Figure 1.
Types of homomorphic schemes.
Citation: Christina L. Ekegren, Rachel E. Climie, William G. Veitch, Neville Owen, David W. Dunstan, Lara A. Kimmel, Belinda J. Gabbe. Sedentary behaviour and physical activity patterns in adults with traumatic limb fracture[J]. AIMS Medical Science, 2019, 6(1): 1-12. doi: 10.3934/medsci.2019.1.1
| [1] | Shuangnian Hu, Rongquan Feng . The number of solutions of cubic diagonal equations over finite fields. AIMS Mathematics, 2023, 8(3): 6375-6388. doi: 10.3934/math.2023322 |
| [2] | Wenxu Ge, Weiping Li, Tianze Wang . A remark for Gauss sums of order 3 and some applications for cubic congruence equations. AIMS Mathematics, 2022, 7(6): 10671-10680. doi: 10.3934/math.2022595 |
| [3] | Junyong Zhao, Yang Zhao, Yujun Niu . On the number of solutions of two-variable diagonal quartic equations over finite fields. AIMS Mathematics, 2020, 5(4): 2979-2991. doi: 10.3934/math.2020192 |
| [4] | Shuangnian Hu, Rongquan Feng . On the number of solutions of two-variable diagonal sextic equations over finite fields. AIMS Mathematics, 2022, 7(6): 10554-10563. doi: 10.3934/math.2022588 |
| [5] | Yanbo Song . The recurrence formula for the number of solutions of a equation in finite field. AIMS Mathematics, 2021, 6(2): 1954-1964. doi: 10.3934/math.2021119 |
| [6] | Junyong Zhao, Shaofang Hong, Chaoxi Zhu . The number of rational points of certain quartic diagonal hypersurfaces over finite fields. AIMS Mathematics, 2020, 5(3): 2710-2731. doi: 10.3934/math.2020175 |
| [7] | Xiaoxue Li, Wenpeng Zhang . A note on the hybrid power mean involving the cubic Gauss sums and Kloosterman sums. AIMS Mathematics, 2022, 7(9): 16102-16111. doi: 10.3934/math.2022881 |
| [8] | Shuangnian Hu, Yanyan Li, Rongquan Feng . Counting rational points of quartic diagonal hypersurfaces over finite fields. AIMS Mathematics, 2024, 9(1): 2167-2180. doi: 10.3934/math.2024108 |
| [9] | Xiaodie Luo, Kaimin Cheng . Counting solutions to a system of quadratic form equations over finite fields. AIMS Mathematics, 2025, 10(6): 13741-13754. doi: 10.3934/math.2025619 |
| [10] | Hu Jiayuan, Chen Zhuoyu . On distribution properties of cubic residues. AIMS Mathematics, 2020, 5(6): 6051-6060. doi: 10.3934/math.2020388 |
Protecting the privacy of electronic data is a major challenge for today's security researchers. A 2013 study by the Cloud Security Alliance revealed a worrying increase in the number of incidents in which cloud data was leaked as a result of negligence, malware, or insider attacks [39]. The problem is that the users lose control over potentially privacy sensitive data. Encrypting data before sending it to the cloud is a simple way of guaranteeing confidentiality. However, if one uses traditional encryption, it also becomes impossible for the cloud operators to carry out any kind of processing of that data, as they would have to decrypt it first. Solving this problem is an active area of research. A number of approaches have been studied, relying on different techniques to address the problem of cloud security without compromising the functionality. Here we focus on solutions that are purely based on homomorphic encryption (HE) for privacy preservation.
Homomorphic encryption schemes allow computations on the encrypted data. The result of those computations remains in encrypted form, and can thus only be recovered by the owner of the decryption key. Hence, homomorphic encryption offers privacy for both the client's and the server's data. For these reasons HE has shown great success in a variety of domains and applications, from the financial/business sector to the healthcare sector, the government sector, and even to neural networks [47]. The concept was imagined in the late seventies, but the first realization did not come until three decades later. HE schemes can be grouped into different categories, based on what operations they support and limitations they put on the circuit. Partially homomorphic encryption (PHE) schemes only support either addition or multiplication. Somewhat homomorphic encryption (SHE) supports both multiplication and addition on encrypted data. It cannot support arbitrarily deep circuits, making it unsuitable for some applications. Fully homomorphic encryption (FHE) schemes support both addition, multiplication, and circuits of arbitrary depth.
Research in the area exploded after 2009 when Craig Gentry presented the first FHE scheme. In HE schemes, for security reasons, the encryption adds noise to the data and the decryption process is the removal of that noise. Performing operations on ciphertexts increases the noise and too much noise prevents correct decryption. It is possible to circumvent this by using the bootstrapping technique [25]. Bootstrapping reduces the accumulated noise so that further computation can be done. This process can be repeated as many times as needed to evaluate any given circuit. However, bootstrapping is computationally expensive which is why in practice many solutions do not use it. These days, both the public and private sectors are embracing this new security paradigm and are actively working at making HE more practical and easier to use.
Let $ \mathcal{P} $ denote a plaintext space and let $ F $ be a family of functions defined on $ \mathcal{P}^n = \{ (m_1, \dots, m_n) \mid m_i \in \mathcal{P} \} $ that can be viewed as Boolean circuits $ C $. In most cases $ \mathcal{P} = \{0, 1\} $ is identifiable with the ring $ \mathbb{Z}_2 = \{ [0]_2, [1]_2\} $.
An encryption scheme $ \mathcal{E} $ is F-homomorphic (or an F-evaluation scheme) if it is given by the following four probabilistic algorithms in polynomial time:
| $ \mathcal{E} = {( {\textsf{KeyGen}}, {\textsf{Enc}}, {\textsf{Dec}}, {\textsf{Eval}})} $ |
where
● $\textsf{KeyGen}$ is the key generator; it takes as inputs a security parameter $ \lambda $ and an optional parameter $ \alpha $, representing for instance the number of homomorphic operations allowed, and outputs the secret key $ {\textsf{sk}} $, the public key $\textsf{pk}$, and the (public) evaluation key $\textsf{evk}$, needed to compute the homomorphic operations on the ciphertext. Writing $ \mathcal{A} $ for the auxiliary space and $ \mathcal{K}_s, \mathcal{K}_p $, and $ \mathcal{K}_e $ for the spaces of the secret, public, and evaluation keys, respectively, we obtain
| $ {\textsf{KeyGen}} \colon \mathbb{N} \times \mathcal{A} \rightarrow \mathcal{K}_s \times \mathcal{K}_p \times \mathcal{K}_e $ |
| $ {\textsf{KeyGen}}(\lambda, \alpha) = ( {\textsf{sk}}, {\textsf{pk}}, {\textsf{evk}}). $ |
In this paper we will usually denote the security parameter by $ \lambda $. In other works, sometimes the security parameter is denoted by $ 1^\lambda $ to keep track of its length.
● $\textsf{Enc}$ is the encryption algorithm; it takes as inputs the public key $\textsf{pk}$ and the message $ m $ and returns the ciphertext $ c $ as an element of the ciphertexts space $ \mathcal{X} $,
| $ {\textsf{Enc}} \colon \mathcal{K}_p \times \mathcal{P} \rightarrow \mathcal{X} $ |
| $ {\textsf{Enc}}( {\textsf{pk}}, {m}) = c. $ |
● $\textsf{Eval}$ is the evaluation algorithm; it takes as inputs the evaluation key $\textsf{evk}$, a function $ f \in F $, and a string $ (c_1, \dots, c_n) $ of either ciphertexts or previous evaluated texts and returns as output a ciphertext $ c_f $. Writing $ \mathcal{Y} $ for the space of the outputs of $ {\textsf{Eval}} $, with $ \mathcal{Z} $ the union of $ \mathcal{X} $ and $ \mathcal{Y} $ and with $ \mathcal{Z}^* $ the space of $ n $-strings in $ \mathcal{Z} $ for a generic $ n $, we get
| $ {\textsf{Eval}} \colon \mathcal{K}_e \times F \times \mathcal{Z}^* \rightarrow \mathcal{Y} $ |
| $ {\textsf{Eval}}( {\textsf{evk}}, f, (c_1, \dots , c_n)) = c_f. $ |
● $\textsf{Dec}$ is the decryption algorithm; it takes as inputs the secret key $\textsf{sk}$ and a ciphertext $ c $ (or an output of the evaluation algorithm) and outputs the plaintext $ m' $,
| $ {\textsf{Dec}} \colon \mathcal{K}_s \times \mathcal{Z} \rightarrow \mathcal{P} $ |
| $ {\textsf{Dec}}( {\textsf{sk}}, c) = m'. $ |
Given a family $ F $ of functions, an $ F $-homomorphic scheme $ \mathcal{E} $ is called
● correct with respect to decrypting if for any plaintext $ m\in \mathcal{P} $, we have
| $ {\textsf{Dec}}( {\textsf{sk}}, {\textsf{Enc}}( {\textsf{pk}}, m)) = m. $ |
● correct with respect to evaluation if for any function $ f\in F $, we have
|
$ Pr[(Dec(sk,Eval(evk,f,(c1,…,cn)))=f(Dec(sk,c1),…,Dec(sk,cn))]=1−ϵ(λ), $
|
for a negligible function $ \epsilon $ *.
*A function $ \epsilon: \mathbb{N}\rightarrow \mathbb{R} $ is negligible if for any positive integer $ c $, there exists an integer $ N_c $ such that for every $ x > N_c $, one gets $ |\epsilon(x)| < x^{-c} $.
