Efficient Batch Fully Homomorphic Encryption with a Shorter Key from Ring-LWE

Abstract

Fully homomorphic encryption allows users to use the computing resources of cloud servers for the computation of encrypted data without worrying about data leakage. The fully homomorphic encryption approach has problems with excessive noise and the expansion of the ciphertext dimension after the homomorphic evaluation. The key switching technology effectively solves the problem of the ciphertext dimension expansion. The generated evaluation key is a masked secret key that must be shared between the data owner and the computational entity, so the security must be guaranteed. In the RLWE-based FHE scheme, the efficiency improvement of the key switching depends on the circular security assumption, meaning the security needs to be improved. To solve the above problems, we select the secret key from the noise distribution with variable parameters so that the evaluation key and the initial noise of the encryption scheme are smaller. Specifically, the secret key is replaced after each homomorphic evaluation to ensure the security. We use the “modulus scaling” method to control the noise generated by itself, rather than the BitDecomp technology, which is complex when applied to polynomials. Finally, we combine the packing technology that relies on the polynomial CRT (Chinese remainder theorem) to design a batch-leveled fully homomorphic encryption scheme. We analyze the scheme’s noise, security proof, and specific security parameters. Compared with the FV12 scheme, our scheme is more secure. Compared with the MB18 scheme, our evaluation key size is smaller.

1. Introduction

Fully homomorphic encryption is an ideal privacy protection scheme for the cloud environment. It can compute encrypted data without a secret key, and the resulting ciphertext can be decrypted correctly. This allows the cloud server to complete the processing of the data without disclosing sensitive information, while protecting the users’ data and privacy security and making full use of the cloud server’s computing power. At present, fully homomorphic encryption technology has been widely used in deep learning [1,2], secure multiparty computation [3,4], and other fields. The first fully homomorphic encryption scheme was proposed by Gentry [5], which was constructed based on the bounded distance decoding problem (BDDP) and sparse subset sum problem (SSSP) on the ideal lattice. Firstly, an encryption scheme that can perform finite degree homomorphic evaluation is constructed. Then, the noise growth is controlled using “bootstrapping” technology to achieve an arbitrary degree of homomorphic evaluation. Smart and Vercauteren [6] proposed a variant of Gentry’s scheme [5] SV10 with a relatively small key and ciphertext size. Then, Gentry and Halevi [7] optimized the key generation process for SV10, but the limited condition of the finite field made the key generation algorithm very complex. The first-generation FHE (fully homomorphic encryption) scheme based on the ideal lattice has many disadvantages: (1) the complex construction; (2) the low efficiency of the encryption and decryption processes; (3) the security proof of the SSSP assumption is not sufficient. The construction of the second-generation FHE scheme is based on the LWE (learning with errors) or RLWE (ring LWE) assumption [8,9], whereby the security can be reduced to standard problems in the lattice without additional assumptions. In 2011, Brakerski and Vaikuntanathan [10] first used the LWE problem to construct the BV11 scheme, which uses a re-linearization method to achieve fully homomorphic encryption, breaking the construction framework used by Gentry. In 2012, Brakerski et al. [11] constructed the BGV12 scheme. They sorted out the re-linearization technology in the BV11 scheme and proposed the key switching technology and module switching technology schemes. They constructed a leveled FHE scheme with these technologies. Then, Brakerski [12] constructed a scale-invariant FHE scheme using tensor product technology, which no longer requires the module switching technology to compress the scheme noise. Later, Fan et al. [13] proposed the FV12 scheme to transplant the LWE-based Bra12 scheme to the RLWE problem. Two optimization methods were proposed to solve the problem of the low efficiency of the RLWE-based key switching technology. However, they rely on the circular security assumption without changing the key after re-linearization, which risks leaking the key. The second-generation FHE scheme is simple and efficient. However, bootstrapping technology is needed to gain an unbound number of computations for the ciphertext. The improvement of the bootstrapping process is one of the current research directions [14,15] because of its low efficiency. The leveled fully homomorphic encryption scheme can evaluate arbitrary polynomials homomorphically, which can meet the requirements of most applications. The research on the leveled FHE scheme mainly focuses on how to reduce the ciphertext size effectively [16], control the noise growth after the homomorphic evaluation [17], and explore new methods to construct the FHE scheme [18]. The key switching technology is an important technology scheme used to control the ciphertext dimensions, and its optimization is also an important direction to improve the leveled fully homomorphic encryption scheme.

Unlike the optimization of the above fully homomorphic encryption self-construction technology, researchers have tried to make breakthroughs in parallel computing. Under the construction of the first-generation fully homomorphic scheme, Smart et al. [19] improved the SV10 scheme. They used the polynomial CRT to construct the ‘plaintext slot’ and showed how to select parameters to achieve SIMD operations while maintaining the practicability of the key generation technology [7]. Gentry, Halevi, and Smart [20] implemented the homomorphic evaluation of a multi-logarithm overhead in the RLWE-based FHE scheme using the packing technology from SV11. In 2013, Brakerski et al. [21] proposed a packing method based on the LWE assumption, which can simplify the homomorphic scheme of the data movement on the plaintext slot. However, the asymptotic efficiency is not as good as the packing method based on the RLWE with the polynomial CRT. Chen [22] proposed a multi-bit FHE scheme with a shorter public key size based on the improvement of [21]. Since then, researchers have proposed many methods to improve the parallel efficiency of the fully homomorphic encryption process [23,24].

Regarding fully homomorphic encryption, many related studies have been focused on RLWE, relying on ring polynomials. Compared to the LWE problem, RLWE has many advantages: (1) the RLWE scheme has a great algebraic structure and simple lattice cipher characteristics; (2) the polynomial product in RLWE can be realized via fast Fourier transformation [25], and the multiplication evaluation is faster than that in LWE; (3) the batch technology based on RLWE is more efficient than the multi-bit technology based on LWE. Therefore, this paper studies how to improve the efficiency and security of fully homomorphic encryption schemes based on RLWE.

The key switching technology is proposed to solve the problem of dimension expansion of the ciphertext after homomorphic evaluation, especially after homomorphic multiplication. Its essence is to encrypt the old key with a new key as the evaluation key, which is used as auxiliary information to convert the long ciphertext under the old key into the short ciphertext under the new key. The key replacement is performed to avoid the circular security assumption. The circular security assumption is that it is safe to encrypt the leveled FHE secret key under its public key. Some problems arise when encryption schemes rely on the circular security assumption. On the one hand, to design a scheme that satisfies the circular security, it is necessary to follow a specific structure that will make the scheme complex. On the other hand, the existing schemes [26,27] that can satisfy the circular security assumption have problems with noncompact ciphertexts and low encryption and decryption efficiency rates.

The key switching technology based on LWE compresses the noise introduced from the binary expansion, which is more complex for polynomials. The scheme based on RLWE achieves the compression of the ciphertext dimension using re-linearization technology. The technology also requires the evaluation key to help implement ciphertext updates, but the difference is that the key is not changed after re-linearization. The evaluation key is neither an RLWE instance nor a real encryption of the key, but rather a masking version with noise added. The scheme relies on the weak circular security assumption; that is, the scheme is still secure when the adversary obtains the evaluation key, although the security requires more proof.

Our Contribution. We first propose that the secret key $s$ can be restricted to sampling from the error distribution on the ring via a transformation. This error distribution can be replaced by a smaller distribution with the variable parameter to make $s$ smaller. Since the essence of the evaluation key is the encrypted secret key, selecting the key from the new distribution reduces the noise of the scheme and the size of the evaluation key. Second, we propose a new key switching technology to use the method of “modulus scaling” to reduce the introduced noise, which is simple and efficient. Our key switching technology is as efficient in the RLWE-based scheme as in the LWE-based scheme, without depending on the circular security assumption. Specifically, we enlarge the modulus to accommodate the large noise generated by the process and finally reduce the modulus and noise without affecting the ciphertext update. Changing the key after each multiplication means that the leveled FHE scheme that can evaluate the L-leveled arithmetic circuit needs L keys, which will sacrifice the efficiency.

To further improve the efficiency of the leveled fully homomorphic encryption scheme based on RLWE, we also consider using batch technology. The polynomial Chinese remainder theorem is used to package multiple plaintexts into a ciphertext to improve the utilization of space and computing resources. Finally, we obtain a batch-leveled fully homomorphic encryption scheme with the shorter key without a circular security assumption. Our parameter size is better than the MB18 [28] scheme with the same batch technology.

Organization. The second chapter describes the notation and some basic definitions we need to use. The third chapter firstly proves that the secret key can be selected from a small noise distribution, and the security of the scheme is not affected. Then, the basic encryption scheme and the optimized key switching technology are described in detail. We also give the correctness and security proof. The fourth chapter describes how to construct a batch scheme by combining our key switching technology and the packing technology based on the polynomial CRT. The correctness and security proof of the scheme are given. The fifth chapter presents the parameter setting of the scheme and the parameter comparison of other schemes. The sixth chapter provides a summary.

