Multi-Group Fully Homomorphic Encryption Scheme Based on LWE and NTRU

1. Introduction

Homomorphic encryption (HE) is a cryptographic technology that enables computations to be performed directly on encrypted data. Dubbed the "holy grail" of cryptography, HE holds enormous application potential in the field of information security. Based on the scope of homomorphic computations supported, HE can be categorized into Partial Homomorphic Encryption (PHE), Leveled Homomorphic Encryption (LHE), and Fully Homomorphic Encryption (FHE). Early research on HE focused on PHE, with representative schemes including the RSA scheme proposed by Rivest et al. [2] and the Paillier encryption scheme [3] developed later. The RSA scheme exhibits multiplicative homomorphism—decrypting the product of two ciphertexts yields the product of the corresponding plaintexts. In contrast, the Paillier scheme possesses additive homomorphism—decrypting the product of two ciphertexts results in the sum of the corresponding plaintexts. However, PHE schemes are highly restrictive as they only support either additive or multiplicative homomorphism. Decades after the concept of "homomorphic encryption" was proposed, Gentry [4] introduced a framework for constructing FHE, shifting academic focus from PHE to LHE and FHE. LHE supports both additive and multiplicative operations on ciphertexts, and the resulting new ciphertexts are encryptions of the corresponding plaintext sums or products. Nevertheless, LHE does not allow unlimited homomorphic computations—if the noise accumulated after each computation exceeds the scheme’s tolerance threshold, the ciphertext will fail to decrypt. Gentry’s FHE framework consists of LHE and bootstrapping. The core idea of bootstrapping is to execute a homomorphic decryption circuit on the ciphertext before the noise reaches the threshold. As long as the noise of the bootstrapped ciphertext remains sufficiently low to support one additional homomorphic operation, LHE can be transformed into FHE.

Existing bootstrapping methods primarily fall into three categories. The first category is tailored for BGV/BFV schemes [5,6,7,8], leveraging the Chinese Remainder Theorem (CRT) over polynomial rings. Its core idea involves re-encrypting the original ciphertext and then decrypting the inner-layer ciphertext of the new ciphertext. The second category is designed for the CKKS scheme [9]. Since CKKS ciphertexts treat noise as part of the plaintext, the decryption function is replaced by an approximate modulus function, with the remaining steps closely resembling those of the first category. The third category is the bootstrapping based on blind rotation in TFHE schemes [10,11]. Unlike the previous two, blind rotation utilizes the negative cyclic property of the polynomial ring ${\mathbb{Z}}_Q\left[X\right]/(X^N+1)$. By iteratively multiplying the rotation polynomial with key-related monomials, specific coefficients of the rotation polynomial are rotated to the constant term in the encrypted state, thereby achieving homomorphic decryption. In TFHE, blind rotation consists of two types of ciphertexts (RLWE and RGSW) and their "external product". Given the large size of these two ciphertext types, Bonte et al. [12] proposed the NTRU-based FINAL scheme to reduce the size of bootstrapping keys. The FINAL scheme replaces RLWE and RGSW ciphertexts with scalar NTRU and vector NTRU ciphertexts, respectively. Since scalar NTRU ciphertexts consist of only one polynomial, and the size of vector NTRU ciphertexts is half that of RGSW ciphertexts, the NTRU-based bootstrapping algorithm not only offers superior space complexity but also requires fewer polynomial multiplications for executing the "external product" compared to TFHE.

The primary application of FHE is outsourcing computation, where data owners can encrypt their data and entrust it to untrusted computing service providers without revealing sensitive information. However, in secure multi-party computation (SMPC) scenarios, there is a need to compute data from multiple sources, rendering single-key FHE inadequate. To meet this demand, researchers have extended FHE to multi-party settings, leading to two main technical routes: static Multi-Party Homomorphic Encryption (MPHE) [13,14,15] and dynamic Multi-Key Homomorphic Encryption (MKHE) [16,17,18]. MPHE requires parties to be fixed prior to computation, with various keys generated collectively by all parties. Since encryption, decryption, and bootstrapping are performed under the same key, its computational efficiency is independent of the number of parties, ensuring high efficiency but limited flexibility. In contrast, MKHE does not require pre-computation negotiation among parties—each party generates its own key and participates in encryption, decryption, and bootstrapping without disclosing any key-related information. However, the size of multi-key ciphertexts is positively correlated with the number of parties, resulting in high flexibility but low computational efficiency. To balance flexibility and efficiency, Kwak et al. [19] proposed a new HE primitive called Multi-Group Homomorphic Encryption (MGHE). MGHE treats ciphertexts of MPHE as single-key ciphertexts under a joint public key, while ciphertexts encrypted under joint public keys of different groups are computed jointly in a multi-key manner. In the initial MGHE construction, bootstrapping adheres to the first, second, and third methods based on RLWE and RGSW, lacking support for NTRU-based blind rotation bootstrapping. To harness the advantages of the FINAL scheme and enhance the practicality of MGHE, this study designs an NTRU-based bootstrapping algorithm for multi-group LWE ciphertexts. Specifically, the main contributions of this paper are as follows:

1.

A secret sharing-based bootstrapping key generation algorithm is proposed. The FINAL scheme lacks an asymmetric encryption variant, and existing NTRU-based blind rotation algorithms [20,21] employ symmetrically encrypted bootstrapping keys. To ensure compatibility between the proposed bootstrapping algorithm and NTRU-based blind rotation while maintaining low noise levels in bootstrapping keys, additive secret sharing is introduced in the offline phase before bootstrapping. parties within the same group collectively negotiate and generate bootstrapping keys through operations such as addition and multiplication of secret shares.

2.

A multi-group hybrid product algorithm is proposed. To parallelize bootstrapping, the core steps of bootstrapping are divided into multiple subtasks by group. Each subtask independently performs blind rotation using the corresponding group bootstrapping key, and the outputs of the subtasks are aggregated using the multi-group hybrid product algorithm.

3.

Secure parameter sets are determined and the effectiveness is verified through experiments. Since the FINAL scheme is based on NTRU, "overstretched" parameters render the scheme vulnerable to sublattice attacks. By analyzing the upper bound of noise, the parameters of the proposed scheme are ensured to remain within a secure range using LWE [22] and NTRU estimators [23]. Experiments are conducted under two different parameter sets with the number of groups ranging from 2 to 8, validating the effectiveness of the proposed scheme.

2. Related Work

In MGHE, plaintexts within the same group are encrypted using a joint public key in the form of MPHE, while ciphertexts encrypted under joint public keys of different groups are computed in a multi-key manner. Thus, MGHE can be regarded as an extension of MPHE to multi-key scenarios. Current mainstream single-key HE schemes include BGV [24], BFV [25], CKKS [26], and FHEW [27]/TFHE [10,11]. Both MPHE and MKHE schemes are constructed on top of these single-key schemes.

2.1. Multi-Party Homomorphic Encryption Schemes

The earliest MPHE scheme was constructed by Asharov et al. [28] based on the LWE-based BGV scheme. In this scheme, parties independently generate public keys, broadcast them, and compute the joint public key locally by summing the received public keys from other parties. Similarly, Mouchet et al. [14] constructed an RLWE-based MPHE on the BFV scheme, which can be easily extended to BGV and CKKS schemes. FHEW/TFHE-type schemes employ two layers of ciphertexts: the first layer is basic LWE ciphertexts, and the second layer is RGSW ciphertexts for homomorphic decryption. Unlike BGV, BFV, and CKKS schemes, TFHE encodes the LWE secret key into the monomial X and encrypts it into the second-layer ciphertext as the bootstrapping key, achieving homomorphic decryption through the blind rotation algorithm. Thus, constructing a multi-party TFHE scheme requires generating multi-party bootstrapping keys. Lee et al. [29] realized the generation of multi-party blind rotation keys by leveraging homomorphic multiplication between RGSW ciphertexts, constructing a feasible multi-party bootstrapping algorithm. Subsequently, Park et al. [30] built the first multi-party TFHE scheme based on this bootstrapping algorithm.

2.2. Multi-Key Homomorphic Encryption Schemes Based on Blind Rotation

As the fastest method for bootstrapping a single ciphertext, blind rotation is not only applicable to TFHE schemes but also compatible with all (R)LWE-based encryption schemes. Thus, blind rotation is a key technology for both MPHE and MKHE schemes. Chen et al. [18] first extended TFHE to multi-key scenarios, proposing the CCS scheme. This scheme uses the hybrid product between multi-key RLWE ciphertexts and single-key Uni-Enc ciphertexts to replace the external product between multi-key RLWE and multi-key RGSW ciphertexts, achieving lower time and space overhead. Based on the hybrid product algorithm proposed by Chen et al., Kwak et al. [31] constructed a generalized external product algorithm and designed a parallelizable multi-key LWE ciphertext bootstrapping algorithm (KMS scheme). The initial blind rotation algorithm, which used RLWE and RGSW ciphertexts as inputs, was later improved in the FINAL scheme by Bonte et al. [12]. Based on the NTRU problem, their key modification was to replace these ciphertexts with the more compact scalar NTRU and vector ciphertexts, respectively. Since NTRU scalar and vector ciphertexts are smaller in size than RLWE and RGSW ciphertexts, and fewer polynomial multiplications are required for their homomorphic multiplication, the overhead of blind rotation is reduced. Building on the FINAL scheme, Xu et al. [32] proposed an MKHE scheme that achieves approximately 5x speedup compared to the CCS scheme for two parties. However, this scheme controls noise accumulation during homomorphic computations by fixing the Hamming weight of NTRU keys, which Kim et al. [33] pointed out compromises the scheme’s security, making it unsuitable for practical applications. Park et al. [34] applied the hybrid product algorithm to the key switching key generation protocol, avoiding the invocation of the hybrid product during blind rotation, resulting in significant performance improvements over the CCS and KMS schemes. Nevertheless, it still does not support parallel execution.

3. Preliminaries

3.1. Notions

Boldface letters denote vectors (e.g., $\mathit{a}$), and the inner product between two vectors $\mathit{a}$ and $\mathit{b}$ is denoted as$\langle \mathit{a},\mathit{b}\rangle$. $\mathbb{Z}$ denotes the ring of integers. For a given positive integer q, ${\mathbb{Z}}_q$ denotes the quotient ring $\mathbb{Z}/q\mathbb{Z}$, whose elements are integers in the interval $[-{\displaystyle \frac{q}{2}},{\displaystyle \frac{q}{2}})$. Similarly, given positive integers Q and N (where N is a power of 2), $R=\mathbb{Z}\left[X\right]/(X^N+1)$ denotes the 2N-th cyclotomic ring, and the quotient ring $R_Q=R/QR={\mathbb{Z}}_Q\left[X\right]/(X^N+1)$ consists of integer polynomials with coefficients in ${\mathbb{Z}}_Q$. $e\leftarrow \chi$ indicates that the random variable e is sampled from the distribution $\chi$. Similarly, $e=(e_1,\dots ,e_n)\leftarrow {\chi }^n$ denotes that the vector e is obtained by sampling n times independently from $\chi$. For clarity, if e is a polynomial (even if its coefficients are sampled multiple times from a distribution), the former notation is still used. $\sigma$ and ${\sigma }^2$ denote the standard deviation and variance of a distribution, respectively. For a random variable a, $\mathrm{Var}\left(a\right)$ denotes its variance if $a\in \mathbb{Z}$, or the variance of its coefficients if $a\in R$. For a ciphertext c, $\mathrm{err}\left(c\right)$ denotes the ciphertext noise, and $\mathrm{Var}\left(\mathrm{err}\right(c\left)\right)$ denotes the variance of the ciphertext noise. $\lfloor ·\rceil$, $\lceil ·\rceil$, and $\lfloor ·\rfloor$ denote the rounding function, ceiling function, and floor function, respectively. In secret sharing schemes, for a secret s, ${\left[s\right]}_i$ denotes the secret share belonging to the i-th party, and $\left[s\right]=\left\{{\left[s\right]}_i\right\}$ denotes the set of secret shares.

