Enhancing the Multikey GSW Scheme with CRT Decomposition and Ciphertext Compression for Efficient Distributed Decryption

Abstract

This paper enhances the multikey scenario in the Gentry–Sahai–Waters (GSW) fully homomorphic encryption scheme to increase its real-world applicability. We integrate the advantages of two existing GSW multikey approaches: one enabling distributed decryption and the other reducing memory requirements. We also apply the CRT decomposition and ciphertext compression techniques to the multikey settings. While leveraging the effectiveness of decomposition, we adapt the compression technique for practical cryptographic applications, as demonstrated through simulations in federated learning and multiparty communication scenarios. Our work’s potential impact on the cryptography field is significant, as it offers a more efficient and secure solution for distributed data processing in real-world scenarios, thereby advancing the state of the art in secure communication systems.

1. Introduction

As modern communication systems evolve, secure data transmission among multiple users has become increasingly crucial. Multikey encryption schemes are valuable for supporting authorized users in encrypting and decrypting shared data. However, significant challenges arise when users attempt to decrypt messages with incorrect secret keys, introducing errors that hinder accurate decryption. This issue could be more problematic in systems requiring efficient decryption across multiple users, such as federated learning and collaborative computing environments.

Our work focuses on improving the Gentry–Sahai–Waters (GSW) [1] encryption scheme, a fully homomorphic encryption (FHE) scheme that allows for arbitrary computations on encrypted data, in multikey scenarios. Mukherjee et al. (2016) [2] proposed an additional expansion phase after encryption to solve failed decryption due to incorrect keys. We build on this by integrating the distributed decryption capability from Mukherjee’s approach with the additional help of the information memory reduction method from Shen et al. (2021) [3], aiming to create a more balanced solution that reduces total memory size while maintaining decryption efficiency.

We extend the Chinese Remainder Theorem (CRT) decomposition and ciphertext compression techniques from previous research [4] into the multikey context. CRT decomposition continues to expand the message range significantly, even in multikey scenarios, making simple operations like homomorphic addition more practical. While the previously referenced ciphertext compression method (Gentry and Halevi, 2019 [5]) proved ineffective for distributed decryption in multikey scenarios, we propose an improved approach to ease the shortage. Though the execution time and memory requirements will be increased somewhat, our approach ensures the system remains secure and feasible for distributed decryption.

This work makes the following contributions to the field of fully homomorphic encryption (FHE):

• We propose a balanced expansion method that reduces total memory overhead while enabling distributed decryption.
• By extending CRT decomposition, we significantly increase the message range within the GSW scheme, covering the entire plaintext space in multikey scenarios.
• We improve ciphertext compression, ensuring it supports distributed decryption without compromising the efforts of previous expansions.

These contributions enhance the GSW encryption scheme’s applicability, efficiency, and practicality in multikey settings, opening possibilities for real-world cryptographic applications.

1.1. Related Work

1.1.1. Fully Homomorphic Encryption (FHE)

The rapid rise of cloud computing and artificial intelligence has increased reliance on remote data processing, raising significant security concerns. Fully homomorphic encryption (FHE) addresses this by enabling computations on encrypted data without decryption. Proposed by Rivest, Adleman, and Dertouzos [6] in 1978, FHE became practical with Gentry’s breakthrough in 2009 [7]. However, early schemes suffered from excessive noise and large ciphertexts, causing inefficiencies and decryption failures after limited operations.

Subsequent generations of FHE schemes aimed to improve efficiency and reduce noise. The second generation, including BV [8,9], BGV [10], and B/FV [11] schemes, allowed computations on integer vectors but still faced noise management challenges. The third generation, including GSW [1], FHEW [12], and TFHE [13], significantly improved noise handling but sacrificed data packing support.

The CKKS scheme [14] prioritizes optimized packing for efficient vector operations and calculations on real numbers. While its bootstrapping is less advanced than the third generation, CKKS significantly reduces computation time per operation, making it practical for real-world applications requiring efficient and secure data processing.

Recently, a series of studies have also focused on identity-based or multi-identity FHE constructions, which are closely related to the multikey setting [15,16,17].

1.1.2. Ciphertext Compression

Ciphertext compression has become increasingly important in encryption systems because it reduces the encrypted data’s storage and transmission overhead. Gentry and Halevi (2019) [5] introduced a compressible GSW scheme, addressing the significant storage costs associated with large volumes of ciphertext. Their work has inspired further research into adapting these techniques for multikey encryption systems.

Building on this, Shen et al. (2021) [3] extended ciphertext compression to multikey settings, effectively reducing the substantial memory requirements of expanded ciphertexts. However, it was less effective in practical distributed decryption applications. This limitation arises because the compression technique in [3] introduces correlations that can lead to message leakage, making it less reliable in distributed decryption scenarios. In response, we adapted the technique for multiparty communication scenarios to demonstrate its feasibility and potential for securely managing data across multiple users.

Our results indicate that while our approach currently requires significant computational resources for real-world cryptographic operations, it shows considerable promise in enhancing the functionality of the GSW multikey scheme.

1.2. Organization

This writeup is structured as follows: Section 2 introduces the complete encryption process of the GSW multikey scenario. Section 3 discusses two important expansion methods and our proposed balanced approach. Section 4 and Section 5 explore the application of previously researched [4] CRT decomposition and ciphertext compression techniques to the multikey setting, respectively. Section 6 presents various experimental results. Section 7 concludes the writeup with a summary and directions for future research.

2. Multikey Scheme for GSW-like Encryption

In a multi-user or multikey environment, it is essential to guarantee that other authorized users can correctly decrypt encrypted ciphertexts generated by each user to recover the original message. In the single-key scenario, when a user decrypts a message using their secret key, they can retrieve the intended message without issue. However, in a multi-user context, users will inevitably attempt decryption with wrong secret keys, making it challenging to maintain security while ensuring successful multikey operations. We will briefly review the complete GSW multikey encryption and decryption processes, followed by a discussion of distributed decryption, particularly relevant to multi-user or multiparty environments.

2.1. Notation

Before introducing the detailed key generation and encryption steps, we summarize the main notations used throughout this section:

Symbol	Meaning
G	Public gadget matrix for bit decomposition in GSW encryption
X	Pseudo-ciphertext generated during expansion
f	Mapping function used in ciphertext compression
$\mu$	Plaintext message
$P_{\alpha }$	Public key of user $\alpha$
$s_{\alpha }$	Secret key of user $\alpha$
$R_{\alpha }$	Random matrix selected during encryption
$b_{\alpha },t_{\alpha },e_{\alpha }$	LWE-related vectors used in key generation

Additional notations follow standard conventions in the LWE/GSW literature.

2.2. Key Generation

In the multikey scheme, all users possess the public keys of every other user, while each user retains only their secret key due to its sensitive nature. In a system with N users, user $\alpha$ selects a message, encrypts it, and distributes the result to all other users for decryption. The scheme operates as follows:

• All users agree on a common matrix A from ${\mathbb{Z}}_q^{(n-1)\times m}$, where $m=n·\ell$.
• Each user independently selects a random vector $t_{\alpha }$ from ${\mathbb{Z}}_q^{n-1}$ and a vector $e_{\alpha }$ from the distribution ${\chi }^{n-1}$, which conforms to an integer-normal modulo q.
• Users then compute their vectors ${\mathbf{b}}_{\alpha }$ as $t_{\alpha }A+e_{\alpha }$, following the Learning with Errors (LWE) scheme, which was introduced by [18].
• Finally, users define their public keys and secret keys as ${\mathbf{P}}_{\alpha }=\left[\begin{array}{c}-A\\ {\mathbf{b}}_{\alpha }\end{array}\right]\in {\mathbb{Z}}_q^{n\times m}$ and ${\mathbf{s}}_{\alpha }=[t_{\alpha }\mid 1]\in {\mathbb{Z}}_q^n$, respectively, and ensure that the product ${\mathbf{s}}_{\alpha }\times {\mathbf{P}}_{\alpha }\equiv e_{\alpha }(modq)$ confirms the error model of LWE.

2.3. Encryption

The authors of [4] discovered that the error can be flexibly adjusted; both users can select their messages ${\mu }_{\alpha }$ from the range $\left[0,\varphi \right)$, where $\varphi \le q$ and each user independently selects a random matrix $R_{\alpha }\in {\{0,1\}}^{m\times m}$. They then proceed to encrypt their messages using their respective public keys. The ciphertexts ${\mathbf{C}}_{\alpha }$ are computed as:

$${\mathbf{C}}_{\alpha }={\mu }_{\alpha }·\mathbf{G}+{\mathbf{P}}_{\alpha }\times R_{\alpha }(modq)\in {\mathbb{Z}}_q^{n\times m},$$

where $\alpha \in [1,N]$. Therefore, the encryption outputs will significantly differ due to the variations in the chosen parameters.

2.4. Expansion

To ensure successful multikey execution, Mukherjee et al. [2] demonstrated that an additional expansion step is required after encryption compared to the single-key scenario. Although this increases ciphertext size, it is necessary for successful decryption of the final result.

2.4.1. Initial [2] and Our Modified Expansion

Due to our balanced approach (detailed in the next section), the final expanded ciphertext structure matches that of Mukherjee et al. [2]. For user $\alpha$, we need to find a “pseudo-ciphertext” $\mathbf{X}$ that satisfies two conditions:

• ${\mathbf{s}}_{\alpha }{\mathbf{X}}_{\alpha \to \beta }\approx {\mathbf{B}}_{\alpha ,\beta }{R}_{\alpha }$, where $\forall \beta$ such that $\alpha \ne \beta$ and ${\mathbf{B}}_{\alpha ,\beta }={\mathbf{b}}_{\beta }-{\mathbf{b}}_{\alpha }$.
• ${\mathbf{s}}_{\alpha }{\mathbf{X}}_{\alpha \to \beta }+{\mathbf{s}}_{\beta }{\mathbf{C}}_{\alpha }\approx {\mu }_{\alpha }{\mathbf{s}}_{\beta }\mathbf{G}$.

The detailed construction of pseudo-ciphertext $\mathbf{X}$ will be presented in Section 3.

