FULLY HOMOMORHIC ENCRYPTION

Abstract

The present application is directed towards a new system for performing FHE and includes a method, system, program and storage medium configured for generating keys for fully homomorphic encryption, wherein generating the keys comprises: obtaining a first set of numbers, wherein the first set of numbers is a set of pairwise coprime numbers P1, . . . , Pk+1; obtaining a second set of prime numbers r1, r2, . . . , rk+1; obtaining a third set of numbers, wherein the third set of numbers is a set of random or pseudo random numbers s1, . . . , sn; calculating a secret key, sk, based on the first set of numbers, the second set of numbers, and third set of numbers; and calculating a public parameter, q, based on the first set of numbers and the second set of numbers.

Description

FIELD

The present disclosure is directed towards improvements in the field of Fully Homomorphic Encryption.

BACKGROUND

Homomorphic encryption is a form of encryption that allows computations to be performed on encrypted data without first having to decrypt it. As such, computations can be performed on data that has been homomorphically encrypted without access to the secret key. The output from a computation performed on homomorphically encrypted data will be homomorphically encrypted data. This output can be left in an encrypted form. When the output of a computation performed on homomorphically encrypted data is decrypted, the output from the decryption will be identical to that produced by performing the computation on a plaintext (e.g. decrypted) version of the homomorphically encrypted data. Thus, homomorphic encryption can be used to provide the functionality to add two encrypted numbers or multiply two encrypted numbers (the word ‘or’ is intended to be an inclusive or—a or b means at least one from a, b, and ab; ‘xor’ is intended to be used as exclusive or—a xor b means either a or b). Further, any computation that is a combination of addition and multiplication can be performed on encrypted data.

For example, taking E( ) as an encryption function and x and y as two numbers, E(x), E(y) are the encrypted versions of x and y respectively. I.e. x→E(x), y→E(y). E( ) is homomorphic with respect to addition if we can evaluate E(x+y) (the encrypted sum of two numbers) from the encrypted numbers E(x), E(y) without decrypting them. I.e. E(x)+E(y)→E(x+y). Similarly, E( ) is homomorphic with respect to multiplication if we can evaluate encryption of E(x·y) (the encrypted product of two numbers) from encryption of individual numbers i.e., E(x),E(y) without decrypting them. I.e. E(x)·E(y)→E(x·y)

Thus, homomorphic encryption can be used for privacy-preserving outsourced storage and computation. This allows data to be encrypted and out-sourced to commercial cloud environments for processing, all while encrypted.

Homomorphism and its applications are known from a number of papers including ‘On data banks and privacy homomorphism’ by R. Rivest et al, ‘On privacy homomorphisms by E. Brickell et al, and the papers entitled ‘Fully homomorphic encryption using ideal lattices’ and ‘Toward basing fully homomorphic encryption on worst-case hardness’ by C. Gentry.

For sensitive data, such as health care information, homomorphic encryption can be used to remove privacy barriers that obstruct the efficient exchange of data or to increase the security of existing services. For example, predictive analytics in health care (e.g. the use of analytics based on a user's weight to predict an imminent heart-attack) can be hard to apply via a third party service provider due to medical data privacy concerns—but if the predictive analytics service provider can operate on encrypted data instead, these privacy concerns are diminished or obviated. Moreover, even if the service provider's system is compromised, the data remains secure.

Partially Homomorphic Encryption (PHE) encompasses schemes that support the evaluation of circuits consisting of only one type of gate/operation, e.g., addition xor multiplication.

Fully Homomorphic Encryption (FHE) encompasses schemes that support the evaluation of arbitrary circuits composed of multiple types of gates (e.g. addition or multiplication) of unbounded depth and is the strongest notion of homomorphic encryption. As used herein ‘unbounded depth’ means that a FHE is not limited by a bound specified at setup (i.e. the number of operations that can be performed is not limited).

Homomorphic encryption methods have been developed using different approaches. For example, the research paper entitled “Fully Homomorphic Encryption Using Ideal Lattices” by Craig Gentry describes a method of FHE. This method uses ideal lattices in a lattice-based cryptography system. This method supports both addition and multiplication operations on ciphertexts, from which it is possible to construct circuits for performing arbitrary computation. Further, this scheme is a “bootstrappable” FHE scheme. A bootstrappable FHE scheme is capable of evaluating its own decryption circuit and then at least one more operation (e.g. NAND). To put it differently, ‘bootstrapping’ refers to homomorphically decrypting a ciphertext using a homomorphic encryption of its own decryption key, with the goal of reducing the noise the ciphertext contains.

Previously, there was a problem evaluating a circuit with too many gates. In particular, the evaluation of each gate in the circuit adds noise and, at a certain point, this amount of noise renders the ciphertext impossible to decrypt. However, i) taking the decryption algorithm for a scheme and converting it into a circuit and ii) passing a ciphertext and an encrypted version of the private key through the circuit produced a ‘clean’ ciphertext of the same plaintext—i.e. noise is removed from the ciphertext. Furthermore, the circuit allowed you to run at least one NAND gate on two ciphertexts (a couple of gates that were equivalent to a NAND) and the decryption circuit without the result being rendered unretrievable by noise. As used in this disclosure, unless otherwise specified, the term ‘circuit’ refers to a boolean circuit (i.e., a circuit made of Boolean gates such as AND, NAND, OR, NOR, and NOT gates) that computes a function f.

FHE schemes are based on noisy encryptions. In such encryption schemes, the noise guarantees the security of fresh encryption. However, in such schemes evaluating homomorphic operations increases the noise magnitude and lowers the quality, i.e., computational budget, of ciphertexts. Bootstrapping is used to convert an exhausted ciphertext into an “equivalent” refreshed ciphertext. Exhausted ciphertexts contain high noise and cannot be operated on further, whereas refreshed ciphertexts can support further homomorphic operations.

However, bootstrapping is computationally expensive and slow as it requires a FHE system to perform arbitrary number of additions and multiplications. This makes the overall system very slow. Although this scheme allows to perform large number of computations, it is unfortunately too slow for use for most, if not all, practical application.

The use of CRT (Chinese Reminder Theorem) as part of homomorphic encryption algorithms is known. The use of CRT in homomorphic encryption was introduced in ‘On data banks and privacy homomorphism’ by R. Rivest et al. However, this algorithm is known to be vulnerable to chosen plaintext attack (CPA). One attempt to address this vulnerability is outlined in the paper entitled ‘CRT-based fully homomorphic encryption over the integers’ by Cheon et al. This paper introduced a homomorphic encryption scheme based on CRT (Chinese Reminder Theorem).

According to CRT, if one knows the remainders of the Euclidean division of an integer x by a number of integers, then it is possible to determine uniquely the remainder of the division of x by the product of these integers, so long as the divisors are pairwise and coprime (i.e. no two divisors share a common factor other than 1). CRT is widely used for computing with large integers, as it allows replacing a computation on large integers (where the size of the result falls within a known bound), by several similar computations on small integers.

Assuming a mod p denotes the unique integer in

$(-\frac{p_o}{2},\frac{p_o}{2}]$

that is congruent to a modulo p and CRT_{(po, . . . ,pk)}(m_o, . . . , m_k) denotes the unique integer in

$(-\frac{\prod p_i}{2},\frac{\prod p_i}{2}]$

that is congruent m_i modulo p_i, the CRT-FHE scheme disclosed by Cheon et al. is based on three functions:

• • i) Key generation—KeyGen(λ{Q}): Given a security parameter k and relatively small pairwise coprime integers Q_i(i=1, . . . , k), choose large pairwise integers p_i(i=0, . . . , k) and let Π_i=0^kpⁱ. The KeyGen function outputs the secret key sk=(p_o, . . . , P_k) and the public parameter pp=(n, Q₁, . . . , Q_k). The message space is _Q for Q=Π_i=1^kQ_i.
  • ii) Encryption—Enc(sk, m): The Enc function outputs
    • c=CRT_{(po, . . . ,pk)}(e, m₁+e₁Q₁, . . . , m_k+e_kQ_k) where m_i=m mod q_i for all values of i, e is a random integer in

$(-\frac{p_o}{2},\frac{p_o}{2}]$

and e₁, . . . , e_k are p-bit random integers.

