Research ArticleHomomorphic Evaluation of the Integer ArithmeticOperations for Mobile Edge Computing

Changqing Gong 1 Mengfei Li 1 Liang Zhao 1 Zhenzhou Guo1 and Guangjie Han 2

1School of Computer Science and Technology Shenyang Aerospace University Shenyang 110136 China2Laboratory for Ubiquitous Network and Service Software of Liaoning Province School of SoftwareDalian University of Technology Dalian 116024 China

Correspondence should be addressed to Liang Zhao lzhaosaueducn

Received 26 September 2018 Accepted 31 October 2018 Published 15 November 2018

Guest Editor Mianxiong Dong

Copyright copy 2018 Changqing Gong et al This is an open access article distributed under the Creative Commons AttributionLicense which permits unrestricted use distribution and reproduction in any medium provided the original work is properlycited

With the rapid development of the 5G network and Internet of Things (IoT) lots of mobile and IoT devices generate massiveamounts of multisource heterogeneous data Effective processing of such data becomes an urgent problem However traditionalcentralised models of cloud computing are challenging to process multisource heterogeneous data effectively Mobile edgecomputing (MEC) emerges as a new technology to optimise applications or cloud computing systems However the features ofMEC such as content perception real-time computing and parallel processing make the data security and privacy issues that existin the cloud computing environment more prominent Protecting sensitive data through traditional encryption is a very securemethod but this will make it impossible for the MEC to calculate the encrypted data The fully homomorphic encryption (FHE)overcomes this limitation FHE can be used to compute ciphertext directlyTherefore we propose a ciphertext arithmetic operationthat implements data with integer homomorphic encryption to ensure data privacy and computability Our scheme refers to theinteger operation rules of complement addition subtraction multiplication and division First we use Boolean polynomials (BP)of containing logical AND XOR operations to represent the rulers Second we convert the BP into homomorphic polynomials(HP) to perform ciphertext operations Then we optimise our schemeWe divide the ciphertext vector of integer encryption intosubvectors of length 2 and increase the length of private key of FHE to support the 3-multiplication level additional We test ouroptimised scheme in DGHV and CMNT In the number of ciphertext refreshes the optimised scheme is reduced by 23 comparedto the original scheme and the time overhead of our scheme is reduced by 13 We also examine our scheme in CNT of withoutbootstrapping The time overhead of optimised scheme over DGHV and CMNT is close to the original scheme over CNT

1 Introduction

With the rapid development of the 5G network and InternetofThings (IoT)mobile devices and IoTdevices aremore con-venient to access the internet and generate massive amountsof data Since these data come from edge network devicestraditional centralised cloud computing models are difficultto process these multisource heterogeneous data quickly andefficiently If we migrate some of the features of cloud com-puting to an edge network as [1ndash3] it will be beneficial to datacollection and calculation Thereforemobile edge computing(MEC) emerges as the above requires Edge computing [4]is a method of optimizing applications or cloud computingsystems by taking some portion of an application its data or

services away from one or more central nodes (the ldquocorerdquo) tothe other logical extreme (the ldquoedgerdquo) of the internet whichcontacts with the physical world or end users In one visionof this architecture specifically for IoT devices data comes infrom the physical world via various sensors and actions aretaken to change physical state via various forms of output andactuators by performing analytics and knowledge generationat the edge communications bandwidth between systemsunder control and the central data centre is reduced TheMEC is to put any computer program that needs low latencynearer to the requests in particular for mobile networks suchas 5G MEC allows terminal devices to migrate storage andcomputing tasks to network edge nodes The architecture ofedge computing is shown in Figure 1

HindawiWireless Communications and Mobile ComputingVolume 2018 Article ID 8142102 13 pageshttpsdoiorg10115520188142102

2 Wireless Communications and Mobile Computing

latency Lower

Medium

Higher

Real-time analytics

Transactional analytics

Business intelligence

Data CenterCloud

unsafe

unsafe

unsafe unsafe

unsafe

unsafeunsafe

unsafeunsafe

unsafe

unsafe

unsafe

Mobile EdgeComputing

Mobile EdgeComputing

Mobile EdgeComputing

Mobile EdgeComputing

Figure 1 The architecture of mobile edge computing

MEC covers a wide range of technologies includingwireless sensor networks mobile data acquisition mobilesignature analysis cooperative distributed peer-to-peer adhoc networking and processing The foundation of MECis traditional network wireless network mobile networkand Internet of Vehicles (IoV) in which a large number ofnetwork infrastructure technologies and services are appliedInclude energy efficiency and spectral efficiency tradeoff indevice-to-device [5] QoS-aware interdomain multicast [6]efficient cross-layer relay node selection model [7] mobileanchors assisted localization [8] and vehicular communica-tions [9] Mobile edge computing (see Figure 1) is a servicefor multiple entities (mobile devices and IoT devices) Manyentities put their real-time data (outsourced data in cloudcomputing) on mobile edge computing for analysis or stor-age The extensive features of mobile edge computing suchas data collection real-time analytics and parallel processingmake the privacy issues that exist in the cloud computingenvironment become more prominent Therefore the secu-rity of outsourced data remains a fundamental issue for datasecurity of MECThe red dotted lines (see Figure 1) representsafety risk between the different entities and mobile edgecomputing such as IoV and smart home services providedby mobile edge computing In IoV the location informationof the vehicle and the online browsing records generated by

the owner are collected by the mobile edge calculation so asto feed back the precise navigation information of the vehicleand the push information for the ownerrsquos preferences In thisprocess the data of the owner and the car are exposed to themobile edge computing which is extremely unsafe In smarthome many sensors monitor environment changes in theroom such as temperature humidity surveillance video etcthrough mobile edge calculation storage and analysis givingthe best home environment settings This process is alsounsafe Traditional methods including intrusion detectionaccess control and virtual isolation can only protect datafrom being stolen by external attackers For internal attacks(honest and curious mobile edge computing) data securityis still not guaranteed The encrypted data are relativelyconsidered a safe storage status However it is unable tosatisfy the computability of ciphertext data If we want theedge computing to be able to do nontrivial computationswith the ciphertext data and therefore the problem is severeto solve The nontrivial computations include deep learningfor the IoV with Edge Computing [10] offloading com-putation for MEC [11] The fully homomorphic encryption(FHE) overcomes this limitation Gentry described the firstencryption scheme that supports both addition and multipli-cation base on ciphertexts ie FHE scheme [12] The FHEscheme allows anyone to perform arbitrary computations

Wireless Communications and Mobile Computing 3

on encrypted data despite not having the secret decryptionkey

The development of FHE can be partitioned into threegenerations [13] The first generation includes Gentryrsquos orig-inal scheme using ideal lattices [12] the somewhat simplerscheme of van Dijk et al [14] and some optimisations for firstgeneration in public key size [15ndash17] All these schemeshave a problem of rapidly growing noise which affectedboth efficiency and security The second generation beginwith Brakerski-Vaikuntanathan [18 19] and Brakerski et al[20] and is characterized by modulus-switching and key-switching techniques for controlling the noise resulting inimproved efficiency including LWE [18] Ring-LWE [19]and NTRU [21 22] hardness assumption The third gener-ation begins with the scheme of Gentry et al [23] Third-generation schemes are usually slightly less efficient thansecond-generation ones but they can be based on somewhatweaker hardness assumptions

In the homomorphic evaluation of FHE different circuitsin the real world are realized by multiplication homomor-phic addition homomorphic and decryption homomorphic(ciphertext refresh) The application of FHE is ciphertextarithmetic operation and ciphertext retrieval Gentry Haleviand Smart propose the first evaluation of a complex circuitie a full AES-128 block evaluation [24] by using a BGV [20]style schemeThe schememakes use of batching [25 26] keyswitching and modulus switching techniques to obtain anefficient levelled implementation Chen Y et al [27] proposethe integer arithmetic over ciphertext and homomorphic dataaggregation by using a BGV style scheme The scheme usesthe HElib library to implement homomorphic evaluationfor addition subtraction multiplication and division of un-signed integrins Gai K et al [28] propose the blend arith-metic operations on tensor-based FHE over real numbersand proposes a novel tensor-based FHE solution [29] YangJ et al [30] propose the secure tensor decomposition usingFHE scheme

In [24] AES-128 block evaluation cannot implementcarry operation In [27] the integer arithmetic over ciphertextjust implement 2-4 bits arithmetic operation of unsignedinteger In [28] the blend arithmetic operations do notimplement division operation over tensor-based FHE overreal numbers Therefore the [24 27 28] cannot be used asa complete homomorphic evaluation of a signed inte-ger arithmetic operations scheme by using addition andmultiplication homomorphism in MEC The homomor-phic evaluation of integer arithmetic operations is animportant foundation for nontrivial computations with theciphertext data Therefore it is significant to constructhomomorphic evaluation of integer arithmetic operationsscheme

Contribution We propose the homomorphic evaluations ofinteger arithmetic operations base on DGHV [14] and itsvariants [15 31 32] in mobile edge computing And weuse the features of homomorphic encryption to preventsensitive data from being stolen At the same time wecan also calculate ciphertext data in mobile edge comput-ing

(i) Our scheme refers to the integer operation ruleswhich are expressed inBoolean polynomials (BP) thatonly contains logical AND XOR operationsThen weconvert BP into homomorphic polynomials (HP) byusing addition and multiplication on ciphertexts

(ii) We propose judgment choose Boolean polynomials(JCBP) to solve the constantly choose problem in themultiplication and division Then we convert JCBPinto judgment choose homomorphic polynomials(JCHP) by using addition and multiplication onciphertexts

(iii) We optimise the process of homomorphic evalua-tion of integer arithmetic operations We divide theciphertext vector of integer encryption into subvec-tors of length 2 and add the length of the private key ofFHE to support the 3-multiplication level additionalexcept for the 15-multiplication level required bybootstrapping

(iv) We test the optimized scheme in DGHV [14] andCMNT [17] In the number of ciphertext refreshesthe optimized scheme is reduced by 23 comparedto the original scheme and the homomorphic eval-uation time overhead of integer arithmetic opera-tions is reduced by 13 We also test our schemein CNT [31] of without bootstrapping The timeoverhead of optimized scheme over DGHV [14] andCMNT [17] is close to the original scheme over CNT[31]

Organization In Section 2 we will introduce DGHV [14]the variants of DGHV [17 31 32] and some homomorphicevaluation in detail In Section 3 we modify the polynomialsof integer arithmetic operation according to the computationprocess of complement addition subtraction multiplicationand division of integer in the computer We also proposethe BP of integer arithmetic operation and convert the BPinto the HP of integer arithmetic operation In Section 4we analyse the noise ceiling and optimize the process ofhomomorphic evaluation of integer arithmetic operationsIn Section 5 we show our implementation and experimen-tal result We show the efficiency and conclusion of ourscheme

2 Related Work

Fully homomorphic encryption scheme over the integersand its variants are an essential branch of homomorphicencryption research Also we propose the homomorphicevaluations of integer arithmetic operations base on DGHVand its variants We use DGHV and its variants to encryptdata and upload ciphertext data to a MEC data center Theserver of MEC can process ciphertext data by using featuresof homomorphic encryption Our scheme involves homo-morphic encryption and ciphertext computing Thereforewe will introduce the original homomorphic encryptionscheme DGHV [14] and its variants on integer includingshorter public keys CMNT [17] public keys compress andmodulus switching CNT [31] batch encryption CCKL+

4 Wireless Communications and Mobile Computing

[32] Below we will replace [14 17 31 32] with DGHVCMNT CNT and CCKL+ At the same time we will alsointroduce some ciphertext computing techniques related toour scheme including full AES-128 block evaluation [24] byusing a BGV style scheme integer arithmetic over ciphertextand homomorphic data aggregation [27] the blend arith-metic operations on tensor-based FHE over real numbers[28]

21 DGHV and Variants Scheme The DGHV scheme is de-scribed by van Dijk et al base on integer and to simplify[12] The advantages of DGHV include simple encryptionprocess and being easy to understand However it has aweakness that the noise in ciphertext increases rapidly withthe multiplicative level increases The scheme is based on aset of public integers 119909119894 = 119902119894119901 + 119903119894 0 le 119894 le 120591 where theinteger 119901 is secret We use the same notation as in DGHVThe DGHV use the following parameters (all polynomial inthe security parameter 120582)

(i) 120574 is the bit-length of the 119909119894rsquos(ii) 120578 is the bit-length of private key 119901(iii) 120588 is the bit-length of the noise 119903119894(iv) 120591 is the number of 119909119894rsquos in the public key(v) 1205881015840 is used for encryption

For a specific 120578-bit odd integer 119901 DGHV use the followingdistribution over 120574-bit integers

D120574120588(119901) = 119862ℎ119900119900119904119890 119902 larr997888 Z cap [0 2120574119901 ) 119903 larr997888 Z

cap (minus2120588 2120588) 119874119906119905119901119906119905 119909 = 119902 sdot 119901 + 119903(1)

119870119890119910119866119890119899(120582) Generate a random odd integer 119901 of size 120578 bitsas a 119904119896 For the public key sample 119909119894 larr997888 D120574120588(119901) for 0 le 119894 le 120591Relabel so that 1199090 is the largest Let 1199090 be odd and [1199090]119901 evenLet 119901119896 = ⟨1199090 1199091 119909120591⟩ and 119904119896 = 119901119864119899119888119903119910119901119905(119901119896119898 isin 0 1) Choose a random subset 119878 sube1 2 120591 and a random integer 119903 isin (minus2120588 2120588) and output119888 larr997888 [119898 + 2119903 + 2sum119894isin119878 119909119894]1199090 119863119890119888119903119910119901119905(119904119896 119888) Output 1198981015840 = ((119888) mod 119901) mod 2 = (c mod2)(lfloor119888119901rceil mod 2)119864119907119886119897119906119886119905119890(119901119896 119862 1198881 1198882 119888119905) Given the function 119865 with tinput and 119905 ciphertexts 119888119894 convert logic AND and logic XORof 119865 into addition and multiplication performing all theaddition and multiplication and return the resulting integer

The following parameter set is suggested inDGHV120588 = 1205821205881015840 = 2120582 120578 = O(1205822) 120574 = O(1205825) 120591 = 120574 + 120582 The public key sizeis then O(12058210)

The CMNT scheme is described by Coron et al to reducethe public key size of the DGHV scheme from O(12058210) downto O(1205827) CMNT scheme applies a new parameter 120573 bythe form 1199091015840119894119895 = 1199091198940 ∙ 1199091198951 mod 1199090 1 le 119894 119895 le 120573 to

generate the 120591 = 1205732 integers 1199091015840119894119895 used for encryption CMNTscheme enables reducing the public key size from 120591 down toroughly 2radic120591 integers of bits CMNT scheme uses an error-free 1199090 that is 1199090 = 1199020119901 since otherwise the error wouldgrow too large Additionally for encryption CMNT schemeconsider a linear combination of the 1199091015840119894119895 with a coefficientvector 119887 = (119887119894119895) instead of bits this enables reducingthe public key size further The vector 119887 with componentsin [0 2120572)

The CMNT scheme takes 120588 = 120582 120578 = O(1205822) and 120574 =O(1205825) as in the DGHV scheme However it takes 120572 = 120582 1205732 =O(1205822) and 1205881015840 = 4120582 The main difference is that instead ofhaving 120591 = O(1205825) integers 119909119894rsquos CMNT scheme has only 2120573 =O(1205822) integers 119909119894 Hence the public key size becomes O(1205827)instead of O(12058210)

Coron and Naccache et al describe the CNT schemeTheCMT describes a method that can compress the public keysize of the DGHV scheme and optimise the noise manage-ment technique by modifying the modulus switching tech-nology [20] The noise ceiling of CNT scheme increases onlylinearly with the multiplicative level instead of exponentiallySo a levelled DGHV variant was implemented This schemegives two optimisations for homomorphic encryption onDGHV as below

The first optimisation is public keys compression Firstgenerate the secret key 119901 of size 120578 bits and use a pseudo-random function 119891 with random seed 119904119890 to generate a set of120594119894 isin [0 2120574) 1 le 119894 le 120591 Finally compute 120575119894 that 119909119894 = 120594119894 minus 120575119894 issmall modulo 119901 and store 120575119894 in the public key instead of thefull 119909119894rsquos

The second optimisation is Modulus-Switching Tech-nique The CMNT show how to adapt Brakerski Gentry andVaikuntanathanrsquos (BGV) FHE framework [20] to the DGHVscheme over the integers Under the [20] framework thenoise ceiling increases only linearly withmultiplicative depthinstead of exponentially

The CNT scheme takes 120588 = 120582 120578 = O(1205822) 120574 = O(1205825)120572 = O(1205822) 120591 = O(1205823) and 1205881015840 = O(1205822) The new public key ofCNT scheme has size 120574+120591 ∙ (120578+120582) = O(1205825) instead of O(12058210)of DGHV

JH Cheon et al describe the CCKL+ scheme It extendsDGHV to support the same batching capability as in RLWE-based schemes [20 25] and to homomorphically evaluate afull AES circuit with roughly the same level of efficiency as[24] The CCKL+ scheme is a merger of two independentworks [33 34] built on the same basic idea but with differentcontributions Its security under the (stronger) Error-FreeApproximate-GCD assumption already DGHV CMNT andCNT

The CCKL+ scheme extends the DGHV scheme bypacking ℓ plaintexts 1198980 sdot sdot sdot 119898ℓminus1 into a single ciphertextusing theChinese RemainderTheorem (CRT) For somewhathomomorphic encryption this allows us to encrypt not onlybits but elements from rings of formZ119876 The CKLL+ schemetakes 120588 = 2120582 120578 = O(1205822) 120574 = O(1205825) 120572 = O(1205822) and120591 = O(1205823) as in CNT scheme with 1205881015840 = O(120582) 1205721015840 = O(1205822)and ℓ = O(1205822)

Wireless Communications and Mobile Computing 5

Table 1 The parameters of DGHV CMNT CNT and CCKL+ and public key storage size

FHE scheme 120582 1205881015840 120578 120574 pk length pk sizeDGHV 120582 2120582 O (1205822) O (1205825) O (12058210) 41 GBCMNT 120582 4120582 O (1205822) O (1205825) O (1205827) 800MBCNT 120582 O (1205822) O (1205822) O (1205825) O (1205825) 101MBCCKL+ 120582 3120582 O (1205822) O (1205825) O (1205828) 56GB

We can conclude (see Table 1) that the CNT schemeperforms best in public key storage and only 101 MB Wetest public key size of DGHV by using ldquolargerdquo parametersof CMNT and up to 41 GB The CNT scheme has betternoise management technique in which the noise ceilingincreases only linearlywith themultiplicative levelThereforethe CNT scheme supports more multiplication level thanother schemes The CCKL+ scheme implements batch FHEscheme to encrypt a plaintext vector to a ciphertext byusing the CRT However each one of the components in theplaintext vector is required to be independent If we encrypta plaintext vector the encryption result is a plaintext vectorusing DGHV CMNT and CNT scheme and the encryptionresult is a ciphertext by using CCKL+Therefore when we doarithmetic operations on the ciphertext of a plaintext vectorwe can perform carry operation by using DGHV CMNT andCNT scheme instead of using CCKL+

22 Homomorphic Evaluation The advantage of homomor-phic evaluation is implementing various operations in the realworld on ciphertext and is not only multiplication homomor-phic addition homomorphic and decryption homomorphic(ciphertext refresh) The FHE abstracts various operationsof the real world as a collection of circuits consisting oflogical XOR and logical ANDThe homomorphic evaluationis to implement different circuits in this collection of circuitsBelow we will introduce some relevant schemes for homo-morphic evaluation of arithmetic operations

Gentry Halevi and Smart propose the first evaluation ofa complex circuit ie a full AES-128 block evaluation [24]by using a BGV [20] style scheme The scheme makes useof batching [25 26] key switching and modulus switchingtechniques to obtain an efficient levelled implementationAfter that Gentry Smart and Halevi publish significantlyimproved runtime results Compared to the earlier imple-mentation [21] Gentry et al use the latest version of theHElib library [35] Two variations of the implementation arereported one with bootstrapping and one without bootstrap-ping

Chen Y et al [27] propose the integer arithmetic overciphertext and homomorphic data aggregation by using aBGV [20] style scheme The scheme uses the HElib library[35] to implement homomorphic evaluation for additionsubtraction multiplication and division of unsigned inte-grins However the scheme report time overhead of inte-ger arithmetic over ciphertext without bootstrapping andmodulus switching (somewhat homomorphic encryption)The length of integer ciphertext only sets 2 3 4 bitsand sets 128 security level to guarantee right result The

schemedoes not optimise the operations of integer arithmeticover ciphertext with bootstrapping and modulus switch-ing

Gai K et al [28] propose the blend arithmetic operationson tensor-based FHE over real numbers and propose a noveltensor-based FHE solution [29]The scheme uses tensor lawsto carry the computations of blend arithmetic operationsover real numbers However blend arithmetic operationsonly include addition and multiplication The scheme doesnot implement blend arithmetic operations with the divi-sion

3 Homomorphic Evaluation of the IntegerArithmetic Operations

Integer addition subtraction multiplication and division areoperated by complement addition and shift One bit full-adder uses XOR (⨁) gate to get sum and uses AND (and)gate to get carry Below we will explain our notation Theinteger arithmetic operations will take A = a119899minus1 sdot sdot sdota0B = b119899minus1 sdot sdot sdotb0 and Alowast = alowast119899minus1 sdot sdot sdotalowast0 Blowast = blowast119899minus1 sdot sdot sdotblowast0as inputs A and B are the complements Alowast and Blowast aretworsquos complement of A and B However in complementoperation A is original code Alowast is the complement of theA TheA = ⟨a119899minus1 a0⟩ represents ciphertext vector ofALet a119894 = 119864119899119888(a119894) 0 le 119894 le 119899 minus 1 The Alowast = ⟨alowast119899minus1 alowast0 ⟩represents ciphertext vector of Alowast alowast119894 = 119864119899119888(alowast119894 ) 0 le 119894 le119899 minus 1 The V represents the ciphertext vector of B b119894 =119864119899119888(b119894) 0 le 119894 le 119899 minus 1 The Blowast = ⟨blowast119899minus1 blowast0 ⟩ representsciphertext vector of Blowast blowast119894 = 119864119899119888(blowast119894 ) 0 le 119894 le 119899 minus 1 TheAVAlowast andBlowast are inputs of homomorphic evaluation ofthe integer arithmetic operations The 119899 is big enough Wedo not consider the overflow about integer arithmetic opera-tions

31 Homomorphic Evaluation of the Complement OperationsFixed-point number use the complement to finish arithmeticoperations The rules of converting original code into com-plement

(i) Positive number a positive complement and the sameoriginal code

(ii) Negative number negative complement is the symbolfor the numerical bit reverse and then at the bottom(LSB) plus 1

Given the original code A apply the XOR and AND to getcomplement Alowast The MSB a119899minus1 is the signed bit of A andthe size of the remaining bitsa119899minus2 sdot sdot sdota0 represent the value

6 Wireless Communications and Mobile Computing

Given an initialised carry cminus1 = 0 we output theAlowast The BPof complement

cminus1 = 0c119894 = a119894 or c119894minus1

alowast119894 = (a119894 oplus a119899c119894minus1)

0 le 119894 le 119899 minus 2(2)

We convertc119894 into aBP by usingXORgate andANDgateTheBPc119894 = a119894c119894minus1 oplusa119894 oplusc119894minus1 0 le 119894 le 119899 minus 2 Due to initialisedcarry cminus1 = 0 we can convert c119894 into a polynomial withoutcminus1

c119894 = 119894+1sum119896=1

sum|S|=119894+1

prod119895isin119878

a119895 mod 2 (3)

where S = a119894 sdot sdot sdota0 0 le 119894 le 119899 minus 3 |S| is the Hammingweight of the S We can convert above polynomials intoHP of complement by using addition and multiplication onciphertexts The HP of complement

c119894 = ( 119894+1sum119896=1

sum|S|=119894+1

prod119895isin119878

a119895) mod 1199090alowast119894 = (a119894 + a

lowast119899 ∙ c119894minus1) mod 1199090

0 le 119894 le 119899 minus 2(4)

where c119894 represents the ciphertext result of c119894 and 119863119890119888(c119894) =c119894 Let a

lowast119899minus1 = a119899minus1 The 1199090 is the largest odd public key in

FHE We can get ciphertext complement Alowast by using aboveHP

32 Homomorphic Evaluation of the Addition and SubtractionOperations Integer complement addition operation needs tocalculate results in order from low to high Every result bitrequires an addend bit an augend bit and a carry bit fromthe low Every carry bit requires an addend bit an augend bitand a carry bit from low aswell By iterating above operationswe can get the result of complement addition We set integercomplement A and B as inputs to calculate S = A + Bwhere S = s119899minus1 sdot sdot sdot s0 The 119899 is big enough We do notconsider the overflow of the S The BP of addition

cminus1 = 0s119894 = a119894 oplus b119894 oplus c119894minus1

c119894 = a119894b119894 oplus c119894minus1 (a119894 oplus b119894)0 le 119894 le 119899 minus 1

(5)

We can convert above BP into HP of addition by using addi-tion and multiplication on ciphertexts The HP of addition

cminus1 = 119864119899119888 (0)s119894 = (a119894 + b119894 + c119894minus1) mod 1199090c119894 = (a119894b119894 + c119894minus1a119894 + c119894minus1b119894) mod 1199090

0 le 119894 le 119899 minus 1(6)

where the s119894 is 119894-th ciphertext of result vector S =⟨s119899minus1 sdot sdot sdot s0⟩ and 119863119890119888(A) + 119863119890119888(B) = 119863119890119888(S)The addition operation can do integer subtraction oper-

ation If we calculate A minus B we can convert B to Blowast andcalculateA+Blowast by using integer addition operation In orderto get Blowast we need to use the complement operation to getB1015840 = b1015840119899minus1 sdot sdot sdotb10158400 and then let blowast119899minus1 = b1015840119899minus1 oplus 1 blowast119894 = b1015840119894 0 le119894 le 119899minus2TheHP of subtraction contains two parts includingHP of complement and HP of addition

33 Homomorphic Evaluation of the Multiplication Opera-tions Integer multiplication operation is based on Boothrsquosmultiplication algorithm [36] It is a multiplication algorithmthat multiplies two signed numbers in tworsquos complementnotation We set multiplicand A and multiplier B Boothrsquosalgorithm examines adjacent pairs of bits of the multiplierB in signed tworsquos complement representation including animplicit bit below the least significant bit bminus1 = 0 Also wedenote byP the product accumulator The steps of the basicalgorithm for multiplication operations

(1) We reinitialise the value ofAAlowast andP

(i) AA = A ≪ 119899 arithmetic left shift (119899 + 1) bitsA = a119899a119899minus1 sdot sdot sdota00 sdot sdot sdot 0

(ii) Alowast Alowast = Alowast ≪ 119899 arithmetic left shift (119899 + 1)bitsAlowast = alowast119899minus1 sdot sdot sdotalowast00 sdot sdot sdot 0

(iii) P fill the most significant 119899 bits with 0 To theright of this append the value ofB Fill the LSBwith a 0P = 0 sdot sdot sdot 0b119899minus1 sdot sdot sdotb00

(2) Determine the two least significant (rightmost) bits ofP

(i) If bminus1 = b0 do nothing Use P directly in thenext step Arithmetic right shift 1 bit

(ii) If b0bminus1 = 01 find the value of P = P + AIgnore any overflow Arithmetic right shift 1 bit

(iii) If b0bminus1 = 10 find the value of P = P + AlowastIgnore any overflow Arithmetic right shift 1 bit

Repeat above second steps until they have been done 119899 minus 1times Drop the LSB from P According to second stepsmentioned technique we can summarise a judgment choiceBoolean polynomial (JCBP)

JCBP119898119906119897119905 (b0bminus1AlowastA)= (b0 oplus bminus1) [b0Alowast + bminus1A] (7)

We useP119894 to represent 119894-th times iteration The BP of multi-plication operation

P119894 = P119894minus1 + JCBP119898119906119897119905 (b0bminus1AlowastA)P119894 = P119894minus1 ≫ 1

0 le 119894 lt 119899 minus 1(8)

Wireless Communications and Mobile Computing 7

where≫ represent the arithmetic right shift We can convertformula (7) into HP of addition by using addition and multi-plication on ciphertextsTheHP of JCBP119898119906119897119905(b0bminus1AlowastA)

JCHP11989811990611989711990511990901205881015840 (b0 bminus1AlowastA 119903 119904119908119894119905119888ℎ (oplus and))= [(b0+bminus1) (b0Alowast + bminus1A) + 2119903] mod 1199090 (9)

The A and Alowast represent ciphertext vector of reinitialisingA and Alowast The 119903 = ⟨1199030 119903119899minus1⟩ is a noise vector and119903119894 larr997888 Z cap (minus21205881015840 21205881015840) 0 le 119894 le 119899 minus 1 The HP of multiplica-tion

P119894

= P119894minus1

+ JCHP11989811990611989711990511990901205881015840 (b0 bminus1AlowastA 119903 119904119908119894119905119888ℎ (oplus and))P119894 = P119894minus1 sim≫ 1

0 le 119894 lt 119899 minus 1

(10)

where sim≫ represent the right shift of ciphertext vectorP119899minus1When the right shift of P119899minus1 by 1 ciphertext slot the mostsignificant component of P119899minus1 is filled with a copy of theoriginal most significant component The final value ofP119899minus1is the signed ciphertext product

34 Homomorphic Evaluation of the Division OperationDivision is the most complex of the basic arithmetic opera-tions For a simple computer that operate with an adder cir-cuit for its arithmetic operations a variant using traditionallong division called nonrestoring division provides a simplerand faster speed This method only needs one decision andadditionsubtraction per quotient bit and need not restoringstep after the subtraction We set dividend A and divisorB The Blowast is tworsquos complement of B The R is the partialremainder and the Q is quotient The basic algorithm forbinary (radix 2) nonrestoring division is as follows

(1) Reinitialize value ofBBlowastR and Q

(i) B B = B ≫ 119899 do arithmetic left shift 119899 bitsB = b119899minus1 sdot sdot sdotb00 sdot sdot sdot 0

(ii) Blowast Blowast = Blowast ≫ 119899 do arithmetic left shift 119899bitsBlowast = blowast119899minus1 sdot sdot sdotblowast00 sdot sdot sdot 0

(iii) RR = A ≫ 119899 do arithmetic right shift 119899 bitsR = r2119899minus1 sdot sdot sdotr0

(iv) Q Q = q119899minus1 sdot sdot sdotq0 fill it 119899 bits with 0

(2) Determine the one most significant (a signed bit) bitofR

(i) If r2119899minus1 = 0 fill the LSB of Q with 1 digit dological left shift 1 bit Find the value ofR = 2 lowastR +Blowast

(ii) If r2119899minus1 = 1 fill the LSB of Q with 0 digit dological left shift 1 bit Find the value ofR = 2 lowastR +B

(3) Repeat above second steps until they have been done119899 minus 1 times(4) Convert the quotient Q We suppose original Q =11101010

(i) Start Q = 11101010(ii) Mask the zero term (Signed binary notation

with onersquos complement) Q = 00010101(iii) Subtract Q = Q minus Q Q = 11010101

(5) The actual remainder is R = R ≫ 119899 Final resultof quotient is always odd and the remainder R isin the range minusB lt R lt B To convert to apositive remainder do a single restoring step afterQ isconverted from a nonstandard form to standard formIfR lt 0 find the value ofQ = Qminus1 andR = R+B

According to the second step mentioned technique we cansummarise a judgment choice Boolean polynomial (JCBP)

JCBP119889119894V (r2119899minus1BBlowast) = r2119899minus1B + (r2119899minus1 oplus 1)Blowast (11)

We useR119894 to represent 119894-th times iterationTheBPof divisionoperation

R119894 = 2R119894minus1 + JCBP119889119894V (r2119899minus1BBlowast)0 le 119894 lt 119899 minus 1

q119899minus1minus119894 = r1198942119899minus1 oplus 1 0 le 119894 lt 119899 minus 1Q = Q minus Q

R119899minus1 = R119899minus1 ≫ 119899

(12)

where r1198942119899minus1 represent the MSB ofR119894 Finally doing the fifthstep correctsQ andR119899minus1We can convert aboveBP intoHPofaddition by using addition and multiplication on ciphertextsThe HP of JCBP119889119894V(r2119899minus1BBlowast)

JCBP119889119894V1199090 1205881015840 (r2119899minus1BlowastV 119903 119904119908119894119905119888ℎ (oplus and))= [r2119899minus1V + (r2119899minus1 + 119864119899119888 (1))V + 2119903] mod 1199090 (13)

whereV andBlowast represent ciphertext vector of reinitialisingB andBlowast respectively The HP of division

R119894

= 2R119894minus1+ JCBP119889119894V1199090 1205881015840 (r2119899minus1BlowastV 119903 119904119908119894119905119888ℎ (oplusand))

0 le 119894 lt 119899 minus 1q119899minus1minus119894 = (r1198942119899minus1 + 119864119899119888 (1)) mod 1199090 0 le 119894 lt 119899 minus 1Q = Q minusQ

R119899minus1 = R119899minus1 sim≫ 119899

(14)

where R119894 = ⟨r1198942119899minus1 sdot sdot sdot r1198940⟩ represents ciphertext vector ofR119894 andQ=⟨q119899minus1 sdot sdot sdot q0⟩ represents ciphertext vector of QQ

8 Wireless Communications and Mobile Computing

represent q119894 = (q119894 + 119864119899119888(1)) mod 1199090 0 le 119894 lt 119899 Finally weneed to correctQ andR119899minus1 by the following operations

Q = [r119899minus1119899minus1 (Q minus 119864119899119888 (1))] mod 1199090R = [r119899minus1119899minus1 (R119899minus1 +V)] mod 1199090 (15)

The final value ofQ andR is the result of HP of division

4 Noise Analysis and Optimization

In Section 3 we describe the homomorphic evaluation ofthe integer arithmetic operations including complementaddition subtraction multiplication and division In thissection we will analyse the noise ceiling and optimisationfor our scheme Under the DGHV scheme the noise ceilingincreases exponentially with the multiplicative degree Whenciphertexts have noise at most 2120578minus2 lt 1199012 the ciphertextscannot be decrypted correctly Therefore we need bootstrap-ping to control noise of ciphertexts but using bootstrappingto refresh ciphertext will reduce the efficiency of DGHVWe will show the noise ceiling about the homomorphicevaluation of the integer arithmetic operations in this sectionMoreover we will describe an optimisation for the process ofinteger arithmetic operations to reduce time overhead in FHEwith bootstrapping

41 Noise Analysis of Our Scheme According to Section 3 weshow the noise ceiling and items of homomorphic evaluationof the 119899 bits signed integer arithmetic operations We denoteby HE-IAO the homomorphic evaluation of the integerarithmetic operations and use HE-com HE-add HE-subHE-mul HE-div to represent five operations of HE-IAOThedetails are shown in Table 2

Proof According to homomorphic evaluation of the comple-ment operations formula (3)

c119894 = 119894+1sum119896=1

sum|S|=119894+1

prod119895isin119878

a119895 mod 2 0 le 119894 le 119899 minus 2 (16)

sum|S|=119894prod119895isin119878a119895 has ( 119899minus2119894+1 ) terms and degree amounts to 119894 + 1According to binomial theorem the term of formula (3) canbe represented as (1+119909)119899minus2minus1 = sum119899minus2119894=0 ( 119899minus2119894 ) 119909119894minus1 when119909 = 1Therefore the polynomial c119894 of term is up to 2119899minus2 minus 1 anddegree amounts to 119899 minus 2 Because ofalowast119894 = (a119894 oplusa119899c119894minus1) 0 le119894 le 119899 minus 1 alowast119894 of term amounts to 2119899minus2 and degree amountsto 119899 minus 1

According to homomorphic evaluation of the additionoperations formula (5) the degree of carry formula c119894 =a119894b119894 oplus c119894minus1(a119894 oplus b119894) is higher 1 than c119894minus1 and the term of c119894is higher 2 lowast 119905119890119903119898(c119894minus1) + 1 than c119894minus1 where 119905119890119903119898(c119894minus1) rep-resents the term of c119894minus1 The degree of c0 = a0b0 amountsto 2 and the term of c0 = a0b0 amounts to 1 The degree ofc119899minus2 amounts to 119899 and terms of c119899minus2 amount to 2119899minus1 minus1TheMSB ofSs119899minus1 = a119899minus1 oplus b119899minus1 oplusc119899minus2 where the degree of s119899minus1amounts to 119899 and the term of s119899minus1 amounts to 2119899minus1 + 1 Ifwe do not consider complement operation subtraction and

Table 2 The degree ceiling and items of homomorphic evaluationof the 119899 bits signed integer arithmetic operations Above showing theHPof integer arithmetic operations 119899-th iterations ciphertext resultsrsquodegree and term

HE-IAO degree termHE-com 119899 minus 1 2119899minus2HE-add 119899 2119899minus1 + 1HE-sub 119899 2119899minus1 + 1HE-mul 120595 ∙ 22119899minus4 minusHE-div 120593 ∙ 22119899minus4 minusTable 3 The noise ceiling of homomorphic evaluation of the 119899 bitssigned integer arithmetic operations The base of the log is 2

HE-IAO noise ceilingHE-com 1205881015840 log(119899minus1) + log 2119899minus3HE-add 1205881015840 log(119899) + log (2119899minus1 + 1)HE-sub 1205881015840 log(119899) + log (2119899minus1 + 1)HE-mul 1205881015840 log120595∙22119899minus4 + minusHE-div 1205881015840 log120593∙22119899minus4 + minus

addition have the same process Therefore the degree andterm are the same as the addition Multiplication and divisionrequire iteration 119899 minus 1 times addition and shift The processesof multiplication and division are particularly complicatedwe canrsquot find the formula to express the degree According toour calculations the degree of multiplication and division isclose to the 2 to the power of 2119899 minus 4 Therefore the degree ofmultiplication is not more than 120595 ∙ 22119899minus4 and the degree ofdivision is not more than 120593∙22119899minus4The term of multiplicationand division is too high and the degree has made noise morethan the limitation of correct decryption

