seIMC: A GSW-Based Secure and Efficient Integer Matrix Computation Scheme With Implementation

As atomic operations, secure matrix-based computations using homomorphic encryption (HE) have attracted much attention in cloud-based machine learning. However, most existing secure matrix computation solutions that focus on HE schemes suffer efficiency loss as the size of the matrix, which greatly limits their applications in the big data environment. To address these issues, this paper proposes seIMC, an integer matrix computation scheme based on the Gentry-Sahai-Waters (GSW) scheme, to cope with privacy protection and secure computation of large-scale data. In detail, we translate the GSW scheme to encrypt an integer matrix modulo $q$ (i.e., a large positive integer), and homomorphically compute matrix addition and multiplication, which is a natural extension of HAO scheme. Besides, the correctness and security analysis of seIMC are shown, and complexity analysis is also given in this study. Furthermore, the proposed schemes are implemented, including public-key encryption and private-key encryption schemes. Compared with existing secure matrix computation schemes, the proposed scheme performs better in execution time. Finally, seIMC is applied to solve the problem of the number of ways in which any two participants make friends through $k$ steps in an encrypted social network. Experiments show that when the cloud server processes an integer matrix of 1000 people with a security level of 90, namely, 1 million data volumes, it only takes approximately 1.9 minutes for each homomorphic matrix multiplication. Hence, the practicality of the proposed seIMC in privacy protection under a big data environment is highly proven.


