Efficient SMC Protocol Based on Multi-Bit Fully Homomorphic Encryption

Abstract

Aiming at the problems of large ciphertext size and low efficiency in the current secure multi-party computation (SMC) protocol based on fully homomorphic encryption (FHE), the paper proves that the fully homomorphic encryption scheme that supports multi-bit encryption proposed by Chen Li et al. satisfies the key homomorphism. Based on this scheme and threshold decryption, a three-round, interactive, leveled, secure multi-party computation protocol under the Common Random String (CRS) model is designed. The protocol is proved to be safe under the semi-honest model and the semi-malicious model. From the non-interactive zero-knowledge proof, it can be concluded that the protocol is also safe under the malicious model. Its security can be attributed to the Decisional Learning With Errors (DLWE) and a variant of this problem (some-are-errorless LWE). Compared with the existing secure multi-party computation protocol based on fully homomorphic encryption under the CRS model, the ciphertext size of this protocol is smaller, the efficiency is higher, the storage overhead is smaller, and the overall performance is better than the existing protocol.

1. Introduction

As cloud computing develops rapidly, the problem of user privacy data security has become increasingly prominent. Fully Homomorphic Encryption (FHE) has just solved the problem of data privacy computing. Fully homomorphic encryption was first proposed by Rivest et al. [1] in 1978, which could perform various meaningful calculations on ciphertext without knowing the key. In other words, for any plain-text m and function f, there is $f(Enc(m))=Enc(f(m))$. Since Gentry et al. [2] proposed the first fully homomorphic encryption scheme in 2009, many fully homomorphic encryption schemes such as BV11 [3], BGV12 [4], Bra12 [5], GSW13 [6], and CKKS17 [7] have appeared in recent years. Fully homomorphic encryption can be used as a building block of a secure multi-party computation (SMC) protocol and shows good potential in the design of a secure multi-party computation protocol. In addition, the concept of secure multi-party computation originated from the millionaire problem proposed by Yao [8], which is characterized by allowing multiple parties to jointly calculate a certain function to obtain the result without private data being leaked out.

Nowadays, domestic and international scholars have carried out much research on the secure multi-party computation protocol based on the fully homomorphic encryption scheme. In 2012, López-Alt et al. [9] proposed the concept of Multi-Key Fully Homomorphic Encryption (MFHE). Based on the improved NTRU scheme [10], an MFHE scheme was constructed, which can operate the input encrypted under multiple unrelated keys, but the complexity is too high. In 2016, based on the Learning With Errors (LWE) assumption, Mukherjee et al. (MW16 scheme) [11] implemented a multi-key secure multi-party computation protocol with only two rounds of interaction under the CRS model, achieving the best interaction rounds, but the ciphertext matrix was too large. In 2017, Wang et al. [12] constructed a simple three-round, leveled, multi-key, secure multi-party computation protocol under the CRS model based on the GSW13 scheme. Compared with the MW16 scheme, although an additional round of interaction was added, the complexity of encryption and decryption was low, and the ciphertext expansion rate was small, which did not require a running key. In 2018, due to the problem that the secure multi-party computation protocol under the CRS model weakened the user’s ability to independently generate their own keys, Kim et al. (KLP18 scheme) [13] constructed a three-round, secure, multi-party computation protocol without CRS. The protocol was safe against semi-malicious opponents, but it could not fight against completely malicious opponents. In 2020, Tang et al. [14] improved the ciphertext extension method of the KLP18 scheme with the help of the coding operation in Li’s scheme [15] and designed a three-round, secure, multi-party computation protocol based on MFHE without the CRS model, improving the efficiency and reducing decryption noise, but it still could not prove that it was safe in a fully malicious environment. In 2021, Tang et al. [16] proved the key homomorphism of the multi-bit fully homomorphic encryption scheme proposed by Li [17]. Moreover, based on this scheme, a three-round, secure, multi-party computation protocol that could support multi-bit encryption under the CRS model was designed, which further reduced the complexity of the NAND gate.

It can be seen from the above related work that although the secure multi-party computation protocol under the CRS-free model allows MFHE users to independently generate their own keys, the secure multi-party computation protocol under this model is not secure enough to resist completely malicious adversaries. What is more, nowadays, the fully homomorphic encryption-based secure multi-party computation protocol under the CRS model has problems such as large ciphertext size and insufficient efficiency. Therefore, to solve the problems mentioned above, a three-round secure multi-party computation protocol that can resist malicious opponents under the CRS model is designed in this paper with the help of the New Fully Homomorphic Encryption (NFHE) scheme [18] and threshold decryption. This protocol supports multi-bit encryption. In addition, compared with the existing secure multi-party computation protocol under the CRS model, the ciphertext size of the protocol is smaller, and the overall performance is better than the existing protocol.

2. Preliminaries

2.1. Symbolic Representation

In this paper, $\mathbb{Z}$, $ℝ$, and ${\mathbb{Z}}_q$ respectively represent the integer set, real number set, and integer modulo q residual ring. Bold italic lowercase letters represent vectors, and bold italic uppercase letters refer to matrices. Moreover, the length of the n-dimensional vector a is defined as its Euclidean norm $\Vert \mathit{a}\Vert =\sqrt{{\displaystyle \sum _{i=0}^{n-1}{\mathit{a}}_i^2}}$, and the length of the vector set S is defined as $\Vert S\Vert ={\max }_{a\in S}\Vert \mathit{a}\Vert$. $\mathit{a}\leftarrow D$ means randomly selecting variable a from probability distribution D, and $\mathit{a}\stackrel{R}{\leftarrow }U$ means randomly and uniformly selecting variable a from set U. Vector $\mathit{a}\in {\mathbb{Z}}_q^n$ can be expressed as $\mathit{a}=(a_0,\cdots ,a_{n-1})$. The polynomial $b\in R_q$ can be expressed as $b=(b_0,\cdots ,b_{n-1})$·$c_i$ represents the i-th row of the matrix C, $I_n$ is the n-dimensional identity matrix, and $\phi (y)$ refers to the probability $Pr\left[y\le x|y~N(0,1)\right]$. In addition, for the polynomial $b,c\in R$, $b\times c=bc \mathrm{mod}(x^n+1)$ can be defined.

