<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE article  PUBLIC "-//NLM//DTD Journal Publishing DTD v3.0 20080202//EN" "http://dtd.nlm.nih.gov/publishing/3.0/journalpublishing3.dtd"><article xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" dtd-version="3.0" xml:lang="en" article-type="research article"><front><journal-meta><journal-id journal-id-type="publisher-id">JCC</journal-id><journal-title-group><journal-title>Journal of Computer and Communications</journal-title></journal-title-group><issn pub-type="epub">2327-5219</issn><publisher><publisher-name>Scientific Research Publishing</publisher-name></publisher></journal-meta><article-meta><article-id pub-id-type="doi">10.4236/jcc.2018.69005</article-id><article-id pub-id-type="publisher-id">JCC-87252</article-id><article-categories><subj-group subj-group-type="heading"><subject>Articles</subject></subj-group><subj-group subj-group-type="Discipline-v2"><subject>Computer Science&amp;Communications</subject></subj-group></article-categories><title-group><article-title>
 
 
  An Improved Multiple to One Fully Homomorphic Encryption on the Integers
 
</article-title></title-group><contrib-group><contrib contrib-type="author" xlink:type="simple"><name name-style="western"><surname>Chaoju</surname><given-names>Hu</given-names></name><xref ref-type="aff" rid="aff1"><sup>1</sup></xref></contrib><contrib contrib-type="author" xlink:type="simple"><name name-style="western"><surname>Jianwei</surname><given-names>Zhao</given-names></name><xref ref-type="aff" rid="aff1"><sup>1</sup></xref><xref ref-type="corresp" rid="cor1"><sup>*</sup></xref></contrib></contrib-group><aff id="aff1"><addr-line>School of Control &amp;amp; Computer Engineering, North China Electric Power University, Baoding, China</addr-line></aff><pub-date pub-type="epub"><day>04</day><month>09</month><year>2018</year></pub-date><volume>06</volume><issue>09</issue><fpage>50</fpage><lpage>59</lpage><history><date date-type="received"><day>20,</day>	<month>August</month>	<year>2018</year></date><date date-type="rev-recd"><day>9,</day>	<month>September</month>	<year>2018</year>	</date><date date-type="accepted"><day>12,</day>	<month>September</month>	<year>2018</year></date></history><permissions><copyright-statement>&#169; Copyright  2014 by authors and Scientific Research Publishing Inc. </copyright-statement><copyright-year>2014</copyright-year><license><license-p>This work is licensed under the Creative Commons Attribution International License (CC BY). http://creativecommons.org/licenses/by/4.0/</license-p></license></permissions><abstract><p>
 
 
  The public key of the integer homomorphic encryption scheme which was proposed by Van Dijk 
  <em>et al</em>. is long, so the scheme is almost impossible to use in practice. By studying the scheme and Coron’s public key compression technique, a scheme which is able to encrypt n bits plaintext once was obtained. The scheme improved the efficiency of the decrypting party and increased the number of encrypting parties, so it meets the needs of cloud computing better. The security of the scheme is based on the approximate GCD problem and the sparse-subset sum problem.
 
</p></abstract><kwd-group><kwd>Fully Homomorphic Encryption</kwd><kwd> Multipart to One Fully Homomorphism Encryption</kwd><kwd> Approximate GCD Problem</kwd><kwd> Sparse-Subset Sum Problem</kwd></kwd-group></article-meta></front><body><sec id="s1"><title>1. Introduction</title><p>Full homomorphic encryption (FHE) was proposed by Rivest, Adleman, and Dertouzos in 1978 [<xref ref-type="bibr" rid="scirp.87252-ref1">1</xref>] . This encryption method can perform operations on ciphertext. After decryption, the same operation is performed on the corresponding plaintext. The results are consistent. With such characteristics, the data can be encrypted and handed over to the cloud for processing, which not only utilizes the computing power of the cloud, but also reduces the amount of local computing and ensures the security of the data [<xref ref-type="bibr" rid="scirp.87252-ref2">2</xref>] [<xref ref-type="bibr" rid="scirp.87252-ref3">3</xref>] .