Table of Contents Author Guidelines Submit a Manuscript
Security and Communication Networks
Volume 2018, Article ID 5967635, 12 pages
https://doi.org/10.1155/2018/5967635
Research Article

LWR-Based Fully Homomorphic Encryption, Revisited

Fucai Luo,1,2,3 Fuqun Wang,4,5 Kunpeng Wang,1,2,3 Jie Li,1,2,3 and Kefei Chen4,5

1School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China
2State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
3Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, Beijing, China
4College of Science, Hangzhou Normal University, Hangzhou, China
5Westone Cryptologic Research Center, Beijing, China

Correspondence should be addressed to Fucai Luo; nc.ca.eii@iacufoul

Received 29 August 2017; Revised 3 January 2018; Accepted 18 January 2018; Published 23 April 2018

Academic Editor: Amir Anees

Copyright © 2018 Fucai Luo et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

Very recently, Costache and Smart proposed a fully homomorphic encryption (FHE) scheme based on the Learning with Rounding (LWR) problem, which removes the noise (typically, Gaussian noise) sampling needed in the previous lattices-based FHEs. But their scheme did not work, since the noise of homomorphic multiplication is complicated and large, which leads to failure of decryption. More specifically, they chose LWR instances as a public key and the private key therein as a secret key and then used the tensor product to implement homomorphic multiplication, which resulted in a tangly modulus problem. Recall that there are two moduli in the LWR instances, and then the moduli will tangle together due to the tensor product. Inspired by their work, we built the first workable LWR-based FHE scheme eliminating the tangly modulus problem by cleverly adopting the celebrated approximate eigenvector method proposed by Gentry et al. at Crypto 2013. Roughly speaking, we use a specific matrix multiplication to perform the homomorphic multiplication, hence no tangly modulus problem. Furthermore, we also extend the LWR-based FHE scheme to the multikey setting using the tricks used to construct LWE-based multikey FHE by Mukherjee and Wichs at Eurocrypt 2016. Our LWR-based multikey FHE construction provides an alternative to the existing multikey FHEs and can also be applied to multiparty computation with higher efficiency.

1. Introduction

Fully homomorphic encryption (FHE) is a cryptographic primitive that allows performing arbitrarily complex and efficiently computable evaluations over encrypted data without decrypting them. But the problem of how to construct a FHE scheme had been bothering cryptologists since it was initially introduced by Rivest et al. [1]. Until 2009, this conundrum was compromised due to Gentry’s first plausible candidate FHE construction based on ideal lattices [2]. Since then, a series of works [38] have been presented with much progress mainly in security assumptions and efficiencies.

Gentry’s seminal work [2] showed for the first time that FHE can be based on cryptographic assumptions and put forward a remarkable “bootstrapping” theorem to achieve full homomorphism (which needs a “circular security” assumption). However, his scheme relies on relatively stronger cryptographic assumptions on ideal lattices (ideal lattices are a special breed that we know relatively little about) and can only evaluate “low degree” polynomials homomorphically without “bootstrapping.”

The LWE-based FHEs [5, 913] enjoy higher efficiency and stronger security compared to the previous schemes [24, 7] (following a similar framework to Gentry’s work), due to the simple algebraic structure of the well-studied LWE [14] and classical (quantum) reduction from some apparently intractable lattice problems (e.g., GapSVP) to LWE [14, 15]. The first LWE-based FHE was proposed by Brakerski and Vaikuntanathan [5] (henceforth, BV11b), who used a novel relinearization technique to construct a “somewhat homomorphic” encryption scheme based on LWE problem and introduced a novel dimension-modulus reduction technique, without resorting to the “squashing paradigm” used in the previous schemes [24, 7]. The subsequent improved works mainly refer to Brakerski et al.’s [9] BGV12 and Brakerski’s [10] Bra12. In BGV12, Brakerski, Gentry, and Vaikuntanathan used the dimension reduction and modulus reduction (which are originated from BV11b) iteratively and gradually, to construct a “leveled” FHE scheme (capable of evaluating arbitrary polynomial-depth circuits). Bra12 used the dimension reduction without the modulus reduction, to build a better leveled FHE scheme, which is superior to the previous best known in simplicity, noise management, and security. This is mainly because of their noise which only grows linearly () with every homomorphic multiplication, while in all previous works, the noise grows quadratically () without modulus reduction.

In Crypto 2013, Gentry et al. [16] (henceforth, GSW13) presented a LWE-based FHE scheme of GSW style (which was improved by Alperin-Sheriff and Peikert [17], henceforth, AP14), using two novel techniques of so-called approximate eigenvector and flatten, where the ciphertext is a matrix rather than vector. For the most part, its homomorphic addition and multiplication are just matrix addition and multiplication, which avoids the key switching, modulus switching, and the “evaluation” key used in previous schemes (e.g., BV11b, BGV12). It is important to note that, besides the fact that the scheme does not need an “evaluation” key, it has an interesting property of asymmetric noise growth because of its specific GSW style. Based on GSW13, a sequence of schemes was proposed, including bootstrapping schemes [11, 17], multikey schemes [6, 12, 13], and some other related schemes [18, 19] (these schemes mainly leverage the homomorphic operations of GSW13).

