
One Improved RLWE-based FHE and Fast Private Information Retrieval

  • Song, Wei-Tao (The PLA Strategic Support Force Information Engineering University) ;
  • Hu, Bin (The PLA Strategic Support Force Information Engineering University) ;
  • Zhao, Xiu-Feng (The PLA Strategic Support Force Information Engineering University)
  • Received : 2019.01.05
  • Accepted : 2019.06.24
  • Published : 2019.12.31

Abstract

With the rapid development of cloud computing, privacy protection has become a real concern, and this greatly limits the use of cloud computing. Fully homomorphic encryption (FHE), however, can make cloud computing compatible with privacy. In this paper, we propose a simpler FHE scheme based on the ring LWE problem, with a smaller ciphertext and a lower noise-expansion factor for homomorphic multiplication. Then, based on our optimized RLWE-based FHE scheme, we propose a fast single-database private information retrieval protocol, combined with batching and number theoretic transform (NTT) techniques.


1. Introduction

 With the development of information technology, cloud computing has become a hot topic [1, 2]. Users can enjoy the excellent computing performance of the cloud without having to manage complex hardware. However, for some private data (e.g. medical records or account information), it is unsuitable or illegal to store it in the cloud in the clear, which greatly limits the applications of cloud computing. Fortunately, the appearance of fully homomorphic encryption (FHE) makes it easier to reconcile cloud computing with privacy.

 In 1978, FHE was first proposed by Rivest et al. [3]. It allows arbitrarily complex evaluation on encrypted data. It is an encryption scheme \(\varepsilon\) with an efficient algorithm \(\text{Evaluate}_{\varepsilon}\) that, for any valid ciphertexts \(c_{i} \leftarrow \text{Enc}_{\varepsilon}(pk, m_{i})\) and any function f, outputs \(c=\text{Evaluate}_{\varepsilon}(f, c_{1}, c_{2}, \ldots, c_{t})\) with

\({Dec}(s k, c)={Dec}\left(s k, {Evaluate}_{\varepsilon}\left(f, c_{1}, c_{2}, \ldots, c_{t}\right)\right)=f\left(m_{1}, m_{2}, \ldots, m_{t}\right)\)

 Based on FHE, users can take advantage of the excellent data computing ability of the cloud server, without leaking private data.

 For example, a user Alice can upload her private data, encrypted with an FHE scheme, to the cloud server. When she wants the cloud server to process some private data \(m_{1}, \dots, m_{t}\), she sends a description of the computation f and the corresponding encrypted data to the cloud server. The cloud server runs the Evaluate algorithm and returns the result to Alice, who obtains \(f(m_{1}, \dots, m_{t})\) after decryption. The cloud never sees any unencrypted data throughout this process. Moreover, the function f given to the Evaluate algorithm can itself be encrypted with the same FHE scheme. See Fig. 1.


Fig. 1. Private Cloud Computing based on FHE

 However, how to construct an FHE scheme puzzled researchers for more than 30 years [4]. In 2009, Gentry constructed the first FHE scheme [5]. After Gentry's breakthrough, many implementations and improved schemes have been proposed, based on different cryptographic assumptions: approximate greatest common divisors [6-10], standard learning with errors (LWE) [11-16], and ring-LWE (RLWE) [17-21].

 Note that for a pure FHE scheme, Gentry's bootstrapping technique is still essential. Unfortunately, bootstrapping is computationally very expensive, despite considerable effort to improve its efficiency. Recent studies on FHE schemes fall into two categories: improving the efficiency of bootstrapping, or building efficient leveled FHE schemes that avoid bootstrapping. For the latter, the key lies in reducing the noise-expansion factor of homomorphic multiplication.

 The Number Theoretic Transform (NTT), the analogue of the well-known Fast Fourier Transform (FFT) over a finite field, can be used to speed up modular polynomial multiplication, as in the Schönhage-Strassen multiplication algorithm [22]; this is what makes our construction practical in the RLWE setting. Note that one of the key features of the Gentry-Sahai-Waters (GSW) FHE scheme [15] is asymmetric noise growth under homomorphic multiplication. By exploiting this feature, a long chain of homomorphic multiplications incurs only polynomial-factor error growth, where other FHE schemes often incur exponential-factor error growth. This asymmetric noise growth is important for building high-performance leveled FHE schemes without bootstrapping.

 So far, however, little work has been done on improving the noise performance of RLWE-based GSW. Most related work focuses on improving the bootstrapping of GSW [23,24], introducing packing into GSW [25], or building new identity-based/attribute-based FHE on top of GSW [26]. The main result is the work [17] of Khedr et al., who propose an optimized RLWE-based implementation of GSW-FHE and reduce the ciphertext size of [15,16] from \(N \times N\) to \(N \times 2\), where \(N=n \times \log q\). But, as in [15,16], the noise-expansion factor of homomorphic multiplication is still \(\Theta(n \log q)\). Moreover, there are security problems in their scheme.

 The quest for private information retrieval (PIR) protocols. PIR plays a very important role in private outsourced storage and computation for cloud computing. It lets a user retrieve an item from a database held by the cloud server without the server learning which item was retrieved. More formally, we model the server's database as a t-bit string x. A user wants to retrieve the i-th bit \(x_i\) privately, while the server learns nothing about i. The main performance measures of a PIR protocol are its communication complexity and its computational complexity. The security of PIR protocols is either computational or information-theoretic; the difference lies in the adversary to be resisted. Information-theoretic PIR must resist an adversary with unlimited computational power, whereas computational PIR need only resist a computationally bounded adversary. In this paper, the security of a PIR protocol refers to computational security.

 The first computational PIR protocol was introduced by Kushilevitz and Ostrovsky [27]. In 2007, paper [28] studied the computational practicality of PIR. It concluded that any computational PIR scheme is less efficient than the trivial PIR scheme (sending the whole database), since a computational PIR protocol needs one or more modular multiplications for every bit of the database. Later, by revisiting that performance analysis, paper [29] proposed a lattice-based PIR protocol that is more efficient than trivial PIR.

 In all these constructions, the key lies in finding an efficient scheme based on a hard computational problem. The aforementioned schemes use various methods and tools to construct computational PIR protocols. However, given an FHE scheme, implementing a PIR construction is conceptually as simple as performing ordinary information retrieval on the encrypted query. Besides, building on FHE schemes evidently reduces the communication complexity of PIR. Thus, in this paper we focus only on computational PIR protocols built from FHE.

 Prior works. In 2009, a single-database PIR protocol with sub-linear communication complexity was sketched by Gentry [5]. Later, a general framework that combines FHE with symmetric-key encryption was proposed by Brakerski and Vaikuntanathan in 2011 [12]. In TKDE13 [31], a more efficient PIR protocol was proposed, called the XMREF-PIR protocol for short. In 2014, a somewhat FHE scheme based on NTRU was customized for PIR [32]. In 2015, a fast PIR protocol based on an RLWE-based GSW-FHE scheme was proposed [17], and [33] analyzed PIR schemes based on FHE. In 2016, a PIR protocol based on an RLWE-based FHE scheme was proposed [34], which currently has the best communication complexity for a single database server. However, one drawback of that scheme is the need to perform expensive key-switching operations.

 Contributions. In this paper, we improve the RLWE-based GSW scheme of [17] in security, efficiency, and ciphertext size. In [17], the RLWE-based GSW scheme is built on only one RLWE sample, which is insecure: RLWE-based FHE schemes need many RLWE samples to be secure. For example, Regev's scheme needs \(\Omega(((n+\ell) \log q)+\omega(\log \lambda))\) LWE samples. Although [17] introduced an (LWE+LWE) model, which reduces the number of samples, their scheme still needs at least \(n+\ell\) RLWE samples to be secure. Thus, we first improve the security of the scheme of [17] by using a sufficient number of RLWE samples. Second, we cut the noise-growth rate of homomorphic multiplication in [17] from \(\Theta(n \log q)\) to \(\Theta(n)\). This mainly benefits from a property of the GSW scheme that we observed: if the plaintext is multiplied by an integer \(k \in \mathbb{Z}_{q}\) at encryption time, the error after one homomorphic multiplication of the GSW scheme can be reduced to approximately 1/k of its original size. See Section 3 for details. Meanwhile, by taking full advantage of this property, we eliminate the "Flatten" operation of [17] and obtain a technically simpler variant with smaller keys and ciphertexts.

 Next, combining batching and NTT techniques, we propose a fast single-database PIR protocol based on our optimized RLWE-based GSW scheme.

 Organization. The rest of this paper is organized as follows. In Section 2 we define notational conventions and present definitions and theorems on FHE, bootstrapping and the RLWE assumption. In Section 3, an improved RLWE-based GSW-FHE scheme is presented. In Section 4, a fast single-database PIR protocol from our optimized RLWE-based GSW scheme is presented. In Section 5, we implement the PIR protocol based on our optimized RLWE-based GSW scheme together with three other representative PIR protocols from FHE. Finally, Section 6 concludes.

 

2. Preliminaries

 Basic Notations. In our construction, R represents either the integer ring or a polynomial ring. An element of R is written in lower-case letters, e.g., \(r \in R\). The \(\ell_{\infty}\) norm (maximum norm) of a vector v is denoted by \(\|v\|_{\infty}\). If v is a vector of ring elements, then \(\|v\|_{\infty}=\max_i \left\{\left\|v_{i}\right\|_{\infty}\right\}\). A matrix of ring elements is written in capital letters, e.g., \(A \in R^{n \times m}\), and the i-th column vector of matrix A is denoted by \(\mathbf{a}_i\).

 We denote the integer ring by \(\mathbb{Z}\), and multiplication by ' \(\cdot\) '. Rounding to the nearest integer is denoted by \(\lfloor x\rceil\), and rounding down to the nearest integer by \(\lfloor x\rfloor\). By \(x \xleftarrow{\$} \mathbb{D}\) we denote that x is sampled from a distribution \(\mathbb{D}\), and \(a \xleftarrow{u} \mathbb{G}\) means that a is chosen uniformly at random from \(\mathbb{G}\).

 

2.1 Fully Homomorphic Encryption

 Definition 2.1 (L-Homomorphic). For any depth-L circuit f, any plaintexts \(\mu_{1}, \dots, \mu_{l}\) and the corresponding ciphertexts \(c_{1}, \dots, c_{l}\), if it holds that

\(\operatorname{Pr}\left[{Dec}_{s k}\left( {Eval}_{\text {evk}}\left(f, c_{1}, \ldots, c_{l}\right)\right) \neq f\left(\mu_{1}, \ldots, \mu_{l}\right)\right]={negl}(\lambda)\)

where \((p k, s k, e v k) \leftarrow \operatorname{KeyGen}\left(1^{\lambda}\right)\) and \(c_{i}=E n c_{p k}\left(\mu_{i}\right)\), then the scheme is L-homomorphic.

 Definition 2.2 (Compactness, Leveled and Fully Homomorphic Encryption). A homomorphic scheme is compact if its decryption circuit is independent of the evaluated function. A compact homomorphic scheme that takes \(1^{L}\) as an additional input to key generation and is L-homomorphic is a leveled fully homomorphic scheme. A homomorphic scheme that is compact and L-homomorphic for every polynomial L (without taking L as an input) is a fully homomorphic encryption (FHE) scheme.

 

2.2 RLWE Assumption

 The LWE assumption was introduced by Regev [35]. At Eurocrypt 2010, Lyubashevsky et al. [36] extended the LWE assumption from the integers to polynomial rings, obtaining better efficiency.

 Definition 2.3 (RLWE Assumption). Let \(R=\mathbb{Z}[X] / \Phi_{m}(X)\) be a polynomial ring, where \(\Phi_{m}(X)\) is the (irreducible) m-th cyclotomic polynomial, and let \(R_q=R/qR\). Let \(\chi\) be a discrete Gaussian error distribution over \(R_{q}\). Sample a polynomial \(s \xleftarrow{u} R_{q}\), \(a_{i} \xleftarrow{u} R_{q}\) and \(e_{i} \xleftarrow{\$} \chi\). Then, for any number k of pairs, \(\left(a_{i}, b_{i}=a_{i} \cdot s+e_{i}\right)_{i=1}^{k}\) is computationally indistinguishable from k uniformly random pairs over \(R_q \times R_q\).

 

3. Improved RLWE-Based GSW-FHE Scheme

 In this section, we begin by presenting our improved RLWE-based GSW-FHE scheme (IRGSW) with an analysis of correctness and security. Then we discuss the performance on noise reduction and size of ciphertext for our IRGSW scheme, compared to the scheme of [17].

3.1 IRGSW scheme

 Our IRGSW scheme is described in detail as follows.

 • \(\text{IRGSW.Setup}(1^{\lambda}, 1^{L})\): The parameters of the scheme are the security parameter \(\lambda\), the upper bound L on the tolerated multiplicative depth, a lattice dimension \(n=n(\lambda, L)\), a modulus \(q=q(\lambda, L) \in \mathbb{Z}^{+}\) of l bits, an irreducible polynomial \(g(x)=x^{n-1}+1\) (note that \(x^{k}+1\) is irreducible over \(\mathbb{Z}\) only when k is a power of two), the ring \(R=\mathbb{Z}[x] /(g(x))\) and its quotient ring modulo q, \(R_{q}=\mathbb{Z}_{q}[x] /(g(x))\), a B-bounded discrete Gaussian error distribution \(\chi\) over \(R_q\) (\(\|\chi\|_{\infty} \leq B\)), and a parameter \(m=m(\lambda, L)\), all chosen so as to achieve at least \(2^{\lambda}\) security against known LWE attacks.

 • \(\text{IRGSW.KeyGen}(1^{\lambda}, 1^{L})\): Sample a ring vector \(\mathbf{a} \xleftarrow{u} R_{q}^{m}\), a secret polynomial \(t \xleftarrow{\$} \chi\), and an error vector \(\mathbf{e} \xleftarrow{\$} \chi^{m}\). Compute \(\mathbf{b}=t \cdot \mathbf{a}+\mathbf{e}\). Set the secret key \(sk=\mathbf{s}=(1, t) \in R_{q}^{2}\), and the public key \(pk=A\) to be the 2-column matrix made up of \(\mathbf{b}\) followed by \(-\mathbf{a}\), namely \(A=[\mathbf{b} \mid -\mathbf{a}] \in R_{q}^{m \times 2}\). Note that

\(A \times \mathbf{s}=\mathbf{b}-t \cdot \mathbf{a}=\mathbf{e}\)

 (Note that in [17] the public key is \(A=[b \mid -a] \in R_{q}^{1 \times 2}\), i.e. their RLWE-based GSW scheme rests on a single RLWE sample, which is insecure. In our scheme the number of RLWE samples is m.)

 • \(\text{IRGSW.Enc}(pk, \mu)\): To encrypt a constant polynomial \(\mu \in R_{p}\) (\(p \ll q\)), sample \(K \xleftarrow{u} R_{2}^{2 \times m}\) and \(X \xleftarrow{\$} \chi^{2 \times 2}\), and output the ciphertext

\(C=\left[\left\lfloor\frac{q}{p}\right\rfloor \cdot \mu \cdot I_{2}+K \cdot A+X\right]_{q} \in R_{q}^{2 \times 2}\)

where \(I_{2}\) is the \(2 \times 2\) identity matrix. (As opposed to \(C \in R_{q}^{N \times 2}\) in [17], where \(N=2 \times \log q\), we have a smaller ciphertext.)

 • \(\text{IRGSW.Dec}(sk, C)\): First, compute

\(C \cdot \mathbf{s}=\left\lfloor\frac{q}{p}\right\rfloor \cdot \mu \cdot \mathbf{s}+K \cdot \mathbf{e}+X \cdot \mathbf{s} \approx\left\lfloor\frac{q}{p}\right\rfloor \cdot \mu \cdot \mathbf{s} \bmod q\)

 Let the first component of the vector \(C \cdot \mathbf{s}\) be denoted by x. Then \(\mu\) can be extracted from x as \(\left[\left\lfloor\frac{p}{q} \cdot x\right\rceil\right]_{p}\). In practice, decryption only computes \(\mu=\left[\left\lfloor p \cdot\left[\langle\mathbf{c}_{1}, \mathbf{s}\rangle\right]_{q} / q\right\rceil\right]_{p}\), where \(\mathbf{c}_{1}\) is the first row of C.

 (As opposed to   in [17], we have fewer operations in Dec by a factor of   times.)

 • \(C_{1} \oplus C_{2}\): Output \(C_{add}=\left[C_{1}+C_{2}\right]_{q} \in R_{q}^{2 \times 2}\) as the homomorphic addition of the input ciphertexts.

 • \(C_{1} \otimes C_{2}\): Output \(C_{mult}=\left[\left\lfloor\frac{p}{q} C_{1} \cdot C_{2}\right\rceil\right]_{q} \in R_{q}^{2 \times 2}\) as the homomorphic multiplication of the input ciphertexts.

 

3.2 Correctness and Security

 Correctness. We discuss the noise magnitude at encryption and decryption. First, Lemma 3.1 gives the noise magnitude of a fresh encryption in our scheme IRGSW.

 Lemma 3.1 (Encryption Noise). Let n, m, q, l and \(\chi\) be the parameters of our scheme IRGSW, and \(\mu \in R_{p}\) (\(p \ll q\)). Set \((sk, pk)=(\mathbf{s}, A) \leftarrow \text{IRGSW.KeyGen}(1^{\lambda}, 1^{L})\) and \(C \leftarrow \text{IRGSW.Enc}(A, \mu)\). Then for some \(\mathbf{e}'\) with \(\|\mathbf{e}'\|_{\infty} \leq m \cdot n \cdot B+n \cdot B^{2}+B\) it holds that

\([C \cdot \mathbf{s}]_{q}=[\lfloor q / p\rfloor \cdot \mu \cdot \mathbf{s}+\mathbf{e}']_{q}\)

 Proof. By definition,

\([C \cdot \mathbf{s}]_{q}=[\lfloor q / p\rfloor \cdot \mu \cdot \mathbf{s}+K \cdot \mathbf{e}+X \cdot \mathbf{s}]_{q}\)

 Since \(g(x)=x^{n-1}+1\), \(K \xleftarrow{u} R_{2}^{2 \times m}\), \(\mathbf{e} \xleftarrow{\$} \chi^{m}\), \(X \xleftarrow{\$} \chi^{2 \times 2}\), \(t \xleftarrow{\$} \chi\), \(\mathbf{s}=(1, t)\) and \(\|\chi\|_{\infty} \leq B\), each entry of \(K \cdot \mathbf{e}\) is a sum of m products of a binary polynomial with a B-bounded polynomial (each product has coefficients of size at most \(n \cdot B\)), and \(X \cdot \mathbf{s}\) adds one B-bounded polynomial plus the product of two. Hence \(\left\|[K \cdot \mathbf{e}+X \cdot \mathbf{s}]_{q}\right\|_{\infty} \leq m \cdot n \cdot B+n \cdot B^{2}+B\), and the claim holds with \(\mathbf{e}'=K \cdot \mathbf{e}+X \cdot \mathbf{s}\). Lemma 3.1 is proved.

 Next, Lemma 3.2 states the correctness of decryption. The proof follows Regev [35] and is omitted.

 Lemma 3.2 (Decryption Noise). Let n, m, q, l and \(\chi\) be the parameters of our scheme IRGSW. Suppose the secret key \(\mathbf{s} \in R_{q}^{2}\) and \(C \in R_{q}^{2 \times 2}\) are such that \([C \cdot \mathbf{s}]_{q}=[\lfloor q / p\rfloor \cdot \mu \cdot \mathbf{s}+\mathbf{e}]_{q}\) with \(\mu \in R_{p}\) (\(p \ll q\)) and \(\|\mathbf{e}\|_{\infty} \leq\lfloor q / p\rfloor / 2\). Then \(\text{IRGSW.Dec}(sk, C)=\mu\).

 From Lemma 3.2 we can get that the upper bound of decryption noise in our scheme is \(\lfloor q / p\rfloor / 2\) . Since the encryption noise \(\|e\|_{\infty} \leq m \cdot n \cdot B+n \cdot B^{2}+B \ll\lfloor q / p\rfloor / 2\) , then the correctness of our decryption function \(I R G S W \cdot \operatorname{Dec}(s k, C)\)  is guaranteed.

 Security. The security of our scheme follows if the joint distribution \((A, K \cdot A+X)\) is computationally indistinguishable from uniform over \(R_{q}^{m \times 2} \times R_{q}^{2 \times 2}\), since the rows of \(K \cdot A+X\) are simply encryptions of 0 under the Lindner-Peikert (LP) scheme [42]. Thus, the security of our scheme follows directly from Lemma 3.3 below, which is the statement used to prove the security of the LP encryption scheme [42].

 Lemma 3.3 (Implicit in [42]). Let params=(n, q, \(\chi\), m) be such that the \(RLWE_{n, q, \chi, m}\) assumption holds. Sample a ring vector \(\mathbf{a} \xleftarrow{u} R_{q}^{m}\), a secret polynomial \(t \xleftarrow{\$} \chi\), and an error vector \(\mathbf{e} \xleftarrow{\$} \chi^{m}\); compute \(\mathbf{b}=t \cdot \mathbf{a}+\mathbf{e}\) and let \(A=[\mathbf{b} \mid -\mathbf{a}] \in R_{q}^{m \times 2}\). Sample \(K \xleftarrow{u} R_{2}^{2 \times m}\) and \(X \xleftarrow{\$} \chi^{2 \times 2}\). If \(m>n+\log q\), then the joint distribution \((A, K \cdot A+X)\) is computationally indistinguishable from uniform over \(R_{q}^{m \times 2} \times R_{q}^{2 \times 2}\).

 Proof. Assume there exists a probabilistic polynomial-time distinguisher \(\mathcal{D}\) that distinguishes \((A, K \cdot A+X)\) from uniform over \(R_{q}^{m \times 2} \times R_{q}^{2 \times 2}\) with non-negligible advantage \(\varepsilon\). Then \(\mathcal{D}\) immediately gives a distinguisher against the LP scheme [42], and the security proof of the LP scheme shows that no such distinguisher exists. Thus, Lemma 3.3 is proved.

 

3.3 Homomorphic Performance

 1) Homomorphic Noise

 a) \(C_{add}\): Set \(\mathbf{s}=(1, t) \in R_{q}^{2}\). Let \(C_{1}, C_{2} \in R_{q}^{2 \times 2}\) both be 'fresh' ciphertexts encrypted under the same key \(\mathbf{s}\), let \(B^{\prime}=m \cdot n \cdot B+n \cdot B^{2}+B\) be the bound on the error of a fresh encryption of an element of \(R_{p}\), and let \(C_{add}=C_{1} \oplus C_{2}\). It is easy to see that \(\mathbf{e}_{add}=\mathbf{e}_{1}+\mathbf{e}_{2} \bmod q\). Since \(C_{1}\) and \(C_{2}\) are both fresh ciphertexts,

\(\left\|\mathbf{e}_{add}\right\|_{\infty} \leq 2 B^{\prime} \ll\lfloor q / p\rfloor / 2\)

and so the correctness of homomorphic addition is guaranteed.

 b) \(C_{mult}\): Let \(C_{1}, C_{2} \in R_{q}^{2 \times 2}\) both be fresh input ciphertexts encrypted under the same key \(\mathbf{s}=(1, t)\), and

\(C_{mult}=C_{1} \otimes C_{2}=\left[\left\lfloor\frac{p}{q} C_{1} \cdot C_{2}\right\rceil\right]_{q}\)

 Then compute

\(\begin{aligned}\left[C_{mult} \cdot \mathbf{s}\right]_{q} &=\left[\left\lfloor\frac{p}{q} C_{1} \cdot C_{2}\right\rceil \cdot \mathbf{s}\right]_{q}=\left[\frac{p}{q} C_{1} \cdot C_{2} \cdot \mathbf{s}+\delta_{1}\right]_{q} \\&=\left[\frac{p}{q} \cdot C_{1}\left(\left\lfloor\frac{q}{p}\right\rfloor \cdot \mu_{2} \cdot \mathbf{s}+\mathbf{e}_{2}\right)+\delta_{1}\right]_{q} \\&=\left[\mu_{2} \cdot\left(C_{1} \cdot \mathbf{s}\right)+\frac{p}{q} \cdot C_{1} \cdot \mathbf{e}_{2}+\delta_{1}+\delta_{2}\right]_{q} \\&=\left[\mu_{2} \cdot\left(\left\lfloor\frac{q}{p}\right\rfloor \cdot \mu_{1} \cdot \mathbf{s}+\mathbf{e}_{1}\right)+\delta_{1}+\delta_{2}+\delta_{3}\right]_{q} \\&=\left[\left\lfloor\frac{q}{p}\right\rfloor \cdot\left(\mu_{1} \cdot \mu_{2}\right) \cdot \mathbf{s}+\delta_{1}+\delta_{2}+\delta_{3}+\delta_{4}\right]_{q}\end{aligned}\)

 where \(\delta_{1}=\left[\left(\left\lfloor\frac{p}{q} C_{1} \cdot C_{2}\right\rceil-\frac{p}{q} C_{1} \cdot C_{2}\right) \cdot \mathbf{s}\right]_{q}\), \(\delta_{2}=\left[\frac{p}{q} \cdot\left(\left\lfloor\frac{q}{p}\right\rfloor-\frac{q}{p}\right) \cdot \mu_{2} \cdot C_{1} \cdot \mathbf{s}\right]_{q}\), \(\delta_{3}=\left[\frac{p}{q} \cdot C_{1} \cdot \mathbf{e}_{2}\right]_{q}\), and \(\delta_{4}=\left[\mu_{2} \cdot \mathbf{e}_{1}\right]_{q}\).

 Thus,

\(\begin{aligned}\left\|\mathbf{e}_{mult}\right\|_{\infty} &=\left\|\delta_{1}+\delta_{2}+\delta_{3}+\delta_{4}\right\|_{\infty} \leq\left\|\delta_{1}\right\|_{\infty}+\left\|\delta_{2}\right\|_{\infty}+\left\|\delta_{3}\right\|_{\infty}+\left\|\delta_{4}\right\|_{\infty} \\& \leq \frac{1}{2}\|\mathbf{s}\|_{\infty}+p \cdot(p-1) \cdot(n \cdot B+1)+2 p \cdot n\left\|\mathbf{e}_{2}\right\|_{\infty}+(p-1) \cdot\left\|\mathbf{e}_{1}\right\|_{\infty} \\&<(2 n+1) \cdot p \cdot B^{\prime}\end{aligned}\)

 Since \(\left\|\mathbf{e}_{mult}\right\|_{\infty}<(2 n+1) \cdot p \cdot B^{\prime} \ll\lfloor q / p\rfloor / 2\), correctness is guaranteed. Meanwhile, the error of \(C_{mult}=C_{1} \otimes C_{2}\) is about \((2n+1) \cdot p\) times the fresh error, i.e. \(\Theta(n)\), whereas in [17] it is \(\Theta(n \log q)\). That is, our noise growth is better than that of [17].

 A caveat on the derivation above: the second equality replaces \(C_{2} \cdot \mathbf{s}\) by its residue \(\lfloor q/p\rfloor \cdot \mu_{2} \cdot \mathbf{s}+\mathbf{e}_{2}\) modulo q before the scaling by p/q is applied. Over the integers, \(C_{2} \cdot \mathbf{s}=\lfloor q/p\rfloor \cdot \mu_{2} \cdot \mathbf{s}+\mathbf{e}_{2}+q \cdot \mathbf{w}\) for some integer vector \(\mathbf{w}\) (of norm up to about \(n \cdot B\)), and the scaled term \(\frac{p}{q} \cdot C_{1} \cdot q \cdot \mathbf{w}=p \cdot C_{1} \cdot \mathbf{w}\) is not a multiple of q, so it does not vanish under \([\cdot]_{q}\) unless the entries of \(C_{1}\) are small, which is exactly what the Flatten (bit-decomposition) step of GSW guarantees and what this scheme omits. The bound \((2n+1) \cdot p \cdot B^{\prime}\) therefore covers \(\delta_{1}\) to \(\delta_{4}\) only, and an implementation should check that homomorphic products decrypt correctly before relying on it.
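As an added example (not code from the paper), the following Python model implements IRGSW.KeyGen, Enc, Dec, \(\oplus\) and \(\otimes\) of Section 3.1 over \(R_{q}=\mathbb{Z}_{q}[x]/(x^{n}+1)\) with toy, insecure parameters (n = 16, m = 8, B = 1, p = 2, q = 2^32, schoolbook ring arithmetic; all parameter and function names are this example's own) and checks the noise analysis of Section 3.3. It compares the fresh noise with \(B^{\prime}\) of Lemma 3.1, and splits the noise of \(C_{1} \otimes C_{2}\) by writing \(C_{2} \cdot \mathbf{s}=\lfloor q/p\rfloor \mu_{2} \mathbf{s}+\mathbf{e}_{2}+q\mathbf{w}\) over the integers: the part accounted for by \(\delta_{1}, \dots, \delta_{4}\) stays below \((2n+1) p B^{\prime}\), while the term \(p \cdot C_{1} \cdot \mathbf{w}\), which the derivation drops by reducing \(C_{2} \cdot \mathbf{s}\) modulo q before the scaling by p/q, is of the order of q. Since q is a multiple of p here, \(\lfloor q/p\rfloor=q/p\) and \(\delta_{2}=0\).

```python
"""Toy model of IRGSW (Section 3.1) over R_q = Z_q[x]/(x^N + 1) and a check of
the multiplication-noise analysis of Section 3.3. Added example with tiny,
INSECURE parameters and schoolbook ring arithmetic; names are this example's own."""
import random

N, M, B, P, Q = 16, 8, 1, 2, 2 ** 32        # ring degree, #RLWE samples, noise bound, p, q
K_SCALE = Q // P                            # floor(q/p); Q is a multiple of P, so exact
B_FRESH = M * N * B + N * B * B + B         # B' of Lemma 3.1
MULT_BOUND = (2 * N + 1) * P * B_FRESH      # bound claimed for ||e_mult|| in Section 3.3

def cmod(x, q):
    """Centered representative of x mod q, in [-q/2, q/2)."""
    x %= q
    return x - q if x >= q // 2 else x

def ring_mul(a, b):
    """Product in Z[x]/(x^N + 1) over the integers (negacyclic convolution, no mod q)."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                res[i + j] += ai * bj
            else:
                res[i + j - N] -= ai * bj
    return res

def ring_add(a, b):
    return [x + y for x, y in zip(a, b)]

def ring_sub(a, b):
    return [x - y for x, y in zip(a, b)]

def ring_scale(a, c):
    return [c * x for x in a]

def ring_mod(a, q):
    return [x % q for x in a]

def norm_inf_centered(a, q):
    return max(abs(cmod(x, q)) for x in a)

def const(c):
    """The constant polynomial c."""
    return [c] + [0] * (N - 1)

def mat_vec(C, v):
    """(2x2 matrix of ring elements) * (2-vector of ring elements), over the integers."""
    return [ring_add(ring_mul(C[i][0], v[0]), ring_mul(C[i][1], v[1])) for i in range(2)]

def keygen(rng):
    """sk = s = (1, t); pk = A = [b | -a] with b = t*a + e, one RLWE sample per row."""
    t = [rng.randint(-B, B) for _ in range(N)]
    A = []
    for _ in range(M):
        a = [rng.randrange(Q) for _ in range(N)]
        e = [rng.randint(-B, B) for _ in range(N)]
        b = ring_mod(ring_add(ring_mul(t, a), e), Q)
        A.append([b, ring_mod(ring_scale(a, -1), Q)])
    return A, [const(1), t]

def enc(A, mu, rng):
    """C = floor(q/p)*mu*I_2 + K*A + X mod q with K binary (2 x M) and X small (2 x 2)."""
    K = [[[rng.randint(0, 1) for _ in range(N)] for _ in range(M)] for _ in range(2)]
    C = [[None, None], [None, None]]
    for i in range(2):
        for j in range(2):
            acc = [rng.randint(-B, B) for _ in range(N)]      # X[i][j]
            for l in range(M):
                acc = ring_add(acc, ring_mul(K[i][l], A[l][j]))
            if i == j:
                acc = ring_add(acc, ring_scale(mu, K_SCALE))
            C[i][j] = ring_mod(acc, Q)
    return C

def dec(s, C):
    """mu = round(p * [<c_1, s>]_q / q) mod p, using the first row of C only."""
    x = ring_mod(mat_vec(C, s)[0], Q)
    return [((2 * P * xi + Q) // (2 * Q)) % P for xi in x]

def add(C1, C2):
    return [[ring_mod(ring_add(C1[i][j], C2[i][j]), Q) for j in range(2)] for i in range(2)]

def mult(C1, C2):
    """C_mult = round((p/q) * C1 * C2) mod q; the product is taken over Z before rounding."""
    out = [[None, None], [None, None]]
    for i in range(2):
        for j in range(2):
            acc = ring_add(ring_mul(C1[i][0], C2[0][j]), ring_mul(C1[i][1], C2[1][j]))
            out[i][j] = [((2 * P * x + Q) // (2 * Q)) % Q for x in acc]
    return out

def noise(s, C, mu):
    """||[C*s - floor(q/p)*mu*s]_q||_inf for a ciphertext C of mu."""
    diff = [ring_sub(v, ring_scale(ring_mul(mu, si), K_SCALE)) for v, si in zip(mat_vec(C, s), s)]
    return max(norm_inf_centered(d, Q) for d in diff)

def mult_noise_split(s, C1, C2, mu1, mu2):
    """Write C2*s = floor(q/p)*mu2*s + e2 + q*w over the integers. Then
    C_mult*s = floor(q/p)*mu1*mu2*s + (delta_1 + delta_3 + delta_4) + p*C1*w,
    where only the delta part is covered by the Section 3.3 bound.
    Returns (norm of the delta part, norm of p*C1*w), both centered mod q."""
    v2 = mat_vec(C2, s)
    ks = [ring_scale(ring_mul(mu2, si), K_SCALE) for si in s]
    e2 = [[cmod(x, Q) for x in ring_sub(a, b)] for a, b in zip(v2, ks)]
    w = [[(x - y - z) // Q for x, y, z in zip(a, b, c)] for a, b, c in zip(v2, ks, e2)]
    dropped = [ring_scale(x, P) for x in mat_vec(C1, w)]
    target = [ring_scale(ring_mul(ring_mul(mu1, mu2), si), K_SCALE) for si in s]
    vm = mat_vec(mult(C1, C2), s)
    covered = max(norm_inf_centered(ring_sub(ring_sub(a, d), t), Q)
                  for a, d, t in zip(vm, dropped, target))
    return covered, max(norm_inf_centered(d, Q) for d in dropped)

def demo(seed=1):
    """Encrypt two 1s, then report fresh/add/mult noise figures for this seed."""
    rng = random.Random(seed)
    A, s = keygen(rng)
    mu1, mu2 = const(1), const(1)
    C1, C2 = enc(A, mu1, rng), enc(A, mu2, rng)
    covered, dropped = mult_noise_split(s, C1, C2, mu1, mu2)
    return {"fresh_ok": dec(s, C1) == mu1, "fresh_noise": noise(s, C1, mu1),
            "add_ok": dec(s, add(C1, C2)) == const(0),      # 1 + 1 = 0 mod p = 2
            "covered_noise": covered, "dropped_term": dropped,
            "mult_dec": dec(s, mult(C1, C2))[0]}             # 1 only if the product survived

if __name__ == "__main__":
    print("B' =", B_FRESH, " (2n+1)pB' =", MULT_BOUND, " q/4 =", Q // 4)
    print(demo())
```

Running the file prints the measured norms: fresh_noise is at most \(B^{\prime}=145\), covered_noise is below \((2n+1)pB^{\prime}=9570\), and dropped_term is of the order of \(q/2\), far beyond the decryption threshold \(q/4\); the last entry shows whether a single homomorphic product happened to decrypt correctly for that seed.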

  Next, we compare our scheme to [17] in detail.

 2) Advantage

 Suppose we have the same parameters \(\text{params}=(n, q, \chi, m)\) as schemes [16, 17]. Let \(q=\Theta(2^{n})\), so that the bit length of the modulus is \(l=\lceil\log_{2} q\rceil=\Theta(n)\), and \(N=n \cdot l=\Theta(n^{2})\). Table 1 gives a concrete comparison of the parameters of [16], [17] and the IRGSW scheme.

Table 1. Comparisons of parameters among scheme [16], [17] and IRGSW scheme


 From Table 1, compared to [17], our scheme has a smaller ciphertext dimension and a better noise-growth rate, from \(\Theta(n \log q)\) to \(\Theta(n)\). And although scheme [16] has a slightly better noise-growth rate than ours, it performs poorly in efficiency and in the sizes of public key and ciphertext compared to the two RLWE-based schemes. In summary, our scheme is the fastest and has the best performance in almost all aspects among the three FHE schemes.

 

4. Fast Single-Database PIR Based on Our IRGSW Scheme

 In this section, we propose a fast PIR protocol by taking full advantage of our IRGSW scheme, combined with batching and NTT technology.

 

4.1 Our Basic PIR Protocol from IRGSW

We present our PIR protocol \(PIR=(\text{PIR.Setup}, \text{PIR.Query}, \text{PIR.Response}, \text{PIR.Decode})\) formally and sketch its flow in Fig. 2. Let t be the size of the database, and let the index k be written in binary as \(k=(k_{1}, \dots, k_{l})\), where \(k_{i} \in \mathbb{Z}_{2}\) for \(1 \leq i \leq l\) and \(l=\lfloor\log t\rfloor+1\).


Fig. 2. Our PIR protocol interacts with sender S and receiver R

 - \((pk, sk) \leftarrow \text{PIR.Setup}(1^{\lambda})\): In the setup phase, the user A generates keys with our IRGSW scheme, \((pk, sk) \leftarrow \text{IRGSW.KeyGen}(1^{\lambda})\), and sends the public key pk to the server S.

 - \(Q \leftarrow \text{PIR.Query}(1^{\lambda}, pk, k)\): In the query generation phase, the user A computes \(C_{i}=\text{IRGSW.Enc}(pk, k_{i})\) for \(1 \leq i \leq l\), forms the query \(Q=(C_{1}, C_{2}, \dots, C_{l})\), and sends Q to the server S.

 - \(R \leftarrow \text{PIR.Response}(1^{\lambda}, DB, pk, Q)\): In the response phase, after receiving the query Q, the server S computes the response R as in Algorithm 4.1:

Algorithm 4.1: PIR.Response algorithm from IRGSW

Input: Database \(DB=a_{1} a_{2} \ldots a_{t}\), public key pk, and query \(Q=(C_{1}, C_{2}, \ldots, C_{l})\).

Output: Response R.

Step 1. For each index \(r \in\{1,2, \ldots, t\}\) and each bit \(r_{i}\) of its binary representation (\(1 \leq i \leq l\)), the database server computes \(C_{r, i}=\text{IRGSW.Enc}(pk, r_{i})\);

Step 2. Compute \(\hat{\psi}_{r}=\bigotimes_{i=1}^{l}\left(C_{i} \oplus C_{r, i} \oplus \hat{1}\right)\), where \(\hat{1}\) is an encryption of 1 (each factor encrypts 1 exactly when \(k_{i}=r_{i}\), so \(\hat{\psi}_{r}\) encrypts 1 exactly when r=k);

Step 3. Compute \(R=\bigoplus_{r : a_{r}=1} \hat{\psi}_{r}\).

 - \(x \leftarrow \text{PIR.Decode}(1^{\lambda}, sk, R)\): In the decode phase, the user A runs the decryption algorithm of the IRGSW scheme on R, outputting \(x=\text{IRGSW.Dec}(sk, R)\).

 Theorem 4.1 (Correctness). Let \(\lambda\)  be the security parameter, and L be the bound of depth of evaluation circuit for multiplication supported by IRGSW, and \(D B \in\{0,1\}^{t}\)  with \(\log t<2^{L}-1\) . Then for each \(k \in\{1,2, \ldots, t\}\) , it holds that

\(\operatorname{Pr}[{IRGSW.Dec}(s k, R) \neq D B[k]]=\operatorname{negl}(\lambda)\)  

 Proof. From our IRGSW-PIR protocol, it is easy to see that \(\hat{\psi}_{r}=\hat{1}\) when \(r=k\) and an encryption of 0 otherwise. By the FHE properties, since \(\log t<2^{L}-1\) the evaluation stays within the supported depth, and we get that if

\(a_{k}=1,\quad R=\bigoplus_{r : a_{r}=1} \hat{\psi}_{r}=\hat{\psi}_{k}=\hat{1}\)

 and if

\(a_{k}=0,\quad R=\bigoplus_{r : a_{r}=1} \hat{\psi}_{r}=\hat{0}\)

 Thus

\(\operatorname{Pr}[{IRGSW.Dec}(s k, R) \neq D B[k]]=0=\operatorname{negl}(\lambda).\)

 That is to say our IRGSW-PIR protocol satisfies perfect correctness.

 Theorem 4.2 (Security). The PIR protocol from IRGSW is semantically secure when the underlying IRGSW scheme is semantically secure.

 Proof. Suppose there is an adversary \(\mathcal{A}\) that gains a non-negligible advantage \(\varepsilon\) in the semantic security game of our IRGSW-PIR protocol. Then we can build an adversary \(\mathcal{A}'\) (using \(\mathcal{A}\)) with a non-negligible advantage against the semantic security of IRGSW as follows.

 The adversary \(\mathcal{A}'\) starts the semantic security game for IRGSW with a challenger \(\mathcal{C}'\). \(\mathcal{C}'\) runs IRGSW.KeyGen, gives pk to \(\mathcal{A}'\) and keeps the secret key sk private. Then \(\mathcal{A}'\) chooses \(m_{0}=0 \in \mathbb{Z}_{2}\) and \(m_{1}=1 \in \mathbb{Z}_{2}\) and sends \(m_{0}, m_{1}\) to \(\mathcal{C}'\). \(\mathcal{C}'\) picks a random bit \(b \in \mathbb{Z}_{2}\), computes \(e_{b}=\text{IRGSW.Enc}(pk, m_{b})\) and sends \(e_{b}\) to \(\mathcal{A}'\).

 Next, \(\mathcal{A}'\), playing the challenger \(\mathcal{C}\), runs the semantic security game of the PIR protocol from IRGSW with the adversary \(\mathcal{A}\). First, \(\mathcal{A}\) chooses two indices \(x_{0}=i\) and \(x_{1}=j\) with \(1 \leq i<j \leq t\) and sends them to \(\mathcal{A}'\). Then \(\mathcal{A}'\) picks a random bit \(q \in\{0,1\}\) and builds a query \(Q_{q}\) as follows. Let \((x_{q, 1}, \dots, x_{q, l})\) be the binary representation of \(x_{q}\), where \(l=\lfloor\log t\rfloor+1\). \(\mathcal{A}'\) replaces every zero bit with a fresh encryption \(\hat{0}\) and every one bit with \(\hat{0} \oplus e_{b}\), obtaining \(Y_{q}=(\hat{y}_{q, 1}, \ldots, \hat{y}_{q, l})\). Then \(\mathcal{A}'\) sends \(Q_{q}=(pk, Y_{q})\) to \(\mathcal{A}\).

 Next, \(\mathcal{A}\) returns a guess \(q'\). With probability 1/2, \(e_{b}=\hat{0}\), that is, \(Y_{q}\) is an encryption of all zeros; then for every \(1 \leq r \leq t\), \(\hat{\psi}_{r}=\bigotimes_{i=1}^{l}\left(\hat{y}_{q, i} \oplus C_{r, i} \oplus \hat{1}\right)=\hat{0}\), and \(R=\bigoplus_{r : a_{r}=1} \hat{\psi}_{r}=\hat{0}\). In this case the view of \(\mathcal{A}\) is independent of q, so \(\Pr[q'=q]=1/2\).

 With the remaining probability 1/2, \(e_{b}=\hat{1}\), that is, \(Y_{q}\) is an encryption of \(x_{q}\). In this case the adversary \(\mathcal{A}\) guesses q correctly with probability \(1/2+\varepsilon\). \(\mathcal{A}'\) forms its guess \(b'\) as follows: \(b'=1\) if \(\mathcal{A}\) guessed correctly (\(q'=q\)), and \(b'=0\) otherwise. Altogether, the probability that \(\mathcal{A}'\) guesses correctly is

\(\operatorname{Pr}\left(b^{\prime}=b\right)=\frac{1}{2}\left(\frac{1}{2}\right)+\frac{1}{2}\left(\frac{1}{2}+\varepsilon\right)=\frac{1}{2}+\frac{\varepsilon}{2}\)

 Therefore, \(\mathcal{A}'\) has a non-negligible advantage in the semantic security game of the IRGSW scheme, which contradicts the assumption of the theorem. Hence the IRGSW-PIR protocol is semantically secure.

 In order to improve the efficiency of our PIR protocol from IRGSW, two optimizations are introduced:

 Optimization: speedups via batching and the NTT. By introducing batching and the NTT, we can remarkably increase the efficiency of our basic PIR protocol from IRGSW. Batching was first introduced by Smart and Vercauteren [37]. It allows SIMD (Single Instruction Multiple Data) operations to be performed on homomorphically encrypted data (see e.g. [8, 10, 20, 38]), which makes it one of the most important and powerful tools in FHE schemes. Using batching, we split the database into a few small partial databases and run the same query against all parts in parallel; the encoding is achieved by means of the Chinese remainder theorem. The NTT is used to speed up the polynomial multiplications, with quasi-linear cost in the ring dimension [22, 39].
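The following is an added example, not the paper's NTL-based implementation: a textbook radix-2 Cooley-Tukey NTT in Python, with the twist by powers of a primitive 2n-th root of unity \(\psi\) that folds the reduction modulo \(x^{n}+1\) into the transform (the "negative wrapped convolution"), so that one multiplication in \(\mathbb{Z}_{q}[x]/(x^{n}+1)\) costs \(O(n \log n)\) instead of \(O(n^{2})\). It assumes n is a power of two and q is a prime with \(q \equiv 1 \pmod{2n}\); function names and the parameter sets (n = 8, q = 17 and n = 256, q = 7681) are this example's own choices.

```python
"""Negacyclic polynomial multiplication in Z_q[x]/(x^n + 1) via the number
theoretic transform (NTT). Added example; requires n a power of two and q a
prime with q = 1 (mod 2n), so that a primitive 2n-th root of unity psi exists."""
import random

def primitive_2n_root(n, q):
    """Return psi in Z_q with psi^n = -1 (exact order 2n when n is a power of two)."""
    for g in range(2, q):
        psi = pow(g, (q - 1) // (2 * n), q)
        if pow(psi, n, q) == q - 1:
            return psi
    raise ValueError("q must be a prime with q = 1 (mod 2n)")

def ntt(a, q, omega):
    """Iterative NTT: returns [sum_j a_j * omega^(j*k) mod q]_k for omega of order n."""
    n = len(a)
    a = list(a)
    j = 0                                   # bit-reversal permutation of the input
    for i in range(1, n):
        bit = n >> 1
        while j & bit:
            j ^= bit
            bit >>= 1
        j ^= bit
        if i < j:
            a[i], a[j] = a[j], a[i]
    length = 2
    while length <= n:                      # Cooley-Tukey butterflies, stage by stage
        w_len = pow(omega, n // length, q)
        for start in range(0, n, length):
            w = 1
            for k in range(length // 2):
                u = a[start + k]
                v = a[start + k + length // 2] * w % q
                a[start + k] = (u + v) % q
                a[start + k + length // 2] = (u - v) % q
                w = w * w_len % q
        length <<= 1
    return a

def intt(a, q, omega):
    """Inverse NTT: forward transform with omega^-1, then divide by n (q prime)."""
    n = len(a)
    n_inv = pow(n, q - 2, q)
    return [x * n_inv % q for x in ntt(a, q, pow(omega, q - 2, q))]

def negacyclic_mul_ntt(a, b, q, psi):
    """a * b mod (x^n + 1, q): twist by psi^i, multiply pointwise, untwist by psi^-i."""
    n = len(a)
    omega = psi * psi % q                   # omega = psi^2 has order n
    psi_inv = pow(psi, q - 2, q)
    twist = [pow(psi, i, q) for i in range(n)]
    untwist = [pow(psi_inv, i, q) for i in range(n)]
    fa = ntt([x * t % q for x, t in zip(a, twist)], q, omega)
    fb = ntt([x * t % q for x, t in zip(b, twist)], q, omega)
    c = intt([x * y % q for x, y in zip(fa, fb)], q, omega)
    return [x * t % q for x, t in zip(c, untwist)]

def negacyclic_mul_schoolbook(a, b, q):
    """Reference O(n^2) multiplication mod (x^n + 1, q), used only to check the NTT."""
    n = len(a)
    res = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                res[i + j] = (res[i + j] + ai * bj) % q
            else:
                res[i + j - n] = (res[i + j - n] - ai * bj) % q
    return res

def ntt_matches_schoolbook(n, q, seed):
    """Multiply two pseudorandom ring elements both ways; True if the results agree."""
    rng = random.Random(seed)
    psi = primitive_2n_root(n, q)
    a = [rng.randrange(q) for _ in range(n)]
    b = [rng.randrange(q) for _ in range(n)]
    return negacyclic_mul_ntt(a, b, q, psi) == negacyclic_mul_schoolbook(a, b, q)

if __name__ == "__main__":
    # n = 256, q = 7681 = 1 (mod 512) is a classic NTT-friendly RLWE parameter set
    print("n=8,   q=17:  ", ntt_matches_schoolbook(8, 17, 1))
    print("n=256, q=7681:", ntt_matches_schoolbook(256, 7681, 2))
```

In a real implementation the twist factors and the per-stage roots are precomputed once per parameter set, and ciphertexts are kept in the NTT domain so that the transforms are paid only when noise analysis or rounding (as in \(\otimes\) above) needs the coefficient representation.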


5. Implementation and Discussions

 In this section we describe our implementation of the PIR protocol based on the IRGSW scheme. For comparison we also implemented the PIR protocols of [16, 17, 34]: [17] is, to our knowledge, the best previous PIR construction from RLWE-based GSW-FHE schemes, [34] the best from other FHE schemes based on the RLWE assumption, and [16] the best from standard LWE-based GSW-FHE schemes. Let the polynomial ring be \(R=\mathbb{Z}[X] /\left(\Phi_{m}(X)\right)\), where \(\Phi_{m}(X)\) is the m-th cyclotomic polynomial.


5.1 Concrete parameters

 Let \(L\) be the multiplicative depth that the scheme can evaluate homomorphically, and let \(\operatorname{error}_{L}\left(B^{\prime}, n, q\right)\) denote the noise growth when evaluating any function \(f\) of multiplicative depth \(L\) on ciphertexts in \(\mathbb{R}_{q}\), where the initial error has magnitude \(B'\). Let \(\text{error}_{UB}\) be the upper bound on the noise that the corresponding FHE scheme can tolerate (for our IRGSW-FHE scheme, \(\text {error}_{U B}=\lfloor q / p\rfloor / 2\)). For correct decryption we need

\(\text {error}_{L}\left(B^{\prime}, n, q\right)<\text {error}_{U B}\)       (1)

 For the RLWE-based FHE schemes, we set the parameters following inequality (1) and the analysis of Peikert [43]. Note that it is an open problem to evaluate the practical security gap between the RLWE problem and the SLWE problem [37], so we can only make a simple comparison at the same lattice dimension between the SLWE-based scheme [16] and our IRGSW scheme. Table 2 summarizes our final parameter selection.

Table 2. Parameters of four PIR from FHE schemes

[Table 2 image: E1KOBZ_2019_v13n12_6260_t0001.png]

 Here the last three schemes are based on the RLWE problem at the same security level  , and scheme [16] is based on the standard LWE problem with the same lattice dimension as our IRGSW scheme, with parameters chosen following the analysis of Regev [35].


5.2 Implementation Results

 We ran a separate test for each of the following four PIR protocols. The tests were run on a four-year-old IBM System x3850 server with 32 GB of RAM, 35 MB of L2 cache and two 64-bit 4-core Intel Xeon E5450 processors at 3.0 GHz. The implementation is built on Shoup's NTL library [40] version 9.10.0 (used for the high-level numeric algorithms), GNU's GMP library [41] (used for the underlying integer arithmetic) and the gcc compiler (version 4.9.1). The results are given in Table 3.

Table 3. Comparison of four PIR protocols from FHE schemes

[Table 3 image: E1KOBZ_2019_v13n12_6260_t0003.png]


5.3 Discussions

 From Table 3 we see that [16] performs worst in both efficiency and communication bandwidth, although it rests on a stronger security assumption. This is because the other three schemes build their PIR systems on RLWE-based FHE schemes, whereas [16] builds on a standard LWE-based FHE scheme. Among [17, 34] and our scheme, the query time of [34] is the highest, although [34] has an advantage in communication bandwidth. This is because [17] and our scheme both build the PIR system on RLWE-based GSW-FHE schemes, which eliminates the expensive key-switching operations needed by [34]. Compared with [17], our scheme clearly performs better in all aspects, because it has smaller ciphertexts and a lower noise-expansion factor for homomorphic multiplication. A lower noise-expansion factor means that a smaller   suffices to retrieve the database homomorphically and correctly. In summary, our scheme is the fastest and has the best performance in almost all aspects among the four PIR systems.


6. Conclusion

 In this paper, we eliminate the “flatten” operation and obtain a technically simpler variant of RLWE-based GSW with smaller keys and ciphertexts. Since RLWE-based FHE schemes offer major efficiency and storage benefits over their non-ring counterparts (standard LWE-based FHE schemes), and by combining our RLWE-based GSW-FHE scheme with batching and NTT technology, we propose a fast PIR protocol for better privacy protection in cloud computing.

References

  1. Silva L. V., Barbosa P., Marinho R., et al., "Security and privacy aware data aggregation on cloud computing," Journal of Internet Services and Applications, 9(1), 6, 2018. https://doi.org/10.1186/s13174-018-0078-3
  2. Awasthi P., Mittal S., Mukherjee S., et al., "A Protected Cloud Computation Algorithm Using Homomorphic Encryption for Preserving Data Integrity," Recent Findings in Intelligent Computing Techniques, Springer, Singapore, 509-517, 2019.
  3. R. L. Rivest, L. Adleman, M. L. Dertouzos, "On data banks and privacy homomorphisms," Foundations of Secure Computation, 4(11), 169-180, 1978.
  4. Acar A., Aksu H., Uluagac A. S., et al., "A survey on homomorphic encryption schemes: Theory and implementation," ACM Computing Surveys (CSUR), 51(4), 79, 2018.
  5. C. Gentry, "Fully homomorphic encryption using ideal lattices," in Proc. of the 41st Annual ACM Symposium on Theory of Computing, New York, ACM Press, 169-178, 2009.
  6. M. Van Dijk, C. Gentry, S. Halevi, et al., "Fully homomorphic encryption over the integers," in Proc. of the 29th International Conference on Theory and Application of Cryptographic Techniques, Berlin, Springer, 24-43, 2010.
  7. Aung K. M. M., Lee H. T., Tan B. H. M., et al., "Fully homomorphic encryption over the integers for non-binary plaintexts without the sparse subset sum problem," Theoretical Computer Science, vol. 771, pp. 49-70, 2018.
  8. Hu C., Zhao J., "An Improved Multiple to One Fully Homomorphic Encryption on the Integers," Journal of Computer and Communications, 6(09), 50-59, 2018. https://doi.org/10.4236/jcc.2018.69005
  9. J. S. Coron, A. Mandal, D. Naccache, et al., "Fully homomorphic encryption over the integers with shorter public keys," in Proc. of the 31st Conference on Advances in Cryptology, Berlin, Springer, 487-504, 2011.
  10. J. H. Cheon, J. Kim, M. S. Lee, A. Yun, "CRT-based fully homomorphic encryption over the integers," Information Sciences, 310, 149-162, 2015. https://doi.org/10.1016/j.ins.2015.03.019
  11. Chillotti I., Gama N., Georgieva M., et al., "Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds," in Proc. of International Conference on the Theory and Application of Cryptology and Information Security, Springer, Berlin, Heidelberg, 3-33, 2016.
  12. Z. Brakerski, V. Vaikuntanathan, "Efficient fully homomorphic encryption from (standard) LWE," in Proc. of the 52nd Annual Symposium on Foundations of Computer Science, Washington DC, IEEE Computer Society, 97-106, 2011.
  13. Z. Brakerski, C. Gentry, V. Vaikuntanathan, "(Leveled) fully homomorphic encryption without bootstrapping," in Proc. of the 3rd Innovations in Theoretical Computer Science Conference, New York, ACM Press, 309-325, 2012.
  14. Z. Brakerski, "Fully homomorphic encryption without modulus switching from classical GapSVP," in Proc. of the 32nd Cryptology Conference, Berlin, Springer, 868-886, 2012.
  15. C. Gentry, A. Sahai, B. Waters, "Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based," in Proc. of the 33rd Annual Cryptology Conference, Berlin, Springer, 75-92, 2013.
  16. J. Alperin-Sheriff, C. Peikert, "Faster Bootstrapping with Polynomial Error," Lecture Notes in Computer Science, 8616, 297-314, 2014.
  17. Alhassan Khedr, Glenn Gulak, and Vinod Vaikuntanathan, "SHIELD: Scalable Homomorphic Implementation of Encrypted Data-Classifiers," IEEE Transactions on Computers, vol. 65, no. 9, pp. 2848-2858, 2015. https://doi.org/10.1109/TC.2015.2500576
  18. V. Lyubashevsky, C. Peikert, O. Regev, "A toolkit for ring-LWE cryptography," in Proc. of the 32nd International Conference on Theory and Application of Cryptographic Techniques, Berlin, Springer, 35-54, 2013.
  19. C. Gentry, S. Halevi, C. Peikert, et al., "Ring switching in BGV-style homomorphic encryption," in Proc. of the 8th International Conference on Security and Cryptography for Networks, Berlin, Springer, 19-37, 2012.
  20. Castryck W., Iliashenko I., Vercauteren F., "Homomorphic SIM²D Operations: Single Instruction Much More Data," in Proc. of Annual International Conference on the Theory and Applications of Cryptographic Techniques, Springer, Cham, 338-359, 2018.
  21. Wei Zhang, Shuguang Liu, and Yang Xiaoyuan, "RLWE-based homomorphic encryption and private information retrieval," in Proc. of the 5th International Conference on Intelligent Networking and Collaborative Systems, pp. 535-540, 2013.
  22. A. Schönhage and V. Strassen, "Schnelle Multiplikation großer Zahlen," Computing, vol. 7, no. 3-4, pp. 281-292, 1971. https://doi.org/10.1007/BF02242355
  23. Cheon J. H., Han K., Kim A., et al., "Bootstrapping for Approximate Homomorphic Encryption," in Proc. of Annual International Conference on the Theory and Applications of Cryptographic Techniques, Springer, Cham, 360-384, 2018.
  24. Chillotti I., Gama N., Georgieva M., et al., "Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds," in Proc. of Advances in Cryptology - ASIACRYPT 2016: 22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, December 4-8, 2016, Proceedings, Part I, Springer, Berlin, Heidelberg, 3-33, 2016.
  25. Hiromasa R., Abe M., Okamoto T., "Packing messages and optimizing bootstrapping in GSW-FHE," IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, 99(1), 73-82, 2016. https://doi.org/10.1587/transfun.E99.A.73
  26. Clear M., McGoldrick C., "Multi-identity and multi-key leveled FHE from learning with errors," in Proc. of Annual Cryptology Conference, Springer, Berlin, Heidelberg, 630-656, 2015.
  27. E. Kushilevitz and R. Ostrovsky, "Replication is not needed: Single database, computationally-private information retrieval," in Proc. of FOCS, pp. 364-373, 1997.
  28. Olumofin F., Goldberg I., "Revisiting the computational practicality of private information retrieval," in Proc. of International Conference on Financial Cryptography and Data Security, Springer, Berlin, Heidelberg, 158-172, 2011.
  29. Olumofin F., Goldberg I., "Revisiting the Computational Practicality of Private Information Retrieval," Financial Cryptography and Data Security, LNCS 7035, pp. 158-172, 2012.
  30. Aguilar-Melchor C., Gaborit P., "A Lattice-Based Computationally-Efficient Private Information Retrieval Protocol," in Proc. of WEWORC 2007, July 2007.
  31. Yi X., Kaosar M. G., Paulet R., et al., "Single-database private information retrieval from fully homomorphic encryption," IEEE Transactions on Knowledge and Data Engineering, 25(5), 1125-1134, 2013. https://doi.org/10.1109/TKDE.2012.90
  32. Doröz Y., Sunar B., Hammouri G., "Bandwidth efficient PIR from NTRU," in Proc. of International Conference on Financial Cryptography and Data Security, Springer, pp. 195-207, 2014.
  33. Ichibane Y., Gahi Y., Guennoun M., et al., "Performance analysis of private information retrieval scheme based on homomorphic encryption," in Proc. of 2015 5th International Conference on Information Communication Technology and Accessibility (ICTA), IEEE, 1-6, 2015.
  34. Carlos Aguilar-Melchor, Joris Barrier, Laurent Fousse, Marc-Olivier Killijian, "XPIR: Private Information Retrieval for Everyone," Proceedings on Privacy Enhancing Technologies, vol. 2016, no. 2, pp. 155-174, 2015.
  35. Oded Regev, "On lattices, learning with errors, random linear codes, and cryptography," Journal of the ACM (JACM), 56(6), 34, 2009.
  36. V. Lyubashevsky, C. Peikert, O. Regev, "On ideal lattices and learning with errors over rings," in Proc. of Eurocrypt 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 1-23, 2010.
  37. Smart N. P., Vercauteren F., "Fully homomorphic SIMD operations," Designs, Codes and Cryptography, 71(1), 57-81, 2014. https://doi.org/10.1007/s10623-012-9720-4
  38. Hiromasa R., Abe M., Okamoto T., "Packing Messages and Optimizing Bootstrapping in GSW-FHE," Public-Key Cryptography - PKC 2015, Springer, Berlin, Heidelberg, 699-715, 2015.
  39. Song W. T., Hu B., Zhao X. F., "Privacy Protection of IoT Based on Fully Homomorphic Encryption," Wireless Communications and Mobile Computing, vol. 2018, p. 7, 2018.
  40. V. Shoup, NTL: A Library for doing Number Theory, http://shoup.net/ntl/, Version 9.10.0, 2016.
  41. The GNU Multiple Precision Arithmetic Library, http://gmplib.org/, Version 6.1.1, 2016.
  42. Lindner R., Peikert C., "Better Key Sizes (and Attacks) for LWE-Based Encryption," CT-RSA, LNCS 6558, 319-339, 2011.
  43. Peikert C., "A decade of lattice cryptography," Foundations and Trends in Theoretical Computer Science, 10(4), 283-424, 2014. https://doi.org/10.1561/0400000074