An Examination of Multi-Key Fully Homomorphic Encryption and Its Applications

Abstract

With the rapid development of the Internet of Things (IoT) technology, the security problems it faces are increasingly prominent and have attracted much attention in industry and the academy. Traditional IoT architecture comes with security risks. Illegal intrusion of attackers into the network layer disrupts the availability of data. The untrusted transmission environment increases the difficulty of users sharing private data, and various outsourced computing and application requirements bring the risk of privacy leakage. Multi-key fully homomorphic encryption (MKFHE) realizes operations between ciphertexts under different key encryption and has great application potential. Since 2012, the first MKFHE scheme LTV12 has been extended from fully homomorphic encryption (FHE) and has ignited the enthusiasm of many cryptographic researchers due to its lattice-based security and quantum-resistant properties. According to its corresponding FHE scheme, the MKFHE schemes can be divided into four kinds: Gentry–Sahai–Water (GSW), number theory research unit (NTRU), Brakerski–Gentry–Vaikuntanathan (BGV), and FHE over the tour (TFHE). Efficiency and cost are urgent issues for MKFHE. New schemes are mainly improved versions of existing schemes. The improvements are mostly related to the four parts of MKFHE: security assumption, key generation, plaintext encryption, and ciphertext processing. We classified MKFHE schemes according to the improved partial schemes, and we present some improved techniques and the applications of MKFHE.

1. Introduction

The Internet of Things (IoT) technology has been widely applied in various domains, such as the military, industry, logistics, medical care, and smart homes [1], in recent years. The era of the Internet of everything has arrived, and the interactions between hundreds of millions of terminal devices generate massive data. An important method to deal with massive data is to apply distributed processing model represented by cloud computing and federated learning, which can make full use of idle resources of IoT devices. The IoT involves most aspects of daily life. It inevitably needs to collect people’s personal information (such as consumption habits, travel routes, etc.). How the processing layer protects the privacy of all parties involved in processing is an urgent privacy protection problem.

Data security requires not only the security of the stored data but also the security of data processing. Fully homomorphic encryption (FHE) [2,3] allows arbitrary operations to be performed on encrypted data, with the same effect on the ciphertext as on the plaintext. Therefore, the users only have to upload data that have been encrypted with the user’s public key to the cloud to ensure that the data are stored and processed securely [4]. For example, there are already many applications of homomorphic encryption in the IoT combined with cloud computing. Users store the encrypted data in the cloud, and the decryption of the encrypted data needs to be jointly authorized by the user’s terminal and the cloud. However, the existing schemes basically use single-key homomorphic encryption, but similar scenarios such sa cloud computing and federated learning usually involve handling multi-user data, where different users jointly participate in the same operation process and the operation results should be jointly decrypted by the participating users. FHE [5] only supports the operation of ciphertext encrypted with the same key, and different users holding the same secret key obviously cannot meet the security requirements.

The properties of multi-key fully homomorphic encryption (MKFHE) can be perfectly applied to the multi-user model. Users can obtain different keys from the same key generation algorithm, and the ciphertexts encrypted under different keys can be operated arbitrarily. The decryption process needs to be jointly decrypted by each user, which can solve the security and privacy problems in distributed computing scenarios. Additionally, because MKFHE is constructed based on the lattice difficulty problem [6], it possesses the ability to resist quantum attacks [7], which meets the current demand for resisting quantum computer threats.

Efficiency and cost are the biggest problems between the current MKFHE and the applications. Once the issues of efficiency and cost are overcome, MKFHE will be the preferred choice for security protection in multi-user environments. To solve this problem, researchers reduce the sizes of public and private keys, reduce the size of ciphertext, design more efficient ciphertext calculation methods, and use batch processing and compression ciphertext to improve efficiency and reduce the cost of MKFHE. Not all researchers have focused on the study of the cost and efficiency of MKFHE. For example, some researchers noticed that the current MKFHE schemes are all under the CRS (commom reference string) setting and that the ability of each user to independently generate keys is limited, so they designed the first MKFHE under the non-CRS setting. Some researchers noticed the security risks of the difficult assumption problem and constructed a new scheme based on the optimized difficult assumption problem.

The optimization of MKFHE is mostly carried out in the stages of safety assumption, key generation, plaintext encryption, and ciphertext processing, with the objectives of reducing key size, improving encryption efficiency, creating more efficient extension methods, and making smaller extended ciphertexts. There are also optimizations of security assumptions that choose the non-traditional MKFHE hard problem.

In this article, we present a classification and introduction of MKFHE schemes, show some of the technologies and definitions of the optimized schemes, introduce the applications of MKFHE, and summarize the current developments in MKFHE.

Multi-Key Fully Homomorphic Encryption

Leveled MKFHE [8]: Given a safety parameter and operation circuit C with the depth of L, a leveled MKFHE scheme is a tuple of efficient randomized algorithms (Setup, KeyGen, Enc, Extend, Eval, Dec) described as follows:

Setup ( $1^{\lambda }$, $1^k$, $1^L$): Given the security parameter $\lambda$, a bound K on the number of keys, and a bound L on the circuit depth, output a public parameter pp.

KeyGen (pp): Input the public parameter pp; output public key $p{k}_i$ and secret key $s{k}_i$ (i = 1, ..., K) for each party, key $p{k}_i$ for ciphertext extension, and key $ev{k}_i$ for homomorphic evaluation.

Enc ($p{k}_i$, $m_i$): Input the public key $p{k}_i$ of party i and a message $m_i$ output a ciphertext $c_i$ which contains the relevant private key and circuit-level information.

Extend ($c_i,p{k}_s=\{p{k}_{i1},\cdots ,p{k}_{ik}\}$): Input ciphertext $c_i$ and key $e{k}_i$ for ciphertext; output extended ciphertext ${\widehat{c}}_{i,S}$. The corresponding user set is $S_i$  and the public key set corresponding to the user set $S(S_i\subset$ S) to be expanded is $p{k}_s=\{p{k}_i,\cdots ,p{k}_{ik}\}$. The corresponding private key is composed or calculated by the private keys of all users in S in a specific form. Notice that the ciphertext extension algorithm is not necessary for all MKFHE schemes (number theory research unit (NTRU) type MKFHE does not need to expand the ciphertext), not all the ciphertext extension process require extended key $e{k}_i$ (the ciphertext extension process of Brakerski–Gentry–Vaikuntanathan (BGV) type MKFHE does not require $e{k}_i$).

Eval (pp, C, (${\widehat{c}}_{1,S},ev{k}_1)$, ⋯, $({\widehat{c}}_{t,S},ev{k}_t)$): Input a boolean circuit C and the tuple ${({\widehat{c}}_{1,S},ev{k}_i)}_{i=\left[t\right]}$ corresponding to the same user set S (which can be implemented by ciphertext extension); output ${\widehat{c}}_S$ after homomorphic evaluation.

Dec ($s{k}_S,{\widehat{c}}_S$): Input a ciphertext ${\widehat{c}}_S$ corresponding to a set of parties S = $\{i_1,\cdots ,i_k\}\subseteq$ [K] and joint private key $s{k}_s=\{s{k}_{i1},s{k}_{i2},\cdots ,s{k}_{ik}\}$, which is composed or calculated by the private keys of all participants in a specific form; output the message $m_S$.

Correctness: To a leveled MKFHE, input any circuit C of depth at most L having t input wires and any tuples ${(c_{i,S},ev{k}_i)}_{i\in \left[t\right]}$, while letting ${\mu }_i=\mathbf{Dec}(s{k}_S,c_{i.S})$; then the MKFHE scheme is correct if and only if the following formula holds:

$$\begin{array}{c}\hfill Pr[\mathbf{Dec}(s{k}_S,\mathbf{Eval}(C,{(c_i,S,ev{k}_i)}_{i\in \left[t\right]}))\ne C({\mu }_1,\cdots ,{\mu }_t)]=negl\left(\lambda \right)\end{array}$$

(1)

Compactness: To a leveled MKFHE, if there exists a polynomial poly (·) such that $\mid c\mid \le$ poly ($\lambda$, K, L), and the length of c is independent of the circuit C, then the MKFHE scheme is compact. In general, the ciphertext length of MKFHE scheme is related to security parameter $\lambda$, the number of participants K, and the polynomial level of circuit depth L.

The properties of homomorphic evaluation are presented in Figure 1.

Taking A and B as an example, the encrypted ciphertexts are EA and EB. After the homomorphic addition and the homomorphic multiplication of EA and EB, the decryption of the homomorphic operation has the same result as the direct addition and multiplication of A and B.

2. MKFHE Scheme Classification

2.1. MKFHE Classified by Improvement Steps

The biggest problems that stand between MKFHE schemes and their application are efficiency and cost. After the three classical types of MKFHE schemes were proposed, subsequent schemes were mostly constructed by improving on the various steps of the classical schemes. In this paper, MKFHE schemes are divided into four categories according to the different steps of improvement.

(a) The first category involves schemes that have improvements in security assumptions. Che et al. proposed the NTRU-type MKFHE scheme CZL20 [9] for prime cyclotomic rings in 2020, and other schemes that improve security assumptions.

(b) The second category involves schemes that have improvements in the key generation step. Kim et al. constructed the common random/reference string (CRS)-free KLP18 [10] scheme in 2018, which improves the MW16 [11] scheme, and some subsequently improved schemes.

(c) The third category involves schemes that have improvements in the encryption step. Chen et al. constructed the first CZW17 [12] scheme supporting multi-bit encryption based on BGV12 [13] in 2017, and subsequently improved schemes and multi-bit encryption schemes implemented in other ways.

(d) The fourth category involves schemes that have improvements in the ciphertext processing step. The CZW17 scheme implements an efficient ciphertext extension to obtain compact ciphertexts, and other schemes that improve on ciphertext extension, and the SWC21 [14] scheme that is able to compress ciphertexts.

The flowchart of the development of MKFHE according to this classification is shown in Figure 2.

2.2. Security Assumptions

The security of MKFHE schemes is based on their assumptions. Some of the assumptions used in the schemes have security challenges. Current NTRU-type MKFHE schemes are mainly constructed based on a polynomial ring of order 2 in powers; therefore, the security of these NTRU schemes may be threatened by subdomain attacks [15]. The security of the scheme can be enhanced by optimizing the security assumption problem.

The summary of Section 2.2 is shown in

Table 1. Summary of Section 2.2.

Scheme	Technology	Function	Emphasis
CZL20	LBD and DEC	reduce the ciphertext size	cost and efficient
ZLC20	prime power cyclotomic polynomial ring	resist subdomain attacks	security
HWC21	learning-with-rounding (LWR)	avoid gaussion sampling	efficient and security

.

In 2020, Che et al. proposed an NTRU-type MKFHE scheme, CZL20 [9], based on the LTV12 [8]. The security of the scheme is based on the RLWE and DSPR assumptions over prime cyclotomic rings, and it has been proven that the NTRU encryption on prime partitioned rings has the potential to resist subdomain attacks. Che analyzed the impact elements of the LTV12 homomorphic evaluation process and proposed a low bit drop and dimensionally extended ciphertext (LBD&DEC) technique and a homomorphic multiplicative decryption structure for the NTRU that can eliminate the key-switching in the LTV12 scheme, and a modulus reduction technique is also applied to reduce ciphertext’s dimension.

In 2020, Zhou et al. constructed the ZLC20 [16] scheme by replacing the power of two cyclotomic rings in the LTV12 scheme with a prime-power cyclotomic polynomial ring, which increased the number of optional ring structures during practical applications and makes the scheme able to resist subdomain attacks. Additionally, the key generation algorithm was optimized by using a Gaussian distribution under regular embedding based on the NTRU scheme [17], which is also based on prime cyclotomic rings.

In 2021, Huang et al. constructed a fully dynamic multi-hop (users can join the operation at any time) Gentry–Sahai–Water (GSW)-type MKFHE scheme HWC21 [18]. Its security is based on the learning with rounding (LWR) problem [19], which has similar performance to the BP16 [20] scheme. The LWR assumption allows the scheme to avoid the time-consuming Gaussian sampling ("research has shown that Gaussian sampling may create side-channel vulnerabilities leading to key leakage") required in the learning with error (LWE) problem while sustaining almost the same security level.

2.3. Key Generation

Key generation is an important step in the actual application. Generally, when a single-key scheme is extended to a multi-key scheme, the public keys of different users are linked to each other by a CRS generated in the setup phase to enable ciphertexts under different key encryption to perform homomorphic operations. However, this weakens the ability of each user to generate public keys independently. Therefore, some researchers want to develop a MKFHE scheme without CRS in the public parameters.

The summary of Section 2.3 is shown in

Table 2. Summary of Section 2.3.

Scheme	Technology	Function	Emphasis
KLP18	LinkAlgo	convert single key to multi-key scheme	decentralization
LTH21	combined KLP18 and LMZ18	similar to above but multi-bit encryption	efficient and decentralization
THL21	MKFHE.Expand (Encode, Link, Decode)	convert single key to multi-key scheme	efficient and decentralization
BD21	symmetric key setting without CRS	similar to above but more efficient	efficient and decentralization

.

In 2018, Kim et al., based on MW16 [11], constructed a GSW-type KLP18 [10] scheme which discards the CRS in the public parameters. This scheme does not directly extend from single-key to a multi-key. Users use the same single-key FHE algorithm, and the polynomial-time algorithm LinkAlgo will link different users’ keys and extend single-key ciphertext into multi-key ciphertext. The single-key encryption step is independent of LinkAlgo, so that when this scheme is used in practice, users can each use single-key encryption and then jointly transform the ciphertext from single-key into multi-key form. They also used the scheme to construct a three-round secure multi-party computation (MPC) protocol against semi-malicious security.

In 2021, Li et al. constructed the LTH21 [21] scheme by combining the advantages of both LMZ18 [22] and KLP18 [10]. They obtained a CRS-free multi-bit encryption MKFHE by using the LinkAlgo algorithm in KLP18 and a plaintext matrix in LMZ18. The former realized the discarding of CRS and a single-key to multi-key transformation, and the latter realized multi-bit encryption.

In 2021, inspired by the KLP18 scheme, Tang et al. also did not extend the single-key, GSW, fully homomorphic scheme to a multi-key one, but designed the algorithm MFHE.Expend (encode, link, decode) based on the original single-key, GSW, FHE scheme to extend the ciphertext of the original scheme from the single-key form to the multi-key form and to link the user’s keys, and the THL21 [23] scheme was obtained. In terms of memory and noise, the KLP18 scheme requires each participant to compute and store numbers of n×m dimensional matrices when generating the extended ciphertext, and its final decryption noise is $2(m^4+m)mN{B}_{\chi }$. The THL21 scheme requires only one dimensional matrix and N numbers of dimensional matrices, and its decryption noise is (2 + m)mN$B_{\mathit{\chi }}$. The THL21 scheme is more efficient and less costly compared to the KLP18 scheme.

In 2021, Biswas et al., constructed the BD21 [24] scheme based on PS16 [25], which reduces the overhead by discarding CRS making the ciphertext extension require only one component (less than PS16) while retaining the advantages of PS16: it is dynamic and multi-hop; there is no necessity to set the number of participants; any user can participate in the operation; and it is bootstrap free. The sizes of BD21’s public extension key and extension ciphertext exceed those of PS16, MW16, KLP18, and CCS19, but it does not require a public random matrix, unlike PS16, MW16, and CCS19 [26], and it is multi-hop, unlike KLP18.

2.4. MKFHE for Multi-Bit Encryption

The original multi-key fully homomorphic scheme can only support single-bit encryption. When it comes to dealing with a large amount of data in practice, the encryption step needs to be performed repeatedly. Additionally, the single-bit encrypted ciphertext makes the homomorphic operation inefficient. Therefore, MKFHE schemes that implement multi-bit encryption can effectively improve efficiency. The schemes presented in this section all implement multi-bit encryption, and some of them support batch processing techniques.

The summary of Section 2.4 is shown in

Table 3. Summary of Section 2.4.

Scheme	Technology	Function	Emphasis
CZW17	first BGV MKFHE	encrypt ring plaintext	efficient
LMZ18	ciphertext packing	build a plaintext matrix	efficient
LJ20	gadget vector and bit decomposition	remain ciphertext size unchanged	efficient and cost

.

In TCC2017, Chen et al. proposed the first BGVtype multi-hop MKFHE scheme, CZW17 [12], with security based on ring learning with error (RLWE). The previous GSW-type MKFHE schemes, such as CM15 [27], MW16 [11], BP16 [20], and PS16 [25], although they also have a version based on RLWE, are only capable of encrypting single-bit ciphertexts due to the property of GSW13. The CZW17 scheme is constructed based on the BGV FHE [19]. On the other hand, it can encrypt ring elements rather than single bits. Thereafter, in 2019, Ningbo Li optimized the ciphertext extension of CZW17 to obtain the LZY+19 [28] scheme. Chen et al. optimized the relinearization step of LZY+19 to construct the CDKS19 [29] scheme. In 2021, Yang et al. optimized the relinearization process of CDKS19 to obtain the YZZ22 [30] scheme. These schemes all support multi-bit encryption. In addition, all these schemes are able to realize batch processing using the Chinese residue theorem [31].

In 2018, Li et al. successfully constructed a GSW-type MKFHE scheme LMZ18 [22] based on MW16 that supports multi-bit encryption by using the "ciphertext packing" technique [32] to build a plaintext matrix by embedding the plaintext into the message matrix. Both encryption and ciphertext expansion operations are performed on the basis of the plaintext matrix to achieve the goal of multi-bit encryption. The LTH21 scheme above uses the same method to realize multi-bit encryption.

In 2020, Li et al. proposed NTRU-type MKFHE scheme LJ20 [33] that supports encrypt ring elements. They replace relinearization with gadget vector and bit decomposition techniques [34]. This scheme is capable of batch processing by the Chinese remainder theorem (CRT). No relinearization or ciphertext expansion is required for the ciphertext size to remain unchanged. This scheme is a hierarchical MKFHE, which also needs to be transformed into a full MKFHE using Gentry’s bootstrapping theorem [35].

2.5. MKFHE with Cipher Processing Optimization

There is much room for optimization in the processing of ciphertext. Both ciphertext extension and joint decryption have efficiency and overhead issues. Optimizing the extension method by reducing the size of the extended cipher and implementing compressible ciphertexts are solutions to the problem. This section introduces schemes that optimize the processing of ciphertext.

The summary of Section 2.5 is shown in

Table 4. Summary of Section 2.5.

Scheme	Technology	Function	Emphasis
CZW17	zero-padded ciphertext vector	reduce complexity of ciphertext expansion	efficient
LZY+19	nested ciphertext extension	reduce extended ciphertext size	efficient and cost
CCS19	a new ciphertext multiplication	reduce evaluated ciphertext size	efficient and cost
ZZC20	compact ciphertexts	reduce ciphertext size	efficient and cost
SWC21	compressible ciphertexts	compress multiple ciphertexts into one	cost
CDL21	distributed ciphertext extension		efficient and cost
YZZ22	rescaling techniques	reduce the complexity of relinearization	efficient

.

The CZW17 [12] scheme proposed by Chen et al. in 2017 not only has the advantage of being able to encrypt ring elements, but also improves on ciphertext expansion. The ciphertext expansion is realized by using a zero-padded ciphertext vector, and the computational complexity of the ciphertext expansion is not related to the sizes of ciphertexts, but only to the number of keys involved in the process. Chen also used this scheme to construct a 2-round MPC that supports threshold decryption.

In 2019, Li et al. obtained the LZY+19 [28] scheme by optimizing CZW17. They proposed a nested ciphertext extension method to reduce the size of the evaluation key and the extended ciphertext. They also designed a directed decryption protocol that allows any user to access the decryption results, not limited to those participating in homomorphic evaluation. In the same year, Chen et al. obtained the CDKS19 scheme by optimizing the relinearization procedure of the LZY+19 scheme. LZY+19 does not need ciphertext expansion, which greatly improves efficiency. Chen applies it in privacy protection in neural networks.

In 2019, Chen et al. proposed the MKFHE scheme CCS19 [26] based on the framework of Chillotti et al. (2017) (CCGI17), which can evaluate any binary gate on the encryption bits and then bootstrap. It uses two methods to multiply single-key encryption by multi-key RLWE ciphertexts and controls the growth of the ciphertext size with the ciphertext length, which is only linearly related to the number of participants. The MKFHE software library TFHE, which is an important guide, was also written.

In 2020, Zhou et al. proposed the general MKFHE construction ZZC20 [36] which has compact ciphertexts and specifically two MKFHE schemes (BGV type and TFHE type) with compact ciphertexts. In this construction, a joint secret key, also called a compact key, whose length is independent of the number of parties, is constructed by accumulating the secret keys of the parties. They obtained a joint ciphertext by designing a new ciphertext extension algorithm, whose length is also irrelevant to the number of parties involved in encryption. As a result, the efficiency of homomorphic computation for this general scheme is comparable to that of a single-key FHE scheme. In addition, the user needs to be authorized to add the ciphertext to the homomorphic operation; i.e., all parties involved need to regenerate their cumulative evaluation keys.

In 2019, Gentry et al. proposed a ciphertext compression method that can compress multiple ciphertexts into a single compressed ciphertext, which can reduce communication consumption, and specifically constructed a GSW-type single-key fully homomorphic scheme, GH21 [37], with compressible ciphertexts.

In 2021, Shen et al. proposed the MKFHE scheme SWC21 [14] with compressible ciphertexts based on the single-key, fully homomorphic ciphertext compression scheme proposed by Gentry et al. They applied this method to MKFHE. They removed the unit matrix in the private key and modified the structure of the extended ciphertext to conform to the conditions of use of the pseudo-square tool array proposed by Gentry when extending the matrix version of the original GSW, fully homomorphic scheme to MKFHE. This scheme can compress the obtained ciphertext and reduce communication cost.

In 2021, Chen et al. constructed a dynamic NTRU-type MKFHE scheme CDL21 [38] based on the LWE assumption in the public key setting of requiring less local random access memory (RAM). The original dynamic MKFHE ciphertext extension and homomorphic operations are performed on the cloud, which requires higher computational power for the cloud and more fees to be delivered to the cloud service provider. Therefore, Chen et al. designed a distributed ciphertext extension method that allows participants to interact over the Internet to perform the ciphertext extension process, and the cloud only undertakes homomorphic computations, reducing the work of the cloud and improving the efficiency of ciphertext extension.

In 2022, Yang et al. obtained the YZZ22 [30] scheme by optimizing the relinearization process of CDKS19. Instead of using gadget vectors to decompose the public key and extended ciphertext, they chose to increase the modulus and use rescaling techniques to realize relinearization. However, this also leads to an increase in errors, which needs to be reduced by decreasing the modulus after key switching.

The comparison of all selected schemes is shown in

Table 5. Comparison of selected schemes.

Scheme	Assumption	pk	CT	CRM	Dynamic	Bootstrap	Batch
CM15	LWE	$n^2{d}^2$	$k^2{n}^2{d}^2$	yes	no	no	no
CM15	RLWE	$n{d}^2$	$k^{2}n{d}^2$	yes	no	no	no
BP16	LWE	$n^3$	$nk$	yes	yes	yes	no
MW16	LWE	$n{d}^2$	$n^2{k}^2{d}^2$	yes	no	yes
PS16 1	LWE	$n{(K+d)}^2$	$n^{3}k{(K+d)}^4$	yes	yes	no	no
PS16 2	LWE/KDM	$n^4{(K+d)}^4$	$n^2{k}^2{(K+d)}^2$	yes	yes	no	no
KLP18	LWE	$n{d}^2$	$n^2{k}^2{d}^2$	no	no	yes	no
CCS19	RLWE&Circular Security	$n^2{k}^2$	$nk$	yes	no	yes	no
CZL20	RLWE	nk (K + d)	$n{(K+d)}^2$	no	no	no	no
BD21	LWE	$n^3{(K+d)}^2$	$n^2{k}^2{(K+d)}^2$	no	yes	no	no
CZW17	LWE	$n^3{d}^7$	$knd$	yes	yes	no	no
CZW17	RLWE	$n^2{d}^6$	$kd$	yes	yes	no	yes
CDL21	LWE	$n^3{(K+1)}^2$	$n^2{k}^2{(K+d)}^2$	yes	yes	no	no
CDKS19	RLWE	$nk$	$nk$	yes		yes	yes
LZY+19	GLWE	$n{k}^3$	$nk$	yes	no	yes	yes
ZZC20	GLWE	$nk$	$nk$	yes		yes
HWC21	LWR	$k^3$	$nk$	yes	yes		no
YZZ22	RLWE	$nk$	$nk$	yes	no	yes	no
CZY21	RLWE			yes		yes	no
LJ20	RLWE&DSPR	$n^{2}K{d}^3$	$n^{2}K{d}^4$			yes	yes

.

3. Optimization Techniques for MKFHE

In this section, two techniques are introduced that the authors believe should be investigated in depth. One is the LinkAlgo algorithm that allows the non-CRS setting of MKFHE, and the other is the compressible ciphertext in SWC21. The former is the first MKFHE scheme to be constructed in a non-CRS setting, focusing on and strengthening the user’s individual key generation ability. Previously, MKFHE could not avoid the distribution of CRS, and the user’s personal ability to generate keys was limited. On the one hand, this technique is introduced here in the hope that other researchers can be inspired to develop a more efficient MKFHE without CRS or other ways to enhance the user’s ability to generate keys by himself. The ciphertext compression method used by the latter breaks through the compression ratio of 1/2 of the ciphertext size reduction technique used by MKFHE. Although this technique has strict requirements on the ciphertext structure, it is extremely restrictive. However, this idea can be extended for other schemes based on it to involve an efficient compression method combined with its own optimization. Hopefully, these two techniques will be enlightening.

3.1. LinkAlgo Algorithm for the KLP18 Scheme

When the KLP18 scheme extends the single-key GSW-type FHE scheme into MKFHE, firstly, the public random string in the public parameters is dispensed with, and secondly, the single-key scheme is independent of the LinkAlgo algorithm designed by it, so that the user only needs to use the single-key scheme for encryption, and finally, the users involved in the operation will jointly extend it into a multi-key ciphertext through the LinkAlgo algorithm and carry out joint decryption, and its design. The algorithm and the idea of its design provide a new direction for the design of the MKFHE scheme, which has great referential significance. Therefore, the LinkAlgo algorithm is introduced here.

3.1.1. Notion of LinkAlgo

The lowercase bold letters denote vectors, and the uppercase bold letters denote matrices. $\mathbf{x}$ is the column vector, ${\mathbf{x}}^T$ is the row vector. $\mathbf{A}$ is a matrix, ${\mathbf{A}}^{(i,j)}$ denote the i-th row and j-th column element of matrix $\mathbf{A}$, ${\mathbf{A}}_j^{col}$ denotes the j-th column of the matrix, and ${\mathbf{A}}_i^{row}$ denotes the i-th row of the matrix. $[\mathbf{A}\mid \mathbf{Ax}]$ denotes the horizontal connection of a vector or matrix.

Theorem 1.

([35]). To any $m>n\lceil logq\rceil$, there is a matrix $\mathbf{G}\in Z_q^{n\times m}$, its corresponding matrix ${\mathbf{G}}^{-1}(·)$, and matrix $\mathit{M}\in Z_q^{n\times m^{\prime }}$ ($m^{\prime }$ is random), which satisfy ${\mathbf{G}}^{-1}\left(\mathit{M}\right)\in {0,1}^{m\times m^{-1}}$ and $\mathbf{G}{\mathbf{G}}^{-1}\left(\mathit{M}\right)=\mathit{M}$.

Theorem 2.

([23]). Set $m⩾nlogq+2\lambda ,n\in N,q\in N$. χ is a discrete Gaussian distribution over Z which makes LWE a hard problem. $t=O\left(logn\right)$ is an integer. Define two distributions X and Y as follows:

X is $m\times n$ distributed matrices. $X=\mathit{A}=[\overline{\mathit{A}}\mid {\mathbf{b}}_1\mid \cdots \mid {\mathbf{b}}_t]=[\overline{\mathit{A}}\mid \mathit{u}-\overline{\mathit{A}}\overline{{\mathbf{t}}_1}\mid \cdots \mid \mathit{u}-\overline{\mathit{A}}\overline{{\mathbf{t}}_t}]$. $\overline{\mathit{A}}\in Z_q^{n\times \overline{m}}$ is randomly selected. When $1\le i\le t$, ${\mathbf{b}}_i=\mathit{u}-\overline{\mathbf{A}}\overline{{\mathbf{t}}_i}modq\in Z_q^{n\times 1}$. $\overline{{\mathbf{t}}_i}$ is drawn from a Gaussian discrete distribution ${\chi }^{\overline{m}\times 1}$. Y is a uniform distribution over $Z_q^{n\times 1}$. Then, X and Y are computationally indistinguishable.

Definition 1.

Suppose a distribution ${{\chi }_n}_{n\in N}$ is based on a distribution of integers. If the distribution satisfies the following property:

$$P{r}_{x\leftarrow {\chi }_n}[\mid x\mid \ge B]=negl\left(\lambda \right),$$

then the distribution is called B-bounded.

Definition 2.

β-noisy ciphertext: A ciphertext C that encrypts $m^{\prime }$ under a private key $\tilde{t}$ is called β-noisy ciphertext. $\widetilde{t^T}·C=error+\widetilde{t^T}·\mathit{M}·\mathbf{G}$, ${\Vert error\Vert }^{\infty }⩽\beta$.

3.1.2. LinkAlgo Algorithm

The matrix $\mathbf{M}\in \{0,1{\}}^{n\times N}$, ${\mathbf{C}}^{(s,t)}$ is the $\beta$-noise ciphertext of ${\mathbf{M}}^{(s,t)}$ encrypted under $(pk,sk)=(\mathbf{F},\tilde{\mathbf{t}})$ using the GSW encryption algorithm, i.e., ${\mathbf{C}}^{(s,t)}=F^{T}M+M^{[s,t]}G$, where ($s\in \left[n\right],t\in \left[N\right]$). Let ($p{k}^{{}^{\prime }},s{k}^{{}^{\prime }}$)=(${\mathbf{F}}^{{}^{\prime }},{\tilde{\mathbf{t}}}^{{}^{\prime }}$) be another pair of keys. Inputs $p{k}^{{}^{\prime }}$ and all ${\mathbf{C}}^{(s,t)}\in Z_q^{(m+1)\times N}$ are given to the $LinkAlgo$ algorithm, and it outputs $\mathbf{Y}$.

It holds that ${\mathbf{S}}^T\mathbf{Y}={\mathbf{S}}^T{\mathbf{F}}^{{}^{\prime }T}\mathit{M}+\mathbf{e}$ and (${\Vert \mathbf{e}\Vert }_{\infty }\le m^3\beta$ is noise)

Algorithm 1 LinkAlgo algorithms.

Input:  $p{k}^{{}^{\prime }},\{{\mathbf{C}}^{(s,t)}{\}}_{s\in \left[n\right],t\in \left[N\right]}$; Output:  $\mathbf{Y}\in Z_q^{(m+1)\times N}$; 1: Let ${\mathbf{K}}_{s,t}\in Z_q^{(m+1)\times N},s\in \left[n\right],t\in \left[N\right]$; 2: Output Y=${\sum }_{s=1}^n{\sum }_{t=1}^N{\mathbf{C}}^{(s,t)}{\mathbf{G}}^{-1}\left({\mathbf{K}}_{s,t}\right)\in Z_q^{(m+1)\times N}$

A detailed proof that ${\mathbf{S}}^T\mathbf{Y}={\mathbf{S}}^T{\mathbf{F}}^{{}^{\prime }T}\mathbf{M}+\mathbf{e}$, ${\Vert \mathbf{e}\Vert }_{\infty }\le m^3\beta$ holds is given below:

$$\begin{array}{cc}\hfill {\mathbf{S}}^T\mathbf{Y}& {\displaystyle =\sum _{s,t}^{}{\mathbf{S}}^T{\mathbf{C}}^{(s,t)}{\mathbf{G}}^{-1}\left({\mathbf{K}}_{(s,t)}\right)}\hfill \\ \hfill & =\sum _{s,t}^{}({\mathbf{S}}^T{\mathbf{M}}^{(s,t)}\mathbf{G}+{\mathbf{e}}_{s,t}){\mathbf{G}}^{-1}\left({\mathbf{K}}_{s,t}\right)\hfill \\ \hfill & =\sum _{s,t}{\mathbf{S}}^T{\mathbf{M}}^{(s,t)}{\mathbf{K}}_{s,t}+{\mathbf{e}}_{s,t}^{{}^{\prime }}\hfill \\ \hfill & ={\mathbf{S}}^T\sum _{s,t}{\mathbf{M}}^{(s,t)}{\mathbf{K}}_{s,t}+\sum _{s,t}{\mathbf{e}}_{s,t}^{{}^{\prime }}\hfill \end{array}$$

(2)

where ${\mathbf{e}}_{s,t}={\mathbf{S}}^T{\mathbf{F}}^{{}^{\prime }T}\mathbf{M},{\mathbf{e}}_{s,t}^{{}^{\prime }}={\mathbf{e}}_{s,t}+{\mathbf{G}}^{-1}\left({\mathbf{K}}_{s,t}\right)$ has a norm $\Vert {\mathbf{e}}_{s,t}^{{}^{\prime }}\Vert \le m\beta$.

The correctness of ${\sum }_{s=1}^n{\sum }_{t=1}^N{\mathbf{M}}^{(s,t)}{\mathbf{K}}^{s,t}={\mathbf{F}}^{{}^{\prime }T}\mathbf{M}$:

$$\begin{array}{cc}\hfill {\displaystyle \sum _{s=1}^n\sum _{t=1}^N{\mathbf{M}}^{(s,t)}{\mathbf{K}}_{s,t}}& {\displaystyle =\sum _{s=1}^n\sum _{t=1}^N\left[\begin{array}{ccccc}0& \cdots & {\mathbf{M}}^{(s,t)}{{\mathbf{F}}^{\prime }}^{\mathrm{T}(1,\mathrm{s})}& \cdots & 0\\ ⋮& \cdots & {\mathbf{M}}^{(s,t)}{{\mathbf{F}}^{\prime }}^{\mathrm{T}(2,\mathrm{s})}& \cdots & ⋮\\ ⋮& ⋮& \cdots & \cdots & ⋮\\ 0& \cdots & {\mathbf{M}}^{(s,t)}{{\mathbf{F}}^{\prime }}^{\mathrm{T}(\mathrm{N},\mathrm{s})}& \cdots & 0\end{array}\right]}\hfill \\ \hfill & {\displaystyle =\sum _{t=1}^N\left[\begin{array}{ccccc}0& \cdots & \sum _{s=1}^n{\mathbf{M}}^{(s,t)}{{\mathbf{F}}^{\prime }}^{\mathrm{T}(1,\mathrm{s})}& \cdots & 0\\ ⋮& \cdots & \sum _{s=1}^n{\mathbf{M}}^{(s,t)}{{\mathbf{F}}^{\prime }}^{\mathrm{T}(2,\mathrm{s})}& \cdots & ⋮\\ ⋮& ⋮& \cdots & \cdots & ⋮\\ 0& \cdots & \sum _{s=1}^n{\mathbf{M}}^{(s,t)}{{\mathbf{F}}^{\prime }}^{\mathrm{T}(\mathrm{N},\mathrm{s})}& \cdots & 0\end{array}\right]}\hfill \end{array}$$

(3)

$$\begin{array}{cc}\hfill & =\sum _{t=1}^N\left[\begin{array}{ccccc}0& \cdots & {\mathbf{F}}_1^{\mathrm{Trow}}{\mathbf{M}}_t^{\mathrm{col}}& \cdots & 0\\ ⋮& \cdots & {\mathbf{F}}_2^{\mathrm{Trow}}{\mathbf{M}}_t^{\mathrm{col}}& \cdots & ⋮\\ ⋮& ⋮& \cdots & \cdots & ⋮\\ 0& \cdots & {\mathbf{F}}_n^{\mathrm{Trow}}{\mathbf{M}}_t^{\mathrm{col}}& \cdots & 0\end{array}\right]\hfill \\ \hfill & ={\mathbf{F}}^{\mathrm{T}}\mathbf{M}\hfill \end{array}$$

(4)

Therefore, ${\mathbf{S}}^T\mathbf{Y}={\mathbf{S}}^T{\mathbf{F}}^{{}^{\prime }T}\mathbf{M}+\mathbf{e}$, where $\mathbf{e}={\sum }_{s=1}^n{\sum }_{t=1}^N{\mathbf{e}}_{s,t}^{{}^{\prime }}$ has norm ${\Vert e\Vert }_{\infty }\le m^3\beta .$

Input public key $p{k}_1,p{k}_2,\cdots ,p{k}_t$ and fresh ciphertext ${\mathbf{C}}_i$ into LinkAlgo algorithm, which outputs the following extended ciphertext:

1.

$\{{\mathbf{V}}^{(s,t)}{\}}_{s\in \left[n\right],t\in \left[N\right]}\leftarrow \{\mathbf{GSW}.\mathbf{ENC}({\mathbf{M}}^{(s,t)},p{k}_j){\}}_{s\in \left[n\right],t\in \left[N\right]}$

2.

Compute $Y_i^j\leftarrow \{\mathbf{Linkalgo}(C^{(s,t)},p{k}_j){\}}_{s\in \left[n\right],t\in \left[N\right]}j\in$ [t]. The extended ciphertext is:

$$\begin{array}{c}\hfill {\widehat{\mathbf{C}}}_i=\left[\begin{array}{ccccc}{\mathbf{C}}_i-{\mathbf{Y}}_i^1& 0& \dots & 0& 0\\ 0& {\mathbf{C}}_i-{\mathbf{Y}}_i^2& \dots & 0& 0\\ ⋮& ⋮& ⋮& ⋮& ⋮\\ {\mathbf{Y}}_i^i& \dots & {\mathbf{C}}_i& \dots & {\mathbf{Y}}_i^i\\ ⋮& ⋮& ⋮& ⋮& ⋮\\ 0& 0& \dots & 0& {\mathbf{C}}_i-{\mathbf{Y}}_i^t\end{array}\right]\end{array}$$

(5)

This type of scheme allows users to use single-key homomorphic encryption, and homomorphic evaluation can be performed after the ciphertext is extended using the LinkAlgo algorithm. Users can generate secret keys independently, which has application prospects in some scenarios with related requirements.

3.2. SWC21 Ciphertext Compression Algorithm

Gentry proposed an algorithm for compressing ciphertexts for single-key schemes in GH19 [37] in 2019, and Shen et al. extended the algorithm to the MKFHE scheme SWC21 [14] in 2021, which effectively reduces the communication overhead after compressing ciphertexts, and to some extent drives the development of the MKFHE scheme in terms of efficiency and cost improvements.

Notion of SWC21

Definition 3.

DLWE (decisional learning with errors): Positive integers n and q and an error distribution χ over Z. Let ${\mathit{A}}_{s,\chi }$ denote the distribution $(\mathit{a},{[<\mathit{a},\mathit{s}>-2e]}_q)$ on $Z_q^n\times Z_q$, where $\mathit{s}\stackrel{\$}{⟵}{Z}_q^n$, $\mathit{a}\stackrel{\$}{⟵}{Z}_q^n$ and $e⟵\chi$. Given m = poly(n) mutually independent instances, these instances are chosen either from the uniform distribution $Z_q^n\times Z_q$ or from the distribution ${\mathit{A}}_{s,\chi }$.

Definition 4.

MLWE (matrix learning with errors): Positive integers n, m, r, and q, and an error distribution χ over Z. The matrix learning with errors is to distinguish two distributions. One is $(\mathit{B},\mathit{A}=\mathit{SB}+\mathit{E})$, where $\mathit{S}\stackrel{\$}{⟵}{Z}_q^{n\times r}$, $\mathit{B}\stackrel{\$}{⟵}{Z}_q^{r\times m}$ and $\mathit{E}⟵{\chi }^{n\times m}$. Additionally, the other one is uniform distribution $Z_q^{r\times m}\times Z_q^{n\times m}$.

Definition 5.

Given an integer $q>2$, for any positive integer $n\in Z^{+}$, define ${\mathbf{G}}_n\triangleq {\mathit{I}}_n⨂{\mathit{g}}^T\in Z_q^{n\times n\lfloor logq\rfloor }$, where ${\mathit{g}}^T=[1,2,2^2,\cdots ,2^{\lfloor logq\rfloor -1}]$. The symbol ${\mathbf{G}}_n$ is used to denote this matrix in SWC21.

Lemma 1.

([35]). Positive integers $n,m_0,m_1,m,q,andl$; $q=q\left(n\right)$; $l=\lfloor logq\rfloor$; $m_0=nl+O\left(n\right)$; $m_1=nl$; and $m=m_0+m_1$. To ${\mathit{A}}_0\stackrel{\$}{⟵}{Z}_q^{n\times m_0}$, invertible matrix $\mathit{H}\in Z_q^{n\times n}$ and $\mathit{R}⟵{\mathit{D}}^{m_0\times m_1}$, there is an efficient randomization algorithm $\mathrm{GemTrap}$(${\mathit{A}}_0$,H), which can generate a matrix $\mathit{A}\triangleq [{\mathit{A}}_0\Vert \mathit{H}{\mathbf{G}}_n-{\mathit{A}}_0\mathit{R}]\in Z_q^{n\times m}$ and a trapdoor $\mathit{R}$, and label $\mathit{H}$. $\mathit{A}$ is not uniformly distributed.

Lemma 2.

([35]). Given random matrix $\mathit{A}\in Z_q^{n\times n^{{}^{\prime }}}$, an efficient randomization algorithm can extract a sub-Gaussian matrix $\mathit{X}$ over $Z_q^{nl\times n^{{}^{\prime }}}$ with O(1) as the parameter, which has $\mathit{X}={\mathbf{G}}_n^{-1}\left(\mathit{A}\right)$.

A new technique, the nearly square tool matrix L, is used in GH19 and is also required in SWC21. An open trapdoor matrix ${\mathbf{L}}^{-1}\left(0\right)=\mathbf{F}$ satisfying:

• $\mathbf{F}$ has small entries ($\ll q$)
• $\mathbf{L}\times \mathbf{F}$ = 0(mod q), i.e., all row vectors of $\mathbf{L}$ can generate a kernel space of $\mathbf{F}$ mod q;
• $\mathbf{F}$ is full-rank over $\mathbf{R}$.

When they apply this technology to multi-key version scheme, they adjust the structure of private key and the extended ciphertext. The identity in the private key matrix was deleted so that the extended private key would turn from $s=\left[i_n{s}_1{i}_n{s}_2\right]$ into $s=\left[i_n{s}_1{s}_2\right]$, which is a nearly square matrix. Additionally, the extended ciphertext would be split into ${(2+1)}^2$ parts rather than $2^2$ parts. Meanwhile, there is some information attached to the ciphertext. The extended ciphertext would be like:

$$\begin{array}{c}\hfill \widehat{C}=\left[\begin{array}{ccc}{C}_{1,1}& C_{1,2}& D_1\\ C_{2,1}& C_{2,2}& D_2\\ 0& 0& C_{3,3}\end{array}\right]\end{array}$$

(6)

• $\mathbf{Initialization}\mathbf{Setup}(1^k,1^N):$ Let k be the security parameter for a large module q with an error distribution $\chi$ = $\chi$(k,N) bounded by ${\beta }_{\chi }$. Additionally, taken $t\triangleq (t^{{}^{\prime }}-1)N$ for the $Comp$ step.
  Let ${\mathbf{L}}^{{}^{\prime }}\times {\mathbf{F}}^{{}^{\prime }}=0$, $\mathbf{L}\triangleq {\mathbf{L}}^{{}^{\prime }}⨂{\mathbf{I}}_{rN}\in Z_q^{n\times \overline{n}}$ and $\mathbf{F}\triangleq {\mathbf{F}}^{{}^{\prime }}⨂{\mathbf{I}}_{r}N\in Z_q^{\overline{n}\times \overline{n}}$ (where ${\mathbf{L}}^{{}^{\prime }}\in Z_q^{(t^{{}^{\prime }}-1)t^{{}^{\prime }}}$ and ${\mathbf{F}}^{{}^{\prime }}\in Z_q^{t^{{}^{\prime }}\times t^{{}^{\prime }}}$, $\ell \triangleq logq$, $n\triangleq tr$, $\overline{n}\triangleq (t+N)r$, $n\triangleq (t+1)r\ell$ and $\overline{m}\triangleq (t+N)r\ell$), choose $\mathbf{B}\stackrel{\$}{⟵}{Z}_q^{r\times m}$.
  Output params = $(r,N,q,\ell ,{\beta }_{\chi },\chi ,t^{{}^{\prime }},t,n,\overline{n},m,\overline{m},\mathbf{L},{\mathbf{L}}^{{}^{\prime }},\mathbf{F},{\mathbf{F}}^{{}^{\prime }},\mathbf{B})$.
• $\mathbf{Keygen}$ (params): Choose $\mathbf{S}\stackrel{\$}{⟵}{Z}_q^{r\times m}$ and $\mathbf{E}\leftarrow {\chi }^{tr\times m}$. Let $\mathbf{A}=\mathbf{SB}+\mathbf{E}$, $\overline{\mathbf{S}}\triangleq [{\mathbf{I}}_{tr}\mid \mathbf{S}]\in Z_q^{tr\times (t+1)r}$ and $\overline{\mathbf{A}}\triangleq \left[\begin{array}{c}\mathbf{A}\\ \mathbf{B}\end{array}\right]\in Z_q^{(t+1)r\times m}$, noticed that $\overline{\mathbf{SA}}=\mathbf{E}$. Output $PK\triangleq \overline{\mathbf{A}}$, $SK\triangleq \overline{\mathbf{S}}$.
• $\mathbf{Enc}$ ($P{K}_i$, $\mu$): Input a plaintext bit $\mu \in \{0,1\}$, choose ${\overline{\mathbf{J}}}_i\stackrel{\$}{⟵}\{0,1{\}}^{m\times m}$, let ciphertext be ${\overline{\mathbf{C}}}_i\triangleq \mu {\mathbf{G}}_{(t+1)r}+{\overline{\mathbf{A}}}_i{\overline{\mathbf{J}}}_i\in Z_q^{(t+1)r\times m}$. ${\overline{\mathbf{C}}}_i$ will be divided as follows for the $Exp$ step:

  $$\begin{array}{cc}\hfill & {\overline{\mathbf{C}}}_i^{(1,1)}={\overline{\mathbf{C}}}_i\left[\mathrm{pre}\mathrm{tr}\mathrm{rows},\mathrm{pre}\mathrm{tr}\ell \mathrm{columns}\right]\in {\mathrm{Z}}_{\mathrm{q}}^{\mathrm{tr}\times \mathrm{tr}\ell };\hfill \\ \hfill & {\overline{\mathbf{C}}}_i^{(2,1)}={\overline{\mathbf{C}}}_i\left[\mathrm{last}\mathrm{r}\mathrm{rows},\mathrm{pre}\mathrm{tr}\ell \mathrm{columns}\right]\in {\mathrm{Z}}_{\mathrm{q}}^{\mathrm{r}\times \mathrm{tr}\ell };\hfill \\ \hfill & {\overline{\mathbf{C}}}_i^{(1,2)}={\overline{\mathbf{C}}}_i\left[\mathrm{last}\mathrm{tr}\mathrm{rows},\mathrm{last}\mathrm{r}\ell \mathrm{columns}\right]\in {\mathrm{Z}}_{\mathrm{q}}^{\mathrm{tr}\times \mathrm{r}\ell };\hfill \\ \hfill & {\overline{\mathbf{C}}}_i^{(2,2)}={\overline{\mathbf{C}}}_i\left[\mathrm{last}\mathrm{r}\mathrm{rows},\mathrm{last}\mathrm{tr}\ell \mathrm{columns}\right]\in {\mathrm{Z}}_{\mathrm{q}}^{\mathrm{r}\times \mathrm{r}\ell };\hfill \end{array}$$

  (7)
  Let ${\mathbf{J}}_i={\overline{\mathbf{J}}}_i\left[\mathrm{the}\mathrm{last}\mathrm{r}\ell \mathrm{columns}\right]\in \{0,1{\}}^{\mathrm{m}\times \mathrm{r}\ell }$.
  Notice that ${\overline{\mathbf{C}}}_i^{(2,2)}=\mu {\mathbf{G}}_r+\mathbf{B}{\mathbf{J}}_i$.
  Attached information ${\mathbf{O}}_i\triangleq {({\mathbf{V}}_{i,1}^{(x,y,b)},{\mathbf{V}}_{i,2}^{(x,y,b)})}_{x\in \left[t\right],y\in \left[m\right],b\in \left[rl\right]}$ is needed to successfully execute the Exp step.

  $$\begin{array}{c}\hfill {\mathbf{V}}_{i,1}^{(x,y,b)}=-{\mathbf{A}}_i{\tilde{\mathbf{J}}}_i^{(x,y,b)}+{\mathbf{J}}_i[y,b]{\mathbf{G}}_m^{\left(x\right)}\in Z_q^{tr\times r\ell };\end{array}$$

  (8)

  $$\begin{array}{c}\hfill {\mathbf{V}}_{i,2}^{(x,y,b)}=\mathbf{B}{\tilde{\mathbf{J}}}_i^{(x,y,b)}\in Z_q^{r\times r\ell };\end{array}$$

  (9)

  where ${\overline{\mathbf{J}}}_i^{(x,y,b)}\triangleq \{0,1{\}}^{m\times r\ell }$, ${\mathbf{G}}_r\left(x\right)=\left[\begin{array}{c}{0}^{(x-1)r\times r\ell }\\ {\mathbf{G}}_r\\ 0^{(t-x)r\times r\ell }\end{array}\right]$. The complete ciphertext tuple is $C_i\triangleq (\overline{C},O_i)$
• $\mathbf{Exp}(i{d}_i\in \left[N\right],C_i)$: extended ciphertext is:

  $$\begin{array}{c}\hfill {\overline{\mathbf{C}}}_i\triangleq \left[\begin{array}{cccccc}{\overline{\mathbf{C}}}_i^{(1,1)}& {\mathbf{D}}_{i,1}^{\left(1\right)}& \dots & {\overline{\mathbf{C}}}_i^{(1,2)}& \dots & {\mathbf{D}}_{i,N}^{\left(1\right)}\\ & {\overline{\mathbf{C}}}_i^{(2,2)}& & & & \\ & & \ddots & & & \\ {\overline{\mathbf{C}}}_i(2,1)& {\mathbf{D}}_{i,1}^{\left(2\right)}& \dots & {\overline{\mathbf{C}}}_i^{(2,2)}& \dots & \\ & & & & \ddots & \\ & & & & & {\overline{\mathbf{C}}}_i^{(2,2)}\end{array}\right]\in Z_q^{\overline{n}\times \overline{m}}\end{array}$$

  (10)
  Fresh ciphertext does not support compression. Therefore, the ciphertext of different users needs to be pre-processed before compression, which is similar to the traditional GSW-expand step.
  (1) Generate components required for extended ciphertext:

  $$\begin{array}{c}\hfill {\displaystyle {\mathbf{Z}}_{i,j}^{(x,y,b)}\triangleq \sum _{z_1=1}^r-{\mathbf{A}}_j[z_1+(x-1)r,y]·{\mathbf{E}}_{z_1,b}^{{}^{\prime }}\in Z^{r\times r\ell }}\end{array}$$

  (11)

  where ${\mathbf{E}}_{z_1,b}^{{}^{\prime }}\in Z^{r\times r\ell }$ and only the intersection of column b and row $z_1$ is 1; all others are 0.
  Let

  $$\begin{array}{c}\hfill {\overline{\mathbf{Z}}}_{i,j}^{(x,y,b)}\triangleq \left[\begin{array}{c}{0}^{(x-1)r\times r\ell }\\ {\mathbf{Z}}_{i,j}^{(x,y,b)}\\ 0^{(t-x)r\times r\ell }\end{array}\right]\in Z_q^{tr\times r\ell }\end{array}$$

  (12)
  (2) Generate auxiliary ciphertext $X_{i,j}^s,s\in (0,1)$:

  $$\begin{array}{c}\hfill {\mathbf{D}}_{i,j}^{\left(1\right)}\triangleq \sum _{x=1}^t\sum _{y=1}^m\sum _{b=1}^{rl}{\mathbf{V}}_{i,1}^{(x,y,b)}·{\mathbf{G}}_r^{-1}\left(Z_{i,j}^{(x,y,b)}\right)\in Z_q^{tr\times r\ell };\end{array}$$

  (13)

  $$\begin{array}{c}\hfill {\mathbf{D}}_{i,j}^{\left(2\right)}\triangleq \sum _{x=1}^t\sum _{y=1}^m\sum _{b=1}^{rl}{\mathbf{V}}_{i,2}^{(x,y,b)}·{\mathbf{G}}_r^{-1}\left(Z_{i,j}^{(x,y,b)}\right)\in Z_q^{r\times r\ell };\end{array}$$

  (14)
• $\mathbf{Comp}$ (params,$\{{\widehat{\mathbf{C}}}_{u,v,w}{\}}_{u,v\in \left[n\right],w\in [\ell ]}$): Compress one or some ciphertext into ciphertext of a smaller size. Let ${\mathbf{T}}_{O,V}\triangleq \left[\begin{array}{c}{\mathbf{E}}_{u,v}^{{}^{\prime }}\\ 0^{Nt\times n}\end{array}\right]\in Z^{\overline{n}\times n}$, where ${\mathbf{E}}_{u,v}^{{}^{\prime }}\in Z^{n\times n}$ and only the intersection of the u-th row and v-th column are 1; all others are 0. Let compressed ciphertext be:

  $$\begin{array}{c}\hfill {\displaystyle {\mathbf{C}}^{*}\triangleq \sum _{u\in \left[n\right]}\sum _{v\in \left[n\right]}\sum _{w\in [\ell ]}{\widehat{\mathbf{C}}}_{u,v,w}\times {\mathbf{G}}_{\overline{n}}^{-1}(2_w·{\mathbf{T}}_{u,v}\times \mathbf{L})\in Z_q^{\overline{n}\times \overline{n}}.}\end{array}$$

  (15)
  The compressing algorithm is the same as Gentry’s GH19 scheme; all the cipher processing is to meet the requiements of this algorithm.
• $\mathbf{Eval}$ (params, f, ${\widehat{\mathbf{C}}}_1$, ${\widehat{\mathbf{C}}}_2$, ⋯, ${\widehat{\mathbf{C}}}_s$): Input N and circuit $f:\{0,1{\}}^t\to \{0,1\}$ and a string of ciphertext ${\widehat{\mathbf{C}}}_1$, ${\widehat{\mathbf{C}}}_2$, ⋯, ${\widehat{\mathbf{C}}}_s$; output the ciphertext ${\widehat{C}}_f$ after homomorphism.
  Eval.add $\triangleq {\mathbf{C}}_1+{\mathbf{C}}_2;$
  Eval.mult $\triangleq {\mathbf{C}}_1\times {\mathbf{G}}_{{\overline{n}}^{-1}}\times {\mathbf{C}}_2$
• $\mathbf{CompDec}$ (${\mathbf{C}}^{*}$, ${\left(S{K}_i\right)}_{i\in \left[N\right]}$): Input the private key of N participants; let $\mathbf{S}\triangleq [{\mathbf{I}}_n,{\mathbf{S}}_1,\cdots ,$${\mathbf{S}}_N]\in Z_q^{\overline{n}\times \overline{n}}$ be the extended private key. Decrypting a compressed cipher involves the following four steps:
  • $\mathbf{Z}\triangleq \mathbf{S}\times {\mathbf{C}}^{*}\left(modq\right);$
  • $\mathbf{W}\triangleq \mathbf{Z}\times \mathbf{F}\left(modq\right)$;
  • $\mathbf{P}\triangleq \mathbf{W}\times {\mathbf{F}}^{-1}$, $where\mathbf{F}\in Z_q^{\overline{n}\times \overline{n}}$ is the open trapdoor matrix;
  • ${\mathbf{M}}^{{}^{\prime }}\triangleq (\mathbf{Z}-\mathbf{P})\times {\mathbf{L}}^{-1}\left(modq\right)$ ($\mathbf{L}$ is full-rank and $\mathbf{L}\times {\mathbf{L}}^{-1}\in Z_q^{\overline{n}\times \overline{n}}={\mathbf{I}}_n$).

4. Application of MKFHE

As the current cloud environment is booming, there are increasingly many scenarios where multiple users are involved in the computation. Users want to participate in the computation to get the result, but at the same time they do not want to share their data with others. MKFHE has the characteristics of homomorphic computation between ciphertexts under different keys and joint decryption by participating users, which is very suitable for the requirement of privacy protection [39,40]. MKFHE has been applied in the following applications:

4.1. Medical Applications

For medical research, comprehensive and rich patient data can facilitate the progress of medical practice. Adequate patient data can be used to build predictive models for rapid detection of disease causes and timely treatment, e.g., for disease-causing gene localization [41], which requires access to a sufficient amount of patient genetic information from different medical institutions.

Model of MKFHE’s Application to Medical Data

Patient privacy issues cannot be avoided in medical research. Therefore, in this model, the medical-information-sharing organization composed of medical institutions carries out secure personal data sharing according to the following model when the researcher initiates the request to query data.

In this model, we add a homomorphic accelerator next to the aggregation server. Some researchers take advantage of the parallel computing capabilities of high-performance computing platform architectures (GPUs and FPGA) to deal with the numerous repeated and complex operations in homomorphic evaluation to improve data throughput and computing parallelism. The methods used include, but are not limited to, using mathematical theorems to convert operations into a form suitable for parallel computing and designing specialized homomorphic evaluation hardware (FPGA). The aggregation server can hand over the complex homomorphic evaluation process to the homomorphic accelerator to improve efficiency.

• After each medical institution receives the request, locally compute the result of query; then encrypt the result and broadcast.
• Each medical institution aggregates encrypted results locally. For iterative tasks, each medical institution repeats the process until the requirements are met.
• The public key of the final result switched from collective public key to the public key of querier through collective key switching.
• The querier decrypts the final result.

The model of MKFHE on medical is shown in Figure 3.

4.2. Financial Scenarios

Any service in the financial industry is based on credit. Financial institutions need to evaluate all aspects of the client to complete the user’s image. This involves several different data sources, and the data providers are responsible for the client’s privacy and comply with the relevant privacy protection laws while sharing clients’ data. MKFHE can be applied to create a privacy-protected customer credit evaluation system [42] and perfect the current credit system.

Model of MKFHE’s Application to Financial Data

In this model, banks form a data sharing organization. Each bank registers with the TA (trusted authentic) and negotiates the signature key. Each bank obtains a pseudonymous ID, and the real ID is stored in the TEE (trusted execution environment) by the TA. When a bank needs to use the data of other banks to evaluate the user’s credit, it initiates a data sharing request. Additionally, due to the time-fake ID used at request, none of the parties know the real identity of the initiator. After completing the data sharing, this data sharing will be recorded in the blockchain. The specific data sharing process is as follows:

After completing the registration and KeyGen of MKFHE, each bank holds the PID (pseudonym ID), signing key, and MKFHE key pair. The bank initiates the data sharing request and sends the request, PID, and digital signature to the TA. The TA locally retrieves the users that match the request and forms them into a data sharing group.

• Each bank in the group trains the model on the local data and encrypts the obtained gradient using the public key of MKFHE. After signing the encrypted gradient, it is sent to other users.
• After receiving the information, each user verifies the validity of the information via digital signature. If valid, then the local model is obtained by training together with the local gradient.
• The local model is sent to the AS (aggregation server), and the corresponding block is generated in the blockchain for record keeping. The AS aggregates all the models and broadcasts them to the users within the group.
• Each user updates the local model with the global model. We repeat steps three and four until the accuracy condition is met. Then, each user performs partial decryption of MKFHE to obtain the plaintext result.

When a malicious behavior occurs, the trusted third party can retrieve the real identity of the malicious user in the local trusted execution environment (TEE). The malicious user’s identity is then broadcast to all participants and included in the list of malicious users.

The model of MKFHE on financial is shown in Figure 4.

4.3. IoT

The IoT is usually combined with cloud computing, which connects physical terminals through the cloud and gives life to data. Physical terminals include personal devices, such as mobile phones, tablets, and cars, and important devices related to national security, such as national power grids and military drones, which are inevitably threatened by hackers during data collection, transmission, and use. However, most of these schemes use single-key homomorphic encryption [43,44,45], and there is only one recent study that used multi-key homomorphic encryption in a scenario where federal learning was combined with IoT [46].

Model of MKFHE’s Application on IoT

Multi-key fully homomorphic encryption can be applied to most multi-user scenarios for privacy protection. Take Iot as an example. Iot can be combined with federated learning to protect the privacy of edge devices. In this structure, local data of edge devices do not come out; only the model parameter which was trained from local data will be shared. However, the attackers may infer from the model parameters of participants’ information. Therefore, MKFHE can be used to encrypt local model parameters to further enhance the data security of edge devices.

Preparation: Initialize MKFHE, and each party has obtained their own public and secret key pair.

• Each device uses the downloaded global model to train the local data to get the local model and uses its own public key $p{k}_i$ to encrypt the local model parameter; then, it sends the encrypted parameter to the aggregation server.
• After receiving the encrypted model parameters of all parties, the aggregation server uses the aggregation algorithm to get the average model. The aggregation server sends the average model parameter to all parties.
• After receiving the average model parameter, all parties use it to update the local model.

Repeat the above steps until the preset stop condition is met.

After meeting the stop condition, each participant can use their own private key for partial decryption, and the final decryption result can be obtained after all partial decryption is summarized.

The model of MKFHE on Iot with federated learning is shown in Figure 5.

4.4. Service Recommendation

Product recommendations, user matching, and friend recommendations in web services need to use data such as users’ personal information and browsing history, which makes many users feel their privacy is being violated. MKFHE can perform operations with data encrypted into ciphertext. Service providers can combine it with their technology to provide services to users without disclosing their data, such as online car matching [47], Drip, Uber, and other taxi-hailing software, which require access to the user’s location information, which means the service provider can obtain or infer the user’s address or work address. With the help of MKFHE, a taxi matching system can effectively hide the user’s personal information while completing the match.

4.5. Research Innovation

MKFHE technology has been introduced for a short period of time, and there is still great room for improvement. Its multi-key feature meets the requirements of the cloud environment, so there are considerable prospects for innovation—for example, combining MKFHE with technologies such as federation learning [48,49], secure multi-party computing [50], deep learning [51,52], and blockchain [53,54] to enhance the properties of privacy protection and build solutions that meet the current emphasis on personal information protection policy requirements.

The potential of MKFHE does not stop with these cases. As long as there are multi-user scenarios, MKFHE has the potential to be applied.

5. Conclusions

The urgent need for privacy protection and the birth and development of quantum computers has stimulated the need for protection methods against quantum attacks. This demand promotes the development of MKFHE, which provides theoretical support for future secure data sharing among multiple users. Currently, the complex operation of MKFHE makes it inefficient and costly to apply. Therefore, MKFHE only accounts for a small part of the application scheme of homomorphic encryption on the Internet of Things. As we have discussed at the end of Section 4.1, the application of hardware for acceleration has the potential to enable the application of multi-key fully homomorphic encryption.

In addition to accelerated homomorphic encryption, solutions such as KLP18 and THL21, where each user uses a single key encryption and the process of converting the public extended cipher into a multi-key cipher that is then placed in the cloud, may also be a solution. As the size of the extended ciphertext becomes larger, and the cloud is undertaking the process of ciphertext extension, which can reduce the loss of bandwidth.

Therefore, in the authors’ opinion, users only need to upload encrypted data, and the cloud with the corresponding homomorphic hardware accelerator will be set to undertake a large number of homomorphic operations. If possible, acceleration hardware based on a trusted execution environment can be used to further enhance security.