High-Precision Leveled Homomorphic Encryption for Rational Numbers

Abstract

In most homomorphic encryption schemes based on RLWE, native plaintexts are represented as polynomials in a ring ${\mathbb{Z}}_t\left[x\right]/x^N+1$, where t is a plaintext modulus and $x^N+1$ is a cyclotomic polynomial with a degree power of two. An encoding scheme should be used to transform some natural data types (such as integers and rational numbers) into polynomials in the ring. After homomorphic computations on the polynomial aare finished, the decoding procedure is invoked to obtain the results. We employ the Hensel code for encoding rational numbers and construct a high-precision leveled homomorphic encryption scheme with double-CRT. The advantage of our scheme is that the limitations of previous works are avoided, such as unexpected decoding results and loss of precision. Moreover, the plaintext space can be adjusted simply by changing a hyper-parameter to adapt to different computation tasks.

1. Introduction

1.1. Background

Fully homomorphic encryption (FHE) is a cryptographic scheme that allows us to evaluate an arbitrary Boolean or arithmetic circuit on data in an encrypted state directly without decryption. This notation, introduced by Rivest et al. [1], was first implemented by Gentry [2] with ideal lattices. Homomorphic encryption has become a basic tool for privacy computation nowadays. All of the schemes before Gentry either support homomorphic operations (homomorphic addition or multiplication) with a single type [3,4,5] or have some fatal drawbacks [6,7] (i.e., ciphertext size blows up exponentially with the depth of circuits). A new construction was proposed by Brakerski et al. [8] with the assumption of learning with error (LWE) [9]. Much effort has been made to improve its efficiency and make it simple [10,11,12,13].

The security of constructions mentioned above is based on either LWE or ring learning with error (RLWE) [14]. All of the schemes above for fully homomorphic encryption add noise into a ciphertext for security. The noise increases after homomorphic operations and destroys the plaintext once it reaches a certain threshold value, which is related to the parameters used in the scheme. Bootstrapping can be employed to refresh ciphertexts by calculating the decryption circuit homomorphically and reduce the noise to a small value subject to the depth of decryption circuit. There are many works that aim to improve the efficiency of the bootstrapping [15,16,17,18]. However, in some circumstances where the depth of circuits is predetermined, the costly bootstrapping procedure can be avoided by using a so-called leveled homomorphic encryption scheme (LHE). To prevent plaintexts from being destroyed by the noise, the LHE increases the threshold value by simply setting the corresponding parameters to be large enough.

Practically, a computation over bitwise encryptions is not efficient, and we are inclined to construct a scheme that manipulates integers directly. Other types of datam such as real numbers, complex numbers, and rational numbers, can be handled by encoding them as integers. The efficiency of homomorphic encryption schemes can be improved significantly by a judicious choice of plaintext space and encoding techniques. There are a number of works that focus on how to encode different types of data efficiently [19,20,21,22,23,24,25,26,27,28,29]. One useful technique adopted by previous works is to ‘spread out’ the numerical input data as evenly as possible over the whole plaintext space, allowing for a smaller value of the plaintext modulus. The other main approach used for a short amortized time employs the single instruction multiple data (SIMD) method [30], which is compatible with some encoding techniques.

1.2. Encoding for Integers and Real Numbers

In most schemes based on the RLWE assumption, the plaintext elements are represented as polynomials in a ring $R_t={\mathbb{Z}}_t\left[X\right]/{\mathrm{\Phi }}_m\left(x\right)$, where ${\mathrm{\Phi }}_m\left(x\right)$ denotes the m-th cyclotomic polynomial. Integers and real numbers should be transformed into polynomials in the ring before encryption. Here, we focus on how to encode one number as a polynomial. As an example, let $z,B\in \mathbb{Z}$ and encode z as ${\sum }_{i=0}^{n-1}{a}_i{X}^i$ such that $z={\sum }_{i=0}^{n-1}{a}_i{B}^i$, where n is the degree of ${\mathrm{\Phi }}_m\left(x\right)$ and $a_i\in [-(B-1),B-1]$. The above approach is called non-balanced base-B encoding. The other way is simply to encode an integer as a constant polynomial, which is referred to as scalar encoding. Dowlin et al. [21] presented two efficient methods to encode fixed-point numbers. In the first, a fixed point number is encoded via multiplying by a factor to obtain a scaled integer (which then is encoded as a polynomial), whilst in the second, they utilized a fractional representation (which is similar to the non-balanced base-B encoding and allows the exponent to be negative). Costache et al. [20] show that the two representations are, in fact, isomorphic when the same power of 2 cyclotomic ring is used. Many works develop fractional representations [28,29]. Another useful way to encode rational numbers is the Hensel code, which is used for encoding in some homomorphic encryption schemes [22,23].

Which method to use for encoding depends on the problems at hand. Scalar encoding is inefficient in its use of available space in the plaintext polynomial (only the constant coefficient is used). The non-balanced base-B encoding and some variants [20,31] (most of them focus on how to choose B, the range of coefficients, and the format of polynomials) make full use of the space in the plaintext polynomial. However, they have many limitations. When one of the coefficients of the plaintext polynomial exceeds the plaintext modulus t, or the degree of the plaintext polynomial exceeds the degree of ${\mathrm{\Phi }}_m\left(x\right)$, an unexpected result will occur, and we say the computation overflows. As an example, let $n=4,t=4,B=2$, where n is the degree of ${\mathrm{\Phi }}_m\left(x\right)$, and ${\mathrm{\Phi }}_m\left(x\right)=x^4+1$. For a given $z=9$, we have $z=B^3+1$ and thus encode z as $x^3+1$. Decoding is finished by simply replacing x in the plaintext polynomial with B. We add $3x+3$ to z and obtain $x^3+3xmod4$. Decoding $x^3+3x$ will yield the number 14 but not 18.

We stress that the result produced by an overflow is much more unacceptable than an explicit error. Just as with rules in programming, we prefer computer programs where an error occurs in the compilation phase to those returning a nice but incorrect result. The previous works using similar encodings (including the fractional representations for real numbers) suffer from this limitation. The scaling approach was adopted by Cheon et al. [24], who proposed a scheme to handle real numbers. A rescaling operation should be performed to keep the factor of the result consistent after multiplication is carried out. For security, the ciphertext modulus should be divided by the factor (since the ciphertext must look random in the ciphertext space), and the multiplication cannot be performed once the ciphertext modulus reaches some small value. On the other hand, their encoding scheme involves the computation of complex numbers (or circular functions), which leads to the loss of precision.