</p><p>To this end, many scholars have studied how to construct a homomorphic encryption scheme, and proposed a variety of encryption schemes that satisfy partial homomorphism [<xref ref-type="bibr" rid="scirp.87252-ref4">4</xref>] - [<xref ref-type="bibr" rid="scirp.87252-ref9">9</xref>] . In 2009, Gentry et al. [<xref ref-type="bibr" rid="scirp.87252-ref10">10</xref>] proposed the first true homomorphic encryption scheme based on the ideal lattice on a polynomial ring, but because it is too complicated and inefficient, it has larger difficulty in practical applications. In 2010, Dijk et al. [<xref ref-type="bibr" rid="scirp.87252-ref11">11</xref>] improved the above ideal lattice scheme and proposed an integer homomorphic encryption scheme, namely the DGHV scheme. The public key size of this scheme is O ˜ ( λ 10 ) . In 2011, Coron et al. [<xref ref-type="bibr" rid="scirp.87252-ref12">12</xref>] optimized the DGHV scheme. For the problem of the large number of public keys in the DGHV scheme, a scheme for generating public key integers in quadratic form was proposed, which shortened the public key length to O ˜ ( λ 7 ) . The following year, Coron et al. [<xref ref-type="bibr" rid="scirp.87252-ref13">13</xref>] proposed a “public key compression technique” for the problem of excessive public key elements in the DGHV scheme, shortening the public key length to O ˜ ( λ 5 ) .</p><p>Through comparison and research, it is found that the above schemes are composed of one encryption party and also a single decryption party, which is difficult to meet the problem of multi-party interaction in the cloud computing environment. In view of the above problems, this paper studies Coron’s public key compression technology, shortens the size of the public key, expands the plaintext space in the scheme to n bits, and expands the number of encryption parties to achieve multiple encryption methods. A solution composed of a decryption party is more in line with the application needs of actual scenarios such as cloud computing. The public key size of this scheme is O ˜ ( λ 5 ) .</p></sec><sec id="s2"><title>2. Basic Symbols and Concepts</title><sec id="s2_1"><title>2.1. Fully Homomorphic Encryption</title><p>A compact encryption scheme E encrypts the plaintext according to the encryption method in scheme E. After the obtained ciphertext is arbitrarily operated, the result is decrypted and the result is the same as the plaintext, and the scheme E is fully homomorphic Encryption scheme. Expressed as a mathematical formula as:</p><p>D e c [ f ( E n c ( m 1 ) , E n c ( m 2 ) , ⋯ , E n c ( m n ) ) ] = f ( m 1 , m 2 , ⋯ , m n )</p><p>Enc is an encryption algorithm, Dec is a decryption algorithm, f is an arbitrary function, c<sub>n</sub> is ciphertext, and m<sub>n</sub> is plaintext.</p><p>In general, a fully homomorphic encryption algorithm consists of four parts:</p><p>Key generation algorithm KeyGen (λ): Generate public key pk, private key sk.</p><p>Encryption algorithm Encrypt (pk, m): encrypts the plaintext m with the public key pk to obtain the ciphertext c.</p><p>Decryption algorithm Decrypt (sk, c): Decrypt the ciphertext c with the private key sk to obtain the plaintext m.</p><p>The ciphertext calculation algorithm Evaluates ( p k , f , c 1 , c 2 , ⋯ , c n ) : the operation of the ciphertext should satisfy:</p><p>D e c [ f ( E n c ( m 1 ) , E n c ( m 2 ) , ⋯ , E n c ( m n ) ) ] = f ( m 1 , m 2 , ⋯ , m n )</p></sec><sec id="s2_2"><title>2.2. DGHV Program</title><p>In 2010, Dijk, Gentry et al. proposed an integer homomorphic encryption scheme, namely the DGHV scheme, which is no longer based on ideal lattices but on modular operations on integers.</p><p>The encryption algorithm of the DGHV scheme is</p><p>c ← m + 2 r + p q</p><p>where c is ciphertext, m is plaintext, r is random noise interference, p is a private key, and q is a large positive integer generated during the key generation phase.</p><p>The decryption algorithm is</p><p>( c mod p ) mod 2 = ( c − p ∗ c p ) mod 2 = L s b ( c ) x o r L s b (cp)</p><p>The public key size of this scheme is O ˜ ( λ 10 ) .</p><p>In order to ensure security, the approximate maximum common divisor problem is introduced. In the encryption process, some ciphertext x i encrypted by 0, { x i : x i = r i + p q } is added, then reorder x i so that x 0 is the largest and x 0 is odd. ( x 0 mod p ) is an even number, then the public key p k = ( x 0 , x 1 , ⋯ , x τ ) . When encrypting, a subset of the set is randomly added to the ciphertext, and the encryption algorithm is</p><p>c ← ( m + 2 r + ∑ 1 ≤ i ≤ τ x i ) mod x 0 .</p><p>The addition of the approximate greatest common divisor problem means that the attack on the program is due to an attack on the approximate greatest common divisor problem, so the scheme is safe [<xref ref-type="bibr" rid="scirp.87252-ref14">14</xref>] .</p></sec><sec id="s2_3"><title>2.3. Many-to-One Homomorphic Encryption</title><p>The many-to-one fully homomorphic encryption scheme [<xref ref-type="bibr" rid="scirp.87252-ref15">15</xref>] contains a plurality of encryption parties P i ( i = 1 , 2 , ⋯ , n ) and a decryption party P. The plaintext space is M, the public-private key pair ( p k i , s k i ) of the encrypting party, and the public-private key pair ( p k , s k ) of the decrypting party. And the encryption algorithm E(⋅) and the corresponding decryption algorithm D(⋅). In this model, the plaintext m i ∈ M of the encryption side, the generated ciphertext c i is m i encrypted by p k i , and needs to satisfy the following properties, where ⊕ denotes the operator, i ≠ j :</p><p>1) Both the encrypting party and the decrypting party can use their own private key to decrypt the message encrypted by their own public key, i.e.</p><p>D s k i ( E p k i ( m i ) ) = m i , D s k ( E p k ( m ) ) = m .</p><p>2) The encrypting party i cannot use its own private key s k i to decrypt the message encrypted by the encrypting party j with its own public key p k j , that is,</p><p>D s k i ( E p k j ( m j ) ) ≠ m j .</p><p>3) The message encrypted by the encrypting party i with its own public key p k i can be decrypted by the decrypting party P with its own private key sk, that is,</p><p>D s k ( E p k i ( m i ) ) = m i .</p><p>4) Different messages encrypted by the encrypting party i with its own public key p k i have homomorphism under the operation of the decrypting party P, that is,</p><p>D s k ( E p k i ( m 1 ⊕ m 2 ) ) = D s k ( E p k i ( m 1 ) ⊕ E p k i ( m 2 ) ) .</p><p>5) Different messages encrypted by different encrypting party i and encrypting party j have homomorphism under the operation of decrypting party P, that is,</p><p>D s k ( E p k i ( m 1 ) ⊕ E p k j ( m 2 ) ) = D s k ( E p k ( m 1 ⊕ m 2 ) ) .</p></sec></sec><sec id="s3"><title>3. Improved N-Bit “One-to-One” Homomorphic Encryption Scheme</title><p>The DGHV scheme can only encrypt 1 bit of plaintext at a time, and the size of the public key element is too large. This section extends the plaintext space to n bits, and uses the public key compression technique to improve the key generation algorithm, using pseudo-random number generation. The f and the seed se generate a set of integers χ i having the same number of bits as x i , so that it is not necessary to store the large integer x i , and it is only necessary to store the difference between χ i and x i as a public key element.</p><sec id="s3_1"><title>3.1. Program Establishment</title><p>KeyGen: randomly generate a large prime number p ∈ [ 2 η − 1 , 2 η ) of length η bits, and calculate x 0 = q 0 ⋅ p , where q 0 ∈ [ 0 , 2 γ / p ) is a random odd number. Initialize the pseudo-random number generator f and the seed se, and generate τ integers by using f ( s e ) , that is, χ 1 , χ 2 , ⋯ , χ τ , and calculate</p><p>δ i = ( χ i mod p ) + ξ i ⋅ p − r i , 1 ≤ i ≤ τ ,</p><p>where r i ∈ Z ∩ ( − 2 ρ , 2 ρ ) , ξ i ∈ Z ∩ [ 0 , 2 λ + η / p ) . Then x i = χ i − δ i . The public key p k = ( s e , x 0 , δ 1 , δ 2 , ⋯ , δ τ ) , private key s k = p .</p><p>Encrypt: Randomly select the integer vector b = ( b i ) 1 ≤ i ≤ τ ∈ [ 0 , 2 α ) τ , randomly select the integer r ∈ Z ∩ ( − 2 ρ ′ , 2 ρ ′ ) , ciphertext</p><p>c ← ( m + 2 n ⋅ r + 2 n ⋅ ∑ 1 ≤ i ≤ τ b i ⋅ x i ) mod x 0 .</p><p>Decrypt: m ← ( c mod p ) mod 2 n .</p><p>In order to ensure the security of the scheme, the parameters in the above method need to meet the following restrictions: to resist violent attacks, select ρ = ω ( log λ ) ; in order to make the compressed decryption circuit belong to the permissible circuit, select η ≥ ρ ⋅ Θ ( λ log 2 λ ) ; to resist the lattice-based attack, choose γ = ω ( η 2 ⋅ log λ ) ; apply the residual hash theorem to the approximation of the approximate GCD problem, choose α ⋅ τ ≥ γ + ω ( log λ ) ; To ensure correct decryption of ciphertext, select η ≥ ρ + α + 2 + log 2 τ ; second noise parameter ρ ′ = ρ + α + ω ( log λ ) . In this scheme, the parameters take ρ = λ , η = O ˜ ( λ 2 ) , γ = O ˜ ( λ 5 ) , τ = O ˜ ( λ 3 ) , α = O ˜ ( λ 2 ) , ρ ′ = O ˜ ( λ 2 ) .</p></sec><sec id="s3_2"><title>3.2. Proof of Correctness</title><p>( c mod p ) mod 2 n = [ ( m + 2 n ⋅ r + 2 n ⋅ ∑ 1 ≤ i ≤ τ b i ⋅ x i ) mod p ] mod 2 n = [ ( m + 2 n ⋅ r + 2 n ⋅ ∑ 1 ≤ i ≤ τ b i ⋅ ( χ i − δ i ) ) mod p ] mod 2 n</p><p>In which</p><p>( χ i − δ i ) mod p = ( χ i − ( χ i mod p ) − ξ i ⋅ p + r i ) mod p = { [ χ i − ( χ i mod p ) ] mod p − [ ξ i ⋅ p ] mod p + r i } mod p = ( 0 − 0 + r i ) mod p = r i</p><p>So the original</p><p>( c mod p ) mod 2 n = ( m + 2 n ⋅ r + 2 n ⋅ ∑ 1 ≤ i ≤ τ b i ⋅ r i ) mod 2 n = m</p></sec><sec id="s3_3"><title>3.3. Test of Homomorphism</title><p>There are ciphertext c 1 = m 1 + 2 n ⋅ r 1 + 2 n ⋅ ∑ 1 ≤ i ≤ τ b i ⋅ x i and ciphertext c 2 = m 2 + 2 n ⋅ r 2 + 2 n ⋅ ∑ 1 ≤ i ≤ τ b j ⋅ x j , then</p><p>[ ( c 1 + c 2 ) mod p ] mod 2 n = ( ( ( m 1 + m 2 ) + 2 n ⋅ ( r 1 + r 2 ) + 2 n ⋅ ( ∑ 1 ≤ i ≤ τ b i ⋅ x i + ∑ 1 ≤ j ≤ τ b j ⋅ x j ) ) mod p ) mod 2 n = ( ( m 1 + m 2 ) + 2 n ⋅ ( r 1 + r 2 ) + 2 n ⋅ ( ∑ 1 ≤ i ≤ τ b i ⋅ r i + ∑ 1 ≤ j ≤ τ b j ⋅ r j ) ) mod 2 n = m 1 + m 2</p><p>[ ( c 1 c 2 ) mod p ] mod 2 n = ( ( ( m 1 + 2 n ⋅ r 1 ) ( m 2 + 2 n ⋅ r 2 ) + ( m 1 + 2 n ⋅ r 1 ) ( 2 n ⋅ ∑ 1 ≤ j ≤ τ b j ⋅ x j )       + ( 2 n ⋅ ∑ 1 ≤ i ≤ τ b i ⋅ x i ) ( m 2 + 2 n ⋅ r 2 ) + ( 2 n ⋅ ∑ 1 ≤ i ≤ τ b i ⋅ x i ) ( 2 n ⋅ ∑ 1 ≤ j ≤ τ b j ⋅ x j ) ) mod p ) mod 2 n</p><p>= ( ( m 1 + 2 n ⋅ r 1 ) ( m 2 + 2 n ⋅ r 2 ) + ( m 1 + 2 n ⋅ r 1 ) ( 2 n ⋅ ∑ 1 ≤ j ≤ τ b j ⋅ r j )       + ( 2 n ⋅ ∑ 1 ≤ i ≤ τ b i ⋅ r i ) ( m 2 + 2 n ⋅ r 2 ) + ( 2 n ⋅ ∑ 1 ≤ i ≤ τ b i ⋅ r i ) ( 2 n ⋅ ∑ 1 ≤ j ≤ τ b j ⋅ r j ) ) mod 2 n = ( ( m 1 + 2 n ⋅ r 1 ) ( m 2 + 2 n ⋅ r 2 ) ) mod 2 n = m 1 m 2</p></sec></sec><sec id="s4"><title>4. Improved N-Bit “Many-to-One” Fully Homomorphic Encryption Scheme</title><p>Based on the scheme given in Section 3.1, this section changes the key generation algorithm, expands the number of encryption parties, and gives a “many-to-one” fully homomorphic encryption scheme for processing n-bit plaintext, and corrects it. Sex and homomorphism have been proved.</p><sec id="s4_1"><title>4.1. Program Establishment</title><p>KeyGen: There are multiple encryption parties P i ( i = 1 , 2 , ⋯ , n ) and one decryption party P in this scheme. The decryption party P generates the public key p k = ( s e , x 0 , δ 1 , δ 2 , ⋯ , δ τ ) from the 3.1 scheme, the encryption side P i ( i = 1 , 2 , ⋯ , n ) selects the integer p i ∈ [ 2 η i − 1 , 2 η i ) ∩ ( 2 Z + 1 ) as its own key s k i , then change the order of ( δ 1 , δ 2 , ⋯ , δ τ ) in the public key randomly to obtain p k &#175; = ( s e , x 0 , δ 1 &#175; , δ 2 &#175; , ⋯ , δ τ &#175; ) , and then randomly selected integer</p><p>q i , 0 , ⋯ , q i , τ ∈ Z ∩ [ 0 , 2 γ i p i ) ,</p><p>randomly select integer r i , 0 , ⋯ , r i , τ ∈ Z ∩ [ − 2 ρ i , 2 ρ i ] , such that</p><p>x i , j = χ i , j − δ i , j = p i q i , j ( χ j − δ j &#175; ) + 2 n r i , j , 1 ≤ j ≤ τ i , x i , 0 = p i q i , 0 x 0 + 2 n r i , 0 ,</p><p>and x i , 0 is the largest. Then the public key of P i is</p><p>p k i = ( s e , x 0 , x i , 0 , δ i , 1 , δ i , 2 , ⋯ , δ i , τ i ) .</p><p>Encrypt: Encryption party P i randomly selects the integer vector</p><p>b i = ( b i , j ) 1 ≤ j ≤ τ i ∈ [ 0 , 2 α ) τ i ,</p><p>randomly selects integer s i ∈ Z ∩ ( − 2 ρ i , 2 ρ i ) , ciphertext</p><p>c i ← ( m + 2 n ⋅ s i + 2 n ⋅ ∑ 1 ≤ j ≤ τ i b i , j ⋅ x i , j ) mod x i , 0 .</p><p>Decrypt: The encryption party P i can decrypt s k i = p i according to s k i = p i ; the decryption party P can decrypt m i ← ( c i mod p ) mod 2 n according to s k = p .</p></sec><sec id="s4_2"><title>4.2. Proof of Correctness</title><p>1) ( p k , s k ) is the public-private key pair generated by P. It can be seen from 3.2 that P can perform correct encryption and decryption.</p><p>2) P i can correctly decrypt c i using the key s k i = p i prove:</p><p>c i = ( m i + 2 n ⋅ s i + 2 n ⋅ ∑ 1 ≤ j ≤ τ i b i , j ⋅ x i , j ) mod x i , 0</p><p>Since x i , 0 is the largest, it can be written as</p><p>c i = m i + 2 n ⋅ s i + 2 n ⋅ ∑ 1 ≤ j ≤ τ i b i , j ⋅ x i , j + k i ⋅ x i , 0 = m i + 2 n ⋅ s i + 2 n ⋅ ∑ 1 ≤ j ≤ τ i b i , j ⋅ ( p i q i , j ( χ j − δ j &#175; ) + 2 n r i , j ) + k i ⋅ ( p i q i , 0 x 0 + 2 n r i , 0 )</p><p>Finishing can get c i = m i + 2 n A + p i B , where</p><p>A = s i + ∑ 1 ≤ j ≤ τ i b i , j ⋅ 2 n r i , j + k i r i , 0 , B = 2 n ⋅ ∑ 1 ≤ j ≤ τ i b i , j ⋅ q i , j ( χ j − δ j &#175; ) + k i q i , 0 x 0 .</p><p>According to the defined parameters, m i + 2 n A &lt; p i , then</p><p>( c i mod p i ) mod 2 n = m i .</p><p>So P i can correctly decrypt c i using the key s k i = p i .</p><p>3) P can correctly decrypt c i using the key s k = p prove:</p><p>As can be seen from 2),</p><p>c i = m i + 2 n ( s i + ∑ 1 ≤ j ≤ τ i b i , j ⋅ 2 n r i , j + k i r i , 0 ) + p i ( 2 n ⋅ ∑ 1 ≤ j ≤ τ i b i , j ⋅ q i , j ( χ j − δ j &#175; ) + k i q i , 0 x 0 )</p><p>According to 3.2, ( χ j − δ j &#175; ) mod p = r j , χ j − δ j &#175; can be written as r j + l j ⋅ p , l j ∈ Z , and x 0 = q 0 ⋅ p , so it is sorted into: c i = m i + 2 n A + p B , where</p><p>A = s i + ∑ 1 ≤ j ≤ τ i b i , j ⋅ ( 2 n r i , j + p i ⋅ q i , j ⋅ r j ) + k i r i , 0 ,</p><p>B = p i ⋅ 2 n ∑ 1 ≤ j ≤ τ i b i , j ⋅ q i , j ⋅ l j + k i q i , 0 q 0 .</p><p>According to the defined parameters, m i + 2 n A &lt; p , then ( c i mod p ) mod 2 n = m i . So P can correctly decrypt c i using the key s k = p .</p></sec><sec id="s4_3"><title>4.3. Test of Homomorphism</title><p>1) P has the homomorphism of the decrypted ciphertext. Proof from 3.3 is known.</p><p>2) The encrypting party P i has homomorphism to the encrypted ciphertext. Proof: From 4.2 (2), c i = m i + 2 n A + p i B , with ciphertext c i , 1 = m i , 1 + 2 n A 1 + p i B 1 and ciphertext c i , 2 = m i , 2 + 2 n A 2 + p i B 2 , then</p><p>( ( c i , 1 + c i , 2 ) mod p i ) mod 2 n = ( ( m i , 1 + 2 n A 1 + p i B 1 + m i , 2 + 2 n A 2 + p i B 2 ) mod p i ) mod 2 n = ( ( m i , 1 + m i , 2 + 2 n ( A 1 + A 2 ) + p i ( B 1 + B 2 ) ) mod p i ) mod 2 n = m i , 1 + m i , 2</p><p>( ( c i , 1 c i , 2 ) mod p i ) mod 2 n = ( ( m i , 1 + 2 n A 1 + p i B 1 ) ( m i , 2 + 2 n A 2 + p i B 2 ) mod p i ) mod 2 n = ( ( m i , 1 m i , 2 + 2 n ( m i , 1 A 2 + A 1 m i , 2 + A 1 2 n A 2 )       + p i ( m i , 1 B 2 + 2 n A 1 B 2 + B 1 ( m i , 2 + 2 n A 2 + p i B 2 ) ) ) mod p i ) mod 2 n = m i , 1 m i , 2</p><p>Therefore, P i has homomorphism to the encrypted ciphertext.</p><p>3) The decryption party P has homomorphism to the encrypted ciphertext. Proof: From 4.2 (3), c i = m i + 2 n A + p B , with ciphertext c i , 1 = m i , 1 + 2 n A 1 + p B 1 and ciphertext c i , 2 = m i , 2 + 2 n A 2 + p B 2 , the</p><p>( ( c i , 1 + c i , 2 ) mod p ) mod 2 n = ( ( m i , 1 + 2 n A 1 + p B 1 + m i , 2 + 2 n A 2 + p B 2 ) mod p ) mod 2 n = ( ( m i , 1 + m i , 2 + 2 n ( A 1 + A 2 ) + p ( B 1 + B 2 ) ) mod p ) mod 2 n = m i , 1 + m i , 2</p><p>( ( c i , 1 c i , 2 ) mod p ) mod 2 n = ( ( m i , 1 + 2 n A 1 + p B 1 ) ( m i , 2 + 2 n A 2 + p B 2 ) mod p ) mod 2 n = ( ( m i , 1 m i , 2 + 2 n ( m i , 1 A 2 + A 1 m i , 2 + A 1 2 n A 2 )       + p ( m i , 1 B 2 + 2 n A 1 B 2 + B 1 ( m i , 2 + 2 n A 2 + p B 2 ) ) ) mod p ) mod 2 n = m i , 1 m i , 2</p><p>Therefore, the decryption party P has homomorphism to the encrypted ciphertext.</p><p>4) The decryption party P has homomorphism for different encryption parties P i and the ciphertext of the encryption party P j . Proof: From 4.2 (3), c i = m i + 2 n A + p B , with ciphertext c i = m i + 2 n A i + p B j and ciphertext c j = m j + 2 n A j + p B j , then</p><p>( ( c i + c j ) mod p ) mod 2 n = ( ( m i + 2 n A i + p B i + m j + 2 n A j + p B j ) mod p ) mod 2 n = ( ( m i + m j + 2 n ( A i + A j ) + p ( B i + B j ) ) mod p ) mod 2 n = m i + m j</p><p>( ( c i c j ) mod p ) mod 2 n = ( ( m i + 2 n A i + p B j ) ( m j + 2 n A j + p B j ) mod p ) mod 2 n = ( ( m i m j + 2 n ( m i A j + A i m j + A i 2 n A j )       + p ( m i B j + 2 n A i B j + B i ( m j + 2 n A j + p B j ) ) ) mod p ) mod 2 n = m i m j</p><p>Therefore, the decryption party P has homomorphism to different encryption parties P i and the ciphertext of the encryption party P j .</p></sec><sec id="s4_4"><title>4.4. Compression and Decryption Circuit</title><p>In order to avoid excessive noise generated during the encryption process and affect the correctness of the homomorphic operation, the ciphertext needs to be re-encrypted, and the condition of re-encryption is that the decryption circuit can be operated in the Evaluate algorithm. This requires that the depth of the decryption circuit is less than the maximum depth allowed by the Evaluate algorithm. Therefore, the decryption circuit needs to be compressed to preprocess some of the calculations in the decryption circuit.</p><p>KeyGen: With the KeyGen algorithm in Section 4.1, generate</p><p>p k i * = ( s e , x 0 , x i , 0 , δ i , 1 , δ i , 2 , ⋯ , δ i , τ i ) .</p><p>On the basis of this, add three parameters κ , θ , Θ , and randomly generate a bit vector s = ( s i , 1 , s i , 2 , ⋯ , s i , Θ ) with length Θ .Its Hamming weight is θ .</p><p>The pseudo random number generator f 2 and the seed s e 2 are initialized, and an integer u i , j ∈ [ 0 , 2 κ + 1 ) , 2 ≤ j ≤ Θ is generated by using f 2 ( s e 2 ) .</p><p>∑ 1 ≤ j ≤ Θ s i , j ⋅ u i , j = x p i mod 2 κ + 1 ,</p><p>where x p i = ⌈2<sup>κ</sup>/p<sub>i</sub>⌋. Let y i , j = u i , j / 2 κ .</p><p>Initialize pseudo-random number generator f 3 and seed s e 3 , use f 3 ( s e 3 ) to generate integer χ ′ i , j ∈ [ 0 , 2 γ i ) , and randomly generate integer r ′ i , j ∈ ( − 2 ρ i , 2 ρ i ) , <inline-formula><inline-graphic xlink:href="/html.scirp.org/file/5-1730893x175.png" xlink:type="simple"/></inline-formula>, calculate</p><p><inline-formula><inline-graphic xlink:href="/html.scirp.org/file/5-1730893x176.png" xlink:type="simple"/></inline-formula>,</p><p>then the result of the vector s is encrypted<inline-formula><inline-graphic xlink:href="/html.scirp.org/file/5-1730893x177.png" xlink:type="simple"/></inline-formula>. The public key<inline-formula><inline-graphic xlink:href="/html.scirp.org/file/5-1730893x178.png" xlink:type="simple"/></inline-formula>, and the private key<inline-formula><inline-graphic xlink:href="/html.scirp.org/file/5-1730893x179.png" xlink:type="simple"/></inline-formula>.</p><p>Encrypt: Encrypt the plaintext <inline-formula><inline-graphic xlink:href="/html.scirp.org/file/5-1730893x180.png" xlink:type="simple"/></inline-formula> with an encryption algorithm to obtain the ciphertext<inline-formula><inline-graphic xlink:href="/html.scirp.org/file/5-1730893x181.png" xlink:type="simple"/></inline-formula>, and find<inline-formula><inline-graphic xlink:href="/html.scirp.org/file/5-1730893x182.png" xlink:type="simple"/></inline-formula>. The ciphertext <inline-formula><inline-graphic xlink:href="/html.scirp.org/file/5-1730893x183.png" xlink:type="simple"/></inline-formula> and the extended ciphertext <inline-formula><inline-graphic xlink:href="/html.scirp.org/file/5-1730893x184.png" xlink:type="simple"/></inline-formula> are the output.</p><p>Decrypt: Decrypt, output secret civilization</p><p><inline-formula><inline-graphic xlink:href="/html.scirp.org/file/5-1730893x185.png" xlink:type="simple"/></inline-formula>.</p><p>This results in a fully homomorphic encryption scheme.</p></sec></sec><sec id="s5"><title>5. Conclusion</title><p>Based on the DGHV scheme and the public key compression technology of Coron et al., this paper improves the encryption process, expands the number of encryption parties, and builds a multi-party encryption with a smaller public key size. The integer-homomorphic encryption scheme can encrypt the n-bit plaintext at a time, which is more in line with the needs of practical applications such as cloud computing. Whether it can further reduce the amount of calculation, whether it can achieve “multi-party encryption, multi-party decryption” will be the direction that will be improved in the future.</p></sec><sec id="s6"><title>Conflicts of Interest</title><p>The authors declare no conflicts of interest regarding the publication of this paper.</p></sec><sec id="s7"><title>Cite this paper</title><p>Hu, C.J. and Zhao, J.W. (2018) An Improved Multiple to One Fully Homomorphic Encryption on the Integers. Journal of Computer and Communications, 6, 50-59. https://doi.org/10.4236/jcc.2018.69005</p></sec></body><back><ref-list><title>References</title><ref id="scirp.87252-ref1"><label>1</label><mixed-citation publication-type="other" xlink:type="simple">Rivest, R.L., Adleman, L. and Dertouzos, M.L. (1978) On Data Banks and Privacy Homomorphisms. In: Foundations of Secure Computation, Academia Press, Ghent, 169-179.</mixed-citation></ref><ref id="scirp.87252-ref2"><label>2</label><mixed-citation publication-type="other" xlink:type="simple">Chen, Z.-G., Wang, J. and Song, X.-X. (2014) Survey on Fully Homomorphic Encryption. Application Research of Computers, 31, 1624-1631.</mixed-citation></ref><ref id="scirp.87252-ref3"><label>3</label><mixed-citation publication-type="other" xlink:type="simple">Lin, C., Su, W.-B., Meng, K., Liu, Q. and Liu, W.-D. (2013) Cloud Computing Security: Architecture, Mechanism and Modeling. Chinese Journal of Computers, 36, 1765-1784.</mixed-citation></ref><ref id="scirp.87252-ref4"><label>4</label><mixed-citation publication-type="journal" xlink:type="simple"><name name-style="western"><surname>Elgamal</surname><given-names> T. </given-names></name>,<etal>et al</etal>. (<year>1984</year>)<article-title>A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms</article-title><source> IEEE Transactions on Information Theory</source><volume> 31</volume>,<fpage> 469</fpage>-<lpage>472</lpage>.<pub-id pub-id-type="doi"></pub-id></mixed-citation></ref><ref id="scirp.87252-ref5"><label>5</label><mixed-citation publication-type="other" xlink:type="simple">Fellows, M.R. and Koblitz, N. (1994) Combinatorial Cryptosystems Galore! Contemporary Mathematics, 168, 51-62. https://doi.org/10.1090/conm/168/01688</mixed-citation></ref><ref id="scirp.87252-ref6"><label>6</label><mixed-citation publication-type="other" xlink:type="simple">Benaloh, J. (1994) Dense Probabilistic Encryption. Proceedings of the Workshop on Selected Areas of Cryptography, Kingston, 1994, 120-128.</mixed-citation></ref><ref id="scirp.87252-ref7"><label>7</label><mixed-citation publication-type="book" xlink:type="simple">Okamoto, T. and Uchiyama, S. (1998) A New Public-Key Cryptosystem as Secure as Factoring. In: Nyberg, K., Ed., International Conference on the Theory and Applications of Cryptographic Techniques, Springer, Berlin, Heidelberg, 308-318.</mixed-citation></ref><ref id="scirp.87252-ref8"><label>8</label><mixed-citation publication-type="other" xlink:type="simple">Naccache, D. and Stern, J. (1998) A New Public Key Cryptosystem Based on Higher Residues. Proceedings of the 5th ACM Conference on Computer and Communications Security, San Francisco, CA, USA, 2-5 November 1998, 59-66.  
https://doi.org/10.1145/288090.288106</mixed-citation></ref><ref id="scirp.87252-ref9"><label>9</label><mixed-citation publication-type="other" xlink:type="simple">Damgard, I. and Jurik, M. (2001) A Generalisation, a Simplication and Some Applications of Paillier’s Probabilistic Public-Key System. In: International Workshop on Practice and Theory in Public Key Cryptography: Public Key Cryptography, Springer-Verlag, Berlin, 119-136.</mixed-citation></ref><ref id="scirp.87252-ref10"><label>10</label><mixed-citation publication-type="other" xlink:type="simple">Gentry, C. (2009) Fully Homomorphic Encryption Using Ideal Lattices. ACM Symposium on Theory of Computing, STOC 2009, Bethesda, MD, USA, 31 May-2 June 2009, 169-178.</mixed-citation></ref><ref id="scirp.87252-ref11"><label>11</label><mixed-citation publication-type="other" xlink:type="simple">Dijk, M.V., Gentry, C., Halevi, S., et al. (2010) Fully Homomorphic Encryption over the Integers. Lecture Notes in Computer Science, 6110, 24-43.  
https://doi.org/10.1007/978-3-642-13190-5_2</mixed-citation></ref><ref id="scirp.87252-ref12"><label>12</label><mixed-citation publication-type="book" xlink:type="simple">Coron, J.S., Mandal, A., Naccache, D., et al. (2011) Fully Homomorphic Encryption over the Integers with Shorter Public Keys. In: Rogaway, P., Ed., CRYPTO 2011. LNCS, Vol. 6841, 487-504.</mixed-citation></ref><ref id="scirp.87252-ref13"><label>13</label><mixed-citation publication-type="book" xlink:type="simple">Coron, J., Naccache, D. and Tibouchi, M. (2012) Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers. In: David, P. and Thomas, J., Eds., Advances in Cryptology-EUROCRYPT 2012, Springer, Berlin, Heidelberg, 446-464.</mixed-citation></ref><ref id="scirp.87252-ref14"><label>14</label><mixed-citation publication-type="other" xlink:type="simple">Tang, Q.-Y. and Ma, C.-G. (2014) Feedback Attack against Fully Homomorphic Encryption System. Computer Engineering, 40, 79-84.</mixed-citation></ref><ref id="scirp.87252-ref15"><label>15</label><mixed-citation publication-type="other" xlink:type="simple">Xia, C. (2013) Research of Homomorphic Encryption Technology and Application. Anhui University, Hefei.</mixed-citation></ref></ref-list></back></article>