2. Preliminaries

Notation. In the construction of the scheme, we will use a polynomial ring $R=\mathbb{Z}\left[x\right]∕\left(f\left(x\right)\right)$, where $f\left(x\right)\in \mathbb{Z}\left[x\right]$ is an irreducible polynomial with the degree $d$. Let $f\left(x\right)=x^d+1$. The elements in a polynomial ring $R$ are represented in lowercase, and the polynomial vectors are represented in bold lowercase. For example, the coefficient of element $a\in R$ is represented by $a_i$; that is, $a={\displaystyle \sum }_{i=0}^{d-1}{a}_i·x^i$. The infinity norm of polynomial $a$’s coefficient vector is defined as $\Vert a\Vert$, and the $l_1$-Norm is defined as $\Vert a{\Vert }_1$. The expansion factor of $R$ is defined as ${\delta }_R=max\left\{\frac{\Vert a·b\Vert }{\left(\Vert a\Vert ·\Vert b\Vert \right)}:a,b\in R\right\}$. When $d$ is the power of 2, then ${\delta }_R=d$. Let $q>1$ be an integer. Let ${\mathbb{Z}}_q$ denote the set of integers $(-q/2,q/2]$. For $x\in \mathbb{Z}$, we use ${\left[x\right]}_q$ to represent the unique integer in ${\mathbb{Z}}_q$. For $a\in R$, the notation ${\left[a\right]}_q$ denotes the coefficient modulus $q$ of polynomial $a$. Here, $\left[x\right]$ represents an integer set $\left\{1,2,\dots ,x\right\}$; $x\leftarrow \mathcal{D}$ denotes the random uniform sampling of $x$ from distribution $\mathcal{D}$. All logarithms are based on 2. The tensor product of two vectors $\mathit{v},\mathit{w}$ composed of polynomials with the same dimension is denoted as $\mathit{v}\otimes \mathit{w}$, and the inner product of the two tensor products is denoted as:

$$\langle \mathit{v}\otimes \mathit{w},\mathit{x}\otimes \mathit{y}\rangle =\langle \mathit{v},\mathit{x}\rangle ·\langle \mathit{w},\mathit{y}\rangle .$$

$\mathrm{BitDecomp} \left(\mathit{x}\in {\mathbb{Z}}^n\right)$ decomposes vector $\mathit{x}$ into its bit representation. Namely, $\mathit{x}={\displaystyle \sum }_{j=0}^{\lfloor \log q\rfloor }{2}^j\cdot {\mathit{u}}_j$ with all ${\mathit{u}}_j\in {\mathbb{Z}}_2^n$ outputs $\left({\mathit{u}}_0,{\mathit{u}}_{\mathbf{1}},\dots ,{\mathit{u}}_{\lfloor \mathbf{log}\mathit{q}\rfloor }\right)\in {\mathbb{Z}}_2^{n\cdot \lceil \log q\rceil }$.

2.1. RLWE

Lyubashevsky, Peikert, and Regev [29] introduced the ring learning with errors problem.

Definition 1 (Decision RLWE).

For security parameter $\lambda$, let $f\left(x\right)=x^d+1$, where $d=d\left(\lambda \right)$ has a power of 2. For $q=q\left(\lambda \right)\ge 2$, let $R=\mathbb{Z}\left[x\right]/\left(f\left(x\right)\right)$ and $R_q=R/qR$. Let $\chi =\chi \left(\lambda \right)$ be a distribution over $R$. The ${\mathrm{DRLWE}}_{d,q,\chi }$ problem is used to distinguish the following two distributions: the first distribution $\left(a_i,b_i\right) \in U(R_q^2)$ and the second distribution $\left(a_i,b_i\right)\in R_q\times R_q$, where $b_i=a_i·s+e_i$ with $s\leftarrow R_q$, $e_i\leftarrow \chi$, $a_i\leftarrow R_q$. The ${\mathrm{DRLWE}}_{d,q,\chi }$ assumption is that the ${\mathrm{DRLWE}}_{d,q,\chi }$ problem is difficult.

The RLWE problem is a variant of the LWE problem. DRLWE is a decision version of RLWE. In the worst case, the shortest vector problem (SVP) can be reduced to RLWE.

Theorem 1.

Let $d$ be the power of 2, and ring $R=\mathbb{Z}\left[x\right]/\left(f\left(x\right)\right)$, where $f\left(x\right)=x^d+1$, the prime integer $q=1 mod d$, and $B=\omega \left(\sqrt{d\log d}\right)$. There is an efficiently samplable distribution $\chi$, which can output elements of $R$ with a length at most $B$ with overwhelming probability, such that if there exists an efficient algorithm to solve the ${\mathrm{RLWE}}_{d,q,\chi }$ problem, then there is an efficient quantum algorithm to solve $d^{\omega \left(1\right)}·Here,\left(q/B\right)$ is the approximate worst-case SVP problem for ideal lattices over $R$.

Here, we define the B-bounded distribution as a distribution from sampling size not exceeding $B$.

Definition 2 (Polynomial B-Bounded Distribution).

Sample $x\leftarrow \chi$, $x\in \left[-B,B\right]$, then the distribution $\chi$ on the polynomial is B-bounded, denoted as $\Vert \chi \Vert \le B$.

2.2. A Generic Transformation

The binary LWE assumption given by Brakerski et al. [30] is that the original dimension $n$ is increased to $n\log \mathrm{q}$ to maintain the same security level when the key is selected from $U\left({\mathbb{Z}}_2\right)$. In this section, we prove that the key $s$ can be selected from $R_2$, and it is safe without changing the dimensions of the key.

In the following, we prove that through a transformation $T$, the sample of distribution ${\mathrm{A}}_{\mathrm{s},\mathsf{\chi }}^{*}$ can be mapped to the distribution ${\mathrm{A}}_{\mathsf{\kappa },\mathsf{\chi }}^{*}$. Therefore, $\mathrm{s}$ can be limited to be sampled from the error distribution $\mathsf{\chi }$ rather than uniformly sampled in ${\mathrm{R}}_{\mathrm{q}}$, without any security problems.

Lemma 1.

For the modulus $q$, there is an arbitrary $s\in R_q$ and error distribution $\chi$. There is an absolute advantage of the polynomial time transformation $T$, which maps $A_{s,\chi }^{*}$ to $A_{\kappa ,\chi }^{*}$, where $\kappa \leftarrow \chi$, and maps $U\left(R_q^{*}\times R_q\right)$ to itself.

Proof. 

The transformation $\mathit{T}$ is allowed to access the distribution $\mathit{D}$ over the set ${\mathrm{R}}_{\mathrm{q}}^{*}\times {\mathrm{R}}_{\mathrm{q}}$, where the distribution $\mathit{D}$ is ${\mathrm{A}}_{\mathrm{s},\mathsf{\chi }}^{*}$ or there is a uniform distribution $\mathrm{U}\left({\mathrm{R}}_{\mathrm{q}}^{*}\times {\mathrm{R}}_{\mathrm{q}}\right)$. The following involves two steps to prove the above lemma.

(1)

Transform $T$ obtains the sample $\left(\overline{\mathrm{a}},\overline{\mathrm{b}}\right)\in {\mathrm{R}}_{\mathrm{q}}^{*}\times {\mathrm{R}}_{\mathrm{q}}$ by sampling at random from the distribution $D$. When $D$ is ${\mathrm{A}}_{\mathrm{s},\mathsf{\chi }}^{*}$, the sample $\left(\overline{\mathrm{a}},\overline{\mathrm{b}}\right)$ satisfies $\overline{\mathrm{b}}=\overline{\mathrm{a}}·\mathrm{s}+\mathsf{\kappa }$, where $\mathsf{\kappa }\leftarrow \mathsf{\chi }$.

(2)

The samples selected from distribution $D$ are transformed into a different distribution. The additional samples $\left(\mathrm{a},\mathrm{b}\right)\in {\mathrm{R}}_{\mathrm{q}}^{*}\times {\mathrm{R}}_{\mathrm{q}}$ are selected from $D$. The samples $\left(\overline{\mathrm{a}},\overline{\mathrm{b}}\right)$ are transformed to $\left({\mathrm{a}}^{\prime },{\mathrm{b}}^{\prime }\right)\in {\mathrm{R}}_{\mathrm{q}}^{*}\times {\mathrm{R}}_{\mathrm{q}}$ by transform $T$, where ${\mathrm{a}}^{\prime }={\left(-\overline{\mathrm{a}}\right)}^{-1}·\mathrm{a}$, ${\mathrm{b}}^{\prime }=\mathrm{b}+{\mathrm{a}}^{\prime }·\overline{\mathrm{b}}$.