I. INTRODUCTION
Fueled by the massive influx of data, extensive computational resources and advanced machine learning algorithms, artificial intelligence (AI) applications such as automatic driving, face recognition and smart homes have quickly entered The associate editor coordinating the review of this manuscript and approving it for publication was Sedat Akleylek .
people's lives [1]- [3]. Dependent on the powerful computation and storage abilities of cloud computing, a growing number of AI applications have migrated to the cloud to train their model with large-scale datasets by renting cloud-based machine learning services. In addition, increasing amounts of data and individual privacy information are collected and processed continuously in untrusted cloud servers [4]. Therefore, it poses a natural and important question on the VOLUME 8, 2020 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ cloud-based machine learning that whether we can store and train such private data and model to the cloud environment in a secure manner, e.g., this issue is extremely relevant in social networks due to privacy concerns about individual sensitive information. This is also the case in the field of biomedicine concerning patients' private data. In this context, homomorphic encryption (HE) is one of the most promising approaches for addressing this challenge and receives much attention in both academic and industry [5]- [7]. Compared to secure multiparty computation and differential privacy technologies, homomorphic encryption has obvious advantages in supporting noninteractive operations and saving on communication costs, allowing us to evaluate functions over encrypted messages directly to obtain the same results as evaluating the corresponding plaintext [8], [9]. Based on these properties, AI applications integrated with HE technologies can effectively defend against attacks on data and models in untrusted third-party environments (e.g., cloud environments).
Regarding HE, Rivest et al. [10] first proposed the concept of privacy homomorphism in 1978 and adopted the homomorphism of encryption functions to protect data privacy. Since then, cryptology researchers have carried out extensive studies on homomorphic encryption [11]. For example, Elgamal [12] proposed a homomorphic encryption scheme that supports the multiplication operation. Paillier [13] designed a public-key homomorphic encryption system based on composite degree residuality classes, which can implement the addition operation on the encrypted data. These above solutions are called partially homomorphic encryption schemes (PHEs), which only support particular operations (e.g., addition or multiplication) on encrypted data with a limited number of times.
Until 2009, Gentry proposed the first plausible and achievable fully homomorphic encryption scheme (FHE) [14], which is based on the idea of mathematical lattices. However, it is a conceptually and practically unrealistic scheme. To control the noise growth, FHE requires the refreshing of ciphertexts frequently via bootstrapping technology, which incurs a heavy extra computational cost. After that, some bounded (leveled) FHE schemes (LHE) were proposed to make FHE more practical. For example, Brakerski and Vaikuntanathan proposed an efficient fully homomorphic encryption from the standard learning with error (LWE) problem [15]. In 2014, Brakerski, Gentry and Vaikuntanathan proposed the BGV [16] that utilizes the efficiency feature of the ring-learning with error (RLWE) problem to build HE schemes. With the introduction of new techniques (e.g., bit decomposition, module switching, key switching), HELIB [17] is the implementation of the BGV scheme, which uses the high-performance mathematical function library NTL. These BGV-based solutions are deemed secondgeneration HE schemes. However, these second-generation HE solutions also bring extra computation costs due to unnatural key switching. To address this issue, Gentry, Sahai and Waters proposed GSW [18] that encrypts the plaintexts using the approximate eigenvalues of the ciphertext matrix with the eigenvector as the secret key. GSW can largely reduce the unnecessary key switching brought by BGV-based solutions since the ciphertext computation of GSW is based on the matrix computation directly, which does not need to obtain the user's evaluation key. GSW-based solutions are called the third-generation of HE schemes. Note that as the weaker version of FHE, LHE can only support depth-bounded homomorphic operations (i.e., addition and multiplication) without bootstrapping, but it is applicable in various scenarios with reasonable performances. Hence, we focus on building our solution on the LHE scheme [8]. Furthermore, in this paper, we focus on constructing a secure and efficient integer matrix computation solution from the third-generation of HE schemes (i.e., GSW-based).
Currently, matrix-based computations are the core and atomic operations for major AI applications. 1). The collected data are often organized in the form of a matrix, which can be found in many domains, e.g., social network services dealing with friend relationships [19], the protein interaction network in bioinformatics [20], business intelligence from user-item rating data in recommendation systems [21], [34]. 2). Various tasks are executed via matrix-based computations, such as massive data-based statistical analysis, the training process of deep learning models, and the prediction task of learned neural network models. 3). In the cloud environment, the data are rarely organized in a bit matrix or an integer vector, in most cases they are organized in a rational number matrix. At the same time, in the allowable precision range, the fraction can be converted into an integer for approximate computation. Therefore, secure integer matrix computation becomes an important issue in the cloud. As a result, it is of great practical significance to establish an efficient and feasible integer matrix homomorphic encryption scheme for cloud-based machine learning.
Following this line, some secure matrix computation schemes based on HE have been proposed. For example, Wu and Haven et al. proposed a safety inner product method on packed ciphertexts using the single-instruction-multi-data (SIMD) approach [22]. It encrypts the rows or columns of the matrix as vectors and computes the result using homomorphism multiplication as the inner product of the two encrypted vectors. Duong et al. [23] packed the target matrix into a single ciphertext in polynomial form and then performed a homomorphic multiplication on the packed ciphertext over RLWE. Based on this method, Mishra et al. [24] built an enhanced version of the secure matrix multiplication proposed by Duong, but there are useless terms in the ciphertexts. As a result, these useless terms in the plaintext polynomials are eliminated by encrypting and recoding the plaintext information; thus it is only suitable for a one-depth homomorphic multiplication scenario, since it leads to a large expansion rate of ciphertexts.To address it, Jiang et al. [25] presented a novel matrix encoding method that can encrypt more than one matrix in a single ciphertext and adapted an efficient evaluation strategy for generic matrix operations via linear 98384 VOLUME 8, 2020 transformations. However, this method suffers efficiency loss when dealing with large-scale data. Taking advantage of the GSW scheme in which homomorphic addition and multiplication are just natural matrix addition and multiplication, Hiromasa et al. [27] first conducted a GSW-FHE scheme for matrix homomorphism computations (i.e., HAO) and optimized the bootstrapping technique proposed by [26]. However, all these improvements target binary plaintext, which greatly restricts its application in the real world.
To address the above issues, this paper proposes seIMC, a novel GSW-based integer matrix computation scheme. Different from the original GSW scheme that encrypts a bit or an integer into a ciphertext matrix, the seIMC directly encrypts a whole plaintext matrix into a ciphertext matrix to reduce the homomorphic computing time. The proposed scheme extends the plaintext space of the HAO scheme, which can encrypt not only the bit matrix but also the integer matrix modulo q, where q is a large positive integer. In addition, it supports the homomorphic computation of matrix addition and multiplication. The main contributions of this paper are as follows: • We propose a secure and efficient GSW-based integer matrix computation scheme for public-key encryption and private-key encryption, where the matrix element is an integer with modulo q. In detail, it includes the encryption algorithm, decryption algorithm, and generic homomorphic operations such as addition and multiplication.
• We give the security proofs and correctness analysis of the proposed scheme. Computational complexity analysis of the encryption, decryption and homomorphic algorithms are also given.
• We conduct extensive experiments to evaluate the efficiency of the proposed seIMC scheme in terms of encryption, decryption and homomorphic operations. Most importantly, we apply seIMC to solve the graph theory problem in social networks. The rest of this paper is organized as follows. Section II gives the preliminaries. Section III describes the proposed seIMC scheme in detail, and theoretical analyses are also given. Section IV empirically evaluates seIMC. Section V shows the application to social networks. Finally, Section VI discusses and concludes this paper.