In this paper, the logarithmic function log is based on 2, except that the basis is specified. O and o represent the complexity of the calculation. At the same time, for variable $\mathit{\sigma }$ and any constant c, if $f(\sigma )=O({\sigma }^c)$, then $f(\sigma )$ can be expressed as $poly\left(\mathit{\sigma }\right)$. If there is $f(\sigma )=o({\sigma }^{-c})$, then $f(\sigma )$ can be expressed as $negl\left(\mathit{\sigma }\right)$, which is called a negligible function of $\mathit{\sigma }$.

2.2. Definitions and Theorems

Definition 1.

([19]) (Learning With Errors, LWE) For the vector $s\in {\mathbb{Z}}_q^n$, the LWE distribution $A_{s,\chi }$ on ${\mathbb{Z}}_q^n\times {\mathbb{Z}}_q$ refers to uniformly selecting $a\in {\mathbb{Z}}_q^n$ at random, selecting the error $e\leftarrow \chi$, and outputting $(\mathit{a},\mathit{b}=\mathit{a}\cdot \mathit{s}+e \mathrm{mod}q)$.

Definition 2.

($Search.LW{E}_{m,n,q,\chi }$) For vector$s\in {\mathbb{Z}}_q^n$, sis recovered from the given m independent samples $({\mathit{a}}_i,{\mathit{b}}_i)\in {\mathbb{Z}}_q^n\times {\mathbb{Z}}_q$selected from the distribution of $A_{s,\chi }$.

Definition 3.

($Decision.LW{E}_{m,n,q,\chi }$) For vector $s\in {\mathbb{Z}}_q^n$, the attacker is required to distinguish two sets of random variables containing m independent samples with non-negligible advantage. The two sets of variables are taken from the uniform distributions on distributions $A_{s,\chi }$and ${\mathbb{Z}}_q^n\times {\mathbb{Z}}_q$, respectively.

Definition 4.

(Some-are-errorless LWE) for $q\ge 1$, $n>0$, the error distribution on R is ${\chi }^{\prime }$,$T_q=\left\{0,\frac{1}{q},\cdots ,\frac{q-1}{q}\right\}$, where $q\in Z$. The distribution $A_{s,\chi }^{\prime }$on $T_q^n\times T_q$refers to uniformly selecting $\mathit{a}\in T_q^n$, selecting the error $e\leftarrow {\chi }^{\prime }$, and outputting $(\mathit{a},\mathit{b}=\mathit{a}\cdot \mathit{s}+e)$. Some-are-errorless LWE distinguishes the following two situations.

(1) 

Select all samples uniformly from $T_q^n\times T_q$.

(2) 

For the vector $s\in T_q^n$, the previous sample is selected from $A_{s,0}^{\prime }$. All the remaining samples are selected from $A_{s,\chi }^{\prime }$. In other words, the previous sample is $\left({\mathit{a}}_i,\mathit{b}={\mathit{a}}_i\cdot \mathit{s}\right)$, and no error e is introduced. The remaining samples are $\left({\mathit{a}}_i,\mathit{b}={\mathit{a}}_i\cdot \mathit{s}+e_i\right)$, $i>l$, and each sample introduces a small error $e_i$.

Definition 5.

Secure multi-party computation. The general formal definition of an SMC agreement [9] can be described as follows. It is assumed that there are N participants $\left\{P_1,P_2,\cdots ,P_N\right\}$, and $x_i\left(i\in \left[N\right]\right)$ is the private data owned by each participant P. In addition, all participants jointly calculate a certain effective function $y=f\left(x_1,x_2,\cdots ,x_N\right)$. After the calculation, each $P_i$ can obtain y but cannot obtain the private data of other participants.

Theorem 1.

If ${\alpha }_i\left(i\in \left[N\right]\right)$is a series of independent random variables that obey a bounded distribution of $B_{\chi }$, then the random variable $\alpha =\frac{1}{N}{\displaystyle \sum _{i=1}^N{\alpha }_i}$also obeys the bounded distribution of $B_{\chi }$.

Proof. 

Suppose $E\left({\alpha }_i\right)=\frac{B_{\chi }}{poly\left(\sigma \right)}$, according to Markov inequality,

$$\mathrm{Pr}\left\{\left|\alpha \right|>B_{\chi }\right\}\le \frac{E\left(\left|\alpha \right|\right)}{B_{\chi }}=\frac{1}{N·B_{\chi }}E\left({\displaystyle \sum _{i=1}^N{\alpha }_i}\right)$$

$=\frac{1}{\mathrm{poly}\left(\sigma \right)}$. So, the conclusion holds.

End. □

2.3. Secure Multi-Party Computation Model

(a) Semi-honest model: All participants will strictly abide by the agreement and will not actively change the agreement or data. However, intermediate calculation results may be retained and used to calculate the private data of other participants.

(b) Semi-malicious model: The adversary can decide whether to faithfully execute the original agreement based on the input and a certain degree of randomness.

(c) Malicious model: All computing participants can tamper with or leak the agreement and data at will, and even prevent the normal execution of the agreement.

3. Efficient Fully Homomorphic Encryption Scheme

This scheme is an improved NFHE scheme based on GSW13 in reference [18], and the structure of the scheme is as follows. The modulus q and the dimension N are settled, and the ciphertext C is an N×N-dimensional matrix defined on ${\mathbb{Z}}_p$. In addition, each component of the matrix is much smaller than q. The private key sk of C is an N-dimensional vector defined on ${\mathbb{Z}}_p$. Let the plain-text $\mu$ be a small integer. When $\mathit{C}\cdot \mathit{s}\mathit{k}=\mu \cdot \mathit{s}\mathit{k}+\mathit{e}$, C is called the ciphertext of $\mu$, where e is the small error vector. In the decryption process, first extract the i-th row ${\mathit{C}}_i$ of C, then calculate $x\leftarrow \langle {\mathit{C}}_i,\mathit{s}\mathit{k}\rangle =\mu \cdot s{k}_i+e_i$, and finally output $\mu =\lfloor x/s{k}_i\rceil$, where $s{k}_i$ is the i-th element of sk, $e_i$ is the i-th element of e, and $i\in \left[0,N-1\right]$. The message $\mu$ can be regarded as an eigenvalue of the ciphertext matrix C, and the private key sk is the approximate eigenvector of C corresponding to the eigenvalue $\mu$.

