In 1978, Rivest et al. (1978) proposed the concepts of the data bank and of fully homomorphic encryption. Some individuals and organizations encrypt their original data and store them in the data bank for privacy protection; the data bank is also called the data cloud. The cloud therefore stores a large amount of original data, which is obviously a huge asset. How can these data be used effectively? First of all, we must solve the problem of computing on the encrypted data, which is called the privacy computation problem. Rivest, Adleman and Dertouzos conjectured that if all data are encrypted under a fully homomorphic encryption, that is, if addition and multiplication of ciphertexts are homomorphic to the corresponding addition and multiplication of plaintexts, then the encrypted data can be computed on effectively by elementary operations without changing the structure of the plaintext data (under the condition of homomorphism). The RAD conjecture stood for more than 30 years without a solution, since the cryptographic structure of a fully homomorphic encryption system is too complicated. In 2009, C. Gentry, a computer scientist at Stanford University, first proposed a fully homomorphic encryption scheme based on ideal lattices in Gentry (2009b), for which he won the 2022 Gödel Prize, the highest award in theoretical computer science. Based on Gentry’s work, a second and a third fully homomorphic encryption scheme, based on the LWE distribution and on trapdoor matrix technology respectively, were subsequently proposed; see Brakerski and Vaikuntanathan (2011a), (2011b), (2012), (2014), (2015) and Gentry et al. (2013). The main purpose of this chapter is to systematically analyse and discuss the above three fully homomorphic encryption techniques, in order to understand the latest research trends in post-quantum cryptography.

6.1 Definitions and Examples

Let \(R_1\) be the plaintext space, \(R_2\) be the ciphertext space, R be the keyspace. For \(s\in R\),

$$\begin{aligned} R_1\xrightarrow {\quad f_s \quad } R_2 \xrightarrow {\quad f_s^{-1} \quad } R_1,\ s\in R, \end{aligned}$$

we call \(f_s\) the encryption function under the key s, and \(f_s^{-1}\) the decryption function. In a mathematical cryptosystem, \(f_s\) is injective, so that \(f_s^{-1}\) is the left inverse mapping of \(f_s\), i.e. \(f_s^{-1}f_s=1_{R_1}\), which guarantees that the plaintext is decrypted successfully with probability \(100\%\). In a probabilistic cryptosystem, however, \(f_s\) is not an injective mapping, and the probability that \(f_s^{-1}\) is a left inverse mapping should be close enough to 1, i.e.

$$\begin{aligned} {\text {Pr}}\{f_s^{-1}f_s=1_{R_1}\}\geqslant 1-\delta ,\ \forall \delta >0. \end{aligned}$$

The hash function is a classic probabilistic cryptosystem. The phenomenon that two plaintexts are encrypted into the same ciphertext, in other words that one ciphertext could be decrypted into two plaintexts, is called a collision. If the probability of a collision is small enough, the function is called an anti-collision (collision-resistant) hash function. Cryptosystems constructed from anti-collision hash functions are the mainstream algorithms of probabilistic cryptography. Whether the cryptosystem is mathematical or probabilistic, we treat the decryption transformation \(f_s^{-1}\) as the left inverse mapping of \(f_s\), but in the probabilistic case this is only an equality with high probability.

Definition 6.1.1

Let \(R_1\xrightarrow {\quad f_s \quad } R_2 \xrightarrow {\quad f_s^{-1} \quad } R_1\), R be the keyspace, \(s\in R\), suppose \(R_1\) and \(R_2\) are additive groups.

  1.

    If there is \(s\in R\) such that

    $$\begin{aligned} f_s^{-1}(c_1+c_2)=f_s^{-1}(c_1)+f_s^{-1}(c_2),\ \forall c_1,c_2\in R_2, \end{aligned}$$
    (6.1.1)

    we call \(f_s\) the additive homomorphic encryption function.

  2.

    If ‘multiplication’ is defined in \(R_1\) and \(R_2\), and there is \(s\in R\) such that

    $$\begin{aligned} f_{s^{*}}^{-1}(c_1 c_2)=f_s^{-1}(c_1)\cdot f_s^{-1}(c_2),\ \forall c_1,c_2\in R_2, \end{aligned}$$
    (6.1.2)

    we call \(f_s\) the multiplicative homomorphic encryption function, where \(s^{*}\) is the corresponding key of s under multiplication.

  3.

    If \(f_s\) is both additive and multiplicative homomorphic encryption function, then \(f_s\) is called the fully homomorphic encryption function.

Remark 6.1.1

In general, the multiplication defined on the ciphertext space \(R_2\) is not closed, i.e. there are \(c_1,c_2\in R_2\) with \(c_1 c_2\not \in R_2\). We denote the range of the multiplication by \(R_2\otimes R_2\), i.e.

$$\begin{aligned} \forall c_1,c_2\in R_2\Rightarrow c_1\cdot c_2\in R_2\otimes R_2, \end{aligned}$$

then the corresponding key in \(R_2\otimes R_2\) is \(s^{*}=s\otimes s\).

Remark 6.1.2

By (6.1.1), \(f_s^{-1}(c_1+c_2)\) is the plaintext u corresponding to the ciphertext \(c_1+c_2\), \(f_s^{-1}(c_1)\) and \(f_s^{-1}(c_2)\) are the plaintexts \(u_1\), \(u_2\) corresponding to the ciphertexts \(c_1\) and \(c_2\). (6.1.1) is equivalent to:

$$\begin{aligned} f_s^{-1}(c_1+c_2)=u=u_1+u_2, \end{aligned}$$

that is, ciphertext addition is homomorphic to plaintext addition, and likewise for multiplication. If \(f_s\) is a fully homomorphic encryption, then we can perform polynomial and rational function calculations on ciphertexts. By Taylor expansion, any elementary function (exponential, logarithmic, trigonometric, etc.) can be approximated by polynomials. Therefore, on fully homomorphic encrypted data c we can carry out any elementary operation without changing the structure of the plaintext.

We give a few examples to further illustrate Definition 6.1.1.

Example 6.1

Homogeneous Affine Hill Cryptosystem (see Chap. 4, Sect. 4.7 in Zheng 2022) is additive homomorphic encryption.

Let \(q\geqslant 1\) be a positive integer, \(\mathbb {Z}_q\) be the residue class ring \(\text {mod}\ q\), and \(A\in \mathbb {Z}_q^{n\times n}\) be an invertible n dimensional matrix. The Homogeneous Affine Hill encryption function \(f_A\) is defined as follows: for any plaintext \(m\in \mathbb {Z}_q^n\),

$$\begin{aligned} c=f_A(m)=A\cdot m\in \mathbb {Z}_q^n,\ c\ \text {is the ciphertext}, \end{aligned}$$

it follows that \(f_A^{-1}(c)=A^{-1}c=m\). For any \(c_1,c_2\in \mathbb {Z}_q^n\), we have

$$\begin{aligned} f_A^{-1}(c_1+c_2)=A^{-1}(c_1+c_2)=A^{-1}c_1+A^{-1}c_2=f_A^{-1}(c_1)+f_A^{-1}(c_2), \end{aligned}$$

so \(f_A\) is additive homomorphic encryption.

Example 6.2

The public key cryptography RSA (see Chap. 4, Sect. 4.7 in Zheng 2022) is multiplicative homomorphic encryption.

Let \(n>1\) be the product of two prime numbers, \(\varphi (n)\) be the Euler function, \(1\leqslant e<\varphi (n)\) with \((e,\varphi (n))=1\) be the public key, and \(d=e^{-1}\ \text {mod}\ \varphi (n)\), \(1\leqslant d<\varphi (n)\), be the private key, i.e.

$$\begin{aligned} ed\equiv 1\ (\text {mod}\ \varphi (n)),\ 1\leqslant d<\varphi (n). \end{aligned}$$

We define the encryption function of RSA \(f_e:\mathbb {Z}_n\rightarrow \mathbb {Z}_n\), which is a one-to-one correspondence, by

$$\begin{aligned} c=f_e(m)\equiv m^e\ (\text {mod}\ n),\ \forall m\in \mathbb {Z}_n, \end{aligned}$$

the decryption function is

$$\begin{aligned} f_e^{-1}(c)\equiv c^d\ (\text {mod}\ n). \end{aligned}$$

Obviously, for any two ciphertexts \(c_1,c_2\in \mathbb {Z}_n\), it follows that

$$\begin{aligned} f_e^{-1}(c_1 c_2)\equiv (c_1 c_2)^d\ (\text {mod}\ n) \end{aligned}$$
$$\begin{aligned} \equiv c_1^d\cdot c_2^d\ (\text {mod}\ n) \end{aligned}$$
$$\begin{aligned} \equiv f_e^{-1}(c_1)f_e^{-1}(c_2)\ (\text {mod}\ n). \end{aligned}$$

Thus, we have \(f_e^{-1}(c_1 c_2)=f_e^{-1}(c_1)\cdot f_e^{-1}(c_2)\) in \(\mathbb {Z}_n\), and we confirm that RSA is multiplicative homomorphic encryption.

Based on Examples 6.1 and 6.2, to construct a fully homomorphic encryption system, which is essentially a ring homomorphism between two rings in algebra, let’s look at the following Example 6.3 first.

Example 6.3

Let \(R_1\) and \(R_2\) be two commutative rings and the encryption function \(f: R_1\rightarrow R_2\) be an injective ring homomorphism (a ring monomorphism). Then f is a fully homomorphic encryption.

In fact, since f is injective and \(R_1\) is the plaintext space, \(f(R_1)\subset R_2\) is a subring of \(R_2\), that is, the plaintext space is embedded into the ciphertext space. Let \(c_1,c_2\in R_2\) be any two ciphertexts; then there exist \(u_1,u_2\in R_1\) with \(f(u_1)=c_1\), \(f(u_2)=c_2\), thus,

$$\begin{aligned} f^{-1}(c_1+c_2)=f^{-1}(f(u_1)+f(u_2)) \end{aligned}$$
$$\begin{aligned} =f^{-1}(f(u_1+u_2))=u_1+u_2=f^{-1}(c_1)+f^{-1}(c_2). \end{aligned}$$

Similarly,

$$\begin{aligned} f^{-1}(c_1 c_2)=f^{-1}(f(u_1)\cdot f(u_2)) \end{aligned}$$
$$\begin{aligned} =f^{-1}(f(u_1 u_2))=u_1\cdot u_2=f^{-1}(c_1)\cdot f^{-1}(c_2). \end{aligned}$$

Hence, f is fully homomorphic encryption.

Next, we use the Chinese Remainder Theorem to construct an example of fully homomorphic encryption.

Example 6.4

Let \(N=n_1 n_2\cdots n_k\), where \(\{n_i\}\) are pairwise coprime positive integers. Define the plaintext space \(R_1\) and the ciphertext space \(R_2\) as

$$\begin{aligned} R_1=\mathbb {Z}_{n_1}\oplus \mathbb {Z}_{n_2}\oplus \cdots \oplus \mathbb {Z}_{n_k},\ R_2=\mathbb {Z}_N, \end{aligned}$$

here \(R_1\) is the direct sum of the k rings \(\mathbb {Z}_{n_i}\). Let \(a=(a_1,a_2,\dots ,a_k)\in R_1\) be a plaintext; by the Chinese Remainder Theorem there is exactly one \(x\in \mathbb {Z}_N\) such that

$$\begin{aligned} x\equiv a_i\ (\text {mod}\ n_i),\ 1\leqslant i\leqslant k. \end{aligned}$$

We define the encryption function \(f: R_1\rightarrow R_2\) by \(f(a)=x\). Now we prove that f is a fully homomorphic encryption. Let \(f(a)=x_1\), \(f(b)=x_2\), then

$$\begin{aligned} x_1+x_2\equiv a_i+b_i\ (\text {mod}\ n_i),\ \forall i=1,2,\dots ,k. \end{aligned}$$

So we have

$$\begin{aligned} f^{-1}(x_1+x_2)=a+b=f^{-1}(x_1)+f^{-1}(x_2). \end{aligned}$$

Similarly,

$$\begin{aligned} x_1 x_2\equiv a_i b_i\ (\text {mod}\ n_i),\ \forall i=1,2,\dots ,k. \end{aligned}$$

Therefore,

$$\begin{aligned} f^{-1}(x_1 x_2)=a\cdot b=f^{-1}(x_1)\cdot f^{-1}(x_2). \end{aligned}$$

This means that f is a fully homomorphic encryption. By the Chinese Remainder Theorem, the computational complexity of x is \(O(k\log ^k N)\), so this example gives the simplest fully homomorphic encryption.
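The Chinese Remainder Theorem encryption of Example 6.4, written out as an added Python example (this code is not from the book): the moduli \(n_1,\dots ,n_k\) act as the symmetric key, \(f\) computes the unique \(x\in \mathbb {Z}_N\) by the standard CRT reconstruction formula, and \(f^{-1}\) reduces \(x\) modulo every \(n_i\). Both homomorphic identities of the example are then checked on a constructed plaintext pair; the function names and the sample moduli \((3,5,7)\) are my own choices.

```python
from math import prod

def crt_encrypt(a, moduli):
    # f: (a_1, ..., a_k) in Z_{n_1} (+) ... (+) Z_{n_k}  ->  the unique x in Z_N
    # with x = a_i (mod n_i) for every i (Chinese Remainder Theorem)
    N = prod(moduli)
    x = 0
    for a_i, n_i in zip(a, moduli):
        M_i = N // n_i                        # product of the other moduli
        x += a_i * M_i * pow(M_i, -1, n_i)    # inverse exists since gcd(M_i, n_i) = 1
    return x % N

def crt_decrypt(x, moduli):
    # f^{-1}: reduce the single residue x modulo each n_i
    return tuple(x % n_i for n_i in moduli)

def ring_add(a, b, moduli):
    # componentwise addition in the direct sum R_1
    return tuple((x + y) % n for x, y, n in zip(a, b, moduli))

def ring_mul(a, b, moduli):
    # componentwise multiplication in the direct sum R_1
    return tuple((x * y) % n for x, y, n in zip(a, b, moduli))

def homomorphism_holds(a, b, moduli):
    # Verifies f^{-1}(x1 + x2) = a + b and f^{-1}(x1 x2) = a b for one plaintext pair,
    # i.e. the two identities proved in Example 6.4.
    N = prod(moduli)
    x1, x2 = crt_encrypt(a, moduli), crt_encrypt(b, moduli)
    add_ok = crt_decrypt((x1 + x2) % N, moduli) == ring_add(a, b, moduli)
    mul_ok = crt_decrypt((x1 * x2) % N, moduli) == ring_mul(a, b, moduli)
    return add_ok and mul_ok

if __name__ == "__main__":
    # constructed sample: N = 3 * 5 * 7 = 105, plaintexts a = (1,2,3), b = (2,4,6)
    moduli = (3, 5, 7)
    a, b = (1, 2, 3), (2, 4, 6)
    x1, x2 = crt_encrypt(a, moduli), crt_encrypt(b, moduli)
    print("f(a) =", x1, " f(b) =", x2)
    print("f^-1(x1 + x2) =", crt_decrypt((x1 + x2) % 105, moduli))
    print("f^-1(x1 * x2) =", crt_decrypt((x1 * x2) % 105, moduli))
    print("homomorphic:", homomorphism_holds(a, b, moduli))
```

Note that anyone who knows the moduli can run `crt_decrypt`, which is exactly why this scheme is symmetric and does not answer the asymmetric RAD question discussed after the example.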

From Example 6.4, it can be seen that it is not difficult to construct a symmetric fully homomorphic encryption, but the data bank envisaged by Rivest, Adleman and Dertouzos contains only data encrypted by public key cryptography. So the RAD conjecture is about constructing an asymmetric fully homomorphic encryption system. When the encryption key and the decryption key are separated, it becomes very difficult to satisfy the fully homomorphic property. The work of Gentry in 2009 and later only solves part of the RAD conjecture: a fully homomorphic encryption system can be constructed under a bounded condition, while under the unbounded condition the RAD problem is still an open problem.

Fully homomorphic encryption is similar to a ring homomorphism. When constructing an asymmetric fully homomorphic encryption system, because the problem is too difficult, Gentry decomposed the decryption transformation into a composite of two mappings in Gentry (2010). The fully homomorphic property is then discussed separately for each factor of the composite, which forms the current technology of bounded fully homomorphic encryption.

Let \(R_1\xrightarrow {f_s} R_2 \xrightarrow {f_s^{-1}} R_1\) be a cryptosystem, and assume that \(R_1\) is a ring. Decompose \(f_s^{-1}\) into \(R_2\xrightarrow {\sigma _1} R_3 \xrightarrow {\sigma _2} R_1\), where \(R_3\) is a ring and \(f_s^{-1}=\sigma _2 \circ \sigma _1\). If both \(\sigma _1\) and \(\sigma _2\) are ring homomorphisms, then

$$\begin{aligned} f_s^{-1}(c_1+c_2) &=\sigma _2 (\sigma _1 (c_1+c_2))=\sigma _2(\sigma _1(c_1)+\sigma _1(c_2)) \\ &=\sigma _2 \sigma _1(c_1)+\sigma _2 \sigma _1(c_2)=f_s^{-1}(c_1)+f_s^{-1}(c_2). \end{aligned}$$

Definition 6.1.2

Under the above assumptions, if there is a set M such that

  1.

    If \(f_s^{-1}(c_1)+f_s^{-1}(c_2)\in M\cap R_3\), then

    $$\begin{aligned} f_s^{-1}(c_1+c_2)=f_s^{-1}(c_1)+f_s^{-1}(c_2). \end{aligned}$$
  2.

    If \(f_s^{-1}(c_1)\cdot f_s^{-1}(c_2)\in M\cap R_3\), then

    $$\begin{aligned} f_{s^{*}}^{-1}(c_1c_2)=f_s^{-1}(c_1)f_s^{-1}(c_2). \end{aligned}$$

In general, a bounded fully homomorphic encryption can only perform a finite number of homomorphic calculations: after repeated additions and multiplications of ciphertexts, the corresponding plaintext may exceed the bound, and then the homomorphic property can no longer be guaranteed.

6.2 Gadget Matrix and Gadget Technique

The gadget technique was developed from the work of Ajtai in 1999 (Ajtai, 1999); see Agrawal et al. (2010), Alperin-Sheriff and Peikert (2013), Alwen and Peikert (2009) and Peikert and Waters (2008). It plays an important role in bounded fully homomorphic encryption. To better understand the gadget matrix and the gadget technique, we start with the classical short integer solution problem (SIS).

Let \(A\in \mathbb {Z}_q^{n\times m}\) be a given \(n\times m\) dimensional matrix, \(u\in \mathbb {Z}_q^n\) be the target vector. Find the shortest integer vector \(x\in \mathbb {Z}_q^m\) such that

$$\begin{aligned} Ax\equiv u\ (\text {mod}\ q),\ |x|\leqslant \beta . \end{aligned}$$
(6.2.1)

The shortest integer solution x of (6.2.1) is actually the shortest vector in the following q-ary lattice

$$\begin{aligned} L_u^{\bot }(A)=\{x\in \mathbb {Z}_q^m\ |\ Ax\equiv u\ (\text {mod}\ q)\}\cup q\mathbb {Z}_q^m, \end{aligned}$$
(6.2.2)

which is the general form of the SIS problem. If \(u=0\), the above problem becomes the classic SIS problem. For a general matrix A, the SIS problem is difficult, but for some special matrices, such as the gadget matrix we will introduce later, the exact shortest integer solution is easy to find.

We begin with \(n=1\). Let A be an l dimensional row vector (a \(1\times l\) matrix), where \(l=\lfloor \log _2 q\rceil \) is the integer with \(2^{l-1}\leqslant q<2^l\), and let

$$\begin{aligned} g=\begin{pmatrix} 1 \\ 2 \\ 4 \\ \vdots \\ 2^{l-1} \end{pmatrix}\in \mathbb {Z}_q^l. \end{aligned}$$
(6.2.3)

Lemma 6.2.1

Let \(A=g'\) be the l dimensional row vector (the transpose of g); then the shortest vector in the q-ary lattice \(L_u^{\bot }(g')\) can be computed exactly. Suppose the binary representation of \(u\in \mathbb {Z}_q\) is

$$\begin{aligned} u=(a_0a_1\dots a_{l-1})_2\Rightarrow \alpha =\begin{pmatrix} a_0 \\ a_1 \\ \vdots \\ a_{l-1} \end{pmatrix}\in L_u^{\bot }(g') \end{aligned}$$
(6.2.4)

is the shortest vector. In other words, the smallest integer solution of \(g'x\equiv u\ (\text {mod}\ q)\) is \(x=\alpha \).

Proof

\(u\in \mathbb {Z}_q\), \(0\leqslant u<q\), since \(2^{l-1}\leqslant q<2^l\), u could be represented as

$$\begin{aligned} u=a_0+a_1\cdot 2+\cdots +a_{l-1}2^{l-1},\ a_i=0\ \text {or}\ 1. \end{aligned}$$

By the definition of g in (6.2.3) and of \(\alpha \) in (6.2.4), we have \(g'\alpha =u\), so \(\alpha \) is the smallest integer solution of \(g'x\equiv u\ (\text {mod}\ q)\). Lemma 6.2.1 holds.    \(\square \)

The gadget vector defined by (6.2.3) can also be used as the sample of a one dimensional LWE distribution, so that the corresponding LWE problem can be solved easily. Let \(A=g'\in \mathbb {Z}_q^{1\times l}\), \(b=\begin{pmatrix} b_1 \\ b_2 \\ \vdots \\ b_l \end{pmatrix}\in \mathbb {Z}_q^l\); we get the \(\text {LWE}_{1,q,\chi ,l}\) problem (see Definition 3.3.3 in Chap. 3)

$$\begin{aligned} b_i\equiv _{\chi } 2^i s_i+e_i\ (\text {mod}\ q),\ e=\begin{pmatrix} e_1 \\ e_2 \\ \vdots \\ e_l \end{pmatrix}\leftarrow \chi ^l,\ 1\leqslant i\leqslant l. \end{aligned}$$

If the LWE distribution \(A_{s,\chi }=(g',b)\) is given, we obtain the following relations with high probability

$$\begin{aligned} s_i\equiv _{\chi } 2^{-i}b_i\ (\text {mod}\ q),\ 1\leqslant i\leqslant l. \end{aligned}$$

In order to generalize the above gadget technique to high dimensions, i.e. \(n>1\), we need to replace the gadget vector g defined in (6.2.3) with the gadget matrix. Let \(A=(a_{ij})_{n_1\times n_2}\), \(B=(b_{ij})_{m_1\times m_2}\), the Kronecker product \(A\otimes B\) (see Chap. 2 in Zheng 2022) of the matrices A and B is defined as

$$\begin{aligned} A\otimes B= \begin{pmatrix} a_{11}B &{} a_{12}B &{} \cdots &{} a_{1n_2}B \\ a_{21}B &{} a_{22}B &{} \cdots &{} a_{2n_2}B \\ \vdots &{} \vdots &{} &{} \vdots \\ a_{n_11}B &{} a_{n_12}B &{} \cdots &{} a_{n_1n_2}B \end{pmatrix}_{n_1m_1\times n_2m_2}. \end{aligned}$$
(6.2.5)

Definition 6.2.1

Assume \(n>1\) and let \(I_n\) be the n dimensional identity matrix. We define the \(n\times nl\) dimensional gadget matrix G as the following block diagonal matrix,

$$\begin{aligned} G=I_n\otimes g'=\text {diag}\{g',g',\dots ,g'\}\in \mathbb {Z}_q^{n\times nl}, \end{aligned}$$
(6.2.6)

where g is the gadget vector defined in (6.2.3).

Lemma 6.2.2

Let G be a gadget matrix and \(u\in \mathbb {Z}_q^{n}\) be the target vector. Then the shortest integer solution \(x\in \mathbb {Z}^{nl}\) of the SIS problem \(Gx\equiv u\ (\text {mod}\ q)\) can be uniquely determined by Lemma 6.2.1.

Proof

Let \(u=\begin{pmatrix} u_1 \\ \vdots \\ u_n \end{pmatrix}\in \mathbb {Z}_q^n\) be a given target vector, x be an nl dimensional column vector divided into

$$\begin{aligned} x=\begin{pmatrix} x_1 \\ x_2 \\ \vdots \\ x_n \end{pmatrix},\ \text {where}\ x_i\in \mathbb {Z}^l,\ 1\leqslant i\leqslant n. \end{aligned}$$

Based on the definition of gadget matrix G, the SIS problem \(Gx\equiv u\ (\text {mod}\ q)\) is equivalent to the following n equations:

$$\begin{aligned} g'x_i\equiv u_i\ (\text {mod}\ q),\ 1\leqslant i\leqslant n. \end{aligned}$$

By Lemma 6.2.1, the shortest integer solution of each equation is uniquely determined as \(x_i=\alpha _i\in \mathbb {Z}^l\), so \(x=\begin{pmatrix} \alpha _1 \\ \alpha _2 \\ \vdots \\ \alpha _n \end{pmatrix}\) is the shortest integer solution of \(Gx\equiv u\ (\text {mod}\ q)\).    \(\square \)

Definition 6.2.2

For any \(u\in \mathbb {Z}_q^n\), we define function: \(\mathbb {Z}_q^n\xrightarrow {G^{-1}} \mathbb {Z}^{nl}\) as \(G^{-1}(u)=x\), where \(x\in \mathbb {Z}^{nl}\) is the shortest integer solution of \(Gx\equiv u\ (\text {mod}\ q)\).

Lemma 6.2.2 guarantees the existence of the function \(G^{-1}\) and gives the way to compute the vector x. By Definition 6.2.2, we have

$$\begin{aligned} GG^{-1}(u)\equiv u\ (\text {mod}\ q), \end{aligned}$$
(6.2.7)

the above function \(G^{-1}:\ \mathbb {Z}_q^n\rightarrow \mathbb {Z}^{nl}\) could be regarded as the ‘inverse’ matrix of the gadget matrix G.

When using the gadget matrix G as the LWE distribution sample to solve the LWE problem, notice that for any n dimensional vector \(s=\begin{pmatrix} s_1 \\ s_2 \\ \vdots \\ s_n \end{pmatrix}\in \mathbb {Z}_q^n\), we have

$$\begin{aligned} s'G=(s_1g',s_2g',\dots ,s_ng')\in \mathbb {Z}_q^{nl}. \end{aligned}$$
(6.2.8)

For the LWE distribution \(A_{s,\chi }=(G,b)\), where \(b\in \mathbb {Z}_q^{nl}\), to solve the private key s,

$$\begin{aligned} b'=s'G,\quad b\in \mathbb {Z}_q^{nl},\quad s\in \mathbb {Z}_q^n, \end{aligned}$$

based on (6.2.8), it can be transformed into n one dimensional LWE distribution problems, which has been discussed above.

The solutions of the SIS and LWE problems discussed above are easy to compute because these problems are based on the specific gadget vectors and gadget matrices. To get more general results, we need the trapdoor matrix, the tag matrix (tag) and the Gauss matrix. An integer matrix R is called a Gauss matrix if all of its components are independent and have the discrete Gauss distribution. Since the Gauss distribution has its greatest probability near 0, a random Gauss matrix is also called a short integer vector matrix, in the sense of high probability.

Definition 6.2.3

Let \(A\in \mathbb {Z}_q^{n\times m}\) be a given matrix, \(R\in \mathbb {Z}^{m\times nl}\) be a Gauss matrix, \(H\in \mathbb {Z}_q^{n\times n}\) be an invertible n dimensional square matrix, \(G\in \mathbb {Z}_q^{n\times nl}\) be a gadget matrix, if

$$\begin{aligned} AR\equiv HG\ (\text {mod}\ q), \end{aligned}$$
(6.2.9)

then R is called the trapdoor matrix of A, and H the tag matrix.

Generally, A is called the check matrix, and R satisfying (6.2.9) is called the trapdoor matrix of the check matrix A with tag H. To better understand Definition 6.2.3: by Lemma 6.2.2, the SIS problem generated by the gadget matrix G is easy to solve. If \(H\in \mathbb {Z}_q^{n\times n}\) is an invertible matrix, then the SIS or LWE problems generated by HG are also easy to solve. In fact, for any target vector \(u\in \mathbb {Z}_q^{n}\),

$$\begin{aligned} HGx\equiv u\ (\text {mod}\ q)\Leftrightarrow Gx\equiv H^{-1}u\ (\text {mod}\ q). \end{aligned}$$

The shortest integer solution of the SIS problem on the right-hand side is \(G^{-1}(H^{-1}u)\); therefore, the shortest integer solution of \(HGx\equiv u\ (\text {mod}\ q)\) is \(x=G^{-1}(H^{-1}u)\), i.e. the target vector is replaced by \(H^{-1}u\). The LWE problem generated by HG can be treated in the same way. Next we generalize these results to a general matrix A.

Lemma 6.2.3

For any check matrix \(A\in \mathbb {Z}_q^{n\times m}\), the shortest integer solution of the SIS problem \(Ax\equiv u\ (\text {mod}\ q)\) generated by A can be approximated by

$$\begin{aligned} x=Rw,\quad \text {where}\ w=G^{-1}(H^{-1}u), \end{aligned}$$
(6.2.10)

and R is the trapdoor matrix of A with tag H.

Proof

If the trapdoor matrix R of A exists, substitute \(x=Rw\), \(w\in \mathbb {Z}^{nl}\), into the SIS problem \(Ax\equiv u\ (\text {mod}\ q)\) generated by A (\(x\in \mathbb {Z}^m\), target vector \(u\in \mathbb {Z}_q^n\)); then

$$\begin{aligned} Ax\equiv u\ (\text {mod}\ q)\Rightarrow ARw\equiv u\ (\text {mod}\ q), \end{aligned}$$

and by (6.2.9) we have

$$\begin{aligned} HGw\equiv u\ (\text {mod}\ q)\Rightarrow w=G^{-1}(H^{-1}u). \end{aligned}$$
(6.2.11)

Since w is the shortest integer solution of (6.2.11) and the trapdoor matrix R is a Gauss matrix, \(x=Rw=RG^{-1}(H^{-1}u)\) is a short integer solution of the SIS problem generated by A, i.e. we can regard \(RG^{-1}(H^{-1}u)\) as an approximate solution of the SIS problem.    \(\square \)

To quantify the quality of the approximation (6.2.10), we define the mass \(s_1(R)\) of the trapdoor matrix R by

$$\begin{aligned} s_1(R)=\max \limits _{z\in \mathbb {Z}^{nl},|z|=1} |Rz|. \end{aligned}$$
(6.2.12)

By (6.2.10),

$$\begin{aligned} |x|=|Rw|\leqslant s_1(R)|w|, \end{aligned}$$
(6.2.13)

thus the smaller \(s_1(R)\) is, the shorter |x| is, and the more accurate the approximate solution of the SIS problem. So we say that the smaller \(s_1(R)\) is, the higher the mass (quality) of the trapdoor matrix R.

Finally, let us discuss the generation of the trapdoor matrix. For a uniformly distributed random matrix \(\overline{A}\in \mathbb {Z}_q^{n\times \overline{m}}\), suppose \(\overline{R}\in \mathbb {Z}_q^{\overline{m}\times nl}\) is a Gauss matrix, and let

$$\begin{aligned} A=[\overline{A},HG-\overline{A}\ \overline{R}]\in \mathbb {Z}_q^{n\times m},\ m=\overline{m}+nl, \end{aligned}$$
(6.2.14)

where \(H\in \mathbb {Z}_q^{n\times n}\) is a given invertible matrix, G is the gadget matrix.

Lemma 6.2.4

If A is given by (6.2.14), then the trapdoor matrix of A with the tag H is

$$\begin{aligned} R=\begin{pmatrix} \overline{R} \\ I_n \end{pmatrix}\in \mathbb {Z}_q^{m\times nl},\ m=\overline{m}+nl. \end{aligned}$$
(6.2.15)

Proof

From the definitions of A and R,

$$\begin{aligned} AR &=[\overline{A},HG-\overline{A}\ \overline{R}]\begin{pmatrix} \overline{R} \\ I_n \end{pmatrix}\\ & \equiv \overline{A}\ \overline{R}+HG-\overline{A}\ \overline{R}\ (\text {mod}\ q)\\ & \equiv HG\ (\text {mod}\ q), \end{aligned}$$

so the trapdoor matrix of A with the tag H is \(\begin{pmatrix} \overline{R} \\ I_n \end{pmatrix}\).    \(\square \)
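The gadget technique of Lemmas 6.2.1 and 6.2.2 and the trapdoor construction of Lemmas 6.2.3 and 6.2.4, combined in one added Python example (my code, not the book's): \(G=I_n\otimes g'\) is built with the Kronecker product (6.2.5), \(G^{-1}(u)\) is the bit decomposition of each coordinate, the check matrix is generated as \(A=[\overline{A},HG-\overline{A}\,\overline{R}]\) from (6.2.14), and the SIS instance \(Ax\equiv u\) is solved by \(x=R\,G^{-1}(H^{-1}u)\) from (6.2.10). The identity block of \(R\) is taken to be \(nl\times nl\), which is the size forced by \(R\in \mathbb {Z}^{m\times nl}\) with \(m=\overline{m}+nl\). Assumptions of mine: q is prime (so \(H^{-1}\bmod q\) can be computed by Gauss-Jordan elimination), \(\overline{R}\) is sampled as a rounded continuous Gaussian standing in for the discrete Gauss distribution, and the toy parameters in `demo` (n = 2, q = 17, \(\overline{m}=4\), tag H unit upper triangular) are constructed.

```python
import random

def gadget_len(q):
    # l with 2^{l-1} <= q < 2^l, i.e. the bit length of q (cf. (6.2.3))
    return q.bit_length()

def kron(A, B, q):
    # Kronecker product (6.2.5) of an n1 x n2 and an m1 x m2 matrix, entries reduced mod q
    n1, n2, m1, m2 = len(A), len(A[0]), len(B), len(B[0])
    K = [[0] * (n2 * m2) for _ in range(n1 * m1)]
    for i in range(n1):
        for j in range(n2):
            for k in range(m1):
                for t in range(m2):
                    K[i * m1 + k][j * m2 + t] = (A[i][j] * B[k][t]) % q
    return K

def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def gadget_matrix(n, q):
    # G = I_n (x) g'  with  g' = (1, 2, 4, ..., 2^{l-1})   (6.2.6)
    g_row = [[(1 << j) % q for j in range(gadget_len(q))]]
    return kron(identity(n), g_row, q)

def gadget_inverse(u, q):
    # G^{-1}(u) of Definition 6.2.2: bit-decompose every coordinate (Lemmas 6.2.1, 6.2.2)
    l = gadget_len(q)
    x = []
    for u_i in u:
        u_i %= q
        x.extend((u_i >> j) & 1 for j in range(l))
    return x

def matvec(A, x, q=None):
    y = [sum(a * b for a, b in zip(row, x)) for row in A]
    return y if q is None else [v % q for v in y]

def matmul(A, B, q):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) % q
             for j in range(len(B[0]))] for i in range(len(A))]

def mat_inv_mod(H, q):
    # Gauss-Jordan inversion over Z_q (q prime); raises ValueError if H is singular mod q
    n = len(H)
    M = [[v % q for v in row] + identity(n)[i] for i, row in enumerate(H)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col]), None)
        if piv is None:
            raise ValueError("matrix is singular mod q")
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, q)
        M[col] = [v * inv % q for v in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(a - f * b) % q for a, b in zip(M[r], M[col])]
    return [row[n:] for row in M]

def gen_trapdoor(n, mbar, q, H, sigma, rng):
    # (6.2.14)/(6.2.15): A = [Abar | HG - Abar*Rbar] with trapdoor R = [Rbar ; I_{nl}].
    # Rbar uses a rounded continuous Gaussian as a stand-in for the discrete Gauss distribution.
    nl = n * gadget_len(q)
    G = gadget_matrix(n, q)
    Abar = [[rng.randrange(q) for _ in range(mbar)] for _ in range(n)]
    Rbar = [[round(rng.gauss(0, sigma)) for _ in range(nl)] for _ in range(mbar)]
    HG, AR = matmul(H, G, q), matmul(Abar, Rbar, q)
    A = [Abar[i] + [(HG[i][j] - AR[i][j]) % q for j in range(nl)] for i in range(n)]
    R = Rbar + identity(nl)       # m x nl with m = mbar + nl, so AR = HG (mod q)
    return A, R

def solve_sis(A, R, H, u, q):
    # (6.2.10): x = R * G^{-1}(H^{-1} u) is a short integer solution of A x = u (mod q)
    w = gadget_inverse(matvec(mat_inv_mod(H, q), u, q), q)
    return matvec(R, w)           # kept as an integer vector: its size is what matters

def check_sis(A, x, u, q):
    return matvec(A, x, q) == [v % q for v in u]

def demo(seed=7):
    # constructed toy instance: n = 2, q = 17 (prime, l = 5), mbar = 4, H = [[1,1],[0,1]]
    q, n, mbar, u = 17, 2, 4, [5, 9]
    H = [[1, 1], [0, 1]]
    A, R = gen_trapdoor(n, mbar, q, H, 2.0, random.Random(seed))
    x = solve_sis(A, R, H, u, q)
    return A, R, x, check_sis(A, x, u, q)

if __name__ == "__main__":
    A, R, x, ok = demo()
    print("x =", x, " A x = u (mod q):", ok)
```

Because `A` is built from `Rbar` and `G`, `AR ≡ HG (mod q)` holds exactly for every seed, so `solve_sis` always returns a valid solution; how short it is depends on the entries of `Rbar`, which is exactly what the mass \(s_1(R)\) of (6.2.12) measures.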

The mass \(s_1(R)\) of the Gauss matrix R can be estimated using classical random matrix theory. The following result is taken from R. Vershynin’s monograph ‘Compressed Sensing, Theory and Applications’, Chap. 5, pp. 210–268, Cambridge University Press, 2012.

Lemma 6.2.5

Suppose \(R=\begin{pmatrix} \overline{R} \\ I_n \end{pmatrix}\) is given by (6.2.15), where \(\overline{R}\) is a Gauss matrix whose entries have the discrete Gauss distribution with parameter s. Then with high probability we have

$$\begin{aligned} s_1(R)=O(s(\sqrt{\overline{m}}+\sqrt{nl})). \end{aligned}$$

Proof

By the definition of the trapdoor matrix,

$$\begin{aligned} s_1(R) &=\max \limits _{z\in \mathbb {Z}^{nl},|z|=1}|Rz|=\max \limits _{z\in \mathbb {Z}^{nl},|z|=1} \Big |\begin{pmatrix} \overline{R} \\ I_n \end{pmatrix} z \Big | \\ &=\max \limits _{z\in \mathbb {Z}^{nl},|z|=1} \Big | \begin{pmatrix} \overline{R} z \\ z \end{pmatrix} \Big |=\max \limits _{z\in \mathbb {Z}^{nl},|z|=1} \sqrt{|\overline{R}z|^2+|z|^2}, \end{aligned}$$

denote \(\overline{R}=(r_{ij})_{\overline{m}\times nl}\), where \(r_{ij}\) has the discrete Gauss distribution with parameter s. By Chebyshev’s inequality, for any positive integer k,

$$\begin{aligned} {\text {Pr}}\{|r_{ij}|\leqslant ks\}\geqslant 1-\frac{{\text {Var}}(r_{ij})}{k^2 s^2}\geqslant 1-\frac{s^2}{2\pi k^2 s^2}=1-\frac{1}{2\pi k^2}. \end{aligned}$$

It follows that the probability that all \(\overline{m}\cdot nl\) variables \(r_{ij}\) satisfy \(|r_{ij}|\leqslant ks\) is at least \((1-\frac{1}{2\pi k^2})^{\overline{m}nl}\). We choose k large enough that this probability is sufficiently close to 1; thus,

$$\begin{aligned} s_1(R)=\max \limits _{z\in \mathbb {Z}^{nl},|z|=1} \sqrt{|\overline{R}z|^2+|z|^2}\leqslant \sqrt{\sum \limits _{i=1}^{\overline{m}} \sum \limits _{j=1}^{nl} r_{ij}^2 +1 } \end{aligned}$$
$$\begin{aligned} \leqslant \sqrt{1+\overline{m}nl k^2 s^2}\leqslant Ks(\sqrt{\overline{m}}+\sqrt{nl}),\quad \end{aligned}$$

where \(K=(k+1)\sqrt{\overline{m}nl}\,/\,(\sqrt{\overline{m}}+\sqrt{nl})\), so we have

$$\begin{aligned} {\text {Pr}}\{s_1(R)\leqslant Ks(\sqrt{\overline{m}}+\sqrt{nl})\}\geqslant \Big (1-\frac{1}{2\pi k^2}\Big )^{\overline{m}nl}, \end{aligned}$$

i.e. in the sense of high probability

$$\begin{aligned} s_1(R)=O(s(\sqrt{\overline{m}}+\sqrt{nl})). \end{aligned}$$

   \(\square \)

6.3 Bounded Fully Homomorphic Encryption

In 2009, C. Gentry of Stanford University in the USA first proposed a bounded fully homomorphic encryption based on ideal lattices, which has had a great influence on the field of theoretical computer science, and a number of improved works have been proposed one after another. Brakerski and Vaikuntanathan proposed a fully homomorphic encryption system based on LWE cryptography in 2011 (see Brakerski & Vaikuntanathan, 2011a, 2011b, 2014, 2015), which we call BV fully homomorphic encryption. Another improvement is the fully homomorphic encryption using trapdoor matrices proposed by Gentry, Sahai and Waters in 2013, which we call GSW fully homomorphic encryption. The BV and GSW cryptosystems are currently the most active, cutting-edge research directions. The main purpose of this section is to introduce these two fully homomorphic encryption systems.

1. BV fully homomorphic encryption

Recall the LWE cryptosystem of Regev introduced in Chap. 4. Let \(n\geqslant 2\), \(q\geqslant 2\), and let \(\chi \) be a given distribution on \(\mathbb {Z}_q\). The \((n-1)\) dimensional LWE distribution obtained by random sampling is (see Definition 3.3.2 in Chap. 3)

$$\begin{aligned} \left\{ \begin{array}{l} A_{s,\chi }=(\overline{a},b)\in \mathbb {Z}_q^{n-1}\times \mathbb {Z}_q,\\ b\equiv _{\chi } <\overline{a},\overline{s}>+e\ (\text {mod}\ q), \end{array} \right. \end{aligned}$$
(6.3.1)

where \(\overline{a}\in \mathbb {Z}_q^{n-1}\) is uniformly distributed, \(\overline{s}\in \mathbb {Z}_q^{n-1}\) is the randomly chosen private key, \(e\in \mathbb {Z}_q\) has the distribution \(\chi \). Generally, \(\chi \) is chosen as the discrete Gauss distribution on \(\mathbb {Z}_q\). Let

$$\begin{aligned} a=\begin{pmatrix} \overline{a} \\ b \end{pmatrix}\in \mathbb {Z}_q^n,\quad s=\begin{pmatrix} -\overline{s} \\ 1 \end{pmatrix}\in \mathbb {Z}_q^n, \end{aligned}$$

where a is the public key and s is the private key. The key identity of the LWE cryptosystem (\(m=1\)) for encryption and decryption is:

$$\begin{aligned} {<}a,s{>} & =(-\overline{s}',1)\begin{pmatrix} \overline{a} \\ b \end{pmatrix}\\ &=b-{<}\overline{a},\overline{s}{>}\equiv _{\chi }e\ (\text {mod}\ q), \end{aligned}$$
(6.3.2)

\(e\in \mathbb {Z}_q\) has the discrete Gauss distribution, and e is very close to 0 with high probability, so it is also called the error term.

To better understand the fully homomorphic encryption technology based on the above LWE cryptosystem, we rewrite it in the form of a symmetric encryption using formula (6.3.2).

Most significant bit

Let \(s\in \mathbb {Z}_q^n\) be a private key, \(q>2\) be an odd number and \(u\in \mathbb {Z}_2\) be the plaintext. The most significant bit encryption of the plaintext u under the LWE distribution A is \(c=f_A(u)\), where \(c\in \mathbb {Z}_q^n\) is the ciphertext satisfying

$$\begin{aligned} {<}s,c{>}\equiv _{\chi } u\left\lfloor \frac{q}{2}\right\rceil \ (\text {mod}\ q),\ c\in \mathbb {Z}_q^n, \end{aligned}$$
(6.3.3)

where \({<}s,c{>}\) is the inner product. Equation (6.3.3) is not an exact congruence, but a congruence with an error term that is small with high probability. It should be noted that the encryption function \(f_A\) is only formal; its specific algorithm depends on the samples of the LWE distribution (see Chap. 4).

Using the private key \(s\in \mathbb {Z}_q^n\), the decryption of the ciphertext c is defined by

$$\begin{aligned} f_A^{-1}(c) & \equiv _{\chi }\left\lfloor \frac{2}{q}{<}s,c{>}\right\rceil \ (\text {mod}\ q) \\ & \equiv _{\chi }\left\lfloor \frac{2}{q}\left\lfloor \frac{q}{2}u\right\rceil \right\rceil \ (\text {mod}\ q)\\ & \equiv _{\chi } u\ (\text {mod}\ q)\ (\text {see Lemma 3.3 in Chap.\,4}). \end{aligned}$$
(6.3.4)

In order to better understand the (bounded) fully homomorphic property of the LWE cryptosystem, we rewrite the most significant bit encryption as the following equivalent least significant bit encryption.

Least significant bit

Assume \(q>2\) is an odd number. Let \(u\in \mathbb {Z}_2\) be a given plaintext and let m be an integer with \(m\equiv u\ (\text {mod}\ 2)\) and \(-\frac{q}{2}<m\leqslant \frac{q}{2}\), i.e.

$$\begin{aligned} m\in \{u+2\mathbb {Z}\}\cap \big (-\frac{q}{2},\frac{q}{2}\big ]. \end{aligned}$$
(6.3.5)

The least significant bit encryption of u is \(f_A(u)=c\in \mathbb {Z}_q^n\), where the ciphertext c satisfies

$$\begin{aligned} {<}s,c{>}\equiv m\ (\text {mod}\ q), \end{aligned}$$
(6.3.6)

and, unlike (6.3.3), (6.3.6) is an exact congruence equation.

The decryption of the ciphertext c still uses the private key \(s\in \mathbb {Z}_q^n\), which is divided into the following two steps:

  1.

    There exists exactly one m satisfying \(m\equiv {<}s,c{>}\ (\text {mod}\ q)\) and \(-\frac{q}{2}\leqslant m<\frac{q}{2}\).

  2.

    \(u\equiv m\ (\text {mod}\ 2)\), then we get the plaintext \(f_A^{-1}(c)=u\).

We will prove that the most significant bit and the least significant bit encryptions are actually equivalent for multibit plaintexts in the general case. First, we look at the difference between the two encryptions in the case \(u\in \mathbb {Z}_2\). Write Eq. (6.3.3) in the error form,

$$\begin{aligned} {<}s,c{>}\equiv e+u\left\lfloor \frac{q}{2}\right\rceil \ (\text {mod}\ q), \end{aligned}$$

then

$$\begin{aligned} f_A^{-1}(c)\equiv \left\lfloor \frac{2}{q}e\right\rceil +u\ (\text {mod}\ q). \end{aligned}$$

For a real number x, \(\lfloor x\rceil =0\Leftrightarrow -\frac{1}{2}<x\leqslant \frac{1}{2}\), so decryption is correct whenever \(-\frac{q}{4}<e\leqslant \frac{q}{4}\). Compared with (4.1.7) in Chap. 4, the decryption of Regev’s cryptosystem is actually Eq. (6.3.4) here. This observation enables us to construct a corresponding cryptosystem for multibit plaintexts.

Let \(1<p<q\) be two positive integers, \((p,q)=1\), \(\mathbb {Z}_p\) be the plaintext space, \(\mathbb {Z}_q^n\) be the ciphertext, \(s\in \mathbb {Z}_q^n\) be the randomly chosen private key.

Most significant bit: for a given plaintext \(u\in \mathbb {Z}_p\), we define the most significant bit of u as \(M(u)=w\in \mathbb {Z}_q\) satisfying

$$\begin{aligned} \left\lfloor \frac{p}{q}w\right\rceil \equiv u\ (\text {mod}\ p), \end{aligned}$$
(6.3.7)

in fact, based on \(w={<}s,c{>}\), we can write the ciphertext as,

$$\begin{aligned} M(u)=w\equiv \left\lfloor \frac{q}{p}u\right\rceil \ (\text {mod}\ q), \end{aligned}$$
(6.3.8)

the decryption function

$$\begin{aligned} M^{-1}(w)\equiv \left\lfloor \frac{p}{q}w\right\rceil \equiv u\ (\text {mod}\ p), \end{aligned}$$

we can get the plaintext u.

Least significant bit: the least significant bit for a given plaintext \(u\in \mathbb {Z}_p\) is v, i.e. \(L(u)=v\in \mathbb {Z}_q\) satisfies

$$\begin{aligned} v\equiv e\ (\text {mod}\ q),\ e\equiv u\ (\text {mod}\ p),\ -\frac{q}{2}\leqslant e<\frac{q}{2}, \end{aligned}$$

the decryption of the ciphertext v: there exists only one \(e\in [-\frac{q}{2},\frac{q}{2})\) with \(v\equiv e\ (\text {mod}\ q)\); let \(u\equiv e\ (\text {mod}\ p)\), then \(L^{-1}(v)=u\). In fact the v here is \({<}s,c{>}\).

Lemma 6.3.1

If \(1<p<q\), \((p,q)=1\), then the most significant bit and the least significant bit are equivalent.

Proof

Since \((p,q)=1\), then there are integers \(c_p\in \mathbb {Z}\), \(c_q\in \mathbb {Z}\Rightarrow \)

$$\begin{aligned} c_p\cdot p+c_q\cdot q=1. \end{aligned}$$

Actually \(c_p\) is the multiplicative inverse of p under \(\text {mod}\ q\), \(c_q\) is the multiplicative inverse of q under \(\text {mod}\ p\). Denote \(c_p=p^{-1}\) and \(c_q=q^{-1}\).

Assume \(v\in \mathbb {Z}_q\) is the least significant bit of the plaintext \(u\in \mathbb {Z}_p\), i.e. \(L(u)=v\). We are to prove that the most significant bit of the plaintext \(-q^{-1}u\in \mathbb {Z}_p\) is \(p^{-1}v\in \mathbb {Z}_q\), i.e.

$$\begin{aligned} M(-q^{-1}u)=p^{-1}v. \end{aligned}$$

Based on \(v\equiv e\ (\text {mod}\ q)\), \(e\in \{u+p\mathbb {Z}\}\cap [-\frac{q}{2},\frac{q}{2})\), so we have

$$\begin{aligned} \left\lfloor \frac{p}{q}p^{-1}v\right\rceil & =\left\lfloor \frac{p}{q}e \frac{1-c_q q}{p}\right\rceil \\ & =\left\lfloor \frac{e}{q}-ec_q\right\rceil \\ & =-c_q e\equiv -q^{-1}u\ (\text {mod}\ p), \end{aligned}$$

this means \(M(-q^{-1}u)=p^{-1}v\). On the other hand, if \(w=M(u)\), i.e. w is the most significant bit of the plaintext u, we confirm that the least significant bit of \(-qu\) is just \(pw\in \mathbb {Z}_q\), i.e.

$$\begin{aligned} L(-qu)=pw\in \mathbb {Z}_q, \end{aligned}$$

by the definition of the most significant bit,

$$\begin{aligned} \left\lfloor \frac{p}{q}w\right\rceil =\frac{p}{q}w-r\equiv u\ (\text {mod}\ p), \end{aligned}$$

where \(-\frac{1}{2}\leqslant r<\frac{1}{2}\), so (since \((p,q)=1\))

$$\begin{aligned} pw-qr\equiv qu\ (\text {mod}\ p). \end{aligned}$$

Let \(qr=e\), we get

$$\begin{aligned} pw-e\equiv qu\ (\text {mod}\ pq),\ -\frac{q}{2}\leqslant e<\frac{q}{2}, \end{aligned}$$

it follows that \(pw\equiv e\ (\text {mod}\ q)\), and \(e\equiv -qu\ (\text {mod}\ p)\), namely \(L(-qu)=pw\).

Above all, there is a one-to-one correspondence between the most significant bit and the least significant bit for a plaintext, so the two forms of encryption are equivalent.    \(\square \)
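The two encodings and the correspondence of Lemma 6.3.1 can be checked exhaustively. The following Python code is an added worked example, not part of the book: it takes q odd (so the rounding \(\lfloor x\rceil \) never meets a tie), uses the canonical representative (6.3.8) for M(u), and verifies both directions of the lemma for every residue of \(\mathbb {Z}_q\).

```python
import math
from fractions import Fraction
from math import gcd


def rnd(x):
    """The text's rounding: the integer k with k - 1/2 < x <= k + 1/2."""
    return math.ceil(Fraction(x) - Fraction(1, 2))


def centered(v, q):
    """Unique representative of v mod q in (-q/2, q/2] (q odd)."""
    e = v % q
    return e - q if 2 * e > q else e


class Encodings:
    """Most- and least-significant-bit encodings of Z_p into Z_q, 1 < p < q, (p, q) = 1."""

    def __init__(self, p, q):
        assert 1 < p < q and gcd(p, q) == 1 and q % 2 == 1
        self.p, self.q = p, q
        self.p_inv = pow(p, -1, q)  # c_p: inverse of p modulo q
        self.q_inv = pow(q, -1, p)  # c_q: inverse of q modulo p

    def msb_encode(self, u):
        """(6.3.8): M(u) = round((q/p) u) mod q, the canonical representative of (6.3.7)."""
        return rnd(Fraction(self.q * u, self.p)) % self.q

    def msb_decode(self, w):
        """M^{-1}(w) = round((p/q) w) mod p."""
        return rnd(Fraction(self.p * w, self.q)) % self.p

    def lsb_encode(self, u, k=0):
        """L(u): any e = u (mod p) with -q/2 < e <= q/2, here e = u + k p, reduced mod q."""
        e = u + k * self.p
        assert -self.q / 2 < e <= self.q / 2
        return e % self.q

    def lsb_decode(self, v):
        """L^{-1}(v): centre v into (-q/2, q/2], then reduce mod p."""
        return centered(v, self.q) % self.p

    def lsb_to_msb(self, v):
        """Lemma 6.3.1, first half: p^{-1} v is an MSB encoding of -q^{-1} u."""
        return (self.p_inv * v) % self.q

    def msb_to_lsb(self, w):
        """Lemma 6.3.1, second half: p w is an LSB encoding of -q u."""
        return (self.p * w) % self.q


def check_lemma_6_3_1(p, q):
    """Verify both correspondences of the lemma for every residue in Z_q."""
    enc = Encodings(p, q)
    for v in range(q):
        u = enc.lsb_decode(v)
        if enc.msb_decode(enc.lsb_to_msb(v)) != (-enc.q_inv * u) % p:
            return False
    for w in range(q):
        u = enc.msb_decode(w)
        if enc.lsb_decode(enc.msb_to_lsb(w)) != (-q * u) % p:
            return False
    return True
```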

Finally, we discuss the fully homomorphic property of the BV encryption system, which is summarized in the following theorem.

Theorem 6.3.1

Let \(p=2\), \(q>2\) be an odd number, then the BV encryption system is bounded fully homomorphic encryption, and its fully homomorphic boundary is

$$\begin{aligned} M=\left( -\frac{q}{2},\frac{q}{2}\right] . \end{aligned}$$

Proof

Based on the least significant bit of the BV encryption system, its decryption function \(f_s^{-1}\) can be split into two parts: set \(R_3=\mathbb {Z}_q\) and let \(\mathbb {Z}_q\xrightarrow {\sigma _2}\mathbb {Z}_2=R_1\) be the natural homomorphism; then \(f_s^{-1}\) decomposes as

$$\begin{aligned} \mathbb {Z}_q^n\xrightarrow {\quad \sigma _1 \quad } M\cap \mathbb {Z}_q \xrightarrow {\quad \sigma _2 \quad }\mathbb {Z}_2, \end{aligned}$$

where \(\sigma _1\) is defined for any ciphertext \(c\in \mathbb {Z}_q^n\), \(c\xrightarrow {\sigma _1} m\in M\cap \mathbb {Z}_q\) satisfying

$$\begin{aligned} {<}s,c{>}\equiv m\ (\text {mod}\ q). \end{aligned}$$

Since there exists only one m satisfying the above formula, \(\sigma _1\) is well-defined. It follows that

$$\begin{aligned} {<}s,c_1+c_2{>} &={<}s,c_1{>}+{<}s,c_2{>} \\ & \equiv m_1+m_2\ (\text {mod}\ q), \end{aligned}$$
(6.3.9)

i.e. \(\sigma _1(c_1+c_2)=m_1+m_2\), if \(m_1+m_2\in M\cap \mathbb {Z}_q\), then

$$\begin{aligned} f_s^{-1}(c_1+c_2) &=\sigma _2(\sigma _1(c_1)+\sigma _1(c_2))\\ &=\sigma _2(m_1+m_2)\\ & \equiv u_1+u_2\ (\text {mod}\ 2), \end{aligned}$$

so we have

$$\begin{aligned} f_s^{-1}(c_1+c_2)=u_1+u_2=f_s^{-1}(c_1)+f_s^{-1}(c_2), \end{aligned}$$

\(f_s\) is additive fully homomorphic encryption.

To introduce the multiplicative homomorphism, we define the Kronecker convolution for two vectors in \(\mathbb {Z}_q^n\). Let \(c_1=(c_{11},c_{12},\dots ,c_{1n})\in \mathbb {Z}_q^n\), \(c_2=(c_{21},c_{22},\dots ,c_{2n})\in \mathbb {Z}_q^n\) be two row vectors, we define the Kronecker convolution of \(c_1\) and \(c_2\) as \(c_1\otimes c_2\),

$$\begin{aligned} c_1\otimes c_2=(c_{1i}\cdot c_{2j})_{1\leqslant i,j\leqslant n}\in \mathbb {Z}_q^{n^2}. \end{aligned}$$
(6.3.10)

Obviously, for any four vectors \(a,b,c,d\in \mathbb {Z}_q^n\), we have

$$\begin{aligned} {<}a\otimes b,c\otimes d{>}={<}a,c{>}\cdot {<}b,d{>}. \end{aligned}$$
(6.3.11)

In fact, let \(a=(a_1,a_2,\dots ,a_n)\), \(b=(b_1,b_2,\dots ,b_n)\), \(c=(c_1,c_2,\dots ,c_n)\), \(d=(d_1,d_2,\dots ,d_n)\), by (6.3.10),

$$\begin{aligned} {<}a\otimes b,c\otimes d{>} &=\sum \limits _{i=1}^n \sum \limits _{j=1}^n a_i b_j c_i d_j \\ &=\left( \sum \limits _{i=1}^n a_i c_i\right) \left( \sum \limits _{j=1}^n b_j d_j \right)\\ &={<}a,c{>}\cdot {<}b,d{>}, \end{aligned}$$

thus, (6.3.11) holds.

Let \(c_1,c_2\in \mathbb {Z}_q^n\) be two ciphertexts, \(s\in \mathbb {Z}_q^n\) be the private key, we define the multiplication as Kronecker convolution in the ciphertext space \(\mathbb {Z}_q^n\). Suppose \(s^{*}=s\otimes s\), then the decryption function \(f_{s^{*}}^{-1}\) is a mapping of \(\mathbb {Z}_q^{n^2}\rightarrow \mathbb {Z}_2\). Based on (6.3.11), we have

$$\begin{aligned} {<}s\otimes s,c_1\otimes c_2{>} &={<}s,c_1{>}\cdot {<}s,c_2{>}\\ & \equiv m_1\cdot m_2\ (\text {mod}\ q). \end{aligned}$$

If \(m_1m_2\in M\cap \mathbb {Z}_q\), then

$$\begin{aligned} m_1\equiv u_1\ (\text {mod}\ 2),\ m_2\equiv u_2\ (\text {mod}\ 2)\Rightarrow m_1m_2\equiv u_1u_2\ (\text {mod}\ 2), \end{aligned}$$

namely

$$\begin{aligned} f_{s^{*}}^{-1}(c_1\otimes c_2)=f_s^{-1}(c_1)\cdot f_s^{-1}(c_2), \end{aligned}$$

i.e. \(f_s\) satisfies the multiplicative homomorphism. So we prove the bounded fully homomorphic property of the BV encryption system, and its fully homomorphic boundary is \(M=(-\frac{q}{2},\frac{q}{2}]\).    \(\square \)
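The proof of Theorem 6.3.1 can be run on small parameters. The following Python code is an added example, not the book's own: it uses the least-significant-bit form with the LWE key shape \(s=(-\overline{s},1)\), \(q=97\), \(n=4\), the noise r in \(m=u+2r\) chosen by hand so that the runs are reproducible, and it shows both a product whose \(m_1m_2\) stays inside the boundary M and one whose \(m_1m_2\) leaves M and decrypts to the wrong bit.

```python
import random


def centered(x, q):
    """Unique representative of x mod q in M = (-q/2, q/2] (q odd)."""
    x %= q
    return x - q if 2 * x > q else x


def inner(u, v, q):
    """<u, v> mod q."""
    return sum(a * b for a, b in zip(u, v)) % q


def kron(u, v, q):
    """Kronecker convolution (6.3.10): (u_i v_j)_{i,j}, row-major, in Z_q^{n^2}."""
    return [(a * b) % q for a in u for b in v]


def keygen(n, q, rng):
    """Private key s = (-sbar, 1), the LWE key shape used for the BV and GSW systems."""
    sbar = [rng.randrange(q) for _ in range(n - 1)]
    return [(-x) % q for x in sbar] + [1]


def encrypt(s, u, r, q, rng):
    """Least-significant-bit form (6.3.6): <s, c> = m (mod q) exactly, with m = u + 2r.
    The noise r is passed in explicitly so the examples below are reproducible."""
    m = u + 2 * r
    sbar = [(-x) % q for x in s[:-1]]
    a = [rng.randrange(q) for _ in range(len(s) - 1)]
    b = (sum(x * y for x, y in zip(a, sbar)) + m) % q  # <s,(a,b)> = -<sbar,a> + b = m
    return a + [b]


def decrypt(s, c, q):
    """sigma_2(sigma_1(c)): centre <s,c> into M, then reduce modulo 2."""
    return centered(inner(s, c, q), q) % 2


def add(c1, c2, q):
    """Homomorphic addition: componentwise, decrypts under s."""
    return [(x + y) % q for x, y in zip(c1, c2)]


def mult(c1, c2, q):
    """Homomorphic multiplication: c1 (x) c2 in Z_q^{n^2}, decrypts under s* = s (x) s by (6.3.11)."""
    return kron(c1, c2, q)


def demo(q=97, n=4, seed=1):
    rng = random.Random(seed)
    s = keygen(n, q, rng)
    s_star = kron(s, s, q)
    c1 = encrypt(s, 1, 2, q, rng)   # m1 = 1 + 4 = 5
    c2 = encrypt(s, 1, -3, q, rng)  # m2 = 1 - 6 = -5
    out = {
        "noise": (centered(inner(s, c1, q), q), centered(inner(s, c2, q), q)),
        "add": decrypt(s, add(c1, c2, q), q),             # m1 + m2 = 0 -> (1 + 1) mod 2 = 0
        "mul": decrypt(s_star, mult(c1, c2, q), q),       # m1 m2 = -25 in M -> 1 * 1 = 1
        "mul_dim": len(mult(c1, c2, q)),                  # n^2 = 16: the dimension growth
    }
    # Outside the boundary: m3 m4 = 110 > q/2 wraps modulo q (110 = 13 mod 97) and the bit is wrong.
    c3 = encrypt(s, 1, 5, q, rng)   # m3 = 11
    c4 = encrypt(s, 0, 5, q, rng)   # m4 = 10
    out["mul_overflow"] = decrypt(s_star, mult(c3, c4, q), q)  # 1, although 1 * 0 = 0
    return out
```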

The above Theorem 6.3.1 can be generalized to the multibit case, that is, plaintext \(u\in \mathbb {Z}_p\), ciphertext \(c\in \mathbb {Z}_q^n\), \((p,q)=1\). Under these assumptions, the BV multibit fully homomorphic encryption system can be constructed, and we leave it as a question for the readers. Note that the dimensions of the ciphertext space and key space grow from n to \(n^2\) by the Kronecker convolution. The dimension could be reduced by using the gadget technique in Sect. 6.2. This reduction technique is called key conversion.

Key conversion

Let \(c_{\text {in}}=c_1\otimes c_2\) be an \(n_{\text {in}}\) dimensional ciphertext, where \(c_{\text {in}}\) and \(n_{\text {in}}\) represent the input ciphertext and the dimension of the ciphertext. By the most significant bit of BV fully homomorphic encryption, then

$$\begin{aligned} {<}s_{\text {in}},c_{\text {in}}{>}=s_{\text {in}}'\cdot c_{\text {in}}\equiv _{\chi } u\left\lfloor \frac{q}{2}\right\rceil \ (\text {mod}\ q). \end{aligned}$$
(6.3.12)

The above formula is obtained from (6.3.3), where \(s_{\text {in}}\) is the private key with dimension \(n_{\text {in}}\). In order to reduce the dimension \(n_{\text {in}}\), we construct a private key \(s_{\text {out}}\) with lower dimension and convert the input ciphertext \(c_{\text {in}}\) into the output ciphertext \(c_{\text {out}}\) encrypted by \(s_{\text {out}}\). Of course, the dimension \(n_{\text {out}}\) of the output ciphertext \(c_{\text {out}}\) and the key \(s_{\text {out}}\) is much smaller than the input dimension \(n_{\text {in}}\). To do this, let G be the gadget matrix,

$$\begin{aligned} G=I_{n_{\text {in}}}\otimes c_{\text {in}}'=\text {diag}\{c_{\text {in}}',c_{\text {in}}',\dots ,c_{\text {in}}'\}_{n_{\text {in}}\times n_{\text {in}}^2}. \end{aligned}$$
(6.3.13)

G is the \(n_{\text {in}}\times n_{\text {in}}^2\) gadget matrix generated by the \(n_{\text {in}}\) dimensional vector \(c_{\text {in}}\). By (6.2.7) and (6.3.12), we have

$$\begin{aligned} {<}s_{\text {in}},c_{\text {in}}{>}=s_{\text {in}}'\cdot c_{\text {in}}\equiv (s_{\text {in}}'G)\cdot G^{-1}(c_{\text {in}})\equiv _{\chi }u\left\lfloor \frac{q}{2}\right\rceil \ (\text {mod}\ q), \end{aligned}$$
(6.3.14)

where \(G^{-1}(c_{\text {in}})=x\) is the shortest integer solution of \(Gx\equiv c_{\text {in}}\ (\text {mod}\ q)\). Based on (6.2.8), \(s_{\text {in}}'\cdot G\) is an \(n_{\text {in}}^2\) dimensional vector.

Lemma 6.3.2

For any \(n<n_{\text {in}}\), then there exist a matrix \(K\in \mathbb {Z}_q^{n\times n_{\text {in}}^2}\) and an n dimensional private key \(s_{\text {out}}\) with high probability such that

$$\begin{aligned} s_{\text {out}}'\cdot K\equiv _{\chi } s_{\text {in}}'\cdot G\ (\text {mod}\ q). \end{aligned}$$
(6.3.15)

Proof

The construction of the matrix K and the transformed private key \(s_{\text {out}}\) are related to the resampling technique (Bootstrapping) of the LWE distribution. For a given vector \(b'=s_{\text {in}}'G\in \mathbb {Z}_q^{n_{\text {in}}^2}\), we can take a sample \(s_{\text {out}}\in \mathbb {Z}_q^n\) for very small error distribution \(e\in \mathbb {Z}_q^{n_{\text {in}}^2}\) (with high probability) and

$$\begin{aligned} A=[a_1,a_2,\dots ,a_{n_{\text {in}}}],\ \forall a_i\in \mathbb {Z}_q^n \end{aligned}$$

satisfying (see 4.1.3 in Chap. 4)

$$\begin{aligned} (s_{\text {out}}',-1)\begin{pmatrix} A \\ b' \end{pmatrix}\equiv _{\chi } e\ (\text {mod}\ q). \end{aligned}$$

Since e is a very small error term, the above equation can be written as the form of random congruence

$$\begin{aligned} s_{\text {out}}'A\equiv _{\chi } b'=s_{\text {in}}'G\ (\text {mod}\ q). \end{aligned}$$

Let \(K=A\in \mathbb {Z}_q^{n\times n_{\text {in}}^2}\), we have

$$\begin{aligned} s_{\text {out}}'K\equiv s_{\text {in}}'G\ (\text {mod}\ q). \end{aligned}$$

Lemma 6.3.2 holds.    \(\square \)

Remark 6.3.1

K is the public key which could be made public, the security of the private key \(s_{\text {out}}\) will not be affected based on the security of the LWE distribution.

By (6.3.14) in Lemma 6.3.2, the input ciphertext \(c_{\text {in}}\) is converted into a new output ciphertext \(c_{\text {out}}=KG^{-1}(c_{\text {in}})\). \(c_{\text {out}}\) is obtained by using the key \(s_{\text {out}}\), this is because

$$\begin{aligned} s_{\text {out}}'c_{\text {out}}&=s_{\text {out}}'(KG^{-1}(c_{\text {in}})) \\ & \equiv _{\chi }s_{\text {in}}'G\cdot G^{-1}(c_{\text {in}})\equiv _{\chi }u \left\lfloor \frac{q}{2}\right\rceil \ (\text {mod}\ q). \end{aligned}$$

We replace \(c_{\text {in}}=c_1\otimes c_2\) and \(s_{\text {in}}=s\otimes s\) with the new ciphertext \(c_{\text {out}}\) and the converted key \(s_{\text {out}}\), which significantly reduces the dimension of the ciphertext.

2. GSW fully homomorphic encryption

In 2013, Gentry et al. (2013) further improved BV fully homomorphic encryption by using gadget matrix and gadget technology. The greatest advantage is that fully homomorphic multiplication does not require the key conversion introduced in the previous subsection.

First, we select a random matrix \(\overline{A}\in \mathbb {Z}_q^{n\times \overline{m}}\), with the number of columns \(\overline{m}\) large enough. Define the following two matrices by \(\overline{A}\)

$$\begin{aligned} A_i=x_iG-\overline{A}R_i\in \mathbb {Z}_q^{n\times nl},\ i=1,2, \end{aligned}$$
(6.3.16)

where \(x_1,x_2\in \mathbb {Z}_q\) are two integers, G is the gadget matrix,

$$\begin{aligned} G=\text {diag}\{g',g',\dots ,g'\}_{n\times nl},\ g'\in \mathbb {Z}_q^l, \end{aligned}$$

here \(l=\lfloor \text {log}_2 q\rceil \), \(R_i\in \mathbb {Z}_q^{\overline{m}\times nl}\) is the Gauss matrix.

Lemma 6.3.3

1. The trapdoor matrix of \([\overline{A},A_1+A_2]\) is \(\begin{pmatrix} R_1+R_2 \\ I_n \end{pmatrix}\), the tag matrix is \(x_1I_n+x_2I_n\).

2. The trapdoor matrix of \([\overline{A},A_1G^{-1}(A_2)]\) is \(\begin{pmatrix} R \\ I_n \end{pmatrix}\), the tag matrix is \(x_1x_2I_n\), where

$$\begin{aligned} R=x_1 R_2+R_1 G^{-1} (A_2). \end{aligned}$$
(6.3.17)

Proof

By (6.3.16), it is easy to get

$$\begin{aligned} A_1+A_2=(x_1+x_2)G-\overline{A}(R_1+R_2). \end{aligned}$$
(6.3.18)

We regard each column vector of \(A_2\) as the target vector u in Lemma 2.2, then the inverse matrix \(G^{-1}\) in Definition 2.2 can be generalized to \(G^{-1}(A_2)\in \mathbb {Z}_q^{nl\times nl}\); here \(G^{-1}(A_2)=x\) is the shortest integer solution (column by column: each column of the matrix x is the shortest integer solution for the corresponding column of \(A_2\)) of

$$\begin{aligned} Gx\equiv A_2\ (\text {mod}\ q). \end{aligned}$$
(6.3.19)

Thus, (6.2.7) generalizes to

$$\begin{aligned} G\cdot (G^{-1}(A_2))\equiv A_2\ (\text {mod}\ q), \end{aligned}$$
(6.3.20)

so we have

$$\begin{aligned} A_1 G^{-1}(A_2) &=(x_1 G-\overline{A}R_1) G^{-1}(A_2)\\ &=x_1 A_2-\overline{A}R_1 G^{-1}(A_2)\\ &=x_1 x_2 G-x_1 \overline{A} R_2-\overline{A} R_1 G^{-1}(A_2)\\ &=x_1 x_2 G-\overline{A}(x_1 R_2+R_1 G^{-1}(A_2)). \end{aligned}$$
(6.3.21)

Let \(A=[\overline{A},A_1+A_2]\), \(R=\begin{pmatrix} R_1+R_2 \\ I_n \end{pmatrix}\), by (6.3.18), we get

$$\begin{aligned} AR=A_1+A_2+\overline{A}(R_1+R_2)=(x_1+x_2)I_n G, \end{aligned}$$

therefore, R is the trapdoor matrix of A, and the tag matrix is \(H=x_1 I_n+x_2 I_n\). We have proved (i) in this lemma. To prove (ii), let

$$\begin{aligned} A=[\overline{A},A_1 G^{-1}(A_2)],\ \overline{R}=\begin{pmatrix} R \\ I_n \end{pmatrix}, \end{aligned}$$

where

$$\begin{aligned} R=x_1 R_2+R_1 G^{-1}(A_2). \end{aligned}$$

Based on (6.3.21),

$$\begin{aligned} A\overline{R} &=\overline{A}R+A_1 G^{-1}(A_2)\\ &=\overline{A}x_1 R_2+\overline{A}R_1 G^{-1}(A_2)+A_1 G^{-1}(A_2)\\ &=x_1 x_2 G, \end{aligned}$$

this implies \(\overline{R}=\begin{pmatrix} R \\ I_n \end{pmatrix}\) is the trapdoor matrix of A, and the tag matrix is \(H=x_1 x_2 I_n\). So (ii) in this lemma holds.    \(\square \)

In order to fully prove the conclusion of Lemma 6.3.3, it is also necessary to prove that the corresponding trapdoor matrix is a Gauss matrix, which is summarized in the following lemma.

Lemma 6.3.4

If R is a Gauss matrix, then \(\begin{pmatrix} R \\ I_n \end{pmatrix}\) is also a Gauss matrix. If \(R_1\) and \(R_2\) are independent Gauss matrices, then \(R_1+R_2\) is a Gauss matrix.

Proof

Since 0 and 1 can be regarded as discrete Gauss distributions with parameter s close enough to 0, then \(\begin{pmatrix} R \\ I_n \end{pmatrix}\) is also a Gauss matrix. On the other hand, the sum of two independent random variables with Gauss distribution still has Gauss distribution, so \(R_1+R_2\) is a Gauss matrix. The lemma holds.    \(\square \)

Now we discuss the workflow of the GSW fully homomorphic encryption.

Key: the public key is \(\overline{A}\in \mathbb {Z}_q^{n\times \overline{m}}\), \(\overline{m}=n+nl\), each column of \(\overline{A}\) is an independent sample of the LWE distribution \(A_{s,\chi }\) under the private key \(\overline{s}\in \mathbb {Z}^{n-1}\). Let \(s=\begin{pmatrix} -\overline{s} \\ 1 \end{pmatrix}\in \mathbb {Z}_q^n\), if \(\chi \) has discrete Gauss distribution, we have (see 4.1.3 in Chap. 4)

$$\begin{aligned} s'\overline{A}\equiv _{\chi } 0\ (\text {mod}\ q), \end{aligned}$$
(6.3.22)

with the private key \(s=\begin{pmatrix} -\overline{s} \\ 1 \end{pmatrix}\in \mathbb {Z}_q^n\).

Encryption: let \(x\in \mathbb {Z}\) be a plaintext, f(x) be an \(n\times nl\) dimensional matrix A encrypted for x,

$$\begin{aligned} f(x)=A=xG-\overline{A}R, \end{aligned}$$
(6.3.23)

i.e. A is the ciphertext, G is the \(n\times nl\) gadget matrix, \(R\in \mathbb {Z}_q^{n\times nl}\) is a Gauss matrix.

Decryption: based on (6.3.22), decrypt A with the private key \(s=\begin{pmatrix} -\overline{s} \\ 1 \end{pmatrix}\),

$$\begin{aligned} s'A &=xs'G-s'\overline{A}R\\ & \equiv _{\chi } xs'G\ (\text {mod}\ q). \end{aligned}$$
(6.3.24)

Correctness: since \(s'A\) is a given ciphertext matrix, and G is the gadget matrix, by (6.2.8),

$$\begin{aligned} xs'G\equiv _{\chi }s'A\ (\text {mod}\ q), \end{aligned}$$

we can solve for the unique solution \(xs'\) with high probability, and get \(f^{-1}(A)=x\).

Theorem 6.3.2

The GSW encryption system is bounded fully homomorphic encryption, where the addition and multiplication of the ciphertexts are defined as if \(A_1=f(x_1)\), \(A_2=f(x_2)\), then \(A_1+A_2\) is the matrix addition, and

$$\begin{aligned} A_1A_2=A_1 G^{-1}(A_2)\in \mathbb {Z}_q^{n\times nl} \end{aligned}$$
(6.3.25)

is the matrix multiplication.

Proof

The conclusion of Theorem 6.3.2 is actually implied in Lemma 6.3.3. Let \(x_1,x_2\in \mathbb {Z}_q\) be two plaintexts,

$$\begin{aligned} \left\{ \begin{array}{l} A_1=f(x_1)=x_1 G-\overline{A}R_1,\\ A_2=f(x_2)=x_2 G-\overline{A}R_2, \end{array} \right. \end{aligned}$$

then

$$\begin{aligned} A_1+A_2=(x_1+x_2)G-\overline{A}(R_1+R_2), \end{aligned}$$

so we have (with high probability)

$$\begin{aligned} f^{-1}(A_1+A_2)=x_1+x_2=f^{-1}(A_1)+f^{-1}(A_2). \end{aligned}$$

Let

$$\begin{aligned} R=x_1 R_2+R_1 G^{-1}(A_2), \end{aligned}$$
(6.3.26)

according to (6.3.21),

$$\begin{aligned} A_1 A_2=A_1 G^{-1}(A_2)=x_1 x_2 G-\overline{A}R, \end{aligned}$$

therefore,

$$\begin{aligned} f^{-1}(A_1 A_2)=x_1 x_2=f^{-1}(A_1)f^{-1}(A_2). \end{aligned}$$

Since the GSW encryption system is based on the Gauss distribution, the Gauss matrix in (6.3.23) carries errors, and the error grows as ciphertext matrices are added and multiplied many times. The GSW encryption system is a bounded fully homomorphic encryption, so the error must be controlled when adding and multiplying ciphertexts in order to keep the success probability high: the larger the error of the Gauss distribution, the smaller the probability, and the probability that the above equation holds decreases accordingly.    \(\square \)

To complete the proof of Theorem 6.3.2, we need the following lemma.

Lemma 6.3.5

If \(R_1\) and \(R_2\) are Gauss matrices, then the matrix defined by (6.3.26) is also a Gauss matrix.

Proof

Since both \(R_1\) and \(R_2\) are Gauss matrices, \(x_1 R_2\) and \(R_1 G^{-1}(A_2)\) are Gauss matrices, and based on Lemma 6.3.4,

$$\begin{aligned} R=x_1 R_2+R_1 G^{-1}(A_2) \end{aligned}$$

is a Gauss matrix. Lemma 6.3.5 holds.    \(\square \)

Finally, we emphasize that the advantage of GSW fully homomorphic encryption is that the dimension of the ciphertext does not increase under multiplication: for the ciphertext multiplication defined by (6.3.25), \(A_1A_2\) lies in the same ciphertext space as \(A_1\) and \(A_2\).
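The GSW workflow (6.3.22)–(6.3.25) on toy parameters, as an added Python example that is not the book's own code. Assumptions: \(q=2^{16}\) so that \(l=\log _2 q\) exactly and \(g'=(1,2,\dots ,2^{l-1})\), \(n=3\), \(\overline{m}=n+nl\), and the Gauss matrices R and the LWE errors are replaced by matrices with entries in \(\{-1,0,1\}\); decryption recovers the plaintext x bit by bit from the last block of \(s'A\).

```python
import random

L = 16                      # l = log2 q; take q = 2^l so that the rounded log is exact (assumption)
Q = 1 << L
N = 3                       # key dimension n
MBAR = N + N * L            # mbar = n + nl columns in Abar, as in the text


def matmul(A, B, q=Q):
    """Row-major product A.B mod q for lists of lists."""
    return [[sum(a * b for a, b in zip(row, col)) % q for col in zip(*B)] for row in A]


def gadget(n=N, l=L):
    """Gadget matrix G = diag{g', ..., g'} of shape n x nl with g' = (1, 2, ..., 2^(l-1))."""
    G = [[0] * (n * l) for _ in range(n)]
    for i in range(n):
        for j in range(l):
            G[i][i * l + j] = 1 << j
    return G


def gadget_inv(A, l=L, q=Q):
    """G^{-1}(A): bit-decompose each entry of A, giving a {0,1} matrix of shape (n l) x cols(A)
    with G . G^{-1}(A) = A (mod q), the matrix form (6.3.19)-(6.3.20) of the gadget inverse."""
    n, cols = len(A), len(A[0])
    X = [[0] * cols for _ in range(n * l)]
    for i in range(n):
        for k in range(cols):
            for j in range(l):
                X[i * l + j][k] = ((A[i][k] % q) >> j) & 1
    return X


def small_matrix(rows, cols, rng):
    """Stand-in for the text's Gauss matrices: entries drawn from {-1, 0, 1} (assumption)."""
    return [[rng.choice((-1, 0, 1)) for _ in range(cols)] for _ in range(rows)]


def keygen(rng, n=N, mbar=MBAR, q=Q):
    """Private key s = (-sbar, 1); public key Abar whose columns are LWE samples, so that
    s'Abar = e' (mod q) is a row of small errors, which is (6.3.22)."""
    sbar = [rng.randrange(q) for _ in range(n - 1)]
    s = [(-x) % q for x in sbar] + [1]
    Abar = [[0] * mbar for _ in range(n)]
    for k in range(mbar):
        a = [rng.randrange(q) for _ in range(n - 1)]
        for i in range(n - 1):
            Abar[i][k] = a[i]
        Abar[n - 1][k] = (sum(x * y for x, y in zip(a, sbar)) + rng.choice((-1, 0, 1))) % q
    return s, Abar


def encrypt(Abar, x, rng, q=Q):
    """(6.3.23): A = xG - Abar.R with a fresh small R of shape mbar x nl."""
    G = gadget()
    R = small_matrix(len(Abar[0]), len(G[0]), rng)
    AR = matmul(Abar, R, q)
    return [[(x * g - ar) % q for g, ar in zip(rg, rar)] for rg, rar in zip(G, AR)]


def decrypt(s, A, q=Q, l=L):
    """(6.3.24): s'A = x s'G + noise (mod q). Because s_n = 1 the last block of s'A is
    x.(1, 2, ..., 2^(l-1)) + noise; coordinate l-1 exposes the lowest bit of x, and after
    subtracting the bits already found, coordinate j exposes the next one."""
    z = matmul([s], A, q)[0][-l:]
    x = 0
    for j in reversed(range(l)):
        t = (z[j] - x * (1 << j)) % q             # about bit * 2^(l-1) + noise, |noise| < q/4
        bit = 1 if q // 4 <= t < 3 * q // 4 else 0
        x |= bit << (l - 1 - j)
    return x


def hom_add(A1, A2, q=Q):
    """Ciphertext addition is matrix addition."""
    return [[(a + b) % q for a, b in zip(ra, rb)] for ra, rb in zip(A1, A2)]


def hom_mul(A1, A2):
    """(6.3.25): A1.A2 := A1.G^{-1}(A2), which is again n x nl."""
    return matmul(A1, gadget_inv(A2))


def demo(seed=7):
    rng = random.Random(seed)
    s, Abar = keygen(rng)
    A1, A2 = encrypt(Abar, 3, rng), encrypt(Abar, 5, rng)
    prod = hom_mul(A1, A2)
    return {
        "x1": decrypt(s, A1), "x2": decrypt(s, A2),
        "sum": decrypt(s, hom_add(A1, A2)),       # 3 + 5 = 8
        "prod": decrypt(s, prod),                 # 3 * 5 = 15
        "shape": (len(prod), len(prod[0])),       # (n, nl): no dimension growth
    }
```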

6.4 Construction of Gentry

In 2009, C. Gentry first proposed a bounded algorithm for fully homomorphic encryption, which partially answered the RAD problem. The work by Gentry is an abstract description of fully homomorphic encryption (Garg et al., 2013a, 2013b; Gentry, 2009a, 2009b, 2010; Gentry et al., 2012a, 2012b, 2013a, 2015; Gentry & Halevi, 2011). It is difficult to understand the ideas and technologies by Gentry since there are many linguistic concepts. On the basis of BV fully homomorphic encryption and GSW fully homomorphic encryption in the previous section, it is possible for us to better understand Gentry’s ideas and methods.

Recall the working principle of the most representative public key cryptography RSA. Suppose N is the product of two different prime numbers, pk denotes the public key, and the public key of RSA is \(pk=(N,e)\), where \(1\leqslant e<\varphi (N)\), \((e,\varphi (N))=1\), \(\varphi (N)\) is the Euler function of N. For any plaintext \(\pi _i\in \mathbb {Z}_N\ (0\leqslant \pi _i<N)\), the encryption algorithm of RSA is \(\psi _i\equiv \pi _i^e\ (\text {mod}\ N)\), we write

$$\begin{aligned} \{\psi _i \leftarrow \pi _i^e\ \text {mod}\ N\} \end{aligned}$$
(6.4.1)

as the cryptosystem of the ciphertext \(\psi _i\) encrypted by the plaintext \(\pi _i\) using the public key pk. If there are t ciphertexts \(\{\psi _1,\psi _2,\dots ,\psi _t\}\), obviously,

$$\begin{aligned} \mathop {\Pi }\limits _{i=1}^t \psi _i\equiv \left( \mathop {\Pi }\limits _{i=1}^t \pi _i \right) ^e\ (\text {mod}\ N), \end{aligned}$$

so we have

$$\begin{aligned} \left\{ \mathop {\Pi }\limits _{i=1}^t \psi _i\leftarrow \left( \mathop {\Pi }\limits _{i=1}^t \pi _i \right) ^e\ \text {mod}\ N \right\} , \end{aligned}$$

this shows that the product \(\Pi \psi _i\) of t ciphertexts \(\psi _i\) is encrypted by the product \(\mathop {\Pi }\nolimits _{i=1}^ t \pi _i\) of the corresponding t plaintexts \(\pi _i\). In other words, the plaintext corresponding to the product of the t ciphertexts is the product of the t plaintexts \(\pi _i\). In section 6.1, we use the decryption algorithm to describe this multiplicative homomorphism as

$$\begin{aligned} f^{-1}\left( \mathop {\Pi }\limits _{i=1}^t \psi _i \right) =\mathop {\Pi }\limits _{i=1}^t f^{-1}(\psi _i). \end{aligned}$$

In order to define homomorphic encryption more generally, we first introduce the concept of circuit, which is widely used in the computer field.

Definition 6.4.1

A circuit C on the set A is a multivariate mapping defined on A. For any t elements \(a_1,a_2,\dots ,a_t\in A\), \(C(a_1,a_2 ,\dots ,a_t)\) is the image of the mapping C. From the perspective of computer work, we can take \((a_1,a_2,\dots ,a_t)\) as an input, and \(C(a_1,a_2,\dots ,a_t)\) is regarded as one output. Multiple input and output can be viewed as a circuit. If there are multiple circuits C on A, the set of these circuits is written as \(C_A\).

In a public key cryptosystem E, we use pk and sk to represent the public key and the private key respectively. Of course, pk and sk are not just one element, there may be many public and private keys.

Definition 6.4.2

A public key cryptosystem E with the circuit set \(C_E\) is called a fully homomorphic encryption system, if E contains the following four algorithms:

  1. Key generation algorithm, denoted as \(KG_E\).

  2. Encryption algorithm, denoted as \(E_{nE}\).

  3. Decryption algorithm, denoted as \(D_{nE}\).

  4. Ciphertext algorithm, denoted as \(Eval_E\).

For any public key pk, and any circuit \(C\in C_E\) on the plaintext space, any t ciphertexts \(\psi _1,\psi _2,\dots ,\psi _t\), where

$$\begin{aligned} \psi _i\leftarrow E_{nE}(pk,\pi _i),\ 1\leqslant i\leqslant t, \end{aligned}$$
(6.4.2)

the ciphertext algorithm \(Eval_E\) is to compute

$$\begin{aligned} \psi \leftarrow Eval_E(pk,C,\psi _1,\psi _2,\dots ,\psi _t), \end{aligned}$$

where \(\psi \) is the encryption of \(C(\pi _1,\pi _2,\dots ,\pi _t)\) under the public key pk, i.e.

$$\begin{aligned} \psi \leftarrow E_{nE}(pk,C(\pi _1,\pi _2,\dots ,\pi _t)). \end{aligned}$$
(6.4.3)

Remark 6.4.1

The number of elements of a circuit is denoted as |C|, which is called the boundary of the circuit. Usually the computational complexities of \(KG_E\), \(E_{nE}\), \(D_{nE}\) and \(Eval_E\) are polynomial of the security parameter \(\lambda \) and the circuit boundary |C|.

Remark 6.4.2

An equivalent form of (6.4.3) is

$$\begin{aligned} C(\pi _1,\pi _2,\dots ,\pi _t)=D_{nE}(\psi ), \end{aligned}$$
(6.4.4)

that is, the plaintext corresponding to the calculation result \(\psi \) under the ciphertext algorithm \(Eval_E\) by the t ciphertexts \(\psi _1,\psi _2,\dots ,\psi _t\) is the output in the circuit \(C(\pi _1,\pi _2,\dots ,\pi _t)\) by \(\pi _1,\pi _2,\dots ,\pi _t\). Therefore, in a fully homomorphic encryption system, the plaintext circuit C actually defines the ciphertext circuit D, where

$$\begin{aligned} D(\psi _1,\psi _2,\dots ,\psi _t)=Eval_E (pk,C,\psi _1,\psi _2,\dots ,\psi _t) \end{aligned}$$

satisfying

$$\begin{aligned} D_{nE}(D(\psi _1,\psi _2,\dots ,\psi _t))=C(\pi _1,\pi _2,\dots ,\pi _t). \end{aligned}$$
(6.4.5)

The basic idea of Gentry is to construct fully homomorphic encryption on a general ring. In order to prove the security, an ideal of a quotient ring of the integer polynomial ring \(\mathbb {Z}[x]\) corresponds to an ideal lattice in \(\mathbb {Z}^n\) (see Chap. 5), so the construction of Gentry is now called fully homomorphic encryption based on ideal lattice.

Let R be a commutative ring with identity, I and J are two coprime nonzero ideals in R, i.e. \(I+J=R\), R/I and R/J denote the quotient rings. The construction of Gentry can be divided into the following steps:

\(\textcircled {1}\) Fix an ideal I of R and a basis \(B_I\) of I.

\(\textcircled {2}\) For any ideal J of R, \((I,J)=1\), we give an ideal generating algorithm \(\text {IdealGen}(R,B_I)\) to generate the public key basis \(B_J^{pk}\) and the private key basis \(B_J^{sk}\). In fact, \(B_J^{sk}\) could be chosen as another ideal \(J_1\) of R, such that \(J=J_1\), \(B_J^{sk}=B_{J_1}\) is the basis of \(J_1\).

\(\textcircled {3}\) Construct a sampling algorithm \(\text {Samp}(x,B_I,R,B_J)\),

$$\begin{aligned} \text {Samp}(x,B_I,R,B_J)=\text {a representative element of additive coset}\ x+I=\overline{x}. \end{aligned}$$

\(\textcircled {4}\) In the ciphertext algorithm any circuit of R is computed in R/I, i.e. if \(x_1,x_2\in R/I\), then \(C(x_1,x_2)\equiv x_3\ (\text {mod}\ I)\). Take the addition circuit and the multiplication circuit as an example, for any \(x_1,x_2\in R/I\), \(x_1+x_2\equiv x_3\ (\text {mod}\ I)\), there exists only one \(x_3\) under the sampling algorithm \(\text {Samp}(x,B_I,R,B_J)\), which is denoted as \(Add_{B_I}\). Similarly, the multiplication in R/I is denoted as \(Mult_{B_I}\).

\(\textcircled {5}\) Ciphertext generation. Fix a ring R and an ideal I of R, then

$$\begin{aligned} KG(R,B_I)=(B_J^{sk},B_J^{pk})\leftarrow \text {IdealGen}(R,B_I), \end{aligned}$$

the plaintext space is a representative element set of the quotient ring R/I.

The public key contains R, \(B_I\), \(B_J^{pk}\) and the sampling algorithm.

The private key sk contains \(B_J^{sk}\).

The encryption algorithm: the plaintext space is R/I; for any plaintext \(u\in R/I\), the sampling algorithm gives \(\text {Samp}(u,B_I,R,B_J^{pk})\rightarrow \psi '\), and the encryption algorithm \(En(pk,u)\) is defined as

$$\begin{aligned} En(pk,u)=\psi =\psi '\ \text {mod}\ B_J^{pk}. \end{aligned}$$

The decryption algorithm \(De(sk,\psi )\) is defined as

$$\begin{aligned} u\leftarrow (\psi \ \text {mod}\ B_J^{sk})\ \text {mod}\ B_I. \end{aligned}$$

The ciphertext algorithm: if \(\psi _1\), \(\psi _2\) are two ciphertexts, then the addition and multiplication are defined as

$$\begin{aligned} Add(pk,\psi _1,\psi _2)=\psi _1+\psi _2=(\psi _1+\psi _2)\ \text {mod}\ B_J^{pk}, \end{aligned}$$
$$\begin{aligned} Mult(pk,\psi _1,\psi _2)=\psi _1\psi _2=(\psi _1\psi _2)\ \text {mod}\ B_J^{pk}. \end{aligned}$$

The key of Gentry’s construction is to verify the correctness of encryption and decryption and the homomorphism property of the ciphertext algorithm. We call the above public key generation algorithm, encryption algorithm, decryption algorithm and ciphertext algorithm as the fully homomorphic encryption system of Gentry, denoted as E. In order to prove the fully homomorphic property of E, we observe that there are two kinds of circuits in E. First, the circuit C used for encryption is defined by the addition and multiplication in the quotient ring R/I. The other circuit used in the ciphertext algorithm is defined by the addition and multiplication in R itself, which is called the generating circuit.

Definition 6.4.3

Given a circuit C in the plaintext space, we call g(C) its generating circuit if the operation of \(\text {mod}\ B_I\) in C is replaced by the original addition and multiplication.

Definition 6.4.4

Let \(X_{enc}\) be the image of R/I under the sampling algorithm Samp, i.e. \(X_{enc}\) is a set of representative elements of R/I, and \(X_{enc}\) is a plaintext space, so the ciphertext space is \(\{X_{enc}+J\}\). Define \(X_{Dec}\) as \(R\ \text {mod}\ B_J^{sk}\), i.e. the representation of the elements in R/J under \(\text {mod}\ B_J^{sk}\).

Definition 6.4.5

The circuit satisfying the following condition in the circuit set \(C_E\) is called an allowable circuit set,

$$\begin{aligned} C_E'=\{C:\ \forall (x_1,x_2,\dots ,x_t)\in X_{enc}^{T}\Rightarrow \ g(C)(x_1,x_2,\dots ,x_t)\in X_{Dec}\}. \end{aligned}$$
(6.4.6)

On the basis of the above definitions and notations, the main conclusion of Gentry is that for any ciphertext [see (6.4.3)] in any allowable circuit, it has the fully homomorphic property.

Theorem 6.4.1

Let \(C_E\) be an allowable circuit set, then the ciphertext encrypted by any allowable circuit C in \(C_E\) has the fully homomorphic property.

Proof

Let \(C\in C_E\), \(\psi =\{\psi _1,\psi _2,\dots ,\psi _t\}\), where each \(\psi _i\) is the encrypted ciphertext of the allowable circuit, so each ciphertext \(\psi _k\) could be written as

$$\begin{aligned} \psi _k=\pi _k+i_k+j_k,\ \pi _k\in R/I,\ i_k\in I,\ j_k\in J, \end{aligned}$$

and \(\pi _k+i_k\in X_{enc}\). We have

$$\begin{aligned} Eval(pk,C,\psi )&=g(C)(\psi )\ \text {mod}\ B_J^{pk} \\ & \in g(C)(\pi _1+i_1,\pi _2+i_2,\dots ,\pi _t+i_t)+J. \end{aligned}$$

If \(C\in C_E\), then

$$\begin{aligned} g(C)(X_{enc},X_{enc},\dots ,X_{enc})\in X_{Dec}, \end{aligned}$$

therefore,

$$\begin{aligned} \text {Decrypt}(sk,Eval(pk,C,\psi )) &=g(C)(\pi _1+i_1,\pi _2+i_2,\dots ,\pi _t+i_t)\ \text {mod}\ B_I\\ &=g(C)(\pi _1+\pi _2+\cdots +\pi _t)\ \text {mod}\ B_I\\ &=C(\pi _1,\pi _2,\dots ,\pi _t). \end{aligned}$$

Applying the above conclusion to the addition circuit and the multiplication circuit respectively, we get the fully homomorphic property in the allowable circuit.    \(\square \)
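Gentry's steps \(\textcircled {1}\)–\(\textcircled {5}\) and the allowable-circuit condition (6.4.6) on the smallest possible ring, as an added Python example that is not from the book: \(R=\mathbb {Z}\), \(I=2\mathbb {Z}\), \(J=p\mathbb {Z}\) with p odd, the public basis reducing into \([0,p)\) and the private basis into \(X_{Dec}=(-p/2,p/2]\). With \(R=\mathbb {Z}\) both bases reveal p, so this instantiation has no security; it only exhibits the bookkeeping of Theorem 6.4.1 and what fails when g(C) leaves \(X_{Dec}\).

```python
import itertools
import random

P = 1009        # generator of J = pZ; B_J^pk and B_J^sk are both bases of this ideal (assumption)
NOISE = 8       # Samp chooses r with |r| <= NOISE, so X_enc = {u + 2r} = [-16, 17] (assumption)
X_ENC = range(-2 * NOISE, 2 * NOISE + 2)


def mod_pk(x, p=P):
    """x mod B_J^pk: reduction with the public basis, representatives in [0, p)."""
    return x % p


def mod_sk(x, p=P):
    """x mod B_J^sk: reduction with the private basis, representatives in X_Dec = (-p/2, p/2]."""
    r = x % p
    return r - p if 2 * r > p else r


def samp(u, rng):
    """Samp(u, B_I, R, B_J): a representative u + 2r of the additive coset u + I."""
    return u + 2 * rng.randint(-NOISE, NOISE)


def encrypt(u, rng):
    """En(pk, u) = Samp(u) mod B_J^pk."""
    return mod_pk(samp(u, rng))


def decrypt(psi):
    """De(sk, psi) = (psi mod B_J^sk) mod B_I, where B_I is the basis 2 of I = 2Z."""
    return mod_sk(psi) % 2


def eval_circuit(g_c, psis):
    """Eval(pk, C, psi) = g(C)(psi) mod B_J^pk: the generating circuit runs in R = Z itself."""
    return mod_pk(g_c(*psis))


def is_allowable(g_c, t):
    """(6.4.6): C is allowable iff g(C) maps every point of X_enc^t into X_Dec."""
    return all(-P / 2 < g_c(*xs) <= P / 2 for xs in itertools.product(X_ENC, repeat=t))


def demo(seed=3):
    rng = random.Random(seed)
    psi1, psi2 = encrypt(1, rng), encrypt(1, rng)
    add = lambda a, b: a + b
    mul = lambda a, b: a * b
    cube = lambda a, b, c: a * b * c
    out = {
        "dec": (decrypt(psi1), decrypt(psi2)),                     # (1, 1)
        "add": decrypt(eval_circuit(add, [psi1, psi2])),           # (1 + 1) mod 2 = 0
        "mul": decrypt(eval_circuit(mul, [psi1, psi2])),           # 1 * 1 = 1
        "allowable": (is_allowable(add, 2), is_allowable(mul, 2), is_allowable(cube, 3)),
    }
    # Why the cube is not allowable: on the extreme representative 1 + 2*NOISE of the bit 1,
    # g(C) = 17^3 = 4913 leaves X_Dec, mod_sk lands on -132 and the parity is lost.
    worst = mod_pk(1 + 2 * NOISE)
    out["cube_wrong"] = decrypt(eval_circuit(cube, [worst] * 3))   # 0, although 1*1*1 = 1
    return out
```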

We choose \(R=\mathbb {Z}[x]\,/\,{<}f(x){>}\), where \(f(x)\in \mathbb {Z}[x]\) is a monic polynomial of degree n. Each polynomial in the quotient ring R corresponds to a vector in \(\mathbb {Z}^n\):

$$\begin{aligned} \alpha (x)=a_0+a_1x+\cdots +a_{n-1}x^{n-1}\in R\longleftrightarrow \alpha =\begin{pmatrix} a_0 \\ a_1 \\ \vdots \\ a_{n-1} \end{pmatrix}\in \mathbb {Z}^n. \end{aligned}$$

Furthermore, the correspondence between the ideal in R and the ideal lattice in \(\mathbb {Z}^n\) is one-to-one (see Chap. 5). For example, \(I={<}\alpha (x){>}\) is the principal ideal generated by \(\alpha (x)\in R\), then

$$\begin{aligned} {<}\alpha (x){>}=I\longleftrightarrow L(H^*(\alpha )), \end{aligned}$$

where \(H^*(\alpha )\) is the ideal matrix generated by \(\alpha \), \(L(H^*(\alpha ))\) is the integral lattice generated by \(H^*(\alpha )\). For \(I\subset R\), I is not a principal ideal, based on Chap. 5 we know

$$\begin{aligned} L(I)=\{\alpha \ |\ \alpha (x)\in I\}\subset \mathbb {Z}^n \end{aligned}$$

is an integral lattice. Denote \(B_I\) as the generating matrix of L(I), then \(B_I\) is the basis of ideal I in the construction of Gentry. In the key generation algorithm constructed by Gentry, the public key is \(B_J^{pk}\). We select an ideal \(J\subset R\) such that \((I,J)=1\) with the basis \(B_J\), i.e. J is the generating matrix of the corresponding ideal lattice L(J). For convenience,

$$\begin{aligned} B_J^{pk}=\text {the HNF basis of}\ L(J) \end{aligned}$$

is the Hermite normal form (HNF) basis of L(J); the HNF is determined by the lattice alone and can be computed from any basis of L(J), which is why it can be published without leaking the private basis. The private key is \(B_J^{sk}\); for it an ideal \(J_1\) larger than J is chosen, i.e. \(J\subset J_1\subset R\), \(J_1\ne J\), so

$$\begin{aligned} B_J^{sk}=\text {the generating matrix of the ideal lattice}\ L(J_1). \end{aligned}$$

Since \(J\subset J_1\), by the third isomorphism theorem for rings we have

$$\begin{aligned} (R/J)\,/\,(J_1/J)\cong R/J_1. \end{aligned}$$

Here \(R/J_1\) is a quotient ring (a homomorphic image) of R/J rather than a subring, so in the sampling algorithm every \(a\in R/J\) determines exactly one \(a_{J_1}\in R/J_1\), namely its image under the natural projection \(R/J\rightarrow R/J_1\).

In summary, taking R to be the quotient ring \(\mathbb {Z}[x]\,/\,{<}f(x){>}\) of the integer polynomial ring \(\mathbb {Z}[x]\) realizes Gentry's construction of fully homomorphic encryption. Since ideals of R correspond one-to-one to ideal lattices in \(\mathbb {Z}^n\), Gentry's construction is widely known as the fully homomorphic encryption system based on ideal lattices. Note that in Gentry (2009b) itself both keys are bases of the same lattice L(J): the public key is the HNF basis and the private key a short, nearly orthogonal basis, and the correctness argument above uses only that reduction modulo \(B_J^{sk}\) recovers every element of \(X_{Dec}\) exactly. Because the conclusion holds only on the set of allowable circuits, i.e. those whose evaluation keeps the noise inside \(X_{Dec}\), what has been obtained so far is a bounded (somewhat) homomorphic encryption; Gentry's bootstrapping step, which requires the decryption circuit itself to be allowable, is what turns it into a fully homomorphic one.
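Gentry's construction over \(\mathbb {Z}[x]\,/\,{<}f(x){>}\) can be exercised end to end on toy parameters. The following Python is an added example written for this edition; it is not code from the text or from Gentry (2009b). Its assumptions, none of which are fixed by the text: \(f(x)=x^4+1\); \(I={<}2{>}\), so that \(B_I=2I_4\) and "mod \(B_I\)" is reduction of the coefficients modulo 2; \(J={<}\alpha (x){>}\) with \(\alpha (x)=257+x-x^3\); the private key is the rotation basis \(H^*(\alpha )\) (a good, nearly orthogonal basis of L(J)); and the public key is that basis multiplied by a random unimodular matrix, which is another basis of the same lattice L(J) (the text uses the HNF basis instead). All function names are the example's own, and n = 4 gives no security; it only makes the algebra visible.

```python
"""Toy Gentry-style scheme over R = Z[x]/<x^N + 1> with I = <2> and J = <alpha(x)>.
Editor's example, not the text's code. Ring elements are lists of N integer coefficients,
which is exactly the polynomial <-> vector correspondence of the text."""
import random
from fractions import Fraction

N = 4  # degree of f(x) = x^N + 1 (toy size, not a secure parameter)


def make_rng(seed):
    return random.Random(seed)


def poly_mul(a, b):
    """Multiply in Z[x]/<x^N + 1>: reduce x^k = -x^(k-N) for k >= N."""
    res = [0] * (2 * N)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            res[i + j] += ai * bj
    for k in range(2 * N - 1, N - 1, -1):
        res[k - N] -= res[k]
    return res[:N]


def ideal_matrix(alpha):
    """H^*(alpha): column k is x^k * alpha mod f, so the columns generate L(<alpha>)."""
    cols, cur = [], list(alpha)
    for _ in range(N):
        cols.append(cur)
        cur = poly_mul(cur, [0, 1] + [0] * (N - 2))  # multiply by x
    return [[cols[j][i] for j in range(N)] for i in range(N)]


def mat_vec(B, v):
    return [sum(B[i][j] * v[j] for j in range(N)) for i in range(N)]


def mat_mul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(N)) for j in range(N)] for i in range(N)]


def solve(B, v):
    """Exact rational solution x of B x = v (Gaussian elimination over Fractions)."""
    M = [[Fraction(B[i][j]) for j in range(N)] + [Fraction(v[i])] for i in range(N)]
    for c in range(N):
        p = next(r for r in range(c, N) if M[r][c] != 0)
        M[c], M[p] = M[p], M[c]
        M[c] = [x / M[c][c] for x in M[c]]
        for r in range(N):
            if r != c and M[r][c] != 0:
                M[r] = [x - M[r][c] * y for x, y in zip(M[r], M[c])]
    return [M[i][N] for i in range(N)]


def reduce_mod(B, v):
    """v mod B: the representative of v + L(B) inside B * [-1/2, 1/2)^N,
    computed as v - B * round(B^{-1} v) (Babai round-off)."""
    k = [round(x) for x in solve(B, v)]
    return [vi - bi for vi, bi in zip(v, mat_vec(B, k))]


def random_unimodular(rng):
    """Product of elementary column operations: det = +/-1, so B*U spans the same lattice as B."""
    U = [[int(i == j) for j in range(N)] for i in range(N)]
    for _ in range(30):
        a, b = rng.sample(range(N), 2)
        m = rng.choice((-3, -2, -1, 1, 2, 3))
        for i in range(N):
            U[i][a] += m * U[i][b]
    return U


def keygen(alpha, rng):
    B_sk = ideal_matrix(alpha)                    # good basis: ~ 257*I + small entries
    B_pk = mat_mul(B_sk, random_unimodular(rng))  # bad basis of the same ideal lattice L(J)
    return B_pk, B_sk


def encrypt(B_pk, bit, rng):
    """psi = pi + i + j: pi = bit in the constant coefficient, i in I = <2>, j in J."""
    r = [rng.choice((-1, 0, 1)) for _ in range(N)]
    noise = [bit + 2 * r[0]] + [2 * x for x in r[1:]]
    j = mat_vec(B_pk, [rng.randint(-5, 5) for _ in range(N)])
    return [a + b for a, b in zip(noise, j)]


def eval_add(B_pk, c1, c2):  # Eval for the addition gate, reduced modulo the public basis
    return reduce_mod(B_pk, [a + b for a, b in zip(c1, c2)])


def eval_mul(B_pk, c1, c2):  # Eval for the multiplication gate (ring product)
    return reduce_mod(B_pk, poly_mul(c1, c2))


def decrypt(B_sk, c):
    """(c mod B_sk) mod B_I: strip the J part with the good basis, then reduce modulo 2."""
    return [x % 2 for x in reduce_mod(B_sk, c)]


if __name__ == "__main__":
    rng = make_rng(1)
    pk, sk = keygen([257, 1, 0, -1], rng)
    c0, c1 = encrypt(pk, 1, rng), encrypt(pk, 1, rng)
    prod = eval_mul(pk, c0, c1)
    print("with the private basis:", decrypt(sk, prod))
    print("with the public basis: ", [x % 2 for x in reduce_mod(pk, prod)])  # typically garbage
```

Decryption first reduces modulo the good basis, which returns \(\pi +i\) exactly as long as \(\pi +i\) lies inside the fundamental parallelepiped of \(B_J^{sk}\), and only then reduces modulo 2; the product of two fresh ciphertexts still fits because 257 is large compared with the product noise. The last line of the `__main__` section attempts the same reduction with the public basis: its parallelepiped is long and thin, so it typically does not contain \(\pi +i\) and the result is unrelated to the plaintext. That gap between two bases of the same lattice is the entire secret.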

6.5 Attribute-Based Encryption

Fully homomorphic digital signatures are a current research hotspot; among the related techniques, attribute-based encryption is a relatively mature topic. Attribute-based encryption (ABE) is a generalization of identity-based encryption, first proposed in Sahai and Waters (2005) and Goyal et al. (2006). In this section we briefly introduce ABE.

Lemma 6.5.1

Let q be a prime number, \(F_q\) the finite field with q elements and \(F_{q^n}\) an extension of degree n of \(F_q\). Then \(F_{q^n}\) is isomorphic to a subring \(\mathcal {H}\) of \(\mathbb {Z}_q^{n\times n}\) such that \(a,b\in \mathcal {H}\), \(a\ne b\Rightarrow a-b\in GL_n(F_q)\), i.e. the difference of any two distinct elements of \(\mathcal {H}\) is an invertible matrix.

Proof

\(F_{q^n}\,/\,F_q\) is an n-dimensional linear space; let \(\{\alpha _1,\alpha _2,\dots ,\alpha _n\}\subset F_{q^n}\) be a basis. For any \(\alpha \in F_{q^n}\) we define a linear transformation \(\tau _{\alpha }\) of \(F_{q^n}\) by

$$\begin{aligned} \tau _{\alpha }(x)=\alpha x,\ x\in F_{q^n}. \end{aligned}$$
(6.5.1)

Clearly \(\tau _{\alpha }\) is an \(F_q\)-linear transformation of \(F_{q^n}\). With respect to the given basis \(\{\alpha _1,\alpha _2,\dots ,\alpha _n\}\), let \(A_{\alpha }\) be the matrix of \(\tau _{\alpha }\), that is,

$$\begin{aligned} \tau _{\alpha }(\alpha _1,\alpha _2,\dots ,\alpha _n)=(\alpha \alpha _1,\alpha \alpha _2,\dots ,\alpha \alpha _n)=(\alpha _1,\alpha _2,\dots ,\alpha _n)A_{\alpha }. \end{aligned}$$

Let

$$\begin{aligned} \mathcal {H}=\{A_{\alpha }\ |\ \alpha \in F_{q^n}\}\subset \mathbb {Z}_q^{n\times n}, \end{aligned}$$

we have

$$\begin{aligned} A_{\alpha +\beta }=A_{\alpha }+A_{\beta },\ A_{\alpha \cdot \beta }=A_{\alpha }\cdot A_{\beta }, \end{aligned}$$

so \(\alpha \mapsto A_{\alpha }\) is a ring homomorphism \(F_{q^n}\rightarrow \mathcal {H}\); it is injective because \(\alpha =\tau _{\alpha }(1)\) is recovered from \(A_{\alpha }\), and surjective by the definition of \(\mathcal {H}\), hence a ring isomorphism. Note that if \(\alpha \ne 0\), then \(\tau _{\alpha }\) is an invertible linear transformation of \(F_{q^n}\) (its inverse is \(\tau _{\alpha ^{-1}}\)), so the corresponding matrix \(A_{\alpha }\) is invertible. If \(a,b\in F_{q^n}\), \(a\ne b\), it follows that \(A_a-A_b=A_{a-b}\in GL_n(F_q)\); in other words, the difference of any two distinct matrices in the matrix ring \(\mathcal {H}\) is an invertible matrix.    \(\square \)

Remark 6.5.1

The trace function and determinant of the matrix \(A_{\alpha }\) corresponding to the linear transformation \(\tau _{\alpha }\) are called the trace and norm of \(\alpha \), i.e.

$$\begin{aligned} \text {tr}(\alpha )=\text {tr}(A_{\alpha }),\ N(\alpha )=\text {det}(A_{\alpha }), \end{aligned}$$

where \(\text {tr}:F_{q^n}\rightarrow F_q\) is an additive (indeed \(F_q\)-linear) homomorphism and \(N:F_{q^n}\rightarrow F_q\) is a multiplicative homomorphism.

Regard \(F_{q^n}\) as an n-dimensional linear space over \(F_q\). Once a basis is fixed, \(F_{q^n}\) and \(F_q^n\) are isomorphic as linear spaces over \(F_q\). For elements \(\alpha ,\beta \in F_{q^n}\) we can define an inner product based on Lemma 6.5.1.

Definition 6.5.1

For any \(\alpha ,\beta \in F_{q^n}\), let \(\alpha \mapsto H_{\alpha }\in \mathcal {H}\), \(\beta \mapsto H_{\beta }\in \mathcal {H}\) under the isomorphism of Lemma 6.5.1; we define the inner product of \(\alpha \) and \(\beta \) by

$$\begin{aligned} {<}\alpha ,\beta {>}=H_{\alpha }\cdot H_{\beta }. \end{aligned}$$
(6.5.2)

Remark 6.5.2

Since \(H_{\alpha }\cdot H_{\beta }\in F_q^{n\times n}\) is a square matrix of order n, the inner product of two field elements is a matrix rather than a scalar. By Lemma 6.5.1, \(H_{\alpha }\cdot H_{\beta }=H_{\alpha \beta }\in \mathcal {H}\), so \({<}\alpha ,\beta {>}\) is simply the matrix image of the field product \(\alpha \beta \); in particular \({<}\alpha ,\beta {>}={<}\beta ,\alpha {>}\), because \(\mathcal {H}\) is commutative. The distinction between \(\mathcal {H}\) and \(\mathbb {Z}_q^{n\times n}\) matters below, where the matrices \(H_i\in \mathcal {H}\) of an attribute vector are multiplied by arbitrary matrices \(P_i\in \mathbb {Z}_q^{n\times n}\): such products need not lie in \(\mathcal {H}\), and the condition \(\sum H_iP_i=0\) is an ordinary matrix equation, not a field identity.

The ABE scheme described below is a matrix-based construction. Its basic principle is to use the gadget matrix to build the encryption and decryption algorithms on top of the LWE distribution. It involves the public key of an LWE cryptosystem together with a private-key system derived from an attribute vector and a dependent vector; the same two objects serve as the keys in the corresponding digital signature. In order to understand the workflow of ABE, we start with some basic matrices.

Let q be a prime number, so that \(\mathbb {Z}_q\) is the finite field with q elements and \(\mathbb {Z}_q^n\) is isomorphic, as a linear space over \(\mathbb {Z}_q\), to the extension \(F_{q^n}\) of degree n. Let G be the gadget matrix of order n [see (6.2.6)], i.e.

$$\begin{aligned} G=I_n\otimes g'=\text {diag}\{g',g',\dots ,g'\}\in \mathbb {Z}_q^{n\times nl}, \end{aligned}$$

where \(l=\lceil \log _2 q\rceil \), and define \(\overline{A}\) and A by

$$\begin{aligned} \left\{ \begin{array}{l} \overline{A}\in \mathbb {Z}_q^{n\times \overline{m}}\ \text {is a uniformly random matrix},\\ A=[A_1,A_2,\dots ,A_l]\in \mathbb {Z}_q^{n\times wl},\\ \overline{m}=n+nl,\quad w=nl, \end{array} \right. \end{aligned}$$
(6.5.3)

where each \(A_i\in \mathbb {Z}_q^{n\times nl}\) has the same dimension as the gadget matrix G. The matrix \(\overline{A}\) is published as part of the public key; the master secret is its trapdoor \(R\in \mathbb {Z}_q^{\overline{m}\times nl}\) with tag H, i.e.

$$\begin{aligned} \overline{A}R\equiv HG\ (\text {mod}\ q). \end{aligned}$$

Based on Lemma 6.5.1, we define the attribute vector \(\overrightarrow{n}\) by

$$\begin{aligned} \overrightarrow{n}=[H_1,H_2,\dots ,H_l]\in \mathcal {H}^l, \end{aligned}$$
(6.5.4)

where each \(H_i\in \mathbb {Z}_q^{n\times n}\) lies in \(\mathcal {H}\), i.e. is the matrix image of a field element of \(F_{q^n}\), and is invertible whenever that element is nonzero; thus \(\overrightarrow{n}\in \mathbb {Z}_q^{n\times nl}\). Let

$$\begin{aligned} \left\{ \begin{array}{l} G_{\overrightarrow{n}}=[H_1G,H_2G,\dots ,H_lG]\in \mathbb {Z}_q^{n\times wl},\\ A_{\overrightarrow{n}}=A+G_{\overrightarrow{n}}\in \mathbb {Z}_q^{n\times wl}, \end{array} \right. \end{aligned}$$
(6.5.5)

and a dependent vector \(\overrightarrow{p}\in \mathcal {H}^l\) for the attribute vector \(\overrightarrow{n}\) is one that is orthogonal to it in the sense of Definition 6.5.1:

$$\begin{aligned} {<}\overrightarrow{n},\overrightarrow{p}{>}=0\Leftrightarrow \sum \limits _{i=1}^l H_i P_i=0, \end{aligned}$$

where \(\overrightarrow{p}=[P_1,P_2,\dots ,P_l]\in \mathbb {Z}_q^{n\times nl}\), and each \(P_i\in \mathbb {Z}_q^{n\times n}\).

In order to discuss the generated private key by the dependent vector \(\overrightarrow{p}\), let \(S_{\overrightarrow{p}}\) be

$$\begin{aligned} S_{\overrightarrow{p}}=\begin{pmatrix} G^{-1}(P_1G) \\ G^{-1}(P_2G) \\ \vdots \\ G^{-1}(P_lG) \end{pmatrix}, \end{aligned}$$
(6.5.6)

here \(G^{-1}(P_i G)\) is an integer matrix given by Definition 2.2.

Lemma 6.5.2

Under the above notations, we have

$$\begin{aligned} G_{\overrightarrow{n}}\cdot S_{\overrightarrow{p}}={<}\overrightarrow{n},\overrightarrow{p}{>}G=0. \end{aligned}$$

Proof

Combining (6.5.5), (6.5.6) and (6.2.7), it follows that

$$\begin{aligned} G_{\overrightarrow{n}}\cdot S_{\overrightarrow{p}}=[H_1G,H_2G,\dots ,H_lG] \begin{pmatrix} G^{-1}(P_1G) \\ \vdots \\ G^{-1}(P_lG) \end{pmatrix} \end{aligned}$$
$$\begin{aligned} =H_1GG^{-1}(P_1G)+\cdots +H_lGG^{-1}(P_lG) \end{aligned}$$
$$\begin{aligned} =H_1P_1G+H_2P_2G+\cdots +H_lP_lG \end{aligned}$$
$$\begin{aligned} =(H_1P_1+H_2P_2+\cdots +H_lP_l)G \end{aligned}$$
$$\begin{aligned} ={<}\overrightarrow{n},\overrightarrow{p}{>}G=0. \end{aligned}$$

   \(\square \)

Encryption: based on the above definitions, let \(u\in \mathbb {Z}_q^n\) be a public vector. To encrypt a single bit, which we denote \(\mu \in \mathbb {Z}_2\) to distinguish it from the vector u, the encryptor chooses a fresh LWE secret \(s\in \mathbb {Z}_q^n\) (s' denotes its transpose, a row vector) and outputs the ciphertext \(\{\overline{c},c_{\overrightarrow{n}},c\}\) with

$$\begin{aligned} \left\{ \begin{array}{l} \overline{c}\equiv _{\chi } s'\cdot \overline{A}\ (\text {mod}\ q),\\ c_{\overrightarrow{n}}\equiv _{\chi } s'\cdot A_{\overrightarrow{n}}\ (\text {mod}\ q),\\ c\equiv _{\chi } s'\cdot u+\mu \left\lfloor \frac{q}{2}\right\rceil \ (\text {mod}\ q), \end{array} \right. \end{aligned}$$
(6.5.7)

where \(\equiv _{\chi }\) means equality up to an error term whose entries are sampled from the LWE error distribution \(\chi \). These errors are what hides s (without them the system would be linear and s could be solved for), and they must remain small for decryption to succeed. Written as a single row vector,

$$\begin{aligned}{}[\overline{c},c_{\overrightarrow{n}},c]\equiv _{\chi } s' [\overline{A},A_{\overrightarrow{n}},u]+\left[ 0,\ 0,\ \mu \left\lfloor \tfrac{q}{2}\right\rceil \right] \ (\text {mod}\ q). \end{aligned}$$

Decryption: the key authority, which holds the trapdoor R of \(\overline{A}\), generates from the dependent vector \(\overrightarrow{p}\) a short private key vector \(x_{\overrightarrow{p}}\) satisfying

$$\begin{aligned} \left\{ \begin{array}{l} [\overline{A},B_{\overrightarrow{p}}]x_{\overrightarrow{p}}=u,\\ B_{\overrightarrow{p}}=A\cdot S_{\overrightarrow{p}}, \end{array} \right. \end{aligned}$$
(6.5.8)

and \(x_{\overrightarrow{p}}\) is used to decrypt \(\{\overline{c},c_{\overrightarrow{n}},c\}\) by computing

$$\begin{aligned}{}[\overline{c},c_{\overrightarrow{n}}\cdot S_{\overrightarrow{p}}]\cdot x_{\overrightarrow{p}}. \end{aligned}$$

Ignoring the error terms of (6.5.7) for the moment (replace \(\equiv _{\chi }\) by equality), Lemma 6.5.2 gives

$$\begin{aligned} c_{\overrightarrow{n}}\cdot S_{\overrightarrow{p}}=s' A_{\overrightarrow{n}}\cdot S_{\overrightarrow{p}}=s'(A+G_{\overrightarrow{n}})S_{\overrightarrow{p}} \end{aligned}$$
$$\begin{aligned} =s'B_{\overrightarrow{p}}+s'G_{\overrightarrow{n}}\cdot S_{\overrightarrow{p}}=s'B_{\overrightarrow{p}}, \end{aligned}$$

therefore, by (6.5.8),

$$\begin{aligned}{}[\overline{c},c_{\overrightarrow{n}}\cdot S_{\overrightarrow{p}}]\cdot x_{\overrightarrow{p}}\equiv _{\chi } s'[\overline{A},B_{\overrightarrow{p}}]\cdot x_{\overrightarrow{p}}\ (\text {mod}\ q) \end{aligned}$$
$$\begin{aligned} \equiv _{\chi }s'u\ (\text {mod}\ q), \end{aligned}$$

and hence

$$\begin{aligned} c-[\overline{c},c_{\overrightarrow{n}}\cdot S_{\overrightarrow{p}}]\cdot x_{\overrightarrow{p}}\equiv _{\chi }\mu \left\lfloor \frac{q}{2}\right\rceil \ (\text {mod}\ q). \end{aligned}$$

The decryptor outputs \(\mu =1\) if this value is closer to \(\lfloor q/2\rceil \) than to 0 modulo q, and \(\mu =0\) otherwise. This is correct exactly when the accumulated error, \(e_c-[e_{\overline{c}},e_{\overrightarrow{n}}S_{\overrightarrow{p}}]\,x_{\overrightarrow{p}}\) in terms of the error vectors hidden in (6.5.7), has absolute value below q/4. That is why both \(x_{\overrightarrow{p}}\) and \(S_{\overrightarrow{p}}\) must be short: \(S_{\overrightarrow{p}}\) has small entries by construction of \(G^{-1}\) (binary entries under the usual bit-decomposition definition), and \(x_{\overrightarrow{p}}\) is a short integer solution of (6.5.8), which can be sampled with the trapdoor R but is infeasible to find without it.
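The following Python is an added example written for this edition (it is not code from the text, from Goyal et al. (2006) or from Sahai and Waters (2005)) that instantiates Lemma 6.5.1 with Remark 6.5.1, the gadget identities behind Lemma 6.5.2, and the encryption and decryption equations (6.5.7) and (6.5.8) on toy parameters. Its assumptions, none of which the text fixes: \(q=2^{17}-1\) (a prime with \(q\equiv 3\pmod 4\), so \(x^2+1\) is irreducible over \(F_q\)), n = 2, \(F_{q^2}=F_q[x]/(x^2+1)\), two attribute slots (the text writes l both for \(\lceil \log _2 q\rceil \) and for the number of slots), error entries in \(\{-1,0,1\}\) standing in for \(\chi \), and, as a shortcut that avoids implementing trapdoor sampling, a short \(x_{\overrightarrow{p}}\) is chosen first and u is set to \([\overline{A},B_{\overrightarrow{p}}]x_{\overrightarrow{p}}\); the real scheme publishes u first and the authority samples \(x_{\overrightarrow{p}}\) with the trapdoor R. All identifiers are the example's own, and n = 2 gives no security whatsoever.

```python
"""Toy instance of Lemma 6.5.1, Lemma 6.5.2 and (6.5.7)-(6.5.8). Editor's example, not the
text's code. Assumed parameters: q = 2^17 - 1, n = 2, F_{q^2} = F_q[x]/(x^2 + 1), T = 2 slots."""
import random

Q = 131071                # prime, Q = 3 (mod 4), so x^2 + 1 is irreducible over F_Q
N = 2                     # extension degree of F_{q^n} and LWE dimension (toy size)
L = Q.bit_length()        # l = ceil(log2 q) = 17
T = 2                     # number of attribute slots
HALF = Q // 2             # floor(q/2): encoding of message bit 1


def make_rng(seed):
    return random.Random(seed)


# F_{q^2}: an element a + b*x (x^2 = -1) is the pair (a, b).
def f_mul(u, v):
    return ((u[0]*v[0] - u[1]*v[1]) % Q, (u[0]*v[1] + u[1]*v[0]) % Q)


def f_inv(u):             # u^(q^2 - 2) by square-and-multiply (Fermat)
    r, e, base = (1, 0), Q*Q - 2, u
    while e:
        if e & 1:
            r = f_mul(r, base)
        base, e = f_mul(base, base), e >> 1
    return r


def embed(u):
    """A_alpha of Lemma 6.5.1 in the basis {1, x}: column j holds the coordinates of alpha * x^j."""
    return [[u[0], (-u[1]) % Q], [u[1], u[0]]]


def mat_mul(A, B):
    return [[sum(A[i][k]*B[k][j] for k in range(len(B))) % Q for j in range(len(B[0]))] for i in range(len(A))]


def mat_add(A, B):
    return [[(x + y) % Q for x, y in zip(ra, rb)] for ra, rb in zip(A, B)]


def hcat(*Ms):            # [M_1, M_2, ...] side by side
    return [sum((M[i] for M in Ms), []) for i in range(len(Ms[0]))]


def lemma_651_holds(u, v):
    """A_{u+v} = A_u + A_v, A_{uv} = A_u A_v, and A_u - A_v invertible whenever u != v."""
    s = ((u[0]+v[0]) % Q, (u[1]+v[1]) % Q)
    D = [[(x - y) % Q for x, y in zip(r1, r2)] for r1, r2 in zip(embed(u), embed(v))]
    det = (D[0][0]*D[1][1] - D[0][1]*D[1][0]) % Q
    return (embed(s) == mat_add(embed(u), embed(v))
            and embed(f_mul(u, v)) == mat_mul(embed(u), embed(v))
            and (u == v or det != 0))


def trace_norm(u):        # Remark 6.5.1: tr(alpha) = tr(A_alpha), N(alpha) = det(A_alpha)
    A = embed(u)
    return ((A[0][0] + A[1][1]) % Q, (A[0][0]*A[1][1] - A[0][1]*A[1][0]) % Q)


# Gadget matrix G = I_n (x) g' with g' = (1, 2, ..., 2^(l-1)), and its bit-decomposition inverse.
G = [[(1 << (c - i*L)) if i*L <= c < (i+1)*L else 0 for c in range(N*L)] for i in range(N)]


def g_inv(M):
    """Binary matrix X with G X = M (mod q): row i*L + j of X holds bit j of row i of M."""
    return [[(M[i][c] >> j) & 1 for c in range(len(M[0]))] for i in range(len(M)) for j in range(L)]


def attribute_and_dependent(alphas, beta):
    """H_i = A_{alpha_i}; P_1 = A_beta, P_2 = A_{-alpha_1 beta / alpha_2}, so H_1 P_1 + H_2 P_2 = 0."""
    a1, a2 = alphas
    p2 = f_mul(f_mul(((-a1[0]) % Q, (-a1[1]) % Q), beta), f_inv(a2))
    return [embed(a1), embed(a2)], [embed(beta), embed(p2)]


def lemma_652_holds(Hs, Ps):  # G_n . S_p = (sum H_i P_i) G = 0 (mod q)
    Gn = hcat(*[mat_mul(H, G) for H in Hs])
    Sp = [row for P in Ps for row in g_inv(mat_mul(P, G))]
    return all(x == 0 for row in mat_mul(Gn, Sp) for x in row)


def toy_keys(rng, Hs, Ps):
    Abar = [[rng.randrange(Q) for _ in range(N + N*L)] for _ in range(N)]  # n x m-bar
    A = [[rng.randrange(Q) for _ in range(T*N*L)] for _ in range(N)]       # [A_1, ..., A_T]
    An = mat_add(A, hcat(*[mat_mul(H, G) for H in Hs]))                    # A + G_n, (6.5.5)
    Sp = [row for P in Ps for row in g_inv(mat_mul(P, G))]                 # (6.5.6)
    Bp = mat_mul(A, Sp)                                                     # (6.5.8)
    # Toy shortcut: plant a short x_p and set u := [A-bar, B_p] x_p.  The real scheme fixes u
    # first and the authority samples a short x_p for it with the trapdoor R of A-bar.
    xp = [rng.choice((-1, 0, 1)) for _ in range(N + N*L + N*L)]
    u = [row[0] for row in mat_mul(hcat(Abar, Bp), [[x] for x in xp])]
    return {"Abar": Abar, "An": An, "u": u}, {"Sp": Sp, "xp": xp}


def encrypt(pk, bit, rng):
    """(6.5.7) with a fresh LWE secret s; errors in {-1, 0, 1} stand in for chi (assumption)."""
    s = [rng.randrange(Q) for _ in range(N)]
    err = lambda k: [rng.choice((-1, 0, 1)) for _ in range(k)]
    row = lambda M: mat_mul([s], M)[0]                      # s' M mod q
    cbar = [(a + e) % Q for a, e in zip(row(pk["Abar"]), err(N + N*L))]
    cn = [(a + e) % Q for a, e in zip(row(pk["An"]), err(T*N*L))]
    c = (sum(si*ui for si, ui in zip(s, pk["u"])) + err(1)[0] + bit*HALF) % Q
    return cbar, cn, c


def decrypt(sk, ct):
    """c - [c-bar, c_n S_p] x_p = bit*floor(q/2) + small error; decide by closeness to q/2."""
    cbar, cn, c = ct
    cnS = mat_mul([cn], sk["Sp"])[0]
    d = (c - sum(v*x for v, x in zip(cbar + cnS, sk["xp"]))) % Q
    return 1 if Q//4 < d < Q - Q//4 else 0
```

With these sizes the worst-case error in `decrypt` is bounded by \(1+36+68\cdot 34=2349\), comfortably below \(q/4\approx 32767\), which is why the rounding rule never fails here; shrinking q to a 13-bit prime with the same error distribution already brings the bound within a factor of two of q/4, and that trade-off between modulus, dimension and error size is the parameter choice every LWE-based scheme has to make.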

We do not verify the homomorphic property of this ABE scheme here and leave it to the reader as an exercise. Constructing fully homomorphic digital signatures from the ABE technique is an active research topic at present, and readers are encouraged to follow it up further.