Leveled Multi-Hop Multi-Identity Fully Homomorphic Encryption

Gentry, Sahai, and Waters (CRYPTO 2013) proposed the notion of multi-identity fully homomorphic encryption (MIFHE), which allows homomorphic evaluation of data encrypted under multiple identities. Subsequently, Clear and McGoldrick (CANS 2014, CRYPTO 2015) proposed leveled MIFHE candidates. However, the proposed MIFHE is either based on i O, which is a nonstandard assumption or single hop; that is, an arbitrary “evaluated” ciphertext under a set of identities is difficult to further evaluate when new ciphertexts are encrypted under additional identities. To overcome these drawbacks, we propose a leveled multi-hop MIFHE scheme. In a multi-hop MIFHE scheme, one can evaluate a group of ciphertexts under a set of identities to obtain an “evaluated” ciphertext, which can be further evaluated with other ciphertexts encrypted under additional identities. We also show that the proposed MIFHE scheme is secure against selective identity and chosen-plaintext attacks (IND-sID-CPA) under the learning with errors (LWE) assumption.


Introduction
e idea of homomorphic encryption was first proposed by Rivest et al. [1] in 1978. How to construct a scheme with homomorphic properties is used to be a difficult problem for cryptographers. With the advent of the information age and the development of cloud computing technology, it is particularly urgent to solve this problem. It was not until 2009 that Gentry proposed the first fully homomorphic encryption (FHE) system based on ideal lattices, allowing anyone without a secret key to compute any efficiently computable function over encrypted data [2]. Because FHE is suitable to apply cloud computing without compromising security, it has quickly become a research hot topic [3][4][5][6][7].
All of the above FHE schemes are single-key homomorphic, that is, only suitable for the homomorphic evaluation of ciphertext encrypted under a single key. However, in many realistic scenarios, the ciphertext of homomorphic encryption is usually encrypted under multiple different keys.
erefore, at STOC 2012, López-Alt, Tromer, and Vaikuntanathan [8] proposed the first cryptographic construction of multi-key full homomorphic encryption (MKFHE) based on NTRU cryptography, which enables the evaluation of data encrypted under different keys. Subsequently, a large number of articles appeared to improve MKFHE, including single hop only [9,10], multi-hop with bootstrapping [11][12][13][14][15][16], and multi-hop without bootstrapping [17]. Although (MK) FHEs have extensive applications, they require complex certificate management in implementation. To simplify the certificate management, Naccache [18] introduced a notion of identity-based fully homomorphic encryption (IBFHE), where there is no user-specific key that the evaluator must use. In particular, in an IBFHE scheme, data encrypted under a single identity can perform homomorphic operations by any evaluator with only public parameters. In 2013, Gentry et al. [7] constructed an IBFHE scheme from GSW-FHE. e IBFHE scheme only allows homomorphic evaluation of encrypted data under single identity but not multiple identities. Clear and McGoldrick [19] gave an MIFHE based on the indistinguishability obfuscation (i O) [20] to overcome the disadvantage of single identity at CANS 2014. en, they [9] proposed a leveled MIFHE candidate under LWE in the random oracle model at CRYPTO 2015. However, the later scheme needs to set the number of users participating in homomorphic evaluation in advance, and new users cannot be added to the operation process, which is single hop in MIFHE cryptography. In 2017, Canetti et al. [21] proposed two MIFHE schemes. e first combines MKFHE and identity-based encryption (IBE) on the fly. erefore, the ciphertext extension depends on the number of ciphertexts, which is not compact. e second is nonleveled, but uses i O. In 2020, with the help of an MKFHE, Pal and Dutta [22] extended IBE to a CCA1 secure MIFHE scheme. However, their extension process uses witness pseudorandom function (WPRF), which is a nonstandard assumption. Recently, Shen et al. [23] proposed a compressible MIFHE scheme based on [9,10,24]. e scheme is selectively secure under the LWE assumption and can reach an optimal compression rate, but it is single hop.
us, it is interesting to construct a compact MIFHE scheme with the multi-hop homomorphism under standard assumption, where one can evaluate a group of ciphertexts under a set of identities to obtain an "evaluated" ciphertext, which can be further evaluated with other ciphertexts encrypted under additional identities.

