TSINGHUA SCIENCE AND TECHNOLOGY

ISSNll1007-0214 02/13 pp564–578

DOI: 1 0 . 2 6 5 9 9 / T S T . 2 0 1 9 . 9 0 1 0 0 7 6
Volume 25, Number 5, October 2020

Modified Multi-Key Fully Homomorphic Encryption Based on

NTRU Cryptosystem without Key-Switching

Xiaoliang Che, Tanping Zhou, Ningbo Li, Haonan Zhou, Zhenhua Chen, and Xiaoyuan Yang

Abstract: The Multi-Key Fully Homomorphic Encryption (MKFHE) based on the NTRU cryptosystem is an important
alternative to the post-quantum cryptography due to its simple scheme form, high efficiency, and fewer ciphertexts
and keys. In 2012, López-Alt et al. proposed the first NTRU-type MKFHE scheme, the LTV12 scheme, using the
key-switching and modulus-reduction techniques, whose security relies on two assumptions: the Ring Learning With
Error (RLWE) assumption and the Decisional Small Polynomial Ratio (DSPR) assumption. However, the LTV12
and subsequent NTRU-type schemes are restricted to the family of power-of-2 cyclotomic rings, which may affect
the security in the case of subfield attacks. Moreover, the key-switching technique of the LTV12 scheme requires a
circular application of evaluation keys, which causes rapid growth of the error and thus affects the circuit depth. In
this paper, an NTRU-type MKFHE scheme over prime cyclotomic rings without key-switching is proposed, which has
the potential to resist the subfield attack and decrease the error exponentially during the homomorphic evaluating
process. First, based on the RLWE and DSPR assumptions over the prime cyclotomic rings, a detailed analysis
of the factors affecting the error during the homomorphic evaluations in the LTV12 scheme is provided. Next, a
Low Bit Discarded & Dimension Expansion of Ciphertexts (LBD&DEC) technique is proposed, and the inherent
homomorphic multiplication decryption structure of the NTRU is proposed, which can eliminate the key-switching
operation in the LTV12 scheme. Finally, a leveled NTRU-type MKFHE scheme is developed using the LBD&DEC
and modulus-reduction techniques. The analysis shows that the proposed scheme compared to the LTV12 scheme
can decrease the magnitude of the error exponentially and minimize the dimension of ciphertexts.

Key words: NTRU-type Multi-Key Fully Homomorphic Encryption (MKFHE); prime cyclotomic rings; Low Bit
Discarded (LBD); homomorphic multiplication decryption structure

1 Introduction encrypted data at different public keys (users), and

the final ciphertext can be jointly decrypted by all the
The Multi-Key Fully Homomorphic Encryption
involved users. Moreover, the operation process between
(MKFHE) can perform arbitrary operations on
the ciphertexts of different users can be entrusted to the
 Xiaoliang Che, Tanping Zhou, Ningbo Li, Haonan Zhou, and
cloud offline, avoiding the interaction between users in
Xiaoyuan Yang are with the Engineering University of People’s
Armed Police, Xi’an 710086, China. E-mail: smo mrche@
the secure Multi-Party Computing (MPC) protocol. So,
[Link]; 850301775@[Link]; 372726936@[Link]; 19570 the MKFHE can be widely used in ciphertext retrieval[1] ,
28@qq. com; xawjchexl@[Link]. secure MPC[2–4] , privacy-preserving protocol[5] , etc.
 Zhenhua Chen is with Xi’an University of Science and In 2012, López-Alt et al.[6] proposed the concept
Technology, Xi’an 710054, China. E-mail: zhenhua@uow. of MKFHE for the first time and constructed the
[Link]. first MKFHE scheme LTV12 based on the NTRU
 To whom correspondence should be addressed.
cryptosystem (called NTRU-type MKFHE). Many
Manuscript received: 2019-10-29; revised: 2019-12-05;
accepted: 2019-12-06
studies on the MKFHE have been reported[7–14] . Similar
C The author(s) 2020. The articles published in this open access journal are distributed under the terms of the
Creative Commons Attribution 4.0 International License ([Link]
 Xiaoliang Che et al.: Modified Multi-Key Fully Homomorphic Encryption Based on NTRU Cryptosystem


565

to the traditional single-key Fully Homomorphic type MKFHE, which eliminates the key-switching in
Encryption (FHE), the MKFHE mainly includes NTRU- homomorphic multiplication and reduces the ciphertext
type MKFHE, GSW-type MKFHE[8–11] , and BGV- dimension.
type MKFHE[12] . Among the three types of MKFHE (3) A leveled NTRU-type MKFHE scheme over prime
schemes, the NTRU-type MKFHE scheme is the fastest cyclotomic rings, which successfully eliminates the
in encryption and decryption, and has the simplest form, relinearization and greatly decreases the error magnitude,
and uses the least ciphertexts and keys. The underlying is designed.
scheme of the NTRU encryption has been used to design The rest of this paper is organized as follows. In
various cryptographic primitives, including the digital Section 2, the basic mathematical techniques used in
signatures[15] , identity-based encryption[16, 17] , and multi- this work, and the RLWE and DSPR assumptions
linear maps[18, 19] . are presented. In Section 3, the NTRU-type MKFHE
The security of the NTRU-type homomorphic over prime cyclotomic rings is introduced, and its
encryption schemes is based on the Ring Learning cryptographic properties are analyzed. In Section 4,
With Error (RLWE) assumption and Decisional Small the inherent homomorphic decryption structure is
Polynomial Ratio (DSPR) assumption. Stehlé and modified by using the LBD&DEC technique, and
Steinfeld showed that the DSPR assumption could the detailed analysis of the size of error, ciphertext,
be reduced to the RLWE assumption under certain and evaluation key, etc., is provided. In Section 5, a
conditions (refer to Ref. [20] for details). The RLWE multi-key somewhat homomorphic encryption scheme
represents an algebraic variant of the LWE[21] , whose is designed by using the LBD&DEC technique, and
hardness can be reduced to the hardness of the worst- the parameter comparison between our scheme and
case problems on ideal lattices in the standard model. the LTV12 scheme is given. In Section 6, a leveled
However, recently, it has been shown that subfield NTRU-type MKFHE scheme without key-switching is
attacks[22–25] affected the asymptotic security of NTRU- presented. The conclusion is provided in Section 7.
type schemes for large moduli q: Yu et al.[26, 27]
2 Preliminary
considered a variant of NTRU encrypt over prime
cyclotomic rings and obtained the INDistinguish-ability Assume  denotes the security parameter, and negl./
under Chosen-Plaintext Attack (IND-CPA) secure results denotes a negligible function of ; a denotes the row
in the standard model assuming the hardness of the worst- vector, ai represents the i -th element of a, and aT
case problems on ideal lattices, which was shown to be represents the column vector. The element located in the
a good choice to resist the subfield attacks. i -th row and the j -th column of matrix C is represented
In LTV12[6] , the leveled NTRU-type MKFHE scheme as C Œi; j . In general, vectors can be regarded as a
was adopted by using the key-switching (known as the row matrix. Let v and w 2 Rm , where R denotes the
relinearization) and modulus-reduction techniques[28, 29] . cyclotomic rings, and assume the dimension of vector v
However, the key-switching process needed to be and w is m, so v
w D hv; wi D v1 w1 C v2 w2 C


Cvk wk
carried out before reducing the modulus during the denotes the inner product, v and w 2 Rm .
homomorphic evaluations, which increased the error In this paper, the prime cyclotomic rings R D
significantly. Hitherto, much work on the design and ZŒx=˚n .x/ and Rq D R=qR are used, where ˚n .x/ D
security research of the NTRU-type FHE scheme has x n 1 C x n 2 C


C 1 (n denotes a prime), q D
been done[30, 31] , but there are few outstanding results of q./ denotes a prime, and it satisfies q D 1 mod n.
the NTRU-type MKFHE. Addition and multiplication operation on these rings are
The main contributions of this work can be component-wise in their coefficients, and the coefficients
summarized as follows. of Rq are reduced to the range Πq=2; q=2/, except
(1) The NTRU-type MKFHE (LTV12) over prime for q D 2. We require the ability to sample from the
cyclotomic rings is adopted, and the parameters that probability distribution , i.e., the truncated discrete
affect the growth of error during the homomorphic Gaussian distribution DZn ; , with Gaussian parameter ,
p 2 2
evaluations are analyzed. deviation r D  2 , and Gaussian function e x = .
(2) A Low Bit Discarded and Dimension Expansion Refer to Ref. [32] for a detailed description of the
of Ciphertexts (LBD&DEC) technique is used to discrete Gaussian distribution. Let  D ./ be a B-
modify the inherent decryption structure of the NTRU- bound error distribution over R whose coefficients are
 566 Tsinghua Science and Technology, October 2020, 25(5): 564–578

in the range Œ B; B. For the probability distribution D, expanded ciphertext to the normal level. Generally, it
x D denotes that x is sampled fromD. can be used to transform a ciphertext c 2 Rq (under the
The vector length is generally measured by the secret key f) to another ciphertext cevk 2 Rq (under the
Euclidean norm. For v 2 R, we use kvk1 D secret key fevk ) while the corresponding message stays
max06i 6n 1 jvi j to denote the standard l1 -norm and unchanged. Let l D dlog qe, the key-switching process
use kvk1 D ni D01 jvi j to denote the standard l1 -norm.
P
mainly consists of two procedures.
The security of our scheme is based on the RLWE and (1) KeySwitchGen .f 2 RI fevk 2 Rq /: For h 2 Rq ;
DSPR assumptions. Following Refs. [26] and [27], a s ; e 2 Rql , output the evaluation key as
brief introduction to these assumptions over the prime evkf!fevk WD fk D hs C2e CPof2.f / 2 Rql g D1;:::;l :
cyclotomic rings is provided.
(2) KeySwitch .c; k ; q/: Compute the ciphertext
Definition 1 RLWE assumption: Let  be a
vector c0 D BitD.c/ 2 Rql , and output cevk D c0
k D
security parameter. q = q./ 2 Z is a prime integer.
hBitD.c/; k i 2 Rq .
˚n .x/ D x n 1 Cx n 2 C