We can conclude (see Table 2) the degree of homomor-phic evaluation of addition and subtraction is O(119899) and thedepth of the homomorphic evaluation of multiplication anddivision is O(120595 ∙ 22119899minus4) We use items that represent the 1198971norm of HP (the coefficient vector of HP) The noise ceilingof homomorphic evaluation of the 119899 bits integer arithmeticoperations can be calculated by the following polynomi-al

119873119900119894119904119890 = 1205881015840log 119889 + log1003816100381610038161003816100381610038161003816997888rarr119891

1003816100381610038161003816100381610038161003816 (17)

where 119889 represents the degree of HP and log 119889 representsmultiplication level of HP |997888rarr119891| is the 1198971 norm of HP 1205881015840 isthe noise of length in every ciphertext The noise ceilingof homomorphic evaluation of the 119899 bits integer arithmeticoperations is shown in Table 3

We can conclude (see Table 3) the noise of homomorphicevaluation of the 119899 bits signed integer arithmetic operationsThe noise increases very rapidly In the homomorphic eval-uation of the complement addition and subtraction noiseincreases up to O(1205881015840119899) In the homomorphic evaluation of themultiplication and division noise ismore than O(1205881015840120595∙22119899minus4)

Wireless Communications and Mobile Computing 9

1 1 1 1 1 1

3 3 3 3 3 3

33L-233L-233L-2

3L+11 recrypt3L+1recrypt1

r shift

33L-233L-233L-21

1 1 1 1 1 11

recrypt recrypt recrypt recrypt recrypt recrypt

Figure 2 The optimised addition operations each colour block represents same position subvectors ofP119894andF the length of each colour

block is L ldquor shiftrdquo represents ciphertext vector right shift one position ldquorecryptrdquo represents ciphertext refresh This figure shows the degreechange of each component ofP

119894andF

42 Optimization of Our Scheme From the analysis of noiseceiling in Section 41 we need to control the noise increasesby using ciphertext refresh or modulus-switching techniquein each multiplication level of homomorphic evaluation ofthe 119899 bits signed integer arithmetic operations Howeverthe ciphertext refresh or modulus-switching technique willreduce our scheme efficiency Therefore we will describe anoptimisation for our scheme in this section The optimisationcan reduce the number of ciphertext refresh and improveefficiency

Because the integer arithmetic operation is completedbased on the addition operation we optimise the homo-morphic evaluation of the integer addition We divide theciphertext vector of integer encryption into subvectors oflength L The homomorphic evaluation of arithmetic oper-ations between the subvectors in the same position do notneed ciphertext refresh and the subvectors in different posi-tions need to refresh ciphertext-carry once Therefore theoptimised scheme need not ciphertext refresh in each multi-plication level and reduces the number of ciphertext refreshWe take addition operations of the product accumulator toexplain our optimisation In the homomorphic evaluationof the multiplication operations the product accumulatorP119894 is as formula (9) The formula (9) is a polynomial ofdegree three and P119894 is a ciphertext vector of degree oneWe denote by F vector of JCHP11989811990611989711990511990901205881015840 We divide theciphertext vector of P119894 and F into ciphertext subvectorsof length L The ciphertext operations of subvectors of thesame position are the same as homomorphic evaluation ofthe addition operations (without ciphertext refresh) Theciphertext operations of subvectors of different position needto refresh ciphertext-carry once (see Figure 2)

The subvectors of P119894 and F generate ciphertext-resultblock and ciphertext-carry In every ciphertext-result blockthe maximum degree is 3L minus 2 (leftmost) and the minimumdegree is 3 (rightmost) The ciphertext-carry degree is 3L +1 in each subvector of the different position Each cipher-text of ciphertext-result block and ciphertext-carry can use

ciphertext refresh (recrypt) to reduce degree up to one Thenumber of ciphertext refresh of once product accumulator(P119894 +F) for ciphertext-carry

(i) If 119899 is divisible by L it will generate 119899Lminus1 ciphertext-carry and the number of ciphertext refresh is 119888119899119905 =119899L minus 1 times

(ii) If 119899 is inalienable by L it will generate lfloor119899Lrfloorciphertext-carry and the number of ciphertext refreshis 119888119899119905 = lfloor119899Lrfloor times

Homomorphic evaluation of the multiplication operationsneeds 119899minus1 times product accumulator and whole operationsneed (119899minus1)∙119888119899119905 times ciphertext refresh for ciphertext-carryand (119899 minus 1) ∙ 119899 times ciphertext refresh for ciphertext-resultblock Total times of ciphertext refresh for homomorphicevaluation of the multiplication operations

119862119873119879 = (119899 minus 1) ∙ 119899 + (119899 minus 1) ∙ 119888119899119905 (18)

In the original homomorphic evaluation of the multi-plication operations every multiplication level needs onceciphertext refresh Whole operations need (119899 minus 1)(3119899 minus 3) +119899(119899 minus 1) + 2119899 minus 3 times ciphertext refresh We apply aboveoptimisation to the homomorphic evaluation of the com-plement addition subtraction multiplication and divisionoperations and set 119899 = 16 L = 1 2 3 4We show the numberof ciphertext refresh of the original scheme (L = 0) and anoptimised scheme (L = 1 2 3 4) as Table 4

In order to implement our optimisation we need to adjustthe parameters of homomorphic encryption and make FHEsupport the log(3L+1)multiplication level additional exceptfor the 15-multiplication level required by bootstrappingTherefore we reset the length of the private key 120578 ge 1205881015840 ∙Θ(120582log2120582) + 1205881015840 ∙ 2log(3L+1) + log(2Lminus1 + 1) We set securityparameter 120582 = 52 the length of noise 1205881015840 = 24 and 120579 = 15Θ = 500 Parameters are set as Table 5

10 Wireless Communications and Mobile Computing

Table 4 The number of ciphertext refresh of homomorphic evaluation of the integer arithmetic operations

HE-IAO L = 0 L = 1 L = 2 L = 3 L = 4HE-com 29 29 22 20 18HE-add 45 31 23 21 19HE-sub 74 60 45 41 37HE-mul 944 494 367 335 303HE-div 1095 585 437 397 359

Table 5 Concrete parameters based on the ldquosmallrdquo parameters of CMNT scheme and reset the length of public key 120578 and 120574 Fixed 120582 1205881015840 andthe number of public keys 120591 only changed 120578 and 120574 according to L

parameters 120582 1205881015840 120578 120574 120591L = 0 52 24 1632 20 ∙ 106 1000L = 1 52 24 1728 25 ∙ 106 1000L = 2 52 24 1801 30 ∙ 106 1000L = 3 52 24 1874 35 ∙ 106 1000L = 4 52 24 1993 42 ∙ 106 1000

5 Experimental Result

Our optimisations described in our scheme were incorpo-rated in our code which is built on top of GnuMP We testedour implementation on a desktop computer with Intel Corei5-3470 running at 32 GHz on which we run an Ubuntu1804 with 8 GB of RAM and with the gcc compiler version62 We regard this desktop computer as an edge data centreto test our scheme efficiency in edge computing We choosethe ciphertext vector of 16 and 8 bits signed integer as inputDue to our optimisations for the FHE with bootstrappingwe test our original scheme (L = 0) and optimised scheme(L = 1 2 3 4) in DGHV and CMNT scheme (see Figures3(a) 3(b) 3(c) 3(d) and 3(e)) In CNT scheme we onlyuse modulus-switching technique to control noise So wetest the original scheme in CNT scheme (see Figures 4(a)and 4(b)) In our figures ldquoHE-com (CMNT 16)rdquo representthe homomorphic evaluation of the complement operationsand calculate the ciphertext vector of 16 bits signed integerin the CMNT scheme ldquoHE-com (DGHV 8)rdquo represent thehomomorphic evaluation of the complement operations andcalculate the ciphertext vector of 8 bits signed integer inDGHV schemeThe explanation of other legends is the sameas above We show the following experimental results basedon the Section 42 parameter settings

We can conclude (see Figures 3(b) 3(c) 3(d) and 3(e))that L = 2 is best parameters setting for homomorphicevaluation of the addition subtraction multiplication anddivision However the time overhead of homomorphic eval-uation of the complement operations is monotone increasingat L (see Figure 3(a)) When L = 0 the time overhead is theabsolute minimum When L = 0 and L = 1 the number ofciphertext refresh is the sameAlso the degree of complementoperations is 2119899 minus 3 When 119899 = 16 the degree is 29 inL = 0 It is the same as L = 1 The reduced time overheadof the optimised complement operations cannot offset thecomputation cost caused by the increase in ciphertext lengthHowever the relative minimum value appears at L = 2

(see Figures 3(a) 3(b) 3(c) 3(d) and 3(e)) It shows thatour optimisation is useful and can reduce the time overheadfor our scheme except homomorphic evaluation of thecomplement operations Namely we divide the ciphertextvector of integer encryption into subvectors of length 2 andmake DGHV and CMNT scheme to support the log(3 ∙ 2 +1) asymp 3 multiplication level additional The optimisation ofour scheme can achieve the best results In the number ofciphertext refreshes the optimised scheme is reduced by 23compared to the original scheme over DGHV and CMNTand the homomorphic evaluation time overhead of integerarithmetic operation is reduced by 13

The DGHV and CMNT schemes are different with CNTscheme in noise management technology The DGHV andCMNT schemes use bootstrapping to control noise andthe CNT scheme uses the modulus switching technology tocontrol noise Our optimization is used for homomorphicevaluation of integer arithmetic operations which are imple-mented byDGHVandCMNTschemes (with bootstrapping)rather than by CNT scheme (modulus-switching)Thereforewe just compare the beat result (L = 2) of our scheme basedon DGHV and CMNT schemes with CNT scheme (L = 0)We can draw a conclusion (see Figures 4(a) and 4(b)) thatthe time overhead of our optimised scheme based on DGHVand CMNT schemes (bootstrapping) with L = 2 close to thetime overhead of basing on CNT (modulus-switching) withL = 0 It also shows that our optimisation is effective And ouroptimized scheme can be applied to mobile edge computingto solve privacy data computing problems in ciphertext

6 Conclusion

We implement the homomorphic evaluation scheme ofinteger arithmetic operations under DGHV and its variantsin edge computing We use the features of homomorphicencryption to prevent sensitive data from being stolen inedge computing At the same time we can also calculateciphertext data in edge computing and improve the QoS

Wireless Communications and Mobile Computing 11

HE-com(CMNT 16)HE-com(DGHV 16)

HE-com(CMNT 8)HE-com(DGHV 8)

200

300

400

500

600

700

800

Tim

e (s)

30 1 42L (subvector length)

(a)

HE-add(CMNT 16)HE-add(DGHV 16)

HE-add(CMNT 8)HE-add(DGHV 8)

30 1 2 4L (subvector length)

200

300

400

500

600

700

800

900

Tim

e (s)

(b)

400

600

800

1000

1200

1400

1600

1800

Tim

e (s)

30 1 2 4L (subvector length)

HE-sub(CMNT 16)HE-sub(DGHV 16)

HE-sub(CMNT 8)HE-sub(DGHV 8)

(c)

HE-mul(CMNT 16)HE-mul(DGHV 16)

HE-mul(CMNT 8)HE-mul(DGHV 8)

30 1 2 4L (subvector length)

2000

4000

6000

8000

10000

12000

14000

16000

Tim

e (s)

(d)

HE-div(CMNT 16)HE-div(DGHV 16)

HE-div(CMNT 8)HE-div(DGHV 8)

30 1 2 4L (subvector length)

02040608

112141618

2

Tim

e (s)

times104

(e)

Figure 3 Tested (a) HE-com (b) HE-add (c) HE-sub (d) HE-mul (e) HE-div CPU time

of edge computing Through scheme design noise analysisscheme optimisation and experimental comparison thedifferent performance of homomorphic evaluation of theinteger arithmetic operations is obtained under different FHEschemes Although we optimise our scheme in Section 42

the time overhead of our scheme is still high The primaryopen problem is to improve the efficiency of the FHE schemeThis requires us to work together to find a natural FHEscheme or to continue to optimise the FHE architecture toachieve more efficient noise management techniques

12 Wireless Communications and Mobile Computing

3500

3000

2500

2000

1500

1000

500

0

Tim

e (s)

DGHV(8)CMNT(8)CNT(8)

DGHV and CMNTL=2CNTL=0HE-divHE-mulHE-subHE-addHE-com

(a)

Tim

e (s)

DGHV(16)CMNT(16)CNT(16)

DGHV and CMNTL=2CNTL=0HE-divHE-mulHE-subHE-addHE-com

12000

10000

8000

6000

4000

2000

0

(b)

Figure 4 (a) Tested HE-IAO CPU time of ciphertext vector of length 8 (b) Tested HE-IAO CPU time of ciphertext vector of length 16

Data Availability

The data and code used to support the findings of thisstudy have been deposited in the GitHub repository (httpsgithubcomlimengfei1187Homomorphic-Encryptiongit)

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This work is partly supported by the National ScienceFoundation of China (61701322) the Key Projects of LiaoningNatural Science Foundation (20170540700) and the LiaoningProvincial Department of Education Science Foundation(L201630)

References

[1] L He O Kaoru and D Mianxiong ldquoECCN Orchestration ofEdge-Centric Computing and Content-Centric Networking inthe 5G Radio Access Networkrdquo IEEEWireless Commun vol 25no 3 pp 88ndash93 2018

[2] M Tao K Ota andMDong ldquoFoud Integrating Fog andCloudfor 5G-EnabledV2GNetworksrdquo IEEENetwork vol 31 no 2 pp8ndash13 2017

[3] J Xu K Ota and M Dong ldquoReal-Time Awareness Schedulingfor Multimedia Big Data Oriented In-Memory ComputingrdquoIEEE Internet of Things Journal 2018

[4] P G Lopez A Montresor D Epema et al ldquoEdge-centriccomputing vision and challengesrdquo Computer CommunicationReview vol 45 no 5 pp 37ndash42 2015

[5] Z ZhouM Dong K Ota JWu and T Sato ldquoEnergy efficiencyand spectral efficiency tradeoff in device-to-device (D2D)communicationsrdquo IEEE Wireless Communications Letters vol3 no 5 pp 485ndash488 2014

[6] A Y Al-Dubai L Zhao A Y Zomaya andGMin ldquoQoS-AwareInter-DomainMulticast for Scalable Wireless Community Net-worksrdquo IEEE Transactions on Parallel and Distributed Systemsvol 26 no 11 pp 3136ndash3148 2015

[7] L Zhao A Al-Dubai X Li andG Chen ldquoA new efficient cross-layer relay node selectionmodel forWireless CommunityMeshNetworksrdquo Computers Electrical Engineering vol 61 pp 361ndash372 2017

[8] G Han J Jiang C Zhang T Q Duong M Guizani and GK Karagiannidis ldquoA Survey on Mobile Anchor Node AssistedLocalization in Wireless Sensor Networksrdquo IEEE Communica-tions Surveys amp Tutorials vol 18 no 3 pp 2220ndash2243 2016

[9] L Zhao et al ldquoVehicular Communications Standardizationand Open Issuesrdquo IEEE Communications Standards Magazine2019

[10] H Li K Ota and M Dong ldquoLearning IoT in edge deeplearning for the internet of things with edge computingrdquo IEEENetwork vol 32 no 1 pp 96ndash101 2018

[11] X Tao KOtaMDongHQi andK Li ldquoPerformance guaran-teed computation offloading formobile-edge cloud computingrdquoIEEEWireless Communications Letters vol 6 no 6 pp 774ndash7772017

[12] CGentry ldquoFully homomorphic encryption using ideal latticesrdquoin Proceedings of the 41st annual ACM symposium on Theory ofComputing (STOC rsquo09) pp 169ndash178 ACM Bethesda Md USA2009

[13] S Halevi ldquoHomomorphic Encryptionrdquo in Tutorials on theFoundations of Cryptography Information Security and Cryp-tography pp 219ndash276 Springer International PublishingCham 2017

[14] M vanDijk C Gentry S Halevi and V Vaikuntanathan ldquoFullyhomomorphic encryption over the integersrdquo in Advances incryptologymdashEUROCRYPT 2010 vol 6110 pp 24ndash43 SpringerBerlin Germany 2010

[15] C Gentry and S Halevi ldquoImplementing Gentryrsquos fullymdashhomomorphic encryption schemerdquo inAdvances in cryptologymdashEUROCRYPT 2011 vol 6632 of Lecture Notes in ComputerScience pp 129ndash148 Springer Heidelberg Germany 2011

[16] N P Smart andFVercauteren ldquoFully homomorphic encryptionwith relatively small key and ciphertext sizesrdquo Lecture Notes in

Wireless Communications and Mobile Computing 3

on encrypted data despite not having the secret decryptionkey

The development of FHE can be partitioned into threegenerations [13] The first generation includes Gentryrsquos orig-inal scheme using ideal lattices [12] the somewhat simplerscheme of van Dijk et al [14] and some optimisations for firstgeneration in public key size [15ndash17] All these schemeshave a problem of rapidly growing noise which affectedboth efficiency and security The second generation beginwith Brakerski-Vaikuntanathan [18 19] and Brakerski et al[20] and is characterized by modulus-switching and key-switching techniques for controlling the noise resulting inimproved efficiency including LWE [18] Ring-LWE [19]and NTRU [21 22] hardness assumption The third gener-ation begins with the scheme of Gentry et al [23] Third-generation schemes are usually slightly less efficient thansecond-generation ones but they can be based on somewhatweaker hardness assumptions

In the homomorphic evaluation of FHE different circuitsin the real world are realized by multiplication homomor-phic addition homomorphic and decryption homomorphic(ciphertext refresh) The application of FHE is ciphertextarithmetic operation and ciphertext retrieval Gentry Haleviand Smart propose the first evaluation of a complex circuitie a full AES-128 block evaluation [24] by using a BGV [20]style schemeThe schememakes use of batching [25 26] keyswitching and modulus switching techniques to obtain anefficient levelled implementation Chen Y et al [27] proposethe integer arithmetic over ciphertext and homomorphic dataaggregation by using a BGV style scheme The scheme usesthe HElib library to implement homomorphic evaluationfor addition subtraction multiplication and division of un-signed integrins Gai K et al [28] propose the blend arith-metic operations on tensor-based FHE over real numbersand proposes a novel tensor-based FHE solution [29] YangJ et al [30] propose the secure tensor decomposition usingFHE scheme

In [24] AES-128 block evaluation cannot implementcarry operation In [27] the integer arithmetic over ciphertextjust implement 2-4 bits arithmetic operation of unsignedinteger In [28] the blend arithmetic operations do notimplement division operation over tensor-based FHE overreal numbers Therefore the [24 27 28] cannot be used asa complete homomorphic evaluation of a signed inte-ger arithmetic operations scheme by using addition andmultiplication homomorphism in MEC The homomor-phic evaluation of integer arithmetic operations is animportant foundation for nontrivial computations with theciphertext data Therefore it is significant to constructhomomorphic evaluation of integer arithmetic operationsscheme

Contribution We propose the homomorphic evaluations ofinteger arithmetic operations base on DGHV [14] and itsvariants [15 31 32] in mobile edge computing And weuse the features of homomorphic encryption to preventsensitive data from being stolen At the same time wecan also calculate ciphertext data in mobile edge comput-ing

(i) Our scheme refers to the integer operation ruleswhich are expressed inBoolean polynomials (BP) thatonly contains logical AND XOR operationsThen weconvert BP into homomorphic polynomials (HP) byusing addition and multiplication on ciphertexts

(ii) We propose judgment choose Boolean polynomials(JCBP) to solve the constantly choose problem in themultiplication and division Then we convert JCBPinto judgment choose homomorphic polynomials(JCHP) by using addition and multiplication onciphertexts

(iii) We optimise the process of homomorphic evalua-tion of integer arithmetic operations We divide theciphertext vector of integer encryption into subvec-tors of length 2 and add the length of the private key ofFHE to support the 3-multiplication level additionalexcept for the 15-multiplication level required bybootstrapping

(iv) We test the optimized scheme in DGHV [14] andCMNT [17] In the number of ciphertext refreshesthe optimized scheme is reduced by 23 comparedto the original scheme and the homomorphic eval-uation time overhead of integer arithmetic opera-tions is reduced by 13 We also test our schemein CNT [31] of without bootstrapping The timeoverhead of optimized scheme over DGHV [14] andCMNT [17] is close to the original scheme over CNT[31]

Organization In Section 2 we will introduce DGHV [14]the variants of DGHV [17 31 32] and some homomorphicevaluation in detail In Section 3 we modify the polynomialsof integer arithmetic operation according to the computationprocess of complement addition subtraction multiplicationand division of integer in the computer We also proposethe BP of integer arithmetic operation and convert the BPinto the HP of integer arithmetic operation In Section 4we analyse the noise ceiling and optimize the process ofhomomorphic evaluation of integer arithmetic operationsIn Section 5 we show our implementation and experimen-tal result We show the efficiency and conclusion of ourscheme

2 Related Work

Fully homomorphic encryption scheme over the integersand its variants are an essential branch of homomorphicencryption research Also we propose the homomorphicevaluations of integer arithmetic operations base on DGHVand its variants We use DGHV and its variants to encryptdata and upload ciphertext data to a MEC data center Theserver of MEC can process ciphertext data by using featuresof homomorphic encryption Our scheme involves homo-morphic encryption and ciphertext computing Thereforewe will introduce the original homomorphic encryptionscheme DGHV [14] and its variants on integer includingshorter public keys CMNT [17] public keys compress andmodulus switching CNT [31] batch encryption CCKL+

4 Wireless Communications and Mobile Computing

[32] Below we will replace [14 17 31 32] with DGHVCMNT CNT and CCKL+ At the same time we will alsointroduce some ciphertext computing techniques related toour scheme including full AES-128 block evaluation [24] byusing a BGV style scheme integer arithmetic over ciphertextand homomorphic data aggregation [27] the blend arith-metic operations on tensor-based FHE over real numbers[28]

21 DGHV and Variants Scheme The DGHV scheme is de-scribed by van Dijk et al base on integer and to simplify[12] The advantages of DGHV include simple encryptionprocess and being easy to understand However it has aweakness that the noise in ciphertext increases rapidly withthe multiplicative level increases The scheme is based on aset of public integers 119909119894 = 119902119894119901 + 119903119894 0 le 119894 le 120591 where theinteger 119901 is secret We use the same notation as in DGHVThe DGHV use the following parameters (all polynomial inthe security parameter 120582)

(i) 120574 is the bit-length of the 119909119894rsquos(ii) 120578 is the bit-length of private key 119901(iii) 120588 is the bit-length of the noise 119903119894(iv) 120591 is the number of 119909119894rsquos in the public key(v) 1205881015840 is used for encryption

For a specific 120578-bit odd integer 119901 DGHV use the followingdistribution over 120574-bit integers

D120574120588(119901) = 119862ℎ119900119900119904119890 119902 larr997888 Z cap [0 2120574119901 ) 119903 larr997888 Z

cap (minus2120588 2120588) 119874119906119905119901119906119905 119909 = 119902 sdot 119901 + 119903(1)

119870119890119910119866119890119899(120582) Generate a random odd integer 119901 of size 120578 bitsas a 119904119896 For the public key sample 119909119894 larr997888 D120574120588(119901) for 0 le 119894 le 120591Relabel so that 1199090 is the largest Let 1199090 be odd and [1199090]119901 evenLet 119901119896 = ⟨1199090 1199091 119909120591⟩ and 119904119896 = 119901119864119899119888119903119910119901119905(119901119896119898 isin 0 1) Choose a random subset 119878 sube1 2 120591 and a random integer 119903 isin (minus2120588 2120588) and output119888 larr997888 [119898 + 2119903 + 2sum119894isin119878 119909119894]1199090 119863119890119888119903119910119901119905(119904119896 119888) Output 1198981015840 = ((119888) mod 119901) mod 2 = (c mod2)(lfloor119888119901rceil mod 2)119864119907119886119897119906119886119905119890(119901119896 119862 1198881 1198882 119888119905) Given the function 119865 with tinput and 119905 ciphertexts 119888119894 convert logic AND and logic XORof 119865 into addition and multiplication performing all theaddition and multiplication and return the resulting integer

The following parameter set is suggested inDGHV120588 = 1205821205881015840 = 2120582 120578 = O(1205822) 120574 = O(1205825) 120591 = 120574 + 120582 The public key sizeis then O(12058210)

The CMNT scheme is described by Coron et al to reducethe public key size of the DGHV scheme from O(12058210) downto O(1205827) CMNT scheme applies a new parameter 120573 bythe form 1199091015840119894119895 = 1199091198940 ∙ 1199091198951 mod 1199090 1 le 119894 119895 le 120573 to

generate the 120591 = 1205732 integers 1199091015840119894119895 used for encryption CMNTscheme enables reducing the public key size from 120591 down toroughly 2radic120591 integers of bits CMNT scheme uses an error-free 1199090 that is 1199090 = 1199020119901 since otherwise the error wouldgrow too large Additionally for encryption CMNT schemeconsider a linear combination of the 1199091015840119894119895 with a coefficientvector 119887 = (119887119894119895) instead of bits this enables reducingthe public key size further The vector 119887 with componentsin [0 2120572)

The CMNT scheme takes 120588 = 120582 120578 = O(1205822) and 120574 =O(1205825) as in the DGHV scheme However it takes 120572 = 120582 1205732 =O(1205822) and 1205881015840 = 4120582 The main difference is that instead ofhaving 120591 = O(1205825) integers 119909119894rsquos CMNT scheme has only 2120573 =O(1205822) integers 119909119894 Hence the public key size becomes O(1205827)instead of O(12058210)

Coron and Naccache et al describe the CNT schemeTheCMT describes a method that can compress the public keysize of the DGHV scheme and optimise the noise manage-ment technique by modifying the modulus switching tech-nology [20] The noise ceiling of CNT scheme increases onlylinearly with the multiplicative level instead of exponentiallySo a levelled DGHV variant was implemented This schemegives two optimisations for homomorphic encryption onDGHV as below

The first optimisation is public keys compression Firstgenerate the secret key 119901 of size 120578 bits and use a pseudo-random function 119891 with random seed 119904119890 to generate a set of120594119894 isin [0 2120574) 1 le 119894 le 120591 Finally compute 120575119894 that 119909119894 = 120594119894 minus 120575119894 issmall modulo 119901 and store 120575119894 in the public key instead of thefull 119909119894rsquos

The second optimisation is Modulus-Switching Tech-nique The CMNT show how to adapt Brakerski Gentry andVaikuntanathanrsquos (BGV) FHE framework [20] to the DGHVscheme over the integers Under the [20] framework thenoise ceiling increases only linearly withmultiplicative depthinstead of exponentially

The CNT scheme takes 120588 = 120582 120578 = O(1205822) 120574 = O(1205825)120572 = O(1205822) 120591 = O(1205823) and 1205881015840 = O(1205822) The new public key ofCNT scheme has size 120574+120591 ∙ (120578+120582) = O(1205825) instead of O(12058210)of DGHV

JH Cheon et al describe the CCKL+ scheme It extendsDGHV to support the same batching capability as in RLWE-based schemes [20 25] and to homomorphically evaluate afull AES circuit with roughly the same level of efficiency as[24] The CCKL+ scheme is a merger of two independentworks [33 34] built on the same basic idea but with differentcontributions Its security under the (stronger) Error-FreeApproximate-GCD assumption already DGHV CMNT andCNT

The CCKL+ scheme extends the DGHV scheme bypacking ℓ plaintexts 1198980 sdot sdot sdot 119898ℓminus1 into a single ciphertextusing theChinese RemainderTheorem (CRT) For somewhathomomorphic encryption this allows us to encrypt not onlybits but elements from rings of formZ119876 The CKLL+ schemetakes 120588 = 2120582 120578 = O(1205822) 120574 = O(1205825) 120572 = O(1205822) and120591 = O(1205823) as in CNT scheme with 1205881015840 = O(120582) 1205721015840 = O(1205822)and ℓ = O(1205822)

Wireless Communications and Mobile Computing 5

Table 1 The parameters of DGHV CMNT CNT and CCKL+ and public key storage size

FHE scheme 120582 1205881015840 120578 120574 pk length pk sizeDGHV 120582 2120582 O (1205822) O (1205825) O (12058210) 41 GBCMNT 120582 4120582 O (1205822) O (1205825) O (1205827) 800MBCNT 120582 O (1205822) O (1205822) O (1205825) O (1205825) 101MBCCKL+ 120582 3120582 O (1205822) O (1205825) O (1205828) 56GB

We can conclude (see Table 1) that the CNT schemeperforms best in public key storage and only 101 MB Wetest public key size of DGHV by using ldquolargerdquo parametersof CMNT and up to 41 GB The CNT scheme has betternoise management technique in which the noise ceilingincreases only linearlywith themultiplicative levelThereforethe CNT scheme supports more multiplication level thanother schemes The CCKL+ scheme implements batch FHEscheme to encrypt a plaintext vector to a ciphertext byusing the CRT However each one of the components in theplaintext vector is required to be independent If we encrypta plaintext vector the encryption result is a plaintext vectorusing DGHV CMNT and CNT scheme and the encryptionresult is a ciphertext by using CCKL+Therefore when we doarithmetic operations on the ciphertext of a plaintext vectorwe can perform carry operation by using DGHV CMNT andCNT scheme instead of using CCKL+

22 Homomorphic Evaluation The advantage of homomor-phic evaluation is implementing various operations in the realworld on ciphertext and is not only multiplication homomor-phic addition homomorphic and decryption homomorphic(ciphertext refresh) The FHE abstracts various operationsof the real world as a collection of circuits consisting oflogical XOR and logical ANDThe homomorphic evaluationis to implement different circuits in this collection of circuitsBelow we will introduce some relevant schemes for homo-morphic evaluation of arithmetic operations

Gentry Halevi and Smart propose the first evaluation ofa complex circuit ie a full AES-128 block evaluation [24]by using a BGV [20] style scheme The scheme makes useof batching [25 26] key switching and modulus switchingtechniques to obtain an efficient levelled implementationAfter that Gentry Smart and Halevi publish significantlyimproved runtime results Compared to the earlier imple-mentation [21] Gentry et al use the latest version of theHElib library [35] Two variations of the implementation arereported one with bootstrapping and one without bootstrap-ping

Chen Y et al [27] propose the integer arithmetic overciphertext and homomorphic data aggregation by using aBGV [20] style scheme The scheme uses the HElib library[35] to implement homomorphic evaluation for additionsubtraction multiplication and division of unsigned inte-grins However the scheme report time overhead of inte-ger arithmetic over ciphertext without bootstrapping andmodulus switching (somewhat homomorphic encryption)The length of integer ciphertext only sets 2 3 4 bitsand sets 128 security level to guarantee right result The

schemedoes not optimise the operations of integer arithmeticover ciphertext with bootstrapping and modulus switch-ing

Gai K et al [28] propose the blend arithmetic operationson tensor-based FHE over real numbers and propose a noveltensor-based FHE solution [29]The scheme uses tensor lawsto carry the computations of blend arithmetic operationsover real numbers However blend arithmetic operationsonly include addition and multiplication The scheme doesnot implement blend arithmetic operations with the divi-sion

3 Homomorphic Evaluation of the IntegerArithmetic Operations

Integer addition subtraction multiplication and division areoperated by complement addition and shift One bit full-adder uses XOR (⨁) gate to get sum and uses AND (and)gate to get carry Below we will explain our notation Theinteger arithmetic operations will take A = a119899minus1 sdot sdot sdota0B = b119899minus1 sdot sdot sdotb0 and Alowast = alowast119899minus1 sdot sdot sdotalowast0 Blowast = blowast119899minus1 sdot sdot sdotblowast0as inputs A and B are the complements Alowast and Blowast aretworsquos complement of A and B However in complementoperation A is original code Alowast is the complement of theA TheA = ⟨a119899minus1 a0⟩ represents ciphertext vector ofALet a119894 = 119864119899119888(a119894) 0 le 119894 le 119899 minus 1 The Alowast = ⟨alowast119899minus1 alowast0 ⟩represents ciphertext vector of Alowast alowast119894 = 119864119899119888(alowast119894 ) 0 le 119894 le119899 minus 1 The V represents the ciphertext vector of B b119894 =119864119899119888(b119894) 0 le 119894 le 119899 minus 1 The Blowast = ⟨blowast119899minus1 blowast0 ⟩ representsciphertext vector of Blowast blowast119894 = 119864119899119888(blowast119894 ) 0 le 119894 le 119899 minus 1 TheAVAlowast andBlowast are inputs of homomorphic evaluation ofthe integer arithmetic operations The 119899 is big enough Wedo not consider the overflow about integer arithmetic opera-tions

31 Homomorphic Evaluation of the Complement OperationsFixed-point number use the complement to finish arithmeticoperations The rules of converting original code into com-plement

(i) Positive number a positive complement and the sameoriginal code

(ii) Negative number negative complement is the symbolfor the numerical bit reverse and then at the bottom(LSB) plus 1

Given the original code A apply the XOR and AND to getcomplement Alowast The MSB a119899minus1 is the signed bit of A andthe size of the remaining bitsa119899minus2 sdot sdot sdota0 represent the value

6 Wireless Communications and Mobile Computing

Given an initialised carry cminus1 = 0 we output theAlowast The BPof complement

cminus1 = 0c119894 = a119894 or c119894minus1

alowast119894 = (a119894 oplus a119899c119894minus1)

0 le 119894 le 119899 minus 2(2)

We convertc119894 into aBP by usingXORgate andANDgateTheBPc119894 = a119894c119894minus1 oplusa119894 oplusc119894minus1 0 le 119894 le 119899 minus 2 Due to initialisedcarry cminus1 = 0 we can convert c119894 into a polynomial withoutcminus1

c119894 = 119894+1sum119896=1

sum|S|=119894+1

prod119895isin119878

a119895 mod 2 (3)

where S = a119894 sdot sdot sdota0 0 le 119894 le 119899 minus 3 |S| is the Hammingweight of the S We can convert above polynomials intoHP of complement by using addition and multiplication onciphertexts The HP of complement

c119894 = ( 119894+1sum119896=1

sum|S|=119894+1

prod119895isin119878

a119895) mod 1199090alowast119894 = (a119894 + a

lowast119899 ∙ c119894minus1) mod 1199090

0 le 119894 le 119899 minus 2(4)

where c119894 represents the ciphertext result of c119894 and 119863119890119888(c119894) =c119894 Let a

lowast119899minus1 = a119899minus1 The 1199090 is the largest odd public key in

FHE We can get ciphertext complement Alowast by using aboveHP

32 Homomorphic Evaluation of the Addition and SubtractionOperations Integer complement addition operation needs tocalculate results in order from low to high Every result bitrequires an addend bit an augend bit and a carry bit fromthe low Every carry bit requires an addend bit an augend bitand a carry bit from low aswell By iterating above operationswe can get the result of complement addition We set integercomplement A and B as inputs to calculate S = A + Bwhere S = s119899minus1 sdot sdot sdot s0 The 119899 is big enough We do notconsider the overflow of the S The BP of addition

cminus1 = 0s119894 = a119894 oplus b119894 oplus c119894minus1

c119894 = a119894b119894 oplus c119894minus1 (a119894 oplus b119894)0 le 119894 le 119899 minus 1

(5)

We can convert above BP into HP of addition by using addi-tion and multiplication on ciphertexts The HP of addition

cminus1 = 119864119899119888 (0)s119894 = (a119894 + b119894 + c119894minus1) mod 1199090c119894 = (a119894b119894 + c119894minus1a119894 + c119894minus1b119894) mod 1199090

0 le 119894 le 119899 minus 1(6)

where the s119894 is 119894-th ciphertext of result vector S =⟨s119899minus1 sdot sdot sdot s0⟩ and 119863119890119888(A) + 119863119890119888(B) = 119863119890119888(S)The addition operation can do integer subtraction oper-

ation If we calculate A minus B we can convert B to Blowast andcalculateA+Blowast by using integer addition operation In orderto get Blowast we need to use the complement operation to getB1015840 = b1015840119899minus1 sdot sdot sdotb10158400 and then let blowast119899minus1 = b1015840119899minus1 oplus 1 blowast119894 = b1015840119894 0 le119894 le 119899minus2TheHP of subtraction contains two parts includingHP of complement and HP of addition

33 Homomorphic Evaluation of the Multiplication Opera-tions Integer multiplication operation is based on Boothrsquosmultiplication algorithm [36] It is a multiplication algorithmthat multiplies two signed numbers in tworsquos complementnotation We set multiplicand A and multiplier B Boothrsquosalgorithm examines adjacent pairs of bits of the multiplierB in signed tworsquos complement representation including animplicit bit below the least significant bit bminus1 = 0 Also wedenote byP the product accumulator The steps of the basicalgorithm for multiplication operations

(1) We reinitialise the value ofAAlowast andP

(i) AA = A ≪ 119899 arithmetic left shift (119899 + 1) bitsA = a119899a119899minus1 sdot sdot sdota00 sdot sdot sdot 0

(ii) Alowast Alowast = Alowast ≪ 119899 arithmetic left shift (119899 + 1)bitsAlowast = alowast119899minus1 sdot sdot sdotalowast00 sdot sdot sdot 0

(iii) P fill the most significant 119899 bits with 0 To theright of this append the value ofB Fill the LSBwith a 0P = 0 sdot sdot sdot 0b119899minus1 sdot sdot sdotb00

(2) Determine the two least significant (rightmost) bits ofP

(i) If bminus1 = b0 do nothing Use P directly in thenext step Arithmetic right shift 1 bit

(ii) If b0bminus1 = 01 find the value of P = P + AIgnore any overflow Arithmetic right shift 1 bit

(iii) If b0bminus1 = 10 find the value of P = P + AlowastIgnore any overflow Arithmetic right shift 1 bit

Repeat above second steps until they have been done 119899 minus 1times Drop the LSB from P According to second stepsmentioned technique we can summarise a judgment choiceBoolean polynomial (JCBP)

JCBP119898119906119897119905 (b0bminus1AlowastA)= (b0 oplus bminus1) [b0Alowast + bminus1A] (7)

We useP119894 to represent 119894-th times iteration The BP of multi-plication operation

P119894 = P119894minus1 + JCBP119898119906119897119905 (b0bminus1AlowastA)P119894 = P119894minus1 ≫ 1

0 le 119894 lt 119899 minus 1(8)