Motivations. The above-mentioned LWE-based FHEs and related schemes suffered the complex and time-consuming Gaussian or sub-Gaussian noise sampling, due to the fact that the corresponding LWE problem needs a noise (error) vector sampled from a distribution, typically (discrete) Gaussian or sub-Gaussian distribution [5, 9, 10, 12, 16, 17]. In particular, some schemes (e.g., [6, 18]) based on the LWE problem have to sample Gaussian noise in the encryption process, which seriously weakens the schemes’ efficiencies. Moreover, it has been recently shown (e.g., [20, 21]) that the Gaussian sampling will create lots of potential side-channel vulnerabilities that result in complete leakage of the secret key. Although it is possible to design good implementations which protect against side-channel attacks, these implementations are often very complex.

As a matter of course, this raises a question: can we cast away the Gaussian noise sampling in building a FHE scheme while maintaining the same (almost) security level as those based on LWE problem? Indeed, this is valuable theoretically and practically and even pedagogically.

Very recently, Costache and Smart [22] showed a FHE scheme based on the ring-LWR problem (or RLWR, a variant of Learning with Rounding (LWR) problem). Their scheme removes the Gaussian noise needed in the previous LWE-based FHEs and results in slightly smaller ciphertexts. Roughly speaking, they focused their attention on BGV12 and used the techniques of relinearization and modulus switching to build a RLWR-based FHE scheme. However, the LWR (the definition of LWR will be presented in Section 2.2), mainly leveraged by a scaled rounding function [23] including two different moduli and , makes the tensor product used by them to implement homomorphic multiplication intractable. In more detail, they chose RLWR instances as a public key and the private key therein as a secret key, and the ciphertext was computed as a vector decrypting to message , where are quotient rings. Then, they used the tensor product to implement homomorphic multiplication, which results in a product of two different elements belonging to different rings (i.e., two moduli are tangled together). This makes their analysis of the multiplication noise complicated and obscure. In fact, this “tangly modulus” problem brings a large multiplication noise to their decryption equation (in terms of ciphertext after homomorphic multiplication) and thus leads to failure of the decryption. Therefore, how to construct a FHE scheme based on LWR problem, we think, is still an open problem, while we focus our attention on this problem.

Our Results. In this paper, we propose a workable LWR-based FHE scheme eliminating the tangly modulus problem by cleverly adopting the celebrated approximate eigenvector method in GSW13. Roughly speaking, we use a specific matrix multiplication to perform the homomorphic multiplication, which avoids the tangly modulus problem, where the specific matrix multiplication involves a variant of gadget matrix (which will be described in Section 2.3). The efficiency of our scheme is almost comparable to that of GSW13 and AP14 without counting the cost of Gaussian noise sampling, for the size of modulus is almost the same as theirs which can be seen from Table 1 (our modulus is larger; see Section 4.2). Indeed, it is mainly our larger security loss (up to a polynomial factor) that results in the larger modulus (up to a polynomial factor). Our scheme can be seen as an alternative to the GSW13 and AP14.

Table 1: Comparison with LWE-based FHEs: GSW13 and AP14.

Furthermore, we also extend the LWR-based FHE scheme to multikey setting using the tricks used to construct LWE-based multikey FHE by Mukherjee and Wichs [12] at Eurocrypt 2016. Again, we leverage the specific GSW style to avoid the tangly modulus problem. Interestingly, it seems that the method of [12] has been tailored to be employed in constructing our LWR-based multikey FHE scheme, since it helps to avoid the tangly modulus problem when expanding the valid ciphertexts needed in multikey setting (see Section 5). Compared to Mukherjee and Wichs’s scheme, our scheme can also be applied to multiparty computation and is more efficient; again, this is largely for the reason that there is no Gaussian noise sampling. This can be also verified by Table 1 and by the fact that the LWE-based multikey FHE [12] is an extension of AP14.

What is more, our LWR-based FHE and its extended multikey FHE support bootstrapping procedures; this is due to the fact that the encryption and decryption processes in our schemes are very similar to those in AP14, except that there are two different moduli in our scheme (which will not tangle together because of our specific structure). We believe that it is straightforward to convert our LWR-based scheme into a RLWR-based one.

Our Techniques. In our LWR-based FHE, we choose pairs of LWR instances as a public key and the private key therein as a secret key. The public key is assembled as a matrix where , , and the secret key is , where . Since there are two different moduli in a matrix, we use the symbol (see Section 2) to differentiate from the conventional symbol .

For a message , the ciphertext is computed as where is a variant of gadget matrix (see Section 2.3). To perform homomorphic multiplication (addition is very natural), do the following: given two ciphertexts decrypting to message , we have since matrix does not affect the structure of matrix (see Operations in Section 2). Hence, we assert that the structures of ciphertexts remain unchanged after levels of multiplication, so they can be properly decrypted. Indeed, our homomorphic multiplication will not cause the tangly modulus problem existent in Costache and Smart’s solution [22], because these two different modular operations (in terms of moduli ) can be partitioned by our matrix operation but cannot be by the tensor product used by them. We defer the details to Section 4.

For the secret key, , where are public and is privately and uniformly chosen from instead of for initial noise and efficiency. This is reasonable and secure relying on Theorem 7 in Section 2.2 and the hardness of LWE problem with binary secret (which was proved at least as hard as the original LWE problem by Brakerski et al. [24]).

Organization. In Section 2, we give some preliminaries including the LWE problem, LWR problem, and a variant of gadget matrix. We describe a basic LWR-based encryption scheme and give its full security proof in Section 3. Section 4 goes into the core of our LWR-based FHE scheme. In Section 5, we extend our main construction to the LWR-based multikey FHE. Finally, we conclude the paper in Section 6.

