Achieving Message-Encapsulated Leveled FHE for IoT Privacy Protection
1. Introduction
The rapid development of the Internet of Things has made the issue of privacy protection even more concerning. Privacy protection has affected the large-scale application of the Internet of Things. Fully Homomorphic Encryption (FHE) is a newly emerging public key encryption scheme, which can be used to prevent information leakage. It allows performing arbitrary algebraic operations on data which are encrypted, such that the operation performed on the ciphertext is directly transformed into the corresponding plaintext. Recently, overwhelming majority of FHE schemes are confined to single-bit encryption, whereas how to achieve a multibit FHE scheme is still an open problem. This problem is partially (rather than fully) solved by Hiromasa-Abe-Okamoto (PKC′15), who proposed a packed message FHE scheme which only supports decryption in a bit-by-bit manner. Followed by that, Li-Ma-Morais-Du (Inscrypt′16) proposed a multibit FHE scheme which can decrypt the ciphertext at one time, but their scheme is based on dual LWE assumption. Armed with the abovementioned two schemes, in this paper, we propose an efficient packed message FHE that supports the decryption in two ways: single-bit decryption and one-time decryption.
In recent years, the Internet of Things (IoT) has become an attractive system paradigm to drive a substantive leap on goods and services and has been widely used in intelligent transportation, intelligent power grid, environmental monitoring and perception, intelligent home appliances, and other fields. It covers traditional equipment to general household equipment, which brings more efficiency and convenience to the users. Because many of the data transmitted in the Internet of Things are confidential information or personal privacy information, it usually needs to be encrypted first. With more and more encrypted data stored on the server, it is very frequent for us to retrieve and process these data. Although there are some algorithms for retrieving encrypted data, they are only suitable for small-scale data, and the cost is too high. The encrypted data retrieval method based on the Fully Homomorphic Encryption (FHE) can solve this problem. By directly retrieving the encrypted data, it not only ensures that the retrieved data will not be analyzed, but also carries out homomorphic operation on the retrieved data without changing the sequence of the corresponding plaintext. It can not only protect the user's data security but also improve the retrieval efficiency. Since the first introduction of Gentry in 2009, the construction and optimization of the Fully Homomorphic Encryption scheme have been paid special attention by researchers. However, most of the existing Fully Homomorphic Encryption schemes only allow cryptographic calculations for a single bit, and the efficiency is not satisfactory. Although the cascading (or simple combination) approach can be used to implement message-encapsulated calculations, the performance of such a simple message-encapsulated FHE is not ideal.
In an application scenario, in many cases, it is necessary to calculate data of multiple bits at a time, and thus, constructing an efficient Message-encapsulation Fully Homomorphic encryption becomes an urgent requirement. At present, the research in this area has made initial progress [[1]], which has increased the efficiency of FHE to a certain extent, but comprehensively, its efficiency still needs to be improved. Specifically, the following are considered:
- (1) Brakerski's scheme [[1]] is constructed on the basis of the Brakerski's [[3]] scheme and is a typical representative of the second generation of FHE. But, the latter scheme needs to implement homomorphic calculations by calculating the evaluation key, which increases the computational cost.
- (2) Hiromasa-Abe-Okamoto (HAO) [[2]] is based on the GSW [[4]] scheme and is a typical representative of the third generation of FHE. HAO constructs a message-encapsulation FHE scheme in the form of encapsulated messages, but it cannot implement one-time decryption and only decrypts the ciphertext bit-by-bit, so the scheme is still very inefficient.
An important question arises: Besides those mentioned above, is it possible to design an efficient method to decrypt the ciphertext of the message-encapsulation GSW-FHE scheme at one time?
Li et al. [[5]] used dual Regev [[6]] to construct a public key with multiple instances of the small short integer solution (SIS). Inspired by this work, we will construct public keys with multiple instances of LWEs (Learning with errors), and this constructs a Message-Encapsulation FHE scheme that can be decrypted at one time.