C1 (n is a prime) is the sub-
There are some useful conflusions in the following.
cyclotomic polynomial. For the polynomial ring defined
Lemma 1 [26] Let ˚n .x/ D x n 1 C x n 2 C


C 1,
by R D ZŒx=˚n .x/ and Rq D R=qR, and an error
and R D ZŒx=˚n .x/, where n is a prime. For any
distribution  D ./ over R, the RLWE assumption
a; b 2 R, it holds that
states that the following two distributions cannot be
distinguished: (1) one samples .ai ; bi / uniformly from kabk16 2.n 1/kak1 kbk1 ;
p
RqnC1 , and (2) one first draws ai Rqn uniformly, kabk 6 2 n 1kakkbk:
and samples .ai ; bi / 2 RqnC1 by choosing si Rqn and According to Lemma 1, the following Lemma 2 can
ei  uniformly, and set bi D hai ; si i C ei . be drawn.
Definition 2 DSPR assumption: Let  be a Lemma 2 Let a; b 2 R be sampled from
security parameter. q = q./ 2 Z is a prime integer. p a
discrete Gaussian distribution with parameter B 2
˚n .x/ D x n 1 C x n 2 C


C 1 (n is a prime) is and bound B, under the worst-case conditions, the
the sub-cyclotomic polynomial. For the polynomial bound of ab mod ˚n .x/ is kabk1 6 2.n 1/B 2 ,
ring R D ZŒx=˚n .x/ and Rq D R=qR, and a B- for convenience, mod ˚n .x/ is omitted. In particular,
bound error distribution  D ./ over R, the DSPR when the bound of b is 1, it holds that kabk1 6
assumption states that the following two distributions 2.n 1/B.
cannot be distinguished: (1) a polynomial h D 2g=f , Remark According to Lemma 2, if a; b; c 2 R,
where f = 2f 0 C 1, and it is reversible over Rq , and (2) we have kabck16 2.n 1/kabk1 kcjj1622 .n 1/2 B 3 .
a polynomial h sampled uniformly at random over Rq . So Lemma 2 yields the following corollary.
Two subroutines: Here two subroutines Corollary 1 Let  be a security parameter, for the
BitDecomp. / and Powersof 2. /, which are widely used polynomial ring given by R D ZŒx=˚n .x/, ˚n .x/ D
in the FHE schemes, are introduced. Assuming that x n 1 C x n 2 C


C 1, where n is a prime,  D ./
l D dlog qe, these two subroutines can be expressed as is a B-bound error distribution, and q = q./ 2 Z is a
follows. prime integer, let s1 ; s2 ; : : : ; sk . Then, we have
BitDecomp (x 2 Rq ): Rq 7! R2l . On input x 2 Rq , Qk k 1 .k 1/ k
i D1 si 6 2 .n 1/ B :
outputs x 7! .x0 ; x1 ; : : : ; xl 1 / 2 f0; 1gl (For 1
convenience, we denote BitD.x/ 2 Rql ).
3 Basic NTRU-Type Multi-Key Somewhat
Powersof2 (x 2 Rq ): Rq 7! Rql . On input x 2 Rq ,
Homomorphic Encryption (MKSHE) over
outputs x 7! .x; 2x; : : : ; 2l 1 x/, where 2l 1 < q=2 (For
convenience, we denote Pof2.x/ 2 Rql ).
Prime Cyclotomic Rings
It’s obviously to verify that hBitD.x/; Pof 2.y/i D The NTRU key pairs consist of ring elements .h; f /,
hx; yi mod q, where hx; yi denotes the product of such that h D Œ2g=f q , where g and f denote small
polynomials x; y 2 Rq . elements sampled from a B-bounded distribution  and
Key-switching technique: The relinearization f is invertible in Rq , respectively. Further recall that an
technique in the LTV12 scheme is also known as NTRU ciphertext has the form of cO WD Œm C hOs C 2e Oq
the key-switching technique[28, 29] . The key-switching for small elements sO and eO sampled from , and m can
technique can be used to reduce the dimension of be recovered by computing Œf c O q .mod 2/.
 Xiaoliang Che et al.: Modified Multi-Key Fully Homomorphic Encryption Based on NTRU Cryptosystem


567

The NTRU-type homomorphic encryption naturally grows rapidly during the key-switching process. In the
supports the homomorphic evaluations between following, the error growing trend is explained in detail.
ciphertexts of different users (secret keys), which 3.1 Scheme
can be easily proven. Generally, it is assumed that
there are four users A; B; C , and D, corresponding The correctness and error of the NTRU-type multi-
to the four public keys .pkA ; pkB ; pkC ; pkD / and key homomorphic encryption scheme in the LTV12
four secret keys .skA ; skB ; skC ; skD /, respectively. scheme are analyzed. For prime cyclotomic rings, the
Plaintexts .mA ; mB ; mC ; mD / can be encrypted as correctness of the LTV12 scheme does not change, but
.cOA ; cOB ; cOC ; cOD /, where cOi WD hi sO C 2eO C mi 2 Rq , the error is different compared to the LTV12 scheme
i 2 fA; B; C; Dg. Set fpkA ; pkB ; pkC g 2 K1 ; fpkB ; on power-of-two cyclotomic rings. The basic LTV12
pkC ; pkD g 2 K2 , so K1 \ K2 D fpkB ; pkC g, and scheme over prime cyclotomic rings is described in this
K D K1 [ K2 D fpkA ; pkB ; pkC ; pkD g. It should section, and a detailed analysis of the factors affecting
be noted that since the method to process the cubic the error growth during the homomorphic evaluations is
(or larger order) of a ciphertext product is similar provided.
to quadratic order, only the quadratic order of the Let  be a security parameter, q = q./ 2 Z is a prime
ciphertext product is considered in this paper. integer, ˚n .x/ D x n 1 C x n 2 C


C 1 (n is a prime)
In particular, the two joint ciphertexts can be denote is the sub-cyclotomic polynomial. For the polynomial
as cO1 D cOA cOB cOC and cO2 D cOB cOC cOD , which can be ring R D ZŒx=˚n .x/ and Rq D R=qR, if the error
decrypted to the joint plaintexts m1 D mA mB mC and distribution  = ./ over R is B-bound, the dlog qe is
m2 D mB mC mD , respectively, by using the joint secret also a B-bound error distribution space.
keys FK1 D fA fB fC and FK2 D fB fC fD . That is As stated earlier in this section, we let K1 and K2
FK1 cO1 D FK1 m1 C v1 and FK2 cO2 D FK2 m2 C v2 . denote the two public-key sets containing N users. In the
Similarly, to decrypt cO1 cO2 D cOA cOB2 cOC2 cOD we need to LTV12 scheme, the exponential dependence of the error
multiply FK1 FK2 D fA fB2 fC2 fD . Thus, the magnitude on N is not eliminated, so it is assumed that there is an
of the coefficients of FK1 FK2 grows exponentially with a-priori upper bound on N , that is N  n" , with constant
the degree of the evaluated circuit. Namely, after L " 2 .0; 1/. Without loss of generality, we assume K1 \
multiplications, the needed joint secret key will represent K2 D fpki1 ; : : : ; pkij g, K1 [K2 D fpk1 ; pk2 ; : : : ; pkr g,
the product of L polynomials, and the magnitude of the where j 2 Œ0; N , r 2 ŒN; 2N .
coefficients in this product will increase exponentially The basic NTRU-type MKSHE over prime cyclotomic
with L. In order to solve these problems, the joint secret rings can be expressed as follows. This expression
key FK = fA fB fC fD , which has no quadratic items, represents the basic MKSHE (called BC-MKSHE)
is used to complete homomorphic decryption. Since scheme, whose security is based on the RLWE and
K1 ; K2  .K1 [ K2 /, we have DPSR assumptions over prime cyclotomic rings.
(1) BC-MKSHE: KeyGen.1 /: Sample f 0 ; g ,
ŒFK .cO1 C cO2 /q D 0
and set f = 2f C 1, so that f  [Link] 2/. If f is not
ŒFK .mA mB mC C mB mC mD / C fD v1 C fA v2 q : invertible in Rq , resample f 0 . Set h D 2g=f 2
However, since there are no fB2 and fC2 in FK , the Rq , so pk WD h 2 Rq , sk WD f 2 R. For all  2
multiplication cannot be decrypted correctly. Thus, we f1; : : : ; lg (here l D dlog qe ), sample s ; e l ,
have compute the evaluation key vector k D hs C 2e C
2 2 Pof2.f / 2 Rql .
 