II. PRELIMINARIES A. NOTATIONS
We use the symbol Q to denote the set of rational numbers, and R is the set of real numbers, while N and Z are the sets of natural numbers and integers, respectively. Let D be some group, and P be some probability distribution, then we use a U ←− D to denote that a is chosen from D uniformly at random, and use b R ←− P to denote that b is chosen along with P.
Assume that vectors are in column form and are written using bold lower-case letters, e.g., x, where x i represents the ith element of a vector x. We denote the ∞ norm (i.e., the maximum norm) of the vector x by x ∞ . The inner product between two vectors is defined as <x, y >= x T y. Similarly, we use bold capital letters to denote matrices, e.g., X. For a matrix X ∈ Z m×n , X ∞ := max i∈[n] { x i ∞ } denotes the ∞ of X, where x i denotes the ith column vector of X. Meanwhile, X T ∈ Z n×m denotes the transpose of X. For matrices X ∈ Z m×n 1 , Y ∈ Z m×n 2 , [X|Y ] ∈ Z m×(n 1 +n 2 ) represents the column concatenation of X with Y , while the row concatenation of X ∈ Z m 1 ×n with Y ∈ Z m 2 ×n is Y X ∈ Z (m 1 +m 2 )×n .

B. THE LEARNING WITH ERRORS (LWE)
LWE is considered as one of the hardest problems to solve in regular time, even when using advanced quantum computing technology. It was first introduced by Regev [29]. The definition of the decisional version LWE is: Definition 1 (DLWE): Given a security parameter λ, let n := n(λ) be an integer dimension, q := q(λ) ≥ 2 be an integer modulus, and χ := χ(λ) be an error distribution over Z. Then, the DLWE n,q,χ is the problem to distinguish the following two distributions: The DLWE n,q,χ assumption is that the DLWE n,q,χ is infeasible.
Regev reduced the hardness of worst-case lattice problems such as GapSVP γ and SIVP γ to the DLWE n,q,χ problem. In detail, GapSVP γ has the problem of distinguishing between the case in which the lattice has a vector shorter than r ∈ Q and the case in which all the lattice vectors are greater than γ · r. The hardness of SIVP γ is defined to find the set of short linearly independent vectors in a lattice. The reductions are described in Corollary 1.
Corollary 1 [29]- [31]: Let q = q(n) ∈ N be a power of primes q := p r or a product of distinct prime numbers q := i q i such that q i :=poly(n) for all i, let α ≥ √ n q. If there is an efficient algorithm that solves the (average-case) DLWE n,q,χ problem, then: • There is an efficient quantum algorithm that solves GapSVPÕ (n/α) and SIVPÕ (n/α) in the worst-case for any n-dimensional lattices.
• If an addition q ≥Õ 2 n/2 , there exists an efficient classical algorithm to solve GapSVPÕ (n/α) in the worst-case for any n-dimensional lattices.

C. HOMOMORPHIC ENCRYPTION, CIRCULAR SECURITY
An HE scheme consists of four algorithms, HE = (Keygen, Enc, Dec, Eval), and is illustrated as follows: • KeyGen(1 λ ): it returns a secret key sk, a public key pk and a public evaluation key evk. VOLUME 8, 2020 • Enc pk (m): it encrypts a plaintext m ∈ M into a ciphertext c ∈ C by using public key pk.
• Dec sk (c): it recovers the original plaintext m from the ciphertext c via the secret key sk.
• Eval evk (f , c 1 , . . . , c k ): using the evaluation key evk, the ciphertext c ∈ C can be computed by using the function f : M k → M to c 1 , . . . , c k . To prove the security of an HE scheme, we introduce a special kind of circular security as follows.
Definition 2 (Circular Security): Denote κ as the keyspace defined by the security parameter λ, and M and C are the plaintext and ciphertext space, respectively. f is a function from M to C. For all probabilistic polynomial-time adversaries A, the homomorphic encryption scheme HE = (Keygen, Enc, Dec, Eval) is circular security with respect to f when the advantage of A can be negligible in the following games: and selects a bit b ← {0, 1}; • Define the function f + as M × M → M, and f + (x, y):= x + y ∈ M; then, the challenger computes a ciphertext c * as follows and sends c * to A.

