LWR-Based Fully Homomorphic Encryption, Revisited

1 School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China
2 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
3 Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, Beijing, China
4 College of Science, Hangzhou Normal University, Hangzhou, China
5 Westone Cryptologic Research Center, Beijing, China


Introduction
Fully homomorphic encryption (FHE) is a cryptographic primitive that allows arbitrarily complex, efficiently computable evaluations to be performed over encrypted data without decrypting them. The problem of how to construct a FHE scheme had troubled cryptologists since it was first posed by Rivest et al. [1]. Only in 2009 was this conundrum resolved, by Gentry's first plausible candidate FHE construction based on ideal lattices [2]. Since then, a series of works [3][4][5][6][7][8] has been presented, with much progress mainly in security assumptions and efficiency.
Gentry's seminal work [2] showed for the first time that FHE can be based on cryptographic assumptions and put forward a remarkable "bootstrapping" theorem to achieve full homomorphism (which needs a "circular security" assumption). However, his scheme relies on relatively strong cryptographic assumptions on ideal lattices (ideal lattices are a special breed that we know relatively little about) and can only evaluate "low degree" polynomials homomorphically without "bootstrapping." The LWE-based FHEs [5, 9-13] enjoy higher efficiency and stronger security than the previous schemes [2][3][4][7] (which follow a framework similar to Gentry's work), due to the simple algebraic structure of the well-studied LWE problem [14] and the classical (quantum) reductions from some apparently intractable lattice problems (e.g., GapSVP) to LWE [14,15]. The first LWE-based FHE was proposed by Brakerski and Vaikuntanathan [5] (henceforth, BV11b), who used a novel relinearization technique to construct a "somewhat homomorphic" encryption scheme based on the LWE problem and introduced a novel dimension-modulus reduction technique, without resorting to the "squashing paradigm" used in the previous schemes [2][3][4][7]. The subsequent improved works are mainly Brakerski et al.'s [9] BGV12 and Brakerski's [10] Bra12. In BGV12, Brakerski, Gentry, and Vaikuntanathan used dimension reduction and modulus reduction (both originating from BV11b) iteratively and gradually to construct a "leveled" FHE scheme (capable of evaluating circuits of arbitrary polynomial depth). Bra12 used dimension reduction without modulus reduction to build a better leveled FHE scheme, superior to the previous best known in simplicity, noise management, and security. This is mainly because its noise grows only linearly ( →  ⋅ poly()) with every homomorphic multiplication, while in all previous works the noise grows quadratically ( →  2 ⋅ poly()) without modulus reduction.
In Crypto 2013, Gentry et al. [16] (henceforth, GSW13) presented a LWE-based FHE scheme in what is now called the GSW style (later improved by Alperin-Sheriff and Peikert [17], henceforth AP14), using two novel techniques, the so-called approximate eigenvector method and flattening, where the ciphertext is a matrix rather than a vector. For the most part, its homomorphic addition and multiplication are just matrix addition and multiplication, which avoids the key switching, modulus switching, and "evaluation" key used in previous schemes (e.g., BV11b, BGV12). It is important to note that, besides not needing an "evaluation" key, the scheme has the interesting property of asymmetric noise growth because of its specific GSW structure. Based on GSW13, a sequence of schemes was proposed, including bootstrapping schemes [11,17], multikey schemes [6,12,13], and other related schemes [18,19] (these schemes mainly leverage the homomorphic operations of GSW13).
Motivations. The above-mentioned LWE-based FHEs and related schemes suffer from complex and time-consuming Gaussian or sub-Gaussian noise sampling, because the underlying LWE problem needs a noise (error) vector sampled from a distribution, typically a (discrete) Gaussian or sub-Gaussian distribution [5,9,10,12,16,17]. In particular, some schemes (e.g., [6,18]) based on the LWE problem have to sample Gaussian noise in the encryption process, which seriously weakens their efficiency. Moreover, it has recently been shown (e.g., [20,21]) that Gaussian sampling creates many potential side-channel vulnerabilities that can result in complete leakage of the secret key. Although it is possible to design implementations that protect against side-channel attacks, these implementations are often very complex.
As a matter of course, this raises a question: can we dispense with Gaussian noise sampling in building a FHE scheme while maintaining (almost) the same security level as schemes based on the LWE problem? Indeed, this is valuable theoretically and practically, and even pedagogically.
Very recently, Costache and Smart [22] showed a FHE scheme based on the ring-LWR problem (or RLWR, a variant of the Learning with Rounding (LWR) problem). Their scheme removes the Gaussian noise needed in the previous LWE-based FHEs and results in slightly smaller ciphertexts. Roughly speaking, they focused their attention on BGV12 and used the techniques of relinearization and modulus switching to build a RLWR-based FHE scheme. However, the LWR (the definition of LWR will be presented in Section 2.2), mainly leveraged by a scaled rounding function [23] involving two different moduli  and , makes the tensor product ⊗ they use to implement homomorphic multiplication intractable. In more detail, they chose RLWR instances as a public key and the private key therein as a secret key, and the ciphertext was computed as a vector c = (V, ) ∈   ×   decrypting to a message  ∈   , where   ,   ,   are quotient rings. Then, they used the tensor product ⊗ to implement homomorphic multiplication, which results in a product of two elements belonging to different rings (i.e., the two moduli are tangled together). This makes their analysis of the multiplication noise complicated and obscure. In fact, this "tangly modulus" problem brings a large multiplication noise into their decryption equation (in terms of the ciphertext after homomorphic multiplication) and thus leads to decryption failure. Therefore, we think that how to construct a FHE scheme based on the LWR problem is still an open problem, and it is this problem we focus on.

Footnotes: (1) We consider a leveled FHE scheme where the depth of circuits is polynomial . The homomorphic evaluation capability, efficiency, and security of the FHE scheme mainly depend on the modulus , under the same dimension . Note that the modulus  of AP14 is relatively smaller than that of GSW13, since the sub-Gaussian noise in AP14 results in tighter noise growth than the Gaussian noise. Here, we ignore this small difference. (2) Here, the security loss is caused by the reduction between the security of the FHE scheme and the LWE problem. Since the security of our FHE scheme is directly based on the LWR problem, the security loss includes the reduction loss incurred by the reduction between LWE and LWR (see Theorem 7 in Section 2).
Our Results. In this paper, we propose a workable LWR-based FHE scheme that eliminates the tangly modulus problem by adopting the celebrated approximate eigenvector method of GSW13. Roughly speaking, we use a specific matrix multiplication to perform the homomorphic multiplication, which avoids the tangly modulus problem; this matrix multiplication involves a variant of the gadget matrix (described in Section 2.3). The efficiency of our scheme is almost comparable to that of GSW13 and AP14 without counting the cost of Gaussian noise sampling, since the size of the modulus  is almost the same as theirs, as can be seen from Table 1 (our modulus  is larger; see Section 4.2). Indeed, it is mainly our larger security loss (up to a polynomial factor) that results in the larger modulus  (up to a polynomial factor). Our scheme can be seen as an alternative to GSW13 and AP14. Furthermore, we also extend the LWR-based FHE scheme to the multikey setting using the tricks used by Mukherjee and Wichs [12] at Eurocrypt 2016 to construct LWE-based multikey FHE. Again, we leverage the specific GSW style to avoid the tangly modulus problem. Interestingly, the method of [12] seems tailored to constructing our LWR-based multikey FHE scheme, since it helps to avoid the tangly modulus problem when expanding the valid ciphertexts needed in the multikey setting (see Section 5). Compared to Mukherjee and Wichs's scheme, our scheme can also be applied to multiparty computation and is more efficient; again, this is largely because there is no Gaussian noise sampling. This can also be verified by Table 1 and by the fact that the LWE-based multikey FHE [12] is an extension of AP14.
What is more, our LWR-based FHE and its extended multikey FHE support bootstrapping; this is because the encryption and decryption processes in our schemes are very similar to those in AP14, except that there are two different moduli in our scheme (which do not tangle together because of our specific structure). We believe that it is straightforward to convert our LWR-based scheme into a RLWR-based one.
Our Techniques. In our LWR-based FHE, we choose  pairs of LWR instances as a public key and the private key therein as a secret key. The public key is assembled as a matrix where A ∈ Z ×  , b ∈ Z   , and the secret key is s = (−/ ⋅ s  , 1), where s  ∈ {0, 1}  . Since there are two different moduli in one matrix, we use the symbol [×] (see Section 2) to distinguish it from the conventional symbol ×.
For a message  ∈ {0, 1}, the ciphertext is computed as where G ∈ Z × [×]Z   is a variant of the gadget matrix (see Section 2.3). To perform homomorphic multiplication (addition is very natural), do the following: given two ciphertexts C 1 , C 2 decrypting to messages  1 ,  2 ∈ {0, 1}, we have . Hence, the structure of the ciphertexts remains unchanged after  levels of multiplication, so they can still be properly decrypted. Indeed, our homomorphic multiplication does not cause the tangly modulus problem present in Costache and Smart's solution [22], because the two different modular operations (with respect to the moduli , ) can be partitioned by our matrix operation but cannot be by the tensor product they use. We defer the details to Section 4.
For the secret key, s = (−/ ⋅ s  , 1), where ,  are public and s  is chosen privately and uniformly from {0, 1}  instead of Z  , to keep the initial noise small and for efficiency. This is reasonable and secure by Theorem 7 in Section 2.2 and the hardness of the LWE problem with binary secret (which was proved at least as hard as the original LWE problem by Brakerski et al. [24]).
Organization. In Section 2, we give some preliminaries including the LWE problem, the LWR problem, and a variant of the gadget matrix. We describe a basic LWR-based encryption scheme and give its full security proof in Section 3. Section 4 goes into the core of our LWR-based FHE scheme. In Section 5, we extend our main construction to LWR-based multikey FHE. Finally, we conclude the paper in Section 6.

Preliminaries
As a preliminary matter, we explain the notations and operations used throughout the paper.
Notations. For an integer , we define the set Z  ≜ (−/2, /2] ∩ Z, and all logarithms on  are to base 2. All arithmetic is performed over Z, or over Q when division is used, and for ease of use we let [] ≜ {1, . . ., }. We denote vectors in bold lowercase (e.g., x) and matrices in bold uppercase (e.g., A). Let A  (resp., x  ) be the transpose of A (resp., x). For any  ∈ Q, we denote by ⌊⌋, ⌈⌉, and ⌈⌋ the rounding of  down, up, or to the nearest integer; these notations also apply to vectors and matrices. We say that a function negl() is negligible if it is smaller than every inverse polynomial in  for sufficiently large . All vectors are treated as rows in the paper.
Probability. We let ←  D denote that  is sampled at random from a distribution D, and ←  S (e.g., Z  ) denote that  is uniform over a set S.
Given two different moduli , , and any integers , , for a ( + 1) ×  matrix A, by abuse of notation, we let indicate that all row vectors of A are over Z   except the last one (i.e., the ( + 1)-th), which is over Z   ; care is then needed when, for example, multiplying such a matrix by a matrix R ∈ {0, 1} × (or a vector r ∈ {0, 1}  ). More precisely, we multiply every row vector of A by the matrix R ∈ {0, 1} × , that is, multiply each row vector of A by each column vector of R ∈ {0, 1} × , and then reduce modulo a modulus. Note that the last row vector of A is over Z   , and thus the multiplications between this row vector and the matrix R ∈ {0, 1} × are evaluated over Z   (the products are reduced modulo ), while all the other multiplications are evaluated over Z   (the products are reduced modulo ). (These two modular operations can be partitioned because of the matrix structure, which, roughly speaking, avoids the tangly modulus problem present in [22].) This principle also applies to addition between two matrices over Z ×  [×]Z   . Indeed, this is an important difference between LWE and LWR when performing addition and multiplication on matrices.
In our security proof, we will use the following variant of the standard leftover hash lemma [25].

Learning with Errors (LWE).
The well-known LWE problem has enjoyed fame for its applicability in constructing lattice-based schemes conjectured to be secure in the quantum setting, ever since Regev introduced it and showed a quantum reduction [14] from the worst-case hardness of standard lattice problems to the LWE problem (followed by classical reductions [15,24]). It is defined as follows.
Definition 2 (see [9]). Let ,  = (),  ≥ (log) be positive integers, s ∈ Z   a vector, and  an error distribution over Z (typically, a (discrete) Gaussian distribution with standard deviation  for  = (1)). Let A ,,, be the distribution over Z +1  obtained by choosing  independent samples a←  Z   and an error term ←   and outputting  pairs (a,  = ⟨a, s⟩  + ). Then, the (average-case) decision problem of LWE, denoted by DLWE ,,, , is to distinguish, given arbitrarily many independent samples, the uniform distribution over Z +1  from A ,,, , for a fixed s ∈ Z   . The search problem LWE ,,, is to find the secret s given  independent samples from LWE ,,, (s) (for s ∈ Z   ). The LWE ,,, assumption is that the LWE ,,, problem is infeasible.

Learning with Rounding (LWR).
The Learning with Rounding (LWR) problem, which has been used to construct lossy trapdoor functions, reusable computational extractors, and deterministic encryption, was first proposed by Banerjee et al. [23] to improve the efficiency of pseudorandom generators (PRGs) based on the LWE problem. Indeed, the LWR problem can be seen as a deterministic alternative to the LWE problem: the noise in LWR is deterministic, which derandomizes the Gaussian noise in LWE, and the noise in LWR, which results from the scaled rounding function, is smaller than that in LWE. Specifically, the noise in LWE is -bounded ( > 2√ for security [14]), whereas in LWR it has magnitude less than 1/2. We recall the scaled rounding function ⌈⋅⌋  [23], which is defined as follows: for  < , Similarly to the LWE problem, we get the following analogous definition for the LWR problem.
Definition 4 (see [23]). For integers ,  > , and , sample uniformly at random an -dimensional vector s from Z   ; then the LWR distribution is defined as , where the pair (a, ⌈⟨a, s⟩  ⌋  ) is an LWR sample (instance), and let LWR ,,, (s) be the distribution comprising  independent samples from LWR ,, (s). Then, the search LWR ,,, problem is to find the secret s given  independent samples from LWR ,, (s), while the decision DLWR ,,, problem is to distinguish (with nonnegligible advantage)  independent samples chosen from the distribution LWR ,,, (s), for a fixed s←  Z   , from  samples chosen from the uniform distribution over Z   × Z  . The LWR ,,, assumption is that the DLWR ,,, problem is infeasible.
As to the hardness of the LWR problem, Banerjee et al. [23] presented an efficient reduction from the LWE problem to the LWR problem for a modulus  of superpolynomial size, followed by Alwen et al. [26], who gave a reduction that allowed a polynomial modulus  but restricted the number of samples and did not apply to all values of the modulus . In 2016, Bogdanov et al. [27] generalized the theorem of [26] by eliminating the restriction on the modulus , but the number of samples was required to be less than (/) (weaker than [26]), while Alperin-Sheriff and Apon [28] showed a dimension-preserving reduction from LWE to LWR with a polynomial-sized modulus, which immediately implies improvements in parameters (i.e., security and efficiency) for all known applications of polynomial-modulus LWR.
Note that Brakerski et al. [24] proved that bin-LWE (LWE with the secret uniformly chosen from {0, 1}  ) is at least as hard as the original LWE problem (up to a logarithmic loss). Hence, we can uniformly choose the secret s in LWR from {0, 1}  under the hardness of bin-LWE and the following theorem (Theorem 5). Next, we recall the main theorem of [27] (it is sufficient for our schemes, though the number of samples is required to be less than (/)). Then, by combining this theorem with Lemma 6 (a simple fact which we state as a lemma), we get our crucial Theorem 7, on which the security of the proposed schemes is based. Note that Theorem 7 concerns the search problem of bin-LWE, which is harder than the decision problem of bin-LWE.
Theorem 5 (see [27]). For every  > 0, , ,  ≥ 2, if there is an algorithm A such that where A←  Z ×  , s←  {0, 1}  , and u←  Z   , then there exists an efficient algorithm B that runs in time polynomial in , , the number of divisors of , and the running time of A such that where A←  Z ×  , s←  {0, 1}  , and k←  Z   , then there exists an efficient algorithm B that runs in time polynomial in , , the number of divisors of , and the running time of A such that for a noise distribution e that is -bounded and balanced in each coordinate.
Proof sketch. Note that Theorem 5 places no restriction on the condition  | . In other words, Theorem 5 holds even under the additional condition  | . Therefore, Theorem 7 follows by combining it with Lemma 6, which implies that the vector ⌈u⌋  is equivalent to k.

We remark that the term Pr in Theorem 7 can be interpreted as the decision DLWR ,,, problem, for the fixed s←  {0, 1}  .

Variant of Gadget Matrix.
The gadget matrix, proposed in [29], was used by AP14 to build a LWE-based FHE scheme of GSW style, extending the "flattening" technique of GSW13. Here, we construct a variant of the gadget matrix that is specific to our LWR-based FHE scheme.
Since there are two moduli ,  in the LWR problem, the variant gadget matrix G with the same invariant is as follows: where g ≜ (1, 2, . . ., 2 ⌈log ⌉−1 ) ∈ Z ⌈log ⌉  , g n+1 ≜ (1, 2, . . ., , and  = ⌈log ⌉ + ⌈log ⌉. We also define the deterministic inversion function G −1 : Z ×  [×]Z   → {0, 1} × , which is the bit decomposition that writes each entry in its binary representation over Z  or Z  , and which has the following property: for any matrix is an expensively randomized inversion function in AP14, although it leads to a tighter noise analysis for its homomorphic operations.

Building Block
As a warmup, in this section we present a basic encryption scheme based on LWR, adapted from the ring-LWR-based FHE scheme [22]. Then, based on this basic encryption scheme, we give our LWR-based FHE scheme in the next section. We remark that the secret key is uniformly chosen from {0, 1}  to keep the noise growing more slowly and to speed up the encryption and decryption processes, under (almost) the same security level as GSW13 and AP14. This is guaranteed by Theorem 7 in Section 2.2 and the hardness of the bin-LWE problem.
(ii) KeyGen(): choose uniformly at random a secret key s  ←  {0, 1}  . Choose uniformly at random ℓ vectors a i ←  Z   , and then compute
(iii) Enc(, , ): to encrypt a message  ∈ {0, 1}, choose a random vector r←  {0, 1} ℓ , and then output
(iv) Dec(, , c):
Correctness. As long as the noise , where   ∈ {0, 1} is an entry of the vector r, the above Dec algorithm correctly recovers the message . We prove this in the following steps. For every column vector (a  ,   )  of the matrix A, it holds that Then, we have s ⋅ A = e mod , and it follows that iff |⟨e, r⟩| ≤ 1/2 ⋅ ℓ < 1/2 ⋅ ⌈/2⌋.

Security.
We argue that the above basic encryption scheme is IND-CPA secure under Theorem 7. In fact, the structure of our basic encryption scheme is identical to that of [14,16,17], and so is the strategy of the security proof. In our paper, Theorem 7 guarantees the hardness of the LWR ,,, assumption (where s←  {0, 1}  ) assuming the bin-LWE problem; hence, we can base the security of our basic encryption scheme on the LWR problem. For completeness, we give a full security proof below.
Theorem 8. The above basic LWR-based encryption scheme is IND-CPA secure under the LWR ,,, assumption.
Proof. We prove the theorem via a series of hybrid experiments. The probability analysis is omitted here, since it is standard and very similar to that of [4,14].
(ii) Hybrid 1: this is the same as Hybrid 0 except that we use  pairs {(a i ,   )} =1,..., chosen uniformly from Z   × Z  , instead of LWR samples as in Hybrid 0, to assemble the public key A. The ciphertext c is then generated by encrypting  under the public key A as per the encryption procedure in Hybrid 0.
(iii) Hybrid 2: this is the same as Hybrid 1 except that the ciphertext c ∈ Z   × Z  is chosen from Z   × Z  uniformly and independently of the public key.
First, we claim that Hybrid 1 is indistinguishable from Hybrid 0 under the LWR ,,, assumption. This is shown by a simple reduction: if a hypothetical adversary A can distinguish these two hybrids, then we can construct an algorithm B that breaks the LWR ,,, assumption. Specifically, B simply collects its input (challenge) samples into the public key A, encrypts a message  under A to get a ciphertext c, and then invokes A on (A, c), outputting the same accept/reject decision. It is clear that B perfectly simulates Hybrid 0 or Hybrid 1 depending on whether its input samples are LWR samples or uniform over Z   × Z  ; that is, if the input samples are LWR samples, then the ciphertext c is generated as per Hybrid 0; otherwise, it is generated as per Hybrid 1. Therefore, B and A have equal distinguishing advantage. Because B's advantage must be negligible by hypothesis, so is A's.
Second, we claim that Hybrid 1 is statistically indistinguishable from Hybrid 2; that is, even a computationally unbounded adversary has only negligible advantage in distinguishing them. This is justified by Lemma 1 in Section 2. In more detail, by Lemma 1, the term A ⋅ r in Hybrid 1 is statistically indistinguishable from a uniform element y ∈ Z   × Z  . Hence, the ciphertext in Hybrid 1 is statistically indistinguishable from that of Hybrid 2, since adding the fixed vector (0, ⋅⌈/2⌋)  to A⋅r preserves its uniform distribution.
To sum up, we conclude that Hybrid 0 is indistinguishable from Hybrid 2, and the ciphertext in Hybrid 2 is independent of the message  (whether  = 0 or  = 1), which completes the proof.
(ii) KeyGen(): choose uniformly at random a secret key s  ←  {0, 1}  . As per the KeyGen algorithm in Section 3, generate a matrix
(v) Add(C 1 , C 2 ): given two ciphertext matrices C 1 , C 2 decrypting to messages  1 and  2 , respectively, output decrypting to messages  1 and  2 , respectively, the multiplication is defined as where G −1 is taken from Section 2.3. We give Algorithm 3 only for homomorphic multiplication, because homomorphic addition is trivial and homomorphic NAND is built on homomorphic multiplication.
(vii) NAND(C 1 , C 2 ): for two ciphertext matrices C 1 , C 2 decrypting to messages  1 and  2 , respectively, the NAND operation is defined as Note that any Boolean circuit can be converted to use only NAND gates. The IND-CPA security of the above scheme follows immediately from the security of the basic encryption scheme in Section 3: the ciphertext matrix is just G plus a matrix of  encryptions of 0 under the key s by the basic encryption scheme of Section 3, which is pseudorandom by Theorem 8 and hence hides G.
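The following Python example is added here as an illustration and is not code from the paper. It implements, at toy size, the pieces described in Sections 2.2, 2.3, 3 and 4.1: the scaled rounding function of [23], the [×] mixed-modulus matrix product (rows 1 to n reduced modulo q, the last row modulo p), the two-modulus gadget variant G with its deterministic bit-decomposition inverse, the basic LWR encryption with public key of ℓ LWR samples and secret key s = (−p/q·s′, 1), and the GSW-style Mult and NAND. The parameter values, the random seed and the decryption rule (reading the column of G whose only nonzero entry is p/2, the usual GSW/AP14 choice) are my assumptions, since the paper's Dec formula and parameter table did not survive extraction.

```python
"""Toy LWR-based GSW-style FHE in the shape the paper describes (added example).
Parameters are constructed for correctness only and are far too small for security."""
from fractions import Fraction
import math
import random

n, q, p, ell = 4, 2 ** 24, 2 ** 18, 8      # toy sizes (assumption); p | q as in Theorem 7
LOGQ, LOGP = math.ceil(math.log2(q)), math.ceil(math.log2(p))
N = n * LOGQ + LOGP                         # width of the gadget matrix
MODS = [q] * n + [p]                        # row i of a [x]-matrix lives in Z_MODS[i]
DEC_COL = n * LOGQ + LOGP - 1               # column of G whose only nonzero entry is p/2 (last row)


def centered(x, m):
    """Representative of x mod m in (-m/2, m/2]; x may be a Fraction."""
    r = x % m
    return r - m if r > Fraction(m, 2) else r


def round_q_to_p(x):
    """Scaled rounding function of Banerjee et al.: round((p/q) * x) mod p."""
    return round(Fraction(p, q) * x) % p


def mixed_mul(A, R):
    """[x]-matrix product A . R: row i of the result is reduced modulo MODS[i]."""
    return [[sum(a * R[t][j] for t, a in enumerate(row)) % MODS[i]
             for j in range(len(R[0]))] for i, row in enumerate(A)]


def gadget():
    """Variant gadget G: block i (i <= n) holds (1, 2, ..., 2^(ceil(log q)-1)) in row i,
    the last block holds (1, 2, ..., 2^(ceil(log p)-1)) in row n+1."""
    G = [[0] * N for _ in range(n + 1)]
    for i in range(n):
        for k in range(LOGQ):
            G[i][i * LOGQ + k] = 1 << k
    for k in range(LOGP):
        G[n][n * LOGQ + k] = 1 << k
    return G


def g_inverse(C):
    """Deterministic G^{-1}: bit-decompose rows 1..n over Z_q and the last row over Z_p,
    so that mixed_mul(G, g_inverse(C)) == C."""
    m = len(C[0])
    out = [[0] * m for _ in range(N)]
    for j in range(m):
        for i in range(n):
            for k in range(LOGQ):
                out[i * LOGQ + k][j] = (C[i][j] % q >> k) & 1
        for k in range(LOGP):
            out[n * LOGQ + k][j] = (C[n][j] % p >> k) & 1
    return out


def keygen(rng):
    """Public key A: ell columns (a_i, b_i) with b_i = round_q_to_p(<a_i, s'>); secret s."""
    s_prime = [rng.randrange(2) for _ in range(n)]                  # s' <- {0,1}^n
    A_top = [[rng.randrange(q) for _ in range(ell)] for _ in range(n)]
    b = [round_q_to_p(sum(A_top[i][j] * s_prime[i] for i in range(n)) % q) for j in range(ell)]
    s = [-Fraction(p, q) * v for v in s_prime] + [Fraction(1)]       # s = (-(p/q) s', 1)
    return A_top + [b], s


def encrypt(A, mu, rng):
    """C = A . R + mu * G with R <- {0,1}^(ell x N): G plus N basic encryptions of 0."""
    R = [[rng.randrange(2) for _ in range(N)] for _ in range(ell)]
    AR, G = mixed_mul(A, R), gadget()
    return [[(AR[i][j] + mu * G[i][j]) % MODS[i] for j in range(N)] for i in range(n + 1)]


def noise(s, C, mu):
    """Largest |e_j| where s . C = e + mu * s . G (mod p); used to check the growth bounds."""
    G = gadget()
    return max(abs(centered(sum(s[i] * (C[i][j] - mu * G[i][j]) for i in range(n + 1)), p))
               for j in range(N))


def decrypt(s, C):
    """s . C[DEC_COL] = e_j + mu * p/2 (mod p); decode mu from the centered value."""
    v = centered(sum(s[i] * C[i][DEC_COL] for i in range(n + 1)), p)
    return 1 if abs(v) > Fraction(p, 4) else 0


def mult(C1, C2):
    """Homomorphic AND: C1 . G^{-1}(C2); noise grows by a factor of at most N + 1."""
    return mixed_mul(C1, g_inverse(C2))


def nand(C1, C2):
    """Homomorphic NAND: G - C1 . G^{-1}(C2), each row reduced modulo its own modulus."""
    G, P = gadget(), mult(C1, C2)
    return [[(G[i][j] - P[i][j]) % MODS[i] for j in range(N)] for i in range(n + 1)]


if __name__ == "__main__":
    rng = random.Random(7)                                          # fixed seed (assumption)
    A, s = keygen(rng)
    c1, c0 = encrypt(A, 1, rng), encrypt(A, 0, rng)
    out = nand(nand(c1, c1), c0)                                    # NAND(NAND(1,1), 0) = 1
    print("decrypts to", decrypt(s, out), "with noise", float(noise(s, out, 1)))
```

With these sizes a fresh ciphertext has noise at most ℓ/2 = 4 per coordinate, one multiplication raises that to at most (N + 1)·4 = 460, and a second level stays below p/4 = 65536, so two levels of NAND decrypt correctly in the worst case; the bounds in the `<assert>`-style checks a reader might run mirror the paper's growth factor of N + 1.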

Correctness.
In this subsection, we analyze the scheme's correctness and the noise growth of each homomorphic operation. Moreover, we give a more detailed analysis of homomorphic multiplication to show that our construction is practicable.
Homomorphic NAND. To perform the NAND operation on two ciphertext matrices where e 1 ⋅G −1 (C 2 )+ 1 e 2 is the noise of the homomorphic NAND, which is identical to that of homomorphic multiplication. Therefore, the noise also grows by a factor of at most  + 1.

Parameters and Comparisons.
Compared to GSW13 and AP14, we conclude from the above analysis that our noise growth factor is also  + 1 (identical to theirs) and that the size of the parameter  is almost the same as theirs. Hence, we claim that the efficiency of our scheme is almost comparable to theirs, without counting the cost of Gaussian noise sampling, since our encryption and decryption processes are identical to theirs. Concretely, assume the depth of NAND operations is ; after  levels of homomorphic NAND, the noise is near (1/2)( + 1)  , and decryption requires (1/2)( + 1)  < 1/2 ⋅ ⌈/2⌋. Then, combining this with the requirement  ≥ 2 of Theorem 7 in Section 2, and  = ( log  + log ),  = ⌈log ⌉ + ⌈log ⌉ in our scheme, we can set  = (( log )) + (1) ,  = (( log )) + (1) , satisfying  ≥ 2. Compared to the parameter  = (( log )) + (1) (since  ≥ 8  (  +1)  ) in GSW13 and AP14, our parameter  is larger (up to a polynomial factor); this is caused by the condition  ≥ 2 needed to achieve (almost) the same security level as GSW13 and AP14. Therefore, taking into account the cost (e.g., running time, memory) of Gaussian or sub-Gaussian noise sampling in GSW13 and AP14, our scheme has some advantages over them and can thus be seen as an alternative. Moreover, as the reductions between LWE and LWR improve, the moduli can be reduced.
Bootstrapping involves homomorphically evaluating the decryption function. Because our decryption process is identical to that of AP14, bootstrapping works for our scheme as well. In more detail, as in AP14, we can directly evaluate the decryption function in an elementary and efficient arithmetic form, using just basic facts about cyclic groups, to achieve bootstrapping. In our scheme, this bootstrapping method also results only in polynomial noise, which allows the security to be based on the LWR problem with inverse-polynomial noise rates. Since the reduction from LWE to LWR incurs a polynomial loss (( log )) according to Theorem 7 in Section 2, the security can be based on the LWE problem with inverse-polynomial noise rates and hence on worst-case lattice problems (e.g., GapSVP) with polynomial approximation factors.

LWR-Based Multikey FHE Scheme
FHE has been studied extensively also because of its versatility in cryptography and industrial applications, such as outsourcing computation to a third party (a remote server) without compromising privacy [5] and secure multiparty computation [12,30]. At Eurocrypt 2016, Mukherjee and Wichs [12] extended AP14 to the multikey case and presented a multikey FHE scheme for implementing two-round multiparty computation, which enables homomorphic computation over data encrypted under different keys and supports threshold decryption. Their solution, however, relies on the LWE problem, and its efficiency is slowed by sub-Gaussian noise sampling. But the tricks in [12] inspire us to construct a multikey FHE scheme based on LWR. In fact, our construction also supports threshold decryption; we describe it in Section 5.3. Here, we present only the necessary tools and our main construction, and we refer interested readers to [12] for the definitions of multikey FHE and multiparty computation, the security definition of multiparty computation protocols, and other related concepts.

Overview of the Techniques.
In this subsection, we describe how to construct a LWR-based multikey FHE scheme (adapted from [12]); this helps readers understand our construction more easily. For simplicity, we consider the case of two keys, since it generalizes naturally to any polynomial number of keys. According to (23) in Section 4.2, given two ciphertexts C 1 and C 2 decrypting to messages  1 and  2 , we can perform homomorphic operations on them iff they satisfy the equation s ⋅ C =   s ⋅ G + e  for small noise e  , where  ∈ [2]. Hence, for the "combined secret key" ŝ = (s 1 , s 2 ), where s 1 = (−/ ⋅ s   1 , 1) and s 2 = (−/ ⋅ s  2 , 1) correspond to two different users, if we can construct two expanded ciphertexts Ĉ1 and Ĉ2 such that ŝ ⋅ Ĉ1 ≈  1 ŝ ⋅ Ĝ and ŝ ⋅ Ĉ2 ≈  2 ŝ ⋅ Ĝ (henceforth, ≈ denotes equality up to the noise term e), where Ĝ is the expansion of G, then we can perform homomorphic operations on the two ciphertexts Ĉ1 and Ĉ2 .
Exactly as Mukherjee and Wichs [12] showed, we can create the expanded ciphertext as follows: such that iff where Ĝ ≜ [ G 0 0 G ]. Similarly, we can generate the ciphertext Ĉ2 . Here, we have made a big step forward; next, we analyze how to construct this X without revealing the secret key s 2 .
Assume we are given a user-specific public key , and a ciphertext generated as per the Enc algorithm in Section 4. Assume we are also given another user-specific public key ] and secret key s 2 = (−/ ⋅ s  2 , 1) (assume A is the publicly shared parameter), such that s 2 ⋅ A 2 = e mod ; then, we have Subtracting (34) from (32), we get We proceed to use an important tool from [12] to construct such a matrix X.

Construction of Two-Key FHE Scheme from LWR.
For ease of description, here we give only the construction of a two-key FHE scheme based on LWR, since everything extends naturally to any polynomial number of keys.
Construction. We now describe the two-key FHE construction.
(ii) TFHE.KeyGen(): run the KeyGen algorithm in Section 4 to get Finally, output an expanded ciphertext: where results in This also applies to verifying ŝ ⋅ Ĉ2 ≈  2 ŝ ⋅ Ĝ.
Parameters and Security. Although our LWR-based multikey FHE scheme does not need the sub-Gaussian noise sampling of Mukherjee and Wichs's scheme [12], the structure of our construction is identical to theirs. Indeed, we simply use the scaled rounding function instead of their sub-Gaussian noise to hide the message, and this is possible thanks to our specific structure, which helps us circumvent the tangly modulus problem present in [22]. Since the LWE-based multikey FHE [12] is an extension of AP14, and the parameter  in our LWR-based FHE is almost identical to that of AP14 according to Section 4.2, the LWR-based multikey FHE, which is the extension of our LWR-based FHE, has almost the same parameter  as [12]. As to security, we remark that the main difference between the multikey setting in this section and the single-key setting in Section 4 is the number of ciphertexts. In the multikey setting, there is an additional helper set H consisting of  ciphertexts, but these  ciphertexts are encryptions of the entries of the random matrix R ∈ {0, 1} × , which are independent of the other ciphertexts. In other words, the helper set H does not affect the scheme's security; therefore, our LWR-based multikey FHE scheme has the same security level as the LWR-based FHE scheme in Section 4.

Threshold Decryption for Two-Key FHE Scheme.
In [12], the main idea of designing a multiparty computation protocol is to leverage the "threshold decryption" property of multikey FHE and rely on the "smudging lemma" [31]. In the secure multiparty computation protocol, the parties run a secure distributed protocol using their own secret keys to decrypt the output ciphertext and finally recover the plaintext . Specifically, each party obtains partial information by applying its own secret key to the common ciphertext Ĉ, and then broadcasts this information with some medium-sized smudging noise from a uniform distribution added (the noise is needed to "smudge out" any information about the noise contained in the ciphertext Ĉ, and is needed for the security proof); finally, each party sums up all the partial information and obtains the final decryption . We can achieve the construction of a multiparty computation protocol as well, since our LWR-based multikey FHE scheme also supports threshold decryption. Compared to [12], our threshold decryption also needs the smudging noise, but the overall computational overhead is lower because our LWR-based multikey FHE scheme does not need sub-Gaussian noise sampling. The threshold decryption follows. For simplicity, we again cover the two-key case.

Conclusions
We present the first workable LWR-based FHE scheme. Our FHE scheme eliminates the expensive Gaussian noise sampling and can thus be seen as an alternative to the existing LWE-based FHEs. Furthermore, based on our main construction, we give the first LWR-based multikey FHE scheme, which is an alternative to the existing multikey FHEs and can also be applied to multiparty computation. However, neither our LWR-based multikey FHE scheme nor Mukherjee and Wichs's can be used to construct a multiparty computation protocol without the smudging lemma (which means that the corresponding modulus has to be exponential in the security parameter). Therefore, it remains an open problem to construct multiparty computation protocols via multikey FHEs without the smudging lemma.

3.1. The Basic LWR-Based Encryption Scheme.
The basic encryption scheme based on LWR is constructed as follows.

4.1. Our Construction.
Our LWR-based FHE scheme is constructed as follows.