#### Abstract

Achieving both simplicity and efficiency in fully homomorphic encryption (FHE) schemes is important for practical applications. In the simple FHE scheme proposed by Ducas and Micciancio (DM), ciphertexts are refreshed after each homomorphic operation. And ciphertext refreshing has become a major bottleneck for the overall efficiency of the scheme. In this paper, we propose a more efficient FHE scheme with fewer ciphertext refreshings. Based on the DM scheme and another simple FHE scheme proposed by Gentry, Sahai, and Waters (GSW), ciphertext matrix operations and ciphertext vector additions are both applied in our scheme. Compared with the DM scheme, one more homomorphic NOT AND (NAND) operation can be performed on ciphertexts before ciphertext refreshing. Results show that, under the same security parameters, the computational cost of our scheme is obviously lower than that of GSW and DM schemes for a depth-2 binary circuit with NAND gates. And the error rate of our scheme is kept at a sufficiently low level.

#### 1. Introduction

With the rapid development of computer networks and big data, the cloud has been playing an important role in storing and processing huge amounts of data [1]. The cloud provides abundant, flexible, and on-demand remote storage and computational resources for network users. However, the cloud is not fully trustable, and users do not have full control power on the data stored in the cloud. Data in the cloud are faced with the risk of leakage, and personal privacy is seriously threatened. In some recent research works, approaches based on network defense have been proposed for guaranteeing cloud security [2–6]. Nevertheless, data encryption provides a more fundamental and universal privacy protection for data in the cloud. In traditional encryption techniques, when the encrypted data are stored in the cloud, they need to be decrypted before computation, and personal privacy is still seriously threatened. Homomorphic encryption allows ciphertext operations to be performed directly; thus an untrusted third party can process the ciphertexts without decrypting them. The decryption of the result of ciphertext operation is equivalent to the result of corresponding plaintext operation. Furthermore, fully homomorphic encryption (FHE) allows arbitrary operations to be performed on ciphertexts. Concretely, let and denote encryption and decryption algorithms, respectively. And let and denote the plaintexts and corresponding ciphertexts, respectively, where and . For a function of plaintexts , and a corresponding function of ciphertexts , FHE schemes satisfy the following property:This ideal property can be applied to privacy protection in the cloud, where personal data are stored and processed in encrypted form.

In FHE schemes, ciphertexts are generated with a random noise to ensure semantic security. The noise grows as homomorphic operations proceed. When the noise magnitude exceeds a certain threshold, ciphertext will no longer be correctly decrypted. By means of bootstrapping proposed by Gentry [7], ciphertext noise can be reduced and further homomorphic operations can be performed. However, due to its inherent complexity, bootstrapping has become a major bottleneck for the efficiency of all FHE schemes. Although there are many studies on improving the efficiency of FHE schemes [8–27], they are still not simple and efficient enough to be widely adopted in the real world. Designing a conceptually simple and efficient FHE scheme has become a challenging issue.

In this paper, a new FHE scheme is proposed to achieve both conceptual simplicity and higher efficiency. The scheme is constructed using the ideas of ciphertext matrix operations in the FHE scheme proposed by Gentry, Sahai and Waters (GSW) [19] and ciphertext vector additions in the FHE scheme proposed by Ducas and Micciancio (DM) [21]. Both these schemes are conceptually simpler than most other FHE schemes, while suffering from low efficiency. We have proved that, compared with DM, our scheme allows one more homomorphic operation to be performed before ciphertext refreshing. And the computational cost of our scheme is significantly lower than that of DM and GSW under the same security parameters, with the error rate kept at a sufficiently low level. Our scheme not only inherits the advantage of conceptual simplicity in DM and GSW but is also more efficient.

*Assumptions.* The assumptions in our scheme are specified as follows: the hardness of the Learning with Errors (LWE) problem [28]; circular security in ciphertext refreshing; that is, one can safely encrypt a secret key under its associated public key [7]; the operations on the binary circuit which are performed parallelly. And the computational cost at each level is represented as that of a specific gate at the level.

