3.1. Homomorphic Encryption
The definition of the homomorphic encryption (HE) scheme is given in [21] as follows:
Definition 1 (Homomorphic Encryption). A family of schemes ${\left\{{\mathcal{E}}_{k}\right\}}_{k\in {\mathbb{Z}}_{+}}$ is said to be homomorphic with respect to an operator ∘ if there exist decryption algorithms ${\left\{{\mathcal{D}}_{k}\right\}}_{k\in {\mathbb{Z}}_{+}}$ such that, for any two ciphertexts ${c}_{1},{c}_{2}\in \mathcal{C}$, the following equality is satisfied, where ${r}_{1},{r}_{2}\in \mathcal{R}$ are the randomness values used to produce them. A homomorphic encryption scheme is a pair of algorithms, $\mathsf{Enc}$ and $\mathsf{Dec}$, with the following properties:
$\mathsf{Enc}$ takes as input a plaintext $m\in {\mathbb{Z}}_{N}$, and outputs a ciphertext c such that c is a homomorphic image of m, i.e., $\mathsf{Dec}\left(c\right)=m$;
$\mathsf{Dec}$ takes as input a ciphertext c, and outputs a plaintext m such that m is a homomorphic image of c;
$\mathsf{Enc}$ and $\mathsf{Dec}$ are computationally efficient.
There are two types of homomorphic encryption: additively homomorphic and multiplicatively homomorphic.
Additively homomorphic encryption consists of a pair of algorithms $\mathsf{Enc}$ and $\mathsf{Dec}$ such that, for all ${m}_{1},{m}_{2}\in {\mathbb{Z}}_{N}$, ${c}_{1}=\mathsf{Enc}\left({m}_{1}\right)$, ${c}_{2}=\mathsf{Enc}\left({m}_{2}\right)$, and ${c}_{3}={c}_{1}+{c}_{2}$, we have $\mathsf{Dec}\left({c}_{3}\right)={m}_{1}+{m}_{2}$.
Multiplicatively homomorphic encryption consists of a pair of algorithms $\mathsf{Enc}$ and $\mathsf{Dec}$ such that, for all ${m}_{1},{m}_{2}\in {\mathbb{Z}}_{N}$, ${c}_{1}=\mathsf{Enc}\left({m}_{1}\right)$, ${c}_{2}=\mathsf{Enc}\left({m}_{2}\right)$, and ${c}_{3}={c}_{1}{c}_{2}$, we have $\mathsf{Dec}\left({c}_{3}\right)={m}_{1}{m}_{2}$.
Partially homomorphic encryption is a variant of homomorphic encryption where homomorphism is only partially supported, i.e., the encryption scheme is homomorphic for some operations but not for others.
Somewhat homomorphic encryption is a variant of fully homomorphic encryption where homomorphism is supported only to a limited extent, i.e., the encryption scheme is homomorphic for all operations, but only for a limited number of them.
Fully homomorphic encryption (FHE) is a variant of homomorphic encryption which allows for homomorphism over all functions, i.e., the encryption scheme is homomorphic for all operations. In other words, an FHE scheme consists of a pair of algorithms $\mathsf{Enc}$ and $\mathsf{Dec}$ such that, for all ${m}_{1},{m}_{2}\in {\mathbb{Z}}_{N}$, ${c}_{1}=\mathsf{Enc}\left({m}_{1}\right)$, ${c}_{2}=\mathsf{Enc}\left({m}_{2}\right)$, and ${c}_{3}={c}_{1}{c}_{2}$, we have $\mathsf{Dec}\left({c}_{3}\right)={m}_{1}{m}_{2}$.
Table 1 shows a summary of the major homomorphic encryption schemes.
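The following is an added example, not code from the paper: a textbook Paillier cryptosystem (one of the classic additively homomorphic schemes) is used to exercise Definition 1 over the message space ${\mathbb{Z}}_{N}$. Here the ciphertext operator ∘ is multiplication modulo $N^2$, and the toy 16-bit primes are a constructed assumption chosen so the block runs instantly; they offer no security.

```python
# Added example (not from the paper): textbook Paillier, used only to check the
# additive-homomorphism property of Definition 1. Toy primes: NOT secure.
from math import gcd
import secrets

def keygen(p=65537, q=65521):
    # Constructed toy primes (assumption); real deployments use ~1024-bit p and q.
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lambda = lcm(p-1, q-1)
    g = n + 1                                      # standard simple generator
    # mu = L(g^lambda mod n^2)^-1 mod n, with L(x) = (x - 1) / n
    mu = pow((pow(g, lam, n * n) - 1) // n, -1, n)
    return (n, g), (lam, mu)

def enc(pk, m):
    # Fresh randomness r in Z_n^* for every encryption (the r_1, r_2 of Definition 1)
    n, g = pk
    r = secrets.randbelow(n - 1) + 1
    while gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)

def dec(pk, sk, c):
    n, _ = pk
    lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n

def add(pk, c1, c2):
    # Additive homomorphism: Dec(c1 ∘ c2) = m1 + m2 mod n, with ∘ = multiplication mod n^2
    n, _ = pk
    return c1 * c2 % (n * n)

def scalar_mul(pk, c, k):
    # Multiplication by a plaintext scalar: Dec(c^k) = k * m mod n
    n, _ = pk
    return pow(c, k, n * n)

def check_homomorphism(m1, m2, k):
    # Returns (additive property holds, scalar property holds, fresh ciphertexts differ)
    pk, sk = keygen()
    n = pk[0]
    c1, c2 = enc(pk, m1), enc(pk, m2)
    ok_add = dec(pk, sk, add(pk, c1, c2)) == (m1 + m2) % n
    ok_mul = dec(pk, sk, scalar_mul(pk, c1, k)) == (k * m1) % n
    return ok_add, ok_mul, enc(pk, m1) != c1
```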
3.2. Brakerski–Fan–Vercauteren (BFV) Scheme
Since the work of Brakerski, Fan, and Vercauteren (BFV), the somewhat homomorphic encryption (SHE) scheme has become one of the most important research topics in cryptography. In this section, we give the definition of this scheme.
Definition 2 (BFV scheme).
An SHE scheme $\mathcal{E}$ is said to be in the BFV family of schemes if it consists of the following three algorithms:
Key generation algorithm: It takes the security parameter k as input, and outputs a public key $pk$ and a secret key $sk$.
Encryption algorithm: It takes the message $m\in \mathcal{M}$, a public key $pk$, and a randomness $r\in \mathcal{R}$ as inputs, and outputs a ciphertext $c\in \mathcal{C}$.
Decryption algorithm: It takes a ciphertext $c\in \mathcal{C}$, a secret key $sk$, and an integer $i\in {\mathbb{Z}}_{+}$ as inputs, and outputs a message $m\in \mathcal{M}$.
Remark 1. In the above definition, the integer i is called the decryption index. It is introduced to allow for efficient decryption of ciphertexts that are the result of homomorphic operations. For example, when the ciphertext ${c}_{1}$ is the result of homomorphic operations on ciphertexts ${c}_{2}$ and ${c}_{3}$, that is, ${c}_{1}={c}_{2}\circ {c}_{3}$, then ${c}_{1}$ can be decrypted by taking the decryption index $i=2$.
In the following, we give a brief description of the BFV scheme.
The key generation algorithm of the BFV scheme consists of the following two steps.
- 1. Let t be the security parameter. For a positive integer t, define a number $n=\lfloor b\left(t\right)\rfloor $ and a positive integer p, where $b:{\mathbb{Z}}_{+}\to {\mathbb{Z}}_{+}$ is a polynomial and p is a prime number satisfying $p>{2}^{n}$.
- 2. Let d be a positive integer such that $d<p$. Choose a monic polynomial $f\left(x\right)$ of degree d with $f\left(x\right)\equiv x-\tilde{a} \pmod{p}$ for some $\tilde{a}\in {\mathbb{Z}}_{p}$. Let $T\left(x\right)={x}^{n}f\left(x\right) \pmod{p}$. Choose a quadratic nonresidue b of ${\mathbb{Z}}_{p}$, and let $L\left(x\right)=T\left(x\right)b{x}^{\frac{n}{2}} \pmod{p}$. Let $q=2nL\left(0\right)$. The secret key $sk$ is chosen to be a nonnegative integer s less than q. The public key $pk$ is chosen to be the sequence $(p,T(x),L(x),n,q)$.
The encryption algorithm of the BFV scheme consists of the following three steps.
- 1. Let $pk=(p,T(x),L(x),n,q)$ be the public key. Choose a random polynomial $R\left(x\right)\in {\mathbb{Z}}_{p}\left[x\right]$ of degree less than d.
- 2. Given a message $m\in {\mathbb{Z}}_{p}$, compute $u\left(x\right)=m+\frac{1}{2}R{\left(x\right)}^{2}L{\left(x\right)}^{-1} \pmod{p}$.
- 3. Choose a random integer $\tilde{t}\in {\mathbb{Z}}_{p}$, and output the ciphertext $c=(\tilde{t},u\left(x\right))$.
The decryption algorithm of the BFV scheme consists of the following two steps.
- 1. Let $sk=s$ be the secret key. Compute $v\left(x\right)=L{\left(x\right)}^{-1}\left(s+\frac{1}{2}T{\left(x\right)}^{2}{b}^{-1}{x}^{n}\right) \pmod{p}$.
- 2. Given a ciphertext $c=(\tilde{t},u\left(x\right))$, compute $m=u\left(x\right)-\frac{1}{2}v{\left(x\right)}^{2} \pmod{p}$.
Remark 2. In the BFV scheme, the message space is $\mathcal{M}={\mathbb{Z}}_{p}$.
3.2.1. Homomorphic Operations
Additive Homomorphism
In the BFV scheme, the additive homomorphism is defined as follows:
Definition 3 (Additive homomorphism). Let ${c}_{1}=({\tilde{t}}_{1},{u}_{1}\left(x\right))$ and ${c}_{2}=({\tilde{t}}_{2},{u}_{2}\left(x\right))$ be two ciphertexts. The additive homomorphism is defined to be the ciphertext ${c}_{1}+{c}_{2}=({\tilde{t}}_{1}+{\tilde{t}}_{2},{u}_{1}\left(x\right)+{u}_{2}\left(x\right))$.
Remark 3. In the BFV scheme, the standard polynomial addition algorithm implements the additive homomorphism.
Multiplicative Homomorphism
In the BFV scheme, the multiplicative homomorphism is defined as follows:
Definition 4 (Multiplicative homomorphism). Let ${c}_{1}=({\tilde{t}}_{1},{u}_{1}\left(x\right))$ be a ciphertext and $m\in {\mathbb{Z}}_{p}$ be a message. The multiplicative homomorphism is defined to be the ciphertext ${c}_{1}\cdot m=({\tilde{t}}_{1}\cdot m,{u}_{1}\left(x\right)\cdot m)$.
Remark 4. In the BFV scheme, the standard polynomial multiplication algorithm implements the multiplicative homomorphism.
Remark 5. The multiplicative homomorphism is sometimes called the “plaintext multiplication” or the “scalar multiplication”.
3.2.2. Relinearization
Relinearization is a homomorphic operation used in the BFV scheme to reduce the number of ciphertexts generated by homomorphic operations. In the following, we give the definition of this operation.
Definition 5 (Relinearization). Let ${c}_{1}=({\tilde{t}}_{1},{u}_{1}\left(x\right))$ and ${c}_{2}=({\tilde{t}}_{2},{u}_{2}\left(x\right))$ be two ciphertexts. The relinearization homomorphism is defined to be the ciphertext ${c}_{1}+{c}_{2}T\left(x\right)=({\tilde{t}}_{1}+{\tilde{t}}_{2}T\left(x\right),{u}_{1}\left(x\right)+{u}_{2}\left(x\right)T\left(x\right))$.
Remark 6. In the BFV scheme, the relinearization homomorphism is implemented by the standard polynomial addition and multiplication algorithms.
3.2.3. Rotation
Rotation is a homomorphic operation used in the BFV scheme to implement the power operation efficiently. It can be used to implement a large class of homomorphic operations on encrypted data. In the following, we give the definition of this operation.
Definition 6 (Rotation). Let $c=(\tilde{t},u\left(x\right))$ be a ciphertext. The rotation homomorphism is defined to be the ciphertext ${c}^{r}=(\tilde{t},u{\left(x\right)}^{r})$, where r is an integer.
Remark 7. In the BFV scheme, the rotation homomorphism is implemented by the standard polynomial multiplication algorithm.
Remark 8. The rotation is sometimes called the “power operation”.
3.3. Federated Learning
In this section, we briefly describe the federated learning (FL) framework. We refer to [22,23] for more details.
Definition 7 (FL model). Let N be a positive integer, and $\mathcal{X}$ be a probability space. Let m be a positive integer such that $m<N$, and $\mathcal{P}=\{{p}_{1},{p}_{2},\dots ,{p}_{m}\}$ be a collection of random variables on $\mathcal{X}$ with ${p}_{i}\in {\mathcal{L}}_{1}\left(\mathcal{X}\right)$ for $i=1,2,\dots ,m$. The FL model consists of the following four algorithms:
Initialization algorithm: It takes the security parameter k as input, and outputs the global model ${w}_{0}\in {\mathbb{R}}^{n}$, where n is the number of free parameters in ${w}_{0}$.
Local training algorithm: It takes the global model ${w}_{t}\in {\mathbb{R}}^{n}$, a local dataset ${D}_{i}\in \mathcal{D}$, and a positive integer t as inputs, and outputs a local model ${w}_{t+1}^{i}\in {\mathbb{R}}^{n}$.
Upload algorithm: It takes the local model ${w}_{t}^{i}\in {\mathbb{R}}^{n}$, and a positive integer t as inputs, and outputs a vector ${v}_{t}^{i}\in {\mathbb{R}}^{n}$.
Aggregation algorithm: It takes a set of vectors ${v}_{t}^{i}\in {\mathbb{R}}^{n}$, and a positive integer t as inputs, and outputs the global model ${w}_{t+1}\in {\mathbb{R}}^{n}$.
In the above definition, the integer t is called the training round, and the global model ${w}_{t}$ is a function of t. It is initialized to ${w}_{0}$ and is trained by the local models ${w}_{t}^{i}$, each of which is trained on its own local dataset ${D}_{i}$; in effect, ${w}_{t}$ is trained on the aggregated dataset ${\cup}_{i=1}^{m}{D}_{i}$.
Remark 9. In the FL model, the local training algorithm, upload algorithm, and aggregation algorithm can be implemented by any machine learning algorithm.
Remark 10. The global model ${w}_{t}$ can be trained on the aggregated dataset ${\cup}_{i=1}^{m}{D}_{i}$ using any machine learning algorithm.
Remark 11. In the FL model, the global model ${w}_{t}$ is shared among all the participating clients, and the local models ${w}_{t}^{i}$ are not shared among the clients.
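The following is an added example, not code from the paper or from [22,23]: one training round of the FL model of Definition 7, with the four algorithms written as functions whose inputs and outputs match the definition, for a linear model $w\in {\mathbb{R}}^{2}$ (slope and intercept). Two assumptions not fixed by the text: local training is a single gradient step on the squared loss, and aggregation is a data-size-weighted average (the FedAvg rule); the local datasets are constructed.

```python
# Added example (not from the paper): one FL round, Definition 7 as four functions.
# Assumptions: one gradient step of least squares locally; size-weighted averaging.

def initialization(k=None):
    # The security parameter k is unused for a plaintext model; w_0 = (0, 0).
    return [0.0, 0.0]

def local_training(w_t, D_i, t, lr=0.1):
    # One gradient step of mean squared error on D_i = [(x, y), ...]; returns w_{t+1}^i.
    g_slope = g_bias = 0.0
    for x, y in D_i:
        err = w_t[0] * x + w_t[1] - y
        g_slope += 2 * err * x / len(D_i)
        g_bias += 2 * err / len(D_i)
    return [w_t[0] - lr * g_slope, w_t[1] - lr * g_bias]

def upload(w_ti, t):
    # Outputs the vector v_t^i; here simply the local model (no masking applied).
    return list(w_ti)

def aggregation(vectors, sizes, t):
    # Size-weighted average of the uploaded vectors; returns w_{t+1}.
    total = sum(sizes)
    dim = len(vectors[0])
    return [sum(v[j] * s for v, s in zip(vectors, sizes)) / total for j in range(dim)]

def run_round(w_t, datasets, t):
    # One full round: every client trains and uploads, then the server aggregates.
    local_models = [local_training(w_t, D_i, t) for D_i in datasets]
    uploads = [upload(w_i, t) for w_i in local_models]
    return aggregation(uploads, [len(D_i) for D_i in datasets], t)

# Constructed local datasets for m = 2 clients, all points on the line y = 2x + 1.
DATASETS = [
    [(0.0, 1.0), (1.0, 3.0)],
    [(2.0, 5.0), (3.0, 7.0), (4.0, 9.0)],
]

def train(rounds, datasets=DATASETS):
    # Runs the given number of rounds from w_0 and returns the final global model.
    w = initialization()
    for t in range(1, rounds + 1):
        w = run_round(w, datasets, t)
    return w
```

With these datasets the first round moves $w_0=(0,0)$ to $w_1=(2.8, 1.0)$, since client 1 contributes $(0.3, 0.4)$ and client 2 contributes $(4.4\overline{6}, 1.4)$, weighted 2:3.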