Enhancing Multi-Key Fully Homomorphic Encryption with Efficient Key Switching and Batched Multi-Hop Computations

Abstract

Multi-Key Fully Homomorphic Encryption (MKFHE) offers a powerful solution for secure multi-party computations, where data encrypted under different keys can be jointly computed without decryption. However, existing MKFHE schemes still face challenges such as large parameter sizes, inefficient evaluation key generation, complex homomorphic multiplication processes, and limited scalability in multi-hop scenarios. In this paper, we propose an enhanced multi-hop MKFHE scheme based on the Brakerski-Gentry-Vaikuntanathan (BGV) framework. Our approach eliminates the need for an auxiliary Gentry-Sahai-Waters (GSW)-type scheme, simplifying the design and significantly reducing the public key size. We propose novel algorithms for evaluation key generation and key switching that simplify the computation while allowing each party to independently precompute and share its evaluation keys, thereby reducing both computational overhead and storage costs. Additionally, we combine the tensor product and key switching processes through homomorphic gadget decomposition, developing a new homomorphic multiplication algorithm and achieving linear complexity with respect to the number of parties. Furthermore, by leveraging the Polynomial Chinese Remainder Theorem (Polynomial CRT), we design a ciphertext packing technique that transforms our BGV-type MKFHE scheme into a batched scheme with improved amortized performance. Our schemes feature stronger multi-hop properties and operate without requiring a predefined maximum number of parties, offering enhanced flexibility and scalability compared to existing similar schemes.

1. Introduction

The increasing adoption of big data and cloud computing has driven the need for secure outsourced computation. While cloud platforms enable efficient processing of large-scale data, they also introduce significant privacy risks, as sensitive data is often handled by untrusted servers. Fully Homomorphic Encryption (FHE), first proposed by Gentry in 2009 [1], provides a transformative cryptographic solution by allowing arbitrary computations on encrypted data without decryption. This powerful capability makes FHE particularly valuable in ciphertext retrieval [2], privacy-preserving data analytics [3], secure cloud computing, and confidential machine learning [4], where sensitive information must be processed without exposure. Since its inception, several highly influential single-key fully homomorphic encryption (SKFHE) schemes have been developed, including BGV [5], BFV [6,7], GSW [8], CKKS [9], and TFHE [10]. These schemes are renowned for their distinct advantages in functionality, computational efficiency, and adaptability to various application scenarios.

In cloud-based applications, especially in secure multi-party computation (MPC) protocols, multiple independent entities need to compute on their encrypted data collaboratively. However, SKFHE is not well-suited for multi-party settings, as it requires all plaintexts to be encrypted under the same secret key. This results in an authority concentration issue, where the entity holding the secret key can access and control all data, thereby potentially violating the privacy of other parties.

To address this limitation, Multi-Key Fully Homomorphic Encryption (MKFHE) [11,12,13,14,15,16,17,18,19,20] was introduced, enabling homomorphic operations on ciphertexts encrypted under different keys. Unlike SKFHE, MKFHE allows computations across independently encrypted data without requiring a shared secret key, making it a crucial cryptographic tool. Furthermore, MKFHE supports on-the-fly MPC [11], where the circuit to be evaluated can be dynamically chosen after the data providers upload their encrypted data. This feature allows computations to be carried out by a public server without requiring data owners to be online, significantly enhancing the flexibility and efficiency of real-time collaborative secure computing.

1.1. Related Works

The first MKFHE scheme was introduced by López-Alt et al. in 2012 [11]. Their construction enabled homomorphic evaluations over ciphertexts encrypted under different keys, with the computation results jointly decrypted by all participating parties. This approach addressed the challenge of collaborative encrypted computation across multiple users. However, this scheme relied on a non-standard security assumption related to NTRU [21] and suffered from exponential complexity growth with the number of participants, making it impractical for large-scale applications. In 2015, Clear et al. [12] extended the GSW scheme [8] to support a multi-identity (multi-key) setting, constructing the first MKFHE scheme based on the Learning with Errors (LWE) problem [22], thereby establishing its security under a standard security assumption. This work laid the foundation for subsequent optimizations and extensions of MKFHE. Mukherjee et al. [13] later simplified the scheme in [12] and proposed a new ciphertext extension algorithm, allowing for a single-round distributed decryption process for multi-key ciphertexts. This optimization enabled the construction of two-round MPC protocols. However, similar to [12], their scheme was limited to single-hop, meaning that the number of participants in the homomorphic computation had to be predefined. Furthermore, it did not support dynamic joining—once the homomorphic computation was performed, the resulting ciphertexts could not be further computed with ciphertexts from newly added participants.

To address this limitation, Peikert et al. [14] proposed a multi-hop MKFHE scheme based on the GSW framework, eliminating the need for prior knowledge of parties. The multi-hop nature of the scheme allows the output ciphertexts to continue being computed with ciphertexts from newly joined parties, enabling real-time, dynamic participation. Compared to [13], their approach also significantly reduced ciphertext size, though it still imposed a limitation on the maximum number of participants. Shortly thereafter, Brakerski and Perlman [15] proposed a fully dynamic MKFHE scheme based on the LWE assumption, allowing parties to dynamically join homomorphic computations without requiring a predefined number of participants. Their scheme supported an arbitrary polynomial number of parties and unlimited-depth homomorphic evaluations, with the spatial complexity of ciphertext extension and homomorphic operations growing only linearly with the number of parties. However, it relied on bootstrapping for ciphertext extension, and the generation of bootstrapping keys still required extending encrypted secret keys, significantly degrading efficiency.

In 2017, Chen et al. [16] proposed a batched multi-hop MKFHE scheme based on the BGV scheme [5], with security under the standard Ring Learning with Errors (RLWE) assumption [23]. Their scheme allowed ring elements to be encrypted as plaintexts, achieving higher computational efficiency. Additionally, they introduced methods for constructing two-round MPC protocols and threshold decryption protocols. In 2019, Li et al. [17] optimized the construction in [16], reducing the length of the extended ciphertext by nearly half. They also introduced a directed decryption protocol, enabling extended ciphertexts to be decrypted by specific designated users. This enhancement removed the limitation that only participating parties in the homomorphic evaluation could decrypt the result, thereby giving data owners greater control over access to decrypted information. In the same year, Chen et al. [18] constructed a TFHE-type MKFHE scheme, leveraging the low-latency homomorphic encryption techniques from TFHE [10]. They achieved a reduced concrete complexity, but their scheme did not support the packing technique, thereby resulting in a large expansion rate similar to TFHE. Later, Chen et al. [19] designed multi-key variants of BFV [6,7] and CKKS [9], optimizing the relinearization (key switching) process in batched MKFHE. They demonstrated the practicality of their work by applying it to oblivious neural network inference. In 2023, Kim et al. [20] introduced a homomorphic gadget decomposition technique, which can reduce the number of gadget decompositions required in MKFHE schemes. Furthermore, they proved that the gadget decompositions used in advanced FHE schemes [5,6,7,9,16,17,19] can support the homomorphic properties they proposed. As an attempt to explore different design approaches for multi-key variants, Zhou et al. [24] proposed a MKFHE scheme based on an accumulation-style key structure, inspired by the threshold FHE approach introduced in [25]. Their construction achieves more compact extended ciphertexts and enables more efficient homomorphic operations. However, similar to threshold FHE schemes, it also introduces certain inherent drawbacks, such as the use of more complex and diverse parameters, as well as increased frequency and complexity of interactions among the participating parties.

1.2. Motivations

The BGV-type scheme, as a representative of leveled FHE schemes, offers several advantages over other types of schemes, such as flexible noise management, the ability to avoid expensive bootstrapping by predefining the homomorphic evaluation depth for any polynomial size, and not relying on unreliable circular security assumptions. However, existing mainstream BGV-type MKFHE schemes still have some drawbacks. First, these schemes only support basic multi-hop features, requiring a predefined maximum number of participating parties during the initialization phase. Second, the tensor product in homomorphic multiplication results in further expansion of the dimensions of the extended ciphertext. After this tensor product, a key switching process is necessary to convert the expanded ciphertext back into a standard extended ciphertext. Due to the special and complex structure of the evaluation keys needed for key switching in a multi-party setting, existing BGV-type MKFHE schemes require an embedded extendable auxiliary ring-GSW scheme (which can be regarded as a separate GSW-type MKFHE scheme) to compute the evaluation key generation materials. These materials are then used to extend a large joint evaluation key at each level, and any change in the set of participating parties necessitates the recalculation of these joint evaluation keys. In simple terms, the presence of this auxiliary scheme leads to redundant and complex computations as well as significant storage overhead. Moreover, after eliminating the bootstrapping procedure, the tensor product and key exchange process become the new performance bottlenecks, introducing a square-level complexity related to the number of parties.

Additionally, the most efficient FHE schemes today are those that support batch techniques and allow SIMD (Single Instruction, Multiple Data) style operations. By utilizing ciphertext packing, such schemes pack multiple plaintexts into an equal number of independent “slots” within the plaintext space. However, existing mainstream MKFHE schemes [16,17,19] that theoretically support batching only make a simple claim that their schemes inherit the batch-processing capability of basic SKFHE schemes, without providing a detailed explanation of how to design ciphertext packing techniques to aggregate multiple plaintexts or how to specifically construct a batched MKFHE scheme.

1.3. Our Contributions

In this paper, we address the main issues present in existing works and propose an improved multi-hop BGV-type MKFHE scheme along with its batch-processing scheme.

First, we optimize the design of the multi-key variant of BGV by developing a simpler and more natural construction that eliminates the need for an additional auxiliary GSW-type MKFHE scheme. This innovation also enables a significant reduction in the size of the public key.

Next, we present novel evaluation key generation and key switching algorithms that allow each party to precompute and securely share its evaluation keys independently, without requiring the computation of evaluation key generation materials or the derivation of joint evaluation keys, and without needing to obtain or verify any information from other parties. These approaches substantially reduce both computational and storage costs, yielding performance improvements over existing mainstream MKFHE schemes.

Moreover, by adopting homomorphic gadget decomposition, we combine the tensor product and key switching processes, redesigning the homomorphic multiplication algorithm. This further improves the computational performance of our scheme and achieves linear complexity with respect to the number of participating parties.

Finally, drawing inspiration from the single-key construction in [26], we design a novel ciphertext packing technique based on Polynomial Chinese Remainder Theorem (Polynomial CRT) for a multi-party setup. We provide a detailed construction that transforms our BGV-type MKFHE scheme into a batched MKFHE scheme with superior amortized performance. Our schemes both exhibit a stronger multi-hop property, as they do not require a predefined upper bound on the number of participating parties, thereby offering increased flexibility and scalability compared to previous schemes.

2. Preliminaries

2.1. Notation

In this paper, we employ standard cryptographic notations. Vectors are denoted in bold, like $\mathbf{a}$, and matrices are written in upper-case bold, like $\mathbf{A}$. For a positive integer $k$, let ${\mathrm{\Phi }}_k\left(X\right)$ be the $k$-th cyclotomic polynomial, whose degree is $N=\mathrm{\phi }\left(k\right)$, where $\mathrm{\phi }\left(\cdot \right)$ is the Euler’s totient function. We work over the polynomial ring $R=\mathbb{Z}\left[X\right]/\left({\mathrm{\Phi }}_k\left(X\right)\right)$ and the corresponding residue ring $R_Q=R/\left(Q\cdot R\right)$ for some integer modulus $Q$. In $R_Q$, each polynomial has coefficients in the interval $\left(-Q/2,Q/2\right]$. We use the security parameter $\lambda$, and denote a negligible function with respect to $\lambda$ as $\mathrm{neg}\left(\lambda \right)$. For a distribution $D$, $x\leftarrow D$ indicates that $x$ is sampled according to $D$. When referring to the uniform distribution over a finite set $S$, we use $U\left(S\right)$. For a polynomial $a$ in $R$, we define ${‖a‖}_{\mathrm{\infty }}$ as the standard $l_{\mathrm{\infty }}$-norm of its coefficient vector. All logarithms in this paper are taken to base 2 unless otherwise specified.

2.2. Ring Learning with Errors

The Ring Learning with Errors (RLWE) assumption [23] with parameter $\left(N,Q,\chi \right)$ is a central cryptographic assumption used in lattice-based encryption schemes. Given a set of polynomially many samples $\left(a_i,b_i=s\cdot a_i+e_i\right)\in R_Q^2$, where $a_i$ is uniformly sampled from $R_Q$, and both $s$ (the secret) and $e_i$ (the noise) are drawn from an error distribution $\chi$ over $R_Q$, the RLWE assumption asserts that it is computationally hard to distinguish the $b_i$’s from uniformly random elements of $R_Q$.

In standard RLWE-based constructions, the error distribution $\chi$ is defined as the spherical discrete Gaussian distribution $D_{{\mathbb{Z}}^N,\mathrm{\sigma }}$ over the ring $R=\mathbb{Z}\left[X\right]/\left({\mathrm{\Phi }}_k\left(X\right)\right)$, where ${\mathrm{\Phi }}_k\left(X\right)$ is the $k$-th cyclotomic polynomial and $N=\mathrm{\phi }\left(k\right)$ denotes its degree. In the context of RLWE, this degree $N$ is also referred to as the dimension of the RLWE assumption. The distribution $\chi$ is $B_{\chi }$-bounded, meaning that with overwhelming probability, the $l_{\mathrm{\infty }}$-norm of a sampled element—viewed as a coefficient vector in ${\mathbb{Z}}^N$—is at most a fixed bound $B_{\chi }$, where $B_{\chi }\ll Q$. Specifically, each element sampled from $\chi$ is represented as a polynomial in $R_Q$ whose coefficients are independently drawn from the same one-dimensional discrete Gaussian distribution $D_{\mathbb{Z},\mathrm{\sigma }}$ with mean zero and some standard deviation $\mathrm{\sigma }>0$.

