ResearchArticle - Hindawi Publishing Corporationdownloads.hindawi.com/journals/scn/2018/6362010.pdf · searchable encryption [], and ciphertext retrieval scheme ... ing ciphertexts

Research ArticleAnalysis on Matrix GSW-FHE and Optimizing Bootstrapping

Xiufeng Zhao 1 Hefeng Mao1 Shuai Liu1 Weitao Song1 and Bo Zhang 23

1Department of Information Research and Security Zhengzhou Information Science Technology Institute Zhengzhou 450001 China2School of Information Technology Deakin University Victoria 3125 Australia3School of Information Science and Engineering University of Jinan Jinan 250022 China

Correspondence should be addressed to Xiufeng Zhao zhao xiu feng163com

Received 8 August 2018 Revised 29 October 2018 Accepted 3 December 2018 Published 19 December 2018

Guest Editor Zhaoqing Pan

Copyright copy 2018 Xiufeng Zhao et al This is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

With the rapid development of multimedia technologies the multimedia data storage and outsource computation are delegatedto the untrusted cloud which has led to a series of challenging security and privacy threats Fully homomorphic encryptioncan be used to protect the privacy of cloud data and solve the trust problem of third party In this paper we analyse circularsecurity of matrix GSW-FHE schemeWe derive a sufficient condition of circular security for matrix GSW-FHE scheme It allowsus to choose a good secret key via ldquoreject samplerdquo technique and furthermore obtain circular secure matrix GSW-FHE schemeWe also give an extended version of matrix GSW-FHE by defining deterministic asymmetric encryption algorithm and proposehybrid homomorphic plaintext slot-wise switching method which significantly reduces computation and storage complexity ofbootstrapping key generation thus optimizing the bootstrapping procedure

1 Introduction

With the rapid development of multimedia technologies forexample high-efficiency video coding (HEVC) is becomingpopular due to its excellent coding performance [1] themultimedia data storage and outsource computation aredelegated to the untrusted cloud server which has led to aseries of challenging security and privacy threats To tacklethe security and privacy issues in cloud computing andstorage a lot of researches have been performed such as fullyhomomorphic encryption [2 3] attribute-based encryptionsearchable encryption [4] and ciphertext retrieval scheme[5 6] The concept of homomorphic encryption is proposedby Rivest et al [7] and Gentry [2 3] proposed the firstfully homomorphic encryption (FHE) scheme based on ideallattice FHE allows us to evaluate any function over ciphertextand obtain the function over corresponding plaintext bydecryption Fully homomorphic encryption can be usedto protect the privacy of cloud data and solve the trustproblem of untrusted third party So the fully homomorphicencryption has a broad application prospect in the cloudcomputation and the big data field There are many fullyhomomorphic encryption schemes based NP-hard problems

such as ideal lattice [2 3] LWE [8 9] RLWE [10] LWR [11]and so forth

The difficulty of constructing fully homomorphic encryp-tion scheme is reducing the noise in the ciphertext Thenoise increases rapidly during ciphertext evaluations andeventually reaches a threshold beyond which we can nolonger decrypt the resulting ciphertext correctly Thereforethe somewhat homomorphic encryption scheme is con-structed which can homomorphically evaluates arithmeticcircuits of limited depth To get pure fully homomorphicencryption scheme Gentry proposed bootstrapping tech-nique The bootstrapping technique is currently the onlyway to get pure fully homomorphic encryption from some-what homomorphic encryption Its main idea is refreshingciphertext by homomorphic decryption and getting freshciphertext and realizing the purpose of reducing ciphertextnoise The critical process of bootstrapping technique isencrypting the pieces of secret key and the correspond-ing ciphertexts are viewed as public evaluation key Thusthe homomorphic encryption scheme must enjoy circularsecurity

Unfortunately all known FHE schemes are supposedto be circular secure except [10 12] If fully homomorphic

HindawiSecurity and Communication NetworksVolume 2018 Article ID 6362010 9 pageshttpsdoiorg10115520186362010

2 Security and Communication Networks

encryption scheme satisfies circular security it is not nec-essary to generate as many public evaluation keys as thedepth of evaluation circuit But being circular secure is nota naive security attribute so it is necessary to analyse circularsecurity for concrete fully homomorphic encryption schemeMeanwhile bootstrapping is used to refresh ciphertext andthe procedure is implemented frequently to get pure fullyhomomorphic encryption Therefore how to improve thebootstrapping efficiency is worth intensive studying

Our ResultsWeanalyse circular security ofmatrixGSW-FHEscheme [13] From formal definition of circular security wederive a sufficient condition of circular security for matrixGSW-FHE scheme That is the matrix GSW-FHE schemesatisfies circular security with some function if the equationsabout secret key have solution over Z119902 Therefore we canchoose a good secret key via ldquoreject samplerdquo techniqueand furthermore obtain circular secure matrix GSW-FHEscheme

We also give an extended version of matrix GSW-FHEby defining deterministic asymmetric encryption algorithmTo simplify the homomorphic equality test procedure wepropose hybrid homomorphic plaintext slot-wise switch-ing method using symmetric encryption and deterministicpublic encryption algorithms which significantly reducescomputational cost of bootstrapping key generation thusoptimizing the bootstrapping procedure of work [13]

Wemay implement a trade-off between computation andstorage complexity of bootstrapping We delete part of thebootstrapping keys and compute them online when runningRounding procedure In view of that their computationinvolves only matrix additions this cuts down the size ofthe large public bootstrapping key by a third paying matrixadditions with negligible computation complex

RelatedWorks Encryption scheme achieves circular securityif it remains secure and even the secret key is encrypted undercorresponding public key In other words circular secureencryption scheme resists key-dependent message (KDM)attack

