Kyber AHE: An Easy-to-Implement Additive Homomorphic Encryption Scheme Based on Kyber and Its Application in Biometric Template Protection

Abstract

Homomorphic encryption solutions tend to be costly in terms of memory and computational resources, making them difficult to implement. In this paper, we present Kyber AHE, a lightweight additive homomorphic encryption scheme for computing the addition modulo 2 of two binary strings in the encrypted domain. It is based on the CRYSTALS-Kyber public key encryption (PKE) scheme, which is the basis of the NIST module-lattice-based key-encapsulation mechanism standard. Apart from being quantum-safe, Kyber PKE has other interesting features such as the use of compressed ciphertexts, reduced sizes of keys, low execution times, and the ability to easily increase the security level. The operations performed in the encrypted domain by Kyber AHE are the decompression of ciphertexts, the component-wise modulo q addition of polynomials, and the compression of the results. A great advantage of Kyber AHE is that it can be easily implemented along with CRYSTALS-Kyber without the need for additional libraries. Among the applications of homomorphic encryption, biometric template protection schemes are a promising solution to provide data privacy by comparing biometric features in the encrypted domain. Therefore, we present the application of Kyber AHE for the protection of biometric templates. Experimental results have been obtained using Kyber AHE in an iris biometric template protection scheme with 256-byte features using Kyber512, Kyber768, and Kyber1024 instances. The sizes of the encrypted iris features are 6.0, 8.5, and 12.5 kB for NIST security levels I, III, and V, respectively. Using a commercial laptop, the encryption ranges from 0.755 to 1.73 ms, the evaluation from 0.096 to 0.161 ms, and the decryption from 0.259 to 0.415 ms, depending on the security level.

1. Introduction

Homomorphic encryption schemes are a promising tool to perform computations in a private way without revealing sensitive information. However, homomorphic encryption schemes are not generally easy to implement, which limits their widespread use. Also, the more complex a scheme is to implement, the more difficult it is to protect against side-channel attacks because it is more complicated to control the security of the multiple components. For example, side-channel vulnerabilities have been found in Microsoft’s SEAL library [1,2,3,4].

When we talk about ease of implementation, we also include the choice of parameters, and this has a relation with the definition of security strength. It seems that the uncertainty about the discovery of new quantum algorithms and the limited ability to predict the performance of future quantum computers makes it difficult to define the strength of a given cryptosystem. This is mentioned in Section 4 of the Call for proposals of the NIST post-quantum competition [5]. This makes the cryptographic engineering of quantum-safe cryptographic primitives a messy task. A curious example is that most quantum-safe homomorphic encryption schemes express the security of the scheme in bits, while the call for proposals of the NIST post-quantum competition does not agree with the definition of the security in bits. Instead, they state that the security should be expressed using a category (I to V) defined by a comparatively easy-to-analyze reference symmetric primitive whose security serves as a floor. Thus, there is a lack of homogeneity in defining the security of quantum-safe primitives.

Biometrics is a promising technology that can be used in conjunction with other authentication methods, such as passwords or tokens, to build strong multi-factor authentication systems for identity management. However, by their very nature (immutable and unique to each individual), biometric traits are sensitive information. This is reflected in the European (EU) General Data Protection Regulation 2016/679 [6]. For this reason, biometric data should be processed with additional schemes to ensure their protection. These schemes are called biometric template protection schemes.

One approach that has gained attention for the protection of biometric templates is the use of homomorphic encryption schemes. In an enrollment phase, a biometric reference (template) is stored in encrypted form. Then, in an authentication phase, a fresh biometric query is generated by the user and later encrypted and compared with the reference in the encrypted domain. The result of the comparison in the encrypted domain is the same as the result of the comparison in the unencrypted domain. Several approaches have been proposed to achieve this [7,8,9].

Homomorphic encryption schemes that allow an unlimited number of operations on an unlimited number of ciphertexts are called Fully Homomorphic Encryption schemes [10]. If there is a limit on the number of operations, the scheme is called a Somewhat Homomorphic Encryption scheme [11]. These types of schemes have been tested in the literature for biometric template protection. Examples include BFV and CKKS, which work with floating-point and integer numbers, respectively.

On the other hand, there is an interest in the literature for homomorphic encryption systems that work with binary numbers, since they generally achieve better performance. Biometric features can be binarized without significantly reducing recognition accuracy [12,13,14]. Also, biometric features can be obtained directly in binary form, such as iris, veins, or palm print features. Note that the privacy of iris features has raised concerns in the public domain, and new works are attempting to address this [15].

1.1. Motivations

We have seen that homomorphic encryption schemes are proposed to be universal solutions that are not tied to concrete applications. However, one drawback of homomorphic encryption schemes is its low performance and even impracticability in certain situations. For example, the work in [16] directly used the CKKS scheme in a fingerprint biometric template protection, and the authors concluded that this scheme was not practical.

We think that the proposal of new homomorphic encryption schemes tied to specific settings is an interesting line of research. In this work, we focus on dealing with messages that have a binary format, and we are interested in the setting where an addition modulo 2 between two binary strings is computed in the encrypted domain and not directly as plaintext. The addition modulo 2 is the same as the XOR operation and can be used to compute the Hamming distance without affecting biometric accuracy. Biometric systems are a clear application where high performance is required because the number of users can be significant.

The work in [17] uses the NTRUEncrypt scheme presented in [18] as an additive homomorphic encryption scheme to protect binary biometric templates. However, the version of NTRUEncrypt used is not provably secure [19]. This renders NTRUEncrypt undesirable as a homomorphic encryption scheme, since at least IND-CPA security is required. Even provably secure versions of the scheme, such as the one in [19], have been shown to have certain vulnerabilities [20,21]. Recently used, NTRU-based public key encryption schemes do not seem to be homomorphic [22]. At the time of writing, it is unclear whether the NTRU cryptosystem could be used to develop a provably secure additive homomorphic encryption scheme. Remarkably, none NTRU-based proposal was selected in the NIST post-quantum competition [23].

1.2. Contributions

In this paper, we propose a homomorphic encryption scheme based on CRYSTALS-Kyber Public Key Encryption, called Kyber Additive Homomorphic Encryption (Kyber AHE). Why Kyber? The reason is that it is a scheme already used in the CRYSTALS-Kyber Key Encapsulation Mechanism (KEM), which is standardized in FIPS-203 [24,25]. It is expected that Kyber KEM will be widely used to exchange ephemeral keys and achieve secure communication. For example, it is expected that it will be used in quantum-safe TLS 1.3 [26,27]. The Call for proposals of the NIST post-quantum competition defines a well-established framework for evaluating the strength of the security of candidates. Thus, Kyber comes with a well-defined notion of security that makes the parameter selection of Kyber AHE easy and homogeneous with existing cryptographic primitives (as the recently standardized Kyber KEM).

Kyber has also some interesting features such as the use of compressed ciphertexts, low execution times, and the ability to easily increase the security level. There are some efforts in the literature to use Kyber for face template protection. A preliminary work was presented in [28]. However, in [28] the homomorphic encryption scheme was not defined, the concrete operations in the encrypted domain were not explained in detail, the homomorphic property of Kyber was not formally proved, and an analysis of the selection of concrete parameters was not shown. We plan to fill this gap with this paper.

Note that the proposed scheme is not general, and we cannot add an arbitrary number of values or perform other binary operations, such as AND. However, the scheme is very lightweight for its intended purpose. In addition, it can be easily integrated with Kyber KEM, for example, in a Trusted Execution Environment (TEE) with constrained enclave sizes [29].

The specific contributions are the following:

• We present a concrete definition of Kyber AHE, with algorithms for key generation, encryption, evaluation, and decryption. The IND-CPA security of Kyber AHE, required in homomorphic encryption schemes, is reduced to the IND-CPA security of Kyber PKE.
• We demonstrate the homomorphic property of the scheme with a theorem, which is used to estimate the failure probability of the scheme in computing the addition modulo 2 of two binary strings. This is important because Kyber AHE (as well as Kyber PKE) algorithms are probabilistic. The results show that very low failure probabilities can be achieved using the parameters of the standardized instances Kyber512, Kyber768, and Kyber1024.
• We are the first in the literature to propose a homomorphic encryption scheme with parameters related to security levels according to the NIST call for proposals. This is because we can use the standardized Kyber instance.
• We show how to apply the proposed scheme in a biometric template protection setting and present concrete experimental results using an iris biometric feature as a reference, specifically the well-known IrisCodes. The performance parameters evaluated are the size of the keys (public and private), the size of the encrypted iris feature, and the times taken to encrypt, evaluate an addition modulo 2 between two binary strings, and decrypt the result.

