Lattice-Based Multi-Key Homomorphic Encryption Scheme Without CRS

1. Introduction

With the continuous advancement of technologies such as the Internet, the Internet of Things, big data, and artificial intelligence, the demand for computing power and storage resources by enterprises and individuals has increased exponentially. Traditional local computing and storage methods can no longer meet the needs of modern society for data processing speed and capacity [1]. Outsourcing computing allows users to entrust complex computing tasks or data processing work to a third party (such as a cloud service provider) to perform computing tasks through a cloud platform or distributed computing resources, saving users a lot of time and computing costs[2].

Although outsourced computing provides flexibility and efficiency, it is also accompanied by some potential risks. In outsourced computing, users usually need to upload data to cloud service providers for processing. These outsourced data may contain some sensitive user information, such as personal privacy, commercial secrets or key business data[3,4,5]. Homomorphic encryption technology allows specific operations (such as addition or multiplication) to be performed directly on encrypted data without decrypting the data. The decrypted result is consistent with the result of performing the same operation on the plaintext[6]. User data remains encrypted during the calculation process, ensuring the privacy of the data throughout the calculation process, and users do not need to trust the cloud service provider.

Multi-key homomorphic encryption solves the above problem by allowing each user to encrypt data with his or her own key, while still supporting joint computing of encrypted data. The computing results can be obtained by collaborative decryption of the private keys of multiple users[7,8,9].

In a multi-key homomorphic encryption scheme, in order to enable multiple users to jointly perform homomorphic operations on ciphertext (for example, perform homomorphic operations such as addition and multiplication) and collaboratively decrypt the ciphertext after homomorphic operations, a mechanism is needed to coordinate and combine the public keys of different users[10]. The Common Random String (CRS) provides a shared public parameter based on which all users can generate their own public keys. Through the public parameters provided by the CRS, multiple public keys with the same parameters are integrated into an aggregate public key. Multiple users can perform homomorphic operations on ciphertext under the aggregate public key and collaboratively decrypt through a distributed decryption protocol.

CRS can simplify the scheme design and key generation process, but it also brings some problems: On the one hand, the existence of CRS means that the system relies on a public, predefined random string. This assumption may affect the independence and flexibility of the encryption scheme, which is difficult to meet in decentralized systems or scenarios with low trust requirements. On the other hand, the security and correctness of the scheme directly depend on the integrity and reliability of CRS. Dependence on CRS seriously affects the credibility of the scheme and even causes security vulnerabilities[12].

In order to avoid excessive reliance on public parameters, a multi-key homomorphic encryption scheme without pre-setting CRS is proposed based on a distributed key generation protocol. Furthermore, based on ciphertext expansion technology, a distributed ciphertext decryption method is proposed. In order to further protect the plaintext messages of each user, this paper proposes an enhanced multi-key homomorphic encryption scheme that only allows the target user to decrypt, by embedding the specified target user into the ciphertext.

Finally, by applying the proposed the lattice-based multi-key homomorphic encryption scheme into crowd sensing scenario, a crowd sensing scheme is proposed to protect the privacy of crowd sensing data.

The contributions of this paper are as follows:

• In order to avoid excessive reliance on public parameters, this paper proposes a multi-key homomorphic encryption scheme based on a distributed key generation protocol. Each user independently generates his or her own public and private key pair, and enhances the security and decentralization of the scheme. Based on ciphertext expansion technology, this paper proposes a distributed ciphertext decryption method suitable for multi-key scenarios. By expanding the ciphertext structure, multiple users can collaboratively participate in the decryption process.
• In order to further protect the plaintext privacy from each user, by embedding the specified target user into the ciphertext, this paper proposes an enhanced multi-key homomorphic encryption scheme that only allows only the target user to decrypt.
• By applying the proposed lattice-based multi-key homomorphic encryption scheme into the data submission stage, a crowd-sensing scheme is proposed, protecting the privacy of the users. This ensures that the data is not leaked during transmission and processing, and all entities except the data requester cannot obtain the perception results.

2. Materials and Methods

2.1. Symbols and Definitions

In this paper, $\lambda$ is used to denote the security parameter, and the dot product of two vectors u and v is denoted by $〈u,v〉$. Let $\mathsf{\Omega }$ denote a finite field and ${\rm X}$ be a probability distribution defined on $\mathsf{\Omega }$, then $\omega \leftarrow {\rm X}$ denotes that an element $\omega$ is randomly selected from the distribution ${\rm X}$[13]. $R_q=Z_q\left[X\right]/{\Phi }_M\left(X\right)$ denotes a cyclotomic polynomial ring, where $Z_q\left[X\right]$ is a ring of polynomials whose coefficients are taken from $Z_q$, and ${\Phi }_M\left(X\right)=X^{M/2}+1$ denotes a cyclotomic polynomial of order $M$[14].

Definition 1.

$B$-bounded distribution. Let $D$ be a random distribution. If any $x$ sampled from $D$ satisfies $P{r}_{x\leftarrow D}\left[\Vert x\Vert >B\right]=negl\left(\lambda \right)$ , then $D$ is called a $B$-bounded distribution[15].

Definition 2.

RLWE Problem. RLWE is a generalization of the LWE problem, which extends the vector operations in LWE to polynomial ring[16]. Given a polynomial ring $R=Z\left[X\right]/f\left(x\right)$ , where $f\left(x\right)$ is an irreducible polynomial, define a ring $R_q=R/qR=Z_q\left[X\right]/f\left(x\right)$ modulo $q$ . Select a secret vector $s\in R_q$ , and give a RLWE sample pair $\left(a,b\right)\in R_q\times R_q$ , where $b=a·s+e \left(mod q\right)$ , and $e$ is a random noise sampled from the noise distribution $\chi$ [17]. Depending on the goal, the RLWE problem is divided into two types: search RLWE problem and decision RLWE problem[18].

Definition 3.

Decision RLWE Problem. The goal of the decision RLWE problem is to distinguish between two distributions: distribution 1 is an RLWE distribution, where the sample pair $\left(a_i,b_i\right)\in R_q\times R_q$ satisfies $b_i=a_i·s+e_i \left(mod q\right)$ , where $s\in R_q$ is the secret vector and $e\in \chi$ is the random error term; distribution 2 is a uniform distribution, where $a_i$ and $b_i$ in the sample pair $\left(a_i,b_i\right)\in R_q\times R_q$ are independently and uniformly randomly sampled from $R_q$ [8]. The RLWE assumption means that there is no effective polynomial algorithm that can distinguish between these two distributions, that is, for a probabilistic polynomial time algorithm $\mathcal{B}$ and security parameter $\lambda$ , we have

$$Adv\left(\mathcal{B}\right)≔\left|Pr\left[{\mathcal{B}}^{A_{s,\chi }}\left(1^{\lambda }\right)=1\right]-Pr\left[{\mathcal{B}}^{R_q\times R_q}\left(1^{\lambda }\right)=1\right]\right|=negl\left(\lambda \right)$$

(1)

2.2. Multi-Key Homomorphic Encryption

Multi-key homomorphic encryption allows users to encrypt their data using their own public keys and perform homomorphic operations on the ciphertext. At the same time, the calculation results are decrypted by all users collaboratively, which is more suitable for multi-user collaborative scenarios[19,20]. A multi-key homomorphic encryption scheme usually consists of six polynomial time algorithms, namely $MFHE.Setup$, $MFHE.Keygen$, $MFHE.Enc$, $MFHE.Expand$, $MFHE.Eval$, and $MFHE.Dec$. The specific descriptions are as follows:

-

$MFHE.Setup\left(1^{\lambda }\right)$: Input security parameter $\lambda$ and output public parameter $params$.

-

$MFHE.KeyGen\left(params\right)$: Input public parameters $params$ and output the user's public key and private key $\left(pk,sk\right)$.

-

$MFHE.Enc\left(pk,m\right)$: For the plaintext $m$ that needs to be encrypted, input the public key $pk$ and output a ciphertext $ct$.

-

$MFHE.Expand\left(\left(p{k}_1,\cdots ,p{k}_N\right),i,c{t}_i\right)$: Input the public keys of $N$ users $p{k}_1,\cdots p{k}_N$ and the ciphertext $c{t}_i$ encrypted by the $i$-th public key $p{k}_i$, and output the expanded ciphertext $\widehat{c{t}_i}$.

-

$MFHE.Eval\left(params,f,\left(\widehat{c{t}_1},\cdots ,\widehat{c{t}_l}\right)\right)$: Given a function $f$, input $l$ extended ciphertexts $\widehat{c{t}_1},\cdots ,\widehat{c{t}_l}$, and output the ciphertext $\widehat{ct}$ after homomorphic operation.

-

$MFHE.Dec\left(params,\left(s{k}_1,\cdots ,s{k}_N\right),\widehat{ct}\right)$: Input the private keys of $N$ users $s{k}_1,\cdots ,s{k}_N$ and the homomorphic operation ciphertext $\widehat{ct}$, and output the plaintext $m$. The decryption process is divided into two steps, as follows:

• $MFHE.PartDec\left(i,s{k}_i,\widehat{ct}\right)$: Input the private key $s{k}_i$ of the $i$-th user and the homomorphic operation ciphertext $\widehat{ct}$, and output the partial decryption result $p_i$.
• $MFHE.FinDec\left(p_1,\cdots ,p_N\right)$: Input the partial decryption results $p_1,\cdots ,p_N$ of $N$ users and output the plaintext $m$.

3. Lattice-Based Multi-Key Homomorphic Encryption Scheme Without CRS

In order to reduce the dependence on public parameters and enhance the ability of users to independently generate public keys, this section proposes a lattice-based multi-key homomorphic encryption scheme without CRS. Through a distributed key generation protocol, all users independently generate their keys. Based on the ciphertext expansion technology, a distributed ciphertext decryption method in a multi-key scenario is proposed, thereby realizing cross-user homomorphic addition operations without public parameters. In order to further protect the plaintext messages of each user, this section embeds the target user's information in the ciphertext, so that the encryption process supports the designated target user as the only decryptor, providing more flexible privacy preservation.

3.1. Securrity Model

IND-CPA security requirement: For any probabilistic polynomial time adversary $\mathcal{A}$, its advantage under the "chosen plaintext attack" is negligible. IND-CPA security is defined by the interactive game $Gam{e}_{\mathcal{A}}$ between challenger $\mathcal{C}$ and adversary $\mathcal{A}$. The specific steps are as follows.

• Initialization phase: Input security parameter $\lambda$, $\mathcal{C}$ runs $params\leftarrow Setup\left(1^{\lambda },1^L\right)$ algorithm to generate system public parameter $params$. $\mathcal{C}$ runs $\left(\left(p{k}_i,s{k}_i\right),\left(p{k}_T,s{k}_T\right)\right)\leftarrow KeyGen\left(params\right)$ algorithm to generate key pairs ${\left\{\left(p{k}_i,s{k}_i\right)\right\}}_{i=1}^N$ for $N$ users and key pair $\left(p{k}_T,s{k}_T\right)$ for target user $T$, and sends ${\left\{p{k}_i\right\}}_{i=1}^N$, $p{k}_T$ to $\mathcal{A}$.
• Query phase: $\mathcal{C}$ maintains a query record table $Q$, which is empty at initialization and records all ciphertext query indexes initiated by $\mathcal{A}$ during the entire query process. $\mathcal{A}$ can adaptively select any plaintext $m_i$ and initiate a query request. $\mathcal{C}$ runs the ${\left\{c_i\leftarrow Enc\left(p{k}_i,p{k}_T,m_i\right)\right\}}_{i\in S}$ algorithm to generate the ciphertext $c_i$ and returns it to $\mathcal{A}$. This phase allows $\mathcal{A}$ to perform a polynomial number of queries.
• Challenge phase: After $\mathcal{A}$ finishes the query, it requests the challenge ciphertext. $\mathcal{A}$ selects two plaintexts $m_0$, $m_1$ of equal length and the target public key set $S^{*}\in \left\{1,2,\cdots ,k\right\}$, and sends them to $\mathcal{C}$. $\mathcal{C}$ randomly selects a bit $b\leftarrow \left\{0,1\right\}$, calculates the challenge ciphertext $c^{*}=Enc\left({\left\{p{k}_i\right\}}_{i\in S^{*}},p{k}_T,m_b\right)$, and returns $c^{*}$ to $\mathcal{A}$.
• Guessing stage: $\mathcal{A}$ outputs a guess bit $b^{*}\in \left\{0,1\right\}$ based on $c^{*}$. If $b^{*}=b$, $\mathcal{A}$ wins and the game output is 1; otherwise, the output is 0.
  If and only if for all PPT adversaries $\mathcal{A}$, there exists a negligible function $negl\left(\lambda \right)$ such that:

  $$\left|Pr\left[Gam{e}_{\mathcal{A}}=1\right]-{\displaystyle \frac{1}{2}}\right|\le negl\left(\lambda \right)$$

  (2)

Where $\lambda$ is a security parameter, the multi-key homomorphic encryption scheme without CRS is IND-CPA secure, that is, it satisfies semantic security.

3.2. Scheme Construction

The lattice-based multi-key homomorphic encryption scheme without CRS includes nine algorithms, namely: $Setup$ algorithm, $KeyGen$ algorithm, $Encode$ algorithm, $Enc$ algorithm, $Expand$ algorithm, $AddEval$ algorithm, $PartDec$ algorithm, $FinDec$ algorithm, and $Decode$ algorithm. The specific description of each algorithm is as follows.

• System Initialization $Setup\left(1^{\lambda },1^L\right)$

Step 1. Let the security parameter be $\lambda$, the circuit depth be $L$, and the number of users be $N$. Let the dimension of the polynomial ring $R_q={\mathbb{Z}}_q\left[X\right]/\left(X^K+1\right)$ be $K$, and the ciphertext modulus be $q$. Let $\chi =\chi \left(\lambda \right)$ be the key distribution on $R_q$, and $\psi =\psi \left(\lambda \right)$ be the error distribution on $R$.

Step 2. Returns the system common parameters $params=\left(K,q,\chi ,\psi \right)$.

2.

Key generation algorithm $KeyGen\left(params\right)$

Step 1. $U_i$ selects $s_i\leftarrow \chi$ and sets its private key to $s{k}_i=\left(1,s_i\right)$. $U_i$ randomly samples $e_i\leftarrow \psi$, $a_i\leftarrow R_q$, calculates $b_i=-a_i·s_i+e_{i}modq\in R_q$, and sets its public key to $p{k}_i=\left(b_i,a_i\right)$.

Step 2. $U_T$ selects $s_T\leftarrow \chi$ and sets its private key to $s{k}_T=\left(1,s_T\right)$. $U_T$ randomly samples $e_T\leftarrow \psi$, $a_T\leftarrow R_q$, calculates $b_T=-a_T·s_T+e_{T}modq\in R_q$, and sets its public key to $p{k}_T=\left(b_T,a_T\right)$.

3.

Coding $Encode\left(z_i,\mathsf{\Delta }\right)$

Step 1. The message of user $U_i$ is a complex vector $z_i=\left(z_{i,1},z_{i,2},\cdots ,z_{i,K/2}\right)$, where $K$ is the dimension of the polynomial ring. The complex vector $z_i$ is scaled to retain decimal precision, and $z_i=\Delta ·z_i$ is calculated, where $\Delta$ is the scaling factor.

Step 2. The complex vector $z_i$ is mapped to the polynomial ring $R=\mathbb{Z}\left[X\right]/\left(X^N+1\right)$ through $\tau$ mapping, that is, $m=\lfloor {\tau }^{-1}\left(z_i\right)\rceil$.

Step 3. Output integer coefficient plaintext polynomial $m_i$.

4.

Encryption algorithm $Enc\left(p{k}_i,p{k}_T,m_i\right)$

Step 1. $U_i$ randomly samples $v_i\leftarrow \chi$, $e_0^i,e_1^i,e_2^i\leftarrow \psi$, and sets $a_i=a_i\left[1\right]$, $a_T=a_T\left[1\right]$, $b_i=b_i\left[1\right]$, $b_T=b_T\left[1\right]$.

Step 2. $U_i$ uses public keys $p{k}_i$ and $p{k}_T$ to encrypt its plaintext $m_i$ and do the following calculation.

$$c_0^i=v_i·\left(b_i+b_T\right)+m_i+e_0^i\left(modq\right)$$

(3)

$$c_1^i=v_i·a_i+e_1^i\left(mod q\right)$$

(4)

$$c_2^i=v_i·a_T+e_2^i\left(mod q\right)$$

(5)

The output ciphertext is $c_i=\left(c_0^i,c_1^i,c_2^i\right)\in R_q^3$.

5.

Ciphertext expansion algorithm $Expand\left(c_i,i\right)$

Step 1. User $U_i$ expands its ciphertext $c_i\in R_q^3$ to a higher dimension and outputs the expanded ciphertext ${\widehat{c}}_i=\left(c_0^i,\underset{i-1}{\underbrace{0,\cdots }},c_1^i,0,\cdots ,c_2^i\right)\in R_q^{N+2}$.

Step 2. $U_i$ sends its extended ciphertext ${\widehat{c}}_i$ to CSP for homomorphic operation.

6.

Homomorphic operation algorithm $AddEval\left({\widehat{c}}_1,{\widehat{c}}_2,\cdots {\widehat{c}}_N\right)$

Step 1. After CSP collects the extended ciphertexts ${\widehat{c}}_1,{\widehat{c}}_2,\cdots {\widehat{c}}_N$ of all users $U_i\left\{i=1,2,\cdots ,N\right\}$, it performs homomorphic computation as follows. $C_{su{m}_0}={{\displaystyle \sum }}_{i=1}^N{c}_0^i$, $C_{su{m}_1}=\left(c_1^1,\cdots ,c_1^N\right)$, $C_{su{m}_2}={{\displaystyle \sum }}_{i=1}^N{c}_2^i$, and outputs the aggregated ciphertext $C_{sum}=\left(C_{su{m}_0},c_1^1,\cdots ,c_1^N,C_{su{m}_2}\right)$.

Step 2. CSP sends the aggregate ciphertext $C_{sum}$ to the target user $U_T$ for decryption.

7.

Partial decryption algorithm $PartDec\left(i,s{k}_i,c_i\right)$

Step 1. User $U_i$ uses his private key $s{k}_i$ to partially decrypt his ciphertext $c_i$ and calculates his decryption share $p_i=s_i·c_1^i+e_i^{*}\left(mod q\right)$, where $e_i^{*}\leftarrow \psi$.

Step 2. $U_i$ sends its decrypted share $p_i$ to $U_T$ for final decryption.

8.

Final decryption algorithm $FinDec\left(C_{sum},p_1,p_2,\cdots ,p_N\right)$

Step 1. After receiving the aggregate ciphertext $C_{sum}$ and the decryption shares $p_1,p_2,\cdots ,p_N$, $U_T$ uses its own private key $s{k}_T$ to perform the final decryption, calculate and output the aggregate plaintext value as follows.

$$m^{*}=C_{su{m}_0}+{{\displaystyle \sum }}_{i=1}^N{p}_i+s_T·C_{su{m}_2}\left(mod q\right)$$

(6)

9.

Decoding $Decode\left(m^{*}\right)$

Step 1. Use mapping $\tau$ to map $m^{*}$ and calculate $m=\lfloor \tau (m^{*})\rceil$.

Step 2. Perform an inverse scaling operation on m to restore the accuracy of the original data, that is, $m=\lfloor {\Delta }^{-1}\left(m\right)\rceil$, where Δ is the scaling factor used during encoding.

Step 3. Output the aggregate plaintext value $m$ in the form of a complex vector.

3.3. Correctness Analysis

Given security parameter $\lambda$ and circuit depth $L$, set modulus $q=2^{\lambda L·\omega \left(\log \lambda +\log L\right)}$, $B=\omega \left(\lambda L\right)$, and $\psi$ is a $B$-bounded distribution on $R$. Given the ciphertext $c_{sum}=\left({{\displaystyle \sum }}_{i=1}^N{c}_0^i,c_1^1,c_1^2,\cdots ,c_1^N\right)$ under $N$ user public keys and the private keys $sk=\left(1,s_1,s_2,\cdots ,s_N\right)$ of $N$ user connections, we have

$$\begin{array}{l}\langle sk,c_{sum}\rangle =\left(1,s_1,s_2,\cdots ,s_N\right)·\left({{\displaystyle \sum }}_{i=1}^N{c}_0^i,c_1^1,c_1^2,\cdots ,c_1^N\right)\\ ={{\displaystyle \sum }}_{i=1}^N{c}_0^i+{{\displaystyle \sum }}_{i=1}^N{s}_i·c_1^i\left(mod q\right)\\ ={{\displaystyle \sum }}_{i=1}^N{m}_i+e\prime \left(mod q\right)\end{array}$$

Among them, $e\prime ={{\displaystyle \sum }}_{i=1}^N\left(v_i·e_i+e_0^i+s_i·e_1^i\right)$, and ${\Vert e^{\prime }\Vert }_{\infty }\le 2^{L·O\left(\mathit{log}\lambda +\mathit{log}L\right)}$. Therefore, given the plaintext aggregation value $m_{sum}$ and the corresponding aggregation ciphertext $C_{sum}$, according to the definition of $PartDec$ algorithm and $FinDec$ algorithm, we can calculate

$$\begin{array}{l}{C}_{su{m}_0}+{{\displaystyle \sum }}_{i=1}^N{p}_i+s_T·C_{su{m}_2}\left(mod q\right)\\ ={{\displaystyle \sum }}_{i=1}^N{c}_0^i+{{\displaystyle \sum }}_{i=1}^N\left(s_i{c}_1^i+e_i^{*}\right)+s_T{{\displaystyle \sum }}_{i=1}^N{c}_2^i\left(mod q\right)\\ ={{\displaystyle \sum }}_{i=1}^N\left(v_i\left(b_i+b_T\right)+m_i+e_0^i\right)+{{\displaystyle \sum }}_{i=1}^N\left(s_i\left(v_i{a}_i+e_1^i\right)+e_i^{*}\right)\\ +s_T{{\displaystyle \sum }}_{i=1}^N\left(v_i·a_T+e_2^i\right)\left(mod q\right)\\ ={{\displaystyle \sum }}_{i=1}^N\left(v_i{b}_i+m_i+e_0^i+s_i\left(v_i·a_i+e_1^i\right)+e_i^{*}\right)\\ +{{\displaystyle \sum }}_{i=1}^N\left(v_i{b}_T+s_T\left(v_i{a}_T+e_2^i\right)\right)\left(mod q\right)\\ ={{\displaystyle \sum }}_{i=1}^N\left(v_i·e_i+m_i+e_0^i+s_i·e_1^i+e_i^{*}\right)\\ +{{\displaystyle \sum }}_{i=1}^N\left(v_i·e_T+s_T·e_2^i\right)\left(mod q\right)=m_{sum}+e^{\prime }+e\prime \prime \left(mod q\right)\end{array}$$

where $e^{″}={{\displaystyle \sum }}_{i=1}^N\left(e_i^{*}+v_i·e_T+s_T·e_2^i\right)$ and ${\Vert e^{″}\Vert }_{\infty }\le 2^{\lambda L·O\left(\mathit{log}\lambda +\mathit{log}L\right)}$. Therefore, if ${\Vert e^{\prime }+e^{\prime \prime }\Vert }_{\infty }<q/4$, the lattice-based multi-key homomorphic encryption scheme without CRS can be correctly decrypted.

3.4. Security Analysis

Theorem 3.1.

Assuming that the RLWE problem is difficult, if there is no adversary $\mathcal{A}$ that can win the following security game $Gam{e}_{\mathcal{A}}$ with non-negligible probability, then the lattice-based multi-key homomorphic encryption scheme without CRS is IND-CPA secure, that is, it satisfies semantic security.

Proof of Theorem 3.1.

Given an adversary $\mathcal{A}$ and a challenger $\mathcal{C}$, the theorem is proved by defining the following game sequence.

Game 0. Given public parameters $params=\left(K,q,\chi ,\psi \right)$ and vector $a_i\leftarrow R_q$, challenger $\mathcal{C}$ runs $KeyGen\left(params\right)$ algorithm to generate public key $p{k}_i=\left(b_i,a_i\right)$, and sends $p{k}_i$ to adversary $\mathcal{A}$, where $b_i=-a_i·s_i+e_i mod q$. The distribution of $pk$ at this stage is the same as that of MFHE scheme.

Game 1. Except for the key generation phase, the steps of other phases are the same as Game 0. The distribution of public keys is redefined in Game 1. Given public parameters $params=\left(n,q,\chi ,\psi \right)$ and vector $a_i\leftarrow R_q$, generate public key $p{k}_i\prime =\left(b_i\prime ,a_i\right)$, where $b_i\prime \leftarrow R_q$. According to the difficulty and cyclic security assumed by RLWE, the computational difference between $p{k}_{Game 0}$ and $p{k}_{Game 1}$ cannot be distinguished, so $b_i$ and $b_i\prime$ are also computationally indistinguishable, so the advantage of the attacker distinguishing Game 0 from Game 1 can be ignored.

$$Adv\left(\mathcal{A}\right)=\left|P{r}_{Game 0}\left[\mathcal{A}\left(1^{\lambda },p{k}_i\right)=1\right]-P{r}_{Game 1}\left[\mathcal{A}\left(1^{\lambda },p{k}_i\prime \right)=1\right]\right|=negl\left(\lambda \right)$$

(7)

Within a certain period of time, $\mathcal{A}$ challenges $\mathcal{C}$ and sends the challenge plaintext ${\mu }_1,{\mu }_2\in \left\{0,1\right\}$. $\mathcal{C}$ randomly selects $k\in \left\{0, 1\right\}$, runs the $Enc\left(p{k}_i,p{k}_T,m_i\right)$ algorithm to output the challenge ciphertext $c_i$, and then sends the ciphertext $c_i$ to $\mathcal{A}$. $\mathcal{A}$ outputs the guess result of the scheme and outputs $k\prime \in \left\{0,1\right\}$. If $k\prime =k$, output 1, otherwise output 0. Protection Since the probability of $\mathcal{A}$ distinguishing $b_i$ and $b_i\prime$ can be ignored, the multi-key homomorphic encryption scheme without CRS proposed in this paper is IND-CPA secure, that is, it satisfies semantic security. □

4. Crowd-sensing Scheme with privacy preservation

Crowd sensing refers to a mode in which a large number of sensing devices (usually personal smartphones, wearable devices, sensors, etc.) distributed in different geographical locations work together to collect, process and share information[22]. This mode usually involves multiple participants collaborating to complete a task without central control, especially in the fields of environmental monitoring, urban management, intelligent transportation, etc.[23].

In a crowd sensing system, the task issued by the data requester requires multiple sensing users to upload sensing data to the sensing platform, and the platform aggregates and calculates these data to obtain the sensing results. However, the data uploaded by users may contain personal sensitive information, such as location information, health data, etc. On the other hand, the sensing platform cannot be fully trusted, that is, users are worried that the platform may abuse or leak the sensing result data. Multi-key homomorphic encryption allows the data of multiple users to be calculated in an encrypted state, which can achieve secure data calculation under the premise of protecting user privacy data. In order to solve the data privacy problem of sensing users, this section applies the lattice-based multi-key homomorphic encryption scheme without CRS to the data submission stage of sensing users, thereby designing a crowd sensing scheme with privacy protection. Specifically, users encrypt data before uploading it, and the perception platform only aggregates multiple data ciphertexts. The perception results are obtained by decryption by the data requester, ensuring that the data is not leaked during transmission and processing. At the same time, no other entity except the data requester can obtain the perception results.

4.1. System Model

This section proposes a crowd sensing scheme based on multi-key homomorphic encryption. The entities involved in this scheme are sensing users, sensing platforms, and data receivers.

• Sensing users

Sensing users are data providers in the crowd sensing system, responsible for collecting data using their own devices (such as smartphones, wearable devices, environmental sensors, etc.). For example, smartphone users can provide data such as location, acceleration, and temperature; health monitoring device users can provide physiological data such as steps, heart rate, and sleep quality. Their data usually contains personal privacy information, so the data needs to be encrypted before uploading to the sensing platform.

2.

Sensing platform

Sensing platform is an intermediary platform between sensing users and data requesters in the crowd sensing system, responsible for receiving encrypted data from multiple sensing users and performing homomorphic operations, and feeding the results back to the data requester.

3.

Data requester

Data requester is the subject that uses the crowd sensing results, usually a government department, enterprise, or individual. According to their own needs (such as traffic management, environmental monitoring, health management, etc.), they publish data request tasks, receive aggregated ciphertext from the perception platform and decrypt it, and then analyze the perception data to make decisions, provide services or optimize operations.

The crowd intelligence perception scheme based on multi-key homomorphic encryption proposed in this section is divided into four stages: initialization, perception data submission, ciphertext aggregation, and perception result decryption. Figure 1 shows the four stages of the scheme and the interaction process between perception users, perception platforms, and data requesters.

The crowd-sensing solution based on multi-key homomorphic encryption proposed in this section contains five core functional modules, namely task management module, data collection module, encryption module, ciphertext aggregation module, and access control module. The introduction of each functional module is as follows.

Task management module is responsible for allocating and coordinating user tasks to ensure the effectiveness of data collection. In crowd-sensing, different tasks need to be assigned to different perception users, and tasks need to be dynamically allocated, taking into full consideration factors such as user location and device capabilities.

Data collection module is responsible for the collection of environmental information or data by crowd-sensing terminals (such as smartphones and IoT devices). Data may need to be pre-processed such as denoising, format conversion, and data compression to reduce communication overhead and computing burden.

Encryption module is responsible for encrypting the collected data to ensure privacy preservation during data transmission and calculation. The perception user encrypts the data with his own public key and then submits the ciphertext.

Ciphertext aggregation module is the perception platform performs homomorphic calculations on the ciphertexts of multiple perception users without decrypting the data.

Access control module allows the perception user embeds the public key information of the data requester in the ciphertext to ensure that only the data requester has the right to decrypt the aggregated ciphertext and thus access the perception results to ensure privacy protection and security.

4.2. Construction of Crowd-sensing Scheme Based on Multi-key Homomorphic Encryption

4.2.1. Initialization Phase

Define data requester $D$ and $L$ perception users $U_1,\cdots ,U_L$. Perception user $U_i$ runs $\left(p{k}_i,s{k}_i\right)\leftarrow KeyGen\left(params\right)$ algorithm to generate its key pair $\left(p{k}_i,s{k}_i\right)$, and data requester $D$ runs $\left(p{k}_D,s{k}_D\right)\leftarrow KeyGen\left(params\right)$ algorithm to generate its key pair $\left(p{k}_D,s{k}_D\right)$.

Data requesters publish perception tasks to the perception platform according to their needs. The perception platform is responsible for organizing appropriate users to collect and upload data according to the tasks. The perception platform selects perception users $U_1,\cdots ,U_N$ that meet the task requirements and sends task invitations to the selected perception users $U_i$. Users can choose to accept or reject.

4.2.2. Perception Data Submission Phase

The perceptual user $U_i$ who receives the task collects data through its perceptual device and runs the $m_i\leftarrow Encode\left(i,z_i,\Delta \right)$ algorithm to encode the collected data into $m_i$. $U_i$ uses its own public key $p{k}_i$ and the public key $p{k}_D$ of the data requester $D$ to encrypt $m_i$, and runs the $c_i\leftarrow Enc\left(p{k}_i,p{k}_D,m_i\right)$ algorithm to obtain the ciphertext $c_i=\left(c_0^i,c_1^i,c_2^i\right)=\left(v_i·\left(p{k}_i+p{k}_D\right)+m_i+e_0^i,v_i·a_i+e_1^i,v_i·a_D+e_2^i\right)\left(mod q\right)$, where $v_i\leftarrow \chi$, $e_0^i,e_1^i,e_2^i\leftarrow \psi$, $a_i=a_i\left[0\right]$, $a_D=a_D\left[0\right]$, $p{k}_i=p{k}_i\left[0\right]$, $p{k}_D=p{k}_D\left[0\right]$.

The perceptual user $U_i$ sends the ciphertext $c_i$ to the perceptual platform. The platform can only store and homomorphically compute encrypted data and cannot view the user's plaintext data $m_i$.

4.2.3. Ciphertext Aggregation Phase

The perception platform receives the ciphertext $c_1,\cdots ,c_N$ from the perception users $U_1,\cdots ,U_N$ and performs homomorphic computation without decryption. The perception platform runs the $C_{sum}\leftarrow AddEval\left(c_1,c_2,\cdots ,c_N\right)$ algorithm to calculate the aggregated ciphertext $C_{sum}={\displaystyle \sum }_{i=1}^N{c}_i=\left(C_{su{m}_0},C_{su{m}_1},C_{su{m}_2}\right)=\left({\displaystyle \sum }_{i=1}^N{c}_0^i,{\displaystyle \sum }_{i=1}^N{c}_1^i,{\displaystyle \sum }_{i=1}^N{c}_2^i\right)$. The aggregated ciphertext is still encrypted, and the perception platform cannot decrypt it to obtain the perception result. The perception platform sends $C_{sum}$ to the data requester $D$ for result decryption.

4.2.4. Perception Result Decryption Phase

The decryption phase of the perception result is divided into two steps: partial decryption and final decryption. In the partial decryption step, the perception user $U_i$ runs the $p_i\leftarrow PartDec\left(i,c_i,s{k}_i\right)$ algorithm to calculate the decryption share $p_i=s_i·c_1^i+e_i^{*}$, where $e_i^{*}\leftarrow \psi$, and then sends $p_i$ to the data requester $D$. In the final decryption step, after receiving the decryption shares $p_1,\cdots ,p_N$ of all perception users, the data requester $D$ uses its own private key $s{k}_D$ to decrypt the aggregated ciphertext, runs the $m^{*}\leftarrow FinDec\left(C_{sum},p_1,p_2,\cdots ,p_N\right)$ algorithm for final decryption, and obtains the perception result$m^{*}$. The data $m$ obtained after decoding $m^{*}$ is the perception result required by the data requester $D$. The perception result is the aggregated perception data, not the data of a single perception user, to ensure user privacy.

5. Security Analysis of Crowd-sensing Scheme Based on Multi-key Homomorphic Encryption

In the crowd sensing scheme based on multi-key homomorphic encryption, the entire sensing process is completed through information transmission between three entities: the sensing user, the sensing platform, and the data requester. Therefore, the security of the scheme will be discussed from two aspects: the sensing user and the sensing platform.

Theorem 5.1.

In the crowd sensing scheme based on multi-key homomorphic encryption, no entity can obtain the plaintext data of a single sensing user, that is, the privacy data of the sensing user is safe.

Proof of Theorem 5.1.

In the crowd sensing scheme based on multi-key homomorphic encryption, the sensing user does not need to trust the sensing platform or other users, and generates its key independently according to the distributed key generation protocol, and the data is encrypted locally. The plaintext data $m_i$ of the sensing user $U_i$ is encrypted locally into the ciphertext $c_i=Enc\left(p{k}_i,p{k}_D,m_i\right)$, and $c_i$ is uploaded to the sensing platform through the network. $U_i$'s data remains encrypted during transmission. According to Theorem 3.1, the ciphertext $c_i\leftarrow Enc\left(p{k}_i,p{k}_D,m_i\right)$ is computationally indistinguishable from the uniform distribution on $R_q$. The security of IND-CPA based on the RLWE problem ensures that the ciphertext $c_i$ cannot be cracked, that is, the plaintext data $m_i$ cannot be recovered from $c_i$. Therefore, even if an attacker or data requester intercepts the ciphertext of the perceived user $U_i$, no information related to $m_i$ can be inferred from it. □

Theorem 5.2.

In the crowd-sensing scheme based on multi-key homomorphic encryption, no entity other than the data requester can decrypt the aggregated ciphertext to obtain the perception result, that is, the perception result is secure.

Proof of Theorem 5.2.

In the crowd-sensing scheme based on multi-key homomorphic encryption, the perception platform only stores and homomorphically calculates the ciphertext $c_1,c_2,\cdots ,c_N$, but does not hold any user's private key $s{k}_i$, so it is impossible to decrypt the ciphertext of a single user. The result $C_{sum}$ after homomorphic calculation is still encrypted, and the perception platform cannot deduce the plaintext data through calculation. The decryption of the aggregated ciphertext $C_{sum}$ requires the decryption shares $p_i$ of all users and the private key $s{k}_D$ of the data requester. Only the data requester can decrypt and obtain the perception result. Even if the perception platform obtains the aggregated ciphertext $C_{sum}$ and the decryption shares $p_1,p_2,\cdots ,p_N$, its calculation

$$\begin{array}{l}{C}_{su{m}_0}+{\displaystyle {\displaystyle \sum }_{i=1}^N}{p}_i\left(mod q\right)={{\displaystyle \sum }}_{i=1}^N{c}_0^i+{{\displaystyle \sum }}_{i=1}^N\left(s_i·c_1^i+e_i^{*}\right)\left(mod q\right)\\ ={{\displaystyle \sum }}_{i=1}^N\left(v_i·\left(p{k}_i+p{k}_D\right)+m_i+e_0^i\right)\\ +{{\displaystyle \sum }}_{i=1}^N\left(s_i·\left(v_i·a_i+e_1^i\right)+e_i^{*}\right)\left(mod q\right)\\ \approx {{\displaystyle \sum }}_{i=1}^N{m}_i+{{\displaystyle \sum }}_{i=1}^N{v}_i·p{k}_D\left(mod q\right)\end{array}$$

In addition to the aggregated plaintext ${{\displaystyle \sum }}_{i=1}^N{m}_i$ , the calculation result also contains the partial ciphertext ${{\displaystyle \sum }}_{i=1}^N{v}_i·p{k}_D\left(modq\right)$ encrypted by $p{k}_D$. Since the perception platform does not have the private key ${{\displaystyle \sum }}_{i=1}^N{v}_i·p{k}_D\left(modq\right)$ of the data requester, it cannot eliminate ${{\displaystyle \sum }}_{i=1}^N{v}_i·p{k}_D\left(mod q\right)$ in the calculation result, so it is impossible to obtain the aggregated plaintext data through calculation. □

6. Conclusion

In multi-user scenarios, CRS, as a centralized public information, not only provides a basis for collaboration for participating users, but also simplifies the process of key generation and management, so that the encrypted data of multiple users can be effectively operated in the same computing environment. However, the existence of CRS weakens the ability of users to independently generate public keys, and it is difficult to achieve in decentralized systems or scenarios with low trust requirements. This section proposes a lattice-based multi-key homomorphic encryption scheme without CRS, aiming to eliminate the dependence on public parameters and improve the system's anti-attack capability. The proposed scheme not only solves the problems of privacy preservation and data security, but also maintains high efficiency and scalability in large-scale distributed systems. Multi-key full homomorphic encryption scheme will be our research direction in future for more wide application.