The resulting expanded ciphertext becomes

$$\widehat{\mathbf{C}}=\left[\begin{array}{ccccc}{\mathbf{C}}_{\alpha }& \dots & \mathbf{0}& \dots & \mathbf{0}\\ ⋮& \ddots & ⋮& & ⋮\\ {\mathbf{X}}_{\alpha \to 1}& \dots & {\mathbf{C}}_{\alpha }& \dots & {\mathbf{X}}_{\alpha \to N}\\ ⋮& & ⋮& \ddots & ⋮\\ \mathbf{0}& \dots & \mathbf{0}& \dots & {\mathbf{C}}_{\alpha }\end{array}\right]\in {\mathbb{Z}}_q^{n·N\times m·N},$$

(1)

which follows a fixed pattern. The main diagonal contains the previously encrypted ciphertext, with the number of identical ciphertexts corresponding to the number of users. The $\alpha$-th row is filled with all pseudo-ciphertexts, where the horizontal axis represents the user sending this information, and the vertical axis represents users receiving auxiliary information. The remaining positions contain zeros.

2.4.2. Advanced Expansion [3]

Shen et al. [3] proposed reducing the expanded ciphertext size, but this method requires splitting the previous pseudo-ciphertext into two parts. Consequently, user $\alpha$ now needs pairs of pseudo-ciphertexts (${\mathbf{X}}^{\left(1\right)}$ and ${\mathbf{X}}^{\left(2\right)}$) that satisfy the following three conditions:

• $t_{\alpha }{\mathbf{X}}_{\alpha \to \beta }^{\left(1\right)}\approx {\sum }_{i,j}-{\mathbf{b}}_{\alpha }·\overline{R^{m\times \ell }}·G^{-1}\left({{\mathbf{Z}}_{\alpha ,\beta }^{i,j}}^{\prime }\right)$, where $\forall \beta$ such that $\alpha \ne \beta$.
• ${\mathbf{X}}_{\alpha \to \beta }^{\left(2\right)}={\mathbf{b}}_{\beta }·R^L+{\sum }_{i,j}{\mathbf{b}}_{\alpha }·\overline{R^{m\times \ell }}·G^{-1}\left({{\mathbf{Z}}_{\alpha ,\beta }^{i,j}}^{\prime }\right)\in {\mathbb{Z}}_q^{(n-1)·\ell }$.
• $t_{\alpha }{\mathbf{X}}_{\alpha \to \beta }^{\left(1\right)}+t_{\beta }{\mathbf{C}}_{\alpha }^{1,1}+{\mathbf{X}}_{\alpha \to \beta }^{\left(2\right)}\approx {\mu }_{\alpha }{t}_{\beta }{\mathbf{G}}_{n-1}\in {\mathbb{Z}}_q^{(n-1)·\ell }$.

The detailed construction of these pseudo-ciphertexts will be shown in Section 3. The final expanded ciphertext becomes

$${\widehat{\mathbf{C}}}^{†}=\left[\begin{array}{cccccc}{\mathbf{C}}_{\alpha }^{1,1}& \dots & \mathbf{0}& \dots & \mathbf{0}& \mathbf{0}\\ ⋮& \ddots & ⋮& & ⋮& ⋮\\ {\mathbf{X}}_{\alpha \to 1}^{\left(1\right)}& \dots & {\mathbf{C}}_{\alpha }^{1,1}& \dots & {\mathbf{X}}_{\alpha \to N}^{\left(1\right)}& {\mathbf{C}}_{\alpha }^{1,2}\\ ⋮& & ⋮& \ddots & ⋮& ⋮\\ \mathbf{0}& \dots & \mathbf{0}& \dots & {\mathbf{C}}_{\alpha }^{1,1}& \mathbf{0}\\ {\mathbf{X}}_{\alpha \to 1}^{\left(2\right)}& \dots & {\mathbf{C}}_{\alpha }^{2,1}& \dots & {\mathbf{X}}_{\alpha \to N}^{\left(2\right)}& {\mathbf{C}}_{\alpha }^{2,2}\end{array}\right]\in {\mathbb{Z}}_q^{(Nn-N+1)\times (Nn-N+1)\ell },$$

where ${\mathbf{C}}_{\alpha }^{1,1}={\mu }_{\alpha }·{\mathbf{G}}_{n-1}-A·R^L\in {\mathbb{Z}}_q^{n-1\times (n-1)·\ell }$, ${\mathbf{C}}_{\alpha }^{1,2}=-A·R^R\in {\mathbb{Z}}_q^{n-1\times \ell }$, ${\mathbf{C}}_{\alpha }^{2,1}={\mathbf{b}}_{\alpha }·R^L\in {\mathbb{Z}}_q^{(n-1)·\ell }$, ${\mathbf{C}}_{\alpha }^{2,2}={\mu }_{\alpha }·\mathbf{g}+{\mathbf{b}}_{\alpha }·R^R\in {\mathbb{Z}}_q^{\ell }$, and $R_{\alpha }=\left[R^L\right|R^R]$, with

$${\mathbf{C}}_{\alpha }=\left[\begin{array}{cc}{\mathbf{C}}_{\alpha }^{1,1}& {\mathbf{C}}_{\alpha }^{1,2}\\ {\mathbf{C}}_{\alpha }^{2,1}& {\mathbf{C}}_{\alpha }^{2,2}\end{array}\right]\in {\mathbb{Z}}_q^{n\times m}.$$

Moreover, the expanded ciphertext follows a fixed placement pattern. The arrangement on the top left follows the same pattern as in Equation (1), but this time the main diagonal contains ${\mathbf{C}}_{\alpha }^{1,1}$. The remaining space is filled with pseudo-ciphertexts, which are now divided into two parts, ${\mathbf{X}}^{\left(1\right)}$ and ${\mathbf{X}}^{\left(2\right)}$. The first pseudo-ciphertext is placed here. Next, the bottom left and top right sections are arranged according to the sender’s position. The bottom left contains ${\mathbf{C}}_{\alpha }^{2,1}$, while the top right holds ${\mathbf{C}}_{\alpha }^{1,2}$. The remaining part of the bottom left section contains the second pseudo-ciphertext, and the rest of the top right section is filled with zeros. Finally, the bottom right section only contains ${\mathbf{C}}_{\alpha }^{2,2}$.

2.5. Decryption

When other users attempt direct decryption with their wrong secret keys, they only recover approximate results. When user $\beta$ attempts decryption with their secret key, it can be expressed as follows:

$$\begin{array}{cc}\hfill {\mathbf{s}}_{\beta }{\mathbf{C}}_{\alpha }& ={\mu }_{\alpha }·{\mathbf{s}}_{\beta }\times \mathbf{G}+{\mathbf{s}}_{\beta }\times {\mathbf{P}}_{\alpha }\times R_{\alpha }(modq)\in {\mathbb{Z}}_q^m\hfill \\ \hfill & ={\mu }_{\alpha }·{\mathbf{s}}_{\beta }\times \mathbf{G}-{\mathbf{b}}_{\beta }{R}_{\alpha }+{\mathbf{b}}_{\alpha }{R}_{\alpha }+e_{\beta }{R}_{\alpha }(modq)\hfill \\ \hfill & ={\mu }_{\alpha }·{\mathbf{s}}_{\beta }\times \mathbf{G}+\widehat{e}(modq),\hfill \end{array}$$

where ${\mathbf{P}}_{\alpha }=\left[\begin{array}{c}-A\\ {\mathbf{b}}_{\alpha }\end{array}\right],{\mathbf{s}}_{\beta }=[t_{\beta }\mid 1]$, and $\widehat{e}$ represents a significant error term. The additional term “$-{\mathbf{b}}_{\beta }{R}_{\alpha }+{\mathbf{b}}_{\alpha }{R}_{\alpha }$” introduces significant errors, leading to incorrect results. Furthermore, since $R_{\alpha }$ is a random matrix used by user $\alpha$ during encryption and is not shared, other users cannot independently resolve this issue. This necessitates additional assistance from user $\alpha$ to eliminate the “$-{\mathbf{b}}_{\beta }{R}_{\alpha }+{\mathbf{b}}_{\alpha }{R}_{\alpha }$” term, which explains the need for the expansion step.

2.5.1. Combined Decryption

Since our method produces results for the pseudo-ciphertext $\mathbf{X}$ consistent with those in the initial expansion, we consider the initial and our expansion as one group for decryption, while treating the advanced expansion as a separate group.

Initial and Our Approaches

Suppose there are N users, and the combined secret key is simply the concatenation of all secret keys:

$$\widehat{\mathbf{s}}=[{\mathbf{s}}_1,{\mathbf{s}}_2,\cdots ,{\mathbf{s}}_N]=[t_1,1,t_2,1,\dots ,t_N,1]\in {\mathbb{Z}}_q^{n·N}.$$

(2)