Contribution.
We propose a leveled multi-hop MIFHE scheme adapted from the GPV-FHE [25], following the construction method of the PS-MKFHE, which is a leveled multi-hop MKFHE scheme built by Peikert and Shiehian [17]. We show that it is compact and secure against the IND-sID-CPA attack under the LWE assumption in the random oracle model. In our construction, we use a fully homomorphic commitment to commit the plaintext bit to help homomorphic operations. Additionally, by combining the transformation of MIFHE to the nonadaptive chosen-ciphertext attack (CCA1) secure FHE proposed by Canetti et al. [21], we can obtain a CCA1 secure FHE with multi-hop homomorphism. Finally, we note that our construction can be applied to the ring setting as [9] for shorter parameters.

Technical Overview.
It is well known that the efficient multi-hop MKFHE obtained by bootstrapping is difficult to generalize MIFHE, because the public homomorphic evaluation key cannot be extracted from identity secret key SK id as it is a ciphertext of SK id and even the SK id is not generated before decryption. erefore, we focus on the PS-MKFHE [17], which does not use bootstrapping. Our key observation is that we can construct a multi-hop MIFHE scheme following the ideas introduced by Peikert and Shiehian [17]. ey built multi-hop MKFHE schemes to overcome the single hop drawback of the MKFHE schemes [9,10]. In their first construction, a ciphertext consists of (C, F, D), where C is a GSW-FHE ciphertext [7] that encrypts message μ, F is a fully homomorphic commitment [26] to the same message, and D is a special encryption of the commitment randomness implied in F under the same key to C. Here, (D, F) provides the power of expanding C to C ′ with additional keys (with a part of the public key) and preserves some invariant, which can be further used. In total, after expanding or computing, the form of (C, F, D) remains. is finding is the reason to support the multi-hop computation with respect to additional keys.
However, it is nontrivial to construct a multi-hop MIFHE scheme because PS-MKFHE [17] is built from GSW-FHE [7] but not from GPV-FHE [26]. For simplicity, we now informally describe a multi-hop MKFHE from GPV-FHE [26], which can be converted into a multi-hop MIFHE scheme (see Section 3).
In a multi-hop MKFHE scheme based on GPV-FHE, a ciphertext under a secret key t ∈ Z mk consists of four components (C, D, E, F): (2) A GPV-FHE style fully homomorphic commitment D ∈ Z m×mℓ q to the same message μ with underlying commitment randomness (R, X).
(3) A special encryption E ∈ Z nmℓ×mℓ q under t of the former part of the commitment randomness R.
(4) Another special encryption F ∈ Z m 2 ×mℓ q under t of the latter part of the commitment randomness X.
To expand C to an additional secret key t ∈ Z m q , we define where U is derived from E. e commitment D is preserved, and E, F are padded with zeros to fit the long secret key (t, t). Moreover, the homomorphic evaluation can be simply designed as GPV-FHE (see Section 3 for more details about our MIFHE scheme).

Paper Organization.
First, we recall some notions, definitions, and facts in Section 2. en, we propose our MIFHE scheme that satisfies IND-sID-CPA secure in Section 3. In the end, we conclude in Section 4.

Preliminaries
Let us start with the following notations that will be used throughout the study. We use the bold uppercase letters (e.g., A, B) to represent matrices. Similarly, the bold lowercase letters (e.g., a, b) represent column vectors. We use a i to denote the i entry of a and a i,j to denote the (i, j) entry of A.
[A‖B] is used to denote the concatenation of two matrices. Similarly, (a, b) is used to denote the concatenation of two column vectors. Let λ denote the security parameter. We define [n] � 1, 2, . . . , n { } for any positive integer n. Let negl (λ) denote a negligible function that grows slower than λ − c for any constant c > 0 and any sufficiently large value of λ. An event occurs with overwhelming probability; i.e., it occurs with a probability of at least 1 − negl(λ).  [17] suggested a simple method to indicate that the two sides in some "noisy equations" extensively used in lattice-based cryptography were approximately equal to an additive error. We will follow their notation using: x ≈ y(error E).
To indicate that x � y + e for some e ∈ [−E, E], the notation can be naturally expanded to the vector or matrix type using the infinite norm.

