Abstract

With the development of new computing models such as cloud computing, user’s data are at the risk of being leaked. Fully homomorphic encryption (FHE) provides a possible way to fundamentally solve the problem. It enables a third party who does not know anything about the secret key and plaintexts to homomorphically perform any computable functions on the corresponding ciphertexts. In 2009, Gentry proposed the first FHE scheme. After that, its inefficiency has always been a bottleneck of the development of practical schemes and applications. At TCC 2019, Gentry and Halevi proposed the first compressible FHE scheme that enables the ratio of plaintext size to the ciphertext size (i.e., the compression rate) to reach for any small under the standard learning with errors (LWE) assumption. However, it is only a single-key one, where the homomorphic evaluation can only be performed over ciphertexts encrypted under the same key. Compared with single-key FHE, multikey FHE is more practical. Multikey FHE enables ciphertexts encrypted under different public keys to be homomorphically computed without having to decrypt these ciphertexts using their own private keys. In addition, in a multi-identity FHE scheme, only identity information and public parameters are required when encrypting, which simplifies certificate-based key management in public key infrastructure. In this paper, a new compressible ciphertext expansion technique is proposed. Then, we use this technique to construct a compressible multikey FHE scheme and a compressible multi-identity FHE scheme to overcome the bottleneck of bandwidth inefficiency in the multikey and multi-identity settings. The two schemes proposed in this paper make it possible that the objects of homomorphic operation can be the ciphertexts encrypted under different keys or different identities before compression, thus solving the single-key defect of the work of Gentry and Halevi.

1. Introduction

We are quickly entering a new digital era where huge amounts of data will be stored and operated remotely in powerful cloud servers. Cloud computing is a popular option for people and businesses for a number of reasons including cost savings, increased productivity, and performance. With all of these advantages, however, it also raises grave security issues and challenges. User’s sensitive information, such as medical data and organizational secrets, is vulnerable to be leaked to cloud providers and even clients. Thus, it is prudent for users to encrypt their data before transmitting to the cloud.

Fully homomorphic encryption (FHE) provides a fundamental method to solve the issue, making it possible to perform arbitrary operations over encrypted data. In particular, FHE enables the third party who does not know anything about the secret key and plaintexts to homomorphically evaluate any computable functions on the corresponding ciphertexts. Since 2009, when Gentry proposed the first FHE scheme [1], FHE has been a research hot spot. Various FHE schemes were then proposed [24].

However, conventional FHE is only a single-key one, where the homomorphic evaluation can only be performed over ciphertexts encrypted under the same key. Compared with single-key FHE, multikey FHE is more practical. In many scenarios, several users (often mutually distrusting) want to compute a joint function on their collective data, which have been encrypted and stored in the cloud. For example, two medical companies want the cloud to calculate some statistical information on their medical databases that are encrypted using their own public keys and stored on the cloud. In the meantime, they do not want to leak anything except the final result to others. Single-key FHE cannot deal with these situations, while multikey FHE enables ciphertexts encrypted under different public keys to be homomorphically computed without having to decrypt these ciphertexts using their own private keys.

At STOC 2012, López-Alt, Tromer and Vaikuntanathan [5] proposed the notion of multikey FHE (MKFHE) and they provided the first MKFHE candidate from NTRU-based cryptography. At CRYPTO 2015, Clear and McGoldrick [6] constructed an MKFHE scheme based on the learning with errors (LWE) assumption, which was simplified by Mukherjee and Wichs [7] and then followed by [8-11]. Very recently, Chen, Chillotti, and Song proposed an MKFHE scheme [12] based on TFHE [13], and they were the first to implement an MKFHE scheme.

Identity-based FHE (IBFHE) is an identity-based version of FHE. The first IBFHE scheme was achieved by Gentry, Sahai, and Waters [4] using a special compiler, which allows all lattice-based IBE schemes [14, 15] to be compiled into IBFHE schemes. Multi-identity FHE (MIFHE) is an identity-based version of MKFHE. In an MIFHE scheme, only identity information and public parameters are required when encrypting, which simplifies certificate-based key management in public key infrastructure. Clear and McGoldrick [6] also constructed the first MIFHE scheme in the random oracle model based on the GPV-IBE scheme [14].

However, there is always a question plaguing FHE researchers. How bandwidth-efficient can FHE be? Although it is quite easy to achieve public key encryption (PKE) with nearly no loss in bandwidth, the same is nontrivial in the FHE case because there should be much more redundancy in an FHE ciphertext to support homomorphism, which means much more bandwidth waste.

Some works managed to partly improve the inefficiency by using the “dimension-modulus reduction” technique [16, 17] to make ciphertexts have smaller dimensions and coefficients, and some by using the “ciphertext packing” technique [18-20] managed to encrypt an array of plaintexts in a single ciphertext and even encrypt a matrix of plaintexts in a single ciphertext [21, 22]. But none of them achieved a “sufficiently high” rate; that is, none of them break the rate-1/2 bottleneck. Very recently, Gentry and Halevi [23] proposed the first compressible FHE scheme, allowing compressing many ciphertexts into a compressed one, so that the compression rate can reach for any small . A concurrent work of Brakerski et al. [24] also achieved compressible FHE, but their work is more general and is unlikely to yield practical schemes for applications.

A natural question is the following: how can we extend their idea of compressible single-key FHE into compressible MKFHE or compressible MIFHE to achieve an optimal compression rate even in the multikey and multi-identity cases? In other words, we want to construct a compressible MKFHE scheme and a compressible MIFHE scheme that enable ciphertexts encrypted under different public keys and different identities to perform homomorphic operations without having to decrypt these ciphertexts using their own private keys. At the same time, expanded ciphertexts (under the combined key) are supposed to be compressed to achieve an optimal compression rate. In this work, we focus on this problem.

1.1. Technical Overview

We now give a technical overview of our new compressible expansion algorithm, which is the key step towards our constructions of compressible MKFHE and compressible MIFHE. We start with Gentry and Halevi’s basic ideas of constructing compressible single-key FHE [23]. Then, we give a discussion about the difficulties encountered when trying to construct compressible multikey (multi-identity) FHE, which can be solved using our new compressible expansion algorithm.

1.1.1. Compressible Single-Key FHE

We begin with a brief description of the approach of Gentry and Halevi. At a very high level, their approach of building a compressible single-key FHE is based on two ideas:

(i) Using matrix versions of LWE and GSW-FHE [4]. Firstly, they noticed that the conventional GSW-FHE uses only one “slot” to place a message bit. To achieve an optimal compression rate, more message “slots” must be utilized. Their solution is to use LWE with matrix secrets, which yields a matrix version of GSW-FHE. Then, a compression algorithm is added after evaluation, so that multiple ciphertexts can be compressed into one. Besides, the secret key of matrix version is used in the decryption algorithm. The compression rate is now bounded by .

(ii) Using a “nearly square” gadget matrix. The second idea is to transform a “fat” compressed ciphertext matrix into a “nearly square” compressed ciphertext matrix using a “nearly square” gadget matrix with some special properties, which comes with almost no dimension expansion. On the other hand, attributed to , the redundancy in ciphertexts enables us to erase the noise and finally recover the message matrix. Using instead of the original gadget matrix , the compression rate is now , an optimal compression rate!

More information can be found later in Section 2.4.

1.1.2. Compressible Multikey (Multi-Identity) FHE

We propose the first compressible multikey (multi-identity) FHE that achieves an optimal compression rate via a new compressible expansion algorithm. At a high level, the key observation of our compressible expansion algorithm is that we can transform a secret key vector and a “fat” ciphertext matrix into a “nearly square” secret key matrix and a “nearly square” ciphertext matrix, even in the multikey and multi-identity FHE cases.

We note that it is nontrivial to utilize the powerful functionality of the nearly square gadget matrix described above in the multikey (or multi-identity) setting. The idea of using the matrix version of secret key does not directly work because all of the secret matrices for different users, say 2 users totally, are required to decrypt the expanded ciphertext. Hence, the combined key matrix is a “fat” one, rather than a “nearly square” one. To the best of our knowledge, all of the existing GSW-based multikey (or multi-identity) FHE schemes combine secret keys like this. To make the combined secret key matrix more “square,” we must decrease the number of columns of the combined secret key matrix.

Our solution is to delete the identity matrix in every single secret key matrix because it seems like the most insignificant part compared with the LWE secrets. After all, everybody knows there is an identity matrix in the secret key matrix but no one can recover the LWE secrets after discarding them. The combined secret key matrix now becomes , a nearly square one again.

Meanwhile, the structure of corresponding expanded ciphertexts must be tailored to fit the combined secret key. Traditionally, the expanded ciphertexts are supposed to be partitioned into blocks, each with the same size. Since we have discarded some columns of the combined secret key, it is fair to also dump some rows of expanded ciphertexts. In particular, the expanded ciphertexts are now partitioned into blocks, each with different size, i.e.,

However, abandoning some rows disrupts the structure of the G-trapdoor, which bears great responsibility on evaluation and decryption. Here comes our second idea: restoring the disrupted structure of the G-trapdoor. In particular, the expanded ciphertexts should be partitioned into blocks rather than blocks as above. Our construction allows user 1 to generate some additional helper information and associated with the ciphertext when encrypting, and releasing all of them does not compromise semantic security. We define the expanded ciphertext as so that

Part 1 and Part 2 are nothing special and there are many ways to achieve them [6, 7, 11]. The major difficulty lies in Part 3, i.e., . The right-hand side must come from , since the randomness can only come from this. In terms of normal routine, , where is the public key of user 2 and is the encryption randomness. Thus, the only thing left is to construct .

Similarly, the expanded ciphertext for user 2 can be created, and then we can perform regular GSW-like homomorphic evaluations. Our new expansion technique leads to the first compressible MKFHE and the first compressible MIFHE. The relationship between them is just like the relationship between Regev-PKE [25] and GPV-IBE [14]. A more formal and detailed description can be found later in Sections 3 and 4.

1.2. Contribution

In this paper, a new compressible expansion algorithm is proposed, which makes it possible to construct the first compressible MKFHE scheme, as well as the first compressible MIFHE scheme, while the construction of Gentry and Halevi only works for compressible single-key FHE. Informally, the following theorem outlines our main result. A formal version will be presented later in Sections 3 and 4.

Theorem 1. For any , there exist a rate- compressible multikey fully homomorphic encryption scheme that is semantically secure and a rate- compressible multi-identity fully homomorphic encryption scheme that is selectively secure, both under the decisional learning with error assumption.

Besides, as Gentry and Halevi noted, a compressible MKFHE scheme or a compressible MIFHE scheme enables messages always in a compressed state except when operating homomorphic evaluation for a short time. In particular, freshly encrypted ciphertexts are compressed after encryption. The compressed ciphertexts are homomorphically decompressed before performing required homomorphic operations. Finally, these evaluated ciphertexts are compressed again and stored or transmitted to corresponding users.

1.3. Paper Organization

Firstly, we recall some notations, definitions, and facts in Section 2. Then, we present our compressible MKFHE scheme in Section 3 and our compressible MIFHE scheme in Section 4, respectively. Finally, we conclude the paper in Section 5.

2. Preliminaries

There are some notations that we will use throughout this paper. Let denote the security parameter throughout the paper. Matrices are represented by bold uppercase letters (e.g., ), vectors are represented by bold lowercase letters (e.g., ), the -entry of is represented by the notation of , the -dimensional identity matrix is represented by , the concatenation of two matrices is represented by the notation of , and the concatenation of two vectors is represented by the notation of .

2.1. Lattice Trapdoor

Our constructions will make use of the following results including the -trapdoor generation algorithm, sub-Gaussian sampling algorithm, and Gaussian sampling algorithm [26]. We only summarize the following lemmas here while neglecting the details of implementation because they are not strictly required.

Let be a distribution over which outputs 0 with a probability of 0.5, -1 with a probability of 0.25, and 1 with a probability of 0.25 (the notation of will be used throughout this paper to denote this distribution).

Given an integer , for any , define , where . The notation of will be used throughout this paper.

Lemma 1 (see [26]). Let be positive integers such that , , and . For , invertible , and , there exists an efficiently randomized algorithm GenTrap () to generate a matrix with trapdoor and tag such that is negl-far from uniform. The matrix is called the -trapdoor of with tag .

Lemma 2 (see [26, 27]). Given any matrix , there exists an efficiently randomized algorithm that samples a sub-Gaussian matrix with some constant parameter over such that , where the gadget matrix is specified as above.

Lemma 3 (see [26]). Using the parameters described in Lemma 1, given a uniformly random vector , there exists an efficient algorithm that samples a vector over for some and satisfying .

2.2. LWE

The learning with errors (LWE) problem plays an important role in lattice-based cryptography. Although a ring-based version is more efficient, this work is confined to LWE. We define the decisional LWE () problem as follows.

Definition 1. (DLWE) For positive integers and an error distribution over , let be the distribution of over , where , , and ; and additions are performed in . Given independent instances sampled either from the uniform distribution over or from , the decisional learning with errors () problem is to determine which distribution these samples come from. The DLWE assumption says that these two distributions are computationally indistinguishable.
For simplicity, is frequently used to denote and to denote for . It is generally known that the problem in the average case is as hard as approximation lattices problems with approximation factors of in the worst case by quantum or classical reductions, when [25, 26, 28, 29].
In this work, we rely on the matrix form of LWE denoted by MLWE.

Definition 2. (MLWE) For positive integers and an error distribution over , the problem is to distinguish between , where ; and additions are performed in , and sampled uniformly at random from .
Standard hybrid arguments show that MLWE is equivalent to DLWE with at most an factor loss in the distinguishing advantage.

2.3. GSW-FHE

In this subsection, a matrix version of GSW-FHE [4] is given.

GSW.Setup: Given a security parameter , choose a lattice dimension , a sufficiently large modulus , a number of LWE instances , and a -bounded error distribution . Set , , and . Output public parameters .

GSW.KeyGen(): Randomly choose , , and . Compute . Let the secret key and public key be and . Note that . Output .

GSW.Enc(): Choose random matrices . Set . Output the ciphertext .

GSW.Dec: Let be the penultimate column vector of and let be any column of . Output , where maps a number to 0 if it is closer to 0 and to 1 if it is closer to .

GSW.Eval: To homomorphically evaluate a function , perform homomorphic addition and multiplication in sequence.

Addition: .

Multiplication: .

This also allows us to compute a homomorphic NAND gate by outputting .

The correctness of decryption and homomorphic evaluation is obvious due to the correctness of the conventional GSW-FHE, and the semantic security is based on the MLWE assumption, which is in turn based on the DLWE assumption.
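The scheme above as a toy, added here as an example and not taken from the paper or from any FHE library. It assumes a single secret row s = [s' | 1] where the matrix version has several, a power-of-two modulus, deterministic bit decomposition in place of the randomized sub-Gaussian sampler of Lemma 2, and decryption read from the column where s·G equals q/2; all function names and parameter values are constructed for illustration.

```python
import random

# Toy parameters, constructed for illustration only (far too small to be secure).
N_LWE = 3            # LWE dimension n
ELL = 24             # modulus q = 2^ELL
Q = 1 << ELL
N = N_LWE + 1        # ciphertext rows
M = N * ELL          # ciphertext columns, also the width of the gadget matrix G
rng = random.Random(2019)   # fixed seed so the run is reproducible

def matmul(X, Y):
    """Matrix product mod Q on lists of rows."""
    Yt = list(zip(*Y))
    return [[sum(a * b for a, b in zip(row, col)) % Q for col in Yt] for row in X]

def gadget():
    """G = I_N (x) (1, 2, ..., 2^(ELL-1)), an N x M matrix."""
    return [[(1 << (j % ELL)) if j // ELL == i else 0 for j in range(M)]
            for i in range(N)]

def g_inverse(C):
    """Bit-decompose C (N x M, entries in [0, Q)) into a 0/1 matrix X with G*X = C."""
    return [[(C[i][j] >> b) & 1 for j in range(M)]
            for i in range(N) for b in range(ELL)]

def keygen():
    """Secret s = [s' | 1], public P = [-A ; s'A + e], so that s*P = e (small)."""
    s_prime = [rng.randrange(Q) for _ in range(N_LWE)]
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N_LWE)]
    e = [rng.choice((-1, 0, 1)) for _ in range(M)]
    b = [(sum(s_prime[k] * A[k][j] for k in range(N_LWE)) + e[j]) % Q
         for j in range(M)]
    P = [[(-x) % Q for x in row] for row in A] + [b]
    return s_prime + [1], P

def encrypt(P, mu):
    """C = P*R + mu*G with a random 0/1 matrix R."""
    R = [[rng.randrange(2) for _ in range(M)] for _ in range(M)]
    PR, G = matmul(P, R), gadget()
    return [[(PR[i][j] + mu * G[i][j]) % Q for j in range(M)] for i in range(N)]

def phase(s, C):
    """s*C mod Q as a length-M vector; equals mu*(s*G) + noise."""
    return matmul([s], C)[0]

def decrypt(s, C):
    """Last column of s*G is Q/2 (since s ends in 1), so round against Q/2."""
    v = phase(s, C)[M - 1]
    return 1 if Q // 4 <= v < 3 * Q // 4 else 0

def noise(s, C, mu):
    """Largest absolute entry of s*C - mu*(s*G), centred modulo Q."""
    sG = matmul([s], gadget())[0]
    worst = 0
    for v, g in zip(phase(s, C), sG):
        d = (v - mu * g) % Q
        worst = max(worst, min(d, Q - d))
    return worst

def nand(C1, C2):
    """Homomorphic NAND: G - C1 * G^{-1}(C2)."""
    G, prod = gadget(), matmul(C1, g_inverse(C2))
    return [[(G[i][j] - prod[i][j]) % Q for j in range(M)] for i in range(N)]

if __name__ == "__main__":
    s, P = keygen()
    for a in (0, 1):
        for b in (0, 1):
            ca, cb = encrypt(P, a), encrypt(P, b)
            out = nand(ca, cb)
            print(a, b, "NAND ->", decrypt(s, out),
                  "noise", noise(s, out, 1 - a * b))
```

With these sizes a fresh ciphertext has noise at most M, and one NAND raises the bound to M·M + M, which is the growth that bootstrapping or a larger modulus has to absorb.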

2.4. Compressible Single-Key FHE

Very recently, Gentry and Halevi proposed the first compressible single-key FHE. At a high level, their approach is based on two ideas:

(i) Using matrix versions of LWE and GSW-FHE [4]. Firstly, they noticed that the conventional GSW-FHE uses only one “slot” when decrypting, i.e.,

Their solution to utilize more “slots” is to use LWE with matrix secrets, which yields the matrix version of GSW-FHE described above. They added a compression algorithm after evaluation:

where is the compressed ciphertext and is an matrix that has 1 in the row and column and 0’s in all other entries. Then the matrix secrets are used in the decryption algorithm:

where . The compression rate is now bounded by .

(ii) Using a “nearly square” gadget matrix. The second idea is to transform a “fat” compressed ciphertext matrix into a “nearly square” compressed ciphertext matrix using a “nearly square” gadget matrix with some special properties, which comes with almost no dimension expansion. On the other hand, attributed to , the redundancy in ciphertexts enables us to erase the noise and finally recover the message matrix. We omit the details of constructing the “nearly square” gadget matrix because it is not strictly required in this paper. The essential characteristic of that is required in our construction is that it has a “public trapdoor” matrix satisfying the following:

(1) has small entries ();

(2) (mod ), i.e., all rows of span the kernel space of modulo ;

(3) is full rank over ;

(4) is efficiently computable.

Then, the compression algorithms can produce an optimal rate compressed ciphertext. In particular, let be GSW ciphertexts encrypting . Set the compressed ciphertext where is an matrix that has 1 in the row and column and 0’s in all other entries.

Roughly speaking, they have now achieved an optimal compression rate because after “routine decryption” we get where . The compression rate is now , an optimal compression rate!

In particular, they upgrade the “routine decryption” into “compressed decryption” which is composed of four steps:

(1) (mod ), where is a message matrix; is the nearly square gadget matrix; is a small error matrix;

(2) (mod ), where is the public trapdoor matrix;

(3) (note that is full rank over and it is required that every entry of does not wrap around );

(4) (mod ) (note that is a row full-rank matrix modulo ).

Recall that the compression rate is the ratio of plaintext size to the ciphertext size. To achieve an optimal compression rate of for some small , set , where is the compression parameter defined as a function of the desired compression rate. Then the compression rate .

The additional compression algorithm does not compromise security and the key-generation, encryption, and evaluation algorithms are basically the same as the ones of matrix version of GSW-FHE. Thus, the semantic security of their compressible FHE is based solely on the DLWE assumption. However, the compressed ciphertexts are not GSW ciphertexts any longer, which means they can only support homomorphic addition and multiplication on the left by some GSW ciphertexts encrypting a small scalar. For more information, please refer to [23].

3. Compressible Multikey Fully Homomorphic Encryption

In this section, utilizing the idea of our new compressible expansion algorithm described in Section 1.1, we propose the first compressible MKFHE scheme and analyze the correctness and security level of the construction.

3.1. Compressible Multikey FHE

We begin with the definition of compressible MKFHE, which is adapted from the definitions of compressible FHE in [23] and MKFHE in [7].

Definition 3. A compressible multikey fully homomorphic encryption scheme consists of seven PPT algorithms defined as follows:

: Take a security parameter and a bound on the number of users involved as inputs and output parameters . is taken in as an input in all of the following algorithms; thus, we just omit it.

: Output a secret key and a public key for the user.

: Take a public key and a bit as inputs, and output a fresh low-rate ciphertext .

: Take public keys and a fresh ciphertext under the public key as inputs; and compute and output an expanded low-rate ciphertext under ’s public keys .

: Take a circuit and a vector of expanded ciphertexts as inputs, corresponding to each input bit of , and output another vector of evaluated low-rate ciphertext , corresponding to each output bit of .

: Take a vector of expanded or evaluated low-rate ciphertexts as inputs, and output one or more compressed high-rate ciphertext(s) .

: Take secret keys , corresponding to identities , and the compressed ciphertext(s) as inputs, and output a vector of message bits corresponding to .

The scheme is said to be correct if, for every allowed circuit and a vector of message bits corresponding to each input bit of , it holds that where each .

Using the parameters described above, the scheme is said to have a compression rate of for any if, for every allowed circuit that has sufficiently long outputs, the compression rate

The semantic security definition for compressible multikey fully homomorphic encryption is the same as that for multikey fully homomorphic encryption, which is the same as that for single-key fully homomorphic encryption because all of parameters used in the expansion and compression algorithms are public and thus do not compromise security. In particular, given a security parameter and a bound on the number of users involved, the following distributions are computationally indistinguishable: where and . We do not consider the distributed decryption for our MKFHE scheme, which can be used to construct round-efficient secure multiparty computation protocols, and instead put the main focus on the compressible expansion algorithm.

3.2. Our Construction

C-MKFHE.Setup: Choose a lattice dimension parameter , a sufficiently large modulus , a -bounded error distribution , and a compression parameter . The parameter will be specified in Subsection 3.3.2. All of the rows of the nearly square gadget matrix span the kernel space of its public trapdoor matrix having the properties stated in 2.4. Let , , , , and . Then, set and . Choose a random matrix . Output .

C-MKFHE.KeyGen(): Choose random matrices and . Compute . Let the secret key and public key be and . Note that . Output .

C-MKFHE.Enc(): Given a message bit , randomly select a matrix . Set

Then, partition as follows: where . Let be the last columns of . Note that

For , compute where and .

Set

Output a tuple of encryption

C-MKFHE.Exp(): For every , compute that is, , where is an matrix that has in the row and the column and 0’s in all other entries. Set

Compute

Finally, expand a fresh ciphertext to an expanded one.

Output .

C-MKFHE.Comp: In this algorithm, a series of low-rate expanded (or evaluated) ciphertexts are compressed into a high-rate ciphertext. Let , where is an matrix that has in the row and the column and 0’s in all other entries. Set the compressed ciphertext as

Note that the nearly square gadget matrix and its public trapdoor play a significant role in the compression and compressed decryption algorithms.

C-MKFHE.CompDec: Given a compressed ciphertext , set the combined key . The compressed decryption is composed of four steps:

(1) (mod );

(2) (mod ), where is the public trapdoor matrix;

(3) (note that is full rank over );

(4) (mod ) (note that is a row full-rank matrix modulo , so that there exists a matrix such that ).

C-MKFHE.NAND: Given two expanded ciphertext matrices for two plaintexts , homomorphic NAND operation is defined as

Output . Observe that is randomized, and so is this algorithm.

C-MKFHE.Eval: An NAND-circuit is applied to a set of ciphertexts , which leads to a ciphertext .

3.3. Setting the Parameters

In this subsection, the correctness, homomorphic properties, security, and compression rate of the proposed compressible MKFHE are analyzed. If we use a somewhat (or leveled) version without bootstrapping, then the error bound is dependent on the maximal multiplication depth of allowed evaluated functions. In this paper, we would like to give an asymptotic analysis of various parameters of a fully homomorphic one with bootstrapping so that all ciphertexts before being packed have an error bound similar to that of freshly expanded ciphertexts.

3.3.1. Correctness and Homomorphism

The correctness of compressed decryption may be less obvious, since the encryption and expansion algorithms are quite different from previous ones. During encryption, it holds that because .

Besides, for the additional helper information matrices, we have because .

During the expansion algorithm, those weird matrices and are customized to eliminate the undesired in . In particular, we have

The underlined part can be a tricky step. We now analyze it as follows: where is an matrix that has in the row and the column and 0’s in all other entries.

Thus, for any expanded ciphertext, we have

There are only two types of all blocks in the above seemingly cumbersome matrix. The first comes from equation (23) by partitioning

The second comes from equations (24)–(26):

Finally, we get the most important decryption invariant in all GSW-like encryption from equations (28)–(30):

In terms of the error bound, we have ; that is, with overwhelming probability.

With equation (31) in mind, everything turns familiar again. Homomorphic properties are obvious, and one can find them in most GSW-like FHE (or MKFHE) schemes. Thus, we just omit them here.

On the other hand, the correctness of compressed decryption also turns obvious. According to equation (31), we have where is an matrix that has in the row and the column and 0’s in all other entries and is a compressed plaintext matrix that can be obtained from , by using Gentry and Halevi’s idea of the nearly square gadget matrix, which was briefly described in 2.4. That is,

(1) (mod ), where is the public trapdoor matrix;

(2) (note that is full rank over );

(3) (mod ) (note that is a row full-rank matrix modulo , so that there exists a matrix such that ).

The matrix is the desired one if every entry of does not wrap around ; that is, over the integers. As for the error bound, we have ; that is, with overwhelming probability. On the other hand, by the construction of the public trapdoor matrix , it is required that .

3.3.2. Security and Compression Rate

It remains to show the security level and compression rate of our construction.

The additional expansion and compression algorithms are public and do not compromise security. The key-generation algorithm is basically the same as that of the underlying GSW-FHE scheme. In addition, during the encryption procedure, a fresh ciphertext for the user consists of two parts and , of which randomness matrices are mutually independent, all in a similar encryption form. Exploiting a standard hybrid analysis, one can easily verify that the semantic security of our compressible MKFHE is based solely on the DLWE assumption.

The view of the attacker is the following distribution: generated via , , and , where .

We prove the semantic security of our construction by relying on the semantic security of the underlying matrix version of GSW-FHE scheme. The proof consists of the following hybrids:

(1) Firstly, we alter each of the ciphertexts , where so that, instead of being GSW ciphertexts of , we change them to GSW ciphertexts of 0. It follows from the semantic security of GSW encryption which is based solely on the DLWE assumption.

(2) After the first step, no information about the encryption randomness is given out. Then, we choose as a GSW ciphertext of 0. It also follows from the semantic security of GSW encryption.

(3) Finally, the distribution is totally irrelevant to the plaintext bit , which completes the proof.

Then, let us consider the compression rate of our construction. Recall that is the compression parameter. In order to achieve a compression rate of for some small , it is sufficient to set , so that the compression rate

Thus, we need

Setting , we need . This means that the semantic security of our construction is based on approximation lattices problems with gap . In particular, if we view the compression rate and maximal number of parties involved as constants, then the hardness is only based on ones with polynomial gap. Formally, we have the following theorem.

Theorem 2. For any , there exists a rate- compressible multikey fully homomorphic scheme that is semantically secure assuming the hardness of approximate lattices problems with gap .

4. Compressible Multi-Identity Fully Homomorphic Encryption

In this section, we propose the first compressible MIFHE scheme. All of the new techniques and analyses are similar to what we have done when constructing compressible MKFHE scheme.

4.1. Compressible Multi-Identity FHE

Similarly, we begin with the definition of the compressible MIFHE.

Definition 4. A compressible multi-identity fully homomorphic encryption scheme consists of seven PPT algorithms defined as follows:

: Take a security parameter and a bound on the number of identities involved as inputs, generate a master public key and a master secret key , and output . is taken in as an input in all of the following algorithms; thus, we just omit it. The security parameter also defines an identity space .

: Take the master secret key and an identity as inputs; and extract and output a user-specific secret key for .

: Take an identity and a bit as inputs, and output a fresh low-rate ciphertext under the identity .

: Take identities and a fresh ciphertext under the identity as inputs; and compute and output an expanded low-rate ciphertext under ’s identities .

: Take a circuit and a vector of expanded ciphertexts as inputs, corresponding to each input bit of , and output another vector of evaluated low-rate ciphertext , corresponding to each output bit of .

: Take a vector of expanded or evaluated low-rate ciphertexts as inputs, and output one or more compressed high-rate ciphertext(s) .

: Take secret keys , corresponding to identities as inputs, as well as the compressed ciphertext(s) , and output a vector of message bits corresponding to .

The definitions of correctness and compression rate are exactly the same as those of the compressible MKFHE in Section 3.1. The selective security definition for compressible multi-identity fully homomorphic encryption is the same as that for multi-identity fully homomorphic encryption, which is the same as that for identity-based encryption. We do not consider the distributed decryption for our MIFHE scheme, which can be used to construct round-efficient secure multiparty computation protocols, and instead put the main focus on the compressible expansion algorithm.

4.2. Public Parameters

Before giving our construction of the first compressible MIFHE scheme, we first describe some public parameters that will be used throughout the rest of this section.
(i) Let be the maximum number of identities the scheme can support. The integer is a lattice dimension parameter. The modulus is a sufficiently large number. Let , , , and .
(ii) Given any matrix , by Lemma 2, there exists an efficient randomized algorithm that samples a sub-Gaussian matrix with some constant parameter over such that .
(iii) Let be the distribution over as defined in Subsection 2.1, such that is -far from for and . For more information, please refer to [26].
(iv) Every identity is assumed to have a counterpart element in . is said to be an invertible difference, if is computable in polynomial time in and is invertible for any two different identities . For more information, please refer to [15].
(v) The LWE error rate should be sufficiently large satisfying for the sake of security.
(vi) Let be the compression parameter. The parameter will be specified in Subsection 4.4.2. All of the rows of the nearly square gadget matrix span the kernel space of its public trapdoor matrix having the properties stated in Subsection 2.4. Then, set and .

4.3. Our Construction

C-MIFHE.Setup: Choose , , and . Let . Let the master secret key and the master public key be and . Output .
C-MIFHE.Ext(): Given , compute and set . Sample vectors for with small entries satisfying by running the algorithm . Set . Let the secret key and public key for be and . Note that . Output .
C-MIFHE.Enc(): Given a message bit , randomly select two matrices and , where , , and , where for . Set

Remark 1. The setting of error parameters, especially , plays a critical role in the security proof. For more information, please refer to [30, 31].
Then, partition as follows: where .
For every , randomly select two matrices and , where , and , where for . Set
Then, decompose the matrix that has every entry in to matrices in binary representation , where .
For , compute
where , is extracted from the same distribution of , and , where and is extracted from the same distribution of , and .
Set , where . Output a tuple of encryption .
C-MIFHE.Exp(): For every , compute
that is, , where is an matrix that has in the row and the column and 0’s in all other entries. Set
Compute
Finally, expand a fresh ciphertext to an expanded one.
Output .
C-MIFHE.Comp: In this algorithm, a series of low-rate expanded (or evaluated) ciphertexts are compressed into a high-rate ciphertext. Let , where is a matrix that has in the row and the column and 0’s in all other entries. Set the compressed ciphertext as
Note that the nearly square gadget matrix and its public trapdoor play a significant role in the compression and compressed decryption algorithms.
C-MIFHE.CompDec: Given a compressed ciphertext , set the combined key . The compressed decryption is composed of four steps:
(1) (mod );
(2) (mod ), where is the public trapdoor matrix;
(3) (note that is full rank over );
(4) (mod ) (note that is a row full-rank matrix modulo , so that there exists a matrix such that ).
C-MIFHE.NAND: Given two expanded ciphertext matrices for two plaintexts , the homomorphic NAND operation is defined as
Output . Observe that is randomized, and so is this algorithm.
C-MIFHE.Eval: A NAND-circuit is applied to a set of ciphertexts , which leads to a ciphertext .

4.4. Setting the Parameters

In this subsection, the correctness, homomorphic properties, security, and compression rate of the proposed compressible MIFHE are analyzed. If we use a somewhat (or leveled) version without bootstrapping, then the error bound is dependent on the maximal multiplication depth of allowed evaluated functions. In this paper, we would like to give an asymptotic analysis of various parameters of a fully homomorphic one with bootstrapping, so that all ciphertexts before being packed have an error bound similar to that of freshly expanded ciphertexts.

4.4.1. Correctness and Homomorphism

The correctness of compressed decryption may be less obvious, since the encryption and expansion algorithms are quite different from previous ones. During encryption, it holds that, for every identity and ,
because . One can calculate the error bound ; that is, with overwhelming probability.

Besides, for the additional helper information matrices, we have
because . Similarly, one can easily verify that, with overwhelming probability,

During the expansion algorithm, those weird matrices and are customized to eliminate the undesired in . In particular, we have

The underlined part can be a tricky step. We now analyze it as follows:
where is a matrix that has in the row and the column and 0’s in all other entries.

Thus, for any expanded ciphertext, we have

There are only two types of blocks in the above seemingly cumbersome matrix. The first comes from equation (47) by partitioning

The second comes from equations (48), (49), and (51):

Finally, we get the most important decryption invariant in all GSW-like encryptions from equations (52)–(54).

In terms of the error bound, we have ; that is, with overwhelming probability.

With equation (55) in mind, everything turns familiar again. Homomorphic properties are obvious, and one can find them in most GSW-like FHE (or MKFHE) schemes. Thus, we just omit them here.
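The decryption invariant and the NAND rule that "most GSW-like" schemes share can be checked on a toy instance. The following is an added example, not code from the paper: it implements plain single-key, symmetric-key GSW (not the C-MIFHE construction), with a deterministic bit decomposition standing in for the randomized sub-Gaussian one, and all parameter values and function names are assumptions chosen for illustration.

```python
import random

N_LWE, LOGQ = 3, 20                       # toy sizes (assumed here); not secure
Q = 1 << LOGQ
ROWS, COLS = N_LWE + 1, (N_LWE + 1) * LOGQ

def gadget():
    # G = I (x) (1, 2, ..., 2^(LOGQ-1)), a ROWS x COLS matrix
    return [[(1 << (c % LOGQ)) if c // LOGQ == r else 0 for c in range(COLS)]
            for r in range(ROWS)]

def g_inverse(M):
    # Deterministic bit decomposition: 0/1 matrix X with G*X = M (mod Q)
    return [[(M[k // LOGQ][c] >> (k % LOGQ)) & 1 for c in range(len(M[0]))]
            for k in range(COLS)]

def matmul(A, B):
    Bt = list(zip(*B))
    return [[sum(a * b for a, b in zip(row, col)) % Q for col in Bt] for row in A]

def keygen(rng):
    return [rng.randrange(Q) for _ in range(N_LWE)]   # secret s; key vector is (-s, 1)

def encrypt(s, mu, rng):
    # C = A + mu*G, where (-s, 1)*A = e with entries of e in {-1, 0, 1}
    B = [[rng.randrange(Q) for _ in range(COLS)] for _ in range(N_LWE)]
    last = [(sum(s[i] * B[i][c] for i in range(N_LWE)) + rng.choice((-1, 0, 1))) % Q
            for c in range(COLS)]
    A, G = B + [last], gadget()
    return [[(A[r][c] + mu * G[r][c]) % Q for c in range(COLS)] for r in range(ROWS)]

def phase(s, C):
    # (-s, 1)*C in the last column, where (-s, 1)*G = Q/2: equals mu*Q/2 + noise
    return (C[N_LWE][-1] - sum(s[i] * C[i][-1] for i in range(N_LWE))) % Q

def decrypt(s, C):
    return 1 if Q // 4 <= phase(s, C) < 3 * Q // 4 else 0

def noise(s, C, mu):
    # |phase - mu*Q/2| centred mod Q; decryption is correct while this is below Q/4
    v = (phase(s, C) - mu * (Q // 2)) % Q
    return min(v, Q - v)

def nand(C1, C2):
    # G - C1 * G^{-1}(C2): invariant becomes (1 - mu1*mu2)*(-s, 1)*G - new noise
    P, G = matmul(C1, g_inverse(C2)), gadget()
    return [[(G[r][c] - P[r][c]) % Q for c in range(COLS)] for r in range(ROWS)]
```
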

On the other hand, the correctness of compressed decryption also becomes obvious. According to equation (55), we have
where is a matrix that has in the row and the column and 0’s in all other entries, and is a compressed plaintext matrix that can be obtained from , by using Gentry and Halevi’s idea of the nearly square gadget matrix, which was briefly described in 2.4. That is,
(1) (mod ), where is the public trapdoor matrix;
(2) (note that is full rank over );
(3) (mod ) (note that is a row full-rank matrix modulo , so that there exists a matrix such that ).

The matrix is the desired one if every entry of does not wrap around ; that is, over the integers. As for the error bound, we have , i.e., with overwhelming probability. On the other hand, by the construction of the public trapdoor matrix , it is required that .

4.4.2. Security and Compression Rate

The security level and compression rate of our construction remain to be shown.

The additional expansion and compression algorithms are public and do not compromise security. The key-extraction algorithm is similar to that of the underlying IBE in [15, 26] (ABB-IBE). In addition, during the encryption procedure, a fresh ciphertext for the user consists of three parts , and , of which randomness matrices are mutually independent, all in a similar form. Exploiting a standard hybrid analysis, one can easily verify that the selective security of our compressible MIFHE is based solely on the DLWE assumption.

The view of the attacker is the following distribution: , where generated via , , and , where .

We prove the selective security of our construction by relying on the selective security of the underlying ABB-IBE. The proof consists of the following hybrids:
(1) Firstly, we alter each of the ciphertexts , where , so that, instead of being ciphertexts of , we change them to ciphertexts of 0. It follows from the selective security of ABB-IBE, which is based solely on the DLWE assumption.
(2) After the first step, no information about the encryption randomness is given out. Then, we choose as ciphertexts of 0. It also follows from the selective security of ABB-IBE.
(3) Finally, the distribution is totally irrelevant to the plaintext bit , which completes the proof.

Then, let us consider the compression rate of our construction. Recall that is the compression parameter. In order to achieve a compression rate of for some small , it is sufficient to set , so that the compression rate

Thus, we need

Setting , we need . This means that the selective security of our construction is based on approximate lattice problems with gap . In particular, if we view the compression rate and maximal number of parties involved as constants, then the hardness is based only on such problems with a polynomial gap. Formally, we have the following theorem.

Theorem 3. For any , there exists a rate- compressible multi-identity fully homomorphic scheme that is selectively secure assuming the hardness of approximate lattice problems with gap .

5. Conclusion

Many outsourced computations require homomorphic evaluations on data provided by different owners (often mutually distrusting) and thus encrypted under their own keys. Single-key FHE only allows homomorphic evaluation over ciphertexts encrypted under the same key, whereas MKFHE and MIFHE allow evaluation over ciphertexts encrypted under different keys or different identities and thus solve this issue. However, the compression rate (the ratio of plaintext size to the ciphertext size) is often too small to be tolerated. Our main technical contribution is a new compressible expansion algorithm. Furthermore, we presented the first compressible MKFHE scheme that is semantically secure and the first compressible MIFHE scheme that is selectively secure, both under the decisional learning with errors assumption, and both can reach an optimal compression rate. Our future direction is to concretely construct a homomorphic decompression algorithm to unpack compressed ciphertexts, which is a limitation of our constructions because homomorphic evaluations (except some special ones) are not allowed after compression.

Data Availability

No data were required in this work.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was supported in part by the National Key R&D Program of China (no. 2017YFB0802000), the National Natural Science Foundation of China (nos. U1705264, 61972124, 61672030, and 11974096), the Zhejiang Provincial Natural Science Foundation of China (no. LY19F020019), the Research Foundation of Guangxi Key Laboratory of Cryptography and Information Security (no. GCIS201725), and the Research Foundation of Hangzhou Normal University (no. 2017QDL002).