● a somewhat homomorphic encryption scheme (SHE) if it is correct with respect to both decrypting and evaluation.
● compact if there exists a polynomial $ p $ such that for every function $ f\in F $, every triplet of keys ($ {\textsf{sk}}, {\textsf{pk}}, {\textsf{evk}} $), and every ciphertext $ c_i \in \mathcal{X} $, the output of the evaluation algorithm $ {\textsf{Eval}}({\textsf{evk}}, f, (c_1, \dots, c_n)) $ consists of at most $ p(\lambda) $ bits, independent from the complexity of the function $ f $ (that is, from the length of the corresponding Boolean circuit $ C $). In other words, the length of the ciphertext does not grow too much when involved in homomorphic operations and the length of the final output depends on the length of the security parameter only.
● a leveled homomorphic encryption scheme (LHE) if it is a compact SHE scheme in which the length of the output of $\textsf{Eval}$ does not depend on the auxiliary parameter, usually denoted in this context by $ L $, that specifies the maximum number of consequent products allowed.
● a fully homomorphic encryption scheme (FHE) if it is a compact SHE scheme and $ F $ is the set of all functions (efficiently computable).
We remark that in a scheme that is correct with respect to evaluation, the cipheretexts
| $ {\textsf{Eval}}( {\textsf{evk}}, f, (c_1, \dots , c_n)) \mbox{ and } {\textsf{Enc}}( {\textsf{pk}}, f( {\textsf{Dec}}( {\textsf{sk}},c_1), \dots, {\textsf{Dec}}( {\textsf{sk}},c_n))) $ |
correspond to the same plaintext, but arise from distinct constructions (for instance, they could have different levels of noise).
In practice, the functions considered often correspond to sums (denoted by $ f_s $ or $ + $) and products (denoted by $ f_p $ or $ \times $) defined on a specific algebraic structure and the fact that the scheme is correct with respect to evaluation makes sure that, given two ciphertexts $ c_1 $ and $ c_2 $, we get
| $ {\textsf{Dec}}( {\textsf{sk}}, c_{f_s}) = {\textsf{Dec}}( {\textsf{sk}},c_1) + {\textsf{Dec}}( {\textsf{sk}},c_2) $ |
and
| $ {\textsf{Dec}}( {\textsf{sk}}, c_{f_p}) = {\textsf{Dec}}( {\textsf{sk}},c_1) \times {\textsf{Dec}}( {\textsf{sk}},c_2). $ |
The origin of homomorphic encryption goes back to 1978 when, in [48], Rivest, Adleman and Dertouzos introduced the concept of privacy homomorphism and showed some examples of homomorphic schemes, one of which was RSA. Among other things, they posed the following question: For what algebraic systems does a useful privacy homomorphism exist? Later, various examples of homomorphic schemes based on a unique operation followed, such as the one by ElGamal [21] and Paillier [43]. In 2005, Boneh, Goh and Nissim (BGN) [7] described the first SHE scheme based on two operations: an arbitrary number of sums and a unique product, possibly followed by an arbitrary number of sums.
Craig Gentry was the first to describe a plausible construction of an FHE scheme in [25], marking a turning point in the theory. His strategy consisted of three steps: the construction of an SHE scheme based on evaluation of low-degree polynomials, the use of the technique of squashing to the encryption procedure in order to express it as a low-degree polynomial (supported by the scheme), and finally the application of the method of bootstrapping to obtain an FHE scheme. Gentry's SHE scheme is also the first to be built on ideal lattices: the secret key represents a good basis for the lattice, meaning that its vectors are pairwise orthogonal, while the public key is given by a bad basis of the same lattice, made by skew vectors. Indeed, the security of Gentry's scheme is based on the fact that the problem of finding an orthogonal basis of a lattice is hard. In order to make the scheme bootstrappable, Gentry suggested to reduce the length of the decrypting polynomial adding to the public key a large set of vectors, requiring for the secret key to be the sum of a very sparse subset of such a set (the security of the scheme is therefore based on the sparse subset sum problem (SSSP)).
The first implementation of Gentry's scheme was proposed in 2010 by Smart and Vercauteren (SV) in [51]. In that work, the authors used principal ideals with a prime determinant and expressed the secret key as a unique integer. However, given the complexity of the key generation (in order to obtain an ideal with a determinant that is prime, many candidates are required) such a scheme does not support parameters big enough to apply bootstrapping (it is not possible to generate keys with ideal lattices of dimension larger than 2048); it is therefore an SHE scheme that cannot be made into an FHE scheme.
Later, Gentry and Halevi (GH) [26] adopted the same approach of Smart and Vercauteren, working on the same ring $ R = \mathbb{Z}[x]/\langle x^N +1 \rangle $, for a positive integer $ N = 2^n $, but without requiring for the lattice to have a determinant that is a prime number. Moreover, they described a faster algorithm to generate the secret key (invoking Fourier's discrete transform and its inverse to compute the inverse of the polynomial that generates the principal ideal lattice in the case of a general integer $ N $ and an easier recursive procedure when $ N = 2^n $, as in the actual scheme described) and simplified the squashing, obtaining a decrypting polynomial of degree at most $ 15 $. In particular, the (GH) scheme is bootstrappable for every dimension of the lattice involved, even if its security is for low dimensions.
The strength of the SHE schemes based on lattices lies on their theoretical feasibility and on the efficiency of the encrypting and decrypting algorithms obtained using the techniques of batching and squashing: the first allows one to cipher multiple messages in a unique ciphertext and the latter decreases the decrypting complexity. On the other hand, the fact that such schemes are constructed on complex mathematical structures induces high computational costs and requires a large amount of memory space, making it hard to implement them efficiently. Moreover, in [19], Cramer et al. highlighted the vulnerability of such schemes if attacked, for instance, by a quantum algorithm in polynomial time.
In 2010, van Dijk, Gentry, Halevi and Vaikuntanathan introduced in [52] a new family of SHE schemes working on the ring of integers $ \mathbb{Z} $ and basing the security on the SSSP and the approximate greatest common divisor problem (AGCD). The (DGHV) scheme is easier to treat with respect to Gentry's scheme (G) [25] since the operations involved are sums and products of integers in modular arithmetic. In [52], the authors applied Gentry's approach to show how to use the techniques of squashing and bootstrapping to build FHE schemes. The (DGHV) scheme is notably valued for its elegance and simplicity, but its high computational complexity and long bit-length of the public key make it less efficient in practical uses. Moreover, such a scheme is vulnerable to chosen-ciphertext attacks and noise flood attacks.
In what follows we give a detailed description of Gentry's scheme and of Smart and Vercauteren's scheme.
Given a basis $ B = \{\vec{b}_1, \dots, \vec{b}_n\} $ of $ \mathbb {R}^n $, the corresponding lattice of dimension $ n $ is defined as
| $ L = \left\{ \sum\limits_{i = 1}^n z_i\vec{b}_i \mid z_i \in \mathbb{Z}\right\} $ |
and the parallelepiped associated to $ B $ is
| $ \mathcal{P}(B) = \left\{ \sum\limits_{i = 1}^n x_i\vec{b}_i \mid x_i \in \left[-\frac{1}{2}, \frac{1}{2}\right)\right\}. $ |
If $ \vec{u} \in \mathbb{R}^n $ is a vector, the expression
| $ \vec{u} \mod B $ |
denotes the unique vector $ \vec{u}' \in \mathcal{P}(B) $ such that $ \vec{u} - \vec{u}' \in L $.
Let $ f(x) \in \mathbb{Z}[x] $ be a monic and irreducible polynomial of degree $ n $ (whose definition depends on the security parameter $ \lambda $) and consider the ring of integer polynomials modulo $ f $:
| $ R = \mathbb{Z}[x]/\langle f(x) \rangle. $ |
Every ideal of $ R $ is a lattice, and we will refer to such a structure as the ideal lattice. Note also that $ R $ can be viewed as a subset of $ \mathbb{Z}^n $, identifying any polynomial of $ R $ with the vector of their coefficients. Suppose that if $ B $ is a basis of the ideal lattice $ I $ of $ R $, then for every $ x \in R $ (corresponding to the vector $ \vec{x} $), the vector $ \vec{x} \mod B $ is unique and can be computed efficiently.
The plaintext space is $ \mathcal{P} = \{0, 1\} $, which can be embedded in $ R $ (and so in $ \mathbb{Z}^n $) setting $ \vec{m} = (0, \dots, 0) $ if $ m = 0 $ and $ \vec{m} = (0, \dots, 0, 1) $ if $ m = 1 $. Let $ J $ be an ideal lattice of $ R $ (again seen as a subset of $ \mathbb{Z}^n $).
● The keys are given by
| $ {\textsf{KeyGen}} : \mathbb{N} \rightarrow \rm{Mat}_{n\times n}( \mathbb{Z}) \times \rm{Mat}_{n\times n}( \mathbb{Z}) \times \rm{Mat}_{n\times n}( \mathbb{Z}) $ |
| $ {\textsf{KeyGen}}(\lambda) = ( {\textsf{sk}} = B_{ {\textsf{sk}}}, {\textsf{pk}} = B_{ {\textsf{pk}}}, {\textsf{evk}} = {\textsf{pk}}) $ |
where $ B_{ {\textsf{sk}}} $ and $ B_{ {\textsf{pk}}} $ are bases for $ J $, described as matrices, and the secret key is good (formed by pairwise orthogonal vectors) while the pubblic key is bad.