1.3. Organization

The paper is organized as follows. First, the biometric template protection setting and Kyber PKE are explained as preliminaries in Section 2. Then, the additive homomorphic encryption scheme Kyber AHE is presented in Section 3, where the homomorphic property is demonstrated, and a failure probability analysis is performed (Contributions 1 and 2). The security of the scheme is also discussed, and suitable parameter sets are identified by analyzing the failure probability (Contribution 3). Section 4 shows the performance results of the proposal for the protection of iris features (Contribution 4). Finally, Section 5 concludes the paper.

2. Preliminaries

2.1. Biometric Template Protection Setting with Homomorphic Encryption

We consider the biometric template protection of features in binary form that are compared using the Hamming distance, i.e., addition modulo 2. An example is the iris features. We use the scheme in [30,31] as references of homomorphic encryption-based settings, although they employ non-standardized post-quantum cryptography (among others, CKKS and BFV in the case of [30], and ideal lattices in the case of [31]).

We assume three parties, the Client, the Database Server, and the Matching Server. It is assumed a passive honest-but-curious model where the servers will not deviate from the defined protocol but will attempt to learn all possible information from legitimately received messages. Also, the servers cannot collude, that is, exchange information outside the protocol. This is often assumed in biometric template protection schemes based on homomorphic encryption [7,30]. If the non-collusion assumption is not met, the database server can send the user’s encrypted biometric feature to the matching server. This allows them to know the biometric feature without deviating from the protocol. This could affect the user’s security and privacy in two ways. First, if an attacker gains access to one of the servers and learns the user’s biometric features, s/he can impersonate the user in other applications. This is a major concern since biometric features are linked to individuals and cannot be changed. Second, if the database server knows the biometric feature in clear text, the user can be traced if different enrollments have been performed in more than one matching server. Thus, the user privacy is affected. Of course, if they collaborate, the matching servers could also trace the user.

It is assumed that the communication between the entities is secure. KEMTLS, a quantum-safe upgrade of TLS 1.3, and Kyber KEM can be used to establish secure and authenticated channels [26]. First, in an enrollment phase, a reference biometric template is stored in an encrypted way with Kyber AHE (with the algorithm denoted as Kyber.AHE.Encrypt) in the Database Server. In an authentication phase, shown in Figure 1, the user sends a fresh biometric query encrypted with Kyber AHE to the Database Server, and the Database Server then runs the Kyber AHE evaluation algorithm (denoted as Kyber.AHE.Eval) on the enrolled ciphertext and the fresh ciphertext. Finally, the resulting ciphertext is sent to the Matching Server and decrypted (with the algorithm denoted as Kyber.AHE.Decrypt) to obtain the Hamming distance between the biometric features. The algorithms of Kyber AHE are detailed in Section 3.

Note that, with this scheme, the matching server knows more than just the Hamming distance because it knows the XOR between two biometric responses. This is an issue already reported in the literature [32]. It has been stated that the XOR of an individual’s biometric responses can reveal information about the reliability of those responses and that this information could be used to track the individual. However, several solutions have been proposed that could use the proposed scheme while circumventing this issue. One solution is to use Biohashing and cancellable biometrics to erase the link between the template and the individual [32]. Promising results have been found for face templates [33]. Another solution is the use of multi-party computation (MPC) and garbled circuits [34].

2.2. Applications of Additive Homomorphic Encryption Beyond Biometric Template Protection

Masking against side-channel attacks. Side-channel attacks are a major concern for lattice-based cryptographic schemes, including Kyber [35]. To address this issue, new masking techniques are being developed to protect specific implementations. One interesting masking scheme for ring-LWE decryption is presented in [36]. The main idea is that an additive homomorphism in the encryption scheme can introduce randomness into the decryption procedure. Suppose we want to decrypt the ciphertext $c=Enc(m,sk)$, where $m$ is the message that we want to decrypt. First, an internal random message $m^{\prime }$ is generated. Then, $m^{\prime }$ is encrypted using the secret key $sk$ to obtain $c^{\prime }=Enc(m^{\prime },sk)$. Later, the resulting ciphertext $c^{\prime }$ is homomorphically added to $c$, resulting in $c^{\prime }+c$. Finally, $c^{\prime }+c$ is decrypted to obtain $m\oplus m^{\prime }$, which, XOR-ed with $m^{\prime }$, is used to obtain the message $m$. The mentioned work applies the idea to the LPR (Lyubashevsky, Peikert, and Regev) encryption scheme.

The aforementioned approach is easy to implement because it does not require a masked decoder. However, the experimental results show that the failure rate is too high, making the solution impractical. For example, it cannot be used with CCA-secure schemes [37]. In this paper, we demonstrate that the parameters used with Kyber AHE provide low failure probabilities. Thus, this work opens the door to new masking techniques for Kyber PKE or Kyber KEM.

Other schemes that use non-uniform and unreliable secrets. Additive homomorphic encryption can be applied in scenarios where a string that is neither completely uniform nor reliable is used to identify an entity. Device authentication using Physically Unclonable Functions (PUFs) is a good example. PUFs measure the effects of random process variations during the manufacturing of integrated circuits. These variations result in a binary string that can be used as an identifier. Thus, PUF data is similar to biometric data, and the same approach used to compute the XOR of a reference and a fresh response in the encrypted domain can be applied [38,39].

2.3. Notation

Rings and vectors. Let $\mathbb{Z}$ denote the ring of integers and ${\mathbb{Z}}_q$ denote the ring of integers modulo an integer $q$. $R$ and $R_q$ denote the rings ${\displaystyle \frac{\mathbb{Z}\left[X\right]}{X^n+1}}$ and ${\displaystyle \frac{{\mathbb{Z}}_q\left[X\right]}{X^n+1}}$, respectively, where $n=2^{n^{\prime }-1}$ such that $X^n+1$ is the $2^{n^{\prime }}$-th cyclotomic polynomial. Throughout this paper, the values of $\mathrm{n}$, $n^{\prime }$, and $\mathrm{q}$ are 256, 9, and 3329, respectively, as considered in the specifications of CRYSTALS-Kyber. The notation employed is that regular font letters denote elements in $R$ or $R_q$ (which includes elements in $\mathbb{Z}$ and ${\mathbb{Z}}_q$), bold lower-case letters represent vectors with components in $R$ or $R_q$, and bold upper-case letters are matrices. All vectors are column vectors. For a vector $\mathit{t}$ (or matrix $\mathit{A}$), we denote its transpose by ${\mathit{t}}^{\mathit{T}}$ (or ${\mathit{A}}^{\mathit{T}}$).

Modulo reduction. For an even positive integer $\alpha$, we define $r^{\prime }=r{mod}^{\pm }\alpha$ to be the unique element $r^{\prime }$ in the range $-{\displaystyle \frac{\alpha }{2}}<r^{\prime }\le {\displaystyle \frac{\alpha }{2}}$ such that $r^{\prime }=rmod\alpha$. For an odd positive integer $\alpha$, we define $r^{\prime }=r{mod}^{\pm }\alpha$ to be the unique element $r^{\prime }$ in the range $-{\displaystyle \frac{\alpha -1}{2}}<r^{\prime }\le {\displaystyle \frac{\alpha -1}{2}}$ such that $r^{\prime }=rmod\alpha$. For any positive integer $\alpha$, we define $r^{\prime }=r{mod}^{+}\alpha$ to be the unique element $r^{\prime }$ in the range $0\le r^{\prime }<\alpha$ such that $r^{\prime }=rmod\alpha$. If the exact representation is not important, we will use the expression $rmod\alpha$.

Rounding. For an element $x\in \mathbb{Q}$ we denote $⌈x⌋$ by the rounding of $x$ to the closest integer with ties being rounded up. As example that will appear in this paper, if $q$ is a prime number greater than two, then $⌈{\displaystyle \frac{q}{2}}⌋={\displaystyle \frac{q+1}{2}}$.

Size of elements and norms. For an element $w\in {\mathbb{Z}}_q$, we write ${‖w‖}_{\mathrm{\infty }}$ to mean $\left|w {mod}^{\pm }q\right|$. For a polynomial $w\in R$ of degree $n$, we define the $l_{\mathrm{\infty }}$ norm for $w={\sum }_{i=0}^{n-1}{w}_i·X^i\in R$ as ${‖w‖}_{\mathrm{\infty }}={max}_{iϵ\left\{0,\dots ,n-1\right\}}{‖w_i‖}_{\mathrm{\infty }}$. Similarly, for a vector of polynomials $\mathit{w}=\left(w_1,\dots ,w_k\right)\in R^k$, we define it as ${‖\mathit{w}‖}_{\mathrm{\infty }}={max}_{iϵ\left\{1,\dots ,k\right\}}{‖w_i‖}_{\mathrm{\infty }}$.