Tensor Product.
For matrices A ∈ Z m×n , B ∈ Z s×t , tensor product A ⊗ B is an (ms × nt) matrix, which consists of (m × n) blocks, whose (i, j) block is a i,j · B.
In this work, we widely use the mixed-product property: for any matrices A, B, C, D with compatible dimensions, it holds that: (3)

Lattices.
For matrix A ∈ Z n×m q , we define the q-ary integer lattice in this way: For vector u ∈ Z n q , we now define the coset (or "shifted" lattice) in this way:

LWE.
e learning with errors (LWE) problem was first introduced by Regev [27] as an extension of the "learning parity with noise." In this study, we define the decisional learning with errors (DLWE) problem that is equivalent to LWE for certain parameters as follows.

Definition 1. (Decisional Learning with Errors (DLWE))
For positive integers n, m, q and an error distribution χ over Z, the DLWEn, m, q, χ problem is to distinguish with nonnegligible advantage between Let χ be a discrete Gaussian distribution over Z with parameter r � 2 � n √ , and it is a well-established instantiation of LWE. A sample drawn from this distribution has magnitude bounded by r � n √ � Θ(n) except with a probability of at most 2 −n . For this parameterization and any m � poly(λ), it is easy to see LWE by quantum reduction at least as difficult as certain worst-case difficult problems (e.g., the shortest independent vector problem) on n-dimensional lattices with approximate factor O(q � n √ ) [27]. Classical reductions are also famous for subexponential modulus q [28] and polynomial q [29].
In this work, we rely on the tensor form of LWE denoted by TLWE and the matrix form of LWE denoted by MLWE, whose specific definitions are introduced below.

Definition 2. ( e Matrix Form of Learning with Errors (MLWE))
For positive integers n, m, k, q and an error distribution χ over Z, the MLWE n,m,k,q,χ problem is to distinguish with nonnegligible advantage between (A, B �

Definition 3. ( e Tensor Form of Learning with Errors (TLWE))
For positive integers n, m, k, t, q and an error distribution χ over Z, the TLWEn, m, k, t, q, χ problem is to distinguish with nonnegligible advantage between According to the standard mixed argument, we can get that MLWE is equivalent to DLWE with at most k factor loss in the distinguishing advantage, and TLWE is equivalent to MLWE with at most t 2 factor loss in the distinguishing advantage.

Lattice Trapdoor.
We recall some cryptographic facts about trapdoor generation and preimage sampling algorithms with important properties [30]. Since all the details of implementation are not strictly necessary in this work, we ignore them. Note that there are improved algorithms but only within O(logλ) factor [31].
Lemma 1 (see [30]). Let n � poly(λ), q ≥ 3 be odd, and m � 6nlogq . ere is a probabilistic polynomial time (PPT) algorithm TrapGen(n, m, q) that outputs a pair (A ∈ Z n×m q , T A ∈ Z m×m ), such that A is statistically close to a uniform matrix in Z n×m q , and T A is a basis for Lemma 2 (see [30]). Let n � poly(λ) be a positive integer, q be a prime, and m ≥ 2nlogq. en, for all but a 2q −n fraction of all A ∈ Z n×m q and for any r ≥ ω( ���� � logm ), the distribution of the syndrome u � As mod q is statistically close to uniform over Z n q , where s←D Z m ,r .
en, for a parameter r ≥ ‖T A ‖ · ω( ���� � logm ) and a uniformly random vector u ∈ R n , there is a PPT algorithm, which outputs vector s ∈ Λ ⊥ u (A) sampled from a statistically similar distribution to D Λ ⊥ u (A),r ; thus, As � u whenever Λ ⊥ u (A) is not empty.

