Efficient Fully Homomorphic Encryption with Large Plaintext Space

ABSTRACT The security of multimedia content and personal privacy for big data has triggered widespread concern in the society. Fully homomorphic encryption (FHE), which can homomorphically compute arbitrary functions on the encrypted data without knowing the secret key, is valuable in protecting user’s data security. However, most of the FHE schemes only take single-bit of ciphertext as the input, which makes the evaluation process complicated. In EUROCRYPT’2015, Ducas and Micciancio proposed an FHE scheme FHEW with the plaintext space , and gave an assumption of extending the plaintext space to . In this paper, we optimize the decryption algorithm of FHEW in bootstrapping, and propose an FHE scheme with large plaintext space . Firstly, we optimize the rounding function of the decryption algorithm in FHEW to the msdExtract algorithm, which can homomorphically extract the most significant digit of the plaintext. Secondly, we design the msdExtract algorithm by employing the homomorphic accumulator, and present the process of general bootstrapping. Finally, based on the msdExtract algorithm, we extend the plaintext space of our scheme to , comparing to in FHEW. The security of our scheme is based on the basic LWE scheme and FHEW. What’s more, our scheme can perform the evaluation more conveniently with large plaintext space, and can be applied to more scenarios.


INTRODUCTION
With the rapid increase of capacity for big data, more and more multimedia data are handled in the cloud, and the security of multimedia content and personal privacy have become a hot topic in big data. Fully homomorphic encryption (FHE) allows a user to perform arbitrary computation on the encrypted data without leaking the secret keys, and the decryption of the output is equal to the result that doing the same computations on the original message. In other words, FHE has inherent exchangeable properties for encryption and homomorphic computation, and is very valuable for protecting the user's information security [1] and secret communication [2] in the environment of cloud computing [3] and big data [4]. Since Gentry's breakthrough work in 2009 [5], many researchers have done deep research on FHE [6][7][8][9][10][11][12][13], and most of their works concentrate on the FHE scheme's construction, efficiency, and security [14][15][16][17][18][19][20][21][22][23]. Efficiency is the main obstacle to the application of FHE schemes, and there are mainly two methods to improve the efficiency. One is applying some optimal technologies to the construction of FHE, such as SMID (Single Instruction Multiple Data), modulus switching [17], etc. The other way is to reduce the computational complexity of the bootstrapping process and has been developed rapidly after GSW13 [18] proposed in 2013 by Gentry et al. In ITCS'2014, Brakerski and Vaikuntanathan presented an optimal vision of GSW13 called BV14 [22]. According to Barrington's Theorem [15], it can be proved that BV14 reduces the noise expansion during bootstrapping to a polynomial level of the security parameter. In CRYPTO'2014, Alperin and Peikert proposed an efficient scheme AP14 [24], in which the noise only increases in polynomial scale during bootstrapping. The prominent contribution of AP14 lies in the construction of an efficient external scheme for bootstrapping. The external scheme, which is used to evaluate the internal decryption process, has an efficient decryption process. What's more, it supports an efficient transformation from the external large ciphertext to the original ciphertext in the internal scheme.
In EUROCRYPT'2015, Ducas and Micciancio proposed a more efficient FHE scheme called FHEW [25] based on AP14. FHEW transforms the rounding process during bootstrapping to the msbExtract algorithm which can homomorphically extract the MSB (Most Significant Bit) of the plaintext from the external ciphertext. By constructing a faster msbExtract process, FHEW can perform bootstrapping within a second. However, only if the plaintext space is Z 2 that the msbExtract algorithm can homomorphically extract the MSB of the plaintext.
In LATINCRYPT'2015, Biasse and Ruiz proposed a new scheme BR15 [26], which introduces homomorphic member tests and parallelizes the bootstrapping process. However, BR15 is based on a special cyclotomic polynomial ring, which will affect the performance of FFT/NTT (Fast Fourier Transformation/Number Theoretic Transform) during bootstrapping. However, comparing to Helib [20], BR15 increases the number of parallels, which results in nearly 100 times improvement in performance.