Wireless Communications and Mobile Computing 7

where≫ represent the arithmetic right shift We can convertformula (7) into HP of addition by using addition and multi-plication on ciphertextsTheHP of JCBP119898119906119897119905(b0bminus1AlowastA)

JCHP11989811990611989711990511990901205881015840 (b0 bminus1AlowastA 119903 119904119908119894119905119888ℎ (oplus and))= [(b0+bminus1) (b0Alowast + bminus1A) + 2119903] mod 1199090 (9)

The A and Alowast represent ciphertext vector of reinitialisingA and Alowast The 119903 = ⟨1199030 119903119899minus1⟩ is a noise vector and119903119894 larr997888 Z cap (minus21205881015840 21205881015840) 0 le 119894 le 119899 minus 1 The HP of multiplica-tion

P119894

= P119894minus1

+ JCHP11989811990611989711990511990901205881015840 (b0 bminus1AlowastA 119903 119904119908119894119905119888ℎ (oplus and))P119894 = P119894minus1 sim≫ 1

0 le 119894 lt 119899 minus 1

(10)

where sim≫ represent the right shift of ciphertext vectorP119899minus1When the right shift of P119899minus1 by 1 ciphertext slot the mostsignificant component of P119899minus1 is filled with a copy of theoriginal most significant component The final value ofP119899minus1is the signed ciphertext product

34 Homomorphic Evaluation of the Division OperationDivision is the most complex of the basic arithmetic opera-tions For a simple computer that operate with an adder cir-cuit for its arithmetic operations a variant using traditionallong division called nonrestoring division provides a simplerand faster speed This method only needs one decision andadditionsubtraction per quotient bit and need not restoringstep after the subtraction We set dividend A and divisorB The Blowast is tworsquos complement of B The R is the partialremainder and the Q is quotient The basic algorithm forbinary (radix 2) nonrestoring division is as follows

(1) Reinitialize value ofBBlowastR and Q

(i) B B = B ≫ 119899 do arithmetic left shift 119899 bitsB = b119899minus1 sdot sdot sdotb00 sdot sdot sdot 0

(ii) Blowast Blowast = Blowast ≫ 119899 do arithmetic left shift 119899bitsBlowast = blowast119899minus1 sdot sdot sdotblowast00 sdot sdot sdot 0

(iii) RR = A ≫ 119899 do arithmetic right shift 119899 bitsR = r2119899minus1 sdot sdot sdotr0

(iv) Q Q = q119899minus1 sdot sdot sdotq0 fill it 119899 bits with 0

(2) Determine the one most significant (a signed bit) bitofR

(i) If r2119899minus1 = 0 fill the LSB of Q with 1 digit dological left shift 1 bit Find the value ofR = 2 lowastR +Blowast

(ii) If r2119899minus1 = 1 fill the LSB of Q with 0 digit dological left shift 1 bit Find the value ofR = 2 lowastR +B

(3) Repeat above second steps until they have been done119899 minus 1 times(4) Convert the quotient Q We suppose original Q =11101010

(i) Start Q = 11101010(ii) Mask the zero term (Signed binary notation

with onersquos complement) Q = 00010101(iii) Subtract Q = Q minus Q Q = 11010101

(5) The actual remainder is R = R ≫ 119899 Final resultof quotient is always odd and the remainder R isin the range minusB lt R lt B To convert to apositive remainder do a single restoring step afterQ isconverted from a nonstandard form to standard formIfR lt 0 find the value ofQ = Qminus1 andR = R+B

According to the second step mentioned technique we cansummarise a judgment choice Boolean polynomial (JCBP)

JCBP119889119894V (r2119899minus1BBlowast) = r2119899minus1B + (r2119899minus1 oplus 1)Blowast (11)

We useR119894 to represent 119894-th times iterationTheBPof divisionoperation

R119894 = 2R119894minus1 + JCBP119889119894V (r2119899minus1BBlowast)0 le 119894 lt 119899 minus 1

q119899minus1minus119894 = r1198942119899minus1 oplus 1 0 le 119894 lt 119899 minus 1Q = Q minus Q

R119899minus1 = R119899minus1 ≫ 119899

(12)

where r1198942119899minus1 represent the MSB ofR119894 Finally doing the fifthstep correctsQ andR119899minus1We can convert aboveBP intoHPofaddition by using addition and multiplication on ciphertextsThe HP of JCBP119889119894V(r2119899minus1BBlowast)

JCBP119889119894V1199090 1205881015840 (r2119899minus1BlowastV 119903 119904119908119894119905119888ℎ (oplus and))= [r2119899minus1V + (r2119899minus1 + 119864119899119888 (1))V + 2119903] mod 1199090 (13)

whereV andBlowast represent ciphertext vector of reinitialisingB andBlowast respectively The HP of division

R119894

= 2R119894minus1+ JCBP119889119894V1199090 1205881015840 (r2119899minus1BlowastV 119903 119904119908119894119905119888ℎ (oplusand))

0 le 119894 lt 119899 minus 1q119899minus1minus119894 = (r1198942119899minus1 + 119864119899119888 (1)) mod 1199090 0 le 119894 lt 119899 minus 1Q = Q minusQ

R119899minus1 = R119899minus1 sim≫ 119899

(14)

where R119894 = ⟨r1198942119899minus1 sdot sdot sdot r1198940⟩ represents ciphertext vector ofR119894 andQ=⟨q119899minus1 sdot sdot sdot q0⟩ represents ciphertext vector of QQ

8 Wireless Communications and Mobile Computing

represent q119894 = (q119894 + 119864119899119888(1)) mod 1199090 0 le 119894 lt 119899 Finally weneed to correctQ andR119899minus1 by the following operations

Q = [r119899minus1119899minus1 (Q minus 119864119899119888 (1))] mod 1199090R = [r119899minus1119899minus1 (R119899minus1 +V)] mod 1199090 (15)

The final value ofQ andR is the result of HP of division

4 Noise Analysis and Optimization

In Section 3 we describe the homomorphic evaluation ofthe integer arithmetic operations including complementaddition subtraction multiplication and division In thissection we will analyse the noise ceiling and optimisationfor our scheme Under the DGHV scheme the noise ceilingincreases exponentially with the multiplicative degree Whenciphertexts have noise at most 2120578minus2 lt 1199012 the ciphertextscannot be decrypted correctly Therefore we need bootstrap-ping to control noise of ciphertexts but using bootstrappingto refresh ciphertext will reduce the efficiency of DGHVWe will show the noise ceiling about the homomorphicevaluation of the integer arithmetic operations in this sectionMoreover we will describe an optimisation for the process ofinteger arithmetic operations to reduce time overhead in FHEwith bootstrapping

41 Noise Analysis of Our Scheme According to Section 3 weshow the noise ceiling and items of homomorphic evaluationof the 119899 bits signed integer arithmetic operations We denoteby HE-IAO the homomorphic evaluation of the integerarithmetic operations and use HE-com HE-add HE-subHE-mul HE-div to represent five operations of HE-IAOThedetails are shown in Table 2

Proof According to homomorphic evaluation of the comple-ment operations formula (3)

c119894 = 119894+1sum119896=1

sum|S|=119894+1

prod119895isin119878

a119895 mod 2 0 le 119894 le 119899 minus 2 (16)

sum|S|=119894prod119895isin119878a119895 has ( 119899minus2119894+1 ) terms and degree amounts to 119894 + 1According to binomial theorem the term of formula (3) canbe represented as (1+119909)119899minus2minus1 = sum119899minus2119894=0 ( 119899minus2119894 ) 119909119894minus1 when119909 = 1Therefore the polynomial c119894 of term is up to 2119899minus2 minus 1 anddegree amounts to 119899 minus 2 Because ofalowast119894 = (a119894 oplusa119899c119894minus1) 0 le119894 le 119899 minus 1 alowast119894 of term amounts to 2119899minus2 and degree amountsto 119899 minus 1

According to homomorphic evaluation of the additionoperations formula (5) the degree of carry formula c119894 =a119894b119894 oplus c119894minus1(a119894 oplus b119894) is higher 1 than c119894minus1 and the term of c119894is higher 2 lowast 119905119890119903119898(c119894minus1) + 1 than c119894minus1 where 119905119890119903119898(c119894minus1) rep-resents the term of c119894minus1 The degree of c0 = a0b0 amountsto 2 and the term of c0 = a0b0 amounts to 1 The degree ofc119899minus2 amounts to 119899 and terms of c119899minus2 amount to 2119899minus1 minus1TheMSB ofSs119899minus1 = a119899minus1 oplus b119899minus1 oplusc119899minus2 where the degree of s119899minus1amounts to 119899 and the term of s119899minus1 amounts to 2119899minus1 + 1 Ifwe do not consider complement operation subtraction and

Table 2 The degree ceiling and items of homomorphic evaluationof the 119899 bits signed integer arithmetic operations Above showing theHPof integer arithmetic operations 119899-th iterations ciphertext resultsrsquodegree and term

HE-IAO degree termHE-com 119899 minus 1 2119899minus2HE-add 119899 2119899minus1 + 1HE-sub 119899 2119899minus1 + 1HE-mul 120595 ∙ 22119899minus4 minusHE-div 120593 ∙ 22119899minus4 minusTable 3 The noise ceiling of homomorphic evaluation of the 119899 bitssigned integer arithmetic operations The base of the log is 2

HE-IAO noise ceilingHE-com 1205881015840 log(119899minus1) + log 2119899minus3HE-add 1205881015840 log(119899) + log (2119899minus1 + 1)HE-sub 1205881015840 log(119899) + log (2119899minus1 + 1)HE-mul 1205881015840 log120595∙22119899minus4 + minusHE-div 1205881015840 log120593∙22119899minus4 + minus

addition have the same process Therefore the degree andterm are the same as the addition Multiplication and divisionrequire iteration 119899 minus 1 times addition and shift The processesof multiplication and division are particularly complicatedwe canrsquot find the formula to express the degree According toour calculations the degree of multiplication and division isclose to the 2 to the power of 2119899 minus 4 Therefore the degree ofmultiplication is not more than 120595 ∙ 22119899minus4 and the degree ofdivision is not more than 120593∙22119899minus4The term of multiplicationand division is too high and the degree has made noise morethan the limitation of correct decryption

We can conclude (see Table 2) the degree of homomor-phic evaluation of addition and subtraction is O(119899) and thedepth of the homomorphic evaluation of multiplication anddivision is O(120595 ∙ 22119899minus4) We use items that represent the 1198971norm of HP (the coefficient vector of HP) The noise ceilingof homomorphic evaluation of the 119899 bits integer arithmeticoperations can be calculated by the following polynomi-al

119873119900119894119904119890 = 1205881015840log 119889 + log1003816100381610038161003816100381610038161003816997888rarr119891

1003816100381610038161003816100381610038161003816 (17)

where 119889 represents the degree of HP and log 119889 representsmultiplication level of HP |997888rarr119891| is the 1198971 norm of HP 1205881015840 isthe noise of length in every ciphertext The noise ceilingof homomorphic evaluation of the 119899 bits integer arithmeticoperations is shown in Table 3

We can conclude (see Table 3) the noise of homomorphicevaluation of the 119899 bits signed integer arithmetic operationsThe noise increases very rapidly In the homomorphic eval-uation of the complement addition and subtraction noiseincreases up to O(1205881015840119899) In the homomorphic evaluation of themultiplication and division noise ismore than O(1205881015840120595∙22119899minus4)

Wireless Communications and Mobile Computing 9

1 1 1 1 1 1

3 3 3 3 3 3

33L-233L-233L-2

3L+11 recrypt3L+1recrypt1

r shift

33L-233L-233L-21

1 1 1 1 1 11

recrypt recrypt recrypt recrypt recrypt recrypt

Figure 2 The optimised addition operations each colour block represents same position subvectors ofP119894andF the length of each colour

block is L ldquor shiftrdquo represents ciphertext vector right shift one position ldquorecryptrdquo represents ciphertext refresh This figure shows the degreechange of each component ofP

119894andF

42 Optimization of Our Scheme From the analysis of noiseceiling in Section 41 we need to control the noise increasesby using ciphertext refresh or modulus-switching techniquein each multiplication level of homomorphic evaluation ofthe 119899 bits signed integer arithmetic operations Howeverthe ciphertext refresh or modulus-switching technique willreduce our scheme efficiency Therefore we will describe anoptimisation for our scheme in this section The optimisationcan reduce the number of ciphertext refresh and improveefficiency

Because the integer arithmetic operation is completedbased on the addition operation we optimise the homo-morphic evaluation of the integer addition We divide theciphertext vector of integer encryption into subvectors oflength L The homomorphic evaluation of arithmetic oper-ations between the subvectors in the same position do notneed ciphertext refresh and the subvectors in different posi-tions need to refresh ciphertext-carry once Therefore theoptimised scheme need not ciphertext refresh in each multi-plication level and reduces the number of ciphertext refreshWe take addition operations of the product accumulator toexplain our optimisation In the homomorphic evaluationof the multiplication operations the product accumulatorP119894 is as formula (9) The formula (9) is a polynomial ofdegree three and P119894 is a ciphertext vector of degree oneWe denote by F vector of JCHP11989811990611989711990511990901205881015840 We divide theciphertext vector of P119894 and F into ciphertext subvectorsof length L The ciphertext operations of subvectors of thesame position are the same as homomorphic evaluation ofthe addition operations (without ciphertext refresh) Theciphertext operations of subvectors of different position needto refresh ciphertext-carry once (see Figure 2)

The subvectors of P119894 and F generate ciphertext-resultblock and ciphertext-carry In every ciphertext-result blockthe maximum degree is 3L minus 2 (leftmost) and the minimumdegree is 3 (rightmost) The ciphertext-carry degree is 3L +1 in each subvector of the different position Each cipher-text of ciphertext-result block and ciphertext-carry can use

ciphertext refresh (recrypt) to reduce degree up to one Thenumber of ciphertext refresh of once product accumulator(P119894 +F) for ciphertext-carry

(i) If 119899 is divisible by L it will generate 119899Lminus1 ciphertext-carry and the number of ciphertext refresh is 119888119899119905 =119899L minus 1 times

(ii) If 119899 is inalienable by L it will generate lfloor119899Lrfloorciphertext-carry and the number of ciphertext refreshis 119888119899119905 = lfloor119899Lrfloor times

Homomorphic evaluation of the multiplication operationsneeds 119899minus1 times product accumulator and whole operationsneed (119899minus1)∙119888119899119905 times ciphertext refresh for ciphertext-carryand (119899 minus 1) ∙ 119899 times ciphertext refresh for ciphertext-resultblock Total times of ciphertext refresh for homomorphicevaluation of the multiplication operations

119862119873119879 = (119899 minus 1) ∙ 119899 + (119899 minus 1) ∙ 119888119899119905 (18)

In the original homomorphic evaluation of the multi-plication operations every multiplication level needs onceciphertext refresh Whole operations need (119899 minus 1)(3119899 minus 3) +119899(119899 minus 1) + 2119899 minus 3 times ciphertext refresh We apply aboveoptimisation to the homomorphic evaluation of the com-plement addition subtraction multiplication and divisionoperations and set 119899 = 16 L = 1 2 3 4We show the numberof ciphertext refresh of the original scheme (L = 0) and anoptimised scheme (L = 1 2 3 4) as Table 4

In order to implement our optimisation we need to adjustthe parameters of homomorphic encryption and make FHEsupport the log(3L+1)multiplication level additional exceptfor the 15-multiplication level required by bootstrappingTherefore we reset the length of the private key 120578 ge 1205881015840 ∙Θ(120582log2120582) + 1205881015840 ∙ 2log(3L+1) + log(2Lminus1 + 1) We set securityparameter 120582 = 52 the length of noise 1205881015840 = 24 and 120579 = 15Θ = 500 Parameters are set as Table 5

10 Wireless Communications and Mobile Computing

Table 4 The number of ciphertext refresh of homomorphic evaluation of the integer arithmetic operations

HE-IAO L = 0 L = 1 L = 2 L = 3 L = 4HE-com 29 29 22 20 18HE-add 45 31 23 21 19HE-sub 74 60 45 41 37HE-mul 944 494 367 335 303HE-div 1095 585 437 397 359

Table 5 Concrete parameters based on the ldquosmallrdquo parameters of CMNT scheme and reset the length of public key 120578 and 120574 Fixed 120582 1205881015840 andthe number of public keys 120591 only changed 120578 and 120574 according to L

parameters 120582 1205881015840 120578 120574 120591L = 0 52 24 1632 20 ∙ 106 1000L = 1 52 24 1728 25 ∙ 106 1000L = 2 52 24 1801 30 ∙ 106 1000L = 3 52 24 1874 35 ∙ 106 1000L = 4 52 24 1993 42 ∙ 106 1000

5 Experimental Result

Our optimisations described in our scheme were incorpo-rated in our code which is built on top of GnuMP We testedour implementation on a desktop computer with Intel Corei5-3470 running at 32 GHz on which we run an Ubuntu1804 with 8 GB of RAM and with the gcc compiler version62 We regard this desktop computer as an edge data centreto test our scheme efficiency in edge computing We choosethe ciphertext vector of 16 and 8 bits signed integer as inputDue to our optimisations for the FHE with bootstrappingwe test our original scheme (L = 0) and optimised scheme(L = 1 2 3 4) in DGHV and CMNT scheme (see Figures3(a) 3(b) 3(c) 3(d) and 3(e)) In CNT scheme we onlyuse modulus-switching technique to control noise So wetest the original scheme in CNT scheme (see Figures 4(a)and 4(b)) In our figures ldquoHE-com (CMNT 16)rdquo representthe homomorphic evaluation of the complement operationsand calculate the ciphertext vector of 16 bits signed integerin the CMNT scheme ldquoHE-com (DGHV 8)rdquo represent thehomomorphic evaluation of the complement operations andcalculate the ciphertext vector of 8 bits signed integer inDGHV schemeThe explanation of other legends is the sameas above We show the following experimental results basedon the Section 42 parameter settings

We can conclude (see Figures 3(b) 3(c) 3(d) and 3(e))that L = 2 is best parameters setting for homomorphicevaluation of the addition subtraction multiplication anddivision However the time overhead of homomorphic eval-uation of the complement operations is monotone increasingat L (see Figure 3(a)) When L = 0 the time overhead is theabsolute minimum When L = 0 and L = 1 the number ofciphertext refresh is the sameAlso the degree of complementoperations is 2119899 minus 3 When 119899 = 16 the degree is 29 inL = 0 It is the same as L = 1 The reduced time overheadof the optimised complement operations cannot offset thecomputation cost caused by the increase in ciphertext lengthHowever the relative minimum value appears at L = 2

(see Figures 3(a) 3(b) 3(c) 3(d) and 3(e)) It shows thatour optimisation is useful and can reduce the time overheadfor our scheme except homomorphic evaluation of thecomplement operations Namely we divide the ciphertextvector of integer encryption into subvectors of length 2 andmake DGHV and CMNT scheme to support the log(3 ∙ 2 +1) asymp 3 multiplication level additional The optimisation ofour scheme can achieve the best results In the number ofciphertext refreshes the optimised scheme is reduced by 23compared to the original scheme over DGHV and CMNTand the homomorphic evaluation time overhead of integerarithmetic operation is reduced by 13

The DGHV and CMNT schemes are different with CNTscheme in noise management technology The DGHV andCMNT schemes use bootstrapping to control noise andthe CNT scheme uses the modulus switching technology tocontrol noise Our optimization is used for homomorphicevaluation of integer arithmetic operations which are imple-mented byDGHVandCMNTschemes (with bootstrapping)rather than by CNT scheme (modulus-switching)Thereforewe just compare the beat result (L = 2) of our scheme basedon DGHV and CMNT schemes with CNT scheme (L = 0)We can draw a conclusion (see Figures 4(a) and 4(b)) thatthe time overhead of our optimised scheme based on DGHVand CMNT schemes (bootstrapping) with L = 2 close to thetime overhead of basing on CNT (modulus-switching) withL = 0 It also shows that our optimisation is effective And ouroptimized scheme can be applied to mobile edge computingto solve privacy data computing problems in ciphertext

6 Conclusion

We implement the homomorphic evaluation scheme ofinteger arithmetic operations under DGHV and its variantsin edge computing We use the features of homomorphicencryption to prevent sensitive data from being stolen inedge computing At the same time we can also calculateciphertext data in edge computing and improve the QoS

Wireless Communications and Mobile Computing 11

HE-com(CMNT 16)HE-com(DGHV 16)

HE-com(CMNT 8)HE-com(DGHV 8)

200

300

400

500

600

700

800

Tim

e (s)

30 1 42L (subvector length)

(a)

HE-add(CMNT 16)HE-add(DGHV 16)

HE-add(CMNT 8)HE-add(DGHV 8)

30 1 2 4L (subvector length)

200

300

400

500

600

700

800

900

Tim

e (s)

(b)

400

600

800

1000

1200

1400

1600

1800

Tim

e (s)

30 1 2 4L (subvector length)

HE-sub(CMNT 16)HE-sub(DGHV 16)

HE-sub(CMNT 8)HE-sub(DGHV 8)

(c)

HE-mul(CMNT 16)HE-mul(DGHV 16)

HE-mul(CMNT 8)HE-mul(DGHV 8)

30 1 2 4L (subvector length)

2000

4000

6000

8000

10000

12000

14000

16000

Tim

e (s)

(d)

HE-div(CMNT 16)HE-div(DGHV 16)

HE-div(CMNT 8)HE-div(DGHV 8)

30 1 2 4L (subvector length)

02040608

112141618

2

Tim

e (s)

times104

(e)

Figure 3 Tested (a) HE-com (b) HE-add (c) HE-sub (d) HE-mul (e) HE-div CPU time

of edge computing Through scheme design noise analysisscheme optimisation and experimental comparison thedifferent performance of homomorphic evaluation of theinteger arithmetic operations is obtained under different FHEschemes Although we optimise our scheme in Section 42

the time overhead of our scheme is still high The primaryopen problem is to improve the efficiency of the FHE schemeThis requires us to work together to find a natural FHEscheme or to continue to optimise the FHE architecture toachieve more efficient noise management techniques

12 Wireless Communications and Mobile Computing

3500

3000

2500

2000

1500

1000

500

0

Tim

e (s)

DGHV(8)CMNT(8)CNT(8)

DGHV and CMNTL=2CNTL=0HE-divHE-mulHE-subHE-addHE-com

(a)

Tim

e (s)

DGHV(16)CMNT(16)CNT(16)

DGHV and CMNTL=2CNTL=0HE-divHE-mulHE-subHE-addHE-com

12000

10000

8000

6000

4000

2000

0

(b)

Figure 4 (a) Tested HE-IAO CPU time of ciphertext vector of length 8 (b) Tested HE-IAO CPU time of ciphertext vector of length 16

Data Availability

The data and code used to support the findings of thisstudy have been deposited in the GitHub repository (httpsgithubcomlimengfei1187Homomorphic-Encryptiongit)

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This work is partly supported by the National ScienceFoundation of China (61701322) the Key Projects of LiaoningNatural Science Foundation (20170540700) and the LiaoningProvincial Department of Education Science Foundation(L201630)

References

[1] L He O Kaoru and D Mianxiong ldquoECCN Orchestration ofEdge-Centric Computing and Content-Centric Networking inthe 5G Radio Access Networkrdquo IEEEWireless Commun vol 25no 3 pp 88ndash93 2018

[2] M Tao K Ota andMDong ldquoFoud Integrating Fog andCloudfor 5G-EnabledV2GNetworksrdquo IEEENetwork vol 31 no 2 pp8ndash13 2017

[3] J Xu K Ota and M Dong ldquoReal-Time Awareness Schedulingfor Multimedia Big Data Oriented In-Memory ComputingrdquoIEEE Internet of Things Journal 2018

[4] P G Lopez A Montresor D Epema et al ldquoEdge-centriccomputing vision and challengesrdquo Computer CommunicationReview vol 45 no 5 pp 37ndash42 2015

[5] Z ZhouM Dong K Ota JWu and T Sato ldquoEnergy efficiencyand spectral efficiency tradeoff in device-to-device (D2D)communicationsrdquo IEEE Wireless Communications Letters vol3 no 5 pp 485ndash488 2014

[6] A Y Al-Dubai L Zhao A Y Zomaya andGMin ldquoQoS-AwareInter-DomainMulticast for Scalable Wireless Community Net-worksrdquo IEEE Transactions on Parallel and Distributed Systemsvol 26 no 11 pp 3136ndash3148 2015

[7] L Zhao A Al-Dubai X Li andG Chen ldquoA new efficient cross-layer relay node selectionmodel forWireless CommunityMeshNetworksrdquo Computers Electrical Engineering vol 61 pp 361ndash372 2017

[8] G Han J Jiang C Zhang T Q Duong M Guizani and GK Karagiannidis ldquoA Survey on Mobile Anchor Node AssistedLocalization in Wireless Sensor Networksrdquo IEEE Communica-tions Surveys amp Tutorials vol 18 no 3 pp 2220ndash2243 2016

[9] L Zhao et al ldquoVehicular Communications Standardizationand Open Issuesrdquo IEEE Communications Standards Magazine2019

[10] H Li K Ota and M Dong ldquoLearning IoT in edge deeplearning for the internet of things with edge computingrdquo IEEENetwork vol 32 no 1 pp 96ndash101 2018

[11] X Tao KOtaMDongHQi andK Li ldquoPerformance guaran-teed computation offloading formobile-edge cloud computingrdquoIEEEWireless Communications Letters vol 6 no 6 pp 774ndash7772017

[12] CGentry ldquoFully homomorphic encryption using ideal latticesrdquoin Proceedings of the 41st annual ACM symposium on Theory ofComputing (STOC rsquo09) pp 169ndash178 ACM Bethesda Md USA2009

[13] S Halevi ldquoHomomorphic Encryptionrdquo in Tutorials on theFoundations of Cryptography Information Security and Cryp-tography pp 219ndash276 Springer International PublishingCham 2017

[14] M vanDijk C Gentry S Halevi and V Vaikuntanathan ldquoFullyhomomorphic encryption over the integersrdquo in Advances incryptologymdashEUROCRYPT 2010 vol 6110 pp 24ndash43 SpringerBerlin Germany 2010

[15] C Gentry and S Halevi ldquoImplementing Gentryrsquos fullymdashhomomorphic encryption schemerdquo inAdvances in cryptologymdashEUROCRYPT 2011 vol 6632 of Lecture Notes in ComputerScience pp 129ndash148 Springer Heidelberg Germany 2011

[16] N P Smart andFVercauteren ldquoFully homomorphic encryptionwith relatively small key and ciphertext sizesrdquo Lecture Notes in

4 Wireless Communications and Mobile Computing

[32] Below we will replace [14 17 31 32] with DGHVCMNT CNT and CCKL+ At the same time we will alsointroduce some ciphertext computing techniques related toour scheme including full AES-128 block evaluation [24] byusing a BGV style scheme integer arithmetic over ciphertextand homomorphic data aggregation [27] the blend arith-metic operations on tensor-based FHE over real numbers[28]

21 DGHV and Variants Scheme The DGHV scheme is de-scribed by van Dijk et al base on integer and to simplify[12] The advantages of DGHV include simple encryptionprocess and being easy to understand However it has aweakness that the noise in ciphertext increases rapidly withthe multiplicative level increases The scheme is based on aset of public integers 119909119894 = 119902119894119901 + 119903119894 0 le 119894 le 120591 where theinteger 119901 is secret We use the same notation as in DGHVThe DGHV use the following parameters (all polynomial inthe security parameter 120582)

(i) 120574 is the bit-length of the 119909119894rsquos(ii) 120578 is the bit-length of private key 119901(iii) 120588 is the bit-length of the noise 119903119894(iv) 120591 is the number of 119909119894rsquos in the public key(v) 1205881015840 is used for encryption

For a specific 120578-bit odd integer 119901 DGHV use the followingdistribution over 120574-bit integers

D120574120588(119901) = 119862ℎ119900119900119904119890 119902 larr997888 Z cap [0 2120574119901 ) 119903 larr997888 Z

cap (minus2120588 2120588) 119874119906119905119901119906119905 119909 = 119902 sdot 119901 + 119903(1)

119870119890119910119866119890119899(120582) Generate a random odd integer 119901 of size 120578 bitsas a 119904119896 For the public key sample 119909119894 larr997888 D120574120588(119901) for 0 le 119894 le 120591Relabel so that 1199090 is the largest Let 1199090 be odd and [1199090]119901 evenLet 119901119896 = ⟨1199090 1199091 119909120591⟩ and 119904119896 = 119901119864119899119888119903119910119901119905(119901119896119898 isin 0 1) Choose a random subset 119878 sube1 2 120591 and a random integer 119903 isin (minus2120588 2120588) and output119888 larr997888 [119898 + 2119903 + 2sum119894isin119878 119909119894]1199090 119863119890119888119903119910119901119905(119904119896 119888) Output 1198981015840 = ((119888) mod 119901) mod 2 = (c mod2)(lfloor119888119901rceil mod 2)119864119907119886119897119906119886119905119890(119901119896 119862 1198881 1198882 119888119905) Given the function 119865 with tinput and 119905 ciphertexts 119888119894 convert logic AND and logic XORof 119865 into addition and multiplication performing all theaddition and multiplication and return the resulting integer

The following parameter set is suggested inDGHV120588 = 1205821205881015840 = 2120582 120578 = O(1205822) 120574 = O(1205825) 120591 = 120574 + 120582 The public key sizeis then O(12058210)

The CMNT scheme is described by Coron et al to reducethe public key size of the DGHV scheme from O(12058210) downto O(1205827) CMNT scheme applies a new parameter 120573 bythe form 1199091015840119894119895 = 1199091198940 ∙ 1199091198951 mod 1199090 1 le 119894 119895 le 120573 to

generate the 120591 = 1205732 integers 1199091015840119894119895 used for encryption CMNTscheme enables reducing the public key size from 120591 down toroughly 2radic120591 integers of bits CMNT scheme uses an error-free 1199090 that is 1199090 = 1199020119901 since otherwise the error wouldgrow too large Additionally for encryption CMNT schemeconsider a linear combination of the 1199091015840119894119895 with a coefficientvector 119887 = (119887119894119895) instead of bits this enables reducingthe public key size further The vector 119887 with componentsin [0 2120572)

The CMNT scheme takes 120588 = 120582 120578 = O(1205822) and 120574 =O(1205825) as in the DGHV scheme However it takes 120572 = 120582 1205732 =O(1205822) and 1205881015840 = 4120582 The main difference is that instead ofhaving 120591 = O(1205825) integers 119909119894rsquos CMNT scheme has only 2120573 =O(1205822) integers 119909119894 Hence the public key size becomes O(1205827)instead of O(12058210)

Coron and Naccache et al describe the CNT schemeTheCMT describes a method that can compress the public keysize of the DGHV scheme and optimise the noise manage-ment technique by modifying the modulus switching tech-nology [20] The noise ceiling of CNT scheme increases onlylinearly with the multiplicative level instead of exponentiallySo a levelled DGHV variant was implemented This schemegives two optimisations for homomorphic encryption onDGHV as below

The first optimisation is public keys compression Firstgenerate the secret key 119901 of size 120578 bits and use a pseudo-random function 119891 with random seed 119904119890 to generate a set of120594119894 isin [0 2120574) 1 le 119894 le 120591 Finally compute 120575119894 that 119909119894 = 120594119894 minus 120575119894 issmall modulo 119901 and store 120575119894 in the public key instead of thefull 119909119894rsquos

The second optimisation is Modulus-Switching Tech-nique The CMNT show how to adapt Brakerski Gentry andVaikuntanathanrsquos (BGV) FHE framework [20] to the DGHVscheme over the integers Under the [20] framework thenoise ceiling increases only linearly withmultiplicative depthinstead of exponentially

The CNT scheme takes 120588 = 120582 120578 = O(1205822) 120574 = O(1205825)120572 = O(1205822) 120591 = O(1205823) and 1205881015840 = O(1205822) The new public key ofCNT scheme has size 120574+120591 ∙ (120578+120582) = O(1205825) instead of O(12058210)of DGHV

JH Cheon et al describe the CCKL+ scheme It extendsDGHV to support the same batching capability as in RLWE-based schemes [20 25] and to homomorphically evaluate afull AES circuit with roughly the same level of efficiency as[24] The CCKL+ scheme is a merger of two independentworks [33 34] built on the same basic idea but with differentcontributions Its security under the (stronger) Error-FreeApproximate-GCD assumption already DGHV CMNT andCNT

The CCKL+ scheme extends the DGHV scheme bypacking ℓ plaintexts 1198980 sdot sdot sdot 119898ℓminus1 into a single ciphertextusing theChinese RemainderTheorem (CRT) For somewhathomomorphic encryption this allows us to encrypt not onlybits but elements from rings of formZ119876 The CKLL+ schemetakes 120588 = 2120582 120578 = O(1205822) 120574 = O(1205825) 120572 = O(1205822) and120591 = O(1205823) as in CNT scheme with 1205881015840 = O(120582) 1205721015840 = O(1205822)and ℓ = O(1205822)

Wireless Communications and Mobile Computing 5

Table 1 The parameters of DGHV CMNT CNT and CCKL+ and public key storage size

FHE scheme 120582 1205881015840 120578 120574 pk length pk sizeDGHV 120582 2120582 O (1205822) O (1205825) O (12058210) 41 GBCMNT 120582 4120582 O (1205822) O (1205825) O (1205827) 800MBCNT 120582 O (1205822) O (1205822) O (1205825) O (1205825) 101MBCCKL+ 120582 3120582 O (1205822) O (1205825) O (1205828) 56GB

We can conclude (see Table 1) that the CNT schemeperforms best in public key storage and only 101 MB Wetest public key size of DGHV by using ldquolargerdquo parametersof CMNT and up to 41 GB The CNT scheme has betternoise management technique in which the noise ceilingincreases only linearlywith themultiplicative levelThereforethe CNT scheme supports more multiplication level thanother schemes The CCKL+ scheme implements batch FHEscheme to encrypt a plaintext vector to a ciphertext byusing the CRT However each one of the components in theplaintext vector is required to be independent If we encrypta plaintext vector the encryption result is a plaintext vectorusing DGHV CMNT and CNT scheme and the encryptionresult is a ciphertext by using CCKL+Therefore when we doarithmetic operations on the ciphertext of a plaintext vectorwe can perform carry operation by using DGHV CMNT andCNT scheme instead of using CCKL+

22 Homomorphic Evaluation The advantage of homomor-phic evaluation is implementing various operations in the realworld on ciphertext and is not only multiplication homomor-phic addition homomorphic and decryption homomorphic(ciphertext refresh) The FHE abstracts various operationsof the real world as a collection of circuits consisting oflogical XOR and logical ANDThe homomorphic evaluationis to implement different circuits in this collection of circuitsBelow we will introduce some relevant schemes for homo-morphic evaluation of arithmetic operations

Gentry Halevi and Smart propose the first evaluation ofa complex circuit ie a full AES-128 block evaluation [24]by using a BGV [20] style scheme The scheme makes useof batching [25 26] key switching and modulus switchingtechniques to obtain an efficient levelled implementationAfter that Gentry Smart and Halevi publish significantlyimproved runtime results Compared to the earlier imple-mentation [21] Gentry et al use the latest version of theHElib library [35] Two variations of the implementation arereported one with bootstrapping and one without bootstrap-ping

Chen Y et al [27] propose the integer arithmetic overciphertext and homomorphic data aggregation by using aBGV [20] style scheme The scheme uses the HElib library[35] to implement homomorphic evaluation for additionsubtraction multiplication and division of unsigned inte-grins However the scheme report time overhead of inte-ger arithmetic over ciphertext without bootstrapping andmodulus switching (somewhat homomorphic encryption)The length of integer ciphertext only sets 2 3 4 bitsand sets 128 security level to guarantee right result The

schemedoes not optimise the operations of integer arithmeticover ciphertext with bootstrapping and modulus switch-ing

Gai K et al [28] propose the blend arithmetic operationson tensor-based FHE over real numbers and propose a noveltensor-based FHE solution [29]The scheme uses tensor lawsto carry the computations of blend arithmetic operationsover real numbers However blend arithmetic operationsonly include addition and multiplication The scheme doesnot implement blend arithmetic operations with the divi-sion

3 Homomorphic Evaluation of the IntegerArithmetic Operations

Integer addition subtraction multiplication and division areoperated by complement addition and shift One bit full-adder uses XOR (⨁) gate to get sum and uses AND (and)gate to get carry Below we will explain our notation Theinteger arithmetic operations will take A = a119899minus1 sdot sdot sdota0B = b119899minus1 sdot sdot sdotb0 and Alowast = alowast119899minus1 sdot sdot sdotalowast0 Blowast = blowast119899minus1 sdot sdot sdotblowast0as inputs A and B are the complements Alowast and Blowast aretworsquos complement of A and B However in complementoperation A is original code Alowast is the complement of theA TheA = ⟨a119899minus1 a0⟩ represents ciphertext vector ofALet a119894 = 119864119899119888(a119894) 0 le 119894 le 119899 minus 1 The Alowast = ⟨alowast119899minus1 alowast0 ⟩represents ciphertext vector of Alowast alowast119894 = 119864119899119888(alowast119894 ) 0 le 119894 le119899 minus 1 The V represents the ciphertext vector of B b119894 =119864119899119888(b119894) 0 le 119894 le 119899 minus 1 The Blowast = ⟨blowast119899minus1 blowast0 ⟩ representsciphertext vector of Blowast blowast119894 = 119864119899119888(blowast119894 ) 0 le 119894 le 119899 minus 1 TheAVAlowast andBlowast are inputs of homomorphic evaluation ofthe integer arithmetic operations The 119899 is big enough Wedo not consider the overflow about integer arithmetic opera-tions

31 Homomorphic Evaluation of the Complement OperationsFixed-point number use the complement to finish arithmeticoperations The rules of converting original code into com-plement

(i) Positive number a positive complement and the sameoriginal code

(ii) Negative number negative complement is the symbolfor the numerical bit reverse and then at the bottom(LSB) plus 1

Given the original code A apply the XOR and AND to getcomplement Alowast The MSB a119899minus1 is the signed bit of A andthe size of the remaining bitsa119899minus2 sdot sdot sdota0 represent the value

