Recent Advances in Information SecurityView this Special Issue
Research Article | Open Access
Zhigang Chen, Jian Wang, Liqun Chen, Xinxia Song, "A Regev-Type Fully Homomorphic Encryption Scheme Using Modulus Switching", The Scientific World Journal, vol. 2014, Article ID 983862, 12 pages, 2014. https://doi.org/10.1155/2014/983862
A Regev-Type Fully Homomorphic Encryption Scheme Using Modulus Switching
A critical challenge in a fully homomorphic encryption (FHE) scheme is to manage noise. Modulus switching technique is currently the most efficient noise management technique. When using the modulus switching technique to design and implement a FHE scheme, how to choose concrete parameters is an important step, but to our best knowledge, this step has drawn very little attention to the existing FHE researches in the literature. The contributions of this paper are twofold. On one hand, we propose a function of the lower bound of dimension value in the switching techniques depending on the LWE specific security levels. On the other hand, as a case study, we modify the Brakerski FHE scheme (in Crypto 2012) by using the modulus switching technique. We recommend concrete parameter values of our proposed scheme and provide security analysis. Our result shows that the modified FHE scheme is more efficient than the original Brakerski scheme in the same security level.
A fully homomorphic encryption (FHE) scheme allows arbitrary functions on certain data (referred to as plaintexts) to be performed via their ciphertexts (the encrypted version of the plaintexts) without decrypting the ciphertexts first; therefore, performing these functions does not require one to hold the secret decryption key corresponding to the encryption algorithm. This cryptographic primitive has shown a variety of attractive applications both in theory and in practice. A typical application example is to outsource a computational job to a mistrusted remote server without compromising data privacy.
Since Gentry constructed the first FHE scheme in 2009 , a number of FHE schemes including various optimizations of the Gentry original scheme have been proposed. Gentry and colleagues developed several FHE schemes with different improvement, for example, [2–6]; one of them is how to bootstrap “packed” ciphertexts . Smart and Vercauteren modified the Gentry scheme with the purpose of reducing the key and ciphertext sizes . Stehlé and Steinfeld provides two improvements, respectively, on more aggressive analysis and probabilistic decryption algorithm in order to make the Gentry type of FHE schemes faster . Brakerski et al. made a number of important contributions to this research field, such as [9–13], the details of which will be discussed more in the late part of this paper. Furthermore, van Dijk et al. proposed a new FHE construction over the integers , and Coron et al. further suggested on how to optimize this idea with shorter keys [15, 16]. López-Alt et al. constructed a multikey FHE scheme, which allows multiple ciphertexts under different keys to be decrypted jointly . Alperin-Sheriff and Peikert introduced a method to achieve practical bootstrapping in Quasilinear time .
One critical challenge when constructing a FHE scheme is managing the noise growth in the process of homomorphic additions and multiplications. To our best knowledge, so far, there exist three techniques to manage the noise growth as follows.
The first technique is bootstrapping that was used in the first FHE scheme introduced by Gentry. Bootstrapping means to evaluate its own decryption circuit homomorphically. One can use a bootstrapping process to get a new ciphertext after each homomorphic addition or homomorphic multiplication. The noise level in the new ciphertext is maintained in a fixed level. As long as this noise level permits, one can handle the next homomorphic addition or multiplication. By recursing this process a leveled FHE scheme can be developed, and the number of levels (although say the depth of the levels) for a computational circuit could be arbitrary with an assumption of circular security. A FHE scheme with the property of having an arbitrary depth of leveled circuits is referred to as a “pure” FHE scheme.
The second technique is modulus switching. This technique was developed by Brakerski and Vaikuntanathan in  and improved in . The main idea of modulus switching is to scale down the ciphertext vector over or a factor after each multiplication, which results in a new ciphertext vector over . A scaling process switches the first modulus to the second modulus and also reduces the noise in the ciphertext vector to the new noise in the new ciphertext vector . By following this process, the absolute magnitude of the new noise in the new ciphertext actually decreases. Modulus switching therefore can be used to manage noise at the cost of sacrificing the size of modulus. A leveled FHE scheme without bootstrapping can be achieved by modulus switching. In this technique, the depth of leveled computational circuits is prearranged before the computation starts. The depth is presented as a polynomial. For any prearranged polynomial denoted by , one can evaluate circuits of depth by carefully choosing the ladder of decreasing modulus.