● Given the message $ m\in \{ 0, 1\} $ and the corresponding vector $ \vec{m} \in \mathbb{Z}^n $, the encryption algorithm is
| $ {\textsf{Enc}} \colon \rm{Mat}_{n \times n}( \mathbb{Z}) \times R \rightarrow \mathcal{P}(B_{ {\textsf{pk}}}) $ |
| $ {\textsf{Enc}}( {\textsf{pk}},\vec{m}) = (2\vec{r} +\vec{m}) \mod B_{ {\textsf{pk}}}, $ |
where $ \vec{r} \in \mathbb{Z}^n $ is a random vector representing the noise. In other words, $ {\textsf{Enc}}({\textsf{pk}}, \vec{m}) $ is the unique vector of the parallelepiped $ \mathcal{P}(B_{ {\textsf{pk}}}) $ such that
| $ (2\vec{r}+\vec{m}) - {\textsf{Enc}}( {\textsf{pk}},\vec{m}) \in J $ |
and we can compute it as
| $ {\textsf{Enc}}( {\textsf{pk}},\vec{m}) = (2\vec{r}+\vec{m}) - \left\lfloor (2\vec{r} +\vec{m}) \cdot B_{ {\textsf{pk}}}^{-1} \right\rceil \cdot B_{ {\textsf{pk}}} = \left[ (2\vec{r} +\vec{m}) \cdot B_{ {\textsf{pk}}}^{-1} \right] \cdot B_{ {\textsf{pk}}} . $ |
● The decryption algorithm is
| $ {\textsf{Dec}} \colon \rm{Mat}_{n \times n}( \mathbb{Z}) \times \mathcal{P}(B_{ {\textsf{pk}}}) \rightarrow \mathbb{Z}_2 $ |
| $ {\textsf{Dec}}( {\textsf{sk}},\vec{c}) = [ \vec{c} \mod B_{ {\textsf{sk}}} ]_2. $ |
That is, we consider the congruence class modulo $ 2 $ of the unique vector $ \vec{c}' $ of the parallelepiped $ \mathcal{P}(B_{ {\textsf{sk}}}) $ such that $ \vec{c} - \vec{c}' \in J $, which can be computed as
| $ \vec{c}' = \vec{c} - \left\lfloor \vec{c} \cdot B_{ {\textsf{sk}}}^{-1} \right\rceil \cdot B_{ {\textsf{sk}}} = \left[ \vec{c} \cdot B_{ {\textsf{sk}}}^{-1} \right] \cdot B_{ {\textsf{sk}}}. $ |
● $ F $ is the family of sums (denoted by $ f_s $) and products (denoted by $ f_p $) in the ring $ R $ (so they are sums and products among real coefficients polynomials modulo $ f(x) $). The algorithm $ {\textsf{Eval}} $ outputs sums and products modulo $ {\textsf{evk}} = B_{ {\textsf{pk}}} $. If $ c_1 $ and $ c_2 $ are two ciphertexts, seen as elements of $ R $, then
| $ {\textsf{Eval}} \colon \rm{Mat}_{n \times n}( \mathbb{Z}) \times R \times R \rightarrow R $ |
| $ {\textsf{Eval}}( {\textsf{evk}}, f_s, (c_1, c_2)) = \vec{(c_1 + c_2)} \mod B_{ {\textsf{pk}}} $ |
| $ {\textsf{Eval}}( {\textsf{evk}}, f_p, (c_1, c_2)) = \vec{(c_1 \cdot c_2)} \mod B_{ {\textsf{pk}}}. $ |
With the notations $ \vec{(c_1 + c_2)} $ and $ \vec{(c_1 \cdot c_2)} $ we mean that we first compute the sum or the product of the polynomials $ c_1 $ and $ c_2 $ in $ R $ and then we express the result as a vector of coefficients in $ \mathbb{Z}^n $.
We remark that the scheme described by Gentry in [25] also allows for a larger plaintext space. More precisely, fixing an ideal lattice $ I $ of $ R $ and a basis $ B_I $, one can consider as a plaintext space any subset $ \mathcal{P} $ of $ R\!\mod B_I $. In this case, the output of the decryption algorithm will not be modulo $ 2 $ but modulo $ B_I $:
| $ {\textsf{Dec}}( {\textsf{sk}},\vec{c}) = \left[ \vec{c} \mod B_{ {\textsf{sk}}} \right] \mod B_I. $ |
The scheme described above corresponds to taking $ I = \langle 2\rangle $, that is, the set of polynomials of degree at most $ n-1 $ with only even coefficients.
Gentry's scheme is correct with respect to decryption, as long as the noise vectors and the vectors of the public basis are small enough. Indeed, if $ \vec{m} \in \{0, 1\}^n $ is a plaintext (viewed as an element of $ R $), the corresponding ciphertext $ \vec{c} $ can be expressed as $ \vec{j} + (2\vec{r}+\vec{m}) $, for a vector $ \vec{j} \in J $. Hence
| $ \vec{c} \cdot B_{ {\textsf{sk}}}^{-1} = (\vec{j} + (2\vec{r}+\vec{m})) \cdot B_{ {\textsf{sk}}}^{-1} = (\vec{j} \cdot B_{ {\textsf{sk}}}^{-1}) + (2\vec{r}+\vec{m})\cdot B_{ {\textsf{sk}}}^{-1}. $ |
Since $ \vec{j} \in J $, the vector $ \vec{j} \cdot B_{ {\textsf{sk}}}^{-1} $ has integer coefficients and we deduce that
| $ \left[ \vec{c} \cdot B_{ {\textsf{sk}}}^{-1} \right] = \left[ (2\vec{r}+\vec{m})\cdot B_{ {\textsf{sk}}}^{-1}\right]. $ |
If the vectors forming the basis $ B_{ {\textsf{pk}}} $ and the vector $ 2\vec{r}+\vec{m} $ are small enough (for instance, if all coefficients of $ (2\vec{r}+\vec{m})\cdot B_{ {\textsf{sk}}}^{-1} $ have an absolute value less than $ 1/2 $), then
| $ \left[ (2\vec{r}+\vec{m})\cdot B_{ {\textsf{sk}}}^{-1}\right] = (2\vec{r}+\vec{m})\cdot B_{ {\textsf{sk}}}^{-1} $ |
and so
| $ {\textsf{Dec}}( {\textsf{sk}}, \vec{c}) = [ (2\vec{r}+\vec{m})\cdot B_{ {\textsf{sk}}}^{-1} \cdot B_{ {\textsf{sk}}}]_2 = [ (2\vec{r}+\vec{m})]_2 = m. $ |
The scheme is also correct with respect to the evaluation of sums. Let $ \vec{c}_1 = \vec{j}_1 + (2\vec{r}+\vec{m}_1) $ and $ \vec{c}_2 = \vec{j}_2 + (2\vec{r}+\vec{m}_2) $ be the ciphertexts associated with the plaintexts $ m_1 $ and $ m_2 $.
Then
|
$ Dec(sk,Eval(evk,fs,(→c1,→c2)))=Dec(sk,→c1+→c2modBsk)=[(→c1+→c2modBsk)modBsk]2=[→c1+→c2modBsk]2=[[(→c1+→c2)⋅B−1sk]⋅Bsk]2=[[→c1⋅B−1sk+→c2⋅B−1sk]⋅Bsk]2=[[→c1⋅B−1sk]⋅Bsk]2+[[→c2⋅B−1sk]⋅Bsk]2=Dec(sk,→c1)+Dec(sk,→c2). $
|
Similarly, it is possible to verify that the scheme is correct with respect to the evaluation of the product. This proves that Gentry's scheme is an SHE scheme.
Let $ \lambda $ be the fixed security parameter, and let us consider
● an integer $ N = N(\lambda) = 2^n \in \mathbb{N} $, that defines the polynomial $ f(x) = x^N +1 $ and the ring
| $ R = \mathbb{Z}[x]/\langle f(x) \rangle = \mathbb{Z}[x]/\langle x^N +1 \rangle; $ |
● an integer $ t = t(\lambda) \in N $.
Choose a polynomial $ v(x) = \sum_{i = 0}^{N-1} v_ix^i \in R $ such that $ v_0 $ is odd, and every coefficient has an absolute value less than $ 2^t $ (and at least one coefficient is an integer of bit-length $ t $). Given the matrix
|
$ V: = (v0v1⋯vN−1−vN−1v0⋯vN−2⋯−v1−v2⋯v0) \in M_N(\mathbb{Z}), $
|
its determinant $ d = \det(V) $ is a prime number.
Let us now consider the ideal lattice $ J = (v) $ generated by the polynomial $ v(x) $ and the unique number $ r \in [-d/2, d/2) $ that is a zero of both $ f(x) $ and $ v(x) $ modulo $ d $ (considering the reductions modulo $ d $ in the interval $ [-d/2, d/2) $). The uniqueness of $ r $ is proved in [50, Lemma 1] using algebraic number theory techniques. Note that the ideal $ J $ is completely determined by $ d $ and $ r $.