In this case, the decryption process is

$$\begin{array}{cc}\hfill \widehat{\mathbf{s}}\widehat{\mathbf{C}}& =\left[{\mathbf{s}}_1{\mathbf{C}}_{\alpha }+{\mathbf{s}}_{\alpha }{\mathbf{X}}_{\alpha \to 1},\dots ,{\mathbf{s}}_{\alpha }{\mathbf{C}}_{\alpha },\dots ,{\mathbf{s}}_N{\mathbf{C}}_{\alpha }+{\mathbf{s}}_{\alpha }{\mathbf{X}}_{\alpha \to N}\right]\hfill \\ \hfill & =[{\mu }_{\alpha }{\mathbf{s}}_1\mathbf{G}-{\mathbf{b}}_1{R}_{\alpha }+{\mathbf{b}}_{\alpha }{R}_{\alpha }+e_1{R}_{\alpha }+{\mathbf{B}}_{\alpha ,1}{R}_{\alpha }+e_1^{\prime \prime },\dots ,\hfill \\ \hfill & {\mu }_{\alpha }{\mathbf{s}}_{\alpha }\mathbf{G}-{\mathbf{b}}_{\alpha }{R}_{\alpha }+{\mathbf{b}}_{\alpha }{R}_{\alpha }+e_{\alpha }{R}_{\alpha },\dots ,\hfill \\ \hfill & {\mu }_{\alpha }{\mathbf{s}}_N\mathbf{G}-{\mathbf{b}}_N{R}_{\alpha }+{\mathbf{b}}_{\alpha }{R}_{\alpha }+e_N{R}_{\alpha }+{\mathbf{B}}_{\alpha ,N}{R}_{\alpha }+e_N^{\prime \prime }]\hfill \\ \hfill & =\left[{\mu }_{\alpha }{\mathbf{s}}_1\mathbf{G}+(e_1{R}_{\alpha }+e_1^{\prime \prime }),\dots ,{\mu }_{\alpha }{\mathbf{s}}_{\alpha }\mathbf{G}+e_{\alpha }{R}_{\alpha },\dots ,{\mu }_{\alpha }{\mathbf{s}}_N\mathbf{G}+(e_N{R}_{\alpha }+e_N^{\prime \prime })\right]\hfill \\ \hfill & \approx \left[{\mu }_{\alpha }{\mathbf{s}}_1\mathbf{G},\dots ,{\mu }_{\alpha }{\mathbf{s}}_{\alpha }\mathbf{G},\dots ,{\mu }_{\alpha }{\mathbf{s}}_N\mathbf{G}\right],\hfill \end{array}$$

where all additional errors initially generated by the users are successfully canceled. However, since $\mathbf{X}$ is also encrypted, the decryption process still introduces a small additional error ($e^{\prime \prime }$). Although the original more significant additional errors ($-{\mathbf{b}}_{\beta }{R}_{\alpha }+{\mathbf{b}}_{\alpha }{R}_{\alpha }$) are successfully eliminated, the final error magnitude remains slightly higher than that of users decrypting with the correct secret key.

Follow-Up Approach

Later, Ref. [3] discovered in Equation (2) that simply combining all secret keys would repeatedly include multiple “1”s. They suggested that these repeated “1”s could be omitted, keeping only a single “1” at the end. Thus, the combined secret key is adjusted to:

$${\widehat{\mathbf{s}}}^{*}=[t_1,t_2,\dots ,t_N,1]\in {\mathbb{Z}}_q^{Nn-N+1}.$$

The decryption process then becomes

$$\begin{array}{cc}\hfill {\widehat{\mathbf{s}}}^{*}{\widehat{\mathbf{C}}}^{†}& =[t_1,\dots ,t_{\alpha },\dots ,t_N,1]·{\widehat{\mathbf{C}}}^{†}\hfill \\ \hfill & =[t_1{\mathbf{C}}_{\alpha }^{1,1}+t_{\alpha }{\mathbf{X}}_{\alpha \to 1}^{\left(1\right)}+{\mathbf{X}}_{\alpha \to 1}^{\left(2\right)},\dots ,t_{\alpha }{\mathbf{C}}_{\alpha }^{1,1}+{\mathbf{C}}_{\alpha }^{2,1},\dots ,\hfill \\ \hfill & t_N{\mathbf{C}}_{\alpha }^{1,1}+t_{\alpha }{\mathbf{X}}_{\alpha \to N}^{\left(1\right)}+{\mathbf{X}}_{\alpha \to N}^{\left(2\right)},t_{\alpha }{\mathbf{C}}_{\alpha }^{1,2}+{\mathbf{C}}_{\alpha }^{2,2}],\hfill \end{array}$$

and thereafter, these can be divided into three parts and calculated separately,

1. 

$t_{\beta }{\mathbf{C}}_{\alpha }^{1,1}+t_{\alpha }{\mathbf{X}}_{\alpha \to \beta }^{\left(1\right)}+{\mathbf{X}}_{\alpha \to \beta }^{\left(2\right)}=t_{\beta }·({\mu }_{\alpha }·{\mathbf{G}}_{n-1}-A·R^L)+$

$\begin{array}{cc}& \sum _{i,j}-{\mathbf{b}}_{\alpha }·\overline{R^{m\times \ell }}·G^{-1}\left({{\mathbf{Z}}_{\alpha ,\beta }^{i,j}}^{\prime }\right)+e^{\prime \prime }+\hfill \\ & {\mathbf{b}}_{\beta }·R^L+\sum _{i,j}{\mathbf{b}}_{\alpha }·\overline{R^{m\times \ell }}·G^{-1}\left({{\mathbf{Z}}_{\alpha ,\beta }^{i,j}}^{\prime }\right)\hfill \\ & ={\mu }_{\alpha }·t_{\beta }·{\mathbf{G}}_{n-1}+(-{\mathbf{b}}_{\beta }+e_{\beta })·R^L+e^{\prime \prime }+{\mathbf{b}}_{\beta }·R^L\hfill \\ & ={\mu }_{\alpha }·t_{\beta }·{\mathbf{G}}_{n-1}+e_{\beta }·R^L+e^{\prime \prime }\hfill \\ & ={\mu }_{\alpha }·t_{\beta }·{\mathbf{G}}_{n-1}+e_{\beta }^{\prime },\hfill \end{array}$

2. 

$t_{\alpha }{\mathbf{C}}_{\alpha }^{1,1}+{\mathbf{C}}_{\alpha }^{2,1}=t_{\alpha }·({\mu }_{\alpha }·{\mathbf{G}}_{n-1}-A·R^L)+{\mathbf{b}}_{\alpha }·R^L$

$\begin{array}{cc}& ={\mu }_{\alpha }·t_{\alpha }·{\mathbf{G}}_{n-1}+(-{\mathbf{b}}_{\alpha }+e_{\alpha })·R^L+{\mathbf{b}}_{\alpha }·R^L\hfill \\ & ={\mu }_{\alpha }·t_{\alpha }·{\mathbf{G}}_{n-1}+e_{\alpha }·R^L={\mu }_{\alpha }·t_{\alpha }·{\mathbf{G}}_{n-1}+e_{\alpha }^{\prime },\hfill \end{array}$

3. 

$t_{\alpha }{\mathbf{C}}_{\alpha }^{1,2}+{\mathbf{C}}_{\alpha }^{2,2}=t_{\alpha }·(-A·R^R)+{\mu }_{\alpha }·\mathbf{g}+{\mathbf{b}}_{\alpha }·R^R$

$\begin{array}{cccc}& =(-{\mathbf{b}}_{\alpha }+e_{\alpha })·R^R+{\mu }_{\alpha }·\mathbf{g}+{\mathbf{b}}_{\alpha }·R^R\hfill & & \\ & ={\mu }_{\alpha }·\mathbf{g}+e_{\alpha }·R^R={\mu }_{\alpha }·\mathbf{g}+e^{\prime };\hfill & \end{array}$

Therefore, we now know

$$\begin{array}{cc}\hfill {\widehat{\mathbf{s}}}^{*}{\widehat{\mathbf{C}}}^{†}& =[t_1{\mathbf{C}}_{\alpha }^{1,1}+t_{\alpha }{\mathbf{X}}_{\alpha \to 1}^{\left(1\right)}+{\mathbf{X}}_{\alpha \to 1}^{\left(2\right)},\dots ,t_{\alpha }{\mathbf{C}}_{\alpha }^{1,1}+{\mathbf{C}}_{\alpha }^{2,1},\dots ,\hfill \\ \hfill & t_N{\mathbf{C}}_{\alpha }^{1,1}+t_{\alpha }{\mathbf{X}}_{\alpha \to N}^{\left(1\right)}+{\mathbf{X}}_{\alpha \to N}^{\left(2\right)},t_{\alpha }{\mathbf{C}}_{\alpha }^{1,2}+{\mathbf{C}}_{\alpha }^{2,2}]\hfill \\ \hfill & =[{\mu }_{\alpha }·t_1·{\mathbf{G}}_{n-1}+e_1^{\prime },\dots ,{\mu }_{\alpha }·t_{\alpha }·{\mathbf{G}}_{n-1}+e_{\alpha }^{\prime },\dots ,\hfill \\ \hfill & {\mu }_{\alpha }·t_N·{\mathbf{G}}_{n-1}+e_N^{\prime },{\mu }_{\alpha }·\mathbf{g}+e^{\prime }]\hfill \\ \hfill & \approx \left[{\mu }_{\alpha }·t_1·{\mathbf{G}}_{n-1},\dots ,{\mu }_{\alpha }·t_{\alpha }·{\mathbf{G}}_{n-1},\dots ,{\mu }_{\alpha }·t_N·{\mathbf{G}}_{n-1},{\mu }_{\alpha }·\mathbf{g}\right].\hfill \end{array}$$

In this setup, the first user can attempt to derive the correct answer by outputting from the first and last elements, $\left[{\mu }_{\alpha }·t_1·{\mathbf{G}}_{n-1}+e_1^{\prime }|{\mu }_{\alpha }·\mathbf{g}+e^{\prime }\right]$. Similarly, the second user can attempt to derive the correct answer by outputting from the second and last elements, and so on.

Output

At this stage, irrespective of the specific expansion method employed for decryption, we adopt the same approximate method as in [4] since it is more straightforward to understand. Ultimately, all methods enable users to extract the desired message values accurately.

2.5.2. Distributed Decryption

However, combining all users’ secret keys during the decryption process raises security concerns in real-world applications. Therefore, we will examine whether these three methods can be successfully executed in a distributed decryption scenario.

Figure 1 is divided into two sections: the left side represents the combined decryption scenario, while the right side depicts the distributed decryption scenario. The distributed decryption section is further subdivided to show the elements that each user can decrypt (rows) and all the required elements (columns). For simplicity, the figure assumes only two users, with the message selected from the first user.

Initial and Our Approaches

Firstly, as shown in Figure 1a, we observe that distributed decryption is carried out according to each user’s designated section, regardless of the process. In this setup, users pre-arrange an order. Each user then decrypts all elements of a specific row in the expanded ciphertext using their secret key according to their sequence.

