Two-Party Secure Computation for Any Polynomial Function on Ciphertexts under Different Secret Keys

Multikey fully homomorphic encryption, proposed by Lopez-Alt et al. (STOC 2012), is a significant primitive that allows one to perform computation on ciphertexts encrypted independently under multiple different keys. Several schemes were subsequently constructed from the decisional small polynomial ratio assumption or from learning with errors. These schemes all require an expansion algorithm that transforms a ciphertext under a single key into an encryption of the same message under a set of keys. To run the expansion algorithm without interacting with the key holders, their encryption algorithms output not only a ciphertext of the plaintext but also auxiliary information derived from the randomness used in that encryption. Beyond that, the size of a ciphertext under multiple keys grows linearly or quadratically in the number of participants. In this paper, we study whether one can directly perform arbitrary computation on ciphertexts encrypted under different keys without any auxiliary information in the output of the encryption algorithm and without any growth of the ciphertext size from an expansion algorithm. To this end, we propose a simple scheme for secure computation on ciphertexts under two different keys that works on the ciphertexts directly, without auxiliary information: each party provides only its own ciphertexts encrypted with the GSW scheme (CRYPTO 2013). When evaluating on these ciphertexts, the size of the resulting ciphertext remains the same as that of a GSW ciphertext.


Introduction
The concept of multikey fully homomorphic encryption was proposed by Lopez-Alt et al. [1]. It allows one to perform arbitrary computations on ciphertexts encrypted under multiple different secret keys. Specifically, each party independently encrypts its input x_i to obtain a ciphertext c_i ← Enc_{pk_i}(x_i), and anyone can homomorphically evaluate an arbitrary function on these encrypted data without interaction between the parties. Since then there has been a lot of research [2-12] on its assumptions, functionality, and performance.
The main application of multikey FHE is the setting in which several parties are asked to engage in a joint computation only after they have already submitted their data. This is a significant difference from the applications of traditional (single-key) encryption schemes. For example, two hospitals want to cooperate and study the factors that influence some disease.
However, the data of their patients have been encrypted and stored on their own servers ahead of this cooperation. How can an evaluation algorithm be run directly on these ciphertexts without decrypting them? In [1], Lopez-Alt et al. focused on the problem of an (untrusted) cloud server that wants to perform computations over data from multiple clients without interacting with them after each client has transmitted its own (encrypted) input to the cloud and the other clients. In the scheme of Lopez-Alt et al. [1], although a ciphertext contains only an encryption of a plaintext, the size of a ciphertext under multiple secret keys becomes much larger than that of the original ciphertext, and security is based on a nonstandard assumption. The ciphertext length depends on the number of participants and increases at least linearly in it. In the scheme of Clear and McGoldrick [3], an encryption of a message contains a universal mask U generated by another public-key encryption scheme. Also, the ratio between the size of a ciphertext under multiple keys and that under a single key grows quadratically with the number of associated participants. Afterwards, Mukherjee and Wichs [2] proposed an optimized scheme with a simpler generation of the universal mask. However, there is still auxiliary information in the output of the encryption algorithm, and the ratio remains quadratic. Following these works, two independent multikey fully homomorphic encryption schemes were introduced by Brakerski and Perlman [5] and by Peikert and Shiehian [4]. In the former, although the authors replaced the universal mask with a bootstrapping procedure, the ciphertext growth rate is still linear, and their evaluation keys are generated by the previous multikey fully homomorphic encryption schemes. There are two versions in [4].