Sets and distributions. For a set $S$, we write $s\leftarrow S$ to denote that $s$ is chosen uniformly at random from $S$. If $S$ is a probability distribution, then this denotes that $s$ is chosen according to the distribution $S$.

Let $Sam$ be an extendable output function (XOF), that is, a function on bit strings where the output can be extended to any length. If we want $Sam$ to take as input $x$ and then produce a value $y$ that is distributed according to a given distribution $S$ (or uniformly over a set $S$), we write $y\sim S≔Sam\left(x\right)$.

We define the output of a centered binomial distribution $B_{\eta }$ for some positive integer $\eta$ as ${\sum }_{i=1}^{\eta }\left(a_i-b_i\right)$ given the samples ${\left\{\left(a_i,b_i\right)\right\}}_{i=1}^{\eta }\leftarrow {\left({\left\{0,1\right\}}^2\right)}^{\eta }$.

If $v$ is an element of $R$, we write $v\leftarrow {\beta }_{\eta }$ to mean that $v\in R$ is generated from a distribution where each of its coefficients is generated according to $B_{\eta }$. Similarly, a $k$-dimensional vector of polynomials $\mathit{v}\in R^k$ can be generated according to the distribution ${\beta }_{\eta }^k$.

Compression and decompression functions. For an element $x\in {\mathbb{Z}}_q$ and two positive integers $d$ and $q$, with $2^d<q$, the functions ${Compress}_q$ and ${Decompress}_q$ are defined as ${Compress}_q\left(x,d\right)=⌈\left({\displaystyle \frac{2^d}{q}}\right)·x⌋{mod}^{+}{2}^d$ and ${Decompress}_q\left(x,d\right)=⌈\left({\displaystyle \frac{q}{2^d}}\right)·x⌋$. An important property (demonstrated in Appendix X.C in [40]) is that if $x^{\prime }={Decompress}_q\left({Compress}_q\left(x,d\right),d\right)$, then the following is met:

$$\left|x^{\prime }-x{mod}^{\pm }q\right|=\left|x-x^{\prime }{mod}^{\pm }q\right|\le ⌈{\displaystyle \frac{q}{2^{d+1}}}⌋$$

(1)

When ${Compress}_q$ or ${Decompress}_q$ is used with $x\in R_q$ (and $\mathit{x}\in R_q^k$), the procedure is applied to each coefficient individually (and each polynomial individually).

2.4. The Module-LWE Problem

The security of Kyber PKE is based on the hardness of the Module Learning With Errors (Module-LWE) problem [24]. The decision Module-LWE problem is defined as follows.

Definition 1 

(Decision Module-LWE). Let $k$ and q be integer parameters. The problem states that it is hard to distinguish samples $\left({\mathit{a}}_i,b_i\right)\in R_q^k\times R_q$ where the coefficients of ${\mathit{a}}_i$ and $b_i$ are sampled from a uniform random distribution, from samples $\left({\mathit{a}}_i,b_i\right)\in R_q^k\times R_q$, where the coefficients of ${\mathit{a}}_i$ are sampled from a uniform random distribution and $b_i={\mathit{a}}_i^T\mathit{s}+e_i$ such that $\mathit{s}\leftarrow {\beta }_{\eta }^k$ and $e_i\leftarrow {\beta }_{\eta }$, where $\mathit{s}$ is common to all samples and $e_i$ is fresh.

For an algorithm $\mathrm{A}$, the adversary ${\mathit{A}\mathit{d}\mathit{v}}_{m,k,\eta }^{MLWE}\left(\mathrm{A}\right)$ against the decision MLWE problem is defined in [24] as follows:

$$\left|\mathit{Pr}\left[b^{\prime }=1:{\displaystyle \genfrac{}{}{0pt}{}{\mathit{A}\leftarrow R_q^{m\times k};\left(\mathit{s},\mathit{e}\right)\leftarrow {\beta }_{\eta }^k\times {\beta }_{\eta }^m;}{\mathit{b}=\mathit{A} \mathit{s}+\mathit{e};b^{\prime }\leftarrow A\left(\mathit{A},\mathit{b}\right)}}\right]-\mathit{Pr}\left[b^{\prime }=1:{\displaystyle \genfrac{}{}{0pt}{}{\mathit{A}\leftarrow R_q^{m\times k};}{\mathit{b}\leftarrow R_q^m;b^{\prime }\leftarrow A\left(\mathit{A},\mathit{b}\right)}}\right]\right|$$

(2)

2.5. Kyber Public Key Encryption

The Kyber Public Key Encryption (PKE) scheme is defined by a message space $M$ and a triple of probabilistic algorithms, which are key generation ($Kyber.PKE.KeyGen$), encryption ($Kyber.PKE.Encrypt$), and decryption ($Kyber.PKE.Decrypt$) algorithms. The key generation algorithm returns a pair $\left(pk,sk\right)$ consisting of a public key and a secret key, respectively. The encryption algorithm takes a public key $pk$ and a message $m\in M$ to produce a ciphertext $c$. Finally, the decryption algorithm takes a secret key $sk$ and a ciphertext $c$ and returns a message $m$.

In the $Kyber.PKE.KeyGen$ algorithm, defined as Algorithm 1, two seeds, $\rho$ and $\sigma$, are sampled from a uniform random distribution. These seeds are used to sample coefficients from a uniform random distribution for polynomials in the matrix $\mathit{A}$ and from a binomial central distribution (${\beta }_{\eta }$) for polynomials in $\mathit{s}$ and $\mathit{e}$, where η is a positive integer. A XOF is used. $\mathit{t}$ is computed as $\mathit{A} \mathit{s}+\mathit{e}$. Note that the result is not compressed because a problem was found in the security proof for the indistinguishability under chosen plaintext attack (IND-CPA) [41]. The seed $\rho$ is also stored with $\mathit{t}$ to form the public key $pk$ and $\mathit{s}$ is stored as the secret key $sk$.

Algorithm 1. $KYBER.PKE.KeyGen()$

1: $\rho ,\sigma \leftarrow {\{0,1\}}^{256}$

2: $\mathit{A}~R_q^{k\mathrm{x}k}≔Sam(\rho )$

3: $\left(\mathit{s},\mathit{e}\right)~{\beta }_{\eta }^k\times {\beta }_{\eta }^k≔Sam(\sigma )$

4: $\mathit{t}≔\mathit{A} \mathit{s}+\mathit{e}$

5: $\mathit{r}\mathit{e}\mathit{t}\mathit{u}\mathit{r}\mathit{n}(pk≔\left(\mathit{t},\rho \right),sk≔\mathit{s})$

The $Kyber.PKE.Encrypt$ algorithm, defined as Algorithm 2, takes, as input, a message $m$, with message space $M={\left\{0,1\right\}}^{256}$, and the public key $pk=\left(\mathit{t},\rho \right)$. Every message $m\in M$ can be viewed as a polynomial in $R$ with coefficients in $\left\{0,1\right\}$. First, a seed $r$ is sampled from a uniform random distribution. Then, the matrix $\mathit{A}$ is retrieved from the seed $\rho$ as in the $Kyber.PKE.KeyGen$ algorithm. The seed $r$ is used for sampling coefficients from a binomial central distribution ${\beta }_{\eta }$ for polynomials in $\mathit{r}$ and ${\mathit{e}}_1$ and the polynomial $e_2$. Then, two parts of the ciphertext are computed, from ${\mathit{A}}^{\mathit{T}}\mathit{r}+{\mathit{e}}_1$ and ${\mathit{t}}^{\mathit{T}}\mathit{r}+e_2+⌈{\displaystyle \frac{q}{2}}⌋·m$. The two parts are compressed with ${Compress}_q$, resulting in $\mathit{u}$ and $v$. The ciphertext $c$ is formed by $\mathit{u}$ and $v$.