2.3. Polynomial Chinese Remainder Theorem

Polynomial operations are fundamental to many cryptographic constructions, especially in the context of lattice-based schemes. In this section, we introduce the Polynomial Chinese Remainder Theorem, which facilitates the decomposition and reconstruction of polynomial residues under modular constraints.

Definition 1. 

(Polynomial Chinese Remainder Theorem (Polynomial CRT) [26]). Consider a set of polynomials $f_0\left(x\right),f_1\left(x\right),\dots ,f_{\xi -1}\left(x\right)$ that are pairwise relatively prime. Let $f\left(x\right)=f_0\left(x\right)\cdot f_1\left(x\right)\cdot \cdot \cdot f_{\xi -1}\left(x\right)$, and let ${\alpha }_0\left(x\right),{\alpha }_1\left(x\right),\dots ,{\alpha }_{\xi -1}\left(x\right)$ represent any given polynomial. Then, there exists a unique polynomial $g\left(x\right)$ such that $g\left(x\right)\equiv {\alpha }_i\left(x\right) \left(mod f_i\left(x\right)\right)$ for $i=\mathrm{0,1},\dots ,\xi -1$. The unique solution to this system of congruences is given by:

$$g\left(x\right)={\sum }_{i=0}^{\xi -1}{\mathrm{\alpha }}_i\left(x\right)\cdot {\beta }_i\left(x\right)\cdot {\gamma }_i\left(x\right)\left(\mathrm{mod}f\left(x\right)\right),$$

where ${\gamma }_i\left(x\right)={\displaystyle \frac{f\left(x\right)}{f_i\left(x\right)}}$ and ${\beta }_i\left(x\right)$ is the modular inverse of ${\gamma }_i\left(x\right)$ modulo $f_i\left(x\right)$, i.e., ${\beta }_i\left(x\right)={\displaystyle \frac{1}{{\gamma }_i\left(x\right)}} \left(mod f_i\left(x\right)\right)$.

2.4. Multi-Key Fully Homomorphic Encryption (MKFHE)

MKFHE is a cryptographic scheme that extends traditional FHE by enabling computations on ciphertexts encrypted under different keys. In contrast to single-key FHE, which requires all data to be encrypted under the same secret key, MKFHE allows encrypted data from multiple parties, each using its own secret key, to be processed together. This makes MKFHE a more flexible and scalable solution for privacy-preserving computations in multi-party settings.

An MKFHE scheme consists of five probabilistic polynomial-time (PPT) algorithms: $\mathrm{S}\mathrm{e}\mathrm{t}\mathrm{u}\mathrm{p}$, $\mathrm{K}\mathrm{e}\mathrm{y}\mathrm{G}\mathrm{e}\mathrm{n}$, $\mathrm{E}\mathrm{n}\mathrm{c}$, $\mathrm{E}\mathrm{v}\mathrm{a}\mathrm{l}$, and $\mathrm{D}\mathrm{e}\mathrm{c}$. These algorithms are described as follows:

• Setup: $pp\leftarrow \mathrm{M}\mathrm{K}\mathrm{F}\mathrm{H}\mathrm{E}.\mathrm{S}\mathrm{e}\mathrm{t}\mathrm{u}\mathrm{p}\left(1^{\lambda }\right)$. The setup algorithm takes the security parameter $\lambda$ as input and outputs the public parameters $pp$. These public parameters are implicitly used by other algorithms in the scheme.
• Key Generation: $\left(\mathbf{pk},\mathbf{sk}\right)\leftarrow \mathrm{M}\mathrm{K}\mathrm{F}\mathrm{H}\mathrm{E}.\mathrm{K}\mathrm{e}\mathrm{y}\mathrm{G}\mathrm{e}\mathrm{n}\left(pp\right)$. The key generation algorithm takes the public parameters $pp$ as input and generates a public key $\mathbf{p}\mathbf{k}$ and a secret key $\mathbf{sk}$ for each participating party. Each party holds its own secret key while sharing the public key.
• Encryption: $\mathbf{c}\leftarrow \mathrm{M}\mathrm{K}\mathrm{F}\mathrm{H}\mathrm{E}.\mathrm{Enc}\left(\mathbf{pk},m\right)$. The encryption algorithm takes a message $m$ and the corresponding public key $\mathbf{pk}$ as inputs, encrypting the message to produce a ciphertext $\mathbf{c}$.
• Evaluation: ${\mathbf{c}}^{\prime }\leftarrow \mathrm{M}\mathrm{K}\mathrm{F}\mathrm{H}\mathrm{E}.\mathrm{Eval}\left(\mathcal{C},\left({\mathbf{pk}}_1,\dots ,{\mathbf{pk}}_j\right),\left({\mathbf{c}}_1,\dots ,{\mathbf{c}}_i\right)\right)$. The evaluation algorithm allows for computations on multiple ciphertexts ${\mathbf{c}}_1,\dots ,{\mathbf{c}}_i$, each encrypted under a (possibly repeated) public key from the set $\left\{{\mathbf{pk}}_1,\dots ,{\mathbf{pk}}_j\right\}$, where $j\le i$ denotes the number of distinct public keys involved. It performs homomorphic operations on these ciphertexts based on a given circuit $\mathcal{C}$, producing a new ciphertext ${\mathbf{c}}^{\prime }$ that is the encrypted result of the computation.
• Decryption: $m\leftarrow \mathrm{M}\mathrm{K}\mathrm{F}\mathrm{H}\mathrm{E}.\mathrm{D}\mathrm{e}\mathrm{c}\left({\mathbf{c}}^{\prime },\left({\mathbf{sk}}_1,\dots ,{\mathbf{sk}}_j\right)\right)$. The decryption algorithm takes a ciphertext ${\mathbf{c}}^{\prime }$ and the corresponding secret keys ${\mathbf{sk}}_1,\dots ,{\mathbf{sk}}_j$ for the participating parties as input, decrypting the ciphertext to recover a plaintext message $m$.

Each MKFHE ciphertext implicitly contains references to the public keys associated with it. Initially, a ciphertext corresponds to a single key, but as computations proceed with ciphertexts encrypted under different keys, the reference set expands. When decrypting a ciphertext, all associated secret keys must be used.

Correctness and security: An MKFHE scheme is correct if, for any set of ciphertexts ${\mathbf{c}}_1,\dots ,{\mathbf{c}}_i$, the decryption of the result obtained from the homomorphic evaluation matches the result of applying the circuit $\mathcal{C}$ to the decrypted inputs with an overwhelming probability, i.e.,

$$\mathrm{Pr}\left[\mathrm{M}\mathrm{K}\mathrm{F}\mathrm{H}\mathrm{E}.\mathrm{D}\mathrm{e}\mathrm{c}\left(\mathrm{M}\mathrm{K}\mathrm{F}\mathrm{H}\mathrm{E}.\mathrm{Eval}\left(\mathcal{C},\left({\mathbf{pk}}_1,\dots ,{\mathbf{pk}}_j\right),\left({\mathbf{c}}_1,\dots ,{\mathbf{c}}_i\right)\right),\left({\mathbf{sk}}_1,\dots ,{\mathbf{sk}}_j\right)\right)=\mathcal{C}\left(m_1,\dots ,m_i\right)\right]\ge 1-\mathrm{neg}\left(\lambda \right)$$

An MKFHE scheme is IND-CPA secure if, for any pair of messages $m_1,m_2$, the distributions of ciphertexts $\mathrm{M}\mathrm{K}\mathrm{F}\mathrm{H}\mathrm{E}.\mathrm{Enc}\left(\mathbf{pk},m_1\right)$ and $\mathrm{M}\mathrm{K}\mathrm{F}\mathrm{H}\mathrm{E}.\mathrm{Enc}\left(\mathbf{pk},m_2\right)$ are computationally indistinguishable.

2.5. Gadget Decomposition

Gadget decomposition, originally introduced by [27], is a fundamental technique extensively employed in FHE schemes (e.g., [5,6,7,8,9,10,15,16,17,18,19]) to mitigate the escalation of noise during homomorphic evaluations and bootstrapping. Intuitively, it expresses a ring element as a vector of polynomials with relatively small coefficients, thereby facilitating key switching and other noise-control procedures.

Formally, let $Q$ be a positive integer, and consider the ring $R_Q$. We define a gadget vector $\mathbf{g}=\left(g_0,g_1,\dots ,g_{t-1}\right)\in R_Q^t$. The gadget decomposition function $h\left(\cdot \right)$ maps each element $a\in R_Q$ to a vector $\mathbf{v}=\left(v_0,v_1,\dots ,v_{t-1}\right)\in R^t$ such that: $⟨h\left(a\right),\mathbf{g}⟩=⟨\mathbf{v},\mathbf{g}⟩=a\left(\mathrm{mod}\mathrm{Q}\right)$. In this decomposition, the parameter $t$ is a positive integer referred to as the decomposition degree. The resulting vector $\mathbf{v}$ is typically constrained to have a small $l_{\mathrm{\infty }}$-norm, i.e., ${‖\mathbf{v}‖}_{\mathrm{\infty }}\le B_h$, where $B_h>0$ is a predetermined bound significantly smaller than $Q$. For $x\in R_Q$ and $\mathbf{y}\in R_Q^t$, the external product is defined as $x⊡\mathbf{y}=⟨h\left(x\right),\mathbf{y}⟩ \left(\mathrm{mod} Q\right)$, where $⟨\cdot ,\cdot ⟩$ denotes the inner product between two vectors.

Over the years, multiple gadget decomposition variants have been employed in FHE schemes tailored to diverse design needs and constructions, including bit decomposition [5,6], residue-number-system (RNS)-oriented decomposition [28,29], base decomposition [10,30], and homomorphic gadget decomposition [20].

2.6. IND-CPA Security

A foundational security notion for modern public-key encryption schemes, including SKFHE schemes and MKFHE schemes, is indistinguishability under chosen plaintext attack (IND-CPA). This notion guarantees that any PPT adversary, even with access to an encryption oracle, cannot distinguish between the ciphertexts of any two messages of their choice with non-negligible advantage.

Definition 2. 

(IND-CPA Security [31]). Let $\mathcal{E}=\left(Setup,KeyGen,Enc,Dec\right)$ be a public-key encryption scheme, and let $\lambda \in \mathbb{N}$ denote the security parameter. Let $\mathcal{M}$ denote the message space. We say that $\mathcal{E}$ is IND-CPA secure if for every PPT adversary $\mathcal{A}$, there exists a negligible function $\mathit{neg}\left(\cdot \right)$ such that:

$$\left|\mathrm{Pr}\left[{\mathrm{E}\mathrm{x}\mathrm{p}}_{\mathcal{E},\mathcal{A}}^{\mathrm{I}\mathrm{N}\mathrm{D}-\mathrm{C}\mathrm{P}\mathrm{A}}\left(\lambda \right)=1\right]-{\displaystyle \frac{1}{2}}\right|\le \mathrm{neg}\left(\lambda \right),$$

where the experiment ${Exp}_{\mathcal{E},\mathcal{A}}^{IND-CPA}\left(\lambda \right)$ is defined as follows:

1. 

The challenger runs $\left(\mathit{pk},\mathit{sk}\right)\leftarrow KeyGen\left(1^{\lambda }\right)$, and sends the public key $\mathit{pk}$ to $\mathcal{A}$.

2. 

$\mathcal{A}$ sends two equal-length messages $m_0,m_1\in \mathcal{M}$ to the challenger.

3. 

The challenger samples a uniform bit $b\in \left\{\mathrm{0,1}\right\}$, computes the challenge ciphertext $\mathit{c}\leftarrow Enc\left(\mathit{pk},m_b\right)$, and sends $\mathit{c}$ to $\mathcal{A}$.

4. 

$\mathcal{A}$ outputs a guess bit $b^{\prime }\in \left\{\mathrm{0,1}\right\}$. The experiment outputs 1 if $b^{\prime }=b$, and 0 otherwise.

A scheme is IND-CPA secure if the adversary’s advantage in distinguishing $m_0$ from $m_1$ based on $\mathbf{c}$ is bounded by a negligible function with respect to $\lambda$. For FHE schemes, IND-CPA security is typically established under the RLWE assumption, ensuring that ciphertexts do not leak any partial information about the underlying plaintexts against passive adversaries.

3. New Multi-Key Variant of BGV

In this section, we present a novel multi-hop BGV-type MKFHE scheme. Unlike those in [16,17], our construction does not rely on a separately tailored auxiliary GSW-type MKFHE scheme. We then introduce new algorithms for evaluation key generation and key switching, which deliver superior performance compared to recent mainstream methods [16,17,19]. Moreover, by incorporating techniques introduced in [20], we redesign both the homomorphic multiplication and key switching procedures, thereby achieving further improvements in overall computational efficiency.

3.1. Improved Multi-Key BGV

Throughout this work, we adopt the standard convention used in leveled FHE schemes, where the evaluation of the input circuit proceeds from the highest level (the initial input level) down to level 0 (the final output level). Accordingly, the index variable $l$, which denotes the level index, ranges from high to low, and operations involving $l-1$—such as evaluation key generation, key switching, modulus switching, and homomorphic evaluation—are only performed at levels $l\ge 1$, and are not invoked at level 0.

