a more efficient fully homomorphic encryption scheme based

Research ArticleA More Efficient Fully Homomorphic Encryption SchemeBased on GSW and DM Schemes

Xun Wang 1 Tao Luo 12 and Jianfeng Li2

1Beijing Laboratory of Advanced Information Networks Beijing University of Posts and Telecommunications Beijing 100876 China2Beijing Key Laboratory of Network System Architecture and Convergence Beijing University of Posts and TelecommunicationsBeijing 100876 China

Correspondence should be addressed to Tao Luo tluobupteducn

Received 29 May 2018 Revised 29 October 2018 Accepted 7 November 2018 Published 16 December 2018

Academic Editor Jiankun Hu

Copyright copy 2018 Xun Wang et al This is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

Achieving both simplicity and efficiency in fully homomorphic encryption (FHE) schemes is important for practical applicationsIn the simple FHE scheme proposed by Ducas andMicciancio (DM) ciphertexts are refreshed after each homomorphic operationAnd ciphertext refreshing has become a major bottleneck for the overall efficiency of the scheme In this paper we propose a moreefficient FHE scheme with fewer ciphertext refreshings Based on the DM scheme and another simple FHE scheme proposed byGentry Sahai and Waters (GSW) ciphertext matrix operations and ciphertext vector additions are both applied in our schemeCompared with the DM scheme one more homomorphic NOT AND (NAND) operation can be performed on ciphertexts beforeciphertext refreshing Results show that under the same security parameters the computational cost of our scheme is obviouslylower than that of GSW and DM schemes for a depth-2 binary circuit with NAND gates And the error rate of our scheme is keptat a sufficiently low level

1 Introduction

With the rapid development of computer networks and bigdata the cloud has been playing an important role in storingand processing huge amounts of data [1] The cloud providesabundant flexible and on-demand remote storage and com-putational resources for network users However the cloud isnot fully trustable and users do not have full control poweron the data stored in the cloud Data in the cloud are facedwith the risk of leakage and personal privacy is seriouslythreatened In some recent research works approaches basedon network defense have been proposed for guaranteeingcloud security [2ndash6] Nevertheless data encryption providesa more fundamental and universal privacy protection fordata in the cloud In traditional encryption techniques whenthe encrypted data are stored in the cloud they need tobe decrypted before computation and personal privacy isstill seriously threatened Homomorphic encryption allowsciphertext operations to be performed directly thus anuntrusted third party can process the ciphertexts withoutdecrypting them The decryption of the result of ciphertext

operation is equivalent to the result of corresponding plain-text operation Furthermore fully homomorphic encryption(FHE) allows arbitrary operations to be performed on cipher-texts Concretely let Enc and Dec denote encryption anddecryption algorithms respectively And let 119898119894 and 119888119894 denotethe plaintexts and corresponding ciphertexts respectivelywhere 119894 = 1 2 119897 and 119888119894 = Enc(119898119894) For a function 119891119898of plaintexts 1198981 1198982 119898119897 and a corresponding function 119891119888of ciphertexts 1198881 1198882 119888119897 FHE schemes satisfy the followingproperty

Dec (119891119888 (11988811198882 119888119897)) = 119891119898 (11989811198982 119898119897) (1)

This ideal property can be applied to privacy protection inthe cloud where personal data are stored and processed inencrypted form

In FHE schemes ciphertexts are generated with a randomnoise to ensure semantic security The noise grows as homo-morphic operations proceed When the noise magnitudeexceeds a certain threshold ciphertext will no longer becorrectly decrypted By means of bootstrapping proposedby Gentry [7] ciphertext noise can be reduced and further

HindawiSecurity and Communication NetworksVolume 2018 Article ID 8706940 14 pageshttpsdoiorg10115520188706940

2 Security and Communication Networks

homomorphic operations can be performed However dueto its inherent complexity bootstrapping has become amajor bottleneck for the efficiency of all FHE schemesAlthough there are many studies on improving the efficiencyof FHE schemes [8ndash27] they are still not simple and efficientenough to be widely adopted in the real world Designing aconceptually simple and efficient FHE scheme has become achallenging issue

In this paper a new FHE scheme is proposed to achieveboth conceptual simplicity and higher efficiency The schemeis constructed using the ideas of ciphertext matrix operationsin the FHE scheme proposed by Gentry Sahai and Waters(GSW) [19] and ciphertext vector additions in the FHEscheme proposed by Ducas and Micciancio (DM) [21] Boththese schemes are conceptually simpler than most otherFHE schemes while suffering from low efficiency We haveproved that comparedwithDM our scheme allows onemorehomomorphic operation to be performed before ciphertextrefreshing And the computational cost of our scheme issignificantly lower than that of DM and GSW under the samesecurity parameters with the error rate kept at a sufficientlylow level Our scheme not only inherits the advantage of con-ceptual simplicity in DM and GSW but is also more efficient

AssumptionsThe assumptions in our scheme are specified asfollows (1) the hardness of the Learning with Errors (LWE)problem [28] (2) circular security in ciphertext refreshingthat is one can safely encrypt a secret key under its associatedpublic key [7] (3) the operations on the binary circuit whichare performed parallelly And the computational cost at eachlevel is represented as that of a specific gate at the level

Contributions The main contributions of our scheme aresummarized as follows (1) To the best of our knowledgeour scheme is one of the few FHE schemes which take bothsimplicity and efficiency into consideration (2) Our schemeinherits the advantage of conceptual simplicity in DM andGSW which are conceptually simpler than most other FHEschemes (3)Our scheme combines the advantage of efficienthomomorphic operation in DM with the advantage of mod-erate growth of noise magnitude in GSW When comparedwith DM it allows one more homomorphic operation tobe performed before ciphertext refreshing Under the samesecurity parameters the computational cost of our scheme isobviously lower than that of DM and GSW and the error rateis kept at a sufficiently low level

Organization The rest of this paper is organized as followsthe related work is discussed in Section 2 some preliminariesare given in Section 3 a review of GSW and DM is presentedin Section 4 our more efficient FHE scheme along with itscorrectness security and applicability analysis is presentedin Section 5 the comparison of our scheme with DM andGSW in terms of overall efficiency and error rate is given inSection 6 finally conclusions are drawn in Section 7

2 Related Work

21 Construction of FHE Schemes Gentry proposed the firstFHE scheme in 2009 [7] which marks a milestone in the

research of homomorphic encryption Gentryrsquos FHE schemeis based on ideal lattices which includes the followingmajor steps (1) the construction of a somewhat homo-morphic encryption scheme (SWHE) which allows limitedhomomorphic additions andmultiplications to be performedon ciphertexts (2) the squashing step for reducing thecomplexity of decryption algorithm (3) the bootstrappingtechnique for reducing ciphertext noise via re-encryption andhomomorphic decryption Despite its significant contribu-tion Gentryrsquos scheme sufferes from a rather low efficiencyFollowing Gentryrsquos work some other FHE schemes based onideal lattices have been proposed on improving the efficiencyofGentryrsquos scheme [8ndash11]However the inherent complicatedkey generation process along with large keyciphertext sizeshas made these schemes impractical for real-world applica-tions

In 2010 Dijk et al proposed a FHE scheme over theintegers [29] Both the keys and ciphertexts are integerswhich are much simpler than previous FHE schemes basedon ideal lattices However the scheme also suffers from lowefficiency due to large keyciphertext sizes Although someimproved FHE schemes on integers have been proposed [12ndash15] keys and ciphertexts in these schemes are still too large tobe deployed in any practical system

Recently most FHE schemes have been constructedbased on the LWE problem which is a computational prob-lem over lattices [28] LWE has now drawn the attention ofmore and more cryptographic researchers with its relativelysmall keyciphertext sizes and strong security Brakerskiand Vaikuntanathan presented the first LWE-based FHEscheme (BV) in 2011 [30] The relinearization techniquewas introduced for controlling ciphertext dimension inhomomorphic multiplications And the dimension-modulusreduction technique was proposed as a new method forsimplifying the decryption algorithm to make the schemebootstrappable thus fully homomorphic Compared withthe squashing technique proposed by Gentry the sparsesubset-sum assumption was removed in dimension-modulusreduction making it more natural Brakerski Gentry andVaikuntanathan proposed a leveled FHE scheme (BGV)in 2012 [16] The relinearization and dimension-modulusreduction techniques were improved as the key-switchingandmodulus-switching techniques in BGV formore efficientcontrol of ciphertext dimension and noise magnitude Brak-erski then introduced a scale-invariant leveled FHE scheme(Bra12) without modulus switching Compared with previousLWE-based FHE schemes Bra12 is simpler and ciphertextnoise magnitude grows by a constant multiplicative factor ashomomorphic operations proceed instead of exponentiallyHowever in all of these schemes the complex process ofkey switching (or relinearization) still introduces a hugecomputational cost which is unattractive in practice

In 2013 a new leveled FHE scheme known as GSW wasproposed by Gentry Sahai and Waters [19] GSW is basedon approximate eigenvectors of matrices The ciphertexts inGSW are square matrices and homomorphic additions andmultiplications are just matrix additions and multiplicationsrespectively Therefore ciphertext dimension always keepsconstant and key switching is no longer necessary Scale-invariance can also be achieved in GSW via the flatten

Security and Communication Networks 3

technique thus modulus switching is also no longer nec-essary GSW is simpler and more natural than previousLWE-based FHE schemes However matrix multiplicationstill brings about a high computational cost Ducas andMiccianico proposed a new FHE scheme with homomorphicNOT AND (NAND) gates [21] which is known as the DMscheme Homomorphic operations in DM are just ciphertextvector additions which are very simple operations Howeverciphertexts in DM need to be refreshed after each homomor-phic operation which becomes a bottleneck for the overallefficiency Although GSW and DM are conceptually simplerthan most other FHE schemes both of them still suffer fromefficiency bottlenecks

Other research works on the construction of LWE-basedFHE schemes generally focus on improving the efficiency[22ndash25] and optimizing the bootstrapping algorithm [2627] In some recent research works multikey FHE schemesare proposed for secure multiparty computation [31 32]However these schemes involve either key-switching orciphertextmatrix operations which are both computationallycosting Some of them are not conceptually simpleThereforeit is necessary to construct a new FHE scheme with bothconceptual simplicity and higher efficiency

22 Applications of Homomorphic Encryption Schemes Ashomomorphic encryption supports operations on encrypteddata it is definitely more powerful than traditional encryp-tion techniques and has a vast area of applications In recentyears with the wide adoption of cloud storage and cloudcomputation in real-world applications there have beenmany applications of homomorphic encryption schemes onprivacy protection in the cloud

Searchable encryption is a basic application of homo-morphic encryption where users can execute secure querieson encrypted data The query results are obtained throughhomomorphic operations between the encrypted query andthe encrypted data A lot of researchers have proposedsecure information retrieval schemes based on homomorphicencryption [33ndash36] Meng Shen et al proposed a graphencryption scheme which makes use of SWHE and enablesapproximate Constrained Shortest Distance (CSD) queryingover encrypted graph [37] Another common applicationof homomorphic encryption schemes is secure e-votingwhere the ballots of voters are encrypted and homomor-phic operations are performed on these data [38ndash41] Theproperty of homomorphic encryption makes it possible totally all encrypted ballots without accessing the plaintextcontent of any individual ballot thus voterrsquos privacy isprotected Recently with the rapid development of artificialintelligence and machine learning privacy protection inmachine learning has also drawn the attention of manyresearchers Many studies on encrypted machine learninghave emerged where homomorphic encryption schemes areadopted for computation on encrypted data Xiaoqiang Sun etal implemented three private classification algorithms basedon homomorphic encryption [42] which were hyperplanedecision-based classification Naıve Bayes classification anddecision tree classification M Kim et al proposed securelogistic regression for biomedical data [43] There are also

lots of research works on secure deep learning based onhomomorphic encryption [44ndash46] The activation functionsin deep learning algorithms are usually approximated aspolynomials which can be homomorphically evaluated byhomomorphic encryption schemes Other recent applica-tions of homomorphic encryption include integrity verifica-tion [47 48] data aggregation [49 50] and secure multipartycomputation [32 51]

Moreover homomorphic encryption can be applied inthe defense against phishing attack where userrsquos personalinformation is encrypted and the verification is completedvia homomorphic operations Even if personal informationis leaked to the phishing server nothing can be learned fromthe encrypted data Longfei Wu et al proposed a novel auto-mated lightweight antiphishing scheme formobile platformswhich is highly beneficial for mobile users [52] Adoptinghomomorphic encryption in the scheme would provide aneven stronger defense against phishing attacks With the riseof self-awareness of privacy protection and the developmentof homomorphic encryption there will be more and moreapplications of homomorphic encryption in the future

3 Preliminaries

31 Notations The mathematical symbols in this paper areshown in Table 1

32The LWEProblem LWE is a computational problem overlattices which is proposed by Regev [28] For security param-eter 120582 let 119899 = 119899(120582) and 119902 = 119902(120582) denote the dimension andmodulus of the vector respectively and let 120594 = 120594(120582) denotethe random distribution on Z for the random errors Thevector s is generated by sampling slarr997888 Z For vector alarr997888Z119899119902 and error 119890 larr997888 120594 output the following LWE instance(a 119887) = (a(a sdot s + 119890) mod 119902) isin Z119899+1119902 The LWE assumptionis that the distribution 1205941015840 formed by different LWE instancesis computationally indistinguishable from the uniformdistribution on Z119899+1119902

33 The Cyclotomic Ring Let 119873 be a power of 2 the 2119873-th cyclotomic polynomial is Φ2119873(119883) = 119883119873 + 1 and thecorresponding polynomial ring is 119877 = Z[119883]119883119873 + 1 119877119876 =119877119876119877 denotes the residue ring of 119877 modulo an integer 119876Each element in 119877 is a polynomial with integer coefficientswhose degree is at most 119873 minus 1 and each element in 119877119876 is anelement in 119877 with all its coefficients modulo 119876 For polyno-mial 119903 = sum119873minus1119894=0 119903119894119883119894 isin 119877 let CF(119903) = (1199030 119903119873minus1) denotethe coefficient vector of the polynomial And let ACR(119903)denote the following matrix the first column is CF(119903) andthe other columns are the anticyclic rotations of CF(119903) withthe cycled entries negated as shown in

ACR (119903) =[[[[[[[

1199030 minus119903119873minus1 sdot sdot sdot minus11990311199031 1199030 sdot sdot sdot minus1199032 d

119903119873minus1 119903119873minus2 sdot sdot sdot 1199030

]]]]]]]

(2)


Table 1 List of mathematical symbols with their meanings

Symbol MeaningRegular letters (with possibly superscripts andsubscripts) eg 119902 1198991015840 119861 Scalars

Bold lowercase letters (with possibly superscripts andsubscripts) eg e c1015840 Vectors

Bold uppercase letters (with possibly superscripts andsubscripts) eg AC1015840 Matrices

Z The set of all integersC The set of all complex numbersZ+ The set of all positive integers