Since $\overline{\mathrm{a}}\in {\mathrm{R}}_{\mathrm{q}}^{*}$ and $\mathrm{a}\in \mathrm{U}\left({\mathrm{R}}_{\mathrm{q}}^{*}\right)$, ${\mathrm{a}}^{\prime }\in {\mathrm{R}}_{\mathrm{q}}^{*}$ is uniform. If the distribution $D$ is uniformly distributed $\mathrm{U}\left({\mathrm{R}}_{\mathrm{q}}^{*}\times {\mathrm{R}}_{\mathrm{q}}\right)$, because $b$ and $\overline{b}$ are uniform, the sample $\left({\mathrm{a}}^{\prime },{\mathrm{b}}^{\prime }\right)$ belongs to $\mathrm{U}\left({\mathrm{R}}_{\mathrm{q}}^{*}\times {\mathrm{R}}_{\mathrm{q}}\right)$. It holds that the transformation maps the distribution $\mathrm{U}\left({\mathrm{R}}_{\mathrm{q}}^{*}\times {\mathrm{R}}_{\mathrm{q}}\right)$ to itself; if the distribution $D$ is ${\mathrm{A}}_{\mathrm{s},\mathsf{\chi }}^{*}$, then $\mathrm{b}=\mathrm{a}·\mathrm{s}+\mathrm{e}\in {\mathrm{R}}_{\mathrm{q}}$, $\mathrm{e}\leftarrow \mathsf{\chi }$, so it holds that:

$$\begin{array}{ll}{\mathrm{b}}^{\prime }& =\mathrm{b}+{\mathrm{a}}^{\prime }·\overline{\mathrm{b}}\\ & =\mathrm{a}·\mathrm{s}+\mathrm{e}+{\mathrm{a}}^{\prime }·\left(\overline{\mathrm{a}}·\mathrm{s}+\mathsf{\kappa }\right)\\ & ={\mathrm{a}}^{\prime }·\mathsf{\kappa }+\mathrm{e}.\end{array}$$

Therefore, $\left({\mathrm{a}}^{\prime },{\mathrm{b}}^{\prime }\right)$ is selected from distribution ${\mathrm{A}}_{\mathsf{\kappa },\mathsf{\chi }}^{*}$. The transformation maps the distribution ${\mathrm{A}}_{\mathrm{s},\mathsf{\chi }}^{*}$ to the distribution ${\mathrm{A}}_{\mathsf{\kappa },\mathsf{\chi }}^{*}$. As such, Lemma 1 is proved. □

Lemma 2.

([31]). For $m \ge 2$, we consider m-th cyclotomic polynomials of degree$n=\varphi \left(m\right)$. Then, for any $q\ge 2$, the fraction of reversible elements in $R_q$ is at least $1/poly\left(n, \log q\right)$.

According to Lemma 2, the probability of selecting reversible elements from $R_q$ is large, so the probability of selecting samples satisfying the distribution $R_q^{*}\times R_q$ from the distribution $R_q\times R_q$ is large. Therefore, according to Lemma 1, $s$ can be sampled from the error distribution χ.

Theorem 2.

([31]). Let ${\rm K}$ be the m-th cyclotomic number field with dimension $n=\varphi \left(m\right)$ and let $R=O_{{\rm K}}$ be its integer ring. Let $\alpha <\sqrt{\log n/n}$. Let $q=q\left(n\right)\ge 2$, $q=1 mod m$ be a prime integer of a polynomial bounded by $n$ so that $\alpha q\ge \omega \sqrt{\log n}$. Then, there will be a quantum reduction in the polynomial time from $\tilde{O}\left(\sqrt{n}/\alpha \right)$, the approximate SIVP (or SVP), on the ideal lattice of ${\rm K}$ to ${\mathrm{DRLWE}}_{q,Y_{\alpha }}$. Alternatively, for the arbitrary $\ell >1$, we can replace $\tilde{O}\left(\sqrt{n}/\alpha \right)$), the approximate SIVP (or SVP), by solving the ${\mathrm{DRLWE}}_{q,D_{\xi }}$ problem of the given $\ell$ samples, where $\xi =\alpha {\left(n\ell /\log \left(n\ell \right)\right)}^{1/4}$.

It is enough to know that $\mathsf{\Psi }$ and$D_{\xi }$ are the Gaussian distributions. See [32] for specific definitions. In the second reduction in Theorem 2, the DLWE of the fixed spherical error distribution $D_{\xi }$ can be used to replace the distribution of the error distribution in the lattice reduction. $D_{\xi }$ is a distribution affected by parameters. When the number of samples $\ell$ is small, this is desirable in applications. The reduction in both leads to essentially the same error parameters. We prove that the key $s$ can be selected from the error distribution $\chi$. We use the error distribution $D_{\xi }$ instead of the distribution $\chi$ so that $s$ can be sampled from the error distribution $D_{\xi }$, meaning the security is unchanged. When the sample number $\ell$ is small enough, the error distribution $D_{\xi }$ is limited to be small enough that $s\in R_2$, with an overwhelming probability.

2.3. Packing

This section introduces the batch technology that we will use, the packing technology of the polynomial Chinese remainder theorem, so that each ciphertext can correspond to multiple independent plaintexts and improve the encryption efficiency.

Definition 3

(Polynomial Chinese Remainder Theorem) [20]). Let $f_1\left(x\right),\cdots ,f_n\left(x\right)$ be $n\ge 2$ pairwise coprime polynomials. For arbitrary n polynomials $g_1\left(x\right),\cdots ,g_n\left(x\right)$, there is a unique polynomial $G\left(x\right)$, such that $G\left(x\right)\equiv g_i\left(x\right)\left(mod f_i\left(x\right)\right)$ and $G\left(x\right)={\displaystyle \sum }_{i=1}^n{g}_i\left(x\right)H_i\left(x\right)M_i\left(x\right)$$\left(mod F\left(x\right)\right)$, where $H_i\left(x\right)=\frac{F\left(x\right)}{f_i\left(x\right)}, M_i\left(x\right)=1/H_i\left(x\right)\left(mod f_i\left(x\right)\right)$,$i\in \left[n\right]$.

Our scheme is based on the algebraic structure $R_2=R/2R={\mathbb{Z}}_2\left[x\right]/f\left(x\right)$. In practical applications, $f\left(x\right)$ is generally set as the cyclotomic polynomial ${\mathsf{\Phi }}_m\left(x\right)$ with degree $\phi \left(m\right)=d$, while $\phi (·)$ represents the Euler function. The cyclotomic polynomial ${\mathsf{\Phi }}_m\left(x\right)$ can be decomposed into $n$ factors $f_i\left(x\right)$ with degree $d^{\prime }$ under module 2, namely ${\mathsf{\Phi }}_m\left(x\right)={\displaystyle \prod }_{i=1}^n{f}_i\left(x\right) mod 2$, which satisfies $2^{d^{\prime }}\equiv 1\left(mod m\right)$ and $n·d^{\prime }=\phi \left(m\right)$. ${\mathbb{F}}_p$ represents the finite field. According to the polynomial CRT in Definition 3, there is the following isomorphism relationship:

$$\begin{gathered} {R}_2\cong {\mathbb{Z}}_2\left[x\right]/f_0\left(x\right)\times {\mathbb{Z}}_2\left[x\right]/f_1\left(x\right)\times \cdots \times {\mathbb{Z}}_2\left[x\right]/f_{n-1}\left(x\right) \\ \cong {\mathbb{F}}_{2^{d^{\prime }}}\times \cdots \times {\mathbb{F}}_{2^{d^{\prime }}} \end{gathered}$$

Namely, the elements on$R_2$ have a mapping relationship with $n$ elements in ${\mathbb{F}}_{2^{d^{\prime }}}\cong {\mathbb{Z}}_2\left[x\right]/f_i\left(x\right)$. If we set $T_i={\mathbb{Z}}_2\left[x\right]/f_i\left(x\right),i\in \left[n\right]$, it holds that:

$$\begin{gathered} \mathsf{\Gamma }:\{\begin{array}{c}{\mathbb{F}}_{2^{d^{\prime }}}\to T_i\\ m_i\mapsto {\mathsf{\Gamma }}_i\left(m_i\right)\end{array} \\ \mathsf{\Psi }:\{\begin{array}{c}{\mathbb{Z}}_2\left[x\right]/f_1\left(x\right)\times {\mathbb{Z}}_2\left[x\right]/f_2\left(x\right)\times \cdots \times {\mathbb{Z}}_2\left[x\right]/f_n\left(x\right)\to R_2\\ \left(h_1,\cdots ,h_n\right)\mapsto {\displaystyle \sum }_{i=1}^n{h}_i{H}_i\left(x\right)M_i\left(x\right)\end{array} \end{gathered}$$

where $H\left(x\right)={\mathsf{\Phi }}_m\left(x\right)/f_i\left(x\right),M_i\left(x\right)=1/H_i\left(x\right)\left(mod f_i\left(x\right)\right)$. The mapping of ${\mathsf{\Gamma }}_i$ is isomorphic from ${\mathbb{F}}_{2^{d^{\prime }}}$ to ${\mathbb{Z}}_p\left[x\right]/f_i\left(x\right),i\in \left[n\right]$ and the mapping of $CRT\left(X\right)=\mathsf{\Gamma }\circ \mathsf{\Psi }$ is isomorphic from ${\mathbb{F}}_{2^{d^{\prime }}}^n$ to $R_2$.

