Multi-Group Fully Homomorphic Encryption Scheme Based on LWE and NTRU

Abstract

Multi-group homomorphic encryption (MGHE) is a pivotal advance in secure multi-party computation, integrating merits of multi-party homomorphic encryption (MPHE) and multi-key homomorphic encryption (MKHE) to eliminate MPHE’s fixed-party limitation and mitigate MKHE’s ciphertext expansion from dynamic enrollment. However, the efficient single-key FINAL scheme cannot extend to multi-party scenarios due to the challenge of defining valid multiplication for vector NTRU ciphertexts, which hinders its use in multi-group bootstrapping and curbs efficiency. To address this, additive secret sharing was adopted to convert vector NTRU ciphertext multiplication into secret share multiplication, enabling shared bootstrapping key generation within groups. A new multi-group ciphertext bootstrapping algorithm for MGHE was developed via the integration of LWE and NTRU cryptographic primitives. Bootstrapping tasks were decomposed for parallel processing, and a hybrid product algorithm was designed to aggregate subtask outputs, boosting multi-group bootstrapping speed to match that of single-key ciphertexts. Noise accumulation was analyzed, with 100-bit and 128-bit security parameter sets selected for validation. Experiments showed that 30- and 50-party multi-group bootstrapping takes only 1.87 s and 2.58 s respectively.

1. Introduction

Homomorphic encryption (HE) is a cryptographic technology that enables computations to be performed directly on encrypted data. Dubbed the “holy grail” of cryptography, HE holds enormous application potential in the field of information security. Based on the scope of homomorphic computations supported, HE can be categorized into partial homomorphic encryption (PHE), leveled homomorphic encryption (LHE), and fully homomorphic encryption (FHE). Early research on HE focused on PHE, with representative schemes including the RSA scheme proposed by Rivest et al. [1] and the Paillier encryption scheme [2] developed later. The RSA scheme exhibits multiplicative homomorphism—decrypting the product of two ciphertexts yields the product of the corresponding plaintexts. In contrast, the Paillier scheme possesses additive homomorphism—decrypting the product of two ciphertexts results in the sum of the corresponding plaintexts. However, PHE schemes are highly restrictive as they only support either additive or multiplicative homomorphism. Decades after the concept of ‘homomorphic encryption’ was proposed, Gentry [3] introduced a framework for constructing FHE, shifting academic focus from PHE to LHE and FHE. LHE supports both additive and multiplicative operations on ciphertexts, and the resulting new ciphertexts are encryptions of the corresponding plaintext sums or products. Nevertheless, LHE does not allow unlimited homomorphic computations—if the noise accumulated after each computation exceeds the scheme’s tolerance threshold, the ciphertext will fail to decrypt. Gentry’s FHE framework consists of LHE and bootstrapping. The core idea of bootstrapping is to execute a homomorphic decryption circuit on the ciphertext before the noise reaches the threshold. As long as the noise of the bootstrapped ciphertext remains sufficiently low to support one additional homomorphic operation, LHE can be transformed into FHE.

Existing bootstrapping methods primarily fall into three categories. The first category is tailored for BGV/BFV schemes [4,5,6,7], leveraging the Chinese remainder theorem (CRT) over polynomial rings. Its core idea involves re-encrypting the original ciphertext and then decrypting the inner-layer ciphertext of the new ciphertext. The second category is designed for the CKKS scheme [8]. Since CKKS ciphertexts treat noise as part of the plaintext, the decryption function is replaced by an approximate modulus function, with the remaining steps closely resembling those of the first category. The third category is the bootstrapping based on blind rotation in TFHE schemes [9,10]. Unlike the previous two, blind rotation utilizes the negative cyclic property of the polynomial ring ${\mathbb{Z}}_Q\left[X\right]/(X^N+1)$. Through the iterative multiplication of the rotation polynomial with key-related monomials, specific coefficients of the rotation polynomial are rotated to the constant term in the encrypted state, thereby achieving homomorphic decryption. In TFHE, blind rotation consists of two types of ciphertexts (RLWE and RGSW) and their “external product”. Given the large size of these two ciphertext types, Bonte et al. [11] proposed the NTRU-based FINAL scheme to reduce the size of bootstrapping keys. The FINAL scheme replaces RLWE and RGSW ciphertexts with scalar NTRU and vector NTRU ciphertexts, respectively. Since scalar NTRU ciphertexts consist of only one polynomial and since the size of vector NTRU ciphertexts is half that of RGSW ciphertexts, the NTRU-based bootstrapping algorithm not only offers superior space complexity but also requires fewer polynomial multiplications for executing the “external product” compared to TFHE. Subsequent works extended the NTRU-based blind rotation to MKHE scenarios, yet these schemes are tailored for the pure multi-key setting and lack architectural compatibility with the multi-group framework while also suffering from limitations such as symmetric-only bootstrapping key encryption and non-parallelizable bootstrapping execution.

The primary application of FHE is outsourcing computation, where data owners can encrypt their data and entrust it to untrusted computing service providers without revealing sensitive information. However, in secure multi-party computation (SMPC) scenarios, there is a need to compute data from multiple sources, rendering single-key FHE inadequate. To meet this demand, researchers have extended FHE to multi-party settings, leading to two main technical routes: static multi-party homomorphic encryption (MPHE) [12,13,14] and dynamic multi-key homomorphic encryption (MKHE) [15,16,17]. MPHE requires parties to be fixed prior to computation, with various keys generated collectively by all parties. Since encryption, decryption, and bootstrapping are performed under the same key, its computational efficiency is independent of the number of parties, ensuring high efficiency but limited flexibility. In contrast, MKHE does not require pre-computation negotiation among parties—each party generates its own key and participates in encryption, decryption, and bootstrapping without disclosing any key-related information. However, the size of multi-key ciphertexts is positively correlated with the number of parties, resulting in high flexibility but low computational efficiency. To balance flexibility and efficiency, Kwak et al. [18] proposed a new HE primitive called multi-group homomorphic encryption (MGHE). MGHE treats ciphertexts of MPHE as single-key ciphertexts under a joint public key, while ciphertexts encrypted under joint public keys of different groups are computed jointly in a multi-key manner. Notably, the initial MGHE construction and its follow-up extensions exclusively adopt RLWE/RGSW-based bootstrapping methods (the first, second, and third categories mentioned above) and have not integrated the high-efficiency NTRU-based blind rotation; meanwhile, all existing NTRU-based MKHE schemes inherently lack support for parallel bootstrapping, which limits their efficiency and scalability in practical multi-key homomorphic evaluation scenarios. To leverage the advantage of low bootstrapping overhead in the NTRU-based FINAL scheme and address the issue that existing NTRU-based MKHE schemes do not support parallel bootstrapping, we focus our core solution on the proposed MGHE scheme. Specifically, the main contributions of this paper are as follows:

1.

A secret sharing-based bootstrapping key generation algorithm for the MGHE framework is proposed, which enables the MGHE framework to employ NTRU-based bootstrapping. The FINAL scheme lacks an asymmetric encryption variant, and existing NTRU-based blind rotation algorithms [19,20] employ symmetrically encrypted bootstrapping keys. To ensure compatibility between the proposed bootstrapping algorithm and NTRU-based blind rotation while maintaining low noise levels in bootstrapping keys, additive secret sharing is introduced in the offline phase before bootstrapping. Parties within the same group collectively negotiate and generate bootstrapping keys through operations such as addition and multiplication of secret shares.

2.

A multi-group hybrid product algorithm dedicated to NTRU-based blind rotation is proposed, realizing the parallelizable bootstrapping for MGHE in MKHE setting. To parallelize bootstrapping, the core steps of bootstrapping are divided into multiple subtasks by group. Each subtask independently performs blind rotation using the corresponding group bootstrapping key, and the outputs of the subtasks are aggregated using the multi-group hybrid product algorithm.

3.

Secure parameter sets were determined, with the effectiveness being verified through experiments. Since the FINAL scheme is based on NTRU, “overstretched” parameters render the scheme vulnerable to sublattice attacks. Through an analysis of the upper bound of noise, the parameters of the proposed scheme are ensured to remain within a secure range using LWE [21] and NTRU estimators [22]. Experiments were conducted under different parameter sets with the number of groups ranging from 2 to 8, validating the effectiveness of the proposed scheme.

2. Related Work

In MGHE, plaintexts within the same group are encrypted using a joint public key in the form of MPHE, while ciphertexts encrypted under joint public keys of different groups are computed in a multi-key manner. Thus, MGHE can be regarded as an extension of MPHE to multi-key scenarios. Current mainstream single-key HE schemes include BGV [23], BFV [24], CKKS [25], and FHEW [26]/TFHE [9,10]. Both MPHE and MKHE schemes are constructed on top of these single-key schemes, and existing MGHE schemes are all extended from MPHE/MKHE based on RLWE/RGSW primitives, with no prior work on NTRU-based MGHE construction.

2.1. Multi-Party Homomorphic Encryption Schemes

The earliest MPHE scheme was constructed by Asharov et al. [27] based on the LWE-based BGV scheme. In this scheme, parties independently generate public keys, broadcast them, and compute the joint public key locally by summing the received public keys from other parties. Similarly, Mouchet et al. [13] constructed an RLWE-based MPHE on the BFV scheme, which can be easily extended to BGV and CKKS schemes. FHEW/TFHE-type schemes employ two layers of ciphertexts: the first layer is basic LWE ciphertexts, and the second layer is RGSW ciphertexts for homomorphic decryption. Unlike BGV, BFV, and CKKS schemes, TFHE encodes the LWE secret key into the monomial X and encrypts it into the second-layer ciphertext as the bootstrapping key, achieving homomorphic decryption through the blind rotation algorithm. Thus, constructing a multi-party TFHE scheme requires generating multi-party bootstrapping keys. Lee et al. [28] realized the generation of multi-party blind rotation keys by leveraging homomorphic multiplication between RGSW ciphertexts, constructing a feasible multi-party bootstrapping algorithm. Subsequently, Park et al. [29] built the first multi-party TFHE scheme based on this bootstrapping algorithm.

2.2. Multi-Key Homomorphic Encryption Schemes Based on Blind Rotation

As the fastest method for bootstrapping a single ciphertext, blind rotation is not only applicable to TFHE schemes but also compatible with all (R)LWE-based encryption schemes. Thus, blind rotation is a key technology for both MPHE and MKHE schemes. Chen et al. [17] first extended TFHE to multi-key scenarios, proposing the CCS scheme. This scheme uses the hybrid product between multi-key RLWE ciphertexts and single-key Uni-Enc ciphertexts to replace the external product between multi-key RLWE and multi-key RGSW ciphertexts, achieving lower time and space overhead. Based on the hybrid product algorithm proposed by Chen et al., Kwak et al. [30] constructed a generalized external product algorithm and designed a parallelizable multi-key LWE ciphertext bootstrapping algorithm (KMS scheme). The initial blind rotation algorithm, which used RLWE and RGSW ciphertexts as inputs, was later improved in the FINAL scheme by Bonte et al. [11]. Based on the NTRU problem, their key modification was to replace these ciphertexts with the more compact scalar NTRU and vector ciphertexts, respectively. Since NTRU scalar and vector ciphertexts are smaller in size than are RLWE and RGSW ciphertexts, and fewer polynomial multiplications are required for their homomorphic multiplication, the overhead of blind rotation is reduced. Building on the FINAL scheme, Xu et al. [31] proposed an MKHE scheme that achieves an approximately 5x speedup compared to the CCS scheme for two parties. However, this scheme controls noise accumulation during homomorphic computations by fixing the Hamming weight of NTRU keys, which Kim et al. [32] pointed out compromises the scheme’s security, making it unsuitable for practical applications. Subsequently, Xiang et al. [33] proposed the first practical multi-key NTRU ciphertext scheme based on NTRU. Distinct from the scheme put forward by Xu et al., the intermediate multi-key NTRU ciphertext employed in the bootstrapping algorithm of this scheme is structurally consistent with multi-key RLWE ciphertexts. Consequently, it can effectively mitigate noise growth while avoiding overstretched parameters. Nevertheless, this scheme shares the same limitation with Xu et al.’s construction, namely, the lack of support for parallel bootstrapping. Park et al. [34] applied the hybrid product algorithm to the key switching key generation protocol, avoiding the invocation of the hybrid product during blind rotation, resulting in significant performance improvements over the CCS and KMS schemes. Nevertheless, it still does not support parallel execution.

2.3. Multi-Group Homomorphic Encryption Scheme

Currently, there are relatively few studies on constructing new multi-group homomorphic encryption schemes based on the MGHE framework proposed by Kwak et al. [18], and all existing MGHE extensions are built on RLWE/RGSW-based primitives and have not integrated NTRU-based blind rotation or addressed the inefficiencies of RLWE/RGSW-based bootstrapping. To address the gap of TFHE-based MGHE construction, Wan et al. [35] proposed the first MGHE scheme based on TFHE by relying on the original MGHE architecture. The bootstrapping algorithm of this scheme is consistent with that of the CCS scheme, directly migrating the RLWE/RGSW-based blind rotation and hybrid product from MKHE to the MGHE framework without customized optimization. Since the bootstrapping key of the CCS scheme is constructed based on RLWE and has a favorable linear structure, the joint bootstrapping key of each group only requires simple accumulation operations. The bootstrapping process of this scheme fully follows the execution paradigm of the CCS scheme, so it also inherits the inherent shortcomings of the CCS scheme. Therefore, the WLW scheme does not support parallel computing and suffers from slow bootstrapping due to the structure of RLWE/RGSW ciphertexts. Most importantly, this scheme and other existing MGHE works do not explore the integration of NTRU-based blind rotation with the MGHE framework, nor do they solve the technical challenges of NTRU-based bootstrapping key generation and parallel execution in the multi-group setting. This is the core research gap that our work addresses, and it is the key novelty that distinguishes our scheme from all existing MGHE and NTRU-based MKHE schemes.

3. Preliminaries

3.1. Notions

Boldface letters denote vectors (e.g., $\mathit{a}$), and the inner product between two vectors $\mathit{a}$ and $\mathit{b}$ is denoted as $\langle \mathit{a},\mathit{b}\rangle$. $\mathbb{Z}$ denotes the ring of integers. For a given positive integer q, ${\mathbb{Z}}_q$ denotes the quotient ring $\mathbb{Z}/q\mathbb{Z}$, whose elements are integers in the interval $[-{\displaystyle \frac{q}{2}},{\displaystyle \frac{q}{2}})$. Similarly, given positive integers Q and N (where N is a power of 2), $R=\mathbb{Z}\left[X\right]/(X^N+1)$ denotes the 2N-th cyclotomic ring, and the quotient ring $R_Q=R/QR={\mathbb{Z}}_Q\left[X\right]/(X^N+1)$ consists of integer polynomials with coefficients in ${\mathbb{Z}}_Q$. $e\leftarrow \chi$ indicates that the random variable e is sampled from the distribution $\chi$. Similarly, $e=(e_1,\dots ,e_n)\leftarrow {\chi }^n$ denotes that the vector e is obtained by sampling n times independently from $\chi$. For clarity, if e is a polynomial (even if its coefficients are sampled multiple times from a distribution), the former notation is still used. $\sigma$ and ${\sigma }^2$ denote the standard deviation and variance of a distribution, respectively. For a random variable a, $Var\left(a\right)$ denotes its variance if $a\in \mathbb{Z}$ or the variance of its coefficients if $a\in R$. For a ciphertext c, $err\left(c\right)$ denotes the ciphertext noise, and $Var\left(err\right(c\left)\right)$ denotes the variance of the ciphertext noise. $\lfloor ·\rceil$, $\lceil ·\rceil$, and $\lfloor ·\rfloor$ denote the rounding function, ceiling function, and floor function, respectively. In secret sharing schemes, for a secret s, ${\left[s\right]}_i$ denotes the secret share belonging to the i-th party, and $\left[s\right]=\left\{{\left[s\right]}_i\right\}$ denotes the set of secret shares.

3.2. Hard Problems

Definition 1. 

Decisional LWE problem [36].

Given positive integers q, n, and a distribution $\chi$ over $\mathbb{Z}$, the decisional LWE problem is to distinguish between the following:

1.

Randomly sampled pairs $(x,\mathit{y})\in {\mathbb{Z}}_q^{n+1}$;

2.

Pairs $(b=-{\sum }_{i=1}^n{a}_i{s}_i+e,\mathit{a})\in {\mathbb{Z}}_q^{n+1}$, where $\mathit{a}$ is uniformly sampled from ${\mathbb{Z}}_q^n$, $a_i$ is the i-th element of $\mathit{a}$, $\mathit{s}$ is uniformly sampled from ${\mathbb{Z}}^n$, $s_i$ is the i-th element of $\mathit{s}$, and e is sampled from $\chi$.

Definition 2. 

Decisional RLWE problem [37].

Given positive integers Q, N, the polynomial ring $R=\mathbb{Z}\left[X\right]/(X^N+1)$, $R_Q={\mathbb{Z}}_Q\left[X\right]/(X^N+1)$, and a distribution $\chi$ over R, the decisional RLWE problem is to distinguish between the following:

1.

Randomly sampled pairs $(x,y)\in R_Q^2$;

2.

Pairs $(b=-as+e,a)\in R_Q^2$, where $a,s$ are uniformly sampled from $R_Q$, and e is sampled from $\chi$.

Definition 3. 

Decisional NTRU problem [11].

Given positive integers Q, N, the polynomial ring $R=\mathbb{Z}\left[X\right]/(X^N+1)$, $R_Q={\mathbb{Z}}_Q\left[X\right]/(X^N+1)$, and a distribution $\chi$ over R, let $f\leftarrow \chi$, $e\leftarrow \chi$ with f invertible in $R_Q$. The decisional NTRU problem is to distinguish between the following:

1.

A randomly sampled element $a\in R_Q$;

2.

The element ${\displaystyle \frac{e}{f}}\in R_Q$.

Definition 4. 

Decisional Vector NTRU problem [38].

Given positive integers Q, N, d, the polynomial ring $R=\mathbb{Z}\left[X\right]/(X^N+1)$, $R_Q={\mathbb{Z}}_Q\left[X\right]/(X^N+1)$, and a distribution $\chi$ over R, let $f,e_1,\dots ,e_d\leftarrow \chi$ with f invertible in $R_Q$. The decisional vector NTRU problem is to distinguish between the following:

1.

A randomly sampled vector $\mathit{a}=(a_1,\dots ,a_d)\in R_Q^d$;

2.

The vector $\left({\displaystyle \frac{e_1}{f}},\dots ,{\displaystyle \frac{e_d}{f}}\right)\in R_Q^d$.

3.3. Gadget Decomposition

Gadget decomposition is a technique for decomposing an integer in $({\mathbb{Z}}_Q$ into multiple small integers in $\mathbb{Z}$. Given positive integers B, $d=\lceil {log}_{B}Q\rceil$, and $a\in {\mathbb{Z}}_Q$, the gadget decomposition vector with base B is defined as ${\mathbf{g}}_B$$=(B^0,B^1,\dots ,B^{d-1})\in {\mathbb{Z}}_Q^d$. The decomposition function of the integer a with base B is given by the following:

$${\mathfrak{g}}_B^{-1}\left(a\right)=(a_1,a_2,\dots ,a_d)\in {\mathbb{Z}}^d,$$

(1)

where ${\sum }_{i=1}^d{a}_i·B^{i-1}=a mod Q$. For brevity, $\langle {\mathfrak{g}}_B^{-1}\left(a\right),{\mathbf{g}}_B\rangle$ is denoted as ${\mathfrak{g}}_B^{-1}\left(a\right)·{\mathbf{g}}_B$. Gadget decomposition is not limited to ${\mathbb{Z}}_Q$ but can also be extended to the polynomial ring $R_Q$. For a polynomial $a\left(X\right)\in R_Q$, it is treated as a coefficient vector, and the above conclusion holds by decomposing each element of the vector individually.