The structure of the scheme is as follows. First of all, defining functions such as $\mathrm{mbDpt}\left(\mathit{a}\right)$, $\mathrm{mbDp}{\mathrm{t}}^{(-1)}({\mathit{a}}^{\prime })$, $\mathrm{mbFlatten}\left({\mathit{a}}^{\prime }\right)$, and $\mathrm{pofmb}\left(\mathit{b}\right)$, the expansion method of the NFHE scheme is given. Then, based on the above functions, the five polynomial time algorithms included in the NFHE program are designed, namely the key generation algorithm $\mathrm{NFHE.Keygen}(n,q)$, the encryption algorithm $\mathrm{NFHE.Encrypt}(pk,\mu )$, the decryption algorithm $\mathrm{NFHE.Decrypt}\left(\mathit{s}\mathit{k},\mathit{C}\right)$, the homomorphic addition algorithm $\mathrm{NFHE.Add}(C_1,C_2)$, and the homomorphic multiplication algorithm $\mathrm{NFHE.Mult}(C_1,C_2)$.

Let a and b be vectors on ${\mathbb{Z}}_q^k$. k is a positive integer, q is a modulus, and p is a power of 2. $t=\lceil {\log }_{p}q\rceil$, and $N=kt$. The definition of each function is shown in the following formula.

$$\mathrm{mbDpt}(\mathit{a})={\mathit{a}}^{\prime }=(a_{1,1},\cdots ,a_{1,t},\cdots ,a_{k,1},\cdots ,a_{k,t})\in {\mathbb{Z}}_p^N$$

where ${\mathit{a}}^{\prime }$ is an N-dimensional vector, $a_i={\displaystyle \sum _{j=1}^t{a}_{i,j}{p}^{j-1}}$, $a_{i,j}\in {\mathbb{Z}}_p$.

$$\mathrm{mbDp}{\mathrm{t}}^{(-1)}({\mathit{a}}^{\prime })=\left({\displaystyle \sum p^j\cdot a_{1,j},\cdots ,{\displaystyle \sum p^j\cdot a_{k,j}}}\right)$$

$$\mathrm{mbFlatten}({\mathit{a}}^{\prime })=\mathrm{mbDpt}(\mathrm{mbDp}{\mathrm{t}}^{(-1)}(a^{\prime }))$$

$$\mathrm{pofmb}\left(\mathit{b}\right)=\left(b_1,p{b}_1,\cdots ,p^{t-1}{b}_1,\cdots ,b_k,p{b}_k,\cdots ,p^{t-1}{b}_k\right)$$

a.

Key generation algorithm $\mathrm{NFHE.Keygen}(n,q)$. For a positive integer n, the depth of the homomorphic operation is l. Randomly and uniformly select $\mathit{A}\stackrel{R}{\leftarrow }{\mathbb{Z}}_q^{n\times n}$ from ${\mathbb{Z}}_q^{n\times n}$, and sample s from the discrete Gaussian distribution ${\chi }^{n\times l}$ on ${\mathbb{Z}}^{n\times l}$. In addition, $\mathit{e}\leftarrow {\chi }^n$. The public key is $pk=\left(\mathit{A},\mathit{b}=\mathit{A}\cdot \mathit{s}+\mathit{e}\right)\in {\mathbb{Z}}_q^{n\times n}\times {\mathbb{Z}}_q^n$, and the private key is $\mathit{s}\mathit{k}=\left(\begin{array}{c}-\mathit{s}\\ 1\end{array}\right)\in {\mathbb{Z}}_q^{n+1}$.

b.

Encryption algorithm $\mathrm{NFHE.Encrypt}(pk,\mu )$. For the plain-text $\mu \in \left\{0,1\right\}$ to be encrypted, randomly selecting ${\mathit{r}}_i$, $e_{i,1}\leftarrow {\chi }^n$ and $e_{i,2}\leftarrow \chi$, $i=1,\cdots ,\left(n+1\right)\cdot t$, calculate $C_{i,1}={\mathit{A}}^T\cdot {\mathit{r}}_i+e_{i,1}\in {\mathbb{Z}}_q^n$ and $C_{i,2}={\mathit{b}}^T\cdot {\mathit{r}}_2+e_{i,2}\in {\mathbb{Z}}_q$. Among them, $e_{ij}$ is the j-th element of $e_i$, and $C_{ij}$ is the j-th element of $C_i$. Let ${\mathit{C}}^{\prime }$ be a matrix formed by arraying $m=\left(n+1\right)\cdot t$ ciphertexts as column vectors, whose dimension is $\left(n+1\right)\times m$. Output ciphertext $\mathit{C}=\mathrm{mbFlatten}\left(\mathit{\mu }\cdot {\mathit{I}}_N+\mathrm{mbDpt}\left({\mathit{C}}^{\prime }\right)\right)\in {\mathbb{Z}}_p^{m\times m}$.

c.

Decryption algorithm $\mathrm{NFHE.Decrypt}\left(\mathit{s}\mathit{k},\mathit{C}\right)$. For ciphertext $\mathit{C}\in {\mathbb{Z}}_p^{m\times m}$ and private key $\mathit{s}\mathit{k}=\left(\begin{array}{c}-\mathit{s}\\ 1\end{array}\right)\in {\mathbb{Z}}_q^{n+1}$, let ${\mathit{s}}^{\prime }=\mathrm{pofmb}\left(\mathit{s}\mathit{k}\right)$, and calculate and output plain-text $\mu =\lfloor \langle s^{\prime },C_{m-1}\rangle /\left(q/2p\right)+\frac{1}{2}\rfloor \mathrm{mod}2$.

d.

Homomorphic addition algorithm $\mathrm{NFHE.Add}(C_1,C_2)$. Input the ciphertext $C_1$ and $C_2$, and output the new ciphertext $\mathit{C}=\mathrm{mbFlatten}\left(C_1+C_2\right)$ obtained after homomorphic addition.

Homomorphic multiplication algorithm $\mathrm{NFHE.Mult}(C_1,C_2)$. Input the cipher-text $C_1$ and $C_2$, and output the new ciphertext $C=\mathrm{mbFlatten}(C_1\cdot C_2)$ obtained after homomorphic multiplication.