For instance, the first user will decrypt the elements in their designated row, resulting in outputs ${\mathbf{s}}_1{\mathbf{C}}_1$ and ${\mathbf{s}}_1{\mathbf{X}}_{1\to 2}$. The second user will decrypt their designated row similarly, producing outputs ${\mathbf{s}}_2·0^{n\times m}$ and ${\mathbf{s}}_2{\mathbf{C}}_1$. Since the first user selects the message, the result ${\mathbf{s}}_1{\mathbf{C}}_1$ after decryption represents the encrypted message, while ${\mathbf{s}}_2{\mathbf{C}}_1$ from the second user does not yield the message after decryption. In this setup, ${\mathbf{s}}_1{\mathbf{X}}_{1\to 2}$ from the first user serves as auxiliary information (${\mathbf{B}}_{1,2}{R}_1$) that needs to be transmitted to the second user. This ensures that all users obtain the necessary elements they need. Therefore, this indicates that distributed decryption is valid for both the initial and our method.

Follow-Up Approach

Due to the combined secret key adjustments, each user’s secret key must be split for decryption. Thus, in addition to decrypting their designated sections with the first part of their secret key, all users will also decrypt the last row of the expanded ciphertext.

In this case, the two users in the figure can each decrypt six elements. Both users lack two elements that they cannot obtain independently. Specifically, the first user lacks elements $t_2·0^{(n-1)\times (n-1)\ell }$ and $t_2·0^{(n-1)\times \ell }$, while the second user lacks elements $t_1{\mathbf{X}}_{1\to 2}^{\left(1\right)}$ and $t_1{\mathbf{C}}_1^{1,2}$. Under our assumptions, the elements the first user lacks are all zeros, so they do not affect their ability to decrypt the message.

For the second user, element $t_1{\mathbf{X}}_{1\to 2}^{\left(1\right)}$ can be obtained by having the first user transmit it. However, even though the first user can decrypt element $t_1{\mathbf{C}}_1^{1,2}$, it contains parts of the selected message, making it impossible to communicate with the second user. Therefore, the second user cannot obtain all the necessary elements through distributed decryption. Consequently, distributed decryption is not applicable in this scenario.

2.5.3. Noise Considerations

The proposed balanced expansion and compression are structural optimizations of ciphertext representation. These steps do not modify the underlying error distribution but only reorganize ciphertext components to reduce memory overhead. Therefore, the noise behavior essentially follows the same bounds as in Hu et al. [4]. Since no additional approximation error is introduced, the correctness guarantee of decryption is preserved in both single-key and multikey settings.

3. Multikey Expansion Methods

As previously mentioned, decryption attempts with wrong secret keys pose significant challenges in a multi-user context. To address this, Ref. [2] proposes incorporating an additional “expansion” stage following the encryption process. We will now demonstrate the generation methods for all pseudo-ciphertexts mentioned in the three expansion approaches. Section 3.1 and Section 3.3 will introduce those two existing expansion methods. Furthermore, we will combine both techniques to achieve a balanced approach, ultimately resulting in a new method applicable to multikey encryption, which will be presented in Section 3.2.

3.1. Initial Expansion [2]

3.1.1. Masking Scheme

To achieve the expansion, Ref. [2] proposes using the “masking scheme” introduced in [19]. The masking scheme requires the first user to generate significant additional helper information $\mathcal{U}$ about the ciphertext ${\mathbf{C}}_{\alpha }$ during the encryption phase. This involves encrypting the matrix $R_{\alpha }$ from the ciphertext equation.

Since the GSW scheme can only encrypt one scalar at a time, this generates $m\times m$ additional helper information. Thus, $\mathcal{U}$ is represented as $({\mathbf{V}}_{\alpha }^{(1,1)},{\mathbf{V}}_{\alpha }^{(1,2)},\dots ,$${\mathbf{V}}_{\alpha }^{(m,m)})$, where

$${\mathbf{V}}_{\alpha }^{(i,j)}=R_{\alpha }^{i,j}\mathbf{G}+{\mathbf{P}}_{\alpha }\overline{R}\in {\mathbb{Z}}_q^{n\times m},$$

(3)

with $\overline{R}\ne R_{\alpha }$ and $\overline{R}$ being different in each ${\mathbf{V}}_{\alpha }^{(i,j)}$. These are then used in conjunction with all users’ $\mathbf{b}$ vectors to compute the pseudo-ciphertext $\mathbf{X}$.

3.1.2. Homomorphic Linear Combination

Since all elements of $R_{\alpha }$ are now individually encrypted into a matrix, the original “${\mathbf{b}}_{\beta }{R}_{\alpha }-{\mathbf{b}}_{\alpha }{R}_{\alpha }$” can no longer be used. Therefore, it must be transformed into an expression that can be used within the encrypted domain. To achieve this, Ref. [2] proposes a method called “Homomorphic Linear Combination,” which is represented by

$${\mathbf{X}}_{\alpha \to \beta }=\sum _{i,j}{\mathbf{V}}_{\alpha }^{(i,j)}·G^{-1}\left({\mathbf{Z}}_{\alpha ,\beta }^{i,j}\right)\in {\mathbb{Z}}_q^{n\times m},$$

(4)

where ${\mathbf{Z}}_{\alpha ,\beta }$ is defined as

$${\mathbf{Z}}_{\alpha ,\beta }^{i,j}[a,b]:=\left\{\begin{array}{cc}{\mathbf{B}}_{\alpha ,\beta }\left[i\right],\hfill & \mathrm{when}a=n\mathrm{and}b=j\hfill \\ 0,\hfill & \mathrm{otherwise}\hfill \end{array}\right..$$

(5)

We can now prove the first condition for both the initial and modified expansions.

Proof. 

$$\begin{array}{cc}\hfill {\mathbf{s}}_{\alpha }{\mathbf{X}}_{\alpha \to \beta }& ={\mathbf{s}}_{\alpha }\sum _{i,j}{\mathbf{V}}_{\alpha }^{(i,j)}·G^{-1}\left({\mathbf{Z}}_{\alpha ,\beta }^{i,j}\right)=\sum _{i,j}{\mathbf{s}}_{\alpha }(R_{\alpha }^{i,j}\mathbf{G}+{\mathbf{P}}_{\alpha }\overline{R})·G^{-1}\left({\mathbf{Z}}_{\alpha ,\beta }^{i,j}\right)\hfill \\ \hfill & =\sum _{i,j}(R_{\alpha }^{i,j}{\mathbf{s}}_{\alpha }\mathbf{G}+e_{\alpha }^{i,j})·G^{-1}\left({\mathbf{Z}}_{\alpha ,\beta }^{i,j}\right)=\sum _{i,j}{R}_{\alpha }^{i,j}{\mathbf{s}}_{\alpha }·{\mathbf{Z}}_{\alpha ,\beta }^{i,j}+e_{\alpha }^{i,j}·G^{-1}\left({\mathbf{Z}}_{\alpha ,\beta }^{i,j}\right)\hfill \\ \hfill & ={\mathbf{s}}_{\alpha }\sum _{i,j}{R}_{\alpha }^{i,j}{\mathbf{Z}}_{\alpha ,\beta }^{i,j}+e_{\alpha }^{\prime \prime }=(t_{\alpha },1)\left[\begin{array}{c}{0}^{n-1}\\ {\mathbf{B}}_{\alpha ,\beta }{R}_{\alpha }\end{array}\right]+e_{\alpha }^{\prime \prime }={\mathbf{B}}_{\alpha ,\beta }{R}_{\alpha }+e_{\alpha }^{\prime \prime }.\hfill \end{array}$$

□

Therefore, ${\mathbf{s}}_{\alpha }{\mathbf{X}}_{\alpha \to \beta }={\mathbf{B}}_{\alpha ,\beta }{R}_{\alpha }+e_{\alpha }^{\prime \prime }\approx {\mathbf{B}}_{\alpha ,\beta }{R}_{\alpha }$ holds. The second condition can then be derived straightforwardly.

3.2. Our Modified Expansion

Subsequent experiments revealed that the expansion stage caused a significant increase in processing time, which consumed almost 90% of the entire encryption and decryption time. This is because the involvement of random matrix $R_{\alpha }$ is crucial, and the GSW encryption scheme only encrypts one scalar at a time. As a result, the $R_{\alpha }$ matrix requires $m\times m$ encryptions, consuming most of the processing time. Every element in $R_{\alpha }$ is essential for maintaining decryption accuracy, making it impossible to reduce the number of elements as a means of improvement.

Examining Equation (4) reveals that the upper half of the $G^{-1}\left({\mathbf{Z}}_{\alpha ,\beta }^{i,j}\right)$ matrix is just a zero matrix. In practice, only the last ℓ columns of additional helper information are helpful for subsequent computations. Therefore, we considered adjusting the size of this additional helper information and modifying the $G^{-1}\left({\mathbf{Z}}_{\alpha ,\beta }^{i,j}\right)$ matrix to remove the upper zeros in the resulting matrix. These adjustments significantly reduce both the execution time and memory usage. Ideally, the time and space required for the expansion stage could be reduced nearly $n-1$ times. After these adjustments, Equations (3), (4), and (5) are respectively transformed into

$${\mathbf{V}}_{\alpha }^{(i,j)\ast }=R_{\alpha }^{i,j}·\left[\begin{array}{c}0\\ ⋮\\ 0\\ \mathbf{g}\end{array}\right]+{\mathbf{P}}_{\alpha }·\overline{R^{m\times \ell }}\in {\mathbb{Z}}_q^{n\times \ell },$$

(6)

$${\mathbf{X}}_{\alpha \to \beta }=\sum _{i,j}{\mathbf{V}}_{\alpha }^{(i,j)\ast }·G^{-1}\left({\mathbf{Z}}_{\alpha ,\beta }^{i,j\ast }\right)\in {\mathbb{Z}}_q^{n\times m},$$

(7)

$${\mathbf{Z}}_{\alpha ,\beta }^{i,j\ast }\left[x\right]:=\left\{\begin{array}{cc}{\mathbf{B}}_{\alpha ,\beta }\left[i\right],\hfill & \mathrm{when}x=j\hfill \\ 0,\hfill & \mathrm{otherwise}\hfill \end{array}\right.\in {\mathbb{Z}}_q^m.$$

(8)

During the final execution of the homomorphic linear combination, our approach does not alter the resulting pseudo-ciphertext ${\mathbf{X}}_{\alpha \to \beta }$.