3.4. FINAL Scheme

The NTRU problem serves as a crucial hard problem for constructing post-quantum FHE schemes, and its parameter selection directly impacts the security of the cryptographic scheme. Schemes built on NTRU are vulnerable to sublattice attacks if “overstretched” parameters are used [39]. To avoid overstretched parameters while ensuring the correctness of homomorphic operations, Bonte et al. proposed the FINAL scheme [11]. Subsequently, Xiang et al. [19] modified the ciphertext form of the scheme to construct their ring isomorphism-based blind rotation algorithm. The modified FINAL scheme is described as follows:

• FINAL.Setup($1^{\lambda }$): Input a security parameter $\lambda$, generate security-compliant parameters including the NTRU polynomial modulus Q, polynomial degree N, gadget decomposition base B, key distribution ${\chi }_{nk}$ over R, and noise distribution ${\chi }_{ne}$ over R. Output $Params=(Q,N,B,{\chi }_{nk},{\chi }_{ne})$.
• FINAL.KeyGen(): Input the parameters generated by the Setup algorithm, select an invertible polynomial $f\in R$ from ${\chi }_{nk}$, and output the NTRU key f.
• FINAL.ScalarEnc(m, f): Input a plaintext $m\in R_Q$ and the NTRU key f, randomly select noise $e\leftarrow {\chi }_{ne}$, set $\Delta ={\displaystyle \frac{Q}{4}}$ as the scaling factor, and output the NTRU scalar ciphertext

  $$c={\displaystyle \frac{e+\Delta m}{f}}\in R_Q.$$

  (2)
• FINAL.VectorEnc(m, f): Input a plaintext $m\in R_Q$ and the NTRU key f, randomly select noise $e_1,\dots ,e_d\leftarrow {\chi }_{ne}$ where $d=\lceil {log}_{B}Q\rceil$, and output the NTRU vector ciphertext

  $$\mathit{c}=\left({\displaystyle \frac{e_1}{f}}+B^0·m,\dots ,{\displaystyle \frac{e_d}{f}}+B^{d-1}·m\right)\in R_Q^d.$$

  (3)

To implement the CMux gate, the TFHE scheme defines the external product between TRLWE and TRGSW ciphertexts. Similarly, the FINAL scheme defines the external product between scalar NTRU and vector NTRU ciphertexts and proves the upper bound of the noise variance for this external product operation.

Definition 5. 

NTRU external product.

Let $c=NTR{U}_{Q,f,\Delta }\left(m\right)$ denote a scalar NTRU ciphertext encrypting the plaintext m with modulus Q, scaling factor $\Delta$, and NTRU key f. Let $\mathit{c}=NTR{U}_{Q,f,B}^{\prime }\left(m\right)$ denote a vector NTRU ciphertext encrypting the plaintext m with modulus Q, gadget decomposition base B, and NTRU key f. The external product is defined as

$$⊡:NTR{U}_{Q,f,\Delta }\times NTR{U}_{Q,f,B}^{\prime }\to NTR{U}_{Q,f,\Delta },$$

(4)

where

$$c⊡\mathit{c}=\langle {\mathfrak{g}}_B^{-1}\left(c\right),\mathit{c}\rangle .$$

(5)

Lemma 1. 

Noise of NTRU external product.

Given positive integers Q, N, B, d, a scalar NTRU ciphertext $c={\displaystyle \frac{e+\Delta m}{f}}\in R_Q$, and a vector NTRU ciphertext $\mathit{c}=\left({\displaystyle \frac{e_1}{f}}+B^0·m^{\prime },\dots ,{\displaystyle \frac{e_d}{f}}+B^{d-1}·m^{\prime }\right)\in R_Q^d$, let $err\left(c\right)$ and $err\left(\mathit{c}\right)$ denote the noise of c and $\mathit{c}$, respectively, and $Var\left(err\right(c\left)\right)$ and $Var\left(err\right(\mathit{c}\left)\right)$ denote their noise variances. Then, the noise variance of the ciphertext $c^{\prime }=c⊡\mathit{c}$ satisfies

$$Var\left(err\left(c^{\prime }\right)\right)\le dN·{\displaystyle \frac{B^2}{12}}·Var\left(err\left(c\right)\right)+Var\left(err\left(\mathit{c}\right)\right).$$

(6)

3.5. XZD Blind Rotation

The first automorphism-based blind rotation algorithm was proposed by Lee et al. [28] (LMKC scheme). Unlike the AP scheme [40], which achieves exponent accumulation through multiplication operations, the LMKC scheme leverages the automorphism map $X\to X^t$ to implement scalar multiplication on exponents, thereby significantly reducing the number of multiplication operations in the accumulator. Subsequently, the XZD scheme proposed by Xiang et al. [19] further shortens the time required for key switching after multiplication in the accumulator by adopting scalar and vector NTRU ciphertexts, effectively reducing the overall computational overhead of blind rotation.

The order of the monomial X over the 2N-th cyclotomic polynomial ring $R_Q={\mathbb{Z}}_Q\left[X\right]/(X^N+1)$ is 2N, i.e., $X^{2N}=1 mod (X^N+1)$. Thus, for a positive integer t, multiplying any element $r\left(X\right)\in R$ by the monomial $X^t$ results in a regular cyclic left or right shift of the polynomial’s coefficients. Blind rotation leverages this property to rotate specific coefficients to the leading term. Formally, given an element $r\left(X\right)={\sum }_{i=0}^{q-1}i·X^{-i}\in R$, compute the rotation polynomial

$$r(X^{{\displaystyle \frac{2N}{q}}})=\sum _{i=0}^{q-1}i·X^{-{\displaystyle \frac{2N}{q}}i}.$$

(7)

For a ciphertext $c=(b,a_1,\dots ,a_n)\in {\mathbb{Z}}_q^{n+1}$ satisfying $\Delta ·m+e=b+{\sum }_{i=1}^n{a}_i{s}_i$ (where $\Delta$ is the LWE scaling factor, q is the LWE ciphertext modulus, and q divides 2N), the goal of blind rotation is to compute the following in the encrypted state

$$r(X^{{\displaystyle \frac{2N}{q}}})·X^{{\displaystyle \frac{2N}{q}}·\left(b+{\sum }_{i=1}^n{a}_i{s}_i\right)}=(\Delta ·m+e)+\sum _{i\ne \Delta m+e}i·X^{{\displaystyle \frac{2N}{q}}(\Delta ·m+e-i)}.$$

(8)

Before performing blind rotation, the XZD scheme preprocesses the ciphertext to be bootstrapped $c=(b,a_1,\dots ,a_n)$ by computing

$$c^{\prime }=\left({\displaystyle \frac{2N}{q}}b+1,{\displaystyle \frac{2N}{q}}{a}_1+1,\dots ,{\displaystyle \frac{2N}{q}}{a}_n+1\right)\in {\mathbb{Z}}_q^{n+1},$$

(9)

ensuring the existence of the automorphism. Subsequently, the rotation polynomial is encrypted into a scalar NTRU ciphertext, and the monomial $X^{s_i}$ (related to the i-th component of the LWE secret key) is encrypted into a vector NTRU ciphertext. During blind rotation, $X^{s_i}$ is iteratively multiplied into the rotation polynomial via the external product between the two types of ciphertexts, followed by key switching based on automorphism to multiply the ciphertext component $a_i$ into the rotation polynomial.

The XZD blind rotation consists of two algorithms: the Blind Rotation Key Generation (BRKGen) algorithm and the Blind Rotation Evaluation (BREval) algorithm. Let $Params=(Q,N,B_{br},{\chi }_{nk},{\chi }_{ne})$ be the public parameters output by $FINAL.Setup$, and $d_{br}=\lceil {log}_{B_{br}}Q\rceil$. Define the set $S=\left\{{\displaystyle \frac{2N}{q}}·i+1\mid 1\le i\le q-1\right\}$ and let $LW{E}_{q,\mathit{s}}\left(m\right)=(b,a_1,\dots ,a_n)\in {\mathbb{Z}}_q^{n+1}$ denote the LWE ciphertext encrypting the plaintext m with modulus q and secret key $\mathit{s}$. The two algorithms are described as follows.

• BRKGen(): Given an LWE secret key $\mathit{s}=(s_1,\dots ,s_n)\in {\mathbb{Z}}_q^n$ and an NTRU key $f\in R_Q$, the algorithm outputs $EVK=\{ev{k}_j\mid 1\le j\le n+1\}\cup \{nksv{k}_j\mid j\in S\}$, where

  1.

  $ev{k}_1=NTR{U}_{Q,f,B_{br}}^{\prime }\left({\displaystyle \frac{X^{s_1}}{f}}\right)$, $ev{k}_i=NTR{U}_{Q,f,B_{br}}^{\prime }\left(X^{s_i}\right)$ for $2\le i\le n$, $ev{k}_{n+1}=NTR{U}_{Q,f,B_{br}}^{\prime }\left(X^{-{\sum }_{i=1}^n{s}_i}\right)$;

  2.

  $nksv{k}_j=NTR{U}_{Q,f,B_{br}}^{\prime }\left({\displaystyle \frac{f\left(X^j\right)}{f\left(X\right)}}\right)$.

• BREval($(b,\mathit{a}),r,EVK,\Delta$): Input an LWE ciphertext $LW{E}_{q,\mathit{s}}\left(m\right)=(b,a_1,\dots ,a_n)\in {\mathbb{Z}}_q^{n+1}$, a rotation polynomial r, the evaluation key $EVK$ generated by BRKGen, and the NTRU scaling factor $\Delta$. The algorithm computes and outputs

  $$ACC=NTR{U}_{Q,f,\Delta }\left(r\left(X^{{\displaystyle \frac{2N}{q}}}\right)·X^{{\displaystyle \frac{2N}{q}}·\left(b+{\sum }_{i=1}^n{a}_i{s}_i\right)}\right).$$

  (10)

The detailed steps are presented in Algorithm 1.

Algorithm 1 BREval($(b,\mathit{a}),r,EVK,\Delta )$ (adapted from [19])

Require:  An LWE ciphertext $LW{E}_{q,\mathit{s}}\left(m\right)=(b,a_1,\dots ,a_n)\in {\mathbb{Z}}_q^{n+1}$  A rotation polynomial $r\left(X\right)$  Evaluation key $EVK=({\left\{ev{k}_j\right\}}_{1\le j\le n+1},{\left\{nks{k}_j\right\}}_{j\in S})$  Scaling factor $\Delta$ Ensure:  A scalar NTRU ciphertext $NTR{U}_{Q,f,\Delta }(r(X^{{\displaystyle \frac{2N}{q}}})·X^{{\displaystyle \frac{2N}{q}}·(b+{\sum }_{i=1}^n{a}_i{s}_i)})$   1: for $i=1$ to n do   2:     $w_i\leftarrow {\displaystyle \frac{2N}{q}}{a}_i+1$   3:   $w_i^{\prime }\leftarrow w_i^{-1} mod 2N$   4: end for   5: $w_{n+1}^{\prime }\leftarrow 1$   6: $ACC\leftarrow \Delta ·r(X^{{\displaystyle \frac{2N}{q}}{w}_1^{\prime }})·X^{{\displaystyle \frac{2N}{q}}b{w}_1^{\prime }}$   7: for $i=1$ to n do   8:   $ACC\leftarrow ACC⊡ev{k}_i$   9:      if $w_i{w}_i^{\prime }\ne 1$ then 10:     $c\left(X\right)\leftarrow ACC$ 11:     $ACC\leftarrow c\left(X^{w_i{w}_{i+1}^{\prime }}\right)⊡nks{k}_{w_i{w}_{i+1}^{\prime }}$ 12:      end if 13: end for 14: $ACC\leftarrow ACC⊡ev{k}_{n+1}$ 15: return $ACC$

3.6. Additive-Only Multi-Party RLWE-Based Homomorphic Encryption

The core algorithms of the multi-party BFV scheme proposed by Mouchet et al. [41] can be combined to form an additive-only (supporting scalar multiplication) multi-party RLWE homomorphic encryption scheme (AHE).

• AHE.Setup($1^{\lambda }$): Input a security parameter $\lambda$ and output security-compliant public parameters including the RLWE ciphertext modulus Q, plaintext modulus t, polynomial degree N, secret key distribution ${\chi }_{rk}$ over R, noise distribution ${\chi }_{re}$ over R, and a common reference polynomial $p\in R$. Output $Params=(Q,t,N,{\chi }_{rk},{\chi }_{re},p)$.
• AHE.SKeyGen(): Each party ${\mathcal{P}}_i\in \mathcal{G}$ selects an RLWE secret key $z_i\leftarrow {\chi }_{rk}$.
• AHE.PKeyGen($z_i$): Each party ${\mathcal{P}}_i\in \mathcal{G}$ selects noise $e_i\leftarrow {\chi }_{re}$, computes $r=-p·z_i+e_i$, and sets $pk=(r,p)\in R_Q^2$.
• AHE.JointPKeyGen(${\left\{z_i\right\}}_{i\in \mathcal{G}}$): Input the public keys $pk=(r_i,p)$ of all parties, compute $\tilde{r}={\sum }_{i\in \mathcal{G}}{r}_i$, and output the joint RLWE public key $rjpk=(\tilde{r},p)\in R_Q^2$.
• AHE.Enc(m): Input a plaintext $m\in R_t$, select noise $e1$, $e_2\leftarrow {\chi }_{re}$, randomly select a temporary secret polynomial $g\leftarrow {\chi }_{rk}$, compute $b=\tilde{r}·g+{\displaystyle \frac{Q}{t}}·m+e_1$ and $a=p·g+e_2$, and output the ciphertext $c=(b,a)\in R_Q^2$.
• AHE.Dec($c,{\left\{z_i\right\}}_{i\in G}$): Input a ciphertext $c=(b,a)$ encrypted under the joint RLWE public key $rjpk$ and the RLWE secret keys ${\left\{z_i\right\}}_{i\in G}$ of all parties and compute $m=\lfloor {\displaystyle \frac{t·(b+{\sum }_{i\in \mathcal{G}}a·z_i)}{Q}}\rceil \in R_t$.
• AHE.Add($c,c^{\prime }$): Input two multi-party RLWE ciphertexts $c=(b,a)$ and $c^{\prime }=(b^{\prime },a^{\prime })$ encrypting plaintexts $m,m^{\prime }\in R_t$ under the same public key and compute and output $\overline{c}=(b+b^{\prime },a+a^{\prime })\in R_Q^2$.
• AHE.ScalarMult($\beta ,c$): Input a scalar polynomial $\beta \in R_t$ and a multi-party RLWE ciphertext $c=(b,a)$ and compute and output $\overline{c}=(\beta ·b,\beta ·a)\in R_Q^2$.

4. Technical Overview and Structure

The core of the scheme proposed in this paper is parallelized bootstrapping, which consists of two phases: an offline phase for generating bootstrapping keys and an online phase for computing arbitrary function over ciphertexts. The online phase refers to rotating the plaintext corresponding to a ciphertext to the first term of the polynomial using the XZD blind rotation algorithm in Section 3.5, and then extracting it into a new ciphertext with lower noise. The offline phase means that each group collaboratively generates a joint evaluation bootstrapping key (JEVK) with the same structure as that of the evaluation bootstrapping key (EVK) output by BRKGen through multiple rounds of communication within the group via multi-party computation technology based on secret sharing. This enables each group in MGHE to act as a single party in MKHE, thus allowing MGHE to perform bootstrapping in the manner of MKHE.

The parallel framework proposed in the KMS scheme partitions MKHE ciphertexts by secret keys. For an MKHE ciphertext $\mathit{c}=(b,{\mathit{a}}_1,\dots ,{\mathit{a}}_k)$ involving k parties with respective secret keys ${\mathit{s}}_1,\dots ,{\mathit{s}}_k$, the decryption formula is roughly given by ${\sum }_{i=1}^k{\mathit{a}}_i·{\mathit{s}}_i$. Owing to this formulation, the decryption formula can be naturally decomposed into multiple subtasks, where each subtask computes the dot product ${\mathit{a}}_i·{\mathit{s}}_i$. The partitioned ciphertexts are then processed independently (in parallel). Since the essence of bootstrapping is to homomorphically compute the decryption formula with all intermediate results remaining in the ciphertext domain, the outputs of these subtasks must be aggregated via the HybridProd algorithm at the final stage. This ultimately achieves the homomorphic computation of the complete decryption formula in the ciphertext domain. As the bootstrapping task is split into multiple subtasks, distributing these subtasks across different CPU cores makes the bootstrapping executed on each core equivalent to single-key bootstrapping.

To realize parallelized bootstrapping in our scheme, we also partition MGHE ciphertexts by groups, where the homomorphic decryption subtask on each core is implemented via the XZD blind rotation algorithm for single-key ciphertexts presented in Section 3.5. To adapt to the parallel framework of the KMS scheme, we designed the MGHybridProd algorithm for MGHE ciphertexts, which has identical functional logic to the HybridProd algorithm in the KMS scheme. The multi-group hybrid product key (HPK) for the MGHybridProd algorithm is also generated on a per-group basis. Since most bootstrapping materials are generated via multiplication over secret sharing, we precompute multiplication triples for this purpose. In our scheme, the generation of multiplication triples is realized by the additive-only multi-party RLWE-based homomorphic encryption scheme introduced in Section 3.6.

The overall workflow of our proposed scheme is illustrated in Figure 1. First, each group sequentially executes the TripleGen, Enroll, JBRKGen, LKSKeyGen, and MGHPKeyGen algorithms in the offline phase to acquire three types of bootstrapping keys including $JEVK$, $LKSK$, and $HPK$. Several parties in each group then invoke MGHE.Enc to encrypt plaintexts and generate multiple ciphertexts, and each group subsequently transmits these ciphertexts and bootstrapping keys to the server. The server employs the received keys and ciphertexts to evaluate a circuit that corresponds to the target function Func, and such circuits are constructed with homomorphic NAND gates. Each homomorphic NAND gate is formed by a NAND operation and a single bootstrapping operation. The bootstrapping algorithm we proposed follows a specific procedure where the ciphertext is first split into several components, the BREval algorithm is then applied to each component individually, the components are aggregated through the MGHybridProd algorithm, and the bootstrapped ciphertext is finally output via key switching.

In the following, we present the basic circuit-model-based MGHE scheme in Section 5. This scheme is not a fully homomorphic encryption (FHE) scheme capable of evaluating arbitrary functions, yet it can obtain the capability of homomorphically computing arbitrary functions by incorporating the bootstrapping operation, which entails reducing ciphertext noise through homomorphic decryption. In Section 6, we divide bootstrapping into the offline phase and the online phase and elaborate on its specific implementation in detail.

5. Basic Multi-Group LWE-Based Homomorphic Encryption Without Bootstrapping

This section first introduces the basic LWE-based multi-group homomorphic encryption scheme.

Parties in each group encrypt plaintexts using the group joint public key to obtain ciphertexts $ct$, which are then sent to the server. After receiving the ciphertexts, the server performs homomorphic computation and bootstrapping and returns the new ciphertext $c{t}^{\prime }$ to be decrypted. Under the MGHE framework, our basic scheme includes two sets of algorithms: The first set includes SKeyGen, PKeyGen, JointPKeyGenm, and Enc, which are dedicated to intra-group interactive computation, while the second set includes Setup, NAND, and Dec, which are for inter-group computation. In addition, to support asymmetric encryption while maintaining a small ciphertext modulus, we distinguish between the encryption modulus $q^{\prime }$ and the bootstrapping modulus q. The encryption modulus $q^{\prime }$ is much larger than q, and ciphertexts under the encryption modulus $q^{\prime }$ can tolerate greater noise. After encrypting a plaintext, a party needs to switch the ciphertext modulus to the bootstrapping modulus q through the ModulusSwitch algorithm to perform subsequent NAND and bootstrapping algorithms.

Let $\mathcal{G}$ be a set of parties, ${\mathcal{G}}_i$ denote the i-th group, j be the unique index of the party in the i-th group within ${\mathcal{G}}_i$, and ${\mathcal{P}}_{i,j}$ denote the j-th party in the i-th group. Our MGHE includes the following algorithms.

