Fully Dynamic Multi-Key FHE Without Gaussian Noise

Fully dynamic multi-key fully homomorphic encryption (FHE) allows an unlimited number of homomorphic operations for unconstrained parties. That is to say, it supports performing as many computational procedures as needed on inputs that are encrypted by an unrestricted number of parties. The existing fully dynamic multi-key FHE scheme is based on the learning with errors (LWE) problem. However, the LWE problem suffers from intricate and laborious Gaussian sampling, which severely weakens the schemes' efficiency. What's more, it has lately been revealed that Gaussian sampling creates many possible side-channel vulnerabilities that result in the disclosure of secret keys. This paper proposes a fully dynamic multi-key FHE scheme based on the learning with rounding (LWR) problem, which leaves out the time-consuming Gaussian sampling required in the LWE problem while sustaining almost the same security level.


I. INTRODUCTION
Fully homomorphic encryption (FHE), introduced by Rivest et al. [1] in 1978, is a fascinating cryptographic primitive that allows an unbounded number of computations to be performed on encrypted data while it remains encrypted. With this attractive attribute, FHE has many theoretical and practical applications. However, it took over 30 years for the first scheme to appear, in Gentry's breakthrough work [2], [3]; since then the field has developed rapidly. Multi-key FHE (MKFHE) is an extension of FHE proposed by López-Alt et al. [4]. MKFHE permits computation on ciphertexts encrypted by distinct and independent parties. Constructing an on-the-fly multiparty computation (MPC) protocol is one of its most fascinating applications. In MKFHE, a trusted third party takes ciphertexts encrypted by different parties and performs computations on them. The result can then be decrypted via all of the keys involved in the computation procedure. Note that all keys need to be used for decryption due to security concerns. López-Alt et al. [4] constructed an MKFHE scheme based on the NTRU scheme, but the scheme is controversial because its security is based on a non-standard assumption on polynomial rings. Subsequently, Clear and McGoldrick [5] constructed a scheme based on the learning with errors (LWE) problem, whose security is supported by a worst-case hardness problem, using a variant of the GSW-style FHE scheme [6]. Later, Mukherjee and Wichs [7] proposed a simpler but more efficient MKFHE scheme and built a two-round MPC protocol upon it.
The associate editor coordinating the review of this manuscript and approving it for publication was Noor Zaman.
Peikert and Shiehian introduced the notions of single-hop and multi-hop MKFHE in [8]. In single-hop MKFHE, no new party is allowed to participate beyond the parties determined ahead of the homomorphic computation step, while multi-hop MKFHE allows new participants to join dynamically during the homomorphic evaluation procedure. Fully dynamic MKFHE, proposed by Brakerski and Perlman in [9], is similar to multi-hop MKFHE; the difference is that fully dynamic MKFHE does not limit the number of users. We observe that both [5] and [7] are single-hop MKFHE schemes, while [4] is a multi-hop MKFHE scheme. In [9], Brakerski and Perlman proposed a fully dynamic MKFHE scheme whose ciphertexts grow only linearly with the number of parties involved in the encryption.
The above-mentioned FHE and related schemes (e.g., [5]-[9]) are mostly based on the LWE problem, which suffers from an intricate and laborious Gaussian noise sampling procedure. What's more, it has lately been revealed in [10], [11] that Gaussian sampling creates many possible side-channel exposures that cause the disclosure of secret keys. Though there are methods to prevent side-channel attacks, they are complicated and time-consuming.
This raises the question of whether there is a method that gets rid of the Gaussian noise sampling process in constructing an FHE scheme without losing the security of the scheme (or while keeping almost the same level). The answer lies in the Learning with Rounding (LWR) problem.

A. RELATED WORK
The LWR problem, a variant of the LWE problem, was introduced by Banerjee, Peikert, and Rosen in [12]; it can be considered a deterministic version of the LWE problem. Costache and Smart [13] constructed an FHE scheme without Gaussian noise based on the LWR problem; however, according to [14], their scheme has a "tangly modulus" problem. In [14], Luo and Wang constructed a GSW-like FHE scheme based on the LWR problem. That is to say, their scheme eliminates the Gaussian noise sampling process needed in previous FHE schemes. While they claim to have proposed a multi-key FHE scheme without Gaussian noise, they in fact construct only a two-key FHE scheme. What's more, there are some obvious errors in their two-key FHE scheme. As to the hardness of the LWR problem, Alwen et al. [15] gave a reduction that allows for a polynomial modulus q. However, only some moduli q satisfy its result. Bogdanov et al. [16] eliminated the restriction on q but still require fewer than O(q/Bp) samples, which results in weaker security. Alperin-Sheriff and Apon [17] showed a dimension-preserving reduction from LWE to LWR which improves the security and efficiency of parameters. Liu and Wang [18] established the hardness reduction through a comprehensive study of Ring-LWR. In their work, they first present an algebraic framework of LWR based on [19], then generalize a result in the plain LWR by a search Ring-LWR to decision Ring-LWR reduction, and generalize the plain LWE to LWR reduction by a reduction from Ring-LWE to Module Ring-LWR; their central technique is a new ring leftover hash lemma.
Brakerski et al. [20] proved that bin-LWE ({0,1}-LWE), in which the key is selected uniformly at random from {0,1}, is not easier than the LWE problem. Hence, by combining Theorem 1 and the bin-LWE problem, we can choose the secret key of the LWR problem uniformly at random from $\{0,1\}^n$. Then by combining the theorem in [16] and Lemma 1, we get Theorem 2, on which our scheme is based. Theorem 2 focuses on the search bin-LWE problem, which is harder than the decision bin-LWE problem.

B. OUR CONTRIBUTIONS
This paper focuses on designing a fully dynamic LWR-based MKFHE scheme. Many LWE-based FHE schemes have been proposed using the techniques of relinearization and modulus switching, or approximate eigenvectors. Considering that the LWR problem can be used to eliminate the intricate and time-consuming Gaussian noise, we adapt it to design an LWR-based fully dynamic MKFHE scheme. The efficiency of our scheme is almost equivalent to that of [9], not counting the cost of Gaussian noise sampling, while sustaining almost the same security level. Our scheme can be seen as a substitute for [9]. The contributions of this work are as follows:
1) An LWR-based MKFHE scheme is proposed. Most MKFHE schemes are based on the LWE problem and thus suffer from the intricate and laborious Gaussian sampling, which severely reduces the schemes' efficiency. What's more, it has lately been revealed that Gaussian sampling creates many possible side-channel exposures that cause the disclosure of secret keys. The LWR problem allows us to dispense with the costly Gaussian sampling required in the LWE problem while sustaining almost the same security level.
2) The proposed MKFHE scheme is extended to a fully dynamic MKFHE scheme that allows an unlimited number of homomorphic operations for unconstrained parties. That is to say, it supports performing as many computational procedures on inputs as needed.

C. PAPER ORGANIZATION
The rest of this paper is organized as follows. In Section II, we give the preliminaries, such as the LWE problem and the LWR problem. In Section III, we describe a single-key LWR-based FHE scheme and extend it to a multi-key FHE scheme. In Section IV, the construction of the proposed Gaussian-noise-free fully dynamic multi-key FHE scheme is introduced. Section V summarizes the paper.

A. NOTATIONS
The paper uses λ to represent the security parameter and negl(λ) to represent a negligible function of λ. Vectors are represented by bold lowercase symbols and matrices by bold uppercase symbols. In general, vectors are considered as row matrices. For any x ∈ Q, $\lfloor x \rfloor$, $\lceil x \rceil$, and [x] denote x rounded down, rounded up, and rounded to the nearest integer, respectively. All vectors are treated as rows.
For an integer q, we define the set $\mathbb{Z}_q = (-q/2, q/2] \cap \mathbb{Z}$, and all logarithms on q are to base 2. We denote $\ell_q = \lceil \log q \rceil$. All arithmetic is performed over Z, or over Q when division is used, and for a positive integer n, let be the k-th matrix. We let x ← D denote that x is sampled uniformly and randomly from a distribution D and s ← S denote that s is uniform over a set S. For $x \in \mathbb{Z}_q$ we define $|x| = \arg\min_{y = x \pmod{q}} |y|$ (this function satisfies the triangle inequality properties of the standard absolute value). Further, we denote $\|v\|_\infty = \max_i |v[i]|$.
$\langle x, y \rangle_q$ denotes the multiplication of vectors x, y over $\mathbb{Z}_q$. Given positive numbers n, m and two different modulus q, p a, [×] Z m p . Indeed, when performing computations on matrices, this is the significant modification between LWE and LWR.

B. LWE PROBLEM AND LWR PROBLEM
The LWE problem was initially proposed by Regev [21] as a variation of "learning parity with noise" [22], [23]. For positive integers n and q ≥ 2, a vector $s \in \mathbb{Z}_q^n$, and a probability distribution χ over Z, define the LWE distribution $A_{s,\chi}$ as the one obtained by selecting a vector $a \leftarrow \mathbb{Z}_q^n$ uniformly at random and a noise term $e \leftarrow \chi$, and outputting $(a, [\langle a, s \rangle + e]_q) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$. The decisional LWE (DLWE) is defined as follows.
The learning with rounding (LWR) problem [12] was first proposed to improve the efficiency of pseudorandom generators (PRGs) based on the LWE problem. The LWR problem can be regarded as a deterministic version of the LWE problem. The LWR problem removes the Gaussian noise by rounding, and the magnitude of the resulting error is less than 1/2, compared to $2\sqrt{n}$ (for security [21]) in the LWE problem. We recall the scaled rounding function [12] $\lfloor \cdot \rceil_p : \mathbb{Z}_q \to \mathbb{Z}_p$, where q ≥ p ≥ 2 will be apparent from the context, as
The definition of the LWR problem, which is similar to that of the LWE problem, is given as follows.
Definition 2 (DLWR): For integers n, q > p, m and $s \leftarrow \mathbb{Z}_q^n$, let the LWR distribution $\mathrm{LWR}_{n,m,p,q}$ be obtained by selecting a vector $a \leftarrow \mathbb{Z}_q^n$ uniformly at random, then outputting $(a, \lfloor \langle a, s \rangle_q \rceil_p) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$. The decisional LWR problem is to distinguish m samples selected by the distribution $\mathrm{LWR}_{n,m,p,q}$ from m samples selected by the uniform distribution over $\mathbb{Z}_q^n \times \mathbb{Z}_q$ with non-negligible advantage. The $\mathrm{DLWR}_{n,m,p,q}$ assumption is that the $\mathrm{DLWR}_{n,m,p,q}$ problem is infeasible.
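The claim that rounding stands in for sampled noise can be made concrete. The following Python sketch is an added example, not code from the paper: it draws LWR samples, assuming the standard scaled rounding from the LWR literature (nearest integer to (p/q)·x, reduced mod p), and recovers the deterministic error that takes the place of the LWE noise term. The function names and the toy parameters q = 4096, p = 64, n = 8 are assumptions chosen for readability and are not secure.

```python
import secrets

def round_p(x, q, p):
    """Scaled rounding Z_q -> Z_p: nearest integer to (p/q)*x, taken mod p."""
    # Integer-only form of floor((p/q)*x + 1/2); no floating point involved.
    return ((2 * p * (x % q) + q) // (2 * q)) % p

def inner(a, s, q):
    """<a, s> reduced into [0, q)."""
    return sum(ai * si for ai, si in zip(a, s)) % q

def lwr_sample(s, q, p, a=None):
    """One LWR sample (a, round_p(<a, s>)). The only randomness is a itself."""
    if a is None:
        a = [secrets.randbelow(q) for _ in s]
    return a, round_p(inner(a, s, q), q, p)

def implied_noise(a, b, s, q, p):
    """Error e with q*b = p*<a, s> - e (mod p*q), centred around 0.

    Dividing by q gives the error on the Z_p scale, so |e| <= q/2 is the
    rounding error of magnitude at most 1/2 that replaces sampled LWE noise.
    """
    modulus = p * q
    e = (p * inner(a, s, q) - q * b) % modulus
    return e - modulus if e > modulus // 2 else e

def max_noise(samples, s, q, p):
    """Largest |e| over a list of (a, b) samples."""
    return max(abs(implied_noise(a, b, s, q, p)) for a, b in samples)

if __name__ == "__main__":
    q, p, n, m = 4096, 64, 8, 1000      # toy parameters (assumed, insecure)
    s = [secrets.randbelow(2) for _ in range(n)]   # binary secret, as in bin-LWE
    samples = [lwr_sample(s, q, p) for _ in range(m)]
    a0, b0 = samples[0]
    # Re-deriving b from the same a gives the same value: there is no noise
    # sampler, so no sampler timing or table lookups that could leak.
    print("deterministic:", lwr_sample(s, q, p, a0)[1] == b0)
    print("max |e| / q  :", max_noise(samples, s, q, p) / q)
```

The printed ratio never exceeds 0.5, which is the rounding-error bound the text contrasts with the LWE noise magnitude.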
Theorem 1 ([16]): For every ε > 0, n, m, q > 2pB, and algorithm D such that
The gadget matrix first proposed by [24] can be used to construct an LWE-based FHE scheme [25]. Since there are two moduli q, p in the LWR problem rather than the one in the LWE problem, we introduce a variant of the gadget matrix G which is well suited to constructing an LWR-based FHE scheme: where $g = (1, 2, \ldots, 2^{\ell_q - 1}) \in \mathbb{Z}_q^{\ell_q}$, $g_{n+1} = (1, 2, \ldots, 2^{\ell_p - 1}) \in \mathbb{Z}_p^{\ell_p}$, and $N = n\ell_q + \ell_p$.
We also define the efficiently computable deterministic "short preimage" function $G^{-1}(\cdot) : \mathbb{Z}_q^{n \times m} \times \mathbb{Z}_p^{m} \to \{0,1\}^{N \times N}$, which has the following property: for any matrix $A \in \mathbb{Z}_q^{n \times m} \times \mathbb{Z}_p^{m}$, it holds that $G \cdot G^{-1}(A) = A$. Note that $G^{-1}(\cdot)$ is an efficiently computable function rather than a matrix. For those familiar with the GSW scheme, the function $G^{-1}(\cdot)$ is equal to the BitDecomp operation, and multiplication by G is the $\mathrm{BitDecomp}^{-1}$ operation.
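The property G·G^{-1}(A) = A with two moduli can be checked directly. The following Python sketch is an added example, not the paper's code: it assumes G is block-diagonal, with one copy of g for each of the n rows taken modulo q and g_{n+1} for the final row taken modulo p, and it works on representatives in [0, q) and [0, p). The helper names are illustrative, and for an input with m columns the decomposition returns an N × m binary matrix.

```python
import secrets

def bit_len(modulus):
    """Ceiling of log2(modulus): bits needed for representatives in [0, modulus)."""
    return (modulus - 1).bit_length()

def gadget(n, q, p):
    """Assumed block-diagonal G with n+1 rows and N = n*l_q + l_p columns."""
    lq, lp = bit_len(q), bit_len(p)
    N = n * lq + lp
    G = [[0] * N for _ in range(n + 1)]
    for i in range(n):                       # rows living in Z_q carry g
        for k in range(lq):
            G[i][i * lq + k] = 1 << k
    for k in range(lp):                      # last row, in Z_p, carries g_{n+1}
        G[n][n * lq + k] = 1 << k
    return G

def g_inverse(A, n, q, p):
    """G^{-1}(A): bit-decompose each column of A into a {0,1} vector of length N."""
    lq, lp = bit_len(q), bit_len(p)
    m = len(A[0])
    X = []
    for i in range(n + 1):
        modulus, width = (q, lq) if i < n else (p, lp)
        for k in range(width):               # one output row per bit position
            X.append([((A[i][j] % modulus) >> k) & 1 for j in range(m)])
    return X

def mul_mixed(G, X, n, q, p):
    """G * X with the first n rows reduced mod q and the last row mod p."""
    out = []
    for i, row in enumerate(G):
        modulus = q if i < n else p
        out.append([sum(g * x[j] for g, x in zip(row, X)) % modulus
                    for j in range(len(X[0]))])
    return out

def random_matrix(n, m, q, p):
    """Uniform element of Z_q^{n x m} x Z_p^m, stored as n+1 rows."""
    rows = [[secrets.randbelow(q) for _ in range(m)] for _ in range(n)]
    return rows + [[secrets.randbelow(p) for _ in range(m)]]

if __name__ == "__main__":
    n, m, q, p = 3, 5, 4096, 64              # toy parameters (assumed)
    A = random_matrix(n, m, q, p)
    X = g_inverse(A, n, q, p)
    print("N =", len(X), "binary:", all(v in (0, 1) for r in X for v in r))
    print("G * G^-1(A) == A:", mul_mixed(gadget(n, q, p), X, n, q, p) == A)
```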
Definition 3 (Fully Dynamic Multi-Key FHE [9]): Let MKHE be a multi-key FHE scheme, $N = N_\lambda$ be any polynomial in the security parameter, let $C = C_\lambda$ be a sequence of circuits, set params ← Setup($1^\lambda$) and (pk i , sk i ) (pk 1 , . . . , pk N ))) = C(µ 1 , . . . , µ )] = negl(λ)
Definition 4 (Bootstrapping [2], [3]): A scheme is bootstrappable if the following holds: it can homomorphically evaluate its own augmented decryption circuits and is also weakly circular secure (it remains secure even against an adversary who gets the encryption of the secret key). Such a scheme can be transformed into a pure fully homomorphic encryption scheme.
VOLUME 9, 2021
Lemma 2 ([26]): Let λ, n, q, p and $m \ge n\ell_q + \ell_p + 2\lambda$ be integers, and let $y \leftarrow \mathbb{Z}_q^n \times \mathbb{Z}_p$. For matrix A← Z n×m where (X , Y ) denotes the statistical distance between two distributions X,Y.

III. LWR-BASED FULLY HOMOMORPHIC ENCRYPTION AND MULTI-KEY FHE SCHEME
A. LWR-BASED FULLY HOMOMORPHIC ENCRYPTION SCHEME
We present the LWR-based fully homomorphic encryption scheme, which is actually a restatement of the scheme of [14].
Output decrypted message µ = v p/2 .
-SKFHE.Add($C_1$, $C_2$): for two ciphertext matrices $C_1$ and $C_2$, which can be decrypted to messages $\mu_1$ and $\mu_2$ respectively, output addition ciphertext
-SKFHE.Mult($C_1$, $C_2$): for two ciphertext matrices $C_1$ and $C_2$, which can be decrypted to messages $\mu_1$ and $\mu_2$ respectively, output multiplication ciphertext

B. NOISE AND SECURITY
As long as the magnitude of noise eRG −1 (w t ) is less than 1/2· p 2 , the message µ can be recovered rightly. Obviously, eRG −1 (w t ) < (1/2)m · p . Hence, the correctness holds if (1/2)m· p < 1/2· p 2 . Next we mainly analyze the growth of noise in homomorphic multiplication.
where $G^{-1}(C_2) \in \{0,1\}^{N \times N}$ and $e_1 G^{-1}(C_2) + \mu_1 e_2$ is the magnitude of noise after homomorphic multiplication, it holds that
Therefore, the magnitude of noise after L homomorphic multiplications is $(1/2)m(N+1)^L$, which is identical to GSW13 and AP14. In this scheme $q = (O(n\ell_q))^{L+O(1)}$, $p = (O(n\ell_p))^{L+O(1)}$, and q ≥ 2mpB is satisfied so as to achieve almost the same security level; thus the parameter q is larger compared to q in GSW13 and AP14, where $q = (O(n\ell_q))^{L+O(1)}$.
Theorem 4: The scheme described above is IND-CPA secure under the $\mathrm{LWR}_{n,m,q,p}$ assumption.
We prove Theorem 4 by the following series of hybrid experiments; our proof mainly follows [14] and [27].
Game 0: This is the real IND-CPA game.
Game 1: ..,m are chosen uniformly from $\mathbb{Z}_q^n \times \mathbb{Z}_p$, rather than from LWR samples as in Game 0, to generate the public key A. The public key A is then used to generate the ciphertext c by encrypting µ as in the encryption procedure of Game 0.
Game 2: In this game, the ciphertext c is chosen uniformly from $\mathbb{Z}_q^n \times \mathbb{Z}_p$ and is thus independent of the public key A, in contrast to Game 1.
We claim that Game 0 and Game 1 are indistinguishable under the $\mathrm{LWR}_{n,m,q,p}$ assumption. To prove this, we assume there is an adversary A that can distinguish Game 0 and Game 1, and construct an algorithm B that collects input samples to generate the public key A, gets the ciphertext c by encrypting a message µ under the public key A, then invokes A on (A, c) and outputs its accept/reject decision. B perfectly simulates Game 0 or Game 1 depending on its inputs: if the inputs are LWR samples, B simulates Game 0; otherwise, B simulates Game 1. Therefore, B and A have equal distinguishing advantages. Because B's advantage must be negligible by hypothesis, so is A's.
Then we claim that Game 1 and Game 2 are statistically indistinguishable. This can be proved by Lemma 2 in Section II. Specifically, the term A·r in Game 1 and an element $y \leftarrow \mathbb{Z}_q^n \times \mathbb{Z}_p$ are statistically indistinguishable by Lemma 2. Hence, the ciphertexts c in Game 1 and Game 2 are statistically indistinguishable, since adding any fixed vector to A·r does not change its uniform distribution.
In conclusion, we claim that Game 0 and Game 2 are indistinguishable under the $\mathrm{LWR}_{n,m,q,p}$ assumption, and the ciphertext in Game 2 is independent of the message µ. This concludes the proof.

C. LINEAR COMBINATION
We now describe the technique named linear combination, which plays an important role in the construction of a multi-key FHE scheme.
Linear combination: Let $M \in \{0,1\}^{N \times N}$ be a matrix and p be a vector; then there is a polynomial-time deterministic algorithm which outputs $C_{lc} \in \mathbb{Z}_q^{n \times N} [\times] \mathbb{Z}_p^{n}$ such that $tC_{lc} = vM + e$ where $\|e\|_\infty \le (1/2)mN^3$.
The algorithm LinComb is implemented as follows:
In other words, except for the value v[i] in the j-th column of the last ((n+1)-th) row of the matrix $Z_{i,j}$, all other values are 0.
2) Then output C lc ∈Z n×N .
Correctness follows because, (17)
First recall that $\|e_{i,j}\|_\infty \le (1/2)m$ ($e_{i,j}$ is the noise contained of public keys $pk_1, \ldots, pk_K$, a fresh ciphertext c = (U, C) encrypted under the public key $pk_i$, run following algorithm for all pk i where i = j.
1. For $j \in \{pk_1, \ldots, pk_K\} \setminus \{i\}$, compute $X_j$ ← LinComb(U, $pk_i - pk_j$).
2. Define a matrix Ĉ composed of $K^2$ sub-matrices, each sub-matrix $C_{a,b}$ is defined as:
Below is the structure of the expanded ciphertext Ĉ:
Finally output Ĉ as the expanded ciphertext.

IV. LWR-BASED FULLY DYNAMIC MULTI-KEY FHE SCHEME
A. CONSTRUCTION
In this section, we propose our LWR-based fully dynamic multi-key FHE scheme FDMK. This scheme differs slightly from the MKFHE scheme. The most important difference is that a ciphertext of this scheme is the last column of a matrix derived from MKFHE, because only the last column is used in the decryption process, and the public key is extended with the encryption of the secret keys. The public key of this scheme is as follows:
The S part is not used for encryption but only for homomorphic evaluation.
-FDMK.Enc(pk, µ): Sample $r \in \mathbb{Z}_2^m$ uniformly at random, and output the ciphertext:
where $u_i$ is the i-th standard basis vector.
-FDMK.Dec(($sk_1, \ldots, sk_K$), c): Set $t = (sk_1, \ldots, sk_K)$ and get the decrypted message µ
where $\mathrm{Threshold}(t, c) = \arg\min_{\mu \in \{0,1\}} \mathrm{noise}_{(t,\mu)}(c)$, and
Then we state the security of the FDMK scheme, which follows immediately from the security of MKFHE.
Lemma 3: If under the same DLWR parameter, MKFHE is weakly circular secure, we can conclude that FDMK is semantically secure.
Proof. Note that the ciphertext of FDMK is the last column of a matrix derived from MKFHE, and the public key in FDMK is generated according to the MKFHE scheme, extended with the encryption of the secret keys. It is therefore obvious that FDMK is semantically secure if MKFHE is weakly circular secure.
Table 1 shows the comparison between our scheme and other schemes. Here n is the lattice dimension, K denotes the upper bound on the number of participants, and k represents the actual number of parties who participated in encryption. As shown in Table 1, our scheme has better performance (the size of ciphertexts grows only linearly with k) compared to [7] and [8], and leaves out the intricate and laborious Gaussian sampling process while maintaining similar performance compared to [9].

V. CONCLUSION
The paper proposes that fully dynamic multi-key FHE can be based on the LWR problem. Our proposed scheme therefore inherits the advantages of both fully dynamic multi-key FHE and the LWR-based FHE scheme: for example, it dispenses with the costly Gaussian sampling required in the LWE problem while sustaining almost the same security level, and it allows an unlimited number of homomorphic operations for unconstrained parties. However, our scheme is somewhat inefficient due to the expensive bootstrapping process. Therefore, one can regard our fully dynamic MKFHE as an alternative to the existing LWE-based fully dynamic FHE scheme. Our future work includes the following:
1) The RLWR problem [12] is a ring version of the LWR problem. In general, FHE schemes based on the RLWR problem have much better performance than schemes based on the LWR problem. Thus, we will construct a fully dynamic multi-key FHE scheme based on the RLWR problem.
2) Authenticated Key Exchange (AKE) [28] enables two parties to generate a session key securely over an insecure network. There are many AKE protocols (e.g., [29,30]) over lattices; we can utilize the LWR problem to implement the authentication in AKE.