ŒFK cO1 cO2 q ¤ FK mA mB mC mD C errormult q ;
Output: .pk; sk; evk/ D .h; f; k /.
where errormult represents the error of homomorphic
(2) BC-MKSHE: [Link]; m/: Sample sO ; eO .
multiplication decryption.
Output the ciphertext: cO WD m C hOs C 2eO 2 Rq .
Therefore, the key-switching technique is used in the
O Let u WD
(3) BC-MKSHE: Dec.sk1 ; sk2 ; : : : ; skN ; c/:
LTV12 scheme to re-linearize cOmult = cO1 cO2 , and switch
.sk1 sk2


skN /cO 2 Rq .
ŒFK cO1 cO2 q to the decryption structure given by
  Output: m0 WD [Link] 2/.
ŒFK .cO1 cO2 /q D FK1 FK2 .cO1 cO2 / C errormult q : (4) BC-MKSHE: KeySwitch.c; Q k ; q/: Given the
Although cOmult = cO1 cO2 is decrypted by FK , and the ciphertext cQ and the evaluation key k , and output
dependence of the coefficient’ magnitude of the joint ŒhBitD.c/; Q k iq .
secret key on the circuit degree is eliminated, the error (5) BC-MKSHE: Eval: Add.cO1 ; cO2 /: Given two
 568 Tsinghua Science and Technology, October 2020, 25(5): 564–578

ciphertexts cO1 and cO2 with the corresponding public- By applying Lemma 2 and Corollary 1, we easily
key sets K1 and K2 , output the ciphertext cOadd D get cOi1 fi 1 < .2B C 1/ C 3.n 1/.2B C 1/2 . Let
ŒcO1 C cO2 q 2 Rq . .2B C 1/ C 3.n 1/.2B C 1/2 D 0 , then in the
(6) BC-MKSHE: Eval: Mult.cO1 ; cO2 ; KeySwitch/: above-mentioned worst case, cO1 FK1 D .cO11 f1 /.cO21 f2 /



1
Given two ciphertexts cO1 and cO2 with the corresponding .cON fN /. So can be bounded by
public-key sets K1 and K2 , let cQ0 D cO1 cO2 . For 6 2N 1 .n 1/N 1 . 0 /N <
j 2 Œ0; N , 1
23N .n 1/2N 1
.2B C 1/2N :
(a) If j D0, output cOmult D cQ0 2 Rq .
(b) If j ¤ 0, for t 2 Œ1; j , compute cQt D Necessarily, let < q=2.
[Link] 1 ; k t; ; q/ 2 Rq . Based on Corollary 1, we have kFK k1 6
Let cOmult D cQj at the end of the iteration. 2 .n 1/r 1 .2B C 1/r , and for convenience,
r 1

we set Er 6 2r 1 .n 1/r 1 .2B C 1/r .

3.2 Correctness analysis Since the error generated by homomorphic addition is
Multi-key homomorphism: Let FK1 and FK2 be much smaller than the multiplication, we analyze only
the joint decryption keys for ciphertext cO1 and cO2 , the error generated by the homomorphic multiplication.
respectively. Also, let F t D F t 1 .f t / 1 , t 2 Œ1; j , Thus, it can be written
where F0 D FK1 FK2 . According to the LTV12 scheme, kFj cQj k1 < 3l.n 1/ErC1 C kFj 1 cQj 1 k1 (2)
the addition and multiplication on ciphertexts can be Then, we obtain
decrypted using the product of the users’ secret keys in
kFj 1 cQj 1 k1 < 3l.n 1/ErC2 C kFj 2 cQj 2 k1 :
set K D K1 [ K2 . For given two ciphertexts cO1 and cO2
with the corresponding public-key sets K1 and K2 , we Thus, the final error is bounded in the following:
j
have FK1 cO1 D FK1 m1 C v1 , FK2 cO2 D FK2 m2 C v2 , X
and kFK1 cO1 k1 D kFK2 cO2 k1 < , where v1 and v2 kFj cQj k1 < 3l.n 1/ ErCt C 2.n 1/ 2 D
tD1
denote the error. Then, in the case of addition, we have
jX1
!
FK cOadd D FK .m1 Cm2 /CFK K1 v1 CFK K2 v2 Cv1 v2 : 3l.n 1/ErCj 1C E C2.n 1/ 2
<
t
Therefore, cOadd decrypts correctly. The multiplication t D1
case is more complex, and in that case, we have 2
6l.n 1/E2N C 2.n 1/ (3)
F t cQt D F t f t 1 .[Link] 1 /
2g t s /C Based on Eq. (3), it can be found that there are two
2F t .[Link] 1/
e / C F t 1 cQt 1 : main factors affecting the error growth, which are the
For all t 2 Œ1; j , by using the key-switching number of union secret keys N and the length of vector
technique, we can get the decryption structure in the [Link] /. Hence, these two factors can be used to control
following form: the error growth by applying the two following methods:
(1) Exponential dependence of the error on N can be
FK cOmult D Fj cQj D errormult C FK1 FK2 cQ0 (1)
reduced by eliminating the key-switching operations;
where FK D Fj D f1 f2


fr has no quadratic item of (2) Error magnitude can be decreased by reducing the
f t . Equation (1) represents the inherent decryption length of a ciphertext vector.
structure of the NTRU-type homomorphic multiplication.
By rounding of ŒFK1 FK2 cQ0 q , we get FK1 FK2 m1 m2 , 4 Modified Multi-Key Homomorphic
and thus cOmult can be decrypted correctly by FK . This Multiplication Decryption Structure
inherent decryption structure that is deduced by using
the key-switching technique is a guarantee that we can The key-switching technique causes fast error growth.
successfully decrypt cOmult by FK . The main way to decrease the error is to eliminate
Error analysis: Assume that there is no intersection the key-switching in the BC-MKSHE. However, to
between the public keys of the N users in K1 or K2 . ensure that the scheme works correctly, the decryption
For instance, consider the worst case of the ciphertext structure of the homomorphic multiplication has to be
cO1 encrypted by the public-key set K1 , and let cO1 modified. In Refs. [31] and [33], the decryption structure
be the multiplication of all users’ fresh ciphertexts, of a single-key homomorphic encryption scheme was
i.e., cO1 D cO11 cO21


cON
1
denotes the ciphertext of m1 D studied. Chen[33] extended the ciphertext to the vector
m1 m2


mN , where cOi1 denotes a fresh ciphertext, so
1 1 1 form, and performed the homomorphic decryption in the
cOi1 fi D m1i fi C vi1 . vector space. The main disadvantage of this approach
 Xiaoliang Che et al.: Modified Multi-Key Fully Homomorphic Encryption Based on NTRU Cryptosystem


569

is that the increase in the ciphertext dimension makes According to Eq. (6), the LBD is based only on the
the homomorphic evaluations more complex. However, functions BitDecomp./ and Powersof 2./.
in our multi-key homomorphic encryption scheme, 4.2 Modified method
the homomorphic decryption structure is improved by
expanding the ciphertext dimension, and the Low Bit In this section, the LBD technique is employed to
Discarded (LBD) method is used to control the ciphertext improve the homomorphic decryption process.
Method 1: In the BC-MKSHE scheme, the LBD
space size.
technique can be used to discard redundant bits of
4.1 LBD technique the evaluation key vector to simply the key-switching
In Ref. [34], the efficiency of the fully homomorphic operations. So we have Method 1 in the following.
encryption scheme was enhanced by discarding the lower Step 1 (Discard low bits of the evaluation key
bits. In this section, the LBD based on the functions vector): Let ˇ and d be positive constants, and l D
BitDecomp( ) and Powersof2( ) is presented. dlog qe. Perform the LBD functions to obtain the
LBD: By discarding elements with small coefficients evaluation key. Output: kQ  D LBDˇ !dCˇ 1 .k / 2 Rql d .
(i.e., low bits) of Powersof2( ) vector, a lower-dimension Step 2 (Simplify KeySwitch function): Compute
vector that has no influence on the final decryption the ciphertext vector LBDˇ !d Cˇ 1 .BitD.c//Q 2 Rql d .
is obtained. For instance, for a given ciphertext ci Output is as follows:
and a secret key fi , the inner product of [Link] / and KeySwitchLBD .Qc; kQ  ; q/ D
Pof [Link] / can be obtained, ŒhLBDˇ !d Cˇ 1 .BitD.c//; Q LBDˇ !d Cˇ 1 .k /iq :
[Link] /
[Link] / D Step 3 (Compute the homomorphic multiplication
.ci;1 ; ci;2 ; : : : ; ci;l /.20 fi ; 21 fi ; : : : ; 2l 1
fi / D of ciphertexts): Given two ciphertexts cO1 and cO2 with
0 1 l 1 the corresponding public-key sets K1 and K2 , let cQ0 D
2 ci;1 fi C ci;2 2 fi C