• MGHE.Setup($1^{\lambda }$): Takes a security parameter $\lambda$ as input and generates global parameters meeting security requirements, including LWE encryption modulus $q^{\prime }$, LWE bootstrapping modulus q, LWE dimension n, LWE secret key distribution ${\chi }_{lk}$ over $\mathbb{Z}$, noise distribution ${\chi }_{le}$ over $\mathbb{Z}$, and a common reference matrix $M\in {\mathbb{Z}}^{n\times n}$. Outputs $Params=(q^{\prime },q,n,{\chi }_{lk},{\chi }_{le},M)$.
• MGHE.SKeyGen(): Parties ${\mathcal{P}}_{i,j}$ in each group independently generate a private LWE secret key $\mathit{s}\leftarrow {\chi }_{lk}^n$ and output the LWE secret key $\mathit{s}\in {\mathbb{Z}}^n$.
• MGHE.PKeyGen($\mathit{s}$): Party ${\mathcal{P}}_{i,j}$ selects noise $\mathit{e}\leftarrow {\chi }_{le}^n$, computes $\mathit{r}=-M·\mathit{s}+\mathit{e}\in {\mathbb{Z}}_{q^{\prime }}^n$, and sets $pk=(\mathit{r},M)\in {\mathbb{Z}}_{q^{\prime }}^n\times {\mathbb{Z}}_{q^{\prime }}^{n\times n}$.
• MGHE.JointPKeyGen(${\left\{p{k}_j\right\}}_{j\in \mathcal{G}}$): Takes the LWE public keys $p{k}_j=({\mathit{r}}_j,M)$ of each party in a group $\mathcal{G}$, computes $\tilde{\mathit{r}}={\sum }_{j\in G}{\mathit{r}}_j$, and outputs the LWE joint public key $jpk=(\tilde{\mathit{r}},M)\in {\mathbb{Z}}_{q^{\prime }}^n\times {\mathbb{Z}}_{q^{\prime }}^{n\times n}$.
• MGHE.Enc($jpk,m$): Takes a plaintext bit $m\in \{0,1\}$ and the LWE joint public key $jpk$ of a group as input, randomly selects a temporary secret vector $\mathit{v}\leftarrow {\chi }_{lk}^n$, noise $e_1\leftarrow {\chi }_{le}$ and ${\mathit{e}}_2\leftarrow {\chi }_{le}^n$, computes $b=\langle \tilde{\mathit{r}},\mathit{v}\rangle +{\displaystyle \frac{q^{\prime }}{4}}m+e_1\in {\mathbb{Z}}_{q^{\prime }}$ and $\mathit{a}={\mathit{v}}^T·M+{\mathit{e}}_2\in {\mathbb{Z}}_{q^{\prime }}^n$, and outputs the LWE ciphertext $c=(b,\mathit{a})\in {\mathbb{Z}}_{q^{\prime }}^{n+1}$, encrypting the plaintext m under the joint LWE public key $jpk$.
• MGHE.ModulusSwitch($\mathit{c},q$): Takes the LWE ciphertext $\mathit{c}=(b,a_1,\dots ,a_n)\in {\mathbb{Z}}_{q^{\prime }}^{n+1}$ generated by the MGHE.Enc algorithm and the LWE bootstrapping modulus q for bootstrapping and computes and outputs ${\mathit{c}}^{\prime }=\left(\lceil {\displaystyle \frac{q}{q^{\prime }}}·b\rceil ,\lceil {\displaystyle \frac{q}{q^{\prime }}}·a_1\rceil ,\dots ,\lceil {\displaystyle \frac{q}{q^{\prime }}}·a_n\rceil \right)\in {\mathbb{Z}}_q^{n+1}$.
• MGHE.Dec($\mathit{c},{\left\{{\mathit{s}}_{i,j}\right\}}_{1\le i\le k,j\in {\mathcal{G}}_i}$): Takes the multi-group LWE ciphertext $c=(b,{\mathit{a}}_1,\dots ,{\mathit{a}}_k)$ and the LWE secret keys ${\mathit{s}}_{i,j}$ of each party in each group as input, computes $u_{i,j}=\langle {\mathit{a}}_i,{\mathit{s}}_{i,j}\rangle$, and outputs $m=\lfloor {\displaystyle \frac{2(b+{\sum }_{i=1}^k{\sum }_{j\in {\mathcal{G}}_i}{u}_{i,j})}{q}}\rceil \in {\mathbb{Z}}_2$.
• MGHE.NAND($\mathit{c},{\mathit{c}}^{\prime }$): Takes two multi-group LWE ciphertexts $\mathit{c}=(b,{\mathit{a}}_1,\dots ,{\mathit{a}}_k)\in {\mathbb{Z}}_q^{kn+1}$ and ${\mathit{c}}^{\prime }=(b^{\prime },{\mathit{a}}_1^{\prime },\dots ,{\mathit{a}}_k^{\prime })\in {\mathbb{Z}}_q^{kn+1}$ encrypted under the same set of public keys ${\left\{jp{k}_i\right\}}_{1\le i\le k}$, which encrypt plaintext bits $m,m^{\prime }$ respectively. For $1\le i\le k$, lets ${\mathit{a}}_i=(a_{i,1},\dots ,a_{i,n})$ and ${\mathit{a}}_i^{\prime }=(a_{i,1}^{\prime },\dots ,a_{i,n}^{\prime })$, computes ${\tilde{\mathit{a}}}_i=(-a_{i,1}-a_{i,1}^{\prime },\dots ,-a_{i,n}-a_{i,n}^{\prime })\in {\mathbb{Z}}_q^n$, and outputs the ciphertext $\tilde{\mathit{c}}=({\displaystyle \frac{5q}{8}}-b-b^{\prime },{\tilde{\mathit{a}}}_1,\dots ,{\tilde{\mathit{a}}}_k)\in {\mathbb{Z}}_q^{kn+1}$ encrypting the plaintext m NAND $m^{\prime }$.

RLWE is a ring variant of LWE. The above multi-group homomorphic encryption scheme can be constructed based on RLWE. Since the RLWE-based multi-group scheme operates on the ring $R_Q$, the main difference between the RLWE-based multi-group homomorphic encryption scheme and the above LWE-based scheme lies in the encryption and decryption algorithms. Let the RLWE joint public key be $jpk=(r,p)\in R_Q^2$. In the encryption algorithm, we compute $b=r·v+{\displaystyle \frac{Q}{4}}·m+e_1$ and $a=p·v+e_2$, where $v\in R_Q$ is a secret polynomial, and $e_1$ and $e_2$ are selected from a distribution over a certain polynomial ring. We denote $\mathit{c}=(b,a_1,\dots ,a_k)\in R_Q^{k+1}$ as the multi-group RLWE ciphertext encrypted by the RLWE joint public keys of k groups, with the corresponding secret keys ${\left\{z_{i,j}\right\}}_{1\le i\le k,j\in \mathcal{G}i}$. The ciphertext satisfies $b+{\sum }_{i=1}^k{\sum }_{j\in {\mathcal{G}}_i}{a}_i·z_{i,j}\approx \Delta ·m$, where $\Delta$ is a scaling factor.

The encryption scheme in this paper is based on Boolean circuits. Since the NAND gate has functional completeness, we can use the NAND gate as the basic unit to construct any Boolean function. Since homomorphic computation is performed under the circuit model, the bootstrapping scheme introduced in this paper belongs to gate bootstrapping. That is, homomorphic decryption is performed immediately after computing a NAND gate, and the scaling factor is converted from ${\displaystyle \frac{q}{2}}$ to ${\displaystyle \frac{q}{4}}$ to support the next homomorphic NAND computation.

Lemma 2. 

Correctness of Homomorphic NAND gate.

Given two MGHE ciphertexts $\mathit{c}=(b,{\mathit{a}}_1,\dots ,{\mathit{a}}_k)$, and ${\mathit{c}}^{\prime }$$=(b^{\prime },{\mathit{a}}_1^{\prime },\dots ,{\mathit{a}}_k^{\prime })$ that encrypt the plaintexts m and $m^{\prime }$ respectively, with a scaling factor of ${\displaystyle \frac{q}{4}}$ and an inserted noises denoted as e and $e^{\prime }$ whose absolute noise value is less than ${\displaystyle \frac{q}{16}}$, the NAND algorithm outputs a ciphertext $\tilde{\mathit{c}}$ with a scaling factor of ${\displaystyle \frac{q}{2}}$ and an absolute noise value less than ${\displaystyle \frac{q}{4}}$, which encrypts the plaintext m NAND $m^{\prime }$.

Proof. 

Denote the corresponding secret key of $\tilde{\mathit{c}}$ as ${\tilde{\mathit{s}}}_1,\dots {\tilde{\mathit{s}}}_k$. Since $m, m^{\prime }\in \{0,1\}$, subtracting the noisy encoded plaintext of this ciphertext from its encoded plaintext yields it noise:

$$\begin{array}{cc}\hfill \left[\left({\displaystyle \frac{5q}{8}}-b-b^{\prime }\right)+\sum _{i=1}^k{\tilde{\mathit{a}}}_i·{\tilde{\mathit{s}}}_i\right]-\left[{\displaystyle \frac{q}{2}}·\left(1-m{m}^{\prime }\right)\right] & ={\displaystyle \frac{q}{4}}·\left[{\displaystyle \frac{1}{2}}-{\left(m-m^{\prime }\right)}^2\right]-(e+e^{\prime })\hfill \\ \hfill & =\pm {\displaystyle \frac{q}{8}}-(e+e^{\prime }).\hfill \end{array}$$

(11)

Since the absolute values of e and $e^{\prime }$ are less than ${\displaystyle \frac{q}{16}}$, the absolute value of the noise in the new ciphertext c is less than ${\displaystyle \frac{q}{4}}$. This completes the proof.    □

After multiple gate bootstrapping operations, the decryption algorithm MGHE.Dec requires each party in each group to execute an interactive protocol called “distributed decryption” to ensure the security of the joint key. The current mainstream implementation is based on the smudging lemma in the AJL scheme [27]. Each party samples an super-polynomially large smudging noise $e_{smg}^{(i,j)}$ from a large noise distribution, computes $u_{i,j}+e_{smg}^{(i,j)}$, and broadcasts it to mask the intermediate results during the decryption process. To ensure the correctness of decryption, the ciphertext modulus also needs to be set very large. However, in our multi-group ciphertext bootstrapping algorithm based on NTRU and LWE, since the NTRU ciphertext modulus Q cannot be super-polynomially large, this method is not applicable.

For such schemes with limited ciphertext modulus, the KLO scheme proposed by Kraitsberg et al. [42] constructs a secure three-party distributed decryption protocol using garbled circuit (GC), and the scheme can be extended to more parties. Although this decryption protocol requires additional communication overhead, no additional noise needs to be introduced, so the parameters of the encryption scheme do not need to be adjusted. In our scheme, we adopt the distributed decryption mechanism of the KLO scheme and implement the decryption computation via garbled circuits. The decryption formula $m=\lfloor {\displaystyle \frac{2(b+{\sum }_{i=1}^k{\sum }_{j\in {\mathcal{G}}_i}{u}_{i,j})}{q}}\rceil =\lfloor m+{\displaystyle \frac{2e}{q}}\rceil$ holds correctly as long as the noise e satisfies $|{\displaystyle \frac{2e}{q}}|<{\displaystyle \frac{1}{2}}$, i.e., $\left|e\right|<{\displaystyle \frac{q}{4}}$. Crucially, the decryption procedure built on garbled circuits reveals no extra information other than the final plaintext m—it leaks no intermediate values, noise terms, or private inputs of each party. This non-leakage property ensures the decryption phase introduces no additional security vulnerabilities and preserves the message privacy, which lays a solid foundation for our subsequent IND-CPA security analysis. Further implementation details of the distributed decryption can be found in the original KLO scheme [42].

6. Bootstrapping for Multi-Group LWE Ciphertext

This section introduces how to bootstrap multi-group LWE ciphertexts. Bootstrapping can be divided into two parts: bootstrapping key generation (offline phase) and bootstrapping execution (online phase). In the blind rotation key output by the BRKGen algorithm, the NTRU key takes the form of a denominator, which must be invertible. To enable MGHE to perform computations in the MKHE manner, we assign an associated joint NTRU key F to each group and define $F=f_1{f}_2\dots f_k$, where each $f_i$ denotes an invertible NTRU key randomly selected by each party in the group, and this construction guarantees the invertibility of F. Setting the joint NTRU key as the product of all $f_i$ confers a distinct advantage, as the distribution of joint key shares can be realized through multiplication operations in secret sharing, and secret recovery only requires all parties to conduct a simple summation of their respective shares. By this approach, we can convert the non-linear F into its linearized secret shares, and this linearity will provide critical support for the subsequent generation of the remaining bootstrapping keys. Therefore, we can design a multi-group hybrid product algorithm suitable for multi-group ciphertexts to realize the multiplication between different types of ciphertexts and further construct a parallelizable bootstrapping algorithm.

6.1. Offline Phase

This section presents a systematic elaboration on the offline phase of bootstrapping, which takes the additive secret sharing technique introduced in Section 6.1.2 as its core technical foundation. The implementation of multiplication operations over additive secret sharing relies on the multiplication triple generation algorithm proposed in Section 6.1.1. Analysis shows that both the HybridProd algorithm in the KMS scheme and the XZD blind rotation key generation algorithm BRKGen frequently invoke the joint NTRU key F, its inverse ${\displaystyle \frac{1}{F}}$, and the value $X^{{\sum }_{j\in \mathcal{G}}{s}_{j,l}},X^{-{\sum }_{j\in \mathcal{G}}{\sum }_{l=1}^n{s}_{j,l}}$ associated with each party’s secret key. For this reason, we perform unified precomputation on these reusable parameters via the Enroll algorithm; the remainder of this section will elaborate on the generation algorithms for the multi-group hybrid product key (MGHPKeyGen) and joint blind rotation key (JBRKGen) in turn.

6.1.1. Generating Polynomial Multiplication Triples

The multiplication triple $(a,b,c=a·b)$ was proposed by Beaver [43] to reduce the number of communication rounds in secret sharing multiplication, thereby converting communication overhead into precomputation overhead in the offline phase. Existing multiplication triple generation schemes mainly include the MASCOT scheme [44] based on oblivious transfer (OT) and the low/high gear scheme [45] based on additive-only homomorphic encryption (AHE). However, the triple elements generated by these schemes are all values over the integer ring (field), which cannot be used for secret multiplication over the polynomial ring $R_Q$. Therefore, we design a multi-party multiplication triple generation algorithm, TripleGen, that supports polynomial secret multiplication according to the framework proposed in [46]. The algorithm comprises two sub-algorithms: the Setup sub-algorithm is used to initialize public parameters, and the EvalGen is used to generate triples.

• TripleGen.Setup(): Successively executes AHE.Setup, AHE.SKeyGen, AHE.PKeyGen, and AHE.JointPKeyGen and outputs public parameters $Params=(Q,t,N,{\chi }_{rk},{\chi }_{re},p)$, secret keys ${\left\{z_i\right\}}_{1\le i\le k}$ of each party, and joint public key $rjpk=(r,p)$.
• TripleGen.EvalGen($Params,{\left\{z_i\right\}}_{1\le i\le k},rjpk$): Takes the public parameters $Params$ output by TripleGen.Setup, the secret keys ${\left\{z_i\right\}}_{1\le i\le k}$ of each party, and the joint public key $rjpk$ as input and outputs a random polynomial multiplication triple. For the detailed specifications, refer to Algorithm 2.

When performing decryption in the fifth step, we also need to use a distributed decryption protocol. The difference is that party ${\mathcal{P}}_1$ does not need to broadcast its partial decryption result, while other parties need to send their partial decryption results to ${\mathcal{P}}_1$. This asymmetric decryption method ensures that no party other than ${\mathcal{P}}_1$ knows the decryption result. Since the AHE scheme can adopt the distributed decryption approach from the AJL scheme (one round of communication), the TripleGen.EvalGen algorithm requires $\mathbf{5}$ rounds of communication.

Let the secrets corresponding to the triple shares output by the algorithm be $a,b,c$. Since we need $c=a·b$ to hold over the ring $R_Q$, the plaintext modulus t of AHE is required to be larger than the coefficients of c to ensure that the c output by the algorithm is not implicitly modulo t.

Algorithm 2 TripleGen.EvalGen($Params,{\left\{z_i\right\}}_{1\le i\le k},rjpk$)

Require:  AHE public parameters $Params$.  Set of RLWE secret keys ${\left\{z_i\right\}}_{1\le i\le k}$ has each $z_i$ belonging to ${\mathcal{P}}_i$.  Joint RLWE public key $rjpk$. Ensure: Polynomial multiplication triple $\left(\right[a],[b],[c\left]\right)$.  1: For $1\le i\le k$, party ${\mathcal{P}}_i$ randomly selects $a_i,b_i\in R_3$ from a symmetric three-point distribution (probability ${\displaystyle \frac{1}{4}}$ for taking values −1 or 1 and ${\displaystyle \frac{1}{2}}$ for taking value 0), computes $C_i=AHE.Enc\left(a_i\right)$, and sends it to ${\mathcal{P}}_1$.  2: ${\mathcal{P}}_1$ computes C=AHE.Add(AHE.Add(… AHE.Add($C_1,C_2),C_3)\dots ,C_k)$ and broadcasts it to all parties.  3: For $1\le i\le k$, party ${\mathcal{P}}_i$ computes $E_i$=AHE.Enc(0), $C_i^{\prime }$=AHE.Add(AHE.ScalarMult($b_i,C),E_i$), and then sends $C_i^{\prime }$ to ${\mathcal{P}}_1$.  4: For $2\le i\le k$, party ${\mathcal{P}}_i$ randomly selects a polynomial $c_i\in R_3$ from the symmetric three-point distribution, computes $C_i^{″}$=AHE.Enc($-c_i$), and sends it to ${\mathcal{P}}_1$.  5: ${\mathcal{P}}_1$ computes $C^{\prime }$=AHE.Add(…AHE.Add($C_1^{\prime },C_2^{\prime })\dots ,C_k^{\prime }$), $C^{″}$=AHE.Add(AHE.Add(…AHE.Add($C_2^{″},C_3^{″})\dots ,C_k^{″}),C^{\prime }$), $c_1$=AHE.Dec($C^{″},{\left\{z_i\right\}}_{1\le i\le k}$).  6: let ${\left[a\right]}_i=a_i,{\left[b\right]}_i=b_i,{\left[c\right]}_i=c_i(1\le i\le k)$.  7: return $\left(\right[a],[b],[c\left]\right)$

In the second step of the algorithm, party ${\mathcal{P}}_1$ broadcasts the ciphertext C, which encrypts ${\sum }_{i=1}^k{a}_i$, and the upper bound of its plaintext coefficients is k. In the third step, each party ${\mathcal{P}}_i$ computes the ciphertext $C_i^{\prime }$, which encrypts the plaintext $b_i·{\sum }_{i=1}^k{a}_i$, with the upper bound of coefficients being $kN$. Similarly, the ciphertext $C^{\prime }$ in the fifth step encrypts $\left({\sum }_{i=1}^k{a}_i\right)·\left({\sum }_{i=1}^k{b}_i\right)$, with the upper bound of plaintext coefficients being $k^{2}N$. The ciphertext $C^{″}$ encrypts $c_1=\left({\sum }_{i=1}^k{a}_i\right)·\left({\sum }_{i=1}^k{b}_i\right)-{\sum }_{i=2}^k{c}_i$, with the upper bound of its coefficients being $k^{2}N+k-1$. Therefore, to ensure correctness, it is required that $t>k^{2}N+k-1$.

6.1.2. Additive Secret Sharing over Polynomial Ring

In additive secret sharing, a secret dealer splits a secret into k secret shares and distributes them to k parties ${\mathcal{P}}_i(1\le i\le k)$. To reconstruct the secret, it is only necessary to simply sum the secret shares of each party. It should be noted that the secret cannot be reconstructed with fewer than k secret shares. The classic additive secret sharing is defined over the integer ring (field) [47], and we extend it to the polynomial ring $R_Q={\mathbb{Z}}_Q\left[X\right]/(X^N+1)$. Since the secret shares are elements over the polynomial ring, we add an automorphism algorithm. Therefore, additive secret sharing over polynomial rings has a total of 6 algorithms (all operations are implicitly performed over the polynomial ring $R_Q$), as follows.

