, it is actually possible to recover the entire message using the private key matrix based on the abovementioned decryption algorithm. We calculate as follows:The magnitude of the noise can be simply calculated and verified to grow linearly compared to single-bit decryption algorithm. :(1)Suppose we want to decrypt the bit of row and column , so let , then define a vector so that the position is, and the other positions are 0, .(2)For to , calculate The inner product of equals to(3)Output a message , in which represents the operation that rounds to the nearest integer. Therefore the value belongs to . 4. Finally, by repeating it times, the entire message can be recovered. The algorithm here is similar to the algorithm in [2], which is achieved by recovering each element separately.

Note 6. It should be noted here that due to the structural characteristics of the public key in our scheme, accurate decryption is achieved by dynamically adjusting the position of in the vector . That is, dot-multiply and to obtain the bits of the row and column of the plaintext matrix.
We can get all the bits of the message by using the decryption algorithm and appropriate private key.

Note 7. It can be seen that our message-encapsulation GSW scheme is to implement -bit homomorphic addition. However, since the element of is not a product of , only -bit homomorphic multiplication is supported.

4.2. Correctness Analysis

Next, we analyze the correctness of the MFHE scheme.

Definition 11. We call the message matrix which is obtained by decrypting the ciphertext under different private keys (see (2)). The noise of a single-bit message is as follows:For flexible single-bit decryption algorithm , we represent the noise vector as . For simplicity, we abbreviate to when and do not affect the contextual understanding.
Note that, in our setup, due to the structure of the new public key, is the noise of row of the plaintext matrix , not the single-bit noise.

Lemma 4. Obviously, using Definition 4.1, for convenience, for a decryption algorithm , if the noise meetswhere is a one-time private key matrix, we can represent the entire noise matrix asFor convenience, we will abbreviate as when and do not affect the contextual understanding.
In order to analyze the correctness, for convenience, we first define the following noise ciphertext concept.

Definition 12. (-Noise Ciphertext). A ciphertext matrix with noise, which makes in a private key , for a corresponding message . Then, let the norm of be

Lemma 5. For a one-time private key matrix , we can get when we run the Dec algorithm. So, in this case, we get

Lemma 6. For a plaintext matrix (a combination of ) and a private key , the noise vector of the ciphertext meetsIn the following, we analyze the correctness of the decryption.

Lemma 7. Let be an noise encryption of . If we can recover (an element of ) from the ciphertext under the private key , then there isso that

Proof. Obviously, by using Lemma 4.2 we can simply prove Lemma 4.7, and we will not go into details here.

Lemma 8. Let be an noise encryption in . If we can recover all from the ciphertext , then there is a private key matrix such thatwhere .

Proof. This proof can be obtained directly from Lemma 4.2 and Lemma 4.7. Now, we know that as long as , the decryption runs correctly, i.e., . Therefore, we call the value as the bound of noise.
The analysis of the homomorphic operation is given in the following. Before introducing the boundary of noise, the following notes are given.

Note 8. For the convenience of reading, let and .

Lemma 9. (See [8]). The boundary of the noise of homomorphic addition, homomorphic multiplication, and homomorphic negative is as follows: Addition: for , the following condition is met: Multiplication: for , the following condition is met: NAND: for , the following condition is met:

Proof. Let be a private key matrix. Let be the ciphertext of the encrypted message separately. Then, Homomorphic addition, that is, add ciphertext and ciphertext , so that Where and the noise is Obviously, the noise is . Homomorphic multiplication: that is, multiply the ciphertext and ciphertext , so that Then, we have which equals to For convenience, we first set the noise to Obviously, according to Lemma 4.2, there is and is a binary matrix (). Therefore, in this case, exists. Also, pay attention to that The boundary of () is . Therefore, In this case, we can easily get the boundary . In other words, . Therefore, we have , and the ciphertext is noisy. NAND gate: the same operation is true for the NAND gate, and output matrix product is . Consider a Boolean circuit whose computational depth is while containing NAND gates. It takes the new ciphertext as input, that is, the noise ciphertext, the noise multiplied by a factor which is at most at each level, that is, the norm of the error element increases by a factor which is, at most, . Therefore, the wrong element norm of the final ciphertext is bounded as .In order to ensure the correctness of the decryption, needs to be true. That is to say, the inequality must be true, which is guaranteed by the parameters we choose. The proof is completed.

4.3. Security Analysis

In the following, we use Theorem 4.1 to prove that the message-encapsulation GSW scheme based on the LWE assumption that it is safe and that the scheme is indistinguishable from the original GSW scheme [4].

Theorem 2. Let and be a discrete Gaussian distribution on , which makes the problem difficult. Let be an integer that makes true. Define two distributions and as follows: is a distribution on the matrix . Among them, is uniformly selected, for all , , in which are uniformly selected from , and is selected from a discrete Gaussian distribution . is evenly distributed on .Therefore, the distribution and is computational indistinguishable.

Theorem 3. Let so that the assumption is true and . Then, the MFHE scheme is safe.