1.1. Our Contribution
Firstly, the public key of the Message-encapsulation Fully Homomorphic Encryption scheme of Hiromasa et al. [[2]] is as follows:
Among them are the secret matrix and the noise matrix . Then, the plaintext message is encapsulated in a matrix, and the public key of the abovementioned form is used to encrypt the message. However, the obtained ciphertext matrix cannot recover all the plaintext bits at one time, but can only be decrypted bit-by-bit.
Secondly, we notice that the public key matrix of the message-encapsulated fully homomorphic encryption scheme constructed by Li et al. [[5]] is as follows:
Among them, there is . Although Li et al.'s scheme [[5]] supports bit-by-bit encryption and one-time decryption, the scheme relies on the minimum integer solution hypothesis (see detailed analysis in [[7]]), and its parameter size depends on instead of causing the size of the evaluation key and the ciphertext to be too large.
Based on the abovementioned observations, in this paper, we construct a public key matrix first with multiple LWE instances. Different from the typical FHE scheme [[3], [8]] and follow-up works [[9]–[13]], its public key matrix contains only one LWE instance. Then, using the new public key, we construct a message-encapsulation GSW-class FEH scheme (MFHE). We give an overview of the scheme in the following:
- (1) Firstly, we use a new public key matrix with multiple LWE instances as follows:
- Among them, and is an LWE instance. This is significantly different from existing message-encapsulation PKE schemes (for example, [[14]]) and message-encapsulation FHE schemes (for example, [[1]]) and is also the fundamental difference between other schemes and the FHE scheme constructed in this paper. Private keys corresponding to the public key is shaped as follows:
- (2) Next, we use the public key matrix we constructed to encrypt multibit messages. The difference is that we use the message-encapsulation method of Li et al. [[5]] and Hiromasa et al. [[2]] to embed multibit messages into the plaintext of a diagonal matrix. That is,
and while constructing a private key matrix with private keys,
is the identity matrix, and we can get
Finally, using the matrix we constructed, calculation of can directly recover the message vector . See Section 4 for a detailed analysis.
1.2. Organization and Structure of the Paper
The rest of this paper is organized as follows. In Section 2, the definitions and symbols used in this paper are introduced. In Section 3, we review the scheme of Gentry-Sahai-Waters et al. In Section 4, we introduce the Message-encapsulation FHE (MFHE) scheme we constructed. Finally, we give a summary of the full paper in Chapter 5.
2. Preliminaries
In this section, we give the preparatory knowledge needed, including definitions and lemmas.
2.1. Symbols
For , we use to represent aggregation . For a real number , we use to represent the largest integer that is not greater than , to represent the nearest integer to . We represent vectors in bold lowercase letters, for example, , and the matrix in bold uppercase letters, for example, . In addition, we use to represent elements in from row and column . We use " " to indicate the assignment. It is worth noting that we use the definition of computationally indistinguishable and statistics indistinguishable and they are represented by and . In addition to this, we also define and . For convenience, we use to represent its norm.
We need to use the following variant of the Left-over Hash Lemma (LHL) [[16]].
Lemma 1.
(Matrix-Vector LHL). Let and . We select a uniform random matrix , and then, the statistical distance of the distribution and is as follows:
2.2. Learning with Errors (LWEs)
LWEs is the main computational assumption that cryptosystems and our variants rely on.
Definition 1.
(LWE Distribution). For safety parameters, let and be integers, let be the error distribution with the bound of , and let be an integer modulo of any polynomial that meets . Then, we select a vector and call it a secret, the LWE distribution in is selected uniformly and randomly, and we select and output .
There are two kinds of the LWE hypothesis: the search-LWE and the decision-LWE. The decision-LWE is defined as follows:
Definition 2.
(Decision- ). Assume an independent selected , which is selected according to one of the following distributions: (1) for from a uniform and random (i.e., ) or (2) uniform distribution (i.e., ). The two distributions mentioned above are computable indistinguishable.
Note 1.
