Efficient GSW-Style Fully Homomorphic Encryption over the Integers

We propose a GSW-style fully homomorphic encryption scheme over the integers (FHE-OI) that is more efficient than the prior work by Benarroch et al. (PKC 2017). To reduce the expansion of ciphertexts, our scheme consists of two types of ciphertexts: integers and vectors. Moreover, the computational efficiency in the homomorphic evaluation can be improved by hybrid homomorphic operations between integers and vectors. In particular, when performing vector-integer multiplications, the evaluation has the computational complexity of Ο(c log c) and thus outperforms all prior FHE-OI schemes. To slow down the noise growth in homomorphic multiplications, we introduce a new noise management method called sequentialization; therefore, the noise in the resulting ciphertext increases by a factor of l · poly(λ) rather than poly(λ) in general multiplications, where l is the number of multiplications. As a result, the circuit with larger multiplicative depth can be evaluated under the same parameter settings. Finally, to further reduce the size of ciphertexts, we apply ciphertext truncation and obtain the integer ciphertext of size Ο(λ log λ), thus additionally reducing the size of the vector ciphertext in Benarroch’s scheme from 􏽥 Ο(λ4) to Ο(λ2log2 λ).


Introduction
Fully homomorphic encryption (FHE) allows us to evaluate any computable function on plaintext m but only manipulate the ciphertexts; moreover, this procedure will not reveal any private information. With this property, FHE can be applied to outsourcing computation, particularly in the scenario that the remote server is an untrusted third party.
FHE has received major attention in cryptography since the first breakthrough by Gentry [1]. In Gentry's blueprint, the first step is to construct a somewhat homomorphic encryption (SWHE) scheme based on ideal lattices, which can only evaluate a circuit of low depth since the ciphertext contains a noise component that grows exponentially after homomorphic multiplications. If the noise magnitude passes a predefined threshold, the correctness of decryption will no longer remain. en, by a key procedure called bootstrapping, the noise magnitude in the ciphertext can be reduced to the same level as that in the original ciphertext, and therefore, the SWHE scheme can be converted into an FHE scheme to evaluate a circuit of arbitrary depth. However, the costly bootstrapping procedure becomes a bottleneck in making this FHE scheme practical, and the complicated operations on ideal lattices become incomprehensible. Very shortly afterward, van Dijk, Gentry, Halevi, and Vaikuntanathan (DGHV) [2] proposed an alternative FHE scheme over the integers (FHE-OI) that is conceptually simpler than [1] since the homomorphic operations only consist of arithmetic operations on integers instead of ideal lattices. In addition, the scheme is based on a different hardness assumption, namely, the approximate greatest common divisor (AGCD) assumption [3]. Unfortunately, this scheme is still inefficient since it follows Gentry's blueprint, which has a costly bootstrapping procedure. Moreover, the large size of public keys results in an increased storage requirement.
In order to improve the efficiency and avoid bootstrapping, a new noise management technique called modulus switching was proposed by Brakerski et al. [4]. e authors first constructed an SWHE scheme based on the learning with errors (LWE) assumption. en, by applying modulus switching, the noise component in the ciphertext grows only linearly after homomorphic multiplications. As a result, they obtained a leveled FHE scheme that can evaluate any circuit with polynomial depth L by carefully calibrating L ladders of moduli. Later, this technique was adapted to the FHE-OI scheme [5]; however, it leads to a greater storage requirement since the circuit with multiplicative depth L needs to be evaluated via a procedure of key switching, and