2. Preliminaries

As a preliminary matter, we give some explanations for some notations and operations throughout the paper.

Notations. For an integer , we define the set , and all logarithms on are to base 2. All arithmetics are performed over or when division is used, and for ease of use, we let . We denote vectors in bold lowercase (e.g., ) and matrices in bold uppercase (e.g., ). Let (resp., ) be the transpose of (resp., ). For any , we denote by , , and the rounding of down, up, or to the nearest integer; these notations also apply to vector and matrix. We say that a function negl is negligible if there are not any polynomial fractions smaller than the negl for sufficiently large . All vectors are treated as rows in the paper.

Probability. We let denote that is sampled uniformly at random from a distribution and (e.g., ) denote that is uniform over a set .

Operations. For an -dimensional vector , we denote its norm by , where refers to its magnitude. The multiplication between two vectors , over is denoted by (i.e., ). What we want to particularly explain beforehand is the multiplication between two matrices.

Given two different moduli , , and any integer , , for matrix , by abuse of notation, we let indicate that all row vectors of are over but the last one (i.e., -th) is over , and we state that we should be careful about, for example, multiplying a matrix by a matrix (or a vector ). More precisely, we should multiply every row vector of by the matrix , that is, multiply each row vector of by each column vector of , and then take a modular operation (take the product modulo a modulus). Note that the last row vector of is over , and thus the multiplications between this row vector and the matrix are evaluated over (take the products modulo the modulus ), while all the other multiplications are evaluated over (take the products modulo the modulus ). (These two modular operations can be partitioned due to the matrix structure which, roughly speaking, avoids the tangly modulus problem existent in [22].) This principle also applies to addition between two matrices over . Indeed, this is an important difference between LWE and LWR when performing addition and multiplication operations on matrices.

In our security proof, we will use the following variant of the standard leftover hash lemma [25].

Lemma 1 (see [5]). Let , , , , and be integers, and let . For matrix , let ; one has where denotes the statistical distance between two distributions .

2.1. Learning with Errors (LWE)

The well-known LWE problem has been enjoying fame for its applicability in constructions of lattice-based schemes conjectured to be secure in quantum setting, ever since Regev introduced it and showed a quantum reduction [14] from some worst-case hardness of the standard lattice problems to LWE problem (followed by classical reductions [15, 24]). It is defined as follows.

Definition 2 (see [9]). For positive integers , , , a vector , and an error distribution over (typically, a (discrete) Gaussian distribution with standard deviation for ). Let be the distribution over obtained by choosing independent samples and an error term and outputting pairs . Then, the (average-case) decision problem of the LWE, denoted by , is to distinguish, given arbitrarily many independent samples, the uniform distribution over from , for a fixed . The search problem of is aim to find secret given independent samples from (for ). The assumption is that the problem is infeasible.

Definition 3 (-bounded distributions [16]). A distribution ensemble , supported over the integers, is called -bounded if

2.2. Learning with Rounding (LWR)

Learning with Rounding (LWR) problem, which was used to construct lossy trapdoor functions, reusable computational extractors, and deterministic encryption, was firstly proposed by Banerjee et al. [23] for improving the efficiency of pseudorandom generator (PRG) based on the LWE problem. Indeed, the LWR problem can be seen as a deterministic alternative to LWE problem, except that the noise in LWR is deterministic which derandomizes the Gaussian noise in LWE, and the noise in LWR resulted from the scale rounding function being smaller than that in LWE. Specifically, the noise in LWE is -bounded ( for security [14]), whereas it has magnitude of less than in LWR. We recall the scaled rounding function [23] which is defined as follows: for , Similar to the LWE problem, we get the following analogous definition for the LWR problem.

Definition 4 (see [23]). For integers , , and , sample uniformly at random an -dimensional vector from , and then the LWR distribution is defined as , where the pair is LWR sample (instance), and let be the distribution comprised of independent samples from . Then, the search problem is defined as finding secret given independent samples from , while the decision problem is to distinguish independent samples (with nonnegligible advantage) chosen from the distribution , for a fixed , from samples chosen from uniform distribution over . The assumption is that the problem is infeasible.

As to the hardness of the LWR problem, Banerjee et al. [23] presented an efficient reduction from the LWE problem to the LWR problem for modulus of superpolynomial size, followed by Alwen et al. [26], who gave a reduction that allowed for a polynomial modulus , but restricted the number of samples and failed to apply to all values of the modulus . In 2016, Bogdanov et al. [27] generalized the theorem of [26] by eliminating the theoretic restriction on the modulus , but the number of samples was required to be less than (weaker than that of [26]), while Alperin-Sheriff and Apon [28] showed a dimension-preserving reduction from LWE to LWR with a polynomial-sized modulus, which immediately implies improvements in parameters (i.e., security and efficiency) for all known applications of polymodulus LWR.

Note that Brakerski et al. [24] proved that the bin-LWE (implies that the secret key is uniformly chosen from ) is at least as hard as the original LWE problem (up to logarithmic loss). Hence, we can uniformly choose the secret in LWR from under the hardness of bin-LWE and the following theorem (Theorem 5). Next, we recall the main theorem in [27] (it is sufficient for our schemes, though the number of samples was required to be less than ). Then, by combining this theorem with Lemma 6 (it is a simple fact; here we present it as a lemma), we get our crucial Theorem 7 on which the proposed schemes’ security is based. Note that Theorem 7 concerns the search problem of bin-LWE, which is harder than the decision problem of bin-LWE.