The Chinese remainder theorem (CRT) [21,28,30] and discrete fast Fourier transform (DFFT) [24,25] are two important ways to implement SIMD for a short, amortized time. The former decomposes the cyclotomic polynomial in the field ${\mathbb{Z}}_t$, where t is the plaintext modulus, by choosing the cyclotomic polynomial and the plaintext modulus carefully; it then builds an isomorphism between $R_t={\mathbb{Z}}_t\left[X\right]/{\mathrm{\Phi }}_m\left(x\right)$ and ${\prod }_{i=1}^k{\mathbb{Z}}_t\left[x\right]/Q_i\left(x\right)$ such that ${\mathrm{\Phi }}_m\left(x\right)={\prod }_{i=1}^k{Q}_i\left(x\right)modt$. Let $M=(m_1,\cdots ,m_k)$ be the message vector. The component $m_i$ can be encoded as a polynomial in the ring ${\mathbb{Z}}_t\left[X\right]/Q_i\left(x\right)$. Then we can construct the plaintext polynomial according to the CRT. The latter takes a message vector as input, then performs the inverse of DFFT on it and outputs the result as a plaintext polynomial. Note that the difference between the two methods is just the field focused on when the polynomial is decomposed as a product of a linear polynomial. We mean that the field in CRT is ${\mathbb{Z}}_t$, but in DFFT, it is $\mathbb{Z}$. We analyze the CRT in this case by the number theory transformation (NTT) for simplicity.

1.3. Our Techniques and Contribution

Here, we sketch the techniques adopted in our scheme. For a given rational number vector $\mathit{r}=(m_1,\cdots ,m_N)\in F_M^N$, we first encode this vector by the Hensel code and obtain $\mathit{z}=(z_1,\cdots ,z_N)$ in ${\mathbb{Z}}_t^N$. Then, we employ the CRT in the field ${\mathbb{Z}}_t$ to decompose $\mathit{z}$ and obtain $({\mathit{c}}_1,\cdots ,{\mathit{c}}_k)\in {\mathbb{Z}}_{t_1}\times \cdots {\mathbb{Z}}_{t_k}$, where $t={\prod }_{i=1}^k{t}_i$. It is known that the larger the plaintext modulus is, the faster the noise increases. The first CRT is used for a smaller plaintext modulus. At last, we perform the inverse of NTT on each component ${\mathit{c}}_i$ and obtain k plaintext polynomials, which can be handled by the FV scheme.

We can control the noise by simply increasing the number k and ensure the space $F_M$ is large enough so the result is always correct. There is no loss of precision during the computation since the scheme works in integer fields. We emphasize that our scheme is efficient, although the number of ciphertexts is linear with k since each ciphertext includes N messages. The security of our scheme is based on the RLWE, and we provide a thorough proof regarding correctness. The choice of parameters is also described in detail.

1.4. Related Work

The scaling approach to encode fixed-point numbers was first used to construct homomorphic encryption in [19]. As mentioned above, the rescaling operation should be performed to keep the factor consistent after multiplication. In their work, a complex extraction used to extract bits was employed to finish the rescaling. Instead, Cheon et al. [24] removed the plaintext modulus to prevent MSBs from being destroyed and used simple division for the rescaling. The non-balanced base-B encoding and some variants [28,29,31] suffer from similar limitations discussed in Section 1.2. The condition for decoding correctly in [28] is relaxed to some extent (the bounding box of the result is covered by the plaintext space). A rational number is encoded into a continued fraction (which can be represented as integers) in [26]. However, this encoding technique requires performing very complex arithmetic operations, such as division and modular reduction.

A variant of the FV scheme [12] was proposed by Chen et al. [23]. The plaintext space in their construction is isomorphic to $Z/(b^n+1)Z$. A new HE scheme with Hensel codes was proposed in [22]. However, the security is not based on the RLWE, and the scheme is substantially different from ours.

The construction proposed by Cheon et al. [24] supports SIMD implemented by the DFFT, different from the CRT adopted in previous works [21,30]. The plaintext modulus is removed in the work to prevent the MSBs of the result from being destroyed (i.e., the plaintext space is R but not $R_t$). Chen et al. [25] employed a new plaintext space and built a ring homomorphism between it and the plaintext space used in [24]. Therefore, they constructed an HE scheme supporting SIMD by combining the variant of FV by Bootland et al. [27] with the batching in [24]. However, the plaintext modulus removed in [24,25] is necessary to employ Hensel codes, which is used in [23] to handle rational numbers for high precision. The fully batching technique cannot be applied for the scheme in [23] because of the modification to the plaintext space.

1.5. Organization

The paper is organized as follows. In Section 2, we first introduce how to encode with batching, and then review the Hensel code. In Section 3, we construct our scheme for rational numbers with high precision and analyze the correctness and security. Section 4 presents rules for the choice of parameters.

2. Preliminaries

All logarithms are base 2 unless otherwise indicated. We denote vectors in bold, e.g., $\mathit{a}$, and every vector in this paper is a column vector. For simplicity, we make no distinction between a polynomial $c\left(x\right)$ and a vector $\mathit{c}$ since the coefficients’ embedding can be applied for transformation easily, and we use them alternately according to the context. For a vector $\mathit{a}$ with dimension m and a vector $\mathit{b}$ with dimension n, $(\mathit{a};\mathit{b})$ denotes the vector with dimension $m+n$ obtained by concatenating vectors $\mathit{a}$ and $\mathit{b}$ in a vertical direction. We denote by $a\mid b$ that a divides b. For a real number r, $\lfloor r\rceil$ denotes the nearest integer to r, and $\lfloor r\rfloor$ denotes the largest integer less than r, rounding upwards in case of a tie. The multiplication of vectors in a component-wise way is denoted by ⨂. For integers modulo $q\in Z_{>0}$, we always use representatives in the symmetric interval $(-q/2,q/2]$. ${[·]}_q$ and $modq$ denote reduction modulo q. We denote by $\overline{\xi }$ the conjugation of $\xi$. Operations defined in scalars can be extended to vectors in a component-wise way. We use $x\leftarrow D$ to denote sampling x according to a distribution D. $x\leftarrow U\left(D\right)$ denotes sampling from the uniform distribution over D when D is a finite set. We let $\lambda$ denote the security parameter throughout the paper: all known valid attacks against the cryptographic scheme under the scope should take $2^{\lambda }$ bit operations.