Z119902The set of integers modulo an integer 119902 which are

reduced to (minus1199022 1199022]Z119898times119899119902 The set of119898 times 119899matrices with all coefficients in Z119902Z[119883] The set of all polynomials with integer coefficientsB(119899 119901) Binomial distribution with parameters 119899 119901lfloor119909rceil Rounding of 119909 to the nearest integer⟨ab⟩ or a sdot b Inner product of vectors ab[A||b] The horizontal concatenation of matrix A and vector bainfin The infinite norm of vector a a

infin= max119894|119886119894|

119889 larr997888 119863 If 119863 is a distribution 119889 is sampled according to 119863 If 119863is a set 119889 is uniformly sampled from 119863

negl(120582) A negligible amount negl(120582) = 119900(120582minus119888) for any constant119888 gt 0 as 120582 997888rarr +infin

34 BitDecomp and Flatten Techniques Let BD(sdot) denote theBitDecomp operation and let ab isin Z119896119902 119897 = lfloorlog 119902rfloor + 1 119873 =119896119897 The BitDecomp operation is defined as follows

BD (a) = (11988610 1198861119897minus1 1198861198960 119886119896119897minus1) (3)where 119886119894119895 is the 119895-th bit in 119886119894rsquos binary representation fromthe lowest to the highest bit After BitDecomp the upperbound of arsquos 1198971 norm goes down from 119899119902 to 119899 log 119902 LetBDminus1(sdot) denote the inverse operation of BD(sdot) for a vectora1015840 = (11988610 1198861119897minus1 1198861198960 119886119896119897minus1) isin Z119873119902 the operationBDminus1(sdot) is defined as follows

BDminus1 (a1015840) = (119897minus1sum119895=0

21198951198861119895 119897minus1sum119895=0

2119895119886119896119895) isin Z119896119902 (4)

LetFL(sdot) denote the flatten operation for a vector a1015840 isin Z119896119902FL(sdot) is defined as follows

FL (a1015840) = BD (BDminus1 (a1015840)) isin 0 1119873 (5)

There is another operation PowersofTwo(sdot)which comeshand in hand with BD(sdot) Let PT(sdot) denote the operationPowersofTwo( sdot ) which is defined as follows

PT (b) = (1198871 21198871 2119897minus11198871 119887119896 2119887119896 2119897minus1119887119896)isin Z119873119902

(6)

An obvious property between BD(sdot) and PT(sdot) is shown asfollows

⟨BD (a) PT (b)⟩ = ⟨ab⟩ (7)

For a vector a1015840 isin Z119873119902 the following property also holds

⟨a1015840PT (b)⟩ = ⟨BDminus1 (a1015840) b⟩ = ⟨FL (a1015840) PT (b)⟩ (8)

It can be observed from (8) that an important advantageof FL(sdot) lies in that it makes the coefficients of a vector smallwithout affecting its inner product with the vector PT(b)When the above operations are applied to a matrix they areperformed for each row of the matrix

4 A Review of GSW and DM Schemes

41TheGSWScheme GSW is constructed based on approxi-mate eigenvectors ofmatrices And homomorphic operationsin GSW are just ciphertext matrix operations GSW is morenatural and concise than previous LWE-based FHE schemeswhich require key switching (or relinearization) The mainalgorithms in GSW are shown as follows

(i) GSWKeyGen(120582 119871) 120582 119871 denote the security param-eter andmultiplicative depth respectively Ciphertextdimension 119899 = 119899(120582 119871) modulus 119902 = 119902(120582 119871) andnoise distribution 120594 = 120594(120582 119871) are set to guarantee asecurity level of 120582 Let119898 = 119874(119899 log 119902) 119897 = lfloorlog 119902rfloor + 1119873 = (119899+1)119897 and parameter set 119901119886119903119886119898119904 = (119899 119902 120594 119898)Sample t larr997888 Z119899119902 let s = (1 minus t) isin Z119899+1119902 and outputsecret key 119904119896 = k = PT(s) Sample B larr997888 Z119898times119899119902 e larr997888120594119898 let b=B sdot t+e A = [b B] and output public key119901119896 = A


1isin 01

2isin 01

C1isinZNtimesNq

C2isinZNtimesNq

GSWEnc

GSWEnc

GSWHomNAND

GSWDec = 1 minus 12

C＄isinZNtimesNq

Figure 1 Overall algorithm flow of the GSW scheme

(ii) GSWEnc(119901119886119903119886119898119904 119901119896 120583) for plaintext message 120583 isinZ119902 sample R larr997888 0 1119873times119898 output ciphertext

C = FL (120583 sdot I119873 + BD (R sdot A)) isin Z119873times119873119902 (9)

where I119873 denotes the119873-dimensional identity matrix(iii) GSWHomNAND(C1C2) on input ciphertext pair

C1C2 isin Z119873times119873119902 output ciphertext

CNAND = FL (I119873 minus C1C2) (10)

As a result of the homomorphic NAND operationCNAND satisfies the following property

CNAND sdot k = (1 minus 12058311205832) k minus 1205832e1 minus C1e2 (11)

where1205831 1205832 are the plaintext messages inC1C2 respectivelyand e1 e2 are the corresponding ciphertext noises Let 1198610denote the upper bound of the noise magnitudes in C1C2that is the upper bound for the 119897infin norms of e1 e2 It isobvious that maxe1infin e2infin lt 1198610 Actually C1C2 isin0 1119873times119873 as a result of the flatten operation As 1205832 isin 0 1the noise in CNAND is upper bounded by (119873+1)1198610 as shownby (11)

The overall algorithm flow of GSW is shown in Figure 1

42 The DM Scheme DM is a FHE scheme based on a LWEsymmetric encryption scheme Homomorphic operationsin DM correspond to ciphertext vector additions DM isconceptually simple for its simple homomorphic operationThe main algorithms in DM are shown as follows

(i) DMKeyGen(120582) 120582 denotes the security parameterInteger 119905 ge 2 is the plaintext modulus Ciphertextdimension 119899 = 119899(120582) modulus 119902 = 119902(120582) and cipher-text noise distribution 120594 = 120594(120582) are set to guaranteea security level of 120582 Here 119909 lt 1199022119905 for any 119909 larr997888120594 Let 119901119886119903119886119898119904 denote the parameter set 119901119886119903119886119898119904 =(119899 119902 119905 120594) The key is uniformly sampled fromZ119899119902 119901119896119904119896 larr997888 Z119899119902

(ii) DMEnc(119898 119901119896 119901119886119903119886119898119904) the plaintext and cipher-text spaces are Z119905Z119902 respectively Sample a larr997888 Z119899119902

119890 larr997888 120594 on input plaintext message 119898 isin Z119905 andoutput ciphertext

LWE119905119902s (119898) = (aa sdot s + 119898119902119905 + 119890) isin Z119899+1119902 (12)

(iii) DMHomNAND((a1 1198871) (a2 1198872)) on input cipher-texts c119894 = (a119894 119887119894) 119894 isin 1 2 and c119894 isin LWE4119902s (119898119894 11990216)encrypts the plaintext message119898119894 output c = (a 119887) isinLWE2119902s (1 minus 11989811198982 1199024) In particular

(a 119887) = (minusa1 minus a2 58119902 minus 1198871 minus 1198872) (13)

The ciphertext (a 119887) is a ciphertext of 1 minus 11989811198982 withnoise magnitude less than 1199024 which guarantees correctdecryption Homomorphic NAND operations in DM arecompleted by a few additions between ciphertext vectorswhich are simpler and faster than tensor products or matrixoperations in previous schemes However ciphertext mag-nitude would be at least 1199024 after a further homomor-phic operation then the ciphertext would no longer becorrectly decrypted After each homomorphic operationciphertext needs to be refreshed to keep the noise magnitudesmall

An efficient ciphertext refreshing algorithm based onRing-GSW is proposed in DM for reducing ciphertextnoise In the refreshing algorithm ciphertext (a 119887) isinLWE2119902s (119898 1199024) and refreshing key 119870119903119891 are taken as inputand base 119861119903 is used to encode the ciphertext (a 119887) 119870119903119891consists of the following ciphertexts

119870119894119888119895 = 119864 (119888119904119894119861119895119903 mod 119902) 119888 isin 0 119861119903 minus 1 119895 = 0 119889119903 minus 1 119894 = 1 119899 (14)

where 119889119903 = lceillog119861119903119902rceil and 119864(sdot) denotes the encryption algo-rithm in the ciphertext refreshing algorithm The ciphertextrefreshing algorithm is shown as in Algorithm 1 whereInit(sdot) and Incr(sdot) denote the initialization and homomorphicaddition of the accumulator ACC respectively ACC isinitialized as an encryption of 119887 + 1199024 When the main


DMEnc

DMEnc

DMHomNAND

ModulusSwitching

Key Switching

HomomorphicAccumulation

m1isin 01

m2isin 01

７4qs (m1 q 16)

７4qs (m2 q 16)

７4qs (mq16)

７2qs (mq 4)

７4QCF(z)(m E1)

７4Qs (m E2)

Figure 2 Overall algorithm flow of the DM scheme

1 Init(ACC 119887 + 1199024)2 for 119894 = 1 119899 do3 Expand minus 119886119894 as minus 119886119894 = sum119895 119886119894119895119861119895119903 (mod 119902)4 for 119895 = 0 119889119903 minus 1 do Incr(ACC119870119894119886119894119895119895)5 end for6 Output msbExtract(ACC)Algorithm 1 DM Refresh((a 119887)119870119903119891)

1 [a119905 b119905] = [0119905 t119905 0119905 0119905] sdot ACR(ACC)2 c = (a 1198870 + 119906) isin LWE119905119876CF(119911)(msb(V))3 c1015840 = KeySwitch(c119870119896119904) isin LWE119905119876s (msb(V))4 c10158401015840 = ModSwitch(c1015840) isin LWE119905119902s (msb(V))Algorithm 2msbExtract(ACC119870119896119904 t)

loop in Algorithm 1 ends the underlying plaintext V of theaccumulator satisfies

V minus 1199024 = 119887 + sum119894119895

119886119894119895119904119894119861119895119903 = 119887 + sum119894

119904119894sum119895

119861119895119903119886119894119895= 119887 minus sum

119894

119886119894119904119894 = 1199022119898 + 119890 (15)

where 119890 is the noise in the input ciphertext (a 119887) As |119890| lt 1199024it is clear that 0 lt V lt 1199022 when 119898 = 0 and 1199022 lt V lt 119902when 119898 = 1 In other words extracting the most significantbit (msb) in V would yield the plaintext 119898

During themsbExtract process in Algorithm 1 the accu-mulator ACC along with a switching key 119870119896119904 and a testingvector t = minussum1199022minus1119894=0 CF(119884119894) is taken as input Here 119884 =1198832119873119902 and 119911 isin 119877 is the secret key used in the encryptionalgorithm of the ciphertext refreshing algorithm The detailsofmsbExtract are shown in Algorithm 2

The ciphertext c in the 2nd step of Algorithm 2 is

c = (a 1198870 + 119906) = (a sdot CF (119911) + t sdot e + 2119906 sdotmsb (V)) (16)

where a = t119905 sdot ACR(119886) [119886 1198871015840] is the 2nd row of ACC and119906 = lceil1198762119905rceil or lfloor1198762119905rfloor As 119906 asymp 1198762119905 c is an encryptionof msb(V)=119898 Thus cisin LWE119905119876CF(119911)(msb(V)) After key andmodulus switching c is transformed to a ciphertext underkey s modulo 119902 Under an appropriate parameter settingthe noise magnitude of the refreshed ciphertext would belower than 11990216 and further homomorphic operations can beperformed

The overall algorithm flow of DM is shown in Figure 2where119898 = 1 minus 119898111989825 Efficient FHE Scheme Based onGSW and DM Schemes

Aimed at the problem of overly frequent ciphertext refresh-ings inDM a new FHE scheme (NHE) is proposed to achievea higher efficiency The ciphertext matrix operations in GSWand ciphertext vector additions in DM are both applied inour scheme And the advantage of conceptual simplicity ofboth GSW and DM is inherited in our schemeMoreover ourscheme combines the advantage of efficient homomorphicoperation in DM with the advantage of moderate growth ofnoise magnitude in GSWThe whole scheme is briefly shownhere and some related details will be illustrated later

(i) NHEKeyGen(120582) here 120582 denotes the security param-eter Modulus 119902 = 119902(120582) = 2119896(119896 isin Z+) dimension 119899 =119899(120582) and ciphertext noise distribution 120594 = 120594(120582) areset to guarantee a security level of 120582 Concretely 120594 is adiscrete Gaussian distribution over integers with zeromean and standard deviation 120590 Let 119901119886119903119886119898119904 denotethe parameter set (119899 119902 120594) and let 119897 = log 119902 + 1119873 =(119899 + 1)119897 Sample t larr997888 Z119899119902 s=(1minust) isin Z119899+1119902 outputsecret key 119904119896 = k = PT(s) isin Z119873119902 Sample B larr997888


NHEEnc

NHEEnc

NHEEnc

NHEEnc

Key SwitchingModulusSwitching

NHEHomNANDGSW

NHEHomNANDGSW

m11isin 01

m12isin 01

m21isin 01

m22isin 01

C11isinZNtimesNq

C12isinZNtimesNq

C21isinZNtimesNq

C22isinZNtimesNq

c＄isinZn+1q

c2isinZNq

c1isinZNq

c＄isinZNqc＄ isinZn+1

q

NHEHomNANDDM

Figure 3 Overall algorithm flow of our scheme

Z119873times119899119902 e larr997888 120594119873 let b=Bt + e A = [b B] andoutput public key 119901119896 = A

(ii) NHEEnc(119898 119901119896) on input plaintext message 119898 isin0 1 output ciphertextC = FL (119898I119873 + BD (A)) isin Z

119873times119873119902 (17)

(iii) NHEHomNAND(C1C2) the input ciphertextsC1C2 isin Z119873times119873119902 correspond to encryptions of 11989811198982 isin 0 1 respectively Each ciphertext is assumedto have an internal attribute 119897119890V119890119897 indicatingthe number of homomorphic operations it hasgone through The 119897119890V119890119897 of any ciphertext is 0in the beginning and increases by 1 after eachhomomorphic operation For C1C2 such thatC1119897119890V119890119897 = C2119897119890V119890119897 = 0 homomorphic NANDoperation is performed as follows

C1015840 = FL (I119873 minus C1C2) (18)

Then the (119897 minus 2)-th row is extracted from C1015840 asthe ciphertext c1015840 isin Z119873119902 for the next homomorphicNAND operation Clearly c1015840119897119890V119890119897 = 1 For a pair ofciphertexts c10158401 c10158402 isin Z119873119902 such that c10158401119897119890V119890119897 = c10158402119897119890V119890119897 =1 homomorphic NAND operation is performed asfollows

cNAND = FL (minusc10158401 minus c10158402 + c0) isin 0 1119873 (19)

where c0 is an auxiliary vector such that c0 = BD((51199028 0)) isin 0 1119873 The homomorphic operations in (18)and (19) are based on the ideas of ciphertext matrixoperations in GSW and ciphertext vector additions inDM respectively

(iv) NHEKeySwitch(cNAND119870119896119904) the switching key119870119896119904 consists of the following ciphertexts k119894119888 isinLWE119902119902s1015840 (119888V119894) 119894 = 1 119873 119888 isin 0 1 where s1015840 larr9978880 11198991015840 is the new secret key On input ciphertextcNAND and the switching key119870119896119904 output ciphertext

c1015840NAND=sum119894

k119894119888119894 isin Z1198991015840+1119902 (20)

The above ciphertext c1015840NAND is a ciphertext under thenew secret key s1015840 instead of k