In the first scheme, the encryption of a message contains a commitment to the message and an encryption of the randomness used in that commitment; the ratio becomes linear. In the second, the encryption algorithm outputs only a ciphertext of the message, but the ratio becomes quadratic and the evaluation keys are generated by the first scheme. In [13], the growth rate is quadratic, and the output of the encryption algorithm also contains auxiliary information besides the ciphertext of the plaintext. Recently, Chen et al. [6] proposed a multikey FHE scheme based on the ring-LWE (Learning with Errors) assumption, in which the ciphertext-extension algorithm only generates the evaluation keys for the multikey scheme, but the size of a ciphertext under multiple keys still depends on the number of associated parties. The first multikey fully homomorphic encryption scheme was proposed by Lopez-Alt et al., but their solution is based on nonstandard assumptions. Subsequent solutions, despite being based on standard cryptographic assumptions (LWE), have two common shortcomings. The first is that they require the encryption not only of the plaintext but also of the randomness that was used; namely, c = Enc(pk, m; r) and U = Enc(pk, r), so each ciphertext must be accompanied by the additional information U. The second is that the length of the ciphertext increases linearly or quadratically with the number of participants. In this paper, our main research problem is how to directly perform secure computation on ciphertext data c provided by each user, without any additional information U, where these ciphertexts are encrypted under different secret keys. Our main focus here is the case of encryption under two different keys. We begin with the GSW13 encryption scheme [14], since the main step of its decryption algorithm is the inner product of two vectors; that is, ⟨c, v⟩ = m d + e, where d is a large constant.
As such, if we want to calculate the product of ciphertexts c_1 and c_2 encrypted under different secret keys, we only need to calculate
⟨c_1, v_1⟩ · ⟨c_2, v_2⟩ = (m_1 d + e_1)(m_2 d + e_2) = m_1 m_2 d^2 + d(m_1 e_2 + m_2 e_1) + e_1 e_2.
The final result is desirable, with m_1 m_2 appearing as one of its terms. However, there is another problem: the constant factor becomes d^2, and the small noises e_1 and e_2 are also multiplied by a large number. Therefore, we must find a way to bring the constant factor back down to d while keeping the noise within an acceptable range. Because the noise in a ciphertext grows with the number of addition and multiplication operations, once it exceeds a value fixed by the public parameters it causes incorrect decryption of the output ciphertext. Therefore, we should limit the noise growth during evaluation.
Our approach is to decrypt c_1 · c_2^T in two steps rather than multiplying it by both secret keys at once. First, a single secret key is applied: v_1^T · c_1 · c_2^T = (m_1 d + e_1) c_2^T, denoted tc_1; then tc_1/d is rounded to obtain tc = m_1 c_2. Finally, the other secret key is used to decrypt tc, giving ⌊⟨tc, v_2⟩/d⌉ = m_1 m_2. Throughout, the noise is kept small and is never multiplied by a large constant factor. To sum up, this describes how to multiply ciphertexts encrypted under two different keys. The addition operation can be reduced to multiplication; that is, c_1 + c_2 is evaluated as c_1 · c_2′^T + c_1′ · c_2^T, where c_1′ and c_2′ are encryptions of the plaintext 1 under the two different secret keys. With this, addition and multiplication on ciphertexts encrypted under two different secret keys are complete. However, the scheme has a shortcoming: the multiplication can be performed only once, since the result of multiplying two ciphertexts under different secret keys cannot be multiplied by further ciphertexts. To support the evaluation of any polynomial, we write the polynomial as P(x_1, …, x_u, y_1, …, y_v) = Σ_i f_i(x_1, …, x_u) · g_i(y_1, …, y_v), where the inputs of each f_i are x_1, …, x_u and the inputs of each g_i are y_1, …, y_v. In this way, we first use the single-key fully homomorphic encryption scheme to compute each f_i and g_i as intermediate results, and then compute the final result with our proposed method. Therefore, our secure computation involves only the GSW13 encryption scheme, without any additional information U. Moreover, unlike previous schemes where the ciphertext size grows linearly or quadratically with the number of secret keys, the ciphertext in our scheme always keeps its original size.
Our Contributions. We propose a protocol that allows one to evaluate any polynomial function directly on GSW ciphertexts under two different keys. Unlike previous works, each party provides only GSW ciphertexts, without any auxiliary information about its private inputs, and the size of the new ciphertext remains unchanged when evaluating on these ciphertexts. In our Addition and Multiplication algorithms on ciphertexts under two different keys, the noise increases linearly. Compared to the scheme in [1], our scheme is based on a standard assumption. Our scheme reduces the size of a ciphertext under a single key from O(n^4 log^4 q) in [2, 3] to O(n^2 log^2 q), where n is the lattice dimension and q is the modulus. Compared to the scheme in [5], our scheme does not require the expensive technique of bootstrapping to transform a ciphertext under a single key into a ciphertext under a set of keys. In the first scheme of [4], the size of a ciphertext under a single key is O(n^3 log^3 q).
The second scheme of [4] requires its first scheme to generate a public key of larger size. Different from the scheme in [6], the size of the public key in our scheme is the same as that of the GSW13 scheme, whereas the public key in [6] is O(log q) times the size of that of GSW13.