Here, we set polynomial vectors $\mathit{a},\mathit{b}\in R_2^n$, and according to the above isomorphism relationship we get:

$$\begin{gathered} CR{T}^{-1}\left(CRT\left(\mathit{a}\right)+CRT\left(\mathit{b}\right)\right)=\mathit{a}+\mathit{b} mod 2, \\ CR{T}^{-1}\left(CRT\left(\mathit{a}\right)\times CRT\left(\mathit{b}\right)\right)=\mathit{a}\times \mathit{b} mod 2. \end{gathered}$$

3. Building Block

3.1. Basic RLWE-Based Encryption

In Section 2.2, we proved that there is a transformation that means that the secret key $s$ is selected from $R_2$ rather than $R_q$ with an overwhelming probability, which does not affect the security of the scheme. This will be our optimization approach to make the scheme have less initial noise. Because the evaluation key generated by the key switching contains the private key, it will be also reduced. Although the FV12 [13] scheme proposes that the private key can be selected from $R_2$, the Hamming weight of the secret key is limited without further proof. The following describes our basic encryption scheme, which is a somewhat homomorphic encryption scheme. Here, $q$ is a prime numberand $\chi$ is the error distribution on $R_q$. The basic encryption scheme is defined as follows:

• $\mathrm{RE}.\mathrm{SecretKeyGen}(1^{\lambda }):$ Sample $s\leftarrow R_2$. Output $sk=s$.
• $\mathrm{RE}.\mathrm{PublicKeyGen}\left(sk\right):$ Input $\mathrm{s}k=s$. Sample $a\in R_q$, $e\leftarrow \mathsf{\chi }$, and then compute $b=-as+e mod q$. Output $pk=\left(b,a\right)\in R_q\times R_q$.
• $\mathrm{RE}.\mathrm{Encrypt}\left(pk,m\right):$ To encrypt a message $m\in R_2$. Set $b=pk\left[0\right]$, $a=pk\left[1\right]$, sample $e_1$, $e_2\leftarrow \chi$, $u\leftarrow R_2$. Compute $c_0=bu+\lfloor \frac{q}{2}\rfloor ·m+e_1 mod q$, $c_1=au+e_2 mod q$. Output $\mathit{c}=\left(c_0,c_1\right)\in R_q\times R_q$.
• $\mathrm{RE}.\mathrm{Decrypt}\left(sk,c\right):$ Input $\mathrm{s}k=s$. Compute $m=\lfloor 2/q{\left[\langle c,\left(1,s\right)\rangle \right]}_q\rceil mod 2$.

Security. The semantic security of the cryptosystem follows from the RLWE assumption by noting that ($bu+e_1$,$au+e_2$) is pseudorandom, meaning the ciphertext is indistinguishable from one that carries no information on the message.

To prove that the decryption is correct for properly encrypted ciphertexts, we prove the following lemma.

Lemma 3.

Using the notation of the above encryption scheme$RE$ and assuming that $\Vert \chi \Vert <B$, it holds that:

$${[\langle \mathit{c},\left(1,s\right)\rangle ]}_q=\lfloor \frac{q}{2}\rfloor ·m+\tilde{e}$$

(1)

with $\Vert \tilde{e}\Vert \le B·\left(2·{\delta }_R+1\right)$. This means that for $B·\left(2·{\delta }_R+1\right)<\lfloor q/2\rfloor /2$, the decryption work is correct.

Proof. 

By the definition of module $q$:

$$\begin{array}{ll}\langle \mathit{c},\left(1,s\right)\rangle & =c_0+c_1·s=b·u+e_1+\lfloor \frac{q}{2}\rfloor ·m+a·u·\mathrm{s}+e_2·s mod q\\ & =\lfloor \frac{q}{2}\rfloor ·m+e·u+e_1+e_2·s mod q.\end{array}$$

Since the error term $\lfloor \frac{q}{2}\rfloor ·m+e·u+e_1+e_2·s$ is small enough, we get $\tilde{e}=e·u+e_1+e_2·s$. Since $e,e_1,e_2\leftarrow \chi$ and $u,s\leftarrow R_2$, we get $\Vert u\Vert =\Vert s\Vert =1$ and get the bound term above $\Vert \tilde{e}\Vert \le B·\left(2·{\delta }_R+1\right)$.

According to the definition of module $q$, $c_0+c_1·s=\lfloor \frac{q}{2}\rfloor ·m+\tilde{e}+q·v$. Then, $\frac{2}{q}·\left(c_0+c_1·s\right)=m+\left(2/q\right)·\left(\tilde{e}-ϵ·m\right)+2·v$, where $ϵ=\frac{q}{2}-\lfloor \frac{q}{2}\rfloor <1$. To round correctly, we need $\left(2/q\right)· \Vert \tilde{e}-ϵ·m\Vert <1/2$. □

3.2. Homomorphic Properties of Basic Encryption

Homomorphic addition:

Let ${\mathit{c}}_{\mathbf{1}}$, ${\mathit{c}}_{\mathbf{2}}$ be the ciphertexts encrypted under $s$. According to Lemma 3, we get ${[\langle {\mathit{c}}_{\mathit{i}},\left(1,s\right)\rangle ]}_q=\lfloor \frac{q}{2}\rfloor ·m_i+{\tilde{e}}_i$, $i\in \left[2\right]$. It holds that:

$$\langle {\mathit{c}}_{\mathbf{1}}+{\mathit{c}}_{\mathbf{2}},\left(1,s\right)\rangle =\lfloor \frac{q}{2}\rfloor ·{\left[m_1+m_2\right]}_2+{\tilde{e}}_1+{\tilde{e}}_2-2·ϵ·w$$

where $ϵ=\frac{q}{2}-\lfloor \frac{q}{2}\rfloor <1$ and $m_1+m_2={\left[m_1+m_2\right]}_2+2· w$, with $\Vert w\Vert <1$. Let $e_{add}:={\tilde{e}}_1+{\tilde{e}}_2-2·ϵ·w$ and $\Vert e_{add}\Vert <2·\left(E+1\right)$. Here, $E$ is the bound of the original noise term, i.e., $\Vert {\tilde{e}}_i\Vert <E$, $i\in \left[2\right]$. We get Lemma 4.

Lemma 4.

Let ${\mathit{c}}_{\mathit{a}\mathit{d}\mathit{d}}={\mathit{c}}_{\mathbf{1}}+{\mathit{c}}_{\mathbf{2}}$and ${\mathit{c}}_{\mathbf{1}}$, ${\mathit{c}}_{\mathbf{2}}$ be the ciphertexts encrypted under $s$. Then:

$${[\langle {\mathit{c}}_{\mathit{a}\mathit{d}\mathit{d}},\left(1,s\right)\rangle ]}_q=\lfloor \frac{q}{2}\rfloor ·{\left[m_1+m_2\right]}_2+e_{add}$$

where$\Vert e_{add}\Vert <2·\left(E+1\right)$. The addition decryption is correct when$\Vert e_{add}\Vert <\lfloor \frac{q}{2}\rfloor /2$.

Homomorphic multiplication:

Let ${\mathit{c}}_{\mathbf{1}}$, ${\mathit{c}}_{\mathbf{2}}$ be the ciphertexts encrypted under $s$ and ${\mathit{c}}_{\mathit{m}\mathit{u}\mathit{l}\mathit{t}}$ be a multiplicative ciphertext corresponding to ${\mathit{c}}_{\mathbf{1}}$, ${\mathit{c}}_{\mathbf{2}}$. To preserve the homomorphism of the multiplication, the following structure is needed:

$${\left[{\mathit{c}}_{\mathit{m}\mathit{u}\mathit{l}\mathit{t}},\left(1,s\right)\right]}_q=\lfloor \frac{q}{2}\rfloor ·m_1·m_2+e_{mult}.$$

The tensor product is used to implement ciphertext multiplication to keep the structure divided by $\frac{q}{2}$. Therefore, we define ${\mathit{c}}_{\mathit{m}\mathit{u}\mathit{l}\mathit{t}}=\lfloor \frac{2}{q}·{\mathit{c}}_{\mathbf{1}}\otimes {\mathit{c}}_{\mathbf{2}}\rceil$ and the secret key should be ${\mathit{s}}^{\prime }=\left(1,s\right)\otimes \left(1,s\right)$. We will discuss how to use our new key switching technology to replace the keys after homomorphic multiplication in Section 3.3. Here, we continue to discuss how the ciphertext multiplication obtains homomorphism.

$$\langle {\mathit{c}}_{\mathit{m}\mathit{u}\mathit{l}\mathit{t}},{\mathit{s}}^{\prime }\rangle =\langle \lfloor \frac{2}{q}·{\mathit{c}}_{\mathbf{1}}\otimes {\mathit{c}}_{\mathbf{2}}\rceil ,{\mathit{s}}^{\prime }\rangle mod q$$

Set $\tilde{\mathit{c}}=\lfloor \frac{2}{q}·{\mathit{c}}_{\mathbf{1}}\otimes {\mathit{c}}_{\mathbf{2}}\rceil -\frac{2}{q}·{\mathit{c}}_{\mathbf{1}}\otimes {\mathit{c}}_{\mathbf{2}}$ with $\Vert \tilde{\mathit{c}}\Vert \le 1/2$. Let ${\xi }_1:=\langle \tilde{\mathit{c}},{\mathit{s}}^{\prime }\rangle$ and$\Vert {\xi }_1\Vert <\Vert \tilde{\mathit{c}}\Vert ·{\Vert {\mathit{s}}^{\prime }\Vert }_1<\frac{1}{2}·{\left({\delta }_R+1\right)}^2$. Using the properties of tensor product, we get:

$$\langle {\mathit{c}}_{\mathit{m}\mathit{u}\mathit{l}\mathit{t}},{\mathit{s}}^{\prime }\rangle -{\xi }_1=\frac{2}{q}·\langle {\mathit{c}}_{\mathbf{1}},\left(1,s\right)\rangle ·\langle {\mathit{c}}_{\mathbf{2}},\left(1,s\right)\rangle .$$

(2)

According to Equation (1), we get:

$$\begin{gathered} \langle {\mathit{c}}_{\mathit{j}},\left(1,s\right)\rangle =\lfloor \frac{q}{2}\rfloor ·m_j+{\tilde{e}}_j mod q \\ =\lfloor \frac{q}{2}\rfloor ·m_j+{\tilde{e}}_j+q·v_j. \end{gathered}$$

(3)

It is easy to get $\Vert q·v_j\Vert <{\delta }_R·\Vert {\mathit{c}}_{\mathit{j}}\Vert ·\Vert \left(1,s\right)\Vert$ and $\Vert v_j\Vert <{\delta }_R$, where$j\in \left[2\right]$.