(v) NHEModSwitch(c1015840NAND) on input ciphertext c1015840NAND output ciphertext

c10158401015840NAND=lfloor 1199021015840119902 c1015840NANDrceil isin Z1198991015840+11199021015840 (21)

where 1199021015840 = 21198961015840(1198961015840 isin Z+) and 1199021015840 lt 119902 c10158401015840NAND is the finalciphertext after 2 homomorphic NAND operationsThe modulus in c10158401015840NAND is transformed from 119902 to 1199021015840Moreover dimension and modulus of c10158401015840NAND are setto be the same as those of the ciphertexts in DM

NHEKeySwitch corresponds to the sum of some (1198991015840 +1)-dimensional vectors and NHEModSwitch correspondsto rounding for each coefficient in a single vector Bothalgorithms involve just simple operations which have nosignificant effect on the simplicity of our schemeThe overallalgorithm flow of our scheme is shown in Figure 3 Here thealgorithms NHEHomNANDGSW and NHEHomNANDDMdenote the algorithms in (18) and (19) respectively

51 Correctness Analysis Assuming there are 4 fresh cipher-texts C11C12C21C22 isin Z119873times119873119902 as shown in Figure 3


Each coefficient of the noise vectors in the above ciphertextsfollows a discrete Gaussian distribution with zero mean andstandard deviation 120590 According to the property of discreteGaussian distribution the probability of each coefficientbeing in the interval [minus6120590 6120590] is 1199010 which is very close to 1The probability of the all the noises inC11C12C21C22 beingupper bounded by 1198610 = 6120590 is thus 1199011 = 11990141198730

It can be learned from (18) that the ciphertext C1015840 satis-fies

C1015840k = (1 minus 11989811198982) k minus 1198982e1 + C1e2 (22)

where e1 e2 are the noise vectors in C1C2 respectively Asthe first 119897 coefficients in k are (V1 V2 V119897) = (1 2 2119897minus1)and 119897 = log 119902 + 1 it is clear that V119897minus2 = 1199024 Let C1015840119897minus2 denotethe (119897 minus 2)-th row in C1015840 we have

C1015840119897minus2k= (1 minus 11989811198982) 1199024 + 119890 (23)

where 119890 = C1119897minus2sdote2 minus11989821198901119897minus2 And 1198901119897minus2C1119897minus2 are the (119897 minus 2)-th coefficient in e1 and the (119897 minus 2)-th row in C1 respectively119890 should satisfy the constraint |119890| lt 11990216 to guarantee correctdecryption after the next homomorphic operation

Assume the ciphertexts c10158401 c10158402 in (19) encrypt 11989810158401 11989810158402 isin0 1 respectively and the ciphertext noises in c10158401 c10158402 are 11989010158401 11989010158402respectively Clearly c1015840119894 sdot k = 1198981015840119894 (1199024) + 1198901015840119894 119894 isin 1 2 It is clearthat

(minusc10158401 minus c10158402) sdot k= minus (11989810158401 + 11989810158402) 1199024 minus (11989010158401 + 11989010158402) (24)

c0 sdot k = ⟨(51199028 0) (1 minust)⟩ = 51199028 (25)

Let the plaintext spaces of c1015840119894 (119894 = 1 2) and cNAND be Z4 andZ2 respectively as in DMThe noise in the ciphertext cNANDis

119890NAND=cNAND sdot k minus (1 minus 1198981015840111989810158402) 1199022= minus (11989810158401+11989810158402) 1199024 minus (11989010158401 + 11989010158402) + 58119902

minus (1 minus 1198981015840111989810158402) 1199022= 1199024 [12 minus (11989810158401minus11989810158402)2] minus (11989010158401 + 11989010158402)

(26)

For each ciphertext k119894119888 in the switching key119870119896119904 we havek119894119888 = (a119896119904 a119896119904 sdot s1015840 + 119888V119894 + 119890119896119904) where a119896119904 larr997888 Z119899

1015840

119902 119890119896119904 larr997888120594 Thus the ciphertext c1015840NAND can be further expressedas

c1015840NAND

= ( 119873sum119894=1

a119896119904119894 ( 119873sum119894=1

a119896119904119894) sdot s1015840 + cNAND sdot k + 119873sum119894=1

119890119896119904119894)isin Z1198991015840+1119902

(27)

where a119896119904119894 larr997888 Z1198991015840

119902 119890119896119904119894 larr997888 120594 119894 = 1 119873 The noise inc1015840NAND is

1198901015840NAND = cNAND sdot k minus (1 minus 1198981015840111989810158402) 1199022 + 119873sum119894=1

119890119896119904119894= 119890NAND + 119873sum

119894=1

119890119896119904119894(28)

Let c119903119890 denote the error vector brought about by therounding operation in (21) we have

c119903119890 =lfloor 1199021015840119902 c1015840NANDrceil minus 1199021015840119902 c1015840NAND isin (minus12 12]1198991015840+1

(29)

The noise introduced by modulus switching is

119890119903119890 = c119903119890minus(119899+1) sdot s1015840 + 119888119903119890119899+1 (30)

where c119903119890minus(119899+1) is the subvector extracted from all the coeffi-cients in c119903119890 except the (119899 + 1)-th coefficient and 119888119903119890119899+1 is the(119899 + 1)-th coefficient in c119903119890 Then the noise of c10158401015840NAND can beexpressed as

11989010158401015840NAND=1199021015840119902 (119890NAND + 119873sum119894=1

119890119896119904119894) + 119890119903119890 (31)

According to (11) the upper bounds for 11989010158401 11989010158402 are both(119873+1)1198610 where1198610 is the upper bound of the fresh ciphertextsgenerated in (17) Under an appropriate parameter setting wefurther have

max 100381610038161003816100381610038161198901015840110038161003816100381610038161003816 100381610038161003816100381610038161198901015840210038161003816100381610038161003816 le (119873 + 1) 1198610 lt 11990232 (32)

Then it can be learned from (26) (31) and (32) that the noisemagnitude in c10158401015840NAND satisfies

1003816100381610038161003816100381611989010158401015840NAND10038161003816100381610038161003816 lt 3119902101584016 + 1199021015840119902

1003816100381610038161003816100381610038161003816100381610038161003816119873sum119894=1

1198901198961199041198941003816100381610038161003816100381610038161003816100381610038161003816 +

10038161003816100381610038161198901199031198901003816100381610038161003816 (33)

All the random noises 119890119896119904119894 (119894 = 1 119873) are drawnfrom an identical discrete Gaussian distribution The discreteGaussian distribution can be considered as the correspond-ing continuous Gaussian distribution with all the instancesrounded down to the nearest integer Assuming 119873 randomreal numbers are generated from a continuous Gaussiandistribution with zero mean and standard deviation 120590 theirsum also follows a Gaussian distribution with zero mean andstandard deviation radic119873120590 The probability of the above sumlying in the interval [minus6radic119873120590 6radic119873120590] satisfies 1199012 gt 1 minus 10minus8As the downward rounding has an errormagnitude of at most119873 we have 1003816100381610038161003816100381610038161003816100381610038161003816

119873sum119894=1

1198901198961199041198941003816100381610038161003816100381610038161003816100381610038161003816 le 6radic119873120590 + 119873 (34)

Under an appropriate parameter setting we have

11990210158401199021003816100381610038161003816100381610038161003816100381610038161003816119873sum119894=1

1198901198961199041198941003816100381610038161003816100381610038161003816100381610038161003816 lt 1205981 (35)

where 1205981 is a very small positive number


For vectors a119896119904119894(119894 = 1 119873) which are independentlyand uniformly sampled from Z119899

1015840

119902 it is clear that sum119873119894=1 a119896119904119894also follows a uniform distribution over Z119899

1015840

119902 And eachcoefficient in c119903119890minus(119899+1) follows the uniform distribution overthe following set

119878119903119890=minus12 + 120575 minus 12 + 2120575 12 minus 120575 12 (36)

where 120575 = 1199021015840119902 = 21198961015840minus119896 The uniform distribution over 119878119903119890can be considered as the continuous uniform distributionover [minus12 12] with all the instances rounded up to thenearest element in 119878119903119890 Let 119906119904119906119898 denote the sum of 119899119903(0 le119899119903 le 1198991015840) independent random real numbers from the uniformdistribution over [0 1] The probability density function of119906119904119906119898 is given by

119891119899119903 (119909) = 1(119899119903 minus 1)119896sum119895=0

(minus1)119895 C119895119899119903 (119909 minus 119895)119899119903minus1 119909 isin [119896 119896 + 1]

(37)

where 119896 isin 0 1 119899119903 minus 1 and C119895119899119903 is the number ofcombinations when choosing 119895 items from 119899119903 itemsThus thecorresponding cumulative distribution function is

119865119899119903 (119909) = 1119899119903119896sum119895=0

(minus1)119895 119862119895119899119903 (119909 minus 119895)119899119903 119909 isin [119896 119896 + 1] (38)

Let 1199013119899119903 denote the probability of 119906119904119906119898 lying in theinterval [1198991199032 minus 1198611 1198991199032 + 1198611] we have

1199013119899119903 = 119865119899119903 (1198991199032 + 1198611) minus 119865119899119903 (1198991199032 minus 1198611) (39)

where1198611 is a positive integer For 119899119903 independent random realnumbers from the uniformdistribution over [minus12 12]1199013119899119903is the probability of their sum lying in the interval [minus1198611 1198611]Let 1199013 = min1199013119899119903 119899119903=011198991015840 be the lowest probability among1199013119899119903(119899119903 = 0 1 1198991015840) 1199013 would be close to 1 as long as1198611 is sufficiently large And the absolute value of the abovesum can be considered as upper bounded by 1198611 When theabove 119899119903 independent random real numbers are rounded upto the nearest element in 119878119903119890 an extra error is introducedTheabsolute value of the error is upper bounded by 119899119903120575 As longas 120575 is sufficiently small the following is satisfied

119899119903120575 le 1198991015840120575 lt 1205982 (40)

where 1205982 is another very small positive numberThus we have

10038161003816100381610038161198901199031198901003816100381610038161003816 lt 1198611 + 1205982 + 12 (41)

According to the requirement for correct decryption 1198611should satisfy

1198611 le 119902101584016 minus (1205981 + 1205982 + 12) (42)

When 1199021015840 is sufficiently large 1199013 is still guaranteed to be closeto 1 even if1198611 is under the above constraint According to (33)

the upper bound of noise magnitude in the ciphertext c10158401015840NANDis

1198612 = 3119902101584016 + (1198611 + 1205981 + 1205982 + 12) le 11990210158404 (43)

Then we have |11989010158401015840NAND|lt 1198612 le 11990210158404 and correct decryptionis guaranteed The ciphertext c10158401015840NAND can be refreshed usingthe ciphertext refreshing algorithm in DM and furtherhomomorphic operations can be performed

Therefore the correctness of our scheme lies in that thethree incidents corresponding to the probabilities 1199011 1199012 1199013are all true The error rate of our scheme is 119901NHE119890119903119903 = 1 minus11990111199012119901352 Security Analysis Wefirst give a formal definition for thethreatsecurity model of indistinguishability under chosenplaintext attack (IND-CPA) and then conduct a securityanalysis for our scheme in line with the modelThe IND-CPAthreatsecurity model is defined as the following challenge-guess game between the challenger and the adversary

(i) Initialization The challenger C runs the Keygenalgorithm to obtain the public and private keys(119901119896 119904119896) larr997888 NHEKeyGen(120582) and sends the publickey 119901119896 to the adversary A

(ii) Challenge The adversary A selects a pair of plain-texts 1198980 1198981 and sends them to the challenger Thechallenger C randomly selects a plaintext 119898119887 suchthat 119887 larr997888 0 1 encrypts the plaintext 119888 larr997888NHEEnc(119901119896119898119887) and then sends the ciphertext 119888 tothe adversary A

(iii) Guess The adversary A guesses the plaintext onreceiving ciphertext 119888 and outputs plaintext 1198981198871015840(1198871015840 isin0 1) If 1198871015840 = 119887 then the adversary A wins the game

LetA(119888) denote the index (01) of the adversaryrsquos outputplaintext on receiving ciphertext 119888The adversaryrsquos advantageadv(A) is defined as the difference between the probabilitiesthat the adversary guesses 119898119887 and 1198981minus119887 as shown in (44)

adv (A) = |Pr [A (119888) = 119887] minus Pr [A (119888) = 1 minus 119887]| (44)

The scheme is IND-CPA secure if for any polynomial timeadversary A the adversaryrsquos advantage adv(A) is negligibleadv(A)=negl(120582)

Generally the ciphertexts in homomorphic encryptionschemes are stored outside the local storageThus the storageproviders such as cloud service providers and remote serversmight be the direct potential adversaries Moreover thereare eavesdroppers who are trying to steal the stored dataAnd there may be coconspirators with an untrusted storageprovider who get the stored data from the untrusted storageproviderThey might also be the potential adversaries In ourscheme both the public key and ciphertexts can be revealedto them

Thus it is common for the adversaries to conduct chosenplaintext attacks (CPA)The IND-CPA security of our schemeis analyzed as follows


It can be learned from (17) that for the initial ciphertextCwe have BDminus1(C)=119898G+A where G=BDminus1(I119873) As BDminus1(C)can be transformed to C via BitDecomp C is secure ifBDminus1(C) effectively hides the plaintext119898[19]ThematrixA =[b B] isin Z119873times(119899+1)119902 consists of119873 independent LWE instances(B119894sdott+119890119894B119894) 119894 = 1 119873whereB119894 larr997888 Z119899119902 t larr997888 Z119899119902 119890119894 larr997888 120594

Suppose a polynomial time adversary A participates inthe challenge-guess game as described above If A achievesnonnegligible advantage in the game then the LWE problemcan be solved with equivalent advantage According to theLWE assumption no polynomial algorithm can solve theLWEproblemwith nonnegligible advantage Thus the adver-saryrsquos advantage adv(A) should be negligible Our scheme isIND-CPA secure with respect to the initial ciphertexts Fora final ciphertext c10158401015840NAND it can be regarded as a ciphertextfrom a LWE symmetric encryption scheme with secret keys1015840 In this case the challenger in the challenge-guess gameretains the secret key and performs encryption using thesecret key Following the above analysis it is easy to showthat our scheme is also IND-CPA secure with respect to thefinal ciphertexts Therefore our scheme achieves IND-CPAsecurity under the LWE assumption

53 Applicability Analysis In general our scheme supportsarbitrary operations on encrypted data it is universally appli-cable for privacy-preserving computations in the real worldsuch as financial and medical data analysis The underlyingplaintexts in each homomorphic NAND operation in ourscheme are a pair of bits which are at the lowest level of datagranularity Thus our scheme is highly flexible and extensibleand can be adjusted to various kinds of computations onencrypted data As our scheme is conceptually simple it canbe easily implemented deployed and maintained in real-world applications Furthermore the efficiency of our schemeis relatively high and the efficient ciphertext refreshingalgorithm in DM can be utilized in our scheme for efficientcomputation on encrypted data in real-world applications

6 Performance Comparison

In this section the homomorphic operations in DM GSWand our scheme are performed twice on a depth-2 binarycircuit with NAND gates We first present an analysis forthe computational costs and error rates of the three schemesThen based on the above analysis we present a comparisonfor the three schemes in terms of computational costs anderror rates To avoid name clashes the parameters in eachscheme are all local to the scheme and apply only to thescheme

