An Efficient BGV-type Encryption Scheme for IoT Systems

Abstract

Internet of Thing (IoT) systems usually have less storage and computing power than desktop systems. This paper proposes an efficient BGV-type homomorphic encryption scheme in order fit for secure computing on IoT system. Our scheme reduces the storage space for switch keys and ciphertext evaluation time comparing with previous BGV-type cryptosystems. Specifically, the switch key in homomorphic computations can be a constant but no longer one for each level. Moreover, the product of two ciphertexts can be at the same sublayer as them and the multiplication operations can be repeated between two sublayers. As a result, the multiplication times will not be limited by L in an L-level circuit and, thus, the ciphertext evaluation time will decrease significantly. We implement the scheme with the C language. The performance test shows that the efficiency of the improved scheme is better than Helib in same configurations.

1. Introduction

The Internet of Thing (IoT) systems have been widely used in people’s daily life [1,2]. In an IoT system, one can control his/her remote devices [3] to finish expected tasks. That requires the devices to have secure computing power [4]. Homomorphic encryption allows a device to perform arbitrary computations on encrypted data without user secret key. When compared with non-homomorphic encryptions, it removes the trust on the device and makes us ease to use the computing power of the device. Hence, homomorphic encryption has broad application prospects [5,6,7,8,9,10,11]. In a breakthrough work [12], Gentry demonstrated that fully homomorphic encryption was theoretically possible based on ideal lattices. In Gentry’s work, the ciphertext can be regarded as some “noise” attached to the plaintext, and the noise will increase along with evaluation times. When the noise exceeds a threshold value, which makes decryption fail, a bootstrapping program can refresh the noise introduced by evaluations and make the ciphertext as a new one generated by the encryption algorithm. However, the efficiency of the scheme is far from practical application.

Following Gentry’s work, many researchers tried to improve the performance of homomorphic encryption. Based on the learning with error assumption [13,14], Brakerski and Vaikuntanathan [15,16] (BV) presented a dimension-modulus reduction technique and constructed a leveled homomorphic encryption without the requirement of a bootstrappable encryption. Brakerski, Gentry, and Vaikuntanathan [17] (BGV) then dramatically improved the performance of the BV-type homomorphic encryption. Moreover, Gentry and Halevi and Smart reduced the size of public keys and ciphertexts [18] of the BGV-type scheme at the cost of increasing the probability of key recovery attack. Subsequently, they optimized the execution times of fast Fourier transform (FFT) and Chinese reminder theorem (CRT) by reducing the number of times to convert polynomials between coefficient and evaluation representations [16,17,19]. Brakerski [20] further reduced the ciphertext noise growth rate of multiplication operations. Halevi and Shoup [21,22,23] continuously and roundly optimized BGV-type scheme in the algorithm implementation aspect. Castryck, Iliashenko, and Vercauteren [24] improved parallel performance to packet more data within one instruction. Öztürk, Doröz, Savas and Sunar [25] designed a custom hardware accelerator to improve the performance of polynomial multiplier. Eric, Chris, and Chad [26] provided a compiler for homomorphic encryption and let the programmer with no special knowledge of homomorphic encryption easily use it. In addition, many efforts [22,27,28,29,30,31,32,33,34] have been paid for improving the performance of bootstrapping. As Chen, Chillotti, and Song [34] declared, the bootstrapping time per plaintext slot had been reduced to about 1 s.

This paper primarily focuses on improving the storage and computation efficiency of BGV-type cryptosystem. In previous works, we find that only [19] mentioned this problem. However, the main goal of [19] is to reduce the representation transformation times of FFT and CRT, but not reduce the size of public key, simplify the multiplication algorithm, or further control the noise. Hence, the improvement directions presented in [19] are different from our work.

Organization. In Section 2, we introduce the plaintext and ciphertext encoding manners and the principle of BGV. Afterwards, in Section 3, we briefly introduce a BGV-type scheme and then our modifications on BGV. In Section 4, our scheme is given and a proof of concept implementation with the C language and a performance test are provided in Section 5. Section 6 concludes the paper. At last, all of the source codes of our proof of concept implementation are given in Appendix A and the codes of benchmark implementations of Helib and RSA are given in Appendixes Appendix B and Appendix C. These appendics may help reviews.

2. Background Knowledge

2.1. Plaintext Encoding

Based on the underlying algebra, we know that a cyclotomic polynomial can be factorized into l irreducible polynomials as ${\mathsf{\Phi }}_m\left(x\right)$ = ${\prod }_{i=1}^l{F}_i\left(x\right)$ mod p. Hence, the quotient ring $R_p$ = ${\mathbb{Z}}_p\left[x\right]/{\mathsf{\Phi }}_m\left(x\right)$≅${\mathbb{Z}}_p\left[x\right]/F_1\left(x\right)$⊗⋯⊗${\mathbb{Z}}_p\left[x\right]/F_l\left(x\right)$. Let d be the order of $(m,p)$, such that $p^d$ = 1 mod m. We have l = $\varphi \left(m\right)/d$. Here, $\varphi \left(\right)$ is Euler function, d is the degree of each $F_i\left(x\right)$, and l is the number of $F_i\left(x\right)$, which represents the number of plaintext slots. Subsequently, a message can be encoded with the coefficients and modulus of a polynomial ring as the plaintext.