D. GSW SCHEME
The original GSW scheme was proposed by Gentry, Sahai, Waters [19]. It adopts the approximate eigenvector method based on the plaintext space M to construct the ciphertext space C. We first introduce the Gadget matrix G and the randomized function G −1 .
Lemma 1 [32]: Let matrix C ∈ Z n×m q , there is a fixed and primitive matrix G ∈ Z n×n q and a deterministic, randomized , and I n be the n × n identity matrix, we define the Gadget matrix as where ⊗ is the tensor multiplication operation. The definition of sub-gaussian distribution can be found in [26].
For example, let = 3, n = 2, q = 8, G=I 2 ⊗ (2 0 , 2 1 , Next, we introduce the GSW scheme variant from [26], which is identical to the original GSW scheme except for the introduction of the Gadget matrix G and the randomized function G −1 , as well as some syntactic differences. The encryption algorithm can be further divided into the publickey encryption algorithm [33] and the private-key encryption algorithm [26]. The private-key encryption scheme can be described as follows: • Setup(λ, L): Given the security parameter λ and the circuit multiplication depth L, let n := n(λ) be an integer dimension, q := q(λ) ≥ 2 be an integer modulus, and χ := χ(λ) be a sub-gaussian error distribution over Z.
• KeyGen(params): Sampless • Dec(params, s, C): For q = 2 , select the last columns of C as C ( ) . Then, where e i is the ith element of e . The correctness of the GSW scheme can be guaranteed by Lemma 2.
Lemma 2 [18], [33]: For security key s, plaintext µ ∈ Z q , and the ciphertext C ∈ Z n×n q , let the noise term be e T such that s T C−µs T G = e T mod q. If e T ∞ < q/8, then Dec(params, s, C) can decrypt µcorrectly.
Since a fresh ciphertext is just µG plus a matrix of n independent LWE samples under secrets, the IND-CPA security of the above scheme follows from the assumed hardness of the DLWE n−1,q,χ , where C is pseudorandom by assumption and hence hides µG.
Note that the process of the public-key encryption scheme is similar to that of the private-key scheme, and the security of the public-key scheme follows directly from Lemma 1 in [18].

III. PROPOSED seIMC SCHEME
In this section, we first propose a secure and efficient matrix computation scheme via homomorphic encryption, and then present the security proofs and complexity analysis of the proposed scheme. Finally, the correctness proof and efficiency analysis of the proposed scheme are also given.
As the third-generation of HE schemes, GSW realizes the encryption of plaintext as bits and integers modulo q. Hence, it is natural to pack plaintexts as vectors or matrices for encryption. In [27], it was demonstrated that a simple extension of plaintext space from bits to binary vectors cannot yield plaintext-slot-wise homomorphic operations (e.g., addition and multiplication). However, homomorphic plaintextslot-wise operations can be supported by constructing matrices to store binary vectors in their diagonal entries. Based on this storage they constructed a matrix-based homomorphic encryption scheme HAO, which supports homomorphic binary matrix addition and multiplication. To extend the plaintext space of the HAO scheme to meet the requirements of large-scale AI applications in the real world, we construct the homomorphic integer matrix encryption scheme that encrypts integer modulo q, where q is a large positive integer.
The proposed seIMC public-key scheme is described in Fig. 1. It gives an example of a secure cloud computing organization. There are two sides: the data owner and the cloud server. By calling the functions seIMC.Setup() and seIMC.KeyGen(), the data owner first generates a key pair (i.e., the secret-key sk and the public key pk) with a specified cryptographic security parameter λ and the multiplication depth of circuit L. Then, the data owner uses the pk to encrypt plaintext data M with size of (r + 1) × (r + 1) by calling seIMC. PubEnc(), where only the data owner knows the sk. After that, the data owner sends the encrypted data to the cloud server, where the data are always kept in encrypted form C. In addition, the data owner also sends the function f() to the cloud server if he needs some data that satisfy certain conditions. Taking advantage of the GSW-based scheme with the approximate eigenvector method, the data owner does not need to create and send the evaluation key (evk) to the cloud server to support homomorphic operations. The cloud server receives the encrypted data C without sk and function f() from the data owner, and produces the necessary computations f(C) by calling seIMC. Eval add () or seIMC. Eval mult Then, result C is sent to the data owner as a response. When the data owner receives the result C , he can decrypt the C that satisfies the function f() by calling seIMC. Decrypt() withDecOneNum() and using the sk.