*Contributions.* The main contributions of our scheme are summarized as follows: To the best of our knowledge, our scheme is one of the few FHE schemes which take both simplicity and efficiency into consideration. Our scheme inherits the advantage of conceptual simplicity in DM and GSW, which are conceptually simpler than most other FHE schemes. Our scheme combines the advantage of efficient homomorphic operation in DM with the advantage of moderate growth of noise magnitude in GSW. When compared with DM, it allows one more homomorphic operation to be performed before ciphertext refreshing. Under the same security parameters, the computational cost of our scheme is obviously lower than that of DM and GSW, and the error rate is kept at a sufficiently low level.

*Organization.* The rest of this paper is organized as follows: the related work is discussed in Section 2; some preliminaries are given in Section 3; a review of GSW and DM is presented in Section 4; our more efficient FHE scheme, along with its correctness, security, and applicability analysis, is presented in Section 5; the comparison of our scheme with DM and GSW in terms of overall efficiency and error rate is given in Section 6; finally, conclusions are drawn in Section 7.

#### 2. Related Work

##### 2.1. Construction of FHE Schemes

Gentry proposed the first FHE scheme in 2009 [7], which marks a milestone in the research of homomorphic encryption. Gentry’s FHE scheme is based on ideal lattices, which includes the following major steps: the construction of a somewhat homomorphic encryption scheme (SWHE) which allows limited homomorphic additions and multiplications to be performed on ciphertexts; the squashing step for reducing the complexity of decryption algorithm; the bootstrapping technique for reducing ciphertext noise via re-encryption and homomorphic decryption. Despite its significant contribution, Gentry’s scheme sufferes from a rather low efficiency. Following Gentry’s work, some other FHE schemes based on ideal lattices have been proposed on improving the efficiency of Gentry’s scheme [8–11]. However, the inherent complicated key generation process, along with large key/ciphertext sizes, has made these schemes impractical for real-world applications.

In 2010, Dijk et al. proposed a FHE scheme over the integers [29]. Both the keys and ciphertexts are integers, which are much simpler than previous FHE schemes based on ideal lattices. However, the scheme also suffers from low efficiency due to large key/ciphertext sizes. Although some improved FHE schemes on integers have been proposed [12–15], keys and ciphertexts in these schemes are still too large to be deployed in any practical system.

Recently, most FHE schemes have been constructed based on the LWE problem, which is a computational problem over lattices [28]. LWE has now drawn the attention of more and more cryptographic researchers with its relatively small key/ciphertext sizes and strong security. Brakerski and Vaikuntanathan presented the first LWE-based FHE scheme (BV) in 2011 [30]. The relinearization technique was introduced for controlling ciphertext dimension in homomorphic multiplications. And the dimension-modulus reduction technique was proposed as a new method for simplifying the decryption algorithm to make the scheme bootstrappable, thus fully homomorphic. Compared with the squashing technique proposed by Gentry, the sparse subset-sum assumption was removed in dimension-modulus reduction, making it more natural. Brakerski, Gentry, and Vaikuntanathan proposed a leveled FHE scheme (BGV) in 2012 [16]. The relinearization and dimension-modulus reduction techniques were improved as the key-switching and modulus-switching techniques in BGV, for more efficient control of ciphertext dimension and noise magnitude. Brakerski then introduced a scale-invariant leveled FHE scheme (Bra12) without modulus switching. Compared with previous LWE-based FHE schemes, Bra12 is simpler, and ciphertext noise magnitude grows by a constant multiplicative factor as homomorphic operations proceed, instead of exponentially. However, in all of these schemes, the complex process of key switching (or relinearization) still introduces a huge computational cost, which is unattractive in practice.