3.3. Advanced Expansion [3]

Their original method was designed for encryption schemes using a matrix secret key. However, since the previous two expansion methods were applied to vector secret keys, we adapted their concept and approach to work with vector secret keys for comparison purposes. Consequently, the observed improvement will be less significant than when applied to matrix secret keys. The original method from their paper is included in Appendix A.3 for reference.

3.3.1. Additional Helper Information

Upon further examination of Equation (6), it is evident that the information regarding $R_{i,j}$ is zero except for the last row. This insight led to the idea of splitting the additional helper information into upper and lower halves, as shown in the following

$$\begin{array}{cc}\hfill & {\mathbf{V}}_{\alpha }^{1(i,j)}=-A·\overline{R^{m\times \ell }}\in {\mathbb{Z}}_q^{(n-1)\times \ell },\hfill \\ \hfill & {\mathbf{V}}_{\alpha }^{2(i,j)}=R_{\alpha }^{L,i,j}·\mathbf{g}+{\mathbf{b}}_{\alpha }·\overline{R^{m\times \ell }}\in {\mathbb{Z}}_q^{\ell },\hfill \end{array}$$

where $\overline{R^{m\times \ell }}$ must be the same in that pair of ${\mathbf{V}}_{\alpha }^{1(i,j)}$ and ${\mathbf{V}}_{\alpha }^{2(i,j)}$.

Given the importance of the random matrix $R_{\alpha }$ for encrypting the message, any adjustments to the expanded ciphertext and combined secret key necessitate changes in the decryption process. Following their method, the public key error introduced using a wrong secret key affects only ${\mathbf{C}}_{\alpha }^{1,1}$. Since ${\mathbf{C}}_{\alpha }^{1,1}={\mu }_{\alpha }·{\mathbf{G}}_{n-1}-A·R^L$, the crucial $R_{\alpha }$ matrix now requires encryption of only the elements in the first $(n-1)\times \ell$ columns, consequently reducing the necessary additional helper information from $m\times m$ to $m\times (n-1)·\ell$. This adjustment decreases memory usage by a factor of $\ell /m$.

Additionally, due to the changes in the additional helper information, the calculation of subsequent Equation (8) also changes; that is

$${{\mathbf{Z}}_{\alpha ,\beta }^{i,j}}^{\prime }\left[x\right]:=\left\{\begin{array}{cc}{\mathbf{b}}_{\beta }\left[i\right],\hfill & \mathrm{when}x=j\hfill \\ 0,\hfill & \mathrm{otherwise}\hfill \end{array}\right.\in {\mathbb{Z}}_q^{(n-1)·\ell }.$$

Initially, it required ${\mathbf{b}}_{\beta }-{\mathbf{b}}_{\alpha }={\mathbf{B}}_{\alpha ,\beta }$, but now it only needs ${\mathbf{b}}_{\beta }$.

3.3.2. Pseudo-Ciphertext

Due to the additional helper information changes, the pseudo-ciphertext is now divided according to

$${\mathbf{X}}_{\alpha \to \beta }^{\left(1\right)}=\sum _{i,j}{\mathbf{V}}_{\alpha }^{1(i,j)}·G^{-1}\left({{\mathbf{Z}}_{\alpha ,\beta }^{i,j}}^{\prime }\right)\in {\mathbb{Z}}_q^{(n-1)\times (n-1)·\ell },$$

$${\mathbf{X}}_{\alpha \to \beta }^{\left(2\right)}=\sum _{i,j}{\mathbf{V}}_{\alpha }^{2(i,j)}·G^{-1}\left({{\mathbf{Z}}_{\alpha ,\beta }^{i,j}}^{\prime }\right)\in {\mathbb{Z}}_q^{(n-1)·\ell }.$$

The first two conditions mentioned earlier can now be proven correct.

Proof. 

1. 

$t_{\alpha }{\mathbf{X}}_{\alpha \to \beta }^{\left(1\right)}={\sum }_{i,j}{t}_{\alpha }·{\mathbf{V}}_{\alpha }^{1(i,j)}·G^{-1}\left({{\mathbf{Z}}_{\alpha ,\beta }^{i,j}}^{\prime }\right)={\sum }_{i,j}{t}_{\alpha }·(-A·\overline{R^{m\times \ell }})·G^{-1}\left({{\mathbf{Z}}_{\alpha ,\beta }^{i,j}}^{\prime }\right)$

$\begin{array}{cc}& =\sum _{i,j}(-{\mathbf{b}}_{\alpha }+e_{\alpha })·\overline{R^{m\times \ell }}·G^{-1}\left({{\mathbf{Z}}_{\alpha ,\beta }^{i,j}}^{\prime }\right)\hfill \\ & =\sum _{i,j}-{\mathbf{b}}_{\alpha }·\overline{R^{m\times \ell }}·G^{-1}\left({{\mathbf{Z}}_{\alpha ,\beta }^{i,j}}^{\prime }\right)+\sum _{i,j}{e}_{\alpha }·\overline{R^{m\times \ell }}·G^{-1}\left({{\mathbf{Z}}_{\alpha ,\beta }^{i,j}}^{\prime }\right)\hfill \\ & =\sum _{i,j}-{\mathbf{b}}_{\alpha }·\overline{R^{m\times \ell }}·G^{-1}\left({{\mathbf{Z}}_{\alpha ,\beta }^{i,j}}^{\prime }\right)+e^{\prime \prime }\hfill \\ & \approx \sum _{i,j}-{\mathbf{b}}_{\alpha }·\overline{R^{m\times \ell }}·G^{-1}\left({{\mathbf{Z}}_{\alpha ,\beta }^{i,j}}^{\prime }\right).\hfill \end{array}$

2. 

${\mathbf{X}}_{\alpha \to \beta }^{\left(2\right)}={\sum }_{i,j}{\mathbf{V}}_{\alpha }^{2(i,j)}·G^{-1}\left({{\mathbf{Z}}_{\alpha ,\beta }^{i,j}}^{\prime }\right)$

$\begin{array}{cc}& =\sum _{i,j}(R_{\alpha }^{L,i,j}·\mathbf{g}+{\mathbf{b}}_{\alpha }·\overline{R^{m\times \ell }})·G^{-1}\left({{\mathbf{Z}}_{\alpha ,\beta }^{i,j}}^{\prime }\right)\hfill \\ & =\sum _{i,j}{R}_{\alpha }^{L,i,j}·\mathbf{g}·G^{-1}\left({{\mathbf{Z}}_{\alpha ,\beta }^{i,j}}^{\prime }\right)+{\mathbf{b}}_{\alpha }·\overline{R^{m\times \ell }}·G^{-1}\left({{\mathbf{Z}}_{\alpha ,\beta }^{i,j}}^{\prime }\right)\hfill \\ & =\sum _{i,j}{R}_{\alpha }^{L,i,j}·{{\mathbf{Z}}_{\alpha ,\beta }^{i,j}}^{\prime }+{\mathbf{b}}_{\alpha }·\overline{R^{m\times \ell }}·G^{-1}\left({{\mathbf{Z}}_{\alpha ,\beta }^{i,j}}^{\prime }\right)\hfill \\ & ={\mathbf{b}}_{\beta }·R^L+\sum _{i,j}{\mathbf{b}}_{\alpha }·\overline{R^{m\times \ell }}·G^{-1}\left({{\mathbf{Z}}_{\alpha ,\beta }^{i,j}}^{\prime }\right).\hfill \end{array}$

□

Since the first two conditions are confirmed to be accurate, the final condition can be derived naturally.

4. Decomposition with Multikey

At this point, we extended the decomposition approach [4] to multikey scenarios. Although the performance gains in multikey were not as pronounced as in single-key scenarios, they were still notable. The entire decomposition process is illustrated in

Table 1. All benchmarked vector secret key schemes’ decomposition processes.

	Binary-based [5]	$\mathit{\varphi }$-based	CRT-based [4]
KeyGen.	Public key: ${\mathbf{P}}_k=\left[{\displaystyle \frac{-A}{{\mathbf{b}}_k}}\right]\in {\mathbb{Z}}_q^{n\times m}$,
	and Secret key: ${\mathbf{s}}_k=[t_k\mid 1]\in {\mathbb{Z}}_q^n$
Decomp.	Selecting the message $\mu \in \left[0,q\right)$ and $R_k\in {\{0,1\}}^{m\times m}$
	(${\mu }_0,{\mu }_1,\dots ,{\mu }_{\ell -1}$)	(${\mu }_0,{\mu }_1,\dots ,{\mu }_{B-1}$)	$\left\{\begin{array}{cc}\mu \equiv \hfill & {\mu }_{\alpha }(mod{m}_{\alpha })\hfill \\ \mu \equiv \hfill & {\mu }_{\beta }(mod{m}_{\beta })\hfill \\ & ⋮\hfill \\ \mu \equiv \hfill & {\mu }_{\gamma }(mod{m}_{\gamma })\hfill \end{array}\right.$
Enc.	Encrypting each element into ciphertext by
	$\forall i,\mathrm{s}.\mathrm{t}.{\mathbf{C}}_{\mathbf{i}}={\mu }_i·\mathbf{G}+{\mathbf{P}}_k\times R_k(modq)\in {\mathbb{Z}}_q^{n\times m}$
Exp.	Calculate the corresponding pseudo-ciphertext $\mathbf{X}$
Dec.	Decrypting all extended ciphertexts
Output.	Approximate method
Recomb.	$\mu ={\sum }_i{2}^i{\mu }_i$	$\mu ={\sum }_i{\varphi }^i{\mu }_i$	$\mu ={\sum }_i{\mu }_i{\mathbf{t}}_i{\mathbf{M}}_i$

.

4.1. Homomorphic Addition in Multikey

When applying homomorphic addition to multikey encryption, two scenarios can occur: the messages being added are either from the same user (same key) or different users (different keys). Since we aim to simulate practical applications, the expanded ciphertext supports distributed decryption. We use the balanced method proposed in Section 3.2 for more effective experimentation.