3.1. The Correctness of the Scheme

First, correctly analyze the homomorphic addition and multiplication of the scheme. For the homomorphic addition, there will be $\mathit{C}=\mathrm{mbFlatten}\left(\left({\mu }_1+{\mu }_2\right)\cdot {\mathit{I}}_N+\mathrm{mbDmp}\left(C_1+C_2\right)\right)$ and $\mathrm{NFHE.Dec}(\mathit{s}\mathit{k},\mathit{C})=\left({\mu }_1+{\mu }_2\right)\mathrm{mod}2$. After homomorphic addition is performed on each scheme, the noise will not exceed twice the original ciphertext. For homomorphic multiplication, there will be $\mathit{C}\cdot \mathit{s}\mathit{k}={\mu }_1\cdot {\mu }_2\cdot \mathit{s}\mathit{k}+{\mu }_2\cdot {\mathit{e}}_1+C_1\cdot {\mathit{e}}_2$ and $\mathrm{NFHE.Dec}(\mathit{s}\mathit{k},\mathit{C})={\mu }_1\cdot {\mu }_2$ (${\mathit{e}}_1$ and ${\mathit{e}}_2$ refers to the noise in ciphertext $C_1$ and $C_2$). Since the coefficient of ${\mu }_2$ is {0, 1}, and the coefficient of $C_1$ is limited to ${\mathbb{Z}}_p$, the noise will not exceed $pN+1$ times the original ciphertext after each homomorphic multiplication.

Theorem 2.

For the NFHE scheme, L represents the maximum depth of the homomorphic operation circuit. In the case of no homomorphic operation, if C is the cipher-text obtained by encrypting 0, when$\left|\langle C_{m-1},s^{\prime }\rangle \right|<q/\left[4p{\left(pN+1\right)}^L\right]$, the scheme will be correct.

Proof. 

According to the analysis of the correctness of homomorphic addition and multiplication, after each homomorphic operation, the noise does not exceed pN+1 times of the original ciphertext. Therefore, when $\left|\langle C_{m-1},s^{\prime }\rangle \right|<q/\left[4p{\left(pN+1\right)}^L\right]$, after performing no more than L homomorphic operations, $\left|\langle C_{m-1},s^{\prime }\rangle \right|<q/\left(4p\right)$. According to the decryption algorithm, when $\left|\langle C_{m-1},s^{\prime }\rangle \right|<q/\left(4p\right)$, there is $\langle s^{\prime },C_{m-1}\rangle /\left(q/2p\right)<1/2$. Therefore, if the encrypted message is 0, then $\langle C_{m-1},s^{\prime }\rangle$ is closer to 0 than $q/\left(2p\right)$, $\mu =\lfloor \langle s^{\prime },C_{m-1}\rangle /\left(q/2p\right)+1/2\rfloor \mathrm{mod}2<\lfloor 1/2+1/2\rfloor \mathrm{mod}2=0$. Otherwise, the situation is reversed, and the correctness of the scheme can be guaranteed.

For the ciphertext obtained by encrypting 0, there are

$$\langle {\mathit{C}}_{m-1},{\mathit{s}}^{\prime }\rangle =\langle \mathit{r},\mathit{s}\rangle +e_{m-1,2}-\langle e_{m-1,1},\mathit{e}\rangle$$

Therefore, as long as the appropriate parameter q is selected, the correctness can be satisfied by making it large enough. □

3.2. Security of the Scheme

Theorem 3.

Supposing that parameters $n=\mathrm{poly}(\lambda )$and $q=\mathrm{poly}(\lambda )$are the polynomials of the security parameter $\lambda$, if the attacker can distinguish the ciphertext of the NFHE scheme from the uniform distribution on ${\mathbb{Z}}_p^{m\times m}$with a non-negligible advantage, the $DLW{E}_{q,n,2n+1,\chi }$problem can also be solved. Therefore, if the problem is assumed to be difficult, then the NFHE scheme can achieve IND-CPA security.

The detailed proof can be found in reference [18].

3.3. Optimization Based on Multi-Bit Encryption

In the GSW13 scheme and the NFHE scheme, although the plaintext messages are all $\mu \in \left\{0,1\right\}$, the GSW13 scheme cannot support multi- bit encryption under the condition that the system parameters remain unchanged [17]. In addition, the NFHE scheme adopts the following modifications to realize multi-bit encryption without changing system parameters.

Encryption Algorithm $\mathrm{NFHE.Encrypt}(pk,\mu )$. For plain- text $\mu \in {\mathbb{Z}}_p$, uniformly select ${\mathit{r}}_i$, $e_{i,1}\leftarrow {\chi }^n$, $e_{i,2}\leftarrow \chi$, and $i=1,\cdots ,\left(n+1\right)\cdot t$ at random. Calculate $C_{i,1}={\mathit{A}}^T\cdot {\mathit{r}}_i+e_{i,1}\in {\mathbb{Z}}_q^n$ and $C_{i,2}={\mathit{b}}^T\cdot {\mathit{r}}_2+e_{i,2}\in {\mathbb{Z}}_q$. Let ${\mathit{C}}^{\prime }$ be a matrix formed by arranging $m=\left(n+1\right)\cdot t$ ciphertexts as column vectors, the dimension of which is $\left(n+1\right)\times m$. Then output the ciphertext $\mathit{C}=\mathrm{mbFlatten}\left(\mathit{\mu }\cdot {\mathit{I}}_N+\mathrm{mbDpt}\left({\mathit{C}}^{\prime }\right)\right)\in {\mathbb{Z}}_p^{m\times m}$.

Decryption algorithm $\mathrm{NFHE.Decrypt}\left(\mathit{s}\mathit{k},\mathit{C}\right)$. For ciphertext $\mathit{C}\in {\mathbb{Z}}_p^{m\times m}$ and private key $\mathit{s}\mathit{k}=\left(\begin{array}{c}-s\\ 1\end{array}\right)\in {\mathbb{Z}}_q^{n+1}$, let ${\mathit{s}}^{\prime }=\mathrm{pofmb}\left(\mathit{s}\mathit{k}\right)$, and calculate and output plain-text $\mu =\lfloor \langle s^{\prime },C_{m-1}\rangle /\left(q/2p\right)+\frac{1}{2}\rfloor \mathrm{mod}p$.

