Towards Practical Multi-key TFHE: Parallelizable, Key-Compatible, Quasi-linear Complexity

Abstract

Multi-key homomorphic encryption is a generalized notion of homomorphic encryption supporting arbitrary computation on ciphertexts, possibly encrypted under different keys. In this paper, we revisit the work of Chen, Chillotti and Song (ASIACRYPT 2019) and present yet another multi-key variant of the TFHE scheme.

The previous construction by Chen et al. involves a blind rotation procedure where the complexity of each iteration gradually increases as it continuously operates on ciphertexts under different keys. Hence, the complexity of gate bootstrapping grows quadratically with respect to the number of associated keys.

Our scheme is based on a new blind rotation algorithm which consists of two separate phases. We first split a given multi-key ciphertext into several single-key ciphertexts, take each of them as input to the blind rotation procedure, and obtain accumulators corresponding to individual keys. Then, we merge these single-key accumulators into a single multi-key accumulator. In particular, we develop a novel homomorphic operation between single-key and multi-key ciphertexts to instantiate our pipeline. Therefore, our construction achieves an almost linear time complexity since the gate bootstrapping is dominated by the first phase of blind rotation which requires only independent single-key operations. It also enjoys with great advantages of parallelizability and key-compatibility.

We implement the proposed scheme and provide its performance benchmark. For example, our 16-key gate bootstrapping takes about 5.65 s, which is 4.38x faster compared to the prior work.

1 Introduction

Homomorphic encryption (HE) is a cryptosystem which allows us to evaluate arbitrary functions directly on encrypted data without decryption. For example, in a cloud environment, the user encrypts its message with its own key and send it to the cloud. The desired computations are executed in the cloud side and finally the user receive the ciphertext that encrypts the result of the computation without any information leakage. Due to such an attribute, it has been regarded as one of the promising solutions to process privacy-sensitive data such as financial or medical data. After the very first construction of HE by Gentry [16], a variety of HE schemes have been proposed such as BFV [3, 15], GSW [17], BGV [4], TFHE [10] and CKKS [9].

However, the conventional HE technology has an intrinsic disadvantage in that the authority is concentrated to a single party, as it only supports operations between data encrypted under the same secret key. Thereby, the usage of HE is restricted to scenarios where all data owners commonly trust a party who owns the secret key. To resolve this problem, several variants of HE with distributed authority have been studied, such as threshold HE [1, 25, 27] and multi-key HE (MKHE) [6, 7, 12, 22, 26, 28]. The former acts like a single-key HE by encrypting data under a jointly constructed public key and the latter supports operations between data encrypted with different secret keys. Although threshold HE is generally more efficient in ciphertext size and computation cost, no additional party can join the computation once the joint key is generated. On the other hand, MKHE allows each user to independently generate its own keys and join the computation. In this paper, we focus on the TFHE scheme [10], and its first and the only multi-key variant by Chen, Chillotti and Song (CCS19) [6].

TFHE is a well-known homomorphic encryption based on the Learning with Errors (LWE) [29] and Ring-LWE (RLWE) [23] problems. It allows us to perform arbitrary binary gate operations via a costly operation called the gate bootstrapping which mainly consists of three steps: linear combination, blind rotation and key-switching. In the first step, it computes a linear combination of input LWE ciphertexts corresponding to the gate to be evaluated. In the following blind rotation step, it homomorphically decrypts the resulting LWE ciphertext from the linear combination step over the exponent of a monomial using the external product operation. By multiplying this monomial to the test polynomial with pre-assigned coefficient and extracting the constant term, we obtain an LWE ciphertext with ring dimension encrypting the output of the gate. Finally, the key-switching step reduces the ciphertext dimension back to the LWE dimension.

The MK variant of TFHE follows the same pipeline although the blind rotation step is realized in a multi-key manner. During the blind rotation step in the original TFHE, it recursively evaluates the homomorphic MUX gates on the accumulator \(\textsf{ACC}\) via the external product that multiplies an RGSW ciphertext to an RLWE ciphertext. When it comes to the multi-key situation, the multiplicand of the external product is an MK-RLWE ciphertext whereas the multiplier is an RGSW ciphertext generated by a single party. In CCS19 [6], the authors designed an RGSW-like cryptosystem and a multiplication method called the hybrid product which has the same functionality to external product with faster speed and small noise growth. However, the time complexity of blind rotation step from hybrid product is quadratic with respect to the number of associated parties.

1.1 Our Contributions

In this paper, we construct an improved multi-key TFHE scheme with a blind rotation algorithm that is (1) asymptotically faster, (2) parallelizable, and (3) key-compatible with the single-key scheme. We refactored the blind rotation algorithm to first perform single-key multiplications and then merge the results into a multi-key ciphertext. During the party-wise computation, we only make use of a single-key multiplication and thus its time complexity is linear to the number of parties k. Merging the resulting ciphertexts of each party requires \(O(k^2)\) time complexity since we perform k multi-key multiplications, nevertheless it is relatively fast compared to the party-wise blind rotation. Consequently, we achieve quasi-linear time complexity which is dominated by the party-wise blind rotation.

However, this cannot be actualized with the existing building blocks in prior work since they only support a multiplication between a fresh (structured) single-key encryption and a multi-key ciphertext. Hence we instantiate our idea by introducing a new homomorphic multiplication method called the generalized external product. This generalized external product can be regarded as an improvement of the hybrid product from CCS19, but it exploits the hybrid product as a building block. It multiplies a single-key RLEV ciphertext, which is upper half of the RGSW ciphertext, directly to an MK-RLWE ciphertext, and then ‘relinearize’ the resulting ciphertext with a quadratic key structure using the hybrid product. As a side contribution, we improve the performance of hybrid product from the observation that we can rearrange the order of operations and reduce the execution time in almost half. The noise variance is slightly smaller than the original algorithm as well.

With the improved hybrid product and the generalized external product, we finally realize the asymptotically faster MK-TFHE scheme. In the blind rotation step, we first execute the blind rotation party-wise with the temporary accumulators \(\textsf{ACC}'_i\) of RLEV ciphertexts for \(1\le i\le k\) in a single-key manner. Then we merge the \(\textsf{ACC}'_i\)s into a single MK-RLWE ciphertext \(\textsf{ACC}\) using our generalized external product. Figure 1 depicts the blind rotation of CCS19 and our new algorithm.

Fig. 1.

High-level overview of the blind rotation algorithm of MK variant of TFHE from CCS19 and Ours.

We also remark that this party-wise blind rotation is parallelizable. Compared to the sequential multiplications in the blind rotation from CCS19, our algorithm can be executed party-wise in parallel and then merged sequentially. Furthermore, the bootstrapping key in our scheme is compatible to a single-party TFHE scheme [10] as well. Our scheme makes use of RGSW encryptions of the LWE secret key as blind rotation key, identical to the blind rotation key for the TFHE scheme with a single auxiliary key of the ring key.

Finally, we implement our multi-key variant of TFHE scheme and provide the basic benchmarks and the comparison between CCS19 and ours. For example, our experiment of 16-key gate bootstrapping demonstrates about 4.38x speedup without parallelization, and 52.60x speedup with parallelization over prior work.

1.2 Related Works

After López-Alt et al. [22] first proposed the concept of MKHE, there have been several follow-up studies to construct multi-key HE schemes. Clear and McGoldrick [12] constructed MKHE from GSW [17] by introducing a masking system where a ciphertext, encrypted under an individual key, is converted to be encrypted under a master secret key. Mukherjee and Wichs [26] simplified the masking system and build a two-round MPC protocol from the MKHE scheme. These schemes support a single-hop evaluation where participants must be determined at the start. The contemporary studies Peikert and Shiehian [28] constructed a multi-hop scheme from GSW [17] that supports dynamic computation on ciphertexts encrypted under additional keys by expanding the ciphertext to be encrypted under the union of the original set of keys and the additional keys.

Then, there have been several studies on MK variants of batched HE schemes. Chen, Zhang and Wang [8] built an MKHE scheme based on BGV [4] with a compact ciphertext extension. Chen, Dai, Kim and Song [7] presented multi-key variants of BFV [3, 15] and CKKS [9] with quadratic complexity, and it was improved to have a linear complexity in a recent work of Kim et al. [19].

On the other hand, Brakerski and Perlman [5] presented an MK-LWE scheme whose bootstrapping process relies on the external product. A follow-up study by Chen, Chillotti and Song [6] improved its efficiency by introducing a hybrid product between single-key and multi-key encryptions and constructing an MK-variant of TFHE [10]. This is the most relevant work to ours, and its detailed description will be given in Sect. 3.

Recently, Klemsa et al. [20] proposed a variant of TFHE scheme for multiple parties, which is partially MK and partially Threshold. Its blind rotation keys are encrypted as n-out-of-n threshold HE ciphertexts under a joint key structure, while it encrypts data and key-switching keys in a multi-key manner in order to enhance the bootstrapping performance. However, this approach requires an additional communication round in order to make the public RGSW blind rotation key, and even few more additional communication round in order to make the scheme fully-dynamic.

2 Background

2.1 Notation

The real torus \({\mathbb T}={\mathbb R}/{\mathbb Z}\) is the set of real numbers modulo 1. For a power-of-two integer N, we write \(T={\mathbb T}[X]/(X^N+1)\). We denote vectors in lower-case bold (e.g. \(\textbf{a}\)), and matrices in upper-case bold (e.g. \({\textbf{A}}\)). The inner product of two vectors \(\textbf{a}\), \({\textbf{b}}\) is denoted by \(\left\langle \textbf{a}, {\textbf{b}}\right\rangle \). For a positive integer k, we write \([k] = \{1, \dots , k\}\).

We use \(x \leftarrow S\) to denote that x is sampled uniformly from a set S. For a real \(\alpha \ge 0\), \({\psi }'\) denotes the Gaussian distribution of variance \(\alpha ^2\). When sampling a polynomial from T, we use \({\psi }\) to denote a distribution over T which samples N coefficients of the output polynomial independently from the Gaussian distribution of variance \(\beta ^2\) for a real \(\beta \ge 0\).

2.2 LWE and RLWE Assumptions

The security of TFHE relies on the torus variants of LWE and RLWE assumptions [10].

Definition 1

(The LWE assumption). Let n be a positive integer, \(\alpha >0\) a noise parameter, and \(\chi '\) a key distribution over \({\mathbb Z}^n\). An LWE instance of a secret \({\textbf{z}}\in {\mathbb Z}^n\) is a tuple \((b, \textbf{a})\in {\mathbb T}^{n+1}\) generated by \(\textbf{a}\leftarrow {\mathbb T}^n\), \(e \leftarrow {\psi }'\) and \(b=-\left\langle \textbf{a}, {\textbf{z}}\right\rangle +e \pmod 1\). The LWE assumption states that the LWE distribution of a secret \({\textbf{z}}\leftarrow \chi '\) is computationally indistinguishable from the uniform distribution over \({\mathbb T}^{n+1}\).

Definition 2

(The RLWE assumption). Let N be a power of two, \(\beta >0\) a noise parameter, and \(\chi \) a key distribution over R. An RLWE instance of a secret \(s\in R = {\mathbb Z}[X]/(X^N+1)\) is a pair \((b, a)\in T^2\) generated by \(a \leftarrow T\), \(e \leftarrow {\psi }\) and \(b=-a\cdot s + e \pmod 1\). The RLWE assumption states that the RLWE distribution of a secret \(s\leftarrow \chi \) is computationally indistinguishable from the uniform distribution over \(T^2\).

Under these assumptions, we can define the (R)LWE cryptosystem. An LWE ciphertext is a vector of torus elements, in a form of \((b, \textbf{a})\in {\mathbb T}^{n+1}\) and an RLWE ciphertext is a tuple \((b, a) \in T^2\). Now we introduce phase, a randomized encoding of (R)LWE ciphertexts. The phase for LWE ciphertext, \(\varphi _{\textbf{z}}(\cdot ) : {\mathbb T}^{n+1} \rightarrow {\mathbb T}\) is defined by \(\varphi _{\textbf{z}}(b, \textbf{a}) = b + \left\langle \textbf{a}, {\textbf{z}}\right\rangle \pmod 1\) and the phase for RLWE ciphertext \(\varphi _s(\cdot ) : T^2 \rightarrow T\) is defined by \(\varphi _s(b, a) = b + a\cdot s \pmod 1\). We remark that the phase preserves the linear combinations between the (R)LWE ciphertexts.

2.3 Multi-key Homomorphic Encryption

MKHE is a variant of HE that enables computation on ciphertexts encrypted under different keys. It contains five PPT algorithms (\(\texttt{Setup}\), \(\texttt{KeyGen}\), \(\texttt{Enc}\), \(\texttt{Eval}\), \(\texttt{Dec}\)).

• Setup: \(pp \leftarrow \texttt{Setup}(1^\lambda )\). Given the security parameter \(\lambda \), set the public parameter set pp.

• Key Generation: \((\textsf{sk}_i, \textsf{pk}_i) \leftarrow \texttt{KeyGen}(i)\). A party i generates its secret key \(\textsf{sk}_i\) and public key \(\textsf{pk}_i\).

• Encryption: \(\textsf{ct}\leftarrow \texttt{Enc}(\textsf{pk}_i;m)\). A party i encrypts its message m with its public key \(\textsf{pk}_i\) and output a ciphertext \(\textsf{ct}\).