61 Computational Cost of DM For a pair of fresh ciphertextsc0 c1 isin Z119899+1119902 the number of additions needed in the homo-morphic operation in (13) is

119899DM1 = 119899 + 2 (45)

It can be learned from DMRefresh that Incr(ACCC) isperformed 119899119889119903 times The operation in Incr(ACCC) can be

simplified as the multiplication between the 2nd row in ACCand the ciphertext C

The above multiplication needs 2 inner products betweena pair of 2119889119892-dimensional vectors in 1198772119889119892119876 The fast Fouriertransform (FFT) of the coefficient vector of each polynomialin119877119876withmaximum degree119873 can be represented as a vectorin C1198732 where 1198732 = 1198732 + 1 Inner product between apair of vectors in 1198772119889119892119876 needs 21198732119889119892 additions and 21198732119889119892multiplications on complex numbers Each multiplication oncomplex numbers needs 4 multiplications and 2 additions onreal numbers and each addition on complex numbers needs 2additions on real numbers As multiplication generally takesa longer time than addition each multiplication on complexnumbers needs at least 6 additions Therefore the number ofadditions needed in Incr(ACCC) is at least

119899DM2 = 2 sdot (6 + 2) sdot 21198732119889119892 = 321198732119889119892 (46)

The key switching in the 3rd step of Algorithm 2 needs119873119889119896119904 additions on (119899 + 1)-dimensional vectors Here 119889119896119904 =lceillog119861119896119904119902rceil and 119861119896119904 is the base for encoding ciphertexts asillustrated in DM [21]Thus the total additions needed in keyswitching is

119899DM3 = 119873119889119896119904 (119899 + 1) (47)

The number of additions needed in the next homomor-phic operation is the same as (45) As some other steps areomitted here a lower bound is obtained for the number ofneeded operations According to (45)sim(47) the number ofadditions needed in DM is at least

119899DM = 2119899DM1 + 119899119889119903 sdot 119899DM2 + 119899DM3= 321198732119899119889119892119889119903 + (119899 + 1) (119873119889119896119904 + 2) + 2 (48)

62 Computational Cost of Our Scheme For fresh ciphertextsC1C2 isin Z119873times119873119902 the first homomorphic NAND operation in(18) can be simplified as

C1015840119897minus2 = FL (I119873119897minus2 minus C1119897minus2C2) (49)

where I119873119897minus2C1119897minus2 are the (119897 minus 2)-th rows of the matricesI119873C1 respectively LetC119897+1119873119894119897+1119873 isin Z119899119897times119899119897119902 denote the submatrixextracted from the (119897+1)-th to the119873-th rows and columns ofC119894(119894 = 1 2) It is clear that each coefficient in C119897+1119873119894119897+1119873(119894 = 1 2)follows a uniform distribution over 0 1 Let C119897+11198731119897minus2 isin Z119899119897119902denote the subvector extracted from the (119897+1)-th to the119873-thcoefficients in C1119897minus2 It is clear that each coefficient in C119897+11198731119897minus2also follows a uniform distribution over 0 1

Let 119899119886119889119889119894 denote the number of additions needed in themultiplication betweenC119897+11198731119897minus2 and the 119894-th column inC119897+11198732119897+1119873119894 = 1 119899119897 For the above operation we need to add 1 to theintermediate result only when both coefficients being multi-plied are nonzero Thus the probability of needing 1 additionfor the multiplication between each pair of coefficients is14 Thus 119899119886119889119889119894 follows the binomial distribution B(119899119897 14)Let 1199014 denote the probability of 119899119886119889119889119894 being no more than


119899119887 (119899119887 lt 119899119897) And let 1199015 = 1199011198991198974 denote the probability that119899119886119889119889119894 is no more than 119899119887 for each 119894 = 1 119899119897 When 119899119887is sufficiently large both 1199014 and 1199015 would be close to 1 themultiplication between C119897+11198731119897minus2 and each column in C119897+11198732119897+1119873can be simplified as at most 119899119887 additions

For the multiplication between the other coefficients inC1119897minus2 and C2 an upper bound for the number of neededadditions can be derived assuming 1 addition for eachcorresponding coefficient pair

1198991015840119886119889119889=119873119897 + 119897 (119873 minus 119897) = (2119873 minus 119897) 119897 (50)

Considering the substraction between I119873119897minus2 andC1119897minus2C2an upper bound for the number of needed additions in the 1sthomomorphic NAND operation is obtained

119899NHE1 = 119899119887119899119897 + 1198991015840119886119889119889 + 1 = (119899119887 + 119897) (119873 minus 119897) + 119873119897 + 1 (51)

In the following FL(sdot) operation BDminus1(sdot) is performedfollowed by a BD(sdot) operation In BDminus1( sdot ) multiplying apower of 2 is just a shift operation which generally takesless time than addition Regarding each shift operation as anaddition an upper bound for the amount of computation canbe derived According to (3) (119899 + 1)(119897 minus 1) shift operationsand (119899+1)(119897minus1) additions are needed in total in the BDminus1( sdot )operation In the following BD( sdot ) operation 2 shifts and 1addition are needed for each bit generated from BD( sdot ) The2 shifts correspond to shifting right then left by 1 bit eachand the addition corresponds to the subtraction between theoriginal data and the data after the 2 shifts The amount ofcomputation needed for generating each bit in BD( sdot ) isupper bounded by 3 additions Thus the number of additionsneeded in the flatten operation is upper bounded by thefollowing

119899NHE2 = 2 (119899 + 1) (119897 minus 1) + 3119873 = (119899 + 1) (5119897 minus 2) (52)

According to (19) the number of additions in the 2ndhomomorphic NAND operation is

119899NHE3 = 2119873 (53)

And the following FL(sdot) operation again needs at most 119899NHE2additions According to (20) the number of additions neededin key switching is

119899NHE4 = 119873(1198991015840 + 1) (54)

As 1199021015840119902 = 21198961015840minus119896 modulus switching for each coefficientin the vector is just the process of shifting right for 119896 minus 1198961015840bits and then adding 1 or 0 to the lowest bit before the binarypointThus the amount of computation inmodulus switchingfor each coefficient can be represented as 2 additions Thenumber of additions needed in modulus switching is

119899NHE5 = 2 (1198991015840 + 1) (55)

Therefore the number of additions needed in our schemeis upper bounded by

119899NHE = 5sum119894=1

119899NHE119894

= (119899119887 + 1198991015840 + 2119897 + 3)119873 + (10119899 minus 119899119887 minus 119897 + 10) 119897+ (21198991015840 minus 4119899 minus 1)

(56)

63 Computational Cost of GSW In GSW as the ciphertextneeds to maintain the matrix structure in the 2nd homomor-phic operation the 1st homomorphic operation should beperformed as matrix operation The encryption algorithm ofGSW is modified as that in our scheme for a better contrastThe computational cost for the multiplication between eachrow of a matrix and another matrix is shown in (51) Andthe computational cost of the 2nd homomorphic operationin GSW is omitted here A lower bound is then obtained forthe computational cost of GSW From (51) it can be learnedthat the computational cost of GSW is at least

119899GSW = 119873 [(119899119887 + 119897) (119873 minus 119897) + 119873119897 + 1] (57)

64 Performance Comparison among DMGSW and Our Scheme

641 Parameter Configuration For convenience the mod-ulus in each of the above schemes is set to be a power of2 The parameters in DM are initially set identical to thecorresponding simulation parameters in the original DMscheme [21] The secret key s in DM is uniformly sampledfrom 0 1119899 For the binary LWE problem the dimension119899 should increase to 119899 log 119899 to ensure equivalent securitylevel as the standard LWE problem [53 54] The adversaryrsquosadvantage is set to adv = 2minus64 for all the schemes For a LWEproblemwith modulus 119902 dimension 119899 and discrete Gaussiannoise distribution 120594with Gaussian parameter 119903 the followingshould be satisfied to guarantee a security level of 120582[55]

119899 ge log22((119902119903) sdot radic ln (1adv)120587 )

sdot (log2 (2120582 sdot adv) + 110)72119902

(58)

According to (58) and the simulation parameters it canbe learned that DM guarantees a security parameter of 120582 =58 When 120582 changes the modulus 119902 is kept unchangedand the dimension 119899 is set as the smallest integer whichguarantees a security level 120582 for the ciphertext The error rate119901DM119887119894119905119890119903119903 for each homomorphic operation in DM can bederived according to the standard deviation 120573 of the Gaussiannoise in the refreshed ciphertext [21] Specifically 119901DM119887119894119905119890119903119903 isthe probability that the ciphertext noise magnitude does notexceed 11990216 For depth-2 binary circuit withNANDgates theerror rate of DM is

119901DM119890119903119903 = 1 minus (1 minus 119901DM119887119894119905119890119903119903)3 (59)

For our scheme the final modulus 1199021015840 and dimension 1198991015840are set to be the same as those in DMThe standard deviation


Table 2 Computational costs and error rates of DM GSW and our scheme

119878119890119888119906119903119894119905119910 119875119886119903119886119898119890119905119890119903 58 64 70 76 82 88119901DM119890119903119903(times10minus10) 054 195 704 2207 6143 15453119901GSW119890119903119903(times10minus5) 427 451 476 500 555 580119901NHE119890119903119903(times10minus5) 189 230 318 431 603 852119899DM(times107) 528 561 599 637 675 713119899GSW(times1012) 168 197 231 268 364 416119899NHE(times107) 166 185 241 265 292 319of the Gaussian noise is set to 120590 = 3 The modulus anddimension of the initial ciphertext are set according to (32)and (58) Meanwhile they are set to be as small as possiblefor efficient operations 119899119887 is the upper bound for the numberof additions needed in the multiplication between C119897+11198731119897minus2 andeach column in C119897+11198732119897+1119873 as illustrated in Section 62 Here119899119887 is set to be as small as possible under the constraints1199014 gt 1 minus 10minus12 1199015 gt 1 minus 10minus8 where 1199014 1199015 are theprobabilities illustrated in Section 62Thus (51) holds and thecomputational cost of our scheme is made as low as possibleWhen the security parameter 120582 changes the final modulus1199021015840 is kept unchanged and the final dimension 1198991015840 is set as thesmallest integer which guarantees a security level 120582 for thefinal ciphertext In order to lower the error rate of our scheme1205981 1205982 are set to be as small as possible under the constraintsin (35) and (40) Thus 1198611 is made larger under the constraint(42) which promotes the probability 1199013 As discussed in theend of Section 51 the error rate of our scheme is

119901NHE119890119903119903 = 1 minus 119901111990121199013 (60)

For the GSW scheme the standard deviation of the Gaus-sian noise is also set as 120590 = 3 as in our scheme Andmodulus119902 and dimension 119873 are set as small as possible under theconstraint of correct decryption after 2 homomorphicNANDoperations Meanwhile the ciphertext should guarantee asecurity level of 120582 As long as the noise of the initial 4ciphertexts are upper bounded by 1198610 = 6120590 decryption ofthe final ciphertext would be correct Therefore the errorrate of GSW is

119901GSW119890119903119903 = 1 minus 1199011 = 1 minus 11990141198730 (61)

642 Performance Comparison Here a group of secu-rity parameters are considered and the other parametersare set according to the configurations discussed above119901DM119890119903119903 119901GSW119890119903119903 119901NHE119890119903119903 denote the error rates in DM GSWand our scheme respectively and 119899DM 119899GSW 119899NHE denotethe corresponding computational costs as shown in previousdiscussions The computational costs and error rates of DMGSW and our scheme under different security parameters areshown in Table 2The error rates are obtained from (59)sim(61)and the computational costs are obtained from (48)(56)(57)

FromTable 2 it can be learned that the error rates ofGSWand our scheme are higher than that of DM Neverthelessthey can still be considered to be sufficiently low for beinglower than 10minus4Themain reason is that the noisemagnitudesinmultiple initial ciphertexts are constrained in a fixed range

Although 1199010 is very close to 1 1199011 = 11990141198730 is much lowerthan1199010 thus119901GSW119890119903119903 119901NHE119890119903119903 are both obviously higher than1 minus 1199010 In DM 119901DM119887119894119905119890119903119903 is dependent only on the standarddeviation of the refreshed ciphertext which is sufficientlysmall compared with 11990216 Thus 119901DM119887119894119905119890119903119903 is a rather lowprobability Moreover 119901DM119890119903119903 depends on the error rates ofthe 3 homomorphic NAND operations which is only slightlyhigher than 119901DM119887119894119905119890119903119903

It is also shown in Table 2 that 119901NHE119890119903119903 lt 119901GSW119890119903119903 forsmall security parameter and 119901NHE119890119903119903 gt 119901GSW119890119903119903 whenthe security parameter is sufficiently large This is because119901NHE119890119903119903 is affected by 1199013 the probability of the sumrsquos absolutevalue being no more than 1198611 As the security parameter getslarger the ciphertext dimension also gets higher while theupper bound 1198611 is kept unchanged When more randomerrors are summed up 1199013 would decrease by a certain extentand the decrease of 1199013 is more significant than that of 1199011 =11990141198730 as the increase of 119873 With the increase of the securityparameter 119901NHE119890119903119903 increases faster than 119901GSW119890119903119903

On the other hand the overall efficiency of our schemeis significantly higher than that of DM and GSW Specifically119899NHE is more than 50 percent lower than 119899DM and severalorders of magnitudes lower than 119899GSW The main reason liesin that ciphertext refreshing is removed in our scheme andthe 1st homomorphic operation is simplified as a vector-matrix multiplication The computational cost is furtherreduced after considering the uniform randomness on 0 1for most coefficients By contrast the 1st homomorphicoperation in GSW is performed as matrix multiplicationAnd ciphertext dimension in GSW is higher than that of theinitial ciphertext in our scheme In DM ciphertext refreshingintroduces a rather high computational cost

7 Conclusions

Aiming at the problem of low efficiency caused by overly fre-quent ciphertext refreshings in DM we propose a new FHEscheme to achieve a higher efficiency We utilize ciphertextmatrix operations in GSW and ciphertext vector additionsin DM to construct our scheme Furthermore we combinethe advantage of efficient homomorphic operation in DMwith the advantage of moderate growth of ciphertext noisemagnitude in GSW Our scheme inherits the conceptualsimplicity of DM and GSW and allows 2 homomorphicNAND operations to be performed on ciphertexts beforeciphertext refreshing Results show that under the samesecurity parameters the computational cost of our scheme


is obviously lower than that in DM and GSW for a depth-2 binary circuit with NAND gates Thus our scheme issignificantly more efficient than DM and GSW Meanwhilethe error rate of our scheme is kept at a sufficiently low level

Our work focuses on constructing a simple and efficientFHE scheme based on DM and GSW schemes We alsoanalyze its correctness security and applicability and presenta comparison with DM and GSW schemes in terms of com-putational costs and error rates Our FHE scheme is intendedfor universal privacy-preserving computations in the realworld However our work is limited to the theoretical levelConcrete implementation for our scheme is not consideredin our work And the application of our scheme to real-worldalgorithms needs to be further explored

Data Availability

The data for the parameters in the FHE schemes during thecurrent study are included within the article

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This work was supported by the National Key Researchand Development Program of China [2016YFF0201003] theNational Natural Science Foundation of China [61571065]References

[1] I A T Hashem I Yaqoob N B Anuar S Mokhtar A Ganiand S Ullah Khan ldquoThe rise of lsquobig datarsquo on cloud computingreview and open research issuesrdquo Information Systems vol 47pp 98ndash115 2015

