A More Efficient Fully Homomorphic Encryption Scheme Based on GSW and DM Schemes

Achieving both simplicity and efficiency in fully homomorphic encryption (FHE) schemes is important for practical applications. In the simple FHE scheme proposed by Ducas and Micciancio (DM), ciphertexts are refreshed after each homomorphic operation, and ciphertext refreshing has become the major bottleneck for the overall efficiency of the scheme. In this paper, we propose a more efficient FHE scheme that needs fewer ciphertext refreshings. Building on the DM scheme and on another simple FHE scheme proposed by Gentry, Sahai, and Waters (GSW), our scheme uses both ciphertext matrix operations and ciphertext vector additions. Compared with the DM scheme, one more homomorphic NOT AND (NAND) operation can be performed on ciphertexts before refreshing. Results show that, under the same security parameters, the computational cost of our scheme is clearly lower than that of the GSW and DM schemes for a depth-2 binary circuit of NAND gates, while the error rate of our scheme is kept at a sufficiently low level.


Introduction
With the rapid development of computer networks and big data, the cloud has been playing an important role in storing and processing huge amounts of data [1]. The cloud provides abundant, flexible, and on-demand remote storage and computational resources for network users. However, the cloud is not fully trustworthy, and users do not have full control over the data stored there. Data in the cloud face the risk of leakage, and personal privacy is seriously threatened. Some recent works propose approaches based on network defense for guaranteeing cloud security [2][3][4][5][6]. Nevertheless, data encryption provides a more fundamental and universal privacy protection for data in the cloud. With traditional encryption techniques, encrypted data stored in the cloud must be decrypted before any computation, so personal privacy is still seriously threatened. Homomorphic encryption allows operations to be performed directly on ciphertexts; an untrusted third party can therefore process the ciphertexts without decrypting them, and decrypting the result of the ciphertext operation gives the result of the corresponding plaintext operation. Fully homomorphic encryption (FHE) goes further and allows arbitrary operations to be performed on ciphertexts. Concretely, let Enc and Dec denote the encryption and decryption algorithms, and consider a sequence of plaintexts and their ciphertexts, the i-th ciphertext being the encryption of the i-th plaintext (i = 1, 2, ...). For a function of the plaintexts and the corresponding function of the ciphertexts, FHE schemes satisfy the following property: decrypting the output of the ciphertext function applied to the ciphertexts yields exactly the output of the plaintext function applied to the plaintexts. This ideal property can be applied to privacy protection in the cloud, where personal data are stored and processed in encrypted form.
In FHE schemes, ciphertexts are generated with random noise to ensure semantic security. The noise grows as homomorphic operations proceed, and once its magnitude exceeds a certain threshold the ciphertext can no longer be decrypted correctly. By means of the bootstrapping technique proposed by Gentry [7], ciphertext noise can be reduced so that further homomorphic operations can be performed. However, due to its inherent complexity, bootstrapping has become the major efficiency bottleneck of all FHE schemes. Although many studies have improved the efficiency of FHE schemes [8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24][25][26][27], they are still not simple and efficient enough to be widely adopted in practice. Designing a conceptually simple and efficient FHE scheme remains a challenging issue.
In this paper, a new FHE scheme is proposed to achieve both conceptual simplicity and higher efficiency. The scheme is constructed using the ideas of ciphertext matrix operations from the FHE scheme of Gentry, Sahai and Waters (GSW) [19] and ciphertext vector additions from the FHE scheme of Ducas and Micciancio (DM) [21]. Both schemes are conceptually simpler than most other FHE schemes but suffer from low efficiency. We show that, compared with DM, our scheme allows one more homomorphic operation to be performed before ciphertext refreshing, and that its computational cost is significantly lower than that of DM and GSW under the same security parameters, with the error rate kept at a sufficiently low level. Our scheme thus inherits the conceptual simplicity of DM and GSW while being more efficient.
Assumptions. The assumptions of our scheme are as follows: (1) the hardness of the Learning with Errors (LWE) problem [28]; (2) circular security in ciphertext refreshing, that is, one can safely encrypt a secret key under its associated public key [7]; (3) the gates at the same level of the binary circuit are evaluated in parallel, so that the computational cost of a level is represented by that of a single gate at that level.
Contributions. The main contributions of this paper are summarized as follows: (1) to the best of our knowledge, our scheme is one of the few FHE schemes that take both simplicity and efficiency into consideration; (2) our scheme inherits the conceptual simplicity of DM and GSW, which are conceptually simpler than most other FHE schemes; (3) our scheme combines the efficient homomorphic operation of DM with the moderate noise growth of GSW. Compared with DM, it allows one more homomorphic operation to be performed before ciphertext refreshing. Under the same security parameters, the computational cost of our scheme is clearly lower than that of DM and GSW, and the error rate is kept at a sufficiently low level.
Organization.The rest of this paper is organized as follows: the related work is discussed in Section 2; some preliminaries are given in Section 3; a review of GSW and DM is presented in Section 4; our more efficient FHE scheme, along with its correctness, security, and applicability analysis, is presented in Section 5; the comparison of our scheme with DM and GSW in terms of overall efficiency and error rate is given in Section 6; finally, conclusions are drawn in Section 7.

Construction of FHE Schemes.
Gentry proposed the first FHE scheme in 2009 [7], a milestone in the research of homomorphic encryption. Gentry's scheme is based on ideal lattices and includes the following major steps: (1) the construction of a somewhat homomorphic encryption (SWHE) scheme that allows a limited number of homomorphic additions and multiplications to be performed on ciphertexts; (2) the squashing step, which reduces the complexity of the decryption algorithm; (3) the bootstrapping technique, which reduces ciphertext noise via re-encryption and homomorphic decryption. Despite its significance, Gentry's scheme suffers from rather low efficiency. Following Gentry's work, other FHE schemes based on ideal lattices were proposed to improve its efficiency [8][9][10][11]. However, their inherently complicated key generation, together with large key and ciphertext sizes, makes these schemes impractical for real-world applications.
In 2010, van Dijk et al. proposed an FHE scheme over the integers [29]. Both keys and ciphertexts are integers, which is much simpler than the previous schemes based on ideal lattices. However, this scheme also suffers from low efficiency because of its large key and ciphertext sizes. Although several improved FHE schemes over the integers have been proposed [12][13][14][15], their keys and ciphertexts are still too large to be deployed in a practical system.
Recently, most FHE schemes have been constructed on the LWE problem, a computational problem over lattices [28]. LWE has drawn the attention of more and more cryptographic researchers thanks to its relatively small key and ciphertext sizes and strong security guarantees. Brakerski and Vaikuntanathan presented the first LWE-based FHE scheme (BV) in 2011 [30]. The relinearization technique was introduced to control the ciphertext dimension in homomorphic multiplications, and the dimension-modulus reduction technique was proposed as a new way of simplifying the decryption algorithm to make the scheme bootstrappable and thus fully homomorphic. Compared with Gentry's squashing technique, dimension-modulus reduction removes the sparse subset-sum assumption and is therefore more natural. Brakerski, Gentry, and Vaikuntanathan proposed a leveled FHE scheme (BGV) in 2012 [16], in which relinearization and dimension-modulus reduction were improved into the key-switching and modulus-switching techniques for more efficient control of ciphertext dimension and noise magnitude. Brakerski then introduced a scale-invariant leveled FHE scheme (Bra12) without modulus switching. Compared with previous LWE-based FHE schemes, Bra12 is simpler, and the ciphertext noise magnitude grows by a constant multiplicative factor per homomorphic operation instead of exponentially. However, in all of these schemes the complex key-switching (or relinearization) process still introduces a large computational cost, which is unattractive in practice.
In 2013, a new leveled FHE scheme, known as GSW, was proposed by Gentry, Sahai and Waters [19]. GSW is based on approximate eigenvectors of matrices: ciphertexts are square matrices, and homomorphic addition and multiplication are just matrix addition and multiplication. Therefore, the ciphertext dimension stays constant and key switching is no longer necessary. Scale invariance can also be achieved in GSW via the flatten technique, so modulus switching is not necessary either. GSW is simpler and more natural than previous LWE-based FHE schemes; however, matrix multiplication still brings a high computational cost. Ducas and Micciancio proposed a new FHE scheme with homomorphic NOT AND (NAND) gates [21], known as the DM scheme. Homomorphic operations in DM are just ciphertext vector additions, which are very simple operations; however, ciphertexts in DM need to be refreshed after each homomorphic operation, which becomes a bottleneck for the overall efficiency. Although GSW and DM are conceptually simpler than most other FHE schemes, both still suffer from efficiency bottlenecks.
Other research on LWE-based FHE schemes generally focuses on improving efficiency [22][23][24][25] and optimizing the bootstrapping algorithm [26,27]. Recently, multikey FHE schemes have been proposed for secure multiparty computation [31,32]. However, these schemes involve either key switching or ciphertext matrix operations, both of which are computationally costly, and some of them are not conceptually simple. Therefore, it is necessary to construct a new FHE scheme with both conceptual simplicity and higher efficiency.

Applications of Homomorphic Encryption Schemes.
Since homomorphic encryption supports operations on encrypted data, it is more powerful than traditional encryption techniques and has a vast range of applications. In recent years, with the wide adoption of cloud storage and cloud computation in real-world applications, many applications of homomorphic encryption to privacy protection in the cloud have appeared.
Searchable encryption is a basic application of homomorphic encryption: users execute secure queries on encrypted data, and the query results are obtained through homomorphic operations between the encrypted query and the encrypted data. Many researchers have proposed secure information retrieval schemes based on homomorphic encryption [33][34][35][36]. Meng Shen et al. proposed a graph encryption scheme that makes use of SWHE and enables approximate Constrained Shortest Distance (CSD) queries over an encrypted graph [37]. Another common application is secure e-voting, where the ballots of voters are encrypted and homomorphic operations are performed on them [38][39][40][41]: all encrypted ballots can be tallied without accessing the plaintext content of any individual ballot, so voters' privacy is protected. Recently, with the rapid development of artificial intelligence and machine learning, privacy protection in machine learning has also drawn the attention of many researchers, and many studies on encrypted machine learning have emerged in which homomorphic encryption schemes are used for computation on encrypted data. Xiaoqiang Sun et al. implemented three private classification algorithms based on homomorphic encryption [42]: hyperplane decision-based classification, naive Bayes classification, and decision tree classification. M. Kim et al. proposed secure logistic regression for biomedical data [43]. There are also many works on secure deep learning based on homomorphic encryption [44][45][46], where the activation functions of the deep learning algorithms are usually approximated by polynomials, which can then be evaluated homomorphically. Other recent applications of homomorphic encryption include integrity verification [47,48], data aggregation [49,50], and secure multiparty computation [32,51].
Moreover, homomorphic encryption can be applied to the defense against phishing attacks: the user's personal information is encrypted, and verification is completed via homomorphic operations, so that even if the personal information is leaked to a phishing server, nothing can be learned from the encrypted data. Longfei Wu et al. proposed a novel automated lightweight anti-phishing scheme for mobile platforms, which is highly beneficial for mobile users [52]; adopting homomorphic encryption in such a scheme would provide an even stronger defense against phishing attacks. With the rising awareness of privacy protection and the development of homomorphic encryption, there will be more and more applications of homomorphic encryption in the future.

Preliminaries
3.1. Notations. The mathematical symbols used in this paper are listed in Table 1.

The LWE Problem.
LWE is a computational problem over lattices proposed by Regev [28]. For a security parameter λ, let n = n(λ) and q = q(λ) denote the dimension and the modulus of the vectors, respectively, and let χ = χ(λ) denote the error distribution over Z. The secret vector s is sampled as s ← Z_q^n. For a vector a ← Z_q^n and an error e ← χ, output the LWE instance (a, b) = (a, (a · s + e) mod q) ∈ Z_q^{n+1}. The LWE assumption states that the distribution A_{s,χ} formed by such LWE instances is computationally indistinguishable from the uniform distribution over Z_q^{n+1}.

The Cyclotomic Ring.
Let N be a power of 2. The 2N-th cyclotomic polynomial is Φ_{2N}(X) = X^N + 1, and the corresponding polynomial ring is R = Z[X]/(X^N + 1). R_q = R/qR denotes the residue ring of R modulo an integer q.
Each element of R is a polynomial with integer coefficients of degree at most N − 1, and each element of R_q is an element of R with all its coefficients reduced modulo q. For a polynomial f = Σ_{i=0}^{N−1} f_i X^i ∈ R, let CF(f) = (f_0, ..., f_{N−1}) denote its coefficient vector, and let ACR(f) denote the anticyclic rotation matrix of f: its first column is CF(f), and each following column is the anticyclic rotation of the previous one (the coefficient vectors of X·f, X^2·f, ...), where the entry that wraps around from the bottom to the top is negated, since X^N = −1 in R.

Table 1: List of mathematical symbols with their meanings.

Z               The set of all integers.
Z^+             The set of all positive integers.
C               The set of all complex numbers.
Z_q             The set of integers modulo an integer q, each reduced to its canonical representative.
Z_q^{n×m}       The set of n × m matrices with all coefficients in Z_q.
Z[X]            The set of all polynomials with integer coefficients.
⌊x⌉             Rounding of x to the nearest integer.
⟨a, b⟩ or a · b  Inner product of the vectors a and b.
[A||b]          The horizontal concatenation of the matrix A and the vector b.

BitDecomp and Flatten
Let ℓ = ⌈log q⌉ and let BD(·) denote the BitDecomp operation of GSW [19]. For a vector a = (a_1, ..., a_k) ∈ Z_q^k, BD(a) = (a_{1,0}, ..., a_{1,ℓ−1}, ..., a_{k,0}, ..., a_{k,ℓ−1}) ∈ {0, 1}^{kℓ}, where a_{i,j} is the j-th bit of the binary representation of a_i, from the lowest to the highest bit. After BitDecomp, the upper bound on the ℓ_1 norm of the vector goes down from k·q to k·log q. Let BD^{−1}(·) denote the inverse operation: for a vector a' = (a_{1,0}, ..., a_{1,ℓ−1}, ..., a_{k,0}, ..., a_{k,ℓ−1}) ∈ Z_q^{kℓ}, whose entries need not be bits, BD^{−1}(a') is the vector in Z_q^k whose i-th coefficient is Σ_j 2^j a_{i,j} mod q. The flatten operation FL(·) is defined on a' ∈ Z_q^{kℓ} as FL(a') = BD(BD^{−1}(a')). Another operation, PowersofTwo(·), denoted PT(·), comes hand in hand with BD(·): for b = (b_1, ..., b_k) ∈ Z_q^k, PT(b) = (b_1, 2b_1, ..., 2^{ℓ−1}b_1, ..., b_k, 2b_k, ..., 2^{ℓ−1}b_k) mod q. An obvious property relating BD(·) and PT(·) is ⟨BD(a), PT(b)⟩ = ⟨a, b⟩ mod q, and for any vector a' ∈ Z_q^{kℓ} the following also holds: ⟨FL(a'), PT(b)⟩ = ⟨a', PT(b)⟩ mod q. It can be observed from (8) that the important advantage of FL(·) is that it makes the coefficients of a vector small (binary) without affecting its inner product with the vector PT(b). When these operations are applied to a matrix, they are performed row by row.

A Review of GSW and DM Schemes
The GSW scheme [19]. GSW.Enc(params, pk, μ): for a plaintext message μ ∈ Z_q, sample R ← {0, 1}^{N×m} and output the ciphertext C = FL(μ · I_N + BD(R · A)) ∈ {0, 1}^{N×N}, where I_N denotes the N-dimensional identity matrix and A ∈ Z_q^{m×(n+1)} is the public key. The homomorphic NAND of two ciphertexts C_1, C_2 is C_NAND = FL(I_N − C_1 · C_2). As a result of this operation, C_NAND satisfies the approximate eigenvector property C_NAND · v = (1 − μ_1 μ_2) · v + e_NAND, where μ_1, μ_2 are the plaintexts of C_1, C_2, v = PT(s) is built from the secret key s, and the noise e_NAND stays small because the coefficients of C_1 are binary.
The DM scheme [21]. Ciphertexts are LWE vectors (a, b) with plaintext space Z_4, and the homomorphic NAND in (13) is computed by a few additions between ciphertext vectors. The resulting ciphertext (a, b) is a ciphertext of 1 − m_1 m_2 with noise magnitude less than q/4, which guarantees correct decryption. Homomorphic NAND operations in DM are therefore simpler and faster than the tensor products or matrix operations of previous schemes. However, the noise magnitude would reach at least q/4 after a further homomorphic operation, and the ciphertext would no longer decrypt correctly. After each homomorphic operation, the ciphertext therefore needs to be refreshed to keep the noise magnitude small.
An efficient ciphertext refreshing algorithm based on Ring-GSW is proposed in DM for reducing ciphertext noise. The refreshing algorithm takes as input a ciphertext (a, b) ∈ LWE_s^{2/q}(m, q/4) and the refreshing key K_r, and a base B_r is used to encode the coefficients of (a, b). K_r consists of Ring-GSW ciphertexts that encrypt the secret key s digit by digit in base B_r, where d_r = ⌈log_{B_r} q⌉ is the number of digits per coefficient.
Algorithm 2: msbExtract(ACC, K_s, t).
When the main loop in Algorithm 1 ends, the underlying plaintext V of the accumulator is determined by the phase of the input ciphertext (a, b) and by its noise e. As |e| < q/4, it is clear that 0 < V < q/2 when m = 0 and q/2 < V < q when m = 1. In other words, extracting the most significant bit (msb) of V yields the plaintext m.
During the msbExtract step of Algorithm 1, the accumulator ACC, a switching key K_s and a testing vector t = −Σ_{i=0}^{q/2−1} CF(Y^i) are taken as input. Here Y = X^{2N/q}, and z ∈ R is the secret key used by the Ring-GSW encryption inside the refreshing algorithm. The details of msbExtract are given in Algorithm 2.
The ciphertext c computed in the second step of Algorithm 2 is an LWE vector whose a-part is t^T · ACR(·), computed from the second row of ACC, and whose remaining coefficient is ⌈Q/2⌉ or ⌊Q/2⌋, where Q is the accumulator modulus. Since this coefficient is approximately Q/2, c is an encryption of msb(V) = m under the key CF(z), that is, c ∈ LWE_{CF(z)}(msb(V)). After key switching and modulus switching, c is transformed into a ciphertext under the key s modulo q. Under an appropriate parameter setting, the noise magnitude of the refreshed ciphertext is lower than q/16, and further homomorphic operations can be performed.
The overall algorithm flow of DM is shown in Figure 2, where m = 1 − m_1 m_2.
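The derivation below is added here as a worked example; it is not taken from the paper. It assumes the standard DM form of the homomorphic NAND from [21], c_NAND = (0, 5q/8) − c_1 − c_2 (the paper's equation (13) is not reproduced above), applied to two ciphertexts c_i = (a_i, b_i) whose phase is b_i − ⟨a_i, s⟩ = m_i · q/4 + e_i with |e_i| < q/16, that is, plaintext space Z_4 and the input noise bound that the refreshing step guarantees.

\[
b - \langle \mathbf{a}, \mathbf{s} \rangle
= \frac{5q}{8} - (m_1 + m_2)\frac{q}{4} - (e_1 + e_2) \pmod q
\]
\[
= (1 - m_1 m_2)\frac{q}{2} + e', \qquad
e' = \begin{cases}
\dfrac{q}{8} - (e_1 + e_2), & (m_1, m_2) \in \{(1,1), (0,0)\},\\[6pt]
-\dfrac{q}{8} - (e_1 + e_2), & (m_1, m_2) \in \{(0,1), (1,0)\},
\end{cases}
\]
\[
|e'| \le \frac{q}{8} + |e_1| + |e_2| < \frac{q}{8} + \frac{q}{16} + \frac{q}{16} = \frac{q}{4}.
\]

Hence c_NAND decrypts to 1 − m_1 m_2 with plaintext space Z_2 exactly when |e'| < q/4, which is the bound stated above. The same computation shows why DM must refresh after every gate: |e'| already reaches q/8 + |e_1 + e_2|, so the output violates the q/16 input bound that a second NAND would need, and its (Z_2) encoding is not the Z_4 encoding the NAND expects.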

Efficient FHE Scheme Based on GSW and DM Schemes
To address the problem of overly frequent ciphertext refreshings in DM, a new FHE scheme (NHE) is proposed to achieve higher efficiency. Both the ciphertext matrix operations of GSW and the ciphertext vector additions of DM are used in our scheme, which therefore inherits the conceptual simplicity of both. Moreover, our scheme combines the efficient homomorphic operation of DM with the moderate noise growth of GSW. The whole scheme is outlined here; the related details are given later.
NHE.HomNAND_DM. After the first homomorphic NAND operation in (18), which is a GSW-style matrix operation producing the matrix ciphertext C_i, the (ℓ − 2)-th row of C_i is extracted as the vector ciphertext c_i ∈ Z_q^N for the next homomorphic NAND operation. Clearly, c_i.V = 1. For a pair of ciphertexts c_1, c_2 ∈ Z_q^N such that c_1.V = c_2.V = 1, the homomorphic NAND operation is performed by vector additions as in (19), where c_0 is an auxiliary vector c_0 = BD((5q/8, 0)) ∈ {0, 1}^N, the bit decomposition of the (n + 1)-dimensional vector whose first coefficient is 5q/8 and whose remaining coefficients are 0. The homomorphic operations in (18) and (19) follow the ideas of ciphertext matrix operations in GSW and ciphertext vector additions in DM, respectively.

The modulus of c''_NAND is transformed from q to q_f. Moreover, the dimension and modulus of c''_NAND are set to be the same as those of the ciphertexts in DM. NHE.KeySwitch amounts to summing some (n_f + 1)-dimensional vectors, and NHE.ModSwitch amounts to rounding each coefficient of a single vector. Both algorithms involve only simple operations and do not affect the simplicity of our scheme. The overall algorithm flow of our scheme is shown in Figure 3, where NHE.HomNAND_GSW and NHE.HomNAND_DM denote the algorithms in (18) and (19), respectively.
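The following Python program is an added worked example; it is not code from the paper or from the GSW and DM authors. With toy, insecure parameters it runs the two-level evaluation described above on a depth-2 NAND circuit: level 1 is the standard GSW matrix NAND FL(I_N − C_1 · C_2) of [19]; level 2 extracts the (ℓ − 2)-th row of each result (the row whose approximate eigenvalue is 2^{ℓ−2} = q/4, so that it is an LWE ciphertext with plaintext space Z_4 under the key v = PT(s), as in DM) and applies the vector NAND c_0 − c_1 − c_2 with ⟨c_0, v⟩ = 5q/8. It also checks the BitDecomp/PowersofTwo and Flatten properties of Section 3. Everything not stated in the text is this example's assumption: the parameter values (n = 4, q = 2^20, ℓ = log_2 q, N = (n + 1)ℓ, m = 2N), noise drawn uniformly from {−1, 0, 1} instead of a discrete Gaussian, unmodified GSW encryption for the initial ciphertexts, 0-based row indexing with the secret key's leading coefficient equal to 1, the decoding helper, and omission of the final NHE.KeySwitch/NHE.ModSwitch step (the output is decoded directly under v). The exact form of (18) and (19) in the paper is not reproduced; the formulas used are the standard GSW and DM ones.

```python
# Added example, not the paper's code; see the lead-in for the assumptions it makes.
import itertools
import numpy as np

rng = np.random.default_rng(2024)

n = 4                       # LWE dimension (toy value, far too small to be secure)
q = 2 ** 20                 # power-of-two modulus, so 2^(ell-2) = q/4 exactly
ell = q.bit_length() - 1    # log2(q): bits per Z_q coefficient
N = (n + 1) * ell           # GSW ciphertext dimension
m = 2 * N                   # LWE samples in the public key
EMAX = 1                    # noise coefficients uniform in {-1, 0, 1} (assumption)
WEIGHTS = np.int64(1) << np.arange(ell, dtype=np.int64)   # (1, 2, ..., 2^(ell-1))

def bit_decomp(a):
    """BD: each Z_q coefficient of a (shape ...xk) -> ell bits, lowest first (...x k*ell)."""
    a = np.asarray(a, dtype=np.int64) % q
    return ((a[..., None] >> np.arange(ell)) & 1).reshape(*a.shape[:-1], -1)

def bit_decomp_inv(b):
    """BD^-1: recombine each block of ell coefficients (bits or not) modulo q."""
    b = np.asarray(b, dtype=np.int64)
    return (b.reshape(*b.shape[:-1], -1, ell) * WEIGHTS).sum(axis=-1) % q

def flatten(b):
    """FL = BD(BD^-1(.)): binary coefficients, same inner product with PT(s) mod q."""
    return bit_decomp(bit_decomp_inv(b))

def powers_of_two(s):
    """PT: (s_1, ..., s_k) -> (s_1, 2 s_1, ..., 2^(ell-1) s_1, ..., 2^(ell-1) s_k) mod q."""
    s = np.asarray(s, dtype=np.int64) % q
    return ((s[..., None] * WEIGHTS) % q).reshape(*s.shape[:-1], -1)

def keygen():
    """GSW keys: s = (1, -t), A = [B t + e || B] so that A s = e (mod q), v = PT(s)."""
    t = rng.integers(0, q, n, dtype=np.int64)
    s = np.concatenate(([1], (-t) % q)).astype(np.int64)
    B = rng.integers(0, q, (m, n), dtype=np.int64)
    e = rng.integers(-EMAX, EMAX + 1, m, dtype=np.int64)
    A = np.concatenate((((B @ t + e) % q)[:, None], B), axis=1)
    return s, powers_of_two(s), A

def gsw_enc(A, mu):
    """GSW.Enc: C = FL(mu * I_N + BD(R A)) with R <- {0,1}^(N x m); then C v = mu v + R e."""
    R = rng.integers(0, 2, (N, m), dtype=np.int64)
    return flatten(mu * np.eye(N, dtype=np.int64) + bit_decomp(R @ A))

def gsw_nand(C1, C2):
    """GSW homomorphic NAND: FL(I_N - C1 C2); rows stay binary, noise grows by <= N*|e2|."""
    return flatten((np.eye(N, dtype=np.int64) - C1 @ C2) % q)

def extract_row(C):
    """Row ell-2: <C[ell-2], v> = mu * q/4 + e, an LWE ciphertext with plaintext space Z_4."""
    return C[ell - 2]

c0 = bit_decomp(np.array([5 * q // 8] + [0] * n))   # <c0, v> = 5q/8 because s_1 = 1

def dm_nand(c1, c2):
    """DM-style NAND by vector additions: phase 5q/8 - (m1 + m2) q/4 - (e1 + e2)."""
    return (c0 - c1 - c2) % q

def decode(c, key, t):
    """Decode <c, key> = mu * q/t + e (mod q); returns (mu, e) with e centred in (-q/2, q/2]."""
    phase = int(np.dot(c, key) % q)
    mu = int(round(phase * t / q)) % t
    e = (phase - mu * (q // t)) % q
    return mu, e - q if e >= q // 2 else e

def depth2_nand(A, v, b1, b2, b3, b4):
    """NAND(NAND(b1,b2), NAND(b3,b4)): matrix NANDs at level 1, one vector NAND at level 2."""
    left = extract_row(gsw_nand(gsw_enc(A, b1), gsw_enc(A, b2)))
    right = extract_row(gsw_nand(gsw_enc(A, b3), gsw_enc(A, b4)))
    return decode(dm_nand(left, right), v, 2)        # output has plaintext space Z_2

def run_truth_table(A, v):
    """Evaluate all 16 inputs; return (all outputs correct?, largest |output noise| seen)."""
    ok, worst = True, 0
    for b1, b2, b3, b4 in itertools.product((0, 1), repeat=4):
        mu, e = depth2_nand(A, v, b1, b2, b3, b4)
        ok = ok and mu == 1 - (1 - b1 * b2) * (1 - b3 * b4)
        worst = max(worst, abs(e))
    return ok, worst

def bd_pt_identity(a, b):
    """<BD(a), PT(b)> = <a, b> (mod q), the property every step above relies on."""
    a, b = np.asarray(a, dtype=np.int64) % q, np.asarray(b, dtype=np.int64) % q
    return int((bit_decomp(a) @ powers_of_two(b)) % q) == int((a @ b) % q)

def flatten_keeps_phase(x, v):
    """<FL(x), v> = <x, v> (mod q) for v = PT(s): flattening does not change the phase."""
    x = np.asarray(x, dtype=np.int64) % q
    return int((flatten(x) @ v) % q) == int((x @ v) % q)

if __name__ == "__main__":
    s, v, A = keygen()
    print("truth table ok, worst |noise|, q/4:", *run_truth_table(A, v), q // 4)
```

With these parameters each extracted row carries noise of at most m·EMAX·(N + 1) = 20200, far below the q/8 = 131072 margin that the Z_4 decoding of the row needs, and the final vector NAND adds the two row noises to the ±q/8 offset, staying below q/4. Increasing N or the noise bound shows the other side of the analysis in Section 5: the GSW level multiplies the noise by up to N, which is why the paper bounds the fresh noise before allowing a second, additive level.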

Security and Communication Networks
Each coefficient of the noise vectors in the above ciphertexts follows a discrete Gaussian distribution with zero mean and standard deviation σ. By the tail property of the discrete Gaussian distribution, the probability that a coefficient lies in the interval [−6σ, 6σ] is p_0, which is very close to 1. The probability that all the noises in C_11, C_12, C_21, C_22 are bounded by B_0 = 6σ is thus p_1 = p_0^4. It can be learned from (18) that the ciphertext C_i satisfies the approximate eigenvector relation of GSW, with a noise term that combines the noises of C_i1 and C_i2. Let the plaintext spaces of c_i (i = 1, 2) and c_NAND be Z_4 and Z_2, respectively, as in DM; the noise in c_NAND is then the sum of the noises of c_1 and c_2 together with the constant offset introduced by c_0. For each ciphertext k_{i,j} in the switching key K_s, we have k_{i,j} = (a_{i,j}, a_{i,j} · s_f + v_{i,j} + e_{i,j}), where a_{i,j} ← Z_q^{n_f}, e_{i,j} ← χ, i = 1, ..., N. Thus the key-switched ciphertext c'_NAND can be expanded in the same form, and its noise is the noise of c_NAND plus the sum of the key-switching noises e_{i,j}. Let c_r denote the error vector brought about by the rounding operation in (21). The noise introduced by modulus switching is determined by c_{r,−(n_f+1)}, the subvector of c_r with its (n_f + 1)-th coefficient removed, and by c_{r,n_f+1}, that (n_f + 1)-th coefficient itself. The noise of c''_NAND is then the sum of these contributions. According to (11), the upper bounds E_1, E_2 on the noises of c_1 and c_2 are both (N + 1)B_0, where B_0 is the bound on the noise of the fresh ciphertexts generated in (17).
All the random noises e_{i,j} (i = 1, ..., N) are drawn from an identical discrete Gaussian distribution, which can be regarded as the corresponding continuous Gaussian distribution with every sample rounded down to the nearest integer. If k real numbers are drawn from a continuous Gaussian distribution with zero mean and standard deviation σ, their sum also follows a Gaussian distribution with zero mean and standard deviation √k · σ. Hence the probability p_2 that the accumulated key-switching noise stays within its bound is at least 1 − δ_1, where δ_1 is a very small positive number.
For vectors a_{i,j} (i = 1, ..., N) independently and uniformly sampled from Z_q^{n_f}, the sum Σ_i a_{i,j} is also uniform over Z_q^{n_f}, and each coefficient of c_{r,−(n_f+1)} is uniform over the set of multiples of r = q_f/q = 2^{ℓ_f − ℓ} in [−1/2, 1/2). The probability that a sum of such coefficients takes a given value can be written in terms of the combination numbers C(n_f, k), k ∈ {0, 1, ..., n_f}, that is, the number of ways of choosing k items out of n_f, and the corresponding cumulative distribution function follows from it. Let p_{3,k} denote the probability that such a sum lies in the interval [n_f/2 − k_1, n_f/2 + k_1], where k_1 is a positive integer; equivalently, for n_f independent real numbers drawn uniformly from [−1/2, 1/2], p_{3,k} is the probability that their sum lies in [−k_1, k_1].
Let p_3 = min{p_{3,k} : k = 0, 1, ..., n_f} be the lowest of these probabilities. p_3 is close to 1 as long as k_1 is sufficiently large, and the absolute value of the above sum can then be considered upper bounded by k_1. When the n_f independent real numbers are rounded up to the nearest element of the discrete set above, an extra error is introduced whose absolute value is upper bounded by n_f · r. As long as r is sufficiently small, this extra error is bounded by δ_2, another very small positive number, and the total rounding error is bounded accordingly. According to the requirement for correct decryption, k_1 must satisfy the constraint in (42). When n_f is sufficiently large, p_3 is still guaranteed to be close to 1 even with k_1 under this constraint. According to (33), the upper bound on the noise magnitude of the ciphertext c''_NAND is B_2; since |e''_NAND| < B_2 ≤ q_f/4, correct decryption is guaranteed. The ciphertext c''_NAND can then be refreshed using the ciphertext refreshing algorithm of DM, and further homomorphic operations can be performed.
Therefore, the correctness of our scheme rests on the three events corresponding to the probabilities p_1, p_2, p_3 all occurring. The error rate of our scheme is ε_{NHE,λ} = 1 − p_1 p_2 p_3.

Security Analysis.
We first give a formal definition of the threat/security model of indistinguishability under chosen plaintext attack (IND-CPA) and then analyze the security of our scheme in this model. The IND-CPA model is defined as the following challenge-guess game between the challenger C and the adversary A: (i) Initialization. The challenger C runs the key generation algorithm to obtain the public and private keys, (pk, sk) ← NHE.KeyGen(λ), and sends the public key pk to the adversary A.
(ii) Challenge. The adversary A selects a pair of plaintexts μ_0, μ_1 and sends them to the challenger. The challenger C picks a random bit b ← {0, 1}, encrypts the plaintext μ_b as c ← NHE.Enc(pk, μ_b), and sends the ciphertext c to the adversary A.
(iii) Guess. On receiving the ciphertext c, the adversary A guesses which plaintext was encrypted and outputs b' ∈ {0, 1}. If b' = b, the adversary A wins the game.
Let A(c) denote the bit output by the adversary on receiving the ciphertext c. The adversary's advantage adv(A) is defined as the difference between the probabilities that the adversary guesses μ_b and μ_{1−b}, as shown in (44). The scheme is IND-CPA secure if, for any polynomial-time adversary A, the advantage is negligible: adv(A) = negl(λ). Generally, the ciphertexts of homomorphic encryption schemes are stored outside local storage, so the storage providers, such as cloud service providers and remote servers, are the direct potential adversaries. Eavesdroppers trying to steal the stored data, and parties colluding with an untrusted storage provider that hand them the stored data, are potential adversaries as well. In our scheme, both the public key and the ciphertexts may be revealed to them, so chosen plaintext attacks (CPA) are the natural threat to consider. The IND-CPA security of our scheme is analyzed as follows.
It can be learned from (17) that, for an initial ciphertext C, BD^{−1}(C) = G + A where G = BD^{−1}(I_N). Since BD^{−1}(C) can be transformed back into C via BitDecomp, C is secure as long as BD^{−1}(C) effectively hides the plaintext μ [19].
The public key A consists of m independent LWE instances (B_i · t + e_i, B_i), i = 1, ..., m, where B_i ← Z_q^n, t ← Z_q^n, e_i ← χ. Suppose a polynomial-time adversary A participates in the challenge-guess game described above. If A achieves a non-negligible advantage in the game, then the LWE problem can be solved with the same advantage. By the LWE assumption, no polynomial-time algorithm solves the LWE problem with non-negligible advantage, so the adversary's advantage adv(A) must be negligible, and our scheme is IND-CPA secure with respect to the initial ciphertexts. A final ciphertext c''_NAND can be regarded as a ciphertext of an LWE-based symmetric encryption scheme with secret key s_f; in this case the challenger in the game keeps the secret key and encrypts with it. Following the above analysis, our scheme is also IND-CPA secure with respect to the final ciphertexts. Therefore, our scheme achieves IND-CPA security under the LWE assumption. Note that this argument covers the encryption and the homomorphic NAND operations only; the ciphertext refreshing step additionally relies on the circular security assumption stated in Section 1, as in DM.

Applicability Analysis.
In general, our scheme supports arbitrary operations on encrypted data, so it is universally applicable to privacy-preserving computations in the real world, such as financial and medical data analysis. The plaintexts underlying each homomorphic NAND operation in our scheme are a pair of bits, the lowest level of data granularity, so the scheme is highly flexible and extensible and can be adapted to various kinds of computation on encrypted data. As the scheme is conceptually simple, it can be easily implemented, deployed, and maintained in real-world applications. Furthermore, its efficiency is relatively high, and the efficient ciphertext refreshing algorithm of DM can be reused in our scheme for efficient computation on encrypted data in real-world applications.

Performance Comparison
In this section, the homomorphic operations of DM, GSW, and our scheme are each performed twice, on a depth-2 binary circuit with NAND gates. We first analyze the computational costs and error rates of the three schemes, and then compare the three schemes on that basis. To avoid name clashes, the parameters of each scheme are local to that scheme and apply only to it.

Computational Cost of DM.
For a pair of fresh ciphertexts, the number of additions needed in the homomorphic NAND operation in (13) is given in (45). It can be learned from DM.Refresh that Incr(ACC, C) is performed n · d_r times, and the operation in Incr(ACC, C) can be simplified to the multiplication between the second row of ACC and the ciphertext C.
This multiplication needs 2 inner products between a pair of 2d-dimensional vectors over R_Q, where d is the number of digits of the Ring-GSW decomposition. The fast Fourier transform (FFT) of the coefficient vector of a polynomial in R_Q of degree at most N can be represented as a vector in C^{N_2}, where N_2 = N/2 + 1. An inner product between two such 2d-dimensional vectors therefore needs 2d · N_2 additions and 2d · N_2 multiplications of complex numbers. Each complex multiplication needs 4 real multiplications and 2 real additions, and each complex addition needs 2 real additions. As a multiplication generally takes longer than an addition, each complex multiplication is counted as at least 6 additions. Therefore, the number of additions needed in Incr(ACC, C) is at least the value in (46). The key switching in the third step of Algorithm 2 needs N · d_s additions of (n + 1)-dimensional vectors, where d_s = ⌈log_{B_s} Q⌉ and B_s is the base used to encode ciphertexts, as described in DM [21]; the total number of additions needed in key switching is given in (47). The number of additions needed in the next homomorphic operation is the same as in (45). Since some other steps are omitted here, the result is a lower bound on the number of needed operations. According to (45) to (47), the number of additions needed in DM is at least the value in (48).
6.2. Computational Cost of Our Scheme.
For a pair of fresh ciphertexts C_1, C_2, only the (ℓ − 2)-th row of the result is extracted afterwards, so the first homomorphic NAND operation in (18) can be simplified as in (49), with the notation of (50). Let a_j denote the number of additions needed in the multiplication between the row vector C^{(n+1):}_{1,ℓ−2} and the j-th column of the submatrix C^{(n+1):}_{2,(n+1):}, j = 1, ..., k, where the superscript (n+1): denotes the coefficients from the (n + 1)-th onward. Since both operands are binary, 1 is added to the intermediate result only when both coefficients being multiplied are nonzero, which happens with probability 1/4; thus a_j follows the binomial distribution B(k, 1/4). Let p_4 denote the probability that a_j ≤ k_2 (with k_2 < k), and let p_5 = p_4^k denote the probability that a_j ≤ k_2 for every j = 1, ..., k. When k_2 is sufficiently large, both p_4 and p_5 are close to 1, and the multiplication between C^{(n+1):}_{1,ℓ−2} and each column of C^{(n+1):}_{2,(n+1):} can be counted as at most k_2 additions.
For the multiplication between the other coefficients in C 1,−2 and C 2 , an upper bound for the number of needed additions can be derived assuming 1 addition for each corresponding coefficient pair: Considering the substraction between I ,−2 and C 1,−2 C 2 , an upper bound for the number of needed additions in the 1st homomorphic NAND operation is obtained: In the following FL(⋅) operation, BD −1 (⋅) is performed followed by a BD(⋅) operation.In BD −1 ( ⋅ ), multiplying a power of 2 is just a shift operation, which generally takes less time than addition.Regarding each shift operation as an addition, an upper bound for the amount of computation can be derived.According to (3), ( + 1)( − 1) shift operations and ( + 1)( − 1) additions are needed in total in the BD −1 ( ⋅ ) operation.In the following BD( ⋅ ) operation, 2 shifts and 1 addition are needed for each bit generated from BD( ⋅ ).The 2 shifts correspond to shifting right then left by 1 bit each, and the addition corresponds to the subtraction between the original data and the data after the 2 shifts.The amount of computation needed for generating each bit in BD( ⋅ ) is upper bounded by 3 additions.Thus the number of additions needed in the flatten operation is upper bounded by the following: According to (19), the number of additions in the 2nd homomorphic NAND operation is And the following FL(⋅) operation again needs at most  NHE,2 additions.According to (20), the number of additions needed in key switching is As   / = 2   − , modulus switching for each coefficient in the vector is just the process of shifting right for  −   bits and then adding 1 or 0 to the lowest bit before the binary point.Thus the amount of computation in modulus switching for each coefficient can be represented as 2 additions.The number of additions needed in modulus switching is Therefore, the number of additions needed in our scheme is upper bounded by (56) 6.3.Computational Cost of GSW.In GSW, as the ciphertext needs to maintain 
the matrix structure in the 2nd homomorphic operation, the 1st homomorphic operation should be performed as matrix operation.The encryption algorithm of GSW is modified as that in our scheme for a better contrast.The computational cost for the multiplication between each row of a matrix and another matrix is shown in (51).And the computational cost of the 2nd homomorphic operation in GSW is omitted here.A lower bound is then obtained for the computational cost of GSW.From (51), it can be learned that the computational cost of GSW is at least According to (58) and the simulation parameters, it can be learned that DM guarantees a security parameter of  = 58.When  changes, the modulus  is kept unchanged, and the dimension  is set as the smallest integer which guarantees a security level  for the ciphertext.The error rate  DM, for each homomorphic operation in DM can be derived according to the standard deviation  of the Gaussian noise in the refreshed ciphertext [21].Specifically,  DM, is the probability that the ciphertext noise magnitude does not exceed /16.For depth-2 binary circuit with NAND gates, the error rate of DM is For our scheme, the final modulus   and dimension   are set to be the same as those in DM.The standard deviation of the Gaussian noise is set to  = 3.The modulus and dimension of the initial ciphertext are set according to (32) and (58).Meanwhile, they are set to be as small as possible for efficient operations.  
is the upper bound for the number of additions needed in the multiplication between C +1: 1,−2 and each column in C +1: 2,+1: , as illustrated in Section 6.2.Here   is set to be as small as possible under the constraints  4 > 1 − 10 −12 ,  5 > 1 − 10 −8 , where  4 ,  5 are the probabilities illustrated in Section 6.2.Thus (51) holds and the computational cost of our scheme is made as low as possible.When the security parameter  changes, the final modulus   is kept unchanged, and the final dimension   is set as the smallest integer which guarantees a security level  for the final ciphertext.In order to lower the error rate of our scheme,  1 ,  2 are set to be as small as possible under the constraints in (35) and (40).Thus  1 is made larger under the constraint (42), which promotes the probability  3 .As discussed in the end of Section 5.1, the error rate of our scheme is For the GSW scheme, the standard deviation of the Gaussian noise is also set as  = 3, as in our scheme.And modulus  and dimension  are set as small as possible under the constraint of correct decryption after 2 homomorphic NAND operations.Meanwhile, the ciphertext should guarantee a security level of .As long as the noise of the initial 4 ciphertexts are upper bounded by  0 = 6, decryption of the final ciphertext would be correct.Therefore, the error rate of GSW is  GSW, = 1 −  1 = 1 −  4 0 (61) 6.4.2.Performance Comparison.Here a group of security parameters are considered, and the other parameters are set according to the configurations discussed above. DM, ,  GSW, ,  NHE, denote the error rates in DM, GSW, and our scheme, respectively, and  DM ,  GSW ,  NHE denote the corresponding computational costs, as shown in previous discussions.The computational costs and error rates of DM, GSW, and our scheme under different security parameters are shown in Table 2.The error rates are obtained from (59)∼(61), and the computational costs are obtained from (48)(56)(57).
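As an added illustration of the shift-and-add cost model used in Section 6.2 (this is not code from the paper, and the paper gives no implementation), the following Python block performs BD(⋅), BD^{−1}(⋅), FL(⋅) = BD(BD^{−1}(⋅)) and power-of-two modulus switching on plain integers while counting shifts and additions. It assumes the GSW/DM convention that the moduli are powers of two, q = 2^k and q' = 2^{k'}, that each ciphertext coefficient is an integer in [0, q), and that a subtraction is counted as one addition; the sample vector and the function names are constructed for the example.

```python
"""Bit decomposition, its inverse, flatten and power-of-two modulus switching
written as plain shift/add operations, with an operation counter.

Added example for the cost analysis in Section 6.2; not the paper's own code.
Assumptions: modulus q = 2^k, target modulus q' = 2^k_new with k_new < k,
and coefficients are integers in [0, q). Subtractions count as additions."""


class OpCounter:
    """Counts shift operations and additions (subtractions count as additions)."""

    def __init__(self):
        self.shifts = 0
        self.adds = 0


def bit_decompose(x, k, ctr):
    """BD: the k bits of x mod 2^k, least significant first.
    Per bit: one shift right (drop the lowest bit), one shift left (restore the
    position) and one subtraction, i.e. the 2 shifts + 1 addition of the text."""
    bits = []
    y = x % (1 << k)
    for _ in range(k):
        y_next = y >> 1                  # shift right by 1 bit
        bits.append(y - (y_next << 1))   # shift left by 1 bit, then subtract
        ctr.shifts += 2
        ctr.adds += 1
        y = y_next
    return bits


def bd_inverse(coeffs, k, ctr):
    """BD^-1: sum_i coeffs[i] * 2^i mod 2^k; each multiplication by 2^i is a shift."""
    acc = 0
    for i, c in enumerate(coeffs):
        acc += c << i
        ctr.shifts += 1
        ctr.adds += 1
    return acc % (1 << k)


def flatten(coeffs, k, ctr):
    """FL = BD(BD^-1(.)): turns a vector with arbitrary integer entries into a
    binary vector with the same BD^-1 value mod 2^k."""
    return bit_decompose(bd_inverse(coeffs, k, ctr), k, ctr)


def modulus_switch(x, k, k_new, ctr):
    """Switch x from modulus 2^k to 2^k_new: shift right by (k - k_new) bits and
    add the dropped top bit (the bit just below the binary point) as rounding."""
    d = k - k_new
    assert d >= 1, "target modulus must be strictly smaller"
    rounding_bit = (x >> (d - 1)) & 1
    ctr.shifts += 2
    ctr.adds += 1
    return ((x >> d) + rounding_bit) % (1 << k_new)


def rounded_reference(x, k, k_new):
    """Reference: round(x * 2^k_new / 2^k) mod 2^k_new, halves rounded up."""
    q, q_new = 1 << k, 1 << k_new
    return ((x * q_new + q // 2) // q) % q_new


def demo(k=8, k_new=5):
    """Flatten a constructed non-binary vector, check that BD^-1 is preserved,
    check modulus switching against the rounding reference for every
    coefficient in [0, 2^k), and report the shift/add counts of the flatten."""
    ctr = OpCounter()
    v = [3, -1, 2, 0, 5, 1, 0, 7]        # constructed vector of length k
    flat = flatten(v, k, ctr)
    same_value = bd_inverse(flat, k, OpCounter()) == bd_inverse(v, k, OpCounter())
    switch_ok = all(
        modulus_switch(x, k, k_new, OpCounter()) == rounded_reference(x, k, k_new)
        for x in range(1 << k)
    )
    return flat, same_value, switch_ok, ctr.shifts, ctr.adds


if __name__ == "__main__":
    print(demo())
```

For k = 8 the flatten costs k shifts and k additions in BD^{−1}(⋅) plus 2k shifts and k additions in BD(⋅), matching the per-bit accounting above; the modulus-switch check confirms that "shift right then add the rounding bit" equals rounding x·q'/q, which is why the text charges it as 2 additions per coefficient.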
From Table 2, it can be learned that the error rates of GSW and our scheme are higher than that of DM. Nevertheless, they can still be considered sufficiently low, as they are lower than 10 −4 . The main reason is that the noise magnitudes in multiple initial ciphertexts are constrained to a fixed range.
Although  0 is very close to 1,  1 =  4 0 is much lower than  0 ; thus  GSW, and  NHE, are both obviously higher than 1 −  0 . In DM,  DM, depends only on the standard deviation of the refreshed ciphertext, which is sufficiently small compared with /16. Thus  DM, is a rather low probability. Moreover,  DM, depends on the error rates of the 3 homomorphic NAND operations, and is only slightly higher than  DM, .
It is also shown in Table 2 that  NHE, <  GSW, for small security parameters, and  NHE, >  GSW, when the security parameter is sufficiently large. This is because  NHE, is affected by  3 , the probability that the absolute value of the sum is no more than  1 . As the security parameter gets larger, the ciphertext dimension also gets higher, while the upper bound  1 is kept unchanged. When more random errors are summed up,  3 decreases by a certain extent, and the decrease of  3 is more significant than that of  1 =  4 0 as  increases. With the increase of the security parameter,  NHE, therefore increases faster than  GSW, .
On the other hand, the overall efficiency of our scheme is significantly higher than that of DM and GSW. Specifically,  NHE is more than 50 percent lower than  DM , and several orders of magnitude lower than  GSW . The main reason is that ciphertext refreshing is removed in our scheme, and the 1st homomorphic operation is simplified to a vector-matrix multiplication. The computational cost is further reduced by exploiting the uniform randomness on {0, 1} of most coefficients. By contrast, the 1st homomorphic operation in GSW is performed as a matrix multiplication, and the ciphertext dimension in GSW is higher than that of the initial ciphertext in our scheme. In DM, ciphertext refreshing introduces a rather high computational cost.

Conclusions
Aiming at the problem of low efficiency caused by overly frequent ciphertext refreshings in DM, we propose a new FHE scheme to achieve a higher efficiency. We utilize ciphertext matrix operations in GSW and ciphertext vector additions in DM to construct our scheme. Furthermore, we combine the advantage of efficient homomorphic operation in DM with the advantage of moderate growth of ciphertext noise magnitude in GSW. Our scheme inherits the conceptual simplicity of DM and GSW and allows 2 homomorphic NAND operations to be performed on ciphertexts before ciphertext refreshing. Results show that, under the same security parameters, the computational cost of our scheme is obviously lower than that in DM and GSW for a depth-2 binary circuit with NAND gates. Thus our scheme is significantly more efficient than DM and GSW. Meanwhile, the error rate of our scheme is kept at a sufficiently low level.
Our work focuses on constructing a simple and efficient FHE scheme based on the DM and GSW schemes. We also analyze its correctness, security, and applicability and present a comparison with the DM and GSW schemes in terms of computational costs and error rates. Our FHE scheme is intended for universal privacy-preserving computations in the real world. However, our work is limited to the theoretical level. A concrete implementation of our scheme is not considered in our work, and the application of our scheme to real-world algorithms needs to be further explored.

Figure 1: Overall algorithm flow of the GSW scheme.

Figure 2: Overall algorithm flow of the DM scheme.

Figure 3: Overall algorithm flow of our scheme.

Table 2: Computational costs and error rates of DM, GSW, and our scheme.