Gadget Matrices and Bit Decomposition.
We recall a useful notion of gadget matrix, which was first introduced in [31], to decompose vectors or matrices over Z q into short vectors or matrices over Z.
More generally, for any positive integer k,

Multi-Identity Fully Homomorphic Encryption.
We begin with the definition of the leveled multi-hop MIFHE, which is adapted and summarized from the definition of the single-hop MIFHE in [9], definition of the single-hop MKFHE in [10], and definition of the multi-hop MKFHE in [17]. Here, we require a bound d on the NAND circuit depth and a bound L on the number of identities in one evaluation, and we mainly focus on the bit encryption scheme and [17]. Now, a ciphertext is called a "fresh" ciphertext if it is generated by the encryption algorithm Enc defined below (i.e., it corresponds to a single identity), an "expanded" ciphertext if it is the output of expansion algorithm Expand (which relates to multiple identities), or an "evaluated" ciphertext if it is the output of homomorphic evaluation algorithm Eval. MSK, and identity id ∈ I, extract a user-specific secret key SK id , and output it (iii) Enc(MPK, id, μ ∈ 0, 1 { }): on inputting the MPK, identity id ∈ I, and bit μ ∈ 0, 1 { }, output a "fresh" ciphertext (id; c) (iv) Expand(MPK, id k+1 , (id 1 , id 2 , . . . , id k ; c)): on inputting the MPK, identity id k+1 , and any ("fresh," "expanded," or "evaluated") ciphertext under k identities (id 1 , id 2 , . . . , id k ), compute and output an "ex- which correspond to identities (id 1 , id 2 , . . . , id k ) and any ciphertext (id 1 , id 2 , . . . , id k ; c), output a bit μ We underline that we will homomorphically evaluate any NAND circuit gate by gate as described in [17], which indicates that the evaluation is multi-hop as previous multikey FHE schemes [8,17]. (which relates each input wire to a key pair), and for every μ ∈ 0, 1 { } N , the following experiment succeeds with overwhelming probability: , compute c f ←Eval(MPK, f, c 1 , c 2 , . . . , c N ) (may invoke algorithm Expand), and finally check whether

Compactness.
A leveled multi-hop MIFHE scheme is compact if there exists a polynomial p(·, ·, ·) such that |c f | ≤ p(λ, d, L) in the experiment from Definition 4. In other words, the length of c f is independent of both f and N but can depend polynomially on λ, d, and L.

Security.
e security game of MIFHE is the same as that of IBE, but there is no reference to the expansion algorithm and evaluation algorithm because they are public and do not impact the security. In this study, we will mainly focus on the semantically secure under selective identity and chosen-plaintext attack (IND-sID-CPA) security game for MIFHE between a challenger C and a PPT attacker A, which is defined as follows: (i) Initial Stage. Attacker A is given bound d on the NAND circuit depth and bound L on the number of identities and outputs target identity id * . (ii) Setup. Challenger C runs Setup(1 λ , 1 d , 1 L ) to generate (MPK, MSK) and sends MPK to attacker A. (iii) Query Stage 1. Adversary A adaptively issues a query on any identity id such that id ≠ id * . Challenger C runs Extract(MPK, MSK, id) to obtain identity secret key sk id that corresponds to id and sends sk id back to A. (iv) Challenge. Challenger C selects a uniformly random bit μ * ← $ 0, 1 { }, computes a challenge ciphertext c * ←Enc(MPK, id * , μ * ), and sends it to attacker A.
(v) Query Stage 2. Adversary A issues additional adaptive identity secret key queries, and challenger C responds as in query stage 1.
(vi) Output. e attacker outputs a guess μ ′ ∈ 0, 1 { } and wins if μ ′ � μ * . e advantage of the attacker in the above IND-sID-CPA security game is defined as Pr[μ ′ � μ * ] − 1/2, where the probability is taken over the random bits used by all algorithms in the game.