Related Work
In the scheme of Lopez-Alt et al. [1], although a ciphertext contains only an encryption of a plaintext, the size of a ciphertext under multiple secret keys becomes much larger than that of an original ciphertext, and security is based on a nonstandard assumption. The ciphertext length depends on the number of participants and increases at least linearly in it. In the scheme of Clear and McGoldrick [3], an encryption of a message contains a universal mask U generated by another public-key encryption scheme. Also, the ratio between the size of a ciphertext under multiple keys and that under a single key grows quadratically with the number of associated participants. Afterwards, Mukherjee and Wichs [2] proposed an optimized scheme with a simpler generation of the universal mask. However, there is still auxiliary information in the output of the encryption algorithm, and the ratio remains quadratic. Following these works, two independent multikey fully homomorphic encryption schemes were introduced by Brakerski and Perlman [5] and by Peikert and Shiehian [4]. In the former, although the authors replaced the universal mask with a bootstrapping procedure, the ciphertext growth rate is still linear, and their evaluation keys are generated by the previous multikey fully homomorphic encryption schemes. There are two versions in [4]. In the first scheme, the encryption of a message contains a commitment to the message and an encryption of the randomness used in that commitment; the ratio becomes linear. In the second, the encryption algorithm outputs only a ciphertext of the message, but the ratio becomes quadratic and the evaluation keys are generated by the first scheme. In [13], the growth rate is quadratic, and the output of the encryption algorithm also contains auxiliary information besides the ciphertext of the plaintext. Recently, Chen et al. [6] proposed a multikey FHE scheme based on the ring-LWE assumption, in which the ciphertext-extension algorithm only generates the evaluation keys for the multikey scheme, but the size of a ciphertext under multiple keys still depends on the number of associated parties.

Learning with Errors, SIVP, and GapSVP. Regev first introduced the Learning with Errors (LWE) problem in 2005 and showed, via a quantum reduction, that LWE is at least as hard as worst-case lattice problems (GapSVP and SIVP). Then Peikert gave an efficient classical reduction between LWE and these lattice problems. The details are given below.
Definition 1. (Learning with Errors). Let λ be the security parameter, let n = n(λ) be the dimension of the lattice, let q = q(λ) ≥ 2 be an integer, and let χ = χ(λ) be an error distribution over Z.
(i) (Search LWE) Sample s ← Z_q^n uniformly, then draw a_i ← Z_q^n uniformly and e_i ← χ, and set b_i = ⟨a_i, s⟩ + e_i mod q. The search LWE problem is to find s given the pairs (a_i, b_i).
(ii) (Decision LWE) The decision LWE problem, denoted LWE_{n,q,χ}, is to distinguish two distributions. The first is the uniform distribution over Z_q^{n+1}. The second first samples s ← Z_q^n and then outputs (a, ⟨a, s⟩ + e mod q) with a ← Z_q^n and e ← χ. When the number of samples is bounded by m, the problem is denoted LWE_{n,m,q,χ}.
The Learning with Errors (LWE) assumption is that LWE_{n,m,q,χ} (respectively LWE_{n,q,χ}) is intractable.

Fully Homomorphic Encryption.
A fully homomorphic encryption scheme is a tuple of algorithms (Gen, Enc, Dec, Eval) described as follows:
(pk, sk, evk) ← Gen(1^λ): on input the security parameter λ, output a public key pk, a secret key sk, and a public evaluation key evk.
c ← Enc(pk, μ): encrypt a message μ from the plaintext space and output a ciphertext c.

Security and Communication Networks
μ ← Dec(sk, c): decrypt a valid ciphertext c and output the corresponding message μ; otherwise, output a special symbol ⊥.
c_f ← Eval(evk, f, c_1, …, c_l): on input the public evaluation key evk, a function f, and a sequence of ciphertexts c_1, …, c_l corresponding to the plaintexts μ_1, …, μ_l, output a valid ciphertext c_f corresponding to the message f(μ_1, …, μ_l).
We say that a scheme Π = (Gen, Enc, Dec, Eval) is fully homomorphic if it satisfies the following properties.
Homomorphism: let C denote the class of all arithmetic circuits over GF(2). For every circuit f ∈ C and all messages μ_1, …, μ_l, with c_i ← Enc(pk, μ_i), the following inequality holds: Pr[Dec(sk, Eval(evk, f, c_1, …, c_l)) ≠ f(μ_1, …, μ_l)] ≤ negl(λ).
Compactness: there exists a polynomial p = poly(λ) such that the output length of Eval is at most p(λ) bits, independent of the function f and of the number of inputs.

