In this section, we briefly review the construction and the correctness of the SHE scheme proposed by Brakerski and Vaikuntanathan [4]. The security of the scheme relies on the polynomial LWE assumption defined below, which can be regarded as a simplified version of the ring-LWE assumption of Lyubashevsky, Peikert and Regev [14] (see [4], Section 2 for details of the assumption).
Definition 1 (Polynomial LWE assumption).
For a security parameter λ, let \(f(x) = x^{n} + 1\) be the cyclotomic polynomial for an integer n=n(λ) that is a power of 2. Let q=q(λ) be an integer and set \(R = \mathbb{Z}[\!x]/(\,f(x))\) and \(R_{q} = R/qR\). Let χ=χ(λ) be a distribution over R. Then the polynomial LWE assumption \(\mathsf{PLWE}_{n,q,\chi}\) states that it is infeasible to distinguish the following two distributions:
1. One samples (a,b) uniformly from \((R_{q})^{2}\).
2. One draws s←χ and samples (a,b) by sampling \(a \in R_{q}\) uniformly and e←χ, and setting b=as+e.
2.1 Construction of the SHE scheme
The following four parameters are needed for the scheme construction:
- n: a power of 2, which defines the base ring \(R = \mathbb{Z}[\!x]/(\,f(x))\) with the cyclotomic polynomial \(f(x) = x^{n} + 1\) of degree n as in Definition 1. This degree n is often called the lattice dimension.
- q: a prime number with q≡1 mod 2n, which defines the base ring \(R_{q} = \mathbb{F}_{q}[\!x]/(\,f(x))\) of the ciphertext space. The condition q≡1 mod 2n is not necessary for the scheme construction, but it is required for the provable security result ([4], Theorem 1).
- t: an integer with t<q that determines the plaintext space \(R_{t} = (\mathbb{Z}/t\mathbb{Z})[x]/(\,f(x))\) (t is not necessarily prime).
- σ: the parameter defining the discrete Gaussian error distribution \(\chi = D_{\mathbb{Z}^{n}, \sigma}\) with standard deviation σ; namely, each entry of an n-dimensional vector is sampled from the Gaussian distribution N(0,σ) and rounded to the nearest integer. In practice, a relatively small value such as σ=4∼8 is chosen.
Key generation We first choose an element R∋s←χ, and sample a uniformly random element \(a_{1} \in R_{q}\) and an error R∋e←χ. Then set pk=(a0,a1) with \(a_{0} = -(a_{1}s + te)\) as the public key and sk=s as the secret key.
Encryption For a plaintext \(m \in R_{t}\) and the public key pk=(a0,a1), the encryption samples R∋u,f,g←χ and computes the “fresh ciphertext” given by
$$\begin{array}{*{20}l} \mathsf{Enc}(m, \mathsf{pk}) & = (c_{0}, c_{1}) \in (R_{q})^{2} \\ & = (a_{0}u + tg + m, a_{1}u + tf), \end{array} \tag{2} $$
where \(m \in R_{t}\) is considered as an element of \(R_{q}\) in the natural way due to the condition t<q.
Homomorphic operations While the above encryption algorithm generates ciphertexts consisting of only two ring elements, the homomorphic multiplication defined below makes ciphertexts longer. Therefore we need to define homomorphic operations for ciphertexts of any length as follows. Let \(\mathsf{ct}^{\prime} = (c_{0}^{\prime}, \ldots, c_{\xi}^{\prime}) \in (R_{q})^{\xi + 1}\) and \(\mathsf{ct}^{\prime\prime} = (c_{0}^{\prime\prime}, \ldots, c_{\eta}^{\prime\prime}) \in (R_{q})^{\eta + 1}\) be two ciphertexts. The homomorphic addition “\(\dotplus\)” is computed by component-wise addition of ciphertexts, namely, we have
$$\mathsf{ct}' \dotplus \mathsf{ct}^{\prime\prime} = (c_{0}'+c_{0}^{\prime\prime}, \ldots, c'_{\max (\xi, \eta)} + c^{\prime\prime}_{\max (\xi, \eta)}), $$
by padding with zeros if necessary. Similarly, the homomorphic subtraction is computed by component-wise subtraction. On the other hand, the homomorphic multiplication “∗” is computed by
$$\mathsf{ct}' \ast \mathsf{ct}^{\prime\prime} = (\hat{c}_{0}, \ldots, \hat{c}_{\xi + \eta}), $$
where we regard the ciphertexts \(\mathsf{ct}^{\prime}, \mathsf{ct}^{\prime\prime}\) as elements of \(R_{q}[\!z]\) via the embedding map \((R_{q})^{r} \ni (v_{0}, \ldots, v_{r-1}) \mapsto \sum_{i = 0}^{r-1} v_{i} z^{i} \in R_{q}[\!z]\) for any r≥1, and compute
$$\sum_{i=0}^{\xi + \eta} \hat{c}_{i} z^{i} = \left(\sum_{i=0}^{\xi} c'_{i} z^{i} \right) \cdot \left(\sum_{i=0}^{\eta} c_{i}^{\prime\prime} z^{i} \right) \in R_{q}[\!z]. $$
Decryption For any (fresh or non-fresh) ciphertext \(\mathsf{ct}^{\prime} = (c_{0}^{\prime}, \ldots, c_{\xi}^{\prime}) \in (R_{q})^{\xi + 1}\), the decryption with the secret key sk=s is computed by
$$\mathsf{Dec}(\mathsf{ct}', \mathsf{sk}) = \;[\!\tilde{m}]_{q} \bmod t \in R_{t}, $$
where \(\tilde {m} = \sum _{i = 0}^{\xi } c_{i}' s^{i} \in R_{q}\). For the vector \(\vec {s} = (1, s, s^{2}, \ldots)\) (called the secret key vector), we can also rewrite
$$\mathsf{Dec}(\mathsf{ct}', \mathsf{sk}) = [\!\langle \mathsf{ct}', \vec{s} \rangle]_{q} \bmod t. $$
Let \(\mathsf{ct} = (c_{0}, c_{1})\) be a fresh ciphertext given by (2). Since \(a_{0} + a_{1}s = -te\), we have
$$\begin{array}{*{20}l} \langle \mathsf{ct}, \vec{s} \rangle &= (a_{0}u +tg + m) + s\cdot (a_{1}u + tf) \\ &= m + t\cdot (g + sf -ue) \end{array} $$
in the ring \(R_{q}\). If the value m+t·(g+sf−ue) does not wrap around mod q (i.e., all of the elements \(e, f, g, u \in R\) drawn from χ are sufficiently small), we have
$$[\!\langle \mathsf{ct}, \vec{s} \rangle]_{q} = m + t \cdot (g + sf -ue) $$
in the ring R (see also Lemma 2 below for the condition of successful decryption). In this case, we can recover the correct plaintext m by reduction mod t, which shows the decryption mechanism for fresh ciphertexts. Furthermore, for two fresh ciphertexts \(\mathsf{ct}_{1}, \mathsf{ct}_{2}\), we clearly have
$$\begin{aligned} \langle \mathsf{ct}_{1} \dotplus \mathsf{ct}_{2}, \vec{s} \rangle & = \langle \mathsf{ct}_{1}, \vec{s} \rangle + \langle \mathsf{ct}_{2}, \vec{s} \rangle \\ \langle \mathsf{ct}_{1} \ast \mathsf{ct}_{2}, \vec{s} \rangle & = \langle \mathsf{ct}_{1}, \vec{s} \rangle \cdot \langle \mathsf{ct}_{2}, \vec{s} \rangle \end{aligned} $$
in the ring \(R_{q}\). These two equations help us to understand the construction and the correctness of the homomorphic operations of the encryption scheme; refer to ([4], Section 1.1) for details. Here we also give a lemma on the “cryptographic security” of the scheme constructed above (see [4] for details).
Lemma 1 (security).
Given (n,q,t,σ), the scheme is provably secure in the sense of IND-CPA under the polynomial LWE assumption \(\mathsf{PLWE}_{n,q,\chi}\) with \(\chi = D_{\mathbb{Z}^{n}, \sigma}\) (see Definition 1 for the definition of \(\mathsf{PLWE}_{n,q,\chi}\)).
2.2 Correctness of the SHE scheme
By correctness, we mean that the decryption recovers the result of the corresponding operations over plaintexts after some homomorphic operations over ciphertexts. For the scheme constructed above, the homomorphic operations over ciphertexts correspond to the ring structure of the plaintext space \(R_{t}\), namely, we have
- (Addition) \(\mathsf{Dec}(\mathsf{ct} \dotplus \mathsf{ct}', \mathsf{sk}) = m + m' \in R_{t}\), and
- (Multiplication) \(\mathsf{Dec}(\mathsf{ct} \ast \mathsf{ct}', \mathsf{sk}) = m \times m' \in R_{t}\)
for ciphertexts ct,ct′ corresponding to plaintexts m,m′, respectively. However, the scheme merely gives an SHE scheme (not an FHE scheme), and its correctness holds only under the following condition (see the proof of [16], Lemma 3.3):
Lemma 2 (Condition for successful decryption).
For a ciphertext ct, the decryption Dec(ct,sk) recovers the correct result if \(\langle \mathsf{ct}, \vec{s} \rangle \in R_{q}\) does not wrap around mod q, namely, if the condition
$$ ||\langle \mathsf{ct}, \vec{s} \rangle ||_{\infty} < \frac{q}{2} \tag{3} $$
is satisfied, where for \(a = \sum a_{i}x^{i} \in R_{q}\) we let \(||a||_{\infty} = \max |a_{i}|\) denote the ∞-norm of its coefficient representation.
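A toy implementation of the scheme of Section 2.1 with the Lemma 2 error term exposed, as an added example that is not part of the paper or of [4]: key generation, fresh ciphertexts (2), the homomorphic operations in \(R_{q}[\!z]\), decryption via the secret key vector \(\vec{s} = (1, s, s^{2}, \ldots)\), and the term t·(g+sf−ue) whose ∞-norm must stay below q/2. The parameters n=8, q=119·2^23+1, t=2, σ=1 are constructed toy values chosen for readability, not for security.

```python
# Toy Brakerski-Vaikuntanathan SHE over R_q = Z_q[x]/(x^n + 1), illustrating Sections 2.1 and 2.2.
# Constructed example, not the paper's code; parameters are tiny and chosen for readability, NOT security.
import random

N, Q, T, SIGMA = 8, 998244353, 2, 1.0  # n = 2^3, q = 119*2^23 + 1 (prime, q = 1 mod 2n), t, sigma

def center(a):  # [a]_q: the representative of a mod q lying in (-q/2, q/2]
    a %= Q
    return a - Q if a > Q // 2 else a

def pmul(a, b, mod=Q):  # product in Z[x]/(x^N + 1), i.e. with x^N = -1, coefficients reduced mod `mod`
    r = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            r[(i + j) % N] += ai * bj if i + j < N else -ai * bj
    return [c % mod for c in r]

def padd(a, b):  # coefficient-wise addition in R_q
    return [(x + y) % Q for x, y in zip(a, b)]

def chi(rng):  # D_{Z^n, sigma}: sample N(0, sigma) per coefficient and round to the nearest integer
    return [round(rng.gauss(0, SIGMA)) for _ in range(N)]

def keygen(rng):  # pk = (a0, a1) with a0 = -(a1*s + t*e), sk = s
    s, e = chi(rng), chi(rng)
    a1 = [rng.randrange(Q) for _ in range(N)]
    a0 = [(-c) % Q for c in padd(pmul(a1, s), [T * x for x in e])]
    return (a0, a1), s

def encrypt(m, pk, rng):  # fresh ciphertext (2): (a0*u + t*g + m, a1*u + t*f)
    a0, a1 = pk
    u, f, g = chi(rng), chi(rng), chi(rng)
    return [padd(padd(pmul(a0, u), [T * x for x in g]), m), padd(pmul(a1, u), [T * x for x in f])]

def hom_add(ct1, ct2):  # component-wise addition, zero-padding the shorter ciphertext
    L, z = max(len(ct1), len(ct2)), [[0] * N]
    return [padd(a, b) for a, b in zip(ct1 + z * (L - len(ct1)), ct2 + z * (L - len(ct2)))]

def hom_mul(ct1, ct2):  # product in R_q[z]: lengths xi+1 and eta+1 give a ciphertext of length xi+eta+1
    out = [[0] * N for _ in range(len(ct1) + len(ct2) - 1)]
    for i, a in enumerate(ct1):
        for j, b in enumerate(ct2):
            out[i + j] = padd(out[i + j], pmul(a, b))
    return out

def inner(ct, s):  # <ct, s_vec> = sum_i c_i * s^i in R_q with s_vec = (1, s, s^2, ...)
    acc, sp = [0] * N, [1] + [0] * (N - 1)
    for c in ct:
        acc, sp = padd(acc, pmul(c, sp)), pmul(sp, s)
    return acc

def decrypt(ct, s):  # Dec(ct, sk) = [<ct, s_vec>]_q mod t, read as an element of R_t
    return [center(c) % T for c in inner(ct, s)]

def noise(ct, s, m):  # key holder's diagnostic: [<ct, s_vec>]_q - m, i.e. the error term t*(g + s*f - u*e)
    return [center(c) - x for c, x in zip(inner(ct, s), m)]  # Lemma 2 requires its inf-norm to stay < q/2
```

Because the error term is a multiple of t whenever (3) holds, `noise` returning a polynomial with all coefficients divisible by t is a quick consistency check that decryption of that ciphertext is correct; one homomorphic multiplication is safely within the bound for these parameters, while repeated multiplications quickly exhaust it.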