Theorem 5 (see [27]). For every , , , , and if there is an algorithm such that where , , and , then there exists an efficient algorithm that runs in time polynomial in , , the number of divisors of , and the running time of such that for noise distribution that is -bounded and balanced in each coordinate.

Lemma 6. If , then the distribution is uniform over for (i.e., the distribution is equivalent to ).

Theorem 7. For every , , , , , and if there is an algorithm such that where , , and , then there exists an efficient algorithm that runs in time polynomial in , , the number of divisors of , and the running time of such that for noise distribution that is -bounded and balanced in each coordinate.

Proof of Sketch. Note that there is no restriction on the condition in Theorem 5. In other words, Theorem 5 holds even under the additional condition . Therefore, Theorem 7 is obvious by combining Lemma 6 which implies that the vector is equivalent to .

We remark that the term in Theorem 7 can be interpreted as the decision problem, for the fixed .

2.3. Variant of Gadget Matrix

The gadget matrix, which was proposed by [29], was used to build a LWE-based FHE scheme of GSW style by AP14, which extended the “flatten” skill in GSW13. Here, we construct a variant of gadget matrix which is specific to our LWR-based FHE scheme.

Since there are two moduli , in the LWR problem, a variant of gadget matrix with invariant function is as follows: where , , and . We also define the deterministic inversion function , which is equal to bit decomposition that decomposes into its bit representation over or and has the following property: for any matrix , it holds that Note that is an expensively randomized inversion function in AP14, although it leads to a tighter noise analysis for its homomorphic operations.

3. Building Block

As a warmup, in this section, we present a basic encryption scheme construction based on LWR which is adapted from the ring-LWR-based FHE scheme [22]. Then, based on the basic encryption scheme, we give our LWR-based FHE scheme in the next section. We remark that the secret key is uniformly chosen from to keep the noise growing slower and speed up encryption and decryption processes, under the same (almost) security level as GSW13 and AP14. This can be guaranteed by Theorem 7 in Section 2.2 and the hardness of bin-LWE problem.

3.1. The Basic LWR-Based Encryption Scheme

The basic encryption scheme based on LWR is constructed as follows.(i) Setup(): choose parameters , , moduli , and satisfying (this condition is needed for the security proof). Let .(ii) KeyGen(): choose uniformly at random a secret key . Choose uniformly at random vectors , and then computefor , which results in pairs of LWR samples . Assemble a matrix by the column vectors and set , and then let . The final public key is , and the secret key is . For later use, we write for Then, according to (15), it holds that  mod , where the noise .(iii) Enc(): to encrypt a message , choose a random vector , and then output (iv) Dec(): given the ciphertext , output

Correctness. As long as the noise , where is the entry of the vector , the above Dec algorithm can rightly recover the message . We prove this by the following steps: For every column vector of the matrix , it holds thatThen, we have , and it follows that iff .

3.2. Security

We argue that the above basic encryption scheme is IND-CPA secure under Theorem 7. In fact, the structure of our basic encryption scheme is identical to that of [14, 16, 17], and so is the strategy of security proof. In our paper, Theorem 7 guarantees the hardness of assumption (where ) assuming the bin-LWE problem; hence, we can base the security of our basic encryption scheme on the LWR problem. For completeness, we give a full security proof below.

Theorem 8. The above basic LWR-based encryption scheme is IND-CPA secure under the assumption.

Proof. We prove the theorem via a series of hybrid experiments. The analysis of probability is omitted here, since it is natural and very similar to that of [4, 14].(i)Hybrid 0: this is the real system (we set , where ).(ii)Hybrid 1: this is the same as Hybrid 0 except that we use pairs chosen uniformly from , instead of being chosen from LWR samples in Hybrid 0, to assemble public key . The ciphertext is thus generated by encrypting using the public key as per the encryption procedure in Hybrid 0.(iii)Hybrid 2: this is the same as Hybrid 1 except that the ciphertext is chosen from uniformly and independently of the public key.Firstly, we claim that Hybrid 1 is indistinguishable from Hybrid 0, under the assumption. This is shown by a simple reduction: if any hypothetical adversary can distinguish these two hybrids, then we can construct an algorithm to break the assumption. Specifically, simply collects its input samples (challenged samples) into the public key and encrypts a message using the public key to get a ciphertext , and then it invokes on , outputting the same acceptreject decision. It is clear that perfectly simulates Hybrid 0 or Hybrid 1 depending on whether its input samples are LWR samples or uniform over ; that is, if the input samples are LWR samples, then the ciphertext is generated as per Hybrid 0; otherwise, the ciphertext is generated as per Hybrid 1. Therefore, and have equal distinguishing advantages. Because ’s advantage must be negligible by hypothesis, so is ’s.
In the second place, we claim that Hybrid 1 is statistically indistinguishable from Hybrid 2; that is, even a computationally unbounded adversary has only negligible advantage in distinguishing them. This is easy to be justified by Lemma 1 in Section 2. In more detail, by Lemma 1, the term in Hybrid 1 is statistically indistinguishable from any element . Hence, the ciphertext in Hybrid 1 is statistically indistinguishable from that of Hybrid 2, for adding any fixed vector to preserves its uniform distribution.
To sum up, we conclude that Hybrid 0 is indistinguishable from Hybrid 2, and the ciphertext in Hybrid 2 is independent of message (regardless of or ), which completes the proof.

