Leveled FHE with Matrix Message Space

Abstract

Up to now, almost all fully homomorphic encryption (FHE) schemes can only encrypt bit or vector. In PKC 2015, Hiromasa et al. [12] constructed the only leveled FHE scheme that encrypts matrices and supports homomorphic matrix addition and multiplication. But the ciphertext size of their scheme is somewhat large and the security of their scheme depends on some special kind of circular security assumption.

We propose a leveled FHE scheme that encrypts matrices and supports homomorphic matrix addition, multiplication and Hadamard product. It can be viewed as matrix-packed FHE, and has much smaller ciphertext size. Its security is only based on LWE assumption. In particular, the advantages of our scheme are:

1. 1.

   Supporting homomorphic matrix Hadamard product. All entries in plaintext matrices can be viewed as plaintext slots. While the scheme in [12] doesn’t support this homomorphic operation and only the diagonal entries of plaintext matrix can be viewed as plaintext slots.

2. 2.

   Small ciphertext size. For a plaintext matrix \(\varvec{M} \in \{0,1\}^{r\times r}\), the size of ciphertext matrix is \(r\times (n+r)\), in contrast to \((n+r)\times (n+r)\lceil \log q\rceil \) in [12].

3. 3.

   Standard assumption. The security is based on LWE assumption merely, while the security of scheme in [12] depends additionally on some special kind of circular security assumption.

As Brakerski’s work [3] in CRYPTO 2012, our scheme can be improved in efficiency by using ring-LWE (RLWE).

A Proof of Theorem 3

Theorem 3. For \(\varvec{A},\varvec{B}\in \mathbb {Z}_q^{m\times n}, \varvec{S}\in \mathbb {Z}_q^{n\times m}\), we have

$$\begin{aligned} (\varvec{AS})\cdot (\varvec{BS})&=(\varvec{A} \otimes \varvec{B})_{sr}(\varvec{S} \otimes ' \varvec{S})_{sc}~~(\text {mod}~q)\,,\\ (\varvec{AS})\circ (\varvec{BS})&=(\varvec{A} \otimes \varvec{B})_{er} (\varvec{S} \otimes \varvec{S})_{ec}~~(\text {mod}~q)\,. \end{aligned}$$

Proof

For the conciseness of description, we let \(m=n=2\). One can easily check that the proof can be generalized to any positive integer m and n. Assume \(\varvec{A}=\begin{pmatrix} a_{11} &{} a_{12} \\ a_{21} &{} a_{22} \\ \end{pmatrix}, \varvec{B}=\begin{pmatrix} b_{11} &{} b_{12} \\ b_{21} &{} b_{22} \\ \end{pmatrix}, \varvec{S}=\begin{pmatrix} s_{11} &{} s_{12} \\ s_{21} &{} s_{22} \\ \end{pmatrix} \), then we have

