Analysis on Matrix GSW-FHE and Optimizing Bootstrapping

With the rapid development of multimedia technologies, multimedia data storage and outsourced computation are delegated to the untrusted cloud, which has led to a series of challenging security and privacy threats. Fully homomorphic encryption can be used to protect the privacy of cloud data and solve the trust problem of the third party. In this paper, we analyse the circular security of the matrix GSW-FHE scheme. We derive a sufficient condition of circular security for the matrix GSW-FHE scheme. It allows us to choose a good secret key via the "reject sample" technique and furthermore obtain a circular secure matrix GSW-FHE scheme. We also give an extended version of matrix GSW-FHE by defining a deterministic asymmetric encryption algorithm and propose a hybrid homomorphic plaintext slot-wise switching method, which significantly reduces the computation and storage complexity of bootstrapping key generation, thus optimizing the bootstrapping procedure.


Introduction
With the rapid development of multimedia technologies, for example, high-efficiency video coding (HEVC), which is becoming popular due to its excellent coding performance [1], multimedia data storage and outsourced computation are delegated to untrusted cloud servers, which has led to a series of challenging security and privacy threats. To tackle the security and privacy issues in cloud computing and storage, a lot of research has been performed, such as fully homomorphic encryption [2,3], attribute-based encryption, searchable encryption [4], and ciphertext retrieval schemes [5,6]. The concept of homomorphic encryption was proposed by Rivest et al. [7], and Gentry [2,3] proposed the first fully homomorphic encryption (FHE) scheme, based on ideal lattices. FHE allows us to evaluate any function over ciphertexts and, by decryption, obtain the value of the function over the corresponding plaintexts. Fully homomorphic encryption can be used to protect the privacy of cloud data and solve the trust problem of an untrusted third party, so it has broad application prospects in cloud computation and the big data field. There are many fully homomorphic encryption schemes based on NP-hard problems, such as ideal lattices [2,3], LWE [8,9], RLWE [10], LWR [11], and so forth.
The main difficulty in constructing a fully homomorphic encryption scheme is reducing the noise in the ciphertext. The noise grows rapidly during ciphertext evaluation and eventually reaches a threshold beyond which the resulting ciphertext can no longer be decrypted correctly. Therefore, somewhat homomorphic encryption schemes are constructed, which can homomorphically evaluate arithmetic circuits of limited depth. To get a pure fully homomorphic encryption scheme, Gentry proposed the bootstrapping technique, which is currently the only known way to get pure fully homomorphic encryption from somewhat homomorphic encryption. Its main idea is to refresh a ciphertext by homomorphic decryption, obtaining a fresh ciphertext and thereby reducing the ciphertext noise. The critical step of bootstrapping is encrypting the pieces of the secret key; the corresponding ciphertexts are published as the evaluation key. Thus, the homomorphic encryption scheme must enjoy circular security.
Unfortunately, all known FHE schemes are merely assumed to be circular secure, except [10,12]. If a fully homomorphic encryption scheme satisfies circular security, it is not necessary to generate as many public evaluation keys as the depth of the evaluation circuit. But circular security is not a naive security attribute, so it is necessary to analyse circular security for each concrete fully homomorphic encryption scheme. Meanwhile, bootstrapping is used to refresh ciphertexts, and the procedure is run frequently to get pure fully homomorphic encryption. Therefore, how to improve the efficiency of bootstrapping is worth intensive study.
Our Results. We analyse the circular security of the matrix GSW-FHE scheme [13]. From the formal definition of circular security, we derive a sufficient condition of circular security for the matrix GSW-FHE scheme. That is, the matrix GSW-FHE scheme satisfies circular security with respect to some function if the equations about the secret key have a solution over Z  . Therefore, we can choose a good secret key via the "reject sample" technique and furthermore obtain a circular secure matrix GSW-FHE scheme.
We also give an extended version of matrix GSW-FHE by defining a deterministic asymmetric encryption algorithm. To simplify the homomorphic equality test procedure, we propose a hybrid homomorphic plaintext slot-wise switching method using the symmetric encryption and deterministic public encryption algorithms, which significantly reduces the computational cost of bootstrapping key generation, thus optimizing the bootstrapping procedure of [13].
We may also implement a trade-off between the computation and storage complexity of bootstrapping. We delete part of the bootstrapping keys and compute them online when running the Rounding procedure. Since their computation involves only matrix additions, this cuts down the size of the large public bootstrapping key by a third, paying only matrix additions of negligible computational complexity.
Related Works. An encryption scheme achieves circular security if it remains secure even when the secret key is encrypted under the corresponding public key. In other words, a circular secure encryption scheme resists key-dependent message (KDM) attacks.
In the last few years, circular secure encryption schemes have been studied extensively [14-17]. Boneh et al. constructed a circular secure public key encryption scheme based on the DDH assumption without random oracles [16]. Based on Regev's LWE-based encryption scheme [18], Applebaum et al. constructed efficient cryptosystems enjoying circular security [17]. Brakerski and Vaikuntanathan [10] proposed a circular secure homomorphic encryption scheme based on the ring-LWE assumption. The main idea in the work of [10,17] is generating a valid ciphertext that decrypts to a message related to the secret key. Because the entries of the secret key are not in the message space, they introduced the "noise flooding" and "rerandomization" techniques to "fit" the entries into the message space.
Brakerski and Vaikuntanathan presented a fully homomorphic encryption scheme based on the LWE assumption using the relinearization technique [8]. The relinearization process allows doing one multiplication without increasing the size of the ciphertext, obtaining an encryption of the product under a new secret key. Publishing a "chain" of  secret keys allows performing up to  levels of multiplication without blowing up the ciphertext size. Yang et al. observed that if relinearization satisfies circular security, the "chain" of  secret keys can be brought back down to only one secret key, and they proposed a circular secure relinearization by defining a new assumption [12].
At EuroCrypt 2013, Gentry, Sahai, and Waters proposed a new fully homomorphic encryption scheme based on the approximate eigenvector method, called GSW-FHE [19]. In the GSW-FHE scheme, homomorphic addition and multiplication are just matrix addition and multiplication. But the GSW scheme encrypts only one bit per run of the encryption algorithm. At PKC 2015, Hiromasa et al. constructed a variant of the GSW scheme called matrix GSW-FHE, which encrypts matrices and supports homomorphic matrix addition and multiplication, and they optimized the bootstrapping procedure of Alperin-Sheriff and Peikert [20] using the matrix GSW-FHE scheme [13]. To achieve homomorphic matrix operations, the public key of the matrix GSW-FHE scheme includes ciphertexts that encrypt partial information about the secret key, so the matrix GSW-FHE scheme resorts to a circular security assumption; a formal circular security proof was not given, and it remains an open problem.
There are other works that optimize the bootstrapping procedure. Ducas et al. [21] proposed the FHEW scheme, which accelerates bootstrapping by embedding the cyclic group Z  into the group of roots of unity:  →   , where  is a primitive q-th root of unity. Wang and Tang [22] proposed an integer bootstrapping scheme by introducing new methods to evaluate integer polynomials with GSW-FHE, and they extended the method to packing by encrypting the integers diagonally in a matrix, as in the matrix GSW-FHE proposed by Hiromasa et al. [13]. Similarly, their scheme resorts to a circular security assumption.
On the other hand, the packing technique is used to evaluate a large number of ciphertexts efficiently, and it allows us to apply single-instruction-multiple-data (SIMD) homomorphic operations to all encrypted data [23,24]. The bootstrapping procedure [13,20] is optimized by embedding Z  into the symmetric group   , the multiplicative group of q × q permutation matrices, and homomorphically permuting SIMD ciphertexts. The mathematical basis of the SIMD technique is the Chinese Remainder Theorem (CRT). The plaintext space can be split into many small spaces via the CRT. If the plaintext modulus q is a composite that factors into distinct prime powers q =  1 . . .  , then the ring   can be mapped via the CRT to the direct product of the rings    .
Organization. In Section 2, we describe some preliminaries on the formal definition of homomorphic encryption and circular security and the isomorphism from the additive group Z q to a group of cyclic permutations. In Section 3, we review the matrix GSW-FHE scheme and define a new deterministic asymmetric encryption algorithm. We give the analysis of the circular security of the matrix GSW-FHE scheme in Section 4. In Section 5, we propose the hybrid plaintext slot switching method and optimize the bootstrapping procedure. We give conclusions in Section 6.

Preliminaries
We denote the set of integers by Z. Let G be some group and let P be some probability distribution; then we use   ←  G to denote that  is chosen from G uniformly at random and   ←  P to denote that  is chosen according to P. Vectors are denoted by bold lowercase letters, for example, x, and the i-th element of a vector x is denoted by   . The inner product of two vectors is denoted by ⟨x,y⟩. Matrices are written using bold capital letters, for example, , and the i-th column vector of a matrix is denoted by   . The  ×  identity matrix is denoted by   .

Homomorphic Encryption. Let M and C be the message and ciphertext spaces. A homomorphic encryption scheme consists of four algorithms {, , , V}.
(iv)  V (,

Embedding Z q into the Symmetric Group.
According to Cayley's Theorem, the additive group Z q is isomorphic to a group of cyclic permutations G, where  ∈ Z q corresponds to the cyclic permutation that can be represented by an indicator vector with a 1 in the ( + 1)-th position. The permutation matrix is obtained from the cyclic rotations of the indicator vector. Addition in Z q corresponds to composition of the permutations; the rounding function ⌊⌉ 2 : Z  → {0, 1} can be computed by summing the entries of the indicator vector corresponding to those elements of Z q that round to 1. By the CRT, Z  is isomorphic to the direct product Z  1 × . . . × Z   , where q ≜ ∏  =1   and the   are small powers of distinct primes. Similarly, Z  embeds into the symmetric group  =   1 ×   2 × . . . ×    .

Matrix GSW-FHE
3.1. Review of the Matrix GSW-FHE Scheme. In this section, we review the matrix GSW-FHE scheme. Let  be the security parameter. The matrix GSW-FHE scheme is parameterized by an integer lattice dimension , an integer modulus , and a distribution  over Z which is assumed to be sub-Gaussian; all of the parameters depend on . Let  ≜ ⌈log ⌉,  ≜ ((+) log ), and N ≜ (+)⋅. Let  be the number of bits to be encrypted, which defines the message space {0, 1} . Let  (,) ∈ {0, 1} × (i, j = 1, 2, . . ., r) be the matrix with 1 in the (i, j)-th position and 0 elsewhere. For all i, j = 1, 2, . . ., r, first sample where  [,] is the (i, j)-th element of .

Deterministic Asymmetric Encryption.
We define a new deterministic asymmetric encryption algorithm for the matrix GSW-FHE scheme as follows: (i) DetePubEnc  ( ∈ {0, 1} × ): input  and  ∈ {0, 1} × and output the ciphertext where  [,] is the (i, j)-th element of . The DetePubEnc algorithm has lower computational cost than the SecEnc and PubEnc algorithms: it involves only matrix addition, whereas SecEnc and PubEnc involve both matrix multiplication and matrix addition.

Analysis on Matrix GSW-FHE
In the KeyGen algorithm of matrix GSW-FHE,  (,) S needs to be computed when generating the public key  (,) . We observe that where the right-hand matrix has (−  1 , . . ., −   ) in the i-th row and 0 in the other rows. Let  (,)  ∈ Z ×  be an n × n matrix which satisfies the following matrix equation: That is, Viewing the elements of   as the equation parameters and the elements of   (,) as variables, we obtain a system of equations from the above matrix equation: By linear algebra, the system has a nontrivial solution if the rank of the coefficient matrix equals the rank of the augmented matrix below.
We denote the solution by  (,) , so we have From the above analysis, we can derive the circular security of the matrix GSW-FHE scheme.
By Theorem 1, we can choose a good secret key for which (12) has a solution via the "reject sample" technique and obtain a circular secure matrix GSW-FHE scheme.

Optimizing Bootstrapping
In this section, we describe how to optimize the bootstrapping procedure of [13] by introducing a deterministic homomorphic plaintext slot-wise permutation.

Motivation.
The decryption of all LWE-based FHE schemes consists of an inner product and a rounding: for a secret key s ∈ Z   and a binary ciphertext  ∈ {0, 1}  , the decryption algorithm computes Note that the inner product itself is just a subset-sum of the Z  -entries of s indicated by , and it uses only the additive group structure of Z  . Alperin-Sheriff and Peikert [20] proposed an efficient bootstrapping algorithm by embedding Z  into the permutation group   . Thus the rounding function is no longer just a sum; it can be expressed as where each equality test [ = v] returns 0 for false and 1 for true. The equality test operation has a homomorphic counterpart, called the homomorphic equality test. The homomorphic equality test is an important primitive for optimizing the bootstrapping procedure, and it has many other applications, as mentioned in [25].
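As an added worked example (not code from the paper), the following Python models in the clear the Cayley embedding of Section 2 and the rounding-as-equality-tests view above: indicator vectors, cyclic permutation matrices, the CRT split of Z_q into Z_{q_1} × Z_{q_2}, and the rounding of the decryption inner product ⟨s, c⟩ as a sum of equality tests. No encryption is performed, and the values q = 12 = 4 · 3, s and c are constructed samples.

```python
from functools import reduce
from math import gcd

def indicator(a, q):
    """Indicator vector of a in Z_q: a 1 in the (a+1)-th position, 0 elsewhere."""
    v = [0] * q
    v[a % q] = 1
    return v

def perm_matrix(a, q):
    """q x q cyclic permutation matrix P_a: row i is the indicator of (i + a) mod q,
    so right-multiplying an indicator vector by P_a adds a in Z_q."""
    return [indicator(i + a, q) for i in range(q)]

def vecmat(v, M):
    """Row vector times integer matrix."""
    return [sum(v[k] * M[k][j] for k in range(len(v))) for j in range(len(M[0]))]

def round2(x, q):
    """Rounding Z_q -> {0,1}: 1 iff x mod q is closer to q/2 than to 0, i.e. in [q/4, 3q/4)."""
    x %= q
    return 1 if q <= 4 * x < 3 * q else 0

def inner_product_mod(s, c, q):
    """Decryption inner product <s, c> mod q: a subset-sum of the entries of s selected by c."""
    return sum(si for si, ci in zip(s, c) if ci) % q

def round_inner_product_by_permutations(s, c, q):
    """Alperin-Sheriff/Peikert view: start from the indicator of 0, apply P_{s_i} for
    every i with c_i = 1 (the indicator now sits at <s, c> mod q), then round by summing
    the entries at positions v that round to 1, i.e. the sum of equality tests [<s, c> = v]."""
    x = indicator(0, q)
    for si, ci in zip(s, c):
        if ci:
            x = vecmat(x, perm_matrix(si, q))
    return sum(x[v] for v in range(q) if round2(v, q) == 1)

def round_inner_product_crt(s, c, factors):
    """Same rounding after the CRT split Z_q = Z_{q_1} x ... x Z_{q_t} (pairwise coprime
    factors): one short indicator vector per factor is permuted, and each equality test
    [x = v] becomes the product of the per-factor tests [x mod q_i = v mod q_i]."""
    assert all(gcd(a, b) == 1 for i, a in enumerate(factors) for b in factors[i + 1:])
    q = reduce(lambda a, b: a * b, factors)
    slots = [indicator(0, qi) for qi in factors]
    for si, ci in zip(s, c):
        if ci:
            slots = [vecmat(x, perm_matrix(si, qi)) for x, qi in zip(slots, factors)]
    total = 0
    for v in range(q):
        if round2(v, q) == 1:
            eq = 1  # [x = v] = prod_i [x mod q_i = v mod q_i]
            for x, qi in zip(slots, factors):
                eq *= x[v % qi]
            total += eq
    return total

# Constructed sample values (not from the paper): q = 12 = 4 * 3, a 4-entry secret key
# and a binary ciphertext selecting entries 0, 2 and 3, so <s, c> = 18 mod 12 = 6.
SAMPLE_Q, SAMPLE_FACTORS = 12, (4, 3)
SAMPLE_S, SAMPLE_C = [5, 7, 2, 11], [1, 0, 1, 1]
```

The CRT variant only ever touches indicator vectors of length 4 and 3 instead of 12, which is what makes the packed, slot-wise form of the homomorphic equality test worthwhile.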
For , v ∈ Z  , let  and  denote the r-by-r permutation matrices in the group   to which they map, respectively. The Eq? algorithm is described as follows: (i) Eq? (  =   , ,  ∈   ): given a ciphertext encrypting some permutation  ∈   and a permutation  ∈   (in the clear), output a ciphertext c encrypting 1 if  = ; otherwise, output a ciphertext c encrypting 0: Note that the permutation  ranges over all permutations in   , and it is not masked in the homomorphic equality test algorithm Eq?; that is,  ∈   is in the clear.
Let   : Z  → {0, 1}  be the isomorphism mapping an element of Z  (q ≜ ∏  =1   ) to the cyclic permutation that corresponds to an element of Z   , where r ≜ max  {  }. During the homomorphic rounding process of [13],   () is encrypted as part of the public bootstrapping key and used in the homomorphic equality test algorithm.
In fact,  ranges over Z  and does not carry any private information. It is not necessary to encrypt    () using the SecEnc algorithm, which would increase the computation cost. We propose optimizing the homomorphic equality test algorithm by defining a hybrid homomorphic plaintext slot-wise switching method, which reduces the computation cost of bootstrapping key generation.

Hybrid Homomorphic Plaintext Slot-Wise Switching.
Plaintext slot-wise permutation is an important operation in applications of packed FHE [23,24]. It can be achieved by multiplying the encryption of a permutation and of its inverse from the left and the right. We propose a hybrid homomorphic plaintext slot switching procedure where the switch key is encrypted by symmetric and asymmetric encryption algorithms. The nice feature of our switching procedure is that part of the switch key can be computed by deterministic public encryption, which makes our procedure more efficient than that of [13].
(iv) ℎ   (): Input a deterministic switch key dssk  and a ciphertext C; output where  ∈ Z (+)×  is the fixed encryption of   with noise zero.
5.3. Optimized Bootstrapping Procedure. Our optimized bootstrapping procedure can be used to refresh ciphertexts of all standard LWE-based FHE schemes. Let  ∈ {0, 1}  be the ciphertext to be bootstrapped, and let s ∈ Z   be the secret key that corresponds to . The optimized bootstrapping procedure consists of two algorithms, HybridBootKeyGen and HybridBootstrap.
(i) HybridBootKeyGen(, , ): Input a secret key  and public key  for our bootstrapping scheme and the secret key s = ( 1 , . . .,   ) ∈ Z   of the ciphertext to be refreshed; output a bootstrapping key bk. For every i ∈ [t] and j ∈ [d], let    (  ) be the permutation corresponding to   (  ), and generate where, for a vector  ∈ Z  , diag() ∈ Z × is the square integer matrix that has  on its diagonal and 0 elsewhere. Then compute the hints used in the homomorphic equality test on packed indicator vectors. For every i ∈ [t] and  ∈ Z  such that ⌊⌉ 2 = 1, compute Output the bootstrapping key . The hint ℎ is designed to encrypt 1 in the first slot if and only if  = ⟨, ⟩ . Finally, since the homomorphic sum is taken over every  ∈ Z  such that ⌊⌉ 2 = 1,  * is designed to encrypt 1 if and only if ⌊⟨, ⟩⌉ 2 = 1.

Security Analysis. If the bootstrapping scheme secret key is generated independently of the secret key s of the FHE scheme from LWE, then the IND-CPA security of the bootstrapping key follows immediately from the security of hybrid homomorphic plaintext slot-wise switching; the security of the hybrid homomorphic plaintext slot-wise switching scheme in turn rests on the security of matrix GSW-FHE, and hence the security of our bootstrapping scheme follows from the LWE assumption.

Performance Analysis.
Let  = Õ() be the modulus of the ciphertext to be refreshed, where  has the form  ≜ ∏  =1   and the   are small powers of distinct primes. The following lemma allows us to choose a sufficiently large  by letting it be the product of all maximal prime powers   bounded by O(log ); then t = O(log /log log ), where  is the security parameter.
Lemma 3 (see [13,20]). For all  ≥ 7, the product of all maximal prime powers   ≤  is at least exp(3/4).
On one hand, our DetePubEnc algorithm involves only matrix addition operations, whereas the SecEnc algorithm involves many matrix multiplication operations. Our bootstrapping key    () is optimized from    () . Therefore, our optimized bootstrapping key generation has lower computational complexity. The comparison of computational complexity is given in Table 1.
On the other hand, we may implement a trade-off between computation and storage complexity. For every ,  ∈ [r],  , = SecEnc  ( , ) can be used as the public bootstrapping key: we delete    () from the bootstrapping key and compute    () online when running the rounding procedure. Since    () is obtained by the DetePubEnc algorithm, its computation involves only matrix additions. Therefore, our optimized bootstrapping cuts down the size of the large public bootstrapping key by a third, paying only matrix additions of negligible computational complexity. The comparison of storage complexity is given in Table 2. Note: [ours]-1 denotes saving computation complexity at the cost of storage complexity; [ours]-2 denotes saving storage complexity at the cost of computation complexity.

Conclusions
The matrix GSW-FHE scheme encrypts multibit messages, supports complex homomorphic matrix operations, and can be used to optimize the bootstrapping procedure. We analyse the circular security of the matrix GSW-FHE scheme and derive a sufficient condition of circular security for it. That is, if the equations about the secret key have a solution over Z  , the matrix GSW-FHE scheme satisfies circular security with respect to the function   (,) (). Therefore, we can choose a good secret key that satisfies the sufficient condition via the "reject sample" technique and furthermore obtain a circular secure matrix GSW-FHE scheme. We also propose a hybrid homomorphic plaintext slot-wise switching method by defining a deterministic public encryption algorithm in matrix GSW-FHE, which significantly reduces the computational or space complexity of bootstrapping key generation, thus optimizing the bootstrapping procedure of Hiromasa et al. [13]. Meanwhile, the performance analysis validates the effectiveness of the proposed optimized bootstrapping scheme. Some questions remain for further study, such as the probability analysis of our sufficient condition and a necessary and sufficient condition for circular security of the matrix GSW-FHE scheme [26]. To make a fair comparison with state-of-the-art bootstrapping schemes such as FHEW [21], WT [22], and so forth, detailed security, parameter, and efficiency experiment analysis remains future work.
(i) (1  ): input the security parameter  and output a public encryption key , a secret decryption key , and a public evaluation key V.
(ii)   (): input the public key  and a plaintext  ∈ M and output a ciphertext  ∈ C.
(iii)   (): input the secret key  and a ciphertext  and output the message encrypted in .