Efficient RLWE-Based Multi-key Fully Homomorphic Encryption Without Key-Switching

Abstract

The previous leveled BGV-type MKFHE schemes (e.g. CZW17, LZY⁺19) based on the standard RLWE assumption are implemented by using key-switching and modulus-switching techniques. However, the frequent usage of key-switching causes the low efficiency of homomorphic multiplication operation. The CDKS19 scheme proposed two new simpler and faster relinearization algorithms, which supported the homomorphic computation with certain circuit depth. However, the construction that satisfies the fully homomorphic computation was not designed, and its relinearization performance can be further optimized.

In this paper, a more efficient leveled BGV-type MKFHE scheme without key-switching is constructed. Firstly, the generation method of evaluation key is improved, and two optimized generation algorithms of relinearization key are proposed. Secondly, following the relinearization algorithm framework of CDKS19, two efficient relinearization algorithms are proposed. The new algorithms are much faster to re-linearize the product of ciphertexts. Finally, using the optimized relinearization algorithms to replace the key-switching technology logically, and combining the modulus-switching technology, an efficient leveled MKFHE is constructed.

The results show that our MKFHE scheme is IND-CPA secure based on the standard RLWE assumption, and supports any parties dynamically join the homomorphic computation at any time. Moreover, the time complexity of relinearization and decryption is less than that of CDKS19. So it is a leveled BGV-type MKFHE scheme with more efficient homomorphic computation.

Appendix

1.1 A. Time Complexity

In this appendix, we calculate the time complexity in Tables 1 and 2.

We define the time complexity as the scalar operation (addition or multiplication) of a polynomial, denoted as \(\Delta\). For example, the time complexity of the product of two n-dimensional polynomials \(a,b \in R_{q}\) is defined as \(\Delta n\). Also, our optimized relinearization algorithm allows parties to generate their evaluation key \({\mathbf{D}}_{i}\) offline, so we do not calculate the time complexity of \({\mathbf{D}}_{i}\) any more.

• A1. Time Complexity Calculation in Table 1

(1) For the CDKS19 scheme, the cloud server needs to perform \(\left( {2d^{3} + d + con} \right)\) (where \(con\) is a constant term) times polynomial multiplications to complete once relinearization, so the time complexity of once relinearization is about \(O(d^{3} n)\).

In the same way, we can calculate the time complexity of our optimized relinearization algorithms.

(2) For the Method 1, the cloud server needs to perform \(\left( {2d^{2} + d + con} \right)\) times polynomial multiplications to complete once relinearization, so the time complexity of once relinearization is about \(O(d^{2} n)\).

(3) For the Method 2, the cloud server needs to perform \(\left( {2d + con} \right)\) times polynomial multiplications to complete once relinearization, so the time complexity of once relinearization is about \(O(dn)\).

• A2. Time Complexity Calculation in Table 2

(1) For the CDKS19 scheme

Every two parties need to perform \(\left( {2d^{2} + con} \right)\) times polynomial multiplications to generate a relinearization key. For k parties, at least \(\left\lfloor {k/2} \right\rfloor\) relinearization keys need to be generated. So, the time complexity of generating all the relinearization keys is about \(O(d^{2} kn)\).

If the two parties decrypt the homomorphic multiplication of their ciphertexts successfully, the cloud server needs to perform \(\left( {2k^{{2}} d^{3} + k^{{2}} d + k + con} \right)\) times polynomial multiplications, so the time complexity is about \(O(k^{{2}} d^{3} n)\).

(2) For the Method 1

Every two parties need to perform \(\left( {2d + con} \right)\) times polynomial multiplications to generate a relinearization key. So, the time complexity of generating all the relinearization keys is about \(O(kdn)\).

If the two parties decrypt the homomorphic multiplication of their ciphertexts successfully, the cloud server needs to perform \(\left( {2k^{{2}} d^{2} + k^{{2}} d + k + con} \right)\) times polynomial multiplications, so the time complexity is about \(O(k^{{2}} d^{2} n)\).

(3) For the Method 2

Every two parties need to perform \(\left( {2d + con} \right)\) times polynomial multiplications to generate a relinearization key. So, the time complexity of generating all the relinearization keys is about \(O(kdn)\).

If the two parties decrypt the homomorphic multiplication of their ciphertexts successfully, the cloud server needs to perform \(\left( {2k^{{2}} d + {2}k^{{2}} d + k + con} \right)\) times polynomial multiplications, so the time complexity is about \(O(k^{{2}} d^{2} n)\).

1.2 B. Error Analysis

Set the bound of \(\psi\) and \(\chi\) is \(B\), so for the \(a,b \in \psi\), such that \(||a \cdot b||_{\infty } \le nB^{2}\).