Proof. The proof of security contains two steps: First, we use Theorem 4.11 to prove that, under the assumption, the matrix and the randomly chosen matrix are computationally indistinguishable Then, using the Left-over Hash Lemma, a uniform random value can be used to replace the ciphertext , that is, is indistinguishable from the uniform distributionThe brief proof is over. See more details in [4].

5. Conclusions

In this paper, we construct an efficient message-encapsulation FHE scheme. The scheme can achieve the decryption at one time and can also flexibly decrypt bit-by-bit. In Table 1, we give a comparison of the parameters of this scheme with the existing schemes. It can be seen from the comparison that compared with the previous ones, the scheme keeps the key length substantially, and this scheme is based on more conventional assumptions and, meanwhile, reduces the ciphertext length to some extent. The proposal of this scheme makes the full homomorphic encryption take a big step from theoretical research to large-scale application. It is conducive to greatly improving the efficiency of encrypted data processing (such as retrieval and operation) in the Internet of things, saving the energy consumption of nodes in the Internet of Things, and ensuring that the data are not statistically analyzed, which has a better application scenario [29–31].

In addition, there are many interesting open issues that may be resolved in the future. For example, our thinking has certain reference value for enhancing big data security and constructing a message-encapsulated casual transmission protocol, but it also has certain challenges.

Data Availability

No data were used in this study.

Conflicts of Interest

The authors declare no conflicts of interest.