[2] D Gonzales J M Kaplan E Saltzman Z Winkelman andD Woods ldquoCloud-Trust-a Security Assessment Model forInfrastructure as a Service (IaaS) Cloudsrdquo IEEE Transactions onCloud Computing vol 5 no 3 pp 523ndash536 2017

[3] I Yaqoob I A Hashem A Ahmed S A Kazmi and C SHong ldquoInternet of things forensics Recent advances taxonomyrequirements and open challengesrdquo Future Generation Com-puter Systems vol 92 pp 265ndash275 2019

[4] J Chen and Q Zhu ldquoSecurity as a Service for Cloud-EnabledInternet of Controlled Things under Advanced PersistentThreats A Contract Design Approachrdquo IEEE Transactions onInformation Forensics and Security vol 12 no 11 pp 2736ndash27502017

[5] I Yaqoob E Ahmed M H U Rehman et al ldquoThe rise ofransomware and emerging security challenges in the Internetof Thingsrdquo Computer Networks vol 129 pp 444ndash458 2017

[6] S Pokharel K-K R Choo and J Liu ldquoMobile cloud securityAn adversary model for lightweight browser securityrdquo Com-puter Standards amp Interfaces vol 49 pp 71ndash78 2017

[7] C Gentry A fully homomorphic encryption scheme StanfordUniversity 2009

[8] D Stehle and R Steinfeld ldquoFaster Fully Homomorphic Encryp-tionrdquo in Proceedings of the International Conference on the

Theory and Application of Cryptology and Information Securityryptology - ASIACRYPT 2010 pp 377ndash394 Singapore 2010

[9] N P Smart andFVercauteren ldquoFully homomorphic encryptionwith relatively small key and ciphertext sizesrdquo in Public KeyCryptographyndashPKC 2010 pp 420ndash443 Springer 2010

[10] N Ogura G Yamamoto T Kobayashi and S UchiyamaldquoAn Improvement of Key Generation Algorithm for GentryrsquosHomomorphic Encryption Schemerdquo in Proceedings of the Inter-national Workshop on Security Advances in Information andComputer Security pp 70ndash83 Kobe Japan 2010

[11] C Gentry and S Halevi ldquoImplementing Gentryrsquos Fully-Homomorphic Encryption Schemerdquo in Proceedings of theInternational Conference on Theory and Applications of Cryp-tographic Techniques Advances in Cryptology pp 129ndash148Springer-Verlag 2011

[12] YGRamaiah andGVKumari ldquoTowardsPracticalHomomor-phic Encryption with Efficient Public key Generationrdquo AceeeInternational Journal on Network Security 2012

[13] C Jeansebastien T Lepoint and M Tibouchi ldquoScale-InvariantFullyHomomorphic Encryption over the Integersrdquo Ilar Journalvol 50 no 4 pp 361ndash372 2014

[14] J H Cheon J Kim M S Lee and A Yun ldquoCRT-basedfully homomorphic encryption over the integersrdquo InformationSciences vol 310 pp 149ndash162 2015

[15] N Koji and K Kurosawa ldquoFully Homomorphic Encryptionover Integers for Non-Binary Message Spacesrdquo in Proceedingsof the International Conference on the Theory and Applicationsof Cryptographic Techniques pp 537ndash555 Springer BerlinGermany 2015

[16] Z Brakerski C Gentry and V Vaikuntanathan ldquo(Leveled)fully homomorphic encryption without bootstrappingrdquo in Pro-ceedings of the 3rd Innovations in Theoretical Computer ScienceConference pp 309ndash325 ACM 2012

[17] Z Brakerski ldquoFully homomorphic encryptionwithoutmodulusswitching from classical GapSVPrdquo in Lecture Notes in ComputerScience vol 7417 pp 868ndash886 Springer 2012

[18] J Alperin-Sheriff and C Peikert ldquoPractical bootstrapping inquasilinear timerdquo in Advances in Cryptology ndash CRYPTO vol8042 pp 1ndash20 2013

[19] C Gentry A Sahai and B Waters ldquoHomomorphic encryp-tion from learning with errors Conceptually-simpler asymp-totically-faster attribute-basedrdquo Proceedings of CRYPTO 2013vol 8042 no 1 pp 75ndash92 2013

[20] H Shai and V Shoup ldquoAlgorithms in HElibrdquo in Proceedings ofthe International Cryptology Conference pp 554ndash571 SpringerBerlin Germany 2014

[21] L Ducas and D Micciancio ldquoFHEW Bootstrapping Homo-morphic Encryption in Less Than a Secondrdquo in Proceedingsof the International Conference on the Theory and Applicationsof Cryptographic Techniques pp 617ndash640 Springer BerlinGermany 2015

[22] T Wu H Wang and Y P Liu ldquoOptimizations of Brakerskirsquosfully homomorphic encryption schemerdquo in Proceedings of the2nd International Conference on Computer Science and NetworkTechnology ICCSNT 2012 pp 2000ndash2005 December 2012

[23] X Zhang C Xu C Jin R Xie and J Zhao ldquoEfficient fullyhomomorphic encryption from RLWE with an extension toa threshold encryption schemerdquo Future Generation ComputerSystems vol 36 pp 180ndash186 2014

[24] C Ma J Li and G Du ldquoA Flexible Fully HomomorphicEncryptionrdquo Wireless Personal Communications vol 95 no 2pp 1ndash12 2016


[25] Z Li C Ma G Du and O Weiping ldquoDual LWE-based fullyhomomorphic encryption with errorless key switchingrdquo in Pro-ceedings of the 22nd IEEE International Conference on Paralleland Distributed Systems ICPADS pp 1169ndash1174 December2016

[26] J Alperin-Sheriff and C Peikert ldquoFaster bootstrapping withpolynomial errorrdquo in Proceedings of the International CryptologyConference pp 297ndash314 Springer Berlin Germany 2014

[27] H Shai and V Shoup ldquoBootstrapping for HElibrdquo in Proceedingsof the International Conference on the Theory and Applicationsof Cryptographic Techniques pp 641ndash670 Springer BerlinGermany 2015

[28] O Regev ldquoOn lattices learning with errors random linearcodes and cryptographyrdquo Journal of the ACM vol 56 no 6article 34 2009

[29] M vanDijk C Gentry S Halevi andV Vaikuntanathan ldquoFullyhomomorphic encryption over the integersrdquo in Advances incryptologymdashEUROCRYPT 2010 vol 6110 pp 24ndash43 SpringerBerlin Germany 2010

[30] B Zvika and V Vaikuntanathan ldquoEfficient Fully HomomorphicEncryption from (Standard) LWErdquo in Foundations of ComputerScience IEEE pp 97ndash106 2011

[31] M Clear and C McGoldrick ldquoMulti-identity and multi-keyleveled fhe from learning with errorsrdquo in Proceedings of theAnnual Cryptology Conference pp 630ndash656 Springer BerlinGermany 2015

[32] P Mukherjee and D Wichs ldquoTwo round multiparty compu-tation via multi-key fherdquo in Advances in Cryptology ndash EURO-CRYPT vol 9666 pp 735ndash763 Springer Berlin Germany 2016

[33] R Bellafqira G Coatrieux D Bouslimi and G QuellecldquoContent-based image retrieval in homomorphic encryptiondomainrdquo in Proceedings of the 37th Annual International Con-ference of the IEEE Engineering in Medicine and Biology SocietyEMBC 2015 pp 2944ndash2947 August 2015

[34] V Anand and S C Satapathy ldquoHomomorphic encryption forsecure information retrieval from the cloudrdquo in Proceedingsof the 1st International Conference on Emerging Trends inEngineering Technology and Science ICETETS 2016 pp 1ndash5February 2016

[35] M Nie P Ran and H Yang ldquoEfficient Multi-keyword RankedSearch over Outsourced Cloud Data based on HomomorphicEncryptionrdquo in Proceedings of the 2016 8th International Con-ference on Computer and Automation Engineering ICCAE 2016vol 56 March 2016

[36] F Chen ldquoPrivacy preserving image retrieval method basedon binary SIFT and homomorphic encryptionrdquo TransducerMicrosystem Technologies 2017

[37] M Shen B Ma L Zhu R Mijumbi X Du and J Hu ldquoCloud-Based Approximate Constrained Shortest Distance Queriesover Encrypted Graphs with Privacy Protectionrdquo IEEE Trans-actions on Information Forensics and Security vol 13 no 4 pp940ndash953 2018

[38] M A Will B Nicholson M Tiehuis and R K L Ko ldquoSecurevoting in the cloud using homomorphic encryption andmobileagentsrdquo in Proceedings of the 3rd International Conference onCloud Computing Research and Innovation ICCCRI 2015 pp173ndash184 Singapore October 2015

[39] S M Anggriane S M Nasution and F Azmi ldquoAdvanced e-voting system using Paillier homomorphic encryption algo-rithmrdquo in Proceedings of the 1st International Conference onInformatics and Computing ICIC 2016 pp 338ndash342 October2016

[40] X Yang X Yi S Nepal A Kelarev and F Han ldquoA SecureVerifiable Ranked Choice Online Voting System Based onHomomorphic Encryptionrdquo IEEE Access pp 20506ndash205192018

[41] I Chillotti N Gama M Georgieva and M Izabachene ldquoAHomomorphic LWEBasedE-voting Schemerdquo inPost-QuantumCryptography pp 245ndash265 Springer International Publishing2016

[42] X Sun P Zhang J K Liu J Yu and W Xie ldquoPrivate machinelearning classification based on fully homomorphic encryp-tionrdquo IEEE Transactions on Emerging Topics in Computing 2018

[43] M Kim Y Song S Wang Y Xia and X Jiang ldquoSecure LogisticRegression Based on Homomorphic Encryption Design andEvaluationrdquo JMIR Medical Informatics vol 2 2018

[44] T P Le Y Aono T Hayashi L Wang and S MoriaildquoPrivacy-Preserving Deep Learning via Additively Homomor-phic Encryptionrdquo IEEETransactions on Information Forensics ampSecurity vol 99 pp 1-1 2018

[45] D Nathan R Gilad-Bachrach K Laine K Lauter M Naehrigand J Wernsing ldquoCryptoNets Applying Neural Networks toEncrypted Data with High Throughput and Accuracyrdquo RadioandWireless Symposium IEEE pp 76ndash78 2016

[46] H Ehsan H Takabi and M Ghasemi CryptoDL Deep NeuralNetworks over Encrypted Data 2017

[47] R Mukundan ldquoEfficient integrity verification of replicated datain cloudrdquo Dissertations Theses - Gradworks 2013

[48] S Rajat and S Dey ldquoCloud Audit A Data Integrity VerificationApproach for Cloud Computingrdquo Procedia Computer Sciencevol 89 pp 142ndash151 2016

[49] S Tonyali K Akkaya N Saputro and A S Uluagac ldquoA reliabledata aggregation mechanism with Homomorphic Encryptionin Smart Grid AMI networksrdquo in Proceedings of the 13th IEEEAnnual ConsumerCommunications andNetworkingConferenceCCNC 2016 pp 550ndash555 USA January 2016

[50] H Hayouni and M Hamdi ldquoA Data Aggregation SecurityEnhancing Scheme inWSNsUsingHomomorphic EncryptionrdquoIntelligent Automation and Soft Computing pp 1ndash9 2017

[51] Y Yao J Wei J Liu and R Zhang ldquoEfficiently secure mul-tiparty computation based on homomorphic encryptionrdquo inProceedings of the 4th IEEE International Conference on CloudComputing and Intelligence Systems CCIS 2016 pp 343ndash349August 2016

[52] LWu XDu and JWu ldquoEffective defense schemes for phishingattacks on mobile computing platformsrdquo IEEE Transactions onVehicular Technology vol 65 no 8 pp 6678ndash6691 2016

[53] Z Brakerski A Langlois C Peikert O Regev and D StehleldquoClassical hardness of learning with errorsrdquo in Proceedings of the45th Annual ACM Symposium on Theory of Computing (STOCrsquo13) pp 575ndash584 2013

[54] D Micciancio and C Peikert ldquoHardness of SIS and LWE withSmall Parametersrdquo in Lecture Notes in Computer Science vol8042 pp 21ndash39 Springer 2013

[55] C Z Gang Y F Shi and X X Song ldquoEstimating Concert Secu-rity Parameters of Fully Homomorphic Encryptionrdquo Journal ofCryptologic Research 2016

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018


Active and Passive Electronic Components

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of



Journal ofEngineeringVolume 2018

SensorsJournal of



RotatingMachinery


Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation


Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom


homomorphic operations can be performed However dueto its inherent complexity bootstrapping has become amajor bottleneck for the efficiency of all FHE schemesAlthough there are many studies on improving the efficiencyof FHE schemes [8ndash27] they are still not simple and efficientenough to be widely adopted in the real world Designing aconceptually simple and efficient FHE scheme has become achallenging issue

In this paper a new FHE scheme is proposed to achieveboth conceptual simplicity and higher efficiency The schemeis constructed using the ideas of ciphertext matrix operationsin the FHE scheme proposed by Gentry Sahai and Waters(GSW) [19] and ciphertext vector additions in the FHEscheme proposed by Ducas and Micciancio (DM) [21] Boththese schemes are conceptually simpler than most otherFHE schemes while suffering from low efficiency We haveproved that comparedwithDM our scheme allows onemorehomomorphic operation to be performed before ciphertextrefreshing And the computational cost of our scheme issignificantly lower than that of DM and GSW under the samesecurity parameters with the error rate kept at a sufficientlylow level Our scheme not only inherits the advantage of con-ceptual simplicity in DM and GSW but is also more efficient

AssumptionsThe assumptions in our scheme are specified asfollows (1) the hardness of the Learning with Errors (LWE)problem [28] (2) circular security in ciphertext refreshingthat is one can safely encrypt a secret key under its associatedpublic key [7] (3) the operations on the binary circuit whichare performed parallelly And the computational cost at eachlevel is represented as that of a specific gate at the level

Contributions The main contributions of our scheme aresummarized as follows (1) To the best of our knowledgeour scheme is one of the few FHE schemes which take bothsimplicity and efficiency into consideration (2) Our schemeinherits the advantage of conceptual simplicity in DM andGSW which are conceptually simpler than most other FHEschemes (3)Our scheme combines the advantage of efficienthomomorphic operation in DM with the advantage of mod-erate growth of noise magnitude in GSW When comparedwith DM it allows one more homomorphic operation tobe performed before ciphertext refreshing Under the samesecurity parameters the computational cost of our scheme isobviously lower than that of DM and GSW and the error rateis kept at a sufficiently low level

Organization The rest of this paper is organized as followsthe related work is discussed in Section 2 some preliminariesare given in Section 3 a review of GSW and DM is presentedin Section 4 our more efficient FHE scheme along with itscorrectness security and applicability analysis is presentedin Section 5 the comparison of our scheme with DM andGSW in terms of overall efficiency and error rate is given inSection 6 finally conclusions are drawn in Section 7