Algorithm 2. $KYBER.PKE.Encrypt(pk=\left(\mathit{t},\rho \right),m\in M)$

1:$r\leftarrow {\{0,1\}}^{256}$

2: $\mathit{A}~R_q^{k\mathrm{x}k}≔Sam(\rho )$

3: $\left(\mathit{r},{\mathit{e}}_1,e_2\right)~{\beta }_{\eta }^k\times {\beta }_{\eta }^k\times {\beta }_{\eta }≔Sam(r)$

4: $\mathit{u}≔{Compress}_q({\mathit{A}}^{\mathit{T}}\mathit{r}+{\mathit{e}}_1,d_u)$

5: $v≔{Compress}_q({\mathit{t}}^{\mathit{T}}\mathit{r}+e_2+\lceil {\displaystyle \frac{q}{2}}\rfloor ·m,d_v)$

6: $\mathit{r}\mathit{e}\mathit{t}\mathit{u}\mathit{r}\mathit{n}c=(\mathit{u},v)$

In the $Decrypt$ algorithm, defined as Algorithm 3, the ciphertext $c=\left(\mathit{u},v\right)$ and the secret key $sk=\mathit{s}$ are taken as inputs. First, the parts of the ciphertext $\mathit{u}$ and $v$ are decompressed using ${Decompress}_q$, resulting in ${\mathit{u}}_{\mathit{D}}$ and $v_D$. Then, the value $v_D-{\mathit{s}}^{\mathit{T}}{\mathit{u}}_{\mathit{D}}$ is computed. The ${Compress}_q$ function is used to decrypt to a 1 if $v_D-{\mathit{s}}^{\mathit{T}}{\mathit{u}}_{\mathit{D}}$ is closer to $⌈{\displaystyle \frac{q}{2}}⌋$ than to 0 and decrypt it to a 0 otherwise.

Algorithm 3. $KYBER.PKE.Decrypt(sk=\mathit{s},c=(\mathit{u},v))$

1:${\mathit{u}}_{\mathit{D}}≔{Decompress}_q(\mathit{u},d_u)$

2: $v_D≔{Decompress}_q(v,d_v)$

3: $\mathit{r}\mathit{e}\mathit{t}\mathit{u}\mathit{r}\mathit{n}m={Compress}_q(v_D-{\mathit{s}}^{\mathit{T}}{\mathit{u}}_{\mathit{D}},1)$

3. Kyber Additive Homomorphic Encryption

3.1. Definition

We define the Kyber Additive Homomorphic Encryption (Kyber AHE) scheme, also referred to as $Kyber.AHE$, with the message space $M$ and the tuple of algorithms $\Pi =$ ($Kyber.AHE.KeyGen$, $Kyber.AHE.Encrypt$, $Kyber.AHE.Eval$, $Kyber.AHE.Decrypt$). The algorithms are defined as follows:

-

$Kyber.AHE.KeyGen\left(\right)$: is the same as the $Kyber.PKE.KeyGen$ algorithm defined in Section 2.5. It returns a secret key $sk$ and a public key $pk$.

-

$Kyber.AHE.Encrypt\left(pk,m\right)$: is the same as the $Kyber.PKE.Encrypt$ algorithm defined in Section 2.5. It takes the public key $pk$ and the message $m$ and returns the ciphertext $c=\left(\mathit{u},v\right)$.

-

$Kyber.AHE.Eval\left(c_1,c_2\right)$: it takes two ciphertexts, $c_1$ and $c_2$, and returns a ciphertext $c$. It works as follows. First, the two input ciphertexts, $c_1$ and $c_2$, are parsed into $\left({\mathit{u}}_1,v_1\right)$ and $\left({\mathit{u}}_2,v_2\right)$. Then, they are decompressed using the ${Decompress}_q$ function and added modulo $q$. Finally, the result is recompressed using the $C{ompress}_q$ function. The result is the ciphertext $c=\left(\mathit{u},v\right)$. Figure 2 illustrates the high-level block diagram of the operations involved in the evaluation algorithm. The steps are shown in Algorithm 4.

-

$Kyber.AHE.Decrypt\left(sk,c\right)$: is the same as the $Kyber.PKE.Decrypt$ algorithm defined in Section 2.5.

This scheme allows for computing the addition modulo 2 of two messages in the encrypted domain. This is proven in Theorem 1. Note that the addition modulo 2 is the same as the coefficient-wise XOR of the messages.

Algorithm 4. $KYBER.AHE.Eval(c_1=\left({\mathit{u}}_1,v_1\right),c_2=({\mathit{u}}_2,v_2))$

1: ${\mathit{u}}_{\mathit{D},1}≔{Decompress}_q({\mathit{u}}_1,d_u)$

2: ${\mathit{u}}_{\mathit{D},2}≔{Decompress}_q({\mathit{u}}_2,d_u)$

3: $v_{D,1}≔{Decompress}_q(v_1,d_v)$

4: $v_{D,2}≔{Decompress}_q(v_2,d_v)$

5: ${\mathit{u}}_{\mathit{a}\mathit{d}\mathit{d}}≔{\mathit{u}}_{\mathit{D},1}+{\mathit{u}}_{\mathit{D},2}{mod}^{+}q$

6: $v_{add}≔v_{D,1}+v_{D,2}{mod}^{+}q$

7: $\mathit{u}≔{Compress}_q({\mathit{u}}_{add},d_u)$

8: $v≔{Compress}_q(v_{add},d_v)$

9: $\mathit{r}\mathit{e}\mathit{t}\mathit{u}\mathit{r}\mathit{n}(\mathit{u},v)$

Theorem 1 

(Correctness). Let $\mathit{A}\in R_q^{kxk}$, $\mathit{s}$, ${\mathit{r}}_1$, ${\mathit{r}}_2$, $\mathit{e}$, ${\mathit{e}}_{1,1}$, ${\mathit{e}}_{\mathrm{1,2}}\in R^k$, $e_{\mathrm{2,1}}$, $e_{\mathrm{2,2}}\in R$ and let the messages $m_1$, $m_2\in R_q$ with coefficients in $\left\{0,1\right\}$. It is assumed that $q\equiv 1mod4$. Define:

• $\mathit{t}$, $\rho$, and $\mathit{s}$ as the output $\left(\mathit{t},\rho \right)$ and $\mathit{s}$ of Algorithm 1.
• $\left({\mathit{u}}_1,v_1\right)$ as the output of Algorithm 2 applied to $m_1$ using $\mathit{t}$ and $\rho$. Similarly, $\left({\mathit{u}}_2,v_2\right)$ as the output of Algorithm 2 applied to $m_2$ using the same $\mathit{t}$ and $\rho$.
• $\left(\mathit{u},v\right)$ as the output of Algorithm 4 applied to $\left({\mathit{u}}_1,v_1\right)$ and $\left({\mathit{u}}_2,v_2\right)$.
• ${\mathit{c}}_{u,1},{\mathit{c}}_{u,2},c_{v,1}$, and $c_{v,2}$ as the compression errors introduced in Algorithm 2 to obtain $\left({\mathit{u}}_1,v_1\right)$ and $\left({\mathit{u}}_2,v_2\right)$.
• ${\mathit{c}}_u$, $c_v$ as the compression errors introduced in Algorithm 4 to obtain $\left(\mathit{u},v\right)$.
• $m$ as the output of Algorithm 3 applied to $\left(\mathit{u},v\right)$ using $\mathit{s}$.

If the following is true,

$${‖{\mathit{e}}^T\left({\mathit{r}}_1+{\mathit{r}}_2\right)+e_{\mathrm{2,1}}+e_{\mathrm{2,2}}+c_{v,1}+c_{v,2}+c_v-{\mathit{s}}^T\left({\mathit{e}}_{1,1}+{\mathit{e}}_{\mathrm{1,2}}+{\mathit{c}}_{u,1}+{\mathit{c}}_{u,2}+{\mathit{c}}_u\right)‖}_{\infty }<⌈{\displaystyle \frac{q}{4}}⌋,$$

(3)

then, $m\in R_q$ is equal to $m_1+m_{2}mod2$, that is, the XOR between the coefficients of $m_1$ and $m_2$.

Proof. 

When Algorithm 4 is applied, the decompressed values of ${\mathit{u}}_1$ and ${\mathit{u}}_2$ are as follows:

$${\mathit{u}}_{D,1}={Decompress}_q\left({Compress}_q\left({\mathit{A}}^T{\mathit{r}}_1+{\mathit{e}}_{1,1},d_u\right),d_u\right)={\mathit{A}}^T{\mathit{r}}_1+{\mathit{e}}_{1,1}+{\mathit{c}}_{u,1}$$

(4)

$${\mathit{u}}_{D,2}={\mathit{A}}^T{\mathit{r}}_2+{\mathit{e}}_{\mathrm{1,2}}+{\mathit{c}}_{u,2}$$

(5)

where ${\mathit{c}}_{u,1},{\mathit{c}}_{u,2}\in R^k$. Similarly, the decompressed values of $v_1$ and $v_2$ are as follows:

$$\begin{gathered} v_{D,1}={Decompress}_q\left({Compress}_q\left({\mathit{t}}^T{\mathit{r}}_1+e_{\mathrm{2,1}}+⌈{\displaystyle \frac{q}{2}}⌋·m_1,d_v\right),d_v\right)= \\ {\mathit{t}}^T{\mathit{r}}_1+e_{\mathrm{2,1}}+⌈{\displaystyle \frac{q}{2}}⌋·m_1+c_{v,1}={\left(\mathit{A} \mathit{s}+\mathit{e}\right)}^T{\mathit{r}}_1+e_{\mathrm{2,1}}+⌈{\displaystyle \frac{q}{2}}⌋·m_1+c_{v,1} \end{gathered}$$