In this section, we focus on presenting the overall structure of our $\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}$ scheme and provide an outline of the full homomorphic evaluation procedure. The formal algorithms for evaluation key generation and key switching—$\mathbf{E}\mathbf{v}\mathbf{k}\mathbf{G}\mathbf{e}\mathbf{n}$ and $\mathbf{S}\mathbf{w}\mathbf{i}\mathbf{t}\mathbf{c}\mathbf{h}\mathbf{K}\mathbf{e}\mathbf{y}$—will be described in detail in Section 3.2.

• $\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{S}\mathbf{e}\mathbf{t}\mathbf{u}\mathbf{p}\left(1^{\lambda },1^L\right)$: For a given $N$, $\lambda$, and $L$, where $N$ denotes the RLWE dimension, $L$ is a bound on the circuit depth, and $\lambda$ is the security parameter, define a sequence of ciphertext moduli $\{Q_l{\}}_{l=0}^L$ recursively as $Q_l={\prod }_{i=0}^l{q}_i$ for $l=\mathrm{0,1},\dots ,L$, where each $q_i$ is an integer. Specifically, the largest modulus is $Q_L=q_0\cdot q_1\cdots q_L$. Let the error distribution $\chi =\chi \left(\lambda \right)$ be a $B_{\chi }$-bounded spherical discrete Gaussian distribution $D_{{\mathbb{Z}}^N,\sigma }$ over the ring $R$, where the bound satisfies $B_{\chi }\ll Q_0$. Let $p\in \mathbb{Z}$ be the plaintext modulus, chosen such that $p$ is coprime with every $Q_l$. Let $h:R_{Q_l}\to R^t$ be a gadget decomposition function associated with the gadget vector $\mathbf{g}\in R_{Q_l}^t$. For each level $l$, uniformly sample a random vector ${\mathbf{a}}_l\leftarrow U\left(R_{Q_l}^t\right)$. Output the public parameters $pp=\left(R, p,\{Q_l,{\mathbf{a}}_l{\}}_{l=0}^L,\chi \right)$.
  In practical deployments, the $\mathbf{S}\mathbf{e}\mathbf{t}\mathbf{u}\mathbf{p}$ algorithm is executed once in a trusted setup phase, during which the public parameters are generated. This setup may be performed by a trusted third party (e.g., a cloud service provider) or collaboratively via a distributed multi-party protocol. Once established, the public parameters remain fixed and publicly known.
• $\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{K}\mathbf{e}\mathbf{y}\mathbf{G}\mathbf{e}\mathbf{n}\left(pp\right)$: The key generation algorithm is executed independently by each party without requiring any interaction or coordination with others. For each level $l$ (from $L$ down to 0) and for the $i$-th party, the secret key is sampled as $s_{l,i}\leftarrow \chi$, ensuring that $s_{l,i}$ is invertible in $R_{Q_l}$. A noise vector is drawn as ${\mathbf{e}}_{l,i}\leftarrow {\chi }^t$. The public key is then computed by ${\mathbf{b}}_{l,i}=-{\mathbf{a}}_l{s}_{l,i}+p{\mathbf{e}}_{l,i} \left(\mathrm{mod} Q_l\right)$, where ${\mathbf{b}}_{l,i}\in R_{Q_l}^t$. Thus, the key generation algorithm outputs $L+1$ pairs $\{\left(s_{l,i},{\mathbf{b}}_{l,i}\right){\}}_{l=0}^L$ for each party $i$.
  As detailed in [23,32], efficient algorithms exist to verify whether an element in $R_{Q_l}$ is invertible and to compute its inverse. Moreover, when setting $Q_l=\mathrm{\Omega }\left(n\right)$, elements that belong to $R_{Q_l}$ are invertible with overwhelming probability. We point out that since $\chi$ is a distribution over $R$, and $R_{Q_l}$ is defined as $R/\left(Q_{l}R\right)$, the sampled secret key $s_{l,i}$ is naturally an element of $R_{Q_l}$ [5,33].
• $\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{E}\mathbf{n}\mathbf{c}\left(\mu ,{\mathbf{b}}_{l,i},{\mathbf{a}}_l\right)$: The encryption algorithm is performed locally by each data owner. For a plaintext $\mu \in R_p$, sample a random element $r\leftarrow \chi$, and noise $e,e^{\prime }\leftarrow \chi$. Then, for party $i$ at level $l$, compute the ciphertext ${\mathbf{c}}_{l,i}=\left(c_{l,i}^0,c_{l,i}^1\right)\in R_{Q_l}^2$ as ${\mathbf{c}}_{l,i}=\left(c_{l,i}^0,c_{l,i}^1\right)=\left(\mu +{\mathbf{b}}_{l,i}\left[0\right]\cdot r+p\cdot e,{\mathbf{a}}_l\left[0\right]\cdot r+p\cdot e^{\prime }\right) \left(\mathrm{mod} Q_l\right)$.
  Here, ${\mathbf{b}}_{l,i}\left[0\right]\in R_{Q_l}$ and ${\mathbf{a}}_l\left[0\right]\in R_{Q_l}$ denote the first component of the vectors ${\mathbf{b}}_{l,i}$ and ${\mathbf{a}}_l$, respectively.
• $\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{C}\mathbf{T}\mathbf{E}\mathbf{x}\mathbf{t}\left(\mathbf{c},n^{*}\right)$: The ciphertext extension algorithm is performed by the evaluator, such as a cloud server or another computation entity. Suppose $\mathbf{c}=\left(c_0,c_1,\dots ,c_n\right)\in R_{Q_l}^{n+1}$ is a ciphertext at level $l$ associated with $n$ parties. To extend this ciphertext to support $n^{*}$ parties (with $n^{*}\ge n$), construct and output an extended ciphertext

  $${\mathbf{c}}^{*}=\left(c_0^{*},c_1^{*},\dots ,c_{n^{*}}^{*}\right)\in R_{Q_l}^{n^{*}+1}$$

  by setting $c_0^{*}=c_0$ and $c_i^{*}=c_i$ for $1\le i\le n$, while $c_i^{*}=0$ for all $i$ satisfying $n<i\le n^{*}$. This construction guarantees that

  $$c_0^{*}+{\sum }_{i=1}^{n^{*}}{c}_i^{*}\cdot s_{l,i}=c_0+{\sum }_{i=1}^n{c}_i\cdot s_{l,i} \left(\mathrm{mod} Q_l\right).$$
  Thus, the extended ciphertext ${\mathbf{c}}^{*}$ encrypts the same underlying plaintext at the same level while now being associated with $n^{*}$ parties.
• $\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{D}\mathbf{e}\mathbf{c}\left(\mathbf{c},\{s_{l,i}{\}}_{i=1}^n\right)$: The decryption algorithm is jointly executed by all involved parties. Given an $n$-key ciphertext $\mathbf{c}=\left(c_0,c_1,\dots ,c_n\right)\in R_{Q_l}^{n+1}$ at level $l$ associated with $n$ parties, along with the corresponding secret keys $\{s_{l,i}{\}}_{i=1}^n$, the plaintext $\mu$ is recovered by computing

  $$\mu =\left(c_0+{\sum }_{i=1}^n{c}_i\cdot s_{l,i}\right)\mathrm{mod} Q_l\mathrm{mod} p.$$
• $\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{M}\mathbf{o}\mathbf{d}\mathbf{u}\mathbf{l}\mathbf{u}\mathbf{s}\mathbf{S}\mathbf{w}\mathbf{i}\mathbf{t}\mathbf{c}\mathbf{h}\left(\mathbf{c}\right)$: The modulus switching algorithm is executed by the evaluator. Given a ciphertext $\mathbf{c}=\left(c_0,c_1,\dots ,c_n\right)\in R_{Q_l}^{n+1}$ at level $l$, compute

  $$c_i^{\prime }\equiv ⌊{\displaystyle \frac{1}{q_l}}\cdot c_i⌉\left(\mathrm{mod} p\right)$$

  for $i=0,\dots ,n$, where $⌊\cdot ⌉$ denotes the rounding operation, and output the ciphertext ${\mathbf{c}}^{\prime }=\left(c_0^{\prime },c_1^{\prime },\dots ,c_n^{\prime }\right)\in R_{Q_{l-1}}^{n+1}$ at level $l-1$.
  In BGV-type schemes, reducing the inner modulus from $Q_l$ to $Q_{l-1}$ decreases the internal noise by roughly the factor $Q_{l-1}/Q_l=1/q_l$. The modulus switching technique ensures that the resulting ciphertext ${\mathbf{c}}^{\prime }$ can still be decrypted under the same secret key without affecting the correctness of the underlying plaintext, enabling continued homomorphic computations at the lower level. A detailed correctness proof for modulus switching can be found in [5].
• $\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{E}\mathbf{v}\mathbf{a}\mathbf{l}\left(\mathcal{C},\{{\mathbf{b}}_i{\}}_{i=1}^n,\left({\mathbf{c}}_1,\dots ,{\mathbf{c}}_x\right)\right)$: The homomorphic evaluation algorithm is executed by the evaluator. Let $\mathcal{C}$ denote the circuit provided as input for homomorphic evaluation on ciphertexts $\left({\mathbf{c}}_1,\dots ,{\mathbf{c}}_x\right)$. Each ciphertext ${\mathbf{c}}_j$ (where $j=1,\dots ,x$) is at a particular level and was originally encrypted under a subset of the parties’ keys. The algorithm proceeds as follows:
  • If any ciphertexts are at higher levels than others, apply the necessary key switching or modulus switching procedures so that all ciphertexts ${\mathbf{c}}_j$ are converted to a common level $l$.
  • For each ciphertext ${\mathbf{c}}_j$, invoke the ciphertext extension algorithm $\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{C}\mathbf{T}\mathbf{E}\mathbf{x}\mathbf{t}\left({\mathbf{c}}_j,n\right)$ to extend ${\mathbf{c}}_j$ into an extended ciphertext ${\mathbf{c}}_j^{*}$ that is related to the union of all parties involved across these ciphertexts. This step ensures that all input ciphertexts are associated with the same set of $n$ parties.
  • For each involved party $i$, compute its level-$l$ evaluation key ${\mathcal{K}}_{l,i}=\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{E}\mathbf{v}\mathbf{k}\mathbf{G}\mathbf{e}\mathbf{n}\left({\mathbf{a}}_l,{\mathbf{a}}_{l-1},{\mathbf{b}}_{l-1,i},s_{l,i},s_{l-1,i}\right)$.
  • To evaluate the circuit $\mathcal{C}$ gate by gate, simply apply the homomorphic operations $\mathbf{A}\mathbf{d}\mathbf{d}$ and $\mathbf{M}\mathbf{u}\mathbf{l}\mathbf{t}$ (detailed immediately below) on the extended ciphertexts.
  • After processing all gates in $\mathcal{C}$, output the final ciphertext ${\mathbf{c}}_{\mathrm{out}}$, which encrypts the result of $\mathcal{C}$ on the original plaintexts under the secret keys of all involved parties.
• $\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{A}\mathbf{d}\mathbf{d}\left(\mathbf{c},{\mathbf{c}}^{\prime }\right)$: For two ciphertexts $\mathbf{c}$ and ${\mathbf{c}}^{\prime }$ in $R_{Q_l}^{n+1}$, output their component-wise sum ${\mathbf{c}}^{″}=\mathbf{c}+{\mathbf{c}}^{\prime }\left(\mathrm{mod}{Q}_l\right)\in R_{Q_l}^{n+1}$.
• $\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{M}\mathbf{u}\mathbf{l}\mathbf{t}\left(\mathbf{c},{\mathbf{c}}^{\prime },\{\left({\mathbf{b}}_{l,i},{\mathcal{K}}_{l,i}\right){\}}_{i=1}^n\right)$: Given ciphertexts $\mathbf{c}=\left(c_0,c_1,\dots ,c_n\right)$ and ${\mathbf{c}}^{\prime }=\left(c_0^{\prime },c_1^{\prime },\dots ,c_n^{\prime }\right)$ in $R_{Q_l}^{n+1}$ along with the public keys $\{{\mathbf{b}}_{l,i}{\}}_{i=1}^n$ and evaluation keys $\{{\mathcal{K}}_{l,i}{\}}_{i=1}^n$, compute the tensor product ${\mathbf{c}}_{mult}=\mathbf{c}\otimes {\mathbf{c}}^{\prime }={\left(c_{i,j}\right)}_{0\le i,j\le n}\in R_{Q_l}^{{\left(n+1\right)}^2}$ with components $c_{i,j}=c_i\cdot c_j^{\prime }\hspace{0.25em}\left(\mathrm{mod}{Q}_l\right)$ for all $0\le i,j\le n$. Then, compute ${\mathbf{c}}^{″}=\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{S}\mathbf{w}\mathbf{i}\mathbf{t}\mathbf{c}\mathbf{h}\mathbf{K}\mathbf{e}\mathbf{y}\left({\mathbf{c}}_{mult},\{\left({\mathbf{b}}_{l,i},{\mathcal{K}}_{l,i}\right){\}}_{i=1}^n\right)$, and finally output ${\mathbf{c}}^{‴}=\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{M}\mathbf{o}\mathbf{d}\mathbf{u}\mathbf{l}\mathbf{u}\mathbf{s}\mathbf{S}\mathbf{w}\mathbf{i}\mathbf{t}\mathbf{c}\mathbf{h}\left({\mathbf{c}}^{″}\right)$.

Security: The security and correctness of our $\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}$ scheme derive from the inherent properties of both the RLWE assumption (with parameters ($N,Q_l,\chi$)) and the basic BGV scheme.