3.2. Hard Problems

Definition 1.

Decisional LWE Problem [35].

Given positive integers q, n and a distribution $\chi$ over $\mathbb{Z}$, the decisional LWE problem is to distinguish between:

1.

Randomly sampled pairs $(x,\mathit{y})\in {\mathbb{Z}}_q^{n+1}$;

2.

Pairs $(b=-{\sum }_{i=1}^n{a}_i{s}_i+e,\mathit{a})\in {\mathbb{Z}}_q^{n+1}$, where $\mathit{a}$ is uniformly sampled from ${\mathbb{Z}}_q^n$, $a_i$ is the i-th element of $\mathit{a}$, $\mathit{s}$ is uniformly sampled from ${\mathbb{Z}}^n$, $s_i$ is the i-th element of $\mathit{s}$, and e is sampled from $\chi$.

Definition 2.

Decisional RLWE Problem [36].

Given positive integers Q, N, the polynomial ring $R=\mathbb{Z}\left[X\right]/(X^N+1)$, $R_Q={\mathbb{Z}}_Q\left[X\right]/(X^N+1)$, and a distribution $\chi$ over R, the decisional RLWE problem is to distinguish between:

1.

Randomly sampled pairs $(x,y)\in R_Q^2$;

2.

Pairs $(b=-as+e,a)\in R_Q^2$, where $a,s$ are uniformly sampled from $R_Q$, and e is sampled from $\chi$.

Definition 3.

Decisional NTRU Problem [12].

Given positive integers Q, N, the polynomial ring $R=\mathbb{Z}\left[X\right]/(X^N+1)$, $R_Q={\mathbb{Z}}_Q\left[X\right]/(X^N+1)$, and a distribution $\chi$ over R, let $f\leftarrow \chi$, $e\leftarrow \chi$ with f invertible in $R_Q$. The decisional NTRU problem is to distinguish between:

1.

A randomly sampled element $a\in R_Q$;

2.

The element ${\displaystyle \frac{e}{f}}\in R_Q$.

Definition 4.

Decisional Vector NTRU Problem [37].

Given positive integers Q, N, d, the polynomial ring $R=\mathbb{Z}\left[X\right]/(X^N+1)$, $R_Q={\mathbb{Z}}_Q\left[X\right]/(X^N+1)$, and a distribution $\chi$ over R, let $f,e_1,\dots ,e_d\leftarrow \chi$ with f invertible in $R_Q$. The decisional vector NTRU problem is to distinguish between:

1.

A randomly sampled vector $\mathit{a}=(a_1,\dots ,a_d)\in R_Q^d$;

2.

The vector $\left({\displaystyle \frac{e_1}{f}},\dots ,{\displaystyle \frac{e_d}{f}}\right)\in R_Q^d$.

3.3. Gadget Decomposition

Gadget decomposition is a technique for decomposing an integer in $({\mathbb{Z}}_Q$ into multiple small integers in $\mathbb{Z}$. Given positive integers B, $d=\lceil {log}_{B}Q\rceil$, and $a\in {\mathbb{Z}}_Q$, the gadget decomposition vector with base B is defined as ${\mathit{g}}_B=(B^0,B^1,\dots ,B^{d-1})\in {\mathbb{Z}}_Q^d$. The decomposition function of the integer a with base B is given by:

$${\mathfrak{g}}_B^{-1}\left(a\right)=(a_1,a_2,\dots ,a_d)\in {\mathbb{Z}}^d,$$

(1)

where ${\sum }_{i=1}^d{a}_i·B^{i-1}=amodQ$. For brevity, $\langle {\mathfrak{g}}_B^{-1}\left(a\right),{\mathit{g}}_B\rangle$ is denoted as ${\mathfrak{g}}_B^{-1}\left(a\right)·{\mathit{g}}_B$. Gadget decomposition is not limited to ${\mathbb{Z}}_Q$ but can also be extended to the polynomial ring $R_Q$. For a polynomial $a\left(X\right)\in R_Q$, it is treated as a coefficient vector, and the above conclusion holds by decomposing each element of the vector individually.

3.4. FINAL Scheme

The NTRU problem serves as a crucial hard problem for constructing post-quantum FHE schemes, and its parameter selection directly impacts the security of the cryptographic scheme. Schemes built on NTRU are vulnerable to sublattice attacks if "overstretched" parameters are used [38]. To avoid overstretched parameters while ensuring the correctness of homomorphic operations, Bonte et al. proposed the FINAL scheme [12]. Subsequently, Xiang et al. [20] modified the ciphertext form of the scheme to construct their ring isomorphism-based blind rotation algorithm. The modified FINAL scheme is described as follows:

• FINAL.Setup($1^{\lambda }$): Input a security parameter $\lambda$, generate security-compliant parameters including the NTRU polynomial modulus Q, polynomial degree N, Gadget decomposition base B, key distribution ${\chi }_{nk}$ over R, and noise distribution ${\chi }_{ne}$ over R. Output $Params=(Q,N,B,{\chi }_{nk},{\chi }_{ne})$.
• FINAL.KeyGen(): Input the parameters generated by the Setup algorithm, select an invertible polynomial $f\in R$ from ${\chi }_{nk}$, and output the NTRU key f.
• FINAL.ScalarEnc(m, f): Input a plaintext $m\in R_Q$ and the NTRU key f, randomly select noise $e\leftarrow {\chi }_{ne}$, set $\Delta ={\displaystyle \frac{Q}{4}}$ as the scaling factor, and output the NTRU scalar ciphertext

  $$c={\displaystyle \frac{e+\Delta m}{f}}\in R_Q.$$

  (2)
• FINAL.VectorEnc(m, f): Input a plaintext $m\in R_Q$ and the NTRU key f, randomly select noise $e_1,\dots ,e_d\leftarrow {\chi }_{ne}$ where $d=\lceil {log}_{B}Q\rceil$, and output the NTRU vector ciphertext

  $$\mathit{c}=\left({\displaystyle \frac{e_1}{f}}+B^0·m,\dots ,{\displaystyle \frac{e_d}{f}}+B^{d-1}·m\right)\in R_Q^d.$$

  (3)

To implement the CMux gate, the TFHE scheme defines the external product between TRLWE and TRGSW ciphertexts. Similarly, the FINAL scheme defines the external product between scalar NTRU and vector NTRU ciphertexts, and proves the upper bound of the noise variance for this external product operation.

Definition 5.

NTRU External Product

Let $c=NTR{U}_{Q,f,\Delta }\left(m\right)$ denote a scalar NTRU ciphertext encrypting the plaintext m with modulus Q, scaling factor $\Delta$, and NTRU key f. Let $\mathit{c}=NTR{U}_{Q,f,B}^{\prime }\left(m\right)$ denote a vector NTRU ciphertext encrypting the plaintext m with modulus Q, Gadget decomposition base B, and NTRU key f. The external product is defined as

$$⊡:NTR{U}_{Q,f,\Delta }\times NTR{U}_{Q,f,B}^{\prime }\to NTR{U}_{Q,f,\Delta },$$

(4)

where

$$c⊡\mathit{c}=\langle {\mathfrak{g}}_B^{-1}\left(c\right),\mathit{c}\rangle .$$

(5)

Lemma 1.

Noise of NTRU External Product

Given positive integers Q, N, B, d, a scalar NTRU ciphertext $c={\displaystyle \frac{e+\Delta m}{f}}\in R_Q$, and a vector NTRU ciphertext $\mathit{c}=\left({\displaystyle \frac{e_1}{f}}+B^0·m^{\prime },\dots ,{\displaystyle \frac{e_d}{f}}+B^{d-1}·m^{\prime }\right)\in R_Q^d$, let $err\left(c\right)$ and $err\left(\mathit{c}\right)$ denote the noise of c and $\mathit{c}$, respectively, and $Var\left(err\right(c\left)\right)$ and $Var\left(err\right(\mathit{c}\left)\right)$ denote their noise variances. Then, the noise variance of the ciphertext $c^{\prime }=c⊡\mathit{c}$ satisfies

$$Var\left(err\left(c^{\prime }\right)\right)\le dN·{\displaystyle \frac{B^2}{12}}·Var\left(err\left(c\right)\right)+Var\left(err\left(\mathit{c}\right)\right).$$

(6)

3.5. XZD Blind Rotation

The first automorphism-based blind rotation algorithm was proposed by Lee et al. [29] (LMKC scheme). Unlike the AP scheme [39], which achieves exponent accumulation through multiplication operations, the LMKC scheme leverages the automorphism map $X\to X^t$ to implement scalar multiplication on exponents, thereby significantly reducing the number of multiplication operations in the accumulator. Subsequently, the XZD scheme proposed by Xiang et al. [20] further shortens the time required for key switching after multiplication in the accumulator by adopting scalar and vector NTRU ciphertexts, effectively reducing the overall computational overhead of blind rotation.

The order of the monomial X over the 2N-th cyclotomic polynomial ring $R_Q={\mathbb{Z}}_Q\left[X\right]/(X^N+1)$ is 2N, i.e., $X^{2N}=1mod(X^N+1)$. Thus, for a positive integer t, multiplying any element $r\left(X\right)\in R$ by the monomial $X^t$ results in a regular cyclic left or right shift of the polynomial’s coefficients. Blind rotation leverages this property to rotate specific coefficients to the leading term. Formally, given an element $r\left(X\right)={\sum }_{i=0}^{q-1}i·X^{-i}\in R$, compute the rotation polynomial

$$r\left(X^{{\displaystyle \frac{2N}{q}}}\right)=\sum _{i=0}^{q-1}i·X^{-{\displaystyle \frac{2N}{q}}i}.$$

(7)

For a ciphertext $c=(b,a_1,\dots ,a_n)\in {\mathbb{Z}}_q^{n+1}$ satisfying $\Delta ·m+e=b+{\sum }_{i=1}^n{a}_i{s}_i$ (where $\Delta$ is the LWE scaling factor, q is the LWE ciphertext modulus, and q divides 2N), the goal of blind rotation is to compute the following in the encrypted state

$$r\left(X^{{\displaystyle \frac{2N}{q}}}\right)·X^{{\displaystyle \frac{2N}{q}}·\left(b+{\sum }_{i=1}^n{a}_i{s}_i\right)}=(\Delta ·m+e)+\sum _{i\ne \Delta m+e}i·X^{{\displaystyle \frac{2N}{q}}(\Delta ·m+e-i)}.$$

(8)

Before performing blind rotation, the XZD scheme preprocesses the ciphertext to be bootstrapped $c=(b,a_1,\dots ,a_n)$ by computing

$$c^{\prime }=\left({\displaystyle \frac{2N}{q}}b+1,{\displaystyle \frac{2N}{q}}{a}_1+1,\dots ,{\displaystyle \frac{2N}{q}}{a}_n+1\right)\in {\mathbb{Z}}_q^{n+1},$$

(9)

ensuring the existence of the automorphism. Subsequently, the rotation polynomial is encrypted into a scalar NTRU ciphertext, and the monomial $X^{s_i}$ (related to the i-th component of the LWE secret key) is encrypted into a vector NTRU ciphertext. During blind rotation, $X^{s_i}$ is iteratively multiplied into the rotation polynomial via the external product between the two types of ciphertexts, followed by key switching based on automorphism to multiply the ciphertext component$a_i$into the rotation polynomial.