Previous discussions indicate that auxiliary information involved in encryption and expansion introduces errors during decryption. This error increases when the information is sent to users with a wrong secret key. Consequently, the message range’s upper bound $\varphi$ will decrease again.

4.1.1. Same Key Situation

We know that users decrypting with the wrong secret key will encounter additional errors. In the same key scenario, both messages are not chosen by the user with the wrong secret key, resulting in a double magnitude of additional errors for that user. For simplicity, assume there are only two users and messages are selected from the first user,

$$\begin{array}{cc}\hfill \widehat{\mathbf{s}}\widehat{{\mathbf{C}}^{+}}& =\left[{\mathbf{s}}_1{\mathbf{C}}^{+},{\mathbf{s}}_1{\mathbf{X}}^{+}+{\mathbf{s}}_2{\mathbf{C}}^{+}\right]\hfill \\ \hfill & =\left[{\mathbf{s}}_1·({\mathbf{C}}_1^1+{\mathbf{C}}_1^2),{\mathbf{s}}_1·({\mathbf{X}}_{1\to 2}^1+{\mathbf{X}}_{1\to 2}^2)+{\mathbf{s}}_2·({\mathbf{C}}_1^1+{\mathbf{C}}_1^2)\right]\hfill \\ \hfill & =[{\mathbf{s}}_1·\left({\mu }_1^1\mathbf{G}+{\mathbf{P}}_1{R}_1^1+{\mu }_1^2\mathbf{G}+{\mathbf{P}}_1{R}_1^2\right),\hfill \\ \hfill & \left({\mathbf{s}}_1{\mathbf{X}}_{1\to 2}^1+{\mathbf{s}}_1{\mathbf{X}}_{1\to 2}^2\right)+{\mathbf{s}}_2·\left({\mu }_1^1\mathbf{G}+{\mathbf{P}}_1{R}_1^1+{\mu }_1^2\mathbf{G}+{\mathbf{P}}_1{R}_1^2\right)]\hfill \\ \hfill & =[\left({\mu }_1^1+{\mu }_1^2\right){\mathbf{s}}_1·\mathbf{G}+e_1^1+e_1^2,\hfill \\ \hfill & {\mathbf{B}}_{1,2}{R}_1^1+e_1^{\prime \prime }+{\mathbf{B}}_{1,2}{R}_1^2+e_2^{\prime \prime }+\left({\mu }_1^1+{\mu }_1^2\right){\mathbf{s}}_2·\mathbf{G}+(-{\mathbf{b}}_2+{\mathbf{b}}_1)R_1^1+e_2^1\hfill \\ \hfill & +(-{\mathbf{b}}_2+{\mathbf{b}}_1)R_1^2+e_2^2]\hfill \\ \hfill & =\left[\left({\mu }_1^1+{\mu }_1^2\right){\mathbf{s}}_1·\mathbf{G}+e_1,\left({\mu }_1^1+{\mu }_1^2\right){\mathbf{s}}_2·\mathbf{G}+e_2\right]\hfill \\ \hfill & \approx \left[\left({\mu }_1^1+{\mu }_1^2\right){\mathbf{s}}_1·\mathbf{G},\left({\mu }_1^1+{\mu }_1^2\right){\mathbf{s}}_2·\mathbf{G}\right],\hfill \end{array}$$

where $e_1=e_1^1+e_1^2$, and $e_2=e_2^1+e_2^2+e_1^{\prime \prime }+e_2^{\prime \prime }$. Although the correct calculation can ultimately be recovered with the help of auxiliary information, the cumulative error from these two messages may reach a critical threshold to fail the desired FHE computation.

4.1.2. Different Key Situation

Since both users will receive one message that they did not choose in the different key scenarios, on the one hand, the recovered result for each will include additional errors; on the other hand, these errors may contribute to providing both users with some buffer information to tolerate the error. That is,

$$\begin{array}{cc}\hfill \widehat{\mathbf{s}}\widehat{{\mathbf{C}}^{+}}& =\left[{\mathbf{s}}_1{\mathbf{C}}^{+}+{\mathbf{s}}_2{\mathbf{X}}_{2\to 1},{\mathbf{s}}_1{\mathbf{X}}_{1\to 2}+{\mathbf{s}}_2{\mathbf{C}}^{+}\right]\hfill \\ \hfill & =\left[{\mathbf{s}}_1·({\mathbf{C}}_1+{\mathbf{C}}_2)+{\mathbf{s}}_2{\mathbf{X}}_{2\to 1},{\mathbf{s}}_1{\mathbf{X}}_{1\to 2}+{\mathbf{s}}_2·({\mathbf{C}}_1+{\mathbf{C}}_2)\right]\hfill \\ \hfill & =[{\mathbf{s}}_1·\left({\mu }_1\mathbf{G}+{\mathbf{P}}_1{R}_1+{\mu }_2\mathbf{G}+{\mathbf{P}}_2{R}_2\right)+{\mathbf{B}}_{2,1}{R}_2+e_2^{\prime \prime },\hfill \\ \hfill & {\mathbf{B}}_{1,2}{R}_1+e_1^{\prime \prime }+{\mathbf{s}}_2·\left({\mu }_1\mathbf{G}+{\mathbf{P}}_1{R}_1+{\mu }_2\mathbf{G}+{\mathbf{P}}_2{R}_2\right)]\hfill \\ \hfill & =[\left({\mu }_1+{\mu }_2\right){\mathbf{s}}_1·\mathbf{G}+e_1^1+(-{\mathbf{b}}_1+{\mathbf{b}}_2)R_2+e_1^2+{\mathbf{B}}_{2,1}{R}_2+e_2^{\prime \prime },\hfill \\ \hfill & {\mathbf{B}}_{1,2}{R}_1+e_1^{\prime \prime }+\left({\mu }_1+{\mu }_2\right){\mathbf{s}}_2·\mathbf{G}+(-{\mathbf{b}}_2+{\mathbf{b}}_1)R_1+e_2^1+e_2^2]\hfill \\ \hfill & =\left[\left({\mu }_1+{\mu }_2\right){\mathbf{s}}_1·\mathbf{G}+e_1,\left({\mu }_1+{\mu }_2\right){\mathbf{s}}_2·\mathbf{G}+e_2\right]\hfill \\ \hfill & \approx \left[\left({\mu }_1+{\mu }_2\right){\mathbf{s}}_1·\mathbf{G},\left({\mu }_1+{\mu }_2\right){\mathbf{s}}_2·\mathbf{G}\right],\hfill \end{array}$$

where $e_1=e_1^1+e_1^2+e_2^{\prime \prime }$, and $e_2=e_2^1+e_2^2+e_1^{\prime \prime }$.

From the above derivation, the cumulative errors corresponding to the two users with different key scenarios consist of the correct-key and wrong-key user cases in the same key scenario, as shown in

Table 2. Comparison of accumulated errors for both cases when users withhold the correct and wrong keys.

	Same Key	Different Key
User 1 (correct key)	$e_1^1+e_1^2$	$e_1^1+e_1^2+e_2^{\prime \prime }$
User 2 (wrong key)	$e_2^1+e_2^2+e_1^{\prime \prime }+e_2^{\prime \prime }$	$e_2^1+e_2^2+e_1^{\prime \prime }$

. If both scenarios involve additional homomorphic addition operations, the same key scenario will likely fail due to excessive errors generated by the second user. In contrast, different key scenarios still have a chance of success in eliminating the error because each user has some extra information provided by their computational counterpart.

4.1.3. CRT Decomposition in Multikey

We now apply the CRT decomposition method to both scenarios. Due to the nature of the CRT decomposition, which is carry-free, parallel addition operations can be straightforwardly conducted. Since our method can continuously increase the message range’s upper bound $\varphi$, both users can freely choose within the entire plaintext space without restrictions.

4.2. Federated Learning

Due to the incorporation of CRT decomposition, our derived multikey FHE scheme allows for unrestricted message selection, which enables the possibility of executing multiple consecutive homomorphic additions without decryption. To demonstrate the scheme’s effectiveness, we devised a simple application for federated learning. Suppose N users participate in the computation to aggregate all their numerical data. The process is broken down into the following multiple steps and involves two rounds of communication:

1.

Initial Setup. The user in the i-th position (i.e., geometric location number) possesses all users’ public keys and his own secret key, $S{K}_i$.

2.

Message Selection, Encryption, and Expansion. Each user selects a message ${\mu }_i$, conducts CRT decomposition, and encrypts the results. Due to differing keys, the pre-described expansion is required to prepare auxiliary error-correcting messages for other users.

3.

First Communication Round. The computed expanded ciphertexts are uploaded to the cloud.

4.

Homomorphic Addition. The cloud performs homomorphic addition on the N-expanded ciphertexts without decrypting them.

5.

Return Result. The cloud returns the encrypted computed result to all users, who then decrypt the result according to their position-dependent decryption key $S{K}_i$, concluding the first round of communication.

6.

Error Identification. The decrypted results will likely be incorrect since users will have many extra intermediaries that are not locally selected and generated.

7.

Second Communication Round. The second round of communication begins as users decrypt various intermediate data and upload them to the cloud. Specifically, each user i uploads all decrypted intermediate data except those in their own designated region, that is, user i uploads decrypted data from regions 1 to $i-1$ and $i+1$ to N.

8.

Classification and Final Result. The cloud classifies the received data according to each user’s needs and sends them back to the corresponding user. Each user then aggregates all received data to obtain the correct computation result.

These eight steps complete the basic federated learning application process. Following the steps mentioned above, we conducted a preliminary experiment to check if the learning process could be successfully executed. The purpose of this experiment was solely to determine the availability of execution, so no charts were generated to illustrate the effects under different security parameters. We compared the original method without decomposition and the one with CRT decomposition. To ensure practical applicability, the range of messages was allowed to be arbitrarily selected from the entire plaintext space. The CRT-involved experimental results are justified and consistent with our previous findings when the original setting is adopted. The following are some observations we obtained:

1.

Original Method Without Decomposition. Even with a simple case of $N=3$, the original method proved challenging due to the complexity of a single operation with an arbitrarily chosen message range, making it difficult to complete even one round of the federated learning process.

2.

