Security and Communication Networks

Volume 2018, Article ID 6362010, 9 pages

https://doi.org/10.1155/2018/6362010

## Analysis on Matrix GSW-FHE and Optimizing Bootstrapping

^{1}Department of Information Research and Security, Zhengzhou Information Science Technology Institute, Zhengzhou 450001, China^{2}School of Information Technology, Deakin University, Victoria 3125, Australia^{3}School of Information Science and Engineering, University of Jinan, Jinan 250022, China

Correspondence should be addressed to Xiufeng Zhao; moc.361@gnef_uix_oahz

Received 8 August 2018; Revised 29 October 2018; Accepted 3 December 2018; Published 19 December 2018

Guest Editor: Zhaoqing Pan

Copyright © 2018 Xiufeng Zhao et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

With the rapid development of multimedia technologies, the multimedia data storage and outsource computation are delegated to the untrusted cloud, which has led to a series of challenging security and privacy threats. Fully homomorphic encryption can be used to protect the privacy of cloud data and solve the trust problem of third party. In this paper, we analyse circular security of matrix GSW-FHE scheme. We derive a sufficient condition of circular security for matrix GSW-FHE scheme. It allows us to choose a good secret key via “reject sample” technique and furthermore obtain circular secure matrix GSW-FHE scheme. We also give an extended version of matrix GSW-FHE by defining deterministic asymmetric encryption algorithm and propose hybrid homomorphic plaintext slot-wise switching method, which significantly reduces computation and storage complexity of bootstrapping key generation, thus optimizing the bootstrapping procedure.

#### 1. Introduction

With the rapid development of multimedia technologies, for example, high-efficiency video coding (HEVC) is becoming popular due to its excellent coding performance [1]; the multimedia data storage and outsource computation are delegated to the untrusted cloud server, which has led to a series of challenging security and privacy threats. To tackle the security and privacy issues in cloud computing and storage, a lot of researches have been performed, such as fully homomorphic encryption [2, 3], attribute-based encryption, searchable encryption [4], and ciphertext retrieval scheme [5, 6]. The concept of homomorphic encryption is proposed by Rivest et al. [7], and Gentry [2, 3] proposed the first fully homomorphic encryption (FHE) scheme based on ideal lattice. FHE allows us to evaluate any function over ciphertext and obtain the function over corresponding plaintext by decryption. Fully homomorphic encryption can be used to protect the privacy of cloud data and solve the trust problem of untrusted third party. So the fully homomorphic encryption has a broad application prospect in the cloud computation and the big data field. There are many fully homomorphic encryption schemes based NP-hard problems, such as ideal lattice [2, 3], LWE [8, 9], RLWE [10], LWR [11], and so forth.

The difficulty of constructing fully homomorphic encryption scheme is reducing the noise in the ciphertext. The noise increases rapidly during ciphertext evaluations and eventually reaches a threshold beyond which we can no longer decrypt the resulting ciphertext correctly. Therefore, the somewhat homomorphic encryption scheme is constructed, which can homomorphically evaluates arithmetic circuits of limited depth. To get pure fully homomorphic encryption scheme, Gentry proposed bootstrapping technique. The bootstrapping technique is currently the only way to get pure fully homomorphic encryption from somewhat homomorphic encryption. Its main idea is refreshing ciphertext by homomorphic decryption and getting fresh ciphertext and realizing the purpose of reducing ciphertext noise. The critical process of bootstrapping technique is encrypting the pieces of secret key, and the corresponding ciphertexts are viewed as public evaluation key. Thus, the homomorphic encryption scheme must enjoy circular security.

Unfortunately, all known FHE schemes are supposed to be circular secure except [10, 12]. If fully homomorphic encryption scheme satisfies circular security, it is not necessary to generate as many public evaluation keys as the depth of evaluation circuit. But being circular secure is not a naive security attribute, so it is necessary to analyse circular security for concrete fully homomorphic encryption scheme. Meanwhile, bootstrapping is used to refresh ciphertext, and the procedure is implemented frequently to get pure fully homomorphic encryption. Therefore, how to improve the bootstrapping efficiency is worth intensive studying.

*Our Results.* We analyse circular security of matrix GSW-FHE scheme [13]. From formal definition of circular security, we derive a sufficient condition of circular security for matrix GSW-FHE scheme. That is, the matrix GSW-FHE scheme satisfies circular security with some function, if the equations about secret key have solution over . Therefore, we can choose a good secret key via “reject sample” technique and furthermore obtain circular secure matrix GSW-FHE scheme.

