
Practical Homomorphic Encryption Over the Integers for Secure Computation in the Cloud

  • Conference paper
  • Cryptography and Coding (IMACC 2017)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10655)

Abstract

We present novel homomorphic encryption schemes for integer arithmetic, intended primarily for use in secure single-party computation in the cloud. These schemes are capable of securely computing arbitrary degree polynomials homomorphically. In practice, ciphertext size and running times limit the polynomial degree, but this appears sufficient for most practical applications. We present four schemes, with increasing levels of security, but increasing computational overhead. Two of the schemes provide strong security for high-entropy data. The remaining two schemes provide strong security regardless of this assumption. These four algorithms form the first two levels of a hierarchy of schemes which require linearly decreasing entropy. We have evaluated these four algorithms by computing low-degree polynomials. The timings of these computations are extremely favourable by comparison with even the best of existing methods, and dramatically out-perform running times of directly comparable schemes by a factor of up to 1000, and considerably more than that for fully homomorphic schemes, used in the same context. The results clearly demonstrate the practical applicability of our schemes.


Notes

  1. However, note that our “N” schemes below provide security even against more malicious snooping.

  2. Paillier supports computation of linear functions with known coefficients homomorphically by repeated addition.

  3. The condition \(a_1, a_2, a_1-a_2\ne 0\) (\(\bmod \ p\) and \(\bmod \ q\)) fails with exponentially small probability \(3(1/p+1/q)\). Thus, \(a_1\) and \(a_2\) are indistinguishable in polynomial time from \(a_1,a_2\xleftarrow {\$}[0,pq)\).

References

  1. Acar, A., et al.: A survey on homomorphic encryption schemes: theory and implementation (2017). arXiv:1704.03578 [cs.CR]

  2. Aguilar-Melchor, C., et al.: A comparison of open-source homomorphic libraries with multi-precision plaintext moduli, WHEAT 2016, July 2016. https://wheat2016.lip6.fr/ricosset.pdf

  3. Aumasson, J.-P.: On the pseudo-random generator ISAAC. Cryptology ePrint Archive: 2006/438 (2006)

  4. Bellare, M., Rogaway, P.: Introduction to Modern Cryptography. Lecture Notes (2005)

  5. Bellare, M., et al.: A concrete security treatment of symmetric encryption. In: Proceedings of FOCS 1997, pp. 394–403 (1997)

  6. Bellare, M., Desai, A., Pointcheval, D., Rogaway, P.: Relations among notions of security for public-key encryption schemes. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 26–45. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055718

  7. Berlekamp, E.R.: Factoring polynomials over large finite fields. Math. Comput. 24(111), 713–735 (1970)

  8. Bogos, S., et al.: Cryptanalysis of a Homomorphic Encryption Scheme. Cryptology ePrint Archive: 2016/775 (2016)

  9. Boneh, D., Shoup, V.: A Graduate Course in Applied Cryptography. Draft 0.2 (2015)

  10. Bonte, C., et al.: Faster homomorphic function evaluation using non-integral base encoding. Cryptology ePrint Archive: 2017/333 (2017)

  11. Bos, J.W., et al.: Privacy-friendly Forecasting for the Smart Grid using Homomorphic Encryption and the Group Method of Data Handling. Cryptology ePrint Archive: 2016/1117 (2016)

  12. Brakerski, Z., Vaikuntanathan, V.: Fully homomorphic encryption from Ring-LWE and security for key dependent messages. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 505–524. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_29

  13. Brakerski, Z., et al.: (Leveled) Fully homomorphic encryption without bootstrapping. In: Proceedings of ITCS 2012, pp. 309–325 (2012)

  14. Catalano, D., Fiore, D.: Boosting linearly-homomorphic encryption to evaluate degree-2 functions on encrypted data. Cryptology ePrint Archive: 2014/813 (2014)

  15. Catalano, D., Fiore, D.: Using linearly-homomorphic encryption to evaluate degree-2 functions on encrypted data. In: Proceedings of CCS 2015, pp. 1518–1529. ACM (2015)

  16. Chen, Y., Nguyen, P.Q.: Faster algorithms for approximate common divisors: breaking fully homomorphic encryption challenges over the integers. In: Proceedings of EUROCRYPT 2012, pp. 502–519 (2012)

  17. Cohn, H., Heninger, N.: Approximate common divisors via lattices. In: Proceedings of ANTS X, vol. 1, pp. 271–293 (2012)

  18. Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol. 10(4), 233–260 (1997)

  19. Coron, J.-S., Mandal, A., Naccache, D., Tibouchi, M.: Fully homomorphic encryption over the integers with shorter public keys. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 487–504. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_28

  20. CryptoExperts: FV-NFLlib. https://github.com/CryptoExperts/FV-NFLlib

  21. Dautelle, J.-M.: JScience. Version 4.3.1, September 2014. http://jscience.org

  22. van Dijk, M., Gentry, C., Halevi, S., Vaikuntanathan, V.: Fully homomorphic encryption over the integers. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 24–43. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_2

  23. van Dijk, M., Juels, A.: On the impossibility of cryptography alone for privacy-preserving cloud computing. In: Proceedings of HotSec 2010, pp. 1–8 (2010)

  24. Ducas, L., Micciancio, D.: FHEW: bootstrapping homomorphic encryption in less than a second. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 617–640. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_24

  25. Ducas, L., Micciancio, D.: FHEW. A fully homomorphic encryption library. https://github.com/lducas/FHEW

  26. ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 10–18. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-39568-7_2

  27. Erkin, Z., Franz, M., Guajardo, J., Katzenbeisser, S., Lagendijk, I., Toft, T.: Privacy-preserving face recognition. In: Goldberg, I., Atallah, M.J. (eds.) PETS 2009. LNCS, vol. 5672, pp. 235–253. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03168-7_14

  28. Fan, J., Vercauteren, F.: Somewhat practical fully homomorphic encryption. Cryptology ePrint Archive: 2012/144 (2012)

  29. Galbraith, S.D., et al.: Algorithms for the approximate common divisor problem. LMS J. Comput. Math. 19(A), 58–72 (2016)

  30. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Proceedings of STOC 2009, pp. 169–178 (2009)

  31. Goldreich, O., et al.: How to play ANY mental game. In: Proceedings of STOC 1987, pp. 218–229 (1987)

  32. Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)

  33. Goldwasser, S., et al.: Reusable garbled circuits and succinct functional encryption. In: Proceedings of STOC 2013, pp. 555–564 (2013)

  34. Halevi, S., Shoup, V.: Bootstrapping for HElib. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 641–670. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_25

  35. Halevi, S., Shoup, V.: HElib. https://github.com/shaih/HElib

  36. Howgrave-Graham, N.: Approximate integer common divisors. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 51–66. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44670-2_6

  37. Jenkins, B.: ISAAC: a fast cryptographic random number generator (1996). http://burtleburtle.net/bob/rand/isaacafa.html

  38. Joye, M., Libert, B.: Efficient cryptosystems from 2\(^{k}\)-th power residue symbols. In: Proceedings of EUROCRYPT 2013, pp. 76–92 (2013)

  39. Kipnis, A., Hibshoosh, E.: Efficient methods for practical fully homomorphic symmetric-key encryption, randomization and verification. Cryptology ePrint Archive: 2012/637 (2012)

  40. Kleinjung, T., et al.: Factorization of a 768-Bit RSA modulus. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 333–350. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_18

  41. Laine, K., et al.: Simple Encrypted Arithmetic Library - SEAL. Version 2.2 (2017). https://sealcrypto.codeplex.com/

  42. Lauter, K., et al.: Can homomorphic encryption be practical? In: Proceedings of CCSW 2011, pp. 113–124 (2011)

  43. Massey, J.L.: Guessing and entropy. In: Proceedings of ISIT 1994, p. 204 (1994)

  44. Moshkovitz, D.: An alternative proof of the Schwartz-Zippel lemma. In: Electronic Colloquium on Computational Complexity (ECCC), p. 96 (2010)

  45. Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_16

  46. Popa, R.A., et al.: CryptDB: protecting confidentiality with encrypted query processing. In: Proceedings of SOSP 2011, pp. 85–100 (2011)

  47. Rabin, M.O.: Digitalized signatures and public-key functions as intractable as factorization. Technical report. MIT/LCS/TR-212, p. 12 (1979)

  48. Ricosset, T.: HElib-MP. https://github.com/tricosset/HElib-MP

  49. Rivest, R.L., et al.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)

  50. Rivest, R.L., et al.: On data banks and privacy homomorphisms. Found. Secure Comput. 4(11), 169–180 (1978)

  51. Schafer, R.D.: An Introduction to Nonassociative Algebras, vol. 22. Dover, New York (1966)

  52. Stephen, J.J., et al.: Practical confidentiality preserving big data analysis. In: Proceedings of HotCloud 2014, p. 10 (2014)

  53. Tetali, S.D., et al.: MRCrypt: static analysis for secure cloud computations. In: Proceedings of OOPSLA 2013, pp. 271–286 (2013)

  54. Thomson, I.: Microsoft researchers smash homomorphic encryption speed barrier, 9 February 2016. https://www.theregister.co.uk/2016/02/09/researchers_break_homomorphic_encryption/

  55. Varia, M., et al.: HETest: a homomorphic encryption testing framework. Cryptology ePrint Archive: 2015/416 (2015)

  56. Vivek, S.: Homomorphic encryption API software library, 21 February 2017. http://heat-h2020-project.blogspot.co.uk/2017/02/homomorphic-encryptionapi-software.html

  57. Vizár, D., Vaudenay, S.: Cryptanalysis of chosen symmetric homomorphic schemes. Stud. Sci. Math. Hung. 52(2), 288–306 (2015)

  58. Yu, A., et al.: Efficient integer vector homomorphic encryption (2015). https://courses.csail.mit.edu/6.857/2015/files/yu-lai-payor.pdf

  59. Zhou, H., Wornell, G.: Efficient homomorphic encryption on integer vectors and its applications. In: Proceedings of ITA 2014, pp. 1–9 (2014)


Correspondence to James Dyer.


Appendices

A Generalisation to k Dimensions

In this appendix, we generalise HE2 and HE2N to k-vectors. HE1 and HE1N are the cases for \(k=1\) and HE2 and HE2N are the cases for \(k=2\).

A.1 Sufficient Entropy (HEk)

We generalise HE2 to k dimensions.

Key Generation. randomly chooses p and q according to the bounds given in Sect. 4.1. sets \({\varvec{a}}_j \xleftarrow {\$}[1,pq)^k\), \(\forall j\in [1,k-1]\), and R (detailed in “Multiplication” below). The secret key is \((p,{\varvec{a}}_1,\ldots ,{\varvec{a}}_{k-1})\), and the public parameters are pq and R.

Computational Overhead. By comparison with HE1, the computational overhead increases: the number of arithmetic operations per plaintext multiplication is \(O(k^3)\), and the space requirement per ciphertext is O(k).

Encryption. A plaintext, \(m \in [0,M]\), is enciphered as

where \({\varvec{c}}\) is a k-vector, \(r\xleftarrow {\$}[0,q)\), and \(\forall j, s_j \xleftarrow {\$}[0,pq)\). Let \({\varvec{a}}_0={\varvec{1}}\), and \(A_k=[{\varvec{a}}_0\ {\varvec{a}}_1\ \ldots \ {\varvec{a}}_{k-1}]\). We wish the columns of \(A_k\) to be a basis for \(\mathbb {Z}^k_{pq}\). We can show that they do so with high probability. If they do not, we generate new vectors until they do.

Lemma 2

\(\Pr ({\varvec{a}}_0,{\varvec{a}}_1,\ldots ,{\varvec{a}}_{k-1}\) do not form a basis\()\le (k-1)(1/p+1/q)\).

We extend our definition of an augmented vector \({\varvec{v}}_\star \), for a k-vector, \({\varvec{v}}\), such that \({\varvec{v}}_\star \) is a \(\left( {\begin{array}{c}k+1\\ 2\end{array}}\right) \)-vector, with components \(v_i\) (\(1\le i \le k\)) followed by \(2v_i-v_j\) (\(1\le i<j\le k\)). In general, for \(\ell >k\), \(v_\ell =2v_i-v_j\), where \(\ell =\left( {\begin{array}{c}i\\ 2\end{array}}\right) +k+j-1\). Note that \({\varvec{v}}_\star =U_k{\varvec{v}}\) for a \(\left( {\begin{array}{c}k+1\\ 2\end{array}}\right) \times k\) matrix \(U_k\) with entries \(0,\pm 1,2\), and whose first k rows form the \(k\times k\) identity matrix \(I_k\). It follows that \({\varvec{1}}_\star \) is the \(\left( {\begin{array}{c}k+1\\ 2\end{array}}\right) \)-vector of 1’s, and that \(\star \) is a linear mapping, i.e. \((r_1{\varvec{v}}_1+r_2{\varvec{v}}_2)_\star =r_1{\varvec{v}}_{1\star }+r_2{\varvec{v}}_{2\star }\).

Decryption. , where \({\varvec{\gamma }}^T=(A_k^{-1})_1\) is the first row of \(A_k^{-1}\). We call \({\varvec{\gamma }}\) the decryption vector, as in HE2.

Addition. Addition is the vector sum of the ciphertext vectors as in HE2.

Multiplication. Consider the Hadamard product of two augmented ciphertext vectors, \({\varvec{c}}_\star \circ {\varvec{c}}'_\star \). For notational brevity, let \(\tilde{m}=m+rp\).

$$\begin{aligned}&{\varvec{c}}_\star \circ {\varvec{c}}'_\star \ =\ \big (\tilde{m}{\varvec{1}}_\star +\textstyle \sum _{j=1}^{k-1}s_j{\varvec{a}}_{\star j}\big )\circ \big (\tilde{m}'{\varvec{1}}_\star +\textstyle \sum _{j=1}^{k-1}s'_j{\varvec{a}}_{\star j}\big )\qquad \qquad \qquad \\&\qquad \qquad =\ \tilde{m}\tilde{m}'{\varvec{1}}_\star +\textstyle \sum _{j=1}^{k-1}(\tilde{m}s'_j+\tilde{m}'s_j){\varvec{a}}_{\star j} +\textstyle \sum _{j=1}^{k-1}s_js'_j{\varvec{a}}_{\star j}\circ {\varvec{a}}_{\star j}\\&\qquad \qquad \quad \quad + \textstyle \sum _{1\le i< j\le k-1}(s_is'_j+s_i's_j){\varvec{a}}_{\star i}\circ {\varvec{a}}_{\star j}, \end{aligned}$$

since \({\varvec{1}}_\star \circ {\varvec{v}}_\star ={\varvec{v}}_\star \) for any \({\varvec{v}}\). There are \(\left( {\begin{array}{c}k\\ 2\end{array}}\right) \) product vectors, which we must eliminate using the re-encryption matrix R, a \(k\times \left( {\begin{array}{c}k+1\\ 2\end{array}}\right) \) matrix.

Lemma 3

Let \(A_{\star k}=[{\varvec{a}}_{\star 0}\ {\varvec{a}}_{\star 1}\ \ldots \ {\varvec{a}}_{\star ,k-1}]\), where the columns of \(A_k\) form a basis for \(\mathbb {Z}^k_{pq}\). If \(RA_{\star k}=A_k\), then \(R{\varvec{v}}_\star ={\varvec{v}}\) for all \({\varvec{v}}\in \mathbb {Z}^k_{pq}\).

The condition \(RA_{\star k}=A_k\) can be written more simply, since it is \(RU_kA_k=A_k\). Postmultiplying by \(A_k^{-1}\) gives \(RU_k=I_k\). Now, since \(RA_{\star k}=A_k\), we have

$$ R({\varvec{c}}_\star \circ {\varvec{c}}'_\star )\ =\ (mm'+\hat{r}p){\varvec{1}}+\textstyle \sum _{j=1}^{k-1}\hat{s}_j{\varvec{a}}_{j} + \textstyle \sum _{1\le i\le j\le k-1}\hat{s}_{ij}R({\varvec{a}}_{\star i}\circ {\varvec{a}}_{\star j}), $$

where \(\hat{r}\), \(\hat{s}_j\) and \(\hat{s}_{ij}\) (\(1\le i<j\le k-1\)) are some integers.

There are \(k(\left( {\begin{array}{c}k+1\\ 2\end{array}}\right) -k)=k\left( {\begin{array}{c}k\\ 2\end{array}}\right) \) undetermined parameters \(R_{i\ell }\), \(1\le i\le k\), \(k < \ell \le \left( {\begin{array}{c}k+1\\ 2\end{array}}\right) \). We now determine these by setting

$$\begin{aligned} R({\varvec{a}}_{\star i}\circ {\varvec{a}}_{\star j})\ =\ \varrho _{ij}p{\varvec{1}}+\textstyle \sum _{l=1}^{k-1}\sigma _{ijl}{\varvec{a}}_l \end{aligned}$$
(2)

Thus we have \(k\left( {\begin{array}{c}k\\ 2\end{array}}\right) \) new unknowns, the \(\varrho \)’s and \(\sigma \)’s, and \(k\left( {\begin{array}{c}k\\ 2\end{array}}\right) \) linear equations for the \(k\left( {\begin{array}{c}k\\ 2\end{array}}\right) \) unassigned \(R_{i\ell }\)’s. Let \(A^{\circ 2}_{\star k}\) be the \(\left( {\begin{array}{c}k+1\\ 2\end{array}}\right) \times \left( {\begin{array}{c}k+1\\ 2\end{array}}\right) \) matrix with columns \({\varvec{a}}_{\star i}\circ {\varvec{a}}_{\star j}\) (\(0\le i< j < k\)), and let \(C_k\) be the \(k\times \left( {\begin{array}{c}k\\ 2\end{array}}\right) \) matrix with columns \(\varrho _{ij}p{\varvec{1}}+\sum _{l=1}^{k-1}\sigma _{ijl}{\varvec{a}}_l\) (\(0<i<j<k\)). Then the equations for the \(R_{i\ell }\) can be written as

$$\begin{aligned} RA^{\circ 2}_{\star k}\ =\ \left[ A_k \mid C_k\right] . \end{aligned}$$
(3)

giving \(k\left( {\begin{array}{c}k+1\\ 2\end{array}}\right) \) linear equations for the \(k\left( {\begin{array}{c}k+1\\ 2\end{array}}\right) \) \(R_{i\ell }\)’s in terms of quadratic functions of the \(k(k-1)\) \(a_{ij}\)’s (\(1\le i\le k, 1\le j\le k-1\)), which are undetermined. Thus the system has \(k(k-1)\) parameters that cannot be deduced from R.

The system of equations (3) has a solution provided that \(A^{\circ 2}_{\star k}\) has an inverse \(\bmod \ pq\). We prove that this is true with high probability. Again, in the unlikely event that this is not true, we generate new vectors \({\varvec{a}}_1,\ldots ,{\varvec{a}}_{k-1}\) until it is.

Theorem 6

\(A^{\circ 2}_{\star k}\text { has no inverse } \bmod {pq}\) with probability at most \((k^2-1)(1/p+1/q)\).

Note that Theorem 6 subsumes Lemma 2, since the first k columns of \(A^{\circ 2}_{\star k}\) contain \(A_k\) as a submatrix, and must be linearly independent.

Each \({\varvec{c}}\) introduces k new parameters \(rp,s_1,\ldots ,s_{k-1}\) and k equations, so the number of undetermined parameters is always \(k(k-1)\).

Cryptanalysis. Note that p can be determined from k ciphertexts \({\varvec{c}}_i\) whose plaintexts \(m_i\) are known. Let

$$\begin{aligned} C=[{\varvec{c}}_1-m_1{\varvec{1}}\ \ldots \ {\varvec{c}}_k-m_k{\varvec{1}}],\quad A_k=[{\varvec{1}}\ {\varvec{a}}_1\ \ldots \ {\varvec{a}}_{k-1}] \end{aligned}$$

and let

where \(r_i,s_{ij}\) refer to \({\varvec{c}}_i\). Then \(C=A_kW\), and so \(\det C=\det A_k\det W\). Note that \(\det W=p\det W'\), so \(\det C\) is a multiple of p. Now \(\det C\) can be determined in \(O(k^3)\) time and, if it is nonzero, p can be determined as \(\gcd (\det C,pq)\).

Lemma 4

\(\Pr (\det C = 0 \bmod \, pq)\le (2k-1)(1/p+1/q)\).

Once we have recovered p, we can use the known \(m_i\) to determine the decryption vector \({\varvec{\gamma }}\), by solving linear equations. Let \(C_0 = [{\varvec{c}}_1\ {\varvec{c}}_2\ \ldots \ {\varvec{c}}_k],\ {\varvec{m}}^T = [m_1\ m_2\ \ldots \ m_k]\).

Lemma 5

\(\Pr (\det C_0 = 0 \bmod \, pq)\le (2k-1)(1/p+1/q)\).

Thus, with high probability, we can uniquely solve the system \({\varvec{\gamma }}^TC_0= {\varvec{m}}^T \mod p\), to recover \({\varvec{\gamma }}\) and enable decryption of an arbitrary ciphertext. However, encryption of messages is not possible, since we gain little information about \({\varvec{a}}_1,\ldots ,{\varvec{a}}_k\). Note also that, if we determined p by some means other than using k known plaintexts, it is not clear how to recover \({\varvec{\gamma }}\).

To break this system, we need to guess k plaintexts. The entropy of a k-tuple of plaintexts \((m_1,m_2,\ldots ,m_k)\) is \(k\rho \), so effectively we need \(\mu ^k\) guesses, where \(\mu \) is the number of guesses needed to break HE1. So HEk can tolerate much smaller entropy than HE1, provided k is large enough. If k is sufficiently large, the scheme appears secure without adding noise, but does not have the other advantages of adding noise.

Fixing an Insecurity for \(k>2\). The decryption vector for HEk is \({\varvec{\gamma }}^T=(A_k^{-1})_1\). Note that \({\varvec{\gamma }}^T{\varvec{1}}=1\) and \({\varvec{\gamma }}^T{\varvec{a}}_i=0\) (\(i\in [1,k-1]\)), since \({\varvec{\gamma }}^T{\varvec{a}}_i=I_{1i}\) (\(i\in [0,k-1]\)).

The equations

$$\begin{aligned} R({\varvec{a}}_{\star i}\circ {\varvec{a}}_{\star j})\ =\ p\varrho _{ij}{\varvec{1}}+\textstyle \sum _{l=1}^{k-1}\sigma _{ijl}{\varvec{a}}_l, \end{aligned}$$
(4)

define a product \(\cdot \) on \(\mathbb {Z}^k_{pq}\) so that \({\varvec{c}}\cdot {\varvec{c}}'=R({\varvec{c}}_{\star }\circ {\varvec{c}}'_{\star })\). This product is linear, commutative and distributive, since R and \(\star \) are linear operators, and \(\circ \) is commutative and distributive. So we have an algebra \({\mathcal {A}}_k\), with unit element \({\varvec{1}}\) [51]. The \(\varrho _{ij},\sigma _{ijl}\) (\(i,j,l\in [1,k-1])\) are the structure constants of the algebra. In general, \({\mathcal {A}}_k\) will not be associative, i.e. we can have \(({\varvec{c}}_1\cdot {\varvec{c}}_2)\cdot {\varvec{c}}_3 \ne {\varvec{c}}_1\cdot ({\varvec{c}}_2\cdot {\varvec{c}}_3)\). This leads to a potential insecurity. We must have

$$\begin{aligned} {\varvec{\gamma }}^T(({\varvec{c}}_1\cdot {\varvec{c}}_2)\cdot {\varvec{c}}_3)\ =\ {\varvec{\gamma }}^T({\varvec{c}}_1\cdot ({\varvec{c}}_2\cdot {\varvec{c}}_3))\quad \pmod p, \end{aligned}$$
(5)

in order to have correct decryption. The associator for \({\mathcal {A}}_k\) is

$$\begin{aligned}{}[{\varvec{c}}_i,{\varvec{c}}_j,{\varvec{c}}_l]\ = {\varvec{c}}_i\cdot ({\varvec{c}}_j\cdot {\varvec{c}}_l)-({\varvec{c}}_i\cdot {\varvec{c}}_j)\cdot {\varvec{c}}_l =rp{\varvec{1}}+\textstyle \sum _{t=1}^{k-1}s_{t}{\varvec{a}}_t\ \, \pmod {pq}. \end{aligned}$$

Thus \([{\varvec{c}}_i,{\varvec{c}}_j,{\varvec{c}}_l]\) is an encryption of 0. If we can find k associators from \({\varvec{c}}_1,\ldots ,{\varvec{c}}_n\) which violate (5), with high probability we have k linearly independent associators. We can use these to make a collision attack on HEk, similar to that described in Sect. 3.1. We use the \(\gcd \) method to determine p, and then \({\varvec{\gamma }}\), as described in Sect. A.1. In fact all we need is that (5) holds for any associator. That is, for all \({\varvec{c}}_1, {\varvec{c}}_2, {\varvec{c}}_3\), we need

$$\begin{aligned} {\varvec{\gamma }}^T(({\varvec{c}}_1\cdot {\varvec{c}}_2)\cdot {\varvec{c}}_3)\ =\ {\varvec{\gamma }}^T({\varvec{c}}_1\cdot ({\varvec{c}}_2\cdot {\varvec{c}}_3))\quad \pmod {pq}, \end{aligned}$$

or, equivalently, using the Chinese Remainder Theorem,

$$\begin{aligned} {\varvec{\gamma }}^T(({\varvec{c}}_1\cdot {\varvec{c}}_2)\cdot {\varvec{c}}_3)\ =\ {\varvec{\gamma }}^T({\varvec{c}}_1\cdot ({\varvec{c}}_2\cdot {\varvec{c}}_3))\quad \pmod {q}. \end{aligned}$$
(6)

By linearity, (6) holds if and only if it holds for all basis elements, excluding the identity. That is, for all \(i,j,l\in [1,k-1]\), we need

$$\begin{aligned} {\varvec{\gamma }}^T({\varvec{a}}_i\cdot ({\varvec{a}}_j\cdot {\varvec{a}}_l))\ =\ {\varvec{\gamma }}^T(({\varvec{a}}_i\cdot {\varvec{a}}_j)\cdot {\varvec{a}}_l)\quad \pmod {q}. \end{aligned}$$
(7)

The associator for \({\mathcal {A}}_k\) is

$$\begin{aligned}{}[{\varvec{a}}_i,{\varvec{a}}_j,{\varvec{a}}_l]\ &= {\varvec{a}}_i\cdot ({\varvec{a}}_j\cdot {\varvec{a}}_l)-({\varvec{a}}_i\cdot {\varvec{a}}_j)\cdot {\varvec{a}}_l =rp{\varvec{1}}+\textstyle \sum _{t=1}^{k-1}s_{t}{\varvec{a}}_t\ \, \pmod {pq}, \end{aligned}$$

for some integers \(r,s_1,\ldots ,s_{k-1}\), and so \({\varvec{\gamma }}^T[{\varvec{a}}_i,{\varvec{a}}_j,{\varvec{a}}_l]=rp\).

If \({\mathcal {A}}_k\) is associative, the problem does not arise, since (7) will be satisfied automatically. Associativity holds if \(k\le 2\). All we have to check is that \({\varvec{a}}\cdot ({\varvec{a}}\cdot {\varvec{a}})=({\varvec{a}}\cdot {\varvec{a}})\cdot {\varvec{a}}\), which is true by commutativity. Thus HE1, HE2 cannot be attacked in this way.

Requiring associativity in \({\mathcal {A}}_k\) overconstrains the system, imposing \(k\left( {\begin{array}{c}k+1\\ 2\end{array}}\right) \) equations on the \(k\left( {\begin{array}{c}k+1\\ 2\end{array}}\right) \) structure constants. With only \(k(k-1)\) undetermined parameters, this is too much. But all we need is that (7) holds. We have

Lemma 6

Equation (7) holds if and only if \(\sum _{t=1}^{k-1}\sigma _{jlt}\varrho _{it}=\sum _{t=1}^{k-1}\sigma _{ijt}\varrho _{lt}\pmod {q}\), \(\forall i,j,l\in [1,k-1]\).

Now we can ensure (7) by giving the \(\varrho _{ij}\) a multiplicative structure.

Lemma 7

Let \(\tau ,\varrho _i\xleftarrow {\$}[0,q)\) \((i\in [1,k-1]\)), let \(\varrho _{ij}=\varrho _i\varrho _j \mod q\), and let the \(\sigma _{ijl}\) satisfy \(\sum _{l=1}^{k-1}\sigma _{ijl}\varrho _l=\tau \varrho _i\varrho _j\pmod {q}\) for all \(i,j\in [1,k-1]\). Then, for all \(i,j,l\in [1,k-1]\), \({\varvec{\gamma }}^T({\varvec{a}}_i\cdot ({\varvec{a}}_j\cdot {\varvec{a}}_l))=\tau \varrho _i\varrho _j\varrho _l\mod q\), the symmetry of which implies (7).

Thus the conditions of Lemma 7 are sufficient to remove the insecurity. The price is that we now have \((k-1)\left( {\begin{array}{c}k\\ 2\end{array}}\right) +(k-1)+k(k-1)=(k+1)\left( {\begin{array}{c}k\\ 2\end{array}}\right) +k-1\) parameters and \(k\left( {\begin{array}{c}k\\ 2\end{array}}\right) \) equations. There are \(\left( {\begin{array}{c}k\\ 2\end{array}}\right) +(k-1)=(k+2)(k-1)/2\) independent parameters. This is fewer than the original \(k(k-1)\), but remains \(\varOmega (k^2)\).

A.2 Insufficient Entropy (HEkN)

We generalise HE2N to k dimensions.

Key Generation. randomly chooses \(\kappa \), p and q as outlined in Sect. 4.2, and sets \({\varvec{a}}_j\) \(\forall j\) and R as in Sect. A.1. The secret key, , is (\(\kappa \), p, \({\varvec{a}}_1\), \(\ldots \), \({\varvec{a}}_{k-1}\)), and the public parameters are pq and R. Note that, as a result of adding the “noise” term, defence against non-associativity is not required.

Encryption. A plaintext, \(m \in [0,M]\), is enciphered as

where r, s are as in Sect. 4.2, and \(t_j \xleftarrow {\$}[0,pq)\) \(\forall j\in [1,k)\).

Decryption. If \({\varvec{\gamma }}^T\) is defined as in Sect. A.1, a ciphertext is deciphered by,

Arithmetic. Addition and multiplication of ciphertexts are as in Sect. A.1.

Security. The effective entropy of HEkN is \(\rho '=k(\rho + \lg \kappa )\). Thus, as we increase k, the “noise” term can be made smaller while still providing the requisite level of entropy.

Clearly HEkN also inherits the conclusions of Theorem 2, so this system also satisfies IND-CPA.

B Proofs

Theorem 1

An attack against HE1 is successful in polynomial time if and only if we can factorise a distinct semi-prime in polynomial time.

Proof

Suppose that we have an unknown plaintext m, encrypted as \(c = m + r p \mod pq\), where \(r\xleftarrow {\$}[1,q)\).

If we can factor pq in polynomial time, we can determine p and q in polynomial time, since we know \(p<q\). Therefore, we can determine \(m=c\bmod p\).

If we can determine m given c for arbitrary m, then we can determine \(rp=c-m\). We are given qp, and we know \(0< r < q\), so \(\gcd (rp,qp)\) must be p, and we can compute p in polynomial time. Now, given p, we can determine q as qp / p. Hence, we can factorise pq in polynomial time.    \(\square \)

Lemma 1

If the inputs m have entropy \(\rho \) then, for any two independent inputs \(m_1,m_2\), \(\Pr (m_1=m_2)\le 2^{-\rho }\).

Proof

\(\Pr (m_1=m_2)=\sum _{i=0}^{M-1} \xi _i^2= 2^{-H_2}\le 2^{-\rho }\), since \(H_2\ge H_\infty =\rho \).    \(\square \)

Theorem 2

For any encryption c, \(c\bmod \kappa \) is polynomial time indistinguishable from the uniform distribution on \([0,\kappa )\). Thus HE1N satisfies IND-CPA, under the assumption that SPACDP is not polynomial time solvable.

Proof

$$\begin{aligned} c = m + s\kappa + r p = m + r p \mod \kappa , \end{aligned}$$

where \(r\xleftarrow {\$}[1,q)\). Thus, for \(i\in [0,\kappa )\),

$$\begin{aligned} \Pr \big ( c\bmod \kappa =i\big )&= \Pr \big (m + rp =i\!\!\mod \kappa \big )\\&= \Pr \big (r= p^{-1}(i-m)\!\!\mod \kappa \big )\\&\in \big \{\lfloor q/\kappa \rfloor 1/q, \lceil q/\kappa \rceil 1/q\big \}\\&\in [1/\kappa -1/q,1/\kappa +1/q], \end{aligned}$$

where the inverse \(p^{-1}\) of p mod \(\kappa \) exists since p is a prime. Hence the total variation distance from the uniform distribution is

$$\begin{aligned} \tfrac{1}{2}\sum _{i=0}^{\kappa -1} |\Pr \big ( c\bmod \kappa =i\big )-1/\kappa | < \kappa /q . \end{aligned}$$

This is exponentially small in the security parameter \(\lambda \) of the system, so the distribution of \(c\bmod \kappa \) cannot be distinguished in polynomial time from the uniform distribution. Note further that \(c_1\bmod \kappa \), \(c_2\bmod \kappa \) are independent for any two ciphertexts \(c_i=m_i + s_i\kappa + r_i p\) \((i=1,2)\), since \(r_1,r_2\) are independent.

To show IND-CPA, suppose now that known plaintexts \(\mu _1,\ldots ,\mu _n\) are encrypted by an oracle for HE1N, giving ciphertexts \(c_1,\ldots ,c_n\). Then, for \(r_i\xleftarrow {\$}[0,q)\), \(s_i\xleftarrow {\$}[0,\kappa )\), we have an SPACDP with ciphertexts \(c_i = m_i + s_i\kappa + r_i p\), and the approximate divisor p cannot be determined in polynomial time in the worst case. However, the offsets in this SPACDP are all of the form \(\mu _i + s_i\kappa \), for known \(m_i\), and we must make sure this does not provide information about p. To show this, we rewrite the SPACDP as

$$\begin{aligned} c_i = \mu _i + s_i\kappa + r_i p = \mu '_i + s'_i\kappa ,\quad (i=1,2,\ldots ,n), \end{aligned}$$
(8)

where \(s'_i=s_i+\lfloor (m_i+r_ip)/\kappa \rfloor \), and \(\mu '_i=\mu _i + r_ip\pmod \kappa \). Now we may view (8) as an ACDP, with “encryptions” \(\mu '_i\) of the \(\mu _i\), and approximate divisor \(\kappa \). Since ACDP is at least as hard as SPACDP, and the offsets \(\mu '_i\) are polynomial time indistinguishable from uniform \([0,\kappa )\), from above, we will not be able to determine \(\kappa \) in polynomial time. Now, the offsets \(m'_1,m'_2\) of any two plaintexts \(m_1,m_2\) are polynomial time indistinguishable from \(m'_2,m'_1\), since they are indistinguishable from two independent samples from uniform \([0,\kappa )\). Therefore, in polynomial time, we will not be able to distinguish between the encryption \(c_1\) of \(m_1\) and the encryption \(c_2\) of \(m_2\).    \(\square \)

Theorem 3

The encryption scheme produces ciphertexts with components which are random integers modulo pq.

Proof

Consider a ciphertext vector which encrypts the plaintext, m, and the expression \(m+rp+sa\mod pq\) which represents one of its elements. Then \(r \xleftarrow {\$}[0,q)\), \(s \xleftarrow {\$}[0,pq)\).

Consider first \(m+sa\). We know that \(a^{-1} \mod pq\) exists because \(a \ne 0\) (\(\bmod \ p\) and \(\bmod \ q\)). Thus, conditional on r,

$$\begin{aligned} \Pr [m+rp+sa=i\bmod \ pq] = \Pr [s = a^{-1}(i-m-rp)\bmod \ pq]\,=\,\frac{1}{pq}. \end{aligned}$$

Since this holds for any \(i\in [0,pq)\), \(m+rp+sa \mod pq\) is a uniformly random integer from [0, pq).    \(\square \)

Theorem 4

If \({\varvec{c}}\) is an encryption of m and \({\varvec{c'}}\) is an encryption of \(m'\) then \(R({\varvec{c_{\star }}}\circ {\varvec{c'_{\star }}})\pmod {pq}\) is an encryption of \(mm'\).

Proof

Consider the Hadamard product modulo pq, \({\varvec{c}}_{\star } \circ {\varvec{c}}_{\star }'\), of the two augmented ciphertext vectors \({\varvec{c_{\star }}}\) and \({\varvec{c_{\star }}}'\):

$$\begin{aligned} {\varvec{z}}_{\star }={\varvec{c}}_{\star } \circ {\varvec{c}}_{\star }' = \begin{bmatrix} c_1 c_1' \\ c_2 c_2'\\c_3c_3' \end{bmatrix} \mod pq \end{aligned}$$

Therefore, if inputs \(m,m'\) are encrypted as \((m+rp){\varvec{1}}+s{\varvec{a}}\), \((m'+r'p){\varvec{1}}+s'{\varvec{a}}\), we first calculate

$$\begin{aligned} {\varvec{z}}_{\star }&= (m+rp)(m'+r'p){\varvec{1}}_{\star }+[(m+rp)s'+(m'+r'p)s]{\varvec{a}}_{\star }\\&+ss'{\varvec{a}}_{\star }^{\circ 2} =(mm'+r_1p){\varvec{1}}_{\star }+s_1{\varvec{a}}_{\star }+ss'{\varvec{a}}_{\star }^{\circ 2}\ \ \mod pq, \end{aligned}$$

where \(r_1=mr'+m'r+rr'p\), \(s_1=(m+rp)s'+(m'+r'p)s\), and \({\varvec{a}}_{\star }^{\circ 2}=[a_1^2\ \ a_2^2\ \ a_3^2]^T\).

As we can see, \({\varvec{z}}_{\star }\) is not a valid encryption of \(mm'\). We need to re-encrypt this product to eliminate the \({\varvec{a}}_{\star }^{\circ 2}\) term.

We achieve this by multiplying \({\varvec{z}}_{\star }\) by R. It is easy to check that \(R{\varvec{1}}_{\star }={\varvec{1}}\) and \(R{\varvec{a}}_{\star }={\varvec{a}}\), independently of \(a_1,a_2\). Now

$$\begin{aligned} (R{\varvec{a}}_{\star }^{\circ 2})_1&=(1-2\alpha _1)a_1^2+\alpha _1a_2^2+\alpha _1(2a_1-a_2)^2\\&=a_1^2+\alpha _1((2a_1-a_2)^2+a_2^2-2a_1^2) \\&=a_1^2+2\alpha _1(a_2-a_1)^2 \\&=a_1^2+\alpha _1\beta \\&=\varrho p + \sigma a_1\\ (R{\varvec{a}}_{\star }^{\circ 2})_2&=-2\alpha _2a_1^2+(\alpha _2+1)a_2^2+\alpha _2(2a_1-a_2)^2\\&=a_2^2+\alpha _2((2a_1-a_2)^2+a_2^2-2a_1^2) \\&=a_2^2+2\alpha _2(a_2-a_1)^2\\&=a_2^2+\alpha _2\beta \\&=\varrho p + \sigma a_2\\ \end{aligned}$$

Thus, we obtain the identity \(R{\varvec{a}}_{\star }^{\circ 2} = \varrho p {\varvec{1}} + \sigma {\varvec{a}}.\)

So, applying R to \({\varvec{z}}_{\star }\), i.e. \({\varvec{z}}' = R {\varvec{z}}_{\star }\), gives

$$\begin{aligned} {\varvec{z}}'&= (mm'+r_1p)R{\varvec{1}}_{\star }+s_1R{\varvec{a}}_{\star }+ss'R{\varvec{a}}_{\star }^{\circ 2}\\&= (mm'+r_1p){\varvec{1}}+s_1{\varvec{a}}+ss'(\sigma {\varvec{a}}+\varrho p{\varvec{1}})\\&=(mm'+r_2p){\varvec{1}}+(s_1+\sigma ss'){\varvec{a}}\\&=(mm'+r_2p){\varvec{1}}+s_2{\varvec{a}}\quad \pmod {pq} \end{aligned}$$

for the integers \(r_2=r_1+\varrho ss'\) and \(s_2=s_1+\sigma ss'\). So \({\varvec{z}}'\) is a valid encryption of \(mm'\).    \(\square \)
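The multiplication step of Theorem 4 worked through in code, as an added example (not the paper's implementation): a toy HE2 instance with \(k=2\), the augmented third component \(2c_1-c_2\) implied by the \((2a_1-a_2)^2\) term above, the matrix R built from the identity \(R{\varvec{a}}_{\star }^{\circ 2} = \varrho p {\varvec{1}} + \sigma {\varvec{a}}\), and decryption through a vector \({\varvec{\gamma }}\) with \({\varvec{\gamma }}^T{\varvec{1}}=1\), \({\varvec{\gamma }}^T{\varvec{a}}=0\) as in Lemma 6. The primes, seed and plaintexts are constructed for the demonstration and are far too small to be secure.

```python
import random
rng = random.Random(2017)   # fixed seed: constructed, toy randomness only

def he2_keygen(p, q):
    """Private key for k = 2: primes p, q and a = (a1, a2) with a2 - a1 a unit mod pq."""
    N = p * q
    while True:
        a1, a2 = rng.randrange(N), rng.randrange(N)
        delta = (a2 - a1) % N
        if delta % p and delta % q:   # then beta = 2*delta^2 is invertible mod pq
            return {"p": p, "q": q, "N": N, "a": (a1, a2)}

def he2_encrypt(key, m):
    """c = (m + r p) 1 + s a (mod pq), with r from [0, q) and s from [0, pq)."""
    p, q, N = key["p"], key["q"], key["N"]
    a1, a2 = key["a"]
    r, s = rng.randrange(q), rng.randrange(N)
    return ((m + r * p + s * a1) % N, (m + r * p + s * a2) % N)

def he2_decrypt(key, c):
    """gamma = (a2, -a1) / (a2 - a1) satisfies gamma.1 = 1 and gamma.a = 0 (mod pq)."""
    p, N = key["p"], key["N"]
    a1, a2 = key["a"]
    inv_delta = pow((a2 - a1) % N, -1, N)
    g1, g2 = (a2 * inv_delta) % N, (-a1 * inv_delta) % N
    return ((g1 * c[0] + g2 * c[1]) % N) % p

def he2_reencrypt_matrix(key):
    """R = [[1-2alpha1, alpha1, alpha1], [-2alpha2, alpha2+1, alpha2]], alpha_i solving a_i^2 + 2 alpha_i (a2-a1)^2 = rho p + sigma a_i."""
    p, q, N = key["p"], key["q"], key["N"]
    a1, a2 = key["a"]
    rho, sigma = rng.randrange(q), rng.randrange(N)
    inv_beta = pow((2 * (a2 - a1) ** 2) % N, -1, N)
    alpha1 = ((rho * p + sigma * a1 - a1 * a1) * inv_beta) % N
    alpha2 = ((rho * p + sigma * a2 - a2 * a2) * inv_beta) % N
    return (((1 - 2 * alpha1) % N, alpha1, alpha1),
            ((-2 * alpha2) % N, (alpha2 + 1) % N, alpha2))

def he2_add(key, c, d):
    N = key["N"]
    return ((c[0] + d[0]) % N, (c[1] + d[1]) % N)

def he2_mul(key, R, c, d):
    """Augment to (c1, c2, 2c1 - c2), take the Hadamard product mod pq, then apply R."""
    N = key["N"]
    cs = (c[0], c[1], (2 * c[0] - c[1]) % N)
    ds = (d[0], d[1], (2 * d[0] - d[1]) % N)
    z = [(x * y) % N for x, y in zip(cs, ds)]
    return tuple(sum(R[i][j] * z[j] for j in range(3)) % N for i in range(2))

def demo():
    key = he2_keygen(65537, 65521)   # toy primes; real sizes come from Appendix C
    R = he2_reencrypt_matrix(key)
    c, d = he2_encrypt(key, 123), he2_encrypt(key, 456)
    return he2_decrypt(key, he2_add(key, c, d)), he2_decrypt(key, he2_mul(key, R, c, d))
```

`demo()` returns `(579, 56088)`; the product must stay below p for the final reduction mod p to recover it.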

Theorem 5

SPACDP is of equivalent complexity to the special case of HE2 where \(\delta =a_2-a_1\) (\(0<\delta <q\)) is known.

Proof

Suppose we have a system of n approximate prime multiples, \(m_i+r_ip\) (\(i=1,2,\ldots ,n\)). Then we generate values \(a,s_1,s_2,\ldots ,s_n\xleftarrow {\$}[0,pq)\), and we have an oracle set up the cryptosystem with \(a_1=a\), \(a_2=a+\delta \). The oracle has access to p and provides us with R, but no information about its choice of \(\varrho \) and \(\sigma \). We then generate the ciphertexts \({\varvec{c}}_i\) \((i=1,2,\ldots ,n)\):

$$\begin{aligned} \begin{bmatrix} c_{i1} \\ c_{i2}\end{bmatrix}=\begin{bmatrix} m_i+r_ip+s_ia \\ m_i+r_ip+s_i(a+\delta )\end{bmatrix}\pmod {pq}. \end{aligned}$$
(9)

Thus \(c_{i1}-s_ia=c_{i2}-s_i(a+\delta )=m_i+r_ip\), so finding the \(m_i\) in (9) in polynomial time solves SPACDP in polynomial time.

Conversely, suppose we have any HE2 system with \(a_2=a_1+\delta \). The ciphertext for \(m_i\) (\(i=1,2,\ldots ,n\)) is as in (9), so \(s_i=\delta ^{-1}(c_{i2}-c_{i1})\). Since \(0<\delta<q<p\), \(\delta \) is coprime to both p and q, and hence \(\delta ^{-1}\mod pq\) exists. Thus breaking the system is equivalent to determining the \(m_i \mod p\) from \(m_i+\delta ^{-1}(c_{i2}-c_{i1})a+r_ip\) (\(i=1,2,\ldots ,n\)). Determining the \(m_i+\delta ^{-1}(c_{i2}-c_{i1})a\) from the \(m_i+\delta ^{-1}(c_{i2}-c_{i1})a+r_ip\) (\(i=1,2,\ldots ,n\)) can be done using SPACDP. However, we still need to determine a in order to determine \(m_i\). This can be done by “deciphering” R using SPACDP. We have

$$\begin{aligned} 2\delta ^2\alpha _1= \sigma a-a^2+\varrho p,\qquad 2\delta ^2\alpha _2= \sigma (a+\delta )-(a+\delta )^2+\varrho p, \end{aligned}$$

so \(\sigma =2\delta ^2(\alpha _2-\alpha _1)-2\delta a-\delta ^2\). Now a can be determined by first determining \(m_0=a(2\delta ^2(\alpha _2-\alpha _1)-(2\delta +1)a-\delta ^2)\) from \(m_0+\varrho p=2\delta ^2\alpha _1\). This can be done using SPACDP. Then a can be determined by solving the quadratic equation \(m_0=a(2\delta ^2(\alpha _2-\alpha _1)-(2\delta +1)a-\delta ^2) \mod p\) for a. This can be done probabilistically in polynomial time using, for example, the algorithm of Berlekamp [7]. So the case \({\varvec{a}}=[a\ \,a+\delta ]^T\), with known \(\delta \), can be attacked using SPACDP on the system

$$\begin{aligned} m_0+\varrho p,\ \ m_1+\delta ^{-1}(c_{12}-c_{11})a+r_1p,\ \ \ldots ,\ \ m_n+\delta ^{-1}(c_{n2}-c_{n1})a+r_np. \end{aligned}$$

   \(\square \)

Lemma 2

\(\Pr \big ({\varvec{a}}_0,{\varvec{a}}_1,\ldots ,{\varvec{a}}_{k-1}\text { do not form a basis}\big )\le (k-1)(1/p+1/q)\).

Proof

The \({\varvec{a}}\)’s are a basis if \(A_k^{-1}\) exists, since then \({\varvec{v}}=A_k{\varvec{r}}\) when \({\varvec{r}}=A_k^{-1}{\varvec{v}}\), for any \({\varvec{v}}\). Now \(A_k^{-1}\) exists \(\bmod \ {pq}\) if \((\det A_k)^{-1} \mod pq\) exists, by constructing the adjugate of \(A_k\). Now \((\det A_k)^{-1} \mod pq\) exists if \(\det A_k\ne 0 \mod p\) and \(\det A_k\ne 0\mod q\). Now \(\det A_k\) is a polynomial of total degree \((k-1)\) in the \(a_{ij}\) (\(0<i\le k,0<j<k\)), and is not identically zero, since \(\det A_k=1\) if \({\varvec{a}}_i={\varvec{e}}_{i+1}\) (\(1<i<k\)). Also \(a_{ij}\xleftarrow {\$}[0,pq)\) implies \(a_{ij}\bmod p\xleftarrow {\$}[0,p)\) and \(a_{ij}\bmod q\xleftarrow {\$}[0,q)\). Hence, using the Schwartz-Zippel Lemma (SZL) [44], we have \(\Pr (\det A_k = 0\bmod {p})\le (k-1)/p\) and \(\Pr (\det A_k = 0\bmod {q})\le (k-1)/q\), and it follows that \(\Pr (\not \exists \,(\det A_k)^{-1}\bmod {pq})\ \le \ (k-1)(1/p+1/q)\).    \(\square \)

Lemma 3

Let \(A_{\star k}=[{\varvec{a}}_{\star 0}\ {\varvec{a}}_{\star 1}\ \ldots \ {\varvec{a}}_{\star ,k-1}]\), where the columns of \(A_k\) form a basis for \(\mathbb {Z}^k_{pq}\). If \(RA_{\star k}=A_k\), then \(R{\varvec{v}}_\star ={\varvec{v}}\) for all \({\varvec{v}}\in \mathbb {Z}^k_{pq}\).

Proof

We have \({\varvec{v}}=A_k{\varvec{r}}\) for some \({\varvec{r}}\in \mathbb {Z}^k_{pq}\). Then \(A_{\star k}=U_kA_k\) and \({\varvec{v}}_{\star k}=U_k{\varvec{v}}\), so \(R{\varvec{v}}_\star =RU_k{\varvec{v}}=RU_kA_k{\varvec{r}}=RA_{\star k}{\varvec{r}}=A_{k}{\varvec{r}}={\varvec{v}}\).    \(\square \)

Theorem 6

\(A^{\circ 2}_{\star k}\text { has no inverse } \bmod {pq}\) with probability at most \((k^2-1)(1/p+1/q)\).

Proof

We use the same approach as in Lemma 2. Thus \(A^{\circ 2}_{\star k}\) is invertible provided \(\det A^{\circ 2}_{\star k}\ne 0\mod p\) and \(\det A^{\circ 2}_{\star k}\ne 0\mod q\). Let \({\varvec{A}}\) denote the vector of \(a_{ij}\)’s, \((a_{ij}:1\le i\le k, 1\le j<k)\). The elements of \(A^{\circ 2}_{\star k}\) are quadratic polynomials over \({\varvec{A}}\), except for the first column, which has all 1’s, and columns \(2,3,\ldots , k\) which are linear polynomials. So \(\det A^{\circ 2}_{\star k}\) is a polynomial over \({\varvec{A}}\) of total degree \(2\left( {\begin{array}{c}k\\ 2\end{array}}\right) +k-1=k^2-1\). Thus, unless \(\det A^{\circ 2}_{\star k}\) is identically zero as a polynomial over \({\varvec{A}}\), the SZL [44] implies \(\Pr (\not \exists \,(\det A^{\circ 2}_{\star k})^{-1}\bmod {p})\le (k^2-1)/p\) and \(\Pr (\not \exists \,(\det A^{\circ 2}_{\star k})^{-1}\bmod {q})\le (k^2-1)/q\). Therefore we have \(\Pr (\not \exists \,(\det A^{\circ 2}_{\star k})^{-1}\bmod {pq})\le (k^2-1)(1/p+1/q)\).

It remains to prove that \(\det A^{\circ 2}_{\star k}\) is not identically zero as a polynomial over \({\varvec{A}}\) in either \(\mathbb {Z}_p\) or \(\mathbb {Z}_q\). We prove this by induction on k. Consider \(\mathbb {Z}_p\), the argument for \(\mathbb {Z}_q\) being identical. Since \(\mathbb {Z}_p\) is a field, \(\det A^{\circ 2}_{\star k}\) is identically zero if and only if it has rank less than \(\left( {\begin{array}{c}k+1\\ 2\end{array}}\right) \) for all \({\varvec{A}}\). That is, there exist \(\lambda _{ij}({\varvec{A}})\in \mathbb {Z}_p\) (\(0\le i\le j<k\)), not all zero, so that

$$\begin{aligned} {\mathcal {L}}({\varvec{A}})\,&=\,\sum _{0\le i\le j}^{k-1} \lambda _{ij}{\varvec{a}}_{\star i}\circ {\varvec{a}}_{\star j}\\&\,={\varvec{\alpha }}+ {\varvec{a}}_{\star ,k-1}\circ {\varvec{\beta }}+ \lambda _{k-1,k-1}{\varvec{a}}^{\circ 2}_{\star ,k-1}\ \,=\, 0, \end{aligned}$$

where \({\varvec{\alpha }}=\sum _{0\le i\le j}^{k-2} \lambda _{ij}{\varvec{a}}_{\star i}\circ {\varvec{a}}_{\star j}\) and \({\varvec{\beta }}=\sum _{i=0}^{k-2}\lambda _{i,k-1}{\varvec{a}}_{\star i}\) are independent of \({\varvec{a}}_{\star ,k-1}\).

Clearly \(\lambda _{k-1,k-1}=0\). Otherwise, whatever \({\varvec{\alpha }},{\varvec{\beta }}\), we can choose values for \({\varvec{a}}_{k-1}\) so that \({\mathcal {L}}\ne 0\), a contradiction. Now suppose \(\lambda _{i,k-1}\ne 0\) for some \(0\le i<k-1\). The matrix \(\hat{A}_\star \) with columns \({\varvec{a}}_{\star i}\) (\(0\le i<k-1\)) contains \(A_{k-1}\) as a submatrix, which has rank \((k-1)\) with high probability by Lemma 2. Thus \({\varvec{\beta }}\ne {\varvec{0}}\) and, whatever \({\varvec{\alpha }}\), we can choose values for \({\varvec{a}}_{k-1}\) so that \({\mathcal {L}}\ne 0\). Thus \(\lambda _{i,k-1}= 0\) for all \(0\le i<k\). Thus \(\lambda _{ij}\ne 0\) for some \(0\le i\le j<k-1\). Now the matrix \(\hat{A}_\star ^{\circ 2}\) with \(\left( {\begin{array}{c}k\\ 2\end{array}}\right) \) columns \({\varvec{a}}_{\star i}\circ {\varvec{a}}_{\star j}\) \((0\le i\le j<k-1)\) contains \(A^{\circ 2}_{\star ,k-1}\) as a submatrix, and therefore has rank \(\left( {\begin{array}{c}k\\ 2\end{array}}\right) \) by induction. Hence \({\varvec{\alpha }}\ne {\varvec{0}}\), implying \({\mathcal {L}}\ne 0\), a contradiction.    \(\square \)

Lemma 4

\(\Pr (\det C = 0 \bmod \, pq)\le (2k-1)(1/p+1/q)\).

Proof

From Lemma 2, \(\det A = 0\) \(\mod p\) or \(\det A= 0\) \(\mod q\) with probability at most \((k-1)(1/p+1/q)\). So, except with that probability, \(\det A\) is neither zero nor a divisor of zero \(\bmod \,pq\). The entries of \(W'\) are uniformly random in [0, pq), and \(\det W'\) is a polynomial of total degree k in its entries. It is a nonzero polynomial, since \(W'=I_k\) is possible. Hence, using the SZL [44], \(\Pr (\det W'=0\bmod p)\le k/p\) and \(\Pr (\det W'=0\bmod q)\le k/q\). So \(\det W'\) is zero or a divisor of zero \(\bmod \,pq\) with probability at most \(k(1/p+1/q)\). So \(\det A\det W'=0\) \(\bmod \,pq\) with probability at most \((2k-1)(1/p+1/q)\), i.e. \(\det C\ne 0\) with high probability.    \(\square \)

Lemma 5

\(\Pr (\det C_0 = 0 \bmod \, pq)\le (2k-1)(1/p+1/q)\).

Proof

Note that \(C_0=C\) if \(m_1=m_2=\cdots =m_k=0\). Since Lemma 4 holds in that case, the result follows.    \(\square \)

Lemma 6

Equation (7) holds if and only if \(\sum _{t=1}^{k-1}\sigma _{jlt}\varrho _{it}=\sum _{t=1}^{k-1}\sigma _{ijt}\varrho _{lt}\pmod {q}\), \(\forall i,j,l\in [1,k-1]\).

Proof

Since \({\varvec{\gamma }}^T{\varvec{1}}=1\) and \({\varvec{\gamma }}^T{\varvec{a}}_i=0\), \(i\in [1,k-1]\), \({\varvec{\gamma }}^T({\varvec{a}}_i\cdot {\varvec{a}}_j)={\varvec{\gamma }}^T\big (p\varrho _{ij}{\varvec{1}}+\sum _{l=1}^{k-1}\sigma _{ijl}{\varvec{a}}_l\big ) =p\varrho _{ij}\). Thus

and hence . Similarly , and the lemma follows.    \(\square \)

Lemma 7

Let \(\tau ,\varrho _i\xleftarrow {\$}[0,q)\) \((i\in [1,k-1]\)), let \(\varrho _{ij}=\varrho _i\varrho _j \mod q\), and let the \(\sigma _{ijl}\) satisfy \(\sum _{l=1}^{k-1}\sigma _{ijl}\varrho _l=\tau \varrho _i\varrho _j\pmod {q}\) for all \(i,j\in [1,k-1]\). Then, for all \(i,j,l\in [1,k-1]\), \({\varvec{\gamma }}^T({\varvec{a}}_i\cdot ({\varvec{a}}_j\cdot {\varvec{a}}_l))=\tau \varrho _i\varrho _j\varrho _l\mod q\), the symmetry of which implies (7).

Proof

We have \({\varvec{\gamma }}^T({\varvec{a}}_j\cdot {\varvec{a}}_l)=p\varrho _{jl}=p\varrho _j\varrho _l\) for all \(j,l\in [1,k-1]\). Hence, \(\bmod \ q\),

   \(\square \)

C Derivation of Bounds

To recap, n is the number of inputs, M is an exclusive upper bound on the inputs, d is the degree of the polynomial we wish to calculate. We take \(p \approx 2^\lambda \) and then \(q \approx 2^\eta \), where \(\eta = \lambda ^2/\rho -\lambda \), to guard against the attacks of [17, 36].

For HE1, we assume \(M\approx 2^\rho \), \(n \le \sqrt{M}\). Therefore,

$$ p>(n+1)^dM^d \approx (nM)^d\ \text {for large}\ n. $$

So, we may take

$$\begin{aligned} p=2^\lambda&> M^{3d/2}\approx 2^{3d\rho /2}\quad \text {i.e.}\ \lambda \approx 3d\rho /2\\ \text {and}\ \eta&\approx \frac{\lambda ^2}{\rho } -\lambda = \frac{3d\lambda }{2} - \lambda = \frac{3d\rho }{2}\left( \frac{3d}{2} - 1\right) \end{aligned}$$

For HE1N, we assume \(M \approx 2^\rho \), and we have \(\rho ' = \rho + \lg {\kappa }\). Now,

$$\begin{aligned} \kappa >(n+1)^dM^d \approx (nM)^d\ \text {for large}\ n,\quad \text {i.e.}\ \lg {\kappa } \approx d (\lg {n} + \rho ) \end{aligned}$$

Therefore, since \(\rho =\rho '-\lg {\kappa }\),

$$\begin{aligned} \lg {\kappa } > d \lg {n} + d(\rho '-\lg {\kappa })\quad \text {i.e.}\ \lg {\kappa } \approx \frac{d(\lg {n} + \rho ')}{d+1} \end{aligned}$$

Since \(\kappa \) is much larger than M, we also have

$$\begin{aligned} p=2^\lambda&> (n+1)^d(M+\kappa ^2)^d \approx (n\kappa ^2)^d \ \text {for large}\ n\quad \text {i.e.}\ \lambda \approx d (\lg {n} + 2 \lg {\kappa }),\\ \text {and}\ \eta&\approx \frac{\lambda ^2}{\rho '} -\lambda = \frac{3d\lambda }{2} - \lambda = \frac{3d\rho '}{2}\left( \frac{3d}{2} - 1\right) \end{aligned}$$

Then we can calculate \(\eta \) as for HE1 above. Note that, in both HE1 and HE1N, \(\lambda \) scales linearly with d, and \(\eta \) scales quadratically. These bounds carry over to HE2, HE2N, HEk and HEkN.

Copyright information

© 2017 Springer International Publishing AG

Cite this paper

Dyer, J., Dyer, M., Xu, J. (2017). Practical Homomorphic Encryption Over the Integers for Secure Computation in the Cloud. In: O'Neill, M. (eds) Cryptography and Coding. IMACC 2017. Lecture Notes in Computer Science(), vol 10655. Springer, Cham. https://doi.org/10.1007/978-3-319-71045-7_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-71044-0

  • Online ISBN: 978-3-319-71045-7