this requires storing L public keys. e larger size of public keys is an inherent property in AGCD-based FHE schemes compared to LWE-based ones; hence, the public keys of L times larger size yield a huge storage requirement. Afterward, a scale-invariant LWE-based FHE scheme was proposed by Brakerski [6]. In this scheme, the message m is encrypted to a higher bit and the same modulus is used throughout the homomorphic evaluation process. By applying the bit decomposition technique on ciphertexts and the encryptions of secret keys, the author obtained a leveled LWE-based FHE scheme whose noise growth was still linear after homomorphic multiplications. e scale-invariant technique was subsequently applied to the FHE-OI scheme and shown to be more efficient than [5]. At PKC 2014, Coron et al. [7] proposed a scale-invariant FHE-OI scheme (CLT14) where only an extra multiplication key needed to be stored in the original public keys, which significantly reduced the storage requirement compared with [5]. To ensure the security of the secret key, they encrypted it into a subset sum as the multiplication key and made a circular-secure assumption. At Eurocrypt 2015, Cheon et al. [8] proposed another scale-invariant FHE-OI scheme (CS15), which introduced a dimension-reduction technique to homomorphic multiplications; they also used invalid encryptions of the bits of the secret key as the multiplication key instead of using subset sum, but they still needed a circular-secure assumption.
At Crypto 2013, Gentry, Sahai, and Waters (GSW) [9] proposed a conceptually simpler LWE-based leveled FHE scheme without using modulus switching and evaluation keys; however, the noise growth was still linear with the multiplicative depth. In this scheme, the plaintext bit m is extended into a plaintext vector by multiplying a gadget vector, and then each entry in the plaintext vector is encrypted to a vector ciphertext. Finally, the outputted ciphertext has the form of a matrix instead of a vector as in prior LWE-based FHE schemes. e homomorphic multiplication procedure is the general multiplicative operation between a ciphertext matrix and a decomposed binary ciphertext matrix. e main contribution of this scheme is the simple and natural homomorphic multiplication procedure rather than complicated modulus switching; however, it must generate a matrix ciphertext, which requires larger storage.
is new FHE scheme was studied by Benarroch et al. [10], and they proposed a complete GSW-style FHE-OI scheme (BBL17). In this scheme, there is no need to encrypt the secret key as the multiplication key and make the circular-secure assumption; however, like [9], it must expand the ciphertext from integer to vector, and therefore the size of the vector ciphertext becomes a bottleneck to this scheme's efficiency.
Note that the above FHE schemes are the encryptions of the plaintext m of a single bit, and the message space in these schemes is m ∈ 0, 1 { }. ere have been some SIMD approaches to make the FHE-OI scheme more efficient in parallel. In [11], the authors proposed a new technique to encrypt a vector of messages in a single ciphertext based on the Chinese Reminder theorem (CRT), thereby extending the message space from m ∈ 0, 1 { } to m ∈ 0, 1 { } l . is technique has been improved by subsequent studies [7,10]. In [12], the authors proposed an optimized bootstrapping procedure for larger message spaces of a single bit from m ∈ 0, 1 { } to m ∈ Z Q , where Q is the arbitrary prime larger than two. Subsequently, some improvements have been proposed to accelerate this technique and apply it to the homomorphic evaluation procedure [13][14][15][16][17][18][19].
