An optimization scheme of partial total homomorphic encryption

In order to further improve the effectiveness of homomorphic cryptography, we optimize Lauter et al.'s partial homomorphic cryptography scheme and propose a new RLWE-based fully homomorphic encryption (FHE) scheme, which combines a series of existing techniques with the Chinese Remainder Theorem and merges several "plaintext slots" into a ciphertext for homomorphic computation. The extended key transformation technology and modulo transformation technology are used to reduce the noise of the ciphertext and enable it to carry out the next homomorphic operation. Compared with the original scheme, the security and effectiveness of the scheme were studied on the premise of ensuring CPA security, and the results showed that the performance of the scheme was improved by N times.


Introduction
With the rapid development of cloud computing, reliable and affordable access to large-scale shared computing resources is possible. However, such shared access poses huge privacy and security challenges. Therefore, new technologies are needed to guarantee the confidentiality of sensitive user data. One such technology, known as Fully Homomorphic Encryption (FHE) [1,2], enables cloud operators to perform extremely complex calculations on encrypted user data without decrypting it. The result of a calculation based on homomorphic encryption is itself encrypted and can only be decrypted by the data owner. This property makes it widely used in cloud security [3], cloud computing [4], encrypted databases, and ciphertext retrieval, among others. At present, the research on homomorphic cryptography has become one of the most active topics in cryptography theory.
Rivest et al. [5] first proposed the concept related to FHE in 1978; it took nearly 30 years, until 2009, for Gentry et al. to achieve a breakthrough by proposing a new FHE scheme based on the ideal lattice technique [6,7]. In 2010, Gentry et al. [8] made the first attempt to implement the Gentry scheme, which can extend the homomorphism of single-bit messages to multi-bit. In 2011, Smart et al. [9] used the Chinese Remainder Theorem (CRT) to achieve encryption of multi-bit plaintexts, and in 2011, Brakerski et al. [10] used key transformation techniques and modulus transformation techniques to achieve a hierarchical fully homomorphic cryptosystem without using homomorphic decryption techniques. In 2012, Gentry et al. [11] gave an in-depth discussion of this technique, which led to a significant improvement in the performance of the overall homomorphic encryption.
The scheme in this paper is based on the SWHE scheme of Kristin Lauter et al. [12]. In the original scheme, only one plaintext can be encrypted at a time, the corresponding plaintext size is added to the public key and private key, and the encryption session is time-consuming. In this paper, the packing of plaintexts is achieved according to the Chinese Remainder Theorem, combined with the SIMD technique of [9]; on this basis, a new optimization scheme for partial homomorphic encryption is introduced by using the extended key transformation technique and the mode transformation technique. By introducing new security parameters and a less computationally intensive ciphertext generation algorithm, this scheme is made easier to implement in hardware. This scheme is more intuitive and has a clearer structure; compared with the SWHE scheme, it can encrypt multiple plaintexts at the same time, which considerably improves its encryption efficiency.

Basic notations
If A denotes an algorithm, then x←A means that x is computed by algorithm A. If A denotes a set, then x←A means that x is chosen randomly from the set A. For any integer q, denote by $Z_q$ the integers in the interval between $-q/2$ and $q/2$, and for an integer x, let $[x]_q$ denote x (mod q) ∈ $Z_q$. Vectors are denoted in bold lowercase letters, such as the vector y, where $y_i$ denotes the i-th component of y. Undefined elements are polynomials in x, denoted by lowercase letters, such as f(x).

Cyclotomic polynomial
Definition 1 (Cyclotomic polynomial) [13]: Let m be a positive integer not divisible by p, where p is the characteristic of the cyclotomic field K, and let $\zeta_m$ be a primitive m-th root of unity over K; then the polynomial is called the m-th cyclotomic polynomial over K. The m-th cyclotomic field is obtained by adjoining the primitive root of unity to the rational number field Q.
The cyclotomic polynomial over a finite field has the following lemma.
Lemma 1 [13] (Cyclotomic polynomials over a finite field): Let $F_p$ be a finite field, m a positive integer, and (m,p)=1; then the cyclotomic polynomial $\Phi_m(x)$ over $F_p[x]$ can be decomposed into the product of $\varphi(m)/d$ distinct irreducible polynomials $n_i(x)$ of degree d, ; d is the smallest integer that satisfies $p^d \equiv 1 \pmod m$, so the minimal polynomial

Chinese remainder theorem
Definition 2 [14] (Chinese Remainder Theorem): Let $n_1,\dots,n_l$ be $l \ge 2$ pairwise coprime integers greater than 1. Let $N = n_1 n_2 \cdots n_l$; then the system of congruence equations.
From the above definition, the Chinese Remainder Theorem over the number field is extended to polynomial rings as follows.
Let $n_1(x),\dots,n_l(x)$ be $l \ge 2$ pairwise coprime polynomials such that $n(x) = n_1(x) n_2(x) \cdots n_l(x)$; then for any polynomials $r_1(x),\dots,r_l(x)$ there is $g(x) \in R[x]$ satisfying a system of congruence equations.
There is a unique solution 0 ( ) ( ) ( ) ( )(mod ( )) , where
The work in this paper is based on the algebraic structure , combining the Chinese Remainder Theorem with the following isomorphism.
  x n x  .Let L i be a "slot" point, the elements of R p are related to the l slots.This is done as follows.
We can define the mapping of Define the mapping of d l p to R p on the ciphertext domain as: ) .
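The slot isomorphism between $R_p$ and the $l$ plaintext slots, shown as an added example (not code from the paper). It is narrowed to the case d = 1, where every factor $n_i(x)$ is linear and reducing modulo $n_i(x)$ is evaluation at a root; the parameters m = 8, p = 17 and all function names are assumptions chosen for illustration.

```python
# Constructed toy parameters (assumptions, not from the paper): m = 8, p = 17.
# p = 1 (mod m), so d = 1 and Phi_8(x) = x^4 + 1 splits into l = 4 linear factors mod p.
P, M, N = 17, 8, 4          # plaintext modulus, cyclotomic index, n = phi(m)

def slot_points(p=P, m=M):
    """Roots of Phi_m(x) mod p: the primitive m-th roots of unity, one per slot."""
    return [r for r in range(1, p)
            if pow(r, m, p) == 1 and all(pow(r, k, p) != 1 for k in range(1, m))]

def poly_add(f, g, p=P):
    """Add in R_p = Z_p[x]/(x^n + 1)."""
    return [(a + b) % p for a, b in zip(f, g)]

def poly_mul(f, g, p=P, n=N):
    """Multiply in R_p = Z_p[x]/(x^n + 1), using x^n = -1 to fold high terms."""
    out = [0] * n
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            sign = -1 if i + j >= n else 1
            out[(i + j) % n] = (out[(i + j) % n] + sign * a * b) % p
    return out

def unpack(f, p=P):
    """Inverse CRT map: reduce f modulo each factor (x - r), i.e. evaluate f at r."""
    return [sum(c * pow(r, i, p) for i, c in enumerate(f)) % p for r in slot_points(p)]

def pack(slots, p=P, n=N):
    """CRT map: interpolate the unique f of degree < n with f(r_i) = slots[i]."""
    roots, f = slot_points(p), [0] * n
    for i, (r_i, v) in enumerate(zip(roots, slots)):
        basis, denom = [1], 1                      # basis = prod_{j != i} (x - r_j)
        for j, r_j in enumerate(roots):
            if j != i:
                basis = [(a - r_j * b) % p for a, b in zip([0] + basis, basis + [0])]
                denom = denom * (r_i - r_j) % p
        coeff = v * pow(denom, -1, p) % p          # modular inverse, Python 3.8+
        f = [(a + coeff * b) % p for a, b in zip(f, basis)]
    return f
```

One ring addition or multiplication on the packed polynomials acts on all four slots at once, which is the batching effect the scheme relies on.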

Discrete gaussian distribution
Definition 3 [15] The error distribution χ is a discrete Gaussian distribution, and a sample e drawn from the distribution χ corresponds to a polynomial. For a Gaussian distribution with standard deviation () e x R  , a randomly drawn vector x is bounded

Learning with errors over rings
Definition 4 (RLWE problem [12]): for a security parameter λ, let $(a_i,\ b_i = a_i s + e_i)$ over $R_q$; solve for s.

Optimization scheme for partial homomorphic encryption
In this paper, based on the SWHE scheme [12], we construct a homomorphic encryption scheme that supports batch processing by using the Chinese Remainder Theorem (CRT) to encapsulate multiple plaintexts. The scheme is constructed by combining the two techniques of key conversion and mode conversion, which can reduce the ciphertext expansion rate and improve the encryption efficiency.

Scheme structure
Let the security parameter of the scheme be λ and the number of circuit layers be L.
, where is a cyclotomic polynomial and the number of is d, where $\varphi(m) = n = dl = n(\lambda, L)$. Let the scheme have a total of L+1 prime moduli, $q_0 < q_1 < \dots < q_L$; correspondingly the circuit polynomial ring at the i-th level is and the discrete Gaussian distribution of the circuit at each level is X(λ,L). Choose a prime number t satisfying t<q,

2) Batch encryption algorithm: input public key pk and plaintext $(m_{i,0},\dots,m_{i,l-1}) \in \mathbb{F}_{p^d}^{l}$, where i=0,1,…,L. The encryption process is as follows.
Step1: Randomly select u and $e_i$, where i=0,1,…,L, both of which have the number of elements L. To encrypt the message m ∈ $R_p$.

4) Batch (expanded) key conversion algorithm:
After the above homomorphic multiplication, the elements of the original ciphertext expand from 2(L + 1) in two dimensions to 3(L + 1) in three dimensions, and the corresponding key also expands from (1, s) in two dimensions to $(1, s, s^2)$ in three dimensions, which decreases the decryption efficiency. Therefore, this section proposes an extended key transformation technique based on the key transformation technique of Brakerski et al. [10] combined with the batch homomorphic encryption scheme in this paper to reduce the ciphertext dimensionality.
Set   0, 0, s s s . Let KeySwitch($sk_1$, $sk_2$ ($c_0, c_1, c_2$)) be the extended key conversion algorithm, which converts the ciphertext to:  ct cc and the corresponding private key to , and the algorithm is as follows.

5) Mode conversion algorithms
After performing a ciphertext multiplication, the ciphertext is first reduced in dimension using the KeySwitch algorithm to move to the next layer of the circuit. After that, the ciphertext noise is again reduced by the mode-conversion algorithm. The algorithm is as follows:
Input: Scale(ct, $q_i$, $q_{i-1}$, t)
Step1: $ct' = [(q_{i-1}/q_i) \cdot ct]$;
Step2: $ct' \equiv ct \pmod t$;
Step3: Return $ct'$

6) Batch homomorphic algorithm:
Addition:
Step1: Let
Step2: If not in the same circuit layer, the two ciphertexts are brought into the same circuit layer by calling the algorithm Scale( , , , ) q q t    ct several times.
Multiplication:
Step1: If the operands of the multiplication are not in the same circuit layer, the mode-conversion algorithm is called to convert them to the same layer.
is the L+1-dimensional variable ring vector, and consider it as a quadratic polynomial vector about v. Take its coefficients as the ciphertext $ct_{mult}$ output by the ciphertext multiplication operation.
Step2: Call the algorithm KeySwitch , and similarly have , , , , , , Considering it as a quadratic polynomial vector with respect to $v_i$, the ciphertext output of the ciphertext multiplication operation is , ,
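A sketch of the Scale step from item 5), added here as an example and not taken from the paper. It works on scalar ciphertexts (ring degree 1) with a decryption rule of the form $c_0 + c_1 s = m + t e \pmod q$; that rule, the toy moduli (chosen so that $q_i \equiv q_{i-1} \equiv 1 \pmod t$, which the standard correctness argument for this rounding needs) and the helper names are assumptions.

```python
from fractions import Fraction

# Constructed toy values (assumptions): t = 5, q_i = 65521, q_{i-1} = 1021, both = 1 (mod t).
T, Q_I, Q_PREV = 5, 65521, 1021

def centered(x, q):
    """Representative of x mod q closest to zero."""
    r = x % q
    return r - q if r > q // 2 else r

def encrypt(m, s, a, e, q=Q_I, t=T):
    """Toy scalar encryption (assumed form): c0 + c1*s = m + t*e (mod q)."""
    return [(m + t * e - a * s) % q, a % q]

def noise(ct, s, q):
    """Centered value of c0 + c1*s mod q; equals m + t*e while it stays below q/2."""
    return centered(ct[0] + ct[1] * s, q)

def decrypt(ct, s, q, t=T):
    """Recover the plaintext as the noise term reduced mod t."""
    return noise(ct, s, q) % t

def scale(ct, q_i, q_prev, t):
    """Scale(ct, q_i, q_{i-1}, t), applied coefficient by coefficient."""
    out = []
    for c in ct:
        c = centered(c, q_i)
        r = round(Fraction(c * q_prev, q_i))   # Step 1: round (q_{i-1}/q_i) * c exactly
        out.append(r + centered(c - r, t))     # Step 2: nearest value with c' = c (mod t)
    return out                                 # Step 3: return ct'

def demo():
    """Scale one constructed ciphertext and report noise before and after."""
    s, m = 1, 3                                # constructed secret and plaintext
    ct = encrypt(m, s, a=12345, e=100)
    ct2 = scale(ct, Q_I, Q_PREV, T)
    return ct2, noise(ct, s, Q_I), noise(ct2, s, Q_PREV), decrypt(ct2, s, Q_PREV)
```

In the demo the noise term drops from 503 to 3 while its residue mod t, and therefore the plaintext, is unchanged.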

Correctness of the scheme
The correctness of the decryption of the above scheme is verified below, which is known from the encryption algorithm:  , then the correct decryption can be performed, and then the initial plaintext can be found by the Chinese residue theorem   ,0

Homomorphism of the scheme
Let ct and ct′ be ciphertexts of the above homomorphic encryption scheme that encrypt plaintexts m and m′, respectively, under the private key s; then decryption gives:
Since the noise is sufficiently less than p/2, the above equation can be decrypted correctly, so the scheme satisfies additive homomorphism.

Proof of security of the scheme
The security of the scheme in this paper is based on the RLWE problem, which is widely used in fully homomorphic cryptography because its public key scheme is more efficient. The security of the RLWE problem depends on three main parameters: the modulus q, the degree n of the polynomial $\Phi_m(x)$, and the standard deviation $\sigma$ of the discrete Gaussian distribution.
Then the encryption scheme  is IND-CPA secure.
Lemma 2 [16] Let pk ← Batch-Keygen(params); pk is consistently indistinguishable on R p (L+1)/2 under the $\mathrm{RLWE}_{n,q_i,\chi}$ assumption.
Theorem 1 The scheme is CPA-secure under the $\mathrm{DRLWE}_{n,q_i,\chi}$ problem.
Hybrid $H_L$: This hybrid differs from the former in that its arithmetic public key is taken from a uniform distribution. Suppose there exists an adversary $B_L$ that solves the $\mathrm{DRLWE}_{n,q_i,\chi}$ problem in time t + poly(λ), and with the advantage that
Following the $H_{L+1}$ to $H_L$ approach until $H_1$, the arithmetic public key generated as in the scheme is replaced, one by one, by a uniformly chosen element of $R_{q_L}$.
Hybrid $H_0$: In $H_0$, the public key component $b_i$ is uniformly selected in $R_{q_i}$. Under the $\mathrm{DRLWE}_{n,q_i,\chi}$ assumption, $H_1$ and $H_0$ are computationally indistinguishable; then the adversary $B_0$, who solves the problem in time t + poly(λ), has the advantage of
Adversary $B_0$ performs L+1 random samplings $b_i$ from the RLWE oracle as the public key (b, a). If the sample is taken from the distribution $A_{s,\chi}$, then $b_i$ is generated by the $H_1$ generation method; if the sample is taken from the uniform distribution, then $b_i$ is generated by the $H_0$ generation method.
Hybrid $H_{rand}$: This hybrid differs from $H_0$ in the ciphertext generation method: the ciphertext is taken from the uniform distribution on $R_{q_i} \times R_{q_i}$. Since $b_i$ is also taken from a uniform distribution, the ciphertext $(c_0, c_1)$ is indistinguishable from the uniform distribution on $R_{q_i}$; therefore we have
Since in $H_{rand}$ both the public key and the ciphertext are randomly and uniformly selected, independent of each other and of the plaintext information, . In summary, it is proved that the Batch.FHE scheme is IND-CPA secure.

Optimization scheme for partial homomorphic encryption
In this paper, we analyze the difficulty of the method according to the steps of Fan [17]. Let the security parameter: λ, the distinguishing advantage:, the modulus: q, the number of ring polynomials R: n, and the standard deviation of the discrete Gaussian distribution
Definition 10 [18] The Hermite factor $\delta$. Let an n-dimensional lattice be L and one of the lattice bases be B. If , where $b_i$ is the shortest vector in the lattice basis B, then $\delta$ is said to be the Hermite factor.
Theorem 2 [18] Given $\delta$, the time required to reduce a lattice basis with Hermite factor $\delta^m$ depends mainly on $\delta$.
Lindner and Peikert [19] used the optimized attack strategy to obtain a lattice basis with Hermite factor $\delta^m$. Given a Hermite factor $\delta$, the length of the shortest vector is
The scheme uses the mode-conversion technique to downscale the ciphertext, and the original scheme is used as the basis for noise optimization of the product ciphertext. Because the homomorphic scheme for single-bit encryption takes longer, this paper uses the Chinese Remainder Theorem to pack the plaintext, which increases the size of the ciphertext and of the public and private keys compared with the FV [17] scheme, but the amount of data processed in each batch is N times that of the FV method. The efficiency of this scheme is significantly improved. Compared with the SWHE [12] scheme, the public and private key sizes are increased by λ times and the number of plaintexts per processing is Nλ times the previous one, which improves the efficiency of encrypted transmission on the cloud.

Conclusion
At present, fully homomorphic encryption has extremely promising applications in big data and cloud computing environments. In this paper, based on [12], we propose an optimization method for partial homomorphic encryption schemes. The method adopts the Chinese Remainder Theorem (CRT) to pack multiple "plaintext slots" into one ciphertext, provides the results of homomorphic operations on compressed ciphertexts, and adopts two noise reduction techniques, so that the scheme can achieve multiple homomorphic operations; therefore, the efficiency of the encryption scheme is significantly improved compared with the original scheme.


be any m-th primitive root of unity over $F_p$ and is an explicit vector space, the mapping $\mathrm{CRT}_p$ is an isomorphic mapping from $\mathbb{F}_{p^d}^{l}$ to $R_p$, and $\mathrm{CRT}_p^{-1}$ is the inverse mapping from $R_p$ to $\mathbb{F}_{p^d}^{l}$.
https://doi.org/10.1051/shsconf/202316601025 SHS Web of Conferences 166, 01025 (2023), EIMM 2022
1) Batch key generation algorithm: randomly select L+1 ring elements $s_i$ ← X, randomly and uniformly select the ring elements $a_i$ ← $R_{q_i}$ and error noise e ← X, and set $b_i = a_i s_i + t e$, where i=0,1,…,L. Let $a = (a_0, a_1, \dots, a_L)$, $b = (b_0, b_1, \dots, b_L)$; set the public key pk = (b, a) and the private key sk = s = $(s_0, s_1, \dots, s_L)$.
be two ciphertexts and in the same circuit layer, homomorphic addition operation that is added by bit: above multiplication operation is explained as follows: Let

d≡(m),and 12
i (x) under mod p with each number d, satisfying1(mod ) d pm ,and with l• where d=d(λ) is a power of 2 and a positive integer q=q(λ)>=2.
$R_q = R/qR$ and let $\chi = \chi(\lambda)$ be a discrete Gaussian distribution over the ring R. Take the random uniform distribution on , ab is computationally indistinguishable;
Search-$\mathrm{RLWE}_{n,q,\chi}$ problem: The values of $a_i$, $b_i$ are known and for   2
Proof Let A be an IND-CPA adversary to the FHE scheme, and let $\mathrm{Adv}_H[A]$ denote the attack advantage in a series of hybrids as follows:
Hybrid $H_{L+1}$: This hybrid is the IND-CPA attack game of A against Batch.FHE; the adversary gets pk, evk generated by the Batch.Keygen algorithm and encrypts 0 and 1 using Batch.
If λ is the security parameter, let the distinguishing advantage be $\varepsilon = 2^{-64}$; taking the security parameter λ = 128 and attack time $T = 2^{128}$, one can calculate 3.758, 1.0052, can be computed by substituting , and the value of q, can be

Table 2. Comparison of schemes.