Contributions:
The main improvement of our work on the FHEW scheme lies in two parts. First, we optimize the decryption algorithm in basic LWE encryption scheme to msdExtract algorithm, which can homomorphically extract the most significant digit of the plaintext, thus allow the bootstrapping procedure to refresh the encryptions of message modulo an integer t ≥ 2.
Second, we give a detailed process about how to implement the msdExtract algorithm by employing the homomorphic accumulator and present the process of general bootstrapping via msdExtract algorithm and homomorphic accumulator. As operations during the general bootstrapping is implemented directly on encrypted data, and the encryption algorithm follows the basic LWE scheme and external scheme in FHEW, the security of our scheme is the same as FHEW, and our scheme has wide applications for large plaintext space such as the protection of gene data, which can be represented by Z 4 (four kinds of bases in DNA: A,T,G,C).
Organization: The rest of the paper is organized as follows. Some background knowledge is provided in Section 2. In Section 3, we firstly introduce the basic LWE symmetric encryption scheme, then analyze the optimization of decrypting process from rounding function to msdExtract function, and give the construction of the general bootstrapping via a homomorphic accumulator. In Section 4, we analyze the construction and components in homomorphic accumulator detailedly. Section 5 analyzes our scheme in aspects of the correctness of the general bootstrapping, scheme's computation complexity and security. The conclusion is provided in Section 6.

MATHEMATICAL PRELIMINARIES
This section introduces some symbols, basic concepts, and definitions used in our scheme. For a list of vectors or matrices a 1 , a 2 , . . . , a l , we use (. . .) for vertical concatenation, and [. . .] for horizontal concatenation.

Distribution
We define the randomized rounding function ψ : R → Z, which satisfies ψ(x + n) = ψ(x) + n for arbitrary x ∈ R and n ∈ Z. When input x ∈ Z, we have ψ(x) = ψ(0) + x as a special case, which means that a certain noise ψ(0) is added to the input x. We define ψ(x) − x as the rounding error of ψ(x), and typically the error We define that the random variable x ∈ R is a sub-Gaussian distribution of parameter α, if its momentgenerating function (MGF) satisfies E[exp(2πtX)] ≤ exp(π α 2 t 2 )αfor all t ∈ R, and then we have Pr{| ≥ t} ≤ 2 exp(−π t 2 /α 2 ) for t ≥ 0. The concept of sub-Gaussian distribution can be extended to vector x and matrice X. For unit vector u, if < u, x > is a sub-Gaussian distribution, then x is also a sub-Gaussian distribution. For all the unit vectors u and v, if u t Xv is a sub-Gaussian distribution, so is X. From the definition, we can see that if concatenate multiple variables which are sub-Gaussian with parameter α, the resulting vectors and matrices are also sub-Gaussian with parameter α.

Cyclotomic Ring
For security parameter λ, let 2N (X) =X N + 1 be the 2N-th cyclotomic polynomial, where N = N(λ) is a power of 2. Let the cyclotomic ring R = Z[X]/(X N + 1), and R Q = R/(QR) denotes the residue ring of R modulo an integer Q, and then there is an isomorphic map- ∈ Z N . The notation · can be extended to vector and matrix over R. We define the Euclidean length of ring elements as ||a|| = || a|| = i |a i | 2 , and the spectral norm of a matrix R ∈ R w×k of ring elements as s 1 (R) = sup x∈R k \{0} ||R · x||/||x||.
Given the ring element r ∈ R, we define the function ⇒ · as And we extend the function ⇒ · to vectors and matrices over R. Given a matrix R ∈ R w×k , we expand it to matrix For ease of easily understanding, two functions l,k (−1) and (1) v (x,y) are defined in this paper: where l, k, x, y and v are all integers.

The General Learning with Errors (GLWE) Problem
The basic homomorphic encryption scheme in this paper is based on the hardness of (Ring) learning with errors (LWE) problem, which can be summarized as the GLWE problem [17], and it's defined as follows. and R q = R/qR. Let χ = χ (λ) be a distribution on R.
The GLWE problem is to distinguish the following two distributions: First distribution is the uniform samples (a i , b i ) ∈ R n+1 q . In the second distribution, sampled a i ← R n q and s ← R n q uniformly, e i ← χ , and the second distribution is the samples The GLWE assumption is that the GLWE problem is infeasible.

LWE problem:
The LWE problem is simply GLWE problem instantiated with d = 1, RLWE problem: The RLWE problem is GLWE problem instantiated with n = 1.

