Article Open Access

Modern techniques in somewhat homomorphic encryption

  • Massimo Giulietti, Paolo Martinelli and Marco Timpanella
Published/Copyright: April 14, 2025

Abstract

The term “homomorphism” was introduced in cryptography by Rivest, Adleman, and Dertouzos in 1978 to address performing calculations on encrypted data without decryption. Since then, researchers have increasingly aimed to design schemes supporting numerous operations. This article aims to synthesize the current state of the art in the so-called somewhat homomorphic encryption.

MSC 2010: 94A60

1 Introduction

From a historical perspective, the term “homomorphism” was first introduced in cryptography by Rivest, Adleman, and Dertouzos in 1978 as a solution to the problem of performing calculations on encrypted data without necessarily decrypting it. Since then, an increasing number of researchers have sought to design such schemes to support as many operations as possible. These attempts can be essentially divided into three categories based on the type and the number of operations allowed on the encrypted data.

  • Partially homomorphic encryption (PHE) schemes, which allow an unlimited number of operations of a single type (e.g., an unlimited number of additions or multiplications).

  • Somewhat homomorphic encryption (SWHE) schemes, which allow various types of operations but only in a limited number.

  • Fully homomorphic encryption (FHE) schemes, which allow an unlimited number of operations of any type.

The objective of this article is to provide a synthesis of the state of the art in SWHE schemes. For details on the development of FHE and PHE see the study by Acar et al. [1].

In this context, and more generally in the field of homomorphic cryptography, Gentry’s work in 2009 marked a significant turning point. Gentry demonstrated how it is possible to construct an FHE scheme from an SWHE scheme using the bootstrapping technique, thereby giving a significant boost to the construction of new SWHE schemes. Prior to 2009, SWHE schemes in the literature were standalone algorithms, conceived as intermediate results leading toward the definition of an FHE scheme. However, since 2009, SWHE schemes have become an integral part of FHE schemes. Consequently, advancements in somewhat homomorphic cryptography after 2009 are often indistinguishable from those in fully homomorphic cryptography.

In this work, we first distinguish between SWHE schemes introduced before 2009, which we refer to as first-generation schemes, and schemes developed after Gentry's work. Regarding first-generation schemes, we focus particularly on the BGN (Boneh, Goh, and Nissim) algorithm from 2005, considered a milestone in the development of somewhat homomorphic cryptography. Among the algorithms developed after 2009, considerable attention is given to schemes based on the well-known learning with errors (LWE) problem (e.g., FV, Brakerski-Gentry-Vaikuntanathan (BGV), NTRU-like), which are currently considered among the most secure and promising. This research line also includes the Cheon-Kim-Kim-Song (CKKS) scheme, notable for its ability to operate on real and complex numbers (as opposed to integers, like the previous examples), making it particularly suitable for applications such as machine learning.

Finally, a different approach to the SWHE problem is described, with a scheme defined over the integers whose security rests on the approximate greatest common divisor (AGCD) problem.

2 Classic SWHE schemes

In the literature on homomorphic encryption schemes, one of the earliest attempts at SWHE is the Polly Cracker scheme [2]. This scheme allows both multiplication and addition on ciphertexts. However, the size of the ciphertext grows exponentially when performing such operations, making the scheme impractical; multiplication in particular turns out to be very costly. Subsequently, more efficient variants of this scheme were proposed [3,4], but almost all of them were later found to be vulnerable to attacks. Therefore, these early schemes are either insecure or impractical. Another attempt was made by Sander et al. [5] in 1999. This scheme also allows both types of operation to be evaluated, but the size of the ciphertext increases multiplicatively with each multiplication, which limits the depth of the circuits that can be homomorphically evaluated. Further improvements along the path taken by Sander, Young, and Yung were made by Ishai and Paskin in 2007 [6] and by Melchor et al. in 2008 [7], but without definitively overcoming the problem of ciphertext growth. The BGN algorithm (Boneh, Goh, Nissim) of 2005, on the other hand, overcomes these limitations, allowing homomorphic evaluation of an arbitrary number of additions plus one multiplication while keeping the ciphertext size constant. Given the importance that the BGN algorithm has had in the development of homomorphic cryptography, in this article we provide its explicit mathematical description.

3 BGN scheme

Introduced in 2005 by Boneh et al. [8], the BGN algorithm marks a milestone in the history of homomorphic cryptography. The security of the BGN scheme relies on the difficulty of the so-called Subgroup Decision Problem, which involves determining whether a given element of a group $G$ of order $n = pq$, with $p$ and $q$ distinct primes, belongs to the subgroup of $G$ of order $p$.

Below are the main phases of the BGN operation.

Given a security parameter $\kappa \in \mathbb{N}$, we choose two $\kappa$-bit primes $p$ and $q$ and compute $n = pq$. We consider:

  • $G$ and $G_1$ as cyclic groups of order $n$;

  • $g$ as a generator of $G$;

  • $e : G \times G \to G_1$ as a bilinear map such that $e(g, g)$ is a generator of $G_1$.

One possible construction of such groups, for $n > 3$ square-free and not divisible by 3, is as follows. Let $\ell$ be the smallest integer such that $P = \ell n - 1$ is prime and $P \equiv 2 \pmod 3$ (we write $P$ for this prime to keep it distinct from the factor $p$ of $n$). Consider the supersingular elliptic curve $y^2 = x^3 + 1$ over $\mathbb{F}_P$. Since $P \equiv 2 \pmod 3$, the number of $\mathbb{F}_P$-rational points on this curve is $P + 1 = \ell n$, and these points form a group. Take $G$ to be the subgroup of order $n$ of this group. Finally, if $G_1$ is the subgroup of $\mathbb{F}_{P^2}^*$ of order $n$, the (modified) Weil pairing on the curve provides the desired bilinear map.

Given $(p, q, G, G_1, e)$ and a generator $g$ of $G$, we choose another random generator $u$ of $G$ and compute $h = u^q$, which is a generator of the subgroup of $G$ of order $p$. The public key is then $pk = (n, g, h, G, G_1, e)$, while the private key is $sk = p$.

Suppose we want to encrypt an element $m \in \mathbb{Z}_2$. We simply choose a random element $r$ from $\mathbb{Z}_n$ and use the public key $pk = (n, g, h, G, G_1, e)$ to generate the encryption $c$ of $m$, defined as follows:

$$c = g^m h^r \in G.$$

To decrypt $c$, we use $sk = p$ to compute:

$$c^p = (g^m h^r)^p = (g^p)^m (h^p)^r = (g^p)^m, \quad \text{since } \operatorname{ord}(h) = p.$$

At this point, we simply compute the discrete logarithm $m = \log_{g^p}(c^p)$, for example using Pollard's lambda algorithm, to retrieve the message. Note that for this step to be feasible, the message space must be chosen small enough, since the logarithm is computed by a generic method whose cost grows with the square root of the size of the message space.

As mentioned earlier, BGN supports any number of homomorphic additions. Given $m, \tilde m \in \mathbb{Z}_2$ and their respective encryptions $c = E(m) = g^m h^r$ and $\tilde c = E(\tilde m) = g^{\tilde m} h^{\tilde r}$, anyone can construct a valid encryption $c_{\mathrm{add}}$ of $m + \tilde m$ by choosing $s$ randomly from $\mathbb{Z}_n$ and computing:

$$c_{\mathrm{add}} = c\,\tilde c\,h^s = (g^m h^r)(g^{\tilde m} h^{\tilde r})\,h^s = g^{m + \tilde m}\,h^{r_{\mathrm{add}}},$$

where $r_{\mathrm{add}} = r + \tilde r + s$. It is clear that the result is indeed an encryption of $m + \tilde m$:

$$(c_{\mathrm{add}})^p = (g^p)^{m + \tilde m}\,(h^p)^{r_{\mathrm{add}}} = (g^p)^{m + \tilde m},$$

and we can compute its discrete logarithm to obtain $m + \tilde m$.

Regarding homomorphic multiplication, the structure of BGN allows only one such operation, through the bilinear map $e$. Let $g_1 = e(g, g) \in G_1$ and $h_1 = e(g, h) \in G_1$. By assumption, $\operatorname{ord}(g_1) = n$, while, by the bilinearity of $e$, $\operatorname{ord}(h_1) = p$. Also, write $h = g^{\alpha q}$ for some $\alpha \in \mathbb{Z}$, so that $h_1 = g_1^{\alpha q}$ and $e(h, h) = h_1^{\alpha q}$. Given two ciphertexts $c, \tilde c \in G$ as above, we can compute an encryption $c_{\mathrm{mult}}$ of $m \tilde m$ by choosing $s \in \mathbb{Z}_n$ at random and setting:

$$c_{\mathrm{mult}} = e(c, \tilde c)\,h_1^{s} = e(g^m h^r, g^{\tilde m} h^{\tilde r})\,h_1^{s} = g_1^{m \tilde m}\,h_1^{m \tilde r + \tilde m r + \alpha q r \tilde r + s} = g_1^{m \tilde m}\,h_1^{r_{\mathrm{mult}}} \in G_1.$$

Since $s$ is uniform in $\mathbb{Z}_n$, $r_{\mathrm{mult}}$ is also uniformly distributed in $\mathbb{Z}_n$, so $c_{\mathrm{mult}}$ is a properly randomized encryption of $m \tilde m$. However, $c_{\mathrm{mult}}$ now lives in $G_1$ rather than $G$: decryption (raise to the power $p$ and take the logarithm to base $g_1^p$) and homomorphic addition are still possible in $G_1$, but no bilinear map is available on $G_1$, so a second homomorphic multiplication is not.
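The subgroup trick of this section, as an added example that is not part of the original article: a toy BGN-style instance in Python, realized in a cyclic subgroup of composite order $n = pq$ of $\mathbb{Z}_P^*$ rather than on the elliptic curve described above. $\mathbb{Z}_P^*$ carries no bilinear map, so the single pairing-based multiplication is omitted; what is exercised is key generation with $\operatorname{ord}(g) = n$ and $\operatorname{ord}(h) = p$, encryption $c = g^m h^r$, the $c^p$ decryption trick and re-randomized homomorphic addition. The primes $(103, 107)$, the message bound 64 and the exhaustive-search logarithm used in place of Pollard's lambda are assumptions of the example.

```python
"""BGN-style keygen, encryption, decryption and homomorphic addition in a
composite-order subgroup of Z_P^*.  Added example, not the authors' code.
Z_P^* carries no bilinear map, so the one pairing-based multiplication of
Section 3 is not shown; what is shown is the subgroup structure
(ord(g) = n = pq, ord(h) = p) and the c^p decryption trick.  Toy parameters."""
import random


def is_prime(x: int) -> bool:
    """Trial division, adequate for the toy sizes used here."""
    if x < 2:
        return False
    return all(x % f for f in range(2, int(x ** 0.5) + 1))


def keygen(rng: random.Random, p: int, q: int):
    """pk = (n, g, h, P) with ord(g) = n = pq and ord(h) = p; sk = p.
    P is a prime with n | P - 1, so Z_P^* contains a cyclic subgroup of order n."""
    n = p * q
    cofactor = 2
    while not is_prime(cofactor * n + 1):
        cofactor += 1
    P = cofactor * n + 1

    def generator_of_order_n() -> int:
        while True:
            x = pow(rng.randrange(2, P), cofactor, P)      # lands in the order-n subgroup
            if pow(x, p, P) != 1 and pow(x, q, P) != 1:   # order is neither p nor q, so it is n
                return x

    g = generator_of_order_n()
    u = generator_of_order_n()
    h = pow(u, q, P)                                      # generator of the order-p subgroup
    return (n, g, h, P), p


def encrypt(pk, m: int, rng: random.Random) -> int:
    """c = g^m h^r with r uniform in Z_n."""
    n, g, h, P = pk
    return pow(g, m, P) * pow(h, rng.randrange(n), P) % P


def add(pk, c1: int, c2: int, rng: random.Random) -> int:
    """Encryption of m1 + m2, re-randomised with a fresh h^s."""
    n, g, h, P = pk
    return c1 * c2 * pow(h, rng.randrange(n), P) % P


def decrypt(pk, sk: int, c: int, max_m: int = 64) -> int:
    """c^p = (g^p)^m kills the h-component; m is then a discrete log in the
    order-q subgroup generated by g^p, found here by exhaustive search over the
    small message space (Pollard's lambda would be used for larger spaces)."""
    n, g, h, P = pk
    base, target, acc = pow(g, sk, P), pow(c, sk, P), 1
    for m in range(max_m):
        if acc == target:
            return m
        acc = acc * base % P
    raise ValueError("plaintext outside the small message space")
```

Because $g^p$ has order $q$, the logarithm is unique as long as the (summed) plaintext stays below $q$; with $q = 107$ the bound of 64 keeps the search both short and unambiguous.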

4 SWHE schemes based on LWE

LWE, introduced by Oded Regev as an extension of the "learning parity with noise" problem, is considered one of the hardest problems to solve even for quantum computers. Regev gave a (quantum) reduction from worst-case instances of some of the best-known lattice problems, such as the (approximate) shortest vector problem (SVP), to LWE. This implies that an algorithm efficiently solving LWE could be turned into an efficient (quantum) algorithm for those lattice problems. Since then, LWE has become one of the most studied and promising problems in post-quantum cryptography. In this section, we describe the workings of the main SWHE schemes based on LWE.

In the context of homomorphic cryptography, the fame of this problem is largely due to its use in constructing SWHE and FHE schemes. A fundamental step in this regard was taken in 2011 by Brakerski and Vaikuntanathan [9]. The description of the algorithm they constructed (called BV) is reported in Section 5.

Subsequently, Lyubashevsky et al. [10] (Eurocrypt 2010, journal version 2013) proposed a significant variant of LWE, called ring-LWE (RLWE), which moves the problem to the setting of polynomial rings. Since then, several researchers have worked to transfer the BV algorithm into this new environment, with the aim of achieving performance improvements. In this direction, we particularly mention the work of Fan and Vercauteren (FV scheme) [11] and the BGV scheme [12].

A completely different approach to building an SWHE scheme from well-known lattice problems was presented by López-Alt et al. in 2012 in [13], with an algorithm inspired by the famous NTRU. NTRU-Encrypt is an example of a lattice-based cryptosystem that has already been extensively tested and standardized, but whose homomorphic properties have only recently been recognized. In Section 8, we describe this approach in more detail along with some of the challenges encountered.

4.1 Notations and LWE

Let $S$ be a finite set and $\chi$ a probability distribution over $S$. In the following, we write $x \xleftarrow{\$} \chi$ to indicate that $x$ is chosen from $S$ according to the distribution $\chi$, and $x \xleftarrow{\$} S$ to indicate that $x$ is chosen from $S$ uniformly at random. Scalars and vectors are denoted in italic and bold respectively (e.g., $x$ is a scalar, $\mathbf{v}$ is a vector), while matrices are denoted in uppercase bold. The dot product of two vectors, denoted $\langle \mathbf{u}, \mathbf{v} \rangle$, is the usual one, $\langle \mathbf{u}, \mathbf{v} \rangle = \mathbf{v}^T \mathbf{u}$. If $\mathbf{v}$ is a vector of dimension $n$, its $i$th component is denoted $\mathbf{v}[i]$. By convention, $\mathbf{v}[0] \triangleq 1$.

We now describe the LWE problem. Let $n$ and $q$ be two natural numbers with $q \ge 2$. Let $\mathbf{s} \in \mathbb{Z}_q^n$ be a vector and $\chi$ a probability distribution over $\mathbb{Z}_q$. Consider the distribution $A_{\mathbf{s},\chi}$ which, for a random vector $\mathbf{a} \xleftarrow{\$} \mathbb{Z}_q^n$ and "noise" $e \xleftarrow{\$} \chi$, returns the pair $(\mathbf{a}, \langle \mathbf{a}, \mathbf{s}\rangle + e) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$. The $\mathrm{LWE}_{n,m,q,\chi}$ problem is then defined as follows: given $m$ independent samples from $A_{\mathbf{s},\chi}$ (for some $\mathbf{s} \in \mathbb{Z}_q^n$), output $\mathbf{s}$ with high probability.

The decisional version of this problem, denoted $\mathrm{DLWE}_{n,m,q,\chi}$, consists instead in distinguishing $m$ samples drawn from $A_{\mathbf{s},\chi}$ (where $\mathbf{s}$ is chosen uniformly from $\mathbb{Z}_q^n$) from $m$ samples drawn uniformly from $\mathbb{Z}_q^n \times \mathbb{Z}_q$.

For cryptographic applications, the DLWE problem is particularly interesting. Indeed, reductions (both classical and quantum) to lattice problems considered difficult to solve are known. It is not the objective of this report to delve into the nature and complexity of such lattice problems, it is sufficient to recall that the most efficient algorithms for solving these problems have an almost exponential complexity with respect to the lattice dimension, and for this reason, the cryptosystems based on them are considered secure.

5 BV scheme

The underlying idea behind Gentry’s construction is to exploit the difficulty of certain problems related to the so-called ideal lattices (a particular family of lattices). Ideals are mathematical objects that naturally appear in the context of homomorphic cryptography, as they are closed by definition under both addition and multiplication (while a generic lattice is closed only under addition). Despite the widespread use of lattices in cryptography, ideal lattices are a specific category about which we know relatively little. After Gentry, several constructions of FHE have been based on his approach, but although promising, these early “second-generation” schemes have never truly become practical.

In the study by Brakerski and Vaikuntanathan [9], however, the authors introduced a scheme, which we will refer to as BV from now on, whose security is based on generic lattice problems (not necessarily ideal lattices). In particular, the security of this system is solely based on the complexity of LWE, a problem that is widely studied and considered “reliable.” Furthermore, the definition of this scheme does not directly depend on lattices, making it easier to understand and implement.

5.1 Parameters

BV is a public-key SWHE scheme with plaintext space $\mathbb{Z}_2$. Its parameters are two natural numbers $n$ and $m$, an odd modulus $q$, and an error distribution $\chi$ over $\mathbb{Z}_q$. Let $\kappa \in \mathbb{N}$ be a security parameter and $L \in \mathbb{N}$ a parameter indicating the maximum number of homomorphic multiplications (multiplicative depth) the scheme can handle. A possible choice of parameters is: $n$ polynomial in $\kappa$; $m \ge n \log q + 2\kappa$, polynomial in $n$; $q \in [2^{n^{\varepsilon}}, 2 \cdot 2^{n^{\varepsilon}})$, where $\varepsilon \in (0,1)$ is a constant (so $q$ is subexponential in $n$); and $L \approx \varepsilon \log n$.

5.2 Key generation

First, we sample $L + 1$ vectors $\mathbf{s}_0, \dots, \mathbf{s}_L \xleftarrow{\$} \mathbb{Z}_q^n$. For each $\ell \in \{1, \dots, L\}$, for each $i, j$ with $0 \le i \le j \le n$, and for each $\tau \in \{0, \dots, \lfloor \log q \rfloor\}$, we choose

$$\mathbf{a}_{\ell,i,j,\tau} \xleftarrow{\$} \mathbb{Z}_q^n, \qquad e_{\ell,i,j,\tau} \xleftarrow{\$} \chi$$

and consider the pairs $\psi_{\ell,i,j,\tau} \triangleq (\mathbf{a}_{\ell,i,j,\tau}, b_{\ell,i,j,\tau}) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$, where

$$b_{\ell,i,j,\tau} \triangleq \langle \mathbf{a}_{\ell,i,j,\tau}, \mathbf{s}_\ell \rangle + 2 e_{\ell,i,j,\tau} + 2^{\tau}\, \mathbf{s}_{\ell-1}[i]\, \mathbf{s}_{\ell-1}[j],$$

with the convention $\mathbf{s}_{\ell-1}[0] \triangleq 1$. We then define $\Psi \triangleq \{\psi_{\ell,i,j,\tau}\}$ as the set of these pairs; each pair is an encryption under $\mathbf{s}_\ell$ of the product $2^{\tau}\,\mathbf{s}_{\ell-1}[i]\,\mathbf{s}_{\ell-1}[j]$ of two coordinates of the previous key. As the last step, the algorithm chooses a uniformly random matrix $\mathbf{A} \xleftarrow{\$} \mathbb{Z}_q^{m \times n}$ and an error vector $\mathbf{e} \xleftarrow{\$} \chi^m$, and computes $\mathbf{b} \triangleq \mathbf{A}\mathbf{s}_0 + 2\mathbf{e} \in \mathbb{Z}_q^m$.

At this point, the private key is $sk = \mathbf{s}_L$, the public key is $pk = (\mathbf{A}, \mathbf{b})$, while $evk = \Psi$ (public) is required for homomorphically evaluating functions on ciphertexts. The key generation function $\mathrm{BV.KeyGen}(1^\kappa)$ thus takes as input the unary representation of the security parameter $\kappa$ and outputs the public key for encryption, the public key for homomorphic evaluation, and the private key for decryption.

5.3 Encryption

To encrypt a message $\mu \in \mathbb{Z}_2$, we choose a random vector $\mathbf{r} \xleftarrow{\$} \{0,1\}^m$ and, using the public key $pk = (\mathbf{A}, \mathbf{b})$, compute

$$\mathbf{v} \triangleq \mathbf{A}^T \mathbf{r} \in \mathbb{Z}_q^n, \qquad w \triangleq \mathbf{b}^T \mathbf{r} + \mu \in \mathbb{Z}_q.$$

The encryption of $\mu$ contains, in addition to the pair $(\mathbf{v}, w)$, a label that keeps track of the number of multiplications already performed. Consequently, for a fresh encryption the label equals 0.

Formally, the encryption algorithm $\mathrm{BV.Enc}_{pk}(\mu)$ takes as input a message $\mu \in \mathbb{Z}_2$ and returns the ciphertext $c \triangleq ((\mathbf{v}, w), 0)$.

5.4 Homomorphic evaluation of functions

Let $f : \mathbb{Z}_2^t \to \mathbb{Z}_2$. Suppose $f$ is represented by a binary arithmetic circuit with "+" gates and "$\times$" gates. The "+" gates may have an arbitrary number of inputs, while the "$\times$" gates have exactly two inputs. Furthermore, we require the circuit to be "layered," in the sense that it is composed of homogeneous levels consisting either only of addition gates or only of multiplication gates (every arithmetic circuit can be written in this form). Finally, we require that the multiplicative depth of the circuit, i.e., the total number of "$\times$" layers, be exactly $L$. The function is evaluated homomorphically gate by gate, so it suffices to analyze two cases: the addition of any number of ciphertexts and the multiplication of two ciphertexts.

During the evaluation of the function, the ciphertexts have the form $c = ((\mathbf{v}, w), \ell)$, where $\ell$ is a label indicating the number of multiplications already performed. The requirement that the circuit be layered ensures that, at each level, the inputs of each gate carry the same label. Finally, we verify each time that the output $c = ((\mathbf{v}, w), \ell)$ of any gate satisfies the condition

$$(1)\qquad w - \langle \mathbf{v}, \mathbf{s}_\ell \rangle = \mu + 2e \pmod q,$$

where $\mu$ is the plaintext corresponding to the output of the gate, and $e$ is an error (also called noise) that depends on the inputs of the gate. This condition is what the decryption phase relies on.

Homomorphic addition takes as input a number of ciphertexts $c_1, \dots, c_t$, with $c_i = ((\mathbf{v}_i, w_i), \ell)$, and returns

$$c_{\mathrm{add}} = ((\mathbf{v}_{\mathrm{add}}, w_{\mathrm{add}}), \ell) \triangleq \Big(\Big(\sum_i \mathbf{v}_i, \sum_i w_i\Big), \ell\Big).$$

We observe that:

$$w_{\mathrm{add}} - \langle \mathbf{v}_{\mathrm{add}}, \mathbf{s}_\ell \rangle = \sum_i \big(w_i - \langle \mathbf{v}_i, \mathbf{s}_\ell \rangle\big) = \sum_i (\mu_i + 2e_i) = \sum_i \mu_i + 2\sum_i e_i,$$

where $\mu_i$ is the plaintext corresponding to $c_i$; i.e., the sum of the ciphertexts is an encryption of the sum of the plaintexts, with noise equal to the sum of the noises.

We now show how the multiplication of two ciphertexts $c = ((\mathbf{v}, w), \ell)$ and $c' = ((\mathbf{v}', w'), \ell)$ yields a ciphertext $c_{\mathrm{mult}} = ((\mathbf{v}_{\mathrm{mult}}, w_{\mathrm{mult}}), \ell + 1)$.

Consider the polynomial

$$\phi(\mathbf{x}) = \phi_{c,c'}(\mathbf{x}) = \big(w - \langle \mathbf{v}, \mathbf{x}\rangle\big)\big(w' - \langle \mathbf{v}', \mathbf{x}\rangle\big)$$

in the variables $\mathbf{x} = (\mathbf{x}[1], \dots, \mathbf{x}[n])$. Being a quadratic polynomial, it can be rewritten (with $\mathbf{x}[0] \triangleq 1$) as

$$\phi(\mathbf{x}) = \sum_{0 \le i \le j \le n} h_{i,j}\, \mathbf{x}[i]\, \mathbf{x}[j].$$

Now consider the binary representation of the coefficients $h_{i,j}$, denoting by $h_{i,j,\tau}$ the $\tau$th bit, i.e.,

$$h_{i,j} = \sum_{\tau = 0}^{\lfloor \log q \rfloor} h_{i,j,\tau}\, 2^{\tau}.$$

Then

$$\phi(\mathbf{x}) = \sum_{0 \le i \le j \le n}\ \sum_{\tau \in \{0, \dots, \lfloor \log q \rfloor\}} h_{i,j,\tau}\,\big(2^{\tau}\, \mathbf{x}[i]\, \mathbf{x}[j]\big).$$

Now, recalling that the evaluation key $evk = \Psi$ consists of pairs $\psi_{\ell,i,j,\tau} = (\mathbf{a}_{\ell,i,j,\tau}, b_{\ell,i,j,\tau})$ such that

$$2^{\tau}\, \mathbf{s}_\ell[i]\, \mathbf{s}_\ell[j] \approx b_{\ell+1,i,j,\tau} - \langle \mathbf{a}_{\ell+1,i,j,\tau}, \mathbf{s}_{\ell+1} \rangle$$

up to an error $2e_{\ell+1,i,j,\tau}$, the homomorphic multiplication of $c$ and $c'$ consists in computing

$$\mathbf{v}_{\mathrm{mult}} \triangleq \sum_{0 \le i \le j \le n}\ \sum_{\tau} h_{i,j,\tau}\, \mathbf{a}_{\ell+1,i,j,\tau}, \qquad w_{\mathrm{mult}} \triangleq \sum_{0 \le i \le j \le n}\ \sum_{\tau} h_{i,j,\tau}\, b_{\ell+1,i,j,\tau},$$

and setting $c_{\mathrm{mult}} \triangleq ((\mathbf{v}_{\mathrm{mult}}, w_{\mathrm{mult}}), \ell + 1)$. Property (1) still holds for $c_{\mathrm{mult}}$ with respect to the key $\mathbf{s}_{\ell+1}$: indeed,

$$w_{\mathrm{mult}} - \langle \mathbf{v}_{\mathrm{mult}}, \mathbf{s}_{\ell+1}\rangle = \phi(\mathbf{s}_\ell) + 2\sum_{i,j,\tau} h_{i,j,\tau}\, e_{\ell+1,i,j,\tau} = (\mu + 2e)(\mu' + 2e') + 2\sum_{i,j,\tau} h_{i,j,\tau}\, e_{\ell+1,i,j,\tau} \pmod q,$$

whose reduction modulo 2 is $\mu\mu'$. The noise of the new ciphertext thus depends both on the noises of $c$ and $c'$ and on the errors in the evaluation key; the bit decomposition is what keeps the latter contribution small, since each $h_{i,j,\tau}$ is 0 or 1.

5.4.1 Decryption

Suppose the multiplicative depth of the circuit is $L$. It is then only necessary to decrypt ciphertexts of the form $c = ((\mathbf{v}, w), L)$. To do so, it suffices to compute

$$\big((w - \langle \mathbf{v}, \mathbf{s}_L \rangle) \bmod q\big) \bmod 2,$$

where $x \bmod q$ denotes the representative of $x$ in $(-q/2, q/2]$, since, by (1),

$$(w - \langle \mathbf{v}, \mathbf{s}_L \rangle) \bmod q = (\mu + 2e) \bmod q \overset{|e| \ll q}{=} \mu + 2e,$$

whose reduction modulo 2 is $\mu$. Consequently, decryption requires the error $e$ to be small compared to $q$ (more precisely, $|\mu + 2e| < q/2$). In the study by Brakerski and Vaikuntanathan [9], the growth of the errors during the various stages of the algorithm is analyzed, and it is shown that, under reasonable assumptions, it is possible to achieve a multiplicative depth $L$ on the order of $\varepsilon \log n$ with $\varepsilon < 1$.
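The whole pipeline of Section 5 (key generation with the evaluation key $\Psi$, encryption, layered addition, relinearized multiplication through the bit decomposition of $\phi$, and decryption with the centred modulus) as an added Python example, not the authors' code. The parameters $n = 4$, $m = 24$, $q = 2^{20} + 7$, $L = 1$ and the error distribution uniform on $\{-1, 0, 1\}$ are toy assumptions chosen so that the bound $|\mu + 2e| < q/2$ visibly holds after one multiplication; they give no security. Decryption is written for any level $\ell$ with $\mathbf{s}_\ell$, the case $\ell = L$ being the one the section uses.

```python
"""Toy instance of the BV scheme of Section 5 (Brakerski-Vaikuntanathan, 2011).
Added example, not the authors' code.  Dimension n, sample count m and the
error distribution chi are far too small to be secure; they are chosen so the
noise bound of Section 5.4.1 visibly holds for one level of multiplication."""
import random

N = 4                   # LWE dimension n (toy)
M = 24                  # number of public-key samples m
Q = 2**20 + 7           # odd modulus q
L = 1                   # multiplicative depth: secret keys s_0 .. s_L
NBITS = Q.bit_length()  # tau ranges over 0 .. floor(log q), i.e. NBITS values


def noise(rng):
    """chi: uniform on {-1, 0, 1} (toy choice)."""
    return rng.randrange(-1, 2)


def centered(x):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x


def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % Q


def keygen(rng):
    """Returns pk = (A, b), evk = Psi, and the list s_0..s_L (sk = s_L)."""
    s = [[rng.randrange(Q) for _ in range(N)] for _ in range(L + 1)]
    evk = {}
    for l in range(1, L + 1):
        prev = [1] + s[l - 1]                       # s_{l-1}[0] = 1 by convention
        for i in range(N + 1):
            for j in range(i, N + 1):
                for tau in range(NBITS):
                    a = [rng.randrange(Q) for _ in range(N)]
                    b_val = (dot(a, s[l]) + 2 * noise(rng) + (1 << tau) * prev[i] * prev[j]) % Q
                    evk[(l, i, j, tau)] = (a, b_val)  # encrypts 2^tau s_{l-1}[i] s_{l-1}[j] under s_l
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    b = [(dot(row, s[0]) + 2 * noise(rng)) % Q for row in A]
    return (A, b), evk, s


def encrypt(pk, mu, rng):
    A, b = pk
    r = [rng.randrange(2) for _ in range(M)]
    v = [sum(r[k] * A[k][i] for k in range(M)) % Q for i in range(N)]   # A^T r
    w = (sum(r[k] * b[k] for k in range(M)) + mu) % Q                  # b^T r + mu
    return (v, w, 0)                                                  # label 0


def add(*cts):
    level = cts[0][2]
    assert all(c[2] == level for c in cts), "layered circuit: inputs share a label"
    v = [sum(c[0][i] for c in cts) % Q for i in range(N)]
    w = sum(c[1] for c in cts) % Q
    return (v, w, level)


def mult(evk, c1, c2):
    """Relinearised product: bit-decompose the coefficients h_{i,j} of phi(x)
    and pay each set bit with the level-(l+1) evaluation key."""
    (v1, w1, l), (v2, w2, l2) = c1, c2
    assert l == l2 < L
    u1 = [w1] + [(-x) % Q for x in v1]          # w - <v, x> as a linear form in x[0]=1, x[1..n]
    u2 = [w2] + [(-x) % Q for x in v2]
    v_out, w_out = [0] * N, 0
    for i in range(N + 1):
        for j in range(i, N + 1):
            h = u1[i] * u2[j] if i == j else u1[i] * u2[j] + u1[j] * u2[i]
            h %= Q                                  # coefficient h_{i,j} of x[i]x[j] in phi(x)
            for tau in range(NBITS):
                if (h >> tau) & 1:                  # h_{i,j,tau} = 1
                    a, b_val = evk[(l + 1, i, j, tau)]
                    v_out = [(x + y) % Q for x, y in zip(v_out, a)]
                    w_out = (w_out + b_val) % Q
    return (v_out, w_out, l + 1)


def decrypt(s, ct):
    """((w - <v, s_l>) mod q) mod 2 with the centred representative; valid while |mu + 2e| < q/2."""
    v, w, level = ct
    return centered(w - dot(v, s[level])) % 2


def noise_of(s, ct):
    """The even term 2e hidden in the ciphertext, for inspection."""
    v, w, level = ct
    return centered(w - dot(v, s[level])) - decrypt(s, ct)
```

With these sizes a fresh ciphertext carries $|2e| \le 2m = 48$, and a product carries at most $49^2 + 2 \cdot 315 \approx 3 \cdot 10^3$ (the second term is the evaluation-key contribution: at most $15 \cdot 21$ set bits, each adding one error of size 1), far below $q/2 \approx 5 \cdot 10^5$; `noise_of` lets the reader watch the two contributions.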

6 Schemes based on RLWE

One of the most important algorithms that managed to adapt the Brakerski and Vaikuntanathan scheme and bring it into the context of the RLWE problem was described by Fan and Vercauteren in [11]. In this way, it was possible to obtain an SWHE scheme with a smaller key space compared to BV and faster computations. Since this scheme is essentially an adaptation of the BV algorithm, we will not provide the explicit details of the individual phases, but we will only describe the new setting in which it operates.

The mathematical environment in which Fan and Vercauteren define their scheme is the polynomial ring $R = \mathbb{Z}[x]/(f(x))$, where $f(x) \in \mathbb{Z}[x]$ is a monic irreducible polynomial of degree $d$. Usually, $f(x)$ is the minimal polynomial of a primitive $m$th root of unity, namely a cyclotomic polynomial $\Phi_m(x)$. The most common choice is $f(x) = x^d + 1$ with $d = 2^n$.

Let $q > 1$ be an integer, and let $\mathbb{Z}_q$ denote the set of integers in the interval $(-q/2, q/2]$ (a set of representatives, not to be confused with the ring $\mathbb{Z}/q\mathbb{Z}$). Consider the set $R_q$ of polynomials in $R$ with coefficients in $\mathbb{Z}_q$. All arithmetic of the FV scheme takes place in the ring $R$ and the set $R_q$. Given $a \in \mathbb{Z}$, denote by $[a]_q$ the unique integer in $\mathbb{Z}_q$ such that $[a]_q \equiv a \pmod q$. Similarly, if $a \in R$, let $[a]_q$ be the element of $R$ obtained by applying $[\cdot]_q$ to all its coefficients.

As in the scheme of Brakerski and Vaikuntanathan, to define the RLWE problem, it is necessary to consider a distribution over R . The basic idea is to use the Gaussian distribution over integers to define a distribution over R . The most natural approach to do this is simply to select polynomials in R by choosing coefficients according to the Gaussian distribution. This approach is not applicable in the general case, but it works if f ( x ) = x d + 1 with d = 2 n . The RLWE problem, in its decisional version, can then be stated as follows.

Definition 1

Let $f(x)$ be a cyclotomic polynomial $\Phi_m(x)$ of degree $\varphi(m)$. Let also $R = \mathbb{Z}[x]/(f(x))$ and $q \ge 2$. Given $s \in R_q$ random and a distribution $\chi$ over $R$, let $A^{(q)}_{s,\chi}$ be the distribution obtained by choosing $a \in R_q$ uniformly and an error term $e \leftarrow \chi$, and outputting the pair $(a, [a s + e]_q)$. The decisional RLWE problem is then to distinguish the distribution $A^{(q)}_{s,\chi}$ from the uniform distribution on $R_q \times R_q$.

Approximate SVP on ideal lattices reduces (via a quantum algorithm) to RLWE, so an efficient RLWE solver would yield an efficient quantum algorithm for approximate SVP on ideal lattices. Moreover, $s \in R_q$ may be chosen according to the distribution $\chi$ rather than uniformly, without compromising security. Finally, it has been shown that the hardness of the problem does not depend on the exact form of $q$, which can therefore be chosen simply as a power of 2.

Another significant step toward a practical SWHE scheme is the BGV scheme (Brakerski-Gentry-Vaikuntanathan), introduced in [12]. This scheme, like FV, bases its security on the RLWE problem, but unlike its predecessors it significantly improves performance thanks to a noise management technique called "modulus switching." The setting from which Brakerski et al. start is the same as that of the FV scheme. As seen, in order to decrypt a ciphertext encrypted with the BV scheme (or equivalently with the FV scheme), the noise accumulated during homomorphic operations must stay below $q/2$. Furthermore, the sum of two ciphertexts with noise at most $B$ results in a ciphertext whose noise is at most $2B$, while the product of the same ciphertexts has noise of the order of $B^2$. By iteratively applying modulus switching, the BGV scheme keeps the noise level essentially constant, at the price of shrinking the modulus ($q$ in the previous notation) and therefore gradually consuming the remaining homomorphic capacity of the system. The essence of modulus switching is captured by the following lemma; the notation is as before.

Lemma 1

Let $p$ and $q$ be two odd natural numbers and $\mathbf{c}$ a vector of integers. Let $\mathbf{c}'$ be the vector of integers closest (with respect to a fixed norm) to $(p/q)\,\mathbf{c}$ such that $\mathbf{c}' \equiv \mathbf{c} \pmod 2$. Then, for any $\mathbf{s}$ such that $\big|[\langle \mathbf{c}, \mathbf{s} \rangle]_q\big| < q/2 - (q/p)\,\ell_1(\mathbf{s})$, it holds that

$$[\langle \mathbf{c}', \mathbf{s} \rangle]_p = [\langle \mathbf{c}, \mathbf{s} \rangle]_q \pmod 2 \quad\text{and}\quad \big|[\langle \mathbf{c}', \mathbf{s} \rangle]_p\big| < (p/q)\,\big|[\langle \mathbf{c}, \mathbf{s} \rangle]_q\big| + \ell_1(\mathbf{s}),$$

where $\ell_1(\mathbf{s})$ is the $\ell_1$ norm of $\mathbf{s}$.

In short, this lemma ensures that a user who does not know the secret key $\mathbf{s}$, but knows a bound on its norm, can transform a ciphertext $\mathbf{c}$ modulo $q$ into a different ciphertext $\mathbf{c}'$ modulo $p$ while preserving the correctness of the scheme, i.e., $[\langle \mathbf{c}', \mathbf{s} \rangle]_p = [\langle \mathbf{c}, \mathbf{s} \rangle]_q \pmod 2$. The transformation simply scales by a factor $p/q$ and rounds appropriately (to the nearest integer of the right parity). Furthermore, if the norm of $\mathbf{s}$ is small enough and $p$ is sufficiently smaller than $q$, the absolute noise in the ciphertext decreases by roughly the factor $p/q$ (it is the noise-to-modulus ratio that stays essentially unchanged). With this technique a user can control the noise during the execution of the scheme without knowing the secret key; modulus switching itself needs no public evaluation key, unlike the relinearization step of the BV scheme (BGV still uses a public key-switching key after each multiplication).
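Lemma 1 carried out on a concrete LWE-style ciphertext, as an added Python example rather than code from the BGV authors: the ciphertext layout ($\mathbf{s}[0] = 1$ and the body in $\mathbf{c}[0]$, so that $\langle \mathbf{c}, \mathbf{s} \rangle = \mu + 2e \pmod q$), the moduli $q = 2^{30} + 3$, $p = 2^{15} + 3$ and the noise size between $2^{19}$ and $2^{20}$ are assumptions. The example checks the lemma's hypothesis, switches from $q$ to $p$ with parity-preserving rounding, and verifies both conclusions: the parity (hence the plaintext) is preserved and the noise shrinks to about $(p/q)$ times its size plus $\ell_1(\mathbf{s})$.

```python
"""Modulus switching as in Lemma 1, on an LWE-style ciphertext c with
<c, s> = mu + 2e (mod q).  Added example, not the BGV authors' code; the
ciphertext layout (s[0] = 1, body in c[0]) and the moduli are assumptions."""
from fractions import Fraction
import random


def centered(x, q):
    """Representative [x]_q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def inner_mod(c, s, q):
    """[<c, s>]_q."""
    return centered(sum(ci * si for ci, si in zip(c, s)), q)


def l1(s):
    return sum(abs(x) for x in s)


def scale_with_parity(ci, q, p):
    """Integer nearest to (p/q)*ci among those congruent to ci mod 2
    (always within distance 1 of (p/q)*ci)."""
    x = Fraction(p * ci, q)
    r = round(x)                      # nearest integer, exact rational arithmetic
    if r % 2 != ci % 2:               # wrong parity: step to the nearer neighbour of right parity
        lo, hi = r - 1, r + 1
        r = lo if abs(lo - x) <= abs(hi - x) else hi
    return r


def mod_switch(c, q, p):
    """c' = closest vector to (p/q) c with c' = c (mod 2)."""
    return [scale_with_parity(ci, q, p) for ci in c]


def encrypt(s, mu, e, q, rng):
    """Symmetric LWE-style ciphertext c = (c0, a) with c0 = mu + 2e - <a, s[1:]> (mod q),
    so that <c, s> = mu + 2e (mod q) because s[0] = 1."""
    a = [rng.randrange(q) for _ in range(len(s) - 1)]
    c0 = mu + 2 * e - sum(ai * si for ai, si in zip(a, s[1:]))
    return [centered(c0, q)] + [centered(ai, q) for ai in a]


def switch_and_report(seed=0, q=2**30 + 3, p=2**15 + 3, n=8):
    """Switch one ciphertext from q to p; returns (noise_before, noise_after, lemma_bound)."""
    rng = random.Random(seed)
    s = [1] + [rng.choice((-1, 0, 1)) for _ in range(n)]           # small secret, s[0] = 1
    mu, e = 1, rng.randrange(2**19, 2**20)                           # large but still decryptable noise
    c = encrypt(s, mu, e, q, rng)
    before = inner_mod(c, s, q)                                      # = mu + 2e, no wrap-around
    assert abs(before) < Fraction(q, 2) - Fraction(q, p) * l1(s)     # hypothesis of Lemma 1
    after = inner_mod(mod_switch(c, q, p), s, p)
    bound = Fraction(p, q) * abs(before) + l1(s)
    assert after % 2 == before % 2 == mu                             # parity, hence the plaintext, survives
    assert abs(after) < bound                                        # and the noise shrank by about p/q
    return before, after, bound
```

The switched ciphertext is no longer valid modulo $q$; it must be used (added, multiplied, decrypted) modulo $p$ from then on, which is the "sacrifice of modulus size" described above.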

7 CKKS scheme

All the SWHE schemes seen so far are built to naturally support arithmetic on integers or bits. However, since various applications, such as machine learning, need to operate on real or complex numbers, a scheme is needed that can homomorphically handle approximate data. It is worth noting that even the FV and BGV schemes described previously are capable of evaluating homomorphic operations on real numbers, but this requires the introduction of sophisticated and often inefficient encoding procedures. The CKKS algorithm, introduced in [14], is instead an SWHE algorithm specifically designed for this type of data and is considered the most efficient SWHE algorithm for applications involving it.

From a formal point of view, the operation of CKKS has many similarities with other RLWE-based schemes, especially with BGV. However, in terms of security, there is an important difference between CKKS and BGV. Li and Micciancio [15] exhibited an attack against CKKS that exploits its decryption function: the approximate decryption results leak the noise of the ciphertext, which in turn removes the hardness of the underlying RLWE instance. In the simplest case, through a straightforward algebraic manipulation, this attack recovers the secret key from a single decrypted ciphertext. Both FV and BGV, whose decryption is exact, are immune to it. In response to this vulnerability, Li and Micciancio [15] proposed modifying the decryption function of CKKS so that it adds extra noise to its output, so that the decryption results no longer weaken the underlying RLWE problem.

8 NTRU-based schemes

NTRU-Encrypt is a cryptosystem proposed by Hoffstein et al. [16] in 1998, and is one of the first attempts at lattice-based cryptography. Compared to the RSA and GGH (Goldreich-Goldwasser-Halevi) cryptosystems, NTRU is more efficient both in hardware and in software implementations. However, for 15 years, until the work of Stehlé and Steinfeld [17], there were doubts about its actual security. In that work, the authors succeeded, by introducing modifications to the original algorithm, in reducing the security of NTRU to the RLWE problem. This significantly increased researchers' interest in the scheme. Furthermore, in 2012, both López-Alt et al. and Gentry independently observed that the NTRU scheme naturally possesses homomorphic properties. In particular, in [13], López-Alt et al. propose modifications to the classic NTRU algorithm to obtain an SWHE scheme. The mathematical environment in which this scheme operates is the same as that of the FV and BGV schemes. Let $R = \mathbb{Z}[x]/(x^d + 1)$, where $d$ is a power of 2, let $q$ be an odd prime, and let $\chi$ be a "$B$-bounded" distribution over $R$, i.e., the coefficients of the polynomials sampled from $\chi$ have absolute value less than $B$, where $B$ is small compared to $q$. Let $\mathbb{Z}_q$ be the set of integers in the interval $(-q/2, q/2]$ and $R_q$ the set of polynomials in $R$ with coefficients in $\mathbb{Z}_q$. As before, given a polynomial $a \in R$, $[a]_q$ denotes the element of $R$ obtained by applying the reduction $[\cdot]_q$ to all its coefficients.

For key generation, the algorithm samples two polynomials $f'$ and $g$ from the distribution $\chi$ and sets $f \triangleq 2f' + 1$, so that $f \equiv 1 \pmod 2$. Let $f^{-1}$ be the inverse of $f$ in $R_q$ (if $f$ is not invertible in $R_q$, $f'$ is resampled). The public key of the scheme is the polynomial $h \triangleq [2 g f^{-1}]_q \in R_q$, while the private key is $f$. To encrypt a message $m \in \mathbb{Z}_2$, two polynomials $s$ and $e$ are sampled from $\chi$ and one computes

$$c \triangleq E(m) = [h s + 2e + m]_q \in R_q.$$

To decrypt the ciphertext $c$ using the secret key $f$, it suffices to compute $[f c]_q \pmod 2$. In fact,

$$[f c]_q = [f h s + 2 f e + f m]_q = [2 g s + 2 f e + f m]_q.$$

If we now assume that $[2 g s + 2 f e + f m]_q = 2 g s + 2 f e + f m$ (i.e., no coefficient wraps around modulo $q$), then

$$[f c]_q \pmod 2 = 2 g s + 2 f e + f m \pmod 2 = f m \pmod 2 = m.$$

By choosing the parameters appropriately, it is possible to ensure that decryption actually works (i.e., that no reduction modulo $q$ takes place in the computation of $f c$). As is easy to observe, this scheme possesses homomorphic properties. However, with each operation on the ciphertexts the error increases (especially in the case of multiplications), thus imposing a limit on the depth of the circuit that can be evaluated.

The scheme proposed by López-Alt et al. also represents a new type of SWHE, called "multikey SWHE," as it is able to evaluate functions on ciphertexts encrypted under different and independent keys. In other words, each user can encrypt data with their own public key, and a third party can perform operations homomorphically on all these data. The only interaction required among the users is the sharing of a common secret key, which depends on all the individual secret keys and is then used to decrypt the result. Suppose, for example, that two users encrypt two messages $m_1, m_2$ using their own public keys $h_i \triangleq [2 g_i f_i^{-1}]_q$, obtaining the two ciphertexts

$$c_i = E_i(m_i) = [h_i s_i + 2 e_i + m_i]_q, \qquad i = 1, 2.$$

Let $f_{1,2} \triangleq f_1 f_2$ be the common secret key of the two users. It is then possible to decrypt the two ciphertexts $c_1 + c_2$ and $c_1 c_2$ using the key $f_{1,2}$ by computing

$$[f_{1,2}(c_1 + c_2)]_q = [2 f_1 f_2 e_1 + 2 f_1 f_2 e_2 + 2 f_2 g_1 s_1 + 2 f_1 g_2 s_2 + f_1 f_2 (m_1 + m_2)]_q$$

and

$$[f_{1,2}\, c_1 c_2]_q = [4 g_1 g_2 s_1 s_2 + 2 g_1 s_1 f_2 (2 e_2 + m_2) + 2 g_2 s_2 f_1 (2 e_1 + m_1) + 2 f_1 f_2 (e_1 m_2 + e_2 m_1 + 2 e_1 e_2) + f_1 f_2\, m_1 m_2]_q.$$

Therefore, since $f_1 \equiv f_2 \equiv 1 \pmod 2$, assuming that the error in these two ciphertexts has not exceeded the threshold $q/2$, we have

$$[f_{1,2}(c_1 + c_2)]_q \pmod 2 = m_1 + m_2$$

and

$$[f_{1,2}(c_1 c_2)]_q \pmod 2 = m_1 m_2.$$

Obviously, in this case too, the error in the ciphertexts increases with each operation, and therefore correctness of decryption holds only for a limited number of operations. What López-Alt et al. show in [13] is that the scheme can correctly evaluate circuits of depth approximately $\varepsilon \log n$, with $q = 2^{n^{\varepsilon}}$ and $B$ polynomial in $n$ (here $n$ denotes the ring dimension, called $d$ above).
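The single-key and two-key computations of this section as an added Python example, not the authors' code. It implements arithmetic in $R_q = \mathbb{Z}_q[x]/(x^d + 1)$, the inversion of $f$ by the extended Euclidean algorithm (with resampling of $f'$ when $f$ is not a unit), encryption, decryption with the centred reduction $[\cdot]_q$, and the multikey decryption of $c_1 + c_2$ and $c_1 c_2$ under $f_{1,2} = f_1 f_2$. The parameters $d = 16$, $q = 2^{31} - 1$ and $\chi$ uniform on $\{-2, \dots, 2\}$ are toy assumptions with no security; they are small enough that the noise terms in the two expansions above stay far below $q/2$.

```python
"""Toy instance of the NTRU-based scheme of Section 8 (López-Alt, Tromer and
Vaikuntanathan) in R_q = Z_q[x]/(x^D + 1), including two-party multikey
decryption with f_{1,2} = f_1 f_2.  Added example, not the authors' code;
D = 16, Q = 2^31 - 1 and the chi = uniform{-B..B} sampler are toy choices."""
import random

D, Q, B = 16, 2**31 - 1, 2    # ring degree (power of 2), odd prime modulus, bound of chi


def trim(a):
    """Drop leading zero coefficients (coefficient lists are low-degree first)."""
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a


def fold(a):
    """Reduce any coefficient list modulo x^D + 1 and Q; length D, entries in [0, Q)."""
    out = [0] * D
    for k, x in enumerate(a):
        out[k % D] = (out[k % D] + (-x if (k // D) % 2 else x)) % Q
    return out


def rmul(a, b):
    """Product in R_q."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return fold(out)


def radd(a, b):
    """Sum in R_q."""
    return [(x + y) % Q for x, y in zip(fold(a), fold(b))]


def pmul(a, b):
    """Plain product in Z_Q[x] (no reduction modulo x^D + 1)."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % Q
    return trim(out)


def pdivmod(a, b):
    """Long division in Z_Q[x]; Q is prime, so the leading coefficient of b is invertible."""
    a, b = [x % Q for x in a], trim([x % Q for x in b])
    inv = pow(b[-1], -1, Q)
    quo = [0] * max(1, len(a) - len(b) + 1)
    for i in range(len(a) - len(b), -1, -1):
        coef = a[i + len(b) - 1] * inv % Q
        quo[i] = coef
        for j, y in enumerate(b):
            a[i + j] = (a[i + j] - coef * y) % Q
    return trim(quo), trim(a)


def inverse(f):
    """f^{-1} in R_q via the extended Euclidean algorithm, or None if f is not a unit."""
    r0, r1 = [1] + [0] * (D - 1) + [1], trim([x % Q for x in f])   # r0 = x^D + 1
    u0, u1 = [0], [1]                        # invariant: u_k * f = r_k  (mod x^D + 1)
    while r1 != [0]:
        quo, rem = pdivmod(r0, r1)
        prod = pmul(quo, u1)
        pad = max(len(u0), len(prod))
        u0, u1 = u1, trim([(x - y) % Q for x, y in zip(u0 + [0] * pad, prod + [0] * pad)])
        r0, r1 = r1, rem
    if len(r0) != 1:
        return None                          # gcd has positive degree: no inverse
    c = pow(r0[0], -1, Q)
    return fold([x * c % Q for x in u0])


def sample_chi(rng):
    return [rng.randrange(-B, B + 1) for _ in range(D)]


def keygen(rng):
    """Public h = [2 g f^{-1}]_q and secret f = 2f' + 1; f' is resampled until f is a unit."""
    while True:
        f = fold([2 * x + (1 if k == 0 else 0) for k, x in enumerate(sample_chi(rng))])
        finv = inverse(f)
        if finv is not None:
            break
    g = sample_chi(rng)
    return rmul(fold([2 * x for x in g]), finv), f


def encrypt(h, m, rng):
    """c = [h s + 2 e + m]_q with s, e <- chi and m a bit (constant polynomial)."""
    s, e = sample_chi(rng), sample_chi(rng)
    return radd(radd(rmul(h, fold(s)), fold([2 * x for x in e])), fold([m]))


def decrypt(f, c):
    """[f c]_q mod 2: centre each coefficient in (-Q/2, Q/2], then reduce mod 2.
    Works for any secret f = 1 (mod 2), including the multikey product f_1 f_2."""
    fc = [x - Q if x > Q // 2 else x for x in rmul(f, c)]
    bits = [x % 2 for x in fc]
    assert not any(bits[1:]), "noise overflow: decryption failed"
    return bits[0]
```

Because $f_1 f_2 \equiv 1 \pmod 2$, the same `decrypt` serves the multikey case with `rmul(f1, f2)` as the key; the assertion on the non-constant coefficients is a cheap detector of noise overflow, since those coefficients are even whenever no wrap-around modulo $q$ occurred.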

Despite the efficiency inherited from NTRU, and the multikey property, some limitations have prevented this scheme from prevailing over LWE-based ones. One issue with the scheme by López-Alt et al. is its starting assumptions, namely the hardness of the RLWE and DSPR (decisional small polynomial ratio) problems. While RLWE has been widely studied and is now considered standard, the DSPR hardness assumption is less reassuring. For this reason, several researchers have tried to modify the scheme to remove the dependence on DSPR, but these attempts reintroduced public evaluation keys and other complicated procedures, making the scheme inefficient. Keeping the DSPR assumption, seemingly usable versions of these schemes can be obtained. However, in 2016 Albrecht et al. [18] showed a lattice-based (subfield) attack on every NTRU-based SWHE scheme that relies on the DSPR assumption: when the modulus $q$ is large compared to the dimension $n$, the scheme is not secure. At the same time, increasing the depth of the evaluable circuits requires larger moduli, and consequently larger dimensions (to keep the system secure). This has made NTRU-based SWHE schemes non-competitive with other RLWE-based schemes. Research in this area is therefore trying to overcome this problem, for example by further reducing the growth of errors during circuit evaluation, so as to keep the ratio between modulus and dimension relatively low [19].

9 Somewhat homomorphic schemes based on integers

In 2010, 1 year after the famous Gentry scheme, van Dijk et al. [20] presented a new SWHE scheme whose security is based on the AGCD problem, namely, the problem of recovering an odd integer $p$, knowing a set of values $x_i = q_i p + r_i$. Consequently, the scheme is defined over integers, and one of its strengths is certainly its conceptual simplicity. The various phases of this scheme can be summarized as follows. Let $p$ be a sufficiently large prime number representing the secret key of the scheme. Given a message $m \in \mathbb{Z}_2$, choose a sufficiently large prime number $q$ and a number $r$ sufficiently small compared to $p$. Then $m$ can be encrypted as $c = E(m) = m + 2r + pq$. If $m + 2r < p/2$, the ciphertext can be decrypted simply by computing $m = (c \bmod p) \bmod 2$. Therefore, as in the previous schemes, the presence of an “error” term means that the number of performable homomorphic operations is not unlimited. The homomorphic properties of the scheme can be observed as follows. With respect to addition, it holds that

$$E(m_1) + E(m_2) = m_1 + 2r_1 + pq_1 + m_2 + 2r_2 + pq_2 = (m_1 + m_2) + 2(r_1 + r_2) + (q_1 + q_2)p.$$

Clearly, $E(m_1) + E(m_2)$ still belongs to the space of ciphertexts, and it can be decrypted if $(m_1 + m_2) + 2(r_1 + r_2) < p/2$. Since both $r_1$ and $r_2$ are relatively small compared to $p$, several additions on ciphertexts can be performed before the error exceeds the threshold of $p/2$.

With respect to multiplication, we can write

$$E(m_1)\,E(m_2) = (m_1 + 2r_1 + pq_1)(m_2 + 2r_2 + pq_2) = m_1 m_2 + 2(m_1 r_2 + m_2 r_1 + 2 r_1 r_2) + kp,$$

which will be decryptable if $m_1 m_2 + 2(m_1 r_2 + m_2 r_1 + 2 r_1 r_2) < p/2$. Performing a multiplication on ciphertexts, we observe that the error grows exponentially, greatly limiting the number of multiplications that can be performed.
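The scheme just described, as an added Python example that is not the paper's or the authors' code: a toy symmetric version with encryption, decryption, homomorphic addition and multiplication, plus a routine that squares a ciphertext repeatedly to show how many multiplicative levels survive before the noise crosses $p/2$. The key size, noise width and the choice of `q` are assumptions made for illustration only.

```python
"""Toy version of the symmetric van Dijk et al. scheme over the integers; an
added example, not the paper's code. Demo parameters are tiny and insecure."""
import secrets

def keygen(bits=64):
    # Secret key: a large odd p. The page takes p prime; decryption below
    # only needs p odd, so this toy draws a random odd integer of `bits` bits.
    return secrets.randbits(bits) | 1 | (1 << (bits - 1))

def encrypt(m, p, r, q):
    # c = m + 2r + pq with m in Z_2, r the small noise term and q large.
    if m not in (0, 1):
        raise ValueError("message must be a bit")
    return m + 2 * r + p * q

def encrypt_random(m, p, noise_bits=8, q_bits=128):
    # Fresh ciphertext: r is much smaller than p, q is a random multiplier.
    return encrypt(m, p, secrets.randbits(noise_bits), secrets.randbits(q_bits))

def noise(c, p):
    # The term m + 2r that decryption sees; it must stay below p/2.
    return c % p

def decrypt(c, p):
    # m = (c mod p) mod 2, correct only while noise(c, p) < p/2.
    return noise(c, p) % 2

def homomorphic_add(c1, c2):
    # Noise terms add: (m1 + m2) + 2(r1 + r2) + (q1 + q2)p.
    return c1 + c2

def homomorphic_mul(c1, c2):
    # Noise terms multiply: m1 m2 + 2(m1 r2 + m2 r1 + 2 r1 r2) + kp.
    return c1 * c2

def squarings_until_failure(p, noise_bits):
    # Square an encryption of 1 repeatedly (a multiplication tree of depth d):
    # the noise is squared at each level, so its bit length doubles. Returns
    # the number of squarings after which it first exceeds p/2. True noise is
    # tracked alongside c: once it passes p, c mod p no longer reveals it.
    r_worst = (1 << noise_bits) - 1      # largest fresh noise for noise_bits
    c = encrypt(1, p, r_worst, 3)        # fixed q; q plays no role in the noise
    true_noise = 1 + 2 * r_worst
    depth = 0
    while true_noise < p // 2:
        assert decrypt(c, p) == 1        # still correct below the bound
        c = homomorphic_mul(c, c)
        true_noise *= true_noise
        depth += 1
    return depth
```

With a 61-bit $p$ and 8-bit fresh noise, additions can be chained enormously many times, while the third squaring already pushes the noise past $p/2$.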

As mentioned, the scheme introduced by van Dijk et al. is extremely simple, but as observed, it is also inefficient. Over the years, several attempts have been made to improve the efficiency of this type of scheme; however, they have not yet reached a level that makes these algorithms applicable in practice.

Acknowledgements

This work was partially funded by the SERICS project (PE00000014) under the MUR National Recovery and Resilience Plan funded by the European Union-NextGenerationEU. The authors also thank the Italian National Group for Algebraic and Geometric Structures and their Applications (GNSAGA-INdAM), which supported the research.

  1. Funding information: Authors state no funding involved.

  2. Author contributions: All authors have accepted responsibility for the entire content of this manuscript and consented to its submission to the journal, reviewed all the results and approved the final version of the manuscript.

  3. Conflict of interest: The authors state no conflict of interest.

References

[1] Acar A, Aksu H, Uluagac AS, Conti M. A survey on homomorphic encryption schemes: Theory and implementation. ACM Comput Surv. 2018 Jul;51(4):Art. 79. 10.1145/3214303.

[2] Fellows M, Koblitz N. Combinatorial cryptosystems galore! In: Finite fields: theory, applications, and algorithms (Las Vegas, NV, 1993). vol. 168 of Contemporary Mathematics. American Mathematical Society, Providence, RI; 1994. p. 51–61. 10.1090/conm/168/01688.

[3] Levy-dit-Vehel F, Perret L. A Polly Cracker system based on satisfiability. In: Coding, cryptography and combinatorics. vol. 23 of Progr. Comput. Sci. Appl. Logic. Birkhäuser, Basel; 2004. p. 177–92. 10.1007/978-3-0348-7865-4_11.

[4] Ly LV. Polly two: a new algebraic polynomial-based public-key scheme. Appl Algebra Engrg Comm Comput. 2006;17(3–4):267–83. 10.1007/s00200-006-0010-0.

[5] Sander T, Young A, Yung M. Non-interactive cryptocomputing for NC1. In: 40th Annual Symposium on Foundations of Computer Science (New York, 1999). IEEE Computer Soc., Los Alamitos, CA; 1999. p. 554–66. 10.1109/SFFCS.1999.814630.

[6] Ishai Y, Paskin A. Evaluating branching programs on encrypted data. In: Theory of cryptography. vol. 4392 of Lecture Notes in Comput. Sci. Berlin: Springer; 2007. p. 575–94. 10.1007/978-3-540-70936-7_31.

[7] Aguilar Melchor C, Gaborit P, Herranz J. Additively homomorphic encryption with d-operand multiplications. In: Advances in cryptology-CRYPTO 2010. vol. 6223 of Lecture Notes in Comput. Sci. Berlin: Springer; 2010. p. 138–54. 10.1007/978-3-642-14623-7_8.

[8] Boneh D, Goh EJ, Nissim K. Evaluating 2-DNF formulas on ciphertexts. In: Theory of cryptography. vol. 3378 of Lecture Notes in Comput. Sci. Berlin: Springer; 2005. p. 325–41. 10.1007/978-3-540-30576-7_18.

[9] Brakerski Z, Vaikuntanathan V. Efficient fully homomorphic encryption from (standard) LWE. In: 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science; 2011. p. 97–106. 10.1109/FOCS.2011.12.

[10] Lyubashevsky V, Peikert C, Regev O. On ideal lattices and learning with errors over rings. J ACM. 2013;60(6):Art. 43, 35. 10.1145/2535925.

[11] Fan J, Vercauteren F. Somewhat practical fully homomorphic encryption; 2012. Cryptology ePrint Archive, Paper 2012/144. https://eprint.iacr.org/2012/144.

[12] Brakerski Z, Gentry C, Vaikuntanathan V. (Leveled) fully homomorphic encryption without bootstrapping. ACM Trans Comput Theory. 2014;6(3):Art. 13, 36. 10.1145/2633600.

[13] López-Alt A, Tromer E, Vaikuntanathan V. On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption. In: STOC’12-Proceedings of the 2012 ACM Symposium on Theory of Computing. New York: ACM; 2012. p. 1219–34. 10.1145/2213977.2214086.

[14] Cheon JH, Kim A, Kim M, Song Y. Homomorphic encryption for arithmetic of approximate numbers; 2016. Cryptology ePrint Archive, Paper 2016/421. https://eprint.iacr.org/2016/421.

[15] Li B, Micciancio D. On the security of homomorphic encryption on approximate numbers; 2020. Cryptology ePrint Archive, Paper 2020/1533. https://eprint.iacr.org/2020/1533.

[16] Hoffstein J, Pipher J, Silverman JH. NTRU: A ring-based public key cryptosystem. In: Buhler JP, editor. Algorithmic number theory. Berlin, Heidelberg: Springer Berlin Heidelberg; 1998. p. 267–88. 10.1007/BFb0054868.

[17] Stehlé D, Steinfeld R. Making NTRUEncrypt and NTRUSign as secure as standard worst-case problems over ideal lattices; 2013. Cryptology ePrint Archive, Paper 2013/004. https://eprint.iacr.org/2013/004.

[18] Albrecht M, Bai S, Ducas L. A subfield lattice attack on overstretched NTRU assumptions: Cryptanalysis of some FHE and graded encoding schemes; 2016. Cryptology ePrint Archive, Paper 2016/127. https://eprint.iacr.org/2016/127. 10.1007/978-3-662-53018-4_6.

[19] Kluczniak K. NTRU-ν-um: Secure fully homomorphic encryption from NTRU with small modulus; 2022. Cryptology ePrint Archive, Paper 2022/089. https://eprint.iacr.org/2022/089. 10.1145/3548606.3560700.

[20] van Dijk M, Gentry C, Halevi S, Vaikuntanathan V. Fully homomorphic encryption over the integers; 2009. Cryptology ePrint Archive, Paper 2009/616. https://eprint.iacr.org/2009/616.

Received: 2024-11-17
Accepted: 2025-01-13
Published Online: 2025-04-14

© 2025 the author(s), published by De Gruyter

This work is licensed under the Creative Commons Attribution 4.0 International License.