In 2013, a new leveled FHE scheme, known as GSW, was proposed by Gentry, Sahai and Waters [19]. GSW is based on approximate eigenvectors of matrices. The ciphertexts in GSW are square matrices, and homomorphic additions and multiplications are just matrix additions and multiplications, respectively. Therefore, ciphertext dimension always keeps constant and key switching is no longer necessary. Scale-invariance can also be achieved in GSW via the flatten technique; thus modulus switching is also no longer necessary. GSW is simpler and more natural than previous LWE-based FHE schemes. However, matrix multiplication still brings about a high computational cost. Ducas and Miccianico proposed a new FHE scheme with homomorphic NOT AND (NAND) gates [21], which is known as the DM scheme. Homomorphic operations in DM are just ciphertext vector additions, which are very simple operations. However, ciphertexts in DM need to be refreshed after each homomorphic operation, which becomes a bottleneck for the overall efficiency. Although GSW and DM are conceptually simpler than most other FHE schemes, both of them still suffer from efficiency bottlenecks.

Other research works on the construction of LWE-based FHE schemes generally focus on improving the efficiency [22–25] and optimizing the bootstrapping algorithm [26, 27]. In some recent research works, multikey FHE schemes are proposed for secure multiparty computation [31, 32]. However, these schemes involve either key-switching, or ciphertext matrix operations, which are both computationally costing. Some of them are not conceptually simple. Therefore, it is necessary to construct a new FHE scheme with both conceptual simplicity and higher efficiency.

##### 2.2. Applications of Homomorphic Encryption Schemes

As homomorphic encryption supports operations on encrypted data, it is definitely more powerful than traditional encryption techniques and has a vast area of applications. In recent years, with the wide adoption of cloud storage and cloud computation in real-world applications, there have been many applications of homomorphic encryption schemes on privacy protection in the cloud.

Searchable encryption is a basic application of homomorphic encryption, where users can execute secure queries on encrypted data. The query results are obtained through homomorphic operations between the encrypted query and the encrypted data. A lot of researchers have proposed secure information retrieval schemes based on homomorphic encryption [33–36]. Meng Shen et al. proposed a graph encryption scheme which makes use of SWHE and enables approximate Constrained Shortest Distance (CSD) querying over encrypted graph [37]. Another common application of homomorphic encryption schemes is secure e-voting, where the ballots of voters are encrypted and homomorphic operations are performed on these data [38–41]. The property of homomorphic encryption makes it possible to tally all encrypted ballots without accessing the plaintext content of any individual ballot; thus voter’s privacy is protected. Recently, with the rapid development of artificial intelligence and machine learning, privacy protection in machine learning has also drawn the attention of many researchers. Many studies on encrypted machine learning have emerged, where homomorphic encryption schemes are adopted for computation on encrypted data. Xiaoqiang Sun et al. implemented three private classification algorithms based on homomorphic encryption [42], which were hyperplane decision-based classification, Naïve Bayes classification, and decision tree classification. M Kim et al. proposed secure logistic regression for biomedical data [43]. There are also lots of research works on secure deep learning based on homomorphic encryption [44–46]. The activation functions in deep learning algorithms are usually approximated as polynomials, which can be homomorphically evaluated by homomorphic encryption schemes. Other recent applications of homomorphic encryption include integrity verification [47, 48], data aggregation [49, 50], and secure multiparty computation [32, 51].

Moreover, homomorphic encryption can be applied in the defense against phishing attack, where user’s personal information is encrypted, and the verification is completed via homomorphic operations. Even if personal information is leaked to the phishing server, nothing can be learned from the encrypted data. Longfei Wu et al. proposed a novel automated lightweight antiphishing scheme for mobile platforms, which is highly beneficial for mobile users [52]. Adopting homomorphic encryption in the scheme would provide an even stronger defense against phishing attacks. With the rise of self-awareness of privacy protection and the development of homomorphic encryption, there will be more and more applications of homomorphic encryption in the future.

#### 3. Preliminaries

##### 3.1. Notations

The mathematical symbols in this paper are shown in Table 1.

##### 3.2. The LWE Problem

LWE is a computational problem over lattices, which is proposed by Regev [28]. For security parameter , let and denote the dimension and modulus of the vector, respectively, and let denote the random distribution on for the random errors. The vector is generated by sampling . For vector and error , output the following LWE instance . The LWE assumption is that the distribution formed by different LWE instances is computationally indistinguishable from the uniform distribution on .