4. LWR-Based FHE Scheme

4.1. Our Construction

Our LWR-based FHE scheme is constructed as follows.(i) Setup(): choose dimension parameter and moduli and satisfying . Also, choose parameter . Let . Let , , and .(ii) KeyGen(): choose uniformly at random a secret key . As per KeyGen algorithm in Section 3, generate a matrix The final public key is , and the secret key is . Note that it holds that  mod , where the noise .(iii) Enc(): to encrypt a message , choose a random matrix . Output the ciphertext where the gadget matrix is brought from Section 2.3. Since we should perform the above matrix multiplication as per the specific matrix operations described in Section 2, we give Algorithm 1 that makes the encryption algorithm more readable.(iv) Dec(): given the ciphertext , choose a vector and compute Output (mod 2). We also give Algorithm 2 that makes the decryption algorithm more readable.(v) Add(): given two ciphertext matrices decrypting to messages and , respectively, output (vi) Mult(): for two ciphertext matrices decrypting to messages and , respectively, the multiplication is defined as where is brought from Section 2.3. We give Algorithm 3 only for homomorphic multiplication, because homomorphic addition is trivial, and homomorphic NAND depends on homomorphic multiplication.(vii) NAND(): for two ciphertext matrices decrypting to messages and , respectively, the NAND operation is defined as Note that any Boolean circuit can be converted to use only NAND operation.(viii) Eval()): evaluate the Boolean function on ciphertexts by the NAND operation. Output a ciphertext .

Algorithm 1: Encryption algorithm.
Algorithm 2: Decryption algorithm.
Algorithm 3: Homomorphic multiplication.

The IND-CPA security of the above scheme follows immediately from the security of the basic encryption scheme in Section 3. The ciphertext matrix is just plus a matrix of encryptions of 0 under the key by the basic encryption in Section 3, which is pseudorandom by Theorem 8 and hence hides .

4.2. Correctness

In this subsection, we analyze the scheme’s correctness and the noise growth of each homomorphic operation. Moreover, we also give a more detailed analysis for homomorphic multiplication to illustrate that our proposed construction is practicable.

Correctness. The correctness is obvious according to the correctness of the basic encryption scheme in Section 3, iff the magnitude of noise is less than . In fact, according to the Dec, we haveand thenwhere . Hence, the correctness holds iff

Since the homomorphic addition is obvious, we mainly analyze homomorphic multiplication and NAND operation.

Homomorphic Multiplication. To multiply two ciphertext matrices designated for messages , we havewhere and is the total noise which is of magnitude due to by the correctness of our basic encryption scheme. Therefore, it is clear that the noise growth factor is , and after levels of homomorphic multiplication, the noise grows from initial magnitude of to . By comparison, in GSW13, the noise at level is near , where , .

Homomorphic NAND. To perform NAND operation on two ciphertext matrices designated for messages , we have where is the noise of homomorphic NAND, which is identical to that of homomorphic multiplication. Therefore, the noise is also increased by a factor of at most .

Analysis for Homomorphic Multiplication. Given two ciphertext matrices designated for messages , we let , . Recall that Compute and let , that is, , and then we have , where and . Then, we havewhere, as per the specific matrix multiplication described in Section 2, we can compute . Since  mod , does not affect the correctness of  mod  (recall that ). Therefore, (25) holds.

4.3. Parameters and Comparisons

Compared to GSW13 and AP14, we conclude, from the above analysis, that our noise growth factor is also (identical to theirs) and the size of parameter is almost the same as theirs. Hence, we claim that the efficiency of our scheme is almost comparable to theirs without considering the cost of the Gaussian noise sampling, since our encryption and decryption processes are identical to theirs. Concretely, we assume the depth of NAND operation is , and after levels of homomorphic NAND operation, the noise is near , and it holds that for decryption. Then, combining with the requirements of in Theorem 7 in Section 2, and , in our scheme, we can set , satisfying . Compared to the parameter of (since ) in GSW13 and AP14, our parameter is larger (up to a polynomial factor); this is caused by the condition needed for achieving the same (almost) security level as GSW13 and AP14. Therefore, in consideration of the cost (e.g., running time, memory) of Gaussian or sub-Gaussian noise sampling in GSW13 and AP14, our scheme has some advantages over them and thus can be seen as an alternative to them. Actually, with the development of reduction between LWE and LWR, the moduli can be reduced.

Bootstrapping involves homomorphically evaluating the decryption function. Because our decryption process is identical to AP14, bootstrapping works on our proposed scheme as well. In more detail, similar to AP14, we can also directly evaluate the decryption function in an elementary and efficient arithmetic form, using just basic facts about cyclic groups, so as to achieve bootstrapping. In our scheme, the bootstrapping method also just results in polynomial noise, which allows the security to be based on the LWR problem with inverse-polynomial noise rates. Since the reduction from LWE to LWR incurs a polynomial loss () according to Theorem 7 in Section 2, the security can be based on LWE problem with inverse-polynomial noise rates and hence on worst-case lattice problems (e.g., GapSVP) with polynomial approximation factors.

5. LWR-Based Multikey FHE Scheme

FHE has been studied extensively also due to its versatility in cryptography and industrial application, such as the problem of outsourcing computation to a third trust party (a remote server) without compromising its privacy [5] and secure multiparty computation problem [12, 30]. In Eurocrypt 2016, Mukherjee and Wichs [12] extended AP14 to multikey case and presented a multikey FHE scheme for implementing two round multiparty computations, which enabled performing homomorphic computation over encrypted data under different keys and satisfied threshold decryption. Their solution, however, relies on the LWE problem, the efficiency of which is retarded by the sub-Gaussian noise sampling. But the tricks in [12] inspire us to construct a multikey FHE scheme based on LWR. In fact, our construction also satisfies threshold decryption; we will describe it in Section 5.3. Here, we just present some necessary tools and our main construction, and we refer interested readers to [12] for the definitions of multikey FHE and multiparty computation, the security definition of multiparty computation protocol, and some other related concepts.