As in most mainstream FHE schemes [5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20], we consider a static, passive adversarial model, in which an adversary may corrupt an arbitrary subset (possibly large but not all) of parties before the setup phase but cannot adaptively corrupt parties during the computation. The adversary can observe all public parameters, public keys, and ciphertexts throughout the execution, but cannot access the secret keys of honest parties. Furthermore, all parties are assumed to honestly follow the specified steps of the $\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}$ scheme.

In our scheme, elements and vectors are independently and randomly sampled from discrete Gaussian or uniform distributions, such as $\chi$, ${\chi }^t,$ and $U\left(R_{Q_l}^t\right)$. This includes, for example, the secret keys $s_{l,i}$, noise vectors ${\mathbf{e}}_{l,i},$ and random vectors ${\mathbf{a}}_l\in R_{Q_l}^t$. These distributions ensure sufficient entropy and unpredictability in parameter generation, thereby satisfying the security requirements under the RLWE assumption.

For each level $l$, a public key for party $i$ is ${\mathbf{b}}_{l,i}=-{\mathbf{a}}_l{s}_{l,i}+p{\mathbf{e}}_{l,i} \left(\mathrm{mod} Q_l\right)\in R_{Q_l}^t$, where ${\mathbf{a}}_l\leftarrow U\left(R_{Q_l}^t\right)$, $s_{l,i}\leftarrow \chi$, and ${\mathbf{e}}_{l,i}\leftarrow {\chi }^t$. Because negating $s_{l,i}$ remains within the same error distribution $\chi$ and multiplying by $p$ merely rescales the noise, $\left({\mathbf{a}}_l,{\mathbf{b}}_{l,i}\right)$ still constitutes an RLWE sample. Therefore, by the RLWE assumption, ${\mathbf{b}}_{l,i}$ is computationally indistinguishable from a uniform random vector in $R_{Q_l}^t$. A ciphertext at level $l$ similarly has a form ${\mathbf{c}}_{l,i}=\left(c_{l,i}^0,c_{l,i}^1\right)\in R_{Q_l}^2$ where $c_{l,i}^0=\mu +{\mathbf{b}}_{l,i}\left[0\right]r+pe \left(\mathrm{mod} Q_l\right)$ and $c_{l,i}^1={\mathbf{a}}_l\left[0\right]r+p{e}^{\prime } \left(\mathrm{mod} Q_l\right)$. Here, $\left({\mathbf{b}}_{l,i}\left[0\right],c_{l,i}^0\right)$ and $\left({\mathbf{a}}_l\left[0\right],c_{l,i}^1\right)$ each can be viewed as an RLWE sample with secret $r$, in which $c_{l,i}^0$ contains a plaintext $\mu$ in an otherwise random encryption of zero. Hence, ${\mathbf{c}}_{l,i}=\left(c_{l,i}^0,c_{l,i}^1\right)$ is computationally indistinguishable from a random pair in $U\left(R_{Q_l}^2\right)$ under the RLWE assumption.

To formally prove the IND-CPA security of our $\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}$ scheme under the RLWE assumption, we construct a hybrid argument consisting of two experiments: Hybrid 0 (the real IND-CPA experiment) and Hybrid 1 (an indistinguishable variant), and then argue their computational indistinguishability. The experiments are defined according to Definition 2 and aim to show that no PPT adversary can distinguish between the encryptions of any two chosen plaintexts with non-negligible advantage.

Hybrid 0: Let $n\in \mathbb{N}$ denote the number of participating parties. The experiment proceeds as follows:

• For each party $i\in \{1,\dots ,n\}$, the challenger generates key pairs $\{\left(s_{l,i},{\mathbf{b}}_{l,i}\right){\}}_{l=0}^L\leftarrow \mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{K}\mathbf{e}\mathbf{y}\mathbf{G}\mathbf{e}\mathbf{n}\left(pp\right)$, and sends the public keys $\{{\mathbf{b}}_{l,i}{\}}_{l=0}^L$ to the adversary $\mathcal{A}$.
• The adversary $\mathcal{A}$ selects two plaintexts ${\mu }_0,{\mu }_1\in R_p$, and specifies a public key ${\mathbf{b}}_{l,i}$ to be used for encryption.
• The challenger samples a uniform bit $b\in \left\{\mathrm{0,1}\right\}$, and returns the ciphertext ${\mathbf{c}}_{l,i}=\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{E}\mathbf{n}\mathbf{c}\left({\mu }_b,{\mathbf{b}}_{l,i},{\mathbf{a}}_l\right)$ to $\mathcal{A}$.
• $\mathcal{A}$ outputs a guess bit $b^{\prime }\in \left\{\mathrm{0,1}\right\}$. The experiment outputs 1 if $b^{\prime }=b$, and 0 otherwise.

Let this experiment be denoted by ${\mathrm{E}\mathrm{x}\mathrm{p}}_0\left(\lambda \right)$.

Hybrid 1: This experiment is identical to Hybrid 0, except that the challenger encrypts the other message, i.e., ${\mu }_{1-b}$, instead of ${\mu }_b$. The same public key ${\mathbf{b}}_{l,i}$ specified by the adversary is used.

• All key generation and public key disclosure steps remain unchanged.
• The adversary submits the same two plaintexts ${\mu }_0,{\mu }_1\in R_p$ and public key ${\mathbf{b}}_{l,i}$ as in Hybrid 0.
• The challenger samples the same bit $b\in \left\{\mathrm{0,1}\right\}$, but now computes ${\mathbf{c}}_{l,i}^{\prime }=\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{E}\mathbf{n}\mathbf{c}\left({\mu }_{1-b},{\mathbf{b}}_{l,i},{\mathbf{a}}_l\right)$, and returns it to $\mathcal{A}$.
• $\mathcal{A}$ outputs a guess bit $b^{\prime }\in \left\{\mathrm{0,1}\right\}$. The experiment outputs 1 if $b^{\prime }=b$, and 0 otherwise.

Let this experiment be denoted by ${\mathrm{E}\mathrm{x}\mathrm{p}}_1\left(\lambda \right)$.

In Hybrid 0, the challenge ciphertext is generated as ${\mathbf{c}}_{l,i}=\left({\mu }_b+{\mathbf{b}}_{l,i}\left[0\right]r+pe,{\mathbf{a}}_l\left[0\right]r+p{e}^{\prime }\right) \left(\mathrm{mod} Q_l\right)$, while in Hybrid 1, the ciphertext is constructed as ${\mathbf{c}}_{l,i}^{\prime }=\left({\mu }_{1-b}+{\mathbf{b}}_{l,i}\left[0\right]r+pe,{\mathbf{a}}_l\left[0\right]r+p{e}^{\prime }\right) \left(\mathrm{mod} Q_l\right)$. As analyzed earlier, both ciphertexts ${\mathbf{c}}_{l,i}$ and ${\mathbf{c}}_{l,i}^{\prime }$ are computationally indistinguishable from uniformly random pairs in $R_{Q_l}^2$ under the RLWE assumption. Since both ciphertexts are independently computationally indistinguishable from uniform, they are also computationally indistinguishable from each other. It follows that Hybrid 0 and Hybrid 1 are computationally indistinguishable from the perspective of any PPT adversary. Formally, we have:

$$\left|\mathrm{Pr}\left[{\mathrm{E}\mathrm{x}\mathrm{p}}_0\left(\lambda \right)=1\right]-\mathrm{Pr}\left[{\mathrm{E}\mathrm{x}\mathrm{p}}_1\left(\lambda \right)=1\right]\right|\le \mathrm{neg}\left(\lambda \right).$$

In Hybrid 1, the adversary $\mathcal{A}$ has no advantage beyond random guessing, and hence:

$$\mathrm{Pr}\left[{\mathrm{E}\mathrm{x}\mathrm{p}}_1\left(\lambda \right)=1\right]={\displaystyle \frac{1}{2}}.$$

By combining the above, we conclude that the adversary’s distinguishing advantage in the real IND-CPA experiment is negligible:

$$\left|\mathrm{Pr}\left[{\mathrm{E}\mathrm{x}\mathrm{p}}_0\left(\lambda \right)=1\right]-{\displaystyle \frac{1}{2}}\right|\le \mathrm{neg}\left(\lambda \right).$$

A similar analysis holds for extended ciphertexts. As a result, neither the secret keys nor the plaintexts are revealed by the public keys or ciphertexts, ensuring IND-CPA security for $\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}$.

Correctness: At level $l$, a ciphertext $\mathbf{c}=\left(c_0,c_1,\dots ,c_n\right)\in R_{Q_l}^{n+1}$ is decrypted as $\mu =\left(c_0+{\sum }_{i=1}^n{c}_i{s}_{l,i}\right)\mathrm{mod} Q_l\mathrm{mod} p$, where $s_{l,i}$ denotes the secret key of party $i$ at level $l$. As long as ${‖c_0+{\sum }_{i=1}^n{c}_i{s}_{l,i}‖}_{\mathrm{\infty }}<Q_l/2$, the reduction modulo $Q_l$ and modulo $p$ correctly recover the plaintext $\mu$. Regarding the correctness of homomorphic evaluation, consider two ciphertexts $\mathbf{c}=\left(c_0,c_1,\dots ,c_n\right)$ and ${\mathbf{c}}^{\prime }=\left(c_0^{\prime },c_1^{\prime },\dots ,c_n^{\prime }\right)$ at the same level $l$. Their homomorphic sum is defined as ${\mathbf{c}}^{″}=\mathbf{c}+{\mathbf{c}}^{\prime }$ component-wise modulo $Q_l$. Decryption then yields ${\mu }^{″}=\left(c_0+c_0^{\prime }\right)+{\sum }_{i=1}^n\left(c_i+c_i^{\prime }\right)s_{l,i}=\mu +{\mu }^{\prime } \left(\mathrm{mod} Q_l\right) \left(\mathrm{mod} p\right)$. In homomorphic addition, the noise components of the two ciphertexts are added linearly. Similarly, their homomorphic multiplication is computed as ${\mathbf{c}}_{mult}=\mathbf{c}\otimes {\mathbf{c}}^{\prime }$ and decryption of ${\mathbf{c}}_{mult}$ yields ${\sum }_{0\le i\le j\le n}{c}_{i,j}\cdot s_{l,i}{s}_{l,j}=\left(c_0+{\sum }_{i=1}^n{c}_i{s}_{l,i}\right)\left(c_0^{\prime }+{\sum }_{j=1}^n{c}_j^{\prime }{s}_{l,j}\right)\mathrm{mod} Q_l\mathrm{mod} p$, which simplifies to $\mu \cdot {\mu }^{\prime } \left(\mathrm{mod} p\right)$. In homomorphic multiplication, the noise components combine multiplicatively, and additional noise from cross-terms is introduced. However, with proper noise management techniques—such as gadget decomposition and modulus switching—the overall noise remains within the decryption threshold, ensuring that the correct product of the original plaintexts is recovered.

3.2. Novel Methods for Evaluation Key Generation and Key Switching

In this section, we present our scheme’s approach for generating evaluation keys $\left(\mathbf{E}\mathbf{v}\mathbf{k}\mathbf{G}\mathbf{e}\mathbf{n}\right)$ and performing key switching $\left(\mathbf{S}\mathbf{w}\mathbf{i}\mathbf{t}\mathbf{c}\mathbf{h}\mathbf{K}\mathbf{e}\mathbf{y}\right)$.

• $\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{E}\mathbf{v}\mathbf{k}\mathbf{G}\mathbf{e}\mathbf{n}\left({\mathbf{a}}_l,{\mathbf{a}}_{l-1},{\mathbf{b}}_{l-1,i},s_{l,i},s_{l-1,i}\right)$: For a party $i$ at level $l$, sample a random element $m_{l,i}\leftarrow \chi$, a random vector ${\mathbf{v}}_{l,i}\leftarrow U\left(R_{Q_l}^t\right)$, and noise vectors ${\mathbf{e}}_{l,i}^{\prime },{\mathbf{e}}_{l,i}^{″},{\mathbf{e}}_{l,i}^{‴}\leftarrow {\chi }^t$. Compute ${\mathbf{u}}_{l,i}=-{\mathbf{a}}_l\cdot m_{l,i}+s_{l,i}\cdot \mathbf{g}+p\cdot {\mathbf{e}}_{l,i}^{\prime }\left(\mathrm{mod}{Q}_l\right)$, ${\mathbf{w}}_{l,i}=-{\mathbf{v}}_{l,i}\cdot s_{l,i}-m_{l,i}\cdot \mathbf{g}+p\cdot {\mathbf{e}}_{l,i}^{″}\left(\mathrm{mod}{Q}_l\right)$, and ${\mathbf{x}}_{l,i}={\mathbf{b}}_{l-1,i}\cdot s_{l-1,i}^{-1}+{\mathbf{a}}_{l-1}+s_{l,i}\cdot s_{l-1,i}^{-1}\cdot \mathbf{g}+p\cdot {\mathbf{e}}_{l,i}^{‴}\left(\mathrm{mod}{Q}_l\right)$. Then, output the evaluation key ${\mathcal{K}}_{l,i}=\left({\mathbf{u}}_{l,i},{\mathbf{v}}_{l,i},{\mathbf{w}}_{l,i},{\mathbf{x}}_{l,i}\right)\in R_{Q_l}^{t\times 4}$.