THE NEWLY DESIGNED SCHEME
According to Gentry's theory, a "noisy" ciphertext can be refreshed by running the bootstrapping procedure to reduce the noise involved in it. In earlier FHE scheme, the decryption algorithms for ciphertext decryption and bootstrapping are the same. For optimizing the efficiency of FHE, since AP14, many FHE schemes are divided into internal and external schemes, and the decryption algorithms are usually different. We write enc(·) (E(·)) for the encryption scheme of internal (external) scheme. Ciphertext in internal (external) scheme is called internal (external) ciphertext. We can homomorphically run the internal decryption program on the external ciphertext to refresh the "noisy" ciphertext, and get a more efficient bootstrapping process. This type of bootstrapping is called general bootstrapping in this paper.
FHE scheme usually contains three parts: basic encryption scheme, homomorphic evaluation and bootstrapping. In this paper, the basic encryption scheme and the homomorphic evaluation follow the basic LWE symmetric encryption scheme in [25]. The main difference and innovation of our scheme lie in the bootstrapping process.
As bootstrapping process needs to run the decryption procedure in internal scheme homomorphically, we firstly introduce the basic encryption scheme, then present the optimization of the decryption process, and introduce the design of the general bootstrapping via homomorphic accumulator at last.

Basic Scheme and Techniques
In this section, we will introduce the basic LWE symmetric encryption scheme used in the internal scheme and two basic techniques (Modulus switching and Key switching [17]). The external encryption scheme will be introduced in Section 4.1.

LWE Symmetric Encryption Scheme:
Let n denote the dimension of the ring R.
[·] q denotes the reduction modulus q into the interval (−q/2, q/2]. Set the plaintext modulus t ≥ 2 and the ciphertext modulus q = n O (1) . Define the randomized rounding function ψ : R → Z (For the sake of decrypting correctly, usually the noise distribution of the rounding function satisfies |ψ(x) − x| < q/(2t)). The keys s ∈ Z n q of the scheme are randomly selected vectors (or short vectors). The encryption of plaintext m ∈ Z t under the key s is where a ← Z n q is chosen uniformly at random.
Modulus switching and Key switching are two techniques often used in current FHE [24], and here we give a brief introduction to them.
Lemma 1: [13] Given the secret key s ∈ Z n q , message m ∈ Z t and ciphertext c ∈ LWE the key switching procedure can be represented as: The key switching technique can reduce the dimension of the expanded ciphertext after the homomorphic computation (mainly homomorphic multiplication) to the original dimension, thus can save the storage cost for ciphertext. Lemma 2: Given the ciphertext c ∈ LWE t/q s (m) with a sub-Gaussian error of parameter α, the switching key K ={k i,j,v }, and a sub-Gaussian error ewith parameter σ . The key switching procedure outputs the ciphertext KeySwitch(c, {k i,j,v }) in which the noise is a sub-Gaussian distribution of parameter α 2 + Nd ks σ 2 .

Optimization of the Decryption Process
Given the ciphertext (a, b) ∈ LWE t/q s (m, q/2t), the decrypting process of the basic LWE scheme is t(b − a · s)/q mod t. As the rounding operation is not easy to be implemented to the ciphertext, some conversion is needed. Let msd(·) (msdExtract(·)) denotes extracting the most significant digit of the plaintext (ciphertext). We found the rounding function in the decryption process can be converted to msd(·) or msdExtract(·), and the analysis is as follows.
First, we use t = 4 as an example to analyze the basic decryption process. As shown in the Figure 1, the points on the circle represent Z q , and the value of ρ = b − a · s can be regarded as a point on the circle. Regardless of the noise e, as b − a · s = mq/t + e, there are four possible positions of ρ on the circle: 0, q/4, 2q/4, 3q/4. Due to the interference of noise e, the corresponding position of ρ is uncertain on the circle. By limiting the noise e to |e| ≤ q/8, we define a mapping π : Z q → Z t from ρ to the corresponding plaintext m:  According to the mapping π between the points on the circle (ρ = b − a · s) and the corresponding plaintext m, the correct decryption is achieved. (9) and the new mapping π can be represented visually in Figure 2.
When q = t k , (ρ + q/2t) can be represented by (ρ + q/2t) t which has k − 1 digits in baset: As we can see in (10), the plaintext m in mapping π can be represented by msd((ρ + q/2t) t ). Naturally, the mapping π can be expressed as Then we successfully convert the decryption process of the basic LWE encryption scheme to msd(·), and we will give the detailed steps for homomorphically extracting the most significant digit of ciphertext by msdExtract(·) in Section 3.3.