A. CONSTRUCTION OF THE seIMC SCHEME
In seIMC, for an integer modulus q, we let Z q = Z/qZ denote the quotient ring of integers modulo q. s is the column vector of the secret key matrix S and e is the column vector of the noise matrix E. A and R are uniformly random matrices. B and P denote the public key matrices. Let M ∈ Z r×r q be the plaintext matrix with size r × r in Z q .  params=(n, q, χ , m).

2) KEY GENERATION ALGORITHM: KEYGEN()
We sample matrixS R ←− χ r×n , and denote I r as the r × r identity matrix, then the secret key matrix sk is computed by: For the public key matrix pk, we sample a uniformly random matrix A U ←− Z n×m q and a random noise matrix E R ←− χ r×m ; then, the public key matrix can be computed by: Finally, the output of KeyGen(params) is sk:=S, pk:=
• PubEnc pk (M): Sample a random matrix R U ←− {0, 1} m×N ; then, the ciphertext C can be computed by: where M [i, j] denotes the element of M in the ith row and jth column.

4) DECRYPTION ALGORITHMS: DECRYPT()
Note that for the public-key and private-key encryption algorithms, the decryption algorithms are the same. Let C be the input of Dec(), then the output is the plaintext M. In detail, the decryption processing can be described as follows: Step 1: compute the matrix H as according to (6) or (7). , homomorphic addition (i.e., Eval Add (C 1 , C 2 )) is defined as: For homomorphic multiplication (i.e., Eval Mult (C 1 , C 2 )), G −1 ( C 2 ) ∈ {0, 1} N ×N is computed first, and then outputs: The correctness of seIMC in the form of a public-key scheme and private-key scheme can be guaranteed by Lemma 3 and Lemma 4, respectively. Proof: According to (5) and (7), we know that SB = where E R + According to Lemma 2, we know that if E ∞ < q/8, then the private-key scheme can be decrypted correctly. For homomorphic multiplication, let S ∈ Z r×N q be the private key matrix, R ∈ Z m×N q and E ∈ Z m×N q , we have: In Lemma 3, we know that if N (1 + ρ 1 ) · E 1 ∞ + (1 + ρ 2 ) M 1 E 2 ∞ < q/8, the homomorphic multiplication can be decrypted correctly. From the above analysis, the size of noise is related not only to the size of matrices E 1 , and M 1 E 2 but also to ρ 1 and ρ 2 .
In the case of the private-key encryption scheme, we have: Similarly, it can decrypt the plaintext M 1 M 2 correctly when the absolute value of any element in E 1 G −1 (C 2 )+ M 1 E 2 is less than q/8. Hence, the size of the noise is dependent on E 1 , M 1 E 2 and C 2 .
For the homomorphic addition of the private-key encryption scheme, if E (1) + E (2) ∞ < q 8 , we can decrypt the plaintext M (1) + M (2) correctly due to S(C 1 + C 2 ) = E 1 + E 2 + (M 1 + M 2 ) SG. Furthermore, the noise of ciphertext increases linearly with the number of ciphertexts. The same analysis also works on the public-key encryption scheme.

2) SECURITY ANALYSIS
We prove that the encryption scheme defined above is IND-CPA secure under the LWE hardness assumption.
Theorem 1: For any adversary A, there exists an adversary B such that Adv CPA (A) ≤ 2 · Adv LWE (B).
Proof: Game0(G 0 ): IND-CPA security experiment. According to the proposed scheme, challenger C first initializes the encryption scheme and then generates a public key pk:={(P (i,j) , B) 1 ≤ i, j ≤ r} and a private key sk:=S. The adversary Aobtains the public key of the scheme and selects two challenge plaintexts m 0 and m 1 from the plaintext space, then sends them to challenger C. Challenger C selects b ∈ {0, 1} at random and encrypts m b using the public key. After that, the ciphertext is sent to the adversary A. The adversary guesses the plaintext corresponding to the ciphertext and outputs b . If b = b, the adversary attacks successfully, and the advantage of adversary A is recorded as: Adv CPA  . It is possible to verify that there exists an adversary B with the same running time as that of because distinguishing B and B' for adversary B is as hard as solving LWE problem. Meanwhile, the other public key value P (i,j) used in Game0 is also substituted by a uniform random value P (i,j) According to the game of Definition 2 in Section II.C, it is possible to verify that there exists an adversary B with the same running time as that of A such that |Pr Game2(G 2 ): In Game2, the value in the generation of the challenge ciphertext C : is substituted with uniform random elements in the matrix C In summary, Adv CPA (A) ≤ 2 · Adv LWE (B).