In the last few years circular secure encryption schemeshave been studied extensively [14ndash17] Boneh et al con-structed a circular secure public key encryption schemebasedon the DDH assumption without random oracle [16] Basedon Regevrsquos LWE-based encryption scheme [18] Applebaumet al constructed efficient cryptosystems enjoying circularsecure [17] Brakerski and Vaikuntanathan [10] proposedcircular secure homomorphic encryption scheme based onthe ring-LWE assumption The main idea in the work of[10 17] is generating a valid ciphertext that decrypts to amessage related to secret key Because the entries of secret keyare not in the message space they introduced ldquonoise floodingtechniquerdquo and ldquorerandom techniquerdquo to ldquofitrdquo the entries intothe message space

Brakerski and Vaikuntanathan presented a fully homo-morphic encryption scheme based on the LWE assumptionusing relinearization technique [8] The relinearization pro-cess allows doing one multiplication without increasing thesize of the ciphertext and obtaining an encryption of the

product under a new secret key Posting a ldquochainrdquo of 119871 secretkeys allows performing up to 119871 levels of multiplications with-out blowing up to the ciphertext size Yang et al consider thatif the relinearization satisfies circular security the ldquochainrdquo of119871 secret keys may be back down to only one secret key andthey proposed a circular secure relinearization by defining anew assumption [12]

EuroCrypt 2013 Gentry Sahai and Waters proposed anew fully homomorphic encryption scheme based on theapproximate eigenvector method which is called GSW-FHE[19] In the GSW-FHE scheme homomorphic addition andmultiplication are just matrix addition and multiplicationBut GSW scheme operates one bit every running encryptionalgorithm PKC 2015 Hiromasa et al constructed a variantof GSW scheme called matrix GSW-FHE which encryptsmatrices and supports homomorphic matrix addition andmultiplication And they optimized the bootstrapping pro-cedure of Alperin-Sheriff and Peikert [20] using the matrixGSW-FHE scheme [13] To achieve homomorphic matrixoperation the pubic key of matrix GSW-FHE schemeincludes the ciphertexts that encrypt partial information ofthe secret key so the matrix GSW-FHE scheme resorts tocircular security assumption but formal circular securityproof was not given and it remains an open problem

There are other works to optimize the bootstrappingprocedure Ducas et al [21] proposed FHEW scheme whichaccelerates bootstrapping via embedding the cyclic group Z119902

into the group of roots of unity 119894 997888rarr 119883119894 where 119894 is aprimitive q-th root of unity Wang and Tang [22] proposed aninteger bootstrapping scheme by introducing new methodsto evaluate integer polynomials with GSW-FHE and theyextended the method to packing by encrypting the integersdiagonally in a matrix as the matrix GSW-FHE proposed byHiromasa et al [13] Similarly their scheme resorts to circularsecurity assumption

On the other hand packing technique is used to evaluateefficiently a large number of ciphertexts and it allows usto apply single-instruction-multiple-data (SIMD) homomor-phic operations to all encrypted data [23 24] The boot-strapping procedure [13 20] is optimized by embedding Z119902

into symmetric group 119878119902 the multiplication group of q timesq permutation matrix and homomorphic permuting SIMDciphertexts The mathematic preliminary of SIMD techniqueis Chinese Remainder Theorem (CRT) The plaintext spacecan be split into many small spaces via the CRT If theplaintext modulus q is a composite that factors into distinctpowers q = 1199031 119903119905 then the ring 119877119902 can be mapped via theCRT to direct product of ring 119877119903119894

rsquos

Organization In Section 2 we describe some preliminarieson the formal definition of homomorphic encryption andcircular security and the isomorphic from additive group Zqto a group of cyclic permutations In Section 3 we reviewthematrix GSW-FHE scheme and define a new deterministicasymmetric encryption algorithm We give the analysis oncircular security of matrix GSW-FHE scheme in Section 4In Section 5 we propose hybrid plaintext slot switchingmethod and optimize the bootstrapping procedure We giveconclusions in Section 6

Security and Communication Networks 3

2 Preliminaries

We denote the set of integers by Z Let G be some group andlet P be someprobability distribution and thenwe use 119886 119880larr997888 Gto denote that 119886 is chosen from G uniformly at random anduse 119887 119877larr997888 P to denote that 119887 is chosen along P

The vector is denoted by bold lowercase letter for exam-ple x and the i-th element of a vector x is denoted by 119909119894The inner product between two vectors is denoted by ⟨xy⟩Matrices are written by using bold capital letters for example119883 and the i-th columnvector of amatrix is denoted by119909 119894The119899 times 119899 identity matrix is denoted by 119868119899

21 Homomorphic Encryption Let Mand C be the messageand ciphertext space A homomorphic encryption schemeconsists of four algorithms 119870119890119910119866119890119899 119864119899119888119863119890119888 119864V119886119897

(i) 119870119890119910119866119890119899(1120582) input security parameter 120582 and output apublic encryption key 119901119896 a secret decryption key 119904119896and a public evaluation key 119890V119896

(ii) 119864119899119888119901119896(119898) input public key 119901119896 and plaintext 119898 isin M

and output ciphertext 119888 isin C(iii) 119863119890119888119904119896(119888) input secret key 119904119896 and ciphertext 119888 and

output the message encrypted in the ciphertext 119888(iv) 119864119907119886119897119890V119896(119891 1198881 1198882 119888119897) input the evaluation key 119890V119896

function 119891 and ciphertexts 1198881 1198882 119888119897 and output aciphertext 119888119891 isin C that is obtained by applying thefunction 119891 M119897 997888rarr M to 1198881 1198882 119888119897

22 Embedding Z119902 into Symmetric Group According toCayleyrsquos Theorem the additive group Zq is isomorphic to agroup of cyclic permutations G where119909 isin Zq corresponds toa cyclic permutation that can be represented by an indicatorvector with 1 in the (119909 + 1)-th position The permutationmatrix can be obtained from the cyclic rotation of the indica-tor vector The addition inZq leads to the composition of thepermutations the rounding function lfloor119909rceil2 Z119902 997888rarr 0 1 canbe computed by summing the entries of the indicator vectorcorresponding to those in Zq that round 1