##### 3.3. The Cyclotomic Ring

Let be a power of 2, the -th cyclotomic polynomial is , and the corresponding polynomial ring is . denotes the residue ring of modulo an integer . Each element in is a polynomial with integer coefficients whose degree is at most , and each element in is an element in with all its coefficients modulo . For polynomial , let denote the coefficient vector of the polynomial. And let denote the following matrix: the first column is , and the other columns are the anticyclic rotations of with the cycled entries negated, as shown in

##### 3.4. BitDecomp and Flatten Techniques

Let denote the BitDecomp operation, and let , , . The BitDecomp operation is defined as follows:where is the -th bit in ’s binary representation from the lowest to the highest bit. After BitDecomp, the upper bound of ’s norm goes down from to . Let denote the inverse operation of ; for a vector , the operation is defined as follows:

Let denote the flatten operation; for a vector , is defined as follows:

There is another operation which comes hand in hand with . Let denote the operation , which is defined as follows:An obvious property between and is shown as follows:For a vector , the following property also holds:

It can be observed from (8) that an important advantage of lies in that it makes the coefficients of a vector small, without affecting its inner product with the vector . When the above operations are applied to a matrix, they are performed for each row of the matrix.

#### 4. A Review of GSW and DM Schemes

##### 4.1. The GSW Scheme

GSW is constructed based on approximate eigenvectors of matrices. And homomorphic operations in GSW are just ciphertext matrix operations. GSW is more natural and concise than previous LWE-based FHE schemes which require key switching (or relinearization). The main algorithms in GSW are shown as follows:(i): denote the security parameter and multiplicative depth, respectively. Ciphertext dimension , modulus , and noise distribution are set to guarantee a security level of . Let , , , and parameter set . Sample , let , and output secret key . Sample , let , , and output public key .(ii): for plaintext message , sample ; output ciphertext: where denotes the -dimensional identity matrix.(iii): on input ciphertext pair , output ciphertext As a result of the homomorphic NAND operation, satisfies the following property:where are the plaintext messages in , respectively, and are the corresponding ciphertext noises. Let denote the upper bound of the noise magnitudes in , that is, the upper bound for the norms of . It is obvious that . Actually, as a result of the flatten operation. As , the noise in is upper bounded by , as shown by (11).

The overall algorithm flow of GSW is shown in Figure 1.

##### 4.2. The DM Scheme

DM is a FHE scheme based on a LWE symmetric encryption scheme. Homomorphic operations in DM correspond to ciphertext vector additions. DM is conceptually simple for its simple homomorphic operation. The main algorithms in DM are shown as follows:(i): denotes the security parameter. Integer is the plaintext modulus. Ciphertext dimension , modulus , and ciphertext noise distribution are set to guarantee a security level of . Here for any . Let denote the parameter set . The key is uniformly sampled from : .(ii): the plaintext and ciphertext spaces are , respectively. Sample , , on input plaintext message , and output ciphertext:(iii): on input ciphertexts , and encrypts the plaintext message , output . In particular,

The ciphertext is a ciphertext of with noise magnitude less than , which guarantees correct decryption. Homomorphic NAND operations in DM are completed by a few additions between ciphertext vectors, which are simpler and faster than tensor products or matrix operations in previous schemes. However, ciphertext magnitude would be at least after a further homomorphic operation, then the ciphertext would no longer be correctly decrypted. After each homomorphic operation, ciphertext needs to be refreshed to keep the noise magnitude small.

An efficient ciphertext refreshing algorithm based on Ring-GSW is proposed in DM for reducing ciphertext noise. In the refreshing algorithm, ciphertext and refreshing key are taken as input, and base is used to encode the ciphertext . consists of the following ciphertexts:where and denotes the encryption algorithm in the ciphertext refreshing algorithm. The ciphertext refreshing algorithm is shown as in Algorithm 1, where and denote the initialization and homomorphic addition of the accumulator , respectively. is initialized as an encryption of . When the main loop in Algorithm 1 ends, the underlying plaintext of the accumulator satisfieswhere is the noise in the input ciphertext . As , it is clear that when and when . In other words, extracting the most significant bit (msb) in would yield the plaintext .