When not performing homomorphic operation, if the plain-text message is ${\mu }^{\prime }$, according to the encryption/decryption process, there will be $\mu =\lfloor \langle s^{\prime },C_{m-1}\rangle /\left(q/2p\right)+\frac{1}{2}\rfloor \mathrm{mod}p=\lfloor {\mu }^{\prime }+e/\left(q/2p\right)+\frac{1}{2}\rfloor \mathrm{mod}p$ after decryption. When $\left|e/\left(q/2p\right)<1/2\right|$, there will be $\mu ={\mu }^{\prime }$, which can be decrypted correctly. For homomorphic addition, there will be $\mathit{C}=\mathrm{mbFlatten}\left(\left({\mu }_1+{\mu }_2\right)\cdot {\mathit{I}}_N+\mathrm{mbDmp}\left(C_1+C_2\right)\right)$ and $\mathrm{NFHE.Dec}(\mathit{s}\mathit{k},\mathit{C})=\left({\mu }_1+{\mu }_2\right)\mathrm{mod}p$. For homomorphic multiplication, there will be $\mathit{C}\cdot \mathit{s}\mathit{k}={\mu }_1\cdot {\mu }_2\cdot \mathit{s}\mathit{k}+{\mu }_2\cdot {\mathit{e}}_1+C_1\cdot {\mathit{e}}_2$ and $\mathrm{NFHE.Dec}(\mathit{s}\mathit{k},\mathit{C})={\mu }_1\cdot {\mu }_2$. Therefore, it can be decrypted correctly.

After homomorphic multiplication, since the coefficients of ${\mu }_2$ and $C_1$ are both limited to ${\mathbb{Z}}_p$, the noise does not exceed $pN+p$ times of the original ciphertext. Therefore, when performing multi-bit encryption, the noise limit of Theorem 2 becomes $\left|\langle C_{m-1},s^{\prime }\rangle \right|<q/\left[4p{\left(pN+p\right)}^L\right]$. In addition, due to $pN=pkt\gg p$, the effect of this change on modulus q can be ignored.

4. Key Homomorphism of NFHE Scheme

4.1. Definition of Key Homomorphism

It is assumed that $F:K\times X\to Y$ is a pseudo-random function (PRF) [20], and K is the key space, which has a group structure and satisfies a certain ⊕ operation on the group. Besides, X is the plain-text space, and Y is the ciphertext space. If for any $k_1$, $k_2$ ∈ K and $\xi \in X$, an effective algorithm can be found to calculate $F\left(k_1\oplus k_2,\xi \right)$ from $F\left(k_1,\xi \right)$ and $F\left(k_2,\xi \right)$.

Now its definition is extended to multiple keys, assuming that the number of keys is N. For a public key encryption scheme E, if $\left(p{k}_i,s{k}_i\right)$ is the effective public key or private key pair of the scheme, and for $pk=g\left(p{k}_1,p{k}_2,\cdots ,p{k}_N\right)$, $sk=g^{\prime }\left(s{k}_1,s{k}_2,\cdots ,s{k}_N\right)$ can be found. $\left(pk,sk\right)$ can also be the effective public key or private key pair of E and E is called the key pair homomorphic nature. Among them, g and g’ are both effective computable functions. In particular, if both g and g’ are sum (product/linear) functions, then E is said to have the property of key addition (multiplication/linear) homomorphism.

4.2. Proof of Key Homomorphism

In the NFHE scheme, $s\in {\mathbb{Z}}^{n\times l}$, $\mathit{s}\mathit{k}=\overline{\mathit{t}}=\left(\begin{array}{c}-s\\ 1\end{array}\right)\in {\mathbb{Z}}_q^{n+1}$ is the private key, and $pk=\overline{\mathit{K}}=\left(\mathit{A},\mathit{b}=\mathit{A}\cdot \mathit{s}+\mathit{e}\right)\in {\mathbb{Z}}_q^{n\times n}\times {\mathbb{Z}}_q^n$ is the public key. Denote it as $pk=\overline{\mathit{K}}=\frac{1}{N}{\displaystyle \sum _{i=1}^N{\overline{\mathit{K}}}_i}$. If pk is used to encrypt the plain-text μ, $\mathit{C}=\mathrm{mbFlatten}\left(\mathit{\mu }\cdot {\mathit{I}}_N+\mathrm{mbDpt}\left({\mathit{C}}^{\prime }\right)\right)$ $=\mathrm{mbFlatten}\left(\mathit{\mu }\cdot {\mathit{I}}_N+\mathrm{mbDpt}\left(\mathit{r}\cdot \mathit{K}\right)\right)$ is obtained.

$sk=\overline{\mathit{t}}=\frac{1}{N}{\displaystyle \sum _{i=1}^N{\overline{\mathit{t}}}_i}$ can be used to decrypt the ciphertext. In other words, if A remains unchanged, the scheme will satisfy the linear homomorphism of the key.

Proof. 

$\overline{\mathit{t}}\overline{\mathit{K}}=\frac{1}{N}{\displaystyle \sum _{i=1}^N{\overline{\mathit{t}}}_i}\cdot \frac{1}{N}{\displaystyle \sum _{i=1}^N{\overline{\mathit{K}}}_i}$

$=\left(\begin{array}{c}-\frac{1}{N}{\displaystyle \sum _{i=1}^N{\mathit{s}}_i}\\ 1\end{array}\right)\left(\mathit{A},\frac{1}{N}{\displaystyle \sum _{i=1}^N{b}_i}\right)$

$=\frac{1}{N}{\displaystyle \sum _{i=1}^N{e}_i}\approx 0$

is right. Therefore, there is still $\overline{\mathit{t}}\mathit{C}=\mathrm{mbFlatten}\left(\mathit{\mu }\cdot {\mathit{I}}_N+\mathrm{mbDpt}\left(\mathit{r}\cdot \overline{\mathit{K}}\right)\right)\overline{\mathit{t}}$$=\mu \cdot \overline{\mathit{t}}+\mathit{r}\cdot \overline{\mathit{K}}\cdot \overline{\mathit{t}}=\mu \cdot \overline{\mathit{t}}+\mathit{r}\cdot e=\mu \cdot \overline{\mathit{t}}+\overline{e}$. and $\overline{e}=\mathit{r}\cdot e$

Therefore, plain-text $\mu$ can be obtained by decryption according to the original scheme. Therefore, when A is unchanged, the scheme will satisfy the linear homomorphism of the key. □

5. Secure Multi-Party Computation Protocol Based on NFHE Scheme

5.1. SMC Protocol Based on Leveled NFHE Scheme

The basic NFHE scheme in this paper is leveled, which can only carry out a limited number of homomorphic operations. Although this limitation can be removed by bootstrapping to achieve any number of homomorphic operations, most of the advantages of the scheme will also be destroyed. Therefore, an SMC protocol based on the leveled NFHE scheme can be constructed.