• ASS.Split(s): Takes a secret $s\in R_Q$ belonging to ${\mathcal{P}}_i$ as input. For $1\le i\le k$, party ${\mathcal{P}}_i$ randomly selects $k-1$ elements ${\left[s\right]}_1,\dots ,{\left[s\right]}_{i-1},{\left[s\right]}_{i+1},\dots ,{\left[s\right]}_k$ in $R_Q$, computes ${\left[s\right]}_i=s-{\sum }_{j=1}^{i-1}{\left[s\right]}_j-{\sum }_{j=i+1}^k{\left[s\right]}_j$, and distributes the secret share ${\left[s\right]}_i$ of the secret s to party ${\mathcal{P}}_i$.
• ASS.Recover(${\left\{{\left[s\right]}_i\right\}}_{1\le i\le k}$): Each party ${\mathcal{P}}_i$ broadcasts the share ${\left[s\right]}_i$ of the secret s. After collection of ${\left\{{\left[s\right]}_j\right\}}_{1\le j\le k,j\ne i}$ sent by the other $k-1$ parties, computes $s={\sum }_{i=1}^k{\left[s\right]}_i$.
• ASS.Add(${\left\{{\left[x\right]}_i\right\}}_{1\le i\le k},{\left\{{\left[y\right]}_i\right\}}_{1\le i\le k}$): Takes the secret shares ${\left[x\right]}_i,{\left[y\right]}_i$ of secrets x and y as input. For $1\le i\le k$, party ${\mathcal{P}}_i$ locally computes ${\left[z\right]}_i={\left[x\right]}_i+{\left[y\right]}_i$ and outputs the secret shares ${\left\{{\left[z\right]}_i\right\}}_{1\le i\le k}$ of the secret $z=x+y$.
• ASS.ScalarMult($\alpha ,{\left\{{\left[x\right]}_i\right\}}_{1\le i\le k}$): Takes the secret shares ${\left[x\right]}_i$ of the secret x and a polynomial $\alpha \in R_Q$ as input. For $1\le i\le k$, party ${\mathcal{P}}_i$ locally computes ${\left[z\right]}_i=\alpha ·{\left[x\right]}_i$ and obtains the secret shares ${\left\{{\left[z\right]}_i\right\}}_{1\le i\le k}$ of the secret $z=\alpha ·x$.
• ASS.Mult(${\left\{{\left[x\right]}_i\right\}}_{1\le i\le k},{\left\{{\left[y\right]}_i\right\}}_{1\le i\le k},{\{{\left[a\right]}_i,{\left[b\right]}_i,{\left[c\right]}_i\}}_{1\le i\le k}$): Takes the secret shares ${\left[x\right]}_i$ and ${\left[y\right]}_i$ of secrets x and y and the secret shares ${\left[a\right]}_i$, ${\left[b\right]}_i$, and ${\left[c\right]}_i$ of the multiplication triple $(a,b,c=a·b)$ as input. Each party ${\mathcal{P}}_i$ locally computes ${\left[u\right]}_i={\left[x\right]}_i-{\left[a\right]}_i$, ${\left[v\right]}_i={\left[y\right]}_i-{\left[b\right]}_i$ and broadcasts them. After receiving the broadcasts from other parties, party ${\mathcal{P}}_i$ locally recovers the secrets $u={\sum }_{i=1}^k{\left[u\right]}_i$ and $v={\sum }_{i=1}^k{\left[v\right]}_i$. For ${\mathcal{P}}_1$, locally computes ${\left[z\right]}_1=u·v+{\left[c\right]}_1+v·{\left[a\right]}_1+u·{\left[b\right]}_1$; for other parties ${\mathcal{P}}_i(2\le i\le k)$, locally computes ${\left[z\right]}_i={\left[c\right]}_i+v·{\left[a\right]}_i+u·{\left[b\right]}_i$.
• ASS.Auto(${\left\{{\left[x\right]}_i\right\}}_{1\le i\le k},{\tau }_t$): Takes the secret shares ${\left[x\right]}_i$ of the secret x and an automorphism ${\tau }_t:X\to X^t$ as input. For $1\le i\le k$, party ${\mathcal{P}}_i$ locally computes ${\left[z\right]}_i={\tau }_t\left({\left[x\right]}_i\right)$ and obtains the secret shares ${\left\{{\left[z\right]}_i\right\}}_{1\le i\le k}$ of the secret $z={\tau }_t\left(x\right)$.

In the same computation task, the multiplication triple input to the ASS.Mult algorithm cannot be reused; otherwise, other parties can infer the corresponding secret. For brevity, the parameter passed to ASS.Mult in the following is a set of triple slices, and the used triple is discarded after each call to secret multiplication. Meanwhile, if the number of parties k is already clear in the following, we use $\left[x\right]$ instead of ${\left\{{\left[x\right]}_i\right\}}_{1\le i\le k}$ to denote the secret shares of the secret x.

6.1.3. Party Enroll

This section presents the Enroll algorithm, which computes the reusable parameters repeatedly utilized in the scheme proposed in this paper via the additive secret sharing technique.

• Enroll(${\{{\mathit{s}}_j,f_j\}}_{j\in \mathcal{G}}$): Takes the LWE secret key ${\mathit{s}}_j$ and its corresponding NTRU key $f_j$ of each party ${\mathcal{P}}_j$ in a group $\mathcal{G}$ as input and outputs $SF,SIF,SSK,SNSSK$, which respectively denote the secret share of the joint NTRU key F, the secret share of $F^{-1}$(multiplicative inverse of F), the secret share of the secret key, and the secret share of the negative sum secret keys. The algorithm is presented in Algorithm 3.

Algorithm 3  $\mathrm{Enroll}({\{{\mathit{s}}_j,f_j\}}_{j\in \mathcal{G}},Triples)$

Require:  LWE secret key ${\mathit{s}}_j$ of all parties ${\mathcal{P}}_j$ in the group $\mathcal{G}$  NTRU key $f_j$ of all parties ${\mathcal{P}}_j$ in the group $\mathcal{G}$  Set of multiplication triples $Triples$ Ensure: Secret shares $\left[F\right],\left[{\displaystyle \frac{1}{F}}\right],{\left\{\left[X^{{\sum }_{j\in \mathcal{G}}{s}_{j,l}}\right]\right\}}_{1\le l\le n},\left[X^{-{\sum }_{j\in \mathcal{G}}{\sum }_{l=1}^n{s}_{j,l}}\right]$   1: For $j\in \mathcal{G},1\le l\le n$, each party ${\mathcal{P}}_j$ computes $s{f}_j$=ASS.Split($f_j$), $si{f}_j$=ASS.Split(${\displaystyle \frac{1}{f_j}}$), $ss{k}_{j,l}$= ASS.Split($X^{s_{j,l}}$), and $sns{k}_{j,l}$=ASS.Split($X^{-s_{j,l}}$) and broadcasts the corresponding secret shares to other parties in the network.   2: For $1\le l\le n$, ${\mathcal{P}}_1$ computes $SF$=ASS.Split(1), $SIF$=ASS.Split(1), $SSK$=ASS.Split(1), $SNSSK$=ASS.Split(1), and $sas{k}_l$= ASS.Split(1).   3: for j in $\mathcal{G}$ do   4:      $SF$=ASS.Mult($SF,s{f}_j,Triples$)                                                           ▹ corresponding to $\left[F\right]$   5:   $SIF$=ASS.Mult($SIF,si{f}_j,Triples$)                                                       ▹ corresponding to $\left[{\displaystyle \frac{1}{F}}\right]$   6:      for $l=1$ to n do   7:     $sas{k}_l$=ASS.Mult($sas{k}_l,ss{k}_{j,l},Triples)$                    ▹ corresponding to ${\left\{\left[X^{{\sum }_{j\in \mathcal{G}}{s}_{j,l}}\right]\right\}}_{1\le l\le n}$   8:     $SNSSK$=ASS.Mult($SNSSK,sns{k}_{j,l},Triples$)               ▹ corresponding to $\left[X^{-{\sum }_{j\in \mathcal{G}}{\sum }_{l=1}^n{s}_{j,l}}\right]$   9:      end for 10: end for 11: $SSK={\left\{sas{k}_l\right\}}_{1\le l\le n}$ 12: return $SF,SIF,SSK,SNSSK$

Lines 1 and 2 of the algorithm can be merged, and Lines 3 to 10 can be finished in one round of communication. Thus, the Enroll algorithm only requires $\mathbf{2}$ rounds of communication. The secret shares $SF$, $SIF$,$SSK$, $SNSSK$ are key information for generating the evaluation key $EVK$ in the XZD scheme. After obtaining the share sets of these four components, we can easily generate the joint bootstrapping key(multi-group version of $EVK$) in the multi-group scenario using additive secret sharing.

6.1.4. Multi-Group Hybrid Product

The hybrid product algorithm was proposed by Chen et al. [17] in the MK-TFHE scheme in 2019 to support the product between multi-key RLWE ciphertexts and single-key Uni-Enc ciphertexts for constructing CMux gates in the multi-key scenario. Subsequently, Kwak [30] generalized it to support the multiplication of single-key RLEV ciphertexts and multi-key RLWE ciphertexts, thereby realizing the parallelization of blind rotation. In our parallelized bootstrapping scheme, since the intermediate ciphertext of bootstrapping is a single-group NTRU ciphertext rather than a single-key RLEV ciphertext, we propose a multi-group hybrid product algorithm to support the parallelization of bootstrapping, which includes the hybrid product key generation(MGHPKeyGen), as well as the hybrid product(MGHybridProd) that takes scalar NTRU ciphertexts and multiple sets of ciphertexts as inputs.

• MGHPKeyGen(${\left\{z_j\right\}}_{j\in \mathcal{G}},\left[F\right]$): Takes the RLWE secret key $z_j$ of the j-th party ${\mathcal{P}}_j$ in group G and the secret share $\left[F\right]$ of the joint NTRU key F as input and randomly selects a common reference polynomial vector $\mathit{p}\in R^{d_{br}}$; each party selects a secret polynomial $r_j\leftarrow {\chi }_{nk}$ from the noise distribution over the ring R and noise polynomial vectors ${\mathit{e}}_j^{\left(0\right)},{\mathit{e}}_j^{\left(1\right)},{\mathit{e}}_j^{\left(2\right)}\leftarrow {\chi }_{ne}^{d_{br}}$. Denote $B_{br}$ and $d_{br}$ as the decomposition base and decomposition degree of the ciphertext modulus Q, respectively, and ${\mathbf{g}}_{B_{br}}$ as the corresponding decomposition vector. For ${\mathcal{P}}_j$$\in \mathcal{G}$,compute

  $${\mathit{H}}_j=-\mathit{p}·z_j+{\mathit{e}}_j^{\left(0\right)},\tilde{\mathit{H}}=\sum _{j\in \mathcal{G}}{\mathit{H}}_j\in R_Q^{d_{br}},$$

  (12)

  $${\mathit{I}}_{j,0}\leftarrow {\chi }_{ne}^{d_{br}},{\tilde{\mathit{I}}}_0=\sum _{j\in \mathcal{G}}{\mathit{I}}_{j,0}\in R_Q^{d_{br}},$$

  (13)

  $${\mathit{I}}_{j,1}=\mathit{p}·r_j+{\left[F\right]}_j·{\mathbf{g}}_{B_{br}}+{\mathit{e}}_j^{\left(1\right)}, {\tilde{\mathit{I}}}_1=\sum _{j\in \mathcal{G}}{\mathit{I}}_{j,1}\in R_Q^{d_{br}},$$

  (14)

  $${\mathit{I}}_{j,2}=-{\tilde{\mathit{I}}}_0·z_j+r_j·{\mathbf{g}}_{B_{br}}+{\mathit{e}}_j^{\left(2\right)},{\tilde{\mathit{I}}}_2=\sum _{j\in \mathcal{G}}{\mathit{I}}_{j,2}\in R_Q^{d_{br}},$$

  (15)
  Then output $\tilde{\mathit{H}},HPK={\tilde{\mathit{I}}}_0,{\tilde{\mathit{I}}}_1,{\tilde{\mathit{I}}}_2$.
• MGHybridProd(${\left\{{\tilde{\mathit{H}}}_l\right\}}_{1\le l\le k},HP{K}_i,ct,{\tilde{\mathit{c}}}_i$): Takes the MGRLWE public keys ${\left\{{\tilde{\mathit{H}}}_l\right\}}_{1\le l\le k}$, the $HP{K}_i$ output by the i-th group after executing MGHPKeyGen, the multi-group RLWE ciphertext $ct=(c_0,\dots ,c_k)\in R_Q^{k+1}$ encrypting the plaintext m, and the vector NTRU ciphertext ${\tilde{\mathit{c}}}_i=NTR{U}_{Q,F_i,B_{br}}^{\prime }({\displaystyle \frac{m}{F_i}})$ encrypting the plaintext $\mu$ as input. For $0\le l\le k$, lets ${\tilde{\mathit{H}}}_0=-\mathit{p}$, where $\mathit{p}$ is the polynomial vector shared by multiple groups in MGHPKeyGen, computes

  $$y_l=c_l⊡{\tilde{\mathit{c}}}_i, u_l=y_l⊡{\tilde{\mathit{I}}}_{i,1}, v=\sum _{l=0}^k{y}_l⊡{\tilde{\mathit{H}}}_l$$

  (16)

  and then updates

  $$c_l^{\prime }=\left\{\begin{array}{c}\hfill u_0+v⊡{\tilde{\mathit{I}}}_{i,2}, l=0\\ \hfill u_l+v⊡{\tilde{\mathit{I}}}_{i,0}, l=i\\ \hfill u_l,\hspace{1em} otherwise \end{array}\right.$$

  (17)
  Outputs the multi-group RLWE ciphertext $c{t}^{\prime }=(c_0^{\prime },\dots ,c_k^{\prime })\in R_Q^{k+1}$ encrypting the plaintext $\mu ·m$.

6.1.5. Joint Blind Rotation Key Generation

The JBRKGen algorithm generates multi-group version of the $EVK$ in the XZD scheme via additive secret sharing; specifically, it implements the encryption algorithm in the FINAL scheme using various algorithms under the framework of additive secret sharing and completes the encryption of the relevant keys in accordance with the flow of BRKGen algorithm in the XZD scheme.

• JBRKGen($SF,SIF,SSK,SNSSK,Triples$): Takes $SF$, $SIF$, $SSK$, and $SNSSK$ output by the Enroll algorithm and a set of multiplication triples $Triples$ as input and outputs the joint bootstrapping key $JEVK$. The details are as shown in Algorithm 4.

Algorithm 4 JBRKGen($SF,SIF,SSK,SNSSK,Triples$)

Require:  Secret shares $SF,SIF,SNSK,SSSK$  Set of multiplication triples $Triples$ Ensure: Joint bootstrapping key ${JEVK=\left(\right\{jevk}_l{\}}_{1\le l\le n+1},{\left\{jnks{k}_r\right\}}_{r\in S})$   1: For $j\in \mathcal{G},u\in S,1\le l\le n+1,0\le r\le d_{br}-1$, each party ${\mathcal{P}}_j$ randomly selects noise $e_{j,l,r}\leftarrow {\chi }_{ne}$ and $e_{j,u,r}^{\prime }\leftarrow {\chi }_{ne}$ and computes $\left[e_{j,l,r}\right]$= ASS.Split($e_{j,l,r})$, $\left[e_{j,u,r}\right]$= ASS.Split($e_{j,u,r}$), ${\mathcal{P}}_1$ computes $\left[E_{l,r}\right]$=ASS.Split(0), and $\left[E_{u,r}\right]$=ASS.Split(0), and broadcasts the corresponding secret shares to other parties in the network.   2: for j in $\mathcal{G}$ do   3:      for $r=0$ to $d_{br}-1$ do   4:           for $l=1$ to $n+1$ do   5:         $\left[E_{l,r}\right]$ = ASS.Add($\left[E_{l,r}\right],\left[e_{j,l,r}\right]$)   6:           end for   7:           for u in S do   8:               $\left[E_{u,r}^{\prime }\right]$ = ASS.Add($\left[E_{u,r}^{\prime }\right],\left[e_{j,u,r}^{\prime }\right]$)   9:           end for 10:      end for 11: end for 12: for $l=1$ to $n+1$ do 13:      for $r=0$ to $d_{br}-1$ do 14:           if $l==1$ then 15:               $\left[jev{k}_{l,r}\right]=\mathrm{ASS}.\mathrm{Mult}(SIF,\mathrm{ASS}.\mathrm{Add}(\left[E_{l,r}\right],\mathrm{ASS}.\mathrm{ScalarMult}(B_{br}^r,sas{k}_1)),Triples)$ 16:           else if $l==n+1$ then 17:               $\left[jev{k}_{l,r}\right]=\mathrm{ASS}.\mathrm{Add}(\mathrm{ASS}.\mathrm{ScalarMult}(B_{br}^r,SNSSK),\mathrm{ASS}.\mathrm{Mult}(SIF,\left[E_{l,r}\right],Triples))$ 18:           else 19:               $\left[jev{k}_{l,r}\right]=\mathrm{ASS}.\mathrm{Add}(\mathrm{ASS}.\mathrm{ScalarMult}(B_{br}^r,sas{k}_l),\mathrm{ASS}.\mathrm{Mult}(SIF,\left[E_{l,r}\right],Triples))$ 20:           end if 21:      end for 22: end for 23: for u in S do 24:      for $r=0$ to $d_{br}-1$ do 25:           $\left[jnks{k}_{u,r}\right]=\mathrm{ASS}.\mathrm{Mult}(SIF,\mathrm{ASS}.\mathrm{Add}(\left[E_{u,r}^{\prime }\right],\mathrm{ASS}.\mathrm{ScalarMult}(B_{br}^r,\mathrm{ASS}.\mathrm{Auto}(SF,{\tau }_u))),Triples)$ 26:      end for 27: end for 28: for $l=1$ to $n+1$ do 29:      $jev{k}_l=(\mathrm{ASS}.\mathrm{Recover}\left(\left[jev{k}_{l,0}\right]\right),...,\mathrm{ASS}.\mathrm{Recover}\left(\left[jev{k}_{l,d_{br}-1}\right]\right))$ 30: end for 31: for u in S do 32:      $jnks{k}_u=(\mathrm{ASS}.\mathrm{Recover}\left(\left[jnks{k}_{u,0}\right]\right),...,\mathrm{ASS}.\mathrm{Recover}\left(\left[jnks{k}_{u,d_{br}-1}\right]\right))$ 33: end for 34: $JEVK=({\left\{jev{k}_l\right\}}_{1\le l\le n+1},{\left\{jnks{k}_u\right\}}_{u\in S})$. 35: return $JEVK$

The broadcast in Line 1 of the algorithm requires one round of communication. The intermediate values computed via secret multiplication in Lines 12–27 are mutually independent, thus requiring only one round of communication. The secret reconstruction in Lines 28–33 also needs one round of communication. Therefore, the algorithm requires $\mathbf{3}$ rounds of communication in total.

6.1.6. LWE Key Switching

LWE key switching is used to switch the secret key of an MGLWE ciphertext to another one. For completeness, we present the generation of the LWE key switching key and the corresponding switching algorithm. Note that only the generation of the LWE key switching key takes place in the offline phase, whereas the key switch procedure is invoked in the online phase.