Plugging Equation (3) into Equation (2), we get:

$$\begin{array}{ll}\langle {\mathit{c}}_{\mathit{m}\mathit{u}\mathit{l}\mathit{t}},{\mathit{s}}^{\prime }-{\xi }_1\rangle & =\frac{2}{q}·\left(\lfloor \frac{q}{2}\rfloor ·m_1+{\tilde{e}}_1+q·v_1\right)·\left(\lfloor \frac{q}{2}\rfloor ·m_2+{\tilde{e}}_2+q·v_2\right)\\ & =\lfloor \frac{q}{2}\rfloor ·m_1·m_2+{\xi }_2+q·\left(m_1{v}_2+m_2{v}_1+2v_1{v}_2\right).\end{array}$$

where ${\xi }_2=\left(2{\tilde{e}}_2-m_2\right)·v_1+\left(2{\tilde{e}}_1-m_1\right)·v_2+\frac{q-1}{q}·\left({\tilde{e}}_1{m}_2+{\tilde{e}}_2{m}_1\right)+\frac{1-q}{2q}{m}_1·m_2+\frac{2{\tilde{e}}_1{\tilde{e}}_2}{q}$ and $\Vert {\tilde{e}}_i\Vert <E<\lfloor \frac{q}{2}\rfloor /2\le q/4$, $i\in \left[2\right]$.

$$\Vert {\xi }_2\Vert \le 4·E·{\delta }_R^2+E·{\delta }_R.$$

Let $e_{mult}:={\xi }_1+{\xi }_2$, and $\Vert e_{mult}\Vert =\Vert {\xi }_1+{\xi }_2\Vert \le \frac{1}{2}·{\left({\delta }_R+1\right)}^2+4·E·{\delta }_R^2+E·{\delta }_R$, so that we get Lemma 5.

Lemma 5.

Let ${\mathit{c}}_{\mathbf{1}}$, ${\mathit{c}}_{\mathbf{2}}$ be the ciphertexts encrypted under $s$. Set ${\mathit{c}}_{\mathit{m}\mathit{u}\mathit{l}\mathit{t}}=\lfloor \frac{2}{q}·{\mathit{c}}_1\otimes {\mathit{c}}_2\rceil$, ${\mathit{s}}^{\prime }=\left(1,s\right)\otimes \left(1,s\right)$. It follows that:

$${\left[\langle {\mathit{c}}_{\mathit{m}\mathit{u}\mathit{l}\mathit{t}},{\mathit{s}}^{\prime }\rangle \right]}_q=\lfloor \frac{q}{2}\rfloor ·m_1·m_2+e_{mult}$$

where$\Vert e_{mult}\Vert \le \frac{1}{2}·{\left({\delta }_R+1\right)}^2+4·E·{\delta }_R^2+E·{\delta }_R$. The multiplication decryption is correct when $\Vert e_{mult}\Vert <\lfloor \frac{q}{2}\rfloor /2$.

3.3. Optimizing the Key Switching

The key switching technology was first proposed in the BGV [11] scheme, which is usually used after a homomorphic evaluation of the ciphertext to solve the problem of the dimensions of the ciphertext expanding after the tensor product. This technology converts the long ciphertext that can be decrypted by the key $s_1·s_1$ into a short ciphertext ${\mathit{c}}_{\mathbf{2}}$ that can be decrypted by another key $s_2$. Some form of a key $s_1·s_1$ is encrypted under the key $s_2$ as a hint, which is called the evaluation key, to complete this transformation. The noise introduced in the conversion process is compressed using BitDecomp technology.

BitDecomp has low efficiency in the binary expansion of polynomials. Therefore, the FHE scheme based on RLWE will not transplant the key switching technology based on LWE into RLWE. The re-linearization technology is used to compress the ciphertext dimensions without changing the key. With the re-linearization technology, it is also necessary to use the evaluation key to assist in the completion of the ciphertext compression. However, this evaluation key is a masking version containing the secret key, which is neither a real sample of the RLWE distribution nor a real encryption method. The scheme relies on a weak circular security assumption that the scheme is still secure even if the adversary obtains the evaluation key, which is not strictly proven. Moreover, there are problems that the size of the key is inversely proportional to the noise introduced by the re-linearization process, and the re-linearization process requires multiple multiplication evaluations.

In the following, we propose a new key switching technology based on RLWE, which does not need to use the BitDecomp technology, meaning we can replace the key to avoid the circular security assumption. We use the ‘modulus scaling’ method to reduce the noise using a large modulus. There is some performance loss due to the security enhancement, but our approach has more advantages during storage. Since we have proven in Section 2.2 that the key $s$ can be selected with a small noise distribution, we can further reduce the size of our evaluation key.

Our key switching method includes two processes. First, $\mathrm{SwitchKeyGen}\left({\mathit{s}}_{\mathbf{1}},{\mathit{s}}_{\mathbf{2}},p\right)$ inputs two keys and a large integer $p$, and the output key $s_2$ encrypts the key $s_1$ by $p$ times as the evaluation key ${\mathit{W}}_{{\mathit{s}}_{\mathbf{1}}\to {\mathit{s}}_{\mathbf{2}}}$. The modulus of the key is also amplified to accommodate additional noise. $\mathrm{SwitchKey}\left({\mathit{W}}_{{\mathit{s}}_{\mathbf{1}}\to {\mathit{s}}_{\mathbf{2}}},{\mathit{c}}_{{\mathit{s}}_{\mathbf{1}}}\right)$ inputs the evaluation key and the ciphertext ${\mathit{c}}_{{\mathit{s}}_{\mathbf{1}}}$ encrypted under the key ${\mathit{s}}_{\mathbf{1}}$ and outputs the new ciphertext ${\mathit{c}}_{{\mathit{s}}_{\mathbf{2}}}$ encrypted under the key ${\mathit{s}}_{\mathbf{2}}$. The ciphertext ${\mathit{c}}_{{\mathit{s}}_{\mathbf{1}}}$ and the ciphertext ${\mathit{c}}_{{\mathit{s}}_{\mathbf{2}}}$ are encrypted for the same plaintext message with the same modulus.

-

$\mathrm{SwitchKeyGen}\left({\mathit{s}}_{\mathbf{1}},{\mathit{s}}_{\mathbf{2}},p\right):$ Input two keys ${\mathit{s}}_1\in R_q^{n_1},{\mathit{s}}_{\mathbf{2}}\in R_q^{n_2}$ and a large integer $p$. Let $Q=p·q$. Uniformly sample a matrix composed of polynomials${\mathit{A}}_{{\mathit{s}}_{\mathbf{1}}\to {\mathit{s}}_{\mathbf{2}}}\leftarrow R_Q^{n_1\times n_2}$ and an error vector ${\mathit{e}}_{{\mathit{s}}_{\mathbf{1}}\to {\mathit{s}}_{\mathbf{2}}}\leftarrow {\chi }^{n_1}$, where ${\chi }^{n_1}$ is the noise distribution over $R_Q^{n_1}$. The output is a matrix of polynomials.