• 1. For the Method 1

As shown in Method 1 of Subsect.3.1, the error size of \({\mathbf{K}}_{i,j} \cdot \left( {1,s_{i} ,s_{j} } \right)\) is as follows.

$$ ||e_{{{\text{small}}}} ||_{\infty } = ||{\mathbf{g}}^{ - 1} (b_{j} ){\mathbf{e}}_{1} + s_{j} e_{2} + r_{i} e_{j} {||}_{\infty } \le n\left\lceil {\log q_{l} } \right\rceil (d + 1)B + n\left\lceil {\log q_{l} } \right\rceil B^{2} ; $$

After relinearization and decryption, we can get the following results.

$$ \begin{array}{*{20}l} {< {\overline{{{\mathbf{ct^{\prime}}}}} ,{\overline{\mathbf{s}}}} > = c^{\prime}_{0} + \sum\nolimits_{i = 1}^{k} {c^{\prime}_{i} } \cdot s_{i} } \hfill \\ { = c_{0,0} + \sum\nolimits_{i = 1}^{k} {(c_{i,0} + c_{0,i} )_{i} } s_{i} + \sum\nolimits_{i,j = 1}^{k} {\sum\nolimits_{\varsigma = 0}^{d - 1} {\left( {c_{i,j} } \right)_{\varsigma } \cdot {\mathbf{K}}_{i,j} \cdot \left( {1,s_{i} ,s_{j} } \right)} } \begin{array}{*{20}c} {} & {(\bmod q_{l} )} \\ \end{array} } \hfill \\ { = c_{0,0} + \sum\nolimits_{i = 1}^{k} {(c_{i,0} + c_{0,i} )_{i} } s_{i} + \sum\nolimits_{i,j = 1}^{k} {c_{i,j} \cdot s_{i} s_{j} } + e_{{{\text{mult}}}} } \hfill \\ \end{array} $$

Therefore, after successful decryption, the final error size is as follows.

$$ \begin{array}{*{20}l} {||e_{{{\text{mult}}}} ||_{\infty } = ||\sum\nolimits_{i,j = 1}^{k} {\sum\nolimits_{\varsigma = 0}^{d - 1} {\left( {c_{i,j} } \right)_{\varsigma } \cdot e_{{{\text{small}}}} } } {||}_{\infty } } \hfill \\ { = \,k^{2} nd\left( {n\left\lceil {\log q_{l} } \right\rceil (d + 1)B + n\left\lceil {\log q_{l} } \right\rceil B^{2} } \right) \le O\left( {k^{2} n^{2} d^{2} \left\lceil {\log q_{l} } \right\rceil B^{2} } \right)} \hfill \\ \end{array} ; $$

• 2. For the Method 2

As shown in Method 2 of Subsect.3.1, we have

$$ ||e^{\prime}_{{{\text{small}}}} ||_{\infty } = ||\left( {{\mathbf{g}}^{ - 1} (b_{j} ){\mathbf{e}}_{1} + r_{i} e_{j} + s_{j} e_{2} } \right){||}_{\infty } { = }n\left\lceil {\log P \cdot q_{l} } \right\rceil (dB + B^{2} + B) $$

After relinearization and decryption, we can get the following results.

$$ \begin{array}{*{20}l} {||e^{\prime}_{{{\text{mult}}}} ||_{\infty } = ||\sum\nolimits_{i,j = 1}^{k} {P^{ - 1} \cdot c_{i,j} e^{\prime}_{{{\text{small}}}} } {||}_{\infty } } \hfill \\ {{ = }\left( {\left( {q_{l} \left\lceil {\log P \cdot q_{l} } \right\rceil } \right)/2P} \right)k^{2} n^{2} (dB + B^{2} + B) \le O\left( {\left( {\left( {q_{l} \left\lceil {\log P \cdot q_{l} } \right\rceil } \right)/2P} \right)k^{2} n^{2} dB^{2} } \right)} \hfill \\ \end{array} $$

Note. we usually choose the \(P \succ q_{l}\), that is \(P/q_{l} \approx 1\). So

$$ O\left( {\left( {\left( {q_{l} \left\lceil {\log P \cdot q_{l} } \right\rceil } \right)/2P} \right)k^{2} n^{2} dB^{2} } \right) \approx O\left( {k^{2} n^{2} d\left\lceil {\log q_{l} } \right\rceil B^{2} } \right). $$

• 3. For the CDKS19

As shown in Subsect. 2.5, the CDKS19 scheme completes once relinearization and decryption generating the error as follows.

$$ ||e_{{{\text{CDKS}}}} ||_{\infty } = k^{2} nd\left( {n\left\lceil {\log q_{l} } \right\rceil (d + 1)B + n\left\lceil {\log q_{l} } \right\rceil B^{2} } \right) \le O\left( {k^{2} n^{2} d^{2} \left\lceil {\log q_{l} } \right\rceil B^{2} } \right). $$