6 Wireless Communications and Mobile Computing

Given an initialised carry cminus1 = 0 we output theAlowast The BPof complement

cminus1 = 0c119894 = a119894 or c119894minus1

alowast119894 = (a119894 oplus a119899c119894minus1)

0 le 119894 le 119899 minus 2(2)

We convertc119894 into aBP by usingXORgate andANDgateTheBPc119894 = a119894c119894minus1 oplusa119894 oplusc119894minus1 0 le 119894 le 119899 minus 2 Due to initialisedcarry cminus1 = 0 we can convert c119894 into a polynomial withoutcminus1

c119894 = 119894+1sum119896=1

sum|S|=119894+1

prod119895isin119878

a119895 mod 2 (3)

where S = a119894 sdot sdot sdota0 0 le 119894 le 119899 minus 3 |S| is the Hammingweight of the S We can convert above polynomials intoHP of complement by using addition and multiplication onciphertexts The HP of complement

c119894 = ( 119894+1sum119896=1

sum|S|=119894+1

prod119895isin119878

a119895) mod 1199090alowast119894 = (a119894 + a

lowast119899 ∙ c119894minus1) mod 1199090

0 le 119894 le 119899 minus 2(4)

where c119894 represents the ciphertext result of c119894 and 119863119890119888(c119894) =c119894 Let a

lowast119899minus1 = a119899minus1 The 1199090 is the largest odd public key in

FHE We can get ciphertext complement Alowast by using aboveHP

32 Homomorphic Evaluation of the Addition and SubtractionOperations Integer complement addition operation needs tocalculate results in order from low to high Every result bitrequires an addend bit an augend bit and a carry bit fromthe low Every carry bit requires an addend bit an augend bitand a carry bit from low aswell By iterating above operationswe can get the result of complement addition We set integercomplement A and B as inputs to calculate S = A + Bwhere S = s119899minus1 sdot sdot sdot s0 The 119899 is big enough We do notconsider the overflow of the S The BP of addition

cminus1 = 0s119894 = a119894 oplus b119894 oplus c119894minus1

c119894 = a119894b119894 oplus c119894minus1 (a119894 oplus b119894)0 le 119894 le 119899 minus 1

(5)

We can convert above BP into HP of addition by using addi-tion and multiplication on ciphertexts The HP of addition

cminus1 = 119864119899119888 (0)s119894 = (a119894 + b119894 + c119894minus1) mod 1199090c119894 = (a119894b119894 + c119894minus1a119894 + c119894minus1b119894) mod 1199090

0 le 119894 le 119899 minus 1(6)

where the s119894 is 119894-th ciphertext of result vector S =⟨s119899minus1 sdot sdot sdot s0⟩ and 119863119890119888(A) + 119863119890119888(B) = 119863119890119888(S)The addition operation can do integer subtraction oper-

ation If we calculate A minus B we can convert B to Blowast andcalculateA+Blowast by using integer addition operation In orderto get Blowast we need to use the complement operation to getB1015840 = b1015840119899minus1 sdot sdot sdotb10158400 and then let blowast119899minus1 = b1015840119899minus1 oplus 1 blowast119894 = b1015840119894 0 le119894 le 119899minus2TheHP of subtraction contains two parts includingHP of complement and HP of addition

33 Homomorphic Evaluation of the Multiplication Opera-tions Integer multiplication operation is based on Boothrsquosmultiplication algorithm [36] It is a multiplication algorithmthat multiplies two signed numbers in tworsquos complementnotation We set multiplicand A and multiplier B Boothrsquosalgorithm examines adjacent pairs of bits of the multiplierB in signed tworsquos complement representation including animplicit bit below the least significant bit bminus1 = 0 Also wedenote byP the product accumulator The steps of the basicalgorithm for multiplication operations

(1) We reinitialise the value ofAAlowast andP

(i) AA = A ≪ 119899 arithmetic left shift (119899 + 1) bitsA = a119899a119899minus1 sdot sdot sdota00 sdot sdot sdot 0

(ii) Alowast Alowast = Alowast ≪ 119899 arithmetic left shift (119899 + 1)bitsAlowast = alowast119899minus1 sdot sdot sdotalowast00 sdot sdot sdot 0

(iii) P fill the most significant 119899 bits with 0 To theright of this append the value ofB Fill the LSBwith a 0P = 0 sdot sdot sdot 0b119899minus1 sdot sdot sdotb00

(2) Determine the two least significant (rightmost) bits ofP

(i) If bminus1 = b0 do nothing Use P directly in thenext step Arithmetic right shift 1 bit

(ii) If b0bminus1 = 01 find the value of P = P + AIgnore any overflow Arithmetic right shift 1 bit

(iii) If b0bminus1 = 10 find the value of P = P + AlowastIgnore any overflow Arithmetic right shift 1 bit

Repeat above second steps until they have been done 119899 minus 1times Drop the LSB from P According to second stepsmentioned technique we can summarise a judgment choiceBoolean polynomial (JCBP)

JCBP119898119906119897119905 (b0bminus1AlowastA)= (b0 oplus bminus1) [b0Alowast + bminus1A] (7)

We useP119894 to represent 119894-th times iteration The BP of multi-plication operation

P119894 = P119894minus1 + JCBP119898119906119897119905 (b0bminus1AlowastA)P119894 = P119894minus1 ≫ 1

0 le 119894 lt 119899 minus 1(8)

Wireless Communications and Mobile Computing 7

where≫ represent the arithmetic right shift We can convertformula (7) into HP of addition by using addition and multi-plication on ciphertextsTheHP of JCBP119898119906119897119905(b0bminus1AlowastA)

JCHP11989811990611989711990511990901205881015840 (b0 bminus1AlowastA 119903 119904119908119894119905119888ℎ (oplus and))= [(b0+bminus1) (b0Alowast + bminus1A) + 2119903] mod 1199090 (9)

The A and Alowast represent ciphertext vector of reinitialisingA and Alowast The 119903 = ⟨1199030 119903119899minus1⟩ is a noise vector and119903119894 larr997888 Z cap (minus21205881015840 21205881015840) 0 le 119894 le 119899 minus 1 The HP of multiplica-tion

P119894

= P119894minus1

+ JCHP11989811990611989711990511990901205881015840 (b0 bminus1AlowastA 119903 119904119908119894119905119888ℎ (oplus and))P119894 = P119894minus1 sim≫ 1

0 le 119894 lt 119899 minus 1

(10)

where sim≫ represent the right shift of ciphertext vectorP119899minus1When the right shift of P119899minus1 by 1 ciphertext slot the mostsignificant component of P119899minus1 is filled with a copy of theoriginal most significant component The final value ofP119899minus1is the signed ciphertext product

34 Homomorphic Evaluation of the Division OperationDivision is the most complex of the basic arithmetic opera-tions For a simple computer that operate with an adder cir-cuit for its arithmetic operations a variant using traditionallong division called nonrestoring division provides a simplerand faster speed This method only needs one decision andadditionsubtraction per quotient bit and need not restoringstep after the subtraction We set dividend A and divisorB The Blowast is tworsquos complement of B The R is the partialremainder and the Q is quotient The basic algorithm forbinary (radix 2) nonrestoring division is as follows

(1) Reinitialize value ofBBlowastR and Q

(i) B B = B ≫ 119899 do arithmetic left shift 119899 bitsB = b119899minus1 sdot sdot sdotb00 sdot sdot sdot 0

(ii) Blowast Blowast = Blowast ≫ 119899 do arithmetic left shift 119899bitsBlowast = blowast119899minus1 sdot sdot sdotblowast00 sdot sdot sdot 0

(iii) RR = A ≫ 119899 do arithmetic right shift 119899 bitsR = r2119899minus1 sdot sdot sdotr0

(iv) Q Q = q119899minus1 sdot sdot sdotq0 fill it 119899 bits with 0

(2) Determine the one most significant (a signed bit) bitofR

(i) If r2119899minus1 = 0 fill the LSB of Q with 1 digit dological left shift 1 bit Find the value ofR = 2 lowastR +Blowast

(ii) If r2119899minus1 = 1 fill the LSB of Q with 0 digit dological left shift 1 bit Find the value ofR = 2 lowastR +B

(3) Repeat above second steps until they have been done119899 minus 1 times(4) Convert the quotient Q We suppose original Q =11101010

(i) Start Q = 11101010(ii) Mask the zero term (Signed binary notation

with onersquos complement) Q = 00010101(iii) Subtract Q = Q minus Q Q = 11010101

(5) The actual remainder is R = R ≫ 119899 Final resultof quotient is always odd and the remainder R isin the range minusB lt R lt B To convert to apositive remainder do a single restoring step afterQ isconverted from a nonstandard form to standard formIfR lt 0 find the value ofQ = Qminus1 andR = R+B

According to the second step mentioned technique we cansummarise a judgment choice Boolean polynomial (JCBP)

JCBP119889119894V (r2119899minus1BBlowast) = r2119899minus1B + (r2119899minus1 oplus 1)Blowast (11)

We useR119894 to represent 119894-th times iterationTheBPof divisionoperation

R119894 = 2R119894minus1 + JCBP119889119894V (r2119899minus1BBlowast)0 le 119894 lt 119899 minus 1

q119899minus1minus119894 = r1198942119899minus1 oplus 1 0 le 119894 lt 119899 minus 1Q = Q minus Q

R119899minus1 = R119899minus1 ≫ 119899

(12)

where r1198942119899minus1 represent the MSB ofR119894 Finally doing the fifthstep correctsQ andR119899minus1We can convert aboveBP intoHPofaddition by using addition and multiplication on ciphertextsThe HP of JCBP119889119894V(r2119899minus1BBlowast)

JCBP119889119894V1199090 1205881015840 (r2119899minus1BlowastV 119903 119904119908119894119905119888ℎ (oplus and))= [r2119899minus1V + (r2119899minus1 + 119864119899119888 (1))V + 2119903] mod 1199090 (13)

whereV andBlowast represent ciphertext vector of reinitialisingB andBlowast respectively The HP of division

R119894

= 2R119894minus1+ JCBP119889119894V1199090 1205881015840 (r2119899minus1BlowastV 119903 119904119908119894119905119888ℎ (oplusand))

0 le 119894 lt 119899 minus 1q119899minus1minus119894 = (r1198942119899minus1 + 119864119899119888 (1)) mod 1199090 0 le 119894 lt 119899 minus 1Q = Q minusQ

R119899minus1 = R119899minus1 sim≫ 119899

(14)

where R119894 = ⟨r1198942119899minus1 sdot sdot sdot r1198940⟩ represents ciphertext vector ofR119894 andQ=⟨q119899minus1 sdot sdot sdot q0⟩ represents ciphertext vector of QQ

8 Wireless Communications and Mobile Computing

represent q119894 = (q119894 + 119864119899119888(1)) mod 1199090 0 le 119894 lt 119899 Finally weneed to correctQ andR119899minus1 by the following operations

Q = [r119899minus1119899minus1 (Q minus 119864119899119888 (1))] mod 1199090R = [r119899minus1119899minus1 (R119899minus1 +V)] mod 1199090 (15)

The final value ofQ andR is the result of HP of division

4 Noise Analysis and Optimization

In Section 3 we describe the homomorphic evaluation ofthe integer arithmetic operations including complementaddition subtraction multiplication and division In thissection we will analyse the noise ceiling and optimisationfor our scheme Under the DGHV scheme the noise ceilingincreases exponentially with the multiplicative degree Whenciphertexts have noise at most 2120578minus2 lt 1199012 the ciphertextscannot be decrypted correctly Therefore we need bootstrap-ping to control noise of ciphertexts but using bootstrappingto refresh ciphertext will reduce the efficiency of DGHVWe will show the noise ceiling about the homomorphicevaluation of the integer arithmetic operations in this sectionMoreover we will describe an optimisation for the process ofinteger arithmetic operations to reduce time overhead in FHEwith bootstrapping

41 Noise Analysis of Our Scheme According to Section 3 weshow the noise ceiling and items of homomorphic evaluationof the 119899 bits signed integer arithmetic operations We denoteby HE-IAO the homomorphic evaluation of the integerarithmetic operations and use HE-com HE-add HE-subHE-mul HE-div to represent five operations of HE-IAOThedetails are shown in Table 2

Proof According to homomorphic evaluation of the comple-ment operations formula (3)

c119894 = 119894+1sum119896=1

sum|S|=119894+1

prod119895isin119878

a119895 mod 2 0 le 119894 le 119899 minus 2 (16)

sum|S|=119894prod119895isin119878a119895 has ( 119899minus2119894+1 ) terms and degree amounts to 119894 + 1According to binomial theorem the term of formula (3) canbe represented as (1+119909)119899minus2minus1 = sum119899minus2119894=0 ( 119899minus2119894 ) 119909119894minus1 when119909 = 1Therefore the polynomial c119894 of term is up to 2119899minus2 minus 1 anddegree amounts to 119899 minus 2 Because ofalowast119894 = (a119894 oplusa119899c119894minus1) 0 le119894 le 119899 minus 1 alowast119894 of term amounts to 2119899minus2 and degree amountsto 119899 minus 1

According to homomorphic evaluation of the additionoperations formula (5) the degree of carry formula c119894 =a119894b119894 oplus c119894minus1(a119894 oplus b119894) is higher 1 than c119894minus1 and the term of c119894is higher 2 lowast 119905119890119903119898(c119894minus1) + 1 than c119894minus1 where 119905119890119903119898(c119894minus1) rep-resents the term of c119894minus1 The degree of c0 = a0b0 amountsto 2 and the term of c0 = a0b0 amounts to 1 The degree ofc119899minus2 amounts to 119899 and terms of c119899minus2 amount to 2119899minus1 minus1TheMSB ofSs119899minus1 = a119899minus1 oplus b119899minus1 oplusc119899minus2 where the degree of s119899minus1amounts to 119899 and the term of s119899minus1 amounts to 2119899minus1 + 1 Ifwe do not consider complement operation subtraction and

Table 2 The degree ceiling and items of homomorphic evaluationof the 119899 bits signed integer arithmetic operations Above showing theHPof integer arithmetic operations 119899-th iterations ciphertext resultsrsquodegree and term

HE-IAO degree termHE-com 119899 minus 1 2119899minus2HE-add 119899 2119899minus1 + 1HE-sub 119899 2119899minus1 + 1HE-mul 120595 ∙ 22119899minus4 minusHE-div 120593 ∙ 22119899minus4 minusTable 3 The noise ceiling of homomorphic evaluation of the 119899 bitssigned integer arithmetic operations The base of the log is 2

HE-IAO noise ceilingHE-com 1205881015840 log(119899minus1) + log 2119899minus3HE-add 1205881015840 log(119899) + log (2119899minus1 + 1)HE-sub 1205881015840 log(119899) + log (2119899minus1 + 1)HE-mul 1205881015840 log120595∙22119899minus4 + minusHE-div 1205881015840 log120593∙22119899minus4 + minus

addition have the same process Therefore the degree andterm are the same as the addition Multiplication and divisionrequire iteration 119899 minus 1 times addition and shift The processesof multiplication and division are particularly complicatedwe canrsquot find the formula to express the degree According toour calculations the degree of multiplication and division isclose to the 2 to the power of 2119899 minus 4 Therefore the degree ofmultiplication is not more than 120595 ∙ 22119899minus4 and the degree ofdivision is not more than 120593∙22119899minus4The term of multiplicationand division is too high and the degree has made noise morethan the limitation of correct decryption

We can conclude (see Table 2) the degree of homomor-phic evaluation of addition and subtraction is O(119899) and thedepth of the homomorphic evaluation of multiplication anddivision is O(120595 ∙ 22119899minus4) We use items that represent the 1198971norm of HP (the coefficient vector of HP) The noise ceilingof homomorphic evaluation of the 119899 bits integer arithmeticoperations can be calculated by the following polynomi-al

119873119900119894119904119890 = 1205881015840log 119889 + log1003816100381610038161003816100381610038161003816997888rarr119891

1003816100381610038161003816100381610038161003816 (17)

where 119889 represents the degree of HP and log 119889 representsmultiplication level of HP |997888rarr119891| is the 1198971 norm of HP 1205881015840 isthe noise of length in every ciphertext The noise ceilingof homomorphic evaluation of the 119899 bits integer arithmeticoperations is shown in Table 3

We can conclude (see Table 3) the noise of homomorphicevaluation of the 119899 bits signed integer arithmetic operationsThe noise increases very rapidly In the homomorphic eval-uation of the complement addition and subtraction noiseincreases up to O(1205881015840119899) In the homomorphic evaluation of themultiplication and division noise ismore than O(1205881015840120595∙22119899minus4)

Wireless Communications and Mobile Computing 9

1 1 1 1 1 1

3 3 3 3 3 3

33L-233L-233L-2

3L+11 recrypt3L+1recrypt1

r shift

33L-233L-233L-21

1 1 1 1 1 11

recrypt recrypt recrypt recrypt recrypt recrypt

Figure 2 The optimised addition operations each colour block represents same position subvectors ofP119894andF the length of each colour

block is L ldquor shiftrdquo represents ciphertext vector right shift one position ldquorecryptrdquo represents ciphertext refresh This figure shows the degreechange of each component ofP

119894andF

42 Optimization of Our Scheme From the analysis of noiseceiling in Section 41 we need to control the noise increasesby using ciphertext refresh or modulus-switching techniquein each multiplication level of homomorphic evaluation ofthe 119899 bits signed integer arithmetic operations Howeverthe ciphertext refresh or modulus-switching technique willreduce our scheme efficiency Therefore we will describe anoptimisation for our scheme in this section The optimisationcan reduce the number of ciphertext refresh and improveefficiency

Because the integer arithmetic operation is completedbased on the addition operation we optimise the homo-morphic evaluation of the integer addition We divide theciphertext vector of integer encryption into subvectors oflength L The homomorphic evaluation of arithmetic oper-ations between the subvectors in the same position do notneed ciphertext refresh and the subvectors in different posi-tions need to refresh ciphertext-carry once Therefore theoptimised scheme need not ciphertext refresh in each multi-plication level and reduces the number of ciphertext refreshWe take addition operations of the product accumulator toexplain our optimisation In the homomorphic evaluationof the multiplication operations the product accumulatorP119894 is as formula (9) The formula (9) is a polynomial ofdegree three and P119894 is a ciphertext vector of degree oneWe denote by F vector of JCHP11989811990611989711990511990901205881015840 We divide theciphertext vector of P119894 and F into ciphertext subvectorsof length L The ciphertext operations of subvectors of thesame position are the same as homomorphic evaluation ofthe addition operations (without ciphertext refresh) Theciphertext operations of subvectors of different position needto refresh ciphertext-carry once (see Figure 2)

The subvectors of P119894 and F generate ciphertext-resultblock and ciphertext-carry In every ciphertext-result blockthe maximum degree is 3L minus 2 (leftmost) and the minimumdegree is 3 (rightmost) The ciphertext-carry degree is 3L +1 in each subvector of the different position Each cipher-text of ciphertext-result block and ciphertext-carry can use

ciphertext refresh (recrypt) to reduce degree up to one Thenumber of ciphertext refresh of once product accumulator(P119894 +F) for ciphertext-carry

(i) If 119899 is divisible by L it will generate 119899Lminus1 ciphertext-carry and the number of ciphertext refresh is 119888119899119905 =119899L minus 1 times

(ii) If 119899 is inalienable by L it will generate lfloor119899Lrfloorciphertext-carry and the number of ciphertext refreshis 119888119899119905 = lfloor119899Lrfloor times

Homomorphic evaluation of the multiplication operationsneeds 119899minus1 times product accumulator and whole operationsneed (119899minus1)∙119888119899119905 times ciphertext refresh for ciphertext-carryand (119899 minus 1) ∙ 119899 times ciphertext refresh for ciphertext-resultblock Total times of ciphertext refresh for homomorphicevaluation of the multiplication operations

119862119873119879 = (119899 minus 1) ∙ 119899 + (119899 minus 1) ∙ 119888119899119905 (18)

In the original homomorphic evaluation of the multi-plication operations every multiplication level needs onceciphertext refresh Whole operations need (119899 minus 1)(3119899 minus 3) +119899(119899 minus 1) + 2119899 minus 3 times ciphertext refresh We apply aboveoptimisation to the homomorphic evaluation of the com-plement addition subtraction multiplication and divisionoperations and set 119899 = 16 L = 1 2 3 4We show the numberof ciphertext refresh of the original scheme (L = 0) and anoptimised scheme (L = 1 2 3 4) as Table 4

In order to implement our optimisation we need to adjustthe parameters of homomorphic encryption and make FHEsupport the log(3L+1)multiplication level additional exceptfor the 15-multiplication level required by bootstrappingTherefore we reset the length of the private key 120578 ge 1205881015840 ∙Θ(120582log2120582) + 1205881015840 ∙ 2log(3L+1) + log(2Lminus1 + 1) We set securityparameter 120582 = 52 the length of noise 1205881015840 = 24 and 120579 = 15Θ = 500 Parameters are set as Table 5

10 Wireless Communications and Mobile Computing

Table 4 The number of ciphertext refresh of homomorphic evaluation of the integer arithmetic operations

HE-IAO L = 0 L = 1 L = 2 L = 3 L = 4HE-com 29 29 22 20 18HE-add 45 31 23 21 19HE-sub 74 60 45 41 37HE-mul 944 494 367 335 303HE-div 1095 585 437 397 359

Table 5 Concrete parameters based on the ldquosmallrdquo parameters of CMNT scheme and reset the length of public key 120578 and 120574 Fixed 120582 1205881015840 andthe number of public keys 120591 only changed 120578 and 120574 according to L

parameters 120582 1205881015840 120578 120574 120591L = 0 52 24 1632 20 ∙ 106 1000L = 1 52 24 1728 25 ∙ 106 1000L = 2 52 24 1801 30 ∙ 106 1000L = 3 52 24 1874 35 ∙ 106 1000L = 4 52 24 1993 42 ∙ 106 1000

5 Experimental Result

Our optimisations described in our scheme were incorpo-rated in our code which is built on top of GnuMP We testedour implementation on a desktop computer with Intel Corei5-3470 running at 32 GHz on which we run an Ubuntu1804 with 8 GB of RAM and with the gcc compiler version62 We regard this desktop computer as an edge data centreto test our scheme efficiency in edge computing We choosethe ciphertext vector of 16 and 8 bits signed integer as inputDue to our optimisations for the FHE with bootstrappingwe test our original scheme (L = 0) and optimised scheme(L = 1 2 3 4) in DGHV and CMNT scheme (see Figures3(a) 3(b) 3(c) 3(d) and 3(e)) In CNT scheme we onlyuse modulus-switching technique to control noise So wetest the original scheme in CNT scheme (see Figures 4(a)and 4(b)) In our figures ldquoHE-com (CMNT 16)rdquo representthe homomorphic evaluation of the complement operationsand calculate the ciphertext vector of 16 bits signed integerin the CMNT scheme ldquoHE-com (DGHV 8)rdquo represent thehomomorphic evaluation of the complement operations andcalculate the ciphertext vector of 8 bits signed integer inDGHV schemeThe explanation of other legends is the sameas above We show the following experimental results basedon the Section 42 parameter settings

We can conclude (see Figures 3(b) 3(c) 3(d) and 3(e))that L = 2 is best parameters setting for homomorphicevaluation of the addition subtraction multiplication anddivision However the time overhead of homomorphic eval-uation of the complement operations is monotone increasingat L (see Figure 3(a)) When L = 0 the time overhead is theabsolute minimum When L = 0 and L = 1 the number ofciphertext refresh is the sameAlso the degree of complementoperations is 2119899 minus 3 When 119899 = 16 the degree is 29 inL = 0 It is the same as L = 1 The reduced time overheadof the optimised complement operations cannot offset thecomputation cost caused by the increase in ciphertext lengthHowever the relative minimum value appears at L = 2

(see Figures 3(a) 3(b) 3(c) 3(d) and 3(e)) It shows thatour optimisation is useful and can reduce the time overheadfor our scheme except homomorphic evaluation of thecomplement operations Namely we divide the ciphertextvector of integer encryption into subvectors of length 2 andmake DGHV and CMNT scheme to support the log(3 ∙ 2 +1) asymp 3 multiplication level additional The optimisation ofour scheme can achieve the best results In the number ofciphertext refreshes the optimised scheme is reduced by 23compared to the original scheme over DGHV and CMNTand the homomorphic evaluation time overhead of integerarithmetic operation is reduced by 13

The DGHV and CMNT schemes are different with CNTscheme in noise management technology The DGHV andCMNT schemes use bootstrapping to control noise andthe CNT scheme uses the modulus switching technology tocontrol noise Our optimization is used for homomorphicevaluation of integer arithmetic operations which are imple-mented byDGHVandCMNTschemes (with bootstrapping)rather than by CNT scheme (modulus-switching)Thereforewe just compare the beat result (L = 2) of our scheme basedon DGHV and CMNT schemes with CNT scheme (L = 0)We can draw a conclusion (see Figures 4(a) and 4(b)) thatthe time overhead of our optimised scheme based on DGHVand CMNT schemes (bootstrapping) with L = 2 close to thetime overhead of basing on CNT (modulus-switching) withL = 0 It also shows that our optimisation is effective And ouroptimized scheme can be applied to mobile edge computingto solve privacy data computing problems in ciphertext

6 Conclusion

We implement the homomorphic evaluation scheme ofinteger arithmetic operations under DGHV and its variantsin edge computing We use the features of homomorphicencryption to prevent sensitive data from being stolen inedge computing At the same time we can also calculateciphertext data in edge computing and improve the QoS

Wireless Communications and Mobile Computing 11

HE-com(CMNT 16)HE-com(DGHV 16)

HE-com(CMNT 8)HE-com(DGHV 8)

200

300

400

500

600

700

800

Tim

e (s)

30 1 42L (subvector length)

(a)

HE-add(CMNT 16)HE-add(DGHV 16)

HE-add(CMNT 8)HE-add(DGHV 8)

30 1 2 4L (subvector length)

200

300

400

500

600

700

800

900

Tim

e (s)

(b)

400

600

800

1000

1200

1400

1600

1800

Tim

e (s)

30 1 2 4L (subvector length)

HE-sub(CMNT 16)HE-sub(DGHV 16)

HE-sub(CMNT 8)HE-sub(DGHV 8)

(c)

HE-mul(CMNT 16)HE-mul(DGHV 16)

HE-mul(CMNT 8)HE-mul(DGHV 8)

30 1 2 4L (subvector length)

2000

4000

6000

8000

10000

12000

14000

16000

Tim

e (s)

(d)

HE-div(CMNT 16)HE-div(DGHV 16)

HE-div(CMNT 8)HE-div(DGHV 8)

30 1 2 4L (subvector length)

02040608

112141618

2

Tim

e (s)

times104

(e)

Figure 3 Tested (a) HE-com (b) HE-add (c) HE-sub (d) HE-mul (e) HE-div CPU time

of edge computing Through scheme design noise analysisscheme optimisation and experimental comparison thedifferent performance of homomorphic evaluation of theinteger arithmetic operations is obtained under different FHEschemes Although we optimise our scheme in Section 42

the time overhead of our scheme is still high The primaryopen problem is to improve the efficiency of the FHE schemeThis requires us to work together to find a natural FHEscheme or to continue to optimise the FHE architecture toachieve more efficient noise management techniques

12 Wireless Communications and Mobile Computing

3500

3000

2500

2000

1500

1000

500

0

Tim

e (s)

DGHV(8)CMNT(8)CNT(8)

DGHV and CMNTL=2CNTL=0HE-divHE-mulHE-subHE-addHE-com

(a)

Tim

e (s)

DGHV(16)CMNT(16)CNT(16)

DGHV and CMNTL=2CNTL=0HE-divHE-mulHE-subHE-addHE-com

12000

10000

8000

6000

4000

2000

0

(b)

Figure 4 (a) Tested HE-IAO CPU time of ciphertext vector of length 8 (b) Tested HE-IAO CPU time of ciphertext vector of length 16

Data Availability

The data and code used to support the findings of thisstudy have been deposited in the GitHub repository (httpsgithubcomlimengfei1187Homomorphic-Encryptiongit)

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This work is partly supported by the National ScienceFoundation of China (61701322) the Key Projects of LiaoningNatural Science Foundation (20170540700) and the LiaoningProvincial Department of Education Science Foundation(L201630)

References

[1] L He O Kaoru and D Mianxiong ldquoECCN Orchestration ofEdge-Centric Computing and Content-Centric Networking inthe 5G Radio Access Networkrdquo IEEEWireless Commun vol 25no 3 pp 88ndash93 2018

[2] M Tao K Ota andMDong ldquoFoud Integrating Fog andCloudfor 5G-EnabledV2GNetworksrdquo IEEENetwork vol 31 no 2 pp8ndash13 2017

[3] J Xu K Ota and M Dong ldquoReal-Time Awareness Schedulingfor Multimedia Big Data Oriented In-Memory ComputingrdquoIEEE Internet of Things Journal 2018

[4] P G Lopez A Montresor D Epema et al ldquoEdge-centriccomputing vision and challengesrdquo Computer CommunicationReview vol 45 no 5 pp 37ndash42 2015

[5] Z ZhouM Dong K Ota JWu and T Sato ldquoEnergy efficiencyand spectral efficiency tradeoff in device-to-device (D2D)communicationsrdquo IEEE Wireless Communications Letters vol3 no 5 pp 485ndash488 2014

[6] A Y Al-Dubai L Zhao A Y Zomaya andGMin ldquoQoS-AwareInter-DomainMulticast for Scalable Wireless Community Net-worksrdquo IEEE Transactions on Parallel and Distributed Systemsvol 26 no 11 pp 3136ndash3148 2015

[7] L Zhao A Al-Dubai X Li andG Chen ldquoA new efficient cross-layer relay node selectionmodel forWireless CommunityMeshNetworksrdquo Computers Electrical Engineering vol 61 pp 361ndash372 2017

[8] G Han J Jiang C Zhang T Q Duong M Guizani and GK Karagiannidis ldquoA Survey on Mobile Anchor Node AssistedLocalization in Wireless Sensor Networksrdquo IEEE Communica-tions Surveys amp Tutorials vol 18 no 3 pp 2220ndash2243 2016

[9] L Zhao et al ldquoVehicular Communications Standardizationand Open Issuesrdquo IEEE Communications Standards Magazine2019

[10] H Li K Ota and M Dong ldquoLearning IoT in edge deeplearning for the internet of things with edge computingrdquo IEEENetwork vol 32 no 1 pp 96ndash101 2018

[11] X Tao KOtaMDongHQi andK Li ldquoPerformance guaran-teed computation offloading formobile-edge cloud computingrdquoIEEEWireless Communications Letters vol 6 no 6 pp 774ndash7772017

[12] CGentry ldquoFully homomorphic encryption using ideal latticesrdquoin Proceedings of the 41st annual ACM symposium on Theory ofComputing (STOC rsquo09) pp 169ndash178 ACM Bethesda Md USA2009

[13] S Halevi ldquoHomomorphic Encryptionrdquo in Tutorials on theFoundations of Cryptography Information Security and Cryp-tography pp 219ndash276 Springer International PublishingCham 2017

[14] M vanDijk C Gentry S Halevi and V Vaikuntanathan ldquoFullyhomomorphic encryption over the integersrdquo in Advances incryptologymdashEUROCRYPT 2010 vol 6110 pp 24ndash43 SpringerBerlin Germany 2010

[15] C Gentry and S Halevi ldquoImplementing Gentryrsquos fullymdashhomomorphic encryption schemerdquo inAdvances in cryptologymdashEUROCRYPT 2011 vol 6632 of Lecture Notes in ComputerScience pp 129ndash148 Springer Heidelberg Germany 2011

[16] N P Smart andFVercauteren ldquoFully homomorphic encryptionwith relatively small key and ciphertext sizesrdquo Lecture Notes in

Wireless Communications and Mobile Computing 5

Table 1 The parameters of DGHV CMNT CNT and CCKL+ and public key storage size

FHE scheme 120582 1205881015840 120578 120574 pk length pk sizeDGHV 120582 2120582 O (1205822) O (1205825) O (12058210) 41 GBCMNT 120582 4120582 O (1205822) O (1205825) O (1205827) 800MBCNT 120582 O (1205822) O (1205822) O (1205825) O (1205825) 101MBCCKL+ 120582 3120582 O (1205822) O (1205825) O (1205828) 56GB

We can conclude (see Table 1) that the CNT schemeperforms best in public key storage and only 101 MB Wetest public key size of DGHV by using ldquolargerdquo parametersof CMNT and up to 41 GB The CNT scheme has betternoise management technique in which the noise ceilingincreases only linearlywith themultiplicative levelThereforethe CNT scheme supports more multiplication level thanother schemes The CCKL+ scheme implements batch FHEscheme to encrypt a plaintext vector to a ciphertext byusing the CRT However each one of the components in theplaintext vector is required to be independent If we encrypta plaintext vector the encryption result is a plaintext vectorusing DGHV CMNT and CNT scheme and the encryptionresult is a ciphertext by using CCKL+Therefore when we doarithmetic operations on the ciphertext of a plaintext vectorwe can perform carry operation by using DGHV CMNT andCNT scheme instead of using CCKL+

22 Homomorphic Evaluation The advantage of homomor-phic evaluation is implementing various operations in the realworld on ciphertext and is not only multiplication homomor-phic addition homomorphic and decryption homomorphic(ciphertext refresh) The FHE abstracts various operationsof the real world as a collection of circuits consisting oflogical XOR and logical ANDThe homomorphic evaluationis to implement different circuits in this collection of circuitsBelow we will introduce some relevant schemes for homo-morphic evaluation of arithmetic operations

Gentry Halevi and Smart propose the first evaluation ofa complex circuit ie a full AES-128 block evaluation [24]by using a BGV [20] style scheme The scheme makes useof batching [25 26] key switching and modulus switchingtechniques to obtain an efficient levelled implementationAfter that Gentry Smart and Halevi publish significantlyimproved runtime results Compared to the earlier imple-mentation [21] Gentry et al use the latest version of theHElib library [35] Two variations of the implementation arereported one with bootstrapping and one without bootstrap-ping

Chen Y et al [27] propose the integer arithmetic overciphertext and homomorphic data aggregation by using aBGV [20] style scheme The scheme uses the HElib library[35] to implement homomorphic evaluation for additionsubtraction multiplication and division of unsigned inte-grins However the scheme report time overhead of inte-ger arithmetic over ciphertext without bootstrapping andmodulus switching (somewhat homomorphic encryption)The length of integer ciphertext only sets 2 3 4 bitsand sets 128 security level to guarantee right result The

schemedoes not optimise the operations of integer arithmeticover ciphertext with bootstrapping and modulus switch-ing

Gai K et al [28] propose the blend arithmetic operationson tensor-based FHE over real numbers and propose a noveltensor-based FHE solution [29]The scheme uses tensor lawsto carry the computations of blend arithmetic operationsover real numbers However blend arithmetic operationsonly include addition and multiplication The scheme doesnot implement blend arithmetic operations with the divi-sion

3 Homomorphic Evaluation of the IntegerArithmetic Operations

Integer addition subtraction multiplication and division areoperated by complement addition and shift One bit full-adder uses XOR (⨁) gate to get sum and uses AND (and)gate to get carry Below we will explain our notation Theinteger arithmetic operations will take A = a119899minus1 sdot sdot sdota0B = b119899minus1 sdot sdot sdotb0 and Alowast = alowast119899minus1 sdot sdot sdotalowast0 Blowast = blowast119899minus1 sdot sdot sdotblowast0as inputs A and B are the complements Alowast and Blowast aretworsquos complement of A and B However in complementoperation A is original code Alowast is the complement of theA TheA = ⟨a119899minus1 a0⟩ represents ciphertext vector ofALet a119894 = 119864119899119888(a119894) 0 le 119894 le 119899 minus 1 The Alowast = ⟨alowast119899minus1 alowast0 ⟩represents ciphertext vector of Alowast alowast119894 = 119864119899119888(alowast119894 ) 0 le 119894 le119899 minus 1 The V represents the ciphertext vector of B b119894 =119864119899119888(b119894) 0 le 119894 le 119899 minus 1 The Blowast = ⟨blowast119899minus1 blowast0 ⟩ representsciphertext vector of Blowast blowast119894 = 119864119899119888(blowast119894 ) 0 le 119894 le 119899 minus 1 TheAVAlowast andBlowast are inputs of homomorphic evaluation ofthe integer arithmetic operations The 119899 is big enough Wedo not consider the overflow about integer arithmetic opera-tions

31 Homomorphic Evaluation of the Complement OperationsFixed-point number use the complement to finish arithmeticoperations The rules of converting original code into com-plement

(i) Positive number a positive complement and the sameoriginal code

(ii) Negative number negative complement is the symbolfor the numerical bit reverse and then at the bottom(LSB) plus 1

Given the original code A apply the XOR and AND to getcomplement Alowast The MSB a119899minus1 is the signed bit of A andthe size of the remaining bitsa119899minus2 sdot sdot sdota0 represent the value

6 Wireless Communications and Mobile Computing

Given an initialised carry cminus1 = 0 we output theAlowast The BPof complement

cminus1 = 0c119894 = a119894 or c119894minus1

alowast119894 = (a119894 oplus a119899c119894minus1)

0 le 119894 le 119899 minus 2(2)

We convertc119894 into aBP by usingXORgate andANDgateTheBPc119894 = a119894c119894minus1 oplusa119894 oplusc119894minus1 0 le 119894 le 119899 minus 2 Due to initialisedcarry cminus1 = 0 we can convert c119894 into a polynomial withoutcminus1

c119894 = 119894+1sum119896=1

sum|S|=119894+1

prod119895isin119878

a119895 mod 2 (3)

where S = a119894 sdot sdot sdota0 0 le 119894 le 119899 minus 3 |S| is the Hammingweight of the S We can convert above polynomials intoHP of complement by using addition and multiplication onciphertexts The HP of complement

c119894 = ( 119894+1sum119896=1

sum|S|=119894+1

prod119895isin119878

a119895) mod 1199090alowast119894 = (a119894 + a

lowast119899 ∙ c119894minus1) mod 1199090

0 le 119894 le 119899 minus 2(4)

where c119894 represents the ciphertext result of c119894 and 119863119890119888(c119894) =c119894 Let a

lowast119899minus1 = a119899minus1 The 1199090 is the largest odd public key in

FHE We can get ciphertext complement Alowast by using aboveHP

32 Homomorphic Evaluation of the Addition and SubtractionOperations Integer complement addition operation needs tocalculate results in order from low to high Every result bitrequires an addend bit an augend bit and a carry bit fromthe low Every carry bit requires an addend bit an augend bitand a carry bit from low aswell By iterating above operationswe can get the result of complement addition We set integercomplement A and B as inputs to calculate S = A + Bwhere S = s119899minus1 sdot sdot sdot s0 The 119899 is big enough We do notconsider the overflow of the S The BP of addition

cminus1 = 0s119894 = a119894 oplus b119894 oplus c119894minus1

c119894 = a119894b119894 oplus c119894minus1 (a119894 oplus b119894)0 le 119894 le 119899 minus 1