Regev and others [[6], [17]–[19]] introduce the convention between the approximate shortest vector problem (for appropriate parameters) in the LWE hypothesis. We have omitted the lemma of the results of these schemes; see [[6], [17]–[19]] for details.
2.3. Discrete Gauss
In our structure, we need to analyze the behavior of choosing the wrong element from the Gaussian distribution.
Definition 3.
(B Bounded [[3]]). A distribution on an integer if the following exists:
and then, it is called -bound (represented as ).
For the analysis of our scheme, the vector selected from the Gaussian distribution needs to have a certain bound on its norm.
Lemma 2.
(See [[20]]). 1. For ; 2. for , there is Therefore, in this paper, we set and .
In this paper, we assume . So, if , then on average, . It can be known from Lemma 2.2 (2) that there is a high possibility that . Therefore, in this paper, we set and .
2.4. Leveled Fully Homomorphic Encryption
In public-key cryptography, the cipher keeps a public key and encrypts the message in order that the corresponding private key holder can recover the original plaintext message.
Definition 4.
(See [[21]]). Let a fixed function be the level of Fully Homomorphic Encryption. For a kind of circuit , the L-FHE scheme includes four Probabilistic Polynomial Times (PPTs), and the algorithm is as follows:
- The key generation algorithm (KeyGen) is a randomization algorithm that inputs security parameters and outputs public keys ( ) and private keys ( )
- The encryption algorithm Enc is a randomization algorithm that inputs a public key ( ) and a message and outputs a ciphertext
- The decryption algorithm Dec is a deterministic algorithm that inputs the private key and ciphertext and outputs the decrypted message
- The homomorphic algorithm Eval inputs a public key , a circuit , and a sequence of ciphertexts , here let be a polynomial related to the and outputs the computed ciphertext
- The correctness requirements are as follows:
- For arbitrary and output by , we have
- For arbitrary , arbitrary , and , we have
Definition 5.
(CPA Security [[21]]). One FHE scheme is indistinguishable from the choice of plaintext attack ( ): the condition that security needs to be satisfied is that for any PPT adversary , the following probabilities related to are negligible:
Among them, and is arbitrarily selected from the plaintext space by the adversary.
The security definition of a message-encapsulation GSW (MFHE) is the same as GSW for a single bit. Because in public key settings, the security of single message encryption implies the security of multiple message encryption. See section 11 in [[22]] for more details.
Definition 6.
(Compactness [[21]]). For a class of loops , if there is a polynomial such that the length of output ciphertext of Eval is at most , then an Fully Homomorphic Encryption is compact (if it is nontrivial, then for all , some , and we have ).
2.5. Basic Tools
Let us review some of the basic tools proposed by Brakerski and Vaikuntanathan [[23]] and Gentry et al. [[4]]. We fix . Let , and therefore, and .
Definition 7.
(See [[24]]). The algorithm BitComp enters a vector and outputs an -dimensional vector where is the bit in the binary representation of (sorted by minimum impact to maximum impact). In other words,
Definition 8.
(See [[24]]). Algorithm enters a vector
and output .
Note that the input vector does not need to be binary and any of the input vector algorithms in are already defined.
Definition 9.
(See [[24]]). The algorithm Flatten enters a vector and outputs an -dimension binary vector (i.e., an element from ) defined as
Definition 10.
(See [[24]]). The algorithm PoweOftwo enters an -dimension vector and outputs an -dimension vector in . The output is as follows:
Lemma 3.
(See [[26]]). For any , there is a fixed effective computable matrix and a valid computable deterministic "short-image" function that meets the following conditions. For arbitrary , we enter a matrix and the inverse function outputs a matrix so that .
Note 2.
In fact, we can also express the abovementioned definitions and results as follows using the language of and . Micciancio and Peikert's [[26]] matrix can be expressed as , where . For , there is . For , there is . For , the algorithm is renamed as . For , there is . For , there is . For , the algorithm is renamed as .
3. Gentry–Sahai–Waters (GSW) Scheme
Before our work, we first review the GSW scheme and, then, summarize the safety of the scheme of Gentry et al. [[4]].