From what has been discussed above, we can conclude that current FHE-OI schemes have significantly improved efficiency by adapting new noise management techniques from LWE-based schemes. While CLT14 [7] and CS15 [8] adapt the scale-invariant technique to obtain a leveled FHE-OI scheme and avoid costly bootstrapping procedures, the homomorphic evaluation procedure is still not efficient enough to be practical. Moreover, these schemes need to encrypt the secret key as the multiplication key and make a circular-secure assumption. Meanwhile, BBL17 [10] constructs a GSW-style FHE-OI scheme whose homomorphic multiplication procedure is a general multiplicative operation between vector and matrix, and the multiplication key is not needed. Unfortunately, it must expand the ciphertext from integer to vector, and this expansion renders difficult attempts to make this scheme more efficient. erefore, how to improve the computational efficiency in homomorphic evaluation and reduce the ciphertext expansion have remained a challenging and open problem.
Our Contribution. In this paper, we propose a GSW-style FHE-OI scheme that is similar to BBL17 [10] but has a better spatial and computational efficiency. e main contribution of our scheme is three-fold.
Firstly, our scheme reduces the expansion of ciphertexts by generating two types of ciphertexts (vector and integer ciphertexts), and not only the vector ciphertexts as in BBL17 [10]. Besides, our scheme supports some hybrid homomorphic operations between integer and vector ciphertexts in the homomorphic evaluation procedure, such as vectorvector, vector-integer, and integer-integer operations. Since the vector ciphertext has a size of Ο(c 2 ), which is c times larger than the integer ciphertext, it is easy to see that the vector-vector operations are more costly than the integerinteger and integer-vector operations. As a result, when performing integer-integer and integer-vector homomorphic operations, the computational efficiency in our scheme is better than that in BBL17 [10]. In particular, when performing vector-vector multiplications, the asymptotic computational complexity in our scheme is identical to the homomorphic multiplications in prior leveled FHE-OI schemes [7,8,10], i.e., there is a complexity of Ο(c 2 log c). However, when performing vector-integer multiplications, the asymptotic computational complexity in our scheme is Ο(c log c), which is better than that of all prior leveled FHE-OI schemes.
Secondly, our scheme displays better noise management since it performs the homomorphic multiplications in sequence. e method of sequentialization in homomorphic multiplications was first proposed in [20,21] and derived from the observation that the noise growth is asymmetric after the homomorphic multiplications in GSW-style FHE schemes based on LWE. We find that the noise terms in our scheme also have an asymmetric form such as r 1 + c · r 2 after homomorphic multiplications. Hence, if we perform homomorphic multiplications between L ciphertexts with the same noise magnitude r in the sequence, the resulting ciphertext will have a noise magnitude of Ο(L · c · r) rather than Ο(c L · r) after general multiplications. erefore, the circuit with a multiplicative depth larger than L can be evaluated under the same parameter settings as general multiplications.
Finally, the size of ciphertexts in our scheme can be further reduced by applying a technique of ciphertext compression called truncation.
is technique was first proposed in CS15 [8], and the authors obtained an integer ciphertext of size Ο(c − ρ). However, they only made a simple and abstract description of their technique and had not constructed a complete scheme. Moreover, they set c − ρ to be small to obtain better efficiency, but this has been proved to be insecure in subsequent works [22]. We adapt this technique to our scheme and generalize it to the vector ciphertext. In addition, we construct a complete scheme and make the tight analysis of noise growth. In order to thwart the optimized OL attack proposed in [22], we set c − ρ � λ log λ + Ω(L log λ), which significantly reduces the size of ciphertexts. Finally, we obtain an integer ciphertext of size Ο(λ + L) and vector ciphertext of size Ο(λ 2 + L 2 ).