We can observe that the evaluation key generation algorithm’s input depends solely on the public parameters and the parties’ own keys. Therefore, each party can generate its evaluation keys independently, and these evaluation keys in our scheme can be precomputed prior to encryption or homomorphic evaluation, and may even be stored publicly for potential future evaluations, irrespective of any changes in the set of participating parties.

• $\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{S}\mathbf{w}\mathbf{i}\mathbf{t}\mathbf{c}\mathbf{h}\mathbf{K}\mathbf{e}\mathbf{y}\left({\mathbf{c}}_{mult},\{\left({\mathbf{b}}_{l,i},{\mathcal{K}}_{l,i}\right){\}}_{i=1}^n\right)$: The key switching algorithm is executed by the evaluator. Consider a tensored ciphertext ${\mathbf{c}}_{mult}={\left(c_{i,j}\right)}_{0\le i,j\le n}$ with each $c_{i,j}\in R_{Q_l}$, which is associated with the secret keys $\{s_{l,i}\cdot s_{l,j}{\}}_{i,j=1}^n$, and a set of public keys ${\mathbf{b}}_{l,i}$ together with evaluation keys ${\mathcal{K}}_{l,i}=\left({\mathbf{u}}_{l,i},{\mathbf{v}}_{l,i},{\mathbf{w}}_{l,i},{\mathbf{x}}_{l,i}\right)$ for $i=1,\dots ,n$. To produce a standard ciphertext ${\mathbf{c}}^{\prime }=\left(c_0^{\prime },c_1^{\prime },\dots ,c_n^{\prime }\right)\in R_{Q_l}^{n+1}$ at level $l$ that is associated with the secret keys $\{s_{l-1,i}{\}}_{i=1}^n$, perform the following steps:
  • Set the first component as $c_0^{†}=c_{\mathrm{0,0}}$, and for each $i=1,\dots ,n$, assign $c_i^{†}=c_{i,0}+c_{0,i}\left(\mathrm{mod}{Q}_l\right)$.
  • For each $j=1,\dots ,n$, update $c_j^{†}=c_j^{†}+{\sum }_{i=1}^n\left(c_{i,j}⊡{\mathbf{u}}_{l,i}\right)\left(\mathrm{mod}{Q}_l\right)$.
  • For each $i=1,\dots ,n$, compute $z_i={\sum }_{j=1}^n\left(c_{i,j}⊡{\mathbf{b}}_{l,j}\right)\left(\mathrm{mod}{Q}_l\right)$, and subsequently update $\left(c_0^{†},c_i^{†}\right)=\left(c_0^{†},c_i^{†}\right)+\left(z_i⊡{\mathbf{w}}_{l,i},z_i⊡{\mathbf{v}}_{l,i}\right)\left(\mathrm{mod}{Q}_l\right)$.
  • For the intermediate ciphertext ${\mathbf{c}}^{†}=\left(c_0^{†},c_1^{†},\dots ,c_n^{†}\right)\in R_{Q_l}^{n+1}$, set $c_0^{\prime }=c_0^{†}$ and for each $i=1,\dots ,n$, compute $c_i^{\prime }=c_i^{†}⊡{\mathbf{x}}_{l,i}\left(\mathrm{mod}{Q}_l\right)$.
  • Output the resulting ciphertext ${\mathbf{c}}^{\prime }=\left(c_0^{\prime },c_1^{\prime },\dots ,c_n^{\prime }\right)\in R_{Q_l}^{n+1}$.

Security: The security proofs for our evaluation key generation and key switching algorithms are essentially identical to the ciphertext security proofs presented in Section 3.1. Specifically, since ${\mathbf{a}}_l$, ${\mathbf{a}}_{l-1}$, and ${\mathbf{v}}_{l,i}$ are random vectors, and ${\mathbf{b}}_{l-1,i}$ is computationally indistinguishable from a random vector in $U\left(R_{Q_{l-1}}^t\right)$ (making it pseudorandom), replacing ${\mathbf{u}}_{l,i}$, ${\mathbf{v}}_{l,i}$, ${\mathbf{w}}_{l,i},$ and ${\mathbf{x}}_{l,i}$ by random vectors ${\mathbf{u}}^{\prime },{\mathbf{v}}^{\prime },{\mathbf{w}}^{\prime },{\mathbf{x}}^{\prime }\leftarrow U\left(R_{Q_l}^t\right)$ is computationally indistinguishable under the same RLWE assumption with parameters $\left(N,Q_l,\mathrm{\chi }\right)$ and the corresponding secrets $m_{l,i}$, $s_{l,i}$ or $s_{l-1,i}^{-1}$. Consequently, the distribution of each evaluation key ${\mathcal{K}}_{l,i}=\left({\mathbf{u}}_{l,i},{\mathbf{v}}_{l,i},{\mathbf{w}}_{l,i},{\mathbf{x}}_{l,i}\right)\in R_{Q_l}^{t\times 4}$ is computationally indistinguishable from $U\left(R_{Q_l}^{t\times 4}\right)$.

Correctness: To demonstrate the correctness of the key switching procedure, it suffices to show that the standard ciphertext output in the last step decrypts to the original plaintext under the new secret keys. Formally, we need to ensure $\mu ={\sum }_{i,j=0}^n{c}_{i,j}\cdot s_{l,i}{s}_{l,j}=c_0^{\prime }+{\sum }_{i=1}^n{c}_i^{\prime }\cdot s_{l-1,i} \left(\mathrm{mod} Q_l\right)\left(\mathrm{mod} p\right)$. We first examine the intermediate ciphertext ${\mathbf{c}}^{†}=\left(c_0^{†},c_1^{†},\dots ,c_n^{†}\right)$ generated in Step 3 of the algorithm. One can verify that

$$\begin{array}{cc}{c}_0^{†}+{\displaystyle \sum _{i=1}^n}{c}_i^{†}\cdot s_{l,i}\hfill & =c_{\mathrm{0,0}}+{\displaystyle \sum _{j=1}^n}{z}_j⊡{\mathbf{w}}_{l,j}+{\displaystyle \sum _{i=1}^n}\left(c_{i,0}+c_{0,i}\right)\cdot s_{l,i}+{\displaystyle \sum _{i,j=1}^n}\left(c_{j,i}⊡{\mathbf{u}}_{l,j}\right)\cdot s_{l,i}+{\displaystyle \sum _{j=1}^n}\left(z_j⊡{\mathbf{v}}_{l,j}\right)\cdot s_{l,j} \hfill \\ & =c_{\mathrm{0,0}}+{\displaystyle \sum _{j=1}^n}{z}_j⊡\left({\mathbf{w}}_{l,j}+{\mathbf{v}}_{l,j}{s}_{l,j}\right)+{\displaystyle \sum _{i=1}^n}\left(c_{i,0}+c_{0,i}\right)\cdot s_{l,i}+{\displaystyle \sum _{i,j=1}^n}\left(c_{j,i}⊡{\mathbf{u}}_{l,j}\right)\cdot s_{l,i}\hfill \end{array}$$

Using the relations ${\mathbf{w}}_{l,j}+{\mathbf{v}}_{l,j}{s}_{l,j}=-m_{l,j}\mathbf{g} \left(\mathrm{mod} Q_l\right)\left(\mathrm{mod} p\right)$ and ${\mathbf{u}}_{l,j}\cdot s_{l,i}=-{\mathbf{a}}_l\cdot s_{l,i}\cdot m_{l,j}+s_{l,j}\cdot s_{l,i}\cdot \mathbf{g}+p\cdot s_{l,i}\cdot {\mathbf{e}}_{l,j}^{\prime }={\mathbf{b}}_{l,i}\cdot m_{l,j}+s_{l,j}{s}_{l,i}\mathbf{g} \left(\mathrm{mod} Q_l\right)\left(\mathrm{mod} p\right)$, it follows that

$$\begin{array}{cc}{c}_0^{†}+{\displaystyle \sum _{i=1}^n}{c}_i^{†}\cdot s_{l,i}& =c_{\mathrm{0,0}}+{\displaystyle \sum _{j=1}^n}{z}_j⊡\left(-m_{l,j}\mathbf{g}\right)+{\displaystyle \sum _{i=1}^n}\left(c_{i,0}+c_{0,i}\right)\cdot s_{l,i}+{\displaystyle \sum _{i,j=1}^n}{c}_{j,i}⊡\left({\mathbf{b}}_{l,i}\cdot m_{l,j}+s_{l,j}{s}_{l,i}\mathbf{g}\right)\hfill \\ & =c_{\mathrm{0,0}}-{\displaystyle \sum _{j=1}^n}{m}_{l,j}\cdot z_j+{\displaystyle \sum _{i=1}^n}\left(c_{i,0}+c_{0,i}\right)\cdot s_{l,i}+{\displaystyle \sum _{i,j=1}^n}{c}_{j,i}⊡{\mathbf{b}}_{l,i}\cdot m_{l,j}+{\displaystyle \sum _{i,j=1}^n}{c}_{j,i}\cdot s_{l,j}{s}_{l,i}\hfill \\ & =c_{\mathrm{0,0}}-{\displaystyle \sum _{i,j=1}^n}{m}_{l,j}\cdot c_{j,i}⊡{\mathbf{b}}_{l,i}+{\displaystyle \sum _{i=1}^n}\left(c_{i,0}+c_{0,i}\right)\cdot s_{l,i}+{\displaystyle \sum _{i,j=1}^n}{c}_{j,i}⊡{\mathbf{b}}_{l,i}\cdot m_{l,j}+{\displaystyle \sum _{i,j=1}^n}{c}_{j,i}\cdot s_{l,j}{s}_{l,i}\hfill \\ & =c_{\mathrm{0,0}}+{\displaystyle \sum _{i=1}^n}\left(c_{i,0}+c_{0,i}\right)\cdot s_{l,i}+{\displaystyle \sum _{i,j=1}^n}{c}_{j,i}\cdot s_{l,j}{s}_{l,i}={\displaystyle \sum _{i,j=0}^n}{c}_{i,j}\cdot s_{l,i}{s}_{l,j} \left(\mathrm{mod} Q_l\right)\left(\mathrm{mod} p\right)\hfill \end{array}$$

Thus, the intermediate ciphertext ${\mathbf{c}}^{†}$ is normalized and correctly decryptable using the original secret keys. Next, we consider the final ciphertext ${\mathbf{c}}^{\prime }=\left(c_0^{\prime },c_1^{\prime },\dots ,c_n^{\prime }\right)\in R_{Q_l}^{n+1}$. By design, we have

$$\begin{array}{cc}{c}_0^{\prime }+{\displaystyle \sum _{i=1}^n}{c}_i^{\prime }\cdot s_{l-1,i}\hfill & =c_0^{†}+{\displaystyle \sum _{i=1}^n}{c}_i^{†}⊡{\mathbf{x}}_{l,i}\cdot s_{l-1,i}\hfill \\ & =c_0^{†}+{\displaystyle \sum _{i=1}^n}{c}_i^{†}⊡\left({\mathbf{b}}_{l-1,i}+{\mathbf{a}}_{l-1}\cdot s_{l-1,i}+s_{l,i}\mathbf{g}+p{\mathbf{e}}_{l,i}^{‴}\right)\hfill \\ & =c_0^{†}+{\displaystyle \sum _{i=1}^n}{c}_i^{†}⊡\mathbf{g}{s}_{l,i}\hfill \\ & =c_0^{†}+{\displaystyle \sum _{i=1}^n}{c}_i^{†}\cdot s_{l,i} \left(\mathrm{mod}{Q}_l\right)\left(\mathrm{mod}p\right)\hfill \end{array}$$

Hence, we obtain the desired equality $c_0^{\prime }+{\sum }_{i=1}^n{c}_i^{\prime }\cdot s_{l-1,i}={\sum }_{i,j=0}^n{c}_{i,j}\cdot s_{l,i}{s}_{l,j} \left(\mathrm{mod} Q_l\right)\left(\mathrm{mod} p\right)$ which is exactly the intended decryption condition. This confirms the correctness of the key switching algorithm.

Performance: As an informal overview, our proposed evaluation key generation and key switching algorithms already provide superior parameter sizes and practical efficiency compared to the mainstream approaches in [16,17,19]. In [16,17], for each level, each party must run an additional GSW-type MKFHE protocol to generate its own evaluation key generation materials, and the public keys and associated materials of all participating parties must be combined to produce a large shared evaluation key. In contrast, our $\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}$ scheme achieves the same multi-party functionality without incurring these burdens. Moreover, in each key switching procedure, our evaluation key size is only $4tnN⌈\log Q_l⌉$, whereas [16,17] require $4t{n}^{2}N⌈\log Q_l⌉$ and $t{\left(n+1\right)}^{2}N⌈\log Q_l⌉$, respectively. Compared to [19], our $\mathbf{S}\mathbf{w}\mathbf{i}\mathbf{t}\mathbf{c}\mathbf{h}\mathbf{K}\mathbf{e}\mathbf{y}$ algorithm leverages a precomputation of $z_i$ in Step 3 so that, when updating $\left(c_0^{†},c_i^{†}\right)$, only $n^2+2n$ external products are required, instead of the $4n^2$ external products needed in their procedure. A more detailed performance analysis and comparison is presented in Section 5.

3.3. Redesigning Homomorphic Multiplication

Although our key switching algorithm exhibits improved performance, we recognize that our MK-BGV scheme still offers substantial potential for further optimization. In particular, homomorphic multiplication remains the most expensive component, both in our construction and in existing batched MKFHE frameworks. We observe that the most complex parts of this operation are the tensor product and the ensuing key switching process, which require, respectively, $O\left(n^2\right)$ ring multiplications and $O\left(n^2\right)$ gadget decompositions. Consequently, these steps introduce a square-level complexity tied to the number of participating parties, significantly affecting the overall efficiency. In [20], a novel concept called homomorphic gadget decomposition is introduced. In essence, a homomorphic gadget decomposition function $H\left(\cdot \right)$ not only satisfies the basic properties described in Section 2.5 but also allows arithmetic operations to be performed directly on the decomposed polynomials.