Definition 5.
A leveled multi-identity fully homomorphic encryption scheme is IND-sID-CPA secure if any PPT attacker has at most a negligible advantage in the IND-sID-CPA security game defined above.

Multi-Identity Fully
Homomorphic Encryption

MIFHE Scheme.
In this section, we will describe the proposed MIFHE scheme. We present one more algorithm MIFHE.NAND to help understand MIFHE.Eval. We parameterize the system by dimension n � poly(λ), modulus q, and error distribution χ for the underlying LWE problem; we set m � 6nlogq , . For the worst-case security, we set χ to be the standard discrete Gaussian distribution over Z with parameter 2 � n √ , which implies that the samples drawn from χ have magnitudes bounded by E � Θ(n) except with probability 2 −n . Modulus q is set in the following Section 3.2 based on the bound on the maximum depth of the supported circuit and the bound of the number of identities. e scheme is described as follows: (1) Run algorithm TrapGen (n, m − 1, q) to generate a uniformly random matrix A 1 ∈ Z n×(m−1) q with a short basis  SamplePre(A 1 , T A 1 , u − a, r) to output a vector s ∈ Z m− 1 such that A 1 s � u − a. Set userspecific secret key SK id � t � (s, 1), and store (id, u, t) locally. Note that At � u and ‖t‖ ∞ ≤ B.
(2) Choose a uniformly random matrix Q← $ Z n×mℓ q and a discrete Gaussian matrix W←χ m×mℓ , and define the following: Note that C is nicely a GPV-FHE ciphertext [26] encrypting μ under the secret key t. In particular, (3) Choose a matrix R← $ Z n×mℓ q and a discrete Gaussian matrix X←χ m×mℓ , and define the following: Here, D is regarded as a commitment to the message μ under commitment randomness (R, X). (4) Choose a matrix S← $ Z n 2 ℓ×mℓ q and a discrete Gaussian matrix Y←χ nmℓ×mℓ , and define the following: Note that error β E (10) erefore, E is regarded as a sort of encryption of R (the tensor product with g corresponding to some bit decomposition appeared in expansion algorithm is vital to control the error growth), the former part of the commitment randomness used in D.
(5) Choose a uniformly random matrix T← $ Z nm×mℓ q and a discrete Gaussian matrix Z←χ m 2 ×mℓ , and define the following: Note that: erefore, F is regarded as a sort of encryption of X, the latter part of commitment randomness used in D. (1) Set u k+1 � H(id k+1 ).

Analyzing the Noise Growth and Setting the Parameters.
Now, we provide the reasons for definitions and analyze the noise growth in MIFHE.Expand and MIFHE.NAND to easily set the parameters. We instantiate the parameters and ensure correctness of MIFHE. First, as described in the previous section in the MIFHE.Expand algorithm, let us do the following analysis: (1) We have the following: Given t ∈ Z mk that is the (column) concatenation of the secret keys corresponding to identities (id 1 , id 2 , . . . , id k ), respectively, and a new secret key t k+1 , which is the secret key of id k+1 , we set t ′ � (t, t k+1 ) and then have the following: which indicates that (7) holds. In general, the error implied in the "expanded" ciphertext C ′ is as follows: (2) is visibly satisfies equation (8), and the error implied in the "expanded" ciphertext D ′ is as follows: (3) We have the following: It is obvious that: us, (10) is kept up to expansion.
(4) We have the following: Similar to the above step, (12) is also kept up to expansion as follows: Second, we analyze the MIFHE.NAND algorithm.
(1) We have the following: With t ∈ Z mk , which is the (column) concatenation of the secret keys that correspond to identities (id 1 , id 2 , . . . , id k ), we have the following: which indicates that (7) holds. In total, the error implied in the NAND ciphertext C NAND is as follows: (2) We have the following: and the commitment randomness is as follows: By simply computing, we can see that (8) is preserved:

Security and Communication Networks
(3) We have the following: To see that (10) holds for E NAND , first note that: Second, note that: Finally, from the above, we have the following: which indicates that (10) holds. (4) We have the following: To see that (12) holds for F NAND , first, note that: Second, note that: Finally, from the above, we have the following: which indicates that (12) holds. en, as [17], we now instantiate the parameters by bounding the worst-case error growth when homomorphically computing a depth d NAND circuit for up to L distinct identities. For a ciphertext (id 1 , id 2 , . . . , id k ; C, D, E, F) with commitment randomness (R, X), the max error is defined: With the bounds from the above, for any ciphertext with errors bounded by β, its "expanded" ciphertext has a max error of at most (nℓ + m + 1) · β � poly(n, ℓ) · β. Similarly, when we homomorphically compute an NAND gate of two ciphertexts with errors bounded by β, the result has a max error of at most (m 2 Lℓ + mℓ + 1) · β � poly(n, ℓ, L) · β. us, after computing any depth d NAND circuit on "fresh" ciphertexts under L distinct keys, then the result has a max error of at most: poly(n, ℓ, L) d+L . (45) us, we can set 4 · poly(n, ℓ, L) d+L � q for the correctness of decryption. Recall that ℓ � Θ(logq) � O(d + L); therefore, poly(n, ℓ, L) d+L � poly(n, d, L) d+L . us, the security of our scheme corresponds to a worst-case n-dimensional lattice problem with an approximation factor of poly(n, d, L) d+L .
Finally, the compactness requirement is satisfied because any ciphertext in our construction is bounded by poly(n, d, L) � poly(λ, d, L).

3.3.
Security. Now, we prove that the proposed scheme MIFHE is IND-sID-CPA secure under the hardness of the DLWE assumption in the random oracle model.