By CRTZ119902 is isomorphic to the direct productZ1199031times times

Z119903119905 where q fl prod119905

119894=1119903119894 and 119903119894 are small and powers of distinctprimes Similarly Z119902 embeds into symmetric group 119878 = 1198781199031 times1198781199032 times times 119878119903119905 3 Matrix GSW-FHE

31 Review Matrix GSW-FHE Scheme In this section wereview the matrix GSW-FHE scheme Let 120582 be the securityparameter The matrix GSW-FHE scheme is parameterizedby an integer lattice dimension 119899 an integer modulus 119902 anda distribution 120594 overZwhich is assumed to be sub-Gaussianall of the parameters depend on 120582 Let 119897 fl lceillog 119902rceil 119898 fl119874((119899+119903) log 119902) andN fl (119899+119903)sdot119897 Let 119903 be the amount of bits tobe encrypted which defines the message space 0 1119903times119903 Theciphertext space is Z(119899+119903)times119873

119902 The scheme uses the roundingfunction lfloorsdotrceil2 where for any 119909 isin Z119902 lfloor119909rceil2 outputs 1 if 119909 is

close to 1199024 and 0 otherwise Recall that 119892119879 = (1 2 2119897minus1)and G = 119892119879 ⨂119868119899+119903

(i) KeyGen(1120582 119903) Sample a uniformly random matrix119880larr997888 Z119899times119898

119902 secret key matrix S1015840 119877larr997888 120594119903times119899 and noise

matrix E 119877larr997888 120594119903times119898 Let S fl [119868119903 || minus 1198781015840] and B fl( 1198781015840119860+119864119860

) isin Z(119899+119903)times119898119902 Let 119872(119894119895) isin 0 1119903times119903(i j =1 2 r) be the matrix with 1 in the (i j)minusth position

and 0 in the others For all i j = 1 2 r first sample119877(119894119895)

119880larr997888 0 1119898times119873 and set

119875(119894119895) fl 119861119877(119894119895) + (119872(119894119895)S0

)119866 isin Z(119899+119903)times119873119902 (1)

Output public key pk fl (119875(119894119895)119894119895isin[119903]119861) and secretkey sk fl S

(ii) SecEnc119904119896(119872 isin 0 1119903times119903) Sample random matrixesA1015840 119880larr997888 0 1119899times119873 and E1015840 119877larr997888 120594119903times119873 parse S = [119868119903 || minus 1198781015840]and output the ciphertext

C fl [(11987810158401198601015840 + 11986410158401198601015840

) + (MS0

)119866]119902

isin Z(119899+119903)times119873119902 (2)

(iii) PubEnc119904119896(119901119896119872 isin 0 1119903times119903) Sample a randommatrix R 119880larr997888 0 1119898times119873 and output the ciphertext

C fl 119861R + sum119894119895isin[119903]119872[119894119895]=1

119875(119894119895) isin Z(119899+119903)times119873119902 (3)

where119872[119894119895] is the (i j) minus th element of119872(iv) 119863119890119888119904119896(119904119896 119862) Output the matrix 119872 = (lfloor⟨119904119894119888119895119897minus1⟩rceil2)119894119895isin[119903] where 119904119879119894 is the 119894119905ℎ row of S

32 Deterministic Asymmetric Encryption We define a newdeterministic asymmetric encryption algorithm in thematrixGSW-FHE scheme as follows

(i) DetePubEnc119901119896(119872 isin 0 1119903times119903) input 119901119896 and 119872 isin0 1119903times119903 and output the ciphertext

C fl sum119894119895isin[119903]119872[119894119895]=1

119875(119894119895) isin Z(119899+119903)times119873119902 (4)

where119872[119894119895] is the (i j) minus th element of119872 The DetePubEncalgorithm has lower computational cost than SecEnc algo-rithm and PubEnc algorithm and it only involves matrixaddition whereas the SecEnc algorithm and PubEnc algo-rithm involve both matrix multiplication and matrix addi-tion

4 Analysis on Matrix GSW-FHE

In the KeyGen algorithm of matrix GSW-FHE119872(119894119895)S needsto be computed when generating public key119875(119894119895) We observethat

4 Security and Communication Networks

119872(119894119895)S =119872(119894119895) (119868119903 || minus1198781015840)= (119872(119894119895)

1003816100381610038161003816100381610038161003816100381610038161003816100381610038161003816100381610038160minus11990411989511015840 minus11990411989511989910158400

) (5)

where right matrix is with (minus11990410158401198951 minus1199041198951198991015840) in the i-th row and0 in other rows Let119872(119894119895)

1015840 isin Z119899times119899119902 be an n times n matrix which

satisfies the following matrix equation

(119868119903 minus1198781015840) sdot (119872(119894119895) 00 119872(119894119895)

1015840)= (119872(119894119895)

1003816100381610038161003816100381610038161003816100381610038161003816100381610038161003816100381610038160minus11990411989511015840 minus11990411989511989910158400

) (6)

That is

minus1198781015840 sdot1198721015840(119894119895) = ( 0minus11990411989511015840 minus1199041198951198991015840

0) (7)

Viewing the elements of 1198781015840 as the equation parameter and theelements of1198721015840

(119894119895) as variables we can get equations from theabove matrix equation119904101584011 sdot 1198981015840

11 + sdot sdot sdot + 11990410158401119899 sdot 11989810158401198991 = 0119904101584011 sdot 1198981015840

12 + sdot sdot sdot + 11990410158401119899 sdot 11989810158401198992 = 0119904101584011 sdot 1198981015840