5.1. Overview of the Techniques

In this subsection, we will describe how to construct a LWR-based multikey FHE scheme (adapted from [12]); this helps readers understand our construction more easily. For simplicity, we consider a case of two keys, for it is natural to generalize to the case of any polynomial number of keys. According to (23) in Section 4.2, given two ciphertexts and decrypting to messages and , we can perform homomorphic operations on these two ciphertexts, iff they satisfy the equation for small noise , where . Hence, for the “combined secret key” , where and which correspond to two different users, if we can construct two expanded ciphertexts and , such that and (henceforth, is used for omitting the noise term ), where is the expansion of , then we can perform homomorphic operations on these two ciphertexts and .

Exactly as Mukherjee and Wichs [12] showed, we can create the expanded ciphertext as follows: such that iffwhere . Similarly, we can also generate the ciphertext . Here, we have made a big step forward; next, we proceed to analyze how to construct this without revealing the secret key .

Assume we are given a user-specific public key , a secret key , and a ciphertext which is generated as per Enc algorithm in Section 4. Assume we are also given another user-specific public key and secret key (assume is the public shared parameter), such that ; then, we haveSubtracting (34) from (32), we get over . We proceed to use an important tool brought from [12] to construct such matrix .

Linear Combination. For a matrix with entries for , , let be LWR-based FHE encryption of under a secret key , where . Let be a vector, where is its th entry. Then, there is a polynomial time deterministic algorithm which outputs such that , where .

The algorithm is implemented as follows:(1)For each , , define a matrix as follows: In other words, will be 0 everywhere except the th row and th column where it has the value .(2)Output , where

Then, we analyze its correctness as follows: where is the noise contained in with magnitude of (according to Section 3), and then has magnitude , and finally has magnitude .

5.2. Construction of Two-Key FHE Scheme from LWR

For ease of description, here we just give a construction of two-key FHE scheme based on LWR, for everything extends naturally to any polynomial number of keys.

Construction. Now, we describe the two-key FHE construction.(i) TFHE.Setup(): run the Setup and KeyGen algorithms in Section 4 to generate the parameters: (ii) TFHE.KeyGen(): run the KeyGen algorithms in Section 4 to get (iii) TFHE.Enc(): for , run the Enc algorithm in Section 4 to get a ciphertext and the corresponding random matrix . For all entries of the uniform matrix , we use the same secret key to encrypt them, which leads to a helper set . Output the ciphertext and the helper set .(iv) TFHE.Expand(): given and , when , run the linear combination algorithm to generate a matrix , such thatFinally, output an expanded ciphertext: where ciphertext corresponds to the message . Similarly, when , output an expanded ciphertext .(v) TFHE.Eval(): on inputting two expanded ciphertexts, run Eval algorithm in Section 4, albeit with expanded dimensions and , and the gadget matrix . Output the ciphertext .(vi) TFHE.Dec(): on inputting a ciphertext and two secret keys and , parse and , and then obtain a new secret key . Finally, run the Dec algorithm in Section 4 to get a plaintext .

Correctness. It is sufficient to verify that and . Adding (34) and (40) up, that is, plusresults in This also applies to verify .

Parameters and Security. Though our LWR-based multikey FHE scheme does not need the sub-Gaussian noise sampling compared to Mukherjee and Wichs’s [12], the structure of our construction is identical to theirs. Indeed, we just cleverly use the scaled rounding function instead of their sub-Gaussian noise, to hide the message, and this is done thanks to our specific structure which helps us circumvent the tangly modulus problem that exists in [22]. Since the LWE-based multikey FHE [12] is an extension of AP14, while the parameter in our LWR-based FHE is almost identical to that of AP14 according to Section 4.2, hence the LWR-based multikey FHE which is the extension of LWR-based FHE has almost the same parameter as that of [12].

As to the security, we remark that the main difference between multikey setting in this section and single key setting in Section 4 is the number of ciphertexts. In multikey setting, there is an additional helper set which involves ciphertexts, but the ciphertexts are encryptions of entries of the random matrix , which are independent of other ciphertexts. In other words, the helper set does not affect scheme’s security; therefore, our LWR-based multikey FHE scheme has the same security level as the LWR-based FHE scheme in Section 4.

5.3. Threshold Decryption for Two-Key FHE Scheme

In [12], the main idea of designing a multiparty computation protocol is to leverage the property of “threshold decryption” of multikey FHE and rely on the “smudging lemma [31].” In the secure multiparty computation distributed protocol, the parties run a secure distributed protocol using their own secret key to decrypt the output ciphertext and finally recover the plaintext . Specifically, each party will obtain partial information by operating their own secret key on the common ciphertext , and then they broadcast the information they get added by some medium-sized smudging noise from a uniform distribution (adding the noise is needed to “smudge out” any information about the noise contained in ciphertext and is needed for security proof); finally, each party can sum up all the other partial information and get the final decryption . We can achieve the construction of multiparty computation protocol as well, for our LWR-based multikey FHE scheme also satisfies the threshold decryption. Compared to [12], our threshold decryption also needs the smudging noise, but the whole computation overhead is lower in that our LWR-based multikey FHE scheme does not need the sub-Gaussian noise sampling. The threshold decryption follows. For simplicity, we again cover the case of two-key FHE.(i) TFHE.PartDec()): given the output (common) ciphertext under two public keys and the secret keys , do the following:(1)Parse the ciphertext consisting of two submatrices such that (2)Define a vector as (3)For , compute , and then compute , where is random “smudging noise.” We can set . Note that the parameter in [12], where .(ii) TFHE.FinDec(): given , compute the sum . Finally, output .

