Security and Communication Networks

Volume 2018, Article ID 5967635, 12 pages

https://doi.org/10.1155/2018/5967635

## LWR-Based Fully Homomorphic Encryption, Revisited

^{1}School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China

^{2}State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China

^{3}Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, Beijing, China

^{4}College of Science, Hangzhou Normal University, Hangzhou, China

^{5}Westone Cryptologic Research Center, Beijing, China

Correspondence should be addressed to Fucai Luo; luofucai@iie.ac.cn

Received 29 August 2017; Revised 3 January 2018; Accepted 18 January 2018; Published 23 April 2018

Academic Editor: Amir Anees

Copyright © 2018 Fucai Luo et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

Very recently, Costache and Smart proposed a fully homomorphic encryption (FHE) scheme based on the Learning with Rounding (LWR) problem, which removes the noise (typically Gaussian noise) sampling needed in the previous lattice-based FHEs. But their scheme did not work, since the noise of homomorphic multiplication is complicated and large, which leads to failure of decryption. More specifically, they chose LWR instances as a public key and the private key therein as a secret key and then used the tensor product to implement homomorphic multiplication, which resulted in a tangly modulus problem. Recall that there are two moduli in the LWR instances; the tensor product then tangles the two moduli together. Inspired by their work, we built the first workable LWR-based FHE scheme, eliminating the tangly modulus problem by adopting the celebrated *approximate eigenvector* method proposed by Gentry et al. at Crypto 2013. Roughly speaking, we use a specific matrix multiplication to perform the homomorphic multiplication, so the tangly modulus problem does not arise. Furthermore, we also extend the LWR-based FHE scheme to the multikey setting using the tricks used to construct LWE-based multikey FHE by Mukherjee and Wichs at Eurocrypt 2016. Our LWR-based multikey FHE construction provides an alternative to the existing multikey FHEs and can also be applied to multiparty computation with higher efficiency.

#### 1. Introduction

Fully homomorphic encryption (FHE) is a cryptographic primitive that allows performing arbitrarily complex and efficiently computable evaluations over encrypted data without decrypting them. But the problem of how to construct an FHE scheme had been bothering cryptologists since it was initially introduced by Rivest et al. [1]. It was not until 2009 that this conundrum was resolved, by Gentry's first plausible candidate FHE construction based on ideal lattices [2]. Since then, a series of works [3–8] have been presented with much progress, mainly in security assumptions and efficiency.

Gentry’s seminal work [2] showed for the first time that FHE can be based on cryptographic assumptions and put forward a remarkable “bootstrapping” theorem to achieve full homomorphism (which needs a “circular security” assumption). However, his scheme relies on relatively stronger cryptographic assumptions on ideal lattices (ideal lattices are a special breed that we know relatively little about) and can only evaluate “low degree” polynomials homomorphically without “bootstrapping.”

The LWE-based FHEs [5, 9–13] enjoy higher efficiency and stronger security compared to the previous schemes [2–4, 7] (which follow a framework similar to Gentry's work), due to the simple algebraic structure of the well-studied LWE problem [14] and the classical (quantum) reduction from some apparently intractable lattice problems (e.g., GapSVP) to LWE [14, 15]. The first LWE-based FHE was proposed by Brakerski and Vaikuntanathan [5] (henceforth, BV11b), who used a novel *relinearization* technique to construct a "somewhat homomorphic" encryption scheme based on the LWE problem and introduced a novel *dimension-modulus reduction* technique, without resorting to the "squashing paradigm" used in the previous schemes [2–4, 7]. The subsequent improved works mainly refer to Brakerski et al.'s [9] BGV12 and Brakerski's [10] Bra12. In BGV12, Brakerski, Gentry, and Vaikuntanathan used *dimension reduction* and *modulus reduction* (both originating from BV11b) iteratively and gradually, to construct a "leveled" FHE scheme (capable of evaluating circuits of arbitrary polynomial depth). Bra12 used *dimension reduction* without *modulus reduction* to build a better leveled FHE scheme, which is superior to the previous best known in simplicity, noise management, and security. This is mainly because its noise grows only linearly () with every homomorphic multiplication, while in all previous works the noise grows quadratically () without *modulus reduction*.

In Crypto 2013, Gentry et al. [16] (henceforth, GSW13) presented an LWE-based FHE scheme of GSW style (which was improved by Alperin-Sheriff and Peikert [17], henceforth, AP14), using two novel techniques, the so-called *approximate eigenvector* and *flatten*, where the ciphertext is a matrix rather than a vector. For the most part, its homomorphic addition and multiplication are just matrix addition and multiplication, which avoids the *key switching*, *modulus switching*, and the "evaluation" key used in previous schemes (e.g., BV11b, BGV12). It is important to note that, besides the fact that the scheme does not need an "evaluation" key, it has an interesting property of asymmetric noise growth because of its specific GSW style. Based on GSW13, a sequence of schemes was proposed, including bootstrapping schemes [11, 17], multikey schemes [6, 12, 13], and some other related schemes [18, 19] (these schemes mainly leverage the homomorphic operations of GSW13).

*Motivations*. The above-mentioned LWE-based FHEs and related schemes suffer from complex and time-consuming Gaussian or sub-Gaussian noise sampling, because the underlying LWE problem needs a noise (error) vector sampled from a distribution, typically a (discrete) Gaussian or sub-Gaussian distribution [5, 9, 10, 12, 16, 17]. In particular, some schemes (e.g., [6, 18]) based on the LWE problem have to sample Gaussian noise in the encryption process, which seriously weakens the schemes' efficiency. Moreover, it has recently been shown (e.g., [20, 21]) that Gaussian sampling creates many potential side-channel vulnerabilities that can result in complete leakage of the secret key. Although it is possible to design good implementations which protect against side-channel attacks, these implementations are often very complex.

As a matter of course, this raises a question: *can we cast away the Gaussian noise sampling in building an FHE scheme while maintaining (almost) the same security level as those based on the LWE problem?* Indeed, this is valuable theoretically and practically and even pedagogically.

Very recently, Costache and Smart [22] showed an FHE scheme based on the ring-LWR problem (or RLWR, a variant of the Learning with Rounding (LWR) problem). Their scheme removes the Gaussian noise needed in the previous LWE-based FHEs and results in slightly smaller ciphertexts. Roughly speaking, they focused their attention on BGV12 and used the techniques of *relinearization* and *modulus switching* to build an RLWR-based FHE scheme. However, the LWR problem (the definition of LWR will be presented in Section 2.2), which is mainly leveraged by a scaled rounding function [23] involving two different moduli and , makes the tensor product they used to implement homomorphic multiplication intractable. In more detail, they chose RLWR instances as a public key and the private key therein as a secret key, and the ciphertext was computed as a vector decrypting to message , where are quotient rings. Then, they used the tensor product to implement homomorphic multiplication, which results in a product of two elements belonging to different rings (i.e., the two moduli are tangled together). This makes their analysis of the multiplication noise complicated and obscure. In fact, this "tangly modulus" problem brings a large multiplication noise into their decryption equation (for a ciphertext obtained by homomorphic multiplication) and thus leads to failure of decryption. Therefore, we think that how to construct an FHE scheme based on the LWR problem is still an open problem, and it is this problem that we focus on.
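As an added illustration that is not part of the paper, the Python below models the LWR sample form the authors build on, namely a pair (a, b) with b = round((p/q)·⟨a, s⟩) mod p for two moduli p < q (the standard LWR definition), checks that the error hidden by the rounding is deterministic and bounded by q/(2p) on the Z_q scale, and adds a toy bit encoding to show how that rounding error accumulates linearly under homomorphic addition. Parameter values, the toy encoding and all function names are this example's own assumptions.

```python
from fractions import Fraction
import random

def lwr_sample(s, q, p, rng):
    """One LWR sample (a, b): a uniform in Z_q^n, b = round((p/q)*<a,s>) mod p.
    Nothing is drawn from a noise distribution; the only error is the rounding."""
    a = [rng.randrange(q) for _ in range(len(s))]
    x = sum(ai * si for ai, si in zip(a, s)) % q
    b = ((2 * p * x + q) // (2 * q)) % p   # exact integer form of round((p/q)*x)
    return a, b

def rounding_error(a, s, b, q, p):
    """Error hidden by the rounding, lifted to the Z_q scale and centred into
    (-q/2, q/2]: e = <a,s> - (q/p)*b (mod q). Always |e| <= q/(2p)."""
    x = sum(ai * si for ai, si in zip(a, s)) % q
    e = Fraction(x) - Fraction(b * q, p)
    return e - q * round(e / q)

def enc_bit(m, s, q, p, rng):
    """Toy symmetric encryption of one bit on top of an LWR sample (p even)."""
    a, b = lwr_sample(s, q, p, rng)
    return a, (b + m * (p // 2)) % p

def add(c1, c2, q, p):
    """Homomorphic addition: component-wise, a mod q and b mod p."""
    return [(x + y) % q for x, y in zip(c1[0], c2[0])], (c1[1] + c2[1]) % p

def dec_bit(c, s, q, p):
    """Remove round((p/q)*<a,s>) and decide the bit. After k additions the
    leftover rounding error is at most (k+1)/2, so this works while that < p/4."""
    a, b = c
    x = sum(ai * si for ai, si in zip(a, s)) % q
    d = (b - (2 * p * x + q) // (2 * q)) % p
    if d > p // 2:
        d -= p
    return 1 if abs(d) > p // 4 else 0

def demo(n=16, q=2**16, p=2**8, k=20, seed=7):
    """Returns (every fresh sample within q/(2p), sum of k bits decrypts to parity)."""
    rng = random.Random(seed)
    s = [rng.randrange(q) for _ in range(n)]          # constructed secret
    ok = True
    for _ in range(100):
        a, b = lwr_sample(s, q, p, rng)
        ok = ok and abs(rounding_error(a, s, b, q, p)) <= Fraction(q, 2 * p)
    bits = [rng.randrange(2) for _ in range(k)]
    acc = enc_bit(bits[0], s, q, p, rng)
    for m in bits[1:]:
        acc = add(acc, enc_bit(m, s, q, p, rng), q, p)
    return ok, dec_bit(acc, s, q, p) == sum(bits) % 2
```

Raising k past roughly p/2 makes the accumulated rounding error cross the p/4 decision boundary and decryption starts failing, which is the noise-growth issue the paper's multiplication analysis has to control.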

*Our Results*. In this paper, we propose a workable LWR-based FHE scheme that eliminates the tangly modulus problem by adopting the celebrated *approximate eigenvector* method of GSW13. Roughly speaking, we use a specific matrix multiplication to perform the homomorphic multiplication, which avoids the tangly modulus problem; this matrix multiplication involves a variant of the gadget matrix (described in Section 2.3). The efficiency of our scheme is almost comparable to that of GSW13 and AP14 without counting the cost of Gaussian noise sampling, since the size of the modulus is almost the same as theirs, as can be seen from Table 1 (our modulus is larger; see Section 4.2). Indeed, it is mainly our larger security loss (up to a polynomial factor) that results in the larger modulus (up to a polynomial factor). Our scheme can be seen as an alternative to GSW13 and AP14.