Notation. We denote the parameters in our scheme by
Greek letters (such as ρ, η, c, τ, λ). Scalars are denoted by lowercase Latin characters (such as p, q, x, y, and r). Vectors are denoted by lowercase bold English letters (such as p, q, x, y, and r). Matrices are denoted by uppercase English letters (such as P, Q, X, Y, and R). For two integers z and p, we denote by [z] p the result in (− (p/2), (p/2)] after computing zmodp. For an n-dimensional vector z and an integer p, we denote by [z] p the result in (− (p/2), (p/2)] n after computing (z i modp) n 0 ≤ i ≤ n− 1 , where z i is the i-th coordinate in z. For a vector z, we denote the norm ‖z‖ to be the infinity norm of z, i.e., ‖z‖ � ‖z‖ ∞ � max z i in z |z i |. For some real number r, we denote by r the nearest integer rounded to r, and we have r � r + δ, where δ ∈ [− (1/2), (1/2)] ∩ R. We denote a uniform distribution on a finite set A by U(A). All logarithms in this paper are base two.

Gadget Vector and Bit Decomposition Function.
For some integer n, define an n-dimensional gadget vector g � (2 0 , 2 1 , . . . , 2 n− 1 ). Define a decomposition function g − 1 : [0, 2 n ) ⟶ 0, 1 { } n that can decompose an n-bit-length integer to its binary representation and output an n-dimensional binary vector. For some integer z, we have { } n×l which can decompose an l-dimensional vector z � (z 0 , z 1 , . . . , z l− 1 ) to its binary representation and output an (n × l)-dimensional binary matrix such that Lemma 1 (leftover hash lemma [2]). Set x 1 , . . . , x m ⟵Z M uniformly and independently, set We can write the above leftover hash lemma as the following version, and we can see the obvious equivalence between the two lemmas.

Approximate GCD.
Since the first FHE scheme based on the approximate greatest common divisor (AGCD) problem was proposed in DGHV [2], there have been some AGCD variants proposed. e first noise-free AGCD variant was proposed in [23]. It generates a special public key element x 0 � pq 0 without noise component r 0 and sets q 0 to be a random square free 2 λ -rough integer to thwart some attacks based on factorization. Afterward, the first decisional and noise-free AGCD variant was proposed in [11]. In homomorphic evaluation, a noise-free x 0 will not introduce an extra noise component and will simplify the noise analysis; however, this could make the scheme vulnerable to thwart quantum attacks. erefore, to improve the security, some decisional-AGCD variants with a noise component in x 0 were proposed in [7,8,10]. In the present work, we consider the decisional noisy variant proposed in BBL17 [10], and formally define it as follows.
Definition 1. Let ρ, η, c, p be some integers satisfying c > η > ρ > 0, and p is an η-bit odd integer. Define the distribution D c,ρ (p) supported over [0, 2 c ) as follows: (1) e (ρ, η, c)-AGCD problem is to find p when given polynomially many samples from D c,ρ (p). e (ρ, η, c)-decisional-AGCD problem is to distinguish between D c,ρ (p) and the uniform distribution In the following, we define the truncated distribution and sample from this distribution via rejection sampling.
Definition 3 (see [10]). Let X be a distribution supported over Z, and let k ∈ Z. e distribution X ≤k is the distribution X conditioned on X ≤ k. If Pr[X ≤ k] � 0, then X ≤k is undefined. Analogously, we can define X ≥k .
Proof. First, we sample x i ⟵ D c,ρ (p) <x 0 via rejection sampling. It is easy to see that the rejection probability when sampling each

e GSW-Style FHE Scheme over the Integers.
We recall the first complete GSW-style FHE-OI scheme proposed in BBL17 [10].
(i) BBL.Keygen(1 λ ): Generate the public parameters params � c, ρ,η, τ according to the security parameter λ. Sample uniformly an η-bit integer p. First sample an integer x 0 ⟵D c,ρ (p) >2 c− 1 and then τ integers which is a vector of dimension c � log x 0 . (iii) BBL.Add((x 0 , c 1 , c 2 ): Given the public key element x 0 and two ciphertexts c 1 and c 2 , compute Note that this addition procedure is done when it is known that at most one of the plaintext messages is 1. (iv) BBL.Mult((x 0 , c 1 , c 2 ): Given the public key element x 0 and two ciphertexts c 1 and c 2 , compute (v) BBL.Dec(sk, c): Compute f � c · g − 1 (p/2)(modp), and output the following:

Our Basic Scheme
In this section, we first describe the construction of our GSW-style FHE scheme. en, we analyze the correctness and noise growth, and finally prove its underlying security.

Construction.
Recall that for a specific η-bit odd integer p, we define the distribution as follows: (i) HE.KeyGen(1 λ ): Given a security parameter λ, choose the parameters (ρ, c, η, τ) according to λ and some constraints to ensure the correctness and security (see analysis below). Sample uniformly an η-bit odd integer p. Sample an integer . Sample an integer y⟵D c,ρ (p) <x 0 and resample until y/p is odd, write y � pq ′ + r ′ . Output the secret key sk � p and the public key pk � (x 0 , x 1 , . . . , x τ , y).