C ci;l 2 fi (4)
cO1 cO2 . For j 2 Œ0; N ,
where ci; 2 R2 ; l D dlog qe,  2 Œ1; l. Compared cQQ t D KeySwitchLBD .cQt 1 ; kQ t; ; q/ 2 Rq :
to 2l 1 ci;l fi , the value of 2d 1 ci;d fi (d  l) is
Set cmult D cQQj at the end of the iteration.
small. Thus, when l is large, discarding the terms
Correctness verification of Method 1: Sample
of ci;1 fi ; 2ci;2 fi ; 22 ci;3 fi ; : : : ; 2d 1 ci;d fi has a little
sQ ; eQ  l d , we have
effect on the overall value of Eq. (4). Further, the
F t cQQ t D F t f t 1 .LBDˇ !d Cˇ 1 .[Link] 1 //
2g t sQ /C
LBD function can be defined as LBDd1 !d2 .[Link] //,
which means that the columns from d1 to d2 (we 2F t .LBDˇ !d Cˇ 1 .[Link] 1 //
eQ  /
denote as (d1 ! d2 )) of vector [Link] / are discarded.
0 1
d Cˇ
X2
According to Eq. (4), assume that the .1 ! d / columns Ft 1 @ 2& 1 cQt 1;& A C F t 1 cQt 1 (7)
of [Link] / are discarded, to ensure the correctness &Dˇ C1
of the mathematical operation, we should discard the where cQt 1;& 2 R2 and & is a constant variable.
.1 ! d / columns of [Link] /. Therefore, we get According to Eq. (6) and since Fj 1 .mod 2/  1, we
set ˇ > 1 to ensure that F t 1 . d& Dˇ
P Cˇ 2 & 1
LBD1!d .[Link] //
LBD1!d .[Link] // D 2 cQt 1;& /
C1
.ci;d C1 ; : : : ; ci;l /.2d fi ; : : : ; 2l 1
fi / D is an even element. Thus, if ˇ > 1, we have F t cQQ t

d
ci;d C1 2 fi C


C ci;l 2 l 1
fi (5) .mod 2/ D F t 1 cQt 1 .mod 2/. Further, according to
Eq. (7), the error magnitude is given in the following:
According to Eq. (5), the dimensions of vectors
[Link] / and Pof [Link] / are reduced after the LBD, while kFj cQQj k1 D kFj f 1 .LBDˇ !d Cˇ 1 .[Link] 1 //

j

the operation efficiency is improved. 2gj sQ / k1 C k2Fj .LBDˇ !d Cˇ 1 .[Link] 1 //

If we set l D dlog qe and d D dlog q 0 e, the LBD 0
d Cˇ
1
X2
technique can be described, eQ  /k1 C Fj 1 @ 2& 1 cQj 1;&
A C
LBD1!d .[Link] //
LBD1!d .[Link] // D &Dˇ C1 1
l d dC2
X X kFj 1 cQj 1 k1< .3.l d /C.2 4// 
ci; 2 1
fi ci; 2 1
fi D
 D1  D1
.n 1/ErC1CkFj 1 cQj 1 k1 (8)
.[Link] /
[Link] //lDdlog qe For any a; b 2 Rq , it holds that ka bk1 6 kak1 C
kbk1 . Since F t D F t 1 .f t / 1 , the magnitude of
.[Link] /
[Link] //d Ddlog q 0 e (6) kFj fj 1 gj sQ k1 ; kFj eQ  k1 , and kFj 1 cQj 1;& k1 in Eq.
 570 Tsinghua Science and Technology, October 2020, 25(5): 564–578

(8) are the same. Compared to Eq. (2), it can be found Output: cmult D C
cT2 2 Rql d .
that when d > 1, kFj cQQj k1 > kFj cQj jj1 , which means Step 4 (Select decryption element): Select the first
that low bits are discarded, the error increases. Moreover, element cmult;1 from the ciphertext vector cmult . Here,
the value of kFj cQQj k1 increases with the use frequency FK D Fj D f1 f2


fr and K D K1 [ K2 .
of key-switching. Thus, it seems that this method does Output [Link] ; cmult;1 /.mod 2/.
not provide satisfactory results. We modify cO 2 Rq to obtain c WD Pof2.m/ C hOs C
Method 2: LBD&DEC is proposed to modify the 2Oe 2 Rql instead of c WD Pof2.m C hOs C 2e/, O so that
decryption structure of the NTRU-type MKSHE. First, the error generated by the term of [Link] C 2e/
O can be
the LBD technique is employed to discard redundant removed. In Section 4.3, the advantages of this change
elements in the plaintext vector, and then the plaintext will be introduced when calculating the error magnitude.
vector is encrypted to expand the ciphertext dimension. Correctness verification of Method 2: According to
Finally, the decryption structure in the vector space is Step 2, set ˛ D f1; 2g, we get
improved. Referring to Method 1, some bits of the
2 3
20 m˛ C hs˛;1 C 2e˛;1
plaintext vector from the second column are discarded 6 d C1
6 2 m˛ C hs˛;d C2 C 2e˛;d C2 7
7
to ensure the correctness of the decryption. Accordingly, T
c˛ WD 6 6 :: 7 2 Rl d :
q
:
7
the modified decryption structure can be improved by 4 5
the following steps: 2l 1
m˛ C hs˛;l C 2e˛;l
Step 1 (Discard the plaintext vector): Let l D
Thus, we have BitD.cT1 / 2 R2.l d /l . To keep the
dlog qe, d is a positive constant. Compute the plaintext
correctness of BitD.cT1 /
cT2 , we perform Step 3. After
vector mO D LBD2!d C1 .Pof 2.m// (m 2 f0; 1g).
discarding the .2 ! d C 1/ columns of matrix BitD.cT1 /,
Output: mO D .m; 2d C1 m;


; 2l 1 m/ 2 Rql d .
an .l d /  .l d / matrix is obtained,
Step 2 (Ciphertext expansion): Let pk WD h 2 Rq ,
sk WD f 2 R. Sample s; e l . Use public key pk C D LBD2!d C1 .BitD.cT1 // D
O D .m; 2d C1 m; : : : ;
2 3
to encrypt the plaintext vector m .c1;1 /1 .c1;1 /d C2


.c1;1 /l
l 1
2 m/. 6 .c1;d C2 /1 .c1;d C2 /d C2


.c1;d C2 /l 7
6 7
Output: c WD m O C hs C 2e 2 Rql d . 6 :: :: :: :: 7:
: : : :
6 7
Step 3 (Set the decryption structure): For given 4 5
two ciphertext vectors c1 and c2 with the corresponding .c1;l /1 .c1;l /d C2


.c1;l /l
public-key sets K1 and K2 , compute the matrix C, So, according to Step 4, we use the joint secret key
C D LBD2!d C1 .BitD.cT1 // 2 Rq.l d /.l d /
: FK to decrypt cmult .

cmult
FK .mod 2/ D C

FK .mod 2/ D LBD2!d C1 .BitD.cT1 //
cT2
FK .mod2/ D

cT2
2 3 2 3
.c1;1 /1 .c1;1 /d + 2


.c1;1 /l 20 m2 C hs2;1 C 2e2;1
7 6 d C1
6 .c1;d C2 /1 .c1;d C2 /d + 2


.c1;d C2 /l 7 6 2 m2 C hs2;d C2 C 2e2;d C2 e 0 Dhs2;&C2e2;&
6 7
7
FK 2;& D
7
:: :: :: 7
6 ::
::
6
: : : : :
6 7 6 7
4 5 4 5
.c1;l /1 .c1;l /d C2


.c1;l /l 2l 1 m2 C hs2;l C 2e2;l
2 3 2 3
.c1;1 /1 .c1;1 /d +2


.c1;1 /l 20 m2 FK C FK e 02;1
6 .c1;dC2 /1 .c1;dC2 /d +2


.c1;dC2 /l 7 6 2d C1 m2 FK C FK e 02;d C2 7
6 7 6 7
6 :: :: :: :: 7
6 :: 7D
: : : : :
6 7 6 7
4 5 4 5
.c1;l /1 .c1;l /dC2


.c1;l /l 2l 1 m2 FK C FK e 02;l
2 3
Xl
6 .c1;1 /1 .20 m2 FK C FK e 02;1 / C .c1;1 /& .2& 1 m2 FK C FK e 02;& / 7
6 7
6 &Dd C2 7
l
6 7
6 X 7
0
6 1;d C2 /1 .2 m2 FK C FK e 2;1 / C
6 .c 0
.c1;d C2 /& .2& 1 m2 FK C FK e 02;& / 7
7:
7
6
&Dd C2
::
6 7
6 7
6 : 7
6
6 Xl 7
7
0 0 & 1 0
4 .c1;l /1 .2 m2 FK C FK e2;1 / C .c1;l /& .2 m2 FK C FK e 2;& / 5
&Dd C2
 Xiaoliang Che et al.: Modified Multi-Key Fully Homomorphic Encryption Based on NTRU Cryptosystem


