1. Introduction
The Internet of Things (IoT) has been widely applied in various domains, such as the military, industry, logistics, medical care, and smart homes [1], in recent years. The era of the Internet of everything has arrived, and the interactions between hundreds of millions of terminal devices generate massive amounts of data. An important way to deal with this data is to apply the distributed processing models represented by cloud computing and federated learning, which can make full use of the idle resources of IoT devices. The IoT touches most aspects of daily life and inevitably needs to collect people's personal information (such as consumption habits, travel routes, etc.). How the processing layer protects the privacy of all parties involved in the processing is therefore an urgent privacy protection problem.
Data security requires not only the security of the stored data but also the security of data processing. Fully homomorphic encryption (FHE) [2,3] allows arbitrary operations to be performed on encrypted data, with the same effect on the ciphertext as on the plaintext. Therefore, users only have to upload data encrypted under their own public key to the cloud to ensure that the data are stored and processed securely [4]. For example, there are already many applications of homomorphic encryption in the IoT combined with cloud computing: users store encrypted data in the cloud, and decrypting it must be jointly authorized by the user's terminal and the cloud. However, the existing schemes basically use single-key homomorphic encryption, whereas scenarios such as cloud computing and federated learning usually involve multi-user data, where different users jointly participate in the same computation and the result should be jointly decrypted by the participating users. FHE [5] only supports operations on ciphertexts encrypted under the same key, and having different users hold the same secret key obviously cannot meet the security requirements.
The properties of multi-key fully homomorphic encryption (MKFHE) fit the multi-user model perfectly. Users can obtain different keys from the same key generation algorithm, and ciphertexts encrypted under different keys can be operated on arbitrarily. Decryption must be carried out jointly by each user, which solves the security and privacy problems in distributed computing scenarios. Additionally, because MKFHE is constructed on lattice hard problems [6], it can resist quantum attacks [7], which meets the current demand for resisting the threat of quantum computers.
Efficiency and cost are the biggest obstacles between current MKFHE and its applications. Once they are overcome, MKFHE will be the preferred choice for security protection in multi-user environments. To address them, researchers reduce the sizes of public and private keys, reduce the size of the ciphertext, design more efficient ciphertext evaluation methods, and use batching and ciphertext compression to improve efficiency and reduce the cost of MKFHE. Not all researchers have focused on cost and efficiency, however. For example, some noticed that current MKFHE schemes all rely on the CRS (common reference string) setting, which limits each user's ability to generate keys independently, and designed the first MKFHE scheme in the non-CRS setting. Others noticed security risks in the underlying hardness assumption and constructed a new scheme based on an optimized hardness assumption.
The optimization of MKFHE is mostly carried out in the stages of security assumption, key generation, plaintext encryption, and ciphertext processing, with the objectives of reducing the key size, improving encryption efficiency, creating more efficient extension methods, and producing smaller extended ciphertexts. There are also optimizations of the security assumption that choose a non-traditional hard problem for MKFHE.
In this article, we present a classification and introduction of MKFHE schemes, show some of the technologies and definitions of the optimized schemes, introduce the applications of MKFHE, and summarize the current developments in MKFHE.
2. Multi-Key Fully Homomorphic Encryption
Leveled MKFHE [8]: Given a security parameter and an operation circuit C of depth L, a leveled MKFHE scheme is a tuple of efficient randomized algorithms (Setup, KeyGen, Enc, Extend, Eval, Dec) described as follows:
Setup ( , , ): Given the security parameter , a bound K on the number of keys, and a bound L on the circuit depth, output a public parameter pp.
KeyGen (pp): Input the public parameter pp; output a public key and secret key (i = 1, ..., K) for each party, a key for ciphertext extension, and a key for homomorphic evaluation.
Enc (, ): Input the public key of party i and a message ; output a ciphertext , which contains the relevant private key and circuit-level information.
Extend (): Input a ciphertext and the ciphertext extension key ; output the extended ciphertext . The corresponding user set is , and the public key set corresponding to the user set S to be expanded is . The corresponding private key is composed of, or calculated from, the private keys of all users in S in a specific form. Notice that the ciphertext extension algorithm is not necessary for all MKFHE schemes (number theory research unit (NTRU) type MKFHE does not need to expand the ciphertext), and not all ciphertext extension processes require an extension key (the ciphertext extension process of Brakerski–Gentry–Vaikuntanathan (BGV) type MKFHE does not require ).
Eval (pp, C, (, ⋯, )): Input a Boolean circuit C and the tuple corresponding to the same user set S (which can be obtained by ciphertext extension); output after homomorphic evaluation.
Dec (): Input a ciphertext corresponding to a set of parties S = [K] and the joint private key , which is composed of, or calculated from, the private keys of all participants in a specific form; output the message .
Correctness: For a leveled MKFHE scheme, take any circuit C of depth at most L having t input wires and any tuples , and let ; then the MKFHE scheme is correct if and only if the following formula holds:
Compactness: For a leveled MKFHE scheme, if there exists a polynomial poly (·) such that poly (, K, L), and the length of c is independent of the circuit C, then the MKFHE scheme is compact. In general, the ciphertext length of an MKFHE scheme is polynomial in the security parameter , the number of participants K, and the circuit depth L.
The properties of homomorphic evaluation are presented in Figure 1. Taking A and B as an example, the encrypted ciphertexts are EA and EB. After homomorphic addition and homomorphic multiplication of EA and EB, decrypting the results gives the same values as directly adding and multiplying A and B.
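As an added illustration of the leveled MKFHE interface above (example code written for this survey, not the scheme of [8] or of any surveyed paper), the following toy Python scheme implements Setup, KeyGen, Enc, Extend, Eval and Dec for a Regev-style LWE encryption of single bits. It supports only homomorphic addition (XOR), so it is not fully homomorphic, and its parameters N, Q and B are assumed toy values with no security. Ciphertext extension is done by key concatenation: a ciphertext under s_1 is padded with a zero block so that it decrypts under the joint key (s_1 | s_2), after which ciphertexts of different users can be added and must be decrypted jointly. The `noise` and `max_additions` helpers make the β-noisy / B-bounded idea concrete: correct decryption needs the accumulated error to stay below q/4, which is the toy analogue of the depth bound L.

```python
import random

# Toy parameters, assumed for this illustration only (far too small to be secure).
N = 16          # LWE dimension n
Q = 2 ** 16     # ciphertext modulus q
B = 4           # noise bound: a fresh ciphertext's error e is uniform in [-B, B]


def setup(seed=0):
    """Setup: the public parameter pp is just a shared, seeded randomness source."""
    return random.Random(seed)


def keygen(pp):
    """KeyGen: every party samples its own secret key s in Z_q^n independently."""
    return [pp.randrange(Q) for _ in range(N)]


def enc(pp, party, s, m):
    """Enc: Regev-style encryption of a bit m under `party`'s key s.

    b = <a, s> + e + (q/2)*m (mod q).  The ciphertext records which party's key
    each 'a' block belongs to; a fresh ciphertext has exactly one block.
    """
    a = [pp.randrange(Q) for _ in range(N)]
    e = pp.randint(-B, B)
    b = (sum(x * y for x, y in zip(a, s)) + e + (Q // 2) * m) % Q
    return {"a": {party: a}, "b": b}


def extend(ct, parties):
    """Extend: lift a ciphertext to the user set `parties` by key concatenation.

    Every party without an 'a' block gets a block of zeros, so
    <(a_1 | 0), (s_1 | s_2)> = <a_1, s_1>: the ciphertext now decrypts under the
    joint key (s_1 | s_2) without changing its value or its noise.
    """
    a = {p: list(ct["a"].get(p, [0] * N)) for p in parties}
    return {"a": a, "b": ct["b"]}


def eval_add(ct1, ct2):
    """Eval: homomorphic XOR of two ciphertexts over the same user set."""
    if ct1["a"].keys() != ct2["a"].keys():
        raise ValueError("extend both ciphertexts to the same user set first")
    a = {p: [(x + y) % Q for x, y in zip(ct1["a"][p], ct2["a"][p])]
         for p in ct1["a"]}
    return {"a": a, "b": (ct1["b"] + ct2["b"]) % Q}


def _centre(v):
    """Reduce v mod q into the symmetric interval (-q/2, q/2]."""
    v %= Q
    return v - Q if v > Q // 2 else v


def can_decrypt(ct, keys):
    """Joint decryption is only possible when every party in the set supplies a key."""
    return all(p in keys for p in ct["a"])


def _phase(ct, keys):
    """b - sum_i <a_i, s_i> (mod q), centred: equals (q/2)*m + accumulated noise."""
    if not can_decrypt(ct, keys):
        missing = [p for p in ct["a"] if p not in keys]
        raise KeyError(f"joint decryption needs the keys of {missing}")
    v = ct["b"]
    for p, a in ct["a"].items():
        v -= sum(x * y for x, y in zip(a, keys[p]))
    return _centre(v)


def dec(ct, keys):
    """Dec: all parties in the user set contribute their key; decode the bit."""
    return 1 if abs(_phase(ct, keys)) >= Q // 4 else 0


def noise(ct, keys):
    """The accumulated error term (a beta-noisy ciphertext has |noise| <= beta)."""
    return _centre(_phase(ct, keys) - (Q // 2) * dec(ct, keys))


def max_additions():
    """Worst-case number of fresh ciphertexts that can be summed and still decrypt
    correctly: decoding needs |noise| <= q/4 - 1 and noise grows by at most B per
    summand.  This is the toy analogue of the depth bound L of a leveled scheme."""
    return (Q // 4 - 1) // B


if __name__ == "__main__":
    pp = setup(7)
    keys = {"alice": keygen(pp), "bob": keygen(pp)}
    users = ["alice", "bob"]
    ct_a = extend(enc(pp, "alice", keys["alice"], 1), users)
    ct_b = extend(enc(pp, "bob", keys["bob"], 1), users)
    ct_sum = eval_add(ct_a, ct_b)
    print("1 XOR 1 =", dec(ct_sum, keys), "noise:", noise(ct_sum, keys))
    print("additions supported by these parameters:", max_additions())
```

The zero-padding in `extend` is exactly why the extended ciphertext grows with the number of users, which is the cost the later sections try to reduce; multiplication would additionally need the GSW-style machinery (and the LinkAlgo or compression techniques of Section 3), which this toy deliberately omits.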
3. Optimization Techniques for MKFHE
In this section, two techniques are introduced that the authors believe should be investigated in depth. One is the LinkAlgo algorithm that enables the non-CRS setting of MKFHE, and the other is the compressible ciphertext of SWC21. The former is the first MKFHE scheme constructed in a non-CRS setting, and it focuses on strengthening the user's ability to generate keys individually. Previously, MKFHE could not avoid the distribution of a CRS, and the user's ability to generate keys on their own was limited. This technique is introduced here in the hope that other researchers will be inspired to develop a more efficient MKFHE without a CRS, or other ways to enhance the user's ability to generate keys independently. The ciphertext compression method used by the latter breaks through the 1/2 compression ratio of the ciphertext size reduction techniques previously used by MKFHE. This technique has strict requirements on the ciphertext structure, which makes it quite restrictive; however, the idea can be extended to other schemes built on it to obtain an efficient compression method combined with their own optimizations. Hopefully, these two techniques will be enlightening.
3.1. LinkAlgo Algorithm for the KLP18 Scheme
When the KLP18 scheme extends the single-key GSW-type FHE scheme into MKFHE, it first dispenses with the public random string in the public parameters. Second, the single-key scheme is kept independent of the LinkAlgo algorithm designed for it, so that a user only needs to use the single-key scheme for encryption. Finally, the users involved in the computation jointly extend the single-key ciphertexts into a multi-key ciphertext through the LinkAlgo algorithm and carry out joint decryption. The algorithm and the idea behind its design provide a new direction for the design of MKFHE schemes and are of great reference value. Therefore, the LinkAlgo algorithm is introduced here.
3.1.1. Notion of LinkAlgo
Lowercase bold letters denote vectors, and uppercase bold letters denote matrices. is a column vector, and is a row vector. is a matrix, denotes the element in the i-th row and j-th column of the matrix , denotes the j-th column of the matrix, and denotes the i-th row of the matrix. denotes the horizontal concatenation of vectors or matrices.
Theorem 1 ([35]). For any , there exist a matrix , its corresponding matrix , and a matrix ( is random) which satisfy and .
Theorem 2 ([23]). Set . χ is a discrete Gaussian distribution over Z which makes LWE a hard problem. is an integer. Define two distributions X and Y as follows: X is a distribution over matrices . is randomly selected. When , . is drawn from a discrete Gaussian distribution . Y is the uniform distribution over . Then, X and Y are computationally indistinguishable.
Definition 1. Suppose is a distribution over the integers. If the distribution satisfies the following property: then the distribution is called B-bounded.
Definition 2. β-noisy ciphertext: A ciphertext C that encrypts under a private key is called a β-noisy ciphertext when , .
3.1.2. LinkAlgo Algorithm
The matrix , is the -noisy ciphertext of encrypted under using the GSW encryption algorithm, i.e., , where (). Let () = () be another pair of keys. The inputs and all are given to the algorithm, and it outputs . It holds that and ( is noise).
Algorithm 1 LinkAlgo algorithm.
Input: ;
Output: ;
1: Let ;
2: Output Y = .
A detailed proof that , holds is given below:
where has norm .
The correctness of :
Therefore, , where has norm .
Input the public key and fresh ciphertext into the LinkAlgo algorithm, which outputs the following extended ciphertext:
1.
2. Compute [t]. The extended ciphertext is:
This type of scheme allows users to use single-key homomorphic encryption, and homomorphic evaluation can be performed after the ciphertexts are extended with the LinkAlgo algorithm. Users can generate their secret keys independently, which is attractive in scenarios that require exactly this.
3.2. SWC21 Ciphertext Compression Algorithm
Gentry proposed an algorithm for compressing ciphertexts of single-key schemes in GH19 [37] in 2019, and Shen et al. extended the algorithm to the MKFHE scheme SWC21 [14] in 2021. Compressing ciphertexts effectively reduces the communication overhead and, to some extent, drives the development of MKFHE in terms of efficiency and cost.
Notion of SWC21
Definition 3. DLWE (decisional learning with errors): Let n and q be positive integers and χ an error distribution over Z. Let denote the distribution on , where , and . Given m = poly(n) mutually independent instances, the problem is to decide whether they were chosen from the uniform distribution or from the distribution .
Definition 4. MLWE (matrix learning with errors): Let n, m, r, and q be positive integers and χ an error distribution over Z. The matrix learning with errors problem is to distinguish two distributions. One is , where , and . The other is the uniform distribution .
Definition 5. Given an integer , for any positive integer , define , where . The symbol is used to denote this matrix in SWC21.
Lemma 1 ([35]). Positive integers ; ; ; ; ; and . For , an invertible matrix , and , there is an efficient randomized algorithm (, H) which generates a matrix and a trapdoor with label . is not uniformly distributed.
Lemma 2 ([35]). Given a random matrix , an efficient randomized algorithm can extract a sub-Gaussian matrix over with parameter O(1), which satisfies .
A new technique, the nearly square tool matrix L, is used in GH19 and is also required in SWC21. An open trapdoor matrix satisfies:
(1) has small entries ();
(2) = 0 (mod q), i.e., all row vectors of generate the kernel space of mod q;
(3) is full-rank over .
When they apply this technique to the multi-key version of the scheme, they adjust the structure of the private key and the extended ciphertext. The identity in the private key matrix is deleted so that the extended private key turns from into , which is a nearly square matrix. Additionally, the extended ciphertext is split into parts rather than parts. Meanwhile, some information is attached to the ciphertext. The extended ciphertext looks like:
Let k be the security parameter for a large modulus q with an error distribution = (k, N) bounded by . Additionally, is taken for the step.
Let , and (where and , , , , and ), and choose .
Output params = .
(params): Choose and . Let , and ; note that . Output , .
(, ): Input a plaintext bit , choose , and let the ciphertext be .
will be divided as follows for the step:
Let .
Notice that .
The attached information is needed to successfully execute the Exp step.
where , . The complete ciphertext tuple is
: the extended ciphertext is:
Fresh ciphertext does not support compression. Therefore, the ciphertext of different users needs to be pre-processed before compression, which is similar to the traditional GSW-expand step.
(1) Generate the components required for the extended ciphertext:
where and only the entry at column b and row is 1; all others are 0.
(2) Generate the auxiliary ciphertext :
(params, ): Compress one or more ciphertexts into a ciphertext of smaller size. Let , where and only the entry in the u-th row and v-th column is 1; all others are 0. Let the compressed ciphertext be:
The compression algorithm is the same as in Gentry's GH19 scheme; all of the preceding ciphertext processing serves to meet the requirements of this algorithm.
(params, f, , , ⋯, ): Input N, a circuit f, and a sequence of ciphertexts , , ⋯, ; output the ciphertext after homomorphic evaluation.
Eval.add
Eval.mult
(, ): Input the private keys of the N participants and let be the extended private key. Decrypting a compressed ciphertext involves the following four steps:
;
, where is the open trapdoor matrix;
( is full-rank and ).
5. Conclusions
The urgent need for privacy protection and the birth and development of quantum computers have stimulated the need for protection methods against quantum attacks. This demand promotes the development of MKFHE, which provides theoretical support for future secure data sharing among multiple users. Currently, the complex operations of MKFHE make it inefficient and costly to apply. Therefore, MKFHE accounts for only a small part of the homomorphic encryption application schemes in the Internet of Things. As discussed at the end of Section 4.1, hardware acceleration has the potential to enable the application of multi-key fully homomorphic encryption.
In addition to accelerated homomorphic encryption, solutions such as KLP18 and THL21, where each user encrypts with a single key and the process of converting the public extended ciphertext into a multi-key ciphertext is placed in the cloud, may also be viable. Since the extended ciphertext is larger than the fresh ciphertext, having the cloud undertake the ciphertext extension reduces the bandwidth consumed.
Therefore, in the authors' opinion, users only need to upload encrypted data, and a cloud equipped with the corresponding homomorphic hardware accelerator will undertake the large number of homomorphic operations. If possible, acceleration hardware based on a trusted execution environment can be used to further enhance security.