2.1. Notations

An algebraic number $\xi \in \mathbb{C}$ is any root of a polynomial $f\left(x\right)\in \mathbb{Q}\left[x\right]$. The minimal polynomial of $\xi$ is the unique monic irreducible $f\left(x\right)\in \mathbb{Q}\left[x\right]$ with a minimal degree having $\xi$ as a root. An algebraic integer is an algebraic number whose minimal polynomial $f\left(x\right)$ is in $\mathbb{Z}\left[x\right]$. The quotient ring $R=\mathbb{Z}\left[x\right]/f\left(x\right)$ where $f\left(x\right)$ is a monic irreducible polynomial can be obtained by adjoining an algebraic integer $\xi$ (i.e., $\mathbb{Z}\left[\xi \right]\cong \mathbb{Z}\left[x\right]/f\left(x\right)$). The residue ring modulo of an integer q is denoted by $R_q=R/qR$. An element a in $R_q$ can be represented as $a\left(\xi \right)={\sum }_{i=0}^{N-1}{a}_i{\xi }^i$, whose corresponding vector is denoted by $\mathit{a}=(a_0,a_1,\dots ,a_{N-1})$, where $a_i\in (-q/2,q/2]$, and N is the degree of $f\left(x\right)$. The infinity norm $\parallel a\left(\xi \right)\parallel$ is defined as $max\left(\right|a_i\left|\right)$, and the expansion factor ${\sigma }_R$ is defined as $max(\parallel ab\parallel )/(\parallel a\parallel ·\parallel b\parallel )$. In our case, we use a cyclotomic polynomial with a degree N power of 2 to generate the ring and set the expansion factor N simply. We denote by $\chi$ a discrete Gaussian distribution having a standard deviation $\sigma$. A distribution over the integers is called B-bounded if it is only supported on $[-B,B]$ (with overwhelming probability). The Gaussian distribution with deviation $\sigma$ is B-bounded, and we set $B=8\sigma$ simply.

The semantic security of encryption schemes presented in this paper is based on the RLWE problem introduced in [14].

Definition 1 

(The decision RLWE problem). Let $f\left(x\right)$ be a cyclotomic polynomial with a degree power of 2, $s\in R_q$ be a random element where $R=\mathbb{Z}\left[x\right]/f\left(x\right)$, $a,a^{\prime },b^{\prime }\leftarrow U\left(R_q\right)$, and $e\leftarrow \chi$, where χ is a Gaussian distribution with some deviation σ. The RLWE problem is to distinguish between $(a,b=a·s+e)$ and $(a^{\prime },b^{\prime })$.

The RLWE assumption requires that there is no such probabilistic polynomial adversary that can solve the problem with non-negligible probability. Let $f\left(x\right)=x^N+1$, where $N=2^k$ and t is a prime. We decompose $f\left(x\right)$ in the group ${\mathbb{Z}}_t^{*}$ in the forms of $\prod (x-g^i)$ for NTT.

Lemma 1. 

Let $2N\mid (t-1)$. There exists an element $g\in {\mathbb{Z}}_t^{*}$ such that $f\left(x\right)={\prod }_{i=0}^{N-1}(x-g^{2i+1})modt$.

Proof. 

Let $h\left(x\right)=x^{2N}-1$ and $g\in Z_t^{*}$ be an element with order $2N$ (i.e., $g^{2N}=1modt$). Note that such g must exist since $2N\mid (t-1)$. We have

$$\begin{array}{cc}\hfill h\left(x\right)& =\prod _{i=0}^{2N-1}(x-g^i)modt\hfill \\ \hfill & =(x^N+1)(x^N-1)\hfill \\ \hfill & =f\left(x\right)\prod _{i=0}^{N-1}(x-g^{2i})\hfill \end{array}$$

It is obvious that the set $\{1,g,\cdots ,g^{2N-1}\}$ includes all roots of $h\left(x\right)$ in the field ${\mathbb{Z}}_t^{*}$, so the first equality holds naturally. The third equality holds since $g^2$ is an element in ${\mathbb{Z}}_t^{*}$ with order N. We deduce

$$f\left(x\right)=\prod _{i=0}^{N-1}(x-g^{2i+1})modt$$

□

As an example, let $N=4$ and $t=17$. We have $x^4+1={\prod }_{i=0}^3(x-2^{2i+1})mod17$ such that $2^8=1mod17$.

2.2. Encoding with Batching

Here, we describe the batching technique employed in the work by Cheon et al. Ref. [24] referred to it as HEAAN in a simpler way. Instead of encoding one message in a single plaintext polynomial (by the scalar encoding method or other ways), the batching technique allows us to encrypt multiple messages in a plaintext polynomial.

Write ${\mathbb{Z}}_m^{*}$ for the multiplicative group of units in ${\mathbb{Z}}_m$. The m-th cyclotomic polynomial ${\mathrm{\Phi }}_m\left(x\right)$ is defined as ${\prod }_{k\in {\mathbb{Z}}_m^{*}}(x-{\xi }_m^k)$, where ${\xi }_m={exp}^{2\pi i/m}$. Recall that we have ${\mathrm{\Phi }}_m\left(x\right)=x^{m/2}+1={\prod }_{k=0}^{m/2-1}(x-{\xi }_m^{2k+1})$ for a power-of-two integer m. Let $\mathit{z}$ be a vector of complex numbers with dimension $N/2$. We show how HEAAN encodes $\mathit{z}$ as a plaintext polynomial in $R=\mathbb{Z}\left[x\right]/(X^N+1)$ (note that the plaintext modulus is removed to prevent the MSBs of the results from being destroyed). Intuitively, at most, $N/2$ messages can be packed in a plaintext polynomial with degree N since the values of the polynomial at some root ${\xi }_{2N}^{2k+1}$ and its conjugation ${\xi }_{2N}^{2N-2k-1}$ are conjugate (recall that the values of a plaintext polynomial at all roots of $X^N+1$ are just the messages). The inverse of DFFT (IDFFT) can be applied to calculate the corresponding coefficient vector $\mathit{c}$ with degree N such that

$$\left(\begin{array}{cccc}1& {\xi }_{2N}& \cdots & {\xi }_{2N}^{N-1}\\ 1& {\xi }_{2N}^3& \cdots & {\xi }_{2N}^{3(N-1)}\\ ⋮& ⋮& \ddots & ⋮\\ 1& {\xi }_{2N}^{2N-1}& \cdots & {\xi }_{2N}^{(2N-1)(N-1)}\end{array}\right)\times \mathit{c}=(\mathit{z};\overline{\mathit{z}})$$