General Bootstrapping via Homomorphic Accumulator
In order to refresh the "noisy" ciphertextc = (a, b) ∈ LWE t/q s (m), we need to run the homomorphic decryption procedure on E(b + q/2t − a · s). As the decryption algorithm of the internal scheme has been optimized to msd(·), we construct a mapping ζ , and the refreshing process can be expressed as Before giving detailed steps about how to implement the mapping, we first introduce the homomorphic accumulator ACC, which is employed to support the construction of the mapping, and the specific process will be introduced in Section 4.1.
For brevity, we write ACC ← v for ACC ← Init(v), and ACC + ← E(v) for ACC ← Incr(ACC, E(v)). For v 0 , v 1 , . . . , v l ∈ Z q , after the sequences of operations The homomorphic accumulator ACC is said ε-correct, only if for arbitrary l-encryption ACC of v, c ← msdExtract(ACC) ensures LWE t/q s (msd(v), ε(l)) with overwhelming probability.
Next, we give a brief introduction to general bootstrapping and how to homomorphically implementing the msdExtract(·) function.
Using the bootstrapping keys and homomorphic accumulator, the general bootstrapping is constructed in algorithm 1. K (a,b),

Algorithm 1 Gbootstrapping
• For the "noisy" ciphertext c = (a, b), The analysis is as follows:

THE DETAILED CONSTRUCTION OF THE SCHEME
In this section, we present the details of the functions in the homomorphic accumulator, and analyze the components in the homomorphic accumulator.

The Construction of Homomorphic Accumulator
For security parameter λ, the parameters used in homomorphic accumulator include the ciphertext modulus Q = Q(λ) and plaintext modulus q = q(λ) in the external scheme (q is also the ciphertext modulus in internal LWE scheme), the plaintext modulus t = t(λ) in the internal scheme, and the decomposing base B g of external ciphertext. For simplicity of the analysis, we assume that Q = B g d g for some integer d g .
The ring in the external scheme is R Q = R/QR, whereR = Z[X]/(X N + 1). The integer u ∈ Z Q is a reversible element closest to Q/t in Z Q . In order to decrypt correctly, the parameter δ = u − Q/t is at most |δ| < 1. The condition for parameter selection is that there are integers d tr = 0, τ and k which ensure that q/t · τ = N + d tr ,τ = td tr , 2|(t + 1), and the modulus q = t k .
The plaintext m ∈ Z q needs to be encoded as a unit root Y m ∈ R before being encrypted in the external scheme, where Y = X τ . Noticing that the unit roots G−− = X = {1, X, . . . , X N−1 , X N = −1, −X, . . . , −X N−1 } form a cyclic group, and the group Y = {Y 0 , . . . , Y q−1 } Z q is a subgroup of G− Z 2N , and the relationship between < Y > and G− will be given in 4.2.
The homomorphic accumulator contains five parts: • E z (m). Input the message m and key z ∈ R, pick a R −→ R 2d g Q uniformly at random, and e ∈ R 2d g Z 2d g N with a sub-Gaussian distribution χ of the parameter ς, output the external ciphertext where G = (I, B g I, . . . , B Input v ∈ Z q , and output the initial- • Incr(ACC + ← C). Input ACC ∈ R 2d g ×2 Q and the exter- , decompose the accumulator ACC based on B g as where each D i has entries with coefficients in {(1 − B g )/2, . . . , (B g − 1)/2}), and then update the accumulator ACC := [D 1 , . . . , D d g ] · C ∈ R 2d g ×2 . • uMultcontant(C ← k). Input a constant k ∈ Z q and ciphertext C ∈ R 2d g ×2 Q with parameter u ∈ Z q , output a ciphertext C ku ← kC ∈ R 2d g ×2 Q with the parameter ku ∈ Z q . For brevity, we denote C ku ∈ R 2d g ×2 Q as C (k) .
• msdExtract(·). Firstly the plaintext m ∈ Z q is encoded as a monomial Y m in Y . Secondly, the operation of plaintext is achieved by operating the position of the term in the monomial.
Input the switching key K and a set of vectors T = {t (1) , t (2) , . . . , The details of the function msdExtract(·) are shown in Algorithm 2.
where msd (k)   ). An accumulator ACC which is the lencryption of v.
The main idea of the function msdExtract(·) is that

Analysis of Homomorphic Accumulator Components
This section analyzes the functions in the homomorphic accumulator and their properties. The plaintext m ∈ Z q needs to be encoded as Y m ∈ R before being encrypted in the external scheme, so we need to prove that < Y >= {Y 0 , . . . , Y q−1 } forms a group. As ciphertext computing is operated in R Q , we also need to prove that the elements in < Y > are contained in R. Actually, group < Y > is a subgroup of G− =< X >, and the distribution of < Y >= {Y 0 , . . . , Y q−1 } in R is shown in Figure 4.
As is shown in Figure 4, the i-th column in the matrix represents for ±X i , and the j-th row in the matrix indicates that the power of X in the row is greater than (j − 1)N and less than jN, and most of the zeros in the graph are not marked. Analysis of the matrix shows that if there is an integer d tr = 0 ensure that τ = td tr , τ |(N + d tr ) and q = t N+d tr τ , then each column will only have one nonzero element. This ensures that the elements of < Y > are different. More importantly, for m ∈ Z q , Y m just appear in the msd(m)-th row, and this property is the key to the construction of msdExtract(·). Proof: Firstly we prove that the set < Y > forms a group. As the elements in < Y > inherit the associative law Closure: Uniqueness: Here we use proof by contradiction.