During the process in Algorithm 1, the accumulator , along with a switching key and a testing vector , is taken as input. Here , and is the secret key used in the encryption algorithm of the ciphertext refreshing algorithm. The details of are shown in Algorithm 2.

The ciphertext in the step of Algorithm 2 iswhere , is the row of and or . As , is an encryption of . Thus, . After key and modulus switching, is transformed to a ciphertext under key modulo . Under an appropriate parameter setting, the noise magnitude of the refreshed ciphertext would be lower than , and further homomorphic operations can be performed.

The overall algorithm flow of DM is shown in Figure 2, where .

#### 5. Efficient FHE Scheme Based on GSW and DM Schemes

Aimed at the problem of overly frequent ciphertext refreshings in DM, a new FHE scheme (NHE) is proposed to achieve a higher efficiency. The ciphertext matrix operations in GSW and ciphertext vector additions in DM are both applied in our scheme. And the advantage of conceptual simplicity of both GSW and DM is inherited in our scheme. Moreover, our scheme combines the advantage of efficient homomorphic operation in DM with the advantage of moderate growth of noise magnitude in GSW. The whole scheme is briefly shown here, and some related details will be illustrated later.(i): here denotes the security parameter. Modulus , dimension , and ciphertext noise distribution are set to guarantee a security level of . Concretely, is a discrete Gaussian distribution over integers with zero mean and standard deviation . Let denote the parameter set , and let . Sample ; output secret key . Sample , let , , and output public key .(ii): on input plaintext message , output ciphertext(iii): the input ciphertexts correspond to encryptions of , respectively. Each ciphertext is assumed to have an internal attribute indicating the number of homomorphic operations it has gone through. The of any ciphertext is 0 in the beginning and increases by 1 after each homomorphic operation. For such that , homomorphic NAND operation is performed as follows: Then the -th row is extracted from as the ciphertext for the next homomorphic NAND operation. Clearly, . For a pair of ciphertexts such that , homomorphic NAND operation is performed as follows: where is an auxiliary vector such that . The homomorphic operations in (18) and (19) are based on the ideas of ciphertext matrix operations in GSW and ciphertext vector additions in DM, respectively.(iv): the switching key consists of the following ciphertexts: , where is the new secret key. On input ciphertext and the switching key , output ciphertext The above ciphertext is a ciphertext under the new secret key instead of .(v): on input ciphertext , output ciphertext where and . is the final ciphertext after 2 homomorphic NAND operations. The modulus in is transformed from to . Moreover, dimension and modulus of are set to be the same as those of the ciphertexts in DM.

corresponds to the sum of some -dimensional vectors, and corresponds to rounding for each coefficient in a single vector. Both algorithms involve just simple operations, which have no significant effect on the simplicity of our scheme. The overall algorithm flow of our scheme is shown in Figure 3. Here the algorithms and denote the algorithms in (18) and (19), respectively.

##### 5.1. Correctness Analysis

Assuming there are 4 fresh ciphertexts , as shown in Figure 3. Each coefficient of the noise vectors in the above ciphertexts follows a discrete Gaussian distribution with zero mean and standard deviation . According to the property of discrete Gaussian distribution, the probability of each coefficient being in the interval is , which is very close to 1. The probability of the all the noises in being upper bounded by is thus .

It can be learned from (18) that the ciphertext satisfieswhere are the noise vectors in , respectively. As the first coefficients in are and , it is clear that . Let denote the -th row in ; we havewhere . And are the -th coefficient in and the -th row in , respectively. should satisfy the constraint to guarantee correct decryption after the next homomorphic operation.