We review the algorithms which make up the GSW scheme [[4]]. These algorithms were originally defined based on functions , , and , but the ideas from [[19], [27]] borrowed into this paper are defined using tool matrix . Let be the security parameter and be the number of levels of homomorphic encryption.
-
:
- (1) Select a module of bit , error distribution on the parameter and , so that the problem is at least secure for known attacks. Choose a parameter .
- (2) Output: . We express and .
-
:
- (1) Select and calculate
- (2) Generate a matrix and a vector .
- (3) Calculate and construct matrix . Obviously, we observed.
- (4) Return to and .
-
: in order to encrypt a single-bit message ,
- (1) Let be the abovementioned matrix
- (2) Select a matrix evenly
- (3) Calculate
- In the original GSW scheme,
-
, where is an identity matrix.
-
:
- (1) We have .
- (2) Let meet . Let be column of .
- (3) Calculate within the scope of ; note and
- From that mentioned above, it can be seen that column of the ciphertext matrix selected in the calculation corresponds to coordinate of the vector , i.e. .
- (4) Output .
- So, if it is , then it returns to 0, and if it is , then it returns to 1.
-
:
-
: calculate and output
-
: output
Note that . In addition, use to calculate homomorphic gates.
Note 3.
Note that, in [[19]], the decryption algorithm is to select a suitable vector and calculate . It is much less efficient than the original one (all about calculation time and error item size). So, we used the GSW decryption algorithm in our scheme.
When is a power of 2, there is also a variant of the message in . See more details in [[4]].
3.1. Security
A brief proof of the following theorem is given in [[4]].
Theorem 1.
Let be public parameter so that the hypothesis is true, and let . Then, we can say that the GSW scheme is safe.
The most important step of the proof is to prove that and the uniform distribution is computational indistinguishable.
Note 4.
The correctness of the GSW scheme is obtained by analyzing the scale of the noise during encryption, decryption, and homomorphism. Always ensure that the maximum noise level in the abovementioned process is still less than 1/4, which can be decrypted correctly. This work is not the focus of this paper, so it will not be repeated. See more details [[4]].
4. Message-Encapsulation FHE
4.1. Message-Encapsulation FHE (MFHE Scheme)
Now, we introduce our MFHE scheme as follows: a message-encapsulation public-key encryption scheme based on the difficulty of the LWE hypothesis. We give the security parameter , set to be the private keys number, and then, can encrypt the -bit messages at one time.
Let be an integer, and let be a distribution set on . The definition of the variant of the GSW scheme is similar to the cryptosystem proposed in [[19], [27]]. More specifically,
-
:
- (1) In particular, we first select the modulo , and the dimension of lattice . We appropriately select the error distribution for for security against known LWE attacks, Finally, we select the parameter and a parameter .
- (2) Let and , and then, output .
-
:
- (1) For , select from and output
- the position of which is 1.
- (2) Select a matrix and vectors , evenly, and then, calculate and output
- where the size of is . In addition, we observed that .
- (3) Output and . It is worth noting that .
-
:
- (1) To encrypt -bit , , embed the bits into a -dimension matrix first, , where , , and . Later, for simplicity, will be abbreviated as , and the message matrix is constructed using a plaintext matrix .
- where is a random diagonal matrix, and note that is a -dimensional matrix.
- (2) Then, select a uniform matrix . Calculate and output cipher text:
- Now, we propose a decryption algorithm for the MFHE scheme which allows us to recover all the message bits at the one time.
-
:
- (1) First, assume that the user has a private key matrix as follows:
- What needs to be noted here is
- Therefore, it is easy for us to get the bound of which is less than or equal to , i.e. .
- (2) Define the matrix as follows:
- Among them, we have , i.e.,
- (4) Finally, use the results mentioned above to output the complete message .
-
:there are two algorithms, which are, homomorphic addition and homomorphic multiplication. For any two plaintext matrices , we get the ciphertext separately.