Correctness. Given the common ciphertext designated for the message , parse the parties’ keys as . By the correctness of LWR-based two-key FHE scheme, it holds that Then, we have where holds under the appropriate parameters; for example, we can set . Therefore, the correctness holds.

6. Conclusions

We present the first workable LWR-based FHE scheme. Our FHE scheme erases the expensive Gaussian noise sampling and thus can be seen as an alternative to the existing LWE-based FHEs. Furthermore, based on our main construction, we give the first LWR-based multikey FHE scheme, which is an alternative to the existing multikey FHEs that can also be applied to multiparty computation. However, neither our LWR-based multikey FHE scheme nor Mukherjee and Wichs’s can be used to construct multiparty computation protocol without the smudging lemma (which means that the corresponding modulus has to be set exponentially in security parameter). Therefore, it remains an open problem to construct multiparty computation protocol via multikey FHEs without the smudging lemma.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This research is supported in part by the National Basic Research Program of China (973 Project, no. 2014CB340603), the National Key Research and Development Program of China (2017YFB0802000), the National Natural Science Foundation of China (nos. 61672030, 61272040, and U1705264), the Research Foundation of Hangzhou Normal University (no. 2017QDL002), and the Scientific Research Fund of Zhejiang Provincial Education Department (no. Y201737292).