• Evaluation: \(\overline{\textsf{ct}}\leftarrow \texttt{Eval}(\mathcal {C}, \textsf{pk}_1, \dots , \textsf{pk}_k;\overline{\textsf{ct}}_1, \dots , \overline{\textsf{ct}}_l)\). Given a circuit \(\mathcal {C}\), ciphertexts \(\overline{\textsf{ct}}_1, \dots , \overline{\textsf{ct}}_l\), and public keys \(\textsf{pk}_1, \dots , \textsf{pk}_k\) of associated parties, output a ciphertext \(\textsf{ct}\).

• Decryption: \(m\leftarrow \texttt{Dec}(\textsf{sk}_1, \dots , \textsf{sk}_k;\overline{\textsf{ct}})\). Given a ciphertext \(\overline{\textsf{ct}}\) and secret keys \(\textsf{sk}_1, \dots , \textsf{sk}_k\) of associated parties, output a message m.

Let \(\overline{\textsf{ct}}_1, \dots , \overline{\textsf{ct}}_l\) be ciphertexts encrypting \(m_1, \dots , m_l\), respectively, and \(\textsf{pk}_1, \dots , \textsf{pk}_k\) be public keys of associated parties. An MKHE scheme is considered to be secure if its encryption is semantically secure. A valid MKHE scheme satisfies that

$$\texttt{Dec}(\textsf{sk}_1, \dots , \textsf{sk}_k; \texttt{Eval}(\mathcal {C}, \textsf{pk}_1, \dots , \textsf{pk}_k; \overline{\textsf{ct}}_1, \dots , \overline{\textsf{ct}}_l)) = \mathcal {C}(m_1, \dots , m_l)$$

with an overwhelming probability.

We also compare the MKHE to n out of n threshold HE as well. The key difference is that given the secret keys of each party \(s_i~(1\le i \le k)\), MK ciphertexts are encrypted under a concatenated key structure of \((s_1, \dots , s_k)\) whereas threshold ciphertexts are encrypted under a joint key structure \(\sum _{i\in [k]}s_i\). Due to such key structure, MKHE scheme is less efficient than Threshold HE schemes, however it does not require any communications between the parties in the setup phase whereas Threshold HE scheme requires an additional communication in the setup phase. In addition, MKHE schemes are fully dynamic but Threshold HE schemes are not dynamic in general i.e., any additional party cannot join the computation once the setup phase is completed.

2.4 Gadget Decomposition

A gadget decomposition is a map \(h:\ {\mathbb T}\rightarrow {\mathbb Z}^d\) with a gadget vector \({\textbf{g}}\in {\mathbb T}^d\) that satisfies \(\Vert {h(a)}\Vert _{\infty }\le \delta \) and \(|\left\langle h(a), {\textbf{g}}\right\rangle -a|\le \epsilon \) for some small constants \(\epsilon , \delta > 0\). It is a widely used technique to manage noise growth in HE schemes. The digit decomposition is an example of gadget decomposition corresponding to the gadget vector \({\textbf{g}}= [B^{-1}, \dots , B^{-d}]\in {\mathbb T}^d\), defined by \(h(a)=(a_1, \dots , a_d)\) where \(a_i\) is the ith-digit of a in base B. We can also balance the output h(a) by decomposing a by \(a \ = \sum _{p=1}^d a_i \cdot B^{-p}\) where \(a_i \in (-B/2, B/2]\), which minimizes the decomposition error \(|\left\langle h(a), {\textbf{g}}\right\rangle -a|\).

The definition of a gadget decomposition is naturally extended to T as \(h: T \rightarrow R^d\) by identifying an element of T to the vector of its coefficients in \({\mathbb T}^N\). In TFHE [10], the digit decomposition is used for an element in \({\mathbb T}\) and the balanced version for T.

2.5 RLEV and RGSW

In this section, we describe the RLEV [11] and RGSW [17] encryptions, and multiplication operations between ciphertexts of different types. For a gadget decomposition \(h:T\rightarrow R^d\) corresponding to a gadget vector \({\textbf{g}}\in {\mathbb T}^d\), we define encryption algorithms as follows:

\(\bullet ~\underline{\texttt{RLEV}.\texttt{Enc}(s;\mu )}\): Given a secret key s and a message \(\mu \in R\), sample \(\textbf{a}\leftarrow T^d\) and \({\textbf{e}}\leftarrow {\psi }^d\). return \({\textbf{C}}\leftarrow [-s \cdot \textbf{a}+{\textbf{e}}+\mu \cdot {\textbf{g}}\pmod 1, \textbf{a}] \in T^{d \times 2}\).

\(\bullet ~\underline{\texttt{RGSW}.\texttt{Enc}(s;\mu )}\): Sample \(\textbf{a}\leftarrow T^{2d}\) and \({\textbf{e}}\leftarrow {\psi }^{2d}\). Given a secret key s and a message \(\mu \in R\), return \({\overline{\textbf{C}}}\leftarrow [-s\cdot \textbf{a}+ {\textbf{e}}, \textbf{a}] + \mu \cdot \begin{bmatrix} {\textbf{g}}&{} \textbf{0} \\ \textbf{0} &{} {\textbf{g}}\end{bmatrix} \pmod 1 \in T^{2d \times 2}\).

We also define the phase of an RLEV encryption \({\textbf{C}}= ({\textbf{b}}, \textbf{a}) \in T^{d \times 2}\) by \(\varphi _s({\textbf{C}})= {\textbf{b}}+ s \cdot \textbf{a}\pmod 1\). Note that an RLEV encryption \({\textbf{C}}\leftarrow \texttt{RLEV}.\texttt{Enc}(s;\mu )\) satisfies that \(\varphi _s({\textbf{C}}) \approx \mu \cdot {\textbf{g}}\pmod 1\).

Now we define three homomorphic multiplications between RLWE, RLEV and RGSW ciphertexts. For convenience, we generalize the definition of gadget decomposition to RLWE and RLEV ciphertexts by decomposing individual entries in T. For example, we write \(h({\textbf{c}}) = (h(c_0), h(c_1)) \in R^{2d}\) for an RLWE ciphertext \({\textbf{c}}=(c_0,c_1) \in T^2\), and \(h({\textbf{C}}) = \begin{bmatrix} h(c_{0,0}) &{} h(c_{0,1}) \\ \vdots \\ h(c_{d-1,0}) &{} h(c_{d-1,1}) \end{bmatrix} \in R^{d \times 2d}\) for an RLEV ciphertext \({\textbf{C}}= \begin{bmatrix} c_{0,0} &{} c_{0,1} \\ \vdots \\ c_{d-1,0} &{} c_{d-1,1} \end{bmatrix} \in T^{d \times 2}\).

Definition 3

(T -RLEV multiplication). Let \({\textbf{C}}\in T^{d \times 2}\) be an RLEV ciphertext and \(c\in T\) be a torus polynomial. We define the T-RLEV multiplication \(\odot : T \times T^{d\times 2} \rightarrow T^2\) as \(c \odot {\textbf{C}}= h(c)\cdot {\textbf{C}}\pmod 1\).

If \({\textbf{C}}\) is an RLWE encryption of \(\mu \) under s, then the T-RLWE multiplication outputs an RLWE ciphertext whose phase is

$$\varphi _s(c\odot {\textbf{C}}) = \left\langle h(c), \varphi _s({\textbf{C}})\right\rangle \approx \left\langle h(c), \mu \cdot {\textbf{g}}\right\rangle \approx \mu \cdot c \pmod 1.$$

Definition 4

(RLWE-RGSW multiplication). Let \({\textbf{c}}\in T^2\) be an RLWE ciphertext and \(\overline{{\textbf{C}}}\in T^{2d \times 2}\) be an RGSW ciphertext. We define the RLWE-RGSW multiplication \(\otimes : T^2 \times T^{2d\times 2} \rightarrow T^2\) as \({\textbf{c}}\otimes {\overline{\textbf{C}}}=h({\textbf{c}})\cdot {\overline{\textbf{C}}}\pmod 1\).

Definition 5

(RLEV-RGSW multiplication). Let \({\textbf{C}}\in T^{d\times 2}\) be an RLEV ciphertext and \(\overline{{\textbf{C}}}\in T^{2d \times 2}\) be an RGSW ciphertext. The RLEV-RGSW multiplication is defined as

If \({\overline{\textbf{C}}}\) is RGSW encryption of \(\mu \) under s, then the RLWE-RGSW multiplication outputs an RLWE ciphertext whose phase is

$$\varphi _s({\textbf{c}}\otimes \overline{\textbf{C}}) = \left\langle h({\textbf{c}}), \varphi _s({\overline{\textbf{C}}})\right\rangle \approx \left\langle h({\textbf{c}}), \mu \cdot ({\textbf{g}}, s\cdot {\textbf{g}})\right\rangle \approx \mu \cdot \varphi _s({\textbf{c}}) \pmod 1.$$

The RLWE-RGSW multiplication is also called the external product [10]. Similarly, the RLWE-RGSW multiplication outputs an RLEV ciphertext whose phase is

3 Overview of Chen et al. (2019)

In 2016, Chillotti et al. [10] designed TFHE, which is a fully homomorphic encryption scheme based on the LWE and RLWE assumptions. The TFHE scheme can encrypt a single bit in each LWE ciphertext, and evaluate an arbitrary binary gate homomorphically using the “gate bootstrapping”. The basic idea of TFHE bootstrapping is to homomorphically compute the phase of an LWE ciphertext on the exponent of a ring polynomial and extract the pre-assigned coefficient.

The gate bootstrapping of TFHE consists of three steps: linear combination, blind rotation and key-switching. Let \({\textbf{z}}= (z_0, \dots z_{n-1})\) be the LWE secret. Given LWE ciphertexts \(\textsf{ct}_1\) and \(\textsf{ct}_2\) such that \(\varphi _{{\textbf{z}}}(\textsf{ct}_i)\approx \frac{1}{4}m_i \pmod 1\), the linear combination step computes an LWE ciphertext \(\textsf{ct}\) such that \(\varphi _{\textbf{z}}(\textsf{ct})\approx \frac{1}{2}m \pmod 1\) where m is the resulting bit of a binary operation between \(m_1\) and \(m_2\). In the next step, the ciphertext \(\textsf{ct}\) is scaled by 2N and converted into \((\tilde{b}, \tilde{\textbf{a}}=(\tilde{a}_0, \dots , \tilde{a}_{n-1}))\) such that \(\tilde{b}+\left\langle \tilde{\textbf{a}}, {\textbf{z}}\right\rangle \approx N\cdot m\pmod {2N}\). The blind rotation algorithm initializes an “accumulator” as a trivial RLWE encryption \(({v}\cdot X^{\tilde{b}}, 0)\), where \({v}\) is a fixed torus polynomial called the test vector, and then multiplies \(X^{\tilde{a}_i z_i}\) recursively for \(0\le i<n\) using the external product to obtain an encryption of \({v}\cdot X^{\tilde{b} + \sum _{i=0}^{n-1}\tilde{a}_i z_i}\). The test vector v has pre-assigned coefficients so that we can extract an LWE ciphertext that is decryptable by the RLWE key into the constant term of the message polynomial of the output accumulator. Finally, the key-switching procedure is used to produce an LWE encryption of the same message under \({\textbf{z}}\).

In 2019, Chen, Chillotti and Song [6] presented the first MK variant of TFHE (which we will refer to as CCS19 throughout the paper). Its gate bootstrapping follows a similar pipeline but uses MK variants of LWE and RLWE. The main challenge was to re-design the blind rotation algorithm in an MK manner, which requires substitution of the external product. To resolve the issue, the authors introduced a variant of RGSW (called “uni-encryption”), together with a dyadic operation (called “hybrid product”) for multiplying a uni-encryption to an MK-RLWE ciphertext. In this section, we give a brief overview of CCS19.

3.1 Uni-Encryption and Hybrid Product

We first present basic setup and key generation algorithms, then describe uni-encryption and hybrid product. Uni-encryption is an RGSW-like single-key structured encryption scheme, while the hybrid product is a binary operation that takes its input as a pair of uni-encryption and MK-RLWE encryption and returns an MK-RLWE ciphertext. In general, an MK-RLWE ciphertext is in the form of \(\overline{\textsf{ct}}= (c_0, \dots , c_k) \in T^{k+1}\) with an index set \(\{1, \dots , k\}\) of the associated parties. An MK-RLWE ciphertext corresponds to the concatenated secret key \(\overline{{\textbf{s}}}= (s_1, \dots , s_k)\), and its phase is defined as \(\varphi _{\overline{{\textbf{s}}}}(\overline{\textsf{ct}}) = c_0 + c_1s_1+\dots +c_ks_k \pmod 1\).

\(\bullet ~\underline{\texttt{CCS}.\texttt {Setup}(1^\lambda )}\): Given the security parameter \(\lambda \), return the following parameters:

• An LWE dimension n, a key distribution \(\chi '\) over \({\mathbb Z}^n\), an error parameter \(\alpha >0\).

• A base \(B'\) and a degree \(d'\) to set a gadget vector \({\textbf{g}}'=[B'^{-1}, \dots , B^{-d'}]\) and a gadget decomposition \(h':{\mathbb T}\rightarrow {\mathbb Z}^{d'}\) for LWE.

• An RLWE dimension N, a key distribution \(\chi \) over \(R={\mathbb Z}[X]/(X^N+1)\), and an error parameter \(\beta >0\).

• A base B and a degree d to set a gadget vector \({\textbf{g}}=[B^{-1}, \dots , B^{-d}]\) and a gadget decomposition \(h:T\rightarrow R^{d}\) for ring-based schemes.

• A CRS \(\textbf{a}\leftarrow T^{d}\).