- Therefore, the homomorphic addition and multiplication are as follows:
-
: output
-
.
- Here, we can calculate a homomorphic NAND gate from the output.
Note 5.
Generally, we can choose different private keys to decrypt column of the ciphertext bit-by-bit and get the bit message of , that is, we can get the bit in row and column under the private key. However, it is actually possible to recover the entire message using the private key matrix based on the abovementioned decryption algorithm. We calculate as follows:
The magnitude of the noise can be simply calculated and verified to grow linearly compared to single-bit decryption algorithm.
-
:
- (1) Suppose we want to decrypt the bit of row and column , so let , then define a vector so that the position is, and the other positions are 0, .
- (2) For to , calculate
- The inner product of equals to
- (3) Output a message , in which represents the operation that rounds to the nearest integer. Therefore the value belongs to . 4. Finally, by repeating it times, the entire message can be recovered. The algorithm here is similar to the algorithm in [[2]], which is achieved by recovering each element separately.
Note 6.
It should be noted here that due to the structural characteristics of the public key in our scheme, accurate decryption is achieved by dynamically adjusting the position of in the vector . That is, dot-multiply and to obtain the bits of the row and column of the plaintext matrix.
We can get all the bits of the message by using the decryption algorithm and appropriate private key.
Note 7.
It can be seen that our message-encapsulation GSW scheme is to implement -bit homomorphic addition. However, since the element of is not a product of , only -bit homomorphic multiplication is supported.
4.2. Correctness Analysis
Next, we analyze the correctness of the MFHE scheme.
Definition 11.
We call the message matrix which is obtained by decrypting the ciphertext under different private keys (see (2)). The noise of a single-bit message is as follows:
For flexible single-bit decryption algorithm , we represent the noise vector as . For simplicity, we abbreviate to when and do not affect the contextual understanding.
Note that, in our setup, due to the structure of the new public key, is the noise of row of the plaintext matrix , not the single-bit noise.
Lemma 4.
Obviously, using Definition 4.1, for convenience, for a decryption algorithm , if the noise meets
where is a one-time private key matrix, we can represent the entire noise matrix as
For convenience, we will abbreviate as when and do not affect the contextual understanding.
In order to analyze the correctness, for convenience, we first define the following noise ciphertext concept.
Definition 12.
( -Noise Ciphertext). A ciphertext matrix with noise, which makes in a private key , for a corresponding message . Then, let the norm of be
Lemma 5.
For a one-time private key matrix , we can get when we run the Dec algorithm. So, in this case, we get
Lemma 6.
For a plaintext matrix (a combination of ) and a private key , the noise vector of the ciphertext meets
In the following, we analyze the correctness of the decryption.
Lemma 7.
Let be an noise encryption of . If we can recover (an element of ) from the ciphertext under the private key , then there is
so that
Proof.
Obviously, by using Lemma 4.2 we can simply prove Lemma 4.7, and we will not go into details here.
Lemma 8.
Let be an noise encryption in . If we can recover all from the ciphertext , then there is a private key matrix such that
where .
Proof.
This proof can be obtained directly from Lemma 4.2 and Lemma 4.7. Now, we know that as long as , the decryption runs correctly, i.e., . Therefore, we call the value as the bound of noise.
The analysis of the homomorphic operation is given in the following. Before introducing the boundary of noise, the following notes are given.
Note 8.
For the convenience of reading, let and .
Lemma 9.
(See [[8]]). The boundary of the noise of homomorphic addition, homomorphic multiplication, and homomorphic negative is as follows:
- Addition: for , the following condition is met:
- Multiplication: for , the following condition is met:
- NAND: for , the following condition is met:
Proof.
Let be a private key matrix. Let be the ciphertext of the encrypted message separately. Then,
- Homomorphic addition, that is, add ciphertext and ciphertext , so that
- Where and the noise is
- Obviously, the noise is .