2 Related Work

21 Construction of FHE Schemes Gentry proposed the firstFHE scheme in 2009 [7] which marks a milestone in the

research of homomorphic encryption Gentryrsquos FHE schemeis based on ideal lattices which includes the followingmajor steps (1) the construction of a somewhat homo-morphic encryption scheme (SWHE) which allows limitedhomomorphic additions andmultiplications to be performedon ciphertexts (2) the squashing step for reducing thecomplexity of decryption algorithm (3) the bootstrappingtechnique for reducing ciphertext noise via re-encryption andhomomorphic decryption Despite its significant contribu-tion Gentryrsquos scheme sufferes from a rather low efficiencyFollowing Gentryrsquos work some other FHE schemes based onideal lattices have been proposed on improving the efficiencyofGentryrsquos scheme [8ndash11]However the inherent complicatedkey generation process along with large keyciphertext sizeshas made these schemes impractical for real-world applica-tions

In 2010 Dijk et al proposed a FHE scheme over theintegers [29] Both the keys and ciphertexts are integerswhich are much simpler than previous FHE schemes basedon ideal lattices However the scheme also suffers from lowefficiency due to large keyciphertext sizes Although someimproved FHE schemes on integers have been proposed [12ndash15] keys and ciphertexts in these schemes are still too large tobe deployed in any practical system

Recently most FHE schemes have been constructedbased on the LWE problem which is a computational prob-lem over lattices [28] LWE has now drawn the attention ofmore and more cryptographic researchers with its relativelysmall keyciphertext sizes and strong security Brakerskiand Vaikuntanathan presented the first LWE-based FHEscheme (BV) in 2011 [30] The relinearization techniquewas introduced for controlling ciphertext dimension inhomomorphic multiplications And the dimension-modulusreduction technique was proposed as a new method forsimplifying the decryption algorithm to make the schemebootstrappable thus fully homomorphic Compared withthe squashing technique proposed by Gentry the sparsesubset-sum assumption was removed in dimension-modulusreduction making it more natural Brakerski Gentry andVaikuntanathan proposed a leveled FHE scheme (BGV)in 2012 [16] The relinearization and dimension-modulusreduction techniques were improved as the key-switchingandmodulus-switching techniques in BGV formore efficientcontrol of ciphertext dimension and noise magnitude Brak-erski then introduced a scale-invariant leveled FHE scheme(Bra12) without modulus switching Compared with previousLWE-based FHE schemes Bra12 is simpler and ciphertextnoise magnitude grows by a constant multiplicative factor ashomomorphic operations proceed instead of exponentiallyHowever in all of these schemes the complex process ofkey switching (or relinearization) still introduces a hugecomputational cost which is unattractive in practice

In 2013 a new leveled FHE scheme known as GSW wasproposed by Gentry Sahai and Waters [19] GSW is basedon approximate eigenvectors of matrices The ciphertexts inGSW are square matrices and homomorphic additions andmultiplications are just matrix additions and multiplicationsrespectively Therefore ciphertext dimension always keepsconstant and key switching is no longer necessary Scale-invariance can also be achieved in GSW via the flatten








3 Preliminaries




ACR (119903) =[[[[[[[



]]]]]]]

(2)









infin= max119894|119886119894|






21198951198861119895 119897minus1sum119895=0

2119895119886119896119895) isin Z119896119902 (4)





(6)


⟨BD (a) PT (b)⟩ = ⟨ab⟩ (7)








1isin 01

2isin 01

C1isinZNtimesNq

C2isinZNtimesNq

GSWEnc

GSWEnc

GSWHomNAND

GSWDec = 1 minus 12

C＄isinZNtimesNq























DMEnc

DMEnc

DMHomNAND

ModulusSwitching

Key Switching


m1isin 01

m2isin 01

７4qs (m1 q 16)

７4qs (m2 q 16)

７4qs (mq16)

７2qs (mq 4)

７4QCF(z)(m E1)

７4Qs (m E2)





V minus 1199024 = 119887 + sum119894119895

119886119894119895119904119894119861119895119903 = 119887 + sum119894

119904119894sum119895

119861119895119903119886119894119895= 119887 minus sum

119894

119886119894119904119894 = 1199022119898 + 119890 (15)










NHEEnc

NHEEnc

NHEEnc

NHEEnc


NHEHomNANDGSW

NHEHomNANDGSW

m11isin 01

m12isin 01

m21isin 01

m22isin 01

C11isinZNtimesNq

C12isinZNtimesNq

C21isinZNtimesNq

C22isinZNtimesNq

c＄isinZn+1q

c2isinZNq

c1isinZNq


q

NHEHomNANDDM




119873times119873119902 (17)


C1015840 = FL (I119873 minus C1C2) (18)





c1015840NAND=sum119894

k119894119888119894 isin Z1198991015840+1119902 (20)












C1015840119897minus2k= (1 minus 11989811198982) 1199024 + 119890 (23)




c0 sdot k = ⟨(51199028 0) (1 minust)⟩ = 51199028 (25)




(26)


1015840


c1015840NAND

= ( 119873sum119894=1

a119896119904119894 ( 119873sum119894=1


119890119896119904119894)isin Z1198991015840+1119902

(27)

where a119896119904119894 larr997888 Z1198991015840



119890119896119904119894= 119890NAND + 119873sum

119894=1

119890119896119904119894(28)



(29)


119890119903119890 = c119903119890minus(119899+1) sdot s1015840 + 119888119903119890119899+1 (30)


11989010158401015840NAND=1199021015840119902 (119890NAND + 119873sum119894=1

119890119896119904119894) + 119890119903119890 (31)


max 100381610038161003816100381610038161198901015840110038161003816100381610038161003816 100381610038161003816100381610038161198901015840210038161003816100381610038161003816 le (119873 + 1) 1198610 lt 11990232 (32)


1003816100381610038161003816100381611989010158401015840NAND10038161003816100381610038161003816 lt 3119902101584016 + 1199021015840119902

1003816100381610038161003816100381610038161003816100381610038161003816119873sum119894=1

1198901198961199041198941003816100381610038161003816100381610038161003816100381610038161003816 +

10038161003816100381610038161198901199031198901003816100381610038161003816 (33)


119873sum119894=1

1198901198961199041198941003816100381610038161003816100381610038161003816100381610038161003816 le 6radic119873120590 + 119873 (34)


11990210158401199021003816100381610038161003816100381610038161003816100381610038161003816119873sum119894=1

1198901198961199041198941003816100381610038161003816100381610038161003816100381610038161003816 lt 1205981 (35)




1015840


1015840




119891119899119903 (119909) = 1(119899119903 minus 1)119896sum119895=0


(37)


119865119899119903 (119909) = 1119899119903119896sum119895=0

(minus1)119895 119862119895119899119903 (119909 minus 119895)119899119903 119909 isin [119896 119896 + 1] (38)


1199013119899119903 = 119865119899119903 (1198991199032 + 1198611) minus 119865119899119903 (1198991199032 minus 1198611) (39)


119899119903120575 le 1198991015840120575 lt 1205982 (40)


10038161003816100381610038161198901199031198901003816100381610038161003816 lt 1198611 + 1205982 + 12 (41)


1198611 le 119902101584016 minus (1205981 + 1205982 + 12) (42)



1198612 = 3119902101584016 + (1198611 + 1205981 + 1205982 + 12) le 11990210158404 (43)


















119899DM1 = 119899 + 2 (45)




119899DM2 = 2 sdot (6 + 2) sdot 21198732119889119892 = 321198732119889119892 (46)


119899DM3 = 119873119889119896119904 (119899 + 1) (47)


119899DM = 2119899DM1 + 119899119889119903 sdot 119899DM2 + 119899DM3= 321198732119899119889119892119889119903 + (119899 + 1) (119873119889119896119904 + 2) + 2 (48)








1198991015840119886119889119889=119873119897 + 119897 (119873 minus 119897) = (2119873 minus 119897) 119897 (50)


119899NHE1 = 119899119887119899119897 + 1198991015840119886119889119889 + 1 = (119899119887 + 119897) (119873 minus 119897) + 119873119897 + 1 (51)


119899NHE2 = 2 (119899 + 1) (119897 minus 1) + 3119873 = (119899 + 1) (5119897 minus 2) (52)


119899NHE3 = 2119873 (53)


119899NHE4 = 119873(1198991015840 + 1) (54)


119899NHE5 = 2 (1198991015840 + 1) (55)


119899NHE = 5sum119894=1

119899NHE119894


(56)


119899GSW = 119873 [(119899119887 + 119897) (119873 minus 119897) + 119873119897 + 1] (57)




sdot (log2 (2120582 sdot adv) + 110)72119902

(58)


119901DM119890119903119903 = 1 minus (1 minus 119901DM119887119894119905119890119903119903)3 (59)





119901NHE119890119903119903 = 1 minus 119901111990121199013 (60)


119901GSW119890119903119903 = 1 minus 1199011 = 1 minus 11990141198730 (61)






7 Conclusions





Data Availability




Acknowledgments





























































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia









3 Preliminaries




ACR (119903) =[[[[[[[



]]]]]]]

(2)









infin= max119894|119886119894|






21198951198861119895 119897minus1sum119895=0

2119895119886119896119895) isin Z119896119902 (4)





(6)


⟨BD (a) PT (b)⟩ = ⟨ab⟩ (7)








1isin 01

2isin 01

C1isinZNtimesNq

C2isinZNtimesNq

GSWEnc

GSWEnc

GSWHomNAND

GSWDec = 1 minus 12

C＄isinZNtimesNq























DMEnc

DMEnc

DMHomNAND

ModulusSwitching

Key Switching


m1isin 01

m2isin 01

７4qs (m1 q 16)

７4qs (m2 q 16)

７4qs (mq16)

７2qs (mq 4)

７4QCF(z)(m E1)

７4Qs (m E2)





V minus 1199024 = 119887 + sum119894119895

119886119894119895119904119894119861119895119903 = 119887 + sum119894

119904119894sum119895

119861119895119903119886119894119895= 119887 minus sum

119894

119886119894119904119894 = 1199022119898 + 119890 (15)










NHEEnc

NHEEnc

NHEEnc

NHEEnc


NHEHomNANDGSW

NHEHomNANDGSW

m11isin 01

m12isin 01

m21isin 01

m22isin 01

C11isinZNtimesNq

C12isinZNtimesNq

C21isinZNtimesNq

C22isinZNtimesNq

c＄isinZn+1q

c2isinZNq

c1isinZNq


q

NHEHomNANDDM




119873times119873119902 (17)


C1015840 = FL (I119873 minus C1C2) (18)





c1015840NAND=sum119894

k119894119888119894 isin Z1198991015840+1119902 (20)












C1015840119897minus2k= (1 minus 11989811198982) 1199024 + 119890 (23)




c0 sdot k = ⟨(51199028 0) (1 minust)⟩ = 51199028 (25)




(26)


1015840


c1015840NAND

= ( 119873sum119894=1

a119896119904119894 ( 119873sum119894=1


119890119896119904119894)isin Z1198991015840+1119902

(27)

where a119896119904119894 larr997888 Z1198991015840



119890119896119904119894= 119890NAND + 119873sum

119894=1

119890119896119904119894(28)



(29)


119890119903119890 = c119903119890minus(119899+1) sdot s1015840 + 119888119903119890119899+1 (30)


11989010158401015840NAND=1199021015840119902 (119890NAND + 119873sum119894=1

119890119896119904119894) + 119890119903119890 (31)


max 100381610038161003816100381610038161198901015840110038161003816100381610038161003816 100381610038161003816100381610038161198901015840210038161003816100381610038161003816 le (119873 + 1) 1198610 lt 11990232 (32)


1003816100381610038161003816100381611989010158401015840NAND10038161003816100381610038161003816 lt 3119902101584016 + 1199021015840119902

1003816100381610038161003816100381610038161003816100381610038161003816119873sum119894=1

1198901198961199041198941003816100381610038161003816100381610038161003816100381610038161003816 +

10038161003816100381610038161198901199031198901003816100381610038161003816 (33)


119873sum119894=1

1198901198961199041198941003816100381610038161003816100381610038161003816100381610038161003816 le 6radic119873120590 + 119873 (34)


11990210158401199021003816100381610038161003816100381610038161003816100381610038161003816119873sum119894=1

1198901198961199041198941003816100381610038161003816100381610038161003816100381610038161003816 lt 1205981 (35)




1015840


1015840




119891119899119903 (119909) = 1(119899119903 minus 1)119896sum119895=0


(37)


119865119899119903 (119909) = 1119899119903119896sum119895=0

(minus1)119895 119862119895119899119903 (119909 minus 119895)119899119903 119909 isin [119896 119896 + 1] (38)


1199013119899119903 = 119865119899119903 (1198991199032 + 1198611) minus 119865119899119903 (1198991199032 minus 1198611) (39)


119899119903120575 le 1198991015840120575 lt 1205982 (40)


10038161003816100381610038161198901199031198901003816100381610038161003816 lt 1198611 + 1205982 + 12 (41)


1198611 le 119902101584016 minus (1205981 + 1205982 + 12) (42)



1198612 = 3119902101584016 + (1198611 + 1205981 + 1205982 + 12) le 11990210158404 (43)


















119899DM1 = 119899 + 2 (45)




119899DM2 = 2 sdot (6 + 2) sdot 21198732119889119892 = 321198732119889119892 (46)


119899DM3 = 119873119889119896119904 (119899 + 1) (47)


119899DM = 2119899DM1 + 119899119889119903 sdot 119899DM2 + 119899DM3= 321198732119899119889119892119889119903 + (119899 + 1) (119873119889119896119904 + 2) + 2 (48)








1198991015840119886119889119889=119873119897 + 119897 (119873 minus 119897) = (2119873 minus 119897) 119897 (50)


119899NHE1 = 119899119887119899119897 + 1198991015840119886119889119889 + 1 = (119899119887 + 119897) (119873 minus 119897) + 119873119897 + 1 (51)


119899NHE2 = 2 (119899 + 1) (119897 minus 1) + 3119873 = (119899 + 1) (5119897 minus 2) (52)


119899NHE3 = 2119873 (53)


119899NHE4 = 119873(1198991015840 + 1) (54)


119899NHE5 = 2 (1198991015840 + 1) (55)


119899NHE = 5sum119894=1

119899NHE119894


(56)


119899GSW = 119873 [(119899119887 + 119897) (119873 minus 119897) + 119873119897 + 1] (57)




sdot (log2 (2120582 sdot adv) + 110)72119902

(58)


119901DM119890119903119903 = 1 minus (1 minus 119901DM119887119894119905119890119903119903)3 (59)





119901NHE119890119903119903 = 1 minus 119901111990121199013 (60)


119901GSW119890119903119903 = 1 minus 1199011 = 1 minus 11990141198730 (61)






7 Conclusions





Data Availability




Acknowledgments





























































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia










infin= max119894|119886119894|






21198951198861119895 119897minus1sum119895=0

2119895119886119896119895) isin Z119896119902 (4)





(6)


⟨BD (a) PT (b)⟩ = ⟨ab⟩ (7)








1isin 01

2isin 01

C1isinZNtimesNq

C2isinZNtimesNq

GSWEnc

GSWEnc

GSWHomNAND

GSWDec = 1 minus 12

C＄isinZNtimesNq























DMEnc

DMEnc

DMHomNAND

ModulusSwitching

Key Switching


m1isin 01

m2isin 01

７4qs (m1 q 16)

７4qs (m2 q 16)

７4qs (mq16)

７2qs (mq 4)

７4QCF(z)(m E1)

７4Qs (m E2)





