1 Introduction

Learning with Errors (LWE) is a computational problem which asks to distinguish a system of linear equations with small errors from a uniformly random one. Since Regev [35] first introduced the LWE problem, it has been one of the standard assumptions for the construction of cryptographic primitives due to its security and versatility. Lyubashevsky, Peikert, and Regev [32] proposed a variant of LWE called the Ring Learning with Errors (RLWE) problem. They showed that the (decisional) RLWE problem over a cyclotomic ring can be reduced from the Shortest Independent Vectors Problem (SIVP) over ideal lattices.

Homomorphic Encryption (HE) is a cryptographic scheme which enables arithmetic operations on encrypted data without decryption. This technology is a promising solution which can prevent leakage of sensitive personal information such as financial, medical and genomic data. A number of HE schemes [5, 7, 8, 13, 15, 16, 18, 19, 21, 23, 24] have been suggested following Gentry’s blueprint [22]. Currently, most of the practical HE schemes [13, 15, 21, 23] base their security on the hardness of RLWE over a cyclotomic ring. For years, the choice of base ring was restricted because nothing was known about the hardness of (decisional) RLWE over non-cyclotomic rings.

Cheon et al. [13] proposed a HE scheme (\(\text {HEAAN}\)) that supports the arithmetic of approximate numbers. In addition to homomorphic addition and multiplication, the \(\text {HEAAN}\) scheme can compute the rounding operation (extraction of the most significant bits) efficiently, which has traditionally been considered a challenging subject in HE systems. Because of this functionality, \(\text {HEAAN}\) has shown remarkable performance in many applications [6, 14, 17, 28,29,30] requiring computations on real numbers.

Motivation. The \(\text {HEAAN}\) scheme exploits a variant of the (complex) canonical embedding over a cyclotomic field to pack a number of plaintext values in a single ciphertext. Hence, each of the plaintext slots can store a complex number. We point out that this complex encoding method has some problems in terms of efficiency and precision. Since most real-world applications (e.g. machine learning) require computations over purely real numbers, the imaginary part of a plaintext of \(\text {HEAAN}\) is underutilized. It can be viewed as a waste of plaintext space. In addition, homomorphic operations of \(\text {HEAAN}\), such as multiplication and rounding, generate additional complex errors which can reduce the computational accuracy.

Peikert et al. [34] recently showed that the RLWE problem over the ring of integers of an arbitrary number field is no easier than SIVP over ideal lattices of the same number field. Hence we aim to find a new number field and construct a HE scheme over its ring of integers which utilizes a fully packed plaintext space over the real numbers, overcoming the problem above.

Our Contribution. We consider the maximal real subfield of a cyclotomic field as a base number field and define the RLWE problem over its ring of integers which is called the conjugate-invariant ring. We first show that the conjugate-invariant ring is the set of real numbers in the ring of integers of a cyclotomic field and adapt the reduction of [34] to guarantee the hardness of RLWE problem over the conjugate-invariant ring.

Based on this problem, we construct a new HE scheme that supports approximate arithmetic of real numbers. Our scheme can store a real number in each of the plaintext slots since the image of the conjugate-invariant ring with respect to the canonical embedding belongs to the set of real vectors. We also propose a specialized Fast Fourier Transformation (FFT) algorithm over the residue ring of the conjugate-invariant ring to minimize the complexity of arithmetic operations.

As a result, our HE scheme can encrypt twice as many plaintext slots as the original \(\text {HEAAN}\) scheme while maintaining the same security level and computational costs, i.e., the amortized complexity per slot is reduced by half.

Technical Details. Let m be a power-of-two integer, \(n=\phi (m)=m/2\) and \(\varPhi _m(X)=X^n+1\). Let \(\zeta =\exp (2\pi i/m)\) be an m-th primitive root of unity and let \(F={\mathbb Q}(\xi )\) be the maximal real subfield of the cyclotomic field \(K={\mathbb Q}(\zeta )\) for \(\xi =\zeta +\zeta ^{-1}\). Then the ring of integers of \(F={\mathbb Q}(\xi )\) is \(R ={\mathbb Z}[\xi ]\), and we call this ring the conjugate-invariant ring. By adapting the reduction in [34], we can show that RLWE over the ring R is no easier than SIVP over ideal lattices in K. This hardness proof reasonably motivates us to exploit R as a base ring for the construction of a HE scheme. We also give a cryptanalysis of RLWE over the conjugate-invariant ring \(R=\{a(X)\in {\mathbb Z}[X]/(X^n+1):a(X)=a(X^{-1})\}\) to study the concrete security level. We consider all known attacks on RLWE and conclude that this problem requires the same attack complexity as the ordinary (n/2)-dimensional LWE problem.

The plaintext encoding technique of \(\text {HEAAN}\) utilizes the canonical embedding map for the packing of plaintexts in a single ciphertext. Similarly, we consider the canonical embedding map \(\tau : F \rightarrow {\mathbb C}^{n/2}\) of the number field F. Since \(\xi \) and its conjugate elements are real, the image of F with respect to its canonical embedding actually lies in \({\mathbb R}^{n/2}\). Therefore, we can define a ring homomorphism from F into the vectors of purely real numbers, and make use of plaintext encoding/decoding algorithms between R and \({\mathbb R}^{n/2}\) based on this canonical embedding.

We construct a new HE scheme whose security relies on the hardness of RLWE over R. We first propose a vector representation for the elements of F, which is efficient for the rounding operation into R and the modulo operation of the residue ring \(R_q=R/qR\). Then, we describe a HE scheme over the real numbers, which provides approximate arithmetic operations and an approximate rounding operation.

We also explain how to represent the elements of \(R_q\) and perform the arithmetic operations between them. We present a specialized Fast Fourier Transform (FFT) algorithm for an efficient Number Theoretic Transform (NTT) on the residue ring \(R_q\) and fast multiplication between ring elements. This optimization technique constructs a simply computable ring isomorphism from \(R_q\) to \({\mathbb Z}_q[X]/(X^{n/2}-1)\), so the ordinary NTT conversion on \({\mathbb Z}_q[X]/(X^{n/2}-1)\) can be applied to \(R_q\) whose dimension is one quarter of that of a naive method.

In conclusion, our approximate HE scheme over R can encrypt (n/2) plaintext slots in a single ciphertext, twice as many plaintext slots compared to (n/4) of the ordinary \(\text {HEAAN}\) scheme over \({\mathbb Z}_q[X]/(X^{n/2}+1)\), while keeping the same concrete security level, storage, and computational costs.

Related Works. Arita and Handa [3] proposed a HE scheme based on RLWE over the decomposition ring, which is a subring of the cyclotomic ring. Their subring technique is applied to HElib [26]: they consider the plaintext space as \({\mathbb Z}_p \oplus \cdots \oplus {\mathbb Z}_p\), which is a subring of the plaintext space \(\text {GF}(p^d)\oplus \cdots \oplus \text {GF}(p^d)\) of HElib for some integers p and d, where \(\text {GF}(p^d)\) denotes the Galois field of cardinality \(p^d\). They claimed that RLWE over the decomposition ring is at least as hard as its search version. However, there is no known reduction from lattice problems over ideal lattices to the search version, since the decomposition ring is not known to be the ring of integers of some number field so far. In contrast, RLWE over the conjugate-invariant ring which we consider in this paper has a reduction from SIVP over ideal lattices.

Road-Map. In Sect. 2, we present the notation of our paper and some background on RLWE. In Sect. 3, we define RLWE over the conjugate-invariant ring and discuss its hardness. In Sect. 4, we present our new approximate HE scheme constructed over the conjugate-invariant ring, describe encoding/decoding algorithms for real numbers, and propose a specialized FFT algorithm for the desired ring. In the last section, we give a summary of our approximate HE scheme compared to the original \(\text {HEAAN}\).

2 Background

2.1 Notation

All logarithms are base 2 unless otherwise indicated. For an integer \(m \ge 2\), \({\mathbb Z}_m := {\mathbb Z}/m{\mathbb Z}\), and \({\mathbb Z}_m^{\times }\) is the multiplicative group of units in \({\mathbb Z}_m\). For a ring R, its residue ring R/qR modulo an integer q is denoted by \(R_q\). For a real number r, \(\lfloor {r}\rceil \) denotes the nearest integer to r, rounding upwards in case of a tie. For a vector \({\varvec{u}}\) of (complex) numbers, \(\Vert {{\varvec{u}}}\Vert _2\) (\(\text {resp. }\Vert {{\varvec{u}}}\Vert _\infty \)) denotes the \(\ell _2\)-norm (\(\text {resp. }\ell _\infty \)-norm) of \({\varvec{u}}\). For an element a of a number field K, \(\Vert {a}\Vert _2^{\textsf {can}}\) (\(\text {resp. }\Vert {a}\Vert _\infty ^{\textsf {can}}\)) denotes the \(\ell _2\)-norm (\(\text {resp. }\ell _\infty \)-norm) of the image vector of a via the canonical embedding map. For vectors \({\varvec{a}}\) and \({\varvec{b}}\) of the same dimension, \({\varvec{a}}\odot {\varvec{b}}\) denotes the component-wise multiplication of \({\varvec{a}}\) and \({\varvec{b}}\). We denote by \(\phi (\cdot )\) Euler’s totient function and by \(\varPhi _m(X)\) the m-th cyclotomic polynomial. For a complex number \(z \in {\mathbb C}\), \(\overline{z}\) denotes the complex conjugate of z.

2.2 Number Fields and Ideal Lattices

For any number field K, there exists an element \(\zeta \) of K such that \(K = {\mathbb Q}(\zeta )\). Hence K is isomorphic to \({\mathbb Q}[X]/(f(X))\) for the minimal polynomial f(X) of \(\zeta \) over \({\mathbb Q}\). The degree n of f(X) equals the extension degree \([K:{\mathbb Q}]\). There are exactly n injective ring homomorphisms \(\{\sigma _j\}_{1\le j\le n}\) from K to \({\mathbb C}\). The canonical embedding is defined as the n-tuple of these embeddings as follows:

$$\begin{aligned} \sigma : K &\rightarrow {\mathbb C}^n\\ a &\mapsto (\sigma _j(a))_{1\le j\le n}. \end{aligned}$$

Let \(s_1\) be the number of real embeddings of K, then \(n = s_1 + 2s_2\) for some non-negative integer \(s_2\). Without loss of generality, let \(\sigma _1,\dots ,\sigma _{s_1}\) be real embeddings of K. Then the image of \(\sigma \) lies in the space \(H :=\{(x_1, \ldots ,x_n)\in {\mathbb C}^n : x_{s_1+s_2+j} = \overline{x_{s_1+j}}, 1\le j \le s_2\}\). Let \(\{{\varvec{e}}_j\}_{1\le j \le n}\) be a canonical basis of \({\mathbb C}^n\). Let \({\varvec{h}}_j = {\varvec{e}}_j\) for \(1\le j \le s_1\), \({\varvec{h}}_{s_1+j} = ({\varvec{e}}_{s_1+j} + {\varvec{e}}_{s_1+s_2+j})/\sqrt{2}\) and \({\varvec{h}}_{s_1+s_2+j} = ({\varvec{e}}_{s_1+j} - {\varvec{e}}_{s_1+s_2+j})/\sqrt{-2}\) for \(1 \le j \le s_2\). Then, \(\{{\varvec{h}}_j\}_{1\le j\le n}\) forms an orthogonal \({\mathbb R}\)-basis of H.

An element of K is called an algebraic integer if its minimal polynomial over \({\mathbb Q}\) has integral coefficients. The set of all algebraic integers, denoted by \({\mathcal O}_K\), is called the ring of integers of K. A fractional ideal I of K is an \({\mathcal O}_K\)-submodule of K such that there exists a non-zero element \(r\in {\mathcal O}_K\) which satisfies \(rI \subseteq {\mathcal O}_K\). If \(I \subseteq {\mathcal O}_K\), then we call I an (integral) ideal. The image \(\sigma (I)\) of a fractional ideal I via the canonical embedding forms a lattice in \({\mathbb C}^n\), and we call it the ideal lattice generated by I. The dual of I in K is a fractional ideal in K defined as \(I^{\vee }:=\{a\in K : \text {Tr}(aI) \subseteq {\mathbb Z}\}\).

For \(1\le k \le n\), the k-th successive minimum of the lattice \({\mathcal L}\), denoted by \(\lambda _k({\mathcal L})\), is the minimum value of \(r>0\) such that \({\mathcal L}\) has k linearly independent vectors of length at most r. If \({\mathcal L}\) is an ideal lattice \(\sigma (I)\) for a fractional ideal I of K, we simply write \(\lambda _k(I)\). The SIVP over ideal lattices in K is defined as follows.

Definition 1

(SIVP over ideal lattices). For a number field K of degree n and an approximation factor \(\gamma \ge 1\), the K-\(\mathsf {SIVP}_\gamma \) problem is: given a fractional ideal I of K, output n linearly independent vectors in the ideal lattice \(\sigma (I)\) of length at most \(\gamma \cdot \lambda _n(I)\).

2.3 Ring Learning with Errors

For positive integers n and q, let R be the ring of integers of a number field K, \(R_q=R/qR\) and \(K_{{\mathbb R}} = K \otimes _{\mathbb Q}{\mathbb R}\). Let \(\chi _{{key}}\) and \(\chi _{{err}}\) be distributions over \( R^\vee \) and \( K_{{\mathbb R}}\), respectively. For \(s \in R_q^{\vee }\), \(A^{R\text {-}\mathsf {LWE}}_{q,\chi _{{err}}}(s)\) is the distribution which draws \(a\leftarrow R_q\) and \(e\leftarrow \chi _{err}\), and outputs the pair \({(a,a\cdot s+e)}\) in \(R_q \times K_{{\mathbb R}}/qR^\vee \). The (decisional) RLWE problem is defined as follows.

Definition 2

(Ring Learning with Errors). Let n, q be positive integers, and \(\chi _{{key}}\) (\(\text {resp. }\chi _{{err}}\)) be a distribution over \( R_q^\vee \) (\(\text {resp. }K_{{\mathbb R}}\)). The RLWE problem, denoted by \(R\text {-}\mathsf {LWE}_{q,\chi _{{err}}}(\chi _{{key}})\), is to distinguish between the uniform distribution over \(R_q \times K_{{\mathbb R}}/qR^\vee \) and \(A^{R\text {-}\mathsf {LWE}}_{q,\chi _{{err}}}(s)\) where \(s\leftarrow \chi _{{key}}\).

Since \(K_{{\mathbb R}}\) is isomorphic to the vector space H, a distribution over H can be identified as a distribution over \(K_{{\mathbb R}}\). If \(\chi _{{err}}\) is a (spherical) Gaussian distribution \(D_{\alpha q}\) over H with respect to the basis \(\{{\varvec{h}}_i\}_{1\le i \le n}\) and \(\chi _{{key}}\) is the uniform distribution over \(R_q^\vee \), we simply denote by \(R\text {-}\mathsf {LWE}_{q,\alpha }\).

Lyubashevsky et al. [32] proposed a polynomial-time quantum reduction from lattice problems over ideal lattices to the RLWE problem, which holds only for the cyclotomic fields with some special conditions on the modulus q. Peikert et al. [34] gave a new reduction from the same problem which can be applied to an arbitrary number field and modulus.

Theorem 1

([34, Corollary 7.3]). Let n, q be positive integers, \(0< \alpha < 1\) be a real number such that \(\alpha q = \omega (1)\), K be an arbitrary number field of degree n and \(R = {\mathcal O}_K\). Then there exists a polynomial-time quantum reduction from K-\(\mathsf {SIVP}_\gamma \) to \(R\text {-}\mathsf {LWE}_{q,\alpha }\) given \(\ell \) samples for \(\gamma = \max \{\omega (\sqrt{n\log n}/\alpha )\cdot (n\ell /\log (n\ell ))^{1/4}, \sqrt{2} n\}\).

Recently, it was shown by Rosca et al. [36] that the non-dual RLWE problem, i.e., RLWE with the distribution of the secret over \(R_q\) rather than \(R_q^\vee \), is at least as hard as the original RLWE problem. In addition, the rounding technique of Peikert [33] allows us to sample errors from a discrete Gaussian distribution rather than a continuous Gaussian distribution. With these settings, an RLWE sample lies in \(R_q \times R_q\) rather than \(R_q \times K_{{\mathbb R}}/qR^\vee \).

3 RLWE over the Conjugate-Invariant Ring

Cyclotomic rings have been the most commonly used base rings for RLWE for two main reasons. The ring of integers of the m-th cyclotomic field is isomorphic to \({\mathbb Z}[X]/(\varPhi _m(X))\), and its structure is particularly well suited to the construction of cryptographic schemes from the perspective of efficiency and functionality. In addition, for years there was no known reduction to RLWE over a non-cyclotomic ring, until Peikert et al. [34] recently proposed a reduction from SIVP over ideal lattices to (decisional) RLWE for arbitrary number fields.

In this section, we introduce a new number field which has not been exploited in lattice-based cryptography so far, and compute the ring of integers of the number field. Then we study the hardness of the RLWE problem over this new ring in two ways: we give a reduction from a standard lattice problem, and we study the concrete security level by considering all known attacks.

Let \(m\ge 2\) be an integer and \(n=\phi (m)\) for Euler’s totient function \(\phi (\cdot )\). For the m-th primitive root of unity \(\zeta =\exp (2\pi i/m)\), the m-th cyclotomic field is defined by \(K={\mathbb Q}(\zeta )\). Let \(\sigma _{-1}\) be the element of \(\text {Gal}(K/{\mathbb Q})\) defined by \(\sigma _{-1}:\zeta \mapsto \zeta ^{-1}\), and \(G=\{id,\sigma _{-1}\}\) be the cyclic subgroup of \(\text {Gal}(K/{\mathbb Q})\) generated by \(\sigma _{-1}\). We denote by \(F=K^G\) the G-invariant subfield of K which is defined as \(F=\{a\in K:\tau (a)=a, \forall \tau \in G\}\). We first remark that \(F = {\mathbb Q}(\xi )\) for \(\xi =\zeta +\zeta ^{-1}\). It is clear that \({\mathbb Q}(\xi ) \subseteq F \subseteq {\mathbb Q}(\zeta )\) and \([{\mathbb Q}(\zeta ) : F] = |G| = 2\). Since \(\zeta \) is a root of \(X^2 - \xi \cdot X + 1 \in {\mathbb Q}(\xi )[X]\), the inequality \([{\mathbb Q}(\zeta ):{\mathbb Q}(\xi )] \le 2\) holds and it implies \(F = {\mathbb Q}(\xi )\). In particular, we are interested in the set of integer-coefficient elements of \({\mathbb Q}(\xi )\) with respect to the \({\mathbb Q}\)-basis \(\{1,\xi ,\xi ^2, \ldots ,\xi ^{{\frac{n}{2}}-1}\}\). We call this set \({\mathbb Z}[\xi ]\) the conjugate-invariant ring.

3.1 Reduction from SIVP

The well-known reductions [32, 34] from standard problems over ideal lattices to RLWE require that the base ring exploited in RLWE be the ring of integers of a number field. Therefore, it is crucial to determine the ring of integers of a number field in order to define the RLWE problem over it and show its hardness.

We consider the subfield \(F={\mathbb Q}(\xi )\) of \(K={\mathbb Q}(\zeta )\) as a base number field, and compute its ring of integers \(R:={\mathcal O}_F\) in this section. Fortunately, the structure of a cyclotomic field yields a quite simple and nice result on the conjugate-invariant ring, as follows.

Fig. 1. Number fields and their rings of integers

Lemma 1

\({\mathbb Z}[\xi ]\) is the ring of integers of \(F = {\mathbb Q}(\xi )\) (Fig. 1).

Proof

It is clear that \({\mathbb Z}[\xi ]\subseteq {\mathcal O}_F\). Since \({\mathcal O}_F \subseteq {\mathcal O}_K={\mathbb Z}[\zeta ]\), every element \(a\in {\mathcal O}_F\) is uniquely expressed as \(a = \sum _{-{\frac{n}{2}}\le j<{\frac{n}{2}}} a_j\cdot \zeta ^j\) for some integers \(a_{-{\frac{n}{2}}},\dots ,a_{{\frac{n}{2}}-1}\). From the definition of F, we obtain \(\sigma _{-1}(a) = a\), i.e., \(\sum _{j=-{\frac{n}{2}}}^{{\frac{n}{2}}-1}a_j\zeta ^j = \sum _{j=-{\frac{n}{2}}+1}^{{\frac{n}{2}}} a_{-j}\zeta ^j\), which implies \(a_j = a_{-j}\) for \(0 \le j < {\frac{n}{2}}\) and \(a_{-{\frac{n}{2}}} = 0\). Then, \(a = a_0 + \sum _{j=1}^{{\frac{n}{2}}-1}a_j(\zeta ^j + \zeta ^{-j}) \in {\mathbb Z}[\xi ]\), since \(\zeta ^j + \zeta ^{-j} \in {\mathbb Z}[\xi ]\) for \(1\le j <{\frac{n}{2}}\). Therefore, \({\mathcal O}_F \subseteq {\mathbb Z}[\xi ]\), which directly implies \({\mathbb Z}[\xi ] = {\mathcal O}_F\).   \(\square \)

It is derived from Lemma 1 that the RLWE problem over \(R={\mathbb Z}[\xi ]\), simply denoted by \(R\text {-}\mathsf {LWE}_{q,\alpha }\), is at least as hard as F-\(\mathsf {SIVP}\) from Theorem 1. We can naturally identify R with the ring of polynomials \({\mathbb Z}[Y]/(g(Y))\) for the minimal polynomial \(g(Y) \in {\mathbb Z}[Y]\) of \(\xi \) over \({\mathbb Q}\) via mapping \(a(Y) \mapsto a(\xi )\). However, it is more convenient to consider R as the subring

$$R = \{a(X)\in {\mathbb Z}[X]/(\varPhi _m(X)): a(X) = a(X^{-1})\}$$

of \({\mathcal O}_K={\mathbb Z}[X]/(\varPhi _m(X))\). Note that the condition \(a(X)= a(X^{-1})\) corresponds to the conjugation-invariant property. We will follow this subring perspective in the rest of paper.

3.2 Cryptanalysis

In this section, we discuss the attack complexity of RLWE over the conjugate-invariant ring. In general, the RLWE problem does not guarantee the same security level as LWE with the same parameter. For example, there have been several attempts to attack the RLWE (or Poly-LWE) problem over a ring \({\mathbb Z}[X]/(f(X))\) by exploiting its ring structure [9, 10, 20]. One common limitation of these attacks is that f(X) should have a root modulo q satisfying some strong conditions.

The RLWE assumption can be viewed as a specific case of LWE \((A,{\varvec{b}}=A {\varvec{s}}+{\varvec{e}})\) where the random matrix A has a special algebraic structure. In the case of RLWE over a power-of-two cyclotomic ring, an RLWE sample can be understood as a variant of n-dimensional LWE instance where A is a random anti-circulant matrix. However, there has been no known attack achieving a lower complexity by exploiting this property. As a result, the current best known attacks are standard lattice attacks on the ordinary LWE problem such as dual attack and primal attack, which are well described in [1].

Now we explain how to understand an \(R\text {-}\mathsf {LWE}\) instance as an \(\mathsf {LWE}\) instance with a special structure. Let m be a power-of-two integer so that \(n=m/2\) and \(\varPhi _m(X)=X^n+1\). An element of \(R=\{a(X)\in {\mathbb Z}[X]/(X^n+1): a(X) = a(X^{-1})\}\) can be uniquely expressed as \(a(X) = a_0+\sum _{j=1}^{{\frac{n}{2}}-1}a_j\cdot (X^j+X^{-j})\) for some integers \(a_0,\dots ,a_{{\frac{n}{2}}-1}\). Therefore, a(X) can be identified with the vector \({\varvec{a}}=(a_0,a_1, \ldots ,a_{{\frac{n}{2}}-1})\) of length (n/2). Based on this identification, an RLWE sample over the conjugate-invariant ring \((a(X), b(X)= a(X)\cdot s(X) + e(X)) \in R_q^2\) with secret s(X) can be transformed to \((A, {\varvec{b}}= A{\varvec{s}}+ {\varvec{e}}) \in {\mathbb Z}_q^{{\frac{n}{2}}\times {\frac{n}{2}}} \times {\mathbb Z}_q^{\frac{n}{2}}\) where A is a square matrix of size (n/2) whose (i, j)-th component is given by

$$\begin{aligned} A_{ij} = {\left\{ \begin{array}{ll} a_{|i-j|} &{} j = 0 \text {, or } i + j = {\frac{n}{2}}\\ a_{|i-j|} + a_{i+j} &{} j> 0 \text {, and } i + j < {\frac{n}{2}}\\ a_{|i-j|} - a_{n-(i+j)} &{} j> 0 \text {, and } i + j > {\frac{n}{2}}\end{array}\right. } \end{aligned}$$

for \(0\le i,j < n/2\). This transformation shows that \(R\text {-}\mathsf {LWE}\) can be viewed as a variant of the (n/2)-dimensional LWE problem where the random matrix A has this special form. We consider all known attacks on RLWE and claim that they do not achieve a lower complexity than the standard lattice attacks on LWE, i.e., currently there is no special attack on \(R\text {-}\mathsf {LWE}\) which exploits the ring structure of R corresponding to this special structural distribution of A, similar to the case of RLWE over a power-of-two cyclotomic ring. Therefore, we conclude that the current best attacks on \(R\text {-}\mathsf {LWE}_{q,\alpha }\) are the standard lattice attacks, which require the same attack complexity as the lattice attacks on the (n/2)-dimensional LWE problem.

4 Approximate Homomorphic Encryption over the Real Numbers

The \(\text {HEAAN}\) scheme of Cheon et al. [12, 13] is the first HE system which supports an efficient rounding operation for approximate arithmetic. It allows us to encrypt a number of complex numbers in a single ciphertext and perform an approximate arithmetic between encrypted vectors in a SIMD manner. However, there remained one significant problem about the plaintext space.

Most real-world applications require computations over purely real numbers, but the original \(\text {HEAAN}\) scheme encrypts a complex number in each plaintext slot. Previous works [29, 30] used the set of real numbers as a subring of the complex numbers, but this approach cannot be a fundamental solution for the following reason. Every algorithm of the original \(\text {HEAAN}\) scheme, such as homomorphic arithmetic and the rounding operation, adds a small complex error to the plaintext vector. The imaginary part of an encrypted plaintext can gradually increase as the computation progresses, and finally the desired result (the real part) can no longer be recovered once its imaginary part becomes larger than the ciphertext modulus. Consequently, every circuit in previous applications had a limited depth in order to bound the size of the imaginary parts during its evaluation.

In this section, we describe a HE scheme which is optimized for approximate computation over the real numbers, compared to the original \(\text {HEAAN}\) scheme with complex plaintext slots. The security of our scheme relies on the RLWE assumption over the ring \(R={\mathbb Z}[\xi ]\) introduced in the previous section. For simplicity, the integer m will be chosen as a power of two so that \(n=m/2\) and \(\varPhi _m(X)=X^n+1\).

4.1 Canonical Embedding and Packing Technique

In this subsection, we describe the canonical embedding map of the conjugate-invariant field and explain how to represent its elements. As mentioned in the previous section, the conjugate-invariant field \(F={\mathbb Q}(\xi )\) can be identified with the polynomial ring \({\mathbb Q}[Y]/(g(Y))\) for the minimal polynomial \(g(Y)\in {\mathbb Z}[Y]\) of \(\xi \) over \({\mathbb Q}\). Note that g(Y) is a polynomial of degree (n/2) satisfying \({g(X+X^{-1})=X^{{\frac{n}{2}}}+X^{-{\frac{n}{2}}}}\). Let \(\xi _j=\zeta ^{4j+1}+\zeta ^{-(4j+1)}\) for \(0\le j<n/2\). Then \(\{\xi _0,\dots ,\xi _{{\frac{n}{2}}-1}\}\) forms the set of distinct roots of g(Y) since \(X^n+1=(X-\zeta )(X-\zeta ^3)\dots (X-\zeta ^{m-1})=\prod _{j=0}^{{\frac{n}{2}}-1}(X^2-\xi _j\cdot X+1)\). Therefore, we have a commutative diagram (Fig. 2) for a polynomial representation of number fields by identifying \(Y\mapsto X+X^{-1}\).

Fig. 2. Polynomial representation of number fields and canonical embedding

Let us denote by \(\tau \) the canonical embedding of \(F={\mathbb Q}[Y]/(g(Y))\) into \({\mathbb C}^{n/2}\). It sends an element a(Y) to the vector of its evaluations \(\tau (a)=(a(\xi _j))_{0\le j<{\frac{n}{2}}}\) at the roots of g(Y). Since all roots of g(Y) are real, F is a totally real number field and the image of \(\tau \) is a subring of \({\mathbb R}^{n/2}\). The canonical embedding norm of an element of a number field is defined by the norm of its canonical embedding. For example, we write \(\Vert {a}\Vert _\infty ^{\textsf {can}}:=\Vert {\tau (a)}\Vert _\infty \) and \(\Vert {a}\Vert _2^{\textsf {can}}:=\Vert {\tau (a)}\Vert _2\) for \(a\in F\).

The packing technique of HE systems allows us to encrypt multiple messages in a single ciphertext and supports parallel computation in a SIMD manner. It has been one of the most important techniques for the performance improvement of HE schemes in terms of expansion rate and amortized computational cost. The packing method of the approximate HE scheme [13] is based on the canonical embedding over the complex numbers.

We present a new packing method over the real numbers, by modifying the previous solution over the complex plane. The core idea is to restrict the domain of canonical embedding \(\tau \) to the ring of integers \(R={\mathbb Z}[Y]/(g(Y))\). In other words, the decoding algorithm transforms an element a(Y) of R into the vector \(\tau (a)=(a(\xi _j))_{0\le j<n/2}\) of dimension (n/2). This vector is real as noted above. Conversely, the encoding map takes a real vector \({\varvec{x}}=(x_j)_{0\le j<n/2}\in {\mathbb R}^{n/2}\) as an input. It first computes the rounding \({\varvec{x}}'=\lfloor {{\varvec{x}}}\rceil _{\tau (R)}\in {\mathbb R}^{n/2}\), which is an element of \(\tau (R)\) with a small rounding error \(\Vert {{\varvec{x}}-{\varvec{x}}'}\Vert _2^{\textsf {can}}\). The output is obtained by computing the inverse of \({\varvec{x}}'\) which is an integral polynomial in \(R={\mathbb Z}[Y]/(g(Y))\). Our packing method is explicitly described as follows.

  • \(\texttt {Ecd}({\varvec{x}})\). For given \({\varvec{x}}= (x_j)_{0\le j<n/2} \in {\mathbb R}^{n/2}\), discretize \({\varvec{x}}\) into \(\tau (R)\). Output the corresponding polynomial \(\mathfrak {m}(Y) = \tau ^{-1}\left( \lfloor {{\varvec{x}}}\rceil _{\tau (R)}\right) \in R\).

  • \(\texttt {Dcd}(\mathfrak {m})\). For given \(\mathfrak {m}\in R\), output the vector \({\varvec{x}}= (\mathfrak {m}(\xi _j))_{0\le j<n/2} \in {\mathbb R}^{n/2}\).

The \(\texttt {Ecd}\) algorithm can be viewed as an approximate inverse of the decoding function with a small rounding error. One can multiply an input vector by a scale factor before the rounding operation to reduce the relative size of the rounding error and preserve the precision of plaintexts.

As a toy example, let \(n = m/2 = 4\). Then \(\zeta _8 = \exp (\pi i /4) = (1+i)/\sqrt{2}\) is an m-th primitive root of unity, and we have \(\{\xi _0, \xi _1\} = \{\sqrt{2}, -\sqrt{2}\}\). For a real vector \({\varvec{x}}= (1.1, 2.3)\), its encoding polynomial with the scaling factor \(\varDelta = 64\) is obtained by \(\mathfrak {m}(Y) = \tau ^{-1}\left( \lfloor {\varDelta \cdot {\varvec{x}}}\rceil _{\tau (R)}\right) = 109 - 27 Y\). Conversely, the decoded vector of \(109-27Y\) is computed by \(\varDelta ^{-1}\cdot \texttt {Dcd}(\mathfrak {m}) = \frac{1}{64}(109 - 27\sqrt{2}, 109 + 27\sqrt{2})\approx (1.1065, 2.2997)\), which is a good approximation of the original vector \({\varvec{x}}\).
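The encoding and decoding maps above, as an added Python example that is not part of the paper. It computes the roots \(\xi _j = 2\cos (2\pi (4j+1)/m)\), evaluates \(\tau \) by polynomial evaluation at those roots, and realizes the rounding \(\lfloor {\cdot }\rceil _{\tau (R)}\) by projecting onto the images of the \({\mathbb Z}\)-basis \(\{1, X+X^{-1}, X^2+X^{-2}, \ldots \}\) of R and rounding each coordinate, which is exact precisely because those images are orthogonal (the block checks this orthogonality numerically). The returned coefficients are with respect to that basis; for \(m=8\) it coincides with \(\{1, Y\}\), so the toy example reproduces \(109-27Y\). The function names and the constructed inputs for \(m=32\) are my own.

```python
import math

def round_half_up(v):
    """Nearest integer, rounding upwards on a tie (the paper's convention for the rounding)."""
    return math.floor(v + 0.5)

def theta_basis_image(m):
    """tau(theta_i) for the Z-basis theta_0 = 1, theta_i = X^i + X^{-i} (1 <= i < n/2) of R.
    Slot j evaluates at X = zeta^(4j+1), so theta_i maps to 2 cos(2*pi*i*(4j+1)/m)."""
    h = m // 4                                       # n/2 slots, n = m/2
    rows = [[1.0] * h]
    for i in range(1, h):
        rows.append([2.0 * math.cos(2.0 * math.pi * i * (4 * j + 1) / m) for j in range(h)])
    return rows

def is_orthogonal(m, tol=1e-9):
    """Numerically check that {tau(theta_i)} is an orthogonal set in R^{n/2}."""
    rows = theta_basis_image(m)
    return all(abs(sum(x * y for x, y in zip(rows[i], rows[k]))) < tol
               for i in range(len(rows)) for k in range(i))

def encode(x, m, delta=1.0):
    """Ecd: scale x by delta, then return the nearest lattice point of tau(R).
    Since the basis images are orthogonal, the nearest point is obtained by
    projecting onto each tau(theta_i) and rounding that coordinate."""
    coeffs = []
    for row in theta_basis_image(m):
        proj = delta * sum(xj * r for xj, r in zip(x, row)) / sum(r * r for r in row)
        coeffs.append(round_half_up(proj))
    return coeffs                                    # theta-basis coefficients of m(Y) in R

def decode(coeffs, m, delta=1.0):
    """Dcd: evaluate m(xi_j) = a_0 + sum_i a_i theta_i(xi_j) in every slot, undoing the scale."""
    rows = theta_basis_image(m)
    h = m // 4
    return [sum(a * rows[i][j] for i, a in enumerate(coeffs)) / delta for j in range(h)]

def max_slot_error(x, m, delta):
    """Worst-case |Dcd(Ecd(x)) - x| over the slots; bounded by (n - 1) / (2 * delta)."""
    return max(abs(a - b) for a, b in zip(decode(encode(x, m, delta), m, delta), x))

if __name__ == "__main__":
    print(encode([1.1, 2.3], 8, 64))                 # the paper's toy example: [109, -27]
    print(decode([109, -27], 8, 64))                 # approximately [1.1065, 2.2997]
    xs = [0.5 * k - 1.75 for k in range(8)]          # constructed input, m = 32 (8 slots)
    print(is_orthogonal(32), max_slot_error(xs, 32, 1 << 10))
```

With \(m=32\) and \(\varDelta = 2^{10}\) the round-trip error stays below 0.01 per slot, matching the bound \((n-1)/(2\varDelta )\) that follows from \(|\delta _i| \le 1/2\) for each rounded coordinate and \(\Vert \tau (\theta _i)\Vert _\infty \le 2\).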

4.2 Scheme Description

This subsection gives an explicit description of our HE scheme over the real numbers. Our scheme is very similar to the original \(\text {HEAAN}\) scheme, but it exploits a different ring structure \(R={\mathbb Z}[\xi ]\). We first propose a method to represent the elements of the conjugate-invariant field F.

The number field F can be identified with \({\mathbb Q}^{n/2}\) as a \({\mathbb Q}\)-module. For example, an arbitrary element of \(F={\mathbb Q}[Y]/(g(Y))\) can be uniquely expressed as the sum \(\sum _{j=0}^{{\frac{n}{2}}-1}a_j\cdot Y^j\) for some \(a_j\in {\mathbb Q}\), which corresponds to the isomorphism \(a\mapsto (a_0,\dots ,a_{{\frac{n}{2}}-1})\) between two modules. However, this representation is not the best choice for the construction of HE system. One major reason is that the image \(\{\tau (1),\tau (Y),\dots ,\tau (Y^{{\frac{n}{2}}-1})\}\) of the basis \(\{1,Y,\dots ,Y^{{\frac{n}{2}}-1}\}\) does not form an orthogonal set in the space \({\mathbb R}^{n/2}\).

The conjugate-invariant field \(F={\mathbb Q}[Y]/(g(Y))\) can be understood as a subfield of \(K={\mathbb Q}[X]/(X^n+1)\) by identifying \(Y=X+X^{-1}\) as noted in the previous subsection. Every element a(X) of \(F\le K\) can be uniquely expressed as a Laurent polynomial \(a(X)=a_0+\sum _{i=1}^{{\frac{n}{2}}-1}a_i(X^i+X^{-i})\) of degree and order strictly less than (n/2) for some \(a_0,\dots ,a_{{\frac{n}{2}}-1}\in {\mathbb Q}\). In the following, an arbitrary element a(X) of F will be identified with its vector of coefficients \((a_0,\dots ,a_{{\frac{n}{2}}-1})\in {\mathbb Q}^{n/2}\). Note that the set \(\{1,X+X^{-1},\dots ,X^{\frac{n}{2}-1}+X^{1-\frac{n}{2}}\}\) is a basis of F (resp. R) as a module over \({\mathbb Q}\) (resp. \({\mathbb Z}\)). In addition, the image of this basis with respect to the canonical embedding map \(\tau \) forms an orthogonal basis of \({\mathbb R}^{n/2}\).

This orthogonal property allows us to use an efficient rounding operation on F as well as a modulo operation over R. We define the rounding operation \(\lfloor {\cdot }\rceil :F\rightarrow R\) by sending each of coefficients \(a_i\in {\mathbb Q}\) to the closest integer \(\lfloor {a_i}\rceil \in {\mathbb Z}\). Note that \(\lfloor {a}\rceil \) is an element of R which minimizes the rounding error \(\Vert {a-\lfloor {a}\rceil }\Vert _2^{\textsf {can}}\) with respect to the \(\ell _2\) canonical embedding norm. Similar to the rounding operation, the modulo q operation is simply defined by the coefficient-wise modular reduction, i.e., \([a]_q\) is the element of \(a+qR\) which minimizes the size \(\Vert {[a]_q}\Vert _2^{\textsf {can}}\).

  • \(\underline{\texttt {Setup}(p, 1^\lambda ,L)}.\)

    • The base integer p, the number of levels L and the security parameter \(\lambda \) are given as input. Set moduli \(q_1,q_2, \ldots ,q_L\), which are usually chosen as \(q_i = p^i\).

    • Choose integers m and P, and small distributions \(\chi _{key}\), \(\chi _{enc}\), and \(\chi _{err}\) over the ring R.

    • Return the parameter set \(\mathsf {params}\leftarrow (m,P,\chi _{key},\chi _{enc},\chi _{err})\).

The setup step should generate an HE parameter set that achieves a \(\lambda \)-bit security level against the best known attacks on RLWE. A security proof will be given at the end of this subsection.

  • \(\underline{\texttt {KeyGen}(\mathsf {params})}.\)

    • Sample \(s\leftarrow \chi _{key}\). Set the secret key as \(\mathsf {sk}\leftarrow (1,s)\).

    • Sample \(a\leftarrow U(R_{q_L})\) and \(e\leftarrow \chi _{err}\). Set the public key as \(\mathsf {pk}\leftarrow (b,a)\in R_{q_L}^2\) where \(b\leftarrow -as+e \pmod {q_L}\).

    • \(\underline{\texttt {KSGen}(s_1,s_2)}\). For \(s_1,s_2\in R\), sample \(a'\leftarrow U(R_{P\cdot q_L})\) and \(e'\leftarrow \chi _{err}\). Output the switching key as \(\mathsf {swk}\leftarrow (b',a')\in R_{P\cdot q_L}^2\) where \(b'\leftarrow -a's_2+e'+P\cdot s_1 \pmod {P\cdot q_L}\).

    • Set the evaluation key as \(\mathsf {evk}\leftarrow \texttt {KSGen}(s^2,s)\).

  • \(\underline{\texttt {Enc}_\mathsf {pk}(\mathfrak {m})}\). For \(\mathfrak {m}\in R\), sample \(v\leftarrow \chi _{enc}\) and \(e_0,e_1\leftarrow \chi _{err}\). Output \(v\cdot \mathsf {pk}+(\mathfrak {m}+e_0,e_1) \pmod {q_L}\).

  • \(\underline{\texttt {Dec}_\mathsf {sk}(\mathsf {ct})}\). For \(\mathsf {ct}= (c_0,c_1)\in R_{q_\ell }^2\), output \(\mathfrak {m}'=c_0 + c_1\cdot s \pmod {q_\ell }.\)

The decryption algorithm can be written simply as \(\mathfrak {m}'\leftarrow [\langle \mathsf {ct},\mathsf {sk}\rangle ]_{q_\ell }\). The encryption procedure returns a level L ciphertext \(\mathsf {ct}\) which satisfies \([\langle \mathsf {ct},\mathsf {sk}\rangle ]_{q_L}\approx \mathfrak {m}\), i.e., we can only recover an approximate value of \(\mathfrak {m}\) from its encryption. We use the canonical embedding norm to measure the size of polynomials in R.

  • \(\underline{\texttt {Add}(\mathsf {ct},\mathsf {ct}')}\). For \(\mathsf {ct},\mathsf {ct}'\in R_{q_\ell }^2\), output \(\mathsf {ct}_{add}\leftarrow \mathsf {ct}+\mathsf {ct}' \pmod {q_\ell }\).

  • \(\underline{\texttt {Mult}_\mathsf {evk}(\mathsf {ct},\mathsf {ct}')}\). For \(\mathsf {ct}=(c_0,c_1),\mathsf {ct}'=(c_0',c_1')\in {\mathcal R}_{q_\ell }^2\), let \((d_0, d_1,d_2)=(c_0c_0', c_0c_1'+c_1c_0',c_1c_1')\pmod {q_\ell }\). Output \(\mathsf {ct}_{mult}\leftarrow (d_0, d_1)+\lfloor {P^{-1}\cdot d_2\cdot \mathsf {evk}}\rceil \pmod {q_\ell }\).

  • \(\underline{\texttt {RS}_{\ell \rightarrow \ell '}(\mathsf {ct})}\). For a ciphertext \(\mathsf {ct}\in R_{q_\ell }^{2}\) at level \(\ell \), output \(\mathsf {ct}'\leftarrow \lfloor {(q_{\ell '}/q_{\ell })\cdot \mathsf {ct}}\rceil \pmod {q_{\ell '}}\). We will omit the subscript \((\ell \rightarrow \ell ')\) when \(\ell '=\ell -1\).

The algorithms \(\texttt {Add}\) and \(\texttt {Mult}_\mathsf {evk}\) perform the arithmetic operations over encrypted plaintexts. The rescaling procedure \(\texttt {RS}_{\ell \rightarrow \ell '}(\cdot )\) securely transforms a level \(\ell \) encryption of \(\mathfrak {m}\) into a level \(\ell '\) encryption of \((q_{\ell '}/q_{\ell })\cdot \mathfrak {m}\). We refer the reader to the full version of this paper for the correctness proof and noise estimation.
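As an added illustration (not the authors' code), the scheme above in Python over the conjugate-invariant ring with toy, insecure parameters: elements of R are stored by their coefficient vector \((a_0,\dots ,a_{n/2-1})\), multiplied through the negacyclic product of \({\mathbb Z}[X]/(X^n+1)\) rather than the NTT, and the distributions \(\chi _{key}\), \(\chi _{enc}\), \(\chi _{err}\) are constructed as bounded coefficient samplers, with \(n=8\), \(p=2^{30}\), \(L=3\), \(P=q_L\) chosen for the example.

```python
import random

# Toy parameters, constructed for illustration only (far too small to be secure).
n, p, L = 8, 2**30, 3             # R sits inside Z[X]/(X^n + 1); q_l = p^l
q = [p**l for l in range(L + 1)]; P = q[L]   # P: key-switching modulus factor
rng = random.Random(2024)

# An element a_0 + sum_{i>=1} a_i (X^i + X^{-i}) of R is stored as (a_0, ..., a_{n/2-1}).
def expand(a):                    # -> full vector in Z[X]/(X^n + 1), using X^{-i} = -X^{n-i}
    v = [0] * n
    v[0] = a[0]
    for i in range(1, n // 2):
        v[i], v[n - i] = a[i], -a[i]
    return v

def mul(a, b):
    """Product in R over Z: negacyclic product of the expanded vectors."""
    w = [0] * n
    for i, ai in enumerate(expand(a)):
        for j, bj in enumerate(expand(b)):
            if i + j < n: w[i + j] += ai * bj
            else: w[i + j - n] -= ai * bj
    return w[: n // 2]            # an element of R is determined by a_0, ..., a_{n/2-1}

def add(a, b): return [x + y for x, y in zip(a, b)]
def mod(a, m): return [((x + m // 2) % m) - m // 2 for x in a]   # centred [a]_m
def rdiv(a, d): return [(2 * x + d) // (2 * d) for x in a]       # coefficient-wise round(a / d)
def small(bound): return [rng.randint(-bound, bound) for _ in range(n // 2)]  # chi_key/enc/err
def uniform(m): return [rng.randrange(m) for _ in range(n // 2)]             # U(R_m)

def ksgen(s1, s2):
    a2, e2 = uniform(P * q[L]), small(2)
    b2 = mod([-x + y + P * z for x, y, z in zip(mul(a2, s2), e2, s1)], P * q[L])
    return b2, a2                 # b' = -a' s2 + e' + P s1 (mod P q_L)

def keygen():
    s = small(1)                                    # chi_key: ternary coefficients
    a, e = uniform(q[L]), small(2)                  # chi_err: coefficients in [-2, 2]
    b = mod(add([-x for x in mul(a, s)], e), q[L])  # b = -a s + e (mod q_L)
    return s, (b, a), ksgen(mul(s, s), s)           # sk = (1, s), pk, evk = KSGen(s^2, s)

def enc(pk, m):
    v, e0, e1 = small(1), small(2), small(2)
    c0 = mod(add(add(mul(v, pk[0]), m), e0), q[L])
    c1 = mod(add(mul(v, pk[1]), e1), q[L])
    return c0, c1, L                                # (c0, c1, level)

def dec(s, ct): return mod(add(ct[0], mul(ct[1], s)), q[ct[2]])   # [<ct, sk>]_{q_l} ~ m

def add_ct(ct, ct2):
    return mod(add(ct[0], ct2[0]), q[ct[2]]), mod(add(ct[1], ct2[1]), q[ct[2]]), ct[2]

def mult(evk, ct, ct2):
    (c0, c1, l), (d0, d1, _) = ct, ct2
    f0, f1, f2 = mul(c0, d0), add(mul(c0, d1), mul(c1, d0)), mod(mul(c1, d1), q[l])
    k0, k1 = rdiv(mul(f2, evk[0]), P), rdiv(mul(f2, evk[1]), P)   # round(P^{-1} f2 evk)
    return mod(add(f0, k0), q[l]), mod(add(f1, k1), q[l]), l

def rescale(ct):                  # RS_{l -> l-1}: divide by q_l / q_{l-1} = p and round
    c0, c1, l = ct
    return mod(rdiv(c0, p), q[l - 1]), mod(rdiv(c1, p), q[l - 1]), l - 1
```

Encrypting plaintexts whose coefficients are real values scaled by p, multiplying and rescaling once returns the product at scaling factor p and one level lower, with an error of a few thousand on coefficients of size about \(2^{33}\).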

Security. We claim that our HE scheme is IND-CPA secure under the hardness of RLWE problems over the ring R. It can be shown by considering the following three distributions:

$$\begin{aligned} \begin{aligned} {\mathcal D}_1&=\{(\mathsf {pk},\mathsf {ct}):\mathsf {pk}\leftarrow \texttt {KeyGen}(\mathsf {params}), \mathsf {ct}\leftarrow \texttt {Enc}_\mathsf {pk}(0)\},\\ {\mathcal D}_2&=\{(\mathsf {pk},\mathsf {ct}):\mathsf {pk}\leftarrow U({\mathcal R}_q^2), \mathsf {ct}\leftarrow \texttt {Enc}_\mathsf {pk}(0)\},\\ {\mathcal D}_3&= \{(\mathsf {pk},\mathsf {ct}):\mathsf {pk}\leftarrow U({\mathcal R}_q^2), \mathsf {ct}\leftarrow U({\mathcal R}_q^2)\}. \end{aligned} \end{aligned}$$

First, the distributions \({\mathcal D}_1\) and \({\mathcal D}_2\) are computationally indistinguishable under the \(R\text {-}\mathsf {LWE}_{q_L,\chi _{err}}(\chi _{key})\) assumption, since the key generation step samples s from \(\chi _{key}\) and generates an RLWE sample \(\mathsf {pk}\) with parameters \((q_L,\chi _{err})\). The second and third distributions are computationally indistinguishable as long as \(R\text {-}\mathsf {LWE}_{q_L,\chi _{err}}(\chi _{enc})\) is hard, since a sample from \({\mathcal D}_2\) consists of two independent RLWE samples with parameters \((q_L,\chi _{err})\) and secret \(v\leftarrow \chi _{enc}\). Finally, the evaluation key \(\mathsf {evk}\leftarrow \texttt {KSGen}(s^2,s)\) can be viewed as an encryption of \(s^2\) under the secret s. The distribution of \(\mathsf {evk}\) is indistinguishable from the uniform distribution on \({\mathcal R}_{P\cdot q_L}^2\) under the assumption of circular security, provided that the \(R\text {-}\mathsf {LWE}_{P\cdot q_L, \chi _{err}}(\chi _{key})\) problem is hard.

4.3 Implications of the Conjugate-Invariant Ring

This section compares our approximate HE scheme over the real numbers with the original \(\text {HEAAN}\) scheme from a variety of perspectives. We claim that our scheme can have twice as many plaintext slots as \(\text {HEAAN}\) while guaranteeing the same security level and performance. Furthermore, the use of the conjugate-invariant ring fundamentally blocks the complex explosion problem of \(\text {HEAAN}\), which can affect the most significant bits of real messages.

Representation of Ring Elements. Our HE scheme is constructed over the residue ring \(R_q=\{a(X)\in {\mathbb Z}_q[X]/(X^n+1):a(X)=a(X^{-1})\}\) for an integer q. We introduce two methods to represent the ring elements of \(R_q\) with different pros and cons.

By default we use the coefficient representation \((a_0,\dots ,a_{{\frac{n}{2}}-1})\in {\mathbb Z}_q^{n/2}\) of \(a(X)\in R_q\) as described in the previous subsection. The coefficient representation is useful for non-arithmetic operations such as the rounding in the rescaling procedure. However, we have to consider the following representation for an efficient multiplication between polynomials in \(R_q\).

Suppose that q is an integer such that there exists an m-th primitive root \(\omega _m\) of unity in \({\mathbb Z}_q\). Note that \(\omega _n:= \omega _m^2\) (resp. \(\omega _{\frac{n}{2}}:=\omega _m^4\)) is an n-th (resp. (n/2)-th) primitive root of unity in \({\mathbb Z}_q\). The map \({\mathbb Z}_q[X]/(X^n+1)\rightarrow {\mathbb Z}_q^n\), \(a \mapsto (a(\omega _m),a(\omega _m^3),\dots ,a(\omega _m^{m-1}))\) is a ring isomorphism since the m-th cyclotomic polynomial factors as the product \(X^n+1=(X-\omega _m)(X-\omega _m^3)\dots (X-\omega _m^{2n-1})\) modulo q. We point out that an element \(a\in {\mathbb Z}_q[X]/(X^n+1)\) is contained in the subring \(R_q\) if and only if \(a(\omega _m^j)=a(\omega _m^{2n-j})\) for all \(j=1,3,\dots ,n-1\). Therefore, the map \(a\mapsto \hat{a}=(a(\omega _m),a(\omega _m^5),\dots ,a(\omega _m^{m-3}))\) is a ring isomorphism from \(R_q\) to \({\mathbb Z}_q^{n/2}\) satisfying \(\widehat{a\cdot b}=\hat{a}\odot \hat{b}\) for any \(a,b\in R_q\), where \(\odot \) denotes the Hadamard (component-wise) multiplication between vectors. It enables us to perform an arithmetic operation of \(R_q\) in O(n) modulo q operations, but the rescaling procedure cannot be done in this representation.

Complexity of Ring Operations. The conversion between two representations \(a\mapsto \hat{a}\) is one of the most important parts to improve the efficiency of the HE system on \(R_q\). It can be viewed as a linear transformation on \({\mathbb Z}_q^{n/2}\) by identifying the elements of \(R_q\) with their coefficient vectors.

The NTT is a discrete Fourier transform over a finite field. Specifically, the NTT over the finite field \({\mathbb Z}_q\) with an m-th primitive root \(\omega _m\) of unity modulo q, denoted by \(\texttt {NTT}_{m}(\cdot )\), converts a polynomial in \({\mathbb Z}_q[X]/(X^m-1)\) into a vector in \({\mathbb Z}_q^m\) by \(a\mapsto (a(\omega _m^j))_{0\le j < m}\). The NTT is a ring isomorphism between \({\mathbb Z}_q[X]/(X^m-1)\) and \({\mathbb Z}_q^m\), and its inverse is denoted by \(\texttt {INTT}_{m}(\cdot )\). The NTT conversion can be understood as a linear map from \({\mathbb Z}_q^m\) to \({\mathbb Z}_q^m\) whose matrix representation is the \(m\times m\) Vandermonde matrix generated by \(\{1,\omega _m,\dots ,\omega _m^{m-1}\}\). The FFT algorithm can compute \(\texttt {NTT}_m(\cdot )\) in \(O(m\cdot \log m)\) operations in \({\mathbb Z}_q\).

Several methods have been suggested to modify the NTT conversion so that it performs operations used in cryptographic schemes. For example, Alkim et al. [2] and Longa-Naehrig [31] exploit a variant of the NTT to convert efficiently between distinct representations of a ring element in \({\mathbb Z}_q[X]/(X^n+1)\). In the following, we propose a specialized FFT algorithm to perform the linear transformation \(a\mapsto \hat{a}\) on \(R_q\) efficiently.

The main idea is to express the linear transformation \(a\mapsto \hat{a}\) by a composition of (n/2)-dimensional NTT conversion and a few simple arithmetic operations. To be precise, the equality

$$\begin{aligned} a(\omega _m^{4j+1})=a(\omega _m\cdot \omega _{\frac{n}{2}}^j)= & {} a_0+\sum _{i=1}^{{\frac{n}{2}}-1}a_i\left( \omega _m^i\cdot \omega _{\frac{n}{2}}^{ij}+\omega _m^{-i}\cdot \omega _{\frac{n}{2}}^{-ij}\right) \\= & {} a_0+\sum _{i=1}^{{\frac{n}{2}}-1}a_i\cdot \omega _m^i\cdot \omega _{\frac{n}{2}}^{ij}+\sum _{i=1}^{{\frac{n}{2}}-1}a_{{\frac{n}{2}}-i}\cdot \omega _m^{-({\frac{n}{2}}-i)}\cdot \omega _{\frac{n}{2}}^{ij}\\= & {} a_0+\sum _{i=1}^{{\frac{n}{2}}-1} \left( a_i\cdot \omega _m^i+a_{{\frac{n}{2}}-i}\cdot \omega _m^{-({\frac{n}{2}}-i)}\right) \omega _{\frac{n}{2}}^{ij}=\tilde{a}(\omega _{\frac{n}{2}}^j) \end{aligned}$$

holds for any \(0\le j<{\frac{n}{2}}\) where

$$ \tilde{a}(X)=a_0+\left( a_1\cdot \omega _m+a_{{\frac{n}{2}}-1}\cdot \omega _m^{1-{\frac{n}{2}}}\right) X +\dots +\left( a_{{\frac{n}{2}}-1}\cdot \omega _m^{{\frac{n}{2}}-1}+a_1\cdot \omega _m^{-1}\right) X^{{\frac{n}{2}}-1}.$$

Therefore, the linear transformation \(a\mapsto \hat{a}\) can be written by the composition of \(\texttt {NTT}_{n/2}\) and a simple arithmetic operation

$$\begin{aligned} (a_0,\dots ,a_{{\frac{n}{2}}-1}) \mapsto \left( a_0,a_1\cdot \omega _m+ a_{{\frac{n}{2}}-1}\cdot \omega _m^{1-{\frac{n}{2}}},\dots ,a_{{\frac{n}{2}}-1}\cdot \omega _m^{{\frac{n}{2}}-1} + a_1\cdot \omega _m^{-1}\right) , \end{aligned}$$

and we can compute its inverse by

$$\begin{aligned} a=\left( \tilde{a}_0, 2^{-1}\cdot (\tilde{a}_1\cdot \omega _m^{-1} + \tilde{a}_{{\frac{n}{2}}-1}\cdot \omega _m), \dots ,~2^{-1}\cdot (\tilde{a}_{{\frac{n}{2}}-1}\cdot \omega _m^{1-{\frac{n}{2}}}+ \tilde{a}_{1}\cdot \omega _m^{{\frac{n}{2}}-1})\right) \end{aligned}$$

for \(\tilde{a}=(\tilde{a}_0,\dots ,\tilde{a}_{{\frac{n}{2}}-1})\leftarrow \texttt {INTT}_{n/2}(\hat{a})\).

Now let us consider the multiplication of polynomials in the conjugate-invariant ring R. For given polynomials \(a,b\in R_q\) with coefficient representation, we compute their product \(c=a\cdot b\) by computing \(\hat{c}=\widehat{a\cdot b}=\hat{a}\odot \hat{b}\) and recovering c from \(\hat{c}\). It consists of three Hadamard multiplications on \({\mathbb Z}_q^{n/2}\), two \(\texttt {NTT}_{n/2}\) conversions, and a single \(\texttt {INTT}_{n/2}\). Since the Hadamard multiplication takes only O(n), the complexity of a multiplication over the special ring \(R_q\) can be estimated by three NTT conversions of dimension (n/2), while a multiplication over the ring \({\mathbb Z}_q[X]/(X^n+1)\) includes three NTT conversions of dimension n. As a result, the computational cost of an arithmetic operation on \(R_q\) is almost half that of the m-th cyclotomic ring.
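An added example (not from the paper) of the transformation \(a\mapsto \hat{a}\) above in Python: the twist to \(\tilde{a}\) followed by one \(\texttt {NTT}_{n/2}\), its inverse via \(\texttt {INTT}_{n/2}\) and the \(2^{-1}\) recombination, and the resulting multiplication in \(R_q\) by one Hadamard product. The toy instance \(n=8\), \(m=16\), \(q=17\), \(\omega _m=3\) is constructed for the example; the NTT is a plain radix-2 recursion, and `eval_R` evaluates \(a(x)\) directly as an independent check.

```python
# Toy instance, constructed for illustration: n = 8, m = 2n = 16, q = 17,
# where omega_m = 3 is a primitive 16-th root of unity modulo 17.
n, m, q = 8, 16, 17
w_m = 3
w_half = pow(w_m, 4, q)          # omega_{n/2} = omega_m^4, a primitive (n/2)-th root of unity
h = n // 2                        # elements of R_q have h coefficients (a_0, ..., a_{h-1})

def ntt(a, w):
    """NTT_k over Z_q: a -> (a(w^j))_{0<=j<k}, k = len(a) a power of two (radix-2)."""
    k = len(a)
    if k == 1:
        return a[:]
    even, odd = ntt(a[0::2], w * w % q), ntt(a[1::2], w * w % q)
    out = [0] * k
    for j in range(k // 2):
        t = pow(w, j, q) * odd[j] % q
        out[j], out[j + k // 2] = (even[j] + t) % q, (even[j] - t) % q
    return out

def intt(b, w):
    """INTT_k: NTT with w^{-1}, scaled by k^{-1} mod q."""
    k_inv = pow(len(b), -1, q)
    return [x * k_inv % q for x in ntt(b, pow(w, -1, q))]

def to_hat(a):
    """a -> a^ = (a(omega_m^{4j+1}))_j : twist a -> a~, then one NTT_{n/2}."""
    twisted = [a[0]] + [(a[i] * pow(w_m, i, q) + a[h - i] * pow(w_m, i - h, q)) % q
                        for i in range(1, h)]
    return ntt(twisted, w_half)

def from_hat(a_hat):
    """Inverse: a~ = INTT_{n/2}(a^), then a_i = 2^{-1}(a~_i omega_m^{-i} + a~_{n/2-i} omega_m^i)."""
    t = intt(a_hat, w_half)
    inv2 = pow(2, -1, q)
    return [t[0]] + [inv2 * (t[i] * pow(w_m, -i, q) + t[h - i] * pow(w_m, i, q)) % q
                     for i in range(1, h)]

def eval_R(a, x):
    """Direct evaluation of a_0 + sum a_i (x^i + x^{-i}) in Z_q, used as a reference."""
    return (a[0] + sum(a[i] * (pow(x, i, q) + pow(x, -i, q)) for i in range(1, h))) % q

def mul_R(a, b):
    """Product in R_q: two forward transforms, one Hadamard product, one inverse."""
    return from_hat([x * y % q for x, y in zip(to_hat(a), to_hat(b))])
```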

4.4 Application to Fixed-Point Operation

The \(\text {HEAAN}\) scheme is able to evaluate a circuit approximately, and our variant in particular is optimized for arithmetic over the real numbers. We explain how to use our scheme to perform fixed-point operations with a finite precision.

As described in Sect. 4.1, a real-valued vector can be identified with a polynomial in the conjugate-invariant ring R via the canonical embedding \(\tau \). For the use of our scheme in fixed-point operations, the base p in the scheme description will be chosen as a scaling factor. So an arbitrary real vector \({\varvec{x}}\in {\mathbb R}^{n/2}\) is encoded into a polynomial \(\mathfrak {m}\in R\) such that \(\mathfrak {m}\approx p\cdot \tau ^{-1}({\varvec{x}})\) with a small rounding error. The encryption procedure induces an additional error, so an encryption of \(\mathfrak {m}\) is a pair \(\mathsf {ct}=(c_0,c_1)\in R_{q_L}^2\) satisfying \([c_0+c_1\cdot s]_{q_L} =\mathfrak {m}+e \approx p\cdot \tau ^{-1}({\varvec{x}})\) for some small error e. The precision of an encrypted plaintext is determined by the scaling factor p and the size of the errors, i.e., we can use a larger scaling factor to keep more significant bits.

Fig. 3. An example of fixed-point operation

Let \(\mathsf {ct}_i\) be an encryption of \(\mathfrak {m}_i\approx p\cdot \tau ^{-1}({\varvec{x}}_i)\) for \(i=1,2\). Then their homomorphic multiplication returns a ciphertext \(\mathsf {ct}_{mult}\) encrypting

$$\begin{aligned} \mathfrak {m}_1\cdot \mathfrak {m}_2\approx p^2\cdot \tau ^{-1}({\varvec{x}}_1)\cdot \tau ^{-1}({\varvec{x}}_2)=p^2\cdot \tau ^{-1}({\varvec{x}}_1\odot {\varvec{x}}_2) \end{aligned}$$

which is an encoding of the slot-wise product \({\varvec{x}}_1\odot {\varvec{x}}_2\) with scaling factor \(p^2\). Then, we can use the rescaling procedure \(\texttt {RS}(\cdot )\) to obtain an encryption of \(p\cdot \tau ^{-1}({\varvec{x}}_1\odot {\varvec{x}}_2)\) and recover the initial scaling factor p. In Fig. 3, we describe an example of fixed-point multiplication between 1.12 and 2.34 with scaling factor \(p=10^4\). Numbers in gray boxes represent the encrypted values in plaintext slots.

The scaling factor stays the same and the rescaling procedure reduces the ciphertext level by one. Therefore, for the evaluation of a circuit of depth L, the bit size of the largest ciphertext modulus should be \(O(L\cdot \log p)\), which grows linearly with the depth and the bit precision of the plaintext, compared to the exponential growth in HE schemes for exact computation without a rounding operation [8, 21].

Table 1. Comparison of our scheme and \(\text {HEAAN}\)

5 Discussions

5.1 Comparison with \(\text {HEAAN}\)

The security of our scheme relies on the hardness of the \(R\text {-}\mathsf {LWE}\) problem. From the cryptanalysis of RLWE over the conjugate-invariant ring in Sect. 3.2, our approximate HE scheme over \(R = \{a(X)\in {\mathbb Z}[X]/(X^{2n}+1): a(X) = a(X^{-1})\}\) has (approximately) the same security level as the original \(\text {HEAAN}\) over \({\mathbb Z}[X]/(X^{n}+1)\) for a power-of-two integer n, when the other parameters are set equal. In this setting, the maximum number of plaintexts packed in a single ciphertext in our scheme is n, while that of \(\text {HEAAN}\) is (n/2). This implies that our approximate HE scheme supports twice as many parallel computations as \(\text {HEAAN}\) in a SIMD manner (Table 1).

Since it requires \(n \log q\) bits to express an element of the form \(a_0 + \sum _{i=1}^{n-1}a_i(X^i + X^{-i}) \in R_q\), both schemes essentially have the same key size and ciphertext size. Furthermore, both schemes exploit the NTT of dimension n for a ring multiplication, so they have almost the same arithmetic complexity. As a result, our scheme over the dimension 2n actually performs as well as \(\text {HEAAN}\) over the dimension n while carrying a definite advantage in the number of plaintext slots.

5.2 Full RNS Variant

Many ring-based HE schemes such as BGV [8, 23] and BFV [7, 21] require polynomial arithmetic over a huge modulus. Recent implementations of HE schemes [27, 37] exploit the Residue Number System (RNS) for performance improvements. In particular, some variants of BFV [4, 25] have been suggested which can be implemented without high-precision arithmetic.

In both the original HEAAN and our scheme, ciphertext moduli are chosen to be powers of a base because the scaling factor of a rescaling procedure is equal to the ratio of two consecutive ciphertext moduli. Unfortunately, this restriction makes it difficult to apply the existing RNS techniques to HEAAN.

Cheon et al. [11] recently proposed a method to fully eliminate the high-precision arithmetic of HEAAN based on the approximate base. We leave it to the reader to check that this idea can be directly applied to our scheme.