(6)

$$v_{D,2}={\left(\mathit{A} \mathit{s}+\mathit{e}\right)}^T{\mathit{r}}_2+e_{\mathrm{2,2}}+⌈{\displaystyle \frac{q}{2}}⌋·m_2+c_{v,2}$$

(7)

In Algorithm 4, these values are added modulo $\mathrm{q}$, resulting in the following:

$${\mathit{u}}_{\mathit{a}\mathit{d}\mathit{d}}={\mathit{u}}_{\mathit{D},1}+{\mathit{u}}_{\mathit{D},2}{mod}^{+}q={\mathit{A}}^T\left({\mathit{r}}_1+{\mathit{r}}_2\right)+{\mathit{e}}_{1,1}+{\mathit{e}}_{\mathrm{1,2}}+{\mathit{c}}_{u,1}+{\mathit{c}}_{u,2}{mod}^{+}q$$

(8)

$$v_{add}=v_{D,1}+v_{D,2}{mod}^{+}q={\left(\mathit{A} \mathit{s}+\mathit{e}\right)}^T\left({\mathit{r}}_1+{\mathit{r}}_2\right)+e_{\mathrm{2,1}}+e_{\mathrm{2,2}}+⌈{\displaystyle \frac{q}{2}}⌋·\left(m_1+m_2\right)+c_{v,1}+c_{v,2}{mod}^{+}q$$

(9)

Then, the values of ${\mathit{u}}_D$ and $v_D$ that are obtained when executing Algorithm 3 can be written as follows:

$${\mathit{u}}_D={Decompress}_q\left({Compress}_q\left({\mathit{u}}_{\mathit{a}\mathit{d}\mathit{d}},d_u\right),d_u\right)={\mathit{A}}^T\left({\mathit{r}}_1+{\mathit{r}}_2\right)+{\mathit{e}}_{1,1}+{\mathit{e}}_{\mathrm{1,2}}+{\mathit{c}}_{u,1}+{\mathit{c}}_{u,2}+{\mathit{c}}_u$$

(10)

$$v_D={Decompress}_q\left({Compress}_q\left(v_{add},d_v\right),d_v\right)={\left(\mathit{A} \mathit{s}+\mathit{e}\right)}^T\left({\mathit{r}}_1+{\mathit{r}}_2\right)+e_{\mathrm{2,1}}+e_{\mathrm{2,2}}+⌈{\displaystyle \frac{q}{2}}⌋·\left(m_1+m_2\right)+c_{v,1}+c_{v,2}+c_v$$

(11)

Then, the $v_D-{\mathit{s}}^T{\mathit{u}}_D$ term can be expressed as follows:

$$\begin{gathered} v_D-{\mathit{s}}^T{\mathit{u}}_D= \\ {\left(\mathit{A} \mathit{s}+\mathit{e}\right)}^T\left({\mathit{r}}_1+{\mathit{r}}_2\right)+e_{\mathrm{2,1}}+e_{\mathrm{2,2}}+⌈{\displaystyle \frac{q}{2}}⌋·\left(m_1+m_2\right)+c_{v,1}+c_{v,2}+c_v \\ -{\mathit{s}}^T\left({\mathit{A}}^T\left({\mathit{r}}_1+{\mathit{r}}_2\right)+{\mathit{e}}_{1,1}+{\mathit{e}}_{\mathrm{1,2}}+{\mathit{c}}_{u,1}+{\mathit{c}}_{u,2}+{\mathit{c}}_u\right)= \\ {\mathit{e}}^T\left({\mathit{r}}_1+{\mathit{r}}_2\right)+e_{\mathrm{2,1}}+e_{\mathrm{2,2}}+⌈{\displaystyle \frac{q}{2}}⌋·\left(m_1+m_2\right)+c_{v,1}+c_{v,2}+ \\ {c}_v-{\mathit{s}}^T\left({\mathit{e}}_{1,1}+{\mathit{e}}_{\mathrm{1,2}}+{\mathit{c}}_{u,1}+{\mathit{c}}_{u,2}+{\mathit{c}}_u\right) \end{gathered}$$

(12)

We can conveniently accumulate all the error terms in one variable $w$ as follows:

$$w={\mathit{e}}^T\left({\mathit{r}}_1+{\mathit{r}}_2\right)+e_{\mathrm{2,1}}+e_{\mathrm{2,2}}+c_{v,1}+c_{v,2}+c_v-{\mathit{s}}^T\left({\mathit{e}}_{1,1}+{\mathit{e}}_{\mathrm{1,2}}+{\mathit{c}}_{u,1}+{\mathit{c}}_{u,2}+{\mathit{c}}_u\right)$$

(13)

Hence, Equation (12) can be expressed as follows:

$$v_D-{\mathit{s}}^T{\mathit{u}}_D=w+⌈{\displaystyle \frac{q}{2}}⌋·\left(m_1+m_2\right)$$

(14)

Then, the decrypted message that is obtained when Algorithm 3 is used to decrypt the result of Algorithm 4 can be expressed as follows:

$$m={Compress}_q\left(v_D-{\mathit{s}}^T{\mathit{u}}_D,1\right)$$

(15)

Since $m$ can be viewed as a polynomial in $R$ with coefficients in $\left\{0,1\right\}$, we can write the following:

$$m^{\prime }={Decompress}_q\left(m,1\right)=⌈{\displaystyle \frac{q}{2^1}}·m⌋=⌈{\displaystyle \frac{q}{2}}·m⌋=⌈{\displaystyle \frac{q}{2}}⌋·m={Decompress}_q\left({Compress}_q(v_D-{\mathit{s}}^{\mathit{T}}{\mathit{u}}_{\mathit{D}},1\right),1)$$

(16)

We also know from inequality (1) that the distance between a value and the result of the decompression of its compression has an upper bound. Thus, the following is true:

$${{‖v_D-{\mathit{s}}^T{\mathit{u}}_D-m^{\prime }‖}_{\infty }=‖v_D-{\mathit{s}}^T{\mathit{u}}_D-⌈{\displaystyle \frac{q}{2}}⌋·m‖}_{\infty }\le ⌈{\displaystyle \frac{q}{2^{1+1}}}⌋=⌈{\displaystyle \frac{q}{4}}⌋$$

(17)

Hence, inequality (17) can be rewritten as (using Equation (14)):

$${‖w+⌈{\displaystyle \frac{q}{2}}⌋·\left(m_1+m_2\right)-⌈{\displaystyle \frac{q}{2}}⌋·m‖}_{\infty }={‖w+⌈{\displaystyle \frac{q}{2}}⌋·\left(m_1+m_2-m\right)‖}_{\infty }\le ⌈{\displaystyle \frac{q}{4}}⌋$$

(18)

Then, we know from the statement of the theorem (inequality (3)) that the following is accomplished:

$${‖{\mathit{e}}^{\mathit{T}}\left({\mathit{r}}_1+{\mathit{r}}_2\right)+e_{\mathrm{2,1}}+e_{\mathrm{2,2}}+c_{v,1}+c_{v,2}+c_v-{\mathit{s}}^{\mathit{T}}\left({\mathit{e}}_{1,1}+{\mathit{e}}_{\mathrm{1,2}}+{\mathit{c}}_{\mathit{u},1}+{\mathit{c}}_{\mathit{u},2}+{\mathit{c}}_{\mathit{u}}\right)‖}_{\mathit{\infty }}={‖w‖}_{\mathit{\infty }}<⌈{\displaystyle \frac{q}{4}}⌋$$

(19)

Using inequalities (18) and (19) and the triangle inequality in ${‖·‖}_{\infty }$, we can also get the following inequality:

$${‖⌈{\displaystyle \frac{q}{2}}⌋·\left(m_1+m_2-m\right)‖}_{\infty }={‖w+⌈{\displaystyle \frac{q}{2}}⌋·\left(m_1+m_2-m\right)-w‖}_{\infty }\le {‖w+⌈{\displaystyle \frac{q}{2}}⌋·\left(m_1+m_2-m\right)‖}_{\infty }+{‖w‖}_{\infty }<⌈{\displaystyle \frac{q}{4}}⌋+⌈{\displaystyle \frac{q}{4}}⌋=2·⌈{\displaystyle \frac{q}{4}}⌋$$

(20)

Thus, we arrive at the following inequality:

$${‖⌈{\displaystyle \frac{q}{2}}⌋·\left(m_1+m_2-m\right)‖}_{\infty }<2·⌈{\displaystyle \frac{q}{4}}⌋$$

(21)