${\mathit{\pi }}_f$: Under the CRS model, a protocol for safely computing a single-valued function f is constructed, which is always safe under the semi-honest model and the semi-malicious model. The details are as follows.

Preprocessing: Set parameter, ensuring that all participants share parameter settings. Choose a lattice dimension parameter n, where $\lambda$ is the security parameter. Pick an error distribution $\chi$ and a modulus q, such that for $l=\lfloor \log q\rfloor +1$, the some-are-errorless $LW{E}_{n,q,l,\chi }$ holds. Let $\overline{m}=n\cdot l$. A common random string matrix $\mathit{A}\stackrel{R}{\leftarrow }{\mathbb{Z}}_q^{n\times n}$ is selected.

Input: For $i\in \left[N\right]$, each participant $P_i$ inputs private data $x_i\in \{0,1\}$, then calculate the function $f\left({\left\{0,1\right\}}^N\to \left\{0,1\right\}\right)$. d is the circuit depth of f.

Round 1. For $P_i$, the following is operated.

-

Generate $\left(p{k}_i,s{k}_i\right)\leftarrow \mathrm{NFHE.Keygen}\left(n,q\right)$.

-

Release the public key ${\left\{p{k}_i\right\}}_{i\in \left[N\right]}$.

Round 2. Each $P_i$ receives the public key ${\left\{p{k}_i\right\}}_{i\in \left[N\right]\backslash \left\{i\right\}}$ of others and performs the following operations.

-

Calculate the joint public key $pk=\overline{\mathit{K}}=\frac{1}{N}{\displaystyle \sum _{i=1}^N{\overline{\mathit{K}}}_i}$.

-

pk is used to calculate ciphertext $\mathit{C}=\mathrm{mbFlatten}\left(\mathit{\mu }\cdot {\mathit{I}}_N+\mathrm{mbDpt}\left({\mathit{C}}^{\prime }\right)\right)$ and publish ciphertext ${\left\{C_i\right\}}_{i\in \left[N\right]}$.

Round 3. Each party $P_i$ receives the ciphertext ${\left\{C_i\right\}}_{i\in \left[N\right]\backslash \left\{i\right\}}$ of others and performs the following operations.

-

Perform homomorphic operations.

-

Perform threshold decryption. $P_i$ selects a random vector ${\mathit{\gamma }}_i^{\prime }\leftarrow {\mathit{\chi }}^{\overline{m}-l}$. Let ${\mathit{\gamma }}_i=\left({\mathit{\gamma }}_i^{\prime },0,\cdots ,0\right)\in {\mathit{\chi }}^{\overline{m}}$, then calculate the partial decryption result ${\mathit{\eta }}_i={\overline{\mathit{t}}}_i\cdot \mathit{C}+{\mathit{\gamma }}_i\in {\mathbb{Z}}_q^{\overline{m}}$. Finally, release ${\eta }_i$.

Output: Each participant $P_i$ accepts others to decrypt ${\left\{{\mathit{\eta }}_i\right\}}_{i\in \left[N\right]\backslash \left\{i\right\}}$. Calculate $\mathit{\eta }=\frac{1}{N}{\displaystyle \sum _{i=1}^N{\mathit{\eta }}_i}=\overline{\mathit{t}}\mathit{C}+\frac{1}{N}{\displaystyle \sum _{i=1}^N{\mathit{\gamma }}_i}=\overline{\mathit{t}}\mathit{C}+\mathit{\gamma }$, then calculate $v=\mathit{\eta }{\mathit{G}}^{-1}\left({\mathit{w}}^T\right)$, where ${\mathit{G}}^{-1}\left({\mathit{w}}^T\right)$ is a bit decomposition of ${\mathit{w}}^T$ and $\mathit{w}=\left(0,0,\cdots ,\lceil \frac{q}{2}\rceil \right)$. If the value of v is close to 0, then μ = 0. If the value of v is close to $\lceil \frac{q}{2}\rceil$, then μ = 1.

5.2. Correctness

The correctness of the agreement mainly depends on two aspects:

a.

It has been proven that it is right to use the NFHE scheme in the protocol, so it is only necessary to verify whether the parameters used are correct. Besides, it can be seen from this scheme that through setting the parameter mentioned above, the noise does not exceed $pN+p$ times of the original ciphertext after each homomorphic operation. Therefore, when $\left|\langle C_{m-1},s^{\prime }\rangle \right|<q/\left[4p{\left(pN+p\right)}^L\right]$, if it does not exceed L homomorphic operations, $\left|\langle C_{m-1},s^{\prime }\rangle \right|<q/\left(4p\right)$, and the scheme can be decrypted correctly.

b.

The correctness of the encryption and decryption of the protocol mainly involves three issues. Upon analyzing the key homomorphism in the previous scheme, it can be seen that the key pair used in protocol ${\pi }_f$ is effective. Besides, from Theorem 1, it can be seen that the joint error in protocol ${\pi }_f$ also obeys $B_{\chi }$ bounded distribution. Then, prove the correctness of the protocol joint decryption.

Proof. 

According to $\mathit{\eta }=\frac{1}{N}{\displaystyle \sum _{i=1}^N{\mathit{\eta }}_i}=\overline{\mathit{t}}\mathit{C}+\frac{1}{N}{\displaystyle \sum _{i=1}^N{\mathit{\gamma }}_i}=\overline{\mathit{t}}\mathit{C}+\mathit{\gamma }$

There is $\mathit{\eta }{\mathit{G}}^{-1}\left({\mathit{w}}^T\right)=\left(\overline{\mathit{t}}\mathit{C}+\mathit{\gamma }\right){\mathit{G}}^{-1}\left({\mathit{w}}^T\right)$

$=\overline{\mathit{t}}\mathit{C}{\mathit{G}}^{-1}\left({\mathit{w}}^T\right)+\mathit{\gamma }{\mathit{G}}^{-1}\left({\mathit{w}}^T\right)$

$=\mu \lceil \frac{q}{2}\rceil +\left({\mathit{\gamma }}_1^{’},\cdots ,{\mathit{\gamma }}_{\left(\overline{\mathit{m}}-l\right)}^{’},0,\cdots ,0\right){\mathit{G}}^{-1}\left(\begin{array}{c}0\\ ⋮\\ \lceil \frac{q}{2}\rceil \end{array}\right)=\mu \lceil \frac{q}{2}\rceil$

Since ${\mathit{G}}^{-1}\lceil \frac{q}{2}\rceil$ is a bit decomposition of $\lceil \frac{q}{2}\rceil$, the maximum decomposition length of $\lceil \frac{q}{2}\rceil$ is $\lfloor \log q\rfloor +1$. Moreover, from $l=\lfloor \log q\rfloor +1$, the maximum length of ${\mathit{G}}^{-1}\left(\begin{array}{c}\lceil \frac{q}{2}\rceil \\ ⋮\\ \lceil \frac{q}{2}\rceil \end{array}\right)$ is l. Then, as the last l bits in γ are all 0, and the protocol can correctly perform joint decryption. □

5.3. Security

5.3.1. In Semi-Honest Model

In the CRS model, the security of the protocol is based on the following issues.

a.