Method with CRT Decomposition. Although our method currently needs to work on performing many consecutive operations without intermediate decryption, experiments verify that this approach can at least successfully execute one round of federated learning in the case of $N=3$, and it even has the possibility of success for $N=10$.

Although our results have yet to be ready for practical application, our experimental results reveal that the GSW multikey scheme has this potential if ample computation resources are provided.

5. Multikey Ciphertext Compression

Our previous work on single-key schemes [4] found that processing and transmitting encrypted data requires substantial storage capacity. An additional expansion is necessary in the multikey context, resulting in an even more considerable memory requirement for the expanded ciphertext. Therefore, any method that can compress the involved data within these schemes would be incredibly beneficial. Consequently, we apply the PVW-like compression technique proposed in [5] to the multikey scenarios. Additionally, Ref. [3] used this compression method for the expansion approach described in Section 3.3. In the rest of this section, we extend the same compression technique to the other two expansion approaches where secret keys are in vector form.

For ease of explanation, we continue to assume only two users exist and now let the second user select the message. From the discussions on single-key schemes [4], we knew that message decomposition is necessary before compression is applied. By CRT, the original message will be split into sub-messages with smaller value ranges; let $({\mu }_0,{\mu }_1,...,{\mu }_{\ell -1})$ and $({\mathbf{C}}_0,{\mathbf{C}}_1,...,{\mathbf{C}}_{\ell -1})$, respectively, denote corresponding sub-messages in the plaintext and the ciphertext domains.

Since expansion is essential in the multikey settings, we write down the associated mathematical forms in the following. For Section 3.1 and Section 3.2, the ciphertext will be expanded into

$${\widehat{\mathbf{C}}}_i=\left[\begin{array}{cc}{\mathbf{C}}_i& 0\\ \mathbf{X}& {\mathbf{C}}_i\end{array}\right]\in {\mathbb{Z}}_q^{2n\times 2m},$$

while for Section 3.3, the ciphertext will be expanded into

$${\widehat{\mathbf{C}}}_i^{†}=\left[\begin{array}{ccc}{\mathbf{C}}_i^{1,1}& 0& 0\\ {\mathbf{X}}_{2\to 1}^{\left(1\right)}& {\mathbf{C}}_i^{1,1}& {\mathbf{C}}_i^{1,2}\\ {\mathbf{X}}_{2\to 1}^{\left(2\right)}& {\mathbf{C}}_i^{2,1}& {\mathbf{C}}_i^{2,2}\end{array}\right]\in {\mathbb{Z}}_q^{(2n-1)\times (2n-1)\ell }.$$

5.1. The Compression Incurred Problems

We encountered several issues when we tried to apply the technique presented in [3], which was initially used on the matrix secret key, to the case with the vector secret key.

5.1.1. Waste of Pseudo-Ciphertext

When their ideas are transformed and applied to Section 3.3, the compression formula becomes:

$${\widehat{\mathbf{C}}}^{*}=\sum _i{\widehat{\mathbf{C}}}_i^{†}\times G^{-1}(f·2^i·T^{\prime })(modq)\in {\mathbb{Z}}_q^{Nn-N+1},$$

Since these ciphertexts were previously expanded, $T^{\prime }$ must also be expanded to a vector of length $Nn-N+1$.

We observed an interesting fact during the above-mentioned vectorize-key expansion. That is, when we visualize the compression formula, it becomes apparent that only the last ℓ columns of the computation are involved. Regardless of whether the first or second user chooses the message, the pseudo-ciphertext $\mathbf{X}$, which took the most time to compute, is not used. This means the additional helper information and the corresponding pseudo-ciphertext are wasted. This issue also appears in Section 3.1 and Section 3.2; that is

$${\widehat{\mathbf{C}}}^{*}=\sum _i{\widehat{\mathbf{C}}}_i\times G^{-1}(f·2^i·T^{\prime })(modq)\in {\mathbb{Z}}_q^{Nn}.$$

(9)

5.1.2. Unable to Handle Distributed Decryption

Exploring the potential application of the GSW encryption scheme in real-life scenarios, we attempted to implement distributed decryption. Since the pre-described advanced expansion cannot apply to distributed decryption, we used the compression technique for the initial and the modified expansions. That is, as follows

1.

Initial Setup. Both users select their public keys, $P{K}_i$, and secret keys, $S{K}_i$, with all public keys publicly accessible.

2.

Message Selection, Encryption, and Expansion. The second user selects the message and splits it by using bit-level decomposition, $({\mu }_0,{\mu }_1,...,$${\mu }_{\ell -1})$. Each of the sub-messages is then encrypted and expanded separately.

3.

First Communication Round. All expanded ciphertexts are uploaded to the cloud.

4.

Ciphertext Compression. The cloud compresses all received expanded ciphertexts. According to [3], only the last ℓ columns are utilized during this stage. Therefore, the compressed result becomes

$${\widehat{\mathbf{C}}}^{*}=\left[\begin{array}{c}\mathbf{0}\\ {\mathbf{C}}_2^{\prime }\end{array}\right]\in {\mathbb{Z}}_q^{2n}.$$

5.

Return Result. The cloud returns the compressed ciphertext to all users, who decrypt the received data according to their position-dependent secret keys.

6.

Error Identification. The second user can decrypt and retrieve the correct message, while the first user will only obtain a zero, as shown in

Table 3. Decryption outcomes for the first and the second users.

User 1 (wrong key)	$[{\mathbf{s}}_1,0]·{\widehat{\mathbf{C}}}^{\ast }=0$
User 2 (correct key)	$[\mathbf{0},{\mathbf{s}}_2]·{\widehat{\mathbf{C}}}^{\ast }={\mu }_2$

.

7.

Second Communication Round. As before, the second user cannot decrypt any auxiliary information to assist the first user; therefore, the second round of communication is a must. Since uploading the decrypted message directly to the cloud is impractical, the first user needs help to recover the message.

5.2. The Proposed Multikey Ciphertext Compression

Our work focuses on adjusting [3]’s compression technique to solve the two problems mentioned in the previous subsection. By transforming Equation (9) used in Section 3.1 and Section 3.2 into

$${\widehat{\mathbf{C}}}^{*}=\sum _i{\widehat{\mathbf{C}}}_i\times G^{-1}(f·2^i·T^{*})(modq)\in {\mathbb{Z}}_q^{Nn\times N},$$

we can solve the “Waste of Pseudo-Ciphertext” and the “Unable to Handle Distributed Decryption” issues simultaneously. In other words, our proposed multikey ciphertext compression scheme brings the following benefits: the efficient utilization of pseudo-ciphertext and successful implementation of distributed decryption.

5.2.1. Efficient Utilization of Pseudo-Ciphertext

Our main idea is to increase the dimension of the transformation $T^{\prime }$ proportional to the number of users. Let $T^{*}$ denote the dimension-extended transformation of $T^{\prime }$, defined as $T^{*}=I_n\otimes T^{\prime }\in {\mathbb{Z}}_q^{Nn\times N}$. This adjustment expands the range of ciphertext involved in the compression calculation to incorporate the previously wasted pseudo-ciphertexts into the account. Thus, the first issue in the previous subsection is solved.

5.2.2. Successful Implementation of Distributed Decryption

We devised a simple example using a multiparty communication method to demonstrate how to solve the second issue. In this case, for the n-th user, the goal is to ensure that all other users can receive the messages he selected and generated, even after compression. Our proposed scheme consists of the following steps:

1.

Initial Setup. Assume all N public keys are publicly accessible, while the secret keys are exclusively owned by their respective holders.

2.

Message Selection, Encryption, and Expansion. Let the n-th user select a message, split it into multiple sub-messages based on CRT and the selected moduli, and perform encryption and expansion operators.

3.

First Communication Round. All expanded ciphertexts $({\widehat{\mathbf{C}}}_0,{\widehat{\mathbf{C}}}_1,...,$${\widehat{\mathbf{C}}}_{\ell -1})$ are uploaded to the cloud.

4.

Ciphertext Compression. The cloud implements our modified compression method, making compressed ciphertexts significantly more prominent. As a result, the compressed result becomes

$${\widehat{\mathbf{C}}}^{*}=\left[\begin{array}{cccc}{\mathbf{C}}_N^{\prime }& \mathbf{0}& \dots & \mathbf{0}\\ \mathbf{0}& {\mathbf{C}}_N^{\prime }& \dots & \mathbf{0}\\ ⋮& ⋮& \ddots & ⋮\\ {\mathbf{X}}_{N\to 1}^{\prime }& {\mathbf{X}}_{N\to 2}^{\prime }& \dots & {\mathbf{C}}_N^{\prime }\end{array}\right]\in {\mathbb{Z}}_q^{Nn\times N}.$$

5.

Return Result. The cloud then sends the compressed ciphertexts to all users, who decrypt the results according to their position-dependent secret key.

6.

Error Identification. Since the n-th user selects the message, the decryption will be successful, while other users will fail to decrypt, as shown in

Table 4. Decryption outcomes for all users.

User 1 (wrong key)	$[{\mathit{s}}_1,0,\dots ,0]·{\widehat{\mathit{C}}}^{*}=[{\mathit{s}}_1{\mathit{C}}_{\mathit{N}}^{\prime },0,\dots ,0]\in {\mathbb{Z}}_{\mathit{q}}^{\mathit{N}}$
User 2 (wrong key)	$[\mathbf{0},{\mathbf{s}}_2,\dots ,\mathbf{0}]·{\widehat{\mathbf{C}}}^{*}=[0,{\mathbf{s}}_2{\mathbf{C}}_N^{\prime },\dots ,0]\in {\mathbb{Z}}_q^N$
⋮	⋮
User N (correct key)	$[\mathbf{0},\mathbf{0},\dots ,{\mathbf{s}}_N]·{\widehat{\mathbf{C}}}^{*}=[{\mathbf{s}}_N{\mathbf{X}}_{N\to 1}^{\prime },{\mathbf{s}}_N{\mathbf{X}}_{N\to 2}^{\prime },\dots ,{\mu }_N]\in {\mathbb{Z}}_q^N$

.

7.

