Abstract
In this paper, we construct a subring homomorphic encryption scheme, i.e. a homomorphic encryption scheme built on the decomposition ring, which is a subring of the cyclotomic ring. In the scheme, each plaintext slot contains an integer in \(\mathbb {Z}_{p^l}\), rather than an element of \(\mathrm {GF}(p^d)\) as in conventional homomorphic encryption schemes on cyclotomic rings. Our benchmark results indicate that the subring homomorphic encryption scheme is several times faster than HElib for mod-\(p^l\) integer plaintexts, owing to the high parallelism of its mod-\(p^l\) integer slot structure. We believe that such a plaintext structure composed of mod-\(p^l\) integer slots is more natural, easier to handle, and significantly more efficient for many applications, such as outsourced data mining, than conventional \(\mathrm {GF}(p^d)\) slots.
Notes
1. For instance, Lu, Kawasaki and Sakuma [13] use HElib with parameters \(n=m-1=27892\) and \(p \approx 2^{36}\) to perform the homomorphic computation needed for their statistical analysis on encrypted data at 110-bit security, which results in a plaintext space composed of \(l \approx 70\) copies of the Galois field \(\mathrm {GF}(p^d)\) of degree \(d = n/l \approx 398\). They are forced to use only constant polynomials in those Galois fields.
References
Albrecht, M.R.: On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 103–129. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_4
Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015)
Brakerski, Z.: Fully homomorphic encryption without modulus switching from classical GapSVP. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 868–886. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_50
Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: ITCS, pp. 309–325. ACM (2012)
Cheon, J.H., Kim, M., Lauter, K.: Homomorphic computation of edit distance. In: Brenner, M., Christin, N., Johnson, B., Rohloff, K. (eds.) FC 2015. LNCS, vol. 8976, pp. 194–212. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48051-9_15
Fan, J., Vercauteren, F.: Somewhat practical fully homomorphic encryption. IACR Cryptology ePrint Archive, 2012–144 (2012)
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC, pp. 169–178. ACM (2009)
Gentry, C., Halevi, S., Smart, N.P.: Homomorphic evaluation of the AES circuit. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 850–867. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_49
Graepel, T., Lauter, K., Naehrig, M.: ML confidential: machine learning on encrypted data. In: Kwon, T., Lee, M.-K., Kwon, D. (eds.) ICISC 2012. LNCS, vol. 7839, pp. 1–21. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-37682-5_1
Halevi, S., Shoup, V.: Algorithms in HElib. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 554–571. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_31
Liu, J., Li, J., Xu, S., Fung, B.C.M.: Secure outsourced frequent pattern mining by fully homomorphic encryption. In: Madria, S., Hara, T. (eds.) DaWaK 2015. LNCS, vol. 9263, pp. 70–81. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-22729-0_6
Lauter, K., López-Alt, A., Naehrig, M.: Private computation on encrypted genomic data. In: Aranha, D.F., Menezes, A. (eds.) LATINCRYPT 2014. LNCS, vol. 8895, pp. 3–27. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16295-9_1
Lu, W., Kawasaki, S., Sakuma, J.: Using fully homomorphic encryption for statistical analysis of categorical ordinal and numerical data. In: Network and Distributed System Security Symposium (NDSS), February 2017
Laine, K., Player, R.: Simple Encrypted Arithmetic Library - SEAL (v2.0). Technical report, Microsoft Research, MSR-TR-2016-52, September 2016
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1
Lyubashevsky, V., Peikert, C., Regev, O.: A toolkit for ring-LWE cryptography. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 35–54. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_3
Smart, N.P., Vercauteren, F.: Fully homomorphic SIMD operations. Des. Codes Crypt. 71(1), 57–81 (2014)
Acknowledgments
This work was supported by JST CREST Grant Number JPMJCR1503. This work is further supported by the JSPS KAKENHI Grant Number 17K05353.
A Appendices
A.1 Proofs of Lemmas
Proof of Lemma 2. \(\mathrm {Tr}_{Z|\mathbb {Q}}(\eta _i) = \mathrm {Tr}_{Z|\mathbb {Q}}(\mathrm {Tr}_{K|Z}(\zeta ^{t_i})) = \mathrm {Tr}_{K|\mathbb {Q}}(\zeta ^{t_i})\). So, by Lemma 1, \(\mathrm {Tr}_{Z|\mathbb {Q}}(\eta _i) = -1\) for any i. Similarly, \(\mathrm {Tr}_{Z|\mathbb {Q}}(\overline{\eta }_i) = \mathrm {Tr}_{Z|\mathbb {Q}}(\mathrm {Tr}_{K|Z}(\zeta ^{-t_i})) = \mathrm {Tr}_{K|\mathbb {Q}}(\zeta ^{-t_i}) = -1\). \(\Box \)
Proof of Lemma 3. Since the index m is prime, the cyclotomic ring R has a basis \(B = \{1, \zeta , \ldots , \zeta ^{m-2}\}\) over \(\mathbb {Z}\). Since \(\zeta \) is a unit of R, \(B^\prime := \zeta B = \{\zeta , \zeta ^2, \ldots , \zeta ^{m-1}\}\) is also a basis of R over \(\mathbb {Z}\). The fixing group \(G_Z = \langle \rho _p\rangle \) of Z acts on \(B^\prime \) and decomposes it into g orbits \(\zeta ^{t_i \langle p\rangle } = \{\zeta ^{t_i}, \zeta ^{t_i p}, \ldots , \zeta ^{t_i p^{d-1}} \}\) (\(i=0,\ldots ,g-1\)). An element \(z = \sum _{i=1}^{m-1} z_i \zeta ^i \in R_Z\) that is stable under the action of \(G_Z\) must have constant integer coefficients over each orbit \(\zeta ^{t_i \langle p\rangle }\). Hence, z is a \(\mathbb {Z}\)-linear combination of \(\{\eta _1, \ldots , \eta _g\}\). \(\Box \)
Proof of Lemma 4. For \(0 \le i,j < g\),
Suppose \(i \ne j\). Then \(-t_i + b t_j \not \equiv 0 \pmod {m}\) for any \(b \in \langle p\rangle \). Hence, by Lemma 1,
If \(i = j\), since by Lemma 1 \(\mathrm {Tr}_{K|\mathbb {Q}}(\zeta ^{-t_i + b t_i})\) equals \(m-1\) if \(b = 1\) and \(-1\) otherwise,
\(\Box \)
Proof of Corollary 1. For any i, by Lemmas 2 and 4 we have
Similarly, for any \(i \ne j\) we have
\(\Box \)
Proof of Lemma 5
\(\Box \)
Proof of Lemma 6. The first claim is the definition of \(\varvec{\xi }\).
Since \( \varOmega _Z = \Bigl (\sigma _Z(\eta _j)\Bigr )_{0 \le j < g}, \) \(a = \varvec{\eta }^T \cdot {\varvec{a}}\) if and only if \(\sigma _Z(a) = \varOmega _Z {\varvec{a}}\).
Next,
\(\Box \)
Proof of Lemma 7. \(\sigma _Z(a_1 a_2) = \sigma _Z(a_1) \odot \sigma _Z(a_2) = {\varvec{b}}_1 \odot {\varvec{b}}_2\) \(\Box \)
Proof of Lemma 8. The ideal \(q R_Z\) factors in \(R_Z\) as
where \(\mathfrak {q}_i = \mathfrak {Q}_i \cap R_Z\) for any i.
Let \(\{\tau _i^\prime \}_{i=0}^{g-1}\) be a resolution of unity in \(R_Z\) mod q. Here, we take the coefficients of each \(\tau _i^\prime \) from \([-q/2, q/2)\) over the \(\eta \)-basis \(\{\eta _0, \ldots , \eta _{g-1}\}\) of \(R_Z\).
Then,
Since \(\mathfrak {q}_i \subset \mathfrak {Q}_i\) for any i, \(\{\tau _i^\prime \}_{i=0}^{g-1}\) is also a resolution of unity in R mod q. Since the coefficients of each \(\tau _i^\prime \) over the \(\eta \)-basis are in \([-q/2, q/2)\), by definition of \(\eta _i= \sum _{a \in \langle p \rangle } \zeta ^{t_i a}\), their coefficients over the basis \(B'\) are trivially also in \([-q/2, q/2)\). Hence, by the uniqueness of resolution, it must be that \(\tau _i^\prime = \tau _i\) for all i. \(\Box \)
A.2 Norms on the Decomposition Ring
Norms of \(a \in Z\) are defined by
Lemma 9
For any \(a, b \in Z\), we have
Proof
\(\Vert ab\Vert _\infty = \Vert \sigma _Z(ab)\Vert _\infty = \Vert \sigma _Z(a) \odot \sigma _Z(b)\Vert _\infty \le \Vert \sigma _Z(a)\Vert _\infty \cdot \Vert \sigma _Z(b)\Vert _\infty = \Vert a\Vert _\infty \cdot \Vert b\Vert _\infty .\) \(\Box \)
In the following, \({\varvec{a}}\) denotes the \(\eta \)-vector of a given \(a = \varvec{\eta }^T \cdot {\varvec{a}} \in R_Z\).
Lemma 10.
- (1) For any \(a \in Z\), \(\Vert a\Vert _2 \; \le \; \sqrt{m} \Vert {\varvec{a}}\Vert _2.\)
- (2) For any \({\varvec{a}} \in \mathbb {R}^g\), \(\Vert {\varvec{a}}\Vert _2 \; \le \; \Vert a\Vert _2.\)
- (3) If \({\varvec{a}} \in \mathbb {R}^g\) is far from being proportional to the vector \({\varvec{1}}\) (far from constants, in short), we have \(\Vert {\varvec{a}}\Vert _2 \; \approx \; \frac{1}{\sqrt{m}} \Vert a\Vert _2.\)
Proof.
(1) By Lemma 6, \(\sigma _Z(a) = \varOmega _Z {\varvec{a}}\) and by Lemma 4
The right-hand side matrix has the eigenvalue m with multiplicity \(g-1\) and the eigenvalue 1 with multiplicity one, with corresponding eigenvectors \((1,-1,0,\cdots ,0)\), \((1,0, -1,0,\cdots ,0)\), \(\ldots \), \((1,0,\cdots ,0,-1)\) and \((1,1,\cdots ,1)\). So the symmetric matrix \(\varOmega _Z^*\varOmega _Z\) can be diagonalized to \(\mathrm {Diag}(m, \cdots , m, 1)\) by an orthogonal transformation, and we have \(s_1(\varOmega _Z) = \sqrt{m}\). This means \( \Vert a\Vert _2 \; \le \; \sqrt{m} \Vert {\varvec{a}}\Vert _2.\)
(2), (3) Conversely, \({\varvec{a}} = (\varOmega _Z)^{-1} \sigma _Z(a) = \varGamma _Z \sigma _Z(a)\). As above, the matrix \(\varGamma _Z^*\varGamma _Z\) can be diagonalized to \(\mathrm {Diag}(1/m, \cdots , 1/m, 1)\) by the same orthogonal transformation. Hence \(s_1(\varGamma _Z) = 1\) and \( \Vert {\varvec{a}}\Vert _2 \; \le \; \Vert a\Vert _2.\) Since all eigenvalues of \(\varGamma _Z^*\varGamma _Z\) are 1 / m except the eigenvalue 1 for the eigenvector \((1,1,\cdots ,1)\), if \({\varvec{a}}\) is far from being proportional to the eigenvector \((1,1,\cdots ,1)\), then \(\Vert {\varvec{a}}\Vert _2 \; \approx \; \frac{1}{\sqrt{m}} \Vert a\Vert _2\). \(\Box \)
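The following script is an added numerical check, not code from the paper: it builds the Gauss periods \(\eta _i\) and the embedding matrix \(\varOmega _Z\) for a small prime index and verifies Lemma 2 (\(\mathrm {Tr}_{Z|\mathbb {Q}}(\eta _i) = -1\)), the Gram matrix \(\varOmega _Z^*\varOmega _Z\) whose eigenvalues the proof of Lemma 10 uses (its entries are the traces of Lemma 4, giving \(m-d\) on the diagonal and \(-d\) off it), and the bounds of Lemma 10 (1), (2), taking \(\Vert a\Vert _2 = \Vert \sigma _Z(a)\Vert _2\) as in A.2. The function names, the choice of coset representatives \(t_i\) and the sample instance \(m=13\), \(p=3\) (so \(d=3\), \(g=4\)) are assumptions of this example.

```python
"""Added numerical check of Lemmas 2, 4 and 10 (assumed instance m=13, p=3)."""
import cmath
import math

def mult_order(p, m):
    """Multiplicative order d of p modulo the prime m."""
    k, x = 1, p % m
    while x != 1:
        x, k = (x * p) % m, k + 1
    return k

def coset_reps(m, p):
    """Representatives t_0..t_{g-1} of the cosets of <p> in (Z/mZ)^*."""
    subgroup = sorted({pow(p, j, m) for j in range(mult_order(p, m))})
    reps, seen = [], set()
    for t in range(1, m):
        if t not in seen:
            reps.append(t)
            seen |= {(t * a) % m for a in subgroup}
    return reps, subgroup

def embedding_matrix(m, p):
    """Omega_Z[k][i] = sigma_k(eta_i) = sum_{a in <p>} zeta^{t_k t_i a}:
    the g complex embeddings of Z applied to the Gauss periods eta_i."""
    reps, subgroup = coset_reps(m, p)
    g = len(reps)
    zeta_pow = lambda e: cmath.exp(2j * math.pi * (e % m) / m)
    return [[sum(zeta_pow(reps[k] * reps[i] * a) for a in subgroup)
             for i in range(g)] for k in range(g)]

def gram_matrix(omega):
    """Omega_Z^* Omega_Z; entry (i,j) is Tr_{Z|Q}(conj(eta_i) eta_j)."""
    g = len(omega)
    return [[sum(omega[k][i].conjugate() * omega[k][j] for k in range(g))
             for j in range(g)] for i in range(g)]

def check_lemmas_2_and_4(m, p, tol=1e-9):
    """Tr_{Z|Q}(eta_i) = -1 (Lemma 2) and Gram = m*I - d*J, i.e. m-d on the
    diagonal and -d off it, which gives eigenvalues m (g-1 times) and 1."""
    omega = embedding_matrix(m, p)
    d, g = mult_order(p, m), len(omega)
    traces_ok = all(abs(sum(omega[k][i] for k in range(g)) + 1) < tol
                    for i in range(g))
    gram = gram_matrix(omega)
    gram_ok = all(abs(gram[i][j] - ((m if i == j else 0) - d)) < tol
                  for i in range(g) for j in range(g))
    return traces_ok and gram_ok

def norms(m, p, avec):
    """(||a||_2, ||avec||_2) for a = eta^T . avec, using sigma_Z(a) = Omega_Z avec."""
    omega = embedding_matrix(m, p)
    sigma = [sum(omega[k][i] * avec[i] for i in range(len(avec)))
             for k in range(len(omega))]
    return (math.sqrt(sum(abs(z) ** 2 for z in sigma)),
            math.sqrt(sum(x * x for x in avec)))

def lemma10_holds(m, p, avec, tol=1e-9):
    """||avec||_2 <= ||a||_2 <= sqrt(m) ||avec||_2 (Lemma 10 (1), (2))."""
    na, nv = norms(m, p, avec)
    return nv <= na + tol and na <= math.sqrt(m) * nv + tol
```

For the constant vector \((1,1,1,1)\) the two norms coincide (eigenvalue 1), and for \((1,-1,0,0)\), which is orthogonal to \({\varvec{1}}\), the bound of Lemma 10 (1) is attained with equality (eigenvalue m).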
Lemma 11.
- (1) For any \(a \in Z\), \(\Vert a\Vert _\infty \; \le \; \sqrt{mg} \Vert {\varvec{a}}\Vert _\infty .\)
- (2) For any \({\varvec{a}} \in \mathbb {R}^g\), \(\Vert {\varvec{a}}\Vert _\infty \; \le \; \sqrt{g} \Vert a\Vert _\infty .\)
- (3) If a is far from constants, we have \(\Vert {\varvec{a}}\Vert _\infty \; \lessapprox \; \sqrt{g/m} \Vert a\Vert _\infty .\)
Proof.
- (1) By Lemma 10-(1), \(\Vert a\Vert _\infty \le \Vert a\Vert _2 \le \sqrt{m} \Vert {\varvec{a}}\Vert _2 \le \sqrt{mg} \Vert {\varvec{a}}\Vert _\infty .\)
- (2) By Lemma 10-(2), \(\Vert {\varvec{a}}\Vert _\infty \le \Vert {\varvec{a}}\Vert _2 \le \Vert a\Vert _2 \le \sqrt{g} \Vert a\Vert _\infty .\)
- (3) By Lemma 10-(3), \(\Vert {\varvec{a}}\Vert _\infty \le \Vert {\varvec{a}}\Vert _2 \approx \frac{1}{\sqrt{m}} \Vert a\Vert _2 \le \sqrt{g/m} \Vert a\Vert _\infty .\) \(\Box \)
Subgaussian elements. We call a random variable \(a \in Z\) subgaussian with parameter s if the corresponding random variable \(\sigma _Z(a)\) on \(H_Z\) is subgaussian with parameter s.
Lemma 12
(Claim 2.1, Claim 2.4 [16]). Let \(a_i\) be independent subgaussian random variables over Z with parameter \(s_i\) \((i=1,2)\). Then,
- 1. The sum \(a_1 + a_2\) is subgaussian with parameter \(\sqrt{s_1^2 + s_2^2}\).
- 2. For any fixed \(a_2\), the product \(a_1 \cdot a_2\) is subgaussian with parameter \(\Vert a_2\Vert _\infty s_1\).
Lemma 13
Let \({\varvec{a}}\) be a subgaussian random variable over \(\mathbb {R}^g\) of parameter s. Then, \(a = \varvec{\eta }^T \cdot {\varvec{a}}\) is subgaussian over Z of parameter \(\sqrt{m} s\).
Proof
By Lemma 6 \(\sigma _Z(a) = \varOmega _Z {\varvec{a}}\). As seen in the proof of Lemma 10, \(s_1(\varOmega _Z) = \sqrt{m}\). Hence, \(\sigma _Z(a)\) is subgaussian of parameter \(\sqrt{m} s\). \(\Box \)
A.3 Correctness of Our Subring Homomorphic Encryption Scheme
Let \(\varvec{\chi }_{key}\) and \(\varvec{\chi }_{err}\) be discrete Gaussian distributions over \(\mathbb {Z}^g\) of parameters \(s_{key}\) and \(s_{err}\), respectively. In the following, the vectors \({\varvec{a}}\), \({\varvec{b}}\), \(\cdots \) denote the corresponding \(\eta \)-vectors of the elements \(a = \varvec{\eta }^T \cdot {\varvec{a}}\), \(b = \varvec{\eta }^T \cdot {\varvec{b}}\), \(\cdots \) in the decomposition ring \(R_Z\), respectively.
Definition 4
The inherent noise term e of ciphertext \(ct = ({\varvec{a}}, {\varvec{b}})\) designed for \({\varvec{m}} \in \mathbb {Z}_t^g\) is an element \(e \in R_Z\) with the smallest norm \(\Vert e\Vert _\infty \) satisfying that
for some \(\alpha \in R_Z\), secret key \(\mathsf {sk} = {\varvec{s}}\), and \(m_\xi = \varvec{\xi }^T \cdot {\varvec{m}} \in R_Z\).
By definition, a ciphertext \(ct = ({\varvec{a}}, {\varvec{b}}) \leftarrow \mathsf {Encrypt}({\varvec{s}}, {\varvec{m}})\) has \(e = \varvec{\eta }^T \cdot {\varvec{e}}\) as an inherent noise term designed for \({\varvec{m}}\) with \({\varvec{e}} \leftarrow \varvec{\chi }_{err}\). By Lemma 13, e is subgaussian of parameter \(\sqrt{m} s_{err}\) and by the tail inequality (Eq. 2), \( \Vert e\Vert _\infty \le \omega (\sqrt{\log \lambda }) \sqrt{m} s_{err} \) with an overwhelming probability.
Define \(B_{correct} {\mathop {=}\limits ^{\tiny \text{ def }}}\frac{\sqrt{m}}{2 \sqrt{g}} \varDelta .\)
Lemma 14
(Noise bound for correctness). Let e be the inherent noise term of ciphertext \(ct=({\varvec{a}}, {\varvec{b}})\) designed for \({\varvec{m}} \in \mathbb {Z}_t^g\). If \(\Vert e\Vert _\infty < B_{correct}\) (i.e. if \(\frac{\sqrt{g}}{\sqrt{m}} \Vert e\Vert _\infty < \frac{1}{2}\varDelta \)), then decryption works correctly, i.e. \( \mathsf {Decrypt}({\varvec{s}},ct) = {\varvec{m}}. \)
Proof
By definition of the inherent noise term, \({\varvec{a}}\) and \({\varvec{b}}\) satisfy that
By Lemma 11-(3),
Hence, the \(\eta \)-vector of the left-hand side of Eq. (9) rounds to \({\varvec{n}}\) satisfying that \(\varvec{\eta }^T \cdot {\varvec{n}} = m_\xi = \varvec{\xi }^T \cdot {\varvec{m}}\). \(\Box \)
Lemma 15
(Noise bound for Add ). Let \(e_1\) and \(e_2\) be inherent noise terms of ciphertexts \(ct_1=({\varvec{a}}_1,{\varvec{b}}_1)\) and \(ct_2=({\varvec{a}}_2,{\varvec{b}}_2)\) designed for \({\varvec{m}}_1\) and \({\varvec{m}}_2 \in \mathbb {Z}_t^g\), respectively. Let e be the inherent noise term of \(ct = \mathsf {Add}(ct_1, ct_2)\) designed for \({\varvec{m}}_1 + {\varvec{m}}_2 \in \mathbb {Z}_t^g\). Then,
Lemma 16
(Noise bound for linearization). Let \(\mathsf {ev}=\bigl ((\varvec{\alpha }_k, \varvec{\beta }_k)\bigr )_{k=0}^{l_w-1} \leftarrow \mathsf {EvaluateKeyGen}({\varvec{s}})\) be an evaluation key for a secret key \(\mathsf {sk} = {\varvec{s}}\). Suppose that a triple of elements e, c, d in \(R_Z\) satisfies
with \(m_\xi = \varvec{\xi }^T \cdot {\varvec{m}}\) and some \(x \in R_Z\) bounded as \(\Vert x\Vert _\infty \le B\). Let \(({\varvec{d}}_0, \cdots , {\varvec{d}}_{l_w-1}) = \mathsf {WD}({\varvec{d}})\). Then, for \(a = c + \sum _{k=0}^{l_w-1} d_k \alpha _k\) and \(b = e + \sum _{k=0}^{l_w-1} d_k \beta _k\), the pair \(ct = ({\varvec{a}}, {\varvec{b}})\) constitutes a ciphertext that has an inherent noise term y designed for \({\varvec{m}}\) bounded as
Proof
By definition of \(\mathsf {EvaluateKeyGen}\), the k-th pair \((\varvec{\alpha }_k, \varvec{\beta }_k)\) of \(\mathsf {ev}\) has an inherent noise term \(x_k\) designed for \(w^k s^2\), which is subgaussian of parameter \(\sqrt{m} s_{err}\). Then,
We estimate \(\Vert y\Vert _\infty \) for \(y := x + \sum _{k=0}^{l_w-1} d_k x_k\). First by Lemma 11 (1), \(\Vert d_k\Vert _\infty \le \sqrt{mg} \Vert {\varvec{d}}_k\Vert _\infty \le \sqrt{mg} w\). Then, by Lemma 12, \(d_k x_k\) are independently subgaussian of parameter \(\Vert d_k\Vert _\infty s_{err} \le \sqrt{mg} w s_{err}\), and \(\sum _{k=0}^{l_w-1} d_k x_k\) is subgaussian of parameter \(\sqrt{l_w} \sqrt{mg} w s_{err}\). Hence,
\(\Box \)
Lemma 17
(Noise bound for \(\mathsf {Mult}\) ). Let \(e_1\) and \(e_2\) be inherent noise terms of ciphertexts \(ct_1=({\varvec{a}}_1,{\varvec{b}}_1)\) and \(ct_2=({\varvec{a}}_2,{\varvec{b}}_2)\) designed for \({\varvec{m}}_1\) and \({\varvec{m}}_2 \in \mathbb {Z}_t^g\), respectively. Suppose \(\Vert e_i\Vert _\infty \le B \, (< B_{correct})\) for \(i=1,2\). Let f be the inherent noise term of \(ct = \mathsf {Mult}(ct_1, ct_2)\) designed for \({\varvec{m}}_1 \odot {\varvec{m}}_2 \in \mathbb {Z}_t^g\). Then,
Proof
We prepare two claims.
Claim
Let \(e_0 = \frac{1}{\varDelta } b_1 b_2\), \(c_0 = \frac{1}{\varDelta } (a_1 b_2 + a_2 b_1)\), \(d_0 = \frac{1}{\varDelta } a_1 a_2\). Then,
with \(m_\xi = (m_1)_\xi (m_2)_\xi \) and some \(x \in R_Z\) bounded as
Proof
By assumption,
with \(\Vert x_i\Vert _\infty < B\). By Lemma 12 the product \(a_i s\) is subgaussian of parameter \(\Vert a_i\Vert _\infty s_{key} \le \sqrt{mg} \Vert {\varvec{a}}_i\Vert _\infty s_{key} \le \sqrt{mg} q s_{key}\). So, \(\alpha _i = \bigl \lfloor (b_i - a_i s)/q\bigr \rfloor \) is bounded as
By taking the product of the two equations (10), we get
with some \(v \in R_Z\), where
Hence, x is bounded as
\(\Box \)
Claim
Let \({\varvec{e}} = \Bigl \lfloor {\varvec{e}}_{\mathbf {0}}\Bigr \rceil \), \({\varvec{c}} = \Bigl \lfloor {\varvec{c}}_{\mathbf {0}}\Bigr \rceil \), \({\varvec{d}} = \Bigl \lfloor {\varvec{d}}_{\mathbf {0}}\Bigr \rceil \). Then,
with some \(y \in R_Z\) bounded as
Proof
Let \(y = (e-e_0) - (c-c_0) s + (d-d_0) s^2 \pmod {q}\).
Using Lemma 11 (1), \(\Vert e-e_0\Vert _\infty \le \sqrt{mg} \Vert {\varvec{e}}-{\varvec{e}}_0\Vert _\infty \le \sqrt{mg}/2\).
Similarly, \(\Vert c-c_0\Vert _\infty \le \sqrt{mg}/2\) and by Lemma 9, \(\big \Vert (c-c_0) s\big \Vert _\infty \le \big \Vert c-c_0\big \Vert _\infty \big \Vert s\big \Vert _\infty \le \sqrt{mg}/2 \cdot \omega (\sqrt{\log \lambda }) s_{key} = \omega (\sqrt{\log \lambda }) \sqrt{mg} s_{key}\). Similarly, \(\big \Vert (d-d_0) s^2\big \Vert _\infty \le \omega (\log \lambda ) \sqrt{mg} s_{key}^2\).
Thus,
\(\Box \)
By the two claims we know that
with \(z=x+y\) bounded as
Finally, applying Lemma 16 to our situation, we know that Mult will output a ciphertext \(ct=({\varvec{a}}, {\varvec{b}})\) that has an inherent noise term f designed for \(m_\xi = (m_1)_\xi (m_2)_\xi \), satisfying that
\(\Box \)
Proof of Theorem 2. By Lemma 14, a ciphertext ct that encrypts plaintext \({\varvec{m}}\) can be correctly decrypted if its inherent noise term e designed for \({\varvec{m}}\) satisfies that
By Lemma 17, one multiplication increases \(\frac{\sqrt{g}}{\sqrt{m}}\) times the infinity norm of the noise of the input ciphertexts by \(\log _2(t \omega (\sqrt{\log \lambda }) g s_{key}) = O(\log \lambda )\) bits. Hence, to correctly evaluate an arithmetic circuit over \(\mathbb {Z}_t^g\) with L levels of multiplications, it suffices that
By Lemma 4 of [3], we can implement the \(\mathsf {Decrypt}\) algorithm by a circuit of level \(L_{dec} = O(\log \lambda )\). Hence, by taking \(q = O(\lambda ^{\log \lambda })\), the subring homomorphic encryption scheme can homomorphically evaluate its own \(\mathsf {Decrypt}\) circuit and is fully homomorphic under the circular security assumption. \(\Box \)
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
Cite this paper
Arita, S., Handa, S. (2018). Subring Homomorphic Encryption. In: Kim, H., Kim, DC. (eds) Information Security and Cryptology – ICISC 2017. ICISC 2017. Lecture Notes in Computer Science(), vol 10779. Springer, Cham. https://doi.org/10.1007/978-3-319-78556-1_7
DOI: https://doi.org/10.1007/978-3-319-78556-1_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-78555-4
Online ISBN: 978-3-319-78556-1