References

Z. Brakerski, C. Gentry, and S. Halevi, “Packed ciphertexts in LWE-based homomorphic encryption,” in Proceedings of the Public-Key Cryptography—PKC 2013—16th International Conference on Practice and Theory in Public-Key Cryptography, pp. 1–13, Nara, Japan, February 2013.
View at: Publisher Site | Google Scholar
R. Hiromasa, M. Abe, and T. Okamoto, “Packing messages and optimizing bootstrapping in GSW-FHE,” in Proceedings of the Public-Key Cryptography—PKC 2015—18th IACR International Conference on Practice and Theory in Public-Key Cryptography, pp. 699–715, Gaithersburg, MD, USA, March 2015.
View at: Google Scholar
Z. Brakerski, “Fully homomorphic encryption without modulus switching from classical gapsvp,” in Proceedings of the Advances in Cryptology—CRYPTO 2012—32nd Annual Cryptology Conference, pp. 868–886, Santa Barbara, CA, USA, August 2012.
View at: Publisher Site | Google Scholar
C. Gentry, A. Sahai, and B. Waters, “Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based,” in Proceedings of the Part I Advances in Cryptology—CRYPTO 2013—33rd Annual Cryptology Conference, pp. 75–92, Santa Barbara, CA, USA, August 2013.
View at: Google Scholar
Z. Li, C. Ma, E. Morais, and G. Du, “Multi-bit leveled homomorphic encryption via dual LWE-based,” in Proceedings of the Revised Selected Papers Information Security and Cryptology—12th International Conference, pp. 221–242, Beijing, China, November 2016.
View at: Publisher Site | Google Scholar
O. Regev, “On lattices, learning with errors, random linear codes, and cryptography,” Journal of the ACM, vol. 56, no. 6, pp. 1–34, 2009.
View at: Publisher Site | Google Scholar
Z. Li, S. D. Galbraith, and C. Ma, “Preventing adaptive key recovery attacks on the gentry-sahai-waters leveled homomorphic encryption scheme,” IACR Cryptology ePrint Archive, p. 1146, 2016.
View at: Google Scholar
Z. Brakerski and R. Perlman, “Lattice-based fully dynamic multi-key FHE with short ciphertexts,” in Proceedings of the Part I Advances in Cryptology—CRYPTO 2016—36th Annual International Cryptology Conference, pp. 190–213, Santa Barbara, CA, USA, August 2016.
View at: Publisher Site | Google Scholar
Z. Li, C. Ma, and D. Wang, “Leakage resilient leveled FHE on multiple bit message,” IEEE Transactions on Big Data, 2017.
View at: Publisher Site | Google Scholar
Z. Li, C. Ma, and D. Wang, “Towards multi-hop homomorphic identity-based proxy re-encryption via branching program,” IEEE Access, vol. 5, pp. 16214–16228, 2017.
View at: Publisher Site | Google Scholar
Z. Li, C. Ma, and D. Wang, “Achieving multi-hop PRE via branching program,” IEEE Transactions on Cloud Computing, vol. 8, no. 1, pp. 45–58, 2020.
View at: Publisher Site | Google Scholar
Z. Li, C. Ma, and H. Zhou, “Multi-key FHE for multi-bit messages,” Sciece China Information Sciences, vol. 61, no. 2, Article ID 029101, 2018.
View at: Publisher Site | Google Scholar
Z. Li, C. Xiang, and C. Wang, “Oblivious transfer via lossy encryption from lattice-based cryptography,” Wireless Communications and Mobile Computing, vol. 2018, Article ID 5973285, 11 pages, 2018.
View at: Publisher Site | Google Scholar
R. Lindner and C. Peikert, “Better key sizes (and attacks) for LWE-based encryption,” in Proceedings of the Topics in Cryptology—CT-RSA 2011—the Cryptographers’ Track at the RSA Conference 2011, pp. 319–339, San Francisco, CA, USA, February 2011.
View at: Publisher Site | Google Scholar
C. Peikert, V. Vaikuntanathan, and B. Waters, “A framework for efficient and composable oblivious transfer,” in Proceedings of the 28th Annual International Cryptology Conference Advances in Cryptology—CRYPTO 2008, pp. 554–571, Santa Barbara, CA, USA, August 2008.
View at: Publisher Site | Google Scholar
J. Hastad, R. Impagliazzo, L. A. Levin, and M. Luby, “Pseudo-random generation from one-way functions (extended abstracts),” in Proceedings of the 21st Annual ACM Symposium on Theory of Computing, pp. 12–24, Seattle, Washigton, USA, May 1989.
View at: Google Scholar
C. Peikert, “Public-key cryptosystems from the worst-case shortest vector problem: extended abstract,” in Proceedings of the STOC 2009 41st Annual ACM Symposium on Theory of Computing, pp. 333–342, Bethesda, MD, USA, May 2009.
View at: Publisher Site | Google Scholar
C. Peikert and B. Waters, “Lossy trapdoor functions and their applications,” in Proceedings of the 40th Annual ACM Symposium on Theory of Computing, pp. 187–196, British Columbia, Canada, May 2008.
View at: Publisher Site | Google Scholar
P. Mukherjee and D. Wichs, “Two round multiparty computation via multi-key FHE,” in Proceedings of the Part II Advances in Cryptology—EUROCRYPT 2016—35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 735–763, Vienna, Austria, May 2016.
View at: Publisher Site | Google Scholar
V. Lyubashevsky, “Lattice signatures without trapdoors,” in Proceedings of the Advances in Cryptology—EUROCRYPT 2012— 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 738–755, Cambridge, UK, April 2012.
View at: Publisher Site | Google Scholar
J. Katz, A. Thiruvengadam, and H. Zhou, “Feasibility and infeasibility of adaptively secure fully homomorphic encryption,” in Proceedings of the Public-Key Cryptography—PKC 2013—16th International Conference on Practice and Theory in Public-Key Cryptography, pp. 14–31, Nara, Japan, February 2013.
View at: Google Scholar
J. Katz and Y. Lindell, Introduction to Modern Cryptography, CRC Press, Boca Raton, FL, USA, Second edition, 2014.
Z. Brakerski and V. Vaikuntanathan, “Efficient fully homomorphic encryption from (standard) LWE,” in Proceedings of the FOCS 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science, pp. 97–106, Palm Springs, CA, USA, October 2011.
View at: Publisher Site | Google Scholar
M. Clear and C. McGoldrick, “Multi-identity and multi-key leveled FHE from learning with errors,” in Proceedings of the Part II Advances in Cryptology—CRYPTO 2015—35th Annual Cryptology Conference, pp. 630–656, Santa Barbara, CA, USA, August 2015.
View at: Google Scholar
Z. Brakerski and V. Vaikuntanathan, “Lattice-based FHE as secure as PKE,” in Proceedings of the ITCS’14 Innovations in Theoretical Computer Science, pp. 1–12, Princeton, NJ, USA, January 2014.
View at: Publisher Site | Google Scholar
D. Micciancio and C. Peikert, “Trapdoors for lattices: simpler, tighter, faster, smaller,” in Proceedings of the Advances in Cryptology—EUROCRYPT 2012—31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 700–718, Cambridge, UK, April 2012.
View at: Publisher Site | Google Scholar
J. Alperin-Sheriff and C. Peikert, “Faster bootstrapping with polynomial error,” in Proceedings of the Part I Advances in Cryptology—CRYPTO 2014—34th Annual Cryptology Conference, pp. 297–314, Santa Barbara, CA, USA, August 2014.
View at: Publisher Site | Google Scholar
L. Ducas and D. Micciancio, “FHEW: bootstrapping homomorphic encryption in less than a second,” in Proceedings of the Part I Advances in Cryptology—EUROCRYPT 2015—34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 617–640, Sofia, Bulgaria, April 2015.
View at: Publisher Site | Google Scholar
Z. Li, V. Sharma, C. Ma, C. Ge, and W. Susilo, “Ciphertext-policy attribute-based proxy re-encryption via constrained PRFS,” Science China Information Sciences, vol. 64, no. 6, 2020.
View at: Publisher Site | Google Scholar
Z. Li, J. Wang, C. Choi, and W. Zhang, “Multi-factor password-authenticated key exchange via pythia PRF service,” Computers, Materials & Continua, vol. 63, no. 2, pp. 663–674, 2020.
View at: Publisher Site | Google Scholar
V. Sharma, D. N. K. Jayakody, and M. Qaraqe, “Osmotic computing-based service migration and resource scheduling in mobile augmented reality networks (MARN),” Future Generation Computer Systems, vol. 102, pp. 723–737, 2020.
View at: Publisher Site | Google Scholar

Copyright

Copyright © 2020 Weiping Ouyang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

307

Downloads

615

Citations