(5)

We can convert above BP into HP of addition by using addi-tion and multiplication on ciphertexts The HP of addition

cminus1 = 119864119899119888 (0)s119894 = (a119894 + b119894 + c119894minus1) mod 1199090c119894 = (a119894b119894 + c119894minus1a119894 + c119894minus1b119894) mod 1199090

0 le 119894 le 119899 minus 1(6)

where the s119894 is 119894-th ciphertext of result vector S =⟨s119899minus1 sdot sdot sdot s0⟩ and 119863119890119888(A) + 119863119890119888(B) = 119863119890119888(S)The addition operation can do integer subtraction oper-

ation If we calculate A minus B we can convert B to Blowast andcalculateA+Blowast by using integer addition operation In orderto get Blowast we need to use the complement operation to getB1015840 = b1015840119899minus1 sdot sdot sdotb10158400 and then let blowast119899minus1 = b1015840119899minus1 oplus 1 blowast119894 = b1015840119894 0 le119894 le 119899minus2TheHP of subtraction contains two parts includingHP of complement and HP of addition

33 Homomorphic Evaluation of the Multiplication Opera-tions Integer multiplication operation is based on Boothrsquosmultiplication algorithm [36] It is a multiplication algorithmthat multiplies two signed numbers in tworsquos complementnotation We set multiplicand A and multiplier B Boothrsquosalgorithm examines adjacent pairs of bits of the multiplierB in signed tworsquos complement representation including animplicit bit below the least significant bit bminus1 = 0 Also wedenote byP the product accumulator The steps of the basicalgorithm for multiplication operations

(1) We reinitialise the value ofAAlowast andP

(i) AA = A ≪ 119899 arithmetic left shift (119899 + 1) bitsA = a119899a119899minus1 sdot sdot sdota00 sdot sdot sdot 0

(ii) Alowast Alowast = Alowast ≪ 119899 arithmetic left shift (119899 + 1)bitsAlowast = alowast119899minus1 sdot sdot sdotalowast00 sdot sdot sdot 0

(iii) P fill the most significant 119899 bits with 0 To theright of this append the value ofB Fill the LSBwith a 0P = 0 sdot sdot sdot 0b119899minus1 sdot sdot sdotb00

(2) Determine the two least significant (rightmost) bits ofP

(i) If bminus1 = b0 do nothing Use P directly in thenext step Arithmetic right shift 1 bit

(ii) If b0bminus1 = 01 find the value of P = P + AIgnore any overflow Arithmetic right shift 1 bit

(iii) If b0bminus1 = 10 find the value of P = P + AlowastIgnore any overflow Arithmetic right shift 1 bit

Repeat above second steps until they have been done 119899 minus 1times Drop the LSB from P According to second stepsmentioned technique we can summarise a judgment choiceBoolean polynomial (JCBP)

JCBP119898119906119897119905 (b0bminus1AlowastA)= (b0 oplus bminus1) [b0Alowast + bminus1A] (7)

We useP119894 to represent 119894-th times iteration The BP of multi-plication operation

P119894 = P119894minus1 + JCBP119898119906119897119905 (b0bminus1AlowastA)P119894 = P119894minus1 ≫ 1

0 le 119894 lt 119899 minus 1(8)

Wireless Communications and Mobile Computing 7

where≫ represent the arithmetic right shift We can convertformula (7) into HP of addition by using addition and multi-plication on ciphertextsTheHP of JCBP119898119906119897119905(b0bminus1AlowastA)

JCHP11989811990611989711990511990901205881015840 (b0 bminus1AlowastA 119903 119904119908119894119905119888ℎ (oplus and))= [(b0+bminus1) (b0Alowast + bminus1A) + 2119903] mod 1199090 (9)

The A and Alowast represent ciphertext vector of reinitialisingA and Alowast The 119903 = ⟨1199030 119903119899minus1⟩ is a noise vector and119903119894 larr997888 Z cap (minus21205881015840 21205881015840) 0 le 119894 le 119899 minus 1 The HP of multiplica-tion

P119894

= P119894minus1

+ JCHP11989811990611989711990511990901205881015840 (b0 bminus1AlowastA 119903 119904119908119894119905119888ℎ (oplus and))P119894 = P119894minus1 sim≫ 1

0 le 119894 lt 119899 minus 1

(10)

where sim≫ represent the right shift of ciphertext vectorP119899minus1When the right shift of P119899minus1 by 1 ciphertext slot the mostsignificant component of P119899minus1 is filled with a copy of theoriginal most significant component The final value ofP119899minus1is the signed ciphertext product

34 Homomorphic Evaluation of the Division OperationDivision is the most complex of the basic arithmetic opera-tions For a simple computer that operate with an adder cir-cuit for its arithmetic operations a variant using traditionallong division called nonrestoring division provides a simplerand faster speed This method only needs one decision andadditionsubtraction per quotient bit and need not restoringstep after the subtraction We set dividend A and divisorB The Blowast is tworsquos complement of B The R is the partialremainder and the Q is quotient The basic algorithm forbinary (radix 2) nonrestoring division is as follows

(1) Reinitialize value ofBBlowastR and Q

(i) B B = B ≫ 119899 do arithmetic left shift 119899 bitsB = b119899minus1 sdot sdot sdotb00 sdot sdot sdot 0

(ii) Blowast Blowast = Blowast ≫ 119899 do arithmetic left shift 119899bitsBlowast = blowast119899minus1 sdot sdot sdotblowast00 sdot sdot sdot 0

(iii) RR = A ≫ 119899 do arithmetic right shift 119899 bitsR = r2119899minus1 sdot sdot sdotr0

(iv) Q Q = q119899minus1 sdot sdot sdotq0 fill it 119899 bits with 0

(2) Determine the one most significant (a signed bit) bitofR

(i) If r2119899minus1 = 0 fill the LSB of Q with 1 digit dological left shift 1 bit Find the value ofR = 2 lowastR +Blowast

(ii) If r2119899minus1 = 1 fill the LSB of Q with 0 digit dological left shift 1 bit Find the value ofR = 2 lowastR +B

(3) Repeat above second steps until they have been done119899 minus 1 times(4) Convert the quotient Q We suppose original Q =11101010

(i) Start Q = 11101010(ii) Mask the zero term (Signed binary notation

with onersquos complement) Q = 00010101(iii) Subtract Q = Q minus Q Q = 11010101

(5) The actual remainder is R = R ≫ 119899 Final resultof quotient is always odd and the remainder R isin the range minusB lt R lt B To convert to apositive remainder do a single restoring step afterQ isconverted from a nonstandard form to standard formIfR lt 0 find the value ofQ = Qminus1 andR = R+B

According to the second step mentioned technique we cansummarise a judgment choice Boolean polynomial (JCBP)

JCBP119889119894V (r2119899minus1BBlowast) = r2119899minus1B + (r2119899minus1 oplus 1)Blowast (11)

We useR119894 to represent 119894-th times iterationTheBPof divisionoperation

R119894 = 2R119894minus1 + JCBP119889119894V (r2119899minus1BBlowast)0 le 119894 lt 119899 minus 1

q119899minus1minus119894 = r1198942119899minus1 oplus 1 0 le 119894 lt 119899 minus 1Q = Q minus Q

R119899minus1 = R119899minus1 ≫ 119899

(12)

where r1198942119899minus1 represent the MSB ofR119894 Finally doing the fifthstep correctsQ andR119899minus1We can convert aboveBP intoHPofaddition by using addition and multiplication on ciphertextsThe HP of JCBP119889119894V(r2119899minus1BBlowast)

JCBP119889119894V1199090 1205881015840 (r2119899minus1BlowastV 119903 119904119908119894119905119888ℎ (oplus and))= [r2119899minus1V + (r2119899minus1 + 119864119899119888 (1))V + 2119903] mod 1199090 (13)

whereV andBlowast represent ciphertext vector of reinitialisingB andBlowast respectively The HP of division

R119894

= 2R119894minus1+ JCBP119889119894V1199090 1205881015840 (r2119899minus1BlowastV 119903 119904119908119894119905119888ℎ (oplusand))

0 le 119894 lt 119899 minus 1q119899minus1minus119894 = (r1198942119899minus1 + 119864119899119888 (1)) mod 1199090 0 le 119894 lt 119899 minus 1Q = Q minusQ

R119899minus1 = R119899minus1 sim≫ 119899

(14)

where R119894 = ⟨r1198942119899minus1 sdot sdot sdot r1198940⟩ represents ciphertext vector ofR119894 andQ=⟨q119899minus1 sdot sdot sdot q0⟩ represents ciphertext vector of QQ

8 Wireless Communications and Mobile Computing

represent q119894 = (q119894 + 119864119899119888(1)) mod 1199090 0 le 119894 lt 119899 Finally weneed to correctQ andR119899minus1 by the following operations

Q = [r119899minus1119899minus1 (Q minus 119864119899119888 (1))] mod 1199090R = [r119899minus1119899minus1 (R119899minus1 +V)] mod 1199090 (15)

The final value ofQ andR is the result of HP of division

4 Noise Analysis and Optimization

In Section 3 we describe the homomorphic evaluation ofthe integer arithmetic operations including complementaddition subtraction multiplication and division In thissection we will analyse the noise ceiling and optimisationfor our scheme Under the DGHV scheme the noise ceilingincreases exponentially with the multiplicative degree Whenciphertexts have noise at most 2120578minus2 lt 1199012 the ciphertextscannot be decrypted correctly Therefore we need bootstrap-ping to control noise of ciphertexts but using bootstrappingto refresh ciphertext will reduce the efficiency of DGHVWe will show the noise ceiling about the homomorphicevaluation of the integer arithmetic operations in this sectionMoreover we will describe an optimisation for the process ofinteger arithmetic operations to reduce time overhead in FHEwith bootstrapping

41 Noise Analysis of Our Scheme According to Section 3 weshow the noise ceiling and items of homomorphic evaluationof the 119899 bits signed integer arithmetic operations We denoteby HE-IAO the homomorphic evaluation of the integerarithmetic operations and use HE-com HE-add HE-subHE-mul HE-div to represent five operations of HE-IAOThedetails are shown in Table 2

Proof According to homomorphic evaluation of the comple-ment operations formula (3)

c119894 = 119894+1sum119896=1

sum|S|=119894+1

prod119895isin119878

a119895 mod 2 0 le 119894 le 119899 minus 2 (16)

sum|S|=119894prod119895isin119878a119895 has ( 119899minus2119894+1 ) terms and degree amounts to 119894 + 1According to binomial theorem the term of formula (3) canbe represented as (1+119909)119899minus2minus1 = sum119899minus2119894=0 ( 119899minus2119894 ) 119909119894minus1 when119909 = 1Therefore the polynomial c119894 of term is up to 2119899minus2 minus 1 anddegree amounts to 119899 minus 2 Because ofalowast119894 = (a119894 oplusa119899c119894minus1) 0 le119894 le 119899 minus 1 alowast119894 of term amounts to 2119899minus2 and degree amountsto 119899 minus 1

According to homomorphic evaluation of the additionoperations formula (5) the degree of carry formula c119894 =a119894b119894 oplus c119894minus1(a119894 oplus b119894) is higher 1 than c119894minus1 and the term of c119894is higher 2 lowast 119905119890119903119898(c119894minus1) + 1 than c119894minus1 where 119905119890119903119898(c119894minus1) rep-resents the term of c119894minus1 The degree of c0 = a0b0 amountsto 2 and the term of c0 = a0b0 amounts to 1 The degree ofc119899minus2 amounts to 119899 and terms of c119899minus2 amount to 2119899minus1 minus1TheMSB ofSs119899minus1 = a119899minus1 oplus b119899minus1 oplusc119899minus2 where the degree of s119899minus1amounts to 119899 and the term of s119899minus1 amounts to 2119899minus1 + 1 Ifwe do not consider complement operation subtraction and

Table 2 The degree ceiling and items of homomorphic evaluationof the 119899 bits signed integer arithmetic operations Above showing theHPof integer arithmetic operations 119899-th iterations ciphertext resultsrsquodegree and term

HE-IAO degree termHE-com 119899 minus 1 2119899minus2HE-add 119899 2119899minus1 + 1HE-sub 119899 2119899minus1 + 1HE-mul 120595 ∙ 22119899minus4 minusHE-div 120593 ∙ 22119899minus4 minusTable 3 The noise ceiling of homomorphic evaluation of the 119899 bitssigned integer arithmetic operations The base of the log is 2

HE-IAO noise ceilingHE-com 1205881015840 log(119899minus1) + log 2119899minus3HE-add 1205881015840 log(119899) + log (2119899minus1 + 1)HE-sub 1205881015840 log(119899) + log (2119899minus1 + 1)HE-mul 1205881015840 log120595∙22119899minus4 + minusHE-div 1205881015840 log120593∙22119899minus4 + minus

addition have the same process Therefore the degree andterm are the same as the addition Multiplication and divisionrequire iteration 119899 minus 1 times addition and shift The processesof multiplication and division are particularly complicatedwe canrsquot find the formula to express the degree According toour calculations the degree of multiplication and division isclose to the 2 to the power of 2119899 minus 4 Therefore the degree ofmultiplication is not more than 120595 ∙ 22119899minus4 and the degree ofdivision is not more than 120593∙22119899minus4The term of multiplicationand division is too high and the degree has made noise morethan the limitation of correct decryption

We can conclude (see Table 2) the degree of homomor-phic evaluation of addition and subtraction is O(119899) and thedepth of the homomorphic evaluation of multiplication anddivision is O(120595 ∙ 22119899minus4) We use items that represent the 1198971norm of HP (the coefficient vector of HP) The noise ceilingof homomorphic evaluation of the 119899 bits integer arithmeticoperations can be calculated by the following polynomi-al

119873119900119894119904119890 = 1205881015840log 119889 + log1003816100381610038161003816100381610038161003816997888rarr119891

1003816100381610038161003816100381610038161003816 (17)

where 119889 represents the degree of HP and log 119889 representsmultiplication level of HP |997888rarr119891| is the 1198971 norm of HP 1205881015840 isthe noise of length in every ciphertext The noise ceilingof homomorphic evaluation of the 119899 bits integer arithmeticoperations is shown in Table 3

We can conclude (see Table 3) the noise of homomorphicevaluation of the 119899 bits signed integer arithmetic operationsThe noise increases very rapidly In the homomorphic eval-uation of the complement addition and subtraction noiseincreases up to O(1205881015840119899) In the homomorphic evaluation of themultiplication and division noise ismore than O(1205881015840120595∙22119899minus4)

Wireless Communications and Mobile Computing 9

1 1 1 1 1 1

3 3 3 3 3 3

33L-233L-233L-2

3L+11 recrypt3L+1recrypt1

r shift

33L-233L-233L-21

1 1 1 1 1 11

recrypt recrypt recrypt recrypt recrypt recrypt

Figure 2 The optimised addition operations each colour block represents same position subvectors ofP119894andF the length of each colour

block is L ldquor shiftrdquo represents ciphertext vector right shift one position ldquorecryptrdquo represents ciphertext refresh This figure shows the degreechange of each component ofP

119894andF

42 Optimization of Our Scheme From the analysis of noiseceiling in Section 41 we need to control the noise increasesby using ciphertext refresh or modulus-switching techniquein each multiplication level of homomorphic evaluation ofthe 119899 bits signed integer arithmetic operations Howeverthe ciphertext refresh or modulus-switching technique willreduce our scheme efficiency Therefore we will describe anoptimisation for our scheme in this section The optimisationcan reduce the number of ciphertext refresh and improveefficiency

Because the integer arithmetic operation is completedbased on the addition operation we optimise the homo-morphic evaluation of the integer addition We divide theciphertext vector of integer encryption into subvectors oflength L The homomorphic evaluation of arithmetic oper-ations between the subvectors in the same position do notneed ciphertext refresh and the subvectors in different posi-tions need to refresh ciphertext-carry once Therefore theoptimised scheme need not ciphertext refresh in each multi-plication level and reduces the number of ciphertext refreshWe take addition operations of the product accumulator toexplain our optimisation In the homomorphic evaluationof the multiplication operations the product accumulatorP119894 is as formula (9) The formula (9) is a polynomial ofdegree three and P119894 is a ciphertext vector of degree oneWe denote by F vector of JCHP11989811990611989711990511990901205881015840 We divide theciphertext vector of P119894 and F into ciphertext subvectorsof length L The ciphertext operations of subvectors of thesame position are the same as homomorphic evaluation ofthe addition operations (without ciphertext refresh) Theciphertext operations of subvectors of different position needto refresh ciphertext-carry once (see Figure 2)

The subvectors of P119894 and F generate ciphertext-resultblock and ciphertext-carry In every ciphertext-result blockthe maximum degree is 3L minus 2 (leftmost) and the minimumdegree is 3 (rightmost) The ciphertext-carry degree is 3L +1 in each subvector of the different position Each cipher-text of ciphertext-result block and ciphertext-carry can use

ciphertext refresh (recrypt) to reduce degree up to one Thenumber of ciphertext refresh of once product accumulator(P119894 +F) for ciphertext-carry

(i) If 119899 is divisible by L it will generate 119899Lminus1 ciphertext-carry and the number of ciphertext refresh is 119888119899119905 =119899L minus 1 times

(ii) If 119899 is inalienable by L it will generate lfloor119899Lrfloorciphertext-carry and the number of ciphertext refreshis 119888119899119905 = lfloor119899Lrfloor times

Homomorphic evaluation of the multiplication operationsneeds 119899minus1 times product accumulator and whole operationsneed (119899minus1)∙119888119899119905 times ciphertext refresh for ciphertext-carryand (119899 minus 1) ∙ 119899 times ciphertext refresh for ciphertext-resultblock Total times of ciphertext refresh for homomorphicevaluation of the multiplication operations

119862119873119879 = (119899 minus 1) ∙ 119899 + (119899 minus 1) ∙ 119888119899119905 (18)

In the original homomorphic evaluation of the multi-plication operations every multiplication level needs onceciphertext refresh Whole operations need (119899 minus 1)(3119899 minus 3) +119899(119899 minus 1) + 2119899 minus 3 times ciphertext refresh We apply aboveoptimisation to the homomorphic evaluation of the com-plement addition subtraction multiplication and divisionoperations and set 119899 = 16 L = 1 2 3 4We show the numberof ciphertext refresh of the original scheme (L = 0) and anoptimised scheme (L = 1 2 3 4) as Table 4

In order to implement our optimisation we need to adjustthe parameters of homomorphic encryption and make FHEsupport the log(3L+1)multiplication level additional exceptfor the 15-multiplication level required by bootstrappingTherefore we reset the length of the private key 120578 ge 1205881015840 ∙Θ(120582log2120582) + 1205881015840 ∙ 2log(3L+1) + log(2Lminus1 + 1) We set securityparameter 120582 = 52 the length of noise 1205881015840 = 24 and 120579 = 15Θ = 500 Parameters are set as Table 5

10 Wireless Communications and Mobile Computing

Table 4 The number of ciphertext refresh of homomorphic evaluation of the integer arithmetic operations

HE-IAO L = 0 L = 1 L = 2 L = 3 L = 4HE-com 29 29 22 20 18HE-add 45 31 23 21 19HE-sub 74 60 45 41 37HE-mul 944 494 367 335 303HE-div 1095 585 437 397 359

Table 5 Concrete parameters based on the ldquosmallrdquo parameters of CMNT scheme and reset the length of public key 120578 and 120574 Fixed 120582 1205881015840 andthe number of public keys 120591 only changed 120578 and 120574 according to L

parameters 120582 1205881015840 120578 120574 120591L = 0 52 24 1632 20 ∙ 106 1000L = 1 52 24 1728 25 ∙ 106 1000L = 2 52 24 1801 30 ∙ 106 1000L = 3 52 24 1874 35 ∙ 106 1000L = 4 52 24 1993 42 ∙ 106 1000

5 Experimental Result

Our optimisations described in our scheme were incorpo-rated in our code which is built on top of GnuMP We testedour implementation on a desktop computer with Intel Corei5-3470 running at 32 GHz on which we run an Ubuntu1804 with 8 GB of RAM and with the gcc compiler version62 We regard this desktop computer as an edge data centreto test our scheme efficiency in edge computing We choosethe ciphertext vector of 16 and 8 bits signed integer as inputDue to our optimisations for the FHE with bootstrappingwe test our original scheme (L = 0) and optimised scheme(L = 1 2 3 4) in DGHV and CMNT scheme (see Figures3(a) 3(b) 3(c) 3(d) and 3(e)) In CNT scheme we onlyuse modulus-switching technique to control noise So wetest the original scheme in CNT scheme (see Figures 4(a)and 4(b)) In our figures ldquoHE-com (CMNT 16)rdquo representthe homomorphic evaluation of the complement operationsand calculate the ciphertext vector of 16 bits signed integerin the CMNT scheme ldquoHE-com (DGHV 8)rdquo represent thehomomorphic evaluation of the complement operations andcalculate the ciphertext vector of 8 bits signed integer inDGHV schemeThe explanation of other legends is the sameas above We show the following experimental results basedon the Section 42 parameter settings

We can conclude (see Figures 3(b) 3(c) 3(d) and 3(e))that L = 2 is best parameters setting for homomorphicevaluation of the addition subtraction multiplication anddivision However the time overhead of homomorphic eval-uation of the complement operations is monotone increasingat L (see Figure 3(a)) When L = 0 the time overhead is theabsolute minimum When L = 0 and L = 1 the number ofciphertext refresh is the sameAlso the degree of complementoperations is 2119899 minus 3 When 119899 = 16 the degree is 29 inL = 0 It is the same as L = 1 The reduced time overheadof the optimised complement operations cannot offset thecomputation cost caused by the increase in ciphertext lengthHowever the relative minimum value appears at L = 2

(see Figures 3(a) 3(b) 3(c) 3(d) and 3(e)) It shows thatour optimisation is useful and can reduce the time overheadfor our scheme except homomorphic evaluation of thecomplement operations Namely we divide the ciphertextvector of integer encryption into subvectors of length 2 andmake DGHV and CMNT scheme to support the log(3 ∙ 2 +1) asymp 3 multiplication level additional The optimisation ofour scheme can achieve the best results In the number ofciphertext refreshes the optimised scheme is reduced by 23compared to the original scheme over DGHV and CMNTand the homomorphic evaluation time overhead of integerarithmetic operation is reduced by 13

The DGHV and CMNT schemes are different with CNTscheme in noise management technology The DGHV andCMNT schemes use bootstrapping to control noise andthe CNT scheme uses the modulus switching technology tocontrol noise Our optimization is used for homomorphicevaluation of integer arithmetic operations which are imple-mented byDGHVandCMNTschemes (with bootstrapping)rather than by CNT scheme (modulus-switching)Thereforewe just compare the beat result (L = 2) of our scheme basedon DGHV and CMNT schemes with CNT scheme (L = 0)We can draw a conclusion (see Figures 4(a) and 4(b)) thatthe time overhead of our optimised scheme based on DGHVand CMNT schemes (bootstrapping) with L = 2 close to thetime overhead of basing on CNT (modulus-switching) withL = 0 It also shows that our optimisation is effective And ouroptimized scheme can be applied to mobile edge computingto solve privacy data computing problems in ciphertext

6 Conclusion

We implement the homomorphic evaluation scheme ofinteger arithmetic operations under DGHV and its variantsin edge computing We use the features of homomorphicencryption to prevent sensitive data from being stolen inedge computing At the same time we can also calculateciphertext data in edge computing and improve the QoS

Wireless Communications and Mobile Computing 11

HE-com(CMNT 16)HE-com(DGHV 16)

HE-com(CMNT 8)HE-com(DGHV 8)

200

300

400

500

600

700

800

Tim

e (s)

30 1 42L (subvector length)

(a)

HE-add(CMNT 16)HE-add(DGHV 16)

HE-add(CMNT 8)HE-add(DGHV 8)

30 1 2 4L (subvector length)

200

300

400

500

600

700

800

900

Tim

e (s)

(b)

400

600

800

1000

1200

1400

1600

1800

Tim

e (s)

30 1 2 4L (subvector length)

HE-sub(CMNT 16)HE-sub(DGHV 16)

HE-sub(CMNT 8)HE-sub(DGHV 8)

(c)

HE-mul(CMNT 16)HE-mul(DGHV 16)

HE-mul(CMNT 8)HE-mul(DGHV 8)

30 1 2 4L (subvector length)

2000

4000

6000

8000

10000

12000

14000

16000

Tim

e (s)

(d)

HE-div(CMNT 16)HE-div(DGHV 16)

HE-div(CMNT 8)HE-div(DGHV 8)

30 1 2 4L (subvector length)

02040608

112141618

2

Tim

e (s)

times104

(e)

Figure 3 Tested (a) HE-com (b) HE-add (c) HE-sub (d) HE-mul (e) HE-div CPU time

of edge computing Through scheme design noise analysisscheme optimisation and experimental comparison thedifferent performance of homomorphic evaluation of theinteger arithmetic operations is obtained under different FHEschemes Although we optimise our scheme in Section 42

the time overhead of our scheme is still high The primaryopen problem is to improve the efficiency of the FHE schemeThis requires us to work together to find a natural FHEscheme or to continue to optimise the FHE architecture toachieve more efficient noise management techniques

12 Wireless Communications and Mobile Computing

3500

3000

2500

2000

1500

1000

500

0

Tim

e (s)

DGHV(8)CMNT(8)CNT(8)

DGHV and CMNTL=2CNTL=0HE-divHE-mulHE-subHE-addHE-com

(a)

Tim

e (s)

DGHV(16)CMNT(16)CNT(16)

DGHV and CMNTL=2CNTL=0HE-divHE-mulHE-subHE-addHE-com

12000

10000

8000

6000

4000

2000

0

(b)

Figure 4 (a) Tested HE-IAO CPU time of ciphertext vector of length 8 (b) Tested HE-IAO CPU time of ciphertext vector of length 16

Data Availability

The data and code used to support the findings of thisstudy have been deposited in the GitHub repository (httpsgithubcomlimengfei1187Homomorphic-Encryptiongit)

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This work is partly supported by the National ScienceFoundation of China (61701322) the Key Projects of LiaoningNatural Science Foundation (20170540700) and the LiaoningProvincial Department of Education Science Foundation(L201630)

References

[1] L He O Kaoru and D Mianxiong ldquoECCN Orchestration ofEdge-Centric Computing and Content-Centric Networking inthe 5G Radio Access Networkrdquo IEEEWireless Commun vol 25no 3 pp 88ndash93 2018

[2] M Tao K Ota andMDong ldquoFoud Integrating Fog andCloudfor 5G-EnabledV2GNetworksrdquo IEEENetwork vol 31 no 2 pp8ndash13 2017

[3] J Xu K Ota and M Dong ldquoReal-Time Awareness Schedulingfor Multimedia Big Data Oriented In-Memory ComputingrdquoIEEE Internet of Things Journal 2018

[4] P G Lopez A Montresor D Epema et al ldquoEdge-centriccomputing vision and challengesrdquo Computer CommunicationReview vol 45 no 5 pp 37ndash42 2015

[5] Z ZhouM Dong K Ota JWu and T Sato ldquoEnergy efficiencyand spectral efficiency tradeoff in device-to-device (D2D)communicationsrdquo IEEE Wireless Communications Letters vol3 no 5 pp 485ndash488 2014

[6] A Y Al-Dubai L Zhao A Y Zomaya andGMin ldquoQoS-AwareInter-DomainMulticast for Scalable Wireless Community Net-worksrdquo IEEE Transactions on Parallel and Distributed Systemsvol 26 no 11 pp 3136ndash3148 2015

[7] L Zhao A Al-Dubai X Li andG Chen ldquoA new efficient cross-layer relay node selectionmodel forWireless CommunityMeshNetworksrdquo Computers Electrical Engineering vol 61 pp 361ndash372 2017

[8] G Han J Jiang C Zhang T Q Duong M Guizani and GK Karagiannidis ldquoA Survey on Mobile Anchor Node AssistedLocalization in Wireless Sensor Networksrdquo IEEE Communica-tions Surveys amp Tutorials vol 18 no 3 pp 2220ndash2243 2016

[9] L Zhao et al ldquoVehicular Communications Standardizationand Open Issuesrdquo IEEE Communications Standards Magazine2019

[10] H Li K Ota and M Dong ldquoLearning IoT in edge deeplearning for the internet of things with edge computingrdquo IEEENetwork vol 32 no 1 pp 96ndash101 2018

[11] X Tao KOtaMDongHQi andK Li ldquoPerformance guaran-teed computation offloading formobile-edge cloud computingrdquoIEEEWireless Communications Letters vol 6 no 6 pp 774ndash7772017

[12] CGentry ldquoFully homomorphic encryption using ideal latticesrdquoin Proceedings of the 41st annual ACM symposium on Theory ofComputing (STOC rsquo09) pp 169ndash178 ACM Bethesda Md USA2009

[13] S Halevi ldquoHomomorphic Encryptionrdquo in Tutorials on theFoundations of Cryptography Information Security and Cryp-tography pp 219ndash276 Springer International PublishingCham 2017

[14] M vanDijk C Gentry S Halevi and V Vaikuntanathan ldquoFullyhomomorphic encryption over the integersrdquo in Advances incryptologymdashEUROCRYPT 2010 vol 6110 pp 24ndash43 SpringerBerlin Germany 2010

[15] C Gentry and S Halevi ldquoImplementing Gentryrsquos fullymdashhomomorphic encryption schemerdquo inAdvances in cryptologymdashEUROCRYPT 2011 vol 6632 of Lecture Notes in ComputerScience pp 129ndash148 Springer Heidelberg Germany 2011

[16] N P Smart andFVercauteren ldquoFully homomorphic encryptionwith relatively small key and ciphertext sizesrdquo Lecture Notes in

6 Wireless Communications and Mobile Computing

Given an initialised carry cminus1 = 0 we output theAlowast The BPof complement

cminus1 = 0c119894 = a119894 or c119894minus1

alowast119894 = (a119894 oplus a119899c119894minus1)

0 le 119894 le 119899 minus 2(2)

We convertc119894 into aBP by usingXORgate andANDgateTheBPc119894 = a119894c119894minus1 oplusa119894 oplusc119894minus1 0 le 119894 le 119899 minus 2 Due to initialisedcarry cminus1 = 0 we can convert c119894 into a polynomial withoutcminus1

c119894 = 119894+1sum119896=1

sum|S|=119894+1

prod119895isin119878

a119895 mod 2 (3)

where S = a119894 sdot sdot sdota0 0 le 119894 le 119899 minus 3 |S| is the Hammingweight of the S We can convert above polynomials intoHP of complement by using addition and multiplication onciphertexts The HP of complement

c119894 = ( 119894+1sum119896=1

sum|S|=119894+1

prod119895isin119878

a119895) mod 1199090alowast119894 = (a119894 + a

lowast119899 ∙ c119894minus1) mod 1199090

0 le 119894 le 119899 minus 2(4)

where c119894 represents the ciphertext result of c119894 and 119863119890119888(c119894) =c119894 Let a

lowast119899minus1 = a119899minus1 The 1199090 is the largest odd public key in

FHE We can get ciphertext complement Alowast by using aboveHP

32 Homomorphic Evaluation of the Addition and SubtractionOperations Integer complement addition operation needs tocalculate results in order from low to high Every result bitrequires an addend bit an augend bit and a carry bit fromthe low Every carry bit requires an addend bit an augend bitand a carry bit from low aswell By iterating above operationswe can get the result of complement addition We set integercomplement A and B as inputs to calculate S = A + Bwhere S = s119899minus1 sdot sdot sdot s0 The 119899 is big enough We do notconsider the overflow of the S The BP of addition

cminus1 = 0s119894 = a119894 oplus b119894 oplus c119894minus1

c119894 = a119894b119894 oplus c119894minus1 (a119894 oplus b119894)0 le 119894 le 119899 minus 1

(5)

We can convert above BP into HP of addition by using addi-tion and multiplication on ciphertexts The HP of addition

cminus1 = 119864119899119888 (0)s119894 = (a119894 + b119894 + c119894minus1) mod 1199090c119894 = (a119894b119894 + c119894minus1a119894 + c119894minus1b119894) mod 1199090

0 le 119894 le 119899 minus 1(6)

where the s119894 is 119894-th ciphertext of result vector S =⟨s119899minus1 sdot sdot sdot s0⟩ and 119863119890119888(A) + 119863119890119888(B) = 119863119890119888(S)The addition operation can do integer subtraction oper-

ation If we calculate A minus B we can convert B to Blowast andcalculateA+Blowast by using integer addition operation In orderto get Blowast we need to use the complement operation to getB1015840 = b1015840119899minus1 sdot sdot sdotb10158400 and then let blowast119899minus1 = b1015840119899minus1 oplus 1 blowast119894 = b1015840119894 0 le119894 le 119899minus2TheHP of subtraction contains two parts includingHP of complement and HP of addition

33 Homomorphic Evaluation of the Multiplication Opera-tions Integer multiplication operation is based on Boothrsquosmultiplication algorithm [36] It is a multiplication algorithmthat multiplies two signed numbers in tworsquos complementnotation We set multiplicand A and multiplier B Boothrsquosalgorithm examines adjacent pairs of bits of the multiplierB in signed tworsquos complement representation including animplicit bit below the least significant bit bminus1 = 0 Also wedenote byP the product accumulator The steps of the basicalgorithm for multiplication operations

(1) We reinitialise the value ofAAlowast andP

(i) AA = A ≪ 119899 arithmetic left shift (119899 + 1) bitsA = a119899a119899minus1 sdot sdot sdota00 sdot sdot sdot 0

(ii) Alowast Alowast = Alowast ≪ 119899 arithmetic left shift (119899 + 1)bitsAlowast = alowast119899minus1 sdot sdot sdotalowast00 sdot sdot sdot 0

(iii) P fill the most significant 119899 bits with 0 To theright of this append the value ofB Fill the LSBwith a 0P = 0 sdot sdot sdot 0b119899minus1 sdot sdot sdotb00

(2) Determine the two least significant (rightmost) bits ofP

(i) If bminus1 = b0 do nothing Use P directly in thenext step Arithmetic right shift 1 bit

(ii) If b0bminus1 = 01 find the value of P = P + AIgnore any overflow Arithmetic right shift 1 bit

(iii) If b0bminus1 = 10 find the value of P = P + AlowastIgnore any overflow Arithmetic right shift 1 bit

Repeat above second steps until they have been done 119899 minus 1times Drop the LSB from P According to second stepsmentioned technique we can summarise a judgment choiceBoolean polynomial (JCBP)

JCBP119898119906119897119905 (b0bminus1AlowastA)= (b0 oplus bminus1) [b0Alowast + bminus1A] (7)

We useP119894 to represent 119894-th times iteration The BP of multi-plication operation

P119894 = P119894minus1 + JCBP119898119906119897119905 (b0bminus1AlowastA)P119894 = P119894minus1 ≫ 1

0 le 119894 lt 119899 minus 1(8)

Wireless Communications and Mobile Computing 7

where≫ represent the arithmetic right shift We can convertformula (7) into HP of addition by using addition and multi-plication on ciphertextsTheHP of JCBP119898119906119897119905(b0bminus1AlowastA)

JCHP11989811990611989711990511990901205881015840 (b0 bminus1AlowastA 119903 119904119908119894119905119888ℎ (oplus and))= [(b0+bminus1) (b0Alowast + bminus1A) + 2119903] mod 1199090 (9)

The A and Alowast represent ciphertext vector of reinitialisingA and Alowast The 119903 = ⟨1199030 119903119899minus1⟩ is a noise vector and119903119894 larr997888 Z cap (minus21205881015840 21205881015840) 0 le 119894 le 119899 minus 1 The HP of multiplica-tion

P119894

= P119894minus1

+ JCHP11989811990611989711990511990901205881015840 (b0 bminus1AlowastA 119903 119904119908119894119905119888ℎ (oplus and))P119894 = P119894minus1 sim≫ 1

0 le 119894 lt 119899 minus 1

(10)

where sim≫ represent the right shift of ciphertext vectorP119899minus1When the right shift of P119899minus1 by 1 ciphertext slot the mostsignificant component of P119899minus1 is filled with a copy of theoriginal most significant component The final value ofP119899minus1is the signed ciphertext product

34 Homomorphic Evaluation of the Division OperationDivision is the most complex of the basic arithmetic opera-tions For a simple computer that operate with an adder cir-cuit for its arithmetic operations a variant using traditionallong division called nonrestoring division provides a simplerand faster speed This method only needs one decision andadditionsubtraction per quotient bit and need not restoringstep after the subtraction We set dividend A and divisorB The Blowast is tworsquos complement of B The R is the partialremainder and the Q is quotient The basic algorithm forbinary (radix 2) nonrestoring division is as follows

(1) Reinitialize value ofBBlowastR and Q

(i) B B = B ≫ 119899 do arithmetic left shift 119899 bitsB = b119899minus1 sdot sdot sdotb00 sdot sdot sdot 0

(ii) Blowast Blowast = Blowast ≫ 119899 do arithmetic left shift 119899bitsBlowast = blowast119899minus1 sdot sdot sdotblowast00 sdot sdot sdot 0

(iii) RR = A ≫ 119899 do arithmetic right shift 119899 bitsR = r2119899minus1 sdot sdot sdotr0

(iv) Q Q = q119899minus1 sdot sdot sdotq0 fill it 119899 bits with 0

(2) Determine the one most significant (a signed bit) bitofR

(i) If r2119899minus1 = 0 fill the LSB of Q with 1 digit dological left shift 1 bit Find the value ofR = 2 lowastR +Blowast