As a concrete example, assume p = 17 and m = 8. We have $(p$ = ${17)}^{d=1}$ = 1 mod $(m$ = 8) and thus l = $\left(\varphi \right(m)$ = 4$)/(d$ = 1) = 4. As a result, ${\mathsf{\Phi }}_8\left(x\right)$ = $x^4$ + 1 = $(x-2)(x-2^3)(x-2^5)(x-2^7)$ mod 17. For a message 5491 = ${17}^3$ + 2$\times {17}^2$ + 3 × 17 + 4, we can express it as $x^3$+2$x^2$ + 3x + 4 mod ($x^4$ + 1,17). Because

$$\begin{array}{cc}\hfill x^3+2x^2+3x+4& \cong 9mod(x-2,17)\hfill \\ \hfill & \cong 5mod(x-2^3,17)\hfill \\ \hfill & \cong 15mod(x-2^5,17)\hfill \\ \hfill & \cong 4mod(x-2^7,17)\hfill \end{array}$$

$x^3$ + 2$x^2$ + 3x + 4 can be further represented by a vector (9,5,15,4). Next, we have $(x^3$ + 2$x^2$ + 3x + 4) · ($x^3$ + 2$x^2$ + 3x + 4) mod $x^4$+ 1 = 3$x^3$ + 7$x^2$ + 3x + 6. Meanwhile, (9,5,15,4)·(9,5,15,4) mod 17 = (81,25,225,16) mod 17 = (13,8,4,16). We may verify that 3$x^3$ + 7$x^2$ + 3x + 6 can be represented by (13,8,4,16). Similarly, $(x^3$ + 2$x^2$ + 3x + 4) + $(x^3$ + 2$x^2$ + 3x + 4) mod $x^4$ + 1 = (2$x^3$ + 4$x^2$ + 6x + 8)≅ (1,10,13,8) = (9,5,15,4) + (9,5,15,4) mod 17. Hence, the encoded vector supports multiplication and addition simultaneously. According to CRT on the polynomial ${\mathsf{\Phi }}_m\left(x\right)$ and modulu p, a vector can also recover the polynomial and, thus, the plaintext.

2.2. Ciphertext Encoding

Similar to the plaintext case, the ciphertext space in BGV [17] is defined by a quotient ring $R_q$ = ${\mathbb{Z}}_q\left[x\right]/{\mathsf{\Phi }}_m\left(x\right)$, where q is far greater than p. Naturally, we wonder what is the detailed relationship between p and q. Reference [19] indicates that q can be the product of a series of prime numbers $p_0$⋯$p_{L-1}$. L is the depth of the circuit in a leveled homomorphic encryption scheme and a new ciphertext is with respect to $q_{L-1}$. Each time two ciphertexts multiply, the new ciphertext of the product is mapped from $R_{q_i}$ to $R_{q_{i-1}}$, where $q_i$ = ${\prod }_{j=0}^i{p}_i$ for i = 0,⋯, $L-1$. ([19], Section 3.2) introduces the procedure for mapping an element in $R_{q_i}$ to the corresponding element in $R_{q_{i-1}}$ in the modulus-reduction process. Hence, L is the upper bound of the multiplication and addition times. As an optimization of keeping ciphertexts and key switch matrices in evaluation (CRT) representation, Ref. [19] also suggests that $p_i$ = 1 mod m for each i = 0,⋯,$L-1$.

As a toy example of ciphertext encoding, assume $p_0$ = 11, $p_1$ = 23, and $p_2$ = 67. We have $q_0$ = $p_0$ = 11, $q_1$ = $p_0{p}_1$ = 11 × 23 = 253, and $q_2$ = $p_0{p}_1{p}_2$ = 16951. Let 10 be the ciphertext $c{t}^{\left(1\right)}\in R_{q_1}$, we can compute its equivalent ciphertext $c{t}^{\left(2\right)}$ = $(c{t}^{\left(1\right)}\times p_2)\in R_{q_2}$ = 10 $\times 67$ mod 16951 = 670. To directly verify the correctness of the reduction, we may map $c{t}^{\left(2\right)}$ to $c{t}^{\left(1\right)}$ by multiplying the inverse mapping element $r{p}_1$ from $R_{q_2}$ to $R_{q_1}$ ($p_2$ and $r{p}_1$ are mutually inversed when mapping elements between $R_{q_1}$ and $R_{q_2}$). Here, we directly give that element $r{p}_1$ = 34 in the toy example. Please see ([19], Section 3.2) to find the way to compute it. Then we may test 670 × 34 mod 253 = 10.

2.3. Security Assumption of BGV

The security of BGV-type cryptosystems is based on the learning with errors over rings (RLWE) assumption [13,35]. The RLWE($\lambda$,q,$\chi$) assumption is to distinguish two distributions (a,$a·s$ + $ϵ$) and (a,b), where a, s, and b are randomly selected from $R_q$ and $ϵ$ is selected from $\chi$ referencing security parameter $\lambda$. This assumption has been proved hard over ideal lattices in [35].

2.4. Principle of BGV

Let p, q be two prime numbers and $p<q$. $R_p$ and $R_q$ are groups formed by p and q according to algebra. For any number $m\in R_p$, if 0 <m + $ϵp$<q, we have [$(m$ + $ϵp$) mod q] mod p = m. For example, let p = 5, q = 19, and m = 3. If $ϵ$ = 3, m+$ϵp$ = 18. 18 mod 19 mod 5 = 3. Otherwise, if $ϵ$ = 4, m + $ϵp$ = 23.23 mod 19 mod 5 = 4. If $ϵ=-1$, m + $ϵp=-2$. $-2$ mod 19 mod 5 = 2. Let m be the plaintext and $(m$ + $ϵp)$ be the ciphertext. If the operations on the ciphertext do not make the intermediate result exceeding the modulu q, all the errors can be eliminated by moding q and then moding p. That is because the error term is multiplied by p. In our opinion, the BGV and BGV type schemes construct cryptosystems based on this principle and try their best to control the error growth in computing.