3) COMPLEXITY ANALYSIS
In this section, we analyze the computational complexity of the seIMC, including encryption, decryption and homomorphic computation.
For the private-key encryption algorithm (i.e., seIMC. SecEnc()), the computational complexity of (6) is O(r × n × N ) + O((n + r) 2 × N ). For the decryption algorithm (i.e., seIMC. Dec()), let S ∈ Z r×(n+r) q and C ∈ Z (n+r)×N q , the computational complexity of H=SC is O(r 2 (n+r) ), since it only uses the first r columns of C, instead of all the columns of C. Then, we recover the plaintext M by calling the function DecOneNum() iteratively, and the computational complexity of this step is O(r 2 ). In summary, the total computational complexity of seIMC. For the homomorphic operations of seIMC, we set the ciphertext C ∈ Z (n+r)×N q and N = (n+r) , the computational complexity of seIMC. Add() is O((n + r) 2 ). The seIMC. Mul() has two operations: calculation of the matrix G −1 and matrix multiplication. The computational complexity of the former is O((n+r) 2 ), while that of the latter is O((n+r) 3 2 ). Therefore, the total computation complexity of seIMC. Mul()

A. EXPERIMENTAL SETTING
We conduct our implementations on the cloud server hosted at the Chongqing Institute of Green and Intelligent Technology, Chinese Academy of Sciences. It is equipped with one Intel Xeon(R) E5-2680 2.4 GHz processor with 8 cores and 256 GB RAM. The operation system is Ubuntu 16.04. and the proposed seIMC scheme is written in Python 2.7. Furthermore, all the experiments are performed in sequence.
To obtain a fair result, all the experiments are run 20 times independently, and the average value is taken as the final result.
For the LWE issue, we set a fixed parameter q = 2 30 , the noise follows the sub-gaussian distribution with the variance var = q/8m, where m = (n + r)logq, and = logq = 30.

B. VERIFICATION OF COMPLEXITY ANALYSIS
We first validate the complexity analysis of the proposed seIMC scheme with varying LEW parameter n. Fig. 2 shows the run time of each algorithm in the seIMC private-key scheme with varying LWE parameter n and fixed r = 8.
From Fig. 2, we can see that the time increase ratio of each algorithm in the seIMC private-key scheme is proportional to the dimension of LEW (i.e., n) with fixed r. In detail, the slope of the encryption algorithm is approximately 2.55 < 3, which is consistent with the computational complexity of the encryption algorithm in the theoretical analysis (i.e., O((n + r) 3 )). Similarly, the growth ratio of the decryption algorithm conforms to the theoretical analysis results as well, since the slope of the decryption algorithm curve is 0.09 and the computational complexity of the decryption algorithm is O(r 2 (n+r) ). For the homomorphic addition and multiplication of seIMC, the growth ratios of each algorithm are 1.77 and 2.62, respectively, which are also satisfied by the computational result in the theoretical analysis (i.e., O((n + r) 2 ) and O((n + r) 3 2 )). Hence, the correctness of the computational complexity is verified, both from the perspective of the experiment and theory. Furthermore, Fig. 2 concludes that the homomorphic multiplication algorithm in seIMC is a time-consuming operation as it includes the computation of G −1 and matrix multiplication operations. Next, the encryption algorithm is nearly proportional to O(n 3 ) with fixed r and . Then, the homomorphic addition algorithm is proportional to O(n 1.77 ) The run time of the decryption algorithm is the shortest in the seIMC scheme and is proportional to O(n 0.09 ).