Finally, set $ r_i: = r^i \mod d $ and consider the normal Hermitian form of $ J $:
|
$ B=HNF(J)=(d00⋯0−r110⋯0−r201⋯0⋯−rN−100⋯1)∈MN×N(Z). $
|
(1) |
Note that the matrix $ V $ represents a good basis for $ J $, while $ B $ represents a bad basis. The plaintext space is $ \mathcal{P} = \mathbb{Z}_2 $. In this context, we can now present the algorithms of the scheme:
● The keys are given by
| $ {\textsf{KeyGen}} \colon \mathbb{N} \rightarrow R \times ( \mathbb{N} \times \mathbb{R}) \times \mathbb{N} $ |
| $ {\textsf{KeyGen}}(\lambda) = ( {\textsf{sk}} = w(x), {\textsf{pk}} = (d, r), {\textsf{evk}} = d), $ |
where $ w(x) $ is such that $ v(x) \cdot w(x) = d \mod f(x) $, so $ w(x) $ is an inverse of $ v(x) $ modulo $ f(x) $. The public key can also be defined as a matrix: $ {\textsf{pk}} = B $.
● Given the plaintext $ m\in \mathbb{Z}_2 $, the encryption algorithm is
| $ {\textsf{Enc}} \colon ( \mathbb{N} \times \mathbb{R}) \times \mathbb{Z}_2 \rightarrow \mathbb{Z}_d $ |
| $ {\textsf{Enc}}( {\textsf{pk}}, m) = [ 2u(r) + m ]_d $ |
where $ u = \sum_{i = 0}^{N-1} u_ix^i \in \mathbb{Z}[x] $ is a random polynomial with integer coefficients representing the noise and $ u(r) $ is the evaluation of the polynomial $ u $ in $ r $. If we write $ \vec{u} $ for the vector of the coefficients of $ u $ and $ \vec{m} $ for the vector corresponding to $ m $ (as in Gentry's scheme), encrypting $ m $ is equivalent to computing the first entry of the vector $ 2\vec{u} + \vec{m} \mod B $.
● The decryption algorithm is
| $ {\textsf{Dec}} \colon R \times \mathbb{Z}_d \rightarrow \mathbb{Z}_2 $ |
| $ {\textsf{Dec}}( {\textsf{sk}}, c) = \left[c - \left\lfloor \frac{cw_0}{d} \right\rceil \right]_2, $ |
where $ w_0 $ is the first coefficient of the polynomial $ w(x) $.
● The evaluation algorithm $ {\textsf{Eval}} $ outputs sums and products in the ring $ R $, computed modulo $ {\textsf{evk}} = d $.
By definition, the ciphertext $ c $ corresponding to the plaintext $ m $ is the first entry of the unique vector $ \vec{c'} $ of the parallelepiped $ \mathcal{P}(B) $ such that $ (2\vec{u} + m) - \vec{c'} \in J $. Using the polynomial notation and recalling that $ J $ is generated by $ v(x) $, we get
| $ 2u(r) + m - c = q(r) \cdot v_0 $ |
for a polynomial $ q(x) \in R $. Dividing by $ v(x) $, using the fact that $ v(x)^{-1} = w(x)d^{-1} $, and looking at the first coefficient of the polynomials, we obtain
| $ - c \cdot \frac{w_0}{d} = q(r) - \frac{(2u(r) + m)w_0}{d}. $ |
If the error is small enough, that is, such that $ \left\lfloor \frac{(2u(r) + m)w_0}{d} \right\rceil = 0 $, then
| $ - \left \lfloor \frac{c \cdot w_0}{d} \right \rceil = q(r) $ |
and the decryption procedure is correct (as $ v_0 $ is odd by assumption):
|
$ Dec(w0,Eval(pk,m))=[2u(r)+m−q(r)v0−⌊c⋅w0d⌉]2=[2u(r)+m−q(r)(v0−1)]2=m. $
|
It is not hard to prove that the evaluation is correct as well, and so this is an SHE scheme.
In 2011 Brakerski and Vaikuntanathan started a new reaserch direction introducing the first FHE schemes based on the learning with errors problem (LWE) [12] (extended version in [14]) and on the ring learning with errors problem (RLWE) [13]. Such schemes have a great relevance in modern cryptography. Indeed, they offer an optimal combination of security, functionality, and applicability. For $ n\geq 1 $ and $ q\geq 2 $, the (search-)LWE problem asks to recover $ s = (s_1, \ldots, s_n)\in \mathbb{Z}_q^n $ given any desired $ m = poly(n) $ independent linear equations such as the following,
|
$ {a11s1+…+a1nsn+e1=b1(modq)a21s1+…+a2nsn+e2=b2(modq)⋮⋮⋮am1s1+…+amnsn+em=bm(modq) $
|
where the matrix $ A = (a_{jk})\in \mathbb{Z}_q^{m\times n} $ is chosen uniformly, and each $ e_i $ is usually taken from a Gaussian distribution $ \chi $ and rounded to the nearest integer (modulo $ q $). The LWE problem is believed to be computationally hard, because of the Regev's reduction from the worst-case hardness of some lattice problems, such as GapSVP (the decision version of the Shortest Vector Problem, which consists in finding a non-zero vector $ v \in L $ that minimizes the Euclidean norm), to the search-LWE problem [46]. This reduction works for any modulus $ q\geq 2\sqrt n/\alpha $, with $ 0 < \alpha < 1 $, but it requires the use of quantum computation. In [45], Peikert proved that LWE is classically at least as hard as worst-case GapSVP on lattices for large modulus $ q\geq 2^{n/2} $. Since then, the LWE problem has become one of the most attractive and promising topics for post-quantum cryptography.
In Brakerski and Vaikuntanathan's scheme (BV), given a plaintext $ m\in \mathbb{Z}_2 $ and a secret key $ \vec{s} \in \mathbb{Z}_q^n $, the idea is to generate a ciphertext
| $ \vec{c} = (\vec{a}, \langle \vec{a}, \vec{s}\rangle + 2e + m) \in \mathbb{Z}_q^n \times \mathbb{Z}_q, $ |
where $ \vec{a} \in \mathbb{Z}_q^n $ is a vector chosen uniformly at random and $ e \in \mathbb{Z}_q $ is an error chosen with distribution $ \chi(\mathbb{Z}_q) $. In this way the message $ m $ is masked twice: by the scalar product $ \langle \vec{a}, \vec{s}\rangle $ and by the noise $ 2e $. These masks can be removed independently in the process of decrypting: the first is subtracted and the noise noise $ 2e $ is canceled considering the congruence class modulo $ 2 $ (as long as the error $ e $ is small enough, that is, such that $ 2e + m \mod q = 2e +m $). In [12] the authors also show how to make the scheme bootstrappable (and so into an FHE scheme), introducing the techniques of relinearization and modulus switching, in substitution of Gentry's squashing technique. The relinearization is used to control the growth of noise, in particular after operations of multiplication, while the modulus switching consists on considering an integer $ p $ smaller than $ q $ and, given a ciphertext $ c $ modulo $ q $, to multiply it by $ p/q $ and to approximate the result to the nearest integer, obtaining a new ciphertext $ c' $ modulo $ p $.
The scheme (BV-RLWE) described in [13] is a new version of (BV) whose security is based on the polynomial LWE problem, that is proved to be equivalent to the RLWE problem. The main difference is in the fact that plaintexts, keys and ciphertexts are built not working in $ \mathbb{Z}_q $, for an odd integer $ q $, but in the ring $ R_q = \mathbb{Z}_q[x]/\langle f(x) \rangle $, for a prime number $ q $ and a suitable polynomial $ f(x) \in \mathbb{Z}[x] $.
In 2012 Brakerski, Gentry and Vaikuntanathan (BGV) [10] (technical report in [9], extended version in [11]) proposed a procedure to build an LHE scheme (without invoking the bootstrapping) and a new bootstrapping technique used to obtain an FHE scheme. These innovations represented an important change in the field because they allow for the scheme to be truly applicable in various practical situations. The scheme (BGV) exists in two versions, based on the LWE and RLWE problems, respectively. The scheme (BGV-RLWE) is the most efficient and it was implemented in the open-source HElib library by IBM [35]. We point out that such a scheme has been improved in [27] (with optimized bootstrapping in [28]) and the library architecture is based on a variant of (BGV) proposed by Gentry, Halevi and Smart [29].
Again in 2012, Brakerski (B) [6] presented a variant of (BGV) based on the Scale-invariant technique, in substitution of modulus switching. In particular, in the encryption algorithm the plaintext $ \vec{m} $ is "scaled" multiplying it by the number $ \lfloor \frac{q}{2} \rfloor $ (and the decrypting algorithm is modified accordingly). In the scheme (B) the technique of key wwitching also appears, consisting of two algorithms: $ \texttt{SwitchKeyGen}_{q, \chi}(s, t) $ that, starting form a secret key $ s $ and a "target" key $ t $, outputs a matrix $ P_{s:t} $ and $ \texttt{SwitchKey}_{q}(P_{s:t}, c_s) $ that, using the matrix $ P_{s:t} $, allows it to express a ciphertext $ c_s $, encrypted using the key $ s $, as a ciphertext $ c_t $, encrypted using the key $ (1, t) $. As a consequence of this innovation, the dimension of the errors arising from the operations of multiplication grows linearly. Also, a classic reduction is used to show that its security is based on the hardness of (SVP) (in previous works the reductions were of quantum type only).
Fan and Vercauteren (FV) [24] implemented and optimized the RLWE version of Brakerski's scheme (B), introducing two ways of relinearizing the output of the product evaluation, in order to obtain a polynomial of degree 1 instead of 2. The scheme (FV) is one of the three schemes implemented in Microsoft's Simple Encrypted Arithmetic Library (SEAL) [49].
