Efficient Leveled (Multi) Identity-Based Fully Homomorphic...

Received May 26, 2019, accepted June 1, 2019, date of publication June 13, 2019, date of current version July 1, 2019.

Digital Object Identifier 10.1109/ACCESS.2019.2922685

Efficient Leveled (Multi) Identity-Based Fully Homomorphic Encryption Schemes

TONGCHEN SHEN 1,2, FUQUN WANG 1,2,3, KEFEI CHEN 1,2,3, KUNPENG WANG 3,4,5, (Member, IEEE), AND BAO LI 3,4,5

1 Department of Mathematics, Hangzhou Normal University, Hangzhou 311121, China
2 Guangxi Key Laboratory of Cryptography and Information Security, Guilin 541004, China
3 Westone Cryptologic Research Center, Beijing 100071, China
3 School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China
4 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
5 Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, Beijing 100093, China

Corresponding authors: Fuqun Wang and Kefei Chen

This work was supported in part by the National Key R&D Program of China under Grant 2017YFB0802000, in part by the National Nature Science Foundation of China under Grant U1705264, Grant 61672030, Grant 61502484, and Grant 61272040, in part by the Zhejiang Provincial Natural Science Foundation of China under Grant LY19F020019, in part by the Research Foundation of Guangxi Key Laboratory of Cryptography and Information Security under Grant GCIS201725, in part by the Research Foundation of Hangzhou Normal University under Grant 2017QDL002, in part by the Scientific Research Fund of Zhejiang Provincial Education Department under Grant Y201737292, and in part by the Zhejiang Xinmiao Talents Program under Grant 2025B20700590.

The associate editor coordinating the review of this manuscript and approving it for publication was Shuangqing Wei.

VOLUME 7, 2019. 2169-3536 2019 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

ABSTRACT The first identity-based fully homomorphic encryption (IBFHE) scheme was constructed from identity-based encryption (IBE) and lattice-based cryptography by Gentry, Sahai, and Waters in CRYPTO 2013. Their IBFHE scheme is improved in this paper, exploiting Alperin–Sheriff and Peikert's tight and simple noise analysis method when evaluating homomorphically and Micciancio and Peikert's powerful and novel trapdoor. Furthermore, using the masking scheme (Mukherjee and Wichs in EUROCRYPT 2016), we construct an efficient multi-identity fully homomorphic encryption (MIFHE) scheme by expanding a "fresh" ciphertext under a single identity key to an "expanded" one under a combined key that enables ciphertexts under different identities to be homomorphically evaluated.

INDEX TERMS Fully homomorphic encryption, identity-based encryption, identity-based fully homomorphic encryption, learning with errors, multi-identity fully homomorphic encryption.

I. INTRODUCTION

As an important extension of public-key encryption (PKE) [23], fully homomorphic encryption (FHE) allows a third party with no knowledge of the private key or the messages to evaluate any computable function homomorphically on ciphertexts without decrypting them first, which is a valuable property in cloud computing. Ideal lattices were used to achieve the first FHE by Gentry in [23]. Ever since then, a large number of FHE schemes have been constructed based on lattices [4], [7], [10]–[12], [22], [25]–[28], [49] or integers [14], [17]–[19], [21], [30], [35]. In addition, various types of applications of FHE have appeared, such as secure multi-party computation [38], computation on outsourced data [52], proxy re-encryption [50], [51], fully homomorphic signature [54], and secure convolutional neural network [55].

Identity-based encryption (IBE) is another essential extension of PKE [34], which allows encryption to take only the target identity id and public parameters, aside from a message μ, so that broadcasting the user-specific public key in advance is unnecessary. The first realizations of IBE were based on Bilinear Diffie-Hellman [5] or Quadratic Residues [20]. Ever since then, a great variety of IBE schemes have been constructed based on pairings [6], [37] or lattices [1], [2], [13], [24].

Inevitably, IBFHE, which brings together the benefits of both IBE and FHE, has attracted researchers' attention. The first IBFHE scheme was achieved by Gentry, Sahai and Waters in CRYPTO 2013 [25] using a special compiler which allows all lattice-based IBE schemes [1], [2], [13], [24] to be compiled into IBFHE schemes. In STOC 2012, López-Alt, Tromer and Vaikuntanathan [42] coined the notion of


multi-key FHE (MKFHE) and constructed the first one based on NTRU [44], followed by [39], [41], [43]. Recently, Chen, Chillotti, and Song proposed an MKFHE scheme [47] based on TFHE [48], and they were the first to implement an MKFHE scheme.

Multi-identity FHE (MIFHE) is an identity-based version of MKFHE. In CRYPTO 2015, Clear and McGoldrick [15] constructed the first MIFHE scheme in the random oracle model based on the GPV-IBE scheme [24], which was simplified by Mukherjee and Wichs [38], who presented a construction of MKFHE in EUROCRYPT 2016. The schemes stated above are leveled homomorphic, i.e., they require a polynomial bound on the depth of the circuits to be given in advance. The first non-leveled IBFHE scheme was constructed by Clear and McGoldrick [16] assuming the existence of indistinguishability obfuscators, followed by [40].

A. CONTRIBUTION

In this paper, the ABB-IBE scheme [1] is improved by exploiting Micciancio and Peikert's novel trapdoor [29] (called the MP12-trapdoor) to achieve shorter parameters. Micciancio and Peikert [29] claimed that all lattice-based cryptography with a trapdoor, including ABB-IBE, can be optimized using their trapdoor (see also [32]). However, they did not expound the details. It is non-trivial to take full advantage of the MP12-trapdoor in IBE because the noises used in encryption must be carefully designed for security reasons. If the noises are designed in the manner of [1], we do not know how to simulate the attack context in the security proof, and thus do not know how to realize the reduction from the security of the IBE scheme to the hardness of the learning with errors (LWE) problem. This paper follows the security proof in [1] at a high level, though the two differ in many technical details. Our proposed scheme is extendable: it can be made hierarchical as in [1], [25], and can be moved to the ring setting for less storage space and higher efficiency.

In addition, we propose an IBFHE scheme by compiling the new IBE scheme above. On the one hand, Alperin-Sheriff and Peikert [4] used the gadget matrix method, which is adopted in our construction, to replace the Powerof2, BitDecomp and Flattening operations of [25]. This yields a few advantages. In particular, appropriately randomizing noises reduces the growth rate of noise under homomorphic evaluation, and exploiting subgaussianity makes analyzing the noise level easier. On the other hand, the approximate eigenvector method [25] is used in our construction to remove the evaluation key during homomorphic operations.

Our main contribution is a construction of efficient leveled MIFHE. In CRYPTO 2015, Clear and McGoldrick [15] proposed the masking system technique and constructed the first MIFHE scheme. Later, in EUROCRYPT 2016, using the gadget matrix and the masking system, Mukherjee and Wichs [38] proposed an MKFHE scheme. Based on these techniques, we manage to expand a ciphertext under a key for a single identity to a ciphertext under a combined key for all identities, so that homomorphic operations on ciphertexts under different identities are permitted. The proposed MIFHE scheme has a smaller growth rate of noise when evaluating NAND circuits compared with Clear and McGoldrick's scheme.

Part of this work was published in Network and System Security (NSS) 2015 [53]. This is the full version.

B. PAPER ORGANIZATION

In Section II, some necessary foundations of lattices and relevant tools are given. The optimized IBE scheme is elaborated in Section III. In Section IV, we propose a leveled IBFHE construction that compiles our IBE scheme. We present our INDr-sID-CPA secure leveled MIFHE construction in Section V. Finally, we conclude in Section VI.

II. PRELIMINARIES

The following notation is used throughout this paper. Matrices are represented by bold uppercase letters (e.g., $\mathbf{A}, \mathbf{B}$), column vectors by bold lowercase letters (e.g., $\mathbf{a}, \mathbf{b}$), the $i$th entry of $\mathbf{a}$ by $\mathbf{a}[i]$, the $n$-dimensional identity matrix by $\mathbf{I}_n$, the Euclidean norm by $\|\mathbf{a}\|_2 = \sqrt{\sum_i a_i^2}$, the concatenation of two matrices by $[\mathbf{A}\|\mathbf{B}]$, and the concatenation of two column vectors by $[\mathbf{a},\mathbf{b}]$.

Let $n$ denote the security parameter throughout the paper. We define $[n] = \{1, 2, \ldots, n\}$ for any positive integer $n$. Let $\mathrm{negl}(n)$ denote a negligible function that grows slower than $n^{-c}$ for any constant $c > 0$ and any sufficiently large value of $n$. An event occurs with overwhelming probability if it occurs with probability at least $1 - \mathrm{negl}(n)$. For two distributions $X$ and $Y$ parameterized by the security parameter, if they are statistically indistinguishable, then we write $X \stackrel{\text{stat}}{\approx} Y$. Similarly, if they are computationally indistinguishable, then we write $X \stackrel{\text{comp}}{\approx} Y$.

A. IBE, IBFHE, AND MIFHE

An IBE scheme consists of the following four algorithms:

• Setup($1^n$): Output a master secret key msk, a master public key mpk and public parameters params.

• Extract(params, mpk, msk, id): Take params, mpk, msk and an identity id as input and output a user's secret key $sk_{id}$ for id.

• Enc(params, mpk, id, $\mu$): Output a ciphertext $c$ that encrypts a message $\mu$ to the identity id.

• Dec(params, $c$, $sk_{id}$): Output the decryption of a ciphertext using the knowledge of $sk_{id}$.

IBE can be generalized to IBFHE, which has a fifth algorithm:

• Eval($f$, params, id, $c_1, c_2, \ldots, c_t$): Given a computable function $f$ and ciphertexts $c_i \leftarrow$ Enc(params, id, $\mu_i$) ($i = 1, 2, \ldots, t$), a third party without knowledge of the secret key and messages can still calculate a new ciphertext $c$ encrypting $f(\mu_1, \mu_2, \ldots, \mu_t)$.

Homomorphically evaluating circuits of high depth is quite inefficient; thus, in general, some $L$ is required to restrict the function's depth, in which case the scheme is called leveled IBFHE. The leveled version is considered primarily in our paper, hence "leveled" is omitted for the sake of simplicity.

An MIFHE scheme is an IBFHE scheme that allows homomorphic operations on ciphertexts under different identities. It has an additional algorithm Expand that expands a "fresh" ciphertext $c_i$ under a single identity key to an "expanded" one $c_i$ under a combined key.

Security. IBE schemes are expected to satisfy semantic security under chosen-identity and chosen-plaintext attacks (IND-ID-CPA). This security model has two variants. A weaker one (IND-sID-CPA) imposes a restriction on the adversary, who must declare the identity to be attacked before obtaining the public parameters. A stronger one (INDr-ID-CPA) requires the ciphertext to be indistinguishable from a random member of the ciphertext space, which implies recipient anonymity.

We treat the security models of IBFHE and MIFHE as equal to that of IBE, disregarding the evaluation and expansion algorithms, because those algorithms are public and do not compromise the security level.

The INDr-sID-CPA security game for IBE (IBFHE, or MIFHE) is considered in our paper. Let us recall the security game between a PPT adversary and a challenger. The game has five stages.

• Setup: Only after obtaining the identity to be attacked from the adversary does the challenger run the Setup algorithm to obtain (params, mpk, msk). params and mpk are then returned to the adversary.

• Queries 1: The adversary may adaptively select $id_j$ ($id_j \neq id^*$) and query the challenger for the corresponding secret key at most polynomially many times.

• Challenge: The adversary chooses a message $\mu^*$ from the plaintext space and sends it to the challenger, who then selects a random bit $b \in \{0, 1\}$. The challenger sets the challenge ciphertext, regarded as the IBE (IBFHE, or MIFHE) challenge, to be $c^* \leftarrow$ Enc(params, mpk, $id^*$, $\mu^*$) if $b = 0$, and to be a ciphertext randomly chosen from the ciphertext space otherwise. The challenge $c^*$ is then sent back to the adversary.

• Queries 2: The adversary issues additional adaptive queries, up to polynomially many times, and receives responses as in Queries 1.

• Guess: The adversary outputs a guess $b'$; it wins if $b' = b$, and loses otherwise.

The adversary's advantage is $\Pr[b' = b] - \frac{1}{2}$. An IBE (IBFHE, or MIFHE) scheme is said to be INDr-sID-CPA secure if the adversary's advantage is less than some negligible function $\mathrm{negl}(\lambda)$.

B. HASHING AND SUBGAUSSIANITY

Here, we recall some facts about hash functions and subgaussianity.

Hashing. Given two finite sets $A$ and $B$, a family of functions $\mathcal{H}$ mapping $A$ to $B$ is said to be 2-universal if $\Pr_{h \stackrel{\$}{\leftarrow} \mathcal{H}}[h(a) = h(a')] = 1/|B|$ for all $a, a' \in A$ ($a \neq a'$).

Let $\mathcal{D}$ be a distribution over $\{-1, 0, 1\}$ that outputs 0 with a probability of 0.5, $-1$ with a probability of 0.25, and 1 with a probability of 0.25 (the notation $\mathcal{D}$ is used throughout this paper to denote this distribution). The following is a variant of the leftover hash lemma.

Lemma 1 ([3]): Given an integer $k \geq 1$ and a finite abelian group $B$, the mapping $h_{\mathbf{b}} : \mathcal{D}^k \to B$ is defined as $h_{\mathbf{b}}(\mathbf{a}) = \sum_{i=1}^{k} a_i b_i$ for every $\mathbf{b} \in B^k$. The family $\mathcal{H} = \{h_{\mathbf{b}}\}_{\mathbf{b} \in B^k}$ is then 2-universal. It holds that $(h_{\mathbf{b}}, h_{\mathbf{b}}(\mathbf{a}))$ is $\frac{1}{2}\sqrt{q/2^k}$-uniform.

Subgaussian Random Variable. In this work, subgaussian random variables are useful for controlling the growth rate of noise. A real random variable $X$ is said to be subgaussian with parameter $s \geq 0$ if $\Pr[|X| > t] \leq 2\exp(-\pi t^2/s^2)$ for all $t \geq 0$. It is self-evident that any $B$-bounded 0-mean random variable $X$ is subgaussian with parameter $B\sqrt{2\pi}$. In addition, a Gaussian tail with zero expectation implies subgaussianity. More information about subgaussianity is available in [36]. The following lemma is useful for analyzing the change of noise under homomorphic evaluation.

Lemma 2 ([9]): Let $X_1, X_2, \ldots, X_k$ be independent, 0-mean, real subgaussian random variables with parameter $s$ and $\mathbf{a} = (a_1, a_2, \ldots, a_k) \in \mathbb{R}^k$. Then $\sum_i (a_i X_i)$ is a subgaussian random variable with parameter $s \cdot \|\mathbf{a}\|_2$.

Similarly, we say a random real vector $\mathbf{a}$ is subgaussian with parameter $s$ if $\langle \mathbf{a}, \mathbf{u} \rangle \in \mathbb{R}$ is subgaussian with the same parameter $s$ for every unit vector $\mathbf{u}$, which implies that the concatenation of independent subgaussian random variables with the same parameter $s$ is subgaussian with parameter $s$. Subgaussianity has a matrix version as well. In summary, we have the following lemma.

Lemma 3 ([36]): Let $\mathbf{X} \in \mathbb{R}^{n \times m}$ be a subgaussian random matrix with parameter $s$. There exists a constant $c > 0$ such that, with overwhelming probability, $\|\mathbf{X}\|_2 \leq c \cdot s \cdot (\sqrt{m} + \sqrt{n})$, where $\|\mathbf{X}\|_2 \triangleq \max(\|\mathbf{X}\mathbf{u}\|_2)$ over all unit vectors $\mathbf{u}$.

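C. LATTICES AND HARD PROBLEMS

For a vector $\mathbf{u} \in \mathbb{Z}_q^n$ and a matrix $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$, define:

$$\Lambda^{\perp}(\mathbf{A}) = \{\mathbf{x} \in \mathbb{Z}^m : \mathbf{A}\mathbf{x} = \mathbf{0} \bmod q\},$$

$$\Lambda^{\perp}_{\mathbf{u}}(\mathbf{A}) = \{\mathbf{x} \in \mathbb{Z}^m : \mathbf{A}\mathbf{x} = \mathbf{u} \bmod q\}.$$

Note that $\Lambda^{\perp}_{\mathbf{u}}(\mathbf{A})$ is a shift of $\Lambda^{\perp}(\mathbf{A})$.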

LWE. The learning with errors (LWE) problem plays a vital role in lattice-based cryptography. We define the search LWE ($\mathrm{LWE}_{n,m,q,\chi}$) problem as follows.

For a positive integer $n$, a prime $q$, a uniformly random secret vector $\mathbf{s} \stackrel{\$}{\leftarrow} \mathbb{Z}_q^n$ and a distribution $\chi$ over $\mathbb{Z}_q$, randomly choose an error term $e \leftarrow \chi$ and a vector $\mathbf{a} \stackrel{\$}{\leftarrow} \mathbb{Z}_q^n$. Let $A_{\mathbf{s},\chi}$ be the distribution of $(\mathbf{a}, [\langle \mathbf{a}, \mathbf{s} \rangle - 2e]_q)$ over $\mathbb{Z}_q^n \times \mathbb{Z}_q$. Given $m = \mathrm{poly}(n)$ independent instances from $A_{\mathbf{s},\chi}$, the $\mathrm{LWE}_{n,m,q,\chi}$ problem is to find the secret vector $\mathbf{s}$.

The LWE problem has an important decisional version that will be used in this paper. Given $m$ independent instances sampled either from the uniform distribution over $\mathbb{Z}_q^n \times \mathbb{Z}_q$, or from $A_{\mathbf{s},\chi}$, the decisional learning with errors ($\mathrm{DLWE}_{n,m,q,\chi}$) problem is to determine which distribution these samples come from. The DLWE assumption says that these two distributions are computationally indistinguishable. For simplicity, $\mathrm{DLWE}_{n,m,q,\alpha}$ is frequently used to denote $\mathrm{DLWE}_{n,m,q,\chi}$ and $A_{\mathbf{s},\alpha}$ to denote $A_{\mathbf{s},\chi}$ for $\chi = D_{\mathbb{Z},\alpha q}$.

It is generally known that the $\mathrm{DLWE}_{n,m,q,\alpha}$ problem in the average case is as hard as approximating lattice problems with approximation factors of $O(n/\alpha)$ in the worst case, by quantum or classical reductions, when $\alpha q \geq 2\sqrt{n}$ [8], [29], [31], [33].

Lattices Trapdoor. Our constructions make use of the following results, including the MP12-trapdoor generation algorithm, the subgaussian sampling algorithm and the Gaussian sampling algorithm [29], while omitting the details of implementation because they are not strictly required.

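Given a prime $q > 2$ and $\ell = \lceil \log q \rceil$, define $\mathbf{G} \triangleq \mathbf{I}_n \otimes \mathbf{g}^T \in \mathbb{Z}_q^{n \times n\ell}$, where $\mathbf{g}^T = (1, 2, 2^2, \ldots, 2^{\ell-1})$.

Lemma 4 ([29]): Let $n, m_0, m_1, m, q, \ell$ be positive integers such that $q = q(n)$, $\ell = \lceil \log q \rceil$, $m_0 = n\ell + O(n)$, $m_1 = n\ell$ and $m = m_0 + m_1$. For $\mathbf{A}_0 \stackrel{\$}{\leftarrow} \mathbb{Z}_q^{n \times m_0}$, invertible $\mathbf{H} \in \mathbb{Z}_q^{n \times n}$ and $\mathbf{R} \leftarrow \mathcal{D}^{m_0 \times m_1}$, where $\mathcal{D}$ is defined in subsection II-B, there exists an efficiently randomized algorithm GenTrap($\mathbf{A}_0, \mathbf{H}$) to generate a matrix $\mathbf{A}$ ($\triangleq [\mathbf{A}_0 \| \mathbf{H}\mathbf{G} - \mathbf{A}_0\mathbf{R}]$) $\in \mathbb{Z}_q^{n \times m}$ with trapdoor $\mathbf{R}$ and tag $\mathbf{H}$ such that $\mathbf{A}$ is $\mathrm{negl}(n)$-far from uniform. The matrix $\mathbf{R}$ is called an MP12-trapdoor of $\mathbf{A}$ with tag $\mathbf{H}$.

Lemma 5 ([4], [29]): Given any matrix $\mathbf{A} \in \mathbb{Z}_q^{n \times m_0}$, there exists an efficiently randomized algorithm that samples a subgaussian matrix $\mathbf{X}$ with some constant parameter $O(1)$ over $\mathbb{Z}_q^{m_1 \times m_0}$ such that $\mathbf{X} = \mathbf{G}^{-1}(\mathbf{A})$, where the gadget matrix $\mathbf{G}$ is specified as above.

Lemma 6 ([29]): Using the parameters described in lemma 4, given a uniformly random vector $\mathbf{u} \in \mathbb{Z}_q^n$, there exists an efficient algorithm SampleD($\mathbf{R}, \mathbf{A}_0, \mathbf{H}, \mathbf{u}, s$) that samples a vector $\mathbf{t}$ over $D^{m}_{\mathbb{Z}, s \cdot \omega(\sqrt{\log n})}$ for some $s \in \mathbb{R}$ and $\omega(\sqrt{\log n})$ satisfying $\mathbf{A} \cdot \mathbf{t} = \mathbf{u}$.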

III. IDENTITY BASED ENCRYPTION

Utilizing the MP12-trapdoor, an IBE scheme with optimized parameters that improves ABB-IBE [1] is constructed in this section. Micciancio and Peikert [29] claimed that all lattice-based cryptography with a trapdoor can be optimized using their trapdoor. However, they did not give the details of the optimization, which is in fact non-trivial because the noises must be carefully designed for security reasons. We elaborate on the noise, and show that our construction is INDr-sID-CPA secure as long as the DLWE assumption holds.

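A. THE BASIC IDENTITY-BASED ENCRYPTION

Recall that $n$ is the security parameter. We start by describing some public parameters that are used throughout this section.

- The modulus $q$ is a sufficiently large prime $q = \mathrm{poly}(n)$. Let $\ell = \lceil \log q \rceil$, $m_0 = n(\ell + O(1))$, $m_1 = n\ell$ and $m = m_0 + m_1$.

- $\mathbf{G} = \mathbf{I}_n \otimes \mathbf{g}^T \in \mathbb{Z}_q^{n \times n\ell}$ for $\mathbf{g}^T = (1, 2, 2^2, \ldots, 2^{\ell-1})$ is the gadget matrix.

- Let $\mathcal{D}$ be the distribution over $\{-1, 0, 1\}$ as defined in subsection II-B, such that $(\mathbf{A}_0, \mathbf{A}_0\mathbf{R})$ is $\mathrm{negl}(n)$-far from $(\mathbf{U}_0, \mathbf{U}_1) \stackrel{\$}{\leftarrow} \mathbb{Z}_q^{n \times m_0} \times \mathbb{Z}_q^{n \times m_1}$ for $\mathbf{A}_0 \stackrel{\$}{\leftarrow} \mathbb{Z}_q^{n \times m_0}$ and $\mathbf{R} \leftarrow \mathcal{D}^{m_0 \times m_1}$. See also [29] for more information about this regularity. In addition, sampling $\mathbf{R} \leftarrow D^{m_0 \times m_1}_{\mathbb{Z}, \omega(\sqrt{\log n})}$ leads to mildly larger parameters.

- Every identity is assumed to have a counterpart element in $GF(q^n)$. $H : GF(q^n) \to \mathbb{Z}_q^{n \times n}$ is said to be an invertible difference if $H$ is computable in polynomial time in $n\ell$ and $H(id_1) - H(id_2)$ is invertible for any two different identities $id_1, id_2$ (for more information, please refer to [1]).

- The LWE error rate $\alpha$ is supposed to be sufficiently large, satisfying $\alpha q \geq 2\sqrt{n}$.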

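We now give a formal description of our basic IBE construction.

• IBE.Setup($1^n$): Choose $\mathbf{A}_0 \stackrel{\$}{\leftarrow} \mathbb{Z}_q^{n \times m_0}$, $\mathbf{u} \stackrel{\$}{\leftarrow} \mathbb{Z}_q^n$ and $\mathbf{R} \leftarrow \mathcal{D}^{m_0 \times m_1}$. Let $\mathbf{A} = [\mathbf{A}_0 \| \mathbf{A}_1] = [\mathbf{A}_0 \| -\mathbf{A}_0\mathbf{R}] \in \mathbb{Z}_q^{n \times m}$. The master secret key and master public key are set to be msk $= \mathbf{R}$ and mpk $= [\mathbf{u} \| \mathbf{A}]$. Output params $= (n, q, \ell, m_0, m_1, m, \mathbf{G})$, mpk, and msk. Note that $\mathbf{A} \cdot \begin{bmatrix} \mathbf{R} \\ \mathbf{I}_{m_1} \end{bmatrix} = \mathbf{0}$.

• IBE.Extract(params, mpk, msk, id): Given $id \in \mathbb{Z}_q^n$, compute $H(id)$ and set $\mathbf{A}_{id} = [\mathbf{A}_0 \| \mathbf{A}_1 + H(id) \cdot \mathbf{G}]$ (note that $\mathbf{R}$ is an MP12-trapdoor of $\mathbf{A}_{id}$ with tag $H(id)$). Sample a vector $\mathbf{t} \in \mathbb{Z}^m$ with small entries satisfying $\mathbf{A}_{id} \cdot \mathbf{t} = \mathbf{u}$ by running the algorithm SampleD($\mathbf{R}, \mathbf{A}_0, H(id), \mathbf{u}, \|\mathbf{R}\|_2$). Set the secret key and public key for id as $sk_{id} = \mathbf{s} = (1, -\mathbf{t})$ and $pk_{id} = \mathbf{P} = [\mathbf{u} \| \mathbf{A}_{id}]$. It is self-evident that $\mathbf{P} \cdot \mathbf{s} = \mathbf{0}$. Output $pk_{id}$, $sk_{id}$.

• IBE.Enc(params, $pk_{id}$, id, $\mu \in \{0, 1\}$): Given a message $\mu \in \{0, 1\}$, randomly select two vectors $\mathbf{y} \stackrel{\$}{\leftarrow} \mathbb{Z}_q^n$ and $\mathbf{e} = (-e, -\mathbf{e}_0, \mathbf{e}_1) \in \mathbb{Z}^{m+1}$, where $e \leftarrow D_{\mathbb{Z},\alpha q}$, $\mathbf{e}_0 \leftarrow D^{m_0}_{\mathbb{Z},\alpha q}$ and $\mathbf{e}_1 \leftarrow D^{m_1}_{\mathbb{Z},s}$ for $s^2 = (\|\mathbf{e}_0\|_2^2 + m_0\alpha^2 q^2) \cdot \omega(\sqrt{\log n})^2$. Output a ciphertext vector

$$\mathbf{c} \triangleq \mu\mathbf{v} + \mathbf{P}^T\mathbf{y} + 2\mathbf{e} \in \mathbb{Z}_q^{m+1},$$

where $\mathbf{v} = (1, 0, \ldots, 0)^T \in \{0, 1\}^{m+1}$.

• IBE.Dec(params, $\mathbf{c}$, $sk_{id}$): Output

$$\mu' \triangleq \langle \mathbf{c}, \mathbf{s} \rangle \bmod q \bmod 2.$$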

TABLE 1. Parameters comparison with the ABB-IBE scheme [1].

Remark: We sample the noise $\mathbf{e}_1$ from a slightly wider (than $\mathbf{e}_0$) discrete Gaussian distribution $D^{m_1}_{\mathbb{Z},s}$ for $s^2 = (\|\mathbf{e}_0\|_2^2 + m_0\alpha^2 q^2) \cdot \omega(\sqrt{\log n})^2$, which plays an important role in the proof of security.
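The four algorithms of the basic IBE scheme above, run end to end on toy parameters (an added example, not code from the paper; all function names are hypothetical). Assumptions: q = 65537, n = 3, the scalar tag H(id) = id·I_n, noise bounded in {−1, 0, 1} instead of discrete Gaussians, and a deterministic trapdoor inversion t = [R·w; w] with w = G^{-1}(H(id)^{-1}u) in place of SampleD. That inversion leaks R and the parameters give no security, so the block shows only the algebra: A_id·t = u, P·s = 0, and correct decryption.

```python
import random

Q = 65537                    # toy prime modulus q (assumed; far too small to be secure)
N = 3                        # toy dimension n
ELL = (Q - 1).bit_length()   # l = ceil(log2 q) = 17
M1 = N * ELL                 # m1 = n*l
M0 = N * (ELL + 2)           # m0 = n*(l + O(1)), with the O(1) taken as 2
rng = random.Random(2019)    # fixed seed: reproducible, NOT a cryptographic RNG


def matmul(A, B):
    """Product of list-of-rows matrices, reduced mod q."""
    cols = list(zip(*B))
    return [[sum(x * y for x, y in zip(row, col)) % Q for col in cols] for row in A]


def matvec(A, x):
    """Matrix-vector product mod q."""
    return [sum(a * b for a, b in zip(row, x)) % Q for row in A]


def gadget():
    """G = I_n (x) g^T with g^T = (1, 2, ..., 2^(l-1)); an n x n*l matrix."""
    return [[(1 << (j % ELL)) if j // ELL == i else 0 for j in range(M1)]
            for i in range(N)]


def g_inverse(v):
    """Deterministic G^{-1}: the l binary digits of each entry, so G*g_inverse(v) = v."""
    return [(x >> k) & 1 for x in v for k in range(ELL)]


def setup():
    """IBE.Setup: mpk = (u, A0, A1 = -A0*R), msk = R with entries drawn from D."""
    A0 = [[rng.randrange(Q) for _ in range(M0)] for _ in range(N)]
    u = [rng.randrange(Q) for _ in range(N)]
    R = [[rng.choice((0, 0, 1, -1)) for _ in range(M1)] for _ in range(M0)]
    A1 = [[-x % Q for x in row] for row in matmul(A0, R)]
    return (u, A0, A1), R


def extract(mpk, R, ident):
    """IBE.Extract with the toy tag H(id) = id*I_n for a scalar id in 1..q-1."""
    u, A0, A1 = mpk
    A_id = [a0 + [(a1 + ident * g) % Q for a1, g in zip(r1, rg)]
            for a0, r1, rg in zip(A0, A1, gadget())]
    # A_id * [R; I] = H(id)*G, so t = [R*w; w] with w = G^{-1}(H(id)^{-1} u)
    # satisfies A_id * t = u. This replaces SampleD and leaks R: illustration only.
    w = g_inverse([pow(ident, -1, Q) * x % Q for x in u])
    t = [sum(r * b for r, b in zip(row, w)) for row in R] + w
    P = [[ui] + row for ui, row in zip(u, A_id)]     # pk_id = [u | A_id]
    s = [1] + [-x for x in t]                        # sk_id = (1, -t), so P*s = 0
    return P, s


def encrypt(P, mu):
    """IBE.Enc: c = mu*v + P^T y + 2e, with bounded noise in {-1, 0, 1}."""
    y = [rng.randrange(Q) for _ in range(N)]
    c = []
    for j in range(len(P[0])):
        mask = sum(P[i][j] * y[i] for i in range(N))
        c.append((mask + 2 * rng.choice((-1, 0, 1)) + (mu if j == 0 else 0)) % Q)
    return c


def decrypt(c, s):
    """IBE.Dec: <c, s> mod q (centred representative) mod 2."""
    z = sum(ci * si for ci, si in zip(c, s)) % Q
    if z > Q // 2:
        z -= Q
    return z % 2


if __name__ == "__main__":
    mpk, R = setup()
    P, s = extract(mpk, R, ident=42)
    print([decrypt(encrypt(P, mu), s) for mu in (0, 1, 1, 0)])
```

With these sizes the decryption noise |μ + 2⟨e, s⟩| is at most 5919, well below q/2, so decryption is correct for every run rather than only with high probability.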

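B. PARAMETERS

Lemma 7: Let $q = m_0^2 \cdot \omega(\sqrt{\log n})^3$, $\alpha = (m_0^{1.5} \cdot \omega(\sqrt{\log n})^3)^{-1}$. The parameters specified in Section III ensure that decryption in our IBE construction works correctly with overwhelming probability.

Proof 1: It is self-evident that

$$\langle \mathbf{c}, \mathbf{s} \rangle = \mu \cdot \langle \mathbf{v}, \mathbf{s} \rangle + 2\langle \mathbf{e}, \mathbf{s} \rangle = \mu + 2\langle \mathbf{e}, \mathbf{s} \rangle = \mu - 2e + 2\langle \mathbf{e}_0, \mathbf{t}_0 \rangle - 2\langle \mathbf{e}_1, \mathbf{t}_1 \rangle,$$

where the short vector $\mathbf{t} \triangleq (\mathbf{t}_0, \mathbf{t}_1) \in \mathbb{Z}^{m_0} \times \mathbb{Z}^{m_1}$. We now bound $|\langle \mathbf{e}_1, \mathbf{t}_1 \rangle|$. By lemma 3, we have

$$\|\mathbf{e}_1\|_2 \leq c \cdot O(\sqrt{m_0}\,\alpha q \cdot \omega(\sqrt{\log n})) \cdot \sqrt{m_1} \leq m_0 \alpha q \cdot \omega(\sqrt{\log n})$$

with overwhelming probability. So, by lemma 12 in [1], we get

$$|\langle \mathbf{e}_1, \mathbf{t}_1 \rangle| \leq \|\mathbf{e}_1\|_2 \cdot \sqrt{2\pi} \cdot \omega(\sqrt{\log n})^2 \leq m_0 \alpha q \cdot \omega(\sqrt{\log n})^3.$$

By the setting of our parameters, we have $|\langle \mathbf{e}_1, \mathbf{t}_1 \rangle| \leq m_0^{1.5} \cdot \omega(\sqrt{\log n})^3$ with overwhelming probability. Similarly, $|\langle \mathbf{e}_0, \mathbf{t}_0 \rangle| \leq m_0^{1.5} \cdot \omega(\sqrt{\log n})^3$ with overwhelming probability. Obviously, we have $|e| \leq \alpha q\sqrt{n}$. Hence $|\langle \mathbf{c}, \mathbf{s} \rangle| \leq m_0^{1.5} \cdot \omega(\sqrt{\log n})^3$, which completes the proof. $\square$

The parameters of our basic IBE scheme are compared with those of the ABB-IBE scheme [1] in Table 1, from which we find that our scheme has optimized parameters.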

C. SECURITY

In this subsection, our IBE construction is proved to be INDr-sID-CPA secure. The security proof in [1] is followed at a high level, though that of the CCA-secure PKE in [29] is followed from a technical perspective.

Theorem 1: The basic IBE construction in subsection III-A is INDr-sID-CPA secure assuming that the $\mathrm{DLWE}_{n,m_0+1,q,\alpha}$ assumption holds.

Proof 2: We show the reduction to the hardness of the DLWE problem as below.

Instance. The challenger receives DLWE instances $\{(\mathbf{a}_i, b_i)\}_{i+1 \in [m_0+1]}$ that are sampled either from $A_{\mathbf{y},\alpha}$ or uniformly.

Targeting. The PPT adversary announces the challenge identity $id^*$ to be attacked.

Setup. The challenger simulates the attack context for the adversary as follows.

1) Assemble $\mathbf{A}_0 = (\mathbf{a}_1, \mathbf{a}_2, \ldots, \mathbf{a}_{m_0})$ and $\mathbf{u} = \mathbf{a}_0$.

2) Sample $\mathbf{R} \leftarrow \mathcal{D}^{m_0 \times m_1}$ and compute $\mathbf{A}_1 = -\mathbf{A}_0\mathbf{R} - H(id^*)\mathbf{G}$.

3) Set the master public key mpk $= \{\mathbf{u} \| \mathbf{A}_0 \| \mathbf{A}_1\}$ and the master secret key msk $= \mathbf{R}$ to be an MP12-trapdoor for $[\mathbf{A}_0 \| \mathbf{A}_1]$ with tag $-H(id^*)$.

4) Send the adversary params $= (n, q, \ell, m_0, m_1, m, \mathbf{G})$, mpk.

In the adversary's view, the master public key mpk is $\mathrm{negl}(n)$-far from uniform in statistical distance because of the selection of $m_0$ and $\mathcal{D}$.

Identity-secret-key Queries 1. The adversary can issue adaptive queries at most polynomially many times. To respond to a secret key query for $id_j$, the challenger sets $\mathbf{A}_{id_j} = [\mathbf{A}_0 \| -\mathbf{A}_0\mathbf{R} + (H(id_j) - H(id^*)) \cdot \mathbf{G}]$.

If $id_j \neq id^*$, the MP12-trapdoor $\mathbf{R}$ can be used to sample a short vector $\mathbf{t}$ from $\Lambda^{\perp}_{\mathbf{u}}(\mathbf{A}_{id_j}) = \Lambda^{\perp}_{\mathbf{u}}([\mathbf{A}_0 \| -\mathbf{A}_0\mathbf{R} + (H(id_j) - H(id^*)) \cdot \mathbf{G}])$ by lemma 6. The secret key $sk_{id_j} = \mathbf{s} = (1, -\mathbf{t})$ is sent back as the response. However, if $id_j = id^*$, a short vector $\mathbf{t}$ cannot be sampled from $\Lambda^{\perp}_{\mathbf{u}}(\mathbf{A}_{id_j})$ because the trapdoor functionality disappears. Thus, all queries other than for $id^*$ are appropriately answered, which means the queries are perfectly simulated by the challenger.

Challenge. The challenger receives a message $\mu^* \in \{0, 1\}$ chosen by the adversary for the target identity $id^*$, and simulates a challenge ciphertext as follows:

1) Let $b_0, b_1, \ldots, b_{m_0}$ be entries of the DLWE instances. Set $c_0^* = b_0 + \mu^* \in \mathbb{Z}_q$ to blind $\mu^*$.

2) Assemble $\mathbf{b}^* = (b_1, \ldots, b_{m_0})$ and $\mathbf{c}_1^* = \begin{bmatrix} \mathbf{b}^* \\ -\mathbf{R}^T\mathbf{b}^* + 2\mathbf{e} \end{bmatrix} \in \mathbb{Z}_q^m$, where $\mathbf{R}$ is the master secret key and $\mathbf{e} \leftarrow D^{m_1}_{\mathbb{Z}, \alpha q\sqrt{m_0} \cdot \omega(\sqrt{\log n})}$.

3) Send the adversary $\mathbf{c}^* = (c_0^*, \mathbf{c}_1^*)$ as the challenge ciphertext.

Identity-secret-key Queries 2. The adversary issues additional adaptive queries, up to polynomially many times, and receives responses as in Identity-secret-key Queries 1.

Guess. The challenger sets a guess $b'$ to be the same as the guess output by the adversary.

We claim that $\mathbf{c}^*$ is indistinguishable from a fresh ciphertext of $\mu^*$ for $id^*$ if the DLWE instances are sampled from $A_{\mathbf{y},\alpha}$. Recall that $\mathbf{A}_{id^*} = [\mathbf{A}_0 \| -\mathbf{A}_0\mathbf{R}]$, $b_0 = \mathbf{a}_0^T\mathbf{y} - 2e$ where $e \leftarrow D_{\mathbb{Z},\alpha q}$, and $\mathbf{b}^* = \mathbf{A}_0^T\mathbf{y} - 2\mathbf{e}_0$ where $\mathbf{e}_0 \leftarrow D^{m_0}_{\mathbb{Z},\alpha q}$. Hence, $c_0^*$ in the first stage of Challenge satisfies $c_0^* = \mathbf{a}_0^T\mathbf{y} - 2e + \mu^*$, which is exactly the first part of a valid ciphertext. For $\mathbf{c}_1^*$ in the second stage of Challenge, we have

$$\mathbf{c}_1^* = \begin{bmatrix} \mathbf{A}_0^T\mathbf{y} - 2\mathbf{e}_0 \\ -\mathbf{R}^T(\mathbf{A}_0^T\mathbf{y} - 2\mathbf{e}_0) + 2\mathbf{e} \end{bmatrix} = \mathbf{A}_{id^*}^T\mathbf{y} + \begin{bmatrix} -2\mathbf{e}_0 \\ 2(\mathbf{R}^T\mathbf{e}_0 + \mathbf{e}) \end{bmatrix}.$$

Therefore, it is sufficient to show that for fixed $\mathbf{e}_0$, every $\mathbf{r}_i^T \cdot \mathbf{e}_0 + e_i$ is $\mathrm{negl}(n)$-far from $D_{\mathbb{Z},s}$, where $s^2 = (\|\mathbf{e}_0\|_2^2 + m_0\alpha^2 q^2) \cdot \omega(\sqrt{\log n})^2$, over the randomness of $\mathbf{r}_i$ and of $e_i$. The claim follows by the security proof of CCA-PKE in [29], adapted from discrete Gaussian variables to discrete subgaussian variables because each $\mathbf{r}_i$ is an independent discrete subgaussian.

In addition, we claim that the challenge ciphertext $\mathbf{c}^*$ is uniform if the DLWE instances are uniformly random. Obviously, both $b_0$ and $\mathbf{b}^*$ are uniform. By lemma 1, $-\mathbf{R}^T\mathbf{b}^*$ is uniform and independent over $\mathbb{Z}_q^{m_1}$. Thus, $-\mathbf{R}^T\mathbf{b}^* + 2\mathbf{e}$ is uniform, which means that the challenge ciphertext $\mathbf{c}^*$ is uniform over $\mathbb{Z}_q^{m+1}$. This completes the proof.

IV. IDENTITY-BASED FULLY HOMOMORPHIC ENCRYPTION

A leveled IBFHE scheme is formally described in this section based on our basic IBE construction, and the proposed IBFHE is more efficient compared with GSW-IBFHE [25].

A. THE IDENTITY-BASED FHE SCHEME

As in the previous section, we start by describing some public parameters that will be used throughout this section.

- Let $L$ be the maximum multiplication depth of circuits allowed to be evaluated homomorphically, and $q$ be a sufficiently large prime $q = q(n, L)$. Set $\ell, m_0, m_1, m, G, D$ and $H$ as specified in subsection III-A.

- We define another gadget matrix $M = I_{m+1} \otimes g^T \in \mathbb{Z}_q^{(m+1)\times(m+1)\ell}$ for $g^T = (1, 2, \ldots, 2^{\ell-1})$, where, by lemma 5, given any matrix $A \in \mathbb{Z}_q^{(m+1)\times(m+1)\ell}$, there exists an efficient randomized algorithm that samples a subgaussian matrix $X$ with some constant parameter $O(1)$ over $\mathbb{Z}^{(m+1)\ell\times(m+1)\ell}$ such that $X = M^{-1}(A)$.

A formal description of our IBFHE construction is given below.

• IBFHE.Setup($1^n, 1^L$): Run the IBE.Setup algorithm to generate $A = [A_0 \| A_1] = [A_0 \| -A_0 R] \in \mathbb{Z}_q^{n\times m}$, $mpk = [u \| A]$ and $msk = R$. Output $params = (n, L, q, \ell, m_0, m_1, m, G, M, )$, $mpk$, $msk$.

• IBFHE.Extract($params, mpk, R, id$): Run the IBE.Extract algorithm to generate $pk_{id} = P = [u \| A_{id}]$ and $sk_{id} = s = (1, -t)$. Recall that, as specified in the basic IBE scheme, $A_{id} = [A_0 \| A_1 + H(id) \cdot G]$ (note that $R$ is an MP12-trapdoor of $A_{id}$ with tag $H(id)$), and the vector $t \in \mathbb{Z}^m$ with small entries satisfying $A_{id} \cdot t = u$ is sampled by running the algorithm SampleD($R, A_0, H(id), u, \|R\|_2$). Output $pk_{id}, sk_{id}$. Note that $P \cdot s = 0$.

• IBFHE.Enc($params, pk_{id}, id, \mu \in \{0, 1\}$): Given a message $\mu$, randomly select two matrices $Y \xleftarrow{\$} \mathbb{Z}_q^{n\times(m+1)\ell}$ and $E = [-e \| -E_0 \| E_1]^T \in \mathbb{Z}^{(m+1)\times(m+1)\ell}$, where $e \leftarrow D^{(m+1)\ell}_{\mathbb{Z},\alpha q}$, $E_0 = [e_{0,1} \| e_{0,2} \| \cdots \| e_{0,(m+1)\ell}]^T \leftarrow D^{(m+1)\ell\times m_0}_{\mathbb{Z},\alpha q}$ and $E_1 = [e_{1,1} \| e_{1,2} \| \cdots \| e_{1,(m+1)\ell}]^T$, where $e_{1,i} \leftarrow D^{m_1}_{\mathbb{Z},s_i}$ for $s_i^2 = (\|e_{0,i}\|_2^2 + m_0(\alpha q)^2) \cdot \omega(\sqrt{\log n})^2$. Output the ciphertext matrix

$$C = \mu M + P^T Y + 2E \in \mathbb{Z}_q^{(m+1)\times(m+1)\ell}.$$

• IBFHE.Dec($params, C, sk_{id}$): Output $\mu' = \langle c, s \rangle \bmod q \bmod 2$, where $c$ is the first column of the ciphertext matrix $C$.

• IBFHE.NAND($params, C_1, C_2$): Given two ciphertext matrices $C_1, C_2$ under an identical identity for two plaintexts $\mu_1, \mu_2$, homomorphic addition is defined as

$$C_{\mathrm{Add}} = C_1 \oplus C_2 \triangleq C_1 + C_2,$$

and homomorphic multiplication is defined as

$$C_{\mathrm{Multi}} = C_1 \odot C_2 \triangleq C_1 \cdot M^{-1}(C_2).$$

With these operations, we can define

$$C_{\mathrm{NAND}} \triangleq M - C_{\mathrm{Multi}} = M - C_1 \cdot M^{-1}(C_2).$$

Output $C_{\mathrm{NAND}}$. Observe that $M^{-1}(\cdot)$ is randomized, and so is this algorithm.

• IBFHE.Eval($params, f, C_1, C_2, \ldots, C_t$): A NAND-circuit $f : \{0, 1\}^t \to \{0, 1\}$ is applied to a set of ciphertexts $C_1, C_2, \ldots, C_t$, which leads to a ciphertext $C_f$.

B. ANALYSIS

In this subsection, the correctness, security and homomorphic property are analyzed.

Correctness. The decryption algorithm in our IBFHE construction works correctly because for a ciphertext $C \in \mathbb{Z}_q^{(m+1)\times(m+1)\ell}$ and a secret key $s \in \mathbb{Z}^{m+1}$, we have

$$\begin{aligned} C^T \cdot s &= (\mu M^T + Y^T P + 2E^T)s \\ &= \mu M^T s + Y^T P s + 2E^T s \\ &= \mu M^T s + 2E^T s. \end{aligned}$$

Thus, we have

$$\langle c, s \rangle = \mu + 2 \cdot \langle (-e_1, -e_{0,1}, e_{1,1}), s \rangle,$$

where $c$ is set to be the first column of $C$. The first entry of $s$ is 1, and the first entry of the first column of $M$ is 1. Thus, the preceding equation for $\langle c, s \rangle$ holds by the definition of matrix-vector multiplication. The correctness follows with an overwhelming probability if we assign the parameters as in section III, by lemma 7.

Security. Exploiting a standard hybrid analysis, we claim that the INDr-sID-CPA security of the IBFHE construction can be deduced directly from that of our basic IBE scheme by theorem 1. A ciphertext $C$ of a bit 0 in IBFHE.Enc can


be considered as the concatenation of $(m + 1)\ell$ ciphertexts of a bit 0 in IBE.Enc. Hence, the claim follows because $C$ is indistinguishable from $C + M$ (a valid ciphertext of a bit 1).

Homomorphic Property.

Lemma 8: Let two fresh ciphertexts be $C_1, C_2$ such that $C_i^T \cdot s = \mu_i M^T s + 2E_{(i)}^T s$, $i = 1, 2$. We then have with an overwhelming probability that

$$\begin{aligned} C_{\mathrm{NAND}}^T \cdot s &= (1 - \mu_1\mu_2)M^T s - 2\big((M^{-1}(C_2))^T \cdot E_{(1)}^T s + \mu_1 E_{(2)}^T s\big) \\ &\triangleq (1 - \mu_1\mu_2)M^T s - 2e^*. \end{aligned}$$

In addition, the decryption works correctly after one-time NAND evaluation if $q/4 \ge O(m_0^2 \cdot \sqrt{\ell}) \cdot \omega(\sqrt{\log n})^3$.

Proof 3: For any two fresh ciphertexts $C_1, C_2$, we have

$$\begin{aligned} C_{\mathrm{NAND}}^T \cdot s &= (M - C_1 \cdot M^{-1}(C_2))^T \cdot s \\ &= M^T s - M^{-1}(C_2)^T \cdot C_1^T \cdot s \\ &= M^T s - M^{-1}(C_2)^T \cdot (\mu_1 M^T \cdot s + 2E_{(1)}^T s) \\ &= M^T s - \mu_1 C_2^T s - 2M^{-1}(C_2)^T \cdot E_{(1)}^T s \\ &= M^T s - \mu_1(\mu_2 M^T s + 2E_{(2)}^T s) - 2M^{-1}(C_2)^T \cdot E_{(1)}^T s \\ &= (1 - \mu_1\mu_2)M^T s - 2\big(M^{-1}(C_2)^T \cdot E_{(1)}^T s + \mu_1 E_{(2)}^T s\big) \\ &\triangleq (1 - \mu_1\mu_2)M^T s - 2e^*, \end{aligned}$$

where $M^{-1}(C_2)^T$ is a subgaussian random matrix with parameter $O(1)$. By lemma 3, we have

$$\|M^{-1}(C_2)^T\|_2 \le O(1) \cdot \sqrt{(m + 1)\ell}.$$

By lemma 7, it holds that

$$\|E_{(i)}^T s\|_\infty \le m_0^{1.5} \cdot \omega(\sqrt{\log n})^3 \quad (i = 1, 2).$$

Therefore, we get

$$\begin{aligned} \|e^*\|_\infty &\le \big(O(1) \cdot \sqrt{(m + 1)\ell} + 1\big)\, m_0^{1.5} \cdot \omega(\sqrt{\log n})^3 \\ &= O(m_0^2 \sqrt{\ell}) \cdot \omega(\sqrt{\log n})^3. \end{aligned}$$

Hence, the decryption works correctly after one-time homomorphic NAND evaluation.

□

Repeated use of the above lemma makes our IBFHE construction an $L$-leveled one. We observe that the level of noise roughly grows from $O(m_0^{1.5}) \cdot \omega(\sqrt{\log n})^3$ to $O(m_0^2 \cdot \sqrt{\ell}) \cdot \omega(\sqrt{\log n})^3$ after one-time homomorphic NAND evaluation.

Theorem 2: Given a NAND-circuit $f$ of depth $L$, the decryption of our IBFHE construction works correctly with an overwhelming probability if all inputs are fresh ciphertexts and the parameter satisfies

$$q/4 \ge O(\sqrt{m_0 \ell})^L \cdot O(m_0^{1.5}) \cdot \omega(\sqrt{\log n})^3.$$

Remark: We observe that the noise grows asymmetrically during homomorphic evaluation, thus the techniques in [4] can be used to further optimize the parameters. However, our IBFHE scheme is not bootstrappable because of the lack of the evaluation key encrypting the user's secret key that is needed in the bootstrapping algorithm. In effect, it destroys the anonymity and the indistinguishability between a ciphertext matrix and a random matrix from the ciphertext space.
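The following Python code is an added example, not code from the paper: it runs IBFHE.Enc, IBFHE.Dec and IBFHE.NAND from subsection IV-A on toy parameters and measures the noise term of Lemma 8. It assumes constructed parameters that are far too small to be secure, a key pair produced without the trapdoor (a short $t$ is chosen first and $u = A t$ is derived from it), and deterministic bit decomposition in place of the randomized subgaussian $M^{-1}(\cdot)$ of lemma 5; all function names are hypothetical.

```python
import random

# Toy parameters, constructed for illustration only (far too small to be secure).
Q = 2**31 - 1            # odd prime modulus q
ELL = 31                 # l = ceil(log2 q); g^T = (1, 2, ..., 2^(l-1))
N_DIM, M_DIM = 3, 6      # lattice dimensions n and m
ROWS = M_DIM + 1         # m + 1
COLS = ROWS * ELL        # (m + 1) * l


def centered(x):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x


def gadget():
    """M = I_(m+1) (x) g^T, an (m+1) x (m+1)l matrix."""
    return [[(1 << (j % ELL)) if j // ELL == i else 0 for j in range(COLS)]
            for i in range(ROWS)]


def gadget_inverse(C):
    """Bit decomposition X in {0,1}^((m+1)l x (m+1)l) with M X = C (mod q).
    Deterministic stand-in for the paper's randomized subgaussian M^-1."""
    X = [[0] * COLS for _ in range(COLS)]
    for i in range(ROWS):
        for j in range(COLS):
            for k in range(ELL):
                X[i * ELL + k][j] = (C[i][j] >> k) & 1
    return X


def keygen(rng):
    """Choose a short t, then set u = A t so that P = [u || A] and s = (1, -t)
    satisfy P s = 0 (mod q). The scheme itself samples t with the trapdoor R."""
    A = [[rng.randrange(Q) for _ in range(M_DIM)] for _ in range(N_DIM)]
    t = [rng.choice((-1, 0, 1)) for _ in range(M_DIM)]
    u = [sum(a * b for a, b in zip(row, t)) % Q for row in A]
    P = [[u[r]] + A[r] for r in range(N_DIM)]
    return P, [1] + [-x for x in t]


def encrypt(P, mu, rng):
    """C = mu*M + P^T Y + 2E (mod q): Y uniform, E with entries in {-1,0,1}."""
    M = gadget()
    Y = [[rng.randrange(Q) for _ in range(COLS)] for _ in range(N_DIM)]
    return [[(mu * M[i][j]
              + sum(P[r][i] * Y[r][j] for r in range(N_DIM))
              + 2 * rng.choice((-1, 0, 1))) % Q
             for j in range(COLS)] for i in range(ROWS)]


def decrypt(C, s):
    """mu' = <c, s> mod q mod 2, where c is the first column of C."""
    return centered(sum(C[i][0] * s[i] for i in range(ROWS))) % 2


def nand(C1, C2):
    """C_NAND = M - C1 * M^-1(C2) (mod q)."""
    M = gadget()
    cols = list(zip(*gadget_inverse(C2)))      # columns of M^-1(C2)
    return [[(M[i][j] - sum(a * b for a, b in zip(C1[i], cols[j]))) % Q
             for j in range(COLS)] for i in range(ROWS)]


def noise(C, s, mu):
    """max_j |e_j| for the e with C^T s = mu * M^T s + 2e (mod q)."""
    M = gadget()
    return max(abs(centered(sum((C[i][j] - mu * M[i][j]) * s[i]
                                for i in range(ROWS)))) // 2
               for j in range(COLS))


if __name__ == "__main__":
    rng = random.Random(2019)
    P, s = keygen(rng)
    C1, C2 = encrypt(P, 1, rng), encrypt(P, 1, rng)
    out = nand(C1, C2)
    print("fresh noise:", noise(C1, s, 1), "after NAND:", noise(out, s, 0))
    print("NAND(1,1) decrypts to", decrypt(out, s))
```

With 0/1 decomposition the noise after one NAND is bounded by $((m+1)\ell + 1)$ times the fresh bound, which is looser than the $O(\sqrt{(m+1)\ell})$ factor the subgaussian sampler gives in Lemma 8.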

V. MULTI-IDENTITY FULLY HOMOMORPHIC ENCRYPTION

An MIFHE scheme is an IBFHE scheme that allows homomorphic operations on ciphertexts under different identities. In this section, we present a leveled MIFHE scheme, based on the IBFHE scheme proposed in the preceding section. It is accomplished by adding an expansion algorithm that expands a "fresh" ciphertext under a single identity key to an "expanded" one under a combined key.

A. MASKING SCHEME

The main technique we use in this section was coined as a masking scheme in [15]. Without loss of generality, let us consider the case that we want to homomorphically operate on two ciphertexts $C_1$ and $C_2$ encrypting $\mu_1$ and $\mu_2$ under two different identities $id_1$ and $id_2$ respectively. However, IBFHE is not supposed to provide such functionality. A masking scheme is capable of expanding a "fresh" ciphertext $C_1$ into an "expanded" one $\hat{C}_1$ which is allowed to be homomorphically operated with another expanded ciphertext $\hat{C}_2$ derived from the other identity $id_2$.

In particular, say $s_1$ and $s_2$ are secret keys for identities $id_1$ and $id_2$. We want the expanded ciphertext to be decrypted likewise, i.e.,

$$\hat{C}_1 \cdot \begin{bmatrix} s_1 \\ s_2 \end{bmatrix} = \mu_1 \cdot \begin{bmatrix} M & 0 \\ 0 & M \end{bmatrix} \begin{bmatrix} s_1 \\ s_2 \end{bmatrix} + 2e. \tag{1}$$

Linear Combination. Before showing the concrete masking scheme, we need an algorithm coined as the linear combination in [38].

• LinearComb($(V^{(1,1)}, \cdots, V^{(n,(m+1)\ell)}), v$): $V^{(a,b)} \in \mathbb{Z}_q^{(m+1)\times(m+1)\ell}$ is the $\beta$-noisy encryption of the entry in the $a$th row ($a \in [n]$) and $b$th column ($b \in [(m + 1)\ell]$) of a matrix $Y \in \{0, 1\}^{n\times(m+1)\ell}$ in the IBFHE scheme for the secret key $s \in \mathbb{Z}_q^{m+1}$ under an identity $id$. Given a vector $v \in \mathbb{Z}_q^n$, set, for $a \in [n]$, $b \in [(m + 1)\ell]$,

$$Z_{a,b}[x, y] \triangleq \begin{cases} v[a] & x = 1 \text{ and } y = b \\ 0 & \text{otherwise} \end{cases}$$

i.e., $Z_{a,b} \triangleq v[a] \cdot E_{1,b} \in \mathbb{Z}_q^{(m+1)\times(m+1)\ell}$, where $E_{x,y}$ is an $(m + 1) \times (m + 1)\ell$ matrix that has 1 in the $x$th row and $y$th column, and 0's in all other entries. Output

$$X \triangleq \sum_{a,b} V^{(a,b)} \cdot M^{-1}(Z_{a,b}) \in \mathbb{Z}_q^{(m+1)\times(m+1)\ell}.$$

We have the following lemma.

Lemma 9: The preceding algorithm LinearComb($(V^{(1,1)}, \cdots, V^{(n,(m+1)\ell)}), v$), which outputs a matrix $X \in \mathbb{Z}_q^{(m+1)\times(m+1)\ell}$,


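satisfies

$$X^T s = Y^T v + 2e$$

with the noise $\|e\|_2 \le m(m + 1)^2\beta$.

Proof 4: The correctness of this lemma follows because:

$$\begin{aligned} X^T s &= \Big(\sum_{a,b} V^{(a,b)} \cdot M^{-1}(Z_{a,b})\Big)^T s \\ &= \Big(\sum_{a,b} \big(Y[a, b] \cdot M + P^T Y^{(a,b)} + 2E^{(a,b)}\big) M^{-1}(Z_{a,b})\Big)^T s \\ &= \sum_{a,b} \big(Y[a, b] \cdot M^{-1}(Z_{a,b})^T M^T s + 2M^{-1}(Z_{a,b})^T (E^{(a,b)})^T s\big) \\ &= \sum_{a,b} \big(Y[a, b] \cdot (Z_{a,b})^T s + 2M^{-1}(Z_{a,b})^T (E^{(a,b)})^T s\big) \\ &= \sum_{a,b} \big(Y[a, b]\, v[a]\, E_{1,b}^T \cdot s + 2M^{-1}(Z_{a,b})^T (E^{(a,b)})^T s\big) \\ &= [Y^T v \,\|\, 0_{(m+1)\ell\times m}] \cdot [1, t] + \sum_{a,b} \big(2M^{-1}(Z_{a,b})^T (E^{(a,b)})^T s\big) \\ &= Y^T v + \sum_{a,b} \big(2M^{-1}(Z_{a,b})^T (E^{(a,b)})^T s\big) \\ &\triangleq Y^T v + 2e, \end{aligned}$$

where $E^{(a,b)}$ is the noise contained in $V^{(a,b)}$ that has the magnitude $\|(E^{(a,b)})^T s\|_2 \le \beta$. Then $\|M^{-1}(Z_{a,b})^T \cdot (E^{(a,b)})^T s\|_2 \le (m + 1)\beta$. Finally, we get the bound of the error term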

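$$\|e\|_2 \le n(m + 1)\ell(m + 1)\beta < m(m + 1)^2\beta.$$

□

Masking Scheme. Adopting the public parameters in the previous section, the masking scheme consists of three parts.

• KeyMask($params, mpk, id_i, (sk_j)_{j\in[N]\setminus\{i\}}$): On input $params$, $mpk = [u \| A]$, an identity $id_i$, secret keys $sk_j \in \mathbb{Z}_q^{m+1}$ for an identity $id_j$, $j \in [N]\setminus\{i\}$, compute, for $j \in [N]\setminus\{i\}$,

$$v_{i,j} \triangleq -u + A_{id_i} t_j \in \mathbb{Z}_q^n.$$

Output a tuple of vectors

$$\mathrm{KeyMask}_i \triangleq (v_{i,1}, \cdots, v_{i,N}) \in (\mathbb{Z}_q^n)^N.$$

• GenEnc($params, pk_{id_i}, id_i, \mu_i$): On input $params$, $pk_{id_i}$, an identity $id_i$, a message $\mu_i$, compute the encryption

$$C_i \leftarrow \text{IBFHE.Enc}(params, pk_{id_i}, id_i, \mu_i) \in \mathbb{Z}_q^{(m+1)\times(m+1)\ell}.$$

Decompose a matrix that has every entry in $\mathbb{Z}_q$ to matrices in binary representation $Y_i \triangleq \sum_{k=0}^{\lfloor \log q \rfloor} 2^k \cdot Y_i^{(k)}$, where the matrix $Y_i \in \mathbb{Z}_q^{n\times(m+1)\ell}$ is the encryption randomness and $Y_i^{(k)} \in \{0, 1\}^{n\times(m+1)\ell}$.

For $x \in [n]$, $y \in [(m + 1)\ell]$, $k + 1 \in [\lfloor \log q \rfloor + 1]$ compute the encryption

$$V_{i,k}^{(x,y)} \leftarrow \text{IBFHE.Enc}(params, pk_{id_i}, id_i, Y_i^{(k)}[x, y]).$$

Set

$$U_i \triangleq \big(V_{i,0}^{(1,1)}, \cdots, V_{i,0}^{(n,(m+1)\ell)}, V_{i,1}^{(1,1)}, \cdots, V_{i,\lfloor \log q \rfloor}^{(n,(m+1)\ell)}\big).$$

Output a tuple of encryptions $\mathrm{CIPHER}_i \triangleq (C_i, U_i)$.

• CipherMask($params, id_i, \mathrm{KeyMask}_i$): On input $params$, an identity $id_i$, and $\mathrm{KeyMask}_i$, compute, for $j \in [N]\setminus\{i\}$, $k + 1 \in [\lfloor \log q \rfloor + 1]$,

$$X_{i,j}^{(k)} \leftarrow \text{LinearComb}\big((V_{i,k}^{(1,1)}, \cdots, V_{i,k}^{(n,(m+1)\ell)}), 2^k \cdot v_{i,j}\big).$$

Output

$$X_i \triangleq \Big(\sum_{k=0}^{\lfloor \log q \rfloor} X_{i,1}^{(k)}, \cdots, \sum_{k=0}^{\lfloor \log q \rfloor} X_{i,N}^{(k)}\Big) \in \big(\mathbb{Z}_q^{(m+1)\times(m+1)\ell}\big)^{N-1}.$$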

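Correctness and Security. The previous masking scheme is "correct", i.e., for any $j \in [N]\setminus\{i\}$,

$$\Big(\sum_{k=0}^{\lfloor \log q \rfloor} X_{i,j}^{(k)}\Big)^T s_i + C_i^T s_j = \mu_i M^T s_j + 2e_{i,j} \tag{2}$$

with the noise $\|e_{i,j}\|_2 \le (m + 1)^3\ell\beta$, assuming the ciphertext $C_i$ is $\beta$-noisy.

The correctness of the masking scheme follows because:

$$\begin{aligned} \Big(\sum_{k=0}^{\lfloor \log q \rfloor} X_{i,j}^{(k)}\Big)^T s_i + C_i^T s_j &= \sum_{k=0}^{\lfloor \log q \rfloor} \big((Y_i^{(k)})^T \cdot 2^k \cdot v_{i,j} + 2e_{i,j}^{(k)}\big) + C_i^T s_j \\ &= \sum_{k=0}^{\lfloor \log q \rfloor} (2^k \cdot Y_i^{(k)})^T \cdot v_{i,j} + \sum_{k=0}^{\lfloor \log q \rfloor} (2e_{i,j}^{(k)}) + C_i^T s_j \\ &= Y_i^T(-u + A_{id_i} t_j) + 2\sum_{k=0}^{\lfloor \log q \rfloor} e_{i,j}^{(k)} + (\mu_i M^T + Y_i^T P_i + 2E_i^T)s_j \\ &= \mu_i M^T s_j + 2\sum_{k=0}^{\lfloor \log q \rfloor} e_{i,j}^{(k)} + 2E_i^T s_j + Y_i^T(-u + A_{id_i} t_j + P_i s_j) \\ &= \mu_i M^T s_j + 2\Big(\sum_{k=0}^{\lfloor \log q \rfloor} e_{i,j}^{(k)} + E_i^T s_j\Big). \end{aligned}$$

By the property of the linear combination (lemma 9), the error term satisfies

$$\Big\|\sum_{k=0}^{\lfloor \log q \rfloor} e_{i,j}^{(k)} + E_i^T s_j\Big\|_2 \le (m + 1)^3\ell\beta.$$

By means of a hybrid argument, the semantic security of our IBFHE construction implies that:

$$(params, id_i, \text{GenEnc}(params, id_i, 0)) \stackrel{\text{comp}}{\approx} (params, id_i, \text{GenEnc}(params, id_i, 1)).$$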


The matrix-vector leftover hash lemma [45] implies that:

$$(params, id_i, \text{KeyMask}(params, id_i, (sk_j)_{j\in[N]\setminus\{i\}})) \stackrel{\text{stat}}{\approx} (params, id_i, \text{KeyMask}(params, id_i, (1, x_j)_{j\in[N]\setminus\{i\}})),$$

where $x_j \leftarrow D^m_{\mathbb{Z},\omega(\sqrt{\log n})}$ for $j \in [N]\setminus\{i\}$.

Remark: If we modify the encryption randomness $Y_i \leftarrow \mathbb{Z}_q^{n\times(m+1)\ell}$ into a binary one $Y_i \leftarrow \{0, 1\}^{n\times(m+1)\ell}$, we will get a simpler version of the masking scheme. However, this method compromises the size of parameters. Specifically, that would base the security of our constructions on the hardness of LWE with binary secrets, which restricts the secret to a binary vector at the cost of increasing the dimension by a factor of $\log q$ [46].

B. OUR MIFHE SCHEME

Just like the IBFHE scheme, we start by describing some public parameters that will be used throughout this section.

- Let $N$ be the maximum number of identities the scheme can support, $L$ be the maximum multiplication depth of circuits allowed to be evaluated homomorphically, and $q$ be a sufficiently large prime $q = q(n, L, N)$. Set $\ell, m_0, m_1, m, G, D, H, M$ as specified in section IV. Note that $G$ is defined in subsection III-A, while $M$ is defined in subsection IV-A.

- We define another gadget matrix $\hat{M} = I_{(m+1)N} \otimes g^T \in \mathbb{Z}_q^{(m+1)N\times(m+1)\ell N}$ for $g^T = (1, 2, \ldots, 2^{\ell-1})$. Given any matrix $A \in \mathbb{Z}_q^{(m+1)N\times(m+1)\ell N}$, by lemma 5, there exists an efficient randomized algorithm that samples a subgaussian matrix $X$ with some constant parameter $O(1)$ over $\mathbb{Z}^{(m+1)\ell N\times(m+1)\ell N}$ such that $X = \hat{M}^{-1}(A)$.

Finally, a formal description of our MIFHE construction is given below.

• MIFHE.Setup($1^n, 1^L, 1^N$): Run the IBFHE.Setup algorithm to generate $A = [A_0 \| A_1] = [A_0 \| -A_0 R] \in \mathbb{Z}_q^{n\times m}$, $mpk = [u \| A]$ and $msk = R$. Output $params = (n, L, N, q, \ell, m_0, m_1, m, G, M, \hat{M})$, $mpk$, $msk$.

• MIFHE.Extract($params, mpk, msk, \{id_i \mid i \in [N]\}$): Recall that, as specified in the IBFHE scheme, $A_{id} = [A_0 \| A_1 + H(id) \cdot G]$ (note that $R$ is an MP12-trapdoor of $A_{id}$ with tag $H(id)$), and the vector $t \in \mathbb{Z}^m$ with small entries satisfying $A_{id} \cdot t = u$ is sampled by running the algorithm SampleD($R, A_0, H(id), u, \|R\|_2$). For $i \in [N]$, $j \in [N]\setminus\{i\}$, run

$$(pk_i = P_i = [u \| A_{id_i}],\ sk_i = s_i = (1, -t_i)) \leftarrow \text{IBFHE.Extract};$$

$$\mathrm{KeyMask}_i \leftarrow \text{KeyMask}(params, mpk, id_i, (sk_j)_{j\in[N]\setminus\{i\}}).$$

Output $(pk_i, sk_i, \mathrm{KeyMask}_i)_{i\in[N]}$.

• MIFHE.Enc($params, pk_{id_i}, id_i, \mu_i \in \{0, 1\}$): To encrypt a bit $\mu_i \in \{0, 1\}$, compute

$$\mathrm{CIPHER}_i \leftarrow \text{GenEnc}(params, pk_{id_i}, id_i, \mu_i).$$

Output $\mathrm{CIPHER}_i$.

• MIFHE.Expand($params, id_i, \mathrm{CIPHER}_i, \mathrm{KeyMask}_i$): To encrypt a bit $\mu \in \{0, 1\}$, compute

$$X_i \leftarrow \text{CipherMask}(params, id_i, \mathrm{KeyMask}_i).$$

Expand the fresh ciphertext to an expanded one. For $x, y \in [N]$, set

$$C_i^{(x,y)} \triangleq \begin{cases} C_i & x = y \\ \sum_{k=0}^{\lfloor \log q \rfloor} X_{i,j}^{(k)} & x = i \ne j \text{ and } y = j \\ 0_{(m+1)\times(m+1)\ell} & \text{otherwise} \end{cases}$$

We regard these matrices as sub-matrices and concatenate them into a big one

$$\hat{C}_i \triangleq [C_i^{(x,y)}]_{x,y\in[N]} \in \mathbb{Z}_q^{(m+1)N\times(m+1)\ell N}.$$

Output $\hat{C}_i$.

• MIFHE.Dec($params, \hat{C}, (sk_i)_{i\in[N]}$): This algorithm is basically identical to IBFHE.Dec. Given an expanded ciphertext $\hat{C}$, set the combined key $\hat{s} \triangleq [s_1, \cdots, s_N]$, and let $c$ be the first column of $\hat{C}$. Output $\mu' \triangleq \langle c, \hat{s} \rangle \bmod q \bmod 2$.

• MIFHE.NAND($params, \hat{C}_1, \hat{C}_2$): This algorithm is basically identical to IBFHE.NAND. Given two expanded ciphertext matrices $\hat{C}_1, \hat{C}_2$ for two plaintexts $\mu_1, \mu_2$, compute

$$\hat{C}_{\mathrm{NAND}} \leftarrow \text{IBFHE.NAND}$$

with the expanded dimension $(m + 1)N \times (m + 1)\ell N$ and $\hat{M}$, $\hat{M}^{-1}(\cdot)$. Output $\hat{C}_{\mathrm{NAND}}$. Observe that $\hat{M}^{-1}(\cdot)$ is randomized, and so is this algorithm.

• MIFHE.Eval($params, f, \hat{C}_1, \hat{C}_2, \ldots, \hat{C}_t$): A NAND-circuit $f : \{0, 1\}^t \to \{0, 1\}$ is applied to a set of ciphertexts $\hat{C}_1, \hat{C}_2, \ldots, \hat{C}_t$, which leads to a ciphertext $\hat{C}_f$.

Correctness. Correctness of our MIFHE construction follows because:

$$\begin{aligned} \hat{C}_i^T \hat{s} &= \Big[\Big(\sum_{k=0}^{\lfloor \log q \rfloor} X_{i,1}^{(k)}\Big)^T s_i + C_i^T s_1, \cdots, C_i^T s_i, \cdots, \Big(\sum_{k=0}^{\lfloor \log q \rfloor} X_{i,N}^{(k)}\Big)^T s_i + C_i^T s_N\Big] \\ &= [\mu_i M^T s_1 + 2e_{i,1}, \cdots, \mu_i M^T s_i + 2e_{i,i}, \cdots, \mu_i M^T s_N + 2e_{i,N}] \\ &= \mu_i \hat{M}^T \hat{s} + 2[e_{i,1}, \cdots, e_{i,i}, \cdots, e_{i,N}] \\ &\triangleq \mu_i \hat{M}^T \hat{s} + 2e_i. \end{aligned}$$

So, letting $c_i$ be the first column of $\hat{C}_i$, we obtain $\langle c_i, \hat{s} \rangle = \mu_i + 2 \cdot e_i[1]$. The first entry of $\hat{s}$ is 1, and the first entry of the first column of $\hat{M}$ is 1. Thus, the preceding equation for $\langle c, \hat{s} \rangle$ holds by the definition of matrix-vector multiplication. The decryption works correctly if the parameters satisfy

$$e_i[1] \le (m + 1)^3\ell\beta \le \frac{q}{4},$$

where $\beta$ is the noise of the ciphertext $C$.


Security. The security follows directly from the security of our IBFHE scheme in the preceding section according to the semantic security of the masking scheme, because the expansion algorithm is public and does not impact security.

Homomorphic Property. The homomorphic property of the MIFHE scheme follows directly from that of the IBFHE scheme in the preceding section because MIFHE.NAND is basically identical to IBFHE.NAND except with the expanded dimension $(m + 1)N \times (m + 1)\ell N$ and $\hat{M}$, $\hat{M}^{-1}$. Theorem 2 implies that our MIFHE scheme is an $L$-leveled MIFHE scheme. An $L$-level homomorphic NAND circuit increases the noise of the ciphertexts by a factor of $O(\sqrt{(m + 1)\ell N})^L$.

Then, we have a corresponding theorem.

Theorem 3: Given a depth-$L$ NAND-circuit $f$, if its inputs are fresh ciphertexts and

$$q/4 \ge O(\sqrt{(m + 1)\ell N})^L \cdot O(m^{4.5}) \cdot \omega(\sqrt{\log n})^3,$$

then it holds that the decryption algorithm of our MIFHE construction works correctly with an overwhelming probability.

Proof 5: For any two fresh ciphertexts $\hat{C}_1, \hat{C}_2$, we have

$$\begin{aligned} \hat{C}_{\mathrm{NAND}}^T \cdot \hat{s} &= (\hat{M} - \hat{C}_1 \cdot \hat{M}^{-1}(\hat{C}_2))^T \cdot \hat{s} \\ &= \hat{M}^T \hat{s} - \hat{M}^{-1}(\hat{C}_2)^T \cdot (\mu_1 \hat{M}^T \cdot \hat{s} + 2e_1) \\ &= (1 - \mu_1\mu_2)\hat{M}^T \hat{s} - 2\big(\hat{M}^{-1}(\hat{C}_2)^T \cdot e_1 + \mu_1 e_2\big) \\ &\triangleq (1 - \mu_1\mu_2)\hat{M}^T \hat{s} - 2e^*, \end{aligned}$$

where $(\hat{M}^{-1}(\hat{C}_2))^T$ is a subgaussian random matrix with parameter $O(1)$.

By lemma 3, we have

$$\|(\hat{M}^{-1}(\hat{C}_2))^T\|_2 \le O(1) \cdot \sqrt{(m + 1)\ell N}.$$

The correctness part implies that

$$\|e_{(i)}\|_\infty \le (m + 1)^3\ell\, m_0^{1.5} \cdot \omega(\sqrt{\log n})^3 \le O(m^{4.5}) \cdot \omega(\sqrt{\log n})^3 \quad (i = 1, 2).$$

Therefore, we get

$$\begin{aligned} \|e^*\|_\infty &\le \big(O(1) \cdot \sqrt{(m + 1)\ell N} + 1\big)\, O(m^{4.5}) \cdot \omega(\sqrt{\log n})^3 \\ &= O(\sqrt{m\ell N})\, O(m^{4.5}) \cdot \omega(\sqrt{\log n})^3. \end{aligned}$$

Hence, the decryption correctness follows, which completes the proof.

□

We compare the parameters of the proposed MIFHE scheme with the CM-MIFHE scheme [15] in Table 2, from which we can see that our scheme has a smaller noise growth rate when performing homomorphic evaluation. Although these two schemes seem to have the same sizes of the private key and the ciphertext, our construction has a smaller $q$, which, in effect, leads to smaller sizes of the private key and the ciphertext.

TABLE 2. Parameters comparison with the CM-MIFHE scheme [15].

VI. CONCLUSION AND OPEN PROBLEM

Utilizing the powerful MP-12 trapdoor, a refined IBE scheme was proposed based on the ABB-IBE [1] in this paper. Further, IBFHE and MIFHE schemes with short parameters, without compromising security, were constructed using Alperin-Sheriff and Peikert's tight and simple noise analysis method as well as Mukherjee and Wichs's masking scheme technique. One drawback is that the proposed IBFHE scheme and MIFHE scheme are only leveled homomorphic schemes, like the GSW-IBFHE scheme. As far as we know, it remains open to build non-leveled ones without using the indistinguishable obfuscator.

REFERENCES

[1] S. Agrawal, D. Boneh, and X. Boyen, "Efficient lattice (H)IBE in the standard model," in Advances in Cryptology – EUROCRYPT (Lecture Notes in Computer Science), vol. 6110. 2010, pp. 553–572. doi: 10.1007/978-3-642-13190-5_28.

[2] S. Agrawal, D. Boneh, and X. Boyen, "Lattice basis delegation in fixed dimension and shorter-ciphertext hierarchical IBE," in Advances in Cryptology – CRYPTO (Lecture Notes in Computer Science), vol. 6223. 2010, pp. 98–115. doi: 10.1007/978-3-642-14623-7_6.

[3] J. Alwen and C. Peikert, "Generating shorter bases for hard random lattices," Theory Comput. Syst., vol. 48, pp. 535–553, Apr. 2011. doi: 10.1007/s00224-010-9278-3.

[4] J. Alperin-Sheriff and C. Peikert, "Faster bootstrapping with polynomial error," in Advances in Cryptology – CRYPTO (Lecture Notes in Computer Science), vol. 8618. 2014, pp. 297–314. doi: 10.1007/978-3-662-44371-2_17.

[5] D. Boneh and M. Franklin, "Identity-based encryption from the Weil pairing," in Advances in Cryptology – CRYPTO (Lecture Notes in Computer Science), vol. 2139. 2001, pp. 213–229. doi: 10.1007/3-540-44647-8_13.

[6] D. Boneh and X. Boyen, "Secure identity based encryption without random oracles," in Advances in Cryptology – CRYPTO (Lecture Notes in Computer Science), vol. 3152. 2004, pp. 443–459. doi: 10.1007/978-3-540-28628-8_27.

[7] Z. Brakerski, C. Gentry, and V. Vaikuntanathan, "Fully homomorphic encryption without bootstrapping," in Proc. ITCS, 2012, pp. 309–325. doi: 10.1145/2633600.

[8] Z. Brakerski, A. Langlois, C. Peikert, O. Regev, and D. Stehlé, "Classical hardness of learning with errors," in Proc. STOC, 2013, pp. 575–584. doi: 10.1145/2488608.2488680.

[9] A. Banerjee and C. Peikert, "New and improved key-homomorphic pseudorandom functions," in Advances in Cryptology – CRYPTO (Lecture Notes in Computer Science), vol. 8616. 2014, pp. 335–352. doi: 10.1007/978-3-662-44371-2_20.

[10] Z. Brakerski, "Fully homomorphic encryption without modulus switching from classical GapSVP," in Advances in Cryptology – CRYPTO (Lecture Notes in Computer Science), vol. 7417. 2012, pp. 868–886. doi: 10.1007/978-3-642-32009-5_50.

[11] Z. Brakerski and V. Vaikuntanathan, "Efficient fully homomorphic encryption from (Standard) LWE," in Proc. FOCS, 2011, pp. 97–106. doi: 10.1109/FOCS.2011.12.

[12] Z. Brakerski and V. Vaikuntanathan, "Lattice-based FHE as secure as PKE," in Proc. ITCS, 2014, pp. 1–12. [Online]. Available: http://eprint.iacr.org/2013/541

[13] D. Cash, D. Hofheinz, E. Kiltz, and C. Peikert, "Bonsai trees, or how to delegate a lattice basis," in Advances in Cryptology – EUROCRYPT (Lecture Notes in Computer Science), vol. 6110. 2010, pp. 523–552. doi: 10.1007/978-3-642-13190-5_27.


[14] J. H. Cheon, J.-S. Coron, J. Kim, M. S. Lee, T. Lepoint, M. Tibouchi, and A. Yun, "Batch fully homomorphic encryption over the integers," in Advances in Cryptology – EUROCRYPT (Lecture Notes in Computer Science), vol. 7881. 2013, pp. 315–335. doi: 10.1007/978-3-642-38348-9_20.

[15] M. Clear and C. McGoldrick, "Multi-identity and multi-key leveled FHE from learning with errors," in Advances in Cryptology – CRYPTO (Lecture Notes in Computer Science), vol. 9216. 2015, pp. 630–656. doi: 10.1007/978-3-662-48000-7_31.

[16] M. Clear and C. McGoldrick, "Bootstrappable identity-based fully homomorphic encryption," in Cryptology and Network Security – CANS (Lecture Notes in Computer Science), vol. 8813. 2014, pp. 1–19. doi: 10.1007/978-3-319-12280-9_1.

[17] J.-S. Coron, A. Mandal, D. Naccache, and M. Tibouchi, "Fully homomorphic encryption over the integers with shorter public keys," in Advances in Cryptology – CRYPTO (Lecture Notes in Computer Science), vol. 6841. 2011, pp. 487–504. doi: 10.1007/978-3-642-22792-9_28.

[18] J.-S. Coron, D. Naccache, and M. Tibouchi, "Public key compression and modulus switching for fully homomorphic encryption over the integers," in Advances in Cryptology – EUROCRYPT (Lecture Notes in Computer Science), vol. 7237. 2012, pp. 446–464. doi: 10.1007/978-3-642-29011-4_27.

[19] J.-S. Coron, T. Lepoint, and M. Tibouchi, "Scale-invariant fully homomorphic encryption over the integers," in Public-Key Cryptography – PKC, vol. 8383. 2014, pp. 311–328. doi: 10.1007/978-3-642-54631-0_18.

[20] C. Cocks, "An identity based encryption scheme based on quadratic residues," in Proc. IMA Int. Conf. Cryptogr. Coding, 2001, pp. 360–363. doi: 10.1007/3-540-45325-3_32.

[21] J. H. Cheon and D. Stehlé, "Fully homomophic encryption over the integers revisited," in Advances in Cryptology – EUROCRYPT, vol. 9056. 2015, pp. 513–536. doi: 10.1007/978-3-662-46800-5_20.

[22] L. Ducas and D. Micciancio, "FHEW: Bootstrapping homomorphic encryption in less than a second," in Advances in Cryptology – EUROCRYPT, vol. 9056. 2015, pp. 617–640. doi: 10.1007/978-3-662-46800-5_24.

[23] C. Gentry, "Fully homomorphic encryption using ideal lattices," in Proc. STOC, 2009, pp. 169–178. doi: 10.1145/1536414.1536440.

[24] C. Gentry, C. Peikert, and V. Vaikuntanathan, "Trapdoors for hard lattices and new cryptographic constructions," in Proc. STOC, 2008, pp. 197–206. doi: 10.1145/1374376.1374407.

[25] C. Gentry, A. Sahai, and B. Waters, "Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based," in Advances in Cryptology – CRYPTO (Lecture Notes in Computer Science), vol. 8042. 2013, pp. 75–92. doi: 10.1007/978-3-642-40041-4_5.

[26] R. Hiromasa, M. Abe, and T. Okamoto, "Packing messages and optimizing bootstrapping in GSW-FHE," in Public-Key Cryptography – PKC (Lecture Notes in Computer Science), vol. 9020. 2015, pp. 699–715. doi: 10.1007/978-3-662-46447-2_31.

[27] S. Halevi and V. Shoup, "Algorithms in HElib," in Advances in Cryptology – CRYPTO (Lecture Notes in Computer Science), vol. 8616. 2014, pp. 554–571. doi: 10.1007/978-3-662-44371-2_31.

[28] S. Halevi and V. Shoup, "Bootstrapping for HElib," in Advances in Cryptology – EUROCRYPT (Lecture Notes in Computer Science), vol. 9056. 2015, pp. 641–670. doi: 10.1007/978-3-662-46800-5_25.

[29] D. Micciancio and C. Peikert, "Trapdoors for lattices: Simpler, tighter, faster, smaller," in Advances in Cryptology – EUROCRYPT (Lecture Notes in Computer Science), vol. 7237. 2012, pp. 700–718. doi: 10.1007/978-3-642-29011-4_41.

[30] K. Nuida and K. Kurosawa, "(Batch) fully homomorphic encryption over integers for non-binary message spaces," in Advances in Cryptology – EUROCRYPT (Lecture Notes in Computer Science), vol. 9056. 2015, pp. 537–555. doi: 10.1007/978-3-662-46800-5_21.

[31] C. Peikert, "Public-key cryptosystems from the worst-case shortest vector problem: Extended abstract," in Proc. STOC, 2009, pp. 333–342. doi: 10.1145/1536414.1536461.

[32] C. Peikert. Lattice-Based Cryptography: Constructing Trapdoors and more Applications. Tutorials from crypt@b-it 2013 summer school at Bonn University. [Online]. Available: http://www.cc.gatech.edu/~cpeikert/pubs/slides-abit4.pdf

[33] O. Regev, "On lattices, learning with errors, random linear codes, and cryptography," in Proc. STOC, 2005, pp. 84–93. doi: 10.1145/1060590.1060603.

[34] A. Shamir, "Identity-based cryptosystems and signature schemes," in Advances in Cryptology – CRYPTO (Lecture Notes in Computer Science), vol. 196. 1984, pp. 47–53. doi: 10.1007/3-540-39568-7_5.

[35] M. van Dijk, C. Gentry, S. Halevi, and V. Vaikuntanathan, "Fully homomorphic encryption over the integers," in Advances in Cryptology – EUROCRYPT (Lecture Notes in Computer Science), vol. 6110. 2010, pp. 24–43. doi: 10.1007/978-3-642-13190-5_2.

[36] R. Vershynin, Compressed Sensing: Theory and Applications. Cambridge, U.K.: Cambridge Univ. Press, 2012, pp. 210–268. [Online]. Available: http://www-personal.umich.edu/~romanv/papers/non-asymptotic-rmt-plain.pdf

[37] B. Waters, "Dual system encryption: Realizing fully secure IBE and HIBE under simple assumptions," in Advances in Cryptology – CRYPTO (Lecture Notes in Computer Science), vol. 5677. 2009, pp. 619–636. doi: 10.1007/978-3-642-03356-8_36.

[38] P. Mukherjee and D. Wichs, "Two round multiparty computation via multi-key FHE," in Advances in Cryptology – EUROCRYPT (Lecture Notes in Computer Science), vol. 9665. 2016, pp. 735–763. doi: 10.1007/978-3-662-49896-5_26.

[39] Z. Brakerski and R. Perlman, "Lattice-based fully dynamic multi-key FHE with short ciphertexts," in Advances in Cryptology – CRYPTO (Lecture Notes in Computer Science), vol. 9814. 2016, pp. 190–213. doi: 10.1007/978-3-662-53018-4_8.

[40] R. Canetti, S. Raghuraman, S. Richelson, and V. Vaikuntanathan, "Chosen-ciphertext secure fully homomorphic encryption," in Public-Key Cryptography – PKC (Lecture Notes in Computer Science), vol. 10175. 2017, pp. 213–240. doi: 10.1007/978-3-662-54388-7_8.

[41] L. Chen, Z. Zhang, and X. Wang, "Batched multi-hop multi-key FHE from ring-LWE with compact ciphertext extension," in Theory of Cryptography – TCC (Lecture Notes in Computer Science), vol. 10678. 2017, pp. 597–627. doi: 10.1007/978-3-319-70503-3_20.

[42] A. López-Alt, E. Tromer, and V. Vaikuntanathan, "On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption," in Proc. STOC, 2012, pp. 1219–1234. doi: 10.1145/2213977.2214086.

[43] C. Peikert and S. Shiehian, "Multi-key FHE from LWE, revisited," in Theory of Cryptography – TCC (Lecture Notes in Computer Science), vol. 9986. 2016, pp. 217–238. doi: 10.1007/978-3-662-53644-5_9.

[44] J. Hoffstein, J. Pipher, and J. H. Silverman, "NTRU: A ring-based public key cryptosystem," in Algorithmic Number Theory – ANTS (Lecture Notes in Computer Science), vol. 1423. 1998, pp. 267–288. doi: 10.1007/BFb0054868.

[45] J. Håstad, R. Impagliazzo, L. A. Levin, and M. Luby, "A pseudorandom generator from any one-way function," SIAM J. Comput., vol. 28, no. 4, pp. 1364–1396, 1999. doi: 10.1137/s0097539793244708.

[46] D. Micciancio, "On the hardness of learning with errors with binary secrets," Theory of Computing, vol. 14, Nov. 2018, Art. no. 13. [Online]. Available: http://eprint.iacr.org/2018/988

[47] H. Chen, I. Chillotti, and Y. Song. Multi-Key Homomophic Encryption From TFHE. [Online]. Available: http://eprint.iacr.org/2019/116

[48] I. Chillotti, N. Gama, M. Georgieva, and M. Izabachène. TFHE: Fast Fully Homomorphic Encryption Library. [Online]. Available: https://tfhe.github.io/tfhe/

[49] Z. Li, C. Ma, and D. Wang, "Leakage resilient leveled FHE on multiple bit message," IEEE Trans. Big Data, to be published. doi: 10.1109/TBDATA.2017.2726554.

[50] Z. Li, C. Ma, and D. Wang, "Towards multi-hop homomorphic identity-based proxy re-encryption via branching program," IEEE Access, vol. 5, pp. 16214–16228, 2017. doi: 10.1109/ACCESS.2017.2740720.

[51] Z. Li, C. Ma, and D. Wang, "Achieving multi-hop PRE via branching program," IEEE Trans. Cloud Comput., to be published. doi: 10.1109/TCC.2017.2764082.

[52] L. Jiang, C. Xu, X. Wang, K.-F. Chen, and B. Wang, "Application of (fully) homomorphic encryption for encrypted computing models," J. Cryptol. Res., vol. 4, no. 6, pp. 596–610, 2017. doi: 10.13868/j.cnki.jcr.000210.

[53] F. Wang, K. Wang, and B. Li, "An efficient leveled identity-based FHE," in Network and System Security – NSS (Lecture Notes in Computer Science), vol. 9408. 2015, pp. 303–315. doi: 10.1007/978-3-319-25645-0_20.

[54] S. Gorbunov, V. Vaikuntanathan, and D. Wichs, "Leveled fully homomorphic signatures from standard lattices," in Proc. STOC, 2015, pp. 469–477. doi: 10.1145/2746539.2746576.

[55] H. Chen, W. Dai, M. Kim, and Y. Song. Efficient Multi-Key Homomorphic Encryption With Packed Ciphertexts With Application to Oblivious Neural Network Inference. [Online]. Available: https://eprint.iacr.org/2019/524


TONGCHEN SHEN received the B.S. degree in mathematics and applied mathematics from Hangzhou Normal University, Hangzhou, Zhejiang, China, in 2017. He is currently pursuing the M.S. degree with the Department of Mathematics, Hangzhou Normal University. His research interests include fully homomorphic cryptography and identity-based cryptography.

FUQUN WANG received the B.S. degree in information and computing science and the M.S. degree in pure mathematics from Zhengzhou University, Zhengzhou, Henan, China, in 2003 and 2006, respectively, and the Ph.D. degree in information security from the Institute of Information Engineering of Chinese Academy of Sciences, Beijing, China, in 2016. He is currently a Lecturer with the Department of Mathematics, Hangzhou Normal University. His research interests include fully homomorphic cryptography and lattices-based cryptography.

KEFEI CHEN received the B.S. and M.S. degrees in applied mathematics from Xidian University, Xi'an, in 1982 and 1985, respectively, and the Ph.D. degree from Justus-Liebig University, Giessen, Germany, in 1994. From 1996 to 2012, he was a Professor with the Department of Computer Science and Engineering, Shanghai Jiao Tong University. He is currently a Professor with the Department of Mathematics, Hangzhou Normal University. His current research interests include cryptography, theory, and technology of network security.

KUNPENG WANG (M'87) received the B.S. degree from the Department of Mathematics, Hebei Normal University, Shijiazhuang, Hebei, China, in 1994, and the M.S. and Ph.D. degrees in pure mathematics from Tsinghua University, Beijing, China, in 1997 and 2000, respectively. He is currently a Professor with the Institute of Information Engineering, Chinese Academy of Sciences. His current research interests include cryptography, theory, and technology of network security.

BAO LI received the B.S. and M.S. degrees in pure mathematics from Lanzhou University, Lanzhou, Gansu, China, in 1982 and 1989, respectively, and the Ph.D. degree in cryptography from Xidian University, Xi'an, Shanxi, China, in 1998. He is currently a Professor with the Institute of Information Engineering, Chinese Academy of Sciences. His current research interests include elliptic curve cryptography, design, and analysis of security protocol.