• LKSKeyGen(${\mathit{z}}_j,{\mathit{s}}_j$): Takes the LWE secret keys ${\mathit{z}}_j=\left(z_{j,1},\dots ,z_{j,N}\right)\in {\mathbb{Z}}^N$ and ${\mathit{s}}_j=\left(s_{j,1},\dots ,s_{j,n}\right)\in {\mathbb{Z}}^n$ of party ${\mathcal{P}}_j$ in the group $\mathcal{G}$ as input, randomly selects a matrix $A_l\in {\mathbb{Z}}_{q_{ks}}^{d_{ks}\times n}$ within the group, randomly samples the noise ${\mathit{e}}_{j,l}\leftarrow {\chi }_{le}^{d_{ks}}$ for $1\le l\le N$, computes ${\mathit{b}}_{j,l}=-A_l·{\mathit{s}}_j+{\mathit{e}}_{j,l}+z_{j,l}·{\mathbf{g}}_{B_{ks}}$, denotes ${\tilde{\mathit{b}}}_l={\sum }_{j\in \mathcal{G}}{\mathit{b}}_{j,l}\in {\mathbb{Z}}_{q_{ks}}^{d_{ks}}$, and outputs $LKSK={\left\{\left({\tilde{\mathit{b}}}_l,A_l\right)\right\}}_{1\le l\le N}$.
• LKeySwitch($\mathit{c},{\left\{LKS{K}_i\right\}}_{1\le i\le k}$): Takes the MGLWE ciphertext $\mathit{c}=\left(c_0,{\mathit{c}}_1,\dots ,{\mathit{c}}_k\right)\in {\mathbb{Z}}^{kN+1}$ as well as the key switching key $LKS{K}_i={\left\{\left({\tilde{\mathit{b}}}_{i,l},A_{i,l}\right)\right\}}_{1\le l\le N}$ for the i-th group as input, denotes ${\mathit{c}}_i=\left(c_{i,1},\dots ,c_{i,N}\right)$ for $1\le i\le k,1\le l\le N$, computes $c_0^{\prime }=c_0+{\sum }_{i=1}^k{\sum }_{l=1}^N{\left({\mathfrak{g}}_{B_{ks}}^{-1}\left(c_{i,l}\right)\right)}^T·{\tilde{\mathit{b}}}_{i,l}\in {\mathbb{Z}}_{q_{ks}}$, ${\mathit{c}}_i^{\prime }={\sum }_{l=1}^N{\left({\mathfrak{g}}_{B_{ks}}^{-1}\left(c_{i,l}\right)\right)}^T·A_{i,l}\in {\mathbb{Z}}_{q_{ks}}^n$, and outputs ${\tilde{c}}^{\prime }=\left(c_0^{\prime },{\mathit{c}}_1^{\prime },\dots ,{\mathit{c}}_k^{\prime }\right)\in {\mathbb{Z}}_{q_{ks}}^{kn+1}$.

Since the generation of the LWE key switching key only requires each party to broadcast, accumulate, and aggregate its locally generated share, it incurs merely one round of communication. Furthermore, this communication round can be merged into the communication of JBRKGen, thereby eliminating this extra round.

6.2. Online Phase

The online phase of bootstrapping refers to the process where the server performs homomorphic computation on ciphertexts with high noise levels using the bootstrapping key to reduce the noise level of the ciphertexts. For the online phase, we design a parallelizable bootstrapping algorithm named BootMGCT, which is composed of the BREval and MGHybridProd algorithms mentioned above, as well as all core sub-algorithms introduced in Section 6.2.1.

6.2.1. Core Algorithms for Bootstrapping

This subsection introduces other core algorithms for multi-group ciphertext bootstrapping, including the sample extraction algorithm SampleExt for extracting multi-group LWE ciphertexts from multi-group RLWE ciphertexts and the ModSwitch algorithm for switching the modulus of multi-group LWE ciphertexts.

• SampleExt($\mathit{c}$): Takes the MGRLWE ciphertext $\mathit{c}=(c_0,...,c_k)\in R_Q^{k+1}$ as input, denotes $c_{i,j}$ as the j-th coefficient of the polynomial $c_i$, sets $c_0^{\prime }=c_{0,0}$ and ${\mathit{c}}_i^{\prime }=(c_{i,0},-c_{i,N-1},...,-c_{i,1})$ for $1\le i\le k$, and outputs $\tilde{\mathit{c}}=(c_0^{\prime },{\mathit{c}}_1^{\prime },...,{\mathit{c}}_k^{\prime })\in {\mathbb{Z}}_Q^{kn+1}$.
• ModSwitch($\tilde{\mathit{c}},Q,q$): Takes the MGLWE ciphertext $\tilde{\mathit{c}}=\left(c_0,{\mathit{c}}_1,\dots ,{\mathit{c}}_k\right)$, the original modulus Q and the new modulus q as input, computes $c_0^{\prime }=⌊{\displaystyle \frac{q}{Q}}·c_0⌉$ and ${\mathit{c}}_i^{\prime }=⌊{\displaystyle \frac{q}{Q}}·{\mathit{c}}_i⌉$ for $1\le i\le k$, and outputs the new ciphertext ${\tilde{c}}^{\prime }=\left(c_0^{\prime },{\mathit{c}}_1^{\prime },\dots ,{\mathit{c}}_k^{\prime }\right)$.

6.2.2. Parallelizable Multi-Group Ciphertext Bootstrapping Algorithm

In this subsection, we formally describe the multi-group LWE ciphertext bootstrapping algorithm based on LWE and NTRU proposed in this paper. The algorithm takes a multi-group LWE ciphertext to be bootstrapped and some precomputed bootstrapping materials as inputs and outputs a multi-group LWE ciphertext with a lower noise that encrypts the same plaintext.

In the proposed multi-group homomorphic encryption scheme, bootstrapping involves three types of keys: LWE secret keys, RLWE secret keys, and NTRU keys. For $1\le i\le k$ and $j\in {\mathcal{G}}_i$, let ${\mathit{s}}_{i,j}\leftarrow {\chi }_{lk}^n$ and $z_{i,j},f_{i,j}\leftarrow {\chi }_{nk}$ denote the LWE secret key, RLWE secret key, and NTRU key of ${\mathcal{P}}_{i,j}$, respectively. Let Q, $q_{ks}$, and q denote the ciphertext modulus of NTRU/MGRLWE, the LWE key switching modulus, and the LWE bootstrapping modulus, respectively, with $d_{br}=\lceil {log}_{B_{br}}Q\rceil$. We define the following precomputed materials.

1.

Set of multiplication triples: $Triples\leftarrow$ TripleGen.

2.

Secret shares generated by Enroll algorithm of parties ${\mathcal{P}}_{i,j}$ in group ${\mathcal{G}}_i$:

$S{F}_i,SI{F}_i,SS{K}_i,SNSS{K}_i\leftarrow$ Enroll.

3.

Joint bootstrapping key of group ${\mathcal{G}}_i$: $JEV{K}_i\leftarrow$ JBRKGen.

4.

Multi-group hybrid product key of group ${\mathcal{G}}_i$: ${\tilde{\mathit{H}}}_i,HP{K}_i\leftarrow$ MGHPKeyGen.

5.

LWE key switching key of group ${\mathcal{G}}_i$: $LKS{K}_i\leftarrow$ LKSKeyGen.

We define the multi-group ciphertext bootstrapping algorithm BootMGCT in Algorithm 5.

Algorithm 5  $\mathrm{BootMGCT}(\mathit{c},r\left(X\right),{\left\{JEV{K}_i\right\}}_{1\le i\le k},{\left\{HP{K}_i\right\}}_{1\le i\le k},{\left\{LKS{K}_i\right\}}_{1\le i\le k})$

Require:  Noisy MGLWE ciphertext $\mathit{c}=(b,{\mathit{a}}_1,...,{\mathit{a}}_k)\in {\mathbb{Z}}_q^{kn+1}$.  Rotation polynomial $r\left(X\right)$.  Joint blind rotation keys ${\left\{JEV{K}_i\right\}}_{1\le i\le k}$.  Hybrid product key ${\left\{HP{K}_i\right\}}_{1\le i\le k}$.  LWE key switching key ${\left\{LKS{K}_i\right\}}_{1\le i\le k}$. Ensure:  Refreshed MGLWE ciphertext ${\mathit{c}}^{\prime }=(b^{\prime },{\mathit{a}}_1^{\prime },\dots ,{\mathit{a}}_k^{\prime })\in {\mathbb{Z}}_q^{kn+1}$   1: $ACC\leftarrow (\lfloor {\displaystyle \frac{Q}{8}}\rceil ·r(X^{{\displaystyle \frac{2N}{q}}})·X^{{\displaystyle \frac{2N}{q}}·b},0,\dots ,0)\in R_Q^{k+1}$.   2: for $i=1$ to k do   3:      for $r=0$ to $d_{br}-1$ do   4:          $AC{C}_{i,r}\leftarrow \mathrm{BREval}((0,{\mathit{a}}_i),1,JEV{K}_i,B_{br}^r)$   5:      end for   6: end for   7: Parse $AC{C}_i^{\prime }=(AC{C}_{i,0},\dots ,AC{C}_{i,d_{br}-1})$.   8: for $i=1$ to k do   9:   $ACC\leftarrow \mathrm{MGHybridProd}({\left\{{\tilde{\mathit{H}}}_l\right\}}_{0\le l\le k},{HPK}_i,ACC,{ACC}_i^{\prime }).$ 10: end for 11: $ACC\leftarrow \mathrm{SampleExt}$($ACC$) 12: $ACC\leftarrow ACC+({\displaystyle \frac{Q}{8}},\mathbf{0},\dots ,\mathbf{0})$ 13: $ACC\leftarrow \mathrm{ModSwitch}$($ACC,Q,q_{ks}$) 14: $ACC\leftarrow \mathrm{LKeySwitch}(ACC,{\left\{{LKSK}_i\right\}}_{1\le i\le k})$ 15: $ACC\leftarrow \mathrm{ModSwitch}(ACC,q_{ks},q)$ 16: return $ACC$

The core and most time-consuming operation of the BootMGCT algorithm is BREval, i.e., the XZD blind rotation algorithm. While BREval invokes at most $(2n+1)d_{br}$ polynomial multiplications, and a single execution of MGHybirdProd requires $(3k+5)d_{br}$ polynomial multiplications, it follows that the BootMGCT algorithm requires a total of $k(2n+1)d_{br}^2+k(3k+5)d_{br}$ polynomial multiplications. Through group-wise partitioning of the MGLWE ciphertext (splitting the original ciphertext into multiple ${\mathit{a}}_i$), we remove the input dependency on ${\mathit{a}}_i$, thus enabling the $k{d}_{br}$ invocations of BREval to be executed independently and in parallel across multiple CPU cores. In contrast, this step can only be performed serially on a single CPU core. This distinction in execution modes corresponds to the serialized and parallelized bootstrapping approaches described the experimental section below.

Theorem 1. 

Correctness of algorithm BootMGCT.

Given a noisy MGLWE ciphertext and a rotation polynomial $r\left(X\right)$, along with the joint blind rotation keys (JEVKs), hybrid product keys (HPKs), and LWE key switching keys (LKSKs) of each group, the algorithm BootMGCT outputs an refreshed MGLWE ciphertext encrypted under the original public key, which encrypts the same plaintext as the input noisy MGLWE ciphertext.

Proof. 

We prove the theorem by analyzing the execution process of each step in the algorithm, verifying that the output MGLWE ciphertext maintains the consistency of the encrypted plaintext while reducing noise and is encrypted under the original public key.

Line 1 of the algorithm stores $\lfloor {\displaystyle \frac{Q}{8}}\rceil ·r(X^{{\displaystyle \frac{2N}{q}}})·X^{{\displaystyle \frac{2N}{q}}·b}$ into the accumulator ACC. Lines 2 to 6 split the MGLWE ciphertext on a group-wise basis and input it into the BREval algorithm to obtain the partial bootstrapping result (${\mathrm{NTRU}}_{Q,F_i,B_{br}}^{\prime }({\displaystyle \frac{X^{{\sum }_{j\in {\mathcal{G}}_i}\langle {\mathit{a}}_i,{\mathit{s}}_{i,j}\rangle }}{F_i}})$). These two values are taken as inputs to perform k rounds of iteration (MGHybridProd), outputting the multi-group RLWE (MGRLWE) ciphertext encrypted under the joint RLWE public key of each group. Specifically, the ciphertext encrypts the value of the expression $L\left(X\right)=\lfloor {\displaystyle \frac{Q}{8}}\rceil ·r(X^{{\displaystyle \frac{2N}{q}}})·X^{{\displaystyle \frac{2N}{q}}(b+{\sum }_{i=1}^k{\sum }_{j\in {\mathcal{G}}_i}\langle {\mathit{a}}_i,{\mathit{s}}_{i,j}\rangle )}$, which corresponds to the blind rotation formula given in Equation (8).

Since the leading coefficient of $L\left(X\right)$ is the plaintext to be extracted, we employ the SampleExt algorithm in Line 11 to extract the MGLWE ciphertext encrypting the leading coefficient of $L\left(X\right)$ from the MGRLWE ciphertext output above. As this coefficient is either $-1$ or 1, Step 12 accumulates $({\displaystyle \frac{Q}{8}},\mathbf{0},\dots ,\mathbf{0})$ into ACC, mapping its value to either 0 or 1.

Lines 13–15 perform the key switching of the MGLWE ciphertext to the key of the noisy ciphertext input by the BootMGCT algorithm, and the ACC stores a low-noise MGLWE ciphertext with ${\displaystyle \frac{q}{4}}$ as the scaling factor at the conclusion of the algorithm.

Therefore, the algorithm outputs an MGLWE ciphertext encrypted under the original public key, which encrypts the same plaintext as the input noisy MGLWE ciphertext. The theorem is thus proved. □

7. Noise Analysis

This section analyzes the noise generated by the proposed bootstrapping algorithm. For an input multi-group LWE ciphertext $\mathit{c}$, the noise of the output ciphertext ${\mathit{c}}^{\prime }$ originates from BREval, MGHybridProd, ModSwitch, and LKeySwitch. We analyze the noise output by each of these algorithms separately and finally derive the total noise output by the bootstrapping algorithm.

The LWE scheme has parameters $q^{\prime }$, q, $q_{ks}$, $B_{ks}$, $d_{ks}$, and n, which correspond to the LWE ciphertext modulus of MGHE.Enc, the LWE ciphertext modulus for bootstrapping, the ciphertext modulus for key switching, the gadget decomposition base, the gadget decomposition degree, and the LWE dimension, respectively. The RLWE/NTRU scheme has parameters Q, $B_{br}$, and $d_{br}$, N, which correspond to the RLWE/NTRU ciphertext modulus, the corresponding gadget decomposition base, the gadget decomposition degree, and the degree of the polynomial in the RLWE/NTRU ciphertext, respectively. Two bootstrapping schemes are involved in the bootstrapping process: LWE and RLWE/NTRU, with noise distributions ${\chi }_{le}$ and ${\chi }_{ne}$ (corresponding variances ${\sigma }_{le}^2$ and ${\sigma }_{ne}^2$) and key distributions ${\chi }_{lk}$ and ${\chi }_{nk}$ (corresponding variances ${\sigma }_{lk}^2$ and ${\sigma }_{nk}^2$). For the convenience of analysis, we assume that there are k groups participating in the computation, and each group has K parties.

Lemma 3. 

Noise variance of BREval [19].

Let ${\sigma }_{brk}^2$ denote the noise variance of the input $jevk$ and $jnksk$. For the ciphertext c output by the BREval algorithm, the noise variance of c satisfies

$$Var\left(err\left(c\right)\right)\le \left(2n+1\right)·N{d}_{br}{\displaystyle \frac{B_{br}^2}{12}}·{\sigma }_{ne}^2.$$

(18)

Proof. 

The BREval algorithm performs at most $2n+1$ external products between scalar NTRU ciphertexts and vector NTRU ciphertexts. The rotation polynomial can be regarded as a vector NTRU ciphertext with zero noise. Hence, we complete the proof via Lemma 1. □

Lemma 4. 

Noise variance of MGHybridProd.

Given a multi-group RLWE ciphertext c with noise variance $Var\left(err\right(c\left)\right)$, the noise $err\left(c^{\prime }\right)$ of the ciphertext $c^{\prime }$ output by the MGHybridProd algorithm satisfies

$$\begin{array}{cc}\hfill Var\left(err\left(c^{\prime }\right)\right) & =Var\left(err\left(c\right)\right)+{\displaystyle \frac{Kk{d}_{br}{N}^2{B}_{br}^2{\sigma }_{ne}^{2}Var\left(err\left({\tilde{\mathit{c}}}_i\right)\right)}{12}}\hfill \\ \hfill & +{\displaystyle \frac{K^{2}k{d}_{br}{B}_{br}^2{\sigma }_{nk}^2{\sigma }_{ne}^2}{6}}\hfill \\ \hfill & +{\displaystyle \frac{(2k{\sigma }_{ne}^2+Var\left(err\left({\tilde{\mathit{c}}}_i\right)\right))d_{br}{B}_{br}^2}{12}}.\hfill \end{array}$$

(19)

Proof. 

Assume that the noise variance of the multi-group RLWE ciphertext c encrypting the plaintext m before MGHybridProd is $Var\left(err\right(c\left)\right)$ and that the noise variance of the ciphertext $c^{\prime }$ encrypting the plaintext $\mu m$ after MGHybridProd is $Var\left(err\left(c^{\prime }\right)\right)$. Let Z denote the group joint RLWE secret key, and R and E denote the sums of r and e defined in the algorithm, respectively. According to the MGHybridProd algorithm, the noise $err\left(c^{\prime }\right)$ of the new ciphertext satisfies

$$\begin{array}{cc}\hfill err\left(c^{\prime }\right) & =\left(\sum _{l=0}^k{c}_l^{\prime }·Z_l\right)-{\displaystyle \frac{Q}{4}}\mu m\hfill \\ \hfill & =\mu ·err\left(c\right)+\left(\sum _{l=0}^k{Z}_l·err\left(y_l\right)\right)+R_i\left(\sum _{l=1}^k{y}_l⊡{\mathit{E}}_l^{\left(0\right)}\right)\hfill \\ \hfill & +\left(\sum _{l=0}^k{y}_l⊡{\mathit{E}}_i^{\left(0\right)}·Z_l\right)+\left(v⊡{\mathit{E}}_i^{\left(2\right)}\right).\hfill \end{array}$$

(20)

Given that $\mu$ is a monomial with an absolute coefficient value of 1, the variance of the first term is $Var\left(err\left(c\right)\right)$. Since $err\left(y_l\right)=err\left(c_l⊡{\tilde{\mathit{c}}}_i\right)$, it follows from Lemma 1 that $err\left(y_l\right)=d_{br}N{\displaystyle \frac{B_{br}^2}{12}}·err\left({\tilde{\mathit{c}}}_i\right)$. As $Z_0=1$ and $Z_l$ are the sum of the RLWE secret keys held by K parties, we can derive that $Var\left(Z_l\right)=K{\sigma }_{nk}^2$. Accordingly, the variance corresponding to the second term in the noise expression is $\left(1+Kk{\sigma }_{nk}^{2}N\right)d_{br}N{\displaystyle \frac{B_{br}^2}{12}}Var\left(err\left({\tilde{\mathit{c}}}_i\right)\right)$. On the other hand, $R_i$ and ${\mathit{E}}_l^{\left(0\right)}$ are both accumulations of random variables independently selected by K parties, which means their variances are $K{\sigma }_{nk}^2$ and $K{\sigma }_{ne}^2$, respectively. Based on this, the variance of the third term in the expression can be expressed as $Kk{\sigma }_{nk}^2{d}_{br}N{\displaystyle \frac{B_{br}^2}{12}}·\left(K{\sigma }_{ne}^2\right)$. Similarly, the variance of the fourth term is given by ${\displaystyle \frac{d_{br}N\left(K{\sigma }_{ne}^2\right)B_{br}^2}{12}}+{\displaystyle \frac{Kk{\sigma }_{nk}^2{d}_{br}N\left(K{\sigma }_{ne}^2\right)B_{br}^2}{12}}$, and the variance of the last term is ${\displaystyle \frac{d_{br}N·\left(K{\sigma }_{ne}^2\right)B_{br}^2}{12}}$. By integrating and rearranging all the aforementioned variance terms, the lemma is thus proved. □

Lemma 5. 

Noise variance of ModSwitch.