C. IMPLEMENTATION EFFICIENCY COMPARISON
The implementation efficiency of seIMC is tested and compared with the state-of-art security matrix computation schemes (e.g., original GSW scheme [18], HAO scheme [27] and Jiang's scheme [25]). Due to the lack of a ready-made code base of GSW, we implement the GSW scheme proposed in [18] by using Python program. In detail, matrix encryption and decryption are performed by iteratively encrypting/ decrypting the elements of the matrix, while the homomorphic operation is realized by transforming each element of the ciphertext matrix into a vector; then, it is calculated sequentially. The implementation efficiency of seIMC, HAO and GSW with different n and r values are shown in Table 1. Please note that the matrix operations are executed by using the Numpy library, which is a fundamental package for scientific computing in Python. Table 1 shows that the proposed seIMC scheme outperforms the original GSW scheme and HAO scheme in both encryption and decryption. For example, when n = 128 and r = 40, the encryption time and decryption time of the original GSW scheme are 41382.4s and 369.7s, respectively, while those of the seIMC private-key scheme are only 0.96s and 0.0017s, respectively. Even for the seIMC publickey scheme, it takes only 7.62s and 0.16s on encryption and decryption, respectively. For HAO, it spends 6.897s to finish the encryption task and 0.588s to complete decryption. Hence, it demonstrates that the implementation efficiency of the seIMC scheme is significantly higher than that of the original GSW scheme and HAO scheme. Furthermore, the seIMC private-key scheme performs better than the publickey scheme in terms of run time.
To compare the efficiency of the homomorphic operations, we conduct a set of experiments with fixed n = 32 and varied r. The time taken for the homomorphic operations for seIMC, HAO, and GSW are shown in Table 2 and Table 3. Table 2 and Table 3 show that the time cost of the GSW scheme increases significantly as the data size increases. Taking homomorphic addition as an example, the encryption time of GSW is only 3.42s for the 2 × 2 matrix, whereas the encryption time of the 4 × 4 matrix is 13.48s. For the 8 × 8 matrix, the encryption time increases to 54.52s. When the size of the matrix increases to 128 × 128, it takes 13682.9s to perform the homomorphic addition operation. The same scenario also occurred for the homomorphic multiplication operation. For HAO, it takes 39.31s and 93.27s to execute homomorphic addition and multiplication operations, respectively, when the matrix size is 128 × 128, while it only costs approximately 0.8s and 0.82s for seIMC. Therefore, the proposed seIMC also outperforms the original GSW and HAO in terms of homomorphic operations. The reasons for this outperformance are as follows: 1) The original GSW suffers from the ciphertext space expansion issue, which encrypts each element (i.e., bit or integer) of the matrix into a ciphertext matrix. 2) The HAO scheme is only suitable for the bit matrix. It first needs to transform the integer matrix into a binary matrix, which leads to a low efficiency due to a large expansion rate of ciphertext and a sharp increase in the amount of homomorphic computation. Compared to the original GSW and HAO, the seIMC directly encrypts the whole plaintext matrix into a ciphertext matrix in the form of an integer. Therefore, the seIMC private-key scheme is more suitable for large-scale data processing under privacy protection in realistic scenarios.
Finally, we test the performance of seIMC compared with Jiang's scheme [25], it is a newly HE-based secure matrix computation scheme that includes a novel matrix encoding method and an efficient evaluation strategy for basic matrix  operations (e.g., matrix addition and multiplication). It has been demonstrated that the implementation of efficient homomorphic matrix multiplication in [25] outperforms other existing schemes, such as [22][23]. We set the security level of seIMC and Jiang to 80 in this experiment. The cyclotomic ring dimension of seIMC is chosen as n = 450 to achieve at least an 80-bit security level against the known attacks of the LWE problem, based on the estimator of Albrecht et al. [33]. The parameter settings of Jiang's scheme are the same as in [25]. The results are shown in Table 4. Clearly, the running times of Jiang's scheme are faster than those of the seIMC in terms of encryption and homomorphic addition operations. However, the performance of seIMC is better than Jiang's scheme in the following aspects: In the case of homomorphic multiplication, the execution efficiency of seIMC is higher than that of Jiang's scheme when dealing with matrices of size r greater than 32. Furthermore, Jiang's scheme fails to cope with the large-scale matrix (e.g., r = 128 or 256 in Table 4). 2). The same phenomena also occurred in the decryption algorithm. It means that the implementation efficiency of jiang's scheme is seriously declining with the matrix size increases, while seIMC still enjoys a high efficiency even if the matrix size expands. Therefore, it demonstrates that seIMC is more suitable for real applications with large-scale datasets.