We also give an extended version of matrix GSW-FHE by defining deterministic asymmetric encryption algorithm. To simplify the homomorphic equality test procedure, we propose hybrid homomorphic plaintext slot-wise switching method using symmetric encryption and deterministic public encryption algorithms, which significantly reduces computational cost of bootstrapping key generation, thus optimizing the bootstrapping procedure of work [13].

We may implement a trade-off between computation and storage complexity of bootstrapping. We delete part of the bootstrapping keys and compute them online when running Rounding procedure. In view of that, their computation involves only matrix additions; this cuts down the size of the large public bootstrapping key by a third, paying matrix additions with negligible computation complex.

*Related Works.* Encryption scheme achieves circular security, if it remains secure and even the secret key is encrypted under corresponding public key. In other words, circular secure encryption scheme resists key-dependent message (KDM) attack.

In the last few years, circular secure encryption schemes have been studied extensively [14–17]. Boneh et al. constructed a circular secure public key encryption scheme based on the DDH assumption without random oracle [16]. Based on Regev’s LWE-based encryption scheme [18], Applebaum et al. constructed efficient cryptosystems enjoying circular secure [17]. Brakerski and Vaikuntanathan [10] proposed circular secure homomorphic encryption scheme based on the ring-LWE assumption. The main idea in the work of [10, 17] is generating a valid ciphertext that decrypts to a message related to secret key. Because the entries of secret key are not in the message space, they introduced “noise flooding technique” and “rerandom technique” to “fit” the entries into the message space.

Brakerski and Vaikuntanathan presented a fully homomorphic encryption scheme based on the LWE assumption using relinearization technique [8]. The relinearization process allows doing one multiplication without increasing the size of the ciphertext and obtaining an encryption of the product under a new secret key. Posting a “chain” of secret keys allows performing up to levels of multiplications without blowing up to the ciphertext size. Yang et al. consider that if the relinearization satisfies circular security, the “chain” of secret keys may be back down to only one secret key, and they proposed a circular secure relinearization by defining a new assumption [12].

EuroCrypt 2013, Gentry, Sahai, and Waters proposed a new fully homomorphic encryption scheme based on the* approximate eigenvector* method, which is called GSW-FHE [19]. In the GSW-FHE scheme, homomorphic addition and multiplication are just matrix addition and multiplication. But GSW scheme operates one bit every running encryption algorithm. PKC 2015, Hiromasa et al. constructed a variant of GSW scheme called matrix GSW-FHE, which encrypts matrices and supports homomorphic matrix addition and multiplication. And they optimized the bootstrapping procedure of Alperin-Sheriff and Peikert [20] using the matrix GSW-FHE scheme [13]. To achieve homomorphic matrix operation, the pubic key of matrix GSW-FHE scheme includes the ciphertexts that encrypt partial information of the secret key, so the matrix GSW-FHE scheme resorts to circular security assumption, but formal circular security proof was not given, and it remains an open problem.

There are other works to optimize the bootstrapping procedure. Ducas et al. [21] proposed FHEW scheme, which accelerates bootstrapping via embedding the cyclic group into the group of roots of unity: , where is a primitive q-th root of unity. Wang and Tang [22] proposed an integer bootstrapping scheme by introducing new methods to evaluate integer polynomials with GSW-FHE, and they extended the method to packing by encrypting the integers diagonally in a matrix, as the matrix GSW-FHE proposed by Hiromasa et al. [13]. Similarly, their scheme resorts to circular security assumption.

On the other hand, packing technique is used to evaluate efficiently a large number of ciphertexts, and it allows us to apply single-instruction-multiple-data (SIMD) homomorphic operations to all encrypted data [23, 24]. The bootstrapping procedure [13, 20] is optimized by embedding into symmetric group , the multiplication group of permutation matrix, and homomorphic permuting SIMD ciphertexts. The mathematic preliminary of SIMD technique is Chinese Remainder Theorem (CRT). The plaintext space can be split into many small spaces via the CRT. If the plaintext modulus q is a composite that factors into distinct powers , then the ring can be mapped via the CRT to direct product of ring ’s.

*Organization.* In Section 2, we describe some preliminaries on the formal definition of homomorphic encryption and circular security and the isomorphic from additive group to a group of cyclic permutations. In Section 3, we review the matrix GSW-FHE scheme and define a new deterministic asymmetric encryption algorithm. We give the analysis on circular security of matrix GSW-FHE scheme in Section 4. In Section 5, we propose hybrid plaintext slot switching method and optimize the bootstrapping procedure. We give conclusions in Section 6.

#### 2. Preliminaries

We denote the set of integers by . Let be some group and let be some probability distribution, and then we use to denote that is chosen from uniformly at random and use to denote that is chosen along P.