3. Introduction of BGV

In original BGV [17], public key and switch keys are matrices. ([18], Appendix D.2)

indicates those keys can also be vectors over polynomial ring. Subsequently, the key size can be reduced. In this section, we describe BGV in vector form. As all the other encryption schemes, BGV includes four algorithms, Setup, Keygen, Encrypt, and Decrypt as the basic encryption-decryption part. Moreover, it includes Add and Multiply to perform homomorphic calculations. These algorithms are as follows.

Setup: given a security parameter $\lambda$ and level L, the setup algorithm generates L large prime numbers $q_0$, ⋯, $q_{L-1}$, where $q_0$<⋯<$q_{L-1}$ and selects the discrete Gaussian distribution $\chi$ as the error distribution. It defines the plaintext space by selecting m and p and computing l and d. $q_0$, ⋯, $q_{L-1}$, $\chi$, p, and l are public parameters.

KeyGen: given the public parameters, first, the key generation algorithm selects a random vector s as the secret key. Then, it computes b = $-(a·s$ +$p·ϵ)$ mod $q_{L-1}$, where a is a random element in $R_{q_{L-1}}$, $ϵ$ is sampled from $\chi$, and p is the plaintext modulu, and let $(a,b)$ be the public key. Next, it computes $b_i$ = $-(a_i·s$ + $p·{ϵ}_i-$$t_i·s^2)$ mod $t_i·q_i$, where $a_i$ a random element in $R_{q_i}$, $t_i$ is an integer, and ${ϵ}_i$ is sampled from $\chi$, and finally let $(a_0,b_0,t_0,0)$, ⋯, $(a_{L-1},b_{L-1},t_{L-1},L-1$) be the switch key.

Encrypt: given a plaintext m, the encryption algorithm randomly selects a vector v, where each $v_i\in \{0,\pm 1\}$ with probability $\{\frac{1}{2},\frac{1}{4}\}$, samples $e_0$ and $e_1$ from $\chi$, and computes $c_0$ = $b·v$ + $p·e_0$ + m mod $q_{L-1}$, $c_1$ = $a·v$ + $p·e_1$ mod $q_L$. $ct$ = $(c_0$, $c_1$, $L-1$) is the initial ciphertext.

Decrypt: given a ciphertext $ct$ = ($c_0,c_1,i$) and the secret key s, the decryption algorithm computes m←$c_0$ + $c_1·s$ mod $q_i$ mod p.

Mul: given two ciphertexts $c{t}^{\prime }$ = ($c_0^{\prime }$,$c_1^{\prime }$,i) and $c{t}^{\prime \prime }$= ($c_0^{\prime \prime }$,$c_1^{\prime \prime }$,i) under same secret key, the multiplication algorithm first computes $d_0$ = $c_0^{\prime }·c_0^{\prime \prime }$, $d_1$ = $c_0^{\prime }·c_1^{\prime \prime }$ + $c_1^{\prime }·c_0^{\prime \prime }$, and $d_2$ = $c_1^{\prime }·c_1^{\prime \prime }$, Then it compresses ($d_0$, $d_1$, $d_2$) to $c{t}^{\ast }$ = ($c_0^{\ast }$, $c_1^{\ast }$), where $c_0^{\ast }$ = $t_i{d}_0$ + $b_i·d_2$ mod $t_i{q}_i$ and $c_1^{\ast }$ = $t_i{d}_1$ + $a_i·d_2$ mod $t_i{q}_i$, with the switch key $(a_i,b_i,t_i,i)$. Next, $c{t}^{\ast }\in R_{t_i{q}_i}$ is first converted into $c{t}^{\ast }\in R_{q_i}$ and then the output ciphertext $ct\in R_{q_{i-1}}$ by SwitchModulu.

Add: given two ciphertexts $c{t}^{\prime }$ = ($c_0^{\prime }$, $c_1^{\prime }$, i) and $c{t}^{\prime \prime }$ = ($c_0^{\prime \prime }$, $c_1^{\prime \prime }$, i), the addition algorithm computes the sum of the two ciphertext as $c{t}^{\ast }$ = ($c_0^{\prime }$+$c_0^{\prime \prime }$ mod $q_i$, $c_1^{\prime }$+$c_1^{\prime \prime }$ mod $q_i)$, and then converts $c{t}^{\ast }\in R_{q_i}$ to $ct\in R_{q_{i-1}}$ as the output.

SwitchModulu: given a ciphertext ct = $(c_0,c_1,i)$ mod $q_i$, two modulus $q_i$ and $q_j$ where $i>j$, the modulu switch algorithm computes the modulo inverse element $r{p}_j$ = $\frac{q_j}{q_i}$ in $q_j$, and output the new ciphertext ct${}^{\prime }$=$(c_0^{\prime },c_1^{\prime },j)$, where $c_1^{\prime }$ = $c_1·r{p}_j$ mod $q_j$ and $c_2^{\prime }$ = $c_2·r{p}_j$ mod $q_j$.

Correctness. first, given ct = ($c_0,c_1,L-1$) and corresponding secret key s, $\langle ct,s\rangle$ = $c_0$ + $c_1·s$ = $\{b·v$ + $p·e_0$ + m + ($a·v$ + $p·e_1$)$·s\}$ mod $q_{L-1}$ = $\{m-$$a·s·v-$$p·ϵ·v$ + $p·e_0$ + $a·v·s$ + $p·e_1·s\}$ mod $q_{L-1}$ = $\{m-$$pϵv$ + $p(e_0+e_{1}s)\}$ mod $q_{L-1}$. Let error be $-pϵv$ + $p(e_0+e_{1}s)$. If 0 < error <$q_{L-1}$, $\langle ct,s\rangle$ mod p = m.