- Homomorphic multiplication: that is, multiply the ciphertext and ciphertext , so that
- Then, we have which equals to
- For convenience, we first set the noise to
- Obviously, according to Lemma 4.2, there is
- and is a binary matrix ( ). Therefore, in this case,
- exists. Also, pay attention to that
- The boundary of ( ) is . Therefore,
- In this case, we can easily get the boundary . In other words, . Therefore, we have , and the ciphertext is noisy.
- NAND gate: the same operation is true for the NAND gate, and output matrix product is . Consider a Boolean circuit whose computational depth is while containing NAND gates. It takes the new ciphertext as input, that is, the noise ciphertext, the noise multiplied by a factor which is at most at each level, that is, the norm of the error element increases by a factor which is, at most, . Therefore, the wrong element norm of the final ciphertext is bounded as .
In order to ensure the correctness of the decryption, needs to be true. That is to say, the inequality must be true, which is guaranteed by the parameters we choose. The proof is completed.
4.3. IND−CPA Security Analysis
In the following, we use Theorem 4.1 to prove that the message-encapsulation GSW scheme based on the LWE assumption that it is safe and that the scheme is indistinguishable from the original GSW scheme [[4]].
Theorem 2.
Let and be a discrete Gaussian distribution on , which makes the problem difficult. Let be an integer that makes true. Define two distributions and as follows:
-
is a distribution on the matrix . Among them, is uniformly selected, for all , , in which are uniformly selected from , and is selected from a discrete Gaussian distribution .
-
is evenly distributed on .
Therefore, the distribution and is computational indistinguishable.
Theorem 3.
Let so that the assumption is true and . Then, the MFHE scheme is safe.
Proof.
The proof of security contains two steps:
- First, we use Theorem 4.11 to prove that, under the assumption, the matrix and the randomly chosen matrix are computationally indistinguishable
- Then, using the Left-over Hash Lemma, a uniform random value can be used to replace the ciphertext , that is, is indistinguishable from the uniform distribution
The brief proof is over. See more details in [[4]].
5. Conclusions
In this paper, we construct an efficient message-encapsulation FHE scheme. The scheme can achieve the decryption at one time and can also flexibly decrypt bit-by-bit. In Table 1, we give a comparison of the parameters of this scheme with the existing schemes. It can be seen from the comparison that compared with the previous ones, the scheme keeps the key length substantially, and this scheme is based on more conventional assumptions and, meanwhile, reduces the ciphertext length to some extent. The proposal of this scheme makes the full homomorphic encryption take a big step from theoretical research to large-scale application. It is conducive to greatly improving the efficiency of encrypted data processing (such as retrieval and operation) in the Internet of things, saving the energy consumption of nodes in the Internet of Things, and ensuring that the data are not statistically analyzed, which has a better application scenario [[29]–[31]].
Table 1 Comparison of the related works.
Underlying | HAO | Ours- | LMDO[ |
---|
Assumption | LWE | LWE | dual-LWE |
---|
| t | t | t |
| | | |
| | | |
| | | |
| | | |
| | | |
message length | |
cipher text length | |
In addition, there are many interesting open issues that may be resolved in the future. For example, our thinking has certain reference value for enhancing big data security and constructing a message-encapsulated casual transmission protocol, but it also has certain challenges.
Data Availability
No data were used in this study.
Conflicts of Interest
The authors declare no conflicts of interest.