References

  1. R. L. Rivest, L. Adleman, and M. L. Dertouzos, “On data banks and privacy homomorphisms,” Foundations of secure computation, vol. 4, no. 11, pp. 169–180, 1978. View at Google Scholar · View at MathSciNet
  2. C. Gentry, A Fully Homomorphic Encryption Scheme, Stanford University, 2009.
  3. M. Van Dijk, C. Gentry, S. Halevi, and V. Vaikuntanathan, “Fully homomorphic encryption over the integers,” in Annual International Conference on the Theory and Applications of Cryptographic Techniques, vol. 6110 of Lecture Notes in Computer Science, pp. 24–43, Springer, Berlin, Germany, 2010. View at Publisher · View at Google Scholar · View at MathSciNet
  4. Z. Brakerski and V. Vaikuntanathan, “Fully homomorphic encryption from ring-LWE and security for key dependent messages,” in Annual Cryptology Conference, vol. 6841 of Lecture Notes in Computer Science, pp. 505–524, Springer, Heidelberg, Berlin, Germany, 2011. View at Publisher · View at Google Scholar · View at MathSciNet
  5. Z. Brakerski and V. Vaikuntanathan, “Efficient fully homomorphic encryption from (standard) LWE,” in Proceedings of the IEEE 52nd Annual Symposium on Foundations of Computer Science, FOCS 2011, pp. 97–106, IEEE Computer Society, 2011. View at Publisher · View at Google Scholar · View at MathSciNet
  6. M. Clear and C. McGoldrick, “Multi-identity and multi-key leveled fhe from learning with errors,” in Proceedings of the Annual Cryptology Conference, pp. 630–656, Springer, Heidelberg, Berlin, Germany, 2015. View at MathSciNet
  7. N. P. Smart and F. Vercauteren, “Fully homomorphic encryption with relatively small key and ciphertext sizes,” in Public Key Cryptography, vol. 6056 of Lecture Notes in Computer Science, pp. 420–443, Springer, Berlin, Germany, 2010. View at Publisher · View at Google Scholar · View at MathSciNet
  8. L. Ducas and D. Micciancio, “Fhew: Bootstrapping homomorphic encryption in less than a second,” EUROCRYPT, vol. 9056, pp. 617–640, 2015. View at Publisher · View at Google Scholar · View at MathSciNet
  9. Z. Brakerski, C. Gentry, and V. Vaikuntanathan, “(Leveled) fully homomorphic encryption without bootstrapping,” in Proceedings of the 3rd Conference on Innovations in Theoretical Computer Science, ITCS 2012, pp. 309–325, USA, January 2012. View at Publisher · View at Google Scholar · View at Scopus
  10. Z. Brakerski, “Fully homomorphic encryption without modulus switching from classical GapSVP,” in CRYPTO, vol. 7417, pp. 868–886, Springer, 2012. View at Publisher · View at Google Scholar · View at Scopus
  11. I. Chillotti, N. Gama, M. Georgieva, and M. Izabachène, “Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds,” in Proceedings of the 22nd International Conference on the Theory and Application of Cryptology and Information Security, Lecture Notes in Computer Science, pp. 3–33, Springer, Hanoi, Vietnam, 2016. View at Publisher · View at Google Scholar · View at MathSciNet
  12. P. Mukherjee and D. Wichs, “Two round multiparty computation via multi-key fhe,” in Annual International Conference on the Theory and Applications of Cryptographic Techniques, vol. 9666 of Lecture Notes in Computer Science, pp. 735–763, Springer, Berlin, Germany, 2016. View at Publisher · View at Google Scholar · View at MathSciNet
  13. C. Peikert and S. Shiehian, “Multi-key fhe from lwe, revisited,” in Theory of Cryptography Conference, vol. 9986 of Lecture Notes in Computer Science, pp. 217–238, Springer, Berlin, Germany, 2016. View at Publisher · View at Google Scholar · View at MathSciNet
  14. O. Regev, “On lattices, learning with errors, random linear codes, and cryptography,” Journal of the ACM (JACM), vol. 56, no. 6, Article ID 1568324, 34 pages, 2009. View at Publisher · View at Google Scholar · View at MathSciNet
  15. C. Peikert, “Public-key cryptosystems from the worst-case shortest vector problem,” in Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC '09, pp. 333–342, ACM, USA, June 2009. View at Publisher · View at Google Scholar · View at Scopus
  16. C. Gentry, A. Sahai, and B. Waters, “Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based,” in Advances in Cryptology–CRYPTO 2013, vol. 8042, pp. 75–92, Springer, 2013. View at Publisher · View at Google Scholar · View at Scopus
  17. J. Alperin-Sheriff and C. Peikert, “Faster bootstrapping with polynomial error,” in Proceedings of the International Cryptology Conference, pp. 297–314, Springer, Berlin, Germany, 2014. View at Publisher · View at Google Scholar · View at MathSciNet
  18. Z. Brakerski, D. Cash, R. Tsabary, and H. Wee, “Targeted homomorphic attribute-based encryption,” in Proceedings of the Theory of Cryptography Conference, pp. 330–360, Springer, Berlin, Germany, 2016. View at MathSciNet
  19. S. Gorbunov, V. Vaikuntanathan, and D. Wichs, “Leveled fully homomorphic signatures from standard lattices,” in Proceedings of the Forty-Seventh Annual ACM Symposium on Theory of Computing, pp. 469–477, Portland, Oregon, USA, June 2015. View at Publisher · View at Google Scholar · View at Scopus
  20. P. Pessl, “Analyzing the shuffling side-channel countermeasure for lattice-based signatures,” in Proceedings of the 17th International Conference on Cryptology in India, vol. 10095, pp. 153–170, Springer, Kolkata, India, 2016. View at Publisher · View at Google Scholar · View at MathSciNet
  21. L. G. Bruinderink, A. Hülsing, T. Lange, and Y. Yarom, “Flush, gauss, and reload–a cache attack on the bliss lattice-based signature scheme,” in Proceedings of the International Conference on Cryptographic Hardware and Embedded Systems, pp. 323–345, Springer, 2016. View at Publisher · View at Google Scholar · View at Scopus
  22. A. Costache and N. P. Smart, “Homomorphic encryption without gaussian noise,” IACR Cryptology ePrint Archive, vol. 163, 2017. View at Google Scholar
  23. A. Banerjee, C. Peikert, and A. Rosen, “Pseudorandom functions and lattices,” Advances in Cryptology–EUROCRYPT 2012, pp. 719–737, 2012. View at Google Scholar · View at MathSciNet
  24. Z. Brakerski, A. Langlois, C. Peikert, O. Regev, and D. Stehlé, “Classical hardness of learning with errors (extended abstract),” in Proceedings of the Forty-Fifth Annual ACM Symposium on Theory of Computing, pp. 575–584, ACM, New York, NY, USA, 2013. View at Publisher · View at Google Scholar · View at MathSciNet
  25. J. HÅstad, R. Impagliazzo, L. A. Levin, and M. Luby, “A pseudorandom generator from any one-way function,” SIAM Journal on Computing, vol. 28, no. 4, pp. 1364–1396, 1999. View at Publisher · View at Google Scholar · View at MathSciNet
  26. J. Alwen, S. Krenn, K. Pietrzak, and D. Wichs, “Learning with rounding, revisited: New reduction, properties and applications,” in Advances in Cryptology–CRYPTO 2013, pp. 57–74, Springer, 2013. View at Publisher · View at Google Scholar · View at Scopus
  27. A. Bogdanov, S. Guo, D. Masny, S. Richelson, and A. Rosen, “On the hardness of learning with rounding over small modulus,” in Proceedings of the Theory of Cryptography Conference, vol. 9562, pp. 209–224, Springer, Berlin, Germany, 2016. View at Publisher · View at Google Scholar · View at MathSciNet
  28. J. Alperin-Sheriff and D. Apon, “Dimension-preserving reductions from lwe to lwr,” IACR Cryptology ePrint Archive, vol. 2016, no. 589, 2016. View at Google Scholar
  29. D. Micciancio and C. Peikert, “Trapdoors for lattices: Simpler, tighter, faster, smaller,” in EuroCrypt, vol. 7237 of Lecture Notes in Computer Science, pp. 700–718, Springer, Heidelberg, Berlin, Germany, 2012. View at Publisher · View at Google Scholar · View at MathSciNet
  30. A. López-Alt, E. Tromer, and V. Vaikuntanathan, “On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption,” in Proceedings of the Forty-Fourth Annual ACM Symposium on Theory of Computing, pp. 1219–1234, ACM, New York, NY, USA, 2012. View at Publisher · View at Google Scholar · View at MathSciNet
  31. G. Asharov, A. Jain, A. López-Alt, E. Tromer, V. Vaikuntanathan, and D. Wichs, “Multiparty computation with low communication, computation and interaction via threshold FHE,” in Proceedings of the 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Advances in Cryptology - EUROCRYPT 2012, pp. 483–501, Cambridge, UK, April 15-19, 2012. View at Scopus