Multikey Fully Homomorphic Encryption
Definition 5. (multikey FHE). A multikey FHE is a tuple of algorithms (Setup, Keygen, Encrypt, Expand, Eval, Decrypt) described as follows.
params ← Setup(1^λ, 1^d): on input the security parameter λ and the circuit depth d, the setup algorithm outputs the system parameters params. We assume that all other algorithms take params as an implicit input.
(sk, pk) ← Keygen(params): generate a secret key sk and a public key pk.
c ← Encrypt(pk, μ): take a public key pk and a message μ as input and output a ciphertext c.
ĉ ← Expand((pk_1, …, pk_N), i, c): on a sequence of N public keys and a fresh ciphertext c under the i-th key pk_i, output an expanded ciphertext ĉ.
ĉ := Eval(params, C, (ĉ_1, …, ĉ_l)): given a Boolean circuit C of depth ≤ d along with l expanded ciphertexts ĉ_1, …, ĉ_l, output an evaluated ciphertext ĉ.
μ := Decrypt(params, (sk_1, …, sk_N), ĉ): take a ciphertext ĉ and a sequence of N secret keys as input and output a message μ.
The following properties hold.
Semantic Security of Encryption. For any polynomial d = d(λ) and any two messages μ_0, μ_1, the distribution (params, pk, Encrypt(pk, μ_0)) is computationally indistinguishable from the distribution (params, pk, Encrypt(pk, μ_1)), where params ← Setup(1^λ, 1^d) and (sk, pk) ← Keygen(params).
Correctness. Let params ← Setup(1^λ, 1^d). Consider any sequence of N correctly generated key pairs {(pk_i, sk_i) ← Keygen(params)}_{i ∈ [N]} and any l-tuple of messages (μ_1, …, μ_l). For any sequence of indices (I_1, …, I_l) with each I_i ∈ [N], let {c_i ← Encrypt(pk_{I_i}, μ_i)}_{i ∈ [l]} be encryptions of the messages μ_i under the I_i-th public key and let {ĉ_i ← Expand((pk_1, …, pk_N), I_i, c_i)}_{i ∈ [l]} be the corresponding expanded ciphertexts. Let C be any Boolean circuit of depth ≤ d and let ĉ := Eval(C, (ĉ_1, …, ĉ_l)) be the evaluated ciphertext. Then the following holds: Decrypt((sk_1, …, sk_N), ĉ) = C(μ_1, …, μ_l).
Compactness. There exists a polynomial p(·) such that |ĉ| ≤ p(λ, d, N). In other words, the size of ĉ should be independent of C and l but may depend on λ, d, N.

A Scheme of Evaluation on Two-Key Ciphertexts for Any Polynomial
In this section, we formally describe our scheme. First, we recall the three operations of GSW13 that its encryption algorithm uses to keep noise growth slow. Let l be the length of the binary representation of q. Consider a vector a = (a_0, …, a_{n−1}) ∈ Z_q^n and write (a_{0,0}, a_{0,1}, …, a_{0,l−1}, a_{1,0}, …, a_{1,l−1}, …, a_{n−1,l−1}) ∈ {0, 1}^{nl}, where a_{i,j} is the j-th bit of the binary representation of a_i, so that a_i = Σ_j 2^j a_{i,j}. The three operations are
BitDecomp(a) = (a_{0,0}, …, a_{0,l−1}, …, a_{n−1,0}, …, a_{n−1,l−1}),
BitDecomp^{−1}(a_{0,0}, …, a_{n−1,l−1}) = (Σ_j 2^j a_{0,j}, …, Σ_j 2^j a_{n−1,j}) mod q, which is well defined for any integer input, not only for bits, and
Flatten(a) = BitDecomp(BitDecomp^{−1}(a)).
We can see that BitDecomp(·) expands each element of a vector into its binary representation, that BitDecomp^{−1}(·) is its inverse on binary input and maps each block of l entries to one element of Z_q, and that Flatten(·) turns any integer vector into a binary vector with the same value of BitDecomp^{−1}(·). On a matrix, each of the three operations is applied to every row separately, as in GSW13 (this is the convention under which C · v is unchanged by Flatten); that is, BitDecomp(A) is the matrix whose rows are BitDecomp of the rows of A, and BitDecomp^{−1}(·) and Flatten(·) on a matrix are defined similarly. Our scheme consists of the following probabilistic polynomial time algorithms (Setup, Gen, Enc, Dec, Add, Mult, Add2, Mult2, and Dec2).
Otherwise, set C_1′ and C_2′ to be encryptions of the message 1 under pk_1 and pk_2, respectively, and output C_{1,l−1} · (C′_{2,l−1})^T + C′_{1,l−1} · C_{2,l−1}^T, where C_{i,l−1} denotes the (l−1)-th row of C_i written as a column vector.
Dec2(params, C, sk_1, sk_2): if C is a ciphertext evaluated from two ciphertexts under the public keys pk_1 and pk_2, respectively, then the holder of the first secret key sk_1 computes tempc_1 = v_1^T · C and sends it to the sk_2 holder. Similarly, the sk_2 holder computes tempc_2 = C · v_2 and sends it to the first holder. Then the sk_1 holder outputs v_1^T · tempc_2 and the sk_2 holder outputs tempc_1 · v_2.
The evaluation algorithm Eval(·), which evaluates a depth-L circuit on polynomially many GSW ciphertexts, is composed of the Add and Mult operations.