Assume the ciphertexts in (19) encrypt , respectively, and the ciphertext noises in are , respectively. Clearly, . It is clear thatLet the plaintext spaces of and be and , respectively, as in DM. The noise in the ciphertext is

For each ciphertext in the switching key , we have where . Thus, the ciphertext can be further expressed aswhere . The noise in is

Let denote the error vector brought about by the rounding operation in (21); we haveThe noise introduced by modulus switching iswhere is the subvector extracted from all the coefficients in except the -th coefficient, and is the -th coefficient in . Then the noise of can be expressed as

According to (11), the upper bounds for are both , where is the upper bound of the fresh ciphertexts generated in (17). Under an appropriate parameter setting, we further haveThen it can be learned from (26), (31), and (32) that the noise magnitude in satisfies

All the random noises are drawn from an identical discrete Gaussian distribution. The discrete Gaussian distribution can be considered as the corresponding continuous Gaussian distribution with all the instances rounded down to the nearest integer. Assuming random real numbers are generated from a continuous Gaussian distribution with zero mean and standard deviation , their sum also follows a Gaussian distribution with zero mean and standard deviation . The probability of the above sum lying in the interval satisfies . As the downward rounding has an error magnitude of at most , we haveUnder an appropriate parameter setting, we havewhere is a very small positive number.

For vectors which are independently and uniformly sampled from , it is clear that also follows a uniform distribution over . And each coefficient in follows the uniform distribution over the following set:where . The uniform distribution over can be considered as the continuous uniform distribution over with all the instances rounded up to the nearest element in . Let denote the sum of independent random real numbers from the uniform distribution over . The probability density function of is given bywhere and is the number of combinations when choosing items from items. Thus, the corresponding cumulative distribution function is

Let denote the probability of lying in the interval ; we havewhere is a positive integer. For independent random real numbers from the uniform distribution over , is the probability of their sum lying in the interval . Let be the lowest probability among . would be close to 1 as long as is sufficiently large. And the absolute value of the above sum can be considered as upper bounded by . When the above independent random real numbers are rounded up to the nearest element in , an extra error is introduced. The absolute value of the error is upper bounded by . As long as is sufficiently small, the following is satisfied:where is another very small positive number. Thus we haveAccording to the requirement for correct decryption, should satisfyWhen is sufficiently large, is still guaranteed to be close to 1 even if is under the above constraint. According to (33), the upper bound of noise magnitude in the ciphertext isThen we have , and correct decryption is guaranteed. The ciphertext can be refreshed using the ciphertext refreshing algorithm in DM, and further homomorphic operations can be performed.

Therefore, the correctness of our scheme lies in that the three incidents corresponding to the probabilities are all true. The error rate of our scheme is .

##### 5.2. Security Analysis

We first give a formal definition for the threat/security model of indistinguishability under chosen plaintext attack (IND-CPA) and then conduct a security analysis for our scheme in line with the model. The IND-CPA threat/security model is defined as the following challenge-guess game between the challenger and the adversary:(i)**Initialization.** The challenger runs the Keygen algorithm to obtain the public and private keys, , and sends the public key to the adversary .(ii)**Challenge.** The adversary selects a pair of plaintexts and sends them to the challenger. The challenger randomly selects a plaintext such that , encrypts the plaintext: , and then sends the ciphertext to the adversary .(iii)**Guess. **The adversary guesses the plaintext on receiving ciphertext and outputs plaintext . If , then the adversary wins the game.

Let denote the index of the adversary’s output plaintext on receiving ciphertext . The adversary’s advantage is defined as the difference between the probabilities that the adversary guesses and , as shown in (44)The scheme is IND-CPA secure if for any polynomial time adversary , the adversary’s advantage is negligible: .

Generally, the ciphertexts in homomorphic encryption schemes are stored outside the local storage. Thus, the storage providers, such as cloud service providers and remote servers, might be the direct potential adversaries. Moreover, there are eavesdroppers who are trying to steal the stored data. And there may be coconspirators with an untrusted storage provider who get the stored data from the untrusted storage provider. They might also be the potential adversaries. In our scheme, both the public key and ciphertexts can be revealed to them.

Thus, it is common for the adversaries to conduct chosen plaintext attacks (CPA). The IND-CPA security of our scheme is analyzed as follows.

It can be learned from (17) that, for the initial ciphertext , we have where . As can be transformed to via BitDecomp, is secure if effectively hides the plaintext [19]. The matrix consists of independent LWE instances where .