1119899 + sdot sdot sdot + 11990410158401119899 sdot 1198981015840119899119899 = 011990410158401198941 sdot 1198981015840

11 + sdot sdot sdot + 1199041015840119894119899 sdot 11989810158401198991 = 1199041015840119895111990410158401198941 sdot 1198981015840

12 + sdot sdot sdot + 1199041015840119894119899 sdot 11989810158401198992 = 1199041015840119895211990410158401198941 sdot 1198981015840

1119899 + sdot sdot sdot + 1199041015840119894119899 sdot 1198981015840119899119899 = 119904101584011989511989911990410158401199031 sdot 1198981015840

11 + sdot sdot sdot + 1199041015840119903119899 sdot 11989810158401198991 = 011990410158401199031 sdot 1198981015840

12 + sdot sdot sdot + 1199041015840119903119899 sdot 11989810158401198992 = 011990410158401199031 sdot 1198981015840

1119899 + sdot sdot sdot + 1199041015840119903119899 sdot 1198981015840119899119899 = 0

(8)

According to the knowledge of linear algebra the equationsexit nontrivial solution if the rank of coefficient matrix isequal to the rank of the augmented matrix as below

119903119886119899119896(((((((((((((((((((((((

119904101584011 119904101584012 11990410158401119899 119904101584011 119904101584012 1199041015840111989911990410158401198941 11990410158401198942 1199041015840119894119899 11990410158401198941 11990410158401198942 119904101584011989411989911990410158401199031 11990410158401199032 1199041015840119903119899 11990410158401199031 11990410158401199032 1199041015840119903119899

)))))))))))))))))))))))119903119899times119899

= 119903119886119899119896(((((((((((((((((((((((

119904101584011 119904101584012 11990410158401119899 0 119904101584011 119904101584012 11990410158401119899 011990410158401198941 11990410158401198942 1199041015840119894119899 11990410158401198951 11990410158401198941 11990410158401198942 1199041015840119894119899 119904101584011989511989911990410158401199031 11990410158401199032 1199041015840119903119899 0 11990410158401199031 11990410158401199032 1199041015840119903119899 0

)))))))))))))))))))))))119903119899times(119899+1)

(9)

That is

119903119886119899119896((((((

119904101584011 119904101584012 1199041015840111989911990410158401198941 11990410158401198942 119904101584011989411989911990410158401199031 11990410158401199032 sdot sdot sdot 1199041015840119903119899))))))119903times119899

= 119903119886119899119896((((((((((((

119904101584011 119904101584012 11990410158401119899 011990410158401198941 11990410158401198942 1199041015840119894119899 11990410158401198951 11990410158401198941 11990410158401198942 1199041015840119894119899 119904101584011989511989911990410158401199031 11990410158401199032 1199041015840119903119899 0

))))))))))))(119903+119899minus1)times(119899+1)

(10)

Security and Communication Networks 5

We denote the solution by 119872(119894119895) so we have

minus1198781015840 sdot119872(119894119895) = ( 0minus11990411989511015840 minus11990411989511989910158400

) =119872(119894119895) sdot (minusS1015840) (11)

From the above analysis we can derivate the circular securityof the matrix GSW-FHE scheme

Theorem 1 (circular security) If the equation

minus1198781015840 sdot1198721015840(119894119895) = ( 0minus11990411989511015840 minus1199041198951198991015840

0) (12)

exits nontrivial solution119872(119894119895) over Z119902 then the matrix GSW-FHE scheme is circular secure with function 119891119872(119894119895) (119878)Proof Let 1198881 be a ciphertext encrypting function 119891119872(119894119895) (119878) =(119872(119894119895)S0

)119866 isin Z(119899+119903)times119873119902 1198881 = 119861119877 + 119875(119894119895) and R 119880larr997888 0 1119898times119873

Then we have

1198881 = 119861119877 + 119875(119894119895) = 119861119877 + 119861 sdot 119877(119894119895) + (119872(119894119895)S0

) sdot119866= ((119868119903 minus1198781015840) sdot ( 119864minus119860) sdot (R + 119877(119894119895))

119860 sdot (R + 119877(119894119895)) ) + (119872(119894119895)S0

)sdot119866

= ((119868119903 minus1198781015840) sdot ( 119864minus119860) sdot (R + 119877(119894119895))119860 sdot (R + 119877(119894119895)) )

+ ((119872(119894119895)

1003816100381610038161003816100381610038161003816100381610038161003816100381610038161003816100381610038160minus11990411989511015840 minus11990411989511989910158400

)0

) sdot 119866

(13)

From (12) we have

1198881 = ((119868119903 minus1198781015840) ( 119864minus119860) sdot (R + 119877(119894119895)) + (119868119903 minus1198781015840) sdot (119872(119894119895) 0

0 119872(119894119895)

)119866119860 sdot (R + 119877(119894119895)) )

= ((119868119903 minus1198781015840) ( 119864minus119860) sdot (R + 119877(119894119895)) + (119868119903 minus1198781015840) sdot (0 0

0 119872(119894119895)

)119866 + (119868119903 minus1198781015840) sdot (119872(119894119895) 0

0 0)119866

119860 sdot (R + 119877(119894119895)) )= ((119868119903 minus1198781015840)( 119864 sdot (R + 119877(119894119895))minus119860 sdot (R + 119877(119894119895)) +119872(119894119895) sdot (119892119879 ⨂ 119868119899)) + (119868119903 minus1198781015840) sdot (119872(119894119895) 0

0 0)119866

119860 sdot (R + 119877(119894119895)) )= ((119868119903 minus1198781015840)( 119864 sdot (R + 119877(119894119895))minus119860 sdot (R + 119877(119894119895)) +119872(119894119895) sdot (119892119879 ⨂ 119868119899))

119860 sdot (R + 119877(119894119895)) minus119872(119894119895) sdot (119892119879 ⨂ 119868119899) ) + ((119868119903 minus1198781015840) sdot (119872(119894119895) 0