[
REFERENCES
1
Brakerski Z., Gentry C., Halevi S. Packed ciphertexts in LWE-based homomorphic encryptionProceedings of the Public-Key Cryptography—PKC 2013—16th International Conference on Practice and Theory in Public-Key Cryptography. February 2013. Nara, Japan, 1-13, 10.1007/978-3-642-36362-7_1n
2
Hiromasa R., Abe M., Okamoto T. Packing messages and optimizing bootstrapping in GSW-FHEProceedings of the Public-Key Cryptography—PKC 2015—18th IACR International Conference on Practice and Theory in Public-Key Cryptography. March 2015. Gaithersburg, MD, USA, 699-715
3
Brakerski Z. Fully homomorphic encryption without modulus switching from classical gapsvpProceedings of the Advances in Cryptology—CRYPTO 2012—32nd Annual Cryptology Conference. August 2012. Santa Barbara, CA, USA, 868-886, 10.1007/978-3-642-32009-5_50, 2-s2.0-84865507640
4
Gentry C., Sahai A., Waters B. Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-basedProceedings of the Part I Advances in Cryptology—CRYPTO 2013—33rd Annual Cryptology Conference. August 2013. Santa Barbara, CA, USA, 75-92
5
Li Z., Ma C., Morais E., Du G. Multi-bit leveled homomorphic encryption via dual LWE-basedProceedings of the Revised Selected Papers Information Security and Cryptology—12th International Conference. November 2016. Beijing, China, 221-242, 10.1007/978-3-319-54705-3_14, 2-s2.0-85014881685
6
Regev O. On lattices, learning with errors, random linear codes, and cryptography. Journal of the ACM. 2009; 56(6): 1-34, 10.1145/1568318.1568324, 2-s2.0-70349309809
7
Li Z., Galbraith S. D., Ma C. Preventing adaptive key recovery attacks on the gentry-sahai-waters leveled homomorphic encryption scheme. IACR Cryptology ePrint Archive. 2016, 1146
8
Brakerski Z., Perlman R. Lattice-based fully dynamic multi-key FHE with short ciphertextsProceedings of the Part I Advances in Cryptology—CRYPTO 2016—36th Annual International Cryptology Conference. August 2016. Santa Barbara, CA, USA, 190-213, 10.1007/978-3-662-53018-4_8, 2-s2.0-84979545709
9
Li Z., Ma C., Wang D. Leakage resilient leveled FHE on multiple bit message. IEEE Transactions on Big Data. 2017, 10.1109/TBDATA.2017.2726554
Li Z., Ma C., Wang D. Towards multi-hop homomorphic identity-based proxy re-encryption via branching program. IEEE Access. 2017; 5, 16214-16228, 10.1109/access.2017.2740720, 2-s2.0-85028514211
Li Z., Ma C., Wang D. Achieving multi-hop PRE via branching program. IEEE Transactions on Cloud Computing. 2020; 8(1): 45-58, 10.1109/tcc.2017.2764082, 2-s2.0-85032299590
Li Z., Ma C., Zhou H. Multi-key FHE for multi-bit messages. Sciece China Information Sciences. 2018; 61(2), 029101, 10.1007/s11432-017-9206-y, 2-s2.0-85040117356
Li Z., Xiang C., Wang C. Oblivious transfer via lossy encryption from lattice-based cryptography. Wireless Communications and Mobile Computing. 2018; 2018, 11, 5973285, 10.1155/2018/5973285, 2-s2.0-85053668224
Lindner R., Peikert C. Better key sizes (and attacks) for LWE-based encryptionProceedings of the Topics in Cryptology—CT-RSA 2011—the Cryptographers' Track at the RSA Conference 2011. February 2011. San Francisco, CA, USA, 319-339, 10.1007/978-3-642-19074-2_21, 2-s2.0-79951793525
Peikert C., Vaikuntanathan V., Waters B. A framework for efficient and composable oblivious transferProceedings of the 28th Annual International Cryptology Conference Advances in Cryptology—CRYPTO 2008. August 2008. Santa Barbara, CA, USA, 554-571, 10.1007/978-3-540-85174-5_31, 2-s2.0-51849126892
Hastad J., Impagliazzo R., Levin L. A., Luby M. Pseudo-random generation from one-way functions (extended abstracts)Proceedings of the 21st Annual ACM Symposium on Theory of Computing. May 1989. Seattle, Washigton, USA, 12-24