V minus 1199024 = 119887 + sum119894119895

119886119894119895119904119894119861119895119903 = 119887 + sum119894

119904119894sum119895

119861119895119903119886119894119895= 119887 minus sum

119894

119886119894119904119894 = 1199022119898 + 119890 (15)










NHEEnc

NHEEnc

NHEEnc

NHEEnc


NHEHomNANDGSW

NHEHomNANDGSW

m11isin 01

m12isin 01

m21isin 01

m22isin 01

C11isinZNtimesNq

C12isinZNtimesNq

C21isinZNtimesNq

C22isinZNtimesNq

c＄isinZn+1q

c2isinZNq

c1isinZNq


q

NHEHomNANDDM




119873times119873119902 (17)


C1015840 = FL (I119873 minus C1C2) (18)





c1015840NAND=sum119894

k119894119888119894 isin Z1198991015840+1119902 (20)












C1015840119897minus2k= (1 minus 11989811198982) 1199024 + 119890 (23)




c0 sdot k = ⟨(51199028 0) (1 minust)⟩ = 51199028 (25)




(26)


1015840


c1015840NAND

= ( 119873sum119894=1

a119896119904119894 ( 119873sum119894=1


119890119896119904119894)isin Z1198991015840+1119902

(27)

where a119896119904119894 larr997888 Z1198991015840



119890119896119904119894= 119890NAND + 119873sum

119894=1

119890119896119904119894(28)



(29)


119890119903119890 = c119903119890minus(119899+1) sdot s1015840 + 119888119903119890119899+1 (30)


11989010158401015840NAND=1199021015840119902 (119890NAND + 119873sum119894=1

119890119896119904119894) + 119890119903119890 (31)


max 100381610038161003816100381610038161198901015840110038161003816100381610038161003816 100381610038161003816100381610038161198901015840210038161003816100381610038161003816 le (119873 + 1) 1198610 lt 11990232 (32)


1003816100381610038161003816100381611989010158401015840NAND10038161003816100381610038161003816 lt 3119902101584016 + 1199021015840119902

1003816100381610038161003816100381610038161003816100381610038161003816119873sum119894=1

1198901198961199041198941003816100381610038161003816100381610038161003816100381610038161003816 +

10038161003816100381610038161198901199031198901003816100381610038161003816 (33)


119873sum119894=1

1198901198961199041198941003816100381610038161003816100381610038161003816100381610038161003816 le 6radic119873120590 + 119873 (34)


11990210158401199021003816100381610038161003816100381610038161003816100381610038161003816119873sum119894=1

1198901198961199041198941003816100381610038161003816100381610038161003816100381610038161003816 lt 1205981 (35)




1015840


1015840




119891119899119903 (119909) = 1(119899119903 minus 1)119896sum119895=0


(37)


119865119899119903 (119909) = 1119899119903119896sum119895=0

(minus1)119895 119862119895119899119903 (119909 minus 119895)119899119903 119909 isin [119896 119896 + 1] (38)


1199013119899119903 = 119865119899119903 (1198991199032 + 1198611) minus 119865119899119903 (1198991199032 minus 1198611) (39)


119899119903120575 le 1198991015840120575 lt 1205982 (40)


10038161003816100381610038161198901199031198901003816100381610038161003816 lt 1198611 + 1205982 + 12 (41)


1198611 le 119902101584016 minus (1205981 + 1205982 + 12) (42)



1198612 = 3119902101584016 + (1198611 + 1205981 + 1205982 + 12) le 11990210158404 (43)


















119899DM1 = 119899 + 2 (45)




119899DM2 = 2 sdot (6 + 2) sdot 21198732119889119892 = 321198732119889119892 (46)


119899DM3 = 119873119889119896119904 (119899 + 1) (47)


119899DM = 2119899DM1 + 119899119889119903 sdot 119899DM2 + 119899DM3= 321198732119899119889119892119889119903 + (119899 + 1) (119873119889119896119904 + 2) + 2 (48)








1198991015840119886119889119889=119873119897 + 119897 (119873 minus 119897) = (2119873 minus 119897) 119897 (50)


119899NHE1 = 119899119887119899119897 + 1198991015840119886119889119889 + 1 = (119899119887 + 119897) (119873 minus 119897) + 119873119897 + 1 (51)


119899NHE2 = 2 (119899 + 1) (119897 minus 1) + 3119873 = (119899 + 1) (5119897 minus 2) (52)


119899NHE3 = 2119873 (53)


119899NHE4 = 119873(1198991015840 + 1) (54)


119899NHE5 = 2 (1198991015840 + 1) (55)


119899NHE = 5sum119894=1

119899NHE119894


(56)


119899GSW = 119873 [(119899119887 + 119897) (119873 minus 119897) + 119873119897 + 1] (57)




sdot (log2 (2120582 sdot adv) + 110)72119902

(58)


119901DM119890119903119903 = 1 minus (1 minus 119901DM119887119894119905119890119903119903)3 (59)





119901NHE119890119903119903 = 1 minus 119901111990121199013 (60)


119901GSW119890119903119903 = 1 minus 1199011 = 1 minus 11990141198730 (61)






7 Conclusions





Data Availability




Acknowledgments





























































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



1isin 01

2isin 01

C1isinZNtimesNq

C2isinZNtimesNq

GSWEnc

GSWEnc

GSWHomNAND

GSWDec = 1 minus 12

C＄isinZNtimesNq























DMEnc

DMEnc

DMHomNAND

ModulusSwitching

Key Switching


m1isin 01

m2isin 01

７4qs (m1 q 16)

７4qs (m2 q 16)

７4qs (mq16)

７2qs (mq 4)

７4QCF(z)(m E1)

７4Qs (m E2)





V minus 1199024 = 119887 + sum119894119895

119886119894119895119904119894119861119895119903 = 119887 + sum119894

119904119894sum119895

119861119895119903119886119894119895= 119887 minus sum

119894

119886119894119904119894 = 1199022119898 + 119890 (15)










NHEEnc

NHEEnc

NHEEnc

NHEEnc


NHEHomNANDGSW

NHEHomNANDGSW

m11isin 01

m12isin 01

m21isin 01

m22isin 01

C11isinZNtimesNq

C12isinZNtimesNq

C21isinZNtimesNq

C22isinZNtimesNq

c＄isinZn+1q

c2isinZNq

c1isinZNq


q

NHEHomNANDDM




119873times119873119902 (17)


C1015840 = FL (I119873 minus C1C2) (18)





c1015840NAND=sum119894

k119894119888119894 isin Z1198991015840+1119902 (20)












C1015840119897minus2k= (1 minus 11989811198982) 1199024 + 119890 (23)




c0 sdot k = ⟨(51199028 0) (1 minust)⟩ = 51199028 (25)




(26)


1015840


c1015840NAND

= ( 119873sum119894=1

a119896119904119894 ( 119873sum119894=1


119890119896119904119894)isin Z1198991015840+1119902

(27)

where a119896119904119894 larr997888 Z1198991015840



119890119896119904119894= 119890NAND + 119873sum

119894=1

119890119896119904119894(28)



(29)


119890119903119890 = c119903119890minus(119899+1) sdot s1015840 + 119888119903119890119899+1 (30)


11989010158401015840NAND=1199021015840119902 (119890NAND + 119873sum119894=1

119890119896119904119894) + 119890119903119890 (31)


max 100381610038161003816100381610038161198901015840110038161003816100381610038161003816 100381610038161003816100381610038161198901015840210038161003816100381610038161003816 le (119873 + 1) 1198610 lt 11990232 (32)


1003816100381610038161003816100381611989010158401015840NAND10038161003816100381610038161003816 lt 3119902101584016 + 1199021015840119902

1003816100381610038161003816100381610038161003816100381610038161003816119873sum119894=1

1198901198961199041198941003816100381610038161003816100381610038161003816100381610038161003816 +

10038161003816100381610038161198901199031198901003816100381610038161003816 (33)


119873sum119894=1

1198901198961199041198941003816100381610038161003816100381610038161003816100381610038161003816 le 6radic119873120590 + 119873 (34)


11990210158401199021003816100381610038161003816100381610038161003816100381610038161003816119873sum119894=1

1198901198961199041198941003816100381610038161003816100381610038161003816100381610038161003816 lt 1205981 (35)




1015840


1015840




119891119899119903 (119909) = 1(119899119903 minus 1)119896sum119895=0


(37)


119865119899119903 (119909) = 1119899119903119896sum119895=0

(minus1)119895 119862119895119899119903 (119909 minus 119895)119899119903 119909 isin [119896 119896 + 1] (38)


1199013119899119903 = 119865119899119903 (1198991199032 + 1198611) minus 119865119899119903 (1198991199032 minus 1198611) (39)


119899119903120575 le 1198991015840120575 lt 1205982 (40)


10038161003816100381610038161198901199031198901003816100381610038161003816 lt 1198611 + 1205982 + 12 (41)


1198611 le 119902101584016 minus (1205981 + 1205982 + 12) (42)



1198612 = 3119902101584016 + (1198611 + 1205981 + 1205982 + 12) le 11990210158404 (43)


















119899DM1 = 119899 + 2 (45)




119899DM2 = 2 sdot (6 + 2) sdot 21198732119889119892 = 321198732119889119892 (46)


119899DM3 = 119873119889119896119904 (119899 + 1) (47)


119899DM = 2119899DM1 + 119899119889119903 sdot 119899DM2 + 119899DM3= 321198732119899119889119892119889119903 + (119899 + 1) (119873119889119896119904 + 2) + 2 (48)








1198991015840119886119889119889=119873119897 + 119897 (119873 minus 119897) = (2119873 minus 119897) 119897 (50)


119899NHE1 = 119899119887119899119897 + 1198991015840119886119889119889 + 1 = (119899119887 + 119897) (119873 minus 119897) + 119873119897 + 1 (51)


119899NHE2 = 2 (119899 + 1) (119897 minus 1) + 3119873 = (119899 + 1) (5119897 minus 2) (52)


119899NHE3 = 2119873 (53)


119899NHE4 = 119873(1198991015840 + 1) (54)


119899NHE5 = 2 (1198991015840 + 1) (55)


119899NHE = 5sum119894=1

119899NHE119894


(56)


119899GSW = 119873 [(119899119887 + 119897) (119873 minus 119897) + 119873119897 + 1] (57)




sdot (log2 (2120582 sdot adv) + 110)72119902

(58)


119901DM119890119903119903 = 1 minus (1 minus 119901DM119887119894119905119890119903119903)3 (59)





119901NHE119890119903119903 = 1 minus 119901111990121199013 (60)


119901GSW119890119903119903 = 1 minus 1199011 = 1 minus 11990141198730 (61)






7 Conclusions





Data Availability




Acknowledgments





























































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



DMEnc

DMEnc

DMHomNAND

ModulusSwitching

Key Switching


m1isin 01

m2isin 01

７4qs (m1 q 16)

７4qs (m2 q 16)

７4qs (mq16)

７2qs (mq 4)

７4QCF(z)(m E1)

７4Qs (m E2)





V minus 1199024 = 119887 + sum119894119895

119886119894119895119904119894119861119895119903 = 119887 + sum119894

119904119894sum119895

119861119895119903119886119894119895= 119887 minus sum

119894

119886119894119904119894 = 1199022119898 + 119890 (15)










NHEEnc

NHEEnc

NHEEnc

NHEEnc


NHEHomNANDGSW

NHEHomNANDGSW

m11isin 01

m12isin 01

m21isin 01

m22isin 01

C11isinZNtimesNq

C12isinZNtimesNq

C21isinZNtimesNq

C22isinZNtimesNq

c＄isinZn+1q

c2isinZNq

c1isinZNq


q

NHEHomNANDDM




119873times119873119902 (17)


C1015840 = FL (I119873 minus C1C2) (18)





c1015840NAND=sum119894

k119894119888119894 isin Z1198991015840+1119902 (20)












C1015840119897minus2k= (1 minus 11989811198982) 1199024 + 119890 (23)




c0 sdot k = ⟨(51199028 0) (1 minust)⟩ = 51199028 (25)




(26)


1015840


c1015840NAND

= ( 119873sum119894=1

a119896119904119894 ( 119873sum119894=1


119890119896119904119894)isin Z1198991015840+1119902

(27)

where a119896119904119894 larr997888 Z1198991015840



119890119896119904119894= 119890NAND + 119873sum

119894=1

119890119896119904119894(28)



(29)


119890119903119890 = c119903119890minus(119899+1) sdot s1015840 + 119888119903119890119899+1 (30)


11989010158401015840NAND=1199021015840119902 (119890NAND + 119873sum119894=1

119890119896119904119894) + 119890119903119890 (31)


max 100381610038161003816100381610038161198901015840110038161003816100381610038161003816 100381610038161003816100381610038161198901015840210038161003816100381610038161003816 le (119873 + 1) 1198610 lt 11990232 (32)


1003816100381610038161003816100381611989010158401015840NAND10038161003816100381610038161003816 lt 3119902101584016 + 1199021015840119902

1003816100381610038161003816100381610038161003816100381610038161003816119873sum119894=1

1198901198961199041198941003816100381610038161003816100381610038161003816100381610038161003816 +

10038161003816100381610038161198901199031198901003816100381610038161003816 (33)


119873sum119894=1

1198901198961199041198941003816100381610038161003816100381610038161003816100381610038161003816 le 6radic119873120590 + 119873 (34)


11990210158401199021003816100381610038161003816100381610038161003816100381610038161003816119873sum119894=1

1198901198961199041198941003816100381610038161003816100381610038161003816100381610038161003816 lt 1205981 (35)




1015840


1015840




119891119899119903 (119909) = 1(119899119903 minus 1)119896sum119895=0


(37)


119865119899119903 (119909) = 1119899119903119896sum119895=0

(minus1)119895 119862119895119899119903 (119909 minus 119895)119899119903 119909 isin [119896 119896 + 1] (38)


1199013119899119903 = 119865119899119903 (1198991199032 + 1198611) minus 119865119899119903 (1198991199032 minus 1198611) (39)


119899119903120575 le 1198991015840120575 lt 1205982 (40)


10038161003816100381610038161198901199031198901003816100381610038161003816 lt 1198611 + 1205982 + 12 (41)


1198611 le 119902101584016 minus (1205981 + 1205982 + 12) (42)



1198612 = 3119902101584016 + (1198611 + 1205981 + 1205982 + 12) le 11990210158404 (43)


















119899DM1 = 119899 + 2 (45)




119899DM2 = 2 sdot (6 + 2) sdot 21198732119889119892 = 321198732119889119892 (46)


119899DM3 = 119873119889119896119904 (119899 + 1) (47)


119899DM = 2119899DM1 + 119899119889119903 sdot 119899DM2 + 119899DM3= 321198732119899119889119892119889119903 + (119899 + 1) (119873119889119896119904 + 2) + 2 (48)








1198991015840119886119889119889=119873119897 + 119897 (119873 minus 119897) = (2119873 minus 119897) 119897 (50)


119899NHE1 = 119899119887119899119897 + 1198991015840119886119889119889 + 1 = (119899119887 + 119897) (119873 minus 119897) + 119873119897 + 1 (51)


119899NHE2 = 2 (119899 + 1) (119897 minus 1) + 3119873 = (119899 + 1) (5119897 minus 2) (52)


119899NHE3 = 2119873 (53)


119899NHE4 = 119873(1198991015840 + 1) (54)


119899NHE5 = 2 (1198991015840 + 1) (55)


119899NHE = 5sum119894=1

119899NHE119894


(56)