• Compute ${\mathit{b}}_{{\mathit{s}}_{\mathbf{1}}\to {\mathit{s}}_{\mathbf{2}}}={\left[{\mathit{A}}_{{\mathit{s}}_1\to {\mathit{s}}_2}·{\mathit{s}}_{\mathbf{2}}+{\mathit{e}}_{{\mathit{s}}_1\to {\mathit{s}}_2}+p·{\mathit{s}}_{\mathbf{1}}\right]}_Q\in R_Q^{n_1}$.
• Output the evaluation key ${\mathit{W}}_{{\mathit{s}}_{\mathbf{1}}\to {\mathit{s}}_{\mathbf{2}}}$. The matrix ${\mathit{W}}_{{\mathit{s}}_{\mathbf{1}}\to {\mathit{s}}_{\mathbf{2}}}$ with $\left(n_2+1\right)$ columns consists of the matrix $-{\mathit{A}}_{{\mathit{s}}_{\mathbf{1}}\to {\mathit{s}}_{\mathbf{2}}}$ with $n_2$ columns and ${\mathit{b}}_{{\mathit{s}}_{\mathbf{1}}\to {\mathit{s}}_{\mathbf{2}}}$:

  $${\mathit{W}}_{{\mathit{s}}_{\mathbf{1}}\to {\mathit{s}}_{\mathbf{2}}}=\left[{\mathit{b}}_{{\mathit{s}}_{\mathbf{1}}\to {\mathit{s}}_{\mathbf{2}}}\parallel -{\mathit{A}}_{{\mathit{s}}_{\mathbf{1}}\to {\mathit{s}}_{\mathbf{2}}}\right]\in R_Q^{n_1\times \left(n_2+1\right)}$$

-

$\mathrm{SwitchKey}\left({\mathit{W}}_{{\mathit{s}}_{\mathbf{1}}\to {\mathit{s}}_{\mathbf{2}}},{\mathit{c}}_{{\mathit{s}}_{\mathbf{1}}}\right):$ To switch a ciphertext under a secret key ${\mathit{s}}_1$ to $\left(1,{\mathit{s}}_{\mathbf{2}}\right)$, output:

$${\mathit{c}}_{{\mathit{s}}_{\mathbf{2}}}:={\left[\lfloor \frac{{\mathit{W}}_{{\mathit{s}}_{\mathbf{1}}\to {\mathit{s}}_{\mathbf{2}}}^{\mathit{T}}·{\mathit{c}}_{{\mathit{s}}_{\mathbf{1}}}}{p}\rceil \right]}_q.$$

To ensure the security, the variance of ${\chi }^{n_1}$ cannot be simply taken as the variance of $\chi$, otherwise it will lead to great security losses. In Section 5, we prove that if for some real number $k>0$, written as $p·q=q^k$, and suppose $\Vert \chi \Vert <B$, we need $\Vert {\chi }^{n_1}\Vert =B_k>{\alpha }^{1-\sqrt{k}}·q^{k-\sqrt{k}}·B^{\sqrt{k}}$, where $\alpha$ is a constant, e.g., $\alpha \simeq 3.758$. The correctness and security are as shown below.

Lemma 6 (Correctness).

Set${\mathit{s}}_{\mathbf{1}}\in R_q^{n_1}$, ${\mathit{s}}_{\mathbf{2}}\in R_q^{n_2}$, ${\mathit{c}}_{{\mathit{s}}_{\mathbf{1}}}\in R_q^{n_1}$as arbitrary vectors of polynomials. Let${\mathit{W}}_{{\mathit{s}}_{\mathbf{1}}\to {\mathit{s}}_{\mathbf{2}}}\leftarrow \mathrm{SwitchKeyGen}\left({\mathit{s}}_{\mathbf{1}},{\mathit{s}}_{\mathbf{2}},p\right).$Let ${\mathit{c}}_{{\mathit{s}}_{\mathbf{2}}}\leftarrow \mathrm{SwitchKey}\left({\mathit{W}}_{{\mathit{s}}_{\mathbf{1}}\to {\mathit{s}}_2},{\mathit{c}}_{{\mathit{s}}_1}\right)$. Then:

$$\langle {\mathit{c}}_{{\mathit{s}}_{\mathbf{2}}},\left(1,{\mathit{s}}_{\mathbf{2}}\right)\rangle =\langle {\mathit{c}}_{{\mathit{s}}_{\mathbf{1}}},{\mathit{s}}_1\rangle +r \left(mod q\right).$$

where$\Vert r\Vert <\frac{q·B_k·{\delta }_R}{p}+\left({\delta }_R·\Vert {\mathit{s}}_{\mathbf{2}}\Vert +1\right)/2$.

Proof. 

Let $\mathsf{ϵ}:=\left(\frac{{\mathit{W}}_{{\mathit{s}}_{\mathbf{1}}\to {\mathit{s}}_{\mathbf{2}}}^{\mathit{T}}·{\mathit{c}}_{{\mathit{s}}_{\mathbf{1}}}}{p}-\lfloor \frac{{\mathit{W}}_{{\mathit{s}}_{\mathbf{1}}\to {\mathit{s}}_{\mathbf{2}}}^{\mathit{T}}·{\mathit{c}}_{{\mathit{s}}_{\mathbf{1}}}}{p}\rceil \right)$ and $\Vert \mathsf{ϵ}\Vert \le 1/2$. According to the definition:

$$\begin{array}{ll}\langle {\mathit{c}}_{{\mathit{s}}_{\mathbf{2}}},\left(1,{\mathit{s}}_{\mathbf{2}}\right)\rangle & =\langle \lfloor \frac{{\mathit{W}}_{{\mathit{s}}_{\mathbf{1}}\to {\mathit{s}}_{\mathbf{2}}}^{\mathit{T}}·{\mathit{c}}_{{\mathit{s}}_{\mathbf{1}}}}{p}\rceil ,\left(1,{\mathit{s}}_{\mathbf{2}}\right)\rangle mod q\\ & =\langle \frac{{\left[{\mathit{b}}_{{\mathit{s}}_{\mathbf{1}}\to {\mathit{s}}_{\mathbf{2}}}\parallel -{\mathit{A}}_{{\mathit{s}}_{\mathbf{1}}\to {\mathit{s}}_{\mathbf{2}}}\right]}^{\mathit{T}}·{\mathit{c}}_{{\mathit{s}}_{\mathbf{1}}}}{p},\left(1,{\mathit{s}}_{\mathbf{2}}\right)\rangle -\langle \mathit{ϵ},\left(1,{\mathit{s}}_{\mathbf{2}}\right)\rangle mod q\\ & =\frac{{\mathit{b}}_{{\mathit{s}}_{\mathbf{1}}\to {\mathit{s}}_{\mathbf{2}}}·{\mathit{c}}_{{\mathit{s}}_{\mathbf{1}}}-{\mathit{A}}_{{\mathit{s}}_{\mathbf{1}}\to {\mathit{s}}_{\mathbf{2}}}^{\mathit{T}}·{\mathit{c}}_{{\mathit{s}}_{\mathbf{1}}}·{\mathit{s}}_{\mathbf{2}}}{p}-\langle \mathit{ϵ},\left(1,{\mathit{s}}_{\mathbf{2}}\right)\rangle mod q\\ & =\langle {\mathit{c}}_{{\mathit{s}}_{\mathbf{1}}},{\mathit{s}}_{\mathbf{1}}\rangle +\frac{\langle {\mathit{c}}_{{\mathit{s}}_{\mathbf{1}}},{\mathit{e}}_{{\mathit{s}}_{\mathbf{1}}\to {\mathit{s}}_{\mathbf{2}}}\rangle }{p}-\langle \mathit{ϵ},\left(1,{\mathit{s}}_{\mathbf{2}}\right)\rangle mod q\end{array}$$

Lemma 6 is proven. According to Lemma 6, we can choose p to minimize the error so that it is less than the error of the multiplication. Then, we must choose $p\ge q^3$ when $B$ is small and does not depend on $q$. □

Lemma 7 (Security).

Let ${\mathit{s}}_{\mathbf{1}}\in R_q^{n_1}$be the arbitrary vectors of polynomials. If ${\mathit{s}}_{\mathbf{2}}\leftarrow \mathrm{RE}.\mathrm{Sec}\mathrm{retKeyGen}\left(1^{\lambda }\right)$and$\mathit{W}\leftarrow \mathrm{SwitchKeyGen}\left({\mathit{s}}_{\mathbf{1}},{\mathit{s}}_{\mathbf{2}},p\right)$, then $\mathit{W}$ is computationally indistinguishable on$R_Q^{n_1\times \left(n_2+1\right)}$, assuming that${\mathrm{DRLWE}}_{d,q,\chi }$holds.

Proof. 

According to the key switching process, $\mathrm{SwitchKeyGen}\left({\mathit{s}}_{\mathbf{1}},{\mathit{s}}_{\mathbf{2}},p\right)$, $\mathit{W}=\left[\mathit{b}\parallel -\mathit{A}\right]\in R_Q^{n_1\times \left(n_2+1\right)}$, where $A$ is a uniform matrix, $\mathit{b}={\left[\mathit{A}·{\mathit{s}}_{\mathbf{2}}+\mathit{e}+p·{\mathit{s}}_{\mathbf{1}}\right]}_Q$. Since each element of $\mathit{b}$ is the ciphertext of the RE encryption scheme, $\mathit{b}$ is indistinguishable from the uniform distribution $U\left(R_Q^{n_1}\right)$. Therefore, $\mathit{W}$ is computationally indistinguishable from the uniform distribution on $R_Q^{n_1\times \left(n_2+1\right)}$ and Lemma 7 is proven. □

4. Batch Leveled FHE Scheme

Based on the scheme described in Section 3.1, this section shows how to use the key switching technology discussed in Section 3.2 and the packing technology discussed in Section 2.3 to obtain a leveled fully homomorphic encryption scheme with better security and efficiency supporting batch processing.