The vector is denoted by bold lowercase letter, for example, , and the i-th element of a vector is denoted by . The inner product between two vectors is denoted by . Matrices are written by using bold capital letters, for example, , and the i-th column vector of a matrix is denoted by . The identity matrix is denoted by .

##### 2.1. Homomorphic Encryption

Let and be the message and ciphertext space. A homomorphic encryption scheme consists of four algorithms .(i): input security parameter and output a public encryption key , a secret decryption key , and a public evaluation key .(ii): input public key and plaintext and output ciphertext .(iii): input secret key and ciphertext and output the message encrypted in the ciphertext .(iv): input the evaluation key , function , and ciphertexts and output a ciphertext that is obtained by applying the function to .

##### 2.2. Embedding into Symmetric Group

According to Cayley’s Theorem, the additive group is isomorphic to a group of cyclic permutations G, where corresponds to a cyclic permutation that can be represented by an indicator vector with 1 in the -th position. The permutation matrix can be obtained from the cyclic rotation of the indicator vector. The addition in leads to the composition of the permutations; the rounding function can be computed by summing the entries of the indicator vector corresponding to those in that round 1.

By CRT, is isomorphic to the direct product , where , and are small and powers of distinct primes. Similarly, embeds into symmetric group .

#### 3. Matrix GSW-FHE

##### 3.1. Review Matrix GSW-FHE Scheme

In this section, we review the matrix GSW-FHE scheme. Let be the security parameter. The matrix GSW-FHE scheme is parameterized by an integer lattice dimension , an integer modulus , and a distribution over which is assumed to be sub-Gaussian; all of the parameters depend on . Let , , and . Let be the amount of bits to be encrypted, which defines the message space . The ciphertext space is . The scheme uses the rounding function where, for any , outputs 1 if is close to and 0 otherwise. Recall that and .(i) KeyGen: Sample a uniformly random matrix , secret key matrix , and noise matrix . Let and . Let be the matrix with 1 in the position and 0 in the others. For all , first sample , and set Output public key and secret key .(ii) : Sample random matrixes and , parse , and output the ciphertext(iii) : Sample a random matrix , and output the ciphertext where is the element of .(iv) : Output the matrix , where is the row of .

##### 3.2. Deterministic Asymmetric Encryption

We define a new deterministic asymmetric encryption algorithm in the matrix GSW-FHE scheme as follows:(i): input and and output the ciphertext

where is the element of . The DetePubEnc algorithm has lower computational cost than algorithm and algorithm, and it only involves matrix addition, whereas the algorithm and algorithm involve both matrix multiplication and matrix addition.

#### 4. Analysis on Matrix GSW-FHE

In the KeyGen algorithm of matrix GSW-FHE, needs to be computed when generating public key . We observe that where right matrix is with in the i-th row and 0 in other rows. Let be an matrix, which satisfies the following matrix equation:That is,Viewing the elements of as the equation parameter and the elements of as variables, we can get equations from the above matrix equation: According to the knowledge of linear algebra, the equations exit nontrivial solution if the rank of coefficient matrix is equal to the rank of the augmented matrix as below.That is,We denote the solution by , so we have From the above analysis, we can derivate the circular security of the matrix GSW-FHE scheme.

Theorem 1 (circular security). *If the equation exits nontrivial solution over , then the matrix GSW-FHE scheme is circular secure with function .*

*Proof. *Let be a ciphertext encrypting function , , and . Then we haveFrom (12), we have; ; therefore, we derivate that As is an instance of LWE over , it satisfies uniform distribution over . Furthermore, obeys uniform distribution over .

On the other hand, suppose that is a ciphertext encrypting** 0**; that is,It is also an instance of LWE over and obeys uniform distribution over , too. Therefore, distributions of and are computationally indistinguishable, and the advantage of probabilistic polynomial-time adversary is negligible. So we can conclude that the matrix GSW-FHE is circular secure with function .

From Theorem 1, we can choose a good secret key that satisfies that (12) has solution via “reject sample” technique and obtain circular secure matrix GSW-FHE scheme.

#### 5. Optimizing Bootstrapping

In this section, we describe how to optimize the bootstrapping procedure of [13] by introducing deterministic homomorphic plaintext slot-wise permutation.

##### 5.1. Motivation

The decryption of all LWE-based FHE schemes consists of the inner product and rounding: for secret key and a binary ciphertext , the decryption algorithm computesNote that the inner product itself is just a subset-sum of the -entries of indicated by and uses only the additive group structure of . Alperin-Sheriff and Peikert [20] proposed an efficient bootstrapping algorithm by embedding into permutation group . Thus the rounding function is no longer just a sum, and it can be expressed as where each equality test returns 0 for false and 1 for true. The equality test operation has homomorphic counterpart, called homomorphic equality test. Homomorphic equality test is an important primitive for optimizing bootstrapping procedure, and it has many other applications as mentioned in [25].