$$\begin{aligned} \varvec{AS}&=\begin{pmatrix} a_{11}s_{11}+a_{12}s_{21} &{} a_{11}s_{12}+a_{12}s_{22} \\ a_{21}s_{11}+a_{22}s_{21} &{} a_{21}s_{12}+a_{22}s_{22} \\ \end{pmatrix}\\ \varvec{BS}&=\begin{pmatrix} b_{11}s_{11}+b_{12}s_{21} &{} b_{11}s_{12}+b_{12}s_{22} \\ b_{21}s_{11}+b_{22}s_{21} &{} b_{21}s_{12}+b_{22}s_{22} \\ \end{pmatrix}\\ \varvec{A} \otimes \varvec{B}&=\begin{pmatrix} a_{11}b_{11} &{} a_{11}b_{12} &{} a_{12}b_{11} &{} a_{12}b_{12}\\ a_{11}b_{21} &{} a_{11}b_{22} &{} a_{12}b_{21} &{} a_{12}b_{22} \\ a_{21}b_{11} &{} a_{21}b_{12} &{} a_{22}b_{11} &{} a_{22}b_{12} \\ a_{21}b_{21} &{} a_{21}b_{22} &{} a_{22}b_{21} &{} a_{22}b_{22}\end{pmatrix}\\ \varvec{S} \otimes \varvec{S}&=\begin{pmatrix} s_{11}s_{11} &{} s_{11}s_{12} &{} s_{12}s_{11} &{} s_{12}s_{12}\\ s_{11}s_{21} &{} s_{11}s_{22} &{} s_{12}s_{21} &{} s_{12}s_{22} \\ s_{21}s_{11} &{} s_{21}s_{12} &{} s_{22}s_{11} &{} s_{22}s_{12} \\ s_{21}s_{21} &{} s_{21}s_{22} &{} s_{22}s_{21} &{} s_{22}s_{22}\end{pmatrix}\\ \varvec{S} \otimes ' \varvec{S}&=\begin{pmatrix} s_{11}s_{11} &{} s_{12}s_{11} &{} s_{11}s_{12} &{} s_{12}s_{12}\\ s_{11}s_{21} &{} s_{12}s_{21} &{} s_{11}s_{22} &{} s_{12}s_{22} \\ s_{21}s_{11} &{} s_{22}s_{11} &{} s_{21}s_{12} &{} s_{22}s_{12} \\ s_{21}s_{21} &{} s_{22}s_{21} &{} s_{21}s_{22} &{} s_{22}s_{22}\end{pmatrix}\\ (\varvec{A} \otimes \varvec{B})_{sr}&=\begin{pmatrix} a_{11}b_{11} &{} a_{11}b_{12} &{} a_{12}b_{11} &{} a_{12}b_{12} &{} a_{11}b_{21} &{} a_{11}b_{22} &{} a_{12}b_{21} &{} a_{12}b_{22} \\ a_{21}b_{11} &{} a_{21}b_{12} &{} a_{22}b_{11} &{} a_{22}b_{12} &{} a_{21}b_{21} &{} a_{21}b_{22} &{} a_{22}b_{21} &{} a_{22}b_{22}\end{pmatrix}\\ (\varvec{S} \otimes ' \varvec{S})_{sc}&=\begin{pmatrix} s_{11}s_{11} &{} s_{11}s_{12}\\ s_{11}s_{21} &{} s_{11}s_{22}\\ s_{21}s_{11} &{} s_{21}s_{12} \\ s_{21}s_{21} &{} s_{21}s_{22} \\ s_{12}s_{11} &{} s_{12}s_{12}\\ s_{12}s_{21} &{} s_{12}s_{22} \\ s_{22}s_{11} &{} s_{22}s_{12}\\ s_{22}s_{21} &{} s_{22}s_{22}\end{pmatrix} \end{aligned}$$

\(((\varvec{A} \otimes \varvec{B})_{sr}(\varvec{S} \otimes ' \varvec{S})_{sc})_{11}=a_{11}b_{11}s_{11}s_{11}+a_{11}b_{12}s_{11}s_{21}+a_{12}b_{11}s_{21}s_{11}+a_{12}b_{12} s_{21}s_{21} +a_{11}b_{21}s_{12}s_{11}+a_{11}b_{22}s_{12}s_{21}+a_{12}b_{21}s_{22}s_{11}+a_{12}b_{22}s_{22}s_{21}=(\varvec{ASBS})_{11} \)

For other entries of \(\varvec{ASBS}\), one can check the correctness in the same way.

For the second equation, we have

\((\varvec{A} \otimes \varvec{B})_{er}=\begin{pmatrix} a_{11}b_{11} &{} a_{11}b_{12} &{} a_{12}b_{11} &{} a_{12}b_{12}\\ a_{21}b_{21} &{} a_{21}b_{22} &{} a_{22}b_{21} &{} a_{22}b_{22}\end{pmatrix}\), \((\varvec{S} \otimes \varvec{S})_{ec}=\begin{pmatrix} s_{11}s_{11} &{} s_{12}s_{12}\\ s_{11}s_{21} &{} s_{12}s_{22} \\ s_{21}s_{11} &{} s_{22}s_{12} \\ s_{21}s_{21} &{} s_{22}s_{22}\end{pmatrix}\)

then \(((\varvec{A} \otimes \varvec{B})_{er}(\varvec{S} \otimes \varvec{S})_{ec})_{11}=a_{11}b_{11}s_{11}s_{11}+a_{11}b_{12}s_{11}s_{21}+a_{12}b_{11}s_{21}s_{11}+a_{12}b_{12} s_{21}s_{21}=((\varvec{AS})\circ (\varvec{BS}))_{11}\)

For other entries of \((\varvec{AS})\circ (\varvec{BS})\), one can check the correctness in the same way.