The third technique is called Flatten, developed by Gentry et al. in . It is designed for the case that an encryption key is presented as a vector and a ciphertext is presented as a matrix. It makes the coefficients of a vector or matrix small by using a flattening technique.
Among the three techniques for noise management, bootstrapping is a general technique that can be used to manage noise in any FHE scheme, but it is very costly! The technique of Flatten is only used in the case where ciphertexts are matrices and the secret keys are vectors. Modulus switching is a lightweight and very powerful way to manage noise and one can efficiently evaluate an arithmetic circuit with an arbitrary polynomial size without resorting to bootstrapping. In this paper, we will focus on modulus switching for noise management and consider the case that ciphertexts and the secret keys are both vectors.
In terms of noise growth, the noise grows from to with every multiplication in most of the existing FHE schemes, where denotes the noise magnitude in ciphertext. However, in the FHE scheme  by Brakerski in 2012 (we call it Bra12 for short), each homomorphic multiplication does not square the noise, and instead of the noise grows from to poly after each homomorphic multiplication. From this point of view, it looks like that the Bra12 scheme is more efficient, but in fact it is not true. Since the Bra12 scheme makes use of bootstrapping to manage noise, it requires modulus must be big in order to achieve the result that the scheme has a circuit with enough depth to evaluate its own decryption circuit, for example, . The security of the scheme depends on the ratio , where is an initial magnitude of noise; therefore, cannot be small. These reasons result in the secret key sampled uniformly from rather than from the error distribution in the Bra12 scheme. In addition, the noise mainly depends on one norm of writing as in homomorphic multiplication in the Bra12 scheme. In order to reduce the noise, the scheme uses binary decomposition of the secret key to reduce the norm . This means that a ciphertext under the key is converted into a new form of ciphertext, denoted by under key . Although the new form of the ciphertext and the secret key can effectively reduce the noise, it increases the dimension of ciphertext and the secret key. In particular, the dimension of the ciphertext and secret key can further blow up in homomorphic multiplication and key switching, which lead to a fatal result when evaluating deep circuits, since it may need too much memory to compute. This feature considerably affects efficiency in the Bra12 scheme.
In this paper, we use modulus switching and an additional technique to improve the efficiency of the Bra12 scheme. Our scheme has the following properties:(1)There is lower dimension of the ciphertext and the secret key in homomorphic multiplication and key switching than in the Bra12 scheme. The ciphertext for homomorphic multiplication is defined as that corresponds to the secret key in our scheme, while the ciphertext for homomorphic multiplication is defined as that corresponds to the secret key in the Bra12 scheme.(2)The secret key is sampled from a Gaussian distribution in our scheme, which can enable us to get small coefficients of . In the Bra12 scheme, the secret key is sampled uniformly from .(3)Our scheme uses modulus switching to manage noise, while the Bra12 scheme uses bootstrapping to manage noise.(4)In our scheme the initial modulus is that for every , while in the Bra12 scheme the modulus is that . The small modulus makes our scheme considerably efficient.For a FHE scheme using modulus switching, it is very important to choose a ladder of gradually decreasing moduli . However, so far there has not been a concrete method to tell how to choose these parameters in terms of a certain security level, even in the BGV scheme  that just provided a general method to choose moduli . In this paper, we provide a solution to this problem. We first derive a function between the lower bound on the dimension of the LWE problem and the security level. Then we can choose every concrete modulus and other parameters for a certain security level (e.g., the security level is 80 bit) according to this function.
The rest of this paper is organized as follows. Section 2 defines notational conventions, introduces the LWE assumption, and defines homomorphic encryption and its related terms. Section 3 introduces the Regev encryption scheme that our scheme is based on and defines invariant structure. There is a minor change in the Regev encryption scheme that we describe here. We sample the secret key from a Gauss distribution rather than sample uniformly from in the Regev encryption scheme. Section 4 analyzes the homomorphic properties by the opinion of invariant structure and the noise growth in homomorphic addition and multiplication. Section 5 introduces key switching and modulus switching. Our FHE scheme based on the modified Regev encryption scheme is presented in Section 6. We analyze how to enable the correctness of our scheme in Section 7. The security and the parameters of our scheme are presented in Section 8. We conclude the paper with a performance comparison between our scheme and the Bar12 scheme in Section 9.