We set the LWE error distribution \({\psi }'\) as a Gaussian distribution over \(\mathbb R\) of variance \(\alpha ^2\), and the RLWE error distribution \({\psi }\) as a distribution over T which samples N coefficients independently from a Gaussian distribution of variance \(\beta ^2\).

\(\bullet ~\underline{\texttt{CCS}.\texttt{KeyGen}(i)}\): A party i generates its secret and public keys as follows:

• Sample an LWE secret key \({\textbf{z}}_i = (z_{i, 0}, \dots , z_{i, n-1}) \leftarrow \chi '\).

• Sample an RLWE secret key \(s_i = s_{i,0} + s_{i,1}X + \cdots + s_{i, N-1}X^{N-1} \leftarrow \chi \) and an error \({\textbf{e}}\leftarrow {\psi }^{d}\). Compute \({\textbf{b}}_i = -s_i \cdot \textbf{a}+ {\textbf{e}}\pmod 1\) and set the public key as \(\textsf{pk}_i = {\textbf{b}}_i\).

For simplicity, we write \(s_0=1\) and \({\textbf{b}}_0 = -\textbf{a}\).

\(\bullet ~\underline{\texttt{CCS}.\texttt{UniEnc}(s_i;\mu )}\): A party i samples \(r_i \leftarrow \chi \), \({\textbf{f}}_{i,1} \leftarrow T^{d}\), and \({\textbf{e}}_1, {\textbf{e}}_2 \leftarrow {\psi }^{d}\). Given a plaintext \(\mu \in R\) and a secret \(s_i\), return \({\textbf{d}}_i = r_i \cdot \textbf{a}+ \mu \cdot {\textbf{g}}+ {\textbf{e}}_1 \pmod 1\) and \({\textbf{F}}_i=[{\textbf{f}}_{i,0}|{\textbf{f}}_{i,1}]\) where \({\textbf{f}}_{i,0} = -s_i \cdot {\textbf{f}}_{i,1} + r_i \cdot {\textbf{g}}+ {\textbf{e}}_2 \pmod 1\).

\(\bullet ~\underline{\texttt{CCS}.\texttt{HbProd}(\{{\textbf{b}}_j\}_{j\in [k]};\overline{\textsf{ct}}, ({\textbf{d}}_i, {\textbf{F}}_i))}\): Given an MK-RLWE ciphertext \(\overline{\textsf{ct}}= (c_0, \dots , c_k) \in T^{k+1}\), a uni-encryption \(({\textbf{d}}_i, {\textbf{F}}_i)\) of party i and the public keys \(\{{\textbf{b}}_j\}_{j\in [k]}\) of the parties associated with \(\overline{\textsf{ct}}\), compute and output an MK-RLWE ciphertext \(\overline{\textsf{ct}}'\) as follows:

1. 1.

   For \(0 \le j \le k\), let

   $$\begin{aligned} u_j &= \left\langle h(c_j), {\textbf{d}}_i\right\rangle , \\ v_j &= \left\langle h(c_j), {\textbf{b}}_j\right\rangle , \\ w_{j, 0} &= \left\langle h(v_j), {\textbf{f}}_{i, 0}\right\rangle , \\ w_{j, 1} &= \left\langle h(v_j), {\textbf{f}}_{i, 1}\right\rangle . \end{aligned}$$
2. 2.

   Output \(\overline{\textsf{ct}}' = (c_0', \dots , c_k') \in T^{k+1}\) where

   $$c_j' = {\left\{ \begin{array}{ll} u_0 + \sum \limits ^{k}_{j=0}w_{j, 0} \pmod 1 &{} \text { if } j = 0, \\ u_i + \sum \limits ^{k}_{j=0}w_{j, 1} \pmod 1 &{} \text { if } j = i, \\ u_j &{} \text { otherwise}; \end{array}\right. } $$

Below, we describe the correctness of the hybrid product. We refer the reader to [6] for a more detailed analysis. Suppose that \(\overline{\textsf{ct}}\) is an MK-RLWE ciphertext and \(({\textbf{d}}_i, {\textbf{F}}_i)\) is a uni-encryption of \(\mu \in R\) of party i, and let \(\overline{\textsf{ct}}'\) be the resulting MK-RLWE ciphertext of the hybrid product algorithm. Then, we have

$$\begin{aligned} \varphi _{\overline{\textbf{s}}}(\overline{\textsf{ct}}') &\approx \sum _{j=0}^k \left\langle h(c_j), r_i \cdot \textbf{a}+ \mu \cdot {\textbf{g}}\right\rangle \cdot s_j + \sum _{j=0}^k \left\langle h(v_j), r_i \cdot {\textbf{g}}\right\rangle \pmod 1\\ &\approx \mu \cdot \varphi _{\overline{\textbf{s}}}(\overline{\textsf{ct}}) + \sum _{j=0}^k \left\langle h(c_j), \textbf{a}\cdot s_j\right\rangle \cdot r_i + \sum _{j = 0}^k \left\langle h(c_j), {\textbf{b}}_j\right\rangle \cdot r_i \pmod 1\\ &\approx \mu \cdot \varphi _{\overline{\textbf{s}}}(\overline{\textsf{ct}}) \pmod 1. \end{aligned}$$

In other words, the phase of \(\overline{\textsf{ct}}\) is multiplied by \(\mu \) with a small noise.

3.2 Gate Bootstrapping

We now describe the gate bootstrapping of CCS19 that is based on the uni-encryption and hybrid product algorithms. It requires additional generations of blind rotation and key-switching keys.

\(\bullet ~\underline{\texttt{CCS}.\texttt{BootKeyGen}(i)}\): Each party i generates and publishes a blind rotation key \(\textsf{brk}_i\) and a key-switching key \(\textsf{ksk}_i\) as follows:

• Generate \(\textsf{brk}_{i,j} = ({\textbf{d}}_{i,j}, {\textbf{F}}_{i,j}) \leftarrow \texttt{CCS}.\texttt{UniEnc}(s_i;z_{i,j})\) for \(0 \le j < n\). Set the blind rotation key as \(\textsf{brk}_i = \{\textsf{brk}_{i,j}\}_{0 \le j < n}\).

• Let \((s^*_{i, 0}, \dots , s^*_{i, N-1}) = (s_{i,0}, -s_{i, N-1}, \dots , -s_{i, 1})\). Sample \({\textbf{A}}_{i,j} \leftarrow {\mathbb T}^{d'\times n}\) and \({\textbf{e}}_{i,j} \leftarrow {\psi }'^{d'}\) for \(0 \le j < N\), and let \(\textsf{ksk}_{i,j} = [{\textbf{b}}_{i,j}|{\textbf{A}}_{i,j}]\) where \({\textbf{b}}_{i,j} = -{\textbf{A}}_{i,j} \cdot {\textbf{z}}_i + {\textbf{e}}_{i,j} + s^*_{i,j} \cdot {\textbf{g}}' \pmod 1\). Set the key-switching key as \(\textsf{ksk}_i = \{\textsf{ksk}_{i,j}\}_{0 \le j < N}\).

\(\bullet ~\underline{\texttt{CCS}.\texttt {Enc}({\textbf{z}}_i;m)}\): A party i samples \(\textbf{a}_i \leftarrow {\mathbb T}^n\) and \(e \leftarrow {\psi }'\). Given a message bit \(m \in \{0, 1\}\) and its secret key \({\textbf{z}}_i\), return the ciphertext \(\textsf{ct}= (b_i, \textbf{a}_i)\) where \(b_i = -\left\langle \textbf{a}_i, {\textbf{z}}_i\right\rangle + \frac{1}{4}m + e \pmod 1\).

\(\bullet ~\underline{\texttt{CCS}.\texttt {Dec}(\{{\textbf{z}}_i\}_{i \in [k]};\overline{\textsf{ct}})}\): Given a ciphertext \(\overline{\textsf{ct}}\in {\mathbb T}^{kn+1}\) and secret keys \(\{{\textbf{z}}_i\}_{i \in [k]}\), return the bit \(m\in \{0, 1 \}\) which minimizes \(|b + \sum _{i \in [k]} \left\langle \textbf{a}_i, {\textbf{z}}_i\right\rangle - \frac{1}{4}m|\).

A fresh encryption of CCS19 returns a usual (single-key) LWE ciphertext, but an MK-LWE ciphertext is generally written as a vector of the form \(\textsf{ct}= (b, \textbf{a}_1, \dots , \textbf{a}_k) \in {\mathbb T}^{kn+1}\) where k denotes the number of associated parties. It is decrypted using the concatenated key \(\overline{{\textbf{z}}}= ({\textbf{z}}_1, \dots , {\textbf{z}}_k)\) of k parties, i.e.,  \(\varphi _{\overline{{\textbf{z}}}}(\textsf{ct}) = b + \sum _{i=1}^k \left\langle \textbf{a}_i, {\textbf{z}}_i\right\rangle \approx \frac{1}{4}m \pmod 1\). In the encryption phase, each party locally encrypts its message without knowing any information about other parties. The ciphertexts are extended before evaluation to be encrypted under the concatenated secret key of associated parties.

\(\bullet ~\underline{\texttt{CCS}.\texttt{HomNAND}(\{(\textsf{pk}_i, \textsf{brk}_i, \textsf{ksk}_i)\}_{i \in [k]};\overline{\textsf{ct}}_1, \overline{\textsf{ct}}_2)}\): Given two ciphertexts \(\overline{\textsf{ct}}_1\), \(\overline{\textsf{ct}}_2\) and key-triple \(\{(\textsf{pk}_i, \textsf{brk}_i, \textsf{ksk}_i)\}_{i \in [k]}\) of associated parties, perform the following steps:

1. 1.

   Compute \(\overline{\textsf{ct}}\leftarrow (\frac{5}{8}, 0, \dots , 0) - \overline{\textsf{ct}}_1 - \overline{\textsf{ct}}_2 \pmod 1\).

2. 2.

   Compute \(\textsf{ACC}\leftarrow \texttt{CCS}.\texttt{BlindRotate}(\{(\textsf{pk}_i, \textsf{brk}_i)\}_{i \in [k]};\overline{\textsf{ct}})\) using the blind rotation algorithm (Algorithm 1).

3. 3.

   Compute \(\overline{\textsf{ct}}\leftarrow (\frac{1}{8}, 0, \dots , 0) + (b, \textbf{a}_1, \dots , \textbf{a}_k) \pmod 1 \in {\mathbb T}^{kN+1}\) where b is the constant term of \(\textsf{ACC}[0]\) and \(\textbf{a}_i\) is the coefficient vector of \(\textsf{ACC}[i]\) for \(i \in [k]\).

4. 4.

   Perform the key-switching process: Compute \((b'_i, \textbf{a}'_i) = \sum _{j=0}^{N-1} h'(a_{i,j}) \cdot \textsf{ksk}_{i,j} \pmod 1\) for \(i \in [k]\) and \(b' = b + \sum _{i\in [k]} b'_i\). Return \(\overline{\textsf{ct}}' = (b', \textbf{a}'_1, \dots , \textbf{a}'_k) \in {\mathbb T}^{kn+1}\).

Algorithm 1

. Blind Rotation of CCS [6]

4 Accelerating Multi-key TFHE

In this section, we present a new MK variant of the TFHE scheme. Our scheme is asymptotically faster than CCS19, and its bootstrapping procedure is parallelizable. In addition, its key structure is almost compatible with the original TFHE as each party only needs to publish a single auxiliary key. At the heart of our construction, we design a generalized external product to re-design the blind rotation algorithm.

Recall that the blind rotation algorithm (Algorithm 1) of CCS19 takes nk hybrid products to homomorphically multiply \(X^{\tilde{a}_{i,j} z_{i,j}}\) to the accumulator. The hybrid product algorithm operates on multi-key ciphertexts and achieves linear complexity in terms of the number of parties involved. Thus, this linear complexity results in a quadratic overall complexity.

In our scheme, we minimize the cost of operations on MK ciphertexts and exploit single-key multiplication to reduce the overall complexity. This is based on our observation that an encryption of \(X^{\left\langle \tilde{\textbf{a}}i, {\textbf{z}}_i\right\rangle }\) for each \(1 \le i \le k\) can be obtained in a ‘single-key’ manner since the secret \({\textbf{z}}_i = (z_{i,0}, \dots , z_{i,n-1})\) is related solely to party i. However, this approach cannot be achieved by known techniques in CCS19 since the hybrid product can only multiply a fresh single-key uni-encryption. To realize our framework, we introduce a novel homomorphic operation called the generalized external product, which enables us to multiply a single-key RLEV ciphertext to MK-RLWE accumulator. This operation does not require an input RLEV ciphertext to have a special structure like uni-encryption, so can be generally used for operation between possibly noisy ciphertexts.

In Sects. 4.1 and 4.2, we introduce our improved hybrid product and generalized external product as a building block. In Sect. 4.3, we describe the overall scheme.

4.1 Improved Hybrid Product

We present an improved hybrid product that enjoys better performance in terms of speed and noise growth. In the correctness proof of hybrid product in CCS19, we have

$$\begin{aligned} \sum _{j=0}^k (w_{j,0} + w_{j,1}s_i) &= \sum _{j=1}^k \left\langle h(v_j), {\textbf{f}}_{i,0} + s_i \cdot {\textbf{f}}_{i,1}\right\rangle \approx \sum _{j=1}^k \left\langle h(v_j), r_i\cdot {\textbf{g}}\right\rangle \approx r_i \cdot \sum _{j=0}^k v_j \pmod 1. \end{aligned}$$

We observe that since

$$\sum _{j=1}^k \left\langle h(v_j), {\textbf{f}}_{i,0} + s_i \cdot {\textbf{f}}_{i,1}\right\rangle \approx \left\langle h\big (\sum _{j=1}^k v_j\big ), {\textbf{f}}_{i,0} + s_i \cdot {\textbf{f}}_{i,1}\right\rangle ,$$

the computation of \(h(v_j)\) for \(1\le j\le k\) can be replaced by a single decomposition \(h\big (\sum _{j=1}^k v_j\big )\). Below, we provide a formal description of the new hybrid product operation.