Given positive integers Q, q, a multi-group LWE ciphertext $\mathit{c}=({\mathit{c}}_0,{\mathit{c}}_1,\dots ,{\mathit{c}}_k)$ with noise variance $Var\left(err\right(\mathit{c}\left)\right)$ and the corresponding joint LWE secret key $\mathit{s}$, a new ciphertext ${\mathit{c}}^{\prime }$ is obtained after modulus switching. The noise $err\left({\mathit{c}}^{\prime }\right)$ of the new ciphertext satisfies

$$Var\left(err\left({\mathit{c}}^{\prime }\right)\right)={\displaystyle \frac{q^2}{Q^2}}·Var\left(err\left(\mathit{c}\right)\right)+{\displaystyle \frac{1+Kkn·{\sigma }_{lk}^2}{12}}.$$

(21)

Proof. 

Consider an original ciphertext $\mathit{c}=(b,{\mathit{a}}_1,\dots ,{\mathit{a}}_k)$ with modulus q, LWE dimension n, and secret keys ${\mathit{s}}_{i,j}$ of each party in each group, which needs to be switched to modulus Q. After modulus switching, $c^{\prime }=(b^{\prime },{\mathit{a}}_1^{\prime },\dots ,{\mathit{a}}_k^{\prime })$, where $b^{\prime }=⌊{\displaystyle \frac{q}{Q}}·b⌉={\displaystyle \frac{q}{Q}}·b+ϵ,{\mathit{a}}_i^{\prime }=\left(⌊{\displaystyle \frac{q}{Q}}·a_{i,1}⌉,\dots ,⌊{\displaystyle \frac{q}{Q}}·a_{i,n}⌉\right)=\left({\displaystyle \frac{q}{Q}}·a_{i,1}+ϵ,\dots ,{\displaystyle \frac{q}{Q}}·a_{i,n}+ϵ\right)$. Here, $ϵ$ denotes the rounding error, which follows a uniform distribution over $\left(-{\displaystyle \frac{1}{2}},{\displaystyle \frac{1}{2}}\right)$. The noise satisfies $e^{\prime }=b^{\prime }-{\sum }_{i=1}^k{\sum }_{j=1}^K〈{\mathit{a}}_i^{\prime },{\mathit{s}}_{i,j}〉 -{\displaystyle \frac{q}{4}}m={\displaystyle \frac{q}{Q}}e+ϵ-{\sum }_{i=1}^k{\sum }_{j=1}^K〈ϵ,{\mathit{s}}_{i,j}〉$, thus $Var\left(err\left({\mathit{c}}^{\prime }\right)\right)={\displaystyle \frac{q^2}{Q^2}}err\left(\mathit{c}\right)+{\displaystyle \frac{1+Kkn·{\sigma }_{lk}^2}{12}}$. □

Lemma 6. 

Noise variance of LKeySwitch.

Given a multi-group LWE ciphertext $\mathit{c}=(b,{\mathit{a}}_1,\dots ,{\mathit{a}}_k)$ with LWE dimension N encrypted under k joint RLWE secret key coefficient vectors ${\mathit{z}}_i,(1\le i\le k)$, the LWE key switching algorithm outputs a multi-group LWE ciphertext ${\mathit{c}}^{\prime }=(b^{\prime },{\mathit{a}}_1^{\prime },\dots ,{\mathit{a}}_k^{\prime })$ with LWE dimension n encrypted under k LWE joint secret keys ${\mathit{s}}_i$. The noise variance of the new ciphertext ${\mathit{c}}^{\prime }$ satisfies

$$Var\left(err\left(c^{\prime }\right)\right)=Var(err\left(c\right)+{\displaystyle \frac{KkN{d}_{ks}{B}_{ks}^2{\sigma }_{le}^2}{12}}.$$

(22)

Proof. 

The components of the joint LWE secret key corresponding to the ciphertext ${\mathit{c}}^{\prime }=(b^{\prime },{\mathit{a}}_1^{\prime },\dots ,{\mathit{a}}_k^{\prime })$ output by the LKeySwitch algorithm are denoted by ${\mathit{s}}_i$. The corresponding noise ${\mathit{e}}^{\prime }$ satisfies

$$\begin{array}{cc}\hfill e^{\prime }& =b^{\prime }+\sum _{i=1}^K\langle {\mathit{a}}_i^{\prime },{\mathit{s}}_i\rangle -{\displaystyle \frac{q}{4}}m\hfill \\ \hfill & =b+\sum _{i=1}^K\sum _{l=0}^{N-1}{\mathfrak{g}}_{B_{ks}}^{-1}{\left(a_{i,l}\right)}^T·({\mathbf{g}}_{B_{ks}}·z_{i,l}+e_{i,l})-{\displaystyle \frac{q}{4}}m\hfill \\ \hfill & =b+\sum _{i=1}^K\sum _{l=0}^{N-1}{a}_{i,l}·z_{i,l}+\sum _{i=1}^K\sum _{l=0}^{N-1}{\mathfrak{g}}_{B_{ks}}^{-1}{\left(a_{i,l}\right)}^T·e_{i,l}-{\displaystyle \frac{q}{4}}m\hfill \\ \hfill & =e+\sum _{i=1}^K\sum _{l=0}^{N-1}{\mathfrak{g}}_{B_{ks}}^{-1}{\left(a_{i,l}\right)}^T·e_{i,l}.\hfill \end{array}$$

(23)

□

Since the variance of $e_{i,l}$ is $K{\sigma }_{le}^2$, it follows that $Var\left(err\left(c^{\prime }\right)\right)=Var(err\left(\mathit{c}\right)+{\displaystyle \frac{KkN{d}_{ks}{B}_{ks}^2{\sigma }_{le}^2}{12}}$.

Theorem 2. 

Noise variance of the multi-key bootstrapping algorithm

Given a ciphertext $\mathit{c}$ to be bootstrapped with noise variance $Var\left(err\right(\mathit{c}\left)\right)$, a rotation polynomial r, joint bootstrapping keys ${\left\{JEV{K}_i\right\}}_{1\le i\le k}$, hybrid product keys ${\left\{HP{K}_i\right\}}_{1\le i\le k}$, ${\left\{{\tilde{\mathit{H}}}_i\right\}}_{0\le i\le k}$, and LWE key switching keys ${\left\{LKS{K}_i\right\}}_{1\le i\le k}$, the noise variance of the new ciphertext output by the BootMGCT algorithm, denoted as $Var\left(err\left({\mathit{c}}^{\prime }\right)\right)$, satisfies

$$\begin{array}{cc}\hfill Var\left(err\left({\mathit{c}}^{\prime }\right)\right) & ={\displaystyle \frac{q^{2}Kk\left(k+1\right)d_{br}^2{N}^3\left(2n+1\right)B_{br}^4{\sigma }_{ne}^4}{288Q^2}}\hfill \\ \hfill & +{\displaystyle \frac{q^2{K}^{2}k\left(k+1\right)d_{br}{B}_{br}^2{\sigma }_{nk}^2{\sigma }_{ne}^2}{12Q^2}}\hfill \\ \hfill & +{\displaystyle \frac{q^{2}k{d}_{br}{B}_{br}^2}{144Q^2}}\left(24K+d_{br}N\left(2n+1\right)B_{br}^2\right){\sigma }_{ne}^2\hfill \\ \hfill & +{\displaystyle \frac{q^2\left(1+KkN{\sigma }_{lk}^2\right)+q_{ks}^2\left(1+Kkn{\sigma }_{lk}^2\right)}{12q_{ks}^2}}\hfill \\ \hfill & +{\displaystyle \frac{q^{2}KkN{d}_{ks}{B}_{ks}^2{\sigma }_{le}^2}{12q_{ks}^2}}.\hfill \end{array}$$

(24)

Proof. 

According to Lemma 3, the noise variance of ${\tilde{\mathit{c}}}_i$ input to MGHybridProd is $\left(2n+1\right)·N{d}_{br}{\displaystyle \frac{B_{br}^2}{12}}·{\sigma }_{ne}^2$, denoted as ${\sigma }_{br}^2$. Before entering the i-th loop in Line 9 of the algorithm, the last $k-i$ terms of the multi-group RLWE ciphertext stored in ACC are all zero, so no noise accumulates. According to Lemma 4, after the MGHybridProd loop in Line 9 is executed, the noise variance of the ciphertext is ${\sigma }_{hp}^2={\displaystyle \frac{Kk\left(k+1\right)d_{br}{N}^2{B}_{br}^2{\sigma }_{ne}^2{\sigma }_{br}^2}{24}}+{\displaystyle \frac{K^{2}k\left(k+1\right)d_{br}{B}_{br}^2{\sigma }_{nk}^2{\sigma }_{ne}^2}{12}}+{\displaystyle \frac{k\left(2K{\sigma }_{ne}^2+{\sigma }_{br}^2\right)d_{br}{B}_{br}^2}{12}}$. According to Lemma 5, after the modulus switching in Line 12, the noise variance of the ciphertext is ${\sigma }_{m{s}_1}^2={\displaystyle \frac{q_{ks}^2}{Q^2}}{\sigma }_{hp}^2+{\displaystyle \frac{1+KkN{\sigma }_{lk}^2}{12}}$. According to Lemma 6, after the LWE key switching in Line 13, the noise variance of the ciphertext is ${\sigma }_{ks}^2={\sigma }_{m{s}_1}^2+{\displaystyle \frac{KkN{d}_{ks}{B}_{ks}^2{\sigma }_{le}^2}{12}}$. Similar to the first modulus switching, the noise after the second modulus switching in Line 14 of the algorithm is ${\sigma }_{m{s}_2}^2={\displaystyle \frac{q^2}{q_{ks}^2}}{\sigma }_{ks}^2+{\displaystyle \frac{1+Kkn{\sigma }_{lk}^2}{12}}$. The theorem is proved by combining the above results. □

8. Security Model and Security Analysis

In this section, we conduct a security analysis of the proposed BootMGCT algorithm in the semi-honest model where the adversary is defined as corrupted parties that follow the protocol strictly and execute all required steps while recording all internal states including private inputs, random tapes, and message transcripts from other parties and attempting to infer honest parties’ additional private information via the collected data post-protocol execution. Next, we conduct a security analysis of the offline and online phases for the proposed bootstrapping process, respectively. Finally, we integrate the basic scheme with the bootstrapping process and prove the security of the full scheme proposed in this work.

Since all existing FHE schemes rely on the weak circular security assumption, and this assumption entails that computations over ciphertexts do not leak any private information, we directly regard the TripleGen, LKeySwitch, and MGHybridProd algorithms in the offline phase as secure against plaintext leakage (i.e., they cannot leak the underlying plaintexts), and thus we focus on proving the non-leakage security of the ASS scheme (Section 6.1.2), Enroll algorithm (Section 6.1.3) and JBRKGen algorithm (Section 6.1.5) in the offline phase.

Lemma 7. 

Security of additive secret sharing.

The ASS scheme can tolerate up to $k-1$ colluding parties in the semi-honest adversary model while ensuring the confidentiality of the original secret.

Proof. 

Under the semi-honest adversary model, the additive secret sharing (ASS) over the polynomial ring $R_Q={\mathbb{Z}}_Q\left[X\right]/(X^N+1)$ ensures secret confidentiality via strict share randomness and operational security. In ASS.Split, a secret $s\in R_Q$ is split into k shares with $k-1$ uniformly random in $R_Q$, with the rest being determined by the secret and other shares, making any subset of fewer than k shares contain no valid secret information. Local computations complete ASS.Add, ASS.ScalarMult, and ASS.Auto without interaction, avoiding intermediate information leakage. ASS.Mult relies on Beaver multiplication triples, and non-reuse of triples prevents adversaries from obtaining the original secret via intermediate differences. The triple generation protocol is secure based on the RLWE-based additive homomorphic encryption (AHE) scheme, whose security rests on the computational hardness of the decisional RLWE problem, thus precluding semi-honest adversaries from obtaining secrets in this process. This completes the proof. □

Lemma 8. 

Security of Enroll algorithm.

For any semi-honest party ${\mathcal{P}}_i$, the output of Enroll avoids leaking the secret keys $f_i$ and ${\mathit{s}}_i$ with up to $k-1$ colluding parties.

Proof. 

The Enroll algorithm is fully implemented based on ASS and never invokes the secret recover operation (ASS.Recover). ASS ensures that a secret split into k shares has no valid information in any subset of fewer than k shares, and all its operations are local without intermediate leakage, with Beaver triple generation secured by the decisional RLWE problem. Thus completes the proof. □

Lemma 9. 

Security of JBRKGen algorithm.

For any semi-honest party ${\mathcal{P}}_i$, the secret keys $f_i$ and ${\mathit{s}}_i$ remain unexposed in both the execution process and the final output of JBRKGen under the collusion of up to $k-1$ parties.

Proof. 

According to Lemma 7, any operation performed on the secret shares does not reveal the original secret. Specifically, the use of the secret shares output by Enroll will not leak $f_i$ or ${\mathit{s}}_i$, and equivalently, no intermediate result exposes $f_i$ or ${\mathit{s}}_i$. Prior to the invocation of the secret recovery algorithm ASS.Recover, all parties hold only the secret shares of $JEVK$; after executing the secret recovery, the parties can obtain nothing but $JEVK$ itself, which acts as the ciphertext of the FINAL scheme. Since the FINAL scheme satisfies semantic security, the output of the JBRKGen algorithm will not leak $f_i$ and ${\mathit{s}}_i$, and the lemma is thus proven. □

In the online phase, we prove that the view of any PPT adversary in a real execution of BootMGCT (Section 6.2.2) is computationally indistinguishable from that in a simulated execution, meaning the adversary obtains no extra private information.

Lemma 10. 

Simulation security of BootMGCT algorithm.

For any PPT honest-but-curious adversary $\mathcal{A}$, the view of $\mathcal{A}$ in the real game (executing BootMGCT with genuine $JEVK/HPK/LKSK$, input ciphertext $\mathit{c}$, and real intermediate computations) is computationally indistinguishable from its view in the simulated game (executed by simulator $\mathcal{S}$ with simulated keys, simulated ciphertexts, and simulated intermediate results). That is, BootMGCT leaks no information and achieves simulation security.

Proof. 

We construct a PPT simulator $\mathcal{S}$ that generates $Vie{w}_{\mathcal{A}}^{\mathcal{S}}$ for any PPT honest-but-curious adversary $\mathcal{A}$. $\mathcal{S}$ only has access to public parameters $Params$ and does not know real plaintext m, secret keys, real input ciphertext $\mathit{c}$, or real public bootstrapping keys. Its operation is simplified as follows, with all simulated keys sampled uniformly from their respective value ranges:

• Simulate public bootstrapping keys: $\mathcal{S}$ uniformly samples a random MGLWE ciphertext ${\mathit{c}}^{\mathcal{S}}$ from the set of valid MGLWE ciphertexts (matching the dimension and modulus of the real input ciphertext $\mathit{c}$), which is computationally indistinguishable from the real $\mathit{c}$ by the IND-CPA security of the underlying MGLWE scheme. (Our basic scheme follows the standard LWE-based public-key encryption scheme, whose IND-CPA security has been rigorously proven in existing literature).
• Simulate input ciphertext: $\mathcal{S}$ uniformly samples a random MGLWE ciphertext ${\mathit{c}}^{\mathcal{S}}$ from the set of valid MGLWE ciphertexts (matching the dimension and modulus of the real input ciphertext $\mathit{c}$), which is computationally indistinguishable from the real $\mathit{c}$ by the IND-CPA security of the underlying MGLWE scheme.
• Simulate intermediate results and output ciphertext: $\mathcal{S}$ generates random simulated intermediate results $Inret{s}^{\mathcal{S}}$ (for BREval,MGHybridProd,LKeySwitch,SampleExt, ModSwitch) and a simulated refreshed ciphertext ${\mathit{c}}^{\prime \mathcal{S}}$, each sampled from the value range of their real counterparts. These simulated results are computationally indistinguishable from real ones, leveraging the IND-CPA security of the FINAL scheme and LWE/RLWE/NTRU hardness assumptions.

We are now ready to define the simulated game view as

$$Vie{w}_{\mathcal{A}}^{\mathcal{S}}=\{Params,JEV{K}^{\mathcal{S}},HP{K}^{\mathcal{S}},LKS{K}^{\mathcal{S}},{\mathit{c}}^{\mathcal{S}},Inrets,{\mathit{c}}^{\prime \mathcal{S}}\}.$$

This view shares an identical structure with the real game view $Vie{w}_{\mathcal{A}}^{\mathcal{R}}$, which refers to all genuine results produced during the practical execution of the BootMGCT algorithm. With all definitions above, we construct three consecutive games $Gam{e}_0$ (real execution), $Gam{e}_1$ (intermediate game), and $Gam{e}_2$ (simulated execution) to prove $Vie{w}_{\mathcal{A}}^{\mathcal{S}}{\equiv }_{c}Vie{w}_{\mathcal{A}}^{\mathcal{R}}$, i.e., the two views are computationally indistinguishable.

‑

$Gam{e}_0$: The challenger uses real $JEVK,HPK,LKSK$ and real input ciphertext $\mathit{c}$ and executes real BootMGCT operations to send $Vie{w}_{\mathcal{A}}^{\mathcal{R}}$ to $\mathcal{A}$.

‑

$Gam{e}_1$: The challenger uses simulated $JEV{K}^{\mathcal{S}},HP{K}^{\mathcal{S}},LKS{K}^{\mathcal{S}}$ (sampled uniformly from their value ranges) but real $\mathit{c}$ and real operations to send the intermediate view to $\mathcal{A}$.

‑

$Gam{e}_2$: The challenger acts as $\mathcal{S}$, sending $Vie{w}_{\mathcal{A}}^{\mathcal{S}}$ (all simulated elements) to $\mathcal{A}$.

From the above games, we consider the following claims.

Claim 1. 

$Gam{e}_0$ and $Gam{e}_1$ are computationally indistinguishable.

Proof. The only computational difference between $Gam{e}_0$ and $Gam{e}_1$ lies in the public bootstrapping keys (real keys vs. simulated ones). Since the simulated $JEV{K}^{\mathcal{S}}$, $HP{K}^{\mathcal{S}}$, and $LKS{K}^{\mathcal{S}}$ are uniformly sampled from the same distribution as the real $JEVK$, $HPK$, and $LKSK$ (over their respective value ranges), the two sets of public bootstrapping keys are computationally indistinguishable. By the hardness assumption of the underlying LWE/RLWE-based encryption scheme, the distinguishing advantage of any PPT adversary $\mathcal{A}$ between $Gam{e}_0$ and $Gam{e}_1$ is negligible, i.e., ${\mathsf{Adv}}_{\mathcal{A}}^{Gam{e}_0\to Gam{e}_1}\left(\lambda \right)\le \mathsf{negl}\left(\lambda \right)$, where $\lambda$ denotes the security parameter. □

Claim 2. 

$Gam{e}_1$ and $Gam{e}_2$ are computationally indistinguishable.

Proof. The only computational discrepancy between the two games resides in the input ciphertext and the intermediate/output computation results (real executions versus simulated outputs). Since all simulated components are uniformly sampled from the identical distribution as the genuine values over their respective domains, they are computationally indistinguishable under the standard hardness assumptions of LWE, RLWE, and NTRU. Consequently, the distinguishing advantage of any PPT adversary $\mathcal{A}$ is bounded by a negligible function in the security parameter $\lambda$, i.e., ${\mathsf{Adv}}_{\mathcal{A}}^{Gam{e}_1\to Gam{e}_2}\left(\lambda \right)\le \mathsf{negl}\left(\lambda \right)$. □

According to Claims 1 and 2 and to the transitivity of computational indistinguishability, the total distinguishing advantage of any PPT adversary $\mathcal{A}$ satisfies ${\mathsf{Adv}}_{\mathcal{A}}^{Gam{e}_0\to Gam{e}_2}\left(\lambda \right)\le \mathsf{negl}\left(\lambda \right).$ That is, $Vie{w}_{\mathcal{A}}^{\mathcal{S}}{\equiv }_{c}Vie{w}_{\mathcal{A}}^{\mathcal{R}}$, as desired.

With the Lemmas 8–10, we are ready to prove the security of our full proposed scheme. Next, we adopt a game-based proof approach to establish the IND-CPA semantic security of the scheme.

Theorem 3. 

Security of MGLWE scheme with bootstrapping.

Under the semi-honest model, our MGLWE scheme achieves semantic security, namely IND-CPA.

Proof. 

Fix the security parameter as $\lambda$, and let ${\mathcal{P}}_1,\dots ,{\mathcal{P}}_k$ be k semi-honest parties and $\mathrm{\Pi }$ be the full MGLWE scheme. As the IND-CPA security of $\mathrm{\Pi }$ is defined via a game between a PPT adversary $\mathcal{A}$ and a challenger $\mathcal{C}$, we begin our security proof by defining the game procedures:

• Initialization Phase: The challenger $\mathcal{C}$ first simulates the behavior of $K·k$ honest-but-curious parties (k groups with K parties in each group). Specifically, $\mathcal{C}$ runs MGHE.Setup to generate the basic public parameters. Based on this, the simulator $\mathcal{C}$ first invokes MGHE.SKeyGen, MGHE.PKeyGen, and MGHE.JointPKeyGen in sequence to generate the secret keys for individual parties, their public keys, and the group joint public key. It then simulates all algorithms in the offline phase of the bootstrapping procedure to derive the public bootstrapping keys $JEVK$ and $HPK$, as well as the LWE key-switching key $LKSK$. Finally, $\mathcal{C}$ sends all the basic public parameters and above-generated key materials to the PPT adversary $\mathcal{A}$.
• Challenge Phase: After receiving all materials generated in initialization phase from the challenger $\mathcal{C}$, the adversary $\mathcal{A}$ selects two plaintexts $m_0,m_1$ from the plaintext space and sends them to $\mathcal{C}$ as the challenge plaintexts. The challenger $\mathcal{C}$ uniformly samples a random bit $b\in \{0,1\}$ to determine which plaintext to encrypt and then strictly executes the full ciphertext processing pipeline specified by the scheme: first, $\mathcal{C}$ runs MGHE.Enc($jpk,m_b$) to generate the initial MGLWE ciphertext ${\mathit{c}}_b$ corresponding to the plaintext $m_b$; next, $\mathcal{C}$ performs homomorphic NAND evaluation by inputting ${\mathit{c}}_b$ and a pre-specified dummy ciphertext ${\mathit{c}}_{dummy}$ into the MGHE.NAND, obtaining the noisy evaluated ciphertext ${\mathit{c}}_{nand,b}$; finally, $\mathcal{C}$ executes the BootMGCT algorithm to refresh the noisy ${\mathit{c}}_{nand,b}$ into a low-noise ciphertext ${\mathit{c}}_b^{\prime }$, which is sent to $\mathcal{A}$ as the final challenge ciphertext.
• Guess Phase: Based on all the information obtained during the game (including the challenge ciphertext ${\mathit{c}}_b^{\prime }$), the adversary $\mathcal{A}$ performs polynomial-time computation to output a guess bit $b^{\prime }\in \{0,1\}$, which serves as $\mathcal{A}$’s guess for the random bit b selected by the challenger $\mathcal{C}$.

We then define three games as follows: $Gam{e}_0$ (real execution), $Gam{e}_1$ (simulated group bootstrapping keys), and $Gam{e}_2$ (all simulated execution).

—

$Gam{e}_0$: $Gam{e}_0$ corresponds to the real execution of the full IND-CPA security experiment, in which the challenger honestly runs the complete MGLWE pipeline: it simulates all $K·k$ semi-honest parties to interactively generate the genuine public bootstrapping keys $JEVK$ and $HPK$, as well as the LWE key-switching key $LKSK$; performs honest MGLWE encryption of the challenge plaintext $m_b$; executes the homomorphic NAND operation on the resulting ciphertext; applies the BootMGCT algorithm to the noisy evaluated ciphertext; and sends the final refreshed ciphertext ${\mathit{c}}_b^{\prime }$ as the challenge to the adversary.

—

$Gam{e}_1$: This game is identical to $Gam{e}_0$ in all steps except for the generation of public bootstrapping keys: instead of executing the real interactive multi-party computation in offline phase, the challenger directly samples simulated keys $JEV{K}^{\mathcal{S}}$, $HP{K}^{\mathcal{S}}$, and $LKS{K}^{\mathcal{S}}$ uniformly at random from their native distribution spaces that match the output of the real-world execution while keeping the encryption, homomorphic NAND, and BootMGCT completely honest and unchanged.

—

$Gam{e}_2$: This game corresponds to $Gam{e}_1$ and adopts the same setup with simulated public bootstrapping keys, but it differs from $Gam{e}_1$ in the core process of generating the challenge ciphertext. The challenger does not encrypt either of the adversary’s challenge plaintexts $m_0$ or $m_1$ but instead samples a uniformly random MGLWE ciphertext $\mathit{c}$. This ciphertext is then processed through the same homomorphic NAND and BootMGCT refresh pipeline to produce the challenge ciphertext ${\mathit{c}}^{\prime }$, which is statistically independent of the challenge bit b as well as both plaintexts $m_0$ and $m_1$.

We first prove the computational indistinguishability between adjacent games. $Gam{e}_0{\equiv }_{c}Gam{e}_1$ because the only difference lies in the generation of public bootstrapping keys, and due to the perfect hiding of additive secret sharing, no PPT adversary can distinguish these two games with non-negligible advantage, i.e., $\left|{\mathsf{Adv}}_{\mathcal{A}}^{Gam{e}_0}-{\mathsf{Adv}}_{\mathcal{A}}^{Gam{e}_1}\right|\le \mathsf{negl}\left(\lambda \right)$; next, $Gam{e}_1{\equiv }_{c}Gam{e}_2$ as their sole distinction is the source of the challenge ciphertext—$Gam{e}_1$ derives the challenge ciphertext from an encrypted challenge plaintext $m_b$ via the homomorphic NAND operation and BootMGCT, while $Gam{e}_2$ derives it from a uniformly random MGLWE ciphertext $\mathit{c}$ through the same pipeline—and due to the computational security of the BootMGCT algorithm (Lemma 10) and the IND-CPA security of the underlying MGLWE scheme, the adversary’s distinguishing advantage between these two games is also negligible—$\left|{\mathsf{Adv}}_{\mathcal{A}}^{Gam{e}_1}-{\mathsf{Adv}}_{\mathcal{A}}^{Gam{e}_2}\right|\le \mathsf{negl}\left(\lambda \right)$; finally, in $Gam{e}_2$, the challenge ciphertext ${\mathit{c}}^{\prime }$ is uniformly random and statistically independent of the challenge bit b and both challenge plaintexts $m_0,m_1$, meaning the adversary has no valid clues to guess b, so the adversary’s guess is completely uniform, leading to ${\mathsf{Adv}}_{\mathcal{A}}^{Gam{e}_2}=0$. By the triangle inequality for distinguishing advantages, the total IND-CPA advantage of any PPT adversary $\mathcal{A}$ in the real game $Gam{e}_0$ is bounded as

$$\begin{array}{cc}\hfill {\mathsf{Adv}}_{\mathrm{\Pi },\mathcal{A}}^{\mathrm{IND}-\mathrm{CPA}}\left(\lambda \right)& ={\mathsf{Adv}}_{\mathcal{A}}^{Gam{e}_0}\le \left|{\mathsf{Adv}}_{\mathcal{A}}^{Gam{e}_0}-{\mathsf{Adv}}_{\mathcal{A}}^{Gam{e}_1}\right|+\left|{\mathsf{Adv}}_{\mathcal{A}}^{Gam{e}_1}-{\mathsf{Adv}}_{\mathcal{A}}^{Gam{e}_2}\right|\hfill \\ & +{\mathsf{Adv}}_{\mathcal{A}}^{Gam{e}_2}\le \mathrm{negl}\left(\lambda \right).\hfill \end{array}$$

This shows that the advantage of any PPT semi-honest adversary is negligible. Therefore, under the semi-honest model, our MGLWE scheme achieves semantic security, namely IND-CPA, and the theorem follows. □

9. Parameters and Implementation

9.1. Parameter Selection

We consider the parameter selection of the multi-group homomorphic encryption scheme from two dimensions: usability and security. Usability means that the set parameters must ensure that the noise size of the ciphertext is always within a specified range to maintain the correctness of the decryption process. Security means that the parameter configuration should be able to resist common attack algorithms, making it impossible for attackers to successfully crack the scheme within the scope of computational feasibility.

According to Lemma 7 of the FHEW scheme [26], for two LWE ciphertexts $c_1$ and $c_2$ encrypting plaintexts $m_1, m_2\in {\mathbb{Z}}_2$ with noises $e_1, e_2$ respectively, after the homomorphic NAND operation is performed, the noise $e^{\prime }$ of the new ciphertext $c^{\prime }$ satisfies $e^{\prime }=e_1+e_2\pm {\displaystyle \frac{q}{8}}$. At this time, the scaling factor corresponding to the ciphertext is ${\displaystyle \frac{q}{2}}$, so the absolute value of the noise $e^{\prime }$ needs to satisfy $|{\displaystyle \frac{2e^{\prime }}{q}}|<{\displaystyle \frac{1}{2}}$, i.e., $\left|e^{\prime }\right|<{\displaystyle \frac{q}{4}}$. Therefore, the sum of the noises of the two ciphertexts undergoing the homomorphic NAND gate needs to satisfy $\left|e_1+e_2\right|<{\displaystyle \frac{q}{8}}$. In gate bootstrapping, we need to control the upper noise bound of the two input ciphertexts, i.e., the upper noise bound of each ciphertext after bootstrapping needs to be lower than ${\displaystyle \frac{q}{16}}$. To ensure the correctness of decryption, the upper noise bound of each step in the bootstrapping algorithm is also required not to exceed the threshold ${\displaystyle \frac{Q_i}{16}}$, where $Q_i$ is the ciphertext modulus of the current ciphertext. We use 6 times the standard deviation as the high-probability upper bound of the noise. Based on the noise variances of ciphertexts at different stages listed in the noise analysis, we obtain the constraints

$$6{\sigma }_{br}<{\displaystyle \frac{Q}{16}},6{\sigma }_{hp}<{\displaystyle \frac{Q}{16}},6{\sigma }_{m{s}_1}<{\displaystyle \frac{q_{ks}}{16}},6{\sigma }_{ks}<{\displaystyle \frac{q_{ks}}{16}},6{\sigma }_{m{s}_2}<{\displaystyle \frac{q}{16}},$$

(25)

which serve as one of the bases for parameter selection. The LWE secret key distribution is a symmetric three-point distribution over $\{-1,0,1\}$, where the probability of taking values −1 and 1 is ${\displaystyle \frac{1}{4}}$ and the probability of taking value 0 is ${\displaystyle \frac{1}{2}}$. The noise of the LWE scheme is sampled from a discrete Gaussian distribution with the mean of 0 and the standard deviation of 3. For the keys and noises of the NTRU and RLWE schemes, we also use the above two distributions respectively. Sampling a polynomial means sequentially sampling coefficients from the distribution, so ${\sigma }_{lk}^2={\sigma }_{nk}^2={\displaystyle \frac{1}{2}},{\sigma }_{le}^2={\sigma }_{ne}^2=9$.

From the noise analysis, the noise level of NTRU ciphertexts reaches its peak after the MGHybridProd operation is executed. At this time, the NTRU modulus Q satisfies $Q=O\left(N^{1.5}\right)<O\left(N^{2.484}\right)$. From the perspective of the asymptotic complexity of noise, the parameter selection of this scheme can theoretically ensure that it is within a safe range.

Our scheme fundamentally relies on three core cryptographic primitives, LWE, RLWE, and NTRU, all of whose security is rooted in the computational hardness of lattice problems. For LWE and RLWE, we validate the security via the LWE estimator [21], ensuring that the computational complexity required to withstand mainstream attacks including dual attack, hybrid dual attack, and uSVP attack exceeds the predefined security level. For NTRU, we employ the NTRU estimator [22] to reduce the probability of DSD events to below a predefined threshold, thereby mitigating the risk of SKR attacks. Accordingly,

Table 1. Parameters set of 100-bit security.

Set	$({\mathit{k}}_{\mathit{m}},{\mathit{K}}_{\mathit{m}})$	${\mathit{q}}^{\prime }$	q	${\mathit{q}}_{\mathit{ks}}$	${\mathit{B}}_{\mathit{ks}}$	${\mathit{d}}_{\mathit{ks}}$	n	Q	${\mathit{B}}_{\mathit{br}}$	${\mathit{d}}_{\mathit{br}}$	N	Estimate Security
I	(2, 15)	$2^{14}$	4096	$2^{30}$	1024	3	600	$2^{50}$	32	10	4096	100
II	(4, 7)	$2^{14}$	4096	$2^{30}$	1024	3	600	$2^{50}$	32	10	4096	100
III	(8, 7)	$2^{14}$	4096	$2^{30}$	1024	3	600	$2^{50}$	16	13	4096	100

Note: $k_m$ denotes the maximum number of groups; $K_m$ denotes the maximum number of parties per group; $q^{\prime }$, q, and $q_{ks}$ represent the LWE encryption modulus, LWE bootstrapping modulus, and LWE key switching modulus, respectively; $B_{ks}$, $d_{ks}$, $B_{br}$, and $d_{br}$ denote the gadget decomposition base and degree for key switching and bootstrapping, respectively; n is the LWE dimension; Q is the NTRU/RLWE ciphertext modulus; and N is the degree of the polynomial in NTRU/RLWE ciphertexts.

and

Table 2. Parameters set of 128-bit security.

Set	$({\mathit{k}}_{\mathit{m}},{\mathit{K}}_{\mathit{m}})$	${\mathit{q}}^{\prime }$	q	${\mathit{q}}_{\mathit{ks}}$	${\mathit{B}}_{\mathit{ks}}$	${\mathit{d}}_{\mathit{ks}}$	n	Q	${\mathit{B}}_{\mathit{br}}$	${\mathit{d}}_{\mathit{br}}$	N	Estimate Security
I’	(2, 25)	$2^{14}$	4096	$2^{30}$	1024	3	600	$2^{60}$	512	7	8192	128
II’	(4, 10)	$2^{14}$	4096	$2^{30}$	1024	3	600	$2^{60}$	512	7	8192	128
III’	(8, 8)	$2^{14}$	4096	$2^{30}$	1024	3	600	$2^{60}$	256	8	8192	128

Note: Same as Table 1.

present the concrete parameter sets for 100-bit and 128-bit security, respectively.

9.2. Comparisons and Experimental Results

We conducted a comprehensive evaluation of our scheme against the WLW scheme in terms of both communication and computational overhead. As MGHE is equivalent to MKHE when the offline phase is neglected, we further compared our scheme with the state-of-the-art NTRU-based MKHE scheme (XZW) and the non-NTRU-based MKHE scheme (KMS). For the comparison with MGHE, we present the offline-phase communication rounds, offline-phase local computational overhead (number of polynomial multiplications), and online-phase computational overhead (number of polynomial multiplications) of our scheme and the WLW scheme. Since the bootstrapping keys of MKHE are mutually independent and it has no offline phase as defined in this work, our comparison with MKHE focused on the online-phase (bootstrapping) computational overhead.

Table 3. Theoretical comparison of different schemes.

Scheme	Type	Hard Problems	#Par	Offline Phase		Online Phase
				Rounds	Processing Cost
XZW	MKHE	(R)LWE/NTRU	☓	N/A	N/A	$k(2k+1)n{d}_{br}$
KMS	MKHE	(R)LWE	✓	N/A	N/A	$4nk{d}_{br}^2+(4k+6)k{d}_{br}$
WLW	MGHE	(R)LWE	☓	1	N/A	$4Kk(k+1)n{d}_{br}$
Ours	MGHE	(R)LWE/NTRU	✓	10	TripleGen+Enroll+JBRKGen	$k{d}_{br}^2(2n+1)+(3k+5)k{d}_{br}$

Note: #Par denotes parallelizability; Rounds represents communication rounds; Processing cost refers to the number of polynomial multiplications in local computation; and Online phase cost denotes the number of polynomial multiplications required for bootstrapping. In MGHE and MKHE, k denotes the number of groups and the number of parties, respectively. Moreover, K represents the number of parties per group in MGHE.

presents the theoretical comparisons among all schemes.

All experiments were conducted on a server equipped with an Intel(R) Xeon(R) Platinum 8481C processor (3.8 GHz, 56 physical cores, 112 logical threads) and 64 GB of memory, running Ubuntu 22.04.5 LTS. Our method was implemented using the OpenFHE library (v1.1.1), and we adopted thread-level parallelism with explicit CPU core binding to eliminate resource contention. Specifically, we leveraged OpenMP compiler directives (e.g., #pragma omp parallel) to spawn multiple worker threads, which were then explicitly bound to dedicated logical cores via OpenMP environment variables. Multi-party communication was simulated on a single machine using Docker containers, and we used the Linux tc tool to limit the network bandwidth to 100 Mbps, set the round-trip time (RTT) to 100 ms, and introduced a 0.1% packet loss rate to reproduce typical transmission characteristics of a wide area network (WAN).

9.2.1. Comparison Between MGHEs

The structure of the group bootstrapping key $JEVK$ in the WLW scheme is consistent with the $HPK$ in our proposed scheme. When the $LKSK$ for LWE key switching is also considered, the WLW scheme only involves a small and fixed number of polynomial multiplications in the offline phase. All parties in the group can complete the offline phase with local computation and 1 round of broadcasting. Our scheme needs to generate $HPK$ and $LKSK$ as extra steps. It also computes $2K(n+1)+d_{br}(n+q)$ multiplication triples with the TripleGen algorithm which takes five communication rounds. It computes the shares of all joint keys with the Enroll algorithm which takes two communication rounds. It computes $JEVK$ with the JBRKGen algorithm which takes three communication rounds. These steps lead to a total of 10 communication rounds.

The Enroll algorithm requires $2K(n+1)$ multiplication triples and the JBRKGen algorithm requires $d_{br}(n+q)$ multiplication triples. When we substitute the parameter sets given above, the exact number of required triples reaches the ten-thousand level. The local computation for generating one single triple includes AHE encryption, AHE scalar multiplication, and AHE addition operations. This computation takes no more than one second under our parameter settings, but it still remains one of the main bottlenecks of our scheme. The communication overhead is also high due to the large number of required triples.

The local computation in the Enroll and JBRKGen algorithms only introduces constant-order polynomial multiplication overhead brought by secret multiplication. The overall communication overhead and local computation overhead of the scheme are both dominated by the TripleGen algorithm. Different parameter sets support varying maximum numbers of intra-group parties. We chose the minimum number of supported parties across these parameter sets as the experimental setting.

We present the communication volume of the WLW scheme and our scheme in the offline phase in

Table 4. Data volume sent by each party in a group (GB).

Party	I		II		III		I’		II’		III’
	WLW	Ours	WLW	Ours	WLW	Ours	WLW	Ours	WLW	Ours	WLW	Ours
2	0.03	16.6	0.03	16.6	0.03	21.33	0.06	23.74	0.06	23.74	0.06	26.89
3	0.03	18.92	0.03	18.92	0.03	27.29	0.06	30.49	0.06	30.49	0.06	34.51
4	0.03	25.93	0.03	25.93	0.03	33.24	0.06	37.25	0.06	37.25	0.06	42.12
5	0.03	30.6	0.03	30.6	0.03	39.2	0.06	44.0	0.06	44.0	0.06	49.73
6	0.03	35.26	0.03	35.26	0.03	45.15	0.06	50.75	0.06	50.75	0.06	57.34
7	0.03	39.93	0.03	39.93	0.03	51.11	0.06	57.5	0.06	57.5	0.06	64.96

Note: Party denotes the number of parties in a single group.

. For brevity, we only present the communication volume of our scheme under the three algorithms in

Table 5. Composition of data volume (GB).