Multiplication.
Assume that C_1 is a GSW ciphertext of the message μ_1 under the public key pk_1 and C_2 is a GSW ciphertext of μ_2 under pk_2. Let s_1 and s_2 be the secret keys corresponding to pk_1 and pk_2, respectively, and set v_i = Powerof2(s_i), i = 1, 2. The function Powerof2(·) transforms a vector (a_0, …, a_{n−1}) into the vector (a_0, 2a_0, …, 2^{l−1} a_0, …, a_{n−1}, …, 2^{l−1} a_{n−1}), where l is the length of the binary representation of the modulus q. It is the companion of BitDecomp(·): ⟨BitDecomp(a), Powerof2(s)⟩ = ⟨a, s⟩ mod q for all a and s.

Theorem 2.
Suppose that C_1, C_2 are ciphertexts under the secret keys v_1, v_2, respectively. If C is obtained from Mult2(C_1, C_2) or Add2(C_1, C_2), then the decryption algorithm Dec2(·) on inputs v_1, v_2, C fails only with negligible probability. That is, there exists a negligible function negl(·) in the security parameter λ such that
Pr[Dec2(params, Mult2(C_1, C_2), v_1, v_2) ≠ μ_1 μ_2] ≤ negl(λ),
and likewise for Add2(C_1, C_2) and μ_1 + μ_2.
Proof. We know that the first l elements of v_i are (1, 2, …, 2^{l−1}). Thus, we can decrypt the ciphertext C_i from its (l−1)-th row c_i = C_{i,l−1} as ⌊⟨c_i, v_i⟩ / 2^{l−1}⌉ = ⌊(μ_i 2^{l−1} + e_i) / 2^{l−1}⌉ = μ_i. Running the first part of the decryption algorithm on C = c_1 · c_2^T, we obtain tc = ⌊v_1^T · C / 2^{l−1}⌉ = ⌊(μ_1 2^{l−1} + e_1) c_2^T / 2^{l−1}⌉ = μ_1 c_2 + c′, where c′ collects the rounding error. After the second part, we get ⌊⟨tc, v_2⟩ / 2^{l−1}⌉ = ⌊μ_1 ⟨c_2, v_2⟩ / 2^{l−1} + ⟨c′, v_2⟩ / 2^{l−1}⌉ = μ_1 μ_2. That is to say, a single multiplication of two ciphertexts under different secret keys only doubles the size of the noise, because the noise in the intermediate ciphertext tc can be viewed as that of an addition of two GSW ciphertexts under the same secret key. Therefore, the ciphertexts obtained from this multiplication algorithm can be decrypted correctly.
We can easily see that one multiplication only doubles the noise. Thus, neither scaling up the parameters nor appending any auxiliary information is needed: we can directly perform one multiplication on two ciphertexts encrypted under two different keys without adjusting anything in the original GSW scheme.

Addition.
We can achieve the Addition operation by using the Multiplication operation. That is, Add2(C_1, C_2) = Mult2(C_1, C_2′) + Mult2(C_1′, C_2), where C_i′ is a ciphertext of the message 1 under the secret key v_i, i = 1, 2.
According to Theorem 2, after one Multiplication on two ciphertexts under different secret keys, the noise doubles. Thus, one Addition causes the noise to grow fourfold, which is faster than Multiplication. It is not hard to see that the ciphertext C_i′ does not need to hide its plaintext, which is the fixed value 1. Therefore, when constructing C_i′, we can set the randomness to zero; that is, C_i′ is a special "ciphertext" of the plaintext 1 without noise. This change gives the operations Addition and Multiplication the same noise growth. Note that Add2 supports not only the input of two ciphertexts under different secret keys but also the input of one ciphertext produced by Add2 or Mult2 together with one ciphertext under a single key, as well as the input of two ciphertexts of the former type. The details are as follows.
Assume that C′ is output by Add2 or Mult2 and that C is a ciphertext under the secret key v_{b+1}, where b ∈ {0, 1}. Then ADD(C, C′) = Mult2(C, C̄) + C′, where C̄ is the noiseless ciphertext of the message 1 under the other secret key v_{2−b}, with the two operands of Mult2 ordered so that the ciphertext under v_1 comes first.
Assume that C and C′ are both output by Add2 or Mult2. Then ADD(C, C′) = C + C′. This extends to the input of polynomially many ciphertexts output by Add2 or Mult2.
Because each f_i and g_i is a circuit of depth at most L, the ciphertexts C_{f_i} and C_{g_i} can be decrypted correctly under the single secret key they were evaluated under. The operations Addition and Multiplication on ciphertexts under two keys both increase the noise only linearly. Therefore, the output of the algorithm Eval can be decrypted correctly.