0 0)119866

119872(119894119895) sdot (119892119879 ⨂ 119868119899) ) = ((119868119903 minus1198781015840)( minus)

)+ ((119868119903 minus1198781015840) sdot (119872(119894119895) 0

0 0)119866

119872(119894119895) sdot (119892119879 ⨂ 119868119899) ) = (1198781015840 +

) + ((119872(119894119895)sdot (119892119879 ⨂ 119868119903) 0

0 0)

119872(119894119895) sdot (119892119879 ⨂ 119868119899) )

(14)

≜ 119864 sdot (R + 119877(119894119895)) ≜ 119860 sdot (R + 119877(119894119895)) minus119872(119894119895) sdot (119892119879 ⨂ 119868119899)therefore we derivate that

1198881 = (1198781015840 +

) + ((119872(119894119895)sdot (119892119879 ⨂ 119868119903) 00 0

)119872(119894119895) sdot (119892119879 ⨂ 119868119899) ) (15)

As ( 1198781015840+) is an instance of LWEoverZ(119899+119903)times119873119902 it satisfies

uniform distribution over Z(119899+119903)times119873119902 Furthermore 1198881 obeys

uniform distribution over Z(119899+119903)times119873119902

On the other hand suppose that 1198880 is a ciphertextencrypting 0 that is

6 Security and Communication Networks

1198880 = 1198611198771015840 = (1198781015840119860 + 119864119860

) sdot 1198771015840 isin Z(119899+119903)times119873119902

R1015840 119880larr997888 0 1119898times119873 (16)

It is also an instance of LWE overZ(119899+119903)times119873119902 and obeys uniform

distribution over Z(119899+119903)times119873119902 too Therefore distributions of1198880 and 1198881 are computationally indistinguishable and the

advantage of probabilistic polynomial-time adversary A isnegligible So we can conclude that the matrix GSW-FHE iscircular secure with function 119891119872(119894119895) (119878)

From Theorem 1 we can choose a good secret key thatsatisfies that (12) has solution via ldquoreject samplerdquo techniqueand obtain circular secure matrix GSW-FHE scheme

5 Optimizing Bootstrapping

In this section we describe how to optimize the boot-strapping procedure of [13] by introducing deterministichomomorphic plaintext slot-wise permutation

51 Motivation The decryption of all LWE-based FHEschemes consists of the inner product and rounding forsecret key s isin Z119889

119902 and a binary ciphertext 119888 isin 0 1119889 thedecryption algorithm computes

Dec (s c) = lfloor⟨119904 119888⟩rceil 2 isin 0 1 (17)

Note that the inner product itself is just a subset-sum of theZ119902-entries of s indicated by 119888 and uses only the additive groupstructure of Z119902 Alperin-Sheriff and Peikert [20] proposedan efficient bootstrapping algorithm by embedding Z119902 intopermutation group 119878119902 Thus the rounding function is nolonger just a sum and it can be expressed aslfloor119909rceil2 = sum

VisinZ119902 119904119905lfloorVrceil2=1[119909 = V] (18)

where each equality test [119909 = V] returns 0 for false and1 for true The equality test operation has homomorphiccounterpart called homomorphic equality test Homomor-phic equality test is an important primitive for optimizingbootstrapping procedure and it has many other applicationsas mentioned in [25]

For 119909 V isin Z119903 they map to the r-by-r permutationmatrices of group 119878119903 and are denoted as 120591 and 120590 respectivelyThe Eq algorithm is described as follows

(i) Eq (119862120591 = 119888120591119894119895 120590 isin 119878119903) given a ciphertext encryptingsome permutation 120591 isin 119878119903 and a permutation 120590 isin 119878119903(in the clear) output a ciphertext c encrypting 1 if 120591 =120590 otherwise output a ciphertext c encrypting 0

c larr997888 ⊡119894isin[119903]119888120591120590(119894)119895 ⊡ g (19)

Note that the permutation 120590 goes through all permutationsin 119878119903 and it is not masked in the homomorphic equality testEq Algorithm that is 120590 isin 119878119903 is in the clear

Let 120593119894 Z119902 997888rarr 0 1119903 be the isomorphism of an elementin Z119902 (q fl prod119905

119894=1119903119894) into the cyclic permutation thatcorresponds to an element in Z119903119894

where r ≜ max119894119903119894During homomorphic rounding process of work [13] 120593119894(119909)is encrypted as part of public bootstrapping key and used inthe homomorphic equality test algorithm

In fact 119909 traverses Z119902 and does not carry any privacyinformation It is not necessary to encrypt 120587120593119894(119909)

usingSecEnc algorithm which would increase computation costWe propose optimizing homomorphic equality test algo-rithm by defining hybrid homomorphic plaintext slot-wiseswitching method which reduces the computation cost ofbootstrapping key generation

52 Hybrid Homomorphic Plaintext Slot-Wise SwitchingPlaintext slot-wise permutation is an important operation inapplication of packed FHE [23 24] It can be achieved bymul-tiplying the encryption of a permutation and its inverse fromleft and rightWe propose hybrid homomorphic plaintext slotswitching procedure where the switch key is encrypted bysymmetric and asymmetric encryption algorithm The nicefeature of our switching procedure is that part of switch keycan be computed by deterministic public encryptions whichmakes our procedure more efficient than that of [13]

(i) SwitchKeyGen(119878 120590) Input a secret key matrix119878 isin Z119903times(119899+119903)

119902 and a permutation 120590 let 120587120590 isin 0 1119903times119903 bea matrix corresponding to 120590 and compute119882120590 larr997888 SecEnc119878 (120587120590) 119882120590minus1 larr997888 SecEnc119878 (120587120590

119879) (20)

Output the switch key ssk120590 fl (119882120590119882120590minus1) Thealgorithm is the same as the work in [13]

