An Effective NTRU-Based Fully Homomorphic Encryption Scheme

Fully homomorphic encryption (FHE) supports arbitrary computations on ciphertexts without decryption to protect users’ privacy. However, currently, there are still some shortcomings in research studies on FHE. For example, the NTRU-based FHE scheme constructed using the approximate eigenvector method requires complex matrix multiplications, and the power-of-two cyclotomic ring cannot prevent subfield attacks. To address these problems, this paper proposed an NTRU-based FHE scheme constructed based on the power-of-prime cyclotomic ring and made the following improvements: (1) the power-of-prime cyclotomic ring is immune to subfield attacks; (2) complex matrix multiplications are replaced with matrix-vector multiplications to modify the ciphertext forms and decryption structures, so as to gain advantages in storage, transportation, and computations; (3) the single instruction multiple data (SIMD) technology is introduced, and homomorphic operations are executed through the Chinese remainder theorem, further improving the scheme computation and storage efficiency. The ciphertext of the scheme is in a form of a vector, and no key exchange is required for homomorphic operations. In addition, this scheme can eliminate the decisional small polynomial ratio (DSPR) assumption under certain conditions and only relies on the ring learning with errors (RLWE) assumption. The standard security model can prove that this scheme is secure against chosen-plaintext (IND-CPA) attacks. Compared with similar schemes, the proposed scheme improves the efficiency at least by a factor of lφ(x)/d + 1 and quadratically decreases the noise growth rate.


Introduction
Fully homomorphic encryption supports arbitrary computations on the ciphertext without the requirement of decryption, and the result obtained is the same as direct computations on plaintext after decryption. This can well solve the contradiction between the security of user privacy and the outsourcing of data storage and computation in an outsourced computing environment. Therefore, fully homomorphic encryption is widely applied in cloud computing, healthcare, blockchain, and other industries [1]. The existing FHE schemes can be divided into three types: integer-type [2], Regev-type [3], and NTRU-type [4]. The first two types of schemes have low efficiency of homomorphic computations and large cost of key generation, while in the NTRU-based FHE scheme, algorithms can only use modular multiplication and modular inverse, which results in a faster decryption speed [5,6] and plays a promising role in the resource-constrained IoT environment. It can provide mutual authentication for devices and servers as well as resistance to known attacks. IoT devices based on the NTRU-based scheme can be connected to authentication schemes such as those described in the literature [7,8], improving the overall authentication efficiency of schemes as well as preventing quantum attacks. Therefore, the study of the NTRU-based FHE scheme is of great significance.
In 2013, Gentry et al. proposed an FHE scheme, which was constructed based on the technique of approximate eigenvectors [9]. The homomorphic addition and homomorphic multiplication of this scheme are achieved by doing simple addition and multiplication on the matrix. The scheme is relatively simple, fast, and easy to understand, and the implementation of homomorphic computations can be achieved without computing the public key and only with the help of the user's public key [10]. In addition, the authors pointed out that the technique can be applied to construct an FHE scheme based on NTRU. However, no specific implementation was provided. The F-NTRU scheme proposed by Doröz and Sunar [11] and the improved scheme proposed by Li et al. [12] are all constructed by adopting the flattening technique and the BitDecomp technique to derive an NTRU-based scheme based on approximate eigenvectors. However, the ciphertext of the FHE scheme constructed using approximate eigenvectors is in the form of a matrix. The ciphertext size is relatively large, and complex matrix multiplications are required, which greatly affects the computational efficiency. In 2018, Khedr and Gulak [13] used NTT (Fast Number-Theoretic Transform) to perform matrix multiplication instead of circular convolution in the F-NTRU scheme to make the computation simple, but none of these improvements can essentially avoid matrix multiplication.
Meanwhile, the security of the above schemes is based on the power-of-two cyclotomic ring. The schemes based on this cyclotomic ring have a simple structure, but they cannot prevent subfield attacks [14,15] or use SIMD techniques [16]. Migliore et al. [17] also verified that the F-NTRU scheme suffers from the possibility of subfield attacks, so finding a more secure ring to guarantee the security of the scheme is especially important. In 2016, Doroz et al. [18] proposed for the first time a DHS16 scheme based on the power-of-prime cyclotomic ring to improve the LTV12 scheme [19], which improves the efficiency of the scheme in practical applications but does not give a theoretical proof of security. In 2018, Yu et al. [20] changed the ring structure of the SS11 scheme [21] to a power-of-prime cyclotomic ring and improved the key generation algorithm using a Gaussian distribution with regular embedding to make its security proven.
To address the abovementioned problems that occurred in the process of constructing FHE schemes using approximate eigenvectors, this paper firstly applies the existing power-of-two cyclotomic polynomial to the power-of-prime cyclotomic polynomial in terms of security enhancement and gives an NTRU-type FHE scheme based on the power-of-prime cyclotomic ring. The scheme eliminates the DSPR assumption under certain conditions, and its security only depends on the RLWE assumption. The standard security model can prove that this scheme is secure against chosen-plaintext (IND-CPA) attacks. In terms of improving efficiency, the scheme introduces SIMD techniques and uses matrix-vector multiplication instead of complex matrix multiplication, which greatly enhances the efficiency. The ciphertext of the scheme is in a form of a vector, which is more advantageous in storage, transportation, and computation. In addition, the calculation order of multiplication can further optimize the noise management.

Basic Knowledge
The power-of-prime cyclotomic ring [22] on which this scheme is based is a special case of cyclotomic polynomial. The construction of the key generation algorithm involves Gaussian distribution under regular embedding [23]. The security of this scheme depends on the RLWE assumption as well as the DSPR assumption [24], and the security model proves that this scheme is secure against IND-CPA attacks [25].
This section focuses on the cyclotomic polynomial, RLWE assumption, DSPR assumption, Gaussian distribution with regular embedding, and definition of the security model.

Symbolic Representation.
If A indicates an algorithm, x←A indicates that x is obtained based on that algorithm. If A indicates a collection, x←A indicates that x is randomly chosen from Collection A. For any integer q, if Use lowercase letters to represent a multidimensional vector. For example, for vector y, y_i indicates its ith component. The polynomial of an indeterminate of x is represented using lowercase letters, for example, f(x).

Cyclotomic Polynomial
Definition 1 (cyclotomic polynomial, see [22]). Assume Field K is the field of characteristic P, n is a positive integer that cannot be divided by P with no remainder, ξ_n is a primitive nth root of unity in Field K, and the polynomial Φ_n(x) = ∏_{i=1, gcd(i,n)=1}^{n} (x − ξ_n^i) is called the nth cyclotomic polynomial in Field K. Adjoin a primitive nth root of unity to Field Q of rational numbers to get an extension field K = Q(ξ_n), which is called the nth cyclotomic field.
, and R_q = R/qR is the power-of-prime cyclotomic polynomial ring.
Theorem 1 (see [22]). If F_q is a finite field and n is a positive integer, the sufficient and necessary condition for the cyclotomic polynomial of order n, Q_n, to be reducible over F_q[x] is that the exponent of q mod n is Φ_n(x) (that is, q is the primitive root of mod n). It can be seen from Theorem 1 that if n ≡ ±1 mod 8 is a prime or the square exponent of a prime, Q_n is reducible over [26].
Theorem 2 (see [22]). If F_q is a finite field, n is a positive integer, and gcd(n, d) where d is the exponent of q mod n, meeting the requirement of being the minimum integer of q^d ≡ 1 (mod n), and l = φ(x)/d.
Theorem 3 (see [27]). If n ∈ N, Φ_n(x) = x^n + 1, and Ring R = Z[x]/Φ_n(x), for any a and b ∈ R, the function is
Theorem 4 (see [20]). If n = d^v, d is a prime number, and For any a and b ∈ R, in the worst case, the function

Gaussian Distribution with Regular Embedding
Definition 2 (Gaussian distribution with regular embedding, see [26]). Assume that P(X) ∈ Z[x] is a monic reducible polynomial of degree n, R = Z[x]/P(x), the roots of P(X) in the field of complex numbers are w_1, w_2, ..., w_n, respectively, V = (w_j^{n−i})_{ij}, 0 ≤ i ≤ n − 1, and 1 ≤ j ≤ n is called a regular transformation matrix. Let t = t_{n−1}x^{n−1} + t_{n−2}x^{n−2} + ··· + t_0 ∈ R, the embedding of coefficients is represented by t_{n−1}, t_{n−2}, ..., t_0, and the transformation of regular embedding is represented by σ(t) = (t_{n−1}, t_{n−2}, ..., t_0)Vσ, and Gaussian distribution with regular embedding is represented as follows:

RLWE (Φ, n, q, χ) Assumption
Definition 3 (RLWE (Φ, n, q, χ) assumption, see [27]). Assume , R_q = R/qR, and a discrete Gaussian distribution χ on ring R with regular embedding. The RLWE (Φ, n, q, χ) assumption states that, for a random ring element s←R_q, given a polynomial (a_i, b_i = a_i · s + e_i) ∈ (R_q)^2 where a_i is uniformly random in R_q and e_i is drawn from an error distribution χ, it is very hard to distinguish whether b_i is drawn from computations or directly from the uniform distribution of R_q.

DSPR (Φ, n, q, χ) Assumption
Definition 4 (DSPR (Φ, n, q, χ) assumption, see [24]). Let , R_q = R/qR, and a discrete Gaussian distribution χ on ring R with regular embedding. The DSPR (Φ, n, q, χ) assumption is that it is hard to distinguish whether the element f of the polynomial h = g/f, where f and g are sampled from distribution χ, is drawn from a uniformly random element of R_q or is reversible in R_q = R/qR.

Security Model
Definition 5 (security model, see [25]). Define a game between the attacker and challenger. This game is divided into four phases.
Setup phase: the challenger runs the key generation algorithm of the encryption scheme to generate a public key and makes the attacker get the public key.
Oracle machine access phase: the attacker chooses the plaintext and initiates queries to the oracle machine for encryption. After the attacker gets the ciphertext in a response, the attacker can submit the chosen plaintext multiple times in different stages and get the ciphertexts corresponding to different plaintexts.
Challenge phase: the attacker chooses two plaintext messages m_0 and m_1 and sends them to the challenger. The challenger chooses b ∈ {0, 1} and sends the ciphertext c = Enc_pk(m_b) to the attacker.
Guess phase: the attacker gives his guess b′ corresponding to the ciphertext. When b′ = b, the attacker wins.
Assume that there is an encryption scheme ε for the public key within the bounded polynomial time, and a tiny function negl(λ) that gets the advantage of the attacker A is where negl(λ) can be ignored and λ is the security parameter of the scheme. The game includes an attacker of polynomial time attacker A. Let Adv^{IND−CPA}(A) be the probability that attacker A wins in the game. This scheme is secure against IND-CPA attacks.

Efficient NTRU-Based Fully Homomorphic Encryption
This section first introduces the SIMD technique for plaintext batch processing, then describes the algorithm construction of the scheme in this paper, and finally proves the correctness of the encryption and decryption process and homomorphic operations of the scheme and provides an analysis of the noise growth during the process.

SIMD Technique.
It can be derived from Theorems 1 and 2 that the power-of-prime cyclotomic ring can be decomposed into multiple irreducible polynomials in F_q[x]. Therefore, in this paper, we use the Chinese remainder theorem [28] to batch process the data of plaintext slots and perform homomorphic computations in parallel to improve the execution efficiency of the scheme. The specific procedure is given below.
Decompose the entire plaintext space R_p = R/pR into l subrings with the same size. The corresponding plaintext slots are plaintexts are waiting to be encrypted. Then, combine l plaintexts in the slots into a plaintext space. c(x) and c′(x) indicate the ciphertexts obtained after encryption using a same plaintext space, respectively, and their corresponding plaintexts are m_1(x), m_2(x), ..., m_l(x) and m_1′(x), m_2′(x), ..., m_l′(x), respectively. The homomorphic operations that are performed in parallel on l plaintexts are as follows: where l-add and l-mult indicate the batch homomorphic addition and homomorphic multiplication operations on plaintexts, respectively. Therefore, homomorphic operations can be regarded as being executed in parallel on the plaintext slots by using the SIMD technique. Because data at different indexes within the arrays can never interact, l-add and l-mult operations are not sufficient to perform arbitrary computations on encrypted arrays. To obtain a complete operation set of data arrays, this paper introduces the l-permute operation described in the literature [29] to impose an arbitrary ordering on data in arrays and supports plaintext slots of m(x) ⟶ m(x^{2^i}) to move cyclically by i plaintext slots. When i = 1, the plaintext slot of m(x) moves by one slot. Accordingly, the plaintext of each plaintext slot is changed to , so as to perform the whole operations on the data. When the ciphertext requires decryption, the Chinese remainder theorem is used for reversible processing to decrypt to l plaintexts.
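The slot decomposition described above can be checked on plaintexts alone. The following is an added example, not code from the paper: it assumes toy parameters n = 9 and p = 7 (so d = 3 and l = φ(n)/d = 2), uses illustrative function names, performs no encryption, and shows that addition and multiplication in R_p act independently on each CRT slot.

```python
# Added illustration (not from the paper): CRT plaintext slots in a
# power-of-prime cyclotomic ring. All parameters are toy assumptions.
from itertools import product

N = 9                          # n = 3^2, a power of a prime
P = 7                          # toy plaintext modulus p
PHI = [1, 0, 0, 1, 0, 0, 1]    # Phi_9(x) = x^6 + x^3 + 1, coefficients low -> high

def trim(a):
    """Reduce coefficients mod P and drop leading zeros ([] is the zero polynomial)."""
    a = [c % P for c in a]
    while a and a[-1] == 0:
        a.pop()
    return a

def add(a, b):
    n = max(len(a), len(b))
    return trim([(a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)
                 for i in range(n)])

def mul(a, b):
    if not a or not b:
        return []
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return trim(out)

def divmod_poly(a, b):
    """Quotient and remainder of a by b over F_P[x]."""
    a, b = trim(a), trim(b)
    q = [0] * max(len(a) - len(b) + 1, 1)
    inv_lead = pow(b[-1], -1, P)
    while len(a) >= len(b):
        k, c = len(a) - len(b), a[-1] * inv_lead % P
        q[k] = c
        a = trim([x - c * (b[i - k] if 0 <= i - k < len(b) else 0)
                  for i, x in enumerate(a)])
    return trim(q), a

def inv_mod(a, m):
    """Inverse of a modulo m by the extended Euclidean algorithm."""
    r0, r1, t0, t1 = trim(m), divmod_poly(a, m)[1], [], [1]
    while r1:
        q, r = divmod_poly(r0, r1)
        r0, r1, t0, t1 = r1, r, t1, add(t0, [-c for c in mul(q, t1)])
    if len(r0) != 1:
        raise ValueError("a is not invertible modulo m")
    return divmod_poly([c * pow(r0[0], -1, P) for c in t0], m)[1]

def mult_order(q, n):
    """Smallest d with q^d = 1 (mod n); requires gcd(q, n) = 1."""
    d, x = 1, q % n
    while x != 1:
        d, x = d + 1, x * q % n
    return d

def slot_moduli():
    """Brute-force the monic degree-d factors F_i of Phi_n mod p (toy sizes only)."""
    d = mult_order(P, N)
    factors = [list(lo) + [1] for lo in product(range(P), repeat=d)
               if not divmod_poly(PHI, list(lo) + [1])[1]]
    return d, factors

def pack(slots, factors):
    """CRT: the unique m in R_p with m = slots[i] (mod F_i) for every i."""
    m = []
    for s, f in zip(slots, factors):
        cof = divmod_poly(PHI, f)[0]          # Phi_n / F_i
        e = mul(cof, inv_mod(cof, f))         # 1 mod F_i, 0 mod every other F_j
        m = add(m, mul(s, e))
    return divmod_poly(m, PHI)[1]

def unpack(m, factors):
    """Inverse CRT: read slot i as m mod F_i."""
    return [divmod_poly(m, f)[1] for f in factors]

def ring_mul(a, b):
    """Multiplication in R_p = F_p[x] / Phi_n(x)."""
    return divmod_poly(mul(a, b), PHI)[1]

def demo():
    d, factors = slot_moduli()
    a = [[1, 2, 3], [4, 5, 6]]    # constructed slot contents, degree < d
    b = [[6, 0, 1], [2, 2, 0]]
    ma, mb = pack(a, factors), pack(b, factors)
    return {"d": d, "factors": factors,
            "sum": unpack(add(ma, mb), factors),
            "prod": unpack(ring_mul(ma, mb), factors)}

if __name__ == "__main__":
    print(demo())
```

In the scheme the same isomorphism is applied underneath the encryption, so one ciphertext operation updates all l slots at once.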

Scheme Construction.
Assume that λ is a security parameter, L is the number of circuit layers, and n is a dimension and a power of a prime number. Let is the vector space of plaintexts, and mapping CRT_q is the isomorphic mapping from F_{q^d}^l to R_q.

Key Generation Algorithm.
Select a relatively large standard error σ, and make f represent f = p · f′ + 1 where f′ is a polynomial sampled from a discrete Gaussian distribution D_{Z^n,σ}(x) with regular embedding. Input n and q ∈ Z, p ∈ R_q^*, and σ ∈ R, where R_q^* is a collection of reversible elements in R_q.
q . The detailed procedure is as follows:

Encryption Algorithm.
Use the Chinese remainder theorem to calculate the plaintext m←

Additive Homomorphism.
c^+ represents the result obtained by performing the homomorphic addition operation on two plaintexts. c′ and c″ represent the fresh ciphertexts in a form of a column vector. Because the ciphertexts are in the same form, only a simple addition operation is needed to achieve the homomorphic addition operation:

Multiplicative Homomorphism.
c^* indicates the result obtained by performing the homomorphic multiplication operation on two ciphertexts. The ciphertext c^* obtained through calculation is a column vector, which is in a same form as the original ciphertext. Therefore, no key exchange is required:

Decryption Algorithm.
c′ indicates the fresh ciphertext in a form of a column vector. When performing decryption operations, the first element c_0′ of this ciphertext is selected for calculation: According to (m_1(x), m_2(x), ..., m_l(x)) ← CRT_q^{−1}(m(x)) ∈ F_{q^d}^l, l plaintexts can be decrypted.

Correctness Analysis.
In this section, the encryption and decryption process of the scheme and the corresponding noise growth are analyzed. It can be known from the encryption and decryption algorithms that Because f ≡ 1 (mod p), c_0′ f mod p = m can be obtained from formula (9). Combine the Chinese remainder theorem (m_1(x), m_2(x), ..., m_l(x)) ← CRT_q^{−1}(m(x)) ∈ F_{q^d}^l to decrypt to l plaintexts.
where v = p(gs_0 + e_0 f) is the noise of the ciphertext. mf = m(p · f′ + 1) contains part of noise of mf′ to correct messages that have few packaging [30]. Therefore, this part of noise is ignored in this paper.
Proof. According to the basic encryption scheme c_0′ f = mf + pgs_0 + pe_0 f, let v = pgs_0 + pe_0 f be the noise of the fresh ciphertext. As the upper bound of χ is B, we can know that the upper bound of coefficient g, s, and e is B, and the upper bound of coefficient f is pB + 1. Combining Theorem 4, we can obtain that the upper bound of coefficient
Proof. Combining Theorem 1, we can reach the conclusion that when the noise is less than q/2p, the decryption is successful.

Additive Homomorphism.
Let c^+ be a ciphertext that is equivalent to the encryption of the sum of the two plaintexts. The ciphertext form is not changed, and the following can prove the additive homomorphism: From formula (13), ciphertext c^+ can be seen as a result of the sum of two plaintexts. Therefore, this scheme has the additive homomorphism.

Addition Noise.
Let c_0^+ represent the first row of the fresh ciphertext on which the homomorphic addition operation is performed.

Multiplicative Homomorphism.
Let c^* be a ciphertext that is equivalent to the encryption of the multiplication result of two plaintexts. The following can prove the multiplicative homomorphism: where the value ranges of v_1, v_2, and BitDecomp(c′) are small. It can be seen from formula (14) that c^* can be decrypted to the multiplication result of two plaintexts; therefore, this scheme has multiplicative homomorphism.

Multiplication Noise.
After the homomorphic addition operation is performed on two ciphertexts, the noise is the sum of the noises of two ciphertexts. After the homomorphic multiplication operation is performed, the noise is the multiplication result of the noises of two ciphertexts. Therefore, the factor that affects the correctness of decryption is multiplicative homomorphism. Therefore, this paper presents the noise obtained by performing the homomorphic multiplication and the calculated noise of the ciphertext circuit layer L. Let c_0^* represent the first row of the fresh ciphertext after the homomorphic multiplication operation was performed on it. Let v^* represent the noise after a homomorphic multiplication operation. According to the multiplication definition, we have a formula c^* f = m_2 m_1 Powerof2 and c_0′ is the first row of matrix BitDecomp(c′), a polynomial containing l − 1 coefficients whose value is 0 or 1. Through the formula, we can get Assume that the noise of the ith layer is c_i; according to the homomorphic operation, we can get c_i = c_{i−1} * c_{i−1}. The calculated noise of this scheme after the second multiplication circuit is as follows: A homomorphic multiplication operation is performed on 2φ(x)/d plaintexts. Therefore, the maximum noise deduced from the calculation of a circuit with a depth of L is As long as (2nlE + 2E)^{dL/φ(X)} does not exceed q/2p, the encryption of ciphertexts is correct. To compare with the F-NTRU scheme in terms of the noise, this paper analyzes the noise growth of the F-NTRU scheme.
Mathematical Problems in Engineering
Let c′ and c″ be the ciphertexts encrypted by using the F-NTRU scheme. The corresponding private key is f, c_0^* represents the first row of the ciphertext after a homomorphic multiplication operation is performed, and v^* represents the noise after a homomorphic multiplication operation is performed. According to the F-NTRU scheme, the multiplication definition is Therefore, in the F-NTRU scheme, the noise after a homomorphic multiplication operation is performed is ‖v^*‖_∞ ≤ 2E + nE^2. Assume that the noise of the ith layer is c_i, c_i = c_{i−1} * c_{i−1} according to the homomorphic operation, and the noise calculated after the second multiplication circuit in the F-NTRU scheme is as follows: A homomorphic multiplication operation is performed on two plaintexts. Therefore, the maximum noise deduced from the calculation of a circuit with a depth of L is As long as (2E + nE^2)^L does not exceed the encryption condition of the F-NTRU scheme, the ciphertext can be decrypted correctly. Combining the noise analysis of this scheme, we can get that compared with the F-NTRU scheme, the noise growth of this scheme after a homomorphic multiplication operation is performed decreases quadratically. In addition, the noise growth frequency of the F-NTRU scheme is φ(x)/d times of this scheme. Therefore, this scheme has a better performance in the noise management.

Multiplication Computation Optimization.
As the noise depends mainly on the noise of the first ciphertext, changing the order of multiplication can optimize the homomorphic computation of the scheme. For example, there are 4 initial ciphertexts denoted as c_1, c_2, c_3, and c_4. The original order of computation is first calculate c_5 = c_1 · c_2, then calculate c_6 = c_3 · c_4, and then get the final ciphertext c_7 obtained by calculating c_7 = c_5 · c_6. However, when the order of computation changes to first calculate c_5 = c_1 · c_2, then calculate c_6 = c_3 · c_5, and then get the final ciphertext c_7 obtained by calculating c_7 = c_4 · c_6, the dependence on the noise of the multiplied ciphertext can be reduced because the noise growth of such schemes is asymmetric. For example, in the literature [31] when using the first computation order, the noise obtained after the calculation of the circuit with a depth of L is (N + 1)^L · E. However, when the second computation order is used, the noise obtained after the same calculation is (L · N + 1) · E. The noise of the former grows exponentially, while the noise of the latter grows linearly; therefore, changing the multiplication order can optimize the homomorphic computation of the scheme and reduce the noise growth rate of the homomorphic multiplication, which means that the latter computation order can meet the calculation of a circuit with a depth more than L for the same noise threshold. For details, see the literature [32].
Proof. When f and g meet the above situation, there exists a probability of 1 − n^{−ω(1)} that formulas (20) and (21) can be established [21]. For polynomial f′, same parameters also apply to the formula f = p · f′ + 1, that is, there exists a probability of 1 − n^{−ω(1)} ).p. Combining Theorem 4, we can get that there exists a probability of 1 − n^{−ω(1)} ).pr. For a power-of-two cyclotomic ring and a power-of-prime cyclotomic ring, we already prove that, in normal cases, polynomials f, g, and h have a relatively smaller value. Therefore, sample f and g with a certain width of r, and make the public key h distribute uniformly when its norm growth does not affect a single homomorphic multiplication operation. Combining the inverse property, we can get that the inverses of f, g, f^{−1}, and g^{−1} that belong to R_q. Therefore, we get the following formula: In the DSPR assumption, h = 2g/f can be changed to 2h′. In the RLWE (Φ, n, q, χ) assumption, c^* = hs + 2e + m can be changed to c^* = u + m. In c^* = hs + 2e + m, the value range of e is very small and can be ignored. Combining formula (22), we can convert the form of fraction in the DSPR assumption to the form of multiplication in the RLWE (Φ, n, q, χ) assumption. Therefore, the security of this scheme can be reducible over the RLWE (Φ, n, q, χ) assumption. □
Proof. The following adopts the game hopping method to prove. In the formulas, Adv^{IND−CPA}(A) indicates the advantage of attacker A in the Game.
Game 0: standard IND-CPA game, that is, the challenger invokes the KeyGen algorithm of the scheme and makes attacker A get the generated public key pk. A has the capability of accessing the oracle machine for encryption. The challenger outputs the ciphertext c = Enc_pk(m_b), and attacker A tries to distinguish the plaintext m_b, b ∈ (0, 1), corresponding to c. In Game 0, the advantage of attacker A is |Pr[A(pk, Enc_pk(m_0)) = 1] − Pr[A(pk, Enc_pk(m_1)) = 1]|. (23)
Game 1: the difference between Game 1 and Game 0 is the method to generate a public key. In Game 1, public key pk is not sampled from the Gaussian distribution with regular embedding and a private key sk. But it is directly selected at random in a uniform way from R_q^*. It can be obtained from Definition 3 that the result generated from the discrete Gaussian distribution cannot be distinguished from the distribution probability of R_q^*. It can be seen from the literature [33] that the error between the result generated from the discrete Gaussian distribution and the distributed result of R_q^* is within 2^{−Ω(n)}. Therefore, we get the following formula:
Game 2: the difference between Game 2 and Game 1 is that the encryption algorithm of Game 2 is not performed according to the scheme, but is randomly selected in a uniform way from {0, 1}. From Theorem 3, we can get that the DSPR (Φ, n, q, χ) assumption in this scheme has been reducible over RLWE (Φ, n, q, χ). Therefore, in Game 2 and Game 1, the advantage difference of attacker A lies in the solution to the RLWE (Φ, n, q, χ) problem: Adv_{Game 2}(A) − Adv_{Game 1}(A) ≤ RLWE(Φ, n, q, χ)Adv(A). (25)
Game 3: in Game 3, the ciphertext c given by the challenger is no longer generated by the encryption algorithm. It is selected randomly in a uniform way from {0, 1}. The security analysis of Game 3 is the same as Game 2. We get the following formula: In Game 3, the public key pk and ciphertext c given by the challenger are all random, which are not related to plain text m_b, b ∈ (0, 1). Therefore, attacker A has no advantage in Game 3 that means From formulas (23)-(27), we can get Above all, in the RLWE(Φ, n, q, χ) assumption, RLWE(Φ, n, q, χ)Adv(A) can be ignored, which meets the requirement of Definition 5. Therefore, this scheme is secure against IND-CPA attacks.

Performance Analysis
In this section, the proposed scheme and the F-NTRU scheme are analyzed to show the advantages of the proposed scheme in terms of ciphertext size and homomorphic computational complexity.

Ciphertext Size Analysis.
The ciphertext of the F-NTRU scheme consists of two polynomials whose number of times is less than 2 n , and the ciphertext extension is in a matrix form of logq · logq . From Theorem 3, we can get that the upper bound of the size is logq 2 · n · logq 2 . The public key used by the F-NTRU scheme consists of two polynomials, and the size is n · logq 2 . During decryption, a polynomial private key has the number of times less than 2 n and coefficient less than (2B + 1), and the size is log(2B + 1). In this scheme, the ciphertext is a polynomial in a form of a dimension vector logq. It can be deduced from Theorem 4 that the ciphertext size of this scheme is 2 logq · ���� φ(n) · logq 2 . The cyclotomic polynomial of the public key and private key of the scheme in this paper is different from that of the F-NTRU scheme. Therefore, the sizes of the public key and private key in this scheme are changed and are 2φ(n) · logq 2 and log(2B + 1), respectively, compared with the F-NTRU scheme. The details are shown in Table 1.
As can be seen from Table 1, compared with the F-NTRU scheme, this scheme optimizes the public key size while keeping the private key size unchanged. The ciphertext size of this scheme is reduced from quadratic to cubic, which gains more advantages in storage and transmission.

Computational Complexity Analysis.
Assume that the time for performing a vector addition operation is T_add and for performing a vector multiplication operation is T_mult. In the F-NTRU scheme, performing a homomorphic addition operation (C′ + C″) is equivalent to performing l times of vector addition operations and performing a homomorphic multiplication operation C′ · C″ is equivalent to performing l × l times of vector multiplication operations. However, in this scheme, performing a homomorphic addition operation (C′ + C″) is equivalent to performing one single vector addition operation and performing a homomorphic multiplication operation BitDecomp(c′) · c″ is equivalent to performing l times of vector multiplication operations. Because in the BitDecomp(c′) matrix form of BitDecomp(c′) · c″, c″ is in a form of a vector. The computational volume of the matrix calculation and a column vector operation actually equal l times of vector multiplication operations. In addition, in this scheme, multiple plaintexts are packed into one ciphertext using the Chinese remainder theorem for parallel processing, which effectively improves the computational efficiency. For details, see Table 2.
From Table 2, it can be seen that this scheme improves the efficiency by a factor of l + 1 by changing the ciphertext to a form of a vector. The adoption of the batch processing technique also helps enhance the computational efficiency by a factor of φ(x)/d + 1. Therefore, in terms of efficiency, this scheme overall improves by a factor of lφ(x)/d + 1 compared with the F-NTRU scheme. In terms of communication cost, the plaintext space in this scheme is divided into φ(x)/d plaintext slots, which has lower communication cost and computational cost.
Normally, matrix-vector multiplication is O(l^2) order of magnitude faster than matrix multiplication, but since this scheme does not use the flattening technique to binarize the ciphertexts, the multiplication operation of values is slower than that of binarized values. Fortunately, the actual time spent in computing a large number of products of matrix vectors (value 0) is greatly reduced.
This is a major breakthrough in terms of efficiency after the matrix multiplication is replaced with the matrix-vector multiplication in this scheme.

Conclusion
To solve the problems of constructing fully homomorphic encryption schemes using approximate eigenvectors, this paper proposes an NTRU-based fully homomorphic encryption scheme based on a power-of-prime cyclotomic ring. This scheme can eliminate the DSPR assumption under certain conditions so that the scheme only relies on the RLWE assumption and can also be secure against IND-CPA attacks. The ciphertext of this scheme is in a form of a vector, and the use of matrix-vector multiplication operations instead of complex matrix multiplication operations effectively improves the efficiency of the scheme. Meanwhile, the noise growth decreases quadratically. Combining the multiplication execution order optimization method, the scheme performs better in noise management. Compared with the F-NTRU scheme, the ciphertext of this scheme has obvious advantages in storage, transportation, and computation, but the reduction in the number of times to decompose polynomial mods using the Chinese remainder theorem in this scheme affects the security of the RLWE (Φ, n, q, χ) assumption. Therefore, security parameters need to be selected more stringently in order to ensure the data security.

Data Availability
The data used to support the findings of this study are included within the article.

Conflicts of Interest
The authors declare that they have no conflicts of interest.