Second, given ct = $(c_0,c_1,i-1$) and secret key s, where ct is the product of ct${}_1$ = $(c_0^{\prime },c_1^{\prime },i)$ and ct${}_2$ = $(c_0^{\prime \prime },c_1^{\prime \prime },i)$ outputted by Mul, let $r{t}_i$ be the inverse element of $t_i$ that maps element from $R_{t_i{q}_i}$ to $R_{q_i}$, we have $\langle ct,s\rangle$ = $c_0$ + $s·c_1$ = $r{t}_i(t_i{d}_0$ + $b_i{d}_2)$ + $s[r{t}_i(t_i{d}_1$ + $a_i{d}_2\left)\right]$ = $d_0$ + $s{d}_1$ + $r{t}_i(b_i+a_{i}s)d_2$ = $d_0$ + $s{d}_1$ + $r{t}_i(t_i{s}^2-p{ϵ}_i)d_2$ = $d_0$ + $s{d}_1$ + $s^2{d}_2-$$r{t}_{i}p{ϵ}_i{d}_2$. Because

$$\begin{array}{cc}\hfill & d_0+d_1·s+d_2·s^2=\{c_0^{\prime }·c_0^{\prime \prime }+(c_0^{\prime }·c_1^{\prime \prime }+c_1^{\prime }·c_0^{\prime \prime })s+c_1^{\prime }·c_1^{\prime \prime }{s}^2\}=\{m^{\prime }{m}^{\prime \prime }+v^{\prime }{v}^{\prime \prime }{\left(pϵ\right)}^2+pϵv^{\prime \prime }[m^{\prime }+p(e_0^{\prime }+e_1^{\prime }s)]\hfill \\ \hfill & +pϵv^{\prime }[m^{\prime \prime }+p(e_0^{\prime \prime }+e_1^{\prime \prime }s)]+p^2(e_0^{\prime }+e_1^{\prime }s)(e_0^{\prime \prime }+e_1^{\prime \prime }s)+p(m^{\prime }+m^{\prime \prime })·(e_0^{\prime \prime }+e_1^{\prime \prime }s)\}mod{q}_{i-1}\hfill \end{array}$$

and $r{t}_{i}p{ϵ}_i{d}_2$ = $r{t}_{i}p{ϵ}_i{c}_1^{\prime }·c_1^{\prime \prime }$ = $r{t}_{i}p{ϵ}_i(a{v}^{\prime }+p{e}_1^{\prime })(a{v}^{\prime \prime }+p{e}_1^{\prime \prime })$ mod $q_{i-1}$

Let error represents $v^{\prime }{v}^{\prime \prime }{\left(pϵ\right)}^2$ + $pϵv^{\prime \prime }[m^{\prime }+p(e_0^{\prime }+e_1^{\prime }s)]$ +$pϵv^{\prime }[m^{\prime \prime }$ + $p(e_0^{\prime \prime }+e_1^{\prime \prime }s)]$ + $p^2(e_0^{\prime }+e_1^{\prime }s)(e_0^{\prime \prime }+e_1^{\prime \prime }s)$ + $p(m^{\prime }+m^{\prime \prime })(e_0^{\prime \prime }+e_1^{\prime \prime }s)-r{t}_{i}p{ϵ}_i(a{v}^{\prime }+p{e}_1^{\prime })(a{v}^{\prime \prime }+p{e}_1^{\prime \prime })$. If 0 < error <$q_{i-1}$, $\langle ct,s\rangle$ mod p = $m^{\prime }{m}^{\prime \prime }$.

Third, given ct = $(c_0,c_1,i-1$) and secret key s, where ct is the sum of ct${}_1$ = $(c_0^{\prime },c_1^{\prime },i)$ and ct${}_2$ = $(c_0^{\prime \prime },c_1^{\prime \prime },i)$ outputted by Add, we have $\langle ct,s\rangle$ = $c_0$ + $s·c_1$ = $(c_0^{\prime }$ + $c_0^{\prime \prime })$ + $s(c_1^{\prime }$ + $c_1^{\prime \prime })$ = $\{m^{\prime }$ + $p(e_0^{\prime }$ + $ϵ-s{e}_1^{\prime })$ + $m^{\prime \prime }$ + $p(e_0^{\prime \prime }$ + $ϵ-s{e}_1^{\prime \prime }\left)\right\}$ mod $q_{i-1}$. Let error be $p(e_0^{\prime }$ + $ϵ-s{e}_1^{\prime })$ + $p(e_0^{\prime \prime }$ + $ϵ-s{e}_1^{\prime \prime })$. If 0 < error <$q_{i-1}$, $\langle ct,s\rangle$ mod p = $m_1$ + $m_2$.

By selecting small parameters, like v, $ϵ$, $e_0$, $e_1$, etc., the components of a ciphertext may be far less than modulu. However, with the increasement of multiplication and addition times, errors will eventually exceed the modulu. The function of SwitchModulu is to continually scale cumulative errors to $\frac{q_{i-1}}{q_i}$ by map components from $R_{q_i}$ to $R_{q_{i-1}}$. That is why the maximum multiplication and addition times are limited by the predefined parameters L. In the multiplication algorithm, the direct product of two ciphertexts is a new ciphertext with three elements, key switch is to recompress it to two elements and the errors are still the same.

3.1. Modifications on BGV-type Cryptosystems

Based on the BGV-type Cryptosystems, we make following changes. We may observe the decryption processes after the modifications.

First, let $q_0$ = $p_0$ = p, $p_i$ = 1 mod p, and $q_i={\prod }_{j=0}^i{p}_j$ for i = 1,⋯,$L-1$ in the setup algorithm. Second, replace $t_i$ with $p_{i+1}$ in switch key generation and key switch algorithms, and then remove the SwitchModulu operations that map elements from $R_{p_{i+1}·q_i}$ to $R_{q_i}$. That is to say, each $b_i$ = $-(a_i·s$ + $p·{ϵ}_i-p_{i+1}·s^2)$ mod $p_{i+1}·q_i(=q_{i+1})$. Third, move the SwitchModulu operation in Mul from the last step to the first step.

Because the encryption, decryption, and addition algorithms do not change, we focus on the multiplication algorithm. Given two ciphertexts ct${}_1^{\left(i\right)}$ = $(c_0^{\left(1\right)},c_1^{\left(1\right)},i$) and ct${}_2^{\left(i\right)}$ = $(c_0^{\left(2\right)},c_1^{\left(2\right)}$, i) of the plaintexts $m_1$ and $m_2$, the multiplication algorithm first SwitchModulu them to ct${}_1^{(i-1)}$ = $(c_0^{\left(1\right)},c_1^{\left(1\right)},i-1$) and ct${}_2^{(i-1)}$ = $(c_0^{\left(2\right)},c_1^{\left(2\right)},i-1$) and then SwitchKey the product of ct${}_1^{(i-1)}$ and ct${}_2^{(i-1)}$ to ct${}^{\left(i\right)}$ = $(c_0,c_1,i$) as below: $c_0$←$\{p_i{c}_0^{\left(1\right)}{c}_0^{\left(2\right)}$ + $b_i{c}_1^{\left(1\right)}{c}_1^{\left(2\right)}\}$ mod $q_i$ and $c_1$←$\{p_i(c_0^{\left(1\right)}{c}_1^{\left(2\right)}$ + $c_0^{\left(2\right)}{c}_1^{\left(1\right)})$ + $a_i{c}_1^{\left(1\right)}{c}_1^{\left(2\right)}\}$ mod $q_i$

Given the secret key s, we have

$$\begin{array}{cc}\hfill & \langle ct,s\rangle =c_0+s·c_1=\{p_i{c}_0^{\left(1\right)}{c}_0^{\left(2\right)}+p_{i}s{c}_0^{\left(1\right)}{c}_1^{\left(2\right)}+p_{i}s{c}_0^{\left(2\right)}{c}_1^{\left(1\right)}+p_i{s}^2{c}_1^{\left(1\right)}{c}_1^{\left(2\right)}-p{ϵ}_i{c}_1^{\left(1\right)}{c}_1^{\left(2\right)}\}mod{q}_i\hfill \\ \hfill & =p_i(c_0^{\left(1\right)}+s{c}_1^{\left(1\right)})(c_0^{\left(2\right)}+s{c}_1^{\left(2\right)})mod{q}_i-p{ϵ}_i{c}_1^{\left(1\right)}{c}_1^{\left(2\right)}mod{q}_i\hfill \end{array}$$

If the error terms are less than $q_i$, we have $\langle ct,s\rangle$ mod p = $m_1{m}_2$. Obviously, the correctness condition is the same as the BGV scheme.

Observation 1.

Next, we replace the normal switch key $ep{k}_i$ with another sublayer’s switch key $ep{k}_j$ in Mul and observe the decryption process. In this condition, the ciphertext outputted by Mul is as follows: $c_0$←$\{p_i{c}_0^{\left(1\right)}{c}_0^{\left(2\right)}$ + $b_j{c}_1^{\left(1\right)}{c}_1^{\left(2\right)}\}$ mod $q_i$ and $c_1$←$\{p_i(c_0^{\left(1\right)}{c}_1^{\left(2\right)}$ + $c_0^{\left(2\right)}{c}_1^{\left(1\right)})$ + $a_j{c}_1^{\left(1\right)}{c}_1^{\left(2\right)}\}$ mod $q_i$.

Given the secret key s, we have

$$\begin{array}{cc}\hfill & \langle ct,s\rangle =c_0+s·c_1=\{p_i{c}_0^{\left(1\right)}{c}_0^{\left(2\right)}+p_{i}s{c}_0^{\left(1\right)}{c}_1^{\left(2\right)}+p_{i}s{c}_0^{\left(2\right)}{c}_1^{\left(1\right)}+p_j{s}^2{c}_1^{\left(1\right)}{c}_1^{\left(2\right)}-p{ϵ}_j{c}_1^{\left(1\right)}{c}_1^{\left(2\right)}\}mod{q}_i\hfill \\ \hfill & =p_{i}mod{q}_i·c_0^{\left(1\right)}{c}_0^{\left(2\right)}mod{q}_i+p_{i}mod{q}_i·s{c}_0^{\left(1\right)}{c}_1^{\left(2\right)}mod{q}_i+p_{i}mod{q}_i·s{c}_0^{\left(2\right)}{c}_1^{\left(1\right)}mod{q}_i+p_{j}mod{q}_i\hfill \\ \hfill & ·s^2{c}_1^{\left(1\right)}{c}_1^{\left(2\right)}mod{q}_i-p{ϵ}_j{c}_1^{\left(1\right)}{c}_1^{\left(2\right)}mod{q}_i\hfill \\ \hfill & \ne p_i(c_0^{\left(1\right)}+s{c}_1^{\left(1\right)})(c_0^{\left(2\right)}+s{c}_1^{\left(2\right)})mod{q}_i-p{ϵ}_i{c}_1^{\left(1\right)}{c}_1^{\left(2\right)}mod{q}_i\hfill \end{array}$$