Analysis of Correctness and Noise Growth.
We first prove the correctness of our scheme and analyze the noise growth in encryption, decryption, and homomorphic operations procedures. en we convert our scheme into a leveled FHE-OI scheme by analyzing the multiplicative circuit depth L. Finally, we show that when performing homomorphic multiplications in sequence, the resulting ciphertext can have a smaller noise growth.

Lemma 14. Given any binary circuit C with depth L, the HE scheme can be converted to a leveled FHE-OI scheme to evaluate this circuit if
Proof. Assume that the given circuit C only consists of multiplication gates; then, a ciphertext will undergo L homomorphic multiplications. We first consider the vectorvector multiplications. For i ∈ [1, L], let c i � m i g + pq i + r i be the ciphertext after the i-th homomorphic multiplication, and c 0 be a fresh ciphertext. Let R i be the upper bound on the noise magnitude ‖r i ‖. First, we have R 0 � 2τ2 ρ by Lemma 6; then, after the i-th homomorphic multiplication, we have R i � (c + 1)R i− 1 + c2 ρ by Lemma 10. By solving the recurrence equation, we obtain which should be smaller than (1/η)((p/4) − (1/2)) for decryption correctness by Lemma 13. Hence, we have η − ρ ≥ L log(c + 1) + log(2τ + 1) + log η + 2.
Note that vector-integer multiplications have a similar noise growth than vector-vector multiplications, and hence, we omit vector-integer multiplication in the analysis of vector-vector multiplication.
Let (sk � p, pk � (x 0 , x 1 , . . . , x τ , y)⟵HE. KeyGen(1 λ )) and where k is an arbitrary positive integer larger than 1. en, for any fixed multiplication sequence x 0 . en we have ‖r ″ ‖ ≤ c‖r k− 2 ‖ + ‖r ′ ‖ + c2 ρ . By recursively performing the above procedure, we finally obtain a ciphertext c with the noise component r satisfying ‖r‖ ≤ c‖r 1 ‖ + c‖r 2 ‖ · · · + c‖r k− 1 ‖ + ‖r k ‖ + (k − 1)c 2 ρ ≤ (k− 1)(2τ+ 1)c2 ρ + τ2 ρ+1 . e above lemma implies that when we perform homomorphic multiplications between L+1 fresh ciphertexts and undergo at most L multiplications, if we operate these ciphertexts by a fixed multiplication sequence in Lemma 15, then the resulting ciphertext will have a noise growth of L(2τ + 1)c2 ρ + τ2 ρ+1 . is growth is in contrast to the noise blowup in general homomorphic multiplications, i.e., is is a unique property in the GSW-style FHE scheme since the noise terms in ciphertexts grow asymmetrically. We can realize better noise management and evaluate a circuit with a multiplicative depth larger than L by applying this multiplication sequence in homomorphic evaluation.
Note that the method of sequentialization in homomorphic multiplication can also be applied to vector-integer multiplication since it has the same asymmetrical property as vector-vector multiplication and the noise growth is similar. Here we omit the analysis of vector-integer multiplication.

Parameters.
We present some constraints in choosing parameters to ensure the correctness and security against known attacks. Let L be the circuit depth in homomorphic evaluation and let λ be the security parameter.
ρ is the bit-length of the noise r in public key elements, and it should satisfy ρ ≥ λ to protect against brute force attacks on the noise [3,5,24,25]. η is the bit-length of the secret key p, and it should satisfy η ≥ ρ + L log(c + 1) + log(2τ + 1) + log η + 2 to ensure decryption correctness (see Lemma 14). c is the bit-length of the public key elements x i , y and it should satisfy c ≥ Ω((λ/log λ)(η − ρ) 2 ) to thwart different lattice reduction attacks on the AGCD (as studied in [8]), such as orthogonal lattice attacks [2,26], the simultaneous Diophantine approximation attack [27], and the multivariate polynomial attack [28]. τ is the number of integers in the public keys, and it should satisfy τ � c + Ω(λ) to be able to use the leftover hash lemma in the security proof.
To satisfy the above constraints, we can take