(ii) 119878119897119900119905119878119908119894119905119888ℎ119904119904119896120590(119862) Input a switch key ssk120590 and aciphertext C output119862120590 larr997888 119882120590 ⨀(119862⨀(119882120590minus1⨀119866)) (21)

where 119866 isin Z(119899+119903)times119873119902 is the fixed encryption of 119868119903 with

noise zero(iii) DeteSwitchKeyGen(119878 120590) Input a secret key matrix119878 isin Z119903times(119899+119903)

119902 and a permutation 120590 and compute119863119882120590 larr997888 DetePubEnc119878 (120587120590) 119863119882120590minus1 larr997888 DetePubEnc119878 (120587120590119879) (22)

Output the deterministic switch key dssk120590 fl(119863119882120590 119863119882120590minus1 )(iv) 119863119890119905119890119878119897119900119905119878119908119894119905119888ℎ119889119904119904119896120590(119862) Input a deterministic switch

key dssk120590 and a ciphertext C output119862120590 larr997888 119863119882120590 ⨀(119862⨀(119863119882120590minus1⨀119866)) (23)

where 119866 isin Z(119899+119903)times119873119902 is the fixed encryption of 119868119903 with

noise zero

Security and Communication Networks 7

53 Optimized Bootstrapping Procedure Our optimizedbootstrapping procedure can be used to refresh ciphertexts ofall standard LWE-based FHE Let 119888 isin 0 1119889 be the ciphertextto be bootstrapped and let s isin Z119889

119902 be a secret key that corre-sponds to 119888The optimized bootstrapping procedure consistsof two algorithmsHybirdBootKeyGen andHybirdBootstrap

(i) HybridBootKeyGen(119901119896 119904119896 119904) Input a secret key 119904119896and public key 119901119896 for our bootstrapping scheme andthe secret key s = (1199041 119904119889) isin Z119889

119902 for ciphertextto be refreshed output a bootstrapping key bk Forevery i isin [t] and j isin [d] let 120587120593119894(119904119895)

be the permutationcorresponding to 120593119894(119904119895) and generate120591119894119895 119877larr997888 SecEnc119904119896 (diag (120593119894 (119904119895))) 119904119904119896119894119895 119877larr997888 SwitchKeyGen (sk 120587120593119894(119904119895)

) (24)

where for a vector 119909 isin Z119903 diag(119909) isin Z119903times119903 is thesquare integer matrix that has 119909 in its diagonal entriesand 0 in the others Then compute the hints usedin homomorphic equality test on packed indictorvectors For every i isin [t] and 119909 isin Z119902 such thatlfloor119909rceil2 = 1 compute119889119904119904119896120593119894(119909) larr997888 119863119890119905119890119878119908119894119905119888ℎ119870119890119910119866119890119899 (119904119896 120587120593119894(119909)

) (25)

Output the bootstrapping key119887119896 fl 120591119894119895 119904119904119896119894119895 119889119904119904119896120593119894(119909)119894isin[119905]119895isin[119889]119909isinZ119902lfloor119909rceil2=1 (26)

(ii) 119867119910119887119903119894119889119861119900119900119905119904119905119903119886119901119887119896(c) Input a bootstrapping keybk and a ciphertext 119888 isin 0 1119889 output the refreshedciphertext Clowast All the FHE schemes based on theLWE problem have similar decryption algorithmthat is the decryption algorithm needs to computelfloor⟨119904 119888⟩rceil2There are two phases in theHybridBootstrapalgorithm evaluate the inner product and roundingInner Product For every i isin [t] homomorphicallycompute an encryption of 120593119894(⟨119904 119888⟩) Let h fl minj isin[d] 119888119895 = 1 For i = 1 2 t set 119862lowast

119894 fl 120591119894ℎ anditeratively compute119862lowast

119894

119877larr997888 119878119897119900119905119878119908119894119905119888ℎ119904119904119896119894119895 (119862lowast119894 ) (27)

for j = h + 1 d such that 119888119895 = 1Rounding For each 119909 isin Z119902 such that lfloor119909rceil2 = 1homomorphically test the equality between 119909 and⟨119904 119888⟩ and sum their results The refreshed ciphertextis computed as119862lowast larr997888 ⨁

119909isinZ119902lfloor119909rceil2=1

(⨀119894isin[119905]

(119863119890119905119890119878119897119900119905119878119908119894119905119888ℎ119889119904119904119896120593119894(119909)(119862lowast

119894 ))⨀11987511) (28)

54 Correctness Analysis

Lemma 2 (correctness) Let 119904119896 be the secret key for ourscheme Let 119888 and 119904 be a ciphertext and secret key of LWE-basedFHE scheme Then for 119887119896 larr997888 HybridBootKeyGen(119901119896 119904119896 119904)the refreshed ciphertext 119862lowast larr997888 119867119910119887119903119894119889119861119900119900119905119904119905119903119886119901119887119896(c) isdesigned to encrypt 119863119890119888119904(119888) = lfloor⟨119904 119888⟩rceil2 isin 0 1 in the firstslot

Proof Firstly 119862lowast119894 is designed to encrypt 120593119894([⟨119904 119888⟩]119902) and

⨀119894isin[119905]

(119863119890119905119890119878119897119900119905119878119908119894119905119888ℎ119889119904119904119896120593119894(119909)(119862lowast

119894 ))⨀11987511 (29)

is designed to encrypt 1 in the first slot if and only if 119909 =⟨119904 119888⟩ 119898119900119889 119902 Finally since the homomorphic sum is takenover every 119909 isin Z119902 such that lfloor119909rceil2 = 1 119862lowast is designed toencrypt 1 if and only if lfloor⟨119904 119888⟩rceil2 = 155 Security Analysis If the bootstrapping scheme secret key119904119896 is generated independently of the secret keys s of FHEscheme from LWE then Ind-CPA security of the bootstrap-ping key follows immediately from the security of hybridhomomorphic plaintext slot-wise switching and the securityof hybrid homomorphic plaintext slot-wise switching schemeresorts to the security of matrix GSW-FHE and hence thesecurity of our bootstrapping scheme from LWE assumption