\(\bullet ~\underline{\texttt{NewHbProd}(\{{\textbf{b}}_j\}_{j\in [k]};\overline{\textsf{ct}}, ({\textbf{d}}_i, {\textbf{F}}_i))}\): Given an MK-RLWE ciphertext \(\overline{\textsf{ct}}= (c_0, \dots , c_k) \in T^{k+1}\), a uni-encryption \(({\textbf{d}}_i, {\textbf{F}}_i)\) of party i and the public keys \(\{{\textbf{b}}_j\}_{j\in [k]}\) of parties associated with \(\overline{\textsf{ct}}\), return an MK-RLWE ciphertext \(\overline{\textsf{ct}}'\) as follows:

1. 1.

   Compute

   $$\begin{aligned} u_j &= \left\langle h(c_j), {\textbf{d}}_i\right\rangle \quad (0 \le j \le k)\\ v &= \sum _{j=0}^{k}\left\langle h(c_j), {\textbf{b}}_j\right\rangle \end{aligned}$$
2. 2.

   Output \(\overline{\textsf{ct}}' = (c_0', \dots , c_k') \in T^{k+1}\) where

   $$c_j' = {\left\{ \begin{array}{ll} u_0 + \left\langle h(v), {\textbf{f}}_{i, 0}\right\rangle \pmod 1 &{} \text { if } j = 0, \\ u_i + \left\langle h(v), {\textbf{f}}_{i, 1}\right\rangle \pmod 1 &{} \text { if } j = i, \\ u_j &{} \text { otherwise}; \end{array}\right. }$$

Correctness. Let \(\overline{\textsf{ct}}= (c_0, \dots , c_k)\) be an MK-RLWE encryption and \(({\textbf{d}}_i, {\textbf{F}}_i)\) be a uni-encryption of \(\mu \) of party i. The output \(\overline{\textsf{ct}}' = (c_0', \dots , c_k')\) satisfies that

$$\begin{aligned} \varphi _{\overline{\textbf{s}}}(\overline{\textsf{ct}}') &= \sum _{j=0}^k \left\langle h(c_j), {\textbf{d}}_i\right\rangle \cdot s_j + \left\langle h(v), {\textbf{f}}_{i,0}\right\rangle + \left\langle h(v), {\textbf{f}}_{i, 1}\right\rangle \cdot s_i\\ &\approx \sum _{j=0}^k \left\langle h(c_j), r_i \cdot \textbf{a}+ \mu \cdot {\textbf{g}}\right\rangle \cdot s_j + \left\langle h(v), {\textbf{f}}_{i,0} + s_i \cdot {\textbf{f}}_{i,1}\right\rangle \\ &\approx \mu \cdot \varphi _{\overline{\textbf{s}}}(\overline{\textsf{ct}}) + r_i \cdot \sum _{j=0}^k \left\langle h(c_j), s_j \cdot \textbf{a}\right\rangle + r_i \cdot \sum _{j=0}^k \left\langle h(c_j), {\textbf{b}}_j\right\rangle \\ &\approx \mu \cdot \varphi _{\overline{\textbf{s}}}(\overline{\textsf{ct}}) \pmod 1. \end{aligned}$$

Performance. We estimate the number of \(\left\langle h(\cdot ), \cdot \right\rangle \), say gadget product, to analyze the time complexity. The hybrid product of CCS19 requires \(4(k+1)\) gadget products to compute \(u_j\), \(v_j\), \(w_{j,0}\), and \(w_{j,1}\) for \(0 \le j \le k\). Meanwhile, our algorithm takes only \(2k+4\) gadget products in total.

Noise growth. As we compute \(\left\langle h(v), {\textbf{f}}_{i,0}\right\rangle \) and \(\left\langle h(v), {\textbf{f}}_{i,1}\right\rangle \) for \(v = \sum _{j=0}^k\left\langle h(c_j), {\textbf{b}}_j\right\rangle \) where it previously computed \(\sum _{j=0}^k\left\langle h(v_j),{\textbf{f}}_{i, 0}\right\rangle \) and \(\sum _{j=0}^k\left\langle h(v_j),{\textbf{f}}_{i, 1}\right\rangle \), the error introduced in this part has reduced by a factor of \(k+1\). Nevertheless, the difference is negligibly small and thus the two hybrid product algorithms show similar error variance. We refer the reader to Sect. 5.2 for thorough noise analysis.

4.2 Generalized External Product

We introduce a new multiplication operation that multiplies an arbitrary single-key RLEV ciphertext to an MK-RLWE ciphertext. To understand the underlying idea, we first recall the external product: given an RLWE ciphertext \({\textbf{c}}\) and an RGSW encryption \(\overline{\textbf{C}}\) of \(\mu \) under the secret t, \({\textbf{c}}\otimes \overline{\textbf{C}}\) outputs an RLWE ciphertext with \(\varphi _t({\textbf{c}}\otimes \overline{\textbf{C}}) \approx \mu \cdot \varphi _t({\textbf{c}}) = \varphi _t (\mu \cdot {\textbf{c}})\). Our key observation is that the external product can be comprehended as multiplying the message \(\mu \) homomorphically to each component of \({\textbf{c}}\).

Now let us ‘generalize’ the external product to the multi-key setting. Suppose that we are given an MK-RLWE ciphertext \(\textsf{ct}= (c_0, \dots , c_k)\) under the concatenated key \(\overline{{\textbf{s}}}= (1, s_1, \dots , s_k)\) and a single-key RLEV encryption \({\textbf{C}}\) of \(\mu \) under another key \(t_i\) of party i. Inspired by the external product, we aim to multiply \(\mu \) to \(\textsf{ct}\) homomorphically. This goal can be achieved by executing \((k+1)\) T-RLEV multiplications: \(c_j \odot {\textbf{C}}\) for \(0 \le j \le k\). However, the resulting ciphertext is not decryptable by \({\textbf{s}}\), but it is encrypted under the tensor product of two keys, namely \((1, t) \otimes \overline{{\textbf{s}}}\) \(= (\overline{{\textbf{s}}}, t \cdot \overline{{\textbf{s}}})\). To change the secret key back to \(\overline{{\textbf{s}}}\), we exploit the relinearization technique, which is used in a variety of HE schemes such as [3, 4, 9, 15]. Let i-th party publish a relinearization key, a uni-encryption of t under the key \(s_i\). Then we can obtain an MK-RLWE ciphertext \(\overline{\textsf{ct}}'\) with \(\varphi _{\overline{{\textbf{s}}}}(\overline{\textsf{ct}}') \approx \mu \cdot \varphi _{\overline{{\textbf{s}}}}(\overline{\textsf{ct}})\) by multiplying t homomorphically to the corresponding components to \(t\cdot \overline{{\textbf{s}}}\) with hybrid product and adding it to the rest of the components. The exact algorithm is given below.

\(\bullet ~\underline{\texttt{ExtProd}(\{{\textbf{b}}_j\}_{j \in [k]},\textsf{rlk}_i;\overline{\textsf{ct}}, {\textbf{C}}_i)}\): Given an MK-RLWE ciphertext \(\overline{\textsf{ct}}= (c_0, \dots , c_k) \in T^{k+1}\), the public keys \(\{{\textbf{b}}_j\}_{j \in [k]}\) of parties associated with \(\overline{\textsf{ct}}\), an RLEV ciphertext \({\textbf{C}}_i \in T^{d\times 2}\) and the relinearization key \(\textsf{rlk}_i\) of party \(i \in [k]\), it returns an MK-RLWE ciphertext \(\overline{\textsf{ct}}'\) as follows:

1. 1.

   Compute \((x_j, y_j) \leftarrow c_j \odot {\textbf{C}}_i\) for \(0\le j\le k\). Let \(\overline{{\textbf{x}}}= (x_0, \dots , x_k)\) and \(\overline{{\textbf{y}}}= (y_0, \dots , y_k)\)

2. 2.

   Compute \(\overline{\textsf{ct}}' \leftarrow \texttt{NewHbProd}(\{{\textbf{b}}_j\}_{j \in [k]};\overline{{\textbf{y}}}, \textsf{rlk}_i) + \overline{{\textbf{x}}}\) and return \(\overline{\textsf{ct}}'\).

Correctness. Suppose that \(\overline{\textsf{ct}}= (c_0, c_1 \dots , c_k)\) is a MK-RLWE ciphertext under the secret \(\overline{{\textbf{s}}}= (s_1, \cdots , s_k)\) and \({\textbf{C}}_i\) is an RLEV encryption of \(\mu \) under the secret \(t_i\). Now, \(0 \le j \le k\), \((x_j, y_j) = c_j \odot {\textbf{C}}_i\) satisfies \(x_j \cdot t_i + y_j \approx \mu \cdot c_j\). Let \(\overline{\textsf{ct}}' = (c'_0, \dots , c'_k) \leftarrow \texttt{NewHbProd}(\{{\textbf{b}}_j\}_{j \in [k]};\overline{{\textbf{y}}}, \textsf{rlk}_i) + \overline{{\textbf{x}}}\) where \(\textsf{rlk}_i=\texttt{UniEnc}(s_i;t_i)\). Then we have

$$\begin{aligned} \varphi _{\overline{{\textbf{s}}}}(\overline{\textsf{ct}}') &\approx \sum _{j=0}^k x_js_j + t_i \cdot \sum _{j=0}^k y_js_j = \sum _{j=0}^k (x_j + t_iy_j) \cdot s_j\approx \mu \cdot \sum _{j=0}^k c_js_j = \mu \cdot \varphi _{\overline{{\textbf{s}}}}(\overline{\textsf{ct}}) \pmod 1 \end{aligned}$$

where \(s_0=1\). Note that this algorithm is exact for any RGSW ciphertext \(\overline{\textbf{C}}\) as well, by replacing \(c_j \odot {\textbf{C}}_i\) to \((0, c_j) \otimes \overline{\textbf{C}}\).

General-Purpose Utility. We remark that this generalized external product is a general-purpose multiplication in that it multiplies a commonly used single-key ciphertext to a multi-key ciphertext. Compared to the previous (R)GSW-like MKHEs [5, 12, 26, 28] which construct multiplications on multi-key ciphertexts, CCS19 [6] and our scheme introduces multiplications, hybrid product and external product, between single-key and multi-key ciphertexts. These multiplications enable better performance in both time and memory. However, the hybrid product requires fresh uni-encryption of a multiplicand. For example, if one wants to evaluate arbitrary operations between uni-encryptions from the same party before they are multiplied to an MK ciphertext, they should be expanded to an MK-RGSW ciphertext and then evaluated via MK-RGSW operations. In contrast, our generalized external product enables us to perform arbitrary operations as a single-key ciphertext and then multiply the resulting RLEV or RGSW ciphertext to a multi-key ciphertext at any time, with the relinearization key generated once in the key generation phase.

Performance. In the first step of the external product, it executes \(k+1\) T-RLEV multiplications, which takes \(2(k+1)\) gadget products in total. Then in the second step, the new hybrid product consumes \(2k+4\) gadget products as explained in Sect. 4.1. To sum up, the external product requires \(4k+6\) gadget products.

Noise Growth. The error variance of our external product will be discussed in Sect. 5.2.

4.3 Our Scheme

In this section, we combine all building blocks to construct yet another MK-variant of TFHE. Similar to CCS19, our scheme shares the same blueprint for gate bootstrapping as TFHE. However, the major difference is that our blind rotation algorithm has a different structure consisting of two distinguished phases involving single-key and multi-key computation, respectively.

More precisely, the first phase of our blind rotation aims to perform blind rotation party-wise with the accumulator staying as a single-key ciphertext. In other words, we compute \(X^{\left\langle \tilde{ba}i, {\textbf{z}}_i\right\rangle } (1\le i \le k)\) simultaneously. In the second phase of blind rotation, we merge k accumulators, which are single-key RLEV encryptions of \(X^{\left\langle \tilde{ba}_i, {\textbf{z}}_i\right\rangle }\) under \(s_i\), into a trivial MK-RLWE ciphertext of \(v\cdot X^{\tilde{ b}}\) under k secrets \(s_1\), ..., \(s_k\). This is achieved by using the generalized external product introduced in the previous section.

Below we provide a formal description of our MK-TFHE scheme. We remark that its setup, basic key generation and ciphertext structure are identical to that of CCS19.

\(\bullet ~\underline{\texttt {Setup}(1^\lambda )}\): Given the security parameter \(\lambda \), return the following parameters:

• An LWE dimension n, a key distribution \(\chi '\) over \({\mathbb Z}^n\), an error parameter \(\alpha >0\).

• A base \(B'\) and a degree \(d'\) to set a gadget vector \({\textbf{g}}'=[B'^{-1}, \dots , B^{-d'}]\) and a gadget decomposition \(h':{\mathbb T}\rightarrow {\mathbb Z}^{d'}\) for LWE.

• An RLWE dimension N, a key distribution \(\chi \) over \(R={\mathbb Z}[X]/(X^N+1)\), and an error parameter \(\beta >0\).

• A base B and a degree d to set a gadget vector \({\textbf{g}}=[B^{-1}, \dots , B^{-d}]\) and a gadget decomposition \(h:T\rightarrow R^{d}\) for ring-based schemes.