• Encode(N,z): Let $\mathit{Z}=(\mathit{z};\overline{\mathit{z}})$ be the vector with dimension N. Let the vector ${\mathit{Z}}^{\prime }=(0,\mathit{Z}\left[0\right],0,\mathit{Z}\left[1\right],\dots ,\mathit{Z}[N-1])$ with dimension $2N$. Invoke $IDFF{T}_{2N}\left({\mathit{Z}}^{\prime }\right)$ and obtain $r\left(x\right)-x^{N}r\left(x\right)$. Return the coefficients of $2r\left(x\right)$ as a vector $\mathit{c}$ with dimension N.
• Decode(N,$\mathit{c}$): Let $\mathit{C}=(\mathit{c};\mathbf{0})$ be the vector with dimension $2N$. Invoke $DFF{T}_{2N}\left(\mathit{C}\right)$ and output a vector ${\mathit{Z}}^{\prime }$ with dimension $2N$. Return the vector $[{\mathit{Z}}^{\prime }\left[1\right],{\mathit{Z}}^{\prime }\left[3\right],\cdots ,{\mathit{Z}}^{\prime }[N-1]]$ with dimension $N/2$.

As an example, let ${\mathrm{\Phi }}_8\left(x\right)=x^4+1$. For a given $\mathit{z}=(3+4i,2-i)$, let ${\mathit{Z}}^{\prime }=[0,3+4i,0,2-i,0,2+i,0,3-4i]$, invoke $IDFF{T}_8\left({\mathit{Z}}^{\prime }\right)$, and obtain $1.25-0.3536x-1.25x^2-0.707x^3-1.25x^4+0.3536x^5+1.25x^6+0.707x^7$. We thus obtain $2r\left(x\right)=2.5-0.707x-2.5x^2-1.414x^3$ and return $\mathit{c}=(2.5,-0.707,-2.5,-1.414)$.

Lemma 2. 

Let $\mathit{z}$ be a vector of complex numbers with dimension $N/2$, $\mathit{c}=Encode(N,\mathit{z}$), and $c\left(x\right)$ be the corresponding polynomial of $\mathit{c}$ (by the coefficient embedding). We have decode(N,$\mathit{c})=\mathit{z}$ and $c\left({\xi }_{2N}^{2k+1}\right)=2r\left({\xi }_{2N}^{2k+1}\right)=\mathit{z}\left[k\right]$, where $k=0,1,\cdots ,N/2-1$.

Proof. 

Recall that we have $m\left({\xi }_{2N}^j\right)={\mathit{Z}}^{\prime }\left[j\right]$ ($j=0,1,\dots ,2N-1$), where $m\left(x\right)=IDFF{T}_{2N}\left({\mathit{Z}}^{\prime }\right)$ (According to our agreement, we make no distinction between a polynomial and its coefficient vector, i.e., $\mathit{c}\left(x\right)=c\left(x\right)$). It is easy to see that the roots of $m\left(x\right)$ in the field $\mathbb{C}$ consist of $\{1,{\xi }_{2N}^2,{\xi }_{2N}^4,\dots ,{\xi }_{2N}^{2N-2}\}$ since ${\mathit{Z}}^{\prime }\left[j\right]=0$ for $2\mid j$. Thus, we write $m\left(x\right)=(1-x^N)r\left(x\right)=c\left(x\right)$. We have $r\left({\xi }_{2N}^j\right)-{\xi }_{2N}^{j·N}r\left({\xi }_{2N}^j\right)={\mathit{Z}}^{\prime }\left[j\right]$. It is obvious that ${\xi }_{2N}^{j·N}=-1$ for an odd number j. We make the conclusion that

$$c\left({\xi }_{2N}^{2k+1}\right)=2r\left({\xi }_{2N}^{2k+1}\right)=\mathit{z}\left[k\right]k=0,1,\cdots ,N/2-1$$

We have $\mathit{C}\left({\xi }_{2N}^j\right)=\mathit{c}\left({\xi }_{2N}^j\right)$ and $\mathit{c}\left({\xi }_{2N}^{2k+1}\right)=\mathit{z}\left[k\right]$. It is easy to verify decode($N,\mathit{c})=\mathit{z}$. □

To finish the batching, the vector $\mathit{c}$ with dimension N should be mapped as a polynomial in R. This can be done by rounding coefficients to the nearest integers. However, this rounding introduces an error that might damage significant bits of input values. To eliminate this error, an input vector is scaled up by some value $\mathrm{\Delta }$. We now show how to encode an integer vector as a plaintext polynomial in $R_t$ with NTT. For $2N\mid (t-1)$, we have $x^N+1={\prod }_{i=0}^{N-1}(x-g^{2i+1})modt$ such that $g^{2N}=1modt$. Intuitively, for a given integral vector $\mathit{z}$, we can use a similar method to obtain the corresponding coefficient vector $\mathit{c}$ with dimension N such that

$$(\mathbf{U}=\left(\begin{array}{cccc}1& g& \cdots & g^{N-1}\\ 1& g^3& \cdots & g^{3(N-1)}\\ ⋮& ⋮& \ddots & ⋮\\ 1& g^{2N-1}& \cdots & g^{(2N-1)(N-1)}\end{array}\right))\times \mathit{c}=\mathit{z}$$

• EncodeINTT($N,\mathit{z}$): Let $\mathit{Z}=[0,\mathit{z}[0],0,\cdots ,\mathit{z}[N-1]$. Invoke $INT{T}_{2N}\left(\mathit{Z}\right)$ and obtain $r\left(x\right)-x^{N}r\left(x\right)$. Return the coefficients $\mathit{c}$ of $2r\left(x\right)$.
• DecodeNTT($N,\mathit{c}$): Let $\mathit{C}=[\mathit{c},\mathbf{0}]$ with dimension $2N$. Invoke $NT{T}_{2N}\left(\mathit{C}\right)$ and obtain ${\mathit{Z}}^{\prime }$. Return $[{\mathit{Z}}^{\prime }\left[1\right],{\mathit{Z}}^{\prime }\left[3\right],\cdots ,{\mathit{Z}}^{\prime }[2N-1]]$.