56 Performance Analysis Let 119902 = 119874(120582) be the modulesof the ciphertext to be refreshed and 119902 has the form 119902 flprod119905

119894=1119903119894 where 119903119894 are small and powers of distinct primesThe following lemma allows us to choose a sufficientlylarge 119902 by letting it be the product of all maximal primepowers 119903119894 bounded by O(log120582) and then there exists t =O(log 120582log log 120582) where 120582 is security parameter

Lemma 3 (see [13 20]) For all 119909 ge 7 the product of allmaximal prime powers 119903119894 le 119909 is all at least exp(31199094)

On one hand our DetePubEnc algorithm involves matrixadditions operation only whereas SecEnc algorithm involvesmany matrix multiplication operations Our bootstrappingkey 119889119904119904119896120593119894(119909) is optimized from 119904119904119896120593119894(119909) Therefore our opti-mized bootstrapping key generation has lower computationcomplexity The comparison of computational complexity isillustrated in Table 1

On the other hand we may implement a trade-offbetween computation and storage complexity For every119896 119897 isin [r] 119875119896119897 = SecEnc119904119896(119872119896119897) can be used as public boot-strapping key delete 119889119904119904119896120593119894(119909) from the bootstrapping keyand compute 119889119904119904119896120593119894(119909) online when running rounding pro-cedure In view of 119889119904119904119896120593119894(119909) being obtained by DetePubEncalgorithm its computation involves only matrix additionsTherefore our optimized bootstrapping drastically cuts downthe size of the large public bootstrapping key by a third pay-ing matrix additions with negligible computation complexThe comparison of storage complexity is illustrated in Table 2

8 Security and Communication Networks

Table 1 Comparison of computational complexity

Bootstrapping key MM MA119904119904119896120593119894(119909) [13]0 le 119894 le 119905 O (log120582 log log 120582) O (log120582 log log 120582)119889119904119904119896120593119894(119909)[ours] 0 le 119894 le 119905 0 O (log2120582 log log 120582)

Note MM denotes matrix multiplication operation MA denotes matrix addition operation

Table 2 Comparison of storage complexity of bootstrapping key

Work Bootstrapping key[13] (120591119894119895 119904119904119896119894119895 119904119904119896120593119894(119909))119894isin[119905]119895isin[119889]119909isinZ119902lfloor119909rceil2=1[ours]-1 (120591119894119895 119904119904119896119894119895 119889119904119904119896120593119894(119909)

)119894isin[119905]119895isin[119889]119909isinZ119902 lfloor119909rceil2=1[ours]-2 (120591119894119895 119904119904119896119894119895)119894isin[119905]119895isin[119889]

Note [ours]-1 denotes save computation complexity in the cost of thestorage complexity [ours]-2 denotes save storage complexity in the cost ofcomputation complexity

6 Conclusions

Matrix GSW-FHE scheme encrypts multibit message andsupports complex homomorphic matrix operations and canbe used to optimize the bootstrapping procedureWe analysecircular security of matrix GSW-FHE scheme and derivea sufficient condition of circular security for matrix GSW-FHE scheme That is if the equations about secret key havesolution over Z119902 the matrix GSW-FHE scheme satisfiescircular security with function 119891119872(119894119895) (119878) Therefore we canchoose a good secret key that satisfies the sufficient conditionvia ldquoreject samplerdquo technique and furthermore obtain circularsecure matrix GSW-FHE scheme

We also propose hybrid homomorphic plaintext slot-wiseswitching method by defining deterministic public encryp-tion algorithm in matrix GSW-FHE which significantlyreduces computational complex or space complex of boot-strapping key generation thus optimizing the bootstrappingprocedure of Hiromasa and so forth Meanwhile perfor-mance analysis validates the effectiveness of the proposedoptimized bootstrapping scheme

Some questions remain for further study such as theprobability analysis of our sufficient condition and the suf-ficient and necessary condition for circular security of thematrix GSW-FHE scheme [26] And to make a fair com-parison with the state-of-the-art bootstrapping schemes suchas FHEW [21] WT [22] and so forth detailed securityparameters and efficiency experiment analysis remain to bea future work

Data Availability

The data used to support the findings of this study areavailable from the corresponding author upon request

Disclosure

The abstract of this manuscript has been submitted to the 4thInternational Conference on Cloud Computing and Security

but it has not been published and this manuscript cites theconference paper in the references

Conflicts of Interest

The authors declare that they have no conflicts of interestregarding the publication of this paper

Acknowledgments

This work is supported by the National Natural ScienceFoundation of China under Grant no 61601515 and NaturalScience Foundation of Henan Province under Grant no162300410332

References

[1] Z Pan J Lei Y Zhang and F L Wang ldquoAdaptive fractional-Pixel motion estimation skipped algorithm for efficient HEVCmotion estimationrdquoACMTransactions onMultimedia Comput-ing Communications and Applications (TOMM) vol 14 no 1pp 1ndash19 2018

[2] CGentry ldquoFully homomorphic encryption using ideal latticesrdquoin Proceedings of the 41st annual ACM symposium on Theory ofComputing (STOC rsquo09) pp 169ndash178 ACM Bethesda Md USA2009

[3] C GentryA fully homomophic encryption scheme [PhD thesis]Stanford University 2009 httpcryptostanfordeducraig

[4] Y LiuH Peng and JWang ldquoVerifiable diversity ranking searchover encrypted outsourced datardquo CMC vol 55 no 1 pp 37ndash572018