Lemma 4: (Analysis of parameter adjustment function)
For plaintext m ∈ Z q and constant k ∈ Z q , if C = [a, a · z + e] + uY m G, then the output of uMultcontant(C ← k) has the form of C ku = [a , a · z, +ke] + ukY m G where e is the error in C.

Proof:
As uMultcontant(C ← k) outputs the ciphertext C ku ← kC, let a = ka, then So the ciphertext has form of C ku = [a , a · z + ke] + ukY m G, where e is the noise in C.

ANALYSIS OF OUR SCHEME
In this section, we analyze the correctness of the general bootstrapping process and the scheme's security.

Analysis of the Correctness of the Generalized Bootstrapping
Based on the construction and analysis of the homomorphic accumulator, this section analyzes the correctness of the bootstrapping process in Algorithm 1.  (D (0) , D (1) , . . . , D (l−1) ) = O(B g Nd g · l) with a large probability.

FACT 7 (Spectral Norm of Decomposition Matrix) Let
Lemma 8 analyzes the first four steps in msdExtract(·) function. Theorem 9 analyzes the impact of key switching and modulus switching process on ciphertext based on Lemma 8.

Lemma 5 (Intermediate noise):
Supposing that the RLWE R,Q,χ problem is hard, let accumulator ACC be the l-encryption of v, where l ≥ w log N. Let ACC be the input of Algorithm 2, then the ciphertext c = k=t 2 k=1 c (k) defined in the fourth row of Algorithm 2 belongs to LWE t/Q − → z (msd(v)), and contains err(c) = err( k=t 2 k=1 c (k) ), which is a sub-Gaussian distribution of parameter φ and mean 2δ, where φ = O(ς B q · Nd g · lt 3 ).
Proof: Run l times of homomorphic addition on the initial accumulator ACC, and the output of the accumulator is called ACC. According to Fact 5, ACC ciphertext has the form of the external ciphertext ACC = [a, a · z + e] + uY v G, and satisfies Line 1: According to Lemma 4, ciphertext ACC (k) = uMultcontant(ACC ← k − 1) has the form of the external scheme As vector [ 0 t , (t (k) ) t , 0 t , . . . , 0 t ] is 0 except for the second item, we have where β] . So (a (k) , b (k) 0 ) has the form of LWE ciphertext, and the noise contained in ciphertext , thus the noise e (k)0 can be represented as As the number of items in vector t does not exceed q/t, then ||t|| 2 ≤ q/t. According to Fact 7 we can see that the spectral norm of [ , thus the noise e (k)0 can be repre- (1) , . . . ,ẽ (l) ) is a sub-Gaussian vector of the parameter ς , so the noise e (k)0 is a sub-Gaussian distribution of the parameter φ = O((k − 1)ς B g qNd g · l/t).