Theorem 1.
e multi-hop multi-identity fully homomorphic encryption scheme MIFHE, which was constructed in Section 3.1, is IND-sID-CPA secure in the random oracle model assuming that the DLWE n,q,χ assumption holds.
Proof. We prove the security of the proposed scheme MIFHE using a sequence of hybrid games. e first one of this game is the real IND-sID-CPA security game in Definition 5, and the last one is the ideal game, where the challenge ciphertext (except challenge identity id * ) is uniformly random and independent of the challenge bit μ * . We proceed by considering a sequence of hybrid games as follows: Game 0: is is the original game described in Definition 5, and it is IND-sID-CPA security. Recall that id * ∈ I is the target identity; that is, attacker A plans to attack id * , and the challenge ciphertext is (id * ; C * , D * , E * , F * ) encrypting μ * . Game 1: In this game, we change the methods of generating master public key A, answering hash (random oracle) queries and answering identity secret key queries as follows.
(1) Uniformly select at random a matrix A 1 ← $ Z n×(m−1) q and a vector a← $ Z n q , and set A � [A 1 ‖a] ∈ Z n×m q . (2) Uniformly select at random a vector u id * ← $ Z n q . (3) When attacker A issues a hash query H on identity id ∈ I, do: (c) Otherwise, sample vector s id ∈ D Z m−1 ,r , and compute u id � A 1 s id + a, set t id � (s id , 1), and store (id, u id , t id ) locally. Finally, return u id . (4) When attacker A issues an identity secret key query on identity id ∈ I, where id ≠ id * , without loss of generality, we assume that A has queried H on id and return t id , where (id, u id , t id ) ∈ store.
Game 2: this game is the same as Game 1 except that (C * , E * , F * ), which is a part of the challenge ciphertext, is selected as uniformly random independent elements in Z m×mℓ q × Z nmℓ×mℓ q × Z m 2 ×mℓ q . Game 3: this game is the same as Game 2, except that D * is selected as a uniformly random element in Z m×mℓ q . In fact, Game 3 is the ideal game.
We show the indistinguishability among all sequential hybrid games. Proof. We show that Game 0 is statistically close to Game 1 by analyzing that the changes are undetectable by any attacker between them step by step using Lemmas 1-3.
First, note that while the former part of master public key A 1 is generated by running algorithm TrapGen(n, m − 1, q) (with a trapdoor T A 1 ) in Game 0, A 1 is sampled from the uniform distribution over Z n×(m−1) q in Game 1. By Lemma 1, A 1 in Game 0 is distributed statistically close to a uniform distribution over Z n×(m−1) q as in Game 1.
Second, in regard to the simulation of hash query H, we discuss two cases: (1) If id � id * , then return u id * , which was uniformly sampled from Z n q at random. is perfectly simulates hash query H(id * ).
(2) Otherwise, sample a Gaussian vector s id ∈ D Z m−1 ,r , compute u id � A 1 s id + a, and return u id . Here, u id is distributed statistically close to the uniform distribution over Z n q , since A 1 s id is distributed statistically close to uniform distribution over Z n q by Lemma 2 and a← $ Z n q . Finally, note that the identity secret key of id is t id � (s id , 1), where s id is generated by running algorithm SamplePre(A 1 , T A 1 , u id − a, r) in Game 0, and the identity secret key of id is t id � (s id , 1), where s id is sampled from D Z m−1 ,r such that u id � A 1 s id + a in Game 1. By Lemma 3, s id in Game 0 is distributed statistically close to D Λ ⊥ u id −a (A 1 ),r such that A 1 s id � u id − a. us, the identity secret key t id in Game 0 is distributed statistically close to that in Game 1. erefore, Game 0 and Game 1 are statistically indistinguishable. Proof. e computational indistinguishability between Game 1 and Game 2 follows the assumed intractability of DLWE (and MLWE and TLWE). To show this behavior, we present a simulator S that can draw samples and form (B, C * , E * , F * ); it simulates Game 1 when the samples are DLWE samples; it simulates Game 2 when they are uniformly random samples. S proceeds as follows: (1) Draw sufficient samples, and form (B, C * , E * , F * ).
Uniformly select at random a vector u id * ← $ Z n q , and let A � B + e T n ⊗ u id * ∈ Z n×m q . (2) e hash query and identity secret key query are identical to those in Game 1. Generate D * exactly as in MIFHE.Enc. erefore, if (B, C * , E * , F * ) is sampled from DLWE, then S perfectly simulates Game 1. In contrast, if (B, C * , E * , F * ) is uniformly random, then S simulates perfectly Game 2previous. Proof. Similar to the previous proof of Lemma 5, the computational indistinguishability between Game 2 and Game 3 follows the assumed intractability of DLWE (or MLWE). To show this effect, we present a simulator S that can draw samples and form (A, D * ); it simulates Game 2 when the samples are DLWE samples; it simulates Game 3 when they are uniformly random samples. S proceeds as follows:

Security and Communication Networks
(1) Draw sufficient samples, and form (A, D * ). Uniformly choose at random a vector u id * ← $ Z n q , and let B � A − e T n ⊗ u id * ∈ Z n×m q . (2) e hash query and identity secret key query are identical to those in Game 2. Uniformly choose random (C * , E * , F * ).
erefore, if (A, D * ) is sampled from DLWE, then S perfectly simulates Game 2. In contrast, if (A, D * ) is uniformly random, then S perfectly simulates Game 3. □ ere is no information of message μ * in Game 3. Additionally, Game 0 and Game 3 are computationally indistinguishable by Lemmas 4-6. erefore, if the DLWE is difficult, attacker A only has negligible advantage, which completes the proof of the IND-sID-CPA security of MIFHE.

Conclusion and Open Problem
We present a multi-hop MIFHE scheme, which is IND-sID-CPA secure in the random oracle model under the standard LWE assumption. However, the proposed MIFHE scheme is only leveled homomorphic. erefore, it is interesting to construct a nonleveled multi-hop MIFHE scheme (i.e., there is no a priori bound on the depth of the circuits) under standard assumptions such as LWE (without unfalsifiable i O or WPRF).

Data Availability
No data were required in this work.

Conflicts of Interest
e authors declare that they have no conflicts of interest.