Similarly, we can show that $2r\left(g^{2k+1}\right)=\mathit{z}\left[k\right]$ for $k=0,1,\dots ,N-1$. The main observation is that $\{1,g^2,\dots ,g^{2N-2}\}$ consists of all roots of $1-x^N$ in the field ${\mathbb{Z}}_t^{*}$. We have $g^{(2k+1)N}=-1modt$. The correctness of decoding is natural with the relationship of NTT and INTT. Different from computation in DFFT and its inverse, an evaluation in NTT and INTT can occur without a loss of precision.

2.3. Hensel Codes

Hensel codes are used to construct a leveled fully homomorphic encryption with the property of error-free computation (or high precision) [22,23]. The main idea is to build an isomorphism between a fraction set $F_M$ and ${\mathbb{Z}}_p$.

$$F_M=\{\frac{x}{y}\left|\right|x|\le M,|y|\le M\}$$

We define a map

$${\mathrm{\Psi }}_p:F_M\to {\mathbb{Z}}_p\frac{x}{y}\to h=x·y^{-1}modp$$

where $M=\lfloor \sqrt{(p-1)/2}\rfloor$ and p is a prime. We write ${\mathrm{\Psi }}_p$ as $\mathrm{\Psi }$ for simplicity. The inverse of the map is implemented by a modified extended Euclidean algorithm. At first, we review how the extended Euclidean algorithm (EEA) runs. The EEA takes as input two integers $x_0$ and $x_1$ and evaluates the greatest common divisors, y and z, for which $y·x_0+z·x_1=gcd(x_0,x_1)$. The computation generates the tuples $(x_2,\dots x_n),(y_2,\dots y_n),(z_2,\dots z_n)$ and $q_i=\lfloor x_{i-1}/x_i\rfloor$ such that

$$\begin{array}{cc}\hfill & x_{i+1}=x_{i-1}-q_i{x}_i\hfill \\ \hfill & y_{i+1}=y_{i-1}-q_i{y}_{i}with{y}_0=0,y_1=1\hfill \\ \hfill & z_{i+1}=z_{i-1}-q_i{z}_{i}with{z}_0=1,z_1=0\hfill \end{array}$$

Moreover, for each $i\le n$, we have $y_i{x}_1+z_i{x}_0=x_i$. The computation stops with $x_n=0$, and then $x_{n-1}$ is equal to $gcd(x_0,x_1)$.

Definition 2 

(Modified Extended Euclidean Algorithm). Let p be an odd prime, $h\in Z$, and $M=\lfloor \sqrt{(p-1)/2}\rfloor$. Run EEA with $x_0=p$ and $x_1=h$ (if $h>p$, we simply swap them). Once $|x_i|\le M$, output $(x,y)=({(-1)}^{i+1}{x}_i,{(-1)}^{i+1}{y}_i)$. We write MEEA $(p,h)=(x,y)$.

Now, we define the inverse of $\mathrm{\Psi }$

$${\mathrm{\Psi }}^{-1}:{\mathbb{Z}}_p\to F_{M}h\to \frac{x}{y}$$

subject to

$$(x,y)=MEEA(p,h)$$

Given $x/y\in F_M$ and an integer k, we have ${\mathrm{\Psi }}^{-1}(\mathrm{\Psi }(x/y)+k·p)=x/y$ because MEEA $(p,k·p)=0$, and $\mathrm{\Psi }\left({\mathrm{\Psi }}^{-1}\left(h\right)\right)=h$ if $h\in {\mathbb{Z}}_p$ [22].

Lemma 3. 

Let p be an odd prime, $M=\lfloor \sqrt{(p-1)/2}\rfloor$. The following hold:

1. 

For $x_1/y_1$ and $x_2/y_2\in F_M$ such that $x_1/y_1\ne x_2/y_2$, we have $x_1{y}_1^{-1}\ne x_2{y}_2^{-1}modp$.

2. 

For a given $h\in Z_p$, there exists $x/y\in F_M$ such that $x{y}^{-1}modp=h$.

3. 

Ψ can be seen as an isomorphism between $F_M$ and $Z_p$ when the evaluation in $F_M$ is closed.

Proof. 

1. From Lemma 1(ii) in [22].

2.

It is easy to verify that MEEA $(p,h)$ will stop and return $(x={(-1)}^{i+1}{x}_i,y={(-1)}^{i+1}{y}_i)$ since gcd $(p,h)=1<M$. Moreover, we have $h=y_i^{-1}{x}_{i}modp=x{y}^{-1}modp$ with $|x_i|<M$ because $y_{i}h+z_{i}p=x_i$.

3.

From proposition 3 in [22], we have that $\mathrm{\Psi }(x_1/y_1+x_2/y_2)=\mathrm{\Psi }(x_1/y_1)+\mathrm{\Psi }(x_2/y_2)$, $\mathrm{\Psi }(x_1/y_1·x_2/y_2)=\mathrm{\Psi }(x_1/y_1)·\mathrm{\Psi }(x_2/y_2)$ if $x_1/y_1+x_2/y_2$ and $x_1/y_1·x_2/y_2$ belong to $F_M$,. We complete the proof of (3) by combining it with (1,2).

□

3. Leveled Homomorphic Encryption Scheme

3.1. A Concrete Scheme

The plaintext space in the FV scheme is $R_t$, where t is referred to as the plaintext modulus and $R_t={\mathbb{Z}}_t\left[x\right]/f\left(x\right)$. Cyclotomic polynomials with a degree power of 2 are used to construct the ring in general for security and efficiency. In practice, error distributions of small width are employed to produce noise for convenience. When using error distributions with small width and considering other rings besides the 2-power cyclotomic rings, there are better-known attacks on the RLWE problem [32,33,34,35]. The ciphertext space is $R_q\times R_q$ and $q\gg t$, so there is enough space for the noise to grow.

We constructed a leveled homomorphic encryption scheme based on the FV scheme. Rational numbers can be handled with high precision.