• • iii) Decryption—Dec(sk,c): The Dec function outputs m=CRT_{(Q1, . . . ,Qk)}(d₁, . . . , d_k), where d_i=(c mod p_i) mod Q_i for all values of i.

The scheme can be regarded as a generalisation of the Dijk-Gentry-Halevi-Vaikutanathan (DGHV) homomorphic encryption scheme which can be extended to a fully homomorphic encryption (FHE) scheme using bootstrapping.

However, as is clear from the above, the CRT-FHE proposed by Cheon et al still requires bootstrapping to perform arbitrary number of additions and multiplications on encrypted numbers, and as a result does not solve the computational and temporal problems caused by bootstrapping.

As used throughout this disclosure, the term random is intended to encompass random and pseudo random numbers. However, random numbers are preferred to pseudo random numbers.

SUMMARY

The present disclosure is directed towards a FHE scheme that utilizes Chinese Reminder Theorem (CRT) and learning with errors (LWE). The aim of the present disclosure is to provide a system and method for FHE that does not requires a bootstrapping function. As such, a system and method in accordance with the present disclosure may be configured to perform an arbitrary number of additions or multiplications on encrypted data without the need for decryption or bootstrapping. This will overcome all the computational and storage limitation caused by the bootstrapping.

Further, a system and method in accordance with the present disclosure supports Single Instruction Multiple Data (SIMD) operations. This means that a large set of numbers can be encrypted together and the encrypted operations (e.g. addition, multiplication, or addition and multiplication) on the set of data can be performed with a single instruction.

The present disclosure is directed towards a method of generating keys for fully homomorphic encryption, the method comprising: obtaining a first set of numbers S, wherein the first set of numbers is a set of pairwise coprime numbers P₁, . . . , P_k+1; obtaining another parameter, wherein another parameter is a random or pseudo random number P; and calculating a secret key, sk, based on the first set of numbers, and the another parameter.

In some embodiments, k+1=2. In one embodiment, the secret key, sk={S, P}.

In some embodiments, the method further comprises: obtaining a second set of prime numbers r₁, r₂, . . . , r_k+1; obtaining a third set of numbers as the another parameter, wherein the third set of numbers is a set of random or pseudo random numbers s₁, . . . , s_n; calculating the secret key, sk, based on the first set of numbers, the second set of numbers, and third set of numbers; and calculating a public parameter, q, based on the first set of numbers and the second set of numbers.

In some embodiments, at least one of the first set of numbers, the second set of random prime number, and the third set of random numbers selected based on a security parameter.

In some embodiments, q is calculated by multiplying the first set of numbers together with the first and second extra prime numbers, whereby q=(P₁× . . . ×P_k×P_k+1)×(r₁×r₂× . . . ×r_k+1).

In some embodiments, sk={s=(s₁, . . . , s_n), p=(p₁, . . . p_k, p_k+1), r=(r₁,r₂, . . . , r_k+1)}.

In some embodiments, the method comprises generating re-linearization keys, rlks, wherein generating the rlks comprises encrypting components of the secret key.

In some embodiments, the method comprises using a first set of random numbers a₁^ij, . . . , a_n^ij, e_ij to generate a first relinearization key θ^ij and using a set of random numbers α₁^j, . . . , a_n^j, e_j to generate a second relinearization key δ^j.

In some embodiments, the method comprises generating R-keys, wherein generating the R-Keys comprises encrypting components of the secret key.

In some embodiments, encrypting components of the secret key comprises performing an extended Chinese remainder function, XCRT, on the components of the secret key.

The present disclosure is also directed towards a method of fully homomorphic encryption which comprises obtaining a secret key, sk, and a plaintext m₁, . . . , m_k to be encrypted, wherein the secret key and the public parameter are generated in accordance with any preceding claim.

In some embodiments the method comprises generating and using a random number w.

In some embodiments, calculating the cypher text c comprises calculating c=P·w+CRT_(s) (m₁, . . . ,m_k,s), where e is a random integer in the range {0, 1, . . . , p_k+1−1}.

In some embodiments, the method comprises deleting w after it has been used.

In some embodiments, the method comprises selecting a value e representing a random noise or a noise signal.

In some embodiments, the method comprises performing an extended Chinese remainder function, XCRT, on a vector, wherein the vector is based on the plaintext and the value e.

In some embodiments, the vector is m₁r₁^l1, . . . , m_kr_k^lk, er_k+1, wherein l₁= . . . =l_k=1 are exponents.

In some embodiments, the method comprises selecting a plurality of random numbers a₁, . . . , a_n and subtracting the dot product of vector (a₁, . . . , a_n) and (s₁, . . . , s_n) from the XCRT.

In some embodiments, the method comprises performing a modulus operation based on q on the XCRT function after the dot product of vector (a₁, . . . , a_n) and (s₁, . . . , s_n) has been subtracted whereby a cipher value c₀ is obtained such that c₀=[−(Σ_i=1ⁿa_is_i)+xcrt_{(p1, . . . pk,pk+1), q}(m₁r₁^l1, . . . , m_kr_k^lk, er_k+1π mod q.

In some embodiments, the method comprises a generating a ciphertext c by forming a vector, wherein forming the vector comprises appending the values a₁, . . . , a_n and l₁, . . . , l_k to C₀.

The present disclosure is also directed towards decrypting a ciphertext generated as set out above, using a secret key sk generated as set out above, wherein the secret key comprises s and s equals (s₁, . . . , s_n), and the ciphertext comprises a vector a=(a₁, . . . , a_n), and the method comprises: determining the sum of i) the first coordinate of the ciphertext; and ii) the dot product of s=(s₁, . . . , s_n) and the vector a=(a₁, . . . , a_n) of ciphertext.

In some embodiments, the method comprises, for j=1, . . . , k, multiplying

${\left(r_j^{l_j}\right)}^{-1}\mathrm{mod}$

p_j to mod to the sum and then performing a modulus operation based on p_j on the result, whereby

$m_j=\left[\left(c_0+{\sum }_{i=1}^n{c}_i{s}_i\mathrm{mod}q\right)*{\left(r_j^{l_j}\right)}^{-1}\mathrm{mod}{p}_j\right],j=1,\dots ,k.$

The present disclosure is also directed towards a method of performing encrypted homomorphic multiplication, wherein the method is configured to perform a function ƒ_multiply( ) on two ciphertexts c and c′ together to produce a new ciphertext, c_multiply=ƒ_multiply(c, c′), wherein the ciphertext c and c′ are produced using a method of encryption as set out above.

In some embodiments, c_multiply is computed as c_multiply=[(c₀*, c₁*, . . . , c_n*), (l₁*, . . . , l_k*)], wherein: c_t*=ƒ(c, c′, {θ^ij}, {δ^j}); t is any integer from 0 to n; ƒ( ) is a predetermined function; and {θ^ij}, {δ^j} are relinearization keys.

In some embodiments, when t=0, ƒ(c, c′, {θ^ij}, {δ^j}) equals (c₀c₀′+Σ_{i,j=1, i≠j}ⁿc₀^ij(c_ic_j′+c_jc_i′)+Σ_j=1ⁿc_jc_j′c₀^j); when t>0, ƒ(c, c′, {θ^ij}, {δ^j}) equals (c_t^j+Σ_{i,j=1, i≠j}ⁿ(c_ic_j′+c_jc_i′)c_t^ij), t=1, . . . , n; and l_t*=l_t+l_t′, t=1, . . . , k.