The next two subsections are devoted to the (BGV) scheme and to the (FV) scheme, respectively.
We first present a base scheme (without evaluation) on which both the LWE and RLWE versions of the (BGV) scheme are built, as described in [10]. Choosing a security parameter $ \lambda $, we consider a ring $ R $ depending on $ \lambda $, setting for instance $ R = \mathbb{Z} $ in the LWE version and $ R = \mathbb{Z}[x]/\langle x^d + 1 \rangle $ in the RLWE version, for an integer $ d = d(\lambda) = 2^k \in \mathbb{N} $. For every positive integer $ t \in \mathbb{N} $, set
| $ R_t = R/tR. $ |
Hence, if $ R = \mathbb{Z} $ we get $ R_t = \mathbb{Z}_t $ and if $ R = \mathbb{Z}[x]/\langle x^d + 1 \rangle $ we obtain $ R_t = \mathbb{Z}_t[x]/\langle x^d + 1 \rangle $. The plaintext space is $ \mathcal{P} = R_2 $.
Let us consider the following further parameters:
● an integer $ \mu = \mu(\lambda) \in N $;
● an odd modulus $ q = q(\lambda)\in \mathbb{N} $ of $ \mu $-bit;
● two dimensions $ n = n(\lambda), N = N(\lambda) \in \mathbb{N} $;
● a distribution $ \chi = \chi(\lambda) $ on $ R $ (as small as possible).
The algorithms of the base scheme are defined as follows.
● The keys are given by
| $ {\textsf{KeyGen}} \colon \mathbb{N} \rightarrow R_q^{n+1} \times \rm{Mat}_{N \times (n+1)}(R_q) $ |
| $ {\textsf{KeyGen}}(\lambda) = ( {\textsf{sk}} = \vec{s} = (1,\vec{s'}[1], \dots, \vec{s'}[n]), {\textsf{pk}} = A ), $ |
where $ \vec{s'} \in\chi(R_q^n) $ is a secret vector and, given a vector $ \vec{e} \in \chi(R_q^N) $ representing the error and a matrix $ A'\in \rm{Mat}_{N \times n}(R_q) $, the matrix $ A \in \rm{Mat}_{N \times (n+1)}(R_q) $ is defined as the matrix that has the vector $ \vec{b} = A'\cdot \vec{s'} + 2 \vec{e} \in R_q^N $ as the first column, followed by the $ n $ columns of the matrix $ -A' $. Note that $ A \cdot \vec{s} = 2\vec{e} $.
● Given a plaintext $ m \in R_2 $, set $ \vec{m} = (m, 0, \dots, 0) \in R_q^{n+1} $. The corresponding ciphertext is given by
| $ {\textsf{Enc}} \colon \rm{Mat}_{N \times (n+1)}(R_q) \times R_q^{n+1} \rightarrow R_q^{n+1} $ |
| $ {\textsf{Enc}}( {\textsf{pk}} = A, \vec{m}) = [ \vec{m} + A^T\cdot \vec{r}]_q, $ |
where $ \vec{r}\in R_2^N $ is a vector representing the error.
We point out that in [10] the authors remark that the scheme (BGV-RLWE) is more efficient if one puts $ N = 1 $ (so that the matrix $ A $ can be thought of as a vector of length $ n+1 $) and introducing in the output of $ {\textsf{Enc}} $ a further small error $ \vec{e'} \in R_q^{n+1} $:
| $ {\textsf{Enc}}( {\textsf{pk}} = A, \vec{m}) = [\vec{m} + 2\vec{e'} + A^T\cdot \vec{r}]_q. $ |
● The decryption algorithm is
| $ {\textsf{Dec}} \colon R_q^{n+1} \times R_q^{n+1} \rightarrow R_2 $ |
| $ {\textsf{Dec}}( {\textsf{sk}} = \vec{s}, \vec{c}) = \left[ \; [ \langle \vec{c}, \vec{s} \rangle ]_q \; \right]_2. $ |
Note that the base scheme is correct with respect to decryption if the error $ \vec{e} $ is small:
|
$ Dec(sk=→s,Enc(pk=A,→m))=[[⟨→m+AT⋅→r,→s⟩]q]2=[[⟨→m,→s⟩+⟨AT⋅→r,→s⟩]q]2=[[m+⟨A⋅→s,→r⟩]q]2=[[m+2⟨→e,→r⟩]q]2=m. $
|
In [10, Section 3.4] the authors describe an LHE scheme, in which for every level $ l $, with $ 0 < l \leq L $, distinct keys and distinct moduli are defined. Instead of using bootstrapping to make it into an FHE scheme, they define an algorithm, called $\texttt{Refresh}$, that allows one to modify the level of the ciphertext, passing to keys and modulus of the previous level and decreasing the noise. The $\texttt{Refresh}$ algorithm uses an extra evaluation key $ {\textsf{evk}} $ (that can be viewed as an encryption of the secret key) and is formed by
● $\texttt{SwitchKey}$: Allows it to pass from a ciphertext $ \vec{c} $, encrypted using the secret key $ \vec{s}_l $ defined at the level $ l $, to a ciphertext $ \vec{c}_1 $, encrypted using the secret key $ \vec{s}_{l-1} $ defined at the level $ l-1 $, preserving the initial modulus $ q_{l} $;
● $\texttt{Scale}$: Starting from the ciphertext $ \vec{c}_1 $, it outputs a ciphertext $ \vec{c}_2 $ encrypted using the same secret key $ \vec{s}_{l-1} $ but with respect to the modulus $ q_{l-1} $.
The family $ F $ of homomorphic operations is formed by sums $ f_s $ and products $ f_p $ in the ring $ R_q^{n+1} $. Given two ciphertexts $ \vec{c}_1 $ and $ \vec{c}_2 $, encrypted using the same secret key (at the same level $ l $), the evaluation of the sum is
| $ {\textsf{Eval}}( {\textsf{evk}}, f_s, (\vec{c}_1,\vec{c}_2)) = \texttt{Refresh}( {\textsf{evk}}, [\vec{c}_1 + \vec{c}_2]_{q_l}). $ |
As for the product $ f_p $, we consider the following linear equation depending on the ciphertext $ \vec{c} $:
| $ L_{\vec{c}}(\vec{x}) = \langle \vec{c}, \vec{x} \rangle. $ |
Note that decryption $ \vec{c} $ with the secret key $ \vec{s} $ corresponds to computing $ [[L_{\vec{c}}(\vec{s})]_q]_2 $. Given two ciphertexts $ \vec{c}_1 $ and $ \vec{c}_2 $, we can now consider a quadratic equation, that can be also viewed as a linear equation on tensor products:
| $ L^{long}_{\vec{c}_1, \vec{c}_2}(\vec{x} \otimes \vec{x} ) = L_{\vec{c_1}}(\vec{x}) \cdot L_{\vec{c_2}}(\vec{x}). $ |
We can now define the evaluation algorithm for the product:
| $ {\textsf{Eval}}( {\textsf{evk}}, f_s, (\vec{c}_1,\vec{c}_2)) = \texttt{Refresh}( {\textsf{evk}}, L^{long}_{\vec{c}_1, \vec{c}_2}(\vec{x} \otimes \vec{x} )). $ |
We refer to [10] for the proof of the correctness of the evaluation.
In [24] Fan and Vercauteren applied the relinearization technique to decrease the length of products of ciphertexts and proposed two SHE schemes, which we are going to describe, referring to them as version $ 1 $ and version $ 2 $ of (FV).
Given a security parameter $ \lambda $, let us consider the polynomial rings
| $ R = \mathbb{Z}[x]/ \langle x^d +1 \rangle \text{ and } R_t = \mathbb{Z}_t[x]/ \langle x^d +1 \rangle, $ |
for a positive integer $ d = 2^k $ and a positive integer $ t = t(\lambda) $. The plaintext space is $ \mathcal{P} = R_t $.
Moreover, we fix the following parameters:
● an odd integer $ q = q(\lambda) \in \mathbb{N} $ (the modulus);
● an integer $ T\in \mathbb{N} $ (used for relinearization in version $ 1 $);
● an integer $ p\in \mathbb{N} $ (used for relinearization through modulo switching in version 2);
● two error distributions $ \chi = \chi(\lambda) $ and $ \chi' = \chi'(\lambda) $ defined on $ R $. The distribution $ \chi $ can be identify with the discrete Gaussian distribution. However, $ \chi' $ is used in version $ 2 $ and must differ from $ \chi $, otherwise the security of the scheme would be considerably weakened.
We remark that if $ x \in R_t $ and $ y\in R_2 = \mathbb{Z}_2[x]/ \langle x^d +1 \rangle $, then both $ x $ and $ y $ can be viewed as elements of $ R $ and as such can be multiplied. With the symbol $ \cdot $ we denote the operation of multiplication in $ R $.
The algorithms of (FV) are the following:
● the keys are generated by
| $ {\textsf{KeyGen}} \colon \mathbb{N} \rightarrow R_2 \times (R_q \times R_q) \times \mathcal{K}_e $ |
| $ {\textsf{KeyGen}}(\lambda) = ( {\textsf{sk}} = s, {\textsf{pk}} = ([-(a \cdot s + e)]_q , a), {\textsf{evk}}) $ |
where $ s \in R_2 $ and $ a \in R_q $ are chosen uniformly at random, $ e \in \chi(R) $ is an error and with $ {\textsf{evk}}_1 $ and $ {\textsf{evk}}_2 $ we denote the evaluation keys in versions $ 1 $ and $ 2 $ of the (FV) scheme, respectively.