[5] W Xu S Xiang and V Sachney ldquoA cryptography domainimage retrieval method based on Paillier homomorphic blockencryptionrdquo CMC vol 55 no 2 pp 285ndash295 2018

[6] R Xie C He D Xie C Gao and X Zhang ldquoA Secure Cipher-text Retrieval Scheme against Insider KGAs for Mobile Devicesin Cloud Storagerdquo Security and Communication Networks vol2018 Article ID 7254305 7 pages 2018

[7] R L Rivest L Adleman and M L Dertouzos On Data BanksAnd Privacy Homomorphism Proc of Foundations of SecureComputation Academic Press New York NY USA 1978

[8] Z Brakerski and V Vaikuntanathan ldquoEfficient fully homomor-phic encryption from (standard) LWErdquo in Proceedings of theIEEE 52nd Annual Symposium on Foundations of ComputerScience (FOCS rsquo11) pp 97ndash106 Palm Springs Calif USAOctober 2011

[9] M R Albrecht R Player and S Scott ldquoOn the concrete hard-ness of learning with errorsrdquo Journal of Mathematical Cryptol-ogy vol 9 no 3 pp 169ndash203 2015

[10] Z Brakerski and V Vaikuntanathan ldquoFully homomorphicencryption from ring-LWE and security for key dependent

Security and Communication Networks 9

messagesrdquo inAdvances in CryptologymdashCRYPTO2011 R PhillipEd vol 6841 pp 505ndash524 Springer Berlin Germany 2011

[11] F Luo F Wang K Wang J Li and K Chen ldquoLWR-BasedFully Homomorphic Encryptionrdquo Security and CommunicationNetworks vol 2018 Article ID 5967635 12 pages 2018

[12] X Yang T Zhou W Zhang and L Wu ldquoApplication of a cir-cular secure variant of LWE in the homomorphic encryptionrdquoJisuanji Yanjiu yu FazhanComputer Research andDevelopmentvol 52 no 6 pp 1389ndash1393 2015

[13] R Hiromasa M Abe and T Okamoto ldquoPacking messagesand optimizing bootstrapping in GSW-FHErdquo in Public-keycryptographymdashPKC 2015 vol 9020 of Lecture Notes in ComputSci pp 699ndash715 Springer Heidelberg 2015

[14] D Hofheinz and D Unruh ldquoTowards key-dependent messagesecurity in the standard modelrdquo in Advances in cryptologymdashEUROCRYPT 2008 vol 4965 of Lecture Notes in Comput Scipp 108ndash126 Springer Berlin 2008

[15] I Haitner and T Holenstein ldquoOn the (im)possibility of keydependent encryptionrdquo in Theory of cryptography vol 5444of Lecture Notes in Comput Sci pp 202ndash219 Springer Berlin2009

[16] D Boneh S Halevi M Hamburg and R Ostrovsky ldquoCircular-secure encryption from decision Diffie-Hellmanrdquo in Advancesin Cryptology D Wagner Ed vol 5157 of Lecture Notes inComputer Science pp 108ndash125 Springer 2008

[17] B Applebaum D Cash C Peikert and A Sahai ldquoFast cryp-tographic primitives and circular-secure encryption based onhard learning problemsrdquo in Advances in CryptologymdashCRYPTO2009 vol 5677 of Lecture Notes in Computer Science pp 595ndash618 Springer Germany Berlin 2009

[18] O Regev ldquoOn lattices learning with errors random linearcodes and cryptographyrdquo in Proceedings of the 37th AnnualACM Symposium on Theory of Computing (STOC rsquo05) pp 84ndash93 ACM Baltimore Md USA May 2005

[19] C Gentry A Sahai and B Waters ldquoHomomorphicencryption from learning with errors Conceptually-simplerasymptotically-faster attribute-basedrdquo Proceedings of CRYPTO2013 vol 8042 no 1 pp 75ndash92 2013

[20] J Alperin-Sheriff and C Peikert ldquoFaster bootstrapping withpolynomial errorrdquo in Proceedings of the International CryptologyConference pp 297ndash314 Springer Berlin Germany 2014

[21] L Ducas and D Micciancio ldquoFHEW Bootstrapping Homo-morphic Encryption in Less Than a Secondrdquo in Proceedingsof the Advances in Cryptology ndash EUROCRYPT pp 617ndash640Springer Berlin Heidelberg 2015

[22] H Wang and Q Tang ldquoEfficient homomorphic integer poly-nomial evaluation based on GSW FHErdquoThe Computer Journalvol 61 no 4 pp 575ndash585 2018

[23] N P Smart and F Vercauteren ldquoFully homomorphic SIMDoperationsrdquo Designs Codes and Cryptography vol 71 no 1 pp57ndash81 2014

[24] Z Brakerski C Gentry and S Halevi ldquoPacked Ciphertexts inLWE-BasedHomomorphic Encryptionrdquo inPublic-KeyCryptog-raphy ndash PKC 2013 vol 7778 of Lecture Notes in Computer Sci-ence pp 1ndash13 Springer Berlin Heidelberg Berlin Heidelberg2013

[25] Y Wang H Pang N H Tran and R H Deng ldquoCCA Secureencryption supporting authorized equality test on ciphertextsin standard model and its applicationsrdquo Information Sciencesvol 414 pp 289ndash305 2017

[26] X Zhao H Mao S Liu and W Song ldquoCircular-secure anal-ysis on matrix GSW-FHE and optimizing bootstrappingrdquo inProceedings of the International Conference on Cloud Computingand Security ICCCS 2018 2018

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Active and Passive Electronic Components

VLSI Design

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Shock and Vibration

Hindawiwwwhindawicom Volume 2018

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom

Journal ofEngineeringVolume 2018

SensorsJournal of

Hindawiwwwhindawicom Volume 2018

International Journal of

RotatingMachinery

Hindawiwwwhindawicom Volume 2018

Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Navigation and Observation

International Journal of

Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom