Constant-Size Unbounded Multi-hop Fully Homomorphic Proxy Re-encryption from Lattices

Abstract

Proxy re-encryption is a cryptosystem that achieves efficient encrypted data sharing by allowing a proxy to transform a ciphertext encrypted under one key into another ciphertext under a different key. Homomorphic proxy re-encryption (HPRE) extends this concept by integrating homomorphic encryption, allowing not only the sharing of encrypted data but also the homomorphic computations on such data. The existing HPRE schemes, however, are limited to a single or bounded number of hops of ciphertext re-encryptions. To address this limitation, this paper introduces a novel lattice-based, unbounded multi-hop fully homomorphic proxy re-encryption (FHPRE) scheme, with constant-size ciphertexts. Our FHPRE scheme supports an unbounded number of re-encryption operations and enables arbitrary homomorphic computations over original, re-encrypted, and evaluated ciphertexts. Additionally, we propose a potential application of our FHPRE scheme in the form of a non-interactive, constant-size multi-user computation system for cloud computing environments.

A Homomorphic Gates Evaluation

In this section, we describe the basic logic gate functions that are compatible with the bootstrapping algorithm.

• NOT Gate The homomorphic NOT gate for \({\boldsymbol{{c}}}'\in \mathrm{\textsf {LWE}}_{\textbf{s}}^{4/q}(m, q/16)\) where \(m\in \{0,1\}\), is defined as: Let \({\boldsymbol{{c}}}'=(\textbf{a}',b')\), \((\textbf{a}, b)\) is computed by

  $$ \textsf {Eval.NOT}((\textbf{a}', b')) = (-\textbf{a}', \dfrac{q}{4}-b')\in \mathrm{\textsf {LWE}}_{\textbf{s}}^{4/q}(\lnot m, \dfrac{q}{16}).$$

  It satisfies: \(b-\textbf{a}\cdot \textbf{s}- \dfrac{q}{4}(1-m)=-e',\) with \(\left| -e'\right| <\dfrac{q}{16}\). No subsequent bootstrapping is needed for a NOT gate since there is no error increase.

• AND Gate The homomorphic AND gate for \({\boldsymbol{{c}}}_i\in \mathrm{\textsf {LWE}}_{\textbf{s}}^{4/q}(m_i, q/16)\), where \(i=0,1, m_i\in \{0,1\}\), is defined as: Let \({\boldsymbol{{c}}}_i=(\textbf{a}_i,b_i)\), \((\textbf{a}, b)\) is computed by

  $$\textsf {Eval.AND}((\textbf{a}_0, b_0), (\textbf{a}_1, b_1)) = (\textbf{a}_0+\textbf{a}_1, -\dfrac{q}{8}+b_0+b_1)\in \mathrm{\textsf {LWE}}_{\textbf{s}}^{2/q}(m_0 \wedge m_1, \dfrac{q}{4}).$$

  It satisfies: \(b-\textbf{a}\cdot \textbf{s}-\dfrac{q}{2}(m_0m_1)=\dfrac{q}{4}(m_0-m_1)^2+(e_0+e_1)-\dfrac{q}{8}=\pm \dfrac{q}{8}+(e_0+e_1),\) with \(\left| \pm \dfrac{q}{8}+(e_0+e_1)\right| <\dfrac{q}{4}\).

• OR Gate The homomorphic OR gate for \({\boldsymbol{{c}}}_i\in \mathrm{\textsf {LWE}}_{\textbf{s}}^{4/q}(m_i, q/16)\), where \(i=0,1, m_i\in \{0,1\}\), is defined as: Let \({\boldsymbol{{c}}}_i=(\textbf{a}_i,b_i)\), \((\textbf{a}, b)\) is computed by

  $$\textsf {Eval.OR}((\textbf{a}_0, b_0), (\textbf{a}_1, b_1)) = (\textbf{a}_0+\textbf{a}_1, \dfrac{q}{8}+b_0+b_1)\in \mathrm{\textsf {LWE}}_{\textbf{s}}^{2/q}(m_0\vee m_1, \dfrac{q}{4}).$$

  It satisfies: \(b-\textbf{a}\cdot \textbf{s}-\dfrac{q}{2}(m_0+m_1-m_0m_1)=-\dfrac{q}{4}(m_0-m_1)^2+(e_0+e_1)+\dfrac{q}{8}=\pm \dfrac{q}{8}+(e_0+e_1),\) with \(\left| \pm \dfrac{q}{8}+(e_0+e_1)\right| <\dfrac{q}{4}\).

• XOR Gate The homomorphic XOR gate for \({\boldsymbol{{c}}}_i\in \mathrm{\textsf {LWE}}_{\textbf{s}}^{4/q}(m_i, q/16)\), where \(i=0,1, m_i\in \{0,1\}\), is defined as: Let \({\boldsymbol{{c}}}_i=(\textbf{a}_i,b_i)\), \((\textbf{a}, b)\) is computed by

  $$\textsf {Eval.XOR}((\textbf{a}_0, b_0), (\textbf{a}_1, b_1)) = (2\textbf{a}_0+2\textbf{a}_1, 2b_0+2b_1)\in \mathrm{\textsf {LWE}}_{\textbf{s}}^{2/q}(m_0\oplus m_1, \dfrac{q}{4}).$$

  It satisfies: \(b-\textbf{a}\cdot \textbf{s}-\dfrac{q}{2}(m_0+m_1-2m_0m_1)=q(m_0m_1)+2(e_0+e_1),\) with \(\left| q(m_0m_1)+2(e_0+e_1)\right| <\dfrac{q}{4}\ (\textrm{mod}\ q)\).