In order to show that the values of $m$, take the values of $m_1+m_{2}mod2$, we note, first, that if $m$ is equal to $m_1+m_{2}mod2$; then, inequality (21) is accomplished. Then, let us imagine that the values of the coefficients of $m$ do not take the value $m_1+m_{2}mod2$. Then, the value of $\left(m_1+m_2-m\right)$ would be $\pm 1$. In that case, there would be a coefficient with the following value:

$${‖⌈{\displaystyle \frac{q}{2}}⌋·\left(m_1+m_2-m\right)‖}_{\infty }=\left|⌈{\displaystyle \frac{q}{2}}⌋·\left(\pm 1\right){mod}^{\pm }q\right|=\left|{\displaystyle \frac{q+1}{2}}{mod}^{\pm }q\right|=\left|{\displaystyle \frac{-q+1}{2}}\right|={\displaystyle \frac{q-1}{2}}=2·{\displaystyle \frac{q-1}{4}}$$

(22)

where ${\displaystyle \frac{\left(q+1\right)}{2}}$ is reduced to ${\displaystyle \frac{\left(-q+1\right)}{2}}$ with the ${mod}^{\pm }$ operation. As shown in [40], if $q\equiv 1mod4$, that is true since its value is 3329, then we have the equality $⌈{\displaystyle \frac{q}{4}}⌋={\displaystyle \frac{q-1}{4}}$, and the Equation (22) is the following:

$${‖⌈{\displaystyle \frac{q}{2}}⌋·\left(m_1+m_2-m\right)‖}_{\infty }=2·⌈{\displaystyle \frac{q}{4}}⌋$$

(23)

which contradicts inequality (21). On the other hand, if $m$ is equal to $m_1+m_2 mod 2$, we have the following cases:

• $m_1=m_2=0$, then $m=0$. Inequality (21) is accomplished as follows:

  $$\left|⌈{\displaystyle \frac{q}{2}}⌋·\left(0+0-0\right){mod}^{\pm }q\right|=0<2·⌈{\displaystyle \frac{q}{4}}⌋$$
• $m_1=0$ and $m_2=1$, then $m=1$. Inequality (21) is accomplished as follows:

  $$\left|⌈{\displaystyle \frac{q}{2}}⌋·\left(0+1-1\right){mod}^{\pm }q\right|=0<2·⌈{\displaystyle \frac{q}{4}}⌋$$
• $m_1=1$ and $m_2=0$, then $m=1$. Inequality (21) is accomplished as follows:

  $$\left|⌈{\displaystyle \frac{q}{2}}⌋·\left(1+0-1\right){mod}^{\pm }q\right|=0<2·⌈{\displaystyle \frac{q}{4}}⌋$$
• $m_1=1$ and $m_2=1$, then $m=0$. Inequality (21) is accomplished as follows:

  $$\left|⌈{\displaystyle \frac{q}{2}}⌋·\left(1+1-0\right){mod}^{\pm }q\right|=\left|2·⌈{\displaystyle \frac{q}{2}}⌋{mod}^{\pm }q\right|=\left|q+1{mod}^{\pm }q\right|=1<2·⌈{\displaystyle \frac{q}{4}}⌋$$

Thus, we conclude that the decryption algorithm returns the addition mod 2 of the bitstrings. Figure 3 illustrates a high-level description of how errors accumulate at the end of the decryption process. □

For the sake of completeness, Theorem 2 states that subtraction mod 2 can be used in an encrypted domain to perform XOR on bit strings.

Theorem 2. 

Let $\mathit{A}\in R_q^{kxk}$, $\mathit{s}$, ${\mathit{r}}_1$, ${\mathit{r}}_2$, $\mathit{e}$, ${\mathit{e}}_{1,1}$, ${\mathit{e}}_{\mathrm{1,2}}\in R_q^k$, $e_{\mathrm{2,1}}$, $e_{\mathrm{2,2}}\in R_q$ and let the messages $m_1$, $m_2\in R_q$ with coefficients in $\left\{0,1\right\}$. It is assumed that $q\equiv 1mod4$. Define:

• $\mathit{t}$, $\rho$, and $\mathit{s}$ as the output $\left(\mathit{t},\rho \right)$ and $\mathit{s}$ of Algorithm 1.
• $({\mathit{u}}_1,v_1)$ as the output of Algorithm 2 applied to $m_1$ using $\mathit{t}$ and $\rho$. Similarly, $({\mathit{u}}_2,v_2)$ as the output of Algorithm 2 is applied to $m_2$ using the same $\mathit{t}$ and $\rho$.
• $(\mathit{u},v)$ as the output of Algorithm 5 applied to $({\mathit{u}}_1,v_1)$ and $({\mathit{u}}_2,v_2)$ using $\mathit{t}$, it is, the coefficients of the polynomials in the ciphertexts are subtracted.
• ${\mathit{c}}_{u,1}$, ${\mathit{c}}_{u,2}$, $c_{v,1}$, $c_{v,1}$ as the compression errors of $({\mathit{u}}_1,v_1)$ and $({\mathit{u}}_2,v_2)$ introduced in Algorithm 2.
• ${\mathit{c}}_u$, $c_v$ as the compression errors of $(\mathit{u},v)$ introduced in Algorithm 5.
• $m^{\prime }$ as the output of Algorithm 3 applied to $\left(\mathit{u},v\right)$ using $\mathit{s}$.

Algorithm 5. $KYBER.AHE.Eval(c_1=\left({\mathit{u}}_1,v_1\right),c_2=\left({\mathit{u}}_2,v_2\right))$

1: ${\mathit{u}}_{\mathit{D},1}≔{Decompress}_q({\mathit{u}}_1,d_u)$

2: ${\mathit{u}}_{\mathit{D},2}≔{Decompress}_q({\mathit{u}}_2,d_u)$

3: $v_{D,1}≔{Decompress}_q(v_1,d_v)$

4: $v_{D,2}≔{Decompress}_q(v_2,d_v)$

5: ${\mathit{u}}_{\mathit{s}\mathit{u}\mathit{b}}≔{\mathit{u}}_{\mathit{D},1}-{\mathit{u}}_{\mathit{D},2}{ mod}^{+} q$

6: $v_{sub}≔v_{D,1}-v_{D,2}{mod}^{+}q$

7: $\mathit{u}≔{Compress}_q({\mathit{u}}_{\mathit{s}\mathit{u}\mathit{b}},d_u)$

8: $v≔{Compress}_q(v_{sub},d_v)$

9: $\mathit{r}\mathit{e}\mathit{t}\mathit{u}\mathit{r}\mathit{n}(\mathit{u},v)$

If the following is true,

$${‖{\mathit{e}}^T\left({\mathit{r}}_1-{\mathit{r}}_2\right)+e_{\mathrm{2,1}}-e_{\mathrm{2,2}}+c_{v,1}-c_{v,2}+c_v-{\mathit{s}}^T\left({\mathit{e}}_{1,1}-{\mathit{e}}_{\mathrm{1,2}}+{\mathit{c}}_{u,1}-{\mathit{c}}_{u,2}+{\mathit{c}}_u\right)‖}_{\infty }<⌈{\displaystyle \frac{q}{4}}⌋,$$

(24)

then, Algorithm 5 returns $m^{\prime }\in R_q$ with coefficients being $m_1\oplus m_2$, it is, the XOR between the coefficients of $m_1$ and $m_2$.

The proof of Theorem 2 has the same development as proof of Theorem 1.

In biometric template protection, normally only two values are compared as will be discussed in the following Section. However, for completeness, we include the following corollary to extend the scheme to have depth $N$.

Corollary 1. 

Let $\mathit{A}\in R_q^{kxk}$, $\mathit{s}$, ${\mathit{r}}_1,\dots$, ${\mathit{r}}_N$, $\mathit{e}$, ${\mathit{e}}_{1,1},\dots$, ${\mathit{e}}_{1,N}\in R^k$, $e_{\mathrm{2,1}},\dots$, $e_{2,N}\in R$. Let $\mathrm{N}$ messages $m_1{,\dots ,m}_N\in R_q$ with coefficients in $\left\{0,1\right\}$. It is assumed that $q\equiv 1mod4$. Define:

• $\mathit{t}$, $\rho$, and $\mathit{s}$ as the output $\left(\mathit{t},\rho \right)$ and $\mathit{s}$ of Algorithm 1.
• $\left({\mathit{u}}_i,v_i\right)$ as the output of Algorithm 2 applied to the $\mathrm{i}$-th message $m_i$ using $\mathit{t}$ and $\rho$.
• $\left(\mathit{u},v\right)$ as the output of Algorithm 4 extended to the same operations on $\mathrm{i}$ ciphertexts $\left({\mathit{u}}_1,v_1\right),\dots ,\left({\mathit{u}}_N,v_N\right)$ using $\mathit{t}$ and $\rho$.
• ${\mathit{c}}_{u,1},$ … $,{\mathit{c}}_{u,N}$, $c_{v,1},\dots$, $c_{v,N}$ as the compression errors introduced in Algorithm 2.
• ${\mathit{c}}_u$, $c_v$ as the compression errors introduced in Algorithm 4 to obtain $\left(\mathit{u},v\right)$.
• $m$ as the output of Algorithm 3 applied to $\left(\mathit{u},v\right)$.

If the following is true,

$${‖{\mathit{e}}^T\left(\sum _{i=1}^N{\mathit{r}}_{\mathit{i}}\right)+\sum _{i=1}^N{e}_{2,i}+\sum _{i=1}^N{c}_{v,i}+c_v-{\mathit{s}}^T\left(\sum _{i=1}^N{\mathit{e}}_{1,i}+\sum _{i=1}^N{\mathit{c}}_{u,i}+{\mathit{c}}_u\right)‖}_{\infty }<⌈{\displaystyle \frac{q}{4}}⌋$$

(25)

then, Algorithm 3 returns $m\in R_q$ with coefficients being $m_1+{\dots +m}_N mod 2=m_1\oplus \dots \oplus m_N$.

The proof of this corollary is trivial following Theorem 1.

3.2. Security (IND-CPA)

The Kyber AHE scheme is tightly IND-CPA secure under the hardness of the Module-LWE problem in the Random Oracle Model (ROM). We argue this with the following theorem.

Theorem 3 

(Security of Kyber AHE). Suppose Sam is a random oracle. For any adversary A, there exist adversaries B and C with roughly the same running time as that of A such that ${\mathit{A}\mathit{d}\mathit{v}}_{Kyber.AHE}^{CPA}\left(\mathrm{A}\right)\le 2·{\mathit{A}\mathit{d}\mathit{v}}_{k+1,k,\eta }^{MLWE}\left(\mathrm{B}\right)+{\mathit{A}\mathit{d}\mathit{v}}_{PRF}^{prf}\left(\mathrm{C}\right)$.

The proof is straightforward since Kyber AHE is based on Kyber PKE. Then, ${\mathit{A}\mathit{d}\mathit{v}}_{Kyber.AHE}^{CPA}\left(\mathrm{A}\right)={\mathit{A}\mathit{d}\mathit{v}}_{Kyber.PKE}^{CPA}\left(\mathrm{A}\right)$. The proof of the IND-CPA security of Kyber PKE is based on the fact that, under the Module-LWE assumption, the public key and a ciphertext are pseudorandom. This proof, along with a more comprehensive analysis of attacks against it, can be found in [24,41].

3.3. The Error Bound and Parameter Selection

Since Kyber PKE uses probabilistic algorithms, the decryption in Theorem 1 leads to the addition modulo 2 of the messages $m_1$ and $m_2$ with probability $1-{\delta }_h$, that is, there is a probability ${\delta }_h$ that the decryption does not result in the XOR of the messages. In order to obtain the probability of decryption failure, we will use the following method:

First, let us define the distribution ${\psi }_d^k$ over $R$ as follows:

$$\begin{gathered} 1.\mathit{y}\leftarrow R^k \\ 2.return\left(\mathit{y}-{Decompress}_q\left({Compress}_q\right(\mathit{y},d),d)\right){mod}^{\pm }q \end{gathered}$$

Similarly, the distribution ${\psi }_d$ is defined as follows:

$$\begin{gathered} 1.y\leftarrow R \\ 2.return\left(y-{Decompress}_q\left({Compress}_q\right(y,d),d)\right){mod}^{\pm }q \end{gathered}$$

Assuming that compression errors are distributed as ${\psi }_d^k$, that is, they are pseudo-random due to the hardness of the Module-LWE problem, thus ${\mathit{c}}_{u,1}$, ${\mathit{c}}_{u,2}$, ${\mathit{c}}_u\in {\psi }_d^k$, $c_{v,1}$, $c_{v,2}$ $c_v\in {\psi }_d$. Then, taking into consideration Theorem 1, ${\delta }_h$ can be computed as follows:

$${\delta }_h=P\left[\left\{\begin{array}{c}s,{\mathit{r}}_1,{\mathit{r}}_2,e,{\mathit{e}}_{1,1},{\mathit{e}}_{\mathrm{1,2}}\in {\beta }_{\eta }^k;\\ e_{\mathrm{2,1}},e_{\mathrm{2,2}}\in {\beta }_{\eta };\\ {\mathit{c}}_{u,1},{\mathit{c}}_{u,2},{\mathit{c}}_u\in {\psi }_d^k;\\ c_{v,1},c_{v,2}{c}_v\in {\psi }_d;\\ {‖\begin{array}{c}{\mathit{e}}^T\left({\mathit{r}}_1+{\mathit{r}}_2\right)+{\mathit{e}}_{\mathrm{2,1}}+{\mathit{e}}_{\mathrm{2,2}}+c_{v,1}+c_{v,2}+c_v\\ -{\mathit{s}}^T\left({\mathit{e}}_{1,1}+{\mathit{e}}_{\mathrm{1,2}}+{\mathit{c}}_{u,1}+{\mathit{c}}_{u,2}+{\mathit{c}}_u\right)\end{array}‖}_{\infty }<⌈{\displaystyle \frac{q}{4}}⌋\end{array}\right\}\right]$$

(26)

This method is very similar to that used by Kyber’s authors in [41] to compute the failure probability, whose results are included in the official submission to the NIST competition in [24] and in the standardization in FIPS 203 [25].

Based on the script in Python for Kyber PKE found in [42], we have coded a script to calculate the failure probability and security of Kyber AHE depending on the parameters used (specifically, we used Python version 3.12.1). Our code can be found at https://github.com/RobertoRomanCrypto/Kyber-AHE-Failure (accessed on 15 August 2025). In

Table 1. Failure probabilities ${\delta }_h$ depending on the Kyber instance. Concrete parameters considered are shown. The results are for a depth of 2.

	SL	$\mathit{k}$	${\mathit{\eta }}_1$	${\mathit{\eta }}_2$	$\left({\mathit{d}}_{\mathit{u}},{\mathit{d}}_{\mathit{v}}\right)$	${\mathit{\delta }}_{\mathit{h}}$	${1/\mathit{\delta }}_{\mathit{h}}$
Kyber512	I	2	3	2	(10, 4)	2−39	≈5.49‧1011
Kyber768	III	3	2	2	(10, 4)	2−45	≈3.51‧1013
Kyber1024	V	4	2	2	(11, 5)	2−68	≈2.95‧1020
-	III	3	2	2	(12, 6)	2−135	≈4.36‧1040

, we show the failure probability of Kyber AHE using the same parameters as Kyber PKE used in Kyber KEM (and ML-KEM of FIPS203), along with the inverse of the failure probability. These results are for an application that requires a depth of two. We show also the security level (SL) of each instance, defined as in the Call for proposals of the NIST post-quantum competitions [5]. The parameter ${\eta }_1$ defines the noise of $\mathit{s}$, $\mathit{e}$, ${\mathit{r}}_1,$ and ${\mathit{r}}_2$. The parameter ${\eta }_2$ defines the noise of ${\mathit{e}}_1$ and $e_2$. In the case of Kyber768 and Kyber1024, ${\eta }_1$ and ${\eta }_2$ are equal because they are the values of $\eta$ indicated in the definition of the PKE algorithms.

We can see that the failure probabilities are very low and from a practical point of view are sufficiently low for a biometric template protection application. In any case, since these probabilities are not extremely low (e.g., 2⁻¹²⁸), one may ask if they are sufficiently low to be secure. At time of writing, the works that exploit the approximate correctness of the homomorphic encryption scheme, for a concrete setting where the adversary is passive, can control the input messages of the system and have access to a decryption oracle [43,44]. We argue that these attacks are not a concern in a biometric template protection setting where servers are passive honest-but-curious and the user does not have access to other protected templates. However, with the included Python code, lower failure probabilities can be achieved in case that IND-CPA security is desired. For example, we can use the same parameters of Kyber768 with $\left(d_u,d_v\right)=(12,6)$ to achieve a failure probability of 2⁻¹³⁵ and maintaining the security level III.

Table 2. Failure probabilities ${\delta }_h$ depending on the Kyber instance. Concrete parameters considered are shown. The results are for a depth of 3.

	SL	$\mathit{k}$	${\mathit{\eta }}_1$	${\mathit{\eta }}_2$	$\left({\mathit{d}}_{\mathit{u}},{\mathit{d}}_{\mathit{v}}\right)$	${\mathit{\delta }}_{\mathit{h}}$	${1/\mathit{\delta }}_{\mathit{h}}$
Kyber512	I	2	3	2	(10, 4)	2−23	≈8.39‧106
Kyber768	III	3	2	2	(10, 4)	2−26	≈6.71‧107
Kyber1024	V	4	2	2	(11, 5)	2−43	≈8.80‧1012
-	I	2	3	2	(11, 5)	2−47	≈1.41‧1014
-	III	3	2	2	(11, 5)	2−53	≈9.01‧1015

shows the failure probability results when the Kyber AHE scheme with a depth of 3 is required. This can be used, for example, for the MPC scheme proposed in [34], in which Kyber is combined with garbled circuits. As can be seen, the error growth is still manageable, since the inverse of the failure probability is more than eight million with the worst-case parameter set. The table shows alternative parameter sets for a lower failure probability.

The fact that Kyber AHE can use the same parameters as Kyber PKE makes the scheme very easy to implement.

3.4. Protection Against Side-Channel Attacks

The side-channel analysis of Kyber is an active area of research. As a result, various side-channel attacks have been identified against Kyber, including those in constant-time implementations [45,46,47]. Several works propose masked versions of Kyber to deal with side-channel attacks, which can also be applied to Kyber AHE. One study proposes a first-order Kyber masked implementation optimized for an ARM Cortex-M4 processor [48]. Another study suggests using a masked hardware/software co-design. Other studies propose solutions to mask specific operations. To mask the compression function, the work in [49] proposes a bit-sliced binary search of the 12-bit Boolean version of an arithmetically shifted coefficient share to determine if the share is greater than or equal to $⌊{\displaystyle \frac{q}{2}}⌋$. The work in [50] also proposes two additional masking methods for the compression function: a double and check algorithm that adds a level of obfuscation and the integration of a look-up table (LUT) that uses one arithmetic-to-Boolean conversion for each share. To mask the symmetric operations used in Kyber, the method used proposed in [51] is often recommended. To mask the central binomial distribution sampler, the approach shown in [52] can be used. Other countermeasures used to deal with side-channel attacks include adding noise (mainly Gaussian noise), introducing random delays during the execution of the encryption and decryption algorithms, and introducing clock instability (clock jitter) [53].

4. Application to Biometric Template Protection

In the following, we present the experimental results of Kyber AHE for the setup described in Section 2.1 and illustrated in Figure 1. The experiments were conducted using a commercial laptop equipped with an 11th generation Intel^® Core™ i7-11800H @ 2.30 GHz processor and 16.0 GB of RAM. The operating system used was Windows 10. Visual Studio Code version 1.102.3 was used as an integrated development environment (IDE). Execution times were averaged from 1000 test runs.

Our implementation is based on the Kyber C implementation found on GitHub at https://github.com/pq-crystals/kyber/tree/main/ref (accessed on 17 May 2025). Specifically, it is the reference (ref) implementation. The indcpa.c file contains the key generation (indcpa_keypair), encryption (indcpa_enc), and decryption (indcpa_dec) functions. We implemented the evaluation function as indcpa_eval in the same file. Decompression and compression are performed using the poly_decompress, polyvec_decompress, poly_compress, and polyvec_compress functions, which are implemented in the poly.c and polyvec.c files. Addition modulo $q$ is performed using the poly_add and polyvec_add functions. Note that the modulus q has a value of 3329. We encourage readers to refer to [24] to see the exact implementations of the Kyber algorithms. The implementation of Kyber AHE can be found at https://github.com/RobertoRomanCrypto/Kyber-AHE (accessed on 15 August 2025).

We use 256-byte iris templates, which is the size used for the popular IrisCodes [54]. Thus, if we want to encrypt an iris template, we should use 8 ciphertexts because Kyber AHE encrypts 32 bytes at a time. Figure 4 shows how the protected data are managed by the Client, the Database Server, and the Matching Server.

We note that decryption failures in Kyber AHE are extremely rare considering the results in Table 1. Thus, the recognition accuracy of IrisCodes before and after encryption is the same. The analysis of the security and performance recognition of IrisCodes has been extensively studied in the literature [55,56,57,58,59]. Therefore, in this paper, we focus on the performance in terms of sizes and execution times of Kyber AHE to protect the iris features. We present results for three NIST security levels I, III, and V corresponding to Kyber512, Kyber768, and Kyber1024, respectively. It is shown in [24] that they have a quantum core-SVP hardness of 107, 165, and 232 bits, respectively.

Table 3. Performance results in terms of execution times. The results from this work are in grey.

	Execution Times (in ms)
	Encrypt	Evaluate + Decrypt
Kyber512 (256 bytes)	0.755	0.096 + 0.259
Kyber768 (256 bytes)	1.25	0.131 + 0.343
Kyber1024 (256 bytes)	1.73	0.161 + 0.415
Id. latt. * (256 bytes) [31]	19.89	18.10 + 9.08
CKKS ** (512 Floating Point values) [30]	~6	~3391
BFV ** (512 integer values) [30]	~76	~168

* In an Intel Xeon X3480 at 3.07 GHz with 16 GB of memory. ** In an Intel Core i7 at 2.7 GHz with 16 GB of memory.

shows the execution times to carry out each operation as long as the size of the encrypted iris features. The execution times shown are those required for the Client to encrypt an iris feature, for the Database Server to evaluate an addition modulo 2 in the encrypted domain using the Kyber AHE evaluation algorithm, and for the Matching Server to decrypt the result.

The sizes of an encrypted iris feature are shown in Figure 5. They are not very large. An encrypted database of 100,000 individuals will require between 586 MB and 1197 MB using Kyber AHE for iris encryption, which is not a very large number for a database server. Also, the times are very low, even using the reference Kyber implementation that is not optimized for the AVX2 instruction set. The size of the public key is 800, 1184, and 1568 bytes for security levels I, III, and V, respectively. The size of the secret key is 32 bytes.

Table 3 also compares our solution with others from the literature. The authors of [30] claim they have used a bit security of 128 bits for CKKS and BFV. The work in [31] claims a security of 80 bits against BKZ 2.0 [60] with a certain margin. The format of the template is shown in parentheses. Clearly, our solution outperforms the homomorphic solutions in [31] that encrypt binary biometric strings. Additionally, compared with the solutions using CKKS and BFV in [30], it can be concluded that using binary instead of floating-point and integer format templates is important for achieving low-cost implementations with simpler operations.

The execution times shown in Table 3 do not consider countermeasures to prevent leakage of the XOR between the reference and fresh biometric features. As mentioned in Section 2.1, potential countermeasures include adding a cancellable biometric method before encrypting the biometric feature and using an MPC solution. Other works from the literature can provide a qualitative idea of the overhead cost of implementing one of these schemes.

The work in [33] uses a hybrid method combining three hashing methods and homomorphic encryption with the BFV scheme. For example, results from a system with an Intel^® Core™ i7-7700K CPU @ 4.20 GHz processor demonstrate that the Biohashing operation requires 15.08 ms to protect a biometric feature obtained from an ArcFace face recognition model, accounting for 4.36% of the total execution time of the hybrid scheme. Additionally, cancellable biometrics do not significantly increase bandwidth usage in their scheme. Thus, combining cancelable biometrics with the Kyber AHE scheme seems completely affordable.

On the other hand, the work in [34] combines homomorphic encryption and garbled circuits to protect facial biometric features from FaceNet. Only the verification decision is revealed to the authentication server. The results show that the oblivious transfer adds nearly 0.5 s of overhead to the baseline system. While this overhead is significant, the solution is feasible, especially considering that the oblivious transfer is performed between two servers. Also, their proposal is affordable in terms of communication costs.

5. Conclusions

In this work, we propose Kyber AHE, an additive homomorphic encryption scheme used to compute the addition modulo 2 of two binary strings in the encrypted domain. The scheme consists of three algorithms: Kyber.AHE.KeyGen, Ky-ber.AHE.Encrypt, Kyber.AHE.Eval, and Kyber.AHE.Decrypt. The addition modulo 2 can be used to compute the Hamming distance between two biometric features in binary format. This makes Kyber AHE very suitable for the protection of biometric templates. An analysis of the failure probability shows that using the parameters of Kyber512, Kyber768, and Kyber1024 instances has a very low probability of decryption failure (smaller than 2⁻³⁹ in the worst case). Consequently, the use of Kyber AHE with these instances does not degrade the recognition performance when used in a biometric template protection scheme. Experimental results for the protection of a 256-byte iris feature show that the size of the protected feature is relatively small (smaller than 12.25 kB in the worst case) and the execution times are also very low (shorter than 1.73 ms in the worst case of the encryption algorithm), which clearly outperform other homomorphic solutions reported in the literature.