• SetUp($1^{\lambda }$): Given the security parameter $\lambda$, choose an integer N (N is a power of two), an integer q, denote a set of odd primes by $(t_1,\cdots ,t_k)$, and ensure that any two of them are coprime. For $i=1,\dots ,k$, there are $2N\left|\right(t_i-1)$ and $t_i|q$. Set ${\mathrm{\Delta }}_i=q/t_i$, $M=\lfloor \sqrt{(t-1)/2}\rfloor$, where $t={\prod }_{i=1}^k{t}_i$. Set the distributions ${\chi }_{key}$,${\chi }_{err}$ on $R=\mathbb{Z}\left[x\right]/f\left(x\right)$, where $f\left(x\right)=x^N+1$ for secrets and error, respectively. Choose an integer T.
• KeyGen($1^{\lambda }$): Sample $s\in R$ with coefficients that are uniform in $\{-1,0,1\}$. Output $sk=s$. Sample $a\leftarrow U\left(R_q\right)$ and $e\leftarrow \chi$. Output $pk=({[-(a·s+e)]}_q,a)\in R_q\times R_q$. For $i=0,1,\dots ,l=\lfloor lo{g}_{T}q\rfloor$, sample $a_i\leftarrow R_q,e_i\leftarrow \chi$ and return $rlk=[({[-(a_i·s+e_i)+T^i·s^2]}_q,a_i):i=1,\dots ,l]$.
• Ecd($\mathit{z}$): Given a vector of rational numbers $\mathit{r}\in F_M^N$, compute the integer vector $\mathit{z}={\mathrm{\Psi }}_t($r$)\in {\mathbb{Z}}_t$. Decompose the vector and obtain $\{{\mathit{d}}_1,\cdots ,{\mathit{d}}_k\}\in {\mathbb{Z}}_{t_1}\times \cdots {\mathbb{Z}}_{t_k}$ by the CRT (this process can be done simply by modular reduction). Return the plaintext polynomials $c_i=EncodeINTT(N,{\mathit{d}}_i)$ for $i=1,\dots ,k$. Denote the set $\{c_1,\cdots ,c_k\}$ by C.
• Enc($pk,C$): For $i=1,\dots ,k$, to encrypt the message $c_i\in R_{t_i}$, let $p_0=pk\left[0\right],p_1=pk\left[1\right]$, sample $u\leftarrow R_2,e_1,e_2\leftarrow \chi$, and return ${ct}_i=({[p_0·u+e_1+{\mathrm{\Delta }}_i·c_i]}_q,{[p_1·u+e_1]}_q)$. Denote the set $\{c{t}_i,\dots ,c{t}_k\}$ by $CT$.
• Add($C{T}_1,C{T}_2$): For $i=1,\dots ,k$, let $CT\left[i\right]=({[C{T}_1\left[i\right]\left[0\right]+C{T}_2\left[i\right]\left[0\right]]}_q,{[C{T}_1\left[i\right]\left[1\right]+C{T}_2\left[i\right]\left[1\right]]}_q)$ and return $CT$
• Mul($C{T}_1,C{T}_2,rlk$): For $j=1,\dots ,k$, compute

  $$f_0={\left[\lfloor \frac{t_j(C{T}_1\left[j\right]\left[0\right]·C{T}_2\left[j\right]\left[0\right])}{q}\rceil \right]}_q$$

  $$f_1={\left[\lfloor \frac{t_j(C{T}_1\left[j\right]\left[0\right]·C{T}_2\left[j\right]\left[1\right]+C{T}_1\left[j\right]\left[1\right]·C{T}_2\left[j\right]\left[0\right])}{q}\rceil \right]}_q$$

  $$f_2={\left[\lfloor \frac{t_j(C{T}_1\left[j\right]\left[1\right]·C{T}_2\left[j\right]\left[1\right])}{q}\rceil \right]}_q.$$
  Write $f_2$ in base T, i.e., $f_2={\sum }_{i=0}^l{f}_2^{\left(i\right)}{T}^i$, and set

  $$f_0^{\prime }={[f_0+\sum _{i=0}^{l}rlk\left[i\right]\left[0\right]·f_2^{\left(i\right)}]}_q,f_1^{\prime }={[f_1+\sum _{i=0}^{l}rlk\left[i\right]\left[1\right]]}_q.$$
  Let $CT\left[j\right]=(f_0^{\prime },f_1^{\prime })$ and return $CT$.
• Dec($sk,CT$): For $i=1,\dots ,k$, let $s=sk,f_0=CT\left[i\right]\left[0\right],f_1=CT\left[i\right]\left[1\right]$. Let

  $$C\left[i\right]={\left[\lfloor \frac{t_i{[f_0+f_1·s]}_q}{q}\rceil \right]}_q\in R_{t_i}.$$
• Dcd(C): For $i=1,\cdots ,k$, ${\mathit{d}}_i=$DecodeNTT($N,c_i$). Take $\{{\mathit{d}}_1,\dots ,{\mathit{d}}_k\}$ as input and recover the vector $\mathit{z}$ by the CRT. Return ${\mathrm{\Psi }}_t^{-1}\left(\mathit{z}\right)$.

We refer to $\left(ct\right[0]+ct[1]·s-\mathrm{\Delta }·m)$ as the noise in the ciphertext $ct$. The condition for correct decryption is that the size of noise in a ciphertext is less than $\mathrm{\Delta }/2$, and thus, the noise can be removed after rounding. In fact, not only the size of noise but also the encoding scheme can lead to an unexpected result, as mentioned before. The security of the scheme depends on the hardness of the decision RLWE problem. The following lemma is obtained from the standard noise growth argument for the FV [12].

Lemma 4. 