Definition 3. 

(Homomorphic Gadget Decomposition [20]). A function $H:R_Q\to R^t$ is called a homomorphic gadget decomposition if, for any $a,b\in R_Q$, it satisfies the following properties:

$$⟨H\left(a\right)+H\left(b\right),\mathbf{g}⟩=a+b\hspace{0.17em}\left(\mathrm{mod} Q\right),⟨H\left(a\right)\odot H\left(b\right),\mathbf{g}⟩=a\cdot b\hspace{0.17em}\left(\mathrm{mod}\hspace{0.17em}Q\right)$$

where $\odot$ denotes the component-wise product, and $\mathit{g}$ is the fixed gadget vector.

Inspired by this technique, we observe that $H\left(a\right)+H\left(b\right)$ and $H\left(a\right)\odot H\left(b\right)$ can serve as effectively bounded substitutes for $H\left(a+b\right)$ and $H\left(ab\right)$, since ${‖H\left(a\right)+H\left(b\right)‖}_{\mathrm{\infty }}\le 2B_H$ and ${‖H\left(a\right)\odot H\left(b\right)‖}_{\mathrm{\infty }}\le N\cdot B_H^2$. Leveraging this property, we redesign the homomorphic multiplication algorithm in our $\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}$ scheme by merging the tensor product and key switching steps into a single process, thereby reducing the overall complexity from $O\left(n^2\right)$ to $O\left(n\right)$ ring multiplications and gadget decompositions. As a result, our new homomorphic multiplication algorithm achieves a linear complexity in terms of the number of participating parties.

• $\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{N}\mathbf{e}\mathbf{w}\mathbf{M}\mathbf{u}\mathbf{l}\mathbf{t}\left(\mathbf{c},{\mathbf{c}}^{\prime },\{\left({\mathbf{b}}_{l,i},{\mathcal{K}}_{l,i}\right){\}}_{i=1}^n\right)$: Consider two ciphertexts $\mathbf{c}=\left(c_0,c_1,\dots ,c_n\right)$ and ${\mathbf{c}}^{\prime }=\left(c_0^{\prime },c_1^{\prime },\dots ,c_n^{\prime }\right)$ in $R_{Q_l}^{n+1}$, together with a set of public keys ${\mathbf{b}}_{l,i}$ and evaluation keys ${\mathcal{K}}_{l,i}=\left({\mathbf{u}}_{l,i},{\mathbf{v}}_{l,i},{\mathbf{w}}_{l,i},{\mathbf{x}}_{l,i}\right)$ for $i=1,\dots ,n$. To produce the multiplied ciphertext ${\mathbf{c}}^{″}=\left(c_0^{″},c_1^{″},\dots ,c_n^{″}\right)\in R_{Q_l}^{n+1}$ at level $l$ that is associated with the secret keys $\{s_{l-1,i}{\}}_{i=1}^n$, proceed as follows:
  • Set the first component as $c_0^{†}=c_0\cdot c_0^{\prime }\left(\mathrm{mod}{Q}_l\right)$, and for each $i=1,\dots ,n$, assign $c_i^{†}=c_i\cdot c_0^{\prime }+c_0\cdot c_i^{\prime }\left(\mathrm{mod}{Q}_l\right)$.
  • Compute $\mathbf{y}={\sum }_{i=1}^n\left(H\left(c_i\right)\odot {\mathbf{u}}_{l,i}\right)\left(\mathrm{mod}{Q}_l\right)$ and $\mathbf{z}={\sum }_{j=1}^n\left(H\left(c_j^{\prime }\right)\odot {\mathbf{b}}_{l,j}\right)\left(\mathrm{mod}{Q}_l\right)$.
  • For each $j=1,\dots ,n$, update $c_j^{†}=c_j^{†}+c_j^{\prime }⊡\mathbf{y}\left(\mathrm{mod}{Q}_l\right)$.
  • For each $i=1,\dots ,n$, update $\left(c_0^{†},c_i^{†}\right)=\left(c_0^{†},c_i^{†}\right)+\left(\hspace{0.17em}{c}_i⊡\mathbf{z}⊡{\mathbf{w}}_{l,i},c_i⊡\mathbf{z}⊡{\mathbf{v}}_{l,i}\right)\left(\mathrm{mod}{Q}_l\right)$.
  • For the intermediate ciphertext ${\mathbf{c}}^{†}=\left(c_0^{†},c_1^{†},\dots ,c_n^{†}\right)\in R_{Q_l}^{n+1}$, set $c_0^{″}=c_0^{†}$ and for each $i=1,\dots ,n$, compute $c_i^{″}=c_i^{†}⊡{\mathbf{x}}_{l,i}\left(\mathrm{mod}{Q}_l\right)$.

Finally, output the resulting ciphertext ${\mathbf{c}}^{‴}=\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{M}\mathbf{o}\mathbf{d}\mathbf{u}\mathbf{l}\mathbf{u}\mathbf{s}\mathbf{S}\mathbf{w}\mathbf{i}\mathbf{t}\mathbf{c}\mathbf{h}\left({\mathbf{c}}^{″}\right)$.

Performance: In previous versions of the homomorphic multiplication algorithm, each component of a tensored ciphertext was computed as $c_{i,j}=c_i\cdot c_j^{\prime }\left(\mathrm{mod} Q_l\right)$, which led to $O\left(n^2\right)$ computational complexity. By applying the homomorphic gadget decomposition, we substitute $H\left(c_{i,j}\right)$ with the component-wise product of decompositions $H\left(c_i\right)\odot H\left(c_j^{\prime }\right)$. Equally significant, the component-wise product operation $\odot$ is commutative and can be reordered without affecting the correctness of the inner product, thereby enabling further simplifications. Specifically, we can rewrite the expressions in Steps 2 and 3 of the $\mathbf{S}\mathbf{w}\mathbf{i}\mathbf{t}\mathbf{c}\mathbf{h}\mathbf{K}\mathbf{e}\mathbf{y}$ algorithm as:

$$\begin{array}{cc}{\displaystyle \sum _{i=1}^n}{c}_{i,j}⊡{\mathbf{u}}_{l,i}\hfill & ={\displaystyle \sum _{i=1}^n}⟨H\left(c_i\right)\odot H\left(c_j^{\prime }\right),{\mathbf{u}}_{l,i}⟩\hfill \\ & =⟨H\left(c_j^{\prime }\right),{\displaystyle \sum _{i=1}^n}H\left(c_i\right)\odot {\mathbf{u}}_{l,i}⟩\hfill \\ & =c_j^{\prime }⊡\left({\displaystyle \sum _{i=1}^n}H\left(c_i\right)\odot {\mathbf{u}}_{l,i}\right)\hfill \end{array}$$

and similarly,

$$\begin{array}{cc}{\displaystyle \sum _{j=1}^n}{c}_{i,j}⊡{\mathbf{b}}_{l,j}& ={\displaystyle \sum _{j=1}^n}⟨H\left(c_i\right)\odot H\left(c_j^{\prime }\right),{\mathbf{b}}_{l,j}⟩\hfill \\ & =⟨H\left(c_i\right),{\displaystyle \sum _{j=1}^n}H\left(c_j^{\prime }\right)\odot {\mathbf{b}}_{l,j}⟩\hfill \\ & =c_i⊡\left({\displaystyle \sum _{j=1}^n}H\left(c_j^{\prime }\right)\odot {\mathbf{b}}_{l,j}\right)\hfill \end{array}$$

Note that ${\sum }_{i=1}^{n}H\left(c_i\right)\odot {\mathbf{u}}_{l,i}$ is independent of index $j$, and similarly, ${\sum }_{j=1}^{n}H\left(c_j^{\prime }\right)\odot {\mathbf{b}}_{l,j}$ is independent of index $i$. Thus, once computed, these values can be reused repeatedly for each subsequent external product computation, significantly reducing computational overhead. As a result, this optimization substantially decreases the number of required ring multiplications and gadget decompositions, both of which are scaled down to $O\left(n\right)$.

Correctness: To demonstrate the correctness of our new homomorphic multiplication algorithm, it suffices to show that the multiplied ciphertext ${\mathbf{c}}^{″}=\left(c_0^{″},c_1^{″},\dots ,c_n^{″}\right)\in R_{Q_l}^{n+1}$ from the multiplication of two $n$-key ciphertexts $\mathbf{c}=\left(c_0,c_1,\dots ,c_n\right)$ and ${\mathbf{c}}^{\prime }=\left(c_0^{\prime },c_1^{\prime },\dots ,c_n^{\prime }\right)$ decrypts correctly under the new secret keys $\{s_{l-1,i}{\}}_{i=1}^n$. Formally, we need to verify that:

$$\mu \cdot {\mu }^{\prime }=c_0^{″}+{\sum }_{i=1}^n{c}_i^{″}\cdot s_{l-1,i}=\left(c_0+{\sum }_{i=1}^n{c}_i\cdot s_{l,i}\right)\left(c_0^{\prime }+{\sum }_{i=1}^n{c}_i^{\prime }\cdot s_{l,i}\right) \left(\mathrm{mod} Q_l\right)\left(\mathrm{mod} p\right).$$

We begin by analyzing the intermediate ciphertext ${\mathbf{c}}^{†}=\left(c_0^{†},c_1^{†},\dots ,c_n^{†}\right)\in R_{Q_l}^{n+1}$ generated in Step 4 of the algorithm. The expression for $c_0^{†}+{\sum }_{i=1}^n{c}_i^{†}\cdot s_{l,i}$ expands as:

$$\begin{array}{cc}{c}_0^{†}+{\displaystyle \sum _{i=1}^n}{c}_i^{†}\cdot s_{l,i}& =c_0\cdot c_0^{\prime }+{\displaystyle \sum _{i=1}^n}{c}_i⊡\mathbf{z}⊡{\mathbf{w}}_{l,i}+{\displaystyle \sum _{i=1}^n}\left(c_i\cdot c_0^{\prime }+c_0\cdot c_i^{\prime }\right)\cdot s_{l,i}+{\displaystyle \sum _{j=1}^n}\left(c_j^{\prime }⊡\mathbf{y}\right)\cdot s_{l,j}+{\displaystyle \sum _{i=1}^n}{c}_i⊡\mathbf{z}⊡{\mathbf{v}}_{l,i}\cdot s_{l,i}\hfill \\ & =c_0{c}_0^{\prime }+{\displaystyle \sum _{i=1}^n}\left(c_i⊡\mathbf{z}\right)⊡\left({\mathbf{w}}_{l,i}+{\mathbf{v}}_{l,i}\cdot s_{l,i}\right)+{\displaystyle \sum _{i=1}^n}\left(c_i{c}_0^{\prime }+c_0{c}_i^{\prime }\right)\cdot s_{l,i}+{\displaystyle \sum _{j=1}^n}\left(c_j^{\prime }⊡\mathbf{y}\right)\cdot s_{l,j} \left(\mathrm{mod} Q_l\right)\left(\mathrm{mod} p\right)\hfill \end{array}$$

Using the homomorphic properties of the gadget decomposition $H\left(\cdot \right)$ and the relation

$${\mathbf{u}}_{l,i}\cdot s_{l,j}=-{\mathbf{a}}_l\cdot s_{l,j}\cdot m_{l,i}+s_{l,i}\cdot s_{l,j}\cdot \mathbf{g}+p\cdot s_{l,j}\cdot {\mathbf{e}}_{l,i}^{\prime }={\mathbf{b}}_{l,j}\cdot m_{l,i}+s_{l,i}{s}_{l,j}\mathbf{g} \left(\mathrm{mod} Q_l\right)\left(\mathrm{mod} p\right),$$

the term ${\sum }_{j=1}^n\left(c_j^{\prime }⊡\mathbf{y}\right)\cdot s_{l,j}$ becomes:

$$\begin{array}{cc}{\displaystyle \sum _{j=1}^n}\left(c_j^{\prime }⊡\mathbf{y}\right)\cdot s_{l,j}& ={\displaystyle \sum _{j=1}^n}{c}_j^{\prime }⊡\left({\displaystyle \sum _{i=1}^n}H\left(c_i\right)\odot {\mathbf{u}}_{l,i}\right)\cdot s_{l,j}\hfill \\ & ={\displaystyle \sum _{i,j=1}^n}⟨H\left(c_j^{\prime }\right),H\left(c_i\right)\odot {\mathbf{u}}_{l,i}⟩\cdot s_{l,j}\hfill \\ & ={\displaystyle \sum _{i,j=1}^n}⟨H\left(c_i\right)\odot H\left(c_j^{\prime }\right),{\mathbf{u}}_{l,i}⟩\cdot s_{l,j}\hfill \\ & ={\displaystyle \sum _{i,j=1}^n}⟨H\left(c_i\right)\odot H\left(c_j^{\prime }\right),{\mathbf{b}}_{l,j}⟩\cdot m_{l,i}+{\displaystyle \sum _{i,j=1}^n}{c}_i{c}_j^{\prime }\cdot s_{l,i}{s}_{l,j} \left(\mathrm{mod} Q_l\right)\left(\mathrm{mod} p\right)\hfill \end{array}$$