(ii) If r2119899minus1 = 1 fill the LSB of Q with 0 digit dological left shift 1 bit Find the value ofR = 2 lowastR +B

(3) Repeat above second steps until they have been done119899 minus 1 times(4) Convert the quotient Q We suppose original Q =11101010

(i) Start Q = 11101010(ii) Mask the zero term (Signed binary notation

with onersquos complement) Q = 00010101(iii) Subtract Q = Q minus Q Q = 11010101

(5) The actual remainder is R = R ≫ 119899 Final resultof quotient is always odd and the remainder R isin the range minusB lt R lt B To convert to apositive remainder do a single restoring step afterQ isconverted from a nonstandard form to standard formIfR lt 0 find the value ofQ = Qminus1 andR = R+B

According to the second step mentioned technique we cansummarise a judgment choice Boolean polynomial (JCBP)

JCBP119889119894V (r2119899minus1BBlowast) = r2119899minus1B + (r2119899minus1 oplus 1)Blowast (11)

We useR119894 to represent 119894-th times iterationTheBPof divisionoperation

R119894 = 2R119894minus1 + JCBP119889119894V (r2119899minus1BBlowast)0 le 119894 lt 119899 minus 1

q119899minus1minus119894 = r1198942119899minus1 oplus 1 0 le 119894 lt 119899 minus 1Q = Q minus Q

R119899minus1 = R119899minus1 ≫ 119899

(12)

where r1198942119899minus1 represent the MSB ofR119894 Finally doing the fifthstep correctsQ andR119899minus1We can convert aboveBP intoHPofaddition by using addition and multiplication on ciphertextsThe HP of JCBP119889119894V(r2119899minus1BBlowast)

JCBP119889119894V1199090 1205881015840 (r2119899minus1BlowastV 119903 119904119908119894119905119888ℎ (oplus and))= [r2119899minus1V + (r2119899minus1 + 119864119899119888 (1))V + 2119903] mod 1199090 (13)

whereV andBlowast represent ciphertext vector of reinitialisingB andBlowast respectively The HP of division

R119894

= 2R119894minus1+ JCBP119889119894V1199090 1205881015840 (r2119899minus1BlowastV 119903 119904119908119894119905119888ℎ (oplusand))

0 le 119894 lt 119899 minus 1q119899minus1minus119894 = (r1198942119899minus1 + 119864119899119888 (1)) mod 1199090 0 le 119894 lt 119899 minus 1Q = Q minusQ

R119899minus1 = R119899minus1 sim≫ 119899

(14)

where R119894 = ⟨r1198942119899minus1 sdot sdot sdot r1198940⟩ represents ciphertext vector ofR119894 andQ=⟨q119899minus1 sdot sdot sdot q0⟩ represents ciphertext vector of QQ

8 Wireless Communications and Mobile Computing

represent q119894 = (q119894 + 119864119899119888(1)) mod 1199090 0 le 119894 lt 119899 Finally weneed to correctQ andR119899minus1 by the following operations

Q = [r119899minus1119899minus1 (Q minus 119864119899119888 (1))] mod 1199090R = [r119899minus1119899minus1 (R119899minus1 +V)] mod 1199090 (15)

The final value ofQ andR is the result of HP of division

4 Noise Analysis and Optimization

In Section 3 we describe the homomorphic evaluation ofthe integer arithmetic operations including complementaddition subtraction multiplication and division In thissection we will analyse the noise ceiling and optimisationfor our scheme Under the DGHV scheme the noise ceilingincreases exponentially with the multiplicative degree Whenciphertexts have noise at most 2120578minus2 lt 1199012 the ciphertextscannot be decrypted correctly Therefore we need bootstrap-ping to control noise of ciphertexts but using bootstrappingto refresh ciphertext will reduce the efficiency of DGHVWe will show the noise ceiling about the homomorphicevaluation of the integer arithmetic operations in this sectionMoreover we will describe an optimisation for the process ofinteger arithmetic operations to reduce time overhead in FHEwith bootstrapping

41 Noise Analysis of Our Scheme According to Section 3 weshow the noise ceiling and items of homomorphic evaluationof the 119899 bits signed integer arithmetic operations We denoteby HE-IAO the homomorphic evaluation of the integerarithmetic operations and use HE-com HE-add HE-subHE-mul HE-div to represent five operations of HE-IAOThedetails are shown in Table 2

Proof According to homomorphic evaluation of the comple-ment operations formula (3)

c119894 = 119894+1sum119896=1

sum|S|=119894+1

prod119895isin119878

a119895 mod 2 0 le 119894 le 119899 minus 2 (16)

sum|S|=119894prod119895isin119878a119895 has ( 119899minus2119894+1 ) terms and degree amounts to 119894 + 1According to binomial theorem the term of formula (3) canbe represented as (1+119909)119899minus2minus1 = sum119899minus2119894=0 ( 119899minus2119894 ) 119909119894minus1 when119909 = 1Therefore the polynomial c119894 of term is up to 2119899minus2 minus 1 anddegree amounts to 119899 minus 2 Because ofalowast119894 = (a119894 oplusa119899c119894minus1) 0 le119894 le 119899 minus 1 alowast119894 of term amounts to 2119899minus2 and degree amountsto 119899 minus 1

According to homomorphic evaluation of the additionoperations formula (5) the degree of carry formula c119894 =a119894b119894 oplus c119894minus1(a119894 oplus b119894) is higher 1 than c119894minus1 and the term of c119894is higher 2 lowast 119905119890119903119898(c119894minus1) + 1 than c119894minus1 where 119905119890119903119898(c119894minus1) rep-resents the term of c119894minus1 The degree of c0 = a0b0 amountsto 2 and the term of c0 = a0b0 amounts to 1 The degree ofc119899minus2 amounts to 119899 and terms of c119899minus2 amount to 2119899minus1 minus1TheMSB ofSs119899minus1 = a119899minus1 oplus b119899minus1 oplusc119899minus2 where the degree of s119899minus1amounts to 119899 and the term of s119899minus1 amounts to 2119899minus1 + 1 Ifwe do not consider complement operation subtraction and

Table 2 The degree ceiling and items of homomorphic evaluationof the 119899 bits signed integer arithmetic operations Above showing theHPof integer arithmetic operations 119899-th iterations ciphertext resultsrsquodegree and term

HE-IAO degree termHE-com 119899 minus 1 2119899minus2HE-add 119899 2119899minus1 + 1HE-sub 119899 2119899minus1 + 1HE-mul 120595 ∙ 22119899minus4 minusHE-div 120593 ∙ 22119899minus4 minusTable 3 The noise ceiling of homomorphic evaluation of the 119899 bitssigned integer arithmetic operations The base of the log is 2

HE-IAO noise ceilingHE-com 1205881015840 log(119899minus1) + log 2119899minus3HE-add 1205881015840 log(119899) + log (2119899minus1 + 1)HE-sub 1205881015840 log(119899) + log (2119899minus1 + 1)HE-mul 1205881015840 log120595∙22119899minus4 + minusHE-div 1205881015840 log120593∙22119899minus4 + minus

addition have the same process Therefore the degree andterm are the same as the addition Multiplication and divisionrequire iteration 119899 minus 1 times addition and shift The processesof multiplication and division are particularly complicatedwe canrsquot find the formula to express the degree According toour calculations the degree of multiplication and division isclose to the 2 to the power of 2119899 minus 4 Therefore the degree ofmultiplication is not more than 120595 ∙ 22119899minus4 and the degree ofdivision is not more than 120593∙22119899minus4The term of multiplicationand division is too high and the degree has made noise morethan the limitation of correct decryption

We can conclude (see Table 2) the degree of homomor-phic evaluation of addition and subtraction is O(119899) and thedepth of the homomorphic evaluation of multiplication anddivision is O(120595 ∙ 22119899minus4) We use items that represent the 1198971norm of HP (the coefficient vector of HP) The noise ceilingof homomorphic evaluation of the 119899 bits integer arithmeticoperations can be calculated by the following polynomi-al

119873119900119894119904119890 = 1205881015840log 119889 + log1003816100381610038161003816100381610038161003816997888rarr119891

1003816100381610038161003816100381610038161003816 (17)

where 119889 represents the degree of HP and log 119889 representsmultiplication level of HP |997888rarr119891| is the 1198971 norm of HP 1205881015840 isthe noise of length in every ciphertext The noise ceilingof homomorphic evaluation of the 119899 bits integer arithmeticoperations is shown in Table 3

We can conclude (see Table 3) the noise of homomorphicevaluation of the 119899 bits signed integer arithmetic operationsThe noise increases very rapidly In the homomorphic eval-uation of the complement addition and subtraction noiseincreases up to O(1205881015840119899) In the homomorphic evaluation of themultiplication and division noise ismore than O(1205881015840120595∙22119899minus4)

Wireless Communications and Mobile Computing 9

1 1 1 1 1 1

3 3 3 3 3 3

33L-233L-233L-2

3L+11 recrypt3L+1recrypt1

r shift

33L-233L-233L-21

1 1 1 1 1 11

recrypt recrypt recrypt recrypt recrypt recrypt

Figure 2 The optimised addition operations each colour block represents same position subvectors ofP119894andF the length of each colour

block is L ldquor shiftrdquo represents ciphertext vector right shift one position ldquorecryptrdquo represents ciphertext refresh This figure shows the degreechange of each component ofP

119894andF

42 Optimization of Our Scheme From the analysis of noiseceiling in Section 41 we need to control the noise increasesby using ciphertext refresh or modulus-switching techniquein each multiplication level of homomorphic evaluation ofthe 119899 bits signed integer arithmetic operations Howeverthe ciphertext refresh or modulus-switching technique willreduce our scheme efficiency Therefore we will describe anoptimisation for our scheme in this section The optimisationcan reduce the number of ciphertext refresh and improveefficiency

Because the integer arithmetic operation is completedbased on the addition operation we optimise the homo-morphic evaluation of the integer addition We divide theciphertext vector of integer encryption into subvectors oflength L The homomorphic evaluation of arithmetic oper-ations between the subvectors in the same position do notneed ciphertext refresh and the subvectors in different posi-tions need to refresh ciphertext-carry once Therefore theoptimised scheme need not ciphertext refresh in each multi-plication level and reduces the number of ciphertext refreshWe take addition operations of the product accumulator toexplain our optimisation In the homomorphic evaluationof the multiplication operations the product accumulatorP119894 is as formula (9) The formula (9) is a polynomial ofdegree three and P119894 is a ciphertext vector of degree oneWe denote by F vector of JCHP11989811990611989711990511990901205881015840 We divide theciphertext vector of P119894 and F into ciphertext subvectorsof length L The ciphertext operations of subvectors of thesame position are the same as homomorphic evaluation ofthe addition operations (without ciphertext refresh) Theciphertext operations of subvectors of different position needto refresh ciphertext-carry once (see Figure 2)

The subvectors of P119894 and F generate ciphertext-resultblock and ciphertext-carry In every ciphertext-result blockthe maximum degree is 3L minus 2 (leftmost) and the minimumdegree is 3 (rightmost) The ciphertext-carry degree is 3L +1 in each subvector of the different position Each cipher-text of ciphertext-result block and ciphertext-carry can use

ciphertext refresh (recrypt) to reduce degree up to one Thenumber of ciphertext refresh of once product accumulator(P119894 +F) for ciphertext-carry

(i) If 119899 is divisible by L it will generate 119899Lminus1 ciphertext-carry and the number of ciphertext refresh is 119888119899119905 =119899L minus 1 times

(ii) If 119899 is inalienable by L it will generate lfloor119899Lrfloorciphertext-carry and the number of ciphertext refreshis 119888119899119905 = lfloor119899Lrfloor times

Homomorphic evaluation of the multiplication operationsneeds 119899minus1 times product accumulator and whole operationsneed (119899minus1)∙119888119899119905 times ciphertext refresh for ciphertext-carryand (119899 minus 1) ∙ 119899 times ciphertext refresh for ciphertext-resultblock Total times of ciphertext refresh for homomorphicevaluation of the multiplication operations

119862119873119879 = (119899 minus 1) ∙ 119899 + (119899 minus 1) ∙ 119888119899119905 (18)

In the original homomorphic evaluation of the multi-plication operations every multiplication level needs onceciphertext refresh Whole operations need (119899 minus 1)(3119899 minus 3) +119899(119899 minus 1) + 2119899 minus 3 times ciphertext refresh We apply aboveoptimisation to the homomorphic evaluation of the com-plement addition subtraction multiplication and divisionoperations and set 119899 = 16 L = 1 2 3 4We show the numberof ciphertext refresh of the original scheme (L = 0) and anoptimised scheme (L = 1 2 3 4) as Table 4

In order to implement our optimisation we need to adjustthe parameters of homomorphic encryption and make FHEsupport the log(3L+1)multiplication level additional exceptfor the 15-multiplication level required by bootstrappingTherefore we reset the length of the private key 120578 ge 1205881015840 ∙Θ(120582log2120582) + 1205881015840 ∙ 2log(3L+1) + log(2Lminus1 + 1) We set securityparameter 120582 = 52 the length of noise 1205881015840 = 24 and 120579 = 15Θ = 500 Parameters are set as Table 5

10 Wireless Communications and Mobile Computing

Table 4 The number of ciphertext refresh of homomorphic evaluation of the integer arithmetic operations

HE-IAO L = 0 L = 1 L = 2 L = 3 L = 4HE-com 29 29 22 20 18HE-add 45 31 23 21 19HE-sub 74 60 45 41 37HE-mul 944 494 367 335 303HE-div 1095 585 437 397 359

Table 5 Concrete parameters based on the ldquosmallrdquo parameters of CMNT scheme and reset the length of public key 120578 and 120574 Fixed 120582 1205881015840 andthe number of public keys 120591 only changed 120578 and 120574 according to L

parameters 120582 1205881015840 120578 120574 120591L = 0 52 24 1632 20 ∙ 106 1000L = 1 52 24 1728 25 ∙ 106 1000L = 2 52 24 1801 30 ∙ 106 1000L = 3 52 24 1874 35 ∙ 106 1000L = 4 52 24 1993 42 ∙ 106 1000

5 Experimental Result

Our optimisations described in our scheme were incorpo-rated in our code which is built on top of GnuMP We testedour implementation on a desktop computer with Intel Corei5-3470 running at 32 GHz on which we run an Ubuntu1804 with 8 GB of RAM and with the gcc compiler version62 We regard this desktop computer as an edge data centreto test our scheme efficiency in edge computing We choosethe ciphertext vector of 16 and 8 bits signed integer as inputDue to our optimisations for the FHE with bootstrappingwe test our original scheme (L = 0) and optimised scheme(L = 1 2 3 4) in DGHV and CMNT scheme (see Figures3(a) 3(b) 3(c) 3(d) and 3(e)) In CNT scheme we onlyuse modulus-switching technique to control noise So wetest the original scheme in CNT scheme (see Figures 4(a)and 4(b)) In our figures ldquoHE-com (CMNT 16)rdquo representthe homomorphic evaluation of the complement operationsand calculate the ciphertext vector of 16 bits signed integerin the CMNT scheme ldquoHE-com (DGHV 8)rdquo represent thehomomorphic evaluation of the complement operations andcalculate the ciphertext vector of 8 bits signed integer inDGHV schemeThe explanation of other legends is the sameas above We show the following experimental results basedon the Section 42 parameter settings

We can conclude (see Figures 3(b) 3(c) 3(d) and 3(e))that L = 2 is best parameters setting for homomorphicevaluation of the addition subtraction multiplication anddivision However the time overhead of homomorphic eval-uation of the complement operations is monotone increasingat L (see Figure 3(a)) When L = 0 the time overhead is theabsolute minimum When L = 0 and L = 1 the number ofciphertext refresh is the sameAlso the degree of complementoperations is 2119899 minus 3 When 119899 = 16 the degree is 29 inL = 0 It is the same as L = 1 The reduced time overheadof the optimised complement operations cannot offset thecomputation cost caused by the increase in ciphertext lengthHowever the relative minimum value appears at L = 2

(see Figures 3(a) 3(b) 3(c) 3(d) and 3(e)) It shows thatour optimisation is useful and can reduce the time overheadfor our scheme except homomorphic evaluation of thecomplement operations Namely we divide the ciphertextvector of integer encryption into subvectors of length 2 andmake DGHV and CMNT scheme to support the log(3 ∙ 2 +1) asymp 3 multiplication level additional The optimisation ofour scheme can achieve the best results In the number ofciphertext refreshes the optimised scheme is reduced by 23compared to the original scheme over DGHV and CMNTand the homomorphic evaluation time overhead of integerarithmetic operation is reduced by 13

The DGHV and CMNT schemes are different with CNTscheme in noise management technology The DGHV andCMNT schemes use bootstrapping to control noise andthe CNT scheme uses the modulus switching technology tocontrol noise Our optimization is used for homomorphicevaluation of integer arithmetic operations which are imple-mented byDGHVandCMNTschemes (with bootstrapping)rather than by CNT scheme (modulus-switching)Thereforewe just compare the beat result (L = 2) of our scheme basedon DGHV and CMNT schemes with CNT scheme (L = 0)We can draw a conclusion (see Figures 4(a) and 4(b)) thatthe time overhead of our optimised scheme based on DGHVand CMNT schemes (bootstrapping) with L = 2 close to thetime overhead of basing on CNT (modulus-switching) withL = 0 It also shows that our optimisation is effective And ouroptimized scheme can be applied to mobile edge computingto solve privacy data computing problems in ciphertext

6 Conclusion

We implement the homomorphic evaluation scheme ofinteger arithmetic operations under DGHV and its variantsin edge computing We use the features of homomorphicencryption to prevent sensitive data from being stolen inedge computing At the same time we can also calculateciphertext data in edge computing and improve the QoS

Wireless Communications and Mobile Computing 11

HE-com(CMNT 16)HE-com(DGHV 16)

HE-com(CMNT 8)HE-com(DGHV 8)

200

300

400

500

600

700

800

Tim

e (s)

30 1 42L (subvector length)

(a)

HE-add(CMNT 16)HE-add(DGHV 16)

HE-add(CMNT 8)HE-add(DGHV 8)

30 1 2 4L (subvector length)

200

300

400

500

600

700

800

900

Tim

e (s)

(b)

400

600

800

1000

1200

1400

1600

1800

Tim

e (s)

30 1 2 4L (subvector length)

HE-sub(CMNT 16)HE-sub(DGHV 16)

HE-sub(CMNT 8)HE-sub(DGHV 8)

(c)

HE-mul(CMNT 16)HE-mul(DGHV 16)

HE-mul(CMNT 8)HE-mul(DGHV 8)

30 1 2 4L (subvector length)

2000

4000

6000

8000

10000

12000

14000

16000

Tim

e (s)

(d)

HE-div(CMNT 16)HE-div(DGHV 16)

HE-div(CMNT 8)HE-div(DGHV 8)

30 1 2 4L (subvector length)

02040608

112141618

2

Tim

e (s)

times104

(e)

Figure 3 Tested (a) HE-com (b) HE-add (c) HE-sub (d) HE-mul (e) HE-div CPU time

of edge computing Through scheme design noise analysisscheme optimisation and experimental comparison thedifferent performance of homomorphic evaluation of theinteger arithmetic operations is obtained under different FHEschemes Although we optimise our scheme in Section 42

the time overhead of our scheme is still high The primaryopen problem is to improve the efficiency of the FHE schemeThis requires us to work together to find a natural FHEscheme or to continue to optimise the FHE architecture toachieve more efficient noise management techniques

12 Wireless Communications and Mobile Computing

3500

3000

2500

2000

1500

1000

500

0

Tim

e (s)

DGHV(8)CMNT(8)CNT(8)

DGHV and CMNTL=2CNTL=0HE-divHE-mulHE-subHE-addHE-com

(a)

Tim

e (s)

DGHV(16)CMNT(16)CNT(16)

DGHV and CMNTL=2CNTL=0HE-divHE-mulHE-subHE-addHE-com

12000

10000

8000

6000

4000

2000

0

(b)

Figure 4 (a) Tested HE-IAO CPU time of ciphertext vector of length 8 (b) Tested HE-IAO CPU time of ciphertext vector of length 16

Data Availability

The data and code used to support the findings of thisstudy have been deposited in the GitHub repository (httpsgithubcomlimengfei1187Homomorphic-Encryptiongit)

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This work is partly supported by the National ScienceFoundation of China (61701322) the Key Projects of LiaoningNatural Science Foundation (20170540700) and the LiaoningProvincial Department of Education Science Foundation(L201630)

References

[1] L He O Kaoru and D Mianxiong ldquoECCN Orchestration ofEdge-Centric Computing and Content-Centric Networking inthe 5G Radio Access Networkrdquo IEEEWireless Commun vol 25no 3 pp 88ndash93 2018

[2] M Tao K Ota andMDong ldquoFoud Integrating Fog andCloudfor 5G-EnabledV2GNetworksrdquo IEEENetwork vol 31 no 2 pp8ndash13 2017

[3] J Xu K Ota and M Dong ldquoReal-Time Awareness Schedulingfor Multimedia Big Data Oriented In-Memory ComputingrdquoIEEE Internet of Things Journal 2018

[4] P G Lopez A Montresor D Epema et al ldquoEdge-centriccomputing vision and challengesrdquo Computer CommunicationReview vol 45 no 5 pp 37ndash42 2015

[5] Z ZhouM Dong K Ota JWu and T Sato ldquoEnergy efficiencyand spectral efficiency tradeoff in device-to-device (D2D)communicationsrdquo IEEE Wireless Communications Letters vol3 no 5 pp 485ndash488 2014

[6] A Y Al-Dubai L Zhao A Y Zomaya andGMin ldquoQoS-AwareInter-DomainMulticast for Scalable Wireless Community Net-worksrdquo IEEE Transactions on Parallel and Distributed Systemsvol 26 no 11 pp 3136ndash3148 2015

[7] L Zhao A Al-Dubai X Li andG Chen ldquoA new efficient cross-layer relay node selectionmodel forWireless CommunityMeshNetworksrdquo Computers Electrical Engineering vol 61 pp 361ndash372 2017

[8] G Han J Jiang C Zhang T Q Duong M Guizani and GK Karagiannidis ldquoA Survey on Mobile Anchor Node AssistedLocalization in Wireless Sensor Networksrdquo IEEE Communica-tions Surveys amp Tutorials vol 18 no 3 pp 2220ndash2243 2016

[9] L Zhao et al ldquoVehicular Communications Standardizationand Open Issuesrdquo IEEE Communications Standards Magazine2019

[10] H Li K Ota and M Dong ldquoLearning IoT in edge deeplearning for the internet of things with edge computingrdquo IEEENetwork vol 32 no 1 pp 96ndash101 2018

[11] X Tao KOtaMDongHQi andK Li ldquoPerformance guaran-teed computation offloading formobile-edge cloud computingrdquoIEEEWireless Communications Letters vol 6 no 6 pp 774ndash7772017

[12] CGentry ldquoFully homomorphic encryption using ideal latticesrdquoin Proceedings of the 41st annual ACM symposium on Theory ofComputing (STOC rsquo09) pp 169ndash178 ACM Bethesda Md USA2009

[13] S Halevi ldquoHomomorphic Encryptionrdquo in Tutorials on theFoundations of Cryptography Information Security and Cryp-tography pp 219ndash276 Springer International PublishingCham 2017

[14] M vanDijk C Gentry S Halevi and V Vaikuntanathan ldquoFullyhomomorphic encryption over the integersrdquo in Advances incryptologymdashEUROCRYPT 2010 vol 6110 pp 24ndash43 SpringerBerlin Germany 2010

[15] C Gentry and S Halevi ldquoImplementing Gentryrsquos fullymdashhomomorphic encryption schemerdquo inAdvances in cryptologymdashEUROCRYPT 2011 vol 6632 of Lecture Notes in ComputerScience pp 129ndash148 Springer Heidelberg Germany 2011

[16] N P Smart andFVercauteren ldquoFully homomorphic encryptionwith relatively small key and ciphertext sizesrdquo Lecture Notes in

Wireless Communications and Mobile Computing 7

where≫ represent the arithmetic right shift We can convertformula (7) into HP of addition by using addition and multi-plication on ciphertextsTheHP of JCBP119898119906119897119905(b0bminus1AlowastA)

JCHP11989811990611989711990511990901205881015840 (b0 bminus1AlowastA 119903 119904119908119894119905119888ℎ (oplus and))= [(b0+bminus1) (b0Alowast + bminus1A) + 2119903] mod 1199090 (9)

The A and Alowast represent ciphertext vector of reinitialisingA and Alowast The 119903 = ⟨1199030 119903119899minus1⟩ is a noise vector and119903119894 larr997888 Z cap (minus21205881015840 21205881015840) 0 le 119894 le 119899 minus 1 The HP of multiplica-tion

P119894

= P119894minus1

+ JCHP11989811990611989711990511990901205881015840 (b0 bminus1AlowastA 119903 119904119908119894119905119888ℎ (oplus and))P119894 = P119894minus1 sim≫ 1

0 le 119894 lt 119899 minus 1

(10)

where sim≫ represent the right shift of ciphertext vectorP119899minus1When the right shift of P119899minus1 by 1 ciphertext slot the mostsignificant component of P119899minus1 is filled with a copy of theoriginal most significant component The final value ofP119899minus1is the signed ciphertext product

34 Homomorphic Evaluation of the Division OperationDivision is the most complex of the basic arithmetic opera-tions For a simple computer that operate with an adder cir-cuit for its arithmetic operations a variant using traditionallong division called nonrestoring division provides a simplerand faster speed This method only needs one decision andadditionsubtraction per quotient bit and need not restoringstep after the subtraction We set dividend A and divisorB The Blowast is tworsquos complement of B The R is the partialremainder and the Q is quotient The basic algorithm forbinary (radix 2) nonrestoring division is as follows

(1) Reinitialize value ofBBlowastR and Q

(i) B B = B ≫ 119899 do arithmetic left shift 119899 bitsB = b119899minus1 sdot sdot sdotb00 sdot sdot sdot 0

(ii) Blowast Blowast = Blowast ≫ 119899 do arithmetic left shift 119899bitsBlowast = blowast119899minus1 sdot sdot sdotblowast00 sdot sdot sdot 0

(iii) RR = A ≫ 119899 do arithmetic right shift 119899 bitsR = r2119899minus1 sdot sdot sdotr0

(iv) Q Q = q119899minus1 sdot sdot sdotq0 fill it 119899 bits with 0

(2) Determine the one most significant (a signed bit) bitofR

(i) If r2119899minus1 = 0 fill the LSB of Q with 1 digit dological left shift 1 bit Find the value ofR = 2 lowastR +Blowast

(ii) If r2119899minus1 = 1 fill the LSB of Q with 0 digit dological left shift 1 bit Find the value ofR = 2 lowastR +B

(3) Repeat above second steps until they have been done119899 minus 1 times(4) Convert the quotient Q We suppose original Q =11101010

(i) Start Q = 11101010(ii) Mask the zero term (Signed binary notation

with onersquos complement) Q = 00010101(iii) Subtract Q = Q minus Q Q = 11010101

(5) The actual remainder is R = R ≫ 119899 Final resultof quotient is always odd and the remainder R isin the range minusB lt R lt B To convert to apositive remainder do a single restoring step afterQ isconverted from a nonstandard form to standard formIfR lt 0 find the value ofQ = Qminus1 andR = R+B

According to the second step mentioned technique we cansummarise a judgment choice Boolean polynomial (JCBP)

JCBP119889119894V (r2119899minus1BBlowast) = r2119899minus1B + (r2119899minus1 oplus 1)Blowast (11)

We useR119894 to represent 119894-th times iterationTheBPof divisionoperation

R119894 = 2R119894minus1 + JCBP119889119894V (r2119899minus1BBlowast)0 le 119894 lt 119899 minus 1

q119899minus1minus119894 = r1198942119899minus1 oplus 1 0 le 119894 lt 119899 minus 1Q = Q minus Q

R119899minus1 = R119899minus1 ≫ 119899

(12)

where r1198942119899minus1 represent the MSB ofR119894 Finally doing the fifthstep correctsQ andR119899minus1We can convert aboveBP intoHPofaddition by using addition and multiplication on ciphertextsThe HP of JCBP119889119894V(r2119899minus1BBlowast)

JCBP119889119894V1199090 1205881015840 (r2119899minus1BlowastV 119903 119904119908119894119905119888ℎ (oplus and))= [r2119899minus1V + (r2119899minus1 + 119864119899119888 (1))V + 2119903] mod 1199090 (13)

whereV andBlowast represent ciphertext vector of reinitialisingB andBlowast respectively The HP of division

R119894

= 2R119894minus1+ JCBP119889119894V1199090 1205881015840 (r2119899minus1BlowastV 119903 119904119908119894119905119888ℎ (oplusand))

0 le 119894 lt 119899 minus 1q119899minus1minus119894 = (r1198942119899minus1 + 119864119899119888 (1)) mod 1199090 0 le 119894 lt 119899 minus 1Q = Q minusQ

R119899minus1 = R119899minus1 sim≫ 119899

(14)

where R119894 = ⟨r1198942119899minus1 sdot sdot sdot r1198940⟩ represents ciphertext vector ofR119894 andQ=⟨q119899minus1 sdot sdot sdot q0⟩ represents ciphertext vector of QQ

8 Wireless Communications and Mobile Computing

represent q119894 = (q119894 + 119864119899119888(1)) mod 1199090 0 le 119894 lt 119899 Finally weneed to correctQ andR119899minus1 by the following operations

Q = [r119899minus1119899minus1 (Q minus 119864119899119888 (1))] mod 1199090R = [r119899minus1119899minus1 (R119899minus1 +V)] mod 1199090 (15)

The final value ofQ andR is the result of HP of division

4 Noise Analysis and Optimization

In Section 3 we describe the homomorphic evaluation ofthe integer arithmetic operations including complementaddition subtraction multiplication and division In thissection we will analyse the noise ceiling and optimisationfor our scheme Under the DGHV scheme the noise ceilingincreases exponentially with the multiplicative degree Whenciphertexts have noise at most 2120578minus2 lt 1199012 the ciphertextscannot be decrypted correctly Therefore we need bootstrap-ping to control noise of ciphertexts but using bootstrappingto refresh ciphertext will reduce the efficiency of DGHVWe will show the noise ceiling about the homomorphicevaluation of the integer arithmetic operations in this sectionMoreover we will describe an optimisation for the process ofinteger arithmetic operations to reduce time overhead in FHEwith bootstrapping

41 Noise Analysis of Our Scheme According to Section 3 weshow the noise ceiling and items of homomorphic evaluationof the 119899 bits signed integer arithmetic operations We denoteby HE-IAO the homomorphic evaluation of the integerarithmetic operations and use HE-com HE-add HE-subHE-mul HE-div to represent five operations of HE-IAOThedetails are shown in Table 2

Proof According to homomorphic evaluation of the comple-ment operations formula (3)

c119894 = 119894+1sum119896=1

sum|S|=119894+1

prod119895isin119878

a119895 mod 2 0 le 119894 le 119899 minus 2 (16)

sum|S|=119894prod119895isin119878a119895 has ( 119899minus2119894+1 ) terms and degree amounts to 119894 + 1According to binomial theorem the term of formula (3) canbe represented as (1+119909)119899minus2minus1 = sum119899minus2119894=0 ( 119899minus2119894 ) 119909119894minus1 when119909 = 1Therefore the polynomial c119894 of term is up to 2119899minus2 minus 1 anddegree amounts to 119899 minus 2 Because ofalowast119894 = (a119894 oplusa119899c119894minus1) 0 le119894 le 119899 minus 1 alowast119894 of term amounts to 2119899minus2 and degree amountsto 119899 minus 1

According to homomorphic evaluation of the additionoperations formula (5) the degree of carry formula c119894 =a119894b119894 oplus c119894minus1(a119894 oplus b119894) is higher 1 than c119894minus1 and the term of c119894is higher 2 lowast 119905119890119903119898(c119894minus1) + 1 than c119894minus1 where 119905119890119903119898(c119894minus1) rep-resents the term of c119894minus1 The degree of c0 = a0b0 amountsto 2 and the term of c0 = a0b0 amounts to 1 The degree ofc119899minus2 amounts to 119899 and terms of c119899minus2 amount to 2119899minus1 minus1TheMSB ofSs119899minus1 = a119899minus1 oplus b119899minus1 oplusc119899minus2 where the degree of s119899minus1amounts to 119899 and the term of s119899minus1 amounts to 2119899minus1 + 1 Ifwe do not consider complement operation subtraction and

Table 2 The degree ceiling and items of homomorphic evaluationof the 119899 bits signed integer arithmetic operations Above showing theHPof integer arithmetic operations 119899-th iterations ciphertext resultsrsquodegree and term

HE-IAO degree termHE-com 119899 minus 1 2119899minus2HE-add 119899 2119899minus1 + 1HE-sub 119899 2119899minus1 + 1HE-mul 120595 ∙ 22119899minus4 minusHE-div 120593 ∙ 22119899minus4 minusTable 3 The noise ceiling of homomorphic evaluation of the 119899 bitssigned integer arithmetic operations The base of the log is 2

HE-IAO noise ceilingHE-com 1205881015840 log(119899minus1) + log 2119899minus3HE-add 1205881015840 log(119899) + log (2119899minus1 + 1)HE-sub 1205881015840 log(119899) + log (2119899minus1 + 1)HE-mul 1205881015840 log120595∙22119899minus4 + minusHE-div 1205881015840 log120593∙22119899minus4 + minus

addition have the same process Therefore the degree andterm are the same as the addition Multiplication and divisionrequire iteration 119899 minus 1 times addition and shift The processesof multiplication and division are particularly complicatedwe canrsquot find the formula to express the degree According toour calculations the degree of multiplication and division isclose to the 2 to the power of 2119899 minus 4 Therefore the degree ofmultiplication is not more than 120595 ∙ 22119899minus4 and the degree ofdivision is not more than 120593∙22119899minus4The term of multiplicationand division is too high and the degree has made noise morethan the limitation of correct decryption

We can conclude (see Table 2) the degree of homomor-phic evaluation of addition and subtraction is O(119899) and thedepth of the homomorphic evaluation of multiplication anddivision is O(120595 ∙ 22119899minus4) We use items that represent the 1198971norm of HP (the coefficient vector of HP) The noise ceilingof homomorphic evaluation of the 119899 bits integer arithmeticoperations can be calculated by the following polynomi-al

119873119900119894119904119890 = 1205881015840log 119889 + log1003816100381610038161003816100381610038161003816997888rarr119891

1003816100381610038161003816100381610038161003816 (17)

where 119889 represents the degree of HP and log 119889 representsmultiplication level of HP |997888rarr119891| is the 1198971 norm of HP 1205881015840 isthe noise of length in every ciphertext The noise ceilingof homomorphic evaluation of the 119899 bits integer arithmeticoperations is shown in Table 3

We can conclude (see Table 3) the noise of homomorphicevaluation of the 119899 bits signed integer arithmetic operationsThe noise increases very rapidly In the homomorphic eval-uation of the complement addition and subtraction noiseincreases up to O(1205881015840119899) In the homomorphic evaluation of themultiplication and division noise ismore than O(1205881015840120595∙22119899minus4)

Wireless Communications and Mobile Computing 9

1 1 1 1 1 1

3 3 3 3 3 3

33L-233L-233L-2

3L+11 recrypt3L+1recrypt1

r shift

33L-233L-233L-21

1 1 1 1 1 11

recrypt recrypt recrypt recrypt recrypt recrypt

Figure 2 The optimised addition operations each colour block represents same position subvectors ofP119894andF the length of each colour

block is L ldquor shiftrdquo represents ciphertext vector right shift one position ldquorecryptrdquo represents ciphertext refresh This figure shows the degreechange of each component ofP

119894andF

42 Optimization of Our Scheme From the analysis of noiseceiling in Section 41 we need to control the noise increasesby using ciphertext refresh or modulus-switching techniquein each multiplication level of homomorphic evaluation ofthe 119899 bits signed integer arithmetic operations Howeverthe ciphertext refresh or modulus-switching technique willreduce our scheme efficiency Therefore we will describe anoptimisation for our scheme in this section The optimisationcan reduce the number of ciphertext refresh and improveefficiency

Because the integer arithmetic operation is completedbased on the addition operation we optimise the homo-morphic evaluation of the integer addition We divide theciphertext vector of integer encryption into subvectors oflength L The homomorphic evaluation of arithmetic oper-ations between the subvectors in the same position do notneed ciphertext refresh and the subvectors in different posi-tions need to refresh ciphertext-carry once Therefore theoptimised scheme need not ciphertext refresh in each multi-plication level and reduces the number of ciphertext refreshWe take addition operations of the product accumulator toexplain our optimisation In the homomorphic evaluationof the multiplication operations the product accumulatorP119894 is as formula (9) The formula (9) is a polynomial ofdegree three and P119894 is a ciphertext vector of degree oneWe denote by F vector of JCHP11989811990611989711990511990901205881015840 We divide theciphertext vector of P119894 and F into ciphertext subvectorsof length L The ciphertext operations of subvectors of thesame position are the same as homomorphic evaluation ofthe addition operations (without ciphertext refresh) Theciphertext operations of subvectors of different position needto refresh ciphertext-carry once (see Figure 2)

The subvectors of P119894 and F generate ciphertext-resultblock and ciphertext-carry In every ciphertext-result blockthe maximum degree is 3L minus 2 (leftmost) and the minimumdegree is 3 (rightmost) The ciphertext-carry degree is 3L +1 in each subvector of the different position Each cipher-text of ciphertext-result block and ciphertext-carry can use

ciphertext refresh (recrypt) to reduce degree up to one Thenumber of ciphertext refresh of once product accumulator(P119894 +F) for ciphertext-carry

(i) If 119899 is divisible by L it will generate 119899Lminus1 ciphertext-carry and the number of ciphertext refresh is 119888119899119905 =119899L minus 1 times

(ii) If 119899 is inalienable by L it will generate lfloor119899Lrfloorciphertext-carry and the number of ciphertext refreshis 119888119899119905 = lfloor119899Lrfloor times