119899GSW = 119873 [(119899119887 + 119897) (119873 minus 119897) + 119873119897 + 1] (57)




sdot (log2 (2120582 sdot adv) + 110)72119902

(58)


119901DM119890119903119903 = 1 minus (1 minus 119901DM119887119894119905119890119903119903)3 (59)





119901NHE119890119903119903 = 1 minus 119901111990121199013 (60)


119901GSW119890119903119903 = 1 minus 1199011 = 1 minus 11990141198730 (61)






7 Conclusions





Data Availability




Acknowledgments





























































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



NHEEnc

NHEEnc

NHEEnc

NHEEnc


NHEHomNANDGSW

NHEHomNANDGSW

m11isin 01

m12isin 01

m21isin 01

m22isin 01

C11isinZNtimesNq

C12isinZNtimesNq

C21isinZNtimesNq

C22isinZNtimesNq

c＄isinZn+1q

c2isinZNq

c1isinZNq


q

NHEHomNANDDM




119873times119873119902 (17)


C1015840 = FL (I119873 minus C1C2) (18)





c1015840NAND=sum119894

k119894119888119894 isin Z1198991015840+1119902 (20)












C1015840119897minus2k= (1 minus 11989811198982) 1199024 + 119890 (23)




c0 sdot k = ⟨(51199028 0) (1 minust)⟩ = 51199028 (25)




(26)


1015840


c1015840NAND

= ( 119873sum119894=1

a119896119904119894 ( 119873sum119894=1


119890119896119904119894)isin Z1198991015840+1119902

(27)

where a119896119904119894 larr997888 Z1198991015840



119890119896119904119894= 119890NAND + 119873sum

119894=1

119890119896119904119894(28)



(29)


119890119903119890 = c119903119890minus(119899+1) sdot s1015840 + 119888119903119890119899+1 (30)


11989010158401015840NAND=1199021015840119902 (119890NAND + 119873sum119894=1

119890119896119904119894) + 119890119903119890 (31)


max 100381610038161003816100381610038161198901015840110038161003816100381610038161003816 100381610038161003816100381610038161198901015840210038161003816100381610038161003816 le (119873 + 1) 1198610 lt 11990232 (32)


1003816100381610038161003816100381611989010158401015840NAND10038161003816100381610038161003816 lt 3119902101584016 + 1199021015840119902

1003816100381610038161003816100381610038161003816100381610038161003816119873sum119894=1

1198901198961199041198941003816100381610038161003816100381610038161003816100381610038161003816 +

10038161003816100381610038161198901199031198901003816100381610038161003816 (33)


119873sum119894=1

1198901198961199041198941003816100381610038161003816100381610038161003816100381610038161003816 le 6radic119873120590 + 119873 (34)


11990210158401199021003816100381610038161003816100381610038161003816100381610038161003816119873sum119894=1

1198901198961199041198941003816100381610038161003816100381610038161003816100381610038161003816 lt 1205981 (35)




1015840


1015840




119891119899119903 (119909) = 1(119899119903 minus 1)119896sum119895=0


(37)


119865119899119903 (119909) = 1119899119903119896sum119895=0

(minus1)119895 119862119895119899119903 (119909 minus 119895)119899119903 119909 isin [119896 119896 + 1] (38)


1199013119899119903 = 119865119899119903 (1198991199032 + 1198611) minus 119865119899119903 (1198991199032 minus 1198611) (39)


119899119903120575 le 1198991015840120575 lt 1205982 (40)


10038161003816100381610038161198901199031198901003816100381610038161003816 lt 1198611 + 1205982 + 12 (41)


1198611 le 119902101584016 minus (1205981 + 1205982 + 12) (42)



1198612 = 3119902101584016 + (1198611 + 1205981 + 1205982 + 12) le 11990210158404 (43)


















119899DM1 = 119899 + 2 (45)




119899DM2 = 2 sdot (6 + 2) sdot 21198732119889119892 = 321198732119889119892 (46)


119899DM3 = 119873119889119896119904 (119899 + 1) (47)


119899DM = 2119899DM1 + 119899119889119903 sdot 119899DM2 + 119899DM3= 321198732119899119889119892119889119903 + (119899 + 1) (119873119889119896119904 + 2) + 2 (48)








1198991015840119886119889119889=119873119897 + 119897 (119873 minus 119897) = (2119873 minus 119897) 119897 (50)


119899NHE1 = 119899119887119899119897 + 1198991015840119886119889119889 + 1 = (119899119887 + 119897) (119873 minus 119897) + 119873119897 + 1 (51)


119899NHE2 = 2 (119899 + 1) (119897 minus 1) + 3119873 = (119899 + 1) (5119897 minus 2) (52)


119899NHE3 = 2119873 (53)


119899NHE4 = 119873(1198991015840 + 1) (54)


119899NHE5 = 2 (1198991015840 + 1) (55)


119899NHE = 5sum119894=1

119899NHE119894


(56)


119899GSW = 119873 [(119899119887 + 119897) (119873 minus 119897) + 119873119897 + 1] (57)




sdot (log2 (2120582 sdot adv) + 110)72119902

(58)


119901DM119890119903119903 = 1 minus (1 minus 119901DM119887119894119905119890119903119903)3 (59)





119901NHE119890119903119903 = 1 minus 119901111990121199013 (60)


119901GSW119890119903119903 = 1 minus 1199011 = 1 minus 11990141198730 (61)






7 Conclusions





Data Availability




Acknowledgments





























































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia







C1015840119897minus2k= (1 minus 11989811198982) 1199024 + 119890 (23)




c0 sdot k = ⟨(51199028 0) (1 minust)⟩ = 51199028 (25)




(26)


1015840


c1015840NAND

= ( 119873sum119894=1

a119896119904119894 ( 119873sum119894=1


119890119896119904119894)isin Z1198991015840+1119902

(27)

where a119896119904119894 larr997888 Z1198991015840



119890119896119904119894= 119890NAND + 119873sum

119894=1

119890119896119904119894(28)



(29)


119890119903119890 = c119903119890minus(119899+1) sdot s1015840 + 119888119903119890119899+1 (30)


11989010158401015840NAND=1199021015840119902 (119890NAND + 119873sum119894=1

119890119896119904119894) + 119890119903119890 (31)


max 100381610038161003816100381610038161198901015840110038161003816100381610038161003816 100381610038161003816100381610038161198901015840210038161003816100381610038161003816 le (119873 + 1) 1198610 lt 11990232 (32)


1003816100381610038161003816100381611989010158401015840NAND10038161003816100381610038161003816 lt 3119902101584016 + 1199021015840119902

1003816100381610038161003816100381610038161003816100381610038161003816119873sum119894=1

1198901198961199041198941003816100381610038161003816100381610038161003816100381610038161003816 +

10038161003816100381610038161198901199031198901003816100381610038161003816 (33)


119873sum119894=1

1198901198961199041198941003816100381610038161003816100381610038161003816100381610038161003816 le 6radic119873120590 + 119873 (34)


11990210158401199021003816100381610038161003816100381610038161003816100381610038161003816119873sum119894=1

1198901198961199041198941003816100381610038161003816100381610038161003816100381610038161003816 lt 1205981 (35)




1015840


1015840




119891119899119903 (119909) = 1(119899119903 minus 1)119896sum119895=0


(37)


119865119899119903 (119909) = 1119899119903119896sum119895=0

(minus1)119895 119862119895119899119903 (119909 minus 119895)119899119903 119909 isin [119896 119896 + 1] (38)


1199013119899119903 = 119865119899119903 (1198991199032 + 1198611) minus 119865119899119903 (1198991199032 minus 1198611) (39)


119899119903120575 le 1198991015840120575 lt 1205982 (40)


10038161003816100381610038161198901199031198901003816100381610038161003816 lt 1198611 + 1205982 + 12 (41)


1198611 le 119902101584016 minus (1205981 + 1205982 + 12) (42)



1198612 = 3119902101584016 + (1198611 + 1205981 + 1205982 + 12) le 11990210158404 (43)


















119899DM1 = 119899 + 2 (45)




119899DM2 = 2 sdot (6 + 2) sdot 21198732119889119892 = 321198732119889119892 (46)


119899DM3 = 119873119889119896119904 (119899 + 1) (47)


119899DM = 2119899DM1 + 119899119889119903 sdot 119899DM2 + 119899DM3= 321198732119899119889119892119889119903 + (119899 + 1) (119873119889119896119904 + 2) + 2 (48)








1198991015840119886119889119889=119873119897 + 119897 (119873 minus 119897) = (2119873 minus 119897) 119897 (50)


119899NHE1 = 119899119887119899119897 + 1198991015840119886119889119889 + 1 = (119899119887 + 119897) (119873 minus 119897) + 119873119897 + 1 (51)


119899NHE2 = 2 (119899 + 1) (119897 minus 1) + 3119873 = (119899 + 1) (5119897 minus 2) (52)


119899NHE3 = 2119873 (53)


119899NHE4 = 119873(1198991015840 + 1) (54)


119899NHE5 = 2 (1198991015840 + 1) (55)


119899NHE = 5sum119894=1

119899NHE119894


(56)


119899GSW = 119873 [(119899119887 + 119897) (119873 minus 119897) + 119873119897 + 1] (57)




sdot (log2 (2120582 sdot adv) + 110)72119902

(58)


119901DM119890119903119903 = 1 minus (1 minus 119901DM119887119894119905119890119903119903)3 (59)





119901NHE119890119903119903 = 1 minus 119901111990121199013 (60)


119901GSW119890119903119903 = 1 minus 1199011 = 1 minus 11990141198730 (61)






7 Conclusions





Data Availability




Acknowledgments





























































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia




1015840


1015840




119891119899119903 (119909) = 1(119899119903 minus 1)119896sum119895=0


(37)


119865119899119903 (119909) = 1119899119903119896sum119895=0

(minus1)119895 119862119895119899119903 (119909 minus 119895)119899119903 119909 isin [119896 119896 + 1] (38)


1199013119899119903 = 119865119899119903 (1198991199032 + 1198611) minus 119865119899119903 (1198991199032 minus 1198611) (39)


119899119903120575 le 1198991015840120575 lt 1205982 (40)


10038161003816100381610038161198901199031198901003816100381610038161003816 lt 1198611 + 1205982 + 12 (41)


1198611 le 119902101584016 minus (1205981 + 1205982 + 12) (42)



1198612 = 3119902101584016 + (1198611 + 1205981 + 1205982 + 12) le 11990210158404 (43)


















119899DM1 = 119899 + 2 (45)




119899DM2 = 2 sdot (6 + 2) sdot 21198732119889119892 = 321198732119889119892 (46)


119899DM3 = 119873119889119896119904 (119899 + 1) (47)


119899DM = 2119899DM1 + 119899119889119903 sdot 119899DM2 + 119899DM3= 321198732119899119889119892119889119903 + (119899 + 1) (119873119889119896119904 + 2) + 2 (48)








1198991015840119886119889119889=119873119897 + 119897 (119873 minus 119897) = (2119873 minus 119897) 119897 (50)


119899NHE1 = 119899119887119899119897 + 1198991015840119886119889119889 + 1 = (119899119887 + 119897) (119873 minus 119897) + 119873119897 + 1 (51)


119899NHE2 = 2 (119899 + 1) (119897 minus 1) + 3119873 = (119899 + 1) (5119897 minus 2) (52)


119899NHE3 = 2119873 (53)


119899NHE4 = 119873(1198991015840 + 1) (54)


119899NHE5 = 2 (1198991015840 + 1) (55)


119899NHE = 5sum119894=1

119899NHE119894


(56)


119899GSW = 119873 [(119899119887 + 119897) (119873 minus 119897) + 119873119897 + 1] (57)




sdot (log2 (2120582 sdot adv) + 110)72119902

(58)


119901DM119890119903119903 = 1 minus (1 minus 119901DM119887119894119905119890119903119903)3 (59)





119901NHE119890119903119903 = 1 minus 119901111990121199013 (60)


119901GSW119890119903119903 = 1 minus 1199011 = 1 minus 11990141198730 (61)






7 Conclusions





Data Availability




Acknowledgments





























































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia









119899DM1 = 119899 + 2 (45)




119899DM2 = 2 sdot (6 + 2) sdot 21198732119889119892 = 321198732119889119892 (46)


119899DM3 = 119873119889119896119904 (119899 + 1) (47)


119899DM = 2119899DM1 + 119899119889119903 sdot 119899DM2 + 119899DM3= 321198732119899119889119892119889119903 + (119899 + 1) (119873119889119896119904 + 2) + 2 (48)








1198991015840119886119889119889=119873119897 + 119897 (119873 minus 119897) = (2119873 minus 119897) 119897 (50)


119899NHE1 = 119899119887119899119897 + 1198991015840119886119889119889 + 1 = (119899119887 + 119897) (119873 minus 119897) + 119873119897 + 1 (51)


119899NHE2 = 2 (119899 + 1) (119897 minus 1) + 3119873 = (119899 + 1) (5119897 minus 2) (52)


119899NHE3 = 2119873 (53)


119899NHE4 = 119873(1198991015840 + 1) (54)


119899NHE5 = 2 (1198991015840 + 1) (55)


119899NHE = 5sum119894=1

119899NHE119894


(56)


119899GSW = 119873 [(119899119887 + 119897) (119873 minus 119897) + 119873119897 + 1] (57)




sdot (log2 (2120582 sdot adv) + 110)72119902

(58)


119901DM119890119903119903 = 1 minus (1 minus 119901DM119887119894119905119890119903119903)3 (59)





119901NHE119890119903119903 = 1 minus 119901111990121199013 (60)


119901GSW119890119903119903 = 1 minus 1199011 = 1 minus 11990141198730 (61)






7 Conclusions





Data Availability




Acknowledgments





























































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia





1198991015840119886119889119889=119873119897 + 119897 (119873 minus 119897) = (2119873 minus 119897) 119897 (50)


119899NHE1 = 119899119887119899119897 + 1198991015840119886119889119889 + 1 = (119899119887 + 119897) (119873 minus 119897) + 119873119897 + 1 (51)


119899NHE2 = 2 (119899 + 1) (119897 minus 1) + 3119873 = (119899 + 1) (5119897 minus 2) (52)


119899NHE3 = 2119873 (53)


119899NHE4 = 119873(1198991015840 + 1) (54)


119899NHE5 = 2 (1198991015840 + 1) (55)


119899NHE = 5sum119894=1

119899NHE119894


(56)


119899GSW = 119873 [(119899119887 + 119897) (119873 minus 119897) + 119873119897 + 1] (57)




sdot (log2 (2120582 sdot adv) + 110)72119902

(58)


119901DM119890119903119903 = 1 minus (1 minus 119901DM119887119894119905119890119903119903)3 (59)





119901NHE119890119903119903 = 1 minus 119901111990121199013 (60)


119901GSW119890119903119903 = 1 minus 1199011 = 1 minus 11990141198730 (61)






7 Conclusions





Data Availability




Acknowledgments





























































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia





119901NHE119890119903119903 = 1 minus 119901111990121199013 (60)


119901GSW119890119903119903 = 1 minus 1199011 = 1 minus 11990141198730 (61)






7 Conclusions





Data Availability




Acknowledgments





























































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia





Data Availability




Acknowledgments





























































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia




































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia


a more efficient fully homomorphic encryption scheme based

Documents