1 Introduction

Homomorphic encryption is a powerful cryptographic primitive that allows for a variety of applications. It is a form of encryption which allows specific types of computations to be carried out on ciphertexts and to obtain an encrypted result which, when decrypted, matches the result of the same operations performed on the plaintext. There are many interesting applications, including private information retrieval (PIR), electronic voting, database encryption, delegated computation and secure multiparty computation (Chen et al. 2012a, b).

Fully homomorphic encryption (FHE) permits arbitrary computation on encrypted data (Gentry 2009). During the past 4 years, numerous constructions of FHE involving novel mathematical techniques, as well as a number of applications, have appeared (Dijk et al. 2010; Stehle and Steinfeld 2010; Smart and Vercauteren 2010; Brakerski and Vaikuntanathan 2011a; Bogdanov and Lee 2011; Brakerski et al. 2012). However, it seems that most of the available FHE schemes still have a long way to go before they can be used in practice. Compared with the theoretically perfect but impractical FHE, somewhat homomorphic encryption (SWHE), which only permits a specific set of operations, seems more efficient, and most actual applications so far only involve SWHE schemes.

The main target of this work is to construct an efficient multi-bit somewhat homomorphic encryption scheme. Starting from Regev’s Learning With Errors over Rings (RLWE)-based scheme (Regev 2009) and using canonical embedding to improve efficiency, we present a new SWHE construction that supports a larger plaintext space and faster encryption. Moreover, we provide a Private Block Retrieval (PBR) protocol using this scheme.

2 Related works

Boneh et al. (2005) described a cryptosystem (denoted by BGN) that permits an arbitrary number of additions and one multiplication, without growing the ciphertext size. Later, in EUROCRYPT 2010, Gentry et al. (2010) constructed a variant of BGN, called GHV, which is based on the Learning With Errors (LWE) assumption, supports a larger message space and has a better message-to-ciphertext expansion ratio than BGN. In GHV, to encrypt \(m^{2}\) bits, the encryption process has a computation cost of \({\tilde{\text{O}}}(m^{3} )\).

Aiming at constructing time-efficient schemes that support larger message spaces, we present a multi-bit SWHE scheme based on the RLWE assumption. Compared with GHV, our scheme is more time-efficient: to encrypt n bits, the total encryption cost is \(\tilde{\rm O}\left( {n\log n} \right)\). This improvement is due to the combination of the more compact RLWE assumption and canonical embedding. We show how to use this scheme to build an efficient PIR (private information retrieval) protocol.

3 Preliminaries

3.1 Homomorphic encryption schemes

Definition 1

A Homomorphic Encryption scheme (HE) can be described as a 4-tuple of algorithms HE = (KeyGen, Enc, Dec, Eval). The algorithms are probabilistic polynomial-time and satisfy the following properties:

  • KeyGen(\(1^{\lambda}\)): given the security parameter λ, output (pk, sk, evk), where pk and sk are the public key and private key respectively, and evk is the public homomorphic evaluation key.

  • Enc(pk, m): given the encryption key pk and a message m, the encryption algorithm outputs a ciphertext c, denoted by c = Enc(pk, m).

  • Dec(sk, c): given a ciphertext c and decryption key sk, output a plaintext m.

  • Eval(evk, f, \(c_{1}, c_{2}, \ldots, c_{l}\)): given the homomorphic evaluation key evk, a function f and l ciphertexts \(c_{1}, c_{2}, \ldots, c_{l}\), output a ciphertext \(c_{f}\) satisfying \(c_{f} = \mathrm{Enc}(pk, f(\mathrm{Dec}(sk, c_{1}), \mathrm{Dec}(sk, c_{2}), \ldots, \mathrm{Dec}(sk, c_{l})))\).

This definition is a generic description of homomorphic encryption schemes, and the details of the function f are omitted. Generally f can be expressed as a Boolean circuit on the field GF(2n), and only contains ADD and OR operations.

3.2 RLWE assumption

The LWE problem has received widespread attention since it was first introduced by Regev (2009). In Eurocrypt 2010, Lyubashevsky et al. (2010) analyzed the efficiency of LWE-based cryptosystems. Under the standard LWE assumption, obtaining one pseudorandom scalar \(b_{i} \in {\mathbb{Z}}_{q}\) requires an n-dimensional inner product. They proposed a more compact version of LWE called RLWE, that is, the LWE assumption on a given ring, where one n-dimensional inner product yields another n-dimensional vector. This improves efficiency by a factor of n.

Definition 2

(RLWE assumption) Let f(x) be an n-degree polynomial with integer coefficients, let q be a prime, and define the ring \(R_{q}\) as \(R_{q} = {\mathbb{Z}}_{q} [x]/\left\langle {f(x)} \right\rangle\). Let χ be an error distribution on \(R_{q}\), \(s\mathop \leftarrow \limits^{\$ } R_{q}\), \(a_{i} \mathop \leftarrow \limits^{\$ } R_{q}\), k = poly(n). Given k pairs \((a_{i}, b_{i} = a_{i}s + e_{i})_{i=1}^{k}\), where \(e_{i}\) is the error vector, \(b_{i}\) is computationally indistinguishable from a uniformly chosen element of \(R_{q}\).

Lyubashevsky et al. (2010) proved that the worst-case Shortest Independent Vector Problem (SIVP) or Shortest Vector Problem (SVP) on ideal lattices can be reduced to RLWE. Their main result can be stated as follows: with error distribution \(D_{\xi}\) and \(\xi = \alpha \cdot (nl/\log(nl))^{1/4}\), given l samples, the RLWE problem is at least as hard as the SIVP problem on such a lattice.

To make the description clearer, we only use the RLWE assumption on the special polynomial ring \(R = {\mathbb{Z}}_{q} [x]/\left\langle {x^{n} + 1} \right\rangle\), where n is a power of 2 and q ≡ 1 mod 2n.

3.3 Canonical embedding in polynomial rings

Canonical embedding was first proposed by Minkowski (Lyubashevsky et al. 2010). Let \(n = 2^{k}\), let q ≡ 1 mod 2n be a prime, and let ω = exp(πi/n). The canonical embedding is then defined as the mapping σ from \(R_{q} = {\mathbb{Z}}_{q} [x]/\left\langle {f(x)} \right\rangle\) into the vector space \({\mathbb{C}}^{n}\) over the complex numbers, namely \(a(x) \mapsto (a(\omega^{1} ),a(\omega^{3} ), \ldots ,a(\omega^{2n - 1} )) \in {\mathbb{C}}^{n}\), where a(x) ∈ \(R_{q}\) and \(f(x) = x^{n} + 1\).

Using canonical embedding, we can map a polynomial in \(R_{q} = {\mathbb{Z}}_{q} [x]/\left\langle {f(x)} \right\rangle\) into a vector. When a polynomial is mapped into a vector in \({\mathbb{C}}^{n}\), both addition and multiplication can be carried out coordinate-wise, which makes computation more convenient. In particular, when q is a prime and q ≡ 1 mod 2n, \(\omega^{2i-1}\), i = 1, …, n−1, are just the n roots of \(x^{n} + 1\) in \({\mathbb{Z}}_{q}\), so a polynomial \(a(x) \in {\mathbb{Z}}_{q} [x]/\left\langle {x^{n} + 1} \right\rangle\) can be mapped into an element of \({\mathbb{Z}}_{q}^{n}\), i.e. an n-dimensional vector over \({\mathbb{Z}}_{q}\).

For a given \(\sigma (a(x)) = (a(\omega^{1} ),a(\omega^{3} ), \ldots ,a(\omega^{2n - 1} )) \in {\mathbb{Z}}_{q}^{n}\), we can recover its preimage a(x) by solving a system of linear equations in n variables.

4 Multi-bit homomorphic encryption schemes based on RLWE assumption

4.1 The basic scheme

The first single-bit public key encryption scheme based on the LWE assumption was proposed by Regev (2009), and a number of other constructions and applications have been derived from it. The multi-bit version of Regev’s scheme can be implemented under the RLWE assumption as follows (Rückert and Schneider 2010).

Scheme 1

(RLWE-based version of Regev’s multi-bit encryption scheme) Parameters: let q be a prime with q ≡ 1 mod 2n, \(R = {\mathbb{Z}}_{q} [x]/\left\langle {x^{n} + 1} \right\rangle\), and let χ be a discrete Gaussian distribution. A sample drawn from χ is denoted by e(x) ∈ R. With r ≥ 1, define the set \(D_{r}\) as \(D_{r} = \left( {Z \cap \left\{ { - \left\lfloor \frac{r}{2} \right\rfloor , \ldots ,\left\lceil \frac{r}{2} \right\rceil } \right\}} \right)/\left\langle {x^{n} + 1} \right\rangle\)

For a positive integer k, define two operations on \(R^{k}\):

  1. Multiplication of two polynomial vectors \(\otimes : R^{k} \times R^{k} \to R\): for any \(\hat{x},\hat{y} \in R^{k}\), \(\hat{x} \otimes \hat{y} = \sum_{i = 1}^{k} {x_{i} y_{i} }\)

  2. Multiplication of a polynomial vector by a polynomial: for any \(\hat{x} \in R^{k}\), y ∈ R, \(\hat{x}y = (x_{1} y, \ldots ,x_{k} y) \in R^{k}\)

    • Private key: randomly choose \(s \xleftarrow{{^{\$ } }} R\); the length of s is \(n\log_{2} q\) bits.

    • Public key: randomly choose a k-dim vector \(\hat{a}\mathop \leftarrow \limits^{\$ } R^{k}\) and an error vector \(\hat{e} \leftarrow \chi_{R,\alpha }^{k}\), where \(\chi_{R,\alpha }^{k}\) is the discrete Gaussian distribution on \(R^{k}\) with expectation 0 and standard deviation \(\alpha \le 1/t\left( {\sqrt {nk} \left\lceil {r/2} \right\rceil + 1} \right)\). Compute the vector \(\hat{b} = \hat{a}s + \hat{e} \in R^{k}\); the public key is \((\hat{a},\hat{b})\). To decrease the key length, we could let all users share the same \(\hat{a}\). The length of the public key is \(kn\log_{2} q\) bits.

    • Encryption: given a plaintext \(m \in D_{1} = {\mathbb{Z}}_{2} [x]/\left\langle {x^{n} + 1} \right\rangle\), randomly choose \(\hat{r}\mathop \leftarrow \limits^{\$ } D_{r}^{k}\) and compute the pair \((c_{0}, c_{1})\) as the ciphertext, where \(c_{0} = \hat{a} \otimes \hat{r} \in R\) and \(c_{1} = \hat{b} \otimes \hat{r} + m(q - 1)/2 \in R\).

    • Decryption: compute \(c_{1} - c_{0} s = m(q - 1)/2 + \hat{e} \otimes \hat{r} \approx m(q - 1)/2\).

Correctness of scheme 1 is shown in Rückert and Schneider (2010), and when \(\alpha \le 1/30\sqrt {nk} \left\lceil {r/2} \right\rceil\), the scheme can decrypt correctly.
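As an added worked example (not code from the paper), the following Python implements the canonical embedding σ of Sect. 3.3 over \({\mathbb{Z}}_{q}\) together with its inverse, multiplies in R coordinate-wise through it, and uses that to run Scheme 1 end to end. The toy parameters n = 8, q = 257, k = 2 and the ternary noise standing in for the discrete Gaussian χ are assumptions made for the demonstration.

```python
"""Canonical embedding over Z_q and the RLWE version of Regev's scheme (Scheme 1).
Constructed toy parameters (an assumption, not from the paper): n = 8, q = 257
(prime, q = 1 mod 2n), k = 2. Noise coefficients come from {-1, 0, 1} instead of
a discrete Gaussian so that |e^ (x) r^| <= k*n = 16 < q/4 holds deterministically."""
import random

N, Q, K = 8, 257, 2


def find_omega(n, q):
    """Return w in Z_q with w^n = -1, i.e. a root of x^n + 1 (exists iff q = 1 mod 2n)."""
    for w in range(2, q):
        if pow(w, n, q) == q - 1:
            return w
    raise ValueError("q must satisfy q = 1 mod 2n")


OMEGA = find_omega(N, Q)
# the odd powers w^(2i-1), i = 1..n, are the n roots of x^n + 1 in Z_q
ROOTS = [pow(OMEGA, 2 * i - 1, Q) for i in range(1, N + 1)]
INV_ROOTS = [pow(rho, Q - 2, Q) for rho in ROOTS]      # rho^-1 by Fermat
INV_N = pow(N, Q - 2, Q)


def sigma(a):
    """Canonical embedding: a(x) -> (a(w), a(w^3), ..., a(w^(2n-1))) in Z_q^n."""
    return [sum(a[j] * pow(rho, j, Q) for j in range(N)) % Q for rho in ROOTS]


def sigma_inv(vec):
    """Inverse embedding: the n evaluations form a Vandermonde system in the n
    coefficients; because the points are the roots of x^n + 1 the solution is
    the closed form a_l = n^-1 * sum_j vec[j] * rho_j^-l (mod q)."""
    return [INV_N * sum(vec[j] * pow(INV_ROOTS[j], l, Q) for j in range(N)) % Q
            for l in range(N)]


def poly_mul(a, b):
    """Product in R_q = Z_q[x]/<x^n + 1>, computed coordinate-wise in the embedding."""
    return sigma_inv([u * v % Q for u, v in zip(sigma(a), sigma(b))])


def poly_add(a, b):
    return [(u + v) % Q for u, v in zip(a, b)]


def rand_poly(coeffs):
    return [random.choice(coeffs) for _ in range(N)]


def keygen():
    """s <- R_q, a^ <- R_q^k, e^ small, b^ = a^ s + e^; public key (a^, b^), private key s."""
    s = rand_poly(range(Q))
    a_vec = [rand_poly(range(Q)) for _ in range(K)]
    e_vec = [rand_poly((-1, 0, 1)) for _ in range(K)]
    b_vec = [poly_add(poly_mul(a, s), e) for a, e in zip(a_vec, e_vec)]
    return (a_vec, b_vec), s


def encrypt(pk, m_bits):
    """Scheme 1: r^ <- D_1^k, c0 = a^ (x) r^, c1 = b^ (x) r^ + m (q-1)/2."""
    a_vec, b_vec = pk
    r_vec = [rand_poly((0, 1)) for _ in range(K)]     # D_1 has {0, 1} coefficients
    c0 = [0] * N
    c1 = [(Q - 1) // 2 * bit for bit in m_bits]
    for a, b, r in zip(a_vec, b_vec, r_vec):
        c0 = poly_add(c0, poly_mul(a, r))
        c1 = poly_add(c1, poly_mul(b, r))
    return c0, c1


def decrypt(s, ct):
    """c1 - c0 s = m (q-1)/2 + e^ (x) r^; centre each coefficient and round to a bit."""
    c0, c1 = ct
    v = [(x - y) % Q for x, y in zip(c1, poly_mul(c0, s))]
    centred = [x - Q if x > Q // 2 else x for x in v]    # lift to (-q/2, q/2]
    return [1 if abs(x) > Q // 4 else 0 for x in centred]


def demo():
    """Encrypt a constructed 8-bit message and return (message, decryption)."""
    m = [1, 0, 1, 1, 0, 0, 1, 0]
    pk, sk = keygen()
    return m, decrypt(sk, encrypt(pk, m))
```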

4.2 A new scheme using canonical mapping

Based on scheme 1, we use canonical mapping to construct a new scheme.

Scheme 2

  • Parameters: Let q be a prime with \(q \equiv 1\;\bmod 2n\), let ω be a root of \(x^{n} + 1\) in \({\mathbb{Z}}_{q}\) such that ω does not divide (q−1)/2. The error distribution \(\chi_{R,\alpha }^{k}\) is the discrete Gaussian distribution on \(R^{k}\) with expectation 0 and standard deviation \(\alpha \le 1/t\left( {\sqrt {nk} \left\lceil {r/2} \right\rceil + 1} \right)\). The definition of \(D_{r}\) and the polynomial vector operations are the same as in scheme 1.

  • Private key: \(s\mathop{\leftarrow}\limits^{\$} R\), such that s(0) is not a divisor of (q−1)/2. The length of the private key is \(n\log_{2} q\) bits.

  • Public key: Randomly choose a k-dim polynomial vector \(\hat{a}\mathop \leftarrow \limits^{\$ } R^{k}\). Choose an error vector \(\hat{e} \leftarrow \chi_{R,\alpha }^{k}\) and set \(\hat{b} = \hat{a}s + \hat{e} \in R^{k}\). To reduce the key length, we can let all users share the same \(\hat{a}\); the public key is \((\hat{a},\hat{b})\), which has a length of \(kn\log_{2} q\) bits.

  • Encryption: Encryption has three steps.

    1. For any given n-bit plaintext \(m \in D_{1}\), let \(m = (m_{0}, m_{1}, \ldots, m_{n-1})\) and randomly choose \(\hat{r}\mathop \leftarrow \limits^{\$ } D_{r}^{k}\).

    2. Compute \(c_{0} = \hat{b} \otimes \hat{r}\), \(c_{1} = \hat{a} \otimes \hat{r}\). Noting that \(c_{0}, c_{1}\) are two polynomials in R, we can use canonical mapping to turn them into vectors in \({\mathbb{Z}}_{q}^{n}\), namely

      $$c_{0} \mapsto (c_{0} (\omega ),c_{0} (\omega^{3} ), \ldots ,c_{0} (\omega^{2n - 1} )) = C_{0}$$
      $$c_{1} \mapsto (c_{1} (\omega ),c_{1} (\omega^{3} ), \ldots ,c_{1} (\omega^{2n - 1} )) = C_{1}$$

    3. Compute \(C_{2} = C_{0} + \frac{q - 1}{2}(m_{0} , \ldots, m_{n - 1} )\), and output the ciphertext \((C_{1}, C_{2})\).

  • Decryption: Also consists of three steps.

    1. Use the inverse of the canonical mapping to turn \(C_{1}\) back into the polynomial \(c_{1} (x) = \hat{a} \otimes \hat{r}\);

    2. Compute \(c_{1} (x) \cdot s = \hat{a} \otimes \hat{r} \cdot s = \hat{b} \otimes \hat{r} - \hat{e} \otimes \hat{r} \approx c_{0} (x)\), and transform \(c_{1}(x) \cdot s\) into a vector S;

    3. Compute \((C_{2} - S)\quad \bmod \;\omega \approx \frac{q - 1}{2}m\).

Theorem 1

When the parameters satisfy the aforementioned requirement, Scheme 2 can decrypt correctly.

Proof

Consider the decryption process,

$$\begin{aligned} C_{2} - S &= C_{0} + \frac{q - 1}{2}m - \sigma \left( {c_{1} \left( x \right) s} \right)\\ &= \left( {\left( {\hat{b} \otimes \hat{r}} \right)\left( \omega \right), \ldots ,\left( {\hat{b} \otimes \hat{r}} \right)\left( {\omega^{2n - 1} } \right)} \right) \\ &\quad-\left( {\left( {\hat{a} \otimes \hat{r}s} \right)\left( \omega \right), \ldots ,\left( {\hat{a} \otimes \hat{r}s} \right)\left( {\omega^{2n - 1} } \right)} \right) + \frac{q - 1}{2}m \end{aligned}$$

We focus on the first item; the case of the other items is analogous. The first item of the above formula is

$$\begin{aligned} &\left( {\hat{a} \otimes \hat{r}s} \right)\left( \omega \right) + \left( {\hat{e} \otimes \hat{r}} \right)\left( \omega \right) - \left( {\hat{a} \otimes \hat{r}s} \right)\left( \omega \right) + \frac{q - 1}{2}m_{0} \\ &\quad= \left( {\hat{e} \otimes \hat{r}} \right)\left( \omega \right) + \frac{q - 1}{2}m_{0} \end{aligned}$$

where \(\left( {\hat{e} \otimes \hat{r}} \right)\left( \omega \right)\) is a polynomial in ω over R, and after the modulo operation only the constant term remains. Let \(\hat{e} = \left( {e_{1} , \ldots ,e_{k} } \right)\), \(\hat{r} = \left( {r_{1} , \ldots ,r_{k} } \right)\); then \(\hat{e} \otimes \hat{r} = \sum\nolimits_{i = 1}^{k} {e_{i} r_{i} }\). Since \(\hat{e} \leftarrow \chi_{R,\alpha }^{k}\), by Chebyshev’s law, for n independent samples \(X_{i} \leftarrow N(\mu, \sigma^{2})\), 1 ≤ i ≤ n, from the same Gaussian distribution, their sum satisfies \(\sum_{i = 1}^{n} X_{i} \leftarrow N(n\mu, n\sigma^{2})\); thus \(\sum_{i = 1}^{k} e_{i} r_{i}\) obeys a normal distribution with expectation 0 and standard deviation \(\sqrt {\sum_{i = 1}^{k} {\left( {r\sqrt n \alpha /2} \right)^{2} } } = \sqrt {nk} r\alpha /2 \le \sqrt {nk} \left\lceil {r/2} \right\rceil \alpha \le 1/t\). According to the tail inequality of the normal distribution, we have \(\Pr \left( {\left[ {\sum_{i = 1}^{k} {e_{i} \left( 0 \right)} } \right] > q/4} \right) = \frac{4}{t}\sqrt {\frac{2}{\pi }} e^{{ - \frac{{t^{2} }}{32}}}\). When t ≥ 30, this value can be ignored, so \(\Pr \left( {\left[ {\sum_{i = 1}^{k} {e_{i} \left( 0 \right)} } \right] \le q/4} \right) \approx 1\). Considering that ω is not a divisor of (q−1)/2, the first item of \(\left( {C_{2} - S} \right)\quad \bmod \;\omega\) is not greater than \(\frac{q}{4} + \frac{q - 1}{2}m_{0}\). This completes the proof.

Theorem 2

For any ɛ > 0 and m ≥ (1 + ɛ)(1 + n) log q, if there exists a probabilistic polynomial-time algorithm that can attack the CPA security of scheme 2 with advantage є, then there exists a polynomial-time distinguisher V that, for any possible private key s, can distinguish the distribution \(\left\{ {\left( {\hat{a},\hat{a}s + \hat{e}} \right)|\hat{a}\mathop \leftarrow \limits^{\$ } R^{k} ,\hat{e} \leftarrow D_{R,\xi } ,s\mathop \leftarrow \limits^{\$ } R} \right\}\) from the uniform distribution U on \(R^{k} \times R^{k}\), where \(\xi = \alpha \cdot (nk/\log(nk))^{1/4}\).

Proof

We only discuss the first bit \(m_{0}\) of a plaintext. Suppose there exists a CPA attacker A that can distinguish the ciphertexts of \(m_{0} = 0\) and \(m_{0} = 1\) with advantage є. We construct a distinguisher V which can distinguish the following two distributions with advantage at least є/2: \(\left\{ {\left( {\hat{a},\hat{a}s + \hat{e}} \right)|\hat{a}\mathop \leftarrow \limits^{\$ } R^{k} ,a_{i} \left( 0 \right) = 1,i = 1, \ldots ,k,\hat{e} \leftarrow D_{R,\xi } ,s\mathop \leftarrow \limits^{\$ } R,s\left( 0 \right) = 1} \right\}\) and the uniform distribution U on \(R^{k} \times R^{k}\). The distinguisher V is constructed as follows.

The input of V is a pair of polynomial vectors \(\left( {\hat{a},\hat{b}} \right)\) in \(R^{k} \times R^{k}\) such that each constant term of \(\hat{a}\) is 1. V invokes A to judge whether \(\left( {\hat{a},\hat{b}} \right)\) is uniformly distributed or is an RLWE pair. Using \(\left( {\hat{a},\hat{b}} \right)\) as the private key, V invokes A, which generates two message bits \(m_{0}, m_{1}\) and sends them to V. V randomly chooses i ∈ {0, 1}, encrypts \(m_{i}\) and sends the ciphertext back to A. If A guesses the correct i and returns it to V, then V outputs 1; otherwise it outputs 0.

Let the challenge ciphertext be \((C_{1}, C_{2})\). If σ is the canonical mapping, then the first coordinates of \(C_{1}\) and \(C_{2}\) are \(\left( {\hat{a} \otimes \hat{r}} \right)\left( \omega \right)\) and \(\left( {\hat{b} \otimes \hat{r}} \right)\left( \omega \right) + \frac{q - 1}{2}m_{0}\) respectively. If \(\hat{b}\) is chosen uniformly at random in \(R^{k}\), independently of \(\hat{a}\), then the first coordinate of the challenge ciphertext is also uniformly random. In this case, the probability that V outputs 1 is at most 1/2. On the other hand, if \(\hat{b} = \hat{a}s + \hat{e}\) and the parameters are chosen according to the requirements, then by assumption the probability that A guesses i correctly is (1 + є)/2, so V outputs 1 with the same probability. This completes the proof: V can distinguish the two distributions with advantage є/2.

4.3 Homomorphic evaluations

Given two ciphertext pairs \((C_{1}, C_{2})\) and \((C_{1}^{\prime}, C_{2}^{\prime})\), where

$$C_{ 1} = (c_{ 1} (\omega ), c_{ 1} (\omega^{ 3} ), \ldots , c_{ 1} (\omega^{ 2n - 1} ))$$
$$C_{2} = \left( {c_{0} \left( \omega \right) + \frac{q - 1}{2}m_{0} ,c_{0} \left( {\omega^{3} } \right) + \frac{q - 1}{2}m_{1} , \ldots ,c_{0} \left( {\omega^{2n - 1} } \right) + \frac{q - 1}{2}m_{n - 1} } \right)$$
$$C_{ 1}^{\prime } = (c_{ 1}^{\prime } (\omega ), c_{ 1}^{\prime } (\omega^{ 3} ), \ldots , c_{ 1}^{\prime } (\omega^{ 2n - 1} ))$$
$$C_{2}^{\prime } = \left( {c_{0}^{\prime } \left( \omega \right) + \frac{q - 1}{2}m_{0}^{\prime } ,c_{0}^{\prime } \left( {\omega^{3} } \right) + \frac{q - 1}{2}m_{1}^{\prime } , \ldots ,c_{0}^{\prime } \left( {\omega^{2n - 1} } \right) + \frac{q - 1}{2}m_{n - 1}^{\prime } } \right)$$

When computing the sum of two ciphertexts, we can simply add them coordinate-wise and get \(\left( {C_{add1} ,C_{add2} } \right) = \left( {C_{1} + C_{1}^{\prime } ,C_{2} + C_{2}^{\prime } } \right)\).

Due to the use of canonical mapping, multiplication of two vectors can also be done coordinate-wise. Let “*” denote the coordinate-wise multiplication of vectors; then \(\left( {C_{mult1} ,C_{mult2} } \right) = \left( {C_{1} *C_{1}^{\prime } ,C_{2} *C_{2}^{\prime } } \right)\).

We focus on the decryption of the first item. The case of the other items is analogous.

The first item of \(C_{2} * C_{2}^{\prime}\) is \(c_{0} \left( \omega \right)c_{0}^{\prime } \left( \omega \right) + \frac{q - 1}{2}m_{0} c_{0}^{\prime } \left( \omega \right) + \frac{q - 1}{2}m_{0}^{\prime } c_{0} \left( \omega \right) + \frac{{\left( {q - 1} \right)^{2} }}{4}m_{0} m_{0}^{\prime }\).

During the decryption process, we need to turn \(C_{1} * C_{1}^{\prime}\) into a polynomial, multiply it by \(s^{2}\) and then transform the result into a vector \(S_{mult}\). The first item of \(S_{mult}\) is

$$s^{2} \left( \omega \right)c_{1} \left( \omega \right)c_{1}^{\prime } \left( \omega \right) = \hat{a} \otimes \hat{r}\left( \omega \right)s\left( \omega \right) \cdot \hat{a} \otimes \hat{r}^{\prime}\left( \omega \right)s\left( \omega \right)$$
(4-1)

Noticing that

$$c_{0} \left( \omega \right)c_{0}^{\prime } \left( \omega \right) = \left[ {\left( {\hat{a} \otimes \hat{r}} \right)\left( \omega \right)s\left( \omega \right) + \left( {\hat{e} \otimes \hat{r}} \right)\left( \omega \right)} \right]\left[ {\left( {\hat{a} \otimes \hat{r}^{\prime}} \right)\left( \omega \right)s\left( \omega \right) + \left( {\hat{e} \otimes \hat{r}^{\prime}} \right)\left( \omega \right)} \right]$$
(4-2)

Subtracting (4-1) from (4-2), we get

$$\begin{gathered} \left( {\hat{e} \otimes \hat{r}} \right)\left( \omega \right)\left( {\hat{e} \otimes \hat{r}^{\prime}} \right)\left( \omega \right) + \left( {\hat{a} \otimes \hat{r}} \right)\left( \omega \right)s\left( \omega \right)\left( {\hat{e} \otimes \hat{r}^{\prime}} \right)\left( \omega \right) \hfill \\ \quad + \left( {\hat{a} \otimes \hat{r}^{\prime}} \right)\left( \omega \right)s\left( \omega \right)\left( {\hat{e} \otimes \hat{r}} \right)\left( \omega \right) = D \hfill \\ \end{gathered}$$

The last decryption step in scheme 2 is to compute \(C_{2} - S\); after a homomorphic multiplication, it is necessary to compute \(C_{2} * C_{2}^{\prime} - S_{mult}\) instead. Its first item is

$$D + \frac{q - 1}{2}m_{0} c_{0}^{\prime } \left( \omega \right) + \frac{q - 1}{2}m_{0}^{\prime } c_{0} \left( \omega \right) + \frac{{\left( {q - 1} \right)^{2} }}{4}m_{0} m_{0}^{\prime }$$

where \(c_{0} \left( \omega \right) = \left( {\hat{a} \otimes \hat{r}} \right)\left( \omega \right)s\left( \omega \right) + \left( {\hat{e} \otimes \hat{r}} \right)\left( \omega \right)\), \(c_{0}^{\prime } \left( \omega \right) = \left( {\hat{a} \otimes \hat{r}^{\prime}} \right)\left( \omega \right)s\left( \omega \right) + \left( {\hat{e} \otimes \hat{r}^{\prime}} \right)\left( \omega \right)\). Noting that, apart from the first item, all other items are multiples of ω, and recalling that ω is not a divisor of \((q-1)^{2}/4\), we can divide the first item by ω and take the residue:

$$\begin{gathered} \left( {\hat{e} \otimes \hat{r}} \right)\left( 0 \right)\left( {\hat{e} \otimes \hat{r}^{\prime}} \right)\left( 0 \right) + \left( {\hat{a} \otimes \hat{r}} \right)\left( 0 \right)s\left( 0 \right)\left( {\hat{e} \otimes \hat{r}^{\prime}} \right)\left( 0 \right) + \hfill \\ \left( {\hat{a} \otimes \hat{r}^{\prime}} \right)\left( 0 \right)s\left( 0 \right)\left( {\hat{e} \otimes \hat{r}} \right)\left( 0 \right) + \frac{q - 1}{2}m_{0} \left[ {\left( {\hat{a} \otimes \hat{r}} \right)\left( 0 \right)s\left( 0 \right) + \left( {\hat{e} \otimes \hat{r}} \right)\left( 0 \right)} \right] \hfill \\ + \frac{q - 1}{2}m_{0}^{\prime } \left[ {\left( {\hat{a} \otimes \hat{r}^{\prime}} \right)\left( 0 \right)s\left( 0 \right) + \left( {\hat{e} \otimes \hat{r}^{\prime}} \right)\left( 0 \right)} \right] + \frac{{\left( {q - 1} \right)^{2} }}{4}m_{0} m_{0}^{\prime } \hfill \\ \end{gathered}$$

Also noting that s(0) is not a divisor of (q−1)/2, dividing the above formula by s(0) and taking the residue, the first item becomes

$$\left( {\hat{e} \otimes \hat{r}} \right)\left( 0 \right)\left( {\hat{e} \otimes \hat{r}^{\prime}} \right)\left( 0 \right) + \frac{q - 1}{2}m_{0} \left( {\hat{e} \otimes \hat{r}} \right)\left( 0 \right) + \frac{q - 1}{2}m_{0}^{\prime } \left( {\hat{e} \otimes \hat{r}^{\prime}} \right)\left( 0 \right) + \frac{{\left( {q - 1} \right)^{2} }}{4}m_{0} m_{0}^{\prime } = \varDelta$$

where \(\left( {\hat{e} \otimes \hat{r}} \right)\left( 0 \right)\) and \(\left( {\hat{e} \otimes \hat{r}^{\prime}} \right)\left( 0 \right)\) are the constant terms of \(\hat{e} \otimes \hat{r}\) and \(\hat{e} \otimes \hat{r}^{\prime}\) respectively.

According to the proof of Theorem 4.1, \(C_{2} * C_{2}^{\prime}\) can be decrypted correctly, yielding the product of the two plaintexts.

4.4 Efficiency

The advantage of scheme 2 lies in its shorter key length and smaller computation cost; we give a detailed analysis below.

Key length: The length of the public key is \(kn\log_{2} q\) bits. The private key is a polynomial in R with constant term 1, and the length of the private key is \(n\log_{2} q\) bits.

Computation cost:

  1. During encryption, the computing cost of polynomial convolution can be reduced through a Fast Fourier Transform. To encrypt n bits, the total computation cost is \(\tilde{\rm O}\left( {n\log n} \right)\).

  2. During decryption, it is necessary to compute the inverse of the canonical mapping, then one polynomial multiplication and one canonical mapping, and finally a vector subtraction. The total computation cost is \(\tilde{\rm O}\left( {n\log n} \right)\).

  3. Homomorphic addition: the addition of two ciphertexts is simply vector addition, with computation cost \(\tilde{\rm O}\left( n \right)\). After an addition the length of the ciphertext is not increased, so the computation cost of decryption remains the same.

  4. Homomorphic multiplication: multiplying two ciphertexts only requires coordinate-wise vector multiplication on \({\mathbb{Z}}_{q}^{n}\), with computing cost \(\tilde{\rm O}\left( {n\log n} \right)\). After multiplication, the length of the ciphertext increases to \(4n\log_{2} q\) bits, i.e. it doubles. In the decryption phase, for each ciphertext element it is necessary to solve a linear equation set, then compute one polynomial multiplication and one subtraction; the total computation cost of decryption is \(\tilde{\rm O}\left( {n^{2} } \right)\).

To sum up, compared with scheme 1, scheme 2 has a clear advantage in efficiency. The key length and computation cost are kept within a reasonable bound. We believe that scheme 2 is a practical somewhat homomorphic encryption scheme.

5 Private information retrieval protocol based on scheme 2

5.1 A PBR protocol

The most representative application of homomorphic encryption is the construction of private information retrieval (PIR) protocols (Cachin et al. 1999). Using homomorphic encryption, the communication complexity of a PIR protocol can be reduced to poly(log n) bits, which is a great improvement. Kushilevitz and Ostrovsky (1997) first introduced homomorphic encryption into PIR protocols; their PIR protocol has sub-linear time complexity and exponential communication cost. Gentry (2009) discussed how to implement a PIR protocol using homomorphic encryption. In 2011, Brakerski and Vaikuntanathan (2011b) presented a generic framework combining an FHE scheme with a symmetric key encryption scheme. Most available PIR protocols deal with single-bit retrieval, while in fact a database record is often longer than one bit; this gives rise to a natural extension of PIR, namely PBR (Private Block Retrieval) protocols.

We introduce a PBR protocol based on scheme 2. Considering a database in which each record is longer than one bit, we use the multi-bit encryption scheme to encrypt the index information, which reduces the number of ciphertexts and also the communication cost.

Suppose there are n records in a database, each of length d bits. The initial position of each record is represented by an index of length log n bits. Let SYM = (SYM.KeyGen, SYM.Enc, SYM.Dec) be a secure symmetric key encryption scheme with plaintext space \(\{0,1\}^{\log n}\); without loss of generality, assume that the ciphertext space is also \(\{0,1\}^{\log n}\). Let \(SWHE = \left( {SWHE.KeyGen,\;SWHE.Enc,\;SWHE.Dec,\;SWHE.Eval} \right)\) be a somewhat homomorphic encryption scheme with plaintext space \(\{0,1\}^{k}\), where k = poly(log n).

Our PBR protocol is comprised of four algorithms:

$$PBR = (Setup,Query,Response,Decode)$$

The algorithms are defined as the following:

  • Setup(\(1^{\lambda}\)): on input the security parameter λ, generate the symmetric key symsk ← SYM.KeyGen(\(1^{\lambda}\)) and the keys of the SWHE scheme (hpk, hevk, hsk) ← SWHE.KeyGen(\(1^{\lambda}\)), then encrypt symsk with the public key, namely \(C_{symsk} \leftarrow SWHE.Enc_{hpk}(symsk)\).

    The setup stage outputs the public parameters Params := (hpk, hevk, \(C_{symsk}\)) and the private parameters Setupstate := (hsk, symsk).

  • Query(\(1^{\lambda}\), setupstate, i): suppose the i-th record is requested, i ∈ {1, …, n}; the user encrypts i with symsk and generates the query string query, namely query ← \(SYM.Enc_{symsk}(i)\).

  • Response(\(1^{\lambda}\), DB, params, query): upon receiving the query string query, the database computes the query function \(h(C_{symsk})\) and sets resp ← \(SWHE.Eval_{hevk}(h(C_{symsk}))\), thereby obtaining a ciphertext of DB[i], where the query function h(x) is defined as

    $$h\left( x \right)\mathop = \limits^{def} DB\left[ {SYM.Dec\left( {x,query} \right)} \right]$$

  • Decode(\(1^{\lambda}\), setupstate, qstate, resp): the receiver decrypts resp and obtains b ← \(SWHE.Dec_{hsk}(resp)\).

5.2 Analysis

The above protocol can be implemented using an LWE-based symmetric encryption scheme combined with our multi-bit SWHE scheme. In this implementation the index has a length of log n bits (here n denotes the number of records in the database), so the size of the query string query is log n bits. According to scheme 2, the response to a query has 2d log q bits. So in the above PBR protocol, to retrieve d bits the protocol has a communication complexity of 2d log q + log n bits, and the communication cost per bit is 2 log q + (log n)/d, which is polynomial in the lengths of q and n. Such a communication complexity is fairly reasonable.

On the other hand, let us consider the computational cost of this protocol. Again according to the SWHE scheme, suppose the decryption algorithm involves one multiplication; then to generate the response the server has a computation cost of \(\tilde{\rm O}\left( {n\log n} \right)\), while on the user side the computation cost of decryption is \(\tilde{\rm O}\left( {n^{2} } \right)\).

6 Conclusion

In this paper we provide a somewhat homomorphic multi-bit encryption scheme based on the RLWE assumption. We use canonical mapping in the encryption process and in the homomorphic evaluations. Due to this technique and the comparatively compact RLWE assumption, the new scheme is time-efficient and the number of ciphertext elements does not increase after homomorphic evaluations. Using this scheme, an efficient PIR protocol can be constructed.

Homomorphic encryption is a new and active area of cryptography. There has been abundant work in recent years on scheme construction and applications, and new methods and ideas continue to appear. However, many problems remain to be solved, both theoretical and practical.

Aiming at performance improvement, we use a new technique to construct our scheme, which is practical in terms of its computation cost and key length; however, because homomorphic multiplication increases the ciphertext length, the scheme is somewhat but not fully homomorphic. Further studies on controlling ciphertext length and ultimately constructing fully homomorphic encryption schemes will be our target in the future.