571

We set c1 FK1 D m O 1 FK1 Cv01 and c2 FK2 D m

O 2 FK2 C can be bounded as follows:
0 0 0
v2 , let kv1 jj1 D kv2 jj1 < . Thus, the first element is
selected as decryption, kcmult;1 FK k1 D m1 m2 FK C
c mult;1 FK D .c1;1 /1 .20 m2 FK C FK e 02;1 /C 0
l
X
l 0 0
K1 v 1;1 C
X @m2 FK .c1;1 /& FK K2 v 2;1
& 1
.c1;1 /& .2 m2 FK C FK e 02;& / D &D1
&Dd C2 1
dC1 dC1
l
X X
0
X .c1;1 /& FK K2 v 2;1 m2 .2& 1 c1;1 /& FKA 6
.c1;1 /& .2& 1
m2 FK C FK e 02;& / &D2 &D2 1
&D1
d C1 km1 m2 FK k1 C km2 FK K1 v 01;1 k1 C
X
.c1;1 /& .2& 1
m2 FK C FK e 02;& / D
0 1
Xl Xd C1
0
&D2 @ .c1;1 /& .c1;1 /& A FK K2 v 1;1 C
&D2
l l &D1 1
X X
.2& 1
c1;1 /& m2 FK C .c1;1 /& FK e 02;& d
X C1
&D1 &D1 m2 .2& 1
c1;1 /& FK 6 Er C2.n 1/Er NC
0 1
d C1 d C1 &D2 1
X X
@ .c1;1 /& FK e 02;& C .2& 1
c1;1 /& m2 FK A D .4.n 1/2 .l d //Er N C .2d C2 4/.n 1/Er (10)
&D2 &D2
0 Thus, the starting error can be easily obtained as
l
X 0 < 3.n 1/.2B C 1/2 . Then, the magnitude of 
0 0
m1 m2 FK C @m2 FK K1 v 1;1C .c1;1 /& FK K2 v 2;1 is calculated. For N users having a set of public-keys
&D1 K1 , the worst case is that c1 is the product of all the
1
d
X C1 dC1
X users’ fresh ciphertexts. Specifically, for N D 2, we
0
.c1;1 /& FK K2 v 2;1 m2 .2& 1 c1;1 /& FKA (9) have fc11 ; f1 g and fc12 ; f2 g, where c11 and c12 denote the
&D2 &D2 fresh ciphertext vectors. The magnitude of  is bounded,
where kv 01;1 k1
D kv01 jj1
and kv 02;1 k1 D kv02 jj1 . N D2 < .2.n 1/.2B C1// .2.n 1/.l d /C1/ 0 C
So we can get cmult;1 FK .mod 2/ D m1 m2 . The error
.2d C2 4/.n 1/E2 :
magnitude is bounded by kcmult;1 FK k1 6 q=2.
Further, as N D 3, set D c11 c12 ; f 01 D f1 f2 g and
fc01
4.3 Parameters analysis 1
fc3 ; f3 g. So the magnitude of  is bounded,
As already explained, by using the LBD&DEC N D3 < .2.n 1/.2B C 1// N D2 C
technique, the original, inherent decryption structure
.4.n 1/2 .l d //E2 0 C
of the NTRU-type MKHE can be modified.
d C2
Theorem 1 Set LBD constant d , c˛ FK˛ D .2 4/.n 1/E3 :
mO ˛ FK˛ C v0˛ , and kv0˛k1 < . Let cmult;1 be the first Accordingly, for N users, set D c11 : : : c1N 1 ; f 01 D
fc01
column of the ciphertext vector cmult D C
cT2 2 Rql d , 1
f1 : : : fN 1 g and fcN ; fN g. So, the magnitude of  is
and C D LBD2!d C1 .BitD.cT1 // 2 Rq.l d /.l d/
. Then, bounded,
we have  6 .2.n 1/.2B C 1//N 1 C
cmult;1 FK D m1 m2 FK C vmult;1 .4.n 1/2 .l d //EN 1 0 C
and .2d C2
4/.n 1/EN :
kvmult;1 k1 6 .2.n 1/.l d / C 1/  This yields to the following relationship:
 
3  6 .2.n 1/.2B C 1//N 0 C
ErC2 C 3N.n 1/.l d /ErC1 C
2
.3N.n 1/.l d /EN C1 /C
.1CN.2dC2 4/.n 1/ .2.n 1/.l d /C1// d C2
N.2 4/.n 1/EN D
.2d C2 4/.n 1/Er ;
3
where Er = 2r 1 .n 1/r 1 .2B C 1/r . EN C2 C 3N.n 1/.l d /EN C1 C
2
Proof According to Eq. (9), the error of cmult;1 FK N.2d C2 4/.n 1/EN (11)
 572 Tsinghua Science and Technology, October 2020, 25(5): 564–578

By combining Eqs. (10) and (11), we get 3N .n 1/dEN C1 > N.2d C2 4/.n 1/EN
kcmult;1 FK k1 6 Er C.2.n 1/.l d / C 1/ d C1
.2 2/

3
 ) 3.n 1/.2B C 1/ > (12)
ErC2 C 3N.n 1/.l d /ErC1 C d
2 It can be easily found that .2d 1//d is incremental
.1CN.2dC2 4/.n 1/.2.n 1/.l d /C1// of d .d > 0/. So, d has an upper bound that makes  be
the closest to 0 . We let d1 be the upper bound of d , if
.2d C2 4/.n 1/Er :
d D d1 , then   0 . Therefore, we need to verify
So, the decryption structure is obtained cmult;1 Fr D 
the correctness of the relationship kcmult;1 FK k1 >
m1 m2 Fr C vmult;1 . Since kcmult;1 FK k1 . So, we have
kcmult;1 Fr k1 D km1 m2 Fr k1 C kvmult;1 k1 : 
kcmult;1 FK k1 > kcmult;1 FK k1
Further, we obtain 0
)d1 2.n 1/Er N > .2d1 C1 2/Er
kvmult;1 k1 6 .2.n 1/.l d / C 1/ 

3
 3 .2d1 C1 2/Er
ErC2 C 3N.n 1/.l d /ErC1 C ) ErC2 C 3N.n 1/lErC1 >
2 2 d1
d1C1
.2 2/
.1CN.2dC2 4/.n 1/ .2.n 1/.l d /C1// )6.n 1/2 .2B C1/.N l C2B C1/ > (13)
d1
.2d C2 4/.n 1/Er :  Since 6.n 1/2 .2B C 1/.N l C 2B C 1/ > 3.n
According to Theorem 1, it can be found that when 1/.2B C 1/ is obviously satisfied, Eq. (13) holds. Thus,
3
d D 0, kvmult;1k16 .2.n 1/l C1/ ErC2C3N.n 1/l  for any value of N , we can select d that satisfies d D
 2 fmax.d /j.2d 1//d 6 3.n 1/.2B C 1/=2; d > 0g to
ErC1 . This denotes the error generated only by the 
ensure kcmult;1 FK k1 > kcmult;1 FK k1 . 
ciphertext dimension extension technique. According to Theorems 1 and 2, the LBD&DEC
Theorem 2 Set LBD constant d . The LBD&DEC can be used to improve the decryption structure, while
technique can decrease both the ciphertext dimension decreasing the error magnitude. Consequently, Method
and error magnitude, and d satisfies the following 2 can be used to modify the NTRU-type multi-key
relationship: homomorphic encryption schemes.
d D fmax.d /j.2d 1//d 6 3.n 1/.2BC1/=2; d > 0g:
Proof Take the homomorphic multiplication as an
5 Modified NTRU-Type Multi-Key
example, the LBD technique is to decrease the ciphertext Somewhat Homomorphic Encryption
dimension and error magnitude. If the LBD technique is According to the analysis provided in Section 4, Method
not used in the ciphertext vector, the decryption structure 2 has two advantages.
is assumed as cmult
FK D BitD..c1 /T /
.c2 /T
FK . The (1) The DEC technique improves the decryption
decryption can be completed by using the first column structure of the NTRU-type scheme and eliminates the
of cmult
FK , key-switching operations, which significantly decreases
 
cmult;1 FK D m1 m2 FK C m2 FK K1 v1;1 C the dependence of the error on N (the dependence is
l
X exponentially decreasing).
 
.c1;1 /& FK K2 v2;1 : (2) The LBD technique reduces the ciphertext
&D1 dimension and further decreases the error magnitude.
 
Assume the magnitude of errors v1;1 and v2;1 is 0 . Based on Method 2, we propose an NTRU-type
According to Eq. (10), MKSHE by using the LBD&DEC technique.

kcmult;1 FK k1 6 Er C.2.n 1/l C 1/ 2.n 1/Er N 0 : 5.1 Modified NTRU-type MKSHE
Obviously, the LBD can reduce the ciphertext
Let  be a security parameter; qDq./ 2 Z is a
dimension from l to .l d /, but we want to decrease the
prime integer; and ˚n .x/ D x n 1 C x n 2 C


C 1 (n
error magnitude at the same time. Note that the starting
is a prime) is the sub-cyclotomic polynomial. For the
error is 0 < 3.n 1/.2B C 1/2 . According to Theorem
polynomial ring given by R D ZŒx=˚n .x/ and Rq D
1, when d D 0, we can obtain
R=qR, and a B-bound error distribution  = ./ over
0 6 3EN C2 =2 C 3N.n 1/lEN C1 : R, set l as a B-bound error distribution space, where
Compared to Eq. (11), there is a constant d > 0 that l D dlog qe. The modified NTRU-type MKSHE (denote
makes 0 > , which is given by as M-MKSHE) can be described as follows.
 Xiaoliang Che et al.: Modified Multi-Key Fully Homomorphic Encryption Based on NTRU Cryptosystem


573

(1) M-MKSHE: KeyGen.1 /: Sample f 0 ; g , Homomorphic multiplication: Considering the

0
and set f = 2f C 1, so that f  [Link] 2/. If f is not decryption of homomorphic multiplication, we can get
invertible in Rq , resample f 0 . Set h D 2g=f 2 cmult
FK D .LBD2!dC1 .BitD.cT1 //
cT2 /
FK 2 Rql d :
Rq , so pk WD h 2 Rq , sk WD f 2 R. Set l D dlog qe, By selecting the first column of cmult
FK , we get
and let discard constant d satisfy the following
relationship: 0
cmult;1 FK D m1 m2 FK C m2 FK K1 v 1;1 C
d D fmax.d /j.2d 1//d 6 3.n 1/.2B C 1/=2; d > 0g:
l dC1
Output: .pk; sk; int/ D .h; f; d /.
X X
0 0
.c1;1 /& FK K2 v2;1 .c1;1 /& FK K2 v 2;1
(2) M-MKSHE: [Link]; m/: Compute m O D & D1 &D2
LBD2!d C1 .Pof 2.m//, and sample s; e l d . dC1
!
Output: c WD m O C hs C 2e 2 Rql d .
X
m2 .2& 1 c1;1 /& FK :
(3) M-MKSHE. Dec.sk1 ; sk2 ; : : : ; skN ; c/: Select the &D2
first element c1 from the ciphertext vector c, let u WD Note that Œcmult;1 FK q .mod 2/ D m1 m2 .
.sk1 sk2


skN /c1 2 Rq . Remark: It is not necessary to consider whether K1 \
Output: m0 WD [Link] 2/. K2 is empty.
(4) M-MKSHE. Eval: Add.c1 ; c2 /: Compute the (2) Circuit depth of M-MKSHE scheme
addition of c1 and c2 as cadd D Œc1 C c2 q . Theorem 3 For the parameter values provided
(5) M-MKSHE. Eval: Mult.c1 ; c2 /: Compute the above, the M-MKSHE can evaluate any circuit depth,
matrix C D LBD2!d C1 .BitD.cT1 // 2 Rq.l d /.l d / : log q
L= :
Output: cmult D C
cT2 2 Rql d . .N j C 1/ log.n 1/ C log log q C O.1/
5.2 Analysis results Proof As already mentioned, in this work we
(1) Correctness of M-MKSHE scheme consider only the error of multiplication. Without loss
Homomorphic addition: Since m O ˛ D .m˛ ; of generation, we set K1 \ K2 D fpki1 ; : : : ; pkij g, so
2 d C1 l 1
m˛ ; : : : ; 2 m˛ /, by using FK = f1 f2


fr r D 2N j . For any level of multiplication operations,
to decrypt the ciphertext vector, we can get the multiplication of ciphertexts can be decrypted by
FK c˛ D .FK m˛ ; 2d C1 FK m˛ ; : : : ; 2l 1 FK m˛ / C v˛ ; FK . According to Theorem 1, after the first level
where v˛ denotes the error vector. For cadd D Œc1 C c2 q , homomorphic multiplication evaluation, the error of
.1/ .1/
we get cmult;1 FK (here cmult;1 denotes the first element of vector
cmult in the first level) is bounded,
cadd
FK DFK
.c1Cc2 /DFK
..m1Cm2 /; 2d C1 .m1Cm2 /; 
(1) 3
: : : ; 2l 1
.m1 Cm2 // C FK 0 0 kvmult;1 k1 6 .2.n 1/.l d / C 1/ ErC2 C
K1 v1 CFK K2 v2 ; 2

where v01 and v02 are the error vectors with the magnitude 3N.n 1/.l d /ErC1 C .2d C2 4/.n 1/Er C
of . So, by selecting the first column of cadd FK , we
have N.2.n 1/.l d /C1/..2dC2 4/.n 1//2 Er :
Œcadd;1 FK q .mod 2/ D .m1 C m2 /: At the second level, we set
2 3
l
.c1;1 /& .2& 1
m2 C e 02;& / C .c1;1 /1 .20 m2 C e 02;1 /
P
6 7
6 &Dd C2 7
l
6 7
0 0
.c1;d C2 /& .2& 1 0
6 P 7
6 m2 C e 2;& / C .c1;d C2 /1 .2 m2 C e 2;1 / 7
c.2/ D 7 2 Rql d
:
6 7
1 6 &Dd C2
6 :: 7
6
6 : 7
7
6 l 7
.c1;l /& .2& 1
m2 C e 02;& / C .c1;l /1 .20 m2 C e 02;1 /
4 P 5
&Dd C2

In the same way, we can get c.2/ l

2 2 Rq
d
. Let c.2/ c.2/ .2/ .2/ .2/ .2/ l d
1 mult
FK D .LBD2! dC1 .BitD.c1 //
c2 /
FK 2Rq :
and c.2/
correspond to the public-key sets K1 and K2 ,
2 Further, the first column of c.2/ .2/
mult
FK is selected for
respectively. It should be noted,
homomorphic decryption,
 574 Tsinghua Science and Technology, October 2020, 25(5): 564–578

.2/
FK.2/ D m.2/ .2/ .2/ log q C log 3
cmult;1 1 m2 FK C
0
l
log q
) L (15)
@m.2/ .1/ .1/ .N j C1/ log.n 1/Cloglog qCO.1/
X
2 FK N vmult;1 C .c1;1 /& FK N vmult;1
&D1 
1 According to Eqs. (14) and (15), with the increase of
dC1 dC1
X .1/ .2/
X parameter N , the error magnitude increases, and the
.c1;1 /& FK N vmult;1 Cm2 .2& 1 c1;1 /& FK A D
&D2 &D2
circuit depth decreases. However, j can reduce the
impact of N , which is contrary to the BC-MKSHE
m.2/ .2/ .2/ .2/
1 m2 FK C vmult;1 : scheme.
.2/
So, we obtain the bound of kvmult;1 k1 , 5.3 Parameters comparison
.2/ .1/
kvmult;1k162.n 1/.1C2.n 1/.l d //Er Nkvmult;1k1C In the BC-MKSHE scheme, after one homomorphic
.n 1/.2d C2 4/Er : multiplication operation, the error satisfies the following:
For convenience, let P = .1 C 2.n 1/.l d //, ErrorBC-MKSHE < 6l.n 1/E2N C 22N E4N :
Q D .2d C2 4/.n 1/. So, we have However, in our M-MKSHE scheme, the upper bound
.2/ .1/ of the error is given by:
kvmult,1 k1 6 2.n 1/P Er N kvmult,1 k1 CQEr 6
ErrorM-MKSHE 6 .2.n 1/l C 1/ 
3 2
P E2r N C2 C3N P .n 1/.l d /E2r N C1C
 
3
2 ErC2 C3N.n 1/lErC1 CEr :
.1 C N  Q  P / .P  Q/E2r N C Q  Er : 2
After L levels of homomorphic operations, the error The ratio of the two previous error bounds is given,
magnitude can grow up, ErrorBC-MKSHE
Ratio D 
.L/
kvmult;1 .L 1/
k1< 2.n 1/.1C2.n 1/.l d //Er N kvmult;1 k1C ErrorM-MKSHE
3 1/E2N C 22N E4N
6l.n
Q  Er < P L ELr .L 1/NC2 C   
2 3
.2.n 1/l C1/ ErC2C3N.n 1/lErC1 CEr
3N  P L 1
.n 1/.l d /ELr .L 1/NC1 C 2
2N
.1 C N  Q  P / .P L  Q/ELr 2 E2N
.L 1/N C (16)
L
N.n 1/ log q C O.1/
X
Q P@ 1
 E.@ 1/r .@ 2/N (14) According to Eq. (16), the error magnitude of our M-
@D2 MKSHE scheme is decreased exponentially compared
where @ is a constant variable. The magnitude of to the BC-MKSHE scheme.
km.L/ .L/
1 m2 FK k1 is ignored because it is much smaller In the following, the comparison of these two schemes
.L/ .L/ regarding the other parameters is provided, such as the
than kvmult;1 k1 , and let kvmult;1 k1 < q=2.
According to Theorem 2, if the LBD technique is not ciphertext size, secret key size, public key size, and
used in our scheme, the value of d is 0, which yields to evaluation key size.
.L/ Take one homomorphic multiplication operation as an
the following error bound of kvmult;1 k1 :
.L/ 3 example. In the BC-MKSHE scheme, the ciphertexts
kvQ mult;1 k1 < .1 C 2.n 1/l/L ELr .L 1/N C2 C are two polynomials in Rq , whose degree is smaller than
2
3N .1 C 2.n 1/l/L 1 .n 1/lELr .L 1/N C1 : .n 1/, so the size of ciphertexts is 2.n 1/ log q. Also,
the public keys are 2N polynomials in Rq , so the size of
Thus, by selecting d D fmax.d /j.2d C1 2/=d 6
.L/ public keys is 2N.n 1/ log q. Further, the joint secret
3.n 1/.2B C 1/; d > 0g, the magnitude of kvmult;1 k1
.L/ keys for decrypting are r polynomials in R, and their
becomes infinitely close to kvQ mult;1 k1 . The limit state is coefficients are smaller than .2B C 1/, so the size of
selected at each level, and the final error after the circuit joint secret keys is r.n 1/ log.2B C 1/. Furthermore,
depth of L satisfies the following relationship: the evaluation keys are dlog qe-dimensional polynomials
.L/ q
kvQ mult;1 k1 < whose degree is smaller than .n 1/. Then, after j -times
2
evaluations, the size of the evaluation keys is j.n
) L log .1 C 2.n 1/l/ C .Lr .L 1/N C 2/ 
  1/ dlog qe log q.
2 N In our modified scheme, the key-switching technique
log.2.n 1/.2BC1/ /Clog 1C <
4.n 1/.2BC1/2 is not used and none of the evaluation keys is
 Xiaoliang Che et al.: Modified Multi-Key Fully Homomorphic Encryption Based on NTRU Cryptosystem


575

required. The ciphertexts are .dlog qe d /-dimensional reduction during the homomorphic evaluations.
polynomial vectors, so their size is 2.n 1/.dlog qe KeyGen.1 / will sample a ladder of decreasing moduli
d / log q. The same as for the BC-MKSHE, the size of q0 > q1 >


> qL . The error distribution  is chosen
public keys is 2N.n 1/ log q, and the size of joint secret in order to guarantee that any sample is B-bounded,
keys is r.n 1/ log.2B C 1/. See Table 1 for details, where B  qL . In contrast to the M-MKSHE, the
the comparison of the parameters of the M-MKSHE and M-MKFHE adopts the LBD technique twice to keep
BC-MKSHE schemes is provided. the right dimension of ciphertexts. Therefore, in the
As shown in Table 1, our scheme does not require following, two kinds of LBD functions are introduced.
the evaluation key, and the error magnitude is reduced Let LBD! d1 !d2 .V/ denote the .d1 ! d2 / columns of
exponentially, but the ciphertext size is increased by the matrix V are discarded.
.dlog qe d / times. Let LBD#d1 !d2 .V/ denote the .d1 ! d2 / rows of the
matrix V are discarded.
6 Leveled NTRU-Type Fully Homomorphic
The modified leveled scheme is as presented below.
Encryption (1) M-MKFHE: KeyGen.1 /: For every i 2 f0; 1;
According to Theorem 3, the circuit depth is reduced : : : ; Lg, sample g .i / ; f 0.i / , and set f .i / D 2f 0.i / C
with the decrease of N , so the modulus-reduction 1, so that f .i /  [Link] 2/. If f .i / is not invertible in
technique has to be used to decrease the error magnitude Rqi , resample f 0.i / . Let h.i / D 2g .i / =f .i / 2
after every homomorphic evaluation. Rqi 1 , and set pk WD h 2 Rq0 , sk WD f .L/ 2 RqL .
.0/

Modulus-reduction[28, 29] : Modulus-reduction Set the low bit discarded constant d on each ladder,
technique can change the inner modulus q of a where d D fmax.d /j.2dC1 2/=d 6 3.n 1/.2BC1/; d >
ciphertext c to the smaller modulus p (p D q mod 2) 0g.
while roughly scaling down the error by the ratio of p=q Output: fpk; sk; intg D fh.0/ ; f .L/ ; d g.
and preserving the correctness of the decryption under (2) M-MKFHE: [Link]; m/: Sample s.0/ ; e.0/
the same secret key. l0 d , let li D dlog qi e and m O D .Pof 2.m//T 2 Rql00 .
ModulusSwitch.c; q; p/: For input c 2 Rp , and a Output the ciphertext vector,
smaller modulus p, output is c 0 2 Rp , which is the c.0/ WD h.0/ s.0/ C 2e.0/ C LBD#2!d C1 .m/ O 2 Rql00 d :
closest element to .p=q/
c and c 0 D c mod 2. (3) [Link].sk1 ; sk2 ; : : : ; skN ; c.L/ /: Select
Lemma 3 [28] Let p and q be two odd modulus, let the first element c1.L/ 2 RqL from ciphertext vector
c 2 Rq , and define c 0 2 Rq , whose value is the closest
c.L/ 2 RqlLL , set u WD .sk1 sk2


skN /c1.L/ 2 RqL .
to .p=q/c, then c 0  [Link] 2/. So for any f , if
Output: m0 WD [Link] 2/.
kŒf cq k1 < q=2 .q=p/kf k1 , there is
(4) M-MKFHE : Eval: Add.c.i / .i /
1 ; c2 /: For the two
Œf c 0 p D Œf cq .mod 2/; kŒf c 0 p k1 < ciphertexts c.i / .i / li d
1 ; c2 2 Rqi in the i -th level, compute
.p=q/kŒf cq k1 C kf k1 : the addition of c1 and c.i
.i / /
as c.i / .i /
2 add D Œc1 C
Then, by using the modulus-reduction technique, a .i / li d
c2 qi 2 Rqi . Then, reduce the modulus, so we have
leveled MKFHE scheme is designed.
c.i
add
+ 1/
= .qi C1 =qi /
c.i /
add .mod 2/.
6.1 Leveled NTRU-type MKFHE Output: cQ .i C1/
add D LBD#liC1 d + 1!li d
.c.iC1/
add /.
The M-MKSHE is changed so that it uses modulus (5) M-MKFHE : Eval: Mult.c.i / .i /
1 ; c2 /: For the two

Table 1 Comparison of parameters between BC-MKSHE and M-MKSHE.

Parameter BC-MKSHE scheme M-MKSHE scheme
 
3
Maximum size Er C .2.n 1/.l d / C 1/ ErC2 C3N.n 1/.l d /ErC1 C
6l.n 1/E2N C22N E4N 2
of error d C2
.2 4/.n 1/Er C .2.n 1/.l d / C 1/ .N.2d C2 4/.n 1//2 Er
Ciphertext size 2.n 1/ log q 2.n 1/.dlog qe d / log q
Evaluation key size j.n 1/ dlog qe log q 0
Public key size 2N.n 1/ log q 2N.n 1/ log q
Secret key size r.n 1/ log.2B C 1/ r.n 1/ log.2B C 1/
Note: d D fmax.d /j.2d + 1 2/=d 6 3.n 1/.2B C 1/; d > 0g:
 576 Tsinghua Science and Technology, October 2020, 25(5): 564–578

dlog q e d
ciphertexts c.i/ .i /
1 ; c2 2 Rqi i in the i-th level, the ciphertext is decomposed by BitDecomp():RqiC1 !
dlog q e
compute the multiplication of c.i 1
/
and c.i / .i /
2 as cmult D RqiC1 iC1 at the .i C 1/-th level, c.i / .i /
add and cmult are
.i / .i / l d
LBD! 2!d C1 .BitD.c1 //
c2 2 Rqii . Then, by decomposed to .li d /  .li C1 d /-dimension matrices.
reducing the modulus, we get c.iC1/ D .qi C1 =qi /
Therefore, the following algorithm has to be performed,
mult
.i/ and the last .li liC1 /-th rows of the matrixes have
cmult .mod 2/.
to be discarded to keep the correctness of the next
Output: cQ .i C1/ # .iC1/
mult D LBDliC1 d + 1!li d .cmult /. homomorphic operation. The conversion progress is
6.2 Analysis provided in Algorithm 1.
(1) Scheme framework The conversion algorithm is important to achieve
The process of homomorphic operation in the M- a fully homomorphic operation in our M-MKFHE
MKFHE scheme is shown in Fig. 1. The flowchart scheme. It can be seen that the ciphertext dimension
presented in Fig. 1 can be used as a model framework is reduced with the increase in the circuit depth L
for algorithm design. In Fig. 1, the ciphertext is by using the LBD&DEC technique. So, the modulus-
expanded to the vector starting from the plaintext reduction of our M-MKFHE scheme has two main
vector, i.e., c WD LBD#2!d C1 (Pof2T .m// C hs C 2e 2 advantages: (1) Reducing the modulus can decrease the
Rql d . Only the first element of the ciphertext vector is error magnitude. (2) Reducing the modulus can also
decrypted. Therefore, the correctness of the first term of decrease the ciphertext dimension at different levels.
LBD! .i / .i / Both of these advantages can improve the efficiency
2!d C1 .BitD.c1 //
c2 should be ensured. In order
to complete the homomorphic operation, the ciphertext of the MKFHE scheme.
has to be maintained in the vector form. Although the (3) Security
complexity of the ciphertext calculation is increased Our leveled M-MKFHE denotes a modified MKFHE
when the ciphertext vectors are multiplied, the key- in the LTV12 scheme. The techniques of LBD& DEC
switching technique is not used in our scheme. are used. The security of dimension expansion depends
(2) Correctness on the RLWE and DSPR assumptions over prime
For B  qL , the selected LBD constant d is suitable cyclotomic rings. The LBD is based on functions
for all levels of homomorphic operations. Thus, to BitDecomp./ and Powersof 2./. As known in Ref. [6],
reduce the modulus every time, we need to perform functions BitDecomp./ and Powersof 2./ have no effect
the LBD#i !j ./ to discard some rows of the ciphertext on security. Thus, the LBD technique does not affect
vector. For instance, at the i-th level, when the the security of our scheme. According to Refs. [6, 26],
homomorphic operations are completed, we get the .li our M-MKFHE scheme is IND-CPA secured under the
d /-dimensional ciphertexts c.i / .i / li d RLWE and DSPR assumptions over prime cyclotomic
add ; cmult 2 Rqi . After
rings.

sk1 sk2 7 Conclusion

li li
By using the LBD&DEC technique, our modified
multi-key FHE improves the inherent homomorphic
T

Algorithm 1 Conversion at different levels

At the i-th level, the output is expressed as
li d
c.i/ .i/ .i/
add D Œc1 C c2 qi 2 Rqi and
li d
c.i/ ! .i/
mult D LBD2!d C1 .BitD.c1 //
c2 2 Rqi
.i/
.
At the .i C 1/-th level, compute
H
c.iC1/
add D .qiC1 =qi /Œc.i/ .i/
1 C c2 .mod 2/ and
H .iC1/ .i/
cmult D .qi C1 =qi /
cmult .mod 2/:
then input
dimension l d
dimension cQ .iC1/
add D LBD#
liC1 d + 1!li
.iC1/
d .cadd / 2 RqiC1
iC1
and
l d
cQ .iC1/
mult D LBD#
liC1 d + 1!li
.iC1/
d mult /
.c 2 RqiC1
iC1
.
Fig. 1 Process of homomorphic operation in the M-MKFHE
Note: cQ .iC1/
add or cQ .iC1/
mult is the input ciphertext at the .i C 1/-th
scheme.
level.
 Xiaoliang Che et al.: Modified Multi-Key Fully Homomorphic Encryption Based on NTRU Cryptosystem


577

multiplication decryption structure of the NTRU in the [10] C. Peikert and S. Shiehian, Multi-key FHE from LWE,
LTV12 scheme, and successfully eliminates the key- revisited, in Proceedings of Theory of Cryptography-14th
switching operations and decreases the magnitude of International Conference, Berlin, Germany, 2016, pp. 217–
238.
error exponentially. Moreover, our scheme can more [11] Z. Brakerski and R. Perlman, Lattice-based fully dynamic
effectively process the quadratic part of a ciphertext multi-key FHE with short ciphertexts, in Proceedings of
product. The LBD technique used in our M-MKFHE Advances in Cryptology-CRYPTO 2016, Berlin, Germany,
can minimize the ciphertext dimension and improve the 2016, pp. 190–213.
[12] L. Chen, Z. Zhang, and X. Wang, Batched multi-hop multi-
efficiency of the homomorphic operation. key FHE from ring-LWE with compact ciphertext extension,
Acknowledgment in Proceedings of Theory of Cryptography Conference,
Berlin, Germany, 2017, pp. 597–627.
This work was supported by the National Key R&D [13] W. Chongchitmate and R. Ostrovsky, Circuit-private multi-
Program of China (No. 2017YFB0802000), the National key FHE, in Proceedings of IACR International Workshop
on Public Key Cryptography, Berlin, Germany, 2017, pp.
Natural Science Foundation of China (Nos. U1636114
241–270.
and 61872289), and National Cryptography Development [14] T. Li, Q Liu, and R Huang, Multi-user fully homomorphic
Fund of China (No. MMJJ20170112). encryption scheme based on proxy re-encryption for cloud
computing, Tsinghua Science & Technology, vol. 58, no. 2,
References pp. 143–149, 2018.
[15] J. Hoffstein, N. Howgrave-Graham, J. Pipher, J. H.
[1] A. Hamlin, A. Shelat, M. Weiss, and D. Wichs, Multi- Silverman, and W. Whyte, NTRUSign: Digital signatures
key searchable encryption, revisited, in Proceedings of using the NTRU lattice, in Proceedings of Cryptographers
IACR International Workshop on Public Key Cryptography, Track at the RSA Conference, Berlin, Germany, 2003, pp.
Berlin, Germany, 2018, pp. 95–124. 122–140,
[2] O. Goldreich, S. Micali, and A. Wigderson, How to play
[16] L. Ducas, V. Lyubashevsky, and T. Prest, Efficient identity-
any mental game or a completeness theorem for protocols
based encryption over NTRU lattices, in Proceedings of
with honest majority, in Proceedings of the 19th Annual
International Conference on the Theory and Application
ACM Symposium on Theory of Computing, New York, NY,
of Cryptology and Information Security, Berlin, Germany,
USA, 1987, pp. 218–229.
[3] M. Ben-Or, S. Goldwasser, and A. Wigderson, 2014, pp. 22–41.
[17] D. Li, J. Liu, Z. Zhang, Q. Wu, and W. Liu, Revocable
Completeness theorems for non-cryptographic fault-
hierarchical identity-based broadcast encryption, Tsinghua
tolerant distributed computation, in Proceedings of the 20th
Science & Technology, vol. 5, no. 2, pp. 539–549, 2018.
Annual ACM Symposium on Theory of Computing, Chicago, [18] S. Garg, C. Gentry, and S. Halevi, Candidate multilinear
IL, USA, 1988, pp. 1–10. maps from ideal lattices, in Proceedings of Annual
[4] D. Chaum, C. Crépeau, and I. Damgard, V Multiparty
International Conference on the Theory and Applications
unconditionally secure protocols (abstract), in Proceedings
of Cryptographic Techniques, Berlin, Germany, 2013, pp.
of Advances in Cryptology-CRYPTO’87, Berlin, Germany,
1–17.
1987, pp. 462–462.
[5] H. Huang, T. Gong, P. Chen, R. Malekian, and T. Chen, [19] A. Langlois, D. Stehlé, and R. Steinfeld, GGHLite: More
Secure two-party distance computation protocol based on efficient multilinear maps from ideal lattices, in Proceedings
privacy homomorphism and scalar product in wireless of EUROCRYPT 2014, Lecture Notes in Computer Science,
sensor networks, Tsinghua Science & Technology, vol. 21, Berlin, Germany, 2014, pp. 239–256.
[20] D. Stehlé and R. Steinfeld, Making NTRU as secure as
no. 4, pp. 385–396, 2016.
[6] A. López-Alt, E. Tromer, and V. Vaikuntanathan, On-the-fly worst-case problems over ideal lattices, in Proceedings of
multiparty computation on the cloud via multikey fully EUROCRYPT 2011, Lecture Notes in Computer Science,
homomorphic encryption, in Proceedings of the Forty- Berlin, Germany, 2011, pp. 27–47.
Fourth Annual ACM Symposium on Theory of Computing, [21] V. Lyubashevsky, C. Peikert, and O. Regev, On ideal
New York, NY, USA, 2012, pp. 1219–1234. lattices and learning with errors over rings, in Proceedings
[7] C. Gentry, A. Sahai, and B. Waters, Homomorphic of Annual International Conference on the Theory and
encryption from learning with errors: Conceptually-simpler, Applications of Cryptographic Techniques, Berlin, Germany,
asymptotically-faster, attributebased, in Proceedings of 2010, pp. 1–23.
Advances in Cryptology-CRYPTO 2013, Berlin, Germany, [22] M. Albrecht, S. Bai, and L. Ducas, A subfield lattice attack
2013, pp. 75–92. on overstretched NTRU assumptions, in Proceedings of
[8] M. Clear and C. McGoldrick, Multi-identity and multi-key Annual Cryptology Conference, Berlin, Germany, 2016, pp.
leveled FHE from learning with errors, in Proceedings of 153–178.
Advances in Cryptology - CRYPTO 2015, Berlin, Germany, [23] J. H. Cheon, J. Jeong, and C. Lee, An algorithm for NTRU
2015, pp. 630–656. problems and cryptanalysis of the GGH multilinear map
[9] P. Mukherjee and D. Wichs, Two round multiparty without an encoding of zero, LMS Journal of Computation
computation via multi-key FHE, in Proceedings of and Mathematics, vol. 19, no. 1, pp. 255–266, 2016.
Advances in Cryptology - EUROCRYPT 2016, Berlin, [24] Y. Wang, R. Chen, C. Liu, B. Wang, and Y. Wang,
Germany, 2016, pp. 735–763. Asymmetric subversion attacks on signature and
 578 Tsinghua Science and Technology, October 2020, 25(5): 564–578

identification schemes, [Link] 018- 325.

01193-x, 2019. [30] Y. Doröz, Y. Hu, and B. Sunar, Homomorphic AES
[25] Z. Yang, R. Chen, C. Li, L. Qu, and G. Yang, On the evaluation using the modified LTV scheme, Designs Codes
security of LWE cryptosystem against subversion attacks, and Cryptography, vol. 80, no. 2, pp. 1–26, 2015.
[Link] 2019. [31] J. W. Bos, K. Lauter, J. Loftus, and M. Naehrig, Improved
[26] Y. Yu, G. Xu, and X. Wang, Provably secure NTRU security for a ring-based fully homomorphic encryption
instances over prime cyclotomic rings, in Proceedings of scheme, in Proceedings of International Conference on
IACR International Workshop on Public Key Cryptography, Cryptography and Coding, Berlin, Germany, 2013, pp. 45–
Berlin, Germany, 2017, pp. 409–434. 64.
[27] Y. Yu, G. Xu, and X. Wang, Provably secure NTRU [32] D. Micciancio and O. Regev. Worst-case to average-
encrypt over more general cyclotomic rings, https:// case reductions based on Gaussian measures, Society for
[Link]/2017/[Link], 2017. Industrial and Applied Mathematics Journal on Computing,
[28] Z. Brakerski and V. Vaikuntanathan, Efficient fully vol. 37, no. 1, pp. 267–302, 2004.
homomorphic encryption from (standard) LWE, in [33] Z. Chen, Research and design of fully homomorphic
Proceedings of Annual Symposium on Foundations of encryption based on lattice, PhD dissertation, Nanjing
Computer Science, Los Alamitos, CA, USA, 2011, pp. 97– University of Aeronautics and Astronautics, Nanjing, China,
106. 2015.
[29] Z. Brakerski, C. Gentry, and V. Vaikuntanathan, (Leveled) [34] T. Zhou, X. Yang , L. Liu, W. Zhang, and N. Li, Faster
Fully homomorphic encryption without bootstrapping, in bootstrapping with multiple addends, IEEE Access, vol. 1,
Proceedings of the 3rd Innovations in Theoretical Computer no. 1, pp. 49868– 49876, 2018.
Science Conference, Cambridge, MA, USA, 2012, pp. 309–

Xiaoliang Che is a PhD candidate in the Haonan Zhou is a master student in

Engineering University of People’s Armed the Engineering University of People’s
Police, Xi’an, China. His main research Armed Police. His main research interests
interests include fully homomorphic include fully homomorphic encryption and
encryption and encryption scheme based encryption scheme based on lattice.
on lattice.

Tanping Zhou received the PhD degree Zhenhua Chen received the PhD degree
from the Engineering University of People’s from Shaanxi Normal University, Xi’an,
Armed Police in 2018. He is now a lecturer China in 2014. Currently, she is an associate
in Engineering University of People’s professor at Xi’an University of Science and
Armed Police. His main research interests Technology. Her research interests include
include fully homomorphic encryption and secure multiparty computation, public-key
encryption scheme based on lattice. encryption, etc.

Xiaoyuan Yang received the MS degree

Ningbo Li is a PhD candidate in the from Xi’an Electronic Science and
Engineering University of People’s Technology University, Xi’an, China in
Armed Police. His main research interests 1991. He is now a professor and a PhD
include fully homomorphic encryption and supervisor in the Engineering University of
encryption scheme based on lattice. People’s Armed Police. His main research
His main research interests include fully interests include information security and
homomorphic encryption and encryption cryptology.
scheme based on lattice.