2.1. Basic Notation
For an integer , we define the set . For any , let denote the unique value . We use to indicate rounding to the nearest integer, and , (for ) to indicate rounding down or up. When is not a power of two, we will use to denote .
We use to denote that is a sample from a distribution . We define -bounded distributions as ones whose magnitudes never exceed .
The inner product of two vectors , of dimension is denoted by , recalling that . The tensor product of two vectors of dimension , denoted by , is the dimensional vector containing all elements of the form . Note that .
A lattice is defined as the set of all integer combinations of linearly independent vectors in . The set of vectors is called a basis for the lattice. A basis can be represented by the matrix . The determinant of a lattice is the absolute value of the determinant of the basis matrix .
-ary lattices are most important in lattice-based cryptography. Given a matrix for integers , , , there are two kinds of -dimensional -ary lattices The two kinds of -ary lattices are dual to each other, namely, and .
2.2. Learning with Errors (LWE)
The learning with errors (LWE) problem was introduced by Regev . This problem was later generalized as the ring learning with errors (RLWE) problem by Lyubashevsky et al. . For security parameter , let be an integer dimension, let be an integer, a vector , and let be a distribution over . Let be the distribution obtained by choosing a vector from uniformly at random and a noise term , and outputting . The LWE problem includes the search-LWE problem and the decision-LWE problem. The search-LWE problem is giving an arbitrary number of independent samples from , output with a high probability. We are primarily interested in the decision-LWE (DLWE) problem for cryptographic applications. The DLWE problem is defined as follows.
Definition 1 (DLWE). For an integer and an error distribution over , the decision-LWE problem, denoted by , is to distinguish the following two distributions: in the first distribution, one sample from ; in the second distribution, one sample uniformly from . The assumption is that solving is computationally infeasible.
Two kinds of reductions are known, namely, the quantum reduction  and classical [22, 23] reduction, between and approximating short vector problems in lattices. Particularly, a probability distribution is taken to be the Gaussian distribution, which is statistically indistinguishable from the -bound distribution for an appropriate value .
Note that the DLWE problem can be seen as a bound distance decoding problem in -ary lattices. The second component of LWE instance can be seen as a perturbed lattice point in , to be decoded.
We now state the quantum reduction from worst-case lattice problems to the LWE problem introduced in .
Theorem 2. For any integer dimension , prime integer , and , there is an efficiently samplable -bound distribution such that if there exists an efficient (possibly quantum) algorithm that solves , then there is an efficient quantum algorithm for solving -approximate worst-case SIVP and gapSVP.
There are other forms of (see [24, 25]). In addition, if the vector is sampled from the distribution , then the LWE problem is still hard. We sample from the Gaussian distribution in our scheme.
2.3. Leveled Fully Homomorphic Encryption
At present, there are two types of fully homomorphic encryption schemes. One is leveled fully homomorphic encryption schemes, in which the parameters of a scheme depend on the depth of the circuits that the scheme can evaluate. In that case any circuit with a polynomial depth can be evaluated. The other is pure fully homomorphic encryption schemes, which can be built from a leveled fully homomorphic encryption scheme with the assumption of circular security. A pure fully homomorphic encryption scheme can evaluate the circuit whose depth is not limited. The following definitions are taken from .
Definition 3 (-homomorphism). A scheme HE is -homomorphic, for , if for any depth arithmetic circuit (over GF(2)) and any set of inputs, , it holds that where and .
Definition 4 (compactness, full homomorphism, and leveled full homomorphism). A homomorphic scheme is compact if its decryption circuit is independent of the evaluated function. A compact scheme is fully homomorphic if it is -homomorphic for any polynomial . The scheme is leveled fully homomorphic if it takes as additional input in key generation.
3. The Basic Encryption Scheme
As same as the Bra12 scheme, our scheme is based on Regev’s encryption scheme . We now describe the Regev encryption scheme, but we sample the secret key from a Gauss distribution while it was sampled uniformly from in the Regev encryption scheme. This modification allows us to achieve our goal that the error distribution can be set to be as small as possible in our scheme. We call this modified Regev encryption scheme the basic encryption scheme.
Let be the dimension of lattice, an odd modulus , and an error distribution . The basic encryption scheme is described as follows.: sample . Output . : let (). Sample and . Compute . Set to be the -column matrix consisting of followed by the columns of , namely . Note that . Set the public key . : to encrypt a message , set , sample , and output . : output .The basic encryption scheme above is semantic security based on the hardness of the LWE problem. The proof of this statement follows the proof of security of the original Regev encryption scheme given in .