In some embodiments, the present disclosure is also directed towards a method of performing encrypted homomorphic addition, wherein the method is configured to perform a function ƒ_add( ) on two ciphertexts c and c′ together to produce a new ciphertext, c_add wherein: c_add=ƒ_add(c, c′); c_add is the encryption of the sum of plaintext values corresponding to the ciphertexts c and c′; and the ciphertext c and c′ were produced using a method of encryption as set out above.

In some embodiments the method comprises determining a first set of level values l₁*, . . . , l_k* for c_add, wherein l_i* is max{l_i, l_i′}.

In some embodiments, the method comprises calculating a set of first intermediary values c⁽¹⁾ and a second set of intermediary values c⁽²⁾ based on the first set of level values and ciphertexts c and c′.

In some embodiments,

$\begin{array}{cc}{c}^{\left(1\right)}=\left(\sum _{i=1}^k{R}_i^{1_i^{*}-1_i}\right)*c,& c^{\left(2\right)}=\left(\sum _{i=1}^k{R}_i^{1_i^{*}-1_i^{\prime }}\right)*c^{\prime },\end{array}$

• • where, Σ represents coordinate-wise sum and * represents a homomorphic multiplication as set out above, and R_i^l represents homomorphic multiplication of R_i with itself l number of times.

In some embodiments,

$c_{add}=\left[\left(\left(c_0^{\left(1\right)}+c_0^{\left(2\right)}\right)\mathrm{mod}q,\dots ,\left(c_k^{\left(1\right)}+c_k^{\left(2\right)}\right)\mathrm{mod}q\right),\left(1_1^{*},\dots ,1_k^{*}\right)\right].$

The present disclosure is also directed towards a method of performing encrypted homomorphic Plaintext to Ciphertext multiplication wherein the method is configured to perform a function ƒ_multiply2( ) on a ciphertext c and a plaintext number x to produce a ciphertext c_multiply2, the ciphertext in an encryption, enc( ), of a plaintext vector (m₁, . . . , m_k) and c_multiply2=enc(x*m₁, . . . ,x*m_k).

In some embodiments c_muitiply2=[(c₀*, c₁*, . . . , c_n*), (l₁*, . . . , l_k*)], wherein: t is an integer value greater than or equal to 0 and less than or equal to n (i.e. 0≤t≤n)); c_t*=x * c_t mod q, t=0,1, . . . , n; and l_t*=l_t, t=0,1, . . . , n.

The present disclosure is also directed towards a method of generating Public Key, pk, from a secret key, wherein the secret key was generated as set out above.

In some embodiments, the method comprises: generating a zero vector that is e₀=(0,0, . . . ,0); and generating k non-zero vectors, wherein a non-zero vector contains the value 1 in its n^th coordinate and 0 in the remaining coordinates, wherein n is an integer and 1≤n≤k whereby e₁=(1,0, . . . ,0), e₂=(0,1,0, . . . ,0), . . . , e_k=(0,0, . . . ,0,1).

In some embodiments, generating the public key comprises encrypting e₀, e₁, . . . , e_k, whereby: p_k=(E₀=enc(e₀), E₁=enc(e₁), . . . , E_k=enc(e_k))

The present disclosure is also directed towards a method of performing Public Key encryption, wherein the method is configured to encrypt a plaintext vector (m₁, . . . , m_k) with a public key generated as set out above.

In some embodiments, the method comprises performing a plaintext-ciphertext multiplication as described above.

In some embodiments, a plaintext-ciphertext multiplication is performed on a random number r and ciphertext E₀; and a plaintext-ciphertext multiplication is performed on each coordinate m_i and ciphertext E_i for i=1, . . . , k; and the results of the plaintext-ciphertext multiplications are homomorphically added together, whereby c=r * E₀+Σ_i=1^km_i*E_i, wherein: r * E₀ and m_i*E_i are plaintext-ciphertext multiplications, r and m_i are plaintexts, E₀ and E_j are ciphertexts, and Σ represents the homomorphic addition of ciphertexts.

In some embodiments, the XCRT function is calculated according to the equation xcrt_{(n1,n2, . . . ,nk}),n′: _n1× . . . ×_nk→_n, where n₁, n₂, . . . , n_k are a plurality of pairwise coprime numbers, and n′ which is any suitable number.

The present disclosure is also directed towards a computer program comprising instructions which, when executed by a computing system, cause the computing system to carry out a method as set out above.

The present disclosure is also directed towards a computer-readable storage medium or a data carrier signal carrying the above computer program.

The present disclosure is also directed towards a computing system comprising at least computer, the computer system comprising means for performing a method as set out above.

DETAILED DESCRIPTION

The CRT function, may be defined as follows:

$cr{t}_{n_1,n_2,\dots ,n_k}:{\mathbb{Z}}_{n_1}\times \dots \times {\mathbb{Z}}_{n_k}\to {\mathbb{Z}}_n$

• • (x₁, . . . , x_k)x, x_i=x mod n_i ∈ _niΛi,
  • where n₁, n₂, . . . , n_k are a plurality of pairwise coprime numbers and n is the product of the plurality of pairwise coprime numbers (i.e. n=n₁n₂ . . . n_k).

If x ∈ _n we can compute the tuple (x₁, . . . , x_k) by computing each x_j=x mod n_j for j=1, . . . , k.

For (x₁, . . . , x_k) ∈ _n1× . . . ×_nk we can compute x as follows:

First, during a precompute stage, a value s is calculated for j=1, . . . , k as

$s_j=\frac{n}{n_j}.$

A value t is also calculated during the precompute stage for j=1, . . . , k as t_j=[s_j⁻¹]_nj which can be rewritten as t_j=s_j⁻¹ mod n_j

The CRT of (x₁, . . . , x_k) can then be calculated as x=crt(x₁, . . . , x_k)=Σx_js_jt_j mod n.

The CRT function can be extended to produce a new extended CRT function (XCRT) that performs the same computation as a CRT function does but with a different modulus. Similarly to a CRT function, the XCRT function is calculated based on a plurality of pairwise coprime numbers (n₁, n₂, . . . , n_k), However, the XCRT uses a number n′ which is any suitable number. Thus, the XCRT function may be calculated according to the following equation:

$\begin{array}{c}\mathrm{xcr}{t}_{\left(n_1,n_2,\dots ,n_k\right),n^{\prime }}:{\mathbb{Z}}_{n_1}\times \dots \times {\mathbb{Z}}_{n_k}\to {\mathbb{Z}}_{n^{\prime }}\\ \left(x_1,\dots ,x_k\right)\mapsto x=\sum _{j=1}^k{x}_j{s}_j{t}_j\mathrm{mod}{n}^{\prime }\end{array}$

• • When n′=n=n₁n₂ . . . n_k the xcrt function becomes the same as crt function. When the value of n′ for a XCRT function is a multiple of the value of n for the equivalent CRT function, the xcrt function retains the homomorphic properties of the equivalent CRT function.

Key Generation

A system in accordance with the present disclosure comprises key generation functions.

In a first embodiment, key generation produces a key that can be used for encryption. In some embodiments the key may also be used for decryption. In order to generate the key, a random number P of bit length η is selected. Two coprime numbers p₁ and P₂ are also selected. The number p₁ may represent the plain-text space. It may be selected so that it has a predetermined bit-size based on the bit-size required to represent the plain-text data. E.g. 64 bits. The number P₂ may represent the noise space. In some embodiments, P₂ is selected so that it has p bits. The secret key can be set as sk=(P, p₁, p₂).

The secret key sk can be calculated based on a security parameter λ. In particular, for a given value of λ, ρ represents a bound on the bit-length of the error, η the bit length of the secret greatest divisor, and y the bit length of an AGCD sample that is also equivalent to the cyphertext size. Thus for a given security parameter a, the other parameters may be set as follows:

• • Noise/Error: ρ←λ
  • Size of the secret key: η←λ+L log λ, for a constant L
  • Size of the cypher-text: γ←Lλ log λ, for a multiplication depth of k.