In version $ 1 $, let $ \ell = \lfloor \log_T(q) \rfloor $, and for every $ i\in 0, \dots, \ell $ set $ a_i \in R_q $ (chosen uniformly at random), $ e_i \in \chi(R) $ and
| $ {\textsf{evk}} = {\textsf{evk}}_1 = \left( [-(a_i \cdot s + e_i) + T^i \cdot s^2]_q, a_i \right)_{\{i \in [0,\ell]\}} $ |
In version $ 2 $, the relinearization consists of passing from computations modulo $ q $ to computations modulo $ pq $:
| $ {\textsf{evk}} = {\textsf{evk}}_2 = \left( [-(a \cdot s + e) + p \cdot s^2]_{p\cdot q}, a \right), $ |
for $ a \in R_{p \cdot q} $ and $ e\in \chi'(R) $.
● Given a plaintext $ m \in \mathbb{R}_t $ and the public key
| $ {\textsf{pk}} = ( {\textsf{pk}}[1], {\textsf{pk}}[2]) = ([-(a \cdot s + e)]_q, a), $ |
we get
| $ {\textsf{Enc}} \colon (R_q \times R_q) \times R_t \rightarrow (R_q \times R_q) $ |
| $ {\textsf{Enc}}( {\textsf{pk}}, m) = \left( \; [ {\textsf{pk}}[1] \cdot u + e_1 + \lfloor \frac{q}{t}\rfloor \cdot m ]_q \; , \; [ {\textsf{pk}}[2] \cdot u + e_2]_q \; \right), $ |
for some $ u \in R_2 $ and errors $ e_1, e_2 \in \chi(R) $.
● Given a ciphertext $ \vec{c} = (\vec{c}[1], \vec{c}[2]) $, the decryption algorithm is
| $ {\textsf{Dec}} \colon R_2 \times (R_q \times R_q) \rightarrow R_t $ |
| $ {\textsf{Dec}}( {\textsf{sk}}, \vec{c}) = \left[ \left\lfloor \frac{t \cdot [\vec{c}[1] + \vec{c}[2] \cdot s]_q}{q} \right\rceil \right]_t. $ |
● The family $ F $ consists of sums $ f_s $ and products $ f_p $ in $ R $. Let $ \vec{c}_1 = (\vec{c}_1[1], \vec{c}_1[2]) $ and $ \vec{c}_2 = (\vec{c}_2[1], \vec{c}_2[2]) $ be two ciphertexts. The evaluation algorithm is defined among the sets
| $ {\textsf{Eval}} \colon \mathcal{K}_e \times F \times (R_q \times R_q) \rightarrow (R_q \times R_q) $ |
and, applied to the sum, is the natural evaluation:
| $ {\textsf{Eval}}( {\textsf{evk}}, f_s, (\vec{c}_1, \vec{c}_2)) = [\vec{c}_1 + \vec{c}_2]_q. $ |
As for the product, the relinearization technique is invoked and the output is different in the two versions of (FV). First, let us compute
| $ x = \left[ \left\lfloor \frac{t \cdot (\vec{c}_1[1] \cdot \vec{c}_2[1])}{q} \right\rceil \right]_q, $ |
| $ y = \left[ \left\lfloor \frac{t \cdot (\vec{c}_1[1] \cdot \vec{c}_2[2] + \vec{c}_1[2] \cdot \vec{c}_2[1])}{q} \right\rceil \right]_q, $ |
and
| $ z = \left[ \left\lfloor \frac{t \cdot (\vec{c}_1[2] \cdot \vec{c}_2[2])}{q} \right\rceil \right]_q. $ |
In version $ 1 $, we express $ z $ as: $ z = \sum_{i = 0}^l z_i \cdot T^i $, for $ z_i \in R_T $, and we get
| $ {\textsf{Eval}}( {\textsf{evk}}_1, f_p, (\vec{c}_1, \vec{c}_2)) = ( [ x + \sum\limits_{i = 0}^l {\textsf{evk}}_1[i][1] \cdot z_i ]_q \; , \; [y + \sum\limits_{i = 0}^l {\textsf{evk}}_1[i][2] \cdot z_i]_q ). $ |
Instead, in version $ 2 $ the evaluation of the product is:
| $ {\textsf{Eval}}( {\textsf{evk}}_2, f_p, (\vec{c}_1, \vec{c}_2)) = \left( \left[ x + \left[ \left\lfloor \frac{z \cdot {\textsf{evk}}_2[1]}{p} \right\rceil \right]_q \right]_q, \left[ y + \left[ \left\lfloor \frac{z \cdot {\textsf{evk}}_2[2]}{p} \right\rceil \right]_q \right]_q \right). $ |
Both versions of (FV) are correct with respect to both decryption and evaluation, and so they are SHE schemes. Indeed, if the errors are small enough (that is, such that $ 0 $ is the nearest integer to the product $ \frac{t}{q} \cdot [ e \cdot u + e_1 + e_2 \cdot s \; ] $), it is easy to see that the decryption procedure is correct:
|
$ Dec(sk,Enc(pk,m))==[⌊t⋅[[pk[1]⋅u+e1+⌊qt⌋⋅m]q+[pk[2]⋅u+e2]q⋅s]qq⌉]t=[⌊t⋅[[[−(a⋅s+e)]q⋅u+e1+⌊qt⌋⋅m]q+[a⋅u+e2]q⋅s]qq⌉]t=[⌊tq⋅[[[e⋅u+e1+⌊qt⌋⋅m]q+e2⋅s]q⌉]t=[⌊tq⋅[e⋅u+e1+⌊qt⌋⋅m+e2⋅s]⌉]t=m+[⌊tq⋅[e⋅u+e1+e2⋅s]⌉]t=m. $
|
The proof of the correctness of the evaluation of sums and products can be read in detail in [24, Section 4]. Moreover, in [24, Sections 5 e 6] the authors show how to produce an LHE scheme and an FHE scheme.
In 2013 Gentry, Sahai and Waters (GSW) [30] suggested a different approach for the computation of homomorphic operations, starting a research direction known as the third generation of FHE schemes. The (GSW) scheme does not invoke the modulus switching technique, but the approximate eigenvector method reduces the error arising from products to a small polynomial factor. On the other hand, the (GSW) scheme requires high communication costs (the ciphertext is larger with respect to the corresponding plaintext) and high computational complexity. To remedy such problems, various optimizations of such a scheme were later proposed. Alperin-Sheriff and Peikert (AP) [1] suggested a new bootstrapping algorithm considering the process of decrypting as an arithmetic function instead of a Boolean circuit, a procedure later improved by Hiromasa et al. [33] and extended to rings by Ducas and Micciancio (FHEW: Fastest Homomorphic Encryption in the West) [20]. We remark that the (FHEW) scheme is the first one to execute bootstrapping in a fraction of a second; in the literature, this innovative bootstrapping technique is known as AP/FHEW bootstrapping.
The (FHEW) scheme has been the starting point used by Chillotti et al. in 2020 [15] to define the (TFHE) scheme based on the torus that uses a new bootstrapping technique (known as GINX) first described by Gama et al. in [31]; see also [22] for an algebraic version of (TFHE) and [23] for an application. In a recent work, Lee and Micciancio et al. [41] described a bootstrapping technique combining the best aspects of AP/FHEW and GINX/TFHE.
In 2017, Cheon, A. Kim, M. Kim, and Song (CKKS) [17] started the so-called fourth generation of FHE schemes, suggesting a new method to construct an LHE scheme and including an open-source library (known as HEANN [34]) that implements it. The (CKKS) scheme was extended to an FHE scheme in [16] and constitutes the starting point for many further optimizations. For instance, in [37] Kim, Papadimitriou and Polyakov proposed a technique to decrease the propagation of errors, rescaling the ciphertexts before applying the homomorphic operations, and presented two RNS (residue number system) variants of (CKKS), both implemented in the PALISADE library [44].
One of the novelties of the fourth generation schemes is that they use approximate arithmetic, which makes the algorithms faster. In 2021, Li and Micciancio [40] proved that the (CKKS) scheme and its variants are vulnerable to attacks by adversaries knowing the encryption function.
We conclude this survey on fully homomorphic encryption briefly describing recent results aimed at improving efficiency and security of FHE schemes.
In 2020, Boura, Gama, Georgieva and Jetchev introduced the scheme known as CHIMERA [8]: a hybrid scheme combining (TFHE), (FV) and (CKKS). In CHIMERA, the plaintext space is defined in such a way that the plaintext spaces of (TFHE), (FV) and (CKKS) could embed in it. Using bootstrapping, the authors describe a procedure that allows it to pass from ciphertexts encrypted using (TFHE) or (CKKS) to ciphertexts encrypted according to (FV), and vice versa. CHIMERA turned out to be very useful in many practical scenarios, in which the various natures of the operations involved caused the application of only one of the schemes (TFHE), (FV) or (CKKS) inadequate. Moreover, CHIMERA contributes the project of standardization of FHE schemes.