Analysis
6.1. Correctness. Suppose that C_1 and C_2 are GSW ciphertexts of the plaintexts μ_1 and μ_2 under the public keys pk_1 and pk_2, respectively, so that C_i · v_i = μ_i v_i + small, i = 1, 2. These two ciphertexts may be fresh GSW ciphertexts or ciphertexts evaluated through a circuit of depth at most L. A fresh GSW ciphertext has B-bounded noise, namely |small|_∞ ≤ B, and the error is bounded by B(N + 1) after one homomorphic operation. So C_i is a ciphertext with B(N + 1)^L-bounded noise. From the analysis in the previous section, the noise in Mult2(C_1, C_2) is bounded by 2B(N + 1)^L. Moreover, the noise in the addition of C_1 and C_2 increases linearly, in the same way as for the Multiplication. So after one homomorphic operation on two ciphertexts under different keys, the noise grows to 2B(N + 1)^L. We only consider one multiplication of two ciphertexts under different keys followed by polynomially many additions of such products.
Thus, we assume there are w = poly(λ, L) additions. The noise of the final evaluated ciphertext is bounded by 2wB(N + 1)^L. As long as this bound is less than q/8, we can decrypt the evaluated ciphertext correctly. We therefore set B(N + 1)^L ≤ q/(16w). Then B(N + 1)^L ≤ q/8 holds, so single-key GSW ciphertexts can be decrypted correctly, and also 2wB(N + 1)^L ≤ q/8, so ciphertexts obtained from quadratic computations on ciphertexts under two different keys can be decrypted correctly. We conclude this in the following theorems.
Theorem 3. Given a modulus q, a lattice dimension n, a B-bounded distribution χ, and a maximum circuit depth L, set N = (n + 1)(⌊log q⌋ + 1). If B(N + 1)^L ≤ q/8, a ciphertext obtained by evaluating a depth-L circuit decrypts correctly. Theorem 4. Given the above parameters q, n, χ, B, L, N and the number w of additions in a quadratic function, if B(N + 1)^L ≤ q/(16w), then a ciphertext obtained from a quadratic computation on fresh GSW ciphertexts under two different keys, or on ciphertexts evaluated through a depth-L circuit under two different keys, decrypts correctly.

Security.
The security of our scheme depends on that of the GSW scheme. The inputs of the evaluation algorithm are just GSW-type ciphertexts, the two public keys, and some common parameters; no other information about the private inputs is provided, so evaluation reveals nothing beyond the ciphertexts themselves. In the decryption protocol, the output of the first part is indistinguishable from the uniform distribution because a fresh ciphertext of the message 0 is added, which introduces new noise into the intermediate result. So we conclude the following theorem.
Theorem 5. If the GSW scheme is semantically secure, then so is our scheme. That is, if there exists a probabilistic polynomial time adversary A that can distinguish the distribution of ciphertexts of our scheme from the uniform distribution, then we can construct a probabilistic polynomial time adversary B that distinguishes the distribution of GSW ciphertexts from the uniform distribution.

Conclusion
In this paper, we present an efficient algorithm for secure computation on ciphertexts under two different keys. In previous works, when evaluating multikey ciphertexts, the size of the ciphertext grows at least linearly with the number of participants, and the schemes that keep the ciphertext size invariant instead output auxiliary information about the plaintexts. We wanted to evaluate directly on GSW ciphertexts from two parties without any auxiliary information or interaction between them. We designed a scheme in which one can directly evaluate any polynomial function on GSW ciphertexts under two different keys.

Data Availability
No data were used to support this study.

Conflicts of Interest
The author declares that there are no conflicts of interest.