The XZD blind rotation consists of two algorithms: the Blind Rotation Key Generation (BRKGen) algorithm and the Blind Rotation Evaluation (BREval) algorithm. Let $Params=(Q,N,B_{br},{\chi }_{nk},{\chi }_{ne})$ be the public parameters output by $FINAL.Setup$, and $d_{br}=\lceil {log}_{B_{br}}Q\rceil$. Define the set $S=\left\{{\displaystyle \frac{2N}{q}}·i+1\mid 1\le i\le q-1\right\}$, and let $LW{E}_{q,\mathit{s}}\left(m\right)=(b,a_1,\dots ,a_n)\in {\mathbb{Z}}_q^{n+1}$ denote the LWE ciphertext encrypting the plaintext m with modulus q and secret key $\mathit{s}$. The two algorithms are described as follows.

• BRKGen(): Given an LWE secret key $\mathit{s}=(s_1,\dots ,s_n)\in {\mathbb{Z}}_q^n$ and an NTRU key $f\in R_Q$, the algorithm outputs $EVK=\{ev{k}_j\mid 1\le j\le n+1\}\cup \{nksv{k}_j\mid j\in S\}$, where

  1.

  $ev{k}_1=NTR{U}_{Q,f,B_{br}}^{\prime }\left({\displaystyle \frac{X^{s_1}}{f}}\right)$, $ev{k}_i=NTR{U}_{Q,f,B_{br}}^{\prime }\left(X^{s_i}\right)$ for $2\le i\le n$, $ev{k}_{n+1}=NTR{U}_{Q,f,B_{br}}^{\prime }\left(X^{-{\sum }_{i=1}^n{s}_i}\right)$,

  2.

  $nksv{k}_j=NTR{U}_{Q,f,B_{br}}^{\prime }\left({\displaystyle \frac{f\left(X^j\right)}{f\left(X\right)}}\right)$.

• BREval($(b,\mathit{a}),r,EVK,\Delta$): Input an LWE ciphertext $LW{E}_{q,\mathit{s}}\left(m\right)=(b,a_1,\dots ,a_n)\in {\mathbb{Z}}_q^{n+1}$, a rotation polynomial r, the evaluation key $EVK$ generated by BRKGen, and the NTRU scaling factor $\Delta$. The algorithm computes and outputs

  $$ACC=NTR{U}_{Q,f,\Delta }\left(r\left(X^{{\displaystyle \frac{2N}{q}}}\right)·X^{{\displaystyle \frac{2N}{q}}·\left(b+{\sum }_{i=1}^n{a}_i{s}_i\right)}\right).$$

  (10)

The detailed steps are presented in Algorithm 1.

Algorithm 1 BREval($(b,\mathit{a}),r,EVK,\Delta )$ (adapted from [20]).

3.6. Additive-Only Multi-Party RLWE-Based Homomorphic Encryption

The core algorithms of the multi-party BFV scheme proposed by Mouchet et al. [40] can be combined to form an additive-only (supporting scalar multiplication) multi-party RLWE homomorphic encryption scheme (AHE).

• AHE.Setup($1^{\lambda }$): Input a security parameter $\lambda$, output security-compliant public parameters including the RLWE ciphertext modulus Q, plaintext modulus t, polynomial degree N, secret key distribution ${\chi }_{rk}$ over R, noise distribution ${\chi }_{re}$ over R, and a common reference polynomial $p\in R$. Output $Params=(Q,t,N,{\chi }_{rk},{\chi }_{re},p)$.
• AHE.SKeyGen(): Each party ${\mathcal{P}}_i\in \mathcal{G}$ selects an RLWE secret key $z_i\leftarrow {\chi }_{rk}$.
• AHE.PKeyGen($z_i$): Each party ${\mathcal{P}}_i\in \mathcal{G}$ selects noise $e_i\leftarrow {\chi }_{re}$, computes $r=-p·z_i+e_i$, and sets $pk=(r,p)\in R_Q^2$.
• AHE.JointPKeyGen(${\left\{z_i\right\}}_{i\in \mathcal{G}}$): Input the public keys $pk=(r_i,p)$ of all parties, compute $\tilde{r}={\sum }_{i\in \mathcal{G}}{r}_i$, and output the joint RLWE public key $rjpk=(\tilde{r},p)\in R_Q^2$.
• AHE.Enc(m): Input a plaintext $m\in R_t$, select noise $e1$, $e_2\leftarrow {\chi }_{re}$, randomly select a temporary secret polynomial $g\leftarrow {\chi }_{rk}$, compute $b=\tilde{r}·g+{\displaystyle \frac{Q}{t}}·m+e_1$ and $a=p·g+e_2$, and output the ciphertext $c=(b,a)\in R_Q^2$.
• AHE.Dec($c,{\left\{z_i\right\}}_{i\in G}$): Input a ciphertext $c=(b,a)$ encrypted under the joint RLWE public key $rjpk$ and the RLWE secret keys ${\left\{z_i\right\}}_{i\in G}$ of all parties, compute $m=\lfloor {\displaystyle \frac{t·(b+{\sum }_{i\in \mathcal{G}}a·z_i)}{Q}}\rceil \in R_t$.
• AHE.Add($c,c^{\prime }$): Input two multi-party RLWE ciphertexts $c=(b,a)$ and $c^{\prime }=(b^{\prime },a^{\prime })$ encrypting plaintexts $m,m^{\prime }\in R_t$ under the same public key, compute and output $\overline{c}=(b+b^{\prime },a+a^{\prime })\in R_Q^2$.
• AHE.ScalarMult($\beta ,c$): Input a scalar polynomial $\beta \in R_t$ and a multi-party RLWE ciphertext $c=(b,a)$, compute and output $\overline{c}=(\beta ·b,\beta ·a)\in R_Q^2$.

4. Basic Multi-Group LWE-Based Homomorphic Encryption without Bootstrapping

This section first introduces the basic LWE-based multi-group homomorphic encryption scheme, whose network architecture is shown in Figure 1.

Parties in each group encrypt plaintexts using the group joint public key to obtain ciphertexts $ct$, which are then sent to the server. After receiving the ciphertexts, the server performs homomorphic computation and bootstrapping, and returns the new ciphertext $c{t}^{\prime }$ to be decrypted. Under the MGHE framework, our basic scheme includes two sets of algorithms: SKeyGen, PKeyGen, JointPKeyGen and Enc, which are dedicated to intra-group interactive computation, as well as Setup, NAND and Dec, which are for inter-group computation. In addition, to support asymmetric encryption while maintaining a small ciphertext modulus, we distinguish between the encryption modulus $q^{\prime }$ and the bootstrapping modulus q. The encryption modulus $q^{\prime }$ is much larger than q, and ciphertexts under the encryption modulus $q^{\prime }$ can tolerate greater noise. After encrypting a plaintext, a party needs to switch the ciphertext modulus to the bootstrapping modulus q through the ModulusSwitch algorithm to perform subsequent NAND and bootstrapping algorithms.

Let $\mathcal{G}$ be a set of parties, ${\mathcal{G}}_i$ denote the i-th group, j be the unique index of the party in the i-th group within ${\mathcal{G}}_i$, and ${\mathcal{P}}_{i,j}$ denote the j-th party in the i-th group. Our MGHE includes the following algorithms.

• MGHE.Setup($1^{\lambda }$): Takes a security parameter $\lambda$ as input, generates global parameters meeting security requirements, including LWE encryption modulus $q^{\prime }$, LWE bootstrapping modulus q, LWE dimension n, LWE secret key distribution ${\chi }_{lk}$ over $\mathbb{Z}$, noise distribution ${\chi }_{le}$ over $\mathbb{Z}$, and a common reference matrix $M\in {\mathbb{Z}}^{n\times n}$. Outputs $Params=(q^{\prime },q,n,{\chi }_{lk},{\chi }_{le},M)$.
• MGHE.SKeyGen(): Parties ${\mathcal{P}}_{i,j}$ in each group independently generate a private LWE secert key $\mathit{s}\leftarrow {\chi }_{lk}^n$, and output the LWE secret key $\mathit{s}\in {\mathbb{Z}}^n$.
• MGHE.PKeyGen($\mathit{s}$): Party ${\mathcal{P}}_{i,j}$ selects noise $\mathit{e}\leftarrow {\chi }_{le}^n$, computes $\mathit{r}=-M·\mathit{s}+\mathit{e}\in {\mathbb{Z}}_{q^{\prime }}^n$, and sets $pk=(\mathit{r},M)\in {\mathbb{Z}}_{q^{\prime }}^n\times {\mathbb{Z}}_{q^{\prime }}^{n\times n}$.
• MGHE.JointPKeyGen(${\left\{p{k}_j\right\}}_{j\in \mathcal{G}}$): Takes the LWE public keys $p{k}_j=({\mathit{r}}_j,M)$ of each party in a group $\mathcal{G}$, computes $\tilde{\mathit{r}}={\sum }_{j\in G}{\mathit{r}}_j$, and outputs the LWE joint public key $jpk=(\tilde{\mathit{r}},M)\in {\mathbb{Z}}_{q^{\prime }}^n\times {\mathbb{Z}}_{q^{\prime }}^{n\times n}$.
• MGHE.Enc($jpk,m$): Takes a plaintext bit $m\in \{0,1\}$ and the LWE joint public key $jpk$ of a group as input, randomly selects a temporary secret vector $\mathit{v}\leftarrow {\chi }_{lk}^n$, noise $e_1\leftarrow {\chi }_{le}$, ${\mathit{e}}_2\leftarrow {\chi }_{le}^n$, computes $b=\langle \tilde{\mathit{r}},\mathit{v}\rangle +{\displaystyle \frac{q^{\prime }}{4}}m+e_1\in {\mathbb{Z}}_{q^{\prime }}$, $\mathit{a}={\mathit{v}}^T·M+{\mathit{e}}_2\in {\mathbb{Z}}_{q^{\prime }}^n$, and outputs the LWE ciphertext $c=(b,\mathit{a})\in {\mathbb{Z}}_{q^{\prime }}^{n+1}$ encrypting the plaintext m under the joint LWE public key $jpk$.
• MGHE.ModulusSwitch($\mathit{c},q$): Takes the LWE ciphertext $\mathit{c}=(b,a_1,\dots ,a_n)\in {\mathbb{Z}}_{q^{\prime }}^{n+1}$ generated by the MGHE.Enc algorithm and the LWE bootstrapping modulus q for bootstrapping, computes and outputs ${\mathit{c}}^{\prime }=\left(\lceil {\displaystyle \frac{q}{q^{\prime }}}·b\rceil ,\lceil {\displaystyle \frac{q}{q^{\prime }}}·a_1\rceil ,\dots ,\lceil {\displaystyle \frac{q}{q^{\prime }}}·a_n\rceil \right)\in {\mathbb{Z}}_q^{n+1}$.
• MGHE.Dec($\mathit{c},{\left\{{\mathit{s}}_{i,j}\right\}}_{1\le i\le k,j\in {\mathcal{G}}_i}$): Takes the multi-group LWE ciphertext $c=(b,{\mathit{a}}_1,\dots ,{\mathit{a}}_k)$ and the LWE secret keys ${\mathit{s}}_{i,j}$ of each party in each group as input, computes $u_{i,j}=\langle {\mathit{a}}_i,{\mathit{s}}_{i,j}\rangle$ and outputs $m=\lfloor {\displaystyle \frac{2(b+{\sum }_{i=1}^k{\sum }_{j\in {\mathcal{G}}_i}{u}_{i,j})}{q}}\rceil \in {\mathbb{Z}}_2$.
• MGHE.NAND($\mathit{c},{\mathit{c}}^{\prime }$): Takes two multi-group LWE ciphertexts $\mathit{c}=(b,{\mathit{a}}_1,\dots ,{\mathit{a}}_k)\in {\mathbb{Z}}_q^{kn+1}$ and ${\mathit{c}}^{\prime }=(b^{\prime },{\mathit{a}}_1^{\prime },\dots ,{\mathit{a}}_k^{\prime })\in {\mathbb{Z}}_q^{kn+1}$ encrypted under the same set of public keys ${\left\{jp{k}_i\right\}}_{1\le i\le k}$, which encrypt plaintext bits $m,m^{\prime }$ respectively. For $1\le i\le k$, let ${\mathit{a}}_i=(a_{i,1},\dots ,a_{i,n})$ and ${\mathit{a}}_i^{\prime }=(a_{i,1}^{\prime },\dots ,a_{i,n}^{\prime })$, computes ${\tilde{\mathit{a}}}_i=(a_{i,1}-a_{i,1}^{\prime },\dots ,a_{i,n}-a_{i,n}^{\prime })\in {\mathbb{Z}}_q^n$, and outputs the ciphertext $c=({\displaystyle \frac{5q}{8}}-b-b^{\prime },{\tilde{\mathit{a}}}_1,\dots ,{\tilde{\mathit{a}}}_k)\in {\mathbb{Z}}_q^{kn+1}$ encrypting the plaintext m NAND $m^{\prime }$.

RLWE is a ring variant of LWE. The above multi-group homomorphic encryption scheme can be constructed based on RLWE. Since the RLWE-based multi-group scheme operates on the ring $R_Q$, the main difference between the RLWE-based multi-group homomorphic encryption scheme and the above LWE-based scheme lies in the encryption and decryption algorithms. Let the RLWE joint public key be $jpk=(r,p)\in R_Q^2$. In the encryption algorithm, we compute $b=r·v+{\displaystyle \frac{Q}{4}}·m+e_1$ and $a=p·v+e_2$, where $v\in R_Q$ is a secret polynomial, and $e_1$, $e_2$ are selected from a distribution over a certain polynomial ring. We denote $\mathit{c}=(b,a_1,\dots ,a_k)\in R_Q^{k+1}$ as the multi-group RLWE ciphertext encrypted by the RLWE joint public keys of k groups, with the corresponding secret keys ${\left\{z_{i,j}\right\}}_{1\le i\le k,j\in \mathcal{G}i}$. The ciphertext satisfies $b+{\sum }_{i=1}^k{\sum }_{j\in {\mathcal{G}}_i}{a}_i·z_{i,j}\approx \Delta ·m$, where $\Delta$ is a scaling factor.

The encryption scheme in this paper is based on Boolean circuits. Since the NAND gate has functional completeness, we can use the NAND gate as the basic unit to construct any Boolean function. Since homomorphic computation is performed under the circuit model, the bootstrapping scheme introduced in this paper belongs to gate bootstrapping. That is, homomorphic decryption is performed immediately after computing a NAND gate, and the scaling factor is converted from ${\displaystyle \frac{q}{2}}$ to ${\displaystyle \frac{q}{4}}$ to support the next homomorphic NAND computation. After multiple gate bootstrapping operations, the decryption algorithm MGHE.Dec requires each party in each group to execute an interactive protocol called "distributed decryption" to ensure the security of the joint key. The current mainstream implementation is based on the smudging lemma in the AJL scheme [28]. Each party samples an super-polynomially large smudging noise $e_{smg}^{(i,j)}$ from a large noise distribution, computes $u_{i,j}+e_{smg}^{(i,j)}$ and broadcasts it to mask the intermediate results during the decryption process. To ensure the correctness of decryption, the ciphertext modulus also needs to be set very large. However, in our multi-group ciphertext bootstrapping algorithm based on NTRU and LWE, since the NTRU ciphertext modulus Q cannot be super-polynomially large, this method is not applicable.

For such schemes with limited ciphertext modulus, the KLO scheme proposed by Kraitsberg et al. [41] constructs a secure three-party distributed decryption protocol using garbled circuits, and the scheme can be extended to more parties. Although this decryption protocol requires additional communication overhead, no additional noise needs to be introduced, so the parameters of the encryption scheme do not need to be adjusted.

5. Bootstrapping for Multi-Group LWE Ciphertext

This section introduces how to bootstrap multi-group LWE ciphertexts. Bootstrapping can be divided into two parts: bootstrapping key generation and bootstrapping execution. The generation of the bootstrapping key uses additive secret sharing technology to compute the bootstrapping key related to the joint NTRU key $F=f_1{f}_2\dots f_k$. In addition, in additive secret sharing, the secret can be recovered by simply summing the secret shares held by each party. Therefore, we can design a multi-group hybrid product algorithm suitable for multi-group ciphertexts to realize the multiplication between different types of ciphertexts, and further construct a parallelizable bootstrapping algorithm.

5.1. Generating Polynomial Multiplication Triples

The multiplication triple $(a,b,c=a·b)$ was proposed by Beaver [42] to reduce the number of communication rounds in secret sharing multiplication, thereby converting communication overhead into precomputation overhead in the offline phase. Existing multiplication triple generation schemes mainly include the MASCOT scheme [43] based on Oblivious Transfer (OT) and the Low/High Gear scheme [44] based on Additive-only Homomorphic Encryption (AHE). However, the triple elements generated by these schemes are all values over the integer ring (field), which cannot be used for secret multiplication over the polynomial ring $R_Q$. Therefore, we design a multi-party multiplication triple generation algorithm TripleGen that supports polynomial secret multiplication according to the framework proposed in [45]. The algorithm comprises two sub-algorithms: the Setup sub-algorithm is used to initialize public parameters, and the EvalGen is used to generate triples.

• TripleGen.Setup(): Successively executes AHE.Setup, AHE.SKeyGen, AHE.PKeyGen, and AHE.JointPKeyGen, outputs public parameters $Params=(Q,t,N,{\chi }_{rk},{\chi }_{re},p)$, secret keys ${\left\{z_i\right\}}_{1\le i\le k}$ of each party, and joint public key $rjpk=(r,p)$.
• TripleGen.EvalGen($Params,{\left\{z_i\right\}}_{1\le i\le k},rjpk$): Takes the public parameters $Params$ output by TripleGen.Setup, the secret keys ${\left\{z_i\right\}}_{1\le i\le k}$ of each party, and the joint public key $rjpk$ as input, and outputs a random polynomial multiplication triple. The detailed specifications referred to Algorithm 2.

Algorithm 2 TripleGen($Params,{\left\{z_i\right\}}_{1\le i\le k},rjpk$).

When performing decryption in the fifth step, we also need to use a distributed decryption protocol. The difference is that party ${\mathcal{P}}_1$ does not need to broadcast its partial decryption result, while other parties need to send their partial decryption results to ${\mathcal{P}}_1$. This asymmetric decryption method ensures that no party other than ${\mathcal{P}}_1$ knows the decryption result.

Let the secrets corresponding to the triple shares output by the algorithm be $a,b,c$. Since we need $c=a·b$ to hold over the ring $R_Q$, the plaintext modulus t of AHE is required to be larger than the coefficients of c to ensure that the c output by the algorithm is not implicitly modulo t.

In the second step of the algorithm, party ${\mathcal{P}}_1$ broadcasts the ciphertext C, which encrypts ${\sum }_{i=1}^k{a}_i$, and the upper bound of its plaintext coefficients is k. In the third step, each party ${\mathcal{P}}_i$ computes the ciphertext $C_i^{\prime }$, which encrypts the plaintext $b_i·{\sum }_{i=1}^k{a}_i$, with the upper bound of coefficients being $kN$. Similarly, the ciphertext $C^{\prime }$ in the fifth step encrypts $\left({\sum }_{i=1}^k{a}_i\right)·\left({\sum }_{i=1}^k{b}_i\right)$, with the upper bound of plaintext coefficients being $k^{2}N$. The ciphertext $C^{\prime \prime }$ encrypts $c_1=\left({\sum }_{i=1}^k{a}_i\right)·\left({\sum }_{i=1}^k{b}_i\right)-{\sum }_{i=2}^k{c}_i$, with the upper bound of its coefficients being $k^{2}N+k-1$. Therefore, to ensure correctness, it is required that $t>2kN+k-1$.

5.2. Additive Secret Sharing over Polynomial Ring

In additive secret sharing, a secret dealer splits a secret into k secret shares and distributes them to k parties ${\mathcal{P}}_i(1\le i\le k)$. To reconstruct the secret, it is only necessary to simply sum the secret shares of each party. It should be noted that the secret cannot be reconstructed with fewer than k secret shares. The classic additive secret sharing is defined over the integer ring (field) [46], and we extend it to the polynomial ring $R_Q={\mathbb{Z}}_Q\left[X\right]/(X^N+1)$. Since the secret shares are elements over the polynomial ring, we add an automorphism algorithm. Therefore, additive secret sharing over polynomial rings has a total of 6 algorithms (all operations are implicitly performed over the polynomial ring $R_Q$), as follows.

• ASS.Split(s): Takes a secret $s\in R_Q$ belonging to ${\mathcal{P}}_i$ as input. For $1\le i\le k$, party ${\mathcal{P}}_i$ randomly selects $k-1$ elements ${\left[s\right]}_1,\dots ,{\left[s\right]}_{i-1},{\left[s\right]}_{i+1},\dots ,{\left[s\right]}_k$ in $R_Q$, computes ${\left[s\right]}_i=s-{\sum }_{j=1}^{i-1}{\left[s\right]}_j-{\sum }_{j=i+1}^k{\left[s\right]}_j$, and distributes the secret share ${\left[s\right]}_i$ of the secret s to party ${\mathcal{P}}_i$.
• ASS.Recover(${\left\{{\left[s\right]}_i\right\}}_{1\le i\le k}$): Each party ${\mathcal{P}}_i$ broadcasts the share ${\left[s\right]}_i$ of the secret s. After collecting ${\left\{{\left[s\right]}_j\right\}}_{1\le j\le k,j\ne i}$ sent by the other $k-1$ parties, computes $s={\sum }_{i=1}^k{\left[s\right]}_i$.
• ASS.Add(${\left\{{\left[x\right]}_i\right\}}_{1\le i\le k},{\left\{{\left[y\right]}_i\right\}}_{1\le i\le k}$): Takes the secret shares ${\left[x\right]}_i,{\left[y\right]}_i$ of secrets x and y as input. For $1\le i\le k$, party ${\mathcal{P}}_i$ locally computes ${\left[z\right]}_i={\left[x\right]}_i+{\left[y\right]}_i$, and outputs the secret shares ${\left\{{\left[z\right]}_i\right\}}_{1\le i\le k}$ of the secret $z=x+y$.
• ASS.ScalarMult($\alpha ,{\left\{{\left[x\right]}_i\right\}}_{1\le i\le k}$): Takes the secret shares ${\left[x\right]}_i$ of the secret x and a polynomial $\alpha \in R_Q$ as input. For $1\le i\le k$, party ${\mathcal{P}}_i$ locally computes ${\left[z\right]}_i=\alpha ·{\left[x\right]}_i$, and obtains the secret shares ${\left\{{\left[z\right]}_i\right\}}_{1\le i\le k}$ of the secret $z=\alpha ·x$.
• ASS.Mult(${\left\{{\left[x\right]}_i\right\}}_{1\le i\le k},{\left\{{\left[y\right]}_i\right\}}_{1\le i\le k},{\{{\left[a\right]}_i,{\left[b\right]}_i,{\left[c\right]}_i\}}_{1\le i\le k}$): Takes the secret shares ${\left[x\right]}_i$, ${\left[y\right]}_i$ of secrets x and y, and the secret shares ${\left[a\right]}_i$, ${\left[b\right]}_i$, ${\left[c\right]}_i$ of the multiplication triple $(a,b,c=a·b)$ as input. Each party ${\mathcal{P}}_i$ locally computes ${\left[u\right]}_i={\left[x\right]}_i-{\left[a\right]}_i$, ${\left[v\right]}_i={\left[y\right]}_i-{\left[b\right]}_i$ and broadcasts them. After receiving the broadcasts from other parties, party ${\mathcal{P}}_i$ locally recovers the secrets $u={\sum }_{i=1}^k{\left[u\right]}_i$ and $v={\sum }_{i=1}^k{\left[v\right]}_i$. For ${\mathcal{P}}_1$, locally computes ${\left[z\right]}_1=u·v+{\left[c\right]}_1+v·{\left[a\right]}_1+u·{\left[b\right]}_1$; for other parties ${\mathcal{P}}_i(2\le i\le k)$, locally computes ${\left[z\right]}_i={\left[c\right]}_i+v·{\left[a\right]}_i+u·{\left[b\right]}_i$.
• ASS.Auto(${\left\{{\left[x\right]}_i\right\}}_{1\le i\le k},{\tau }_t$): Takes the secret shares ${\left[x\right]}_i$ of the secret x and an automorphism ${\tau }_t:X\to X^t$ as input. For $1\le i\le k$, party ${\mathcal{P}}_i$ locally computes ${\left[z\right]}_i={\tau }_t\left({\left[x\right]}_i\right)$, and obtains the secret shares ${\left\{{\left[z\right]}_i\right\}}_{1\le i\le k}$ of the secret $z={\tau }_t\left(x\right)$.

In the same computation task, the multiplication triple input to the ASS.Mult algorithm cannot be reused; otherwise, other parties can infer the corresponding secret. For brevity, the parameter passed to ASS.Mult in the following is a set of triple slices, and the used triple is discarded after each call to secret multiplication. Meanwhile, if the number of parties k is already clear in the following, we will use $\left[x\right]$ instead of ${\left\{{\left[x\right]}_i\right\}}_{1\le i\le k}$ to denote the secret shares of the secret x.

5.3. Multi-Group Hybrid Product

The hybrid product algorithm was proposed by Chen et al. [18] in the MK-TFHE scheme in 2019 to support the product between multi-key RLWE ciphertexts and single-key Uni-Enc ciphertexts for constructing CMux gates in the multi-key scenario. Subsequently, Kwak [31] generalized it to support the multiplication of single-key RLEV ciphertexts and multi-key RLWE ciphertexts, thereby realizing the parallelization of blind rotation. In our parallelized bootstrapping scheme, since the intermediate ciphertext of bootstrapping is a single-group NTRU ciphertext rather than a single-key RLEV ciphertext, we propose a multi-group hybrid product algorithm to support the parallelization of bootstrapping, which includes the hybrid product key generation(MGHPKeyGen) , as well as the hybrid product(MGHybridProd) that takes scalar NTRU ciphertexts and multiple sets of ciphertexts as inputs.

• MGHPKeyGen(${\left\{z_j\right\}}_{j\in \mathcal{G}},\left[F\right]$): Takes the RLWE secret key $z_j$ of the j-th party ${\mathcal{P}}_j$ in group G and the secret share $\left[F\right]$ of the joint NTRU key F as input, randomly selects a common reference polynomial vector $\mathit{p}\in R^{d_{br}}$, each party selects a secret polynomial $r_j\leftarrow {\chi }_{nk}$ from the noise distribution over the ring R and noise polynomial vectors ${\mathit{e}}_j^{\left(0\right)},{\mathit{e}}_j^{\left(1\right)},{\mathit{e}}_j^{\left(2\right)}\leftarrow {\chi }_{ne}^{d_{br}}$. Denote $B_{br}$ and $d_{br}$ as the decomposition base and decomposition degree of the ciphertext modulus Q respectively, and ${\mathit{g}}_{B_{br}}$ as the corresponding decomposition vector. For $j\in \mathcal{G}$, compute

  $${\mathit{H}}_j=-\mathit{p}·z_j+{\mathit{e}}_j^{\left(0\right)},\tilde{\mathit{H}}=\sum _{j\in \mathcal{G}}{\mathit{H}}_j\in R_Q^{d_{br}},$$

  (11)

  $${\mathit{I}}_{j,0}\leftarrow {\chi }_{ne}^{d_{br}},{\tilde{\mathit{I}}}_0=\sum _{j\in \mathcal{G}}{\mathit{I}}_{j,0}\in R_Q^{d_{br}},$$

  (12)

  $${\mathit{I}}_{j,1}=\mathit{p}·r_j+{\left[F\right]}_j·{\mathit{g}}_{B_{br}}+{\mathit{e}}_j^{\left(1\right)},{\tilde{\mathit{I}}}_1=\sum _{j\in \mathcal{G}}{\mathit{I}}_{j,1}\in R_Q^{d_{br}},$$

  (13)

  $${\mathit{I}}_{j,2}=-{\tilde{\mathit{I}}}_0·z_j+r_j·{\mathit{g}}_{B_{br}}+{\mathit{e}}_j^{\left(2\right)},{\tilde{\mathit{I}}}_2=\sum _{j\in \mathcal{G}}{\mathit{I}}_{j,2}\in R_Q^{d_{br}},$$

  (14)
  Then output $\tilde{\mathit{H}},HPK={\tilde{\mathit{I}}}_0,{\tilde{\mathit{I}}}_1,{\tilde{\mathit{I}}}_2$.
• MGHybridProd(${\left\{{\tilde{\mathit{H}}}_l\right\}}_{1\le l\le k},HP{K}_i,ct,{\tilde{\mathit{c}}}_i$): Takes the MGRLWE public keys ${\left\{{\tilde{\mathit{H}}}_l\right\}}_{1\le l\le k}$, the $HP{K}_i$ output by the i-th group after executing MGHPKeyGen, the multi-group RLWE ciphertext $ct=(c_0,\dots ,c_k)\in R_Q^{k+1}$ encrypting the plaintext m, and the vector NTRU ciphertext ${\tilde{\mathit{c}}}_i=NTR{U}_{Q,Fi,B_{br}}^{\prime }\left({\displaystyle \frac{m}{F_i}}\right)$ encrypting the plaintext $\mu$ as input. For $0\le l\le k$, let ${\tilde{\mathit{H}}}_0=-\mathit{p}$, where $\mathit{p}$ is the polynomial vector shared by multiple groups in MGHPKeyGen, computes

  $$y_l=c_l⊡{\tilde{\mathit{c}}}_i,u_l=y_l⊡{\tilde{\mathit{I}}}_{i,1},v=\sum _{l=0}^k{y}_l⊡{\tilde{\mathit{H}}}_l$$

  (15)

  then update

  $$c_l^{\prime }=\left\{\begin{array}{c}\hfill u_0+v⊡{\tilde{\mathit{I}}}_{i,2},l=0\\ \hfill u_l+v⊡{\tilde{\mathit{I}}}_{i,0},l=i\\ \hfill u_l,otherwise\end{array}\right.$$

  (16)
  Outputs the multi-group RLWE ciphertext $c{t}^{\prime }=(c_0^{\prime },\dots ,c_k^{\prime })\in R_Q^{k+1}$ encrypting the plaintext $\mu ·m$.

5.4. Other Core algorithms for Bootstrapping

This subsection introduces other core algorithms for multi-group ciphertext bootstrapping, including the group registration algorithm Enroll for generating auxiliary material of the bootstrapping key, the JBRKGen algorithm for generating the joint bootstrapping key, the sample extraction algorithm SampleExt for extracting multi-group LWE ciphertexts from multi-group RLWE ciphertexts, the ModSwitch algorithm for switching the modulus of multi-group LWE ciphertexts, the algorithm LKSKeyGen for generating LWE key switching keys, and the LKeySwitch algorithm for switching LWE ciphertext keys.

• Enroll(${\{{\mathit{s}}_j,f_j\}}_{j\in \mathcal{G}}$): Takes the LWE secret key ${\mathit{s}}_j$ and its corresponding NTRU key $f_j$ of each party ${\mathcal{P}}_j$ in a group $\mathcal{G}$ as input, and outputs $SF,SIF,SSK,SNSSK$, which respectively denote the secret share of the joint NTRU key F, the secret share of $F^{-1}$(multiplicative inverse of F), the secret share of the secret key, and the secret share of the negative sum secret keys. The algorithm is presented as shown in Algorithm 3.

Algorithm 3:$\mathrm{Enroll}({\{{\mathit{s}}_j,f_j\}}_{j\in \mathcal{G}},Triples)$.

The secret shares $SF$, $SIF$ ,$SSK$, $SNSSK$ are key information for generating the evaluation key $EVK$ in the XZD scheme. After obtaining the share sets of these four components, we can easily generate the joint bootstrapping key(multi-group version of $EVK$) in the multi-group scenario using additive secret sharing.

• JBRKGen($SF,SIF,SSK,SNSSK,Triples$): Takes $SF$, $SIF$, $SSK$, $SNSSK$ output by the Enroll algorithm and a set of multiplication triples $Triples$ as input, outputs the joint bootstrapping key $JEVK$. The details are as shown in Algorithm 4.

Algorithm 4 JBRKGen($SF,SIF,SSK,SNSSK,Triples$).

The above algorithm generates multi-group version of the $EVK$ in the XZD scheme via additive secret sharing; specifically, it implements the encryption algorithm in the FINAL scheme using various algorithms under the framework of additive secret sharing, and completes the encryption of the relevant keys in accordance with the flow of BRKGen algorithm in the XZD scheme.

• SampleExt($\mathit{c}$): Takes the MGRLWE ciphertext $\mathit{c}=(c_0,...,c_k)\in R_Q^{k+1}$ as input, denotes $c_{i,j}$ as the j-th coefficient of the polynomial $c_i$, sets $c_0^{\prime }=c_{0,0}$ and ${\mathit{c}}_i^{\prime }=(c_{i,0},-c_{i,N-1},...,-c_{i,1})$ for $1\le i\le k$, and outputs $\tilde{\mathit{c}}=(c_0^{\prime },{\mathit{c}}_1^{\prime },...,{\mathit{c}}_k^{\prime })\in {\mathbb{Z}}_Q^{kn+1}$.
• ModSwitch($\tilde{\mathit{c}},Q,q$): Takes the MGLWE ciphertext $\tilde{\mathit{c}}=\left(c_0,{\mathit{c}}_1,\dots ,{\mathit{c}}_k\right)$, the original modulus Q and the new modulus q as input, computes $c_0^{\prime }=⌊{\displaystyle \frac{q}{Q}}·c_0⌉$ and ${\mathit{c}}_i^{\prime }=⌊{\displaystyle \frac{q}{Q}}·{\mathit{c}}_i⌉$ for $1\le i\le k$, and outputs the new ciphertext ${\tilde{c}}^{\prime }=\left(c_0^{\prime },{\mathit{c}}_1^{\prime },\dots ,{\mathit{c}}_k^{\prime }\right)$.
• LKSKeyGen(${\mathit{z}}_j,{\mathit{s}}_j$): Takes the LWE secret keys ${\mathit{z}}_j=\left(z_{j,1},\dots ,z_{j,N}\right)\in {\mathbb{Z}}^N$ and ${\mathit{s}}_j=\left(s_{j,1},\dots ,s_{j,n}\right)\in {\mathbb{Z}}^n$ of party ${\mathcal{P}}_j$ in the group $\mathcal{G}$ as input, randomly selects a matrix $A_l\in {\mathbb{Z}}_{q_{ks}}^{d\times n}$ within the group, randomly samples the noise ${\mathit{e}}_{j,l}\leftarrow {\chi }_{le}^{d_{ks}}$ for $1\le l\le N$, computes ${\mathit{b}}_{j,l}=-A_l·{\mathit{s}}_j+{\mathit{e}}_{j,l}+z_{j,l}·{\mathit{g}}_{B_{ks}}$ , denotes ${\tilde{\mathit{b}}}_l={\sum }_{j\in \mathcal{G}}{\mathit{b}}_{j,l}\in {\mathbb{Z}}_{q_{ks}}^{d_{ks}}$, and outputs $LKS{K}_l={\left\{\left({\tilde{\mathit{b}}}_l,A_l\right)\right\}}_{1\le l\le N}$.
• LKeySwitch($\mathit{c},{\left\{LKS{K}_i\right\}}_{1\le i\le k}$): Takes the MGLWE ciphertext $\mathit{c}=\left(c_0,{\mathit{c}}_1,\dots ,{\mathit{c}}_k\right)\in {\mathbb{Z}}^{kN+1}$ as well as the key switching key $LKS{K}_i={\left\{\left({\tilde{\mathit{b}}}_{i,l},A_{i,l}\right)\right\}}_{1\le l\le N}$ for the i-th group as input, denotes ${\mathit{c}}_i=\left(c_{i,1},\dots ,c_{i,N}\right)$ for $1\le i\le k,1\le l\le N$, computes $c_0^{\prime }=c_0+{\sum }_{i=1}^k{\sum }_{l=1}^N{\left({\mathfrak{g}}_{B_{ks}}^{-1}\left(c_{i,l}\right)\right)}^T·{\tilde{\mathit{b}}}_{i,l}\in {\mathbb{Z}}_{q_{ks}}$, ${\mathit{c}}_i^{\prime }={\sum }_{l=1}^N{\left({\mathfrak{g}}_{B_{ks}}^{-1}\left(c_{i,l}\right)\right)}^T·A_{i,l}\in {\mathbb{Z}}_{q_{ks}}^n$, and outputs ${\tilde{c}}^{\prime }=\left(c_0^{\prime },{\mathit{c}}_1^{\prime },\dots ,{\mathit{c}}_k^{\prime }\right)\in {\mathbb{Z}}_{q_{ks}}^{kn+1}$.

5.5. Parallelizable Multi-Group Ciphertext Bootstrapping Algorithm

In this subsection, we formally describe the multi-group LWE ciphertext bootstrapping algorithm based on LWE and NTRU proposed in this paper. The algorithm takes a multi-group LWE ciphertext to be bootstrapped and some precomputed bootstrapping materials as inputs, and outputs a multi-group LWE ciphertext with a lower noise that encrypts the same plaintext.

In the proposed multi-group homomorphic encryption scheme, bootstrapping involves three types of keys: LWE secret keys, RLWE secert keys, and NTRU keys. For $1\le i\le k$ and $j\in {\mathcal{G}}_i$, let ${\mathit{s}}_{i,j}\leftarrow {\chi }_{lk}^n$, $z_{i,j},f_{i,j}\leftarrow {\chi }_{nk}$ denote the LWE secret key, RLWE secret key, and NTRU key of ${\mathcal{P}}_{i,j}$, respectively. Let Q, $q_{ks}$, and q denote the ciphertext modulus of NTRU/MGRLWE, the LWE key switching modulus, and the LWE bootstrapping modulus, respectively, with $d_{br}=\lceil {log}_{B_{br}}Q\rceil$. We define the following precomputed materials.

1.

Set of multiplication triples: $Triples\leftarrow$ TripleGen.

2.

Secret shares generated by Enroll algorithm of parties ${\mathcal{P}}_{i,j}$ in group ${\mathcal{G}}_i$:

$S{F}_i,SI{F}_i,SS{K}_i,SNSS{K}_i\leftarrow$ Enroll.

3.

Joint bootstrapping key of group ${\mathcal{G}}_i$: $JEV{K}_i\leftarrow$ JBRKGen.

4.

Multi-group hybrid product key of group ${\mathcal{G}}_i$: ${\tilde{\mathit{H}}}_i,HP{K}_i\leftarrow$ MGHPKeyGen.

5.

LWE key switching key of group ${\mathcal{G}}_i$: $LKS{K}_i\leftarrow$ LKSKeyGen.

We define the multi-group ciphertext bootstrapping algorithm BootMGCT in Algorithm 5.

Algorithm 5$\mathrm{BootMGCT}(\mathit{c},r\left(X\right),{\left\{JEV{K}_i\right\}}_{1\le i\le k},{\left\{HP{K}_i\right\}}_{1\le i\le k},{\left\{LKS{K}_i\right\}}_{1\le i\le k})$.

Line 1 of the algorithm stores the rotation polynomial into the accumulator ($ACC$). Lines 3 to 5 compute the ciphertext ${\mathrm{NTRU}}_{Q,F_i,B_{br}}^{\prime }\left({\displaystyle \frac{X^{{\sum }_{j\in {\mathcal{G}}_i}\langle {\mathit{a}}_i,{\mathit{s}}_{i,j}\rangle }}{F_i}}\right)$. These two values are taken as inputs to perform k rounds of iteration(MGHybridProd), outputting the multi-group RLWE (MGRLWE) ciphertext encrypted under the joint RLWE public key of each group, wherein the ciphertext encrypt the value of $L\left(X\right)=\lfloor {\displaystyle \frac{Q}{8}}\rceil ·r\left(X^{{\displaystyle \frac{2N}{q}}}\right)·X^{{\displaystyle \frac{2N}{q}}(b+{\sum }_{i=1}^k{\sum }_{j\in {\mathcal{G}}_i}\langle {\mathit{a}}_i,{\mathit{s}}_{i,j}\rangle )}$. The exponent part of the monomial $r\left(X^{{\displaystyle \frac{2N}{q}}}\right)·X^{{\displaystyle \frac{2N}{q}}(b+{\sum }_{i=1}^k{\sum }_{j\in {\mathcal{G}}_i}\langle {\mathit{a}}_i,{\mathit{s}}_{i,j}\rangle )}$ corresponds to the decryption formula of MGLWE ciphertexts. The SampleExt algorithm in Line 11 outputs the LWE ciphertext that encrypts the first coefficient of $L\left(X\right)$ under the encryption of the RLWE secret key coefficient vector. Since its first coefficient is either -1 or 1, Step 12 accumulates $({\displaystyle \frac{Q}{8}},\mathbf{0},\dots ,\mathbf{0})$ into ACC, mapping its value to either 0 or 1. After the subsequent steps of the algorithm, a low-noise MGLWE ciphertext with ${\displaystyle \frac{q}{4}}$ as the scaling factor is output.

6. Noise Analysis

This section analyzes the noise generated by the proposed bootstrapping algorithm. For an input multi-group LWE ciphertext $\mathit{c}$, the noise of the output ciphertext ${\mathit{c}}^{\prime }$ originates from BREval, MGHybridProd, ModSwitch, and LKeySwitch. We analyze the noise output by each of these algorithms separately, and finally derive the total noise output by the bootstrapping algorithm.

The LWE scheme has parameters $q^{\prime }$, q, $q_{ks}$, $B_{ks}$, $d_{ks}$, n, which correspond to the LWE ciphertext modulus of MGHE.Enc, the LWE ciphertext modulus for bootstrapping, the ciphertext modulus for key switching, the gadget decomposition base, the gadget decomposition degree, and the LWE dimension, respectively. The RLWE/NTRU scheme has parameters Q, $B_{br}$, $d_{br}$, N, which correspond to the RLWE/NTRU ciphertext modulus, the corresponding gadget decomposition base, the gadget decomposition degree, and the degree of the polynomial in the RLWE/NTRU ciphertext, respectively. Two bootstrapping schemes are involved in the bootstrapping process: LWE and RLWE/NTRU, with noise distributions ${\chi }_{le}$ and ${\chi }_{ne}$ (corresponding variances ${\sigma }_{le}^{2}2$ and ${\sigma }_{ne}^2$) and key distributions ${\chi }_{lk}$ and ${\chi }_{nk}$ (corresponding variances ${\sigma }_{lk}^2$ and ${\sigma }_{nk}^2$), respectively. For the convenience of analysis, we assume that there are k groups participating in the computation, and each group has K parties.

Lemma 2.

Noise Variance of BREval [20]

Let ${\sigma }_{brk}^2$ denote the noise variance of the input $jevk$, $jnksk$. For the ciphertext c output by the BREval algorithm, the noise variance of c satisfies

$$Var\left(err\left(c\right)\right)\le \left(2n+1\right)·N{d}_{br}{\displaystyle \frac{B_{br}^2}{12}}·{\sigma }_{ne}^2.$$

(17)

Proof. 

The BREval algorithm performs at most $2n+1$ external products between scalar NTRU ciphertexts and vector NTRU ciphertexts. The rotation polynomial can be regarded as a vector NTRU ciphertext with zero noise. Hence, we complete the proof via Lemma 1.

Lemma 3.