Let $c{t}_i$ for $i=1,2$ be two ciphertexts, with ${\left[c{t}_i\left[s\right]\right]}_q={\left[(c{t}_i\left[0\right]+c{t}_i\left[1\right]·s)\right]}_q=\mathrm{\Delta }·m+v_i$ and $\parallel v_i\parallel <E<\mathrm{\Delta }/2$. Set $c{t}_{add}=FV.Add(c{t}_1,c{t}_2)$ and $c{t}_{mul}=FV.Mul(c{t}_1,c{t}_2,rlk)$; then,

$${\left[c{t}_{add}\left(s\right)\right]}_q=\mathrm{\Delta }·{[m_1+m_2]}_t+v_{add}$$

$${\left[c{t}_{mul}\left(s\right)\right]}_q=\mathrm{\Delta }·{[m_1·m_2]}_t+v_{mul}$$

with $\parallel v_{add}\parallel <2·E+t$ and $\parallel v_{mul}\parallel <E·t·{\delta }_R({\delta }_R+1.25)+(l+1)B·T·{\delta }_R/2$

Assuming that $\parallel \chi \parallel <B$, the FV can correctly evaluate circuits of multiplicative depth L with

$$4{\delta }_R^L{({\delta }_R+1.25)}^{L+1}{t}^{L+1}<\lfloor q/B\rfloor .$$

The noise growth can be described by Lemma 4. The correctness of decoding is guaranteed if and only if $F_M$ is large enough and the result belongs to the space. Fortunately, the size of the space can be adjusted simply by increasing the parameter k since $M=\sqrt{({\prod }_{i=1}^k{t}_i-1)/2}$. On the other hand, the speed of the noise growth is only related to the maximal value of the set of plaintext moduli. We will discuss the choice of parameters in Section 4 formally.

3.2. Correctness and Security Analysis

Theorem 1 

(Correctness). Let $sk,pk,rlk$ be the keys output by KeyGen($1^{\lambda }$), ${\mathit{z}}_i\in F_M^N(i=1,2)$, and $c{t}_i$ be the ciphertext such that $c{t}_i=$Enc($pk$,Ecd(${\mathit{z}}_i)$). The HE scheme is correct if the following hold:

1. 

Dcd(Dec($sk,c{t}_i$)) = ${\mathit{z}}_i$ for $i=1,2$.

2. 

Dcd(Dec($sk,c{t}_1+c{t}_2$)) = ${\mathit{z}}_1+{\mathit{z}}_2$ if ${\mathit{z}}_1+{\mathit{z}}_2\in F_M^N$.

3. 

Dcd(Dec($sk$,Mul($c{t}_1,c{t}_2,rlk$)))=${\mathit{z}}_1⨂{\mathit{z}}_2$ if ${\mathit{z}}_1⨂{\mathit{z}}_2\in F_M^N$.

Proof. 

The parameter k is set to 1 without loss of generality since the CRT never affects the correctness.

• We have Dec($sk,c{t}_i$) = $c_i\left(x\right)={\mathbf{U}}^{-1}·{\mathrm{\Psi }}_t\left({\mathit{z}}_i\right)$ since $e_i<B<\mathrm{\Delta }/2$. We can deduce that Dcd($c_i$) = ${\mathrm{\Psi }}_t^{-1}·\mathbf{U}({\mathbf{U}}^{-1}·{\mathrm{\Psi }}_t\left({\mathit{z}}_i\right))={\mathit{z}}_i$.
• Because the encryption scheme is based on the FV scheme, we claim that Dec($sk,(c{t}_1+c{t}_2)$) = $(c_1+c_2)modt$ and Dec($sk$, Mul($c{t}_1,c{t}_2$)) = $(c_1·c_2)modf\left(x\right)modt$. We complete the proof by showing Dcd(${\mathit{c}}_1+{\mathit{c}}_2+\mathit{k}·t$) = ${\mathit{z}}_1+{\mathit{z}}_2$ and Dcd($(c_1·c_2+c\left(x\right)·f\left(x\right))modt$) = ${\mathit{z}}_1⨂{\mathit{z}}_2$, respectively, where the degree of the polynomial $c_1\left(x\right)c_2\left(x\right)+c\left(x\right)·f\left(x\right)$ is less than $f\left(x\right)$ and $\mathit{k}$ is an integer vector. We have

  $$\begin{array}{cc}\hfill Dcd(Dec(sk,(c{t}_1+c{t}_2))& =Dcd({\mathit{c}}_1+{\mathit{c}}_2+\mathit{k}·t)\hfill \\ \hfill & ={\mathrm{\Psi }}_t^{-1}·\mathbf{U}({\mathbf{U}}^{-1}·{\mathrm{\Psi }}_t\left({\mathit{z}}_1\right)+{\mathbf{U}}^{-1}·{\mathrm{\Psi }}_t\left({\mathit{z}}_2\right)+\mathit{k}·t)\hfill \\ \hfill & ={\mathrm{\Psi }}_t^{-1}(\mathbf{U}·{\mathbf{U}}^{-1}({\mathrm{\Psi }}_t\left({\mathit{z}}_1\right)+{\mathrm{\Psi }}_t\left({\mathit{z}}_2\right))\hfill \\ \hfill & ={\mathrm{\Psi }}_t^{-1}\left({\mathrm{\Psi }}_t({\mathit{z}}_1+{\mathit{z}}_2)\right)\hfill \\ \hfill & ={\mathit{z}}_1+{\mathit{z}}_2\hfill \end{array}$$

  where, in the third equality, we use the property of Hensel codes that ${\mathrm{\Psi }}_t^{-1}(\mathit{b}·t+{\mathrm{\Psi }}_t\left(\mathit{d}\right))=\mathit{d}$ if d is in $F_M^N$ and b is an integer vector. The last equality holds since ${\mathit{z}}_1+{\mathit{z}}_2$ is in $F_M^N$.
• Let coef be the coefficient vector of the polynomial $c_1\left(x\right)c_2\left(x\right)+c\left(x\right)·f\left(x\right)$. We have

  $$\mathbf{U}·\mathit{coef}=\left(\begin{array}{cccc}1& g& \cdots & g^{N-1}\\ 1& g^3& \cdots & g^{3(N-1)}\\ ⋮& ⋮& \ddots & ⋮\\ 1& g^{2N-1}& \cdots & g^{(2N-1)(N-1)}\end{array}\right)·\mathit{coef}$$
  We interpret the vector $\mathbf{U}·\mathit{coef}$ as the value vector of the polynomial $(c_1{c}_2+c·f)\left(x\right)$ at $\{g,g^3,\dots ,g^{2N-1}\}$. Then,

  $$(\mathbf{U}·\mathit{coef})\left[i\right]=(c_1{c}_2+c·f)\left(g^{2i+1}\right).$$
  On the other hand, $\{g,g^3,\dots ,g^{2N-1}\}$ are all roots of $f\left(x\right)$ in ${\mathbb{Z}}_t^{*}$. We draw the conclusion that