• A CRS \(\textbf{a}\leftarrow T^{d}\).

\(\bullet ~\underline{\texttt{KeyGen}(i)}\): A party i generates its secret and public keys as follows.

• Sample an LWE secret key \({\textbf{z}}_i = (z_{i, 0}, \dots , z_{i, n-1}) \leftarrow \chi '\).

• Sample an RLWE secret key \(s_i = s_{i,0} + s_{i,1}X + \cdots + s_{i, N-1}X^{N-1} \leftarrow \chi \) and an error \({\textbf{e}}\leftarrow {\psi }^{d}\). Compute \({\textbf{b}}_i = -s_i \cdot \textbf{a}+ {\textbf{e}}\pmod 1\) and set the public key as \(\textsf{pk}_i = {\textbf{b}}_i\).

\(\bullet ~\underline{\texttt{BootKeyGen}(i)}\): A party i generates and publishes a blind rotation key \(\textsf{brk}_i\), a relinearization key \(\textsf{rlk}_i\) and a key-switching key \(\textsf{ksk}_i\) as follows.

• Sample \(t_i \leftarrow \chi \) and generate \(\textsf{brk}_{i,j} \leftarrow \texttt{RGSW}.\texttt{Enc}(t_i;z_{i,j})\) for \(0 \le j < n\). Set the blind rotation key \(\textsf{brk}_i = \{\textsf{brk}_{i,j}\}_{0 \le j < n}\).

• Generate the relinearization key \(\textsf{rlk}_i \leftarrow \texttt{CCS}.\texttt{UniEnc}(s_i;t_i)\).

• Let \((s^*_{i, 0}, \dots , s^*_{i, N-1}) = (s_{i,0}, -s_{i, N-1}, \dots , -s_{i, 1})\). Sample \({\textbf{A}}_{i,j} \leftarrow {\mathbb T}^{d'\times n}\) and \({\textbf{e}}_{i,j} \leftarrow {\psi }'^{d'}\) for \(0 \le j < N\), and let \(\textsf{ksk}_{i,j} = [{\textbf{b}}_{i,j}|{\textbf{A}}_{i,j}]\) where \({\textbf{b}}_{i,j} = -{\textbf{A}}_{i,j} \cdot {\textbf{z}}_i + {\textbf{e}}_{i,j} + s^*_{i,j} \cdot {\textbf{g}}'\). Set the key-switching key \(\textsf{ksk}_i = \{\textsf{ksk}_{i,j}\}_{0 \le j < N}\).

\(\bullet ~\underline{\texttt {Enc}({\textbf{z}}_i;m)}\): A party i samples \(\textbf{a}_i \leftarrow {\mathbb T}^n\) and \(e \leftarrow {\psi }'\). Given a message bit \(m \in \{0, 1\}\) and its secret key \({\textbf{z}}_i\), return the ciphertext \(\textsf{ct}= (b_i, \textbf{a}_i)\) where \(b_i = -\left\langle \textbf{a}_i, {\textbf{z}}_i\right\rangle + \frac{1}{4}m + e \pmod 1\).

\(\bullet ~\underline{\texttt {Dec}(\{{\textbf{z}}_i\}_{i \in [k]};\overline{\textsf{ct}})}\): Given a ciphertext \(\overline{\textsf{ct}}\in {\mathbb T}^{kn+1}\) and secret keys \(\{{\textbf{z}}_i\}_{i \in [k]}\), return the bit \(m\in \{0, 1 \}\) which minimizes \(|b + \sum _{i \in [k]} \left\langle \textbf{a}_i, {\textbf{z}}_i\right\rangle - \frac{1}{4}m|\).

\(\bullet ~\underline{\texttt{HomNAND}(\{(\textsf{pk}_i, \textsf{brk}_i, \textsf{rlk}_i, \textsf{ksk}_i)\}_{i \in [k]};\overline{\textsf{ct}}_1, \overline{\textsf{ct}}_2)}\): Given two ciphertexts \(\overline{\textsf{ct}}_1\), \(\overline{\textsf{ct}}_2\) and key-quadruple \(\{(\textsf{pk}_i, \textsf{brk}_i, \textsf{rlk}_i, \textsf{ksk}_i)\}_{i \in [k]}\) of associated parties, perform the following steps:

1. 1.

   Compute \(\overline{\textsf{ct}}\leftarrow (\frac{5}{8}, 0, \dots , 0) - \overline{\textsf{ct}}_1 - \overline{\textsf{ct}}_2 \pmod 1\).

2. 2.

   Compute \(\textsf{ACC}\leftarrow \texttt{BlindRotate}(\{(\textsf{pk}_i, \textsf{brk}_i, \textsf{rlk}_i)\}_{i \in [k]};\overline{\textsf{ct}})\) where \(\texttt{BlindRotate}(\cdot )\) is the blind rotation algorithm in Algorithm 2.

3. 3.

   Compute \(\overline{\textsf{ct}}\leftarrow (\frac{1}{8}, 0, \dots , 0) + (b, \textbf{a}_1, \dots , \textbf{a}_k) \pmod 1 \in {\mathbb T}^{kN+1}\) where b is the constant term of \(\textsf{ACC}[0]\) and \(\textbf{a}_i\) is the coefficient vector of \(\textsf{ACC}[i]\) for \(i \in [k]\).

4. 4.

   Perform the key-switching process: Compute \((b'_i, \textbf{a}'_i) = \sum _{j=0}^{N-1} h'(a_{i,j}) \cdot \textsf{ksk}_{i,j} \pmod 1\) for \(i \in [k]\) and \(b' = b + \sum _{i\in [k]} b'_i\). Return \(\overline{\textsf{ct}}' = (b', \textbf{a}'_1, \dots , \textbf{a}'_k) \in {\mathbb T}^{kn+1}\).

Security. In the bootstrapping key generation, each party publishes the blind rotation key \(\textsf{brk}_i\) encrypting the elements of \({\textbf{z}}_i\) under \(t_i\), the relinearization key \(\textsf{rlk}_i\) encrypting \(t_i\) under \(s_i\), and key-switching key \(\textsf{ksk}_i\) encrypting the coefficients of \(s_i\) under \({\textbf{z}}_i\). As the previous TFHE [10] and multi-key TFHE [6] schemes, we require a circular security assumption along with the (R)LWE assumption to have our scheme semantically secure.

Correctness. We show that the output \(\textsf{ACC}\) of our blind rotation in Algorithm 2 is an MK-RLWE encryption of \({v}\cdot X^{\tilde{b} + \sum _{i=1}^k\left\langle \tilde{\textbf{a}}_i, {\textbf{z}}_i\right\rangle }\) under \(\overline{{\textbf{s}}}= (s_1, \dots , s_k) \in T^k\). Initially, \(\textsf{ACC}\) is an MK-RLWE encryption of \({v}\cdot X^{\tilde{b}}\) under \(\overline{{\textbf{s}}}\) (line 3). In the i-th iteration of the first loop, it computes \(\textsf{ACC}'_i\) which is an RLEV encryption of \(X^{\left\langle \tilde{\textbf{a}_i}, {\textbf{z}}_i\right\rangle }\) (line 5–8). In line 5, \(\textsf{ACC}'_i\) is initialized to a trivial RLEV encryption of \(1 \in T\). Then for \(0 \le j < n\) (line 6–8), \(\textsf{ACC}'\) is updated by Since \(\textsf{brk}_{i,j}\) is the RGSW encryption of \(z_{i,j}\), it implies that \(\textsf{ACC}'_i\) is multiplied by \(X^{\tilde{a}_{i,j}}\) if \(z_{i,j}=1\), or else (\(z_{i,j}=0\)), stays the same. As a result, we get k different \(\textsf{ACC}'_i (1\le i \le k)\) encrypting \(X^{\left\langle \tilde{\textbf{a}}_i, {\textbf{z}}_i\right\rangle }\) under \(t_i\). Finally, in the i-th iteration of the second loop (line 10–12), \(\textsf{ACC}\) is homomorphically multiplied by \(X^{\left\langle \tilde{\textbf{a}}_i, {\textbf{z}}_i\right\rangle }\) with external product. Consequently, \(\textsf{ACC}\) is an MK-RLWE encryption of \({v}\cdot X^{\tilde{b} + \sum _{i=1}^k\left\langle \tilde{\textbf{a}}_i, {\textbf{z}}_i\right\rangle }\) under \(\overline{{\textbf{s}}}\).

Our new scheme provides an asymptotically faster NAND algorithm as we perform single-key, parallelizable operations in the first phase by which the time complexity is dominated. Furthermore, the bootstrapping keys are almost compatible with the single-key TFHE [10], which allows to perform multi-key evaluation from the original (single-key) TFHE scheme with a small number of auxiliary keys. We describe the advantages in detail below.

• Performance. As will be analyzed in Sect. 5.1, our blind rotation algorithm Algorithm 2 requires \(O(nkd+k^2)\) gadget decompositions, while the blind rotation algorithm Algorithm 1 of CCS19 requires \(O(nk^2)\). In typical settings, n is much bigger than k, therefore the time complexity of our algorithm is quasi-linear to the number of parties.

• Parallelization. Our blind rotation generates k different single-key RLEV encryptions \(\textsf{ACC}'_i\) of \(X^{\left\langle \tilde{\textbf{a}}_i, {\textbf{z}}_i\right\rangle }\) and then merge them into a single MK-RLWE ciphertext \(\textsf{ACC}\) by the generalized external product. Since \(\textsf{ACC}'_i\)s are independently generated, we can evaluate them in parallel. However, merging the RLEV ciphertext cannot be parallelized since they should be sequentially multiplied, thus the time complexity of the parallelized algorithm becomes \(O(nd + k^2)\).

• Key Compatibility. Recall that our scheme generates three bootstrapping keys: the blind rotation key \(\textsf{brk}_i\), the relinearization \(\textsf{rlk}_i\) and the key-switching key \(\textsf{ksk}_i\). We note that the blind rotation key and the key-switching key is identical to the single-key TFHE [10]. Thus, the single-key TFHE scheme can be easily expanded to the multi-key scheme with each party generating a key \(\textsf{rlk}_i = \texttt{UniEnc}(s_i;t_i) (1\le i \le k)\).

On the other hand, our scheme consumes two levels (one for each phase) so that the noise blows up to an extent which cannot be handled in the ring dimension \(N=1024\) used in CCS19. We use a larger ring dimension \(N=2048\) in spite of performance degradation, but still, it is negligible as the number of parties increases. We compare CCS19 and our scheme using \(N=1024\) and \(N=2048\), respectively, in Sect. 6.

Algorithm 2

. New Blind Rotation

4.4 Using Different Gadget Decompositions

So far we have used the same gadget decomposition \(h\) for elements in T, but in fact, different gadgets can be applied for different encryptions in our scheme. Let \(h_{lev}\) and \(h_{uni}\) be two different gadget decompositions corresponding to gadget vectors \({\textbf{g}}_{lev}\) and \({\textbf{g}}_{uni}\), respectively. In the external product, for example, we can use \(h_{lev}\) in T-RLEV multiplication (step 1) and use \(h_{uni}\) in the hybrid product (step 2). More precisely, let the input RLEV ciphertext \({\textbf{C}}\) of \(\mu \) under a secret s involve the gadget vector \({\textbf{g}}_{lev}\) i.e.,  \({\textbf{C}}= ({\textbf{b}}= -s \cdot \textbf{a}+ {\textbf{e}}+ \mu \cdot {\textbf{g}}_{lev} \pmod 1, \textbf{a})\), and compute the T-RLEV multiplication as

$$c \odot {\textbf{C}}= (\left\langle h_{lev}(c), {\textbf{b}}\right\rangle , \left\langle h_{lev}(c), \textbf{a}\right\rangle ) \pmod 1$$

for \(c \in T\). Then it satisfies that

$$\varphi _s(c \odot {\textbf{C}}) = \left\langle h_{lev}(c), {\textbf{b}}\right\rangle + \left\langle h_{lev}(c), \textbf{a}\right\rangle \cdot s \approx \left\langle h_{lev}(c), \mu \cdot {\textbf{g}}_{lev}\right\rangle \approx \mu \cdot c \pmod 1.$$

In a similar argument, we can compute the hybrid product using the decomposition \(h_{uni}\) when the uni-encryption as input involves \({\textbf{g}}_{uni}\).

In the rest of the paper, we use different gadget decompositions for RGSW, RLEV ciphertexts and uni-encryption respectively, each of which contains the corresponding gadget vector. We write \(\{gsw, lev, uni\}\) by subscript to distinguish the gadget decompositions, i.e., \(h_{gsw}\) is the gadget decomposition corresponding to the gadget vector \({\textbf{g}}_{gsw}\) of dimension \(d_{gsw}\). The scheme using different gadget decompositions is provided in Appendix A.

4.5 Distributed Decryption

The decryption process of an MKHE scheme can be regarded as an interactive protocol between the parties associated with a ciphertext. To securely decrypt a ciphertext, a special functionality called the distributed decryption is used. Its functionality is presented in Fig. 2.

The parties are allowed to use any MPC protocol to realize the distributed decryption, but the most popular method involves the noise flooding technique [16]. In this approach, each i-th party publicly discloses \(\mu _i:=\left\langle \textbf{a}_i, {\textbf{s}}_i\right\rangle + e_i \pmod 1\) for some noise \(e_i\) sampled from a large error distribution. This allows the parties to recover the message by aggregating b and \(\mu _i\), and rounding it. This technique is generally applicable to various (R)LWE-based encryption schemes, such as CKKS, BGV or B/FV, which utilize large parameter sets. In contrary, the TFHE scheme has relatively tight parameters to provide the best performance, making the noise flooding technique potentially prone to a decryption failure.

