### Institute of Mathematics, College of Science

### National Taiwan University Master's Thesis

Fully Homomorphic Encryption on LWR, MPLWE and MPLWR

Yi-Lin Hung (洪逸霖)

Advisor: Jiun-Ming Chen (陳君明), Ph.D.

July 2020 (Republic of China year 109)

**Acknowledgements**

After two years, I have finally completed this thesis. I would like to thank my advisor, Professor Jiun-Ming Chen, for the inspiration he gave me and for helping me with some of the difficult parts. I am also grateful to my classmates and to the teachers who taught me for providing an environment in which I could write this thesis. Thank you all very much.

### Abstract (Chinese)

We modify the fully homomorphic encryption scheme developed by Zvika Brakerski so that it relies on the hardness assumptions LWR and RLWR instead of the original LWE and RLWE assumptions. With a similar method we make homomorphic encryption possible under the MPLWR hardness assumption. Previously, Rosca proved the security of the MPLWE hardness assumption; we use a similar method to turn it into fully homomorphic encryption as well.

Keywords: LWR homomorphic encryption, ring LWR homomorphic encryption, middle-product LWE homomorphic encryption, middle-product LWR homomorphic encryption

**Abstract**

We modify the fully homomorphic encryption (FHE) scheme of Zvika Brakerski so that it rests on the hardness assumptions learning with rounding (LWR) and ring learning with rounding (RLWR) instead of learning with errors (LWE) and ring learning with errors (RLWE). We apply similar methods to the hardness assumption middle-product learning with rounding (MPLWR), i.e. we turn it into FHE. Recently, Rosca et al. proved the hardness assumption middle-product learning with errors (MPLWE); we also use "similar" Brakerski ideas to turn it into FHE.

**Keywords:** Learning with rounding FHE, Ring learning with rounding FHE, Middle product learning with error FHE, Middle product learning with rounding FHE

**Contents**

**Acknowledgements**

**Abstract (Chinese)**

**Abstract**

**Contents**

**Denotation**

**Chapter 1 Introduction**

1.1 Our result

1.2 Modular Switching

1.3 FHE Scheme

1.4 Compare to LWE (RLWE)

**Chapter 2 Preliminaries**

**Chapter 3 Our Construction**

3.1 Basic LWR (RLWR) encryption scheme

3.2 Basic MPLWE encryption scheme

3.3 Basic MPLWR encryption scheme

3.4 Key Switching for MPLWE and MPLWR based

3.5 Key Switching for LWR (RLWR) based

3.6 FHE scheme

**Chapter 4 Correctness**

4.1 Correctness of LWR (RLWR) scheme

4.2 Correctness of MPLWE (MPLWR) scheme

**Chapter 5 Optimization**

5.1 Bootstrapping and Batching

5.2 Public Key Compression for LWR

**Chapter 6 Zero knowledge proof**

**Chapter 7 Application**

**Chapter 8 Summary**

**Chapter 9 Future Work**

**References**

**Denotation**

FHE: Fully Homomorphic Encryption

MPC: Multiparty Computation

(R)LWE: (Ring) Learning with Errors

(R)LWR: (Ring) Learning with Rounding

MPLWE: Middle Product Learning with Errors

MPLWR: Middle Product Learning with Rounding

**Chapter 1 Introduction**

Fully Homomorphic Encryption (FHE) is a scheme which supports both additions and multiplications on ciphertexts. These properties can be used in cloud computing and multiparty computation (MPC) [2]. In 2009, Craig Gentry, using lattice-based cryptography, described the first fully homomorphic encryption scheme [4]. It starts from a somewhat homomorphic encryption scheme and uses Gentry's ideas to make it bootstrappable, i.e., capable of evaluating its own decryption circuit and then at least one more operation.

These schemes are the so-called first-generation FHE, i.e., a bootstrapped somewhat homomorphic encryption scheme.

In 2011, Zvika Brakerski, Craig Gentry and Vinod Vaikuntanathan published "Fully Homomorphic Encryption without Bootstrapping" [11], the representative of second-generation FHE. Second-generation FHE schemes all feature a much slower growth of the noise during homomorphic evaluation, and they are efficient enough for many applications even without invoking bootstrapping. The security of most of these second-generation schemes is based on the hardness of the LWE (RLWE) problem [10]; however, the LWR (RLWR) variant [7] has not been used in second-generation schemes. So, we plan to change the scheme to rest on the hardness assumption LWR (RLWR).

**1.1 Our result**

The LWE version has the form $b = A' s' + 2e$, where $b, A'$ are known, $s'$ is the secret key and $e \in \{0, 1\}$ is the error term. We have to sample $e$ at random to keep it secret.

We think the error term can be dropped and instead be determined by $A, s$ in an LWR-based scheme, which is often the advantage of LWR. The LWR-based encryption has the basic form $b = \lceil \tfrac{1}{2} A s \rfloor$.

We think the key point in turning the encryption into fully homomorphic encryption is to double the error term (the error term is $\lceil \tfrac{1}{2} A s \rfloor - \tfrac{1}{2} A s$). It is finally removed by the modular reduction in the decryption process.

In Chapter 3, we also describe MPLWE and MPLWR, which were published in 2017 and 2019. We use our idea to make MPLWR into FHE and use "similar" Brakerski ideas to make MPLWE into FHE. That is, we introduce a new inner product compatible with MPLWE and MPLWR and use Brakerski's ideas to make them into FHE.

**1.2 Modular Switching**

We use the methods described in [11] and adapt them to our new inner product $\langle \cdot, \cdot \rangle^{\odot}$, since the product used in MPLWE and MPLWR is not the standard matrix product; those works introduced the "middle product" instead. Our work in the modulus switching step is to make sure that the method described in [11] still works, which means that we can use the same methods to make these schemes into FHE. To keep our proofs clear, the definition of the inner product we use becomes rather involved, but we only want to prove the properties stated in [11].

**1.3 FHE Scheme**

Since the key switching step looks the same for our LWR (RLWR), MPLWE and MPLWR schemes, the FHE scheme looks the same as well. Actually, the LWR (RLWR) scheme is the same as [11], since it is an equivalent modification of the original LWE version, while the MPLWE and MPLWR schemes should look different, i.e. one should read Section 3.4 to see what has to be done for MPLWE and MPLWR.

**1.4 Compare to LWE (RLWE)**

We can use the hardness assumptions LWR (RLWR), MPLWE and MPLWR, which are usually thought to be harder than the LWE hardness assumption. In [8], it is proved that the worst case of LWR (RLWR) is harder than the average case of LWE (RLWE). In [9], it is proved that MPLWE is harder than polynomial LWE problems, and in [10], it is proved that MPLWR is harder than polynomial LWR problems. For LWR- and MPLWR-based encryption, we expand the public key size to trade off the error generation.

**Chapter 2 Preliminaries**

**Definition 1. (LWE)**

For security parameter $\lambda$, let $n = n(\lambda)$ be an integer dimension, let $q = q(\lambda) \ge 2$ be an integer, and let $\chi = \chi(\lambda)$ be a distribution over $\mathbb{Z}$. The $\mathrm{LWE}_{n,q,\chi}$ problem is to distinguish the following two distributions: In the first distribution, one samples $(a_i, b_i)$ uniformly from $\mathbb{Z}_q^{n+1}$. In the second distribution, one first draws $s \leftarrow \mathbb{Z}_q^n$ uniformly and then samples $(a_i, b_i) \in \mathbb{Z}_q^{n+1}$ by sampling $a_i \leftarrow \mathbb{Z}_q^n$ uniformly, $e_i \leftarrow \chi$, and setting $b_i = \langle a_i, s \rangle + e_i$. The $\mathrm{LWE}_{n,q,\chi}$ assumption is that the $\mathrm{LWE}_{n,q,\chi}$ problem is infeasible.

**Definition 2. (LWR)**

For security parameter $\lambda$, let $n = n(\lambda)$ be an integer dimension, let $q = q(\lambda) \ge 2$ be an integer and $p = p(\lambda) < q$, and let $\chi = \chi(\lambda)$ be a distribution over $\mathbb{Z}$. The $\mathrm{LWR}_{n,q,\chi}$ problem is to distinguish the following two distributions: In the first distribution, one samples $(a_i, b_i)$ uniformly from $\mathbb{Z}_q^{n+1}$. In the second distribution, one first draws $s \leftarrow \mathbb{Z}_q^n$ uniformly and then samples $(a_i, b_i) \in \mathbb{Z}_q^{n+1}$ by sampling $a_i \leftarrow \mathbb{Z}_q^n$ uniformly and setting $b_i = \lceil \tfrac{p}{q} \cdot \langle a_i, s \rangle \rfloor$. The $\mathrm{LWR}_{n,q,\chi}$ assumption is that the $\mathrm{LWR}_{n,q,\chi}$ problem is infeasible.

**Definition 3.** Let $d_a, d_b, d, k$ be integers such that $d_a + d_b - 1 = d + 2k$. The middle product $\odot_d : R^{<d_a}[x] \times R^{<d_b}[x] \to R^{<d}[x]$ is the map

$$(a, b) \mapsto a \odot_d b = \left\lfloor \frac{(a \cdot b) \bmod x^{k+d}}{x^k} \right\rfloor$$

We use the same notation $\odot_d$ for every $d_a, d_b$ such that $d_a + d_b - 1 - d$ is non-negative and even.
**Definition 4. (modular rounding function)**

Let $p$ and $q$ be integers both larger than 1. A modular rounding function $\lfloor \cdot \rceil_p : \mathbb{Z}_q \to \mathbb{Z}_p$ is defined as $\lfloor x \rceil_p = \lfloor \tfrac{p}{q} \cdot x \rceil \bmod p$. The rounding function extends component-wise to vectors over $\mathbb{Z}_q$ and coefficient-wise to polynomials in $\mathbb{Z}_q[x]$. Note that we use the same notation as Banerjee et al. [1] for the sake of coherence. It is also possible to use the floor rounding function $\lfloor \cdot \rfloor$, where each element is rounded down to the next smaller integer, as for instance done by Chen et al. [8].

**Definition 5. (MP distribution)**

Let $n, d > 0$, $q \ge 2$, and $\chi$ a distribution over $R^{<d}[x]$. For $s \in \mathbb{Z}_q^{<n+d-1}[x]$, we define the distribution $\mathrm{MP}_{q,n,d,\chi}(s)$ over $\mathbb{Z}_q^{<n}[x] \times R_q^{<d}[x]$ as the one obtained by sampling $a \leftarrow U(\mathbb{Z}_q^{<n}[x])$, $e \leftarrow \chi$ and returning $(a, b = a \odot_d s + e)$.
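The middle product of Definition 3 and one MP sample of Definition 5, as an added Python example that is not code from the thesis. Polynomials are plain coefficient lists (index $i$ holds the coefficient of $x^i$); the operands, the error vector and the modulus $q = 7$ below are constructed for illustration only.

```python
def middle_product(a, b, d):
    """a ⊙_d b for polynomials given as coefficient lists (a[i] is the coefficient of x^i).

    With d_a = len(a), d_b = len(b) and d_a + d_b - 1 = d + 2k (Definition 3), the result
    is ⌊((a·b) mod x^{k+d}) / x^k⌋: the d coefficients of the full product a·b that sit in
    the middle, from x^k up to x^{k+d-1}, after dropping the k lowest and k highest ones.
    """
    d_a, d_b = len(a), len(b)
    excess = d_a + d_b - 1 - d
    if excess < 0 or excess % 2:
        raise ValueError("need d_a + d_b - 1 - d to be non-negative and even")
    k = excess // 2
    full = [0] * (d_a + d_b - 1)                 # ordinary polynomial product a·b
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            full[i + j] += ai * bj
    return full[k:k + d]


def mp_sample(a, s, e, d, q):
    """One MP_{q,n,d,χ}(s) sample of Definition 5: (a, b = a ⊙_d s + e mod q).

    For a of degree < n and s of degree < n + d - 1 the excess is 2(n - 1), so k = n - 1
    and b has exactly d coefficients, as the definition requires.
    """
    b = [(p + ei) % q for p, ei in zip(middle_product(a, s, d), e)]
    return a, b


# Constructed example: a = 1 + 2x, s = 3 + x^2 + 4x^3, so a·s = 3 + 6x + x^2 + 6x^3 + 8x^4.
A_EX, S_EX = [1, 2], [3, 0, 1, 4]
MID_EX = middle_product(A_EX, S_EX, 3)                # k = 1: [6, 1, 6]
SAMPLE_EX = mp_sample(A_EX, S_EX, [1, 0, -1], 3, 7)   # ([1, 2], [0, 1, 5])
```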

**Definition 6. (MP-LWE)**

Let $n, d > 0$, $q \ge 2$, and $\chi$ a distribution over $R^{<d}[x]$. The (decision) $\mathrm{MP\text{-}LWE}_{n,d,q,\chi}$ problem consists in distinguishing between arbitrarily many samples from $\mathrm{MP}_{q,n,d,\chi}(s)$ and the same number of samples from $U(\mathbb{Z}_q^{<n}[x] \times R_q^{<d}[x])$, with non-negligible probability over the choice of $s \leftarrow U(\mathbb{Z}_q^{<n+d-1}[x])$.

**Definition 7. (MP-CLWR assumption)**

Let $d, n, p, q$ and $t$ be positive integers fulfilling $0 < d \le n$ and $q \ge p \ge 2$. Choose $s$ uniformly at random over $(\mathbb{Z}_q^{<n+d-1}[x])^{\times}$. Denote by $\chi_s$ the distribution of $(a, \lfloor a \odot_d s \rceil_p)$, where $a \leftarrow U(\mathbb{Z}_q^{<n}[x])$, and denote by $\mathcal{U}$ the distribution of $(a, \lfloor b \rceil_p)$, where $a \leftarrow U(\mathbb{Z}_q^{<n}[x])$ and $b \leftarrow U(\mathbb{Z}_q^{<d}[x])$. For $i \in \{1, 2\}$ define the input for $S_i$ as $(\mathrm{var}_i, \mathrm{con})$, where $\mathrm{var}_1$ denotes the distribution $\chi_s^t$, $\mathrm{var}_2$ the distribution $\mathcal{U}^t$, and $\mathrm{con}$ is an arbitrary distribution over $\{0, 1\}^{*}$ which is independent of $\mathrm{var}_1$ and $\mathrm{var}_2$. For a fixed challenger $C$ let $P_{C,A}$ be the probability for an adversary $A$ to win $\mathrm{Exp}_1(C, A, S_1)$, and $Q_{C,A}$ that for $A$ to win $\mathrm{Exp}_2(C, A, S_2)$.

**Definition 8.** Let $l, r_a, r_b$ be integers. The middle inner product $\langle a, b \rangle^{\odot_d}_{(l, r_a, r_b)} : R^{l + <d_a}[x] \times R^{l + <d_b}[x] \to R^{l + <d}[x]$ is the function in which $a$ and $b$ take the standard inner product over their first $l$ entries, while the remainders take the middle product, each of the $r_a$ rows of the remainder of $a$ being multiplied with each of the $r_b$ rows of the remainder of $b$.

(Layout of the operands: $a = (\, l \text{ entries} \mid r_{a1} \mid \cdots \,)$, $b = (\, l \text{ entries} \mid r_{b1} \mid \cdots \,)$. The first $l$ entries compute the standard inner product, to which $r_{a1} \odot_d r_{b1} + \cdots + r_{ak} \odot_d r_{bk}$ is added, where $l = k \times h$.)

Notice that we use the notation $\langle a, b \rangle^{\odot_d}$ to denote $\langle a, b \rangle^{\odot_d}_{(d,\, t,\, <n+d+k-1)}$.

**Chapter 3 Our Construction**

We describe each basic encryption scheme in Sections 3.1 to 3.3 and the key switching for each scheme in Sections 3.4 and 3.5. In Section 3.6 we lay out our FHE scheme for each encryption scheme.

**3.1 Basic LWR (RLWR) encryption scheme**

In this section, our encryption scheme does not need to generate error terms; we rely on the hardness of LWR (RLWR) instead. Basic encryption scheme:

• E.Setup: Choose $d = d(\lambda, \mu, b)$, $n = n(\lambda, \mu, b)$, $\chi = \chi(\lambda, \mu, b)$, $N = \lceil (2n + 3) \log q \rfloor$, the same as in the [11] scheme. And let $R = \mathbb{Z}[x]/(x^d + 1)$.

• E.SecretKeyGen: $s' \leftarrow \chi^n$. $\mathrm{sk} = s = (1, s'[1], s'[2], \dots, s'[n])$, $s \in R_q^{n+1}$.

• E.PublicKeyGen: Generate a matrix $A' \in R_q^{N \times n}$ and set $b = 2^2 \times \lceil \tfrac{1}{2} A' s' \rfloor - (2 - 1) A' s' \in R_q^N$. Set $A = [\, b \mid -A' \,]$, and notice that

$$\langle A, s \rangle = 2^2 \left( \lceil \tfrac{1}{2} A' s' \rfloor - \tfrac{1}{2} A' s' \right)$$

• E.Encryption: To encrypt a message $m \in R_2$. Set $m = (m, 0, \dots, 0) \in R_2^{n+1}$,

**3.2 Basic MPLWE encryption scheme**

In this section, we adjust the encryption scheme described in [9] to be compatible with our homomorphic encryption scheme. Let $\chi = \lfloor D_{\alpha q} \rceil$ denote the distribution over $\mathbb{Z}^{<d+k}[x]$ where each coefficient is sampled from $D_{\alpha \cdot q}$ and then rounded to the nearest integer. And let $t \ge 2$.

• E.KeyGen: Sample $s' \leftarrow U(\mathbb{Z}_q^{<n+d+k-1}[x])$. For every $i \le t$, sample $a'_i \leftarrow U(\mathbb{Z}_q^{<n}[x])$, $e_i \leftarrow \chi$ and compute $b_i = a'_i \odot_{d+k} s' + 2 e_i \in \mathbb{Z}_q^{<d+k}[x]$. The secret key is $\mathrm{sk} = s = (1, s') \in \mathbb{Z}_q^{<n+2d+k-1}[x]$ and the public key is $\mathrm{pk} = (a'_i, b_i)_{i \le t}$. Set $A = [\, b \mid -A' \,]$.

• E.Encryption: To encrypt a message $m \in \{0, 1\}^{<d}[x]$. Set $m = (m, 0, \dots, 0) \in \mathbb{Z}^{<d+t}[x]$, sample $r_i \leftarrow U(\{0, 1\}^{k+1}[x])$ and output the ciphertext $c = m + A^T \odot_d r$.

• E.Decryption: Output $m = \langle c, s \rangle^{\odot_d}_q \bmod 2$.

**3.3 Basic MPLWR encryption scheme**

In this section, we lay out our MPLWR encryption scheme, with the hardness assumption described in [10]. Let $\chi = \lfloor D_{\alpha q} \rceil$ denote the distribution over $\mathbb{Z}^{<d+k}[x]$ where each coefficient is sampled from $D_{\alpha \cdot q}$ and then rounded to the nearest integer. And let $t \ge 3$.

• E.KeyGen: Sample $s' \leftarrow U(\mathbb{Z}_q^{<n+d+k-1}[x])$. For every $i \le t$, sample $a'_i \leftarrow U(\mathbb{Z}_q^{<n}[x])$, $e_i \leftarrow \chi$ and compute $b_i = 4 \lceil a'_i \odot_{d+k} s' \rfloor_2 - a'_i \odot_{d+k} s' \in \mathbb{Z}_q^{<d+k}[x]$. The secret key is $\mathrm{sk} = s = (1, s') \in \mathbb{Z}_q^{<n+2d+k-1}[x]$ and the public key is $\mathrm{pk} = (a'_i, b_i)_{i \le t}$. Set $A = [\, b \mid -A' \,]$.

• E.Encryption: To encrypt a message $m \in \{0, 1\}^{<d}[x]$. Set $m = (m, 0, \dots, 0) \in \mathbb{Z}^{<d+t}[x]$, sample $r_i \leftarrow U(\{0, 1\}^{k+1}[x])$ and output the ciphertext $c = m + A^T \odot_d r$.

• E.Decryption: Output $m = \langle c, s \rangle^{\odot_d}_q \bmod 2$.

**3.4 Key Switching for MPLWE and MPLWR based**

FHE is a scheme which supports both additions and multiplications on ciphertexts. The addition property obviously needs hardly any extra support, so we focus on how to satisfy the multiplication property. The Kronecker product is a heuristic way to do so in our scheme. That is, to compute $m_1 \times m_2$, we compute $\langle c_1 \otimes c_2, s \otimes s \rangle$. However, if the multiplication depth is too large, the noise becomes huge. In [11], the solution is the key switching method, which refreshes the ciphertexts back to a fixed length. That method is evidently compatible with our LWR (RLWR) scheme, and our work is to prove that it can also be made compatible with the MPLWE and MPLWR schemes. We use the notation of [11].

• BitDecomp($x \in \mathbb{Z}_q^n[x]$, $q$) decomposes $x$ into its bit representation for each entry. Namely, write $x = \sum_{j=0}^{\lceil \log q \rfloor} 2^j \cdot u_j$, where all of the $u_j \in \{0, 1\}^n[x]$, and output $(u_0, \dots, u_{\lceil \log q \rfloor}) \in \mathbb{Z}_2^{\lceil \log q \rfloor \times n}[x]$.

• Powerof2($x \in \mathbb{Z}_q^m[x]$, $q$): Output $(x, 2 \cdot x, \dots, 2^{\lceil \log q \rfloor} \cdot x) \in \mathbb{Z}_q^{\lceil \log q \rfloor \times m}[x]$.

**Lemma 1.** We have $\langle \mathrm{BitDecomp}(c, q), \mathrm{Powerof2}(s, q) \rangle^{\odot_d}_{(\lceil \log q \rfloor,\, t,\, n+d+k-1)} = \langle c, s \rangle^{\odot_d} \bmod q$ for vectors $c \in \mathbb{Z}_q^{d+t}$, $s \in \mathbb{Z}_q^{n+2d+k-1}$.

tations then it is correct. Hence

$$\langle c, s \rangle^{\odot_d} = \Big\langle \sum_{j=0}^{\lceil \log q \rfloor} 2^j \cdot u_j,\; s \Big\rangle^{\odot_d} = \sum_{j=0}^{\lceil \log q \rfloor} \langle 2^j \cdot u_j, s \rangle^{\odot_d} = \sum_{j=0}^{\lceil \log q \rfloor} \langle u_j, 2^j \cdot s \rangle^{\odot_d} = \langle \mathrm{BitDecomp}(c, q), \mathrm{Powerof2}(s, q) \rangle^{\odot_d}_{(\lceil \log q \rfloor,\, t,\, n+d+k-1)}$$

By the proof of our main lemma we can now introduce how to refresh the ciphertexts to a fixed length.

SwitchKeyGen($s_1 \in \mathbb{Z}_q^{n_1}[x]$, $s_2 \in \mathbb{Z}_q^{n_2}[x]$):

1. Run $A \leftarrow \mathrm{E.PublicKeyGen}(s_2, N)$ for $N = n_1 \cdot \lceil \log q \rfloor$.

2. Set $B \leftarrow A + \mathrm{Powerof2}(s_1)$ (add it to $A$'s first column). Output $\tau_{s_1 \to s_2} = B$.

SwitchKey($\tau_{s_1 \to s_2}$, $c_1$): Output $c_2 = \mathrm{BitDecomp}(c_1)^T \odot_d B \in \mathbb{Z}_q^{n_2}[x]$.

**Lemma 2.** Let $s_1, s_2, q, n_1, n_2, A, B = \tau_{s_1 \to s_2}$ be as in SwitchKeyGen($s_1$, $s_2$), and let $A \odot_d s_2 = 2 e_2 \in \mathbb{Z}_q^{n_2}[x]$ (for MPLWR we have $A \odot_d s_2 = 2 \left( 2 \lceil a'_i \odot_d s'_i \rfloor_2 - a'_i \odot_d s'_i \right)$). Let $c_1 \in \mathbb{Z}_q^{n_1}[x]$ and $c_2 \leftarrow \mathrm{SwitchKey}(\tau_{s_1 \to s_2}, c_1)$. Then,

$$\langle c_2, s_2 \rangle^{\odot_d} = 2 \langle \mathrm{BitDecomp}(c_1), e_2 \rangle^{\odot_d}_{(\lceil \log q \rfloor,\, n_1 - d,\, n_2 - d)} + \langle c_1, s_1 \rangle^{\odot_d}$$

*Proof.*

$$\begin{aligned}
\langle c_2, s_2 \rangle &= \mathrm{BitDecomp}(c_1) \odot_d B \odot_d s_2 \\
&= \mathrm{BitDecomp}(c_1) \odot_d \left( 2 e_2 + \mathrm{Powerof2}(s_1) \right) \\
&= 2 \langle \mathrm{BitDecomp}(c_1), e_2 \rangle^{\odot_d}_{(\lceil \log q \rfloor,\, n_1 - d,\, n_2 - d)} + \langle \mathrm{BitDecomp}(c_1), \mathrm{Powerof2}(s_1) \rangle^{\odot_d}_{(\lceil \log q \rfloor,\, n_1 - d,\, n_2 - d)} \\
&= 2 \langle \mathrm{BitDecomp}(c_1), e_2 \rangle^{\odot_d}_{(\lceil \log q \rfloor,\, n_1 - d,\, n_2 - d)} + \langle c_1, s_1 \rangle^{\odot_d}
\end{aligned}$$

**3.5 Key Switching for LWR (RLWR) based**

In this section we provide the LWR (RLWR) based key switching. Since it is an equivalent modification of the LWE (RLWE) based one, it looks very similar. We use the notation of [11].

• BitDecomp($x \in R_q^n$, $q$) decomposes $x$ into its bit representation for each entry. Namely, write $x = \sum_{j=0}^{\lceil \log q \rfloor} 2^j \cdot u_j$, where all of the $u_j \in R_2^n$, and output $(u_0, \dots, u_{\lceil \log q \rfloor}) \in R_2^{\lceil \log q \rfloor \times n}$.

• Powerof2($x \in R_q^m$, $q$): Output $(x, 2 \cdot x, \dots, 2^{\lceil \log q \rfloor} \cdot x) \in R_q^{\lceil \log q \rfloor \times m}$.

**Lemma 3.** $\langle \mathrm{BitDecomp}(c, q), \mathrm{Powerof2}(s, q) \rangle = \langle c, s \rangle \bmod q$.

*Proof.*

$$\langle c, s \rangle = \Big\langle \sum_{j=0}^{\lceil \log q \rfloor} 2^j \cdot u_j,\; s \Big\rangle = \sum_{j=0}^{\lceil \log q \rfloor} \langle 2^j \cdot u_j, s \rangle = \sum_{j=0}^{\lceil \log q \rfloor} \langle u_j, 2^j \cdot s \rangle = \langle \mathrm{BitDecomp}(c, q), \mathrm{Powerof2}(s, q) \rangle$$

And hence we have

SwitchKeyGen($s_1 \in R_q^{n_1}$, $s_2 \in R_q^{n_2}$):

1. Run $A \leftarrow \mathrm{E.PublicKeyGen}(s_2, N)$ for $N = n_1 \cdot \lceil \log q \rfloor$.

2. Set $B \leftarrow A + \mathrm{Powerof2}(s_1)$ (add it to $A$'s first column). Output $\tau_{s_1 \to s_2} = B$.

SwitchKey($\tau_{s_1 \to s_2}$, $c_1$): Output $c_2 = \mathrm{BitDecomp}(c_1)^T \cdot B \in R_q^{n_2}$.

**Lemma 4.** Let $s_1, s_2, q, n_1, n_2, A, B = \tau_{s_1 \to s_2}$ be as in SwitchKeyGen($s_1$, $s_2$), and let $A \cdot s_2 = 2^2 \left( \lceil \tfrac{1}{2} A' s' \rfloor - \tfrac{1}{2} A' s' \right) \in R_q^N$. Let $c_1 \in R_q^{n_1}$ and $c_2 \leftarrow \mathrm{SwitchKey}(\tau_{s_1 \to s_2}, c_1)$. Then,

$$\langle c_2, s_2 \rangle = 2 \left\langle \mathrm{BitDecomp}(c_1),\; 2 \left( \lceil \tfrac{1}{2} A' s' \rfloor - \tfrac{1}{2} A' s' \right) \right\rangle + \langle c_1, s_1 \rangle \bmod q$$

*Proof.*

$$\begin{aligned}
\langle c_2, s_2 \rangle &= \mathrm{BitDecomp}(c_1)^T \cdot B \cdot s_2 \\
&= \mathrm{BitDecomp}(c_1)^T \cdot \left( 2^2 \left( \lceil \tfrac{1}{2} A' s' \rfloor - \tfrac{1}{2} A' s' \right) + \mathrm{Powerof2}(s_1) \right) \\
&= 2 \left\langle \mathrm{BitDecomp}(c_1),\; 2 \left( \lceil \tfrac{1}{2} A' s' \rfloor - \tfrac{1}{2} A' s' \right) \right\rangle + \langle \mathrm{BitDecomp}(c_1), \mathrm{Powerof2}(s_1) \rangle \\
&= 2 \left\langle \mathrm{BitDecomp}(c_1),\; 2 \left( \lceil \tfrac{1}{2} A' s' \rfloor - \tfrac{1}{2} A' s' \right) \right\rangle + \langle c_1, s_1 \rangle
\end{aligned}$$

**3.6 FHE scheme**

The previous lemmas make our schemes compatible with the [11] scheme. In this section, we present our scheme, modified from [11]. (Notation: $L_c(x) = \langle c, x \rangle^{\odot}_q$ is a ciphertext-dependent linear equation over the coefficients of $x$, and $L^{\mathrm{long}}_{c_1, c_2}(x \otimes x)$ is a linear equation over the coefficients of $x \otimes x$.)

• FHE.KeyGen. For $j = L \to 0$ do:

1. Generate $s_j$ and $A_j$ for each encryption scheme.

2. Set $s'_j = s_j \otimes s_j$ (Kronecker tensor here).

3. Set $s''_j = \mathrm{BitDecomp}(s'_j, q_j)$.

4. Run $\tau_{s''_j \to s_{j-1}} = \mathrm{SwitchKeyGen}(s''_j, s_{j-1})$ (omit this step at the beginning, i.e. $j = L$).

• FHE.Enc. Use the basic encryption scheme to encrypt messages.

• FHE.Dec. Suppose the ciphertext is under key $s_j$. Decrypt the message under key $s_j$ with E.Decryption.

• FHE.Add. Take two ciphertexts encrypted under key $s_j$ (if not, do FHE.Refresh so that both are encrypted under the same key $s_j$). Set $c_3 = c_1 + c_2 \bmod q_j$. (In [11], the ciphertext size is expanded to make it indistinguishable from FHE.Mult.) Hence we interpret $c_3$

• FHE.Mult. Take two ciphertexts encrypted under key $s_j$ (if not, do FHE.Refresh so that both are encrypted under the same key $s_j$). The new ciphertext is the Kronecker tensor of the two ciphertexts, with key $s'_j = s_j \otimes s_j$, stored as a single line, i.e. $c_3 = L^{\mathrm{long}}_{c_1, c_2}(x \otimes x)$, and output $c_4 = \mathrm{FHE.Refresh}(c_3, \tau_{s''_j \to s_{j-1}}, q_j, q_{j-1})$.

• FHE.Refresh. Takes a ciphertext encrypted under $s'_j$, the auxiliary information $\tau_{s''_j \to s_{j-1}}$ to facilitate key switching, and the current and next moduli $q_j$ and $q_{j-1}$. Do the following:

1. Expand: Set $c_1 = \mathrm{Powerof2}(c, q_j)$.

2. Switch Moduli: Set $c_2 = \mathrm{Scale}(c_1, q_j, q_{j-1}, 2)$, a ciphertext under the key $s''_j$ for modulus $q_{j-1}$.

3. Switch Keys: Output $c_3 = \mathrm{SwitchKey}(\tau_{s''_j \to s_{j-1}}, c_2, q_{j-1})$, a ciphertext under the key $s_{j-1}$ for modulus $q_{j-1}$.

Since we have expressed our notation compatibly with [11], the scheme may look similar to theirs. But it actually does different things in the MPLWE and MPLWR schemes. For the LWR (RLWR) scheme, it can be seen as an equivalent modification of the LWE (RLWE) scheme; hence we can use the initial LWE (RLWE) scheme to make it into FHE. Since it looks almost the same, we do not emphasize it in particular.

**Chapter 4 Correctness**

**4.1 Correctness of LWR (RLWR) scheme**

**Lemma 5 (Correctness).** Let $c, A, r$ be as described in the encryption scheme of LWR (RLWR); then we can decrypt the message $m \in \{0, 1\}$ using the secret key $s$.

*Proof.*

$$\begin{aligned}
m &= \langle c, s \rangle_q \bmod 2 = \langle m + A^T r, s \rangle = \langle m, s \rangle + \langle A^T r, s \rangle \\
&= m + 2 \times 2 \times \left( \lceil \tfrac{1}{2} A' s' \rfloor - \tfrac{1}{2} A' s' \right) \cdot r \bmod 2 \\
&= m
\end{aligned}$$

**Lemma 6 (homomorphic properties).** Let $c_1, c_2$ be two different messages encrypted by $s$ and $A, r$ be as described in the encryption scheme of LWR (RLWR); then we can decrypt the messages $m_1 + m_2$ and $m_1 \times m_2$ using the secret key $s$.

*Proof.*

$$\begin{aligned}
m_1 \times m_2 &= \langle c_1 \otimes c_2, s \otimes s \rangle = \langle (m_1 + A^T r_1) \otimes (m_2 + A^T r_2), s \otimes s \rangle \\
&= \langle m_1 \otimes m_2, s \otimes s \rangle + \langle A^T r_1 \otimes m_2, s \otimes s \rangle + \langle m_1 \otimes A^T r_2, s \otimes s \rangle + \langle A^T r_1 \otimes A^T r_2, s \otimes s \rangle \\
&= m_1 \times m_2
\end{aligned}$$
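A runnable toy version of the LWR-based scheme of Section 3.1 and its key switching from Section 3.5, exercising the identities of Lemmas 3 to 6. This is an added example and not code from the thesis; it assumes the ciphertext form $c = m + A^T r$ with $r \leftarrow \{0,1\}^N$ used in the proof of Lemma 5, toy parameters $n = 8$, $N = 64$, $q = 1000003$ chosen only so that the noise bounds in the comments hold (nothing here is secure), and BitDecomp/Powerof2 indexed by the bit length of $q$ in place of $\lceil \log q \rfloor$.

```python
import random

# Toy parameters, constructed for illustration only (far too small to be secure):
# secret dimension n, number of public-key rows N, and an odd prime modulus q.
N_DIM, N_ROWS, Q = 8, 64, 1_000_003

def round_half(y):
    """⌈y/2⌋: the nearest integer to y/2, halves rounded up (the LWR rounding step)."""
    return (y + 1) // 2

def inner(u, v, q):
    """⟨u, v⟩ reduced to its representative in [0, q)."""
    return sum(x * y for x, y in zip(u, v)) % q

def secret_key_gen(n, rng):
    """sk = s = (1, s'), with s' drawn from a small distribution χ, here {-1, 0, 1}^n."""
    return [1] + [rng.choice((-1, 0, 1)) for _ in range(n)]

def public_key_gen(s, n_rows, q, rng):
    """A = [b | -A'] with b = 4·⌈A's'/2⌋ - A's' (mod q), so each row has ⟨A_i, s⟩ = 2e_i
    with e_i ∈ {0, 1}.  No error is sampled: the even noise comes from rounding alone."""
    s_prime = s[1:]
    rows = []
    for _ in range(n_rows):
        a_row = [rng.randrange(q) for _ in s_prime]
        y = inner(a_row, s_prime, q)                          # A's' as an element of Z_q
        rows.append([(4 * round_half(y) - y) % q] + [(-a) % q for a in a_row])
    return rows

def encrypt(A, m, q, rng):
    """c = m + A^T r with r ← {0,1}^N, the form used in the proof of Lemma 5."""
    c = [m % 2] + [0] * (len(A[0]) - 1)
    for a_row in A:
        if rng.randrange(2):
            c = [(ci + ai) % q for ci, ai in zip(c, a_row)]
    return c

def decrypt(c, s, q):
    """m = (⟨c, s⟩ mod q) mod 2; correct while m + 2·Σ r_i e_i < q (no wrap-around)."""
    return inner(c, s, q) % 2

def tensor(u, v, q):
    """Kronecker product u ⊗ v, so that ⟨c1 ⊗ c2, s ⊗ s⟩ = ⟨c1, s⟩·⟨c2, s⟩ (Lemma 6)."""
    return [(x * y) % q for x in u for y in v]

def bit_decomp(x, q):
    """BitDecomp(x, q): bit vectors u_0..u_{L-1} with x = Σ 2^j u_j, L = bit length of q."""
    return [[(xi >> j) & 1 for xi in x] for j in range(q.bit_length())]

def power_of_2(x, q):
    """Powerof2(x, q): (x, 2x, ..., 2^{L-1} x) mod q; pairs with bit_decomp by Lemma 3."""
    return [[(xi << j) % q for xi in x] for j in range(q.bit_length())]

def flatten(rows):
    return [v for row in rows for v in row]

def switch_key_gen(s1, s2, q, rng):
    """τ_{s1→s2} = B: public-key rows for s2 (B_k·s2 = 2e_k) with Powerof2(s1) added to
    the first column, as in SwitchKeyGen of Section 3.5."""
    B = public_key_gen(s2, len(s1) * q.bit_length(), q, rng)
    for k, p in enumerate(flatten(power_of_2(s1, q))):
        B[k][0] = (B[k][0] + p) % q
    return B

def switch_key(tau, c1, q):
    """c2 = BitDecomp(c1)^T · B; by Lemma 4, ⟨c2, s2⟩ = 2·(small even noise) + ⟨c1, s1⟩."""
    bits = flatten(bit_decomp(c1, q))
    return [sum(b * row[j] for b, row in zip(bits, tau)) % q for j in range(len(tau[0]))]

def demo(seed=1):
    """Return (decrypt_ok, add_ok, mult_ok, switch_ok) over all four message pairs."""
    rng = random.Random(seed)
    s = secret_key_gen(N_DIM, rng)
    A = public_key_gen(s, N_ROWS, Q, rng)
    assert all(inner(row, s, Q) in (0, 2) for row in A)   # the rounding noise is even
    s_new = secret_key_gen(N_DIM, rng)                     # target key of the key switch
    tau = switch_key_gen(tensor(s, s, Q), s_new, Q, rng)  # switches from s ⊗ s to s_new
    ok = [True] * 4
    for m1 in (0, 1):
        for m2 in (0, 1):
            c1, c2 = encrypt(A, m1, Q, rng), encrypt(A, m2, Q, rng)
            c_mul = tensor(c1, c2, Q)                      # ciphertext under s ⊗ s
            ok[0] &= decrypt(c1, s, Q) == m1 and decrypt(c2, s, Q) == m2
            ok[1] &= decrypt([(x + y) % Q for x, y in zip(c1, c2)], s, Q) == (m1 + m2) % 2
            ok[2] &= decrypt(c_mul, tensor(s, s, Q), Q) == m1 * m2
            ok[3] &= decrypt(switch_key(tau, c_mul, Q), s_new, Q) == m1 * m2
    return tuple(ok)   # (True, True, True, True)
```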

**4.2 Correctness of MPLWE (MPLWR) scheme**

**Lemma 7 (Correctness).** Assume that $\alpha < 1/(16 \sqrt{\lambda t k})$ and $q \ge 16 t (k + 1)$. With probability $\ge 1 - d \cdot 2^{-\Omega(\lambda)}$ over the randomness of $(\mathrm{sk}, \mathrm{pk}) \leftarrow \mathrm{KeyGen}$, for all plaintexts $\mu$ and with probability 1 over the randomness of Encrypt, we have $\mathrm{Decrypt}(\mathrm{sk}, \mathrm{Encrypt}(\mathrm{pk}, \mu)) = \mu$.

*Proof.* See [9], Lemma 4.1.

**Lemma 8 (homomorphic properties).** Let $c_1, c_2$ be two different messages encrypted by $s$ and $A, r$ be as described in the encryption scheme of MPLWE (MPLWR); then we can decrypt the messages $m_1 + m_2$ and $m_1 \times m_2$ using the secret key $s$.

*Proof.*

$$m_1 + m_2 = \langle c_1 + c_2, s \rangle^{\odot_d}_q = \langle c_1, s \rangle^{\odot_d}_q + \langle c_2, s \rangle^{\odot_d}_q = m_1 + m_2$$

$$\begin{aligned}
m_1 \times m_2 &= \langle c_1 \otimes c_2, s \otimes s \rangle^{\odot_d}_q = \langle (m_1 + A^T r_1) \otimes (m_2 + A^T r_2), s \otimes s \rangle^{\odot_d}_q \\
&= \langle m_1 \otimes m_2, s \otimes s \rangle^{\odot_d}_q + \langle A^T r_1 \otimes m_2, s \otimes s \rangle^{\odot_d}_q + \langle m_1 \otimes A^T r_2, s \otimes s \rangle^{\odot_d}_q + \langle A^T r_1 \otimes A^T r_2, s \otimes s \rangle^{\odot_d}_q \\
&= m_1 \times m_2
\end{aligned}$$

**Chapter 5 Optimization**

**5.1 Bootstrapping and Batching**

A somewhat homomorphic encryption scheme is (roughly speaking) a scheme which has the addition and multiplication properties at the same time. In [4], Gentry proved that there exists an efficient transformation that, given a description of a bootstrappable scheme $\varepsilon$ and a parameter $d = d(\lambda)$, outputs a description of another encryption scheme $\varepsilon^{(d)}$ that is compact (which means the size of the ciphertext is bounded) and homomorphic for all circuits of depth up to $d$.

Our scheme is obviously a somewhat homomorphic scheme, i.e. we can still make our scheme bootstrappable. The advantage of making our scheme bootstrappable is that [5] describes a way to batch the bootstrapping and achieve high efficiency on specific problems.

**5.2 Public Key Compression for LWR**

In [6], a way is introduced to compress the public key size with a pseudo-random

• KeyGen($1^\lambda$): Generate a random prime integer $p$ of size $\eta$ bits. Randomly generate the $a_i$'s and compute $b_i = 4 \lceil \tfrac{1}{2} a_i s \rfloor - a_i s$. Initialize a pseudo-random number generator $f$ with a random seed $\mathrm{se}$. Use $f(\mathrm{se})$ to generate a set of integers $\chi_i \in [0, 2^\gamma)$ for $1 \le i \le \tau$. For all $1 \le i \le \tau$ compute:

$$\delta_i = \langle \chi_i \rangle_p + \xi_i \cdot p - r_i$$

where $r_i \leftarrow \mathbb{Z} \cap (-2^\rho, 2^\rho)$ and $\xi_i \leftarrow \mathbb{Z} \cap [0, 2^{\lambda + \eta} / p]$. For all $1 \le i \le \tau$ compute:

$$b_i = \chi_i - \delta_i$$

Let $\mathrm{pk} = (a_0, \dots, a_\tau, \mathrm{se}, \delta_0, \dots, \delta_\tau)$ and $\mathrm{sk} = p$.

We should store all of the $a_i$ and about one dimension's worth of the $b_i$'s, i.e. we store a public key of about $\tau \cdot \eta + \gamma + \eta$ bits instead of $2 \tau \eta$ bits, which about halves the initial public key; but notice that we must recompute the public key each time we need to use it.

**Chapter 6 Zero knowledge proof**

In [3], a way to do zero knowledge proofs via fully homomorphic encryption is introduced. It is still compatible with our scheme. The generic protocol, between a prover P and a verifier V, is as follows.

$P_1$. Choose an encryption $c' = b' + r'$ of zero and send $c'$ to the verifier.

$V_1$. Select $e \leftarrow \{0, 1\}$ and send $e$ to the prover.

$P_2$. If $e = 0$, set $d = b'$, or if $e = 1$, set $d = b + b'$. Transmit $d$.

$V_2$. Verify that $d$ is a lattice point, and check that the noise $e c + c' - d$ is well-formed and sufficiently small.

This is also our advantage in choosing lattice-based encryption: it is easy to make our scheme compatible with other lattice-based protocols.

**Chapter 7 Application**

There are many situations in which we would like to use fully homomorphic encryption.

For example, machine learning may need a huge amount of computing. However, it may be hard for a start-up company to buy high-performance computers. The solution to this situation is to rent computing power via cloud computing. However, how do we keep the data secure? We can keep it secure via fully homomorphic encryption: since we have the addition and multiplication properties, we can do all kinds of computing on encrypted data.

Although we may spend more computing resources to keep the data secure, it still pays off if the total time spent is less than with a personal computer. Hence fully homomorphic encryption may be a good choice to keep data safe and save more time than usual.

Fully homomorphic encryption may also be a good choice for multi-party computation. Since we have the addition and multiplication properties, we can easily construct a scheme.

If you want to do secure multi-party computation, you can express the computation as a boolean circuit C, and you can easily transform any circuit so that it uses only AND

ing relationship: when working with 0,1, AND can be done by multiplication (x AND y = xy), and NOT can be done with addition (NOT(x) = 1 − x). Since fully homomorphic encryption lets you do addition, subtraction, and multiplication on encrypted values, it also lets you do NOT and AND on encrypted values, which is all you need for secure multi-party computation.

**Chapter 8 Summary**

We introduce a way to do FHE on LWR, MPLWE and MPLWR, which have higher security than the basic LWE scheme. It seems that the variants of LWE have similar properties. We also introduce public key compression, which is useful when the transfer cost may be high in certain cases.

The table below shows the differences between these protocols. The estimated time in the table is calculated from the number of multiplications. We consider computing AES-128 on 1 GB of messages at 3.60 GHz, where a multiplication in AES-128 contains 7568 multiplications over the finite field. The finite field multiplication algorithm we use is Montgomery modular multiplication with 32-bit pieces. The estimated performance time is about 484 times the AES-128 computing time (about 14.48 s for 1 GB of AES-128).

| | LWE | LWR | MPLWE | MPLWR |
|---|---|---|---|---|
| Public key | $\lceil (2n+3) \log q \rfloor$ | $\lceil (2n+3) \log q \rfloor$ | $(n + d + k - 1) t$ | $(n + d + k - 1) t$ |
| Secret key | $(n+1) \log q$ | $(n+1) \log q$ | $(n + d + k - 1) \log q$ | $(n + d + k - 1) \log q$ |
| Ciphertext | $(n+1) \log q$ | $(n+1) \log q$ | $(n + k) \log q + d \log q$ | $(n + k) \log q + d + k$ |
| Estimated time | 1.953 h | 1.954 h | 2.198 h | 2.210 h |

Hardness: LWE $\le$ LWR, LWE $\le$ MPLWE $\le$ MPLWR

**Chapter 9 Future Work**

In 2018, the simplest fully homomorphic encryption scheme, DGHV, was reported to be broken by a quantum computer in quantum polynomial time. For our scheme, we still do not have a security proof against quantum computers. We hope that we can prove the quantum security of our scheme. Also, it seems that we have to transmit more information during computation, and if there is a transmission error the message will be broken. We hope to solve this problem, for example by changing the scheme to code-based encryption.

**References**

[1] A. Banerjee, C. Peikert and A. Rosen. Pseudorandom functions and lattices. 2011.

[2] A. López-Alt, E. Tromer and V. Vaikuntanathan. On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption. 2013.

[3] C. Carr, A. Costache, G. T. Davies, K. Gjøsteen and M. Strand. Zero-knowledge proof of decryption for FHE ciphertexts. 2018.

[4] C. Gentry. Fully homomorphic encryption using ideal lattices. Pages 169–178, 2009.

[5] J.-S. Coron, T. Lepoint and M. Tibouchi. Batch fully homomorphic encryption over the integers. 2013.

[6] J.-S. Coron, D. Naccache and M. Tibouchi. Public key compression and modulus switching for fully homomorphic encryption over the integers. 2011.

[7] J. Alwen, S. Krenn, K. Pietrzak and D. Wichs. Learning with rounding, revisited. Annual Cryptology Conference, pages 57–74, 2013.

[9] M. Rosca, A. Sakzad, D. Stehlé and R. Steinfeld. Middle-product learning with errors. 2017.

[10] S. Bai, K. Boudgoust, D. Das, A. Roux-Langlois, W. Wen and Z. Zhang. Middle-product learning with rounding problem and its applications. 2019.

[11] Z. Brakerski, C. Gentry and V. Vaikuntanathan. Fully homomorphic encryption without bootstrapping. 2011.