A FHE scheme needs to maintain an invariant structure in decryption that is composed of plaintext and noise. The scheme must keep the invariant structure in the process of homomorphic addition and homomorphic multiplication in order to achieve homomorphism. Next, we define the invariant structure in the above basic encryption scheme and explain the relationship between the correctness of decryption and the noise magnitude in ciphertext.
Lemma 5. Let and be two vectors such that where . If , then we have .
Proof. By definition
Since the coefficients of are taken from a Gaussian distribution , is also subject to a Gaussian distribution according to the standard fact from the Gaussian distribution. The Claim 5.2 in  showed that with high probability. Consider an encryption of 0 now; it is closer to 0 than to in this case and therefore the decryption is correct. The proof for an encryption of 1 is similar.
The term is called the noise. is called the invariant structure. The above Lemma 5 shows that the invariant structure will be hold as long as , which can ensure the correctness of decryption. Note that it is very important to keep the invariant structure in ciphertexts generated in homomorphic evaluation.
4. Homomorphic Properties and Noise Analysis
We take the definition of homomorphic addition and homomorphic multiplication from the Bra12 scheme, but here we analyze the homomorphic properties of the above scheme by the approach of the invariant structure. Now we analyze the noise growth in the homomorphic addition and multiplication.
Let and be two ciphertexts under the same secret key for modulus such that for some and .
4.1. Homomorphic Addition
Let . If the invariant structure can be held during the decryption of for some , the decryption would be correct such that homomorphic addition is obtained.
By definition Let . According to the Lemma 5, if , then . It also means that the invariant structure can be kept in the decryption of . We note that the noise term of output is the sum of input noises.
4.2. Homomorphic Multiplication
Multiplicative homomorphism cannot be straightforwardly achieved. We need to construct a form of the two input ciphertexts to represent the homomorphic multiplication such that we can get the product of the two plaintexts with respect to the input ciphertexts after decrypting the homomorphic multiplication. For this purpose, we now focus on the invariant structure in the process of decryption. If the invariant structure for some is kept in the decryption of the homomorphic multiplication, we could achieve multiplicative homomorphism. Next, we describe how to achieve multiplicative homomorphism by the approach of the invariant structure.
Consider the multiplication of and now, we have: In order to keep the invariant structure , we multiple the above equation by : where .
The invariant structure appears in (8). Since , multiplicative homomorphism is achieved by tensoring the input ciphertext . We note the ciphertext is fraction. For the sake of simplicity, we round the ciphertext for multiplication to the nearest integer ciphertext , which will bring out an error . Thus we get Plugging (8) into above equation, we have where and . The noise is in the ciphertext for multiplication. Particularly, the significant noise term of is , which is not like the many previous FHE schemes whose homomorphic multiplication operation squares the noise.
The ciphertext for multiplication can thus be defined as that can be decrypted using a tensored secret key . The invariant structure in the decryption of the homomorphic multiplication is . If , according to Lemma 5, the invariant structure can be kept such that the correctness of decryption can hold. So we have , where is . So far, we have finished the construction for the ciphertext for multiplication. We have achieved homomorphic addition and homomorphic multiplication. However, the noise growth is caused in the homomorphic addition and homomorphic multiplication.
The problem of noise growth in the homomorphic evaluation affects directly the homomorphic ability of the above basic encryption scheme, so it is critical to manage noise growth for constructing the FHE scheme. Before we solve the problem of noise growth, we in the next subsection analyze the noise growth in a homomorphic addition and homomorphic multiplication. Note that our analysis method for the noise growth is different from the one used in the Bra12 scheme, as the secret key is sampled from a Gaussian distribution which results in the secret key is -bounded. In addition, we give a tighter noise analysis than it in .
4.3. Noise Analysis
Lemma 6. Let be parameters as described in the basic encryption scheme. Let , be the ciphertexts under the secret key such that with .Then where , .
Analysis for Addition. By definition Then we get .