To address this issue, Dahl et al. [13] recently introduced a distributed decryption technique tailored for the Threshold TFHE scheme, with communication overhead. In their approach, each participating party provides an additional blind rotation key with a larger dimension which can accommodate exponential errors during the setup phase. It is worth noting that this approach is directly applicable to the multi-key scenario, but can be more expensive compared to the threshold case. On other hand, the garbled circuit can also serve as the building block for the distributed decryption. Kraitsberg et al. [21] proposed a distributed decryption method of two-out-of-three threshold FV ciphertexts, which exploits a garbled circuit scheme for honest majority in a three party setting. This approach can be naturally extended to the multi-key setting using the multi-party garbling [2], however, it would require quadratic communication costs with respect to the number of parties involved.

Fig. 2.

The distributed decryption functionality for TFHE.

5 Performance Analysis

5.1 Time and Space Complexity

We remark that the hybrid product of CCS19 and our novel hybrid product require \(4(k+1)\) and \(2k+4\) uni-gadget products, respectively. Furthermore, the external product performs \(k+1\) T-RLEV multiplications and one novel hybrid product to require \(2(k+1)\) lev-gadget and \(2k+4\) uni-gadget products. As the previous blind rotation in Algorithm 1 performs nk hybrid products of CCS19, it takes \(4nk(k+1)\) uni-gadget products. In our novel blind rotation Algorithm 2, it performs nk RLEV-RGSW multiplications and k external products to have \(2nkd_{lev}\) gsw-gadget, \(2k(k+1)\) lev-gadget, and \(k(2k+4)\) uni-gadget decompositions. Since the gadget decomposition takes by a factor of its degree, we have the complexity of about \(O(nkd_{lev}d_{gsw} + k^2d_{lev} + k^2d_{uni})\). As the time complexity almost depends on \(d_{lev}d_{gsw}\), we minimize \(d_{lev}d_{gsw}\) when setting parameters in Sect. 6.

In the blind rotation, previous algorithm Algorithm 1 takes the blind rotation keys \(\textsf{brk}_i\) for \(1 \le i \le k\) as input where \(\textsf{brk}_i\) consists of n uni-encryptions. However, our algorithm Algorithm 2 takes the blind rotation keys \(\textsf{brk}_i\) and the relinearization keys \(\textsf{rlk}_i\) for \(1 \le i \le k\), where \(\textsf{brk}_i\) consists of n RGSW encryptions and \(\textsf{rlk}_i\) is a uni-encryption. Since a uni-encryption is in \(T^{d\times 3}\) and an RGSW encryption is in \(T^{2d \times 2}\), the size of the key used in our blind rotation is about \(\frac{4}{3}\) times bigger than the previous one.

We remark that the blind rotation key size of our scheme can be reduced using key-compression methods for the TFHE scheme. For example, we can halve the size of the blind rotation key using the key compression method proposed by Kim et al. [18]. Or, we can replace the RGSW keys with uni-encryptions since the hybrid product is exact for a single party as well. However, there is a trade-off between the size of the key and the execution time for key-compression tricks in general.

5.2 Noise Growth

In this section, we provide an average-case noise analysis of homomorphic operations and analyze the noise growth from our gate bootstrapping procedure. We focus on the new blind rotation algorithm since other algorithms such as key-switching have been studied already in CCS19.

We start from introducing several assumptions and terminologies which we use in our analysis.

• For an RLEV encryption \({\textbf{C}}\) of \(\mu \) under secret s, the error of \({\textbf{C}}\) is defined as \(\textsf {Err}({\textbf{C}}) = \varphi _s({\textbf{C}}) - \mu \cdot {\textbf{g}}_{lev}\in T^{d_{lev}}\).

• For an RGSW encryption \(\overline{\textbf{C}}\) of \(\mu \) under secret s, the error of \(\overline{\textbf{C}}\) is defined as \(\textsf {Err}(\overline{\textbf{C}}) = \varphi _s(\overline{\textbf{C}}) - \mu \cdot \begin{bmatrix} {\textbf{g}}&{} \textbf{0} \\ \textbf{0} &{} {\textbf{g}}\end{bmatrix} \in T^{2d_{gsw}}\).

• In our scheme, all entries of the error vector of an RLEV (RGSW) ciphertext have the same variance. Therefore, we use \(\textsf {Var}\textsf {Err}(\cdot )\) to denote the common variance of error components.

• For the gadget decomposition \(h\) with the gadget base B (a power-of-two) and the degree d, we define \(\epsilon ^2 = 1/(12B^{2d})\), the variance of uniform distribution over \((-\frac{1}{2}B^{-d}, \frac{1}{2}B^{-d}]\), and \(V = \frac{1}{12}(B^2 + 2)\), the mean square of a uniform distribution over \({\mathbb Z}_B = {\mathbb Z}\cap (-B/2, B/2]\). We use \(\{gsw, lev, uni\}\) as subscript to distinguish the variance and the mean square of specific gadget decompostions, e.g., we write \(\epsilon _{gsw}\), \(V_{gsw}\) for the gadget decomposition \(h_{gsw}\).

• We assume that each component of an RLWE, RLEV, or RGSW ciphertext behaves as if it is a uniform random variable on T. Hence, the entries of the gadget decompositions are uniformly distributed over the set of polynomials of coefficients in \({\mathbb Z}_B\).

We provide the lemmas, corollaries and theorem on the error of the operations and algorithms used in CCS19 and our scheme. The proofs for the following lemmas, corollaries and theorem are given in Appendix B.

Lemma 1

(T -RLEV Multiplication). Let c be a torus polynomial and \({\textbf{C}}\) be an RLEV encryption of \(\mu \) under secret s. Then \({\textbf{c}}\leftarrow c\odot {\textbf{C}}\) is an RLWE ciphertext such that \(\varphi _s({\textbf{c}}) = \mu \cdot c + e \pmod 1\) for some error \(e \in R\) whose variance is

$$\textsf {Var}(e) = \Vert \mu \Vert _2^2\epsilon _{lev}^2 + d_{lev}N V_{lev}\textsf {Var}\textsf {Err}({\textbf{C}}).$$

Lemma 2

(RLWE-RGSW Multiplication). Let \({\textbf{c}}\) be an RLWE ciphertext and \(\overline{\textbf{C}}\) an RGSW encryption of \(\mu \) under secret s. Then \({\textbf{c}}'\leftarrow {\textbf{c}}\otimes \overline{\textbf{C}}\) is an RLWE ciphertext such that \(\varphi _{s}({\textbf{c}}')=\mu \cdot \varphi _{s}({\textbf{c}})+e\pmod 1\) for some error \(e\in R\) whose variance is

$$\textsf {Var}(e)= (1 + N/2) \Vert \mu \Vert _2^2\epsilon _{gsw}^2 + 2d_{gsw}N V_{gsw}\textsf {Var}\textsf {Err}(\overline{\textbf{C}}).$$

Corollary 1

(RLEV-RGSW Multiplication). Let \({\textbf{C}}\) be an RLEV ciphertext and \(\overline{\textbf{C}}\) be an RGSW encryption of \(\mu \) under secret s. Then is an RLEV ciphertext with \(\varphi _s({\textbf{C}}') = \mu \cdot \varphi _s({\textbf{C}}) + {\textbf{e}}\) for some error \({\textbf{e}}= \begin{bmatrix} e_1 \\ \vdots \\ e_{d_{lev}} \end{bmatrix} \in T^{d_{lev}}\) with

$$ \textsf {Var}(e_i) = (1 + N/2) \Vert \mu \Vert _2^2\epsilon _{gsw}^2 + 2d_{gsw}N V_{gsw}\textsf {Var}\textsf {Err}(\overline{\textbf{C}}) (1 \le i \le d_{lev}).$$

We provide a noise analysis on the hybrid product and blind rotation algorithms in CCS19.

Lemma 3

(Hybrid Product). Let \(\overline{\textsf{ct}}\) be an MK-RLWE ciphertext and \(({\textbf{d}}_i, {\textbf{F}}_i)\) be a uni-encryption of \(\mu \) of party i. Then \(\overline{\textsf{ct}}' \leftarrow \texttt{HbProd}(\{{\textbf{b}}_j\}_{j\in [k]}; \textsf{ct}, ({\textbf{d}}_i, {\textbf{F}}_i))\) is an MK-RLWE ciphertext such that \(\varphi _{\overline{\textbf{s}}}(\overline{\textsf{ct}}') = \mu \cdot \varphi _{\overline{\textbf{s}}}(\overline{\textsf{ct}}) + e\pmod 1\) for some error \(e \in R\) with

$$\textsf {Var}(e) \approx \frac{k}{2}\Vert \mu \Vert _2^2N^2\epsilon _{uni}^2 + kd_{uni}N^2 V_{uni}\beta ^2 .$$

Corollary 2

(Blind Rotation of CCS19). Let \(\textsf{ACC}\) be the resulting MK-RLWE ciphertext from the blind rotate algorithm 1. Then \(\varphi _{\overline{\textbf{s}}}(\textsf{ACC}) = X^{\sum _{i=1}^k \left\langle \tilde{\textbf{a}}_i, {\textbf{z}}_i\right\rangle + \tilde{ b}} \cdot {v}+ e\pmod 1\) for some error \(e \in T\) with

$$ \textsf {Var}(e) \approx \frac{k(k+1)}{8}nN^2(\epsilon _{uni}^2 + 4d_{uni}V_{uni}\beta ^2).$$

Now, we provide a noise analysis of our new hybrid product and generalized external product and the blind rotation.

Lemma 4

(New Hybrid Product). Let \(\overline{\textsf{ct}}\) be an MK-RLWE ciphertext and \(({\textbf{d}}_i, {\textbf{F}}_i)\) be a uni-encryption of \(\mu \) of party i. Then \(\overline{\textsf{ct}}' \leftarrow \texttt{NewHbProd}(\{{\textbf{b}}_j\}_{j\in [k]}; \textsf{ct}, ({\textbf{d}}_i, {\textbf{F}}_i))\) is an MK-RLWE ciphertext such that \(\varphi _{\overline{\textbf{s}}}(\overline{\textsf{ct}}') = \mu \cdot \varphi _{\overline{\textbf{s}}}(\overline{\textsf{ct}}) + e\pmod 1\) for some error \(e \in R\) with

$$ \textsf {Var}(e) \approx \frac{k}{2}\Vert \mu \Vert _2^2N^2\epsilon _{uni}^2 + kd_{uni}N^2 V_{uni}\beta ^2.$$

Lemma 5

(Generalized External Product). Let \(\overline{\textsf{ct}}\) be an MK-RLWE ciphertext, \({\textbf{C}}_i\) be a single-key RLEV encryption of \(\mu \) under secret key t and \(\textsf{rlk}_i = ({\textbf{d}}_i, {\textbf{F}}_i)\) be a uni-encryption of t of party i. Then \(\overline{\textsf{ct}}' \leftarrow \texttt{ExtProd}(\{{\textbf{b}}_j\}_{j\in [k]}, \textsf{rlk}_i; \overline{\textsf{ct}}, {\textbf{C}}_i)\) is an MK-RLWE ciphertext such that \(\varphi _{\overline{\textbf{s}}}(\overline{\textsf{ct}}') = \mu \cdot \varphi _{\overline{\textbf{s}}}(\overline{\textsf{ct}}) + e\pmod 1\) for some error \(e \in T\) with

$$\textsf {Var}(e) \approx (1+kN/2) \left[ \Vert \mu \Vert _2^2\epsilon _{lev}^2 + d_{lev}N V_{lev}\textsf {Var}\textsf {Err}({\textbf{C}}_i) \right] + \frac{k}{4}N^3\epsilon _{uni}^2 + kd_{uni}N^2 V_{uni}\beta ^2.$$

Theorem 1

(Our Blind Rotation). Let \(\textsf{ACC}\) be the resulting MK-RLWE ciphertext from our new blind rotation algorithm [2]. Then \(\varphi _{\overline{\textbf{s}}}(\textsf{ACC}) = X^{\sum _{i=1}^k\left\langle \tilde{\textbf{a}}_i, {\textbf{z}}_i\right\rangle +\tilde{ b}}\cdot {v}+ e \pmod 1\) for some error \(e\in T\) with

$$\textsf {Var}(e) \approx \frac{k(k+1)}{8} \left[ 2d_{lev}nN^3 V_{lev}\cdot \left( 2d_{gsw}V_{gsw}\beta ^2 + \epsilon _{gsw}^2 \right) + N^3\epsilon _{uni}^2 + 4d_{uni}N^2 V_{uni}\beta ^2 \right] .$$

6 Implementation

  We provide a proof-of-concept implementation of our MK-TFHE scheme and the previous work [6]. Note that in the implementation of CCS19, the underpinning algorithms for the original TFHE [10] such as external product are optimized, however the algorithms for the multi-key variant are not fully optimized. Since our algorithm exploits the algorithms from original TFHE, we implemented our scheme and CCS19 based in Julia for a fair comparison. All experiments were performed on a machine with Intel(R) Xeon(R) Platinum 8268 @ 2.90 GHz CPU and 192 GB RAM running Ubuntu 20.04.2 LTS. Our source code is available at https://github.com/SNUCP/MKTFHE.

Table 1. Recommended parameter settings for our scheme. \(n, \alpha \) and \(N, \beta \) denote the dimension and the standard deviations for LWE and RLWE ciphertexts, respectively. \(B_{ksk}\) and \(d_{ksk}\) are the gadget decomposition parameter for key-switching key.