Similarly, using the relation ${\mathbf{w}}_{l,i}+{\mathbf{v}}_{l,i}{s}_{l,i}=-m_{l,i}\mathbf{g} \left(\mathrm{mod} Q_l\right)\left(\mathrm{mod} p\right)$, we obtain:

$$\begin{array}{cc}{\displaystyle \sum _{i=1}^n}\left(c_i⊡\mathbf{z}\right)⊡\left({\mathbf{w}}_{l,i}+{\mathbf{v}}_{l,i}\cdot s_{l,i}\right)& =-{\displaystyle \sum _{i=1}^n}\left(c_i⊡\mathbf{z}\right)\cdot m_{l,i}\hfill \\ & =-{\displaystyle \sum _{i=1}^n}\left(c_i⊡{\displaystyle \sum _{j=1}^n}\left(H\left(c_j^{\prime }\right)\odot {\mathbf{b}}_{l,j}\right)\right)\cdot m_{l,i}\hfill \\ & =-{\displaystyle \sum _{i,j=1}^n}⟨H\left(c_i\right),H\left(c_j^{\prime }\right)\odot {\mathbf{b}}_{l,j}⟩\cdot m_{l,i}\hfill \\ & =-{\displaystyle \sum _{i,j=1}^n}⟨H\left(c_i\right)\odot H\left(c_j^{\prime }\right),{\mathbf{b}}_{l,j}⟩\cdot m_{l,i} \left(\mathrm{mod} Q_l\right)\left(\mathrm{mod} p\right)\hfill \end{array}$$

Combining all terms together, we arrive at:

$$\begin{array}{cc}{c}_0^{†}+{\displaystyle \sum _{i=1}^n}{c}_i^{†}\cdot s_{l,i}& =c_0{c}_0^{\prime }-{\displaystyle \sum _{i,j=1}^n}⟨H\left(c_i\right)\odot H\left(c_j^{\prime }\right),{\mathbf{b}}_{l,j}⟩\cdot m_{l,i}+{\displaystyle \sum _{i=1}^n}\left(c_i{c}_0^{\prime }+c_0{c}_i^{\prime }\right)\cdot s_{l,i}+{\displaystyle \sum _{i,j=1}^n}⟨H\left(c_i\right)\odot H\left(c_j^{\prime }\right),{\mathbf{b}}_{l,j}⟩\cdot m_{l,i}+{\displaystyle \sum _{i,j=1}^n}{c}_i{c}_j^{\prime }\cdot s_{l,i}{s}_{l,j}\hfill \\ & =c_0{c}_0^{\prime }+{\displaystyle \sum _{i=1}^n}\left(c_i{c}_0^{\prime }+c_0{c}_i^{\prime }\right)\cdot s_{l,i}+{\displaystyle \sum _{i,j=1}^n}{c}_i{c}_j^{\prime }\cdot s_{l,i}{s}_{l,j}\hfill \\ & =\left(c_0+{\displaystyle \sum _{i=1}^n}{c}_i\cdot s_{l,i}\right)\left(c_0^{\prime }+{\displaystyle \sum _{i=1}^n}{c}_i^{\prime }\cdot s_{l,i}\right) \left(\mathrm{m}\mathrm{o}\mathrm{d} Q_l\right)\left(\mathrm{m}\mathrm{o}\mathrm{d} p\right)\hfill \end{array}$$

This shows that the intermediate ciphertext ${\mathbf{c}}^{†}$ is correctly normalized and decryptable under the original secret keys. The process in the subsequent Step 5, along with its correctness, is entirely consistent with Step 4 of the $\mathbf{S}\mathbf{w}\mathbf{i}\mathbf{t}\mathbf{c}\mathbf{h}\mathbf{K}\mathbf{e}\mathbf{y}$ algorithm described in Section 3.2. Consequently, we obtain the desired equality:

$$c_0^{″}+{\displaystyle \sum _{i=1}^n}{c}_i^{″}\cdot s_{l-1,i}=c_0^{†}+{\displaystyle \sum _{i=1}^n}{c}_i^{†}\cdot s_{l,i}=\left(c_0+{\displaystyle \sum _{i=1}^n}{c}_i\cdot s_{l,i}\right)\left(c_0^{\prime }+{\displaystyle \sum _{i=1}^n}{c}_i^{\prime }\cdot s_{l,i}\right) \left(\mathrm{mod} Q_l\right)\left(\mathrm{mod} p\right)$$

This confirms the correctness of our new homomorphic multiplication algorithm. The $\mathbf{N}\mathbf{e}\mathbf{w}\mathbf{M}\mathbf{u}\mathbf{l}\mathbf{t}$ algorithm can be directly used to replace the $\mathbf{M}\mathbf{u}\mathbf{l}\mathbf{t}$ algorithm in our scheme if we replace the gadget decomposition $h\left(\cdot \right)$ with the homomorphic gadget decomposition $H\left(\cdot \right)$, achieving improved performance.

4. Batched MK-BGV Scheme

In this section, we provide a detailed construction of the ciphertext packing technique based on the Polynomial CRT introduced in Section 2.3, and demonstrate how it can be employed to convert our $\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}$ scheme into an efficient batch processing scheme.

4.1. Ciphertext Packing Based on Polynomial CRT

Recall from Section 3.1 that for a given integer $p$, the input plaintext in the $\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}$ scheme is structured based on the algebraic structure $R_p=R/\left(p\cdot R\right)={\mathbb{Z}}_p\left[X\right]/\left({\mathrm{\Phi }}_k\left(X\right)\right)$, where both addition and multiplication are defined modulo ${\mathrm{\Phi }}_k\left(X\right)$ and $p$. Let ${\mathbb{F}}_p$ represent a finite field with $p$ as its characteristic. The polynomial ${\mathrm{\Phi }}_k\left(X\right)$ can be decomposed modulo $p$ into $\xi$ distinct irreducible factors $f_i\left(X\right)$, such that ${\mathrm{\Phi }}_k\left(X\right)\equiv {\prod }_{i=0}^{\xi -1}{f}_i\left(X\right) \left(\mathrm{mod} p\right)$, where each factor $f_i\left(X\right)$ has degree $d$, with $d=\mathrm{\phi }\left(k\right)/\xi$, and $p^d\equiv 1\left(\mathrm{mod} k\right)$. This decomposition enables multiple plaintext values to be mapped into a single plaintext element via the Polynomial CRT, which is then encrypted into a ciphertext supporting slot-wise SIMD operations. We then have the following isomorphism for $R_p$:

$$R_p={\mathbb{Z}}_p\left[X\right]/\left(f_0\left(X\right)\cdot f_1\left(X\right)\cdots f_{\xi -1}\left(X\right)\right)\cong {\mathbb{Z}}_p\left[X\right]/f_0\left(X\right)\times \cdots \times {\mathbb{Z}}_p\left[X\right]/f_{\xi -1}\left(X\right)\cong {\mathbb{F}}_{p^d}\times \cdots \times {\mathbb{F}}_{p^d}={\left({\mathbb{F}}_{p^d}\right)}^{\xi }.$$

In this representation, $R_p$ is isomorphic to $\xi$ copies of ${\mathbb{Z}}_p\left[X\right]/f_0\left(X\right),\dots ,{\mathbb{Z}}_p\left[X\right]/f_{\xi -1}\left(X\right)$, each corresponding to a message in ${\mathbb{F}}_{p^d}$. Here, each factor ${\mathbb{Z}}_p\left[X\right]/f_i\left(X\right)\cong {\mathbb{F}}_{p^d}$ is referred to as a “plaintext slot”. This allows us to represent $\xi$ plaintext elements of ${\mathbb{F}}_{p^d}$ as a single element in $R_p$. By Definition 1, algebraic operations (addition and multiplication) in $R_p$ can be viewed as parallel operations across all slots, where each slot corresponds to a separate message. This enables us to perform homomorphic computations on $\xi$ input values simultaneously, which forms the foundation for efficient batch homomorphic computations. The above isomorphisms are explicitly manifested through the following mappings $\mathcal{F}$ and $\mathcal{G}$:

$$\mathcal{F}:\left\{\begin{array}{c}{\mathbb{F}}_{p^d}^{\xi }⟶{\mathbb{Z}}_p\left[X\right]/f_0\left(X\right)\times \cdots \times {\mathbb{Z}}_p\left[X\right]/f_{\xi -1}\left(X\right)\\ \left(m_0,\dots ,m_{\xi -1}\right)⟼\left({\mathcal{F}}_0\left(m_0\right),\dots ,{\mathcal{F}}_{\xi -1}\left(m_{\xi -1}\right)\right)\end{array}\right.,$$

$$\mathcal{G}:\left\{\begin{array}{c}{\mathbb{Z}}_p\left[X\right]/f_0\left(X\right)\times \cdots \times {\mathbb{Z}}_p\left[X\right]/f_{\xi -1}\left(X\right)⟶R_p\\ \left({\alpha }_0,\dots ,{\alpha }_{\xi -1}\right)⟼{\displaystyle \sum _{i=0}^{\xi -1}}{\alpha }_i\left(X\right){\beta }_i\left(X\right){\gamma }_i\left(X\right)\end{array}\right.,$$

where ${\gamma }_i\left(X\right)={\displaystyle \frac{{\mathrm{\Phi }}_k\left(X\right)}{f_i\left(X\right)}}$, ${\beta }_i\left(X\right)={\displaystyle \frac{1}{{\gamma }_i\left(X\right)}}\left(\mathrm{mod}{f}_i\left(X\right)\right)$.

Hence, $PCR{T}_p=\mathcal{F}\circ \mathcal{G}$, where $\circ$ denotes function composition, forms a mapping that is an isomorphism from ${\mathbb{F}}_{p^d}^{\xi }$ to $R_p$. Since this mapping is a ring isomorphism, it is bijective and structure-preserving by Definition 1, which guarantees the existence of its inverse mapping $PCR{T}_p^{-1}$. This inverse uniquely recovers the original slot-wise representation in ${\mathbb{F}}_{p^d}^{\xi }$ from any ring element in $R_p$, enabling slot-level access and decomposition when needed.

Let $\mathbf{x}=\left(x_0,x_1,\dots ,x_{\mathrm{\xi }-1}\right)\in {\mathbb{F}}_{p^d}^{\xi }$ and $\mathbf{y}=\left(y_0,y_1,\dots ,y_{\mathrm{\xi }-1}\right)\in {\mathbb{F}}_{p^d}^{\xi }$ be two plaintext vectors consisting of $\xi$ independent slots, where each component $x_i,y_i\in {\mathbb{F}}_{p^d}$ represents one plaintext message. Let $\widehat{x}=PCR{T}_p\left(\mathbf{x}\right)\in R_p$ and $\widehat{y}=PCR{T}_p\left(\mathbf{y}\right)\in R_p$ be their encoded representations in the plaintext ring $R_p={\mathbb{Z}}_p\left[X\right]/\left({\mathrm{\Phi }}_k\left(X\right)\right)$ via the Polynomial CRT-based packing. Then, the ring homomorphism properties of $PCR{T}_p$ imply the following identities:

$$PCR{T}_p^{-1}\left(\widehat{x}+\widehat{y}\right)=\mathbf{x}+\mathbf{y}\in {\mathbb{F}}_{p^d}^{\xi },$$

$$PCR{T}_p^{-1}\left(\widehat{x}\cdot \widehat{y}\right)=\mathbf{x}\odot \mathbf{y}\in {\mathbb{F}}_{p^d}^{\xi },$$

where all additions and multiplications on the right-hand side are component-wise over ${\mathbb{F}}_{p^d}$.

4.2. Improved Batched Multi-Key BGV

Building upon the $\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}$ scheme introduced in Section 3 and the ciphertext packing technique presented in Section 4.1, we now explicitly construct our final batched multi-hop BGV-type MKFHE scheme, termed $\mathbf{B}\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}$. The typical application model of $\mathbf{B}\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}$ is shown in Figure 1.