Homomorphic evaluation of the multiplication operationsneeds 119899minus1 times product accumulator and whole operationsneed (119899minus1)∙119888119899119905 times ciphertext refresh for ciphertext-carryand (119899 minus 1) ∙ 119899 times ciphertext refresh for ciphertext-resultblock Total times of ciphertext refresh for homomorphicevaluation of the multiplication operations

119862119873119879 = (119899 minus 1) ∙ 119899 + (119899 minus 1) ∙ 119888119899119905 (18)

In the original homomorphic evaluation of the multi-plication operations every multiplication level needs onceciphertext refresh Whole operations need (119899 minus 1)(3119899 minus 3) +119899(119899 minus 1) + 2119899 minus 3 times ciphertext refresh We apply aboveoptimisation to the homomorphic evaluation of the com-plement addition subtraction multiplication and divisionoperations and set 119899 = 16 L = 1 2 3 4We show the numberof ciphertext refresh of the original scheme (L = 0) and anoptimised scheme (L = 1 2 3 4) as Table 4

In order to implement our optimisation we need to adjustthe parameters of homomorphic encryption and make FHEsupport the log(3L+1)multiplication level additional exceptfor the 15-multiplication level required by bootstrappingTherefore we reset the length of the private key 120578 ge 1205881015840 ∙Θ(120582log2120582) + 1205881015840 ∙ 2log(3L+1) + log(2Lminus1 + 1) We set securityparameter 120582 = 52 the length of noise 1205881015840 = 24 and 120579 = 15Θ = 500 Parameters are set as Table 5

10 Wireless Communications and Mobile Computing

Table 4 The number of ciphertext refresh of homomorphic evaluation of the integer arithmetic operations

HE-IAO L = 0 L = 1 L = 2 L = 3 L = 4HE-com 29 29 22 20 18HE-add 45 31 23 21 19HE-sub 74 60 45 41 37HE-mul 944 494 367 335 303HE-div 1095 585 437 397 359

Table 5 Concrete parameters based on the ldquosmallrdquo parameters of CMNT scheme and reset the length of public key 120578 and 120574 Fixed 120582 1205881015840 andthe number of public keys 120591 only changed 120578 and 120574 according to L

parameters 120582 1205881015840 120578 120574 120591L = 0 52 24 1632 20 ∙ 106 1000L = 1 52 24 1728 25 ∙ 106 1000L = 2 52 24 1801 30 ∙ 106 1000L = 3 52 24 1874 35 ∙ 106 1000L = 4 52 24 1993 42 ∙ 106 1000

5 Experimental Result

Our optimisations described in our scheme were incorpo-rated in our code which is built on top of GnuMP We testedour implementation on a desktop computer with Intel Corei5-3470 running at 32 GHz on which we run an Ubuntu1804 with 8 GB of RAM and with the gcc compiler version62 We regard this desktop computer as an edge data centreto test our scheme efficiency in edge computing We choosethe ciphertext vector of 16 and 8 bits signed integer as inputDue to our optimisations for the FHE with bootstrappingwe test our original scheme (L = 0) and optimised scheme(L = 1 2 3 4) in DGHV and CMNT scheme (see Figures3(a) 3(b) 3(c) 3(d) and 3(e)) In CNT scheme we onlyuse modulus-switching technique to control noise So wetest the original scheme in CNT scheme (see Figures 4(a)and 4(b)) In our figures ldquoHE-com (CMNT 16)rdquo representthe homomorphic evaluation of the complement operationsand calculate the ciphertext vector of 16 bits signed integerin the CMNT scheme ldquoHE-com (DGHV 8)rdquo represent thehomomorphic evaluation of the complement operations andcalculate the ciphertext vector of 8 bits signed integer inDGHV schemeThe explanation of other legends is the sameas above We show the following experimental results basedon the Section 42 parameter settings

We can conclude (see Figures 3(b) 3(c) 3(d) and 3(e))that L = 2 is best parameters setting for homomorphicevaluation of the addition subtraction multiplication anddivision However the time overhead of homomorphic eval-uation of the complement operations is monotone increasingat L (see Figure 3(a)) When L = 0 the time overhead is theabsolute minimum When L = 0 and L = 1 the number ofciphertext refresh is the sameAlso the degree of complementoperations is 2119899 minus 3 When 119899 = 16 the degree is 29 inL = 0 It is the same as L = 1 The reduced time overheadof the optimised complement operations cannot offset thecomputation cost caused by the increase in ciphertext lengthHowever the relative minimum value appears at L = 2

(see Figures 3(a) 3(b) 3(c) 3(d) and 3(e)) It shows thatour optimisation is useful and can reduce the time overheadfor our scheme except homomorphic evaluation of thecomplement operations Namely we divide the ciphertextvector of integer encryption into subvectors of length 2 andmake DGHV and CMNT scheme to support the log(3 ∙ 2 +1) asymp 3 multiplication level additional The optimisation ofour scheme can achieve the best results In the number ofciphertext refreshes the optimised scheme is reduced by 23compared to the original scheme over DGHV and CMNTand the homomorphic evaluation time overhead of integerarithmetic operation is reduced by 13

The DGHV and CMNT schemes are different with CNTscheme in noise management technology The DGHV andCMNT schemes use bootstrapping to control noise andthe CNT scheme uses the modulus switching technology tocontrol noise Our optimization is used for homomorphicevaluation of integer arithmetic operations which are imple-mented byDGHVandCMNTschemes (with bootstrapping)rather than by CNT scheme (modulus-switching)Thereforewe just compare the beat result (L = 2) of our scheme basedon DGHV and CMNT schemes with CNT scheme (L = 0)We can draw a conclusion (see Figures 4(a) and 4(b)) thatthe time overhead of our optimised scheme based on DGHVand CMNT schemes (bootstrapping) with L = 2 close to thetime overhead of basing on CNT (modulus-switching) withL = 0 It also shows that our optimisation is effective And ouroptimized scheme can be applied to mobile edge computingto solve privacy data computing problems in ciphertext

6 Conclusion

We implement the homomorphic evaluation scheme ofinteger arithmetic operations under DGHV and its variantsin edge computing We use the features of homomorphicencryption to prevent sensitive data from being stolen inedge computing At the same time we can also calculateciphertext data in edge computing and improve the QoS

Wireless Communications and Mobile Computing 11

HE-com(CMNT 16)HE-com(DGHV 16)

HE-com(CMNT 8)HE-com(DGHV 8)

200

300

400

500

600

700

800

Tim

e (s)

30 1 42L (subvector length)

(a)

HE-add(CMNT 16)HE-add(DGHV 16)

HE-add(CMNT 8)HE-add(DGHV 8)

30 1 2 4L (subvector length)

200

300

400

500

600

700

800

900

Tim

e (s)

(b)

400

600

800

1000

1200

1400

1600

1800

Tim

e (s)

30 1 2 4L (subvector length)

HE-sub(CMNT 16)HE-sub(DGHV 16)

HE-sub(CMNT 8)HE-sub(DGHV 8)

(c)

HE-mul(CMNT 16)HE-mul(DGHV 16)

HE-mul(CMNT 8)HE-mul(DGHV 8)

30 1 2 4L (subvector length)

2000

4000

6000

8000

10000

12000

14000

16000

Tim

e (s)

(d)

HE-div(CMNT 16)HE-div(DGHV 16)

HE-div(CMNT 8)HE-div(DGHV 8)

30 1 2 4L (subvector length)

02040608

112141618

2

Tim

e (s)

times104

(e)

Figure 3 Tested (a) HE-com (b) HE-add (c) HE-sub (d) HE-mul (e) HE-div CPU time

of edge computing Through scheme design noise analysisscheme optimisation and experimental comparison thedifferent performance of homomorphic evaluation of theinteger arithmetic operations is obtained under different FHEschemes Although we optimise our scheme in Section 42

the time overhead of our scheme is still high The primaryopen problem is to improve the efficiency of the FHE schemeThis requires us to work together to find a natural FHEscheme or to continue to optimise the FHE architecture toachieve more efficient noise management techniques

12 Wireless Communications and Mobile Computing

3500

3000

2500

2000

1500

1000

500

0

Tim

e (s)

DGHV(8)CMNT(8)CNT(8)

DGHV and CMNTL=2CNTL=0HE-divHE-mulHE-subHE-addHE-com

(a)

Tim

e (s)

DGHV(16)CMNT(16)CNT(16)

DGHV and CMNTL=2CNTL=0HE-divHE-mulHE-subHE-addHE-com

12000

10000

8000

6000

4000

2000

0

(b)

Figure 4 (a) Tested HE-IAO CPU time of ciphertext vector of length 8 (b) Tested HE-IAO CPU time of ciphertext vector of length 16

Data Availability

The data and code used to support the findings of thisstudy have been deposited in the GitHub repository (httpsgithubcomlimengfei1187Homomorphic-Encryptiongit)

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This work is partly supported by the National ScienceFoundation of China (61701322) the Key Projects of LiaoningNatural Science Foundation (20170540700) and the LiaoningProvincial Department of Education Science Foundation(L201630)

References

[1] L He O Kaoru and D Mianxiong ldquoECCN Orchestration ofEdge-Centric Computing and Content-Centric Networking inthe 5G Radio Access Networkrdquo IEEEWireless Commun vol 25no 3 pp 88ndash93 2018

[2] M Tao K Ota andMDong ldquoFoud Integrating Fog andCloudfor 5G-EnabledV2GNetworksrdquo IEEENetwork vol 31 no 2 pp8ndash13 2017

[3] J Xu K Ota and M Dong ldquoReal-Time Awareness Schedulingfor Multimedia Big Data Oriented In-Memory ComputingrdquoIEEE Internet of Things Journal 2018

[4] P G Lopez A Montresor D Epema et al ldquoEdge-centriccomputing vision and challengesrdquo Computer CommunicationReview vol 45 no 5 pp 37ndash42 2015

[5] Z ZhouM Dong K Ota JWu and T Sato ldquoEnergy efficiencyand spectral efficiency tradeoff in device-to-device (D2D)communicationsrdquo IEEE Wireless Communications Letters vol3 no 5 pp 485ndash488 2014

[6] A Y Al-Dubai L Zhao A Y Zomaya andGMin ldquoQoS-AwareInter-DomainMulticast for Scalable Wireless Community Net-worksrdquo IEEE Transactions on Parallel and Distributed Systemsvol 26 no 11 pp 3136ndash3148 2015

[7] L Zhao A Al-Dubai X Li andG Chen ldquoA new efficient cross-layer relay node selectionmodel forWireless CommunityMeshNetworksrdquo Computers Electrical Engineering vol 61 pp 361ndash372 2017

[8] G Han J Jiang C Zhang T Q Duong M Guizani and GK Karagiannidis ldquoA Survey on Mobile Anchor Node AssistedLocalization in Wireless Sensor Networksrdquo IEEE Communica-tions Surveys amp Tutorials vol 18 no 3 pp 2220ndash2243 2016

[9] L Zhao et al ldquoVehicular Communications Standardizationand Open Issuesrdquo IEEE Communications Standards Magazine2019

[10] H Li K Ota and M Dong ldquoLearning IoT in edge deeplearning for the internet of things with edge computingrdquo IEEENetwork vol 32 no 1 pp 96ndash101 2018

[11] X Tao KOtaMDongHQi andK Li ldquoPerformance guaran-teed computation offloading formobile-edge cloud computingrdquoIEEEWireless Communications Letters vol 6 no 6 pp 774ndash7772017

[12] CGentry ldquoFully homomorphic encryption using ideal latticesrdquoin Proceedings of the 41st annual ACM symposium on Theory ofComputing (STOC rsquo09) pp 169ndash178 ACM Bethesda Md USA2009

[13] S Halevi ldquoHomomorphic Encryptionrdquo in Tutorials on theFoundations of Cryptography Information Security and Cryp-tography pp 219ndash276 Springer International PublishingCham 2017

[14] M vanDijk C Gentry S Halevi and V Vaikuntanathan ldquoFullyhomomorphic encryption over the integersrdquo in Advances incryptologymdashEUROCRYPT 2010 vol 6110 pp 24ndash43 SpringerBerlin Germany 2010

[15] C Gentry and S Halevi ldquoImplementing Gentryrsquos fullymdashhomomorphic encryption schemerdquo inAdvances in cryptologymdashEUROCRYPT 2011 vol 6632 of Lecture Notes in ComputerScience pp 129ndash148 Springer Heidelberg Germany 2011

[16] N P Smart andFVercauteren ldquoFully homomorphic encryptionwith relatively small key and ciphertext sizesrdquo Lecture Notes in

8 Wireless Communications and Mobile Computing

represent q119894 = (q119894 + 119864119899119888(1)) mod 1199090 0 le 119894 lt 119899 Finally weneed to correctQ andR119899minus1 by the following operations

Q = [r119899minus1119899minus1 (Q minus 119864119899119888 (1))] mod 1199090R = [r119899minus1119899minus1 (R119899minus1 +V)] mod 1199090 (15)

The final value ofQ andR is the result of HP of division

4 Noise Analysis and Optimization

In Section 3 we describe the homomorphic evaluation ofthe integer arithmetic operations including complementaddition subtraction multiplication and division In thissection we will analyse the noise ceiling and optimisationfor our scheme Under the DGHV scheme the noise ceilingincreases exponentially with the multiplicative degree Whenciphertexts have noise at most 2120578minus2 lt 1199012 the ciphertextscannot be decrypted correctly Therefore we need bootstrap-ping to control noise of ciphertexts but using bootstrappingto refresh ciphertext will reduce the efficiency of DGHVWe will show the noise ceiling about the homomorphicevaluation of the integer arithmetic operations in this sectionMoreover we will describe an optimisation for the process ofinteger arithmetic operations to reduce time overhead in FHEwith bootstrapping

41 Noise Analysis of Our Scheme According to Section 3 weshow the noise ceiling and items of homomorphic evaluationof the 119899 bits signed integer arithmetic operations We denoteby HE-IAO the homomorphic evaluation of the integerarithmetic operations and use HE-com HE-add HE-subHE-mul HE-div to represent five operations of HE-IAOThedetails are shown in Table 2

Proof According to homomorphic evaluation of the comple-ment operations formula (3)

c119894 = 119894+1sum119896=1

sum|S|=119894+1

prod119895isin119878

a119895 mod 2 0 le 119894 le 119899 minus 2 (16)

sum|S|=119894prod119895isin119878a119895 has ( 119899minus2119894+1 ) terms and degree amounts to 119894 + 1According to binomial theorem the term of formula (3) canbe represented as (1+119909)119899minus2minus1 = sum119899minus2119894=0 ( 119899minus2119894 ) 119909119894minus1 when119909 = 1Therefore the polynomial c119894 of term is up to 2119899minus2 minus 1 anddegree amounts to 119899 minus 2 Because ofalowast119894 = (a119894 oplusa119899c119894minus1) 0 le119894 le 119899 minus 1 alowast119894 of term amounts to 2119899minus2 and degree amountsto 119899 minus 1

According to homomorphic evaluation of the additionoperations formula (5) the degree of carry formula c119894 =a119894b119894 oplus c119894minus1(a119894 oplus b119894) is higher 1 than c119894minus1 and the term of c119894is higher 2 lowast 119905119890119903119898(c119894minus1) + 1 than c119894minus1 where 119905119890119903119898(c119894minus1) rep-resents the term of c119894minus1 The degree of c0 = a0b0 amountsto 2 and the term of c0 = a0b0 amounts to 1 The degree ofc119899minus2 amounts to 119899 and terms of c119899minus2 amount to 2119899minus1 minus1TheMSB ofSs119899minus1 = a119899minus1 oplus b119899minus1 oplusc119899minus2 where the degree of s119899minus1amounts to 119899 and the term of s119899minus1 amounts to 2119899minus1 + 1 Ifwe do not consider complement operation subtraction and

Table 2 The degree ceiling and items of homomorphic evaluationof the 119899 bits signed integer arithmetic operations Above showing theHPof integer arithmetic operations 119899-th iterations ciphertext resultsrsquodegree and term

HE-IAO degree termHE-com 119899 minus 1 2119899minus2HE-add 119899 2119899minus1 + 1HE-sub 119899 2119899minus1 + 1HE-mul 120595 ∙ 22119899minus4 minusHE-div 120593 ∙ 22119899minus4 minusTable 3 The noise ceiling of homomorphic evaluation of the 119899 bitssigned integer arithmetic operations The base of the log is 2

HE-IAO noise ceilingHE-com 1205881015840 log(119899minus1) + log 2119899minus3HE-add 1205881015840 log(119899) + log (2119899minus1 + 1)HE-sub 1205881015840 log(119899) + log (2119899minus1 + 1)HE-mul 1205881015840 log120595∙22119899minus4 + minusHE-div 1205881015840 log120593∙22119899minus4 + minus

addition have the same process Therefore the degree andterm are the same as the addition Multiplication and divisionrequire iteration 119899 minus 1 times addition and shift The processesof multiplication and division are particularly complicatedwe canrsquot find the formula to express the degree According toour calculations the degree of multiplication and division isclose to the 2 to the power of 2119899 minus 4 Therefore the degree ofmultiplication is not more than 120595 ∙ 22119899minus4 and the degree ofdivision is not more than 120593∙22119899minus4The term of multiplicationand division is too high and the degree has made noise morethan the limitation of correct decryption

We can conclude (see Table 2) the degree of homomor-phic evaluation of addition and subtraction is O(119899) and thedepth of the homomorphic evaluation of multiplication anddivision is O(120595 ∙ 22119899minus4) We use items that represent the 1198971norm of HP (the coefficient vector of HP) The noise ceilingof homomorphic evaluation of the 119899 bits integer arithmeticoperations can be calculated by the following polynomi-al

119873119900119894119904119890 = 1205881015840log 119889 + log1003816100381610038161003816100381610038161003816997888rarr119891

1003816100381610038161003816100381610038161003816 (17)

where 119889 represents the degree of HP and log 119889 representsmultiplication level of HP |997888rarr119891| is the 1198971 norm of HP 1205881015840 isthe noise of length in every ciphertext The noise ceilingof homomorphic evaluation of the 119899 bits integer arithmeticoperations is shown in Table 3

We can conclude (see Table 3) the noise of homomorphicevaluation of the 119899 bits signed integer arithmetic operationsThe noise increases very rapidly In the homomorphic eval-uation of the complement addition and subtraction noiseincreases up to O(1205881015840119899) In the homomorphic evaluation of themultiplication and division noise ismore than O(1205881015840120595∙22119899minus4)

Wireless Communications and Mobile Computing 9

1 1 1 1 1 1

3 3 3 3 3 3

33L-233L-233L-2

3L+11 recrypt3L+1recrypt1

r shift

33L-233L-233L-21

1 1 1 1 1 11

recrypt recrypt recrypt recrypt recrypt recrypt

Figure 2 The optimised addition operations each colour block represents same position subvectors ofP119894andF the length of each colour

block is L ldquor shiftrdquo represents ciphertext vector right shift one position ldquorecryptrdquo represents ciphertext refresh This figure shows the degreechange of each component ofP

119894andF

42 Optimization of Our Scheme From the analysis of noiseceiling in Section 41 we need to control the noise increasesby using ciphertext refresh or modulus-switching techniquein each multiplication level of homomorphic evaluation ofthe 119899 bits signed integer arithmetic operations Howeverthe ciphertext refresh or modulus-switching technique willreduce our scheme efficiency Therefore we will describe anoptimisation for our scheme in this section The optimisationcan reduce the number of ciphertext refresh and improveefficiency

Because the integer arithmetic operation is completedbased on the addition operation we optimise the homo-morphic evaluation of the integer addition We divide theciphertext vector of integer encryption into subvectors oflength L The homomorphic evaluation of arithmetic oper-ations between the subvectors in the same position do notneed ciphertext refresh and the subvectors in different posi-tions need to refresh ciphertext-carry once Therefore theoptimised scheme need not ciphertext refresh in each multi-plication level and reduces the number of ciphertext refreshWe take addition operations of the product accumulator toexplain our optimisation In the homomorphic evaluationof the multiplication operations the product accumulatorP119894 is as formula (9) The formula (9) is a polynomial ofdegree three and P119894 is a ciphertext vector of degree oneWe denote by F vector of JCHP11989811990611989711990511990901205881015840 We divide theciphertext vector of P119894 and F into ciphertext subvectorsof length L The ciphertext operations of subvectors of thesame position are the same as homomorphic evaluation ofthe addition operations (without ciphertext refresh) Theciphertext operations of subvectors of different position needto refresh ciphertext-carry once (see Figure 2)

The subvectors of P119894 and F generate ciphertext-resultblock and ciphertext-carry In every ciphertext-result blockthe maximum degree is 3L minus 2 (leftmost) and the minimumdegree is 3 (rightmost) The ciphertext-carry degree is 3L +1 in each subvector of the different position Each cipher-text of ciphertext-result block and ciphertext-carry can use

ciphertext refresh (recrypt) to reduce degree up to one Thenumber of ciphertext refresh of once product accumulator(P119894 +F) for ciphertext-carry

(i) If 119899 is divisible by L it will generate 119899Lminus1 ciphertext-carry and the number of ciphertext refresh is 119888119899119905 =119899L minus 1 times

(ii) If 119899 is inalienable by L it will generate lfloor119899Lrfloorciphertext-carry and the number of ciphertext refreshis 119888119899119905 = lfloor119899Lrfloor times

Homomorphic evaluation of the multiplication operationsneeds 119899minus1 times product accumulator and whole operationsneed (119899minus1)∙119888119899119905 times ciphertext refresh for ciphertext-carryand (119899 minus 1) ∙ 119899 times ciphertext refresh for ciphertext-resultblock Total times of ciphertext refresh for homomorphicevaluation of the multiplication operations

119862119873119879 = (119899 minus 1) ∙ 119899 + (119899 minus 1) ∙ 119888119899119905 (18)

In the original homomorphic evaluation of the multi-plication operations every multiplication level needs onceciphertext refresh Whole operations need (119899 minus 1)(3119899 minus 3) +119899(119899 minus 1) + 2119899 minus 3 times ciphertext refresh We apply aboveoptimisation to the homomorphic evaluation of the com-plement addition subtraction multiplication and divisionoperations and set 119899 = 16 L = 1 2 3 4We show the numberof ciphertext refresh of the original scheme (L = 0) and anoptimised scheme (L = 1 2 3 4) as Table 4

In order to implement our optimisation we need to adjustthe parameters of homomorphic encryption and make FHEsupport the log(3L+1)multiplication level additional exceptfor the 15-multiplication level required by bootstrappingTherefore we reset the length of the private key 120578 ge 1205881015840 ∙Θ(120582log2120582) + 1205881015840 ∙ 2log(3L+1) + log(2Lminus1 + 1) We set securityparameter 120582 = 52 the length of noise 1205881015840 = 24 and 120579 = 15Θ = 500 Parameters are set as Table 5

10 Wireless Communications and Mobile Computing

Table 4 The number of ciphertext refresh of homomorphic evaluation of the integer arithmetic operations

HE-IAO L = 0 L = 1 L = 2 L = 3 L = 4HE-com 29 29 22 20 18HE-add 45 31 23 21 19HE-sub 74 60 45 41 37HE-mul 944 494 367 335 303HE-div 1095 585 437 397 359

Table 5 Concrete parameters based on the ldquosmallrdquo parameters of CMNT scheme and reset the length of public key 120578 and 120574 Fixed 120582 1205881015840 andthe number of public keys 120591 only changed 120578 and 120574 according to L

parameters 120582 1205881015840 120578 120574 120591L = 0 52 24 1632 20 ∙ 106 1000L = 1 52 24 1728 25 ∙ 106 1000L = 2 52 24 1801 30 ∙ 106 1000L = 3 52 24 1874 35 ∙ 106 1000L = 4 52 24 1993 42 ∙ 106 1000

5 Experimental Result

Our optimisations described in our scheme were incorpo-rated in our code which is built on top of GnuMP We testedour implementation on a desktop computer with Intel Corei5-3470 running at 32 GHz on which we run an Ubuntu1804 with 8 GB of RAM and with the gcc compiler version62 We regard this desktop computer as an edge data centreto test our scheme efficiency in edge computing We choosethe ciphertext vector of 16 and 8 bits signed integer as inputDue to our optimisations for the FHE with bootstrappingwe test our original scheme (L = 0) and optimised scheme(L = 1 2 3 4) in DGHV and CMNT scheme (see Figures3(a) 3(b) 3(c) 3(d) and 3(e)) In CNT scheme we onlyuse modulus-switching technique to control noise So wetest the original scheme in CNT scheme (see Figures 4(a)and 4(b)) In our figures ldquoHE-com (CMNT 16)rdquo representthe homomorphic evaluation of the complement operationsand calculate the ciphertext vector of 16 bits signed integerin the CMNT scheme ldquoHE-com (DGHV 8)rdquo represent thehomomorphic evaluation of the complement operations andcalculate the ciphertext vector of 8 bits signed integer inDGHV schemeThe explanation of other legends is the sameas above We show the following experimental results basedon the Section 42 parameter settings

We can conclude (see Figures 3(b) 3(c) 3(d) and 3(e))that L = 2 is best parameters setting for homomorphicevaluation of the addition subtraction multiplication anddivision However the time overhead of homomorphic eval-uation of the complement operations is monotone increasingat L (see Figure 3(a)) When L = 0 the time overhead is theabsolute minimum When L = 0 and L = 1 the number ofciphertext refresh is the sameAlso the degree of complementoperations is 2119899 minus 3 When 119899 = 16 the degree is 29 inL = 0 It is the same as L = 1 The reduced time overheadof the optimised complement operations cannot offset thecomputation cost caused by the increase in ciphertext lengthHowever the relative minimum value appears at L = 2

(see Figures 3(a) 3(b) 3(c) 3(d) and 3(e)) It shows thatour optimisation is useful and can reduce the time overheadfor our scheme except homomorphic evaluation of thecomplement operations Namely we divide the ciphertextvector of integer encryption into subvectors of length 2 andmake DGHV and CMNT scheme to support the log(3 ∙ 2 +1) asymp 3 multiplication level additional The optimisation ofour scheme can achieve the best results In the number ofciphertext refreshes the optimised scheme is reduced by 23compared to the original scheme over DGHV and CMNTand the homomorphic evaluation time overhead of integerarithmetic operation is reduced by 13

The DGHV and CMNT schemes are different with CNTscheme in noise management technology The DGHV andCMNT schemes use bootstrapping to control noise andthe CNT scheme uses the modulus switching technology tocontrol noise Our optimization is used for homomorphicevaluation of integer arithmetic operations which are imple-mented byDGHVandCMNTschemes (with bootstrapping)rather than by CNT scheme (modulus-switching)Thereforewe just compare the beat result (L = 2) of our scheme basedon DGHV and CMNT schemes with CNT scheme (L = 0)We can draw a conclusion (see Figures 4(a) and 4(b)) thatthe time overhead of our optimised scheme based on DGHVand CMNT schemes (bootstrapping) with L = 2 close to thetime overhead of basing on CNT (modulus-switching) withL = 0 It also shows that our optimisation is effective And ouroptimized scheme can be applied to mobile edge computingto solve privacy data computing problems in ciphertext

6 Conclusion

We implement the homomorphic evaluation scheme ofinteger arithmetic operations under DGHV and its variantsin edge computing We use the features of homomorphicencryption to prevent sensitive data from being stolen inedge computing At the same time we can also calculateciphertext data in edge computing and improve the QoS

Wireless Communications and Mobile Computing 11

HE-com(CMNT 16)HE-com(DGHV 16)

HE-com(CMNT 8)HE-com(DGHV 8)

200

300

400

500

600

700

800

Tim

e (s)

30 1 42L (subvector length)

(a)

HE-add(CMNT 16)HE-add(DGHV 16)

HE-add(CMNT 8)HE-add(DGHV 8)

30 1 2 4L (subvector length)

200

300

400

500

600

700

800

900

Tim

e (s)

(b)

400

600

800

1000

1200

1400

1600

1800

Tim

e (s)

30 1 2 4L (subvector length)

HE-sub(CMNT 16)HE-sub(DGHV 16)

HE-sub(CMNT 8)HE-sub(DGHV 8)

(c)

HE-mul(CMNT 16)HE-mul(DGHV 16)

HE-mul(CMNT 8)HE-mul(DGHV 8)

30 1 2 4L (subvector length)

2000

4000

6000

8000

10000

12000

14000

16000

Tim

e (s)

(d)

HE-div(CMNT 16)HE-div(DGHV 16)

HE-div(CMNT 8)HE-div(DGHV 8)

30 1 2 4L (subvector length)

02040608

112141618

2

Tim

e (s)

times104

(e)

Figure 3 Tested (a) HE-com (b) HE-add (c) HE-sub (d) HE-mul (e) HE-div CPU time

of edge computing Through scheme design noise analysisscheme optimisation and experimental comparison thedifferent performance of homomorphic evaluation of theinteger arithmetic operations is obtained under different FHEschemes Although we optimise our scheme in Section 42

the time overhead of our scheme is still high The primaryopen problem is to improve the efficiency of the FHE schemeThis requires us to work together to find a natural FHEscheme or to continue to optimise the FHE architecture toachieve more efficient noise management techniques

12 Wireless Communications and Mobile Computing

3500

3000

2500

2000

1500

1000

500

0

Tim

e (s)

DGHV(8)CMNT(8)CNT(8)

DGHV and CMNTL=2CNTL=0HE-divHE-mulHE-subHE-addHE-com

(a)

Tim

e (s)

DGHV(16)CMNT(16)CNT(16)

DGHV and CMNTL=2CNTL=0HE-divHE-mulHE-subHE-addHE-com

12000

10000

8000

6000

4000

2000

0

(b)

Figure 4 (a) Tested HE-IAO CPU time of ciphertext vector of length 8 (b) Tested HE-IAO CPU time of ciphertext vector of length 16

Data Availability

The data and code used to support the findings of thisstudy have been deposited in the GitHub repository (httpsgithubcomlimengfei1187Homomorphic-Encryptiongit)

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This work is partly supported by the National ScienceFoundation of China (61701322) the Key Projects of LiaoningNatural Science Foundation (20170540700) and the LiaoningProvincial Department of Education Science Foundation(L201630)

References

[1] L He O Kaoru and D Mianxiong ldquoECCN Orchestration ofEdge-Centric Computing and Content-Centric Networking inthe 5G Radio Access Networkrdquo IEEEWireless Commun vol 25no 3 pp 88ndash93 2018

[2] M Tao K Ota andMDong ldquoFoud Integrating Fog andCloudfor 5G-EnabledV2GNetworksrdquo IEEENetwork vol 31 no 2 pp8ndash13 2017

[3] J Xu K Ota and M Dong ldquoReal-Time Awareness Schedulingfor Multimedia Big Data Oriented In-Memory ComputingrdquoIEEE Internet of Things Journal 2018

[4] P G Lopez A Montresor D Epema et al ldquoEdge-centriccomputing vision and challengesrdquo Computer CommunicationReview vol 45 no 5 pp 37ndash42 2015

[5] Z ZhouM Dong K Ota JWu and T Sato ldquoEnergy efficiencyand spectral efficiency tradeoff in device-to-device (D2D)communicationsrdquo IEEE Wireless Communications Letters vol3 no 5 pp 485ndash488 2014

[6] A Y Al-Dubai L Zhao A Y Zomaya andGMin ldquoQoS-AwareInter-DomainMulticast for Scalable Wireless Community Net-worksrdquo IEEE Transactions on Parallel and Distributed Systemsvol 26 no 11 pp 3136ndash3148 2015

[7] L Zhao A Al-Dubai X Li andG Chen ldquoA new efficient cross-layer relay node selectionmodel forWireless CommunityMeshNetworksrdquo Computers Electrical Engineering vol 61 pp 361ndash372 2017

[8] G Han J Jiang C Zhang T Q Duong M Guizani and GK Karagiannidis ldquoA Survey on Mobile Anchor Node AssistedLocalization in Wireless Sensor Networksrdquo IEEE Communica-tions Surveys amp Tutorials vol 18 no 3 pp 2220ndash2243 2016

[9] L Zhao et al ldquoVehicular Communications Standardizationand Open Issuesrdquo IEEE Communications Standards Magazine2019

[10] H Li K Ota and M Dong ldquoLearning IoT in edge deeplearning for the internet of things with edge computingrdquo IEEENetwork vol 32 no 1 pp 96ndash101 2018

[11] X Tao KOtaMDongHQi andK Li ldquoPerformance guaran-teed computation offloading formobile-edge cloud computingrdquoIEEEWireless Communications Letters vol 6 no 6 pp 774ndash7772017

[12] CGentry ldquoFully homomorphic encryption using ideal latticesrdquoin Proceedings of the 41st annual ACM symposium on Theory ofComputing (STOC rsquo09) pp 169ndash178 ACM Bethesda Md USA2009

[13] S Halevi ldquoHomomorphic Encryptionrdquo in Tutorials on theFoundations of Cryptography Information Security and Cryp-tography pp 219ndash276 Springer International PublishingCham 2017

[14] M vanDijk C Gentry S Halevi and V Vaikuntanathan ldquoFullyhomomorphic encryption over the integersrdquo in Advances incryptologymdashEUROCRYPT 2010 vol 6110 pp 24ndash43 SpringerBerlin Germany 2010

[15] C Gentry and S Halevi ldquoImplementing Gentryrsquos fullymdashhomomorphic encryption schemerdquo inAdvances in cryptologymdashEUROCRYPT 2011 vol 6632 of Lecture Notes in ComputerScience pp 129ndash148 Springer Heidelberg Germany 2011

[16] N P Smart andFVercauteren ldquoFully homomorphic encryptionwith relatively small key and ciphertext sizesrdquo Lecture Notes in

Wireless Communications and Mobile Computing 9

1 1 1 1 1 1

3 3 3 3 3 3

33L-233L-233L-2

3L+11 recrypt3L+1recrypt1

r shift

33L-233L-233L-21

1 1 1 1 1 11

recrypt recrypt recrypt recrypt recrypt recrypt

Figure 2 The optimised addition operations each colour block represents same position subvectors ofP119894andF the length of each colour

block is L ldquor shiftrdquo represents ciphertext vector right shift one position ldquorecryptrdquo represents ciphertext refresh This figure shows the degreechange of each component ofP

119894andF

42 Optimization of Our Scheme From the analysis of noiseceiling in Section 41 we need to control the noise increasesby using ciphertext refresh or modulus-switching techniquein each multiplication level of homomorphic evaluation ofthe 119899 bits signed integer arithmetic operations Howeverthe ciphertext refresh or modulus-switching technique willreduce our scheme efficiency Therefore we will describe anoptimisation for our scheme in this section The optimisationcan reduce the number of ciphertext refresh and improveefficiency

Because the integer arithmetic operation is completedbased on the addition operation we optimise the homo-morphic evaluation of the integer addition We divide theciphertext vector of integer encryption into subvectors oflength L The homomorphic evaluation of arithmetic oper-ations between the subvectors in the same position do notneed ciphertext refresh and the subvectors in different posi-tions need to refresh ciphertext-carry once Therefore theoptimised scheme need not ciphertext refresh in each multi-plication level and reduces the number of ciphertext refreshWe take addition operations of the product accumulator toexplain our optimisation In the homomorphic evaluationof the multiplication operations the product accumulatorP119894 is as formula (9) The formula (9) is a polynomial ofdegree three and P119894 is a ciphertext vector of degree oneWe denote by F vector of JCHP11989811990611989711990511990901205881015840 We divide theciphertext vector of P119894 and F into ciphertext subvectorsof length L The ciphertext operations of subvectors of thesame position are the same as homomorphic evaluation ofthe addition operations (without ciphertext refresh) Theciphertext operations of subvectors of different position needto refresh ciphertext-carry once (see Figure 2)

The subvectors of P119894 and F generate ciphertext-resultblock and ciphertext-carry In every ciphertext-result blockthe maximum degree is 3L minus 2 (leftmost) and the minimumdegree is 3 (rightmost) The ciphertext-carry degree is 3L +1 in each subvector of the different position Each cipher-text of ciphertext-result block and ciphertext-carry can use

ciphertext refresh (recrypt) to reduce degree up to one Thenumber of ciphertext refresh of once product accumulator(P119894 +F) for ciphertext-carry

(i) If 119899 is divisible by L it will generate 119899Lminus1 ciphertext-carry and the number of ciphertext refresh is 119888119899119905 =119899L minus 1 times

(ii) If 119899 is inalienable by L it will generate lfloor119899Lrfloorciphertext-carry and the number of ciphertext refreshis 119888119899119905 = lfloor119899Lrfloor times

Homomorphic evaluation of the multiplication operationsneeds 119899minus1 times product accumulator and whole operationsneed (119899minus1)∙119888119899119905 times ciphertext refresh for ciphertext-carryand (119899 minus 1) ∙ 119899 times ciphertext refresh for ciphertext-resultblock Total times of ciphertext refresh for homomorphicevaluation of the multiplication operations

119862119873119879 = (119899 minus 1) ∙ 119899 + (119899 minus 1) ∙ 119888119899119905 (18)

In the original homomorphic evaluation of the multi-plication operations every multiplication level needs onceciphertext refresh Whole operations need (119899 minus 1)(3119899 minus 3) +119899(119899 minus 1) + 2119899 minus 3 times ciphertext refresh We apply aboveoptimisation to the homomorphic evaluation of the com-plement addition subtraction multiplication and divisionoperations and set 119899 = 16 L = 1 2 3 4We show the numberof ciphertext refresh of the original scheme (L = 0) and anoptimised scheme (L = 1 2 3 4) as Table 4

In order to implement our optimisation we need to adjustthe parameters of homomorphic encryption and make FHEsupport the log(3L+1)multiplication level additional exceptfor the 15-multiplication level required by bootstrappingTherefore we reset the length of the private key 120578 ge 1205881015840 ∙Θ(120582log2120582) + 1205881015840 ∙ 2log(3L+1) + log(2Lminus1 + 1) We set securityparameter 120582 = 52 the length of noise 1205881015840 = 24 and 120579 = 15Θ = 500 Parameters are set as Table 5

10 Wireless Communications and Mobile Computing

Table 4 The number of ciphertext refresh of homomorphic evaluation of the integer arithmetic operations

HE-IAO L = 0 L = 1 L = 2 L = 3 L = 4HE-com 29 29 22 20 18HE-add 45 31 23 21 19HE-sub 74 60 45 41 37HE-mul 944 494 367 335 303HE-div 1095 585 437 397 359