Table 1 and Table 2 describe candidate parameter sets for our MK-TFHE scheme and CCS19, respectively. They achieve at least 110-bit of security level according to LWE-estimator [24] with the same LWE parameters in both schemes. However, we use different RLWE parameters as our scheme introduces high noise variance due to an additional level consumption in the generalized external product, which is intolerable by the conventional ring dimension \(N=1024\) and the standard deviation \(3.72\cdot 10^{-9}\) of TFHE. Using a larger ring dimension \(N = 2048\) in our scheme, we then have smaller \(\beta = 4.63 \cdot 10^{-18}\) and accordingly implement high-precision torus arithmetic (64-bit). The five parameters sets from I to V in Table 1 supports up to 2, 4, 8, 16, and 32 parties. In Table 2, the first three parameter sets I\('\), II\('\), and III\('\) of CCS19 are introduced in the original paper [6] that support at most 2, 4, and 8 parties, respectively. We note that we changed the gadget base for parameter set I\('\), to guarantee the correct functionality of fully homomorphic encryption. To compare the performance under more parties, we additionally use the parameter set IV\('\) to evaluate the scheme on 16 parties, but could not find an appropriate parameter set that handles 32 parties in ring dimension \(N=1024\) of CCS19.

We make use of a well-known optimization technique with space-time tradeoff used in [10, 14]. In the key-switching key generation step of party i, we publish LWE encryptions of \(b \cdot s^*_{i, j} \cdot {\textbf{g}}'\) for \(0\le j < n\) and \(b \in {\mathbb Z}\cap (-B'/2, B'/2]\), instead of \(s^*_{i, j} \cdot {\textbf{g}}'\). With this technique, we do not need to perform any multiplication during the key-switching phase with \(B'-1\) times bigger key-switching key size.

As mentioned in Sect. 5.1, we aim to minimize \(d_{gsw}\cdot d_{lev}\) with smallest error variance possible. Let us recall the error analysis of our blind rotation given in Sect. 5.

$$\frac{k(k+1)}{8} \left[ 2d_{lev}nN^3 V_{lev}\cdot \left( 2d_{gsw}V_{gsw}\beta ^2 + \epsilon _{gsw}^2 \right) + N^3\epsilon _{uni}^2 + 4d_{uni}N^2 V_{uni}\beta ^2 \right] $$

We note that the effect of the uni-encryption on both the noise variance and the performance of the blind rotation is almost negligible, therefore we mainly focus on the parameters of RGSW and RLEV ciphertexts. As the error variance is dominated by \(d_{lev}V_{lev}(d_{gsw}V_{gsw}\beta ^2 + \epsilon _{gsw}^2)\), it follows that the gadget base and the gadget length of both RGSW and RLEV ciphertexts affect the final noise variance. However, the decomposition error of RLEV ciphertexts has little influence whereas that of RGSW ciphertexts has a great influence on the final noise. Based on this observation, our strategy to find the suitable parameter set is to set \(d_{lev}\cdot d_{gsw}\) first, and then set the gadget base of RGSW ciphertexts according to \(d_{gsw}\) with small decomposition noise, followed by setting the gadget base of RLEV ciphertexts with regard to other parameters. Although the effect of the parameters for uni-encryptions are almost negligible to the time complexity, the final error variance, and even the space complexity, we chose the parameter achieving the least space complexity.

Table 2. Recommended parameter settings for CCS19 scheme.

We describe the performance of our scheme and of CCS19 in Table 3. Our scheme is slower when the number of parties is small due to a larger ring dimension \(N=2048\). However, our algorithmic improvements overwhelm its disadvantage and outperform the previous scheme. Finally, our experiments verify that the running time of our NAND algorithm is almost linear with the number of parties as expected, compared to quadratic growth of CCS19 (see Fig. 3). We also provide the execution time of our NAND and parallelized NAND algorithm and that of CCS19 in Table 3.

Table 3. The memory consumed by keys and the elapsed time of NAND algorithms in our scheme and the CCS19 scheme.

Fig. 3.

The time elapsed in NAND algorithms of ours and CCS19 for parameter set IV and IV\('\), respectively.

Appendices

A Multi-key TFHE Variant Using Different Gadget Decompositions

We provide the algorithms of our new MK-TFHE scheme with different gadget decompositions. The encryption and decryption algorithms are the same as given in Sect. 4.3.

\(\bullet ~\underline{\texttt {Setup}(1^\lambda )}\): Given the security parameter \(\lambda \), return the following parameters:

• An LWE dimension n, a key distribution \(\chi '\) over \({\mathbb Z}^n\), and an error variance \(\alpha > 0\).

• An RLWE dimension N, a key distribution \(\chi \) over \(R={\mathbb Z}[X]/(X^N+1)\), and an error variance \(\beta > 0\).

• A CRS \(\textbf{a}\leftarrow T^{d_{uni}}\).

• 4 pairs of gadget decompositions and gadget vectors.

  • A gadget decomposition \(h_{ksk}\) of key-switching key and the corresponding gadget vector \({\textbf{g}}_{ksk}\) with base \(B_{ksk}\) and degree \(d_{ksk}\).

  • A gadget decomposition \(h_{gsw}\) of RGSW encryption and the corresponding gadget vector \({\textbf{g}}_{gsw}\) with base \(B_{gsw}\) and degree \(d_{gsw}\).

  • A gadget decomposition \(h_{lev}\) of RLEV encryption and the corresponding gadget vector \({\textbf{g}}_{lev}\) with base \(B_{lev}\) and degree \(d_{lev}\).

  • A gadget decomposition \(h_{uni}\) of uni-encryption and the corresponding gadget vector \({\textbf{g}}_{uni}\) with base \(B_{uni}\) and degree \(d_{uni}\).

\(\bullet ~\underline{\texttt{KeyGen}(i)}\): A party i generates its secret and public keys as follows.

• Sample LWE secret key \({\textbf{z}}_i = (z_{i, 0}, \dots , z_{i, n-1}) \leftarrow \chi \).

• Sample RLWE secret key \(s_i = s_{i,0} + s_{i,1}X + \cdots + s_{i, N-1}X^{N-1} \leftarrow \chi '\) and error \({\textbf{e}}\leftarrow {\psi }^{d_{uni}}\). Compute \({\textbf{b}}_i = -s_i \cdot \textbf{a}+ {\textbf{e}}\pmod 1\) and set the public key as \(\textsf{pk}_i = {\textbf{b}}_i\).

\(\bullet ~\underline{\texttt{BootKeyGen}(i)}\): A party i generates and publishes a blind rotation key \(\textsf{brk}_i\), a relinearization key \(\textsf{rlk}_i\) and a key-switching key \(\textsf{ksk}_i\) as follows.

• Sample \(t_i \leftarrow \chi '\) and generate \(\textsf{brk}_{i,j} \leftarrow \texttt{RGSW}.\texttt{Enc}_{h_{gsw}}(t_i;z_{i,j})\) for \(0 \le j < n\). Set the blind rotation key \(\textsf{brk}_i = \{\textsf{brk}_{i,j}\}_{0 \le j < n}\).

• Generate the relinearization key \(\textsf{rlk}_i \leftarrow \texttt{UniEnc}_{h_{uni}}(s_i;t_i)\).

• Let \((s^*_{i, 0}, \dots , s^*_{i, N-1}) = (s_{i,0}, -s_{i, N-1}, \dots , -s_{i, 1})\). Sample \({\textbf{A}}_{i,j} \leftarrow {\mathbb T}^{d_{ksk}\times n}\) and \({\textbf{e}}_{i,j} \leftarrow {\psi }'^{d_{ksk}}\) for \(0 \le j < N\), and let \(\textsf{ksk}_{i,j} = [{\textbf{b}}_{i,j}|{\textbf{A}}_{i,j}]\) where \({\textbf{b}}_{i,j} = -{\textbf{A}}_{i,j} \cdot {\textbf{s}}_i + {\textbf{e}}_{i,j} + s^*_{i,j} \cdot {\textbf{g}}_{ksk}\). Set the key-switching key \(\textsf{ksk}_i = \{\textsf{ksk}_{i,j}\}_{0 < N}\).

\(\bullet ~\underline{\texttt{HomNAND}(\{(\textsf{pk}_i, \textsf{brk}_i, \textsf{rlk}_i, \textsf{ksk}_i)\}_{i \in [k]};\overline{\textsf{ct}}_1, \overline{\textsf{ct}}_2)}\): Given two \(\textsf{LWE}\) ciphertexts \(\overline{\textsf{ct}}_1\), \(\overline{\textsf{ct}}_2\) and key-quadruple \(\{(\textsf{pk}_i, \textsf{brk}_i, \textsf{rlk}_i, \textsf{ksk}_i)\}_{i \in [k]}\) of associated parties, perform the following steps:

1. 1.

   Compute \(\overline{\textsf{ct}}\leftarrow (\frac{5}{8}, 0, \dots , 0) - \overline{\textsf{ct}}_1 - \overline{\textsf{ct}}_2 \pmod 1\).

2. 2.

   Compute \(\overline{\textsf{ct}}\leftarrow \texttt{BlindRotate}(\{(\textsf{pk}_i, \textsf{brk}_i, \textsf{rlk}_i)\}_{i \in [k]};\overline{\textsf{ct}})\) where \(\texttt{BlindRotate}(\cdot )\) is the blind rotation algorithm in Algorithm 3.

3. 3.

   Compute \(\overline{\textsf{ct}}\leftarrow (\frac{1}{8}, 0, \dots , 0) + \overline{\textsf{ct}}\pmod 1\) and return \(\textsf{ct}= (b, \textbf{a}_1, \dots , \textbf{a}_k) \in {\mathbb T}^{kN+1}\) where b is the constant term of \(\overline{\textsf{ct}}_0\) and \(\textbf{a}_i\) is the coefficient vector of \(\overline{\textsf{ct}}_i\) for \(i \in [k]\).

4. 4.

   Perform the key-switching process: Compute \((b'_i, \textbf{a}'_i) = \sum _{j=0}^{N-1} h'(a_{i,j}) \cdot \textsf{ksk}_{i,j} \pmod 1\) for \(i \in [k]\) and \(b' = b + \sum _{i\in [k]} b'_i\). Return \(\textsf{ct}' = (b', \textbf{a}'_1, \dots , \textbf{a}'_k) \in {\mathbb T}^{kn+1}\).

Algorithm 3

. New Blind Rotation using Different Gadget Decompositions

B Proofs for the Noise Analysis

First we define \(\textsf{GdErr}_{gsw}\), \(\textsf{GdErr}_{lev}\) and \(\textsf{GdErr}_{uni}\), the gadget decomposition error of \(h_{gsw}, h_{lev}\) and \(h_{uni}\) respectively.

Proof of Lemma 1 (T-RLEV Multiplication)

Proof

By definition, we have

$$\begin{aligned} \varphi _s(c \odot {\textbf{C}}) &= \left\langle h_{lev}(c), \varphi _s({\textbf{C}})\right\rangle \\ &= \left\langle h_{lev}(c), \mu \cdot {\textbf{g}}_{lev}+ \textsf {Err}({\textbf{C}})\right\rangle \\ &= \mu \cdot c + \mu \cdot \textsf{GdErr}_{lev}(c) + \left\langle h_{lev}(c), \textsf {Err}({\textbf{C}})\right\rangle \pmod 1. \end{aligned}$$

Therefore \(e = \mu \cdot \textsf{GdErr}_{lev}(c) + \left\langle h_{lev}(c), \textsf {Err}({\textbf{C}})\right\rangle \). Since \(h_{lev}(c)\) and \(\textsf {err}({\textbf{C}})\) are vectors of length \(d_{lev}\), we get

$$\textsf {Var}(e) = \Vert \mu \Vert _2^2\epsilon _{lev}^2 + d_{lev}N V_{lev}\textsf {Var}\textsf {Err}({\textbf{C}})$$

   \(\square \)

Proof of Lemma 2 (RLWE-RGSW Multiplication)

Proof

Let \({\textbf{c}}= (b, a)\) and \(\textsf {Err}({\textbf{C}}) = \begin{bmatrix} {\textbf{e}}_0 \\ {\textbf{e}}_1 \end{bmatrix}\) where \({\textbf{e}}_0, {\textbf{e}}_1 \in T^{d_{gsw}}\). Then we can obtain

$$\begin{aligned} \varphi _s({\textbf{c}}\otimes \overline{\textbf{C}}) &= \left\langle h_{gsw}({\textbf{c}}), \varphi _s(\overline{\textbf{C}})\right\rangle \\ &= \left\langle h_{gsw}(b), \mu \cdot {\textbf{g}}_{gsw}+{\textbf{e}}_0\right\rangle +\left\langle h_{gsw}(a), \mu \cdot s\cdot {\textbf{g}}_{gsw}+{\textbf{e}}_1\right\rangle \\ &= \mu \cdot \varphi _s({\textbf{c}})+\mu \cdot (\textsf{GdErr}_{gsw}(b)+\textsf{GdErr}_{gsw}(a)s)+\left\langle h_{gsw}({\textbf{c}}), \textsf {Err}(\overline{\textbf{C}})\right\rangle \pmod 1. \end{aligned}$$

Therefore, we can get the following error variance.

$$ \textsf {Var}(e) = (1 + N/2) \Vert \mu \Vert _2^2\epsilon _{gsw}^2 + 2d_{gsw}N V_{gsw}\textsf {Var}\textsf {Err}(\overline{\textbf{C}}).$$

   \(\square \)

Proof of Corollary 1 (RLEV-RGSW Multiplication)

Proof

An RLEV ciphertext can be seen as a column vector of RLWE ciphertexts. Therefore, this corollary can be shown directly from the previous lemma.    \(\square \)

For efficiency, we prove Lemma 4 first, and then prove Lemma 3.