However, if $p_i$=1 mod p and $q_i={\prod }_{j=0}^i{p}_j$ for i = 1,⋯,L, we have $p_i$ mod $q_i$ mod p = $p_j$ mod $q_i$ mod p = 1. Thus, $\langle ct,s\rangle$ mod p = $(c_0^{\left(1\right)}+s{c}_1^{\left(1\right)})(c_0^{\left(2\right)}+s{c}_1^{\left(2\right)})$ mod $q_i$ mod $p-p{ϵ}_i{c}_1^{\left(1\right)}{c}_1^{\left(2\right)}$ mod $q_i$ mod p. The correctness condition is the same as BGV. If the error terms are less than $q_i$, we also have $\langle ct,s\rangle$ mod p = $m_1{m}_2$.

As a result, we do not need to generate a switch key for each level after the modification. Only one l-dimension switch key is enough for multiplication. Thus, the total size of public keys can be reduced from linear to constant.

Observation 2.

Two ciphertexts and their product are at the same sublayer after the modifications. The reason that each $b_i$ should modulu $t_i·q_i$, but not $q_i$ in BGV is the SwitchKey operation in Mul will lift elements from $R_{q_i}$ to $R_{t_i·q_i}$. After replacing $t_i$ with $p_{i+1}$, the elements will be lifted from $R_{q_i}$ to $R_{q_{i+1}}$. The reason we move the SwitchModulu operation in Mul from the last step to the first step is to satisfy this requirement. Because all of the input elements belong to $R_{q_i}$ in Mul, the accumulative errors are far less than $R_{q_{i+1}}$. Thus, the decryption can succeed and another SwitchModulu operation can be omitted.

The advantage of this change is all of the multiplication operations can be repeatedly done between $R_{q_i}$ and $R_{q_{i+1}}$. Subsequently, the multiplication times will not be limited by L in an L-level circuit and, thus, naturally become unlimited without bootstrapping. That is to say, L can be very small. We may use small number of large primes to replace large number of small primes. As a matter of fact, the product of several large primes is far less than the product of many small primes. For example, we know ${100}^2$≪$2^{100}$. As a result, the ciphertext evaluation time will decrease significantly.

4. Scheme Description

In this section, we describe a variant BGV-type scheme under our modifications. Because the scheme is to optimize the ciphertext evaluation processes. The description of encoding a message to a vector as plaintext is ignored. Moreover, the basic secret key generation, public key encryption, encryption, and decryption algorithms are the same as known schemes [5,19]. The details are as follows:

Setup: given a security parameter $\lambda$, the setup algorithm selects a prime number $p\left(\lambda \right)$ and a number $m\left(\lambda \right)$ and computes corresponding parameters d and l to define the plaintext space. Afterwards, it selects a series of prime number $p_0\left(\lambda \right)$, ⋯, $p_{L-1}\left(\lambda \right)$, where $p_0$ = p, $p_1\left(\lambda \right)$ = ⋯ = $p_{L-1}\left(\lambda \right)$ = 1 mod $p\left(\lambda \right)$, and computes $q_i$ = ${\prod }_{j=0}^i{p}_j$, for i = 0, $\cdots ,L-1$. All of the ciphertexts and keys are defined in $R_{q_{L-1}}$. The public parameters include all above parameters.

SecretKeyGen: given the public parameters, the secret key generation algorithm selects an l-dimension vector s. Each element in s is chosen from a noise distribution $\chi$. Output SK = s.

PublicKeyGen: given the public parameters and an l-dimension vector s, the public key generation algorithm selects an l-dimension vector a from $R_{q_{L-1}}$, an l-dimension error vector $ϵ$ from distribution $\chi$, and computes an l-dimension vector b = $a·s$ + $p·ϵ$ mod $q_{L-1}$. Output PK = $(a,b)$.

SwitchKeyGen: given the public parameters and an l-dimension vector s, the switch key generation algorithm selects an l-dimension vector a uniformly from $R_{q_{L-1}}$, an l-dimension error vector $ϵ$ from distribution $\chi$, and computes an l-dimension vector b = $a·s$ + $p·ϵ-s^2·(p·r+1)$ mod $q_{L-1}$, where r is a random number. Output EPK = $(a,b)$.

Encrypt: given the public parameters, a public key PK = $(a,b)$ and a message $m\in R_p^l$, the encryption algorithm selects an l-dimension vector v. Each of its element is chosen from $\{-1,0,1\}$ with probability of $(\frac{1}{4},\frac{1}{2},\frac{1}{4})$. Then it selects two l-dimension error vectors $e_0$ and $e_1$, which their elements are sampled from the discrete Gaussian distribution with variance $\sigma$. The ciphertext ct consists of two elements $c_0,c_1\in R_{q_{L-1}}$ and the depth is $L-1$. $c_0$ = $b·v$ + $p·e_0$ + m mod $q_{L-1}$ and $c_1$ = $a·v$ + $p·e_1$ mod $q_{L-1}$. ct = $(c_0,c_1,L-1$) is outputted.

Decrypt: given the public parameters, a secret key SK = s and a ciphertext ct = $(c_0,c_1,i)$, the decryption algorithm computes m←$\left(\right(c_0$−$s·c_1)$ mod $q_i)$ mod p.