Noise Variance of MGHybridProd

Given a multi-group RLWE ciphertext c with noise variance $Var\left(err\right(c\left)\right)$, the noise $err\left(c^{\prime }\right)$ of the ciphertext $c^{\prime }$ output by the MGHybridProd algorithm satisfies

$$\begin{array}{cc}\hfill Var\left(err\left(c^{\prime }\right)\right)& =Var\left(err\left(c\right)\right)+{\displaystyle \frac{Kk{d}_{br}{N}^2{B}_{br}^2{\sigma }_{ne}^{2}Var\left(err\left({\tilde{\mathit{c}}}_i\right)\right)}{12}}\hfill \\ \hfill & +{\displaystyle \frac{K^{2}k{d}_{br}{B}_{br}^2{\sigma }_{nk}^2{\sigma }_{ne}^2}{6}}\hfill \\ \hfill & +{\displaystyle \frac{(2k{\sigma }_{ne}^2+Var\left(err\left({\tilde{\mathit{c}}}_i\right)\right)d_{br}{B}_{br}^2}{12}}.\hfill \end{array}$$

(18)

Proof. 

Assume that the noise variance of the multi-group RLWE ciphertext c encrypting the plaintext m before MGHybridProd is $Var\left(err\right(c\left)\right)$, and the noise variance of the ciphertext $c^{\prime }$ encrypting the plaintext $\mu m$ after MGHybridProd is $Var\left(err\left(c^{\prime }\right)\right)$. Let Z denote the group joint RLWE secret key, and R, E denote the sums of r and e defined in the algorithm, respectively. According to the MGHybridProd algorithm, the noise $err\left(c^{\prime }\right)$ of the new ciphertext satisfies

$$\begin{array}{cc}\hfill err\left(c^{\prime }\right)& =\left(\sum _{l=0}^k{c}_l^{\prime }·Z_l\right)-{\displaystyle \frac{Q}{4}}\mu m\hfill \\ \hfill & =\mu ·err\left(c\right)+\left(\sum _{l=0}^k{Z}_l·err\left(y_l\right)\right)+R_i\left(\sum _{l=1}^k{y}_l⊡{\mathit{E}}_l^{\left(0\right)}\right)\hfill \\ \hfill & +\left(\sum _{l=0}^k{y}_l⊡{\mathit{E}}_i^{\left(0\right)}·Z_l\right)+\left(v⊡{\mathit{E}}_i^{\left(2\right)}\right),\hfill \end{array}$$

(19)

Given that $\mu$ is a monomial with an absolute coefficient value of 1, the variance of the first term is $Var\left(err\left(c\right)\right)$. Since $err\left(y_l\right)=err\left(c_l⊡{\tilde{\mathit{c}}}_i\right)$, it follows from Lemma 1 that $err\left(y_l\right)=d_{br}N{\displaystyle \frac{B_{br}^2}{12}}·err\left({\tilde{\mathit{c}}}_i\right)$. As $Z_0=1$ and $Z_l$ is the sum of the RLWE secret keys held by K parties, we can derive that $Var\left(Z_l\right)=K{\sigma }_{nk}^2$. Accordingly, the variance corresponding to the second term in the noise expression is $\left(1+Kk{\sigma }_{nk}^{2}N\right)d_{br}N{\displaystyle \frac{B_{br}^2}{12}}\mathrm{Var}\left(err\left({\tilde{\mathit{c}}}_i\right)\right)$. On the other hand, $R_i$ and ${\mathit{E}}_l^{\left(0\right)}$ are both accumulations of random variables independently selected by K parties, which means their variances are $K{\sigma }_{nk}^2$ and $K{\sigma }_{ne}^2$, respectively. Based on this, the variance of the third term in the expression can be expressed as $Kk{\sigma }_{nk}^2{d}_{br}N{\displaystyle \frac{B_{br}^2}{12}}·\left(K{\sigma }_{ne}^2\right)$. Similarly, the variance of the fourth term is given by ${\displaystyle \frac{d_{br}N\left(K{\sigma }_{ne}^2\right)B_{br}^2}{12}}+{\displaystyle \frac{Kk{\sigma }_{nk}^2{d}_{br}N\left(K{\sigma }_{ne}^2\right)B_{br}^2}{12}}$, and the variance of the last term is ${\displaystyle \frac{d_{br}N·\left(K{\sigma }_{ne}^2\right)B_{br}^2}{12}}$. By integrating and rearranging all the aforementioned variance terms, the lemma is thus proved. □

Lemma 4.

Noise Variance of ModSwitch

Given positive integers Q, q, a multi-group LWE ciphertext $\mathit{c}=({\mathit{c}}_0,{\mathit{c}}_1,\dots ,{\mathit{c}}_k)$ with noise variance $Var\left(err\right(\mathit{c}\left)\right)$, and the corresponding joint LWE secret key $\mathit{s}$, a new ciphertext ${\mathit{c}}^{\prime }$ is obtained after modulus switching. The noise $err\left({\mathit{c}}^{\prime }\right)$ of the new ciphertext satisfies

$$Var\left(err\left({\mathit{c}}^{\prime }\right)\right)={\displaystyle \frac{q^2}{Q^2}}·Var\left(err\left(\mathit{c}\right)\right)+{\displaystyle \frac{1+Kkn·{\sigma }_{lk}^2}{12}}$$

(20)

Proof. 

Consider an original ciphertext $\mathit{c}=(b,{\mathit{a}}_1,\dots ,{\mathit{a}}_k)$ with modulus q, LWE dimension n, and secret keys ${\mathit{s}}_{i,j}$ of each party in each group, which needs to be switched to modulus Q. After modulus switching, $c^{\prime }=(b^{\prime },{\mathit{a}}_1^{\prime },\dots ,{\mathit{a}}_k^{\prime })$, where $b^{\prime }=⌊{\displaystyle \frac{q}{Q}}·b⌉={\displaystyle \frac{q}{Q}}·b+ϵ,{\mathit{a}}_i^{\prime }=\left(⌊{\displaystyle \frac{q}{Q}}·a_{i,1}⌉,\dots ,⌊{\displaystyle \frac{q}{Q}}·a_{i,n}⌉\right)=\left({\displaystyle \frac{q}{Q}}·a_{i,1}+ϵ,\dots ,{\displaystyle \frac{q}{Q}}·a_{i,n}+ϵ\right)$. Here, $ϵ$ denotes the rounding error, which follows a uniform distribution over $\left(-{\displaystyle \frac{1}{2}},{\displaystyle \frac{1}{2}}\right)$. The noise satisfies $e^{\prime }=b^{\prime }-{\sum }_{i=1}^k{\sum }_{j=1}^K〈{\mathit{a}}_i^{\prime },{\mathit{s}}_{i,j}〉-{\displaystyle \frac{q}{4}}m={\displaystyle \frac{q}{Q}}e+ϵ-{\sum }_{i=1}^k{\sum }_{j=1}^K〈ϵ,{\mathit{s}}_{i,j}〉$, thus $Var\left(err\left({\mathit{c}}^{\prime }\right)\right)={\displaystyle \frac{q^2}{Q^2}}err\left(\mathit{c}\right)+{\displaystyle \frac{1+Kkn·{\sigma }_{lk}^2}{12}}$. □

Lemma 5.

Noise Variance of LKeySwitch

Given a multi-group LWE ciphertext $\mathit{c}=(b,{\mathit{a}}_1,\dots ,{\mathit{a}}_k)$ with LWE dimension N encrypted under k joint RLWE secret key coefficient vectors ${\mathit{z}}_i,(1\le i\le k)$, the LWE key switching algorithm outputs a multi-group LWE ciphertext ${\mathit{c}}^{\prime }=(b^{\prime },{\mathit{a}}_1^{\prime },\dots ,{\mathit{a}}_k^{\prime })$ with LWE dimension n encrypted under k LWE joint secret keys ${\mathit{s}}_i$. The noise variance of the new ciphertext ${\mathit{c}}^{\prime }$ satisfies

$$Var\left(err\left(c^{\prime }\right)\right)=Var(err\left(c\right)+{\displaystyle \frac{KkN{d}_{ks}{B}_{ks}^2{\sigma }_{le}^2}{12}}.$$

(21)

Proof. 

The components of the joint LWE secret key corresponding to the ciphertext ${\mathit{c}}^{\prime }=(b^{\prime },{\mathit{a}}_1^{\prime },\dots ,{\mathit{a}}_k^{\prime })$ output by the LKeySwitch algorithm are denoted by ${\mathit{s}}_i$. The corresponding noise ${\mathit{e}}^{\prime }$ satisfies

$$\begin{array}{cc}\hfill e^{\prime }& =b^{\prime }+\sum _{i=1}^K\langle {\mathit{a}}_i^{\prime },{\mathit{s}}_i\rangle -{\displaystyle \frac{q}{4}}m\hfill \\ \hfill & =b+\sum _{i=1}^K\sum _{l=0}^{N-1}{\mathfrak{g}}_{B_{ks}}^{-1}{\left(a_{i,l}\right)}^T·({\mathit{g}}_{B_{ks}}·z_{i,l}+e_{i,l})-{\displaystyle \frac{q}{4}}m\hfill \\ \hfill & =b+\sum _{i=1}^K\sum _{l=0}^{N-1}{a}_{i,l}·z_{i,l}+\sum _{i=1}^K\sum _{l=0}^{N-1}{\mathfrak{g}}_{B_{ks}}^{-1}{\left(a_{i,l}\right)}^T·e_{i,l}-{\displaystyle \frac{q}{4}}m\hfill \\ \hfill & =e+\sum _{i=1}^K\sum _{l=0}^{N-1}{\mathfrak{g}}_{B_{ks}}^{-1}{\left(a_{i,l}\right)}^T·e_{i,l}.\hfill \end{array}$$

(22)

Since the variance of $e_{i,l}$ is $K{\sigma }_{le}^2$, it follows that $Var\left(err\left(c^{\prime }\right)\right)=Var(err\left(\mathit{c}\right)+{\displaystyle \frac{KkN{d}_{ks}{B}_{ks}^2{\sigma }_{le}^2}{12}}$.

Theorem 1.

Noise Variance of the Multi-Key Bootstrapping Algorithm

Given a ciphertext $\mathit{c}$ to be bootstrapped with noise variance $Var\left(err\right(\mathit{c}\left)\right)$, a rotation polynomial r, joint bootstrapping keys ${\left\{JEV{K}_i\right\}}_{1\le i\le k}$, hybrid product keys ${\left\{HP{K}_i\right\}}_{1\le i\le k},{\left\{{\tilde{\mathit{H}}}_i\right\}}_{0\le i\le k}$, and LWE key switching keys ${\left\{LKS{K}_i\right\}}_{1\le i\le k}$, the noise variance of the new ciphertext output by the BootMGCT algorithm, denoted as $Var\left(err\left({\mathit{c}}^{\prime }\right)\right)$, satisfies

$$\begin{array}{cc}\hfill Var\left(err\left({\mathit{c}}^{\prime }\right)\right)& ={\displaystyle \frac{q^{2}Kk\left(k+1\right)d_{br}^2{N}^3\left(2n+1\right)B_{br}^4{\sigma }_{ne}^4}{288Q^2}}\hfill \\ \hfill & +{\displaystyle \frac{q^2{K}^{2}k\left(k+1\right)d_{br}{B}_{br}^2{\sigma }_{nk}^2{\sigma }_{ne}^2}{12Q^2}}\hfill \\ \hfill & +{\displaystyle \frac{q^{2}k{d}_{br}{B}_{br}^2}{144Q^2}}\left(24K+d_{br}N\left(2n+1\right)B_{br}^2\right){\sigma }_{ne}^2\hfill \\ \hfill & +{\displaystyle \frac{q^2\left(1+KkN{\sigma }_{lk}^2\right)+q_{ks}^2\left(1+Kkn{\sigma }_{lk}^2\right)}{12q_{ks}^2}}\hfill \\ \hfill & +{\displaystyle \frac{q^{2}KkN{d}_{ks}{B}_{ks}^2{\sigma }_{le}^2}{12q_{ks}^2}}.\hfill \end{array}$$

(23)

Proof. 

According to Lemma 2, the noise variance of ${\tilde{\mathit{c}}}_i$ input to MGHybridProd is $\left(2n+1\right)·N{d}_{br}{\displaystyle \frac{B_{br}^2}{12}}·{\sigma }_{ne}^2$, denoted as ${\sigma }_{br}^2$. Before entering the i-th loop in Line 9 of the algorithm, the last $k-i$ terms of the multi-group RLWE ciphertext stored in ACC are all zero, so no noise accumulates. According to Lemma 3, after executing the MGHybridProd loop in Line 9, the noise variance of the ciphertext is ${\sigma }_{hp}^2={\displaystyle \frac{Kk\left(k+1\right)d_{br}{N}^2{B}_{br}^2{\sigma }_{ne}^2{\sigma }_{br}^2}{24}}+{\displaystyle \frac{K^{2}k\left(k+1\right)d_{br}{B}_{br}^2{\sigma }_{nk}^2{\sigma }_{ne}^2}{12}}+{\displaystyle \frac{k\left(2K{\sigma }_{ne}^2+{\sigma }_{br}^2\right)d_{br}{B}_{br}^2}{12}}$. According to Lemma 4, after the modulus switching in Line 12, the noise variance of the ciphertext is ${\sigma }_{m{s}_1}^2={\displaystyle \frac{q_{ks}^2}{Q^2}}{\sigma }_{hp}^2+{\displaystyle \frac{1+KkN{\sigma }_{lk}^2}{12}}$. According to Lemma 5, after the LWE key switching in Line 13, the noise variance of the ciphertext is ${\sigma }_{ks}^2={\sigma }_{m{s}_1}^2+{\displaystyle \frac{KkN{d}_{ks}{B}_{ks}^2{\sigma }_{le}^2}{12}}$. Similar to the first modulus switching, the noise after the second modulus switching in Line 14 of the algorithm is ${\sigma }_{m{s}_2}^2={\displaystyle \frac{q^2}{q_{ks}^2}}{\sigma }_{ks}^2+{\displaystyle \frac{1+Kkn{\sigma }_{lk}^2}{12}}$. The theorem is proved by combining the above results.

□

7. Parameters and Implementation

7.1. Security Model and Security Analysis

The proposed scheme is divided into an offline phase and an online phase. The offline phase refers to the key generation phase, which is distinguished from the online phase of computing the target function. Since the security of the online phase has been proven in [20,31], we focus on the security proof of the offline phase.

Under the semi-honest adversary model, the additive secret sharing (ASS) over the polynomial ring $R_Q={\mathbb{Z}}_Q\left[X\right]/(X^N+1)$ ensures secret confidentiality through strict share randomness and operational security. In the secret splitting phase (ASS.Split), a secret $s\in R_Q$ is split into k shares, where $k-1$ shares are uniformly randomly selected from $R_Q$, and only the remaining 1 share is determined by the difference between the secret and other shares. This ensures that any subset of shares from fewer than k parties contains no valid information about the secret, and the adversary cannot infer the secret from the subset of shares. Secret addition (ASS.Add), scalar multiplication (ASS.ScalarMult), and automorphism (ASS.Auto) are all completed through local computations by parties, and new secret shares can be generated without interaction, avoiding the leakage of intermediate information. Secret multiplication (ASS.Mult) relies on Beaver multiplication triple $\left(\right[a],[b],[c\left]\right)$, as long as the same triple is not reused, the adversary cannot obtain the original secret through intermediate differences [42]. The security of the triple generation protocol directly depends on the RLWE-based additive homomorphic encryption (AHE) scheme, and the security of AHE is based on the computational hardness of the decisional RLWE problem. Thus, semi-honest adversaries cannot obtain secrets from the triple generation process.

Additive secret sharing is used in the Enroll algorithm, JBRKGen algorithm, and MGHPKeyGen algorithm. The Enroll algorithm does not involve secret reconstruction, so the security of the Enroll algorithm is equivalent to that of additive secret sharing. The JBRKGen and MGHPKeyGen algorithms need to obtain vector NTRU ciphertexts and RLWE ciphertexts through secret reconstruction, without directly leaking key information.

In summary, the offline phase of the proposed scheme can guarantee privacy under the semi-honest adversary model. The semantic security (IND-CPA) of the online phase can be directly derived based on the decisional LWE/RLWE problem, decisional NTRU problem, and decisional vectorized NTRU problem through conventional security reduction methods.

7.2. Parameter Selection

We consider the parameter selection of the multi-group homomorphic encryption scheme from two dimensions: usability and security. Usability means that the set parameters must ensure that the noise size of the ciphertext is always within a specified range to maintain the correctness of the decryption process. Security means that the parameter configuration should be able to resist common attack algorithms, making it impossible for attackers to successfully crack the scheme within the scope of computational feasibility.

According to Lemma 7 of the FHEW scheme [27], for two LWE ciphertexts $c_1$, $c_2$ encrypting plaintexts $m_1,m_2\in {\mathbb{Z}}_2$ with noises $e_1,e_2$ respectively, after performing the homomorphic NAND operation, the noise $e^{\prime }$ of the new ciphertext $c^{\prime }$ satisfies $e^{\prime }=e_1+e_2\pm {\displaystyle \frac{q}{8}}$. At this time, the scaling factor corresponding to the ciphertext is ${\displaystyle \frac{q}{2}}$, so the absolute value of the noise $e^{\prime }$ needs to satisfy $|{\displaystyle \frac{2e^{\prime }}{q}}|<{\displaystyle \frac{1}{2}}$, i.e., $\left|e^{\prime }\right|<{\displaystyle \frac{q}{4}}$. Therefore, the sum of the noises of the two ciphertexts undergoing the homomorphic NAND gate needs to satisfy $\left|e_1+e_2\right|<{\displaystyle \frac{q}{8}}$. In gate bootstrapping, we need to control the upper noise bound of the two input ciphertexts, i.e., the upper noise bound of each ciphertext after bootstrapping needs to be lower than ${\displaystyle \frac{q}{16}}$. To ensure the correctness of decryption, the upper noise bound of each step in the bootstrapping algorithm is also required not to exceed the threshold ${\displaystyle \frac{Q_i}{16}}$, where $Q_i$ is the ciphertext modulus of the current ciphertext. We use 6 times the standard deviation as the high-probability upper bound of the noise. Based on the noise variances of ciphertexts at different stages listed in the noise analysis, we obtain the constraints

$$6{\sigma }_{br}<{\displaystyle \frac{Q}{16}},6{\sigma }_{hp}<{\displaystyle \frac{Q}{16}},6{\sigma }_{m{s}_1}<{\displaystyle \frac{q_{ks}}{16}},6{\sigma }_{ks}<{\displaystyle \frac{q_{ks}}{16}},6{\sigma }_{m{s}_2}<{\displaystyle \frac{q}{16}},$$

(24)

which serve as one of the bases for parameter selection. The LWE secret key distribution is a symmetric three-point distribution over $\{-1,0,1\}$, where the probability of taking values -1 and 1 is ${\displaystyle \frac{1}{4}}$, and the probability of taking value 0 is ${\displaystyle \frac{1}{2}}$. The noise of the LWE scheme is sampled from a discrete Gaussian distribution with the mean of 0 and the standard deviation of 3. For the keys and noises of the NTRU and RLWE schemes, we also use the above two distributions respectively. Sampling a polynomial means sequentially sampling coefficients from the distribution, so ${\sigma }_{lk}^2={\sigma }_{nk}^2={\displaystyle \frac{1}{2}},{\sigma }_{le}^2={\sigma }_{ne}^2=9$.

From the noise analysis, the noise level of NTRU ciphertexts reaches its peak after executing the MGHybridProd operation. At this time, the NTRU modulus Q satisfies $Q=O\left(N^{1.5}\right)<O\left(N^{2.484}\right)$. From the perspective of the asymptotic complexity of noise, the parameter selection of this scheme can theoretically ensure that it is within a safe range. Therefore, we can use the NTRU estimator [23] to evaluate the security strength of the NTRU parameters. Similarly, we use the LWE estimator [22] for parameter selection of the (R)LWE scheme. Table 1 and Table 2 show the parameter sets for 100-bit security and 128-bit security, respectively.

7.3. Experimental Results

All experiments are conducted on a server equipped with an Intel(R) Xeon(R) Platinum 8481C processor (3.8GHz) and 64GB of memory, with the operating system Ubuntu 22.04.5 LTS. The algorithms proposed in this paper are implemented based on the OpenFHE open-source library. Table 3 and Table 4 show the execution time required for the proposed algorithm to perform a homomorphic NAND gate computation under different parameter sets (I, II, III and I’, II’, III’), respectively.

As illustrated in the BootMGCT algorithm, the number of intra-group parties does not affect the number of homomorphic computations required for ciphertext bootstrapping. The algorithm needs to execute the BREval algorithm $k·d_{br}$ times. Under the same parameter set, the time for serialized bootstrapping increases with the number of groups, which can be verified by the data in Table 3 and Table 4. When $k=7$, the time for a single bootstrapping operation exceeds 200 seconds. This indicates that under constrained parameter selection (the ratio of Q to N cannot be excessively large, so $d_{br}$ needs to be increased to reduce noise), serialized bootstrapping of multi-group ciphertexts based on NTRU is infeasible. In contrast, if the bootstrapping algorithm is executed in parallel, the bootstrapping time will be significantly reduced. Figure 2 intuitively illustrates the variation trend of bootstrapping time. When bootstrapping is performed in parallel, for both parameters for 100-bit security and 128-bit security, the bootstrapping time can be controlled within 10 seconds when the number of groups is less than 8. This result shows that by fully leveraging the parallel computing resources of the server, the proposed scheme can achieve bootstrapping efficiency close to that of single-key ciphertexts, greatly enhancing the practicality in multi-group scenarios.

8. Conclusions

This paper proposes a novel multi-group homomorphic encryption scheme based on LWE and NTRU. By linearizing the NTRU joint key through additive secret sharing technology, the scheme designs a multi-group hybrid product algorithm, enabling parallel bootstrapping of multi-group LWE ciphertexts for encrypted bits. In a multi-core server environment, the time cost of bootstrapping a multi-group ciphertext is comparable to that of bootstrapping a single-key ciphertext, significantly improving the practicality of the homomorphic encryption scheme. Additionally, specific parameter selections are provided to ensure the scheme can effectively resist sublattice attacks. Finally, the scheme is implemented on OpenFHE, and its effectiveness is verified. Experimental results show that under the 100-bit security, refreshing a collaborative computing ciphertext involving 50 parties (divided into 2 groups with 25 parties each) only takes less than 2 seconds. Therefore, this scheme provides a new solution for application scenarios requiring group-based computing.