To encrypt a plain text message m ϵ Z_p1 using the secret key sk, a random noise e is selected. In some embodiments e is of bit-length p. A random number w is also selected. Based on these values a ciphertext may be calculated as follows:

$\begin{array}{c}{\Delta }_1=p_2\left(p_2^{-1}\mathrm{mod}{p}_1\right),{\Delta }_2=p_1\left(p_1^{-1}\mathrm{mod}{p}_2\right)\\ c=\mathrm{Pw}+{\Delta }_{1}m+{\Delta }_{2}e\end{array}$

The plaintext message m may be calculated from the cyphertext c as follows:

m=c mod P)mod p₁

Such a scheme supports fully homomorphic operations. In particular, addition and multiplication are supported. For example, if we have two ciphertexts c₁ and c₂ where c₁ is an encryption of m₁ and c₂ is an encryption of m₂, then

$\begin{array}{c}{c}_1+c_2=c_{\mathrm{add}}=\mathrm{enc}\left(m_1+m_2\right);\mathrm{and}\\ c_1\times c_2=c_{\mathrm{mult}}=\mathrm{enc}\left(m_1\times m_2\right).\end{array}$

This is based on the fact that, for any cyphertext of a message encrypted with a secret key, decrypting the cyphertext with the secret key will recover the message m. I.e.

Dec(Enc(m,sk(m sk)=m

In particular, if we encrypt m with the secret key sk=(P, p₁, p₂), encryption comprises calculating a first intermediate value Δ₁, where:

${\Delta }_1=p_2\left(p_2^{-1}\mathrm{mod}{p}_1\right)$

Further, a second intermediate value Δ₂ is calculated, where:

${\Delta }_2=p_1\left(p_1^{-1}\mathrm{mod}{p}_2\right)$

A cyphertext c can now be calculated:

$c=\mathrm{Pw}+{\Delta }_{1}m+{\Delta }_{2}e$

The calculation of the cyphertext can be rewritten using Chinese Remainder Theorem as:

$c=\mathrm{Pw}+{\mathrm{CRT}}_{p2,p2}\left(m,e\right)$

If we decrypt c using the decryption function described above:

$\left(c\mathrm{mod}P\right)\mathrm{mod}{p}_1={\Delta }_{1}m+{\Delta }_{2}e\mathrm{mod}{p}_1$

However,

Δ₁m+Δ₂6 mod p₁=m

Thus:

Dec(Enc(m,sk),sk)=m

As a result, decryption and encryption in accordance with the present disclosure are correct and consistent. The decryption of an encrypted message results in the original plaintext message without loss or alteration.

To prove the correctness of the homomorphic properties, consider the encryption, performance of a function, and decryption of two messages m and m′. First, the cyphertexts for m and m′ are calculated:

$c=\mathrm{Enc}\left(m,\mathrm{sk}\right)=\mathrm{Pw}+{\Delta }_{1}m+{\Delta }_{2}e$ $c^{\prime }=\mathrm{Enc}\left(m^{\prime },\mathrm{sk}\right)=c={\mathrm{Pw}}^{\prime }+{\Delta }_1{m}^{\prime }+{\Delta }_2{e}^{\prime }$

To perform homomorphic addition, c and c′ are added together:

$c_{\mathrm{add}}=\left(c+c^{\prime }\right)=c=P\left(w+w^{\prime }\right)+{\Delta }_1\left(m+m^{\prime }\right)+{\Delta }_2\left(e+e^{\prime }\right)$

The resulting cyphertext is decrypted:

$\mathrm{Dec}\left(c_{\mathrm{add}},\mathrm{sk}\right)=m+m^{\prime }$

Similarly for homomorphic multiplication:

$c_{\mathrm{mult}}=\left(c\times c^{\prime }\right)$

The resulting cyphertext is decrypted:

$\mathrm{Dec}\left(\mathrm{sk},c_{\mathrm{mult}}\right)=\mathrm{Dec}\left(\mathrm{sk},\left(c\times c^{\prime }\right)\mathrm{mod}N\right)$

And due to the properties of a scheme according to the present disclosure:

$\begin{array}{c}{c}_{\mathrm{mult}}=\left(c+c^{\prime }\right)=\left(\mathrm{Pw}+{\Delta }_{1}m+{\Delta }_{2}e\right)\left(\mathrm{Pw}+{\Delta }_{1}m+{\Delta }_{2}e\right)\\ ={\mathrm{Pw}}^{″}+{\Delta }_1{m}_1{m}_2+\Delta e^{″}\end{array}$

As such,

$\mathrm{Dec}\left(\mathrm{sk},\left(c\times c^{\prime }\right)\right)=m\times m^{\prime }$

As a result, a system in accordance with the present disclosure correctly performs homomorphic addition and multiplication.

The security of a scheme in accordance with the present disclosure can be demonstrated by performing a reduction to the approximate greatest common divisor (AGCD). In particular if there is a method X for breaking encryption according to the present disclosure and allowing the recovery of the secret keys from the AGCD sample.

• • 1. AGCD Sample:

x _i =P _qi +r _i

Here, P is the secret, q_i are random integers, and r_i are small errors.

• • 2. Cyphertext of the Proposed Scheme:

$c=\mathrm{Enc}\left(m,\mathrm{sk}\right)=\mathrm{Pw}+{\Delta }_{1}m+{\Delta }_{2}e$

The proposed scheme refers to a system in accordance with the present disclosure. From the above, assuming method X can recover the secret key P, which is identical to the secret key of the AGCD scheme. Thus, if there exists a method X capable of breaking encryption according to the present disclosure, the same method is used to break the AGCD scheme, validating the security of a system according to the present disclosure.

To ensure the system's security, the parameters can be selected to resist several types of attack.

For example, a lattice reduction attack, such as orthogonal lattice attacks, are optimized methods aimed at solving approximate common divisor problems. To ensure security against all known attacks, the parameters are selected such that:

$\gamma \ge \Omega \left(\frac{\lambda }{\log \lambda }{\left(\eta -\rho \right)}^2\right)$

To protect against brute force attacks on noise:

Thus, in some embodiments, the parameters are selected as follows:

• • Noise/Error: p←λ
  • Size of the secret key: η←λ+L log λ, where L is a constant
  • Size of the AGCD sample: γ←L²λ log λ, incorporating a multiplication depth k.

Using the above parameters,

$\frac{\lambda }{\log \lambda }{\left(\eta -\rho \right)}^2=\frac{\lambda }{\log \lambda }{\left(\lambda +L\log \lambda -\lambda \right)}^2=\frac{\lambda }{\log \lambda }{\left(L\log \lambda \right)}^2=L^2\lambda \log \lambda$

Thus γ=L²k log λ satisfies the security condition:

$\gamma \ge \Omega \left(\frac{\lambda }{\log \lambda }{\left(\eta -\rho \right)}^2\right)$

In a second embodiment, the key generation functions generate a number of different keys. In particular, the system can generate a secret key, a public parameter, re-linearization keys, and R-keys.

To generate the secret key, a first set of numbers is generated. The first set of numbers is generated by selecting a plurality of large pairwise coprime numbers p₁, . . . p_k, p_k+1. In some embodiments, the first set prime numbers comprises k+1 large pairwise coprime numbers, where k is the maximum size of a plaintext vector that can be encrypted by the system.

In some embodiments, the plurality of large pairwise coprime numbers selected for the first set of random numbers are selected by the system, based on a security parameter. The security parameter is selected by a user and sets the level of security of the system. In particular, the security parameter is indicative of the bit-size of the large coprime numbers. The system can be configured such that a user can use the security parameter to select a known standard such as 128 bit, 256-bit, 512-bit security.

In addition, a second set of numbers is also generated. The second set of numbers is generated by selecting a plurality of large prime numbers r₁, r₂, . . . , r_k+1. In some embodiments, the second set of numbers comprises k+1 large prime numbers, where k is the maximum size of a plaintext vector that can be encrypted by the system. The large prime numbers selected for the second set of numbers also can be selected by the system based on the security parameter.