• $\mathbf{B}\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{S}\mathbf{e}\mathbf{t}\mathbf{u}\mathbf{p}\left(1^{\lambda },1^L\right)$: For a given $N$, $\lambda$, and $L$, where $N$ denotes the RLWE dimension, $L$ is a bound on the circuit depth, and $\lambda$ is the security parameter, define a sequence of ciphertext moduli $\{Q_l{\}}_{l=0}^L$ recursively as $Q_l={\prod }_{i=0}^l{q}_i$ for $l=\mathrm{0,1},\dots ,L$, where each $q_i$ is an integer. Specifically, the largest modulus is $Q_L=q_0\cdot q_1\cdots q_L$. Let the error distribution $\chi =\chi \left(\lambda \right)$ be a $B_{\chi }$-bounded spherical discrete Gaussian distribution $D_{{\mathbb{Z}}^N,\sigma }$ over the ring $R$, where the bound satisfies $B_{\chi }\ll Q_0$. Let $p\in \mathbb{Z}$ be the plaintext modulus, chosen such that $p$ is coprime with every $Q_l$. Let $H:R_{Q_l}\to R^t$ be a homomorphic gadget decomposition function associated with the gadget vector $\mathbf{g}\in R_{Q_l}^t$. The mappings $PCR{T}_p$ and $PCR{T}_p^{-1}$ are isomorphisms between ${\mathbb{F}}_{p^d}^{\xi }$ and $R_p$. For each level $l$, uniformly sample a random vector ${\mathbf{a}}_l\leftarrow U\left(R_{Q_l}^t\right)$. Output the public parameters $pp=\left(R, p,\{Q_l,{\mathbf{a}}_l{\}}_{l=0}^L,\chi \right)$.
• $\mathbf{B}\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{K}\mathbf{e}\mathbf{y}\mathbf{G}\mathbf{e}\mathbf{n}\left(pp\right)$: For each level $l$ (from $L$ down to 0) and for the $i$-th party, output $L+1$ secret-public key pairs $\{\left(s_{l,i},{\mathbf{b}}_{l,i}\right){\}}_{l=0}^L\leftarrow \mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{K}\mathbf{e}\mathbf{y}\mathbf{G}\mathbf{e}\mathbf{n}\left(pp\right)$.
• $\mathbf{B}\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{E}\mathbf{n}\mathbf{c}\left(\{{\mu }_j{\}}_{j=0}^{\xi -1},{\mathbf{b}}_{l,i},{\mathbf{a}}_l\right)$: For a plaintext vector ${\mathsf{\mu }}_i=\left({\mu }_{i,0},{\mu }_{i,1},\dots ,{\mu }_{i,\xi -1}\right)\in {\mathbb{F}}_{p^d}^{\xi }$, compute the aggregate plaintext $\mu \leftarrow PCR{T}_p\left({\mathsf{\mu }}_i\right)\in R_p$. Then, for party $i$ at level $l$, compute the ciphertext ${\mathbf{c}}_{l,i}=\left(c_{l,i}^0,c_{l,i}^1\right)\in R_{Q_l}^2$ as ${\mathbf{c}}_{l,i}=\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{E}\mathbf{n}\mathbf{c}\left(\mu ,{\mathbf{b}}_{l,i},{\mathbf{a}}_l\right)$.
• $\mathbf{B}\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{C}\mathbf{T}\mathbf{E}\mathbf{x}\mathbf{t}\left(\mathbf{c},n^{*}\right)$: Suppose $\mathbf{c}=\left(c_0,c_1,\dots ,c_n\right)\in R_{Q_l}^{n+1}$ is a ciphertext at level $l$ associated with $n$ parties. To extend this ciphertext to support $n^{*}$ parties (with $n^{*}\ge n$), construct and output an extended ciphertext ${\mathbf{c}}^{*}=\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{C}\mathbf{T}\mathbf{E}\mathbf{x}\mathbf{t}\left(\mathbf{c},n^{*}\right)\in R_{Q_l}^{n^{*}+1}$.
• $\mathbf{B}\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{D}\mathbf{e}\mathbf{c}\left(\mathbf{c},\{s_{l,i}{\}}_{i=1}^n\right)$: Given an $n$-key ciphertext $\mathbf{c}=\left(c_0,c_1,\dots ,c_n\right)\in R_{Q_l}^{n+1}$ at level $l$ associated with $n$ parties, along with the corresponding secret keys $\{s_{l,i}{\}}_{i=1}^n$, the aggregate plaintext $\mu$ is recovered by computing $\mu =\left(c_0+{\sum }_{i=1}^n{c}_i\cdot s_{l,i}\right)\mathrm{mod} Q_l\mathrm{mod} p$. Subsequently, the complete set of plaintext messages across the $\xi$ slots is obtained via the inverse mapping

  $$\left({\mu }_0,{\mu }_1,\dots ,{\mu }_{\xi -1}\right)\leftarrow PCR{T}_p^{-1}\left(\mu \right)\in {\mathbb{F}}_{p^d}^{\xi }.$$
• $\mathbf{B}\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{E}\mathbf{v}\mathbf{a}\mathbf{l}\left(\mathcal{C},\{{\mathbf{b}}_i{\}}_{i=1}^n,\left({\mathbf{c}}_1,\dots ,{\mathbf{c}}_x\right)\right)$: Let $\mathcal{C}$ denote the circuit provided as input for homomorphic evaluation on ciphertexts $\left({\mathbf{c}}_1,\dots ,{\mathbf{c}}_x\right)$. Each ciphertext ${\mathbf{c}}_j$ (where $j=1,\dots ,x$) is at a particular level and was originally encrypted under a subset of the parties’ keys. To produce the output ciphertext, compute ${\mathbf{c}}_{\mathrm{out}}=\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{E}\mathbf{v}\mathbf{a}\mathbf{l}\left(\mathcal{C},\{{\mathbf{b}}_i{\}}_{i=1}^n,\left({\mathbf{c}}_1,\dots ,{\mathbf{c}}_x\right)\right)$, where every invocation of the homomorphic multiplication $\mathbf{M}\mathbf{u}\mathbf{l}\mathbf{t}$ is replaced by our new multiplication algorithm $\mathbf{N}\mathbf{e}\mathbf{w}\mathbf{M}\mathbf{u}\mathbf{l}\mathbf{t}$.

By employing batch processing, all participating parties can concurrently perform joint homomorphic evaluations on $\xi$ sets of encrypted data under the $\mathbf{B}\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}$ scheme. The use of ciphertext packing and batching does not compromise the IND-CPA security inherited from the underlying $\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}$ framework. Furthermore, the correctness of $\mathbf{B}\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}$ naturally follows from the correctness of $\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}$, Definition 1, and the ciphertext packing technique.

5. Parameter and Performance Analysis and Comparison

In this paper, the settings for parameters such as the RLWE assumption parameters $\left(N,Q,\chi \right)$, the plaintext modulus $p$, and the decomposition degree $t$ for the gadget decompositions can follow the classical choices used in advanced schemes such as [5,16,17,19,23], as no modifications have been made to these parameters.

Table 1. Comparison of parameter sizes (in bits) and properties of recent mainstream schemes. Here, $n$ represents the number of parties, $N$ is the dimension of the (R)LWE assumption, $t$ is the decomposition degree, $Q$ is the ciphertext modulus, $b$ is the torus precision, $P$ is the raising modulus factor, $L$ is the circuit depth, and $\xi$ denotes the number of packed plaintexts.

Scheme	Public Key Size	Ciphertext Size	Evaluation Key Size	Security
BP16 [15]	$n{N}^2⌈\log Q⌉\left(1+N⌈\log Q⌉\right)$	$nN⌈\log Q⌉$	$\left(2n-1\right)N^2⌈\log Q⌉$	IND-CPA with circular security assumption
CZW17 [16]	$4\left(L+1\right)tnN⌈\log Q⌉$	$2nN⌈\log Q⌉$	$4t{n}^{2}N⌈\log Q⌉$	IND-CPA
LZY+19 [17]	$4\left(L+1\right)tnN⌈\log Q⌉$	$\left(n+1\right)N⌈\log Q⌉$	$t{\left(n+1\right)}^{2}N⌈\log Q⌉$	IND-CPA
CCS19 [18]	$tnNb$	$\left(nN+1\right)b$	$t{n}^2\left(N+1\right)Nb$	IND-CPA with circular security assumption
CDKS19 [19]	$tnN⌈\log Q⌉$	$\left(n+1\right)N⌈\log Q⌉$	$3tnN⌈\log Q⌉$	IND-CPA with circular security assumption
ZCC+21 [24]	$\left(t+1\right)nN⌈\log PQ⌉$	$2N⌈\log PQ⌉$	$8N⌈\log PQ⌉$	IND-CPA with circular security assumption
$\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}$	$\left(L+1\right)tnN⌈\log Q⌉$	$\left(n+1\right)N⌈\log Q⌉$	$4tnN⌈\log Q⌉$	IND-CPA
$\mathbf{B}\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}$	$\left(L+1\right)tnN⌈\log Q⌉{\xi }^{-1}$	$\left(n+1\right)N⌈\log Q⌉{\xi }^{-1}$	$4tnN⌈\log Q⌉{\xi }^{-1}$	IND-CPA

and

Table 2. Comparison of homomorphic multiplication and key switching (relinearization) algorithm performance between recent efficient MKFHE schemes. The notation is consistent with Table 1.

Scheme	Evaluation Key Generation Material Size	Computational Complexity (Number of Scalar Operations)		Number of Gadget Decompositions in Key Switching
		Joint Evaluation Key Generation	Homomorphic Multiplication
CZW17 [16]	$24\left(L+1\right)t^{2}nN⌈\log Q⌉$	$O\left(n^{3}N\right)$	$O\left(n^{3}N\right)$	$O\left(n^2\right)$
LZY+19 [17]	$8\left(L+1\right)tnN⌈\log Q⌉$	$O\left(n^{3}N\right)$	$O\left(n^{3}N\right)$	$O\left(n^2\right)$
CCS19 [18]	$-$	$O\left(n^2{N}^2\right)$	$O\left(n^2{N}^2\right)$	$O\left(nN\right)$
CDKS19 [19]	$-$	$-$	$O\left(n^{2}N\right)$	$O\left(n^2\right)$
ZCC+21 [24]	$2nN⌈\log PQ⌉$	$O\left(nN\right)$	$O\left(N\right)$	$O\left(nt\right)$
$\left(\mathbf{B}\right)\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}$	$-$	$-$	$O\left(nN\right)$	$O\left(n\right)$

present a comparison of our schemes with several prominent recent MKFHE schemes. Schemes [16,17] are BGV-type MKFHE schemes of the same type as ours, while Scheme [19] is a BFV(CKKS)-type MKFHE scheme, which is of a similar type to ours. For our batched scheme $\mathbf{B}\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}$, we focus on its amortized performance.

A notable aspect that is difficult to display in tables is that the input ciphertexts in $\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{C}\mathbf{T}\mathbf{E}\mathbf{x}\mathbf{t}$ and $\mathbf{B}\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{C}\mathbf{T}\mathbf{E}\mathbf{x}\mathbf{t}$, as well as $\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{E}\mathbf{v}\mathbf{a}\mathbf{l}$ and $\mathbf{B}\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{E}\mathbf{v}\mathbf{a}\mathbf{l}$, can either be fresh or intermediate results from any homomorphic operations. This demonstrates the multi-hop property of our schemes. Unlike the schemes in [16] and [17], which also support multi-hop capabilities, their designs require a predefined upper bound $K$ on the number of parties (keys) in the system, whereas our schemes impose no such limitation. Therefore, our schemes are actually closer to the stronger “fully dynamic” property as proposed in [15], but unlike [15], we do not require the introduction of the expensive bootstrapping procedure. However, due to the level-based BGV-type design, our schemes do require predefined maximum computation depths $L$, which can be of arbitrary polynomial magnitude. Nonetheless, the size of the extended ciphertexts in our schemes increases only linearly with the number of parties, the same as in [15].

Additionally, in [16,17], each public key is set to a very large size to accommodate their auxiliary GSW-type MKFHE schemes. Their designs also involve storing repeated random samples of vectors ${\mathbf{a}}_l\in U\left(R_{Q_l}^t\right)$, where $l=L,\dots ,0$, in both the public parameters and the public keys, which results in redundant storage overhead. Our schemes optimize these issues, reducing the public key size to approximately one-quarter of that in [16,17] for non-batch scenarios. Compared to [19], our $\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}$ scheme has slightly larger public key and evaluation key sizes, which is due to the fact that in BFV(CKKS)-type schemes, each party uses the same secret key across all circuit levels. However, this introduces the need for an additional circular security assumption, which poses the risk of leaking secret keys of the participants. Since this circular security assumption has not been rigorously proven, our scheme avoids this potential security issue by rotating the secret keys for all parties at each circuit level.

Scheme [24] adopts an accumulation-style key technique from threshold FHE, achieving extended ciphertexts and evaluation keys whose sizes are independent of the number of participating parties. Furthermore, the number of ring multiplications required in the tensor product operation is independent of the number of parties. However, this design also inherits structural complexities and limitations similar to those observed in threshold FHE constructions. Specifically, their scheme requires the computation of additional types of intricate parameters—such as joint public keys, joint evaluation public keys, and refreshing keys—none of which are required in either of our constructions. As in [16,17], each party in [24] must locally generate its own evaluation key generation materials (referred to as partial switching keys), which are then aggregated to derive joint evaluation keys. In their scheme, a key distinction is that any change in the set of participating parties necessitates the recomputation of not only the joint evaluation key but also all of the aforementioned parameters. This design leads to even higher interaction frequency and complexity, as well as greater computational and storage overheads for each party, compared to [16,17], which highlights the efficiency advantages of our design in minimizing coordination, computation, and storage overheads. Moreover, each ciphertext extension in [24] requires the use of refreshing keys and key switching, whereas our ciphertext extension algorithms—$\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{C}\mathbf{T}\mathbf{E}\mathbf{x}\mathbf{t}$ and $\mathbf{B}\mathbf{M}\mathbf{K}-\mathbf{B}\mathbf{G}\mathbf{V}.\mathbf{C}\mathbf{T}\mathbf{E}\mathbf{x}\mathbf{t}$—complete this operation using only $O\left(n\right)$ lightweight assignment operations, making our method significantly more efficient than that of [24].

6. Conclusions

In this paper, we propose an enhanced multi-hop BGV-type MKFHE scheme that optimizes key aspects of existing schemes. By removing the need for an auxiliary GSW-type scheme, we simplify the multi-key variant design and significantly reduce public key sizes. We introduce novel algorithms for evaluation key generation and key switching that minimize computational overhead and storage requirements while enabling each party to independently and securely precompute and share its evaluation keys. Additionally, we combine tensor products with key switching through homomorphic gadget decomposition, improving homomorphic multiplication efficiency and achieving linear complexity in terms of the number of parties. We also leverage the Polynomial CRT to design a ciphertext packing technique, transforming our BGV-type MKFHE scheme into a batched version with superior amortized performance. Our schemes support multi-hop computations without a predefined upper bound on the number of parties, offering enhanced flexibility and scalability compared to existing similar schemes.