How to build a faster private information retrieval protocol?

A CPA-secure multi-bit somewhat homomorphic encryption scheme based on the Learning With Errors over Rings (RLWE) assumption is presented. We use the canonical embedding to transform ring elements into vectors over $\mathbb{Z}_q$, which lowers the cost of encryption and decryption. Compared with the GHV scheme of 2010, to encrypt $n$ bits this scheme reduces the encryption cost from $\tilde{O}(n^{3/2})$ to $\tilde{O}(n \log n)$. Finally, an efficient private information retrieval protocol built on this scheme is presented.


Introduction
Homomorphic encryption is a powerful cryptographic primitive that enables a variety of applications. It is a form of encryption that allows specific computations to be carried out on ciphertexts, producing an encrypted result which, when decrypted, matches the result of the same operations performed on the plaintexts. Applications include private information retrieval (PIR), electronic voting, database encryption, delegated computation and secure multiparty computation (Chen et al. 2012a, b).
Fully homomorphic encryption (FHE) permits arbitrary computation on encrypted data (Gentry 2009). During the past four years, numerous FHE constructions involving novel mathematical techniques, and a number of applications, have appeared (Dijk et al. 2010; Stehle and Steinfeld 2010; Smart and Vercauteren 2010; Brakerski and Vaikuntanathan 2011a; Bogdanov and Lee 2011; Brakerski et al. 2012). However, most of the available FHE schemes still have a long way to go before they can be used in practice. Compared with FHE, which is theoretically ideal but impractical, somewhat homomorphic encryption (SWHE), which permits only a limited set of operations, is more efficient, and most actual applications to date involve only SWHE schemes.
The main goal of this work is to construct an efficient multi-bit somewhat homomorphic encryption scheme. Starting from the RLWE-based variant of Regev's Learning With Errors scheme (Regev 2009) and using the canonical embedding to improve efficiency, we present a new SWHE scheme that supports a larger plaintext space and faster encryption. Moreover, we give a Private Block Retrieval (PBR) protocol using this scheme.
2 Related works
Boneh et al. (2005) described a cryptosystem (denoted BGN) that permits an arbitrary number of additions and one multiplication without growing the ciphertext size. Later, at EUROCRYPT 2010, Gentry et al. (2010) constructed a variant of BGN, called GHV, which is based on the Learning With Errors (LWE) assumption, supports a larger message space and has a better message-to-ciphertext expansion ratio than BGN. In GHV, encrypting $m^2$ bits has a computation cost of $\tilde{O}(m^3)$.
Aiming at time-efficient schemes that support larger message spaces, we present a multi-bit SWHE scheme based on the RLWE assumption. Compared with GHV, our scheme is more time-efficient: to encrypt $n$ bits, the total encryption cost is $\tilde{O}(n \log n)$. The improvement comes from combining the more compact RLWE assumption with the canonical embedding. We show how to use this scheme to build an efficient PIR (private information retrieval) protocol.

Homomorphic encryption schemes
Definition 1 A homomorphic encryption scheme (HE) is a 4-tuple of probabilistic polynomial-time algorithms HE = (KeyGen, Enc, Dec, Eval) satisfying the following properties:
• KeyGen($1^k$): given the security parameter $k$, output $(pk, sk, evk)$, where $pk$ and $sk$ are the public and private keys respectively and $evk$ is the public homomorphic evaluation key.
This definition is a generic description of homomorphic encryption schemes; the material on the evaluated function $f$ is omitted. Generally $f$ is expressed as a Boolean circuit over the binary field (plaintexts being $n$-bit strings) that contains only addition (XOR) and multiplication (AND) gates.

RLWE assumption
The LWE problem has attracted wide attention since Regev first introduced it (Regev 2009). At Eurocrypt 2010, Lyubashevsky et al. (2010) analyzed the efficiency of LWE-based cryptosystems. Under the standard LWE assumption, obtaining one pseudorandom scalar $b_i \in \mathbb{Z}_q$ requires an $n$-dimensional inner product. They proposed a more compact version of LWE called RLWE, that is, the LWE assumption over a ring, where one $n$-dimensional ring product yields a whole $n$-dimensional pseudorandom vector. This gives a factor-of-$n$ efficiency improvement.
Definition 2 (RLWE assumption) Let $f(x)$ be a polynomial of degree $n$ with integer coefficients, let $q$ be a prime, and define the ring $R_q = \mathbb{Z}_q[x]/\langle f(x)\rangle$. Let $\chi$ be an error distribution on $R_q$, $s \leftarrow R_q$, $a_i \leftarrow R_q$ and $k = \mathrm{poly}(n)$. Given the $a_i$ and $b_i = a_i \cdot s + e_i$ for $i = 1, \dots, k$, where $e_i \leftarrow \chi$ is the error term, the $b_i$ are computationally indistinguishable from uniformly chosen elements of $R_q$.
Lyubashevsky et al. (2010) proved that the worst-case Shortest Independent Vectors Problem (SIVP) and Shortest Vector Problem (SVP) on ideal lattices reduce to RLWE. Their main result can be stated as follows: with error distribution $D_\xi$, where $\xi = \alpha \cdot (nl/\log(nl))^{1/4}$, and given $l$ samples, the RLWE problem is at least as hard as worst-case SIVP on ideal lattices.
To keep the description clear, we only use the RLWE assumption over the particular ring $R = \mathbb{Z}_q[x]/\langle x^n + 1\rangle$, where $n$ is a power of 2 and $q \equiv 1 \pmod{2n}$.

Canonical embedding in polynomial rings
The canonical embedding goes back to Minkowski (see Lyubashevsky et al. 2010). Let $n = 2^k$, let $q \equiv 1 \pmod{2n}$ be a prime, and let $\omega = \exp(\pi i/n)$, a primitive $2n$-th root of unity. The canonical embedding is the map $\sigma$ from $R_q = \mathbb{Z}_q[x]/\langle f(x)\rangle$, with $f(x) = x^n + 1$, into the complex vector space $\mathbb{C}^n$ given by
$$\sigma: a(x) \mapsto \big(a(\omega), a(\omega^3), \dots, a(\omega^{2n-1})\big) \in \mathbb{C}^n,$$
where $a(x) \in R_q$.
Using the canonical embedding we can map a polynomial in $R_q = \mathbb{Z}_q[x]/\langle f(x)\rangle$ to a vector. Once polynomials are represented as vectors in $\mathbb{C}^n$, both addition and multiplication can be carried out coordinate-wise, which makes computation far more convenient. In particular, when $q$ is a prime with $q \equiv 1 \pmod{2n}$, $\mathbb{Z}_q$ contains a primitive $2n$-th root of unity $\omega$, and $\omega^{2i-1}$, $i = 1, \dots, n$, are exactly the $n$ roots of $x^n + 1$ in $\mathbb{Z}_q$. So a polynomial $a(x) \in \mathbb{Z}_q[x]/\langle x^n + 1\rangle$ can be mapped to an element of $\mathbb{Z}_q^n$, i.e. an $n$-dimensional vector over $\mathbb{Z}_q$. Given $\sigma(a(x)) = (a(\omega), a(\omega^3), \dots, a(\omega^{2n-1})) \in \mathbb{Z}_q^n$, the preimage $a(x)$ is recovered by solving a system of $n$ linear equations in $n$ unknowns (a Vandermonde system in the $n$ distinct evaluation points).
4 Multi-bit homomorphic encryption schemes based on RLWE assumption

The basic scheme
The first single-bit public key encryption scheme based on the LWE assumption was proposed by Regev (2009), and from it a number of further constructions and applications have been derived. The multi-bit version of Regev's scheme can be implemented under the RLWE assumption as follows (Rückert and Schneider 2010).
Scheme 1 (RLWE-based version of Regev's multi-bit encryption scheme) Parameters: let $q$ be a prime and $R = \mathbb{Z}_q[x]/\langle x^n + 1\rangle$ as above. For a positive integer $k$, define two operations on $R^k$:
1. Inner product of two polynomial vectors, $\cdot : R^k \times R^k \to R$: for any $\hat{x}, \hat{y} \in R^k$, $\hat{x} \cdot \hat{y} = \sum_{i=1}^{k} x_i y_i$.
2. Multiplication of a polynomial vector by a polynomial (each component is multiplied by the polynomial in $R$).
The public key is $(\hat{a}, \hat{b})$. To shorten the key, all users may share the same $\hat{a}$, so the public key has length $kn \log_2 q$ bits.
Correctness of scheme 1 is shown in Rückert and Schneider (2010): when $\alpha \le 1/\big(30\sqrt{nk}\,\lceil r/2\rceil\big)$, the scheme decrypts correctly.

A new scheme using canonical mapping
Building on scheme 1, we use the canonical mapping to construct a new scheme.
Scheme 2
• Parameters: Let $q$ be a prime with $q \equiv 1 \pmod{2n}$, let $\omega$ be a root of $x^n + 1$ in $\mathbb{Z}_q$, and require that $\omega$ does not divide $(q-1)/2$. The error distribution $\chi^k_{R,\alpha}$ is the discrete Gaussian distribution on $R^k$ with mean 0 and standard deviation $\alpha = 1/\big(t\sqrt{nk}\,(\lceil r/2\rceil + 1)\big)$. The definition of $D_r$ and the polynomial vector operations are the same as in scheme 1.
The private key has length $n \log_2 q$ bits.
• Public key: Randomly choose a $k$-dimensional polynomial vector $\hat{a} \leftarrow R^k$, choose an error vector $\hat{e} \leftarrow \chi^k_{R,\alpha}$ and set $\hat{b} = \hat{a}s + \hat{e} \in R^k$. To reduce key length all users may share the same $\hat{a}$; the public key is $(\hat{a}, \hat{b})$, of length $kn \log_2 q$ bits.
• Encryption: Encryption has three steps.

For any given
Noting that $c_0$, $c_1$ are two polynomials in $R$, we use the canonical mapping to turn them into vectors in $\mathbb{Z}_q^n$, namely $c_0 \mapsto \sigma(c_0) = (c_0(\omega), c_0(\omega^3), \dots, c_0(\omega^{2n-1}))$ and likewise $c_1 \mapsto \sigma(c_1)$.
• Decryption: Also three steps.
Proof Consider the decryption process. We focus on the first component; the other components are analogous. In the first component of the formula above, $(\hat{e} \cdot \hat{r})(x)$ is a polynomial in $x$ over $R$, and after the modular reduction only its constant term remains. Since $\hat{e} \leftarrow \chi^k_{R,\alpha}$, and a sum of independent normal variables is again normal (for $n$ independent $X_i \sim N(\mu, \sigma^2)$, $1 \le i \le n$, one has $\sum_{i=1}^{n} X_i \sim N(n\mu, n\sigma^2)$), the sum $\sum_{i=1}^{k} e_i r_i$ follows a normal distribution with mean 0. By the tail bound for the normal distribution, the probability that this noise exceeds the decryption threshold is at most $e^{-t^2/32}$. When $t \ge 30$ this value is negligible, so decryption succeeds with overwhelming probability. This completes the proof.
Theorem 2 For any $\epsilon > 0$ and $m \ge (1+\epsilon)(1+n)\log q$, if there exists a probabilistic polynomial-time algorithm that attacks the CPA security of scheme 2 with advantage $\epsilon$, then there exists a polynomial-time distinguisher $V$ that, for any private key $s$, distinguishes RLWE pairs $(\hat{a}, \hat{a}s + \hat{e})$ from uniformly random pairs $(\hat{a}, \hat{b})$ in $R^k \times R^k$.
Proof We only discuss the first bit $m_0$ of a plaintext. Suppose there exists a CPA attacker $A$ that distinguishes the ciphertexts of $m_0 = 0$ and $m_0 = 1$ with advantage $\epsilon$. We construct a distinguisher $V$ that distinguishes the following two distributions with advantage at least $\epsilon/2$: uniformly random $(\hat{a}, \hat{b})$, and RLWE pairs $(\hat{a}, \hat{b} = \hat{a}s + \hat{e})$. $V$ is constructed as follows. The input of $V$ is a pair of polynomial vectors $(\hat{a}, \hat{b}) \in R^k \times R^k$ in which every component of $\hat{a}$ has constant term 1, and $V$ must decide whether $(\hat{a}, \hat{b})$ is uniform or an RLWE pair. Using $(\hat{a}, \hat{b})$ as the public key, $V$ runs $A$; $A$ produces two message bits $m_0, m_1$ and sends them to $V$; $V$ picks $i \in \{0, 1\}$ uniformly at random, encrypts $m_i$ and returns the ciphertext to $A$.
If $A$ returns the correct $i$, $V$ outputs 1; otherwise $V$ outputs 0. Let the challenge ciphertext be $(C_1, C_2)$; with $\sigma$ the canonical mapping, the first components of $C_1$ and $C_2$ involve $\hat{a} \cdot \hat{r}$ and $m_0$ respectively. If $\hat{b}$ is chosen uniformly at random in $R^k$, independently of $\hat{a}$, then the first component of the challenge ciphertext is also uniformly random, and in this case $V$ outputs 1 with probability at most $1/2$. On the other hand, if $\hat{b} = \hat{a}s + \hat{e}$ and the parameters are chosen as required, then by assumption $A$ guesses $i$ correctly with probability $(1+\epsilon)/2$, so $V$ outputs 1 with that same probability.
This completes the proof: $V$ distinguishes the two distributions with advantage $\epsilon/2$.

Homomorphic evaluations
Given two ciphertext pairs $(C_1, C_2)$ and $(C'_1, C'_2)$, the sum of the two ciphertexts is simply their coordinate-wise addition. Thanks to the canonical mapping, multiplication of two vectors can also be done coordinate-wise. Let "*" denote the coordinate-wise product of vectors. We focus on the decryption of the first component; the other components are analogous.
The first component of $C_2 * C'_2$ contains the term $\frac{(q-1)^2}{4} m_0 m'_0$. During decryption we need to convert $C_1 * C'_1$ back into a polynomial, multiply it by $s^2$ and transform the result into a vector $S_{mult}$. The last decryption step of scheme 2 computes $C_2 - S$, and after a homomorphic multiplication it computes the analogous difference with $S_{mult}$. Noting that, apart from the first term, all terms are multiples of $\omega$, and recalling that $\omega$ does not divide $(q-1)^2/4$, we can divide the first component by $\omega$ and take the residue, which leaves the $m_0 m'_0$ term; noting further that $s(0)$ does not divide $(q-1)/2$, dividing by $s(0)$ and taking the residue isolates the first component. By the proof of Theorem 4.1, $C_2 * C'_2$ can therefore be decrypted correctly and yields the product of the two plaintexts.
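The following Python script is an added example, not code from the paper: it implements the canonical embedding of $\mathbb{Z}_q[x]/\langle x^n + 1\rangle$ into $\mathbb{Z}_q^n$ from the "Canonical embedding in polynomial rings" section (evaluation at the odd powers of a primitive $2n$-th root of unity $\omega$, inversion by solving the linear system) and checks the property the homomorphic evaluation above relies on, namely that ring addition and multiplication become coordinate-wise operations on the embedded vectors. The parameters $n = 8$, $q = 17$ and the two sample ring elements are constructed toy values chosen so that $q \equiv 1 \pmod{2n}$; they carry no security.

```python
# Added example (not from the paper): canonical embedding of
# R_q = Z_q[x]/<x^n + 1> into Z_q^n, and the coordinate-wise
# addition/multiplication it gives. n = 8 and q = 17 are constructed toy
# parameters (q = 1 mod 2n holds: 17 = 2*8 + 1); they carry no security.

def primitive_2n_root(n, q):
    """Return omega in Z_q with omega^n = -1, i.e. a primitive 2n-th root of
    unity (n a power of two, q prime and q = 1 mod 2n are assumed)."""
    for w in range(2, q):
        if pow(w, n, q) == q - 1:
            return w
    raise ValueError("no primitive 2n-th root of unity mod q; need q = 1 (mod 2n)")


def embedding_points(n, q, omega):
    """The n evaluation points omega, omega^3, ..., omega^(2n-1)."""
    return [pow(omega, 2 * i - 1, q) for i in range(1, n + 1)]


def eval_poly(a, x, q):
    """Horner evaluation of a(x) = sum a[i] x^i over Z_q."""
    r = 0
    for coef in reversed(a):
        r = (r * x + coef) % q
    return r


def negacyclic_mul(a, b, n, q):
    """Schoolbook product in Z_q[x]/<x^n + 1>, reducing with x^n = -1."""
    c = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                c[k] = (c[k] + ai * bj) % q
            else:
                c[k - n] = (c[k - n] - ai * bj) % q
    return c


def embed(a, n, q, omega):
    """sigma(a) = (a(omega), a(omega^3), ..., a(omega^(2n-1))) in Z_q^n."""
    return [eval_poly(a, p, q) for p in embedding_points(n, q, omega)]


def unembed(v, n, q, omega):
    """Inverse of sigma: solve the n x n Vandermonde system over Z_q by
    Gauss-Jordan elimination (the paper's 'linear equation set').
    The evaluation points are distinct, so the system is uniquely solvable."""
    pts = embedding_points(n, q, omega)
    M = [[pow(p, j, q) for j in range(n)] + [vi % q] for p, vi in zip(pts, v)]
    for col in range(n):
        piv = next(r for r in range(col, n) if M[r][col])
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], q - 2, q)          # modular inverse, q prime
        M[col] = [(x * inv) % q for x in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(x - f * y) % q for x, y in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]


def is_ring_homomorphism(a, b, n, q, omega):
    """Check that sigma turns ring addition and multiplication into
    coordinate-wise operations and that unembed(embed(.)) is the identity:
    this is what lets embedded ciphertexts be added and multiplied
    coordinate-wise and still be mapped back to a polynomial for decryption."""
    sa, sb = embed(a, n, q, omega), embed(b, n, q, omega)
    total = [(x + y) % q for x, y in zip(a, b)]
    prod = negacyclic_mul(a, b, n, q)
    add_ok = embed(total, n, q, omega) == [(x + y) % q for x, y in zip(sa, sb)]
    mul_ok = embed(prod, n, q, omega) == [(x * y) % q for x, y in zip(sa, sb)]
    inv_ok = unembed(embed(prod, n, q, omega), n, q, omega) == prod
    return add_ok and mul_ok and inv_ok


if __name__ == "__main__":
    n, q = 8, 17
    omega = primitive_2n_root(n, q)
    a = [1, 2, 3, 4, 5, 6, 7, 8]            # constructed sample ring elements
    b = [16, 0, 3, 0, 9, 0, 1, 5]
    print("omega =", omega, "points =", embedding_points(n, q, omega))
    print("ring homomorphism holds:", is_ring_homomorphism(a, b, n, q, omega))
```

Evaluating a polynomial at the odd powers of a primitive $2n$-th root of unity modulo $q$ is the negacyclic number-theoretic transform, so in practice both $\sigma$ and its inverse are computed in $O(n \log n)$ by a forward and an inverse NTT; the Gauss-Jordan inverse above mirrors the paper's description but costs $O(n^3)$ and is only for illustration. Note also that the points $\omega^{2i-1}$ exist in $\mathbb{Z}_q$ only because $q \equiv 1 \pmod{2n}$; `primitive_2n_root` raises an error otherwise.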

Efficiency
The advantages of scheme 2 are a shorter key and a smaller computation cost; a detailed analysis follows.
Key length: The public key has length $kn\log_2 q$ bits. The private key is a polynomial in $R$ with constant term 1, of length $n\log_2 q$ bits.
Computation cost:
1. Encryption: the polynomial convolutions can be computed with a Fast Fourier Transform, so encrypting $n$ bits costs $\tilde{O}(n\log n)$ in total.
2. Decryption: it computes the inverse of the canonical mapping, then one polynomial multiplication and one canonical mapping, and finally a vector subtraction; the total cost is $\tilde{O}(n\log n)$.
3. Homomorphic addition: adding two ciphertexts is a plain vector addition, costing $\tilde{O}(n)$. Addition does not increase the ciphertext length, so the decryption cost is unchanged.
4. Homomorphic multiplication: multiplying two ciphertexts is a coordinate-wise vector multiplication over $\mathbb{Z}_q^n$, costing $\tilde{O}(n\log n)$. After a multiplication the ciphertext length grows to $4n\log_2 q$ bits, i.e. it doubles. In the decryption phase, for each ciphertext element a system of linear equations has to be solved, followed by one polynomial multiplication and one subtraction, so decryption costs $\tilde{O}(n^2)$ in total.
In summary, compared with scheme 1, scheme 2 has a clear efficiency advantage. Key length and computation cost stay within reasonable bounds, and we believe scheme 2 is a practical somewhat homomorphic encryption scheme.
5 Private information retrieval protocol based on scheme 2

A PBR protocol
The most representative application of homomorphic encryption is the construction of private information retrieval (PIR) protocols (Cachin et al. 1999). With homomorphic encryption, the communication complexity of a PIR protocol can be made polylogarithmic in the database size $n$, a great improvement. Kushilevitz and Ostrovsky (1997) were the first to bring homomorphic encryption into PIR; their single-database protocol achieves sublinear communication, at the cost of server computation linear in the database size.
In 2009, Gentry (2009) discussed how to build PIR protocols from homomorphic encryption. In 2011, Brakerski and Vaikuntanathan (2011b) gave a generic framework combining an FHE scheme with a symmetric-key encryption scheme. Most available PIR protocols deal with single-bit retrieval, while in practice a database record is usually longer than one bit; this motivates a natural extension of PIR, the Private Block Retrieval (PBR) protocol. We describe a PBR protocol based on scheme 2. For a database whose records are longer than one bit, we use the multi-bit encryption scheme to encrypt the index information, which reduces the number of ciphertexts and therefore the communication cost.
Suppose the database has $n$ records, each of length $d$ bits. The starting position of each record is given by an index of $\log n$ bits. Let SYM = (SYM.KeyGen, SYM.Enc, SYM.Dec) be a secure symmetric-key encryption scheme with plaintext space $\{0,1\}^{\log n}$; without loss of generality, assume the ciphertext space is also $\{0,1\}$

Analysis
The above protocol can be implemented with an LWE-based symmetric encryption scheme combined with our multi-bit SWHE scheme. In this implementation the index has $\log n$ bits (here $n$ is the number of database records, not the ring dimension), so the query has size $\log n$ bits. By scheme 2, the response to a query has $2d\log q$ bits. So to retrieve $d$ bits, the PBR protocol has communication complexity $2d\log q + \log n$, i.e. $2\log q + (\log n)/d$ bits per retrieved bit, which is polynomial in $\log q$ and $\log n$. Such a communication complexity is quite reasonable. Now consider the computational cost. According to the analysis of the SWHE scheme, if producing the response involves one homomorphic multiplication (so that the user decrypts a once-multiplied ciphertext), the server's cost to generate the response is $\tilde{O}(n\log n)$, while on the user side the decryption cost is $\tilde{O}(n^2)$.

Conclusion
In this paper we have given a multi-bit somewhat homomorphic encryption scheme based on the RLWE assumption.
We use the canonical mapping in encryption and in homomorphic evaluation. Thanks to this technique and the comparatively compact RLWE assumption, the new scheme is time-efficient, and the number of ciphertext elements does not grow under homomorphic evaluation. Using this scheme, an efficient PIR protocol can be constructed. Homomorphic encryption is a hot area of cryptography: recent years have seen abundant work on constructions and applications, with new methods and ideas appearing continually, but many problems, both theoretical and practical, remain open.
Aiming at performance, we used a new technique to construct the scheme, which is practical in terms of computation cost and key length; since homomorphic multiplication increases the ciphertext length, the scheme is somewhat, not fully, homomorphic. Controlling the ciphertext length and ultimately constructing fully homomorphic encryption schemes will be the target of our future work.