Party	I			II			III			I’			II’			III’
	T	E	J	T	E	J	T	E	J	T	E	J	T	E	J	T	E	J
2	12.05	0.22	4.3	12.05	0.22	4.3	15.49	0.22	5.59	17.22	0.44	6.02	17.22	0.44	6.02	19.52	0.44	6.88
3	12.35	0.29	8.6	12.35	0.29	8.6	15.78	0.29	11.18	17.81	0.59	12.04	17.81	0.59	12.04	20.1	0.59	13.76
4	12.64	0.37	12.9	12.64	0.37	12.9	16.08	0.37	16.77	18.4	0.73	18.06	18.4	0.73	18.06	20.69	0.73	20.64
5	12.93	0.44	17.2	12.93	0.44	17.2	16.37	0.44	22.36	18.99	0.88	24.08	18.99	0.88	24.08	21.28	0.88	27.52
6	13.23	0.51	21.5	13.23	0.51	21.5	16.67	0.51	27.95	19.57	1.03	30.1	19.57	1.03	30.1	21.87	1.03	34.39
7	13.52	0.59	25.8	13.52	0.59	25.8	16.96	0.59	33.53	20.16	1.17	36.11	20.16	1.17	36.11	22.45	1.17	41.27

Note: T, E, and J denote the communication volume required for the TripleGen, Enroll, and JBRKGen algorithms, respectively.

. We show the local computation time overhead of each party in the group during the offline phase for both schemes in

Table 6. Offline phase performance comparison between the WLW scheme and our proposed scheme under parameter set I (s).

Party	WLW			Ours
	Comm	JEVK + LKSK	Total	Comm	HPK + LKSK	Triples	Enroll	JEVK	Total
2	5.35	1.11	6.46	2740.48	1.21	1974.56	1.3	61.28	4778.83
3	5.73	1.22	6.95	3009.84	1.19	2123.07	3.04	123.57	5260.71
4	5.89	1.8	7.69	3962.78	1.84	2411.46	5.78	205.46	6587.32
5	5.47	2.08	7.55	5048.01	19.1	2509.09	9.04	271.65	7856.89
6	5.57	2.23	7.8	5384.37	2.24	2763.57	13.94	340.24	8504.36
7	5.2	2.34	7.54	6496.43	2.41	3166.09	19.51	418.24	10,102.68

Note: Party denotes the number of participants in a single group, and Comm denotes the total communication time of the entire offline phase. For the WLW scheme, JEVK + LKSK denotes the local computation time for generating the JEVK and LKSK, while Total denotes the overall time duration of the offline phase (including communication time). For our proposed scheme, HPK + LKSK denotes the local computation time for generating the HPK and LKSK, Triples denotes the local computation time of the TripleGen.EvalGen algorithm, Enroll denotes the local computation time of the Enroll algorithm, JEVK denotes the local computation time for generating the JEVK, and Total denotes the overall time duration of the offline phase.

,

Table 7. Offline phase performance comparison between the WLW scheme and our proposed scheme under parameter set II (s).

Party	WLW			Ours
	Comm	JEVK + LKSK	Total	Comm	HPK + LKSK	Triples	Enroll	JEVK	Total
2	6.07	1.07	7.14	2629.04	1.19	2036.52	1.55	62.07	4730.37
3	5.83	1.27	7.1	3157.94	1.3	2213.21	3.15	121.56	5497.16
4	5.69	1.91	7.6	4163.48	1.87	2323.25	5.65	204.87	6699.12
5	5.65	2.02	7.67	4920.27	2.12	2641.78	8.43	266.45	7839.05
6	5.56	2.22	7.78	5487.21	2.21	2969.03	14.24	345.54	8820.44
7	5.48	2.57	8.05	6657.94	2.6	3308.75	20.98	416.85	10,407.12

Note: All notations and definitions in this table are identical to those in Table 6.

,

Table 8. Offline phase performance comparison between the WLW scheme and our proposed scheme under parameter set III (s).

Party	WLW			Ours
	Comm	JEVK + LKSK	Total	Comm	HPK + LKSK	Triples	Enroll	JEVK	Total
2	5.64	1.11	6.75	3533.62	1.21	2484.26	1.39	80.4	6100.88
3	6.05	1.97	8.02	4398.36	1.96	2593.67	3.05	157.91	7154.95
4	5.58	2.15	7.73	5475.86	2.18	2892.79	5.95	245.72	8622.5
5	5.91	2.31	8.22	6853.26	2.34	3238.9	9.18	324.87	10,428.55
6	5.83	2.49	8.32	7298.03	2.48	3507.04	13.48	399.48	11,211.51
7	5.28	2.68	7.96	8200.97	2.76	3728.45	18.92	472.6	12,423.7

Note: All notations and definitions in this table are identical to those in Table 6.

,

Table 9. Offline phase performance comparison between the WLW scheme and our proposed scheme under parameter set I’ (s).

Party	WLW			Ours
	Comm	JEVK + LKSK	Total	Comm	HPK + LKSK	Triples	Enroll	JEVK	Total
2	10.88	2.34	13.22	3725.53	2.39	2952.05	2.74	97.31	6780.02
3	10.48	2.83	13.31	4834.83	2.99	3370.08	6.27	179.41	8393.58
4	10.12	3.03	13.15	6372.14	3.15	3742.8	11.95	288.66	10,418.7
5	9.34	3.09	12.43	7197.98	3.17	4199.61	19.09	371.46	11,791.31
6	10.48	3.32	13.8	8779.59	3.28	4688.01	28.1	473.49	13,972.47
7	10.64	3.6	14.24	9056.61	3.55	5118.66	39.88	567.4	14,786.1

Note: All notations and definitions in this table are identical to those in Table 6.

,

Table 10. Offline phase performance comparison between the WLW scheme and our proposed scheme under parameter set II’ (s).

Party	WLW			Ours
	Comm	JEVK + LKSK	Total	Comm	HPK + LKSK	Triples	Enroll	JEVK	Total
2	10.85	2.42	13.27	3486.35	2.41	2324.18	2.69	96.01	5911.64
3	10.18	2.61	12.79	4766.65	2.62	2816.2	6.18	174.78	7766.43
4	9.37	2.87	12.24	6203.04	2.91	3276.02	11.87	280.87	9774.71
5	10.27	2.96	13.23	7301.95	3.01	3877.27	18.79	378.76	11,579.78
6	10.22	3.13	13.35	8848.17	3.12	4389.16	29.48	477.23	13,747.16
7	9.59	3.55	13.14	9291.51	3.65	4853.8	40.48	564.58	14,754.02

Note: All notations and definitions in this table are identical to those in Table 6.

and

Table 11. Offline phase performance comparison between the WLW scheme and our proposed scheme under parameter set III’ (s).

Party	WLW			Ours
	Comm	JEVK + LKSK	Total	Comm	HPK + LKSK	Triples	Enroll	JEVK	Total
2	10.49	2.99	13.48	4130.42	3.06	3828.34	2.62	99.48	8063.92
3	10.31	3.25	13.56	5146.62	3.31	4212.18	6.24	181.54	9549.89
4	10.46	3.3	13.76	7287.89	3.5	4760.93	12.45	299.45	12,364.22
5	10.67	3.47	14.14	7551.34	3.49	5296.66	17.89	377.84	13,247.22
6	9.93	3.6	13.53	9107.43	3.67	5765.81	28.87	498.74	15,404.52
7	10.26	3.64	13.9	9614.74	3.86	6133.24	41.45	576.86	16,370.15

Note: All notations and definitions in this table are identical to those in Table 6.

.

In terms of experimental results, our scheme exhibits significant weaknesses in communication overhead and local computation efficiency during the offline phase.

On the communication volume side, under both 100-bit and 128-bit security parameter configurations, the data sent by a single node in our scheme is much higher than that in the WLW scheme across scenarios with 2 to 7 parties in a single group. When there are two parties in a group, the per-node communication volume of our scheme ranges from 16.6 GB to 26.89 GB. The WLW scheme only shows a volume of 0.03 GB to 0.06 GB. The gap between the two schemes reaches hundreds of times. The communication overhead of our scheme increases steadily as the number of group participants grows. When the number of participants rises to seven, the per-node communication volume further increases to 39.93 GB to 64.96 GB. The WLW scheme remains at an extremely low level of 0.03 GB to 0.06 GB. The difference in communication efficiency is thus very obvious. In terms of the communication overhead required by the three algorithms, TripleGen and Enroll exhibit a relatively slow growth in communication volume as the number of participants increases, whereas the communication overhead of the JBRKGen algorithm rises sharply. This is because, under the same parameter settings, each additional participant in the group requires every existing participant in the network to communicate with them, resulting in a multiplicative increase in the data that each participant needs to send.

On the offline local computation side, our scheme adopts additional mechanisms to support key management and ciphertext bootstrapping for the multi-group architecture. These mechanisms include additive secret sharing, polynomial multiplication triple generation, party enroll and joint blind rotation key generation. They cause the total offline local computation time to be much longer than that of the comparison scheme. Taking the 100-bit security parameter set I as an example, the total offline local computation time of our scheme reaches 4778.83 s with two-group parties. The WLW scheme only takes 6.46 s. Among the core computation modules, the TripleGen algorithm accounts for the largest proportion of time at 1974.56 s. The generation of $JEVK$ also further increases the total time consumption. The overall efficiency of the offline preparation phase is therefore significantly low. This phenomenon becomes more severe under the 128-bit security parameter configuration. In parameter set I’, the total offline local computation time of our scheme reaches 6780.02 s with two-group parties. The WLW scheme only takes 13.22 s. The time gap between the two schemes is further widened.

9.2.2. Comparison Between MKHEs

Bootstrapping speed has long been one of the core optimization objectives in FHE. Specifically, the offline phase of MPHE schemes is designed to generate unified keys that allow multiple participants to share the same ciphertext. Since all operations behave similarly to those in single-key homomorphic encryption, MPHE schemes can achieve extremely fast bootstrapping. By contrast, MKHE schemes support dynamic participant enrollment, but their ciphertext size grows drastically with the number of participants, and the bootstrapping time increases linearly accordingly. MGHE schemes have therefore been proposed to reduce bootstrapping time while maintaining scheme flexibility.

It should be emphasized that although our proposed scheme performs unsatisfactorily in the MPHE setting, it achieves significant advantages in bootstrapping speed over the state-of-the-art NTRU-based and non-NTRU-based MKHE schemes under identical parameter configurations (Note that since WLW and KMS are TFHE-based schemes, only the four parameters $d_{ks}$, n, $d_{br}$, and N from the provided parameter sets are applicable to these schemes). As shown in the analysis in Table 3, the number of polynomial multiplications required for bootstrapping in the other three competing schemes is positively correlated with the total number of parties in the network. To fully demonstrate the strength of our scheme, we minimized the value of K for these three schemes across six different parameter sets. For MKHE schemes, we set the total number of participants in the network to k. For MGHE schemes, we set the number of groups to k and the number of participants per group to one. We used this setup to evaluate the fastest achievable bootstrapping speed of each scheme under different parameter sets. Since the bootstrapping time of our scheme is independent of K, the above testing setup effectively highlights the core advantage of our construction. Detailed numerical results are presented in

Table 12. Online phase performance comparison (s).

Set	k	XZW	WLW	KMS (SER)	KMS (PAR)	Ours (SER)	Ours (PAR)	Security
I	2	2.18	2.97	5.62	2.37	42.58	1.87	100-bit
II	3	4.28	5.11	9.33	3.48	50.37	1.91	100-bit
	4	6.67	10.06	12.96	4.78	82.06	2.31
III	5	12.24	16.01	26.89	6.05	146.79	4.18	100-bit
	6	16.51	22.45	32.28	6.81	174.12	4.84
	7	21.2	29.96	40.02	7.67	205.59	5.7
	8	27.13	39.35	47.95	8.15	223.56	6.13
I’	2	3.68	3.81	6.18	3.66	47.36	2.58	128-bit
II’	3	6.84	8.08	10.98	4.25	84.34	2.76	128-bit
	4	10.74	13.08	15.89	5.03	113.5	2.87
III’	5	17.48	21.38	24.31	6.45	158.14	4.35	128-bit
	6	22.17	25.92	32.23	7.39	193.99	5.16
	7	28.26	30.82	41.02	8.23	222.93	5.96
	8	34.89	35.77	53.95	8.86	253.63	6.6

Note: k denotes the number of groups(in MGHEs) or number of parties(in MKHEs). (SER) denotes that the bootstrapping of the corresponding scheme is executed serially on a single CPU core, while (PAR) denotes that the bootstrapping of the corresponding scheme is executed in parallel across multiple CPU cores.

.

According to the performance analysis of the Online phase in Table 3, the XZW scheme requires only $k(2k+1)n{d}_{br}$ polynomial multiplications for bootstrapping. This represents the lowest time complexity among all compared schemes. Accordingly, it achieves the shortest online phase latency in sequential bootstrapping mode. The WLW scheme exhibits slightly higher latency than does XZW. This is because its bootstrapping operations still rely on RLWE and RGSW ciphertexts, without adopting the more compact NTRU ciphertext structure. The serial execution efficiency of the KMS scheme is constrained by its multi-key ciphertext splitting strategy. This strategy partitions the multi-key ciphertext into multiple subtasks. Each subtask requires $4n{d}_{br}^2$ polynomial multiplications, and the total cost is thus approximately $d_{br}$ times that of the XZW and WLW schemes. Furthermore, the computational results of these split subtasks must ultimately be merged via a hybrid product operation, which further increases the computational overhead.

Our proposed scheme has half the time complexity of the KMS scheme. However, in sequential mode, the KMS scheme can leverage SIMD (single instruction, multiple data) compilation optimizations, enabling a single instruction to complete multiple integer multiplications. In contrast, our scheme decomposes operations that were originally amenable to SIMD optimization into independent steps. This corresponds to $d_{br}$ redundant computations performed by BootMGCT. Consequently, the sequential bootstrapping speed of KMS is approximately $d_{br}$ times faster than that of our scheme. Nevertheless, our scheme can distribute bootstrapping tasks across $k{d}_{br}$ CPU cores for parallel execution. We also employ scalar NTRU ciphertexts and vector NTRU ciphertexts, which require fewer polynomial multiplications, as intermediate ciphertexts. In small-scale group scenarios, our parallel bootstrapping speed approaches half that of the KMS scheme.

As can be seen from the concrete data in Table 3, under the 100-bit security parameter set I, when the number of groups $k=2$, the sequential bootstrapping time of the XZW scheme is 2.18 s. The WLW scheme takes 2.97 s. KMS (SER) takes 5.62 s. Our scheme’s sequential bootstrapping time is 42.58 s. In parallel mode, however, our scheme’s bootstrapping time is only 1.87 s. This value is even lower than the sequential latency of XZW and WLW. As k increases, the parallel bootstrapping time of our scheme is significantly lower than that of the XZW and WLW schemes. For example, when $k=8$, our scheme’s parallel latency is 6.13 s. KMS (PAR) takes 8.15 s. XZW takes 27.13 s. This fully demonstrates the advantages of our scheme in parallel bootstrapping. A more intuitive line chart is shown in Figure 2. For visual clarity, the bootstrapping times of our scheme and the KMS scheme under the serial mode are not displayed in the line chart. Instead, only the fastest bootstrapping execution time of each scheme is presented, i.e., with parallel execution employed wherever possible.

10. Discussion

10.1. Practical Application Scenario

In the field of artificial intelligence, federated learning enables collaborative model training among multiple institutions while protecting data privacy. Data holders such as research institutions do not need to provide raw data to external parties. They only need to encrypt the locally trained model parameters and upload them to the central node. The aggregation and update of the global model can then be completed.

The bootstrapping efficiency of fully homomorphic encryption is a key factor that determines whether federated learning can be deployed on a large scale. Traditional multi-party homomorphic encryption achieves efficient bootstrapping performance. It requires all participants to share a unified key and cannot support the dynamic joining and leaving of parties in federated learning. Multi-key homomorphic encryption allows dynamic changes of participants. Its ciphertext size grows linearly with the number of participants. Bootstrapping time also increases significantly. It can hardly meet the efficiency requirements of high-frequency parameter aggregation in large model training.

The multi-group homomorphic encryption scheme proposed in this work delivers faster bootstrapping speed than does the state-of-the-art WLW multi-group homomorphic encryption scheme, and it also supports dynamic user participation, thus making it highly compatible with the federated learning scenarios described above. However, the overhead of intra-group key generation in the proposed scheme is relatively high. To address this issue, the cost of the offline phase needs to be amortized by the efficiency improvement brought by bootstrapping in the online phase. As such, the scheme is more suitable for application scenarios with heavy-computation tasks in the MGHE setting, while scenarios with light-computation tasks can adopt the MKHE setting.

10.2. Limitations

From the perspective of experimental results and actual deployment conditions, this scheme still has clear performance constraints and applicable boundaries. In multi-party scenarios, the communication overhead of the scheme is relatively prominent. Both the communication volume and local computing overhead increase linearly with the number of parties in a group. This characteristic directly limits the scale of participants that a single group can accommodate in actual deployment.

Under the multi-key configuration, the scheme can maintain good performance under the established parameter settings. However, in order to meet the security strength requirements of 100 bit and 128 bit, this scheme adopts a relatively large polynomial dimension N and ciphertext modulus Q. Meanwhile, to alleviate the noise accumulation during the bootstrapping process, we also set a higher decomposition degree $d_{br}$. Even with the above parameter optimization measures, the number of groups supported by the scheme cannot be increased indefinitely. The noise accumulation during the bootstrapping process is positively correlated with the total number of parties in the entire network. An excessive number of groups will lead to noise overflow. This situation will cause decryption failure even if it does not violate the security assumptions of the scheme. The failure of decryption will further result in the failure of the entire computing task. To avoid such decryption failure, it is necessary to further expand the parameter scale to maintain the preset security strength. Such parameter adjustments not only increase the demand for multiplication triples in the offline phase but also raise the number of polynomial multiplications required for bootstrapping. The overall performance of the scheme in multi-party or multi-key scenarios will eventually be significantly limited.

10.3. Directions for Future Improvement

Based on the design philosophy of the MGHE scheme constructed in this study, the future optimization directions are clear.

Firstly, it is necessary to explore a method for generating joint bootstrapping keys without relying on multiplication triples, thereby reducing the number of communication rounds and lowering the overhead of MGHE under the multi-party setting.

Secondly, in our scheme, we set the NTRU key as $F=f_1\dots f_k$, with the core purpose of maintaining its invertibility in the polynomial ring. However, this design results in the coefficients of the NTRU key being randomly distributed in the integer ring, which in turn makes it impossible to use approximate gadget decomposition. Consequently, the external product between vector NTRU and scalar NTRU cannot be achieved with lower noise accumulation. Therefore, how to negotiate an invertible small element in the polynomial ring without leaking the input information of each party will be a key breakthrough to improve the performance of the proposed scheme.

Finally, our scheme can only preserve the privacy of inputs under the semi-honest adversary model at present. Introducing additional mechanisms such as zero-knowledge proof (ZKP) will incur extra overhead, yet this still represents a promising direction for future research.

11. Conclusions

This paper proposes a novel multi-group homomorphic encryption scheme based on LWE and NTRU. By linearizing the NTRU joint key through additive secret sharing technology, the scheme designs a multi-group hybrid product algorithm, enabling parallel bootstrapping of multi-group LWE ciphertexts for encrypted bits. In a multi-core server environment, the time cost of bootstrapping a multi-group ciphertext is comparable to that of bootstrapping a single-key ciphertext, significantly improving the practicality of the homomorphic encryption scheme. Additionally, specific parameter selections are provided to ensure the scheme can effectively resist sublattice attacks. Finally, the scheme was implemented on OpenFHE, and its effectiveness was verified. Experimental results show that although the overhead of our proposed scheme is considerable in multi-party setting and increases with the number of parties within each group, refreshing a collaborative computing ciphertext involving two groups still takes less than 2 s under 100-bit security. Therefore, this scheme provides a new solution suitable for application scenarios that involve heavy-computing tasks.