Semantic Security.
We show that the security of our HE scheme can be based on the decisional-AGCD problem; the main proof process is to show that it is difficult to distinguish the ciphertext from a uniform integer module x 0 .
Proof. We will use a three-step hybrid argument to prove that both the integer and vector ciphertexts in our HE scheme have computational indistinguishability and there is no such a probabilistic polynomial-time adversary A that can distinguish these ciphertexts.
EncVec(pk,m)�[m·g+xS] x 0 and c⟵HE.EncInt(pk,m)� [m· y/2 +〈x,s〉] x 0 for a message m∈ 0,1 { }. By the leftover hash lemma in Lemmas 2 and 3, the tuple (x,xS (mod x 0 ),〈x,s〉 (mod x 0 )) is within an exponentially small statistical distance by (1/2) ���� x 0 /τ �negl(λ). As a result, the tuple (x,xS (mod x 0 ),〈x,s〉 (mod x 0 )c,c) is within an exponentially small statistical distance by negl(λ), independent of the underlying plaintext. Hence, we have  , x ′ , y). e resulting public key distribution is computationally indistinguishable from the genuine public key distribution in H 0 by Lemma 4. Hence, we have Hybrid By the leftover hash lemma in Lemmas 2 and 3, the tuple (x ′ , x ′ S (mod x 0 ′ ),〈x ′ , s〉 (mod x 0 ′ )) is within an exponentially small statistical distance by is within an exponentially small statistical distance by negl(λ), independent of the underlying plaintext. Hence, we have Finally, we conclude that which proves the IND-CPA security of the HE scheme.

Ciphertext Compression
e above HE scheme reduces the ciphertext expansion in BBL17 [10] by generating two types of ciphertexts. Moreover, the computational efficiency in homomorphic evaluation can be improved by hybrid homomorphic operations between integers and vectors. However, the size of the vector ciphertext (Ο(c 2 )) is still a bottleneck to making our scheme more efficient.
In this section, we will use a technique of ciphertext compression to reduce the size of both integer and vector ciphertexts. e technique was first proposed in CS15 [8], and we observe that it can also be applied to our HE scheme.
Note that the plaintext bit m is embedded into the most significant bit of the integer ciphertext c modulo p, i.e., c � p/2m + rmodp. For vector ciphertext c, first compute c ′ � c · g − 1 ( p/2); then, c ′ has the same form as integer ciphertext c (see the proof in Lemma 13). In this case, some least significant bits of ciphertexts c and c ′ are irrelevant for decryption correctness, and therefore, we can truncate these bits to obtain a ciphertext of smaller size. However, the number of bits we can truncate must be limited to an upper bound since the decryption failure probability becomes overwhelming if we truncate more bits. According to CS15 [8], truncating a ciphertext by ρ bits can result in optimal performance. We follow this approach and describe the truncation procedure in the HE scheme below.
Define N � 2 ρ . For integer ciphertext c, define c � c/N so that |Nc − c| ≤ N/2. For vector ciphertext c, define c � (c i /N) In the following, we formally present the truncated version of the HE scheme (we call this truncated scheme THE).
By applying the above THE scheme, the size of integer and vector ciphertexts in HE scheme can be reduced to c − ρ and (c − ρ) 2 . Besides, the noise growth in homomorphic evaluation is similar between the two schemes. As a result, if the c − ρ is set small, the spatial and computational efficiency in the THE scheme can be significantly improved.
In CS15 [8], the authors set c − ρ � λ + Ω(L log λ) to obtain an integer ciphertext of small size, but this was proved insecure in subsequent works. In [22], the authors proposed an optimized OL attack to obtain the (c − ρ) most significant bits of the secret key p, and the computational complexity was Ω(2 λ/log λ ). erefore, to thwart this optimized OL attack and obtain a security level of Ο(2 λ ), we need to set c − ρ � λ log λ + Ω(L log λ), which significantly reduces the size of ciphertexts. Moreover, the truncated scheme is as secure as before. Consequently, we have a better spatial and computational efficiency compared to the HE scheme.
To satisfy the above conditions and the constraints in Section 3.3, we can set