Peikert C. Public-key cryptosystems from the worst-case shortest vector problem: extended abstractProceedings of the STOC 2009 41st Annual ACM Symposium on Theory of Computing. May 2009. Bethesda, MD, USA, 333-342, 10.1145/1536414.1536461, 2-s2.0-70350642078
Peikert C., Waters B. Lossy trapdoor functions and their applicationsProceedings of the 40th Annual ACM Symposium on Theory of Computing. May 2008. British Columbia, Canada, 187-196, 10.1145/1374376.1374406
Mukherjee P., Wichs D. Two round multiparty computation via multi-key FHEProceedings of the Part II Advances in Cryptology—EUROCRYPT 2016—35th Annual International Conference on the Theory and Applications of Cryptographic Techniques. May 2016. Vienna, Austria, 735-763, 10.1007/978-3-662-49896-5_26, 2-s2.0-84964956073
Lyubashevsky V. Lattice signatures without trapdoorsProceedings of the Advances in Cryptology—EUROCRYPT 2012— 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques. April 2012. Cambridge, UK, 738-755, 10.1007/978-3-642-29011-4_43, 2-s2.0-84859986507
Katz J., Thiruvengadam A., Zhou H. Feasibility and infeasibility of adaptively secure fully homomorphic encryptionProceedings of the Public-Key Cryptography—PKC 2013—16th International Conference on Practice and Theory in Public-Key Cryptography. February 2013. Nara, Japan, 14-31
Katz J., Lindell Y. Introduction to Modern Cryptography. 2014Second: Boca Raton, FL, USA; CRC Press
Brakerski Z., Vaikuntanathan V. Efficient fully homomorphic encryption from (standard) LWEProceedings of the FOCS 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science. October 2011. Palm Springs, CA, USA, 97-106, 10.1109/FOCS.2011.12, 2-s2.0-80955132201
Clear M., McGoldrick C. Multi-identity and multi-key leveled FHE from learning with errorsProceedings of the Part II Advances in Cryptology—CRYPTO 2015—35th Annual Cryptology Conference. August 2015. Santa Barbara, CA, USA, 630-656
Brakerski Z., Vaikuntanathan V. Lattice-based FHE as secure as PKEProceedings of the ITCS'14 Innovations in Theoretical Computer Science. January 2014. Princeton, NJ, USA, 1-12, 10.1145/2554797.2554799, 2-s2.0-84893301353
Micciancio D., Peikert C. Trapdoors for lattices: simpler, tighter, faster, smallerProceedings of the Advances in Cryptology—EUROCRYPT 2012—31st Annual International Conference on the Theory and Applications of Cryptographic Techniques. April 2012. Cambridge, UK, 700-718, 10.1007/978-3-642-29011-4_41, 2-s2.0-84859976564
Alperin-Sheriff J., Peikert C. Faster bootstrapping with polynomial errorProceedings of the Part I Advances in Cryptology—CRYPTO 2014—34th Annual Cryptology Conference. August 2014. Santa Barbara, CA, USA, 297-314, 10.1007/978-3-662-44371-2_17, 2-s2.0-84905365008
Ducas L., Micciancio D. FHEW: bootstrapping homomorphic encryption in less than a secondProceedings of the Part I Advances in Cryptology—EUROCRYPT 2015—34th Annual International Conference on the Theory and Applications of Cryptographic Techniques. April 2015. Sofia, Bulgaria, 617-640, 10.1007/978-3-662-46800-5_24, 2-s2.0-84942694191
Li Z., Sharma V., Ma C., Ge C., Susilo W. Ciphertext-policy attribute-based proxy re-encryption via constrained PRFS. Science China Information Sciences. 2020; 64(6), 10.1007/s11432-019-2856-8
Li Z., Wang J., Choi C., Zhang W. Multi-factor password-authenticated key exchange via pythia PRF service. Computers, Materials & Continua. 2020; 63(2): 663-674, 10.32604/cmc.2020.06565
Sharma V., Jayakody D. N. K., Qaraqe M. Osmotic computing-based service migration and resource scheduling in mobile augmented reality networks (MARN). Future Generation Computer Systems. 2020; 102, 723-737, 10.1016/j.future.2019.09.008
]
By Weiping Ouyang; Chunguang Ma; Guoyin Zhang and Keming Diao
Reported by Author; Author; Author; Author