A plurality of random numbers s₁, . . . , s_n, are also selected by the system. The number n is an integer which sets the size of the ciphertext. The system is configured to calculate a secret key (sk) based on the selected values. In particular, the sk may be calculated as follows:

$\mathrm{sk}=\left\{s=\left(s_1,...,s_n\right),p=\left(p_1,...p_k,p_{k+1}\right),r=\left(r_1,r_2,...,r_{k+1}\right)\right\}$

A public parameter q is also calculated using the first and second sets of prime numbers. In particular, q=(p₁× . . . ×P_k×p_k+1)×(r₁×r₂× . . . ×r_k+1)

Re-linearization keys (rlks) are also calculated. The rlks are used during multiplication of two encrypted data. The rlks are generated by encrypting the components of the secret key. In particular, for i,j=1, . . . , k the rlks keys for s_is_j, i≠j and s_j² are calculated as follows:

A first relinearization key θ^ij, corresponding to s_is_j, may be generated using a first set of random numbers a₁^ij, . . . , a_n^ij, e^ij. The first relinearization key θ^ij may be determined using the following equation:

$s_i{s}_j\to {\theta }^{\mathrm{ij}}=\left(-\left(\sum _{t=1}^n{\alpha }_t^{\mathrm{ij}}{s}_t\right)+s_i{s}_j+{\mathrm{xcrt}}_{\left(p_1,...p_k,p_{k+1}\right),q}\left(0,...,0,r_{k+1}{e}_{\mathrm{ij}}\right)\mathrm{mod}q,{\alpha }_1^{\mathrm{ij}},...,{\alpha }_n^{\mathrm{ij}}\right)$

A second relinearization key θ^ij, corresponding to s_j, may be generated using a second a set of random numbers a₁^j, . . . , a_n^j, e_j. The relinearization key δ^j may be determined using the following equation:

$s_j^2\to {\delta }^j=\left(-\left(\sum _{t=1}^n{\alpha }_t^j{s}_t\right)+s_j^2+{\mathrm{xcrt}}_{\left(p_1,...p_k,p_{k+1}\right),q}\left(0,...,0,r_{k+1}{e}_j\right)\mathrm{mod}q,{\alpha }_1^j,...,{\alpha }_n^j\right)$

The resultant first and second relinearization keys ({θ^ij}_{i,j=, . . . n}′{δ^j}_{j=1, . . . n}) are the relinearization keys (rlks) corresponding to the secret key sk described above.

In addition, R-keys are also calculated. The R-Keys are also calculated based on encrypting components of the secret key. In addition, the R-Keys may be generated using a third set of random numbers γ₁ⁱ, . . . , γ_nⁱ. For example, k R-keys can be calculated according to the following equation:

$R_i=\left(-\left({\sum }_{t=1}^n{\gamma }_t^i{s}_t\right)+{\mathrm{xcrt}}_{\left(p_1,...p_k,p_{k+1}\right),q}\left(0,...,r_i,...,0,r_{k+1}{e}_i\right)\mathrm{mod}q,{\gamma }_1^i,...,{\gamma }_n^i\right),$

where 1≤i≤k.The resultant (R₁, . . . , R_k) R-Keys are the R-keys corresponding to the above secret key sk above.

As a result, suitable keys for performing homomorphic operations:

$\left\{\left({\left\{{\theta }^{\mathrm{ij}}\right\}}_{i,j=1,...n},{\left\{{\delta }^j\right\}}_{j=1,...n}\right),\left(R_1,...,R_k\right)\right\}$

are provided.

Symmetric Key Encryption

The system also can comprise an encryption function. The encryption function operates on plaintexts (m₁, . . . , m_k) with the secret key sk. To encrypt, a plurality of random numbers a₁, . . . , a_n are selected. In some embodiments, the numbers are uniformly random—i.e. a₁, . . . , a_n ∈ F_q. In addition, a value e representing a random noise or a noise signal is selected. Based on these values, the secret key, and the public parameter q, a value c₀ is obtained. In particular, the XCRT function of the vector (m₁r₁^l1, . . . , m_kr_k^lk, er_k+1) is computed. In this disclosure, l₁= . . . =l_k=1 are exponents referred to as levels. The dot product of vector (a₁, . . . , a_n) and s=(s₁, . . . , s_n) is then subtracted. Further, modulus q of the result is computed i.e.

$c_0=\left[-\left({\sum }_{i=1}^n{a}_i{s}_i\right)+{\mathrm{xcrt}}_{\left(p_1,...p_k,p_{k+1}\right),q}\left(m_1{r}_1^{l_1},...,m_k{r}_k^{l_k},{\mathrm{er}}_{k+1}\right)\right]\mathrm{mod}q.$

The final ciphertext c is obtained by forming a vector by appending the values a₁, . . . , a_n and l₁, . . . , l_k to c₀ i.e.

C=[(c₀,a₁, . . . ,a_n),(l₁, . . . ,l_k)]

In contrast to the CRT-based encryption algorithm proposed by Cheon et al, a system in accordance with the present disclosure uses (Σ_i=1ⁿa_is_i).

In addition, in a system in accordance with the present disclosure, and in contrast with the crt-based encryption function proposed by Cheon et al, the XCRT function can be used. In particular, the XCRT of the vector (m₁r₁^l1, . . . , m_kr_k^lk, er_k+1) is computed. As noted above, r₁, . . . , r_k+1 are also components of the secret key in some embodiments.

In addition, in the crt function proposed by Cheon et al, e is placed before the plaintext m₁. In contrast, in the vector of the present disclosure, e is placed after the plaintext m_k.

Further, the public parameter and random numbers proposed by Cheon et al are not used in the encryption function of the present system in some embodiments—i.e. the CRT function utilized in a system in accordance with the present disclosure operates on m₁, . . . , m_k and not on m₁+e₁Q₁, . . . , m_k+e_kQ_k.

Decryption

According to the present disclosure, a ciphertext c can also be decomposed into n+1 partial ciphertexts (c₀, c₁, . . . , c_n)—i.e.

C=[(c₀,C₁, . . . ,C_n),(l₁, . . . ,l_k)]

As such, the decryption function can be performed according to the following equation:

$m_j=\left[\left(c_0+\sum _{i=1}^n{c}_i{s}_i\mathrm{mod}q\right)*{\left(r_j^{l_j}\right)}^{-1}\mathrm{mod}{p}_j\right],j=1,...,k$

Operating on Encrypted Data

If c is an encryption of plaintexts (m₁, . . . , m_k) which equals (c₀, . . . , c_n) and c′ is an encryption of plaintexts (m₁′, . . . , m_k′), which equals (c′₀, . . . , c′_n), then in order to perform a homomorphic addition, we need a function to compute the ciphertext c_add from c and c′ such that, when decrypted, c_add equals (m₁, . . . , m_k)+(m₁′, . . . , m_k′)=(m₁′+m_k, . . . , m_k+m_k′. In order to perform homomorphic multiplication, we also need a function to calculate the ciphertext c_multiply from c and c′ such that, when decrypted, c_multiply equals (m₁*m₁′, . . . , m_k*m_k′).