Analysis for Multiplication. By (10) We first analyze the bound of . The magnitude of mainly depends on the term , so we check the bound of the absolute value of (the same bound also holds for ): The absolute value of depends on from above inequality, then the bound of is . The tighter bound is described as follows: Next, we analyze the bound of . According to the definition of an error and the secret key sampled from a -bounded Gaussian distribution, we get and . Then Putting these together, we get We see that the significant noise term in the homomorphic multiplication depends on from Lemma 6, which also happens in the Bra12 scheme. In order to reduce the norm, the secret key is expressed in the form of binary, namely, , then the ciphertext corresponding to the is expressed in . The side effect is to produce the ciphertext vector and the secret key vector of a high dimension. In particularly, the ciphertext is the form of under the key after homomorphic multiplication, which results in a large amount of computation that requires a large memory. The process cannot be practical. However, our scheme does not have this result. Since we sample the secret key from a Gaussian distribution that enables the coefficients of the secret key to be as small as possible, the secret key needs not to be expressed in the form of binary, so the ciphertext. That is the reason why it can improve performance.
Under the above definition of homomorphic addition and homomorphic multiplication, we can perform only a bounded number of homomorphic operations (namely, a somewhat homomorphic encryption scheme), because the noise and the dimension grow as a result of performing homomorphic operations. Therefore, there are two problems that should be solved in order to achieve a FHE scheme based on the somewhat homomorphic encryption scheme.
First, we need to control the dimension of the ciphertext that increases from to after a homomorphic multiplication. We use the key switching technique to solve this problem.
Second, we need to manage the noise growth in homomorphic operations. We use modulus switching to solve this problem.
5. Key Switching and Modulus Switching
We describe the two techniques: key switching and modulus switching. Our notation is adopted from .
5.1. Key Switching
Key switching can transform a ciphertext under a secret key to a new ciphertext under a secret key , in which and encrypt the same message. If the dimension of and is lower than the dimension of and , the dimension of the key and ciphertect vectors is reduced by key switching.
Key switching consists of two procedures. The first procedure is denoted by , which takes as input the two secret key vectors, the respective dimension of these vectors, the corresponding modulus , and outputs some auxiliary information that is a matrix. The second procedure is denoted by , which takes as input the auxiliary information , a ciphertext , and its dimension , the dimension of the output ciphertext , and the modulus , and outputs a new ciphertext whose dimension is . :(1)Run for , namely, .(2)Set , which means to add the to ’s first column and add to ’s second column. Output . : output .Key switching is essentially the product of a high dimension vector and a high dimension matrix. Next, we describe the correctness of key switching; namely, the decryption of the new ciphertext can preserve correctness. The proof is based on the definition (see ).
Lemma 7. Let be parameters as described in and have . Let and . Then,
5.2. Modulus Switching
Definition 8 (Scale). For integer vector and integers , we define to be the vector closest to that satisfies .
The next lemma shows that it is possible to transform a ciphertext that encrypts under key for modulus into a ciphertext that encrypts under the same key for modulus . Since our basic encryption scheme is different from the basic scheme in the BGV scheme , the proof of Lemma 9 is slightly different from the proof in .
Lemma 9. Let , be odd and . Let and . Then, for any , if and , with , we have
Proof. By , we have for some . For the same , let . Next we just prove in order to prove .
Since , where , we have We thus have and .
Since mod and , we have mod mod . By definition, . Since and 2 are coprime, it follows that . Modulo 2, we have . We thus get mod 2.
The following corollary follows immediately from Lemma 9.
Corollary 10. Let and be two odd moduli. Let be a ciphertext under the key for the modulus , where . Suppose that is a completely short key, and assume that . Then we have , where is a ciphertext that encrypts the same message under the key for the modulus , namely, . The noise of the new ciphertext has magnitude at most .
Since the noise magnitude in the ciphertext depends on the length of the key vector , we must make the length of the key vector short in order to use modulus switching to reduce the magnitude of the noise. For this purpose, we sample the key from Gaussian distribution that is set to be as small as possible.