SwitchModulu: given a ciphertext ct = $(c_0,c_1,i)$ mod $q_i$, two modulus $(i,q_i)$ and $(j,q_j)$ where $i>j$, the modulu switch algorithm computes the modulo inverse element $r{p}_j$ = $\frac{q_j}{q_i}$ in $q_j$, and output the new ciphertext ct${}^{\prime }$=$(c_0^{\prime },c_1^{\prime },j)$, where $c_1^{\prime }$ = $c_1·r{p}_j$ mod $q_j$ and $c_2^{\prime }$ = $c_2·r{p}_j$ mod $q_j$. Usually, i = j + 1 is enough if L is just fit for security requirements. The modulo inverse element $r{p}_j$ can be computed by the extended Euclid algorithm (see ex_gcd in Appendix A.2).

CTLinearization: given two ciphertexts ct${}_1$ = $(c_0^{\left(1\right)},c_1^{\left(1\right)},i)$ and ct${}_2$ = $(c_0^{\left(2\right)},c_1^{\left(2\right)},i)$, the ciphertext relinearization algorithm outputs the three-dimension ciphertext d = $(d_0,d_1,d_2,i$ + 1) = (ct${}_1\otimes$ct${}_2$, i + 1) = $\{(c_0^{\left(1\right)}·c_0^{\left(2\right)})$, $(c_0^{\left(1\right)}·c_1^{\left(2\right)}+c_0^{\left(2\right)}·c_1^{\left(1\right)}),\left(c_1^{\left(1\right)}{c}_1^{\left(2\right)}\right)$, i + $1\}$.

SwitchKey: given a three-dimension ciphertext d = $(d_0,d_1,d_2,i)$ and a switch key EPK = $(a,b)$, the key switch algorithm computes $c_0$ = $p_i·d_0-b·d_2$ mod $q_i$ and $c_1$ = $p_i·d_1-a·d_2$ mod $q_i$ and outputs ct = $(c_0,c_1,i)$.

Mul: given two ciphertexts ct${}_1$ = $(c_0^{\left(1\right)},c_1^{\left(1\right)},i)$ and ct${}_2$ = $(c_0^{\left(2\right)},c_1^{\left(2\right)},i)$, the multiplication algorithm invokes ct${}_1$← SwitchModulu(ct${}_1$) and ct${}_2$← SwitchModulu(ct${}_2$), and then invokes d← CTLinearization (ct${}_1$, ct${}_2$). Finally, it invokes ct ← SwithchKey(d) and outputs ct.

Add: given two ciphertexts ct${}_1$ = $(c_0^{\left(1\right)},c_1^{\left(1\right)},i)$ and ct${}_2$ = $(c_0^{\left(2\right)},c_1^{\left(2\right)},i)$, the addition algorithm computes $c_0$ = $c_0^{\left(1\right)}$+$c_0^{\left(2\right)}$ mod $q_i$ and $c_1$ = $c_1^{\left(1\right)}$+$c_1^{\left(2\right)}$ mod $q_i$, and then outputs ct = $(c_0,c_1,i)$.

Correctness. Above scheme is nearly same as BGV except that the switch key is fixed and the key switch algorithm does not switch ct to a lower level one at last.

First, given a ciphertext ct = $(c_0,c_1,L-1$) outputted by Encrypt, a secret key SK = s, we have $\langle ct,s\rangle$ mod p = $c_0-s·c_1$ mod p = $(b·v$ + $p·e_0$ + $m-sa·v-sp·e_1)$ mod $q_{L-1}$ mod p = m + $p(e_0$ + $ϵ-s·e_1)$ mod $q_{L-1}$ mod p = m.

Second, given a secret key SK = s, a ciphertext ct = $(c_0,c_1,i)$ outputted by Mul, where ct is the product of ct${}_1$ = $(c_0^{\left(1\right)},c_1^{\left(1\right)},i)$ and ct${}_2$ = $(c_0^{\left(2\right)},c_1^{\left(2\right)},i)$, we have $\langle ct,s\rangle$ mod p = $c_0-s·c_1$ mod p. As the observations in Section 3.1, $c_0-s·c_1$ mod p = $(c_0^{\left(1\right)}-s{c}_1^{\left(1\right)})(c_0^{\left(2\right)}-s{c}_1^{\left(2\right)})-pϵc_1^{\left(1\right)}{c}_1^{\left(2\right)}$ mod $q_i$ mod p = $(m_1$ + $p(e_0^{\left(1\right)}$ + $ϵ-s·e_1^{\left(1\right)}\left)\right)$$(m_2$ + $p(e_0^{\left(2\right)}$ + $ϵ-s·e_1^{\left(2\right)}\left)\right)-pϵc_1^{\left(1\right)}{c}_1^{\left(2\right)}$ mod $q_i$ mod p = $m_1{m}_2$.

Third, given a secret key SK = s, a ciphertext ct = $(c_0,c_1,i)$ outputted by Add, where ct is the sum of ct${}_1$ = $(c_0^{\left(1\right)},c_1^{\left(1\right)},i)$ and ct${}_2$ = $(c_0^{\left(2\right)},c_1^{\left(2\right)},i)$, we have $\langle ct,s\rangle$ mod p = $c_0-s·c_1$ mod p = $(c_0^{\left(1\right)}$ + $c_0^{\left(2\right)})-s(c_1^{\left(1\right)}$+$c_1^{\left(2\right)})$ mod $q_i$ mod p = $m_1$ + $p(e_0^{\left(1\right)}$ + $ϵ-s·e_1^{\left(1\right)})$ + $m_2$ + $p(e_0^{\left(2\right)}$ + $ϵ-s·e_1^{\left(2\right)})$ mod $q_i$ mod p = $m_1$ + $m_2$.