Homomorphic Multiplication

The system can comprise a homomorphic multiplication function to obtain a ciphertext that is encryption of the product of two plaintexts (m₁, . . . , m_k) and (m₁′, . . . , m_k′) I.e. c_multiply=enc(m₁*m₁′, . . . , m_k*m_k′). It has surprisingly been found that c_multiply can be calculated as c_multiply=(c₀*, c₁*, . . . , c_n*), where

$c_t^{*}=\left(c_t{c}_t^{\prime }+\sum _{i,j=1,i\ne j}^n{\alpha }_x^{\mathrm{ij}}\left(c_i{c}_j^{\prime }+c_j{c}_i^{\prime }\right)+\sum _{j=1}^n{c}_j{c}_j^{\prime }{\beta }_0^j\right)=f_1\left(c,c^{\prime },\left\{{\theta }^{\mathrm{ij}}\right\},\left\{{\delta }^j\right\}\right)$ $c_t^{*}={\delta }_t^j+{\sum }_{i,j=1,i\ne j}^n\left(c_i{c}_j^{\prime }+c_j{c}_i^{\prime }\right){\theta }_t^{\mathrm{ij}}=f_2\left(c,c^{\prime },\left\{{\theta }^{\mathrm{ij}}\right\},\left\{{\delta }^j\right\}\right),$

and t refers to the index value of c_t*(for any integer value of t greater than or equal to 0 and less than or equal to n (i.e. 0≤t≤n)).

Remarkably, due to the properties of the XCRT function, the increase or decrease of noise e in xcrt_{(p1, . . . pk,Pk+1),q}(m₁r₁^l1, m_kr_k^lk, er_k+1 does not affect the values of plaintext m₁, . . . ,m_k.

This can be proved as follows:

If we have a first plaintext m₁, . . . , m_k, it can be written in encrypted form as:

${\mathrm{xcrt}}_{\left(p_1,...p_k,p_{k+1}\right),q}\left(m_1{r}_1^{l_1},...,m_k{r}_k^{l_k},{\mathrm{er}}_{k+1}\right)=\left(c_0+\sum _{i=1}^n{c}_i{s}_i\right)$

If we have a second plaintext m′₁, . . . , m,_k, it can be written in encrypted form as:

${\mathrm{xcrt}}_{\left(p_1,...p_k,p_{k+1}\right),q}\left(m_1^{\prime }{r}_1^{l_1^{\prime }},...,m_k^{\prime }{r}_k^{l_k^{\prime }},e^{\prime }{r}_{k+1}\right)=\left(c_0^{\prime }+\sum _{i=1}^n{c}_i^{\prime }{s}_i\right)$

If, taking the lefthand side of the equations above, we multiply the first encrypted plaintext by the second encrypted plaintext, we get:

${\mathrm{xcrt}}_{\left(p_1,...p_k,p_{k+1}\right),q}\left(m_1{r}_1^{l_1},...,m_k{r}_k^{l_k},{\mathrm{er}}_{k+1}\right)*{\mathrm{xcrt}}_{\left(p_1,...p_k,p_{k+1}\right),q}\left(m_1^{\prime }{r}_1^{l_1^{\prime }},...,m_k^{\prime }{r}_k^{l_k^{\prime }},e^{\prime }{r}_{k+1}\right)={\mathrm{xcrt}}_{\left(p_1,...p_k,p_{k+1}\right),q}\left(\left(m_1{m}_1^{\prime }\right)r_1^{l_1+l_1^{\prime }},...,\left(m_k{m}_k^{\prime }\right)r_k^{l_k+l_k^{\prime }},{\mathrm{ee}}^{\prime }{r}_{k+1}^2\right)$

If, taking the righthand side of the equations above, we multiply the first encrypted plaintext by the second encrypted plaintext, we get:

$\left(c_0+\sum _{i=1}^n{c}_i{s}_i\right)*\left(c_0^{\prime }+\sum _{i=1}^n{c}_i^{\prime }{s}_i\right)=c_0{c}_0^{\prime }+\sum _{i,j=1,i\ne j}^n\left(c_i{c}_j^{\prime }+c_j{c}_i^{\prime }\right)s_i{s}_j+\sum _{j=1}^n{c}_j{c}_j^{\prime }{s}_j^2$

If we use the re-linearization keys to replace s_is_j and s_j² from the equation, we get:

${\theta }^{\mathrm{ij}}=\left(-\left(\sum _{t=1}^n{\alpha }_t^{\mathrm{ij}}{s}_t\right)+s_i{s}_j+{\mathrm{crt}}_{\left(p_1,...p_k,p_E\right)}\left(0,...,0,{\mathrm{re}}_{\mathrm{ij}}\right)\mathrm{mod}q,{\alpha }_1^{\mathrm{ij}},...,{\alpha }_n^{\mathrm{ij}}\right)=\left(c_0^{\mathrm{ij}},c_1^{\mathrm{ij}},...,c_n^{\mathrm{ij}}\right)$

From this equation we can infer that

$s_i{s}_j=\left(c_0^{\mathrm{ij}}+\sum _{t=1}^n{c}_t^{\mathrm{ij}}{s}_t\right)-{\mathrm{crt}}_{\left(p_1,...p_k,p_E\right)}\left(0,...,0,{\mathrm{re}}_{\mathrm{ij}}\right)$ ${\delta }^j=\left(-\left(\sum _{t=1}^n{\alpha }_t^j{s}_t\right)+s_j^2+{\mathrm{crt}}_{\left(p_1,...p_k,p_E\right)}\left(0,...,0,{\mathrm{re}}_j\right)\mathrm{mod}q,{\alpha }_1^j,...,{\alpha }_n^j\right)=\left(c_0^j,c_1^j,...,c_n^j\right)$

And from this equation we an infer that

$s_j^2=\left(c_0^j+\sum _{t=1}^n{c}_t^j{s}_t\right)-{\mathrm{crt}}_{\left(p_1,\dots p_k,p_E\right)}\left(0,\dots ,0,{\mathrm{re}}_j\right)$

If one then replaces the values of s_js_j and s_j² from the equation

$c_0{c}_0^{\prime }+\sum _{i,j=1,i\ne j}^n\left(c_i{c}_j^{\prime }+c_j{c}_i^{\prime }\right)s_i{s}_j+\sum _{j=1}^n{c}_j{c}_j^{\prime }{s}_j^2\text{=>}{c}_0{c}_0^{\prime }+\sum _{i,j=1,i\ne j}^n\left(c_i{c}_j^{\prime }+c_j{c}_i^{\prime }\right)\left(c_0^{ij}+\sum _{t=1}^n{c}_t^{ij}{s}_t\right)+\sum _{j=1}^n{c}_j{c}_j^{\prime }\left(c_0^j+\sum _{t=1}^n{c}_t^j{s}_t\right)\text{=>}{c}_0{c}_0^{\prime }+\sum _{i,j=1,i\ne j}^n{c}_0^{ij}\left(c_i{c}_j^{\prime }+c_j{c}_i^{\prime }\right)+\sum _{i,j=1,i\ne j}^n\left(c_i{c}_j^{\prime }+c_j{c}_i^{\prime }\right)\sum _{t=1}^n{c}_t^{ij}{s}_t++\sum _{j=1}^n{c}_j{c}_j^{\prime }\sum _{t=1}^n{c}_t^j{s}_t\text{=>}\left(c_0{c}_0^{\prime }+\sum _{i,j=1,i\ne j}^n{c}_0^{ij}\left(c_i{c}_j^{\prime }+c_j{c}_i^{\prime }\right)+\sum _{j=1}^n{c}_j{c}_j^{\prime }{c}_0^j\right)+\sum _{t=1}^n\left(c_t^j+\sum _{i,j=1,i\ne j}^n\left(c_i{c}_j^{\prime }+c_j{c}_i^{\prime }\right)c_t^{ij}\right)s_t=c_0^{*}+\sum _{t=1}^n{c}_t^{*}{s}_t$ $\mathrm{Where}$ $c_0^{*}=\left(c_0{c}_0^{\prime }+\sum _{i,j=1,i\ne j}^n{c}_0^{ij}\left(c_i{c}_j^{\prime }+c_j{c}_i^{\prime }\right)+\sum _{j=1}^n{c}_j{c}_j^{\prime }{c}_0^j\right)$ $c_t^{*}=\left(c_t^j+\sum _{i,j=1,i\ne j}^n\left(c_i{c}_j^{\prime }+c_j{c}_i^{\prime }\right)c_t^{ij}\right),$ $t=1,\dots ,n{l}_t^{*}=l_t+l_t^{\prime },t=1,\dots ,k$