Suppose a polynomial time adversary participates in the challenge-guess game as described above. If achieves nonnegligible advantage in the game, then the LWE problem can be solved with equivalent advantage. According to the LWE assumption, no polynomial algorithm can solve the LWE problem with nonnegligible advantage. Thus, the adversary’s advantage should be negligible. Our scheme is IND-CPA secure with respect to the initial ciphertexts. For a final ciphertext , it can be regarded as a ciphertext from a LWE symmetric encryption scheme with secret key . In this case, the challenger in the challenge-guess game retains the secret key and performs encryption using the secret key. Following the above analysis, it is easy to show that our scheme is also IND-CPA secure with respect to the final ciphertexts. Therefore, our scheme achieves IND-CPA security under the LWE assumption.

##### 5.3. Applicability Analysis

In general, our scheme supports arbitrary operations on encrypted data; it is universally applicable for privacy-preserving computations in the real world, such as financial and medical data analysis. The underlying plaintexts in each homomorphic NAND operation in our scheme are a pair of bits, which are at the lowest level of data granularity. Thus, our scheme is highly flexible and extensible and can be adjusted to various kinds of computations on encrypted data. As our scheme is conceptually simple, it can be easily implemented, deployed, and maintained in real-world applications. Furthermore, the efficiency of our scheme is relatively high, and the efficient ciphertext refreshing algorithm in DM can be utilized in our scheme for efficient computation on encrypted data in real-world applications.

#### 6. Performance Comparison

In this section, the homomorphic operations in DM, GSW, and our scheme are performed twice on a depth-2 binary circuit with NAND gates. We first present an analysis for the computational costs and error rates of the three schemes. Then based on the above analysis, we present a comparison for the three schemes in terms of computational costs and error rates. To avoid name clashes, the parameters in each scheme are all local to the scheme and apply only to the scheme.

##### 6.1. Computational Cost of DM

For a pair of fresh ciphertexts , the number of additions needed in the homomorphic operation in (13) is

It can be learned from that is performed times. The operation in can be simplified as the multiplication between the row in and the ciphertext .

The above multiplication needs 2 inner products between a pair of -dimensional vectors in . The fast Fourier transform (FFT) of the coefficient vector of each polynomial in with maximum degree can be represented as a vector in where . Inner product between a pair of vectors in needs additions and multiplications on complex numbers. Each multiplication on complex numbers needs 4 multiplications and 2 additions on real numbers, and each addition on complex numbers needs 2 additions on real numbers. As multiplication generally takes a longer time than addition, each multiplication on complex numbers needs at least 6 additions. Therefore, the number of additions needed in is at least

The key switching in the step of Algorithm 2 needs additions on -dimensional vectors. Here and is the base for encoding ciphertexts, as illustrated in DM [21]. Thus the total additions needed in key switching is

The number of additions needed in the next homomorphic operation is the same as (45). As some other steps are omitted here, a lower bound is obtained for the number of needed operations. According to (45)~(47), the number of additions needed in DM is at least

##### 6.2. Computational Cost of Our Scheme

For fresh ciphertexts , the first homomorphic NAND operation in (18) can be simplified aswhere are the -th rows of the matrices , respectively. Let denote the submatrix extracted from the -th to the -th rows and columns of . It is clear that each coefficient in follows a uniform distribution over . Let denote the subvector extracted from the -th to the -th coefficients in . It is clear that each coefficient in also follows a uniform distribution over .

Let denote the number of additions needed in the multiplication between and the -th column in , . For the above operation, we need to add 1 to the intermediate result only when both coefficients being multiplied are nonzero. Thus, the probability of needing 1 addition for the multiplication between each pair of coefficients is . Thus follows the binomial distribution . Let denote the probability of being no more than . And let denote the probability that is no more than for each . When is sufficiently large, both and would be close to 1, the multiplication between and each column in can be simplified as at most additions.