Table 5 Concrete parameters based on the ldquosmallrdquo parameters of CMNT scheme and reset the length of public key 120578 and 120574 Fixed 120582 1205881015840 andthe number of public keys 120591 only changed 120578 and 120574 according to L

parameters 120582 1205881015840 120578 120574 120591L = 0 52 24 1632 20 ∙ 106 1000L = 1 52 24 1728 25 ∙ 106 1000L = 2 52 24 1801 30 ∙ 106 1000L = 3 52 24 1874 35 ∙ 106 1000L = 4 52 24 1993 42 ∙ 106 1000

5 Experimental Result

Our optimisations described in our scheme were incorpo-rated in our code which is built on top of GnuMP We testedour implementation on a desktop computer with Intel Corei5-3470 running at 32 GHz on which we run an Ubuntu1804 with 8 GB of RAM and with the gcc compiler version62 We regard this desktop computer as an edge data centreto test our scheme efficiency in edge computing We choosethe ciphertext vector of 16 and 8 bits signed integer as inputDue to our optimisations for the FHE with bootstrappingwe test our original scheme (L = 0) and optimised scheme(L = 1 2 3 4) in DGHV and CMNT scheme (see Figures3(a) 3(b) 3(c) 3(d) and 3(e)) In CNT scheme we onlyuse modulus-switching technique to control noise So wetest the original scheme in CNT scheme (see Figures 4(a)and 4(b)) In our figures ldquoHE-com (CMNT 16)rdquo representthe homomorphic evaluation of the complement operationsand calculate the ciphertext vector of 16 bits signed integerin the CMNT scheme ldquoHE-com (DGHV 8)rdquo represent thehomomorphic evaluation of the complement operations andcalculate the ciphertext vector of 8 bits signed integer inDGHV schemeThe explanation of other legends is the sameas above We show the following experimental results basedon the Section 42 parameter settings

We can conclude (see Figures 3(b) 3(c) 3(d) and 3(e))that L = 2 is best parameters setting for homomorphicevaluation of the addition subtraction multiplication anddivision However the time overhead of homomorphic eval-uation of the complement operations is monotone increasingat L (see Figure 3(a)) When L = 0 the time overhead is theabsolute minimum When L = 0 and L = 1 the number ofciphertext refresh is the sameAlso the degree of complementoperations is 2119899 minus 3 When 119899 = 16 the degree is 29 inL = 0 It is the same as L = 1 The reduced time overheadof the optimised complement operations cannot offset thecomputation cost caused by the increase in ciphertext lengthHowever the relative minimum value appears at L = 2

(see Figures 3(a) 3(b) 3(c) 3(d) and 3(e)) It shows thatour optimisation is useful and can reduce the time overheadfor our scheme except homomorphic evaluation of thecomplement operations Namely we divide the ciphertextvector of integer encryption into subvectors of length 2 andmake DGHV and CMNT scheme to support the log(3 ∙ 2 +1) asymp 3 multiplication level additional The optimisation ofour scheme can achieve the best results In the number ofciphertext refreshes the optimised scheme is reduced by 23compared to the original scheme over DGHV and CMNTand the homomorphic evaluation time overhead of integerarithmetic operation is reduced by 13

The DGHV and CMNT schemes are different with CNTscheme in noise management technology The DGHV andCMNT schemes use bootstrapping to control noise andthe CNT scheme uses the modulus switching technology tocontrol noise Our optimization is used for homomorphicevaluation of integer arithmetic operations which are imple-mented byDGHVandCMNTschemes (with bootstrapping)rather than by CNT scheme (modulus-switching)Thereforewe just compare the beat result (L = 2) of our scheme basedon DGHV and CMNT schemes with CNT scheme (L = 0)We can draw a conclusion (see Figures 4(a) and 4(b)) thatthe time overhead of our optimised scheme based on DGHVand CMNT schemes (bootstrapping) with L = 2 close to thetime overhead of basing on CNT (modulus-switching) withL = 0 It also shows that our optimisation is effective And ouroptimized scheme can be applied to mobile edge computingto solve privacy data computing problems in ciphertext

6 Conclusion

We implement the homomorphic evaluation scheme ofinteger arithmetic operations under DGHV and its variantsin edge computing We use the features of homomorphicencryption to prevent sensitive data from being stolen inedge computing At the same time we can also calculateciphertext data in edge computing and improve the QoS

Wireless Communications and Mobile Computing 11

HE-com(CMNT 16)HE-com(DGHV 16)

HE-com(CMNT 8)HE-com(DGHV 8)

200

300

400

500

600

700

800

Tim

e (s)

30 1 42L (subvector length)

(a)

HE-add(CMNT 16)HE-add(DGHV 16)

HE-add(CMNT 8)HE-add(DGHV 8)

30 1 2 4L (subvector length)

200

300

400

500

600

700

800

900

Tim

e (s)

(b)

400

600

800

1000

1200

1400

1600

1800

Tim

e (s)

30 1 2 4L (subvector length)

HE-sub(CMNT 16)HE-sub(DGHV 16)

HE-sub(CMNT 8)HE-sub(DGHV 8)

(c)

HE-mul(CMNT 16)HE-mul(DGHV 16)

HE-mul(CMNT 8)HE-mul(DGHV 8)

30 1 2 4L (subvector length)

2000

4000

6000

8000

10000

12000

14000

16000

Tim

e (s)

(d)

HE-div(CMNT 16)HE-div(DGHV 16)

HE-div(CMNT 8)HE-div(DGHV 8)

30 1 2 4L (subvector length)

02040608

112141618

2

Tim

e (s)

times104

(e)

Figure 3 Tested (a) HE-com (b) HE-add (c) HE-sub (d) HE-mul (e) HE-div CPU time

of edge computing Through scheme design noise analysisscheme optimisation and experimental comparison thedifferent performance of homomorphic evaluation of theinteger arithmetic operations is obtained under different FHEschemes Although we optimise our scheme in Section 42

the time overhead of our scheme is still high The primaryopen problem is to improve the efficiency of the FHE schemeThis requires us to work together to find a natural FHEscheme or to continue to optimise the FHE architecture toachieve more efficient noise management techniques

12 Wireless Communications and Mobile Computing

3500

3000

2500

2000

1500

1000

500

0

Tim

e (s)

DGHV(8)CMNT(8)CNT(8)

DGHV and CMNTL=2CNTL=0HE-divHE-mulHE-subHE-addHE-com

(a)

Tim

e (s)

DGHV(16)CMNT(16)CNT(16)

DGHV and CMNTL=2CNTL=0HE-divHE-mulHE-subHE-addHE-com

12000

10000

8000

6000

4000

2000

0

(b)

Figure 4 (a) Tested HE-IAO CPU time of ciphertext vector of length 8 (b) Tested HE-IAO CPU time of ciphertext vector of length 16

Data Availability

The data and code used to support the findings of thisstudy have been deposited in the GitHub repository (httpsgithubcomlimengfei1187Homomorphic-Encryptiongit)

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This work is partly supported by the National ScienceFoundation of China (61701322) the Key Projects of LiaoningNatural Science Foundation (20170540700) and the LiaoningProvincial Department of Education Science Foundation(L201630)

References

[1] L He O Kaoru and D Mianxiong ldquoECCN Orchestration ofEdge-Centric Computing and Content-Centric Networking inthe 5G Radio Access Networkrdquo IEEEWireless Commun vol 25no 3 pp 88ndash93 2018

[2] M Tao K Ota andMDong ldquoFoud Integrating Fog andCloudfor 5G-EnabledV2GNetworksrdquo IEEENetwork vol 31 no 2 pp8ndash13 2017

[3] J Xu K Ota and M Dong ldquoReal-Time Awareness Schedulingfor Multimedia Big Data Oriented In-Memory ComputingrdquoIEEE Internet of Things Journal 2018

[4] P G Lopez A Montresor D Epema et al ldquoEdge-centriccomputing vision and challengesrdquo Computer CommunicationReview vol 45 no 5 pp 37ndash42 2015

[5] Z ZhouM Dong K Ota JWu and T Sato ldquoEnergy efficiencyand spectral efficiency tradeoff in device-to-device (D2D)communicationsrdquo IEEE Wireless Communications Letters vol3 no 5 pp 485ndash488 2014

[6] A Y Al-Dubai L Zhao A Y Zomaya andGMin ldquoQoS-AwareInter-DomainMulticast for Scalable Wireless Community Net-worksrdquo IEEE Transactions on Parallel and Distributed Systemsvol 26 no 11 pp 3136ndash3148 2015

[7] L Zhao A Al-Dubai X Li andG Chen ldquoA new efficient cross-layer relay node selectionmodel forWireless CommunityMeshNetworksrdquo Computers Electrical Engineering vol 61 pp 361ndash372 2017

[8] G Han J Jiang C Zhang T Q Duong M Guizani and GK Karagiannidis ldquoA Survey on Mobile Anchor Node AssistedLocalization in Wireless Sensor Networksrdquo IEEE Communica-tions Surveys amp Tutorials vol 18 no 3 pp 2220ndash2243 2016

[9] L Zhao et al ldquoVehicular Communications Standardizationand Open Issuesrdquo IEEE Communications Standards Magazine2019

[10] H Li K Ota and M Dong ldquoLearning IoT in edge deeplearning for the internet of things with edge computingrdquo IEEENetwork vol 32 no 1 pp 96ndash101 2018

[11] X Tao KOtaMDongHQi andK Li ldquoPerformance guaran-teed computation offloading formobile-edge cloud computingrdquoIEEEWireless Communications Letters vol 6 no 6 pp 774ndash7772017

[12] CGentry ldquoFully homomorphic encryption using ideal latticesrdquoin Proceedings of the 41st annual ACM symposium on Theory ofComputing (STOC rsquo09) pp 169ndash178 ACM Bethesda Md USA2009

[13] S Halevi ldquoHomomorphic Encryptionrdquo in Tutorials on theFoundations of Cryptography Information Security and Cryp-tography pp 219ndash276 Springer International PublishingCham 2017

[14] M vanDijk C Gentry S Halevi and V Vaikuntanathan ldquoFullyhomomorphic encryption over the integersrdquo in Advances incryptologymdashEUROCRYPT 2010 vol 6110 pp 24ndash43 SpringerBerlin Germany 2010

[15] C Gentry and S Halevi ldquoImplementing Gentryrsquos fullymdashhomomorphic encryption schemerdquo inAdvances in cryptologymdashEUROCRYPT 2011 vol 6632 of Lecture Notes in ComputerScience pp 129ndash148 Springer Heidelberg Germany 2011

[16] N P Smart andFVercauteren ldquoFully homomorphic encryptionwith relatively small key and ciphertext sizesrdquo Lecture Notes in

10 Wireless Communications and Mobile Computing

Table 4 The number of ciphertext refresh of homomorphic evaluation of the integer arithmetic operations

HE-IAO L = 0 L = 1 L = 2 L = 3 L = 4HE-com 29 29 22 20 18HE-add 45 31 23 21 19HE-sub 74 60 45 41 37HE-mul 944 494 367 335 303HE-div 1095 585 437 397 359

Table 5 Concrete parameters based on the ldquosmallrdquo parameters of CMNT scheme and reset the length of public key 120578 and 120574 Fixed 120582 1205881015840 andthe number of public keys 120591 only changed 120578 and 120574 according to L

parameters 120582 1205881015840 120578 120574 120591L = 0 52 24 1632 20 ∙ 106 1000L = 1 52 24 1728 25 ∙ 106 1000L = 2 52 24 1801 30 ∙ 106 1000L = 3 52 24 1874 35 ∙ 106 1000L = 4 52 24 1993 42 ∙ 106 1000

5 Experimental Result

Our optimisations described in our scheme were incorpo-rated in our code which is built on top of GnuMP We testedour implementation on a desktop computer with Intel Corei5-3470 running at 32 GHz on which we run an Ubuntu1804 with 8 GB of RAM and with the gcc compiler version62 We regard this desktop computer as an edge data centreto test our scheme efficiency in edge computing We choosethe ciphertext vector of 16 and 8 bits signed integer as inputDue to our optimisations for the FHE with bootstrappingwe test our original scheme (L = 0) and optimised scheme(L = 1 2 3 4) in DGHV and CMNT scheme (see Figures3(a) 3(b) 3(c) 3(d) and 3(e)) In CNT scheme we onlyuse modulus-switching technique to control noise So wetest the original scheme in CNT scheme (see Figures 4(a)and 4(b)) In our figures ldquoHE-com (CMNT 16)rdquo representthe homomorphic evaluation of the complement operationsand calculate the ciphertext vector of 16 bits signed integerin the CMNT scheme ldquoHE-com (DGHV 8)rdquo represent thehomomorphic evaluation of the complement operations andcalculate the ciphertext vector of 8 bits signed integer inDGHV schemeThe explanation of other legends is the sameas above We show the following experimental results basedon the Section 42 parameter settings

We can conclude (see Figures 3(b) 3(c) 3(d) and 3(e))that L = 2 is best parameters setting for homomorphicevaluation of the addition subtraction multiplication anddivision However the time overhead of homomorphic eval-uation of the complement operations is monotone increasingat L (see Figure 3(a)) When L = 0 the time overhead is theabsolute minimum When L = 0 and L = 1 the number ofciphertext refresh is the sameAlso the degree of complementoperations is 2119899 minus 3 When 119899 = 16 the degree is 29 inL = 0 It is the same as L = 1 The reduced time overheadof the optimised complement operations cannot offset thecomputation cost caused by the increase in ciphertext lengthHowever the relative minimum value appears at L = 2

(see Figures 3(a) 3(b) 3(c) 3(d) and 3(e)) It shows thatour optimisation is useful and can reduce the time overheadfor our scheme except homomorphic evaluation of thecomplement operations Namely we divide the ciphertextvector of integer encryption into subvectors of length 2 andmake DGHV and CMNT scheme to support the log(3 ∙ 2 +1) asymp 3 multiplication level additional The optimisation ofour scheme can achieve the best results In the number ofciphertext refreshes the optimised scheme is reduced by 23compared to the original scheme over DGHV and CMNTand the homomorphic evaluation time overhead of integerarithmetic operation is reduced by 13

The DGHV and CMNT schemes are different with CNTscheme in noise management technology The DGHV andCMNT schemes use bootstrapping to control noise andthe CNT scheme uses the modulus switching technology tocontrol noise Our optimization is used for homomorphicevaluation of integer arithmetic operations which are imple-mented byDGHVandCMNTschemes (with bootstrapping)rather than by CNT scheme (modulus-switching)Thereforewe just compare the beat result (L = 2) of our scheme basedon DGHV and CMNT schemes with CNT scheme (L = 0)We can draw a conclusion (see Figures 4(a) and 4(b)) thatthe time overhead of our optimised scheme based on DGHVand CMNT schemes (bootstrapping) with L = 2 close to thetime overhead of basing on CNT (modulus-switching) withL = 0 It also shows that our optimisation is effective And ouroptimized scheme can be applied to mobile edge computingto solve privacy data computing problems in ciphertext

6 Conclusion

We implement the homomorphic evaluation scheme ofinteger arithmetic operations under DGHV and its variantsin edge computing We use the features of homomorphicencryption to prevent sensitive data from being stolen inedge computing At the same time we can also calculateciphertext data in edge computing and improve the QoS

Wireless Communications and Mobile Computing 11

HE-com(CMNT 16)HE-com(DGHV 16)

HE-com(CMNT 8)HE-com(DGHV 8)

200

300

400

500

600

700

800

Tim

e (s)

30 1 42L (subvector length)

(a)

HE-add(CMNT 16)HE-add(DGHV 16)

HE-add(CMNT 8)HE-add(DGHV 8)

30 1 2 4L (subvector length)

200

300

400

500

600

700

800

900

Tim

e (s)

(b)

400

600

800

1000

1200

1400

1600

1800

Tim

e (s)

30 1 2 4L (subvector length)

HE-sub(CMNT 16)HE-sub(DGHV 16)

HE-sub(CMNT 8)HE-sub(DGHV 8)

(c)

HE-mul(CMNT 16)HE-mul(DGHV 16)

HE-mul(CMNT 8)HE-mul(DGHV 8)

30 1 2 4L (subvector length)

2000

4000

6000

8000

10000

12000

14000

16000

Tim

e (s)

(d)

HE-div(CMNT 16)HE-div(DGHV 16)

HE-div(CMNT 8)HE-div(DGHV 8)

30 1 2 4L (subvector length)

02040608

112141618

2

Tim

e (s)

times104

(e)

Figure 3 Tested (a) HE-com (b) HE-add (c) HE-sub (d) HE-mul (e) HE-div CPU time

of edge computing Through scheme design noise analysisscheme optimisation and experimental comparison thedifferent performance of homomorphic evaluation of theinteger arithmetic operations is obtained under different FHEschemes Although we optimise our scheme in Section 42

the time overhead of our scheme is still high The primaryopen problem is to improve the efficiency of the FHE schemeThis requires us to work together to find a natural FHEscheme or to continue to optimise the FHE architecture toachieve more efficient noise management techniques

12 Wireless Communications and Mobile Computing

3500

3000

2500

2000

1500

1000

500

0

Tim

e (s)

DGHV(8)CMNT(8)CNT(8)

DGHV and CMNTL=2CNTL=0HE-divHE-mulHE-subHE-addHE-com

(a)

Tim

e (s)

DGHV(16)CMNT(16)CNT(16)

DGHV and CMNTL=2CNTL=0HE-divHE-mulHE-subHE-addHE-com

12000

10000

8000

6000

4000

2000

0

(b)

Figure 4 (a) Tested HE-IAO CPU time of ciphertext vector of length 8 (b) Tested HE-IAO CPU time of ciphertext vector of length 16

Data Availability

The data and code used to support the findings of thisstudy have been deposited in the GitHub repository (httpsgithubcomlimengfei1187Homomorphic-Encryptiongit)

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This work is partly supported by the National ScienceFoundation of China (61701322) the Key Projects of LiaoningNatural Science Foundation (20170540700) and the LiaoningProvincial Department of Education Science Foundation(L201630)

References

[1] L He O Kaoru and D Mianxiong ldquoECCN Orchestration ofEdge-Centric Computing and Content-Centric Networking inthe 5G Radio Access Networkrdquo IEEEWireless Commun vol 25no 3 pp 88ndash93 2018

[2] M Tao K Ota andMDong ldquoFoud Integrating Fog andCloudfor 5G-EnabledV2GNetworksrdquo IEEENetwork vol 31 no 2 pp8ndash13 2017

[3] J Xu K Ota and M Dong ldquoReal-Time Awareness Schedulingfor Multimedia Big Data Oriented In-Memory ComputingrdquoIEEE Internet of Things Journal 2018

[4] P G Lopez A Montresor D Epema et al ldquoEdge-centriccomputing vision and challengesrdquo Computer CommunicationReview vol 45 no 5 pp 37ndash42 2015

[5] Z ZhouM Dong K Ota JWu and T Sato ldquoEnergy efficiencyand spectral efficiency tradeoff in device-to-device (D2D)communicationsrdquo IEEE Wireless Communications Letters vol3 no 5 pp 485ndash488 2014

[6] A Y Al-Dubai L Zhao A Y Zomaya andGMin ldquoQoS-AwareInter-DomainMulticast for Scalable Wireless Community Net-worksrdquo IEEE Transactions on Parallel and Distributed Systemsvol 26 no 11 pp 3136ndash3148 2015

[7] L Zhao A Al-Dubai X Li andG Chen ldquoA new efficient cross-layer relay node selectionmodel forWireless CommunityMeshNetworksrdquo Computers Electrical Engineering vol 61 pp 361ndash372 2017

[8] G Han J Jiang C Zhang T Q Duong M Guizani and GK Karagiannidis ldquoA Survey on Mobile Anchor Node AssistedLocalization in Wireless Sensor Networksrdquo IEEE Communica-tions Surveys amp Tutorials vol 18 no 3 pp 2220ndash2243 2016

[9] L Zhao et al ldquoVehicular Communications Standardizationand Open Issuesrdquo IEEE Communications Standards Magazine2019

[10] H Li K Ota and M Dong ldquoLearning IoT in edge deeplearning for the internet of things with edge computingrdquo IEEENetwork vol 32 no 1 pp 96ndash101 2018

[11] X Tao KOtaMDongHQi andK Li ldquoPerformance guaran-teed computation offloading formobile-edge cloud computingrdquoIEEEWireless Communications Letters vol 6 no 6 pp 774ndash7772017

[12] CGentry ldquoFully homomorphic encryption using ideal latticesrdquoin Proceedings of the 41st annual ACM symposium on Theory ofComputing (STOC rsquo09) pp 169ndash178 ACM Bethesda Md USA2009

[13] S Halevi ldquoHomomorphic Encryptionrdquo in Tutorials on theFoundations of Cryptography Information Security and Cryp-tography pp 219ndash276 Springer International PublishingCham 2017

[14] M vanDijk C Gentry S Halevi and V Vaikuntanathan ldquoFullyhomomorphic encryption over the integersrdquo in Advances incryptologymdashEUROCRYPT 2010 vol 6110 pp 24ndash43 SpringerBerlin Germany 2010

[15] C Gentry and S Halevi ldquoImplementing Gentryrsquos fullymdashhomomorphic encryption schemerdquo inAdvances in cryptologymdashEUROCRYPT 2011 vol 6632 of Lecture Notes in ComputerScience pp 129ndash148 Springer Heidelberg Germany 2011

[16] N P Smart andFVercauteren ldquoFully homomorphic encryptionwith relatively small key and ciphertext sizesrdquo Lecture Notes in

Wireless Communications and Mobile Computing 11

HE-com(CMNT 16)HE-com(DGHV 16)

HE-com(CMNT 8)HE-com(DGHV 8)

200

300

400

500

600

700

800

Tim

e (s)

30 1 42L (subvector length)

(a)

HE-add(CMNT 16)HE-add(DGHV 16)

HE-add(CMNT 8)HE-add(DGHV 8)

30 1 2 4L (subvector length)

200

300

400

500

600

700

800

900

Tim

e (s)

(b)

400

600

800

1000

1200

1400

1600

1800

Tim

e (s)

30 1 2 4L (subvector length)

HE-sub(CMNT 16)HE-sub(DGHV 16)

HE-sub(CMNT 8)HE-sub(DGHV 8)

(c)

HE-mul(CMNT 16)HE-mul(DGHV 16)

HE-mul(CMNT 8)HE-mul(DGHV 8)

30 1 2 4L (subvector length)

2000

4000

6000

8000

10000

12000

14000

16000

Tim

e (s)

(d)

HE-div(CMNT 16)HE-div(DGHV 16)

HE-div(CMNT 8)HE-div(DGHV 8)

30 1 2 4L (subvector length)

02040608

112141618

2

Tim

e (s)

times104

(e)

Figure 3 Tested (a) HE-com (b) HE-add (c) HE-sub (d) HE-mul (e) HE-div CPU time

of edge computing Through scheme design noise analysisscheme optimisation and experimental comparison thedifferent performance of homomorphic evaluation of theinteger arithmetic operations is obtained under different FHEschemes Although we optimise our scheme in Section 42

the time overhead of our scheme is still high The primaryopen problem is to improve the efficiency of the FHE schemeThis requires us to work together to find a natural FHEscheme or to continue to optimise the FHE architecture toachieve more efficient noise management techniques

12 Wireless Communications and Mobile Computing

3500

3000

2500

2000

1500

1000

500

0

Tim

e (s)

DGHV(8)CMNT(8)CNT(8)

DGHV and CMNTL=2CNTL=0HE-divHE-mulHE-subHE-addHE-com

(a)

Tim

e (s)

DGHV(16)CMNT(16)CNT(16)

DGHV and CMNTL=2CNTL=0HE-divHE-mulHE-subHE-addHE-com

12000

10000

8000

6000

4000

2000

0

(b)

Figure 4 (a) Tested HE-IAO CPU time of ciphertext vector of length 8 (b) Tested HE-IAO CPU time of ciphertext vector of length 16

Data Availability

The data and code used to support the findings of thisstudy have been deposited in the GitHub repository (httpsgithubcomlimengfei1187Homomorphic-Encryptiongit)

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This work is partly supported by the National ScienceFoundation of China (61701322) the Key Projects of LiaoningNatural Science Foundation (20170540700) and the LiaoningProvincial Department of Education Science Foundation(L201630)

References

[1] L He O Kaoru and D Mianxiong ldquoECCN Orchestration ofEdge-Centric Computing and Content-Centric Networking inthe 5G Radio Access Networkrdquo IEEEWireless Commun vol 25no 3 pp 88ndash93 2018

[2] M Tao K Ota andMDong ldquoFoud Integrating Fog andCloudfor 5G-EnabledV2GNetworksrdquo IEEENetwork vol 31 no 2 pp8ndash13 2017

[3] J Xu K Ota and M Dong ldquoReal-Time Awareness Schedulingfor Multimedia Big Data Oriented In-Memory ComputingrdquoIEEE Internet of Things Journal 2018

[4] P G Lopez A Montresor D Epema et al ldquoEdge-centriccomputing vision and challengesrdquo Computer CommunicationReview vol 45 no 5 pp 37ndash42 2015

[5] Z ZhouM Dong K Ota JWu and T Sato ldquoEnergy efficiencyand spectral efficiency tradeoff in device-to-device (D2D)communicationsrdquo IEEE Wireless Communications Letters vol3 no 5 pp 485ndash488 2014

[6] A Y Al-Dubai L Zhao A Y Zomaya andGMin ldquoQoS-AwareInter-DomainMulticast for Scalable Wireless Community Net-worksrdquo IEEE Transactions on Parallel and Distributed Systemsvol 26 no 11 pp 3136ndash3148 2015

[7] L Zhao A Al-Dubai X Li andG Chen ldquoA new efficient cross-layer relay node selectionmodel forWireless CommunityMeshNetworksrdquo Computers Electrical Engineering vol 61 pp 361ndash372 2017

[8] G Han J Jiang C Zhang T Q Duong M Guizani and GK Karagiannidis ldquoA Survey on Mobile Anchor Node AssistedLocalization in Wireless Sensor Networksrdquo IEEE Communica-tions Surveys amp Tutorials vol 18 no 3 pp 2220ndash2243 2016

[9] L Zhao et al ldquoVehicular Communications Standardizationand Open Issuesrdquo IEEE Communications Standards Magazine2019

[10] H Li K Ota and M Dong ldquoLearning IoT in edge deeplearning for the internet of things with edge computingrdquo IEEENetwork vol 32 no 1 pp 96ndash101 2018

[11] X Tao KOtaMDongHQi andK Li ldquoPerformance guaran-teed computation offloading formobile-edge cloud computingrdquoIEEEWireless Communications Letters vol 6 no 6 pp 774ndash7772017

[12] CGentry ldquoFully homomorphic encryption using ideal latticesrdquoin Proceedings of the 41st annual ACM symposium on Theory ofComputing (STOC rsquo09) pp 169ndash178 ACM Bethesda Md USA2009

[13] S Halevi ldquoHomomorphic Encryptionrdquo in Tutorials on theFoundations of Cryptography Information Security and Cryp-tography pp 219ndash276 Springer International PublishingCham 2017

[14] M vanDijk C Gentry S Halevi and V Vaikuntanathan ldquoFullyhomomorphic encryption over the integersrdquo in Advances incryptologymdashEUROCRYPT 2010 vol 6110 pp 24ndash43 SpringerBerlin Germany 2010

[15] C Gentry and S Halevi ldquoImplementing Gentryrsquos fullymdashhomomorphic encryption schemerdquo inAdvances in cryptologymdashEUROCRYPT 2011 vol 6632 of Lecture Notes in ComputerScience pp 129ndash148 Springer Heidelberg Germany 2011

[16] N P Smart andFVercauteren ldquoFully homomorphic encryptionwith relatively small key and ciphertext sizesrdquo Lecture Notes in

12 Wireless Communications and Mobile Computing

3500

3000

2500

2000

1500

1000

500

0

Tim

e (s)

DGHV(8)CMNT(8)CNT(8)

DGHV and CMNTL=2CNTL=0HE-divHE-mulHE-subHE-addHE-com

(a)

Tim

e (s)

DGHV(16)CMNT(16)CNT(16)

DGHV and CMNTL=2CNTL=0HE-divHE-mulHE-subHE-addHE-com

12000

10000

8000

6000

4000

2000

0

(b)

Figure 4 (a) Tested HE-IAO CPU time of ciphertext vector of length 8 (b) Tested HE-IAO CPU time of ciphertext vector of length 16

Data Availability

The data and code used to support the findings of thisstudy have been deposited in the GitHub repository (httpsgithubcomlimengfei1187Homomorphic-Encryptiongit)

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This work is partly supported by the National ScienceFoundation of China (61701322) the Key Projects of LiaoningNatural Science Foundation (20170540700) and the LiaoningProvincial Department of Education Science Foundation(L201630)

References

[1] L He O Kaoru and D Mianxiong ldquoECCN Orchestration ofEdge-Centric Computing and Content-Centric Networking inthe 5G Radio Access Networkrdquo IEEEWireless Commun vol 25no 3 pp 88ndash93 2018

[2] M Tao K Ota andMDong ldquoFoud Integrating Fog andCloudfor 5G-EnabledV2GNetworksrdquo IEEENetwork vol 31 no 2 pp8ndash13 2017

[3] J Xu K Ota and M Dong ldquoReal-Time Awareness Schedulingfor Multimedia Big Data Oriented In-Memory ComputingrdquoIEEE Internet of Things Journal 2018

[4] P G Lopez A Montresor D Epema et al ldquoEdge-centriccomputing vision and challengesrdquo Computer CommunicationReview vol 45 no 5 pp 37ndash42 2015

[5] Z ZhouM Dong K Ota JWu and T Sato ldquoEnergy efficiencyand spectral efficiency tradeoff in device-to-device (D2D)communicationsrdquo IEEE Wireless Communications Letters vol3 no 5 pp 485ndash488 2014

[6] A Y Al-Dubai L Zhao A Y Zomaya andGMin ldquoQoS-AwareInter-DomainMulticast for Scalable Wireless Community Net-worksrdquo IEEE Transactions on Parallel and Distributed Systemsvol 26 no 11 pp 3136ndash3148 2015

[7] L Zhao A Al-Dubai X Li andG Chen ldquoA new efficient cross-layer relay node selectionmodel forWireless CommunityMeshNetworksrdquo Computers Electrical Engineering vol 61 pp 361ndash372 2017

[8] G Han J Jiang C Zhang T Q Duong M Guizani and GK Karagiannidis ldquoA Survey on Mobile Anchor Node AssistedLocalization in Wireless Sensor Networksrdquo IEEE Communica-tions Surveys amp Tutorials vol 18 no 3 pp 2220ndash2243 2016

[9] L Zhao et al ldquoVehicular Communications Standardizationand Open Issuesrdquo IEEE Communications Standards Magazine2019

[10] H Li K Ota and M Dong ldquoLearning IoT in edge deeplearning for the internet of things with edge computingrdquo IEEENetwork vol 32 no 1 pp 96ndash101 2018

[11] X Tao KOtaMDongHQi andK Li ldquoPerformance guaran-teed computation offloading formobile-edge cloud computingrdquoIEEEWireless Communications Letters vol 6 no 6 pp 774ndash7772017

[12] CGentry ldquoFully homomorphic encryption using ideal latticesrdquoin Proceedings of the 41st annual ACM symposium on Theory ofComputing (STOC rsquo09) pp 169ndash178 ACM Bethesda Md USA2009

[13] S Halevi ldquoHomomorphic Encryptionrdquo in Tutorials on theFoundations of Cryptography Information Security and Cryp-tography pp 219ndash276 Springer International PublishingCham 2017

[14] M vanDijk C Gentry S Halevi and V Vaikuntanathan ldquoFullyhomomorphic encryption over the integersrdquo in Advances incryptologymdashEUROCRYPT 2010 vol 6110 pp 24ndash43 SpringerBerlin Germany 2010

[15] C Gentry and S Halevi ldquoImplementing Gentryrsquos fullymdashhomomorphic encryption schemerdquo inAdvances in cryptologymdashEUROCRYPT 2011 vol 6632 of Lecture Notes in ComputerScience pp 129ndash148 Springer Heidelberg Germany 2011

[16] N P Smart andFVercauteren ldquoFully homomorphic encryptionwith relatively small key and ciphertext sizesrdquo Lecture Notes in

Wireless Communications and Mobile Computing 13

Computer Science (including subseries Lecture Notes in ArtificialIntelligence and Lecture Notes in Bioinformatics) Preface vol6056 pp 420ndash443 2010

[17] J-S Coron A Mandal D Naccache and M Tibouchi ldquoFullyhomomorphic encryption over the integers with shorter publickeysrdquo in Proceedings of the 31st Annual International CryptologyConference (CRYPTO rsquo11) vol 6841 ofLectureNotes in ComputerScience pp 487ndash504 Springer Santa Barbara Calif USA

[18] Z Brakerski and V Vaikuntanathan ldquoEfficient fully homomor-phic encryption from (standard) LWErdquo in Proceedings of theIEEE 52nd Annual Symposium on Foundations of ComputerScience (FOCS rsquo11) pp 97ndash106 Palm Springs Calif USAOctober 2011

[19] Z Brakerski and V Vaikuntanathan ldquoFully homomorphicencryption from ring-LWE and security for key dependentmessagesrdquo inAdvances in CryptologymdashCRYPTO2011 R PhillipEd vol 6841 pp 505ndash524 Springer Berlin Germany 2011

[20] Z Brakerski C Gentry and V Vaikuntanathan ldquo(Leveled)fully homomorphic encryption without bootstrappingrdquo in Pro-ceedings of the 3rd Innovations in Theoretical Computer ScienceConference pp 309ndash325 ACM 2012

[21] A Lopez-Alt E Tromer and V Vaikuntanathan ldquoOn-the-fly multiparty computation on the cloud via multikey fullyhomomorphic encryptionrdquo in Proceedings of the 44th AnnualACM Symposium onTheory of Computing (STOC rsquo12) pp 1219ndash1234 ACM May 2012

[22] J W Bos K Lauter J Loftus andM Naehrig ldquoImproved secu-rity for a ring-based fully homomorphic encryption schemerdquo inCryptography and coding vol 8308 of Lecture Notes in ComputSci pp 45ndash64 Springer Heidelberg 2013

[23] C Gentry A Sahai and B Waters ldquoHomomorphic encryptionfrom learning with errors Conceptually-simpler asymptoti-cally-faster attribute-basedrdquo Proceedings of CRYPTO 2013 vol8042 no 1 pp 75ndash92 2013

[24] C Gentry S Halevi and N P Smart ldquoHomomorphic evalu-ation of the AES circuitrdquo Lecture Notes in Computer Science(including subseries Lecture Notes in Artificial Intelligence andLecture Notes in Bioinformatics) Preface vol 7417 pp 850ndash8672012

[25] C Gentry S Halevi and N P Smart ldquoFully homomorphicencryption with polylog overheadrdquo inAdvances in cryptologymdashEUROCRYPT 2012 vol 7237 of Lecture Notes in Comput Scipp 465ndash482 Springer Heidelberg 2012

[26] N P Smart and F Vercauteren ldquoFully homomorphic SIMDoperationsrdquo Designs Codes and Cryptography vol 71 no 1 pp57ndash81 2014

[27] Y Chen and G Gong ldquoInteger arithmetic over ciphertextand homomorphic data aggregationrdquo in Proceedings of the 3rdIEEE International Conference onCommunications andNetworkSecurity CNS 2015 pp 628ndash632 Italy September 2015

[28] K Gai and M Qiu ldquoBlend Arithmetic Operations on Tensor-Based Fully Homomorphic Encryption Over Real NumbersrdquoIEEE Transactions on Industrial Informatics vol 14 no 8 pp3590ndash3598 2018

[29] K GaiMQiu Y Li andX-Y Liu ldquoAdvanced FullyHomomor-phic Encryption Scheme over Real Numbersrdquo in Proceedingsof the 4th IEEE International Conference on Cyber Security andCloud Computing CSCloud 2017 and 3rd IEEE InternationalConference of Scalable and Smart Cloud SSC 2017 pp 64ndash69USA June 2017

[30] L Kuang L T Yang J Feng and M Dong ldquoSecure Ten-sor Decomposition Using Fully Homomorphic Encryption

Schemerdquo IEEE Transactions on Cloud Computing vol 6 no 3pp 868ndash878 2018

[31] J-S Coron D Naccache and M Tibouchi ldquoPublic keycompression and modulus switching for fully homomorphicencryption over the integersrdquo in Proceedings of the AnnualInternational Conference on the Theory and Applications ofCryptographic Techniques (EUROCRYPT 2012) vol 7237 ofLecture Notes in Comput Sci pp 446ndash464 Springer

[32] J H Cheon J S Coron J Kim et al ldquoBatch fully homomorphicencryption over the integersrdquo in Annual International Confer-ence on theTheory andApplications of Cryptographic Techniquesvol 7881 of Lecture Notes in Computer Science pp 315ndash335Springer Berlin Germany 2013

[33] J-S Coron T Lepoint M Tibouchi J H Cheon and JKim ldquoBatch fully homomorphic encryption over the integersrdquoin Proceedings of the Annual International Conference on theTheory and Applications of Cryptographic Techniques pp 315ndash335 Springer Berlin Germany 2013

[34] J Kim M S Lee A Yun et al CRT-based fully homomorphicencryption over the integers Cryptology ePrint Archivehttpseprintiacrorg057pdf

[35] S Halevi and V Shoup ldquoAlgorithms in helibrdquo in Lecture Notesin Computer Science vol 8616 of Lecture Notes in Comput Scipp 554ndash571 Springer Heidelberg 2014

[36] A D Booth ldquoA signed binary multiplication techniquerdquo TheQuarterly Journal of Mechanics and Applied Mathematics vol4 pp 236ndash240 1951

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Active and Passive Electronic Components

VLSI Design

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Shock and Vibration

Hindawiwwwhindawicom Volume 2018

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom

Journal ofEngineeringVolume 2018

SensorsJournal of

Hindawiwwwhindawicom Volume 2018

International Journal of

RotatingMachinery

Hindawiwwwhindawicom Volume 2018

Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Navigation and Observation

International Journal of

Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom