Lattice-Based Multi-Key Homomorphic Encryption Scheme Without Common Random Strings

Abstract

Multi-key homomorphic encryption is widely applied into outsourced computing and privacy-preserving applications in multi-user scenarios. However, the existence of Common Random Strings (CRSs) weakens the ability of users to independently generate public keys, and it is difficult to implement in decentralized systems or scenarios with low trust requirements. In order to reduce excessive reliance on public parameters, a multi-key homomorphic encryption scheme without pre-setting CRSs is proposed based on a distributed key generation protocol. The proposed scheme does not require the pre-generation and distribution of CRSs, which enhances the security and decentralization of the scheme. Furthermore, in order to further protect the plaintext privacy from each user, by embedding the specified target user into the ciphertext, this paper proposes an enhanced multi-key homomorphic encryption scheme that allows the target user to decrypt. Finally, this paper applies the proposed lattice-based multi-key homomorphic encryption scheme into the data submission stage of the perceived users, and thereby proposes a crowd-sensing scheme with privacy preservation.

1. Introduction

With the continuous advancement of technologies such as the Internet, the Internet of Things, big data, and artificial intelligence, the demand for computing power and storage resources by enterprises and individuals has increased exponentially. Traditional local computing and storage methods can no longer meet the needs of modern society for data processing speed and capacity [1]. Outsourcing computing allows users to entrust complex computing tasks or data processing work to a third party (such as a cloud service provider) to perform computing tasks through a cloud platform or distributed computing resources, saving users much time and computing costs [2].

Although outsourced computing provides flexibility and efficiency, it is also accompanied by some potential risks. In outsourced computing, users usually need to upload data to cloud service providers for processing. These outsourced data may contain some sensitive user information, such as personal privacy, commercial secrets, or key business data [3,4,5]. Homomorphic encryption technology allows specific operations (such as addition or multiplication) to be performed directly on encrypted data without decrypting the data. The decrypted result is consistent with the result of performing the same operation on the plaintext [6]. User data remain encrypted during the calculation process, ensuring the privacy of the data throughout the calculation process, and users do not need to trust the cloud service provider.

Multi-key homomorphic encryption solves the above problem by allowing each user to encrypt data with his or her own key, while still supporting joint computing of encrypted data. The computing results can be obtained by collaborative decryption of the private keys of multiple users [7,8,9].

In a multi-key homomorphic encryption scheme, in order to enable multiple users to jointly perform homomorphic operations on ciphertext (for example, to perform homomorphic operations such as addition and multiplication) and collaboratively decrypt the ciphertext after homomorphic operations, a mechanism is needed to coordinate and combine the public keys of different users [10]. The Common Random String (CRS) model provides a shared public parameter based on which all users can generate their own public keys. Through the public parameters provided by the CRS model, multiple public keys with the same parameters are integrated into an aggregate public key. Multiple users can perform homomorphic operations on ciphertext under the aggregate public key and collaboratively decrypt through a distributed decryption protocol.

The CRS model can simplify the scheme design and key generation process, but it also brings some problems: On the one hand, the existence of CRSs means that the system relies on a public, predefined random string. This assumption may affect the independence and flexibility of the encryption scheme, which is difficult to meet in decentralized systems or scenarios with low trust requirements. On the other hand, the security and correctness of the scheme directly depend on the integrity and reliability of CRSs. Dependence on CRSs seriously affects the credibility of the scheme and even causes security vulnerabilities [11].

In order to avoid excessive reliance on public parameters, a multi-key homomorphic encryption scheme without pre-setting CRSs is proposed based on a distributed key generation protocol. Furthermore, based on ciphertext expansion technology, a distributed ciphertext decryption method is proposed. Distributed private key generation operation is transferred to multiple parties, simplifying the key management and encryption overloads, and more compact ciphertext is obtained. The more flexible key generation process does not rely on a single third party, and has a lighter interaction burden between multiple parties. In order to further protect the plaintext messages of each user, this paper proposes an enhanced multi-key homomorphic encryption scheme that only allows the target user to decrypt it, by embedding the specified target user into the ciphertext. In scenarios requiring the rapid encryption of large amounts of data, symmetric encryption schemes are the preferred choice. A symmetric encryption scheme is a cryptographic technique that uses the same key for both encrypting and decrypting information, which means that the sender and receiver must share the same key. The scheme proposed in this paper can be used as a tool for distributing symmetric keys. Once the communicating parties have obtained a shared symmetric key, they can securely and efficiently transmit large volumes of data.

Finally, by applying the proposed the lattice-based multi-key homomorphic encryption scheme into crowd-sensing scenario, a crowd-sensing scheme is proposed to protect the privacy of crowd-sensing data.

The contributions of this paper are as follows:

• In order to avoid excessive reliance on public parameters, this paper proposes a multi-key homomorphic encryption scheme based on a distributed key generation protocol. Each user independently generates his or her own public and private key pair, and enhances the security and decentralization of the scheme. Based on ciphertext expansion technology, this paper proposes a distributed ciphertext decryption method suitable for multi-key scenarios. By expanding the ciphertext structure, multiple users can collaboratively participate in the decryption process.
• In order to further protect the plaintext privacy from each user, by embedding the specified target user into the ciphertext, this paper proposes an enhanced multi-key homomorphic encryption scheme that allows the target user to decrypt.
• By applying the proposed lattice-based multi-key homomorphic encryption scheme into the data submission stage, a crowd-sensing scheme is proposed, protecting the privacy of the users. This ensures that the data are not leaked during transmission and processing, and all entities except the data requester cannot obtain the perception results.

2. Materials and Methods

2.1. Symbols and Definitions

In this paper, $\lambda$ is used to denote the security parameter, and the dot product of two vectors u and v is denoted by $<u,v>$. Let $\mathsf{\Omega }$ denote a finite field and ${\rm X}$ be a probability distribution defined on $\mathsf{\Omega }$; then $\omega \leftarrow {\rm X}$ denotes that an element $\omega$ is randomly selected from the distribution ${\rm X}$[12]. $\mathbb{Z}$ represents the set of integers, $\mathbb{R}$ denotes the set of real numbers, and $\mathbb{C}$ represents the set of complex numbers. $R_q={\mathbb{Z}}_q\left[X\right]/{\Phi }_M\left(X\right)$ denotes a cyclotomic polynomial ring, where ${\mathbb{Z}}_q\left[X\right]$ is a ring of polynomials whose coefficients are taken from ${\mathbb{Z}}_q$, and ${\Phi }_M\left(X\right)=X^{M/2}+1$ denotes a cyclotomic polynomial of order $M$[13].

Definition 1. 

$B$-bounded distribution. Let $D$ be a random distribution. If any $x$ sampled from $D$ satisfies ${Pr}_{x\leftarrow D}\left[‖x‖>B\right]=negl\left(\lambda \right)$, then $D$ is called a $B$-bounded distribution [14].

Definition 2. 

Ring Learning With Errors (RLWE) Problem. RLWE is a generalization of the LWE problem, which extends the vector operations in LWE to polynomial ring [15]. Given a polynomial ring $R=Z\left[X\right]/f\left(x\right)$, where $f\left(x\right)$ is an irreducible polynomial, define a ring $R_q=R/qR={\mathbb{Z}}_q\left[X\right]/f\left(x\right)$ modulo $q$. Select a secret vector $s\in R_q$, and give a RLWE sample pair $(a,b)\in R_q\times R_q$, where $b=a·s+e\left(modq\right)$, and $e$ is a random noise sampled from the noise distribution $\chi$[16]. Depending on the goal, the RLWE problem is divided into two types: search the RLWE problem and decision RLWE problem [17].

Definition 3. 

Decision RLWE Problem. The goal of the decision RLWE problem is to distinguish between two distributions: distribution 1 is an RLWE distribution, where the sample pair $(a_i,b_i)\in R_q\times R_q$ satisfies $b_i=a_i·s+e_i\left(modq\right)$, where $s\in R_q$ is the secret vector and $e\in \chi$ is the random error term; distribution 2 is a uniform distribution, where $a_i$ and $b_i$ in the sample pair $(a_i,b_i)\in R_q\times R_q$ are independently and uniformly randomly sampled from $R_q$ [8]. The RLWE assumption means that there is no effective polynomial algorithm that can distinguish between these two distributions, that is, for a probabilistic polynomial time algorithm $\mathcal{B}$ and security parameter $\lambda$, we have

$$Adv\left(\mathcal{B}\right)≔\left|Pr\left[{\mathcal{B}}^{A_{s,\chi }}\left(1^{\lambda }\right)=1\right]-Pr\left[{\mathcal{B}}^{R_q\times R_q}\left(1^{\lambda }\right)=1\right]\right|=negl\left(\lambda \right)$$

(1)

Definition 4. 

Canonical Embedding. Let K be an algebraic number field of degree n, with a total of $r_1+2r_2=n$ real embeddings and complex embeddings (where $r_1$ are the real embeddings, $r_2$ are the complex embeddings, and the complex embeddings come in conjugate pairs). The canonical embedding is defined as

$$\tau :K\to {\mathbb{R}}^{r_1}\times {\mathbb{C}}^{2r_2}\simeq {\mathbb{R}}^n$$

mapping $\alpha \in K$ to the vector consisting of the images under all embeddings.

2.2. Multi-Key Homomorphic Encryption

Multi-key homomorphic encryption allows users to encrypt their data using their own public keys and perform homomorphic operations on the ciphertext. At the same time, the calculation results are decrypted by all users collaboratively, which is more suitable for multi-user collaborative scenarios [18,19]. A multi-key homomorphic encryption scheme based on CKKS usually consists of nine polynomial time algorithms, namely $MFHE.Setup$, $MFHE.Keygen$, $MFHE.Encode$, $MFHE.Enc$, $MFHE.Expand$, $MFHE.Eval$, $MFHE.PartDec$, $MFHE.FinDec$, $MFHE.Decode$. The specific descriptions are as follows:

-

$MFHE.Setup\left(1^{\lambda }\right)$: Input security parameter $\lambda$ and output public parameter $params$.

-

$MFHE.KeyGen\left(params\right)$: Input public parameters $params$ and output the user’s public key and private key $(pk,sk)$.

-

$MFHE.Encode(z_i,\Delta )$: Input complex vector $z_i$ and scaling factor $\Delta$, output encoded plaintext polynomial $m$.

-

$MFHE.Enc(pk,m)$: For the plaintext $m$ that needs to be encrypted, input the public key $pk$ and output a ciphertext $ct$.

-

$MFHE.Expand\left(\right({pk}_1,\cdots ,{pk}_N),i,{ct}_i)$: Input the public keys of $N$ users ${pk}_1,\cdots {pk}_N$ and the ciphertext ${ct}_i$ encrypted by the $i$-th public key ${pk}_i$, and output the expanded ciphertext $\widehat{{ct}_i}$.

-

$MFHE.Eval(params,f,(\widehat{{ct}_1},\cdots ,\widehat{{ct}_l}\left)\right)$: Given a function $f$, input $l$ extended ciphertexts $\widehat{{ct}_1},\cdots ,\widehat{{ct}_l}$, and output the ciphertext $\widehat{ct}$ after homomorphic operation.

-

$MFHE.Dec(params,({sk}_1,\cdots {,sk}_N),\widehat{ct})$: Input the private keys of $N$ users ${sk}_1,\cdots {,sk}_N$ and the homomorphic operation ciphertext $\widehat{ct}$, and output the plaintext $m$. The decryption process is divided into two steps, as follows:

• $MFHE.PartDec(i,{sk}_i,\widehat{ct})$: Input the private key ${sk}_i$ of the $i$-th user and the homomorphic operation ciphertext $\widehat{ct}$, and output the partial decryption result $p_i$.
• $MFHE.FinDec(p_1,\cdots ,p_N)$: Input the partial decryption results $p_1,\cdots ,p_N$ of $N$ users and output the plaintext $m$.

-

$MFHE.Decode\left(m\right)$: Input plaintext $m$, output decoded complex vector $m^{\prime }$.

3. Lattice-Based Multi-Key Homomorphic Encryption Scheme Without CRSs

In order to reduce the dependence on public parameters and enhance the ability of users to independently generate public keys, this section proposes a lattice-based multi-key homomorphic encryption scheme without CRSs. Through a distributed key generation protocol, all users independently generate their keys. Based on the ciphertext expansion technology [20], a distributed ciphertext decryption method in a multi-key scenario is proposed, thereby realizing cross-user homomorphic addition operations without public parameters. In order to further protect the plaintext messages of each user, this section embeds the target user’s information in the ciphertext, so that the encryption process supports the designated target user as the only decryptor, providing more flexible privacy preservation.

3.1. Security Model

INDistinguishability against Chosen Message Attacks (IND-CPA) security requirement: For any probabilistic polynomial time adversary $\mathcal{A}$, its advantage under the “chosen plaintext attack” is negligible. IND-CPA security is defined by the interactive game ${Game}_{\mathcal{A}}$ between challenger $\mathcal{C}$ and adversary $\mathcal{A}$. The specific steps are as follows.

• Initialization phase: Input the security parameter $\lambda$, $\mathcal{C}$ runs $params\leftarrow Setup(1^{\lambda },1^L)$ algorithm to generate system public parameter $params$. $\mathcal{C}$ runs the $\left(\right({pk}_i,{sk}_i),({pk}_T,{sk}_T\left)\right)\leftarrow KeyGen\left(params\right)$ algorithm to generate key pairs ${\left\{({pk}_i,{sk}_i)\right\}}_{i=1}^N$ for $N$ users and key pair $({pk}_T,{sk}_T)$ for target user $T$, and sends ${\left\{{pk}_i\right\}}_{i=1}^N$, ${pk}_T$ to $\mathcal{A}$.
• Query phase: $\mathcal{C}$ maintains a query record table $Q$, which is empty at initialization and records all ciphertext query indexes initiated by $\mathcal{A}$ during the entire query process. $\mathcal{A}$ can adaptively select any plaintext $m_i$ and initiate a query request. $\mathcal{C}$ runs the ${\{c_i\leftarrow Enc\left({pk}_i,{pk}_T,m_i\right)\}}_{i\in S}$ algorithm to generate the ciphertext $c_i$ and returns it to $\mathcal{A}$. This phase allows $\mathcal{A}$ to perform a polynomial number of queries.
• Challenge phase: After $\mathcal{A}$ finishes the query, it requests the challenge ciphertext. $\mathcal{A}$ selects two plaintexts $m_0$, $m_1$ of equal length and the target public key set $S^{\mathrm{*}}\in \left\{\mathrm{1,2},\cdots ,k\right\}$, and sends them to $\mathcal{C}$. $\mathcal{C}$ randomly selects a bit $b\leftarrow \left\{\mathrm{0,1}\right\}$, calculates the challenge ciphertext $c^{\mathrm{*}}=Enc\left({\left\{{pk}_i\right\}}_{i\in S^{\mathrm{*}}},{pk}_T,m_b\right)$, and returns $c^{\mathrm{*}}$ to $\mathcal{A}$.
• Guessing stage: $\mathcal{A}$ outputs a guess bit $b^{\mathrm{*}}\in \left\{\mathrm{0,1}\right\}$ based on $c^{\mathrm{*}}$. If $b^{\mathrm{*}}=b$, $\mathcal{A}$ wins and the game output is 1; otherwise, the output is 0.

If and only if for all PPT adversaries $\mathcal{A}$, there exists a negligible function $negl\left(\lambda \right)$ such that

$$\left|Pr\left[{Game}_{\mathcal{A}}=1\right]-{\displaystyle \frac{1}{2}}\right|\le negl\left(\lambda \right)$$

(2)

where $\lambda$ is a security parameter, the multi-key homomorphic encryption scheme without CRSs is IND-CPA secure, that is, it satisfies semantic security.

3.2. Scheme Construction

The lattice-based multi-key homomorphic encryption scheme without CRSs includes nine algorithms, namely: $Setup$ algorithm, $KeyGen$ algorithm, $Encode$ algorithm, $Enc$ algorithm, $Expand$ algorithm, $AddEval$ algorithm, $PartDec$ algorithm, $FinDec$ algorithm, and $Decode$ algorithm. The specific description of each algorithm is as follows.

• System Initialization $Setup(1^{\lambda },1^L)$

Step 1. Let the security parameter be $\lambda$, the circuit depth be $L$, and the number of users be $N$. Let the dimension of the polynomial ring $R_q={\mathbb{Z}}_q\left[X\right]/(X^K+1)$ be $K$, and the ciphertext modulus be $q$. Let $\chi =\chi \left(\lambda \right)$ be the key distribution on $R_q$, and $\psi =\psi \left(\lambda \right)$ be the error distribution on $R$.

Step 2. Returns the system common parameters $params=(K,q,\chi ,\psi )$.

2.

Key generation algorithm $KeyGen\left(params\right)$

Step 1. $U_i$ selects $s_i\leftarrow \chi$ and sets its private key to ${sk}_i=(1,s_i)$. $U_i$ randomly samples $e_i\leftarrow \psi$, $a_i\leftarrow R_q$, calculates $b_i=-a_i·s_i+e_{i}modq\in R_q$, and sets its public key to ${pk}_i=(b_i,a_i)$.

Step 2. $U_T$ selects $s_T\leftarrow \chi$ and sets its private key to ${sk}_T=(1,s_T)$. $U_T$ randomly samples $e_T\leftarrow \psi$, $a_T\leftarrow R_q$, calculates $b_T=-a_T·s_T+e_{T}modq\in R_q$, and sets its public key to ${pk}_T=(b_T,a_T)$.

3.

Coding $Encode(z_i,\Delta )$

Step 1. The message of user $U_i$ is a complex vector $z_i=(z_{i,1},z_{i,2},\cdots ,z_{i,K/2})$, where $K$ is the dimension of the polynomial ring. The complex vector $z_i$ is scaled to retain decimal precision, and $z_i=\Delta ·z_i$ is calculated, where $\Delta$ is the scaling factor.

Step 2. The complex vector $z_i$ is mapped to the polynomial ring $R=\mathbb{Z}\left[X\right]/(X^N+1)$ through the canonical embedding mapping $\tau$, that is, $m=⌊{\tau }^{-1}\left(⌊z_i⌉\right)⌉$. Double rounding ensures that the message can be accurately mapped to the encryption space, controls errors, and improves the stability of the encryption process.

Step 3. Output integer coefficient plaintext polynomial $m_i$.

4.

Encryption algorithm $Enc\left({pk}_i,{pk}_T,m_i\right)$

Step 1. $U_i$ randomly samples $v_i\leftarrow \chi$, $e_0^i,e_1^i,e_2^i\leftarrow \psi$, and sets $a_i=a_i\left[1\right]$, $a_T=a_T\left[1\right]$, $b_i=b_i\left[1\right]$, $b_T=b_T\left[1\right]$.

Step 2. $U_i$ uses public keys ${pk}_i$ and ${pk}_T$ to encrypt its plaintext $m_i$ and performs the following calculations:

$$c_0^i=v_i·\left(b_i+b_T\right)+m_i+e_0^i\left(modq\right)$$

(3)

$$c_1^i=v_i·a_i+e_1^i\left(modq\right)$$

(4)

$$c_2^i=v_i·a_T+e_2^i\left(modq\right)$$

(5)

The output ciphertext is $c_i=(c_0^i,c_1^i,c_2^i)\in R_q^3$.

5.

Ciphertext expansion algorithm $Expand(c_i,i)$

Step 1. User $U_i$ expands its ciphertext $c_i\in R_q^3$ to a higher dimension and outputs the expanded ciphertext ${\widehat{c}}_i=(c_0^i,\underset{i-1}{\underbrace{0,\cdots }},c_1^i,0,\cdots ,c_2^i)\in R_q^{N+2}$.

Step 2. $U_i$ sends its extended ciphertext ${\widehat{c}}_i$ to CSP for homomorphic operation.

6.

Homomorphic operation algorithm $AddEval({\widehat{c}}_1,{\widehat{c}}_2,\cdots {\widehat{c}}_N)$

Step 1. After CSP collects the extended ciphertexts ${\widehat{c}}_1,{\widehat{c}}_2,\cdots {\widehat{c}}_N$ of all users $U_i\{i=\mathrm{1,2},\cdots ,N\}$, it performs homomorphic computation as follows: $C_{{sum}_0}={\sum }_{i=1}^N{c}_0^i$, $C_{{sum}_1}=(c_1^1,\cdots ,c_1^N)$, $C_{{sum}_2}={\sum }_{i=1}^N{c}_2^i$, and outputs the aggregated ciphertext $C_{sum}=(C_{{sum}_0},c_1^1,\cdots ,c_1^N,C_{{sum}_2})$.

Step 2. CSP sends the aggregate ciphertext $C_{sum}$ to the target user $U_T$ for decryption.

7.

Partial decryption algorithm $PartDec(i,{sk}_i,c_i)$

Step 1. User $U_i$ uses his private key ${sk}_i$ to partially decrypt his ciphertext $c_i$ and calculates his decryption share $p_i=s_i·c_1^i+e_i^{*}\left(modq\right)$, where $e_i^{*}\leftarrow \psi$.

Step 2. $U_i$ sends its decrypted share $p_i$ to $U_T$ for final decryption.

8.

Final decryption algorithm $FinDec(C_{sum},p_1,p_2,\cdots ,p_N)$

Step 1. After receiving the aggregate ciphertext $C_{sum}$ and the decryption shares $p_1,p_2,\cdots ,p_N$, $U_T$ uses its own private key ${sk}_T$ to perform the final decryption, and calculate and output the aggregate plaintext value as follows:

$$m^{*}=C_{{sum}_0}+{\sum }_{i=1}^N{p}_i+s_T·C_{{sum}_2}\left(modq\right)$$

(6)

9.

Decoding $Decode\left(m^{\mathrm{*}}\right)$

Step 1. Use mapping $\tau$ to map $m^{*}$ and calculate $m=⌊\tau (m^{*})⌉$.

Step 2. Perform an inverse scaling operation on m to restore the accuracy of the original data, that is, $m=⌊{\Delta }^{-1}\left(m\right)⌉$, where Δ is the scaling factor used during encoding.

Step 3. Output the aggregate plaintext value $m$ in the form of a complex vector.

3.3. Correctness Analysis

Given security parameter $\lambda$ and circuit depth $L$, set the modulus $q=2^{\lambda L·\omega (\mathit{log}\lambda +\mathit{log}L)}$, $B=\omega \left(\lambda L\right)$, and $\psi$ is a $B$-bounded distribution on $R$. Given the ciphertext $c_{sum}=\left({\sum }_{i=1}^N{c}_0^i,c_1^1,c_1^2,\cdots ,c_1^N\right)$ under $N$ user public keys and the private keys $sk=\left(1,s_1,s_2,\cdots ,s_N\right)$ of $N$ user connections, we have

$$\begin{array}{c}〈sk,c_{sum}〉=\left(1,s_1,s_2,\cdots ,s_N\right)·\left({\sum }_{i=1}^N{c}_0^i,c_1^1,c_1^2,\cdots ,c_1^N\right)\hfill \\ ={\sum }_{i=1}^N{c}_0^i+{\sum }_{i=1}^N{s}_i·c_1^i\left(modq\right)\hfill \\ ={\sum }_{i=1}^N{m}_i+e^{\prime }\left(modq\right)\hfill \end{array}$$

Among them, $e^{\prime }={\sum }_{i=1}^N(v_i·e_i+e_0^i+s_i·e_1^i)$, and ${‖e^{\prime }‖}_{\infty }\le 2^{L·O(\mathit{log}\lambda +\mathit{log}L)}$. Therefore, given the plaintext aggregation value $m_{sum}$ and the corresponding aggregation ciphertext $C_{sum}$, according to the definition of $PartDec$ algorithm and $FinDec$ algorithm, we can calculate

$$\begin{array}{c}{C}_{{sum}_0}+{\sum }_{i=1}^N{p}_i+s_T·C_{{sum}_2}\left(modq\right)\hfill \\ ={\sum }_{i=1}^N{c}_0^i+{\sum }_{i=1}^N\left(s_i{c}_1^i+e_i^{*}\right)+s_T{\sum }_{i=1}^N{c}_2^i\left(modq\right)\hfill \\ ={\sum }_{i=1}^N\left(v_i\left(b_i+b_T\right)+m_i+e_0^i\right)+{\sum }_{i=1}^N\left(s_i\left(v_i{a}_i+e_1^i\right)+e_i^{*}\right)+s_T{\sum }_{i=1}^N\left(v_i·a_T+e_2^i\right)\left(modq\right)\hfill \\ ={\sum }_{i=1}^N\left(v_i{b}_i+m_i+e_0^i+s_i\left(v_i·a_i+e_1^i\right)+e_i^{*}\right)+{\sum }_{i=1}^N\left(v_i{b}_T+s_T\left(v_i{a}_T+e_2^i\right)\right)\left(modq\right)\hfill \\ ={\sum }_{i=1}^N\left(v_i·e_i+m_i+e_0^i+s_i{·e}_1^i+e_i^{*}\right)+{\sum }_{i=1}^N\left(v_i·e_T+s_T·e_2^i\right)\left(modq\right)\hfill \\ =m_{sum}+e^{\prime }+e^{″}\left(modq\right)\hfill \end{array}$$

where $e^{″}={\sum }_{i=1}^N\left(e_i^{\mathrm{*}}+v_i·e_T+s_T·e_2^i\right)$ and ${‖e^{″}‖}_{\mathrm{\infty }}\le 2^{\lambda L·O(\mathit{log}\lambda +\mathit{log}L)}$. Therefore, if ${‖e^{\prime }+e^{″}‖}_{\mathrm{\infty }}<q/4$, the lattice-based multi-key homomorphic encryption scheme without CRSs can be correctly decrypted.

3.4. Security Analysis

Theorem 1. 

Assuming that the RLWE problem is difficult, if there is no adversary $\mathcal{A}$ that can win the following security game ${Game}_{\mathcal{A}}$ with non-negligible probability, then the lattice-based multi-key homomorphic encryption scheme without CRSs is IND-CPA secure, that is, it satisfies semantic security.

Proof of Theorem 1. 

Given an adversary $\mathcal{A}$ and a challenger $\mathcal{C}$, the theorem is proved by defining the following game sequence.

Game 0. Given public parameters $params=(K,q,\chi ,\psi )$ and vector $a_i\leftarrow R_q$, challenger $\mathcal{C}$ runs the $KeyGen\left(params\right)$ algorithm to generate a public key ${pk}_i=\left(b_i,a_i\right)$, and sends ${pk}_i$ to adversary $\mathcal{A}$, where $b_i=-a_i·s_i+e_{i}modq$. The distribution of $pk$ at this stage is the same as that of the MFHE scheme.

Game 1. Except for the key generation phase, the steps of other phases are the same as Game 0. The distribution of public keys is redefined in Game 1. Given public parameters $params=(n,q,\chi ,\psi )$ and vector $a_i\leftarrow R_q$, generate a public key ${{pk}_i}^{\prime }=\left({b_i}^{\prime },a_i\right)$, where ${b_i}^{\prime }\leftarrow R_q$. According to the difficulty and cyclic security assumed by RLWE, the computational difference between ${pk}_{Game0}$ and ${pk}_{Game1}$ cannot be distinguished, so $b_i$ and ${b_i}^{\prime }$ are also computationally indistinguishable, so the advantage of the attacker distinguishing Game 0 from Game 1 can be ignored.

$$Adv\left(\mathcal{A}\right)=\left|{Pr}_{Game0}\left[\mathcal{A}\left(1^{\lambda },{pk}_i\right)=1\right]-{Pr}_{Game1}\left[\mathcal{A}\left(1^{\lambda },{{pk}_i}^{\prime }\right)=1\right]\right|=negl\left(\lambda \right)$$

(7)

Within a certain period of time, $\mathcal{A}$ challenges $\mathcal{C}$ and sends the challenge plaintext ${\mu }_1,{\mu }_2\in \left\{\mathrm{0,1}\right\}$. $\mathcal{C}$ randomly selects $k\in \{0,1\}$, runs the $Enc\left({pk}_i,{pk}_T,m_i\right)$ algorithm to output the challenge ciphertext $c_i$, and then sends the ciphertext $c_i$ to $\mathcal{A}$. $\mathcal{A}$ outputs the guess result of the scheme and outputs $k^{\prime }\in \left\{\mathrm{0,1}\right\}$. If $k^{\prime }=k$, output 1; otherwise, output 0. Since the probability of $\mathcal{A}$ distinguishing $b_i$ and ${b_i}^{\prime }$ can be ignored, the multi-key homomorphic encryption scheme without CRSs proposed in this paper is IND-CPA secure, that is, it satisfies semantic security. □

3.5. Comparison

Firstly, we conduct a comparison of the time complexity of various algorithms. Secondly, we analyze the advantage of the proposed scheme over other schemes in terms of efficiency. Finally, the unique security advantage of our scheme is also highlighted.

Table 1. Comparison of the time complexity.

Scheme	KeyGen	Enc	Expand	AddEval	PartDec	FinDec
Our Scheme	O(NK)	O(K)	O(N)	O(N)	O(K)	O(N + K)
[21]	O(NK)	O(K)	O(N)	O($N^2$)	O(K)	O(N)
[11]	O(NK)	O(K)	O(N)	O($N^2$)	O(K)	O(N)

presents a comparison of the time complexity of various algorithms between the proposed scheme and other multi-key homomorphic encryption schemes without CRSs.

In Table 1, N represents the number of users, and K denotes the dimension of the polynomial ring. In terms of efficiency, the AddEval operation can be implemented in O(N), while the other schemes can be implemented in O($N^2$). Simultaneously, FinDec operation is implemented at a constant cost increasement, while other operations are implemented with no cost increasement.

Figure 1 illustrates that our scheme achieves a time complexity of O(N), which is more efficient than the O($N^2$) complexity found in other schemes. Additionally, the time complexity of the Enc algorithm in our proposal is O(N+K), contrasting with O(N) in other schemes. Furthermore, compared with some comparative schemes that involve complex operations related to high-complexity processes such as tensor products and relinearization, our scheme demonstrates higher efficiency in managing multi-user scenarios. It enables faster completion of ciphertext expansion and homomorphic computation tasks.

Not only that, in terms of security, the unique design of embedding the target user in the ciphertext enables only the target user to decrypt, providing a higher level of privacy protection and satisfying the strict requirements for data privacy in specific scenarios.

4. Crowd-Sensing Scheme with Privacy Preservation

Crowd sensing refers to a mode in which a large number of sensing devices (usually personal smartphones, wearable devices, sensors, etc.) distributed in different geographical locations work together to collect, process and share information [22]. This mode usually involves multiple participants collaborating to complete a task without central control, especially in the fields of environmental monitoring, urban management, intelligent transportation, etc. [23].

In a crowd-sensing system, the task issued by the data requester requires multiple sensing users to upload sensing data to the sensing platform, and the platform aggregates and calculates these data to obtain the sensing results. However, the data uploaded by users may contain personal sensitive information, such as location information, health data, etc.. And the sensing platform cannot be fully trusted, that is, users may worry that the platform may abuse or leak the sensing result data. Multi-key homomorphic encryption allows the data of multiple users to be calculated in an encrypted state, which can achieve secure data calculation under the premise of protecting user privacy data. In order to solve the data privacy problem of sensing users, this section applies the lattice-based multi-key homomorphic encryption scheme without CRSs to the data submission stage of sensing users, thereby designing a crowd-sensing scheme with privacy protection. Specifically, users encrypt data before uploading it, and the perception platform only aggregates multiple data ciphertexts. The perception results are obtained by decryption by the data requester, ensuring that the data are not leaked during transmission and processing. At the same time, no other entity except the data requester can obtain the perception results.

4.1. System Model

This section proposes a crowd-sensing scheme based on multi-key homomorphic encryption. The entities involved in this scheme are sensing users, sensing platforms, and data receivers.

• Sensing users

The sensing users are data providers in the crowd-sensing system, responsible for collecting data using their own devices (such as smartphones, wearable devices, environmental sensors, etc.). For example, smartphone users can provide data such as location, acceleration, and temperature; health monitoring device users can provide physiological data such as steps, heart rate, and sleep quality. Their data usually contain personal privacy information, so the data need to be encrypted before uploading to the sensing platform.

2.

Sensing platform

The sensing platform is an intermediary platform between sensing users and data requesters in the crowd-sensing system, responsible for receiving encrypted data from multiple sensing users and performing homomorphic operations, and feeding the results back to the data requester.

3.

Data requester

The data requester is the subject that uses the crowd-sensing results, usually a government department, enterprise, or individual. According to their own needs (such as traffic management, environmental monitoring, health management, etc.), they publish data request tasks, receive aggregated ciphertext from the perception platform and decrypt it, and then analyze the perception data to make decisions, provide services, or optimize operations.

The crowd intelligence perception scheme based on multi-key homomorphic encryption proposed in this section is divided into four stages: initialization, perception data submission, ciphertext aggregation, and perception result decryption. Figure 2 shows the four stages of the scheme and the interaction process between perception users, perception platforms, and data requesters.

The crowd-sensing solution based on multi-key homomorphic encryption proposed in this section contains five core functional modules, namely, the task management module, data collection module, encryption module, ciphertext aggregation module, and access control module. The introduction of each functional module is as follows.

The task management module is responsible for allocating and coordinating user tasks to ensure the effectiveness of data collection. In crowd sensing, different tasks need to be assigned to different perception users, and tasks need to be dynamically allocated, taking into full consideration factors such as user location and device capabilities.

The data collection module is responsible for the collection of environmental information or data by crowd-sensing terminals (such as smartphones and IoT devices). Data may need to be pre-processed, such as by denoising, format conversion, and data compression, to reduce the communication overhead and computing burden.

The encryption module is responsible for encrypting the collected data to ensure privacy preservation during data transmission and calculation. The perception user encrypts the data with his own public key and then submits the ciphertext.

The ciphertext aggregation module is the perception platform that performs homomorphic calculations on the ciphertexts of multiple perception users without decrypting the data.

The access control module allows the perception user to embed the public key information of the data requester in the ciphertext to ensure that only the data requester has the right to decrypt the aggregated ciphertext, and thus access the perception results, to ensure privacy protection and security.

4.2. Construction of a Crowd-Sensing Scheme Based on Multi-Key Homomorphic Encryption

4.2.1. Initialization Phase

Define data requester $D$ and $L$ perception users $U_1,\cdots ,U_L$. Perception user $U_i$ runs the $({pk}_i,{sk}_i)\leftarrow KeyGen\left(params\right)$ algorithm to generate its key pair $({pk}_i,{sk}_i)$, and data requester $D$ runs the $({pk}_D,{sk}_D)\leftarrow KeyGen\left(params\right)$ algorithm to generate its key pair $({pk}_D,{sk}_D)$.

Data requesters publish perception tasks to the perception platform according to their needs. The perception platform is responsible for organizing appropriate users to collect and upload data according to the tasks. The perception platform selects perception users $U_1,\cdots ,U_N$ that meet the task requirements and sends task invitations to the selected perception users $U_i$. Users can choose to accept or reject.

4.2.2. Perception Data Submission Phase

The perceptual user $U_i$ who receives the task collects data through its perceptual device and runs the $m_i\leftarrow Encode(i,z_i,\Delta )$ algorithm to encode the collected data into $m_i$. $U_i$ uses its own public key ${pk}_i$ and the public key ${pk}_D$ of the data requester $D$ to encrypt $m_i$, and runs the $c_i\leftarrow Enc\left({pk}_i,{pk}_D,m_i\right)$ algorithm to obtain the ciphertext $c_i=(c_0^i,c_1^i,c_2^i)=(v_i·({pk}_i+{pk}_D)+m_i+e_0^i,v_i·a_i+e_1^i,v_i·a_D+e_2^i)\left(modq\right)$, where $v_i\leftarrow \chi$, $e_0^i,e_1^i{,e}_2^i\leftarrow \psi$, $a_i=a_i\left[0\right]$, $a_D=a_D\left[0\right]$, ${pk}_i={pk}_i\left[0\right]$, ${pk}_D={pk}_D\left[0\right]$.

The perceptual user $U_i$ sends the ciphertext $c_i$ to the perceptual platform. The platform can only store and homomorphically compute encrypted data and cannot view the user’s plaintext data $m_i$.

4.2.3. Ciphertext Aggregation Phase

The perception platform receives the ciphertext $c_1,\cdots ,c_N$ from the perception users $U_1,\cdots ,U_N$ and performs homomorphic computation without decryption. The perception platform runs the $C_{sum}\leftarrow AddEval(c_1,c_2,\cdots ,c_N)$ algorithm to calculate the aggregated ciphertext $C_{sum}=\sum _{i=1}^N{c}_i=(C_{{sum}_0},C_{{sum}_1},C_{{sum}_2})=(\sum _{i=1}^N{c}_0^i,\sum _{i=1}^N{c}_1^i,\sum _{i=1}^N{c}_2^i)$. The aggregated ciphertext is still encrypted, and the perception platform cannot decrypt it to obtain the perception result. The perception platform sends $C_{sum}$ to the data requester $D$ for result decryption.

4.2.4. Perception Result Decryption Phase

The decryption phase of the perception result is divided into two steps: partial decryption and final decryption. In the partial decryption step, the perception user $U_i$ runs the $p_i\leftarrow PartDec(i,c_i{,sk}_i)$ algorithm to calculate the decryption share $p_i=s_i·c_1^i+e_i^{*}$, where $e_i^{*}\leftarrow \psi$, and then sends $p_i$ to the data requester $D$. In the final decryption step, after receiving the decryption shares $p_1,\cdots ,p_N$ of all perception users, the data requester $D$ uses its own private key ${sk}_D$ to decrypt the aggregated ciphertext, runs the $m^{*}\leftarrow FinDec(C_{sum},p_1,p_2,\cdots ,p_N)$ algorithm for final decryption, and obtains the perception result $m^{*}$. The data $m$ obtained after decoding $m^{*}$ is the perception result required by the data requester $D$. The perception result is the aggregated perception data, not the data of a single perception user, to ensure user privacy.

5. Security Analysis of a Crowd-Sensing Scheme Based on Multi-Key Homomorphic Encryption

In the crowd-sensing scheme based on multi-key homomorphic encryption, the entire sensing process is completed through information transmission between three entities: the sensing user, the sensing platform, and the data requester. Therefore, the security of the scheme will be discussed from two aspects: the sensing user and the sensing platform.

Theorem 2. 

In the crowd-sensing scheme based on multi-key homomorphic encryption, no entity can obtain the plaintext data of a single sensing user, that is, the privacy data of the sensing user is safe.

Proof of Theorem 2. 

In the crowd-sensing scheme based on multi-key homomorphic encryption, the sensing user does not need to trust the sensing platform or other users, and generates its key independently according to the distributed key generation protocol, and the data are encrypted locally. The plaintext data $m_i$ of the sensing user $U_i$ are encrypted locally into the ciphertext $c_i=Enc\left({pk}_i,{pk}_D,m_i\right)$, and $c_i$ is uploaded to the sensing platform through the network. $U_i$’s data remain encrypted during transmission. According to Theorem 3.1, the ciphertext $c_i\leftarrow Enc\left({pk}_i,{pk}_D,m_i\right)$ is computationally indistinguishable from the uniform distribution on $R_q$. The security of IND-CPA based on the RLWE problem ensures that the ciphertext $c_i$ cannot be cracked, that is, the plaintext data $m_i$ cannot be recovered from $c_i$. Therefore, even if an attacker or data requester intercepts the ciphertext of the perceived user $U_i$, no information related to $m_i$ can be inferred from it. □

Theorem 3. 

In the crowd-sensing scheme based on multi-key homomorphic encryption, no entity other than the data requester can decrypt the aggregated ciphertext to obtain the perception result, that is, the perception result is secure.

Proof of Theorem 3. 

In the crowd-sensing scheme based on multi-key homomorphic encryption, the perception platform only stores and homomorphically calculates the ciphertext $c_1,c_2,\cdots ,c_N$, but does not hold any user’s private key ${sk}_i$, so it is impossible to decrypt the ciphertext of a single user. The result $C_{sum}$ after homomorphic calculation is still encrypted, and the perception platform cannot deduce the plaintext data through calculation. The decryption of the aggregated ciphertext $C_{sum}$ requires the decryption shares the $p_i$ of all users and the private key ${sk}_D$ of the data requester. Only the data requester can decrypt and obtain the perception result. Even if the perception platform obtains the aggregated ciphertext $C_{sum}$ and the decryption shares $p_1,p_2,\cdots ,p_N$, its calculation is as follows:

$$\begin{array}{c}{C}_{{sum}_0}+{\displaystyle \sum _{i=1}^N}{p}_i\left(modq\right)={\sum }_{i=1}^N{c}_0^i+{\sum }_{i=1}^N\left(s_i·c_1^i+e_i^{*}\right)\left(modq\right)\hfill \\ ={\sum }_{i=1}^N\left(v_i·\left({pk}_i+{pk}_D\right)+m_i+e_0^i\right)+{\sum }_{i=1}^N\left(s_i·\left(v_i·a_i+e_1^i\right)+e_i^{*}\right)\left(modq\right)\hfill \\ \approx {\sum }_{i=1}^N{m}_i+{\sum }_{i=1}^N{v}_i·{pk}_D\left(modq\right)\hfill \end{array}$$

In addition to the aggregated plaintext ${\sum }_{i=1}^N{m}_i$, the calculation result also contains the partial ciphertext ${\sum }_{i=1}^N{v}_i·{pk}_D\left(modq\right)$ encrypted by ${pk}_D$. Since the perception platform does not have the private key ${\sum }_{i=1}^N{v}_i·{pk}_D\left(modq\right)$ of the data requester, it cannot eliminate ${\sum }_{i=1}^N{v}_i·{pk}_D\left(modq\right)$ in the calculation result, so it is impossible to obtain the aggregated plaintext data through calculation. □

6. Conclusions

In multi-user scenarios, CRSs, as centralized public information, not only provide a basis for collaboration for participating users, but also simplify the process of key generation and management, so that the encrypted data of multiple users can be effectively operated in the same computing environment. However, the existence of CRSs weakens the ability of users to independently generate public keys, and it is difficult to achieve in decentralized systems or scenarios with low trust requirements. This section proposes a lattice-based multi-key homomorphic encryption scheme without CRSs, aiming to eliminate the dependence on public parameters and improve the system’s anti-attack capability. The proposed scheme not only solves the problems of privacy preservation and data security, but also maintains high efficiency and scalability in large-scale distributed systems. Multi-key full homomorphic encryption schemes will be our research direction in the future, for wider application.