6. A Regev-Type FHE Scheme Using Modulus Switching
Next, we use modulus switching to construct a Regev-type FHE. This scheme is a leveled FHE scheme, in which the th level needs a modulus . The parameters in our scheme includes a ladder of decreasing modulus (), where a parameter indicates the depth that a circuit can be evaluated. It is very important to choose reasonable modulus from to , and we will focus on the details on how to choose reasonable modulus in Section 8. Since the magnitude of is related to the security parameter and different circuit depths result in different magnitude values of , the performance of our scheme depends on the security parameter and the circuit depth . : input the security parameter and the circuit level , output a ladder of decreasing modulus (), the noise distribution , and the dimension . Note that and are the same as in the previous basic encryption scheme. : For down to 0, do the following.(1)Run . Let .(2)Run . Let ().(3)Set .(4)Run . (Omit this step when .) Let (). Then output and . : take a message . Run . : assume that is a ciphertext under the secret key . Run . : input two ciphertexts , under the same secret key . If the two secret keys are different, we can use FHE.Refresh to refresh the two ciphertexts to the new two ciphertexts under the same secret key. Then, output . : input two ciphertexts , under the same secret key . If the two secret keys are different, we can use FHE.Refresh to make it so. Compute , and the relative secret key is . Then, output . : input ciphertext under the secret key for modulus . is the auxiliary information for key switching. The current and next modulus are and . Do the following.(1)Key switching: comput , a ciphertext under the key for .(2)Modulus switching: compute , a ciphertext under the key for .In order to enable the correctness of the above leveled FHE scheme, we must choose the correct parameters. Next, we describe how to enable the correctness of this scheme.
The correctness of the above leveled FHE scheme comes from the correctness of each step in homomorphic operations, that is, each step in FHE.Add and FHE.Mult. If the noise magnitude in ciphertext is below or after each step in homomorphic operations, correct decryption is guaranteed.
7.1. The Initial Noise
The initial ciphertext is output by FHE.Enc that just invokes E.Enc.
Lemma 11. Let , , be the parameters associated with FHE.Enc. is a -bounded Gaussian distribution. The length of the noise in ciphertexts output by FHE.Enc is at most . If , correct decryption is guaranteed.
Proof. shows that , where . We have , where and . Then we get According to Lemma 5, if , then correct decryption is guaranteed.
7.2. The Correctness of Homomorphic Operations
Lemma 12. Let and be two ciphertexts under for , where and with , . Let . The noise magnitude of is at most . If , we have ; namely, can be correctly decrypted.
Proof. The proof can be obtained easily from Lemma 6.
The procedure of FHE.Mult consists of three steps, namely, the multiplication, and then the key switching and modulus switching. Next, we analyze the correctness of each step.
Lemma 13. Let and be two ciphertexts under for , where and with , . Let , and let . The noise magnitude of is at most . If , we have ; that is, can be correctly decrypted.
Proof. The proof can be obtained easily from Lemma 6.
We note that the noise after multiplication is rather than like in many of the previous FHE schemes.
Lemma 14. Let be a ciphertext under for , where with . Let . The noise magnitude of is at most . If , we have ; namely, can be correctly decrypted.
Proof. By Lemma 7 where and . If , we have ; namely, can be correctly decrypted.
Lemma 15. Let be a ciphertext of dimension under for , where with . Let , The noise magnitude of is at most . If , we have ; that is, can be correctly decrypted.
Proof. By Corollary 10 If , we have .
8. Security and Parameters Settings
For a FHE scheme using modulus switching, it is most important to set up a reasonable ladder of decreasing modulus. The size of modulus is related to the dimension of the LWE problem and the circuit depth . Furthermore, the underlying security parameter is related to the dimension of the LWE problem. However, it does not provide the concrete connection between the underlying security parameter and the dimension of the LWE problem in Regev’s paper, nor the concrete parameters setting on its encryption scheme. It also does not provide the concrete method to set a concrete ladder of decreasing modulus based on a concrete security level and other parameters in the BGV scheme, even though BGV scheme is the first FHE scheme using modulus switching.
In this section, we will analyze the function between the lower bound in the dimension of the LWE problem and the security level. Then we will give the method how to set the concrete ladder of decreasing modulus based on a certain security level and other parameters in our scheme.
8.1. The Dimension of the LWE Problem and the Security Level
In order to estimate the hardness of LWE for a concert set of parameters, we first consider the distinguishing attack LWE; namely, the adversary distinguishes (with some noticeable advantage) an LWE instance from uniformly random, which can result in that the semantic security of an LWE-based cryptosystem is to be broken with the same advantage. Given a point that is either LWE instance or uniformly random. In order to do this attack, the adversary needs to find a short nonzero integral vector such that mod ; namely, is a short vector in . Since , we have , where is a short vector in the dual of the lattice . Then the adversary tries to test whether the inner product is close to zero modulo . When is a uniformly random instance, the test accepts with the probability exactly . When , where is sampled from a Gaussian distribution with standard deviation , we have mod , which is essentially Gaussian with standard deviation . When is not much larger than , the adversary can distinguish the Gaussian from the uniform with advantage of being very close to . In general, in order to do the distinguishing attack with high confidence, one needs , which need to reduce the basis well enough such that the shortest vector is of size roughly . We assume that the security depends on the ratio . Furthermore, we assume that the adversary will spend all the attack running time doing lattice reduction according to the paper .
