Achieving Message-Encapsulated Leveled FHE for IoT Privacy Protection

The rapid development of the Internet of Things has made the issue of privacy protection even more pressing, and privacy protection has affected the large-scale application of the Internet of Things. Fully Homomorphic Encryption (FHE) is a newly emerging public key encryption scheme which can be used to prevent information leakage. It allows arbitrary algebraic operations to be performed on encrypted data, such that an operation performed on the ciphertexts is directly reflected as the corresponding operation on the plaintexts. At present, the overwhelming majority of FHE schemes are confined to single-bit encryption, whereas how to achieve a multibit FHE scheme is still an open problem. This problem is partially (rather than fully) solved by Hiromasa-Abe-Okamoto (PKC '15), who proposed a packed message FHE scheme which only supports decryption in a bit-by-bit manner. Following that, Li-Ma-Morais-Du (Inscrypt '16) proposed a multibit FHE scheme which can decrypt the ciphertext at one time, but their scheme is based on the dual LWE assumption. Armed with the two schemes mentioned above, in this paper we propose an efficient packed message FHE that supports decryption in two ways: single-bit decryption and one-time decryption.


Introduction
In recent years, the Internet of Things (IoT) has become an attractive system paradigm that drives a substantive leap in goods and services, and it has been widely used in intelligent transportation, intelligent power grids, environmental monitoring and perception, intelligent home appliances, and other fields. It covers everything from traditional equipment to general household equipment, which brings more efficiency and convenience to users. Because much of the data transmitted in the Internet of Things is confidential information or personal privacy information, it usually needs to be encrypted first. With more and more encrypted data stored on servers, it is very common to retrieve and process these data. Although there are some algorithms for retrieving encrypted data, they are only suitable for small-scale data, and their cost is too high. The encrypted data retrieval method based on Fully Homomorphic Encryption (FHE) can solve this problem. By retrieving the encrypted data directly, it not only ensures that the retrieved data cannot be analyzed, but also carries out homomorphic operations on the retrieved data without changing the order of the corresponding plaintexts. It thus protects the user's data security and also improves retrieval efficiency. Since Gentry's first construction in 2009, the construction and optimization of Fully Homomorphic Encryption schemes have received special attention from researchers. However, most of the existing Fully Homomorphic Encryption schemes only allow computation on a single bit, and their efficiency is not satisfactory. Although a cascading (or simple combination) approach can be used to implement message-encapsulated computation, the performance of such a simple message-encapsulated FHE is not ideal.
In application scenarios, it is often necessary to compute on data of multiple bits at a time, and thus constructing an efficient message-encapsulation Fully Homomorphic Encryption becomes an urgent requirement. At present, research in this area has made initial progress [1,2], which has increased the efficiency of FHE to a certain extent, but overall its efficiency still needs to be improved. Specifically, the following are considered: (1) Brakerski's scheme [1] is built on the Brakerski [3] scheme and is a typical representative of the second generation of FHE. But the latter scheme needs to implement homomorphic computation by means of an evaluation key, which increases the computational cost. (2) Hiromasa-Abe-Okamoto (HAO) [2] is based on the GSW [4] scheme and is a typical representative of the third generation of FHE. HAO constructs a message-encapsulation FHE scheme in the form of encapsulated messages, but it cannot implement one-time decryption and only decrypts the ciphertext bit-by-bit, so the scheme is still very inefficient.
An important question arises: Besides those mentioned above, is it possible to design an efficient method to decrypt the ciphertext of the message-encapsulation GSW-FHE scheme at one time?
Li et al. [5] used dual Regev [6] to construct a public key with multiple instances of the short integer solution (SIS) problem. Inspired by this work, we construct public keys with multiple instances of LWE (Learning With Errors), and thereby obtain a message-encapsulation FHE scheme that can be decrypted at one time.

Our Contribution.
Firstly, the public key of the message-encapsulation Fully Homomorphic Encryption scheme of Hiromasa et al. [2] is as follows: Among them are the secret matrix $\mathbf{T}\leftarrow\mathbb{Z}_q^{n\times t}$ and the noise matrix $\mathbf{E}\leftarrow\chi^{m\times t}$. Then, the plaintext message is encapsulated in a matrix, and the public key of the above form is used to encrypt the message. However, the resulting ciphertext matrix cannot recover all the plaintext bits at one time, but can only be decrypted bit-by-bit.
Secondly, we notice that the public key matrix of the message-encapsulated fully homomorphic encryption scheme constructed by Li et al. [5] is as follows: Among them, $\mathbf{e}_1, \ldots, \mathbf{A}\cdot\mathbf{e}_t \leftarrow \chi^{n\times 1}$. Although Li et al.'s scheme [5] supports bit-by-bit encryption and one-time decryption, the scheme relies on the short integer solution (SIS) assumption (see the detailed analysis in [7]), and its parameter size depends on $m$ ($m \ge n\log q$), which makes the evaluation key and the ciphertext too large.
Based on the above observations, in this paper we first construct a public key matrix with multiple LWE instances. This differs from the typical FHE schemes [3,4,8] and the follow-up works [9,10,11,12,13], whose public key matrix contains only one LWE instance. Then, using the new public key, we construct a message-encapsulation GSW-class FHE scheme (MFHE). We give an overview of the scheme in the following:
(1) Firstly, we use a new public key matrix with multiple LWE instances as follows: (3) This is significantly different from existing message-encapsulation PKE schemes (for example, [14,15]) and message-encapsulation FHE schemes (for example, [1,2]), and it is also the fundamental difference between other schemes and the FHE scheme constructed in this paper. The private keys corresponding to the public key $[\mathbf{b}_1, \ldots, \mathbf{b}_t] \mid \mathbf{A}$ are shaped as follows:
(2) Next, we use the public key matrix $\mathbf{A}'$ we constructed to encrypt multibit messages. The difference is that we use the message-encapsulation method of Li et al. [5] and Hiromasa et al. [2] to embed multibit messages into the plaintext of a diagonal matrix. That is, while constructing a private key matrix from the private keys, $\mathbf{E}$ ($n\times n$) is the identity matrix, and we obtain
Finally, using the matrix $\mathbf{W} := [\mathrm{diag}(\lceil q/2\rceil, \ldots, \lceil q/2\rceil) \mid \mathbf{0}]$ we constructed, computing $\mathbf{S}\mathbf{M}\cdot\mathbf{G}\mathbf{G}^{-1}(\mathbf{W})$ directly recovers the message vector $(m_1, \ldots, m_t)$. See Section 4 for a detailed analysis.

Organization and Structure of the Paper.
The rest of this paper is organized as follows. In Section 2, the definitions and symbols used in this paper are introduced. In Section 3, we review the scheme of Gentry, Sahai, and Waters. In Section 4, we introduce the message-encapsulation FHE (MFHE) scheme we constructed. Finally, we give a summary of the full paper in Section 5.

Preliminaries
In this section, we give the preparatory knowledge needed, including definitions and lemmas.

Symbols.
For $n \in \mathbb{N}$, we use $[n]$ to represent the set $\{1, \ldots, n\}$. For a real number $x \in \mathbb{R}$, we use $\lfloor x\rfloor$ to represent the largest integer not greater than $x$, and $\lfloor x\rceil := \lfloor x + 1/2\rfloor$ to represent the nearest integer to $x$. We represent vectors in bold lowercase letters, for example $\mathbf{x}$, and matrices in bold uppercase letters, for example $\mathbf{A}$. In addition, we use $\mathbf{A}_{i,j}$ to denote the entry of $\mathbf{A}$ in row $i$ and column $j$. We use ":=" to indicate assignment. It is worth noting that we use the notions of computational indistinguishability and statistical indistinguishability, denoted by $\approx_c$ and $\approx_s$. In addition, we define $\|\mathbf{v}\|_\infty = \max\{|v_1|, \ldots, |v_n|\}$ and $\|\mathbf{R}\| = \max_i \|\mathbf{r}_i\|$. For convenience, we use $\|\mathbf{v}\|$ to represent its $\ell_2$ norm.
We need to use the following variant of the Left-over Hash Lemma (LHL) [16].
Select a uniformly random matrix $\mathbf{A} \leftarrow_R \mathbb{Z}_q^{m\times n}$; then the statistical distance between the distributions $(\mathbf{A}, \mathbf{A}^T\mathbf{r})$ and $(\mathbf{A}, \mathbf{y})$ is as follows:

Learning with Errors (LWEs).
LWE is the main computational assumption on which these cryptosystems and our variants rely.
Definition 1 (LWE Distribution). For security parameter $\lambda$, let $n = n(\lambda)$ and $m = m(\lambda)$ be integers, let $\chi = \chi(\lambda)$ be an error distribution over $\mathbb{Z}$ bounded by $B = B(\lambda)$, and let $q = q(\lambda) \ge 2$ be an integer modulus such that, for a polynomial $p = p(\lambda)$, $q \ge 2p\cdot B$. Then, for a vector $\mathbf{s} \in \mathbb{Z}_q^{n\times 1}$ called the secret, the LWE distribution $A_{\mathbf{s},\chi}$ over $\mathbb{Z}_q^{n}\times\mathbb{Z}_q$ is sampled by choosing $\mathbf{A}$ uniformly at random, choosing $\mathbf{e}\leftarrow\chi^{m\times 1}$, and outputting $(\mathbf{A}, \mathbf{b} = \mathbf{A}\cdot\mathbf{s} + \mathbf{e} \pmod q)$.
There are two kinds of LWE assumption: search-LWE and decision-LWE. Decision-LWE is defined as follows. Definition 2 (Decision-LWE$_{n,q,\chi,m}$). Assume an independently selected $(\mathbf{A}, \mathbf{b}) \in \mathbb{Z}_q^{m\times n}\times\mathbb{Z}_q^{m\times 1}$, chosen according to one of the following distributions: (1) from $A_{\mathbf{s},\chi}$ for a uniformly random $\mathbf{s} \in \mathbb{Z}_q^{n}$. The two distributions mentioned above are computationally indistinguishable. [6,17,18,19] establish the reduction from the approximate shortest vector problem (for appropriate parameters) to the LWE assumption. We omit the lemmas stating these results; see [6,17,18,19] for details.

Discrete Gaussian.
In our construction, we need to analyze the behavior of the error elements drawn from the Gaussian distribution.
For the analysis of our scheme, a vector drawn from the Gaussian distribution needs to have a certain bound on its norm.

Leveled Fully Homomorphic Encryption.
In public-key cryptography, the encryptor holds a public key and encrypts the message so that the holder of the corresponding private key can recover the original plaintext message.
Definition 4 (See [21]). Let a fixed function $L = L(\lambda)$ be the level of the Fully Homomorphic Encryption. For a class of circuits $\{\mathcal{C}_\lambda\}_{\lambda\in\mathbb{N}}$, an $L$-FHE scheme consists of four Probabilistic Polynomial Time (PPT) algorithms (KeyGen, Enc, Dec, Eval), as follows.
The key generation algorithm KeyGen is a randomized algorithm that takes as input the security parameter $1^\lambda$ and outputs a public key $pk$ and a private key $sk$.
The encryption algorithm Enc is a randomized algorithm that takes as input a public key $pk$ and a message $m \in \{0,1\}^*$ and outputs a ciphertext $c$.
The decryption algorithm Dec is a deterministic algorithm that takes as input the private key $sk$ and a ciphertext and outputs the decrypted message $m \in \{0,1\}^*$.
The homomorphic evaluation algorithm Eval takes as input a public key $pk$, a circuit $C \in \mathcal{C}_\lambda$, and a sequence of ciphertexts $c_1, \ldots, c_{\ell(\lambda)}$, where $\ell(\lambda)$ is a polynomial in $\lambda$, and outputs the evaluated ciphertext $c^\star$.
The correctness requirement is as follows: for arbitrary $\lambda$, $m \in \{0,1\}^*$, and $(pk, sk)$ output by KeyGen$(1^\lambda)$, we have $m = \mathrm{Dec}(sk, \mathrm{Enc}(pk, m))$.
Definition 5 (CPA Security [21]). An FHE scheme is indistinguishable under chosen-plaintext attack (IND-CPA) if, for any PPT adversary $\mathcal{A}$, the following probabilities are negligible: Among them, $(pk, sk)\leftarrow\mathrm{KeyGen}(1^\lambda)$, and $m_0, m_1$ are chosen arbitrarily from the plaintext space by the adversary. The security definition of the message-encapsulation GSW (MFHE) is the same as that of GSW for a single bit, because in the public-key setting the security of single-message encryption implies the security of multiple-message encryption. See Section 11 of [22] for more details.
Definition 6 (Compactness [21]). For a class of circuits $\{\mathcal{C}_k\}_{k\in\mathbb{N}}$, if there is a polynomial $\alpha = \alpha(\lambda)$ such that the length of the output ciphertext of Eval is at most $\alpha$, then the $L$-Fully Homomorphic Encryption is compact (and it is nontrivial if, for all $\lambda$ and some $C \in \mathcal{C}_\lambda$, we have $\alpha(\lambda) \le |C|$).

Basic Tools.
Let us review some of the basic tools proposed by Brakerski and Vaikuntanathan [23] and Gentry et al. [4]. We fix $q, m \in \mathbb{N}$. Let $l = \lfloor\log(q)\rfloor + 1$, so that $2^{l-1} \le q < 2^l$, and let $N = m\cdot l$.
Definition 7 (See [24,25]). The algorithm BitComp takes as input a vector $\mathbf{v} \in \mathbb{Z}_q^{m}$ and outputs an $N$-dimensional vector
Definition 8 (See [24,25]). The algorithm takes as input a vector Note that the input vector $\mathbf{v}$ need not be binary, and the algorithm is already defined for any input vector in $\mathbb{Z}^N$.
Definition 9 (See [24,25]). The algorithm Flatten takes as input a vector $\mathbf{v} \in \mathbb{Z}_q^{N}$ and outputs an $N$-dimensional binary vector (i.e., an element of $\{0,1\}^N$) defined as
Definition 10 (See [24,25]). The algorithm PowersOfTwo takes as input an $m$-dimensional vector $\mathbf{v} \in \mathbb{Z}_q^{m}$ and outputs an $N$-dimensional vector in $\mathbb{Z}_q^{N}$. The output is as follows:
Lemma 3 (See [26]). For any $N \ge m\log q$, there is a fixed, efficiently computable matrix $\mathbf{G} \in \mathbb{Z}_q^{m\times N}$ and an efficiently computable deterministic "short preimage" function $\mathbf{G}^{-1}(\cdot)$ that satisfy the following conditions. For arbitrary $m'$, on input a matrix $\mathbf{M} \in \mathbb{Z}_q^{m\times m'}$, the inverse function
Note 2. In fact, we can also express the above definitions and results in the language of $\mathbf{G}$ and $\mathbf{G}^{-1}$. Micciancio and Peikert's [26] matrix $\mathbf{G}$ can be expressed as For $\mathbf{a} \in \mathbb{Z}_q^{m}$, the algorithm BitDecomp($\mathbf{a}$) is renamed $\mathbf{G}^{-1}(\mathbf{a})$.

Gentry-Sahai-Waters (GSW) Scheme
Before presenting our work, we first review the GSW scheme and then summarize the security of the scheme of Gentry et al. [4].
We review the algorithms which make up the GSW scheme [4]. These algorithms were originally defined in terms of the functions BitDecomp, BitDecomp$^{-1}$, and Flatten, but following the ideas borrowed from [19,27], this paper defines them using the gadget matrix $\mathbf{G}$. Let $\lambda$ be the security parameter and $L$ the number of levels of homomorphic evaluation.
Obviously, we observe the following. (4) Output $sk \leftarrow \mathbf{s}$ and $pk \leftarrow \mathbf{A}$.
Note 3. Note that, in [19], the decryption algorithm selects a suitable vector $\mathbf{w}$ and computes $\mathbf{s}\mathbf{C}\mathbf{G}^{-1}(\mathbf{w}^T)$. It is much less efficient than the original one (in both computation time and the size of the error term). So, we use the GSW decryption algorithm in our scheme.
When $q$ is a power of 2, there is also a variant with messages in $\mathbb{Z}_q$. See [4] for more details.

Security.
A brief proof of the following theorem is given in [4]. Theorem 1. Let $(n, q, \chi)$ be public parameters such that the LWE$_{(n,q,\chi)}$ assumption holds, and let $m = O(n\log(q))$. Then the GSW scheme is IND-CPA secure. The most important step of the proof is to show that $(\mathbf{A}, \mathbf{R}\mathbf{A})$ and the uniform distribution are computationally indistinguishable.

Note 4.
The correctness of the GSW scheme is obtained by analyzing the magnitude of the noise during encryption, decryption, and homomorphic evaluation. As long as the maximum noise throughout these steps stays below 1/4, decryption remains correct. This analysis is not the focus of this paper, so it is not repeated here. See [4] for more details.

Message-Encapsulation FHE (MFHE Scheme)
Now, we introduce our MFHE scheme: a message-encapsulation public-key encryption scheme based on the hardness of the LWE assumption. Given the security parameter $\lambda$, we set $t$ to be the number of private keys, and the scheme can then encrypt $t$-bit messages at one time.

Mobile Information Systems 5
(2) Select a uniform matrix $\mathbf{B}\leftarrow\mathbb{Z}_q^{m\times n}$ and $t$ vectors $\mathbf{e}_i \leftarrow \chi^{m\times 1}$, $i \in [t]$; then compute $\mathbf{b}_i = \mathbf{B}\cdot\mathbf{t}_i + \mathbf{e}_i \pmod q$ and output $pk = \mathbf{P} = [\mathbf{b}_1 \mid \cdots \mid \mathbf{b}_t \mid \mathbf{B}] \in \mathbb{Z}_q^{m\times(n+t)}$, (24) where the size of $pk$ is $O(nm\cdot\log_2 q)$. In addition, we observe that $\mathbf{P}\cdot\mathbf{s}_i = \mathbf{e}_i \pmod q$.

$\mathbf{C}\leftarrow$ MFHE.Enc(params, $pk$, $\mathbf{M}$):
(1) To encrypt $t$ bits $\mu_i \in \{0,1\}$, embed the $t$ bits into Later, for simplicity, $\mu_{i,j}$ will be abbreviated as $\mu_i$, and the message matrix is constructed using a plaintext matrix $\mathbf{U}$,
where $\mathbf{U}$ is a random diagonal matrix, and note that $\mathbf{E}$ is an $(n\times n)$-dimensional matrix.
(2) Then, select a uniform matrix $\mathbf{R}\leftarrow\{0,1\}^{m\times N}$. Compute and output the ciphertext:
Now, we propose a decryption algorithm for the MFHE scheme which allows us to recover all the message bits at one time. $\mathbf{U}\leftarrow$ MFHE.Dec(params, $pk$, $\mathbf{C}$):
(1) First, assume that the user has a private key matrix $\mathbf{S} = (\mathbf{s}_1, \ldots, \mathbf{s}_t) \in \mathbb{Z}_q^{(n+t)\times t}$ as follows: What needs to be noted here is Therefore, it is easy to obtain the bound $\|\mathbf{P}\cdot\mathbf{S}\| \le t|e|$.
(32) Therefore, the homomorphic addition and multiplication are as follows: Here, we can compute a homomorphic NAND gate from the output.
Note 5. In general, we can choose different private keys $sk_i$ to decrypt column $j$ of the ciphertext, $\mathbf{C}_j$, bit-by-bit and obtain the $i$-th bit of $\mathbf{C}_j$; that is, under the $i$-th private key we obtain the bit in row $i$ and column $j$. However, it is actually possible to recover the entire message using the private key matrix $\mathbf{S}$ with the decryption algorithm above. We compute $\mathbf{V} = (V_{i,j}) = \mathbf{S}^T\mathbf{C}\cdot\mathbf{G}^{-1}(\mathbf{W}^T)$ as follows: The magnitude of the noise is easily computed and verified to grow only linearly compared with the single-bit decryption algorithm.
$\mu_{i,j}\leftarrow$ MFHE.bitDec(params, $sk_i$, $\mathbf{C}$, $\mathbf{w}_j$):
(1) Suppose we want to decrypt the bit $\mu_{i,j}$ in row $i$ and column $j$. Let $sk_i = \mathbf{s}_i :=$ , and define a vector whose position is and whose other positions are 0,
(2) For $i, j \le t$, compute The inner product $\langle\mathbf{s}_i, \mathbf{C}\rangle$ equals
(3) Output the message bit $\mu_{i,j} = \lfloor V_{i,j}/(q/2)\rceil \in \{0,1\}$, where $\lfloor\cdot\rceil$ denotes rounding to the nearest integer; therefore the value belongs to $\{0,1\}$.
(4) Finally, by repeating this $t^2$ times, the entire message can be recovered. The bitDec algorithm here is similar to the algorithm in [2], which recovers each element separately. Note 6. It should be noted that, due to the structure of the public key in our scheme, exact decryption is achieved by dynamically adjusting the position of $\lceil q/2\rceil$ in the vector $\mathbf{w}$. That is, taking the dot product of $\mathbf{s}_i^T\mathbf{C}$ and $\mathbf{G}^{-1}(\mathbf{w}_j)$ yields the bit in the corresponding row and column of the plaintext matrix.
We can obtain all the bits of the message by using the bitDec decryption algorithm with the appropriate private key.
Note 7. It can be seen that our message-encapsulation GSW scheme supports $t\times t$-bit homomorphic addition. However, since the $(i,j)$ entry of $\mathbf{U}_1\times\mathbf{U}_2$ is not the product $\mu^1_{i,j}\times\mu^2_{i,j}$, only $t$-bit homomorphic multiplication is supported.
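The following is an added, runnable toy illustration (not the paper's code) of the multi-LWE public key $\mathbf{P} = [\mathbf{b}_1 \mid \cdots \mid \mathbf{b}_t \mid \mathbf{B}]$ with $\mathbf{P}\mathbf{s}_i = \mathbf{e}_i$, the one-time decryption $\mathbf{S}^T\mathbf{C}\mathbf{G}^{-1}(\mathbf{W}^T)$, the flexible bitDec with $\mathbf{w}_j$, and the addition/multiplication behaviour of Note 7. It assumes a HAO-style message embedding $\mathbf{M}_U = [[\mathbf{U}\mathbf{S}^T],[\mathbf{0}]]$ assembled from unit-matrix ciphertexts published in the public key, a toy $\{-1,0,1\}$ error in place of a discrete Gaussian, tiny insecure parameters, and numpy.

```python
# Toy message-packed GSW (MFHE-style) with the multi-LWE public key P = [b_1|...|b_t|B].
# Added example, not the paper's code. Assumptions: tiny insecure parameters, uniform
# {-1,0,1} errors instead of a discrete Gaussian, and a HAO-style message embedding
# M_U = [[U S^T],[0]] assembled from unit-matrix ciphertexts carried in the public key.
import numpy as np

n, t, m, q = 8, 4, 32, 2 ** 20   # lattice dim, packed bits per row, LWE samples, modulus
l = q.bit_length() - 1           # q = 2^l, so every Z_q entry has l bits
N = (n + t) * l                  # gadget width
G = np.kron(np.eye(n + t, dtype=np.int64), 2 ** np.arange(l, dtype=np.int64))
rng = np.random.default_rng(2024)

def g_inv(X):
    """Bit decomposition: binary N x k matrix with G @ g_inv(X) == X (mod q)."""
    X = np.mod(np.asarray(X, dtype=np.int64), q)
    out = np.zeros((N, X.shape[1]), dtype=np.int64)
    for r in range(n + t):
        for b in range(l):
            out[r * l + b] = (X[r] >> b) & 1
    return out

def keygen():
    """pk = [b_1|...|b_t|B] with b_i = B t_i + e_i; s_i = (unit_i, -t_i) so P s_i = e_i (mod q).
    The public key also carries encryptions of the t*t unit-matrix embeddings so that
    Enc can assemble M_U = [[U S^T],[0]] without knowing S (HAO-style, an assumption)."""
    B = rng.integers(0, q, size=(m, n), dtype=np.int64)
    T = rng.integers(0, q, size=(n, t), dtype=np.int64)      # secret vectors t_i as columns
    E = rng.integers(-1, 2, size=(m, t), dtype=np.int64)     # toy small errors e_i as columns
    P = np.concatenate([np.mod(B @ T + E, q), B], axis=1)    # m x (n+t)
    S = np.concatenate([np.eye(t, dtype=np.int64), np.mod(-T, q)], axis=0)  # (n+t) x t
    unit_cts = {}
    for i in range(t):
        for j in range(t):
            M = np.zeros((n + t, n + t), dtype=np.int64)
            M[i] = S.T[j]                                    # row i of U_ij S^T is row j of S^T
            R = rng.integers(0, 2, size=(m, N), dtype=np.int64)
            unit_cts[(i, j)] = np.mod(M @ G + P.T @ R, q)
    return (P, unit_cts), S

def encrypt(pk, U):
    """C = M_U G + P^T R, assembled from the public unit-matrix ciphertexts plus a fresh zero."""
    P, unit_cts = pk
    U = np.asarray(U, dtype=np.int64)
    R = rng.integers(0, 2, size=(m, N), dtype=np.int64)
    C = np.mod(P.T @ R, q)
    for i in range(t):
        for j in range(t):
            if U[i, j]:
                C = np.mod(C + unit_cts[(i, j)], q)
    return C

def decrypt_all(S, C):
    """One-time decryption: S^T C G^{-1}(W^T) with W = [diag(q/2)|0] equals (q/2) U + noise."""
    W = np.zeros((t, n + t), dtype=np.int64)
    W[:, :t] = (q // 2) * np.eye(t, dtype=np.int64)
    V = np.mod(np.mod(S.T @ C, q) @ g_inv(W.T), q)
    return ((V > q // 4) & (V < 3 * q // 4)).astype(int).tolist()  # nearest multiple of q/2

def bit_dec(S, C, i, j):
    """Flexible single-bit decryption: s_i^T C G^{-1}(w_j) with w_j holding q/2 at position j."""
    w = np.zeros((n + t, 1), dtype=np.int64)
    w[j, 0] = q // 2
    v = int(np.mod(np.mod(S[:, i] @ C, q) @ g_inv(w), q)[0])
    return int(q // 4 < v < 3 * q // 4)

def add(C1, C2):
    """Homomorphic addition: S^T (C1 + C2) = (U1 + U2) S^T G + noise, all t x t bits."""
    return np.mod(C1 + C2, q)

def mult(C1, C2):
    """Homomorphic multiplication C1 G^{-1}(C2): S^T C1 G^{-1}(C2) = U1 U2 S^T G + noise.
    U1 U2 is a matrix product, so only diagonal (t-bit) messages multiply bitwise (Note 7)."""
    return np.mod(C1 @ g_inv(C2), q)
```

With these parameters the worst-case decryption noise stays far below $q/4$, so decrypt_all and bit_dec agree with the embedded bits for any choice of the seed.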

Correctness Analysis.
Next, we analyze the correctness of the MFHE scheme.
Definition 11. Let $\mathbf{U} \in \mathbb{Z}_q^{t\times t}$ be the message matrix obtained by decrypting the ciphertext under $t$ different private keys $\mathbf{s}_i$, $i \in [t]$ (see (2)). The noise of a single-bit message is as follows: For the flexible single-bit decryption algorithm bitDec, we denote the noise vector by $\mathrm{noise} \in \mathbb{Z}_q^{1\times N}$. For simplicity, we abbreviate $\mathrm{noise}_{(\mathbf{s}_i,\mathbf{M})}(\mathbf{C})$ to $\mathrm{noise}_{\mathbf{s}_i}$ when $\mathbf{M}$ and $\mathbf{C}$ are clear from the context.
Note that, in our setting, due to the structure of the new public key, $\mathrm{noise}_{\mathbf{s}_i}$ is the noise of row $i$ of the plaintext matrix $\mathbf{U}$, not a single-bit noise.

Lemma 4. Obviously, using Definition 4.1, for convenience, for a decryption algorithm Dec, if the noise satisfies
where $\mathbf{S} = [\mathbf{s}_1, \ldots, \mathbf{s}_t]$ is a one-time private key matrix, we can represent the entire noise matrix as For convenience, we abbreviate $\mathrm{Noise}_{(\mathbf{S},\mathbf{M})}(\mathbf{C})$ as $\mathrm{Noise}_{\mathbf{S}}$ when $\mathbf{M}$ and $\mathbf{C}$ are clear from the context.
In order to analyze the correctness, we first define the following notion of a noisy ciphertext.
Definition 12 ($E$-Noise Ciphertext). A ciphertext matrix $\mathbf{C} \in \mathbb{Z}_q^{(m+1)\times N}$ is an $E$-noise ciphertext if, under a private key $\mathbf{s}_i$ for the corresponding message $\mathbf{M}$, $\langle\mathbf{s}_i, \mathbf{C}\rangle = \mathbf{s}_i^T\cdot\mathbf{M}\cdot\mathbf{G} + \mathbf{e}_i^T\cdot\mathbf{R}$. Then, let the norm of $\mathrm{noise}_{\mathbf{s}_i}$ be In the following, we analyze the correctness of decryption.

Lemma 7. Let $\mathbf{C}$ be an $E$-noise encryption of $\mathbf{M}$. If we can recover $\mu_{i,j}$ (an entry of $\mathbf{U}$) from the ciphertext $\mathbf{C}$ under the private key $\mathbf{s}_i$, then there is so that where Proof. This proof follows directly from Lemma 4.2 and Lemma 4.7. Now, we know that as long as $\|\mathrm{Noise}_{\mathbf{S}}\cdot\mathbf{G}^{-1}(\mathbf{W}^T)\|_\infty \le q/8$, decryption runs correctly, i.e., $E < q/(4tN)$. Therefore, we call the value $E = q/(4tN)$ the noise bound. The analysis of the homomorphic operations is given in the following. Before introducing the noise bound, the following note is given. □
Note 8. For readability, let $\Upsilon_{\mathbf{C}_1} := \mathrm{Noise}_{(\mathbf{S},\mathbf{M}_1)}(\mathbf{C}_1)$ and $\Upsilon_{\mathbf{C}_2} := \mathrm{Noise}_{(\mathbf{S},\mathbf{M}_2)}(\mathbf{C}_2)$.
Lemma 9 (See [8]). The noise bounds of homomorphic addition, homomorphic multiplication, and homomorphic negation are as follows:
Addition: for $\mathbf{M}_1, \mathbf{M}_2$, the following condition is met: Multiplication: for $\mathbf{M}_1, \mathbf{M}_2$, the following condition is met: NAND: for $\mathbf{M}$, the following condition is met:
Proof. Let $\mathbf{S} \in \mathbb{Z}^{(n+t)\times t}$ be a private key matrix. Let $\mathbf{C}_1, \mathbf{C}_2 \in \mathbb{Z}_q^{(m+1)\times N}$ be the ciphertexts of the messages $\mathbf{M}_1, \mathbf{M}_2 \in \{0,1\}^{(n+t)\times(n+t)}$, respectively. Then:
Homomorphic addition, that is, adding ciphertext to ciphertext, $\mathbf{C}_{\mathrm{Add}} = \mathbf{C}_1 + \mathbf{C}_2 \pmod q$, so that where $\mathbf{M}_{\mathrm{Add}} = \mathbf{M}_1 + \mathbf{M}_2$ and the noise is Obviously, the noise is $t\cdot(E_1 + E_2)$.
Homomorphic multiplication, that is, multiplying ciphertext by ciphertext: Then, we have $\langle\mathbf{S}, \mathbf{C}_{\mathrm{Mult}}\rangle$, which equals For convenience, we first set the noise to Obviously, according to Lemma 4.2, there is and $\mathbf{C}_2$ is an $(n+t)\times N$ binary matrix ($\mathbf{G}^{-1} \in \mathbb{Z}_q^{N\times(n+t)}$). Therefore, in this case, exists. Also note that In this case, we can easily obtain the bound In other words,
NAND gate: the same reasoning holds for the NAND gate, and the output matrix product is
Consider a Boolean circuit of depth $L$ built from NAND gates. It takes fresh ciphertexts, that is, $E$-noise ciphertexts, as input; the noise is multiplied by a factor of at most $(Nt + \sqrt{t})$ at each level, that is, the norm of the error element grows by a factor of at most $(Nt + \sqrt{t})$. Therefore, the error norm of the final ciphertext is bounded as To ensure correct decryption, $E_{\mathrm{final}} \le \lceil q/2\rceil/4$ must hold; that is, the inequality $(Nt + \sqrt{t})^L\cdot E \le \lceil q/2\rceil/4$ must hold, which is guaranteed by the parameters we choose. This completes the proof.
In the following, we use Theorem 4.1 to prove that the message-encapsulation GSW scheme based on the LWE assumption is IND-CPA secure and that the scheme is indistinguishable from the original GSW scheme [4].

Theorem 2. Let $m > n \in \mathbb{N}$, $q \in \mathbb{N}$, and let $\chi$ be a discrete Gaussian distribution over $\mathbb{Z}$ such that the $(n, q, \chi, m)$-LWE problem is hard. Let $t$ be an integer with $t = O(\log(n))$. Define two distributions $X$ and $Y$ as follows: $X$ is the distribution of the $m\times(t+n)$ matrix $[\mathbf{b}_1 \mid \cdots \mid \mathbf{b}_t \mid \mathbf{B}]$, where $\mathbf{B} \in \mathbb{Z}_q^{m\times n}$ is chosen uniformly and, for all $1 \le i \le t$, $\mathbf{b}_i = \mathbf{B}\mathbf{t}_i + \mathbf{e}_i \pmod q$ with $\mathbf{t}_i$ chosen uniformly from $\mathbb{Z}_q^{n}$ and $\mathbf{e}_i$ drawn from the discrete Gaussian distribution $\chi$. $Y$ is the uniform distribution on $\mathbb{Z}_q^{m\times(t+n)}$. Then the distributions $X$ and $Y$ are computationally indistinguishable.
Theorem 3. Let params $= (n, q, \chi, m, t)$ be such that the LWE$_{n,q,\chi,m}$ assumption holds and $m = O(n\log q)$. Then the MFHE scheme is IND-CPA secure.
Proof. The security proof has two steps. First, we use Theorem 4.11 to show that, under the LWE assumption, the matrix $\mathbf{P} = [\mathbf{b}_1, \ldots, \mathbf{b}_t, \mathbf{B}] \in \mathbb{Z}_q^{m\times(n+t)}$ and a uniformly random matrix are computationally indistinguishable. Then, using the Left-over Hash Lemma, the ciphertext $\mathbf{C} = \mathbf{M}\mathbf{G} + \mathbf{P}^T\mathbf{R}$ can be replaced by a uniformly random value $\mathbf{C}'$, that is, $\mathbf{P}^T\cdot\mathbf{R}$ is indistinguishable from the uniform distribution. This completes the proof sketch. See [4] for more details.

Conclusions
In this paper, we construct an efficient message-encapsulation FHE scheme. The scheme can achieve decryption at one time and can also flexibly decrypt bit-by-bit. In Table 1, we give a comparison of the parameters of this scheme with the existing schemes. It can be seen from the comparison that, compared with the previous ones, the scheme essentially keeps the key length, is based on more conventional assumptions, and meanwhile reduces the ciphertext length to some extent. This scheme takes fully homomorphic encryption a big step from theoretical research toward large-scale application. It is conducive to greatly improving the efficiency of encrypted data processing (such as retrieval and computation) in the Internet of Things, saving the energy consumption of nodes in the Internet of Things, and ensuring that the data cannot be statistically analyzed, which offers better application prospects [29,30,31].
In addition, there are many interesting open issues that may be resolved in the future. For example, our approach has reference value for enhancing big data security and for constructing a message-encapsulated oblivious transfer protocol, but it also faces certain challenges.

Data Availability
No data were used in this study.

Conflicts of Interest
The authors declare no conflicts of interest.