Security. All of our changes are on the homomorphic computation parts, including the switch key generation algorithm and the multiplication algorithm. The basic encryption-decryption function parts, including the secret key generation algorithm, the public key generation algorithm, the encryption algorithm, and the decryption algorithm are the same as known schemes [5,19]. As introduced in the background, the security of BGV-type cryptosystems is based on the RLWE assumption. In our scheme, the public key (a,b) where b = $a·s$ + $p·ϵ$ mod $q_{L-1}$ has similar form as that of the distribution (a,$a·s$ + $ϵ$). The difference is p and $q_{L-1}$ are exposed to the adversary in the setup algorithm. However, this does not reveal more information, because the error is provided by $ϵ$ but not p. We may regard the distribution in RLWE assumption as (a,$a·s$ + $p·ϵ$) where p =1. In our scheme, p is a prime number referencing the security parameter. Then the forms of the assumption are same. Logically, only modifying the multiplication algorithm will not affect the security of the basic encryption-decryption function. Thus, the security of our scheme does not need to be re-proved.

5. Implementation and Performance Analysis

In this section, we instantiate the above scheme in the range of “int”, which occupies 32 bits. “int” is the most intuitive data type in the C language. It expresses numbers between −2147483648 and 2147483647. We remove the negative part and let all computation results within [0,2147483647]. Although “int” is too small to prevent attacks, the correctness and performance of above scheme can be verified. In practical applications, large number, like “bigint” in C++ or “biginteger” in Java can easily replace it. In our implementation, the depth L is set to 3. p = 11, m = 5, d = 1, and l = $\left(\varphi \right(5)=4)/(d=1)$ = 4. Moreover, $p_0$ = 11, $p_1$ = 23(=2 × 11 + 1), and $p_2$ = 67(=6 × 11 + 1). Correspondingly, $q_0$ = 11, $q_1$ = 253 (=11 × 23), $q_2$ = 16951 (=11 × 23 × 67). The modulu inverse $r{p}_1$ = 34 can be computed such that $p_2·r{p}_1$ = 67 × 34 = 1 mod 253. Detailed implements to find it are given in Appendix A.2 The reason we set p = 11 is that the two smallest prime numbers those equal 1 modulu 11 are 23 and 67. Then 16951${}^2$ = 287336401 < 2147483647 can ensure all of the intermediate computation results do not exceed the representation range of “int”. If we set p = 13, the two smallest prime numbers are $p_1$ = 53 and $p_2$ = 79. Then we have $q_1$ = 689, $q_2$ = 54431. Because ${54431}^2$ = 2962733761 > 2147483647, the decryption may fail at last. Of course, p can be set to smaller prime numbers than 11 in the toy implementation. The initial ciphertext generated by the encryption algorithm, the secret key, the public key, and the switch key generated by the key generation algorithms are all at level 2. To simplify the implementation, all of the random numbers are chosen from the random number generator in the C library but not $\chi$.

Without loss of generality, we simply select a four-dimension vector (1,2,3,4) as the initial plaintext and generate corresponding ciphertext ct${}_0$. Subsequently, we compute ct${}_{i+1}$ = ct${}_i·$ct${}_0$ and ct${}_{i+2}$ = ct${}_{i+1}$ + ct${}_0$ for i = 0,2,4,6,8. For example, ct${}_1$ should be (1,4,9,5) and ct${}_2$ should be (2,6,1,9), etc. The result of correctness validation is in Figure 1.

The vectors, pt[0], ⋯, pt[10], are plaintext multiplication and addition results. The vectors, dpt[0], ⋯, dpt[10], are the decryption results of the ciphertext of corresponding plaintext. We can see that dpt[i]s are the same as corresponding pt[i]s.

Next, we test the performance of our scheme. The source code of our implementation is given in Appendix A. It includes three files, stdafx.h, stdafx.cpp, and unlimited homomorphic encryption.cpp. "stdafx.h" defines all the data structures. "stdafx.cpp" defines all of the functions. The functions are invoked in "unlimited homomorphic encryption.cpp". Appendix B lists the source code of an implementation based on the Helib library. The implementation uses similar parameters as ours. Figure 2 lists their executing time. Our test machine is a ThinkPad X1 laptop with Intel(R) Core(TM)i7-8750H CPU @2.2GHz 8 cores Visual Studio 2005, Microsoft, Redmond, WS, USA).

Intuitively, the homomorphic calculation time grows linearly in our scheme, but sub-exponentially in the Helib-based scheme. Meanwhile, the execution time of our scheme is much less than the Helib-based one.

We know that RSA is an encryption scheme only supporting multiplicative homomorphic and it has been applied into many security applications. As a further comparison, we list the Mul operation time of RSA. Since the ciphertext modulu of our scheme is $q_2$ = 16951, we select p = 127 and p = 131 in the toy RSA example, such that their product n = 16637 is very close to $q_2$. The execution time of our scheme is about 100 times of RSA. The source code of the benchmark RSA is in Appendix C.

Finally, Figure 3 lists the storage costs of Helib and ours. The size of public key in Helib is linear growth with maximum multiplications times, while the size of public key in our scheme is a constant.

6. Conclusions

In this paper, we present an efficient BGV-type scheme for IoT systems. Our scheme reduces the storage space and evaluation time, and it is more suitable for secure IoT systems. The performance test of the proof of concept implementation shows thatour new scheme is more practical than thecurrent method.