The key point is to compute inner product modulo for a enough short vector in the distinguishing attack described above, which do not use the secret of LWE sample. It means that the distinguishing attack still work whether the secret is sampled from a Gaussian distribution or uniform. Next, we analyze the relation between the dimension of LWE and the security level.
A short vector used in the distinguishing attack can be got from lattice reduction algorithm. From the analysis of lattice reduction algorithms by Gama and Nguyen , the Hermite factor is regarded as the dominant parameter in the runtime of the reduction and the quality of the reduced basis. A reduced basis of an -dimensional lattice has the Hermite factor for if . The term is called a quality parameter. In addition, Lindner and Peikert perform the experiments in the paper , which predict the runtime required to achieve a given root-Hermite factor in random -ary lattices arising from LWE. The result of their experiments show that the logarithm of the runtime should grow roughly linearly in . In particular, for a random -ary lattices arising from LWE, the time (in seconds) that is spent to compute a reduced basis of quality is conservatively estimated at least as follows: We note that the runtime estimated in (25) can be also applied in here to analyze our scheme. First, the random -ary lattices for experiments in the paper  include the random -ary lattices arising from LWE where the secret was sampled from a Gaussian distribution. Second, the encryption scheme described in the paper  is also based on the same LWE problem like our scheme; namely, the secret is choose from a Gaussian distribution.
Recall that the basis is required to be reduced well enough such that the shortest vector is of size roughly in the distinguishing attack. Thus the adversary needs to reduce the basis enough so that . Moreover, for a random -ary lattice of rank , the determinant is with high probability. By the definition of quality parameter , a basis that has quality parameter has . From the result in paper , when lattice reduction algorithms is applied to , the shortest vectors are produced when . For simplicity, we take such that , then we have We can solve for and plug Equation (25) into it, then get which is a function between and (recall ). In order to ensure the time that is spent to reduce the basis at least , we need to set to be at least We thus obtain the relation between the dimension of LWE and the security level. If we want to get 80 bit security level we need to set , for 128 bit security level we need to set .
8.2. Setting Concrete Parameters
Based on our scheme, we first set a concrete ladder of decreasing modulus. For a certain security level, we recommend specific dimension and modulus values for a specific circuit level .
8.2.1. The Upper Bound of Noise
In order to obtain a suitable modulus, we need to find a common upper bound of noise for each circuit level.
Assume that we have a common upper bound on noise magnitude, which means that the noise magnitude is at most for all ciphertexts in all levels. Let and be two ciphertexts at level . The noise magnitude is at most after multiplication by following Lemma 11. Then, we apply the key switching, and the noise magnitude is at most by following Lemma 12. Finally, we apply modulus switching, and the noise magnitude in this stage is at most According to our assumption, the above equation is less than . The dominant term is ; thus, we have We get from Inequality (29), and we plug it into Inequality (30); then we have We thus set , which is the approximate common upper bound. We also get the ratio of and that is approximately . Next we can set a concrete ladder of decreasing modulus.
8.2.2. A Concrete Ladder of Decreasing Modulus
We first consider the smallest modulus. At the level 0, the noise magnitude is at most after multiplication. In order for the correction of decryption to occur, we need to ensure . We can take , which is approximately the smallest modulus.
Since , we can derive ; for example, , . We thus obtain a concrete ladder of decreasing modulus.
8.2.3. The Concrete Parameters of Our Scheme
According to (27) and the largest modulus , we have , which is the lower bound of the dimension of LWE. We use the Gaussian parameter from the experiment in . Since , we have is the bound of Gaussian, and we use from the statement in . We then can obtain the lower bound of the dimension from the circuit depth as well as the security level.
For an 80-bit security level and different circuit depth , we derive the parameters of our scheme, as shown in the Table 1.
The computational complexity of our scheme comes from homomorphic multiplication which includes three steps. The computational cost that computes the tensored ciphertext is . The computational cost in the step of key switching is . The computational cost in the step of modulus switching is . As a result, the per-gate computation in our scheme is . As a comparison, in the Bra12 scheme the per-gate computation is