Line 4: Add t LWE ciphertexts and get
The noise in the ciphertext c is e = k=t 2 k=1 e (k)0 which is a sub-Gaussian distribution of the parameter β = O((k − 1)ς B g qNd g · l/t). As 1 ≤ k ≤ t, then noise e is a sub-Gaussian distribution of parameter β = O(ς B g qNd g · lt 3 ).
Considering the process of key switching and modulus switching in Algorithm 2 on the basis of Lemma 8, and analyze the noise function in the accumulator to obtain the Theorem 9.
Theorem 9: Supposing that RLWE R,Q,χ problem is hard and the homomorphic accumulator above is ε-correct. When inputting the switching keys K = {k i,j,w } i ≤ N, j ≤ B ks , w ≤ d ks and the l-encryption of v to accumulator ACC, where k i,j,w ∈ LWE q/q s (w · z i B j ks ), and ACC outputs the LWE t/q s (msd(v)) ciphertext with the noise parameter ε(l) = w · log n· q 2 Q 2 (ς 2 B 2 g · l · q · Nd g t 3 + σ 2 Nd ks ) + ||s|| 2 (23) Proof: According to Lemma 8, ciphertext c = k=t 2 k=1 c (k) belongs to LWE t/Q − → z (msd(v)), which contains the noise err(c) = err( k=t 2 k=1 c (k) ), which is a sub-Gaussian distribution of parameter φ and mean 2δ, where φ = O(ς B q · Nd g · lt 3 ).
According to Lemma 2, when input the ciphertext instance c of LWE t/Q − → z (msd(v)), the key switching process will output LWE t/Q s (msd(v)) ciphertext c ← KeySwitch(c, K), where the noise is a sub-Gaussian distribution of the parameter According to Lemma 1, when input the ciphertext instance c of LWE t/Q s (msd(v)), the modulus switching process will output LWE t/q s (msd(v)) ciphertext c ← ModSwitch(c ), where the noise is a sub-Gaussian distribution of parameter = w · log n · q 2 Q 2 (ς 2 B 2 g · l · q · Nd g t 3 + σ 2 Nd ks ) + ||s|| 2 (25) FACT 10 If the homomorphic accumulator is εcorrect, then input the ciphertext c ∈ LWE t/q s (m, q/2t) and bootstrapping key K− = {K i,c,j = E(c · s i B j r )} i,c,j , and the general bootstrapping process will output ciphertext Gbootstrapping K (c) ← LWE t/q s (msd(m), ε(nd r )).

Proof:
The proving process analyzes the specific steps of each row in Algorithm 1.
Line 1: According to the definition of function Init, when input b + q/(2t), then output the initialized accumulator Line 2: Computing l = nd r times homomorphic additions to accumulator ACC. The new input K i,a i.j ,j = E z (a i.j · s i B j r ) of each addition is the fresh ciphertext of the external scheme.
According to Definition 3 we can see that ciphertext ACC is the l-encryption of v = b + q/2t + i,j a i,j s i B j r , i.e. the ciphertext form of ACC is ACC = [a, a · z + e] + uY v G, and the bound of noise e doesn't exceed ε(nd r ). Analyze the plaintext v: Line 3: According to Theorem 9, when input the lencryption of v to accumulator ACC, the accumulator outputs the ciphertext LWE t/q s (msd(v)), in which the bound of the noise is ε(l). As msd(v) = msd(b + q/2t − as) = t(b − a · s)/q mod t = m (27) then the output of the homomorphic accumulator is the ciphertext Gbootstrapping K (c) of LWE t/q s (msd(m), ε(nd r )).

Scheme's Computational Complexity and Security
Computational Complexity. In this paper, the basic encryption scheme and the homomorphic evaluation follow the basic LWE symmetric encryption scheme in [25]. The main difference and innovation of our scheme lie in the bootstrapping process, so we mainly analyze the computational complexity of the bootstrapping process as follows.
The computational complexity of step3 in algorithm 1 (i.e. the computational complexity of algorithm 2) is O(N 3 log 3 Q).
So the computational complexity of the bootstrapping process isÕ(N 3 log 3 Q). As the complexity of the switchkey process is relatively high, the computational complexity of the bootstrapping process in FHEW and BR15 is the same as ours. What's more, the process of encryption, decryption, and key generation in our scheme is the same as FHEW and BR15, so the complexities of these processes don't change.
Security. Based on FHEW scheme, the main work of this paper is to extend the plaintext space of FHE to Z t . There are two main differences between our scheme and FHEW. On the one hand, we optimize the rounding function during the decryption process to msdExtract function, thus get a basic LWE symmetric encryption scheme with plaintext space. The scheme's security is related to the parameters such as noise, polynomial dimension, and plaintext modulus. In 2008, Regev gave specific relationships and instances between scheme's security and these parameters [27], and the extension of plaintext space does not reduce the scheme's security at the exponential level.
On the other hand, the encryption algorithm follows the basic LWE scheme and RGSW scheme in FHEW, and the evaluations during bootstrapping are implemented directly on the encrypted data without knowing the secret keys, so it does not reduce the basic scheme's security.

CONCLUSION
The security of multimedia content and personal privacy has become a hot topic in big data. FHE has been one of the important tools for personal privacy. In this paper, we proposed an FHE scheme with large plaintext space Z t . Comparing to the plaintext space Z 2 in FHEW, our scheme can perform the evaluation process more conveniently in large plaintext space, and can be applied to more scenarios. We will focus on optimizing the efficiency of bootstrapping and the applications of FHE in practice in our future work.