For the multiplication between the other coefficients in and , an upper bound for the number of needed additions can be derived assuming 1 addition for each corresponding coefficient pair:

Considering the substraction between and , an upper bound for the number of needed additions in the homomorphic NAND operation is obtained:

In the following operation, is performed followed by a operation. In , multiplying a power of 2 is just a shift operation, which generally takes less time than addition. Regarding each shift operation as an addition, an upper bound for the amount of computation can be derived. According to (3), shift operations and additions are needed in total in the operation. In the following operation, 2 shifts and 1 addition are needed for each bit generated from . The 2 shifts correspond to shifting right then left by 1 bit each, and the addition corresponds to the subtraction between the original data and the data after the 2 shifts. The amount of computation needed for generating each bit in is upper bounded by 3 additions. Thus the number of additions needed in the flatten operation is upper bounded by the following:

According to (19), the number of additions in the homomorphic NAND operation isAnd the following operation again needs at most additions. According to (20), the number of additions needed in key switching is

As , modulus switching for each coefficient in the vector is just the process of shifting right for bits and then adding 1 or 0 to the lowest bit before the binary point. Thus the amount of computation in modulus switching for each coefficient can be represented as 2 additions. The number of additions needed in modulus switching is

Therefore, the number of additions needed in our scheme is upper bounded by

##### 6.3. Computational Cost of GSW

In GSW, as the ciphertext needs to maintain the matrix structure in the homomorphic operation, the homomorphic operation should be performed as matrix operation. The encryption algorithm of GSW is modified as that in our scheme for a better contrast. The computational cost for the multiplication between each row of a matrix and another matrix is shown in (51). And the computational cost of the homomorphic operation in GSW is omitted here. A lower bound is then obtained for the computational cost of GSW. From (51), it can be learned that the computational cost of GSW is at least

##### 6.4. Performance Comparison among DM, GSW, and Our Scheme

###### 6.4.1. Parameter Configuration

For convenience, the modulus in each of the above schemes is set to be a power of 2. The parameters in DM are initially set identical to the corresponding simulation parameters in the original DM scheme [21]. The secret key in DM is uniformly sampled from . For the binary LWE problem, the dimension should increase to to ensure equivalent security level as the standard LWE problem [53, 54]. The adversary’s advantage is set to for all the schemes. For a LWE problem with modulus , dimension , and discrete Gaussian noise distribution with Gaussian parameter , the following should be satisfied to guarantee a security level of [55]:

According to (58) and the simulation parameters, it can be learned that DM guarantees a security parameter of . When changes, the modulus is kept unchanged, and the dimension is set as the smallest integer which guarantees a security level for the ciphertext. The error rate for each homomorphic operation in DM can be derived according to the standard deviation of the Gaussian noise in the refreshed ciphertext [21]. Specifically, is the probability that the ciphertext noise magnitude does not exceed . For depth-2 binary circuit with NAND gates, the error rate of DM is

For our scheme, the final modulus and dimension are set to be the same as those in DM. The standard deviation of the Gaussian noise is set to . The modulus and dimension of the initial ciphertext are set according to (32) and (58). Meanwhile, they are set to be as small as possible for efficient operations. is the upper bound for the number of additions needed in the multiplication between and each column in , as illustrated in Section 6.2. Here is set to be as small as possible under the constraints , where are the probabilities illustrated in Section 6.2. Thus (51) holds and the computational cost of our scheme is made as low as possible. When the security parameter changes, the final modulus is kept unchanged, and the final dimension is set as the smallest integer which guarantees a security level for the final ciphertext. In order to lower the error rate of our scheme, are set to be as small as possible under the constraints in (35) and (40). Thus is made larger under the constraint (42), which promotes the probability . As discussed in the end of Section 5.1, the error rate of our scheme is

For the GSW scheme, the standard deviation of the Gaussian noise is also set as , as in our scheme. And modulus and dimension are set as small as possible under the constraint of correct decryption after 2 homomorphic NAND operations. Meanwhile, the ciphertext should guarantee a security level of . As long as the noise of the initial 4 ciphertexts are upper bounded by , decryption of the final ciphertext would be correct. Therefore, the error rate of GSW is