4.1. Construction

In this part, we will derive an RLWE-based leveled homomorphic encryption scheme named $\mathrm{Batch}.\mathrm{RFHE}$ for batch processing.

-

$\mathrm{Batch}.\mathrm{RFHE}.\mathrm{Setup}\left(1^L,1^{\lambda }\right):$ Assume that the security parameter is $\lambda$ and the circuit level is $L$. Let $R=\mathbb{Z}\left[x\right]/{\mathsf{\Phi }}_m\left(x\right)$, where ${\mathsf{\Phi }}_m\left(x\right)={\displaystyle \prod }_{i=1}^n{f}_i\left(x\right)$ is a cyclotomic polynomial with degree $\phi \left(m\right)=d$, and the degree of each $f_i\left(x\right)$ is $d^{\prime }$, where $\phi \left(m\right)=d=n·d^{\prime }$. Let $q$ be the modulus. Let $\chi =\chi \left(\lambda \right)$ be the error distribution over $R$. ${\mathbb{F}}_{2^{d^{\prime }}}^n$ the plaintext vector space, and the mapping CRT is the isomorphism mapping from ${\mathbb{F}}_{2^{d^{\prime }}}^n$ to $R_2$.

-

$\mathrm{Batch}.\mathrm{RFHE}.\mathrm{KeyGen}\left(1^L,1^{\lambda }\right):$ Sample $L+1$ polynomials $\left\{s_0,\cdots ,s_L\right\}\leftarrow \mathrm{RE}.\mathrm{Sec}\mathrm{retKeyGen}\left(1^{\lambda }\right)$. Compute the public key: ${{\rm P}}_0\leftarrow \mathrm{RE}.\mathrm{PublicKeyGen}\left({\mathit{s}}_0\right)$. For all $i\in \left[L\right]$, define ${\mathit{s}}_{\mathit{i}-1}^{\prime }=\left(1,s_{i-1}\right)\otimes \left(1,s_{i-1}\right)\in R_2^3$. Then, compute:

$${\mathit{W}}_{\left(\mathit{i}-1\right)\to i}\leftarrow \mathrm{SwitchKeGen}\left({\mathit{s}}_{\mathit{i}-1}^{\prime },s_i\right).$$

Output $pk={{\rm P}}_0$, $evk={\left\{{\mathit{W}}_{\left(\mathit{i}-1\right)\to i}\right\}}_{i\in \left[L\right]}$ and $sk=\left\{s_0,\cdots ,s_L\right\}$.

-

$\mathrm{Batch}.\mathrm{RFHE}.\mathrm{Enc}\left(pk,\left(m_0,\cdots ,m_{n-1}\right)\in {\mathbb{F}}_{2^{d^{\prime }}}^n\right)$: First, we use the polynomial-CRT to pack the plaintext $m\leftarrow CRT\left(m_0,\cdots ,m_{n-1}\right)\in R_2$, then output $c\leftarrow \mathrm{RE}.\mathrm{Encrypt}\left(pk,m\right)$.

-

$\mathrm{Batch}.\mathrm{RFHE}.\mathrm{Add}\left({\mathit{c}}_{\mathbf{1}},{\mathit{c}}_{\mathbf{2}}\right)$: Suppose the ciphertexts ${\mathit{c}}_{\mathbf{1}}$, ${\mathit{c}}_{\mathbf{2}}$ are respectively encrypted under $s_{i-1}$ and $s_{j-1}$.

(1) If $i\ne j$, suppose $i<j$, then repeat the following steps until $i=j$ and turn to step (2):

(a)

${\mathit{c}}^{\prime }={\mathit{c}}_1\otimes \left(1,0\right)$;

(b)

${\mathit{c}}_1\leftarrow \mathrm{SwitchKey}\left({\mathit{W}}_{\left(\mathit{i}-1\right)\to \mathit{i}},{\mathit{c}}^{\prime }\right)$;

(c)

$i=i+1$.

(2) If $i=j$, perform the following steps:

(a)

${\mathit{c}}_{\mathit{a}\mathit{d}\mathit{d}}^{\text{'}}=\left({\mathit{c}}_1+{\mathit{c}}_2\right)\otimes \left(1,0\right)$;

(b)

${\mathit{c}}_{\mathit{a}\mathit{d}\mathit{d}}\leftarrow \mathrm{SwitchKey}\left({\mathit{W}}_{\left(\mathit{i}-1\right)\to \mathit{i}},{\mathit{c}}_{\mathit{a}\mathit{d}\mathit{d}}^{\text{'}}\right)$

-

$\mathrm{Batch}.\mathrm{RFHE}.\mathrm{Mult}\left({\mathit{c}}_1,{\mathit{c}}_2\right)$: Suppose ciphertexts ${\mathit{c}}_1$, ${\mathit{c}}_2$ encrypted and $s_{j-1}$.

(1) If $i\ne j$, suppose $i<j$, repeat the following steps until $i=j$ and then turn to step (2):

(a)

${\mathit{c}}^{\prime }={\mathit{c}}_1\otimes \left(1,0\right)$;

(b)

${\mathit{c}}_1\leftarrow \mathrm{SwitchKey}\left({\mathit{W}}_{\left(\mathit{i}-1\right)\to \mathit{i}},{\mathit{c}}^{\prime }\right)$;

(c)

$i=i+1$.

(2) If $i=j$, perform the following steps:

(a)

${\mathit{c}}_{\mathit{m}\mathit{u}\mathit{l}\mathit{t}}^{\prime }=\lfloor \frac{2}{q}·{\mathit{c}}_1\otimes {\mathit{c}}_2\rfloor$;

(b)

${\mathit{c}}_{\mathit{m}\mathit{u}\mathit{l}\mathit{t}}\leftarrow \mathrm{SwitchKey}\left({\mathit{W}}_{\left(\mathit{i}-1\right)\to \mathit{i}},{\mathit{c}}_{\mathit{m}\mathit{u}\mathit{l}\mathit{t}}^{\prime }\right).$

-

$\mathrm{Batch}.\mathrm{RFHE}.\mathrm{Dec}\left(sk,\mathit{c}\right):$ Assume that $\mathit{c}$ is encrypted under ${\mathrm{s}}_i$. First compute:

$$m\leftarrow \mathrm{RE}.\mathrm{Decrypt}\left({\mathrm{s}}_i,\mathit{c}\right).$$

Then output:

$$\left(m_0,\cdots ,m_{n-1}\right)\leftarrow CR{T}^{-1}\left(m\right)\in {\mathbb{F}}_{2^{}}^n.$$

The correctness of the scheme will be discussed together with the homomorphism of the scheme in Section 4.2.

Lemma 8 (Security).

Let$d$, $q$, $\chi$be certain parameters, so that${\mathrm{DRLWE}}_{d,q,\chi }$holds and$L=L\left(d\right)$is polynomially bounded. For any$\left(m_0,\cdots ,m_{n-1}\right)\in {\mathbb{F}}_{2^{d^{\prime }}}^n$, if$\left(pk,evk,sk\right)\leftarrow \mathrm{Batch}.\mathrm{RFHE}.\mathrm{KeyGen}\left(1^L,1^{\lambda }\right)$,$\mathit{c}\leftarrow \mathrm{Batch}.\mathrm{RFHE}.\mathrm{Enc}\left(pk,\left(m_0,\cdots ,m_{n-1}\right)\in {\mathbb{F}}_{2^{d^{\prime }}}^n\right)$, then it is considered that the joint distribution$\left(pk,evk,\mathit{c}\right)$is uniformly indistinguishable during computation.

Proof. 

We consider the distribution $\left(pk,evk,\mathit{c}\right)$ and apply a hybrid argument. Firstly, based on Lemma 7, $s_L$ is used to generate ${\mathit{W}}_{\left(\mathit{L}\mathbf{-}\mathbf{1}\right)\to \mathit{L}}$. We prove that ${\mathit{W}}_{\left(\mathit{L}\mathbf{-}\mathbf{1}\right)\to \mathit{L}}$ is uniformly indistinguishable. Then, based on the same argument, we replace all ${\mathit{W}}_{\left(\mathit{i}\mathbf{-}\mathbf{1}\right)\to \mathit{i}}$ in descending order with uniform values. Finally, $\left({{\rm P}}_0,\mathit{c}\right)$ are exactly the public key and ciphertext of the basic scheme in Section 3.2. Therefore, $\left({{\rm P}}_0,\mathit{c}\right)$ is uniformly indistinguishable, which completes the proof of Lemma 8. □

4.2. Homomorphic Properties of the Batch FHE Scheme

The following theorem summarizes the homomorphic properties of our scheme.

Theorem 3.

For the $\mathrm{Batch}.\mathrm{RFHE}$scheme with parameters$n$, $q$, $\Vert \chi \Vert <B$, $L$:

$$4·{\delta }_R{}^L·{\left({\delta }_R+1\right)}^{L+1}<\frac{q}{B}$$

$L$is homomorphic.

Proof. 

Let $n$, $q$, $\Vert \chi \Vert <B$, $L$ be the parameters for $\mathrm{Batch}.\mathrm{RFHE}$, and compute $\left(pk,evk,sk\right)\leftarrow \mathrm{Batch}.\mathrm{RFHE}.\mathrm{KeyGen}\left(1^L,1^{\lambda }\right)$.

Let ${\mathit{c}}_1$, ${\mathit{c}}_2:$

$$\begin{gathered} \langle {\mathit{c}}_1,\left(1,s_{i-1}\right)\rangle =\lfloor \frac{2}{q}\rfloor ·m_1+e_1 \left(mod q\right) \\ \langle c_2,\left(1,s_{i-1}\right)\rangle =\lfloor \frac{2}{q}\rfloor ·m_2+e_2 \left(mod q\right) \end{gathered}$$

with $\Vert e_1\Vert$, $\Vert e_2\Vert \le E<\lfloor \frac{q}{2}\rfloor /2$. Define ${\mathit{c}}_{\mathit{a}\mathit{d}\mathit{d}}\leftarrow \mathrm{Batch}.\mathrm{RFHE}.\mathrm{Add}\left({\mathit{c}}_1,{\mathit{c}}_2\right)$, ${\mathit{c}}_{\mathit{m}\mathit{u}\mathit{l}\mathit{t}}=\mathrm{Batch}.\mathrm{RFHE}.\mathrm{Mult}\left({\mathit{c}}_1,{\mathit{c}}_2\right)$, then:

$$\begin{gathered} \langle {\mathit{c}}_{\mathit{a}\mathit{d}\mathit{d}},\left(1,{\mathit{s}}_{\mathit{i}}\right)\rangle =\lfloor \frac{2}{q}\rfloor ·{\left[m_1+m_2\right]}_2+e_{add} \left(mod q\right) \\ \langle {\mathit{c}}_{\mathit{m}\mathit{u}\mathit{l}\mathit{t}},\left(1,{\mathit{s}}_{\mathit{i}}\right)\rangle =\lfloor \frac{2}{q}\rfloor ·m_1·m_2+e_{mult} \left(mod q\right), \end{gathered}$$

From Lemma 4 and Lemma 5:

$$\begin{gathered} \Vert e_{add}\Vert \le 2·\left(E+1\right)+E_{switchKey} \\ \Vert e_{mult}\Vert <E·{\delta }_R\left({\delta }_R+1\right)+E_{switchKey} \end{gathered}$$

where $E_{switchKey}=\frac{q·B_k·{\delta }_R}{p}+\frac{\left({\delta }_R+1\right)}{2}$, $p=q^{k-1}$ and $B_k>{\alpha }^{1-\sqrt{k}}·q^{k-\sqrt{k}}·B^{\sqrt{k}}$.

The additive noise is much smaller than the multiplicative noise, so we only observe the multiplicative noise. We choose the appropriate $p$ so that the noise introduced by the key switching is smaller than that introduced via multiplication, and the noise term $E_{switchKey}$ will be ignored in the following analysis. From Lemma 3, $E_0=B·\left(2·{\delta }_R+1\right)$, and $E_{i+1}={\delta }_R\left({\delta }_R+1\right)·E_i$. $E_L={\delta }_R{}^L·{\left({\delta }_R+1\right)}^{L+1}·B$ is obtained. If $E_L<\lfloor q/2\rfloor /2$, the decryption is successful and Theorem 3 is proven. □

5. Parameter Setting and Efficiency Analysis

The batch scheme in this paper is mainly based on the RLWE problem, and the difficulty of the RLWE problem is analyzed according to [26].

Let $q$ denote the modulus and $d$ represent the degree of polynomial ring $R$, then let ${\sigma }^2$ denote the variance of the probability distribution $\chi$.

Definition 4.

([9]). Let an $m$-dimensional lattice $\Lambda$ based on B have a factor ${\delta }^m$ satisfying $\Vert \mathit{b}\Vert <{\delta }^m·det{\left(\Lambda \right)}^{1/m}$, where $\mathit{b}$ is the shortest vector of $B$, then ${\delta }^m$ is called the Hermite root factor.

Theorem 4.

([9]) Given $\delta$, the time required to reduce the lattice basis with the Hermite factor ${\delta }^m$ mainly depends on $\delta$

Theorem 5.

([9]). For a Hermite factor ${\delta }^m$, the length of the shortest vector is computed to be $\alpha ·\frac{q}{\sigma }\le 2^{2\sqrt{d{\log }_2\left(q\right){\log }_2\left(\delta \right)}}$. The base time is about ${\log }_2\left(time\right)=\frac{1.8}{{\log }_2\left(\delta \right)}-110$, where $\alpha =\sqrt{\ln \left(1/\epsilon \right)/\pi }$, and $\epsilon$ is the advantage in distinguishing attacks.

According to the above theorem, it can be quickly deduced that for a fixed $d$ and a fixed security level, as long as ${\sigma }_k>{\alpha }^{1-\sqrt{k}}·q^{k-\sqrt{k}}·{\sigma }^{\sqrt{k}}$ is selected, an effective parameter pair $\left(q,\sigma \right)$ can be transformed into another effective parameter pair $\left(q^k,{\sigma }^k\right)$, where $k>1$ is the arbitrary real number. During key switching, $B_k$ also uses this bound.

To obtain the parameters that guarantee that the homomorphism scheme of a circuit with depth $L$ can be executed, we choose the degree $d$ and then calculate the effective value of $q$. Let $B=10·\sigma$, then the distribution $\chi$ can be considered $B$ bounded. According to Theorem 3, the maximum multiplication depth that $\mathrm{Batch}.\mathrm{RFHE}$ can handle satisfies:

$$10·4·{\delta }_R{}^L·{\left({\delta }_R+1\right)}^{L+1}<\frac{q}{\sigma }$$

(4)

In the above inequality, we assume that the noise introduced by key switching is less than that after the first multiplication. Therefore, we can get:

$$\alpha ·10·4·{\delta }_R{}^L·{\left({\delta }_R+1\right)}^{L+1}<2^{2\sqrt{d{\log }_2\left(q\right){\log }_2\left(\delta \right)}}$$

(5)

According to Theorem 5, if we set the security level at $\lambda$, then we can set the time as $2^{\lambda }$. Then, the minimum $\delta$ can be obtained as ${\log }_2\left(\delta \right)=1.8/\left(\lambda +110\right)$. Assuming $\lambda =128$, we obtain $\delta \simeq 1.0052$, ${\log }_2\left(\delta \right)=0.0076$. If we let $\epsilon =2^{-64}$, we get $\alpha \simeq 3.758$. To ensure that the circuit with depth $\mathit{L}$ can be executed, the sizes of $d$ and module $q$ at different circuit depths are shown in

Table 1. Dimensions of degree $d$ and modulus $q$ at the different circuit depths.

$\mathit{L}$	0	1	5	10	15
$d$	$1024$	2048	8192	16,384	32,768
$\log q$	11	27	91	183	225

.

Next, we compare our batch FHE scheme with the FV12 [13] and MB18 [28] schemes. The comparison shows that there is obvious optimization. In

Table 2. A scheme parameter size comparison.

Scheme	Plaintexts	Ciphertext	Public Key	Secret Key	Evaluation Key
FV12	$\mathsf{{\rm O}}\left(1\right)$	$2dlogq$	$2dlogq$	$\left(d+1\right)logq$	$2l·d·logq$
MB18	$\mathsf{{\rm O}}\left(n\right)$	$2d\log q$	$2d\log q$	$\left(L+1\right)\left(d+1\right)\log q$	$2l·d·L·\log q$
Our scheme	$\mathsf{{\rm O}}\left(n\right)$	$2d\log q$	$2d\log q$	$\left(L+1\right)\left(d+1\right)$	$6dL\log q$

, all parameter sizes are in bits.

Compared with the FV12 scheme, since we do not rely on the circular security assumption, the scheme requires $\mathit{L}$ evaluation keys for the circuit depth $\mathit{L}$. The evaluation key size of our scheme is slightly larger than that of the FV12 scheme, but we can encrypt more plaintext bits at a time, making it more secure. Compared with the MB18 scheme ($l=\lfloor lo{g}_{T}q\rfloor$, $\mathrm{T}<q$ is used to reduce noise), the number of encrypted plaintext bits is the same, but the size of the secret key and the evaluation key in our scheme is better.

6. Conclusions

In this paper, we prove that the secret key can be selected from the error distribution $D_{\xi }$ with small samples and variable parameters. A public key encryption scheme with less noise is proposed. In addition, a new key switching technology is proposed. The noise generated by the key switching is controlled by “modulus scaling”, which does not depend on the circular security assumption and generates a smaller evaluation key. It can effectively solve the problem of key switching on RLWE, sacrificing security for efficiency. The result shows that the evaluation key size of our scheme is less than that of the MB18 scheme. We construct a shorter key batch FHE scheme for RLWE with key switching technology and packing technology using the polynomial CRT, and give the noise analysis and security proof in detail. Finally, the parameter setting process of the scheme and the parameter comparison of the FV12 and the MB18 schemes are given. The result shows that the parameter size of our scheme is better than that of the MB18 scheme. When the security is improved, the evaluation key size of our scheme is slightly larger than that of the FV12 scheme.