Re-equating the lefthand side of the equation to the righthand side of the equation:

$c_0^{*}+\sum _{t=1}^n{c}_t^{*}{s}_t={\mathrm{xcrt}}_{\left(p_1,\dots p_k,p_{k+1}\right),q}\left(m_1{m}_1^{\prime }{r}_1^{l_1+l_1^{\prime }},\dots ,m_k{m}_k^{\prime }{r}_k^{l_k+l_k^{\prime }},e{e}^{\prime }{r}_{k+1}^2\right)$ $⟹c_{\mathrm{multiply}}=\left[\left(c_0^{*},c_1^{*},\dots ,c_n^{*}\right),\left(l_1+l_1^{\prime },\dots ,l_k+l_k^{\prime }\right)\right]=Enc\left(m_1*m_1^{\prime },\dots ,m_k*m_k^{\prime }\right)$

Homomorphic Addition

The system can comprise a homomorphic addition function to obtain a ciphertext c_add that is encryption of the sum of two plaintexts (m₁, . . . , m_k) and (m₁′, . . . , m_k′)—i.e. C_add=enc(m₁+m₁′, m_k+m_k′.

If the two plaintexts have been encrypted using the encryption function above, then: c=enc(m₁, . . . ,m_k)=[(c₀, c₁, . . . , c_n), (l₁, . . . , l_k)]and c′=enc(m₁′, . . . , m_k′)=[(c₀′, c₁′, . . . , c_n′), (l₁′, . . . , l_k′)]

Intermediary values c⁽¹⁾, c⁽²⁾ and l_i*can be computed based on c and c′ using the following equations:

$l_i^{*}=\max \left\{l_i,l_i^{\prime }\right\},$ $c^{\left(1\right)}=\left(\sum _{i=1}^k{R}_i^{l_i^{*}-l_i}\right)*c,c^{\left(2\right)}=\left(\sum _{i=1}^k{R}_i^{l_i^{*}-l_i^{\prime }}\right)*c^{\prime }$

Where Σ represents coordinate-wise sum, * represents a homomorphic multiplication in accordance with the present disclosure as defined in above, and R_i^l represents homomorphic multiplication of R_i with itself l number of times. The final result is obtained by decomposing c to C₀, c₁, . . . , c_n and c₀′ to c₀′, c₁′, . . . , c_n′ and performing a coordinate wise sum of the resultant c_i's of c⁽¹⁾ and c⁽²⁾ to obtain:

$c_{add}=\left[\left(\left(c_0^{\left(1\right)}+c_0^{\left(2\right)}\right)\mathrm{mod}q,\dots ,\left(c_k^{\left(1\right)}+c_k^{\left(2\right)}\right)\mathrm{mod}q\right),\left(l_1^{*},\dots ,l_k^{*}\right)\right]$

Due to the properties of the encryption algorithm according to the present disclosure,

$\left[\left(\left(c_0^{\left(1\right)}+c_0^{\left(2\right)}\right)\mathrm{mod}q,\dots ,\left(c_k^{\left(1\right)}+c_k^{\left(2\right)}\right)\mathrm{mod}q\right),\left(l_1^{*},\dots ,l_k^{*}\right)\right]=\mathrm{enc}\left(m_1+m_1^{\prime },\dots ,m_k+m_k^{\prime }\right).$

Plaintext to Ciphertext Multiplication

A system according to the present disclosure can provide a second multiplication function, mf2( ), for homomorphic plaintext to ciphertext multiplication. The second multiplication function is configured to generate a ciphertext C_multiply2 that is an encryption of the product of plaintext (m₁, . . . , m_k) and a plaintext number x. I.e. mf2((m₁, . . . , m_k), x)=C_multiply2=enc(x*m₁, . . . ,x*m_k).

It has surprisingly been found that c_multiply2 can be calculated as c_multiply2=[(c₀*, c₁*, . . . , c_n*), (l₁*, . . . , l_k*)], where c_t* refers to the index value of c_t* (for any integer value of t greater than or equal to 0 and less than or equal to n (i.e. 0≤t≤n)). In particular,

$c_t^{*}=x*c_t\mathrm{mod}q,t=0,1,\dots ,n$

For this function, the level c_t* is the same as the level for c_t, i.e.

l _t *=l _t ,t=0,1, . . . ,n

As such the final ciphertext will be

C _Multiply2=[(c₀*,c₁*, . . . ,c_N*),(l₁*, . . . ,l_K*)]

Generating a Public Key

The system also can be configured in some embodiments to provide a function for generating one or more public keys from a secret key. In some embodiments, the secret key is provided as input, and is used to encrypt the following plaintext vectors: a zero vector that is e₀=(0,0, . . . ,0); and

k non-zero vectors that contain the value 1 in the n^th coordinate and 0 in the remaining coordinates, where 1≤n≤k. E.g. e₁=(1,0, . . . ,0), e₂=(0,1,0, ,0), . . . , e_k=(0,0, . . . ,0,1).

A public key is then generated by encrypting e₀, e₁, . . . , e_k in accordance with the present disclosure—i.e:

pk=(E₀=enc(e₀),E₁=enc(e₁), . . . ,E_k=enc(e_k))

Public Key Encryption

The system also can be configured to provide a public key encryption function. The public key encryption function encrypts the plaintext vector (m₁, . . . , m_k) with the public key (instead of the secret key) to obtain a ciphertext that can only be decrypted using the corresponding secret key from which the public key was generated.

To encrypt the plaintext vector (m₁, . . . , m_k) with a public key pk generated as described above, the plaintext-ciphertext multiplication function described above is performed: on a random number r and the ciphertext E₀ of the public key pk; and on each coordinate m_i and ciphertext E_i of the public key pk for i=1, . . . , k. The public key encrypted ciphertext c is then computed by performing a homomorphic addition of all the results of plaintext-ciphertext multiplications. I.e:

$c=r*E_0+{\Sigma }_{i=1}^k{m}_i*E_i,$

where r * E₀ and m_i*E_i represent plaintext-ciphertext multiplication, the values of r and m_i are plaintext values and the values of E_i are ciphertexts. In the above equation, Σ represents the homomorphic addition of ciphertexts.

CONCLUSION

The present disclosure provides a novel FHE scheme that does not require bootstrapping for performing arbitrary number of computations on encrypted data. As a result, the present disclosure significantly increases the speed of performing calculations on encrypted data without compromising on security. This has the potential to extend the use of FHE into applications where FHE was previously not possible due to time & computational constraints. For example, it may be possible to use FHE in machine learning and artificial intelligence through performing analytics on encrypted data without facing any of the efficiency issues known in conventional approaches.

Claims

1. A method of generating keys for fully homomorphic encryption, the method comprising: obtaining a first set of numbers S, wherein the first set of numbers S is a set of pairwise coprime numbers p1, . . . , pk+1;obtaining another parameter, wherein the another parameter is a random or pseudo random number P; andcalculating a secret key, sk, based on the first set of numbers S, and the another parameter.

2. The method of claim 1, wherein k+1=2.

3. The method of claim 1, wherein the secret key sk={S, P}.

4. The method of claim 1, wherein: obtaining the another parameter P comprises obtaining a second set of prime numbers r1, r2, . . . , rk+1, and the method further comprises:obtaining a third set of numbers as the another parameter, wherein the third set of numbers is a set of random or pseudo random numbers s1, . . . , sn;calculating the secret key, sk, based on the first set of numbers, the second set of numbers, and third set of numbers; andcalculating a public parameter, q, based on the first set of numbers and the second set of numbers.

5. The method of claim 1, wherein at least one of the first set of numbers, the second set of random prime numbers, and the third set of random numbers selected based on a security parameter.