V. APPLICATION TO SOCIAL NETWORK
In this section, we consider an untrusted cloud computing scenario to test seIMC on encrypted large-scale social network information. We propose a secure privacy data analysis solution in which data owners provide private social information to a public cloud and the cloud server offers a large-scale data analysis service to data owners who upload their encrypted data. In this instance, the cloud server should learn nothing about the private information of the data owners. As the world's largest online social network, Facebook allows users to follow streams of posts generated by hundreds of their friends and acquaintances. Clearly, the user's friend circles belong in their privacy information.
In this experiment, the social network dataset is obtained from SNAP 1 (Stanford Network Analysis Project). It collects Facebook data and consists of 4,039 nodes and 88234 edges. Each node represents an individual, and the edge denotes the friend relation between two individuals. Note that the Facebook data have been anonymized by replacing the Facebookinternal ids for each user with a new value. Furthermore, we format the undirect graph of Facebook as the adjacency matrix A. For  Step 1: The client encrypts the adjacency matrix A to E(A) by his private key using seIMC. SecEnc(A), and then the encrypted data E(A) is uploaded to public clouds via the internet; Step 2: The cloud server receives the encrypted data E(A) and calculates the left multiplication of E(A) with K continuously by using seIMC. Eval mult (E(A)). Then, it returns the encrypted result E k (A) to the client; Step 3: The client receives the encrypted result E k (A) and uses the private key to decrypt it with seIMC. Dec(E k (A)). Finally, the client obtains A k , and each element of A k represents the number of ways to recognize other users in the social network through k-times communication.
The implementation environment of seIMC is the same as section V. In detail, we set q = 2 30 and n = 512; the noise is a gaussian distribution with variance q/8m (i.e., var= q/8m), m = (n + r)logq, and = logq = 30. Besides, we also adopt the Numpy library to accelerate the computation speed of matrix operations. We take the first 1000 users in the dataset (i.e., r = 1000) and call the seIMC private-key encryption scheme. The estimated security parameter of the above setting is 90, based on the estimator of Albrecht et al. [33]. The time costs of encryption, decryption and homomorphic multiplication on client and cloud servers are shown in Table 5.
Instead of using the bootstrapping technology to flash the ciphertext and compress the noise expansion, we set a 1 http://snap.stanford.edu/data/ smaller noise, according to the number of multiplication layers, to ensure correct decryption. Table 5 shows that seIMC takes 78.25s and 34.95s to finish encryption and decryption, respectively. The left multiplication of encrypted social matrix E(A) (i.e., the total number of matrix A is 1,000,000) spends an average of 115.94 s on each homomorphic multiplication.
The cloud server with the seIMC scheme can support not only the power operation, but also the homomorphic addition and subtraction operations for the statistical analysis. In addition, it is easy to modify the system to parallel execution to improve the operation efficiency. Therefore, it is feasible to apply the proposed integer matrix computation to protect and process sensitive matrix data in theory and practice.

VI. CONCLUSION
To address the secure and efficient data analysis under privacy protection, this paper proposes a GSW-based integer matrix computation scheme seIMC, which can guarantee the security of data processing and has a high computational efficiency. It includes the public-key and private-key encryption schemes. Furthermore, we also present the correctness and security proof of the proposed seIMC. Then, we evaluate the performance of the proposed seIMC in terms of efficiency, compared to the state-of-art schemes (i.e, GSW,HAO and Jiang's scheme). Finally, to solve the problem of the number of ways in which any two participants made friends throught k steps in an encrypted social network, we apply the seIMC private-key encryption scheme to the collected Facebook dataset with 1000 users. When the security level is 90, the serial encryption and decryption algorithm took approximately 1.3 minutes and 0.6 minutes, respectively; and homomorphic multiplication took approximately 1.9 minutes. Experiments showed that the proposed privatekey encryption scheme can be effectively applied to privacy protection and secure data processing of integer matrix modulo q.
In future work, we plan to further expand the plaintext space and homomorphic operations for a wide range of applications in realistic scenarios.
YANAN BAI was born in 1984. She is currently pursuing the Ph.D. degree with the University of Chinese Academy of Sciences, and studies in the Chongqing Institute of Green and Intelligent Technology, Chinese Academy of Sciences, Chongqing, China. Her research interests include homomorphic encryption and applications, big data privacy protection, and cryptography theory. His research interests include recommender systems, cloud computing, artificial intelligence, and big data applications.
WENYUAN WU was born in 1972. He is currently a Ph.D. Professor with the Chongqing Institute of Green and Intelligent Technology, Chinese Academy of Sciences, Chongqing, China. His main research interests include cryptography theory, symbolic computation, zero error computation, and automated reasoning. VOLUME 8, 2020 JINGWEI CHEN was born in 1984. He is currently a Ph.D. Associate Professor with the Chongqing Institute of Green and Intelligent Technology, Chinese Academy of Sciences, Chongqing, China. His main research interests include symbol numerical mixing algorithm, lattice reduction algorithm, and lattice-based cryptography research.
YONG FENG was born in 1965. He is currently a Ph.D. Supervisor and a Professor with the Chongqing Institute of Green and Intelligent Technology, Chinese Academy of Sciences, Chongqing, China. He is also the Vice President of the Chongqing Society of electronics and the Chief Scientist of automatic reasoning and its application in high and new technology. His research interests include zero error computation in automatic reasoning, information security, and adaptive optical simulation.