Second Communication Round. Our proposed adjustment effectively utilizes pseudo-ciphertexts, allowing the n-th user to decrypt auxiliary information, which is then uploaded back to the cloud.

8.

Classification and Final Result. Finally, the cloud distributes the auxiliary information to each user as needed. After recombination through a multipart communication process, all users can successfully receive the message, that is, $({\mathbf{s}}_1{\mathbf{C}}_N^{\prime }+{\mathbf{s}}_N{\mathbf{X}}_{N\to 1}^{\prime },{\mathbf{s}}_2{\mathbf{C}}_N^{\prime }+{\mathbf{s}}_N{\mathbf{X}}_{N\to 2}^{\prime },...,{\mathbf{s}}_N{\mathbf{C}}_N^{\prime })(modq)=({\mu }_N,{\mu }_N,...,{\mu }_N)$.

With the aid of a simple multiparty communication process, this example demonstrates that our adjustment, despite producing a larger amount of compressed results than [3], effectively utilizes pseudo-ciphertexts, facilitating the desired applicability of distributed decryption. This improvement provides a higher potential for practically applying the GSW encryption scheme.

6. Experiments

We will compare and analyze all previously discussed content through numerical experiments, dividing them into comparing the three expansion methods and analyzing the CRT decomposition and compression techniques applied to the multikey scenario. All actual numerical data in our figures will be presented in Appendix B.

6.1. Comparative Analysis of Three Expansion Methods

This subsection compares various aspects of the expansion schemes, such as the execution time of completing encryption and decryption processes, the ciphertext size before the final decryption, the memory space required for all additional helper information, and the impact of these methods on the upper bound $\varphi$ of the message range.

6.1.1. Memory Sizes for the Expanded Ciphertext and the Additional Helper Information

Figure 2 illustrates the size of all additional helper information required for executing the three expansion methods and the final expanded ciphertexts. The first three items in the figure represent the size of the additional helper information for each involved technique; the corresponding measure is on the right vertical axis in MB. The latter four items show the expanded ciphertext size before final decryption for a single key and the three expansion schemes; the corresponding measure is on the left vertical axis in KB.

From Figure 2, several remarks can be drawn accordingly:

• Since our proposed improvement primarily focuses on enhancing the additional helper information without altering the expanded ciphertext, the size of the additional helper information is significantly smaller than that of the initial method. In contrast, the expanded ciphertext size remains consistent with the initial process. However, the advanced approach effectively adjusts the expanded ciphertext and the additional helper information. Consequently, the advanced approach performs better in both aspects.
• Regardless of the adopted expansion method, the memory space required is significantly greater than that for single-key encryption. Both the initial and our derived methods resulted in a fourfold increase compared to the single key’s size. In contrast, the advanced approach results in it being approximately ${\left({\displaystyle \frac{2n-1}{n}}\right)}^2$ times the original size. Although multikey encryption is more practical in real-world scenarios, it inevitably faces a heavy burden in memory space.

6.1.2. Execution Time

The total execution times required for the entire encryption process using three different expansion methods are shown in Figure 3. We additionally included the time needed to execute the single-key method for comparison. The horizontal axis represents the security parameter n, where a higher value indicates a greater security level, while the vertical axis represents the execution time in milliseconds.

From Figure 3, several remarks can be drawn accordingly:

• Evidently, both our and the advanced approach significantly outperform the initial method. Moreover, the time required for the advanced approach is even less than that needed for our proposed process.
• Although, with the aid of compression, both our and the advanced approach have significantly reduced the execution time, it is still considerably higher than the time required for the single-key scenario. Therefore, while the multikey approach is more applicable to real-world scenarios, it necessitates further research to speed up the execution and ensure affordable applicability.

6.1.3. Upper Bound $\varphi$ of the Message Range

As previously addressed, users decrypting with the wrong secret key will inevitably generate additional errors after expansion. This fact makes reducing the message range’s upper bound $\varphi$ a must as the security parameter n increases. We conduct a thorough simulation associated with this consideration to understand the concrete trend of the relationship between the growth in n and the increase in message range for various multikey scenarios. The results are shown in Figure 4, where the vertical axis represents the upper bound $\varphi$, expressed logarithmically. Additionally, due to its high memory requirements and execution time, the initial method is excluded from this experiment.

From Figure 4, several remarks can be drawn accordingly:

• Our proposed method (colored in red in Figure 2) significantly reduces the upper bound compared to the correct key (single-key) condition. This reduction is necessary to ensure the successful operation of the multikey system, clearly reflecting the substantial impact of the additional error on the upper bound of the message range.
• Examining the results of the advanced approach reveals an unexpected phenomenon: from $n=22$ onwards, its required upper bound is almost identical to that of the original single-key counterpart. As previously addressed, the first user is responsible for integrating the first and the last elements after the completion of decryption, that is

  $$\left[{\mu }_{\alpha }·t_1·{\mathbf{G}}_{n-1}+e_1^{\prime }|{\mu }_{\alpha }·\mathbf{g}+e^{\prime }\right].$$
  Notice that this integration resembles concatenation more than linear combination; therefore, the error does not accumulate. Instead, the first user provides two different elements to output. Knowing that the first element carries a significant error, the first user primarily uses the second element to derive the correct message. This finding allows for a substantial increase in the message range’s upper bound.

6.1.4. Concluding Remarks

Finally, we aggregate all the comparisons of these three expansion schemes into

Table 5. This table presents the integration of all performance comparison results, which are crucial for understanding the effectiveness of our proposals.

	Initial [2]	Ours	Advanced [3]
Expanded ciphertext size	2nd	2nd	1st
Additional helper information	3rd	2nd	1st
Execution time	3rd	2nd	1st
Upper bound $\varphi$	-	2nd	1st
Distributed decryption	Yes	Yes	No

. The advanced approach excels in every category except for its inability to perform distributed decryption. We sought a balance between these two competing schemes ([2,3]) because distributed decryption is indispensable in real-world applications by combining the distributed decryption technique (cf. Section 3.1) with the effective reduction technique of additional helper information, presented in Section 3.3.

While our balanced method (indicated as Ours in Table 5) ranks second in all categories, its experimental results are nearly identical to those of the advanced approach. In other words, this combined approach effectively reduces complexity and enhances its applicability in real-world applications.

6.2. Analyzing the CRT Decomposition and Compression Techniques

Next, we will examine the impacts on the message range’s upper bound $\varphi$ when applying the previously proposed CRT decomposition [4] and the compression techniques mentioned above to multikey scenarios. Additionally, we will briefly illustrate how the upper bound $\varphi$ changes when performing homomorphic addition in a multikey use case, explicitly comparing the same key and different key scenarios. We aim to verify whether these changes align with our expectations.

6.2.1. Upper Bound $\varphi$

Figure 5 shows the upper bound simulation results associated with CRT decomposition and our suggested compression technique in single-key and multikey scenarios. It contains seven entries: the first indicates the minimum number of moduli required for CRT decomposition, followed by three entries showing the upper bound $\varphi$ for single-key scenarios without applying any techniques, using CRT decomposition only, and using both CRT and compression. The last three entries correspond to those of multikey scenarios. The left vertical axis represents the logarithmic upper bound $\varphi$, while the right axis shows the number of moduli. There are no values for cases where a simple message with 0 or 1 fails.

From Figure 5, several remarks can be drawn accordingly:

• Our proposed CRT decomposition method [4] significantly increases the upper bound in both scenarios. Due to initially small upper bounds in multikey scenarios, $n>22$ is needed for conducting unrestricted upper bound selection during decomposition. Additional errors generated from wrong secret key decryption (in multikey scenarios) do affect the CRT decomposition’s obtainable upper bound. For instance, at $n=20$, the ideal upper bound of $60(=3\times 4\times 5)$ will be reduced to 13 due to the wrong-key induced errors.
• Compression noticeably decreases the upper bound in both scenarios. Although multikey with compression limits the message range’s upper bound to a tiny value of 6, our suggested new compression method enables simple distributed decryption, which emulates real-world use cases more and increases its potential for practical usage.

6.2.2. Addition Operations in Multikey

Figure 6 depicts the impact on the message range’s upper bound when performing one homomorphic addition operation without CRT decomposition in the same-key and different-key scenarios. The “no addition" line represents the upper bound results of pure multikey scenarios. Performing any homomorphic operation, of course, will incur error accumulation, which in turn will reduce the allowable message range’s upper bound. As previously noted, users decrypting with the wrong secret key in the same-key scenario experienced faster error accumulation, resulting in a lower upper bound compared to the different-key scenarios.

7. Future Works and Conclusions

Since the inclusion of multikey capacity to FHE schemes is crucial in modern cryptography, we proposed a feasible approach by combining methods originating from [2,3], with its applicability to distributed decryption as a critical consideration. This design will enhance the practicability of the GSW-FHE scheme in secure FML applications.

We have applied CRT decomposition and ciphertext compression techniques, suggested in our previous work [4], to the multikey scenario. CRT decomposition continues to increase the range of selectable messages effectively. Although the compression method presented in [4] seems somewhat impractical for distributed decryption use cases, we have proposed improvements to remedy this issue. While the improved scheme requires increased execution time and memory usage, it enhances the applicability of these techniques to everyday scenarios.

Although current results do not fully fit our desired expectations, they represent significant progress toward the practical deployment of the GSW-FHE schemes. Further work focuses on integrating homomorphic operations with ciphertext compression to expand the capability of direct operations on encrypted data, which is a must.

Reference [20] categorized recent advancements in multikey FHE, covering security assumptions, key generation, plaintext encryption, and ciphertext processing. Our work primarily enhances the ciphertext processing counterpart. We noted that public keys across users still share similarities, which may jeopardize the system’s security. Future work should focus on making public keys entirely distinct without affecting the decryption. Moreover, exploring and discussing other aspects of non-GSW multikey FHE schemes would no doubt be a viable research direction.

Regarding ciphertext processing, a recent work [15] discussed adjustments to extended ciphertexts. These adjustments maintain consistent dimensions across different design methods while preventing decryption failures, reducing computational overhead, lowering error levels, and supporting distributed decryption. Integrating our methods with that technology could achieve even higher effectiveness.