Subring Homomorphic Encryption

Conference paper. In: Information Security and Cryptology – ICISC 2017 (ICISC 2017)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10779)

Abstract

In this paper, we construct a subring homomorphic encryption scheme, that is, a homomorphic encryption scheme built on the decomposition ring, which is a subring of the cyclotomic ring. In the scheme, each plaintext slot contains an integer in \(\mathbb {Z}_{p^l}\), rather than an element of \(\mathrm {GF}(p^d)\) as in conventional homomorphic encryption schemes on cyclotomic rings. Our benchmark results indicate that the subring homomorphic encryption scheme is several times faster than HElib for mod-\(p^l\) integer plaintexts, owing to the high parallelism of its mod-\(p^l\) integer slot structure. We believe that such a plaintext structure composed of mod-\(p^l\) integer slots is more natural, easier to handle, and significantly more efficient for many applications, such as outsourced data mining, than conventional \(\mathrm {GF}(p^d)\) slots.


Notes

  1. For instance, Lu, Kawasaki and Sakuma [13] use HElib with parameters \(n=m-1=27892\) and \(p \approx 2^{36}\) to perform the homomorphic computation needed for their statistical analysis on encrypted data at 110-bit security, which results in a plaintext space composed of \(l \approx 70\) copies of the Galois field \(\mathrm {GF}(p^d)\) of degree \(d = n/l \approx 398\). They are forced to use only constant polynomials in those Galois fields.

References

  1. Albrecht, M.R.: On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 103–129. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_4

  2. Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015)

  3. Brakerski, Z.: Fully homomorphic encryption without modulus switching from classical GapSVP. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 868–886. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_50

  4. Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: ITCS, pp. 309–325. ACM (2012)

  5. Cheon, J.H., Kim, M., Lauter, K.: Homomorphic computation of edit distance. In: Brenner, M., Christin, N., Johnson, B., Rohloff, K. (eds.) FC 2015. LNCS, vol. 8976, pp. 194–212. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48051-9_15

  6. Fan, J., Vercauteren, F.: Somewhat practical fully homomorphic encryption. IACR Cryptology ePrint Archive, Report 2012/144 (2012)

  7. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC, pp. 169–178. ACM (2009)

  8. Gentry, C., Halevi, S., Smart, N.P.: Homomorphic evaluation of the AES circuit. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 850–867. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_49

  9. Graepel, T., Lauter, K., Naehrig, M.: ML confidential: machine learning on encrypted data. In: Kwon, T., Lee, M.-K., Kwon, D. (eds.) ICISC 2012. LNCS, vol. 7839, pp. 1–21. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-37682-5_1

  10. Halevi, S., Shoup, V.: Algorithms in HElib. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 554–571. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_31

  11. Liu, J., Li, J., Xu, S., Fung, B.C.M.: Secure outsourced frequent pattern mining by fully homomorphic encryption. In: Madria, S., Hara, T. (eds.) DaWaK 2015. LNCS, vol. 9263, pp. 70–81. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-22729-0_6

  12. Lauter, K., López-Alt, A., Naehrig, M.: Private computation on encrypted genomic data. In: Aranha, D.F., Menezes, A. (eds.) LATINCRYPT 2014. LNCS, vol. 8895, pp. 3–27. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16295-9_1

  13. Lu, W., Kawasaki, S., Sakuma, J.: Using fully homomorphic encryption for statistical analysis of categorical, ordinal and numerical data. In: Network and Distributed System Security Symposium (NDSS), February 2017

  14. Laine, K., Player, R.: Simple Encrypted Arithmetic Library - SEAL (v2.0). Technical report, Microsoft Research, MSR-TR-2016-52, September 2016

  15. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1

  16. Lyubashevsky, V., Peikert, C., Regev, O.: A toolkit for ring-LWE cryptography. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 35–54. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_3

  17. Smart, N.P., Vercauteren, F.: Fully homomorphic SIMD operations. Des. Codes Crypt. 71(1), 57–81 (2014)

Acknowledgments

This work was supported by JST CREST Grant Number JPMJCR1503. This work is further supported by the JSPS KAKENHI Grant Number 17K05353.

Author information

Correspondence to Seiko Arita.


A Appendices

A.1 Proofs of Lemmas

Proof of Lemma 2. \(\mathrm {Tr}_{Z|\mathbb {Q}}(\eta _i) = \mathrm {Tr}_{Z|\mathbb {Q}}(\mathrm {Tr}_{K|Z}(\zeta ^{t_i})) = \mathrm {Tr}_{K|\mathbb {Q}}(\zeta ^{t_i})\). So, by Lemma 1, \(\mathrm {Tr}_{Z|\mathbb {Q}}(\eta _i) = -1\) for any i. Similarly, \(\mathrm {Tr}_{Z|\mathbb {Q}}(\overline{\eta }_i) = \mathrm {Tr}_{Z|\mathbb {Q}}(\mathrm {Tr}_{K|Z}(\zeta ^{-t_i})) = \mathrm {Tr}_{K|\mathbb {Q}}(\zeta ^{-t_i}) = -1\).    \(\Box \)

Proof of Lemma 3. Since the index m is prime, the cyclotomic ring R has the basis \(B = \{1, \zeta , \ldots , \zeta ^{m-2}\}\) over \(\mathbb {Z}\). Since \(\zeta \) is a unit of R, \(B^\prime := \zeta B = \{\zeta , \zeta ^2, \ldots , \zeta ^{m-1}\}\) is also a basis of R over \(\mathbb {Z}\). The fixing group \(G_Z = \langle \rho _p\rangle \) of Z acts on \(B^\prime \) and decomposes it into the g orbits \(\zeta ^{t_i \langle p\rangle } = \{\zeta ^{t_i}, \zeta ^{t_i p}, \ldots , \zeta ^{t_i p^{d-1}} \}\) (\(i=0,\ldots ,g-1\)). An element \(z = \sum _{i=1}^{m-1} z_i \zeta ^i \in R_Z\), being fixed by the action of \(G_Z\), must have a constant integer coefficient on each orbit \(\zeta ^{t_i \langle p\rangle }\). Hence z is a \(\mathbb {Z}\)-linear combination of \(\{\eta _0, \ldots , \eta _{g-1}\}\).    \(\Box \)

Proof of Lemma 4. For \(0 \le i,j < g\),

$$\begin{aligned} \overline{\eta }_i \eta _j&= \Bigl (\sum _{a \in \langle p\rangle } \zeta ^{-a t_i}\Bigr ) \Bigl (\sum _{b \in \langle p\rangle } \zeta ^{b t_j}\Bigr ) = \sum _{a,b \in \langle p\rangle } \zeta ^{- a t_i + b t_j} = \sum _{a \in \langle p\rangle } \sum _{b \in \langle p\rangle } \rho _a(\zeta ^{-t_i + b a^{-1} t_j}) \\&= \sum _{a \in \langle p\rangle } \sum _{b \in \langle p\rangle } \rho _a(\zeta ^{-t_i + b t_j}) = \sum _{b \in \langle p\rangle } \mathrm {Tr}_{K|Z}(\zeta ^{-t_i + b t_j}). \end{aligned}$$

Suppose \(i \ne j\). Then \(-t_i + b t_j \not \equiv 0 \pmod {m}\) for any \(b \in \langle p\rangle \), since \(t_i\) and \(t_j\) lie in different cosets of \(\langle p\rangle \). Hence, by Lemma 1,

$$\begin{aligned} \mathrm {Tr}_{Z|\mathbb {Q}}(\overline{\eta }_i \eta _j) = \sum _{b \in \langle p\rangle } \mathrm {Tr}_{K|\mathbb {Q}}(\zeta ^{-t_i + b t_j}) = |\langle p\rangle | \cdot (-1) = -d. \end{aligned}$$

If \(i = j\), then by Lemma 1 \(\mathrm {Tr}_{K|\mathbb {Q}}(\zeta ^{-t_i + b t_i})\) equals \(m-1\) if \(b = 1\) and \(-1\) otherwise, so

$$\begin{aligned} \mathrm {Tr}_{Z|\mathbb {Q}}(\overline{\eta }_i \eta _i) = \sum _{b \in \langle p\rangle } \mathrm {Tr}_{K|\mathbb {Q}}(\zeta ^{-t_i + b t_i}) = m - 1 + (d - 1) \cdot (-1) = m - d \end{aligned}$$

   \(\Box \)

Proof of Corollary 1. For any i, by Lemmas 2 and 4 we have

$$\begin{aligned} \mathrm {Tr}_{Z|\mathbb {Q}}\Bigl (\frac{\eta _i - d}{m} \cdot \overline{\eta _i}\Bigr ) = \frac{1}{m} (m-d) - \frac{d}{m} \cdot (-1) = 1. \end{aligned}$$

Similarly, for any \(i \ne j\) we have

$$\begin{aligned} \mathrm {Tr}_{Z|\mathbb {Q}}\Bigl (\frac{\eta _i - d}{m} \cdot \overline{\eta _j}\Bigr ) = \frac{-d}{m} - \frac{d}{m} \cdot (-1) = 0 \end{aligned}$$

   \(\Box \)
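The following worked instance of Lemmas 2 and 4 and Corollary 1 is added here for illustration and is not part of the paper. Take \(m = 7\) and \(p = 2\). Then \(\langle 2\rangle = \{1,2,4\} \subset \mathbb {Z}_7^*\), so \(d = 3\), \(g = 2\), and one may take the coset representatives \(t_0 = 1\), \(t_1 = 3\). The \(\eta \)-basis is

$$\begin{aligned} \eta _0 = \zeta + \zeta ^2 + \zeta ^4, \qquad \eta _1 = \zeta ^3 + \zeta ^5 + \zeta ^6, \end{aligned}$$

and since \(-1 \notin \langle 2\rangle \), complex conjugation swaps the two: \(\overline{\eta }_0 = \eta _1\) and \(\overline{\eta }_1 = \eta _0\). Expanding the products and using \(\sum _{k=0}^{6} \zeta ^k = 0\),

$$\begin{aligned} \eta _0 \eta _1 = 3 + (\zeta + \zeta ^2 + \cdots + \zeta ^6) = 2, \qquad \eta _0^2 = \eta _0 + 2\eta _1, \qquad \eta _1^2 = 2\eta _0 + \eta _1. \end{aligned}$$

The trace \(\mathrm {Tr}_{Z|\mathbb {Q}}\) is the sum over the two conjugates, so \(\mathrm {Tr}_{Z|\mathbb {Q}}(\eta _0) = \mathrm {Tr}_{Z|\mathbb {Q}}(\eta _1) = \eta _0 + \eta _1 = -1\) (Lemma 2), and

$$\begin{aligned} \mathrm {Tr}_{Z|\mathbb {Q}}(\overline{\eta }_0 \eta _0) = \mathrm {Tr}_{Z|\mathbb {Q}}(2) = 2g = 4 = m - d, \qquad \mathrm {Tr}_{Z|\mathbb {Q}}(\overline{\eta }_0 \eta _1) = \mathrm {Tr}_{Z|\mathbb {Q}}(2\eta _0 + \eta _1) = -3 = -d, \end{aligned}$$

as Lemma 4 states. For Corollary 1,

$$\begin{aligned} \mathrm {Tr}_{Z|\mathbb {Q}}\Bigl (\frac{\eta _0 - 3}{7} \cdot \overline{\eta }_0\Bigr )&= \frac{\mathrm {Tr}_{Z|\mathbb {Q}}(\eta _0 \eta _1) - 3\, \mathrm {Tr}_{Z|\mathbb {Q}}(\eta _1)}{7} = \frac{4 + 3}{7} = 1, \\ \mathrm {Tr}_{Z|\mathbb {Q}}\Bigl (\frac{\eta _0 - 3}{7} \cdot \overline{\eta }_1\Bigr )&= \frac{\mathrm {Tr}_{Z|\mathbb {Q}}(\eta _0^2) - 3\, \mathrm {Tr}_{Z|\mathbb {Q}}(\eta _0)}{7} = \frac{-3 + 3}{7} = 0. \end{aligned}$$

Since \(\eta _0 + \eta _1 = -1\) and \(\eta _0 \eta _1 = 2\), the elements \(\eta _0, \eta _1\) are the roots of \(X^2 + X + 2\), so \(Z = \mathbb {Q}(\sqrt{-7})\). Modulo \(p = 2\) this polynomial splits as \(X(X+1)\): p splits completely in Z, and \(R_Z / 2R_Z \cong \mathbb {Z}_2 \times \mathbb {Z}_2\) gives \(g = 2\) slots, each holding an integer mod 2. On the full cyclotomic ring, by contrast, \(\varPhi _7 \equiv (X^3 + X + 1)(X^3 + X^2 + 1) \pmod 2\), so its two slots are copies of \(\mathrm {GF}(2^3)\). This is the slot-structure difference described in the abstract.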

Proof of Lemma 5

$$\begin{aligned} {\varvec{a}} \;&= \; \varGamma _Z {\varvec{b}} \; = \; \Bigl (\rho _{t_i}(\frac{\overline{\eta }_j - d}{m})\Bigr )_{ij} {\varvec{b}} \; = \; \Bigl (\frac{1}{m} \sum _j \rho _{t_i}(\overline{\eta }_j - d) b_j\Bigr )_i \\&= \; \frac{1}{m} \Bigl (\sum _j \rho _{t_i}(\overline{\eta }_j) b_j - d \sum _j b_j\Bigr )_i \; = \; \frac{1}{m} \Bigl (\overline{\varOmega }_Z {\varvec{b}}- d \bigl (\sum _j b_j\bigr ) \cdot {\varvec{1}} \Bigr ) \;\;\;\;\end{aligned}$$

   \(\Box \)

Proof of Lemma 6. The first claim is the definition of \(\varvec{\xi }\).

Since \( \varOmega _Z = \Bigl (\sigma _Z(\eta _j)\Bigr )_{0 \le j < g}, \) \(a = \varvec{\eta }^T \cdot {\varvec{a}}\) if and only if \(\sigma _Z(a) = \varOmega _Z {\varvec{a}}\).

Next,

$$\begin{aligned} a = \varvec{\xi }^T \cdot {\varvec{b}} \;&\Leftrightarrow \; a \equiv \varvec{\eta }^T (\varOmega _Z^{(q)})^{-1} \cdot {\varvec{b}} \pmod {\mathfrak {q}} \\&\Leftrightarrow \; \sigma _Z(a) \equiv \varOmega _Z (\varOmega _Z^{(q)})^{-1} \cdot {\varvec{b}} \equiv {\varvec{b}} \pmod {\mathfrak {q}} \;\;\;\;\end{aligned}$$

   \(\Box \)

Proof of Lemma 7.   \(\sigma _Z(a_1 a_2) = \sigma _Z(a_1) \odot \sigma _Z(a_2) = {\varvec{b}}_1 \odot {\varvec{b}}_2\)    \(\Box \)

Proof of Lemma 8. The ideal \(q R_Z\) factors in \(R_Z\) as

$$\begin{aligned} q R_Z= \mathfrak {q}_0 \mathfrak {q}_1 \cdots \mathfrak {q}_{g-1} \end{aligned}$$

where \(\mathfrak {q}_i = \mathfrak {Q}_i \cap R_Z\) for any i.

Let \(\{\tau _i^\prime \}_{i=0}^{g-1}\) be a resolution of unity in \(R_Z\) mod q. Here, we take the coefficients of each \(\tau _i^\prime \) from \([-q/2, q/2)\) over the \(\eta \)-basis \(\{\eta _0, \ldots , \eta _{g-1}\}\) of \(R_Z\).

Then,

$$\begin{aligned} \tau _i^\prime \equiv \left\{ \begin{array}{ll} 1 \pmod {\mathfrak {q}_i} &{} (i=0,\ldots ,g-1) \\ 0 \pmod {\mathfrak {q}_j} &{} (j \ne i). \end{array} \right. \end{aligned}$$

Since \(\mathfrak {q}_i \subset \mathfrak {Q}_i\) for any i, \(\{\tau _i^\prime \}_{i=0}^{g-1}\) is also a resolution of unity in R mod q. Since the coefficients of each \(\tau _i^\prime \) over the \(\eta \)-basis are in \([-q/2, q/2)\), by definition of \(\eta _i= \sum _{a \in \langle p \rangle } \zeta ^{t_i a}\), their coefficients over the basis \(B'\) are trivially also in \([-q/2, q/2)\). Hence, by the uniqueness of resolution, it must be that \(\tau _i^\prime = \tau _i\) for all i.    \(\Box \)
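The slot structure behind Lemmas 7 and 8, namely that \(R_Z\) modulo the plaintext prime p decomposes into g copies of \(\mathbb {Z}_p\) on which ring multiplication acts slot-wise, can be exercised on small parameters. The Python script below is an added example written for this page; it is not code from the paper or from HElib. It assumes a prime index m and a prime \(p \ne m\), represents elements of \(\mathbb {Z}[\zeta _m]\) as length-m integer coefficient lists, and realises the k-th slot map as \(\zeta \mapsto x^{t_k}\) into \(\mathrm {GF}(p^d) = \mathrm {GF}(p)[x]/(f)\) for a degree-d factor f of \(\varPhi _m \bmod p\); on \(R_Z\) these maps take values in \(\mathrm {GF}(p)\). All function names and the sample slot vectors are the example's own.

```python
# Added example for this page (not code from the paper or from HElib): the
# mod-p slot structure of the decomposition ring R_Z for a prime index m.
# Elements of Z[zeta_m] are length-m integer lists (coefficient of zeta^j at
# index j; redundant since sum_j zeta^j = 0, but exact under ring operations).
from itertools import product

def orbits(m, p):
    """Cosets t_i<p> of <p> in Z_m^*; returns (d, g, [t_i], [orbit_i])."""
    H = [1]                                   # the subgroup <p>, |<p>| = d
    while (H[-1] * p) % m != 1:
        H.append((H[-1] * p) % m)
    d, g = len(H), (m - 1) // len(H)
    reps, orbs, seen = [], [], set()
    for t in range(1, m):
        if t not in seen:
            orb = [(t * a) % m for a in H]
            seen.update(orb)
            reps.append(t)
            orbs.append(orb)
    return d, g, reps, orbs

def eta_basis(m, p):
    """eta_i = sum_{a in <p>} zeta^{t_i a}: the Z-basis of R_Z from Lemma 3."""
    return [[1 if j in orb else 0 for j in range(m)] for orb in orbits(m, p)[3]]

def ring_mul(u, v, m):
    """Product in Z[zeta_m] (zeta^m = 1): cyclic convolution of coefficients."""
    w = [0] * m
    for i, ui in enumerate(u):
        for j, vj in enumerate(v):
            w[(i + j) % m] += ui * vj
    return w

def poly_mod(a, f, p):
    """Remainder of the polynomial a modulo the monic polynomial f over GF(p)."""
    a = [c % p for c in a]
    while len(a) >= len(f):
        c, shift = a[-1], len(a) - len(f)
        for k, fk in enumerate(f):
            a[shift + k] = (a[shift + k] - c * fk) % p
        a.pop()                               # leading coefficient is now 0
    return a

def degree_d_factor(m, p, d):
    """Monic degree-d divisor of Phi_m = 1 + x + ... + x^(m-1) over GF(p).
    Every irreducible factor of Phi_m mod p has degree d = ord_m(p), so any
    degree-d divisor f is irreducible and GF(p)[x]/(f) is the field GF(p^d)."""
    phi = [1] * m
    for tail in product(range(p), repeat=d):
        f = list(tail) + [1]
        if not any(poly_mod(phi, f, p)):
            return f
    raise ValueError("no degree-d factor: m must be prime and p != m")

def slot_values(v, m, p):
    """Slots of v in R_Z: images under zeta -> x^{t_k} into GF(p)[x]/(f), k < g.
    On R_Z each image is Frobenius-fixed, hence a constant in GF(p)."""
    d, g, reps, _ = orbits(m, p)
    f = degree_d_factor(m, p, d)
    out = []
    for t in reps:
        img = [0] * m
        for j, c in enumerate(v):
            img[(t * j) % m] += c
        r = poly_mod(img, f, p)
        assert not any(r[1:]), "element is not in the decomposition ring"
        out.append(r[0] if r else 0)
    return out

def solve_mod_p(M, v, p):
    """Solve M a = v over GF(p) by Gauss-Jordan elimination (M invertible)."""
    n = len(M)
    A = [row[:] + [v[i]] for i, row in enumerate(M)]
    for col in range(n):
        piv = next(r for r in range(col, n) if A[r][col] % p)
        A[col], A[piv] = A[piv], A[col]
        inv = pow(A[col][col], -1, p)
        A[col] = [(x * inv) % p for x in A[col]]
        for r in range(n):
            if r != col and A[r][col] % p:
                A[r] = [(x - A[r][col] * y) % p for x, y in zip(A[r], A[col])]
    return [A[i][n] for i in range(n)]

def encode(slots, m, p):
    """Element of R_Z (an eta-basis combination) whose k-th slot is slots[k]:
    the inverse of the CRT map R_Z/pR_Z -> GF(p)^g, found by linear algebra."""
    etas = eta_basis(m, p)
    cols = [slot_values(e, m, p) for e in etas]     # cols[i][k] = slot k of eta_i
    M = [[cols[i][k] for i in range(len(etas))] for k in range(len(etas))]
    a = solve_mod_p(M, [s % p for s in slots], p)
    return [sum(ai * e[j] for ai, e in zip(a, etas)) for j in range(m)]

def simd_product(s1, s2, m, p):
    """One ring multiplication multiplies all g integer slots at once (Lemma 7)."""
    return slot_values(ring_mul(encode(s1, m, p), encode(s2, m, p), m), m, p)

if __name__ == "__main__":
    m, p = 13, 3                                  # ord_13(3) = 3: d = 3, g = 4
    print(f"m={m}, p={p}: (d, g, coset reps) = {orbits(m, p)[:3]}")
    print("slot-wise product:", simd_product([1, 2, 0, 2], [2, 2, 1, 1], m, p))
```

For \(m = 13\), \(p = 3\) the script finds \(d = 3\) and \(g = 4\) slots; `simd_product` encodes two slot vectors into \(R_Z\), performs a single ring multiplication, and reads the slots back, which yields the componentwise product mod 3. The brute-force factor search in `degree_d_factor` is only meant for toy sizes; it also makes visible why HElib's slots would be \(\mathrm {GF}(p^3)\) for these parameters while the decomposition-ring slots are \(\mathbb {Z}_3\).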

A.2 Norms on the Decomposition Ring

Norms of \(a \in Z\) are defined by

$$\begin{aligned} \Vert a\Vert _2 {\mathop {=}\limits ^{\tiny \text{ def }}}\Vert \sigma _Z(a)\Vert _2, \; \Vert a\Vert _\infty {\mathop {=}\limits ^{\tiny \text{ def }}}\Vert \sigma _Z(a)\Vert _\infty . \end{aligned}$$

Lemma 9

For any \(a, b \in Z\), we have

$$\begin{aligned} \Vert ab\Vert _\infty \le \Vert a\Vert _\infty \cdot \Vert b\Vert _\infty . \end{aligned}$$

Proof

\(\Vert ab\Vert _\infty = \Vert \sigma _Z(ab)\Vert _\infty = \Vert \sigma _Z(a) \odot \sigma _Z(b)\Vert _\infty \le \Vert \sigma _Z(a)\Vert _\infty \cdot \Vert \sigma _Z(b)\Vert _\infty = \Vert a\Vert _\infty \cdot \Vert b\Vert _\infty .\)    \(\Box \)

In the following, \({\varvec{a}}\) denotes the \(\eta \)-vector of a given \(a = \varvec{\eta }^T \cdot {\varvec{a}} \in R_Z\).

Lemma 10.

(1) For any \(a \in Z\), \(\Vert a\Vert _2 \; \le \; \sqrt{m} \Vert {\varvec{a}}\Vert _2.\)

(2) For any \({\varvec{a}} \in \mathbb {R}^g\), \(\Vert {\varvec{a}}\Vert _2 \; \le \; \Vert a\Vert _2.\)

(3) If \({\varvec{a}} \in \mathbb {R}^g\) is far from being proportional to the vector \({\varvec{1}}\) (far from constants, in short), we have \(\Vert {\varvec{a}}\Vert _2 \; \approx \; \frac{1}{\sqrt{m}} \Vert a\Vert _2.\)

Proof.

(1) By Lemma 6, \(\sigma _Z(a) = \varOmega _Z {\varvec{a}}\) and by Lemma 4

$$\begin{aligned} \varOmega _Z^*\varOmega _Z = m I_g - d {\varvec{1}} \cdot \mathbf 1 ^T. \end{aligned}$$

The matrix on the right-hand side has the eigenvalue m with multiplicity \(g-1\), with eigenvectors \((1,-1,0,\cdots ,0)\), \((1,0, -1,0,\cdots ,0)\), \(\ldots \), \((1,0,\cdots ,0,-1)\), and the eigenvalue \(m - dg = 1\) with eigenvector \((1,1,\cdots ,1)\). So the symmetric matrix \(\varOmega _Z^*\varOmega _Z\) is diagonalized to \(\mathrm {Diag}(m, \cdots , m, 1)\) by an orthogonal transformation, and the largest singular value of \(\varOmega _Z\) is \(s_1(\varOmega _Z) = \sqrt{m}\). This means \( \Vert a\Vert _2 \; \le \; \sqrt{m} \Vert {\varvec{a}}\Vert _2.\)

(2), (3) Conversely, \({\varvec{a}} = (\varOmega _Z)^{-1} \sigma _Z(a) = \varGamma _Z \sigma _Z(a)\). Similarly as above, the matrix \(\varGamma _Z^*\varGamma _Z\) is diagonalized to \(\mathrm {Diag}(1/m, \cdots , 1/m, 1)\) by the same orthogonal transformation. Hence \(s_1(\varGamma _Z) = 1\) and \( \Vert {\varvec{a}}\Vert _2 \; \le \; \Vert a\Vert _2.\) Since all eigenvalues of \(\varGamma _Z^*\varGamma _Z\) except the one belonging to the eigenvector \((1,1,\cdots ,1)\) are equal to 1 / m, if \({\varvec{a}}\) is far from being proportional to \((1,1,\cdots ,1)\), then \(\Vert {\varvec{a}}\Vert _2 \; \approx \; \frac{1}{\sqrt{m}} \Vert a\Vert _2\).    \(\Box \)

Lemma 11.

(1) For any \(a \in Z\), \(\Vert a\Vert _\infty \; \le \; \sqrt{mg} \Vert {\varvec{a}}\Vert _\infty .\)

(2) For any \({\varvec{a}} \in \mathbb {R}^g\), \(\Vert {\varvec{a}}\Vert _\infty \; \le \; \sqrt{g} \Vert a\Vert _\infty .\)

(3) If a is far from constants, we have \(\Vert {\varvec{a}}\Vert _\infty \; \lessapprox \; \sqrt{g/m} \Vert a\Vert _\infty .\)

Proof.

(1) By Lemma 10-(1), \(\Vert a\Vert _\infty \le \Vert a\Vert _2 \le \sqrt{m} \Vert {\varvec{a}}\Vert _2 \le \sqrt{mg} \Vert {\varvec{a}}\Vert _\infty .\)

(2) By Lemma 10-(2), \(\Vert {\varvec{a}}\Vert _\infty \le \Vert {\varvec{a}}\Vert _2 \le \Vert a\Vert _2 \le \sqrt{g} \Vert a\Vert _\infty .\)

(3) By Lemma 10-(3), \(\Vert {\varvec{a}}\Vert _\infty \le \Vert {\varvec{a}}\Vert _2 \approx \frac{1}{\sqrt{m}} \Vert a\Vert _2 \le \sqrt{g/m} \Vert a\Vert _\infty .\)    \(\Box \)

Subgaussian elements. We call a random variable \(a \in Z\) subgaussian with parameter s if the corresponding random variable \(\sigma _Z(a)\) on \(H_Z\) is subgaussian with parameter s.

Lemma 12

(Claims 2.1 and 2.4 of [16]). Let \(a_i\) be independent subgaussian random variables over Z with parameters \(s_i\) \((i=1,2)\). Then,

1. The sum \(a_1 + a_2\) is subgaussian with parameter \(\sqrt{s_1^2 + s_2^2}\).

2. For any fixed \(a_2\), the product \(a_1 \cdot a_2\) is subgaussian with parameter \(\Vert a_2\Vert _\infty s_1\).

Lemma 13

Let \({\varvec{a}}\) be a subgaussian random variable over \(\mathbb {R}^g\) of parameter s. Then, \(a = \varvec{\eta }^T \cdot {\varvec{a}}\) is subgaussian over Z of parameter \(\sqrt{m} s\).

Proof

By Lemma 6 \(\sigma _Z(a) = \varOmega _Z {\varvec{a}}\). As seen in the proof of Lemma 10, \(s_1(\varOmega _Z) = \sqrt{m}\). Hence, \(\sigma _Z(a)\) is subgaussian of parameter \(\sqrt{m} s\).    \(\Box \)

A.3 Correctness of Our Subring Homomorphic Encryption Scheme

Let \(\varvec{\chi }_{key}\) and \(\varvec{\chi }_{err}\) be discrete Gaussian distributions over \(\mathbb {Z}^g\) with parameters \(s_{key}\) and \(s_{err}\), respectively. In the following, vectors \({\varvec{a}}\), \({\varvec{b}}\), \(\cdots \) denote the \(\eta \)-vectors of the corresponding elements \(a = \varvec{\eta }^T \cdot {\varvec{a}}\), \(b = \varvec{\eta }^T \cdot {\varvec{b}}\), \(\cdots \) of the decomposition ring \(R_Z\).

Definition 4

The inherent noise term e of ciphertext \(ct = ({\varvec{a}}, {\varvec{b}})\) designed for \({\varvec{m}} \in \mathbb {Z}_t^g\) is an element \(e \in R_Z\) with the smallest norm \(\Vert e\Vert _\infty \) satisfying that

$$\begin{aligned} b - a s = \varDelta m_\xi + e + q \alpha \end{aligned}$$

for some \(\alpha \in R_Z\), secret key \(\mathsf {sk} = {\varvec{s}}\), and \(m_\xi = \varvec{\xi }^T \cdot {\varvec{m}} \in R_Z\).

By definition, a ciphertext \(ct = ({\varvec{a}}, {\varvec{b}}) \leftarrow \mathsf {Encrypt}({\varvec{s}}, {\varvec{m}})\) has \(e = \varvec{\eta }^T \cdot {\varvec{e}}\) as an inherent noise term designed for \({\varvec{m}}\) with \({\varvec{e}} \leftarrow \varvec{\chi }_{err}\). By Lemma 13, e is subgaussian of parameter \(\sqrt{m} s_{err}\) and by the tail inequality (Eq. 2), \( \Vert e\Vert _\infty \le \omega (\sqrt{\log \lambda }) \sqrt{m} s_{err} \) with an overwhelming probability.

Define \(B_{correct} {\mathop {=}\limits ^{\tiny \text{ def }}}\frac{\sqrt{m}}{2 \sqrt{g}} \varDelta .\)

Lemma 14

(Noise bound for correctness). Let e be the inherent noise term of ciphertext \(ct=({\varvec{a}}, {\varvec{b}})\) designed for \({\varvec{m}} \in \mathbb {Z}_t^g\). If \(\Vert e\Vert _\infty < B_{correct}\) (i.e. if \(\frac{\sqrt{g}}{\sqrt{m}} \Vert e\Vert _\infty < \frac{1}{2}\varDelta \)), then decryption works correctly, i.e. \( \mathsf {Decrypt}({\varvec{s}},ct) = {\varvec{m}}. \)

Proof

By definition of the inherent noise term, \({\varvec{a}}\) and \({\varvec{b}}\) satisfy that

$$\begin{aligned} \frac{1}{\varDelta }(b - as - \alpha q) \;=\; m_\xi + \frac{e}{\varDelta }. \end{aligned}$$
(9)

By Lemma 11-(3),

$$\begin{aligned} \Vert \frac{{\varvec{e}}}{\varDelta }\Vert _\infty < \sqrt{g/m} \cdot \Vert \frac{e}{\varDelta }\Vert _\infty \le \sqrt{g/m} \cdot \frac{\sqrt{m}}{2 \sqrt{g}} = \frac{1}{2}. \end{aligned}$$

Hence, the \(\eta \)-vector of the left-hand side of Eq. (9) rounds to \({\varvec{n}}\) satisfying that \(\varvec{\eta }^T \cdot {\varvec{n}} = m_\xi = \varvec{\xi }^T \cdot {\varvec{m}}\).    \(\Box \)

Lemma 15

(Noise bound for Add ). Let \(e_1\) and \(e_2\) be inherent noise terms of ciphertexts \(ct_1=({\varvec{a}}_1,{\varvec{b}}_1)\) and \(ct_2=({\varvec{a}}_2,{\varvec{b}}_2)\) designed for \({\varvec{m}}_1\) and \({\varvec{m}}_2 \in \mathbb {Z}_t^g\), respectively. Let e be the inherent noise term of \(ct = \mathsf {Add}(ct_1, ct_2)\) designed for \({\varvec{m}}_1 + {\varvec{m}}_2 \in \mathbb {Z}_t^g\). Then,

$$\begin{aligned} \Vert e\Vert _\infty \le \Vert e_1\Vert _\infty + \Vert e_2\Vert _\infty . \end{aligned}$$

Lemma 16

(Noise bound for linearization). Let \(\mathsf {ev}=\bigl ((\varvec{\alpha }_k, \varvec{\beta }_k)\bigr )_{k=0}^{l_w-1} \leftarrow \mathsf {EvaluateKeyGen}({\varvec{s}})\) be an evaluation key for a secret key \(\mathsf {sk} = {\varvec{s}}\). Suppose that a triple of elements e, c, d in \(R_Z\) satisfies

$$\begin{aligned} e - c s + d s^2 \equiv \varDelta m_\xi + x \pmod {q} \end{aligned}$$

with \(m_\xi = \varvec{\xi }^T \cdot {\varvec{m}}\) and some \(x \in R_Z\) bounded as \(\Vert x\Vert _\infty \le B\). Let \(({\varvec{d}}_0, \cdots , {\varvec{d}}_{l_w-1}) = \mathsf {WD}({\varvec{d}})\). Then, for \(a = c + \sum _{k=0}^{l_w-1} d_k \alpha _k\) and \(b = e + \sum _{k=0}^{l_w-1} d_k \beta _k\), the pair \(ct = ({\varvec{a}}, {\varvec{b}})\) constitutes a ciphertext that has an inherent noise term y designed for \({\varvec{m}}\) bounded as

$$\begin{aligned} \Vert y\Vert _\infty \le B + \omega (\sqrt{\log \lambda }) \sqrt{l_w m g} w s_{err}. \end{aligned}$$

Proof

By definition of \(\mathsf {EvaluateKeyGen}\), the k-th pair \((\varvec{\alpha }_k, \varvec{\beta }_k)\) of \(\mathsf {ev}\) has an inherent noise term \(x_k\) designed for \(w^k s^2\), which is subgaussian of parameter \(\sqrt{m} s_{err}\). Then,

$$\begin{aligned} b - as&\equiv \Bigl (e + \sum _{k=0}^{l_w-1} d_k \beta _k\Bigr ) - \Bigl (c + \sum _{k=0}^{l_w-1} d_k \alpha _k\Bigr ) s \; \equiv \; e - c s + \sum _{k=0}^{l_w-1} d_k (\beta _k - \alpha _k s) \\&\; \equiv \; e - c s + \sum _{k=0}^{l_w-1} d_k (w^k s^2 + x_k) \; \equiv \; e - c s + d s^2 + \sum _{k=0}^{l_w-1} d_k x_k \\&\; \equiv \; \varDelta m_\xi + x + \sum _{k=0}^{l_w-1} d_k x_k \pmod {q}. \end{aligned}$$

We estimate \(\Vert y\Vert _\infty \) for \(y := x + \sum _{k=0}^{l_w-1} d_k x_k\). First, by Lemma 11 (1), \(\Vert d_k\Vert _\infty \le \sqrt{mg} \Vert {\varvec{d}}_k\Vert _\infty \le \sqrt{mg} w\). Then, by Lemma 12, the \(d_k x_k\) are independent subgaussian variables of parameter \(\Vert d_k\Vert _\infty s_{err} \le \sqrt{mg} w s_{err}\), and \(\sum _{k=0}^{l_w-1} d_k x_k\) is subgaussian of parameter \(\sqrt{l_w} \sqrt{mg} w s_{err}\). Hence,

$$\begin{aligned} \Vert y\Vert _\infty \le \Vert x\Vert _\infty + \Vert \sum _{k=0}^{l_w-1} d_k x_k\Vert \le B + \omega (\sqrt{\log \lambda }) \sqrt{l_w} \sqrt{mg} w s_{err}. \end{aligned}$$

   \(\Box \)

Lemma 17

(Noise bound for \(\mathsf {Mult}\) ). Let \(e_1\) and \(e_2\) be inherent noise terms of ciphertexts \(ct_1=({\varvec{a}}_1,{\varvec{b}}_1)\) and \(ct_2=({\varvec{a}}_2,{\varvec{b}}_2)\) designed for \({\varvec{m}}_1\) and \({\varvec{m}}_2 \in \mathbb {Z}_t^g\), respectively. Suppose \(\Vert e_i\Vert _\infty \le B \, (< B_{correct})\) for \(i=1,2\). Let f be the inherent noise term of \(ct = \mathsf {Mult}(ct_1, ct_2)\) designed for \({\varvec{m}}_1 \odot {\varvec{m}}_2 \in \mathbb {Z}_t^g\). Then,

$$\begin{aligned} \big \Vert f\big \Vert _\infty \le t \omega (\sqrt{\log \lambda }) \sqrt{mg} s_{key} \cdot B + \omega (\sqrt{\log \lambda }) \sqrt{l_w m g} w s_{err}. \end{aligned}$$

Proof

We prepare two claims.

Claim

Let \(e_0 = \frac{1}{\varDelta } b_1 b_2\), \(c_0 = \frac{1}{\varDelta } (a_1 b_2 + a_2 b_1)\), \(d_0 = \frac{1}{\varDelta } a_1 a_2\). Then,

$$\begin{aligned} e_0 - c_0 s + d_0 s^2 \equiv \varDelta m_\xi + x \pmod {q} \end{aligned}$$

with \(m_\xi = (m_1)_\xi (m_2)_\xi \) and some \(x \in R_Z\) bounded as

$$\begin{aligned} \Vert x\Vert _\infty \le t \omega (\sqrt{\log \lambda }) \sqrt{mg} s_{key} \cdot B. \end{aligned}$$

Proof

By assumption,

$$\begin{aligned} b_i - a_i s = \varDelta (m_i)_\xi + x_i + \alpha _i q \quad (i=1,2) \end{aligned}$$
(10)

with \(\Vert x_i\Vert _\infty \le B\). By Lemma 12 the product \(a_i s\) is subgaussian of parameter \(\Vert a_i\Vert _\infty s_{key} \le \sqrt{mg} \Vert {\varvec{a}}_i\Vert _\infty s_{key} \le \sqrt{mg} q s_{key}\). So, \(\alpha _i = \bigl \lfloor (b_i - a_i s)/q\bigr \rfloor \) is bounded as

$$\begin{aligned} \Vert \alpha _i\Vert _\infty \le \omega (\sqrt{\log \lambda }) \sqrt{mg} s_{key}. \end{aligned}$$

By taking product of the two equations (10), we get

$$\begin{aligned} e_0 - c_0 s + d_0 s^2&= \frac{1}{\varDelta }\Bigl (b_1 b_2 - (a_1 b_2 + a_2 b_1) s + a_1 a_2 s^2\Bigr ) \\&= \varDelta (m_1)_\xi (m_2)_\xi + x + q v \end{aligned}$$

with some \(v \in R_Z\), where

$$\begin{aligned} x = (m_1)_\xi x_2 + (m_2)_\xi x_1 + \frac{1}{\varDelta } x_1 x_2 + t (x_1 \alpha _2 + x_2 \alpha _1). \end{aligned}$$

By Lemmas 9 and 11,

$$\begin{aligned} \Vert (m_i)_\xi x_j\Vert _\infty \le \Vert (m_i)_\xi \Vert _\infty \Vert x_j\Vert _\infty \le \sqrt{mg} \Vert {\varvec{n}}_i\Vert _\infty \Vert x_j\Vert _\infty \le \sqrt{mg} t B \\ \Vert \frac{1}{\varDelta } x_1 x_2\Vert _\infty \le \frac{1}{\varDelta } \Vert x_1\Vert _\infty \Vert x_2\Vert _\infty \le \frac{1}{\varDelta } B_{correct} \cdot \Vert x_2\Vert _\infty \le \frac{\sqrt{m}}{2 \sqrt{g}} \cdot B \\ \Vert t x_i \alpha _j\Vert _\infty \le t \Vert x_i\Vert _\infty \Vert \alpha _j\Vert _\infty \le t B \omega (\sqrt{\log \lambda }) \sqrt{mg} s_{key}. \end{aligned}$$

Hence, x is bounded as

$$\begin{aligned} \Vert x\Vert _\infty&\le 2 \sqrt{mg} t B + \frac{\sqrt{m}}{2 \sqrt{g}} \cdot B + 2 t B \omega (\sqrt{\log \lambda }) \sqrt{mg} s_{key} \\&= (2 \sqrt{mg} t + \frac{\sqrt{m}}{2 \sqrt{g}} + 2 t \omega (\sqrt{\log \lambda }) \sqrt{mg} s_{key}) B \\&\le t \omega (\sqrt{\log \lambda }) \sqrt{mg} s_{key} \cdot B, \end{aligned}$$

where the last step absorbs the lower-order terms and the constant factor into \(\omega (\sqrt{\log \lambda })\).

   \(\Box \)

Claim

Let \({\varvec{e}} = \Bigl \lfloor {\varvec{e}}_{\mathbf {0}}\Bigr \rceil \), \({\varvec{c}} = \Bigl \lfloor {\varvec{c}}_{\mathbf {0}}\Bigr \rceil \), \({\varvec{d}} = \Bigl \lfloor {\varvec{d}}_{\mathbf {0}}\Bigr \rceil \). Then,

$$\begin{aligned} e - c s + d s^2 \equiv e_0 - c_0 s + d_0 s^2 + y \pmod {q} \end{aligned}$$

with some \(y \in R_Z\) bounded as

$$\begin{aligned} \Vert y\Vert _\infty \le \omega (\log \lambda ) \sqrt{mg} s_{key}^2. \end{aligned}$$

Proof

Let \(y = (e-e_0) - (c-c_0) s + (d-d_0) s^2 \pmod {q}\).

Using Lemma 11 (1), \(\Vert e-e_0\Vert _\infty \le \sqrt{mg} \Vert {\varvec{e}}-{\varvec{e}}_0\Vert _\infty \le \sqrt{mg}/2\).

Similarly, \(\Vert c-c_0\Vert _\infty \le \sqrt{mg}/2\) and by Lemma 9, \(\big \Vert (c-c_0) s\big \Vert _\infty \le \big \Vert c-c_0\big \Vert _\infty \big \Vert s\big \Vert _\infty \le \sqrt{mg}/2 \cdot \omega (\sqrt{\log \lambda }) s_{key} = \omega (\sqrt{\log \lambda }) \sqrt{mg} s_{key}\). Similarly, \(\big \Vert (d-d_0) s^2\big \Vert _\infty \le \omega (\log \lambda ) \sqrt{mg} s_{key}^2\).

Thus,

$$\begin{aligned} \big \Vert y\big \Vert _\infty&\le \big \Vert e-e_0\big \Vert _\infty + \big \Vert (c-c_0)s\big \Vert _\infty + \big \Vert (d-d_0)s^2\big \Vert _\infty \\&\le \sqrt{mg}/2 + \omega (\sqrt{\log \lambda }) \sqrt{mg} s_{key} + \omega (\log \lambda ) \sqrt{mg} s_{key}^2 \\&\le \omega (\log \lambda ) \sqrt{mg} s_{key}^2 \end{aligned}$$

   \(\Box \)

By the two claims we know that

$$\begin{aligned} e - c s + d s^2 \equiv \varDelta m_\xi + z \pmod {q} \end{aligned}$$

with \(z=x+y\) bounded as

$$\begin{aligned} \big \Vert z\big \Vert _\infty&\le \big \Vert x\big \Vert _\infty + \big \Vert y\big \Vert _\infty \le t \omega (\sqrt{\log \lambda }) \sqrt{mg} s_{key} \cdot B + \omega (\log \lambda ) \sqrt{mg} s_{key}^2 \\&\le t \omega (\sqrt{\log \lambda }) \sqrt{mg} s_{key} \cdot B. \end{aligned}$$

Finally, applying Lemma 16 to our situation, we know that Mult will output a ciphertext \(ct=({\varvec{a}}, {\varvec{b}})\) that has an inherent noise term f designed for \(m_\xi = (m_1)_\xi (m_2)_\xi \), satisfying that

$$\begin{aligned} \big \Vert f\big \Vert _\infty&\le \big \Vert z\big \Vert _\infty + \omega (\sqrt{\log \lambda }) \sqrt{l_w m g} w s_{err} \\&\le t \omega (\sqrt{\log \lambda }) \sqrt{mg} s_{key} \cdot B + \omega (\sqrt{\log \lambda }) \sqrt{l_w m g} w s_{err}. \;\;\;\; \end{aligned}$$

   \(\Box \)

Proof of Theorem 2. By Lemma 14, a ciphertext ct that encrypts plaintext \({\varvec{m}}\) can be correctly decrypted if its inherent noise term e designed for \({\varvec{m}}\) satisfies that

$$\begin{aligned} \frac{\sqrt{g}}{\sqrt{m}} \big \Vert e\big \Vert _\infty < \frac{1}{2}\varDelta = \frac{q}{2t}. \end{aligned}$$

By Lemma 17, one multiplication increases \(\frac{\sqrt{g}}{\sqrt{m}}\) times the infinity norm of the noise of the input ciphertexts by \(\log _2(t \omega (\sqrt{\log \lambda }) g s_{key}) = O(\log \lambda )\) bits. Hence, to correctly evaluate an arithmetic circuit over \(\mathbb {Z}_t^g\) with L levels of multiplication, it suffices that

$$\begin{aligned} \log q > L \log \lambda . \end{aligned}$$

By Lemma 4 of [3], the \(\mathsf {Decrypt}\) algorithm can be implemented by a circuit of level \(L_{dec} = O(\log \lambda )\). Hence, by taking \(q = O(\lambda ^{\log \lambda })\), the subring homomorphic encryption scheme can homomorphically evaluate its own \(\mathsf {Decrypt}\) circuit, and it is fully homomorphic under the circular security assumption.    \(\Box \)

Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

About this paper

Cite this paper

Arita, S., Handa, S. (2018). Subring Homomorphic Encryption. In: Kim, H., Kim, DC. (eds) Information Security and Cryptology – ICISC 2017. ICISC 2017. Lecture Notes in Computer Science, vol 10779. Springer, Cham. https://doi.org/10.1007/978-3-319-78556-1_7

  • DOI: https://doi.org/10.1007/978-3-319-78556-1_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-78555-4

  • Online ISBN: 978-3-319-78556-1