6. The method of claim 4, wherein q is calculated by multiplying the first set of numbers together with the first and second extra prime numbers, whereby q=(p1× . . . ×pk×pk+1)×(r1×r2× . . . ×rk+1).

7. The method of claim 4, wherein sk={s=(s1, . . . , sn), p=(p1, pk, pk+1), r=(r1,r2, . . . , rk+1)}.

8. The method of claim 1, further comprising generating re-linearization keys, rlks, wherein generating the rlks comprises encrypting components of the secret key.

9. The method of claim 5, further comprising using a first set of random numbers a1ij, . . . , anij, eij to generate a first relinearization key θij and using a set of random numbers a1j, . . . , anj, ej to generate a second relinearization key δj.

10. The method of claim 1, further comprising R-keys, wherein generating the R-Keys comprises encrypting components of the secret key.

11. The method of claim 8, wherein encrypting components of the secret key comprises performing an extended Chinese remainder function, XCRT, on the components of the secret key.

12. A method of fully homomorphic encryption comprising obtaining a secret key, sk, and a plaintext m1, . . . , mk to be encrypted, wherein the secret key and the public parameter are generated in accordance with the method of claim 1.

13. The method of claim 12, comprising generating and using a random number w.

14. The method of claim 12, wherein calculating the cypher text c comprises calculating

15. The method of claim 13, comprising deleting w after it has been used.

16. The method of claim 12, comprising selecting a value e representing a random noise or a noise signal.

17. The method of claim 16, comprising performing an extended Chinese remainder function, XCRT, on a vector, wherein the vector is based on the plaintext and the value e.

18. The method of claim 17, wherein the vector is (m1r1l1, . . . , mkrklk, erk+1, wherein l1= . . . =lk=1 are exponents.

19. The method of claim 18, comprising selecting a plurality of random numbers a1, . . . , an and subtracting the dot product of vector (a1, . . . , an) and (s1, . . . , sn) from the XCRT.

20. The method of claim 19, comprising performing a modulus operation based on q on the XCRT function after the dot product of vector (a1, . . . , an) and (s1, . . . , sn) has been subtracted whereby a cipher value c0 is obtained such that c0=[−(Σi=1naisi)+xcrt(p1, . . . pk,Pk+1),q (m1r1l1, . . . ,mkrklk, erk+1 ] mod q.

21. The method of claim 20, comprising generating a ciphertext c by forming a vector, wherein forming the vector comprises appending the values a1, . . . , an, and l1, . . . , lk to c0.

22. A method of decrypting a ciphertext generated by a method of fully homomorphic encryption comprising obtaining a secret key, sk, and a plaintext m1, . . . , mk to be encrypted, using a secret key sk generated according to claim 4, wherein the secret key comprises s and s equals (s1, . . . , sn), and the ciphertext comprises a vector a=(a1, . . . , an), the method comprising: determining the sum of i) the first coordinate of the ciphertext; and ii) the dot product of s=(s1, . . . , sn) and the vector a=(a1, . . . , an) of ciphertext.

23. The method of claim 16, further comprising, for j=1, . . . , k, multiplying (rjlj)−1 mod pj to the sum and then performing a modulus operation based on pj on the result, whereby

24. A met hod of performing encrypted homomorphic multiplication, wherein the method is configured to perform a function ƒmultiply( ) on two ciphertexts c and c′ together to produce a new ciphertext, cmultiply=ƒmultiply(c, c′), wherein the ciphertext c and c′ are produced using a method of encryption according to claim 12.

25. The method of claim 24, wherein cmultiply is computed as cmultiply=[(c0*, c1*, . . . , cn*), (l1*, . . . , lk*)], wherein: ct*=ƒ(c, c′, {θij}, {δj});t is any integer from 0 to n;ƒ( ) is a predetermined function; and{θij}, {δj} are relinearization keys.

26. The method of claim 25, wherein: when t=0, ƒ(c, c′, {θij}, {δj}) equals (c0c0′+Σi,j=1,i≠jnc0ij(cicj′+cjci′)+Σj=1ncjcj′c0j)when t>0, ƒ(c, c′, {θij}, {δj}) equals

27. A method of performing encrypted homomorphic addition, wherein the method is configured to perform a function ƒadd( ) on two ciphertexts c and c′ together to produce a new ciphertext, cadd wherein: cadd=ƒadd (C, C′);cadd is the encryption of the sum of plaintext values corresponding to the ciphertexts c and c′; andthe ciphertext c and c′ were produced using a method of encryption according to claim 12.

28. The method of claim 27, comprising determining a first set of level values l1*, . . . , lk* for cadd, wherein li* is max{li, li′}.

29. The method of claim 28, comprising calculating a set of first intermediary values c(1) and a second set of intermediary values c(2) based on the first set of level values and ciphertexts c and c′.

30. The method of claim 29, wherein

31. The method of claim 28, wherein

32. A met hod of performing encrypted homomorphic Plaintext to Ciphertext multiplication wherein the method is configured to perform a function ƒmultiply2( ) on a ciphertext c and a plaintext number x to produce a ciphertext cmultiply2, the ciphertext in an encryption, enc( ), of a plaintext vector (m1, . . . , mk) and cmultiply2=enc(x*m1, . . . , x * mk).

33. The method of claim 32, wherein Cmultiply2=[(c0*, c1*, . . . , cn*), (l1*, . . . , lk*)], and wherein: t is an integer value greater than or equal to 0 and less than or equal to n (i.e. 0≤t≤n));

34. A met hod of generating Public Key, pk, from a secret key, wherein the secret key was generated by a method according to claim 1.

35. The method of claim 34, comprising: generating a zero vector that is e0=(0,0, . . . ,0); andgenerating k non-zero vectors, wherein a non-zero vector contains the value 1 in its nth coordinate and 0 in the remaining coordinates, wherein n is an integer and 1≤n≤k whereby e1=(1,0, . . . ,0), e2=(0,1,0, . . . ,0), . . . , ek=(0,0, . . . ,0,1).

36. The method of claim 35, wherein the generating the public key comprises encrypting e0, e1, . . . , ek, whereby:

37. A met hod of performing Public Key encryption, wherein the method is configured to encrypt a plaintext vector (m1, . . . , mk) with a public key generated by a method configured to perform a function ƒmultiply2 ( ) on a ciphertext c and a plaintext number x to produce a ciphertext cmultiply2, the ciphertext in an encryption, enc( ), of a plaintext vector (m1, . . . , mk) and cmultiply2=enc(x*m1, . . . , x*mk).

38. The method of claim 37, comprising performing a plaintext-ciphertext multiplication configured to perform a function ƒmultiply2 ( ) on a ciphertext c and a plaintext number x to produce a ciphertext cmultiply2, the ciphertext in an encryption, enc( ), of a plaintext vector (m1, . . . ,mk) and cmultiply2=enc(x*m1, . . . ,x*mk).

39. The method of claim 38, wherein: a plaintext-ciphertext multiplication is performed on a random number r and ciphertext E0; anda plaintext-ciphertext multiplication is performed on each coordinate mi and ciphertext Ei for i=1, . . . , k; andthe results of the plaintext-ciphertext multiplications are homomorphically added together, whereby c=r * E0+Σi=1kmi*Ei, wherein:r * E0 and mi*Ei are plaintext-ciphertext multiplications,r and mi are plaintexts,E0 and Ei are ciphertexts, andΣ represents the homomorphic addition of ciphertexts.

40. The method of claim 11, wherein the XCRT function is calculated according to the equation xcrt(n1,n2, . . . ,nk),n′: n1× . . . ×nk→n, where n1, n2, . . . , nk are a plurality of pairwise coprime numbers, and n′ which is any suitable number.

41. A computer program comprising instructions which, when executed by a computing system, cause the computing system to carry out the method according to claim 1.

42. A computer-readable storage medium or a data carrier signal carrying the computer program of claim 41.

43. A computing system comprising at least one computer, the computing system comprising means for performing the method according to claim 1.