In 2021, Cho et al. [18] proposed a scheme, called (RtF) (real-to-finite-field), that combines (CKKS) and (FV) and exploits a new stream cipher, known as HERA, based on modular arithmetic. They showed how such strategies allow one to encrypt large real numbers without incurring in an excessive growth of the ciphertext's dimension or of the memory space needed to compute homomorphic operations. In 2022, Ha et al. [32] followed the approach of Cho et al. [18] and introduced a new stream cipher, called RUBATO, that further decreases the computational complexity of (RtF).
In 2023, Bae, Cheon, Kim, Park, and Stehlé [3] proposed two solutions to the ring packaging problem, that is, the problem of conversion of a scheme based on the LWE problem to one based on the RLWE problem. On one hand, they presented a strategy that speeds up the existing ring packaging technique through bootstrapping and ring switching; on the other, they introduced a completely new method, called HERMES, showing how to apply it to transform a symmetric cryptosystem based on LWE into a variant of (CKKS). In particular, the authors proved that HERMES is more efficient than both HERA and RUBATO.
In 2021, Kim, Polyakov and Zucca [38] described new schemes inspired by the (BGV) and (FV) schemes. The variant of (FV) contains various optimizations, including decreasing of noise growth and the definition of a novel algorithm for the evaluation of multiplication that reduces the computational complexity of the original one. As for (BGV), the authors describe a "pratical" variant that is more efficient than (FV) in certain real scenarios. Both variants have been implemented in the PALISADE library.
In 2023, Okada, Player and Pohmann [42] proposed a strategy to improve the evaluation of polynomials in the bootstrapping of (FV), using Galois automorphisms. Moreover, they showed how some of the bootstrapping techniques of (FHEW) and (TFHE) can be applied to (FV).
One of the strategies invoked to strengthen the security of public-key cryptosystems consists in dividing the secret key into $ n $ parts, delivered to $ n $ distinct clients, so that only their cooperation (or the cooperation of a certain number of them) could lead to decryption. Such a technique is known as threshold public key encryption and the expression $ t $-out-of-$ n $ means that at least $ t+1 $ of the $ n $ clients must cooperate to decipher the message. In [2] the authors showed that threshold public key encryption can be applied to FHE schemes, that are in this case denoted by ThFHE. In 2023, Boudgoust and Scholl [5] introduced a new ThFHE scheme of type $ t $-out-of-$ n $ based on the LWE problem that involves the use of a modulus given by a polynomial function of the security parameter (while previous works required a superpolynomial modulus, with consequent increase of computational costs).
We remark that the innovative bootstrapping procedure elaborated by Lee et al. in [41] is particularly efficient when applied to ThFHE schemes.
One of the major difficulties in applying FHE schemes to real scenarios lies in the determination of the best parameters to use in order to preserve security requiring low computational costs. In 2023, Bergerat et al. [4] formalized the problem of the parameters' choice as an optimization problem and suggested to encrypt a plaintext into more than one ciphertexts using novel algorithms. Their work focused on the (TFHE) scheme, but the strategy illustrated can also be applied to other FHE schemes.
Certain FHE schemes, such as (FV) and (CKKS), support rotation operations, that is, permutations of the ciphertexts components (e.g., the entries of the vector corresponding to the ciphertext). These operations are needed if the scheme contains homomorphic operations involving distinct components of the ciphertext and they require an evaluation key, called the rotation key. In 2023, Lee, Lee, Kim, and No [36] introduced a hierarchic system of rotation keys, which allows it to generate such keys starting from the public key and a small number of rotation keys, significantly decreasing the communication costs between client and server.
Fully homomorphic encryption represents an important step forward in cryptography, offering unprecedented levels of privacy and data security. Its ability to perform computations on encrypted data without decryption has the potential to transform how we handle and use sensitive information in various domains, including healthcare, finance and national security. As FHE schemes continue to mature and practical applications emerge, this revolutionary technology is poised to play a critical role in defining the future of data security and privacy.
Gentry's work represented a breakthrough in the field of cryptography by presenting the first plausible scheme that supports arbitrary computations on encrypted data. This achievement has long been considered the Holy Grail of cryptography, due to its usefulness in multiple industries, from cloud computing to data mining. The original scheme was based on ideals and lacked efficient implementation. However, its central idea, i.e., the use of an SHE scheme capable of evaluating its own decryption circuit, was subsequently applied to other cryptographic systems, including LWE and AGCD, providing more efficient schemes. With the introduction of other important techniques, such as module and key switching, these systems have become increasingly efficient over time. The key advances in FHE cryptography can be summarized as follows:
● Development of FHE schemes based on cryptographic systems other than ideal ones: this has led to more efficient and practical schemes.
● Development of techniques to improve the efficiency of FHE schemes: such techniques include module and key switching and packing.
● Development of efficient implementations of FHE schemes: these implementations have made FHE schemes more accessible and usable.
Overall, advances in FHE have led to more efficient FHE schemes, which can be used in a wide range of applications, including:
● Healthcare data analytics: FHE can be used to perform complex analytics on sensitive healthcare data, such as medical images or genetic data, without compromising patient privacy.
● Financial data analysis: FHE can be used to perform complex financial analysis, such as risk assessment or price forecasting, without revealing sensitive customer or transaction information.
● Government data analysis: FHE can be used to perform analysis of sensitive government data, such as intelligence data or national security data, without compromising national security.
● Cloud computing: FHE can be used to allow cloud providers to process sensitive data securely, without having to decrypt it.
● Data mining: FHE can be used to perform data analysis on large datasets, without having to reveal sensitive information contained in the data.
Advances in the field have made FHE schemes a promising technology with significant potential to transform the way sensitive data is handled. As FHE schemes continue to improve, they are expected to have a significant impact on a wide range of scenarios.
Valentina Grazian: Investigation, Writing – original draft; Antonio Tortora and Maria Tota: Writing – review and editing.
The authors declare they have not used Artificial Intelligence (AI) tools in the creation of this article.
The authors are members of the National Group for Algebraic and Geometric Structures, and their Applications. They would like to thank the referees for their useful comments, and Prof. Carlo Blundo for the inspiring conversations and meaningful suggestions that enabled them to improve this work.
The authors declare no conflict of interest in this paper.
| [1] | Bradley C, Harrison J (2004) Descriptive epidemiology of traumatic fractures in Australia. INJCAT 57 ed. Adelaide: AIHW. |
| [2] | Henley G, Harrison JE (2017) Work-related hospitalised injury, Australia, 2006-07 to 2013-14. INJCAT 180 ed. Canberra: AIHW. |
| [3] | Bradley C, Harrison JE (2008) Hospital separations due to injury and poisoning, Australia 2004-05. INJCAT 117 ed. Canberra: AIHW. |
| [4] | Kreisfeld R, Harrison JE, Pointer S (2014) Australian sports injury hospitalisations 2011-12. INJCAT 168 ed. Canberra: AIHW. |
| [5] | Brinker MR, O'Connor DP (2004) The incidence of fractures and dislocations referred for orthopaedic services in a capitated population. J Bone Joint Surg Am 86-a: 290–297. |
| [6] |
Faergemann C, Frandsen PA, Rock ND (1998) Residual impairment after lower extremity fracture. J Trauma 45: 123–126. doi: 10.1097/00005373-199807000-00026
|
| [7] |
Pape HC, Probst C, Lohse R, et al. (2010) Predictors of late clinical outcome following orthopedic injuries after multiple trauma. J Trauma 69:1243–1251. doi: 10.1097/TA.0b013e3181ce1fa1
|
| [8] |
Bonafede M, Espindle D, Bower AG (2013) The direct and indirect costs of long bone fractures in a working age US population. J Med Econ 16:169–178. doi: 10.3111/13696998.2012.737391
|
| [9] | Caspersen CJ, Powell KE, Christenson GM (1985) Physical activity, exercise, and physical fitness: definitions and distinctions for health-related research. Public Health Rep 100:126–131. |
| [10] |