Under the above settings, the security of the NFHE solution can be attributed to the DLWE problem.

b.

In ${\mathit{\eta }}_i={\overline{\mathit{t}}}_i\cdot \mathit{C}+{\mathit{\gamma }}_i$ and $\mathit{\eta }=\overline{\mathit{t}}\mathit{C}+\mathit{\gamma }$, the first l components in ${\mathit{\gamma }}_i$ and $\mathit{\gamma }$ obey the bounded distribution of $B_{\chi }$, which implies that these two equations constitute two some-are-errorless LWE instances discussed in Section 2. Therefore, after each party announces its own ${\mathit{\eta }}_i$ in Round 3, its private key and joint key will not be disclosed, and the protocol is safe under the semi-honest model.

5.3.2. In Semi-Malicious Model

To be easily expressed, ${\mathit{\rho }}_i={\mathit{\eta }}_i{\mathit{G}}^{-1}\left({\mathit{w}}^T\right)+{\mathit{\epsilon }}_i={\mathit{v}}_i+{\mathit{\epsilon }}_i$ and ${\mathit{\epsilon }}_i\leftarrow \chi$ are used to replace ${\mathit{\eta }}_i$ as part of the decryption of $P_i$. If the ${\mathit{\rho }}_i$ obtained by simulation is indistinguishable from the real ${\mathit{\rho }}_i$ obtained by decrypting ${\mathit{\eta }}_i$, the ${\mathit{\eta }}_i$ obtained by the simulation will be also indistinguishable from the real ${\mathit{\eta }}_i$.

Theorem 4.

If f is a computable function with N inputs and one output of a deterministic polynomial time (PPT), then the above protocol${\mathit{\pi }}_f$can realize that f is safe when facing a semi-malicious adversary who happens to capture$N-1$ participants.

Proof. 

A PPT simulator S is constructed to target a semi-malicious adversary who has captured $N-1$ users, and this static semi-malicious adversary is denoted as A. $P_h$ is assumed as the only honest party left. Simulator S performs the following operations on behalf of $P_h$.

In the second round, the simulator S uses 0 to replace the real input of the honest party $P_h$ for encryption. Then the simulator S obtains the input and private keys of $N-1$ captured parties from the “evidence tape”. These inputs are sent by S to an ideal machine to obtain the output y. Meanwhile, the ciphertext C that performed the homomorphic calculation can be obtained. Moreover, S calculates the simulated part to decrypt ${\mathit{\rho }}_h^{\prime }\leftarrow S\left(\mathit{y},\mathit{C},h,{\left\{s{k}_i\right\}}_{i\in \left[N\right]\backslash \left\{h\right\}}\right)$ for $P_h$, and the decryption results of the simulated part are published in the third round, instead of the real decryption.

A series of mixed attack games are used to prove that the real result and the simulated result cannot be distinguished, namely $IDEA{L}_{F,S,Z}\stackrel{\mathrm{comp}}{\approx }REA{L}_{\pi ,A,Z}$. Z represents a specific environment.

Game $REA{L}_{\pi ,A,Z}$: In the real environment Z, there is a semi-malicious adversary who executes protocol ${\mathit{\pi }}_f$.

Game $HY{B}_{\pi ,A,Z}$: Similar to game $REA{L}_{\pi ,A,Z}$, the difference is that it is assumed that $P_h$ obtains all the private keys ${\left\{s{k}_i\right\}}_{i\in \left[N\right]\backslash \left\{h\right\}}$ after the second round, and in the third round, the simulated part is used to decrypt ${\mathit{\rho }}_h^{\prime }\leftarrow S\left(\mathit{y},\mathit{C},h,{\left\{s{k}_i\right\}}_{i\in \left[N\right]\backslash \left\{h\right\}}\right)$ instead of the real decryption being released.

Game $IDEA{L}_{F,S,Z}$: Similar to game $HY{B}_{\pi ,A,Z}$, except that in the second round, $P_h$ uses 0 to replace the real input encryption and is released. □

Lemma 1.

$REA{L}_{\pi ,A,Z}\stackrel{\mathrm{stat}}{\approx }HY{B}_{\pi ,A,Z}$

Proof. 

The difference between the two games is that the decryption ${\mathit{\rho }}_h^{\prime }$ of the real part of $P_h$ is replaced by analog decryption ${\mathit{\rho }}_h^{\prime }$. So, if $\mathit{v}=\mathit{\mu }\lceil \frac{q}{2}\rceil +{\mathit{e}}^{\prime }$, its simulated decryption algorithm can be

$$\begin{gathered} {\mathit{\rho }}_h^{\prime }=N\mathit{\mu }\lceil \frac{q}{2}\rceil +N{\mathit{e}}^{\prime }-{\displaystyle \sum _{i\ne h}{\overline{\mathit{t}}}_i}\mathit{C}{\mathit{G}}^{-1}\left(w^T\right)+{\mathit{\epsilon }}_h^{\prime } \\ =N\mathit{\mu }\lceil \frac{q}{2}\rceil +N{\mathit{e}}^{\prime }+{\mathit{\epsilon }}_h^{\prime }-{\displaystyle \sum _{i\ne h}{v}_i} \end{gathered}$$

where $e^{\prime }\leftarrow \chi$, ${\epsilon }_h^{\prime }\leftarrow \chi$.

The real decryption result of $P_h$ is: if $\mathit{v}=\frac{1}{N}{\displaystyle \sum _{i\in \left[N\right]}{\mathit{v}}_i}=\mathit{\mu }\lceil \frac{q}{2}\rceil +{\mathit{e}}^{\prime }\Rightarrow N{\mathit{e}}^{\prime }={\displaystyle \sum _{i\in \left[N\right]}{\mathit{v}}_i}-N\mathit{\mu }\lceil \frac{q}{2}\rceil$, then:

$$\begin{gathered} {\mathit{\rho }}_h={\mathit{\eta }}_h{\mathit{G}}^{-1}\left({\mathit{w}}^T\right)+{\mathit{\epsilon }}_h={\mathit{v}}_h+{\mathit{\epsilon }}_h \\ ={\displaystyle \sum _{i\in \left[N\right]}{\mathit{v}}_i}-{\displaystyle \sum _{i\ne h}{\mathit{v}}_i}+{\mathit{\epsilon }}_h \\ ={\displaystyle \sum _{i\in \left[N\right]}{\mathit{v}}_i}-N\mathit{\mu }\lceil \frac{q}{2}\rceil +N\mathit{\mu }\lceil \frac{q}{2}\rceil -{\displaystyle \sum _{i\ne h}{\mathit{v}}_i}+{\epsilon }_h \\ =N{\mathit{e}}^{’}+N\mathit{\mu }\lceil \frac{q}{2}\rceil -{\displaystyle \sum _{i\ne h}{\mathit{v}}_i}+{\epsilon }_h \end{gathered}$$

where ${\epsilon }_h\leftarrow \chi$.

It is easy to determine that ${\epsilon }_h$ and ${\epsilon }_h^{\prime }$ are statistically indistinguishable, which proves that ${\mathit{\rho }}_h$ and ${\mathit{\rho }}_h^{\prime }$ cannot be distinguished, so the conclusion is proven. □

Lemma 2

. $HY{B}_{\pi ,A,Z}\stackrel{\mathrm{comp}}{\approx }IDEA{L}_{F,S,Z}$

Proof 

. The ciphertext generated by $P_h$ is the only difference between the two games. From the semantic security of the encryption method of the NFHE scheme, it can be seen that the ciphertext is computationally indistinguishable, so the two games are also computationally indistinguishable.

From Lemma 1 and Lemma 2, $IDEA{L}_{F,S,Z}\stackrel{\mathrm{comp}}{\approx }REA{L}_{\pi ,A,Z}$ can be obtained.

End. □

5.3.3. In Malicious Model

Due to the SMC protocol under the CRS model, if the protocol is proven to be safe under the semi-malicious model, the protocol can be converted into a protocol under the malicious model by non-interactive zero-knowledge proofs (NIZKs) [21]. Therefore, the SMC protocol designed in this paper is also safe under the malicious model.

5.4. Performance and Comparison

References [11,12] are both single-bit SMC protocols. If B is the number of input bits, then the two schemes need to be repeated B times. Reference [16] and the SMC protocol in this paper both support multi-bit encryption, which only needs to be executed once.

Compared with the protocol in reference [16], the protocol constructed in this paper has the following two improvements.

(a) From the perspective of efficiency, the protocol constructed in this paper improves the ciphertext size ${(n+1)}^2{\lceil \log q\rceil }^2$ by modifying the expansion method of the GSW13 scheme, and the obtained cipher-text size is $\frac{{(n+1)}^2{\lceil \log q\rceil }^2}{\lceil \log p\rceil }$. In addition, under the multi-bit encryption, the ciphertext size is $\frac{{(n+B)}^2{\lceil \log q\rceil }^2}{\lceil \log p\rceil }$, as shown in

Table 1. Performance comparison of SMC protocol based on FHE.

Protocol	Basic	Rd	CTE Ratio	Depth	Ciphertext Size
Mukherjee et al. [11]	GSW13	2	$O(1)$	$\tilde{O}\left(BN{\left(nd\right)}^{\omega }\right)$	${(n+1)}^2{\lceil \log q\rceil }^2$
Wang et al. [12]	GSW13	3	$O(1)$	$\tilde{O}\left(B{\left(nd\right)}^{\omega }\right)$	${(n+1)}^2{\lceil \log q\rceil }^2$
Tang et al. [16]	GSW13	3	$O(1)$	$\tilde{O}\left({\left(nd\right)}^{\omega }\right)$	${(n+B)}^2{\lceil \log q\rceil }^2$
Ours	GSW13	3	$O(1)$	$\tilde{O}\left({\left(nd\right)}^{\omega }\right)$	$\frac{{(n+B)}^2{\lceil \log q\rceil }^2}{\lceil \log p\rceil }$

. Therefore, the performance of the protocol under the existing CRS model is the best.

(b) Moreover, in terms of storage overhead, the ciphertext of the NFHE scheme based on the SMC protocol in this paper is a matrix, so the ciphertext expansion rate is also $O(1)$. At the same time, since the size of the ciphertext is much larger than the size of the key, the protocol in this paper effectively reduces the storage overhead of the system by greatly compressing the size of the ciphertext.

The main performance comparison of the existing secure multi-party computation protocols based on fully homomorphic encryption under the CRS model is shown in Table 1, where “Basic” represents the basic fully homomorphic encryption scheme used in the protocol; “Rd” represents the protocol Interactive rounds; “CTE Ratio” represents the ciphertext expansion ratio; “Depth” represents the complexity of the NAND gate; and the last column “Ciphertext Size” represents the size of the ciphertext. B is the number of input bits; N is the number of users; n is the lattice dimension; d is the NAND depth of the circuit to be evaluated; $\omega <2.3727$ is a constant; $q\in \mathbb{Z}$ is a modulus; and p is a power of 2.

6. Conclusions

Based on the efficient FHE scheme, a leveled, multi-bit, multi-key, secure multi-party computation protocol under the CRS model is constructed in this paper. This protocol has a total of three rounds of communication, which is proven to be safe in a semi-honest and semi-malicious environment, and the security is based on DLWE and the some-are-errorless LWE. Moreover, compared with the existing protocol, the ciphertext expansion rate of this protocol is small, and the multi-bit encryption greatly reduces the number of homomorphic calculations. Meanwhile, the complexity of the NAND gate is low, and the ciphertext size is small. The overall performance is optimal among the existing FHE-based secure multi-party computation protocols. Therefore, for the next study steps, attention will be paid to how to conduct the appropriate methods to ensure the safe transmission of data and meet the coordination requirements of the session when implementing the protocol. Meanwhile, the protocol will be further improved to achieve practical standards.