Proof of Lemma 4 (New Hybrid Product)

Proof

We shall use \({\textbf{e}}_0 = {\textbf {0}}\) and the same temporary variables as in the algorithm description for the easier notation. Let \({\textbf{u}}= (u_0, \dots , u_k)\) and \({\textbf{w}}= (w_0, w_1)\). Then we have \(\varphi _{\overline{{\textbf{s}}}}(\overline{\textsf{ct}}') = \varphi _{\overline{{\textbf{s}}}}({\textbf{u}}) + \varphi _{s_i}({\textbf{w}}) \pmod 1\). The first term is

$$\begin{aligned} \varphi _{\overline{{\textbf{s}}}}(u) &= \sum _{j=0}^k \left\langle h_{uni}(c_j), r\cdot \textbf{a}+ \mu \cdot {\textbf{g}}_{uni}+ {\textbf{e}}_{i, 1}\right\rangle \cdot s_j \\ &= \mu \cdot \varphi _{\overline{{\textbf{s}}}}(\overline{\textsf{ct}}) + \mu \cdot \sum _{j=0}^k\textsf{GdErr}_{uni}(c_j) \cdot s_j + r\cdot \sum _{j=0}^k\left\langle h_{uni}(c_j), s_j \cdot \textbf{a}\right\rangle \\ &+ \sum _{j=0}^k\left\langle h_{uni}(c_j), {\textbf{e}}_{i, 1}\right\rangle \cdot s_j \pmod 1 , \end{aligned}$$

and the second term is

$$\begin{aligned} \varphi _{s_i}({\textbf{w}}) &= \left\langle h_{uni}(v), {\textbf{F}}_{i, 0}\right\rangle + \left\langle h_{uni}(v), {\textbf{F}}_{i, 1}\right\rangle \cdot s_i \\ &= \left\langle h_{uni}(v), r\cdot {\textbf{g}}_{uni}+ {\textbf{e}}_{i, 2}\right\rangle \\ &= r\cdot v + r \cdot \textsf{GdErr}_{uni}(v) + \left\langle h_{uni}(v), {\textbf{e}}_{i, 2}\right\rangle \pmod 1. \end{aligned}$$

Now, from the fact that

$$\begin{aligned} v + \sum _{j=0}^k \left\langle h_{uni}(c_j), s_j \cdot \textbf{a}\right\rangle &= \sum _{j=0}^k (\left\langle h_{uni}(c_j), {\textbf{b}}_j\right\rangle + \left\langle h_{uni}(c_j), s_j \cdot \textbf{a}\right\rangle ) \\ &= \sum _{j=1}^k \left\langle h_{uni}(c_j), {\textbf{e}}_j\right\rangle \pmod 1 , \end{aligned}$$

it follows that \(e = \varphi _{\overline{\textbf{s}}} (\overline{\textsf{ct}}') - \mu \cdot \varphi _{\overline{\textbf{s}}} (\overline{\textsf{ct}})\) is

$$\begin{aligned} &\mu \cdot \sum _{j=0}^k\textsf{GdErr}_{uni}(c_j) \cdot s_j + \sum _{j=0}^k\left\langle h_{uni}(c_j), {\textbf{e}}_{i, 1}\right\rangle \cdot s_j + \\ r \cdot &\textsf{GdErr}_{uni}(v) + \left\langle h_{uni}(v), {\textbf{e}}_{i, 2}\right\rangle + r\cdot \sum _{j=1}^k\left\langle h_{uni}(c_j), {\textbf{e}}_j\right\rangle . \end{aligned}$$

Therefore, we have

$$\begin{aligned} \textsf {Var}(e) &= \Vert \mu \Vert _2^2 (1 + kN/2)N \epsilon _{uni}^2 + (1+kN/2)d_{uni}NV_{uni}\beta ^2 \\ & + (N/2)\epsilon _{uni}^2 + d_{uni}NV_{uni}\beta ^2 + kd_{uni}(N^2/2)V_{uni}\beta ^2 \\ &\approx \frac{k}{2}\Vert \mu \Vert _2^2N^2\epsilon _{uni}^2 + kd_{uni}N^2 V_{uni}\beta ^2. \end{aligned}$$

   \(\square \)

Proof of Lemma 3 (Hybrid Product)

Proof

The only difference of the error variance of \(\texttt{HbProd}\) to the error variance \(\texttt{NewHbProd}\) is the error from \(w_{j, 0}\) and \(w_{j, 1}\)’s, which is \(k+1\) times bigger than \(\texttt{NewHbProd}\). Therefore, we get the error variance of

$$\begin{aligned} \textsf {Var}(e) &= \Vert \mu \Vert _2^2 (1 + kN/2)N \epsilon _{uni}^2 + (1+kN/2)d_{uni}NV_{uni}\beta ^2 \\ & + (k+1)(N/2)\epsilon _{uni}^2 + (k+1)d_{uni}NV_{uni}\beta ^2 + kd_{uni}(N^2/2)V_{uni}\beta ^2 \\ &\approx \frac{k}{2}\Vert \mu \Vert _2^2N^2\epsilon _{uni}^2 + kd_{uni}N^2 V_{uni}\beta ^2. \end{aligned}$$

   \(\square \)

Proof of Corollary 2 (Blind Rotation of CCS19)

Proof

We first analyze the line 6. Let \(\overline{{\textbf{c}}}_{i, j} = \texttt{HbProd}(\{\textsf{pk}_j\}_{j\in [k]}, (X^{\tilde{a}_{i, j}}-1)\cdot \textsf{ACC}, \textsf{BK}_{i, j})\) and \({\textbf{e}}_{i, j}\) be the error solely from the \(\texttt{HbProd}\). Then,

$$\begin{aligned} \varphi _{\overline{{\textbf{s}}}}(\textsf{ACC}+ \overline{{\textbf{c}}}_{i, j}) &= \varphi _{\overline{{\textbf{s}}}}(\textsf{ACC}) + \varphi _{\overline{{\textbf{s}}}}((X^{\tilde{a}_{i, j}}-1)\cdot \textsf{ACC})+{\textbf{e}}_{i, j} \\ &= \varphi _{\overline{{\textbf{s}}}}(X^{\tilde{a}_{i, j}z_{i, j}}\cdot \textsf{ACC}) + {\textbf{e}}_{i, j}\pmod 1. \end{aligned}$$

Note that during the i-th iteration, \(\textsf{ACC}\) should be regarded as a multi-key \(\textsf{RLWE}\) ciphertext with i parties since \(i+1, \dots , k\)-th indices remains zero. Therefore,

$$\begin{aligned} \textsf {Var}({\textbf{e}}_{i, j}) &\approx \frac{i}{2}\Vert z_{i, j} \Vert _2^2N^2\epsilon _{uni}^2 + id_{uni}N^2 V_{uni}\beta ^2 \\ &= \frac{i}{4}N^2\epsilon _{uni}^2 + id_{uni}N^2 V_{uni}\beta ^2 \end{aligned}$$

Since \(X^{\tilde{a}_{i, j}z_{i, j}}\) is a monomial, the variance adds up every iteration in the inner loop (line 5–7) and therefore an error variance of \(\frac{i}{4}nN^2\epsilon _{uni}^2 + id_{uni}nN^2 V_{uni}\beta ^2\) is added for every iteration in the outer loop (line 4–8). Therefore we get the error variance of

$$ \frac{k(k+1)}{8}nN^2(\epsilon _{uni}^2 + 4d_{uni}V_{uni}\beta ^2). $$

   \(\square \)

Proof of Lemma 5 (Generalized External Product)

Proof

Let us follow the notations from the algorithm description. First, by Lemma 1 we obtain

$$\begin{aligned} \varphi _{\overline{{\textbf{s}}}}(\overline{{\textbf{x}}}+ \overline{{\textbf{y}}}\cdot t) = \sum _{j=0}^{k} (x_j + y_j \cdot t) \cdot s_j &= \sum _{j=0}^{k} \varphi _t(c_j\odot {\textbf{C}}_i) \cdot s_j \\ &= \mu \cdot \varphi _{\overline{{\textbf{s}}}}(\overline{\textsf{ct}}) + \sum _{j=0}^{k} e_j \cdot s_j\pmod 1. \end{aligned}$$

where \(e_j = \varphi _t(c_j \odot {\textbf{C}}_i) - \mu \cdot c_j (0\le j \le k)\pmod 1 \in T\) with variance

$$ \textsf {Var}(e_j) = \Vert \mu \Vert _2^2 \epsilon _{lev}^2 + d_{lev}N V_{lev}\textsf {Var}\textsf {Err}({\textbf{C}}_i).$$

Let \(\overline{{\textbf{y}}}' = \texttt{NewHbProd}(\{{\textbf{b}}_j\}_{j\in [k]}, \textsf{ct}, \textsf{rlk}_i)\). By Lemma 4, \(\varphi _{\overline{\textbf{s}}}(\overline{{\textbf{y}}}') = t \cdot \varphi _{\overline{\textbf{s}}}(\overline{{\textbf{y}}}) + e'\) for some \(e'\in T\) with variance

$$\begin{aligned} \textsf {Var}(e') &\approx \frac{k}{2}\textsf {Var}(\Vert t\Vert _2^2)N^2\epsilon _{uni}^2 + kd_{uni}N^2 V_{uni}\beta ^2 \\ &= \frac{k}{4}N^3\epsilon _{uni}^2 + kd_{uni}N^2 V_{uni}\beta ^2. \end{aligned}$$

Therefore, we get

$$\begin{aligned} \varphi _{\overline{{\textbf{s}}}}(\overline{\textsf{ct}}') = \varphi _{\overline{{\textbf{s}}}}(\overline{{\textbf{x}}}) + \varphi _{\overline{{\textbf{s}}}}(\overline{{\textbf{y}}}') &= \varphi _{\overline{{\textbf{s}}}}(\overline{{\textbf{x}}}) + \varphi _{\overline{{\textbf{s}}}}(\overline{{\textbf{y}}})\cdot t + e' \\ &= \mu \cdot \varphi _{\overline{{\textbf{s}}}}(\overline{\textsf{ct}})+\sum _{j=0}^{k} e_j \cdot s_j + e'\pmod 1. \end{aligned}$$

Therefore the variance of error \(e = \sum _{j=0}^k e_j \cdot s_j + e'\) be

$$\begin{aligned} \textsf {Var}(e) \approx & (1+kN/2) \left[ \Vert \mu \Vert _2^2\epsilon _{lev}^2 + d_{lev}N V_{lev}\textsf {Var}\textsf {Err}({\textbf{C}}_i) \right] \\ & + \frac{k}{4}N^3\epsilon _{uni}^2 + kd_{uni}N^2 V_{uni}\beta ^2. \end{aligned}$$

   \(\square \)

Proof of Theorem 1 (Our Blind Rotation)

Proof

We start from analyzing line 7 of the algorithm. By Corollary 1,

for some \({\textbf{e}}_{i, j} \in T^{d_{lev}}\) with the common variance of rows \((1 + N/2)\Vert \mu z_{i, j}\Vert _2^2 \epsilon _{gsw}^2 + 2d_{gsw}N V_{gsw}\textsf {Var}\textsf {Err}(\textsf{BK}_{i, j})\). Therefore, with each iteration within the for loop 6–8, the error variance increases by \(V_{ACC} = (1 + N) \epsilon _{gsw}^2 + 2d_{gsw}N V_{gsw}\beta ^2\). Hence, the error variance of the resulting RLEV ciphertext \(\textsf{ACC}'_i\) of the for loop is \(n\cdot ((1 + N) \epsilon _{gsw}^2 + 2d_{gsw}N V_{gsw}\beta ^2 )\) with message \(X^{\sum _{j=1}^n \tilde{a}_{i, j}z_{i, j}}\).

Note that only \(0, \dots , i\)-th indices of the MK-RLWE ciphertext \(\textsf{ACC}\) are non-zero after the \(i-th\) iteration of the for loop 4–10, hence it can be regarded as an MK-RLWE encryption of i parties. Now we let \(\textsf{ACC}_i\) be \(\textsf{ACC}\) after the \(\texttt{ExtProd}\), then by the Lemma 5, we have

$$\begin{aligned} \varphi _{\overline{\textbf{s}}}(\textsf{ACC}_i) = X^{\left\langle \tilde{\textbf{a}}_i, {\textbf{z}}_i\right\rangle }\cdot \varphi _{\overline{\textbf{s}}}(\textsf{ACC}_{i-1}) + e_i (1\le i \le k) \end{aligned}$$

where

$$\begin{aligned} \textsf {Var}(e_i) &\approx (1+iN/2) \left[ \epsilon _{lev}^2 + d_{lev}N V_{lev}V_{ACC} \right] + \frac{i}{4}N^3\epsilon _{uni}^2 + id_{uni}N^2 V_{uni}\beta ^2. \end{aligned}$$

Since \(X^{\tilde{\textbf{a}}_i, {\textbf{z}}_i}\) is a monomial, the error variance adds up every iteration and thus the error variance of the final output of our new blind rotation algorithm is

$$ \frac{k(k+1)}{8} \left[ 2d_{lev}nN^3 V_{lev}\cdot \left( 2d_{gsw}V_{gsw}\beta ^2 + \epsilon _{gsw}^2 \right) + N^3\epsilon _{uni}^2 + 4d_{uni}N^2 V_{uni}\beta ^2 \right] . $$

   \(\square \)