  $$(\mathbf{U}·\mathit{coef})\left[i\right]=\left(c_1{c}_2\right)\left(g^{2i+1}\right)+k_i·t·c\left(g^{2i+1}\right)$$

  and

  $$(\mathbf{U}·\mathit{coef})\left[i\right]modt=\left(c_1{c}_2\right)\left(g^{2i+1}\right).$$
  The following holds:

  $$Dcd\left((c_1\left(x\right)c{\left(x\right)}_2+c\left(x\right)·f\left(x\right))modt\right)={\mathrm{\Psi }}_t^{-1}·\mathbf{U}\left(\mathit{coef}modt\right)$$
  We claim that

  $${\mathrm{\Psi }}_t^{-1}(\mathbf{U}·\mathit{coef}modt)\left[i\right]={\mathit{z}}_1\left[i\right]·{\mathit{z}}_2\left[i\right]$$

  since

  $$\begin{array}{cc}\hfill {\mathrm{\Psi }}_t^{-1}(\mathbf{U}·\mathit{coef}modt)\left[i\right]& ={\mathrm{\Psi }}_t^{-1}\left((\mathbf{U}·\mathit{coef})\left[i\right]modt\right)\hfill \\ \hfill & ={\mathrm{\Psi }}_t^{-1}\left(\left(c_1{c}_2\right)\left(g^{2i+1}\right)\right)\hfill \\ \hfill & ={\mathrm{\Psi }}_t^{-1}(c_1\left(g^{2i+1}\right)·c_2\left(g^{2i+1}\right))\hfill \\ \hfill & ={\mathrm{\Psi }}_t^{-1}({\mathrm{\Psi }}_t\left({\mathit{z}}_1\left[i\right]\right)·{\mathrm{\Psi }}_t\left({\mathit{z}}_2\left[i\right]\right))\hfill \\ \hfill & ={\mathit{z}}_1\left[i\right]·{\mathit{z}}_2\left[i\right]\hfill \end{array}$$

  where the last equality holds because ${\mathit{z}}_1\left[i\right]·{\mathit{z}}_2\left[i\right]$ is in $F_M^N$. We deduce $Dcd\left((c_1\left(x\right)c_2\left(x\right)+c\left(x\right)·f\left(x\right))modt\right)={\mathit{z}}_1⨂{\mathit{z}}_2$. □

Our construction is based on the FV homomorphic encryption scheme, whose security is based on the hardness of the RLWE. By the RLWE assumption, the distribution $(b=a·s+e,a)$ is computationally indistinguishable from the uniform distribution $U(R_q\times R_q)$. More attacks apply when the secret key is sampled from $R_2$ [36]. There are theoretical results showing that certain small secret RLWE variants are as hard as those with $sk\leftarrow {\chi }_{err}$ if the dimension N is increased sufficiently [37].

4. Choice of Parameters

In this section, we discuss how to choose parameters, guarantee a given level of security, and allow a depth L circuit to be evaluated. On the one hand, we should ensure that the noise does not exceed $\mathrm{\Delta }/2$ for correct decryption. On the other hand, the result of the computation should be in $F_M^N$ for correct decoding. A discrete Gaussian distribution with small width (the deviation $\sigma =3.2$) is employed to sample the error in general. For a given security level, the homomorphic encryption standardization [38] gives pairs of $(N,q)$, which achieve the security level. The choice of other parameters depends on the circuits to be evaluated and data to be handled. The plaintext modulus (the maximal plaintext modulus of the plaintext moduli set) determines the depth of circuits by Lemma 4. The number of plaintext moduli k depends on the range of data and circuits. More precisely, we should ensure that the result of computation belongs to $F_M$, where $M=\sqrt{({\prod }_{i=1}^k{t}_i-1)/2}$. This condition can be met simply by increasing k at the cost of partial efficiency.

In

Table 1. Choice of parameters for evaluation of typical functions.

Fun	L	N	t (The Maximal Value)	q	V	k
$2x$	0	1024	$3·2^{12}+1$	$t·2^{17}$	39	1
$x^2$	1	4096	$3·2^{30}+1$	$t·2^{78}$	200	1
$x^4$	2	8192	$15·2^{44}+1$	$t·2^{171}$	58	1
$x^8$	3	16,384	$27·2^{56}+1$	$t·2^{380}$	13	1
$x^4$	2	8192	$15·2^{44}+1,14·2^{44}+1$	$t·2^{171}$	3664	2
$x^8$	3	16,384	$27·2^{56}+1,26·2^{56}+1$	$t·2^{380}$	184	2

, we present the method of parameter setting for the homomorphic evaluation of power functions with different degrees. The inputs for computation are sampled from the fraction set $F_V$ uniformly (i.e., the numerator and denominator of $\mathit{z}\left[i\right]\in [-V,V]$). Some other functions such as exponential functions and sine functions can be evaluated by the Taylor expansion.

The homomorphic evaluation of the circuit $x^4$ with $k=1$ can be computed simultaneously over 8192 slots. We show that the parameters are chosen correctly for decryption and decoding. At first, the choice of $(N,q)$ with a 128-bit security level follows the homomorphic encryption standardization. Secondly, we have $4{\delta }_R^L{({\delta }_R+1.25)}^{L+1}{t}^{L+1}<\lfloor q/B\rfloor$ with $t=15·2^{44}+1$. Finally, it is easy to verify $V^4<\sqrt{(t-1)/2}$ with $V=58$, so the result of computation is in $F_M^N$. We draw the conclusion that the decryption and decoding can be performed correctly. For the circuit $x^4$, we can see the value of V increases to 3664, and the available slots become 4096 when k increases to 2. In fact, we can deduce $V^{\prime }\approx V^k$ for the same circuit with different k, and the available slots are equal to $N/k$. Moreover, we can decrease the plaintext modulus and increase k to handle deeper circuits.

5. Conclusions

In this paper, we construct a leveled homomorphic encryption scheme for rational numbers based on the FV scheme. The deployment of NTT allows us to handle rational numbers by Hensel codes with high precision in parallel. An unexpected result will never occur in our scheme if parameters are chosen correctly, which is just the main idea of the leveled homomorphic encryption. The space $F_M$ never hinders the application of our scheme by simply adjusting the parameter k.