For , they map to the r-by-r permutation matrices of group and are denoted as * and *, respectively. The Eq? algorithm is described as follows:(i): given a ciphertext encrypting some permutation and a permutation (in the clear), output a ciphertext c encrypting 1 if ; otherwise, output a ciphertext c encrypting 0:

Note that the permutation goes through all permutations in , and it is not masked in the homomorphic equality test Algorithm; that is, is* in the clear*.

Let : be the isomorphism of an element in () into the cyclic permutation that corresponds to an element in , where . During homomorphic rounding process of work [13], is encrypted as part of public bootstrapping key and used in the homomorphic equality test algorithm.

In fact, traverses and does not carry any privacy information. It is not necessary to encrypt using SecEnc algorithm, which would increase computation cost. We propose optimizing homomorphic equality test algorithm by defining hybrid homomorphic plaintext slot-wise switching method, which reduces the computation cost of bootstrapping key generation.

##### 5.2. Hybrid Homomorphic Plaintext Slot-Wise Switching

Plaintext slot-wise permutation is an important operation in application of packed FHE [23, 24]. It can be achieved by multiplying the encryption of a permutation and its inverse from left and right. We propose hybrid homomorphic plaintext slot switching procedure where the switch key is encrypted by symmetric and asymmetric encryption algorithm. The nice feature of our switching procedure is that part of switch key can be computed by deterministic public encryptions, which makes our procedure more efficient than that of [13].(i) : Input a secret key matrix and a permutation ; let be a matrix corresponding to , and compute Output the switch key . The algorithm is the same as the work in [13].(ii) : Input a switch key and a ciphertext C; output where is the fixed encryption of with noise zero.(iii) : Input a secret key matrix and a permutation , and compute Output the deterministic switch key .(iv) : Input a deterministic switch key and a ciphertext C; output where is the fixed encryption of with noise zero.

##### 5.3. Optimized Bootstrapping Procedure

Our optimized bootstrapping procedure can be used to refresh ciphertexts of all standard LWE-based FHE. Let be the ciphertext to be bootstrapped, and let be a secret key that corresponds to **.** The optimized bootstrapping procedure consists of two algorithms, HybirdBootKeyGen and HybirdBootstrap.(i) : Input a secret key and public key for our bootstrapping scheme and the secret key for ciphertext to be refreshed; output a bootstrapping key . For every and , let be the permutation corresponding to , and generate where, for a vector , is the square integer matrix that has in its diagonal entries and 0 in the others. Then compute the hints used in homomorphic equality test on packed indictor vectors. For every and such that , compute Output the bootstrapping key (ii) : Input a bootstrapping key* bk* and a ciphertext ; output the refreshed ciphertext . All the FHE schemes based on the LWE problem have similar decryption algorithm; that is, the decryption algorithm needs to compute . There are two phases in the HybridBootstrap algorithm: evaluate the inner product and rounding. **Inner Product**: For every , homomorphically compute an encryption of . Let . For , set , and iteratively compute for such that . **Rounding**: For each such that , homomorphically test the equality between and , and sum their results. The refreshed ciphertext is computed as

##### 5.4. Correctness Analysis

Lemma 2 (correctness). *Let be the secret key for our scheme. Let and be a ciphertext and secret key of LWE-based FHE scheme. Then, for , the refreshed ciphertext is designed to encrypt in the first slot.*

*Proof. *Firstly, is designed to encrypt , andis designed to encrypt 1 in the first slot if and only if Finally, since the homomorphic sum is taken over every such that , is designed to encrypt 1 if and only if .

##### 5.5. Security Analysis

If the bootstrapping scheme secret key is generated independently of the secret keys of FHE scheme from LWE, then Ind-CPA security of the bootstrapping key follows immediately from the security of hybrid homomorphic plaintext slot-wise switching, and the security of hybrid homomorphic plaintext slot-wise switching scheme resorts to the security of matrix GSW-FHE and hence the security of our bootstrapping scheme from LWE assumption.

##### 5.6. Performance Analysis

Let be the modules of the ciphertext to be refreshed, and has the form , where are small and powers of distinct primes. The following lemma allows us to choose a sufficiently large by letting it be the product of all maximal prime powers bounded by , and then there exists , where is security parameter.

Lemma 3 (see [13, 20]). *For all , the product of all maximal prime powers is all at least .*

On one hand, our algorithm involves matrix additions operation only, whereas SecEnc algorithm involves many matrix multiplication operations. Our bootstrapping key is optimized from . Therefore, our optimized bootstrapping key generation has lower computation complexity. The comparison of computational complexity is illustrated in Table 1.