Comparison with Prior Works
In this section, we make a comparison between our scheme and prior schemes, such as CLT14 [7], CS15 [8], BBL17 [10], and Per20b [19]. We show that our scheme has more advantages in regards to spatial and computational efficiency.
Our HE scheme reduces the ciphertext expansion by generating integer and vector ciphertexts instead of only generating vector ciphertexts as in BBL17 [10]. Additionally, the size of both ciphertexts can be further reduced by applying the THE scheme. Compared to CLT14 [7], the vector ciphertexts in the HE scheme have a larger size since the CLT14 [7] scheme only consists of integer ciphertexts; moreover, by applying the THE scheme, the vector ciphertexts are similar to the integer ciphertexts in CLT14 [7]. However, we cannot compare our schemes with Per20b [19] directly since Per20b used a variant called RAGCD and it has a larger message space such that m ∈ Z t . However, we can convert Per20b into a general AGCD scheme and set message space to m ∈ 0, 1 { } by restricting the parameters to some concrete values. Roughly, we can take N � 1, B � 1, l � c, b � 2 and set the size of scalar and vector ciphertexts in Per20b equal to Ω(L 2 λ log λ) and cl � Ω(L 4 λ 2 log 2 λ). In this way, we can see that our schemes have similar performance as Per20b. Table 1 shows the concrete parameters of the size of ciphertexts in our schemes and prior schemes.
In homomorphic evaluation, since the multiplication procedure takes up most of the running time, it determines the final computational efficiency. In the following, we show that the homomorphic multiplication in our scheme has more advantages than prior schemes.
Note that the vector-vector multiplication in our HE scheme includes the general multiplication operation between a vector and a decomposed vector (a binary matrix). Vector-vector multiplication must compute c times (for each coefficient) about c/2 modular additions of c-bit numbers; this procedure has an asymptotic computational complexity of Ο(c 2 log c), which is identical to that of prior schemes. However, the vector-integer multiplication in our HE scheme is between a vector and a decomposed integer (a binary vector), and it only requires computation of about c/2 modular additions of c-bit numbers and has a computational complexity of Ο(c log c). is complexity is smaller than that of CLT14, CS15, and BBL17, and is identical to the vector-scalar multiplication of Per20b. Furthermore, by applying the THE scheme, both kinds of multiplications are faster than in prior schemes since they have a smaller computational complexity of Ο((c − ρ) 2 log(c − ρ)) and Ο((c − ρ)log(c − ρ)). Table 2 shows the asymptotic computational complexity of homomorphic multiplication in our scheme and prior schemes.

Conclusion
In this work, we present a GSW-style FHE-OI scheme and reduce the ciphertext expansion by generating integer and vector ciphertexts. e computational efficiency in homomorphic evaluation is improved by hybrid homomorphic operations between integers and vectors, especially when performing vector-integer multiplications. Our computational complexity is better than those of all prior leveled FHE-OI schemes. By applying sequentialization in homomorphic multiplications, the noise growth in the resulting ciphertext is smaller than that produced through general multiplications, and therefore, our scheme can evaluate a circuit with a larger multiplicative depth under the same parameter settings as general multiplications. Finally, the efficiency in our scheme can be further improved by a technique of ciphertext compression called truncation, and the optimized scheme is as secure as before when it comes to thwarting known attacks. Note that our scheme can also be generalized to SIMD operations such as the batch technique based on Chinese remainder theorem and larger prime message space.

Data Availability
No data were used to support this study.

Conflicts of Interest
e authors declare that they have no conflicts of interest.

Authors' Contributions
Ruwei Huang and Bo Yang are contributed equally to this work.

Acknowledgments
is work was supported in part by the National Natural Science Foundation Project under Grant No. 62062009 and Table 1: Ciphertext size comparison with across various schemes.