Tremblay MS, Aubert S, Barnes JD, et al. (2017) Sedentary Behavior Research Network (SBRN)-Terminology Consensus Project process and outcome. Int J Behav Nutr Phys Act 14: 75. doi: 10.1186/s12966-017-0525-8
|
| [11] |
Ekegren CL, Beck B, Climie RE, et al. (2018) Physical Activity and Sedentary Behavior Subsequent to Serious Orthopedic Injury: A Systematic Review. Arch Phys Med Rehabil 99: 164–177. doi: 10.1016/j.apmr.2017.05.014
|
| [12] |
Zusman EZ, Dawes MG, Edwards N, et al. (2018) A systematic review of evidence for older adults' sedentary behavior and physical activity after hip fracture. Clin Rehabil 32: 679–691. doi: 10.1177/0269215517741665
|
| [13] |
Owen N, Healy GN, Matthews CE, et al. (2010) Too Much Sitting: The Population-Health Science of Sedentary Behavior. Exerc Sport Sci Rev 38: 105–113. doi: 10.1097/JES.0b013e3181e373a2
|
| [14] |
Hamilton MT, Hamilton DG, Zderic TW (2007) Role of low energy expenditure and sitting in obesity, metabolic syndrome, type 2 diabetes, and cardiovascular disease. Diabetes 56: 2655–2667. doi: 10.2337/db07-0882
|
| [15] | Ferrando AA, Lane HW, Stuart CA, et al. (1996) Prolonged bed rest decreases skeletal muscle and whole body protein synthesis. Am J Physiol 270: E627–633. |
| [16] | Convertino VA (1997) Cardiovascular consequences of bed rest: effect on maximal oxygen uptake. Med Sci Sports Exerc 29: 191–196. |
| [17] |
Van der Wiel HE, Lips P, Nauta J, et al. (1994) Loss of bone in the proximal part of the femur following unstable fractures of the leg. J Bone Joint Surg Am 76: 230–236. doi: 10.2106/00004623-199402000-00009
|
| [18] |
van der Sluis CK, Eisma WH, Groothoff JW, et al. (1998) Long-term physical, psychological and social consequences of severe injuries. Injury 29: 281–285. doi: 10.1016/S0020-1383(98)80206-4
|
| [19] |
Beckenkamp PR, Lin CW, Engelen L, et al. (2016) Reduced Physical Activity in People Following Ankle Fractures: A Longitudinal Study. J Orthop Sports Phys Ther 46: 235–242. doi: 10.2519/jospt.2016.6297
|
| [20] |
Biswas A, Oh PI, Faulkner GE, et al. (2015) Sedentary Time and Its Association With Risk for Disease Incidence, Mortality, and Hospitalization in Adults: A Systematic Review and Meta-analysis. Ann Intern Med 162: 123–132. doi: 10.7326/M14-1651
|
| [21] | Ekelund U, Steene-Johannessen J, Brown WJ, et al. (2016) Does physical activity attenuate, or even eliminate, the detrimental association of sitting time with mortality? A harmonised meta-analysis of data from more than 1 million men and women. Lancet 388: 1302–1310. |
| [22] |
Stewart IJ, Sosnov JA, Howard JT, et al. (2015) Retrospective Analysis of Long Term Outcomes After Combat Injury: A Hidden Cost of War. Circulation 132: 2126–2133. doi: 10.1161/CIRCULATIONAHA.115.016950
|
| [23] |
Gabbe BJ, Simpson PM, Harrison JE, et al. (2016) Return to work and functional outcomes after major trauma: who recovers, when and how well? Ann Surg 263: 623–632. doi: 10.1097/SLA.0000000000001564
|
| [24] |
Hekler EB, Buman MP, Haskell WL, et al. (2012) Reliability and validity of CHAMPS self-reported sedentary-to-vigorous intensity physical activity in older adults. J Phys Act Health 9: 225–36. doi: 10.1123/jpah.9.2.225
|
| [25] | Veitch WG, Climie RED, Gabbe BJ, et al. (2018) Validation Of Two Physical Activity And Sedentary Behavior Questionnaires In Orthopedic Trauma Patients. Med Sci Sports Exerc 50: 711. |
| [26] | IPAQ Group, International Physical Activity Questionnaire. Secondary International Physical Activity Questionnaire, 2016. Available from: www.ipaq.ki.se |
| [27] |
Lyden K, Kozey Keadle SL, Staudenmayer JW, et al. (2012) Validity of two wearable monitors to estimate breaks from sedentary time. Med Sci Sports Exerc 44: 2243–2252. doi: 10.1249/MSS.0b013e318260c477
|
| [28] |
Harrington DM, Welk GJ, Donnelly AE (2011) Validation of MET estimates and step measurement using the ActivPAL physical activity logger. J Sports Sci 29: 627–633. doi: 10.1080/02640414.2010.549499
|
| [29] |
Treacy D, Hassett L, Schurr K, et al. (2017) Validity of Different Activity Monitors to Count Steps in an Inpatient Rehabilitation Setting. Phys Ther 97: 581–588. doi: 10.1093/ptj/pzx010
|
| [30] |
Ryan CG, Grant PM, Tigbe WW, et al. (2006) The validity and reliability of a novel activity monitor as a measure of walking. Br J Sports Med 40: 779–784. doi: 10.1136/bjsm.2006.027276
|
| [31] |
Sasaki JE, John D, Freedson PS (2011) Validation and comparison of ActiGraph activity monitors. J Sci Med Sport 14: 411–416. doi: 10.1016/j.jsams.2011.04.003
|
| [32] |
Winkler EA, Bodicoat DH, Healy GN, et al. (2016) Identifying adults' valid waking wear time by automated estimation in activPAL data collected with a 24 h wear protocol. Physiol Meas 37: 1653–1668. doi: 10.1088/0967-3334/37/10/1653
|
| [33] | Choi L, Liu Z, Matthews CE, et al. (2011) Validation of accelerometer wear and nonwear time classification algorithm. Med Sci Sports Exerc 43: 357–364. |
| [34] |
Edwardson CL, Winkler EAH, Bodicoat DH, et al. (2017) Considerations when using the activPAL monitor in field-based research with adult populations. J Sport Health Sci 6: 162–178. doi: 10.1016/j.jshs.2016.02.002
|
| [35] |
Ward DS, Evenson KR, Vaughn A, et al. (2005) Accelerometer use in physical activity: best practices and research recommendations. Med Sci Sports Exerc 37: S582–588. doi: 10.1249/01.mss.0000185292.71933.91
|
| [36] |
Freedson PS, Melanson E, Sirard J (1998) Calibration of the Computer Science and Applications, Inc. accelerometer. Med Sci Sports Exerc 30: 777–781. doi: 10.1097/00005768-199805000-00021
|
| [37] | WHO (1995) Physical status: the use and interpretation of anthropometry. Report of a WHO Expert Committee. World Health Organ Tech Rep Ser, 854, Geneva: World Health Organization, 1–452. |
| [38] |
Fleig L, McAllister MM, Brasher P, et al. (2016) Sedentary Behavior and Physical Activity Patterns in Older Adults After Hip Fracture: A Call to Action. J Aging Phys Act 24: 79–84. doi: 10.1123/japa.2015-0013
|
| [39] |
Ceroni D, Martin X, Lamah L, et al. (2012) Recovery of physical activity levels in adolescents after lower limb fractures: a longitudinal, accelerometry-based activity monitor study. BMC Musculoskel Dis 13: 131. doi: 10.1186/1471-2474-13-131
|
| [40] |
Resnick B, Galik E, Boltz M, et al. (2011) Physical Activity in the Post-Hip-Fracture Period. J Aging Phys Act 19: 373–387. doi: 10.1123/japa.19.4.373
|
| [41] | Hosmer JDW, Lemeshow S, Sturdivant RX (2013) Model-Building Strategies and Methods for Logistic Regression. Applied Logistic Regression: John Wiley & Sons, Inc., 89–151. |
| [42] | Portney LG, Watkins MP (2000) Foundations of Clinical Research: Applications to Practice. New Jersey: Prentice Hall Health. |
| [43] |
Friedrich JO, Adhikari NK, Beyene J (2012) Ratio of geometric means to analyze continuous outcomes in meta-analysis: comparison to mean differences and ratio of arithmetic means using empiric data and simulation. Stat Med 31: 1857–1886. doi: 10.1002/sim.4501
|
| [44] |
Austin PC, Steyerberg EW (2015) The number of subjects per variable required in linear regression analyses. J Clin Epidemiol 68: 627–636. doi: 10.1016/j.jclinepi.2014.12.014
|
| [45] |
Matthews CE, Chen KY, Freedson PS, et al. (2008) Amount of Time Spent in Sedentary Behaviors in the United States, 2003–2004. Am J Epidemiol 167: 875–881. doi: 10.1093/aje/kwm390
|
| [46] |
Dwyer T, Pezic A, Sun C, et al. (2015) Objectively Measured Daily Steps and Subsequent Long Term All-Cause Mortality: The Tasped Prospective Cohort Study. PLoS ONE 10: e0141274. doi: 10.1371/journal.pone.0141274
|
| [47] |
Troiano RP, Berrigan D, Dodd KW, et al. (2008) Physical Activity in the United States Measured by Accelerometer. Med Sci Sports Exerc 40: 181–188. doi: 10.1249/mss.0b013e31815a51b3
|
| [48] |
Davenport SJ, Arnold M, Hua C, et al. (2015) Physical Activity Levels During Acute Inpatient Admission After Hip Fracture are Very Low. Physiother Res Int 20: 174–181. doi: 10.1002/pri.1616
|
| [49] |
Bellettiere J, Winkler EAH, Chastin SFM, et al. (2017) Associations of sitting accumulation patterns with cardio-metabolic risk biomarkers in Australian adults. PLoS ONE 12: e0180119. doi: 10.1371/journal.pone.0180119
|
| [50] |
Dempsey PC, Larsen RN, Sethi P, et al. (2016) Benefits for Type 2 Diabetes of Interrupting Prolonged Sitting With Brief Bouts of Light Walking or Simple Resistance Activities. Diabetes Care 39: 964–972. doi: 10.2337/dc15-2336
|
| [51] |
Dunstan DW, Kingwell BA, Larsen R, et al. (2012) Breaking up prolonged sitting reduces postprandial glucose and insulin responses. Diabetes Care 35: 976–983. doi: 10.2337/dc11-1931
|
| [52] |
Harris TJ, Victor CR, Carey IM, et al. (2008) Less healthy, but more active: Opposing selection biases when recruiting older people to a physical activity study through primary care. BMC Public Health 8: 182. doi: 10.1186/1471-2458-8-182
|
 medsci-06-01-001-s001.pdf |
 |
Christina L. Ekegren, Rachel E. Climie, William G. Veitch, Neville Owen, David W. Dunstan, Lara A. Kimmel, Belinda J. Gabbe. Sedentary behaviour and physical activity patterns in adults with traumatic limb fracture[J]. AIMS Medical Science, 2019, 6(1): 1-12. doi: 10.3934/medsci.2019.1.1
DownLoad:
